OpenBSD 6.2 - 6.4 crash on ASRock Q1900 ITX boards

[Martin Hanson]

Hi,

I have a couple of Q1900DC-ITX boards: 
http://www.asrock.com/MB/Intel/Q1900DC-ITX/index.de.asp I also have a couple of 
Q1900M versions of the same board.

On the ITX version OpenBSD (tested from 6.2 - 6.4) crashes upon reboot, but not 
upon a cold boot, with the following:


NMI ... going to debugger
Stopped atacpicpu_idle+0x22d: nop
ddb{0}>


Is there anything I can do to help possibly solve this problem?

I also get these "annoying" ehci_sync_hc: tsleep() = 35 messages, as seen in 
dmesg, on all boards during boot, which makes the boot process halt for 35 
seconds. What is causing this?

Thanks in advance.

Kindest regards

dmesg:


OpenBSD 6.4 (GENERIC.MP) #364: Thu Oct 11 13:30:23 MDT 2018
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 1818173440 (1733MB)
avail mem = 1753853952 (1672MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xebd40 (19 entries)
bios0: vendor American Megatrends Inc. version "P1.70" date 03/01/2018
bios0: ASRock Q1900DC-ITX
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP APIC FPDT MCFG LPIT AAFT SSDT SSDT SSDT UEFI
acpi0: wakeup devices XHC1(S4) PXSX(S4) PXSX(S4) PXSX(S4) PXSX(S4) PWRB(S0) 
BRCM(S0)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) CPU J1900 @ 1.99GHz, 2000.45 MHz, 06-37-08
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 83MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0.0.3.3, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Celeron(R) CPU J1900 @ 1.99GHz, 1999.99 MHz, 06-37-08
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
cpu1: 1MB 64b/line 16-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Celeron(R) CPU J1900 @ 1.99GHz, 1999.99 MHz, 06-37-08
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
cpu2: 1MB 64b/line 16-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Celeron(R) CPU J1900 @ 1.99GHz, 1999.99 MHz, 06-37-08
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
cpu3: 1MB 64b/line 16-way L2 cache
cpu3: smt 0, core 3, package 0
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 87 pins
acpimadt0: bogus nmi for apid 0
acpimadt0: bogus nmi for apid 2
acpimadt0: bogus nmi for apid 4
acpimadt0: bogus nmi for apid 6
acpimcfg0 at acpi0
acpimcfg0: addr 0xe000, bus 0-255
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (RP01)
acpiprt2 at acpi0: bus 2 (RP02)
acpiprt3 at acpi0: bus 3 (RP03)
acpiprt4 at acpi0: bus 4 (RP04)
acpiec0 at acpi0: not present
acpicpu0 at acpi0: C3(10@1500 mwait.1@0x52), C2(10@500 mwait.1@0x51), C1(1000@1 
mwait.1), PSS
acpicpu1 at acpi0: C3(10@1500 mwait.1@0x52), C2(10@500 mwait.1@0x51), C1(1000@1 
mwait.1), PSS
acpicpu2 at acpi0: C3(10@1500 mwait.1@0x52), C2(10@500 mwait.1@0x51), C1(1000@1 
mwait.1), PSS
acpicpu3 at acpi0: C3(10@1500 mwait.1@0x52), C2(10@500 mwait.1@0x51), C1(1000@1 
mwait.1), PSS
acpipwrres0 at acpi0: PLPE
acpipwrres1 at acpi0: PLPE
acpipwrres2 at acpi0: USBC, resource for EHC1, OTG1
acpipwrres3 at acpi0: CLK0, resource for CAM1
acpipwrres4 at acpi0: CLK1, resource for CAM0, CAM2
acpipwrres5 at acpi0: FN00, resource for FAN0
acpitz0 at acpi0: critical temperature is 90 degC
"INT3396" at acpi0 not configured
acpicmos0 at acpi0
"DMA0F28" at acpi0 not configured
acpibtn0 at acpi0: PWRB
acpibtn1 at acpi0: SLPB
"BCM2E1A" at acpi0 not configured
"BCM4752" at acpi0 not configured
"INTCF0B" at acpi0 not configured
"INTCF1A" at acpi0 not configured
"INTCF1C" at acpi0 not configured
"SMO91D0" at acpi0 not configured

Re: Problems with a quad Realtek NIC

[Martin Hanson]

> It is preferable to just include the whole dmesg directly in the mail
> Better still, when it's a "sometimes works" problem, include a "diff -u"
> between the two (the context to show where the lines are added/removed).

