Re: Supporting the OpenBSD Project through a Registered Charity

2023-09-01 Thread Charlie Jones


On 2023-08-29 21:14:43 Stuart Henderson  wrote:
>On 2023-08-29, Katherine Mcmillan  wrote:
>> To clarify, I'm looking for something with a similar structure at the US PostgreSQL
>> Association (which is a registered 501(c)(3) public charitable entity), but for BSD
>> or OpenBSD.
>I'm pretty sure there is nothing for OpenBSD like this.

Perhaps SPI (Software in the Public Interest) provides this capability
(if I understand correctly).  I discovered this when I tried to donate
to LibreOffice, which is headquartered in Germany.

From SPI's Wikipedia page:

   Software in the Public Interest, Inc. (SPI) is a US 501(c)(3)
   non-profit organization domiciled in New York State formed to help
   other organizations create and distribute free open-source software
   and open-source hardware. Anyone is eligible to apply for membership,
   and contributing membership is available to those who participate in
   the free software community.

Their web page is:

    www.spi-inc.org

As nearly as I can tell, SPI handles all the paperwork and
interactions with the IRS, and allows people in the U.S. to donate to
a 501(c)3.  This gives the donor a tax benefit.  Donors who are used
to donating through a Donor Advised Fund are restricted by the DAF to
501(c)3 recipients.  So OpenBSD might possibly attract some new donors.

Katherine Mcmillan mentioned PostgreSQL.  I see on

    https://www.spi-inc.org/projects/

that PostgreSQL is one of the projects that already use SPI for its
donations.

The downside is that SPI charges 5% for this service.  It looks to me
like PayPal and the credit cards charge about half that, but they
don't provide 501(c)3 status.

I have no connection with SPI, other than donating through them, and I
don't know for sure how easy it would be for OpenBSD to interact with
them.  And I am not advocating for them, just mentioning their
existence on the off chance that people were not familiar with them.

-- Sent with https://mailfence.com  Secure and private email


Re: File transfer using ftp from bsd.rd booted system

2023-08-31 Thread Charlie Jones


On Aug 28 06:34:01, Jan Stary wrote:
>On Aug 27 22:56:59, ch...@mailfence.com wrote:
>> I would like to be able to transfer files over ethernet from a system
>> that has been booted from bsd.rd
>
>Why do you need that?
>
>(The only case where I want to have files from a bsd.rd boot
>is a dmesg of a machine I am looking at, without installing.
>Which I save on the media I booted from.)

I do indeed desire this capability in order to save a dmesg from a
system booted from bsd.rd.  I would prefer not to use a usb flash
drive because of concerns about BadUSB attacks.

I can't save the file on the CD which I booted from, hence my desire
to use ethernet.  However, after some thought, I realized that I could
use dd to save the file to an un-allocated portion of the hard drive,
and then read it back after booting a different OS.  So I've got the
dmesg, which I'll include in a post to come soon, about my inability to
get the installed system to boot.

-- Sent with https://mailfence.com  Secure and private email


File transfer using ftp from bsd.rd booted system

2023-08-27 Thread Charlie Jones



Hello,

TL;DR:

I would like to be able to transfer files over ethernet from a system
that has been booted from bsd.rd, to an installed OpenBSD system.
This does not seem to be possible.  If it is somehow possible, because
I am missing something, or perhaps because there is an undocumented
feature that allows it, I would appreciate any pointers.

More details:

On any installed OpenBSD system, if one types 'ftp', one gets a
prompt, and then can issue 'open' or other commands.

The complete list of possibilities is:

 ftp [-46AadEegiMmnptVv] [-D title] [-k seconds] [-P port] [-r seconds]
     [-s sourceaddr] [host [port]]
 ftp [-C] [-N name] [-o output] [-s sourceaddr]
     ftp://[user:password@]host[:port]/file[/] ...
 ftp [-CTu] [-c cookie] [-N name] [-o output] [-S ssl_options]
     [-s sourceaddr] [-U useragent] [-w seconds]
     http[s]://[user:password@]host[:port]/file ...
 ftp [-C] [-N name] [-o output] [-s sourceaddr] file:file ...
 ftp [-C] [-N name] [-o output] [-s sourceaddr] host:/file[/] ...

The first option is the one that I need.

On a system booted from bsd.rd, however, if one enters 'ftp', one gets
a "usage" response, informing you that 'ftp' requires arguments,
and that just 'ftp' is not an acceptable command line on that system.

The response is:

usage:  ftp [-N name] [-o output] ftp://[user:password@]host[:port]/file[/] ...
        ftp [-N name] [-o output] [-S ssl_options] [-w seconds]
            http[s]://[user:password@]host[:port]/file ...
        ftp [-N name] [-o output] [-s sourceaddr] file:file ...
        ftp [-N name] [-o output] [-s sourceaddr] host:/file[/] ...

So the first option, which would allow sending a file, is absent.

I can't solve the problem by running ftpd on the bsd.rd system,
because ftpd is not there (understandably, room is tight).  Similarly,
neither ssh nor sshd is available.

Please note, I am not complaining about the (possible) lack of a
capability; it may well be that it was intentionally left out.  I just
want to know if I am missing something that would allow me to transfer
a file using ftp.

Thanks

-- Sent with https://mailfence.com  Secure and private email


Re: PF: Redirect SOCKS connections to another server on a different net

2023-04-24 Thread Charlie
Below comes the solution to this problem. For the explanations on why it works,
you may refer to the original answer [1].

# sysctl net.inet.ip.forwarding=1
# cat /etc/pf.conf
  ...
  pass in on re0 proto tcp from any to (re0) port 1080 rdr-to 10.64.0.1 tag nat
  pass out on wg0 proto tcp nat-to (wg0) tagged nat
  ...

[1]
https://marc.info/?l=openbsd-pf=168215778109013=2

Cheers,
Charlie
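
A tightened variant of the two rules above, as an added example that is not part of the original post: it limits the redirect to sources in re0's attached network (the posted rule accepts `from any`) and limits the NAT rule to the redirected destination. The tag name SOCKS_FWD is an assumption; interfaces and addresses are the ones used in the thread.

```pf
# Added example, not from the original post.
# net.inet.ip.forwarding=1 is still required, as in the post.

# As posted: any source address arriving on re0 may use the proxy.
#   pass in on re0 proto tcp from any to (re0) port 1080 rdr-to 10.64.0.1 tag nat
#   pass out on wg0 proto tcp nat-to (wg0) tagged nat

# Tightened: only hosts in the network attached to re0 are redirected.
# SOCKS_FWD is a hypothetical tag name chosen for this example.
pass in on re0 inet proto tcp from re0:network to (re0) port 1080 \
        rdr-to 10.64.0.1 port 1080 tag SOCKS_FWD

# Translate only the tagged flows, and only towards the proxy itself.
# On the outbound pass the destination is already the rdr-to address.
pass out on wg0 inet proto tcp from any to 10.64.0.1 port 1080 \
        nat-to (wg0) tagged SOCKS_FWD
```

The ruleset can be syntax-checked with `pfctl -nf /etc/pf.conf` before it is loaded.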



PF: Redirect SOCKS connections to another server on a different net

2023-04-10 Thread Charlie
On an OpenBSD 7.2 system, I have access to a SOCKS proxy server
through VPN. After the VPN connection is established, any program that
supports SOCKS proxy can reach it by setting the relevant local VPN
address, 10.64.0.1, and the usual port number 1080.

I want to share the access to this proxy server on my OpenBSD machine
with other systems in my home network. So basically what I want is to
open a 1080 port on the OpenBSD server and redirect it to the local
VPN address 10.64.0.1. I have been successful in doing so with the
help of the "socat" program:

$ socat tcp-listen:1080,bind=192.168.1.10,reuseaddr,fork \
tcp:10.64.0.1:1080

I would very much like to replace the above command with pf rule(s).
All the combinations I tried with "rdr-to", "nat-to", "divert-to",
"synproxy state", etc. did not work. Could someone kindly point me in
the right direction (pun intended)?

Below is an illustration of my setup and the desired forwarding.

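      ,------------ OpenBSD system ------------.        VPN
      |                                        |        / \
  ,---+------------.,--------------------------+. .-----------.
  | re0            || wg0:                      | | 10.64.0.1 |
  | 192.168.1.0/24 || 10.76.150.11/32           |-|           |
  :1080<==========================================>:1080      |
  `---+------------'`--------------------------+' `-----------'
      |                                        |
      `----------------------------------------'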

Cheers,
Charlie



Gigenet Mirror x*69.tgz Failing to Verify Sets

2021-03-30 Thread Charlie Burnett
Hi,
Currently the gigenet mirror is failing to verify for all four X packages
on snapshot. They verify fine when I point it towards cdn.openbsd.org, but
this is the case for both when trying to install from both bsd.rd and an
install iso. This is in a VM but I wouldn't see how that'd affect it. Oddly
enough, I just upgraded my personal machine earlier today without any
issues. Not sure what would need to be done about it, but I figured someone
oughta be told!

Best Regards,
Charlie Burnett


Re: Chromium with WebAssembly flavor?

2021-01-30 Thread Charlie Burnett
Ah, well now I feel dumb... my sincere apologies for the spam then. Thanks
for the help, I had no idea! :)

On Sat, Jan 30, 2021 at 7:40 AM Thomas Frohwein 
wrote:

> On Fri, Jan 29, 2021 at 09:44:26PM -0600, Charlie Burnett wrote:
> > Hi,
> > I wasn't sure if this was worthy of ports or not, so I wanted to throw this
> > out here first. I don't like Zoom, and I understand WebAssembly has some
> > inherent issues in it, but I imagine a good number of people don't have a
> > choice and have to use it as well in light of the current state of things.
> > On top of this, Citrix apps need it enabled as well. Wouldn't it be
> > reasonable to make a flavor with ENABLE_WASM set for chromium then?
>
> I think you misunderstand how this works. ENABLE_WASM is for the runtime
> environment; you don't need to rebuild the whole port. In fact, if you set
> ENABLE_WASM for a build of the port, it likely still won't enable
> WebAssembly.
>
> Take an example webpage that checks for WebAssembly (for example [1]):
>
> $ chrome
>
> => "WebAssembly is not supported in your browser"
>
> $ ENABLE_WASM=1 chrome
>
> => "WebAssembly is supported in your browser"
>
> > Compiling chrome manually with the flag is a beast, and my laptop will
> > usually throw a kernel panic before it'll finish compiling, plus as a
> > package it's updated quite regularly which means it needs to be recompiled
> > quite regularly.
> > Best regards,
> > Charlie
>
> [1] https://d2jta7o2zej4pf.cloudfront.net/
>


Chromium with WebAssembly flavor?

2021-01-29 Thread Charlie Burnett
Hi,
I wasn't sure if this was worthy of ports or not, so I wanted to throw this
out here first. I don't like Zoom, and I understand WebAssembly has some
inherent issues in it, but I imagine a good number of people don't have a
choice and have to use it as well in light of the current state of things.
On top of this, Citrix apps need it enabled as well. Wouldn't it be
reasonable to make a flavor with ENABLE_WASM set for chromium then?
Compiling chrome manually with the flag is a beast, and my laptop will
usually throw a kernel panic before it'll finish compiling, plus as a
package it's updated quite regularly which means it needs to be recompiled
quite regularly.
Best regards,
Charlie


DHCPD issue

2020-07-20 Thread Charlie Burnett
Hi,
I've set up a good deal of openbsd firewalls in a professional environment
before with little to no issue. I'm trying to set one up for me personally
though, and am having some bizarre issues, with no clue where to begin
trying to fix them. This is on an APU unit from PC Engines. I've managed to
figure out a couple things when trying to debug this:
1. I cannot connect to the internet properly unless only em0 (which is the
ethernet port I have connected to the external network) has a hostname
file- I have to either add back the hostname files after boot and run
/etc/netsetup or manually set up the internal network ports through
ifconfig.
2. Even once the box is connected properly to the network, it's seemingly
unable to assign leases to other clients, attempting to connect to it
through another OpenBSD machine results in it timing out while getting a
lease.
3. Using the same exact config, I ran it behind a standard proprietary
router (linksys) that connects fine externally. Using that, the box
functions as expected.
4. Using an openwrt router I get similar errors.
5. I'm using both config that I've used on external networks as well as
subnetworks on a corporate network that worked, and the default config from
the setting up a router page for a sanity check.
6. I assumed it was DHCP, but nonetheless as a sanity check I had pf pass
through anything and everything, worked internally as well as externally.
I'm at a complete loss- seeing as it occurs on openwrt I assume that it's
probably because of however the hell my landlord set up the network, but
anyone remotely have an idea how to begin debugging this? I don't like
particularly having a proprietary router running especially without a
firewall I trust.
Best,
Charlie


AMDGPU Bug

2020-07-07 Thread Charlie Burnett
Hi,
I'm still getting the issue from earlier where X freezes entirely and I
can't get it to work, though I've got no clue what's triggering it now,
there seem to be no *regular* outputs to /var/log/messages with the crash.
However, I was trying to trigger the bug earlier so I could hopefully
provide more information, and I got the same
VM_L2_PROTECTION_FAULT_STATUS as before, but now with an added "[drm]
*ERROR* Failed to initialize parser -88!". Here I tried running blender to
put some load on the GPU. I say new because I was able to fix this bug by
restarting X, and my display got real buggy though I was able to still move
the cursor, although not interact with it. I can send a picture of the
display if that's helpful, though it seemed to just have random pixels all
over the screen. Below is the error that got kicked out when doing this,
though I can't see any difference from last time.

drm:pid27591:gmc_v9_0_process_interrupt *ERROR* [gfxhub0] retry page fault
(src_id:0 ring:0 vmid:3 pasid:32820, for process  pid 0 thread gnome-shell
pid 37788)
drm:pid27591:gmc_v9_0_process_interrupt *ERROR*   in page starting at
address 0x800108a64000 from client 27
drm:pid27591:gmc_v9_0_process_interrupt *ERROR*
VM_L2_PROTECTION_FAULT_STATUS:0x003C0041
drm:pid27591:gmc_v9_0_process_interrupt *ERROR*   MORE_FAULTS: 0x1
drm:pid27591:gmc_v9_0_process_interrupt *ERROR*   WALKER_ERROR: 0x0
drm:pid27591:gmc_v9_0_process_interrupt *ERROR*   PERMISSION_FAULTS: 0x4
drm:pid27591:gmc_v9_0_process_interrupt *ERROR*   MAPPING_ERROR: 0x0
drm:pid27591:gmc_v9_0_process_interrupt *ERROR*   RW: 0x1

Let me know if there's any other info I can give that would help! :)


Re: AMDGPU

2020-06-29 Thread Charlie Burnett
For sure, whatever helps!
Jun 27 18:58:21 tabr /bsd: [drm] *ERROR* sdma_v4_0: Failed to load firmware
"amdgpu/vega20_sdma.bin"
Jun 27 18:58:21 tabr /bsd: [drm] *ERROR* Failed to load sdma firmware!
Jun 27 18:58:21 tabr /bsd: drm:pid0:psp_v11_0_init_microcode *ERROR* psp
v11.0: Failed to load firmware "amdgpu/vega20_sos.bin"
Jun 27 18:58:21 tabr /bsd: [drm] *ERROR* Failed to load psp firmware!
Jun 27 18:58:21 tabr /bsd: [drm] *ERROR* sw_init of IP block  failed -2
Jun 27 18:58:21 tabr /bsd: drm:pid0:amdgpu_device_init *ERROR*
amdgpu_device_ip_init failed
Jun 27 18:58:21 tabr /bsd: drm:pid0:amdgpu_attachhook *ERROR* Fatal error
during GPU init
That's with the old firmware, and yeah that's with the newest firmware. I
had to use newer firmware on your newdrm branch as well. Let me know how I
can help! :)


On Mon, Jun 29, 2020 at 11:50 PM Jonathan Gray  wrote:

> On Mon, Jun 29, 2020 at 11:13:49PM -0500, Charlie Burnett wrote:
> > Hi,
> >
> > Wasn’t sure who to tell this to, but with Vega 20 hardware under -current,
> > there is an issue with the firmware, where it cannot load. Manually
> > installing the latest amdgpu firmware from kernel.org fixes this seemingly.
>
> can you show the output when the 20200421 firmware failed to load?
> you are referring to the following in linux-firmware 20200619 and later?
>
> commit f73f82cd4b7506a22a9aa1aa19e009fac3092eef
> Author: Alex Deucher 
> Date:   Mon Jun 15 17:33:26 2020 -0400
>
> amdgpu: add vega20 TA firmware from 20.20 release
>
> Based on internal commit:
> c6aa2bdaa30af815fc257f2b0e50f6c66d74045c
>
> Signed-off-by: Alex Deucher 
> Signed-off-by: Josh Boyer 
>
>  amdgpu/vega20_ta.bin | Bin 0 -> 54016 bytes
>  1 file changed, 0 insertions(+), 0 deletions(-)
>
> commit 9ecaba882d78501d2ab2f6bd9407409128b351ed
> Author: Alex Deucher 
> Date:   Mon Jun 15 17:30:20 2020 -0400
>
> amdgpu: update vega20 firmware from 20.20 release
>
> Based on internal commit:
> c6aa2bdaa30af815fc257f2b0e50f6c66d74045c
>
> Signed-off-by: Alex Deucher 
> Signed-off-by: Josh Boyer 
>
>  amdgpu/vega20_asd.bin   | Bin 147968 -> 160256 bytes
>  amdgpu/vega20_ce.bin| Bin 9344 -> 9344 bytes
>  amdgpu/vega20_me.bin| Bin 17536 -> 17536 bytes
>  amdgpu/vega20_mec.bin   | Bin 268048 -> 268048 bytes
>  amdgpu/vega20_mec2.bin  | Bin 268048 -> 268048 bytes
>  amdgpu/vega20_pfp.bin   | Bin 21632 -> 21632 bytes
>  amdgpu/vega20_sdma.bin  | Bin 17408 -> 17408 bytes
>  amdgpu/vega20_sdma1.bin | Bin 17408 -> 17408 bytes
>  amdgpu/vega20_smc.bin   | Bin 262912 -> 262912 bytes
>  amdgpu/vega20_sos.bin   | Bin 170896 -> 174992 bytes
>  10 files changed, 0 insertions(+), 0 deletions(-)
>
> > There's also an issue that I've been unable to figure out for a while here
> > as well, in that undergoing a CPU intensive task will freeze up the entire
> > system. Disabling all power management options and setting the
> > amdgpu_vm_update_mode to 3 lessens the occurrence of this, and using an
> > HDMI connection instead of a DisplayPort with said modifications seemingly
> > eliminates it. Just switching amdgpu_vm_update_mode to 3 without anything
> > else leads to issues in which, when launching X, only a small
> > square of seemingly random pixels is displayed. Using a vanilla kernel,
> > only "Waiting for fences timed out!" appears. However, turning on
> > amdgpu_debug_vm in amdgpu_drv.c will output quite a few DRM errors for
> > "gmc_v9_0_process_interrupt", sometimes in the tens of thousands. Any hang
> > ups require a hard reboot. With amdgpu_vm_update_mode set to 3, the crash
> > occurs differently in that whichever windows are using a bunch of GPU/CPU
> > time turn a lime green color. They're completely functional at first,
> > however if I keep putting heavy loads on both the screen becomes pixelated
> > on any changed pixels for those windows. I have a huge amount of logs for
> > these, however from a couple weeks of trying to fix it myself they didn't
> > offer much beyond what was stated in this email.
>
> this is similar to what is seen on vega10 and other parts
>


AMDGPU

2020-06-29 Thread Charlie Burnett
Hi,

Wasn’t sure who to tell this to, but with Vega 20 hardware under -current,
there is an issue with the firmware, where it cannot load. Manually
installing the latest amdgpu firmware from kernel.org fixes this seemingly.
There's also an issue that I've been unable to figure out for a while here
as well, in that undergoing a CPU intensive task will freeze up the entire
system. Disabling all power management options and setting the
amdgpu_vm_update_mode to 3 lessens the occurrence of this, and using an
HDMI connection instead of a DisplayPort with said modifications seemingly
eliminates it. Just switching amdgpu_vm_update_mode to 3 without anything
else leads to issues in which, when launching X, only a small
square of seemingly random pixels is displayed. Using a vanilla kernel,
only "Waiting for fences timed out!" appears. However, turning on
amdgpu_debug_vm in amdgpu_drv.c will output quite a few DRM errors for
"gmc_v9_0_process_interrupt", sometimes in the tens of thousands. Any hang
ups require a hard reboot. With amdgpu_vm_update_mode set to 3, the crash
occurs differently in that whichever windows are using a bunch of GPU/CPU
time turn a lime green color. They're completely functional at first,
however if I keep putting heavy loads on both the screen becomes pixelated
on any changed pixels for those windows. I have a huge amount of logs for
these, however from a couple weeks of trying to fix it myself they didn't
offer much beyond what was stated in this email.

Best regards,
Charlie


Re: Help, i want to ask if my Asus Vivobook Ryzen 3 , Vega 3 can run openbsd

2020-05-25 Thread Charlie Burnett
Ryzen 3 Vega is based on the Raven architecture, which has worked for me on
machines before so I'm not sure you'd have much issue with it, I'd imagine
it'd just work "out of the box". Wireless is up in the air, since the card
didn't seem to be listed on the specifications online.

On Mon, May 25, 2020 at 10:49 AM flint pyrite 
wrote:

> You probably should check for wifi compatibility.
>
> On Sun, May 24, 2020 at 9:50 PM Digital Crow 
> wrote:
>
> > Help, i want to ask if my Asus Vivobook Ryzen 3 , Vega 3  can run openbsd
> > I have problems with freebsd i can't run xorg it has a problem with efi
> > framebuffer and amdgpu driver.
> > It seems that this laptop can boot only efi partitions there's no setting
> > on bios about csm or anything else related to it.
> > Is it possible  openbsd would work ?
> > Also is the process the same as freebsd ?
> > I need to install drm-kmod and add kld_list amdgpu on rc.conf
> > The openbsd installer create efi boot partition ?
> > I think this laptop can boot only efi partitions
> >
>


Process Isolation

2020-02-06 Thread Charlie Burnett
Hey y'all,

Sorry if this has been answered before but I couldn't find a satisfactory
answer searching for it, and this is more of an academic question. So
security focused Linux distros like Qubes go to extremes to
compartmentalize/isolate any and all programs it can. FreeBSD has its jail
program which is seemingly the gold standard for process isolation when you
can't be bothered to go to the extent Qubes does. I've been trying to read
as much OpenBSD source as I can as I find some of the security tricks
y'all've come up with damn interesting. I know that once upon a time we had
sysjail, but nowadays we just have chroot which most systems do. What
is OpenBSD's solution to this? I'm sure I've read through it I just didn't
realize the purpose.

I apologize if this was a question I've somehow missed the answer to!


Re: wpa_supplicant error

2020-02-04 Thread Charlie Burnett
Well, I at least have a tangible error now. Observing through wpa_cli, I
get the following:
<3>CTRL-EVENT-EAP-STATUS status=‘eap parameter needed’ parameter=‘PASSWORD’
<3>CTRL-REQ-PASSWORD-0: Password needed for SSID eduroam
<3>CTRL-EVENT-EAP-FAILURE EAP authentication failed
Authentication with $BSSID timed out.

Out of curiosity I switched it to WPA2-PSK and it says it successfully
associated, however I can’t ping anything and trying to use dhclient just
results in it timing out/sleeping.

I know my password is correct as well

On Mon, Feb 3, 2020 at 4:42 AM Raf Czlonka  wrote:

> On Sun, Feb 02, 2020 at 09:42:52PM GMT, Charlie Burnett wrote:
> > Hey @misc,
> > I've used OpenBSD on my desktop and server for a while, however they both
> > have an Ethernet connection. I recently got my hands on a thinkpad x1 6th
> > gen in order to ensure compatibility with OpenBSD. I can connect fine via
> > the /etc/hostname.if with /etc/netstart, however I need to be able to
> > connect to eduroam for class. I was using linux on my past laptop, however
> > I connected through wpa_supplicant on it. I copied my wpa_supplicant.conf
> > over, however whenever I try to connect to a network I get hung up in the
> > same spot. The conf works fine on linux, so the credentials are correct.
> > I've also ensured the interface was up with "doas ifconfig iwm0 up". Here's
> > the output from attempting to connect with "doas wpa_supplicant -i iwm0 -c
> > /etc/wpa_supplicant.conf -D openbsd -dd":
> > wpa_supplicant v2.9
> > Successfully initialized wpa_supplicant
> > Initializing interface 'iwm0' conf '/etc/wpa_supplicant.conf' driver
> > 'openbsd' ctrl_interface 'N/A' bridge 'N/A'
> > Configuration file '/etc/wpa_supplicant.conf' -> '/etc/wpa_supplicant.conf'
> > Reading configuration file '/etc/wpa_supplicant.conf'
> > ctrl_interface='/var/run/wpa_supplicant'
> > ctrl_interface_group='wheel'
> > eapol_version=2
> > ap_scan=1
> > fast_reauth=1
> > update_config=1
> > Line: 11 - start of a new network block
> > ssid - hexdump_ascii(len=): HOME
> > key_mgmt: 0x2
> > PSK - hexdump(len=): [REMOVED]
> > Line: 19 - start of a new network block
> > ssid - hexdump_ascii(len=7): eduroam
> > scan_ssid=1 (0x1)
> > key_mgmt: 0x1
> > eap methods - hexdump(len=): 00 00 00 00 19 00 00 00 00 00 00 00 00 00 00 00
> > phase2 - hexdump_ascii(len=):
> >  61 75 74 68 3d 4d 53 43 48 41 50 56 32auth=MSCHAPV2
> > auth_alg: 0x1
> > identity - hexdump_ascii(len=):
> > ca_cert - hexdump_ascii(len=):
> >  2f 65 74 63 2f 73 73 6c 2f 63 65 72 74 73 2f 41   /etc/ssl/certs/A
> >  64 64 54 72 75 73 74 5f 45 78 74 65 72 6e 61 6c   ddTrust_External
> >  5f 52 6f 6f 74 2e 70 65 6d_Root.pem
> > password - hexdump_ascii(len=): [REMOVED]
> > Line: 32 - start of a new network block
> > ssid - hexdump_ascii(len=):   HOME2
> > PSK - hexdump(len=): [REMOVED]
> > Priority group 0
> >id=0 ssid='HOME'
> >id=1 ssid='eduroam'
> >id=2 ssid='HOME2'
> > Add interface iwm0 to a new radio N/A
> > iwm0: Failed to attach pkt_type filter
> > iwm0: Own MAC address: 38:00:25:6c:76:6d
> > iwm0: RSN: flushing PMKID list in the driver
> > iwm0: Setting scan request: 0.10 sec
> > ENGINE: Loading builtin engines
> > ENGINE: Loading builtin engines
> > EAPOL: SUPP_PAE entering state DISCONNECTED
> > EAPOL: Supplicant port status: Unauthorized
> > EAPOL: KEY_RX entering state NO_KEY_RECEIVE
> > EAPOL: SUPP_BE entering state INITIALIZE
> > EAP: EAP entering state DISABLED
> > ctrl_interface_group=0 (from group name 'wheel')
> > iwm0: Added interface iwm0
> > iwm0: State: DISCONNECTED -> DISCONNECTED
> > iwm0: Using OpenBSD - overriding ap_scan configuration
> > EAPOL: disable timer tick
> >
> > Here is the output after sending a ctrl-C to the terminal:
> >  ^Ciwm0: Removing interface iwm0
> > iwm0: Request to deauthenticate - bssid=00:00:00:00:00:00
> > pending_bssid=00:00:00:00:00:00 reason=3 (DEAUTH_LEAVING) state=DISCONNECTED
> > iwm0: State: DISCONNECTED -> DISCONNECTED
> > EAPOL: External notification - portEnabled=0
> > EAPOL: External notification - portValid=0
> > iwm0: WPA: Clear old PMK and PTK
> > iwm0: Cancelling scan request
> > iwm0: Cancelling authentication timeout
> > Remove interface iwm0 from radio
> > Remove radio
> > iwm0: CTRL-EVENT-TERMINATING
> >
>
> Hi Charlie,
>
> eduroam works just fine on OpenBSD with wpa_supplic

Re: wpa_supplicant error

2020-02-04 Thread Charlie Burnett
Well, I’m a dumbass.

I just needed to swap out “psk” for “password” in my file. All working now.

On Tue, Feb 4, 2020 at 4:59 PM Charlie Burnett  wrote:

> Well, I at least have a tangible error now. Observing through wpa_cli, I
> get the following:
> <3>CTRL-EVENT-EAP-STATUS status=‘eap parameter needed’ parameter=‘PASSWORD’
> <3>CTRL-REQ-PASSWORD-0: Password needed for SSID eduroam
> <3>CTRL-EVENT-EAP-FAILURE EAP authentication failed
> Authentication with $BSSID timed out.
>
> Out of curiosity I switched it to WPA2-PSK and it says it successfully
> associated, however I can’t ping anything and trying to use dhclient just
> results in it timing out/sleeping.
>
> I know my password is correct as well
>
> On Mon, Feb 3, 2020 at 4:42 AM Raf Czlonka  wrote:
>
>> On Sun, Feb 02, 2020 at 09:42:52PM GMT, Charlie Burnett wrote:
>> > Hey @misc,
>> > I've used OpenBSD on my desktop and server for a while, however they both
>> > have an Ethernet connection. I recently got my hands on a thinkpad x1 6th
>> > gen in order to ensure compatibility with OpenBSD. I can connect fine via
>> > the /etc/hostname.if with /etc/netstart, however I need to be able to
>> > connect to eduroam for class. I was using linux on my past laptop, however
>> > I connected through wpa_supplicant on it. I copied my wpa_supplicant.conf
>> > over, however whenever I try to connect to a network I get hung up in the
>> > same spot. The conf works fine on linux, so the credentials are correct.
>> > I've also ensured the interface was up with "doas ifconfig iwm0 up". Here's
>> > the output from attempting to connect with "doas wpa_supplicant -i iwm0 -c
>> > /etc/wpa_supplicant.conf -D openbsd -dd":
>> > wpa_supplicant v2.9
>> > Successfully initialized wpa_supplicant
>> > Initializing interface 'iwm0' conf '/etc/wpa_supplicant.conf' driver
>> > 'openbsd' ctrl_interface 'N/A' bridge 'N/A'
>> > Configuration file '/etc/wpa_supplicant.conf' -> '/etc/wpa_supplicant.conf'
>> > Reading configuration file '/etc/wpa_supplicant.conf'
>> > ctrl_interface='/var/run/wpa_supplicant'
>> > ctrl_interface_group='wheel'
>> > eapol_version=2
>> > ap_scan=1
>> > fast_reauth=1
>> > update_config=1
>> > Line: 11 - start of a new network block
>> > ssid - hexdump_ascii(len=): HOME
>> > key_mgmt: 0x2
>> > PSK - hexdump(len=): [REMOVED]
>> > Line: 19 - start of a new network block
>> > ssid - hexdump_ascii(len=7): eduroam
>> > scan_ssid=1 (0x1)
>> > key_mgmt: 0x1
>> > eap methods - hexdump(len=): 00 00 00 00 19 00 00 00 00 00 00 00 00 00 00 00
>> > phase2 - hexdump_ascii(len=):
>> >  61 75 74 68 3d 4d 53 43 48 41 50 56 32auth=MSCHAPV2
>> > auth_alg: 0x1
>> > identity - hexdump_ascii(len=):
>> > ca_cert - hexdump_ascii(len=):
>> >  2f 65 74 63 2f 73 73 6c 2f 63 65 72 74 73 2f 41   /etc/ssl/certs/A
>> >  64 64 54 72 75 73 74 5f 45 78 74 65 72 6e 61 6c   ddTrust_External
>> >  5f 52 6f 6f 74 2e 70 65 6d_Root.pem
>> > password - hexdump_ascii(len=): [REMOVED]
>> > Line: 32 - start of a new network block
>> > ssid - hexdump_ascii(len=):   HOME2
>> > PSK - hexdump(len=): [REMOVED]
>> > Priority group 0
>> >id=0 ssid='HOME'
>> >id=1 ssid='eduroam'
>> >id=2 ssid='HOME2'
>> > Add interface iwm0 to a new radio N/A
>> > iwm0: Failed to attach pkt_type filter
>> > iwm0: Own MAC address: 38:00:25:6c:76:6d
>> > iwm0: RSN: flushing PMKID list in the driver
>> > iwm0: Setting scan request: 0.10 sec
>> > ENGINE: Loading builtin engines
>> > ENGINE: Loading builtin engines
>> > EAPOL: SUPP_PAE entering state DISCONNECTED
>> > EAPOL: Supplicant port status: Unauthorized
>> > EAPOL: KEY_RX entering state NO_KEY_RECEIVE
>> > EAPOL: SUPP_BE entering state INITIALIZE
>> > EAP: EAP entering state DISABLED
>> > ctrl_interface_group=0 (from group name 'wheel')
>> > iwm0: Added interface iwm0
>> > iwm0: State: DISCONNECTED -> DISCONNECTED
>> > iwm0: Using OpenBSD - overriding ap_scan configuration
>> > EAPOL: disable timer tick
>> >
>> > Here is the output after sending a ctrl-C to the terminal:
>> >  ^Ciwm0: Removing interface iwm0
>> > iwm0: Request to deauthenticate - bssid=00:00:00:00:00:00
>> > pend

Re: wpa_supplicant error

2020-02-02 Thread Charlie Burnett
Yep I've been using that for a while, however I don't believe it's possible
to connect to eduroam through hostname.if config files :/

On Sun, Feb 2, 2020 at 4:01 PM Edgar Pettijohn 
wrote:

> Try without wpa_supplicant
>
> /etc/hostname.iwm0
> nwid yournwid wpakey yourwpakey
> dhcp
>
> sh /etc/netstart
>
> On Feb 2, 2020 3:42 PM, Charlie Burnett  wrote:
> >
> > Hey @misc,
> > I've used OpenBSD on my desktop and server for a while, however they both
> > have an Ethernet connection. I recently got my hands on a thinkpad x1 6th
> > gen in order to ensure compatibility with OpenBSD. I can connect fine via
> > the /etc/hostname.if with /etc/netstart, however I need to be able to
> > connect to eduroam for class. I was using linux on my past laptop, however
> > I connected through wpa_supplicant on it. I copied my wpa_supplicant.conf
> > over, however whenever I try to connect to a network I get hung up in the
> > same spot. The conf works fine on linux, so the credentials are correct.
> > I've also ensured the interface was up with "doas ifconfig iwm0 up". Here's
> > the output from attempting to connect with "doas wpa_supplicant -i iwm0 -c
> > /etc/wpa_supplicant.conf -D openbsd -dd":
> > wpa_supplicant v2.9
> > Successfully initialized wpa_supplicant
> > Initializing interface 'iwm0' conf '/etc/wpa_supplicant.conf' driver
> > 'openbsd' ctrl_interface 'N/A' bridge 'N/A'
> > Configuration file '/etc/wpa_supplicant.conf' -> '/etc/wpa_supplicant.conf'
> > Reading configuration file '/etc/wpa_supplicant.conf'
> > ctrl_interface='/var/run/wpa_supplicant'
> > ctrl_interface_group='wheel'
> > eapol_version=2
> > ap_scan=1
> > fast_reauth=1
> > update_config=1
> > Line: 11 - start of a new network block
> > ssid - hexdump_ascii(len=): HOME
> > key_mgmt: 0x2
> > PSK - hexdump(len=): [REMOVED]
> > Line: 19 - start of a new network block
> > ssid - hexdump_ascii(len=7): eduroam
> > scan_ssid=1 (0x1)
> > key_mgmt: 0x1
> > eap methods - hexdump(len=): 00 00 00 00 19 00 00 00 00 00 00 00 00 00 00 00
> > phase2 - hexdump_ascii(len=):
> >  61 75 74 68 3d 4d 53 43 48 41 50 56 32auth=MSCHAPV2
> > auth_alg: 0x1
> > identity - hexdump_ascii(len=):
> > ca_cert - hexdump_ascii(len=):
> >  2f 65 74 63 2f 73 73 6c 2f 63 65 72 74 73 2f 41   /etc/ssl/certs/A
> >  64 64 54 72 75 73 74 5f 45 78 74 65 72 6e 61 6c   ddTrust_External
> >  5f 52 6f 6f 74 2e 70 65 6d_Root.pem
> > password - hexdump_ascii(len=): [REMOVED]
> > Line: 32 - start of a new network block
> > ssid - hexdump_ascii(len=):   HOME2
> > PSK - hexdump(len=): [REMOVED]
> > Priority group 0
> >id=0 ssid='HOME'
> >id=1 ssid='eduroam'
> >id=2 ssid='HOME2'
> > Add interface iwm0 to a new radio N/A
> > iwm0: Failed to attach pkt_type filter
> > iwm0: Own MAC address: 38:00:25:6c:76:6d
> > iwm0: RSN: flushing PMKID list in the driver
> > iwm0: Setting scan request: 0.10 sec
> > ENGINE: Loading builtin engines
> > ENGINE: Loading builtin engines
> > EAPOL: SUPP_PAE entering state DISCONNECTED
> > EAPOL: Supplicant port status: Unauthorized
> > EAPOL: KEY_RX entering state NO_KEY_RECEIVE
> > EAPOL: SUPP_BE entering state INITIALIZE
> > EAP: EAP entering state DISABLED
> > ctrl_interface_group=0 (from group name 'wheel')
> > iwm0: Added interface iwm0
> > iwm0: State: DISCONNECTED -> DISCONNECTED
> > iwm0: Using OpenBSD - overriding ap_scan configuration
> > EAPOL: disable timer tick
> >
> > Here is the output after sending a ctrl-C to the terminal:
> > ^Ciwm0: Removing interface iwm0
> > iwm0: Request to deauthenticate - bssid=00:00:00:00:00:00
> > pending_bssid=00:00:00:00:00:00 reason=3 (DEAUTH_LEAVING)
> state=DISCONNECTED
> > iwm0: State: DISCONNECTED -> DISCONNECTED
> > EAPOL: External notification - portEnabled=0
> > EAPOL: External notification - portValid=0
> > iwm0: WPA: Clear old PMK and PTK
> > iwm0: Cancelling scan request
> > iwm0: Cancelling authentication timeout
> > Remove interface iwm0 from radio
> > Remove radio
> > iwm0: CTRL-EVENT-TERMINATING
> >
> >
> > And here's my wpa_supplicant.conf (with ssid's and psk's removed):
> > ctrl_interface=/var/run/wpa_supplicant
> > ctrl_interface_group=wheel
> > eapol_version=2
> > ap_scan=1
> > fast_reauth=1
> > update_config=1
> >
> > network={
> > ssid="HOME"
> > psk=PASSWORD
> > }
> >
> > # Eduroam
> > network={
> > ssid="eduroam"
> > scan_ssid=1
> > key_mgmt=WPA-EAP
> > eap=PEAP
> > phase2="auth=MSCHAPV2"
> > auth_alg=OPEN
> > identity="burne...@umn.edu"
> > ca_cert="/etc/ssl/certs/AddTrust_External_Root.pem"
> > password="Here I am, here I remain."
> > }
> >
> > network={
> > ssid="HOME2"
> > psk=PASSWORD
> > }
> >
> > Any help would be very much appreciated!
>


wpa_supplicant error

2020-02-02 Thread Charlie Burnett
Hey @misc,
I've used OpenBSD on my desktop and server for a while, however they both
have an Ethernet connection. I recently got my hands on a thinkpad x1 6th
gen in order to ensure compatibility with OpenBSD. I can connect fine via
the /etc/hostname.if with /etc/netstart, however I need to be able to
connect to eduroam for class. I was using linux on my past laptop, however
I connected through wpa_supplicant on it. I copied my wpa_supplicant.conf
over, however whenever I try to connect to a network I get hung up in the
same spot. The conf works fine on linux, so the credentials are correct.
I've also ensured the interface was up with "doas ifconfig iwm0 up". Here's
the output from attempting to connect with "doas wpa_supplicant -i iwm0 -c
/etc/wpa_supplicant.conf -D openbsd -dd":
wpa_supplicant v2.9
Successfully initialized wpa_supplicant
Initializing interface 'iwm0' conf '/etc/wpa_supplicant.conf' driver
'openbsd' ctrl_interface 'N/A' bridge 'N/A'
Configuration file '/etc/wpa_supplicant.conf' -> '/etc/wpa_supplicant.conf'
Reading configuration file '/etc/wpa_supplicant.conf'
ctrl_interface='/var/run/wpa_supplicant'
ctrl_interface_group='wheel'
eapol_version=2
ap_scan=1
fast_reauth=1
update_config=1
Line: 11 - start of a new network block
ssid - hexdump_ascii(len=): HOME
key_mgmt: 0x2
PSK - hexdump(len=): [REMOVED]
Line: 19 - start of a new network block
ssid - hexdump_ascii(len=7): eduroam
scan_ssid=1 (0x1)
key_mgmt: 0x1
eap methods - hexdump(len=): 00 00 00 00 19 00 00 00 00 00 00 00 00 00 00 00
phase2 - hexdump_ascii(len=):
 61 75 74 68 3d 4d 53 43 48 41 50 56 32auth=MSCHAPV2
auth_alg: 0x1
identity - hexdump_ascii(len=):
ca_cert - hexdump_ascii(len=):
 2f 65 74 63 2f 73 73 6c 2f 63 65 72 74 73 2f 41   /etc/ssl/certs/A
 64 64 54 72 75 73 74 5f 45 78 74 65 72 6e 61 6c   ddTrust_External
 5f 52 6f 6f 74 2e 70 65 6d_Root.pem
password - hexdump_ascii(len=): [REMOVED]
Line: 32 - start of a new network block
ssid - hexdump_ascii(len=):   HOME2
PSK - hexdump(len=): [REMOVED]
Priority group 0
   id=0 ssid='HOME'
   id=1 ssid='eduroam'
   id=2 ssid='HOME2'
Add interface iwm0 to a new radio N/A
iwm0: Failed to attach pkt_type filter
iwm0: Own MAC address: 38:00:25:6c:76:6d
iwm0: RSN: flushing PMKID list in the driver
iwm0: Setting scan request: 0.10 sec
ENGINE: Loading builtin engines
ENGINE: Loading builtin engines
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: Supplicant port status: Unauthorized
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
ctrl_interface_group=0 (from group name 'wheel')
iwm0: Added interface iwm0
iwm0: State: DISCONNECTED -> DISCONNECTED
iwm0: Using OpenBSD - overriding ap_scan configuration
EAPOL: disable timer tick

Here is the output after sending a ctrl-C to the terminal:
 ^Ciwm0: Removing interface iwm0
iwm0: Request to deauthenticate - bssid=00:00:00:00:00:00
pending_bssid=00:00:00:00:00:00 reason=3 (DEAUTH_LEAVING) state=DISCONNECTED
iwm0: State: DISCONNECTED -> DISCONNECTED
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
iwm0: WPA: Clear old PMK and PTK
iwm0: Cancelling scan request
iwm0: Cancelling authentication timeout
Remove interface iwm0 from radio
Remove radio
iwm0: CTRL-EVENT-TERMINATING


And here's my wpa_supplicant.conf (with ssid's and psk's removed):
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
eapol_version=2
ap_scan=1
fast_reauth=1
update_config=1

network={
ssid="HOME"
psk=PASSWORD
}

# Eduroam
network={
ssid="eduroam"
scan_ssid=1
key_mgmt=WPA-EAP
eap=PEAP
phase2="auth=MSCHAPV2"
auth_alg=OPEN
identity="burne...@umn.edu"
ca_cert="/etc/ssl/certs/AddTrust_External_Root.pem"
password="Here I am, here I remain."
}

network={
ssid="HOME2"
psk=PASSWORD
}

Any help would be very much appreciated!


Anyone gotten touchscreen on Thinkpad X1 working?

2020-01-26 Thread Charlie Burnett
Hey all,
I recently picked up an X1 carbon 6th gen that happened to have the
touchscreen option on it. Everything works great otherwise, but I don't
seem to have any luck on the touchscreen issue. I don't see anything
relevant in dmesg either, shown below. Any ideas?

OpenBSD 6.6-current (GENERIC.MP) #618: Thu Jan 23 23:58:32 MST 2020
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 17031843840 (16242MB)
avail mem = 16503181312 (15738MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x5a63b000 (62 entries)
bios0: vendor LENOVO version "N23ET66W (1.41 )" date 09/02/2019
bios0: LENOVO 20KGSCVN00
acpi0 at bios0: ACPI 5.0
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP SSDT SSDT TPM2 UEFI SSDT SSDT HPET APIC MCFG ECDT
SSDT SSDT BOOT BATB SLIC SSDT SSDT SSDT LPIT WSMT SSDT SSDT SSDT DBGP DBG2
MSDM NHLT ASF! FPDT UEFI WPBT
acpi0: wakeup devices GLAN(S4) XHC_(S3) XDCI(S4) HDAS(S4) RP01(S4) PXSX(S4)
RP02(S4) PXSX(S4) PXSX(S4) RP04(S4) PXSX(S4) RP05(S4) PXSX(S4) RP06(S4)
PXSX(S4) RP07(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 2399 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz, 1790.09 MHz, 06-8e-0a
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 24MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1.1.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz, 1795.83 MHz, 06-8e-0a
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz, 1795.83 MHz, 06-8e-0a
cpu2:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz, 1795.83 MHz, 06-8e-0a
cpu3:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 0, core 3, package 0
cpu4 at mainbus0: apid 1 (application processor)
cpu4: Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz, 1795.82 MHz, 06-8e-0a
cpu4:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu4: 256KB 64b/line 8-way L2 cache
cpu4: smt 1, core 0, package 0
cpu5 at mainbus0: apid 3 (application processor)
cpu5: Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz, 

Trouble recognizing Surface Book Keyboard

2020-01-01 Thread Charlie Burnett
Hey y’all,
I recently got a surface book for a real good price since I was due for an
upgrade, and since I usually run OpenBSD on my daily machine I went ahead
and installed it. I’m aware that the wireless card isn’t supported, but
I’ve got a usb one that works fine. During the installation it had no
trouble using the keyboard. After the reboot however the keyboard and
trackpad were non responsive. I can use a usb keyboard while booted but
can’t figure out why it won’t pick up the actual keyboard. Any help would
be greatly appreciated! Attached the dmesg below.


OpenBSD 6.6-current (RAMDISK_CD) #542: Fri Dec 27 08:43:35 MST 2019
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
real mem = 8495235072 (8101MB)
avail mem = 8233758720 (7852MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.1 @ 0x8be35000 (15 entries)
bios0: vendor Microsoft Corporation version "91.2706.768" date 04/18/2019
bios0: Microsoft Corporation Surface Book
acpi0 at bios0: ACPI 5.0
acpi0: tables DSDT FACP SSDT TPM2 MSDM SSDT HPET APIC MCFG LPIT SSDT SSDT
SSDT DMAR NHLT FPDT WSMT BGRT
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5-6300U CPU @ 2.40GHz, 2295.32 MHz, 06-4e-03
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: apic clock running at 24MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1.1.1, IBE
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 120 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (RP01)
acpiprt2 at acpi0: bus -1 (RP02)
acpiprt3 at acpi0: bus -1 (RP03)
acpiprt4 at acpi0: bus -1 (RP04)
acpiprt5 at acpi0: bus 1 (RP05)
acpiprt6 at acpi0: bus -1 (RP06)
acpiprt7 at acpi0: bus -1 (RP07)
acpiprt8 at acpi0: bus -1 (RP08)
acpiprt9 at acpi0: bus 2 (RP09)
acpiprt10 at acpi0: bus -1 (RP10)
acpiprt11 at acpi0: bus -1 (RP11)
acpiprt12 at acpi0: bus 3 (RP12)
acpiprt13 at acpi0: bus -1 (RP13)
acpiprt14 at acpi0: bus -1 (RP14)
acpiprt15 at acpi0: bus -1 (RP15)
acpiprt16 at acpi0: bus -1 (RP16)
acpiprt17 at acpi0: bus -1 (RP17)
acpiprt18 at acpi0: bus -1 (RP18)
acpiprt19 at acpi0: bus -1 (RP19)
acpiprt20 at acpi0: bus -1 (RP20)
acpiprt21 at acpi0: bus -1 (RP21)
acpiprt22 at acpi0: bus -1 (RP22)
acpiprt23 at acpi0: bus -1 (RP23)
acpiprt24 at acpi0: bus -1 (RP24)
acpiec0 at acpi0
acpicpu at acpi0 not configured
acpitz at acpi0 not configured
acpitz at acpi0 not configured
acpitz at acpi0 not configured
acpitz at acpi0 not configured
acpitz at acpi0 not configured
acpitz at acpi0 not configured
acpitz at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
"PNP0A08" at acpi0 not configured
"ACPI0003" at acpi0 not configured
"PNP0C0A" at acpi0 not configured
"PNP0C0A" at acpi0 not configured
"MSHW0029" at acpi0 not configured
"MSHW0040" at acpi0 not configured
acpicmos0 at acpi0
"INT344B" at acpi0 not configured
"MSHW0030" at acpi0 not configured
"MAX34407" at acpi0 not configured
"INT3472" at acpi0 not configured
"INT33BE" at acpi0 not configured
"INT3472" at acpi0 not configured
"INT347A" at acpi0 not configured
"INT3472" at acpi0 not configured
"INT347E" at acpi0 not configured
"MSHW0085" at acpi0 not configured
"MSHW0005" at acpi0 not configured
"MSHW0080" at acpi0 not configured
"MSHW0036" at acpi0 not configured
"MSHW0041" at acpi0 not configured
"MSHW0042" at acpi0 not configured
"MSHW0045" at acpi0 not configured
"MSHW0076" at acpi0 not configured
"INT33A1" at acpi0 not configured
"PNP0C0D" at acpi0 not configured
"IFX0562" at acpi0 not configured
cpu0: using VERW MDS workaround
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Core 6G Host" rev 0x08
"Intel HD Graphics 520" rev 0x07 at pci0 dev 2 function 0 not configured
vendor "Intel", unknown product 0x1919 (class multimedia subclass
miscellaneous, rev 0x01) at pci0 dev 5 function 0 not configured
"Intel Core GMM" rev 0x00 at pci0 dev 8 function 0 not configured
xhci0 at pci0 dev 20 function 0 "Intel 100 Series xHCI" rev 0x21: msi, xHCI
1.0
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 

Re: Desktop full text search

2019-09-18 Thread Charlie Burnett
Try pdfgrep and catdoc in ports/pkg for documents I’d say, you could
probably rig up a simple shell script to do it automatically...
unfortunately don’t know what program(s) would be faster than grep?

On Wed, Sep 18, 2019 at 3:26 PM Oriol Demaria  wrote:

> Exactly I do the same... but is falling short or too slow. :)
>
> ---
> Oriol Demaria
> 2FFED630C16E4FF8
>
> On 18/09/2019 17:01, Charlie Burnett wrote:
> > I use Gnome as a DE but I still just do it through a terminal-
> > grep -R "foo" *
> > from whatever directory I wanna find the text in, replace foo with the
> > text
> > you want.
> >
> > On Wed, Sep 18, 2019 at 10:38 AM Oriol Demaria 
> > wrote:
> >
> >> So finding some code between large amounts of repos can be tricky. I
> >> don't use Gnome or KDE so I was wondering what do people use for this.
> >> Been looking at the ports and I see Xapian and others. Any advice on
> >> a nice setup?
> >>
> >> Regards,
> >>
> >> --
> >> Oriol Demaria
> >> 2FFED630C16E4FF8
> >>
> >>
>


Re: AMDGPU in current issue

2019-09-06 Thread Charlie Burnett
Hey, apologies to continually bother you with this, but I've gotten a
driver that compiles and detects the card... however it seems to be having
powerplay table issues, I was wondering if this was ever an issue when
initially porting, and if so how'd you go about fixing it?
Leaving the powerplay untouched and only altering the amdgpu subdirectory
results in the following error in dmesg:
initializing kernel modesetting (VEGA20 0x1002:0x66AF 0x1002:0x081E 0xC1).
amdgpu_device_resize_fb_bar: stub
amdgpu: [powerplay] smc start failed
amdgpu: [powerplay] powerplay hw init failed
[drm] *ERROR* hw_init of IP block  failed -22
drm:pid0:amdgpu_device_init *ERROR* amdgpu_device_ip_init failed
drm:pid0:amdgpu_attachhook *ERROR* Fatal error during GPU init
efifb0 at mainbus0: 3440x1440, 32bpp
wsdisplay0 at efifb0 mux 1: console (std, vt100 emulation), using wskbd0
wskbd1: connecting to wsdisplay0
wskbd2: connecting to wsdisplay0
wskbd3: connecting to wsdisplay0
wskbd4: connecting to wsdisplay0
wsdisplay0: screen 1-5 added (std, vt100 emulation)

Compiling the kernel with the additional powerplay changes relevant to vega
20 results in a similar message, although instead of the "hw_init" having
issues, it complains about "Unmatch PPTable version, vbios update may be
needed". I'd post a diff, but trying to generate a diff through cvs isn't
picking up the files I've added even with the --new-file option, but I'm
rather unfamiliar with cvs/diff in general so it's probable I screwed the
pooch on that part somehow. Any help would be very much appreciated, and
thanks for the help you've given already!

On Wed, Sep 4, 2019 at 8:04 PM Jonathan Gray  wrote:

> amdgpu tracks the linux-4.19.y (lts) branch of linux-stable
> currently this is 4.19.69
>
> On Wed, Sep 04, 2019 at 10:28:51AM -0500, Charlie Burnett wrote:
> > Thanks for the advice!
> > Do you happen to have a link to the commit amdgpu is at currently?
> >
> > On Wed, Sep 4, 2019 at 9:44 AM Jonathan Gray  wrote:
> >
> > > Look for individual post 4.19 linux commits that are relevant.
> > > We have in the past taken small patches to enable more
> > > generations of hardware.
> > >
> > > On Wed, Sep 04, 2019 at 08:11:24AM -0500, Charlie Burnett wrote:
> > > > Hey,
> > > > > I’ve been trying to write a patch to get vega 20 working, but due
> to a
> > > > > screw up on my end I lost the progress I’d made. Before I start
> over
> > > > again,
> > > > > I was wondering if you had any advice on how to do it? Before, I was
> > > > trying
> > > > > to more or less just port the vega 20 hwmgr files in from FreeBSD drm
> > > > next
> > > > > which is at linux drm 5.0 as well as the other files which seemed to
> > > > > mention Vega 20 or seemed to be needed to compile. I wasn’t having
> much
> > > > > luck as you can imagine, and currently I’m still in university so
> my
> > > > > experience with kernel patching isn’t fantastic, I was wondering
> if you
> > > > > might have any advice where to begin if I’m having to start from
> > > > scratch?
> > > > Best regards,
> > > > Charlie Burnett
> > > >
> > > > On Thu, Aug 1, 2019 at 11:06 PM Jonathan Gray  wrote:
> > > >
> > > > > On Fri, Aug 02, 2019 at 03:11:54AM -0500, Charlie Burnett wrote:
> > > > > > Hey-
> > > > > > I'd been messing around with the AMDGPU on current (which I'm
> aware
> > > is
> > > > > very
> > > > > > experimental) and had very few issues with it using a Vega 56
> GPU. I
> > > > > > recently swapped to another Vega GPU (Radeon VII) and have issues
> > > with
> > > > > the
> > > > > > display not showing anything. Still boots fine, in that I can
> still
> > > enter
> > > > > > commands (i.e. reboot) so it has to be a display issue. I tried
> > > searching
> > > > > > for the diff where the firmware was added which I'm certain I saw
> > > (for
> > > > > Vega
> > > > > > 20) but can't seem to find it in the commit history. Anyone have
> a
> > > fix
> > > > > for
> > > > > > it, and if not, who should I talk to if I wanted to help get it
> > > working?
> > > > > I
> > > > > > saw most of the AMDGPU commits have been by @jonathangray if he
> > > would be
> > > > > > the best option.
> > > > > > Thanks!
> > > > >
> > > > > vega20 firmware was added when ports/sysutils/firmw

Re: AMDGPU in current issue

2019-09-04 Thread Charlie Burnett
My apologies for bothering the mailing list once more-
I found the relevant commit for this in the linux git history, and found
the relevant changes. I added those changes locally on my machine, however
when I compile I get the following:
ld -T ld.script -X --warn-common -nopie -o bsd ${SYSTEM_HEAD} vers.o ${OBJS}
ld: error: undefined symbol: psp_v11_0_set_psp_funcs
>>> referenced by amdgpu_psp.c:62
(/usr/src/sys/dev/pci/drm/amd/amdgpu/amdgpu_psp.c:62)
>>>   amdgpu_psp.o:(psp_sw_init)

ld: error: undefined symbol: vega20_smu_funcs
>>> referenced by hwmgr.c:164
(/usr/src/sys/dev/pci/drm/amd/powerplay/hwmgr/hwmgr.c:164)
>>>   hwmgr.o:(hwmgr_early_init)

ld: error: undefined symbol: vega20_hwmgr_init
>>> referenced by hwmgr.c:165
(/usr/src/sys/dev/pci/drm/amd/powerplay/hwmgr/hwmgr.c:165)
>>>   hwmgr.o:(hwmgr_early_init)

ld: error: undefined symbol: nbio_v7_4_funcs
>>> referenced by soc15.c:501
(/usr/src/sys/dev/pci/drm/amd/amdgpu/soc15.c:501)
>>>   soc15.o:(soc15_set_ip_blocks)

ld: error: undefined symbol: nbio_v7_4_funcs
>>> referenced by soc15.c:501
(/usr/src/sys/dev/pci/drm/amd/amdgpu/soc15.c:501)
>>>   soc15.o:(soc15_set_ip_blocks)
*** Error 1 in /usr/src/sys/arch/amd64/compile/GENERIC.MP (Makefile:1426
'bsd': @echo ld -T ld.script -X --warn-common -nopie -o bsd '${SYST...)
From what I can tell, these all mention functions added in new files added
from the linux drm... is there anything in particular I need to do to make
sure the compiler picks up the relevant files, or maybe something to the
Makefile? I can post a diff of what I've done so far if that would be
useful.

Thanks again for all the help.

On Wed, Sep 4, 2019 at 9:44 AM Jonathan Gray  wrote:

> Look for individual post 4.19 linux commits that are relevant.
> We have in the past taken small patches to enable more
> generations of hardware.
>
> On Wed, Sep 04, 2019 at 08:11:24AM -0500, Charlie Burnett wrote:
> > Hey,
> > I’ve been trying to write a patch to get vega 20 working, but due to a
> > screw up on my end I lost the progress I’d made. Before I start over
> again,
> > I was wondering if you had any advice on how to do it? Before, I was
> trying
> > to more or less just port the vega 20 hwmgr files in from FreeBSD drm
> next
> > which is at linux drm 5.0 as well as the other files which seemed to
> > mention Vega 20 or seemed to be needed to compile. I wasn’t having much
> > luck as you can imagine, and currently I’m still in university so my
> > experience with kernel patching isn’t fantastic, I was wondering if you
> > might have any advice where to begin if I’m having to start from
> scratch?
> > Best regards,
> > Charlie Burnett
> >
> > On Thu, Aug 1, 2019 at 11:06 PM Jonathan Gray  wrote:
> >
> > > On Fri, Aug 02, 2019 at 03:11:54AM -0500, Charlie Burnett wrote:
> > > > Hey-
> > > > I'd been messing around with the AMDGPU on current (which I'm aware
> is
> > > very
> > > > experimental) and had very few issues with it using a Vega 56 GPU. I
> > > > recently swapped to another Vega GPU (Radeon VII) and have issues
> with
> > > the
> > > > display not showing anything. Still boots fine, in that I can still
> enter
> > > > commands (i.e. reboot) so it has to be a display issue. I tried
> searching
> > > > for the diff where the firmware was added which I'm certain I saw
> (for
> > > Vega
> > > > 20) but can't seem to find it in the commit history. Anyone have a
> fix
> > > for
> > > > it, and if not, who should I talk to if I wanted to help get it
> working?
> > > I
> > > > saw most of the AMDGPU commits have been by @jonathangray if he
> would be
> > > > the best option.
> > > > Thanks!
> > >
> > > vega20 firmware was added when ports/sysutils/firmware/amdgpu was
> > > updated to 20190312.
> > >
> > > vega20 is marked as experimental in the version of drm we have, but we
> > > don't currently check the flag on probe like linux does.
> > >
> > > The following diff will prevent amdgpu from matching on devices
> > > in the amdgpu_pciidlist table with the AMD_EXP_HW_SUPPORT flag
> > > (currently these are all vega20 ids).
> > >
> > > Index: sys/dev/pci/drm/include/drm/drm_drv.h
> > > ===
> > > RCS file: /cvs/src/sys/dev/pci/drm/include/drm/drm_drv.h,v
> > > retrieving revision 1.2
> > > diff -u -p -r1.2 drm_drv.h
> > > --- sys/

Re: AMDGPU in current issue

2019-09-04 Thread Charlie Burnett
Thanks for the advice!
Do you happen to have a link to the commit amdgpu is at currently?

On Wed, Sep 4, 2019 at 9:44 AM Jonathan Gray  wrote:

> Look for individual post 4.19 linux commits that are relevant.
> We have in the past taken small patches to enable more
> generations of hardware.
>
> On Wed, Sep 04, 2019 at 08:11:24AM -0500, Charlie Burnett wrote:
> > Hey,
> > I’ve been trying to write a patch to get vega 20 working, but due to a
> > screw up on my end I lost the progress I’d made. Before I start over
> again,
> > I was wondering if you had any advice on how to do it? Before, I was
> trying
> > to more or less just port the vega 20 hwmgr files in from FreeBSD drm
> next
> > which is at linux drm 5.0 as well as the other files which seemed to
> > mention Vega 20 or seemed to be needed to compile. I wasn’t having much
> > luck as you can imagine, and currently I’m still in university so my
> > experience with kernel patching isn’t fantastic, I was wondering if you
> > might have any advice where to begin if I’m having to start from
> scratch?
> > Best regards,
> > Charlie Burnett
> >
> > On Thu, Aug 1, 2019 at 11:06 PM Jonathan Gray  wrote:
> >
> > > On Fri, Aug 02, 2019 at 03:11:54AM -0500, Charlie Burnett wrote:
> > > > Hey-
> > > > I'd been messing around with the AMDGPU on current (which I'm aware
> is
> > > very
> > > > experimental) and had very few issues with it using a Vega 56 GPU. I
> > > > recently swapped to another Vega GPU (Radeon VII) and have issues
> with
> > > the
> > > > display not showing anything. Still boots fine, in that I can still
> enter
> > > > commands (i.e. reboot) so it has to be a display issue. I tried
> searching
> > > > for the diff where the firmware was added which I'm certain I saw
> (for
> > > Vega
> > > > 20) but can't seem to find it in the commit history. Anyone have a
> fix
> > > for
> > > > it, and if not, who should I talk to if I wanted to help get it
> working?
> > > I
> > > > saw most of the AMDGPU commits have been by @jonathangray if he
> would be
> > > > the best option.
> > > > Thanks!
> > >
> > > vega20 firmware was added when ports/sysutils/firmware/amdgpu was
> > > updated to 20190312.
> > >
> > > vega20 is marked as experimental in the version of drm we have, but we
> > > don't currently check the flag on probe like linux does.
> > >
> > > The following diff will prevent amdgpu from matching on devices
> > > in the amdgpu_pciidlist table with the AMD_EXP_HW_SUPPORT flag
> > > (currently these are all vega20 ids).
> > >
> > > Index: sys/dev/pci/drm/include/drm/drm_drv.h
> > > ===
> > > RCS file: /cvs/src/sys/dev/pci/drm/include/drm/drm_drv.h,v
> > > retrieving revision 1.2
> > > diff -u -p -r1.2 drm_drv.h
> > > --- sys/dev/pci/drm/include/drm/drm_drv.h   25 Jul 2019 05:48:16
> > > -  1.2
> > > +++ sys/dev/pci/drm/include/drm/drm_drv.h   2 Aug 2019 03:29:58
> -
> > > @@ -291,5 +291,7 @@ static inline bool drm_drv_uses_atomic_m
> > >  intdrm_dev_register(struct drm_device *, unsigned long);
> > >  void   drm_dev_unregister(struct drm_device *);
> > >  intdrm_getpciinfo(struct drm_device *, void *, struct drm_file *);
> > > +const struct drm_pcidev*drm_find_description(int, int,
> > > +const struct drm_pcidev *);
> > >
> > >  #endif
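Review bot: the added drm_find_description prototype takes two bare int arguments, so the header does not say which is the vendor ID and which is the product ID, and a swapped call would compile without a warning. The neighbouring prototypes also omit parameter names, so a one-line comment giving the order would fit the file; the amdgpu_probe hunk passes PCI_VENDOR(pa->pa_id) first and PCI_PRODUCT(pa->pa_id) second.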
> > > Index: sys/dev/pci/drm/amd/amdgpu/amdgpu_kms.c
> > > ===
> > > RCS file: /cvs/src/sys/dev/pci/drm/amd/amdgpu/amdgpu_kms.c,v
> > > retrieving revision 1.3
> > > diff -u -p -r1.3 amdgpu_kms.c
> > > --- sys/dev/pci/drm/amd/amdgpu/amdgpu_kms.c 4 Jul 2019 03:39:07
> -
> > >  1.3
> > > +++ sys/dev/pci/drm/amd/amdgpu/amdgpu_kms.c 2 Aug 2019 03:35:35
> -
> > > @@ -1337,10 +1337,23 @@ int amdgpu_debugfs_firmware_init(struct
> > >  int
> > >  amdgpu_probe(struct device *parent, void *match, void *aux)
> > >  {
> > > +   struct pci_attach_args *pa = aux;
> > > +   const struct drm_pcidev *id_entry;
> > > +   unsigned long flags = 0;
> > > +
> > > if (amdgpu_fatal_error)
> > > return 0;
> > > -   if (drm_pciprobe(aux, amdgpu_pciidlist))
> > > -   return 20;
> > > +
> > > +   id_entry = drm_find_description(PCI_VENDOR(pa->pa_id),
> > > +   PCI_PRODUCT(pa->pa_id), amdgpu_pciidlist);
> > > +   if (id_entry != NULL) {
> > > +   flags = id_entry->driver_data;
> > > +   if (flags & AMD_EXP_HW_SUPPORT)
> > > +   return 0;
> > > +   else
> > > +   return 20;
> > > +   }
> > > +
> > > return 0;
> > >  }
> > >
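Review bot: in amdgpu_probe the AMD_EXP_HW_SUPPORT branch refuses the device with a bare "return 0" and no comment, which reads the same as the no-match fall-through at the end of the function; a short comment there saying experimental IDs are skipped on purpose would keep a later cleanup from folding the two paths together. The flags local is assigned and tested once and the else after "return 0" is redundant, so the block can test id_entry->driver_data & AMD_EXP_HW_SUPPORT directly. Since the lookup replaces the drm_pciprobe(aux, amdgpu_pciidlist) call, it is worth confirming that drm_pciprobe did nothing beyond the vendor/product match that the probe still depends on.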
> > >
> > >
>


Re: AMDGPU in current issue

2019-09-04 Thread Charlie Burnett
Hey,
I’ve been trying to write a patch to get vega 20 working, but due to a
screw up on my end I lost the progress I’d made. Before I start over again,
I was wondering if you had any advice on how to do it? Before, I was trying
to more or less just port the vega 20 hwmgr files in from FreeBSD drm next
which is at linux drm 5.0 as well as the other files which seemed to
mention Vega 20 or seemed to be needed to compile. I wasn’t having much
luck as you can imagine, and currently I’m still in university so my
experience with kernel patching isn’t fantastic, I was wondering if you
might have any advice where to begin if I’m having to start from scratch?
Best regards,
Charlie Burnett

On Thu, Aug 1, 2019 at 11:06 PM Jonathan Gray  wrote:

> On Fri, Aug 02, 2019 at 03:11:54AM -0500, Charlie Burnett wrote:
> > Hey-
> > I'd been messing around with the AMDGPU on current (which I'm aware is very
> > experimental) and had very few issues with it using a Vega 56 GPU. I
> > recently swapped to another Vega GPU (Radeon VII) and have issues with the
> > display not showing anything. Still boots fine, in that I can still enter
> > commands (i.e. reboot) so it has to be a display issue. I tried searching
> > for the diff where the firmware was added which I'm certain I saw (for Vega
> > 20) but can't seem to find it in the commit history. Anyone have a fix for
> > it, and if not, who should I talk to if I wanted to help get it working? I
> > saw most of the AMDGPU commits have been by @jonathangray if he would be
> > the best option.
> > Thanks!
>
> vega20 firmware was added when ports/sysutils/firmware/amdgpu was
> updated to 20190312.
>
> vega20 is marked as experimental in the version of drm we have, but we
> don't currently check the flag on probe like linux does.
>
> The following diff will prevent amdgpu from matching on devices
> in the amdgpu_pciidlist table with the AMD_EXP_HW_SUPPORT flag
> (currently these are all vega20 ids).
>
> Index: sys/dev/pci/drm/include/drm/drm_drv.h
> ===
> RCS file: /cvs/src/sys/dev/pci/drm/include/drm/drm_drv.h,v
> retrieving revision 1.2
> diff -u -p -r1.2 drm_drv.h
> --- sys/dev/pci/drm/include/drm/drm_drv.h   25 Jul 2019 05:48:16
> -  1.2
> +++ sys/dev/pci/drm/include/drm/drm_drv.h   2 Aug 2019 03:29:58 -
> @@ -291,5 +291,7 @@ static inline bool drm_drv_uses_atomic_m
>  intdrm_dev_register(struct drm_device *, unsigned long);
>  void   drm_dev_unregister(struct drm_device *);
>  intdrm_getpciinfo(struct drm_device *, void *, struct drm_file *);
> +const struct drm_pcidev*drm_find_description(int, int,
> +const struct drm_pcidev *);
>
>  #endif
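
Review bot: The new drm_find_description() prototype takes two bare `int` parameters, so the header does not say which is the vendor id and which is the product id, and nothing states that NULL means "no entry matched", which the amdgpu_probe() caller relies on. A one-line comment above the declaration would cover both; the unnamed-parameter style itself matches the neighbouring prototypes.
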
> Index: sys/dev/pci/drm/amd/amdgpu/amdgpu_kms.c
> ===
> RCS file: /cvs/src/sys/dev/pci/drm/amd/amdgpu/amdgpu_kms.c,v
> retrieving revision 1.3
> diff -u -p -r1.3 amdgpu_kms.c
> --- sys/dev/pci/drm/amd/amdgpu/amdgpu_kms.c 4 Jul 2019 03:39:07 -
>  1.3
> +++ sys/dev/pci/drm/amd/amdgpu/amdgpu_kms.c 2 Aug 2019 03:35:35 -
> @@ -1337,10 +1337,23 @@ int amdgpu_debugfs_firmware_init(struct
>  int
>  amdgpu_probe(struct device *parent, void *match, void *aux)
>  {
> +   struct pci_attach_args *pa = aux;
> +   const struct drm_pcidev *id_entry;
> +   unsigned long flags = 0;
> +
> if (amdgpu_fatal_error)
> return 0;
> -   if (drm_pciprobe(aux, amdgpu_pciidlist))
> -   return 20;
> +
> +   id_entry = drm_find_description(PCI_VENDOR(pa->pa_id),
> +   PCI_PRODUCT(pa->pa_id), amdgpu_pciidlist);
> +   if (id_entry != NULL) {
> +   flags = id_entry->driver_data;
> +   if (flags & AMD_EXP_HW_SUPPORT)
> +   return 0;
> +   else
> +   return 20;
> +   }
> +
> return 0;
>  }
>
>
>
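
Review bot: The new `if (flags & AMD_EXP_HW_SUPPORT) return 0;` in amdgpu_probe() refuses a device that is listed in amdgpu_pciidlist, and nothing in the code says that this is deliberate. A short comment above the check stating that entries flagged experimental are intentionally not matched would stop a later reader from treating the early `return 0` as a bug; the bare `20` carried over from the removed lines could be explained in the same comment.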


Re: xenodm having issues when launching a wm

2019-08-22 Thread Charlie Burnett
Are you using a modified xorg.conf.d, and mind showing your xsession?

On Thu, Aug 22, 2019 at 2:58 PM kaletaa  wrote:

> Hello,
> xenodm is having issues while starting a dwm session,
> I'm using a Thinkpad x220, OpenBSD 6.5
>
> dmesg
> 
>
> OpenBSD 6.5 (GENERIC.MP) #3: Sat Apr 13 14:48:43 MDT 2019
> dera...@amd64.openbsd.org
> :/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 4156157952 (3963MB)
> avail mem = 4020576256 (3834MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xdae9c000 (65 entries)
> bios0: vendor LENOVO version "8DET55WW (1.25 )" date 11/01/2011
> bios0: LENOVO 42912XG
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S3 S4 S5
> acpi0: tables DSDT FACP SLIC SSDT SSDT SSDT HPET APIC MCFG ECDT ASF! TCPA
> SSDT SSDT UEFI UEFI UEFI
> acpi0: wakeup devices LID_(S3) SLPB(S3) IGBE(S4) EXP4(S4) EXP7(S4)
> EHC1(S3) EHC2(S3) HDEF(S4)
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpihpet0 at acpi0: 14318179 Hz
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Core(TM) i5-2540M CPU @ 2.60GHz, 797.54 MHz, 06-2a-07
> cpu0:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
> cpu0: 256KB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
> cpu0: apic clock running at 99MHz
> cpu0: mwait min=64, max=64, C-substates=0.2.1.1.2, IBE
> cpu1 at mainbus0: apid 1 (application processor)
> cpu1: Intel(R) Core(TM) i5-2540M CPU @ 2.60GHz, 797.41 MHz, 06-2a-07
> cpu1:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
> cpu1: 256KB 64b/line 8-way L2 cache
> cpu1: smt 1, core 0, package 0
> cpu2 at mainbus0: apid 2 (application processor)
> cpu2: Intel(R) Core(TM) i5-2540M CPU @ 2.60GHz, 797.42 MHz, 06-2a-07
> cpu2:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
> cpu2: 256KB 64b/line 8-way L2 cache
> cpu2: smt 0, core 1, package 0
> cpu3 at mainbus0: apid 3 (application processor)
> cpu3: Intel(R) Core(TM) i5-2540M CPU @ 2.60GHz, 797.41 MHz, 06-2a-07
> cpu3:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
> cpu3: 256KB 64b/line 8-way L2 cache
> cpu3: smt 1, core 1, package 0
> ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
> acpimcfg0 at acpi0
> acpimcfg0: addr 0xf800, bus 0-63
> acpiec0 at acpi0
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus -1 (PEG_)
> acpiprt2 at acpi0: bus 2 (EXP1)
> acpiprt3 at acpi0: bus 3 (EXP2)
> acpiprt4 at acpi0: bus 5 (EXP4)
> acpiprt5 at acpi0: bus 13 (EXP5)
> acpiprt6 at acpi0: bus -1 (EXP7)
> acpicpu0 at acpi0: C3(200@109 io@0x416), C2(500@80 io@0x414), C1(1000@1
> halt), PSS
> acpicpu1 at acpi0: C3(200@109 io@0x416), C2(500@80 io@0x414), C1(1000@1
> halt), PSS
> acpicpu2 at acpi0: C3(200@109 io@0x416), C2(500@80 io@0x414), C1(1000@1
> halt), PSS
> acpicpu3 at acpi0: C3(200@109 io@0x416), C2(500@80 io@0x414), C1(1000@1
> halt), PSS
> acpipwrres0 at acpi0: PUBS, resource for EHC1, EHC2
> acpitz0 at acpi0: critical temperature is 99 degC
> acpibtn0 at acpi0: LID_
> acpibtn1 at acpi0: SLPB
> acpipci0 at acpi0 PCI0: 0x 0x0011 0x0001
> acpicmos0 at acpi0
> tpm0 at acpi0: TPM_ addr 0xfed4/0x5000: device 0x104a rev 0x4e
> acpibat0 at acpi0: BAT0 model "45N1023" serial 15921 type LION oem "SANYO"
> acpiac0 at acpi0: AC unit offline
> acpithinkpad0 at acpi0
> "PNP0C14" at acpi0 not configured
> "PNP0C14" at acpi0 not configured
> acpidock0 at acpi0: GDCK not docked (0)
> acpivideo0 at acpi0: VID_
> acpivout at acpivideo0 not configured
> acpivideo1 at acpi0: VID_
> cpu0: Enhanced SpeedStep 797 MHz: speeds: 2601, 2600, 2400, 2200, 2000,
> 1800, 1600, 1400, 1200, 1000, 800 MHz
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "Intel Core 2G Host" rev 0x09
> inteldrm0 at pci0 dev 2 function 0 "Intel HD Graphics 

AMDGPU in current issue

2019-08-01 Thread Charlie Burnett
Hey-
I'd been messing around with the AMDGPU on current (which I'm aware is very
experimental) and had very few issues with it using a Vega 56 GPU. I
recently swapped to another Vega GPU (Radeon VII) and have issues with the
display not showing anything. Still boots fine, in that I can still enter
commands (i.e. reboot) so it has to be a display issue. I tried searching
for the diff where the firmware was added which I'm certain I saw (for Vega
20) but can't seem to find it in the commit history. Anyone have a fix for
it, and if not, who should I talk to if I wanted to help get it working? I
saw most of the AMDGPU commits have been by @jonathangray if he would be
the best option.
Thanks!


Re: UEFI Issue

2019-07-19 Thread Charlie Burnett
Yeahhh... I've just decided to return it and get an X1 6th gen and just get
a supported wacom usb drawing tablet for notes, no OpenBSD is kind of a
dealbreaker for me. Also keyboard on it was screwy and didn't work half the
time even with Windows so not the best machine. And Legacy mode was also a
no-go, as there was no legacy mode and any and all CSM support had been
disabled, which is rather frustrating. Also, tried booting through rEFInd,
grub, took the hard drive out and installed it on a different machine, none
worked sadly. Oddly enough, certain Linux distros seemed to have a similar
issue (namely the most recent Gentoo minimal iso) so I'm guessing there was
something really weird with the EFI on it. I've got a few old/cheap
machines with issues along the same lines, I'll try to figure out what the
issue was if I can. I appreciate all y'all's help though!

On Fri, Jul 19, 2019 at 8:14 AM Kristjan Komloši wrote:

> On Tue, 2019-07-16 at 18:32 +0000, Charlie Burnett wrote:
> > Hey, I'm looking to get OpenBSD working in UEFI only mode on newer Thinkpad
> > X1 devices, because for whatever reason it hangs when loading into memory
> > without CSM enabled, and some of the X1 devices no longer have a CSM
> > option. Does anyone have a fix, or advice on where I would start looking if
> > I was going to patch it myself?
> New Lenovo laptops are getting kinda infamous for their comically bad
> UEFI implementations. They hardly boot anything but Windows. You may be
> on a blind path there.
>
> Try disabling secure boot if you haven't done so already, and try
> chainloading OpenBSD through a boot manager like rEFInd (I've been
> booting OpenBSD with it for a long time, albeit with CSM support).
>
> --
> Kristjan Komloši
> Mail: kristjan.koml...@gmail.com
> Tel:  +386 31 679 339
>
>


UEFI Issue

2019-07-16 Thread Charlie Burnett
Hey, I'm looking to get OpenBSD working in UEFI only mode on newer Thinkpad
X1 devices, because for whatever reason it hangs when loading into memory
without CSM enabled, and some of the X1 devices no longer have a CSM
option. Does anyone have a fix, or advice on where I would start looking if
I was going to patch it myself?


Re: X1 Thinkpad Tablet Freeze on Boot

2019-07-15 Thread Charlie Burnett
 Ah- I'm just now seeing the note about the screen going black after the
kernel loads into memory, and doing some more digging shows the same kind
of issue when CSM isn't enabled. Unfortunately they had said that CSM
wasn't supported with the tablet...
https://forums.lenovo.com/t5/ThinkPad-Tablets/Unable-to-enable-CSM-in-BIOS/m-p/4472630
Any ideas where to go from here? Either way I appreciate the advice. At
least I know where to start looking!

On Mon, Jul 15, 2019 at 1:43 PM Todd C. Miller  wrote:

> You probably need to make some changes to the bios settings, if you
> haven't already done so.  Try disabling "secure boot" and enabling
> "CSM Support" and see if that makes a difference.
>
> Some of the info at https://jcs.org/2017/09/01/thinkpad_x1c may
> also be applicable.
>
>  - todd
>


X1 Thinkpad Tablet Freeze on Boot

2019-07-14 Thread Charlie Burnett
First time actually submitting a bug so let me know if there's anything I
missed, or if this is the wrong way to submit it-
Trying to install OpenBSD on Thinkpad Tablet X1 Gen 3 currently. Every boot
gets hung on "entry point at 0x1001000". Can't get to dmesg or I'd try to
give more specifics. Have tried:
- Regular install via USB and install65.fs (both current and stable)
- Taking SSD out and installing via my already working OpenBSD machine
- Installing via CD
- Throwing a bsd.rd in an EFI partition and trying to boot it via GRUB
- Booting an external hard drive with working OpenBSD system on it
Any help would be welcome at this point- not a programmer by trade, but if
someone can direct me to at least how to debug it, I can try to put a
temporary fix together and send it to someone who knows what the hell
they're doing.


Trustico CEO Emailed Many Keys Stupidly: 20k https certificates compromised and revoked

2018-03-01 Thread Charlie Eddy
https://mobile.twitter.com/svblxyz/status/969220402768736258
Please comment on this exciting bad news.
Here is another link for your convenience:
https://news.ycombinator.com/item?id=16485801

Cheers


Re: Supermicro SuperServer E200-9A

2018-02-27 Thread Charlie Eddy
Mihai,

Your extrapolation is the only issue here as OP did not describe a linear
causal relationship.

See below.

> I want to build a OpenBSD firewall. And I have bought a Supermicro
> SuperServer E200-9A. There is installed a A2SDi-4C-HLN4F motherboard in it.

On Tue, Feb 27, 2018 at 11:01 AM, Rupert Gallagher <r...@protonmail.com>
wrote:

> I did not purchase the board, yet. The OP did. And he did well. Both Linux
> and FreeBSD run on it.
>
> ‐‐‐ Original Message ‐‐‐
>
> On 27 February 2018 4:22 PM, Charlie Eddy <charlie.e...@occipital.com>
> wrote:
>
> > Rupert, I strongly suggest you actively search as quickly as possible as
> > Stuart suggested, or return your product. Not the first time this has
> > happened so don't take it personally.
>


Re: Supermicro SuperServer E200-9A

2018-02-27 Thread Charlie Eddy
great news then

On Mon, Feb 26, 2018 at 3:26 PM, Rupert Gallagher 
wrote:

> Note on passing: the C2000 are officially retired and discontinued.
>
> Sent from ProtonMail Mobile
>
> On Mon, Feb 26, 2018 at 23:21, Stuart Henderson wrote:
>
> > On 2018-02-26, OpenBSD user wrote:
> > > Hello
> > >
> > > I want to build a OpenBSD firewall. And I have bought a Supermicro
> > > SuperServer E200-9A. There is installed a A2SDi-4C-HLN4F motherboard in it.
> > >
> > > I'm trying to installed OpenBSD 6.2 on it, but I have some problems.
> > >
> > > First I tried to boot it from an usb stick and thought I could use the
> > > installed keyboard to control the installation. But under the boot
> > > process and before I could type "i" for install, it had turned the
> > > keyboard off.
> > >
> > > Then I tried to control the installation from the IPMI port. I can
> > > control the installation through it, but when I'm went to configure the
> > > NIC's there is only a VLAN installed. Beside the IPMI port there is also
> > > 4 other NIC's installed on the motherboard. And I can't see them. I type
> > > "done" but when the installation come to the installed hdd, there is
> > > none to choose between.
> > >
> > > I have visit the manufacturer site, but there isn't any drivers to any *BSD.
> > >
> > > I have googled for other who have problems, but I can't find any solutions.
> > >
> > > How do I installed OpenBSD 6.2 on the E200-9A ?
> > >
> > > Please help.
> > >
> > > Thanks in advance
> > >
> >
> > This machine has a lot of rather new hardware in (C3000 Denverton) and is
> > really not at all supported yet. I found a dmesg from RAMDISK_CD on one of
> > these and it's full of failure starting with being unable to enable acpi
> > (so interrupt routing and other things aren't working), plus we haven't
> > even got skeleton pcidevs entries for most of the devices (ahci, nic, etc).
> >
> > Realistically, at the moment, I'd say the best chances of getting this
> > machine supported are if you can get similar hardware in the hands of a
> > developer if there is anyone with interest, skills and time to look into
> > it, remote debugging of a system in this state is going to be slow and
> > painful..
> >
> > OpenBSD 6.2-current (RAMDISK_CD) #379: Wed Jan 24 12:58:41 MST 2018
> > dera...@amd64.openbsd.org:/usr/src/sys/al mem = 4250882048 (4053MB)
> > avail mem = 4118294528 (3927MB)
> > mainbus0 at root
> > bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x7f0c7000 (31 entries)
> > bios0: vendor American Megatrends Inc. version "1.0" date 08/02/2017
> > bios0: Supermicro Super Server
> > acpi0 at bios0: rev 2, can't enable ACPI
> > cpu0 at mainbus0: (uniprocessor)
> > cpu0: Intel(R) Atom(TM) CPU C3338 @ 1.50: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,SMEP,ERMS,MPX,RDSEED,SMAP,CLFLUSHOPT,PT,SHA,SENSOR,ARAT
> > cpu0: 2MB 64b/line 16-way L2 cache
> > cpu0: cannot disable silicon debug
> > cpu0: mwait min=64, max=64, C-substates=0.2.0.2, IBE
> > pci0 at mainbus0 bus 0
> > 0:31:5: mem address conflict 0xfe01/0x1000
> > pchb0 at pci0 dev 0 function 0 vendor "Intel", unknown product 0x1980 rev 0x11
> > pchb1 at pci0 dev 4 function 0 vendor "Intel", unknown product 0x19a1 rev 0x11
> > vendor "Intel", unknown product 0x19a2 (class system subclass root complex event, rev 0x11) at pci0 dev 5 function 0 not configured
> > ppb0 at pci0 dev 10 function 0 vendor "Intel", unknown product 0x19a5 rev 0x11
> > pci1 at ppb0 bus 1
> > ppb1 at pci0 dev 17 function 0 vendor "Intel", unknown product 0x19ab rev 0x11
> > pci2 at ppb1 bus 2
> > ppb2 at pci2 dev 0 function 0 "ASPEED Technology AST1150 PCI" rev 0x03
> > pci3 at ppb2 bus 3
> > "ASPEED Technology AST2000" rev 0x30 at pci3 dev 0 function 0 not configured
> > vendor "Intel", unknown product 0x19ac (class system subclass miscellaneous, rev 0x11) at pci0 dev 18 function 0 not configured
> > ahci0 at pci0 dev 19 function 0 vendor "Intel", unknown product 0x19b2 rev 0x11: unable to map interrupt
> > ahci1 at pci0 dev 20 function 0 vendor "Intel", unknown product 0x19c2 rev 0x11: unable to map interrupt
> > xhci0 at pci0 dev 21 function 0 vendor "Intel", unknown product 0x19d0 rev 0x11: couldn't map interrupt
> > ppb3 at pci0 dev 22 function 0 vendor "Intel", unknown product 0x19d1 rev 0x11
> > pci4 at ppb3 bus 4
> > vendor "Intel", unknown product 0x15e5 (class network subclass ethernet, rev 0x11) at pci4 dev 0 function 0 not configured
> > vendor "Intel", unknown product 0x15e5 (class network subclass ethernet, rev 0x11) at pci4 dev 0 function 1 not configured
> > ppb4 at pci0 dev 23 function 0 vendor "Intel", unknown product 0x19d2 rev 0x11
> > pci5 at ppb4 bus 5
> > vendor "Intel", unknown product 0x15e5 (class network subclass ethernet, rev 0x11) at pci5 dev 0 function 0 not configured
> > vendor "Intel", unknown product 0x15e5 (class network subclass ethernet, rev 0x11) at pci5

Re: Supermicro SuperServer E200-9A

2018-02-27 Thread Charlie Eddy
I would "bump" the issue for this specific case, but I think it is a very
laughable mistake to argue over the definition of new.

Rupert, I strongly suggest you actively search as quickly as possible as
Stuart suggested, or return your product. Not the first time this has
happened so don't take it personally.

It would also be cool if someone has:

1) A contact list of devs who are chill and want to program new things such
as a Supermicro
SuperServer E200-9A with an A2SDi-4C-HLN4F motherboard in it.

2) A specific recommendation for an alternative device that will provide
similar sweet functionality.

My idea of (2) is one of the following:
https://www.openbsd.org/octeon.html
https://www.openbsd.org/sgi.html
... but I could be totally wrong, I am not that smart and very busy.

Regards,
Charlie

On Tue, Feb 27, 2018 at 5:51 AM, Stuart Henderson <s...@spacehopper.org>
wrote:

> On 2018/02/27 08:30, Rupert Gallagher wrote:
> > Not new at all.
> >
> > https://www.servethehome.com/intel-atom-c3338-benchmarks-why-denverton-is-so-sweet/
> >
> > https://www.servethehome.com/intel-atom-c3558-linux-benchmarks-and-review/
> >
> > https://www.servethehome.com/intel-atom-c3958-16-core-top-end-embedded-qat-linux-benchmarks-and-review/
>
> Launch date q3 '17 is pretty new.
>
> > Sent from ProtonMail Mobile
> >
> >
> > On Mon, Feb 26, 2018 at 23:21, Stuart Henderson <s...@spacehopper.org> wrote:
> >
> > On 2018-02-26, OpenBSD user wrote:
> > > Hello
> > >
> > > I want to build a OpenBSD firewall. And I have bought a Supermicro
> > > SuperServer E200-9A. There is installed a A2SDi-4C-HLN4F motherboard in it.
> > >
> > > I'm trying to installed OpenBSD 6.2 on it, but I have some problems.
> > >
> > > First I tried to boot it from an usb stick and thought I could use the
> > > installed keyboard to control the installation. But under the boot
> > > process and before I could type "i" for install, it had turned the
> > > keyboard off.
> > >
> > > Then I tried to control the installation from the IPMI port. I can
> > > control the installation through it, but when I'm went to configure the
> > > NIC's there is only a VLAN installed. Beside the IPMI port there is also
> > > 4 other NIC's installed on the motherboard. And I can't see them. I type
> > > "done" but when the installation come to the installed hdd, there is
> > > none to choose between.
> > >
> > > I have visit the manufacturer site, but there isn't any drivers to any *BSD.
> > >
> > > I have googled for other who have problems, but I can't find any solutions.
> > >
> > > How do I installed OpenBSD 6.2 on the E200-9A ?
> > >
> > > Please help.
> > >
> > > Thanks in advance
> > >
> >
> > This machine has a lot of rather new hardware in (C3000 Denverton) and is
> > really not at all supported yet. I found a dmesg from RAMDISK_CD on one of
> > these and it's full of failure starting with being unable to enable acpi
> > (so interrupt routing and other things aren't working), plus we haven't
> > even got skeleton pcidevs entries for most of the devices (ahci, nic, etc).
> >
> > Realistically, at the moment, I'd say the best chances of getting this
> > machine supported are if you can get similar hardware in the hands of a
> > developer if there is anyone with interest, skills and time to look into
> > it, remote debugging of a system in this state is going to be slow and
> > painful..
> >
> > OpenBSD 6.2-current (RAMDISK_CD) #379: Wed Jan 24 12:58:41 MST 2018
> > dera...@amd64.openbsd.org:/usr/src/sys/al mem = 4250882048 (4053MB)
> > avail mem = 4118294528 (3927MB)
> > mainbus0 at root
> > bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x7f0c7000 (31 entries)
> > bios0: vendor American Megatrends Inc. version "1.0" date 08/02/2017
> > bios0: Supermicro Super Server
> > acpi0 at bios0: rev 2, can't enable ACPI
> > cpu0 at mainbus0: (uniprocessor)
> > cpu0: Intel(R) Atom(TM) CPU C3338 @ 1.50: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,SMEP,ERMS,MPX,RDSEED,SMAP,CLFLUSHOPT,PT,SHA,SENSOR,ARAT
> > cpu0: 2MB 64b/line 16-way L2 cache
> > cpu0: cannot disable silicon debug
> > cpu0: mwait min=64, max=64, C-substates=0.2.0.2, IBE
> > pci0 at m

Re: Why is so slow the download speed in OpenBSD?

2018-02-14 Thread Charlie Eddy
Nice!

From Stefan's mail:
>"In the current implementation, the wifi layer selects a transmit rate based
>on the number of frame transmission retries reported by wpi(4) firmware."

That's the "automatically selected optimal media type", comme ci comme ca
defined w/r/t the strictness of your definition.

>"If you find that one of these commands makes it work as fast as it does on
>Windows, we can conclude that the problem is with OpenBSD's rate selection
>algorithm. This algorithm is very old and dates from a time when wifi networks
>were much less densely deployed."

It looks like OpenBSD is like driving a beautiful old car.
Malfunction doesn't make sense to say even though existing properties of
the OS and existing properties of the world aren't making it easy.

On Wed, Feb 14, 2018 at 1:47 PM, Zsolt Kantor 
wrote:

>
>
> Now, I just switched to OpenBSD, and executed the commands as you wrote
> down. AND IT WORKS!
> You have more in depth network knowledge than me, so I just will write
> down what I did, and I have also some questions related to that media
> option of the ifconfig (which I, to be honest don't really understand).
> So, I used the same mirror (https://ftp2.eu.openbsd.org/pub/OpenBSD/6.2/amd64/)
> for testing and used only wget for downloads.
> With wget the download speed is a bit higher compared to firefox or
> chromium, I think because wget is more 'light', command line tool, more
> optimized (probably the code is more clear), firefox and chromium opens
> slower maybe also bloat in code, so the download rate is also less.
> Now back to the point. I logged in to Xfce, I opened a terminal with two
> tabs, one for normal user, to execute the downloads, with the following
> command: 'wget https://ftp2.eu.openbsd.org/pub/OpenBSD/6.2/amd64/install62.fs',
> and one for root user to use ifconfig to make those
> settings. After every ifconfig change, I switched to the normal user tab
> and started the download process (sometimes, when I saw some unusual
> fluctuation I interrupted the download process and started again, waited a
> while to see what happens, than if the download process was not stable I
> waited a little to be just sure, after that started the process again and
> so on, to have a more precise report).
> Here are the test results:
> OFDM6: max: 1.30MB/s, min: 700KB/s (this config. is not stable, sometimes
> drops from 1.20MB/s to 700KB and back)
> OFDM9: average: 1.45MB/s (more stable, do not drops above 1.30MB)
> OFDM12: quite stable as with OFDM9, sometimes reaches a max. of 1.70MB/s
> OFDM18: stable, average: 1.50MB (I saw also 1.80MB/s for fractions of
> seconds)
> OFDM24: At the first try was not stable, fluctuated between 900KB/s and
> 1.70Mb/s, at the second try it was stable, avg: 1.55MB/s (for fractions of
> seconds 1.80MB/s), at the third, fourth . . . tries was stable, avg: 1.60MB
> OFDM36: quite stable, avg: 1.55MB/s
> OFDM48: not so stable, 700KB/s, 800KB/s, rarely reaches  1000KB/s (but
> immediately drops)
> OFDM54: not stable at all, between 700KB and 900KB (sometimes reaches
> 1.1MB/s, rarely drops down to 300KB/s), the avg. rate is 700-750KB.
>
> These for the tests. Now, I have a few questions. In the ifconfig manual
> at the media option states that if it is used with no arguments displays
> all available media. In my case it looks like this:
>
> supported media:
> media autoselect
> media autoselect mediaopt monitor
> media autoselect mode 11a
> media autoselect mode 11a mediaopt monitor
> media autoselect mode 11b
> media autoselect mode 11b mediaopt monitor
> media autoselect mode 11g
> media autoselect mode 11g mediaopt monitor
>
> But what you proposed to me to try is OFDM6, 9, 12 . . . In the supported
> media list I don't find those types, why?
>
> The second question is: now theoretically the problem is solved, to be
> honest I have no clue about media types, radio frequencies and such things,
> but based on my tests it's need to be corrected something in OpenBSD
> related to this issue? Or it is more like a user side configuration? If
> somebody would ask me I think the optimal media type should be
> automatically selected by the system (driver, firmware . . . I don't know
> who's in charge for this), and not by the user (after the system is
> installed).
> That's all, thanks again. For me the problem is solved. You need to decide
> if this is a malfunction or not.
>
> Thanks again.
>
>
>
>
> On Wednesday, February 14, 2018 9:36 PM, Zsolt Kantor <
> zsoltkan...@yahoo.co.uk> wrote:
>
>
>
> You told me a very interesting thing, and I need to admit that I did not
> thought about this (although in the past I wrote some ping program using
> sockets, so I have a basic knowledge about networking in general). I will
> try that, but right now I need to resolve other things (not related to
> OpenBSD), I also thought to do some wireshark tests in  Win and BSD and
> check the traffic, the packets, and the times between the packets sent 

Re: considering a move to OpenBSD

2018-02-08 Thread Charlie Eddy
Thanks Daniel. Definitely the correct answer.

On Thu, Feb 8, 2018 at 4:07 PM, Daniel Bolgheroni <dan...@bolgh.eng.br>
wrote:

> On Thu, Feb 08, 2018 at 09:41:20PM +, Charlie Eddy wrote:
> > hello misc,
> >
> > I am considering a move to OpenBSD, since I subscribed to this mailing list
> > some time ago (~few months). I want to take advantage of security.
> >
> > However, a programmer who I know personally and respect considers OpenBSD
> > to be old-school, in a negative sense. He recommends Arch Linux as
> > superior, because more new. Does the difference boil down to one's
> > definition of free software, and then compliance with that definition?
> >
> > I have read up on this a lot, and this is a serious question. I have heard
> > that it is unimportant what *nix you're on after a few years of using one
> > or the other, in terms of functionality. I am interested in embedded
> > devices. I think that bends the needle towards Arch, but the security of
> > OpenBSD is also attractive. What considerations should I take into account?
>
> I don't think that, if you ask the same question on an Arch Linux
> mailing list, people will suggest you to run OpenBSD. Since you're on an
> OpenBSD mailing list, the odds are people here will... nevermind.
>
> There are a lot (really, a lot) of things you should consider.
> Honestly, these opinionated, one-sentence answers like these should ring
> bells on your head, and work as an alert (because it's newer? really?).
>
> That being said, the mindset of "going to shop" when choosing software
> (e.g. comparing project features to see which one "offers more for the
> lowest price") is just wrong. What do you really need? "Embedded",
> "security" or any single-worded reason won't say much.
>
> No words here will spare you the work you have to do by yourself. Install
> it and put it to work. Then, take your own conclusions.
>
> --
> db
>


considering a move to OpenBSD

2018-02-08 Thread Charlie Eddy
hello misc,

I am considering a move to OpenBSD, since I subscribed to this mailing list
some time ago (~few months). I want to take advantage of security.

However, a programmer who I know personally and respect considers OpenBSD
to be old-school, in a negative sense. He recommends Arch Linux as
superior, because more new. Does the difference boil down to one's
definition of free software, and then compliance with that definition?

I have read up on this a lot, and this is a serious question. I have heard
that it is unimportant what *nix you're on after a few years of using one
or the other, in terms of functionality. I am interested in embedded
devices. I think that bends the needle towards Arch, but the security of
OpenBSD is also attractive. What considerations should I take into account?

Regards,
Charlie


Re: OpenBSD Foundation on HTTPS

2018-02-07 Thread Charlie Eddy
Hello Jonathan Thornburg,

That is quite simple. The post will work.

https://www.ic.gc.ca/app/scr/cc/CorporationsCanada/fdrlCrpDtls.html?corpId=4409612

Regards,

On Wed, Feb 7, 2018 at 6:42 AM, Jeroen  wrote:

> With HTTPS, can you be sure that the server isn't compromised? With or
> without HTTPS, it's always a good idea to check whether the address is
> correct (a foundation has to be registered and at other places).
>
> On Wed, 2018-02-07 at 14:40 +0100, Jonathan Thornburg wrote:
> > From  http://www.openbsdfoundation.org/donations.html :
> > >  Donations may be made by cheque in CAD/EUR/USD funds to:
> > >
> > > The OpenBSD Foundation
> > > 8101 160 Street
> > > Edmonton, Alberta, Canada
> > > T5R 2G9
> >
> > Without https, how can one verify that that is the correct address?
> >
> >
>
>


Re: OpenBSD Foundation on HTTPS

2018-02-06 Thread Charlie Eddy
thank you for providing that email address, case closed as far as I'm
concerned


Re: OpenBSD Foundation on HTTPS

2018-02-06 Thread Charlie Eddy
"Can I update the value of "hosted_button_id" and
send you to my Paypal account ?"

this

is much cleaner, more logical, more formal, and more sensible than

"No need to have this one https type really there isn't any information
you enter on it..."

On Tue, Feb 6, 2018 at 1:10 PM, Denis Fondras  wrote:

> > If you actually donate and click on any links there you would see it
> > bring you to a secure page.
> >
>
> But is this the right link ? Can I update the value of "hosted_button_id"
> and
> send you to my Paypal account ?
>
> Denis
>
>


Re: OpenBSD Foundation on HTTPS

2018-02-06 Thread Charlie Eddy
agreed - using HTTP instead of HTTPS is a great way to encourage that
activity, and since I love having my head in the sand like an ostrich I
encourage us to not encrypt the donation links to the most secure operating
system available to the public. That way we can't donate securely to the
foundation we support - the sand is great from down here

On Tue, Feb 6, 2018 at 3:32 AM, Hess THR  wrote:

> troll on
>
> hey, yeah, you are absolutely right!
>
> no one would ever modify (since plain http) the example.:
>
> http://www.openbsdfoundation.org/donations.html
>
> page, where are the PayPal donation links, bitcoin donation links are,
> without anybody noticing!
>
> Why would someone do something like this? we live in a perfect world
> without bad people! yay pink ponies!
>
> troll off
>
>
> > Sent: Tuesday, February 06, 2018 at 12:23 PM
> > From: "Ian Sutton" 
> > To: "Hess THR" 
> > Cc: "misc@OpenBSD.org" 
> > Subject: Re: OpenBSD Foundation on HTTPS
> >
> > Hi,
> >
> > There is no need. There is nothing secret on those web servers, there
> > is no logical reason to encrypt it. This issue has been discussed to
> > death. Please check archives.
> >
> > Ian
> >
> > On Tue, Feb 6, 2018 at 4:03 AM, Hess THR  wrote:
> > > Hello,
> > >
> > > because HTTPS increases the authenticity, integrity, privacy: https://en.wikipedia.org/wiki/HTTPS
> > >
> > > going to apache/iis/nginx/linux will not increase "security". since they have very buggy code.
> > >
> > > but for HTTPS, luckily, OpenBSD has LibreSSL. Or are we not trusting the code in the base?
> > >
> > >
> > >> Sent: Friday, December 15, 2017 at 12:11 PM
> > >> From: "Vivek Vinod" 
> > >> To: "Hess THR" 
> > >> Subject: Re: OpenBSD Foundation on HTTPS
> > >>
> > >> 1) Why do you want https support?
> > >> 2) Most websites use IIS, Apache or Nginx. Maybe you should suggest we shift to IIS as well? Wait, I guess more people use Linux, so we should stop using OpenBSD altogether.
> > >>
> > >>
> > >> -Original Message-
> > >> From:  on behalf of Hess THR <hessnovth...@mail.com>
> > >> Date: Friday, 15 December 2017 at 4:20 PM
> > >> To: , 
> > >> Subject: OpenBSD Foundation on HTTPS
> > >>
> > >> Hello, Just noticed that the: http://www.openbsdfoundation.org/ doesn't
> > >> support HTTPS, while in 2017 Dec, ~70% of the websites do:
> > >> https://letsencrypt.org/stats/#percent-pageloads Can we have HTTPS for
> > >> the OpenBSD Foundation? Which Official OpenBSD related domain hasn't got
> > >> HTTPS yet? I wish you happy holidays and again, Thanks for all the work!
> > >> BTW, wow:
> > >> https://www.reddit.com/r/Bitcoin/comments/7jj0oa/im_donating_5057_btc_to_charitable_causes/dr6q6tj/?context=3
> > >>
> > >
> >
>
>


Re: Disable external USB devices

2018-01-24 Thread Charlie Eddy
oh and lastly to understand a bit more about why you don't need to be an
ultrasmart blackhat:
even USB keyboards are dangerous and lots of things can pretend to be usb
https://www.youtube.com/watch?v=00A36VABIA4

and postscript:
for a usb firewall, so to speak, https://wiki.wireshark.org/CaptureSetup/USB
Can probably get it done with usbmon and libpcap. Could get a poc in scapy
Probably iptables can be reused
Prevent both rubber duckies and packet injection attacks against bluetooth
mice that are seen as keyboards

On Wed, Jan 24, 2018 at 4:40 PM, Charlie Eddy <charlie.e...@occipital.com>
wrote:

> Hi stefan,
> i asked this a bit ago (or similar)
> 1. https://usbguard.github.io/
> 2. you can just disable USB ports or controller in BIOS, but that's not
> exciting at all.
> 3. this diff, which one person used once:
>
> Index: sys/dev/usb/uhub.c
> ===
> RCS file: /cvs/src/sys/dev/usb/uhub.c,v
> retrieving revision 1.89
> diff -u -p -u -r1.89 uhub.c
> --- sys/dev/usb/uhub.c  2 Sep 2016 09:14:59 -   1.89
> +++ sys/dev/usb/uhub.c  1 Jan 2017 22:52:53 -
> @@ -55,6 +55,9 @@
>  #define DEVNAME(sc)((sc)->sc_dev.dv_xname)
> +/* controls enabling/disabling of USB bus probing */
> +int busprobe = 1;
> +
>  struct uhub_softc {
> struct device   sc_dev; /* base device */
> struct usbd_device  *sc_hub;/* USB device */
> @@ -439,6 +442,9 @@ uhub_explore(struct usbd_device *dev)
> usbd_clear_port_feature(sc->sc_hub, port,
> UHF_C_PORT_LINK_STATE);
> }
> +
> +   if (!busprobe)
> +   return (0);
> /* Recursive explore. */
> if (up->device != NULL && up->device->hub != NULL)
> Index: sys/dev/usb/usb.c
> ===
> RCS file: /cvs/src/sys/dev/usb/usb.c,v
> retrieving revision 1.111
> diff -u -p -u -r1.111 usb.c
> --- sys/dev/usb/usb.c   18 May 2016 18:28:58 -  1.111
> +++ sys/dev/usb/usb.c   1 Jan 2017 22:52:53 -
> @@ -87,6 +87,8 @@ int   usb_noexplore = 0;
>  #define DPRINTFN(n,x)
>  #endif
> +extern int busprobe;
> +
>  struct usb_softc {
> struct devicesc_dev;/* base device */
> struct usbd_bus  *sc_bus;   /* USB controller */
> @@ -607,6 +609,14 @@ usbioctl(dev_t devt, u_long cmd, caddr_t
>  #endif
> break;
>  #endif /* USB_DEBUG */
> +   case USB_GET_BUS_PROBE:
> +   *(unsigned int *)data = busprobe;
> +   break;
> +   case USB_SET_BUS_PROBE:
> +   if ((error = suser(curproc, 0)) != 0)
> +   return (error);
> +   busprobe = !!*(unsigned int *)data;
> +   break;
> case USB_REQUEST:
> {
> struct usb_ctl_request *ur = (void *)data;
> Index: sys/dev/usb/usb.h
> ===
> RCS file: /cvs/src/sys/dev/usb/usb.h,v
> retrieving revision 1.57
> diff -u -p -u -r1.57 usb.h
> --- sys/dev/usb/usb.h   19 Jun 2016 22:13:07 -  1.57
> +++ sys/dev/usb/usb.h   1 Jan 2017 22:52:53 -
> @@ -760,6 +760,8 @@ struct usb_device_stats {
>  #define USB_DEVICE_GET_CDESC   _IOWR('U', 6, struct usb_device_cdesc)
>  #define USB_DEVICE_GET_FDESC   _IOWR('U', 7, struct usb_device_fdesc)
>  #define USB_DEVICE_GET_DDESC   _IOWR('U', 8, struct usb_device_ddesc)
> +#define USB_GET_BUS_PROBE  _IOR ('U', 9,  unsigned int)
> +#define USB_SET_BUS_PROBE  _IOW ('U', 10, unsigned int)
>  /* Generic HID device */
>  #define USB_GET_REPORT_DESC_IOR ('U', 21, struct usb_ctl_report_desc)
> Index: usr.sbin/usbdevs/usbdevs.8
> ===
> RCS file: /cvs/src/usr.sbin/usbdevs/usbdevs.8,v
> retrieving revision 1.9
> diff -u -p -u -r1.9 usbdevs.8
> --- usr.sbin/usbdevs/usbdevs.8  26 Jun 2008 05:42:21 -  1.9
> +++ usr.sbin/usbdevs/usbdevs.8  1 Jan 2017 22:52:53 -
> @@ -39,6 +39,7 @@
>  .Op Fl dv
>  .Op Fl a Ar addr
>  .Op Fl f Ar dev
> +.Op Fl p Ns Op Ar on | off
>  .Sh DESCRIPTION
>  .Nm
>  prints a listing of all USB devices connected to the system
> @@ -53,6 +54,10 @@ Only print information about the device
>  Show the device drivers associated with each device.
>  .It Fl f Ar dev
>  Only print information for the given USB controller.
> +.It Fl p Ns Op Ar on | off
> +Enable or disable USB bus probing.  The default
> +is
> +.Ar on .
>  .It Fl v
>  Be verbose.
>  .El
> Index: usr.sbin/usbdevs/u

Re: Disable external USB devices

2018-01-24 Thread Charlie Eddy
Hi stefan,
i asked this a bit ago (or similar)
1. https://usbguard.github.io/
2. you can just disable USB ports or controller in BIOS, but that's not
exciting at all.
3. this diff, which one person used once:

Index: sys/dev/usb/uhub.c
===
RCS file: /cvs/src/sys/dev/usb/uhub.c,v
retrieving revision 1.89
diff -u -p -u -r1.89 uhub.c
--- sys/dev/usb/uhub.c  2 Sep 2016 09:14:59 -   1.89
+++ sys/dev/usb/uhub.c  1 Jan 2017 22:52:53 -
@@ -55,6 +55,9 @@
 #define DEVNAME(sc)((sc)->sc_dev.dv_xname)
+/* controls enabling/disabling of USB bus probing */
+int busprobe = 1;
+
 struct uhub_softc {
struct device   sc_dev; /* base device */
struct usbd_device  *sc_hub;/* USB device */
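Review bot: The new global `int busprobe = 1;` above `struct uhub_softc` has a very generic name for a symbol shared across kernel files, and its one-line comment does not say what "disabling" means. A prefixed name (for instance usb_busprobe) and a comment stating that 0 makes uhub_explore() stop before exploring ports would make it harder to misread as "the bus is switched off".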
@@ -439,6 +442,9 @@ uhub_explore(struct usbd_device *dev)
usbd_clear_port_feature(sc->sc_hub, port,
UHF_C_PORT_LINK_STATE);
}
+
+   if (!busprobe)
+   return (0);
/* Recursive explore. */
if (up->device != NULL && up->device->hub != NULL)
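Review bot: The `if (!busprobe) return (0);` test sits after the `usbd_clear_port_feature(..., UHF_C_PORT_LINK_STATE)` call and directly before the "Recursive explore" step, so at least that change bit has already been acknowledged when the function bails out. Please state in a comment what happens to a device that is plugged in while probing is off once the flag is turned back on, and whether leaving the whole function here (rather than testing at the top of uhub_explore()) is intended.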
Index: sys/dev/usb/usb.c
===
RCS file: /cvs/src/sys/dev/usb/usb.c,v
retrieving revision 1.111
diff -u -p -u -r1.111 usb.c
--- sys/dev/usb/usb.c   18 May 2016 18:28:58 -  1.111
+++ sys/dev/usb/usb.c   1 Jan 2017 22:52:53 -
@@ -87,6 +87,8 @@ int   usb_noexplore = 0;
 #define DPRINTFN(n,x)
 #endif
+extern int busprobe;
+
 struct usb_softc {
struct devicesc_dev;/* base device */
struct usbd_bus  *sc_bus;   /* USB controller */
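Review bot: `extern int busprobe;` is declared directly in usb.c, so nothing checks it against the definition in uhub.c; it belongs in a header both files include. The hunk header also shows an existing `usb_noexplore` in this file, and the patch gives no explanation of how the new flag relates to it.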
@@ -607,6 +609,14 @@ usbioctl(dev_t devt, u_long cmd, caddr_t
 #endif
break;
 #endif /* USB_DEBUG */
+   case USB_GET_BUS_PROBE:
+   *(unsigned int *)data = busprobe;
+   break;
+   case USB_SET_BUS_PROBE:
+   if ((error = suser(curproc, 0)) != 0)
+   return (error);
+   busprobe = !!*(unsigned int *)data;
+   break;
case USB_REQUEST:
{
struct usb_ctl_request *ur = (void *)data;
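Review bot: USB_SET_BUS_PROBE is gated by `suser(curproc, 0)`, which is right, but the case writes one global even though usbioctl() is called for a specific controller (`devt`), so the setting changes every bus regardless of the device node it was issued on. Either document that or keep the flag per controller. Since root can also switch probing back on at any time, consider refusing the "on" transition at a raised securelevel if the aim is to lock ports on a running machine.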
Index: sys/dev/usb/usb.h
===
RCS file: /cvs/src/sys/dev/usb/usb.h,v
retrieving revision 1.57
diff -u -p -u -r1.57 usb.h
--- sys/dev/usb/usb.h   19 Jun 2016 22:13:07 -  1.57
+++ sys/dev/usb/usb.h   1 Jan 2017 22:52:53 -
@@ -760,6 +760,8 @@ struct usb_device_stats {
 #define USB_DEVICE_GET_CDESC   _IOWR('U', 6, struct usb_device_cdesc)
 #define USB_DEVICE_GET_FDESC   _IOWR('U', 7, struct usb_device_fdesc)
 #define USB_DEVICE_GET_DDESC   _IOWR('U', 8, struct usb_device_ddesc)
+#define USB_GET_BUS_PROBE  _IOR ('U', 9,  unsigned int)
+#define USB_SET_BUS_PROBE  _IOW ('U', 10, unsigned int)
 /* Generic HID device */
 #define USB_GET_REPORT_DESC_IOR ('U', 21, struct usb_ctl_report_desc)
Index: usr.sbin/usbdevs/usbdevs.8
===
RCS file: /cvs/src/usr.sbin/usbdevs/usbdevs.8,v
retrieving revision 1.9
diff -u -p -u -r1.9 usbdevs.8
--- usr.sbin/usbdevs/usbdevs.8  26 Jun 2008 05:42:21 -  1.9
+++ usr.sbin/usbdevs/usbdevs.8  1 Jan 2017 22:52:53 -
@@ -39,6 +39,7 @@
 .Op Fl dv
 .Op Fl a Ar addr
 .Op Fl f Ar dev
+.Op Fl p Ns Op Ar on | off
 .Sh DESCRIPTION
 .Nm
 prints a listing of all USB devices connected to the system
@@ -53,6 +54,10 @@ Only print information about the device
 Show the device drivers associated with each device.
 .It Fl f Ar dev
 Only print information for the given USB controller.
+.It Fl p Ns Op Ar on | off
+Enable or disable USB bus probing.  The default
+is
+.Ar on .
 .It Fl v
 Be verbose.
 .El
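Review bot: The new `-p` entry does not say what the option does when given without an argument, although the synopsis marks `on | off` as optional. It should also mention that changing the setting requires root (the ioctl checks suser()) and say whether devices that are already attached are affected.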
Index: usr.sbin/usbdevs/usbdevs.c
===
RCS file: /cvs/src/usr.sbin/usbdevs/usbdevs.c,v
retrieving revision 1.25
diff -u -p -u -r1.25 usbdevs.c
--- usr.sbin/usbdevs/usbdevs.c  22 Dec 2015 08:36:40 -  1.25
+++ usr.sbin/usbdevs/usbdevs.c  1 Jan 2017 22:52:53 -
@@ -30,14 +30,15 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
+#include 
+#include 
+#include 
+#include 
+#include 
 #include 
 #include 
 #include 
-#include 
-#include 
 #include 
-#include 
-#include 
 #include 
 #ifndef nitems
@@ -46,21 +47,23 @@
 #define USBDEV "/dev/usb"
-int verbose = 0;
-int showdevs = 0;
+int verbose;
+int showdevs;
+int getprobe;
+int setprobe;
 void usage(void);
 void usbdev(int f, int a, int rec);
 void usbdump(int f);
 void dumpone(char *name, int f, int addr);
-int main(int, char **);
+void busprobe(int f, unsigned int probe);
 extern char *__progname;
 void
 usage(void)
 {
-   fprintf(stderr, "usage: %s [-dv] [-a addr] [-f dev]\n", __progname);
+   fprintf(stderr, "usage: %s [-dv] [-a addr] [-f dev] [-p[on |
off]]\n", __progname);
exit(1);
 }
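Review bot: The added `fprintf(stderr, "usage: ...` line is broken across two lines inside the string literal (`[-p[on |` then `off]]\n`), which looks like mail-client wrapping and will stop the patch from applying or compiling; resend with wrapping disabled. The new userland prototype `void busprobe(int f, unsigned int probe);` also shares its name with the kernel variable, which makes the two easy to confuse when reading the diff.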
@@ -177,6 +180,21 @@ dumpone(char *name, int f, int addr)
 

USB Firewall

2018-01-16 Thread Charlie Eddy
Hello,

Is there a method to detect and halt additional USB devices being added
after initializing connections? Concerned about widespread vulnerability of
keystroke injection.


After a failed checksum: What options remain?

2018-01-11 Thread Charlie Eddy
Hello,

Privateinternetaccess.org supplies secure VPNs. Their Windows installer
(v75) has a SHA256 result that does not match what is supplied on their
website.

Fucking terrible "security" solution, is it not?

As a prospective user of OpenBSD, I would hope that this never occurs, and
that free software would fulfill its promises. I am considering switching
to OpenBSD, but am afraid that I will be overcome by the difficulty of
learning Linux commands. I am not incompetent and willing to read code and
manpages, just timid, about this "big change."

As part of considering OpenBSD adoption, I am extremely focused on
security. However, trivial and fundamental issues are difficult to work
around.

My conclusion that the privateinternetaccess.org security solution is
terrible is not necessarily well-founded. The checksum could be modified
for these reasons:

- file was messed with in transit to me
- incompetent administrators did not update the checksum when they updated
the file

I suspect the latter, and unless my support ticket currently opened with
Private Internet Access is resolved to my satisfaction I will be forced to
use a free software solution. I am patient, but intolerant of stupidity.
The determination remains to be made.

GNUPG is my first step towards a cryptographically secure future. However,
in downloading it, I am confronted by a serious problem. They state the
following:

Comparing Checksums
If you are not able to use an old version of GnuPG, you can still verify
the file's SHA-1 checksum. This is less secure, because if someone modified
the files as they were transferred to you, it would not be much more effort
to modify the checksums that you see on this webpage. As such, if you use
this method, you should compare the checksums with those in release
announcement. This is sent to the gnupg-announce mailing list (among
others), which is widely mirrored. Don't use the mailing list archive on
this website, but find the announcement on several other websites and make
sure the checksum is consistent. This makes it more difficult for an
attacker to trick you into installing a modified version of the software.

As a result, I obtained an SSL/TLS server test to determine whether they
would be exposed to MITM despite their https:// prefix due to no
implementation of HSTS.

GNUPG is HSTSecure. Private Internet Access is not, another flaw in their
system.

However, the classic Orwellian security problem cannot be solved in this
case. The serious problem is that HSTS does not prevent a first-time user
from being MitM'd when they visit the site, and I may have been attacked
every single time. I have not yet verified the SHA1 sum in the archives --
are they correct in stating that this is the best method?

How can I positively verify an OpenBSD install is secure? How can
implementing secure processes begin? Do I need to write my own checker from
scratch to know that things are operating properly? That's a joke, but it's
not that funny, is it?

If a user on a compromised device installs an operating system with
privilege separation, pledges could still be meaningless. What is the
correct way to wear a tinfoil hat?

Regards


Re: Kernel memory leaking on Intel CPUs?

2018-01-10 Thread Charlie Eddy
Excuse me, I can support the far-seeing generalities in the message you
linked but am confused about the specifics. It looks like processor hangs,
and deadlock, and poorly documented page table handling by the MMU, are
concrete issues specified.

Respectfully: Are there any direct links to Meltdown or Spectre founded in
the bugs noted in these errata? Or, is this a straw man argument against a
chip manufacturer?

If there are not any direct links, but the argument against Intel itself
still stands, is that because there are other chip manufacturers who have
proven that it is possible to write unexploitable code?

Please let me know.

2018-01-10 3:21 GMT-08:00 Zbyszek Żółkiewski :

> 10 years passed, Theo de Raadt: https://marc.info/?l=openbsd-
> misc=118296441702631
>
> _
> Zbyszek Żółkiewski
>
> >
> > https://spectreattack.com/
> >
>
>


Re: obligatory leaving letter

2017-11-30 Thread Charlie Eddy
Can someone advise what occurred in NetBSD re this user?


Re: [cwm] list all available items

2017-11-30 Thread Charlie Eddy
Just a note that cwm is an old Welsh word for a mountain pass, one of the
few OED words with no vowel


Re: ASLR: How Robust is the Randomness?

2017-11-28 Thread Charlie Eddy
Hello all,

As a newcomer to this list, I would like a recommendation on further
reading about this specific topic. I am unable to understand it, where
normally I have some comprehension of what is going on.

Thanks,
Charlie

On Tue, Nov 28, 2017 at 10:19 AM, <leo_...@volny.cz> wrote:

> theo wrote:
> > That interpretation is wrong.
>
> Could be, I'm no genius :)
>
> > You don't understand fork+exec.
>
> Wha?
>
> > There
> > is no decision to stop using an address space after failure. Instead,
> > address spaces are intentionally split ahead of time to ensure a
> > specific pointer value is only valid in one process image. Other
> > similar load-images have unique layouts with unique pointer values.
> > So when failure happens, there is no other context where crash-learned
> > information can be reapplied in a non-crashed process image with the
> > same mapping.
>
> Uhm, how do I put this...
>
> In the old model, if an attack causes a specific child to crash, and it
> has been created using a simple fork, the parent, and all other
> children -- past, present, and future -- will *continue to use* the
> address space{, layout} that is common to them all.
>
> In the new situation, children do an exec immediately, before
> interacting with the peer. Hence, the addr space gets randomized, and
> it will not be like the parent's, or like that of any other children
> (given sufficient entropy).
>
> Hence, repeating the same attack will most likely fail.
>
> What is the part that I don't understand?
>
> > Don't change my words.
>
> Sorry, didn't mean to. It was a mere suggestion.
>
> > It is over your head. Or learn to read. Or learn to not reply before
> > you think.
>
> Criticism is welcome. Unwarranted preconceptions are not.
>
> (hmm, now what makes a preconception 'unwarranted'...?)
>
> --schaafuit.
>
>
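The distinction argued over in the quoted exchange, that a child made by plain fork keeps the parent's address-space layout while a child that execs gets a newly randomized one, can be observed with a small C program. This is an added example, not code from the thread or from OpenBSD; `sample`, `child_layout` and the `ASLR_DEMO_FD` variable are names made up here, and the constructor attribute is a GCC/Clang extension.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

struct layout {
	uintptr_t image;	/* address of a global in the program image */
	uintptr_t heap;		/* first heap allocation made by this image */
	uintptr_t stack;	/* environment block, placed on the stack at exec */
};

static int marker;
static void *heap_obj;

/* Record where the current process image keeps its data. */
void sample(struct layout *l)
{
	if (heap_obj == NULL)
		heap_obj = malloc(16);
	l->image = (uintptr_t)&marker;
	l->heap = (uintptr_t)heap_obj;
	l->stack = (uintptr_t)environ;
}

/* Runs at start-up of every image. A re-executed child finds ASLR_DEMO_FD
 * (hypothetical name) set, reports its fresh layout on that pipe and exits. */
__attribute__((constructor))
static void report_if_reexecuted(void)
{
	const char *fd = getenv("ASLR_DEMO_FD");
	struct layout l;

	if (fd == NULL)
		return;
	sample(&l);
	_exit(write(atoi(fd), &l, sizeof(l)) == (ssize_t)sizeof(l) ? 0 : 1);
}

/* Fork a child and fetch its layout. With exec_path == NULL the child answers
 * from the inherited image (plain fork). Otherwise it first replaces itself
 * with exec_path (fork+exec). Returns 0 on success, -1 on failure. */
int child_layout(const char *exec_path, struct layout *out)
{
	int p[2];
	pid_t pid;
	ssize_t n;

	if (pipe(p) == -1)
		return -1;
	if ((pid = fork()) == -1) {
		close(p[0]);
		close(p[1]);
		return -1;
	}
	if (pid == 0) {
		struct layout l;
		char fdbuf[16];

		close(p[0]);
		if (exec_path != NULL) {
			snprintf(fdbuf, sizeof(fdbuf), "%d", p[1]);
			setenv("ASLR_DEMO_FD", fdbuf, 1);
			execlp(exec_path, exec_path, (char *)NULL);
			_exit(127);	/* exec failed: parent sees EOF */
		}
		sample(&l);
		_exit(write(p[1], &l, sizeof(l)) == (ssize_t)sizeof(l) ? 0 : 1);
	}
	close(p[1]);
	n = read(p[0], out, sizeof(*out));
	close(p[0]);
	waitpid(pid, NULL, 0);
	return n == (ssize_t)sizeof(*out) ? 0 : -1;
}

int same_layout(const struct layout *a, const struct layout *b)
{
	return a->image == b->image && a->heap == b->heap && a->stack == b->stack;
}

static void show(const char *who, const struct layout *l)
{
	printf("%-10s image=%#lx heap=%#lx stack=%#lx\n", who,
	    (unsigned long)l->image, (unsigned long)l->heap, (unsigned long)l->stack);
}

int main(int argc, char **argv)
{
	struct layout self, forked, execd;

	sample(&self);
	if (argc < 1 || child_layout(NULL, &forked) || child_layout(argv[0], &execd))
		return 1;
	show("parent", &self);
	show("fork", &forked);
	show("fork+exec", &execd);
	printf("fork matches parent: %d, fork+exec matches parent: %d\n",
	    same_layout(&self, &forked), same_layout(&self, &execd));
	return 0;
}
```

Built as a position-independent executable on a system with ASLR enabled, the fork line repeats the parent's values while the fork+exec line shows different ones, so addresses learned from one crashed child do not carry over to its siblings.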


session security on OpenBSD vs popular options

2017-11-15 Thread Charlie Eddy
Hello,

Please let me know how to find information on OpenBSD security as it
relates to web browser sessions.

For instance, I am aware that some attack vectors depend on browser
connections with OS components. What security flaws exist that OpenBSD
specifically is able to address?

Thanks,
Charlie Eddy


Re: is there something missing in pledge?

2017-10-23 Thread Charlie Eddy
I don't know how much Dutch Theo may or may not have but this is the
funniest OpenBSD discussion ever


GPU error: i915_hangcheck_hung on ThinkPad x201

2015-03-06 Thread Charlie
Hi,

I run OpenBSD 5.6-stable on a Lenovo x201 (patched to the latest errata - 
016). I use XFCE as my desktop environment. Every so often when I am 
moving a window, specifically trying to snap it to the left-hand side of 
my screen, X freezes up for a few seconds, and the following message is 
printed to the console:

error: [drm:pid31847:i915_hangcheck_hung] *ERROR* Hangcheck timer 
elapsed... GPU hung
error: [drm:pid31847:i915_hangcheck_hung] *ERROR* Hangcheck timer 
elapsed... GPU hung
error: [drm:pid31975:i915_reset] *ERROR* GPU hanging too fast, declaring 
wedged!
error: [drm:pid31975:i915_reset] *ERROR* Failed to reset chip.

After this occurs, everything continues working, but X is laggy, 
especially in certain applications. The best fix I've found is to reboot 
the system.

This appears to be the only relevant entry from /var/log/Xorg.0.log:

[ 62471.544] (EE) intel(0): Detected a hung GPU, disabling acceleration.

If I can provide any further information that might lead to fixing this 
problem, I will be happy to do so.

Thank you!

Charlie



Re: Seagate ST3250310AS not recognized

2014-03-27 Thread Charlie Farinella
- Original Message -
> On 03/26/14 16:59, Charlie Farinella wrote:
> > I'm trying to install OpenBSD 5.4 on a Dell Vostro 400, it's several
> > years old but not ancient.  4GB RAM, 250GB Seagate ST3250310AS hard
> > drive.  The installation goes normally until it tries to find the
> > hard drive and then tells me no hard drive is available.
> >
> > I've wiped the drive (it had ESXi on it before), repartitioned it,
> > unpartitioned it, installed Linux, installed FreeBSD all without
> > problem, but no matter what I do to it, OpenBSD won't see it.
> >
> > I would really like to get this working so any suggestions or
> > guidance is very much appreciated.
>
> First of all, your report sucks.
> Normally, I try to just ignore bad reports, even when I have a possible
> W.A.G., but I'm going to try something new...  I'm going to say you owe
> the project a $50 donation if I'm right.  And if I'm wrong, you get to
> buy the 5.5 CDs when they come out and say ha ha! you were WRONG!
>
> First of all, if you hooked the drive up properly and it is seen in the
> bios and all, it isn't a matter of the /drive/ not being recognized, or
> anything on the drive left over, there's something wrong with the
> handling of the drive by the interface.
>
> All that stuff that goes scrolling by the screen on boot?  it's
> important. it's called the dmesg.  Read it, it will tell you why
> things didn't work.  You may well have to interpret things, but
> somewhere on your dmesg, the chip that is your SATA interface will show
> up, and right there, it will probably give you a good idea why it isn't
> acting like a disk interface.  And while it looks like gibberish, it's
> actually fairly readable.
>
> My wild guess: you have an ahci interface (this is good), configured in
> the BIOS for RAID (this is bad).  Dell shipped a lot of machines with
> one disk, with the interface configured in the BIOS as a RAID.  This
> is really just a lame BIOS-assisted OS-based RAID system, like most
> cheap RAID options, but if the OS doesn't support the RAID idea and it
> is a multi-booting system, bad things can happen when the BIOS helps
> you by copying one drive over your other drive, so OpenBSD (and at least
> some Linux kernels, I've seen) won't touch the drive if it was in the
> unsupported RAID configuration mode.
>
> Nick.
 

First:  
  Thanks to all who replied, I appreciate people trying to help.

Second:  
  Nick was right and I am very appreciative that he took the time to help.  I 
now know more than I knew before, and have a working system.  :-)

Third:  
Our company has been using OpenBSD since version 3.2, purchasing CD sets, 
t-shirts and mugs over the years, I'll be sure we kick in the $50.00 donation.

Thank you again.

--charlie

--
Charles Farinella
Systems Administrator
Appropriate Solutions, Inc.
603-924-6079



Seagate ST3250310AS not recognized

2014-03-26 Thread Charlie Farinella
I'm trying to install OpenBSD 5.4 on a Dell Vostro 400, it's several years old 
but not ancient.  4GB RAM, 250GB Seagate ST3250310AS hard drive.  The 
installation goes normally until it tries to find the hard drive and then tells 
me no hard drive is available.  

I've wiped the drive (it had ESXi on it before), repartitioned it, 
unpartitioned it, installed Linux, installed FreeBSD all without problem, but 
no matter what I do to it, OpenBSD won't see it.

I would really like to get this working so any suggestions or guidance is very 
much appreciated.

Thanks,

--charlie

--
Charles Farinella
Systems Administrator
Appropriate Solutions, Inc.
603-924-6079



interface not reporting the correct IP address

2011-02-28 Thread Charlie Farinella
I have an interface configured with a primary address and 2 aliases like 
so:

inet   173.xxx.xxx.254   255.255.255.224 NONE
inet alias   173.xxx.xxx.251   255.255.255.255
inet alias   173.xxx.xxx.252   255.255.255.255

If I visit http://www.whatismyip.com I am expecting to consistently see it 
report the first (173.xxx.xxx.254) address, but instead it reports any of 
the three addresses.

How can I guarantee that all traffic from this machine is seen as coming 
from the main IP address?

-- 

Charles Farinella 
Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
cfarine...@appropriatesolutions.com
voice: 603.924.6079   fax: 603.924.8668



Re: interface not reporting the correct IP address

2011-02-28 Thread Charlie Farinella
On Monday, February 28, 2011 02:52:07 PM Peter [prive] wrote:
> Hi,
>
> I have had the same symptom
> You have to use nat or you will have rotating from addresses.
>
> Peter

I thought I had done that, but a second look showed that to be the 
problem.  Thanks for your help.

> On 28-Feb-11 15:18, Charlie Farinella wrote:
> > I have an interface configured with a primary address and 2 aliases
> > like so:
> >
> > inet   173.xxx.xxx.254   255.255.255.224 NONE
> > inet alias   173.xxx.xxx.251   255.255.255.255
> > inet alias   173.xxx.xxx.252   255.255.255.255
> >
> > If I visit http://www.whatismyip.com I am expecting to consistently see
> > it report the first (173.xxx.xxx.254) address, but instead it
> > reports any of the three addresses.
> >
> > How can I guarantee that all traffic from this machine is seen as
> > coming from the main IP address?

-- 

Charles Farinella 
Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
cfarine...@appropriatesolutions.com
voice: 603.924.6079   fax: 603.924.8668



Re: i7-720QM one more time

2010-06-03 Thread Charlie Root
Ted,

Thanks for your looking at my post.
Come to think about the wsmouse, I believe that Xorg -configure set it to 
wsmouse0, so I tried wsmouse1 (no joy, neither the trackpad nor the wireless 
mouse worked).  I don't believe it has ever been set to simply wsmouse.  I'll 
give that a try.

So, I take it that the wireless device and my speed step issues are already in 
the queue from the way you responded.  If I can do anything to help, I would 
enjoy contributing to OpenBSD in anyway that I can.

I'll follow up with news about the X mouse issue.

Thanks,

--kyle



df - du discrepancy

2009-11-30 Thread Charlie Farinella
I have an OpenBSD 4.4 machine running just a few things;
OSSEC, named and openvpn.

After it's been up for a few weeks I start seeing discrepancies between what df 
tells me is free space and how much space du reports as being used.  A few 
weeks ago I got 'disk full' errors and rebooted the thing which solved it for 
the moment, but not permanently.

Here is an example of what I'm seeing:

# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a      3.6G    1.1G    2.3G    32%    /

# du -sh *
2.0K    altroot
4.5M    bin
44.0K   boot
6.6M    bsd
5.3M    bsd.rd
38.0K   dev
2.8M    etc
94.0K   home
2.0K    ipp.txt
6.0K    lost+found
2.0K    mnt
2.0K    openvpn-status.log
78.0K   root
10.7M   sbin
2.0K    stand
0B      sys
2.0K    tmp
505M    usr
10.2M   var

This looks to me like there is a discrepancy of several hundred megabytes and 
each day I get an approximate 1% increase in the df used report.  How can I 
find out what's using this space and how can I prevent it?

thanks,

-- 
Charles Farinella
Appropriate Solutions, Inc.
603.924.6079



ospfd cant change router-id's in 4.5

2009-06-18 Thread Charlie Allom
Hi,

when I change my router-id within /etc/ospfd.conf, my OSPF neighbour
will not go past EXSTA, but Cisco IOS will see the router-id as a new
router and go all the way to FULL.

How can I clear the neighbour association? `ospfctl reload` does nothing. I
would prefer not to kill the process as it is now the single stub router for a
lot of routes. Is this a bug or a feature request? :)

This neighbours router-id is now 94.228.64.5, yet:

Neighbor 193.34.28.2, interface address 89.200.217.2
  Area 0.0.0.0, interface em3
  Neighbor priority is 1, State is EXSTA, 99 state changes
  DR is 89.200.217.3, BDR is 89.200.217.12
  Options *|*|-|-|-|-|E|*
  Dead timer due in 00:00:35
  Uptime 00:00:00
  Database Summary List 0
  Link State Request List 0

it flip flops from:
  DR is 89.200.217.3, BDR is 89.200.217.12 (this is correct when FULL)
to
  DR is 89.200.217.12, BDR is 0.0.0.0

and the log from the changed router:

spf_calc: area 0.0.0.0 calculated
recv_db_description: dupe from ID 193.34.28.3
nbr_fsm: event 2_WAY_RECEIVED resulted in action EVAL and changing state for 
neighbor ID 193.34.28.3 from INIT to 2-WAY
if_act_elect: interface em3 old dr 89.200.217.12 new dr 89.200.217.3, old bdr 
none new bdr 89.200.217.12
nbr_fsm: event ADJ_OK resulted in action EVAL and changing state for neighbor 
ID 193.34.28.3 from 2-WAY to EXSTA
orig_rtr_lsa: area 0.0.0.0
orig_rtr_lsa: stub net, interface vlan255
orig_rtr_lsa: stub net, interface vlan208
orig_rtr_lsa: stub net, interface vlan207
orig_rtr_lsa: stub net, interface em3
orig_rtr_lsa: stub net, interface em2
if_fsm: event NEIGHBORCHANGE resulted in action ELECT and changing state for 
interface em3 from OTHER to OTHER
recv_ls_update: packet ignored in state EXSTA, neighbor ID 193.34.28.3
spf_calc: area 0.0.0.0 calculated
recv_db_description: dupe from ID 193.34.28.3
if_act_elect: interface em3 old dr 89.200.217.3 new dr 89.200.217.12, old bdr 
89.200.217.12 new bdr none
orig_rtr_lsa: area 0.0.0.0
orig_rtr_lsa: stub net, interface vlan255
orig_rtr_lsa: stub net, interface vlan208
orig_rtr_lsa: stub net, interface vlan207
orig_rtr_lsa: transit net, interface em3
orig_rtr_lsa: stub net, interface em2
if_fsm: event NEIGHBORCHANGE resulted in action ELECT and changing state for 
interface em3 from OTHER to OTHER
nbr_fsm: event 1_WAY_RECEIVED resulted in action CLEAR_LISTS and changing state 
for neighbor ID 193.34.28.3 from EXSTA to INIT
s

Regards,
  C.
-- 
 020 7729 4797
 http://blog.playlouder.com/



Re: why wont my vlan interface accept this /28 ?

2009-02-06 Thread Charlie Allom
On Fri, Feb 06, 2009 at 04:16:57PM +0100, Simen Stavdal wrote:
> Hello,
>
> I've had a similar issue before, and cannot quite remember in detail, but it
> was something like this ;

thanks Simon for that - it's similar but not the same issue. uux
[hmnbx4r...@gatekeeper.wzrd.com] on #openbsd sorted me out.

14:00 uux yeled: I think it is on 4.3.  routing table snafu.

You can't create an interface (on a vlan?) if the network is already in
your route table. I am sharing my routes on both firewalls with OSPF so
this is where the issue arises.

uux came up with the idea of installing the vlan interface on boot time
(ie rebooting the box) and getting around this problem.

Does anyone know if this has been fixed?

Regards,
  C.
-- 
 020 7729 4797
 http://blog.playlouder.com/



Re: pf drops fragged IPv6 unconditionally

2008-12-08 Thread Charlie Allom
On Fri, Dec 05, 2008 at 01:56:04PM -0600, Todd T. Fries wrote:
> It was not stated, but I've setup firewalls in the past, I presume you
> have a firewall that is doing 'block in' as a catchall (which catches
> the fragments) ..
>
> Set your return policy on that rule if you wish it to return.

ok but the block-policy already says return. adding return to this
has no effect: block return in log (all) on $ext_if

Am I missing something here?

Regards,
  C.
-- 
 020 7729 4797
 http://blog.playlouder.com/



pf drops fragged IPv6 unconditionally

2008-12-05 Thread Charlie Allom
After wondering why my email was seeing MTU-like issues once I enabled
an  record, I see that pf is dropping IPv6 packets that are
fragmented.

pf.conf(5):
1546: Currently, only IPv4 fragments are supported and IPv6 fragments are
  blocked unconditionally.

in pf.c, under #ifdef INET6:
4402:   do {
switch (pd2.proto) {
case IPPROTO_FRAGMENT:
/*
 * ICMPv6 error messages for
 * non-first fragments
 */
REASON_SET(reason, PFRES_FRAG);
return (PF_DROP);

I think that's the part we just don't bother parsing them. Or one of them. I've 
had enable 'pass in inet6'.

Does anyone have any patches to enable this?

  C.

-- 
 020 7729 4797
 http://blog.playlouder.com/



Re: pf drops fragged IPv6 unconditionally

2008-12-05 Thread Charlie Allom
On Fri, Dec 05, 2008 at 12:43:33PM -0600, Todd T. Fries wrote:
 
> Theory suggests that PMTUD should handle things such that fragments do not
> appear, but encapsulation and tunneling via IPSec tend to generate them
> anyway..

Are we not breaking PMTUD by silently dropping these? Shouldn't there
be a way of implying something like 'block-policy return' ?

  C.
-- 
 020 7729 4797
 http://blog.playlouder.com/



Re: pf: scrub in log ?

2008-11-28 Thread Charlie Allom
On Fri, Nov 28, 2008 at 10:50:00AM +, td wrote:
 Charlie Allom wrote:
  Hi,
  
  scrub in log... passes pfctl -nf but doesn't report anything.
  
  I know for a fact that it is doing *something* - does anyone know if
  it's possible to see a real time activity of 'scrub' from pflog0 ?
  
  Regards,
C.
 tcpdump?

figuring out what has changed on an external interface and the one past
the scrub $if isn't my idea of a fun day.

but so far that's what I've been doing..

-- 
 020 7729 4797
 http://blog.playlouder.com/



pf: scrub in log ?

2008-11-27 Thread Charlie Allom
Hi,

scrub in log... passes pfctl -nf but doesn't report anything.

I know for a fact that it is doing *something* - does anyone know if
it's possible to see a real time activity of 'scrub' from pflog0 ?

Regards,
  C.
-- 
 020 7729 4797
 http://blog.playlouder.com/



Re: OpenOSPFd fails to form adjancy if remote router-id changes

2008-11-19 Thread Charlie Allom
On Fri, Sep 05, 2008 at 02:59:47PM -0700, andrew fresh wrote:
 The problem I am seeing is that if I don't specify a router-id in
 ospfd.conf, then if the highest IP on a peer router changes the automatic
 Router ID, the session fails to start with a failed to form adjacency with
 old ID error.

I see this from some fallout of a bug I discovered:

/etc/ospfd.conf:
router-id 34.193.28.3
area 0.0.0.0 {
        interface em3 {
        }
}

int em3 has 4 (inclusive) neighbours:

ID              Pri State        DeadTime Address         Iface     Uptime
228.94.64.2     1   FULL/DR      00:00:37 200.89.217.12   em3       1d12h24m
34.193.28.2     1   FULL/BCKUP   00:00:35 200.89.217.2    em3       1d12h24m
200.89.217.37   1   2-WAY/OTHER  00:00:37 200.89.217.11   em3       -

here is 200.89.217.37:

!
router ospf 10
 router-id 228.94.64.1
 log-adjacency-changes
 redistribute connected subnets
 redistribute static subnets
 passive-interface GigabitEthernet0/0.200
 passive-interface GigabitEthernet0/1.3
 passive-interface GigabitEthernet0/1.102
 passive-interface GigabitEthernet0/1.255
 network 200.89.217.8 0.0.0.7 area 0
 network 200.89.217.32 0.0.0.7 area 0
 network 200.89.219.0 0.0.0.255 area 0
 network 228.94.65.0 0.0.0.255 area 0
 network 228.94.64.0 0.0.15.255 area 0
 network 101.146.142.0 0.0.0.127 area 0
 network 101.146.142.128 0.0.0.127 area 0
 network 34.193.28.0 0.0.3.255 area 0
 default-information originate always
!

200.89.217.37 is now 228.94.64.1 and I get this in the logs (after I
`clear ip ospf proc'):

Nov 19 12:56:33 hadrian ospfd[26460]: nbr_adj_timer: failed to form adjacency with 200.89.217.37

however if I change another router-id within the mesh, I can hang the
entire OS:

rtfree: 0xd99fd004 not freed (neg refs)
rtfree: 0xd99fd004 not freed (neg refs)
rtfree: 0xd99fd004 not freed (neg refs)
rtfree: 0xd99fd004 not freed (neg refs)

It needs a hard reset.

A limitation of my routes?
13:08 hadrian:~# ospfctl sh f|wc -l
  99 
13:08 hadrian:~# 

 
 Here is a description of how to repeat the problem as well as log messages.
 If there is any more information I should gather, let me know.

You should send-pr.

In fact I will now.

-- 
 020 7729 4797
 http://blog.playlouder.com/



Re: no pg_dump?

2008-11-07 Thread Charlie Farinella
On Thursday 06 November 2008, Stuart Henderson wrote:
  Thank you.
 
  I have everything on the list except:
 
  /usr/local/bin/pg_config
  /usr/local/bin/pg_dump
  /usr/local/bin/pg_dumpall
  /usr/local/bin/pg_restore
 
 These are certainly in the 4.4-release i386 package.
 
  I also have a live system with data in it, so shutting it down is an
  issue.
 
  What would you suggest I do?  I can do pkg_delete on all installed
  PostgreSQL packages and start over I suppose, or build PostgreSQL from
  source.
 
  I ran pkg_add -u for the client package, but that didn't help.
 
 you can try pkg_add -ri -F installed postgresql-client,
 but try and work out where they went...

As others have mentioned, there must have been an interruption of some 
kind during the original install, I vaguely remember something 
happening, but don't remember the details, but it must have been this 
server.  The above command worked for me and once again I would like to 
thank everyone for their help.  

--charlie

-- 

Charles Farinella 
Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
[EMAIL PROTECTED]
voice: 603.924.6079   fax: 603.924.8668



openbsd fail2ban

2008-11-06 Thread Charlie Clark

Hi,

I have noticed that people constantly try to brute force sshd on my 
openbsd box, on my server I use fail2ban to prevent this and wondered if 
there is a similar solution for openbsd.


Regards,

--

Charlie Clark
Network Engineer

Lemon Computing Ltd
Unit 9
26-28 Priests Bridge
London
SW14 8TA
UK

Tel: +44 208 878 2138
Fax: +44 208 878 2163
Email: [EMAIL PROTECTED]
Site: http://www.lemon-computing.com/

Lemon Computing is a limited company registered in England & Wales under
Company No. 03697052



Re: openbsd fail2ban

2008-11-06 Thread Charlie Clark

Hi Marcus,

If you come across this program again would I be able to steal it off of 
you, I will implement it as suggested before using pf state table 
tracking but your program sounds very interesting and I would still like 
to see it.


Thank you everyone for your answers.

Thanks,

Charlie

Marcus Andree wrote:

I've written a small program about 5 years ago. It was a daemon that
implemented a service similar to port knocking but entirely in user level,
calling pfctl by exec() system calls to insert/remove remote IP addresses
in a pf table holding machines able to connect to the ssh daemon via port 22.

It was an ugly hack but it worked for us. I shall have a backup copy somewhere on
my powerbook at home...

On Thu, Nov 6, 2008 at 3:33 PM, Charlie Clark [EMAIL PROTECTED] wrote:
  

Hi,

I have noticed that people constantly try to brute force sshd on my openbsd
box, on my server I use fail2ban to prevent this and wondered if there is a
similar solution for openbsd.

Regards,




no pg_dump?

2008-11-06 Thread Charlie Farinella
I've installed postgresql client, server and contribs from packages on a 
new 4.4 OpenBSD machine and there is no pg_dump or pg_restore included 
that I can find.  Where can I get these tools? 

--charlie

-- 

Charles Farinella 
Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
[EMAIL PROTECTED]
voice: 603.924.6079   fax: 603.924.8668



Re: no pg_dump?

2008-11-06 Thread Charlie Farinella
On Thursday 06 November 2008, Antoine Jacoutot wrote:
 On Thu, 6 Nov 2008, Charlie Farinella wrote:
 
  I've installed postgresql client, server and contribs from packages on a
  new 4.4 OpenBSD machine and there is no pg_dump or pg_restore included
  that I can find.  Where can I get these tools?
 
 They should be under /usr/local/bin/

You would think, I know!  I have psql, pg_ctl, pg_standby, 
pg_controldata, pg_resetxlog, pgbench, postgres, but no pg_dump, 
pg_dumpall, or pg_restore.

pkg_info shows:

postgresql-client-8.3.3 PostgreSQL RDBMS (client)
postgresql-contrib-8.3.3 PostgreSQL RDBMS contributions
postgresql-server-8.3.3 PostgreSQL RDBMS (server)

I'm at a loss.

--charlie

-- 

Charles Farinella 
Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
[EMAIL PROTECTED]
voice: 603.924.6079   fax: 603.924.8668



Re: no pg_dump?

2008-11-06 Thread Charlie Farinella
On Thursday 06 November 2008, Pierre-Emmanuel Andri wrote:
 On Thu, 6 Nov 2008 17:06:54 -0500,
 Charlie Farinella [EMAIL PROTECTED] wrote:

  I've installed postgresql client, server and contribs from packages
  on a new 4.4 OpenBSD machine and there is no pg_dump or pg_restore
  included that I can find.  Where can I get these tools?
 
  --charlie
 


http://www.openbsd.org/4.4_packages/i386/postgresql-client-8.3.3.tgz-contents.html

Thank you.

I have everything on the list except:

/usr/local/bin/pg_config
/usr/local/bin/pg_dump
/usr/local/bin/pg_dumpall
/usr/local/bin/pg_restore

I also have a live system with data in it, so shutting it down is an
issue.

What would you suggest I do?  I can do pkg_delete on all installed
PostgreSQL packages and start over I suppose, or build PostgreSQL from
source.

I ran pkg_add -u for the client package, but that didn't help.


Charles Farinella
Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
[EMAIL PROTECTED]
voice: 603.924.6079   fax: 603.924.8668



Re: routing problem

2008-10-21 Thread Charlie Clark
I have tried doing a route-to rule but it makes no difference, I set it 
up like this:


pass in quick on $ext_if route-to { ( $int_if (IP of host in DMZ) ) } from any to (IP of host in DMZ)


But my router still does not pass the packets onto the host in the DMZ, 
I haven't tried a reply-to rule but I would have thought that the 
route-to rule should tell the router to pass all packets with the 
destination (IP of host in DMZ) on to (IP of host in DMZ).


For example even when this route-to rule is active and I try to ping a 
host in the DMZ from the outside net, it gets no further than the 
router's ext_if


It seems that any packet that comes into ext_if destined for any IP in 
the DMZ does not get any further, even with route-to rule, which I don't 
think is needed as all of the hosts are in the router's routing table 
and are on the same network as the router.


Thanks,

Charlie


Daniel Anderson wrote:
Instead of giving you the obligatory man pf.conf reply, I will do one better 
and reference an old reply I posted to the list with a sample pf.conf where 
someone asked basically the same thing. I omitted the part that matters in 
this example conf, but explain what you need to insert to get it to fly.


http://marc.info/?l=openbsd-misc&m=120665186412690&w=2

It all can be found under the man page on searching for reply-to or route-to.
This worked for me, so if anybody has got a more elegant means of doing it 
they should post.


-
On Monday 20 October 2008 04:20:15 am Charlie Clark wrote:
  

Hi,

I am trying to setup an openbsd router but am having a big problem
getting it to work.
Here is the scenario:

The router has 3 public IP's, with 2 internet connections and sits just
outside a DMZ. Behind the router there are a number of hosts with public
IP's (DMZ).
All of the interfaces on the router are on different subnets.
Let's say that the 3 interfaces are:

int_if = the interface which is directly connected to the DMZ
ext_if = the first internet connection (NOTE this ISP is the ISP which
allocated the IP's in the DMZ so there is no natting done on this
interface) ext2_if = the second internet connection  (NOTE  there is
natting on this interface so everything works fine here)

I have setup aproxyd to answer arp requests on ext_if for all of the
IP's in the DMZ using the layout:

proxy (IP) (MAC of ext_if)

If I ping any IP on the net from a host in the DMZ and do a tcpdump on
the router at the same time, I can see the packet coming in int_if, then
going out ext_if, then the reply coming back in ext_if but then
disappearing. It doesn't seem to be passing the packets, destined for
the hosts in the DMZ, on to them.

Is there something I am missing here?
The filter rules look fine and nothing is being blocked

I would appreciate any help.

Thanks,




  






routing problem

2008-10-20 Thread Charlie Clark

Hi,

I am trying to setup an openbsd router but am having a big problem 
getting it to work.

Here is the scenario:

The router has 3 public IP's, with 2 internet connections and sits just 
outside a DMZ. Behind the router there are a number of hosts with public 
IP's (DMZ).

All of the interfaces on the router are on different subnets.
Let's say that the 3 interfaces are:

int_if = the interface which is directly connected to the DMZ
ext_if = the first internet connection (NOTE this ISP is the ISP which 
allocated the IP's in the DMZ so there is no natting done on this interface)
ext2_if = the second internet connection  (NOTE  there is natting on 
this interface so everything works fine here)


I have setup aproxyd to answer arp requests on ext_if for all of the 
IP's in the DMZ using the layout:


proxy (IP) (MAC of ext_if)

If I ping any IP on the net from a host in the DMZ and do a tcpdump on 
the router at the same time, I can see the packet coming in int_if, then 
going out ext_if, then the reply coming back in ext_if but then 
disappearing. It doesn't seem to be passing the packets, destined for 
the hosts in the DMZ, on to them.


Is there something I am missing here?
The filter rules look fine and nothing is being blocked

I would appreciate any help.

Thanks,





Re: RES: RES: Filtering outgoing connections in pf

2008-10-16 Thread Charlie Clark
But it can still be a router if it does not do natting, a router with 
only public IP's


Cezary Morga wrote:

On Wednesday, 15 October 2008, cgc wrote:
  

And any box that is doing packet filtering between 2 or more
networks, eg. a private network and the internet, is a router as far
as I am aware



If it's natting or filtering packets it's a gateway.
--
Cezary Morga
If you live to be one hundred, you've got it made. Very few people die
past that age. (George Burns)


  






Re: RES: RES: RES: Filtering outgoing connections in pf

2008-10-16 Thread Charlie Clark
That looks like it should work fine apart from the capital letters in 
your macro's


Regards,

Charlie

Ricardo Augusto de Souza wrote:

Hi,

I wanna allow local users ( 10.10.0.0/24 ) to Access internet just using port
80, 25 110 and 53 udp.

I wanna allow full access to 10.10.20.0/24 to the internet.  I mean, no
restriction.

Easy like that.

I used openBSD 3.8 in the past and I was able to filter packets in $ext_if from
my local network ( 10.10.0.0/24 ).

Tests:

1)

Users_tcp_ports = "{ 25, 80, 110, 443 }"
Users_udp_ports = "{ 53, 123 }"
Normal_users = "10.10.0.0/24"
Power_users = "10.10.20.0/24"

nat on $ext_if from $normal_users to any port $users_tcp_ports -> ($ext_if) tagged NORMAL_USERS_NAT
nat on $ext_if from $power_users to any -> ($ext_if) tagged POWER_USERS_NAT

#outgoing
Block out on $ext_if
Pass out quick on $ext_if from ($ext_if) to any

#filtering on $int_if
Pass in quick on $int_if inet proto tcp from $normal_users to any port $users_tcp_ports
Pass In quick on $int_if inet proto tcp from $power_users to any

Should this solve my problem?

I still have no test environment. I have around 300 users already going to the
internet and to other WAN sites through this openBSD.

Plz, post me your suggestions.

Thanks

-----Original Message-----
From: cgc [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 15 October 2008 16:21
To: Ricardo Augusto de Souza
Cc: misc@openbsd.org
Subject: Re: RES: RES: Filtering outgoing connections in pf

What exactly are you trying to achieve? what pc's do you want to have
access to what ports? Are you just allowing every pc in the 10.10.0.0/16
network the same access or not? And access to what? Just web traffic?
pings? dns? ...  You will have to be a bit more specific

And any box that is doing packet filtering between 2 or more networks, eg.
a private network and the internet, is a router as far as I am aware

Regards,

Charlie

On Wed, 15 Oct 2008 16:06:16 -0300, Ricardo Augusto de Souza
[EMAIL PROTECTED] wrote:

This sounds good.
But my openBSD is working like a router.
If I remove the rule pass in quick on $int_if I will have a lot of pcs
that cannot access other subnets.
Do u know what protocol I must allow to routes work?

thank

-----Original Message-----
From: cgc [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 15 October 2008 15:49
To: Ricardo Augusto de Souza
Cc: misc@openbsd.org
Subject: Re: RES: Filtering outgoing connections in pf

let me give you an example, if you just want 10.10.0.0/16 to have port 80
access then you need 3 rules:

#the nat
nat on $ext_if from 10.10.0.0/16 to any port 80 -> ($ext_if)

#allow through $int_if
pass in quick on $int_if proto tcp from 10.10.0.0/16 to any port 80

#and finally allow through $ext_if
pass out quick on $ext_if proto tcp from ($ext_if) to any

You can lock $ext_if down to just port 80 but the point is $int_if is where
you do the filtering for 10.10.0.0/16

Correct me if I am wrong.

Regards,

Charlie

On Wed, 15 Oct 2008 14:44:43 -0300, Ricardo Augusto de Souza
[EMAIL PROTECTED] wrote:

Is it possible filter outgoing packets in $ext_if even doing NAT?
I mean, after  nat on $ext_if from 10.10.0.0/16 to any -> ($ext_if) all
packets from 10.10.0.0/16 will be translated to $ext_if.
I wish I could filter 10.10.0.0/16 packets in $ext_if.

Is it possible?

Thanks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of
Ricardo Augusto de Souza
Sent: Wednesday, 15 October 2008 13:01
To: misc@openbsd.org
Subject: Filtering outgoing connections in pf

Hi,

I AM confused with some PF rules.

I am trying to allow just some ports to my local users.

I am using block out  on $ext_if but I think I would be able to choose
ports my lan users will access with rule

Pass out on $ext_if proto tcp from 10.10.0.0/16 to any port { 80, 25, 110 } keep state .

It seems to be ok, but I had to add this rule: Pass out on $ext_if from
$ext_if  to any ( without this rule my box cannot connect to the
internet ).  With this rule, All users can connect to any out port.

Question: What is the right way to have my box at the internet and  my
users  can only access that selected ports

Re: RES: Filtering outgoing connections in pf

2008-10-15 Thread Charlie Clark

Private IP's like those in 10.10.0.0/16 have to be natted using

nat on $ext_if from 10.10.0.0/16 to any -> ($ext_if)

so the packets exiting $ext_if are coming from ($ext_if) and not from 
10.10.0.0/16


Regards,

Charlie

Ricardo Augusto de Souza wrote:

I didn't understand what u Said.
Could u please explain me better.

Sorry to bother u.

Thanks

-----Original Message-----
From: Charlie Clark [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 15 October 2008 13:38

To: Ricardo Augusto de Souza
Subject: Re: Filtering outgoing connections in pf

Hi Ricardo,

That's because the packets going out have to be natted so they are not 
coming from 10.10.0.0/16 but instead they are coming from $ext_if


Regards,

Charlie

Ricardo Augusto de Souza wrote:
  

Hi,

I AM confused with some PF rules.

I am trying to allow just some ports to my local users.

I am using block out  on $ext_if but I think I would be able to choose
ports my lan users will access with rule

Pass out on $ext_if proto tcp from 10.10.0.0/16 to any port { 80, 25, 110 } keep state .

It seems to be ok, but I had to add this rule: Pass out on $ext_if  from
$ext_if  to any ( without this rule my box cannot connect to the
internet ).  With this rule, All users can connect to any out port.

Question: What is the right way to have my box at the internet and  my
users  can only access that selected ports?

Thanks

My pf.conf:

set loginterface xl1
set skip on lo0
scrub in

set require-order yes
set state-policy if-bound

altq on xl1 priq bandwidth 50Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

# external WAN interface
ext_if=xl1
# internal LAN interface
int_if=xl0
# MPLS interface
mpls_if =bge0
# VPN tunnel interfaces
vpn_if ="{ tun0, tun1, tun2, tun3, tun4 }"
vpn_net ="{ 10.10.9.0/26 }"
#Default GW
gw=200.162.41.33

table <badsites> persist file "/etc/badsites.txt"
winupdate = "{ 65.54.87.0/24 }"

# Variables
##

#
#1 - Redirection for the staging (homologation) environment
###
ws_ip = "{ 10.10.100.21 }"
ws_ports = "{ 8101, 8102, 8103 }"

#2 - Useful variables

lan = "{ 10.10.0.0/16 }"
cmt_lan = "{ 10.10.0.0/24 }"
ti_lan = "{ 10.10.20.0/26 }"
call_center_lan = "{ 10.10.60.0/26 }"
rede_mpls  = "{ 10.100.0.0/16 }"
ip_admin = "{ 10.10.20.100 }"
msn = "207.46.0.0/16"

# ports

portas_saida_tcp =  "{25, 80, 110,443 }"
portas_saida_udp =  "{ 53, 443 }"
portas_entrada_tcp =  "{ 22,1981, 810}"
portas_entrada_udp =  "{ 1194 }"
ip_rose =  "{ 10.10.0.56 }"
porta_rose =  "{ 2631 }"
oracle_desenv = "{ 10.10.100.13, 10.10.100.14 }"
ips_adm_ext = "{ 189.33.76.0/26 }"

# internet test for the MPLS stores
rdr pass on $mpls_if inet proto tcp from any to $mpls_if port 3128 -> $int_if port 3128

# redirect to the NTP server
rdr pass on $mpls_if inet proto udp from $rede_mpls to $mpls_if port 123 -> 10.10.100.254 port 123

# redirect so the DTC servers can send email through sol
rdr pass on $mpls_if inet proto tcp from $rede_mpls to $mpls_if port 25 -> 10.10.0.2 port 25
nat on $int_if from any to 10.10.0.2 -> $int_if

# transparent squid
rdr pass on $int_if inet proto tcp from $lan to any port 80 -> $int_if port 3128

rdr pass on $mpls_if inet proto tcp from any to $mpls_if port 1521 -> 10.10.100.13 port 1521
rdr pass on $mpls_if inet proto tcp from any to $mpls_if port 1522 -> 10.10.100.14 port 1521
nat on $int_if from any to $oracle_desenv port 1521 -> $int_if

# redirection to the LAN; NAT was needed as well.
rdr pass on $ext_if inet proto tcp from any to $ext_if port $ws_ports -> $ws_ip
nat on $int_if from any to $ws_ip -> $int_if

#
# NAT  ##
#

# NAT to give the LAN internet access
nat on $ext_if from $lan to !($ext_if) -> $ext_if
nat on $mpls_if  from $lan to any -> $mpls_if

# block everything in and everything out
block in on $ext_if

# inbound rules

# allow everything in on the internal interface
pass in on $int_if proto udp from $lan to $int_if port 53
pass in on $int_if from any to $lan  modulate state
pass in on $int_if from $rede_mpls to $lan  modulate state

# allow access to the MPLS network
pass in quick on $mpls_if from any to any
#pass in quick on $mpls_if from $rede_mpls to any

# allow inbound on the external interface
pass in quick on $ext_if proto tcp from any to $ext_if port $portas_entrada_tcp keep state
pass in quick on $ext_if proto tcp from any to $ext_if port $ws_ports keep state
pass in quick on $ext_if proto udp from any to $ext_if port $portas_entrada_udp keep state
pass in quick on $ext_if proto tcp from any to $int_if port 443 flags S/SAFR keep state (max 256)

#VPN
pass in quick on $ext_if proto tcp from any to $ext_if port = 1723 modulate state
pass in quick on $ext_if proto gre from any to $ext_if keep state
pass out quick on $ext_if proto gre from $ext_if

Re: route-to doesnot work for me - what am i doing wrong

2008-10-14 Thread Charlie Clark

Hi Siju,

isn't this:

pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from <hifxchn2> to any keep state


meant to be like this:

pass in quick on $int_if route-to { ( $ext_if2 $ext_ifgw ) } from <hifxchn2> to any keep state



Regards,

Charlie

Siju George wrote:

Hi,

I have firewall

sk0 - LAN Interface
rl1 - Primary internet connection
rl2 - secondary Internet connection

I have a line in pf.conf


to route requests from hosts in hifxchn2 through the rl2 internet
connection but it does not seem to work.

the full pf.conf is below

===
##NETWORK INTERFACES
#
int_if=sk0        #HiFX LAN Interface - Connected to Main Switches - using 172.16.0.0/12 Range.
ext_if=rl1        #Dataone Connection - rl2 interface Connected to the Dataone Router.
ext_if2=rl2
ext_ifgw=122.166.40.1
proxy=122.166.40.36


#Private IP Address Range Specified by RFC 1918.
#
priv_nets="{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"


#Computers in HiFX LAN that are permitted to bypass squid to make HTTP and HTTPS connections directly to the Internet
#
table <bypass-squid-users> persist file "/etc/pf-tables/bypass-squid-users"

#Websites to which bypassing SQUID is allowed.
#
table <bypass-squid-sites> persist file "/etc/pf-tables/bypass-squid-sites"
table <lanspl> persist file "/etc/pf-tables/lanspl"
table <adm> persist file "/etc/pf-tables/adms"
table <vtcservers> persist file "/etc/pf-tables/vtcservers"
table <bannedIPs> persist file "/etc/pf-tables/bannedIPs"
table <authpf_users> persist
table <hifxchn2> persist file "/etc/pf-tables/hifxchn2"

#Traffic Normalization - Required for pppoe connection.
#
scrub on $ext_if all no-df random-id fragment reassemble

###Network Address Translation and Port Redirection
###The First Matching rule wins here for any packet and no further nat or rdr rules are checked.
nat-anchor "authpf/*"
rdr-anchor "authpf/*"
binat-anchor "authpf/*"

nat pass on $ext_if from <adm> to any -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021

# redirect to beergas website
rdr pass on $ext_if inet proto tcp from any to any port 80 -> 172.16.4.12 port 80
rdr pass on $ext_if inet proto tcp from any to any port 443 -> 172.16.4.12 port 443

###
#
nat on $ext_if from <bypass-squid-users> to any -> ($ext_if)

#NAT connections to specified websites.
nat on $ext_if from any to <bypass-squid-sites> port { 80, 443 } -> ($ext_if)
nat on $ext_if from any to <bypass-squid-sites> port { 80, 443 } -> ($ext_if2)

#Block NAT for other hosts to port 80 and 443 on the Internet.
#They should all go via SQUID CACHE PROXY
#
no nat on $ext_if from any to any port { 80, 443 }
no nat on $ext_if2 from any to any port { 80, 443 }

#Allow NAT for rest of the Computers to Internet - port 80 and 443 is already blocked for these hosts by the rule above.
#
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if2 from $int_if:network to any -> ($ext_if2)

#The SQUID CACHE PROXY Listens on localhost interface port 8080 for security reasons.
#PROXY configuration for computers in the HIFX LAN Machine in the IP Address of $int_if and port 8080
#Hence all Traffic coming to $int_if port 8080 should be redirected to SQUID running on localhost:8080
#

no rdr on $int_if from any to 70.86.222.30
rdr on $int_if proto tcp from any to any port 8080 -> 127.0.0.1 port 8080

###Filter Rules.
###The last matching rule wins here for packets except when the quick word is used in which case Further rules are not processed.
#Starting with a Deny all Traffic Policy. Later rules open up the firewall for required traffic.

block all
pass in quick on $ext_if inet proto tcp from any to any port ssh keep state

#Blocking RFC1918 Traffic.
block in log quick on $ext_if from $priv_nets to any
block out log quick on $ext_if from any to $priv_nets
block out log quick on $ext_if from any to <bannedIPs>

#Allow all traffic on the localhost interface.

pass quick on lo0 all

#Allow Traffic from HIFX LAN to pass through the firewall & also allow traffic from firewall to enter the LAN.

pass in quick on $int_if from any to $int_if keep state
pass out quick on $int_if from $int_if to any keep state


pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from <hifxchn2> to any keep state

pass in quick on $int_if from $int_if:network to any keep state
pass out quick on $int_if from any to $int_if:network keep state



#Allow Traffic from Firewall to pass out to the Internet.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if2 proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass out on $ext_if2 proto { udp, icmp } all keep state


#ftp-proxy
anchor "ftp-proxy/*"
pass out proto tcp from $proxy to any port 21 keep state

#authpf
anchor authpf

Re: pfctl

2008-07-28 Thread Charlie Clark

openbsd misc wrote:

interesting point. How about dumping it to a file or something so you are
able to check what was loaded last time (e.g. a file with 400 under
/var/whatever)?

  
What I want is, I have a script that when I commit a ruleset with pfctl 
it uses pfctl to query the loaded rules and outputs that to a file, I 
get the rulesets there using fwbuilder, which loads the ruleset directly 
using pfctl, I have another script which checks the currently loaded 
ruleset against the file that my commit script creates and does a diff, 
if the ruleset hasn't been committed using my script (or doesn't match 
the file) after a minute, it will roll the rules back. This is good 
in case an admin loads a ruleset which locks them out. But I have no way 
to get my set to recognize changes to options so when I try to commit a 
ruleset using my script it thinks that I'm trying to commit the same 
ruleset.


Does this make more sense?




Re: pfctl

2008-07-28 Thread Charlie Clark

Almir Karic wrote:

diff of a loaded ruleset is not that useful (for humans) IMHO, a 
better way would be to diff the ruleset (possibly excluding the 
comments and spaces etc). even better way to do that would be to 
JustDoIt (no diff checking whatsoever, and let the admins reload the 
rule when they commit any changes to it.


With no diff it would mean that if the admin loaded a ruleset which 
locked him/her out, they would have to go to the box and change the 
rules, not ideal if you have a lot of boxes scattered over distances.
And if we diff'ed the ruleset, how could you be sure that the ruleset 
was loaded correctly, which means that the file it creates to compare 
newly loaded rulesets against might not have been the currently running 
config





Re: pfctl

2008-07-28 Thread Charlie Clark

> Then, if this is still
> such a big issue, you can write some scripts that will give you
> something along the lines of Junipers 'commit confirmed' .. you first
> enable a ruleset which will be automatically reverted in 5 or 10 (or
> however many you like) minutes. Then, if you don't lock yourself out,
> and your changes look good, you stop the revert from happening (ie,
> you 'commit confirmed').

I have, this is the script I am talking about, I want to know how to 
make the script know about option changes, eg. block policy, state 
policy and skip options.

> I wonder .. what would you do if that same admin that locked himself
> out did an accidental halt or rm -rf / ? Surely you have a means to
> fix that ? Why is the firewall so special ?

I have, the root is mounted readonly, and halt is not possible :)


--

Charlie Clark
Network Engineer

Lemon Computing Ltd
Unit 9
26-28 Priests Bridge
London
SW14 8TA
UK

Tel: +44 208 878 2138
Fax: +44 208 878 2163
Email: [EMAIL PROTECTED]
Site: http://www.lemon-computing.com/

Lemon Computing is a limited company registered in England & Wales under
Company No. 03697052



Re: pfctl

2008-07-28 Thread Charlie Clark

> don't you have some way to handle the other situations where pfctl -sr
> doesn't output exactly what pfctl -f was fed as input? how do you handle
> macros or the ruleset optimiser?

There are no macros as I'm using fwbuilder to build the ruleset and isn't the 
ruleset optimiser set using a set option, at the moment I cannot query any 
'set' options in my ruleset to compare new rulesets against.


--

Charlie Clark
Network Engineer

Lemon Computing Ltd
Unit 9
26-28 Priests Bridge
London
SW14 8TA
UK

Tel: +44 208 878 2138
Fax: +44 208 878 2163
Email: [EMAIL PROTECTED]
Site: http://www.lemon-computing.com/

Lemon Computing is a limited company registered in England & Wales under
Company No. 03697052



Re: pfctl

2008-07-28 Thread Charlie Clark

Stuart Henderson wrote:

> On 2008/07/28 11:37, Charlie Clark wrote:
>>> don't you have some way to handle the other situations where pfctl -sr
>>> doesn't output exactly what pfctl -f was fed as input? how do you handle
>>> macros or the ruleset optimiser?
>>
>> There are no macros as I'm using fwbuilder to build the
>> ruleset and isn't the ruleset optimiser set using a set
>> option,
>
> it's on by default.

In this case would 'pfctl -sr' or 'pfctl -sn' not show the new optimized 
ruleset?


--

Charlie Clark
Network Engineer

Lemon Computing Ltd
Unit 9
26-28 Priests Bridge
London
SW14 8TA
UK

Tel: +44 208 878 2138
Fax: +44 208 878 2163
Email: [EMAIL PROTECTED]
Site: http://www.lemon-computing.com/

Lemon Computing is a limited company registered in England & Wales under
Company No. 03697052



Re: pfctl

2008-07-28 Thread Charlie Clark

Stuart Henderson wrote:

> On 2008-07-28, Charlie Clark [EMAIL PROTECTED] wrote:
>> Stuart Henderson wrote:
>>> On 2008/07/28 11:37, Charlie Clark wrote:
>>>>> don't you have some way to handle the other situations where pfctl -sr
>>>>> doesn't output exactly what pfctl -f was fed as input? how do you handle
>>>>> macros or the ruleset optimiser?
>>>>
>>>> There are no macros as I'm using fwbuilder to build the
>>>> ruleset and isn't the ruleset optimiser set using a set
>>>> option,
>>>
>>> it's on by default.
>>
>> In this case would 'pfctl -sr' or 'pfctl -sn' not show the new optimized
>> ruleset?
>
> Yes, and it won't match what you fed it. So your diff will fail won't it?

No not if both of the files which are being compared were created using 
pfctl -s


--

Charlie Clark
Network Engineer

Lemon Computing Ltd
Unit 9
26-28 Priests Bridge
London
SW14 8TA
UK

Tel: +44 208 878 2138
Fax: +44 208 878 2163
Email: [EMAIL PROTECTED]
Site: http://www.lemon-computing.com/

Lemon Computing is a limited company registered in England & Wales under
Company No. 03697052



pfctl

2008-07-25 Thread Charlie Clark

Hi,

I have noticed that you are unable to view the currently loaded options 
for pf using pfctl, even 'pfctl -sa' doesn't show the options eg. set 
skip on tun0.
Is this going to be implemented soon or is it there and I'm missing 
something?


Regards,

--

Charlie Clark
Network Engineer

Lemon Computing Ltd
Unit 9
26-28 Priests Bridge
London
SW14 8TA
UK

Tel: +44 208 878 2138
Fax: +44 208 878 2163
Email: [EMAIL PROTECTED]
Site: http://www.lemon-computing.com/

Lemon Computing is a limited company registered in England & Wales under
Company No. 03697052



Re: pfctl

2008-07-25 Thread Charlie Clark

Stuart Henderson wrote:

> On 2008-07-25, Charlie Clark [EMAIL PROTECTED] wrote:
>> Hi,
>>
>> I have noticed that you are unable to view the currently loaded options
>> for pf using pfctl, even 'pfctl -sa' doesn't show the options eg. set
>> skip on tun0.
>> Is this going to be implemented soon or is it there and I'm missing
>> something?
>>
>> Regards,
>
> Someone asked about this recently.
> http://marc.info/?l=openbsd-misc&w=2&r=1&s=set+skip+pfctl&q=b

Yes sorry I posted this by accident, I still haven't got a valid 
solution for this though.


--

Charlie Clark
Network Engineer

Lemon Computing Ltd
Unit 9
26-28 Priests Bridge
London
SW14 8TA
UK

Tel: +44 208 878 2138
Fax: +44 208 878 2163
Email: [EMAIL PROTECTED]
Site: http://www.lemon-computing.com/

Lemon Computing is a limited company registered in England & Wales under
Company No. 03697052



Re: pfctl

2008-07-25 Thread Charlie Clark

Henning Brauer wrote:

> * Charlie Clark [EMAIL PROTECTED] [2008-07-25 14:41]:
>> Is this going to be implemented soon or is it there and I'm missing
>> something?
>
> that is probably never going to be implemented, as some options just
> affect further parsing and aren't loaded to the kernel.

OK, would there be any other way to query the options that were last 
loaded into pf?



Thanks,

--

Charlie Clark
Network Engineer

Lemon Computing Ltd
Unit 9
26-28 Priests Bridge
London
SW14 8TA
UK

Tel: +44 208 878 2138
Fax: +44 208 878 2163
Email: [EMAIL PROTECTED]
Site: http://www.lemon-computing.com/

Lemon Computing is a limited company registered in England & Wales under
Company No. 03697052
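
The commit-with-rollback idea from this thread, as an added example that is not any poster's script: because 'pfctl -sr' does not print 'set' options and, per the reply quoted above, some of them are never loaded into the kernel, this version compares a candidate against the saved source text of the last confirmed ruleset instead of against pfctl output. The state directory, the timeout variable and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script. STATE, TIMEOUT and the function
# names are hypothetical; assumes no '#' inside quoted strings in the file.
STATE=${STATE:-/var/db/pfcommit}    # hypothetical state directory
COMMITTED=$STATE/committed.conf     # source of the last confirmed ruleset
PENDING=$STATE/pending.conf         # loaded, waiting for confirm
TIMEOUT=${TIMEOUT:-60}              # seconds before automatic rollback

# Drop comments, blank lines and extra whitespace so only real edits count.
# 'set' lines survive: the source file is the one place they can be read.
normalize() {
    sed -e 's/#.*$//' -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' -e '/^$/d' "$1"
}

# Print only the option lines of a ruleset file.
options_of() { normalize "$1" | grep '^set ' || true; }

# Succeeds when CANDIDATE ($1) differs from COMMITTED ($2), options included.
ruleset_changed() {
    [ -f "$2" ] || return 0
    [ "$(normalize "$1")" != "$(normalize "$2")" ]
}

# Parse-check, load, then arm a timer that reloads the committed file unless
# confirm runs first. The token ties each timer to exactly one apply.
apply_with_rollback() {
    [ -f "$COMMITTED" ] || { echo "seed $COMMITTED first" >&2; return 1; }
    pfctl -nf "$1" || return 1
    ruleset_changed "$1" "$COMMITTED" || { echo "no change" >&2; return 2; }
    token="$$.$(date +%s)"
    cp "$1" "$PENDING" && echo "$token" > "$PENDING.token" || return 1
    pfctl -f "$1" || { rm -f "$PENDING" "$PENDING.token"; return 1; }
    ( trap '' HUP                   # survive the admin's session dropping
      sleep "$TIMEOUT"
      [ "$(cat "$PENDING.token" 2>/dev/null)" = "$token" ] || exit 0
      pfctl -f "$COMMITTED" && rm -f "$PENDING" "$PENDING.token"
    ) >/dev/null 2>&1 &
}

# Keep the running ruleset: its source becomes the new committed copy.
confirm() {
    [ -f "$PENDING" ] || return 1
    rm -f "$PENDING.token" && mv "$PENDING" "$COMMITTED"
}

case "${1:-}" in
    apply)   apply_with_rollback "$2" ;;
    confirm) confirm ;;
esac
```

Seed committed.conf with a copy of the ruleset file that is currently loaded before the first apply, so the rollback has a known-good file to reload.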



failed make on openssh 5.1

2008-07-22 Thread Charlie Farinella
I have been asked to upgrade OpenSSH on an OpenBSD 4.1 server from 4.6 
to 5.1.  I have followed the instructions at 
http://www.openssh.org/openbsd.html and am getting the error below 
during 'make'.  I have downloaded the source and the patch as 
instructed and followed these instructions to the letter:

# cd /usr/src/usr.bin
# tar xvfz .../openssh-5.1.tgz
# cd ssh
# patch -p0 < /path/to/openssh43_5.1.patch
# make obj
# make cleandir
# make depend
# make

Here are the results.  I don't know what the 'arc4random_uniform' error 
indicates, if someone can point me in the right direction, I'd 
appreciate the help.
===
cc   -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o 
sshconnect1.o sshconnect2.o 
mux.o -L/usr/src/usr.bin/ssh/ssh/../lib/obj -lssh -lgssapi -lkrb5 -lcrypto -lz 
-ldes
/usr/src/usr.bin/ssh/ssh/../lib/obj/libssh.a(dh.o)(.text+0x438): In 
function `choose_dh':
/usr/src/usr.bin/ssh/dh.c:166: undefined reference to 
`arc4random_uniform'
collect2: ld returned 1 exit status
*** Error code 1

Stop in /usr/src/usr.bin/ssh/ssh (line 95 of /usr/share/mk/bsd.prog.mk).
*** Error code 1
===

thanks,

--charlie

-- 

Charles Farinella 
Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
[EMAIL PROTECTED]
voice: 603.924.6079   fax: 603.924.8668



Re: failed make on openssh 5.1

2008-07-22 Thread Charlie Farinella
On Tuesday 22 July 2008, Charlie Farinella wrote:
> I have been asked to upgrade OpenSSH on an OpenBSD 4.1 server from 4.6
> to 5.1.  I have followed the instructions at
> http://www.openssh.org/openbsd.html and am getting the error below
> during 'make'.  I have downloaded the source and the patch as
> instructed and followed these instructions to the letter:

To answer my own question, no sooner had I hit 'send' than I noticed the 
patch number indicated 4.3.  I have downloaded OpenSSH 5.0, the 
appropriate 4.1 - 5.0  patch and all is well.

Sorry for the noise.

--charlie

> # cd /usr/src/usr.bin
> # tar xvfz .../openssh-5.1.tgz
> # cd ssh
> # patch -p0 < /path/to/openssh43_5.1.patch
> # make obj
> # make cleandir
> # make depend
> # make
>
> Here are the results.  I don't know what the 'arc4random_uniform' error
> indicates, if someone can point me in the right direction, I'd
> appreciate the help.
> ===
> cc   -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o
> sshconnect1.o sshconnect2.o
> mux.o -L/usr/src/usr.bin/ssh/ssh/../lib/obj -lssh -lgssapi -lkrb5 -lcrypto -lz
> -ldes
> /usr/src/usr.bin/ssh/ssh/../lib/obj/libssh.a(dh.o)(.text+0x438): In
> function `choose_dh':
> /usr/src/usr.bin/ssh/dh.c:166: undefined reference to
> `arc4random_uniform'
> collect2: ld returned 1 exit status
> *** Error code 1
>
> Stop in /usr/src/usr.bin/ssh/ssh (line 95 of /usr/share/mk/bsd.prog.mk).
> *** Error code 1
> ===
>
> thanks,
>
> --charlie
>
> --
>
> Charles Farinella
> Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
> [EMAIL PROTECTED]
> voice: 603.924.6079   fax: 603.924.8668
 
 
 



-- 

Charles Farinella 
Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
[EMAIL PROTECTED]
voice: 603.924.6079   fax: 603.924.8668



pfctl

2008-07-14 Thread Charlie Clark

Hi,

I have noticed that you are unable to view the currently loaded options 
for pf using pfctl, even 'pfctl -sa' doesn't show the options eg. set 
skip on tun0.
Is this going to be implemented soon or is it there and I'm missing 
something?


Regards,

--

Charlie Clark
Network Engineer

Lemon Computing Ltd
Unit 9
26-28 Priests Bridge
London
SW14 8TA
UK

Tel: +44 208 878 2138
Fax: +44 208 878 2163
Email: [EMAIL PROTECTED]
Site: http://www.lemon-computing.com/



openospfd default routes

2008-05-16 Thread Charlie Allom
Hi,

I am trying to set up an active/active routing firewall setup with OSPF
so it load shares the traffic equally.

I have created a test lab with IOS ASBRs that have
`default-information originate always` so I then can see 2 routes to
0.0.0.0/0.0.0.0 via 2 routes.

It seems there is a limitation with *bsd's kernels in that they do not
allow for ECMP routing. ie, they can have only one default route at one
time.

Does OpenOSPFd work around this (and I've just got my setup wrong) or
is the sad truth that OSPF prefixes will work, except for the
default route? (ie quagga on *bsd has this issue).

Cheers.
  C.
-- 
 020 7729 4797
 http://devblog.playlouder.com/



Re: Dell sc440 / broadcom bcm5754 nic [resolution]

2007-07-25 Thread Charlie Farinella
On Tuesday 24 July 2007, Chris Kuethe wrote:
> On 7/24/07, Charlie Farinella [EMAIL PROTECTED] wrote:
>> Thank you, I think this will solve my problem, but I have no idea how to
>> proceed.  I assume I need to recompile the kernel and swap out the new
>> if_bge.c file for the one included with the OS.  Is that correct?  I've
>> looked briefly at docs and some how-to's but haven't seen any specific
>> instructions.  If anyone knows of some documentation for this, a
>> pointer would be appreciated.
>
> much like the instructions at the beginning of other patches...
> general information on how to patch an openbsd is in the FAQ
> http://www.openbsd.org/faq/faq10.html#Patches
> http://www.openbsd.org/faq/faq5.html#Building

For anyone else with the same problem:

I ended up downloading the entire /sys directory from current, then 
compile and install.  That worked!

Thanks to all for your help.  :-)

> let me know if this doesn't apply or doesn't work.
>
> save the diff below (into /tmp/bgediff, for example)
> cd /sys/dev/pci
> patch -C < /tmp/bgediff (check that the diff would apply correctly)
> patch < /tmp/bgediff
> cd /sys/arch/i386/conf/   (assuming you're running i386)
> config GENERIC
> cd ../compile/GENERIC
> make clean depend bsd
> make install
> reboot
 
 
 Index: if_bge.c
 ===
 RCS file: /cvs/src/sys/dev/pci/if_bge.c,v
 Retrieving revision 1.211
 Retrieving revision 1.212
 server -u -N -p -r1.211 -r1.212 if_bge.c
 --- if_bge.c  24 Jul 2007 14:42:551.211
 +++ if_bge.c  24 Jul 2007 14:42:551.212
 @@ -1384,16 +1384,21 @@ bge_blockinit(struct bge_softc *sc)
   }
 
   /*
 -  * Set the BD ring replentish thresholds. The recommended
 +  * Set the BD ring replenish thresholds. The recommended
* values are 1/8th the number of descriptors allocated to
* each ring.
*/
   i = BGE_STD_RX_RING_CNT / 8;
 
 - /* Use a value of 8 for these chips to workaround HW errata */
 + /*
 +  * Use a value of 8 for the following chips to workaround HW errata.
 +  * Some of these chips have been added based on empirical
 +  * evidence (they don't work unless this is done).
 +  */
   if (BGE_ASICREV(sc-bge_chipid) == BGE_ASICREV_BCM5750 ||
   BGE_ASICREV(sc-bge_chipid) == BGE_ASICREV_BCM5752 ||
 - BGE_ASICREV(sc-bge_chipid) == BGE_ASICREV_BCM5755)
 + BGE_ASICREV(sc-bge_chipid) == BGE_ASICREV_BCM5755 ||
 + BGE_ASICREV(sc-bge_chipid) == BGE_ASICREV_BCM5787)
   i = 8;
 
   CSR_WRITE_4(sc, BGE_RBDI_STD_REPL_THRESH, i);
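
Review bot: the new comment above the if in bge_blockinit() says some chips were added on empirical evidence but does not say which ones; since this hunk adds only BGE_ASICREV_BCM5787 to the condition, name it in the comment so a later reader can tell the documented errata cases from the observed one. The condition is now a four-way chain of BGE_ASICREV() comparisons, and a switch on the ASIC revision would be easier to extend the next time a chip needs the threshold of 8. The "replentish" to "replenish" spelling fix is unrelated to the functional change and would be cleaner as a separate commit.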
 
 -- 
 GDB has a 'break' feature; why doesn't it have 'fix' too?
 
 
 



-- 

Charles Farinella 
Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
[EMAIL PROTECTED]
voice: 603.924.6079   fax: 603.924.8668



Re: Dell sc440 / broadcom bcm5754 nic

2007-07-24 Thread Charlie Farinella
On Thursday 19 July 2007, David Gwynne wrote:
> On Thu, Jul 19, 2007 at 10:47:55AM -0400, Charlie Farinella wrote:
>> Our company has purchased 3 of these servers, and I would like very much
>> to get the onboard nic working on at least one of them.
>>
>> I have installed OpenBSD 4.1 and it seems to recognize the interface
>> correctly and use the correct driver ( bge )  for it, but it is not
>> responsive.  It will not connect to our network at all.  Googling tells
>> me some others have had the same problem, but I haven't found any
>> solutions so far.
>
> If you apply revision 1.212 of src/sys/dev/pci/if_bge.c then your nic
> will start working.
>
> dlg

Thank you, I think this will solve my problem, but I have no idea how to 
proceed.  I assume I need to recompile the kernel and swap out the new 
if_bge.c file for the one included with the OS.  Is that correct?  I've 
looked briefly at docs and some how-to's but haven't seen any specific 
instructions.  If anyone knows of some documentation for this, a 
pointer would be appreciated.

thanks again.
 
  
>> ifconfig output looks normal, dmesg provides:
>> ==
>> bge0 at pci4 dev 0 function 0 Broadcom BCM5754 rev 0x02, BCM5787 A2
>> (0xb002):
>> irq 10, address 00:1a:a0:24:03:ef
>> brgphy0 at bge0 phy 1: BCM5787 10/100/1000baseT PHY, rev.0
>> ==
>> Pointers, etc. would be a big help.
>>
>> Thanks,
>>
>> --charlie
>>
>> --
>>
>> Charles Farinella
>> Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
>> [EMAIL PROTECTED]
>> voice: 603.924.6079   fax: 603.924.8668
 
 
 



-- 

Charles Farinella 
Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
[EMAIL PROTECTED]
voice: 603.924.6079   fax: 603.924.8668



Dell sc440 / broadcom bcm5754 nic

2007-07-19 Thread Charlie Farinella
Our company has purchased 3 of these servers, and I would like very much 
to get the onboard nic working on at least one of them.  

I have installed OpenBSD 4.1 and it seems to recognize the interface 
correctly and use the correct driver ( bge )  for it, but it is not 
responsive.  It will not connect to our network at all.  Googling tells 
me some others have had the same problem, but I haven't found any 
solutions so far.

ifconfig output looks normal, dmesg provides:
==
bge0 at pci4 dev 0 function 0 Broadcom BCM5754 rev 0x02, BCM5787 A2 
(0xb002):
irq 10, address 00:1a:a0:24:03:ef
brgphy0 at bge0 phy 1: BCM5787 10/100/1000baseT PHY, rev.0
==
Pointers, etc. would be a big help.

Thanks,

--charlie

-- 

Charles Farinella 
Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
[EMAIL PROTECTED]
voice: 603.924.6079   fax: 603.924.8668