Re: Writing "ones" instead of "zeroes" when wiping disk

[Todd C. Miller]

On Thu, 11 Jan 2018 22:09:32 -0500, "trondd" wrote:

> A 1 is too narrow to fully cover the original data.

You need to use an 8 to wipe out all seven segments.

 - todd

Re: Writing "ones" instead of "zeroes" when wiping disk

[Nick Holland]

On 01/11/18 09:45, Andreas Thulin wrote:
> Hi!
> 
> Again, an ignorant question (as usual):
> 
> How might I do something similar to
> 
> # dd if=/dev/one of=/dev/sd0 bs=1M
> 
> as a complement to the usual and well-described
> 
> # dd if=/dev/zero of=/dev/sd0 bs=1M
> 
> followed by
> 
> # dd if=/dev/urandom of=/dev/sd0 bs=1M
> 
> in order to achieve paranoid disk-wiping?

Another answer to your question might be to change those zeros to ones.
One way to do that:

# tr "\0" "\377" 

Re: Writing "ones" instead of "zeroes" when wiping disk

[trondd]

On Thu, January 11, 2018 5:12 pm, worik wrote:
> On 12/01/18 11:09, Jan Stary wrote:
>> On Jan 11 14:45:21, andreasthu...@gmail.com wrote:
>>> in order to achieve paranoid disk-wiping?
>> Ones are not nearly as secure as zeros.
>>
> Why not?Â
 Is it not arbitrary?
>

A 1 is too narrow to fully cover the original data.

FYI: logitech mouse LED color tool

[Jan Klemkow]

Hi,

I implemented a utility to set the LED color of Logitech mouse devices
on OpenBSD.  Some people might also use this mouse and would like to
change the LED color.

If you are interested just try it: https://github.com/younix/g403led

I just tested it with the "G403 Prodigy Gaming Mouse" model.  If it also
work for other models, let me know.

Any feedback is welcome.

bye,
Jan

After a failed checksum: What options remain?

[Charlie Eddy]

Hello,

Privateinternetaccess.org supplies secure VPNs. Their Windows installer
(v75) has a SHA256 result that does not match what is supplied on their
website.

Fucking terrible "security" solution, is it not?

As a prospective user of OpenBSD, I would hope that this never occurs, and
that free software would fulfill its promises. I am considering switching
to OpenBSD, but am afraid that I will be overcome by the difficulty of
learning Linux commands. I am not incompetent and willing to read code and
manpages, just timid, about this "big change."

As part of considering OpenBSD adoption, I am extremely focused on
security. However, trivial and fundamental issues are difficult to work
around.

My conclusion that the privateinternetaccess.org security solution is
terrible is not necessarily well-founded. The checksum could be modified
for these reasons:

- file was messed with in transit to me
- incompetent administrators did not update the checksum when they updated
the file

I suspect the latter, and unless my support ticket currently opened with
Private Internet Access is resolved to my satisfaction I will be forced to
use a free software solution. I am patient, but intolerant of stupidity.
The determination remains to be made.

GNUPG is my first step towards a cryptographically secure future. However,
in downloading it, I am confronted by a serious problem. They state the
following:

Comparing Checksums
If you are not able to use an old version of GnuPG, you can still verify
the file's SHA-1 checksum. This is less secure, because if someone modified
the files as they were transferred to you, it would not be much more effort
to modify the checksums that you see on this webpage. As such, if you use
this method, you should compare the checksums with those in release
announcement. This is sent to the gnupg-announce mailing list (among
others), which is widely mirrored. Don't use the mailing list archive on
this website, but find the announcement on several other websites and make
sure the checksum is consistent. This makes it more difficult for an
attacker to trick you into installing a modified version of the software.

As a result, I obtained an SSL/TLS server test to determine whether they
would be exposed to MITM despite their https:// prefix due to no
implementation of HSTS.

GNUPG is HSTSecure. Private Internet Access is not, another flaw in their
system.

However, the classic Orwellian security problem cannot be solved in this
case. The serious problem is that HSTS does not prevent a first-time user
from being MitM'd when they visit the site, and I may have been attacked
every single time. I have not yet verified the SHA1 sum in the archives --
are they correctly in stating that this is the best method?

How can I positively verify an OpenBSD install is secure? How can
implementing secure processes begin? Do I need to write my own checker from
scratch to know that things are operating properly? That's a joke, but it's
not that funny, is it?

If a user on a compromised device installs an operating system with
privilege separation, pledges could still be meaningless. What is the
correct way to wear a tinfoil hat?

Regards

Re: Writing "ones" instead of "zeroes" when wiping disk

[worik]

On 12/01/18 11:09, Jan Stary wrote:
> On Jan 11 14:45:21, andreasthu...@gmail.com wrote:
>> Hi!
>>
>> Again, an ignorant question (as usual):
>>
>> How might I do something similar to
>>
>> # dd if=/dev/one of=/dev/sd0 bs=1M
>>
>> as a complement to the usual and well-described
>>
>> # dd if=/dev/zero of=/dev/sd0 bs=1M
>>
>> followed by
>>
>> # dd if=/dev/urandom of=/dev/sd0 bs=1M
>>
>> in order to achieve paranoid disk-wiping?
> Ones are not nearly as secure as zeros.
>
Why not?  Is it not arbitrary?

Worik

-- 
  If not me then who?  If not now then when?  If not here then where?
So, here I stand, I can do no other
  r...@worik.org 021-1680650, (03) 4821804 Aotearoa (New Zealand)

Re: Options for dealing with DES crypt password file

[Thomas Bohl]

> Are there any workarounds for me using the old DES password hashes, or do we 
> need to 'passwd ' for hundreds of users?
> 

You could give John the Ripper a try.

