Re: Why anyone in their right mind would like to use NAT64

2012-10-24 Thread Jussi Peltola
On Wed, Oct 24, 2012 at 12:43:12PM -0400, Daniel Ouellet wrote:
 Hi,
 
 Just saw a few questions and patch for NAT64 on misc and tech@ and I
 am really questioning the reason to be for NAT64 and why anyone in
 their right mind would actually want to use this?

To reach v4 only hosts, d'oh?
 
 In IPv6, the smallest assigned to remote site is so big anyway and
 based on the RFC recommendation to provide a /48 to remote site and
 even a /56 to a single house, how could anyone possibly think he/she
 would even run out of IPs and need NAT64?
 
This is a utopian dream, the reality is /64 or /128s in many places. This
is useless for anyone with a router unless you start playing with proxy
ndp which will end in tears, or NAT. But I really do not see what on
earth does this have to do with NAT64 at all.

 Isn't it just a side effect of a sadly misguided use of NAT in
 IPv4 as a firewall carry over to a IPv6 world instead of starting to
 do proper setup now that IP's will be plentiful anyway?
 
NAT will not go away, there are plenty of corner cases where it is
useful (like management networks where you cannot put each management
interface in a vrf.) Companies will also very likely want to keep
private addresses internally; NAT is easier for many cases than having a
separate routable address on every host.

NAT is a necessary evil, and it really is not that bad when operated
voluntarily by the same party as the end-hosts behind it. The real
problem is CGN; I doubt any ISP is going to NAT when it is not
absolutely necessary because it is expensive and painful.



Re: Why anyone in their right mind would like to use NAT64

2012-10-24 Thread Jussi Peltola
On Wed, Oct 24, 2012 at 02:43:14PM -0400, Simon Perreault wrote:
 What you need to multihome is either BGP or NAT. Exactly as in IPv4.
 Nothing has changed. The only new thing with IPv6 is that there's
 more bits.
 
Oh? I have two internet connections plugged directly into my desktop box
at home, it is multihomed and there is no BGP or NAT. This does need
some policy routing to work with uRPF filtered access lines.

With IPv6 multihoming should work trivially: plug two access lines into
a switch, get RAs from both, get addresses from both on your end-host,
and your end-host needs to select the proper route for each source
address. Again, no NAT or BGP. Applications will need to support hosts
having multiple addresses in the future, and happy eyeballs seems to
have made browsers do that.

There is also a considerable advantage against multihoming where hosts
only have 1 address configured: if the application tries to use all
source addresses available, you can get to google even if one of your
access lines has no connectivity to them; with BGP multihoming you will
not, with v4 NAT style multihoming you possibly can if it does
round-robin and you try again.

Add SCTP to this puzzle, and you should be able to roam seamlessly from
WLAN to 3G to WLAN without your ssh sessions breaking. mosh already more
or less does this. With multiple addresses and default routes per host,
and SCTP or multipath TCP, you should also be able to load-share one
connection among multiple internet connections.

End hosts need to get smarter, instead of the network adapting to their
stupidity. But I'm not holding my breath.
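The host-side behaviour described above (a next hop chosen by source address so that uRPF-filtered lines accept the packet, and an application that tries every local address before giving up) as an added Python illustration. This is not code from the thread and not OpenBSD's routing code; the uplink names, prefixes, link-local gateways and the reachability table are constructed, and the connect attempt is an injected probe rather than a real socket, so it runs offline.

```python
"""Per-source-address routing on a host with two access lines, plus a
connect loop that tries every local source address before giving up.
Added illustration only; the network below is a constructed model."""
import ipaddress
from typing import Callable, Dict, Iterable, Optional, Set, Tuple

# Constructed: each access line advertised its own prefix via RA and the
# host configured one address from each.  A line that does uRPF will only
# accept packets sourced from its own prefix, so the next hop has to be
# chosen by *source* address, not by destination.
UPLINKS = {
    "line-a": {"prefix": "2001:db8:a::/64", "gateway": "fe80::a%em0"},
    "line-b": {"prefix": "2001:db8:b::/64", "gateway": "fe80::b%em0"},
}
HOST_ADDRESSES = ["2001:db8:a::10", "2001:db8:b::10"]


def route_for_source(src: str) -> Optional[Tuple[str, str]]:
    """Policy routing: return (uplink, gateway) for the uplink whose RA
    prefix contains `src`, or None if no line would accept that source."""
    addr = ipaddress.ip_address(src)
    for name, up in UPLINKS.items():
        if addr in ipaddress.ip_network(up["prefix"]):
            return name, up["gateway"]
    return None


def connect_any(dst: str, sources: Iterable[str],
                reachable: Callable[[str, str], bool]) -> Optional[Tuple[str, str]]:
    """Happy-eyeballs style: try each source address (and therefore each
    uplink) until one reaches `dst`.  `reachable(uplink, dst)` stands in
    for a connect() with a short timeout.  Returns (source, uplink) used."""
    for src in sources:
        route = route_for_source(src)
        if route is None:
            continue  # no line would accept this source; do not even try
        uplink, _gateway = route
        if reachable(uplink, dst):
            return src, uplink
    return None


def make_reachability(broken: Dict[str, Set[str]]) -> Callable[[str, str], bool]:
    """Constructed network model: broken[uplink] is the set of destinations
    that uplink currently cannot reach (dead line, blackholing upstream)."""
    def reachable(uplink: str, dst: str) -> bool:
        return dst not in broken.get(uplink, set())
    return reachable


if __name__ == "__main__":
    # line-a has lost its path to one destination only.
    net = make_reachability({"line-a": {"2001:db8:ffff::80"}})
    print("two addresses:", connect_any("2001:db8:ffff::80", HOST_ADDRESSES, net))
    print("one address:  ", connect_any("2001:db8:ffff::80", HOST_ADDRESSES[:1], net))
```

The second call in the `__main__` block shows the contrast drawn in the post: a host with a single address bound to line-a cannot reach the destination while line-a's path is broken, whereas the same host with an address from each line falls through to line-b.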



Re: Why anyone in their right mind would like to use NAT64

2012-10-24 Thread Jussi Peltola
On Wed, Oct 24, 2012 at 02:25:07PM -0400, Kurt Mosiejczuk wrote:
 I read about it in the following article earlier this year.
 http://www.theregister.co.uk/2012/03/31/ipv6_sucks_for_smes/
 
Everybody except a few zealots has accepted the fact that NAT will
exist in ipv6 just like v4. The difference is that you are no longer
forced into using NAT by address scarcity, you get to choose if you want
to use it or not.

That article paints a picture of NAT as some kind of silver bullet that
solves everything; I'll not bother arguing against that.

The article also completely misses some of the proposed solutions, like
running multiple prefixes for multihoming, and having a ULA prefix for
internal communication and a dynamically assigned global one for external
connectivity. Yes, you get to change DNS entries for your
publicly-accessible hosts when you change ISPs if you use provider
allocated addresses - how does NAT help with this again, except add the
extra work of changing NAT translation rules?



Re: Why anyone in their right mind would like to use NAT64

2012-10-24 Thread Jussi Peltola
On Wed, Oct 24, 2012 at 01:21:33PM -0600, Theo de Raadt wrote:
 What happens if one of your links goes down for a day?
 
 Do all your ssh sessions to everywhere in the world stay up?
 
 The internet has non-transient traffic, too.
 
No, I will have to re-start some of them. This is something that can
only be fixed by getting rid of the assumption about non-changing host
addresses. The other solutions do not scale to the size of the Internet;
I could get BGP at home but I don't want to, it is easier (and cheaper)
to just restart connections in the rare event of one line breaking.

v4 vs v6 has very little to do with this; the world wants roaming and
multi-homing, and BGP is not going to give it to the masses. NAT may
enable multi-homing, but it does nothing to help roaming (on the
contrary, state in the network makes it harder; and NATs tend to break
my idle SSH sessions even when there is no fault in any line).

Do your ssh sessions stay up if one of your upstreams starts blackholing
but still announces you a full table of routes?



Re: Why anyone in their right mind would like to use NAT64

2012-10-24 Thread Jussi Peltola
On Wed, Oct 24, 2012 at 01:28:38PM -0600, Theo de Raadt wrote:
 Basically to make IPv6 pseudo-multihoming work like IPv4
 multihoming, ssh and sshd need to be modified that they can handle a
 network break, and re-connect using another address.
 
I fail to see what any of this has to do with address families. You can
multihome in every way possible in v4 with v6.

The DFZ will not scale to everyone's iPad having their own prefix,
sending an update each time they hop on to another network.



Re: Why anyone in their right mind would like to use NAT64

2012-10-24 Thread Jussi Peltola
On Wed, Oct 24, 2012 at 01:43:01PM -0600, Theo de Raadt wrote:
 Luckily that is not a problem in ipv4.

I can get IPv6 PI and multihome with v6 as it is just like I used to be
able with v4; now there is no more v4 PI at RIPE. But what does this
have to do with the on-wire protocol again?

  Do your ssh sessions stay up if one of your upstreams starts blackholing
  but still announces you a full table of routes?
 
 My upstreams don't blackhole me, since that would be an administrative
 procedure.  They don't do it, because it is bad for business.
 
 You cannot equate an administrative procedure which isn't done, to an
 engineering mistake which screws everyone.

I really don't think I'll need to dignify this with a response, but
everyone who has operated a DFZ network knows there are always broken
paths to some destination, and this means broken connectivity until said
paths are manually fixed or routed around.



Re: Why anyone in their right mind would like to use NAT64

2012-10-24 Thread Jussi Peltola
On Wed, Oct 24, 2012 at 10:30:21PM +0200, Claudio Jeker wrote:
 On Wed, Oct 24, 2012 at 10:12:33PM +0300, Jussi Peltola wrote:
  On Wed, Oct 24, 2012 at 02:43:14PM -0400, Simon Perreault wrote:
   What you need to multihome is either BGP or NAT. Exactly as in IPv4.
   Nothing has changed. The only new thing with IPv6 is that there's
   more bits.
   
  Oh? I have two internet connections plugged directly into my desktop box
  at home, it is multihomed and there is no BGP or NAT. This does need
  some policy routing to work with uRPF filtered access lines.
 
 This is just the tip of the iceberg.

This is a very common setup for bastion hosts with multiple dsl lines
for redundancy; it is extremely robust against all kinds of failures,
unlike other forms of multihoming.

  With IPv6 multihoming should work trivially: plug two access lines into
  a switch, get RAs from both, get addresses from both on your end-host,
  and your end-host needs to select the proper route for each source
  address. Again, no NAT or BGP. Applications will need to support hosts
  having multiple addresses in the future, and happy eyeballs seems to
  have made browsers do that.
 
 Ha ha ha ha, this will work for a single host but how will you manage
 multiple ones. Bonus question, how do you think the host router with no
 knowledge of the underlying network topology will choose a route?
 This setup is one of the biggest mistakes made in IPv6.
  
Roaming single hosts are a very large subset of all hosts; server-type
systems usually have static configuration anyway. I really don't see how
multiple hosts wouldn't work if one does...

  There is also a considerable advantage against multihoming where hosts
  only have 1 address configured: if the application tries to use all
  source addresses available, you can get to google even if one of your
  access lines has no connectivity to them; with BGP multihoming you will
  not, with v4 NAT style multihoming you possibly can if it does
  round-robin and you try again.
  
  Add SCTP to this puzzle, and you should be able to roam seamlessly from
  WLAN to 3G to WLAN without your ssh sessions breaking. mosh already more
  or less does this. With multiple addresses and default routes per host,
  and SCTP or multipath TCP, you should also be able to load-share one
  connection among multiple internet connections.
 
 Hey, you forgot to mention shim6 and all the other crap ideas that already
 died. SCTP is a monster and it is over engineered like IPv6. I wonder when
 the first SCTP hacks will appear that take down host and maybe networks.
 If I want persistent login sessions I use tmux.

Yes, with a while loop trying to ssh and re-attach to screen or tmux
forever you can get pretty close, as with web apps that do transient
http requests.

Again, this has absolutely nothing to do with ipv6; exactly the same
problems and solutions exist on ipv4.

  End hosts need to get smarter, instead of the network adapting to their
  stupidity. But I'm not holding my breath.
 
 Nope. End hosts need to stay stupid. They can not handle the truth their
 poor little mobile cores would just explode the moment they try to grasp
 the real world.

What exactly is your proposal? Infinite DFZ growth?



Re: OpenBGPd functionality equal to neighbor allowas-in?

2012-01-07 Thread Jussi Peltola
You can work around this by pointing a default at your provider, too.
But it is kind of yucky.

On Sat, Jan 07, 2012 at 09:21:35AM +0100, Pete Vickers wrote:
 SOO can be used for loop detection, but only if your bgp peerings don't strip
 extended communities.
 
 another dirty hack would be to get the peer to aggregate your 'remote'
 prefixes towards you (without as-set) to conceal the ASN. beware that ebgp
 routes are preferred over ibgp by default though - this is a gun and your
 feet look tempting.
 
 /Pete
 
 
 On 6. jan. 2012, at 22:01, Stuart Henderson s...@spacehopper.org wrote:
 
  On 2012-01-06, Donald Reichert silvershadow...@gmx.de wrote:
  Hi list,
 
  I'd like to replace some Ciscos by OpenBSD machines.
 
  On the routers I have configured the possibility to span networks from our
 own AS over peerings, Cisco speak: neighbor x.x.x.x allowas-in
 
  This is needed for disjunct networks.
 
  I didn't find a clue how to do this with OpenBGPd - any hints?
 
  Thanks,
 
  Donald
 
  Not currently possible, it will need code changes. Normally this check
  is done to prevent route loops. It shouldn't be too hard to naively hack
  this type of option into place, but I'm not sure what else might need
  to be done to avoid loops.



Re: altq on a variable bandwidth interface

2011-11-24 Thread Jussi Peltola
On Thu, Nov 24, 2011 at 02:21:57PM +0100, Henning Brauer wrote:
 that changes the order how exactly?
 the only valid point is that the modem drops packets regardless of
 their priority while we would drop low prio first.
 
There won't be an appreciable queue on a router that is not next to the
choke point. It will just pass the packets toward the modem at whatever
rate they come, unless you configure the queue bandwidth lower than
the choke point's, invalidating the assumption that the router is not next
to the choke point...

  If the modem is not queueing packets, why do you do priorization?
 
 that sentence doesn't make any sense at all.
 
It makes perfect sense. You control what the modem does with the packets
in its queue with marking, assuming the modem actually honors that.

  Most people use priority queueing because they want short delay on some
  connections like ssh, VoIP... They don't want the modem to buffer
  packets at all because that would add delay.
  This means you can prioritize packets only on the bottleneck.
 
 sigh. what part in simple priority queueing just reorders packets
 didn't you understand?

It does not reorder much at all if the rate is less than the max.

   however and admittedly:
   the effect of simple priority queueing isn't all that drastic since
   your machine only reorders within the packets it has in flight at the
   given moment (few less even).
   the combo of the extra buffer and the lower bandwidth link further
   down the road minimizes the effects - foremost when there is congestion
   on that slower link. 
  as soon as the modem starts queueing your delay rises (my modem buffers
  up to 2500ms - try doing VoIP over such a connection).
  as soon as the modem starts dropping packets (because it has a small
  buffer or because it gets fed with 100MBit) your prioritization won't
  work anymore, too.
 
 wrong.
 the prioritization works just fine. the prioritized packets go out before
 the unprioritized ones.
 
Since there is not much queue on the machine where you are prioritizing,
the packets go out immediately. The prioritized traffic is not any more
likely to get delivered, or getting any less delay. It may get ahead of
a few packets in case of a burst, but the majority of the queue is in
the modem and not affected, and neither is the risk of the packet
getting dropped.

 you don't get your desired effect, but that is a whole different
 story.
 
  You cannot do any kind of bandwidth shaping, prioritization or fair
  queueing on any link but the bottleneck.
 
 that is plain bullshit.
 
 it is most effective at the bottleneck, but especially priority
 queueing - how often do I have to stress this, which just REORDERS
 PACKETS - has its effects and value no matter where. it does not
 suffice to guarantee low delay for voip or the like, but that has never
 been promised.
 
Reordering packets implies that you hold some in a queue, i.e. delay
some packets less and some packets more. When does this happen when the
actual rate of packets is lower than the queue's max rate?

In any case, when your modem's queue is full, which is the case we are
talking about here, reordering is 100% useless. The modem randomly drops
packets and delaying some packets less than other packets will not make
it any less likely that the modem will drop them. 

The original poster's objective was

1) Utilize the full link bandwidth

2) Prioritize some packets (affecting their risk of getting dropped, and
their delay)

This is impossible to do if you do not have feedback about the modem's
queue, or knowledge of the speed of the link. 2) is possible without 1),
assuming that some lower bound of the link speed is known. 1) is
obviously possible without any prioritization at all.

Jussi Peltola



Re: altq on a variable bandwidth interface

2011-11-19 Thread Jussi Peltola
On Sat, Nov 19, 2011 at 08:58:46PM -0500, quartz wrote:
 Is there a way to set up altq+priq on an internet connection with highly
 variable/unknown bandwidth?
 
 I'd like to create a simple one layer queue system that prioritizes empty
 ACKs over anything else (always, all the time, no matter the load or
 congestion). It looks like priq is the way to do this, but all the
 documentation I can find seems to say you have to type in a hard number,
 which won't work for my case.
 
This is usually impossible. The packets get re-queued in the modem or
whatever device is next to the choke point, and any prioritization you
configure becomes useless. Typically the only way around it is to send
at a rate slightly lower than the choke point bandwidth, so the buffer
of the modem never starts to get utilized. If the bandwidth is variable,
you're screwed.

You can check whether your modem or other device supports DiffServ or 802.1q
priority tags. Some DSL modems do, which helps - DSL has an extra perk
of the extra headers causing more overhead for small packets, so you
need a shaper that can account for that, or you need to configure the
max rate lower than what the line is capable of with large packets.
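The bottleneck argument made in this reply and, at more length, in the later exchange with Henning (prioritizing only helps if the router, not the modem, holds the queue, which requires sending at or below a known link rate) as an added Python model. This is not code from the thread and not altq; packets are abstract units, a "tick" is one scheduling interval, the offered load, buffer sizes and link rate are constructed, and the modem's tail drop within a burst is modelled as a random choice because the router cannot see when the modem frees a slot.

```python
"""Two-hop queue model: a strict priority queue (priq-like) on the router
feeding a dumb FIFO modem that is the real choke point.  Added illustration
only; all numbers below are constructed."""
import random
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Packet:
    prio: str      # "hi" or "lo"
    arrived: int   # tick at which the packet reached the router


@dataclass
class Stats:
    sent: int = 0
    dropped: int = 0
    delays: List[int] = field(default_factory=list)

    @property
    def mean_delay(self) -> float:
        return sum(self.delays) / len(self.delays) if self.delays else 0.0


class PriqRouter:
    """Strict priority queue with a bounded buffer.  When full, a new 'hi'
    packet evicts the youngest 'lo' packet; a new 'lo' packet is dropped."""
    def __init__(self, rate: int, cap: int):
        self.rate, self.cap = rate, cap
        self.q: Dict[str, deque] = {"hi": deque(), "lo": deque()}

    def enqueue(self, p: Packet, stats: Dict[str, Stats]) -> None:
        if len(self.q["hi"]) + len(self.q["lo"]) < self.cap:
            self.q[p.prio].append(p)
        elif p.prio == "hi" and self.q["lo"]:
            victim = self.q["lo"].pop()
            stats[victim.prio].dropped += 1
            self.q["hi"].append(p)
        else:
            stats[p.prio].dropped += 1

    def dequeue(self) -> List[Packet]:
        """Hand up to `rate` packets to the modem, 'hi' always first."""
        out: List[Packet] = []
        for cls in ("hi", "lo"):
            while self.q[cls] and len(out) < self.rate:
                out.append(self.q[cls].popleft())
        return out


class FifoModem:
    """Tail-drop FIFO at the choke point.  Which packets of a burst land in
    the last free slots depends on sub-tick timing the router cannot see,
    so the survivors are picked at random (modelling assumption)."""
    def __init__(self, rate: int, cap: int, rng: random.Random):
        self.rate, self.cap, self.rng = rate, cap, rng
        self.q: deque = deque()

    def accept(self, burst: List[Packet], stats: Dict[str, Stats]) -> None:
        free = self.cap - len(self.q)
        if len(burst) > free:
            keep = set(self.rng.sample(range(len(burst)), free))
            for i, p in enumerate(burst):
                if i not in keep:
                    stats[p.prio].dropped += 1
            burst = [p for i, p in enumerate(burst) if i in keep]
        self.q.extend(burst)

    def serve(self, now: int, stats: Dict[str, Stats]) -> None:
        for _ in range(min(self.rate, len(self.q))):
            p = self.q.popleft()
            stats[p.prio].delays.append(now - p.arrived)


def simulate(router_rate: int, ticks: int = 200, link_rate: int = 2,
             hi_per_tick: int = 1, lo_per_tick: int = 3,
             seed: int = 1) -> Dict[str, Stats]:
    """Offered load (hi + lo per tick) exceeds link_rate, so something must
    be dropped.  router_rate >> link_rate is an unshaped priq; router_rate
    == link_rate is shaping at a known bottleneck rate."""
    rng = random.Random(seed)
    router = PriqRouter(router_rate, cap=50)
    modem = FifoModem(link_rate, cap=20, rng=rng)
    stats = {"hi": Stats(), "lo": Stats()}
    for t in range(ticks):
        for prio, n in (("hi", hi_per_tick), ("lo", lo_per_tick)):
            for _ in range(n):
                stats[prio].sent += 1
                router.enqueue(Packet(prio, t), stats)
        modem.accept(router.dequeue(), stats)
        modem.serve(t, stats)
    return stats


if __name__ == "__main__":
    for label, rate in (("unshaped priq, modem queues", 100), ("shaped to link rate", 2)):
        s = simulate(rate)
        print(label)
        for cls in ("hi", "lo"):
            print(f"  {cls}: dropped {s[cls].dropped}/{s[cls].sent}, "
                  f"mean delay {s[cls].mean_delay:.1f} ticks")
```

In the unshaped run both classes sit in the modem's FIFO, so their delays are the same and both lose packets to tail drop; in the shaped run the router's queue is the only one that fills, the high-priority class is never queued or dropped, and the low-priority class absorbs all of the loss. Both runs push `link_rate` packets per tick through the link, but only because the simulation knows that rate; on a line whose rate varies, `router_rate` has to be set below the lowest rate you expect, which is the trade-off the reply above describes.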



Re: em(4) watchdog timeouts on 5.0-release

2011-11-09 Thread Jussi Peltola
You can ignore the clueless parts in my previous message :)

I can set up remote access to one of these machines if needed.

This made the ems work again:

--- if_em.c.origWed Nov  9 21:37:39 2011
+++ if_em.c Wed Nov  9 21:39:01 2011
@@ -331,6 +331,2 @@
 
-   /* Only use MSI on the newer PCIe parts */
-   if (sc-hw.mac_type  em_82571)
-   sc-osdep.em_pa.pa_flags = ~PCI_FLAGS_MSI_ENABLED;
-
/* Parameters (to be read from user) */
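Review bot: dropping the mac_type check that cleared PCI_FLAGS_MSI_ENABLED for pre-82571 parts removes the only place where MSI was ruled out per device type, and the 82571EB showing the watchdog timeouts is exactly the part the old comment calls a "newer PCIe part"; the narrower workaround is to keep this block and extend its comparison against em_82571 (the operator is lost in the archive's rendering) so that the 82571 is excluded too, rather than deleting it. If this is only a diagnostic to confirm MSI as the trigger, a one-line comment saying so would spare the next reader the guess.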
@@ -1621,3 +1617,3 @@
 
-   if (pci_intr_map_msi(pa, ih)  pci_intr_map(pa, ih)) {
+   if (pci_intr_map(pa, ih)) {
printf(: couldn't map interrupt\n);
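Review bot: replacing the pci_intr_map_msi / pci_intr_map fallback with pci_intr_map alone turns MSI off for every em(4) variant, not only the 82571EB that shows the problem, and it makes the first hunk's removal moot since nothing consults PCI_FLAGS_MSI_ENABLED any more. As a bisection step ("this made the ems work again") that is fine; a committable fix should keep the MSI path, gate it on mac_type, and carry a comment pointing at the Intel 82571EB specification update cited in the earlier mail so the reason survives in the code.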



em(4) watchdog timeouts on 5.0-release

2011-11-08 Thread Jussi Peltola
My em(4)'s stopped working with 5.0 - has anyone seen this on 82571EBs?
I'll try backing out the MSI patch.

Perhaps this is related:
ftp://download.intel.com/design/network/specupdt/82571eb_72ei.pdf

Page 22, Errata 7: Device Transmit Operation Might Halt in TCP
Segmentation Offload (TSO) Mode when Multiple Requests (MULR) Are
Enabled.

OpenBSD 5.0 (GENERIC) #43: Wed Aug 17 10:10:52 MDT 2011
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(R) CPU E5502 @ 1.87GHz (GenuineIntel 686-class) 1.87 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,POPCNT
real mem  = 2136694784 (2037MB)
avail mem = 2091687936 (1994MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf, SMBIOS 
rev. 2.6 @ 0x7f7fe000 (134 entries)
bios0: vendor HP version W07 date 10/02/2009
bios0: HP ProLiant DL320 G6
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP SPCR MCFG HPET  SPMI ERST APIC SRAT  BERT HEST 
DMAR SSDT SSDT SSDT
acpi0: wakeup devices PCI0(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0 addr 0xe800, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 16 (boot processor)
cpu0: apic clock running at 133MHz
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins
ioapic1 at mainbus0: apid 0 pa 0xfec8, version 20, 24 pins
acpiprt0 at acpi0: bus 1 (IP2P)
acpiprt1 at acpi0: bus 3 (NIB1)
acpiprt2 at acpi0: bus 4 (IPT5)
acpiprt3 at acpi0: bus -1 (PRB2)
acpiprt4 at acpi0: bus 10 (PT07)
acpiprt5 at acpi0: bus 7 (PT03)
acpiprt6 at acpi0: bus 13 (PT01)
acpiprt7 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
acpitz0 at acpi0: critical temperature is 31 degC
bios0: ROM list: 0xc/0xb000 0xcb000/0x2600! 0xcd600/0x1000 0xce600/0x1000 
0xcf600/0x1000 0xd0600/0x1000
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 5500 Host rev 0x13
ppb0 at pci0 dev 1 function 0 Intel X58 PCIE rev 0x13
pci1 at ppb0 bus 13
em0 at pci1 dev 0 function 0 Intel PRO/1000 PT (82571EB) rev 0x06: msi, 
address 00:26:55:d5:86:f2
em1 at pci1 dev 0 function 1 Intel PRO/1000 PT (82571EB) rev 0x06: msi, 
address 00:26:55:d5:86:f3
ppb1 at pci0 dev 3 function 0 Intel X58 PCIE rev 0x13
pci2 at ppb1 bus 7
ppb2 at pci0 dev 7 function 0 Intel X58 PCIE rev 0x13
pci3 at ppb2 bus 10
em2 at pci3 dev 0 function 0 Intel PRO/1000 PT (82571EB) rev 0x06: msi, 
address 00:26:55:d5:8f:b4
em3 at pci3 dev 0 function 1 Intel PRO/1000 PT (82571EB) rev 0x06: msi, 
address 00:26:55:d5:8f:b5
pchb1 at pci0 dev 13 function 0 vendor Intel, unknown product 0x343a rev 0x13
pchb2 at pci0 dev 13 function 1 vendor Intel, unknown product 0x343b rev 0x13
pchb3 at pci0 dev 13 function 2 vendor Intel, unknown product 0x343c rev 0x13
pchb4 at pci0 dev 13 function 3 vendor Intel, unknown product 0x343d rev 0x13
pchb5 at pci0 dev 13 function 4 Intel 5520/X58 QuickPath rev 0x13
pchb6 at pci0 dev 13 function 5 Intel 5520 QuickPath rev 0x13
pchb7 at pci0 dev 13 function 6 vendor Intel, unknown product 0x341a rev 0x13
pchb8 at pci0 dev 14 function 0 vendor Intel, unknown product 0x341c rev 0x13
pchb9 at pci0 dev 14 function 1 vendor Intel, unknown product 0x341d rev 0x13
pchb10 at pci0 dev 14 function 2 vendor Intel, unknown product 0x341e rev 0x13
pchb11 at pci0 dev 14 function 3 vendor Intel, unknown product 0x341f rev 0x13
pchb12 at pci0 dev 14 function 4 vendor Intel, unknown product 0x3439 rev 0x13
Intel X58 Misc rev 0x13 at pci0 dev 20 function 0 not configured
Intel X58 GPIO rev 0x13 at pci0 dev 20 function 1 not configured
Intel X58 RAS rev 0x13 at pci0 dev 20 function 2 not configured
uhci0 at pci0 dev 26 function 0 Intel 82801JI USB rev 0x00: apic 8 int 20
uhci1 at pci0 dev 26 function 1 Intel 82801JI USB rev 0x00: apic 8 int 23
uhci2 at pci0 dev 26 function 2 Intel 82801JI USB rev 0x00: apic 8 int 22
ehci0 at pci0 dev 26 function 7 Intel 82801JI USB rev 0x00: apic 8 int 22
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb3 at pci0 dev 28 function 0 Intel 82801JI PCIE rev 0x00
pci4 at ppb3 bus 2
ppb4 at pci4 dev 0 function 0 ServerWorks PCIE-PCIX rev 0xb5
pci5 at ppb4 bus 3
bge0 at pci5 dev 4 function 0 Broadcom BCM5715 rev 0xa3, BCM5715 A3 (0x9003): 

Re: IPv6 and carp(4) problems

2011-10-25 Thread Jussi Peltola
I had some similar looking problems some releases back. Using a separate
carp if for ipv6 mostly fixed it. Didn't write down the exact problem,
though.



Re: dhclient, resolv.conf

2011-10-22 Thread Jussi Peltola
On Sun, Oct 23, 2011 at 12:08:22AM +0200, Jan Stary wrote:
 Just out of curiosity, what would be an example
 situation for using a machine that simultaneously
 
 (1) acts as a name-server for others
 (2) gets its network settings dynamically reconfigured
 
Any kind of box that is connected to an internet connection using DHCP?

It is needed because kittens are at risk of death every time you run a
resolver for a trivial amount of clients that does not use forwarders.

Passing on the ISP's DNS is of course also an option, but a local cache
never hurts. When the ISP's resolver breaks and you want to switch to
something else, it's also nice to be able to do it without waiting for
all the hosts to renew their lease.



Re: Why aren't you running -current?

2011-09-07 Thread Jussi Peltola
I'm lazy.



Re: dual-stack IPv4/IPv6 CARP SOLVED

2011-07-31 Thread Jussi Peltola
On Sun, Jul 31, 2011 at 02:16:15PM -0700, David Newman wrote:
 2. CARP heartbeat messages use multicast. This means a switch with
 dual-stack CARP-attached devices should support not only IGMP snooping
 for IPv4 but also MLD snooping for IPv6.
 
Hmm. carppeer does not seem to like an inet6 address to work around
that. I wonder what happens if you dual-stack a carp interface with a
carppeer - I remember having some mysterious issues after which I've
been running a separate carp if for ipv6. OTOH I have dual-stacked
carppeer-less carp if's that show no problems. Perhaps I can find time
to investigate.



setting lladdr on a vlan

2011-05-08 Thread Jussi Peltola
I have a vlan on top of a vlan on an em. It connects to a remote switch
that requires me to use a specified lladdr.

Everything works just fine if I change the lladdr on em0, or run tcpdump
to switch it to promiscuous mode, but I need another lladdr on the other
vlans.

Setting the lladdr on the outer vlan does not help, either.

Any pointers, except dedicating an interface per lladdr?



Re: Wifi host AP thoughts

2011-01-02 Thread Jussi Peltola
In my experience, the caveat makes using most devices next to
impossible. It is way worse than using 3G data.

I use separate APs. They're usually cheaper and easier to find than
supported cards, anyway.



Re: private vlans

2010-12-31 Thread Jussi Peltola
On Fri, Dec 31, 2010 at 01:36:32AM -0800, S Mathias wrote:
 Does anyone have a similar howto on OpenBSD for using private VLAN's?
 
 like: 
 
 http://blog.ine.com/2008/07/14/private-vlans-revisited/
 
 I just need to separate the clients on Layer3 or better: on Layer2.
 Each client uses 1 port. But I'm not 
 

What's your question?

AFAICS there's nothing like ip local-proxy-arp on OpenBSD. Linux used
to be able to do that with proxy arp entries with a mask and interface,
but they've removed the feature in newer kernels.

If you can live with the silliness of your end-stations not being able
to talk to each other at all, this has nothing to do with OpenBSD and
everything with your switch. Just put the OpenBSD router on a
promiscuous (trusted) port.

Even this is very far from a good solution since it does nothing against
arp spoofing except for spoofing the gateway. It does not allow you to
filter source IPs and it won't help with duplicate mac addresses or
other malicious behavior.

With ip local-proxy-arp you could put clients on different vlans and
use proxy arp to fake they're in the same subnet, allowing the same
level of isolation, source address filtering and firewalling as giving
each host a vlan and a /30, but without wasting three quarters of your
ip addresses. With some dhcp relay magic you'd have a secure ethernet
access solution.

Sadly I don't understand the kernel well enough to do it myself.



Re: Aggregate multiple xDSL connections

2010-11-10 Thread Jussi Peltola
I have heard of multilink PPPoE, which you'd probably have to tunnel in
a gre / gif tunnel if it's not a private adsl link, lowering the MTU
even further...

I've never tried it, it may not work at all, but it might be usable if
the dsl connection in question is not a very wide wan.



Re: Mobile VPN

2010-10-05 Thread Jussi Peltola
The n900 most certainly can run openvpn.



Re: Linux or OpenBSD

2010-09-22 Thread Jussi Peltola
On Wed, Sep 22, 2010 at 08:39:36PM -0300, Nenhum_de_Nos wrote:
 On Wed, September 22, 2010 18:56, Luis F Urrea wrote:
  On Wed, Sep 22, 2010 at 4:11 PM, Fabio Almeida mente...@gmail.com wrote:
 
  Iptables is ok, until you know PF, after knowing PF you'll never use
  Linux, at least for firewalls, anymore.
 
  +1
 
 +1
 
 matheus
 
 -- 
 We will call you cygnus,
 The God of balance you shall be
 
 A: Because it messes up the order in which people normally read text.
 Q: Why is top-posting such a bad thing?
 
 http://en.wikipedia.org/wiki/Posting_style
 

Perhaps you should stop spamming before lecturing others about top
posting.



Re: Distribute bandwidth by IP's

2010-09-07 Thread Jussi Peltola
On Tue, Sep 07, 2010 at 01:56:57PM -0700, James Peltier wrote:
 Also, perhaps there will be a performance hit in the evaluation of all the 
 queues that might be more hindering than helpful?
 
With an E1?

Even if you lose a little bit of throughput (which I doubt, if you are
running hardware that you can do a regular install on), some kind of QoS
is a must on such an oversubscribed line. It will very likely be
completely unusable without it.

Jussi Peltola



Re: Problems sending correct Netmask with ospfd 4.7-AMD64

2010-09-05 Thread Jussi Peltola
Perhaps it is because you have a /8 netmask on em0.

man hostname.if

Jussi Peltola 



Re: networking problem with same vlan on different physical interfaces

2010-08-18 Thread Jussi Peltola
VLANs or not, it will generally not work as you seem to expect to have
two interfaces in the same subnet. pf and route-to might be enough to
make it work, but you should probably just configure the different
addresses on one interface.

Or, maybe I'm completely mistaken, but judging from only a dmesg it is
rather hard to tell what you're trying to accomplish. You should include
at least ifconfig output and hostname.* files, probably also the pf
rules you mention.

Jussi Peltola



Re: OpenBSD stops responding on switching loop

2010-07-16 Thread Jussi Peltola
Does the machine recover after the loop is gone?



Re: Ordering CDs in Europe becoming increasingly difficult

2010-07-09 Thread Jussi Peltola
On Fri, Jul 09, 2010 at 01:34:26AM +0200, Floor Terra wrote:
  I admit that I'm a bit ignorant here, as I've myself never
  administered an SSL web site, but I am not convinced by this: Doesn't
  the above just mean that it switches to HTTPS *after* transmitting my
  information in the clear? Or can someone else explain if and/or how
  the above is sane?
 
 
 From a quick glance at the website:
 You get an empty form delivered over plain http. The form submits to
 an https page.
 This means the content of the form is only transmitted over https.
 
Unless the attacker substitutes the page with another one that can send
your password wherever he wants...



Re: routing problem

2010-07-09 Thread Jussi Peltola
On Fri, Jul 09, 2010 at 02:19:42PM -0700, Matt S wrote:
 Given the following:
 
 [internet - DSL Modem - 192.168.0.1]--[bge0:192.168.0.254 - OpenBSD
 4.7 - em0:10.40.60.1]--[Laptop - DHCP]
 
 net.inet.ip.forwarding=1
 
 How can I get my laptop to reach the internet?  I kind of figured that all I
 would have to do is have forwarding enabled on the OpenBSD box without
 specifying any additional routing instructions.  I can ping my laptop from
 the OpenBSD box.  Since my default gateway is effectively 192.168.0.1, I am
 puzzled as to why I cannot ping that address from the laptop.  What could I
 possibly be missing?  I'm tearing my hair out .
 

The modem has no route to 10.40.60.0/[whatever your netmask is, perhaps
you should have included enough information]

It will reply to this mysterious internet where its default route
points.

This configuration is not guaranteed to work even if you add a static
route in the modem, since it may not nat source addresses not within
192.168.0.0/[whatever netmask it is].

It's probably easiest to nat connections from 10.40.60.1/[...] on the
openbsd box.



Re: slow down dd - how?

2010-07-08 Thread Jussi Peltola
Something like http://zakalwe.fi/~shd/foss/pmr/ might work



Re: OpenBSD as a laptop OS

2010-06-18 Thread Jussi Peltola
Search the archives.



Re: Processeur Atom ?

2010-06-12 Thread Jussi Peltola
On Sat, Jun 12, 2010 at 10:53:52AM +0200, E.T wrote:
  * Nick n...@holland-consulting.net [2010-06-11 12:55]:
  If you want low power consumption and low cost, I'd suggest a small
  PIII or Celeron based system, hard to beat for the price (usually,
  free!).  IF the new, cool stuff has any real power savings, you are
  unlikely to ever recoup the initial cost over recycled hardware.
 
 It is a very bad idea, PIII low performance, low power, high hot, high
 electricity.
 
Any real data for these claims? Nick has posted measurements on this
list many times.

  that might be (I am not convinced tho) with the electricity price in
  the US, but certainly isn't universal.

The calculations pretty much added up for me with domestic electricity
prices in Finland and no cooling costs (it's cold enough here anyway
most of the time). Caveat: an inefficient PSU may be worth replacing
with an efficient one. Maybe. This is assuming 5 years service life,
which is not very hard to get with carefully chosen hardware from the
dumpster, but seems to be too much to ask when buying new...

Saving 10 watts will save you (0.01kW * 24h * 365) = 87.6kWh per year.
Realistic savings might be around 20 watts, for a 35-40 watt P3 and
15-20W Atom. Calculate for yourself if it is worth it.

Small-ish, dull looking HP, IBM, Dell and other name-brand office PCs
tend to be rather low-power, and quiet too. It takes some time to learn
to dumpster-dive the correct machines, after that you will be able to
find them easily.

 Why pay 100 dollars/month, 1200 dollars/year for a server??? 2 Atom
 platforms = 120 dollars, 1 firewall, 1 web server, 1 OpenBSD 4.7 disc = 50
 dollars :). OpenBSD is the very best performance, is the best security. One
 problem: script-kiddie attacks, datacenter server or home server, the same
 thing.

Since when have recycled machines cost 100 dollars a month?



Re: pf: how to apply route-to for packets matching states?

2010-06-08 Thread Jussi Peltola
reply-to



Re:

2010-05-25 Thread Jussi Peltola
On Mon, May 24, 2010 at 09:56:45PM -0700, J.C. Roberts wrote:
 Since most providers have bandwidth caps measuring all network
 traffic, preventing your system from connecting when it doesn't need to
 be connected is fairly important. Unlike the old POTS (land line)
 modems, these new mobile data network devices (EVDO, HSPA, ...) can
 establish a connection *very* quickly. This means only connecting when
 you need to is pretty fast and will help save your bandwidth.
 
But beware, some providers charge for each time you open the connection.
Here in Finland it's masked in the pricing as a minimum amount of
100KB; so they will charge you the (abhorrent) price for 100KB for each
time you open the connection.

Thankfully flat-rate 3G is very cheap here - and unusable in densely
populated areas as a result...



Re: Resilient RAID

2010-05-22 Thread Jussi Peltola
On Fri, May 21, 2010 at 10:45:01PM -0500, Marco Peereboom wrote:
 I've lost 3 due to washing...
 
I've revived many with a toothbrush and alcohol.

It's not the water, but all of the stuff that deposits on the thing.

Still, just take the backups...



Re: HA: pair of firewalls, 2 switches and 1 server

2010-05-21 Thread Jussi Peltola
On Fri, May 21, 2010 at 12:22:10AM +0200, Reyk Floeter wrote:
  Linux's bonding module has an arp monitor which solves some of these
  problems, but the implementation is so hackish (as usual there...) that
  I'd rather not use it in production. arping and ifstated might do the
  same on openbsd, but I'm not sure if that will work when the interfaces
  are trunk ports. I'll need to check this when I have time.
  
 
 why not?  trunk is just a normal ethernet interface.
 
The monitoring should be done on the ports/slaves/child interfaces, not
the trunk itself. I don't see why arping wouldn't work on those, either,
but I haven't tested it.

 the linux bondage trick sounds hackish, but link detection protocols
 like udld or bfd should help here on the ethernet level.  many managed
 switches support one of these protocols and i'd like to do this on the
 openbsd side at some point to alter the link state based on optional
 uni-/bidirectional link detection.
 
This would be a pretty good out of the box solution. end to end
monitoring with ifstated would still be useful especially on the end
hosts, which can just (ar)ping the carp gateway and kick out interfaces
that can't reach it. That would work against config mistakes (missing
vlans) and all kinds of subtle switch failures. For the routers this is
not so easy, they would need to ping an assortment of end hosts to get a
really useful end to end check. And there is always relayd et al that
solve the problem even better (in the cases where it can be used.)



Re: HA: pair of firewalls, 2 switches and 1 server

2010-05-20 Thread Jussi Peltola
On Thu, May 20, 2010 at 07:28:55PM +0200, Henning Brauer wrote:
 * Graham Allan al...@physics.umn.edu [2010-05-20 19:23]:
  On Thu, May 20, 2010 at 07:02:23PM +0200, Axel Rau wrote:
   Am 20.05.2010 um 00:04 schrieb Henning Brauer:
   
   * Axel Rau axel@chaos1.de [2010-05-19 10:34]:
   Now the question: Can I put a trunk on top of a carp?
   
   you put carp on top of the trunk of course.
   OK.
   Can I have a trunk connected to 2 different switches then?
   
  Not normally. Some higher-end switches can support this, eg the
  HP Procurve switches running their K-series software can do something
  they call distributed trunking (and no doubt Cisco and other vendors all
  call it something else). But as I think you were talking about using
  cheapish Netgear switches it's unlikely to be possible.
 
 well, lacp usually doesn't work across switches. but lacp is not the
 only mode trunk supports. roundrobin definately works across switches
 - how well might depend on your switches. works well for me on
 procurve with E-series software which doesn't do distributed trunking
 afair.
 
How about the warnings about packet reordering and interactions with
TCP? I'd guess it's not really such a big issue if you have two
identical switches and routers. But shouldn't the hash based trunk modes
work just fine, too (with the caveat that some flows will stop working
completely if the other switch fails in some ways, while roundrobin will
cause half of the packets to be blackholed, keeping badly degraded
connectivity)?

Also, the switches need to be separate; connecting them directly may
cause learned MACs to flap between the real host port and the cable
between the switches and make the trunk receive its own traffic on the
other port.

Fail-over trunk should work just fine, too. But see the following
paragraphs...

If you want reliability, do not use cheap switches. Switch power
supplies are not the failure mode you want to avoid. I don't remember
seeing very many at all, however I've seen lots of crappy ones lose
their config or stop forwarding completely while keeping the link up.

I have two identical core switches in one (not really so critical at
all) place running OSPF, with a bunch of routers connecting to both
switches for redundancy. Works pretty well and there has even been a
config reset incident, which didn't break anything - because OSPF can
detect link failures. Trying to do the same all the way to the end hosts
(i.e. without a routing protocol) is pretty difficult.

One pseudo solution is to run a bridge instead of trunk on the 2
interfaces and use STP for fail-over; I find that too yucky to solve a
problem that doesn't really exist (just buy a reliable switch with a
redundant power supply or connect the single one to a good UPS)

However, if you need to ask if you can run a trunk on top of a carp, do
yourself a favor and use a single switch. There will be less downtime.

Jussi Peltola



Re: HA: pair of firewalls, 2 switches and 1 server

2010-05-20 Thread Jussi Peltola
On Thu, May 20, 2010 at 08:17:48PM +0200, Henning Brauer wrote:
  I have two identical core switches in one (not really so critical at
  all) place running OSPF, with a bunch of routers connecting to both
  switches for redundancy. Works pretty well and there has even been a
  config reset incident, which didn't break anything - because OSPF can
  detect link failures. Trying to do the same all the way to the end hosts
  (i.e. without a routing protocol) is pretty difficult.
 
 i would never ever run any L3 on switches.
 
Bad wording on my part, the routers run OSPF and the switches are dumb
L2 devices.

Still, without OSPF et al there would be no way to detect a crappy
switch failing in funny ways, which was my point.

As an extra note, if you do get a crappy switch, be very careful with
its management interface. The cheapest ones have unbelievably slow CPUs
that are easily overloaded by broadcasts making the whole thing stop
responding. Even worse, the interrupt load seems to trigger some other
bugs, like LACP mysteriously failing and disabling one port on a trunk
and blackholing half of your traffic (this happened on a ZyXEL GS-4024,
which has otherwise totally Just Worked as a L2 switch for years) or
even the whole switch ASIC crashing after a broadcast storm and
requiring a reboot (though the management CPU was still responding
through the out of band ether and serial port after the storm was gone)

Also, it's a very obvious DoS; a malicious person needs to send a rather
small amount of BPDUs to overload the tiny CPU and the cheap switches
obviously have no rate limiting for packets going to the CPU (only on
all broadcasts). So, blocking BPDUs from non-trusted devices should be
enabled (but that should probably be done anyway.)

Even among trusted devices STP and LACP involve the shitty code
running on the underpowered management CPU, and that is not the part
that shines in the cheap switches. Static link aggregation works OK.



Re: HA: pair of firewalls, 2 switches and 1 server

2010-05-20 Thread Jussi Peltola
I do this too. In addition to the previously mentioned problems with
cheap switches losing their configs (and vlans) you should make sure the
active interfaces are all on one switch so that the link between them
isn't uselessly used; this will also avoid an unpleasant split brain
event if that link ever happens to fail. But in this case you will also
have to very carefully check the other switch stays properly configured so
the backup interfaces will actually pass the traffic you want.

Linux's bonding module has an arp monitor which solves some of these
problems, but the implementation is so hackish (as usual there...) that
I'd rather not use it in production. arping and ifstated might do the
same on openbsd, but I'm not sure if that will work when the interfaces
are trunk ports. I'll need to check this when I have time.



Re: help configuring pf: one net can access other but not vice versa

2010-05-08 Thread Jussi Peltola
On Sun, May 09, 2010 at 01:59:16AM +0300, Sviatoslav Chagaev wrote:
 Hello,
 
 I have the following network configuration:
 
 $ext_if -- wired interface, connected to my ISP's network, with a real
 IP address, visible from the Intertubes.
 
 $int_if -- wired interface, to which comps on my home LAN are connected
 
 $wifi_if -- wifi interface, working in host ap mode, free-for-all
 
 I've set up two NATs so that comps on $int_if:network and
 $wifi_if:network could access the Intertubes.
 
 Now I want the following:
 so that comps from $int_if:network could access $wifi_if:network (say,
 ssh to comps over there) but not vice versa.
 
 How do I do this?
 
 Everything I try either ends up blocking all traffic or allowing
 traffic both initiated from $int_if:network to $wifi_if:network and
 vice versa in a strange way: only every second response gets to
 destination, i.e. I see ping like:
 seq_num: 2
 seq_num: 4
 ...etc
 
 Here's my current config file (with many failed attempts commented out),
 system is 4.5:
 
 #
 # See pf.conf(5) for syntax and examples; this sample ruleset uses
 # require-order to permit mixing of NAT/RDR and filter rules.
 # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
 # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
 
 ext_if='fxp0'
 int_if='sis0'
 wifi_if='ral0'
 
 # Limit speed on wifi_if to 2 megabits
 #altq on $wifi_if cbq bandwidth 2Mb queue std
 #queue std bandwidth 100% cbq(default)
 
 # block return in all
 # block return out all
 
 set require-order no

 set skip on lo
 scrub in
 
 # NAT
 nat on $ext_if from $int_if:network to any -> $ext_if
 nat on $ext_if from $wifi_if:network to any -> $ext_if
 
 # NAT/filter rules and anchors for ftp-proxy(8)
 #nat-anchor ftp-proxy/*
 #rdr-anchor ftp-proxy/*
 #rdr pass on ! egress proto tcp to port ftp -> 127.0.0.1 port 8021
 #anchor ftp-proxy/*
 #pass out proto tcp from $proxy to any port ftp
 
 # Filter for $ext_if
 block return in on $ext_if
 pass in on $ext_if proto tcp from any to any port { www, 222 }

This is unnecessarily broad. "to $ext_if" would be adequate.

To do what you want to do, I'd write something like the following:

set block-policy return

antispoof quick for { $int_if, $wifi_if, $ext_if }

block all

pass out on $ext_if
pass out on $wifi_if proto tcp from $int_if:network to $wifi_if:network port ssh
pass in on $ext_if proto tcp to $ext_if port { www, 222 }
pass in on $int_if
pass in on $wifi_if



Re: Semi-newbie NAT question

2010-05-06 Thread Jussi Peltola
On Thu, May 06, 2010 at 11:55:58AM -0700, Jeff Powell wrote:
 All this works just fine until I try to put another server on the public net.
 When I point that server's gateway at the public IP of the router ($IntIF),
 it's blocked by the NAT.  I understand that this is NAT doing its job by
 blocking packets it doesn't know about, but what do I do about a gateway for
 the DMZ net hosts?  I don't want to use the ISP's gateway, I'd rather use the
 router.

This would be useless, the return traffic still flows directly from
the isp router to your bridged hosts.

pf can filter on a bridge. Just do it that way.



Re: tls proxy in front of spamd?

2010-05-05 Thread Jussi Peltola
On Wed, May 05, 2010 at 03:30:06PM +0100, Kevin Chadwick wrote:
 Do you not think it would be better for mail servers to try ssl on one
 port and then plain on port 25 if a rst or timeout occurs. Then it
 would be harder for attackers to force falling back to plain and
 forcing only tls would be easier.
 
Ugh...
If the attacker can modify the EHLO to not include STARTTLS he surely
can also send a RST in response to your attempt to connect to another
port.

Also, SSL is completely useless without DNSSEC. You just need to spoof
the MX records or the A records they point to and you've lost.

Current day email just is not secure. It's no use trying to pretend
otherwise.

Jussi Peltola



Re: [Bulk] Re: tls proxy in front of spamd?

2010-05-05 Thread Jussi Peltola
On Wed, May 05, 2010 at 07:27:46PM +0100, Kevin Chadwick wrote:
 Of course, if it's your mail server and clients you can use ips without
 dns have certificates tied to those ips and even block or monitor resets,
 none of which can be done with starttls and it is also a smaller window
 of opportunity. You can always reset the starttls too and man in the
 middle that, just one less opportunity.
 

If it's your mail server and clients you can just force certificate
checking on the hosts you want to connect to with tls. Using a different
port adds no cryptographic security (authentication) at all, so it's
useless complexity.



Re: Is this a case of paranoia?

2010-04-26 Thread Jussi Peltola
On Mon, Apr 26, 2010 at 10:19:26AM +0300, Lars Nooden wrote:
 On 04/24/2010 10:27 PM, Ed Ahlsen-Girard wrote:
  Ha.  You laugh.  
 
 at you, not with you
 
  My employer is blocking the msdn blogs that we need to
  troubleshoot SharePoint and SQL. ...
 
 Take the hint and get rid of both.  Their presence fucks up the net.
 
Could you stop spewing this on m...@? This is not Lars's-little-soapbox@
and your opinions of all kinds of proprietary products have nothing to
do with OpenBSD. The fact that the rest of this thread is almost as
irrelevant is not a good excuse.

Jussi Peltola



Re: Is this a case of paranoia?

2010-04-26 Thread Jussi Peltola
Yes, yes. Polarized insults and yet more preaching... and PHP, give me a
break.

How can you use Gmail? Or is closed source SaaS suddenly OK? Why would
hosted sharepoint be any different?

Also, could you translate these sentences into English? I'm having
serious problems parsing them.

 Its wrong in allowing a mess on your LAN does, more so because it means
 that the rest of us net users should have to cover it.

 Because of dipshits using and defending broken protocols, broken formats
 and broken services, any project that is oriented towards proper design,
 security, standards, cross platform development and open source has a
 harder time of it.

 Taking a more proactive stance on security and go after the problem
 systems and those that spread them, or give backtalk about wanting to
 allow them.



Re: Execute startup script as user

2010-04-10 Thread Jussi Peltola
On Sat, Apr 10, 2010 at 12:38:25PM +0200, Mats-Göran Karlsen wrote:
 -rw-r-   1 root  wheel   390 Jul 13 18:30 rc.transmission

it's not executable

 The following is appended to /etc/rc.conf
 
use rc.conf.local



ospfd and carp

2010-03-21 Thread Jussi Peltola
Hi,

Firstly, I think the ospfd man page should mention that it will do the
right thing when carp interfaces are added as passive. Currently the
only way to find out about this seems to be to search the archives.

Secondly, I have a test environment with a pair of boxes with a
large-ish number of vlans and carp interfaces on one side and ospf on
the other. Thinking about future maintenance when it gets to production,
is there any way to have ospfd announce the carp interfaces without
manually listing each in ospfd.conf? Perhaps with an interface group?

Of course I could automagically create an includeable config file with
the interfaces listed, but I hope there is a better way. It's easier for
me to document adding a new interface as find a free block,
echo up > hostname.vlanxxx
echo foobar carpdev vlanxxx group announceospf > hostname.carpxxx
(repeat on other machine)

Any extra steps will probably lead to someone screwing up (and I don't
want to be the sole person able to do day to day operations on these
things...)

Thanks
Jussi Peltola
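
The "automagically create an includeable config file" approach mentioned in the post can be done with a few lines. The script below is an added example, not from the thread or from OpenBSD: it scans hostname.if(5) files, picks every interface whose ifconfig line puts it in the group announceospf (the group name used in the post), and emits one "interface carpN { passive }" stanza per interface for the area block of ospfd.conf. The sample hostname.* file contents are constructed; the generator only matches the group keyword followed by the exact name, so a carp interface without the group is left out.

```python
"""Generate ospfd.conf passive-interface stanzas from hostname.if(5) files.

Added example, not from the thread or from OpenBSD. Every hostname.carpN
file that puts the interface in the group "announceospf" (the group name
used in the post) yields one "interface carpN { passive }" line; the file
contents below are constructed.
"""
import os
import re
import tempfile

# Constructed sample /etc/hostname.* files. Only carp100 and carp101 carry
# "group announceospf"; carp200 does not and must be left out.
SAMPLE_FILES = {
    "hostname.vlan100": "vlan 100 vlandev em0 up\n",
    "hostname.carp100": "inet 10.0.100.1 255.255.255.0 10.0.100.255 "
                        "vhid 100 carpdev vlan100 group announceospf\n",
    "hostname.vlan101": "vlan 101 vlandev em0 up\n",
    "hostname.carp101": "inet 10.0.101.1 255.255.255.0 10.0.101.255 "
                        "vhid 101 carpdev vlan101 group announceospf\n",
    "hostname.carp200": "inet 10.0.200.1 255.255.255.0 10.0.200.255 "
                        "vhid 200 carpdev vlan200\n",
    "hostname.em0": "inet 192.0.2.2 255.255.255.252\n",
}

# hostname.<driver><unit>, e.g. hostname.carp100 -> ("carp", "100")
IFNAME_RE = re.compile(r"^hostname\.([a-z]+)(\d+)$")


def interfaces_in_group(etc_dir, group):
    """Interface names whose hostname.if file contains 'group <group>'.

    Lines are tokenised so that the ifconfig keyword "group" followed by
    the exact name is required; a substring match would also accept a
    group called e.g. "announceospf2".
    """
    found = []
    for filename in sorted(os.listdir(etc_dir)):
        match = IFNAME_RE.match(filename)
        if not match:
            continue
        with open(os.path.join(etc_dir, filename)) as fh:
            for line in fh:
                tokens = line.split()
                pairs = zip(tokens, tokens[1:])
                if any(key == "group" and val == group for key, val in pairs):
                    found.append((match.group(1), int(match.group(2))))
                    break
    # sort by driver name, then numerically by unit (carp2 before carp10)
    return [f"{drv}{unit}" for drv, unit in sorted(found)]


def render_passive_stanzas(ifnames):
    """ospfd.conf lines meant to be pulled into an 'area' block."""
    return "".join(f"\tinterface {name} {{ passive }}\n" for name in ifnames)


def generate(etc_dir, group="announceospf"):
    """Full generated fragment for the given /etc directory."""
    return render_passive_stanzas(interfaces_in_group(etc_dir, group))


def demo():
    """Write the constructed files to a scratch directory and generate."""
    with tempfile.TemporaryDirectory() as etc_dir:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(etc_dir, name), "w") as fh:
                fh.write(body)
        return generate(etc_dir)


if __name__ == "__main__":
    print(demo(), end="")
```

Pointing generate() at /etc on the real box and writing the result to a file referenced from the area block keeps the two-echo procedure from the post as the only thing an operator has to remember; the group tag in hostname.carpxxx is the single source of truth.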



Re: Opteron 250 Overheating

2010-03-15 Thread Jussi Peltola
On Mon, Mar 15, 2010 at 08:02:50AM -0400, Steve Shockley wrote:
 If you do take it apart, make sure you have some heatsink grease  
 on-hand, as the factory stuff may look (and function) like dried  
 toothpaste.  Don't spend extra on special grease, it doesn't really  
 make a difference.

Laptops often have thermal pads, which can't be replaced with thermal
paste. Better not remove it unless you know what you're doing. The pad
is nearly impossible to re-use, dust will stick to it and it'll be
unusable.

Snake oil thermal pastes are just a rip-off, though.



Re: SSH through port SMTP

2010-02-26 Thread Jussi Peltola
You are trying to do something evil by making a bridge pretend it is the
host on its other side. Do not do that. Just fix the upstream firewall
to pass the management traffic you need to the box.

127.0.0.1 shouldn't arrive on a non-loopback interface. If you wanted to
try to do this kind of silly hack, you would use another address and
configure it on $ext_if.

Where is your ifconfig output and dmesg, anyway?



Re: load balancing PPPoE connections

2010-02-23 Thread Jussi Peltola
On Tue, Feb 23, 2010 at 10:10:16PM +0800, Edwin Eyan Moragas wrote:
 hi misc,
 
 i have two outgoing DSL connections using PPPoE.
 
 i've read about mpath in the FAQ (together with ifstated(8)) and
 scoured the PF examples but i haven't found any straightforward
 examples using PPPoE.
 
 any pointers or advice would be most welcome.

Does your ISP support this? Typically they would do uRPF and drop
packets from addresses other than the PPP session where you got the
particular /32, forcing you to use NAT and an outgoing pool for load
balancing.



Re: recording sounds: a permanent DC offset

2010-02-21 Thread Jussi Peltola
The input should be capacitively coupled, so even if your mic has a DC
offset it shouldn't matter. Either the capacitor is leaky or the ADC is
broken. It could be a driver weirdness but that sounds unlikely. 

If you don't mind losing the few bits of dynamic range, you can just
remove the DC offset. A high-pass filter at 20Hz should do the trick,
if your audio editor doesn't have a DC removal filter. I'd guess
compressing the audio also limits the bandwidth so there is no DC.



Re: Filtering based on MAC adress

2010-02-21 Thread Jussi Peltola
On Sun, Feb 21, 2010 at 08:26:44PM +1000, David Gwynne wrote:
 i hate to bring this up, but if you have cisco gear with dhcp snooping enabled
 you can enforce this on the switch.
 
That's probably also the only reasonable place to do it. Thankfully it's
not only cisco that does that nowadays.

Still, for low intra-subnet traffic situations it'd be nice to be able
to do the same with openbsd, one port per vlan, while bridging and
filtering to achieve the same result. With the current MAC tagging
capability it might work, but I haven't tested how ARP works in this
case.



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Jussi Peltola
Just put your data on some funny port, then? Or give it a long and hard
to guess name, that might actually have sufficient entropy to be any
use.

A less-than-16-bit random port is rather easy to guess.

And, if you really want to do port blocking, read the pf man page. It is
possible with a rule that adds IPs to tables. Perhaps after more than
one knock for added security...

In any case, I really don't see a need for OpenBSD to support these
kinds of silly things, the people who really want to do them can find
their own ways.



Re: redistribute default route via ospfd

2010-02-14 Thread Jussi Peltola
On Sun, Feb 14, 2010 at 02:36:56PM +0100, Claudio Jeker wrote:
 I would install a default blackhole route like this:
 route add default -blackhole 127.0.0.1
 
Hmm, why not -reject? To avoid error messages while the routes are not
yet installed in the kernel?



Re: AMD power reduction

2010-02-07 Thread Jussi Peltola
On Sun, Feb 07, 2010 at 10:10:22PM -0500, Nick Holland wrote:
 With all this talk about power reduction...I'm going to toss out one
 small suggestion:
 
 Get a Wattmeter, and measure...  Don't waste your time speculating.
 
 An ammeter and high school physics V*A=Watts doesn't cut it for AC
 (in general -- a lot of machines are power-factor corrected now so V*A
 becomes QUITE useful again, but some have a really big power factor
 still...just discovered a P4-vintage machine running a power factor
 of 0.65, which surprised the heck out of me.  And if you have no idea
 what I'm talking about, just get a good Wattmeter that understands
 real AC Wattage, and don't worry about it).
 
Even though the cheap ones try to measure real power and not apparent
power, they are often very inaccurate especially at low loads. Watch out
for cheap meters, and if you have multiple similar machines it's not a
bad idea to measure them all at once.

If you don't believe me, buy two cheap meters of the same kind and one of
another kind, if they're within 10% of each other (with a non-resistive
load and low power) I suggest you go buy a lottery ticket. They're still
useful for relative comparisons, of course.

With a machine consuming 100 Watts, switching from a 65% efficient
supply (that's an optimistic guess for a cheap power supply a few years
ago) to a 80% efficient supply will save 28 watts. If you live in a hot
climate and use air conditioning, it's probably worth it in a 24/7
machine. For a machine consuming 50W the savings are probably not worth
the investment. If you are buying a new machine, the price difference
between a crappy and a good power supply is so small it's a no-brainer.
As a bonus the high efficiency supplies run cool and quiet.



Re: way to help: laptops and weekly

2010-01-31 Thread Jussi Peltola
On Mon, Feb 01, 2010 at 04:54:49AM +, Jacob Meuser wrote:
 On Mon, Feb 01, 2010 at 05:57:11AM +0200, Jussi Peltola wrote:
  On Mon, Feb 01, 2010 at 02:35:54AM +, Jacob Meuser wrote:
   yeah, but wasn't the original issue that started this thread was that
   the locate database was too old?  maybe if locate, apropos, etc would
   print database last updated 3 weeks 2 days ago?
   
  This should be done in any case. IMHO it's a bug if they don't complain
  loudly, or even refuse to run with a stale database. Stale caches are
  evil, even if the man page warns about them.
 
 yeah, but if your computer hasn't been on for 3 weeks and then locate
 won't work because the database is 3 weeks old, that would suck.
 
Of course it would need a switch to force it to run. But I guess a
warning is better since locate might be used in scripts and it's not
good to add extra knobs to existing programs where they don't gain much.



Re: Announcing: JigglyPuffBSD

2010-01-27 Thread Jussi Peltola
http://www.gossipgamers.com/pokemon-redesigned-in-traditional-japanese-style-artwork/



Re: Hard disk errors - OpenBSD reports errors, SMART says all is well.

2009-12-26 Thread Jussi Peltola
On Sat, Dec 26, 2009 at 09:07:13AM -0600, Chris Bennett wrote:
 SMART is not the final word.

True

 Try running badblocks from e2fsprogs.

Neither is badblocks

 Be sure you use it correctly. You will need the partitions unmounted for it

It's rather hard to prove a disk isn't broken; a program may easily
prove it is broken, though.

Writing to all sectors will let the disk remap bad sectors. This may
make a broken disk seem ok for a while, or just remap the one or two bad
sectors in an otherwise OK disk. You never know. But what you do know is
that badblocks assumes disks are simple devices, while modern-day
disks are not simple. It's a usable tool if you understand its limits.

Never underestimate controller, software and cables as a source of drive
issues. A bad IDE cable caused me to waste embarrassingly many hours
some years back.



Re: What stupid mistake am I making?

2009-12-22 Thread Jussi Peltola
State. Blocking outgoing traffic will not prevent replies being allowed
out.



Re: Backup disk over USB good idea??

2009-12-18 Thread Jussi Peltola
On Fri, Dec 18, 2009 at 02:51:34PM +0700, Edho P Arief wrote:
 can you please enlighten me on why that's a bad thing?

Filling up / can be more annoying than filling up /usr.

It's better to make sure your mounts work and not try to work around
broken systems, though.



Re: pf reply-to not really working

2009-12-09 Thread Jussi Peltola
Check that another pass rule later in the file is not overriding it.
Maybe try with quick.



Re: ComixWall terminated [WAS: ComixWall 4.6 released, December 8, 2009]

2009-12-09 Thread Jussi Peltola
This is just silly. If you make a firewall distribution to promote
OpenBSD instead of making a firewall distribution, your source of
motivation is wrong.

OpenBSD is free software. You are completely free to use it as a basis
for your firewall distribution.

The project, on the other hand, does not have to distribute your
advertisements. Especially not for every release. You can start your own
mailing list and post them there. A single post to misc@ might have been
OK to inform potentially interested people.

If your choice of OS is based on whether you can advertise on their
list, the loss is yours. If I were making a firewall distribution I'd
certainly choose the OS that suits the project technically.

In any case OpenBSD does not owe anything to you.  Had they asked you to
promote OpenBSD this way it would be different.



Re: Lucent Technologies Orinoco Wifi card (PCMCIA) and OpenBSD?

2009-12-08 Thread Jussi Peltola
I've seen my share of broken WaveLAN cards and AP-2000 power supplies.

Still, the new crappy WLAN devices probably have 10 times the failure
rate and don't work too well even when not broken...

IME even with newer hardware, leaving it open and using IPSec, openssh
etc. will be less painful. WPA still seems to be somewhat buggy in many
devices.



Re: How to disable IPv6?

2009-12-05 Thread Jussi Peltola
On Sat, Dec 05, 2009 at 12:44:42PM -0800, rhubbell wrote:
 On Sat, 5 Dec 2009 15:28:09 -0500
 STeve Andre' wrote:
 
  mostly a waste of time, except for the educational aspects of what not
  to do.
 
 Thanks for the nice story.  I get a kick out of how far folks here go out
 of their way not to help people out. Instead offering up non-sequiturs,
 etc.
 
 Come on admit it, you don't know how to disable IPv6.  Why does everyone
 place so much trust in OpenBSD when the kernel seems to be a mystery to
 most here with constant warnings about not fiddling with it.
 
At least some developers hang on misc@ and surely know how to disable
ipv6. The question is: do they care?



Re: IPSec Blues

2009-12-02 Thread Jussi Peltola
Try setting srcid and dstid manually (I used FQDN:s and pubkeys to make
it work, didn't succeed with IP addresses), you might also try testing
with a PSK to eliminate one part of the equation.



Re: CARP and ospf issue

2009-12-01 Thread Jussi Peltola
On Tue, Dec 01, 2009 at 06:17:32AM -0500, stan wrote:
 On Mon, Nov 30, 2009 at 11:29:00PM +0200, Jussi Peltola wrote:
  Not knowing your network I can only guess you don't want to mix CARP and
  OSPF on the outside interfaces. OSPF will handle the fail-over.
  
  CARP interfaces listed in ospfd.conf as passive will just work and get
  advertised in OSPF when they are master.
  
  You probably don't want redistribute connected; this will cause the
  CARP physical interface's route to be advertised even when the CARP
  interface is backup.
  
 
 Let me see if I understand. You are suggesting that I just use OSPF on the
 outside, and not CARP at all? If that's the case, won't both routes be
 advertised, if both interfaces are up?
 
That's probably how it should work.

You want the routers to be two, normal OSPF routers. CARP is only needed
to create a gateway address for the subnet they are serving. Assuming
the outside is something like an OSPF backbone, you do not need or
want CARP there (my crystal ball is rather foggy on your network).

The routes to the outside network will get advertised. This is normal
and they shouldn't get used, as the other routers in that network can
reach it directly.

The CARP routes will just work when you list the CARP interface (and
only the CARP interface, not its physical interface) in ospfd.conf as
passive, as explained by Stuart earlier.



Re: carp and ospf issue

2009-12-01 Thread Jussi Peltola
This is normal. The Linkstate column shows the CARP state, and the
interface is passive so it is DOWN - you do not run OSPF on it so there
are no neighbors.



Re: carp and ospf issue

2009-11-30 Thread Jussi Peltola
This works for me:
# NB: if a carp address is the lowest IP you will get duplicate
# router-id's - maybe ospfd should ignore CARP interfaces when selecting
# the host id?

router-id 1.2.3.4

area 0.0.0.0 {
	interface gif0 { }  # link to another site
	interface gif1 { }  # link to another site
	# ...
	interface vr1 { }   # link to CARP peer
	interface carp1 { passive }
	interface carp2 { passive }
	interface carp3 { passive }
}

OSPF doesn't work over CARP interfaces. You need to connect to the rest
of the OSPF cloud over real interfaces, and the CARP-connected
networks should be stub networks where your actual hosts live. And CARP
interfaces must be passive.



Re: carp and ospf issue

2009-11-30 Thread Jussi Peltola
Not knowing your network I can only guess you don't want to mix carp and
OSPF on the outside interfaces. OSPF will handle the fail-over.

CARP interfaces listed in ospfd.conf as passive will just work and get
advertised in OSPF when they are master.

You probably don't want redistribute connected; this will cause the
carp physical interface's route to be advertised even when the carp
interface is backup.



Re: Does Atom dual-core work with SMP?

2009-11-23 Thread Jussi Peltola
Insufficient data.

What are you going to do with it?



Re: Truncation Data Loss

2009-11-10 Thread Jussi Peltola
On Tue, Nov 10, 2009 at 11:18:57AM -0700, Theo de Raadt wrote:
 If you want to never lose data, you have an option.  Make the filesystem
 synchronous, using the -o sync option.
 
 If you can't accept the performance hit from that, then please accept
 that all the work done over the ages is only on ensuring metadata-safety
 for a low performance penalty.  It has never been about trying to
 promise file data consistency when that could only be achieved by
 synchronous file data writing.
 
And the more or less correct solution to improve the performance is
battery backed RAID write cache, but it's no silver bullet.



Re: partitioning wifi networks: multiple APs and access control

2009-11-08 Thread Jussi Peltola
On Sun, Nov 08, 2009 at 11:06:42AM -0600, Jacob Yocom-Piatt wrote:
 - what is the best facility to log wifi usage to syslog on an openbsd  
 host? have used hostapd in the past, it's pretty sweet but not practical  
 for guest users or wireless appliances

Some APs can log associations to remote syslog servers. What exactly do
you want to log?

 - are there any recommended appliance wifi routers that will play nice  
 with openbsd? i am looking for higher end hardware, not commodity junk  
 that will save me money but cost me maintenance time later. i think i  
 heard something about APs that can handle multiple nwids on multiple  
 channels, this may be heresy

More enterprise-y APs support multiple SSIDs on one channel, or multiple
channels, and bridge those to separate VLANs.

 - which particular wifi interfaces are suggested for hostap mode over  
 others? i haven't used hostap mode for several years since i had  
 problems with needing to periodically (~monthly) take the hostap  
 interface up and down

Lack of powersave support on ral has made it hard to find a hostap card
that works with all devices.

 - how should i avoid band over-occupancy issues to ensure decent  
 throughput on my networks?

Find free channels and hope for the best. Use channels as far away from
each other as you can. Don't worry about throughput until you've proven
it is an issue.

Get 3 cheap access points and a spare. Even expensive APs tend to run
hot and be somewhat unreliable; this also allows you to position the APs
optimally. If you need to drive to change the broken AP, buy a more
expensive one and hope for the best.

Ignore WLAN security if you can and use IPSec or something similar
that is truly secure and not a pain in the butt.

Jussi Peltola



Re: VHS transfer on OpenBSD

2009-10-18 Thread Jussi Peltola
The card's inputs probably work only one at a time. You would also need
some interesting post-processing to merge 3 streams of RGB captured
separately, and lack of sync would probably make it not work very well.

VHS has so little bandwidth that using composite video is just fine.
Don't fuss about the cable, either. The source is already so noisy and
low-bandwidth that it's not very important.



Re: Daily script - wake up disk

2009-10-17 Thread Jussi Peltola
How about re-scheduling it so it wakes you up in the morning at the
right time :)



Re: GRE performance specs

2009-10-16 Thread Jussi Peltola
How about trying it? Our crystal ball is unfortunately not able to
predict your traffic patterns.

50 Mbps sounds like very little for a modern box running OpenBSD. I can get
20 Mbps over IPsec on an ALIX...

Jussi Peltola



Re: ZTE-MF626 USB Modem

2009-10-14 Thread Jussi Peltola
On Wed, Oct 14, 2009 at 01:14:00PM -0500, Sergio Andris Gómez del Real wrote:
 Thanks for the reply.
 
 Indeed, I use usb_modeswitch under Linux; it is, however, Linux-only,
 because it reloads a certain kernel module. With the GENERIC
 kernel, usb_modeswitch does not even recognize the device. However,
 compiling it (the kernel) without umass support, that is, the device
 being ugen, it does.
 
 Now, when I boot GENERIC with the modem plugged in, I get the
 microSD that is 'inside my modem' (not the cd-rom device) recognized,
 but no modem...
 
 Any idea would be wonderful, and sorry for my horrible English.
 

OpenBSD already does this modeswitch dance automatically for loads of
different USB modems without the user having to play with all kinds of
programs like in linux. If only the developers had hardware like yours
it would probably already be supported...



Re: Defending OpenBSD Performance

2009-09-16 Thread Jussi Peltola
On Wed, Sep 16, 2009 at 08:22:19PM +, Stuart Henderson wrote:
 On 2009-09-16, Peter Kay - Syllopsium syllops...@syllopsium.com wrote:
 
  At the risk of a flaming, sysmerge is also a pain in the arse. Once you 
  know how to use patch files and diff properly I'm sure it is absolutely
  wonderful, but it also copes badly with files that have not changed
  in any significant way.
 
 it's better at this in 4.6 than 4.5, and better again in -current.
 

AFAIK debian won't magically merge your changed conffiles either. Or
have they come up with artificial thought-reading intelligence?



Re: shutting down

2009-09-13 Thread Jussi Peltola
On Sun, Sep 13, 2009 at 03:35:04PM +0200, Maurice Janssen wrote:
 The NFS-server is an embedded device (Netgear NAS).  Unfortunately I  
 can't set the +5 on the shutdown command...

Then there's probably no way to mount the NFS server's FS's sync? That
could be enough if all processes that need clean shutdown run on the
NFS clients.



Re: New Translation Options in PF

2009-09-05 Thread Jussi Peltola
On Sat, Sep 05, 2009 at 05:37:58AM -0600, Anathae Townsend wrote:
 match out on external from mynetwork to any nat-to (external) round-robin

IIRC it's been that way as long as I can remember, if you only have one
address round-robin doesn't really do anything. 

-- 
Jussi Peltola



Re: issues setting up OpenOSPFD between local and remote OpenBSD routers.

2009-08-03 Thread Jussi Peltola
I'd suggest running ospf over pointopoint links (gif/gre, on ipsec if
desired) instead of faking a layer 2 backbone where there isn't one.

-- 
Jussi Peltola



Re: PF with BGP CARP for a router

2009-08-01 Thread Jussi Peltola
 to 224.0.0.1


 block in log on $EXTIF001 inet from any to $ROUTERSINTIFACES


 pass in quick log on $EXTIF001 inet proto icmp from any to $EXTIF001  
 icmp-type 8 code 0 $UDPSTATE
 pass in log quick on $EXTIF001 inet proto icmp  from any to  
 $ROUTERSINTIFACES icmp-type 8 code 0 $UDPSTATE
 pass out log quick on $INTIF inet proto icmp  from any to $DECLAREDHOSTS  
 icmp-type 8 code 0 $UDPSTATE


 pass in log quick inet proto udp from any to $EXTIF001 port 33433   
 33626 keep state
 pass in log quick on $EXTIF001 inet proto udp from any to  
 $ROUTERSINTIFACES port 33433  33626 keep state
 pass out log quick on $INTIF inet proto udp from any to $DECLAREDHOSTS  
 port 33433  33626 keep state

 pass in log quick inet proto {tcp, udp} from $EBGPALLOW to $EXTIF001  
 port bgp


 pass in quick log on $EXTIF001 inet proto tcp from $SSHALLOW to  
 $EXTIF001 port ssh $SYNSTATE $SSHSTO queue (ssh_bulk, ssh_login) tag 
 OPENSSH

 pass in quick log on $EXTIF001 inet proto tcp  from $SSHALLOW to  
 $ROUTERSINTIFACES port ssh $SYNSTATE $SSHSTO queue (ssh_bulk, ssh_login)  
 tag OPENSSH
 pass out quick log on $INTIF inet proto tcp  from $SSHALLOW to  
 $DECLAREDHOSTS port ssh $SYNSTATE $SSHSTO queue (ssh_bulk, ssh_login)  
 tag OPENSSH



 pass in log quick on $EXTIF001 from any to $DECLAREDHOSTS


 pass out log quick on $INTIF from any to $DECLAREDHOSTS


 pass in log on $INTIF proto {tcp,udp} from $IBGPALLOW   to  $INTIF port  
 bgp   $TCPSTATE $INTIFSTO


 pass in log on $INTIF inet proto tcp  from $DECLAREDHOSTS to  $INTIF  
 port ssh   $TCPSTATE $INTIFSTO
 pass in log on $INTIF proto icmp  from $DECLAREDHOSTS to  $INTIF

 pass in log on $INTIF inet proto icmp from $DECLAREDHOSTS to  $INTIF  
 icmp-type 8 code 0 $UDPSTATE $INTIFSTO

 pass out log on $EXTIF001 proto {tcp, udp} from $DECLAREDHOSTS to any  
 port $ROUTER_ALLOW_OUT


 pass out log on $EXTIF001 proto icmp from  
 {$ROUTERSINTIFACES,$IBGPALLOW,$DECLAREDHOSTS} to any
 pass out log on $EXTIF001 proto {tcp, udp} from  
 {$ROUTERSINTIFACES,$IBGPALLOW} to any port $ROUTER_ALLOW_OUT

 # IPv6 config not yet completed, will do once v4 fully done
 pass quick inet6


I'm not sure if I see a typical border filtering scheme (maybe I didn't
read carefully enough), you'll want to drop:

* Packets not from you (your advertised prefix) to your ISP, probably
  also log these (even though your ISP should drop them, they might
  not[1] and you really want to know about them)

* Packets from you from your ISP, they are not you. Logging these should
  be interesting, too.

* Probably also: packets not addressed to you from your ISP


[1] I once managed to send packets from an RFC1918 address through two
AS's to my home DSL line. Don't trust your ISP, do your own
filtering.

-- 
Jussi Peltola
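The three border drops listed above, as an added example that is not part of the original post or the poster's pf.conf: the policy is modelled over constructed packets with Python's ipaddress module so the decisions can be checked, and the same policy is rendered as pf.conf lines. The advertised prefix (192.0.2.0/24), the interface name (em0) and the sample packets are assumptions for illustration.

```python
"""Border anti-spoofing policy from the post, as an added example (not the
poster's pf.conf).  The three drop rules are evaluated over constructed
packets, and the same policy is rendered as pf.conf lines.  Prefix,
interface name and sample packets are assumptions; your values go in the
two constants."""
import ipaddress
from collections import namedtuple

OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]   # assumed advertised prefix
EXT_IF = "em0"                                          # assumed ISP-facing interface

# direction is "in" (arriving from the ISP) or "out" (leaving towards the ISP)
Packet = namedtuple("Packet", "direction src dst")


def is_ours(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in OUR_PREFIXES)


def border_verdict(pkt):
    """Return (action, reason).  Every 'drop' is worth logging."""
    if pkt.direction == "out" and not is_ours(pkt.src):
        return ("drop", "egress: source is not in our prefix (leak or spoof)")
    if pkt.direction == "in" and is_ours(pkt.src):
        return ("drop", "ingress: our own prefix arriving from the ISP (spoof)")
    if pkt.direction == "in" and not is_ours(pkt.dst):
        return ("drop", "ingress: not addressed to us")
    return ("pass", "ok")


def render_pf(prefixes=OUR_PREFIXES, ext_if=EXT_IF):
    """Equivalent pf.conf fragment.  A table is used because pf allows
    '!' negation on a table but not on a list of addresses."""
    nets = " ".join(str(n) for n in prefixes)
    return "\n".join([
        f'ext_if = "{ext_if}"',
        f"table <ournet> const {{ {nets} }}",
        "# outbound: only our own prefix may leave towards the ISP",
        "block out log quick on $ext_if from ! <ournet> to any",
        "# inbound: our prefix never legitimately arrives from the ISP",
        "block in  log quick on $ext_if from <ournet> to any",
        "# inbound: anything not addressed to us",
        "block in  log quick on $ext_if from any to ! <ournet>",
    ])


# Constructed packets covering each rule plus two legitimate flows.
SAMPLE_PACKETS = [
    Packet("out", "192.0.2.10",  "198.51.100.1"),  # pass
    Packet("out", "10.0.0.5",    "198.51.100.1"),  # RFC1918 leaking, as in the footnote
    Packet("in",  "192.0.2.10",  "192.0.2.1"),     # spoofed source claiming to be us
    Packet("in",  "203.0.113.7", "198.51.100.9"),  # transit junk not for us
    Packet("in",  "203.0.113.7", "192.0.2.1"),     # pass
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p, "->", border_verdict(p))
    print(render_pf())
```

One caveat when pasting the rendered rules into a real ruleset: the router's own $ext_if address usually lives in the ISP's link subnet, not in your advertised prefix, so the "not addressed to us" block would also catch BGP sessions and pings to the router itself. Either add the link net to the table or place pass quick rules for traffic to ($ext_if) before these blocks.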



Re: [SOLVED, sort of] Re: 'ps auwx' and 'top': inconsistent display?

2009-08-01 Thread Jussi Peltola
On Sat, Aug 01, 2009 at 03:33:54PM +0200, Toni Mueller wrote:
 Why is the real userid inherited when using 'fork' while being
 switched to a different user?
 
Why should fork touch user id's? Drop them properly yourself after forking.

http://search.cpan.org/~tlbdk/Privileges-Drop-1.01/lib/Privileges/Drop.pm

-- 
Jussi Peltola
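What "drop them properly yourself after forking" looks like in practice, as an added example in Python. This is not the Privileges::Drop module linked above, it just follows the same recipe (supplementary groups, then gid, then uid, then verify the drop cannot be undone). The system calls are taken from an injectable object so the ordering can be exercised without running as root; the default is the real os module, and the uid/gid values in the demo are assumptions.

```python
"""Dropping privileges properly after fork(), as an added example (not the
Privileges::Drop module linked in the post).  The syscalls come from an
injectable 'osmod' object so the ordering can be checked without root;
the default is the real os module.  Target uid/gid in the demo are
assumptions."""
import os


def drop_privileges(uid, gid, groups=(), osmod=os):
    """Irreversibly switch to uid/gid.  Order matters: supplementary
    groups and the gid must go first, because once the uid is no longer
    0 the process can no longer change them."""
    if osmod.getuid() != 0:
        raise PermissionError("not root: nothing to drop")
    osmod.setgroups(list(groups))           # 1. supplementary groups
    osmod.setresgid(gid, gid, gid)          # 2. real, effective and saved gid
    osmod.setresuid(uid, uid, uid)          # 3. real, effective and saved uid
    # 4. verify: all three ids must be the target, and getting root back
    #    must fail.  Do not assume a set*id call worked because it returned.
    if osmod.getresuid() != (uid, uid, uid) or osmod.getresgid() != (gid, gid, gid):
        raise RuntimeError("privilege drop incomplete")
    try:
        osmod.setresuid(0, 0, 0)
    except OSError:
        return True                         # expected: root is gone for good
    raise RuntimeError("could regain root after dropping privileges")


class FakeOS:
    """Test double for os that records the call order.  Its setresuid
    rule is a simplification of the kernel's: once no id is 0, only the
    current real uid may be set."""
    def __init__(self):
        self.calls = []
        self.uids = (0, 0, 0)
        self.gids = (0, 0, 0)
        self.groups = [0]

    def getuid(self):
        return self.uids[0]

    def setgroups(self, groups):
        self.calls.append("setgroups")
        self.groups = list(groups)

    def setresgid(self, r, e, s):
        self.calls.append("setresgid")
        self.gids = (r, e, s)

    def setresuid(self, r, e, s):
        self.calls.append("setresuid")
        if self.uids[1] != 0 and self.uids[2] != 0 and r != self.uids[0]:
            raise OSError(1, "Operation not permitted")
        self.uids = (r, e, s)

    def getresuid(self):
        return self.uids

    def getresgid(self):
        return self.gids


if __name__ == "__main__":
    # fork() copies the ids; the child drops, the parent keeps what it had.
    pid = os.fork()
    if pid == 0:
        try:
            drop_privileges(1000, 1000, [1000])
            print("child now", os.getresuid())
        except PermissionError as e:
            print("child:", e)
        os._exit(0)
    os.waitpid(pid, 0)
    print("parent still", os.getresuid())
```

The point of step 4 is that the ids in the child are whatever the parent had when it forked; nothing in fork() changes them, so the child has to do the drop itself and then prove it stuck.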



Re: ppp dialup with public subnet

2009-07-13 Thread Jussi Peltola
It makes no sense to try to bridge ethernet over ppp. You need to route,
not bridge.



Re: azalia

2009-07-10 Thread Jussi Peltola
On Thu, Jun 18, 2009 at 10:59:16AM +, Jacob Meuser wrote:
 I played with this a bit and was unable to get rid of the pop.  I
 left outputs muted, and still got the noise.  as far as I can tell,
 the pop happens when the codec is powered up.
 
I think the codec has a virtual ground tied halfway between 5V and 0V
or whatever its power supply is. The output is then connected to the
real output with a capacitor to avoid a 2.5V DC offset at the output
(this is commonly done when you only have a single supply but need a
split one).

When the codec is powered up, all of it is at 0V. The virtual ground
will rise to 2.5V, causing a very loud spike as the output capacitor
charges. It's not possible to mute this except with a mute transistor
after the output capacitor (haven't seen any sound card with one of
those) or a very slow-rising power supply, making the narrow, tall spike
into a wide, low pulse that you can't easily hear. Surely not something
you can fix without physically poking the hardware, though probably not
very difficult if the noise is really annoying.

-- 
Jussi Peltola



Re: random crashes on a firewall with OpenBSD 4.5-stable

2009-06-26 Thread Jussi Peltola
But even measuring the ripple with a scope won't guarantee it's OK.
Swapping out all of the hardware is sometimes the only way to find out.
Same goes for memtest86+: it can prove it's broken, but if it doesn't
find problems it doesn't guarantee there are none.

-- 
Jussi Peltola



Re: Plenty of Spam these days on the List

2009-06-26 Thread Jussi Peltola
On Fri, Jun 26, 2009 at 09:57:51PM +0530, Siju George wrote:
 I am wondering why this has increased in the near future :-(
 
 --Siju
 

Maybe you should stop sending more of it



Re: newfs_msdos alters disklabel?

2009-06-09 Thread Jussi Peltola
On Mon, Jun 08, 2009 at 07:43:22PM -0400, Nick Holland wrote:
 condensing... (Those who scream about the horror of top posting
 obviously don't have a netbook.  Having to flip down twenty
 screens worth just to see something one hasn't seen five times
 already is annoying and a good way to get ignored by me.)
 
S   skip-quoted skip beyond quoted text 

 
T   toggle-quoted   toggle display of quoted text

Just use a MUA that doesn't suck too much :)

-- 
Jussi Peltola



Re: Thinkpad T42 panic on i386 snapshot bsd.rd

2009-06-05 Thread Jussi Peltola
On Fri, Jun 05, 2009 at 04:11:39PM -0400, Joe Gidi wrote:
 
 Also, the machine has no serial port, so I can't try the serial console
 trick.

It does, but you need the port replicator to access it. Maybe you can
find one you can borrow.

-- 
Jussi Peltola



Re: multilink VPN

2009-05-29 Thread Jussi Peltola
In cisco speak, with pretty pictures:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml

On OpenBSD, it works analogously, except that it's much cleaner :)

Just think of the ipsec secured gre tunnel as a wire from point A to B.
Make two such wires. Then run a routing protocol on them to redundantly
route your traffic through.

Some things to consider:

1. What if the internet links fail some other way than completely dead,
like high packet loss?

2. The rest of the system probably isn't as reliable as you think, if
you can't have much money for making the internet links redundant.

-- 
Jussi Peltola



Re: OpenBSD router stops functioning but still send CARP advertisements

2009-05-27 Thread Jussi Peltola
I'd rather run pfsync in its own vlan than over a realtek card. It's
probably not any slower (what could be slower than a realtek...) and
it's not really any less reliable (what use is pfsync if your business
network goes down?)



Re: MPLS status questions.

2009-05-24 Thread Jussi Peltola
On Sun, May 24, 2009 at 02:49:53PM +0200, Martin Schröder wrote:
 2009/5/24, Stuart Henderson s...@spacehopper.org:
  The P (Private) suggests some kind of privacy.
 
 MPLS is well suited to the task as it provides traffic isolation and
 differentiation without substantial overhead.
 
 
Doesn't the public Internet do that too, when everyone plays by the
rules and nothing is misconfigured?



Re: OpenBSD on Sun Netra X1

2009-04-28 Thread Jussi Peltola
Depends on the db9-rj45 adaptor, some need a rollover cable, some a
straight one. Try it.



Re: OpenBSD on Sun Netra X1

2009-04-27 Thread Jussi Peltola
Many (probably 50%) of RJ11 4-wire telephone cables were crimped wrong
by the factory and are in fact  roll over cables (RJ11 fits in RJ45,
but you need 4 wires, 2 won't work).

Saved me from some hair loss one Sunday far away from everything.

-- 
Jussi Peltola



Re: Low power OpenBSD machine

2009-04-13 Thread Jussi Peltola
On Mon, Apr 13, 2009 at 05:40:57PM +0200, Henning Brauer wrote:
 1A * 120V = 120VA ~= 120W
 
Assuming cos(φ) is somewhere near unity, which isn't a good assumption
to make even though it's increasingly close in new switching power
supplies. In the case of autoranging supplies it's usually pretty good.

Small switching supplies like the ones for Soekris etc. can be pretty bad.
Linear supplies will also be far from 1.

-- 
Jussi Peltola



Re: Low power OpenBSD machine

2009-04-13 Thread Jussi Peltola
On Mon, Apr 13, 2009 at 11:59:11AM -0600, Daniel Melameth wrote:
 Almost any modern notebook will use less than 30 watts and be
 significantly more powerful than a Soekris.
 
Get a used ThinkPad and swap in a bigger drive. You'll get a superior
keyboard and silent operation on top of Really Working (tm) hardware. My
T40p was not much more expensive than an atom box or soekris and it runs
very cool, staying room-temperature at zero load. The port replicators
should be really cheap on ebay now if you want to connect more desktop-y
peripherals. And they, of course, run OpenBSD, even though I currently
don't run it on mine.

Besides, the ThinkPad is still in good shape after quite a few beverages
- much better than I on those nights...

And, as a side note, I'd not recommend cheaper laptops, they are quite
sucky and I'd much prefer an old ThinkPad to a more expensive new
plasticy thing that sounds like it's going to take off until the fan
fails after a year... let alone the icky hardware with driver pains.

-- 
Jussi Peltola



Re: [semi-OT] Can anyone recommend an OpenBSD-compatible colour laser printer?

2009-04-07 Thread Jussi Peltola
On Mon, Apr 06, 2009 at 06:57:56PM -0500, Abel Camarillo wrote:
 Personally I believe that HP printers are they only thing that doesn't
 suck.
 
 I have had a very cheap HP printer for the last 8 years without any
 problems (a very cheap Inkjet).
 
I can agree with that they didn't suck 8 years ago.



Re: Stupid Ideas - softraid and ExpEther

2009-04-07 Thread Jussi Peltola
On Tue, Apr 07, 2009 at 11:23:59AM -0400, Steve Shockley wrote:
 On 4/7/2009 9:08 AM, Declan Ingram wrote:
   How does that help if you're encrypting the connection to the ExpEther
   server/device? I mostly trust that nobody is sniffing my PCI bus, I'm
   less trusting when data goes over the network.

   Just tunnel it over SSH

 That's fine, but then how do I offload the load from the ssh tunnel?  
 That's probably going to be the same load as the original ssl I'm  
 offloading.

Not necessarily: ssh is one session, https is a stream of tiny ones.
Still, the point stands; encrypting bus data sounds pretty slow,
especially since it's latency sensitive.

-- 
Jussi Peltola



Re: [semi-OT] Can anyone recommend an OpenBSD-compatible colour laser printer?

2009-04-06 Thread Jussi Peltola
On Mon, Apr 06, 2009 at 11:37:30AM +0200, ropers wrote:
 (c), an ink jet printer cannot do this: http://www.riccibitti.com/pcb/pcb.htm
 
However, inkjets seem to be better for printing masks for photo-etching,
but the transparencies are awfully expensive and so is the ink when it
dries out. I got surprisingly good results photo etching with plain
paper and an inkjet, about as good as a LaserJet 2200 and
good transparencies.

For the toner transfer trick it seems to me that LaserJet 3 and 4 work
very well, they print much darker than newer lasers. Haven't tried a
color laser, they might have interesting differences. I wish I could
just put my PCBs through a laser printer and etch away... 

-- 
Jussi Peltola



Ethernet security, pf on a bridge and ARP filtering

2009-03-25 Thread Jussi Peltola
Is there a way to filter ARP on an OpenBSD bridge firewall joining a
bunch of ethernet ports with their own VLANs? I'm horrified by the
shared ethernet segments some organizations use for access among
mutually un-trusting people.

Currently pf does allow me to prevent L3 games, but it seems like
it's still possible to deny service by responding to another port's IP
address, so the router will learn the wrong MAC address and the packets
will be dropped by pf since they have the wrong IP destination for that
port.

I'm aware of static ARP, MAC filtering on the switch and DHCP snooping.
I'm not too keen on trusting the latter, and the former two are a
nightmare to manage (and I'd like to be able to use DHCP to hand out
static addresses to some clueless people, while not forcing DHCP on
some machines.)

I also would rather avoid wasting obscene amounts of IP addresses by
giving each vlan its own subnet.

This is the classic hotel scenario, for which I can find many
dissatisfactory solutions (either DHCP snooping or cisco private vlans
that won't allow communication within the subnet without silly proxy arp
hacks on the router), and scary examples of shared ethernet segments
with windows broadcasts storming in...

General ideas on securing ethernet are also welcome (I don't really like
the idea of having separate servers sharing a subnet, either - and we
had a discussion about the wrong solutions a while ago.)

-- 
Jussi Peltola
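For the poisoning case described above (a port answering ARP for another port's IP so the router learns the wrong MAC), here is the per-port binding check that a DHCP-snooping-style ARP inspector performs, as an added example in Python. It is not part of the original post and not something pf or bridge(4) provides; the frame builder, the MAC addresses, the port names and the bindings table are all constructed for the demo.

```python
"""Per-port ARP inspection (added example, not something pf or bridge(4)
does).  Each bridge port is bound to the IP(s) it may claim; an ARP
packet whose sender IP is not bound to the port it arrived on is the
poisoning case from the post and is dropped.  All frames, MACs, port
names and bindings below are constructed for the demo."""
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst, src, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806


def ip_str(b):
    return ".".join(str(x) for x in b)


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def parse_arp(frame):
    """Return sender/target fields of an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, eth_src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": eth_src, "op": op, "sha": sha,
            "spa": ip_str(spa), "tha": tha, "tpa": ip_str(tpa)}


def build_arp(op, sha, spa, tha, tpa, eth_src=None):
    """Constructed ARP frame for the demo (op 1 = request, 2 = reply)."""
    eth_src = eth_src or sha
    eth_dst = b"\xff" * 6 if op == 1 else tha
    return ETH_HDR.pack(eth_dst, eth_src, ETHERTYPE_ARP) + ARP_HDR.pack(
        1, 0x0800, 6, 4, op, sha, ip_bytes(spa), tha, ip_bytes(tpa))


def inspect(port, frame, bindings):
    """bindings: {port: set(IPs the port may speak for)}.
    Returns ('pass' | 'drop', reason)."""
    arp = parse_arp(frame)
    if arp is None:
        return ("pass", "not ARP, left to pf")
    if arp["sha"] != arp["eth_src"]:
        return ("drop", "ARP sender MAC differs from Ethernet source MAC")
    if arp["spa"] == "0.0.0.0":           # RFC 5227 probe: sender has no address yet
        return ("pass", "address probe with unspecified sender")
    if arp["spa"] not in bindings.get(port, set()):
        return ("drop", f"port {port} may not claim {arp['spa']}")
    return ("pass", "sender/port binding ok")


# Constructed topology: two customer ports and the router's MAC.
MAC_A = bytes.fromhex("525400000001")
MAC_B = bytes.fromhex("525400000002")
MAC_R = bytes.fromhex("5254000000fe")
BINDINGS = {"port1": {"192.0.2.11"}, "port2": {"192.0.2.12"}}

if __name__ == "__main__":
    honest = build_arp(2, MAC_A, "192.0.2.11", MAC_R, "192.0.2.1")
    poison = build_arp(2, MAC_B, "192.0.2.11", MAC_R, "192.0.2.1")  # port2 claims port1's IP
    print("port1 honest reply:", inspect("port1", honest, BINDINGS))
    print("port2 poison reply:", inspect("port2", poison, BINDINGS))
```

The binding table is the hard part operationally, which is exactly why the post is unhappy with both static ARP and DHCP snooping: something has to populate it per port, whether that is static configuration or a watched DHCP exchange.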



Re: Install freezes on macppc

2009-03-22 Thread Jussi Peltola
For less than $3 you can get old USB-RS232 mobile phone data cables that
don't include a level shifter so they're compatible with TTL serial
ports directly. You just need to guess the pinouts.

It's somewhat dumb to first shift levels from TTL to real RS232 and then
have them shifted again in the USB serial converter, which you usually
need to use if your other computer is a laptop. I've used loads of said
data cables to interface microcontrollers etc. They're usually cheaper
than a level shifter and DE-9 jack, and often the computers I want to
interface with don't have real RS-232 ports anyway.

-- 
Jussi Peltola



Re: tomcat without X11

2009-03-14 Thread Jussi Peltola
On Sat, Mar 14, 2009 at 12:50:17PM +0200, Eugeni Akmuradov wrote:
 In that situation what are possibilites ?
 
Install the X sets. Search the archive before you start moaning and
making an idiot of yourself, this question pops up in various forms once
a week.