I have pasted a "diff -u" on https://paste.debian.net/1047098/

> Very unlikely to be a problem with the NIC driver. From what I've
> seen (and having seen other examples of the quality of Jetway's BIOSes)
> my money would be on a BIOS bug.

I originally suspected it to be a BIOS bug (and please excuse me if I make a
wrong assumption here), but I have run a ton of tests booting the same
hardware up on Arch Linux, but I haven't seen the problem once. I don't know
if could still be a BIOS bug, but I would suspect that if it where that I would 
see
similar problems with the card not showing up.

> Can you identify any particular situations where it works or fails? For
> example "works after a cold boot but not warm" or something?

I have been looking for patterns in the different tests I have run, but haven't
found anything. Sometimes it works during a cold boot, other times it doesn't,
and the same goes for warm boots. I have also tried disabling and enabling the
onboard NIC to see if it might affect the problem, but it doesn't.

Just for information, I have another identical box (same motherboard), but with
a 4-port Intel NIC (same cheap card-thing from China, but with Intel) that runs
flawless, but not only that, it performs super well even with several NIC ports
going full speed. It has been running for a couple of years as a 
firewall/gateway,
managing multiple networks (each separated by the 4-port NIC). I have made
these as cheap alternatives to the very expensive Soekris.

By mistake I got two of the 4-port Realtek cards, but since I got them, I wanted
to see if they could run as well.

Kindest regards.

PS.: Sorry for the crappy Yandex mail client problem.

Problems with a quad Realtek NIC

[Martin Hanson]

Hi,� I have one of these 4-port Realtek NIC cards:
https://www.ebay.co.uk/itm/PCIe-PCI-Express-to-4x-Gigabit-Card-4-Port-Ethernet-Network-Adapter-10-100-1000M/252484240577?epid=505371101�
 I
am running OpenBSD 6.3 stable.� During boot the card is seen, but it only
works occasionally. When it works I can see all the 4 ports using
"ifconfig" and I can assign IP addresses etc. When it doesn't work
nothing is shown using "ifconfig".� As far as I understand from the "re"
manpage RTL8168E/8111E is supported.� This is my dmesg:� 
http://paste.debian.net/1046756/� When
the card isn't working I also get this:� +ppb1 at pci1 dev 0 function 0
vendor "ASMedia", unknown product 0x1184 rev 0x00
+pci2 at ppb1 bus 2
+ppb2 at pci2 dev 1 function 0 vendor "ASMedia", unknown product 0x1184
rev 0x00: not configured by system firmware
+ppb3 at pci2 dev 3 function 0 vendor "ASMedia", unknown product 0x1184
rev 0x00: not configured by system firmware
+ppb4 at pci2 dev 5 function 0 vendor "ASMedia", unknown product 0x1184
rev 0x00: not configured by system firmware
+ppb5 at pci2 dev 7 function 0 vendor "ASMedia", unknown product 0x1184
rev 0x00: not configured by system firmware
� Is this a driver issue or something else perhaps?� Kindest regards

PF redirect traffic to TUN/VPN

[Martin Hanson]

Hi,� I have an OpenBSD box setup as a firewall and gateway with DHCP.� I
was thinking about adding VPN to the box.� Is it possible to install
OpenVPN, establish a tunnel via a third partyVPN provider (like PIA), and
then have PF redirect some traffic throughthat tunnel based upon IP
addresses, but not all traffic?� So traffic coming from 192.168.1.2 goes
through the VPN tunnelinterface on the OpenBSD gateway, but traffic from
192.168.1.3 does not?� I am asking because normally all traffic is forced
through the VPNtunnel.� Maybe this isn't related to PF at all?� Kind
regards� Martin

Sharing files between OpenBSD, Linux, and Windows boxes

[Martin Hanson]

How do you share files between OpenBSD, Linux, and Windows boxes?

Currently I have a setup in which I mount Samba shares that are being served 
from Linux boxes and mounted on Linux boxes using cifs and on Windows boxes. 
This works very well and it's both easy to administer and it's very fast.

I would like to use OpenBSD for more that just firewalling and I would like to 
replace several Linux desktops with OpenBSD. However, every time I try to set 
this up I run into some kind of trouble.

NFS isn't a solution as file permissions is a mess between several different 
OS'es with different accounts.

