Relayd - block bad bots
Hey

I'm running a small VM on OpenBSD where my site resides. My stack is pf/relayd/httpd. I see significant traffic coming from bad bots, like mj12. I'd love to completely block them and Relayd seems like the best place.

I tried to block by "User-Agent" header, however there is no support for globs there. This means I would need to constantly adjust my filters when they release a new version into the wild.

Has anyone had any success with achieving something similar? Frankly I was a bit surprised that globs in value are not supported. Seems like a great use case.

---
Michal
Re: Default partitioning scheme ran out of space for updates
On 2023-05-13 11:16:13, Allan Streib wrote:
> On Sat, May 13, 2023, at 09:19, Sylvain Saboua wrote:
>
> > Filesystem     Size    Used    Avail  Capacity  Mounted on
> > /dev/sd1a      986M    986M   -49.1M     105%   /
>
> You have something else using space on your root partition.
>
> From my machine, (7.3 amd64):
>
> /dev/sd0a     1005M    214M     740M      23%   /

I can confirm that

/dev/sd0a      3.9G    168M     3.5G       4%   /

And that's with ~60megs of my stuff in /root

Try running "ncdu -x /" and see what is taking so much space.

-- 
.-.-------.--.-. | Michal Lyszczek | Embedded C, Linux | Company Address| .-. opensource | | +48 727 564 419 | Software Engineer | Akacjowa 10a; 55-330 | oo| supporter | | https://bofc.pl `.--: Brzezinka Sredzka PL | /`'\ & | | GPG FF1EBFE7E3A974B1 | Bits of Code | NIP: 813 349 58 78 |(\_;/) programer | `--^--^--^-'
Re: OpenBSD 7.2 on VPS, routing via IPv6 gateway outside of interface prefix
On Mon, 7 Nov 2022 at 13:38, Eric JACQUOT wrote:
> Hi,
>
> Could you try with this inet6 conf in your /etc/hostname.vio0 :
>
> inet6 [yourvpsipv6] 121
> !route add -inet6 -net 2001:db8:efef::1/128 -cloning -link -iface vio0
> !route add -inet6 default 2001:db8:efef::1
>

Hi Eric,

That was it! The cloning modifier did the trick. I tried almost the exact same thing before, but missed this modifier, that's why it didn't work. I had no clue :)

In the end it was enough to add just the host route to the gateway.

    !route add -inet6 2001:db8:efef::1 -cloning -link -iface vio0

was appended to /etc/hostname.vio and 2001:db8:efef::1 went normally to /etc/mygate

Works like a charm now. Thank you so much for the help.

Michal
Re: OpenBSD 7.2 on VPS, routing via IPv6 gateway outside of interface prefix
> > I'm sorry, I wasn't thinking very well.
> >
> > Have you tried using fe80::1%vio0 as the default IPv6 gateway?
>

No need to be sorry, I am grateful for any ideas :)

And yes, I've also tried fe80::1%vio0

AFAIK that's a bit of a special case and a way how Hetzner (known German cloud provider) routes IPv6 to their VPS. I also installed and used some systems to their cloud, so it also came to my mind, but it didn't work in this particular case.

Michal
Re: OpenBSD 7.2 on VPS, routing via IPv6 gateway outside of interface prefix
Thank you very much for the reply, Kirill.

> > try with
> >
> > route add -inet6 2001:db8:efef::1 -llinfo -link -static -iface vio0
>
> ... that is, try the above before you try to add 2001:db8:efef::1 as
> default gateway.

I already tested something similar in my previous attempts with flags and link, but it also didn't work. Here's how it behaves, when I use the exact command you've advised. I removed all previous IPV6 addresses and flushed all routes before testing.

    $ ifconfig vio0 inet6 2001:db8:efef::d9e:18d2:b761:0/121
    $ route add -inet6 2001:db8:efef::1 -llinfo -link -static -iface vio0
    add host 2001:db8:efef::1: gateway vio0
    $ route -n show -inet6
    Routing tables

    Internet6:
    Destination                         Gateway                          Flags   Refs   Use    Mtu  Prio Iface
    ::1                                 ::1                              UHl        0    20  32768     1 lo0
    2001:db8:efef::1                    link#1                           UHLS       0     1      -     8 vio0
    2001:db8:efef::d9e:18d2:b761:0/121  2001:db8:efef::d9e:18d2:b761:0   UCn        0     0      -     4 vio0
    2001:db8:efef::d9e:18d2:b761:0      62:86:db:bc:c6:74                UHLl       0     0      -     1 vio0
    ...
    $ ping6 2001:db8:efef::1
    PING 2001:db8:efef::1 (2001:db8:efef::1): 56 data bytes
    ping6: sendmsg: Invalid argument
    ping: wrote 2001:db8:efef::1 64 chars, ret=-1

At this point 2001:db8:efef::1 is inaccessible with normal ping, so it shouldn't work as a default gateway. But nevertheless I've tried that.

    $ route add -inet6 default 2001:db8:efef::1
    add net default: gateway 2a02:25b0:::1
    $ ping6 www.google.com
    PING www.google.com (2a00:1450:4014:80a::2004): 56 data bytes
    ping6: sendmsg: Invalid argument
    ping: wrote www.google.com 64 chars, ret=-1

So unfortunately adding a route this way also doesn't work.

Thank you,
Michal
OpenBSD 7.2 on VPS, routing via IPv6 gateway outside of interface prefix
Hello to all,

I'm looking for possible opinions or advice regarding IPv6 setup at new VPS.

Probably the most common approach is a VPS provider gives you /64 prefix length with gateway within the subnet. Works everywhere, it's also the smallest usable prefix length for use with SLAAC.

However in this case, the VPS has /121 prefix length and its gateway is outside of the subnet. Something like this:

    VPS IP: 2001:db8:efef::d9e:18d2:b761:0/121
    GW:     2001:db8:efef::1/48

Before this OpenBSD VPS I installed another one there with Linux, where it surprisingly went without issues. Unfortunately with the BSD that setup wasn't successful.

I came up with two workarounds. First I can set /48 prefix for the interface and it will work, compared to IPV4 there shouldn't be issues like with a wider mask and broadcasts and if I won't use any IP outside of the "designated" prefix, it will likely be fine. The other one is route everything via link-local address of particular gateway (eg. use address like fe80:::::%vio0 which I found), it also works, but it will be sensitive for any failovers or changes on their hardware, as the link local address might change and VPS will be essentially disconnected until manual fix.

Anyway I'm still curious why it was possible to set up on Linux and not on OpenBSD. I just booted CentOS live ISO at the exact same VPS and tried to debug that step-by-step without any init scripts or NetworkManager.

On CentOS I can do the following steps..

    $ ip -6 addr add 2001:db8:efef::d9e:18d2:b761:0/121 dev eth0 noprefixroute
    $ ip -6 route add 2001:db8:efef::1 dev eth0
    $ ip -6 route add default via 2001:db8:efef::1 dev eth0

Then it will work as expected, the important part is noprefixroute option at first command. This will prevent creation (and deletion) of prefix route during IP address assignment, if I omitted that, setup didn't work.

On OpenBSD I tried..

    $ ifconfig vio0 inet6 2001:db8:efef::d9e:18d2:b761:0/121
    $ route add -inet6 default 2001:db8:efef::1
    add net default: gateway 2001:db8:efef::1: Network is unreachable

Well, that sounds logical. So I tried to tell how to reach the gateway first. It should be directly accessible, so after few failed attempts and digging in man page I thought the -iface modifier with the local address of the interface as destination should do the trick.

    $ route add -inet6 2001:db8:efef::1 2001:db8:efef::d9e:18d2:b761:0 -iface
    $ ping6 2001:db8:efef::1
    PING 2001:db8:efef::1 (2001:db8:efef::1): 56 data bytes
    ping6: sendmsg: Invalid argument

ehh.. no dice

I tried a couple of other things, like adding an additional network route to /48 prefix, and experimenting with some additional flags, when adding. But it never worked.

Is it impossible to achieve? Like without the equivalent of Linux noprefixroute option, there will always be an already automatically declared offending route. Or do I have some mistakes there?

Thank you,
Michal
Re: No valid root disk found when upgrading
On 2022-04-22 07:56:25, Stuart Henderson wrote:
> On 2022-04-21, Stuart Henderson wrote:
> >> upgrade# cd /dev; sh MAKEDEV sd0
> >> upgrade# mount -t ffs -r /dev/sd0a /mnt
> >> upgrade# ls /mnt
> >> .cshrc             bsd          dev               sbin
> >> .profile           bsd.booted   etc               sys
> >> altroot            bsd.rd       home              tmp
> >> auto_upgrade.conf  bsd.sp       mailwrapper.core  usr
> >> bin                bsd.upgrade  root              var
> >> upgrade# df -h
> >> Filesystem     Size    Used   Avail Capacity  Mounted on
> >> /dev/rd0a      3.5M    3.0M    451K    87%    /
> >> /dev/sd0a      3.9G    677M    3.0G    18%    /mnt
> >>
> >>> it's worth seeing what "sysctl hw.disknames" says too
> >> upgrade# sysctl hw.disknames
> >> hw.disknames=sd0:dc999ef6267325df,rd0:a8c7c8e3bbaa0da7
> >
> > That looks sane too..
>
> Oh I didn't look close enough. You are missing /mnt. mkdir it and
> that shoukd fix the problem.

Yup, that was the problem. Thank you! Guess I must have removed it at some point from my rootfs.

Thanks again for the help Stuart.
Re: No valid root disk found when upgrading
Hello Stuart,

Thanks for your reply, here is more data

On 2022-04-21 21:43:08, Stuart Henderson wrote:
> if you boot the upgrade kernel and drop to a shell, what do you
> get from this?
>
> cd /dev; sh MAKEDEV sd0
> mount -t ffs -r /dev/sd0a /mnt
> ls /mnt

Sadly, nothing that would raise any flags or ideas in my brain, everything seems to work fine

    upgrade# cd /dev; sh MAKEDEV sd0
    upgrade# mount -t ffs -r /dev/sd0a /mnt
    upgrade# ls /mnt
    .cshrc             bsd          dev               sbin
    .profile           bsd.booted   etc               sys
    altroot            bsd.rd       home              tmp
    auto_upgrade.conf  bsd.sp       mailwrapper.core  usr
    bin                bsd.upgrade  root              var
    upgrade# df -h
    Filesystem     Size    Used   Avail Capacity  Mounted on
    /dev/rd0a      3.5M    3.0M    451K    87%    /
    /dev/sd0a      3.9G    677M    3.0G    18%    /mnt

> it's worth seeing what "sysctl hw.disknames" says too

    upgrade# sysctl hw.disknames
    hw.disknames=sd0:dc999ef6267325df,rd0:a8c7c8e3bbaa0da7

> (similar to what's used for the "is_rootdisk()" check in
> src/distrib/miniroot/install.sub)

Is there a way to run upgrade script with "set -x" globally? I tried to run /bin/ksh -x /upgrade.sh, but it seems -x is discarded in functions and I can only see debug up until +do_upgrade function call. Maybe replacing all "() {" with "() {\nset -x" will do the trick?
No valid root disk found when upgrading
Hello,

So I have OpenBSD 6.8 (yeah I know), and am trying to upgrade to 6.9 (and version by version until 7.1:)). Problem is that installer does not see disk. This is my very first time I upgrade OpenBSD, so I might be missing something simple. I've read through the upgrade documentation, and tried to google my problem but I could not fix my problem.

I upgrade with sysupgrade. After boot I try to select root disk:

> Available disks are: .
> Which disk is the root disk? ('?' for details) ?
> sd0: NVMe, Samsung SSD 970, 2B2Q (232.9G)
> Available disks are: .
> Which disk is the root disk? ('?' for details) sd0
> sd0 is not a valid root disk.
> Available disks are: .

Going into shell, /dev/sd0* do not exist. So I tried to create nodes:

> upgrade# ./MAKEDEV sd0

Now disklabel shows proper disk info (label is from samsung 960, even though I have samsung 970 disk. I migrated some time ago from 960 to 970, guess I must have used dd to do it, hence label from previous disk. I assure you I have only 1 disk inserted, and no usb disks).

> upgrade# disklabel sd0
> # /dev/rsd0c:
> type: SCSI
> disk: SCSI disk
> label: Samsung SSD 960
> duid: dc999ef6267325df
> flags:
> bytes/sector: 512
> sectors/track: 63
> tracks/cylinder: 255
> sectors/cylinder: 16065
> cylinders: 30401
> total sectors: 488397168
> boundstart: 1024
> boundend: 488397105
> drivedata: 0
>
> 16 partitions:
> #                size           offset  fstype [fsize bsize   cpg]
>   a:          8400960             1024  4.2BSD   2048 16384 12960
>   b:         67119581          8401984    swap
>   c:        488397168                0  unused
>   d:        134223072         75521568  4.2BSD   2048 16384 12960
>   e:        278652416        209744640  4.2BSD   4096 32768 26062
>   i:              960               64   MSDOS

> upgrade# fdisk /dev/rsd0c
> Disk: /dev/rsd0c       Usable LBA: 64 to 488397104 [488397168 Sectors]
>    #: type                                 [       start:         size ]
>    1: EFI Sys                              [          64:          960 ]
>    3: OpenBSD                              [        1024:    488396081 ]

But when I exit shell I still have the very same problem as at the beginning and I can't select root disk. Strange thing is, that when I exit shell to installer, and then go back to shell with "!", /dev/sd0 disappears.

More info:

== Disk is detected in bsd.upgrade kernel

> upgrade# dmesg | grep -i samsung
> nvme0 at pci1 dev 0 function 0 "Samsung SM981/PM981 NVMe" rev 0x00: msix,
> NVMe 1.3
> nvme0: Samsung SSD 970 EVO Plus 250GB, firmware 2B2QEXM7, serial
> S4EUNX0R502629B
> sd0 at scsibus1 targ 1 lun 0:
> nvme0 at pci1 dev 0 function 0 "Samsung SM981/PM981 NVMe" rev 0x00: msix,
> NVMe 1.3
> nvme0: Samsung SSD 970 EVO Plus 250GB, firmware 2B2QEXM7, serial
> S4EUNX0R502629B
> sd0 at scsibus0 targ 1 lun 0:

It seems I am booting with uefi

> >> OpenBSD/amd64 BOOTX64 3.54
> boot>

When system is booted root disk is sd0

> # mount | grep sd0a
> # /dev/sd0a on / type ffs (local)

I don't know what else might be useful. I have no idea what else I can do here :(
Re: pf queue on packets with state
Hi Stuart, thank you for your clear reply

On 2021-02-02 22:41:49, Stuart Henderson wrote:
> Whichever rule creates state for the packets that you want to send
> to a queue should have the queue assignment. The queue name is attached
> to the PF state; when the packet is transmitted outbound it will use
> the queue of that name on that interface.

Yup, that was it. Instead of doing

    match out on $i_lan all set queue q_lte_in_http set prio 0

I did it "the opposite" way

    match in on $i_lan all set queue q_lte_in_http set prio 0

Also in my real rules I've changed "from port $p_http" to "to port $p_http", and it started to match queues as expected. Thank you!

I did read something around these lines on the openbsd forum, that queues are tied to input state, but I was just trying to do "pass in $i_lan". It never occurred to me to try do 'set queue' during 'in' part. I've read about queueing in pf.conf(5) and nothing there hints this also.

> You don't want queue names dealing with in/out/interface. Just the type
> of traffic / queue policy / whatever. For example "user1", "user2", ..
> or "http", "dns", .. or "high/med/low" or something.
>

Yes, I am indeed queueing by service dns/ssh/games, but my firewall has multiple WAN interfaces with different speed so I also must specify this. In examples I wanted to keep things to bare minimum so people do not have to waste time thinking what mess I have in my pf.conf :D

> I find it easier to make the match rule setting the queue quite wide,
> then do anything more complex (IP/port restrictions etc) in pass/block
> rules.
> You should use some variant of "block" covering all traffic as your
> first rule ("block" / "block log" etc) so that packets are not allowed
> to pass unless they create state. This makes it easier to figure out
> the queues, and prevents state tracking getting messed up with TCP (the
> TCP state must be created from a SYN packet not an intermediate packet
> otherwise it doesn't know what the window-scaling value is, which will
> cause longer lasting or fast connections to get dropped incorrectly).

That's what I think too, I use pf in "block by default" and have rules to block everything at top. And I intend to queue packets by service port or IP.

> > Is there any way to limit ingress on some ips/ports? I'd like to limit
> > greedy apps like youtube or netflix from taking all the bandwidth.
>
> Good luck finding the relevant IPs for these ;) You might like to play
> with "burst" and see if you can do something that way. (e.g. standard
> bandwidth is slower, but allow a fast initial burst). But you'll probably
> need to do that with separate queues per IP and it gets to be a pain.

I found some sites with ip ranges for netflix and youtube, they are quite broad, but it's better than crippled network.

Thank you again for clarification and explaining this to me.

-- 
.-.---.-.--. | Michal Lyszczek | Embedded C, Linux | Company Address | .-. open source | | +48 727 564 419 | Software Engineer | Leszczynskiego 4/29 | oo| supporter | | https://bofc.pl `.--: 50-078 Wroclaw, Pol | /`'\ & | | GPG FF1EBFE7E3A974B1 | Bits of Code | NIP: 813 349 58 78 |(\_;/) programer | `--^--^-^--'
pf queue on packets with state
Hi,

I'm trying to setup queues on my LTE interface. This machine is firewall machine with two interfaces: wan and lan. Egress traffic is queueing without a problem. Rules like

    match out on $i_wan proto {tcp udp} to any port $p_dns set queue q_lte_out_dns set prio 6

work as intended and I can see that rules are being matched in systat queue and rules.

Problem is with ingress packets. Yes, I know people say it makes no sense to do it, but I believe it can work for TCP traffic. The slower program is receiving data, the slower it will ACK, the slower server will be sending data, and there should be more space for other packets. Anyway, it does not seem to work for me.

I try the most basic rules:

    queue q_lte_in_root on $i_lan bandwidth 20M max 20M qlimit 50

This works as intended, speedtests do indeed show my speed is more or less 20Mbit. Now I add 2 more queues, default and for http

    queue q_lte_in_std parent q_lte_in_root bandwidth 512K default qlimit 50
    queue q_lte_in_http parent q_lte_in_root bandwidth 512K qlimit 50

And I create match rule:

    match out on $i_lan all set queue q_lte_in_http set prio 0

And this rule is matched only by a handful of packets. systat queue shows that majority of packets go through q_lte_in_std, and only some of the packets go through q_lte_in_http. systat rules also shows only some of the packets are being matched by that rule.

I don't know, it looks like only packets without state match "match" rule and are being queued properly? I know filtering will be skipped for packets that have state but queueing is not skipped. So why can't I queue packets ingressing on LTE that are being egressed on LAN interface?

Is there any way to limit ingress on some ips/ports? I'd like to limit greedy apps like youtube or netflix from taking all the bandwidth.

I read pf.conf man and searched the whole net but I couldn't find answer to my question. I think I could make it work if I made pf stateless by default? Performance is not an issue here, machine can take it, but I couldn't find a way to do stateless by default.

Any ideas? Maybe I didn't read something carefully enough?
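As a worked example tying the question above to the fix from the reply earlier on the page (the queue assignment belongs on the rule that creates the state, i.e. "match in on $i_lan ... to port $p_http" behind a default block), here is one complete pf.conf. This is an added example, not either poster's configuration; the interface names, the LAN network, the $p_http port list, the egress root queue size and the NAT rule are assumptions, while the queue definitions and the two match rules follow the thread.

```pf
# Added pf.conf example (not the poster's own rules).
# Assumptions: interface names, LAN network, port macros, egress root size, NAT.
i_wan   = "pppoe0"           # assumption: the LTE uplink
i_lan   = "em1"              # assumption: the LAN side
lan_net = "192.168.1.0/24"   # assumption
p_dns   = "53"
p_http  = "{ 80 443 }"       # assumption

set skip on lo

# Egress shaping lives on the WAN interface (worked already in the thread).
queue q_lte_out_root on $i_wan bandwidth 5M max 5M qlimit 50       # 5M is an assumption
queue q_lte_out_std  parent q_lte_out_root bandwidth 512K default qlimit 50
queue q_lte_out_dns  parent q_lte_out_root bandwidth 512K qlimit 50

# "Ingress" shaping for downloads is done where the data leaves the box:
# on the LAN interface (queue definitions from the question).
queue q_lte_in_root on $i_lan bandwidth 20M max 20M qlimit 50
queue q_lte_in_std  parent q_lte_in_root bandwidth 512K default qlimit 50
queue q_lte_in_http parent q_lte_in_root bandwidth 512K qlimit 50

# Block by default, so every flow has to create state from its first
# packet (for TCP the SYN); the queue name is attached to that state.
block log all

# The queue is set on the rule that sees the state-creating packet: the
# client's request coming IN on the LAN, TO the HTTP ports.  Reply packets
# matching this state go OUT on $i_lan and use q_lte_in_http there.
match in on $i_lan proto tcp from $lan_net to any port $p_http \
    set queue q_lte_in_http set prio 0

# DNS leaves on the WAN; the outbound state on $i_wan carries this queue.
match out on $i_wan proto { tcp udp } to any port $p_dns \
    set queue q_lte_out_dns set prio 6

# assumption: LAN uses private addresses and is NATed to the WAN address
match out on $i_wan inet from $lan_net nat-to ($i_wan)

# Pass rules create the states; keep them simpler than the match rules.
pass in  on $i_lan inet from $lan_net to any
pass out on $i_wan inet
```

Load it with "pfctl -nf /etc/pf.conf" first to syntax-check, then "pfctl -f /etc/pf.conf"; "systat queues" should then show reply traffic for port 80/443 flows accumulating in q_lte_in_http on $i_lan rather than in q_lte_in_std.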
Re: Bridging multiple WAN via VLAN
On 2020-12-02 09:52:53, Stuart Henderson wrote:
> On 2020-12-01, michal.lyszc...@bofc.pl wrote:
> > Is it possible? Or am I imaging things and it's better to do it with
> > dhcp/pf routing? If it's possible to do with vlans on layer2, then
> > what am I suppose to look for? I can read man pages, but honestly
> > I don't really know how to approach that problem, so some keywords,
> > programs, rfcs would be nice to have:)
>
> If they were wired ethernet interfaces then you could do this directly
> with bridge. But bridge needs an ethernet-type layer 2 interface.
>
> The LTE devices are a layer 3 type interface so this would need to be
> routed (and usually also natted, unless you have a fancy provider that
> can route a block of addresses to it).

Yeah.. I didn't think about that.

> With wifi, an AP often works by bridging to ethernet and that is OK,
> but when connecting a wired device behind a wireless client there are
> problems. The standard frame format has source/destination/AP MAC
> addresses, but for "client bridge" to work it needs a fourth so it
> can pass on the MAC address of the wired client. APs that support
> WDS mode can cope with this, but OpenBSD doesn't have support for
> this, either in client or in AP mode.
>
> So normally you'll need to use routing and possibly NAT to have
> OpenBSD connect a wired client to a wifi interface.

You made me realize that forcing it to be done on layer2 is way more complicated and hacky than simple NAT with redirect all, to specific vlan. NAT is simpler, more clean, and I probably will still be able to perform good packet queueing and redundancy on main router. RPI4 should have enough power to forward two networks that will probably never get faster than 20Mbps each.

Thanks for explanation and opening my eyes:)
Bridging multiple WAN via VLAN
Hello,

I was wondering if and how I could bridge 2 WAN interfaces into single cable over vlan. Sounds cryptic, so let's start with the diagram of what I'd like to achieve:

     lte   wifi
     \|/   \|/       I have 2 WAN interfaces, LTE and WIFI
      |     |        Both are connected to OBSD1 box via
      |     |        USB cable, installation is on a rooftop
    +---------+
    |  OBSD1  |      OBSD1 is a raspberry pi 4 network thingy
    +---------+
         |           From the roof, to my server goes single
         |           CAT5E ethernet cable
    +---------+
    |  OBSD2  |      OBSD2 is a firewall/router
    +---------+
      |  |  |        The rest are various computers, I got that
      |  |  |        part covered
     LAN DMZ IOT

Now, both LTE and WIFI are USB devices that can give OBSD1 direct IP address - like modem. I know I could simply operate OBSD1 like router - install dhcpd to give IP to OBSD2 and forward traffic with pf. But that seems like unnecessary overhead and I'd like to setup packet priority/queueing on OBSD2 and treat OBSD1 like a stupid device.

So I was wondering, is it possible to bridge network so that: (it's easier with another diagram)

        IP        IP
      1.2.3.4   4.3.2.1
       \|/       \|/
        |         |
    +---o----*----+      o - lte usb modem; * - wifi usb card
    |   |    |    |
    | vlan1 vlan2 |      OBSD1 packs raw layer2 frames into
    |    `+'      |      separate vlans
    |     |       |
    +-----o-------+      o - em0 interface
          |              Data goes through single cable
    +-----o-------+      o - em0 interface
    |     |       |
    |   .-+-.     |      OBSD2 unpacks vlan1 and 2 into separate
    | vlan1 vlan2 |      virtual interfaces.
    | 1.2.3.4 4.3.2.1 |
    +-------------+

Now I'd like for vlan1 and vlan2 on OBSD2 to have 1.2.3.4 and 4.3.2.1 IPs, so that I can perform redundancy/load balancing/queueing/whatever directly on OBSD2 device, and treat OBSD1 like some kind of stupid switch/hub.

Hope it's clear what I'd like to do. Is it possible? Or am I imagining things and it's better to do it with dhcp/pf routing? If it's possible to do with vlans on layer2, then what am I supposed to look for? I can read man pages, but honestly I don't really know how to approach that problem, so some keywords, programs, rfcs would be nice to have:) Or just tell me I'm stupid and overengineering things and I should go with routing way:)

Thanks in advance for any help with this.
Re: opening fifo locks process in D state
On 2018-09-20 09:13:42, Alexandre Ratchov wrote:
> On Wed, Sep 19, 2018 at 11:32:40PM +0200, michal.lyszc...@bofc.pl wrote:
> > Hello,
> >
> > I've stumbled upon a weird problem. Long story short, I try to open
> > fifo two times, once O_WRONLY and once O_RDONLY, both in separate
> > threads - but one process. Unfortunately both threads are locked in
> > open() functions.
> >
> > I prepared very small program that reproduces this problem for me,
> > please see attached file and note that there is no error handling
> > for readability.
> >
> > !!! Also note, this program may get stuck in D state,
> > and you won't be able to SIGKILL it.
> >
> > Anyone got any idea why is this happening? Is something wrong with
> > my code?
>
> This is a kernel bug, no program may behave like this.
>
> > It works properly on netbsd, freebsd, aix, hpux and linux.
> >
> > I don't know what info exactly you might need, but here is uname,
> > it's almost clean system, I didn't make much changes, and
> > especially not in the core.
> >
> > # uname -a
> > OpenBSD bbs-i686-builder-openbsd.kurwinet.pl 6.2 GENERIC#163 i386
>
> This is an old OpenBSD version; I reproduced it on 6.3 but not
> on -current (this doesn't mean the bug was fixed).

I confirm, just upgraded my system to:

    OpenBSD 6.3 GENERIC#490 i386

and problem is the same.

I found a workaround. When I change flags in both open() to O_RDWR, the problem goes away, it's not much but it's something.

Should I post a bug report? I cannot find a way to check if that was already reported or not.

-- 
Best Regards
opening fifo locks process in D state
Hello,

I've stumbled upon a weird problem. Long story short, I try to open fifo two times, once O_WRONLY and once O_RDONLY, both in separate threads - but one process. Unfortunately both threads are locked in open() functions.

I prepared very small program that reproduces this problem for me, please see attached file and note that there is no error handling for readability.

!!! Also note, this program may get stuck in D state, and you won't be able to SIGKILL it.

Anyone got any idea why is this happening? Is something wrong with my code?

It works properly on netbsd, freebsd, aix, hpux and linux.

I don't know what info exactly you might need, but here is uname, it's almost clean system, I didn't make much changes, and especially not in the core.

    # uname -a
    OpenBSD bbs-i686-builder-openbsd.kurwinet.pl 6.2 GENERIC#163 i386

Output of program on openbsd

    $ ./a.out
    opening ./test-fifo O_WRONLY
    opening ./test-fifo O_RDONLY

and on linux

    $ ./a.out
    opening /tmp/test-fifo O_WRONLY
    opening /tmp/test-fifo O_RDONLY
    opened /tmp/test-fifo O_RDONLY
    opened /tmp/test-fifo O_WRONLY
    producer read: test message

-- 
Best Regards

/* test of unix fifo
 *
 * compile:
 * gcc fifo.c -pthread
 *
 * Deliberately has no error handling (see the mail above); the two
 * blocking open() calls in separate threads are the reproducer itself.
 */
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <pthread.h>
#include <sys/types.h>
#include <sys/stat.h>

static const char *fifo_path = "/tmp/test-fifo";
static const char *str = "test message";

/* thread 1: opens the fifo write-only and writes one message */
void *consumer(void *arg)
{
    int fd;

    printf("opening %s O_WRONLY\n", fifo_path);
    fd = open(fifo_path, O_WRONLY);   /* blocks until a reader opens */
    printf("opened %s O_WRONLY\n", fifo_path);
    write(fd, str, strlen(str));
    close(fd);
    return NULL;
}

/* thread 2: opens the fifo read-only and reads the message back */
void *producer(void *arg)
{
    int fd;
    char buf[16] = {0};

    printf("opening %s O_RDONLY\n", fifo_path);
    fd = open(fifo_path, O_RDONLY);   /* blocks until a writer opens */
    printf("opened %s O_RDONLY\n", fifo_path);
    read(fd, buf, strlen(str));
    printf("producer read: %s\n", buf);
    close(fd);
    return NULL;
}

int main(void)
{
    pthread_t consumer_t;
    pthread_t producer_t;

    /* start from a fresh fifo node */
    unlink(fifo_path);
    mkfifo(fifo_path, 0777);

    pthread_create(&consumer_t, NULL, consumer, NULL);
    pthread_create(&producer_t, NULL, producer, NULL);
    pthread_join(producer_t, NULL);
    pthread_join(consumer_t, NULL);
    return 0;
}
Re: syspatch ideas
On 2017-05-15 Mon 02:50, Theo de Raadt wrote:
> ...
> This system is intentionally simple, to create robustness via simplicity.
>
> I think you are being critical because you think it is amusing.
>

(please note that the subject is still "syspatch ideas")

Syspatch infrastructure itself is amusing, not necessarily it is so for currently available syspatch(8) feature set.

Yet more than discussed patchset revert feature I do miss -v(erbose) option and/or mentioned -L(ist patched files) option.

It reminds me of the discomfort of absence of -v option to rm(1) -r $dir (which is fakeable by doing `find $dir` beforehand; manual listing of syspatch-patched files is much more complicated)
Re: syspatch ideas
On 2017-05-15 Mon 08:19, Michal Bozon wrote:
> > > ...
> > ...
> ...
> Reverting the last patchset would be reverting the patches from the last
> patchset file, and removing that file.
>

correction/addition: in the reverse order
Re: syspatch ideas
On 2017-05-15 Mon 02:23, Theo de Raadt wrote:
> >On 2017-05-15 Mon 01:31, Theo de Raadt wrote:
> >> >2) Notion of transactions
> >> >
> >> >Often, more patches are installed at once, with the single `syspatch`
> >> >command. One might want to be able to revert all those patches at once
> >> >as well. A notion of transactions could be made by adding a notion
> >> >of transactions, but that would add more unnecessary complexity.
> >> >
> >> >It can be solved simpler way, by adding the line with the list of
> >> >patches applied, e.g.
> >> >
> >> >  # syspatch
> >> >  Installing patch 005_pf_src_tracking
> >> >  Get/Verify syspatch61-006_libssl.tgz 100% |*| 2276 KB    00:04
> >> >  Installing patch 006_libssl
> >> >  Get/Verify syspatch61-007_freetyp... 100% |*|  732 KB    00:01
> >> >  Installing patch 007_freetype
> >> >  Missing set, skipping patch 007_freetype
> >> >  Patches applied: 5,6
> >> >
> >> >and by adding support for -r optional argument, which could be comma
> >> >separated patch number list.
> >>
> >> That is incorrect.
> >>
> >> The usage situations are no patches, or all of the patches, or a
> >> subset and you are about to install to get more /all of them. You
> >> don't get to choose which you want, unless all newer ones are ripped out
> >> also.
> >>
> >> We don't manage dependencies.
> >>
> >> This tooling is designed to make errata handling EASY FOR US. Otherwise,
> >> we would not bother building this service.
> >>
> >
> >Here I agree.
> >
> >If not providing easy ability to revert arbitrary list of patches, what about
> >handle "transactions" or "syspatch sessions" or "patchsets" internally:
> >
> >After successful application of patch(es), create
> >/var/syspatch/patchset.$TIMESTAMP
> >with list of applied patches (line by line).
> >
> >Reverting the last patchset would be reverting the patches from the last
> >patchset file, and removing that file.
>
> You haven't justified need.
>
> They are either installed, or not, and existence of files and directories
> already indicates the patchlevel.
>

I think the justification is:

Why do I even need to revert a patch? Only because something got broken by the last syspatch command, that may have applied multiple patches. I might not know which patch caused the problem. If the problematic patch was not the last one from the set, reverting with -r does not help, because it reverts single last patch only.

Well, applying `syspatch -r` repeatedly is a sort of solution as well.
Re: syspatch ideas
On 2017-05-15 Mon 01:31, Theo de Raadt wrote:
> >2) Notion of transactions
> >
> >Often, more patches are installed at once, with the single `syspatch`
> >command. One might want to be able to revert all those patches at once
> >as well. A notion of transactions could be made by adding a notion
> >of transactions, but that would add more unnecessary complexity.
> >
> >It can be solved simpler way, by adding the line with the list of
> >patches applied, e.g.
> >
> >  # syspatch
> >  Installing patch 005_pf_src_tracking
> >  Get/Verify syspatch61-006_libssl.tgz 100% |*| 2276 KB    00:04
> >  Installing patch 006_libssl
> >  Get/Verify syspatch61-007_freetyp... 100% |*|  732 KB    00:01
> >  Installing patch 007_freetype
> >  Missing set, skipping patch 007_freetype
> >  Patches applied: 5,6
> >
> >and by adding support for -r optional argument, which could be comma
> >separated patch number list.
>
> That is incorrect.
>
> The usage situations are no patches, or all of the patches, or a
> subset and you are about to install to get more /all of them. You
> don't get to choose which you want, unless all newer ones are ripped out also.
>
> We don't manage dependencies.
>
> This tooling is designed to make errata handling EASY FOR US. Otherwise,
> we would not bother building this service.
>

Here I agree.

If not providing easy ability to revert arbitrary list of patches, what about handle "transactions" or "syspatch sessions" or "patchsets" internally:

After successful application of patch(es), create /var/syspatch/patchset.$TIMESTAMP with list of applied patches (line by line).

Reverting the last patchset would be reverting the patches from the last patchset file, and removing that file.
syspatch ideas
Hi,

the syspatch utility for now knows only three options:

-c(heck for available plugins and list them)
-l(ist installed patches - "id"s only)
-r(evert most recent patch)

.. and recently apparently also

-R(evert all patches)

Here are two additional features that would be very useful:

1) -L(ist files of the recent patch)

For now, I'm doing that with:

tar tzf /var/syspatch/"$(ls -tr /var/syspatch/ | tail -n 1)"/*.tgz

2) Notion of transactions

Often, more patches are installed at once, with the single `syspatch` command. One might want to be able to revert all those patches at once as well. A notion of transactions could be made by adding a notion of transactions, but that would add more unnecessary complexity.

It can be solved in a simpler way, by adding a line with the list of patches applied, e.g.

# syspatch
Installing patch 005_pf_src_tracking
Get/Verify syspatch61-006_libssl.tgz 100% |*| 2276 KB    00:04
Installing patch 006_libssl
Get/Verify syspatch61-007_freetyp... 100% |*|  732 KB    00:01
Installing patch 007_freetype
Missing set, skipping patch 007_freetype
Patches applied: 5,6

and by adding support for an optional argument to -r, which could be a comma separated patch number list. (And this optional argument support would also be nice for the proposed -L option.)

Thanks for a very handy feature,
Michal Bozon
Re: thinkpad x220 with OpenBSD 6.1
On 2017-04-14 Fri 13:28, "misc nick" wrote:
> This e-mail is complementary to the one i sent at dm...@openbsd.org.
>
> After the completion of the installation process, everything works except:
>
> -screen brightness controlled by the keyboard
> -suspend/resume when i close the lid
>
> Both minor issues were resolved when i suspended the laptop from the command
> line (zzz). Now everything works.
>
> Thank you OpenBSD team.

Same here, even the external display works, even though it is a DVI cable through a DVI/DisplayPort adaptor; it is seen in xrandr as HDMI1. But when connected via the dock (in Linux seen as HDMI2), it does not work for me.
Re: [PATCH] Installer bug (MSDOS tildes)
The comment for the mentioned patch reversion was:

  the map-to-lowercase scheme for msdos is not going to work, because
  other filesystems can contain mixed case files (ie. sgi).
  discussed with krw and halex

which does not make much sense to me, because the fix was a conditional treatment for the MSDOS filesystem. (Which also is not very transparent - I was unable to find the referenced discussion with krw and halex, but the issue of why OpenBSD does not yet (or anymore) have a bug tracker system is for another discussion.)

For reference, the quoted URLs, fixed, would be:

https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/distrib/miniroot/install.sub#rev1.750
https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/distrib/miniroot/install.sub#rev1.752

On 2017-05-10 Wed 13:27, Theo Buehler wrote:
> A similar diff was briefly committed in 1.750 for the reason you mention:
> https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/distrib/miniroot/install.sub#rev750
> It was backed out again in
> https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/distrib/miniroot/install.sub#rev752
>
> ...
Re: [PATCH] Installer bug (MSDOS tildes)
There was a "typo" in my patch, this should be a correct one: --- /usr/src/distrib/miniroot/install.sub.ooo Wed May 10 12:19:56 2017 +++ /usr/src/distrib/miniroot/install.sub Wed May 10 12:48:31 2017 @@ -1804,7 +1804,7 @@ fi # Always mount msdos partitions with -s to get lower case names. -grep -q "^ $resp: .*MSDOS" $_file && _opts="-s" +grep -q "^ $resp: .*MSDOS" $_file && _opts="-l" mount -o ro,$_opts /dev/$_dev$resp /mnt2 } I am not sure why "-s" flag is used, maybe it fixed some problem, but it has introduced another one. MB On 2017-05-10 Wed 12:34, Michal Bozon wrote: > Hi, > there is a typo in install.sub > causing problems e.g. when removable FAT32 formatted > disk with installation files is attached, > and "disk" is selected as install media: > > INSTALL.i386 not found ... > (because it is visible as instal~1.i38) > > Directory does not contain SHA256.sig ... > (because it is visible as sha256.sig) > > here is the patch: > > --- /usr/src/distrib/miniroot/install.sub > +++ /usr/src/distrib/miniroot/install.sub > @@ -1805,7 +1805,7 @@ > > # Always mount msdos partitions with -s to get lower case names. > grep -q "^ $resp: .*MSDOS" $_file && _opts="-s" > -mount -o ro,$_opts /dev/$_dev$resp /mnt2 > +mount -o ro $_opts /dev/$_dev$resp /mnt2 > } > > > regards, > Michal Bozon
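Review bot: the hunk switches `_opts` from "-s" to "-l" but leaves the comment above it, "Always mount msdos partitions with -s to get lower case names.", untouched, so comment and code now disagree; reword the comment to say what -l is meant to give. The hunk also keeps `mount -o ro,$_opts`, i.e. the flag still travels inside the -o list, which the earlier version of this patch (quoted below) treated as the actual typo; pick one of the two forms and say why in the commit message.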
[PATCH] Installer bug (MSDOS tildes)
Hi, there is a typo in install.sub causing problems e.g. when removable FAT32 formatted disk with installation files is attached, and "disk" is selected as install media: INSTALL.i386 not found ... (because it is visible as instal~1.i38) Directory does not contain SHA256.sig ... (because it is visible as sha256.sig) here is the patch: --- /usr/src/distrib/miniroot/install.sub +++ /usr/src/distrib/miniroot/install.sub @@ -1805,7 +1805,7 @@ # Always mount msdos partitions with -s to get lower case names. grep -q "^ $resp: .*MSDOS" $_file && _opts="-s" -mount -o ro,$_opts /dev/$_dev$resp /mnt2 +mount -o ro $_opts /dev/$_dev$resp /mnt2 } regards, Michal Bozon
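Review bot: dropping the comma makes `$_opts` a separate argument to mount rather than an entry in the -o list, which matches the comment's intent of handing -s to the msdos mount; nothing in the visible context clears `_opts` before `grep -q ... && _opts="-s"`, so a value left from an earlier call of this function would be reused for a non-MSDOS partition. Initialise it (`_opts=`) right before the grep.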
Re: not exactly (Re: systrace removed? Why?)
If someone's interested, here is a list of fs differences between 6.0 upgraded from 5.9 and a 6.0 install that I found, with some obvious differences like the smtpd spool or sysmerge backups removed (amd64/qemu):

http://pastebin.com/raw/VPkdbvxy (text/plain)

(not pasting because of long lines)

HTH
Re: not exactly (Re: systrace removed? Why?)
> > good(?) news: sysmerge is gone in 6.0
> > but not removed by 5.9 to 6.0 upgrade process.
> >
>
> I really have a hard time understanding what you're trying to point out.
>
> Yes, systrace is gone, but it's an ordinary binary that does no harm,
> feel free to remove it if it makes you feel better.
>
> sysmerge isn't gone, but it is executed automatically if you use a
> bsd.rd upgrade, hence it's only mentioned in the manual upgrade process.

OK, never mind, I have just spotted it when comparing fs trees of a freshly installed 6.0 and a freshly installed/upgraded 5.9/6.0 .. and made sure to report it immediately, since the removal of systrace is advertised as a security enhancement :)
Re: not exactly (Re: systrace removed? Why?)
> good(?) news: sysmerge is gone in 6.0
> but not removed by 5.9 to 6.0 upgrade process.

s/sysmerge/systrace/
not exactly (Re: systrace removed? Why?)
> Why?

good(?) news: sysmerge is gone in 6.0
but not removed by the 5.9 to 6.0 upgrade process.
Re: lyrics.html nit.
> -With twitchy fingers on flashing keys
> +Twitchy fingers, flashing keys
>
> -always claiming "it was just a prank!"
> +Claiming "it was just a prank!"

hi,

this time (60c), I hear this:

Money, donate your pay.
Automate with a cron job and we'll be ok.
+Money, donate your pay.

Thoughtful programming versus "just make it fast".
...
Not donating, it's a crime.
...

finally, I would do s/\.$//, to be consistent.

ps: not guilty, bought at least 0b100 mugs
Re: hostname.if manpage enhancement: be clearer about #
> Even adding "debug" keyword did not assure me
> whether the problem is with my password definition:
> wpakey s3cur3-as-#311, for illustration (was not sure
> if the '#' has to be escaped somehow); or somewhere
> else. Finally, it was the latter, but it took me a while
> to realize that.

.. or maybe I should use simple English:

$ grep key /etc/hostname.ath0
wpakey s3cur3-as-#311

$ doas ifconfig ath0 | perl -ne 'print if /status|key/'
	status: active
	ieee80211: nwid m ... wpakey 0x15b752645ecc6e52bf04052097af3d16031019d953f5c96cbdfeeabd223b2c89 ...

$ ./wpakey.pl 's3cur3-as-#311' m
0x15b752645ecc6e52bf04052097af3d16031019d953f5c96cbdfeeabd223b2c89

$ cat wpakey.pl
#!/usr/bin/perl
use strict;
use Crypt::PBKDF2;

# passphrase and SSID (the SSID is the PBKDF2 salt)
my $pw   = $ARGV[0];
my $salt = $ARGV[1];

# WPA/WPA2 PSK: PBKDF2-HMAC-SHA1, 4096 iterations, 32-byte key
my $kdf = Crypt::PBKDF2->new(
    hash_class => "HMACSHA1",
    iterations => 4096,
    output_len => 32,
);
my $h = $kdf->PBKDF2_hex($salt, $pw);
print "0x$h\n";
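The same derivation as wpakey.pl in Python, as an added example that is not from the post: it computes the WPA PSK the kernel shows in ifconfig and checks a captured ifconfig line against it, so a passphrase containing '#' can be confirmed to have reached the driver intact. The IEEE 802.11i published test vector (passphrase "password", SSID "IEEE") stands in for the thread's real values, and the ifconfig output is constructed.

```python
import hashlib
import re


def wpa_psk(passphrase, ssid):
    """WPA/WPA2 PSK as wpakey.pl computes it: PBKDF2-HMAC-SHA1, 4096 rounds,
    32 bytes, with the SSID as salt. The passphrase is used byte for byte,
    so a '#' inside it is part of the key, not the start of a comment."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                              ssid.encode("utf-8"), 4096, dklen=32)
    return "0x" + key.hex()


# The 'wpakey 0x...' field ifconfig prints for a configured interface.
WPAKEY_RE = re.compile(r"\bwpakey (0x[0-9a-f]{64})\b")


def ifconfig_wpakey(ifconfig_output):
    """Return the hex PSK shown in ifconfig output, or None if absent."""
    m = WPAKEY_RE.search(ifconfig_output)
    return m.group(1) if m else None


def passphrase_matches(passphrase, ssid, ifconfig_output):
    """True when the PSK the kernel holds equals the one derived from the
    passphrase and SSID, i.e. hostname.if delivered the passphrase unchanged."""
    return ifconfig_wpakey(ifconfig_output) == wpa_psk(passphrase, ssid)


# Constructed sample of what 'ifconfig ath0' would print for a network named
# "IEEE" configured with the passphrase "password" (the 802.11i test vector).
SAMPLE_IFCONFIG = (
    "\tstatus: active\n"
    "\tieee80211: nwid IEEE chan 1 wpakey "
    "0xf42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e "
    "wpaprotos wpa2 wpaakms psk\n"
)

if __name__ == "__main__":
    print(wpa_psk("password", "IEEE"))
    print(passphrase_matches("password", "IEEE", SAMPLE_IFCONFIG))
    # A '#' in the passphrase changes the key: nothing after it is stripped.
    print(wpa_psk("s3cur3-as-#311", "m") != wpa_psk("s3cur3-as-", "m"))
```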
Re: hostname.if manpage enhancement: be clearer about #
Theo de Raadt wrote:
> > > As i said, my config with # in the password worked
> > > without any escaping or quoting needed.
> > >
> >
> > i understood from your mail that you'd had to escape it.
>
> that is correct.

... now I'm jealous, I want to be able to read other people's thoughts too.
Re: hostname.if manpage enhancement: be clearer about #
> On Mon, Aug 08, 2016 at 10:23:22AM +0200, Michal Bozon wrote: > > Hi, I've had an issue connecting to a wireless network > > (by doas sh /etc/netstart $if). Its password contained > > '#' character(s). > > > > Even adding "debug" keyword did not assure me > > whether the problem is with my password definition: > > wpakey s3cur3-as-#311, for illustration (was not sure > > if the '#' has to be escaped somehow); or somewhere > > else. Finally, it was the latter, but it took me a while > > to realize that. > > > > Current hostname.if manpage is not absolutely clear: > > > > #Comments are allowed. Anything following a comment > > character is treated as a comment. > > > > It suggests that what is before '#' might have a meaning, > > while the broader context of the definition strongly suggests > > that comment it is when '#' "keyword" is at the beginning. > > > > Looking into /etc/netstart might also be confusing - > > just at the beginning, there's stripcom() function definition, > > which clearly strips the input line from '#' and following. > > However, this function is NOT applied to /etc/hostname.if, > > it is treated differently, entire line beginning with '#' > > is skipped (see # Skip comments and empty lines). > > > > I am therefore proposing following or similar change: > > > > --- /usr/src/share/man/man5/hostname.if.5 > > +++ /usr/src/share/man/man5/hostname.if.5 
> > @@ -201,7 +201,7 @@ > > the interface, such as 64. > > .It Li # > > Comments are allowed. > > -Anything following a comment character is treated as a comment. > > +Line beginning with a comment character is treated as a comment. > > .It Li \&! Ns Ar command > > Arbitrary shell commands can be executed using this directive, as > > long as they are available in the single-user environment (for
> >
> hi.
>
> the diff as-is is wrong. i mean it's valid to have this in your
> hostname.if file:
>
> up # blah blah
>
> that's a very common construct, and is allowed.
>
> however it might be that to the list of things that should be double
> quoted (whitespace and single quotes) we should add the comment
> character. i'm not sure though.
>
> jmc

Indeed, my initial analysis was not correct; it is more, say, complicated. As I said, my config with # in the password worked without any escaping or quoting needed.

!echo foo # boo
  will echo foo

!echo foo#boo
  will echo foo#boo

up # blah blah
  will work just because in fact it is ignored, because the interface is up-ped automatically, implicitly

dhcp # blah blah
  will NOT work, because in the end it is interpreted as the command:
  ifconfig ath0 # blah blah down;dhclient ath0
Re: ksh, ctrl-r followed by arrow key leaves "[D" or "[C" artifacts
Hi,

this also bugs me. But ksh is not bash. Try hitting ESC before an arrow. (I'm not sure if it is a consistent keystroke behavior of ksh or not.)

Here's one of the older threads on this:
https://marc.info/?t=12126533981&r=1&w=2

regards,
Michal Bozon

Dave Cohen wrote:
...
I'll try to describe an annoyance with my ksh setup. Web and man page searching has not provided a solution. I'm relatively new to both ksh and openbsd. I'm on version 5.9 release.

Problem happens when I navigate command history with ctrl-r, then use left or right arrow. Hitting left arrow writes "[D", right inserts "[C". I'm hitting the arrow keys so I can edit my prior command. It's a habit I'm used to that works in bash.
...
hostname.if manpage enhancement: be clearer about #
Hi, I've had an issue connecting to a wireless network (by doas sh /etc/netstart $if). Its password contained '#' character(s). Even adding "debug" keyword did not assure me whether the problem is with my password definition: wpakey s3cur3-as-#311, for illustration (was not sure if the '#' has to be escaped somehow); or somewhere else. Finally, it was the latter, but it took me a while to realize that. Current hostname.if manpage is not absolutely clear: #Comments are allowed. Anything following a comment character is treated as a comment. It suggests that what is before '#' might have a meaning, while the broader context of the definition strongly suggests that comment it is when '#' "keyword" is at the beginning. Looking into /etc/netstart might also be confusing - just at the beginning, there's stripcom() function definition, which clearly strips the input line from '#' and following. However, this function is NOT applied to /etc/hostname.if, it is treated differently, entire line beginning with '#' is skipped (see # Skip comments and empty lines). I am therefore proposing following or similar change: --- /usr/src/share/man/man5/hostname.if.5 +++ /usr/src/share/man/man5/hostname.if.5 @@ -201,7 +201,7 @@ the interface, such as 64. .It Li # Comments are allowed. -Anything following a comment character is treated as a comment. +Line beginning with a comment character is treated as a comment. .It Li \&! Ns Ar command Arbitrary shell commands can be executed using this directive, as long as they are available in the single-user environment (for
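Review bot: the replacement line "Line beginning with a comment character is treated as a comment." is missing an article ("A line beginning ...") and overstates the rule: the reply in this thread shows `up # blah blah` is an accepted construct, so # is not only recognised at the start of a line, while `dhcp # blah blah` ends up inside the ifconfig command line. Rather than swapping one absolute statement for another, describe both behaviours: a line whose first character is # is skipped, and a # anywhere else is passed through to the directive unchanged.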
Re: lyrics.html nit.
This is what I hear:

-With twitchy fingers on flashing keys
+Twitchy fingers, flashing keys

-always claiming "it was just a prank!"
+Claiming "it was just a prank!"

regards,
michal bozon
"Abort trap" when pledge()d and compiled with -pg
When compiling a program that calls pledge(2) with "-pg" the resulting binary will execute seemingly fine, but at the very end die with:

Abort trap (core dumped)

I think the problem lies in a call to profil(2). Is this a bug or a feature?

--
Michal Mazurek
Re: CD's arrived
On 2015-10-08 Thu 16:33, Aaron Poffenberger wrote:
> On 10/08/15 16:13, ian kremlin wrote:
> >Hello
> >
> >Syracuse, NY -- no CD, but poster has arrived. looks great!
> >
> >http://ce.gl/openbsd-5.8-poster.jpg
> >
> >ian
> >
> >On Wed, Oct 7, 2015 at 10:51 AM, M Wheeler <6f84c...@refn.co.uk> wrote:
> >>CD's arrived today UK. Thanks again.
> >
> Bonus points for effective use of Symbolics keyboard, manual and panel!
>

Does it mean that the poster did arrive in a tube rather than in a large flat envelope?
Re: 2^64 - 39 ...
> ... > Michael > you have won! > > --- /usr/src/games/factor/factor.c Wed Oct 28 00:59:24 2009 > +++ factor.cTue Sep 8 20:06:44 2015 > @@ -192,6 +192,19 @@ pr_fact(u_int64_t val) /* Factor this value. > */ > (void)putchar('\n'); > } > > +static u_int32_t > +int_sqrt(u_int64_t y) > +{ > +int i; > +u_int32_t m_i; > +u_int32_t m = 0; > + > +for (i = 32; i >= 0; i--) { > +m_i = m | (1U << i); > +if ((u_int32_t)m_i * m_i <= y) m = m_i; > +} > +return m; > +} > > /* At this point, our number may have factors greater than those in primes[]; > * however, we can generate primes up to 32 bits (see primes(6)), which is > @@ -208,7 +221,7 @@ pr_bigfact(u_int64_t val) /* Factor this value. */ > char table[TABSIZE];/* Eratosthenes sieve of odd numbers */ > > start = *pr_limit + 2; > - stop = (ubig)sqrt((double)val); > + stop = int_sqrt(val); > if ((stop & 0x1) == 0) > stop++; > /*
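Review bot: int_sqrt() has two overflows in the hunk: the loop starts at `i = 32`, so the first candidate is `1U << 32`, undefined for a 32-bit unsigned, and `(u_int32_t)m_i * m_i` multiplies in 32 bits, so for every candidate of 65536 or more the square wraps before it is compared with y. Start the loop at `i = 31` and widen the product, e.g. `if ((u_int64_t)m_i * m_i <= y) m = m_i;`. With those two changes the function returns 4294967295 for val = 2^64 - 1, the bound the caller needs.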
Re: 2^64 - 39 ...
there's more..

* worst case is 18446744030759878681, which is previous_prime(sqrt(2^64))^2, which is 4294967291^2
* _smallest_ OpenBSD composite prime seems to be 4295360521, which is 65539^2

Michal Bozon
Re: 2^64 - 39 ...
.. I was wondering before why *bin/factor is in games, now I get it. Very nice observation!

Other factor game fake primes:

18446744073709551503 == 2^64 - 113 == 119026343 * 154980348121
18446744073709551499 == 2^64 - 117 == 363269 * 50779846542671
18446744073709551491 == 2^64 - 125 == 315781601 * 58416145891
18446744073709551461 == 2^64 - 155 == 76511 * 241099241595451
...

I like this one:

18446744073709551043 == 2^64 - 573 == 83401 * 95279 * 2321406917

m.

> ... is the greatest composite OpenBSD prime.
...
> $ /usr/games/factor $n
...
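An added example, not from the thread, that checks the arithmetic behind it in Python: a bit-by-bit integer square root in the spirit of the int_sqrt() patch quoted above (with its two 32-bit overflows avoided), the bound that `(ubig)sqrt((double)val)` produces once a value near 2^64 has been rounded to a double, and the factorisations listed in this post. The values are taken from the thread; the helper names are this example's own.

```python
import math

U32_MAX = (1 << 32) - 1


def int_sqrt(y):
    """Largest m with m*m <= y for 0 <= y < 2**64, found bit by bit from bit
    31 down, the approach of the quoted int_sqrt() patch. Two C pitfalls are
    avoided: the loop does not start at bit 32 (1U << 32 is undefined for a
    32-bit type) and the square is compared at full width (in C that means
    (u_int64_t)cand * cand, not (u_int32_t)cand * cand)."""
    if not 0 <= y < (1 << 64):
        raise ValueError("int_sqrt() is defined for 64-bit unsigned values")
    m = 0
    for i in range(31, -1, -1):
        cand = m | (1 << i)
        if cand * cand <= y:      # Python ints never wrap
            m = cand
    return m


def double_sqrt_bound(y):
    """The bound the old code computes: y is rounded to a double first. Every
    y within 1024 of 2**64 rounds up to 2**64 and the root becomes 2**32,
    one more than any u_int32_t can hold."""
    return int(math.sqrt(float(y)))


def bound_is_safe(y):
    """Is the double-derived bound usable as a 32-bit trial-division limit?"""
    b = double_sqrt_bound(y)
    return b <= U32_MAX and b >= int_sqrt(y)


def factor(n):
    """Trial division with the integer bound; fine for n up to about 2**40 in
    pure Python, enough for the smallest 'composite prime' in the thread."""
    factors = []
    p = 2
    while p <= int_sqrt(n):
        while n % p == 0:
            factors.append(p)
            n //= p
        p += 1 if p == 2 else 2
    if n > 1:
        factors.append(n)
    return factors


# Values from the thread: 2**64 - k and the factorisations given for them.
FAKE_PRIMES = {
    (1 << 64) - 113: [119026343, 154980348121],
    (1 << 64) - 117: [363269, 50779846542671],
    (1 << 64) - 125: [315781601, 58416145891],
    (1 << 64) - 155: [76511, 241099241595451],
    (1 << 64) - 573: [83401, 95279, 2321406917],
}


def listed_factors_hold(table=FAKE_PRIMES):
    """Check that every listed product really equals its 2**64 - k."""
    return all(math.prod(fs) == n for n, fs in table.items())


if __name__ == "__main__":
    n = (1 << 64) - 39
    print(int_sqrt(n), double_sqrt_bound(n), bound_is_safe(n))
    print(factor(4295360521), listed_factors_hold())
```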
Re: OpenBSD 5.7 httpd tls intermediate/chain certificate problem
On 14.05.2015 16:01, Joel Sing wrote:
On Thursday 14 May 2015, Michal Lesniewski wrote:
On 14.05.2015 15:02, Joel Sing wrote:
On Thursday 14 May 2015, Michal Lesniewski wrote:

Hello,

I'm trying to configure OpenBSD 5.7 httpd with TLS with an intermediate/chain certificate, without success.

my httpd.conf:

server "default" {
	listen on 10.11.0.200 tls port 443
	tls {
		certificate "/etc/ssl/server-unified.pem"
		key "/etc/ssl/private/server.key"
	}
	root "/htdocs/default"
}

types {
	include "/usr/share/misc/mime.types"
}

My certificate is an intermediate/chain certificate. That means I need to supply the "next level" certificate that is between my certificate and the CA. I made that chain certificate by concatenating PEM format files with the corresponding certs (all certs Signature Algorithm: sha256WithRSAEncryption):

cat server.pem sub.class2.server.ca.pem ca-sha2.pem > /etc/ssl/server-unified.pem

server-unified.pem looks like:

-----BEGIN CERTIFICATE-----
(Primary SSL certificate: server.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate: sub.class2.server.ca.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root certificate: ca-sha2.pem)
-----END CERTIFICATE-----

Certificate and key installed in default locations:

# ls -alh /etc/ssl/private/server.key
-r-------- 1 root wheel 6.2K May 13 19:40 /etc/ssl/private/server.key
# ls -alh /etc/ssl/server.pem
-rw-r--r-- 1 root wheel 3.3K May 13 19:41 /etc/ssl/server.pem
# ls -alh /etc/ssl/server-unified.pem
-rw-r--r-- 1 root wheel 8.0K May 14 13:53 /etc/ssl/server-unified.pem

I try to test using openssl s_client:

michal@michal-MSQ87TN:~$ openssl s_client -connect 10.11.0.200:443
CONNECTED(0003)
GET / HTTP/1.0

httpd log:

# httpd -dvv
startup
server_tls_load_keypair: using certificate /etc/ssl/server-unified.pem
server_tls_load_keypair: using private key /etc/ssl/private/server.key
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_privinit: adding server default
server_privinit: adding server default
socket_rlimit: max open files 1024
server_launch: running server default
server_launch: running server default
server_launch: running server default

there is no "server_tls_init"; nothing appears when the openssl s_client command is started

This smells very much like the same problem that has been mentioned on the list earlier - with a 6KB private key and a 8KB bundle, you're almost certainly hitting the 16K limit for a single imsg. Unfortunately there were missing return value checks which means that this fails silently.

If you can try httpd from -current you will likely see an error instead of a silent failure. Otherwise you can try removing one of the certificates from the bundle in order to reduce the size and see if it then reports "server_tls_init" and starts working.

tested on -current:

# httpd -dv
startup
server_tls_load_keypair: using certificate /etc/ssl/server-unified.pem
server_tls_load_keypair: using private key /etc/ssl/private/server.key
socket_rlimit: max open files 1024
server_privinit: adding server default
server_privinit: adding server default
config_setserver: failed to compose IMSG_CFG_SERVER imsg for `default': Result too large
fatal: send server: Result too large
socket_rlimit: max open files 1024
logger exiting, pid 4965
socket_rlimit: max open files 1024
server exiting, pid 10727
server exiting, pid 32594
server exiting, pid 5337

The above situation occurs both when I have server cert + intermediate + ca and when I have only server cert + intermediate in server-chain.pem. httpd starts only when I supply only my server cert to it.

Is there any solution to run httpd with such a big private key?

Try this (albeit only tested a little beyond compilation...)

Index: config.c === RCS file: /cvs/src/usr.sbin/httpd/config.c,v retrieving revision 1.37 diff -u -p -r1.37 config.c --- config.c11 Apr 2015 14:52:49 - 1.37 +++ config.c14 May 2015 13:58:57 -
@@ -193,14 +193,6 @@ config_setserver(struct httpd *env, stru iov[c].iov_base = srv->srv_conf.return_uri; iov[c++].iov_len = srv->srv_conf.return_uri_len; } - if (srv->srv_conf.tls_cert_len != 0) { - iov[c].iov_base = srv->srv_conf.tls_cert; - iov[c++].iov_len = srv->srv_conf.tls_cert_len; - } - if (srv->srv_conf.tls_key_len != 0) { - iov[c].iov_base = srv->srv_conf.tls_key; - iov[c++].iov_len = srv->srv_conf.tls_key_len; - } if (id == PROC_SERVER && (srv->srv_conf.flags &
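Review bot: the hunk removes tls_cert and tls_key from the IMSG_CFG_SERVER iov, but the matching receive side that used to read them out of this message, and whatever now carries the certificate and key to the server process, are not in the posted diff, which is cut off at `if (id == PROC_SERVER && (srv->srv_conf.flags &`. Please post the complete diff with the receiver change and the new send path; this hunk alone leaves the server process with nothing to hand to server_tls_init().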
Re: OpenBSD 5.7 httpd tls intermediate/chain certificate problem
On 14.05.2015 15:02, Joel Sing wrote:
On Thursday 14 May 2015, Michal Lesniewski wrote:

Hello,

I'm trying to configure OpenBSD 5.7 httpd with TLS with an intermediate/chain certificate, without success.

my httpd.conf:

server "default" {
	listen on 10.11.0.200 tls port 443
	tls {
		certificate "/etc/ssl/server-unified.pem"
		key "/etc/ssl/private/server.key"
	}
	root "/htdocs/default"
}

types {
	include "/usr/share/misc/mime.types"
}

My certificate is an intermediate/chain certificate. That means I need to supply the "next level" certificate that is between my certificate and the CA. I made that chain certificate by concatenating PEM format files with the corresponding certs (all certs Signature Algorithm: sha256WithRSAEncryption):

cat server.pem sub.class2.server.ca.pem ca-sha2.pem > /etc/ssl/server-unified.pem

server-unified.pem looks like:

-----BEGIN CERTIFICATE-----
(Primary SSL certificate: server.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate: sub.class2.server.ca.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root certificate: ca-sha2.pem)
-----END CERTIFICATE-----

Certificate and key installed in default locations:

# ls -alh /etc/ssl/private/server.key
-r-------- 1 root wheel 6.2K May 13 19:40 /etc/ssl/private/server.key
# ls -alh /etc/ssl/server.pem
-rw-r--r-- 1 root wheel 3.3K May 13 19:41 /etc/ssl/server.pem
# ls -alh /etc/ssl/server-unified.pem
-rw-r--r-- 1 root wheel 8.0K May 14 13:53 /etc/ssl/server-unified.pem

I try to test using openssl s_client:

michal@michal-MSQ87TN:~$ openssl s_client -connect 10.11.0.200:443
CONNECTED(0003)
GET / HTTP/1.0

httpd log:

# httpd -dvv
startup
server_tls_load_keypair: using certificate /etc/ssl/server-unified.pem
server_tls_load_keypair: using private key /etc/ssl/private/server.key
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_privinit: adding server default
server_privinit: adding server default
socket_rlimit: max open files 1024
server_launch: running server default
server_launch: running server default
server_launch: running server default

there is no "server_tls_init"; nothing appears when the openssl s_client command is started

This smells very much like the same problem that has been mentioned on the list earlier - with a 6KB private key and a 8KB bundle, you're almost certainly hitting the 16K limit for a single imsg. Unfortunately there were missing return value checks which means that this fails silently.

If you can try httpd from -current you will likely see an error instead of a silent failure. Otherwise you can try removing one of the certificates from the bundle in order to reduce the size and see if it then reports "server_tls_init" and starts working.

tested on -current:

# httpd -dv
startup
server_tls_load_keypair: using certificate /etc/ssl/server-unified.pem
server_tls_load_keypair: using private key /etc/ssl/private/server.key
socket_rlimit: max open files 1024
server_privinit: adding server default
server_privinit: adding server default
config_setserver: failed to compose IMSG_CFG_SERVER imsg for `default': Result too large
fatal: send server: Result too large
socket_rlimit: max open files 1024
logger exiting, pid 4965
socket_rlimit: max open files 1024
server exiting, pid 10727
server exiting, pid 32594
server exiting, pid 5337

The above situation occurs both when I have server cert + intermediate + ca and when I have only server cert + intermediate in server-chain.pem. httpd starts only when I supply only my server cert to it.

Is there any solution to run httpd with such a big private key?
Re: OpenBSD 5.7 httpd tls intermediate/chain certificate problem
On 14.05.2015 14:43, Abel Abraham Camarillo Ojeda wrote:
On Thu, May 14, 2015 at 7:35 AM, Michal Lesniewski wrote:

Hello,

I'm trying to configure OpenBSD 5.7 httpd with TLS with an intermediate/chain certificate, without success.

my httpd.conf:

server "default" {
	listen on 10.11.0.200 tls port 443
	tls {
		certificate "/etc/ssl/server-unified.pem"
		key "/etc/ssl/private/server.key"
	}

I think this should be

	tls certificate "/etc/ssl/server-unified.pem"
	tls key "/etc/ssl/private/server.key"

the same situation

	root "/htdocs/default"
}

types {
	include "/usr/share/misc/mime.types"
}

My certificate is an intermediate/chain certificate. That means I need to supply the "next level" certificate that is between my certificate and the CA. I made that chain certificate by concatenating PEM format files with the corresponding certs (all certs Signature Algorithm: sha256WithRSAEncryption):

cat server.pem sub.class2.server.ca.pem ca-sha2.pem > /etc/ssl/server-unified.pem

server-unified.pem looks like:

-----BEGIN CERTIFICATE-----
(Primary SSL certificate: server.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate: sub.class2.server.ca.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root certificate: ca-sha2.pem)
-----END CERTIFICATE-----

Certificate and key installed in default locations:

# ls -alh /etc/ssl/private/server.key
-r-------- 1 root wheel 6.2K May 13 19:40 /etc/ssl/private/server.key
# ls -alh /etc/ssl/server.pem
-rw-r--r-- 1 root wheel 3.3K May 13 19:41 /etc/ssl/server.pem
# ls -alh /etc/ssl/server-unified.pem
-rw-r--r-- 1 root wheel 8.0K May 14 13:53 /etc/ssl/server-unified.pem

I try to test using openssl s_client:

michal@michal-MSQ87TN:~$ openssl s_client -connect 10.11.0.200:443
CONNECTED(0003)
GET / HTTP/1.0

httpd log:

# httpd -dvv
startup
server_tls_load_keypair: using certificate /etc/ssl/server-unified.pem
server_tls_load_keypair: using private key /etc/ssl/private/server.key
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_privinit: adding server default
server_privinit: adding server default
socket_rlimit: max open files 1024
server_launch: running server default
server_launch: running server default
server_launch: running server default

there is no "server_tls_init"; nothing appears when the openssl s_client command is started

^Clogger exiting, pid 20328
server exiting, pid 17109
server exiting, pid 6140
server exiting, pid 16603
parent terminating, pid 11859

I tested combinations with the unified certificate like:

cat server.pem sub.class2.server.ca.pem > /etc/ssl/server-unified.pem
cat ca-sha2.pem sub.class2.server.ca.pem server.pem > /etc/ssl/server-unified.pem
cat sub.class2.server.ca.pem server.pem > /etc/ssl/server-unified.pem

but the situation is always as described above.

When I try to change "tls certificate" in the config file to:

tls certificate "/etc/ssl/server.pem"

where server.pem is the PEM format certificate file from my CA (there is no entire SSL certificate trust chain) and start httpd:

# httpd -dvv
startup
server_tls_load_keypair: using certificate /etc/ssl/server.pem
server_tls_load_keypair: using private key /etc/ssl/private/server.key
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_privinit: adding server default
server_privinit: adding server default
socket_rlimit: max open files 1024
server_launch: running server default
server_launch: running server default
server_tls_init: setting up TLS for default
server_launch: running server default
server_tls_init: setting up TLS for default
server_tls_init: setting up TLS for default
server_launch: running server default
server_launch: running server default
server_launch: running server default
default 10.11.0.100 - - [14/May/2015:14:07:50 +0200] "GET / HTTP/1.0" 200 7
server default, client 1 (1 active), 10.11.0.100:52805 -> 10.11.0.200:443, done
^Clogger exiting, pid 5930
server exiting, pid 19884
server exiting, pid 26372
server exiting, pid 14384
parent terminating, pid 22451

I try to test using openssl s_client like before:

michal@michal-MSQ87TN:~$ openssl s_client -connect 10.11.0.200:443
CONNECTED(0003)
depth=0 C = PL, ST = Mazowieckie, L = Warszawa, O = XXX, CN = XXX, emailAddress = XXX
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = PL, ST = Mazowieckie, L = Warszawa, O = XXX, CN = XXX, emailAddress = XXX
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = PL, ST = Mazowieckie, L = Warszawa, O = XXX, CN = XXX, emailAddress = XXX
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=PL/ST=Mazowieckie/L=Warszawa/O=XXX/CN=XXX/emailAddress=XXX
   i:/C=I
OpenBSD 5.7 httpd tls intermediate/chain certificate problem
Hello, I'm trying to configure OpenBSD 5.7 httpd with TLS and an intermediate/chain certificate, without success.

My httpd.conf:

server "default" {
	listen on 10.11.0.200 tls port 443
	tls {
		certificate "/etc/ssl/server-unified.pem"
		key "/etc/ssl/private/server.key"
	}
	root "/htdocs/default"
}

types {
	include "/usr/share/misc/mime.types"
}

My certificate is an intermediate/chain certificate. That means I need to supply the "next level" certificate that sits between my certificate and the CA. I made that chain certificate by concatenating the PEM format files with the corresponding certs (all certs Signature Algorithm: sha256WithRSAEncryption):

cat server.pem sub.class2.server.ca.pem ca-sha2.pem > /etc/ssl/server-unified.pem

server-unified.pem looks like:

-----BEGIN CERTIFICATE-----
(Primary SSL certificate: server.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate: sub.class2.server.ca.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root certificate: ca-sha2.pem)
-----END CERTIFICATE-----

Certificate and key installed in default locations:

# ls -alh /etc/ssl/private/server.key
-r 1 root wheel 6.2K May 13 19:40 /etc/ssl/private/server.key
# ls -alh /etc/ssl/server.pem
-rw-r--r-- 1 root wheel 3.3K May 13 19:41 /etc/ssl/server.pem
# ls -alh /etc/ssl/server-unified.pem
-rw-r--r-- 1 root wheel 8.0K May 14 13:53 /etc/ssl/server-unified.pem

I try to test using openssl s_client:

michal@michal-MSQ87TN:~$ openssl s_client -connect 10.11.0.200:443
CONNECTED(0003)
GET / HTTP/1.0

httpd log:

# httpd -dvv
startup
server_tls_load_keypair: using certificate /etc/ssl/server-unified.pem
server_tls_load_keypair: using private key /etc/ssl/private/server.key
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_privinit: adding server default
server_privinit: adding server default
socket_rlimit: max open files 1024
server_launch: running server default
server_launch: running server default
server_launch: running server default

There is no "server_tls_init", and nothing appears when the openssl s_client command is started.

^Clogger exiting, pid 20328
server exiting, pid 17109
server exiting, pid 6140
server exiting, pid 16603
parent terminating, pid 11859

I tested combinations for the unified certificate like:

cat server.pem sub.class2.server.ca.pem > /etc/ssl/server-unified.pem
cat ca-sha2.pem sub.class2.server.ca.pem server.pem > /etc/ssl/server-unified.pem
cat sub.class2.server.ca.pem server.pem > /etc/ssl/server-unified.pem

but the situation is always as described above.

When I try to change "tls certificate" in the config file to:

tls certificate "/etc/ssl/server.pem"

where server.pem is the PEM format certificate file from my CA (without the entire SSL certificate trust chain), and start httpd:

# httpd -dvv
startup
server_tls_load_keypair: using certificate /etc/ssl/server.pem
server_tls_load_keypair: using private key /etc/ssl/private/server.key
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_privinit: adding server default
server_privinit: adding server default
socket_rlimit: max open files 1024
server_launch: running server default
server_launch: running server default
server_tls_init: setting up TLS for default
server_launch: running server default
server_tls_init: setting up TLS for default
server_tls_init: setting up TLS for default
server_launch: running server default
server_launch: running server default
server_launch: running server default
default 10.11.0.100 - - [14/May/2015:14:07:50 +0200] "GET / HTTP/1.0" 200 7
server default, client 1 (1 active), 10.11.0.100:52805 -> 10.11.0.200:443, done
^Clogger exiting, pid 5930
server exiting, pid 19884
server exiting, pid 26372
server exiting, pid 14384
parent terminating, pid 22451

I try to test using openssl s_client like before:

michal@michal-MSQ87TN:~$ openssl s_client -connect 10.11.0.200:443
CONNECTED(0003)
depth=0 C = PL, ST = Mazowieckie, L = Warszawa, O = XXX, CN = XXX, emailAddress = XXX
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = PL, ST = Mazowieckie, L = Warszawa, O = XXX, CN = XXX, emailAddress = XXX
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = PL, ST = Mazowieckie, L = Warszawa, O = XXX, CN = XXX, emailAddress = XXX
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=PL/ST=Mazowieckie/L=Warszawa/O=XXX/CN=XXX/emailAddress=XXX
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
(Primary SSL certificate: server.pem)
-----END CERTIFICATE-----
subject=/C=PL/ST=Mazowieckie/L=Warsza
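A way to sanity-check a concatenated PEM bundle before pointing httpd.conf at it, as an added example that is not part of the original post: it builds a constructed three-level chain with the openssl command line (all names, Example Root/Intermediate/Leaf and server.key, are made up), concatenates it in the order used above (server cert, then intermediate, then root) and checks that each cert is issued by the one after it, that the private key matches the first cert and that the leaf verifies with the last cert as trust anchor. The same check is run on a root-first bundle to show it being rejected.

```shell
#!/bin/sh
# Added example, not code from the original post: build a constructed
# three-level chain and check a concatenated PEM bundle the way httpd
# expects it (server certificate first). All names here are made up.

# make_demo_chain DIR: write root.pem, int.pem, server.pem and server.key
# into DIR, then two bundles: server-unified.pem (leaf, intermediate, root,
# the order used in the post) and wrong-order.pem (root first).
make_demo_chain() {
    dir=$1
    mkdir -p "$dir" || return 1
    printf 'basicConstraints=CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=IP:10.11.0.200\n' > "$dir/leaf.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Example Root' \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate' \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null || return 1
    openssl x509 -req -days 2 -in "$dir/int.csr" -CA "$dir/root.pem" \
        -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/ca.ext" \
        -out "$dir/int.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Example Leaf' \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    openssl x509 -req -days 2 -in "$dir/server.csr" -CA "$dir/int.pem" \
        -CAkey "$dir/int.key" -CAcreateserial -extfile "$dir/leaf.ext" \
        -out "$dir/server.pem" 2>/dev/null || return 1
    cat "$dir/server.pem" "$dir/int.pem" "$dir/root.pem" > "$dir/server-unified.pem"
    cat "$dir/root.pem" "$dir/int.pem" "$dir/server.pem" > "$dir/wrong-order.pem"
}

# check_bundle BUNDLE KEY: return 0 only if the bundle is ordered leaf first,
# each certificate is issued by the one that follows it, KEY matches the
# first certificate, and the leaf verifies with the last certificate as the
# trust anchor. The reason for a failure is printed.
check_bundle() {
    bundle=$1
    key=$2
    tmp=$(mktemp -d) || return 1
    # Split the bundle into cert-1.pem, cert-2.pem, ... in file order.
    awk -v p="$tmp/cert-" '/-----BEGIN CERTIFICATE-----/ { n++ } { print > (p n ".pem") }' "$bundle"
    if [ ! -f "$tmp/cert-1.pem" ]; then
        echo "$bundle: no certificates found"; rm -rf "$tmp"; return 1
    fi
    # The key must belong to the first certificate (the server certificate).
    cm=$(openssl x509 -noout -modulus -in "$tmp/cert-1.pem")
    km=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    if [ "$cm" != "$km" ]; then
        echo "$bundle: private key does not match the first certificate"
        rm -rf "$tmp"; return 1
    fi
    # Walk the chain: the issuer of cert i must equal the subject of cert i+1.
    i=1
    while [ -f "$tmp/cert-$((i + 1)).pem" ]; do
        iss=$(openssl x509 -noout -issuer -in "$tmp/cert-$i.pem" | sed 's/^issuer=//')
        sub=$(openssl x509 -noout -subject -in "$tmp/cert-$((i + 1)).pem" | sed 's/^subject=//')
        if [ "$iss" != "$sub" ]; then
            echo "$bundle: certificate $i is not issued by certificate $((i + 1))"
            rm -rf "$tmp"; return 1
        fi
        i=$((i + 1))
    done
    # Full path validation of the leaf: last certificate as trust anchor,
    # the bundle itself supplies the untrusted intermediates.
    if ! openssl verify -CAfile "$tmp/cert-$i.pem" -untrusted "$bundle" \
            "$tmp/cert-1.pem" >/dev/null 2>&1; then
        echo "$bundle: leaf does not verify against the last certificate"
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
    return 0
}

# Constructed demo run: the post's order passes, the root-first bundle fails.
demo=$(mktemp -d)
make_demo_chain "$demo"
check_bundle "$demo/server-unified.pem" "$demo/server.key" && echo "server-unified.pem: OK"
check_bundle "$demo/wrong-order.pem" "$demo/server.key" || echo "wrong-order.pem: rejected"
rm -rf "$demo"
```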
Huawei E3272 USB 4G LTE modem (no HiLink)
quot;ATI SB700 ISA" rev 0x00 ppb2 at pci0 dev 20 function 4 "ATI SB600 PCI" rev 0x00 pci3 at ppb2 bus 3 pchb1 at pci0 dev 24 function 0 "AMD AMD64 11h HyperTransport" rev 0x40 pchb2 at pci0 dev 24 function 1 "AMD AMD64 11h Address Map" rev 0x00 pchb3 at pci0 dev 24 function 2 "AMD AMD64 11h DRAM Cfg" rev 0x00 km0 at pci0 dev 24 function 3 "AMD AMD64 11h Misc Cfg" rev 0x00 pchb4 at pci0 dev 24 function 4 "AMD AMD64 11h Link Cfg" rev 0x00 usb2 at ohci0: USB revision 1.0 uhub2 at usb2 "ATI OHCI root hub" rev 1.00/1.00 addr 1 usb3 at ohci1: USB revision 1.0 uhub3 at usb3 "ATI OHCI root hub" rev 1.00/1.00 addr 1 usb4 at ohci2: USB revision 1.0 uhub4 at usb4 "ATI OHCI root hub" rev 1.00/1.00 addr 1 usb5 at ohci3: USB revision 1.0 uhub5 at usb5 "ATI OHCI root hub" rev 1.00/1.00 addr 1 isa0 at pcib0 isadma0 at isa0 com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard pcppi0 at isa0 port 0x61 spkr0 at pcppi0 vscsi0 at root scsibus0 at vscsi0: 256 targets softraid0 at root scsibus1 at softraid0: 256 targets root on wd0a (bb547cb10c3cf0e4.a) swap on wd0b dump on wd0b drm: initializing kernel modesetting (RS780 0x1002:0x9610 0x103C:0x1721). radeondrm0: VRAM: 256M 0xC000 - 0xCFFF (256M used) radeondrm0: GTT: 512M 0xA000 - 0xBFFF drm: PCIE GART of 512M enabled (table at 0xC004). 
No connectors reported connected with modes Cannot find any crtc or sizes - going 1024x768 radeondrm0: 1024x768 wsdisplay0 at radeondrm0 mux 1: console (std, vt100 emulation), using wskbd0 wsdisplay0: screen 1-5 added (std, vt100 emulation) modem connected: umsm0 at uhub0 port 6 configuration 1 interface 0 "HUAWEI Technology HUAWEI Mobile" rev 2.00/1.02 addr 2 umsm0 detached urndis0 at uhub0 port 6 configuration 1 interface 0 "HUAWEI Technology HUAWEI Mobile" rev 2.00/1.02 addr 2 urndis0: using Vendorurndis0: ctrl message error: wrong size 3736059565 > 1024 urndis0: unable to get query response : unable to get hardware address urndis1 at uhub0 port 6 configuration 1 interface 2 "HUAWEI Technology HUAWEI Mobile" rev 2.00/1.02 addr 2 urndis1: using Vendorurndis1: ctrl message error: wrong size 3736059565 > 1024 urndis1: unable to get query response : unable to get hardware address umass0 at uhub0 port 6 configuration 1 interface 4 "HUAWEI Technology HUAWEI Mobile" rev 2.00/1.02 addr 2 umass0: using SCSI over Bulk-Only scsibus2 at umass0: 2 targets, initiator 0 sd0 at scsibus2 targ 1 lun 0: SCSI2 0/direct removable urndis2 at uhub0 port 6 configuration 1 interface 5 "HUAWEI Technology HUAWEI Mobile" rev 2.00/1.02 addr 2 urndis2: no data interface modem disconnected: urndis0 detached urndis1 detached sd0 detached scsibus2 detached umass0 detached urndis2 detached usbdevs: # usbdevs -dv Controller /dev/usb0: addr 1: high speed, self powered, config 1, EHCI root hub(0x), ATI(0x1002), rev 1.00 uhub0 port 1 powered port 2 powered port 3 powered port 4 powered port 5 powered port 6 addr 2: high speed, power 500 mA, config 1, HUAWEI Mobile(0x1c1e), HUAWEI Technology(0x12d1), rev 1.02 urndis0 urndis1 umass0 urndis2 Controller /dev/usb1: addr 1: high speed, self powered, config 1, EHCI root hub(0x), ATI(0x1002), rev 1.00 uhub1 port 1 powered port 2 powered port 3 powered port 4 powered port 5 powered port 6 powered Controller /dev/usb2: addr 1: full speed, self powered, config 
1, OHCI root hub(0x), ATI(0x1002), rev 1.00 uhub2 port 1 powered port 2 powered port 3 powered Controller /dev/usb3: addr 1: full speed, self powered, config 1, OHCI root hub(0x), ATI(0x1002), rev 1.00 uhub3 port 1 powered port 2 powered port 3 powered Controller /dev/usb4: addr 1: full speed, self powered, config 1, OHCI root hub(0x), ATI(0x1002), rev 1.00 uhub4 port 1 powered port 2 powered port 3 powered Controller /dev/usb5: addr 1: full speed, self powered, config 1, OHCI root hub(0x), ATI(0x1002), rev 1.00 uhub5 port 1 powered port 2 powered port 3 powered Best Regards, Michal
Scrolling the terminal is slow on -current
channel 1 ignored (disabled) usb1 at uhci0: USB revision 1.0 uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1 usb2 at uhci1: USB revision 1.0 uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1 usb3 at uhci2: USB revision 1.0 uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1 usb4 at uhci3: USB revision 1.0 uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1 isa0 at ichpcib0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 pms0 at pckbc0 (aux slot) pckbc0: using irq 12 for aux slot wsmouse0 at pms0 mux 0 wsmouse1 at pms0 mux 0 pms0: Synaptics touchpad, firmware 6.2 pcppi0 at isa0 port 0x61 spkr0 at pcppi0 npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16 mtrr: Pentium Pro MTRR support uhidev0 at uhub1 port 1 configuration 1 interface 0 "vendor 0x04fc USB Multi-Smart Mouse" rev 2.00/16.11 addr 2 uhidev0: iclass 3/1, 3 report ids ums0 at uhidev0 reportid 1: 5 buttons, Z dir wsmouse2 at ums0 mux 0 uhid0 at uhidev0 reportid 3: input=2, output=0, feature=0 vscsi0 at root scsibus1 at vscsi0: 256 targets softraid0 at root scsibus2 at softraid0: 256 targets root on wd0a (a1b91d15922da01d.a) swap on wd0b dump on wd0b -- Michal Mazurek
Installing OpenBSD on a TS-412 Turbo NAS
Has anybody successfully installed OpenBSD on a QNAP TS-412 Turbo NAS? I'm looking for a NAS that I can keep in my room, and would like to run OpenBSD. -- Michal Mazurek
Re: alix2d2 LM86, no hw.sensors
On Sun, Feb 19, 2012 at 01:12:13PM +0100, Mike Belopuhov wrote: > and i forgot to mention that kernel config has to be patched too. > thanks to shadchin@ for reminding. It didn't work, here is the dmesg: [15:19:ttyp0][root@T3:~:5]$ sysctl hw hw.machine=i386 hw.model=Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) hw.ncpu=1 hw.byteorder=1234 hw.pagesize=4096 hw.disknames=wd0:c8fc559b0e991404 hw.diskcount=1 hw.cpuspeed=499 hw.physmem=267976704 hw.usermem=267964416 hw.ncpufound=1 hw.allowpowerdown=1 OpenBSD 5.0 (GENERIC.MP) #0: Mon Feb 20 09:41:29 CET 2012 r...@t3.nmi:/usr/src/sys/arch/i386/compile/GENERIC.MP cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 499 MHz cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX real mem = 267976704 (255MB) avail mem = 253517824 (241MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 11/05/08, BIOS32 rev. 0 @ 0xfd088 pcibios0 at bios0: rev 2.1 @ 0xf/0x1 pcibios0: pcibios_get_intr_routing - function not supported pcibios0: PCI IRQ Routing information unavailable. pcibios0: PCI bus #0 is the last bus bios0: ROM list: 0xe/0xa800 cpu0 at mainbus0: (uniprocessor) pci0 at mainbus0 bus 0: configuration mode 1 (bios) pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33 glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES vr0 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 10, address 00:0d:b9:25:8f:ec ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034 vr1 at pci0 dev 11 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 15, address 00:0d:b9:25:8f:ed ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 
3: OUI 0x004063, model 0x0034 glxpcib0 at pci0 dev 15 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 32-bit 3579545Hz timer, watchdog, gpio, i2c freq=0x7f gpio0 at glxpcib0: 32 pins iic0 at glxpcib0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 glxpcib0: negative ack, flags=0 pciide0 at pci0 dev 15 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility wd0 at pciide0 channel 0 drive 0: wd0: 1-sector PIO, LBA48, 3815MB, 7813120 sectors wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2 pciide0: channel 1 ignored (disabled) ohci0 at pci0 dev 15 function 4 "AMD CS5536 USB" rev 0x02: irq 12, version 1.0, legacy support ehci0 at pci0 dev 15 function 5 "AMD CS5536 USB" rev 0x02: irq 12 usb0 at ehci0: USB revision 2.0 uhub0 at usb0 "AMD EHCI root hub" rev 2.00/1.00 addr 1 isa0 at glxpcib0 isadma0 at 
isa0 com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo com0: console com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo pcppi0 at isa0 port 0x61 spkr0 at pcppi0 npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16 usb1 at ohci0: USB revision 1.0 uhub1 at usb1 "AMD OHCI root hub" rev 1.00/1.00 addr 1 mtrr: K6-family MTRR support (2 registers) nvram: invalid checksum vscsi0 at root scsibus0 at vscsi0: 256 targets softraid0 at root scsibus1 at softraid0: 256 targets root on wd0a (c8fc559b0e991404.a) swap on wd0b dump on wd0b clock: unknown CMOS layout -- Michal Mazurek
alix2d2 LM86, no hw.sensors
I have an alix2d2 running OpenBSD 5.0. There are no hw.sensors. The producer says there is an LM86 on board, which is supported by the maxtmp driver. It appears the driver is present in generic. I tried starting sensorsd but got: daemon:Feb 17 13:12:04 T1 sensorsd[10445]: startup, system has 0 sensors How can I read the temperature of my alix2d2 running OpenBSD 5.0? [15:59:ttyp1][root@T3:~:1]$ sysctl hw hw.machine=i386 hw.model=Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) hw.ncpu=1 hw.byteorder=1234 hw.pagesize=4096 hw.disknames=wd0:c8fc559b0e991404 hw.diskcount=1 hw.cpuspeed=499 hw.physmem=267976704 hw.usermem=267964416 hw.ncpufound=1 hw.allowpowerdown=1 [15:59:ttyp1][root@T3:~:2]$ uname -a OpenBSD T3.nmi 5.0 GENERIC.MP#59 i386 dmesg: OpenBSD 5.0 (GENERIC.MP) #59: Wed Aug 17 10:19:44 MDT 2011 dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 499 MHz cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX real mem = 267976704 (255MB) avail mem = 253521920 (241MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 11/05/08, BIOS32 rev. 0 @ 0xfd088 pcibios0 at bios0: rev 2.1 @ 0xf/0x1 pcibios0: pcibios_get_intr_routing - function not supported pcibios0: PCI IRQ Routing information unavailable. pcibios0: PCI bus #0 is the last bus bios0: ROM list: 0xe/0xa800 cpu0 at mainbus0: (uniprocessor) pci0 at mainbus0 bus 0: configuration mode 1 (bios) pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33 glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES vr0 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 10, address 00:0d:b9:25:8f:ec ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034 vr1 at pci0 dev 11 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 15, address 00:0d:b9:25:8f:ed ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 
3: OUI 0x004063, model 0x0034 glxpcib0 at pci0 dev 15 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 32-bit 3579545Hz timer, watchdog, gpio gpio0 at glxpcib0: 32 pins pciide0 at pci0 dev 15 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility wd0 at pciide0 channel 0 drive 0: wd0: 1-sector PIO, LBA48, 3815MB, 7813120 sectors wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2 pciide0: channel 1 ignored (disabled) ohci0 at pci0 dev 15 function 4 "AMD CS5536 USB" rev 0x02: irq 12, version 1.0, legacy support ehci0 at pci0 dev 15 function 5 "AMD CS5536 USB" rev 0x02: irq 12 usb0 at ehci0: USB revision 2.0 uhub0 at usb0 "AMD EHCI root hub" rev 2.00/1.00 addr 1 isa0 at glxpcib0 isadma0 at isa0 com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo com0: console com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo pcppi0 at isa0 port 0x61 spkr0 at pcppi0 npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16 usb1 at ohci0: USB revision 1.0 uhub1 at usb1 "AMD OHCI root hub" rev 1.00/1.00 addr 1 mtrr: K6-family MTRR support (2 registers) nvram: invalid checksum vscsi0 at root scsibus0 at vscsi0: 256 targets softraid0 at root scsibus1 at softraid0: 256 targets root on wd0a (c8fc559b0e991404.a) swap on wd0b dump on wd0b -- Michal Mazurek
Re: man page sources?
On Sun, Oct 23, 2011 at 02:14:02PM +0200, Ingo Schwarze wrote:
> I committed build system changes to install source manuals
> and no longer install formatted manuals from 5.0 onwards.

This is nice, now I can do something like this in /etc/man.conf:

< _build.[1-9n] /usr/bin/mandoc %s
> _build.[1-9n] /usr/bin/mandoc -Owidth=`stty size | awk '{print $2 - 2}'` %s

to have the manpage fit my display. Especially useful if I have a split screen in a tiling window manager, and the terminals are smaller than 80 columns. -- Michal Mazurek
Re: Absurdly high temperature reading - system shutdown
It was pointed out to me to attach acpidump and dmesg. Kernel is custom built to include bce. -- Michal Mazurek RSD PTR: Checksum=172, OEMID=HP, RsdtAddress=0x1f7efc84 RSDT: Length=48, Revision=1, Checksum=85, OEMID=HP, OEM Table ID=099C, OEM Revision=0x21110520, Creator ID=HP, Creator Revision=0x1 Entries={ 0x1f7efc00, 0x1f7efcb4, 0x1f7efd10 } DSDT=0x1f7efd4c INT_MODEL=PIC SCI_INT=9 SMI_CMD=0xb2, ACPI_ENABLE=0xf1, ACPI_DISABLE=0xf0, S4BIOS_REQ=0xf2 PM1a_EVT_BLK=0x1000-0x1003 PM1a_CNT_BLK=0x1004-0x1005 PM2_CNT_BLK=0x1020-0x1020 PM2_TMR_BLK=0x1008-0x100b PM2_GPE0_BLK=0x1028-0x102f P_LVL2_LAT=2ms, P_LVL3_LAT=38ms FLUSH_SIZE=0, FLUSH_STRIDE=0 DUTY_OFFSET=1, DUTY_WIDTH=3 DAY_ALRM=13, MON_ALRM=0, CENTURY=50 Flags={WBINVD,PROC_C1,SLP_BUTTON,RTC_S4} DSDT: Length=32088, Revision=1, Checksum=211, OEMID=HP, OEM Table ID=DAU00, OEM Revision=0x1, Creator ID=MSFT, Creator Revision=0x10e APIC: Length=90, Revision=1, Checksum=66, OEMID=HP, OEM Table ID=099C, OEM Revision=0x1, Creator ID=HP, Creator Revision=0x1 MCFG: Length=60, Revision=1, Checksum=112, OEMID=HP, OEM Table ID=099C, OEM Revision=0x1, Creator ID=HP, Creator Revision=0x1 OpenBSD 4.9-stable (HOPEK) #0: Sun May 1 19:13:58 CEST 2011 r...@hopek.jasminek.net:/usr/src/sys/arch/i386/compile/HOPEK cpu0: Intel(R) Celeron(R) M processor 1.40GHz ("GenuineIntel" 686-class) 1.40 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,SBF real mem = 527855616 (503MB) avail mem = 509075456 (485MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 11/21/05, BIOS32 rev. 0 @ 0xf, SMBIOS rev. 
2.3 @ 0xfc68f (23 entries) bios0: vendor Hewlett-Packard version "68DTD Ver. F.0C" date 11/21/2005 bios0: Hewlett-Packard HP Compaq nx6110 (PY536ES#AKD) acpi0 at bios0: rev 0 acpi0: sleep states S0 S3 S4 S5 acpi0: tables DSDT FACP APIC MCFG acpi0: wakeup devices C068(S5) C0BB(S3) C0C2(S3) C0C3(S3) C0C4(S3) C0C5(S3) C0CC(S5) C1CD(S5) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimadt0 at acpi0 addr 0xfec01000: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: apic clock running at 99MHz ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins ioapic0: misconfigured as apic 0, remapped to apid 1 acpimcfg0 at acpi0 addr 0xe000, bus 0-255 acpiprt0 at acpi0: bus 2 (C068) acpiprt1 at acpi0: bus 0 (C002) acpiec0 at acpi0 acpicpu0 at acpi0: C3, C2, C1 acpipwrres0 at acpi0: C1A6 acpipwrres1 at acpi0: C1AE acpipwrres2 at acpi0: C1B5 acpipwrres3 at acpi0: C1C5 acpipwrres4 at acpi0: C244 acpipwrres5 at acpi0: C245 acpipwrres6 at acpi0: C246 acpipwrres7 at acpi0: C247 acpitz0 at acpi0: critical temperature 102 degC acpitz1 at acpi0: critical temperature 103 degC acpitz2 at acpi0: critical temperature 102 degC acpitz3 at acpi0: critical temperature 110 degC acpibat0 at acpi0: C174 model "Primary" serial 03121 2005/12/21 type LIon oem "Hewlett-Packard" acpibat1 at acpi0: C173 not present acpiac0 at acpi0: AC unit online acpibtn0 at acpi0: C1E8 acpibtn1 at acpi0: C1E9 acpivideo0 at acpi0: C055 acpivout0 at acpivideo0: C103 acpivout1 at acpivideo0: C104 acpivout2 at acpivideo0: C105 acpivout3 at acpivideo0: C106 bios0: ROM list: 0xc/0x1! 
pci0 at mainbus0 bus 0: configuration mode 1 (bios) pchb0 at pci0 dev 0 function 0 "Intel 82915GM Host" rev 0x03 vga1 at pci0 dev 2 function 0 "Intel 82915GM Video" rev 0x03 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) intagp0 at vga1 agp0 at intagp0: aperture at 0xc000, size 0x1000 inteldrm0 at vga1: apic 1 int 16 (irq 11) drm0 at inteldrm0 "Intel 82915GM Video" rev 0x03 at pci0 dev 2 function 1 not configured uhci0 at pci0 dev 29 function 0 "Intel 82801FB USB" rev 0x03: apic 1 int 23 (irq 11) uhci1 at pci0 dev 29 function 1 "Intel 82801FB USB" rev 0x03: apic 1 int 17 (irq 10) uhci2 at pci0 dev 29 function 2 "Intel 82801FB USB" rev 0x03: apic 1 int 18 (irq 10) uhci3 at pci0 dev 29 function 3 "Intel 82801FB USB" rev 0x03: apic 1 int 19 (irq 10) ehci0 at pci0 dev 29 function 7 "Intel 82801FB USB" rev 0x03: apic 1 int 23 (irq 11) usb0 at ehci0: USB revision 2.0 uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1 ppb0 at pci0 dev 30 function 0 "Intel 82801BAM Hub-to-PCI" rev 0xd3 pci1 at ppb0 bus
Absurdly high temperature reading - system shutdown
After moving my old laptop around I got home, booted it and got a very distressing message: messages.2.gz:Jun 14 22:40:09 hopek /bsd: acpitz2: Critical temperature 4938C (52112K), shutting down Perhaps some dust moved around, or a cable disconnected. Unfortunately, the system shut down before it booted. I booted bsd.rd, read some manpages and booted with -c 'disable acpitz' - everything worked fine. I attach a diff to only shutdown if the temperature is below 2000C. If it's above then it's too late to shut down anyway :) BTW, for no apparent reason my laptop started working fine again. Index: acpitz.c === RCS file: /cvs/src/sys/dev/acpi/acpitz.c,v retrieving revision 1.43 diff -u -r1.43 acpitz.c --- acpitz.c15 Jun 2011 00:15:54 - 1.43 +++ acpitz.c16 Jun 2011 15:09:14 - @@ -326,11 +326,17 @@ } /* critical trip points */ if (sc->sc_crt != -1 && sc->sc_crt <= sc->sc_tmp) { - /* do critical shutdown */ - printf("%s: critical temperature exceeded %dC (%dK), shutting " - "down\n", - DEVNAME(sc), KTOC(sc->sc_tmp), sc->sc_tmp); - psignal(initproc, SIGUSR2); + if (KTOC(sc->sc_tmp) > 2000) { + printf("%s: absurdly high temperature %dC (%dK), " + "doing nothing\n", + DEVNAME(sc), KTOC(sc->sc_tmp), sc->sc_tmp); + } else { + /* do critical shutdown */ + printf("%s: critical temperature exceeded %dC (%dK), " + "shutting down\n", + DEVNAME(sc), KTOC(sc->sc_tmp), sc->sc_tmp); + psignal(initproc, SIGUSR2); + } } if (sc->sc_hot != -1 && sc->sc_hot <= sc->sc_tmp) { printf("%s: _HOT temperature\n", DEVNAME(sc)); -- Michal Mazurek
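Review bot: the new "absurdly high temperature" branch only skips the shutdown; control still falls through to the `sc->sc_hot` check right below it, which fires on the same bogus reading and prints "_HOT temperature", so the plausibility check belongs where `sc->sc_tmp` is read (marking the reading invalid for every consumer) rather than only in front of the critical trip point. The 2000 is a bare magic number; give it a named constant with a one-line rationale, and note that the printf in the new branch will repeat on every poll while the sensor stays broken, so log it once or rate-limit it.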
Re: CARP and routing
On 25/11/10 13:20, Robert Hoffmann wrote: On Thu, 25 Nov 2010 13:22:13 +0100 Toni Mueller wrote: Internet --- host1 host2 Because your setup should rather look like this? Internet --- switch --- host1 --- switch --- LAN + --- host2 + regards, Robert This is what I was trying to get at...the way you draw your diagram, I can't understand what your trying to do with carp if you have internet -- host1 -- host2
Re: CARP and routing
On 25/11/10 12:22, Toni Mueller wrote: Hi, I discover that CARP and routing don't always mix well: Internet --- host1 host2 If host1 and host2 have a CARP interface with the same IP, then packets destined for that IP don't ever reach host2, even if the interface on host1 is in BACKUP state. Kind regards, --Toni++ Wait, do you mean; Host1 Internet --- | Host 2
Re: OT: Disadvantages of using virtual firewalls like OpenBSd
On 23/11/10 13:56, Bahador NazariFard wrote: OK, you are right. But you know in this case your security level is not higher than the virtual machine, because your security level in a complex chained system is not higher than the weakest point. In fact you are accepting the risk of using a virtual machine. I think in this case if your virtual machine system is not stronger than OpenBSD you should not use it. If one can exploit the virtual machine he/she can hurt your platform. I think virtual systems are very very useful but they are not very good for a security box. I think the virtual machine is one of your assets that you should be able to protect, because it may have many guests and provide several services for your clients. For example in this scenario you cannot protect your network, or even your firewall box, against a DoS or DDoS attack, because your virtual machine has to get a lot of packets before your firewall.

This is a good post. I have ESXi servers and they work well, but you'd have a hardware firewall sitting at the front of the network, unless you want to do firewall testing etc. If you can afford to get some ESXi servers, I'm sure you can pay the little bit extra to get an OpenBSD firewall on the go, even two for that matter
Re: HP Proliant NEO N36L
Storage Controller Embedded SATA Controller with Embedded RAID (0, 1) This concerns me. Generally with RAID, it's either a known, branded raid controller that can easily be replaced, or software raid. Anything in the middle like raid on desktop motherboards I avoid for servers
Re: Building a Practical Penetration Test Lab
I can confirm that OpenBSD doesn't always work as a virtual machine. So I would focus on using OpenBSD as the host and using some other OS as a client in QEMU. If you insist (and I don't know about the latest version), then VMware is likely much more reliable than VirtualBox but still more problematic than a true install. There is a blog on the VirtualBox site by Theo stating he can't believe any OS allows the problems VirtualBox introduces(d). This post by Theo was made because developers had wasted their time fixing bugs that were caused by VirtualBox. If anyone does have problems under emulation, make sure you can reproduce it natively before reporting.

I have several OpenBSD boxes running with no problems on some ESXi servers
Re: suggestion for a new/additional OpenBSD release media option
For me, the ability to boot off the install media is not a requirement. I do all my installs via pxeboot. If there were enough room on the DVD, you could also provide the CDROM ISOs. If a user REALLY needed bootable media, they could burn the ISOs to CDROMs, and do that. Again, these are only suggestions. You understand your user/customer base infinitely better than I do. Obviously it is your decision what "products" you choose to offer.

You can have CDs with multiple types of OS and you have a choice screen. MS MSDN CDs often have different versions; server OS CDs have web, standard and enterprise and you just get a choice screen. But again, it's all time and effort at the end of the day
Re: availability of Building Firewalls with OpenBSD and PF, 3rd ed.
The books outlined below are not the same book the OP was asking about...

On 21/10/10 13:11, open...@e-solutions.re wrote: I also bought this one this morning ;-) And have it on PDF also !! Thanks to NOSTARCH!

On Thu, 21 Oct 2010 12:03:41 +0100, wrote: Having heard a stream of fraud stories from disgruntled devguide.net "customers", this morning I bought a copy of "Book of PF, 2nd Edition" which has been updated for 4.8 http://www.nostarch.com/pf2.htm and within seconds of entering my credit card I had a PDF on my computer. Can't argue with that. Alastair
Re: ZFS and Storage Systems
It would be even better to simply ask them what exact Supermicro hardware (specifically, model numbers) they're using to build these systems. You can see Supermicro mentioned in the of their site, so that's definitely what they're using, even down to the controller card offerings (some of which (Marvell) are known to behave oddly on FreeBSD (yes there are success stories, but there are also follow-up horror stories) -- consider yourself warned).

I think the best option is to just build it yourself using similar components, which I have looked at before. My ideal is to build a system where you can extend the storage easily by adding another box instead of either replacing the HDDs with bigger HDDs or having multiple targets for the data. One target whose storage can be expanded by simply adding another box. However, that is harder in practice to work out
Re: Why renice not work in OpenBSD?
Dmitry-T> Is in OpenBSD lacks developers?

That might as well be the last message you post here. Any little help you would get, you've just offended them.

Reading his e-mails, I don't think he is trying to be offensive; I think his English is just poor
Re: OpenBSD on DELL R310
Well, it optionally comes with one of five (or so) different RAID controllers, so if it is possible to check which - if any - it has it would be great. Thanks, -- Bjvrn Sandell You can look those up and check in the archives or on compatibility lists. I think the main ones they use are PERC
Re: project : openbsd as nas
On 30/08/10 13:03, Jean-Francois wrote: Hello, I was thinking about how to help the openbsd project, and since I am not able to help in programming, I'm thinking about starting something around openbsd such as a layer making it an easy enough to manage home NAS server of good quality. I do not yet have the whole picture of how to do it, but maybe a project that will take quite some time and whose goal is to transform a standard install into a ready to run NAS server with few efforts. I don't know yet what it will be like; probably it needs to be a package or something else, I need to study it in more detail. I hope that you will receive this idea well and maybe, if you wish, support it if needed. I will then open something on my own wiki to prepare and work on the complete project, describe it in detail and start to implement things. Again thanks for the quality of that OS and its documentation, which makes it very interesting to work on. Regards JF

Are you trying to make a pure OBSD version of projects like Openfiler and FreeNAS? If you don't know about those, check them out, as contributing to those may be more worthwhile than starting a new project
Re: another slow connection on openbsd 3.4
I think I can say without fear of contradiction, interest in 3.4 problems can only be measured by instruments sensitive enough to measure pixie dust. Brandished by those rare birds, OpenBSD Software Archeologists. Seriously dude, you need to upgrade if you want OpenBSD help/suggestions!! Ken

I do agree with you of course, but let's not tell someone to "just upgrade"; he will need some changes in his PF before it works. Hendo, make sure you have a really good read of the upgrade sections, as there are small sections of your PF code that won't work and will error. If you can cope with your machine plugged directly into the line while you upgrade, then you should have very few problems; any problems have probably been asked before, so have a search around :)
Re: OpenBSD Training
On 28/07/10 14:49, Robert wrote: On Wed, 28 Jul 2010 05:50:19 -0600 Chris Bennett wrote: My advice is to set up a server with some websites (doesn't matter if they are "real" or bogus) and learn to deal with the problems that pop up. Be sure to get an ISP with remote IP-KVM so you can fix any mistakes that lock you out.

I think it's too risky for a newcomer to go straight for a real server. Get a dual/quad core machine with 8GB (used ones are pretty cheap) and install the free ("no licence cost") VMware ESXi server. Use this to host a whole network (dns, file server, email, etc.). Put another low cost machine with 2 NICs in front of it; this will be your firewall. Now you can simulate locally the daily business, e.g. remote administration, remote upgrades, road warrior setups etc. But you don't have the risk that someone roots your box because you made a mistake. Instead you can (should!) try to attack it ;) When you're very confident in working with your network, yes, then you need to go out on The Hostile Internet to learn more. regards, Robert

Except that ESXi is free but the management isn't...you need vSphere to manage the thing. This seems like a very expensive way to learn an OS...you can install a free virtual piece of software on your computer, VirtualBox, VMware Server etc., and get going, or even get some very cheap PCs off eBay. And to be honest I wouldn't worry about a cert that much, just get some real experience under your belt. Certs help but they are not the be all and end all that some people like to make out
Re: Multiple VLANs in the same subnet on different Routing Domains
I've had no luck Googling this issue so thought I'd ask the experts. Ok, we have 4 firewalls providing internet connectivity whose internal interfaces are on a single shared subnet, although the IPs are different. Outbound traffic from the various hosts on this subnet is distributed across the firewalls by setting the firewalls' internal IPs as the various different GW addresses, i.e. hosts A/B/C/D use FW1 as their GW, hosts E/F/G/H use FW2 as their gateway etc. Ok so my problem is this. We have a single monitoring host that needs to send outbound traffic (ICMP) via the 4 different firewalls to the _SAME_ remote address, e.g. send ICMP to www.apple.com via FW1, then send ICMP via FW2 to www.apple.com, FW3 etc.

Agreeing with the other two, do you really need to set up your network in that way?
Re: Segmentation Faults shortly after install, somehow random
Again I got a Segmentation Fault, this time from sshd and ssh. Now I used gdb, and it was telling me about some problem with libcrypto.so.18.0; my bad, I did not keep this file, I directly overwrote it with the lib from my backup, which I needed to create the softraid. After this sshd and ssh were working normally again. I checked my disks and my ram, they are fine.

How did you check them? Hopefully not by using SMART. Did you try swapping drive cables for new ones? I have had MANY drive problems that were from bad cables

I used smartctl from the linux side (because I'm still more familiar with it), and I used atactl. For the ram I used memtest86, overnight, without any errors. Because the other OS is working fine, I did not consider the cables, but I'll give it a try. How should I check the hard disks?

I've seen memtest come back with no errors but there's still been a problem with the ram. Memtest isn't 100% correct 100% of the time. If the other OS works fine, it's probably not a hardware issue. While it's not bad to look, it seems unlikely
Re: network access controller like medusa ?
On 15/07/10 13:35, Leonardo Lombardo wrote: Hi all, do you know if there is any project/package/something that runs on openbsd similar to this http://www.medusabusiness.com/overview.html ? I'm interested even in abandoned or incomplete projects. Thanks for any advice ! Leonardo I have no time or energy to trawl a website for you, so if you can say what you want, we can give you a straight answer. "I have X, can I do Y" is better than saying "Work out this sum then tell me if I can do the answer"
Re: Mac mini G4
On 01/07/2010 14:15, Fred Snurd wrote: "fu...@safe-mail.net" wrote: I have one question: Is there any way to put the mini in "server" mode (make it boot automatically after Power Loss)? While asking about server mode, is it also possible to run a PPC mini headless? Thanks. Yes there is a hack using a VGA connector and a resistor...if it's what I'm thinking about
Re: Origin 350
>> On Wed, May 19, 2010 at 08:09:00AM -0500, Matt Bettinger wrote: >>> That is unfortunate. I emailed theo if they could use some origin 350s >>> but got no response. They have been recycled yesterday. I do have sgi >>> memory etc if needed. >>> I don't want to sound like I'm digging at you...but that was a bit stupid to not contact someone else or even cause a bit of noise on this list. Remember it for next time :)
Re: nested vlans: safe to use?
On 11/05/2010 12:45, Toni Mueller wrote: > Hi, > > I've been trying to figure out whether I can use OpenBSD in a nested > vlan scenario. I'm looking at a data centre where I want to get two > wires, each carrying several vlans, and funneling them home across a > WAN link. Various switch vendors claim to be able to do it, but I > couldn't really figure out what the current state of affairs wrt. > OpenBSD is. On the other side of the wires or fibres, I'll be talking > to Junipers, Ciscos (6509), and/or Foundry switches and/or routers on > the other side(s). > > The desired setup looks like this: > > data centre LAN --- switch --- WAN --- home (OpenBSD) > > I want to run at least three vlans across the WAN link, and need to > keep the vlans strictly separated. I also need to do traffic shaping on > a per-vlan basis. :/ First of all, how will you connect from home to the data centre? Normal household broadband? Can't do VLANs over that. If you have leased lines, for example from an office to a datacenter, then you can do it but only if they are VLAN clear. I had some links once from the office to different sites from a company called Adapt, but they were not VLAN clear and it was a problem which we had to work around; it wasn't that bad but once we installed VLAN clear lines it was much better.
Squid (Stupid question that I can't solve)
I hate to admit this, but I am stumped by what quite clearly is such a simple problem but I can't find the answer. I've seen many sites, tutorials, guides but just cannot figure this one out...it's probably my bad skills with PF but admittedly some of the things I've read are for older versions of squid and what they have does not work anymore, so I'm reaching out for a prod in the right direction. OpenBSD 4.6, squid from the ports (up to date). The problem is, I want all users to pass through the squid server before heading out for a) caching reasons and b) to log all HTTP requests. I want it to be transparent so nobody can get out of it, so I'm simply changing everyone's default gateway to the proxy server in DHCP (rather than setting proxy settings in Firefox etc). It must allow ALL traffic (SSH, SMTP, IMAP etc) and essentially ignore that traffic, simply working as a web cache and logger. Web traffic works fine, it goes through it, it logs it and cache is working I guess but nothing else goes through it. SMTP, SSH, IMAP all refuse to connect and I know it's something stupid but after searching around I can't find an answer.

pf.conf
---
int_if="em0"
ext_if="em0"
set skip on lo
pass # to establish keep-state
#block in quick from urpf-failed to any # use with care
# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010
# SQUID redirect
# match on the destination port only; the client's source port is ephemeral, not www
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state

squid.conf
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl badwebsite url_regex "/etc/squid/squid-block.acl"
http_access deny badwebsite
acl localnet src 192.168.2.0/24 # RFC1918 possible internal network
acl localnet src 10.0.0.0/24
acl localnet src 10.1.0.0/24
acl localnet src 10.2.0.0/24
acl SSL_ports port 443
acl Safe_ports port 22 # SSH
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 993 # SSL/TLS imap
acl Safe_ports port 25 # smtp
acl CONNECT method CONNECT
http_access allow manager localhost
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
cache_dir ufs /var/squid/cache 1024 16 256
access_log /var/squid/logs/access.log squid
log_fqdn on
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
visible_hostname proxy.internaldomain.com
always_direct allow all
coredump_dir /var/squid/cache
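As an added example (not code from the post or from the Squid or OpenBSD projects), the following Python script audits, offline, what the posted pf rdr rule and squid.conf actually do with each destination port a client might use. The rule text is a constructed copy of the post's configuration with the stray source-port match removed, and the sysctl.conf line is an assumption (OpenBSD ships with net.inet.ip.forwarding set to 0). The point it makes: only port 80 is ever handed to Squid; every other port is either routed by the kernel, which needs IP forwarding switched on, or goes nowhere, and the Safe_ports entries for ssh, smtp and imaps never see traffic because no rdr rule delivers those ports to the proxy.

```python
import re

# Service names pf and squid accept in place of numbers (subset, for this demo)
SERVICE_PORTS = {"www": 80, "http": 80, "https": 443, "ssh": 22,
                 "smtp": 25, "imap": 143, "imaps": 993, "ftp": 21}

# Constructed inputs: the relevant rules from the post (source-port match
# dropped from the rdr rule) plus an assumed sysctl.conf with OpenBSD's default.
PF_CONF = """
int_if="em0"
ext_if="em0"
set skip on lo
pass  # to establish keep-state
block in on ! lo0 proto tcp to port 6000:6010
# SQUID redirect
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state
"""

SQUID_CONF = """
acl Safe_ports port 22 # SSH
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 993 # SSL/TLS imap
acl Safe_ports port 25 # smtp
acl Safe_ports port 1025-65535 # unregistered ports
http_port 3128 transparent
"""

SYSCTL_CONF = "net.inet.ip.forwarding=0\n"   # assumed; OpenBSD's shipped default


def port_number(token):
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


def strip_comment(line):
    return line.split("#", 1)[0].strip()


def parse_rdr_rules(pf_text):
    """Map destination port -> (target host, target port) for pf 4.x 'rdr' rules."""
    rdr = {}
    for raw in pf_text.splitlines():
        line = strip_comment(raw)
        if not line.startswith("rdr "):
            continue
        m = re.search(r"\bto \S+ port (\S+) -> (\S+) port (\S+)$", line)
        if m:
            rdr[port_number(m.group(1))] = (m.group(2), port_number(m.group(3)))
    return rdr


def parse_squid(squid_text):
    """Return (set of transparent listener ports, list of Safe_ports specs)."""
    transparent, safe = set(), []
    for raw in squid_text.splitlines():
        parts = strip_comment(raw).split()
        if parts[:1] == ["http_port"] and "transparent" in parts[2:]:
            transparent.add(int(parts[1]))
        elif parts[:3] == ["acl", "Safe_ports", "port"]:
            safe.extend(parts[3:])
    return transparent, safe


def forwarding_enabled(sysctl_text):
    for raw in sysctl_text.splitlines():
        key, _, value = raw.partition("=")
        if key.strip() == "net.inet.ip.forwarding":
            return value.strip() == "1"
    return False  # not set: OpenBSD default is off


def audit(pf_text, squid_text, sysctl_text, client_ports):
    """For each client destination port, say which path the gateway gives it."""
    rdr = parse_rdr_rules(pf_text)
    transparent, _ = parse_squid(squid_text)
    forwards = forwarding_enabled(sysctl_text)
    result = {}
    for port in client_ports:
        if port in rdr:
            _, target_port = rdr[port]
            result[port] = ("squid" if target_port in transparent
                            else "rdr to non-transparent listener")
        elif forwards:
            result[port] = "routed past squid"
        else:
            result[port] = "not redirected and ip forwarding is off"
    return result


def unreachable_safe_ports(pf_text, squid_text):
    """Safe_ports entries that no rdr rule ever sends to Squid (dead policy)."""
    rdr = parse_rdr_rules(pf_text)
    _, safe = parse_squid(squid_text)
    dead = []
    for spec in safe:
        lo, _, hi = spec.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not any(lo <= p <= hi for p in rdr):
            dead.append(spec)
    return dead


if __name__ == "__main__":
    for port, verdict in audit(PF_CONF, SQUID_CONF, SYSCTL_CONF, [80, 22, 25, 993]).items():
        print(f"port {port:>4}: {verdict}")
    print("Safe_ports never reached via rdr:", unreachable_safe_ports(PF_CONF, SQUID_CONF))
```

Run it as-is and port 80 reports "squid" while 22, 25 and 993 report that they are neither redirected nor forwarded; change the constructed sysctl line to net.inet.ip.forwarding=1 and those three become "routed past squid", which is the behaviour the post asks for (Squid stays out of the path for them, so it neither caches nor logs them).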
Re: OpenBSD culture?
On 14/04/2010 19:27, J Sisson wrote: > On Wed, Apr 14, 2010 at 1:19 PM, Matthias Kilian > wrote: >> On Wed, Apr 14, 2010 at 12:38:56PM -0500, Ron McDowell wrote: >>> Yup, nowhere in that goals page does it say anything about "don't be >>> rude to the casual users." Maybe that is why OpenBSD is so far down the >>> list at http://bsdstats.org/ . >> >> What detail in the original reply Theo sent to the OP (and quoted >> it later on this list) was rude? > > I think that implication was aimed at the OP who claimed Theo was rude. > Doesn't make it so, but the OP apparently took it that way. > Not that I think we should start exploring this, but I think a lot of cultures mixing is often the problem. People can see things very differently; for those who are Western here, going to the east (even huge places like Tokyo) can be a massive shock to the system with how different it is. I think this can cause massive problems in the way people communicate. I'm sure someone will disagree but from past experience I think that can often be a huge factor. A very easy example is if I have to call an American call centre...I had to do some PCI stuff and ended up having to call one. Everyone seems to say "sir this" and "sir that"...I sometimes get a "Is that a Mr..." here (England) but often it's never as formal as what I experience in America. I know that's a bad example but you get my point. Really though, who cares. Everything seems to be ticking along well (with development) and calling me a See You Next Tuesday won't affect anything so I don't care
Re: OpenBSD culture?
> but if a questioner seems sincere there is usually a certain > level of friendliness in Linux community towards them. I'm on Open/Free BSD, Fedora and Debian and while sometimes I find there can be a bit of unnecessary rudeness on the OpenBSD ML it's a truck load better than what you see on fedora/debian lists constantly... "Where can I get this piece of software" which just makes you angry as it takes 5 seconds to search it. It's hand holding BS most of the time. Everything is warm and fuzzy and everyone has this attitude of "wow man fedora is s much cooler then windozz LOL"... but very few can back that up other than spouting "NO VIRUS'S YYYEAAAHHH" and sometimes you get the "YOU NEED TO USE SUDO WPPP"...yeah great. I know there are a few Europeans knocking about so they might get the joke, but I was watching a Manchester United match not long ago and someone had the banner "Man Utd Not arrogant, just better" I think OBSD is along those lines > If you can not help yourself how can you help the project? Get lost. Think that says it best.
Re: Relayd
On 17/03/2010 22:23, Glenn Beadle wrote: > Hello, > > I know this is the OpenBSD mailing list, but I'm having an issue with > relayd on FreeBSD and was just hoping to get some direction. > I'm currently using relayd as a load balancer, and it's working fine. > Now I'm trying to add ssl acceleration, and that's where I'm having an > issue. > I can get relayd to run, and as the _relayd user I can use the random > number generator, but when I try to make an ssl connection to the load > balancer I get the following error: > > SSL library error: httpproxy: relay_ssl_accept: error:140B512D:SSL > routines:SSL_GET_NEW_SESSION:ssl session id callback failed > relay httpproxy, session 1 (1 active), 0, 192.168.103.80 -> :80, SSL > accept error > > > This bug has been reported to FreeBSD, but no action has been taken on > it in over a year. > I'm wondering if anyone in the OpenBSD community has any insight? > > > Thanks, > Glenn > The FreeBSD port is quite old; does the machine have to stay FreeBSD or could you move over to OpenBSD? I believe the port is more up to date over here. If you have a second machine you can trial it on there using 4.6-current (basically 4.7) or wait till 4.7-release which is coming soon
Re: softdeps enabled = poor "concurrent" access?
On 24/02/2010 09:52, Jan Stary wrote: > On Feb 23 19:20:28, Noah McNallie wrote: >> Hey guys. Noah here. I'd like to use openbsd on an older machine i have. >> I've had it on there before and never tested something that i've been >> testing on various operating systems lately. That's how well they do >> while under disk io load, concurrently. >> >> An example would be to tar -zxvf a large tarball and in another >> terminal, try to run a simple command. such as 'uname' or 'ls' or what >> have you. To test responsiveness. It may not be a very good test but >> it's an everyday usage test. >> >> Well, i've found on openbsd without softdeps enabled it will do this just >> fine. But when enabling softdeps it will not. The 'uname' or 'ls' will >> take quite a while to complete. > > So, your system is "slow" _with_ softupdates? > >> The machine is a 300MHz 2MB L2 sparc64 SUN Ultra 30. softdeps is almost >> required as it speeds up something like the extraction of a tarball >> exponentially. I'm guessing somewhere near 25x. It's very slow on this >> machine without softdeps. > > So, your system is "slow" _without_ softupdates? > I think he means untar is faster but doing ls, uname etc is slower WHILE doing the untar. It's a fair enough question till you actually think about it. I think Tobias Ulmer summed it up best
OT - comments from a debian user
I would ignore this if you don't like Off topic posts, and flame me if you so wish, just there is a small discussion going on in a debian mail list and this post made me chuckle a bit...reminded me of Jason's presentation about bsd dying. In hindsight, why I said anything in the first place I will never know. On 22/02/2010 13:01, NN9OON3N?O N N,N;N;N1O wrote: > > (it is, isn't it? :-) ) > > > > So, yes, we are moving on from our 10-year experience with gentoo, and > > are searching for our new environment. From my personal experience I > > would say debian stable - any hard evidence to support the claim? Server > > OS statistics? Statistics for stableness? Bugs? Any white papers showing > > debian's superiority? > > > > I am also doing my google research, but I'm asking if someone can point > > me to something like real hard evidence... > > > > Thanks, > > G. Depending on what you want to use the servers for, OpenBSD What someone replied: Given that the amount of resources going into Linux kernel development over the past 10 years and moving forward is a vast ocean compared to the trickle of resources going into *BSD kernel development, for me, the choice of kernel is clear, as it is with many folks. The Linux kernel walks all over *BSD in too many categories to count. The *BSD kernels might walk all over the Linux kernel in only a couple of categories, if that. These projects are "hacks" in the true sense of the word. They are doing it to prove to themselves it can be done. It will be a very long time until either of these is production ready, if ever. Look at the Hurd project for a sobering reminder. It's 12 years old and still not close to its first release, let alone production ready. Probably never will be, again, due to developer resources. http://en.wikipedia.org/wiki/Debian_GNU/Hurd Debian GNU/Hurd has been in development since 1998[1], but still has not been officially released. 
Over 60%[2] of the software packaged for Debian GNU/Linux has been ported to the GNU Hurd. However, the Hurd itself remains under development, and as such is not ready for use in production systems. The overwhelming majority of Debian users run Debian GNU/Linux, rather than Debian GNU/Hurd.
Re: Refusal to mention OpenBSD in a MSc Advanced Networking course
On 14/02/2010 02:40, TS Lura wrote: > Thank you all for the replies. > > I might do a lecture on my own, presenting OpenBSD. > > If I were to do that, as a subsection, it would be cool to give references > to other institutions that are using OpenBSD and why they are using it. > > Why one would use OpenBSD, over eg. GNU/Linux. > Now I would cite preemptive security, code correctness, it's easy to use; > enable daemons through rc.conf, pf, openssh, possibility for zfs in kernel?, > good documentation, jailing of daemons. > > It would also be cool to highlight any specific snazzy functionality. > Something that would get (MSc/geeky) people to think. "ooh, that's > cool" particularly in relation to networking. > eg. I think the scrubbing of packets in PF is kinda cool, pftop, see > the interrupt counter for the nic and serial console. :P > > Maybe something related to cryptography, or general network gear(routers, > switches) , or any new cool feature in PF or something > that's expensive with Cisco but cheap and good with *BSD. ipsec?, VoIP? cool > feature in OpenSSH. > > > .tsl > When I did A-Level computer Science quite a few years ago (I don't know what the non-English equivalent of the A-Level would be, I don't even think there is an equivalent in the American system as we have GCSEs then A-Levels then Uni in England...so here is a link http://en.wikipedia.org/wiki/A_level ) I had people in my class who couldn't program and knew very little about firewalls and such like...it was a shock that very few of them had even built a computer and really understood things. I was no expert back then, but I had coded PHP, bits of C, knew bits of Linux, Windows server, how DNS worked and such like. I had two teachers and one was off for 8 weeks with an operation and our other teacher just said carry on doing your work in his lessons, so I usually ended up teaching the other people in the class what I thought they should learn. 
Many of them had trouble grasping ideas like Database normalisation; pascal was the language of choice and they had trouble understanding little bits. I helped them through it and showed them bits of PHP and how it was similar to other languages and how they can move on to C and such like. Over the last few years I've been out with a few girls who are in one uni or other (I really should learn to not get involved with girls at uni) and whenever I meet their friends who are doing IT related degrees I always mention they should check out OBSD et al and give them tips on how to get in to the industry, what would look good on their CV. Of all my friends that go to uni to do IT related degrees, I don't think any of them know of OpenBSD...they get taught Linux in a module but hardly much. My point is, if you know something, share it. This isn't banking or finance, you don't hold "the keys" to get one up on people...talk to your class, hold something outside of normal lectures/seminars etc "help a brother out" as my friend would say. I don't think the "you have one up on your fellow students" argument is a good one, in fact I think that's rather shit. Share it, give your opinions...chances are (in my experience) they will appreciate it but always remember to back off, if they want you to.
Re: AMD power reduction
> Hello, > > I think of doing this too. > What I would like to understand is if I will be able to use the frequency > change 1000 / 2000 MHz dynamic load based. > > Regards > Do you mean change the frequency depending on the load on the computer...? This is very easy in a virtual environment, I am not sure on a physical machine. I have seen windows software that allows you to change certain options while in the OS, though whether you could do this in OpenBSD and dynamically you will need to see if someone else knows the answer. GPUs are very easy to do this with...certainly doing it manually, but CPU stuff I'm not so sure...
Re: AMD power reduction
On 04/02/2010 23:02, Jean-Francois wrote: > All, > > I am looking forward to reduce the TDP for a server planned to be built. > As low as possible shall be best, is AMD cool'n quiet operating with latest > OpenBSD ? > > Regards > Depending on what you were looking at, you can reduce the voltages (if your BIOS has this much control) and this will lower power/heat. I've done this on PCs with bad HSF in hot temperatures. Though, like overclocking, it's an art that requires testing, trying and patience to find the lowest/highest while still being stable
Re: trac on OpenBSD current
> I think that this is the point. I installed from a plain > install46.iso, but then I thought I could have chosen which ports > tree to choose, -stable or -current. Where can I get more info about > the upgrade process to -current? > > Thanks > > Sebastiano > http://openbsd.org/anoncvs.html#starting http://www.openbsd101.com/updating.html Some places to start. Use cvsup to download src, ports...whatever you wish and choose the branch you want, stable or current. Do some digging
Re: another reassemble tcp problem - details for PF developers
It may be an irrelevant coincidence but each FTP site that this happened with was Microsoft FTP. It never happened (ie FTP always worked fine) with other server types. I don't know if this matters, but I had some problems recently with people downloading from external FTP servers and we found it had something to do with the FTP client and the use of either the client or the external server using passive mode. I can't remember the exact details but it came down to the ms-client/server working differently than expected...this probably won't help anyone but it might
Re: ComixWall terminated
So what...someone was wrong, someone's train of thought was wrong...so what? Someone posts something and it's the wrong place...ok, say this isn't the place and move on. If this person thought they were helping and people think they are not...well they have a different opinion but really they haven't actually done anything wrong. The way Theo spoke to them in the e-mail was quite rude and you could say "oh well it's only words" but then you can say "oh well it's only an announcement". Ridiculing someone and telling them to get off the list is rude and unnecessary for someone who was only trying to help, whether they actually were or not, and whether they were right or wrong, in reality they didn't do any harm. We can all hold our hands up for being wrong, having a different opinion, sometimes doing things that are not helpful but you genuinely thought they were. This person, I don't think, had any intent to do anything but help. The harsh words from some people pushing them away is not needed, then ridiculing them when they want to terminate because of the way they have been spoken to is a sad loss. Some people are sensitive to the way people have spoken to them. Mocking them by coming out with gems like "Do you cut yourself when somebody yells at you just to show them?" is quite unnecessary.
Re: Truncation Data Loss
Janne Johansson wrote: > Nick Guenther wrote: > > So, as nicely summarized at > >> http://www.h-online.com/open/news/item/Possible-data-loss-in-Ext4-740467.html >> , > ext4 is kind of broken. It won't honor fsync and, as a /feature/, will > wait up to two minutes to write out data, leading to lots of files > emptied to the great bitbucket in the sky if the machine goes down in > that period. >>> There is a very simple explanation for why things are so. >>> Actual data file loss has never been what these things were coded for. >>> filesystem *tree and meta-data*, ie. the structure of how things are >>> knit together, is the main concern. If you lose the filesystem tree >>> structure, you've lost all your files, not just the newest ones. >>> Therefore the goal is safe metadata handling. The result is you can >>> lose specific data in specific (newly written to) files, but the >>> structure of the filesystem is consistent enough for fsck to not damage >>> it. > >> See, since it seems that BSD doesn't have this file-data consistency >> guarantee, are Linus' worries about ext4's potential data loss just >> being alarmist? It seems to me that the case described in >> https://bugs.edge.launchpad.net/ubuntu/+source/linux/+bug/317781/comments/45 >> is just as likely to happen on OpenBSD--if I run KDE or GNOME and mess >> around with my settings then quickly murder the system the files will >> be resurrected empty, right? > > It seems like some posters in this thread somehow miss the fact that > if you have outstanding writes and the box dies, some of your data dies > also. New or old data, something will be missing. > > From the point your app does a write(), it gets buffered in the I/O > handling, it gets buffered by the device driver for the card, it gets > buffered in the card probably, it gets buffered on the on-disk memory > cache and then it serially hits the platter one bit at a time until it's > all written. 
If you have data in this long pipe and the power goes, you > will lose data, period. > > OpenBSD has chosen to try harder to keep the metadata intact, and ext4 > doesn't try at all, for the love of speed. Still, you are only moving > around the window of opportunity for fail, and sometimes making it > larger or smaller, but it is always there. > > The last comment above should really only read: > "If I quickly murder my system, the files might be gone". Nothing else. > > If you have writes going, data loss is a reality. Sometimes more, > sometimes less, but it's all games with statistics. If ext4 has a 50% > chance of killing your files and FFS on obsd has 1%, you might still get > to keep your KDE settings on either system or you may lose them all. It > shouldn't be news to anyone that Linux always went for fast-and-insecure > whereas the BSDs opted for slower-but-safer for the filesystems. Making > a fuss about how insecure the penguins are this week feels like a waste > of time to me. > > If you care about your data, you have backups. > > Regardless of if the probability is 1% or 50%, because for someone out > there, the percentages will be against you. > I know this is a bit off topic, but storage devices have batteries on RAID cards for a reason. If you are worried about reads/writes etc when a system dies, there are measures you can take
Re: Filtering scp ssh and sftp
Simen Stavdal wrote: Hello misc, I have an openbsd host running that I wish to access in different manners depending on where the users connect from. This host runs sftp chrooted for internet users, and at the same time, I wish to administer the box with ssh. At the same time, I do not wish to allow ssh from the internet. We have a policy that only vpn connected users can administer local systems. The host is located on a dmz with one interface and one public ip address. Between the users, the internet and this server I have two firewalls running openbsd 4.1 GENERIC.MP (with Carp over Vlan over trunk). Internet -Firewall---DMZ with SFTP server | Internal users I want to allow all ssh services for internal users, and sftp _only_ from the internet. Since sftp/scp/ssh all run on the same port number (22 default), is there a way to filter the traffic with pf? I've seen that you can queue the traffic with ALTQ, but is there a way to block/allow before this stage? Any best practice on the subject? Cheers, Simon. Change the listening IP for one of the services and block access to that new IP address in PF?
Re: OT: Iphone with OpenBSD
...you just kill-joyed that whole page. It's a stupid rant that's quite funny if you like that humour and he is going on the first version of the iphone, non-jailbreak, (you can't bring that into it by the way as he is taking both phones as-is) So please don't suck the humour out of everything -Original Message- From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Alvaro Mantilla Gimenez Sent: 18 September 2009 17:04 To: misc@openbsd.org Subject: Re: OT: Iphone with OpenBSD Jan Stary wrote: > > We will be trying to develop an entire suite of device > drivers for undocumented hardware and then attempt to run > a full-fledged operating system on it. > > Just hack away! After reading > http://www.thebestpageintheuniverse.net/c.cgi?u=iphone > of course. Comparing the two phones is not the point here...this guy does not have any clue about what the iPhone is and probably he is using his Nokia to give pleasure himself through his ass. The site describes a "normal" iPhone. A Jailbroken iPhone with cydia and all the packages and cool stuff is a different beast. You can run perl, php, python, ruby, apache, svn, cvs, etc...you can manage your servers (the example that the guy is using against the iPhone) through the Terminal application and connect with openssh, rdp or vnc...whatever you want. The keyboard comment...it is just valid for an English speaker...if you are from another language with more complex characters then you do "less work" because it is easier to select those characters and guess what? you do fewer "taps" at the end of the day. You can actually say: "Hey, here is your small server for your small office...right here in my pocket !!" "You can use it as media server, web server, backup server...". Take a look at cydia and the repositories. 
It has support for MMS and Video recording (yes..cycorder), IM (too many clients...you already have problems choosing one because of that), vlc, mplayer, mxtube (In fact...I downloaded the slackathon conferences with that), SIP, VoIP and a lot of other cool stuff. You can, from a long time ago, personalize your ringtones without iTunes...so...that site is just the opinion of one guy that does not know wtf he is talking about. The actual point of the post was to have an iPhone/iPod Touch running as a small SECURE server. It is running a BSD OS already...but not secure. That's the point of all this post. Regards, Alvaro
Re: 4.6 postponed to Nov 1
How dare she...you'd only be thinking about it ;) -Original Message- From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Matt Bettinger Sent: 18 September 2009 15:39 To: Michael Cc: m...@cvs.openbsd.org Subject: Re: 4.6 postponed to Nov 1 On 9/18/09, Michael wrote: > >>> Heh. I just cannot help being a little amused by this, since we are > >>> expecting our second kid with an ETA of Nov 1, and I thought it would > >>> have been a fun coincidence to have OpenBSD and (possibly) a kid > >>> "released" the same day. :-) > >> > >> don't name it puffy, please ;) > >> > > > > Don't listen to him; there's a shiny American dollar in it if you do. > > +1 EUR > > ;-) > > That's funny because we have a c section scheduled Oct 1, 2009 to go in and get my third child. (boy). My wife REALLY believed (and maybe it is true) that I was going to be upgrading boxes on the same day my son is born. She can rest easy now that the Release date has been bumped up! re, mb
Re: OT: Iphone with OpenBSD
That whole site has brilliant rants that remind me of Zero Punctuation videos :) -Original Message- From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Gilles Chehade Sent: 18 September 2009 12:22 To: Jacob Yocom-Piatt Cc: misc@openbsd.org Subject: Re: OT: Iphone with OpenBSD hehe, following a link from a link from thelinuxoniphone blog, I ran into this: http://www.thebestpageintheuniverse.net/c.cgi?u=iphone made my day ;-) Gilles On Fri, Sep 18, 2009 at 05:10:49AM -0500, Jacob Yocom-Piatt wrote: > Alvaro Mantilla Gimenez wrote: > >I just found this page: > > > >http://linuxoniphone.blogspot.com/2008/06/why-iphone-linux.html > > > >I don't have any idea about how/where to start. Maybe Theo can put some > >light here...I think my developer skills are far from being good enough but, > >hey...I would like to try !! > > > > > > > getting openbsd working on an iphone would be a pretty serious > undertaking and would require a lot of man hours that aren't currently > available. you have to remember that the project is mostly driven by > donated developer time. > > if you have >100K USD and are committed you might be able to make it > happen. there would have to be a lot of reverse engineering on drivers > and there is no reason to expect apple wouldn't change the chipsets > across versions to make minute optimizations on cost. assuming you could > get all this code written there are many man hours that go into keeping > the arch working properly on an ongoing basis. > > there is no doubt this would be sweet but you have to be realistic when > considering the amount of work it would take to make this happen. there > are >10 mln iphones in circulation so there is no shortage of machines > > > >Regards, > > > >Alvaro > > > >beowuff wrote: > > > >>>Reading the article posted on undeadly.org: > >>>http://www.informit.com/articles/article.aspx?p=1393496 > >>> > >>>I was thinking it would be cool to have an Iphone running OpenBSD... 
> >>> > >>>Imagine that: the most secure phone in the planet :-P > >>> > >>Man, I have an old 1st gen iPhone just sitting there... I would so put > >>OpenBSD on it. Unfortunately, I wouldn't know where to begin :( > -- Gilles Chehade freelance developer/sysadmin/consultant http://www.poolp.org
Re: 4.6 will be released on October 1st?
>-Original Message- >From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of >Jacob Meuser >Sent: 19 August 2009 04:08 >To: OpenBSD Misc >Subject: Re: 4.6 will be released on October 1st? > >>On Tue, Aug 18, 2009 at 10:03:58PM +0300, Lars Nooden wrote: >> wim wauters wrote: >> >> Actually, better to aim Theo at YouTube and their ilk so they stop using >> Flash in the first place. >> >> +1 >> >> Flash is a pox. Youtube, and any other flash site, should go over to >> open standards. Ogg Theora comes to mind there. >*sigh* > >you're blaming the wrong people. 2009 and just now streaming video/audio >is being standardised in html? > >and theora? give me a break. > >either blame the w3c or the FOSS community in general for not creating a >superior "free" video codec. don't blame youtube and the like for using >"de facto" standards. > >-- >jake...@sdf.lonestar.org >SDF Public Access UNIX System - http://sdf.lonestar.org > > I have to agree here...they are using the standard that the majority of people have, that works, that people understand. Of course, they *should* change to an open standard like in HTML 5 but even that is a bit borked since Apple et al started moaning about it because they are twatty wankers
Re: Boxes hanging intermittently. Anybody seen such ?
Is there a set time when this will happen, say after it's been up for ~5 hours, or is it completely random, 2 days one time, 1 hour another? -Original Message- From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Andres Salazar Sent: 17 August 2009 01:29 To: misc@openbsd.org Subject: Boxes hanging intermittently. Anybody seen such ? Hello, During the past week two boxes on the same network have stopped responding. They carry OpenBSD 4.5 i386 and I have looked at every possible log to find out why this occurs, however I haven't been able to spot anything unusual. All of a sudden they just stop responding to requests. What these freezes do have in common is that when the boxes are reached via the KVM they present the login screen, they allow text to be entered in the login field... but upon hitting enter for it to ask the password, that's when it just hangs. I am afraid this will keep on happening and I would like to know if anybody has experienced this before.. these have been perfectly working boxes and it would be just odd both would have the same problem in the same few days. Upon a reboot everything returns to normal. Thank you. Andres
Re: New Project - MICO
I liked the video, I liked the concept, I give you more credit for using ogv and I will definitely have a look at MICO...but please...for love of atheism, please don't keep highlighting bits of text if you make another one...it made it incredibly tedious to watch at times. All credit to the fact it's very simple to understand...so with this in mind, when you type "history" we know what it is you're doing and do not need to highlight this...Just a little heads up, I know I really am nit picking but I've seen so many people do presentations, videos etc badly and you end up hurting yourself more. :) -Original Message- From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Fernando Quintero Sent: 22 July 2009 23:22 To: tico Cc: Astrid Sanchez; misc@openbsd.org Subject: Re: New Project - MICO Hi Tico, I'm working on the project too. Basically, how do you add new "commands" to nsh? Coding in C? The idea is to use a .xml file with easy fields. And we think nsh is used more for routing services, like BGP, OSPF, etc; with MICO the idea is to configure system stuff and services installed with the base system, like dhcp, dns, vpn, nfs, ssh, etc. These are some ideas about what we want to do. 2009/7/22 tico : > Astrid Sanchez wrote: >> >> Here in Colombia started some months ago the development of a >> new project called MICO. Its purpose is to create a CLI to configure >> services on >> OpenBSD. MICO was presented in Campus Party Colombia and you can see the >> slides on [1], also the screencast showing the functionality implemented >> so >> far in [2]. >> > > Hello Astrid, > > I've read your slides, but it's not clear to me what advantage MICO has over > nsh[A], > which already is a CLI that configures services on OpenBSD and is well > integrated. > > Certainly you're free to write whatever CLI or management scripts you want, > but I was curious why you wanted to start over? What problem with nsh are > you trying to fix? > > !Saludos! 
> Tico > > [A] http://www.nmedia.net/nsh/ > > -- -- Fernando Quintero http://nonroot.blogspot.com/ *Just a nonroot User*
Re: Web GUI for named(8) ?
What about ISPConfig? I can vouch for webmin, but ISPConfig comes highly recommended by a lot of people. You also have cPanel but I am not sure if that has an OpenBSD port...or ISPConfig for that matter, but you didn't mention it so thought I would... -Original Message- From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Dr Alastair F. Brown Sent: 23 July 2009 09:32 To: Rolf Sommerhalder Cc: OpenBSD Misc List Subject: Re: Web GUI for named(8) ? Quoting "Rolf Sommerhalder" : > Hello list, > > Can you recommend any GUI that enables junior IT staff to maintain > basic DNS Resource Records (such as for ex. A, PTR, CNAME,...) for > BIND 9 running on OpenBSD? > > Also, I will consider alternatives to named(8), provided that they > support an authoritative, split DNS server and some simple GUI, all > running on OpenBSD. > > So far, I have been looking at webmin, Binder, smbind, ProBIND, DNS > Control, adadns. None of them appears to have an OpenBSD port yet. > Their maturity & development activity appears to vary widely. I have used webmin for a while to allow simple changes to be made to our wireless gateway by others in the team who do not normally deal with it (e.g. during holiday periods etc.). I have not used the BIND module, so cannot comment on that. In its favour - a) simple install, just run the setup script b) very easy updates of core system and modules c) Custom Command module is VERY useful for setting up CLI commands needed by staff who can never remember them (to be honest that includes me sometimes!). Can also be safer than allowing them control of e.g. BIND through the BIND module, from where they could do a lot of damage Not in its favour - a) it is a GUI Make sure you use SSL - requires p5-Net-SSLeay Al -- Dr Alastair F. Brown, Head of Computing MRC Human Genetics Unit, Edinburgh EH4 2XU, UK Mailto:alastair.br...@hgu.mrc.ac.uk http://www.hgu.mrc.ac.uk/Users/Alastair.Brown/ Fax: +44 (0)131 467 8456 Phone: +44 (0)131 332 2471
Re: reason for libexec?
As far as I'm aware ADD is on the autistic spectrum, and it is generally believed that a lot of people in IT are on the spectrum, especially those in the more technical areas, so in a way, you're probably sort of right...in a way. Though, have you been tested for Asperger Syndrome? -Original Message- From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Theo de Raadt Sent: 15 July 2009 17:31 To: Daniel Barowy Cc: misc@openbsd.org Subject: Re: reason for libexec? > On Wed, 15 Jul 2009, Theo de Raadt wrote: > > > > It is stuff that isn't on root's path. > > > > Ok-- it turns out I am even more naive than I previously thought. I can > see that /usr/libexec is not in root's path on my machine (maybe that's > why the 'usr' part is in there?). > > But why not? Because it is stuff that isn't SUPPOSED TO BE on root's path. Does everyone on this list have ADD?
Cheap Sun equipment
With the Woolworths collapse, there are still some things up for grabs. It's phase 4 now, almost all has gone, but people might be interested: http://www.hilcoind.com/sales/sale.asp?SALE_ID=1412&SALE_REFERENCE_ID=DLNOCMOFBC611200952523
Re: random crashes on a firewall with OpenBSD 4.5-stable
Well, you can check the Volt readings in the BIOS, most will give you a reading, but I am sure there is some BSD software out there, maybe someone on the list will know. On Windows you can use Speedfan. Even if it's not this, it's worth knowing how to check this as a simple check on servers -Original Message- From: Comète [mailto:com...@daknet.org] Sent: 26 June 2009 16:42 To: Michal Subject: Re: random crashes on a firewall with OpenBSD 4.5-stable Oh sorry :p How could I test the power supply unit ? Michal a écrit : > Other servers?? I don't mean PDU, I mean PSU...the power supply in the > server. If you're sharing a power supply across 2 servers I would be shocked > :) > > -Original Message- > From: Comete [mailto:com...@daknet.org] > Sent: 26 June 2009 13:48 > To: Michal > Subject: Re: random crashes on a firewall with OpenBSD 4.5-stable > > No problem with the PSU and voltage limits. The PSU isn't used at its > full capacity and the other servers plugged on it work well. > > Could it be a bad network interface ? > > Michal a écrit : >> Just stabbing in the dark here, test your Voltage Rails on your PSU. Check > they >> are within limits. I find unexplained crashes can be traced back to PSUs >> quite often >> >> -Original Message- >> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of >> Comète >> Sent: 26 June 2009 12:22 >> To: Misc OpenBSD >> Cc: Daniel Gracia Garallar >> Subject: Re: random crashes on a firewall with OpenBSD 4.5-stable >> >> Well I have tested the RAM with memtest, no error. >> >> maybe another idea ? >> >> Thanks >> >> Daniel Gracia Garallar a écrit : >>> Oh and maybe bad RAM; I've hit some nasty errors with these faulty >>> DIMMs... :/ >>> >>> Comète escribió: >>>> Hi, >>>> >>>> we are using the last OpenBSD 4.5-stable release on an old Compaq >>>> Proliant ML350 as a firewall with spamd. But we encounter randomly >>>> some system crashes (once a week or two weeks). 
The system always >>>> displays the same message: >>>> >>>> uvm_fault (0xd080d9e00x0,0,1) -> e >>>> >>>> kernel: page fault trap, code=0 >>>> >>>> Stopped at cac_pci_l0_intr_pending+0xb >>>> push 0x34 (%eax) >>>> >>>> What do you think it could be ? I thought about maybe a hardware >>>> problem but where exactly... >>>> >>>> I join my dmesg below >>>> >>>> Thanks for your advice ! >>>> >>>> OpenBSD 4.5-stable (GENERIC) #9: Sun May 17 22:59:17 CEST 2009 >>>> r...@arwen.saintlo.fr:/usr/src/sys/arch/i386/compile/GENERIC >>>> cpu0: Intel(R) Pentium(R) III CPU family 1266MHz ("GenuineIntel" >>>> 686-class) 1.27 GHz >>>> cpu0: >>>> > FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX, >> FXSR,SSE >>>> real mem = 267988992 (255MB) >>>> avail mem = 250839040 (239MB) >>>> mainbus0 at root >>>> bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ >>>> 0xf, SMBIOS rev. 2.3 @ 0xec000 (31 entries) >>>> bios0: vendor Compaq version "D11" date 01/29/2002 >>>> bios0: Compaq ProLiant ML350 G2 >>>> acpi0 at bios0: rev 0 >>>> acpi0: tables DSDT FACP APIC SPCR >>>> acpi0: wakeup devices PBTN(S5) >>>> acpitimer0 at acpi0: 3579545 Hz, 32 bits >>>> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat >>>> cpu0 at mainbus0: apid 3 (boot processor) >>>> cpu0: apic clock running at 132MHz >>>> ioapic0 at mainbus0: apid 8 pa 0xfec0, version 11, 16 pins >>>> ioapic0: misconfigured as apic 0, remapped to apid 8 >>>> ioapic1 at mainbus0: apid 2 pa 0xfec01000, version 11, 16 pins >>>> ioapic1: misconfigured as apic 0, remapped to apid 2 >>>> acpiprt0 at acpi0: bus 0 (PCI0) >>>> acpiprt1 at acpi0: bus 2 (PCI1) >>>> acpicpu0 at acpi0 >>>> acpitz0 at acpi0: critical temperature 31 degC >>>> acpibtn0 at acpi0: PBTN >>>> bios0: ROM list: 0xc/0x8000 0xc8000/0x1800 0xc9800/0x1800 >>>> 0xcb000/0x1800 0xcc800/0x4000! 0xd0800/0x1800 0xee000/0x2000! 
>>>> pci0 at mainbus0 bus 0: configuration mode 1 (bios) >>>> pchb0 at pci0 dev 0 function 0 "ServerWorks CNB20LE Host" rev 0x06 >>>> pchb1 at pci0 dev 0 function 1 "ServerWorks CNB20LE Host&
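The "BSD software" Michal is unsure about does exist: OpenBSD's hardware monitor drivers (lm(4) and friends) publish supply rails through `sysctl hw.sensors`, one line per sensor. The script below is an added example, not code from this thread; it reads lines in that format, picks out every voltage sensor whose label states a nominal value, and flags any rail that drifts more than a tolerance (5% by default, an arbitrary choice) from nominal. The `lm0` sensor names, the `(+3.3V)` style labels and the readings in the sample are constructed for the example.

```shell
#!/bin/sh
# Added example: flag PSU rails that drift more than a tolerance from nominal,
# using the voltage lines OpenBSD exposes via "sysctl hw.sensors". The lm0
# names and the "(+3.3V)" style labels below are assumptions for the example.

# check_volts [tolerance]: read hw.sensors lines on stdin; for every voltage
# sensor whose label states a nominal value (+3.3V, +5V, +12V, -12V) print
# OK/FAIL with the deviation. Exit status 1 when any rail is out of tolerance.
check_volts() {
  awk -v tol="${1:-0.05}" '
    /^hw\.sensors\.[^=]*\.volt[0-9]+=/ {
      split($0, kv, "=")
      val = kv[2] + 0                                   # "3.26 VDC (+3.3V)" -> 3.26
      label = $0
      sub(/.*\(/, "", label); sub(/\).*/, "", label)   # "+3.3V"
      if (label !~ /^[+-]?[0-9.]+V$/) next             # e.g. "VCore": no nominal to compare
      nom = label; sub(/V$/, "", nom); nom = nom + 0
      dev = (val - nom) / nom
      if (dev < 0) dev = -dev
      status = (dev > tol) ? "FAIL" : "OK"
      if (status == "FAIL") bad++
      printf "%s %s nominal=%s read=%.2f dev=%.1f%%\n", status, kv[1], label, val, dev * 100
    }
    END { exit (bad > 0) }'
}

# Constructed sample in hw.sensors format; the +5V rail sags 6%, the rest are fine.
sample_sensors() {
  cat <<'EOF'
hw.sensors.lm0.volt0=1.49 VDC (VCore)
hw.sensors.lm0.volt3=3.26 VDC (+3.3V)
hw.sensors.lm0.volt4=4.70 VDC (+5V)
hw.sensors.lm0.volt5=12.50 VDC (+12V)
hw.sensors.lm0.volt6=-12.10 VDC (-12V)
EOF
}

case "${1:-}" in
  live) sysctl hw.sensors | check_volts ;;   # run on the OpenBSD box itself
  demo) sample_sensors | check_volts ;;      # run against the constructed sample
esac
```

Run it with `demo` to see the constructed sample flagged, or `live` on the OpenBSD machine; the exit status makes it usable from cron or a monitoring check. A rail that reads fine under no load can still sag under load, so a single OK is weaker evidence than a FAIL.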
Re: Open Vs Free BSD
-Original Message- From: owner-freebsd-sta...@freebsd.org [mailto:owner-freebsd-sta...@freebsd.org] On Behalf Of Charlie Kester Sent: 19 June 2009 20:24 To: freebsd-sta...@freebsd.org Subject: Re: Open Vs Free BSD On Fri 19 Jun 2009 at 11:23:26 PDT Michael R. Wayne wrote: > >OK, I'm going to take a guess here that English may not be Michal's primary >language and re-ask his question: > > Given the several versions of *BSD, I have been led to understand > that each excels in different ways. How do I select which one > is right for my application, what are the underlying reasons > that would lead me to that choice and what are the disadvantages > I am risking? > >This is, actually, not an inappropriate question coming from a potential >new user who is not familiar with the history surrounding the various >versions and would make an outstanding FAQ. As an example, we run FreeBSD >on our firewalling machines because it works well enough and we prefer the >reduced support costs of using a single O/S across our network. I am unsure >of what the advantage of moving to OpenBSD might be and would find it very >difficult to quantify the advantages (if any) versus the increased support >resources required. > >This is a very real issue. Linux has a similar problem; I've personally >been in meetings where clients examined the myriad Linux distributions >and say "It's very likely that we will make the incorrect choice. So we'll >go with Windows." I suspect similar events have occurred with *BSD. So, >rather than jumping on people about them bringing up religious wars (because, >face it, you CAN edit a file perfectly well in either vi or emacs :-), we'd >all be better served by giving them enough information to make the >right choice in their situation while realizing the tradeoffs they are >making. I agree, this shouldn't necessarily be treated as flamebait or trolling. But shouldn't the question be redirected to the advocacy mailing list/team? 
-- Sorry, I would just like to add that English is my first and only language. As I said at a Terremark Europe meeting (everyone else spoke [mostly] Dutch and English), I speak English and bad English. I think my dyslexia and general ignorance may have caused the confusion in my question. I was never asking WHO WINS WHO WINS, as I have multiple OSes running; more looking forward 2-5 years, upgrades and so forth, what should I take into account. From the answers I have got, I've learnt that I should ask my questions better, most importantly I think there, and OBSD may not have lots of packages but it has brilliant security. A desktop might be served better with Linux or FreeBSD, but at the end of the day, it's your horse, your course. You choose as you wish. I thank you all
Re: Open Vs Free BSD
It wasn't an argument or a versus anything. It was just a question relating to what he had said and the truth in it and the two OSes being used for different reasons. That's all. No rage, no debate or looking for any winner! -Original Message- From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of dem...@thephinix.org Sent: 19 June 2009 12:42 To: freebsd-sta...@freebsd.org; misc@openbsd.org Subject: Re: Open Vs Free BSD Oh, why can't this "this versus that" ever die? There has been raging debate about which OS is better than the others since time immemorial. Sure, each one has its own merits over the others and vice versa. So why feed this issue, since up to this very moment there is no winner. > and the security is in netbsd: > > http://netbsd.gw.com/cgi-bin/man-cgi?security+8+NetBSD-5.0 > http://www.netbsd.org/~elad/recent/recent06.pdf > > On 6/19/09, Ivan Voras wrote: >> Kim Attree wrote: >> >>> NetBSD runs on just about anything. That's its primary goal. Since I >>> don't >>> have any weird hardware, I've never had a use for NetBSD. >> >> I don't use NetBSD either but some recent developments that come from >> that camp are very interesting: >> >> * Journalling UFS ("smart" journalling, not gjournal) >> * PUFFS (BSD implementation of FUSE-like system [file system in >> userland]) >> * They had Xen dom0 and domU for years >> * They are starting to show decent results in SMP support, including a >> new scheduler (a bit similar to ULE); their GENERIC has SMP included >> * Possibly superpages, I'm not sure how to parse "Merged amd64 and i386 >> pmap. Large pages are always used if available" >> * I think they are working on their own ZFS port >> * They have ported or reimplemented Linux LVM (read+write+admin) >> >> There are of course other things; see for example >> http://www.netbsd.org/releases/formal-5/NetBSD-5.0.html >> >> I have a feeling the project has been revitalized in the last few years. 
>> >> ___ >> freebsd-sta...@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-stable >> To unsubscribe, send any mail to >> "freebsd-stable-unsubscr...@freebsd.org"
Open Vs Free BSD
Someone once said this to me: "Comparing FreeBSD and OpenBSD, FreeBSD is generally better at disk-related I/O whereas OpenBSD handles net-I/O better. No test has been carried out to prove this though." Every offence to the person who said this, but they are not the best admin ever, though they like to think they are (the worst kind I think). Can anyone shed any light? The reason I ask is we were debating about a network and he said OpenBSD on the network (routers, firewall etc) and FreeBSD as the app servers (mail, files etc etc), which I can see makes sense, but without having evidence it's pointless making a claim. Thanks :-)
Re: OpenBSD HA
Well yes, horses for courses :) -Original Message- From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Stuart Henderson Sent: 11 June 2009 16:51 To: misc@openbsd.org Subject: Re: OpenBSD HA On 2009-06-11, Michal wrote: > Not that I am disagreeing or anything, more questioning...but would we say > OpenBSD is better than Nokia Checkpoint Firewalls (disregarding cost > here)... for what I need, sure, very much better. but different people's needs vary. unfortunately I can't read about checkpoint without getting the corporate song stuck in my head. arrrgh. http://www.ranum.com/editorials/corporate-songs/sure-1.htm
Re: OpenBSD HA
Not that I am disagreeing or anything, more questioning...but would we say OpenBSD is better than Nokia Checkpoint Firewalls (disregarding cost here)... -Original Message- From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Joachim Schipper Sent: 11 June 2009 10:14 To: misc@openbsd.org Subject: Re: OpenBSD HA On Wed, Jun 10, 2009 at 09:13:33AM -0400, Marcos Ortiz Valmaseda wrote: > Regards to all the list. > I have several questions about OpenBSD that I don't have clear. > Look, we are an investigation team that wants to implant a DataCenter for > PostgreSQL, and we are thinking to use FreeBSD as the platform to hold > the databases (or the clusters of the db) and to use OpenBSD as the firewall > to the outside. But we are very new in OpenBSD and we want to know if we could > build a product above OpenBSD for all: as platform and as firewall, > because then we can use only one project and the time to build the product would > be shorter. > If we would use > OpenBSD as a firewall, which would be the best solution to do that ? > 1- With a redundant firewall > 2- With a centralized firewall > etc OpenBSD is widely used as a (redundant) firewall: pf is developed on OpenBSD, and software like pfsync makes it easy to build a redundant firewall. The network stack has been tuned extensively, etc. In short, OpenBSD is quite possibly the best firewall platform available today, and is very likely the best *nix firewall platform. And it's certainly cheaper than Cisco. As to PostgreSQL: it works just fine on OpenBSD. I'd encourage you to at least try (benchmark) it to see if OpenBSD can suit your needs. FreeBSD will do fine as a database platform, too; but OpenBSD has a stronger focus on security, and - as you point out - running a single OS is easier. If you decide not to go with OpenBSD, you may wish to consider OpenSolaris instead of FreeBSD, which will allow you to use ZFS and DTrace, both of which may be useful in a PostgreSQL deployment. 
There are good reasons not to use (Open)Solaris (you may consider it "not truly free", Oracle may kill it, you may have trouble finding people with experience, the userland utilities lack polish, etc), but at least it does offer some useful things in exchange for the headache of running two different OSes. OpenBSD is not usually used on "big iron", so if you want to have one huge(ly expensive) database server, you may wish to go with something else. Reputedly, Linux and (Open)Solaris both do well here; I honestly couldn't tell you if FreeBSD is a good choice. Joachim
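To make Joachim's "pfsync makes it easy to build a redundant firewall" concrete for Marcos's option 1, here is an added example (not from this thread and not OpenBSD project code) that renders the CARP, pfsync and pf.conf pieces for one node of a two-node pair. The interface names (em0 outside, em1 inside, em2 as a dedicated crossover link), the addresses, the vhids and the CARP password are assumptions for the example; the pf.conf syntax is current OpenBSD pf.conf(5). The security point it encodes: pfsync carries the whole state table in the clear with no authentication, so it is only ever bound to the back-to-back link and explicitly blocked on the routed interfaces, and the CARP password authenticates advertisements (HMAC-SHA1) but encrypts nothing.

```shell
#!/bin/sh
# Added example: render the CARP + pfsync config for one node of a two-node
# OpenBSD firewall pair. Interface names, addresses, vhids and the CARP
# password are assumptions for the example, not values from the thread.

# gen_ha_config <master|backup> <outdir>: write hostname.carp0, hostname.carp1,
# hostname.pfsync0 and pf.conf into outdir. The only difference between the
# two nodes is advskew: the node advertising with the lower skew holds the VIPs.
gen_ha_config() {
  role=$1; outdir=$2
  ext_if=em0; int_if=em1; sync_if=em2      # assumed: em2 is a back-to-back crossover link
  case "$role" in
    master) skew=0 ;;
    backup) skew=100 ;;
    *) echo "role must be master or backup" >&2; return 1 ;;
  esac
  mkdir -p "$outdir"

  # Virtual addresses that follow whichever node is master. "pass" only
  # authenticates CARP advertisements (HMAC-SHA1); it does not encrypt anything.
  cat > "$outdir/hostname.carp0" <<EOF
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 carpdev $ext_if pass CHANGE-ME advskew $skew
EOF
  cat > "$outdir/hostname.carp1" <<EOF
inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 2 carpdev $int_if pass CHANGE-ME advskew $skew
EOF
  # pfsync replicates the state table in the clear with no authentication, so
  # it is bound to the dedicated link only; never put it on a routed interface.
  cat > "$outdir/hostname.pfsync0" <<EOF
up syncdev $sync_if
EOF
  # Shell variables expand here; \$name is left for pf's own macro expansion.
  cat > "$outdir/pf.conf" <<EOF
ext_if = "$ext_if"
int_if = "$int_if"
sync_if = "$sync_if"

set skip on lo
block log all

# CARP advertisements only where virtual addresses live; not worth syncing
pass quick on { \$ext_if \$int_if } proto carp keep state (no-sync)

# pfsync only on the crossover link, explicitly refused elsewhere
pass quick on \$sync_if proto pfsync keep state (no-sync)
block quick on { \$ext_if \$int_if } proto pfsync

# Ordinary traffic; states created by these rules are replicated to the peer,
# so established connections survive a failover
pass in on \$int_if inet from \$int_if:network to any
pass out on \$ext_if inet
EOF
}

# check_ha_config <outdir>: pfctl -nf parses the ruleset without loading it. On a
# host without pfctl fall back to checking that the two protocol rules are present.
check_ha_config() {
  if command -v pfctl >/dev/null 2>&1; then
    pfctl -nf "$1/pf.conf"
  else
    grep -q 'proto pfsync' "$1/pf.conf" && grep -q 'proto carp' "$1/pf.conf"
  fi
}

case "${1:-}" in
  master|backup) gen_ha_config "$1" "${2:-./ha-config}" && check_ha_config "${2:-./ha-config}" ;;
esac
```

Run `sh ha.sh master /tmp/fw1` on one node and `sh ha.sh backup /tmp/fw2` on the other, review the output, then copy the files into /etc and load with `pfctl -f /etc/pf.conf`. Keep the same vhids and password on both nodes; if the two advskew values are equal the pair will flap, and if the sync link ever gets shared with other hosts, anyone on it can read or inject firewall state.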