Re: How to set ThinkPad battery charge thresholds?

2021-03-11 Thread Jonathan Thornburg
In message ,
Jan Stary asks for research/references supporting the claim that a
lithium-ion battery will last longer if it's not fully charged or
discharged.

None of these qualify as original research, but some sources for this
guideline include

https://www.wired.com/story/smartphone-battery-care-last-longer/

https://www.apple.com/batteries/maximizing-performance/

Table 4 and Figure 6 in
https://batteryuniversity.com/learn/article/how_to_prolong_lithium_based_batteries

The last of these is the most technical, and does cite some original
research.



Re: Intel wifi ipw showing up but not working

2021-03-11 Thread Riccardo Mottola

Hi Stefan,

sorry for the delayed response, but my day job took over, and for that I 
unfortunately cannot use an old OpenBSD laptop with no wireless :) Also 
I had to use another system to conveniently do the tests you asked for.


Stefan Sperling wrote:


With WEP, if the key is wrong, the interface will appear connected
but it will be unable to communicate. There is no setup phase in WEP.
You either encrypt and decrypt packets with the correct key, or you
don't.

With WPA, the link should not reach 'active' state unless you are using
the correct passphrase. This is because the AP and client will try to
negotiate a per-client session key, and if this key cannot be obtained,
the link will stay down. The interface flags will show UP, however.


Thank you for this confirmation. Right now in my studio I have this setup:

- Router which runs DHCP and offers WiFi-WPA + wired connectivity
- Second wireless router which offers WiFi WEP, with DHCP deactivated

So, I have 3 networks, but they all get their address from the same DHCP 
server, which should help "debugging".


The wired network works perfectly, and I just connected remotely so I can 
easily type this email while tinkering. That restricts the issue to the 
network part, not a fundamental incompatibility between OpenBSD and that 
DHCP server (a theory that was also refuted by being able to connect with 
a Cardbus WiFi card).




OK, thanks for confirming.


The script proves that the network settings, if applied, are correct and do
work, and that I do not "mistype"!


Yes, since the WPA link is 'active' the key should be correct.


Perfect, let's concentrate on WPA, since having one device less in the 
chain also makes it easier to debug. I hope the older onboard card has 
no issues with WPA?



The next step is getting a DHCP lease.
If DHCP does not manage to obtain a lease, something is wrong.
Perhaps this driver was broken somehow for multicast encryption or decryption.


OK. Let me follow your steps. I ran the commands in the script, except 
for removing the default routes, to keep my wired connection alive.




What does this command print before, and after, an attempt to connect?

   netstat -W ipw0



Before:
tecra$ netstat -W ipw0
ieee80211 on ipw0:
0 input packets with bad version
0 input packets too short
0 input packets from wrong bssid
0 input packet duplicates discarded
0 input packets with wrong direction
0 input multicast echo packets discarded
0 input packets from unassociated station discarded
0 input encrypted packets without wep/wpa config discarded
0 input unencrypted packets with wep/wpa config discarded
0 input wep/wpa packets processing failed
0 input packet decapsulations failed
0 input management packets discarded
0 input control packets discarded
0 input packets with truncated rate set
0 input packets with missing elements
0 input packets with elements too big
0 input packets with elements too small
0 input packets with invalid channel
0 input packets with mismatched channel
0 node allocations failed
0 input packets with mismatched ssid
0 input packets with unsupported auth algorithm
0 input authentications failed
0 input associations from wrong bssid
0 input associations without authentication
0 input associations with mismatched capabilities
0 input associations without matching rates
0 input associations with bad rsn ie
0 input deauthentication packets
0 input disassociation packets
0 input packets with unknown subtype
0 input packets failed for lack of mbufs
0 input decryptions failed on crc
0 input ahdemo management packets discarded
0 input packets with bad auth request
0 input eapol-key packets
0 input eapol-key packets with bad mic
0 input eapol-key packets replayed
0 input packets with bad tkip mic
0 input tkip mic failure notifications
0 input packets on unauthenticated port
0 output packets failed for lack of mbufs
0 output packets failed for no nodes
0 output packets of unknown management type
0 output packets on unauthenticated port
0 active scans started
0 passive scans started
0 nodes timed out
0 failures with no memory for crypto ctx
0 ccmp decryption errors
0 ccmp replayed frames
0 cmac icv errors
0 cmac replayed frames
0 tkip icv errors
0 tkip replays
0 pbac errors
0 HT negotiation failures because peer does not support MCS 0-7
0 HT negotiation failures because we do not support basic MCS set
0 HT negotiation failures because peer uses bad crypto
0 HT protection changes
0 new input block ack agreements
0 new output block ack agreements
0 input frames 

Re: pf firewall packet size

2021-03-11 Thread Kevin Chadwick
>
>
> That leaves just the small ACK packets. I wonder what the solution is for
> small packets in OpenBSD


Check out set prio in pf.conf... TCP ACKs with no data payload


pf firewall packet size

2021-03-11 Thread da...@hajes.org

Hi guys,

I am trying to find a way to port my Linux netfilter rules to OpenBSD pf.

I want to prioritize the small packets of a new connection: SYN, SYN/ACK, ACK.

In Linux I simply match a packet size of 0-128 bytes, which covers the usual 
3-way handshake. This simple rule makes everything faster.


There seems to be no "packet size" capability in OpenBSD.

Something similar used for small packets under OpenBSD:

match out on egress set prio (5, 6)


The next thing that may work is playing with packet flags.

SYN is the start of a new connection, so "pass out flags S/" and SYN-ACK 
with flags SA/ should do the trick, no?


That leaves just the small ACK packets. I wonder what the solution is for 
small packets in OpenBSD.



thanks


Hajes



Re: pf firewall packet size

2021-03-11 Thread Daniel Melameth
On Thu, Mar 11, 2021 at 12:33 PM da...@hajes.org  wrote:
> I am trying to find a way to port my Linux netfilter rules to OpenBSD pf.
>
> I want to prioritize the small packets of a new connection: SYN, SYN/ACK, ACK.
>
> In Linux I simply match a packet size of 0-128 bytes, which covers the usual
> 3-way handshake. This simple rule makes everything faster.
>
> There seems to be no "packet size" capability in OpenBSD.
>
> Something similar used for small packets under OpenBSD:
>
> match out on egress set prio (5, 6)
>
>
> The next thing that may work is playing with packet flags.
>
> SYN is the start of a new connection, so "pass out flags S/" and SYN-ACK
> with flags SA/ should do the trick, no?
>
> That leaves just the small ACK packets. I wonder what the solution is for
> small packets in OpenBSD.

I believe quantum is what you are looking for--see the QUEUEING
section in pf.conf(5).
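Kevin's "set prio (5, 6)" and Daniel's "quantum" suggestions put together in one pf.conf, as an added example that was not posted in this thread. It assumes the upstream interface is em0 and an uplink of about 20 Mbit/s; both are made up for illustration, as are the queue names and sizes. "set prio" needs no queue definitions at all (it uses the interface's priority output queue); the queue block is only there to show where quantum fits.

```pf
# Added example, not from the thread.  Interface and bandwidth are assumed.
ext_if = "em0"

# pf has no packet-size match, and one would not help: the ruleset is only
# evaluated for the packet that creates a state, every later packet of the
# connection is handled from the state entry.  What pf does offer are the
# two-value forms of "set prio" and "set queue", applied per packet from
# the state.

# Bandwidth queues on the uplink, sized slightly below the real link so
# that pf, not the modem, decides what leaves first.  "flows" selects the
# fq-codel discipline for the ack queue; a small "quantum" (bytes a flow may
# send per scheduler round) lets short packets through ahead of full-size
# ones, which is the effect the Linux size match was giving.
queue rootq on $ext_if bandwidth 20M max 20M
queue  bulk parent rootq bandwidth 16M default
queue  ack  parent rootq bandwidth 4M min 2M flows 256 quantum 300

# (5, 6): data packets leave with prio 5; TCP ACKs carrying no payload and
# packets with TOS lowdelay leave with prio 6, from the same state.
# (bulk, ack): the same split for the bandwidth queues above.  A
# single-value "set prio 5" would not separate the ACKs.
match out on $ext_if proto tcp set prio (5, 6) set queue (bulk, ack)

block log all
# Handshake packets are identified by flags, not size.  "S/SA" means SYN
# set and ACK clear out of the SYN+ACK pair, i.e. a new connection; the
# flags syntax needs a mask after the slash, so write S/SA rather than S/.
pass out on $ext_if proto tcp flags S/SA modulate state
pass out on $ext_if proto { udp icmp }
# (LAN-side and inbound rules omitted.)
```

Load it with pfctl -nf /etc/pf.conf first to syntax-check, then pfctl -f; pfctl -s queue shows the per-queue packet counts, which is the quickest way to confirm that ACK-only packets really land in the second queue.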



Re: Intel wifi ipw showing up but not working

2021-03-11 Thread Stefan Sperling
On Thu, Mar 11, 2021 at 08:05:53PM +0100, Riccardo Mottola wrote:
> Hi Stefan,
> 
> sorry for the delayed response, but dayjob took over and for that I
> unfortunately cannot use an old OpenBSD laptop with no wireless :) Also I
> had to use another system to conveniently do the tests you asked me.

No worries! I am not in a rush :)

> tecra$ netstat -W ipw0
> ieee80211 on ipw0:

> 10 input management packets discarded

This one looks bad. I think it means the net80211 stack ends up ignoring
the AP's assoc response frame. I believe your situation is that the
firmware is in associated state, the driver itself sets media status to
'active' in response to the firmware signalling successful association,
but the net80211 stack has not participated in the association sequence so
no WPA handshake can happen. The incoming data packets indicate that the
AP is trying to initiate the WPA handshake but net80211 doesn't expect
such packets and doesn't respond.

The way the association sequence works in this driver is pretty weird...

Can you try this patch? Does it change anything?

diff dfcb0a350e790649cafe6bd5f9f4cf2319ce75fd /usr/src
blob - 20a9b617e6d7ae0e179370512376ce8142c96986
file + sys/dev/pci/if_ipw.c
--- sys/dev/pci/if_ipw.c
+++ sys/dev/pci/if_ipw.c
@@ -1781,6 +1781,12 @@ ipw_auth_and_assoc(void *arg1)
if (error != 0)
goto fail;
 
+   /*
+* net80211 won't see the AP's AUTH response. Move to ASSOC state
+* in order to make net80211 accept the AP's assoc response.
+*/
+   ic->ic_newstate(ic, IEEE80211_S_ASSOC, -1);
+
return;
 fail:
printf("%s: association failed (error=%d)\n", sc->sc_dev.dv_xname,
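Review bot: the forced transition `ic->ic_newstate(ic, IEEE80211_S_ASSOC, -1);` sits on the success path of ipw_auth_and_assoc() right before `return;`, i.e. at the moment the command has been handed to the firmware, not when the firmware has actually authenticated, and its return value is discarded even though a `fail:` label is directly below. If the firmware later rejects the authentication, net80211 is left in ASSOC with nothing in this hunk to move it back; consider checking the return value and routing a failure to `fail:`, and extending the comment to say how the state is unwound when association fails.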





Re: pf firewall bridge0 vether0 blocks DHCP for bridge interfaces connected to Windows

2021-03-11 Thread Stuart Henderson
On 2021-03-11, da...@hajes.org  wrote:
> Thanks for info Claudio.
>
> Unfortunately, I have read only "Networking FAQ" 
> https://www.openbsd.org/faq/faq6.html and there is no info about it.
>
> It would be great to update this page for dummies, because very few people
> read reference manuals line by line ;-) Most follow guides. I personally
> write everything on my website as if for children.

If you're not prepared to read manpages then OpenBSD is the wrong OS for you.

> My logic behind filtering was simple...bridge/vether handles all and 
> physical interfaces are in promiscuous mode. I have filtering for 
> vether0 but didn't imagine DHCP is still at physical interface level.
>
> pf.conf updated:
>
> set skip on em1-3

This logic does not match how PF+bridge(4) works.

> The only thing that still puzzles me is where to filter... bridge0 or vether0.
> 
> If I understand correctly, vether0 should be the interface for filtering 
> because it has got IP address assigned. Physical interfaces and bridge 
> should be treated as loopback...in other words, not filtered at all.

From bridge(4):

NOTES
   Bridged packets pass through pf(4) filters once as input on the receiving
   interface and once as output on all interfaces on which they are forwarded.
   In order to pass through the bridge packets must pass any in rules on the
   input and any out rules on the output interface.  Packets may be blocked
   either entering or leaving the bridge.
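The bridge(4) NOTES above applied to the setup in this thread (em0 as WAN, em1 to em3 bridged, vether0 carrying the LAN address and dhcpd), as an added pf.conf example rather than anything posted in the thread. The LAN prefix is whatever vether0 is configured with; nothing else is assumed. One syntax point first: "em1-3" is not pf syntax, the members have to be listed as { em1 em2 em3 }.

```pf
# Added example, not from the thread.  Interface roles as described by the
# original poster; "lan_if:network" is whatever prefix vether0 carries.
wan_if    = "em0"
lan_if    = "vether0"
lan_ports = "{ em1 em2 em3 }"

# Wrong, from the thread: packets never show up on bridge0 in pf, so this
# line neither passes nor blocks anything.
# set skip on bridge0

# Per bridge(4), a bridged frame is filtered once as "in" on the member port
# it arrived on and once as "out" on every port it is forwarded to, vether0
# included.  For a flat LAN that should switch freely between its ports the
# simplest correct choice is to skip the physical members and filter where
# the packets reach the host's own IP stack: vether0.
set skip on lo0
set skip on $lan_ports

block log all

# DHCP on vether0.  The initial DISCOVER/REQUEST is sent from 0.0.0.0 port
# 68 to 255.255.255.255 port 67, so a "from $lan_if:network" rule never
# matches it and it needs its own rule.  Replies go from port 67 to port 68.
pass in  on $lan_if inet proto udp from any port bootpc to any port bootps
pass out on $lan_if inet proto udp from any port bootps to any port bootpc

# LAN hosts to the router itself and onwards to the Internet.
pass in  on $lan_if inet from $lan_if:network
pass out on $lan_if inet
match out on $wan_if inet from $lan_if:network nat-to ($wan_if)
pass out on $wan_if inet

# Filtering per physical port is possible instead of "set skip": drop that
# line and write "pass in on em1 ..." / "pass out on em2 ..." rules, but
# then every bridged frame must be allowed on both its ingress port and
# each egress port, or the bridge drops it.
```

With this ruleset a failing Windows client is diagnosed from pflog rather than guessed at: tcpdump -n -e -ttt -i pflog0 port 67 or port 68 shows on which interface and in which direction the DHCP packet was blocked, which is exactly the information bridge(4)'s two-pass filtering makes necessary.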





Re: pf firewall bridge0 vether0 blocks DHCP for bridge interfaces connected to Windows

2021-03-11 Thread da...@hajes.org

Thanks for info Claudio.

Unfortunately, I have read only "Networking FAQ" 
https://www.openbsd.org/faq/faq6.html and there is no info about it.


It would be great to update this page for dummies, because very few people 
read reference manuals line by line ;-) Most follow guides. I personally 
write everything on my website as if for children.


My logic behind filtering was simple...bridge/vether handles all and 
physical interfaces are in promiscuous mode. I have filtering for 
vether0 but didn't imagine DHCP is still at physical interface level.


pf.conf updated:

set skip on em1-3

The only thing that still puzzles me is where to filter... bridge0 or vether0. 
If I understand correctly, vether0 should be the interface for filtering 
because it has got IP address assigned. Physical interfaces and bridge 
should be treated as loopback...in other words, not filtered at all.


Windows is not the issue, because the Internet died on my Linux server once 
the DHCP lease was supposed to be renewed. My guess is that during boot the 
DHCP leases for the hosts were acquired before the firewall started up, and 
miraculously IPs were assigned... only the Windows machine didn't make it 
before the firewall.


On 11/03/2021 08:49, Claudio Jeker wrote:

On Wed, Mar 10, 2021 at 08:40:55PM +0100, da...@hajes.org wrote:

Hi,

I did set up OpenBSD router/firewall on PC Engines APU4d4 box.

First interface is WAN that connects to Internet.

Remaining three interfaces are bridged with bridge0 via vether0.

firewall doesn't block LAN/bridge traffic on vether0.

DHCPD runs on bridge.

Two Linux hosts (connected to em2 and em3) connect without problem but
Windows host DHCP requests are blocked on em1.

I didn't find any info regarding pf and bridging.

Please check bridge(4) manpage, especially the NOTES section.
  

set skip on lo0
set skip on bridge0

This line is useless. Packets never show up on bridge0. You need to add
the physical interfaces and vether0 to your ruleset.
  

So far I have found a kludge for Windows "set skip on em1"

Once the above line is present in pf.conf, the Win 10 host is allowed to acquire
an IP address. Interestingly, Linux has no issues acquiring IP addresses
via DHCP.

Any suggestions, please?
  
You need to fix your pf.conf.



Is it something screwed up in Windows such as short 3-way-handshake?

I doubt it. Your ruleset is most probably not allowing packets to pass
properly over the bridge. Since you did not share your pf.conf file it is
impossible to give you a better answer.





Re: pf firewall bridge0 vether0 blocks DHCP for bridge interfaces connected to Windows

2021-03-11 Thread Pascal Huisman
Dear David,

I also searched myself silly for over a week. I needed the ports
bridged. Next to the router in my utility cabinet, meter box, or
whatever "meterkast" is in English, I have my TV, Kodi and kitchen WiFi
connected. And I refused to route the ports or add another 24/7
consumer for a switch. 

In the misc email archive you can find many emails about using pf rules
for DHCP traffic and requests. With big rants from Mr. de Raadt, who
mails you your security mails every day. 

You're right, the physical interface should handle it. File a bug. I
didn't. I didn't mail the list. Just circumvented it. Also, if you look
at the network layer: with bridging you move up a layer. So it's
probably not a bug. It's due to the design. You can look it up.

I like the little box. The apu4d. Very charmed by the power use,
<10 watt. The most secure system on it with opensmtpd, dovecot, rspamd.
GeoIP blocking and blocklists. Encrypted disk, encrypted email storage.
GPG EtoE and GPG mailbox encryption. Next I need to host my shared
agenda from Google and store automatic backups of phone pictures so I
can close down my Google account.

-- 
Kind regards,

Pascal Huisman


H. L. Mencken suffers from the hallucination that he is H. L. Mencken --
there is no cure for a disease of that magnitude.
-- Maxwell Bodenheim