Re: [cwm] Can't move snaped window

[Ve Telko]

I experienced satori :) Thank you master.

11.01.2018, 20:06, "Julien Steinhauser" :
> Ve Telko  wrote:
>
>>  Hello all,
>
> Hello
>
>>  window in cwm -current snapped to screen edge can not be moved using
>>  keyboard shortcuts. Is this a feature or bug? :)
>
> What about a moveamount bigger than the snapdist ?
>
> --
> Julien

Re: Writing "ones" instead of "zeroes" when wiping disk

[Jan Stary]

On Jan 11 14:45:21, andreasthu...@gmail.com wrote:
> Hi!
> 
> Again, an ignorant question (as usual):
> 
> How might I do something similar to
> 
> # dd if=/dev/one of=/dev/sd0 bs=1M
> 
> as a complement to the usual and well-described
> 
> # dd if=/dev/zero of=/dev/sd0 bs=1M
> 
> followed by
> 
> # dd if=/dev/urandom of=/dev/sd0 bs=1M
> 
> in order to achieve paranoid disk-wiping?

Ones are not nearly as secure as zeros.

Re: Options for dealing with DES crypt password file

[Jeff Zimmerman]

I appreciate the suggestion but yeah, LDAP is totally overkill here. There's 
really only this one server that needs access to the auth info in the passwd 
file, so LDAP wouldn't really help me.

Re: Options for dealing with DES crypt password file

[Eric Furman]

On Thu, Jan 11, 2018, at 3:42 PM, Consus wrote:
> On 18:27 Thu 11 Jan, Jeff Zimmerman wrote:
> > I've got an old server (OpenBSD 4.7 old) with a mixed bag of password
> > hashes in master.passwd. A majority of the passwords (hundreds) are
> > old salted DES crypt format.
> > 
> > Am I correct in my research that everything but Blowfish was removed
> > from crypt() around OpenBSD 5.7? Are there any workarounds for me
> > using the old DES password hashes, or do we need to 'passwd '
> > for hundreds of users?
> 
> Use LDAP already.
> 

We don't really know his situation.
LDAP could be major overkill...

Re: Writing "ones" instead of "zeroes" when wiping disk

[Andrew]

On 01/11/18 14:45, Andreas Thulin wrote:

Hi!

Again, an ignorant question (as usual):

How might I do something similar to

# dd if=/dev/one of=/dev/sd0 bs=1M

as a complement to the usual and well-described

# dd if=/dev/zero of=/dev/sd0 bs=1M

followed by


Personally, given your premise of "paran0id disk-wiping", then I would
take the next step of checking if a non-random sequence of "0"s are
still on the device. Are you ready for that rabbit h0le ?? hehehe ;-)


# dd if=/dev/urandom of=/dev/sd0 bs=1M

in order to achieve paranoid disk-wiping?

BR
Andreas

Re: Performance issues as KVM guest?

[Kirill Miazine]

* Kent Watsen [2018-01-11 17:38]:
[...]
> > > Since my hosting provider https://www.bytemark.co.uk/cloud-hosting/
> > > patched for Meltdown last weekend I'm seeing significant performance
> > > issues with an OpenBSD virtual instance there. It seems okay after a
> > > fresh reboot but then progressively returns to being very slow: for
> > > example "sleep 1" may take four seconds, then five, six, seven, then
> > > rather more. Curiously it does tend to be an integral multiplier.
> > > 
> > > I wondered, is anybody else seeing significant performance problems with
> > > OpenBSD (or other BSDs) virtual instances since Meltdown patching? Is
> > > there anything to tweak at my end or am I reliant on the provider?
> > > 
> > > -- Mark
> > > 
> > There are a ton of threads talking about this issue, and it's not meltdown
> > specific. Please search the archives.
> > 
> > -ml
> > 
[...]
> Also, Mark, could you say some more about the issue.  For instance, how long
> after a reboot does it take until you start to notice the issue, and how
> quickly does it get worse?

I'm another customer of Bytemark experiencing the same issue. I'm taking
care of one VM there and I'm primarly noticing it in two situations:
sleep() takes a long time (e.g. sleep(1) might take up to 40 seconds)
and the clock slows down.

Right now, 9 hours after reboot, the clock on VM is 3 hours behind real
clock. And sleep(1) takes 13 secs:

km@buildfarm ~ $ time sleep 1
0m13.85s real 0m00.00s user 0m00.01s system

This all started after the host was patched and VM rebooted.

Bytemark guys are looking at the issue and doing their own debugging.
Here're findings so far:

I spun a few OpenBSD VMs up and left them overnight - looks like the
clock isn't drifting but there's still the 'time sleep 1' issue.
My testing results seemed to concur with User_4574's, virtio was slowing
down only a few minutes after a fresh install whereas compatibility
would stick at 1s, jump to 2s, etc. 
   
> 
> Thanks,
> Kent
> 

-- 
-- Kirill Miazine 

Re: Options for dealing with DES crypt password file

[Consus]

On 18:27 Thu 11 Jan, Jeff Zimmerman wrote:
> I've got an old server (OpenBSD 4.7 old) with a mixed bag of password
> hashes in master.passwd. A majority of the passwords (hundreds) are
> old salted DES crypt format.
> 
> Am I correct in my research that everything but Blowfish was removed
> from crypt() around OpenBSD 5.7? Are there any workarounds for me
> using the old DES password hashes, or do we need to 'passwd '
> for hundreds of users?

Use LDAP already.

