Re: Writing "ones" instead of "zeroes" when wiping disk
On Thu, 11 Jan 2018 22:09:32 -0500, "trondd" wrote: > A 1 is too narrow to fully cover the original data. You need to use an 8 to wipe out all seven segments. - todd
Re: Writing "ones" instead of "zeroes" when wiping disk
On 01/11/18 09:45, Andreas Thulin wrote: > Hi! > > Again, an ignorant question (as usual): > > How might I do something similar to > > # dd if=/dev/one of=/dev/sd0 bs=1M > > as a complement to the usual and well-described > > # dd if=/dev/zero of=/dev/sd0 bs=1M > > followed by > > # dd if=/dev/urandom of=/dev/sd0 bs=1M > > in order to achieve paranoid disk-wiping? Another answer to your question might be to change those zeros to ones. One way to do that: # tr "\0" "\377"
Re: Writing "ones" instead of "zeroes" when wiping disk
On Thu, January 11, 2018 5:12 pm, worik wrote: > On 12/01/18 11:09, Jan Stary wrote: >> On Jan 11 14:45:21, andreasthu...@gmail.com wrote: >>> in order to achieve paranoid disk-wiping? >> Ones are not nearly as secure as zeros. >> > Why not? Is it not arbitrary? > A 1 is too narrow to fully cover the original data.
FYI: logitech mouse LED color tool
Hi, I implemented a utility to set the LED color of Logitech mouse devices on OpenBSD. Some people might also use this mouse and would like to change the LED color. If you are interested just try it: https://github.com/younix/g403led I just tested it with the "G403 Prodigy Gaming Mouse" model. If it also work for other models, let me know. Any feedback is welcome. bye, Jan
After a failed checksum: What options remain?
Hello, Privateinternetaccess.org supplies secure VPNs. Their Windows installer (v75) has a SHA256 result that does not match what is supplied on their website. Fucking terrible "security" solution, is it not? As a prospective user of OpenBSD, I would hope that this never occurs, and that free software would fulfill its promises. I am considering switching to OpenBSD, but am afraid that I will be overcome by the difficulty of learning Linux commands. I am not incompetent and willing to read code and manpages, just timid, about this "big change." As part of considering OpenBSD adoption, I am extremely focused on security. However, trivial and fundamental issues are difficult to work around. My conclusion that the privateinternetaccess.org security solution is terrible is not necessarily well-founded. The checksum could be modified for these reasons: - file was messed with in transit to me - incompetent administrators did not update the checksum when they updated the file I suspect the latter, and unless my support ticket currently opened with Private Internet Access is resolved to my satisfaction I will be forced to use a free software solution. I am patient, but intolerant of stupidity. The determination remains to be made. GNUPG is my first step towards a cryptographically secure future. However, in downloading it, I am confronted by a serious problem. They state the following: Comparing Checksums If you are not able to use an old version of GnuPG, you can still verify the file's SHA-1 checksum. This is less secure, because if someone modified the files as they were transferred to you, it would not be much more effort to modify the checksums that you see on this webpage. As such, if you use this method, you should compare the checksums with those in release announcement. This is sent to the gnupg-announce mailing list (among others), which is widely mirrored. Don't use the mailing list archive on this website, but find the announcement on several other websites and make sure the checksum is consistent. This makes it more difficult for an attacker to trick you into installing a modified version of the software. As a result, I obtained an SSL/TLS server test to determine whether they would be exposed to MITM despite their https:// prefix due to no implementation of HSTS. GNUPG is HSTSecure. Private Internet Access is not, another flaw in their system. However, the classic Orwellian security problem cannot be solved in this case. The serious problem is that HSTS does not prevent a first-time user from being MitM'd when they visit the site, and I may have been attacked every single time. I have not yet verified the SHA1 sum in the archives -- are they correctly in stating that this is the best method? How can I positively verify an OpenBSD install is secure? How can implementing secure processes begin? Do I need to write my own checker from scratch to know that things are operating properly? That's a joke, but it's not that funny, is it? If a user on a compromised device installs an operating system with privilege separation, pledges could still be meaningless. What is the correct way to wear a tinfoil hat? Regards
Re: Writing "ones" instead of "zeroes" when wiping disk
On 12/01/18 11:09, Jan Stary wrote: > On Jan 11 14:45:21, andreasthu...@gmail.com wrote: >> Hi! >> >> Again, an ignorant question (as usual): >> >> How might I do something similar to >> >> # dd if=/dev/one of=/dev/sd0 bs=1M >> >> as a complement to the usual and well-described >> >> # dd if=/dev/zero of=/dev/sd0 bs=1M >> >> followed by >> >> # dd if=/dev/urandom of=/dev/sd0 bs=1M >> >> in order to achieve paranoid disk-wiping? > Ones are not nearly as secure as zeros. > Why not? Is it not arbitrary? Worik -- If not me then who? If not now then when? If not here then where? So, here I stand, I can do no other r...@worik.org 021-1680650, (03) 4821804 Aotearoa (New Zealand)
Re: Options for dealing with DES crypt password file
> Are there any workarounds for me using the old DES password hashes, or do we > need to 'passwd ' for hundreds of users? > You could give John the Ripper a try.