Samba works really great between Linux and Windows, but mounting Samba shares 
on OpenBSD? I remember sharity-light, but it isn't in the ports any longer and 
isn't maintained.

How do you manage file sharing between these systems (if it all)?

Also, is it possible to decrypt and mount a Linux harddrive that has been 
encrypted with LUKS?

Many thanks in advance!

Kind regards

Syn flood crashed my LAN

[Martin Hanson]

Hi,

I have a home network that is segmented into 3 different zones using a NIC with 
4 ports sitting on an OpenBSD firewall/dhcp server. One port is connected to 
the Internet (ISP router) and each of the three others has a D-Link DGS-1005D 
switch connected to each.

So..

LAN1 = 192.168.1.0
LAN2 = 192.168.2.0
LAN3 = 192.168.3.0

Learning more about networking I wanted to test a SYN flood so I set up a 
couple of boxes on LAN1 and LAN3 to flood a box on LAN2. I used "hping3" with 
the "S" and "flood" options.

Running a regular ping in a terminal I could see how the response time 
decreased and eventually the box began to loose packages.

However after a while it seemed like the entire internal network went down.

No box on any LAN could get an IP address from the DHCP server on the OpenBSD 
box.

I eventually rebooted the OpenBSD box, but that didn't immediately help, and 
only after powering down the switches and powering the switches on again, 
everything worked again.

I have been looking through the PF documentation to see if PF somehow blocks 
SYN flooding, but I am not using synproxy on any rules.

What could cause such a "melt down" of the entire network because of a SYN 
flood to a box?

I suspect that the D-Link switches are pretty bad and maybe are the cause of 
the problem?

I eventually will try again to see if I can determine what's causing the "melt 
down", but I want to know if anyone perhaps has experienced similar results 
during some testing?

Many thanks in advance.

Kind regards,

Martin 

Re: Syn flood crashed my LAN

[Martin Hanson]

Why would I need a container like Docker?!

[Martin Hanson]

I have occasionally used virtualization (Qemu) for easy testing of some OS. I 
have also played around with "containers" using FreeBSD Jails and Linux LXC, 
but I have never ever thought of any of this as a security measurement or 
anything needed beyond testing.

When I want isolation I run a single box (or boxes) and install OpenBSD on the 
bare metal. Then I run whatever services are needed on that box or boxes. I 
would then deploy a network with isolated segments.

Now, everyone is telling me I should run Docker and a completely different 
setup.

I read up about Docker and found this:

  "Containers are a solution to the problem of how to get software to run 
reliably when moved from one computing environment to another. This could be 
from a developer's laptop to a test environment, from a staging environment 
into production and perhaps from a physical machine in a data center to a 
virtual machine in a private or public cloud."

  "Problems arise when the supporting software environment is not identical, 
says Solomon Hykes, the creator of Docker, "You're going to test using Python 
2.7, and then it's going to run on Python 3 in production and something weird 
will happen. Or you'll rely on the behavior of a certain version of an SSL 
library and another one will be installed. You'll run your tests on Debian and 
production is on Red Hat and all sorts of weird things happen."

  "And it's not just different software that can make a difference, he added, 
"The network topology might be different, or the security policies and storage 
might be different but the software has to run on it."

What the fuck?! Why in the world would anyone setup Debian as a testing 
environment and then use Red Hat on production?! And different network topology?

Are people really that stupid?

If people really are that stupid they shouldn't be allowed near a computer in 
the first place and certainly Docker or any container technology isn't going to 
solve their problems!

It seems like the OpenBSD project is about the only project left nowadays where 
people are still using their brains!

dnsmasq not working on OpenBSD 6.1

[Martin Hanson]

Hi

I have successfully setup unbound on OpenBSD 6.1 and I can query it.

In the same setup I have tested dnsmasq, but it almost seems broken on OpenBSD 
6.1.

I have disabled unbound and confirmed nothing is running on port 53 using 
netstat.

Then I have installed dnsmasq from packages and set the dnsmasq.conf file as 
follows:


listen-address=127.0.0.1

address=/foobar/10.0.0.1

server=8.8.8.8


This is just a dummy setup for testing.

In /etc/resolv.conf I have (as with unbound):

nameserver 127.0.0.1

I have then started dnsmasq with:

/etc/rc.d/dnsmasq start

And I have confirmed it's running on port 53 using netstat.

