Re: pf queues
On Thu, 2023-11-30 at 15:55 +0300, 4 wrote:
> "cbq can entirely be expressed in it"
> ok. so how do i set priorities for queues in hfsc

You stack HFSC with link-share service curves with linkshare criterion
1:0 - or in pf.conf(5) terms: "bandwidth 1" and "bandwidth 0".

Or you do not configure queuing at all, as the default one supports
the "prio" argument.

> for my local(not for a router above that knows nothing about my
> existence.

Your local interface will be at 1G or something similar. There is
little chance that there will be any queuing at all.
Re: Recover partition table/FFS2 after overwrite?
On Mon, 2021-09-06 at 12:57 -0400, gwes wrote:
> This doesn't happen often but... maybe a page somewhere online?

http://akpoff.com/archive/2017/that_time_i_nuked_the_disklabel_and_recovered_the_disk.html

Cases are often slightly different depending on how you destroyed your
disk layout. But the gist of it is: If you have a backup of your
disklabel (and Thomas has, he posted it here) you're probably lucky.

The gist of it:

1. Create an image, so that you can always go back to step 0.
2. Re-create fdisk (MBR or GPT)
3a. Re-create disklabel layout, using
    a) disklabel backup
    b) scan_ffs
    c) default installer layout or
    d) other forensics tool

In the case I had recently ("fdisk -iy" on inner GPT partition) all
ways have worked, but step 2 would have been (almost) sufficient.
Because of corruptions, the disk was not usable 'as-is' any more as a
system disk afterwards, but this is probably why you recommended
re-installing into the partitions. I just mounted and backed up the
partitions, did a fresh install and restored the data. Thanks to
OpenBSD this is not much of an act.
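An added check for step 3a, not part of this thread or of OpenBSD's own tools: before a saved label is fed to "disklabel -R", the script below parses the partition lines of a disklabel(8) text dump and reports partitions that extend past the whole-disk 'c' partition or overlap one another. Both label files are constructed samples modelled on disklabel output, not the label posted in the thread.

```shell
#!/bin/sh
# Added example: sanity-check a disklabel(8) text backup before "disklabel -R".
# Parses the partition lines ("  a:  size  offset  fstype ...") and reports
# partitions that extend beyond the whole-disk 'c' partition or overlap.
# Exit status: 0 if consistent, 1 otherwise. Findings go to stdout.
check_disklabel_backup() {
    awk '
    /^[ \t]*[a-p]:[ \t]/ {
        p = $1; sub(":", "", p)
        names[p] = 1; size[p] = $2 + 0; off[p] = $3 + 0
    }
    END {
        if (!("c" in names)) { print "no c (whole disk) partition in label"; exit 1 }
        bad = 0
        disk_end = off["c"] + size["c"]
        for (p in names) {
            if (p == "c") continue
            if (off[p] + size[p] > disk_end) {
                printf "%s: ends at sector %d, beyond disk end %d\n", p, off[p] + size[p], disk_end
                bad = 1
            }
            for (q in names) {
                if (q == "c" || q <= p) continue          # compare each pair once
                if (off[p] < off[q] + size[q] && off[q] < off[p] + size[p]) {
                    printf "%s and %s overlap\n", p, q
                    bad = 1
                }
            }
        }
        if (!bad) print "label is consistent"
        exit bad
    }' "$1"
}

# Constructed sample label (layout modelled on "disklabel sd0" output).
LABEL_GOOD=$(mktemp)
cat > "$LABEL_GOOD" <<'EOF'
# /dev/rsd0c:
type: SCSI
total sectors: 488397168
16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:          2097152               64  4.2BSD   2048 16384 12958 # /
  b:          8388608          2097216    swap
  c:        488397168                0  unused
  d:          8388608         10485824  4.2BSD   2048 16384 12958 # /tmp
EOF

# The same label with d: accidentally placed inside b: (constructed).
LABEL_BAD=$(mktemp)
sed 's/^  d: *8388608 *10485824/  d:          8388608          4194304/' "$LABEL_GOOD" > "$LABEL_BAD"

echo "good label:"; check_disklabel_backup "$LABEL_GOOD"
echo "bad label:";  check_disklabel_backup "$LABEL_BAD" || true
```

The check only looks at geometry; it cannot tell whether the filesystem behind a partition is intact, which is what scan_ffs or a mount attempt on the image is for.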
Re: unexpected behavior with pf queues (bandwidth allocations seemingly ignored)
Please try first to remove "min". "Min" makes it a "real-time service
curve" in HFSC terminology, which may react ... "unexpectedly" when
exceeded. And you do not want "real-time" properties for file transfer
anyways.

> On 24.07.2021 at 00:21, Scott Lewandowski wrote:
>
> I am attempting to prioritize traffic from a particular host. I have the
> following queue definitions, with this match rule:
>
> queue rootq on $ext_if bandwidth 13M max 13M
> queue file1_bak parent rootq bandwidth 10M min 8M qlimit 1024
> queue std parent rootq bandwidth 3M min 2M default qlimit 1024
>
> match from 192.168.1.176 set queue file1_bak
>
> However, even when the host at .176 has a steady stream of data to output, it
> is not being prioritized for bandwidth utilization. For example:
>
> fw0# pfctl -v -sq
> queue rootq on vmx0 bandwidth 13M, max 13M
>   [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
>   [ qlength: 0/ 50 ]
> queue file1_bak parent rootq bandwidth 10M, min 8M qlimit 1024
>   [ pkts: 1279 bytes: 1825459 dropped pkts: 0 bytes: 0 ]
>   [ qlength: 0/1024 ]
> queue std parent rootq bandwidth 3M, min 2M default qlimit 1024
>   [ pkts: 8994 bytes: 12333179 dropped pkts: 0 bytes: 0 ]
>   [ qlength: 2/1024 ]
>
> Even after an extended period of execution, I see similar results. The
> supposedly prioritized host sees upload speeds of 17-200KB/s, whereas other
> hosts see 800KB/s or more.
>
> I do not understand the behavior I am seeing. Why are other hosts being
> allocated so much bandwidth for uploads?
>
> Also of interest is that when I added the queues, a host that reliably used
> to have consistent 27MB/s downloads now sees variable speeds between 13 and
> 24MB/s, even when there is no other (meaningful) network activity. I'm not
> sure if this is related to the upload speed issue I am seeing. I realize
> there is outbound control traffic from the downloading host, but I can't
> imagine that should be impacted by the queues when there is no other
> meaningful network traffic. To try to address the download issue, I've
> experimented with adding a control traffic queue and assigning traffic to
> (std, ctrl), but that hasn't helped (in fact, it's hurt).
>
> Based on some past threads I've read on related issues, I've tried adding
> "max" specifications to each queue, but that hasn't helped, and it doesn't
> seem it should be necessary based on the docs. Oddly, if I specify a max of
> 13 on each rule -- with no suffix, which I accidentally did -- I seem to get
> the desired behavior, but in that case pf obviously isn't enforcing the max
> correctly, and I also see download speeds of less than 1KB/s. Adding the
> intended suffix gives the same observable behavior as I saw without the max
> specifier at all.
>
> I am running up-to-date 6.9 on ESX 6.7 with vmxnet3 vNICs. The VM has 2 vCPUs
> and 1G and is showing no sign of resource constraints.
>
> Any help or thoughts would be appreciated!
Re: pf question: IPv6 prefix changed, how to tell pf?
On Fri, 2021-07-23 at 08:21 +0200, Harald Dunkel wrote:
> Deutsche Telekom gives me a new /56 prefix for my internal net and
> a new /64 prefix for the external connection on every reboot of my
> modem. The old internal prefix is not routed anymore. Question is,
> how can I tell pf to use the new prefix?
>
> There are a few constants in my pf.conf file, e.g.
>
> myhost = "{ 2001:db8:1f21:1c03:123:4567:89ab:cdef ... }"
>
> Currently they have to be edited on every prefix change.

I'd suggest to write them into a table, which is runtime modifiable.
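An added example of the table approach, not from this thread (the table name myhosts, the interface name and all addresses are assumptions): the internal hosts keep fixed interface identifiers, the current /64 prefix is read from ifconfig output, and the table is refreshed with "pfctl -T replace" instead of editing pf.conf at every prefix change.

```shell
#!/bin/sh
# Added example: keep pf rules stable across an ISP prefix change by putting
# the internal hosts into a pf table and refreshing it at runtime.
#
# pf.conf side (constructed fragment, replaces the "myhost" macro):
#   table <myhosts> persist
#   pass in on egress inet6 proto tcp to <myhosts> port 22
# The table contents are swapped with "pfctl -t myhosts -T replace ..."
# without reloading the ruleset.

# Interface identifiers (the host part after the /64 prefix) of the hosts that
# used to be listed in the macro; these stay fixed when the prefix changes.
# Constructed values.
MYHOST_SUFFIXES="123:4567:89ab:cdef 0:0:0:10 0:0:0:20"

# Print the first global (2000::/3) /64 prefix found in ifconfig(8) output
# read on stdin, as four groups, e.g. "2001:db8:1f21:1c03". A "::" inside the
# first four groups is expanded with zeros.
prefix_from_ifconfig() {
    awk '
    $1 == "inet6" && $2 ~ /^[23][0-9a-f]*:/ && $3 == "prefixlen" && $4 == 64 {
        addr = $2
        n = index(addr, "::")
        left = (n > 0) ? substr(addr, 1, n - 1) : addr
        g = split(left, grp, ":")
        out = ""
        for (i = 1; i <= 4; i++) {
            sep = (i > 1) ? ":" : ""
            val = (i <= g && grp[i] != "") ? grp[i] : "0"
            out = out sep val
        }
        print out
        exit
    }'
}

# Combine a /64 prefix with each suffix into full addresses, one per line.
build_addresses() {
    prefix=$1; shift
    for suffix in "$@"; do
        printf '%s:%s\n' "$prefix" "$suffix"
    done
}

# Print the pfctl command that replaces the table with the current addresses.
# It is printed rather than executed so the example runs on any machine; on
# the router, run it from whatever notices the prefix change (e.g. a cron job
# that compares the current prefix with the last one seen).
table_replace_command() {
    printf 'pfctl -t myhosts -T replace %s\n' \
        "$(build_addresses "$@" | tr '\n' ' ' | sed 's/ $//')"
}

# Constructed ifconfig output: link-local first, then the autoconf GUA.
IFCONFIG_SAMPLE='vio0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::1234:5678:9abc:def0%vio0 prefixlen 64 scopeid 0x1
        inet6 2001:db8:1f21:1c03:123:4567:89ab:cdef prefixlen 64 autoconf pltime 86400 vltime 604800'

PREFIX=$(printf '%s\n' "$IFCONFIG_SAMPLE" | prefix_from_ifconfig)
table_replace_command "$PREFIX" $MYHOST_SUFFIXES
```

"-T replace" swaps the whole table atomically, so rules referencing <myhosts> never see a half-updated list; the old prefix drops out of the table at the same moment the new one appears.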
Re: .profile not being loaded (ksh) when opening shell in X
On Wed, 2021-04-28 at 06:20 +, David Dahlberg wrote:
> I noticed the effect that the OP described ($PWD and $HOME/.profile
> being ignored) too

After some testing of different WM/DE (Xenodm to FVWM, CWM, Xfce,
Lumina, Mate) and terminal emulators, I have to conclude that the
effect seems to be limited to Mate.

Are you using Mate, Jan?
Re: .profile not being loaded (ksh) when opening shell in X
On Tue, 2021-04-27 at 09:37 +0200, Alexandre Ratchov wrote:
> If you're using a display manager (xenodm or whatever), you've to
> include your .profile in your session login script (X equivalent of
> shell's ~/.profile concept), so the environment (and other global
> login settings) from your .profile become visible to all X programs,
> not only xterm. For instance put:
>
> . ~/.profile

I noticed the effect that the OP described ($PWD and $HOME/.profile
being ignored) too, when I reinstalled all packages (due to /usr/local
partition going foobar) and also switched to Mate a couple of weeks
ago. Happens both in mate-terminal and in xterm. Unfortunately tricks
like described above didn't help.

I think I also tried Xfce and had the same effect, not sure though.

Strangely, if I open a new mate-terminal, $PWD and .profile are
ignored; if I open the second tab, they are processed, though ...

So I guess the next step is to upgrade to today's snap and test if it
stays the same, and whether I may reproduce it with a more basic WM
like CWM/FVWM ...
X hangs on 3d accel'd desktop (X1C3)
Hi all,

I am not sure whether this is a problem of a graphics driver (for
bugs@) or whether I messed up my config (ports@). So I am asking here,
where I am definitely off-topic:

Starting with a sysupgrade and pkg_add -u to last week's -snapshot,
GDM became unresponsive. Symptoms:

* I see the plain X server being started (as usual)
* GDM takes over (as usual)
  - background/mouse pointer change
  - pointer jumps to lower right
* Then the screen freezes
  - pointer still moving
* If I switch back and forth consoles, screen is being redrawn once

This happens with GDM and Gnome, when launched directly; but not with
XFCE or Xenodm/cwm/... It also resembles effects that I have seen when
Broadwell support was still new, therefore I suspect some issue in the
3D acceleration. But I am pretty much lost when trying to debug X, so
maybe someone might give me a push into the right direction.

System: Thinkpad X1 Carbon (2015/3rd Gen)
Chipset: Broadwell
xorg.conf: empty

To my lay knowledge, Xorg.log/xdm.log look unsuspicious -> no EE.

(PS: I just noticed the warning about the aperture setting. But I
didn't need it before, don't need it on other machines with
modesetting driver, didn't find any mention about changes on
current.html and increasing the value to 1/2 didn't change anything
either - apart from the warning being removed from the log of course)

Reinstalling base and removing/reinstalling all packages to rule out
corrupt files during update didn't help either.

dmesg

OpenBSD 6.8 (GENERIC.MP) #89: Mon Sep 28 06:38:07 MDT 2020
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8261632000 (7878MB)
avail mem = 7996207104 (7625MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xacbfd000 (66 entries)
bios0: vendor LENOVO version "N14ET54W (1.32 )" date 03/19/2020
bios0: LENOVO 20BSCTO1WW
acpi0 at bios0: ACPI 5.0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP ASF!
HPET ECDT APIC MCFG SSDT SSDT SSDT SSDT SSDT SSDT SSDT SSDT SSDT PCCT SSDT UEFI MSDM BATB FPDT UEFI DMAR acpi0: wakeup devices LID_(S4) SLPB(S3) IGBE(S4) EXP2(S4) XHCI(S3) EHC1(S3) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpihpet0 at acpi0: 14318179 Hz acpiec0 at acpi0 acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz, 2095.45 MHz, 06-3d-04 cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,RDSEED,ADX,SMAP,PT,SRBDS_CTRL,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN cpu0: 256KB 64b/line 8-way L2 cache cpu0: smt 0, core 0, package 0 mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges cpu0: apic clock running at 99MHz cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1.1.1, IBE cpu1 at mainbus0: apid 2 (application processor) cpu1: Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz, 2095.16 MHz, 06-3d-04 cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,RDSEED,ADX,SMAP,PT,SRBDS_CTRL,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN cpu1: 256KB 64b/line 8-way L2 cache cpu1: smt 0, core 1, package 0 ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 40 pins acpimcfg0 at acpi0 acpimcfg0: addr 0xf800, bus 0-63 acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus -1 (PEG_) acpiprt2 at acpi0: bus 3 (EXP1) acpiprt3 
at acpi0: bus 4 (EXP2) acpiprt4 at acpi0: bus -1 (EXP3) acpiprt5 at acpi0: bus 10 (EXP6) acpibtn0 at acpi0: LID_ acpibtn1 at acpi0: SLPB acpipci0 at acpi0 PCI0: 0x 0x0011 0x0001 acpicmos0 at acpi0 acpibat0 at acpi0: BAT0 model "00HW002" serial 511 type LiP oem "LGC" acpiac0 at acpi0: AC unit online acpithinkpad0 at acpi0: version 1.0 "PNP0C14" at acpi0 not configured "PNP0C14" at acpi0 not configured "PNP0C14" at acpi0 not configured "INT340F" at acpi0 not configured acpicpu0 at acpi0: C3(200@233 mwait.1@0x40), C2(200@148 mwait.1@0x33), C1(1000@1 mwait.1), PSS acpicpu1 at acpi0: C3(200@233 mwait.1@0x40), C2(200@148 mwait.1@0x33), C1(1000@1 mwait.1), PSS acpipwrres0 at acpi0: PUBS, resource for XHCI, EHC1 acpipwrres1 at acpi0: NVP3, resource for PEG_ acpipwrres2 at acpi0: NVP2, resource for PEG_ acpitz0 at acpi0: critical temperature is 128 degC acpivideo0 at acpi0: VID_ acpivout0 at acpivideo0: LCD0 acpivideo1 at a
Re: Pass, gpg2, gpg
On Friday, 07.12.2018, 16:33 +0100, Lucas López wrote:
> I like https://www.passwordstore.org/ and I am so grateful to have it
> in OpenBSD as a package!

Please do not ask questions that have nothing to do with OpenBSD in
misc@. If it is about the port itself, you may contact the maintainer
(which would be me in this case) or may use ports@. But if the question
is not at all OpenBSD related, you're better advised to use the
mailing list of the software itself:
https://lists.zx2c4.com/mailman/listinfo/password-store

That being said, of course I may answer your questions shortly via PM.

Cheers
David
Re: vlan without IP address not working (parent not in promisc mode)
> On 2018-05-22, Sigi Rudzio wrote:
> > With this configuration, the parent interface on router 2 (sk0)
> > isn't in promiscuous mode and no traffic can pass into the vlan
> > interface

Sounds pretty much like the same problem that I had:
https://marc.info/?t=15242230593

Does a "ifconfig $dev up" help you?
Re: iwm performance (was: Re: how would you troubleshoot your wifi?)
On Friday, 22.07.2016, 11:36 +0200, Stefan Sperling wrote:
> I've already been told about iwm performance regressions compared to
> 5.9, so I'd like to make a statement (not just directed at you,
> Andreas, but at everyone).

JFYI: A temporary workaround which works for me (on a X1C3) is
disabling 802.11n with "ifconfig mode".
Re: serial & console access
On Tuesday, 26.04.2016, 23:42 -0700, jungle Boogie wrote:
> I would like to connect to a laptop via serial [..]
> Unexpectedly to me, I could not see the machine actually boot up until
> it went to the login prompt.
> Is there an /etc/boot.conf option I can set to support both console
> and serial access?

There is exactly one boot console, but you may have multiple ttys. At
the moment, you boot on the serial console, but you have additional
"pc" ttys ("/dev/ttyC?"). Of course you can also do the reverse: Boot
on the pc console and configure additional serial ttys (see ttys(5),
FAQ 7).

Cheers,
David
Re: Cannot Cleanly Exit FVWM / X Windows System
On Wednesday, 03.02.2016, 15:29 -0500, Samir Parikh wrote:
> I am running version 5.8 (amd64) on a Lenovo Thinkpad T450s
> with a fairly default installation.

The T450s is a Broadwell.

> I have a few issues to sort out but my first concern is that I cannot
> exit out of FVWM. I launch it via the command startx while logged in
> as root. When I go to exit (left mouse click on the desktop > Exit),
> the system just hangs which requires me to forcefully power down the
> laptop.

If you investigate more closely, you will probably find out that the
system still works, just the graphics is fscked up: Try logging in via
ssh, or shutting down the system by blindly typing into ttyC0.

Broadwell graphics support was added a while ago. IIRC 5.8 should have
some basic support, but still a few bugs. By now (-current) it is
pretty stable though.

> Any ideas or suggestions?

1) Use modesetting(4) in xorg.conf and wait for 5.9
2) Avoid the vulnerable code paths (e.g. "shutdown" in wm) and wait
   for 5.9
3) Update to a recent snapshot.
Re: Remove "flags S/SA keep state" for tcp packets
On Tuesday, 15.12.2015, 09:24 +, C. L. Martinez wrote:
> I am trying to remove "flags S/SA keep state" for tcp packets inside
> pf.conf and use "keep state" only, as it can do with udp and icmp.
>
> According to pf.conf man page, this is possible inserting "no state"
> in tcp rule, but I can't use keep state.

"keep state" is addressed in pf.conf(5) (e.g. "Stateful Tracking
Options"), but it is not mentioned as often as it is the default. IOW:
If you have not changed the default options, you may simply remove the
"flags S/SA keep state" string without changing much (except that it
might now also match UDP/ICMP).
Re: Configure NTP servers from DHCP response?
On Tuesday, 15.12.2015, 08:23 +, Stuart Henderson wrote:
> On 2015-12-14, Mark Carroll wrote:
> > I'm guessing that wanting to set ntpd's servers based
> > on what the DHCP server told the system is a fairly typical use case
>
> I don't think there's an easier way without modifying dhclient (and
> the latter is tricky with the current privilege model as it would need
> to at least signal ntpd to restart).

I am not sure either that modifying dhclient to restart ntpd would be
the clean approach. I'd rather poll dhclient.leases from ntpd. It
shouldn't be too tragic if it takes seconds or minutes for the new
configuration to become effective.
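An added example of the polling approach, written as a stand-alone script rather than a change to ntpd or dhclient (not from this thread; the lease file contents, the interface name and the output path are constructed or assumed): it reads the ntp-servers option of the newest lease in dhclient.leases, rewrites a "server" list only when the servers differ from the last run, and tells the caller whether a restart is needed.

```shell
#!/bin/sh
# Added example: a poller that reads the NTP servers the DHCP server handed
# out from dhclient.leases(5) and rewrites an ntpd.conf-style server list
# only when they change, so the caller knows when a restart is warranted.
# Stand-alone script, not a change to ntpd or dhclient.

# Print the ntp-servers of the most recent lease in FILE (the last "lease {"
# block wins), space separated. Prints nothing if no lease carried the option.
ntp_servers_from_leases() {
    awk '
    /^lease[ \t]*{/ { servers = "" }          # new block: forget the older lease
    /^[ \t]*option ntp-servers[ \t]/ {
        s = $0
        sub(/^[ \t]*option ntp-servers[ \t]+/, "", s)
        sub(/;[ \t]*$/, "", s)
        gsub(/,[ \t]*/, " ", s)               # "a,b" or "a, b" -> "a b"
        servers = s
    }
    END { print servers }' "$1"
}

# Rewrite CONF from the servers in LEASES. Returns 0 if CONF changed (the
# caller should then "rcctl restart ntpd"), 1 if it is unchanged, 2 if the
# lease offered no NTP servers (CONF is left alone).
update_ntpd_conf() {
    leases=$1; conf=$2
    new=$(ntp_servers_from_leases "$leases")
    [ -n "$new" ] || return 2
    tmp=$(mktemp)
    for s in $new; do printf 'server %s\n' "$s"; done > "$tmp"
    if [ -f "$conf" ] && cmp -s "$tmp" "$conf"; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$conf"
    return 0
}

# Constructed dhclient.leases with an older and a newer lease.
LEASES=$(mktemp)
cat > "$LEASES" <<'EOF'
lease {
  interface "em0";
  fixed-address 192.168.1.50;
  option routers 192.168.1.1;
  option ntp-servers 192.168.1.1;
  expire 1 2015/12/14 10:00:00 UTC;
}
lease {
  interface "em0";
  fixed-address 192.168.1.50;
  option routers 192.168.1.1;
  option ntp-servers 192.168.1.1,192.168.1.2;
  expire 2 2015/12/15 10:00:00 UTC;
}
EOF

# A real deployment would regenerate /etc/ntpd.conf from a template here;
# the example writes a temporary file instead.
CONF=$(mktemp)
if update_ntpd_conf "$LEASES" "$CONF"; then
    echo "servers changed, would run: rcctl restart ntpd"
    cat "$CONF"
fi
```

Run from cron every few minutes this gives exactly the "seconds or minutes" latency mentioned above, with dhclient left untouched and ntpd restarted only on an actual change.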
Re: OpenBSD 5.7-stable/OpenSMTPD 5.4.4 error: client did not present certificate
On Wednesday, 25.11.2015, 18:51 +0100, Gianluca D.Muscelli wrote:
> Hi, if i use verify in /etc/smtpd.conf sometimes I receive errors like
> this: [..]
> Nov 25 16:33:05 server smtpd[12808]: smtp-in: Disconnecting session
> 95548f7f974b7523: client did not present certificate
>
> Any suggestion to fix this problem?

There ain't any fix, because this behaviour is exactly the one that
you requested:

> listen on egress pki mail.example.it tls-require verify

smtpd.conf(5)
| If tls-require verify is specified, the client must provide a valid
| certificate to be able to establish an SMTP session.

If you don't want this, don't use it.

BTW, you have other problems as well (found out while trying to PM):

$ dig gianlucamuscelli.it MX
gianlucamuscelli.it.    85780   IN  MX  0 mail.gianlucamuscelli.it.
$ dig mail.gianlucamuscelli.it A
mail.gianlucamuscelli.it has address 192.168.1.30
$ dig mail.gianlucamuscelli.it
;; connection timed out; no servers could be reached
$ dig gianlucamuscelli.it NS
gianlucamuscelli.it.    85923   IN  NS  ns1.gianlucamuscelli.it.
gianlucamuscelli.it.    85923   IN  NS  ns2.gianlucamuscelli.it.
$ dig ns1.gianlucamuscelli.it A
ns1.gianlucamuscelli.it.    85923   IN  A   192.168.1.30
$ dig ns2.gianlucamuscelli.it
;; connection timed out; no servers could be reached
$ dig ns2.gianlucamuscelli.it A
ns2.gianlucamuscelli.it.    85923   IN  A   192.168.1.30
$ dig ns2.gianlucamuscelli.it
;; connection timed out; no servers could be reached
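The lookups above show MX and NS names pointing at a 192.168.0.0/16 address, which no host on the Internet can reach. As an added example (not from this thread), the script below is the check a mail admin can run against their own zone before blaming smtpd: it flags every public name whose A record lies in private or loopback space. The resolution results are constructed to mirror the thread; on a live system the function is fed from host(1) as shown in the comment.

```shell
#!/bin/sh
# Added example: flag public DNS names (MX, NS, A targets) that resolve to
# addresses other hosts on the Internet cannot reach. The resolution results
# below are constructed, modelled on the dig/host output quoted in the thread.

# Return 0 if ADDR lies in RFC 1918 private space or the loopback net.
is_private_v4() {
    case $1 in
        10.*|192.168.*|127.*)                   return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
        *)                                      return 1 ;;
    esac
}

# Read "name address" pairs on stdin and print one line per name whose address
# is not globally reachable. Returns 1 if any such name was found, else 0.
# Live input could come from:
#   for h in mail.example.net ns1.example.net; do
#       host -t A "$h" | awk '/has address/ { print $1, $4 }'
#   done | report_unreachable
report_unreachable() {
    found=0
    while read -r name addr; do
        [ -n "$name" ] || continue
        if is_private_v4 "$addr"; then
            printf '%s -> %s is not reachable from the Internet\n' "$name" "$addr"
            found=1
        fi
    done
    return $found
}

# Constructed results for the zone discussed above: the mail host and both
# name servers point at a 192.168.0.0/16 address; a fictitious web host
# resolves to a public (RFC 5737 documentation) address for contrast.
sample_records() {
    cat <<'EOF'
mail.gianlucamuscelli.it 192.168.1.30
ns1.gianlucamuscelli.it 192.168.1.30
ns2.gianlucamuscelli.it 192.168.1.30
www.example.net 203.0.113.10
EOF
}

sample_records | report_unreachable || echo "zone is unreachable from outside"
```

With both NS records unreachable the zone itself cannot be resolved by outside recursors, which is why the plain "dig" attempts time out; fixing the NS and MX addresses comes before any smtpd.conf tuning.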
Re: queueing example on pf.conf man page
Am Mittwoch, den 04.11.2015, 10:09 +0800 schrieb Glenn Faustino: > I notice that under queueing section of the pf.conf man page the total > child queues bandwidth exceed what's defined in the parent. Oops, now I found the /other/ example #| > Can the bandwidth on the child queues exceed what's defined in the > parent? Yes, it can. But probably it shouldn't be like this in the example. Index: pf.conf.5 === RCS file: /cvs/src/share/man/man5/pf.conf.5,v retrieving revision 1.545 diff -u -p -u -r1.545 pf.conf.5 --- pf.conf.5 16 Feb 2015 21:43:10 - 1.545 +++ pf.conf.5 4 Nov 2015 09:23:59 - @@ -1547,8 +1547,8 @@ The queues are then referenced by filter above). .Bd -literal -offset 4n queue rootq on em0 bandwidth 100M max 100M -queue http parent rootq bandwidth 60M burst 90M for 100ms -queue developers parent http bandwidth 45M +queue http parent rootq bandwidth 50M burst 75M for 100ms +queue developers parent http bandwidth 35M queue employees parent http bandwidth 15M queue mail parent rootq bandwidth 10M queue ssh parent rootq bandwidth 20M
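Review bot: the hunk lowers http from 60M to 50M and developers from 45M to 35M without a stated rationale; as this thread establishes, pf(4) accepts child sums above the parent, so the commit log should say the change is about keeping the man-page example self-consistent (developers 35M + employees 15M now equals http's 50M). Also worth confirming in the context the hunk cuts off after ssh: the visible rootq children (http 50M, mail 10M, ssh 20M) total 80M, so any further rootq children in the example must fit into the remaining 20M or the oversubscription is only moved one level up.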
Re: queueing example on pf.conf man page
On Wednesday, 04.11.2015, 13:37 +1100, Jason Tubnor wrote:
> While pf(4) will let you define and load queues that exceed the parent
> (top level) queue, when you start to load up your queues, you'll get
> congestion defeating the purpose of queuing. To what point, depends on
> your environment.

As long as you do not get congestion, you do not get queuing.

If I understood henning@ correctly, what you get is an H-FSC-like
queue. What is being defined with "bandwidth" is the "link-share
service curve". pf.conf(5) lets you specify an absolute "bandwidth"
parameter, because this format is more convenient and fits the typical
workflow, rather than a "m2" parameter. Basically it determines in
which ratio the bandwidth is shared between the flows (if and only if
there happens to be congestion). So 10M/10M/80M (that is what my
pf.conf(5) says by the way) is exactly the same as 1M/1M/8M or
20M/20M/160M.

> "All bandwidth values must be specified as an absolute value. The
> suffixes K, M, and G are used to represent bits, kilobits, megabits,
> and gigabits per second, respectively. The value must not exceed the
> interface bandwidth."

That is what it says, indeed. But AFAIK, this is only true for the
"root" queue because otherwise it won't have any effect.

-dd
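An added example (not from this thread) that turns the two points made here, and the "min" remark in the file-transfer thread above, into a check: a small linter for the queue lines of a pf.conf that prints each child's share of its parent (the ratio is all the link-share curve enforces), warns where children add up to more than their parent, and notes every "min", which is a real-time service curve. The queue lines it reads are a constructed fragment; the interface name is assumed.

```shell
#!/bin/sh
# Added example: a small linter for the "queue" lines of a pf.conf. For each
# child queue it prints its share of the parent's link-share bandwidth, warns
# where the children of a queue add up to more than the queue itself, and
# notes every "min" (a real-time service curve, which behaves differently
# from the link-share "bandwidth" when exceeded). Reads pf.conf on stdin.
lint_queues() {
    awk '
    # "60M" -> 60000000; the K/M/G suffixes of pf.conf(5).
    function tobits(v,    num, unit) {
        num = v + 0
        unit = substr(v, length(v), 1)
        if (unit == "K") return num * 1000
        if (unit == "M") return num * 1000000
        if (unit == "G") return num * 1000000000
        return num
    }
    $1 == "queue" {
        name = $2
        order[++nq] = name
        for (i = 3; i <= NF; i++) {
            if ($i == "parent")    parent[name] = $(i + 1)
            if ($i == "bandwidth") bw[name] = tobits($(i + 1))
            if ($i == "min")       rt[name] = $(i + 1)
        }
    }
    END {
        for (i = 1; i <= nq; i++) {
            q = order[i]
            if (q in parent) childsum[parent[q]] += bw[q]
        }
        for (i = 1; i <= nq; i++) {
            q = order[i]
            if ((q in parent) && bw[parent[q]] > 0)
                printf "%s: %.0f%% of %s\n", q, 100 * bw[q] / bw[parent[q]], parent[q]
            if ((q in childsum) && childsum[q] > bw[q])
                printf "WARNING %s: children sum %d exceeds bandwidth %d\n", q, childsum[q], bw[q]
            if (q in rt)
                printf "NOTE %s: min %s is a real-time service curve\n", q, rt[q]
        }
    }'
}

# Constructed pf.conf fragment: the http children add up to 70M on a 60M
# queue, and std carries a "min".
sample_pf_conf() {
    cat <<'EOF'
queue rootq on em0 bandwidth 100M max 100M
queue http parent rootq bandwidth 60M burst 90M for 100ms
queue developers parent http bandwidth 45M
queue employees parent http bandwidth 25M
queue mail parent rootq bandwidth 10M
queue std parent rootq bandwidth 20M min 10M default qlimit 1024
EOF
}

sample_pf_conf | lint_queues
```

Because only the ratios matter under congestion, scaling every "bandwidth" in the fragment by the same factor leaves the percentages unchanged; the one absolute value that has to be right is the root queue's, which should match the real link.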
Re: Suggested 1000BASE-LX adapter
On Tuesday, 27.10.2015, 13:01 +0100, Federico Giannici wrote:
> I have to install in an OpenBSD 5.8 amd64 a PCI-E ethernet card
> supporting 1000BASE-LX (i.e. 1Gbps with Single Mode Fiber).
>
> Usually we use Intel cards (em driver) but I found that the only Intel
> LX card has a PCI-X bus!

We have a couple of those, they are em(4), I used them with
1000BASE-LX10 SFPs of the same vendor:
http://www.allnet.de/en/allnet-brand/produkte/switches/netzwerkkarten/p/allnet-all0130-2sfp-pcie-1000m-dual-sfp-fiber-card-adapter-lc-fiber-opticef/

> What reliable LX NIC with PCI-E do you suggest?

I cannot really tell you anything about the reliability. I have not
tried to stress them yet, nor did I use those NICs continuously over a
prolonged period.

David
Re: match rules and priorities
On Friday, 09.10.2015, 07:56 +0300, Kimmo Paasiala wrote:
> On Thu, Oct 8, 2015 at 4:26 PM, Christer Solskogen
> > I boiled the rule down to this:
> > match proto tcp to port { http https } set prio 7
> >
> > But I still can't see that it does anything useful, as I don't see
> > any better speed on http with or without that rule.
> > What have I missed? :(
[..]
> Your downloads from the internet are
> incoming traffic on your internet facing network interface and can not
> be prioritized.

Well, actually it can[1]. But it involves some kind of reverse thinking
and hfsc queues. And if this link is indeed not the bottleneck, even in
the best case you can't win, but in the worst, you can screw up
awfully. This is why I asked Christer to try to identify the exact
limit that is being hit.

Christer, if you find out that traffic on the incoming connection (i.e.
the one from the last router of your provider to your OpenBSD machine)
is indeed the problem, post it to the list and I may give you better
instructions.

[1] The basic idea is to limit traffic to the internal LAN to a bit
less than the current bottleneck. This way you have control over the
outgoing traffic on the (artificial) bottleneck link and you may indeed
be able to do shaping. But this approach is of course complicated by
the fact that (a) it would involve hfsc queues instead of the default
prio ones and it will only work if the protocols running are
cooperative enough (i.e. predominantly TCP and no massive amounts of
flows).

Cheers
David
Re: match rules and priorities
On Thursday, 08.10.2015, 15:26 +0200, Christer Solskogen wrote:
> I boiled the rule down to this:
> match proto tcp to port { http https } set prio 7
>
> But I still can't see that it does anything useful, as I don't see any
> better speed on http with or without that rule.
> What have I missed? :(

You missed identifying the bottleneck. Effectively, traffic shaping
only has an impact on the bottleneck link. If this happens not to be
the priority queue that you just configured, then you basically added
just another fast lane to an empty motorway.
Re: Adding zombies to a pf table?
On Thursday, 24.09.2015, 10:39 +0200, Peter Hessler wrote:
> On 2015 Sep 23 (Wed) at 18:14:51 +0100 (+0100), Craig Skinner wrote:
> :Zombies are often attacking ports which don't have services running,
> :such as telnet (most popular indeed), mysql, 3551, 8080, 13272,
> etc.
> : [..]
> :I've tried to overload a match statement, but that won't work.
> :
>
> I've been playing with this, too. Overload won't work until the
> packet is processed by a userland process.

I remember to have done it once. But when I look into that old
configuration, I am not sure whether the "synproxy state" or the
"rdr-to 127.0.0.1 port 9" part of the rule did the trick.

-- 
David Dahlberg
Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845
Fraunhoferstr. 20, 53343 Wachtberg, Germany        | Fax: +49-228-856277
Re: rookie questions about flavors
On Wednesday, 23.09.2015, 14:55 +0200, Thuban wrote:
> 1. A snapshot is a build made at one time of the development, more
> recent than *-stable* flavor.

Correct.

> It is not *-current*. Can we consider a snapshot as an unreleased
> *5.8* at this time. Or is it above *5.8*?

At this point of time, it is fresher than 5.8. Look at -snapshot more
as the -current of a few days ago (depending on your architecture).

> 2. In order to build the system, one can choose :
> - to follow *-current* with `cvs -d$CVSROOT checkout -P src`
> - to follow *-stable* with `cvs -d$CVSROOT checkout -rOPENBSD_5_7 -P src`
>
> Is it possible to upgrade from 5.7 to 5.8 using this flag :
> cvs -d$CVSROOT checkout -rOPENBSD_5_8 -P src

Er, aye, never done it this way but I should think so, if you do it
carefully. You should follow the instructions on the website
nevertheless.

> 3. If one uses a 5.8 snapshot (i.e [1] ), is it possible to apply
> updates for 5.8 *-stable* later?

No, as -snapshot is already newer than 5.8.

> Sorry for the long message. I know the best is to use *-current* or a
> *-stable* flavor, but I wish to understand these points in order to
> keep things clean.

Well, usually there are two paths:

To follow -current:
* Use -snapshots
* Update to -current (CVS) when you require it (e.g. to test some new
  code).

To follow -stable(ish):
* Install a -release
* Update from CVS
* OR use errata patches
* OR use M:TIER stable service

-- 
David Dahlberg
Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845
Fraunhoferstr. 20, 53343 Wachtberg, Germany        | Fax: +49-228-856277
Re: bluetooth keyboard [was:Re: Intel Edison]
On Friday, 28.08.2015, 05:51 -0400, Quartz wrote:
> Basically, let's say I buy a bluetooth keyboard. Let's say it's a
> fancy model and is nice enough to come with a generic usb->bluetooth
> nub/dongle thingy I can plug in if my computer doesn't already have
> bluetooth capabilities. I plug it in. Does the keyboard then present
> to the OS as a raw keyboard, or does it present as some kind of special
> bluetooth device?

That depends on the vendor/on the concrete device. I have seen both
cases: That it presents itself (in my case) as a usb mouse, or as a
bluetooth dongle and bluetooth mouse.

-- 
David Dahlberg
Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845
Fraunhoferstr. 20, 53343 Wachtberg, Germany        | Fax: +49-228-856277
Re: Recommended Industrial PCs?
On Thursday, 27.08.2015, 09:42 +0200, Martin Haufschild wrote:
> Can you recommend specific models (maybe you had good experience
> with)? Compact models would be preferred.

NEXCOM NISE 3600E2:
http://www.nexcom.com/Products/industrial-computing-solutions/industrial-fanless-computer/core-i-performance/fanless-pc-fanless-computer-nise-3600e2-p2-p2e

This one works quite well for me. I did not try any graphics though,
and getting the serial console to work on at least one of the six
ports involved quite some guesswork in the BIOS and trial-and-error
afterwards. The 4-Port GE and the two port SFP NIC that can be seen in
the dmesg (em2-7) are not part of the factory configuration.

Deltatronic Siletium Professional 1HE:
http://www.deltatronic.de/en/19-rackmount-en/professional-1he

It's a nice small form-factor fan-less server (only 30cm deep).
Graphics are working (although you may see some errors in dmesg) as
soon as you're able to convince it that it better should not use the
(non-existent) LVDS as primary display. A big drawback is the thermal
design: While the devices may work well in air-conditioned offices and
server-rooms and moderate climate, you surely should not give them too
much work on a hot summer's day.

Shuttle DS437
http://global.shuttle.com/products/productsDetail?productId=1745

Highlights are that it is reasonably priced, comes with two re(4) NICs
and two serial ports. Some people seem to have problems booting it
without display attached ... strangely though, for me it works.

Disclaimer: I have not tested it very thoroughly. I do not know how it
behaves under load, don't know anything about wifi and graphics. For a
dmesg please consult the mailing list archives.
NEXCOM NISE 3600E2 OpenBSD 5.6 (GENERIC.MP) #2: Tue Oct 28 11:13:59 CET 2014 r...@stable-56-amd64.mtier.org:/binpatchng/work-binpatch56 -amd64/src/sys/arch/amd64/compile/GENERIC.MP real mem = 4153286656 (3960MB) avail mem = 4033941504 (3847MB) mpath0 at root scsibus0 at mpath0: 256 targets mainbus0 at root bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xeb800 (78 entries) bios0: vendor American Megatrends Inc. version "4.6.5" date 09/07/2012 bios0: INTEL Corporation ChiefRiver acpi0 at bios0: rev 2 acpi0: sleep states S0 S5 acpi0: tables DSDT FACP APIC FPDT MCFG HPET SSDT SSDT SSDT ASF! acpi0: wakeup devices PS2K(S0) PS2M(S0) P0P1(S0) USB1(S0) USB2(S0) USB3(S0) USB4(S0) USB5(S0) USB6(S0) USB7(S0) PXSX(S4) RP01(S0) PXSX(S4) RP02(S0) PXSX(S4) RP03(S0) [...] acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: Intel(R) Core(TM) i3-3120ME CPU @ 2.40GHz, 2392.63 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36, CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT, DS -CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,D EADLINE,XSAVE,AVX,F16C,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS cpu0: 256KB 64b/line 8-way L2 cache cpu0: smt 0, core 0, package 0 mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges cpu0: apic clock running at 99MHz cpu0: mwait min=64, max=64, C-substates=0.2.1.1.2, IBE cpu1 at mainbus0: apid 2 (application processor) cpu1: Intel(R) Core(TM) i3-3120ME CPU @ 2.40GHz, 2392.23 MHz cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36, CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT, DS -CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,D EADLINE,XSAVE,AVX,F16C,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS cpu1: 256KB 64b/line 8-way L2 cache cpu1: smt 0, core 1, package 0 ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins acpimcfg0 
at acpi0 addr 0xf800, bus 0-63 acpihpet0 at acpi0: 14318179 Hz acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus -1 (P0P1) acpiprt2 at acpi0: bus 7 (RP01) acpiprt3 at acpi0: bus -1 (RP02) acpiprt4 at acpi0: bus -1 (RP03) acpiprt5 at acpi0: bus -1 (RP04) acpiprt6 at acpi0: bus 8 (RP05) acpiprt7 at acpi0: bus -1 (RP06) acpiprt8 at acpi0: bus -1 (RP07) acpiprt9 at acpi0: bus -1 (RP08) acpiprt10 at acpi0: bus 1 (PEG0) acpiprt11 at acpi0: bus 2 (PEG1) acpiprt12 at acpi0: bus 6 (PEG2) acpiprt13 at acpi0: bus -1 (PEG3) acpiec0 at acpi0: not present acpicpu0 at acpi0: C2, C1, PSS acpicpu1 at acpi0: C2, C1, PSS acpipwrres0 at acpi0: FN00, resource for FAN0 acpipwrres1 at acpi0: FN01, resource for FAN1 acpipwrres2 at acpi0: FN02, resource for FAN2 acpipwrres3 at acpi0: FN03, resource for FAN3 acpipwrres4 at acpi0: FN04, resource for FAN4 acpitz0 at acpi0: critical temperature is 106 degC acpitz1 at acpi0: critical temperature is 106 degC acpibat0 at acpi0: BAT0 not present acpibat1 at acpi0: BAT1 not present acpibat2 at acpi0: BAT2 not present acpibtn0 at acpi0: PWRB acpibtn1 at acpi0: LID0 acpivideo0 at acpi0: GFX0 acpivout0 at acpivideo0: DD02 cpu0: Enhanced SpeedStep 2392 MHz: speeds: 2400, 2300, 2200, 2100, 2000, 1900, 1800, 1700,
Re: Recommended Industrial PCs?
On Wednesday, 26.08.2015, 21:11 +0200, Martin Haufschild wrote:
> > can someone recommend me an Industrial PC (IPC) to use with OpenBSD? I
> > would like to have a lot of hardware supported from this IPC by
> > OpenBSD.

Could you please explicate a bit? What exactly are you trying to do
with it, what are your requirements?

In the past, I have made good experiences with various Nexcom devices
-- and Shuttle if you would consider them "IPCs", too.

-- 
David Dahlberg
Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845
Fraunhoferstr. 20, 53343 Wachtberg, Germany        | Fax: +49-228-856277
Re: redirect nor vpn (as I know it) solves this problem
On Thursday, 13.08.2015, 22:10 -0400, Sonic wrote: > Problem is a device that, due to its limitations, must have a default > gateway that is not the default gateway of the OpenBSD router (unlike > the rest of the network) so I'm having difficulty connecting to it > from the outside world. Have you thought about placing a router at that hard-configured default gateway address, which forwards the packets to your BSD router (or sends ICMP redirects)? Alternatively, just configure that address on the internal interface of the router as an alias. > What I need to have happen is for the incoming packets to the > problematic device to have a source address in that private subnet > (the internal address of the router) so that the device sends return > packets to the right place instead of its configured default gateway > (which is not the router). Sounds like a typical use case for NAT to me (inbound nat-to). Alternatively, beam yourself into that network using some kind of L2 VPN. Possibilities would be EtherIP (gif(4)) or vxlan(4) over IPsec(4) or OpenVPN respectively. -- David Dahlberg Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845 Fraunhoferstr. 20, 53343 Wachtberg, Germany| Fax: +49-228-856277
Re: smtpd.conf.5 relay tls | verify
On Wednesday, 05.08.2015, 00:31 +0100, Jason McIntyre wrote: > if this were the case, i'd say we want: > [tls [verify]] Hmm, I think I have heard this proposal before ;-) https://marc.info/?l=openbsd-misc&m=140196108217209 > but the doc currently says: > > Note that the tls and verify options are mutually exclusive > and > should only be used in private networks as they will prevent > proper relaying on the Internet. - Note that the tls and verify options are mutually exclusive and + Note that the tls and tls verify options ? -- David Dahlberg Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845 Fraunhoferstr. 20, 53343 Wachtberg, Germany| Fax: +49-228-856277
Re: New: colortree
On Sunday, 19.07.2015, 16:13 +0200, David Dahlberg wrote: > A port for Steve Baker's "tree" program. Wrong list. Sorry.
New: colortree
A port for Steve Baker's "tree" program. As we have already a simpler, BSD-licenced alternative in ports, I used the gnugetopt/coreutils/colorls approach and renamed to "colortree", which is the author's preference. Cheers, David [demime 1.01d removed an attachment of type application/x-compressed-tar which had a name of colortree.tgz]
Re: SOHO IPv6 router problems
On Tuesday, 30.06.2015, 20:27 +0200, Patrik Lundin wrote: > We start out by enabling autoconf on em0 to get a default route via > fe80: > === > # ifconfig em0 inet6 autoconf > === > > The interface configuration now looks like this: [...] > em0: flags=208843 > mtu 1500 > lladdr d0:50:99:51:78:e8 > priority: 0 > groups: egress > media: Ethernet autoselect (1000baseT full-duplex) > status: active > inet XX.XXX.8.17 netmask 0xff80 broadcast XX.XXX.8.127 > inet6 fe80::d250:99ff:fe51:78e8%em0 prefixlen 64 scopeid 0x1 No global inet6 address available. Looks like autoconf did not succeed. > defrouter_select: called unexpectedly (forwarding=1) > nd6_ra_input: invalid prefixlen 48 for rfc2374 prefix > :XXX:::, ignored > === See? ;-) Okay, I probably know the problem: As RFC 2374 (superseded by 3587) is mentioned, SLAAC assumes a local part of 64: nd6_rtr.c:
| /* aggregatable unicast address, rfc2374 */
| if ((pi->nd_opt_pi_prefix.s6_addr8[0] & 0xe0) == 0x20
|     && pi->nd_opt_pi_prefix_len != 64) {
|         nd6log((LOG_INFO,
|             "nd6_ra_input: invalid prefixlen "
|             "%d for rfc2374 prefix %s, ignored\n",
|             pi->nd_opt_pi_prefix_len,
|             inet_ntop(AF_INET6, &pi->nd_opt_pi_prefix,
|                 src, sizeof(src))));
|         continue;
| }
It is a common assumption that autoconf only works on /64 prefixes. Even Wikipedia claimed this, citing the wrong RFC, which did not even support their claim m( True is, that SLAAC is defined in RFC 4826, that it is defined regardless of the prefix length, but /64 is assumed to be the usual one. Also true is, that OpenBSD seems to require a 64 bit prefix, just like most other implementations. I cannot estimate how much work it would be to support other prefix lengths (e.g. as EUI-64 cannot be used on non-64-bit prefixes) and whether or not it is a worthwhile target to pursue. Cheers, David
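The two SLAAC details discussed above, as an added example that is not part of the original post or of the OpenBSD source tree: a small userland C model of the nd6_ra_input() prefix-length check quoted from nd6_rtr.c, plus the modified EUI-64 interface identifier (RFC 4291, Appendix A) that SLAAC appends to a 64-bit prefix, which is the concrete reason a prefix of any other length cannot be autoconfigured with it. The function names and the sample prefixes are this example's own choices; the MAC address is the lladdr from the quoted ifconfig output (d0:50:99:51:78:e8), from which OpenBSD derived fe80::d250:99ff:fe51:78e8, and the code reproduces that derivation.

```c
/* Added example, not code from the original post or from the OpenBSD tree.
 * Userland model of two SLAAC details from the thread:
 *   1. the nd6_ra_input() check that ignores a 2000::/3 (RFC 2374-style
 *      aggregatable global unicast) prefix advertised with a length != 64;
 *   2. the modified EUI-64 interface identifier (RFC 4291 Appendix A) that
 *      SLAAC appends to a 64-bit prefix and that has no room in any other
 *      prefix length.
 * Function names and sample values are the example's own assumptions.
 * s6_addr is the portable name of the address byte array (the kernel code
 * quoted in the thread uses s6_addr8). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Same test as the quoted kernel code: top three bits 001 and length != 64
 * means the prefix information option would be logged and ignored.
 * Returns 1 when rejected, 0 when the prefix would be accepted. */
int ra_prefix_rejected(const struct in6_addr *prefix, int prefixlen)
{
    return ((prefix->s6_addr[0] & 0xe0) == 0x20) && prefixlen != 64;
}

/* Text wrapper: -1 on unparsable prefix text, otherwise as above. */
int ra_prefix_rejected_str(const char *prefix_str, int prefixlen)
{
    struct in6_addr prefix;

    if (inet_pton(AF_INET6, prefix_str, &prefix) != 1)
        return -1;
    return ra_prefix_rejected(&prefix, prefixlen);
}

/* Modified EUI-64 from a 48-bit MAC: the OUI, then ff:fe, then the NIC
 * part, with the universal/local bit (bit 1 of the first octet) inverted. */
void mac_to_modified_eui64(const uint8_t mac[6], uint8_t iid[8])
{
    iid[0] = mac[0] ^ 0x02;
    iid[1] = mac[1];
    iid[2] = mac[2];
    iid[3] = 0xff;
    iid[4] = 0xfe;
    iid[5] = mac[3];
    iid[6] = mac[4];
    iid[7] = mac[5];
}

/* Form the SLAAC address: the 64 prefix bits followed by the 64-bit IID.
 * Any other prefix length leaves no room for an EUI-64 IID, so the
 * function refuses it with -1 instead of guessing. */
int slaac_address(const struct in6_addr *prefix, int prefixlen,
                  const uint8_t mac[6], struct in6_addr *out)
{
    uint8_t iid[8];

    if (prefixlen != 64)
        return -1;
    mac_to_modified_eui64(mac, iid);
    memcpy(out->s6_addr, prefix->s6_addr, 8);
    memcpy(out->s6_addr + 8, iid, 8);
    return 0;
}

/* End to end on text: apply the RA check, then build the address.
 * Returns 0 and fills buf on success; -1 bad prefix text or output
 * buffer, -2 the RA would be ignored by the nd6_ra_input() check,
 * -3 the prefix length is unusable for an EUI-64 IID. */
int slaac_address_str(const char *prefix_str, int prefixlen,
                      const uint8_t mac[6], char *buf, size_t buflen)
{
    struct in6_addr prefix, addr;

    if (inet_pton(AF_INET6, prefix_str, &prefix) != 1)
        return -1;
    if (ra_prefix_rejected(&prefix, prefixlen))
        return -2;
    if (slaac_address(&prefix, prefixlen, mac, &addr) != 0)
        return -3;
    if (inet_ntop(AF_INET6, &addr, buf, buflen) == NULL)
        return -1;
    return 0;
}

/* Constructed sample: the lladdr from the quoted ifconfig output. */
const uint8_t sample_mac[6] = { 0xd0, 0x50, 0x99, 0x51, 0x78, 0xe8 };

int main(void)
{
    const char *prefixes[] = { "fe80::", "2001:db8::", "2001:db8::" };
    const int lengths[] = { 64, 64, 48 };  /* the last one is the rejected RA */
    char buf[INET6_ADDRSTRLEN];
    size_t i;

    for (i = 0; i < 3; i++) {
        int rc = slaac_address_str(prefixes[i], lengths[i], sample_mac,
                                   buf, sizeof(buf));
        if (rc == 0)
            printf("%s/%d -> %s\n", prefixes[i], lengths[i], buf);
        else
            printf("%s/%d -> rejected (rc=%d)\n", prefixes[i], lengths[i], rc);
    }
    return 0;
}
```

The link-local case reproduces the address in the quoted ifconfig output, and the /48 global prefix is refused at exactly the point where the kernel logged "invalid prefixlen 48 for rfc2374 prefix". Note that the kernel check only fires for 2000::/3; a link-local prefix with a wrong length would pass it and fail later, when no 64-bit IID fits.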
Re: ThinkPad X1 Carbon Gen3
> On 27.06.2015 at 05:37, Masao Uebayashi wrote: > > - ZZZ > - Disabling TPM doesn't help hibernation. > - I tried disabling various devices (iwm, em, xhci, ehci, ...). Didn't >help instability of hibernation. > - Most failures are not recognizing hibernation (`/ was not properly >unmounted') > - Unhibernation succeeds when you are really lucky. :) Cannot confirm this here. Unhibernation works fine. Did you disable that "Intel Rapid Start" thingy in the BIOS' "Power" settings?
Re: dnssec-signzone and NSEC3
On Friday, 26.06.2015, 09:53 +0200, Peter J. Philipp wrote: > I can't find the -3 - option to generate NSEC3 RR's with > dnssec-signzone. Am I reading the manual page wrong or is this a > missing feature? If it is I'll probably leave NSEC3 out. That's because old OpenBSD used an old version of ISC Bind (and thus an old version of dnssec-tools). Solution 1 (ISC): Get a newer version of bind from ports. You do not need to use the bind itself, it's the /usr/local/bin/dnssec-signzone you're looking for. Solution 2 (NLnet Labs): Get ldns from ports. Cheers David
Re: nsd configuration problem
On Thursday, 25.06.2015, 11:42 +0100, Graham Stephens wrote: > I'm trying to replace several boxes (firewall, file server, mail > server) > with one virtualized one. [..] So actually you do not want to serve names of a domain (say "thestephensdomain.com") to the Internet, but you want the OpenBSD box to resolve names on behalf of its clients in the LAN. Short answer: Do not use NSD, use unbound. > ifconfig lo: [..] I requested this information because of your queries being resolved sometimes, sometimes not. Just wanted to be sure that there are not multiple kinds of DNS servers running on multiple lo interfaces. > resolv.conf (no .tail): > > lookup bind files > search domain.com > nameserver 127.0.0.1 > nameserver 208.67.222.222 This explains why a local lookup without specifying the resolver's name works: nslookup will use the NSD first, NSD will return "forbidden", nslookup will then proceed to 208.67.222.222 which gives you the expected answer. David
Re: Any books about OpenBSD ARM programming?
On Wednesday, 24.06.2015, 17:26 +0200, Piotr Kubaj wrote: > I want to install OpenBSD on my BeagleBone Black and write some > simple > programs using I/O pins. Are there any tutorials on this? Additionally to what the others did say, you probably should have a look into the (code of the) gpioctl tool, as this is basically a minimal wrapper for the functionality that you're intending to use. David
Re: nsd configuration problem
On Wednesday, 24.06.2015, 18:02 +0100, Graham Stephens wrote: > I've tried to set up nsd on 5.7 x64 and it's not working as it > should, > but I'm lost as to where to look to correct the issue. I was hoping > for > some pointers. :) Okay. First of all, I hope you are aware of the difference between an authoritative name server and a (recursive) resolver? NSD is an authoritative name server. > Starting nsd causes three processes to start - is this normal? It is. > If I use "nslookup blahname 127.0.0.1" from the local host, I get a > response as expected. I do not really know the nslookup tool. What are the contents of "/etc/resolv.conf[.tail]", what are the results of "ifconfig lo" and "netstat -anf inet[6]"? > Just using "nslookup blahname" gives as error of: > ";; Got recursion not available from 127.0.0.1, trying next server". > > From another machine on the lan, using "nslookup blahname" returns: > > "Server: blahname2.domain.com > Address: 10.0.2.1 > > *** blahname2.domain.com can't find blahname: Query refused" Both results look the same (although probably generated by a different tool?) and tell you that recursion is not allowed. > Any ideas what the issue(s) might be? If you would please elaborate a bit about your setup and what you're intending to achieve, then I would probably tell you that you should use unbound (a resolver) instead of NSD (an authoritative name server). David
Re: Thinkpad E550
On Monday, 22.06.2015, 09:13 +, David Dahlberg wrote: > I have one the newer iwm's at home. Checking whether it is one of > those > that you were addressing was on my TODO list, but unfortunately it > seems to have fallen off :-( (BCC to self as a reminder). Sorry for alerting you, it was a 7265. And even though it is printing a lot of "iwm0: could not initate scan" into dmesg, it seems to work pretty well.
Re: Thinkpad E550
On Monday, 01.06.2015, 17:51 +0200, Stefan Sperling wrote: > > > iwm0 at pci2 dev 0 function 0 "Intel Dual Band Wirelsss AC 3160" > > rev 0x93, > > So 3160 intel cards work fine? Excellent! First time I've seen one > reported. > It seems we have typo in the pcidevs file ("Wireless" vs. > "Wirelsss"). I have one of the newer iwm's at home. Checking whether it is one of those that you were addressing was on my TODO list, but unfortunately it seems to have fallen off :-( (BCC to self as a reminder). The snapshot that is currently running there is slightly older than your patch. It was showing that "error on scanning" message, but was otherwise working. I will come back when I have more info. > > Can't comment on your suspend/graphics problems, unfortunately. > The Intel 5500 is one of the Broadwells, which are not yet supported in any of the BSDs. Dragonfly seems to be working on it though[1]. As a workaround for the freezing X server, jcs@ advised me to kill the X server by putting the following line into /etc/X11/xdm/xdm-config: DisplayManager.*.resetSignal: 9 [1] http://www.dragonflybsd.org/docs/newhandbook/docs/newhandbook/BroadwellBoxes/ -- David Dahlberg Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845 Fraunhoferstr. 20, 53343 Wachtberg, Germany| Fax: +49-228-856277
Re: "when SSDs are not so solid" or why no TRIM support can be a good thing :)
On Thursday, 18.06.2015, 02:15 +0530, Mikael wrote: > 2015-06-18 2:07 GMT+05:30 Gareth Nelson : > No I meant, you plug in a 2TB SSD and a 2TB magnet HD, is there any way to > make them properly mirror each other [so the SSD performance is delivered > while the magnet disk safeguards contents] - would you use softraid here? No. If you use a RAID1, you'll get the performance of the worse of both disks. To support multiple disks with different characteristics and to get the most out of it was AFAIK one of the motivations for Matthew Dillon to write HAMMER. -- David Dahlberg Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845 Fraunhoferstr. 20, 53343 Wachtberg, Germany| Fax: +49-228-856277
Re: System hangs on exiting X (Lenovo X1C3)
From: joshua stein -- Sent: 2015.05.29 - 19:00 > It is probably not the whole system hanging, but X with the VESA > driver seems to have some trouble exiting cleanly so you just get a > hung X server that won't respond to switching back to the console > (or allow XDM to respawn X). > > If you're using XDM, adding this to /etc/X11/xdm/xdm-config may help > until the actual problem in Xorg or the VESA driver can be located > and fixed: > > DisplayManager.*.resetSignal: 9 This leads me to the situation that I get indeed a brand new, working X server. Graphics on C0-3 is still mixed up or blank, but typing blindly, I can confirm that there is a working system underneath it.
System hangs on exiting X (Lenovo X1C3)
Hi, I am experiencing regular hangups (display freezes, switching to console not possible, does not respond to power button) when exiting X on a brandnew Lenovo X1 Carbon Gen. 3 (Type 20BB). I can reproduce this behaviour on freshly installed systems (5.7 and -snapshot): Start fvwm (XDM or startx), left-click on desktop -> quit. Syslog and xorg.log do not show anything suspicious to me. Could anyone please instruct me about how to generate/where to find more useful debugging information? Cheers David --- dmesg --- OpenBSD 5.7-current (GENERIC.MP) #1015: Wed May 27 11:44:27 MDT 2015 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP RTC BIOS diagnostic error 80 real mem = 8260685824 (7878MB) avail mem = 8006488064 (7635MB) mpath0 at root scsibus0 at mpath0: 256 targets mainbus0 at root bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xacbfd000 (66 entries) bios0: vendor LENOVO version "N14ET28W (1.06 )" date 03/12/2015 bios0: LENOVO 20BSCTO1WW acpi0 at bios0: rev 2 acpi0: sleep states S0 S3 S4 S5 acpi0: tables DSDT FACP ASF! 
HPET ECDT APIC MCFG SSDT SSDT SSDT SSDT SSDT SSDT SSDT SSDT SSDT PCCT SSDT UEFI MSDM BATB FPDT UEFI DMAR acpi0: wakeup devices LID_(S4) SLPB(S3) IGBE(S4) EXP2(S4) XHCI(S3) EHC1(S3) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpihpet0 at acpi0: 14318179 Hz acpiec0 at acpi0 acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz, 798.29 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,RDSEED,ADX,SMAP cpu0: 256KB 64b/line 8-way L2 cache cpu0: smt 0, core 0, package 0 mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges cpu0: apic clock running at 99MHz cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4, IBE cpu1 at mainbus0: apid 1 (application processor) cpu1: Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz, 798.16 MHz cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,RDSEED,ADX,SMAP cpu1: 256KB 64b/line 8-way L2 cache cpu1: smt 1, core 0, package 0 cpu2 at mainbus0: apid 2 (application processor) cpu2: Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz, 798.16 MHz cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,RDSEED,ADX,SMAP cpu2: 256KB 64b/line 8-way L2 cache cpu2: smt 0, core 1, package 0 cpu3 at mainbus0: apid 3 (application processor) cpu3: Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz, 798.16 MHz cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,RDSEED,ADX,SMAP cpu3: 256KB 64b/line 8-way L2 cache cpu3: smt 1, core 1, package 0 ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 40 pins acpimcfg0 at acpi0 addr 0xf800, bus 0-63 acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus -1 (PEG_) acpiprt2 at acpi0: bus 3 (EXP1) acpiprt3 at acpi0: bus 4 (EXP2) acpiprt4 at acpi0: bus -1 (EXP3) acpiprt5 at acpi0: bus 10 (EXP6) acpicpu0 at acpi0: C3, C1, PSS acpicpu1 at acpi0: C3, C1, PSS acpicpu2 at acpi0: C3, C1, PSS acpicpu3 at acpi0: C3, C1, PSS acpipwrres0 at acpi0: PUBS, resource for XHCI, EHC1 acpipwrres1 at acpi0: NVP3, resource for PEG_ acpipwrres2 at acpi0: NVP2, resource for PEG_ acpitz0 at acpi0: critical temperature is 128 degC acpibtn0 at acpi0: LID_ acpibtn1 at acpi0: SLPB acpibat0 at acpi0: BAT0 model "00HW002" serial 511 type LiP oem "LGC" acpibat1 at acpi0: BAT1 not present acpiac0 at acpi0: AC unit offline acpithinkpad0 at acpi0 cpu0: Enhanced SpeedStep 798 MHz: speeds: 2201, 2200, 2100, 2000, 1800, 1700, 1600, 1500, 1300, 1200, 1100, 1000, 900, 700, 600, 500 MHz pci0 at mainbus0 bus 0 pchb0 at pci0 dev 0 function 0 "Intel 
Core 5G Host" rev 0x09 vga1 at pci0 dev 2 function 0 "Intel HD Graphics 5500" rev 0x09 intagp at vga1 not configured wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) azalia0 at pci0 dev 3
Re: 5.7 upgrade question
On Thursday, 23.04.2015, 09:51 -0400, Joseph Oficre wrote: > As i see http://www.openbsd.org/faq/upgrade57.html 5.7 upgrade guide is > ready. So if i want to upgrade from my 5.6 release i should use "bsd.rd" > from latest snapshot. Where did you read that, I did /not/ find this in the upgrade guide. > So, can i swap it to 5.7 release package tree after may 1 without getting > troubles? (cuz i dont want to update snapshots offten) Not at all. Snapshots are based on -current and thus /newer/ than the upcoming 5.7-release. If you want to follow -release or -stable, please wait until May or until you received your CD set. -- David Dahlberg Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845 Fraunhoferstr. 20, 53343 Wachtberg, Germany| Fax: +49-228-856277
Re: IPSec and Cisco peers
On Tuesday, 07.04.2015, 16:28 +0200, jean-yves boisiaud wrote: > I'm using IPSec with OpenBSD. [..] > As the remote IT engineers wanted me to enable DPD, I changed the ipsec > configuration from active to dynamic, but nothing changes. I remember I once had some issues with DPD too. IIRC "dynamic" was not what I wanted for some reason. A quick glance at the manpage suggests to me that it might be that "dynamic" will also use "hostname" as ID parameter, whilst IKE allows only IP addresses according to the standard (RFC 2409, 5.4). What I finally did was simply to enable DPD by default in isakmpd.conf (you want to have it always on anyways). Cheers David -- David Dahlberg Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845 Fraunhoferstr. 20, 53343 Wachtberg, Germany| Fax: +49-228-856277
Re: Help needed: pkg_add dropps connections
On Wednesday, 18.02.2015, 08:46 +0100, Stefan Wollny wrote: > Only with 'pkg_add' the connection is > entirely gone and 'pkg_add' subsequently complains about 'No route to > host'... and only on this particular machine. Just wildly guessing here: At least on Linux, the kernel will reply "No route to host" not only if there is no route in the routing table, but also if it received an ICMP "dest unreach", including "admin prohibited". Maybe it would be useful to tcpdump the line (maybe add lo0 in case it's something locally generated) to see if something suspicious is happening when the connection terminates. -- David Dahlberg Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845 Fraunhoferstr. 20, 53343 Wachtberg, Germany| Fax: +49-228-856277
Re: Full disk encryption and keyboard
On Sunday, 11.01.2015, 20:45 +, etie...@magickarpet.org wrote: > Is there a way to have a different keymap in boot? Not that it's really > necessary to type "boot bsd.rd", but it would be much more efficient > when typing a passphrase to decrypt a softraid partition to boot from. Well, even if you could (I found no hint in boot(8)), you would have to take some serious deviations to achieve your goal because of a bootstrapping problem: The bootloader loads its parameters from /etc/boot.conf, which by default is located on the (encrypted) root partition. For more info you may grep for "softraid" and "set tty com0" in the mailinglist archives. -dd -- David Dahlberg Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845 Fraunhoferstr. 20, 53343 Wachtberg, Germany| Fax: +49-228-856277
Re: Any experience running OpenBSD 5.6 or current on a Shuttle DS437?
On Sunday, 21.12.2014, 05:26 +0100, Martin Hanson wrote: > Hi, > > If so, how well does the driver for the two NICs work? How does the box > perform in general? I have a relatively fresh install of a 5.6 on a DS437. As it is still new, I cannot really tell you much about the performance. But at least the hardware fulfills my requirements (low-power, fanless, 24h) and all the important parts seem to be reasonably well supported by OpenBSD:
Works:
* USB 2 ports
* 2 Ethernet NICs "re(4)"
* 2 serial ports (tested RS232 mode)
* APM
* DVI-D
Did not test:
* HDMI
* USB 3
* SD card reader
* Audio
Does not work:
* Broadcom wifi card (but can be easily replaced if necessary)
The device does indeed boot without a monitor connected. I do not know whether or not the monitor works if not connected during boot. But for me it works fine as a headless home server. If I need a recovery console, I will connect on the COM port anyway, as carrying a laptop and a serial cable is IMHO easier than carrying keyboard and monitor. Cheers David -- David Dahlberg Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845 Fraunhoferstr. 20, 53343 Wachtberg, Germany| Fax: +49-228-856277
Re: DNS over IPSec weirdness
First of all, I have no real clue. It sounds weird. But maybe I can help you at least with that one: On Thursday, 11.12.2014, 16:13 +, Zé Loff wrote: > However, if I try to do something like "ping -c 1 www_lan.foo.bar" (or > e.g. ssh) I can see the packets with the DNS request pass through enc0 > on the tunnel (and on the physical interface too) but nothing traffic > shows up on enc0 on the other endpoint (I do believe they show up on > the > physical interface on that end, but my tcpdump foo isn't good enough > to > be sure). You can get the IPsec SA SPIs and keys with the "ipsecctl -k -sa" command. Feed them into tcpdump with "-E espalg:espkey" (please read the man page before you do so). Wireshark may also decrypt your stream via the ESP protocol settings. -dd -- David Dahlberg Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845 Fraunhoferstr. 20, 53343 Wachtberg, Germany| Fax: +49-228-856277
Re: simple way to block one word domains?
On Tuesday, 09.12.2014, 11:01 -0500, Ted Unangst wrote: > Curious if anyone knows a simple way to prevent resolution of one word > hostnames. Maybe I just think too simply here, but how about just switching on DNSSEC ("auto-trust-anchor-file" in unbound.conf)? David -- David Dahlberg Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845 Fraunhoferstr. 20, 53343 Wachtberg, Germany| Fax: +49-228-856277
Re: PF rules loading bug on OpenBSD 5.6
On Wednesday, 03.12.2014, 11:08 +0800, Cosmo Wu wrote: > > and it parsed correctly using > command " pfctl -nf /etc/pf.conf.test" > > > > when I loaded it from the > command " pfctl -f /etc/pf.conf.test " > > > > it grumbled: > > > > pfctl: > DIOCXCOMMIT: Invalid argument Happens usually if the pf.conf is indeed correct if read on its own, but something else in the current state of pf leads to a different result of a line than you might expect. In my case, usually flushing the queues before reloading them from pf.conf helps. -dd -- David Dahlberg Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845 Fraunhoferstr. 20, 53343 Wachtberg, Germany| Fax: +49-228-856277
Re: nsd_flags
On Thursday, 06.11.2014, 21:24 +0100, Maurice Janssen wrote: > I suppose the comment in rc.conf should be: for normal use: "" > Just like most other services. Is that correct? A look into rc.subr:
| eval _rcflags=\${${_name}_flags}
[..]
| [ -n "${_rcflags}" ] && daemon_flags=${_rcflags}
Seems that you are correct. Default flags are used when the script is not configured in rc.conf.local (i.e. started by distribution default, script started with "-f" or package script), or when flags="". So how do you define a service to start without any flags set? Seems up to 5.5 you would have to set ${daemon}_flags=" ". But does this still work with the parsed rc.conf.local from 5.6?
| _val=${_l##*([!=])=*([[:blank:]])}
| _val=${_val%%#*}
| _val=${_val%%*([[:blank:]])}
| # remove leading and trailing quotes (backwards compat)
| [[ $_val == @(\"*\"|\'*\') ]] && _val=${_val#?} _val=${_val%?}
Looks like _val is being trimmed. So " " should still work as "backwards compat". For me the question is whether there is a use case for starting an rc.d script (which has defined default flags) without any flags. If so, the line "[ -n "${_rcflags}" ] && daemon_flags=${_rcflags}" should probably be changed to just "daemon_flags=${_rcflags}" (the rc.conf manpage implies this behaviour) or the manpage should be changed accordingly. Regards David -- David Dahlberg Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845 Fraunhoferstr. 20, 53343 Wachtberg, Germany| Fax: +49-228-856277
Re: IPv6 nonfunctional after upgrade from 5.5 to 5.6
On Monday, 03.11.2014, 12:04 -0500, Sly Midnight wrote: > [Problems with inet6 in 5.6] 5.6 disables IPvN by default (i.e. unless you configure it). Please try to add "inet6 eui64" to all hostname.if files or "ifconfig $if inet6 eui64" to dynamically configured interfaces/tunnels, where you require IPv6, but do not configure it explicitly by another statement (that is by "rtsol" or by explicitly configuring an IP address). I had a case where I fell over a quagga_ripngd, which according to the config and log files looked fine, yet did not send nor receive any PDUs. Cheers David -- David Dahlberg Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845 Fraunhoferstr. 20, 53343 Wachtberg, Germany| Fax: +49-228-856277
Re: hang at syncing disks... done
On Thursday, 21.08.2014, 16:38 +0200, Marko Cupać wrote: > I have just installed OpenBSD 5.5 on my ThinkPad T440. At first glance > everything seems to work OK, except for the fact that, when shutting > down or restarting, system hangs at 'hang at syncing disks... done'. vi /etc/rc.shutdown -dd -- David Dahlberg Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845 Fraunhoferstr. 20, 53343 Wachtberg, Germany| Fax: +49-228-856277
Re: openbgpd ipv6 nexthop
On Wednesday, 20.08.2014, 08:25 +0200, Henning Brauer wrote: > > trying to do the same for IPv6, the set nexthop statement in the bgpd.conf > > has no effect. The cisco receives the prefixes with the non-carp IP of each > > firewall as nexthop. > > that smells like a bug. I can confirm that I've seen this behaviour also. Yet I thought the reason would be more of the kind that I did evil things[tm] to bgpd. And maybe stuff like ":::10.0.0.1" would somehow not be regarded as a valid next_hop address for IPv6. Mickael, can you confirm that a route towards "2a02:d48:2f:1c::1:4" is in your rtable 0 FIB? -dd -- David Dahlberg Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845 Fraunhoferstr. 20, 53343 Wachtberg, Germany| Fax: +49-228-856277
Re: hp proliant dl 320e gen 8 for openbsd 5.5 64 bit ?
On Thursday, 07.08.2014, 18:51 +0530, Indunil Jayasooriya wrote: > Try to change the harddrive settings in BIOS. > > They are probably defaulting to "raid"-mode, which doesn't work under > > OpenBSD. > > > i.e - does NOT this server's Hardware Raid (Mirror) work under > OpenBSD? Will I have to go with Software RAID? If it is a real[TM] RAID controller, OpenBSD won't see the separate harddisks at all. Whether or not now the RAID controller will be accepted as a "harddisk" by OpenBSD depends pretty much on the model you bought. I.e. whether or not OpenBSD supports that type of "harddisk". On the other hand, if you did not explicitly order a RAID controller, but went by the colourful leaflets you were presented by your hardware vendor, you probably got some "Intel Matrix RAID" or something. This is not really a hardware RAID, but just RAID in (Windows) driver software. As the above mentioned type of "hardware RAID" is really nothing else than software RAID with a BIOS flag, you may as well go with standard software RAID, which has even the advantage that you may monitor it with standard OS tools. Cheers David -- David Dahlberg Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845 Fraunhoferstr. 20, 53343 Wachtberg, Germany| Fax: +49-228-856277
Re: Relationship Between VLANs and Physical Interfaces in PF
On Tuesday, 05.08.2014, 17:05 +0100, Andy wrote: > Considering all this, there should never be a good reason to apply > queues to the VLAN interfaces at all? Well, there may be. For example a VLAN may indeed just represent a port on a switch elsewhere, where a certain policy applies (e.g. do not send me more than 2Mbit, even if the physical connection is 1GE). But of course, one may realize that with several (non-sharing) queues on the physical interface and the right selectors, as Henning suggested. David -- David Dahlberg Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845 Fraunhoferstr. 20, 53343 Wachtberg, Germany| Fax: +49-228-856277
Re: Relationship Between VLANs and Physical Interfaces in PF
On Tuesday, 05.08.2014, 08:36 +0200, Henning Brauer wrote: > queueing on vlan is pretty meaningless. > however, classification can happen anywhere, so assign queues on your > vlan interface and create them on the physical one, things will Just > Work (tm). Strangely, the following (simplified) setup seems to work here on 5.5 nevertheless:
queue vlan33q on vlan33 bandwidth 2M, max 2M
match out on vlan33 all set queue vlan33q
In "pfctl -sq" this looks exactly like I expected and it does exactly what I intended it to do. But as you (if anybody) indeed should know what happens: please tell me what the above config actually does. Will the first line silently add a vlan33q to re0 that still does what it is intended? OTOH, adding a queue to a GRE interface does not work indeed. Regards David -- David Dahlberg Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845 Fraunhoferstr. 20, 53343 Wachtberg, Germany| Fax: +49-228-856277
Re: IPSEC with redundant remote peer address
On Monday, 04.08.2014, 20:36 +, Peter van Oord van der Vlies wrote: > Does anyone know a way to build a setup when remote IPSEC endpoint got a > failover setup on the IPSEC side ? On cisco IOS it's possible to configure > multiple peers, when a peer dies it will try the other on the list. > > Anyone tried to fix this when the remote end is a cisco IOS device and other > side is openbsd box ? If you want the OpenBSD side to be redundant, use CARP and sasyncd. The OpenBSD boxes will look like only one machine to the Cisco, and there is no need even to enable this fallback feature on the Cisco. If you want the Ciscos to be redundant, you have multiple options. I do not know enough of Cisco to be able to tell you whether or not one may cluster their routers/VPN gateways. But you have multiple options to emulate the fallback behaviour that you described above. 1) Just configure two tunnels, to both Cisco gateways. Give one route(8) -priority, or use a dynamic routing protocol. 2) You may use ifstated or similar to monitor the gateways and tunnels and switch over when indicated. 3) What you probably can do on the Cisco, which kind of emulates a CARP w/o sasyncd setup, is to configure the VPN on a VRRP interface. The disadvantage of the last setup is that you will need both peers to notice that the tunnel is broken and to re-establish it. So please be sure to enable DPD (IKE1)/liveness checks (IKE2)/keepalives (Cisco). Cheers David -- David Dahlberg Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845 Fraunhoferstr. 20, 53343 Wachtberg, Germany| Fax: +49-228-856277