Re: [cwm] Can't move snaped window
I experienced satori :) Thank you master. 11.01.2018, 20:06, "Julien Steinhauser": > Ve Telko wrote: > >> Hello all, > > Hello > >> window in cwm -current snapped to screen edge can not be moved using >> keyboard shortcuts. Is this a feature or bug? :) > > What about a moveamount bigger than the snapdist ? > > -- > Julien
Re: Writing "ones" instead of "zeroes" when wiping disk
On Jan 11 14:45:21, andreasthu...@gmail.com wrote: > Hi! > > Again, an ignorant question (as usual): > > How might I do something similar to > > # dd if=/dev/one of=/dev/sd0 bs=1M > > as a complement to the usual and well-described > > # dd if=/dev/zero of=/dev/sd0 bs=1M > > followed by > > # dd if=/dev/urandom of=/dev/sd0 bs=1M > > in order to achieve paranoid disk-wiping? Ones are not nearly as secure as zeros.
Re: Options for dealing with DES crypt password file
I appreciate the suggestion but yeah, LDAP is totally overkill here. There's really only this one server that needs access to the auth info in the passwd file, so LDAP wouldn't really help me.
Re: Options for dealing with DES crypt password file
On Thu, Jan 11, 2018, at 3:42 PM, Consus wrote: > On 18:27 Thu 11 Jan, Jeff Zimmerman wrote: > > I've got an old server (OpenBSD 4.7 old) with a mixed bag of password > > hashes in master.passwd. A majority of the passwords (hundreds) are > > old salted DES crypt format. > > > > Am I correct in my research that everything but Blowfish was removed > > from crypt() around OpenBSD 5.7? Are there any workarounds for me > > using the old DES password hashes, or do we need to 'passwd ' > > for hundreds of users? > > Use LDAP already. > We don't really know his situation. LDAP could be major overkill...
Re: Writing "ones" instead of "zeroes" when wiping disk
On 01/11/18 14:45, Andreas Thulin wrote: Hi! Again, an ignorant question (as usual): How might I do something similar to # dd if=/dev/one of=/dev/sd0 bs=1M as a complement to the usual and well-described # dd if=/dev/zero of=/dev/sd0 bs=1M followed by Personally, given your premise of "paran0id disk-wiping", then I would take the next step of checking if a non-random sequence of "0"s are still on the device. Are you ready for that rabbit h0le ?? hehehe ;-) # dd if=/dev/urandom of=/dev/sd0 bs=1M in order to achieve paranoid disk-wiping? BR Andreas
Re: Performance issues as KVM guest?
* Kent Watsen [2018-01-11 17:38]: [...] > > > Since my hosting provider https://www.bytemark.co.uk/cloud-hosting/ > > > patched for Meltdown last weekend I'm seeing significant performance > > > issues with an OpenBSD virtual instance there. It seems okay after a > > > fresh reboot but then progressively returns to being very slow: for > > > example "sleep 1" may take four seconds, then five, six, seven, then > > > rather more. Curiously it does tend to be an integral multiplier. > > > > > > I wondered, is anybody else seeing significant performance problems with > > > OpenBSD (or other BSDs) virtual instances since Meltdown patching? Is > > > there anything to tweak at my end or am I reliant on the provider? > > > > > > -- Mark > > > > > There are a ton of threads talking about this issue, and it's not meltdown > > specific. Please search the archives. > > > > -ml > > [...] > Also, Mark, could you say some more about the issue. For instance, how long > after a reboot does it take until you start to notice the issue, and how > quickly does it get worse? I'm another customer of Bytemark experiencing the same issue. I'm taking care of one VM there and I'm primarly noticing it in two situations: sleep() takes a long time (e.g. sleep(1) might take up to 40 seconds) and the clock slows down. Right now, 9 hours after reboot, the clock on VM is 3 hours behind real clock. And sleep(1) takes 13 secs: km@buildfarm ~ $ time sleep 1 0m13.85s real 0m00.00s user 0m00.01s system This all started after the host was patched and VM rebooted. Bytemark guys are looking at the issue and doing their own debugging. Here're findings so far: I spun a few OpenBSD VMs up and left them overnight - looks like the clock isn't drifting but there's still the 'time sleep 1' issue. My testing results seemed to concur with User_4574's, virtio was slowing down only a few minutes after a fresh install whereas compatibility would stick at 1s, jump to 2s, etc. > > Thanks, > Kent > -- -- Kirill Miazine
Re: Options for dealing with DES crypt password file
On 18:27 Thu 11 Jan, Jeff Zimmerman wrote: > I've got an old server (OpenBSD 4.7 old) with a mixed bag of password > hashes in master.passwd. A majority of the passwords (hundreds) are > old salted DES crypt format. > > Am I correct in my research that everything but Blowfish was removed > from crypt() around OpenBSD 5.7? Are there any workarounds for me > using the old DES password hashes, or do we need to 'passwd ' > for hundreds of users? Use LDAP already.