No matter what I do dnsmasq doesn't respond to the query.


# dig foobar

; <<>> DiG 9.4.2-P2 <<>> foobar
;; global options:  printcmd
;; connection timed out; no servers could be reached


What am I missing? Is dnsmasq broken on OpenBSD 6.1?

Kind regards

Re: Non-free firmware without asking the user

[Martin Hanson]

On Sun, 8 Jan 2017, Stefan Sperling wrote:

>> The above policy applies to the base system code.
>> It does not apply to ports and packages of third party software, i.e.
>> anything
>> listed by pkg_info.

> Perhaps the whole only a misunderstanding of the original poster that
> could have been clarified with this few lines from the beginning?
>
> Rodrigo.

Good point, and yes it would.

However, the above statement that the policy only applies to the base code
isn't mentioned anywhere in the policy.

Stefan, from where do you get that conclusion?

Re: Non-free firmware without asking the user

[Martin Hanson]

08.01.2017, 02:53, "Peter Rippe" :
> I think it absolutely is a language issue:
>
>>  On policy page it clearly says: "OpenBSD strives to provide code that can
>
> be freely used, copied, modified, and distributed by anyone and for any
> purpose."
>
> Operative word being **strives** - might want to look it up.
>
> It does not say 'guaranteed', 'only', nor 'strictly' - It says they make a 
> good
> effort to provide such, and they certainly do - particularly compared to the
> rest of the OS landscape.

Alright, so lets look the word **strives** up:

Cambridge dictionary:

"to try hard to do something or make something happen, esp. for a long time
or against difficulties"

Macmillan dictionary:

"to make a lot of effort to achieve something"

Oxford dictionary:

"Make great efforts to achieve or obtain something"

Clearly it's NOT a language thing.

OpenBSD does NOT **strive** "to provide code that can be freely used, copied,
modified..". There is no striving being done here, except for the complete
opposite, as Theo himself so plainly put it, they actually **strive** to 
provide the
firmware blobs which cannot be modified in any way.

The fact is that OpenBSD has a MISLEADING policy.

> Nothing is going to change. Go try tugging on emotions elsewhere.

Actually, Theo I'm quite sure you need to change *something*:

http://www.competitionbureau.gc.ca/eic/site/cb-bc.nsf/eng/02776.html

But hey.. who gives a shit right?!

Re: Non-free firmware without asking the user

[Martin Hanson]

08.01.2017, 01:29, "Mike Burns" :
> On 2017-01-08 00.02.21 +0100, Martin Hanson wrote:
>>  The issue is a misguiding policy statement.
>
> It could be a language issue. I'm a native speaker and everything Theo,
> et al., are saying matches perfectly with the policy statement, to me.
> Perhaps you can suggest improved wording. Patches go to tech@.

I don't believe it's a language issue. What Theo has explained acts as a 
"clarification" of the policy, which is fine in itself, but it needs to be 
added.

The policy statement alone, as is, is misguiding and I even believe that
it's a problem from a legal stand point, but that's beside the matter.

Theo himself can correct his faulty policy.

Re: Non-free firmware without asking the user

[Martin Hanson]

ludovic coues said:

> You are free to use OpenBSD code.
> You are free to copy OpenBSD code.
> You are free to modify OpenBSD code.
> You are free to distribute you fork.
>
> So unless your dictionary is twisted, shipping non-free firmware isn't
> an exception to these freedom.

You're wrong. That's not what it says on the OpenBSD website. Please read
on.

Stefan Sperling said:

> I agree with Theo. Don't buy hardware you don't like.

Avoiding the hardware isn't the issue!

The issue is MISGUIDANCE by OpenBSD!

On the frontpage of openbsd.org it says "free" with big bold letters:

"The OpenBSD project produces a FREE, multi-platform 4.4BSD-based
UNIX-like operating system."

And there is a link to the explanation of the "free" term used by OpenBSD:

https://www.openbsd.org/policy.html

The explanation is not as given by "ludovic coues" in the above.

On policy page it clearly says: "OpenBSD strives to provide code that can
be freely used, copied, modified, and distributed by anyone and for any
purpose."

This is MISGUIDING!

OpenBSD ALSO provides software that cannot freely be modified in any way and
it DOES THIS WITHOUT EVEN ASKING THE USER!

Stop avoiding the issue by pointing to problems with "crappy" hardware and
vendors. This is not the issue.