Re: Writing "ones" instead of "zeroes" when wiping disk

[x9p]

On Thu, January 11, 2018 3:16 pm, L. V. Lammert wrote:
> On Thu, 11 Jan 2018, STeve Andre' wrote:
>
>> Don't bother.   Wiping the disk twice is enough.   If you are storing state
>> secrets melt the disk.
>>
> An anvil big hammer also works well and gives some exercise in the
> process.
>
>   Lee
>
>

+1 to big hammer. boys are changing disk firmware nowadays... go figure...

cheers.

--
x9p | PGP : 0x03B50AF5EA4C8D80 / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 
E7EE

"I don't know where I'm going from here, but I promise it won't be boring." - 
David Bowie

Re: [cwm] Can't move snaped window

[Julien Steinhauser]

Ve Telko  wrote:

> 
> Hello all,
> 

Hello

> window in cwm -current snapped to screen edge can not be moved using
> keyboard shortcuts. Is this a feature or bug? :)

What about a moveamount bigger than the snapdist ?

--
Julien

Re: Options for dealing with DES crypt password file

[Jeff Zimmerman]

I completely understand. The running chainsaw analogy is pretty accurate here. 
OpenBSD is as secure as it is because you all remove as many chainsaws as 
possible. We needed to update those hashes anyway someday. I just wasn't 
expecting that day to be today.


Thanks again!


From: Theo de Raadt 
Sent: Thursday, January 11, 2018 12:49:33 PM
To: Jeff Zimmerman
Cc: misc@openbsd.org
Subject: Re: Options for dealing with DES crypt password file

> I was hoping that there was some hidden switch somewhere that would turn
> the classic crypt back on. No such luck.

That'd be like leaving a running chainsaw on the floor at a daycare center.

When something is dangerous, we get rid of it.

Re: Options for dealing with DES crypt password file

[Theo de Raadt]

> I was hoping that there was some hidden switch somewhere that would turn 
> the classic crypt back on. No such luck.

That'd be like leaving a running chainsaw on the floor at a daycare center.

When something is dangerous, we get rid of it.

Re: Options for dealing with DES crypt password file

[Jeff Zimmerman]

I know, I'm ashamed to say that yes, this machine has been running (behind a 
restrictive firewall) for all of these years.


I was hoping that there was some hidden switch somewhere that would turn the 
classic crypt back on. No such luck.


But thank you for the quick response. I've been using OpenBSD for a lot of 
years and really appreciate your efforts Theo, and the efforts of everyone 
associated with the project.


From: Theo de Raadt 
Sent: Thursday, January 11, 2018 12:29:59 PM
To: Jeff Zimmerman
Cc: misc@openbsd.org
Subject: Re: Options for dealing with DES crypt password file

> I've got an old server (OpenBSD 4.7 old) with a mixed bag of password hashes
> in master.passwd. A majority of the passwords (hundreds) are old salted
> DES crypt format.

bummer

> Am I correct in my research that everything but Blowfish was removed from
> crypt() around OpenBSD 5.7? Are there any workarounds for me using the old
> DES password hashes, or do we need to 'passwd ' for hundreds of users?

There are no workarounds.  The hashes cannot be reversed to make new
passwords, and the legacy methods are removed intentionally because they
are super weak

You been running that on the internet?  the shame!

Re: firefox-esr and icedtea-web

[mk]

Apologize the noise. Just for the record:


Firefox limits NPAPI support (technology required for Java applets)

64-bit Firefox

The 64-bit version of Firefox does not support NPAPI plug-ins, 
including

Java.

Firefox 52 and above

Beginning with Firefox 52 (released March 2017), plug-in support is
limited to Adobe Flash, and drops support for NPAPI, impacting plugins
for Java, Silverlight, and other similar NPAPI based plugins.

Re: Options for dealing with DES crypt password file

[Theo de Raadt]

> I've got an old server (OpenBSD 4.7 old) with a mixed bag of password hashes
> in master.passwd. A majority of the passwords (hundreds) are old salted
> DES crypt format.

bummer

> Am I correct in my research that everything but Blowfish was removed from
> crypt() around OpenBSD 5.7? Are there any workarounds for me using the old
> DES password hashes, or do we need to 'passwd ' for hundreds of users?

There are no workarounds.  The hashes cannot be reversed to make new
passwords, and the legacy methods are removed intentionally because they
are super weak

You been running that on the internet?  the shame!

Options for dealing with DES crypt password file

[Jeff Zimmerman]

I've got an old server (OpenBSD 4.7 old) with a mixed bag of password hashes in 
master.passwd. A majority of the passwords (hundreds) are old salted DES crypt 
format.


Am I correct in my research that everything but Blowfish was removed from 
crypt() around OpenBSD 5.7? Are there any workarounds for me using the old DES 
password hashes, or do we need to 'passwd ' for hundreds of users?

Re: Performance issues as KVM guest?

[Todd C. Miller]

This sounds like the same issue as was described here:
https://marc.info/?l=openbsd-bugs=151430928212450=2

 - todd

Re: Writing "ones" instead of "zeroes" when wiping disk

[Raul Miller]

On Thu, Jan 11, 2018 at 12:16 PM, L. V. Lammert  wrote:
> On Thu, 11 Jan 2018, STeve Andre' wrote:
>
>> Don't bother.   Wiping the disk twice is enough.   If you are storing state
>> secrets melt the disk.
>>
> An anvil big hammer also works well and gives some exercise in the
> process.

Might be more secure to sell it to Hollywood, as a movie script.
They'll change it beyond recognition.

-- 
Raul

Re: Performance issues as KVM guest?