Re: Writing "ones" instead of "zeroes" when wiping disk
On Thu, January 11, 2018 3:16 pm, L. V. Lammert wrote: > On Thu, 11 Jan 2018, STeve Andre' wrote: > >> Don't bother. Wiping the disk twice is enough. If you are storing state >> secrets melt the disk. >> > An anvil big hammer also works well and gives some exercise in the > process. > > Lee > > +1 to big hammer. boys are changing disk firmware nowadays... go figure... cheers. -- x9p | PGP : 0x03B50AF5EA4C8D80 / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE "I don't know where I'm going from here, but I promise it won't be boring." - David Bowie
Re: [cwm] Can't move snaped window
Ve Telkowrote: > > Hello all, > Hello > window in cwm -current snapped to screen edge can not be moved using > keyboard shortcuts. Is this a feature or bug? :) What about a moveamount bigger than the snapdist ? -- Julien
Re: Options for dealing with DES crypt password file
I completely understand. The running chainsaw analogy is pretty accurate here. OpenBSD is as secure as it is because you all remove as many chainsaws as possible. We needed to update those hashes anyway someday. I just wasn't expecting that day to be today. Thanks again! From: Theo de RaadtSent: Thursday, January 11, 2018 12:49:33 PM To: Jeff Zimmerman Cc: misc@openbsd.org Subject: Re: Options for dealing with DES crypt password file > I was hoping that there was some hidden switch somewhere that would turn > the classic crypt back on. No such luck. That'd be like leaving a running chainsaw on the floor at a daycare center. When something is dangerous, we get rid of it.
Re: Options for dealing with DES crypt password file
> I was hoping that there was some hidden switch somewhere that would turn > the classic crypt back on. No such luck. That'd be like leaving a running chainsaw on the floor at a daycare center. When something is dangerous, we get rid of it.
Re: Options for dealing with DES crypt password file
I know, I'm ashamed to say that yes, this machine has been running (behind a restrictive firewall) for all of these years. I was hoping that there was some hidden switch somewhere that would turn the classic crypt back on. No such luck. But thank you for the quick response. I've been using OpenBSD for a lot of years and really appreciate your efforts Theo, and the efforts of everyone associated with the project. From: Theo de RaadtSent: Thursday, January 11, 2018 12:29:59 PM To: Jeff Zimmerman Cc: misc@openbsd.org Subject: Re: Options for dealing with DES crypt password file > I've got an old server (OpenBSD 4.7 old) with a mixed bag of password hashes > in master.passwd. A majority of the passwords (hundreds) are old salted > DES crypt format. bummer > Am I correct in my research that everything but Blowfish was removed from > crypt() around OpenBSD 5.7? Are there any workarounds for me using the old > DES password hashes, or do we need to 'passwd ' for hundreds of users? There are no workarounds. The hashes cannot be reversed to make new passwords, and the legacy methods are removed intentionally because they are super weak You been running that on the internet? the shame!
Re: firefox-esr and icedtea-web
Apologize the noise. Just for the record: Firefox limits NPAPI support (technology required for Java applets) 64-bit Firefox The 64-bit version of Firefox does not support NPAPI plug-ins, including Java. Firefox 52 and above Beginning with Firefox 52 (released March 2017), plug-in support is limited to Adobe Flash, and drops support for NPAPI, impacting plugins for Java, Silverlight, and other similar NPAPI based plugins.
Re: Options for dealing with DES crypt password file
> I've got an old server (OpenBSD 4.7 old) with a mixed bag of password hashes > in master.passwd. A majority of the passwords (hundreds) are old salted > DES crypt format. bummer > Am I correct in my research that everything but Blowfish was removed from > crypt() around OpenBSD 5.7? Are there any workarounds for me using the old > DES password hashes, or do we need to 'passwd ' for hundreds of users? There are no workarounds. The hashes cannot be reversed to make new passwords, and the legacy methods are removed intentionally because they are super weak You been running that on the internet? the shame!
Options for dealing with DES crypt password file
I've got an old server (OpenBSD 4.7 old) with a mixed bag of password hashes in master.passwd. A majority of the passwords (hundreds) are old salted DES crypt format. Am I correct in my research that everything but Blowfish was removed from crypt() around OpenBSD 5.7? Are there any workarounds for me using the old DES password hashes, or do we need to 'passwd ' for hundreds of users?
Re: Performance issues as KVM guest?
This sounds like the same issue as was described here: https://marc.info/?l=openbsd-bugs=151430928212450=2 - todd
Re: Writing "ones" instead of "zeroes" when wiping disk
On Thu, Jan 11, 2018 at 12:16 PM, L. V. Lammertwrote: > On Thu, 11 Jan 2018, STeve Andre' wrote: > >> Don't bother. Wiping the disk twice is enough. If you are storing state >> secrets melt the disk. >> > An anvil big hammer also works well and gives some exercise in the > process. Might be more secure to sell it to Hollywood, as a movie script. They'll change it beyond recognition. -- Raul
Re: Performance issues as KVM guest?
