netstat output shuffles (new feature?)

2015-02-18 Thread patrick keshishian
Hi,

Just installed 2015-FEB-17 amd64 snapshot[1] and at first I thought
the order of daemon start-up had changed, and for some strange
reason sshd was started after smtpd, and X?

$ netstat -afinet
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  *.ssh                  *.*                    LISTEN
tcp          0      0  *.6000                 *.*                    LISTEN
tcp          0      0  localhost.smtp         *.*                    LISTEN
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp          0      0  build.3815             otherbox.ntp
udp          0      0  *.syslog               *.*


Quick look in /etc/rc didn't confirm this.

*shrug*

about 5 minutes later:

$ netstat -afinet
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  *.6000                 *.*                    LISTEN
tcp          0      0  localhost.smtp         *.*                    LISTEN
tcp          0      0  *.ssh                  *.*                    LISTEN
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp          0      0  build.3815             otherbox.ntp
udp          0      0  *.syslog               *.*


This is what I'm used to seeing. The first processes (based
on start-up/socket bind time) at the bottom of the list (stack)
and the newest at the top.

I figured not to bother misc@ about this, but the order
changed again next time I looked at netstat.

Is this caused by some change in the kernel or netstat?

Thanks,
--patrick



[1] sysctl kern.version
kern.version=OpenBSD 5.7-beta (GENERIC) #801: Tue Feb 17 12:38:11 MST 2015
t...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC



OpenBSD usb cannot be read on Windows

2015-02-18 Thread A Y
I used the "dd" command to make a bootable USB drive. The USB is 16G. After I
am done with the installation, I want to use the USB under Windows for other
purposes. Windows reads only 240 M.
How can I recover the 16G on the USB?



ehci_idone: ex=0xd90fd934 is done!

2015-02-18 Thread frantisek holop
recently i have bought a cheapo usb hub,
nothing fancy, just to keep the mouse,
keyboard, wifi in one place.  i have it
plugged in at boot time.

in dmesg.boot things look good. then hotplugd
starts to run and receives all these devices.
by the time i login, all the devices work
but i have this in the logs:

/var/log/messages:
Feb 18 10:25:42 hatvan attach[5808]: DEVCLASS=0, DEVNAME=uhub5
Feb 18 10:25:42 hatvan attach[26613]: DEVCLASS=3, DEVNAME=run0
Feb 18 10:25:42 hatvan attach[6382]: DEVCLASS=0, DEVNAME=ums0
Feb 18 10:25:42 hatvan attach[19471]: DEVCLASS=0, DEVNAME=uhid1
Feb 18 10:25:42 hatvan attach[7128]: DEVCLASS=0, DEVNAME=uhid2
Feb 18 10:25:42 hatvan attach[21013]: DEVCLASS=0, DEVNAME=softraid0
Feb 18 10:25:42 hatvan attach[28869]: DEVCLASS=5, DEVNAME=wsmouse2
Feb 18 10:25:42 hatvan attach[31776]: DEVCLASS=5, DEVNAME=wsmouse1
Feb 18 10:25:42 hatvan attach[24252]: DEVCLASS=0, DEVNAME=ugen0
Feb 18 10:25:42 hatvan attach[22473]: DEVCLASS=0, DEVNAME=ukbd0
Feb 18 10:25:42 hatvan attach[12734]: DEVCLASS=0, DEVNAME=uhid3
Feb 18 10:25:42 hatvan attach[20698]: DEVCLASS=0, DEVNAME=uhid0
Feb 18 10:25:42 hatvan attach[14234]: DEVCLASS=0, DEVNAME=sensordev
Feb 18 10:25:42 hatvan attach[22971]: DEVCLASS=0, DEVNAME=uhidev3
Feb 18 10:25:42 hatvan attach[30500]: DEVCLASS=0, DEVNAME=scsibus2
Feb 18 10:25:42 hatvan attach[29655]: DEVCLASS=0, DEVNAME=uhidev1
Feb 18 10:25:42 hatvan attach[6644]: DEVCLASS=0, DEVNAME=uhidev2
Feb 18 10:25:42 hatvan attach[3098]: DEVCLASS=0, DEVNAME=ums1
Feb 18 10:25:42 hatvan attach[12115]: DEVCLASS=0, DEVNAME=scsibus3
Feb 18 10:25:42 hatvan attach[7499]: DEVCLASS=5, DEVNAME=wskbd1
Feb 18 10:25:42 hatvan attach[21089]: DEVCLASS=0, DEVNAME=vscsi0
Feb 18 10:25:42 hatvan attach[23823]: DEVCLASS=0, DEVNAME=uhidev0
Feb 18 10:25:43 hatvan /bsd: ehci_idone: ex=0xd90fd934 is done!
Feb 18 10:25:43 hatvan last message repeated 2 times
Feb 18 10:25:43 hatvan /bsd: ehci_idone: ex=0xd90fda84 is done!
Feb 18 10:25:46 hatvan dhclient[4435]: run0 down; exiting

/var/log/daemon:
Feb 18 10:25:42 hatvan hotplugd[20965]: started
Feb 18 10:25:42 hatvan hotplugd[20965]: uhub5 attached, class 0
Feb 18 10:25:42 hatvan hotplugd[20965]: run0 attached, class 3
Feb 18 10:25:42 hatvan hotplugd[20965]: wsmouse1 attached, class 5
Feb 18 10:25:42 hatvan hotplugd[20965]: ums0 attached, class 0
Feb 18 10:25:42 hatvan hotplugd[20965]: uhid0 attached, class 0
Feb 18 10:25:42 hatvan hotplugd[20965]: uhid1 attached, class 0
Feb 18 10:25:42 hatvan hotplugd[20965]: uhid2 attached, class 0
Feb 18 10:25:42 hatvan hotplugd[20965]: uhidev0 attached, class 0
Feb 18 10:25:42 hatvan hotplugd[20965]: wskbd1 attached, class 5
Feb 18 10:25:42 hatvan hotplugd[20965]: ukbd0 attached, class 0
Feb 18 10:25:42 hatvan hotplugd[20965]: uhidev1 attached, class 0
Feb 18 10:25:42 hatvan hotplugd[20965]: wsmouse2 attached, class 5
Feb 18 10:25:42 hatvan hotplugd[20965]: ums1 attached, class 0
Feb 18 10:25:42 hatvan hotplugd[20965]: uhidev2 attached, class 0
Feb 18 10:25:42 hatvan hotplugd[20965]: uhid3 attached, class 0
Feb 18 10:25:42 hatvan hotplugd[20965]: uhidev3 attached, class 0
Feb 18 10:25:42 hatvan hotplugd[20965]: ugen0 attached, class 0
Feb 18 10:25:42 hatvan hotplugd[20965]: scsibus2 attached, class 0
Feb 18 10:25:42 hatvan hotplugd[20965]: vscsi0 attached, class 0
Feb 18 10:25:42 hatvan hotplugd[20965]: sensordev attached, class 0
Feb 18 10:25:42 hatvan hotplugd[20965]: scsibus3 attached, class 0
Feb 18 10:25:42 hatvan hotplugd[20965]: softraid0 attached, class 0
Feb 18 10:25:46 hatvan dhclient[4435]: run0 down; exiting
Feb 18 10:25:51 hatvan dhclient[6032]: DHCPREQUEST on run0 to 255.255.255.255
Feb 18 10:25:52 hatvan dhclient[6032]: DHCPACK from 10.10.10.1 (xx:xx:xx:xx:xx:xx)
Feb 18 10:25:52 hatvan dhclient[6032]: bound to 10.10.10.60 -- renewal in 604780 seconds.


so i thought i'd mention it, because ehci_idone messages
are not good news :]

-f


OpenBSD 5.7-beta (GENERIC.MP) #742: Tue Feb 17 12:50:59 MST 2015
t...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Core(TM) Duo CPU L2400 @ 1.66GHz (GenuineIntel 686-class) 1.67 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,SSE3,MWAIT,VMX,EST,TM2,xTPR,PDCM,PERF
real mem  = 2137341952 (2038MB)
avail mem = 2090029056 (1993MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 03/31/11, BIOS32 rev. 0 @ 0xfd690, SMBIOS rev. 2.4 @ 0xe0010 (67 entries)
bios0: vendor LENOVO version 7BETD8WW (2.19 ) date 03/31/2011
bios0: LENOVO 1705CTO
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SSDT ECDT TCPA APIC MCFG HPET SLIC BOOT SSDT SSDT SSDT SSDT
acpi0: wakeup devices LID_(S3) SLPB(S3) DURT(S3) EXP0(S4) EXP1(S4) EXP2(S4) EXP3(S4) PCI1(S4) USB0(S3) USB1(S3) USB2(S3) USB7(S3) HDEF(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiec0 at acpi0
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot 

Re: Installing OpenBSD 5.6 using a USB Flash drive

2015-02-18 Thread A Y
I downloaded -current snapshot and used it to install and guess
what!
I T   W O R K E D
I am just so happy after spending 13 (yes thirteen) days of full time trying
everything to make this work.
As I said before, I spent all my life working on Windows and this is the first
time I work on a non-Windows environment. Even the machine, I bought it 13
days ago. So everything was new to me.
I would never have done it without your help, so thank you:
Raimo Niskanen, Josh Grosse, Erling Westenvik, Stuart Henderson, Peter N. M.
Hansteen, Jiri B, Jan Stary

> From: afyous...@hotmail.com
> To: raimo+open...@erix.ericsson.se; misc@openbsd.org
> Subject: Re: Installing OpenBSD 5.6 using a USB Flash drive
> Date: Tue, 17 Feb 2015 18:22:04 +
>
> > Oops! I did not see that 'disk' actually was among the possible set
> > locations. Have you tried that?
> Yes I have.
> Could you please refer to previous discussions. If you cannot see many emails
> included here, then there must be something wrong with Outlook.com I am
> using.
>
> > Date: Tue, 17 Feb 2015 16:14:42 +0100
> > From: raimo+open...@erix.ericsson.se
> > To: misc@openbsd.org
> > Subject: Re: Installing OpenBSD 5.6 using a USB Flash drive
> >
> > On Tue, Feb 17, 2015 at 12:51:41PM +0100, Raimo Niskanen wrote:
> > > On Tue, Feb 17, 2015 at 10:36:20AM +, A Y wrote:
> > > > Hi all,
> > > > I used the following command to create a USB flash drive installation media
> > > > (with all file sets included):
> > > > # dd if=/location/install56.fs of=/dev/rsd0c bs=1m
> > > > The USB flash drive was created successfully.
> > > > The boot process from the USB was done. However, when we came to installing
> > > > file sets, the following prompt was displayed:
> > > > Location of sets? (disk http or 'done') [http]
> > > > Now, what can I do to direct the installation process to look for the file
> > > > sets in the USB flash drive?
> > > > The documentation says:
> > > > Once the install kernel is booted, you have several options of where to get
> > > > the install file sets:
> > > > CD-ROM, HTTP, Local disk partition, NFS (no mention to USB)
> > > > As advised, I did the following from the shell:
> > > > cd /dev
> > > > sh MAKEDEV sd1
> > > > mkdir /mnt1
> > > > mount /dev/sd1a /mnt1
> > > > But I got the following error:
> > > > Device not configured
> > > > Thank you
> > >
> > > Strange.  I think 'disk' should be among the possible set locations.
> >
> > Oops!  I did not see that 'disk' actually was among the possible set
> > locations.  Have you tried that?
> >
> > >
> > > What kind of machine is this?
> > >
> > > Use the shell for some diagnostics.
> > > Check your dmesg.  Does the install kernel (bsd.rd) detect the flash drive?
> > > Check what sysctl hw.disknames says.
> > >
> > > It seems the USB disk is not detected even though BIOS and boot(8) manages to
> > > boot the kernel.  If so there might be BIOS options that can help e.g
> > > setting the disks to AHCI mode, depending on what kind of machine this is.
> > >
> > > --
> > >
> > > / Raimo Niskanen, Erlang/OTP, Ericsson AB
> >
> > --
> >
> > / Raimo Niskanen, Erlang/OTP, Ericsson AB



Performance Counters

2015-02-18 Thread Sai Prajeeth
Hi,

Is there any command that will let me access the processor's performance
counters?? I am looking for something like Linux's perf / FreeBSDs pmcstat
that will help me get the IPC (Instructions per cycle) of the system.

Thanks



Re: Help needed: pkg_add dropps connections

2015-02-18 Thread David Dahlberg
On Wednesday, 18.02.2015, at 08:46 +0100, Stefan Wollny wrote:

> Only with 'pkg_add' the connection is
> entirely gone and 'pkg_add' subsequently complains about 'No route to
> host'... and only on this particular machine.

Just wildly guessing here: At least on Linux, the kernel will reply "No
route to host" not only if there is no route in the routing table, but
also if it received an ICMP dest unreach, including "admin
prohibited".

Maybe it would be useful to tcpdump the line (maybe add lo0 in case
it's something locally generated) to see if something suspicious is
happening when the connection terminates.

-- 
David Dahlberg 

Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845
Fraunhoferstr. 20, 53343 Wachtberg, Germany| Fax: +49-228-856277



Re: Help needed: pkg_add dropps connections

2015-02-18 Thread Stefan Wollny
On 02/18/15 at 01:40, Nick Holland wrote:
> On 02/17/15 18:59, Stefan Wollny wrote:
> > ftp: connect: No route to host
>
> you need to fix that before you worry about anything.
>
> Once you get THAT fixed, then you can get back to worrying about your
> dropping connections.
>
> Gotta make it before you can drop it.
 


Mmmmh - it may not be related to the issue of this thread, but
/var/log/messages has nothing when the connection is lost. At connect
there are two complaints from avahi-daemon and adsuck:

~ $ date  sh reconnect
Wed Feb 18 11:56:45 CET 2015
ifconfig: SIOCGIFFLAGS: Device not configured
loopback localhostdone
BASE-ADDRESS.MCAST.N link#5   done
::/128   localhostdone
::/128   localhostdone
::127.0.0.0/128  localhostdone
::224.0.0.0/128  localhostdone
::255.0.0.0/128  localhostdone
:::0.0.0.0/128   localhostdone
2002::/128   localhostdone
2002:7f00::/128  localhostdone
2002:e000::/128  localhostdone
2002:ff00::/128  localhostdone
fe80::/128   localhostdone
fec0::/128   localhostdone
ff01::/128   localhostdone
ff02::/128   localhostdone
ifconfig: SIOCSTRUNKPORT: Device busy
ifconfig: SIOCSTRUNKPORT: Device busy
DHCPREQUEST on trunk0 to 255.255.255.255
DHCPREQUEST on trunk0 to 255.255.255.255
DHCPACK from 192.168.178.1 (00:24:fe:31:e3:ea)
bound to 192.168.178.31 -- renewal in 432000 seconds.


~ $ date  tail -f /var/log/messages
Wed Feb 18 11:56:43 CET 2015
[... older stuff omitted .. ]
Feb 18 11:56:45 idefix dhclient[26941]: trunk0 down; exiting
Feb 18 11:56:45 idefix avahi-daemon[12643]: IP_DROP_MEMBERSHIP failed:
Can't assign requested address
Feb 18 11:56:45 idefix adsuck[16092]: can't convert wire packet to struct


I'd like to point out that the connection is lost too when running
'pkg_add' right on the console. And YES - I had tried without adsuck
enabled before.

I had posted it yesterday but here is once more the reconnect-script:
~ $ cat reconnect
#!/bin/sh
sudo /sbin/ifconfig em0 down
sudo /sbin/ifconfig wpi0 down
sudo /sbin/ifconfig rsu0 down
sudo /sbin/ifconfig trunk0 down
sudo /sbin/route flush
sudo sh /etc/netstart



Re: OpenBSD usb cannot be read on Windows

2015-02-18 Thread Priit Kivisoo
> I used the "dd" command to make a bootable USB drive. The USB is 16G. After I
> am done with the installation, I want to use the USB under Windows for other
> purposes. Windows reads only 240 M.
> How can I recover the 16G on the USB?


Reformat it.

Priit



Re: Serial console on Sunix 40XX (PCI)

2015-02-18 Thread Hugo Villeneuve
On Mon, Feb 16, 2015 at 10:50:35AM +0100, Radek wrote:
> I'm trying to set up a serial console. My RS-232 is an old PCI card.
>
> I tried this way:
> boot> set tty com4
>
> /etc/ttys:
> tty00   /usr/libexec/getty std.9600   vt220   on secure
> tty04   /usr/libexec/getty std.9600   vt220   on secure
>
> but can't connect to console and the system doesn't boot.
> What am I doing wrong?

The boot loader is a simplistic program making use of basic CPU
features and BIOS services. It can't access every device like a
fully initialized kernel can.

At startup, the boot loader will probe the available devices it can
make use of. It will look like this:

probing: pc0 com0 apm pci mem[640K 990M a20=on]
disk: hd0+ hd1+*
 OpenBSD/i386 BOOT 3.26

On this computer, I can use com0 or pc0 (display) as a console.
com0 is a standard traditional motherboard serial port.

Look at what your boot loader tells you. Very likely, only a traditional
serial port can be used, not something attached to a puc card.
[Note that boot loader names can be different than kernel device
names.]



Besides that, if you just want a login console on tty04, add the
"local" flag to the /etc/ttys file.

The truth is that there are very few DTE-to-DTE serial cables that
provide the correct signaling to support open on DCD only.

like:

tty04   /usr/libexec/getty std.9600   vt220   on secure local

 
> # dmesg
> OpenBSD 5.6 (GENERIC.MP) #1: Wed Feb 11 11:23:16 CET 2015
> r...@samba56.prac:/usr/src/sys/arch/i386/compile/GENERIC.MP
...
> puc0 at pci4 dev 0 function 0 Sunix 40XX rev 0x01: ports: 1 com
> com4 at puc0 port 0 apic 2 int 16: ti16750, 64 byte fifo
> com4: probed fifo depth: 32 bytes

Your dmesg didn't show traditional serial ports.


Good luck.



Re: netstat output shuffles (new feature?)

2015-02-18 Thread patrick keshishian
On 2/18/15, patrick keshishian pkesh...@gmail.com wrote:
> Hi,
>
> Just installed 2015-FEB-17 amd64 snapshot[1] and at first I thought
> the order of daemon start-up had changed, and for some strange
> reason sshd was started after smtpd, and X?
>
> $ netstat -afinet
> Active Internet connections (including servers)
> Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
> tcp          0      0  *.ssh                  *.*                    LISTEN
> tcp          0      0  *.6000                 *.*                    LISTEN
> tcp          0      0  localhost.smtp         *.*                    LISTEN
> Active Internet connections (including servers)
> Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
> udp          0      0  build.3815             otherbox.ntp
> udp          0      0  *.syslog               *.*
>
>
> Quick look in /etc/rc didn't confirm this.
>
> *shrug*
>
> about 5 minutes later:
>
> $ netstat -afinet
> Active Internet connections (including servers)
> Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
> tcp          0      0  *.6000                 *.*                    LISTEN
> tcp          0      0  localhost.smtp         *.*                    LISTEN
> tcp          0      0  *.ssh                  *.*                    LISTEN
> Active Internet connections (including servers)
> Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
> udp          0      0  build.3815             otherbox.ntp
> udp          0      0  *.syslog               *.*
>
>
> This is what I'm used to seeing. The first processes (based
> on start-up/socket bind time) at the bottom of the list (stack)
> and the newest at the top.
>
> I figured not to bother misc@ about this, but the order
> changed again next time I looked at netstat.
>
> Is this caused by some change in the kernel or netstat?

it is due to new qsort code in netstat.

... so never mind.

I see another difference testing this with nc. but
that would need another topic.

'nite.
--patrick




> Thanks,
> --patrick
>
>
>
> [1] sysctl kern.version
> kern.version=OpenBSD 5.7-beta (GENERIC) #801: Tue Feb 17 12:38:11 MST 2015
> t...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC



Re: OpenBSD usb cannot be read on Windows

2015-02-18 Thread Raimo Niskanen
On Wed, Feb 18, 2015 at 09:37:31AM +, A Y wrote:
> I used the following command under OpenBSD 5.6:
>
> #dd if=/location/install56.fs of=/dev/rsd1c bs=1m
>
> When I try to reformat it under Windows, it formats only 240 M. So is it
> possible to format is under OpenBSD so that I can get the full size (16G)
> back?

Zero out the MBR from OpenBSD.
# dd if=/dev/zero of=/dev/rsd1c bs=512 count=1

Then format it from Windows.

 
> > Date: Wed, 18 Feb 2015 11:17:31 +0200
> > Subject: Re: OpenBSD usb cannot be read on Windows
> > From: pr...@kivisoo.ee
> > To: afyous...@hotmail.com
> > CC: misc@openbsd.org
> >
> > > I used the "dd" command to make a bootable USB drive. The USB is 16G.
> > > After I am done with the installation, I want to use the USB under
> > > Windows for other purposes. Windows reads only 240 M.
> > > How can I recover the 16G on the USB?
> >
> >
> > Reformat it.
> >
> > Priit

-- 

/ Raimo Niskanen, Erlang/OTP, Ericsson AB



Re: OpenBSD usb cannot be read on Windows

2015-02-18 Thread A Y
I used the following command under OpenBSD 5.6:

#dd if=/location/install56.fs of=/dev/rsd1c bs=1m

When I try to reformat it under Windows, it formats only 240 M. So is it
possible to format is under OpenBSD so that I can get the full size (16G)
back?

> Date: Wed, 18 Feb 2015 11:17:31 +0200
> Subject: Re: OpenBSD usb cannot be read on Windows
> From: pr...@kivisoo.ee
> To: afyous...@hotmail.com
> CC: misc@openbsd.org
>
> > I used the "dd" command to make a bootable USB drive. The USB is 16G.
> > After I am done with the installation, I want to use the USB under
> > Windows for other purposes. Windows reads only 240 M.
> > How can I recover the 16G on the USB?
>
>
> Reformat it.
>
> Priit



Re: Installing OpenBSD 5.6 using a USB Flash drive

2015-02-18 Thread Markus Kolb

On 2015-02-17 17:27, A Y wrote:

> dmesg|grep ^.d0 returns only sd0
> sysctl hw.disknames returns sd0 and rd0
>
> my machine is a 10.1 inch netbook Lenovo E10-30 running Intel Celeron N2830
> Dual Core 64 bit. Do you think I should have used amd64 installation instead
> of i386?


Will depend mostly on your available RAM.
i386 is 32 bit.

See https://en.wikipedia.org/wiki/RAM_limit#32-bit_x86_RAM_limit



Re: OpenBSD usb cannot be read on Windows

2015-02-18 Thread Dmitrij D. Czarkoff
Priit Kivisoo said:
> > Windows reads only 240 M.
> > How can I recover the 16G on the USB?
>
> Reformat it.

You will likely need to get rid of mbr partition to reclaim the space.
You can do it with fdisk, dd (dd if=/dev/zero of=/dev/sdNc bs=512 count=1)
or with Windows' Disk Management tool (You can find it in Computer
Management shell).

-- 
Dmitrij D. Czarkoff
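
The two "zero the first sector" replies in this thread, worked through on a scratch image file instead of a device. This is an added example, not part of any post: the partition entry (type 0xA6, 240 MiB), the image size and the function names are constructed for illustration, and it also shows that /dev/null is not a substitute for /dev/zero as a dd source.

```shell
#!/bin/sh
# Added example: works on a scratch image file, never on a device node.

# make_image FILE: build a 1 MiB stand-in for the stick with a constructed MBR.
make_image() {
    dd if=/dev/zero of="$1" bs=512 count=2048 2>/dev/null
    # Partition entry 0 sits at byte 446 (16 bytes): boot flag 0x80, CHS start,
    # type 0xA6 (OpenBSD), CHS end, start LBA 64, length 491520 sectors.
    # 491520 * 512 bytes = 240 MiB, constructed to match the size in the thread.
    printf '\200\000\000\000\246\000\000\000\100\000\000\000\000\200\007\000' |
        dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
    # Boot signature 0x55 0xAA at bytes 510-511 marks the sector as an MBR.
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# mbr_signature FILE: hex of bytes 510-511 ("55aa" on a valid MBR).
mbr_signature() {
    dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# part0_sectors FILE: length of partition 0, a little-endian u32 at byte 458.
part0_sectors() {
    set -- $(dd if="$1" bs=1 skip=458 count=4 2>/dev/null | od -An -tu1)
    echo $(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
}

# part0_mib FILE: the same length in MiB (2048 sectors of 512 bytes per MiB).
part0_mib() {
    echo $(( $(part0_sectors "$1") / 2048 ))
}

# image_bytes FILE: total size, to confirm the wipe touches only sector 0.
image_bytes() {
    wc -c < "$1" | tr -d ' '
}

# wipe_mbr SOURCE FILE: overwrite sector 0 with one 512-byte block from SOURCE.
# conv=notrunc is needed only because FILE is a regular file here.
wipe_mbr() {
    dd if="$1" of="$2" bs=512 count=1 conv=notrunc 2>/dev/null
}

demo() {
    img=$(mktemp) || return 1
    make_image "$img"
    # An OS that trusts this table sees one 240 MiB partition, whatever the
    # real capacity of the medium is.
    echo "after writing the image: sig=$(mbr_signature "$img") part0=$(part0_mib "$img") MiB"
    # /dev/null returns end-of-file at once, so dd copies 0 bytes: nothing changes.
    wipe_mbr /dev/null "$img"
    echo "after if=/dev/null:      sig=$(mbr_signature "$img") part0=$(part0_mib "$img") MiB"
    # /dev/zero supplies 512 zero bytes: table and signature are gone.
    wipe_mbr /dev/zero "$img"
    echo "after if=/dev/zero:      sig=$(mbr_signature "$img") part0=$(part0_mib "$img") MiB"
    echo "image size unchanged:    $(image_bytes "$img") bytes"
    rm -f "$img"
}

demo
```

Before running the real command against a device, confirm the target with `sysctl hw.disknames` and dmesg, as suggested earlier on this page, since the same dd erases the partition table of whatever disk it is pointed at.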



Re: Help needed: pkg_add dropps connections

2015-02-18 Thread Stefan Wollny
On 02/18/15 at 10:19, David Dahlberg wrote:
> On Wednesday, 18.02.2015, at 08:46 +0100, Stefan Wollny wrote:
>
> > Only with 'pkg_add' the connection is
> > entirely gone and 'pkg_add' subsequently complains about 'No route to
> > host'... and only on this particular machine.
>
> Just wildly guessing here: At least on Linux, the kernel will reply "No
> route to host" not only if there is no route in the routing table, but
> also if it received an ICMP dest unreach, including "admin
> prohibited".
>
> Maybe it would be useful to tcpdump the line (maybe add lo0 in case
> it's something locally generated) to see if something suspicious is
> happening when the connection terminates.
 

Hi David,

thank you for your suggestions.

Well - I am just an ordinary OpenBSD-user lacking any knowledge of the
kernel's interna. So I can't really comment on that, except that I have

pass on $ext_if inet proto icmp all icmp-type 8 code 0

in  my pf.conf.

I picked up your suggestion on watching lo0 as well (pflog0 has
nothing!). Here are the last lines before the connection is lost (below
this I post the output of netstat):

Feb 18 11:27:22.550315 127.0.0.1.53  127.0.0.1.7621: 27100 1/0/0 
2a00:15a8:0:100:d91f:5023:0:1 (80)
Feb 18 11:27:22.825300 127.0.0.1.44811  127.0.0.1.53: 43221+ A?
ftp.hostserver.de. (35)
Feb 18 11:27:22.827907 127.0.0.1.53  127.0.0.1.44811: 43221 1/0/0 A
217.31.80.35 (68)
Feb 18 11:27:22.828023 127.0.0.1.34231  127.0.0.1.53: 50848+ ?
ftp.hostserver.de. (35)
Feb 18 11:27:22.831648 127.0.0.1.53  127.0.0.1.34231: 50848 1/0/0 
2a00:15a8:0:100:d91f:5023:0:1 (80)
Feb 18 11:27:23.098915 127.0.0.1.16511  127.0.0.1.53: 8621+ A?
ftp.hostserver.de. (35)
Feb 18 11:27:23.101493 127.0.0.1.53  127.0.0.1.16511: 8621 1/0/0 A
217.31.80.35 (68)
Feb 18 11:27:23.101653 127.0.0.1.46720  127.0.0.1.53: 2234+ ?
ftp.hostserver.de. (35)
Feb 18 11:27:23.105205 127.0.0.1.53  127.0.0.1.46720: 2234 1/0/0 
2a00:15a8:0:100:d91f:5023:0:1 (80)
Feb 18 11:27:23.405236 127.0.0.1.45409  127.0.0.1.53: 4242+ A?
ftp.hostserver.de. (35)
Feb 18 11:27:23.407778 127.0.0.1.53  127.0.0.1.45409: 4242 1/0/0 A
217.31.80.35 (68)
Feb 18 11:27:23.407947 127.0.0.1.16371  127.0.0.1.53: 8430+ ?
ftp.hostserver.de. (35)
Feb 18 11:27:23.411508 127.0.0.1.53  127.0.0.1.16371: 8430 1/0/0 
2a00:15a8:0:100:d91f:5023:0:1 (80)
Feb 18 11:27:23.679032 127.0.0.1.2311  127.0.0.1.53: 25995+ A?
ftp.hostserver.de. (35)
Feb 18 11:27:23.681589 127.0.0.1.53  127.0.0.1.2311: 25995 1/0/0 A
217.31.80.35 (68)
Feb 18 11:27:23.681730 127.0.0.1.37804  127.0.0.1.53: 28055+ ?
ftp.hostserver.de. (35)
Feb 18 11:27:23.685347 127.0.0.1.53  127.0.0.1.37804: 28055 1/0/0 
2a00:15a8:0:100:d91f:5023:0:1 (80)
Feb 18 11:27:24.100921 127.0.0.1.18524  127.0.0.1.53: 55509+ A?
ftp.hostserver.de. (35)
Feb 18 11:27:24.103570 127.0.0.1.53  127.0.0.1.18524: 55509 1/0/0 A
217.31.80.35 (68)
Feb 18 11:27:24.103721 127.0.0.1.36652  127.0.0.1.53: 48339+ ?
ftp.hostserver.de. (35)
Feb 18 11:27:24.107271 127.0.0.1.53  127.0.0.1.36652: 48339 1/0/0 
2a00:15a8:0:100:d91f:5023:0:1 (80)
Feb 18 11:27:24.461192 127.0.0.1.45534  127.0.0.1.53: 8946+ A?
ftp.hostserver.de. (35)
Feb 18 11:27:24.463762 127.0.0.1.53  127.0.0.1.45534: 8946 1/0/0 A
217.31.80.35 (68)
Feb 18 11:27:24.463896 127.0.0.1.13402  127.0.0.1.53: 38619+ ?
ftp.hostserver.de. (35)
Feb 18 11:27:24.467481 127.0.0.1.53  127.0.0.1.13402: 38619 1/0/0 
2a00:15a8:0:100:d91f:5023:0:1 (80)
Feb 18 11:27:25.022575 127.0.0.1.48140  127.0.0.1.53: 44181+ A?
ftp.hostserver.de. (35)
Feb 18 11:27:25.025149 127.0.0.1.53  127.0.0.1.48140: 44181 1/0/0 A
217.31.80.35 (68)
Feb 18 11:27:25.025271 127.0.0.1.46973  127.0.0.1.53: 5352+ ?
ftp.hostserver.de. (35)
Feb 18 11:27:25.028825 127.0.0.1.53  127.0.0.1.46973: 5352 1/0/0 
2a00:15a8:0:100:d91f:5023:0:1 (80)
Feb 18 11:27:42.868652 127.0.0.1.17889  127.0.0.1.53: 46223+ TXT?
current.cvd.clamav.net. (40)
Feb 18 11:27:47.877392 127.0.0.1.21280  127.0.0.1.53: 46223+ TXT?
current.cvd.clamav.net. (40)
Feb 18 11:27:53.384447 127.0.0.1.44956  127.0.0.1.53: 48829+ A?
imap.web.de. (29)
Feb 18 11:27:57.887443 127.0.0.1.8685  127.0.0.1.53: 46223+ TXT?
current.cvd.clamav.net. (40)
Feb 18 11:27:58.387460 127.0.0.1.39806  127.0.0.1.53: 48829+ A?
imap.web.de. (29)
Feb 18 11:27:57.887443 127.0.0.1.8685  127.0.0.1.53: 46223+ TXT?
current.cvd.clamav.net. (40)
Feb 18 11:27:58.387460 127.0.0.1.39806  127.0.0.1.53: 48829+ A?
imap.web.de. (29)
Feb 18 11:28:08.397608 127.0.0.1.24938  127.0.0.1.53: 48829+ A?
imap.web.de. (29)
Feb 18 11:28:12.928554 127.0.0.1.53  127.0.0.1.17889: 46223 NXDomain*-
0/1/0 (147)
Feb 18 11:28:12.928576 127.0.0.1  127.0.0.1: icmp: 127.0.0.1 udp port
17889 unreachable
Feb 18 11:28:17.897755 127.0.0.1.45338  127.0.0.1.53: 46223+ TXT?
current.cvd.clamav.net. (40)
Feb 18 11:28:17.938892 127.0.0.1.53  127.0.0.1.21280: 46223 NXDomain*-
0/1/0 (147)
Feb 18 11:28:17.938915 127.0.0.1  127.0.0.1: icmp: 127.0.0.1 udp port
21280 unreachable
Feb 18 11:28:23.448486 127.0.0.1.53  127.0.0.1.44956: 48829 

Re: current/amd64 on Asus J1800I-C

2015-02-18 Thread Jan Stary
On Feb 04 09:49:59, h...@stare.cz wrote:
 On Jan 11 12:48:09, h...@stare.cz wrote:
  Continuing http://marc.info/?t=14042978995r=1w=2
  with current/amd64.
  
  On Jul 02 12:43:58, h...@stare.cz wrote:
   So I got me this Asus board with an integrated Celeron
   http://www.asus.com/Motherboards/J1800IC/specifications/
   and put 2G of Crucial RAM in it.
  
  On Jul 02 12:56:22, o...@drijf.net wrote:
   http://archives.neohapsis.com/archives/openbsd/2014-05/1637.html
  
  Thanks for the pointer.
  It can boot a kernel built with the following diff:
  
  
  Index: arch/amd64/amd64/lapic.c
  ===
  RCS file: /cvs/src/sys/arch/amd64/amd64/lapic.c,v
  retrieving revision 1.37
  diff -u -p -r1.37 lapic.c
  --- arch/amd64/amd64/lapic.c6 Jan 2015 12:50:47 -   1.37
  +++ arch/amd64/amd64/lapic.c11 Jan 2015 11:12:13 -
  @@ -190,7 +190,7 @@ lapic_set_lvt(void)
  || mpi-cpu_id == ci-ci_apicid)) {
   #ifdef DIAGNOSTIC
  if (mpi-ioapic_pin  1)
  -   panic(lapic_set_lvt: bad pin value %d,
  +   printf(lapic_set_lvt: bad pin value %d\n,
  mpi-ioapic_pin);
   #endif
  if (mpi-ioapic_pin == 0)
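
Review bot: In the DIAGNOSTIC block of lapic_set_lvt(), replacing panic() with printf() means an entry that fails the ioapic_pin range check is only logged and then falls through to the `if (mpi-ioapic_pin == 0)` test after `#endif`, so the code for the non-zero case still runs with the pin value that was just reported as bad. If the intent is to tolerate firmware that reports such a pin, skip the entry explicitly after logging it and add a comment saying why ignoring it is safe. The check also exists only in DIAGNOSTIC kernels, so a kernel built without that option takes the same path with no message at all; that difference deserves a line in the commit message.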
  
 
 With the above diff, I can run OpenBSD on that board (dmesg below).
 The default installation still panics during boot though:
 http://stare.cz/dmesg/asus-J1800IC-lapic-panic.jpg
 http://stare.cz/dmesg/asus-J1800IC-lapic-trace.jpg
 
 Can anyone please elaborate on what exactly is wrong with that board?
 What's a pin value and what does make 72 bad?

With the last amd64 snapshot (dmesg below) it boots OK. Thank you!
Edited highlights of the diff to previous dmesg follow,
previous dmesgs at http://stare.cz/dmesg/ (asus-J1800IC.*)

(1)
I don't know if it's related to the change that made the panic go away,
but among what seems to be garbage in the dmesg(1) output,
this comes right before the OpenBSD line:

  NJ1800IC.CAPWARNING! BIOS Recovery mode has been detected,
  Please put the file  into HDD or a removable USB media device,
  And then reset your computer.
  You can also insert ASUS Support CD to your CD-ROM and reset your computer,
  If you have done these, Please wait a 

(2)
-acpi0: tables DSDT FACP APIC FPDT MCFG LPIT HPET SSDT SSDT SSDT UEFI
+acpi0: tables DSDT FACP APIC FPDT MCFG LPIT HPET SSDT SSDT SSDT UEFI SSDT
Does that mean another ACPI table is now being detected?

(3)
+acpimadt0: bogus nmi for apid 0
I suppose this is another piece of ACPI information being gathered.

(4)
-lapic_set_lvt: bad pin value 72
Oh yeah. Still, how is that pin value not bad anymore?


Please let me know what I can do
to further test/debug this not-entirely-non-problematic HW.

Thanks again!

Jan


OpenBSD 5.7-beta (GENERIC.MP) #856: Tue Feb 17 12:43:12 MST 2015
t...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 912130048 (869MB)
avail mem = 883990528 (843MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xebd60 (43 entries)
bios0: vendor American Megatrends Inc. version 0604 date 06/10/2014
bios0: ASUS All Series
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT MCFG LPIT HPET SSDT SSDT SSDT UEFI SSDT
acpi0: wakeup devices UAR5(S4) UAR8(S4) PS2K(S4) PS2M(S4) UAR1(S4) URIR(S4) XHC1(S4) EHC1(S4) PXSX(S4) PXSX(S4) PXSX(S4) PXSX(S4) PWRB(S0)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) CPU J1800 @ 2.41GHz, 2417.21 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 83MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Celeron(R) CPU J1800 @ 2.41GHz, 2416.67 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS
cpu1: 1MB 64b/line 16-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 87 pins
acpimadt0: bogus nmi for apid 0
acpimadt0: bogus nmi for apid 2
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (RP01)
acpiprt2 at acpi0: bus 2 (RP02)

Re: Help needed: pkg_add dropps connections

2015-02-18 Thread Stefan Wollny
On 02/18/15 at 17:20, Stefan Wollny wrote:

> # pkg_add -ui
> quirks-2.52 signed on 2015-02-17T13:51:20Z
> Error from
> http://ftp.hostserver.de/pub/OpenBSD/snapshots/packages/amd64/adsuck-2.5.0p2.tgz
> ftp: Error retrieving file: 403 Forbidden
> #
>
> *  S U C C E S S  *
> (I don't care for that one file - the connection didn't fail!)
>
> Now we have to figure out how to make that permanent...
 


For the record: Gene gave me a hint on using 'env_keep'. I had to do my
homework first as I never had taken notice of this before 8-)

Long story short: If I am at home where I use the http_proxy, enabling
this in the sudoers file by env_keep makes my day. (Very 'difficult' to
achieve - uncomment one line!).

But if I go without the http_proxy-variable set like e.g. in a hotel the
connection still gets lost. Only difference this time is the error-note
which now says 'no address associated with name' and no longer 'No route
to host'.

Again: A big THANK YOU to you all who helped with your time and knowledge!

Best,
STEFAN



Re: OpenBSD firefox useragent Facebook

2015-02-18 Thread Dmitrij D. Czarkoff
Erling Westenvik said:
> My Windows computers do not have this problem, neither does my laptop
> when it's connected through various gateways.

And what about user-agent from your desktop and laptop?  Do they work?

-- 
Dmitrij D. Czarkoff



Re: OpenBSD firefox useragent Facebook

2015-02-18 Thread trondd
> I've got two workstations and one laptop running
> amd64/current.
> problem, neither does my laptop when it's connected through various
> gateways.

And what do you think your user agent is when you connect through
those other gateways?  ipchicken.com should tell you.

This might have to do with which Facebook CDN node you might be
hitting and DNS caching.



CPU criteria for OpenBSD firewall

2015-02-18 Thread ML mail
Hi,

Stupid question but if you would have to choose between two different Intel 
CPUs for an OpenBSD firewall using 4 to 6 Intel NICs with all /24 networks 
behind and around 50-60 Mbit/s average traffic would you rather choose the CPU 
with higher Frequency and less cores or for a CPU with lower frequency but more 
cores?

For example:

- E5-2630Lv3, 20M Cache, 1.80 GHz, 8 cores: 
http://ark.intel.com/products/83357/Intel-Xeon-Processor-E5-2630L-v3-20M-Cache-1_80-GHz
- E5-2637v3, 15M Cache, 3.50 GHz, 4 cores: 
http://ark.intel.com/products/83358/Intel-Xeon-Processor-E5-2637-v3-15M-Cache-3_50-GHz

Or asked differently, which are the important criteria to look at first for a
CPU intended to be used in an OpenBSD firewall?

Regards
ML



Re: CPU criteria for OpenBSD firewall

2015-02-18 Thread Nick Holland

On 02/18/15 17:30, ML mail wrote:

Hi,

Stupid question but if you would have to choose between two different
Intel CPUs for an OpenBSD firewall using 4 to 6 Intel NICs with all
/24 networks behind and around 50-60 Mbit/s average traffic would you
rather choose the CPU with higher Frequency and less cores or for a
CPU with lower frequency but more cores?

...
actually, I'd ask more useful questions.
Realistically, most modern fast CPUs (let's leave out special cases 
like the Intel Atom, though even that might do it for you) will do the 
job just fine.



 Or asked differently, which are the important criteria to look at
first for a CPU intended to be used in an OpenBSD firewall?


Discussing the merits of a CPU that's 95% idle vs. one that's 90% idle 
really misses a few points.  If I were looking for a box, I'd look at 
more important issues:

(in no particular order.  And your criteria WILL differ from mine)
* How fast a machine boots.
* Availability of repair and upgrade parts
* Low cost, so I can get a second machine and CARP 'em together.
* General usability of the system and support by OpenBSD
* Good bus structure for application
* Well-supported NICs
* Power consumption.
* Quiet
* Simple

The last one probably deserves comment (and should probably be ranked at 
the top of my list): Simple wins out in reliability over complex.  For a 
firewall, I'd rather have two non-RAIDed systems in a CARP setup over 
one machine with multiple power supplies, RAID controllers and other 
fluff that really does nothing for you IN THIS APPLICATION.  If 
something takes your firewall down, you will lose more packets waiting 
for a super server to do its Power-on Self-test than you will because 
your processor is not the latest and greatest or theoretical best. 
I'd rather a couple few-year-old desktops that can reboot in 60 seconds 
over a super-server that spends two minutes showing you the wonderful 
RAID controller you don't care about.


Yes, OpenBSD's filtering and packet moving system uses only one 
processor, so if you are pushing the limits, you will want more 
power-per-core over more cores, but you probably won't be pushing the 
limits.  You will have N-1 cores all but completely idle, and one that 
is not very busy.  On board cache could matter too, but again, all it
will do in your case is reduce the load on the CPU even more, but it 
won't pump any more packets.


Nick.



Re: Help needed: pkg_add dropps connections

2015-02-18 Thread Marc Espie
On Wed, Feb 18, 2015 at 10:27:12AM -0500, Alan Corey wrote:
 This is probably unrelated but I've noticed that the fetching that
 happens with make install in ports seems less robust than it used to
 be.  If my internet provider disconnects or the connection gets reset
 beyond that, it doesn't resume the download.  And I've tried setting
 FETCH_CMD to wget -c, it doesn't help much (in 5.6, that's what I have
 my 5.2 machine set to).
 
 So I do a make install, wait until I've got a working URL, then ctrl-c
 to stop it, copy the url, open another rxvt in the distfiles dir, type
 wget, paste the URL.  wget very rarely fails.
 
 I've got portsql installed and was able to make myself some partial
 fetchlists from that but my query didn't find dependencies of
 dependencies.  A scratch install of 5.6 still took a couple months.

Fetching large subsets of distfiles just works handsomely with dpb -F



Re: OpenBSD firefox useragent Facebook

2015-02-18 Thread Erling Westenvik
On Wed, Feb 18, 2015 at 04:40:04PM +0100, Alexander Salmin wrote:
 Not using facebook but have you checked on another computer? Feels
 like this is not related to OpenBSD.  Anyway, your best choice is
 using developer-tools and trying to identify which requests works and
 which does not.  Maybe you have like me, local DNS-server which blocks
 famous ad-providers IPs or similar in your hosts-file?

It's OpenBSD specific in the sense that it only happens on my OpenBSD
computers. I've got two workstations and one laptop running
amd64/current. The gateway is running unbound, but the problem has
nothing to do with that. My Windows computers do not have this
problem, neither does my laptop when it's connected through various
gateways.

I might try to install 5.6 or 5.5 on some machine just to test. I think
the problem arose sometime between August and November.

Are there some libraries in OpenBSD that are shared between Firefox,
Seamonkey AND Chrome, and which could result in erroneous DOM behavior?

Not that many OpenBSD'ers using FaceBook, eh? *feeling dirty*

 
 On 2015-02-18 15:32:41, Erling Westenvik wrote:
 Not sure if this belongs in @misc or @ports - if any! - but I'll
 give the former a shot.
 
 All below applies to amd64/current-installations of mine.
 
 The last few months, I've been unable to tag other people when
 commenting on Facebook. I've tried resetting Firefox, disabling
 add-ons, deleting old profiles, reinstalling the browser, and even
 doing a fresh install of Firefox on a new OpenBSD installation. All
 to no avail.
 
 I suspect the user agent setting to be the culprit and have tried
 experimenting with various strings. Some of them enable me to tag
 other people, but mess up other things.
 
 Would anyone using Facebook be so kind as to provide me with a
 working user agent string for Firefox (35.0) ?
 
 Thanks,
 
 Erling
 
 PS. Just checked and neither Seamonkey nor Chrome will let me tag
 people in comments. This is getting weird...



Re: Help needed: pkg_add dropps connections

2015-02-18 Thread Stefan Wollny
On 02/18/15 at 17:08, Stuart Henderson wrote:
 On 2015-02-18, Stefan Wollny stefan.wol...@web.de wrote:
 Could mss 1460 be the core of the issue? I have the following:
 
 ~ $ sudo cat /etc/pf.conf | grep mss
 match in all scrub (no-df random-id max-mss 1440)
 
 ~ $ sudo cat /etc/sysctl.conf | grep mss 
 net.inet.tcp.mssdflt=1440
 
 Neither of these make sense on a typical laptop, and they make me
 query what else you might have changed on the system.
 
 What does pfctl -si say?
 
 When you get the no route to host, what does e.g. route -n get
 8.8.8.8 say? (i.e. some host on the internet). Are you able to
 ping your fritzbox or the proxy-server at that time?
 

Hi Stuart,

to answer your question: No, the line is dead - I can't ping anything.

But I just received off-list the suggestion from Gene that the
environment variables might not be passed on to root. I followed
his advice like so:

# export http_proxy=http://192.168.178.23:3128
# export ftp_proxy=http://192.168.178.23:3128
# export PKG_PATH=http://ftp.hostserver.de/pub/OpenBSD/snapshots/packages/amd64/
# print $http_proxy
http://192.168.178.23:3128
# print $ftp_proxy
http://192.168.178.23:3128
# print $PKG_PATH
http://ftp.hostserver.de/pub/OpenBSD/snapshots/packages/amd64/
# pkg_add -ui
quirks-2.52 signed on 2015-02-17T13:51:20Z
Error from
http://ftp.hostserver.de/pub/OpenBSD/snapshots/packages/amd64/adsuck-2.5.0p2.tgz
ftp: Error retrieving file: 403 Forbidden
#

*  S U C C E S S  *
(I don't care for that one file - the connection didn't fail!)

Now we have to figure out how to make that permanent...

At this point already I'd like to THANK YOU all who took some time to
help me!

Best,
STEFAN



Re: Installing OpenBSD 5.6 using a USB Flash drive

2015-02-18 Thread A Y
The machine has 2 M RAM, so I guess, according to the link you provided, I am
ok with i386 even though it is 32 bit and the machine is 64 bit. Am I
correct?

 Date: Wed, 18 Feb 2015 11:43:56 +0100
 From: open...@tower-net.de
 To: misc@openbsd.org
 Subject: Re: Installing OpenBSD 5.6 using a USB Flash drive

 On 2015-02-17 17:27, A Y wrote:
  dmesg|grep ^.d0 returns only sd0
  sysctl hw.disknames returns sd0 and rd0
 
  my machine is a 10.1 inch netbook Lenovo E10-30 running Intel Celeron
  N2830 Dual Core 64 bit. Do you think I should have used amd64
  installation instead of i386?

 Will depend mostly on your available RAM.
 i386 is 32 bit.

 See https://en.wikipedia.org/wiki/RAM_limit#32-bit_x86_RAM_limit



Re: Help needed: pkg_add dropps connections

2015-02-18 Thread Stefan Wollny
On 02/18/15 at 13:51, Marc Espie wrote:
 On Tue, Feb 17, 2015 at 02:44:42PM -0800, Gene wrote:
 quirks-2.52 signed on 2015-02-14T12:43:06Z
 Error from
 http://ftp.hostserver.de/pub/OpenBSD/snapshots/packages/amd64/curl-7.40.0.tgz
 ftp: connect: No route to host

 It's using ftp. I'm not familiar with how package management works with
 OpenBSD, so I don't know if this is a weird quirk of the pkg_add command or
 if he's not setting his package source properly.
 
 pkg_add does not do network connections directly for protocols where ftp(1)
 does know how to deal.
 
 pkg_add, however, closes connections aggressively when it's got the info
 it needs. If, somehow, your ftp setup is broken, then you might overflow
 the server with 100s of connections.
 
 Just do something like:
 
 ftp 
 http://ftp.hostserver.de/pub/OpenBSD/snapshots/packages/amd64/curl-7.40.0.tgz
 
 (manually)
 
 close it halfway thru using ^C. If you don't see the connection being
 terminated properly, then you don't need to look further. That's your
 whole issue.
 
 or do it on something larger like
 http://ftp.hostserver.de/pub/OpenBSD/snapshots/packages/amd64/texlive_base-2013p3.tgz
 
 so that you have time to abort before the whole transfer is finished.
 


OK: To rule out any implications I disabled the http-proxy in my
.profile first.

I checked for
- ftp ftp://...
- ftp http://...

Both connections were terminated after 95 seconds (according to pftop)
after closing with ^C.

Now with http-proxy-variable being unset I gave 'pkg_add' another try:

With 145 open connections the connection to the internet was lost.



OpenBSD firefox useragent Facebook

2015-02-18 Thread Erling Westenvik
Not sure if this belongs in @misc or @ports - if any! - but I'll give
the former a shot.

All below applies to amd64/current-installations of mine.

The last few months, I've been unable to tag other people when
commenting on Facebook. I've tried resetting Firefox, disabling add-ons,
deleting old profiles, reinstalling the browser, and even doing a fresh
install of Firefox on a new OpenBSD installation. All to no avail.

I suspect the user agent setting to be the culprit and have tried
experimenting with various strings. Some of them enable me to tag other
people, but mess up other things.

Would anyone using Facebook be so kind as to provide me with a working
user agent string for Firefox (35.0) ?

Thanks,

Erling

PS. Just checked and neither Seamonkey nor Chrome will let me tag people
in comments. This is getting weird...



Re: Help needed: pkg_add dropps connections

2015-02-18 Thread Stefan Wollny
On 02/18/15 at 15:07, Marc Espie wrote:
 On Wed, Feb 18, 2015 at 02:32:39PM +0100, Stefan Wollny wrote:
 I checked for
 - ftp ftp://...
 - ftp http://...

 Both connections were terminated after 95 seconds (according to pftop)
 after closing with ^C.
 
 Now with http-proxy-variable being unset I gave 'pkg_add' another try:
 
 closing should be synchronous with the ^C giving you back the shell prompt.
 
 If it waits for 95 seconds, your network setup is fucked up.
 

My mistake: Bad wording...
The shell-prompt is back within 2~3 seconds. In a second xterm I had
pftop running showing me that the connection was closed after the '95
seconds' I mentioned.

Maybe I should change the SSD to another one and test with a fresh
installation...



Re: OpenBSD usb cannot be read on Windows

2015-02-18 Thread A Y
Jan, thank you very much for the tool. It is great. I got my 16 G back.

 Date: Wed, 18 Feb 2015 11:26:44 +0100
 From: ja...@volny.cz
 To: afyous...@hotmail.com
 Subject: Re: OpenBSD usb cannot be read on Windows

 Hi AY,

 you can use HP Storage format tool on Windows, that restores the full
 capacity.


http://download.cnet.com/HP-USB-Disk-Storage-Format-Tool/3000-2094_4-10974082.html

 Jan



 On Wed, Feb 18, 2015 at 09:37:31AM +, A Y wrote:
  I used the following command under OpenBSD 5.6:
 
  #dd if=/location/install56.fs of=/dev/rsd1c bs=1m
 
  When I try to reformat it under Windows, it formats only 240 M. So is it
  possible to format it under OpenBSD so that I can get the full size (16G)
  back?
 
   Date: Wed, 18 Feb 2015 11:17:31 +0200
   Subject: Re: OpenBSD usb cannot be read on Windows
   From: pr...@kivisoo.ee
   To: afyous...@hotmail.com
   CC: misc@openbsd.org
  
I used the "dd" command to make a bootable USB drive. The USB is 16G.
After I am done with the installation, I want to use the USB under
Windows for other purposes. Windows reads only 240 M.
How can I recover the 16G on the USB?
   
   
   Reformat it.
  
   Priit
 

 --
 Be the change you want to see in the world.



Re: Help needed: pkg_add dropps connections

2015-02-18 Thread Stefan Wollny
On 02/18/15 at 12:09, Stefan Wollny wrote:
 On 02/18/15 at 01:40, Nick Holland wrote:
 On 02/17/15 18:59, Stefan Wollny wrote:
 ftp: connect: No route to host

 you need to fix that before you worry about anything.

 Once you get THAT fixed, then you can get back to worrying about your
 dropping connections.

 Gotta make it before you can drop it.

 
 
 Mmmmh - it may not be related to the issue of this thread, but
 /var/log/messages has nothing when the connection is lost. At connect
 there are two complaints from avahi-daemon and adsuck:
 
 ~ $ date  sh reconnect
 Wed Feb 18 11:56:45 CET 2015
 ifconfig: SIOCGIFFLAGS: Device not configured
 loopback localhostdone
 BASE-ADDRESS.MCAST.N link#5   done
 ::/128   localhostdone
 ::/128   localhostdone
 ::127.0.0.0/128  localhostdone
 ::224.0.0.0/128  localhostdone
 ::255.0.0.0/128  localhostdone
 :::0.0.0.0/128   localhostdone
 2002::/128   localhostdone
 2002:7f00::/128  localhostdone
 2002:e000::/128  localhostdone
 2002:ff00::/128  localhostdone
 fe80::/128   localhostdone
 fec0::/128   localhostdone
 ff01::/128   localhostdone
 ff02::/128   localhostdone
 ifconfig: SIOCSTRUNKPORT: Device busy
 ifconfig: SIOCSTRUNKPORT: Device busy
 DHCPREQUEST on trunk0 to 255.255.255.255
 DHCPREQUEST on trunk0 to 255.255.255.255
 DHCPACK from 192.168.178.1 (00:24:fe:31:e3:ea)
 bound to 192.168.178.31 -- renewal in 432000 seconds.
 
 
 ~ $ date  tail -f /var/log/messages
 Wed Feb 18 11:56:43 CET 2015
 [... older stuff omitted .. ]
 Feb 18 11:56:45 idefix dhclient[26941]: trunk0 down; exiting
 Feb 18 11:56:45 idefix avahi-daemon[12643]: IP_DROP_MEMBERSHIP failed:
 Can't assign requested address
 Feb 18 11:56:45 idefix adsuck[16092]: can't convert wire packet to struct
 
 
 I'd like to point out that the connection is lost too when running
 'pkg_add' right on the console. And YES - I had tried without adsuck
 enabled before.
 
 I had posted it yesterday but here is once more the reconnect-script:
 ~ $ cat reconnect
 #!/bin/sh
 sudo /sbin/ifconfig em0 down
 sudo /sbin/ifconfig wpi0 down
 sudo /sbin/ifconfig rsu0 down
 sudo /sbin/ifconfig trunk0 down
 sudo /sbin/route flush
 sudo sh /etc/netstart
 

OK - I changed pf.conf to log on all allowed connections. Here are the
last lines from 'tcpdump -nettti pflog0' before the connection is lost:

Feb 18 12:28:09.752328 rule 20/(match) pass out on trunk0:
192.168.178.31.26112 > 217.31.80.35.80: S 2557329514:2557329514(0) win
16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp
965690760[|tcp]> (DF)
Feb 18 12:28:10.063647 rule 20/(match) pass out on trunk0:
192.168.178.31.11874 > 217.31.80.35.80: S 264716856:264716856(0) win
16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp
2436088594[|tcp]> (DF)
Feb 18 12:28:10.376068 rule 20/(match) pass out on trunk0:
192.168.178.31.30104 > 217.31.80.35.80: S 2435427941:2435427941(0) win
16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp
47943579[|tcp]> (DF)
Feb 18 12:28:10.655702 rule 20/(match) pass out on trunk0:
192.168.178.31.40737 > 217.31.80.35.80: S 2432567211:2432567211(0) win
16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp
1107182930[|tcp]> (DF)
Feb 18 12:28:10.930614 rule 20/(match) pass out on trunk0:
192.168.178.31.41772 > 217.31.80.35.80: S 1999637066:1999637066(0) win
16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp
2831739904[|tcp]> (DF)
Feb 18 12:28:12.941274 rule 20/(match) pass out on trunk0:
192.168.178.31.41934 > 217.31.80.35.80: S 1637879660:1637879660(0) win
16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp
2522921076[|tcp]> (DF)
Feb 18 12:28:13.274194 rule 20/(match) pass out on trunk0:
192.168.178.31.15493 > 217.31.80.35.80: S 3826414152:3826414152(0) win
16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp
1932273166[|tcp]> (DF)
Feb 18 12:28:13.563635 rule 20/(match) pass out on trunk0:
192.168.178.31.12790 > 217.31.80.35.80: S 1899274144:1899274144(0) win
16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp
771850913[|tcp]> (DF)
Feb 18 12:28:13.894579 rule 20/(match) pass out on trunk0:
192.168.178.31.34868 > 217.31.80.35.80: S 220640463:220640463(0) win
16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp
1280756876[|tcp]> (DF)
Feb 18 12:28:14.069995 rule 20/(match) pass out on trunk0:
192.168.178.31.20335 > 217.31.80.35.80: S 726036165:726036165(0) win
16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp
391830302[|tcp]> (DF)
Feb 18 12:28:14.349303 rule 20/(match) pass out on trunk0:
192.168.178.31.2050 > 217.31.80.35.80: S 2533225330:2533225330(0) win
16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp
3452245743[|tcp]> (DF)
Feb 18 12:28:14.696570 rule 20/(match) pass out on trunk0:
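
The pflog capture in the message above shows a run of state-creating SYNs to one web server within a few seconds, and elsewhere in this thread pkg_add is reported to open well over 100 connections before the link drops. As an added example (not code from the thread or from OpenBSD), this Python script re-joins mail-wrapped `tcpdump -nettti pflog0` records and reports, per destination, the total and the peak number of new outbound connections in a sliding window; the sample lines, the documentation addresses and the 5-second/10-connection thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# A record starts with the "-ttt" timestamp, e.g. "Feb 18 12:28:09.752328".
TS_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d\.\d+ ")
REC_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d\.\d+) "
    r"rule (?P<rule>\S+)/\((?P<reason>\w+)\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+)(?P<rest>.*)$"
)

def join_records(text):
    """Re-assemble wrapped records; text before the first timestamp is dropped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line):
            records.append(line)            # new record
        elif records:
            records[-1] += " " + line       # continuation of the previous one
    return records

def parse_record(record):
    """Return a dict for one pflog record, or None if it does not parse."""
    m = REC_RE.match(record)
    if m is None:
        return None
    # The year is not logged; pin a leap year so "Feb 29" still parses.
    when = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S.%f")
    dst_host, _, dst_port = m["dst"].rpartition(".")   # tcpdump prints ip.port
    syn = (re.fullmatch(r"[SFPRWE.]+", m["flags"]) is not None
           and "S" in m["flags"] and " ack " not in m["rest"])
    return {"when": when, "action": m["action"], "dir": m["dir"],
            "dst": (dst_host, dst_port), "syn": syn}

def outbound_syns(text):
    """(time, destination) for every passed outbound SYN in the capture."""
    # With a plain "log" rule pf logs only the packet that creates the state,
    # so each passed SYN here stands for one new state table entry.
    events = []
    for record in join_records(text):
        p = parse_record(record)
        if p and p["action"] == "pass" and p["dir"] == "out" and p["syn"]:
            events.append((p["when"], p["dst"]))
    return events

def peak_per_destination(events, window_s):
    """Map destination -> (total SYNs, most SYNs inside any window_s span)."""
    by_dst = defaultdict(list)
    for when, dst in events:
        by_dst[dst].append(when)
    window = timedelta(seconds=window_s)
    stats = {}
    for dst, times in by_dst.items():
        times.sort()
        recent, peak = deque(), 0
        for t in times:
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        stats[dst] = (len(times), peak)
    return stats

def find_bursts(text, window_s=5.0, threshold=10):
    """Destinations that received >= threshold new connections in window_s."""
    stats = peak_per_destination(outbound_syns(text), window_s)
    return sorted((dst, total, peak) for dst, (total, peak) in stats.items()
                  if peak >= threshold)

def constructed_sample():
    """Constructed capture: a 12-connection burst, wrapped like the mail."""
    start = datetime(2000, 2, 18, 12, 28, 9)
    lines = ["tcpdump: listening on pflog0, link-type PFLOG"]
    for i in range(12):
        ts = (start + timedelta(seconds=0.3 * i)).strftime("%b %d %H:%M:%S.%f")
        lines += [
            f"{ts} rule 20/(match) pass out on trunk0:",
            f"192.0.2.31.{20000 + i} > 198.51.100.35.80: S 1000:1000(0) win",
            "16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp",
            "965690760[|tcp]> (DF)",
        ]
    lines += [   # slow traffic and an inbound block, both below the threshold
        "Feb 18 12:28:00.000000 rule 20/(match) pass out on trunk0: "
        "192.0.2.31.30001 > 203.0.113.7.443: S 1:1(0) win 16384 (DF)",
        "Feb 18 12:29:00.000000 rule 20/(match) pass out on trunk0: "
        "192.0.2.31.30002 > 203.0.113.7.443: S 2:2(0) win 16384 (DF)",
        "Feb 18 12:28:10.000000 rule 3/(match) block in on trunk0: "
        "203.0.113.9.4444 > 192.0.2.31.22: S 3:3(0) win 1024",
    ]
    return "\n".join(lines)

if __name__ == "__main__":
    for (host, port), total, peak in find_bursts(constructed_sample()):
        print(f"{host}:{port} total={total} peak={peak} within 5 s")
```
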

Re: Serial console on Sunix 40XX (PCI)

2015-02-18 Thread Radek
I set comaddr: 

machine comaddr 0xdf00/0x0020
set tty com4 

but I only got some kind of trash on my console output 
(ŃuBÓZ6ÁÂ$őďNŚO%âăÔkşľŚÚĄy). 

I replaced my PCIcard with other one: 

# pcidump -v
4:0:0: NetMos Nm9835
0x: Vendor ID: 9710 Product ID: 9835
0x0004: Command: 0001 Status: 0280
0x0008: Class: 07 Subclass: 80 Interface: 00 Revision: 01
0x000c: BIST: 00 Header Type: 00 Latency Timer: 20 Cache Line Size: 10
0x0010: BAR io addr: 0xdf00/0x0008
0x0014: BAR io addr: 0xde00/0x0008
0x0018: BAR io addr: 0xdd00/0x0008
0x001c: BAR io addr: 0xdc00/0x0008
0x0020: BAR io addr: 0xdb00/0x0008
0x0024: BAR io addr: 0xda00/0x0010
0x0028: Cardbus CIS: 
0x002c: Subsystem Vendor ID: 1000 Product ID: 0012
0x0030: Expansion ROM Base Address: 
0x0038: 
0x003c: Interrupt Pin: 01 Line: 0c Min Gnt: 00 Max Lat: 00

# cat /etc/boot.conf
machine comaddr 0xdf00/0x0008
set tty com4

# dmesg
pci4 at ppb3 bus 4
puc0 at pci4 dev 0 function 0 NetMos Nm9835 rev 0x01: ports: 2 com, 1 lpt
com4 at puc0 port 0 apic 2 int 16: ns16550a, 16 byte fifo
com4: console
com5 at puc0 port 1 apic 2 int 16: ns16550a, 16 byte fifo
lpt3 at puc0 port 2 apic 2 int 16

My serial console works well now. Thanks!


On Mon, 16 Feb 2015 10:23:25 -0800
Mike Larkin mlar...@azathoth.net wrote:

 man boot
 
 search for 'comaddr'. You probably need to set that up.
 
 Also, the bootloader may not understand the 16750.
 
 -ml
 
 
 On Mon, Feb 16, 2015 at 10:50:35AM +0100, Radek wrote:
  I'm trying to setup a serial console. My RS-232 is an old PCIcard. 
  
  I tried this way:
  boot set tty com4
  
  /etc/ttys:
  tty00   /usr/libexec/getty std.9600   vt220   on secure
  tty04   /usr/libexec/getty std.9600   vt220   on secure
  
  but can't connect to console and the system doesn't boot. 
  What am I doing wrong?
  
  

Re: Packet integrity error (600 bytes remaining)

2015-02-18 Thread Otto Moerbeek
On Wed, Feb 18, 2015 at 01:34:48PM +0100, Jan Stary wrote:

 I just updated my ASUS J1800I-C to the latest amd64 snapshot,
 and can no longer connect to it via ssh from my Thinkpad T400.
 The error message is
 
   Packet integrity error (600 bytes remaining) at 
 /usr/src/usr.bin/ssh/ssh/../clientloop.c:2097
   Disconnecting: Packet integrity error.
 
 It is always 600 bytes.
 The full output of ssh -vv is below.
 Note that this happens after a successful authentication via key.
 
 I ssh'd like that without problems minutes before I upgraded the ASUS to the 
 amd64 snapshot.
 I can connect now from the source Thinkpad to anywhere else without problems.
 I can connect now to the target ASUS from anywhere else without problems.
 I can connect now the other way round, from the ASUS to the Thinkpad.
 
 Needless to say, nothing has changed on my home network.
 Both machines are connected to the same switch,
 and are on the same network (192.168.111.0/24).
 
 Both dmesgs below; the target machine (ASUS) is the latest amd64 snapshot,
 the Thinkpad is a Tuesday Feb 10 amd64 snapshot. Is it crazy to think
 that this particular combination of client and server is somehow broken?
 I thought I would just report this before I upgrade the Thinkpad too.
 
   Jan

This is known, there has been a window where the ssh client was
broken. Upgrade your ssh client to -current or use -oUpdateHostkeys=no
as a workaround.

-Otto

 
 

Re: The CDs have signatures, too

2015-02-18 Thread Joel Rees
On Wed, Feb 18, 2015 at 1:17 AM, Christian Weisgerber
na...@mips.inka.de wrote:
 Remember, the official OpenBSD CDs carry signatures, too.

And we need to keep copies of those out-of-band. Printed copy and old
CDs where they won't get thrown away -- it's a good reason to buy the
CDs now instead of later.

Periodically save/print out a copy of the cvs mirror page, too.

 https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf

 | The attacks that use physical media (CD-ROMs) are particularly
 | interesting because they indicate the use of a technique known as
 | interdiction, where the attackers intercept shipped goods and
 | replace them with Trojanized versions.
 |
 | One such incident involved targeting participants at a scientific
 | conference in Houston. Upon returning home, some of the participants
 | received by mail a copy of the conference proceedings, together
 | with a slideshow including various conference materials. The
 | [compromised ?] CD-ROM used autorun.inf to execute an installer
 | that began by attempting to escalate privileges using two known
 | EQUATION group exploits. Next, it attempted to run the group's
 | DOUBLEFANTASY implant and install it onto the victim's machine. The
 | exact method by which these CDs were interdicted is unknown. We do
 | not believe the conference organizers did this on purpose. At the
 | same time, the super-rare DOUBLEFANTASY malware, together with its
 | installer with two zero-day exploits, don't end up on a CD by
 | accident.
 |
 | Another example is a Trojanized Oracle installation CD that contains
 | an EQUATIONLASER Trojan dropper alongside the Oracle installer.

 (Page 15.)

 --
 Christian naddy Weisgerber  na...@mips.inka.de




-- 
Joel Rees

Be careful when you look at conspiracy.
Look first in your own heart,
and ask yourself if you are not your own worst enemy.
Arm yourself with knowledge of yourself, as well.



Re: Help needed: pkg_add dropps connections

2015-02-18 Thread Marc Espie
On Tue, Feb 17, 2015 at 03:15:14PM +0100, Stefan Wollny wrote:
 Hello!
 
 I'd like to pick up an issue that is bugging me for some time now:
 Whenever I run 'pkg_add -ui' my connection gets terminated soon,
 reliably at the latest once packages starting with g are checked. I
 suspect it is in my pf.conf but it is not obvious to me.
 
 My system: Lenovo T60 running amd64-current. Below I provide the
 obligatory dmesg, pf.conf, rc.conf.local and sysctl.conf.
 
 Checking what is going on with 'pftop' I noticed that 'pkg_add' opens up
 hundreds of connections, all with state 'TIME_WAIT:TIME_WAIT' or
 'FIN_WAIT_2:FIN_WAIT_2'. Once around 100 such states are established the
 connection will be dropped soon. I've tried ftp.hostserver.de,
 openbsd.cs.fau.de and ftp.openbsd.org - all show the same behaviour.
 E.g. PKG_PATH is set in my .profile like so:
 PKG_PATH=http://ftp.hostserver.de/pub/OpenBSD/snapshots/packages/amd64/

All those connections get closed by pkg_add.  If you don't see them closing
in your pf log, you need to figure out why.



Re: Help needed: pkg_add dropps connections

2015-02-18 Thread Marc Espie
On Wed, Feb 18, 2015 at 02:32:39PM +0100, Stefan Wollny wrote:
 I checked for
 - ftp ftp://...
 - ftp http://...
 
 Both connections were terminated after 95 seconds (according to pftop)
 after closing with ^C.

 Now with http-proxy-variable being unset I gave 'pkg_add' another try:

closing should be synchronous with the ^C giving you back the shell prompt.

If it waits for 95 seconds, your network setup is fucked up.



Packet integrity error (600 bytes remaining)

2015-02-18 Thread Jan Stary
I just updated my ASUS J1800I-C to the latest amd64 snapshot,
and can no longer connect to it via ssh from my Thinkpad T400.
The error message is

  Packet integrity error (600 bytes remaining) at 
/usr/src/usr.bin/ssh/ssh/../clientloop.c:2097
  Disconnecting: Packet integrity error.

It is always 600 bytes.
The full output of ssh -vv is below.
Note that this happens after a successful authentication via key.

I ssh'd like that without problems minutes before I upgraded the ASUS to the 
amd64 snapshot.
I can connect now from the source Thinkpad to anywhere else without problems.
I can connect now to the target ASUS from anywhere else without problems.
I can connect now the other way round, from the ASUS to the Thinkpad.

Needless to say, nothing has changed on my home network.
Both machines are connected to the same switch,
and are on the same network (192.168.111.0/24).

Both dmesgs below; the target machine (ASUS) is the latest amd64 snapshot,
the Thinkpad is a Tuesday Feb 10 amd64 snapshot. Is it crazy to think
that this particular combination of client and server is somehow broken?
I thought I would just report this before I upgrade the Thinkpad too.

Jan


hans@lenovo:~$ ssh -vv media
OpenSSH_6.7, LibreSSL 2.1
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to media [192.168.111.8] port 22.
debug1: Connection established.
debug1: identity file /home/hans/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/hans/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/hans/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/hans/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/hans/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/hans/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/hans/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/hans/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7
debug1: match: OpenSSH_6.7 pat OpenSSH* compat 0x0400
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ssh-ed25519,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit: umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-...@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-...@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

Re: Help needed: pkg_add dropps connections

2015-02-18 Thread Marc Espie
On Tue, Feb 17, 2015 at 02:44:42PM -0800, Gene wrote:
 quirks-2.52 signed on 2015-02-14T12:43:06Z
 Error from
 http://ftp.hostserver.de/pub/OpenBSD/snapshots/packages/amd64/curl-7.40.0.tgz
 ftp: connect: No route to host
 
 It's using ftp. I'm not familiar with how package management works with
 OpenBSD, so I don't know if this is a weird quirk of the pkg_add command or
 if he's not setting his package source properly.

pkg_add does not do network connections directly for protocols where ftp(1)
does know how to deal.

pkg_add, however, closes connections aggressively when it's got the info
it needs. If, somehow, your ftp setup is broken, then you might overflow
the server with 100s of connections.

Just do something like:

ftp http://ftp.hostserver.de/pub/OpenBSD/snapshots/packages/amd64/curl-7.40.0.tgz

(manually)

close it halfway thru using ^C. If you don't see the connection being terminated
properly, then you don't need to look further. That's your whole issue.

or do it on something larger like
http://ftp.hostserver.de/pub/OpenBSD/snapshots/packages/amd64/texlive_base-2013p3.tgz

so that you have time to abort before the whole transfer is finished.



Re: Help needed: pkg_add dropps connections

2015-02-18 Thread Alexander Salmin
Have you also tried without the proxy?


On 2015-02-18 13:47:26, Marc Espie wrote:
 On Tue, Feb 17, 2015 at 03:15:14PM +0100, Stefan Wollny wrote:
  Hello!
  
  I'd like to pick up an issue that is bugging me for some time now:
  Whenever I run 'pkg_add -ui' my connection gets terminated soon,
  reliably at the latest once packages starting with g are checked. I
  suspect it is in my pf.conf but it is not obvious to me.
  
  My system: Lenovo T60 running amd64-current. Below I provide the
  obligatory dmesg, pf.conf, rc.conf.local and sysctl.conf.
  
  Checking what is going on with 'pftop' I noticed that 'pkg_add' opens up
  hundreds of connections, all with state 'TIME_WAIT:TIME_WAIT' or
  'FIN_WAIT_2:FIN_WAIT_2'. Once around 100 such states are established the
  connection will be dropped soon. I've tried ftp.hostserver.de,
  openbsd.cs.fau.de and ftp.openbsd.org - all show the same behaviour.
  E.g. PKG_PATH is set in my .profile like so:
  PKG_PATH=http://ftp.hostserver.de/pub/OpenBSD/snapshots/packages/amd64/
 
 All those connections get closed by pkg_add.  If you don't see them closing
 in your pf log, you need to figure out why.



Re: Help needed: pkg_add dropps connections

2015-02-18 Thread Marc Espie
On Tue, Feb 17, 2015 at 06:10:37PM -0500, Nick Holland wrote:
 it's using the ftp(1) FTP client, which (in OpenBSD) does a wonderful job of
 fetching things via the HTTP protocol as well as the FTP protocol.
 
 now, he says it is blowing up after around 100 states.  Sounds like his
 firewall/proxy/whatever is limiting the state count per station.
 Goodness knows this works very well usually, so it's something different
 between his system and mine...and I'm putting my money on his firewall or
 proxy.

Now, pkg_add has a whole lot of magic to limit the number of active connections
to a given site down to ONE single active connection at any given time.

*however* it *does* close connections abruptly, just closing the fd connected
to ftp(1), and letting it die.

*If* those connections are not dropped properly (having to do with the machine
setup), *then* you will end up with 100s of unterminated connections...
which at some point is going to overflow the machine, of course.


This has nothing to do with ftp://  , which is another can of trouble entirely.
Aggressive NATs tend to break ftp, as any big package will have a DATA 
connection active for long, and will tend to terminate the CTRL connection
early, unless the NAT knows about ftp (which is why ftp proxies are a good
idea, and which is why I implemented the ftp-level keep-alive hack, which
actually sends NOP commands vryyy slowly on the CTRL connection while the 
DATA connection is going on, to avoid this drop).  

Again, there CAN be an issue with closing ftp connections early, as
those depend on telnet urgent signaling mechanisms, which tend to be bungled
by a lot of proxies (hey, why read the RFC when we can do a FUCKED UP UNTESTED
JOB OF writing TESTOSTERONE laden shit ?)

As for http, well, there was some hope in using HTTP 1.1 to not terminate
the connection. Unfortunately, most http servers screwed the pooch by
being vulnerable to Byte-Range attacks (yeah, no-one learnt from the TCP
fragmentation attacks from 15 years ago. But you know, man, http is all
shiny and new, and the new generation doesn't even care about the lower
layers as long as they've got their shiny JSON and node.js, and go/rust
shitz)... so direct http 1.1 usage from pkg_add never went beyond the
planning stage, as most http servers out there will just terminate http
1.1 connections early in a fairly random way).

TL;DR:  you got to fix your network setup so you can abort partial fetches
thru ftp(1) without any dangling network state remaining after the ^C. That's
what's screwed in that specific situation.
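
Added example, not part of the thread and not pkg_add's own code: one way to check for the dangling state described above is to abort a fetch with ^C and then tally the `pfctl -ss` entries for the mirror's port by state pair. The sample lines and addresses are constructed, the function names are hypothetical, and the parsing assumes IPv4 outbound (`->`) entries.

```shell
#!/bin/sh
# Tally pf state-table entries per TCP state pair for one destination port.
# Input is `pfctl -ss` output on stdin, assumed to look like:
#   all tcp SRC:PORT -> DST:PORT       STATE:STATE
# Real use (as root):  pfctl -ss | tally_states 80

# Constructed sample; the addresses are documentation ranges, not from the thread.
sample_states() {
cat <<'EOF'
all tcp 192.0.2.10:51001 -> 198.51.100.7:80       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:51002 -> 198.51.100.7:80       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.0.2.10:51003 -> 198.51.100.7:80       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.0.2.10:51004 -> 198.51.100.7:80       TIME_WAIT:TIME_WAIT
all tcp 192.0.2.10:51005 -> 198.51.100.7:80       TIME_WAIT:TIME_WAIT
all tcp 192.0.2.10:51006 -> 198.51.100.7:80       TIME_WAIT:TIME_WAIT
all tcp 192.0.2.10:40022 -> 198.51.100.9:22       ESTABLISHED:ESTABLISHED
all udp 192.0.2.10:3815 -> 198.51.100.1:123       MULTIPLE:SINGLE
EOF
}

# tally_states PORT: print "COUNT STATE:STATE" lines, largest count first.
tally_states() {
    awk -v port="$1" '
        $2 == "tcp" && $4 == "->" {
            n = split($5, a, ":")          # destination is ADDR:PORT
            if (a[n] == port) count[$NF]++ # last field is the state pair
        }
        END { for (s in count) print count[s], s }
    ' | sort -k1,1nr -k2,2
}

# lingering_states PORT: number of states to PORT that are not ESTABLISHED,
# i.e. connections already closed by one or both ends but still in the table.
lingering_states() {
    awk -v port="$1" '
        $2 == "tcp" && $4 == "->" {
            n = split($5, a, ":")
            if (a[n] == port && $NF != "ESTABLISHED:ESTABLISHED") c++
        }
        END { print c + 0 }
    '
}

# Stand-alone run on the constructed sample.
sample_states | tally_states 80
```

A lingering count that keeps growing while `pkg_add -ui` runs matches the pftop observation in the original report.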



Re: Packet integrity error (600 bytes remaining)

2015-02-18 Thread Jan Stary
  Both dmesgs below; the target machine (ASUS) is the latest amd64 snapshot,
  the Thinkpad is a Tuesday Feb 10 amd64 snapshot. Is it crazy to think
  that this particular combination of client and server is somehow broken?
  I thought I would just report this before I upgrade the Thinkpad too.
  
 This is known, there has been a window where the ssh client was
 broken. Upgrade your ssh client to -current or use -oUpdateHostkeys=no
 as a workaround.

Yes, upgrading the client to current/amd64 as well solved it. Thanks.

Jan



Re: Help needed: pkg_add dropps connections

2015-02-18 Thread Stefan Wollny
On 02/18/15 at 16:27, Alan Corey wrote:
 This is probably unrelated but I've noticed that the fetching that
 happens with make install in ports seems less robust than it used to
 be.  If my internet provider disconnects or the connection gets reset
 beyond that, it doesn't resume the download.  And I've tried setting
 FETCH_CMD to wget -c, it doesn't help much (in 5.6, that's what I have
 my 5.2 machine set to).
 
 So I do a make install, wait until I've got a working URL, then ctrl-c
 to stop it, copy the url, open another rxvt in the distfiles dir, type
 wget, paste the URL.  wget very rarely fails.
 
 I've got portsql installed and was able to make myself some partial
 fetchlists from that but my query didn't find dependencies of
 dependencies.  A scratch install of 5.6 still took a couple months.
 
 On 2/18/15, owner-m...@openbsd.org owner-m...@openbsd.org wrote:
 chopped many K
 Credit is the root of all evil.  - AB1JX
 


Oh dear ... a couple of months for a scratch install??? Why don't you
just take the CD from the shelf? I'd rather stay with stable than
fiddling for months.

You see - reconnecting 10~15 times while pkg_add -ui updates my installed
packages is a major annoyance, but actually I am done on a slow
hotel-WLAN within 3~4 hours. It can be achieved if there is s.th.
interesting on TV. At home with a modest fast line I am done within 30
minutes or so and my system runs with the latest current-amd64.

What bothers me most is that I just can't figure out _why_ the
connection gets lost...



Re: Help needed: pkg_add dropps connections

2015-02-18 Thread Stefan Wollny
On 02/18/15 at 15:16, Stefan Wollny wrote:
 On 02/18/15 at 15:07, Marc Espie wrote:
 On Wed, Feb 18, 2015 at 02:32:39PM +0100, Stefan Wollny wrote:
 I checked for
 - ftp ftp://...
 - ftp http://...

 Both connections were terminated after 95 seconds (according to pftop)
 after closing with ^C.

 Now with http-proxy-variable being unset I gave 'pkg_add' another try:

 closing should be synchronous with the ^C giving you back the shell prompt.

 If it waits for 95 seconds, your network setup is fucked up.

 
 My mistake: Bad wording...
 The shell-prompt is back within 2~3 seconds. In a second xterm I had
 pftop running showing me that the connection was closed after the '95
 seconds' I mentioned.
 
 Maybe I should change the SSD to another one and test with a fresh
 installation...
 

Just as a follow up: Before setting up a fresh system I did another test
(actually again) without adsuck enabled:

Long story short: Still the connection gets dropped running 'pkg_add -ui'



Re: Help needed: pkg_add dropps connections

2015-02-18 Thread Stuart Henderson
On 2015-02-18, Stefan Wollny stefan.wol...@web.de wrote:
 Could mss 1460 be the core of the issue? I have the following:

 ~ $ sudo cat /etc/pf.conf | grep mss
 match in all scrub (no-df random-id max-mss 1440)

 ~ $ sudo cat /etc/sysctl.conf | grep mss
 net.inet.tcp.mssdflt=1440

Neither of these makes sense on a typical laptop, and they make me query
what else you might have changed on the system.

What does pfctl -si say?

When you get the no route to host, what does e.g. route -n get 8.8.8.8
say? (i.e. some host on the internet). Are you able to ping your fritzbox or
the proxy-server at that time?



Re: OpenBSD firefox useragent Facebook

2015-02-18 Thread Alexander Salmin
Not using Facebook, but have you checked on another computer? Feels like this is 
not related to OpenBSD.
Anyway, your best choice is using developer tools and trying to identify which 
requests work and which do not.
Maybe you have, like me, a local DNS server which blocks famous ad providers' IPs, 
or similar in your hosts file?

On 2015-02-18 15:32:41, Erling Westenvik wrote:
 Not sure if this belongs in @misc or @ports - if any! - but I'll give
 the former a shot.
 
 All below applies to amd64/current-installations of mine.
 
 The last few months, I've been unable to tag other people when
 commenting on Facebook. I've tried resetting Firefox, disabling add-ons,
 deleting old profiles, reinstalling the browser, and even doing a fresh
 install of Firefox on a new OpenBSD installation. All to no avail.
 
 I suspect the user agent setting to be the culprit and have tried
 experimenting with various strings. Some of them enable me to tag other
 people, but messes up other things.
 
 Would anyone using Facebook be so kind as to provide me with a working
 user agent string for Firefox (35.0) ?
 
 Thanks,
 
 Erling
 
 PS. Just checked and neither Seamonkey nor Chrome will let me tag people
 in comments. This is getting weird...



Re: Help needed: pkg_add dropps connections

2015-02-18 Thread Alan Corey
This is probably unrelated but I've noticed that the fetching that
happens with make install in ports seems less robust than it used to
be.  If my internet provider disconnects or the connection gets reset
beyond that, it doesn't resume the download.  And I've tried setting
FETCH_CMD to wget -c, it doesn't help much (in 5.6, that's what I have
my 5.2 machine set to).

So I do a make install, wait until I've got a working URL, then ctrl-c
to stop it, copy the url, open another rxvt in the distfiles dir, type
wget, paste the URL.  wget very rarely fails.

I've got portsql installed and was able to make myself some partial
fetchlists from that but my query didn't find dependencies of
dependencies.  A scratch install of 5.6 still took a couple months.

On 2/18/15, owner-m...@openbsd.org owner-m...@openbsd.org wrote:
chopped many K
Credit is the root of all evil.  - AB1JX



Re: Installing OpenBSD 5.6 using a USB Flash drive

2015-02-18 Thread Alexander Hall
On February 18, 2015 11:43:56 AM CET, Markus Kolb open...@tower-net.de wrote:
Am 2015-02-17 17:27, schrieb A Y:
 dmesg|grep ^.d0 returns only sd0
 sysctl hw.disknames returns sd0 and rd0
 
 my machine is a 10.1 inch netbook Lenovo E10-30 running Intel Celeron
 N2830 Dual Core 64 bit. Do you think I should have used amd64 installation
 instead of i386?

Will depend mostly on your available RAM.
i386 is 32 bit.

Either way, I see no reason not to run amd64 on that processor.

/Alexander 


See https://en.wikipedia.org/wiki/RAM_limit#32-bit_x86_RAM_limit



Re: CPU criteria for OpenBSD firewall

2015-02-18 Thread Alexander Salmin
I might start a flame now but the higher freq and fewer core model is the 
better choice unless your firewall will do other things than packet filtering 
and routing.

On 2015-02-18 22:30:31, ML mail wrote:
 Hi,
 
 Stupid question but if you would have to choose between two different Intel 
 CPUs for an OpenBSD firewall using 4 to 6 Intel NICs with all /24 networks 
 behind and around 50-60 Mbit/s average traffic would you rather choose the 
 CPU with higher Frequency and less cores or for a CPU with lower frequency 
 but more cores?
 
 For example:
 
 - E5-2630Lv3, 20M Cache, 1.80 GHz, 8 cores: 
 http://ark.intel.com/products/83357/Intel-Xeon-Processor-E5-2630L-v3-20M-Cache-1_80-GHz
 - E5-2637v3, 15M Cache, 3.50 GHz, 4 cores: 
 http://ark.intel.com/products/83358/Intel-Xeon-Processor-E5-2637-v3-15M-Cache-3_50-GHz
 
 Or asked differently, which are the important criteria to look at first for 
 a CPU intended to be used in an OpenBSD firewall?
 
 Regards
 ML



Re: CPU criteria for OpenBSD firewall

2015-02-18 Thread Gene
To expand on Alexander's point, look at the FAQ:

http://www.openbsd.org/faq/pf/perf.html

If you aren't doing a lot of filtering, just passing traffic over multiple
interfaces, more cores might be beneficial.

-Eugene

On Wed, Feb 18, 2015 at 2:50 PM, Alexander Salmin alexan...@salmin.biz
wrote:

 I might start a flame now but the higher freq and fewer core model is the
 better choice unless your firewall will do other things than
 packet filtering and routing.

 On 2015-02-18 22:30:31, ML mail wrote:
  Hi,
 
  Stupid question but if you would have to choose between two different
 Intel CPUs for an OpenBSD firewall using 4 to 6 Intel NICs with all /24
 networks behind and around 50-60 Mbit/s average traffic would you rather
 choose the CPU with higher Frequency and less cores or for a CPU with lower
 frequency but more cores?
 
  For example:
 
  - E5-2630Lv3, 20M Cache, 1.80 GHz, 8 cores:
 http://ark.intel.com/products/83357/Intel-Xeon-Processor-E5-2630L-v3-20M-Cache-1_80-GHz
  - E5-2637v3, 15M Cache, 3.50 GHz, 4 cores:
 
 http://ark.intel.com/products/83358/Intel-Xeon-Processor-E5-2637-v3-15M-Cache-3_50-GHz
 
  Or asked differently, which are the important criteria to look at first
 for a CPU intended to be used in an OpenBSD firewall?
 
  Regards
  ML



Re: CPU criteria for OpenBSD firewall

2015-02-18 Thread Giancarlo Razzolini
On 19-02-2015 01:12, Eric Furman wrote:
 A firewall should be a firewall. Period.
 It's your first line of defense against attack.
 Each and every additional thing you run on it just
 makes it that much more vulnerable to attack.
Of course it does. But since not all of us have the budget for this kind
of setup, I believe this trade-off is an acceptable one, if you
understand the risks. Also, there are some things you can't do if you
run the services on a separate machine such as divert(4).

Cheers,
Giancarlo Razzolini



Re: CPU criteria for OpenBSD firewall

2015-02-18 Thread Eric Furman
On Wed, Feb 18, 2015, at 07:54 PM, Giancarlo Razzolini wrote:
 On 18-02-2015 20:30, ML mail wrote:
  Stupid question but if you would have to choose between two different Intel 
  CPUs for an OpenBSD firewall using 4 to 6 Intel NICs with all /24 networks 
  behind and around 50-60 Mbit/s average traffic would you rather choose the 
  CPU with higher Frequency and less cores or for a CPU with lower frequency 
  but more cores?
 This question isn't stupid at all. And the answer is probably entirely
 based on your setup. I do have a similar system, but with less average
 traffic, 10MB/s, and one 6-port intel card. In my setup, having the
 lower frequency, more cores is better, because my firewall isn't used
 just for PF. If you're gonna use your OpenBSD firewall for other
 processes such as, proxy, dns server, web server, dhcp server, it won't
 hurt to have more cores.

A firewall should be a firewall. Period.
It's your first line of defense against attack.
Each and every additional thing you run on it just
makes it that much more vulnerable to attack.



Re: CPU criteria for OpenBSD firewall

2015-02-18 Thread Giancarlo Razzolini
On 18-02-2015 20:30, ML mail wrote:
 Stupid question but if you would have to choose between two different Intel 
 CPUs for an OpenBSD firewall using 4 to 6 Intel NICs with all /24 networks 
 behind and around 50-60 Mbit/s average traffic would you rather choose the 
 CPU with higher Frequency and less cores or for a CPU with lower frequency 
 but more cores?
This question isn't stupid at all. And the answer is probably entirely
based on your setup. I do have a similar system, but with less average
traffic, 10MB/s, and one 6-port intel card. In my setup, having the
lower frequency, more cores is better, because my firewall isn't used
just for PF. If you're gonna use your OpenBSD firewall for other
processes such as, proxy, dns server, web server, dhcp server, it won't
hurt to have more cores.

Cheers,
Giancarlo Razzolini



Re: CPU criteria for OpenBSD firewall

2015-02-18 Thread System Administrator
On 18 Feb 2015 at 15:18, Gene wrote:

 To expand on Alexander's point, look at the FAQ:
 
 http://www.openbsd.org/faq/pf/perf.html
 
 If you aren't doing a lot of filtering, just passing traffic over
 multiple interfaces, more cores might be beneficial.
 
 -Eugene

Actually, at this time and the near future, passing traffic (i.e. the 
kernel network stack) happens entirely on CPU0. The network gurus *are* 
working on making the network layer multiprocessor capable, but my 
impression from watching the tech@ list is that this goal is still some 
ways off. At the present time, only userland applications can and do 
make use of the additional CPU cores.

So to quote the old-timers on this list -- only the OP can determine 
the characteristics of the specific workload and firewall configuration. 
But unless that firewall includes many CPU-intensive proxies, it will 
most likely perform best with fewer yet faster cores.

-Jacob.

 
 On Wed, Feb 18, 2015 at 2:50 PM, Alexander Salmin alexan...@salmin.biz
 wrote:
 
  I might start a flame now but the higher freq and fewer core model is
  the better choice unless your firewall will do other things than
  packet filtering and routing.
 
  On 2015-02-18 22:30:31, ML mail wrote:
   Hi,
  
   Stupid question but if you would have to choose between two
   different
  Intel CPUs for an OpenBSD firewall using 4 to 6 Intel NICs with all
  /24 networks behind and around 50-60 Mbit/s average traffic would you
  rather choose the CPU with higher Frequency and less cores or for a
  CPU with lower frequency but more cores?
  
   For example:
  
   - E5-2630Lv3, 20M Cache, 1.80 GHz, 8 cores:
  http://ark.intel.com/products/83357/Intel-Xeon-Processor-E5-2630L-v3-20M-Cache-1_80-GHz
   - E5-2637v3, 15M Cache, 3.50 GHz, 4 cores:
  
  http://ark.intel.com/products/83358/Intel-Xeon-Processor-E5-2637-v3-15M-Cache-3_50-GHz
  
   Or asked differently, which are the important criteria to look at
   first
  for a CPU intended to be used in an OpenBSD firewall?
  
   Regards
   ML