Re: pflow on PE router

2021-06-06 Thread Patrick Dohman
Perhaps it has something to do with Citrix being a dinosaur.
God forbid the powers that be choose on premise unix.
Regards
Patrick

> On Jun 4, 2021, at 6:43 AM, Stuart Henderson  wrote:
> 
> On 2021/06/03 15:04, Chris Cappuccio wrote:
>> Stuart Henderson [s...@spacehopper.org] wrote:
>>> 
>>> Oh watch out with sloppy. Keep an eye on your state table size.
>> 
>> Really? Wouldn't sloppy keep the state table smaller if anything since it's 
>> tracking less specifically?
>> 
>> Anyways I use sloppy across four boxes that run in parallel with pfsync. 
>> There could easily be 10,000 devices behind it at any given time. I keep my 
>> state table limit at 1,000,000. It's around 300,000 during this lighter 
>> traffic period today. I had to do sloppy after moving to several boxes in 
>> parallel, I didn't notice sloppy making any significant difference?
>> 
>> Chris
> 
> The problem I had was in conjunction with synfloods. I didn't get
> captures for everything to figure it out (it was in 2018 and my
> network was in flames, with the full state table bgp sessions were
> getting dropped / not reestablishing) but I think what happened was
> this,
> 
> spoofed SYN to real server behind PF
> SYN+ACK from server
> 
> and the state entry ended up as ESTABLISHED:ESTABLISHED where it
> remained until the tcp.established timer expired (24h default
> or 5h with "set optimization aggressive").
> 
> My "fix" was to move as much as possible to "pass XX flags any no state"
> but that's clearly not going to help with what Denis would like to do.
> (fwiw - I'm not doing flow monitoring regularly, but when I do it's
> usually via sflow on switches instead, which solves some problems,
> though it's only possible in some situations).
> 
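
Added example, not code from the thread or from OpenBSD: a script that reads the verbose state listing (`pfctl -vvss`), counts states per protocol and state pair, and flags the entries Stuart describes, established TCP states that are old yet carried almost nothing, because a spoofed SYN plus the server's SYN+ACK promoted under sloppy tracking looks exactly like that until tcp.established expires. The sample output is constructed and only approximates pfctl's layout, so the field positions the regexes assume are assumptions.

```python
"""Spot parked TCP states in pf's state table.

Added example, not code from the thread. Under sloppy tracking a spoofed
SYN plus the server's SYN+ACK can leave an ESTABLISHED:ESTABLISHED entry
that carried almost no packets but only ages out with tcp.established
(24h by default). This parses "pfctl -vvss" output, summarizes the table
and lists established TCP states that are old but nearly empty. SAMPLE is
constructed and approximates pfctl's layout (assumed field positions).
"""
import re
import sys
from collections import Counter
from dataclasses import dataclass

SAMPLE = """\
all tcp 192.0.2.10:443 <- 198.51.100.7:51234       ESTABLISHED:ESTABLISHED
   [1234567 + 65535] wscale 7  [7654321 + 65535] wscale 7
   age 02:13:07, expires in 21:46:53, 412:389 pkts, 31200:412800 bytes, rule 12
   id: 0000000000000001 creatorid: 0a0b0c0d
all tcp 192.0.2.10:443 <- 203.0.113.45:40001       ESTABLISHED:ESTABLISHED
   [1 + 65535] wscale 0  [2 + 65535] wscale 0
   age 05:00:12, expires in 18:59:48, 1:1 pkts, 60:60 bytes, rule 12
   id: 0000000000000002 creatorid: 0a0b0c0d
all udp 192.0.2.10:53 <- 198.51.100.9:50000       MULTIPLE:SINGLE
   age 00:00:03, expires in 00:00:57, 2:1 pkts, 120:300 bytes, rule 4
   id: 0000000000000003 creatorid: 0a0b0c0d
all tcp 192.0.2.10:443 <- 203.0.113.46:40002       ESTABLISHED:ESTABLISHED
   [1 + 65535] wscale 0  [2 + 65535] wscale 0
   age 00:00:02, expires in 23:59:58, 1:1 pkts, 60:60 bytes, rule 12
   id: 0000000000000004 creatorid: 0a0b0c0d
"""

# First line of each state: interface, protocol, destination, direction
# arrow, source (optionally followed by NAT info), then the state pair.
HEADER_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<dst>\S+)\s+(?:<-|->|<->)\s+"
    r"(?P<src>\S+).*?\s+(?P<state>[A-Z0-9_]+:[A-Z0-9_]+)\s*$")
# Indented detail line carrying the state's age and in:out packet counters.
AGE_RE = re.compile(
    r"age (?P<h>\d+):(?P<m>\d+):(?P<s>\d+),.*?(?P<pin>\d+):(?P<pout>\d+) pkts")


@dataclass
class State:
    proto: str
    src: str
    dst: str
    state: str
    age_s: int = 0
    pkts_in: int = 0
    pkts_out: int = 0


def parse_states(text):
    """Turn pfctl -vvss output into State records."""
    states = []
    for line in text.splitlines():
        if not line.startswith(" "):
            m = HEADER_RE.match(line)
            if m:
                states.append(State(m["proto"], m["src"], m["dst"], m["state"]))
            continue
        m = AGE_RE.search(line)
        if m and states:
            cur = states[-1]
            cur.age_s = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            cur.pkts_in, cur.pkts_out = int(m["pin"]), int(m["pout"])
    return states


def summarize(states):
    """Count states per (protocol, state pair); a table dominated by
    tcp ESTABLISHED:ESTABLISHED during a flood is the first warning sign."""
    return Counter((s.proto, s.state) for s in states)


def suspicious_established(states, min_age_s=300, max_pkts=3):
    """Established TCP states older than min_age_s that carried at most
    max_pkts packets in either direction: a real session would have
    exchanged more than a handshake by then."""
    return [s for s in states
            if s.proto == "tcp" and s.state == "ESTABLISHED:ESTABLISHED"
            and s.age_s >= min_age_s
            and max(s.pkts_in, s.pkts_out) <= max_pkts]


def main():
    # Usage: pfctl -vvss | python3 pf_parked_states.py  (alone: uses SAMPLE)
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    states = parse_states(text)
    for (proto, state), n in sorted(summarize(states).items()):
        print(f"{n:8d}  {proto} {state}")
    for s in suspicious_established(states):
        print(f"parked: {s.src} -> {s.dst} age={s.age_s}s "
              f"pkts={s.pkts_in}:{s.pkts_out}")


if __name__ == "__main__":
    main()
```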



Re: pflow on PE router

2021-06-03 Thread Patrick Dohman
I suspect that you’ll be out of luck until TLSv1.3 is implemented. 
I’ve found the same to be true with the new 10 gb sfp switches in our 
infrastructure which surprisingly still implement TLSv1.0 & a broken CGI web 
server.
Regards
Patrick

> On Jun 1, 2021, at 3:44 PM, Stuart Henderson  wrote:
> 
> On 2021-05-30, Denis Fondras  wrote:
>> Le Fri, May 28, 2021 at 03:30:58PM -0700, Chris Cappuccio a écrit :
>>> You might try "set state-defaults pflow, sloppy", also in some scenarios 
>>> you 
>>> might need "set state-policy floating"
>>> 
>>> If "sloppy" fixes it, there may be some bugs to hunt.
>>> 
>> 
>> "sloppy" seems to fix the issue. I will do more tests this week before 
>> declaring
>> victory :)
>> 
>> Thank you Chris.
>> 
>> 
> 
> Oh watch out with sloppy. Keep an eye on your state table size.
> 



Re: pflow on PE router

2021-05-30 Thread Patrick Dohman


> "sloppy" seems to fix the issue. I will do more tests this week before 
> declaring
> victory :)
> 
> Thank you Chris.
> 

Get some ;)
Regards
Patrick



Re: OpenBSD Hangs On

2020-07-19 Thread Patrick Dohman



> On Jul 19, 2020, at 5:44 PM, Tom Smyth  wrote:
> 
> Im not sure what you mean? 

I can has all your VM’s in carbonite.
Regards
Patrick



Re: OpenBSD Hangs On

2020-07-19 Thread Patrick Dohman



> On Jun 23, 2020, at 11:31 AM, Tom Smyth  wrote:
> 
> But newer versions of kvm / linux kernels are unaffected
> By the bug fyi

Sounds like FUD.
B.T.W where is Boba’s ride?
Regards
Patrick



Re: Iked/unbound ~ more info.

2019-11-17 Thread Patrick Dohman


> On Nov 17, 2019, at 11:45 AM, Dale C.  wrote:
> 
> Hi again,
> 
> Still trying to forward DNS to a local unbound resolver on the
> responder of an IKE tunnel.
> 
> Providing more information here. Everything works, but DNS.
> 
> It's worth noting I've tried many, many variations on these configs,
> cannot get DNS to the remote unbound resolver.
> 
> So, my questions are: What is the correct way to forward DNS to a
> local unbound resolver on the responder?
> 
> If there is more information that is helpful, please let me know what
> you need and I'll post it ;)
> 
> Thanks!


Dale
Is it possible to place the ESP interface in debug?
Can you log PF/UDP traffic on the local unbound?
Regards
Patrick



Re: Softraid data recovery

2019-10-14 Thread Patrick Dohman


> On Oct 14, 2019, at 3:04 PM, Steven Surdock wrote:
> 
> root@host# more /var/backups/disklabel.sd1.backup
> # /dev/rsd1c:
> type: SCSI
> disk: SCSI disk
> label: SR RAID 1
> duid: 8ec2330eabf7cd26
> flags:
> bytes/sector: 512
> sectors/track: 63
> tracks/cylinder: 255
> sectors/cylinder: 16065
> cylinders: 486401
> total sectors: 7814036576
> boundstart: 64
> boundend: 7814036576
> drivedata: 0
> 
> 16 partitions:
> #size   offset  fstype [fsize bsize   cpg]
>  a:   2147488704   64  4.2BSD   8192 65536 1 # 
> /home/public/
>  c:   78140365760  unused
>  d:   5666547712   2147488768  4.2BSD   8192 65536 1 # 
> /home/Backups/
> 


A combination of revised partition lettering & a custom fstab may allow for 
mounting of the partitions without a software device.

For example:

$cat /etc/fstab
/dev/wd0a  /home ffs rw,nodev,nosuid 1 2
/dev/wd0d  /home/Backups/ ffs rw,nodev,nosuid 1 2

The device naming may take some massaging to work...
man fstab & disklabel for more info.

Regards
Patrick



HTTPD directory index

2019-10-12 Thread Patrick Dohman
Hoping to clarify if OpenBSD HTTPD supports index.html & index.php 
simultaneously?
The following config appears to be supported:

# A minimal default server
server "default" {
	listen on $ext_addr port 80
	directory { index "index.html" }
	location "/*.php*" {
		root { "/htdocs" }
		fastcgi socket "/run/php-fpm.sock"
	}
}

However, different varieties of the following directive:

directory { index "index.html", index "index.php" } or { index "index.html", "index.php" }

result in either a successful reload or the following syntax error:

httpd[35299]: parent_sig_handler: reload requested with SIGHUP
httpd[35299]: /etc/httpd.conf:20: syntax error
httpd[35299]: no actions, nothing to do

Regards
Patrick



Re: [OpenIKED] Network traffic over VPN site-to-site tunnel stalls few times a day

2019-08-25 Thread Patrick Dohman
Radek
In my opinion upstream DNS & UDP issues can cause interrupts with some ISPs.
I also believe that defining specific protos in your nat rule can decrease 
interrupts. 
You might consider the following modification to your nat rule to 
specifically allow UDP & ICMP.

match out log on $ext_if inet proto { tcp, udp, icmp } from { $lan_rac_local, 
$backup_local } nat-to $ext_if set prio (3, 7)

It appears that you have ICMP allow rules, which is a good idea in my opinion.
Have you ever done any logging of these packets? Are there any legitimate 
requests from your ISP?
Do you have an alternate DNS server you can test against? Are you using your 
ISP’s DNS?
Perhaps the new OpenBSD unwind package is worth investigating ;)
Regards
Patrick

> On Aug 25, 2019, at 1:31 PM, Radek  wrote:
> 
> Hello Patrick, 
> 
>> In my opinion your net5501’s system calls per interval are relatively high.
>> The (traps sys) column on my firewall hovers between 40 & 50 quite 
>> consistently.
>> My understanding is that system calls are things like program calls & 
>> library access.
> Is there any way to decrease these values?
> 
>> Many commercial routers run a customized kernel & rely on a stripped down 
>> user-land.
>> The kernel is also recompiled to run TCP/IP4 only & can no longer execute 
>> things like storage or virtualization.
>> The OpenBSD O.S includes all the user-land tools such as ping & top in 
>> addition to a standardized precompiled kernel. 
> Ok, I get it.
> 
> 
> On Fri, 23 Aug 2019 21:12:35 -0500
> Patrick Dohman  wrote:
> 
>> In my opinion your net5501’s system calls per interval are relatively high.
>> The (traps sys) column on my firewall hovers between 40 & 50 quite 
>> consistently.
>> My understanding is that system calls are things like program calls & 
>> library access.
>> 
>> In addition your net5501’s memory requests per second seem heavy.
>> You have fifty eight million 1024 bucket requests per second.
>> My firewall has a max of one hundred thousand 128 bucket requests per second.
>> 
>> Many commercial routers run a customized kernel & rely on a stripped down 
>> user-land.
>> The kernel is also recompiled to run TCP/IP4 only & can no longer execute 
>> things like storage or virtualization.
>> The OpenBSD O.S includes all the user-land tools such as ping & top in 
>> addition to a standardized precompiled kernel. 
>> Regards
>> Patrick
>> .
>>> 
>>> 
>>> On Thu, 22 Aug 2019 19:12:55 -0500
>>> Patrick Dohman  wrote:
>>> 
>>>> Radek
>>>> 
>>>> I’ve found that fast networking is actually CPU & memory intensive. 
>>>> Pentium 4 and Xeon's are increasingly a necessity for stable firewalls in 
>>>> my opinion.
>>>> Keep in mind OpenBSD is a monolithic kernel & isn’t a one to one ratio 
>>>> with a commercial router.
>>>> 
>>>> What are your context switches & interrupts doing while the VPN is up & 
>>>> traffic is flowing?
>>>> 
>>>> vmstat -w 4
>>>> 
>>>> What is your memory high water mark during a peak traffic?
>>>> 
>>>> vmstat -m
>>>> 
>>>> Regards
>>>> Patrick
>>>> 
>>>>> On Aug 21, 2019, at 12:34 AM, radek  wrote:
>>>>> 
>>>>> Hello Patrick,
>>>>> I am sorry for the late reply.
>>>>> 
>>>>>> Do you consider memory an issue?
>>>>> No, I do not. I have a bunch of old Soekris/net5501-70 and ALIX2d2/2d3, 
>>>>> that I use for VPN testing.
>>>>> Current testing set (6.5/i386) is net5501-70 <-> ALIX2d3
>>>>> Production set (6.3/i386) is net5501-70 <-> ALIX2d2
>>>>> Also have tried net5501-70 <-> net5501-70 - the same VPN problem occurs
>>>>> It is unlikely that every box has any hardware issue.
>>>>> 
>>>>>> Unix load average can occasionally be deceiving.
>>>>> I did not know.
>>>>> 
>>>>>  net5501-70 
>>>>> $top -d1 | head -n 4
>>>>> load averages:  0.05,  0.01,  0.00RAC-fw65-test.PRAC 10:58:14
>>>>> 38 processes: 1 running, 35 idle, 1 dead, 1 on processor  up 3 days, 18:02
>>>>> CPU states:  0.5% user,  0.0% nice,  0.4% sys,  0.0% spin,  0.2% intr, 
>>>>> 98.8% idle
>>>>> Memory: Real: 18M/267M act/tot Free: 222M Cache: 97M Swap: 0K/256M

Re: [OpenIKED] Network traffic over VPN site-to-site tunnel stalls few times a day

2019-08-23 Thread Patrick Dohman
In my opinion your net5501’s system calls per interval are relatively high.
The (traps sys) column on my firewall hovers between 40 & 50 quite consistently.
My understanding is that system calls are things like program calls & library 
access.

In addition your net5501’s memory requests per second seem heavy.
You have fifty eight million 1024 bucket requests per second.
My firewall has a max of one hundred thousand 128 bucket requests per second.

Many commercial routers run a customized kernel & rely on a stripped down 
user-land.
The kernel is also recompiled to run TCP/IP4 only & can no longer execute 
things like storage or virtualization.
The OpenBSD O.S includes all the user-land tools such as ping & top in addition 
to a standardized precompiled kernel. 
Regards
Patrick
.
> 
> 
> On Thu, 22 Aug 2019 19:12:55 -0500
> Patrick Dohman  wrote:
> 
>> Radek
>> 
>> I’ve found that fast networking is actually CPU & memory intensive. 
>> Pentium 4 and Xeon's are increasingly a necessity for stable firewalls in my 
>> opinion.
>> Keep in mind OpenBSD is a monolithic kernel & isn’t a one to one ratio with 
>> a commercial router.
>> 
>> What are your context switches & interrupts doing while the VPN is up & 
>> traffic is flowing?
>> 
>> vmstat -w 4
>> 
>> What is your memory high water mark during a peak traffic?
>> 
>> vmstat -m
>> 
>> Regards
>> Patrick
>> 
>>> On Aug 21, 2019, at 12:34 AM, radek  wrote:
>>> 
>>> Hello Patrick,
>>> I am sorry for the late reply.
>>> 
>>>> Do you consider memory an issue?
>>> No, I do not. I have a bunch of old Soekris/net5501-70 and ALIX2d2/2d3, 
>>> that I use for VPN testing.
>>> Current testing set (6.5/i386) is net5501-70 <-> ALIX2d3
>>> Production set (6.3/i386) is net5501-70 <-> ALIX2d2
>>> Also have tried net5501-70 <-> net5501-70 - the same VPN problem occurs
>>> It is unlikely that every box has any hardware issue.
>>> 
>>>> Unix load average can occasionally be deceiving.
>>> I did not know.
>>> 
>>>  net5501-70 
>>> $top -d1 | head -n 4
>>> load averages:  0.05,  0.01,  0.00RAC-fw65-test.PRAC 10:58:14
>>> 38 processes: 1 running, 35 idle, 1 dead, 1 on processor  up 3 days, 18:02
>>> CPU states:  0.5% user,  0.0% nice,  0.4% sys,  0.0% spin,  0.2% intr, 
>>> 98.8% idle
>>> Memory: Real: 18M/267M act/tot Free: 222M Cache: 97M Swap: 0K/256M
>>> 
>>>  ALIX2d3 
>>> $top -d1 | head -n 4
>>> load averages:  0.00,  0.00,  0.00mon65.home 07:30:05
>>> 37 processes: 1 running, 35 idle, 1 on processor  up 13:46
>>> CPU states:  0.3% user,  0.0% nice,  1.1% sys,  0.0% spin,  0.4% intr, 
>>> 98.3% idle
>>> Memory: Real: 125M/223M act/tot Free: 14M Cache: 47M Swap: 73M/256M
>>> 
>>> 
>>> 
>>>> What is the speed of your memory?
>>>> What make of Ethernets are you running?
>>> Dmesgs below
>>> 
>>>  net5501-70 
>>> OpenBSD 6.5 (GENERIC) #2: Tue Jul 23 23:08:46 CEST 2019
>>>   r...@syspatch-65-i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
>>> real mem  = 536363008 (511MB)
>>> avail mem = 511311872 (487MB)
>>> mpath0 at root
>>> scsibus0 at mpath0: 256 targets
>>> mainbus0 at root
>>> bios0 at mainbus0: date 20/80/26, BIOS32 rev. 0 @ 0xfac40
>>> pcibios0 at bios0: rev 2.0 @ 0xf/0x1
>>> pcibios0: pcibios_get_intr_routing - function not supported
>>> pcibios0: PCI IRQ Routing information unavailable.
>>> pcibios0: PCI bus #0 is the last bus
>>> bios0: ROM list: 0xc8000/0xa800
>>> cpu0 at mainbus0: (uniprocessor)
>>> cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 
>>> 500 MHz, 05-0a-02
>>> cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
>>> mtrr: K6-family MTRR support (2 registers)
>>> amdmsr0 at mainbus0
>>> pci0 at mainbus0 bus 0: configuration mode 1 (bios)
>>> 0:20:0: io address conflict 0x6100/0x100
>>> 0:20:0: io address conflict 0x6200/0x200
>>> pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
>>> glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
>>> vr0 at pci0 dev 6 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, 
>>> address 00:00:24:cb:4f:cc
>>> ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 
>>

Re: [OpenIKED] Network traffic over VPN site-to-site tunnel stalls few times a day

2019-08-22 Thread Patrick Dohman
> com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> com0: console
> com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
> pckbc0 at isa0 port 0x60/5 irq 1 irq 12
> pckbc0: unable to establish interrupt for irq 12
> pckbd0 at pckbc0 (kbd slot)
> wskbd0 at pckbd0: console keyboard
> pcppi0 at isa0 port 0x61
> spkr0 at pcppi0
> nsclpcsio0 at isa0 port 0x2e/2: NSC PC87366 rev 9: GPIO VLM TMS
> gpio1 at nsclpcsio0: 29 pins
> npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
> usb1 at ohci0: USB revision 1.0
> uhub1 at usb1 configuration 1 interface 0 "AMD OHCI root hub" rev 1.00/1.00 
> addr 1
> vscsi0 at root
> scsibus1 at vscsi0: 256 targets
> softraid0 at root
> scsibus2 at softraid0: 256 targets
> root on wd0a (2bf8b7abbbce37df.a) swap on wd0b dump on wd0b
> 
> 
>  ALIX2d3 
> OpenBSD 6.5 (GENERIC) #2: Tue Jul 23 23:08:46 CEST 2019
>r...@syspatch-65-i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
> real mem  = 267931648 (255MB)
> avail mem = 247779328 (236MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: date 11/05/08, BIOS32 rev. 0 @ 0xfd088
> pcibios0 at bios0: rev 2.1 @ 0xf/0x1
> pcibios0: pcibios_get_intr_routing - function not supported
> pcibios0: PCI IRQ Routing information unavailable.
> pcibios0: PCI bus #0 is the last bus
> bios0: ROM list: 0xe/0xa800
> cpu0 at mainbus0: (uniprocessor)
> cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 
> 499 MHz, 05-0a-02
> cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
> mtrr: K6-family MTRR support (2 registers)
> pci0 at mainbus0 bus 0: configuration mode 1 (bios)
> pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
> glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
> vr0 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 10, address 
> 00:0d:b9:1e:85:8c
> ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 
> 0x004063, model 0x0034
> vr1 at pci0 dev 10 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, 
> address 00:0d:b9:1e:85:8d
> ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 
> 0x004063, model 0x0034
> vr2 at pci0 dev 11 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 15, 
> address 00:0d:b9:1e:85:8e
> ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 
> 0x004063, model 0x0034
> glxpcib0 at pci0 dev 15 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 32-bit 
> 3579545Hz timer, watchdog, gpio, i2c
> gpio0 at glxpcib0: 32 pins
> iic0 at glxpcib0
> maxtmp0 at iic0 addr 0x4c: lm86
> pciide0 at pci0 dev 15 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0 
> wired to compatibility, channel 1 wired to compatibility
> wd0 at pciide0 channel 0 drive 0: 
> wd0: 1-sector PIO, LBA48, 7629MB, 15625216 sectors
> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
> pciide0: channel 1 ignored (disabled)
> ohci0 at pci0 dev 15 function 4 "AMD CS5536 USB" rev 0x02: irq 12, version 
> 1.0, legacy support
> ehci0 at pci0 dev 15 function 5 "AMD CS5536 USB" rev 0x02: irq 12
> usb0 at ehci0: USB revision 2.0
> uhub0 at usb0 configuration 1 interface 0 "AMD EHCI root hub" rev 2.00/1.00 
> addr 1
> isa0 at glxpcib0
> isadma0 at isa0
> com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> com0: console
> com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
> pcppi0 at isa0 port 0x61
> spkr0 at pcppi0
> npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
> usb1 at ohci0: USB revision 1.0
> uhub1 at usb1 configuration 1 interface 0 "AMD OHCI root hub" rev 1.00/1.00 
> addr 1
> nvram: invalid checksum
> vscsi0 at root
> scsibus1 at vscsi0: 256 targets
> softraid0 at root
> scsibus2 at softraid0: 256 targets
> root on wd0a (83b335c3c86bb80c.a) swap on wd0b dump on wd0b
> clock: unknown CMOS layout
> 
> On Mon, 19 Aug 2019 18:17:48 -0500
> Patrick Dohman  wrote:
> 
>> Do you consider memory an issue?
>> What is the speed of your memory?
>> Unix load average can occasionally be deceiving.
>> What make of Ethernets are you running?
>> Regards
>> Patrick
>> 
>>> On Aug 19, 2019, at 5:28 AM, radek  wrote:
>>> 
>>> Hello Patrick,
>>> 
>>>> Does your ISP implement authoritative DNS?
>>>> Do you suspect a UDP issue?
>>> My VPN is configured with IPs, not with domain names. Does DNS and/or UDP 
>>> matter anyway?
>>> 
>>>> Is a managed (switch) involved?
>>> No, it is n

Re: [OpenIKED] Network traffic over VPN site-to-site tunnel stalls few times a day

2019-08-19 Thread Patrick Dohman
Do you consider memory an issue?
What is the speed of your memory?
Unix load average can occasionally be deceiving.
What make of Ethernets are you running?
Regards
Patrick

> On Aug 19, 2019, at 5:28 AM, radek  wrote:
> 
> Hello Patrick,
> 
>> Does your ISP implement authoritative DNS?
>> Do you suspect a UDP issue?
> My VPN is configured with IPs, not with domain names. Does DNS and/or UDP 
> matter anyway?
> 
>> Is a managed (switch) involved?
> No, it is not. I do not use any switches in my testing setup.
> GW1--ISP1_modem--.--ISP2_modem--GW2
> 
> Has duplex ever been an issue?
> I have never noticed any duplex issue.
> 
> 
> On Sun, 18 Aug 2019 16:07:14 -0500
> Patrick Dohman  wrote:
> 
>> Does your ISP implement authoritative DNS?
>> Do you suspect a UDP issue?
>> Is a managed (switch) involved? Has duplex ever been an issue?
>> Regards
>> Patrick  
>> 
>>> On Aug 18, 2019, at 1:03 PM, Radek  wrote:
>>> 
>>> Hello,
>>> 
>>> I have two testing gateways (6.5/i386) with a site-to-site VPN between their 
>>> LANs (OpenIKED).
>>> Both gws are fully syspatched, have public IPs and the same iked/pf 
>>> configuration.
>>> 
>>> Unfortunately, the network traffic over the VPN tunnel stalls a few times a 
>>> day. 
>>> 
>>> On one side I use a script to monitor the VPN tunnel with ping; it restarts 
>>> iked and emails me if there is no ping over the VPN tunnel.
>>> Date: Sat, 17 Aug 2019 22:10:30 +0200 (CEST)
>>> Date: Sun, 18 Aug 2019 06:00:20 +0200 (CEST)
>>> Date: Sun, 18 Aug 2019 11:09:00 +0200 (CEST)
>>> Date: Sun, 18 Aug 2019 19:03:02 +0200 (CEST)
>>> 
>>> 
>>> In 6.3/i386 I have the same problem, but more frequently.
>>> Date: Sat, 17 Aug 2019 23:03:56 +0200 (CEST)
>>> Date: Sun, 18 Aug 2019 01:37:50 +0200 (CEST)
>>> Date: Sun, 18 Aug 2019 04:12:31 +0200 (CEST)
>>> Date: Sun, 18 Aug 2019 06:46:25 +0200 (CEST)
>>> Date: Sun, 18 Aug 2019 09:20:22 +0200 (CEST)
>>> Date: Sun, 18 Aug 2019 11:59:08 +0200 (CEST)
>>> Date: Sun, 18 Aug 2019 14:34:38 +0200 (CEST)
>>> Date: Sun, 18 Aug 2019 17:12:57 +0200 (CEST)
>>> Date: Sun, 18 Aug 2019 19:47:16 +0200 (CEST)
>>> 
>>> Do I have any bugs/deficiencies in my configs, missed something? 
>>> Is there any way to make it work uninterruptedly?
>>> I would be very grateful if you could help me with this case.
>>> 
>>> $cat /etc/hostname.enc0
>>> up
>>> 
>>> $cat /etc/hostname.vr3
>>> inet 10.0.17.254 255.255.255.0 NONE description "LAN17"
>>> group trust
>>> 
>>> $cat /etc/iked.conf
>>> local_gw_RAC17  = "10.0.17.254" # lan_RAC
>>> local_lan_RAC17 = "10.0.17.0/24"
>>> remote_gw_MON   = "1.2.3.5" # fw_MON
>>> remote_lan_MON  = "172.16.1.0/24"
>>> ikev2 quick active esp \
>>> from $local_gw_RAC17 to $remote_gw_MON \
>>> from $local_lan_RAC17 to $remote_lan_MON peer $remote_gw_MON \
>>> childsa enc chacha20-poly1305 \
>>> psk "psk"
>>> 
>>> $cat /etc/pf.conf
>>> # RAC-fwTEST
>>> ext_if  = "vr0"
>>> lan_rac_if  = "vr3" # vr3 -
>>> lan_rac_local   = $lan_rac_if:network # 10.0.17.0/24
>>> backup_if   = "vr2" # vr2 - lewy port
>>> backup_local= $backup_if:network # 10.0.117/24
>>> 
>>> bud = "1.2.3.0/25"
>>> rdk_wy  = "1.2.3.4"
>>> rdk_mon = "1.2.3.5"
>>> panac_krz   = "1.2.3.6"
>>> panac_rac   = "1.2.3.7"
>>> 
>>> set fingerprints "/dev/null"
>>> set skip on { lo, enc0 }
>>> set block-policy drop
>>> set optimization normal
>>> set ruleset-optimization basic
>>> 
>>> antispoof quick for {lo0, $lan_rac_if, $backup_if }
>>> 
>>> match out log on $ext_if from { $lan_rac_local, $backup_local } nat-to 
>>> $ext_if set prio (3, 7)
>>> 
>>> block all
>>> 
>>> match in all scrub (no-df random-id)
>>> match out all scrub (no-df random-id)
>>> pass out on egress keep state
>>> 
>>> pass from { 10.0.201.0/24, $lan_rac_local, $backup_local } to any set prio 
>>> (3, 7) keep state
>>> 
>>> ssh_port= "1071"
>>> table  const { $bud, $rdk_wy, $rdk_mon, $panac_krz, $pa

Re: [OpenIKED] Network traffic over VPN site-to-site tunnel stalls few times a day

2019-08-18 Thread Patrick Dohman
Does your ISP implement authoritative DNS?
Do you suspect a UDP issue?
Is a managed (switch) involved? Has duplex ever been an issue?
Regards
Patrick  

> On Aug 18, 2019, at 1:03 PM, Radek  wrote:
> 
> Hello,
> 
> I have two testing gateways (6.5/i386) with a site-to-site VPN between their LANs 
> (OpenIKED).
> Both gws are fully syspatched, have public IPs and the same iked/pf 
> configuration.
> 
> Unfortunately, the network traffic over the VPN tunnel stalls a few times a 
> day. 
> 
> On one side I use a script to monitor the VPN tunnel with ping; it restarts 
> iked and emails me if there is no ping over the VPN tunnel.
> Date: Sat, 17 Aug 2019 22:10:30 +0200 (CEST)
> Date: Sun, 18 Aug 2019 06:00:20 +0200 (CEST)
> Date: Sun, 18 Aug 2019 11:09:00 +0200 (CEST)
> Date: Sun, 18 Aug 2019 19:03:02 +0200 (CEST)
> 
> 
> In 6.3/i386 I have the same problem, but more frequently.
> Date: Sat, 17 Aug 2019 23:03:56 +0200 (CEST)
> Date: Sun, 18 Aug 2019 01:37:50 +0200 (CEST)
> Date: Sun, 18 Aug 2019 04:12:31 +0200 (CEST)
> Date: Sun, 18 Aug 2019 06:46:25 +0200 (CEST)
> Date: Sun, 18 Aug 2019 09:20:22 +0200 (CEST)
> Date: Sun, 18 Aug 2019 11:59:08 +0200 (CEST)
> Date: Sun, 18 Aug 2019 14:34:38 +0200 (CEST)
> Date: Sun, 18 Aug 2019 17:12:57 +0200 (CEST)
> Date: Sun, 18 Aug 2019 19:47:16 +0200 (CEST)
> 
> Do I have any bugs/deficiencies in my configs, missed something? 
> Is there any way to make it work uninterruptedly?
> I would be very grateful if you could help me with this case.
> 
> $cat /etc/hostname.enc0
> up
> 
> $cat /etc/hostname.vr3
> inet 10.0.17.254 255.255.255.0 NONE description "LAN17"
> group trust
> 
> $cat /etc/iked.conf
> local_gw_RAC17  = "10.0.17.254" # lan_RAC
> local_lan_RAC17 = "10.0.17.0/24"
> remote_gw_MON   = "1.2.3.5" # fw_MON
> remote_lan_MON  = "172.16.1.0/24"
> ikev2 quick active esp \
> from $local_gw_RAC17 to $remote_gw_MON \
> from $local_lan_RAC17 to $remote_lan_MON peer $remote_gw_MON \
> childsa enc chacha20-poly1305 \
> psk "psk"
> 
> $cat /etc/pf.conf
> # RAC-fwTEST
> ext_if  = "vr0"
> lan_rac_if  = "vr3" # vr3 -
> lan_rac_local   = $lan_rac_if:network # 10.0.17.0/24
> backup_if   = "vr2" # vr2 - lewy port
> backup_local= $backup_if:network # 10.0.117/24
> 
> bud = "1.2.3.0/25"
> rdk_wy  = "1.2.3.4"
> rdk_mon = "1.2.3.5"
> panac_krz   = "1.2.3.6"
> panac_rac   = "1.2.3.7"
> 
> set fingerprints "/dev/null"
> set skip on { lo, enc0 }
> set block-policy drop
> set optimization normal
> set ruleset-optimization basic
> 
> antispoof quick for {lo0, $lan_rac_if, $backup_if }
> 
> match out log on $ext_if from { $lan_rac_local, $backup_local } nat-to 
> $ext_if set prio (3, 7)
> 
> block all
> 
> match in all scrub (no-df random-id)
> match out all scrub (no-df random-id)
> pass out on egress keep state
> 
> pass from { 10.0.201.0/24, $lan_rac_local, $backup_local } to any set prio 
> (3, 7) keep state
> 
> ssh_port= "1071"
> table  const { $bud, $rdk_wy, $rdk_mon, $panac_krz, $panac_rac, 
> 10.0.2.0/24, 10.0.15.0/24, 10.0.100.0/24 }
> table  persist counters
> block from 
> pass in log quick inet proto tcp from  to $ext_if port $ssh_port 
> flags S/SA \
>set prio (7, 7) keep state \
>(max-src-conn 15, max-src-conn-rate 2/10, overload  flush 
> global)
> 
> icmp_types  = "{ echoreq, unreach }"
> pass inet proto icmp all icmp-type $icmp_types \
>set prio (7, 7) keep state
> 
> table  const { $rdk_mon, $panac_rac, $panac_krz }
> pass out quick on egress proto esp from (egress:0) to  
>  set prio (6, 7) keep state
> pass out quick on egress proto udp from (egress:0) to  port {500, 
> 4500} set prio (6, 7) keep state
> pass  in quick on egress proto esp from  to (egress:0) 
>  set prio (6, 7) keep state
> pass  in quick on egress proto udp from  to (egress:0) port {500, 
> 4500} set prio (6, 7) keep state
> pass out quick on trust received-on enc0 set prio (6, 7) keep state
> 
> pass in on egress proto udp from any to (egress:0) port {isakmp,ipsec-nat-t} 
> set prio (6,7) keep state
> pass in on egress proto {ah,esp} set prio (6,7) keep state
> 
> # By default, do not permit remote connections to X11
> block return in on ! lo0 proto tcp to port 6000:6010
> 
> $cat iked_monitor.sh
> #!/bin/sh
> while true
> do
> vpn=`ping -c 3 -w 1 -I 10.0.17.254 172.16.1.254 | grep packets | awk -F " " 
> '{print $4}'`
> 
> if [ "${vpn}" -eq 0 ] ; then
> mon=`ping -c 3 -w 1 the_other_side_WAN_IP | grep packets | awk -F " " '{print 
> $4}'`
> wan=`ping -c 3 -w 1 8.8.8.8 | grep packets | awk -F " " '{print $4}'`
> 
>if [ "${mon}" -gt 0 ] && [ "${wan}" -gt 0 ] ; then
>echo vpn: ${vpn}, mon: ${mon}, wan: ${wan} | mail -s "no ping through 
> VPN RACTEST-MON! restarting iked!" em...@example.com
>rcctl restart iked
>fi
> fi
> sleep 32
> done
> 
> 
> -- 
> Radek
> 
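
Added example, not code from the thread: a Python rework of the decision logic in Radek's iked_monitor.sh above. It keeps the script's three probes (tunnel, the peer's WAN address, a public reference host) but separates ping parsing, the verdict and the restart so each can be tested, handles ping runs that print no summary line, and adds a cooldown so a flapping link cannot restart iked every 32 seconds. The addresses and the 32 s interval are the thread's; the 300 s cooldown is an assumption, and the peer WAN address is the placeholder the script used.

```python
"""Tunnel liveness monitor with testable decision logic.

Added example, not code from the thread. Mirrors iked_monitor.sh: if the
tunnel is dead but the peer's WAN address and a reference host still answer,
iked is restarted. Differences: parsing, verdict and action are separate
functions, a missing ping summary counts as zero replies, and restarts are
rate-limited. COOLDOWN_S and the reference host choice are assumptions.
"""
import re
import subprocess
import sys
import time

TUNNEL_SRC = "10.0.17.254"           # local LAN gateway, as in iked.conf
TUNNEL_DST = "172.16.1.254"          # remote LAN gateway pinged by the script
PEER_WAN = "the_other_side_WAN_IP"   # placeholder kept from the thread
REFERENCE = "8.8.8.8"                # reachability reference used by the script
COOLDOWN_S = 300                     # assumed minimum gap between restarts

# OpenBSD ping summary, e.g. "3 packets transmitted, 2 packets received, 33.3% packet loss"
SUMMARY_RE = re.compile(r"(\d+) packets transmitted, (\d+) packets received")


def received_packets(ping_output):
    """Replies counted by ping; 0 when no summary line exists (ping stopped
    by -w before printing one, unresolvable host, empty output)."""
    m = SUMMARY_RE.search(ping_output)
    return int(m.group(2)) if m else 0


def run_ping(target, source=""):
    """Three probes, one second wait each, optionally from a source address."""
    cmd = ["ping", "-c", "3", "-w", "1"] + (["-I", source] if source else []) + [target]
    return subprocess.run(cmd, capture_output=True, text=True).stdout


def decide(vpn_ok, peer_ok, wan_ok):
    """Only a dead tunnel with a working WAN and reachable peer justifies a restart."""
    if vpn_ok:
        return "ok"
    if not wan_ok:
        return "wan-down"
    if not peer_ok:
        return "peer-unreachable"
    return "restart-iked"


class Cooldown:
    """Allows one action per `seconds`; the clock is injectable for tests."""
    def __init__(self, seconds, clock=time.monotonic):
        self.seconds, self.clock, self.last = seconds, clock, None

    def allow(self):
        now = self.clock()
        if self.last is None or now - self.last >= self.seconds:
            self.last = now
            return True
        return False


def check_once(ping=run_ping, cooldown=None):
    """One monitoring round; returns the verdict instead of acting on it."""
    vpn = received_packets(ping(TUNNEL_DST, TUNNEL_SRC))
    if vpn > 0:
        return "ok"
    peer = received_packets(ping(PEER_WAN))
    wan = received_packets(ping(REFERENCE))
    verdict = decide(False, peer > 0, wan > 0)
    if verdict == "restart-iked" and cooldown is not None and not cooldown.allow():
        return "restart-suppressed"
    return verdict


def restart_iked():
    subprocess.run(["rcctl", "restart", "iked"], check=False)


def main():
    cooldown = Cooldown(COOLDOWN_S)
    while True:
        verdict = check_once(cooldown=cooldown)
        if verdict != "ok":
            print(time.strftime("%F %T"), verdict, file=sys.stderr)
        if verdict == "restart-iked":
            restart_iked()
        time.sleep(32)   # same polling interval as the script


if __name__ == "__main__":
    main()
```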



Re: OT: hardware war with manufacturers (espionage claims)

2019-07-06 Thread Patrick Dohman


> On Jul 5, 2019, at 10:49 PM, Theo de Raadt  wrote:
> 
> So this is misc, which is full of lots of talk about nothing, by people
> who can't change the ecosystem.  Having worried vocally about this
> before, I know I can't change it.  Pretty sad to see people who are even
> less capable find the energy to moan about it.  Especially americans.
> Know what I mean?

I currently suspect the well known Chinese conglomerates are not participating 
in industrial espionage.
At this point the trade war is an effort to continue with existing 
relationships that have existed for decades.
It’s well understood that the Agro business is a growing consideration for the 
likes of China & Vietnam & that manufacturing in those countries is a tug of 
war with demand.
As the predominance of fast food & convenience continues to explode it’s 
possible that American trade dominance may actually increase.
Regards
Patrick



Re: Installing OpenBSD on Supermicro A2SDi-4C-HLN4F

2019-06-15 Thread Patrick Dohman
My understanding is that a well known linux vendor was disabling kernel ACPI 
APEI & EINJ parameter support by default.

"ACPI provides an error injection mechanism, EINJ, for debugging and testing
the ACPI Platform Error Interface (APEI) and other RAS features. If
supported by the firmware, ACPI specification 5.0 and later provide for a
way to specify a physical memory address to which to inject the error.

Injecting errors through EINJ can produce errors which to the platform are
indistinguishable from real hardware errors. This can have undesirable
side-effects, such as causing the platform to mark hardware as needing
replacement.

While it does not provide a method to load unauthenticated privileged code,
the effect of these errors may persist across reboots and affect trust in
the underlying hardware, so disable error injection through EINJ if
securelevel is set."

Regards
Patrick

> On Jun 15, 2019, at 3:02 AM, Richard Laysell  
> wrote:
> 
> 
> Hello,
> 
> I was trying OpenBSD on a Supermicro A2SDi-4C-HLN4F which uses an Intel
> Atom CPU (Denverton).  The board boots but most devices are not
> detected because ACPI can't be enabled.
> 
> Does anyone know if this is likely to be supported at some point?
> 
> Full dmesg is below
> 
> OpenBSD 6.5 (RAMDISK_CD) #3: Sat Apr 13 14:55:38 MDT 2019
>dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
> real mem = 17125621760 (16332MB)
> avail mem = 16602619904 (15833MB)
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x7f0c3000 (35 entries)
> bios0: vendor American Megatrends Inc. version "1.1b" date 12/17/2018
> bios0: Supermicro Super Server
> acpi0 at bios0: rev 2, can't enable ACPI
> cpu0 at mainbus0: (uniprocessor)
> cpu0: Intel(R) Atom(TM) CPU C3558 @ 2.20GHz, 2200.41 MHz, 06-5f-01
> cpu0: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,SMEP,ERMS,MPX,RDSEED,SMAP,CLFLUSHOPT,PT,SHA,IBRS,IBPB,STIBP,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
> cpu0: 2MB 64b/line 16-way L2 cache
> cpu0: cannot disable silicon debug
> cpu0: mwait min=64, max=64, C-substates=0.2.0.2, IBE
> pci0 at mainbus0 bus 0
> 0:31:5: mem address conflict 0xfe01/0x1000
> pchb0 at pci0 dev 0 function 0 vendor "Intel", unknown product 0x1980 rev 0x11
> pchb1 at pci0 dev 4 function 0 vendor "Intel", unknown product 0x19a1 rev 0x11
> vendor "Intel", unknown product 0x19a2 (class system subclass root complex 
> event, rev 0x11) at pci0 dev 5 function 0 not configured
> ppb0 at pci0 dev 6 function 0 vendor "Intel", unknown product 0x19a3 rev 0x11
> pci1 at ppb0 bus 1
> vendor "Intel", unknown product 0x19e2 (class processor subclass 
> Co-processor, rev 0x11) at pci1 dev 0 function 0 not configured
> ppb1 at pci0 dev 10 function 0 vendor "Intel", unknown product 0x19a5 rev 0x11
> pci2 at ppb1 bus 2
> ppb2 at pci0 dev 16 function 0 vendor "Intel", unknown product 0x19aa rev 0x11
> pci3 at ppb2 bus 3
> ppb3 at pci0 dev 17 function 0 vendor "Intel", unknown product 0x19ab rev 0x11
> pci4 at ppb3 bus 4
> ppb4 at pci4 dev 0 function 0 "ASPEED Technology AST1150 PCI" rev 0x03
> pci5 at ppb4 bus 5
> "ASPEED Technology AST2000" rev 0x30 at pci5 dev 0 function 0 not configured
> vendor "Intel", unknown product 0x19ac (class system subclass miscellaneous, 
> rev 0x11) at pci0 dev 18 function 0 not configured
> ahci0 at pci0 dev 19 function 0 vendor "Intel", unknown product 0x19b2 rev 
> 0x11: unable to map interrupt
> ahci1 at pci0 dev 20 function 0 vendor "Intel", unknown product 0x19c2 rev 
> 0x11: unable to map interrupt
> xhci0 at pci0 dev 21 function 0 vendor "Intel", unknown product 0x19d0 rev 
> 0x11: couldn't map interrupt
> ppb5 at pci0 dev 22 function 0 vendor "Intel", unknown product 0x19d1 rev 0x11
> pci6 at ppb5 bus 6
> vendor "Intel", unknown product 0x15e4 (class network subclass ethernet, rev 
> 0x11) at pci6 dev 0 function 0 not configured
> vendor "Intel", unknown product 0x15e4 (class network subclass ethernet, rev 
> 0x11) at pci6 dev 0 function 1 not configured
> ppb6 at pci0 dev 23 function 0 vendor "Intel", unknown product 0x19d2 rev 0x11
> pci7 at ppb6 bus 7
> vendor "Intel", unknown product 0x15e5 (class network subclass ethernet, rev 
> 0x11) at pci7 dev 0 function 0 not configured
> vendor "Intel", unknown product 0x15e5 (class network subclass ethernet, rev 
> 0x11) at pci7 dev 0 function 1 not configured
> vendor "Intel", unknown product 0x19d3 (class communications subclass 
> miscellaneous, rev 0x11) at pci0 dev 24 function 0 not configured
> vendor "Intel", unknown product 0x19dc (class bridge subclass ISA, rev 0x11) 
> at pci0 dev 31 function 0 not configured
> vendor "Intel", unknown product 0x19de (class memory subclass miscellaneous, 
> rev 0x11) at pci0 dev 31 function 2 not 

Re: chrome pledge "", syscall 289

2019-06-04 Thread Patrick Dohman


> On Jun 3, 2019, at 6:46 PM, Cord  wrote:
> 
> Hi,
> I have found the following errors on the log:
> 
> /bsd: chrome[18585]: pledge "", syscall 289
> 
> they appear everytime I start chrome.. they are about 4 or 5, what means?
> It's the first time, yesterday and in the past there aren't any.
> 

Notwithstanding the obvious, have you tried --enable-unveil?
Regards
Patrick



Re: Let's Encrypt ACMEv1 end-of-life

2019-06-01 Thread Patrick Dohman


> On May 31, 2019, at 10:42 AM, Diogo Pinela  wrote:
> 
> As I understand it, acme-client currently only supports
> ACMEv1. Let's Encrypt recently announced they're going
> to begin progressively deprecating that protocol starting
> this November:

OCSP is an interesting subject.
In my opinion there is still a need for a certificate infrastructure inside 
private LANs.
I’ve learned that in many situations a DNS authority can not be accommodated & 
certs are non-op.
In addition I find the reliance on public API via browser a potential privacy 
concern.
Regards
Patrick



PCIe SFP Network Adapters

2019-05-27 Thread Patrick Dohman
Hoping to clarify if any PCI Express SFP adapters are currently considered 
compatible.
I've recently upgraded my managed switch & now have two SFP 100/1000 uplinks.
At this point I consider my existing Broadcom NetXtreme 10/100/1000 ethernet 
card stable.
However testing of SFP functionality on OpenBSD & PF seems worthwhile.
A quick search turned up a StarTech PEX1000SFP2 with the following chipsets:
Realtek - RTL8168E 
Marvell - 88EB1
Please note that I’m hoping to maintain desktop compatibility while 
implementing SFP.
Regards
Patrick



HTTPD Receiving SIGUSR1 from parent

2019-02-24 Thread Patrick Dohman
Hoping to clarify the necessity of HTTPD SIGUSR & specifically the following 
error located in the daemon log. 

httpd[59510]: parent_sig_handler: reopen requested with SIGUSR1

At this point it appears that SIGUSR1 is a definable signal.
However the following command forcibly closes the current login & disconnects 
the current user.

doas kill -SIGUSR1 $PPID

The behavior of the above command leads me to suspect that perhaps pledge is 
interacting with process & signals.
Regards
Patrick



Re: CPU platform

2019-02-10 Thread Patrick Dohman


> On Feb 10, 2019, at 12:13 PM, Nick Holland  
> wrote:
> 
> Most likely, you are going to start by panicking about Meltdown and
> Spectre.  Then you are going to go load up your system with poorly
> written software which is far more likely to be the REAL cause of a breach.
> 
> OpenBSD Developers are on the problems as well or better than anyone
> else.  At this point, worry much more about the decisions you make OTHER
> than HW platform, as they matter far more.
> 
> Nick.

Perhaps you can configure your proprietary compiler to run in error verbose.
All new compiled binaries will fault & result in a watchdog reset. 
The one time package installer needed at inception is linked to a temporary bin 
that is deleted at network target.
N.O.C. analyst monitoring systems are responsible for repeated reboots & 
reinstallation.
Regards
Patrick



Re: CPU platform

2019-02-10 Thread Patrick Dohman


> On Feb 10, 2019, at 7:41 AM, Mihai Popescu  wrote:
> 
> How did you folks with Intel based production systems mitigated this?
> 
> Thank you.

At this point hyper threading is no-op on my Dell system.

Hoping to clarify if Meltdown affects Bigtable?
Also what is the status of "no root unix". The process owner is asking.
Regards
Patrick



Re: What programming languages and operating systems will be used after Jesus returns?

2019-02-09 Thread Patrick Dohman


> On Feb 9, 2019, at 3:11 PM, patrick keshishian  wrote:
> 
> also you have got daemons running in the system.
> 
> 
> 
>> Yours,
>>  Ingo
>> 

From time to time the sounding of the dwarven horn will go on deaf ears ;)
Regards
Patrick



Re: Cheaper alternatives for APC UPS

2018-12-29 Thread Patrick Dohman


> On Dec 17, 2018, at 2:47 PM, Radek wrote:
> 
> Hello,
> 
> could you recommend me any UPS brands *cheaper* than APC that are fully 
> supported in OpenBSD?
> I always use APC, managing them via USB and apcupsd(both servers and clients) 
> and PowerChute(windows clients). It works like a charm.  APC is quite 
> expensive brand so I am looking for any cheaper alternatives.
> 
> Thanks!
> 
> -- 
> radek
> 

I own a set of APC Back-UPS 750 & I’ve found them to be effective & reliable 
on occasions where power was lost & also determined that UPSs can outlast my 
patience with the power company here in St Paul MN. At this point I can 
envision the APC 750s being of assistance in many situations, including the 
remote Canadian wilderness ;)
Regards
Patrick



Re: Automated remote install

2018-12-21 Thread Patrick Dohman


> On Dec 19, 2018, at 9:24 AM, andrew fabbro wrote:
> Virtually all of the better KVM hosts offer an OpenBSD ISO, and in my
> experience, 100% will add it to their library if you request it.
> 
> Note that I'm referring to KVM providers (traditional VPS providers), not
> "public cloud".  The big boys - AWS, Azure, Google, etc. are not interested
> in OpenBSD.
> 
> The mid-tier players - DigitalOcean, Vultr, Linode - are semi-interested.
> Vultr offers it natively.  You can shim on Linode or DO but why bother then
> the main field of KVM players (there are thousands) offer it.  If you
> search for a VPS provider that offers KVM (not OpenVZ, VIrtuozzo, or Xen)
> you will find many.

I’ve got a few static IPs & a stable 6.3 machine.
Might trade you a VMM/VMD for a few beers.
Regards
Patrick



OptiPlex GX620 - OpenBSD 6.3 - PF appears stable while streaming

2018-11-03 Thread Patrick Dohman
Please note a Broadcom BCM5751 was added to facilitate NAT.

[patrick@database ~]$uptime
10:50AM  up 42 days, 8 mins, 1 user, load averages: 0.09, 0.06, 0.06

[patrick@database ~]$doas pfctl -si
doas (patrick@database) password:
Status: Enabled for 42 days 00:08:33           Debug: err

State Table                          Total             Rate
  current entries                       65
  half-open tcp                          0
  searches                       782289109          215.5/s
  inserts                           601225            0.2/s
  removals                          601160            0.2/s
Counters
  match                             789832            0.2/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              6            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                     10601            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  translate                              0            0.0/s
  no-route                               0            0.0/s


[patrick@database ~]$vmstat -iz
interrupt                       total     rate
irq0/clock                  362988731      100
irq0/ipi                            0        0
irq144/acpi0                        0        0
irq96/ppb0                          0        0
irq114/inteldrm0                    1        0
irq97/ppb1                          0        0
irq114/bge0                 171293425       47
irq98/ppb2                          0        0
irq115/bge1                 265298132       73
irq99/uhci0                         0        0
irq100/uhci1                        0        0
irq101/uhci2                        0        0
irq102/uhci3                        0        0
irq99/ehci0                         0        0
irq102/auich0                       0        0
irq103/pciide0                      0        0
irq104/pciide1                1989319        0
irq105/fdc0                         0        0
irq145/com0                         0        0
irq146/pckbc0                       0        0
irq147/pckbc0                       0        0
irq148/lpt0                         0        0
Total                       801569608      220

OpenBSD 6.3 (GENERIC.MP) #4: Sun Jun 17 11:22:20 CEST 2018
r...@syspatch-63-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 3731382272 (3558MB)
avail mem = 3611279360 (3443MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xf0450 (73 entries)
bios0: vendor Dell Inc. version "A10" date 10/27/2006
bios0: Dell Inc. OptiPlex GX620
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S3 S4 S5
acpi0: tables DSDT FACP SSDT APIC BOOT ASF! MCFG HPET
acpi0: wakeup devices VBTN(S4) PCI0(S5) PCI4(S5) PCI2(S5) PCI3(S5) PCI1(S5)
PCI5(S5) PCI6(S5) USB0(S3) USB1(S3) USB2(S3) USB3(S3)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Pentium(R) 4 CPU 2.80GHz, 2793.46 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,CNXT-ID,CX16,xTPR,NXE,LONG,MELTDOWN
cpu0: 1MB 64b/line 8-way L2 cache
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 199MHz
ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins, remapped to apid 8
acpimcfg0 at acpi0 addr 0xf000, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 4 (PCI4)
acpiprt1 at acpi0: bus 2 (PCI2)
acpiprt2 at acpi0: bus 3 (PCI3)
acpiprt3 at acpi0: bus 1 (PCI1)
acpiprt4 at acpi0: bus -1 (PCI5)
acpiprt5 at acpi0: bus -1 (PCI6)
acpiprt6 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C1(@1 halt!)
acpibtn0 at acpi0: VBTN
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82945G Host" rev 0x02
ppb0 at pci0 dev 1 function 0 "Intel 82945G PCIE" rev 0x02: msi
pci1 at ppb0 bus 1
inteldrm0 at pci0 dev 2 function 0 "Intel 82945G Video" rev 0x02
drm0 at inteldrm0
intagp0 at 
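
A consistency check over the pfctl -si output above, as an added example that is not part of the post (the sample below is constructed from the counters quoted above; the function names are the example's own). It shows three things the raw table does not say: inserts minus removals must equal the live entry count, the Rate column is total divided by the "Enabled for" uptime (a lifetime average, so a burst an hour ago is invisible in it and two snapshots are needed for a current rate), and which counters only move when pf is out of resources.

```python
import re

# Constructed sample: the pfctl -si output quoted in the post above.
SAMPLE = """\
Status: Enabled for 42 days 00:08:33           Debug: err

State Table                          Total             Rate
  current entries                       65
  half-open tcp                          0
  searches                       782289109          215.5/s
  inserts                           601225            0.2/s
  removals                          601160            0.2/s
Counters
  match                             789832            0.2/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              6            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                     10601            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  translate                              0            0.0/s
  no-route                               0            0.0/s
"""

STATUS_RE = re.compile(r"Enabled for (\d+) days (\d\d):(\d\d):(\d\d)")
ROW_RE = re.compile(r"^\s+([a-z][a-z-]*(?: [a-z]+)?)\s+(\d+)(?:\s+(\d+\.\d+)/s)?\s*$")


def parse_pf_info(text):
    """Return (uptime_seconds, {counter: (total, reported_rate_or_None)})."""
    uptime, rows = None, {}
    for line in text.splitlines():
        m = STATUS_RE.search(line)
        if m:
            days, h, mi, s = (int(x) for x in m.groups())
            uptime = days * 86400 + h * 3600 + mi * 60 + s
            continue
        m = ROW_RE.match(line)
        if m:
            name, total, rate = m.groups()
            rows[name] = (int(total), float(rate) if rate else None)
    if uptime is None:
        raise ValueError("no 'Status: Enabled for' line; is pf enabled?")
    return uptime, rows


def check_pf_info(text):
    """Sanity checks a practitioner wants from one pfctl -si snapshot."""
    uptime, rows = parse_pf_info(text)

    def total(name):
        return rows[name][0]

    findings = {}
    # The state table is a ledger: every state inserted is later removed,
    # so inserts - removals must equal the entries currently live.
    findings["ledger_balanced"] = (
        total("inserts") - total("removals") == total("current entries"))
    # The Rate column is total / seconds since pf was enabled, i.e. a
    # lifetime average; it cannot show a recent burst.
    findings["rate_is_lifetime_average"] = (
        abs(total("searches") / uptime - rows["searches"][1]) < 0.1)
    # Counters that only move when pf is out of memory, at its state or
    # source-tracking limits, or failed to insert a state; non-zero = look.
    findings["exhaustion"] = {
        k: total(k) for k in ("memory", "state-limit", "state-insert", "src-limit")
        if total(k)}
    # Packets that matched a state but failed its checks (for TCP, the
    # sequence-number window), as a percentage of all state matches.
    findings["state_mismatch_pct"] = round(
        100.0 * total("state-mismatch") / total("match"), 2)
    return findings


def delta_rates(before, after, seconds):
    """Recent per-second rates from two snapshots `seconds` apart; this is
    how to see what the lifetime-average Rate column hides."""
    _, a = parse_pf_info(before)
    _, b = parse_pf_info(after)
    return {k: (b[k][0] - a[k][0]) / seconds for k in a if k in b}


if __name__ == "__main__":
    for key, value in check_pf_info(SAMPLE).items():
        print(f"{key}: {value}")
```

On the quoted box the ledger balances exactly (601225 - 601160 = 65) and 782289109 searches over 42 days is the 215.5/s shown, which confirms the Rate column is an average since enable; take two snapshots with `pfctl -si` a few seconds apart and pass them to `delta_rates` to see the current load.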

Re: ping blocked for 12 minutes

2018-05-20 Thread Patrick Dohman
It appears there is an erratum affecting Avoton and Rangeley products.

AVR54:

"System May Experience Inability to Boot or May Cease Operation Problem: 
The SoC LPC_CLKOUT0 and/or LPC_CLKOUT1 signals (Low Pin Count bus clock 
outputs) may stop functioning.
Implication: If the LPC clock(s) stop functioning the system will no longer be 
able to boot.
Workaround: A platform level change has been identified and may be implemented 
as a workaround for this erratum."

Please note I’m not affiliated with the vendor...

Regards
Patrick

> On May 20, 2018, at 5:30 AM, Axel Rau  wrote:
> 
> 
>> Am 17.05.2018 um 11:47 schrieb Axel Rau :
>> 
>> Hi,
>> 
>> a firewall box blocks ICMP packets (from icinga2 hostalive4 check_command) 
>> for 12 minutes.
>> This happens nearly every night. mtr shows 100% loss on the last hop.
> 
> 
> Forwarded traffic is not affected but all traffic to the box itself is 
> blocked during these periods.
> A reboot after 63 days of uptime seems to have cleared the affect.
> 
> Axel
> ---
> PGP-Key:29E99DD6  ☀  computing @ chaos claudius
> 



Re: OT: Yandex - was Re: Why is ftp option removed from installer?

2018-05-09 Thread Patrick Dohman
Their mirror appears to resolve correctly here in St Paul MN USA.
Incidentally why are there no African mirrors aka Kenya etc?
Regards
Patrick

> On May 8, 2018, at 2:27 PM, ropers  wrote:
> 
> On 8 May 2018 at 19:12, Leonid Bobrov  wrote:
> 
>> but in my country (Ukraine) Yandex is blocked,
>> but my ISP didn't block ftp://mirror.yandex.ru
> 
> 
> OT, but America also seems to mess with Yandex in weird ways, whereby at
> least some American users get Yandex.ru redirected to Yandex.ua, which very
> much looks like politically-motivated American sabotage of a major Russian
> digital enterprise.
> 
> Anybody else see this too? Are there any Americans (by IP-geolocation) who
> DON'T see this?
> 
> Apologies for the noise, but curiosity could not be contained.



Re: kernel relink segfaults on ALIX

2018-04-19 Thread Patrick Dohman

> ed...@pettijohn-web.com wrote:
> 
> One step further would be to put that in your rc.local so it survives an 
> upgrade.
> 

An even more insecure option is:
doas chmod 000 /usr/libexec/reorder_kernel
doas chflags schg /usr/libexec/reorder_kernel
Beware securelevel 0 is required to clear the "schg" file flag.

Mamma mia!
Patrick



Re: 4-ports router under $150

2018-04-10 Thread Patrick Dohman

> Stuart Henderson wrote:
> 
> APU and APU2 are both rock solid for many people on OpenBSD. If seeing
> problems there I would first look for hardware issues e.g. is the power
> supply faulty, or are there any mPCIe cards that might be causing
> problems?
> 

My PC Engines APU & APU2 were both unstable running 5.7 & 5.8.
Specific to your question, the mPCIe slot was equipped with an Atheros AR9281 
WLAN card.
In addition my current move to a distinct/discrete access point was hastened by 
a buggy Zyxel USG20w that implemented Dynamic Frequency Selection (DFS).
Please note the Zyxel & PC Engines both intermittently caused subnet 
"collisions" that necessitated a power cycle of numerous network hosts.
After several months of stability with the USG a patch to remediate KRACK 
caused DFS to run idle and disconnect during channel scan.
In an effort to remediate I configured a Hawking HW7ACB and found subnet 
collisions no longer an issue, however occasional wireless disconnects occurred.
After installing WiFi Explorer I determined that all channels (1 - 161) were 
noisy and contained overlap in my urban apartment complex. 
In an effort to remediate I’ve configured a Hawking HW7ACB with channel number 165.
At this point my network stability is considered good.



Re: 4-ports router under $150

2018-04-08 Thread Patrick Dohman

>  Jordan Geoghegan wrote:
> 
> I'd rather be running *BSD on ANY platform rather that running some 
> proprietary mikrotik garbage.
> 

The MikroTik 2011UiAS is quite respectable. 
It replaced a Zyxel USG that was patched to address KRACK, which introduced a 
strange bug that left it unstable. 
The lesson learned is don’t patch unless qualified.
Regards
Patrick



Re: 4-ports router under $150

2018-04-08 Thread Patrick Dohman
As much as I’d rather not point the blame, I found the APU platform buggy when 
running OpenBSD.
Yes there are reports of stability with other OSes, however subtle 
hardware/firmware bugs appeared on several OpenBSD releases.
I’m actually in the other boat when it comes to hardware stability being an 
excuse, however OpenBSD’s excellent embedded footprint does well at disclosing 
subtle hardware issues.
I’m currently running a MikroTik 2011UiAS that is built on a MIPS processor. 
Quite honestly I’ve found the secret of stability in the network hardware arena 
to be distinct/discrete hardware.
Router ——> Firewall ——> Switch ——> Access point. Call me a throwback to 
2001, however the result of one issue cascading across all protocols is too 
heavy a load for one chip/box.
B.T.W. I’m currently running a 6.2 DB on a Dell GX620 & things are stable.
Regards
Patrick

> On Apr 8, 2018, at 7:42 AM, Karel Gardas  wrote:
> 
> On Sat, 7 Apr 2018 20:28:14 -0700
> Jordan Geoghegan  wrote:
> 
>> 
>> On 04/07/18 19:01, jungle boogie wrote:
>>> Thus said Jordan Geoghegan on Sat, 7 Apr 2018 17:57:16 -0700
 The Edgerouter 6 is going to be coming out shortly, that is what I am 
 holding out for to run my home network on.
 
 
>>> 
>>> Just curious, why this and not amd64 bit with something like the 
>>> pcengine apu2 board? I know it only has three NICs, so it's likely a 
>>> non-started for the OP, but it's 64bit amd.
>>> 
>>> I don't know the MSRP of the ER6. Do you?
>>> 
>> Because I don't like amd64 and avoid it when possible. I like the idea 
>> of having a niche architecture for my internet facing machines.
> 
> niche archs are nice, but if you do not have code of firmware to see what's 
> its doing inside, then it's kind of meaningless.
> PC Engines can provide you with their coreboot modified sources if you like 
> to see them...



Re: Broadcast/Multicast & NTP - CAPWAP

2018-01-01 Thread Patrick Dohman
Philip
I’ve recreated a wireless connectivity issue with the OpenBSD 6.2 machine 
powered off & RJ45 disconnected.
At this point I’m chalking things up to living in proximity to an airport.
In an effort to resolve the issue I’ve implemented a spare Hawking AP.
Regards
Patrick

> On Dec 30, 2017, at 7:06 PM, Philip Guenther <guent...@gmail.com> wrote:
> 
> On Sat, 30 Dec 2017, Patrick Dohman wrote:
>> I’m looking to determine if the cause of intermittent subnet 
>> “collisions” that necessitate power cycle of numerous networks hosts is 
>> the result of OpenBSD security configurations
> 
> You haven't described your setup or what you're actually running on your 
> OpenBSD box, so I don't know how OpenBSD is even *involved* in what you're 
> asking about.
> 
> ...
>> Essentially If security configurations that disable for example 
>> broadcast echo & address mask query can lead to unexpected results. For 
>> example MTU size & TCP window scaling options requiring the results of a 
>> broadcast ICMP echo.
> 
> Path MTU detection is dependent on ICMP "fragmentation required" 
> responses, but OpenBSD generates, processes, and passes those by default.  
> TCP window scaling is not dependent on any sort of ICMP.
> 
> 
>> Or if unintended result of the stateless UDP traffic never reaching it’s 
>> destination due to security config can result in ICMP UDP MTU errors.
> 
> Uh, no.
> 
> Frankly, this sounds like grasping at straws; you need to pause and 
> actually write down *testable* details before trying to come up with
> (more) hypotheses.  As I wrote before:
> 
>>> If the latter, then you should take it down a level and describe what you 
>>> tried to do, what you expected to see "on the wire/in the air", and what 
>>> you _actually_ saw there?
> 
> 
> Philip Guenther



Re: Broadcast/Multicast & NTP - CAPWAP

2017-12-31 Thread Patrick Dohman

> On Dec 30, 2017, at 7:06 PM, Philip Guenther  wrote:
> 
> 
> Uh, no.
> 
> Frankly, this sounds like grasping at straws; you need to pause and 
> actually write down *testable* details before trying to come up with
> (more) hypotheses.  As I wrote before:
> 
>>> If the latter, then you should take it down a level and describe what you 
>>> tried to do, what you expected to see "on the wire/in the air", and what 
>>> you _actually_ saw there?
> 

I’ll go ahead update the Wi-Fi password & see if that makes things worse.
Regards
Patrick



Re: Broadcast/Multicast & NTP - CAPWAP

2017-12-30 Thread Patrick Dohman
Thanks for the reply.
I’m looking to determine if the cause of intermittent subnet “collisions” that 
necessitate a power cycle of numerous network hosts is the result of OpenBSD 
security configurations.
Please note the OpenBSD host is reachable via SSH, however ICMP from the host 
and from other hosts on the subnet fails and DNS lookups on the Puffy machine 
fail following the network failure. 
In addition wifi appears related as 802.11 is constantly active and may be 
requesting configuration change during channel/frequency update.
Essentially, if security configurations that disable for example broadcast echo 
& address mask query can lead to unexpected results. 
For example MTU size & TCP window scaling options requiring the results of a 
broadcast ICMP echo.
Or if the unintended result of stateless UDP traffic never reaching its 
destination due to security config can result in ICMP UDP MTU errors.
Regards
Patrick

> On Dec 30, 2017, at 5:55 PM, Philip Guenther <guent...@gmail.com> wrote:
> 
> On Sat, 30 Dec 2017, Patrick Dohman wrote:
>> At this point it appears that openbsd security configurations may result 
>> in a los of UDP ICMP traffic to all hosts on a segment. If possible 
>> please clarify if any of the following are required foe the proper 
>> operation of NTP/CAPWAP on a broadcast/multicast segment.
> 
> Do you just want to hope that someone on this list has already deployed 
> "CAPWAP" with OpenBSD and wait for them to answer, or are you interested 
> in trying to debug it?
> 
> If the latter, then you should take it down a level and describe what you 
> tried to do, what you expected to see "on the wire/in the air", and what 
> you _actually_ saw there?
> 
> 
> (Reading at least one 120+ page standard written by Cisco just to 
> understand the background to someone else's problem is a high barrier to 
> assistance by others who are familiar with networking but not with CAPWAP 
> and/or LWAPP.)
> 
> 
> Philip Guenther



Broadcast/Multicast & NTP - CAPWAP

2017-12-30 Thread Patrick Dohman
At this point it appears that OpenBSD security configurations may result in a 
loss of UDP ICMP traffic to all hosts on a segment.
If possible please clarify if any of the following are required for the proper 
operation of NTP/CAPWAP on a broadcast/multicast segment. 

[patrick@bully ~]$sysctl | grep multi  
net.inet.ip.multipath=0
net.inet6.ip6.multipath=0
net.inet6.ip6.multicast_mtudisc=0

[patrick@bully ~]$sysctl | grep 'net.inet' | grep '=0' 
net.inet.ip.forwarding=0
net.inet.ip.sourceroute=0
net.inet.ip.directed-broadcast=0
net.inet.ip.encdebug=0
net.inet.ip.ipsec-soft-allocs=0
net.inet.ip.ipsec-allocs=0
net.inet.ip.ipsec-soft-bytes=0
net.inet.ip.ipsec-bytes=0
net.inet.ip.ifq.len=0
net.inet.ip.ifq.drops=0
net.inet.ip.mforwarding=0
net.inet.ip.multipath=0
net.inet.ip.arpqueued=0
net.inet.icmp.maskrepl=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.rediraccept=0
net.inet.ipip.allow=0
net.inet.tcp.ackonpush=0
net.inet.tcp.ecn=0
net.inet.tcp.always_keepalive=0
net.inet.gre.allow=0
net.inet.gre.wccp=0
net.inet.mobileip.allow=0
net.inet.etherip.allow=0
net.inet.ipcomp.enable=0
net.inet.carp.preempt=0

Regards
Patrick


Re: ECDH

2017-08-31 Thread Patrick Dohman
I got this working last night.

It appears the certificate was being created incorrectly: certificate 
authority is unwanted & the SSL client extension is needed.
Regards
Patrick


> On Aug 30, 2017, at 4:36 PM, Patrick Dohman <patrick_doh...@centurylink.net> 
> wrote:
> 
> 
>> Because they copied M$IE. This is no longer the case with the latest version 
>> of FF.
> 
> 
> I read this afternoon that conversion of the certificate type from PEM format 
> to the likes of PKCS#12 allows Firefox to cope 
> with a client server certificate exchange. However this config will likely 
> break Shodan & urchin analytics. 
> 
> I may attempt to test this in the next release...
> 
> 
>> We do not trust browsers keychain management. We use their own keychain with 
>> care, and avoid linking it with system keychain.
> 
> The default Apache SSL verify depth of 10 certificate authorities is often 
> unnecessary & may exacerbate the complex knob patching Ted is attempting 
> simplify. 
> 
> Regards
> Patrick
> 



Re: ECDH

2017-08-30 Thread Patrick Dohman

> Because they copied M$IE. This is no longer the case with the latest version 
> of FF.


I read this afternoon that conversion of the certificate type from PEM format 
to the likes of PKCS#12 allows Firefox to cope 
with a client server certificate exchange. However this config will likely 
break Shodan & urchin analytics. 

I may attempt to test this in the next release...


> We do not trust browsers keychain management. We use their own keychain with 
> care, and avoid linking it with system keychain.

The default Apache SSL verify depth of 10 certificate authorities is often 
unnecessary & may exacerbate the complex knob patching Ted is attempting 
simplify. 

Regards
Patrick



Re: ECDH

2017-08-29 Thread Patrick Dohman
I’ve read that SHA1 can be brute forced, however why Mozilla Firefox forces an 
ECDH is misunderstood if attempting to negotiate for example RSA.

In my experience SeaMonkey can authenticate correctly against an Apple 
keychain, however Firefox returns cipher suite errors.
Regards
Patrick


> On Aug 29, 2017, at 2:25 PM, Rupert Gallagher <r...@protonmail.com> wrote:
> 
> https://www.ssllabs.com/ssltest/viewClient.html?name=Firefox=53=Win%207=142
> 
> Sent from ProtonMail Mobile
> 
> On Tue, Aug 29, 2017 at 5:08 PM, Patrick Dohman 
> <patrick_doh...@centurylink.net> wrote:
> 
> >> My current understanding is that Mozilla Firefox also has issues with ECDHE.
> >> For example applications implementing a web server and library specific
> >> cipher suites may be incompatible with Firefox if ECDHE is enabled.
> >> However the same self signed certificate installed in different web server
> >> for example apache are compatible with Firefox with ECDHE enabled.
> >> My current hypothesis is that not all open source projects "purchased" a
> >> class three public certificate authority from the likes of Symantec which
> >> prevents the certificate store from falling back to SSL 3.0.
> >> That essentially to all certificate stores are equal & that hashing an
> >> appropriate algorithm is becoming non standardized in the event that the
> >> certificate is not a trusted root.
> >> Regards
> >> Patrick
> >> 
> >> > On Aug 29, 2017, at 8:23 AM, Rupert Gallagher wrote:
> >> > 
> >> >> Clean up the EC key/curve configuration handling. We no longer support
> >> >> ECDH and ECDHE can be disabled by removing ECDHE ciphers from the cipher
> >> >> list. As such, permanently enable automatic EC curve selection and
> >> >> generation, effectively disabling all of the configuration knobs.
> >> > 
> >> > https://www.tedunangst.com/flak/post/openbsd-changes-of-note-627
> >> > 
> >> > The description



Re: ECDH

2017-08-29 Thread Patrick Dohman
My current understanding is that Mozilla Firefox also has issues with ECDHE.
For example applications implementing a web server and library specific cipher 
suites may be incompatible with Firefox if ECDHE is enabled.
However the same self signed certificate installed in different web server for 
example apache are compatible with Firefox with ECDHE enabled.
My current hypothesis is that not all open source projects "purchased" a class 
three public certificate authority from the likes of Symantec which prevents the 
certificate store from falling back to SSL 3.0.
That essentially to all certificate stores are equal & that hashing an 
appropriate algorithm is becoming non standardized in the event that the 
certificate is not a trusted root.

Regards
Patrick

> On Aug 29, 2017, at 8:23 AM, Rupert Gallagher  wrote:
> 
>> Clean up the EC key/curve configuration handling. We no longer support ECDH 
>> and ECDHE can be disabled by removing ECDHE ciphers from the cipher list. As 
>> such, permanently enable automatic EC curve selection and generation, 
>> effectively disabling all of the configuration knobs.
> 
> https://www.tedunangst.com/flak/post/openbsd-changes-of-note-627
> 
> The description



Re: fu: re: spam

2017-08-27 Thread Patrick Dohman
Tell us about the webmail…. ;)

Regards
Patrick


> On Aug 27, 2017, at 5:41 AM, leo_...@volny.cz wrote:
> 
> *curses* this pos webmail poop hid from me that that was a private msg,
> so I sent to the list. grrr!
> 
> another reason to drop the matter, though :/
> 
>--schaafuit.
> 



Re: PPPoE disconnecting frequently

2017-03-19 Thread Patrick Dohman
At this point I’m considering leasing a routable public IP address or a
block of addresses for the ZyXEL.

In this way the ATM/PTM traffic & PPPoE encapsulation is telco/ISP specific &
an OpenBSD device can be assigned an ethernet port & public IP if needed.

Regards
Patrick

> On Mar 19, 2017, at 2:11 PM, Tom Murphy  wrote:
>
> Hi,
>
> Another thing to check is whether the PPPoE tunnel is trying to negotiate
> IPv6. I had this happen with my ISP. I was disconnecting every 5-6 minutes.
> I ended up changing my hostname.pppoe0 to:
>
> inet 0.0.0.0 255.255.255.255 NONE \
> pppoedev re0 authproto chap \
> authname 'u...@example.com' up
> dest 0.0.0.1
> inet6 eui64
> !/sbin/route add default -ifp pppoe0 0.0.0.1
> !/sbin/route add -inet6 default -ifp pppoe0 fe80::
>
>
> It stopped disconnecting me every 5 minutes after that. Even though it's
> still using IPv4, something on the other end wasn't liking the fact that I
> "had no IPv6 support" on my side.
>
> Hope this helps,
>
> Tom



Re: PPPoE disconnecting frequently

2017-03-19 Thread Patrick Dohman
I’ve also been troubleshooting frequent PPPoE issues with an OpenBSD router;
at this point my troubleshooting has resulted in the following:

The residential ISP supplied ZyXEL C100Z currently supports forty five days
plus of PPPoE uptime.

It appears the C100Z PTM (Packet Transfer Mode) traffic is 802.1q VLAN tagged
201, perhaps to support VoIP prioritization.

Adding a managed switch & configuring transparent PPPoE bridging resulted in
MTU issues necessitating baby jumbos on the non-ISP router.

Perhaps the ISP supplied router can accommodate 802.1q VLAN tags on the PPPoE
device with a loopback that does not necessitate ethernet MTU.

In addition I speculate that the router’s wireless access point supports FCC
certification on 802.11n & can accommodate frequency/channel change as
required.

Regards
Patrick




> On Mar 16, 2017, at 7:46 PM, Nicholas Bachmann 
wrote:
>
> Hi all,
>
> I’m having a problem where PPPoE disconnects every 6-7 minutes. I’m
> originally saw this in 5.9; I then upgraded to 6.0 but still have the
> same issue.
>
> If I run “ifconfig pppoe0 up” right after it disconnects, it comes
> right back up again. I have a ddwrt box that can successfully keep
> this same PPPoE connection up without these disconnects, so I don’t
> think the problem is related to the ISP equipment.
>
> My hostname.pppoe0 looks like:
>
> inet 0.0.0.0 255.255.255.255 NONE \
>  pppoedev em0 authproto pap peerproto chap \
>  authname ‘username’ authkey ‘mypassword’ up
> dest 0.0.0.1
> !/sbin/route add default -ifp pppoe0 0.0.0.1
>
> In dmesg and /var/log/messages, I see only this:
> Mar 17 04:02:42 greatwall /bsd: pppoe0: LCP keepalive timeout
>
> I ran tcpdump, and this is all the pppoe traffic I see:
> 04:09:07.070988 Echo-Request, Magic-Number=1174906872
> 04:09:07.070995 Echo-Reply, Magic-Number=1072546934
> 04:09:09.231366 Configure-Request, Interface-ID=0225:baff:fe7a:03fd
> 04:09:09.231378 Configure-Ack, Interface-ID=0225:baff:fe7a:03fd
> 04:09:12.331417 Configure-Request, Interface-ID=0225:baff:fe7a:03fd
> 04:09:12.331430 Configure-Ack, Interface-ID=0225:baff:fe7a:03fd
> 04:09:15.631510 Configure-Request, Interface-ID=0225:baff:fe7a:03fd
> 04:09:15.631522 Configure-Ack, Interface-ID=0225:baff:fe7a:03fd
> 04:09:32.308186 Echo-Request, Magic-Number=1072546934
> 04:09:42.310549 Echo-Request, Magic-Number=1072546934
> 04:09:52.312791 Echo-Request, Magic-Number=1072546934
> 04:10:02.315637 Terminate-Request
> 04:10:02.342731 Configure-Request, Magic-Number=849593138,
> Max-Rx-Unit=1492, Auth-Prot CHAP/MD5[|lcp]
> 04:10:02.390879 Configure-Request, Max-Rx-Unit=1492, Auth-Prot PAP,
> Magic-Number=535689543, Vendor-Ext
> 04:10:02.390889 Configure-Ack, Max-Rx-Unit=1492, Auth-Prot PAP,
> Magic-Number=535689543[|lcp]
> 04:10:02.390995 Configure-Reject, Auth-Prot CHAP/MD5, Vendor-Ext
> 04:10:02.391001 Terminate-Request
> 04:10:02.392061 Terminate-Ack
>
> This isn't much to go on so I’d be grateful for any suggestions about
> where to troubleshoot this further.
>
> Thanks,
> Nick
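
The LCP exchange in the tcpdump quoted above, replayed by an added example that is not part of the thread (the sample below is constructed from those lines; function names are the example's own). Every Echo-Request and Echo-Reply carries its sender's magic number, so the magic identifies which side sent each packet. The example assumes the local side's magic is 1072546934, taken from the Echo-Reply the box sent at 04:09:07, and that the link is torn down after three unanswered probes, which is what the trace shows: three Echo-Requests ten seconds apart with no reply, then Terminate-Request, with the peer last heard 55 seconds earlier.

```python
import re

# Constructed sample: the LCP lines from the tcpdump quoted in the post above.
# The Configure-Request/Ack lines carrying Interface-ID are IPV6CP, not LCP;
# they are kept to show the parser skips them.
SAMPLE = """\
04:09:07.070988 Echo-Request, Magic-Number=1174906872
04:09:07.070995 Echo-Reply, Magic-Number=1072546934
04:09:09.231366 Configure-Request, Interface-ID=0225:baff:fe7a:03fd
04:09:09.231378 Configure-Ack, Interface-ID=0225:baff:fe7a:03fd
04:09:32.308186 Echo-Request, Magic-Number=1072546934
04:09:42.310549 Echo-Request, Magic-Number=1072546934
04:09:52.312791 Echo-Request, Magic-Number=1072546934
04:10:02.315637 Terminate-Request
04:10:02.392061 Terminate-Ack
"""

LCP_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) "
    r"(Echo-Request|Echo-Reply|Terminate-Request|Terminate-Ack)"
    r"(?:, Magic-Number=(\d+))?"
)


def _seconds(h, m, s, us):
    """Time of day in seconds (the sample does not cross midnight)."""
    return int(h) * 3600 + int(m) * 60 + int(s) + int(us) / 1e6


def analyse_lcp(text, local_magic, max_alive=3):
    """Replay LCP echo traffic and explain a keepalive timeout.

    local_magic is our own magic number (assumed: read it off the Echo-Reply
    the box sends). max_alive is the number of consecutive unanswered probes
    after which the link is torn down (assumed 3, matching the trace).
    """
    unanswered = 0            # our Echo-Requests with no reply yet
    peer_last_heard = None    # time of the last packet carrying the peer's magic
    probe_times = []          # when we sent each probe
    for line in text.splitlines():
        m = LCP_RE.match(line)
        if not m:
            continue          # IPV6CP/IPCP option lines are not echo traffic
        t = _seconds(*m.group(1, 2, 3, 4))
        kind, magic = m.group(5), m.group(6)
        if magic is not None and int(magic) != local_magic:
            peer_last_heard = t           # any packet from the peer proves it alive
            if kind == "Echo-Reply":
                unanswered = 0            # our probe was answered
        elif kind == "Echo-Request":
            unanswered += 1               # our own keepalive probe
            probe_times.append(t)
        elif kind == "Terminate-Request":
            silence = (None if peer_last_heard is None
                       else round(t - peer_last_heard, 1))
            interval = (round(probe_times[-1] - probe_times[-2], 1)
                        if len(probe_times) > 1 else None)
            return {
                "keepalive_timeout": unanswered >= max_alive,
                "unanswered_echoes": unanswered,
                "silence_before_terminate": silence,
                "probe_interval": interval,
                "terminated_at": line[:15],
            }
    return {"keepalive_timeout": False, "unanswered_echoes": unanswered,
            "silence_before_terminate": None, "probe_interval": None,
            "terminated_at": None}


if __name__ == "__main__":
    for key, value in analyse_lcp(SAMPLE, local_magic=1072546934).items():
        print(f"{key}: {value}")
```

The useful number is silence_before_terminate: if the peer was last heard well before our first unanswered probe, the peer (or the path to it) went quiet first and the timeout is the symptom, not the cause. Lines the regex does not recognise are skipped, so the raw LCP lines from a tcpdump on pppoe0 can be fed in as they are.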



Re: PC-Engines Wireless - PPPOE timeouts.

2017-01-02 Thread Patrick Dohman
In an effort to troubleshoot an increase in LCP keepalive timeouts, I have gone
ahead & placed the APU’s PPPoE interface in debug mode.

At this point it appears that for approximately 60 seconds this morning no
LCP echo requests were received & an LCP keepalive timeout occurred shortly
thereafter.

In addition, I have gone ahead & updated PF with the following changes to
facilitate Path MTU Discovery with the intention of improving stability.

# Pass all inbound ICMP echo requests, specifically destination unreachable.
icmp_types = "{ echoreq, unreach }"
pass in log quick on egress inet proto icmp all icmp-type $icmp_types keep state

# Enforces a maximum Maximum Segment Size on outgoing pppoe0 traffic only.
match out on pppoe0 scrub (max-mss 1440)

# Do not normalize DF and Identification packets (rule removed):
# match in all scrub (no-df random-id)

Based on a review of the pf log it appears that very little, if any, PMTU traffic
was received in the last 24 hours.

Please see below for more info:

Jan  2 04:25:36 Firewall /bsd: pppoe0: got lcp echo req, sending echo rep
Jan  2 04:25:36 Firewall /bsd: pppoe0: lcp output 
Jan  2 04:25:36 Firewall /bsd: pppoe0 (8864) state=3, session=0x15d2 output ->
3c:8a:b0:cd:ee:72, len=16
Jan  2 04:25:50 Firewall /bsd: pppoe0 (8864) state=3, session=0x15d2 output ->
3c:8a:b0:cd:ee:72, len=92
Jan  2 04:25:51 Firewall /bsd: pppoe0: lcp input(opened): 
Jan  2 04:25:51 Firewall /bsd: pppoe0: got lcp echo req, sending echo rep
Jan  2 04:25:51 Firewall /bsd: pppoe0: lcp output 
Jan  2 04:25:51 Firewall /bsd: pppoe0 (8864) state=3, session=0x15d2 output ->
3c:8a:b0:cd:ee:72, len=16
Jan  2 04:26:06 Firewall /bsd: pppoe0: lcp input(opened): 
Jan  2 04:26:06 Firewall /bsd: pppoe0: got lcp echo req, sending echo rep
Jan  2 04:26:06 Firewall /bsd: pppoe0: lcp output 
Jan  2 04:26:06 Firewall /bsd: pppoe0 (8864) state=3, session=0x15d2 output ->
3c:8a:b0:cd:ee:72, len=16
Jan  2 04:26:18 Firewall /bsd: pppoe0 (8864) state=3, session=0x15d2 output ->
3c:8a:b0:cd:ee:72, len=92
Jan  2 04:26:21 Firewall /bsd: pppoe0: lcp input(opened): 
Jan  2 04:26:21 Firewall /bsd: pppoe0: got lcp echo req, sending echo rep
Jan  2 04:26:21 Firewall /bsd: pppoe0: lcp output 
Jan  2 04:26:21 Firewall /bsd: pppoe0 (8864) state=3, session=0x15d2 output ->
3c:8a:b0:cd:ee:72, len=16
Jan  2 04:26:36 Firewall /bsd: pppoe0: lcp input(opened): 
Jan  2 04:26:36 Firewall /bsd: pppoe0: got lcp echo req, sending echo rep
Jan  2 04:26:36 Firewall /bsd: pppoe0: lcp output 
Jan  2 04:26:36 Firewall /bsd: pppoe0 (8864) state=3, session=0x15d2 output ->
3c:8a:b0:cd:ee:72, len=16
Jan  2 04:26:46 Firewall /bsd: pppoe0 (8864) state=3, session=0x15d2 output ->
3c:8a:b0:cd:ee:72, len=92
Jan  2 04:26:51 Firewall /bsd: pppoe0: lcp input(opened): 
Jan  2 04:26:51 Firewall /bsd: pppoe0: got lcp echo req, sending echo rep
Jan  2 04:26:51 Firewall /bsd: pppoe0: lcp output 
Jan  2 04:26:51 Firewall /bsd: pppoe0 (8864) state=3, session=0x15d2 output ->
3c:8a:b0:cd:ee:72, len=16
Jan  2 04:27:06 Firewall /bsd: pppoe0: lcp input(opened): 
Jan  2 04:27:06 Firewall /bsd: pppoe0: got lcp echo req, sending echo rep
Jan  2 04:27:06 Firewall /bsd: pppoe0: lcp output 
Jan  2 04:27:06 Firewall /bsd: pppoe0 (8864) state=3, session=0x15d2 output ->
3c:8a:b0:cd:ee:72, len=16
Jan  2 04:27:14 Firewall /bsd: pppoe0 (8864) state=3, session=0x15d2 output ->
3c:8a:b0:cd:ee:72, len=92
Jan  2 04:27:18 Firewall /bsd: pppoe0 (8864) state=3, session=0x15d2 output ->
3c:8a:b0:cd:ee:72, len=72
Jan  2 04:27:18 Firewall /bsd: pppoe0 (8864) state=3, session=0x15d2 output ->
3c:8a:b0:cd:ee:72, len=72
Jan  2 04:27:18 Firewall /bsd: pppoe0 (8864) state=3, session=0x15d2 output ->
3c:8a:b0:cd:ee:72, len=60
Jan  2 04:27:18 Firewall /bsd: pppoe0 (8864) state=3, session=0x15d2 output ->
3c:8a:b0:cd:ee:72, len=253
Jan  2 04:27:18 Firewall /bsd: pppoe0 (8864) state=3, session=0x15d2 output ->
3c:8a:b0:cd:ee:72, len=60
Jan  2 04:27:18 Firewall /bsd: pppoe0 (8864) state=3, session=0x15d2 output ->
3c:8a:b0:cd:ee:72, len=60
Jan  2 04:27:21 Firewall /bsd: pppoe0: lcp input(opened): 
Jan  2 04:27:21 Firewall /bsd: pppoe0: got lcp echo req, sending echo rep
Jan  2 04:27:21 Firewall /bsd: pppoe0: lcp output 
Jan  2 04:27:21 Firewall /bsd: pppoe0 (8864) state=3, session=0x15d2 output ->
3c:8a:b0:cd:ee:72, len=16
Jan  2 04:27:36 Firewall /bsd: pppoe0: lcp input(opened): 
Jan  2 04:27:36 Firewall /bsd: pppoe0: got lcp echo req, sending echo rep
Jan  2 04:27:36 Firewall /bsd: pppoe0: lcp output 
Jan  2 04:27:36 Firewall /bsd: pppoe0 (8864) state=3, session=0x15d2 output ->
3c:8a:b0:cd:ee:72, len=16
Jan  2 04:27:39 Firewall /bsd: pppoe0 (8864) state=3, session=0x15d2 output ->
3c:8a:b0:cd:ee:72, len=134
Jan  2 04:27:39 Firewall /bsd: pppoe0 (8864) state=3, session=0x15d2 output ->
3c:8a:b0:cd:ee:72, len=60
Jan  2 04:27:41 Firewall /bsd: pppoe0 (8864) state=3, session=0x15d2 output ->
3c:8a:b0:cd:ee:72, len=85
Jan  2 04:27:41 Firewall /bsd: pppoe0 (8864) state=3, session=0x15d2 output ->
3c:8a:b0:cd:ee:72, 
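As an added example (not code from the thread or from OpenBSD), a small Python parser for pppoe0 debug lines in the format quoted above. It tracks the peer's "got lcp echo req" messages, reports any silence longer than the keepalive budget (echo interval times tolerated misses, both parameters: Tom's reply later in the thread puts them at 15 s and three, while the tcpdump at the top of the thread shows echo requests 10 s apart), and lists the kernel's own "LCP keepalive timeout" lines so the two can be lined up. The log lines are constructed: host name, session id and peer MAC are the post's, the timestamps and the 69-second gap are made up, and the year is assumed because syslog omits it.

```python
import re
from datetime import datetime

# Constructed sample in the format of the pppoe0 debug output quoted above
# (host name, session id and peer MAC are the post's; the timestamps and the
# 69-second silence before 04:27:45 are invented to exercise the detector).
SAMPLE_LOG = """\
Jan  2 04:25:36 Firewall /bsd: pppoe0: got lcp echo req, sending echo rep
Jan  2 04:25:36 Firewall /bsd: pppoe0: lcp output
Jan  2 04:25:51 Firewall /bsd: pppoe0: got lcp echo req, sending echo rep
Jan  2 04:26:06 Firewall /bsd: pppoe0: got lcp echo req, sending echo rep
Jan  2 04:26:18 Firewall /bsd: pppoe0 (8864) state=3, session=0x15d2 output -> 3c:8a:b0:cd:ee:72, len=92
Jan  2 04:26:21 Firewall /bsd: pppoe0: got lcp echo req, sending echo rep
Jan  2 04:26:36 Firewall /bsd: pppoe0: got lcp echo req, sending echo rep
Jan  2 04:27:21 Firewall /bsd: pppoe0: LCP keepalive timeout
Jan  2 04:27:45 Firewall /bsd: pppoe0: got lcp echo req, sending echo rep
Jan  2 04:28:00 Firewall /bsd: pppoe0: got lcp echo req, sending echo rep
"""

# syslog line: "Mon DD HH:MM:SS host /bsd: pppoeN[:] message"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ /bsd: (?P<iface>pppoe\d+):?\s(?P<msg>.*)$"
)


def parse_line(line, year=2017):
    """Return (timestamp, interface, message) or None for non-pppoe lines.
    syslog carries no year, so one is assumed (the post is from Jan 2017)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return ts, m["iface"], m["msg"]


def echo_gaps(lines, iface="pppoe0", interval=15, maxalive=3):
    """Find silences in the peer's LCP echo requests.

    Returns (gaps, timeouts): gaps is a list of (last_seen, next_seen, seconds)
    for every stretch without an echo request longer than interval * maxalive
    seconds (the keepalive budget; both values are parameters, not kernel
    constants read from source); timeouts lists the timestamps of the kernel's
    own "LCP keepalive timeout" messages.
    """
    budget = interval * maxalive
    gaps, timeouts = [], []
    last_echo = None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] != iface:
            continue
        ts, _, msg = parsed
        if "LCP keepalive timeout" in msg:
            timeouts.append(ts)
        elif msg.startswith("got lcp echo req"):
            if last_echo is not None:
                silent = (ts - last_echo).total_seconds()
                if silent > budget:
                    gaps.append((last_echo, ts, silent))
            last_echo = ts
    return gaps, timeouts


if __name__ == "__main__":
    gaps, timeouts = echo_gaps(SAMPLE_LOG.splitlines())
    for start, end, secs in gaps:
        print(f"no echo request for {secs:.0f}s between "
              f"{start:%H:%M:%S} and {end:%H:%M:%S}")
    for ts in timeouts:
        print(f"kernel reported LCP keepalive timeout at {ts:%H:%M:%S}")
```

Run it against the real file with `echo_gaps(open("/var/log/messages").readlines())`; a gap that coincides with a timeout line points at the link or the ISP side, while a timeout with no gap in the peer's requests suggests the box itself was too busy to answer, which is the other possibility raised in this thread.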

Re: PC-Engines Wireless - PPPOE timeouts.

2016-12-20 Thread Patrick Dohman
Todd

At this point I’ve elected to evaluate a MSS of 1452 to determine if a
theoretical max is beneficial.

In addition I’m currently testing a fixed MTU of 1492 on one LAN interface
in conjunction with my PS4 console.

Based on troubleshooting this afternoon it appears the number of device
interrupts has decreased by thirty percent.

When possible I’ll install 6.0 & hopefully configure the APU’s re(4) NICs
with baby jumbos, CenturyLink allowing.

Regards
Patrick

> On Dec 20, 2016, at 2:13 PM, Todd C. Miller <todd.mil...@courtesan.com> wrote:
>
> On Tue, 20 Dec 2016 08:58:43 -0600, Patrick Dohman wrote:
>
>> I'm currently running a ZyXEL C1100Z VDSL2 modem.
>>
>> At this point the hardware WAN interface (RE1) is configured with an MTU of 1500
>>
>> In addition the PPPOE interface is configured with an MTU of 1492
>
> Are you setting the MSS to 1440 in pf.conf as per the pppoe man
> page?  If not, you should.  See the section on MTU/MSS ISSUES.
>
> I've tried using an MTU of 1508 on the ethernet interface (baby
> jumbos) but didn't get it working with Quest/Centurylink VDSL2.
> Presumably their equipment doesn't support RFC 4638.
>
> - todd
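The MTU and MSS figures in this exchange (1492, 1452, 1440, 1508) all follow from the encapsulation overheads. As an added example, not code from the thread or from OpenBSD, the Python below derives them and checks a proposed pf max-mss value against the budget. The header sizes are protocol constants; 1440 is 12 bytes below the IPv4 maximum of 1452, which happens to be the size of a padded TCP timestamp option, though whether that is the man page's rationale is my assumption. Note that max-mss only touches TCP; UDP and ICMP still depend on Path MTU Discovery, which is why passing ICMP unreachables matters.

```python
# Encapsulation overheads (protocol constants, not figures taken from the thread)
ETHER_MTU = 1500            # payload of a standard Ethernet frame
PPPOE_HEADER = 6            # PPPoE session header
PPP_PROTOCOL_FIELD = 2      # PPP protocol id in front of the IP packet
IPV4_HEADER, IPV6_HEADER, TCP_HEADER = 20, 40, 20
TCP_TIMESTAMP_OPTION = 12   # 10-byte option padded to a 4-byte boundary
RFC4638_ETHER_MTU = 1508    # "baby jumbo" frames that give a 1500-byte PPP MTU


def pppoe_budget(ether_mtu=ETHER_MTU):
    """Derive the PPP MTU and the largest TCP MSS that fits inside it."""
    ppp_mtu = ether_mtu - PPPOE_HEADER - PPP_PROTOCOL_FIELD
    return {
        "ppp_mtu": ppp_mtu,
        "mss_v4_max": ppp_mtu - IPV4_HEADER - TCP_HEADER,
        "mss_v6_max": ppp_mtu - IPV6_HEADER - TCP_HEADER,
        # headroom for a timestamp option on an IPv4 segment (assumed rationale)
        "mss_v4_with_timestamps": ppp_mtu - IPV4_HEADER - TCP_HEADER - TCP_TIMESTAMP_OPTION,
    }


def max_mss_is_safe(max_mss, ether_mtu=ETHER_MTU, ipv6=False):
    """True if a pf 'scrub (max-mss N)' value cannot produce a TCP segment
    larger than the PPP MTU for the given address family."""
    budget = pppoe_budget(ether_mtu)
    limit = budget["mss_v6_max"] if ipv6 else budget["mss_v4_max"]
    return 0 < max_mss <= limit


if __name__ == "__main__":
    for mtu in (ETHER_MTU, RFC4638_ETHER_MTU):
        print(f"ethernet MTU {mtu}: {pppoe_budget(mtu)}")
    for mss in (1440, 1452, 1460):
        print(f"max-mss {mss}: v4 {'ok' if max_mss_is_safe(mss) else 'too big'}, "
              f"v6 {'ok' if max_mss_is_safe(mss, ipv6=True) else 'too big'}")
```

With a 1500-byte Ethernet MTU the PPP MTU is 1492, so 1452 (Patrick's "theoretical max") is the IPv4 ceiling and 1440 leaves a little headroom; 1452 is already too large for IPv6 over the same link, where 1432 is the ceiling. Only with RFC 4638 baby jumbos (Ethernet MTU 1508, which Todd's ISP did not support) does the PPP MTU reach 1500 and the clamp become unnecessary.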



Re: PC-Engines Wireless - PPPOE timeouts.

2016-12-20 Thread Patrick Dohman
>> us sy id
>> 1 0 0  18628 38257361   0   0   0   0   0   0   24 8   10  0  0 100
>> 0 0 0  18628 38257361   0   0   0   0   0   0   23 69  0  0 100
>> 0 0 0  18628 38257361   0   0   0   0   0   0   28 69  0  0 100
>> 0 0 0  18628 38257361   0   0   0   0   0   0   24 8   10  0  0 100
>> 0 0 0  18628 38257361   0   0   0   0   0   0   22 79  0  0 100
>> 0 0 0  18628 38257361   0   0   0   0   0   0   25 8   10  0  0 100
>> 0 0 0  18628 38257361   0   0   0   0   0   0   24 69  0  0 100
>>
>> Regards
>> Patrick
>>
>>> On Dec 15, 2016, at 5:05 AM, Stuart Henderson <s...@spacehopper.org>
>>> wrote:
>>>
>>> On 2016-12-15, Patrick Dohman <patrick_doh...@centurylink.net> wrote:
>>>> Stuart
>>>>
>>>> Please see below for more info:
>>>>
>>>> Please note the 5.7 dmesg is subsequent to a reboot.
>>>
>>> Thanks. I was wondering about a bug with LCP echoes I accidentally
>>> introduced that made it into 5.9 (fixed for 6.0).
>>>
>>> Nothing stands out from what you've sent. Some possibilities:
>>>
>>> - connection somewhere between the APU and the ISP really is dropping
>>> out
>>> (are you using the same cable for the different locations you placed the APU
>>> in? could a cable be bad? check for errors on the ethernet interface)
>>>
>>> - machine too busy to handle traffic - maybe tail -f /var/log/messages in the
>>> background while "vmstat -w 10" or something is running (maybe under "script"),
>>> look for the timeouts in the output and see what cpu is doing at the time
>>>
>>>> pass out quick on egress inet6 proto { tcp, udp } from {
>>>> (pppoe0:network),
>>>> (athn0:network), (re2:network) } modulate state
>>>
>>> btw using (...) causes an extra address lookup to be done when the rule
>>> is evaluated (i.e. when a packet doesn't match existing state) - you may need
>>> this for pppoe0 but you can save a bit of cpu with
>>>
>>> pass out quick on egress inet6 proto { tcp, udp } from {
>>> (pppoe0:network),
>>> athn0:network, re2:network } modulate state
>>>
>>> (and same for the v4 rule)
>>>
>>>> ### --- Optional Runtime Options --- ###
>>>> set optimization conservative
>>>
>>> not likely to be the problem, but you're pretty unlikely to need that.



Re: PC-Engines Wireless - PPPOE timeouts.

2016-12-18 Thread Patrick Dohman
Stuart

Thanks for the reply

At this point it appears a specific LAN client “PS4” is responsible for a
high number of device interrupts.

Hoping to clarify if interrupts in excess of “3000” can cause PPPoE
timeouts.

#
#
Lan Streaming cat5 no switch

 procs    memory       page                    disk  traps          cpu
 r b w    avm     fre   flt  re  pi  po  fr  sr sd0  int   sys   cs us sy id
1 0 0  18636 38255601   0   0   0   0   0   0 6872 7   10  0  9 91
0 0 0  18636 38255601   0   0   0   0   0   0 2163 79  0  4 96
0 0 0  18636 38255601   0   0   0   0   0   0 1921 9   11  0  2 98
0 0 0  18636 38255601   0   0   0   0   0   0 1943 69  0  3 97
0 0 0  18636 38255601   0   0   0   0   0   0 1705 69  0  3 97
0 0 0  18636 38255601   0   0   0   0   0   0 1849 8   10  0  3 97
0 0 0  18636 38255601   0   0   0   0   0   0 2276 69  0  4 96


Wlan Streaming

 procs    memory       page                    disk  traps          cpu
 r b w    avm     fre   flt  re  pi  po  fr  sr sd0  int   sys   cs us sy id
1 0 0  18632 38257321   0   0   0   0   0   0  368 7   10  0  1 99
0 0 0  18632 38257321   0   0   0   0   0   0  365 8   10  0  2 98
0 0 0  18632 38257321   0   0   0   0   0   0  355109  0  1 99
0 0 0  18632 38257321   0   0   0   0   0   0  362 9   10  0  2 98
0 0 0  18632 38257321   0   0   0   0   0   0  356 8   10  0  1 99
0 0 0  18632 38257321   0   0   0   0   0   0  36110   10  0  1 99
0 0 0  18632 38257321   0   0   0   0   0   0  365 9   10  0  2 98
0 0 0  18632 38257321   0   0   0   0   0   0  383 8   10  0  1 99

#
No Lan or Wlan traffic

 procs    memory       page                    disk  traps          cpu
 r b w    avm     fre   flt  re  pi  po  fr  sr sd0  int   sys   cs us sy id
1 0 0  18628 38257361   0   0   0   0   0   0   24 8   10  0  0 100
0 0 0  18628 38257361   0   0   0   0   0   0   23 69  0  0 100
0 0 0  18628 38257361   0   0   0   0   0   0   28 69  0  0 100
0 0 0  18628 38257361   0   0   0   0   0   0   24 8   10  0  0 100
0 0 0  18628 38257361   0   0   0   0   0   0   22 79  0  0 100
0 0 0  18628 38257361   0   0   0   0   0   0   25 8   10  0  0 100
0 0 0  18628 38257361   0   0   0   0   0   0   24 69  0  0 100

Regards
Patrick

> On Dec 15, 2016, at 5:05 AM, Stuart Henderson <s...@spacehopper.org> wrote:
>
> On 2016-12-15, Patrick Dohman <patrick_doh...@centurylink.net> wrote:
>> Stuart
>>
>> Please see below for more info:
>>
>> Please note the 5.7 dmesg is subsequent to a reboot.
>
> Thanks. I was wondering about a bug with LCP echoes I accidentally
> introduced that made it into 5.9 (fixed for 6.0).
>
> Nothing stands out from what you've sent. Some possibilities:
>
> - connection somewhere between the APU and the ISP really is dropping out
> (are you using the same cable for the different locations you placed the APU
> in? could a cable be bad? check for errors on the ethernet interface)
>
> - machine too busy to handle traffic - maybe tail -f /var/log/messages in the
> background while "vmstat -w 10" or something is running (maybe under "script"),
> look for the timeouts in the output and see what cpu is doing at the time
>
>> pass out quick on egress inet6 proto { tcp, udp } from { (pppoe0:network),
>> (athn0:network), (re2:network) } modulate state
>
> btw using (...) causes an extra address lookup to be done when the rule
> is evaluated (i.e. when a packet doesn't match existing state) - you may need
> this for pppoe0 but you can save a bit of cpu with
>
> pass out quick on egress inet6 proto { tcp, udp } from { (pppoe0:network),
> athn0:network, re2:network } modulate state
>
> (and same for the v4 rule)
>
>> ### --- Optional Runtime Options --- ###
>> set optimization conservative
>
> not likely to be the problem, but you're pretty unlikely to need that.



Re: PC-Engines Wireless - PPPOE timeouts.

2016-12-14 Thread Patrick Dohman
ev. 4
ppb1 at pci0 dev 5 function 0 "AMD AMD64 14h PCIE" rev 0x00: msi
pci2 at ppb1 bus 2
re1 at pci2 dev 0 function 0 "Realtek 8168" rev 0x06: RTL8168E/8111E (0x2c00),
msi, address 00:0d:b9:3b:db:31
rgephy1 at re1 phy 7: RTL8169S/8110S PHY, rev. 4
ppb2 at pci0 dev 6 function 0 "AMD AMD64 14h PCIE" rev 0x00: msi
pci3 at ppb2 bus 3
re2 at pci3 dev 0 function 0 "Realtek 8168" rev 0x06: RTL8168E/8111E (0x2c00),
msi, address 00:0d:b9:3b:db:32
rgephy2 at re2 phy 7: RTL8169S/8110S PHY, rev. 4
ahci0 at pci0 dev 17 function 0 "ATI SBx00 SATA" rev 0x40: apic 2 int 19, AHCI
1.2
scsibus1 at ahci0: 32 targets
ohci0 at pci0 dev 18 function 0 "ATI SB700 USB" rev 0x00: apic 2 int 18,
version 1.0, legacy support
ehci0 at pci0 dev 18 function 2 "ATI SB700 USB2" rev 0x00: apic 2 int 17
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "ATI EHCI root hub" rev 2.00/1.00 addr 1
ohci1 at pci0 dev 19 function 0 "ATI SB700 USB" rev 0x00: apic 2 int 18,
version 1.0, legacy support
ehci1 at pci0 dev 19 function 2 "ATI SB700 USB2" rev 0x00: apic 2 int 17
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 "ATI EHCI root hub" rev 2.00/1.00 addr 1
piixpm0 at pci0 dev 20 function 0 "ATI SBx00 SMBus" rev 0x42: polling
iic0 at piixpm0
pcib0 at pci0 dev 20 function 3 "ATI SB700 ISA" rev 0x40
ppb3 at pci0 dev 20 function 4 "ATI SB600 PCI" rev 0x40
pci4 at ppb3 bus 4
ohci2 at pci0 dev 20 function 5 "ATI SB700 USB" rev 0x00: apic 2 int 18,
version 1.0, legacy support
ppb4 at pci0 dev 21 function 0 "ATI SB800 PCIE" rev 0x00
pci5 at ppb4 bus 5
athn0 at pci5 dev 0 function 0 "Atheros AR9281" rev 0x01: apic 2 int 16
athn0: AR9280 rev 2 (2T2R), ROM rev 22, address 04:f0:21:17:42:6d
ohci3 at pci0 dev 22 function 0 "ATI SB700 USB" rev 0x00: apic 2 int 18,
version 1.0, legacy support
ehci2 at pci0 dev 22 function 2 "ATI SB700 USB2" rev 0x00: apic 2 int 17
usb2 at ehci2: USB revision 2.0
uhub2 at usb2 "ATI EHCI root hub" rev 2.00/1.00 addr 1
pchb1 at pci0 dev 24 function 0 "AMD AMD64 14h Link Cfg" rev 0x43
pchb2 at pci0 dev 24 function 1 "AMD AMD64 14h Address Map" rev 0x00
pchb3 at pci0 dev 24 function 2 "AMD AMD64 14h DRAM Cfg" rev 0x00
km0 at pci0 dev 24 function 3 "AMD AMD64 14h Misc Cfg" rev 0x00
pchb4 at pci0 dev 24 function 4 "AMD AMD64 14h CPU Power" rev 0x00
pchb5 at pci0 dev 24 function 5 "AMD AMD64 14h Reserved" rev 0x00
pchb6 at pci0 dev 24 function 6 "AMD AMD64 14h NB Power" rev 0x00
pchb7 at pci0 dev 24 function 7 "AMD AMD64 14h Reserved" rev 0x00
usb3 at ohci0: USB revision 1.0
uhub3 at usb3 "ATI OHCI root hub" rev 1.00/1.00 addr 1
usb4 at ohci1: USB revision 1.0
uhub4 at usb4 "ATI OHCI root hub" rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
wbsio0 at isa0 port 0x2e/2: NCT5104D rev 0x52
usb5 at ohci2: USB revision 1.0
uhub5 at usb5 "ATI OHCI root hub" rev 1.00/1.00 addr 1
usb6 at ohci3: USB revision 1.0
uhub6 at usb6 "ATI OHCI root hub" rev 1.00/1.00 addr 1
umass0 at uhub2 port 1 configuration 1 interface 0 "Generic Flash Card
Reader/Writer" rev 2.01/1.00 addr 2
umass0: using SCSI over Bulk-Only
scsibus2 at umass0: 2 targets, initiator 0
sd0 at scsibus2 targ 1 lun 0: <Multiple, Card Reader, 1.00> SCSI2 0/direct
removable serial.058f6366058F63666485
sd0: 7580MB, 512 bytes/sector, 15523840 sectors
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
root on sd0a (245de474743bba4f.a) swap on sd0b dump on sd0b


Regards
Patrick Dohman

> On Dec 14, 2016, at 9:10 AM, Stuart Henderson <s...@spacehopper.org> wrote:
>
> Your dmesg is missing.



Re: PC-Engines Wireless - PPPOE timeouts.

2016-12-10 Thread Patrick Dohman
Tom

Specific to your question the apu1d4 is configured to act as a DSL bridge/PPPoE
gateway on one ethernet interface.

In addition a PCIe Atheros AR9281 is configured as a host-based access point
for wireless clients & a second ethernet interface is configured to supply
DHCP to LAN clients via a switch.

Please note the RSSI & noise of connected clients is typically considered good
& averages the following:

RSSI = -54dBm
Noise = -98dBm

Previously the apu1d4  was configured in conjunction with a DOCSIS cable modem
& intermittent modem resets were common.

I’ve gone ahead & purchased new surge protectors for all equipment including
the modem and router, which seemed to increase the uptime of the bridge by
several days.

Regards
Patrick


> On Dec 10, 2016, at 4:54 AM, Tom  wrote:
>
> Hello Patrick,
>
> your mail sounds a bit confusing. I assume you have a following setup:
> - your board is configured as router.
> - your internal interface is the wireless athn0
> - your external interface is pppoe0 on a wired interface (like re0),
> but you do not tell us.
>
>>> Specifically if wireless retransmission and specifically interface can
>>> potentially cause pppope timeouts when acting as a bridge.
> ppp is never on a bridge nor acts as bridge.
>
>>> /bsd: pppoe0 LCP keepalive timeout
> This is the only useful line in your post to me. For sure your problem
> has nothing to do wireless or 80211.
> This happens when the physical connection to your ISP gets interrupted
> or, more likely, the ppp-implementation of your ISP has a different
> timeout than that which is hard coded in sys/net/if_spppsubr.c (15s
> with at least every third LCP-keepalive reaching us).
>
> To solve your problem you have two options:
> - Create at least every 30s some traffic on pppoe0 at all times.
> - Run a custom kernel. My workaround is a modified if_spppsubr.c. My ISP's
> timeout-interval is 45s, so I increased MAXALIVECNT from 3 to 9. There
> is no warranty with this option at all! You are on your own.
>
>
> Good luck!



PC-Engines Wireless - PPPOE timeouts.

2016-12-09 Thread Patrick Dohman
Hoping to determine if PPPoE timeouts can be caused by 802.11 interference.

Specifically, whether wireless retransmission on the interface can
potentially cause PPPoE timeouts when acting as a bridge.

At this point it appears the physical location of the pc-engine results in
more frequent timeouts specifically the following error:

/bsd: pppoe0 LCP keepalive timeout

Placing the router towards the center of the room on a shelf has resulted in
35 days of uptime prior to the bridge failing & a manual DSL modem reset.

Moving the router to the floor in a corner has later resulted in 14 days of
uptime prior to a pppoe timeout.


The netstat statistics below do not seem to indicate a greater packet loss due
to the physical location.

Name   Mtu   Network  Address            Ipkts     Ierrs   Opkts     Oerrs  Colls

PC-Engines located in corner on the floor

1:30AM  up 13 days,  6:04, 0 users, load averages: 0.11, 0.09, 0.08

athn0  1500  <Link>   04:f0:21:17:42:6d  16413375  145380  25282948  3261   0
athn0  1500  10/8     10.0.1.1           16413375  145380  25282948  3261   0

PC-Engines located on shelf towards center of room:

1:30AM  up 36 days,  8:12, 0 users, load averages: 0.12, 0.09, 0.08

athn0  1500  <Link>   04:f0:21:17:42:6d  28928226  551562  49261880  11086  0
athn0  1500  10/8     10.0.1.1           28928226  551562  49261880  11086  0

Hoping to clarify if additional diagnostics exist to help troubleshoot the
pppoe issue & assist in isolating 802.11 as a potential cause or lack
thereof.

Regards
Patrick
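The two netstat -i snapshots in the post above are cumulative since boot and cover different uptimes (13 and 36 days), so the raw Ierrs and Oerrs columns do not compare directly. As an added example, not code from the post or from OpenBSD, the Python below parses netstat -i rows, turns the counters into error fractions and per-day volumes, and compares the two locations. The counters are the post's own (with the `<Link>` marker OpenBSD prints in the link-level row restored where the archive stripped it); the uptime days are read from the uptime lines beside them.

```python
# Counters from the two netstat -i snapshots in the post above, one link-level
# row each (columns: Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Colls);
# the uptime in days is read off the uptime lines beside them.
SNAPSHOTS = {
    "corner": (13, "athn0 1500 <Link> 04:f0:21:17:42:6d 16413375 145380 25282948 3261 0"),
    "shelf":  (36, "athn0 1500 <Link> 04:f0:21:17:42:6d 28928226 551562 49261880 11086 0"),
}

COLUMNS = ("name", "mtu", "network", "address",
           "ipkts", "ierrs", "opkts", "oerrs", "colls")


def parse_netstat_i(line):
    """Parse one netstat -i row into a dict; numeric columns become ints."""
    fields = line.split()
    if len(fields) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} columns, got {len(fields)}: {line!r}")
    rec = dict(zip(COLUMNS, fields))
    for key in ("mtu", "ipkts", "ierrs", "opkts", "oerrs", "colls"):
        rec[key] = int(rec[key])
    return rec


def error_rates(rec, uptime_days):
    """Turn cumulative counters into comparable fractions and daily volumes."""
    return {
        "ierr_rate": rec["ierrs"] / rec["ipkts"] if rec["ipkts"] else 0.0,
        "oerr_rate": rec["oerrs"] / rec["opkts"] if rec["opkts"] else 0.0,
        "ipkts_per_day": rec["ipkts"] / uptime_days,
        "ierrs_per_day": rec["ierrs"] / uptime_days,
    }


def compare_locations(snapshots=SNAPSHOTS):
    """Error statistics per location, keyed by the snapshot name."""
    return {name: error_rates(parse_netstat_i(row), days)
            for name, (days, row) in snapshots.items()}


if __name__ == "__main__":
    for name, r in compare_locations().items():
        print(f"{name:8s} Ierrs {r['ierr_rate']:.3%}  Oerrs {r['oerr_rate']:.4%}  "
              f"{r['ipkts_per_day']:,.0f} pkts/day  {r['ierrs_per_day']:,.0f} errs/day")
```

Read this way, the post's numbers point the other direction from the intuition: the shelf position shows roughly 1.9% input errors against 0.9% in the corner, and the corner moved more packets per day. Either way a wireless Ierrs counter on the LAN side says nothing about the PPPoE session, which runs over the wired interface; `netstat -i` for that interface (and its Ierrs/Oerrs) is the column that bears on the keepalive question.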



Re: Building An Intranet For Dummies

2016-12-03 Thread Patrick Dohman
Have you looked into open atrium?

It appears to be built on Drupal.

Regards
Patrick


> On Dec 3, 2016, at 9:36 AM, Predrag Punosevac wrote:
>
> Hi misc,
>
> I was recently tasked with building an Intranet site for my research
> group. Traditionally we have used a very weak security model to accomplish
> this task which consisted of using Daisy CMS and its internal
> authentication to hide a few pages of our Wiki from prying eyes of
> strangers.
>
> I thought I could accomplish the same using DokuWiki. As you can see
> from this post
>
> https://forum.dokuwiki.org/thread/14277
>
> things are not going quite as easy as I thought. Theoretically I should
> be able to use namespaces to create tabs only visible to @user group but
> in practice I am confused about changing namespace properties of
> the DokuWiki tabs.
>
> Long story short I decided to take a pause and think some more using the
> input of competent people how to accomplish this task.
>
> I was wondering what people around here use to create their Intranets? I
> am open for any suggestions (authpf, relayd, some kind of proxy) with the
> caveat that users should be able to authenticate just by typing their
> password into the web browser. I am perfectly OK with running second
> private DokuWiki instance.
>
> Best,
> Predrag



log monitoring recommendations?

2016-10-21 Thread Patrick Dohman
Any opinions/ideas regarding log monitoring?
Preferably something with definable actions.
Hoping to test/obtain a fail2ban equivalent for BSD

The following utilities were located in openports.se
hatchet
logsentry
logsurfer
swatch

Regards
Patrick



Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-16 Thread Patrick Dohman
> nonsense. daily security is mailed *if it is non-empty*. Same goes for
> weekly and mothly.
>
>   -Otto

I guess that explains why the output of who was omitted from the
insecurity out



Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-15 Thread Patrick Dohman
The daily security out being emailed is also default disabled ;)

The monthly & weekly outs never seem to work either.

Regards
Patrick


> On Oct 15, 2016, at 11:20 AM, Peter Janos  wrote:
> 
> remote supervisor/console solutions are still turned on while the server
> is off, so simply powering off the OS isn't enough. There were/will be
> many bugs for these remote console solutions too
>
> Sent: Friday, October 14, 2016 at 9:48 PM
> From: "Raul Miller"
> To: "thrph.i...@gmail.com"
> Cc: "OpenBSD general usage list"
> Subject: Re: What are the security features in OpenBSD 6.0 that are by default disabled?
>
> On Fri, Oct 14, 2016 at 2:50 PM, thrph.i...@gmail.com wrote:
>> " The only truly secure system is one that is powered off, cast in a
> block of concrete and sealed in a lead-lined room with armed guards - and
> even then I have my doubts. "
> 
> Powered off works surprisingly well for some other operating systems.
> 
> --
> Raul



Re: starting ssh-agent on ssh login

2016-10-08 Thread Patrick Dohman
pageant & PuTTY can accomplish this.

see below for more info:

http://unixwiz.net/techtips/putty-openssh.html


Regards
Patrick



> On Oct 8, 2016, at 3:44 PM, Predrag Punosevac wrote:
>
> ssh-agent



Re: pppoe via switch

2016-10-01 Thread Patrick Dohman
Surge protectors from the hardware store are a nice feature too ;)

> On Oct 1, 2016, at 11:36 AM, tech-lists  wrote:
>
> On 01/10/2016 14:58, Eric Huiban wrote:
>> And my last sentence is where you'll get "problems" with your ISP ! It
>> will append if you're leaking undue ethernet packets to the PPPoE
>> gateway : any broadcast or anything unknown to your dumb switch will be
>> submitted to your ISP's good will. So... don't make your ISP grumpy. ;-)
>
> aha!
>
>> You better have to use a not-so-dumb switch on which you can
>> affect/group ports all-together (without any VLAN tagging) and isolate
>> them from any other data traffic from other ports. There's always a way
>> to leak something by misconfiguration or by plugin-in other clients on
>> your switch (even if you put red-tape on unused ports... someone will do
>> that one day or another!).
>
> OK I guess best bet is to invest in a longer cat6 cable. Thanks for the tip.
> --
> J.



Re: Looking for a way to deal with unwanted HTTP requests using mod_perl

2016-09-28 Thread Patrick Dohman
At the risk of sounding last decade…

Sourcing a scanner that attempts to illustrate the goals of an attacker could
make for a worthwhile project.

As an aside a postfix version really ought to exist with its myriad of
status codes.

Regards
Patrick


> On Sep 28, 2016, at 9:04 PM, Chris Bennett wrote:
>
> On Wed, Sep 28, 2016 at 08:54:14PM -0400, trondd wrote:
>> On Wed, September 28, 2016 1:20 pm, Chris Bennett wrote:
>>>
>>> Right now I am using a simple script from the error log to block
>>> permanently any requests from that IP using OpenBSD pf.
>>>
>>> That simply doesn't work well enough anymore due to the time lag between
>>> 20+ requests at once getting to the log file.
>>
>> I use a combination of overload in pf with a bruteforce table and log
>> parsing.  I don't currently do the log parsing in real time.  You could
>> use your own script or something like fail2ban for that.  The combination
>> will quickly lock out rapid connection attempts, while eventually also
>> getting the slow pokes.
>
> I don't think bruteforce will be helpful in my case. I do occasionally
> get bruteforce attacks, but not very often.
> What I usually get are identical attacks of a certain set of variations
> of URLs from one IP address. A little later the same thing from another
> IP, then another, etc.
>
> One of the reasons I am thinking of a mod_perl solution is that mod_perl
> can step in very early in the Apache process. All kinds of things can be
> done long before normal access is available to other processes.
> But I have no experience using any of these parts of mod_perl. I have
> only used later functions in the cycle.
>
>>
>>> Plus, I
>>> occasionally screw up and block my own IP address so I keep an SSH
>>> session open before experimenting.
>>>
>>
>> Create a "safe" table in pf and put your often used IPs in it (assuming
>> they are static enough for this) and match that before you check the
>> bruteforce table.  Also, your rules and tables for ssh can be different
>> than that of the web server.  No reason for accidentally going to a bad
>> URL to lock you out of ssh.
>>
>
> Thanks, I hadn't thought of that. Some of my IPs are static. But I also
> travel a lot between parts of Mexico and Texas. But I will add to pf for
> that. I can add hotel IPs, when their WiFi signal is actually
> strong enough to connect. That should solve that problem.
>
> For the list, the rest is me rambling on so don't bother reading any
> further, is OT.
>
>
> I can develop on my office/home systems, but some stuff I use requires
> live testing since I don't have another production server. Live testing
> since my software depends on what is sent from another company and then
> processing on my server followed by an email customised for a customer
> to access paid content on my server. I can fake the input to a certain
> degree, but I had one customer a while ago request a refund before
> getting a username/password from my end, so that input was unexpected
> and did not follow the other company's documentation, which is of poor
> quality, so I had to fix a problem that was unexpected and basically
> undocumented.
>
>
> Thanks. Very useful for my SSH problem.
> Chris Bennett



Re: spamd question

2016-09-17 Thread Patrick Dohman
Is there such a thing as set skip on lo for ldap ;)

Regards
Patrick

> On Sep 13, 2016, at 4:03 AM, Kasper Haitsma  wrote:
> 
> Happy days, spamd-sync is working.
> 
> - pf.conf still needs rdr-to instead of divert-to
> - rc.conf.local is picky on the quotes for -n and sequence of -Y and
> -y (no sync proc in ps list)
> - the 5.0 machines are not using spamd.key :(
> 
> I'm glad it is all well documented
> 
> Date: Fri, 9 Sep 2016 12:14:18 +0100
> From: Craig Skinner 
> To: misc@openbsd.org
> Subject: Re: spamd question
> Message-ID: <20160909121418.3117d12f@fir.internal>
> 
> Hi Kasper,
> 
> On Thu, 8 Sep 2016 17:51:45 +0200 Kasper Haitsma wrote:
>>>> 5.9 -> 5.9 nothing at all
>>> 
>>> Fix this problem first.
>> 
>> if this is fixed, I trust, all is fixed.
> 
> Hopefully it's on to happy days then!!!
> 
> 
> As you've got spamd_flags=" -y bge1 & -Y bge1"
> 
> Try changing the bge1 to ipv4 addresses & restarting spamd.
> 
> If that works, then change back to bge1 and check if you also have
> 'multicast=YES' in /etc/rc.conf.local?
> 
> In older versions, the rc parameter was called 'multicast_host', but
> the '_host' bit got dropped: http://www.openbsd.org/faq/upgrade59.html
> 
> Enabling that would need either a root 'sh /etc/netstart' or reboot.
> 
> Cheers,
> --
> Craig Skinner



Ralink 802.11n Mini PCI

2016-09-05 Thread Patrick Dohman
Hello

Hoping to determine what modern Mini PCI 802.11n adapters are supported by the
RT2800 chipset.
It appears the Ralink man page includes the following supported adapters;
however, a search of the internet points to most being no longer actively
manufactured.

Amigo AWI-922W. Billionton MIWLGRL.
Gigabyte GN-WIKG. Gigabyte GN-WI01GS.
Gigabyte GN-WI02GM. MSI MP54G2. MSI MS-6833.
SparkLAN WMIR-215GN. Tonze PC-620C. Zinwell ZWX-G360.

Please note the AzureWave AW-NB087H can be obtained from eBay, Alibaba etc.;
however I'd prefer a recommended option.
If possible please suggest a location to purchase the above mini-PCI adapters
or a viable alternative.

Regards
Patrick



Re: DigitalOcean and OpenBSD

2016-08-28 Thread Patrick Dohman
Don’t Forget BUYVM.

Regards
Patrick

> On Aug 28, 2016, at 10:07 AM, bytevolc...@safe-mail.net wrote:
>
> andrew fabbro wrote:
> ...
>> - some day in the bright shining future when vmm is done, you may be able
>> to buy an OpenBSD guest VM on an OpenBSD host...and then these piddling
>> Amazon and Microsoft Azure empires will fall as Puffy storms the net.  To
>> the cloud!
>>
>
> Those "piddling Microsoft Azure empires" may not be the best in software
> development, but they are better at marketing than the OpenBSD team is, by
> several orders of magnitude. And much more aggressive too.
>
> I wouldn't get your hopes up, even if vmm was capable of running complete
> Windows 10+, Linux, BSD, and MacOS X installations (even if just with a little
> help from a ported QEMU) by 2018.
>
> The best doesn't always win out when it comes to marketing and
> mainstream/consumer use. Puffy won't be "storming the net" any time soon.



Re: donations

2016-08-21 Thread Patrick Dohman
That’s the point of the new regulatory audits ;)

> On Aug 21, 2016, at 9:01 AM, Daniel Wilkins  wrote:
>
> That works very differently as far as taxes go. Theo would have to start
> reporting it as income if Canada works like the US, and things are interesting
> from there.
>
> On Sun, Aug 21, 2016 at 07:36:40AM -0400, Donald Allen wrote:
>> But isn't it still better to send the money directly to you, since the
>> Foundation doesn't support you financially? If I understand the different
>> pots of money correctly, this gives you maximum flexibility to use what you
>> need for your own support and if there is any excess, you can send it to the
>> Foundation.
>>
>>
>>> From: dera...@openbsd.org
>>> To: ed...@pettijohn-web.com
>>> CC: misc@openbsd.org
>>> Subject: Re: donations
>>> Date: Sat, 20 Aug 2016 19:24:10 -0600
>>>
>>>> It was mentioned in another post that sales of the OpenBSD CD's
>>>> loses money.
>>>
>>> The effort expended vs payout received is probably on par with the
>>> newspaper route I operated at age 16.
>>>
>>> I could be doing far better things than making CDs.
>>>
>>> For 20 years I really had no other choice.
>>>
>>>> Would it be better to make donations to the foundation?
>>>
>>> Absolutely.  Look at the results:
>>>
>>> http://www.openbsdfoundation.org/activities.html



Re: hardware recommendation for openbsd-based thin client?

2016-05-30 Thread Patrick Dohman
Has anyone tried a ViewSonic thin client?


> On May 26, 2016, at 7:40 AM, Marko Cupać  wrote:
>
> Hi,
>
> I need to implement a few dozen boxes whose only purpose will be
> connecting to RDP servers. I have figured out the software part -
> OpenBSD + slim + openbox + freerdp, but I haven't yet decided about the
> hardware part. It needs to be of amd64 architecture, and it needs to
> run OpenBSD. Local storage is not a concern, SD card would be enough.
> In fact, I'd go for diskless zero client if OpenBSD's implementation
> supported CIDR.
>
> Something like PCengines' APU, but in monitor+mouse+keyboard world.
>
> Any recommendations? Thank you in advance.
> --
> Before enlightenment - chop wood, draw water.
> After  enlightenment - chop wood, draw water.
>
> Marko Cupać
> https://www.mimar.rs/



SMTPD - Auth Error 535 5.7.8

2016-05-22 Thread Patrick Dohman
After migrating to a new ISP, SMTPD relay TLS auth no longer functions as
expected.

Essentially the same configuration in conjunction with a different mail server
works as needed.

Hoping to clarify if cipher type is an issue & if so how a cipher list is
configured.

Please see below for more info:

sudo cat /etc/mail/smtpd.conf
#   $OpenBSD: smtpd.conf,v 1.7 2014/03/12 18:21:34 tedu Exp $

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

# To accept external mail, replace with: listen on all
#
listen on lo0 hostname ###-##-##-##.###.qwest.net

table aliases db:/etc/mail/aliases.db
table secrets db:/etc/mail/secrets.db

# Uncomment the following to accept external mail for domain "example.org"
#
# accept from any for domain "example.org" alias <aliases> deliver to mbox
accept for local alias <aliases> deliver to mbox
#accept from local for any relay
accept for any relay via tls+auth://la...@smtp.centurylink.net:587 \
	auth <secrets>



#
##

$mail -s "Firewall weekly output" -r root@###-##-###-##.###.qwest.net
###@centurylink.net < test.txt

sudo tail -f /var/log/maillog

May 22 14:49:41 Firewall smtpd[5565]: smtp-in: New session 678c45026c0fd8f5
from host ## [local]
May 22 14:49:41 Firewall smtpd[5565]: smtp-in: Accepted message 6e845123 on
session 678c45026c0fd8f5: from=,
to=<###_@centurylink.net>, size=242, ndest=1, proto=ESMTP
May 22 14:49:41 Firewall smtpd[5565]: smtp-in: Closing session
678c45026c0fd8f5
May 22 14:49:41 Firewall smtpd[5565]: smtp-out: Connecting to
tls://205.219.233.9:587 (mail.centurylink.net) on session 678c450539abbe1e...
May 22 14:49:41 Firewall smtpd[5565]: smtp-out: Connected on session
678c450539abbe1e
May 22 14:49:41 Firewall smtpd[5565]: smtp-out: Started TLS on session
678c450539abbe1e: version=TLSv1/SSLv3, cipher=AES256-GCM-SHA384, bits=256
May 22 14:49:41 Firewall smtpd[5565]: smtp-out: Server certificate
verification succeeded on session 678c450539abbe1e
May 22 14:49:41 Firewall smtpd[5565]: smtp-out: Error on session
678c450539abbe1e: AUTH rejected: 535 5.7.8 Sorry.
May 22 14:49:41 Firewall smtpd[5565]: smtp-out: Disabling route [] <->
205.219.233.9 (mail.centurylink.net) for 800s
May 22 14:49:43 Firewall smtpd[5565]: smtp-out: No valid route for
[connector:[]->[relay:smtp.centurylink.net,port=587,starttls,smtps,auth=secrets:label,mx],0x0]
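A triage script for maillog lines like the ones above, added here as an example and not part of the original post: it groups smtpd lines by session id, records the negotiated TLS cipher and whether the server certificate verified, decodes the enhanced status code of the AUTH rejection per RFC 4954, and says which layer to check first. The sample log is constructed from the excerpt (the redacted from= address is a placeholder) and the regexes are assumptions about this smtpd version's log format.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the maillog excerpt in the post above; the
# redacted from= address is replaced with a placeholder.
SAMPLE_MAILLOG = """\
May 22 14:49:41 Firewall smtpd[5565]: smtp-in: New session 678c45026c0fd8f5 from host ## [local]
May 22 14:49:41 Firewall smtpd[5565]: smtp-in: Accepted message 6e845123 on session 678c45026c0fd8f5: from=<root@fw.example>, to=<user@centurylink.net>, size=242, ndest=1, proto=ESMTP
May 22 14:49:41 Firewall smtpd[5565]: smtp-in: Closing session 678c45026c0fd8f5
May 22 14:49:41 Firewall smtpd[5565]: smtp-out: Connecting to tls://205.219.233.9:587 (mail.centurylink.net) on session 678c450539abbe1e...
May 22 14:49:41 Firewall smtpd[5565]: smtp-out: Connected on session 678c450539abbe1e
May 22 14:49:41 Firewall smtpd[5565]: smtp-out: Started TLS on session 678c450539abbe1e: version=TLSv1/SSLv3, cipher=AES256-GCM-SHA384, bits=256
May 22 14:49:41 Firewall smtpd[5565]: smtp-out: Server certificate verification succeeded on session 678c450539abbe1e
May 22 14:49:41 Firewall smtpd[5565]: smtp-out: Error on session 678c450539abbe1e: AUTH rejected: 535 5.7.8 Sorry.
May 22 14:49:41 Firewall smtpd[5565]: smtp-out: Disabling route [] <-> 205.219.233.9 (mail.centurylink.net) for 800s
"""

# syslog prefix plus smtpd's smtp-in/smtp-out tag; the message text is parsed below
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"smtpd\[\d+\]: (?P<side>smtp-(?:in|out)): (?P<msg>.*)$")
SESSION_RE = re.compile(r"\bsession (?P<sid>[0-9a-f]{16})\b")
TLS_RE = re.compile(r"Started TLS on session [0-9a-f]{16}: version=(?P<version>[^,]+), "
                    r"cipher=(?P<cipher>[^,]+), bits=(?P<bits>\d+)")
AUTH_RE = re.compile(r"AUTH rejected: (?P<code>\d{3}) (?P<esc>\d\.\d+\.\d+)(?: (?P<text>.*))?$")
ROUTE_RE = re.compile(r"Disabling route \[[^\]]*\] <-> (?P<ip>\S+) \((?P<mx>[^)]+)\) "
                      r"for (?P<secs>\d+)s")

# Enhanced status codes a server may return to AUTH (RFC 4954, section 6)
AUTH_ESC_MEANING = {
    "5.7.8": "Authentication credentials invalid",
    "5.7.9": "Authentication mechanism is too weak",
    "5.7.11": "Encryption required for requested authentication mechanism",
    "4.7.12": "A password transition is needed",
    "4.7.0": "Temporary authentication failure",
}

def parse_maillog(text):
    """Group smtpd lines by session id; returns (sessions, routes_disabled)."""
    sessions = defaultdict(lambda: {"side": None, "tls": None,
                                    "cert_verified": False, "auth_error": None})
    routes_disabled = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        route = ROUTE_RE.search(msg)
        if route:  # route penalties carry no session id, so keep them apart
            routes_disabled.append({"ts": m["ts"], "ip": route["ip"],
                                    "mx": route["mx"], "seconds": int(route["secs"])})
            continue
        sm = SESSION_RE.search(msg)
        if not sm:
            continue
        s = sessions[sm["sid"]]
        s["side"] = m["side"]
        tls = TLS_RE.search(msg)
        if tls:
            s["tls"] = {"version": tls["version"], "cipher": tls["cipher"],
                        "bits": int(tls["bits"])}
        if "Server certificate verification succeeded" in msg:
            s["cert_verified"] = True
        auth = AUTH_RE.search(msg)
        if auth:
            s["auth_error"] = {"code": auth["code"], "esc": auth["esc"],
                               "text": auth["text"] or "",
                               "meaning": AUTH_ESC_MEANING.get(auth["esc"], "unknown")}
    return dict(sessions), routes_disabled

def auth_findings(text):
    """One finding per outbound session whose AUTH was rejected, with context."""
    findings = []
    for sid, s in parse_maillog(text)[0].items():
        if s["side"] != "smtp-out" or s["auth_error"] is None:
            continue
        err = s["auth_error"]
        findings.append({"session": sid, "tls_established": s["tls"] is not None,
                         "cipher": s["tls"]["cipher"] if s["tls"] else None,
                         "cert_verified": s["cert_verified"], "code": err["code"],
                         "esc": err["esc"], "meaning": err["meaning"],
                         "server_text": err["text"]})
    return findings

def diagnose(finding):
    """A 535 5.7.8 arriving after TLS and certificate verification succeeded is a
    credentials problem (label/user/password in the secrets table), not a cipher one."""
    if not finding["tls_established"]:
        return "tls-handshake"
    if finding["esc"] in ("5.7.8", "4.7.12"):
        return "credentials"
    if finding["esc"] in ("5.7.9", "5.7.11"):
        return "mechanism"
    return "unknown"

if __name__ == "__main__":
    for f in auth_findings(SAMPLE_MAILLOG):
        print(f"{f['session']}: {f['code']} {f['esc']} {f['meaning']} "
              f"(cipher={f['cipher']}, cert_ok={f['cert_verified']}) -> {diagnose(f)}")
```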



Re: ntpd commandline expansion

2016-05-07 Thread Patrick Dohman
> Lyndon** is correct: if you want the clock in your virtualbox to jump,
> virtualbox is the one that should jump it.  Changing ntpd to some how
> magically detect that the VM was paused and resumed is a workaround on
> a kludge.


I agree numerous suspend/resumes will result in drift; however, typing doas
rdate -nv pool.ntp.org will resolve the issue.

I ran into this exact issue recently when issuing certs in conjunction with
Antoine Jacoutot's new create-ami.sh script.



Re: Small FW boxes for CORP use (was: T40E APU?)

2016-03-12 Thread Patrick Dohman
The Supermicro IPMI/BMC is pretty genius.

Superfluous access to sensor data & watchdog timers etc...

> On Mar 12, 2016, at 7:34 AM, torsten  wrote:
>
>> -Original Message-
>> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
> Josh
>> Grosse
>> Sent: 12 March 2016 13:22
>> To: misc@openbsd.org
>> Subject: Re: Small FW boxes for CORP use (was: T40E APU?)
>>
>> On Sat, Mar 12, 2016 at 10:34:16AM +, Kapfhammer, Stefan wrote:
>>> But how would you feed the CAT female jack out of the original
>>> pcengines enclosure? There are no further mounting holes in it.
>>
>> I was thinking of the Alix, where enclosures are not included.
>
> I like standard 1u low power equipment and prefer supermicro for its
> linux/BSD support,
> This is no advertising for ebay but I usually get stuff like this
> http://www.ebay.co.uk/itm/Supermicro-1U-Server-Xeon-X3430-2-4Ghz-Quad-Core-8GB-RAM-Low-Power-R210-DL120-/291687112072?hash=item43e9e81d88:g:034AAOSwcwhVON9U
> then add a dual port NIC, usually HP Intel and off I go.
> The benefit is the KVM, integrated HDD's and flexibility. My gateways are
> proxies, vpn and http servers with port forwarding to internal workstation
> and servers after authentication for vnc, sql and other



Re: OpenBSD softraid can do scrub, hotspare, hotswap? How do rebuild + those 3 really done? (Absence of docs and howtos - ultimate Q!)

2016-02-21 Thread Patrick Dohman
Another feature to look for is spin down of the dedicated hot spare.

Go Vikings :)
Patrick

> On Feb 21, 2016, at 7:23 AM, Marcus MERIGHI  wrote:
>
> ti...@openmailbox.org (Tinker), 2016.02.20 (Sat) 21:05 (CET):
>> So glad to understand better what's in the box.
>>
>> Also please note that I'm not trying to suggest to implement lots of
>> crap, am perfectly clear that high security is correlated with low
>> complexity.
>>
>> On 2016-02-21 00:29, Marcus MERIGHI wrote:
>>> ti...@openmailbox.org (Tinker), 2016.02.20 (Sat) 16:43 (CET):
>> ..
>>> You appear to mean bioctl(8). That's the only place I could find the word
>>> 'patrol'. bioctl(8) can control more than softraid(4) devices.
>>>
>>> bio(4):
>>>The following device drivers register with bio for volume
>>>   management:
>>>
>>>  ami(4) American Megatrends Inc. MegaRAID
>>> PATA/SATA/SCSI RAID controller
>>>  arc(4) Areca Technology Corporation SAS/SATA RAID
>>> controller
>>>  cac(4) Compaq Smart Array 2/3/4 SCSI RAID controller
>>>  ciss(4)Compaq Smart Array SAS/SATA/SCSI RAID
>>>   controller
>>>  ips(4) IBM SATA/SCSI ServeRAID controller
>>>  mfi(4) LSI Logic & Dell MegaRAID SAS RAID controller
>>>  mpi(4) LSI Logic Fusion-MPT Message Passing Interface
>>>  mpii(4)LSI Logic Fusion-MPT Message Passing Interface
>>>   II
>>>  softraid(4)Software RAID
>>>
>>> It is talking about controlling a HW raid controller, in that 'patrol'
>>> paragraph, isn't it?
>>
>> So by this you mean that patrolling is really implemented for
>> softraid??
>
> No, I said the opposite.
>
> I'm sure my english language capabilities are not perfect. But what you
> make of it is really surprising! (And even funny in the cabaret way.)
>
> I'll keep trying. But sooner or later we'll have to take this off list.
> Or to newbies. There you get help from the same people but without
> having your misinterpretations in the 'official' archives for other poor
> souls to find ;-)
>
> http://mailman.theapt.org/listinfo/openbsd-newbies
>
>> (Karel and Constantine don't agree??)
>>
>> So I just do.. "bioctl -t start sdX" where sdX is the name of my softraid
>> device, and it'll do the "scrub" as in reading through all underlying
>
> bioctl(8) is clear, I think:
> -t patrol-function
>  Control the RAID card's patrol functionality, if
>  supported. patrol-function may be one of:
>
> Why do you think it will work for softraid(4) when it says it does for
> hardware-RAID?
>
> I have a theory: you have some experience with other Operating Systems
> and their built in help system that have led you to not fully read but
> just search/skim for keywords. Do yourself (and me) a favour and read
> them fully. Top to bottom. Take every word as put there thoughtfully,
> not in a hurry. You can find manpage content discussions all over the
> archives. manpages are taken seriously.
>
> Please repeat: bio(4)/bioctl(8) controls RAID devices. These can be in
> hardware or software. Some functions (-a, -b, -H, -t, -u) are only
> usable/useful when controlling a hardware RAID. The manpage even gives
> direct clues on whether hardware- or software RAID is the topic. First
> synopsis, second synopsis. 'The options for RAID controllers are as
> follows:' (=hardware) 'In addition to the relevant options listed above,
> the options for softraid(4) devices are as follows:' (=software).
> Did you note the 'relevant' part? That word is there on purpose, I
> suppose. It is there to tell you that not all, but the relevant parts of
> the hardware RAID parameters also apply to software RAID (that comes
> below). I would consider '-v' relevant, '-a' ('Control the RAID card's
> alarm functionality, if supported') not.
>
> (Example: what '-a' does for hardware RAID can be done with sensorsd(8)
> for software RAID (=softraid(4)). Once a softraid volume is configured,
> you get 'hw.sensors.softraid0.drive0=online (sd1), OK'.
> Try 'sysctl hw.sensors.softraid0'.)
>
>> physical media to check its internal integrity so for RAID1C that will be
>> data readability and that checksums are correct, and "doas bioctl
>> softraid0" will show me the % status, and if I don't get any errors before
>> it goes back to normal it means the patrol was successful right?
>
> No idea, never had a hardware RAID controller.
>
>> (And as usual patrol is implemented to have the lowest priority, so it
>> should not interfere extremely much with ordinary SSD softraid
>> operation.)
>
> I think the patrolling is done by the hardware RAID controller.
> bioctl(8) just commands it to do so.
>
>>>> * Rebuild - I think I saw some console dump of the status of a rebuild
>>>> process on the net, so MAYBE or NO..?
>>>
>>> That's what it looks like:
>>>
>>> $ 

Re: Can I accelerate my magnet HDD using a SSD in any way?? E.g. softraid patch/ARC, dedicated hardware e.g. Intel RCS25ZB040LX="Nytro MegaRAID", anything

2016-01-31 Thread Patrick Dohman
> There is some hardware solution, e.g. Intel made the
> http://ark.intel.com/products/70029/Intel-RAID-SSD-Cache-Controller-RCS25ZB040LX
> using the "Nytro MegaRAID" chip.
>
> Someone would need to port its driver to OpenBSD.
>
> Also in the past there was a "Adaptec MaxIQ". Those are the only two "Raid
> controller cache" hardware solutions I am aware of, do you know any more?
>
>
>

Some of the MegaRAID cards feature CacheCade.

Essentially disk cache is written to SSD before being “copied” to spinning
disk.

Keep in mind DRAM based cache can improve performance when implemented in
conjunction with hardware write back.

Also magnetic disk & SSD with super cap / fault tolerant on disk cache can
speed up I/O significantly.



Re: Can I accelerate my magnet HDD using a SSD in any way?? E.g. softraid patch/ARC, dedicated hardware e.g. Intel RCS25ZB040LX="Nytro MegaRAID", anything

2016-01-31 Thread Patrick Dohman
> Do you know any MegaRaid that a) supports that, b) is modern and not
> archaic, and c) is supported by OpenBSD?
>

It appears the MFI driver provides support for the MegaRAID SAS 9260-8i.

Please note I’ve not tested the 9260-8i on OpenBSD.

http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/mfi.4


My current understanding is that CacheCade is a licensed add-on for the 9260-8i
that can be configured in the RAID BIOS.

http://www.avagotech.com/products/server-storage/raid-controllers/megaraid-cachecade-pro-software#specifications


http://www.avagotech.com/products/server-storage/raid-controllers/megaraid-sas-9260-8i


>
> I was mostly considering read acceleration.

Read Ahead caching is supported by the 9260-8i; this essentially caches
contiguous blocks to onboard DRAM if the controller's algorithm determines they
will be needed.

>
> Can you give a practical example of this?
> )

A RAID 10 with four disks running enterprise Intel SSD disk drives with
MegaRAID disk caching enabled. Essentially the Intel Enterprise SSD on board
cache augments the NAND flash. Fault tolerance is provided by a
“capacitor” that flushes the cache to disk after a power loss.



Re: CD's arrived

2015-10-18 Thread Patrick Dohman
CD+Case && Coffee Mug arrived here in Saint Paul, MN

> On Oct 7, 2015, at 9:51 AM, M Wheeler <6f84c...@refn.co.uk> wrote:
> 
> CD's arrived today UK. Thanks again.



Re: update/upgrade

2015-09-22 Thread Patrick Dohman
> On Sep 20, 2015, at 9:36 PM, Quartz  wrote:
> 
>> Does your embedded storage run NOR/NAND or something like SDHC Memory
>> Cards?
>> 
>> If your systems are running SDHC you can easily create clones with a
>> laptop & the DD utility.
> 
> A couple of them do, but it doesn't matter in this case. The main issue with 
> compiling is that it can effectively knock the system offline for hours which 
> isn't acceptable. Any process that involves shutting the machine off or 
> booting into a separate OS image has the same problem.
> 
> It's just a question of minimizing downtime.
> 


Is it possible to upgrade via a separate OS? Chroot into a new system, run 
sysmerge & voilà?



Re: update/upgrade

2015-09-20 Thread Patrick Dohman
> On Sep 20, 2015, at 3:49 PM, Quartz  wrote:
> 
> We have a bunch of low power embedded devices that we'd like to keep 
> reasonably up to date, but the disk space and cpu overhead of tracking 
> -stable is kind of a nonstarter. Is there another/better way of doing things 
> these days? (Other than applying dozens of patches manually).
> 

Does your embedded storage run NOR/NAND or something like SDHC Memory Cards?

If your systems are running SDHC you can easily create clones with a laptop & 
the dd utility.

Regards
Patrick



Re: requesting help working around boot failures with supermicro atom board

2015-09-13 Thread Patrick Dohman
Any thermal settings in the BIOS? CPU performance, fan speed etc..

Does the fan idle correctly? Often Intel chipsets will throttle the fan during 
a BIOS test.

Perhaps ACPI is not routing an interrupt??

Regards
Patrick


> On Sep 11, 2015, at 5:38 PM, dewey.hyl...@gmail.com wrote:
> 
> hi all. i’m having difficulty with this board:
> 
> Supermicro X7SPE-HD-D525 rev1
> 
> i have several similar systems, each running an older version of OpenBSD for 
> a few years without incident. except this one …
> 
> running OpenBSD 5.7 i386, from cold start it boots just fine and runs until 
> rebooted. once rebooted, however, prior to anything being displayed (i assume 
> this is early in the bios post phase) i get one very long beep. super micro 
> tells me this indicates inability to correctly initialize the memory. okay, 
> so i’ve changed memory for known working components and have the same issue. 
> at this point, the only thing that gets me booting again is to remove power 
> and then restore power. it then boots fine from cold start, and fails on the 
> next reboot (as in, “reboot” from the command line). once in long-beep 
> failure mode, neither the hardware reset button nor the power button can make 
> the machine boot again. the only thing that works is removing power. every 
> once in a while it will reboot successfully, only to fail in the same manner 
> on the next attempt.
> 
> super micro has had me flash bios, clear cmos, boot from different devices 
> and with nothing connected, etc. the results are the same: when rebooting 
> from openbsd, next boot fails until power is removed/restored. super micro 
> blames openbsd.
> 
> i installed linux (same hardware, overwrite openbsd 5.7) and scheduled a 
> reboot every 5 minutes and left it overnight. i logged 554 successful reboots.
> 
> i have since installed the latest available openbsd amd64 snapshot, and am 
> seeing the same failures.
> 
> i’m wondering if something could be disabled (boot -c ?) or if something else 
> raises a red flag and might have a workaround. this has me stumped. i would 
> very much appreciate a clue stick. 
> 
> dmesg follows:
> 
> OpenBSD 5.8-current (GENERIC.MP) #1364: Wed Sep  9 17:32:01 MDT 2015
>dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 4277665792 (4079MB)
> avail mem = 4144070656 (3952MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S1 S4 S5
> acpi0: tables DSDT FACP APIC MCFG OEMB HPET EINJ BERT ERST HEST
> acpi0: wakeup devices P0P1(S4) PS2K(S4) PS2M(S4) USB0(S4) USB1(S4) USB2(S4) 
> USB5(S4) EUSB(S4) USB3(S4) USB4(S4) USB6(S4) USBE(S4) P0P4(S4) P0P5(S4) 
> P0P6(S4) P0P7(S4) [...]
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Atom(TM) CPU D525 @ 1.80GHz, 1800.23 MHz
> cpu0: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,SENSOR
> cpu0: 512KB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> cpu0: apic clock running at 199MHz
> cpu0: mwait min=64, max=64, C-substates=0.1, IBE
> cpu1 at mainbus0: apid 2 (application processor)
> cpu1: Intel(R) Atom(TM) CPU D525 @ 1.80GHz, 1800.00 MHz
> cpu1: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,SENSOR
> cpu1: 512KB 64b/line 8-way L2 cache
> cpu1: smt 0, core 1, package 0
> cpu2 at mainbus0: apid 1 (application processor)
> cpu2: Intel(R) Atom(TM) CPU D525 @ 1.80GHz, 1800.00 MHz
> cpu2: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,SENSOR
> cpu2: 512KB 64b/line 8-way L2 cache
> cpu2: smt 1, core 0, package 0
> cpu3 at mainbus0: apid 3 (application processor)
> cpu3: Intel(R) Atom(TM) CPU D525 @ 1.80GHz, 1800.00 MHz
> cpu3: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,SENSOR
> cpu3: 512KB 64b/line 8-way L2 cache
> cpu3: smt 1, core 1, package 0
> ioapic0 at mainbus0: apid 4 pa 0xfec0, version 20, 24 pins
> ioapic0: misconfigured as apic 1, remapped to apid 4
> acpimcfg0 at acpi0 addr 0xe000, bus 0-255
> acpihpet0 at acpi0: 14318179 Hz
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus 4 (P0P1)
> acpiprt2 at acpi0: bus 1 (P0P4)
> acpiprt3 at acpi0: bus 2 (P0P8)
> acpiprt4 at acpi0: bus 3 (P0P9)
> acpicpu0 at acpi0: C1(@1 halt!)
> acpicpu1 at acpi0: C1(@1 

Re: pf vs mp

2015-09-01 Thread Patrick Dohman
> On Sep 1, 2015, at 8:40 PM, Quartz  wrote:
>
> there won't even be any fans in the chassis or power supply, so low TDP is
> super important, and that ends up meaning low performance

Embedded systems can often benefit from efficient power design & inefficiency
can unduly impact WLAN etc..

Regards
Patrick



Re: OpenBSD on Fiber

2015-08-30 Thread Patrick Dohman
Seems hardware isn’t as interesting as it once was, probably due to phones being 
the only devices developed for now.

There are books on virtualization; try reading up on NIC/IO virtualization 
drivers.

Regards
Patrick


> On Aug 30, 2015, at 4:49 PM, Jérémie Courrèges-Anglas j...@wxcvbn.org wrote:
> 
> Patrick patr...@natpnk.nl writes:
> 
>> I understand the fact about a dedicated server and the fact that not
>> every speedtest is the same. But there is another angle. I have installed
>> FreeBSD with the same specs and also a PF enabled and in testing it is
>> much better. I also have a VPS in a DC; normally the speed is on average 48 and
>> with OpenBSD it is average 17. So is there a good explanation for this?
> 
> uber-fast and virt are not the main focuses of OpenBSD development, but
> work is being done to make the situation better.  But there is another
> angle.  How can you help?  Hint: saying it's slow doesn't help. ;)
> 
> -- 
> jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE



Re: Show us your /etc/profile

2015-08-28 Thread Patrick Dohman
My back-to-SCO additions…


#-#
# Print the current directory, hostname & user #
#-#

HOST=`hostname`
# Prompt looks like [user@host dir]$ ; "~" in $HOME, "/" at the root, else the last path component
PS1='$(print -n "[${USER}@${HOST%%.*} "; [[ $HOME == $PWD ]] && print -n "~" || ([[ ${PWD##*/} == "" ]] && print -n "/" || print -n "${PWD##*/}"); print "]$ ")'

#***
HISTFILE=~/.ksh_history
export HISTFILE
HISTSIZE=500; export HISTSIZE
#


#-#
#  a few Korn/Bash shell aliases  #
#-#

alias l="ls -la"
alias vi="vim"

Regards
Patrick


> On Aug 27, 2015, at 7:36 PM, T B phreakoci...@gmail.com wrote:
> 
> Resurrecting this not-too-old thread.  You might find this one useful if
> you run CARP firewalls which gives you a dynamic prompt telling you the
> master/backup/other status.
> 
> function fwStatus {
>     # one line per carp interface; quoting keeps the newlines so wc -l counts them
>     IFCONFIG=`ifconfig -a | grep carp:`
>     NUMCARPS=`echo "$IFCONFIG" | wc -l`
>     BACKUPCARPS=`echo "$IFCONFIG" | grep 'carp: BACKUP' | wc -l`
>     MASTERCARPS=`echo "$IFCONFIG" | grep 'carp: MASTER' | wc -l`
> 
>     if [[ $MASTERCARPS == $NUMCARPS ]]; then
>         printf master
>     elif [[ $BACKUPCARPS == $NUMCARPS ]]; then
>         printf backup
>     else
>         printf other
>     fi
> }
> 
> HOSTNAME=`hostname -s`
> PS1='${USER}@${HOSTNAME}:${PWD} ($(fwStatus)) $ '
> 
> 
> On Wed, Aug 5, 2015 at 1:43 AM, Sean Kamath kam...@moltingpenguin.com
> wrote:
> 
>> On Aug 2, 2015, at 8:49 AM, li...@wrant.com wrote:
>> 
>>> never
>>> thought of using a shell function in .profile till I read this thread.
>> 
>> ...
>> 
>>> Functions have always been impressive once you move past the alias
>>> shortcomings (can't handle arguments etc), so also worth a read the
>>> Functions section.
>> 
>> 
>> Functions have been amazingly useful and impressive for a very long time.
>> They are also not limited to ksh.  In fact, my introduction to this very
>> useful aspect of shell programming was from Sun's rcS script, which has
>> this:
>> 
>> # Simulates cat in sh so it doesn't need to be on the root filesystem.
>> #
>> shcat() {
>>     while [ $# -ge 1 ]; do
>>         while read i; do
>>             echo "$i"
>>         done < "$1"
>>         shift
>>     done
>> }
>> 
>> 
>> There have been times when I've been on systems in single user mode
>> without filesystems, and knowing how to do some things we typically use
>> external programs for in the shell can be a lifesaver, like 'echo *' as a
>> poor man's ls.
>> 
>> If your directory isn't *that* large, 'for i in *;  do echo $i; done | wc
>> -l' works well.  Well, for some definition of 'well'.
>> 
>> My point is that shell functions allow you to do some fairly complex
>> stuff, and if you're careful, you can avoid execs.  There are places the
>> shell forks, however.  It can be a fun exercise to find them with profiling
>> tools. :-)
>> 
>> Sean



Re: bpf_mtap/SRP on -current/amd64 panics after a few minutes

2015-08-22 Thread Patrick Dohman
> On Aug 22, 2015, at 12:22 PM, Mattieu Baptiste mattie...@gmail.com wrote:
> 
> acpicpu0 at acpi0: !C2(0@100 io@0x841), C1(@1 halt!), PSS
> acpicpu1 at acpi0: !C2(0@100 io@0x841), C1(@1 halt!), PSS


These look suspicious.

Perhaps the acpicpu driver is the culprit. 5.8 appears to have added the
following:

acpicpu(4) http://www.openbsd.org/cgi-bin/man.cgi?query=acpicpu&sec=4 uses
ACPI C-state information to reduce power consumption of idle CPUs.

A “cool” feature imho that might add life to a fanless.



Re: weird carp failover behavior

2015-08-20 Thread Patrick Dohman
Anything in your modem logs? DOCSIS layer 2 is a strange beast :)

Any cabling issue such as attenuators or splitters behind the modem?

Regards
Patrick



> On Aug 19, 2015, at 2:34 PM, Devin Reade g...@gno.org wrote:
> 
> I'm trying to understand an odd behavior during carp failover
> where one uplink goes numb until the demarc equipment is power
> cycled.
> 
> Consider the following:
> 
> ISP1-demarc   ISP2-demarc
> |   |
> SW1 (Net1) SW2 (Net2) - C
> |\ /|
> | X |
> |/ \|
>  FW-A - FW-B
> |\ /|
> | X |
> |/ \|
> SW3 (Net3) SW4 (Net4)
>   (no NAT) (NAT)
> |
> H4
> 
> ISP1-demarc and ISP2-demarc are the respective ISP's equipment (outside
> of my control, other than power cycling them).  SWn are all unmanaged
> switches.
> 
> FW-A, FW-B, and C are all OpenBSD boxes.  FW-A and FW-B, in particular,
> are running 5.7-STABLE in a master/slave carp configuration.  Things
> are set up so that traffic to/from Net3 is sent via ISP1 (no NAT) and
> traffic to/from Net4 is sent via ISP2 (using NAT on FW-A and FW-B).
> H4 is a host sitting on Net4 in private address space.
> 
> Static IPs are used throughout, including on both the SW1 and SW2
> subnets.  FW-n are routers, not bridges.  Pfsync is running via
> a crossover cable between FW-A and FW-B.
> 
> Behavior:
> 
> In normal operations everything works as expected.  During a carp
> failover, everything for Net3 via ISP1 also works as expected.
> However, during a failover I lose connectivity on Net4, in a qualified
> manner (see below) until ISP2-demarc is power cycled.
> 
> The obvious first answer is that ISP2-demarc (which is a Motorola
> cable modem) probably has a limited number of MAC slots available
> to it.  However, that doesn't seem quite right.  More details ...
> 
> Before failover, I set up a 'ping -n' running on H4 and going to
> a host elsewhere on the Internet (call it EXT).  I also set up
> a 'ping -n' on C going to the carp IP of FW-A and FW-B on Net2
> (let's call that Carp2).
> 
> Now comes the weird part.  If I shut down the master, FW-A, I see
> the following:
> 
> 1. the running pings from C to Carp2 continue to work until ^C
> 2. the running pings from H4 to EXT continue to work until ^C
> 3. a concurrent newly created ping from C to Carp2 fails
> 4. a concurrent newly created ping from H4 to EXT fails
> 5. all other outbound traffic from Net4 fails (this is just
>    a generalization of (4)).
> 
> If I power cycle ISP2-demarc, sanity returns.  That is, until
> FW-A comes back up and FW-B is demoted again.  Then I get the same
> type of failures until ISP2-demarc is power cycled again.
> 
> Power cycling switch SW2 instead of ISP2-demarc does not affect the
> outcome.
> 
> Ok, so how about the MACs?  On Net2 we have the following MACs:
> 
> - ISP2-demarc-mac (on ISP2-demarc)
> - C-mac (on C)
> - FW-A-mac (physical MAC on FW-A)
> - FW-B-mac (physical MAC on FW-B)
> - Carp2-mac (the virtual MAC used by Carp2, which I've verified
>   to be the same for both FW-A and FW-B when they are respectively
>   running as master.)
> 
> One wart here, and a difference between Net1 and Net2 is that on
> Net1 both firewalls have their own IPs in addition to the Carp1
> IP.  However, on Net2 both firewall's hostname.if file contains
> only the 'up' keyword; no IP is used on that network until the
> machine becomes the carp master.
> 
> So that means that when H4 is pinging EXT, the pings are being
> NAT'd to use the Carp1 IP.  Therefore I wouldn't expect a failover
> to cause the modem's MAC slots to overflow.
> 
> But the *really* weird part is what is happening with C; why would
> C not be able to ping Carp1 until ISP2-demarc is power-cycled, especially
> with SW2 isolating the latter from Carp1 and C?
> 
> And the story with C gets better.  If I set up a tcpdump on FW-B's Net2
> interface, I see the following sequence of events:
> 
> - before killing FW-A, I see arp requests and CARPv2 advertisements
>   from FW-A (based on the skew), and that's about it (as expected)
> - upon shutting down FW-A, I see a CARPv2 packet from FW-B, and then
>   start seeing the ping request/reply pairs coming in from C (as expected)
> - upon killing and restarting C's ping to Carp2, I no longer see the
>   response on C, but I'm seeing both the request and response in FW-B's
>   tcpdump.  On C, I see only the echo response. (NOT expected)
> 
> Does this last bit point the finger at SW2 being the culprit (perhaps
> not routing packets to the appropriate NIC port), even though power
> cycling SW2 isn't sufficient to fix the problem?
> 
> Any other thoughts?
> 
> Devin



Re: SPARC minimum hardware specification

2015-07-18 Thread Patrick Dohman
If I’m not mistaken the PS3 had a PPC as well.

Many of the Intel alternatives do a better job at math & calculations in my 
opinion; while PPC & SPARC may need additional time to execute operations, often 
there are fewer errors and the results are far more accurate.

This is quite obvious on the PS3. Things like X & Y coordinate mappings were often 
very accurate. Seemingly Intel aims to disregard this type of accuracy.

Regards
Patrick


 On Jul 18, 2015, at 9:19 AM, Seth l...@sysfu.com wrote:
 
 On Fri, 17 Jul 2015 09:15:14 -0700, BSD b...@cpscoatings.net wrote:
 The replies to the OP seem discouraging. If not Oracle, and not
 Fujitsu, then what? If not a sparc desktop, then what about a sparc
 router? A RISC anything??
 
 You might be interested in Bunny's Novena project [1] [2]
 
 [1] http://www.mail-archive.com/misc%40openbsd.org/msg126490.html
 
 [2] https://www.crowdsupply.com/sutajio-kosagi/novena



Re: OpenBSD 5.7 on HP ProLiant DL360p Gen8

2015-05-12 Thread Patrick Dohman
Thorleif

For what it’s worth we had luck with a DL360 Gen9 after enabling SATA AHCI 
Legacy boot mode.

“please note OS was CentOS 6 software raid”

Regardless, the fake RAID does seem Microsoft oriented & UEFI may be an issue.

Regards
Patrick



 On May 12, 2015, at 9:39 AM, Thorleif Wiik [BCIX] thorleif.w...@bcix.de wrote:

 Hi,

 just installed OpenBSD 5.7 on a HP ProLiant DL360p Gen8 and while booting,
 OpenBSD is waiting for some timeouts:

 scsibus2 at atapiscsi0: 2 targets
 pciide0:0:0: device timeout, c_bcount=0, c_skip=0, status=0x58<DRDY,DSC,DRQ>, ireason=0x1
 pciide0:0:0: device timeout, c_bcount=0, c_skip=0, status=0x58<DRDY,DSC,DRQ>, ireason=0x1
 pciide0:0:0: device timeout, c_bcount=0, c_skip=0, status=0x58<DRDY,DSC,DRQ>, ireason=0x1
 pciide0:0:0: device timeout, c_bcount=0, c_skip=0, status=0x58<DRDY,DSC,DRQ>, ireason=0x1
 pciide0:0:0: device timeout, c_bcount=0, c_skip=0, status=0x58<DRDY,DSC,DRQ>, ireason=0x1
 pciide0:0:0: device timeout, c_bcount=0, c_skip=0, status=0x58<DRDY,DSC,DRQ>, ireason=0x1
 pciide0:0:0: device timeout, c_bcount=36, c_skip=0, status=0x58<DRDY,DSC,DRQ>, ireason=0x1
 pciide0:0:0: device timeout, c_bcount=36, c_skip=0, status=0x58<DRDY,DSC,DRQ>, ireason=0x1
 pciide0:0:0: device timeout, c_bcount=36, c_skip=0, status=0x58<DRDY,DSC,DRQ>, ireason=0x1
 pciide0:0:0: device timeout, c_bcount=36, c_skip=0, status=0x58<DRDY,DSC,DRQ>, ireason=0x1
 pciide0:0:0: device timeout, c_bcount=36, c_skip=0, status=0x58<DRDY,DSC,DRQ>, ireason=0x1

 Any suggestions what to do to eliminate these timeouts?

 ## full dmesg ##

 dmesg

 OpenBSD 5.7 (GENERIC.MP) #881: Sun Mar  8 11:04:17 MDT 2015
 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
 real mem = 17127288832 (16333MB)
 avail mem = 16667447296 (15895MB)
 mpath0 at root
 scsibus0 at mpath0: 256 targets
 mainbus0 at root
 bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xbffec000 (180 entries)
 bios0: vendor HP version P71 date 02/25/2012
 bios0: HP ProLiant DL360p Gen8
 acpi0 at bios0: rev 2
 acpi0: sleep states S0 S4 S5
 acpi0: tables DSDT FACP SPCR MCFG HPET SPMI ERST APIC SRAT BERT HEST DMAR SSDT SSDT SSDT SSDT SSDT
 acpi0: wakeup devices PCI0(S5) IPT1(S5) IPT2(S5) IPT3(S5) IPT4(S5) IPT5(S5) IPT6(S5) IPT7(S5) IPT8(S5)
 acpitimer0 at acpi0: 3579545 Hz, 24 bits
 acpimcfg0 at acpi0 addr 0xc000, bus 0-255
 acpihpet0 at acpi0: 14318179 Hz
 acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
 cpu0 at mainbus0: apid 0 (boot processor)
 cpu0: Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz, 1995.48 MHz
 cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,PAGE1GB,LONG,LAHF,PERF,ITSC
 cpu0: 256KB 64b/line 8-way L2 cache
 cpu0: smt 0, core 0, package 0
 mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
 cpu0: apic clock running at 99MHz
 cpu0: mwait min=64, max=64, C-substates=0.2.1.1.2, IBE
 cpu1 at mainbus0: apid 2 (application processor)
 cpu1: Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz, 1995.19 MHz
 cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,PAGE1GB,LONG,LAHF,PERF,ITSC
 cpu1: 256KB 64b/line 8-way L2 cache
 cpu1: smt 0, core 1, package 0
 cpu2 at mainbus0: apid 4 (application processor)
 cpu2: Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz, 1995.19 MHz
 cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,PAGE1GB,LONG,LAHF,PERF,ITSC
 cpu2: 256KB 64b/line 8-way L2 cache
 cpu2: smt 0, core 2, package 0
 cpu3 at mainbus0: apid 6 (application processor)
 cpu3: Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz, 1995.19 MHz
 cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,PAGE1GB,LONG,LAHF,PERF,ITSC
 cpu3: 256KB 64b/line 8-way L2 cache
 cpu3: smt 0, core 3, package 0
 cpu4 at mainbus0: apid 8 (application processor)
 cpu4: Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz, 1995.19 MHz
 cpu4: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,PAGE1GB,LONG,LAHF,PERF,ITSC
 cpu4: 256KB 64b/line 8-way L2 cache
 cpu4: smt 0, core 4, 

Re: Authpf vs L2PT/IPsec for Intranet

2015-05-10 Thread Patrick Dohman
Predrag

I’m new to the list but I thought I’d chirp in.

What clients are people accessing your intranet with?

I’ve been presented with a similar request & am currently testing mobile access 
via ssh & port forwarding utilizing a combination of keys & the match directive.

Essentially SSH forwards port 80 after authenticating with a key. The server is 
also configured with a match directive to require key-based authentication from 
all public IPs.

This approach seems to work, however it may be difficult for some end users. In 
addition, it also allows shell access. Ideally I’d prefer port forwarding only.

Regards
Patrick

 On May 10, 2015, at 10:25 AM, Predrag Punosevac punoseva...@gmail.com wrote:
 
 Hi Misc,
 
 I am trying to implement Internet in my Lab. The purpose of the Internet
 is to prevent unauthorized users from viewing parts of our Wiki pages.
 Our Wiki pages don't really contain anything super sensitive or
 critical. BTW our Wiki/Portal has built in authentication but it doesn't
 look too secure to me. I am soliciting opinions about best/simplest ways
 how to do that.
 
 About two months ago I implemented secure access to a web application to
 one of our customers using L2TP/IPSec with npppd. It works like a charm.
 It seems to me that one way to implement Intranet (actually quite secure
 way) would be to require L2PT/IPSec connection for viewing pages. The only
 drawback I see is a little overhead required by encryption for viewing
 few stupid Wiki pages. On the other hand entire traffic is
 encapsulated and secure from prying eyes. 
 
 The second idea I have is to use Authpf to create Authenticating
 Gateway. I have never implemented Authpf in the past but it looks rather
 straightforward. I see that lots of people are using it to protect WiFi
 hot spots. Can it be used to protect unauthorized access to a web
 server?  I am assuming that the major drawback is that the traffic will
 not be encrypted and can be eavesdropped. Yes I could then use something
 like https to encrypt the traffic.
 
 I would appreciate any comments, suggestions, and ideas. I would
 appreciate even more if people share their experience in implementing
 Intranet on their networks. 
 
 Most Kind Regards,
 Predrag Punosevac
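The forwarding-only variant Patrick says he would prefer can be expressed entirely in sshd_config(5). The fragment below is an added example, not from Patrick's or Predrag's messages and not an OpenBSD default: it assumes the wiki listens on 127.0.0.1:80 on the SSH host, that the LAN is 10.0.0.0/8, and that remote users belong to a Unix group named wikitunnel; all three are placeholders. Unlike the setup Patrick describes, it requires keys from everywhere rather than only from public addresses, and the Match block strips the remote users down to a single local forward with no shell.

```conf
# Added example sshd_config fragment (not from the thread). Placeholders:
# the wiki on 127.0.0.1:80, the LAN 10.0.0.0/8, the group "wikitunnel".

# Defaults for everyone: keys only, nothing forwarded unless a Match block
# opens it back up.
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowTcpForwarding no
X11Forwarding no
AllowAgentForwarding no
PermitTunnel no

# Members of wikitunnel connecting from outside the LAN: public key only,
# a local forward to the wiki and nothing else, no TTY, and a forced command
# so that requesting a shell prints a hint instead of giving one.
# Client side: ssh -N -L 8080:127.0.0.1:80 user@gateway, then browse
# http://localhost:8080/.
Match Group wikitunnel Address *,!10.0.0.0/8
    AuthenticationMethods publickey
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:80
    PermitTTY no
    ForceCommand /bin/echo "port forwarding only; connect with ssh -N -L"
```

`PermitOpen` is what turns "port forwarding" into "forwarding to the wiki": without it a user could forward to any host the gateway can reach. On OpenSSH 7.2 and later the same restriction can be pinned to one key instead of a group, with `restrict,port-forwarding,permitopen="127.0.0.1:80"` in front of the key in authorized_keys, which is handy when the users are not local accounts with a shared group. Either way the wiki's own login stays as a second layer, which is the part authpf on its own would leave in cleartext.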



Re: strangely slow OpenBSD server connection

2010-05-10 Thread Patrick Dohman
On Mon, May 10, 2010 at 9:56 AM, Henning Brauer lists-open...@bsws.de wrote:



 rgh!

 first, autoneg is pretty damn reliable, the few exceptions are VERY
 old.
 second, taking one side to a fixed speed is calling for trouble. you
 almost certainly end up with one side full- and the other half-duplex.

 so if your ISP provides ethernet to you asking them whether they set
 the port to auto or fixed is a good idea, but randomly pushing buttons
 is as idiotic as ever.


Henning, all of my respect & I seem to recall you stating this previously.

I've run into at least five major issues in the last six or seven years
that boiled down to auto negotiate. If my memory serves me correctly the
vendors involved were ciscoese, dell & sonicwall.

Patrick



Re: strangely slow OpenBSD server connection

2010-05-10 Thread Patrick Dohman
On Mon, May 10, 2010 at 11:54 AM, Kurt Mosiejczuk kurt-openbsd-m...@se.rit.edu wrote:


 Fixing a speed below full and/or setting a duplex mode means you aren't
 using autoneg.


Not sure if this is where you're headed, Kurt, but it's a subject I'm somewhat
unclear on when it comes to GbE. Most if not all of the GbE cards I've
utilized have drivers with no configuration for duplex when running at
gigabit speeds. Basically all the duplex and flow control settings are auto
only when running at gig speeds. BTW my apologies to the OP, I'm not
trying to hijack the thread ;)



Re: Sendmail performance and OpenBSD

2010-05-09 Thread Patrick Dohman
 What can I do to diagnose the performance bottleneck?  The CPU is mostly
idle.

Have you tried an iostat?

http://www.openbsd.org/cgi-bin/man.cgi?query=iostat&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html