On Thu, Jan 11, 2018 at 05:38:18PM +, Kent Watsen wrote: > On 1/10/18 1:53 PM, Mike Larkin wrote: > > On Wed, Jan 10, 2018 at 03:51:19PM +, Mark Carroll wrote: > > > Since my hosting provider https://www.bytemark.co.uk/cloud-hosting/ > > > patched for Meltdown last weekend I'm seeing significant performance > > > issues with an OpenBSD virtual instance there. It seems okay after a > > > fresh reboot but then progressively returns to being very slow: for > > > example "sleep 1" may take four seconds, then five, six, seven, then > > > rather more. Curiously it does tend to be an integral multiplier. > > > > > > I wondered, is anybody else seeing significant performance problems with > > > OpenBSD (or other BSDs) virtual instances since Meltdown patching? Is > > > there anything to tweak at my end or am I reliant on the provider? > > > > > > -- Mark > > > > > There are a ton of threads talking about this issue, and it's not meltdown > > specific. Please search the archives. > > > > -ml > > > > Really? I just searched the last two years of list email for subject lines > having substrings "virt", "kvm", "perf", and "slow", and didn't see anything > on this specific issue. Can you provide a link, or the name of the thread, > or some keywords? > > Also, Mark, could you say some more about the issue. For instance, how long > after a reboot does it take until you start to notice the issue, and how > quickly does it get worse? > > Thanks, > Kent > IIRC several of the threads referred to proxmox.
Re: Writing "ones" instead of "zeroes" when wiping disk
On Thu, 11 Jan 2018, STeve Andre' wrote: > Don't bother. Wiping the disk twice is enough. If you are storing state > secrets melt the disk. > An anvil big hammer also works well and gives some exercise in the process. Lee
[cwm] Can't move snaped window
Hello all, window in cwm -current snapped to screen edge can not be moved using keyboard shortcuts. Is this a feature or bug? :) Thanks, Ve.
Re: Performance issues as KVM guest?
On 1/10/18 1:53 PM, Mike Larkin wrote: On Wed, Jan 10, 2018 at 03:51:19PM +, Mark Carroll wrote: Since my hosting provider https://www.bytemark.co.uk/cloud-hosting/ patched for Meltdown last weekend I'm seeing significant performance issues with an OpenBSD virtual instance there. It seems okay after a fresh reboot but then progressively returns to being very slow: for example "sleep 1" may take four seconds, then five, six, seven, then rather more. Curiously it does tend to be an integral multiplier. I wondered, is anybody else seeing significant performance problems with OpenBSD (or other BSDs) virtual instances since Meltdown patching? Is there anything to tweak at my end or am I reliant on the provider? -- Mark There are a ton of threads talking about this issue, and it's not meltdown specific. Please search the archives. -ml Really? I just searched the last two years of list email for subject lines having substrings "virt", "kvm", "perf", and "slow", and didn't see anything on this specific issue. Can you provide a link, or the name of the thread, or some keywords? Also, Mark, could you say some more about the issue. For instance, how long after a reboot does it take until you start to notice the issue, and how quickly does it get worse? Thanks, Kent
Re: Writing "ones" instead of "zeroes" when wiping disk
Don't bother. Wiping the disk twice is enough. If you are storing state secrets melt the disk. Back in the days of sub 1G disks it might have been possible to get inter track gap data that was usable. Maybe. But not multi T disks. Sectors mapped out are a problem though, and multiple writes aren't going to touch those. If you encrypt the disk I question how much value a few encrypted sectors would be to anyone. Worry far more over lost usb sticks or portable usb disks. That's a far bigger problem. STeve Andre' Sent with AquaMail for Android http://www.aqua-mail.com On January 11, 2018 9:46:25 AM Andreas Thulinwrote: Hi! Again, an ignorant question (as usual): How might I do something similar to # dd if=/dev/one of=/dev/sd0 bs=1M as a complement to the usual and well-described # dd if=/dev/zero of=/dev/sd0 bs=1M followed by # dd if=/dev/urandom of=/dev/sd0 bs=1M in order to achieve paranoid disk-wiping? BR Andreas
Re: Writing "ones" instead of "zeroes" when wiping disk
You can adapt my linux bash script for such pointlessly "paranoid" purposes. I use it to prove to HIPAA auditors just how paranoid I can be, and it's above NIST requirements in the US. https://github.com/spoollord/shredder Would require you to pkg_add pv base64. Or, just adapt the script without those. On Thu, Jan 11, 2018 at 8:26 AM, Ingo Schwarzewrote: > Hi Andreas, > > Andreas Thulin wrote on Thu, Jan 11, 2018 at 02:45:21PM +: > > > Again, an ignorant question (as usual): > > How might I do something similar to > > # dd if=/dev/one of=/dev/sd0 bs=1M > > jot -cs '' 512 255 255 > > writes 512 bytes with all bits set. Feel free to use larger numbers > than 512. For large numbers, this is certainly slower than dd > because it uses an explicit loop with some conditionals and one > printf(3) for each byte. > > perl -e 'print "\xff"x512' > > may be faster. If i needed maximum speed, i'd probably write a two-line > C program. > > while true; do echo -n "\0377"; done > > works for the purist, but will hardly be fast. > > Btw., you are asking for "Hello World!", kind of. > It may be hard to find a program that can't solve your task... ;) > > > as a complement to the usual and well-described > > # dd if=/dev/zero of=/dev/sd0 bs=1M > > followed by > > # dd if=/dev/urandom of=/dev/sd0 bs=1M > > in order to achieve paranoid disk-wiping? > > I have no idea whether or not such paranoia makes sense. > Maybe, maybe not. > > Yours, > Ingo > >