[Mike Larkin]

On Thu, Jan 11, 2018 at 05:38:18PM +, Kent Watsen wrote:
> On 1/10/18 1:53 PM, Mike Larkin wrote:
> > On Wed, Jan 10, 2018 at 03:51:19PM +, Mark Carroll wrote:
> > > Since my hosting provider https://www.bytemark.co.uk/cloud-hosting/
> > > patched for Meltdown last weekend I'm seeing significant performance
> > > issues with an OpenBSD virtual instance there. It seems okay after a
> > > fresh reboot but then progressively returns to being very slow: for
> > > example "sleep 1" may take four seconds, then five, six, seven, then
> > > rather more. Curiously it does tend to be an integral multiplier.
> > > 
> > > I wondered, is anybody else seeing significant performance problems with
> > > OpenBSD (or other BSDs) virtual instances since Meltdown patching? Is
> > > there anything to tweak at my end or am I reliant on the provider?
> > > 
> > > -- Mark
> > > 
> > There are a ton of threads talking about this issue, and it's not meltdown
> > specific. Please search the archives.
> > 
> > -ml
> > 
> 
> Really? I just searched the last two years of list email for subject lines
> having substrings "virt", "kvm", "perf", and "slow", and didn't see anything
> on this specific issue.   Can you provide a link, or the name of the thread,
> or some keywords?
> 
> Also, Mark, could you say some more about the issue.  For instance, how long
> after a reboot does it take until you start to notice the issue, and how
> quickly does it get worse?
> 
> Thanks,
> Kent
> 

IIRC several of the threads referred to proxmox.

Re: Writing "ones" instead of "zeroes" when wiping disk

[L. V. Lammert]

On Thu, 11 Jan 2018, STeve Andre' wrote:

> Don't bother.   Wiping the disk twice is enough.   If you are storing state
> secrets melt the disk.
>
An anvil big hammer also works well and gives some exercise in the
process.

Lee

[cwm] Can't move snaped window

[Ve Telko]

Hello all,

window in cwm -current snapped to screen edge can not be moved using
keyboard shortcuts. Is this a feature or bug? :)

Thanks, Ve.

Re: Performance issues as KVM guest?

[Kent Watsen]

On 1/10/18 1:53 PM, Mike Larkin wrote:

On Wed, Jan 10, 2018 at 03:51:19PM +, Mark Carroll wrote:

Since my hosting provider https://www.bytemark.co.uk/cloud-hosting/
patched for Meltdown last weekend I'm seeing significant performance
issues with an OpenBSD virtual instance there. It seems okay after a
fresh reboot but then progressively returns to being very slow: for
example "sleep 1" may take four seconds, then five, six, seven, then
rather more. Curiously it does tend to be an integral multiplier.

I wondered, is anybody else seeing significant performance problems with
OpenBSD (or other BSDs) virtual instances since Meltdown patching? Is
there anything to tweak at my end or am I reliant on the provider?

-- Mark


There are a ton of threads talking about this issue, and it's not meltdown
specific. Please search the archives.

-ml



Really? I just searched the last two years of list email for subject 
lines having substrings "virt", "kvm", "perf", and "slow", and didn't 
see anything on this specific issue.   Can you provide a link, or the 
name of the thread, or some keywords?


Also, Mark, could you say some more about the issue.  For instance, how 
long after a reboot does it take until you start to notice the issue, 
and how quickly does it get worse?


Thanks,
Kent

Re: Writing "ones" instead of "zeroes" when wiping disk

[STeve Andre']

Don't bother.   Wiping the disk twice is enough.   If you are storing state 
secrets melt the disk.


Back in the days of sub 1G disks it might have been possible to get inter 
track gap data that was usable. Maybe.  But not multi T disks.


Sectors mapped out are a problem though, and multiple writes aren't going 
to touch those.  If you encrypt the disk I question how much value a few 
encrypted sectors would be to anyone.


Worry far more over lost usb sticks or portable usb disks.  That's a far 
bigger problem.


STeve Andre'


Sent with AquaMail for Android
http://www.aqua-mail.com


On January 11, 2018 9:46:25 AM Andreas Thulin  wrote:


Hi!

Again, an ignorant question (as usual):

How might I do something similar to

# dd if=/dev/one of=/dev/sd0 bs=1M

as a complement to the usual and well-described

# dd if=/dev/zero of=/dev/sd0 bs=1M

followed by

# dd if=/dev/urandom of=/dev/sd0 bs=1M

in order to achieve paranoid disk-wiping?

BR
Andreas

Re: Writing "ones" instead of "zeroes" when wiping disk

[Base Pr1me]

You can adapt my linux bash script for such pointlessly "paranoid"
purposes. I use it to prove to HIPAA auditors just how paranoid I can be,
and it's above NIST requirements in the US.

https://github.com/spoollord/shredder

Would require you to pkg_add pv base64. Or, just adapt the script without
those.

On Thu, Jan 11, 2018 at 8:26 AM, Ingo Schwarze  wrote:

> Hi Andreas,
>
> Andreas Thulin wrote on Thu, Jan 11, 2018 at 02:45:21PM +:
>
> > Again, an ignorant question (as usual):
> > How might I do something similar to
> > # dd if=/dev/one of=/dev/sd0 bs=1M
>
>   jot -cs '' 512 255 255
>
> writes 512 bytes with all bits set.  Feel free to use larger numbers
> than 512.  For large numbers, this is certainly slower than dd
> because it uses an explicit loop with some conditionals and one
> printf(3) for each byte.
>
>   perl -e 'print "\xff"x512'
>
> may be faster.  If i needed maximum speed, i'd probably write a two-line
> C program.
>
>   while true; do echo -n "\0377"; done
>
> works for the purist, but will hardly be fast.
>
> Btw., you are asking for "Hello World!", kind of.
> It may be hard to find a program that can't solve your task...  ;)
>
> > as a complement to the usual and well-described
> > # dd if=/dev/zero of=/dev/sd0 bs=1M
> > followed by
> > # dd if=/dev/urandom of=/dev/sd0 bs=1M
> > in order to achieve paranoid disk-wiping?
>
> I have no idea whether or not such paranoia makes sense.
> Maybe, maybe not.
>
> Yours,
>   Ingo
>
>