The issue is a misguiding policy statement.

Re: Non-free firmware without asking the user

[Martin Hanson]

06.01.2017, 23:26, "Theo de Raadt" :
> If you don't want such firmwares loaded onto the hardware, then don't
> buy the hardware that needs it.
>
> There is your choice.
>
> I see no value in asking a user the question.

I have misunderstood the purpose and use of the term "free" of OpenBSD
then.

"OpenBSD strives to provide code that can be freely used, copied, modified,
and distributed by anyone and for any purpose", apparently there exists
exceptions to this then.

Of course it doesn't say anything like, "OpenBSD strives to ONLY provide.."

Sorry, my mistake!

> END OF CONVERSATION.
>
>>  I know that we cannot trust the hardware vendors and that all the hardware 
>> is running firmware on ROMS, except some which are provided be the kernel.
>>
>>  However, I fail to understand the reason for this patch:
>>
>>  
>> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/distrib/miniroot/install.sub?f=h#rev1.654
>>
>>  It was really nice when OpenBSD asked during installation.
>>
>>  Yes, it can be argued that since we cannot get any open hardware at all it 
>> doesn't matter whether the firmware is located on a ROM or if it's installed 
>> by the kernel, but if we use that logic we might as well just use whatever 
>> binary driver blob the vendors make for everything, right?
>>
>>  If no, then why not, what's the difference between running closed source 
>> firmware and closed source drivers?
>>
>>  During a Debian installation, or even a Linux Mint installation, the user 
>> gets the choice whether he wants to install these "non-free firmware blobs".
>>
>>  What have I misunderstood?
>>
>>  Kind regards,
>>
>>  Martin

Non-free firmware without asking the user

[Martin Hanson]

Hi,

I know that we cannot trust the hardware vendors and that all the hardware is 
running firmware on ROMS, except some which are provided be the kernel.

However, I fail to understand the reason for this patch:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/distrib/miniroot/install.sub?f=h#rev1.654

It was really nice when OpenBSD asked during installation.

Yes, it can be argued that since we cannot get any open hardware at all it 
doesn't matter whether the firmware is located on a ROM or if it's installed by 
the kernel, but if we use that logic we might as well just use whatever binary 
driver blob the vendors make for everything, right?

If no, then why not, what's the difference between running closed source 
firmware and closed source drivers?

During a Debian installation, or even a Linux Mint installation, the user gets 
the choice whether he wants to install these "non-free firmware blobs".

What have I misunderstood?

Kind regards,

Martin

Re: Unbound and dnscrypt-proxy not playing nice

[Martin Hanson]

09.09.2016, 06:14, "Lists" :
> Does unbound.conf have the following setting?
>
> do-not-query-localhost: no

Yes, it has the setting.

Unbound and dnscrypt-proxy not playing nice

[Martin Hanson]

Hi,

Since I upgraded to OBSD 6.0 I have had some problems with Unbound and 
dnscrypt-proxy.

Normally I would troubleshoot by using "dig" to request directly to 
dnscrypt-proxy, but for some reason (I don't know) the "-p" option has been 
removed and it is impossible to use that now.

Unbound seems unable to forward requests to dnscrypt-proxy which I have running 
on port 40 following the guide in the FAQ 
(http://www.openbsd.org/faq/pf/example1.html#dns).

In my unbound.conf I have the following:

forward-addr: 127.0.0.1@40

Then in my /etc/rc.conf.local I have:

dnscrypt_proxy_flags=-l /var/log/dnscrypt-proxy -R fvz-rec-de-fra-01 -a 
127.0.0.1:40
pkg_scripts="dnscrypt_proxy"

When I do a "dig yahoo.com" I get the following:

;yahoo.com. IN  A

No IP. And a ping also returns:

ping: unknown host: yahoo.com

Of course I have tested other hosts as well, same result.

I am getting no information in the logs.

If I have unbound forward directly to an OpenNIC server all works well again so 
the trouble is between unbound and dnscrypt-proxy.

This used to work flawlessly, but since the "-p" option has been removed from 
"dig" it's very difficult to debug dnscrypt-proxy without having PF doing 
redirects and what not.

How to troubleshoot this problem better?

Kind regards

Any experience running OpenBSD 5.6 or current on a Shuttle DS437?

[Martin Hanson]

Hi,

If so, how well does the driver for the two NICs work? How does the box perform 
in general?

Thanks!