Re: Writing "ones" instead of "zeroes" when wiping disk
Hi Andreas, Andreas Thulin wrote on Thu, Jan 11, 2018 at 02:45:21PM +: > Again, an ignorant question (as usual): > How might I do something similar to > # dd if=/dev/one of=/dev/sd0 bs=1M jot -cs '' 512 255 255 writes 512 bytes with all bits set. Feel free to use larger numbers than 512. For large numbers, this is certainly slower than dd because it uses an explicit loop with some conditionals and one printf(3) for each byte. perl -e 'print "\xff"x512' may be faster. If i needed maximum speed, i'd probably write a two-line C program. while true; do echo -n "\0377"; done works for the purist, but will hardly be fast. Btw., you are asking for "Hello World!", kind of. It may be hard to find a program that can't solve your task... ;) > as a complement to the usual and well-described > # dd if=/dev/zero of=/dev/sd0 bs=1M > followed by > # dd if=/dev/urandom of=/dev/sd0 bs=1M > in order to achieve paranoid disk-wiping? I have no idea whether or not such paranoia makes sense. Maybe, maybe not. Yours, Ingo
Writing "ones" instead of "zeroes" when wiping disk
Hi! Again, an ignorant question (as usual): How might I do something similar to # dd if=/dev/one of=/dev/sd0 bs=1M as a complement to the usual and well-described # dd if=/dev/zero of=/dev/sd0 bs=1M followed by # dd if=/dev/urandom of=/dev/sd0 bs=1M in order to achieve paranoid disk-wiping? BR Andreas
Re: Wifi Ierrs
On Thu, Jan 11, 2018 at 01:43:11PM +0100, Stefan Sperling wrote: > On Thu, Jan 11, 2018 at 10:51:32AM +0100, Raimo Niskanen wrote: > > Hello misc! > > > > I have an PC Engines Alix 2d13 with an Atheros AR9280 running WPA2-PSK, > > and see a lot of input errors over WiFi. netstat -ivn shows: > > > > NameMtu Network Address Ipkts IerrsOpkts Oerrs > > Colls > > athn0 1500 172.17/16 172.17.0.1 1160154 4029261 1485342 61906 > > 0 > > > > I have tried calling "netstat -W athn0" with 10 seconds intervals and get > > typically over such intervals: > > > > 170 input unencrypted packets with wep/wpa config discarded > > 12 input packets with mismatched channel > > 8 input packets with mismatched ssid > > 2 input frames below block ack window start > > > > So is this normal for a congested neighbourhood (6 stories apartment house > > - lots of APs around in the house on the 2.4 GHz band), or can anybody > > think of > > a setting to tweak? The router runs OpenBSD 6.2 stable (patched). > > > > Best regards > > -- > > > > / Raimo Niskanen > > > > These are the numbers for my AP at home: > > $ netstat -nI athn0 > NameMtu Network Address Ipkts IerrsOpkts Oerrs > Colls > athn0 150004:f0:21:17:3c:6a 2235626 123714 3743974 43802 > 0 > > The wifi network is usable but relatively slow. > > This same card worked perfectly fine on a clean wifi channel up in > the Canadian mountains where there was virtually no interference. > Up there I got about 3MB/s transfer rates if I recall correctly. > > After some code inspection I've done recently I came to the conclusion > that this problem might be due to the fact that our driver does not > run the regular calibration routines which other OS drivers use. > If someone looked into that it might help fix the known issues we > have with these devices. There is calibration code in our driver > already but most of it is not being called yet. And what's there now > needs to be cross-checked with other OSs since there are probably bugs. Ok. Interesting to know, but unfortunately way out of my competence domain... I hope for others to pick up this ball. -- / Raimo Niskanen, Erlang/OTP, Ericsson AB
Re: Bitmask for 224.0.0.0 in Martians PF table entry
Thank you Kapetanakis Giannis and Mike Coddington for your helpful replies. I will now use /3, since I do not think that I will use multicast. Regards, ab
Re: Probable mistake in PF tagging example ruleset order
(Resending, I fessed up the inline reply) Arigato gojaimas Trondd san for your very helpful reply. I had understood from the documentation that tags were sticky. I also understood that a packet can only have zero or one tag at any time. Also, that a tag cannot be removed, but only replaced. However, I had not understood that the rule evaluation happens on every interface. I now know that the "tags are sticky" actually implies that the tags persist across evaluations on interfaces. Also, I can now fully understand this line - "With tagging, it's possible to do such things as create "trusts" between interfaces and determine if packets have been processed by translation rules." Frankly, it is my mistake. Reading back pf.conf's man page, it is there on the second paragraph. "Each time a packet processed by the packet filter comes in on or goes out through an interface, the filter rules are evaluated in sequential order, from first to last." And NAT implies two interface traversals. Mea Culpa. Thanks. Regards, ab
Re: Probable mistake in PF tagging example ruleset order