Re: Writing "ones" instead of "zeroes" when wiping disk

[Ingo Schwarze]

Hi Andreas,

Andreas Thulin wrote on Thu, Jan 11, 2018 at 02:45:21PM +:

> Again, an ignorant question (as usual):
> How might I do something similar to
> # dd if=/dev/one of=/dev/sd0 bs=1M

  jot -cs '' 512 255 255

writes 512 bytes with all bits set.  Feel free to use larger numbers
than 512.  For large numbers, this is certainly slower than dd
because it uses an explicit loop with some conditionals and one
printf(3) for each byte.

  perl -e 'print "\xff"x512'

may be faster.  If i needed maximum speed, i'd probably write a two-line
C program.

  while true; do echo -n "\0377"; done

works for the purist, but will hardly be fast.

Btw., you are asking for "Hello World!", kind of.
It may be hard to find a program that can't solve your task...  ;)

> as a complement to the usual and well-described
> # dd if=/dev/zero of=/dev/sd0 bs=1M
> followed by
> # dd if=/dev/urandom of=/dev/sd0 bs=1M
> in order to achieve paranoid disk-wiping?

I have no idea whether or not such paranoia makes sense.
Maybe, maybe not.

Yours,
  Ingo

Writing "ones" instead of "zeroes" when wiping disk

[Andreas Thulin]

Hi!

Again, an ignorant question (as usual):

How might I do something similar to

# dd if=/dev/one of=/dev/sd0 bs=1M

as a complement to the usual and well-described

# dd if=/dev/zero of=/dev/sd0 bs=1M

followed by

# dd if=/dev/urandom of=/dev/sd0 bs=1M

in order to achieve paranoid disk-wiping?

BR
Andreas

Re: Wifi Ierrs

[Raimo Niskanen]

On Thu, Jan 11, 2018 at 01:43:11PM +0100, Stefan Sperling wrote:
> On Thu, Jan 11, 2018 at 10:51:32AM +0100, Raimo Niskanen wrote:
> > Hello misc!
> > 
> > I have an PC Engines Alix 2d13 with an Atheros AR9280 running WPA2-PSK,
> > and see a lot of input errors over WiFi.  netstat -ivn shows:
> > 
> > NameMtu   Network Address  Ipkts IerrsOpkts Oerrs   
> > Colls
> > athn0   1500  172.17/16   172.17.0.1 1160154 4029261  1485342 61906 > > 0
> > 
> > I have tried calling "netstat -W athn0" with 10 seconds intervals and get
> > typically over such intervals:
> > 
> > 170 input unencrypted packets with wep/wpa config discarded
> > 12 input packets with mismatched channel
> > 8 input packets with mismatched ssid
> > 2 input frames below block ack window start
> > 
> > So is this normal for a congested neighbourhood (6 stories apartment house
> > - lots of APs around in the house on the 2.4 GHz band), or can anybody 
> > think of
> > a setting to tweak?  The router runs OpenBSD 6.2 stable (patched).
> > 
> > Best regards
> > -- 
> > 
> > / Raimo Niskanen
> > 
> 
> These are the numbers for my AP at home:
> 
> $ netstat -nI athn0 
> NameMtu   Network Address  Ipkts IerrsOpkts Oerrs 
> Colls
> athn0   150004:f0:21:17:3c:6a  2235626 123714  3743974 43802
>  0
> 
> The wifi network is usable but relatively slow.
> 
> This same card worked perfectly fine on a clean wifi channel up in
> the Canadian mountains where there was virtually no interference.
> Up there I got about 3MB/s transfer rates if I recall correctly.
> 
> After some code inspection I've done recently I came to the conclusion
> that this problem might be due to the fact that our driver does not
> run the regular calibration routines which other OS drivers use.
> If someone looked into that it might help fix the known issues we
> have with these devices. There is calibration code in our driver
> already but most of it is not being called yet. And what's there now
> needs to be cross-checked with other OSs since there are probably bugs.

Ok.  Interesting to know, but unfortunately way out of my competence
domain...  I hope for others to pick up this ball.

-- 

/ Raimo Niskanen, Erlang/OTP, Ericsson AB

Re: Bitmask for 224.0.0.0 in Martians PF table entry

[Aham Brahmasmi]

Thank you Kapetanakis Giannis and Mike Coddington for your helpful
replies. I will now use /3, since I do not think that I will use
multicast.

Regards,
ab

Re: Probable mistake in PF tagging example ruleset order

[Aham Brahmasmi]

(Resending, I fessed up the inline reply)

Arigato gojaimas Trondd san for your very helpful reply.

I had understood from the documentation that tags were sticky. I also
understood that a packet can only have zero or one tag at any time.
Also, that a tag cannot be removed, but only replaced.

However, I had not understood that the rule evaluation happens on every
interface. I now know that the "tags are sticky" actually implies that
the tags persist across evaluations on interfaces.

Also, I can now fully understand this line - "With tagging, it's
possible to do such things as create "trusts" between interfaces and
determine if packets have been processed by translation rules."

Frankly, it is my mistake. Reading back pf.conf's man page, it is there
on the second paragraph.
"Each time a packet processed by the packet filter comes in on or goes
out through an interface, the filter rules are evaluated in sequential
order, from first to last."
And NAT implies two interface traversals.
Mea Culpa.