Re: OpenBSD 5.6/current on Soekris 6501-70

[Martin Hanson]

I would like to be able to run ~100-120 MB/s from one NIC to the other
on this box, if possible?

OpenBSD 5.6/current on Soekris 6501-70

[Martin Hanson]

Hi,

Anyone running OpenBSD 5.6 or current on Soekris 6501-70 who
wouldn't mind sharing some through-put data for gigabit
performance.

Regards,

MH

Re: Confused about authpf real world usage

[Martin Hanson]

> theoretically this is possible, but only if the original machine holding
> the ip was down. just as a nameserver converts to an ip, the ip is converted
> to a MAC-address, which is associated with the NIC. if you want you can
> permantly associate an ip with a mac, that way another machine cannot use
> that ip address, even if the rightful holder is down. see arp(8).

But wouldn't that be very easy to break?

First I would scan the network for MACs and matching IPs, then I would
spoof one at a time until I am out.

How does one secure against MAC/IP spoofing? Is there a way to prevent this.

Re: Confused about authpf real world usage

[Martin Hanson]

> Here is a case where you trust the machines, but do not trust Joe.  
> 
> Commonly, trusted servers are deployed on network segments that are
> separate from untrusted users - via Ethernet segments or VLANs.  It
> is also possible to use VPNs to provide functional separation of
> servers from users, if separate Ethernet tiers is not possible.

Sure, but in this case some users still needs access to these servers.

But I was thinking about have those servers logging into the
gateway/authpf via some boot script and then keeping that connection
open.

>> And what about other kinds of access? Now I get a brand new box in
>> that needs a fresh installation of some Linux distribution that we
>> install over HTTP. This new box doesn't come with a SSH console and
>> the install disk doesn't provide a console with SSH during
>> installation.

> The provisioning if performed on the untrusted network, would require 
> the distribution server to be accessible.  Simple enough with a pass
> rule to your organization's deployment server.
 
We don't run with a deployment server, but maybe this is one use case
in which all the different OS'es we use could be deployed over network
boot.

However, we do a lot of testing on many different distributions etc.,
but maybe in this particular case a isolated segment can be created.

Kind regards.

Confused about authpf real world usage

[Martin Hanson]

Hi

So I am looking into authpf and I am wondering about some real world
applications.

I have a bunch of users, but I also have just a bunch of machines.

The machines cannot login via SSH and should not try to do so (via some
script or otherwise). However, these machines needs access 24/7.

So I was thinking about fixing rules to those machines before any
anchors for users, but I cannot see how this provides any security at
all - and bear with me if I am overlooking something.

If say machine 192.168.0.2 and 192.168.0.3 needs unrestricted access to
the net, then wont it be as easy as "Joe" changing his machines IP
address to 192.168.0.2 to gain access without authentication?

And what about other kinds of access? Now I get a brand new box in that
needs a fresh installation of some Linux distribution that we install
over HTTP. This new box doesn't come with a SSH console and the install
disk doesn't provide a console with SSH during installation.

Then I am beginning to see signs of "network segmentation" in my head,
but that kindda makes authpf more or less useless then - unless I need
to grant different people different access on the same segment I can
just segment the entire net.

Anyway, I hope I make sense! :)

How do you use authpf in real life?

Kind regards.

Multiple NICs vs multiple physical firewalls

[Martin Hanson]

Hi all

I have one gateway and several boxes serving some NFS, Samba and other stuff. 
Then I have a public server for some gaming.

I am thinking about two different setups, but I am in serious doubt as to 
whether one actually has any real benefit over the other.

The public server gets its own NIC on the firewall, whereas the other boxes 
share another NIC (through a switch) for local stuff.

My worries is if the public server gets hacked.

Is it better to physically segment the network using two different boxes as 
routers/firewalls, or is it better to simply use one router/firewall with 3 
NICs?

Setup 1:

Gateway --> firewall --> NIC1 --> public server
 |
 --> NIC2 --> LAN

Setup 2:

Gateway --> firewall1 --> public server
|
--> firewall2 --> LAN

I am wondering about which of the two situations are "most secure".

Maybe it really depends on how the firewall is setup, but what I want to avoid 
is that if the public server gets hacked, that the attacker can gain access to 
stuff on the LAN.

Any comments on these different setups?

Of course the ideal would properly be to get two separate Internet connections, 
but that's really not an option in this case.

Kind regards.