Arigato gojaimas Trondd san for your very helpful reply. Sent: Thursday, January 11, 2018 at 3:17 AM From: tronddTo: "Aham Brahmasmi" Cc: misc@openbsd.org Subject: Re: Probable mistake in PF tagging example ruleset order On Wed, January 10, 2018 2:44 pm, Aham Brahmasmi wrote: > Hi, > > I am trying to learn and understand the pf tagging mechanism. I was > wondering whether my understanding of the order in the example at > https://www.openbsd.org/faq/pf/tagging.html is correct. If it is, then > there might be a mistake in the order. The relevant lines are > Read the rules tagging follows again. Tags are sticky. Also a packet passing through the firewall, say from a LAN machine to the internet, will be evaluated twice. If it gets tagged the first time, it'll have that tag already when evaluated the second time. If it matches a rule which tags it, then matches another rule later, it still has the tag from the first match. > ... > pass out on egress inet tag LAN_INET_NAT tagged LAN_INET nat-to (egress) > pass in on $int_if from $int_net tag LAN_INET > ... > pass out quick on egress tagged LAN_INET_NAT > ... > > My understanding: > For the first line, an IPv4 packet that is already tagged with LAN_INET > will now have the tag LAN_INET_NAT, and will be passed out on the > egress interface after Network Address Translation. > > For the second line, a packet that is coming from the internal network > on the internal interface will be passed and tagged with LAN_INET. > > For the third line, a packet that is tagged with LAN_INET_NAT will be > passed out on the egress interface, and the rule evaluation will stop. > > Now, if my understanding is correct, then a packet will never match the > first line, since the LAN_INET tagging happens only in the second line. > And if that is the case, the third line will also not match, since the > LAN_INET_NAT tagging happens in the first line. > Don't just read the rules from top to bottom. Follow the packet. Where is the packet coming from? Where is it going? If there is a packet coming from the LAN through this firewall to the internet what rules match? Does that rule tag the packet? Does evaluation continue? That's pass 1. Since this packet is not destined for this machine, but for something on the internet, it has to leave this machine. So now it's evaluated as an outgoing packet. Did it get tagged before? What rules match based on direction and tag? Does it get a new tag? Does evaluation continue? Does it match anything else? I had understood from the documentation that tags were sticky. I also understood that a packet can only have zero or one tag at any time. Also, that a tag cannot be removed, but only replaced. However, I had not understood that the rule evaluation happens on every interface. I now know that the "tags are sticky" actually implies that the tags persist across evaluations on interfaces. Also, I can now fully understand this line - "With tagging, it's possible to do such things as create "trusts" between interfaces and determine if packets have been processed by translation rules." Frankly, it is my mistake. Reading back pf.conf's man page, it is there on the second paragraph. "Each time a packet processed by the packet filter comes in on or goes out through an interface, the filter rules are evaluated in sequential order, from first to last." And NAT implies two interface traversals. Mea Culpa. > If my understanding is correct, then we may need to switch the order of > the first and second lines. > > The complete ruleset is > > int_if = "dc0" > dmz_if = "dc1" > int_net = "10.0.0.0/24" > dmz_net = "192.168.0.0/24" > www_server = "192.168.0.5" > mail_server = "192.168.0.10" > > table persist file "/etc/spammers" > # classification -- classify packets based on the defined firewall > # policy. > block all > pass out on egress inet tag LAN_INET_NAT tagged LAN_INET nat-to (egress) > pass in on $int_if from $int_net tag LAN_INET > pass in on $int_if from $int_net to $dmz_net tag LAN_DMZ > pass in on egress proto tcp to $www_server port 80 tag INET_DMZ > pass in on egress proto tcp from to port smtp tag SPAMD rdr-to \ > 127.0.0.1 port 8025 > > # policy enforcement -- pass/block based on the defined firewall policy. > pass in quick on egress tagged SPAMD > pass out quick on egress tagged LAN_INET_NAT > pass out quick on $dmz_if tagged LAN_DMZ > pass out quick on $dmz_if tagged INET_DMZ > > Thanks. > > Regards, > ab > -|-|-|-|-|-|-|-- > Thanks. Regards, ab
Re: Wifi Ierrs
On Thu, Jan 11, 2018 at 10:51:32AM +0100, Raimo Niskanen wrote: > Hello misc! > > I have an PC Engines Alix 2d13 with an Atheros AR9280 running WPA2-PSK, > and see a lot of input errors over WiFi. netstat -ivn shows: > > NameMtu Network Address Ipkts IerrsOpkts Oerrs > Colls > athn0 1500 172.17/16 172.17.0.1 1160154 4029261 1485342 61906 > 0 > > I have tried calling "netstat -W athn0" with 10 seconds intervals and get > typically over such intervals: > > 170 input unencrypted packets with wep/wpa config discarded > 12 input packets with mismatched channel > 8 input packets with mismatched ssid > 2 input frames below block ack window start > > So is this normal for a congested neighbourhood (6 stories apartment house > - lots of APs around in the house on the 2.4 GHz band), or can anybody think > of > a setting to tweak? The router runs OpenBSD 6.2 stable (patched). > > Best regards > -- > > / Raimo Niskanen > These are the numbers for my AP at home: $ netstat -nI athn0 NameMtu Network Address Ipkts IerrsOpkts Oerrs Colls athn0 150004:f0:21:17:3c:6a 2235626 123714 3743974 43802 0 The wifi network is usable but relatively slow. This same card worked perfectly fine on a clean wifi channel up in the Canadian mountains where there was virtually no interference. Up there I got about 3MB/s transfer rates if I recall correctly. After some code inspection I've done recently I came to the conclusion that this problem might be due to the fact that our driver does not run the regular calibration routines which other OS drivers use. If someone looked into that it might help fix the known issues we have with these devices. There is calibration code in our driver already but most of it is not being called yet. And what's there now needs to be cross-checked with other OSs since there are probably bugs.