Thanks.

Regards,
ab

Re: Probable mistake in PF tagging example ruleset order

[Aham Brahmasmi]

Arigato gojaimas Trondd san for your very helpful reply. 
 

Sent: Thursday, January 11, 2018 at 3:17 AM
From: trondd 
To: "Aham Brahmasmi" 
Cc: misc@openbsd.org
Subject: Re: Probable mistake in PF tagging example ruleset order
On Wed, January 10, 2018 2:44 pm, Aham Brahmasmi wrote:
> Hi,
>
> I am trying to learn and understand the pf tagging mechanism. I was
> wondering whether my understanding of the order in the example at
> https://www.openbsd.org/faq/pf/tagging.html is correct. If it is, then
> there might be a mistake in the order. The relevant lines are
>

Read the rules tagging follows again. Tags are sticky. Also a packet
passing through the firewall, say from a LAN machine to the internet, will
be evaluated twice. If it gets tagged the first time, it'll have that tag
already when evaluated the second time. If it matches a rule which tags
it, then matches another rule later, it still has the tag from the first
match.
 

> ...
> pass out on egress inet tag LAN_INET_NAT tagged LAN_INET nat-to (egress)
> pass in on $int_if from $int_net tag LAN_INET
> ...
> pass out quick on egress tagged LAN_INET_NAT
> ...
>
> My understanding:
> For the first line, an IPv4 packet that is already tagged with LAN_INET
> will now have the tag LAN_INET_NAT, and will be passed out on the
> egress interface after Network Address Translation.
>
> For the second line, a packet that is coming from the internal network
> on the internal interface will be passed and tagged with LAN_INET.
>
> For the third line, a packet that is tagged with LAN_INET_NAT will be
> passed out on the egress interface, and the rule evaluation will stop.
>
> Now, if my understanding is correct, then a packet will never match the
> first line, since the LAN_INET tagging happens only in the second line.
> And if that is the case, the third line will also not match, since the
> LAN_INET_NAT tagging happens in the first line.
>

Don't just read the rules from top to bottom. Follow the packet. Where
is the packet coming from? Where is it going? If there is a packet
coming from the LAN through this firewall to the internet what rules
match? Does that rule tag the packet? Does evaluation continue?

That's pass 1. Since this packet is not destined for this machine, but
for something on the internet, it has to leave this machine. So now it's
evaluated as an outgoing packet. Did it get tagged before? What rules
match based on direction and tag? Does it get a new tag? Does evaluation
continue? Does it match anything else?

I had understood from the documentation that tags were sticky. I also
understood that a packet can only have zero or one tag at any time.
Also, that a tag cannot be removed, but only replaced.

However, I had not understood that the rule evaluation happens on every
interface. I now know that the "tags are sticky" actually implies that
the tags persist across evaluations on interfaces.

Also, I can now fully understand this line - "With tagging, it's
possible to do such things as create "trusts" between interfaces and
determine if packets have been processed by translation rules."

Frankly, it is my mistake. Reading back pf.conf's man page, it is there
on the second paragraph.
"Each time a packet processed by the packet filter comes in on or goes
out through an interface, the filter rules are evaluated in sequential
order, from first to last."
And NAT implies two interface traversals.
Mea Culpa.


> If my understanding is correct, then we may need to switch the order of
> the first and second lines.
>
> The complete ruleset is
>
> int_if = "dc0"
> dmz_if = "dc1"
> int_net = "10.0.0.0/24"
> dmz_net = "192.168.0.0/24"
> www_server = "192.168.0.5"
> mail_server = "192.168.0.10"
>
> table  persist file "/etc/spammers"
> # classification -- classify packets based on the defined firewall
> # policy.
> block all
> pass out on egress inet tag LAN_INET_NAT tagged LAN_INET nat-to (egress)
> pass in on $int_if from $int_net tag LAN_INET
> pass in on $int_if from $int_net to $dmz_net tag LAN_DMZ
> pass in on egress proto tcp to $www_server port 80 tag INET_DMZ
> pass in on egress proto tcp from  to port smtp tag SPAMD rdr-to \
> 127.0.0.1 port 8025
>
> # policy enforcement -- pass/block based on the defined firewall policy.
> pass in quick on egress tagged SPAMD
> pass out quick on egress tagged LAN_INET_NAT
> pass out quick on $dmz_if tagged LAN_DMZ
> pass out quick on $dmz_if tagged INET_DMZ
>
> Thanks.
>
> Regards,
> ab
> -|-|-|-|-|-|-|--
>

 

Thanks.

Regards,
ab

Re: Wifi Ierrs

[Stefan Sperling]

On Thu, Jan 11, 2018 at 10:51:32AM +0100, Raimo Niskanen wrote:
> Hello misc!
> 
> I have an PC Engines Alix 2d13 with an Atheros AR9280 running WPA2-PSK,
> and see a lot of input errors over WiFi.  netstat -ivn shows:
> 
> NameMtu   Network Address  Ipkts IerrsOpkts Oerrs 
> Colls
> athn0   1500  172.17/16   172.17.0.1 1160154 4029261  1485342 61906   > 0
> 
> I have tried calling "netstat -W athn0" with 10 seconds intervals and get
> typically over such intervals:
> 
> 170 input unencrypted packets with wep/wpa config discarded
> 12 input packets with mismatched channel
> 8 input packets with mismatched ssid
> 2 input frames below block ack window start
> 
> So is this normal for a congested neighbourhood (6 stories apartment house
> - lots of APs around in the house on the 2.4 GHz band), or can anybody think 
> of
> a setting to tweak?  The router runs OpenBSD 6.2 stable (patched).
> 
> Best regards
> -- 
> 
> / Raimo Niskanen
> 

These are the numbers for my AP at home:

$ netstat -nI athn0 
NameMtu   Network Address  Ipkts IerrsOpkts Oerrs Colls
athn0   150004:f0:21:17:3c:6a  2235626 123714  3743974 43802 0

The wifi network is usable but relatively slow.

