Inquiry the status of lmbench

2018-09-05 Thread Nan Xiao
Hi misc@,

Greeting from me!

I want to use lmbench on OpenBSD, but installing it reports the following error:

# pkg_add lmbench
quirks-3.7 signed on 2018-09-04T22:05:13Z
Can't find lmbench
Obsolete package: lmbench (outdated and/or no longer required by other ports)

I want to know why OpenBSD doesn't provide lmbench anymore. Is it because
it is not applicable to the current OS and computer architecture, or for
other reasons? If lmbench is obsolete, what benchmark tools should be
recommended on OpenBSD? Thanks very much in advance!

Best Regards
Nan Xiao



Re: DRM without X

2018-09-05 Thread Chris Cappuccio
tfrohw...@fastmail.com [tfrohw...@fastmail.com] wrote:
> 
> 
> On September 4, 2018 2:11:11 PM UTC, Maurice McCarthy  
> wrote:
> >On 03/09/2018, Thomas de Grivel  wrote:
> >
> >> Is there any way to use the DRM drivers without X11 ?
> >
> >Probably not. The X sets in base are an integral part of the whole
> >operating system. You install them whether or not you use X.
> 
> Well, there are other display servers like Wayland, or projects like Arcan 
> (https://github.com/letoram/arcan). Haven't heard of any of them running 
> outside X11 on OpenBSD though.

Your mention of Arcan led me to this article: 
https://arcan-fe.com/2018/04/25/towards-secure-system-graphics-arcan-and-openbsd/

which suggests Arcan can run on OpenBSD, with DRM, without X11.

:)

Chris



Re: Equipment for OBSD based firewall

2018-09-05 Thread Nick Holland
On 09/04/18 00:57, Joel Wirāmu Pauling wrote:
> But - The thing that isn't mentioned here is basically Power Cost and
> Consumption vs PPS(Packet Processing Speed).
> 
> IMNSHO running on anything that doesn't ;
> 
> A) Have passive Cooling
> B) Is older than a couple of years (in intel/amd terms anything with a
> TDPW above 65W)
> 
>  - is probably not a great idea. Mainly because the on-going cost of
> supplying power to old junkers isn't worth what you can do with a
> 'newish' junker.
> 
> If you have free electricity, feel free to do what you like I guess.

TDP is the MAXIMUM power draw.  MAXIMUM (and of only the CPU)
Your OpenBSD firewall isn't going to be running at the maximum power
consumption on a P4 or newer processor very often or very long.  For
home use, you really care about idle power draw and the ability of the
HW to do the job.

Every era has its "The Answer Is" system, this year, it's PCengines and
ARM/Octeon.  Before, it was Soekris.  People get stupid with that stuff.

What's "greener", keeping something out of a landfill that draws 40w or
something brand new that draws 15W?  How many years do you have to run
the 15W system to pay for the cost of it?  How much is your time spent
fighting with its quirks worth?  Will it pay off before your ISP ups
your downlink speed to the point where your barely-does-the-job HW is
now "can't do the job"?

Some old P3/P4 systems have very modest power consumptions when idle.
Get yourself a wattmeter, and see what you have.  After install, remove
power from the CD/DVD, maybe some of the case fans, and maybe consider a
USB flash drive to boot.  Slow the clock speed, remove some RAM.  Pull
out the sound card/modem/whatever.

And when things break, unless you just HAPPEN to have a serial terminal
infrastructure laying around, an ol' keyboard and monitor used to debug
your system will beat the heck out of finding a USB to Serial adapter
and a null modem cable when you need it.

Heck, I have a serial infrastructure in my life, and I'm really
wondering if my serial-only firewall is worth the pain.  I recently
moved from a USB drive to a real hard disk because while it draws more
power, it boots and works a LOT faster (kernel and library randomization
is horrible on USB flash drives).

I get the "I hate Intel" thing, but unfortunately, most of the non-Intel
systems show why Intel (and AMD) own the serious computer market.

Nick.



Re: NodeJS apps on Httpd?

2018-09-05 Thread Bogdan Kulbida
Hi Mike,

Why don’t you run a “usual” nodejs server (probably multiple processes) and
proxy requests into it via httpd?

Question: Any objections or security concerns?

-Bogdan

On Wed, Sep 5, 2018 at 13:01 Chris Cappuccio  wrote:

> Michael Joy [mich...@michaeljoy.eu] wrote:
> > Does anyone have any experience of getting node apps running through
> httpd?
> > Any opinions, instructions or warnings are welcome.
>
> I think generally node apps will be run behind relayd, not httpd.
>
> --
---
Best regards,
Bogdan Kulbida
Founder and CEO, Konstankino LLC 
+1.802.793.8295


Re: PF rule - am I being stupid ?

2018-09-05 Thread Bob Smith


> I think it is caused by the packets blocked having the RST flag set -- a
> consequence of specifying "flags S/SA" in rule @39. Check out man
> pf.conf. Look for section about "flags a/b | any" (line 317 here).

The S/SA wasn't set explicitly by me, it's the default.

Out of interest, would this possibly be a PF behaviour change somewhere between 
6.1 and 6.3 ? I'm trying to troubleshoot a VoIP phone that has stopped 
functioning, and the only change has been an upgrade to 6.3.



Re: PF rule - am I being stupid ?

2018-09-05 Thread Erling Westenvik
On Wed, Sep 05, 2018 at 05:14:14PM +, Bob Smith wrote:
> I'm banging my head against a brick wall here trying to figure out why PF (on 
> OpenBSD 6.3) is allowing some packets but blocking others ?
> Here's the tcpdump:
> Sep 05 18:07:45.084191 rule 39/(match) pass in on vlan108: 192.0.2.150.49156 
> > 198.51.100.158.20001: udp 47
> Sep 05 18:07:45.084220 rule 39/(match) pass out on em2: 192.0.2.150.49156 > 
> 198.51.100.158.20001: udp 47
> Sep 05 18:08:01.136633 rule 39/(match) pass in on vlan108: 192.0.2.150.49157 
> > 198.51.100.158.69: 47 RRQ "MainIp5340e.bin"
> Sep 05 18:08:01.136661 rule 39/(match) pass out on em2: 192.0.2.150.49157 > 
> 198.51.100.158.69: 47 RRQ "MainIp5340e.bin"
> Sep 05 18:08:25.607885 rule 11/(match) block in on vlan108: 192.0.2.150.6998 
> > 198.51.100.158.6801: R 16764161:16764161(0) ack 209207857 win 4224 [tos 
> 0x60]
> Sep 05 18:08:27.919688 rule 11/(match) block in on vlan108: 192.0.2.150.6978 
> > 198.51.100.158.6802: R 17473283:17473283(0) ack 3296254713 win 4224 [tos 
> 0x60]
> Sep 05 18:08:32.594889 rule 11/(match) block in on vlan108: 192.0.2.150.6930 
> > 198.51.100.158.6800: R 18671363:18671363(0) ack 3527351279 win 4224 [tos 
> 0x60]
> 
> Here are the rules concerned:
> @11 block drop log all
> @39 pass log quick inet from 192.0.2.150 to 198.51.100.158 flags S/SA

I think it is caused by the packets blocked having the RST flag set -- a
consequence of specifying "flags S/SA" in rule @39. Check out man
pf.conf. Look for section about "flags a/b | any" (line 317 here). 
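
Added example, not part of the original thread: a small Python model of how pf applies "flags S/SA", replayed over log lines from the original post. The rule dictionaries, function names and the simplified parser are hypothetical; only the two rules and the log lines come from the thread.

```python
import re

# pf.conf flag letters and their TCP header bits.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}

# The two rules quoted in the thread, written as hypothetical dictionaries.
RULES = [
    {"nr": 11, "action": "block", "quick": False,
     "src": None, "dst": None, "flags": None},
    {"nr": 39, "action": "pass", "quick": True,
     "src": "192.0.2.150", "dst": "198.51.100.158", "flags": "S/SA"},
]

# Log lines from the original post, with the mail line wrapping undone.
LOG = """\
Sep 05 18:07:45.084191 rule 39/(match) pass in on vlan108: 192.0.2.150.49156 > 198.51.100.158.20001: udp 47
Sep 05 18:08:01.136633 rule 39/(match) pass in on vlan108: 192.0.2.150.49157 > 198.51.100.158.69: 47 RRQ "MainIp5340e.bin"
Sep 05 18:08:25.607885 rule 11/(match) block in on vlan108: 192.0.2.150.6998 > 198.51.100.158.6801: R 16764161:16764161(0) ack 209207857 win 4224 [tos 0x60]
Sep 05 18:08:27.919688 rule 11/(match) block in on vlan108: 192.0.2.150.6978 > 198.51.100.158.6802: R 17473283:17473283(0) ack 3296254713 win 4224 [tos 0x60]
Sep 05 18:08:32.594889 rule 11/(match) block in on vlan108: 192.0.2.150.6930 > 198.51.100.158.6800: R 18671363:18671363(0) ack 3527351279 win 4224 [tos 0x60]
"""

LINE_RE = re.compile(
    r"rule (\d+)/\(match\) (pass|block) (?:in|out) on \S+: "
    r"(\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+: (.*)")


def bits(letters):
    """Turn a string of pf flag letters into a TCP flag bitmask."""
    value = 0
    for ch in letters:
        value |= FLAG_BITS[ch]
    return value


def flags_match(spec, pkt_flags):
    """pf 'flags a/b': of the flags listed in b, exactly those in a are set."""
    if spec == "any":
        return True
    want, _, mask = spec.partition("/")
    return (pkt_flags & bits(mask)) == bits(want)


def parse_line(line):
    """Parse one pflog tcpdump line into a packet dictionary (simplified)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    nr, action, src, dst, rest = m.groups()
    pkt = {"logged_rule": int(nr), "logged_action": action,
           "src": src, "dst": dst, "proto": "udp", "flags": 0}
    # tcpdump prints TCP flags as a leading token such as "S", "R" or ".".
    tcp = re.match(r"([SFRPUEW.]+) ", rest)
    if tcp:
        pkt["proto"] = "tcp"
        pkt["flags"] = bits(tcp.group(1).replace(".", ""))
        if " ack " in rest:
            pkt["flags"] |= FLAG_BITS["A"]
    return pkt


def evaluate(pkt, rules=RULES):
    """Last matching rule wins unless a rule is 'quick'.

    Packets that match an existing state entry never reach the ruleset;
    this models only packets that are evaluated against the rules.
    """
    verdict = (None, "pass")  # pf passes by default when nothing matches
    for r in rules:
        if r["src"] and r["src"] != pkt["src"]:
            continue
        if r["dst"] and r["dst"] != pkt["dst"]:
            continue
        # The flags criterion only constrains TCP packets.
        if (pkt["proto"] == "tcp" and r["flags"]
                and not flags_match(r["flags"], pkt["flags"])):
            continue
        verdict = (r["nr"], r["action"])
        if r["quick"]:
            break
    return verdict


def replay(log):
    """Return (logged rule, simulated rule, simulated action) per log line."""
    out = []
    for line in log.splitlines():
        pkt = parse_line(line)
        if pkt:
            nr, action = evaluate(pkt)
            out.append((pkt["logged_rule"], nr, action))
    return out


if __name__ == "__main__":
    for logged, simulated, action in replay(LOG):
        print(f"logged rule {logged}, model says rule {simulated} ({action})")
```

The UDP and TFTP packets match rule 39 because the flags criterion does not apply to them, while the RST+ACK segments fail "S/SA" and fall through to rule 11.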



Re: NodeJS apps on Httpd?

2018-09-05 Thread Chris Cappuccio
Michael Joy [mich...@michaeljoy.eu] wrote:
> Does anyone have any experience of getting node apps running through httpd?
> Any opinions, instructions or warnings are welcome.

I think generally node apps will be run behind relayd, not httpd.



PPPoE without IPv6

2018-09-05 Thread Mario Theodoridis

Hi everyone,

i'm having a bit of a hard time trying to connect to my ISP (Stiegeler 
IT) seemingly because i don't have IPv6 enabled.


My /etc/hostname.pppoe0

inet 0.0.0.0 255.255.255.255 NONE \
pppoedev em0 authproto chap debug \
authname 'user' authkey 'pass' up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1


My /etc/hostname.em0

up


The failing end of tcpdump on a linux box in between me and the AC reveals
# tcpdump -n -vvv -i br0 ether proto 0x8864 or ether proto 0x8863
...
22:58:54.805821 PPPoE  [ses 0xf0f] CHAP, Success (0x03), id 1, Msg
22:58:54.806382 PPPoE  [ses 0xf0f] IPCP, Conf-Request (0x01), id 1, 
length 12

encoded length 10 (=Option(s) length 6)
0x:  8021 0101 000a
  IP-Addr Option (0x03), length 6: 1.1.1.1
0x:  0101 0101
22:58:54.806390 PPPoE  [ses 0xf0f] IP6CP, Conf-Request (0x01), id 1, 
length 16

encoded length 14 (=Option(s) length 10)
0x:  8057 0101 000e
  Interface-ID Option (0x01), length 10: 76a0:2fff:fe7b:9780
0x:  76a0 2fff fe7b 9780
22:58:54.813051 PPPoE  [ses 0xf0f] LCP, Term-Request (0x05), id 117, 
length 6

22:58:54.814333 PPPoE  [ses 0xf0f] LCP, Term-Ack (0x06), id 117, length 6
22:58:54.837301 PPPoE PADT [ses 0xf0f]

/var/log/messages has

Sep  5 18:15:21 obsd /bsd: pppoe0: chap success
Sep  5 18:15:21 obsd /bsd: pppoe0: phase network
Sep  5 18:15:21 obsd /bsd: pppoe0: ipcp open(starting)
Sep  5 18:15:21 obsd /bsd: pppoe0: ipv6cp_open(): no IPv6 interface
Sep  5 18:15:21 obsd /bsd: pppoe0: lcp close(opened)
Sep  5 18:15:21 obsd /bsd: pppoe0: lcp opened->closing
Sep  5 18:15:21 obsd /bsd: pppoe0: lcp output 
Sep  5 18:15:21 obsd /bsd: pppoe0 (8864) state=3, session=0xf0f output 
-> 74:a0:2f:7b:97:80, len=12



At the same time my Fritz Box, which i'd like to get rid of, answers with "no 
thank you" instead.


16:24:30.496227 PPPoE  [ses 0xff8e] LCP, Prot-Reject (0x08), id 3, length 22
encoded length 20 (=Option(s) length 16)
0x:  c021 0803 0014
  Rejected IP6CP Protocol (0x8057)
  Rejected Packet
0x:  0101 000e 010a 76a0 2fff fe7b 9780 
0x0010:  

The man 4 pppoe mentions what to do when ipv6 is there, but doesn't 
really elaborate on the effects of its absence. The reason i still have 
IPv6 disabled is, i simply haven't wrapped my head around it and 
therefore left it off.


Need i enable it, or does some other setting suffice?
Clue sticks would be appreciated.

This is
# uname -a
OpenBSD obsd.schmut.com 6.2 GENERIC.MP#2 amd64

running on PC-Engines APU2

Let me know what else to report if this was too little to make sense.



--
Best regards

Mario



Re: Lesser evil

2018-09-05 Thread Raul Miller
On Wed, Sep 5, 2018 at 1:05 PM Kevin Chadwick  wrote:
> *yawn* This is nonsense!

You don't like generally useful procedures which happen to be useful
for dealing with statistically unlikely events?

-- 
Raul



Re: Equipment for OBSD based firewall

2018-09-05 Thread Bob Smith
I am a big fan of Deciso (https://www.deciso.com/product-catalog/)

Yes, it comes out of the box with "another BSD" preloaded, but you can easily 
take care of that in a few minutes courtesy of a USB console and a USB key with 
Mr de Raadt's opus magnum on it. ;-)




‐‐‐ Original Message ‐‐‐
On September 4, 2018 12:17 AM, Bogdan Kulbida  wrote:

> Ladies and gentlemen,
>
> I need to build a pf OBSD firewall for a small office. What minimally
> feasible equipment would you recommend in order to achieve this goal?
>
> Thank you!
>
> ---
>
> Best regards,
> Bogdan Kulbida
> Founder and CEO, Konstankino LLC http://konstankino.com
> +1.802.793.8295




PF rule - am I being stupid ?

2018-09-05 Thread Bob Smith
Hi,

I'm banging my head against a brick wall here trying to figure out why PF (on 
OpenBSD 6.3) is allowing some packets but blocking others ?

Here's the tcpdump:
Sep 05 18:07:45.084191 rule 39/(match) pass in on vlan108: 192.0.2.150.49156 > 
198.51.100.158.20001: udp 47
Sep 05 18:07:45.084220 rule 39/(match) pass out on em2: 192.0.2.150.49156 > 
198.51.100.158.20001: udp 47
Sep 05 18:08:01.136633 rule 39/(match) pass in on vlan108: 192.0.2.150.49157 > 
198.51.100.158.69: 47 RRQ "MainIp5340e.bin"
Sep 05 18:08:01.136661 rule 39/(match) pass out on em2: 192.0.2.150.49157 > 
198.51.100.158.69: 47 RRQ "MainIp5340e.bin"
Sep 05 18:08:25.607885 rule 11/(match) block in on vlan108: 192.0.2.150.6998 > 
198.51.100.158.6801: R 16764161:16764161(0) ack 209207857 win 4224 [tos 0x60]
Sep 05 18:08:27.919688 rule 11/(match) block in on vlan108: 192.0.2.150.6978 > 
198.51.100.158.6802: R 17473283:17473283(0) ack 3296254713 win 4224 [tos 0x60]
Sep 05 18:08:32.594889 rule 11/(match) block in on vlan108: 192.0.2.150.6930 > 
198.51.100.158.6800: R 18671363:18671363(0) ack 3527351279 win 4224 [tos 0x60]

Here are the rules concerned:
@11 block drop log all
@39 pass log quick inet from 192.0.2.150 to 198.51.100.158 flags S/SA



NodeJS apps on Httpd?

2018-09-05 Thread Michael Joy
Does anyone have any experience of getting node apps running through httpd?
Any opinions, instructions or warnings are welcome.


Re: Lesser evil

2018-09-05 Thread Kevin Chadwick
On Wed, 5 Sep 2018 11:11:06 -0400


> So: back to the disk-wipe malware (and most other malware). Good
> backups limit the impact of that. And, you need a diversity of backup
> mechanisms to defend against the backups getting hit by malware.

*yawn* This is nonsense!



Re: Lesser evil

2018-09-05 Thread Raul Miller
On Wednesday, September 5, 2018, Kevin Chadwick  wrote:
> I meant that an OpenBSD user using Windows should not get a virus or
> could handle them if downloading illegal software. I am yet to see a
> truly clever system entry in the press. They always rely on user
> idiocy or poor setup. Whether Viri with these properties are the only
> ones caught is another question.
>
> Additionally I don't see the "think disk". If the partition is
> intact then surely it is not difficult to fix and with some boot
> loaders like GAG would likely be unaffected. It used to be the case
> that the windows bootloader was needed for hibernate support but I
> haven't seen that for a while. It is certainly true that the
> bootloader/bios itself could be targeted. If something breaks
> then at least you know.

You are overlooking some important issues:

One has to do with the nature of the press — its primary audience has
little to no technical background, and reporters have little training
on machine design and implementation. They are not very capable of
describing truly clever system entry. Also, common events tend to not
be "news". [How often do you hear about any of the suffering from the
leading causes of mortality? Instead you mostly hear about the rare
events.]

Another has to do with counter measures—any effective malware
mechanism gets attention and *eventually* gets squashed. This is a
statistical issue, but there are some other implications -- hold that
thought.

Another issue has to do with the nature of bug reporting systems: as
the user population increases, they become overwhelmed. Approaches
which worked well when the user population was mostly well educated
college students don't work so well when the user population is mostly
not.

Yet another issue has to do with the nature of malware itself: it’s a
mix of taking advantage of design defects (which are never in short
supply) and social structures (which, ok, do partially adapt to the
pressures but also tend to be more than a little imperfect).

Anyways:

1) you don’t have adequate knowledge of what other people are going
through—you can’t.

2) eventually someone with adequate, relevant knowledge is going to
trip over a malware deployment.

Put differently: disk wipes are being limited by social issues more than
by technical issues. Disk wipes with broad propagation probably get
lots of people really upset. And [this year, at least] there's no
effective border control on malware vectors, so state actors aren't
going to be using such things unless they feel they're backed into a
corner where unleashing such problems seems to offer them a way
forwards. (Because their own people will get hit, also - both by the
malware itself and possibly by the reactions from other state actors.)

But that only holds for large scale malware deployments.

There's another possibility which involves being specifically
targeted. It's difficult to think what the motivations would be for
this, but that's not an actual obstacle. If this sort of thing
happens, it would rely on social structures for concealment (in other
words, its point might be to make you look stupid - so to defend
against this kind of thing you would have to be comfortable with
dealing with having people think you look stupid. For example.)  But,
hey, there's no such thing as bullies, right? On the positive side,
this sort of thing is statistically unlikely, for most people.

Anyways... generalities that are usually correct can't always be
correct. And, when debugging, you sort of have to consider a lot of
unlikely possibilities until you have the problem isolated and solved.
So you are going to see discussion here about possibilities which are
mostly irrelevant to you, but which still have some use in helping
people reason about the problems they encounter.

So: back to the disk-wipe malware (and most other malware). Good
backups limit the impact of that. And, you need a diversity of backup
mechanisms to defend against the backups getting hit by malware.

So your computer got wiped out - if you've got several of them each
running different OSes, perhaps with some other partitioning, you just
switch to a different one. (And software developers - especially
low-level software developers - tend to crash their own systems a lot
already, so in that sense it might not seem like such a big deal. If
you are a developer, malware is really just a consequence of bad
design.)

Anyways, that's enough words from me to last you way way too long...

Sorry about that.

-- 
Raul



Re: WiFi: Join + wpa_supplicant

2018-09-05 Thread Stefan Wollny
On 09/05/18 at 14:37, Stefan Sperling wrote:

Hi Stefan!

> On Wed, Sep 05, 2018 at 01:39:53PM +0200, Stefan Wollny wrote:
>> After a 'sh /etc/netstart' 'ifconfig' gives me the following:
>>
>> iwm0: flags=8943 mtu 1500
>> lladdr 80:fa:5b:14:xx:yy
>> index 1 priority 4 llprio 3
>> trunk: trunkdev trunk0
>> groups: wlan
>> media: IEEE802.11 autoselect (HT-MCS0 mode 11n)
>> status: no network
>> ieee80211: join  chan 36 bssid 84:b2:61:96:aa:bb 83%
>> wpaprotos wpa2 wpaakms 802.1x wpaciphers ccmp wpagroupcipher ccmp
>> ...
>> trunk0: flags=8843 mtu 1500
>> lladdr 80:fa:5b:14:xx:yy
>> index 7 priority 0 llprio 3
>> trunk: trunkproto failover
>> trunkport iwm0
>> trunkport re0 master
>> groups: trunk
>> media: Ethernet autoselect
>> status: no carrier
>>
>> Only after I had commented the join-line for this network I was able to
>> reattach to my mobile phone's net.
> 
> Let me guess: Your mobile phone is on a 2 GHz channel (1-13)?

BINGO!

> 
> If that is true, then the AP on channel 36 (5 GHz) with good RSSI (83%)
> will always win because this is how join was taught to make decisions:
> 
>  * Given two APs, determine the "better" one of the two.
>  * We compute a score based on the following attributes:
>  *
>  *  crypto: wpa2 > wpa1 > wep > open
>  *  band: 5 GHz > 2 GHz provided 5 GHz rssi is above threshold
>  *  rssi: rssi1 > rssi2 as a numeric comparison with a slight
>  * disadvantage for 2 GHz APs
>  *
>  * Crypto carries most weight, followed by band, followed by rssi.
> 

Another fine example of OpenBSD's philosophy of "sane defaults"!

>> Attaching to this particular net would be helpful - saves some time
>> avoiding workarounds...
> 
> You can use 'ifconfig iwm0 nwid phone' to override auto-join decisions
> and always attach to a network called 'phone'. To re-enable automatic
> network selection you can use: ifconfig iwm0 -nwid
> 
Thank you for the hint - I have tried it before but did s.th. wrong as
now it "just works".

Best,
STEFAN



growisofs unable to allocate 56 bytes

2018-09-05 Thread Allan Streib
This has been a recurring problem for at least a couple of releases. I'm
currently on 6.3 release with syspatches. Generally happens after
machine has been up for a while; if I reboot and burn the DVD right away
it usually works.

$ doas growisofs -dvd-compat -Z /dev/rcd0c=rhel-server-7.5-x86_64-dvd.iso  
:-( unable to allocate 56 bytes: Cannot allocate memory

$ ulimit -a
time(cpu-seconds)    unlimited
file(blocks)         unlimited
coredump(blocks)     unlimited
data(kbytes)         2097152
stack(kbytes)        16384
lockedmem(kbytes)    10808805
memory(kbytes)       32419944
nofiles(descriptors) 512
processes            256

$ top | grep ^Mem
Memory: Real: 5431M/7626M act/tot Free: 23G Cache: 976M Swap: 0K/8302M



Re: WiFi: Join + wpa_supplicant

2018-09-05 Thread Stefan Sperling
On Wed, Sep 05, 2018 at 01:39:53PM +0200, Stefan Wollny wrote:
> After a 'sh /etc/netstart' 'ifconfig' gives me the following:
> 
> iwm0: flags=8943 mtu 1500
> lladdr 80:fa:5b:14:xx:yy
> index 1 priority 4 llprio 3
> trunk: trunkdev trunk0
> groups: wlan
> media: IEEE802.11 autoselect (HT-MCS0 mode 11n)
> status: no network
> ieee80211: join  chan 36 bssid 84:b2:61:96:aa:bb 83%
> wpaprotos wpa2 wpaakms 802.1x wpaciphers ccmp wpagroupcipher ccmp
> ...
> trunk0: flags=8843 mtu 1500
> lladdr 80:fa:5b:14:xx:yy
> index 7 priority 0 llprio 3
> trunk: trunkproto failover
> trunkport iwm0
> trunkport re0 master
> groups: trunk
> media: Ethernet autoselect
> status: no carrier
> 
> Only after I had commented the join-line for this network I was able to
> reattach to my mobile phone's net.

Let me guess: Your mobile phone is on a 2 GHz channel (1-13)?

If that is true, then the AP on channel 36 (5 GHz) with good RSSI (83%)
will always win because this is how join was taught to make decisions:

 * Given two APs, determine the "better" one of the two.
 * We compute a score based on the following attributes:
 *
 *  crypto: wpa2 > wpa1 > wep > open
 *  band: 5 GHz > 2 GHz provided 5 GHz rssi is above threshold
 *  rssi: rssi1 > rssi2 as a numeric comparison with a slight
 * disadvantage for 2 GHz APs
 *
 * Crypto carries most weight, followed by band, followed by rssi.

> Attaching to this particular net would be helpful - saves some time
> avoiding workarounds...

You can use 'ifconfig iwm0 nwid phone' to override auto-join decisions
and always attach to a network called 'phone'. To re-enable automatic
network selection you can use: ifconfig iwm0 -nwid
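
Added example, not part of the original message and not OpenBSD's kernel code: a Python model of the selection order described above (crypto first, then band, then rssi) and of the 'nwid' override. The threshold, the 2 GHz penalty, the network names and the phone's channel, signal and crypto are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Ordering from the comment quoted above: wpa2 > wpa1 > wep > open.
CRYPTO_RANK = {"open": 0, "wep": 1, "wpa1": 2, "wpa2": 3}

# Assumed values: the thread gives neither the rssi threshold for preferring
# 5 GHz nor the size of the "slight disadvantage" for 2 GHz APs.
RSSI_5GHZ_MIN = 50
PENALTY_2GHZ = 5


@dataclass(frozen=True)
class AP:
    nwid: str
    chan: int
    rssi: int      # percent, as shown by ifconfig
    crypto: str    # one of the CRYPTO_RANK keys


def is_5ghz(chan):
    """2 GHz channels are 1-13 (14 in some regions); 36 and up are 5 GHz."""
    return chan > 14


def score(ap):
    """Tuple compared left to right: crypto, then band, then rssi."""
    five = is_5ghz(ap.chan)
    # The band preference only counts when the 5 GHz signal is usable.
    band = 1 if five and ap.rssi >= RSSI_5GHZ_MIN else 0
    rssi = ap.rssi if five else ap.rssi - PENALTY_2GHZ
    return (CRYPTO_RANK[ap.crypto], band, rssi)


def select(scan, join_list, pinned_nwid=None):
    """Pick an AP the way the thread describes.

    pinned_nwid models 'ifconfig iwm0 nwid NAME', which overrides the
    automatic decision; None models 'ifconfig iwm0 -nwid'.
    """
    if pinned_nwid is not None:
        candidates = [ap for ap in scan if ap.nwid == pinned_nwid]
    else:
        candidates = [ap for ap in scan if ap.nwid in join_list]
    return max(candidates, key=score, default=None)


# Constructed scan results. The office AP uses the channel and signal from the
# ifconfig output in the thread; its name and the phone entry are made up.
OFFICE = AP(nwid="office-8021x", chan=36, rssi=83, crypto="wpa2")
PHONE = AP(nwid="phone", chan=6, rssi=90, crypto="wpa2")
OPEN_5GHZ = AP(nwid="cafe", chan=44, rssi=95, crypto="open")
WEAK_5GHZ = AP(nwid="attic", chan=36, rssi=20, crypto="wpa2")

JOIN_LIST = {"office-8021x", "phone", "cafe", "attic"}

if __name__ == "__main__":
    print(select([OFFICE, PHONE], JOIN_LIST).nwid)            # automatic
    print(select([OFFICE, PHONE], JOIN_LIST, "phone").nwid)   # pinned
```

With equal crypto, the 5 GHz office AP beats the stronger 2 GHz phone hotspot until the phone's nwid is pinned, which matches the behaviour reported in the thread.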



Re: WiFi: Join + wpa_supplicant

2018-09-05 Thread Stefan Wollny
On 09/05/18 at 13:05, Peter Hessler wrote:
> On 2018 Sep 05 (Wed) at 12:12:05 +0200 (+0200), Stefan Wollny wrote:
> :Hi there,
> :
> :I am a little bit confused: Do I read the docs correctly assuming that
> :defining a join-list in /etc/hostname. and wpa_supplicant are
> :mutually exclusive?
> :
> :I have set up a join-list and now I need to attach to a network where I
> :can only login with credentials "user" and "user-password"...
> :
> :TIA.
> :
> :Kind regards,
> :STEFAN
> :
> 
> Hi Stefan
> 
> While they are not mutually exclusive, more work will need to be done in
> wpa_supplicant to make this a transparent exercise.  While I'm not a
> regular user of wpa_supplicant, if you restart wpa_supplicant once you
> are connected to an 802.1X network it should work.
> 
> 
Hi Peter,

thank you for your reply - unfortunately the system does not connect.

I have set up networks via trunk-interface with hostname.iwm0 having the
join-list. This "just works" (well done, btw!).

After setting up the wpa_supplicant in the rc.d-file (changed the
default ath0 to iwm0) and wpa_supplicant.conf (with the applicable
credentials) I added to hostname.iwm0 the following:
join  wpa wpaakms 802.1x

After a 'sh /etc/netstart' 'ifconfig' gives me the following:

iwm0: flags=8943 mtu 1500
lladdr 80:fa:5b:14:xx:yy
index 1 priority 4 llprio 3
trunk: trunkdev trunk0
groups: wlan
media: IEEE802.11 autoselect (HT-MCS0 mode 11n)
status: no network
ieee80211: join  chan 36 bssid 84:b2:61:96:aa:bb 83%
wpaprotos wpa2 wpaakms 802.1x wpaciphers ccmp wpagroupcipher ccmp
...
trunk0: flags=8843 mtu 1500
lladdr 80:fa:5b:14:xx:yy
index 7 priority 0 llprio 3
trunk: trunkproto failover
trunkport iwm0
trunkport re0 master
groups: trunk
media: Ethernet autoselect
status: no carrier

Only after I had commented the join-line for this network I was able to
reattach to my mobile phone's net.

Attaching to this particular net would be helpful - saves some time
avoiding workarounds...

Adding a dmesg to avoid questions.

Thanks in advance!

Kind regards,
STEFAN




Re: WiFi: Join + wpa_supplicant

2018-09-05 Thread Peter Hessler
On 2018 Sep 05 (Wed) at 12:12:05 +0200 (+0200), Stefan Wollny wrote:
:Hi there,
:
:I am a little bit confused: Do I read the docs correctly assuming that
:defining a join-list in /etc/hostname. and wpa_supplicant are
:mutually exclusive?
:
:I have set up a join-list and now I need to attach to a network where I
:can only login with credentials "user" and "user-password"...
:
:TIA.
:
:Kind regards,
:STEFAN
:

Hi Stefan

While they are not mutually exclusive, more work will need to be done in
wpa_supplicant to make this a transparent exercise.  While I'm not a
regular user of wpa_supplicant, if you restart wpa_supplicant once you
are connected to an 802.1X network it should work.


-- 
Brain fried -- Core dumped



WiFi: Join + wpa_supplicant

2018-09-05 Thread Stefan Wollny
Hi there,

I am a little bit confused: Do I read the docs correctly assuming that
defining a join-list in /etc/hostname. and wpa_supplicant are
mutually exclusive?

I have set up a join-list and now I need to attach to a network where I
can only login with credentials "user" and "user-password"...

TIA.

Kind regards,
STEFAN



Re: Lesser evil

2018-09-05 Thread Kevin Chadwick
On Wed, 5 Sep 2018 11:09:01 +0100


> If the partition is
> intact then surely it is not difficult to fix and with some boot
> loaders like GAG would likely be unaffected. 

I should probably say that GAG won't work with UEFI. UEFI sucks in so
many ways and yet could have been great.



Re: Lesser evil

2018-09-05 Thread Kevin Chadwick
On Tue, 4 Sep 2018 17:00:07 -0400


> >> I would not try to dual boot Windows and OpenBSD.  There are too
> >> many disgusting viri out that smash parts of partitions.   OpenBSD
> >> or anything else on the disk is a sitting duck once not active.
> >> Don't do it.  The AV situation on Windows is out of control--a
> >> conservative estimate is that there are 4M pieces of malware out
> >> for Windows.  
> > Personally I feel this is a red herring. If you are finding viri on
> > your system then OpenBSD helps but could be hacked too. Viri are
> > unlikely with a security conscious OpenBSD user. You are doing
> > something wrong or need to silo your actions.
> >
> >  
> Um, maybe I'm not writing well.  I'm talking about a dual-boot Windows
> OpenBSD system, which gets a Windows virus, which wipes out the
> disk.  Effectively asleep, OpenBSD gets creamed.   That's what I mean
> about dual-booting being a risk.

Sorry, I was being terribly unclear.

I meant that an OpenBSD user using Windows should not get a virus or
could handle them if downloading illegal software. I am yet to see a
truly clever system entry in the press. They always rely on user
idiocy or poor setup. Whether Viri with these properties are the only
ones caught is another question.

Additionally I don't see the "think disk". If the partition is
intact then surely it is not difficult to fix and with some boot
loaders like GAG would likely be unaffected. It used to be the case
that the windows bootloader was needed for hibernate support but I
haven't seen that for a while. It is certainly true that the
bootloader/bios itself could be targeted. If something breaks
then at least you know.

The OpenBSD partition can be edited (not very safely) from Windows
and Linux but Viri are unlikely to do this unless an active attacker is
after you in which case you best be careful with OpenBSD too and
hacking not viri will be the worry with Windows also.