Re: Lenovo T60p touchpad not working (6.2-stable/amd64)
A further update... after a suspend-resume cycle (suspend-to-RAM, which 'just works' via Fn-F4), the touchpad works fine. 'dmesg' shows 15 new lines appended after my most recent suspend-resume cycle, but none of them mention the mouse (pms0) explicitly: WARNING !(rw_status(_config->mutex) == 0x0001UL) && !drm_modeset_is_locked(_config->connection_mutex) failed at /sys/dev/pci/drm/drm_crtc.h:1577 WARNING !(rw_status(_config->mutex) == 0x0001UL) && !drm_modeset_is_locked(_config->connection_mutex) failed at /sys/dev/pci/drm/drm_crtc.h:1577 uhub0 detached uhub1 detached uhub2 detached uhub3 detached uhub4 detached uhub0 at usb1 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1 uhub1 at usb2 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1 uhub2 at usb3 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1 uhub3 at usb4 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1 uhub4 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 addr 1 drm:pid80100:radeon_bo_unpin *WARNING* 0x80444390 unpin not necessary WARNING !(rw_status(_config->mutex) == 0x0001UL) && !drm_modeset_is_locked(_config->connection_mutex) failed at /sys/dev/pci/drm/drm_crtc.h:1577 WARNING !(rw_status(_config->mutex) == 0x0001UL) && !drm_modeset_is_locked(_config->connection_mutex) failed at /sys/dev/pci/drm/drm_crtc.h:1577 Do other T60/T60p users see touchpad problems? -- -- "Jonathan Thornburg [remove -animal to reply]"Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA currently visiting Max-Plack-Institute fuer Gravitationsphysik (Albert-Einstein-Institut), Potsdam-Golm, Germany "There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system, the Thought Police plugged in on any individual wire was guesswork. It was even conceivable that they watched everybody all the time." -- George Orwell, "1984"
Wifi Ierrs
Hello misc! I have an PC Engines Alix 2d13 with an Atheros AR9280 running WPA2-PSK, and see a lot of input errors over WiFi. netstat -ivn shows: NameMtu Network Address Ipkts IerrsOpkts Oerrs Colls athn0 1500 172.17/16 172.17.0.1 1160154 4029261 1485342 61906 0 I have tried calling "netstat -W athn0" with 10 seconds intervals and get typically over such intervals: 170 input unencrypted packets with wep/wpa config discarded 12 input packets with mismatched channel 8 input packets with mismatched ssid 2 input frames below block ack window start So is this normal for a congested neighbourhood (6 stories apartment house - lots of APs around in the house on the 2.4 GHz band), or can anybody think of a setting to tweak? The router runs OpenBSD 6.2 stable (patched). Best regards -- / Raimo Niskanen
Re: state of Netdata on OpenBSD
On 10.01.18 18:58, Alceu R. de Freitas Jr. wrote: Hello folks, I'm considering installing Netdata on OpenBSD 6.2, but I found this issue on Github: https://github.com/firehol/netdata/issues/1083 Unfortunately, it doesn't tell if Netdata works out of the box on OpenBSD, if requires the Collectd (supposedly integrated with it) or if it doesn't work at all. Did you guys have any success in using it? It did gave a shot to Collected, the problem was to get a decent web app to visualize the charts... Collectd is capable of writting the data it collects to several time series databases like influx or prometheus. You can use Grafana then, to visualize the data. The problem here is that you're still on your own to make the nice looking dashboard.
Re: Panic: ffs_blkfree on 6.0 GENERIC.MP
We tracked the problem to the underlying storage of the VM, so it is not OpenBSD related. On Wed, Jan 10, 2018 at 12:50 PM, George Kourvouliswrote: > Hello, > > Today I have found one of my gateways (VM on esxi 6.5) in the state that > is shown here: > https://imgur.com/a/SV687 > > Unfortunately I didn't have time to gather more info because I had to > reboot the machine in order to resume operations. > > Any pointers would be much appreciated. > > Thanks, > George > > PS. Here is the output of my dmesg: > > OpenBSD 6.0 (GENERIC.MP) #2319: Tue Jul 26 13:00:43 MDT 2016 > dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP > real mem = 2130640896 <21%203064%200896> (2031MB) > avail mem = 2061656064 (1966MB) > mpath0 at root > scsibus0 at mpath0: 256 targets > mainbus0 at root > bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xe0010 (239 entries) > bios0: vendor Phoenix Technologies LTD version "6.00" date 04/05/2016 > bios0: VMware, Inc. VMware Virtual Platform > acpi0 at bios0: rev 2 > acpi0: sleep states S0 S1 S4 S5 > acpi0: tables DSDT FACP BOOT APIC MCFG SRAT HPET WAET > acpi0: wakeup devices