This same card worked perfectly fine on a clean wifi channel up in
the Canadian mountains where there was virtually no interference.
Up there I got about 3MB/s transfer rates if I recall correctly.

After some code inspection I've done recently I came to the conclusion
that this problem might be due to the fact that our driver does not
run the regular calibration routines which other OS drivers use.
If someone looked into that it might help fix the known issues we
have with these devices. There is calibration code in our driver
already but most of it is not being called yet. And what's there now
needs to be cross-checked with other OSs since there are probably bugs.

Re: Lenovo T60p touchpad not working (6.2-stable/amd64)

[Jonathan Thornburg]

A further update... after a suspend-resume cycle (suspend-to-RAM,
which 'just works' via Fn-F4), the touchpad works fine.  'dmesg' shows
15 new lines appended after my most recent suspend-resume cycle, but
none of them mention the mouse (pms0) explicitly:

WARNING !(rw_status(_config->mutex) == 0x0001UL) && 
!drm_modeset_is_locked(_config->connection_mutex) failed at 
/sys/dev/pci/drm/drm_crtc.h:1577
WARNING !(rw_status(_config->mutex) == 0x0001UL) && 
!drm_modeset_is_locked(_config->connection_mutex) failed at 
/sys/dev/pci/drm/drm_crtc.h:1577
uhub0 detached
uhub1 detached
uhub2 detached
uhub3 detached
uhub4 detached
uhub0 at usb1 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 
addr 1
uhub1 at usb2 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 
addr 1
uhub2 at usb3 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 
addr 1
uhub3 at usb4 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 
addr 1
uhub4 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 
addr 1
drm:pid80100:radeon_bo_unpin *WARNING* 0x80444390 unpin not necessary
WARNING !(rw_status(_config->mutex) == 0x0001UL) && 
!drm_modeset_is_locked(_config->connection_mutex) failed at 
/sys/dev/pci/drm/drm_crtc.h:1577
WARNING !(rw_status(_config->mutex) == 0x0001UL) && 
!drm_modeset_is_locked(_config->connection_mutex) failed at 
/sys/dev/pci/drm/drm_crtc.h:1577

Do other T60/T60p users see touchpad problems?

-- 
-- "Jonathan Thornburg [remove -animal to reply]" 

   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   currently visiting Max-Plack-Institute fuer Gravitationsphysik
  (Albert-Einstein-Institut), Potsdam-Golm, Germany
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"

Wifi Ierrs

[Raimo Niskanen]

Hello misc!

I have an PC Engines Alix 2d13 with an Atheros AR9280 running WPA2-PSK,
and see a lot of input errors over WiFi.  netstat -ivn shows:

NameMtu   Network Address  Ipkts IerrsOpkts Oerrs   
Colls
athn0   1500  172.17/16   172.17.0.1 1160154 4029261  1485342 61906 0

I have tried calling "netstat -W athn0" with 10 seconds intervals and get
typically over such intervals:

170 input unencrypted packets with wep/wpa config discarded
12 input packets with mismatched channel
8 input packets with mismatched ssid
2 input frames below block ack window start

So is this normal for a congested neighbourhood (6 stories apartment house
- lots of APs around in the house on the 2.4 GHz band), or can anybody think of
a setting to tweak?  The router runs OpenBSD 6.2 stable (patched).

Best regards
-- 

/ Raimo Niskanen

Re: state of Netdata on OpenBSD

[Gregory Edigarov]

On 10.01.18 18:58, Alceu R. de Freitas Jr. wrote:

Hello folks,
I'm considering installing Netdata on OpenBSD 6.2, but I found this issue on 
Github:
https://github.com/firehol/netdata/issues/1083
Unfortunately, it doesn't tell if Netdata works out of the box on OpenBSD, if 
requires the Collectd (supposedly integrated with it) or if it doesn't work at 
all.
Did you guys have any success in using it?
It did gave a shot to Collected, the problem was to get a decent web app to 
visualize the charts...


Collectd is capable of writting the data it collects to several time 
series databases like influx or prometheus.
You can use Grafana then, to visualize the data. The problem here is 
that you're still on your own to make the

nice looking dashboard.

Re: Panic: ffs_blkfree on 6.0 GENERIC.MP

[George Kourvoulis]

We tracked the problem to the underlying storage of the VM, so it is not
OpenBSD related.


On Wed, Jan 10, 2018 at 12:50 PM, George Kourvoulis 
wrote:

> Hello,
>
> Today I have found one of my gateways (VM on esxi 6.5) in the state that
> is shown here:
> https://imgur.com/a/SV687
>
> Unfortunately I didn't have time to gather more info because I had to
> reboot the machine in order to resume operations.
>
> Any pointers would be much appreciated.
>
> Thanks,
> George
>
> PS. Here is the output of my dmesg:
>
> OpenBSD 6.0 (GENERIC.MP) #2319: Tue Jul 26 13:00:43 MDT 2016
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 2130640896 <21%203064%200896> (2031MB)
> avail mem = 2061656064 (1966MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xe0010 (239 entries)
> bios0: vendor Phoenix Technologies LTD version "6.00" date 04/05/2016
> bios0: VMware, Inc. VMware Virtual Platform
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S1 S4 S5
> acpi0: tables DSDT FACP BOOT APIC MCFG SRAT HPET WAET
> acpi0: wakeup devices PCI0(S3) USB_(S1) P2P0(S3) S1F0(S3) S2F0(S3)
> S3F0(S3) S4F0(S3) S5F0(S3) S6F0(S3) S7F0(S3) S8F0(S3) S9F0(S3) S10F(S3)
> S11F(S3) S12F(S3) S13F(S3) [...]
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Xeon(R) CPU E5-2620 v3 @ 2.40GHz, 2397.56 MHz
> cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,
> CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,SSE3,PCLMUL,
> SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,
> AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,LONG,LAHF,PERF,
> ITSC,FSGSBASE,SMEP,ERMS,ARAT
> cpu0: 256KB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> cpu0: apic clock running at 65MHz
> ioapic0 at mainbus0: apid 1 pa 0xfec0, version 11, 24 pins
> acpimcfg0 at acpi0 addr 0xf000, bus 0-127
> acpihpet0 at acpi0: 14318179 Hz
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpicpu0 at acpi0: C1(@1 halt!)
> "PNP0001" at acpi0 not configured
> "PNP0303" at acpi0 not configured
> "PNP0F13" at acpi0 not configured
> "PNP0A05" at acpi0 not configured
> "PNP0400" at acpi0 not configured
> "PNP0501" at acpi0 not configured
> "PNP0501" at acpi0 not configured
> "PNP0700" at acpi0 not configured
> acpiac0 at acpi0: AC unit online
> pvbus0 at mainbus0: VMware
> vmt0 at pvbus0
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x01
> ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x01
> pci1 at ppb0 bus 1
> pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x08
> pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA,
> channel 0 configured to compatibility, channel 1 configured to compatibility
> pciide0: channel 0 disabled (no drives)
> atapiscsi0 at pciide0 channel 1 drive 0
> scsibus1 at atapiscsi0: 2 targets
> cd0 at scsibus1 targ 0 lun 0:  ATAPI
> 5/cdrom removable
> cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
> piixpm0 at pci0 dev 7 function 3 "Intel 82371AB Power" rev 0x08: SMBus
> disabled
> "VMware VMCI" rev 0x10 at pci0 dev 7 function 7 not configured
> vga1 at pci0 dev 15 function 0 "VMware SVGA II" rev 0x00
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> mpi0 at pci0 dev 16 function 0 "Symbios Logic 53c1030" rev 0x01: apic 1
> int 17
> mpi0: 0, firmware 1.3.41.32
> scsibus2 at mpi0: 16 targets, initiator 7
> sd0 at scsibus2 targ 0 lun 0:  SCSI2 0/direct
> fixed
> sd0: 10240MB, 512 bytes/sector, 20971520 sectors
> mpi0: target 0 Sync at 160MHz width 16bit offset 127 QAS 1 DT 1 IU 1
> ppb1 at pci0 dev 17 function 0 "VMware PCI" rev 0x02
> pci2 at ppb1 bus 2
> em0 at pci2 dev 0 function 0 "Intel 82545EM" rev 0x01: apic 1 int 18,
> address 00:50:56:b8:fd:45
> em1 at pci2 dev 2 function 0 "Intel 82545EM" rev 0x01: apic 1 int 16,
> address 00:50:56:b8:f4:6a
> em2 at pci2 dev 3 function 0 "Intel 82545EM" rev 0x01: apic 1 int 17,
> address 00:50:56:b8:9f:11
> em3 at pci2 dev 4 function 0 "Intel 82545EM" rev 0x01: apic 1 int 18,
> address 00:50:56:b8:d7:85
> ppb2 at pci0 dev 21 function 0 "VMware PCIE" rev 0x01
> pci3 at ppb2 bus 3
> ppb3 at pci0 dev 21 function 1 "VMware PCIE" rev 0x01
> pci4 at ppb3 bus 4
> ppb4 at pci0 dev 21 function 2 "VMware PCIE" rev 0x01
> pci5 at ppb4 bus 5
> ppb5 at pci0 dev 21 function 3 "VMware PCIE" rev 0x01
> pci6 at ppb5 bus 6
> ppb6 at pci0 dev 21 function 4 "VMware PCIE" rev 0x01
> pci7 at ppb6 bus 7
> ppb7 at pci0 dev 21 function 5 "VMware PCIE" rev 0x01
> pci8 at ppb7 bus 8
> ppb8 at pci0 dev 21 function 6 "VMware PCIE" rev 0x01
> pci9 at ppb8 bus 9
> ppb9 at pci0 dev 21 function 7 "VMware PCIE" rev 0x01
> pci10 at ppb9 bus 10
> ppb10 at pci0 dev 22 function 

Re: Bitmask for 224.0.0.0 in Martians PF table entry

[Kapetanakis Giannis]

On 10/01/18 20:55, Aham Brahmasmi wrote:
> Hi,
> 
> What is the correct bitmask for the 224.0.0.0 Martian table entry in
> pf.conf?
> 
> There are two bitmasks in two links on this page -
> http://www.team-cymru.org/bogon-reference-http.html. /3 in the The Text
> Bogon List, Aggregated and /4 in IPv4 Fullbogons. /3 is also present in
> https://www.openbsd.org/faq/pf/example1.html.
> 
> I think it should be /3, but I am still learning pf.
> 
> Thanks.
> 
> Regards,
> ab
> 

See here:
https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml
224/4 is the multicast allocation (224-239)
240/4 is for future use (240-255)

224/3 is both of the above

if you don't use multicast then 224/3 should be ok, otherwise 240/4

G
ps. for multicast specific see 
https://www.iana.org/assignments/multicast-addresses/multicast-addresses.xhtml