Re: OpenBSD/hppa 7.5: install kernel boots from cdrom, but not from disk on 715/50?

2024-05-05 Thread Alexander Bochmann
...on 2024-05-05 20:32:55, Alexander Bochmann wrote:

 > but when trying to reboot from disk, the kernel hangs 
 > after "power0 at mainbus0: not available" 

7.4 looks the same, by the way.

Alex.



OpenBSD/hppa 7.5: install kernel boots from cdrom, but not from disk on 715/50?

2024-05-05 Thread Alexander Bochmann
Hi,

I tried to install OpenBSD on an HP Apollo 715/50 today:
The install kernel boots from CD and installs the system, 
but when trying to reboot from disk, the kernel hangs 
after "power0 at mainbus0: not available" (right before 
the cpu0 line).

Any idea what could be wrong here?

I verified that /bsd on disk is identical to the one 
from CD (installer says "Relinking to create unique kernel... failed."
at the end).

I have a dmesg from the install kernel, and below that 
another one when booting from disk (the same happens when 
manually booting /bsd.rd instead of /bsd):

--- >>> cut >>> ---
>> OpenBSD/hppa CDBOOT 0.2
booting dk6a:/bsd.rd: 2707456+5047296+519168=0xff817c
SPID bits: 0x0, error = -2
pdc_coproc: 0xc0, 0xc0; model 9 rev 1
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2024 OpenBSD. All rights reserved.  https://www.OpenBSD.org

OpenBSD 7.5 (RAMDISK) #933: Wed Mar 20 18:17:27 MDT 2024
dera...@hppa.openbsd.org:/usr/src/sys/arch/hppa/compile/RAMDISK
HP 9000/715/50 (Scorpio) PA-RISC 1.1a
real mem = 67108864 (64MB)
rsvd mem = 524288 (512KB)
avail mem = 53362688 (50MB)
random: boothowto does not indicate good seed
mainbus0 at root [flex fff8]
pdc0 at mainbus0
power0 at mainbus0: not available
cpu0 at mainbus0 offset ffbe000 irq 31: PCXT L1-A 50MHz, FPU PCXT (Rolex - 
CMOS-26B) rev 1
cpu0: 64K(32b/l) Icache, 64K(32b/l) wr-back Dcache, 120 coherent TLB, 16 BTLB
mem0 at mainbus0 offset ffbf000: viper rev 0, size 64MB
asp0 at mainbus0 offset 82f000: Scorpio rev 1, lan 1 scsi 7
gsc0 at asp0 irq 2
"Advanced audio (ext.)" at gsc0 (type a sv 7b mod 0 hv 70) offset 100 not 
configured
"Core Centronics" at gsc0 (type a sv 74 mod 0 hv 70) offset 824000 not 
configured
com1 at gsc0 offset 822000 irq 6: ns16550a, 16 byte fifo
com0 at gsc0 offset 823000 irq 5: ns16550a, 16 byte fifo
com0: console
hil0 at gsc0 offset 821000 irq 1
ie0 at gsc0 offset 826000 irq 8: i82596DX v0.0, address 08:00:09:78:25:c4
oosiop0 at gsc0 offset 825000 irq 9: NCR53C700 rev 0, 50MHz
scsibus0 at oosiop0: 8 targets, initiator 7
oosiop0: target 1 now using 8 bit asynchronous xfers
oosiop0: target 1 now using 8 bit asynchronous xfers
sd0 at scsibus0 targ 1 lun 0:  
serial.codesrc_SCSI2SD_2024050501_
sd0: 2048MB, 512 bytes/sector, 4194304 sectors
oosiop0: target 2 now using 8 bit asynchronous xfers
sd1 at scsibus0 targ 2 lun 0:  
serial.codesrc_SCSI2SD_2024050502_
sd1: 4096MB, 512 bytes/sector, 8388608 sectors
oosiop0: target 3 now using 8 bit asynchronous xfers
sd2 at scsibus0 targ 3 lun 0:  
serial.codesrc_SCSI2SD_2024050503_
sd2: 4096MB, 512 bytes/sector, 8388608 sectors
oosiop0: target 4 now using 8 bit asynchronous xfers
sd3 at scsibus0 targ 4 lun 0:  
serial.codesrc_SCSI2SD_2024050504_
sd3: 4736MB, 512 bytes/sector, 9700352 sectors
oosiop0: target 6 now using 8 bit synchronous xfers
oosiop0: target 6 now using 8 bit synchronous xfers
cd0 at scsibus0 targ 6 lun 0:  removable
sti0 at mainbus0 offset 400: rev 8.02;10, ID 0x27F1239240A00499
sti0: HPA1991AC16, 2048x1024 frame buffer, 1024x768x8 display
sti0: 8x16 font type 1, 16 bpc, charset 0-255
wsdisplay0 at sti0 mux 1
wsdisplay0: screen 0 added (std, vt100 emulation)
softraid0 at root
scsibus1 at softraid0: 256 targets
oosiop0: target 1 now using 8 bit asynchronous xfers
hilkbd0 at hil0 code 1: 109-key keyboard, layout 1f
wskbd0 at hilkbd0 mux 1
wskbd0: connecting to wsdisplay0
"Mouse" at hil0 id 68 code 2 not configured
oosiop0: target 2 now using 8 bit asynchronous xfers
oosiop0: target 3 now using 8 bit asynchronous xfers
oosiop0: target 4 now using 8 bit asynchronous xfers
bootpath: 2/0/1.6 class=1 flags=0 hpa=0xf0825000 spa=0x0 io=0x6b24
root on rd0a swap on rd0b dump on rd0b
clock: failed to fetch (-13)
WARNING: bad clock chip time
WARNING: CHECK AND RESET THE DATE!
erase ^?, werase ^W, kill ^U, intr ^C, status ^T

Welcome to the OpenBSD/hppa 7.5 installation program.
--- <<< cut <<< ---


Disk boot:

--- >>> cut >>> ---
>> OpenBSD/hppa BOOT 1.11
boot>
NOTE: random seed is being reused.
booting dk4a:/bsd: 5107712+1823748+650236 [284920+110+279184+258064]=0xff817c
SPID bits: 0x0, error = -2
WARNING: PDC_COPROC error -3, assuming 1.1 FPU
[ using 822812 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2024 OpenBSD. All rights reserved.  https://www.OpenBSD.org

OpenBSD 7.5 (GENERIC) #946: Wed Mar 20 17:20:03 MDT 2024
dera...@hppa.openbsd.org:/usr/src/sys/arch/hppa/compile/GENERIC
HP 9000/715/50 (Scorpio) PA-RISC 1.1a
real mem = 67108864 (64MB)
rsvd mem = 524288 (512KB)
avail mem = 55631872 (53MB)
random: boothowto does not indicate good seed
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root [flex fff8]
pdc0 at mainbus0
power0 at mainbus0: not available
--- <<< cut <<< ---

Alex.



Re: cleaning up /usr/local/lib after (many) upgrades?

2024-01-27 Thread Alexander Bochmann
...on 2024-01-27 17:46:07, Alexander Bochmann wrote:

 > Is this expected, or a result of some error I made during upgrades?

As it turns out, the error I made was not actually running
pkg_delete -a at any point, and misinterpreting the output 
of pkg_delete -an (which is why I didn't run the former)...

It seems now all the stray libraries are gone.

Sorry for the extended noise,

Alex.








Re: cleaning up /usr/local/lib after (many) upgrades?

2024-01-27 Thread Alexander Bochmann
...on 2024-01-27 19:58:45, Alexander Bochmann wrote:

 > I tried pkg_delete -a earlier today, but while it gave me a bunch 
 > of files that I think were from base (/usr/X11R6 mostly), it didn't 
 > turn up anything from /usr/local on this system.

It's been pointed out that this is impossible, and indeed 
what I was thinking of was actually pkg_check -F output...

Alex.



Re: cleaning up /usr/local/lib after (many) upgrades?

2024-01-27 Thread Alexander Bochmann
...on 2024-01-27 20:43:17, Jan Stary wrote:

 > That's definitely weird. Which packages own these files?
 > $ pkg_info -E /usr/local/lib/libvpx.so.8.0
 > $ doas pkg_check -Fq

pkg_info -E returns no output for any version but the latest, 
which is then (in this case - I just picked libvpx as an example 
from a long list of libs):

 > # pkg_info -E /usr/local/lib/libvpx.so.16.0
 > /usr/local/lib/libvpx.so.16.0: libvpx-1.13.1v0
 > libvpx-1.13.1v0 Google VP8/VP9 video codec

The only files mentioned by pkg_check -Fq in /usr/local 
are from stuff I built myself, outside of packages.
None of the outdated shared libs turn up.

 > > Usually I'm just running pkg_add -u to pull fresh versions of packages.
 > > And is there some "standard" way to get rid of the old versions? 
 > pkg_add generally replaces the old version with the new versions.

Yes, at least that's true for the binaries and manpages and such...

Alex.



Re: cleaning up /usr/local/lib after (many) upgrades?

2024-01-27 Thread Alexander Bochmann
...on 2024-01-27 20:01:55, Omar Polo wrote:

 > I think you're mixing up pkg_delete and sysclean.  sysclean will give
 > you a list of extra files that are not needed, while pkg_delete handles
 > packages.

Nope, I looked at both, and neither handles old shared libraries 
from upgraded packages in /usr/local.

I had a quick skim over the pkg* sources, and while my Perl is far 
too rusty to really understand what's going on, there's a comment 
in PkgAdd.pm that looks related:

 > sub delete_old_packages($set, $state)
 > {
 > [..]
 >  $set->cleanup_old_shared($state);
 >  # Here there should be code to handle old libs
 > }

Hrm.

I mean, it takes a couple of years of running pkg_add -u to 
turn into a problem, when your /usr/local is too small... ;)

Alex.



Re: cleaning up /usr/local/lib after (many) upgrades?

2024-01-27 Thread Alexander Bochmann
...on 2024-01-27 18:50:01, Nowarez Market wrote:

 > _Did_ you check sysclean for your own purpose ?

sysclean (also mentioned in a direct mail by someone else) 
doesn't seem to help in this case. While it gives me input 
for yet another cleanup task, none of the files mentioned 
in sysclean output on this system are from /usr/local

Alex.



Re: cleaning up /usr/local/lib after (many) upgrades?

2024-01-27 Thread Alexander Bochmann
...on 2024-01-27 19:35:18, Omar Polo wrote:

 > does pkg_delete -a help?  It should remove all the packages not needed,

I tried pkg_delete -a earlier today, but while it gave me a bunch 
of files that I think were from base (/usr/X11R6 mostly), it didn't 
turn up anything from /usr/local on this system.

Alex.



cleaning up /usr/local/lib after (many) upgrades?

2024-01-27 Thread Alexander Bochmann
Hi -

I'm looking at one of my OpenBSD systems here that has been upgraded 
over a long time, and has /usr/local running out of space. 

It seems there's a lot of old versions of shared libraries in 
/usr/local/lib, like for example:

 > # ls -al /usr/local/lib/libvpx.so.*
 > -rw-r--r--  1 root  bin  1909442 Mar 27  2018 /usr/local/lib/libvpx.so.10.0
 > -rw-r--r--  1 root  bin  2047296 Oct 11  2018 /usr/local/lib/libvpx.so.11.0
 > -rw-r--r--  1 root  bin  3182104 Apr 19  2021 /usr/local/lib/libvpx.so.12.0
 > -rw-r--r--  1 root  bin  2049592 Sep 26  2021 /usr/local/lib/libvpx.so.13.0
 > -rw-r--r--  1 root  bin  2062112 Sep 29  2022 /usr/local/lib/libvpx.so.14.0
 > -rw-r--r--  1 root  bin  2057584 Mar 25  2023 /usr/local/lib/libvpx.so.15.0
 > -rw-r--r--  1 root  bin  2069504 Oct  6 00:20 /usr/local/lib/libvpx.so.16.0
 > -rw-r--r--  1 root  bin  1869707 Jul 26  2016 /usr/local/lib/libvpx.so.7.0
 > -rw-r--r--  1 root  bin  1909806 Oct  2  2017 /usr/local/lib/libvpx.so.8.0

Is this expected, or a result of some error I made during upgrades?
Usually I'm just running pkg_add -u to pull fresh versions of packages.

And is there some "standard" way to get rid of the old versions? 
I could probably compare whatever is there against the pkglocate 
database or check each file against pkglocate individually and parse 
the output or something, but I'd assume I'm not the first user to 
run into this?

Alex.



Re: Historical Reasons For Default NAT Source Port Modification

2022-05-16 Thread Alexander Bochmann
...on 2022-05-16 17:57:06, Stuart Henderson wrote:

 > On 2022-05-16, Alexander Bochmann  wrote:
 > > I seem to remember firewall rules that allowed only udp/53 as _source_ 
 > > port 
 > > for DNS traffic.
 > Such rules often existed to cover replies, before the days
 > of stateful firewalls.

I admit this is rather useless trivia, but a copy of an old (1999)
ORA bookshelf CD with the DNS & BIND book has this:

 > BIND 4 name servers always send queries from port 53, the well-known port 
 > for DNS servers, to port 53. Resolvers, on the other hand, usually send 
 > queries from high-numbered ports (above 1023) to port 53. Though name 
 > servers clearly have to send their queries to the DNS port on a remote host, 
 > there's no reason they have to send the queries from the DNS port. And, 
 > wouldn't you know it, BIND 8 name servers don't send queries from port 53 by 
 > default. Instead, they send queries from high-numbered ports, same as 
 > resolvers do.
 > 
 > This can cause problems with packet filtering firewalls that have been 
 > configured to allow server-to-server traffic but not resolver-to-server 
 > traffic, because they typically expect server-to-server traffic to originate 
 > from port 53 and terminate at port 53.

Also some old NFS servers required that client traffic originated 
from ports < 1024 in order to "prove" that the client service 
was running with root privileges. I assume that some other stuff 
worked on that kind of heuristics too, but I don't remember about 
any good examples.

Alex.



Re: Historical Reasons For Default NAT Source Port Modification

2022-05-16 Thread Alexander Bochmann
Hi,

...on 2022-05-16 13:23:31, Philipp Buehler wrote:

 > I cannot recall many applications from 20y ago that have been very keen
 > on sending from certain ports (besides IKE already mentioned by JJ).

I seem to remember firewall rules that allowed only udp/53 as _source_ port 
for DNS traffic.

Might have been more than 20 years ago.

Alex.



Re: lighttpd vs. libressl on 6.9?

2021-08-27 Thread Alexander Bochmann
Hi Ben -

thanks for replying :)

...on Mon, Aug 23, 2021 at 09:48:16AM -0400, b...@0x1bi.net wrote:

 > Try compiling lighthttpd by hand from the ports tree with
 > debug flags and run it with ktrace to see what's happening.

I fear that might be more effort than I'm able to invest right now, 
given that the problem occurs rather rarely (about once a month 
maybe), and I don't currently have a way to reproduce it other than 
by waiting for some random client that triggers the error.

I have changed my historic (*cough*) lighttpd TLS configuration 
to support only "modern" encryption, which might have the side effect 
of just not permitting any problematic combinations. I'll just wait 
and see whether it happens again before I take any other action.

 > I'd recommend switching to the builtin httpd if the problem
 > persists.

Yeah, unfortunately my configuration has a ton of rules, and 
I'm not too keen on rewriting all that. 

(I had one reply on the Fediverse from someone who had seen the 
same effect, just much more often, but they switched to a different 
web server and didn't look for a root cause either.)

Alex.



lighttpd vs. libressl on 6.9?

2021-08-22 Thread Alexander Bochmann
Hi -

I've been running lighttpd from ports as web server on one of my 
OpenBSD systems for years, with no problems. Ever since upgrading to 
6.9, it's been crashing every few weeks, and the last lines in the 
lighttpd error log are something like this each time:

 > mod_openssl.c.3095) SSL: 1 error:06FFF064:digital envelope 
 > routines:CRYPTO_internal:bad decrypt
 > mod_openssl.c.3095) SSL: 1 error:1404C119:SSL routines:ST_OK:decryption 
 > failed or bad record mac

Is there any known incompatibility between lighttpd-1.4.59 and the version 
of LibreSSL in OpenBSD 6.9? 

Alex.



Re: ssh X forwarding and google-chrome

2020-07-02 Thread Alexander Bochmann
...on Thu, Jul 02, 2020 at 05:33:20PM +0300, Gregory Edigarov wrote:

 > "ssh -Y  google-chrome" just shows an empty and blank window, no
 > menu, no address bar.
 > May be there is some command line flags I am not aware of?

You could try google-chrome --disable-gpu, though I don't know if that 
still works.

Alex.



Re: Adding default IPv6 route fails on 6.1

2017-04-12 Thread Alexander Bochmann
...on Wed, Apr 12, 2017 at 11:12:28AM +0200, Sterling Archer wrote:
 > On Wed, Apr 12, 2017 at 9:59 AM, Dimitris Papastamos  wrote:
 > > Try this instead:
 > > !/sbin/route add -inet6 default -ifp pppoe0 fe80::%pppoe0
 > That did the trick, dhcpcd is receiving router advertisements from
 > my ISP now. Thanks, Dimitris.

On that note - there's several cloud VM providers out there 
who assign an IPv6 network to customer VMs and then expect that 
fe80::1 is used as default gateway.

In those cases, an interface tag is required too, as the 
system will usually have at least one other link-local 
network on the lo0 interface (that's not new in 6.1)... 

So, depending on the interface name, something like this works:

 > # fgrep fe80 /etc/mygate
 > fe80::1%vio0

Alex.



Re: how to debug OpenBSD virtio-scsi killing qemu-kvm VM?

2017-03-15 Thread Alexander Bochmann
...on Wed, Mar 15, 2017 at 10:29:25AM -0400, Jiri B wrote:

 > >  > bios0: vendor SeaBIOS version 
 > > "debian/1.7.5-1-0-g506b58d-dirty-20140812_231322-gandalf" date 04/01/2014
 > >  > bios0: QEMU Standard PC (i440FX + PIIX, 1996)
 > it doesn't say anything about qemu-kvm version :/

Nope, but:

 > >  > sd0 at scsibus2 targ 0 lun 0:  SCSI3 
 > > 0/direct fixed

That says "2.1", and that's actually the version of the qemu-kvm 
package in Debian jessie.

The qemu harddisk in your dmesg reports "2.5", so I'm probably 
wrong and you're actually on a newer qemu version than my VM.

Alex.



Re: how to debug OpenBSD virtio-scsi killing qemu-kvm VM?

2017-03-15 Thread Alexander Bochmann
Hi,

...on Mon, Mar 13, 2017 at 11:26:42AM -0400, Jiri B wrote:

 > it seems virtio-scsi is not working correctly in OpenBSD, I gave it
 > a try today and OpenBSD VM was killed with:
 >   2017-03-13T15:29:00.814657Z qemu-kvm: wrong size for virtio-scsi headers
 > on EL7 with qemu-kvm-rhev-2.6.0-28.el7_3.6.x86_64.
 > I found a bug stating it is OpenBSD's fault
 >   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768517

Hrm - I've been running an OpenBSD 6.0-stable VM with a hosting 
provider that seems to be using qemu-kvm for half a year, and 
have yet to run into that problem. I don't have any information 
about their platform except that their SeaBIOS identifies as debian:

 > bios0: vendor SeaBIOS version 
 > "debian/1.7.5-1-0-g506b58d-dirty-20140812_231322-gandalf" date 04/01/2014
 > bios0: QEMU Standard PC (i440FX + PIIX, 1996)
 [..]
 > virtio1 at pci0 dev 4 function 0 "Qumranet Virtio SCSI" rev 0x00
 > vioscsi0 at virtio1: qsize 128
 > scsibus2 at vioscsi0: 255 targets
 > probe(vioscsi0:0:0): Check Condition (error 0) on opcode 0x0
 > sd0 at scsibus2 targ 0 lun 0:  SCSI3 0/direct 
 > fixed
 > sd0: 61440MB, 512 bytes/sector, 125829120 sectors, thin
 > virtio1: msix shared

Maybe it is actually a Linux bug that has been fixed by everyone 
except Red Hat in their undead backports kernel?

Alex.



Re: softraid crypto performance on Sun Fire T1000

2016-11-07 Thread Alexander Bochmann
Hi,

...on Sat, Oct 29, 2016 at 03:06:05PM +0200, Jonathan Schleifer wrote:

 > While a single core of the T1000 is quite slow, this just seems too slow,
 > making this setup unusable. openssl speed shows 10 MB/s for AES-128-CBC and 7
 > MB/s for AES-256-CBC on a single core. So a single core is definitely capable
 > of more than just 2 MB/s. While even 10 MB/s is still slow for today, it's

A long time ago, compiler flags made a hell of a difference 
for openssl on sparc64 (and I assume that kernel crypto might 
behave in a similar way)...

I don't know about the current defaults in OpenBSD/sparc64, 
but for a T1 cpu, you could try rebuilding the kernel with 
something like "-mcpu=v9 -mtune=niagara" in mk.conf COPTS, 
and check if you see an improvement.

You'll be on your own with any problems though - custom 
compiler optimizations for the system are generally frowned 
upon :)

Alex.



Re: LibreSSL on old OpenBSD

2016-08-12 Thread Alexander Bochmann
...on Fri, Aug 12, 2016 at 08:53:36AM +, Roderick wrote:

 > I know, you will complain, because I mention here that I still use
 > OpenBSD 4.8 in a machine. But my question is more general.
 > I was unable to install LibreSSL-2.4.2, but installing openssl-1.0.2h
 > was possible without problems.

As others have written, trying to mix up different versions 
of software from the OpenBSD project usually won't work, 
as their development is tightly coupled.

If you're serious about backporting software to old OpenBSD 
releases for whatever reason, the -portable versions are usually 
a better starting point, but still will require a good chunk 
of knowledgeable work - much better spent on a system upgrade.

That said, even ancient versions of OpenBSD are still a viable 
target for old-style UNIXy software. OpenSSL 1.0.1t and Sendmail 
8.15.2 on OpenBSD 4.2? No problem. lighttpd and php 5.6.24 on 
OpenBSD 4.6? Works fine. Etc. 

Just don't expect any sympathy or even support from anyone.
Don't ask, don't tell.

(Especially, don't ask why I would know about any of those examples.)

Alex.



Re: 5.8/sparc64 - boot from softraid(4) fails?

2015-12-19 Thread Alexander Bochmann
Hi,

 > ...on Sun, Dec 06, 2015 at 06:02:35PM +0100, Stefan Sperling wrote:
 >  > Can you show the output of 'devalias' at the ok> prompt?
 >  > If your disks are more than 4 levels deep inside the device tree
 >  > then the diskprobe loop in the boot loader won't see them.

Finally got around to testing your patch (probably just barely, 
as disk0 is the 10th entry in the devalias list, see previous 
reply on the list):

 > Rebooting with command: boot disk0 sr0a:/bsd
 > Boot device: /pci@1e,60/pci@0/pci@a/pci@0/pci@8/scsi@1/disk@0,0  File 
 > and args: sr0a:/bsd
 > OpenBSD IEEE 1275 Bootblock 1.4
 > >> OpenBSD BOOT 1.7
 > Can't read disk label.
 > Can't open disk label package
 > sr0*
 > Booting sr0:a/bsd
 > 8311464@0x100+3416@0x17ed2a8+209312@0x180+3984992@0x18331a0

Thanks!

Alex.



Re: 5.8/sparc64 - boot from softraid(4) fails?

2015-12-13 Thread Alexander Bochmann
Hi,

coming back to this after some time...

...on Sun, Dec 06, 2015 at 06:02:35PM +0100, Stefan Sperling wrote:

 > Can you show the output of 'devalias' at the ok> prompt?
 > If your disks are more than 4 levels deep inside the device tree
 > then the diskprobe loop in the boot loader won't see them.

I guess that's the reason then:

ok devalias
vx-rootmirr  /pci@1e,60/pci@0/pci@a/pci@0/pci@8/scsi@1/disk@1,0:a
net          /pci@1e,60/pci@0/pci@9/pci@0/network@4
net0         /pci@1e,60/pci@0/pci@9/pci@0/network@4
net1         /pci@1e,60/pci@0/pci@9/pci@0/network@4,1
net2         /pci@1e,60/pci@0/pci@a/pci@0/network@4
net3         /pci@1e,60/pci@0/pci@a/pci@0/network@4,1
cdrom        /pci@1e,60/pci@0/pci@1/pci@0/ide@1f/cdrom@0,0:f
ide          /pci@1e,60/pci@0/pci@1/pci@0/ide@1f
disk         /pci@1e,60/pci@0/pci@a/pci@0/pci@8/scsi@1/disk@0,0
disk0        /pci@1e,60/pci@0/pci@a/pci@0/pci@8/scsi@1/disk@0,0
disk1        /pci@1e,60/pci@0/pci@a/pci@0/pci@8/scsi@1/disk@1,0
disk2        /pci@1e,60/pci@0/pci@a/pci@0/pci@8/scsi@1/disk@2,0
disk3        /pci@1e,60/pci@0/pci@a/pci@0/pci@8/scsi@1/disk@3,0
scsi         /pci@1e,60/pci@0/pci@a/pci@0/pci@8/scsi@1
ttya         /ebus@1f,464000/serial@2,80
ttyb         /ebus@1f,464000/serial@2,40
sc-control   /ebus@1f,464000/rmc-comm@2,0
name         aliases

 > If so, the following (untested) diff might fix the problem (adjusting
 > to an arbitrarily chosen higher recursion level of 10).

Ok, I'll try that now.

Alex.



Re: 5.8/sparc64 - boot from softraid(4) fails?

2015-12-06 Thread Alexander Bochmann
Hi,

thanks for your answer.

...on Sun, Dec 06, 2015 at 06:02:35PM +0100, Stefan Sperling wrote:

 > Can you show the output of 'devalias' at the ok> prompt?

Will need a couple of days, as the machine is currently at 
a friend's place. I'll post an update as soon as I have the 
devalias output.

 > The easiest way to try this diff is to build a new release on another
 > sparc64 system (see man release(8)) and install that.

That will need even more time, as I don't currently have 
another sparc64 box on 5.8 :) I can probably try that sometime 
late next week.

Alex.



5.8/sparc64 - boot from softraid(4) fails?

2015-12-05 Thread Alexander Bochmann
I recently tried to install OpenBSD 5.8 on a Sun Fire, 
using a RAID-1 softraid as boot device. System doesn't 
boot though, and ends up with this:

 > Sun Fire V245, No Keyboard
 > Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 > OpenBoot 4.25.10, 4096 MB memory installed, Serial #67141234.
 > Ethernet address 0:12:33:0:11:aa, Host ID: 8400123a.
 > 
 > Rebooting with command: boot
 > Boot device: disk0  File and args: sr0a:/bsd
 > OpenBSD IEEE 1275 Bootblock 1.4
 > >> OpenBSD BOOT 1.7
 > Unknown device: sr0
 > Cannot boot from softraid: Unknown error: code 19
 > Program terminated

As the documentation for booting from softraid on sparc64 
feels somewhat sparse, I'm not actually sure I set things up 
correctly:

- from the install cd, created disklabels with a RAID 
  partition on sd0 and sd1
- assembled softraid with bioctl:

 > # bioctl -c 1 -l /dev/sd0a,/dev/sd1a softraid0
 > sd4 at scsibus2 targ 1 lun 0:  SCSI2 0/direct fixed
 > sd4: 70004MB, 512 bytes/sector, 143369136 sectors
 > softraid0: RAID 1 volume attached as sd4

(the system has two other disks)

- ran ./install to install OpenBSD to sd4
- rebooted and set boot parameters as per boot_sparc64(8)

Any steps I am missing? Any hints how to further debug this?

Thanks,

Alex.



Re: Backup of OpenBSD to Linux box

2015-06-15 Thread Alexander Bochmann
...on Mon, Jun 15, 2015 at 07:46:31AM +0100, Bernd Schoeller wrote:

 > There are a number of remote backup systems floating around
 > (rdiff-backup, rsnapshot, etc.) and of course there are in-house
 > solutions (dump/restore), though I don't know if these are
 > interoperable.

restore on Linux can read backups created with dump 
on a BSD system.

 > Is there somebody on the list who has a similar setup and could
 > point me at a solution that works for him/her?

If you're backing up more than one host, some backup 
management system like Amanda/Zmanda or Bacula might 
be useful.

Alex.



Re: Comparing large amounts of files

2009-12-11 Thread Alexander Bochmann
Hi,

...on Fri, Dec 11, 2009 at 06:52:09PM -0500, STeve Andre' wrote:

 > > Compare how?
 > I should have been more clear I suppose.  I'd like to know
 > the files that are identical, files that are of the same
 > name but different across directories, possibly several
 > directories.

Maybe you could use something like this in the 
directory you're looking at:

find . -type f -print0 | xargs -0 -r -n 100 md5 -r > md5sums

You could now just sort the md5sums file to find 
all entries with the same md5... Or sort by filename 
(will need some more logic if files are distributed 
over several subdirectories) to weed out those with 
the same name and different checksums.

Alex.
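The "sort the md5sums file" idea from the reply above, carried through as a small Python tool (an added example, not code from the original post): it hashes every regular file under a tree (SHA-256 here rather than md5(1)) and derives both byte-identical groups and basenames that occur in several directories with differing contents. The function names and the sample directory tree are constructed for this example.

```python
"""Group files under a directory tree by content hash and by basename."""
import hashlib
import os
import tempfile
from collections import defaultdict


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root.

    Symlinks are skipped so a link and its target are not reported as dupes.
    """
    hashes = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            hashes[os.path.relpath(path, root)] = digest.hexdigest()
    return hashes


def identical_files(hashes):
    """Groups (sorted path lists) of files whose contents are identical,
    regardless of name or directory; the equivalent of sorting by checksum."""
    by_hash = defaultdict(list)
    for path, digest in hashes.items():
        by_hash[digest].append(path)
    return sorted(sorted(paths) for paths in by_hash.values() if len(paths) > 1)


def same_name_different_content(hashes):
    """{basename: sorted paths} for names that appear in more than one
    directory with at least two distinct contents; the equivalent of sorting
    by filename and weeding out mismatching checksums."""
    by_name = defaultdict(list)
    for path in hashes:
        by_name[os.path.basename(path)].append(path)
    conflicts = {}
    for name, paths in by_name.items():
        if len(paths) > 1 and len({hashes[p] for p in paths}) > 1:
            conflicts[name] = sorted(paths)
    return conflicts


# Constructed sample tree (relative path -> contents), not real data.
SAMPLE_TREE = {
    "a/config.txt": b"alpha\n",
    "b/config.txt": b"alpha\n",       # identical to a/config.txt
    "c/config.txt": b"bravo\n",       # same name, different content
    "a/notes.txt": b"charlie\n",
    "b/readme": b"charlie\n",         # identical content, different name
    "c/unique.bin": b"\x00\x01\x02",
}


def build_sample_tree():
    """Write SAMPLE_TREE into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="cmp-")
    for rel, data in SAMPLE_TREE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def run_sample():
    """Build the sample tree and return (identical groups, name conflicts)."""
    hashes = hash_tree(build_sample_tree())
    return identical_files(hashes), same_name_different_content(hashes)


if __name__ == "__main__":
    dupes, conflicts = run_sample()
    for group in dupes:
        print("identical:", ", ".join(group))
    for name, paths in conflicts.items():
        print("same name, different content:", name, "->", ", ".join(paths))
```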



Re: How to disable IPv6?

2009-12-08 Thread Alexander Bochmann
Hi,

...on Sun, Dec 06, 2009 at 05:15:14PM -0600, Todd T. Fries wrote:

 > Between pf, 'ifconfig em0 -inet6' and 'echo family inet4 >> /etc/resolv.conf'
 > you should have about all the anti v6 knobs a budding newbie should need.

Thanks for putting all the required info into one place.

Alex.



pf route-to doesn't work for me after upgrading to 4.6

2009-12-04 Thread Alexander Bochmann
Hi,

did anything change in regard to pf rules with the 
route-to option in recent versions of OpenBSD?

I've just reinstalled an old system that was running 
OpenBSD 3.9 with 4.6, and gave it my old pf rulesets.

There is a rule that is supposed to send all traffic 
originating from a certain local network into a tunnel 
instead of to the default gateway. Which it did with 3.9.

Now it seems to do nothing - outgoing traffic just 
follows the default route, regardless of the route-to 
rule.

It was basically something like this:

pass in quick on $int_if route-to $vpn_if from $special_net \
  to ! localnets keep state 

(The relevant traffic comes in through $vpn_if by itself.)

Also tried binding the rule on the external interface, 
and using the route-to syntax with gateway address, 
but that didn't work either.

Alex.



Re: pf route-to doesn't work for me after upgrading to 4.6

2009-12-04 Thread Alexander Bochmann
Hi,

...on Fri, Dec 04, 2009 at 03:46:22PM +, Fred Crowson wrote:
 > pf has virtually been rewritten in that time

Ok, what bit me from that is that the default for rules was 
changed to keep state in the meantime and some other stuff 
that was relying on the old semantics interfered with the 
policy routing.

After kicking that out, things magically work as expected...
Seems I'll better rewrite the whole ruleset.

(Why do I always find these things just after writing to 
the list, and not before?)

Thanks for the answers,

Alex.



Re: Anyone using munin?

2009-04-06 Thread Alexander Bochmann
Hi,

...on Thu, Apr 02, 2009 at 05:44:32PM -0700, Marc Runkel wrote:

 > Trying to set up munin work with OpenBSD and was wondering if anyone had some
 > plugins pre-written?  In particular interface statistics but I'll take just
 > about anything.

I have a bunch of badly hacked munin plugins I've 
been running for some time, which you could try to 
use as an inspiration. 
Warning: Undocumented cut & paste code from other 
existing plugins. I'll take no responsibility if 
it breaks your brain (or computer).

They do at least basic IF Statistics, cpu, disk, 
temperature sensors.

Can be downloaded from here:

http://ozeanos.gxis.de/temp/filepile/munin-plugins-obsd39.tar.gz

Alex.



Re: European orders

2009-03-31 Thread Alexander Bochmann
Hi,

...on Mon, Mar 30, 2009 at 10:35:08PM +0200, Daniel Seuffert wrote:

 > I know Wim personally for many years, I have seen some of his work and
 > I have the deepest respect for him and what he has done.

Absolutely. From my point of view, Wim's constant presence 
and marketing activity was an important factor in the past 
success of the project, and he is to be commended for that. 
He did so much more than just reselling CDs and merchandise - 
which exactly seems to be the problem now.
Wim was the figurehead who did all the talking and organizing, 
and that's why I was buying my stuff from him (and would 
continue to do so in the - improbable - case of a solution 
for all this mess).

As for the bickering about details of obviously undocumented 
arrangements - well, they are just that: undocumented arrangements. 
Can work, can lead into a disaster, with a certain longterm bias to 
the second option, when money is involved. No surprises there.

Alex.



the death of the oldest OpenBSD system on the net...

2008-03-16 Thread Alexander Bochmann
...was rather unspectacular: Hardware failure.

The system's name was base, originally installed with 
OpenBSD 2.3 on Jun 12, 1998:

-rw-r--r--  1 root  wheel  5 Jun 12  1998 etc/myname

It ran the OpenBSD 2.3 kernel and most of the userland until 
it stopped responding about three weeks ago and couldn't be 
resurrected.

Small hardware problems had happened before, as with most 
systems that have been running uninterrupted for nearly 10 
years, but this time I decided against getting it up again: 
Running modern software had gotten a real chore (never managed 
to backport OpenSSH, for example, so it still had the last 
version of the old ssh.com daemon (1.2.32?). 
(Well, that, and the 2.3 GENERIC kernel reliably shot down 
the VMWare session I tried to get it running in.)

Good old internet software like sendmail or bind never were 
a problem though, even in their most recent versions (which may 
or may not be a compliment, depending on your point of view).

To my knowledge, the system never was hacked - despite running 
software like qpop 2.53 or really, really old versions of 
apache and php. (I sometimes found core files, but I guess 
the system was just too obscure to be a valid target for 
any type of automated attack.)

base had lots of old stuff still lying around, like an emergency 
netboot environment for the sun3/160 that it had replaced as main 
server for infra.de back at the time, an Amanda client for my 
old employer's network backup system that's long gone, or the 
configuration for half a dozen UUCP feeds which have lost 
their peers ages ago.

Gone are the days when 32MB RAM was a lot, a stripped down OpenBSD 
kernel had a whopping 1MB, and a handful of blacklists got rid 
of almost all of the spam.

-rwxr-xr-x  1 root  wheel  1056157 Jul 31  2002 /bsd

Alex.



Re: the death of the oldest OpenBSD system on the net...

2008-03-16 Thread Alexander Bochmann
...on Sun, Mar 16, 2008 at 05:11:10PM +0300, Nickolay A. Burkov wrote:

 > Thanks for the interesting story; very sad.
 > Just out of curiosity, what hardware was it?

Can't find a dmesg currently, but from memory the 
original setup was something like:

Pentium-133, 32MB RAM. 4GB Quantum IDE HDD, 3Com 509(?) ISA.
I think some 512k Trident VGA graphics card. As far as I 
remember, most of the stuff had been 2nd hand even in '98.

Back then, that was more than enough to run a mailserver for 
maybe 100 users (sendmail, qpop, uucp), bind, an nntpcache, 
squid proxy, radius (for an Ascend Max E1 dialin router I 
still have at home), and the web server.

A couple of years ago, the mainboard had been replaced by 
something with a K6-233 CPU as the old one had died. The 
harddisk survived to the end (although that may have been 
the component that finally failed - didn't have a chance 
to get access to the hardware yet).

Alex.



Re: 202 days Uptime in OpenBSD 3.6

2007-01-16 Thread Alexander Bochmann
...on Mon, Jan 15, 2007 at 11:20:27AM -0700, Darren Spruell wrote:

  On 1/15/07, Alexander Bochmann [EMAIL PROTECTED] wrote:
  Last login: Sun Jan  7 19:22:19 2007 from xxx
  OpenBSD 2.3 (LOCAL) #0: Wed Jul 31 12:51:38 CEST 2002
  Do you sleep well at night exposing that system to the Internet?

Yes. The setup is obscure enough to require a very targeted 
attack, and I'm still waiting for someone to come along and 
do that. Also, the services on the machine used to run on a 
SunOS 4 sun3 before this one was set up - so it's kind of a 
tradition to use an outdated system ;)

  One would question the amount of effort to ensure patch application 

Sure. But it's fun. Well, some strange kind of fun, at least.
Also I can brag about it now and then.

Alex.



Re: 202 days Uptime in OpenBSD 3.6

2007-01-15 Thread Alexander Bochmann
...on Thu, Jan 11, 2007 at 08:42:35AM +0100, Marc Balmer wrote:

  hmm, why are people so proud of their uptimes when it only show they
  don't care for their systems?

Bah, uptimes (is it that time of the year again?)...

Last login: Sun Jan  7 19:22:19 2007 from xxx
OpenBSD 2.3 (LOCAL) #0: Wed Jul 31 12:51:38 CEST 2002

Welcome to OpenBSD: The proactively secure Unix-like operating system.

{104} ls -al /etc/localtime
lrwxr-xr-x  1 root  wheel  33 Jun 12  1998 /etc/localtime -> 
/usr/share/zoneinfo/Europe/Berlin

That's an Internet-connected system, running mail, web, DNS. 

It gets increasingly difficult to talk current software into 
compiling on that platform, though.

Alex.



Re: Compilers make a system less secure?

2006-05-02 Thread Alexander Bochmann
...on Tue, May 02, 2006 at 03:49:26PM +0400, Anton Karpov wrote:

  But what if your system has no compiler? When attacker should compile his
  sploit anywhere, and transfer binary evil code onto your box. E.g. he has to
  have access to the similar machine, maybe with similas OS version and arch.

I know not having a compiler has been considered secure systems 
best practice for a long, long time - but it comes from a distant 
past when compilers for networked systems were expensive tools, 
using expensive operating systems on expensive hardware. So you 
wouldn't have had ready access to a Solaris box with Sun Forte on 
it to compile things yourself, and that may have been a major 
obstacle.

In today's world, quickly whipping up a build environment for 
most systems out there is a no-brainer, and thanks to stuff like 
qemu you don't even need the appropriate hardware.

In short, it may help to discourage a few low-skill attackers 
(same as getting rid of perl, for example), at the cost of 
making your own life as systems administrator so much more 
tedious. 

Just isn't worth the trade-off anymore, IMHO.

Alex.



Re: Compilers make a system less secure?

2006-05-02 Thread Alexander Bochmann
...on Tue, May 02, 2006 at 09:46:01AM -0500, Graham Toal wrote:

  Back in the old days when the only access to a system was
  by a modem to a login prompt, and there was no networking
  available to make things easy, the only way to get a
  binary on to a machine was to somehow enter it from the
  keyboard (or equivalent, eg pulling it in via tip's ~ escapes)

Ok, that was well before my time then :)

I remember transferring binaries through a non 8-bit 
clean dialup pad with kermit, but that's another program 
you wouldn't want to have on a secure host.

It did get me around a lot of restrictions the admins 
thought they had placed on the system, though...

Alex.



Re: C Compiler Prob

2006-03-30 Thread Alexander Bochmann
...on Thu, Mar 30, 2006 at 12:49:29PM +0200, oliver simon wrote:

  checking for gcc... egcc

egcc?

Alex.



Re: openbsd and the money -solutions

2006-03-27 Thread Alexander Bochmann
...on Sat, Mar 25, 2006 at 08:25:32AM +0100, Jurjen Oskam wrote:

   There is no reason to provide funding from a business standpoint.  What 
   does
   the business gain?
  Does having a business standpoint require shutting off all common sense?

In today's world: Mostly. Modern businesses have developed an 
own definition of morality and common sense, which is not 
necessarily compatible with whatever individuals may think.

In that environment, the ethics applied by the OpenBSD 
community are deeply anachronistic - which makes them 
great for some people, and a pain for others, regardless 
of any technical merits.

My guess is that especially (US-based) public companies 
don't want to be seen associated with OpenBSD (by donating, 
for example), as they fear damage to their business 
reputation from that.

Alex.



Re: Sendmail security problem

2006-03-24 Thread Alexander Bochmann
...on Thu, Mar 23, 2006 at 12:22:37PM +0100, Anthony Howe wrote:

  I installed 8.13.6 last night from the source tar ball on two machines 
  (one is OpenBSD 3.6, the other an old Linux box). Appears to be chugging 
  along happily. Can't speak to the specific security issue though.

Replacing OpenBSD's sendmail with sendmail.org's version 
is a non-issue (as in just works) on any OpenBSD version 
which ships >= 8.12. 

If in doubt, /usr/src/gnu/usr.sbin/sendmail/Makefile.inc 
contains the ENVDEFs to add to site.config.m4.

Alex.



Re: OpenBSD and the money

2006-03-24 Thread Alexander Bochmann
...on Thu, Mar 23, 2006 at 02:20:08PM -0500, Peter Fraser wrote:

  I recognize that government grants come with red-tape, and people are
  often disdainful of taking hand-outs.  In this case, however, I'd
  think the pros outweigh the cons.  Don't you have a wish-list of things
  you'd implement or improve if you got sufficient funding?

I don't think it's a viable path for the project as 
a whole, although it may be remotely possible to get 
funding for certain development goals. It still takes 
away lots of freedoms, and needs some people who find 
fun in hacking organizational structures instead of 
coding.

The PyPy people (http://pypy.org/) had a presentation 
on how they went for EU funding, 
http://events.ccc.de/congress/2005/fahrplan/attachments/557-Paper_OpenSourceEuFundingAndAgileMethods.pdf

Start reading on page 3, How and why EU funding, 
and maybe replace the term sprint with hackathon. 

Then, have a look around here and think again...

Nah.

Alex.



Re: openbsd and the money

2006-03-24 Thread Alexander Bochmann
...on Fri, Mar 24, 2006 at 01:42:48PM +0100, Hannah Schroeter wrote:

  I don't actually understand what that whining about tax deduction is
  about.

My guess is that it's not about the tax deduction in 
itself (although that certainly helps), it's about 
the receipt.

Companies very much like to generate a proper paper 
trail when they hand out money, and not only for the 
tax office. So it's probably easier to get a company 
to order a few hundred CDs instead of a donation.

(On the other side, I don't know how the incoming 
donations are handled by OpenBSD, but they most 
probably are also subject to taxation somewhere.)

Alex.



Re: openbsd and the money

2006-03-24 Thread Alexander Bochmann
...on Fri, Mar 24, 2006 at 02:52:55PM +0100, Alexander Bochmann wrote:

  So it's probably easier to get a company 
  to order a few hundred CDs instead of a donation.

By the way, the golden CD signed by all core 
developers for $9000 might just be the thing 
to add to the store. :)

Alex.



Re: Reminder about the X Aperture

2006-03-15 Thread Alexander Bochmann
...on Tue, Mar 14, 2006 at 05:41:44PM -0700, Theo de Raadt wrote:

Yes, they have DMA engines.  If the privilege seperate X server has a
bug, it can still wiggle the IO registers of the card to do DMA to
physical addresses, entirely bypassing system security.
   Wow. As if running a binary blob was not bad enough, video card  
   binary blobs are suddenly found to be all-powerful.
  This issue is not about binary blobs for video cards.

Using GPU shader programs to read from main 
memory was one of the ways mentioned as a 
possible attack on the XBox 360 security system 
in a presentation at 22C3 last year, though 
limited by the system's memory encryption in 
that case.

(Could well be contained in some binary blob, 
but that's another issue.)

Alex.



Re: Traffic analysis on a per service basis

2006-03-03 Thread Alexander Bochmann
...on Fri, Mar 03, 2006 at 03:33:53AM +0100, Martin Schröder wrote:

  On 2006-03-02 19:01:13 -0600, eric wrote:
   Best you'll find for reliable traffic accounting (and the most flexible) is
   argus http://www.qosient.com/argus/. I'd recommend that route, then using
  Seems to be quiet since 2004-05 and has its own license :-(

The argus mailing list is still quite active.

Alex.



Re: help with source-routing

2006-03-03 Thread Alexander Bochmann
Hi,

...on Fri, Mar 03, 2006 at 01:08:43PM +0100, oliver simon wrote:

  hme1 - 10.50.0.10
  hme0 - 217.5.23.69
  hme0_alias - 217.5.23.70
  default-gw is 10.50.0.1
  If you want to connect to e.g. 193.44.25.2, the machine has to go there
  with one of its official IPs 217...

Are you sure that's a sane setup? Why do you 
want to reach the outside world through an interface 
on a private segment when you have official addresses 
on another interface? And why is there no address 
translation elsewhere between your private segment 
and wherever it connects to the Internet?

  How can we solve that problem ? I read a lot about pf and other things,
  but nothing I tried is working ...

You can NAT the traffic going out through hme1, but you 
will have a nice split routing situation, as the traffic 
flowing back to you will probably come in through hme0.
Not that that's a problem, it just doesn't make any sense.

Alex.



Re: help with source-routing

2006-03-03 Thread Alexander Bochmann
...on Fri, Mar 03, 2006 at 03:03:23PM +0100, oliver simon wrote:

  Internal Network is another IP-Range ... DMZ has official IPs for the
  services and its private ip-range for the hosts themself.
  DMZ: 10.50.0.0/24 + Official IPs for services
  Internal(!)Lan: 10.23.0.0/24
  DBNet (e.g.): 10.28.0.0/24

Usually, you would do proxying or NAT for the official 
service addresses on your outer gateway. Not much use 
having them on the DMZ network, it just adds unnecessary 
complexity. 

Alex.
(Yes, I know that doesn't answer your question :) ...)



Re: sendmail and Undeliverables

2006-03-02 Thread Alexander Bochmann
...on Wed, Mar 01, 2006 at 05:01:52PM -0600, Joel Gudknecht wrote:

  I'm concerned that sendmail is even accepting these messages as they
  have nothing to do with my domain and I don't know how to prevent this
  behavior, any info on this subject would be appreciated, thank you.

From the snippet you posted, it seems as if someone 
sends spam using your address/domain as sender, and 
you get the bounces. Unfortunately, nothing unusual 
about that, and not much you can do.

Alex.



Re: Problem with squirrelmail

2006-03-02 Thread Alexander Bochmann
...on Thu, Mar 02, 2006 at 01:07:09PM +0200, Gabriel George POPA wrote:

 I have a small problem with squirrelmail. The problem is that users 
  cannot read their mail messages if they are too large (though not very
 [..]
  going on? Settings from /etc/inetd.conf:
  # IMAP server from PINE
  imap2   stream  tcp     nowait  root    /usr/sbin/imapd imapd

That doesn't really explain your problem, but if you 
are running an imapd from inetd and have enough users, 
you will certainly run into the default spawn limit 
of 256 connections in 60 seconds. 

Try cranking that up to a sensible number for your 
environment (nowait.2048 or something).

Alex.



Re: Regarding a SPARCSTATION 1+

2006-01-29 Thread Alexander Bochmann
...on Sun, Jan 29, 2006 at 02:14:38PM +0200, Gabriel George POPA wrote:

I'm wondering if OpenBSD 3.8 will work on a SPARCSTATION 1+ computer. 
  Does anyone have a toy like this running OpenBSD?

Not currently, but I had an SS1+ under OpenBSD until 
about 3.2 (I think). Everything should work fine, 
but don't try to use ffs softupdates (see 
http://www.openbsd.org/faq/faq14.html#SoftUpdates).

The other standard advice is to recompile at least 
libssl with -mcpu=supersparc, otherwise you won't 
have much fun with ssh on this box (I rebuilt the 
whole system with that switch, but then that doesn't 
mean it works for anyone else).

Alex.



Re: Regarding a SPARCSTATION 1+

2006-01-29 Thread Alexander Bochmann
...on Sun, Jan 29, 2006 at 07:38:50PM +0100, Alexander Bochmann wrote:

  The other standard advice is to recompile at least 
  libssl with -mcpu=supersparc, otherwise you won't 

Sorry, that's crap - the SS1+ doesn't have 
a supersparc CPU.

Alex.



Re: Squid and named DNS

2006-01-27 Thread Alexander Bochmann
Hi,

...on Fri, Jan 27, 2006 at 12:10:22PM +0200, Kiraly Zoltan wrote:

  I use Squid to filter web content like ad and pop-up (adzaper), I don't
  use Squid for cache.
  The problem is, when i use Squid  many webpage open slow, for example
  sometimes i wait much in Firefox at Waiting for www.pagexy.com...
  message. Without Squid all page open faster.

I assume that with your content filter setup squid won't 
pass data until it's been fully loaded - otherwise the 
content filter can't be sure to block the transmission 
if it detects anything harmful. So you will see a considerable 
delay more or less by design.

Not using caching is also counterproductive, as you'll 
have the system scanning everything all over again.

  I hear Squid don't really like named, is true? or anyone use Squid with
  named and don't have problems, any idea?

That sounds like a bit of crap to me, in what way should 
squid not like named? Ok, both can be memory hogs, 
depending on their configuration, so if you're low on memory 
you wouldn't want to have both on the same box, but that's 
about it...

I doubt DNS is your problem, but your setup is probably 
suboptimal. Squid does its own DNS caching, so letting 
it access a server that is forward-only itself (basically 
another cache level) at least won't do much good.

Alex.



Re: Possible implication of a Sendmail on OpenBSD 3.8 in a spam attack

2006-01-25 Thread Alexander Bochmann
...on Wed, Jan 25, 2006 at 02:09:58PM +0200, Gabriel George POPA wrote:

  Yahoo! do not accept some mails from me). I've noticed that the mailstats 
  command reports 13 (!!!) messages sent (!) outside. My computer is a 
  small server running OpenBSD 3.8, MySQL+PHP+Apache for the website; it's a 
  FRESH install so that I don't think it's a problem in the system. I have 
  around 
  30 users that use POP3+Outlook Express to send and receive their mail 
  messages.

It's quite improbable that your box can be used as 
relay without some additional software or some sort 
of configuration problem.

How about some more info on what you are running on that 
web site? The usual feedback script abuse comes to mind.

Also, you have all the logfiles on your machine, try to 
single out a specific spam message (I assume you have a 
few samples) and find out how it came into your system. 

Alex.



OpenBSD-specific plugins for Munin, anyone?

2006-01-25 Thread Alexander Bochmann
Hi,

I've recently been playing with Munin again
(http://munin.projects.linpro.no/), and noticed 
there are nearly no plugins for OpenBSD.

While I have adapted a few for my needs, I 
surely can't be the first to do that?

(Munin is a(nother) simple, low-configuration 
software using rrdtool to create pretty graphs 
of different things happening on networked systems. 
I'm using it because I'm lazy. Having to write my 
own plugins is bad in that respect.)

Alex.



Re: Apache logs filled with remote exploit trials

2006-01-16 Thread Alexander Bochmann
...on Mon, Jan 16, 2006 at 12:34:54PM +0100, Didier Wiroth wrote:

  [Sun Jan 15 20:53:24 2006] [error] [client 69.60.121.159] File does not
  exist: /htdocs/xmlsrv/xmlrpc.php
  How do you handle these kind of attacks?

Ignoring them, mostly. It's the attack script 
of the month.

  How or what do I have to use to dynamically block client Ips, that tries
  these type of attacks?

In my case, most of them seem to come from some 
dialup/DSL ranges with dynamic addresses, so blocking 
is not much use.

If you're annoyed enough, you might try mod_security 
(if you run apache), or simply catch all access to 
an xmlrpc.php with a mod_rewrite rule. If you don't 
need it somewhere, that is.

Alex.
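As an added example (not part of the thread), a small shell triage of probe lines in the format of the quoted error log, to see how many distinct clients are behind the xmlrpc.php hits before bothering with address blocking; the log lines and addresses are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original thread: triage the xmlrpc.php
# probes from an Apache error log before deciding whether blocking by
# client address is worth anything. The log lines are constructed in
# the format shown in the quoted message; addresses are documentation
# ranges, not real probe sources.

# Write a constructed error log to $1.
write_sample_log() {
    cat > "$1" <<'EOF'
[Sun Jan 15 20:53:24 2006] [error] [client 192.0.2.17] File does not exist: /htdocs/xmlsrv/xmlrpc.php
[Sun Jan 15 20:53:25 2006] [error] [client 192.0.2.17] File does not exist: /htdocs/xmlrpc.php
[Sun Jan 15 20:53:26 2006] [error] [client 192.0.2.17] File does not exist: /htdocs/blog/xmlrpc.php
[Sun Jan 15 21:10:02 2006] [error] [client 198.51.100.8] File does not exist: /htdocs/xmlrpc.php
[Sun Jan 15 21:40:11 2006] [error] [client 203.0.113.5] File does not exist: /htdocs/favicon.ico
[Sun Jan 15 22:01:45 2006] [error] [client 198.51.100.8] File does not exist: /htdocs/drupal/xmlrpc.php
EOF
}

# Hits per client on any path ending in xmlrpc.php, busiest first.
# Output lines: "<count> <client>".
xmlrpc_probe_sources() {
    awk '
        /File does not exist: .*\/xmlrpc\.php$/ {
            # the address follows the "[client" token, with a trailing "]"
            for (i = 1; i <= NF; i++) if ($i == "[client") {
                ip = $(i + 1); sub(/\]$/, "", ip); hits[ip]++
            }
        }
        END { for (ip in hits) print hits[ip], ip }
    ' "$1" | sort -rn
}

# Distinct paths probed: shows which locations the scanner expects,
# which is what a mod_rewrite catch-all would have to cover.
xmlrpc_probe_paths() {
    sed -n 's/.*File does not exist: \(.*xmlrpc\.php\)$/\1/p' "$1" | sort -u
}

# Clients with at least $2 hits: only these are candidates for a
# firewall table; one-off hits from dynamic ranges are noise.
noisy_clients() {
    xmlrpc_probe_sources "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}
```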



Re: CPU time off by a factor of two

2005-11-25 Thread Alexander Bochmann
...on Fri, Nov 25, 2005 at 03:43:52PM +0800, Uwe Dippel wrote:

  It's a bug, so it seems now.
  Sorry, last night I didn't have access so my answer is late:
  I simply rebooted to single-CPU-kernel; compiled by myself, just as well,
  and it runs like hell. Exact, I mean. Not a single second off after three
  hours. (so says ntpdate.)

That sounds quite a bit like what I remember reading 
about, something like the TSC might run at different 
speeds on different cores depending on thermal throttling, 
SpeedStep, ACPI state, whatever. So if you're switching 
to a counter on another core without taking that into 
account, you're in trouble. Which doesn't mean that's 
the problem here :)

Alex.
(no, I actually have no idea what I'm talking about)



Re: certification of firewall product / mess in my head

2005-09-13 Thread Alexander Bochmann
Hi,

...on Tue, Sep 13, 2005 at 10:12:11AM +0200, qstreb wrote:

  Yesterday i got surprised, it looks that in Germany (and some other 
  countries)
  there are some lows/requirenments/obligations that in case a firewall 
  (appliance) is owned
  by third parties and they produce any damages to others
  for the damage are responsible even the chiefs,
  but if this appliance is certified these people dont have such trouble.

That sounds a bit like fallout from the 
Sarbanes-Oxley Act (for a short summary, see 
http://en.wikipedia.org/wiki/Sarbanes-oxley), 
and last time I looked, Germany was not a part 
of the USA. On the other hand, I haven't 
followed our legislation in that sector recently, 
and if your company is incorporated in the 
US or does business with US-based companies, 
you will be affected either way.

I assume that certification in that context 
is supposed to prove some kind of due diligence 
in your itsec efforts.

A proper documentation of your firewall setup 
should do the same, but in the end it's 
probably better to talk to a lawyer than 
to system administrators :)

Alex.



Re: sendmail and clamd

2005-09-06 Thread Alexander Bochmann
...on Tue, Sep 06, 2005 at 03:13:01PM +0200, Cristian Del Carlo wrote:

  i am planning to use openbsd as mail server with sendmail and clamd as 
  antivirus on intel machine.
  What can i use to connect sendmail and clamd? 
  I know that there are several methods : milter, amavis etc...

Depends on your hardware and the amount of 
traffic you expect (and some other things).

I'm successfully using smtp-vilter as milter 
for clamav, but I haven't followed the latest
development on OpenBSD pthreads, and people 
used to say that there's problems with the 
thread implementation (search the archives 
for specifics) - so going with milters might 
not be the optimal solution for a high-volume 
system.

I've done some setups with MailScanner, which 
works quite nice even under extreme loads, 
but is queue-based instead of being plugged 
into the MTA like a milter in sendmail, so 
mails have to be fully accepted into the system 
before MailScanner can work on them.

Alex.



Re: Lifecycle question

2005-09-05 Thread Alexander Bochmann
...on Mon, Sep 05, 2005 at 03:35:19PM +0200, Stephan A. Rickauer wrote:

  Henning Brauer schrieb:
  you don't have to reinstall at all. hogwash by some people here. I have 
  about a hundred servers in production, some are upgraded ever since 2.7 
  times or so. upgrade typically takes us 5 minutes and one reboot a box.
  Well, I am thinking of using OpenBSD for our firewalls. Those I do want 
  to upgrade regularly. Not because of features, but because of patches.

For a simple filtering firewall, you won't 
need to do much for an upgrade. Perhaps 
touching a few files in /etc according to 
the upgrade document, and if you use any 
ports or local binaries, getting them up 
to the current version.

The basic layout of things hasn't been 
changed for a long time, it's not as if 
suddenly config files will have to be 
in a different directory because someone 
wants to be compatible with some standards 
document or so.

On the other hand, there's little incentive 
to upgrade such a setup at all (except for 
the exercise) - there are rarely catastrophic 
bugs that will be able to compromise your 
system, and throwing in a new version of 
things like openssh or zlib will usually 
work a couple of versions back from the 
current release, even if there's no formal 
patch. 
(In reality, if there's a case where you really, 
really need to upgrade such a system after a 
few years, it will probably hurt - currently 
have that with a 3.3 box with so many local 
changes that it barely looks like OpenBSD 
anymore...).

Alex.



Re: OpenBSD 3.8 negative free space (?WTF?)

2005-08-25 Thread Alexander Bochmann
...on Wed, Aug 24, 2005 at 12:24:46PM -0700, Ray Percival wrote:

  ~5% to be exact. 

To be more exact, it depends on the -m option 
value you used when last running newfs or tunefs 
on the filesystem. :)

See the description in the tunefs(8) man page.

Alex.



Re: 3.8 beta requests

2005-08-23 Thread Alexander Bochmann
...on Tue, Aug 23, 2005 at 09:42:02AM +0200, J. Lievisse Adriaanse wrote:

  I wonder what the theme for this release will be...

Something like we help making your 
software more secure - by default?

(Ok, it's not more secure, but more 
correct, probably...)

Generally I think it's a really good 
idea to go ahead with this - everything 
that helps developing software with less 
errors is a step forward, even if some 
programmers (and users) may hate it.

Alex.



Re: x86 rings?

2005-08-05 Thread Alexander Bochmann
...on Thu, Aug 04, 2005 at 08:18:40PM -0500, Dave Feustel wrote:

  some very specialized applications. Intel had a chip (the 960mp?) used in 
  the military
  that used segmented addressing, but I don't think it has been used anywhere 
  else
  but possibly in HP printers years ago, and (I think) without the 
  segmentation).

I've seen a lot of i960s as embedded CPUs on RAID 
controllers and the like in the 1990s, but obviously 
they were stripped down from the military i960MX version
(see Wikipedia, http://en.wikipedia.org/wiki/Intel_i960).

Alex.



Re: Need Quad Ethernet for router box

2005-07-21 Thread Alexander Bochmann
Hi,

...on Thu, Jul 21, 2005 at 11:50:20AM -0400, Bill Chmura wrote:

  Ethernet wise, currently the whole mess is at 100MB...  It will be that
  way at least for 12 months after this.   As far as heavily used, I just
  got on the scene myself and the usage is way down.  School, summers
  off.  But the end of the year is crazy for them network wise.  So in
  the end, all I can say at this point is that its barely running at peak
  usage on 100MB.

As others suggested, getting a decent switch with VLAN 
support and using a single GigE trunk to your router 
might be a good start (and even cheaper than a bunch 
of 4-port GigE cards). I don't think you will run into 
bandwidth problems on the trunk if everything is at 
100mbit now, and you will just have much more flexibility 
with the segmentation. You can still push high-volume 
VLANs to another trunk port (or dedicated links to the 
router) later, if that turns out to be necessary.

Also, will all the traffic really pass the router, 
or will much of it be local to the respective segments? 
Thinking about how to redesign the network to reduce 
the load on the router might be a good idea.

Alex.



Re: Amanda port WO gnuplot?

2005-07-20 Thread Alexander Bochmann
Hi,

...on Tue, Jul 19, 2005 at 09:43:45PM -0400, stan wrote:

  I'm building several new 3.7 machines. These machines will be Amanda
  clients (only, not servers)/ Looks like the amanda port depends on gnuplot,
  which depends on X11.

Build on a machine that has the dependencies 
installed and then copy the -client package 
over to your systems. 

Should work fine, as there are no library 
dependencies against X11 or such (but I didn't 
test it, as I always build my amanda clients 
from the original sources instead of using the 
port).

Alex.



Re: How to change flags of a route?

2005-07-19 Thread Alexander Bochmann
...on Tue, Jul 19, 2005 at 10:29:34AM +0200, Michael Adam wrote:

  The scenario is the following: On an OpenBSD firewall and
  router, I have an interface if0 with address 192.168.1.1/24.
  Now, there is a host 192.168.1.2 which sits behind a third host
  192.168.1.3 from the network segment of if0. So I would like to
  set a host route as follows:
  route add -host 192.168.1.2 192.168.1.3

That setup is broken by design. 

The only real way to make this work is 
to have 192.168.1.2 do proxy-arp for 
192.168.1.3, which will solve your routing 
problem automatically, as the ARP request 
won't fail anymore, and you won't need to 
set up anything on your gateway.

Alex.



Re: Compiling for VIA Samuel 2 (CentaurHauls 686-class) 533 MHz

2005-07-17 Thread Alexander Bochmann
...on Sun, Jul 17, 2005 at 05:25:39PM +0100, matt lawless wrote:

  fed up of kernel panics on my EPIA 5000 I decided to make from source
  but can't find what settings use to get it to compile for this
  restricted processor. GCC borks when I try and compile it on the EPIA :
  
  /usr/src/sys/sys/time.h: In function `bintime2timeval':
  /usr/src/sys/sys/time.h:207: internal compiler error: Segmentation fault
  Please submit a full bug report,

That seems to be a quite certain indicator 
for memory problems.

From my experience, I can say that OpenBSD 
runs fine even on the more broken Via EPIA 
boards (except from the usual watchdog timeout 
and rx packet lost messages on the vr ethernet 
when running at 100/fdx).

  OpenBSD 3.7 (GENERIC) #50: Sun Mar 20 00:01:57 MST 2005
  [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
  cpu0: VIA Samuel 2 (CentaurHauls 686-class) 533 MHz
  cpu0: FPU,DE,TSC,MSR,MTRR,PGE,MMX

Looks exactly like one of mine, which has been 
running 3.5, 3.6, and 3.7 without any unexpected 
problems.

Alex.



Re: getting dhclient to update bind forwarders IPs

2005-07-12 Thread Alexander Bochmann
Hi,

...on Tue, Jul 12, 2005 at 02:02:11PM +0200, Raphaël Berbain wrote:

  I have a box running bind as a cache+forwarder setup.  It connects to
  the ISP through DHCP.  When dhclient kicks in, it fetches the
  ISP-provided DNS IPs and by default puts those in /etc/resolv.conf.
  Instead of that, I'd like /etc/resolv.conf to point to localhost.
  I'd also like dhclient to tell bind to use the DNS IPs it got by dhcp
  as forwarders.  I can think of several ways to keep /etc/resolv.conf
  pointing to localhost, but I can't find a way to have dhclient update
  bind's idea of forwarders IPs.

dhclient has the supersede option for the first 
part, something like supersede domain-name-servers 127.0.0.1; 
in your interface section, see dhclient.conf(5) for 
details.

For the other part, if you're running your own nameserver, 
why would you want to use forwarders at all? 

The only way to change the bind settings would be through 
a script that does it. But I don't think you could run 
it from dhclient, as there's no way I know of to pass the 
retrieved name server information to a script.

Possibly write a script that requests the name server data 
from the DHCP server independent of dhclient, and update 
the bind config from there.
 
Alex.
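An added example, not from the thread: a shell script for the second part that reads the lease file dhclient writes and turns the name servers of the latest lease into a forwarders stanza for bind, rewriting it only when it changed. It assumes the lease file path /var/db/dhclient.leases.<if> and that named.conf includes the generated file; the sample lease and addresses are constructed.

```shell
#!/bin/sh
# Added example, not code from the original thread: keep bind's
# forwarders in step with the name servers dhclient received from the
# ISP. dhclient.conf's "supersede domain-name-servers 127.0.0.1;" keeps
# /etc/resolv.conf pointing at the local bind; this script covers the
# other half by reading the lease file dhclient writes.
# Assumptions (not stated in the thread): the lease file lives at
# /var/db/dhclient.leases.<if> and named.conf includes the generated
# file inside its options block. Addresses below are constructed samples.

# Write a constructed lease file in dhclient's format to $1, with two
# leases so the "most recent lease wins" logic has something to do.
write_sample_lease() {
    cat > "$1" <<'EOF'
lease {
  interface "fxp0";
  fixed-address 192.0.2.10;
  option domain-name-servers 192.0.2.53;
  renew 1 2005/7/12 12:00:00;
}
lease {
  interface "fxp0";
  fixed-address 192.0.2.10;
  option domain-name-servers 192.0.2.53,192.0.2.54,not-an-address;
  renew 1 2005/7/13 12:00:00;
}
EOF
}

# Print the name servers of the last lease in the file, one per line.
# dhclient appends leases, so the last option line seen wins.
lease_nameservers() {
    awk '
        /option domain-name-servers/ {
            sub(/;.*$/, "", $3)             # drop the trailing ";"
            n = split($3, a, ",")
            last = ""
            for (i = 1; i <= n; i++) last = last a[i] "\n"
        }
        END { printf "%s", last }
    ' "$1"
}

# Accept only dotted quads: the lease content comes from the network
# and ends up inside named.conf, so anything else is dropped.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Render the stanza, e.g. "forwarders { 192.0.2.53; 192.0.2.54; };"
forwarders_stanza() {
    out="forwarders {"
    for ns in $(lease_nameservers "$1"); do
        is_ipv4 "$ns" || continue
        out="$out $ns;"
    done
    printf '%s };\n' "$out"
}

# Rewrite the include file only when the content changed, so named is
# not reloaded needlessly. Prints "changed" or "unchanged".
update_forwarders() {
    lease=$1; conf=$2
    new=$(forwarders_stanza "$lease")
    if [ -f "$conf" ] && [ "$(cat "$conf")" = "$new" ]; then
        echo unchanged
        return 0
    fi
    printf '%s\n' "$new" > "$conf"
    echo changed
    # a real deployment would now run: rndc reload
}
```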



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread Alexander Bochmann
...on Mon, Jun 20, 2005 at 07:08:18AM -0500, Dave Feustel wrote:

  If one-time passwords capability is built into OpenBSD, where can I read 
  about
  how to use them?

skey(1) will start you off.

Alex.



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread Alexander Bochmann
...on Mon, Jun 20, 2005 at 07:32:09AM -0500, Dave Feustel wrote:

   One Time Passwords such as skey(1) are also good for insecure environments.
  I just read the man page for skey, but I still don't quite understand
  how it works. Would I use a calculator to generate a response that I
  type in response to a challenge, or what? 

s/key has been around for a long time. Ask Google.

Alex.



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread Alexander Bochmann
...on Mon, Jun 20, 2005 at 07:24:16AM -0500, Dave Feustel wrote:

  Here is a relevant link:
  http://www.rumormillnews.com/cgi-bin/forum.cgi?read=73190

That's just the same thing all over.

  We may get to find out - see the above link which is apparently the source
  material for the snopes article you reference below. While it does pay to be
  sceptical of reports like the one snopes criticizes, I do not trust snopes

The pictures from the original article have supposedly 
been taken from http://www.dansdata.com/keyghost.htm.

The snippets which were used to fake the homeland security 
letter were in the same directory as the original lol.htm

How do you make sure your version of OpenBSD isn't 
rigged to use some covert channel to send off keyboard 
input data to somewhere else, by the way?

Alex.



Re: Sun ELC?

2005-06-03 Thread Alexander Bochmann
...on Fri, Jun 03, 2005 at 07:15:51AM +0100, Peter Galbavy wrote:

  Gordon Grieder wrote:
  Before I start following sparc@ (if I go ahead with this): I recently
  inherited a Sun ELC. It's an ancient all-in-one thing that looks
  Now ? Might work as a non caching nameserver - memory is rather limited, 
  while CPU is OK-ish.

Up until three years ago or so, I was running a 
backup MX for about 50 customers on an 25MHz SS1+ 
(and one of them had roughly 6000 mail users), with 
postfix on OpenBSD.

Probably wouldn't work with today's spam levels 
though, regardless of the software used. At the 
time, disk space (an external 4GB disk for the 
spool filled up in about a day when the largest 
customer was offline) was more of a problem than 
CPU power.

Alex.



Re: Wifi frustration (SUCCESS)

2005-05-23 Thread Alexander Bochmann
Hi,

...on Sun, May 22, 2005 at 03:16:51PM -0400, Steve Shockley wrote:

  No, it's hard to find new Prism-based cards anymore except for a few USB 
  ones, and last I looked wi on usb didn't work as an access point.

At least according to the manpage, it still 
doesn't work and is supposed to be buggy 
altogether... 

Alex.