PCI0(S3) USB_(S1) P2P0(S3) S1F0(S3) S2F0(S3) > S3F0(S3) S4F0(S3) S5F0(S3) S6F0(S3) S7F0(S3) S8F0(S3) S9F0(S3) S10F(S3) > S11F(S3) S12F(S3) S13F(S3) [...] > acpitimer0 at acpi0: 3579545 Hz, 24 bits > acpimadt0 at acpi0 addr 0xfee0: PC-AT compat > cpu0 at mainbus0: apid 0 (boot processor) > cpu0: Intel(R) Xeon(R) CPU E5-2620 v3 @ 2.40GHz, 2397.56 MHz > cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA, > CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,SSE3,PCLMUL, > SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT, > AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,LONG,LAHF,PERF, > ITSC,FSGSBASE,SMEP,ERMS,ARAT > cpu0: 256KB 64b/line 8-way L2 cache > cpu0: smt 0, core 0, package 0 > mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges > cpu0: apic clock running at 65MHz > ioapic0 at mainbus0: apid 1 pa 0xfec0, version 11, 24 pins > acpimcfg0 at acpi0 addr 0xf000, bus 0-127 > acpihpet0 at acpi0: 14318179 Hz > acpiprt0 at acpi0: bus 0 (PCI0) > acpicpu0 at acpi0: C1(@1 halt!) > "PNP0001" at acpi0 not configured > "PNP0303" at acpi0 not configured > "PNP0F13" at acpi0 not configured > "PNP0A05" at acpi0 not configured > "PNP0400" at acpi0 not configured > "PNP0501" at acpi0 not configured > "PNP0501" at acpi0 not configured > "PNP0700" at acpi0 not configured > acpiac0 at acpi0: AC unit online > pvbus0 at mainbus0: VMware > vmt0 at pvbus0 > pci0 at mainbus0 bus 0 > pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x01 > ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x01 > pci1 at ppb0 bus 1 > pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x08 > pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, > channel 0 configured to compatibility, channel 1 configured to compatibility > pciide0: channel 0 disabled (no drives) > atapiscsi0 at pciide0 channel 1 drive 0 > scsibus1 at atapiscsi0: 2 targets > cd0 at scsibus1 targ 0 lun 0: ATAPI > 5/cdrom removable > cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2 > piixpm0 at pci0 dev 7 function 3 "Intel 82371AB Power" rev 0x08: SMBus > disabled > "VMware VMCI" rev 0x10 at pci0 dev 7 function 7 not configured > vga1 at pci0 dev 15 function 0 "VMware SVGA II" rev 0x00 > wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) > wsdisplay0: screen 1-5 added (80x25, vt100 emulation) > mpi0 at pci0 dev 16 function 0 "Symbios Logic 53c1030" rev 0x01: apic 1 > int 17 > mpi0: 0, firmware 1.3.41.32 > scsibus2 at mpi0: 16 targets, initiator 7 > sd0 at scsibus2 targ 0 lun 0: SCSI2 0/direct > fixed > sd0: 10240MB, 512 bytes/sector, 20971520 sectors > mpi0: target 0 Sync at 160MHz width 16bit offset 127 QAS 1 DT 1 IU 1 > ppb1 at pci0 dev 17 function 0 "VMware PCI" rev 0x02 > pci2 at ppb1 bus 2 > em0 at pci2 dev 0 function 0 "Intel 82545EM" rev 0x01: apic 1 int 18, > address 00:50:56:b8:fd:45 > em1 at pci2 dev 2 function 0 "Intel 82545EM" rev 0x01: apic 1 int 16, > address 00:50:56:b8:f4:6a > em2 at pci2 dev 3 function 0 "Intel 82545EM" rev 0x01: apic 1 int 17, > address 00:50:56:b8:9f:11 > em3 at pci2 dev 4 function 0 "Intel 82545EM" rev 0x01: apic 1 int 18, > address 00:50:56:b8:d7:85 > ppb2 at pci0 dev 21 function 0 "VMware PCIE" rev 0x01 > pci3 at ppb2 bus 3 > ppb3 at pci0 dev 21 function 1 "VMware PCIE" rev 0x01 > pci4 at ppb3 bus 4 > ppb4 at pci0 dev 21 function 2 "VMware PCIE" rev 0x01 > pci5 at ppb4 bus 5 > ppb5 at pci0 dev 21 function 3 "VMware PCIE" rev 0x01 > pci6 at ppb5 bus 6 > ppb6 at pci0 dev 21 function 4 "VMware PCIE" rev 0x01 > pci7 at ppb6 bus 7 > ppb7 at pci0 dev 21 function 5 "VMware PCIE" rev 0x01 > pci8 at ppb7 bus 8 > ppb8 at pci0 dev 21 function 6 "VMware PCIE" rev 0x01 > pci9 at ppb8 bus 9 > ppb9 at pci0 dev 21 function 7 "VMware PCIE" rev 0x01 > pci10 at ppb9 bus 10 > ppb10 at pci0 dev 22 function
Re: Bitmask for 224.0.0.0 in Martians PF table entry
On 10/01/18 20:55, Aham Brahmasmi wrote: > Hi, > > What is the correct bitmask for the 224.0.0.0 Martian table entry in > pf.conf? > > There are two bitmasks in two links on this page - > http://www.team-cymru.org/bogon-reference-http.html. /3 in the The Text > Bogon List, Aggregated and /4 in IPv4 Fullbogons. /3 is also present in > https://www.openbsd.org/faq/pf/example1.html. > > I think it should be /3, but I am still learning pf. > > Thanks. > > Regards, > ab > See here: https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml 224/4 is the multicast allocation (224-239) 240/4 is for future use (240-255) 224/3 is both of the above if you don't use multicast then 224/3 should be ok, otherwise 240/4 G ps. for multicast specific see https://www.iana.org/assignments/multicast-addresses/multicast-addresses.xhtml