Re: Start point to learn OpenBSD programming
On Mon, Mar 16, 2020 at 10:00:31PM +0100, Ingo Schwarze wrote:
> Hi Martijn,
>
> Martijn van Duren wrote on Mon, Mar 16, 2020 at 09:24:26PM +0100:
> > On 3/16/20 9:22 AM, Ingo Schwarze wrote:
> >> Martijn van Duren wrote on Mon, Mar 16, 2020 at 08:52:54AM +0100:
>
> >>> On 3/16/20 8:23 AM, Martin wrote:
> >>> If you want reading material find a function you don't understand and
> >>> lookup the manpage. If you want to have a more adventurous approach:
> >>> $ PAGE=$(ls /usr/share/man/man[23] | sort -R | head -1); \
> >>> man ${PAGE##*.} ${PAGE%.*}
>
> >> That can be simplified:
> >> $ man -l $(ls /usr/share/man/man[23]/*.[23] | sort -R | head -1)

If you install random_run from packages, you can go for

    rr -1 man -l -- /usr/share/man/man[23]/*.[23]

that's precisely the kind of stupid thing it was built to handle.
Re: Hosting a CDN question
On 2020-03-16 03:26, Flipchan wrote:
> Hey all,
>
> My company needs to put up a cdn for fast hosting of javascript, images and
> css for websites, and then i would need something faster than httpd.
>
> Does anyone here run a cdn for static website content?
>
> If so what software did u use to set it up ?
>
> have a good one
> Sincerely
> Filip

What level of traffic are you looking to push? Have you done any tests to
confirm httpd was unsuitable or was the bottleneck? When coupled with relayd,
you can have a very powerful setup.

I have a setup with relayd + httpd on modest hardware, and I can push over
5,000 requests per second.
Re: Hosting a CDN question
It's worth noting that httpd didn't go over ~30% in the test, whereas the Go
web server absolutely slammed the system.

On Tue, Mar 17, 2020 at 1:44 PM Aaron Mason wrote:
>
> You can easily "write" one in Go with 9 lines of code. And since Go
> builds static binaries, you can chroot it for security.
>
> I just did a quick test between httpd and a web server written in Go
> and on a simple text file with 20,000 requests from 10 threads I saw a
> 2.3x improvement on a pair of tests.
>
> On Mon, Mar 16, 2020 at 9:28 PM Flipchan wrote:
> >
> > Hey all,
> >
> > My company needs to put up a cdn for fast hosting of javascript, images and
> > css for websites, and then i would need something faster than httpd.
> >
> >
> > Does anyone here run a cdn for static website content?
> >
> > If so what software did u use to set it up ?
> >
> > have a good one
> > Sincerely
> > Filip
> >

--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
Re: Hosting a CDN question
You can easily "write" one in Go with 9 lines of code. And since Go
builds static binaries, you can chroot it for security.

I just did a quick test between httpd and a web server written in Go
and on a simple text file with 20,000 requests from 10 threads I saw a
2.3x improvement on a pair of tests.

On Mon, Mar 16, 2020 at 9:28 PM Flipchan wrote:
>
> Hey all,
>
> My company needs to put up a cdn for fast hosting of javascript, images and
> css for websites, and then i would need something faster than httpd.
>
>
> Does anyone here run a cdn for static website content?
>
> If so what software did u use to set it up ?
>
> have a good one
> Sincerely
> Filip

--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
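Aaron's 9-line server is not in the thread. The following is an added example, not his code and not anything from the OpenBSD project: a small static-file origin in Go that applies what a CDN endpoint needs beyond raw speed: no directory listings, a long cache lifetime only for fingerprinted assets and only on successful responses, nosniff, a header-read timeout, and the chroot he mentions when the process is started as root. The document root /var/www/cdn, the listen address and the name.<hash>.ext fingerprint convention are assumptions.

```go
package main

import (
	"log"
	"net/http"
	"os"
	"path"
	"strings"
	"syscall"
	"time"
)

// noListingFS refuses directories without index.html: no auto-generated listings.
type noListingFS struct{ fs http.FileSystem }

func (n noListingFS) Open(name string) (http.File, error) {
	f, err := n.fs.Open(name)
	if err != nil {
		return nil, err
	}
	if st, err := f.Stat(); err == nil && st.IsDir() {
		idx, err := n.fs.Open(path.Join(name, "index.html"))
		if err != nil {
			f.Close()
			return nil, os.ErrNotExist // http.FileServer answers 404
		}
		idx.Close()
	}
	return f, nil
}

// cacheControl: name.<hash>.ext assets are immutable (1 year); others 5 minutes.
func cacheControl(p string) string {
	if strings.Count(path.Base(p), ".") >= 2 {
		return "public, max-age=31536000, immutable"
	}
	return "public, max-age=300"
}

// cacheWriter adds Cache-Control only to 200/304, so errors are never cached long.
type cacheWriter struct {
	http.ResponseWriter
	cc string
}

func (c *cacheWriter) WriteHeader(code int) {
	if code == http.StatusOK || code == http.StatusNotModified {
		c.Header().Set("Cache-Control", c.cc)
	}
	c.ResponseWriter.WriteHeader(code)
}

// cdnHandler serves the tree below root read-only with the policy above.
func cdnHandler(root string) http.Handler {
	files := http.FileServer(noListingFS{http.Dir(root)})
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Content-Type-Options", "nosniff")
		files.ServeHTTP(&cacheWriter{w, cacheControl(r.URL.Path)}, r)
	})
}

func main() {
	root := "/var/www/cdn" // assumed document root
	if os.Geteuid() == 0 { // chroot needs root; chdir keeps the cwd inside the jail; drop privileges next
		if err := syscall.Chroot(root); err != nil {
			log.Fatal(err)
		}
		if err := os.Chdir("/"); err != nil {
			log.Fatal(err)
		}
		root = "/"
	}
	srv := &http.Server{Addr: ":8080", Handler: cdnHandler(root), ReadHeaderTimeout: 5 * time.Second}
	log.Fatal(srv.ListenAndServe())
}
```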
Re: Record with a device, playback with another with sndiod
On Mon, Mar 16, 2020 at 02:41:20PM +0100, Alexandre Ratchov wrote:

Hello,

> Sorry, it's not possible to combine two devices into a single one with
> sndiod.
>
> FWIW, this is because both devices don't use the same clock source, if
> they were combined, audio could be unstable. Properly synchronizing
> them is difficult and given the price and availability of full-duplex
> hardware it is not worth the risk of making audio unreliable.

Thanks for the explanation, since I've not found much information about
that issue I was expecting that it was not possible.

> I guess you're asking because the USB dock has no microphone, right?

It has only one jack yes, but the logo on top of the jack is a headset
with a microphone but I don't even know if combined output/microphone
jacks are supported? I never experienced them at all, I don't have a
headset that has a microphone with a single jack to test anyway.

Regards,

--
David
Re: Start point to learn OpenBSD programming
Hi Martijn,

Martijn van Duren wrote on Mon, Mar 16, 2020 at 09:24:26PM +0100:
> On 3/16/20 9:22 AM, Ingo Schwarze wrote:
>> Martijn van Duren wrote on Mon, Mar 16, 2020 at 08:52:54AM +0100:
>>> On 3/16/20 8:23 AM, Martin wrote:

>>> If you want reading material find a function you don't understand and
>>> lookup the manpage. If you want to have a more adventurous approach:
>>> $ PAGE=$(ls /usr/share/man/man[23] | sort -R | head -1); \
>>> man ${PAGE##*.} ${PAGE%.*}

>> That can be simplified:
>> $ man -l $(ls /usr/share/man/man[23]/*.[23] | sort -R | head -1)

> Who said I went for simple?

You said so implicitly, in so far as you are doing good work on OpenBSD.  :)

> I even left a minor bug in there for Martin to find. :-)

Indeed!  Which proves again that while randomization is important,
it is easy to cause subtle heisenbugs with it.  And I consciously chose
to not point it out but silently fix it, to avoid having to mark my
posting as [SPOILERS].

Yours,
  Ingo
Re: Start point to learn OpenBSD programming
On 3/16/20 9:22 AM, Ingo Schwarze wrote:
> Hi Martijn,
>
> Martijn van Duren wrote on Mon, Mar 16, 2020 at 08:52:54AM +0100:
>> On 3/16/20 8:23 AM, Martin wrote:
>> If you want reading material find a function you don't understand and
>> lookup the manpage. If you want to have a more adventurous approach:
>> $ PAGE=$(ls /usr/share/man/man[23] | sort -R | head -1); \
>> man ${PAGE##*.} ${PAGE%.*}
>
> That can be simplified:
>
> $ man -l $(ls /usr/share/man/man[23]/*.[23] | sort -R | head -1)
>
> ;-)
> Ingo
>

Who said I went for simple? I even left a minor bug in there for Martin
to find. :-)
Re: Jitsi on OpenBSD
On 2020-03-16 03:59, Edd Barrett wrote:
> Hi,
>
> (CC people who may be knowledgeable in this area)
>
> I was wondering if anyone has got the Jitsi (https://jitsi.org/)
> web-client working on OpenBSD?
>
> It's open-source (and self-hostable) video conferencing.
>
> No prizes for guessing why I'm investigating this :P
>
> I've just (quickly) tried the browser client in firefox:
>
> - It recognises my microphone and my camera.
> - Thumbnail shows local video feed OK.
> - I can hear audio from an android participant.
> - The android participant cannot hear the audio from the OpenBSD machine.
> - The video is super-flaky on both ends.
>
> Did this, as per firefox README:
>
> - I have sysctl kern.audio.record=1.
> - I chowned /dev/video0 to me.
>
> This evening I'm going to have a deeper play around (e.g. verify if mic
> works in aucat), but if anyone has got this working before, I'd love to
> hear what tweaks they had to do.
>
> Could be that the jitsi server is overloaded.
>
> Thanks

You may also want to try out talky.io, it's treated me well over the years
and has a very similar concept to jitsi.

Jordan

(ps sorry for sending you this twice, forgot to cc misc on my first attempt)
Re: routing with DMZ between internal and external firewall
On Mon, 16 Mar 2020 09:49:30 +0100
pebwindkraft wrote:

> Hi,
>
> I have a question concerning static routes and default gateways for a
> DMZ setup, with internal and external firewall.
> ...
> What would be the correct design?
> Can I use "only" the ext_fw with a static route, so that packages
> from DNS would travel twice through DMZ net (from DNS to ext_fw, and
> then from ext_fw via int_fw back to int_pc)?
>
> The information I found on misc@ and internet is usually talking
> about "home router" with NAT and three network cards, where one leg
> supplies the DMZ... Mine is different, and I think I do not need NAT
> here?

Hi,

I have a similar setup. Being on public IP space, I treat my DMZ as
"Internet", meaning private IP addresses, either from Internet or from
internal network, must not be able to contact it. So, I NAT everything
from internal network to DMZ, which results in DNS & http seeing requests
from em1, and not from internal network.

Should you need more information don't hesitate to ask.

Regards,

--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: What is the difference between these anchor rules
Thanks Edgar … Nop, it is not a typo 😊

--
Regards,
C. L. Martinez

From: "ed...@pettijohn-web.com"
Date: Monday, 16 March 2020 at 17:16
To: Carlos Lopez
Cc: "misc@openbsd.org"
Subject: Re: What is the difference between these anchor rules

On Mar 16, 2020 11:07 AM, Carlos Lopez wrote:
> Hi all,
>
> I am trying to accomplish several different tests using anchor rules under
> an OpenBSD 6.6 host. But I am seeing a strange behavior depending on how I
> configure them. For example:
>
> This rule works:
>
> anchor inet from $laptop_admin label "Allow access from $srcaddr via SSH" {
>     anchor proto tcp to port ssh {
>         pass in to (self)
>         pass in to { $dmz_network $vpn_network } tag intlans-to-intlans
>     }
> }
>
> But this one never matches:
>
> anchor inet from $laptop_admin label "Allow access from $srcaddr via http/https services" {
>     anchor proto tcp to port { http https } {
>         pass in $hots2 tag intlans-to-intlans
>     }
> }

Is hots2 a typo in the mail or the conf also? Or maybe it's not a typo.

Edgar

> I have tried inserting the “quick” keyword in the second rule, but nothing …
> Maybe I am making some mistake? The rule that works goes before the other
> that fails … Changing order, it doesn’t matter …
>
> Any tip?
>
> --
> Regards,
> C. L. Martinez
Re: What is the difference between these anchor rules
On Mar 16, 2020 11:07 AM, Carlos Lopez wrote:
> Hi all,
>
> I am trying to accomplish several different tests using anchor rules under
> an OpenBSD 6.6 host. But I am seeing a strange behavior depending on how I
> configure them. For example:
>
> This rule works:
>
> anchor inet from $laptop_admin label "Allow access from $srcaddr via SSH" {
>     anchor proto tcp to port ssh {
>         pass in to (self)
>         pass in to { $dmz_network $vpn_network } tag intlans-to-intlans
>     }
> }
>
> But this one never matches:
>
> anchor inet from $laptop_admin label "Allow access from $srcaddr via http/https services" {
>     anchor proto tcp to port { http https } {
>         pass in $hots2 tag intlans-to-intlans
>     }
> }

Is hots2 a typo in the mail or the conf also? Or maybe it's not a typo.

Edgar

> I have tried inserting the “quick” keyword in the second rule, but nothing …
> Maybe I am making some mistake? The rule that works goes before the other
> that fails … Changing order, it doesn’t matter …
>
> Any tip?
>
> --
> Regards,
> C. L. Martinez
What is the difference between these anchor rules
Hi all,

I am trying to accomplish several different tests using anchor rules under
an OpenBSD 6.6 host. But I am seeing a strange behavior depending on how I
configure them. For example:

This rule works:

anchor inet from $laptop_admin label "Allow access from $srcaddr via SSH" {
    anchor proto tcp to port ssh {
        pass in to (self)
        pass in to { $dmz_network $vpn_network } tag intlans-to-intlans
    }
}

But this one never matches:

anchor inet from $laptop_admin label "Allow access from $srcaddr via http/https services" {
    anchor proto tcp to port { http https } {
        pass in $hots2 tag intlans-to-intlans
    }
}

I have tried inserting the “quick” keyword in the second rule, but nothing …
Maybe I am making some mistake? The rule that works goes before the other
that fails … Changing order, it doesn’t matter …

Any tip?

--
Regards,
C. L. Martinez
Re: Record with a device, playback with another with sndiod
On Sat, Mar 14, 2020 at 09:10:19AM +0100, David Demelier wrote:
> Hello,
>
> I'm trying to setup sndiod to record input using my laptop's builtin
> microphone but using an USB sound card for output.
>
> The microphone does work correctly because I was able to record some
> test using aucat
>
> $ aucat -o test.wav
> $ aucat -i test.wav (worked)
>
> To my understanding the option -m can be used to control either both
> playback and recording so I've tried to setup my rsnd/0 (laptop) to only
> use recording and my external dock rsnd/1 to only use playback.
>
> $ sndiod -f rsnd/1 -s default -m play -F rsnd/1 -f rsnd/0 -m rec
>
> The playback works correctly on the USB dock but plain `aucat -o` won't
> record from the laptop's microphone. However, `aucat -f rsnd/0 -o
> test.wav` works but since Firefox won't let me choose a specific input
> device I'm stuck...
>
> Am I missing something or is it simply not possible to create this "virtual"
> unique device that consists of input from a card and output to another
> one?

Hi,

Sorry, it's not possible to combine two devices into a single one with
sndiod.

FWIW, this is because both devices don't use the same clock source, if
they were combined, audio could be unstable. Properly synchronizing
them is difficult and given the price and availability of full-duplex
hardware it is not worth the risk of making audio unreliable.

I guess you're asking because the USB dock has no microphone, right?
Re: Jitsi on OpenBSD
On Mon, Mar 16, 2020 at 10:59:08AM +, Edd Barrett wrote:
> Hi,
>
> (CC people who may be knowledgeable in this area)
>
> I was wondering if anyone has got the Jitsi (https://jitsi.org/)
> web-client working on OpenBSD?
>
> It's open-source (and self-hostable) video conferencing.
>
> No prizes for guessing why I'm investigating this :P
>
> I've just (quickly) tried the browser client in firefox:
>
> - It recognises my microphone and my camera.
> - Thumbnail shows local video feed OK.
> - I can hear audio from an android participant.
> - The android participant cannot hear the audio from the OpenBSD machine.
> - The video is super-flaky on both ends.
>
> Did this, as per firefox README:
>
> - I have sysctl kern.audio.record=1.
> - I chowned /dev/video0 to me.
>
> This evening I'm going to have a deeper play around (e.g. verify if mic
> works in aucat), but if anyone has got this working before, I'd love to
> hear what tweaks they had to do.
>
> Could be that the jitsi server is overloaded.

Hi,

I haven't used jitsi yet, but other video-conferencing web sites properly
work in firefox. Jitsi claims they support chrome only, but according to
the settings window's microphone level meter, it's properly recording.

There was a recent regression in firefox 73, so check that you're using
version 74 before testing.

HTH,

--
Alexandre
[PATCH] remove unnecessary link from faq/ports/index.html
Hey, there is one link from /faq/ports/index.html to /faq/ports/differences.html, that makes no sense. Link is not broken, but there is no #Differences on the /faq/ports/differences.html. First part is #Extra. I think we can remove it. Cheers, Alex Index: index.html === RCS file: /cvs/www/faq/ports/index.html,v retrieving revision 1.35 diff -u -p -r1.35 index.html --- index.html 28 May 2019 01:53:12 - 1.35 +++ index.html 16 Mar 2020 12:07:43 - @@ -83,8 +83,6 @@ Porter's Handbook Differences from Other BSD Projects - Important Differences from - Other BSD Projects Extra Support Generic Infrastructure Issues Using make Properly
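Review bot: the hunk drops the "Important Differences from Other BSD Projects" entry while the context line just above it keeps a "Differences from Other BSD Projects" entry, which appears to be a second link to the same /faq/ports/differences.html page; the message above only says the #Differences fragment does not exist on that page, so the commit message should state that the remaining entry already covers the page, and say why correcting the fragment to the page's first section (#Extra, as the message notes) was not preferred over removing the entry. The hunk header counts (-83,8 +83,6) agree with the two deleted lines.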
Re: Jitsi on OpenBSD
On 2020-03-16 21:59, Edd Barrett wrote:
> Could be that the jitsi server is overloaded.

I doubt that - unless it's changed since I last looked, the Jitsi server
does very little actual "work" during a call... most of the work is done
in the browser (which is why Jitsi scales to "many calls" very well, and
"many participants" very poorly)
Jitsi on OpenBSD
Hi,

(CC people who may be knowledgeable in this area)

I was wondering if anyone has got the Jitsi (https://jitsi.org/)
web-client working on OpenBSD?

It's open-source (and self-hostable) video conferencing.

No prizes for guessing why I'm investigating this :P

I've just (quickly) tried the browser client in firefox:

- It recognises my microphone and my camera.
- Thumbnail shows local video feed OK.
- I can hear audio from an android participant.
- The android participant cannot hear the audio from the OpenBSD machine.
- The video is super-flaky on both ends.

Did this, as per firefox README:

- I have sysctl kern.audio.record=1.
- I chowned /dev/video0 to me.

This evening I'm going to have a deeper play around (e.g. verify if mic
works in aucat), but if anyone has got this working before, I'd love to
hear what tweaks they had to do.

Could be that the jitsi server is overloaded.

Thanks

--
Best Regards
Edd Barrett

http://www.theunixzoo.co.uk
Hosting a CDN question
Hey all,

My company needs to put up a cdn for fast hosting of javascript, images and
css for websites, and then i would need something faster than httpd.

Does anyone here run a cdn for static website content?

If so what software did u use to set it up ?

have a good one
Sincerely
Filip
Re: routing with DMZ between internal and external firewall
On Mon, Mar 16, 2020 at 09:49:30AM +0100, pebwindkraft wrote:
> Hi,
>
> I have a question concerning static routes and default gateways for a DMZ
> setup, with internal and external firewall.
> A DNS in the DMZ shall be used from internal machines, and later a http
> proxy from internal and external machines.
> The setup is within a network of a bigger data centre with its own edge
> router. I cannot change anything on this edge router.
> I am using OpenBSD 6.6, and ip forwarding is activated on both firewalls.
> Here an ASCII pic (for better viewing also here:
> https://ln2.sync.com/dl/9da92f730/wrzi9rse-xh9sqzed-cst55auv-y39rkrwj):
>
>   +--------+   +---------+   +---------+   +-------------+
>   | int_pc |---| int_fw  |---| ext_fw  |---| Data Center |---> Internet
>   +--------+   |em0  em1 |   |em0  em1 |   | Edge Router |
>                +---------+ | +---------+   +-------------+
>                            |
>                     +------------+
>                     | DNS & http |
>                     +------------+
>
> Setup of default routes:
> int_pc -> IP address of em0 on int_fw
> int_fw -> IP address of em0 on ext_fw
> DNS -> IP address of em0 on ext_fw
> ext_fw -> IP address of external interface
>
> Without any firewall rules (pfctl -d), I observe:
>
> 1.) I cannot ping from int_pc to DNS, and vice versa.
> 2.) I cannot ping from int_pc to em0 on ext_fw
>
> I can observe with tcpdump, that ping echo request leaves int_pc, goes
> through int_fw and reaches the network card of DNS or em0 on ext_fw. As the
> default route of DNS is pointing to ext_fw, the ping echo reply is sent to
> ext_fw, which doesn't know what to do with the IP address of int_pc, and
> ignores the package. I get this.
> So I can set a static route on the DNS or on the external firewall, like
> this
>
> route add -inet {network of int_pc} {IP address of em1 on int_fw}
>
> and then pinging back and forth works.
> But setting static routes on all DMZ machines and ext_fw doesn't seem
> right to me(?).
>
> What would be the correct design?
> Can I use "only" the ext_fw with a static route, so that packages from DNS
> would travel twice through DMZ net (from DNS to ext_fw, and then from ext_fw
> via int_fw back to int_pc)?
>
> The information I found on misc@ and internet is usually talking about "home
> router" with NAT and three network cards, where one leg supplies the DMZ...
> Mine is different, and I think I do not need NAT here?
>

You need to add routes for your internal network on ext_fw and on the DNS
box. They need to know that those networks are reachable via int_fw.
These routes are more specific and will make sure that the traffic has a
path back to int_pc.

--
:wq Claudio
routing with DMZ between internal and external firewall
Hi,

I have a question concerning static routes and default gateways for a DMZ
setup, with internal and external firewall.
A DNS in the DMZ shall be used from internal machines, and later a http
proxy from internal and external machines.
The setup is within a network of a bigger data centre with its own edge
router. I cannot change anything on this edge router.
I am using OpenBSD 6.6, and ip forwarding is activated on both firewalls.
Here an ASCII pic (for better viewing also here:
https://ln2.sync.com/dl/9da92f730/wrzi9rse-xh9sqzed-cst55auv-y39rkrwj):

  +--------+   +---------+   +---------+   +-------------+
  | int_pc |---| int_fw  |---| ext_fw  |---| Data Center |---> Internet
  +--------+   |em0  em1 |   |em0  em1 |   | Edge Router |
               +---------+ | +---------+   +-------------+
                           |
                    +------------+
                    | DNS & http |
                    +------------+

Setup of default routes:
int_pc -> IP address of em0 on int_fw
int_fw -> IP address of em0 on ext_fw
DNS -> IP address of em0 on ext_fw
ext_fw -> IP address of external interface

Without any firewall rules (pfctl -d), I observe:

1.) I cannot ping from int_pc to DNS, and vice versa.
2.) I cannot ping from int_pc to em0 on ext_fw

I can observe with tcpdump, that ping echo request leaves int_pc, goes
through int_fw and reaches the network card of DNS or em0 on ext_fw. As the
default route of DNS is pointing to ext_fw, the ping echo reply is sent to
ext_fw, which doesn't know what to do with the IP address of int_pc, and
ignores the package. I get this.
So I can set a static route on the DNS or on the external firewall, like
this

route add -inet {network of int_pc} {IP address of em1 on int_fw}

and then pinging back and forth works.
But setting static routes on all DMZ machines and ext_fw doesn't seem
right to me(?).

What would be the correct design?
Can I use "only" the ext_fw with a static route, so that packages from DNS
would travel twice through DMZ net (from DNS to ext_fw, and then from ext_fw
via int_fw back to int_pc)?

The information I found on misc@ and internet is usually talking about "home
router" with NAT and three network cards, where one leg supplies the DMZ...
Mine is different, and I think I do not need NAT here?

thx
Re: Start point to learn OpenBSD programming
Hi Martijn,

Martijn van Duren wrote on Mon, Mar 16, 2020 at 08:52:54AM +0100:
> On 3/16/20 8:23 AM, Martin wrote:

>> The best way for beginner to start with OpenBSD programming?

> This belongs on misc, so moving it there.
>
> My usual routine (and probably of a lot of other OpenBSD developers) is:

You forgot two steps:

> 1) Use it
> 2) Get annoyed by something (bug?)

Between steps 2 and 3, read the manual page to make sure your
assumptions about what it is supposed to do are correct.
Often, that will already reveal they are not: goto 1.

> 3) Dive into /usr/src to see what it actually does
> 4a) Realize I'm wrong in my initial annoyance; goto 1)

After step 4a and before going back to step 1, close the gap in the
manual page and send the patch to tech@; after all, that you even got
to step 4a proves that something a user needs to know wasn't adequately
described in the manual.  Goto 5a.

> 4b) Realize you can't fix the bug and ask for help on bugs@; goto 1)
> 4c) Try to fix the bug and send a patch to tech@
> 5a) Patch falls in between the cracks (no-one responds) and it's not
>     that important to you; goto 1)
> 5b) Patch falls in between the cracks and it's important to you;
>     send reminder and goto 1) in the meantime.
> 5c) Realize my interpretation was wrong based on feedback; goto 1)
> 5d) Realize my patch was wrong based on feedback; goto 4b)
> 5e) Patch gets committed; goto 1)
>
> If you want reading material find a function you don't understand and
> lookup the manpage. If you want to have a more adventurous approach:
> $ PAGE=$(ls /usr/share/man/man[23] | sort -R | head -1); \
> man ${PAGE##*.} ${PAGE%.*}

That can be simplified:

$ man -l $(ls /usr/share/man/man[23]/*.[23] | sort -R | head -1)

;-)
  Ingo
Re: Start point to learn OpenBSD programming
On 3/16/20 8:23 AM, Martin wrote:
> Hello list,
>
> The best way for beginner to start with OpenBSD programming?
>
> Martin
>

This belongs on misc, so moving it there.

My usual routine (and probably of a lot of other OpenBSD developers) is:

1) Use it
2) Get annoyed by something (bug?)
3) Dive into /usr/src to see what it actually does
4a) Realize I'm wrong in my initial annoyance; goto 1)
4b) Realize you can't fix the bug and ask for help on bugs@; goto 1)
4c) Try to fix the bug and send a patch to tech@
5a) Patch falls in between the cracks (no-one responds) and it's not
    that important to you; goto 1)
5b) Patch falls in between the cracks and it's important to you;
    send reminder and goto 1) in the meantime.
5c) Realize my interpretation was wrong based on feedback; goto 1)
5d) Realize my patch was wrong based on feedback; goto 4b)
5e) Patch gets committed; goto 1)

If you want reading material find a function you don't understand and
lookup the manpage. If you want to have a more adventurous approach:
$ PAGE=$(ls /usr/share/man/man[23] | sort -R | head -1); \
man ${PAGE##*.} ${PAGE%.*}

Another interesting place for some backstories is:
https://www.openbsd.org/events.html

Hope this helps.

martijn@
Re: Lot of errors as a "bad ip cksum" using Tor
Thanks Stuart. This is a KVM virtual machine with all offload settings
disabled for the guest ... I will try to enable and see how it goes ...

--
Regards,
C. L. Martinez

On 15/03/2020, 17:41, "owner-m...@openbsd.org on behalf of Stuart Henderson" wrote:

    On 2020-03-15, Carlos Lopez wrote:
    > Good morning,
    >
    > I've been seeing a lot of "bad ip cksum" error messages in my OpenBSD’s
    > Tor gateway, like these:

    from the tcpdump manual:

         IP and Protocol Checksum Offload
             Some network cards support IP and/or protocol checksum offload.
             Packet headers for such interfaces erroneously indicate a bad
             checksum, since the checksum is not calculated until after
             tcpdump sees the packet.