Re: Supporting the OpenBSD Project through a Registered Charity
On 2023-08-29 21:14:43 Stuart Henderson wrote:
>On 2023-08-29, Katherine Mcmillan wrote:
>> To clarify, I'm looking for something with a similar structure at the US
>> PostgreSQL Association (which is a registered 501(c)(3) public charitable
>> entity), but for BSD or OpenBSD.
>
>I'm pretty sure there is nothing for OpenBSD like this.

Perhaps SPI (Software in the Public Interest) provides this capability
(if I understand correctly). I discovered this when I tried to donate to
Libreoffice, which is headquartered in Germany.

From SPI's wikipedia page:

    Software in the Public Interest, Inc. (SPI) is a US 501(c)(3)
    non-profit organization domiciled in New York State formed to help
    other organizations create and distribute free open-source software
    and open-source hardware. Anyone is eligible to apply for membership,
    and contributing membership is available to those who participate in
    the free software community.

Their web page is: www.spi-inc.org

As nearly as I can tell, SPI handles all the paperwork and interactions
with the IRS, and allows people in the U.S. to donate to a 501(c)3. This
gives the donor a tax benefit. Donors who are used to donating through a
Donor Advised Fund are restricted by the DAF to 501(c)3 recipients. So
OpenBSD might possibly attract some new donors.

Katherine Mcmillan mentioned PostgreSQL. I see on
https://www.spi-inc.org/projects/ that PostgreSQL is one of the projects
that already use SPI for its donations.

The downside is that SPI charges 5% for this service. It looks to me like
Paypal and the credit cards charge about half that, but they don't provide
501(c)3 status.

I have no connection with SPI, other than donating through them, and I
don't know for sure how easy it would be for OpenBSD to interact with
them. And I am not advocating for them, just mentioning their existence on
the off chance that people were not familiar with them.

--
Sent with https://mailfence.com
Secure and private email
Re: File transfer using ftp from bsd.rd booted system
On Aug 28 06:34:01, Jan Stary wrote:
>On Aug 27 22:56:59, ch...@mailfence.com wrote:
>> I would like be able to transfer files over ethernet from a system
>> that has been booted from bsd.rd
>
>Why do you need that?
>
>(The only case where I want to have files from a bsd.rd boot
>is a dmesg of a machine I am looking at, without installing.
>Which I save on the media I booted from.)

I do indeed desire this capability in order to save a dmesg from a system
booted from bsd.rd. I would prefer not to use a usb flash drive because of
concerns about BadUSB attacks. I can't save the file on the CD which I
booted from, hence my desire to use ethernet.

However, after some thought, I realized that I could use dd to save the
file to an un-allocated portion of the hard drive, and then read it back
after booting a different OS.

So I've got the dmesg, which I'll include in a post to come soon, about my
inability to get the installed system to boot.

--
Sent with https://mailfence.com
Secure and private email
File transfer using ftp from bsd.rd booted system
Hello,

TL;DR: I would like to be able to transfer files over ethernet from a
system that has been booted from bsd.rd, to an installed OpenBSD system.
This does not seem to be possible. If it is somehow possible, because I am
missing something, or perhaps because there is an undocumented feature
that allows it, I would appreciate any pointers.

More details:

On any installed OpenBSD system, if one types 'ftp', one gets a prompt,
and then can issue 'open' or other commands. The complete list of
possibilities is:

    ftp [-46AadEegiMmnptVv] [-D title] [-k seconds] [-P port] [-r seconds]
        [-s sourceaddr] [host [port]]
    ftp [-C] [-N name] [-o output] [-s sourceaddr]
        ftp://[user:password@]host[:port]/file[/] ...
    ftp [-CTu] [-c cookie] [-N name] [-o output] [-S ssl_options]
        [-s sourceaddr] [-U useragent] [-w seconds]
        http[s]://[user:password@]host[:port]/file ...
    ftp [-C] [-N name] [-o output] [-s sourceaddr] file:file ...
    ftp [-C] [-N name] [-o output] [-s sourceaddr] host:/file[/] ...

The first option is the one that I need.

On a system booted from bsd.rd, however, if one enters 'ftp', one gets a
"usage" response, informing you that 'ftp' requires arguments, and that
just 'ftp' is not an acceptable command line on that system. The response
is:

    usage: ftp [-N name] [-o output] ftp://[user:password@]host[:port]/file[/] ...
           ftp [-N name] [-o output] [-S ssl_options] [-w seconds]
               http[s]://[user:password@]host[:port]/file ...
           ftp [-N name] [-o output] [-s sourceaddr] file:file ...
           ftp [-N name] [-o output] [-s sourceaddr] host:/file[/] ...

So the first option, which would allow sending a file, is absent.

I can't solve the problem by running ftpd on the bsd.rd system, because
ftpd is not there (understandably, room is tight). Similarly neither ssh
nor sshd is available either.

Please note, I am not complaining about the (possible) lack of a
capability; it may well be that it was intentionally left out. I just want
to know if I am missing something that would allow me to transfer a file
using ftp.

Thanks

--
Sent with https://mailfence.com
Secure and private email
Re: PF: Redirect SOCKS connections to another server on a different net
Below comes the solution to this problem. For the explanations on why it
works, you may refer to the original answer [1].

# sysctl net.inet.ip.forwarding=1
# cat /etc/pf.conf
...
pass in on re0 proto tcp from any to (re0) port 1080 rdr-to 10.64.0.1 tag nat
pass out on wg0 proto tcp nat-to (wg0) tagged nat
...

[1] https://marc.info/?l=openbsd-pf&m=168215778109013&w=2

Cheers,
Charlie
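
A narrower variant of the two rules in the message above, added here as an example and not part of the original post. It assumes the home LAN is the network directly attached to re0; the macro names and the tag name SOCKS_FWD are illustrative, while the interfaces, addresses and port are the ones from the thread.

```conf
# /etc/pf.conf fragment (added example, not from the original post).
# Assumption: the home network is the subnet configured on re0.
# Macro names and the tag SOCKS_FWD are hypothetical.
lan_if     = "re0"
vpn_if     = "wg0"
socks_peer = "10.64.0.1"
socks_port = "1080"

# As posted: the redirect accepts TCP from any source arriving on re0,
# and the outbound rule translates any tagged TCP leaving wg0.
#   pass in  on re0 proto tcp from any to (re0) port 1080 rdr-to 10.64.0.1 tag nat
#   pass out on wg0 proto tcp nat-to (wg0) tagged nat

# Scoped form: only hosts on the re0 subnet may use the redirect ...
pass in on $lan_if inet proto tcp from $lan_if:network \
    to ($lan_if) port $socks_port \
    rdr-to $socks_peer tag SOCKS_FWD

# ... and only tagged connections headed for the proxy itself are
# source-translated to the wg0 address.
pass out on $vpn_if inet proto tcp to $socks_peer port $socks_port \
    nat-to ($vpn_if) tagged SOCKS_FWD

# Checks after editing:
#   pfctl -nf /etc/pf.conf    parse the ruleset without loading it
#   pfctl -f /etc/pf.conf     load it
#   pfctl -ss                 list states; a forwarded connection shows
#                             both the rdr-to and the nat-to translation
```

The sysctl net.inet.ip.forwarding=1 setting from the message is still required, since the redirected packets are routed from re0 to wg0.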
PF: Redirect SOCKS connections to another server on a different net
On an OpenBSD 7.2 system, I have access to a SOCKS proxy server through
VPN. After the VPN connection is established, any program that supports
SOCKS proxy can reach it by setting the relevant local VPN address,
10.64.0.1, and the usual port number 1080.

I want to share the access to this proxy server on my OpenBSD machine with
other systems in my home network. So basically what I want is to open a
1080 port on the OpenBSD server and redirect it to the local VPN address
10.64.0.1. I have been successful in doing so with the help of the "socat"
program:

$ socat tcp-listen:1080,bind=192.168.1.10,reuseaddr,fork \
        tcp:10.64.0.1:1080

I would very much like to replace the above command with pf rule(s). All
the combinations I tried with "rdr-to", "nat-to", "divert-to", "synproxy
state", etc. did not work.

Could someone kindly point me in the right direction (pun intended)?
Below is an illustration of my setup and the desired forwarding.

[ASCII diagram: the OpenBSD system has two interfaces, re0
(192.168.1.0/24) and wg0 (10.76.150.11/32); wg0 connects over the VPN to
10.64.0.1; desired forwarding: re0 :1080 <===> 10.64.0.1 :1080]

Cheers,
Charlie
Gigenet Mirror x*69.tgz Failing to Verify Sets
Hi, Currently the gigenet mirror is failing to verify for all four X packages on snapshot. They verify fine when I point it towards cdn.openbsd.org, but this is the case for both when trying to install from both bsd.rd and an install iso. This is in a VM but I wouldn't see how that'd affect it. Oddly enough, I just upgraded my personal machine earlier today without any issues. Not sure what would need to be done about it, but I figured someone oughta be told! Best Regards, Charlie Burnett
Re: Chromium with WebAssembly flavor?
Ah, well now I feel dumb... my sincere apologies for the spam then. Thanks
for the help, I had no idea! :)

On Sat, Jan 30, 2021 at 7:40 AM Thomas Frohwein wrote:

> On Fri, Jan 29, 2021 at 09:44:26PM -0600, Charlie Burnett wrote:
> > Hi,
> > I wasn't sure if this was worthy of ports or not, so I wanted to throw
> > this out here first. I don't like Zoom, and I understand WebAssembly
> > has some inherent issues in it, but I imagine a good number of people
> > don't have a choice and have to use it as well in light of the current
> > state of things. On top of this, Citrix apps need it enabled as well.
> > Wouldn't it be reasonable to make a flavor with ENABLE_WASM set for
> > chromium then?
>
> I think you misunderstand how this works. ENABLE_WASM is for the runtime
> environment; you don't need to rebuild the whole port. In fact, if set
> ENABLE_WASM for a build of the port, it likely still won't enable
> WebAssembly.
>
> Take an example webpage that checks for WebAssembly (for example [1]):
>
> $ chrome
>
> => "WebAssembly is not supported in your browser"
>
> $ ENABLE_WASM=1 chrome
>
> => "WebAssembly is supported in your browser"
>
> > Compiling chrome manually with the flag is a beast, and my laptop will
> > usually throw a kernel panic before it'll finish compiling, plus as a
> > package it's updated quite regularly which means it needs to be
> > recompiled quite regularly.
> > Best regards,
> > Charlie
>
> [1] https://d2jta7o2zej4pf.cloudfront.net/
Chromium with WebAssembly flavor?
Hi, I wasn't sure if this was worthy of ports or not, so I wanted to throw this out here first. I don't like Zoom, and I understand WebAssembly has some inherent issues in it, but I imagine a good number of people don't have a choice and have to use it as well in light of the current state of things. On top of this, Citrix apps need it enabled as well. Wouldn't it be reasonable to make a flavor with ENABLE_WASM set for chromium then? Compiling chrome manually with the flag is a beast, and my laptop will usually throw a kernel panic before it'll finish compiling, plus as a package it's updated quite regularly which means it needs to be recompiled quite regularly. Best regards, Charlie
DHCPD issue
Hi,

I've set up a good deal of openbsd firewalls in a professional environment
before with little to no issue. I'm trying to set one up for me personally
though, and am having some bizarre issues, with no clue where to begin
trying to fix them. This is on an APU unit from PC Engines. I've managed
to figure out a couple things when trying to debug this:

1. I cannot connect to the internet properly unless only em0 (which is the
   ethernet port I have connected to the external network) has a hostname
   file- I have to either add back the hostname files after boot and run
   /etc/netsetup or manually set up the internal network ports through
   ifconfig.
2. Even once the box is connected properly to the network, it's seemingly
   unable to assign leases to other clients, attempting to connect to it
   through another OpenBSD machine results in it timing out while getting
   a lease.
3. Using the same exact config, I ran it behind a standard proprietary
   router (linksys) that connects fine externally. Using that, the box
   functions as expected.
4. Using an openwrt router I get similar errors.
5. I'm using both config that I've used on external networks as well as
   subnetworks on a corporate network that worked, and the default config
   from the setting up a router page for a sanity check.
6. I assumed it was DHCP, but nonetheless as a sanity check I had pf pass
   through anything and everything, worked internally as well as
   externally.

I'm at a complete loss- seeing as it occurs on openwrt I assume that it's
probably because of however the hell my landlord set up the network, but
anyone remotely have an idea how to begin debugging this? I don't like
particularly having a proprietary router running especially without a
firewall I trust.

Best,
Charlie
AMDGPU Bug
Hi,

I'm still getting the issue from earlier where X freezes entirely and I
can't get it to work, though I've got no clue what's triggering it now,
there seem to be no *regular* outputs to /var/log/messages with the crash.
However, I was trying to trigger the bug earlier so I could hopefully
provide more information, and I got the same
VM_L2_PROTECTION_FAULT_STATUS as before, but now with an added
"[drm] *ERROR* Failed to initialize parser -88!". Here I tried running
blender to put some load on the GPU. I say new because I was able to fix
this bug by restarting X, and my display got real buggy though I was able
to still move the cursor, although not interact with it. I can send a
picture of the display if that's helpful, though it seemed to just have
random pixels all over the screen. Below is the error that got kicked out
when doing this, though I can't see any difference from last time.

drm:pid27591:gmc_v9_0_process_interrupt *ERROR* [gfxhub0] retry page fault (src_id:0 ring:0 vmid:3 pasid:32820, for process pid 0 thread gnome-shell pid 37788)
drm:pid27591:gmc_v9_0_process_interrupt *ERROR* in page starting at address 0x800108a64000 from client 27
drm:pid27591:gmc_v9_0_process_interrupt *ERROR* VM_L2_PROTECTION_FAULT_STATUS:0x003C0041
drm:pid27591:gmc_v9_0_process_interrupt *ERROR* MORE_FAULTS: 0x1
drm:pid27591:gmc_v9_0_process_interrupt *ERROR* WALKER_ERROR: 0x0
drm:pid27591:gmc_v9_0_process_interrupt *ERROR* PERMISSION_FAULTS: 0x4
drm:pid27591:gmc_v9_0_process_interrupt *ERROR* MAPPING_ERROR: 0x0
drm:pid27591:gmc_v9_0_process_interrupt *ERROR* RW: 0x1

Let me know if there's any other info I can give that would help! :)
Re: AMDGPU
For sure, whatever helps!

Jun 27 18:58:21 tabr /bsd: [drm] *ERROR* sdma_v4_0: Failed to load firmware "amdgpu/vega20_sdma.bin"
Jun 27 18:58:21 tabr /bsd: [drm] *ERROR* Failed to load sdma firmware!
Jun 27 18:58:21 tabr /bsd: drm:pid0:psp_v11_0_init_microcode *ERROR* psp v11.0: Failed to load firmware "amdgpu/vega20_sos.bin"
Jun 27 18:58:21 tabr /bsd: [drm] *ERROR* Failed to load psp firmware!
Jun 27 18:58:21 tabr /bsd: [drm] *ERROR* sw_init of IP block failed -2
Jun 27 18:58:21 tabr /bsd: drm:pid0:amdgpu_device_init *ERROR* amdgpu_device_ip_init failed
Jun 27 18:58:21 tabr /bsd: drm:pid0:amdgpu_attachhook *ERROR* Fatal error during GPU init

That's with the old firmware, and yeah that's with the newest firmware. I
had to use newer firmware on your newdrm branch as well. Let me know how I
can help! :)

On Mon, Jun 29, 2020 at 11:50 PM Jonathan Gray wrote:

> On Mon, Jun 29, 2020 at 11:13:49PM -0500, Charlie Burnett wrote:
> > Hi,
> >
> > Wasn’t sure who to tell this to, but with Vega 20 hardware under
> > -current, there is an issue with the firmware, where it cannot load.
> > Manually installing the latest amdgpu firmware from kernel.org fixes
> > this seemingly.
>
> can you show the output when the 20200421 firmware failed to load?
> you are referring to the following in linux-firmware 20200619 and later?
>
> commit f73f82cd4b7506a22a9aa1aa19e009fac3092eef
> Author: Alex Deucher
> Date:   Mon Jun 15 17:33:26 2020 -0400
>
>     amdgpu: add vega20 TA firmware from 20.20 release
>
>     Based on internal commit:
>     c6aa2bdaa30af815fc257f2b0e50f6c66d74045c
>
>     Signed-off-by: Alex Deucher
>     Signed-off-by: Josh Boyer
>
>  amdgpu/vega20_ta.bin | Bin 0 -> 54016 bytes
>  1 file changed, 0 insertions(+), 0 deletions(-)
>
> commit 9ecaba882d78501d2ab2f6bd9407409128b351ed
> Author: Alex Deucher
> Date:   Mon Jun 15 17:30:20 2020 -0400
>
>     amdgpu: update vega20 firmware from 20.20 release
>
>     Based on internal commit:
>     c6aa2bdaa30af815fc257f2b0e50f6c66d74045c
>
>     Signed-off-by: Alex Deucher
>     Signed-off-by: Josh Boyer
>
>  amdgpu/vega20_asd.bin   | Bin 147968 -> 160256 bytes
>  amdgpu/vega20_ce.bin    | Bin 9344 -> 9344 bytes
>  amdgpu/vega20_me.bin    | Bin 17536 -> 17536 bytes
>  amdgpu/vega20_mec.bin   | Bin 268048 -> 268048 bytes
>  amdgpu/vega20_mec2.bin  | Bin 268048 -> 268048 bytes
>  amdgpu/vega20_pfp.bin   | Bin 21632 -> 21632 bytes
>  amdgpu/vega20_sdma.bin  | Bin 17408 -> 17408 bytes
>  amdgpu/vega20_sdma1.bin | Bin 17408 -> 17408 bytes
>  amdgpu/vega20_smc.bin   | Bin 262912 -> 262912 bytes
>  amdgpu/vega20_sos.bin   | Bin 170896 -> 174992 bytes
>  10 files changed, 0 insertions(+), 0 deletions(-)
>
> > There's also an issue that I've been unable to figure out for a while
> > here as well, in that undergoing a CPU intensive task will freeze up
> > the entire system. Disabling all power management options and setting
> > the amdgpu_vm_update_mode to 3 lessens the occurrence of this, and
> > using an HDMI connection instead of a DisplayPort with said
> > modifications seemingly eliminates it. Just switching
> > amdgpu_vm_update_mode to 3 without anything else leads to issues, in
> > which when launching X in which only a small square of seemingly
> > random pixels are displayed. Using a vanilla kernel, only "Waiting for
> > fences timed out!" appears. However, turning on amdgpu_debug_vm in
> > amdgpu_drv.c will output quite a few DRM errors for
> > "gmc_v9_0_process_interrupt", sometimes in the tens of thousands. Any
> > hang ups require a hard reboot. With amdgpu_vm_update_mode set to 3,
> > the crash occurs differently in that whichever windows are using a
> > bunch of GPU/CPU time turn a lime green color. They're completely
> > functional at first, however if I keep putting heavy loads on both the
> > screen becomes pixelated on any changed pixels for those windows. I
> > have a huge amount of logs for these, however from a couple weeks of
> > trying to fix it myself they didn't offer much beyond what was stated
> > in this email.
>
> this is similar to what is seen on vega10 and other parts
AMDGPU
Hi, Wasn’t sure who to tell this to, but with Vega 20 hardware under -current, there is an issue with the firmware, where it cannot load. Manually installing the latest amdgpu firmware from kernel.org fixes this seemingly. There's also an issue that I've been unable to figure out for a while here as well, in that undergoing a CPU intensive task will freeze up the entire system. Disabling all power management options and setting the amdgpu_vm_update_mode to 3 lessens the occurrence of this, and using an HDMI connection instead of a DisplayPort with said modifications seemingly eliminates it. Just switching amdgpu_vm_update_mode to 3 without anything else leads to issues, in which when launching X in which only a small square of seemingly random pixels are displayed. Using a vanilla kernel, only "Waiting for fences timed out!" appears. However, turning on amdgpu_debug_vm in amdgpu_drv.c will output quite a few DRM errors for "gmc_v9_0_process_interrupt", sometimes in the tens of thousands. Any hang ups require a hard reboot. With amdgpu_vm_update_mode set to 3, the crash occurs differently in that whichever windows are using a bunch of GPU/CPU time turn a lime green color. They're completely functional at first, however if I keep putting heavy loads on both the screen becomes pixelated on any changed pixels for those windows. I have a huge amount of logs for these, however from a couple weeks of trying to fix it myself they didn't offer much beyond what was stated in this email. Best regards, Charlie
Re: Help, i want to ask if my Asus Vivobook Ryzen 3 , Vega 3 can run openbsd
Ryzen 3 Vega is based on the Raven architecture, which has worked for me
on machines before so I'm not sure you'd have much issue with it, I'd
imagine it'd just work "out of the box". Wireless is up in the air, since
the card didn't seem to be listed on the specifications online.

On Mon, May 25, 2020 at 10:49 AM flint pyrite wrote:

> You probably should check for wifi compatibility.
>
> On Sun, May 24, 2020 at 9:50 PM Digital Crow wrote:
>
> > Help, i want to ask if my Asus Vivobook Ryzen 3 , Vega 3 can run openbsd
> > I have problems with freebsd i can't run xorg it has a problem with efi
> > framebuffer and amdgpu driver.
> > It seems that this laptop can boot only efi partitions there's no
> > setting on bios about csm or anything else related to it.
> > Is it possible openbsd would work ?
> > Also is the process the same as freebsd ?
> > I need to install drm-kmod and add kld_list amdgpu on rc.conf
> > The openbsd installer create efi boot partition ?
> > I think this laptop can boot only efi partitions
Process Isolation
Hey y'all,

Sorry if this has been answered before but I couldn't find a satisfactory
answer searching for it, and this is more of an academic question. So
security focused Linux distros like Qubes go to extremes to
compartmentalize/isolate any and all programs it can. FreeBSD has its
jail program which is seemingly the gold standard for process isolation
when you can't be bothered to go to the extent Qubes does. I've been
trying to read as much OpenBSD source as I can as I find some of the
security tricks y'all've come up with damn interesting. I know that once
upon a time we had sysjail, but nowadays we just have chroot which most
systems do. What is OpenBSD's solution to this? I'm sure I've read through
it I just didn't realize the purpose. I apologize if this was a question
I've somehow missed the answer to!
Re: wpa_supplicant error
Well, I at least have a tangible error now. Observing through wpa_cli, I
get the following:

<3>CTRL-EVENT-EAP-STATUS status=‘eap parameter needed’ parameter=‘PASSWORD’
<3>CTRL-REQ-PASSWORD-0: Password needed for SSID eduroam
<3>CTRL-EVENT-EAP-FAILURE EAP authentication failed
Authentication with $BSSID timed out.

Out of curiosity I switched it to WPA2-PSK and it says it successfully
associated, however I can’t ping anything and trying to use dhclient just
results in it timing out/sleeping.

I know my password is correct as well

On Mon, Feb 3, 2020 at 4:42 AM Raf Czlonka wrote:

> On Sun, Feb 02, 2020 at 09:42:52PM GMT, Charlie Burnett wrote:
> > Hey @misc,
> > I've used OpenBSD on my desktop and server for a while, however they
> > both have an Ethernet connection. I recently got my hands on a thinkpad
> > x1 6th gen in order to ensure compatibility with OpenBSD. I can connect
> > fine via the /etc/hostname.if with /etc/netstart, however I need to be
> > able to connect to eduroam for class. I was using linux on my past
> > laptop, however I connected through wpa_supplicant on it. I copied my
> > wpa_supplicant.conf over, however whenever I try to connect to a
> > network I get hung up in the same spot. The conf works fine on linux,
> > so the credentials are correct.
>
> Hi Charlie,
>
> eduroam works just fine on OpenBSD with wpa_supplic
Re: wpa_supplicant error
Well, I’m a dumbass. I just needed to swap out “psk” for “password” in my
file. All working now.

On Tue, Feb 4, 2020 at 4:59 PM Charlie Burnett wrote:

> Well, I at least have a tangible error now. Observing through wpa_cli, I
> get the following:
> <3>CTRL-EVENT-EAP-STATUS status=‘eap parameter needed’ parameter=‘PASSWORD’
> <3>CTRL-REQ-PASSWORD-0: Password needed for SSID eduroam
> <3>CTRL-EVENT-EAP-FAILURE EAP authentication failed
> Authentication with $BSSID timed out.
>
> Out of curiosity I switched it to WPA2-PSK and it says it successfully
> associated, however I can’t ping anything and trying to use dhclient just
> results in it timing out/sleeping.
>
> I know my password is correct as well
>
> On Mon, Feb 3, 2020 at 4:42 AM Raf Czlonka wrote:
>
>> On Sun, Feb 02, 2020 at 09:42:52PM GMT, Charlie Burnett wrote:
>> > Hey @misc,
>> > I've used OpenBSD on my desktop and server for a while, however they
>> > both have an Ethernet connection. I recently got my hands on a
>> > thinkpad x1 6th gen in order to ensure compatibility with OpenBSD. I
>> > can connect fine via the /etc/hostname.if with /etc/netstart, however
>> > I need to be able to connect to eduroam for class. I was using linux
>> > on my past laptop, however I connected through wpa_supplicant on it. I
>> > copied my wpa_supplicant.conf over, however whenever I try to connect
>> > to a network I get hung up in the same spot. The conf works fine on
>> > linux, so the credentials are correct.
Re: wpa_supplicant error
Yep I've been using that for a while, however I don't believe it's
possible to connect to eduroam through hostname.if config files :/

On Sun, Feb 2, 2020 at 4:01 PM Edgar Pettijohn wrote:

> Try without wpa_supplicant
>
> /etc/hostname.iwm0
> nwid yournwid wpakey yourwpakey
> dhcp
>
> sh /etc/netstart
>
> On Feb 2, 2020 3:42 PM, Charlie Burnett wrote:
> >
> > Hey @misc,
> > I've used OpenBSD on my desktop and server for a while, however they
> > both have an Ethernet connection. I recently got my hands on a thinkpad
> > x1 6th gen in order to ensure compatibility with OpenBSD. I can connect
> > fine via the /etc/hostname.if with /etc/netstart, however I need to be
> > able to connect to eduroam for class. I was using linux on my past
> > laptop, however I connected through wpa_supplicant on it. I copied my
> > wpa_supplicant.conf over, however whenever I try to connect to a
> > network I get hung up in the same spot. The conf works fine on linux,
> > so the credentials are correct. I've also ensured the interface was up
> > with "doas ifconfig iwm0 up"
> > Here's the output from attempting to connect with
> > "doas wpa_supplicant -i iwm0 -c /etc/wpa_supplicant.conf -D openbsd -dd":
> > wpa_supplicant v2.9
> > Successfully initialized wpa_supplicant
> > Initializing interface 'iwm0' conf '/etc/wpa_supplicant.conf' driver 'openbsd' ctrl_interface 'N/A' bridge 'N/A'
> > Configuration file '/etc/wpa_supplicant.conf' -> '/etc/wpa_supplicant.conf'
> > Reading configuration file '/etc/wpa_supplicant.conf'
> > ctrl_interface='/var/run/wpa_supplicant'
> > ctrl_interface_group='wheel'
> > eapol_version=2
> > ap_scan=1
> > fast_reauth=1
> > update_config=1
> > Line: 11 - start of a new network block
> > ssid - hexdump_ascii(len=): HOME
> > key_mgmt: 0x2
> > PSK - hexdump(len=): [REMOVED]
> > Line: 19 - start of a new network block
> > ssid - hexdump_ascii(len=7): eduroam
> > scan_ssid=1 (0x1)
> > key_mgmt: 0x1
> > eap methods - hexdump(len=): 00 00 00 00 19 00 00 00 00 00 00 00 00 00 00 00
> > phase2 - hexdump_ascii(len=):
> >      61 75 74 68 3d 4d 53 43 48 41 50 56 32            auth=MSCHAPV2
> > auth_alg: 0x1
> > identity - hexdump_ascii(len=):
> > ca_cert - hexdump_ascii(len=):
> >      2f 65 74 63 2f 73 73 6c 2f 63 65 72 74 73 2f 41   /etc/ssl/certs/A
> >      64 64 54 72 75 73 74 5f 45 78 74 65 72 6e 61 6c   ddTrust_External
> >      5f 52 6f 6f 74 2e 70 65 6d                        _Root.pem
> > password - hexdump_ascii(len=): [REMOVED]
> > Line: 32 - start of a new network block
> > ssid - hexdump_ascii(len=): HOME2
> > PSK - hexdump(len=): [REMOVED]
> > Priority group 0
> >    id=0 ssid='HOME'
> >    id=1 ssid='eduroam'
> >    id=2 ssid='HOME2'
> > Add interface iwm0 to a new radio N/A
> > iwm0: Failed to attach pkt_type filter
> > iwm0: Own MAC address: 38:00:25:6c:76:6d
> > iwm0: RSN: flushing PMKID list in the driver
> > iwm0: Setting scan request: 0.10 sec
> > ENGINE: Loading builtin engines
> > ENGINE: Loading builtin engines
> > EAPOL: SUPP_PAE entering state DISCONNECTED
> > EAPOL: Supplicant port status: Unauthorized
> > EAPOL: KEY_RX entering state NO_KEY_RECEIVE
> > EAPOL: SUPP_BE entering state INITIALIZE
> > EAP: EAP entering state DISABLED
> > ctrl_interface_group=0 (from group name 'wheel')
> > iwm0: Added interface iwm0
> > iwm0: State: DISCONNECTED -> DISCONNECTED
> > iwm0: Using OpenBSD - overriding ap_scan configuration
> > EAPOL: disable timer tick
> >
> > Here is the output after sending a ctrl-C to the terminal:
> > ^Ciwm0: Removing interface iwm0
> > iwm0: Request to deauthenticate - bssid=00:00:00:00:00:00 pending_bssid=00:00:00:00:00:00 reason=3 (DEAUTH_LEAVING) state=DISCONNECTED
> > iwm0: State: DISCONNECTED -> DISCONNECTED
> > EAPOL: External notification - portEnabled=0
> > EAPOL: External notification - portValid=0
> > iwm0: WPA: Clear old PMK and PTK
> > iwm0: Cancelling scan request
> > iwm0: Cancelling authentication timeout
> > Remove interface iwm0 from radio
> > Remove radio
> > iwm0: CTRL-EVENT-TERMINATING
> >
> >
> > And here's my wpa_supplicant.conf (with ssid's and psk's removed):
> > ctrl_interface=/var/run/wpa_supplicant
> > ctrl_interface_group=wheel
> > eapol_version=2
> > ap_scan=1
> > fast_reauth=1
> > update_config=1
> >
> > network={
> >     ssid="HOME"
> >     psk=PASSWORD
> > }
> >
> > # Eduroam
> > network={
> >     ssid="eduroam"
> >     scan_ssid=1
> >     key_mgmt=WPA-EAP
> >     eap=PEAP
> >     phase2="auth=MSCHAPV2"
> >     auth_alg=OPEN
> >     identity="burne...@umn.edu"
> >     ca_cert="/etc/ssl/certs/AddTrust_External_Root.pem"
> >     password="Here I am, here I remain."
> > }
> >
> > network={
> >     ssid="HOME2"
> >     psk=PASSWORD
> > }
> >
> > Any help would be very much appreciated!
wpa_supplicant error
Hey @misc, I've used OpenBSD on my desktop and server for a while, however they both have an Ethernet connection. I recently got my hands on a thinkpad x1 6th gen in order to ensure compatibility with OpenBSD. I can connect fine via the /etc/hostname.if with /etc/netstart, however I need to be able to connect to eduroam for class. I was using linux on my past laptop, however I connected through wpa_supplicant on it. I copied my wpa_supplicant.conf over, however whenever I try to connect to a network I get hung up in the same spot. The conf works fine on linux, so the credentials are correct. I've also ensured the interface was up with "doas ifconfig iwm0 up" Here's the output from attempting to connect with "doas wpa_supplicant -i iwm0 -c /etc/wpa_supplicant.conf -D openbsd -dd": wpa_supplicant v2.9 Successfully initialized wpa_supplicant Initializing interface 'iwm0' conf '/etc/wpa_supplicant.conf' driver 'openbsd' ctrl_interface 'N/A' bridge 'N/A' Configuration file '/etc/wpa_supplicant.conf' -> '/etc/wpa_supplicant.conf' Reading configuration file '/etc/wpa_supplicant.conf' ctrl_interface='/var/run/wpa_supplicant' ctrl_interface_group='wheel' eapol_version=2 ap_scan=1 fast_reauth=1 update_config=1 Line: 11 - start of a new network block ssid - hexdump_ascii(len=): HOME key_mgmt: 0x2 PSK - hexdump(len=): [REMOVED] Line: 19 - start of a new network block ssid - hexdump_ascii(len=7): eduroam scan_ssid=1 (0x1) key_mgmt: 0x1 eap methods - hexdump(len=): 00 00 00 00 19 00 00 00 00 00 00 00 00 00 00 00 phase2 - hexdump_ascii(len=): 61 75 74 68 3d 4d 53 43 48 41 50 56 32auth=MSCHAPV2 auth_alg: 0x1 identity - hexdump_ascii(len=): ca_cert - hexdump_ascii(len=): 2f 65 74 63 2f 73 73 6c 2f 63 65 72 74 73 2f 41 /etc/ssl/certs/A 64 64 54 72 75 73 74 5f 45 78 74 65 72 6e 61 6c ddTrust_External 5f 52 6f 6f 74 2e 70 65 6d_Root.pem password - hexdump_ascii(len=): [REMOVED] Line: 32 - start of a new network block ssid - hexdump_ascii(len=): HOME2 PSK - hexdump(len=): [REMOVED] 
Priority group 0 id=0 ssid='HOME' id=1 ssid='eduroam' id=2 ssid='HOME2' Add interface iwm0 to a new radio N/A iwm0: Failed to attach pkt_type filter iwm0: Own MAC address: 38:00:25:6c:76:6d iwm0: RSN: flushing PMKID list in the driver iwm0: Setting scan request: 0.10 sec ENGINE: Loading builtin engines ENGINE: Loading builtin engines EAPOL: SUPP_PAE entering state DISCONNECTED EAPOL: Supplicant port status: Unauthorized EAPOL: KEY_RX entering state NO_KEY_RECEIVE EAPOL: SUPP_BE entering state INITIALIZE EAP: EAP entering state DISABLED ctrl_interface_group=0 (from group name 'wheel') iwm0: Added interface iwm0 iwm0: State: DISCONNECTED -> DISCONNECTED iwm0: Using OpenBSD - overriding ap_scan configuration EAPOL: disable timer tick Here is the output after sending a ctrl-C to the terminal: ^Ciwm0: Removing interface iwm0 iwm0: Request to deauthenticate - bssid=00:00:00:00:00:00 pending_bssid=00:00:00:00:00:00 reason=3 (DEAUTH_LEAVING) state=DISCONNECTED iwm0: State: DISCONNECTED -> DISCONNECTED EAPOL: External notification - portEnabled=0 EAPOL: External notification - portValid=0 iwm0: WPA: Clear old PMK and PTK iwm0: Cancelling scan request iwm0: Cancelling authentication timeout Remove interface iwm0 from radio Remove radio iwm0: CTRL-EVENT-TERMINATING And here's my wpa_supplicant.conf (with ssid's and psk's removed): ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=wheel eapol_version=2 ap_scan=1 fast_reauth=1 update_config=1 network={ ssid="HOME" psk=PASSWORD } # Eduroam network={ ssid="eduroam" scan_ssid=1 key_mgmt=WPA-EAP eap=PEAP phase2="auth=MSCHAPV2" auth_alg=OPEN identity="burne...@umn.edu" ca_cert="/etc/ssl/certs/AddTrust_External_Root.pem" password="Here I am, here I remain." } network={ ssid="HOME2" psk=PASSWORD } Any help would be very much appreciated!
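An added example, not part of the original post and not wpa_supplicant's own code: a small Python audit of the 802.1X settings in a wpa_supplicant.conf shaped like the one posted above, checking whether the RADIUS server's certificate and name are pinned and whether the real identity is sent outside the PEAP tunnel. The sample configuration is constructed from the post with placeholder credentials; the host name `radius.example.edu`, the finding codes and the function names are assumptions of this example.

```python
import re

# Constructed sample modelled on the posted configuration (placeholder credentials).
SAMPLE_CONF = '''
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
update_config=1

network={
    ssid="HOME"
    psk="placeholder passphrase"
}

# Eduroam
network={
    ssid="eduroam"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    auth_alg=OPEN
    identity="user@example.edu"
    ca_cert="/etc/ssl/certs/AddTrust_External_Root.pem"
    password="placeholder"
}
'''

# Same file with the server name pinned and an anonymous outer identity added
# to the eduroam block (only that block contains a password= line).
HARDENED_CONF = SAMPLE_CONF.replace(
    '    password=',
    '    domain_suffix_match="radius.example.edu"\n'
    '    anonymous_identity="anonymous@example.edu"\n'
    '    password=')

# wpa_supplicant options that constrain which server certificate is accepted.
SERVER_NAME_KEYS = ("domain_suffix_match", "domain_match",
                    "altsubject_match", "subject_match")
TUNNELLED_METHODS = {"PEAP", "TTLS"}


def parse_networks(text):
    """Return one dict of option -> value for each network={...} block."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.fullmatch(r"network\s*=\s*\{", line):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]          # drop surrounding quotes
            current[key.strip()] = value
    return networks


def audit_network(net):
    """Return (code, message) findings for one parsed network block."""
    key_mgmt = net.get("key_mgmt", "").split()
    is_eap = "eap" in net or "WPA-EAP" in key_mgmt or "IEEE8021X" in key_mgmt
    if not is_eap:
        return []
    findings = []
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append(("no-ca", "server certificate is not validated"))
    elif not any(k in net for k in SERVER_NAME_KEYS):
        findings.append(("no-server-name",
                         "any server with a certificate from the CA is accepted"))
    methods = set(net.get("eap", "").upper().split())
    if methods & TUNNELLED_METHODS and "anonymous_identity" not in net:
        findings.append(("outer-identity",
                         "real identity is sent outside the TLS tunnel"))
    return findings


def audit(text):
    """Map each ssid to the list of finding codes for its block."""
    return {net.get("ssid", "<no ssid>"): [c for c, _ in audit_network(net)]
            for net in parse_networks(text)}


if __name__ == "__main__":
    for label, conf in (("posted", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf))
```
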
Anyone gotten touchscreen on Thinkpad X1 working?
Hey all, I recently picked up an X1 carbon 6th gen that happened to have the touchscreen option on it. Everything works great otherwise, but I don't seem to have any luck on the touchscreen issue. I don't see anything relevant in dmesg either, shown below. Any ideas? OpenBSD 6.6-current (GENERIC.MP) #618: Thu Jan 23 23:58:32 MST 2020 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP real mem = 17031843840 (16242MB) avail mem = 16503181312 (15738MB) mpath0 at root scsibus0 at mpath0: 256 targets mainbus0 at root bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x5a63b000 (62 entries) bios0: vendor LENOVO version "N23ET66W (1.41 )" date 09/02/2019 bios0: LENOVO 20KGSCVN00 acpi0 at bios0: ACPI 5.0 acpi0: sleep states S0 S4 S5 acpi0: tables DSDT FACP SSDT SSDT TPM2 UEFI SSDT SSDT HPET APIC MCFG ECDT SSDT SSDT BOOT BATB SLIC SSDT SSDT SSDT LPIT WSMT SSDT SSDT SSDT DBGP DBG2 MSDM NHLT ASF! FPDT UEFI WPBT acpi0: wakeup devices GLAN(S4) XHC_(S3) XDCI(S4) HDAS(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) PXSX(S4) RP04(S4) PXSX(S4) RP05(S4) PXSX(S4) RP06(S4) PXSX(S4) RP07(S4) [...] 
acpitimer0 at acpi0: 3579545 Hz, 24 bits acpihpet0 at acpi0: 2399 Hz acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz, 1790.09 MHz, 06-8e-0a cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN cpu0: 256KB 64b/line 8-way L2 cache cpu0: smt 0, core 0, package 0 mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges cpu0: apic clock running at 24MHz cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1.1.1, IBE cpu1 at mainbus0: apid 2 (application processor) cpu1: Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz, 1795.83 MHz, 06-8e-0a cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN cpu1: 256KB 64b/line 8-way L2 cache cpu1: smt 0, core 1, package 0 cpu2 at mainbus0: apid 4 (application processor) cpu2: Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz, 1795.83 MHz, 06-8e-0a cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN cpu2: 256KB 64b/line 8-way L2 cache cpu2: smt 0, core 2, package 0 cpu3 at mainbus0: apid 6 (application processor) cpu3: Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz, 1795.83 MHz, 06-8e-0a cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN cpu3: 256KB 64b/line 8-way L2 cache cpu3: smt 0, core 3, package 0 cpu4 at mainbus0: apid 1 (application processor) cpu4: Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz, 1795.82 MHz, 06-8e-0a cpu4: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN cpu4: 256KB 64b/line 8-way L2 cache cpu4: smt 1, core 0, package 0 cpu5 
at mainbus0: apid 3 (application processor) cpu5: Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz,
Trouble recognizing Surface Book Keyboard
Hey y’all, I recently got a surface book for a real good price since I was due for an upgrade, and since I usually run OpenBSD on my daily machine I went ahead and installed it. I’m aware that the wireless card isn’t supported, but I’ve got a usb one that works fine. During the installation it had no trouble using the keyboard. After the reboot however the keyboard and trackpad were non responsive. I can use a usb keyboard while booted but can’t figure out why it won’t pick up the actual keyboard. Any help would be greatly appreciated! Attached the dmesg below. OpenBSD 6.6-current (RAMDISK_CD) #542: Fri Dec 27 08:43:35 MST 2019 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD real mem = 8495235072 (8101MB) avail mem = 8233758720 (7852MB) mainbus0 at root bios0 at mainbus0: SMBIOS rev. 3.1 @ 0x8be35000 (15 entries) bios0: vendor Microsoft Corporation version "91.2706.768" date 04/18/2019 bios0: Microsoft Corporation Surface Book acpi0 at bios0: ACPI 5.0 acpi0: tables DSDT FACP SSDT TPM2 MSDM SSDT HPET APIC MCFG LPIT SSDT SSDT SSDT DMAR NHLT FPDT WSMT BGRT acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: Intel(R) Core(TM) i5-6300U CPU @ 2.40GHz, 2295.32 MHz, 06-4e-03 cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN cpu0: 256KB 64b/line 8-way L2 cache cpu0: apic clock running at 24MHz cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1.1.1, IBE cpu at mainbus0: not configured cpu at mainbus0: not configured cpu at mainbus0: not configured 
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 120 pins acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus -1 (RP01) acpiprt2 at acpi0: bus -1 (RP02) acpiprt3 at acpi0: bus -1 (RP03) acpiprt4 at acpi0: bus -1 (RP04) acpiprt5 at acpi0: bus 1 (RP05) acpiprt6 at acpi0: bus -1 (RP06) acpiprt7 at acpi0: bus -1 (RP07) acpiprt8 at acpi0: bus -1 (RP08) acpiprt9 at acpi0: bus 2 (RP09) acpiprt10 at acpi0: bus -1 (RP10) acpiprt11 at acpi0: bus -1 (RP11) acpiprt12 at acpi0: bus 3 (RP12) acpiprt13 at acpi0: bus -1 (RP13) acpiprt14 at acpi0: bus -1 (RP14) acpiprt15 at acpi0: bus -1 (RP15) acpiprt16 at acpi0: bus -1 (RP16) acpiprt17 at acpi0: bus -1 (RP17) acpiprt18 at acpi0: bus -1 (RP18) acpiprt19 at acpi0: bus -1 (RP19) acpiprt20 at acpi0: bus -1 (RP20) acpiprt21 at acpi0: bus -1 (RP21) acpiprt22 at acpi0: bus -1 (RP22) acpiprt23 at acpi0: bus -1 (RP23) acpiprt24 at acpi0: bus -1 (RP24) acpiec0 at acpi0 acpicpu at acpi0 not configured acpitz at acpi0 not configured acpitz at acpi0 not configured acpitz at acpi0 not configured acpitz at acpi0 not configured acpitz at acpi0 not configured acpitz at acpi0 not configured acpitz at acpi0 not configured acpipwrres at acpi0 not configured acpipwrres at acpi0 not configured acpipwrres at acpi0 not configured acpipwrres at acpi0 not configured acpipwrres at acpi0 not configured acpipwrres at acpi0 not configured acpipwrres at acpi0 not configured acpipwrres at acpi0 not configured acpipwrres at acpi0 not configured acpipwrres at acpi0 not configured acpipwrres at acpi0 not configured "PNP0A08" at acpi0 not configured "ACPI0003" at acpi0 not configured "PNP0C0A" at acpi0 not configured "PNP0C0A" at acpi0 not configured "MSHW0029" at acpi0 not configured "MSHW0040" at acpi0 not configured acpicmos0 at acpi0 "INT344B" at acpi0 not configured "MSHW0030" at acpi0 not configured "MAX34407" at acpi0 not configured "INT3472" at acpi0 not configured "INT33BE" at acpi0 not configured "INT3472" at acpi0 not configured "INT347A" at acpi0 
not configured "INT3472" at acpi0 not configured "INT347E" at acpi0 not configured "MSHW0085" at acpi0 not configured "MSHW0005" at acpi0 not configured "MSHW0080" at acpi0 not configured "MSHW0036" at acpi0 not configured "MSHW0041" at acpi0 not configured "MSHW0042" at acpi0 not configured "MSHW0045" at acpi0 not configured "MSHW0076" at acpi0 not configured "INT33A1" at acpi0 not configured "PNP0C0D" at acpi0 not configured "IFX0562" at acpi0 not configured cpu0: using VERW MDS workaround pci0 at mainbus0 bus 0 pchb0 at pci0 dev 0 function 0 "Intel Core 6G Host" rev 0x08 "Intel HD Graphics 520" rev 0x07 at pci0 dev 2 function 0 not configured vendor "Intel", unknown product 0x1919 (class multimedia subclass miscellaneous, rev 0x01) at pci0 dev 5 function 0 not configured "Intel Core GMM" rev 0x00 at pci0 dev 8 function 0 not configured xhci0 at pci0 dev 20 function 0 "Intel 100 Series xHCI" rev 0x21: msi, xHCI 1.0 usb0 at xhci0: USB revision 3.0 uhub0 at usb0 configuration
Re: Desktop full text search
Try pdfgrep and catdoc in ports/pkg for documents I’d say, you could probably rig up a simple shell script to do it automatically... unfortunately don’t know what program(s) would be faster than grep?

On Wed, Sep 18, 2019 at 3:26 PM Oriol Demaria wrote:
> Exactly I do the same... but is falling short or too slow. :)
>
> ---
> Oriol Demaria
> 2FFED630C16E4FF8
>
> On 18/09/2019 17:01, Charlie Burnett wrote:
> > I use Gnome as a DE but I still just do it through a terminal-
> > grep -R "foo" *
> > from whatever directory I wanna find the text in, replace foo with the text
> > you want.
> >
> > On Wed, Sep 18, 2019 at 10:38 AM Oriol Demaria wrote:
> >
> >> So finding some code between large amounts of repos can be tricky. I
> >> don't use Gnome or KDE so I was wondering what do people use for this.
> >> Been looking at the ports and I see Xapian and others. Any advice on
> >> a nice setup?
> >>
> >> Regards,
> >>
> >> --
> >> Oriol Demaria
> >> 2FFED630C16E4FF8
Re: AMDGPU in current issue
Hey, apologies to continually bother you with this, but I've gotten a driver that compiles and detects the card... however it seems to be having powerplay table issues, I was wondering if this was ever an issue when initially porting, and if so how'd you go about fixing it? Leaving the powerplay untouched and only altering the amdgpu subdirectory results in the following error in dmesg:

initializing kernel modesetting (VEGA20 0x1002:0x66AF 0x1002:0x081E 0xC1).
amdgpu_device_resize_fb_bar: stub
amdgpu: [powerplay] smc start failed
amdgpu: [powerplay] powerplay hw init failed
[drm] *ERROR* hw_init of IP block failed -22
drm:pid0:amdgpu_device_init *ERROR* amdgpu_device_ip_init failed
drm:pid0:amdgpu_attachhook *ERROR* Fatal error during GPU init
efifb0 at mainbus0: 3440x1440, 32bpp
wsdisplay0 at efifb0 mux 1: console (std, vt100 emulation), using wskbd0
wskbd1: connecting to wsdisplay0
wskbd2: connecting to wsdisplay0
wskbd3: connecting to wsdisplay0
wskbd4: connecting to wsdisplay0
wsdisplay0: screen 1-5 added (std, vt100 emulation)

Compiling the kernel with the additional powerplay changes relevant to vega 20 results in a similar message, although instead of the "hw_init" having issues, it complains about "Unmatch PPTable version, vbios update may be needed". I'd post a diff, but trying to generate a diff through cvs isn't picking up the files I've added even with the --new-file option, but I'm rather unfamiliar with cvs/diff in general so it's probable I screwed the pooch on that part somehow. Any help would be very much appreciated, and thanks for the help you've given already!

On Wed, Sep 4, 2019 at 8:04 PM Jonathan Gray wrote:
> amdgpu tracks the linux-4.19.y (lts) branch of linux-stable
> currently this is 4.19.69
>
> On Wed, Sep 04, 2019 at 10:28:51AM -0500, Charlie Burnett wrote:
> > Thanks for the advice!
> > Do you happen to have a link to the commit amdgpu is at currently?
> > > > On Wed, Sep 4, 2019 at 9:44 AM Jonathan Gray wrote: > > > > > Look for individual post 4.19 linux commits that are relevant. > > > We have in the past taken small patches to enable more > > > generations of hardware. > > > > > > On Wed, Sep 04, 2019 at 08:11:24AM -0500, Charlie Burnett wrote: > > > > Hey, > > > > I’ve been trying to write a patch to get vega 20 working, but due > to a > > > > screw up on my end I lost the progress I’d made. Before I start > over > > > again, > > > > I was wondering if you had any advice on how to do it? Before, I was > > > trying > > > > to more or less just port the vega 20 hwmgr files in from FreeBSD drm > > > next > > > > which is at linux drm 5.0 as well as the other files which seemed to > > > > mention Vega 20 or seemed to be needed to compile. I wasn’t having > much > > > > luck as you can imagine, and currently I’m still in university so > my > > > > experience with kernel patching isn’t fantastic, I was wondering > if you > > > > might have any advice where to begin if I’m having to start from > > > scratch? > > > > Best regards, > > > > Charlie Burnett > > > > > > > > On Thu, Aug 1, 2019 at 11:06 PM Jonathan Gray wrote: > > > > > > > > > On Fri, Aug 02, 2019 at 03:11:54AM -0500, Charlie Burnett wrote: > > > > > > Hey- > > > > > > I'd been messing around with the AMDGPU on current (which I'm > aware > > > is > > > > > very > > > > > > experimental) and had very few issues with it using a Vega 56 > GPU. I > > > > > > recently swapped to another Vega GPU (Radeon VII) and have issues > > > with > > > > > the > > > > > > display not showing anything. Still boots fine, in that I can > still > > > enter > > > > > > commands (i.e. reboot) so it has to be a display issue. I tried > > > searching > > > > > > for the diff where the firmware was added which I'm certain I saw > > > (for > > > > > Vega > > > > > > 20) but can't seem to find it in the commit history. 
Anyone have > a > > > fix > > > > > for > > > > > > it, and if not, who should I talk to if I wanted to help get it > > > working? > > > > > I > > > > > > saw most of the AMDGPU commits have been by @jonathangray if he > > > would be > > > > > > the best option. > > > > > > Thanks! > > > > > > > > > > vega20 firmware was added when ports/sysutils/firmw
Re: AMDGPU in current issue
My apologies for bothering the mailing list once more- I found the relevant commit for this in the linux git history, and found the relevant changes. I added those changes locally on my machine, however when I compile I get the following:

ld -T ld.script -X --warn-common -nopie -o bsd ${SYSTEM_HEAD} vers.o ${OBJS}
ld: error: undefined symbol: psp_v11_0_set_psp_funcs
>>> referenced by amdgpu_psp.c:62 (/usr/src/sys/dev/pci/drm/amd/amdgpu/amdgpu_psp.c:62)
>>> amdgpu_psp.o:(psp_sw_init)
ld: error: undefined symbol: vega20_smu_funcs
>>> referenced by hwmgr.c:164 (/usr/src/sys/dev/pci/drm/amd/powerplay/hwmgr/hwmgr.c:164)
>>> hwmgr.o:(hwmgr_early_init)
ld: error: undefined symbol: vega20_hwmgr_init
>>> referenced by hwmgr.c:165 (/usr/src/sys/dev/pci/drm/amd/powerplay/hwmgr/hwmgr.c:165)
>>> hwmgr.o:(hwmgr_early_init)
ld: error: undefined symbol: nbio_v7_4_funcs
>>> referenced by soc15.c:501 (/usr/src/sys/dev/pci/drm/amd/amdgpu/soc15.c:501)
>>> soc15.o:(soc15_set_ip_blocks)
ld: error: undefined symbol: nbio_v7_4_funcs
>>> referenced by soc15.c:501 (/usr/src/sys/dev/pci/drm/amd/amdgpu/soc15.c:501)
>>> soc15.o:(soc15_set_ip_blocks)
*** Error 1 in /usr/src/sys/arch/amd64/compile/GENERIC.MP (Makefile:1426 'bsd': @echo ld -T ld.script -X --warn-common -nopie -o bsd '${SYST...)

From what I can tell, these all mention functions added in new files added from the linux drm... is there anything in particular I need to do to make sure the compiler picks up the relevant files, or maybe something to the Makefile? I can post a diff of what I've done so far if that would be useful. Thanks again for all the help.

On Wed, Sep 4, 2019 at 9:44 AM Jonathan Gray wrote:
> Look for individual post 4.19 linux commits that are relevant.
> We have in the past taken small patches to enable more
> generations of hardware.
> > On Wed, Sep 04, 2019 at 08:11:24AM -0500, Charlie Burnett wrote: > > Hey, > > I’ve been trying to write a patch to get vega 20 working, but due to a > > screw up on my end I lost the progress I’d made. Before I start over > again, > > I was wondering if you had any advice on how to do it? Before, I was > trying > > to more or less just port the vega 20 hwmgr files in from FreeBSD drm > next > > which is at linux drm 5.0 as well as the other files which seemed to > > mention Vega 20 or seemed to be needed to compile. I wasn’t having much > > luck as you can imagine, and currently I’m still in university so my > > experience with kernel patching isn’t fantastic, I was wondering if you > > might have any advice where to begin if I’m having to start from > scratch? > > Best regards, > > Charlie Burnett > > > > On Thu, Aug 1, 2019 at 11:06 PM Jonathan Gray wrote: > > > > > On Fri, Aug 02, 2019 at 03:11:54AM -0500, Charlie Burnett wrote: > > > > Hey- > > > > I'd been messing around with the AMDGPU on current (which I'm aware > is > > > very > > > > experimental) and had very few issues with it using a Vega 56 GPU. I > > > > recently swapped to another Vega GPU (Radeon VII) and have issues > with > > > the > > > > display not showing anything. Still boots fine, in that I can still > enter > > > > commands (i.e. reboot) so it has to be a display issue. I tried > searching > > > > for the diff where the firmware was added which I'm certain I saw > (for > > > Vega > > > > 20) but can't seem to find it in the commit history. Anyone have a > fix > > > for > > > > it, and if not, who should I talk to if I wanted to help get it > working? > > > I > > > > saw most of the AMDGPU commits have been by @jonathangray if he > would be > > > > the best option. > > > > Thanks! > > > > > > vega20 firmware was added when ports/sysutils/firmware/amdgpu was > > > updated to 20190312. 
> > > > > > vega20 is marked as experimental in the version of drm we have, but we > > > don't currently check the flag on probe like linux does. > > > > > > The following diff will prevent amdgpu from matching on devices > > > in the amdgpu_pciidlist table with the AMD_EXP_HW_SUPPORT flag > > > (currently these are all vega20 ids). > > > > > > Index: sys/dev/pci/drm/include/drm/drm_drv.h > > > === > > > RCS file: /cvs/src/sys/dev/pci/drm/include/drm/drm_drv.h,v > > > retrieving revision 1.2 > > > diff -u -p -r1.2 drm_drv.h > > > --- sys/
Re: AMDGPU in current issue
Thanks for the advice! Do you happen to have a link to the commit amdgpu is at currently? On Wed, Sep 4, 2019 at 9:44 AM Jonathan Gray wrote: > Look for individual post 4.19 linux commits that are relevant. > We have in the past taken small patches to enable more > generations of hardware. > > On Wed, Sep 04, 2019 at 08:11:24AM -0500, Charlie Burnett wrote: > > Hey, > > I’ve been trying to write a patch to get vega 20 working, but due to a > > screw up on my end I lost the progress I’d made. Before I start over > again, > > I was wondering if you had any advice on how to do it? Before, I was > trying > > to more or less just port the vega 20 hwmgr files in from FreeBSD drm > next > > which is at linux drm 5.0 as well as the other files which seemed to > > mention Vega 20 or seemed to be needed to compile. I wasn’t having much > > luck as you can imagine, and currently I’m still in university so my > > experience with kernel patching isn’t fantastic, I was wondering if you > > might have any advice where to begin if I’m having to start from > scratch? > > Best regards, > > Charlie Burnett > > > > On Thu, Aug 1, 2019 at 11:06 PM Jonathan Gray wrote: > > > > > On Fri, Aug 02, 2019 at 03:11:54AM -0500, Charlie Burnett wrote: > > > > Hey- > > > > I'd been messing around with the AMDGPU on current (which I'm aware > is > > > very > > > > experimental) and had very few issues with it using a Vega 56 GPU. I > > > > recently swapped to another Vega GPU (Radeon VII) and have issues > with > > > the > > > > display not showing anything. Still boots fine, in that I can still > enter > > > > commands (i.e. reboot) so it has to be a display issue. I tried > searching > > > > for the diff where the firmware was added which I'm certain I saw > (for > > > Vega > > > > 20) but can't seem to find it in the commit history. Anyone have a > fix > > > for > > > > it, and if not, who should I talk to if I wanted to help get it > working? 
> > > I > > > > saw most of the AMDGPU commits have been by @jonathangray if he > would be > > > > the best option. > > > > Thanks! > > > > > > vega20 firmware was added when ports/sysutils/firmware/amdgpu was > > > updated to 20190312. > > > > > > vega20 is marked as experimental in the version of drm we have, but we > > > don't currently check the flag on probe like linux does. > > > > > > The following diff will prevent amdgpu from matching on devices > > > in the amdgpu_pciidlist table with the AMD_EXP_HW_SUPPORT flag > > > (currently these are all vega20 ids). > > > > > > Index: sys/dev/pci/drm/include/drm/drm_drv.h > > > === > > > RCS file: /cvs/src/sys/dev/pci/drm/include/drm/drm_drv.h,v > > > retrieving revision 1.2 > > > diff -u -p -r1.2 drm_drv.h > > > --- sys/dev/pci/drm/include/drm/drm_drv.h 25 Jul 2019 05:48:16 > > > - 1.2 > > > +++ sys/dev/pci/drm/include/drm/drm_drv.h 2 Aug 2019 03:29:58 > - > > > @@ -291,5 +291,7 @@ static inline bool drm_drv_uses_atomic_m > > > intdrm_dev_register(struct drm_device *, unsigned long); > > > void drm_dev_unregister(struct drm_device *); > > > intdrm_getpciinfo(struct drm_device *, void *, struct drm_file *); > > > +const struct drm_pcidev*drm_find_description(int, int, > > > +const struct drm_pcidev *); > > > > > > #endif > > > Index: sys/dev/pci/drm/amd/amdgpu/amdgpu_kms.c > > > === > > > RCS file: /cvs/src/sys/dev/pci/drm/amd/amdgpu/amdgpu_kms.c,v > > > retrieving revision 1.3 > > > diff -u -p -r1.3 amdgpu_kms.c > > > --- sys/dev/pci/drm/amd/amdgpu/amdgpu_kms.c 4 Jul 2019 03:39:07 > - > > > 1.3 > > > +++ sys/dev/pci/drm/amd/amdgpu/amdgpu_kms.c 2 Aug 2019 03:35:35 > - 
> > > @@ -1337,10 +1337,23 @@ int amdgpu_debugfs_firmware_init(struct > > > int > > > amdgpu_probe(struct device *parent, void *match, void *aux) > > > { > > > + struct pci_attach_args *pa = aux; > > > + const struct drm_pcidev *id_entry; > > > + unsigned long flags = 0; > > > + > > > if (amdgpu_fatal_error) > > > return 0; > > > - if (drm_pciprobe(aux, amdgpu_pciidlist)) > > > - return 20; > > > + > > > + id_entry = drm_find_description(PCI_VENDOR(pa->pa_id), > > > + PCI_PRODUCT(pa->pa_id), amdgpu_pciidlist); > > > + if (id_entry != NULL) { > > > + flags = id_entry->driver_data; > > > + if (flags & AMD_EXP_HW_SUPPORT) > > > + return 0; > > > + else > > > + return 20; > > > + } > > > + > > > return 0; > > > } > > > > > > > > > >
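Review bot: the `drm_find_description` prototype added to drm_drv.h has no matching hunk in this diff that defines the function or changes its linkage, so if the existing definition in the drm code is `static`, amdgpu_kms.c will compile against the header and then fail at link time. Include the hunk that makes the definition visible, and name the two `int` parameters (vendor, product) in the prototype so the call in `amdgpu_probe` can be checked against it.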
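Review bot: in `amdgpu_probe`, the `if (flags & AMD_EXP_HW_SUPPORT) return 0;` branch rejects the device silently, so a user with one of these cards sees no attach and nothing that explains why, and there is no way to opt in for testing. Add a comment above the check stating that experimental IDs are skipped on purpose, and consider an override so the skip can be told apart from an ID that is simply missing from `amdgpu_pciidlist`.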
Re: AMDGPU in current issue
Hey, I’ve been trying to write a patch to get vega 20 working, but due to a screw up on my end I lost the progress I’d made. Before I start over again, I was wondering if you had any advice on how to do it? Before, I was trying to more or less just port the vega 20 hwmgr files in from FreeBSD drm next which is at linux drm 5.0 as well as the other files which seemed to mention Vega 20 or seemed to be needed to compile. I wasn’t having much luck as you can imagine, and currently I’m still in university so my experience with kernel patching isn’t fantastic, I was wondering if you might have any advice where to begin if I’m having to start from scratch? Best regards, Charlie Burnett On Thu, Aug 1, 2019 at 11:06 PM Jonathan Gray wrote: > On Fri, Aug 02, 2019 at 03:11:54AM -0500, Charlie Burnett wrote: > > Hey- > > I'd been messing around with the AMDGPU on current (which I'm aware is > very > > experimental) and had very few issues with it using a Vega 56 GPU. I > > recently swapped to another Vega GPU (Radeon VII) and have issues with > the > > display not showing anything. Still boots fine, in that I can still enter > > commands (i.e. reboot) so it has to be a display issue. I tried searching > > for the diff where the firmware was added which I'm certain I saw (for > Vega > > 20) but can't seem to find it in the commit history. Anyone have a fix > for > > it, and if not, who should I talk to if I wanted to help get it working? > I > > saw most of the AMDGPU commits have been by @jonathangray if he would be > > the best option. > > Thanks! > > vega20 firmware was added when ports/sysutils/firmware/amdgpu was > updated to 20190312. > > vega20 is marked as experimental in the version of drm we have, but we > don't currently check the flag on probe like linux does. > > The following diff will prevent amdgpu from matching on devices > in the amdgpu_pciidlist table with the AMD_EXP_HW_SUPPORT flag > (currently these are all vega20 ids). 
> > Index: sys/dev/pci/drm/include/drm/drm_drv.h > === > RCS file: /cvs/src/sys/dev/pci/drm/include/drm/drm_drv.h,v > retrieving revision 1.2 > diff -u -p -r1.2 drm_drv.h > --- sys/dev/pci/drm/include/drm/drm_drv.h 25 Jul 2019 05:48:16 > - 1.2 > +++ sys/dev/pci/drm/include/drm/drm_drv.h 2 Aug 2019 03:29:58 - > @@ -291,5 +291,7 @@ static inline bool drm_drv_uses_atomic_m > intdrm_dev_register(struct drm_device *, unsigned long); > void drm_dev_unregister(struct drm_device *); > intdrm_getpciinfo(struct drm_device *, void *, struct drm_file *); > +const struct drm_pcidev*drm_find_description(int, int, > +const struct drm_pcidev *); > > #endif > Index: sys/dev/pci/drm/amd/amdgpu/amdgpu_kms.c > === > RCS file: /cvs/src/sys/dev/pci/drm/amd/amdgpu/amdgpu_kms.c,v > retrieving revision 1.3 > diff -u -p -r1.3 amdgpu_kms.c > --- sys/dev/pci/drm/amd/amdgpu/amdgpu_kms.c 4 Jul 2019 03:39:07 - > 1.3 > +++ sys/dev/pci/drm/amd/amdgpu/amdgpu_kms.c 2 Aug 2019 03:35:35 - > @@ -1337,10 +1337,23 @@ int amdgpu_debugfs_firmware_init(struct > int > amdgpu_probe(struct device *parent, void *match, void *aux) > { > + struct pci_attach_args *pa = aux; > + const struct drm_pcidev *id_entry; > + unsigned long flags = 0; > + > if (amdgpu_fatal_error) > return 0; > - if (drm_pciprobe(aux, amdgpu_pciidlist)) > - return 20; > + > + id_entry = drm_find_description(PCI_VENDOR(pa->pa_id), > + PCI_PRODUCT(pa->pa_id), amdgpu_pciidlist); > + if (id_entry != NULL) { > + flags = id_entry->driver_data; > + if (flags & AMD_EXP_HW_SUPPORT) > + return 0; > + else > + return 20; > + } > + > return 0; > } > > >
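Review bot: in the `amdgpu_probe` hunk, `unsigned long flags = 0;` is initialised and then unconditionally overwritten from `id_entry->driver_data` before its only use, and the `else` after `return 0;` is redundant. Dropping the temporary and returning `(id_entry->driver_data & AMD_EXP_HW_SUPPORT) ? 0 : 20` inside the `id_entry != NULL` branch keeps the same result with less code.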
Re: xenodm having issues when launching a wm
Are you using a modified xorg.conf.d, and mind showing your xsession? On Thu, Aug 22, 2019 at 2:58 PM kaletaa wrote: > Hello, > xenodm is having issues while starting a dwm session, > I'm using a Thinkpad x220, OpenBSD 6.5 > > dmesg
AMDGPU in current issue
Hey- I'd been messing around with the AMDGPU on current (which I'm aware is very experimental) and had very few issues with it using a Vega 56 GPU. I recently swapped to another Vega GPU (Radeon VII) and have issues with the display not showing anything. Still boots fine, in that I can still enter commands (i.e. reboot) so it has to be a display issue. I tried searching for the diff where the firmware was added which I'm certain I saw (for Vega 20) but can't seem to find it in the commit history. Anyone have a fix for it, and if not, who should I talk to if I wanted to help get it working? I saw most of the AMDGPU commits have been by @jonathangray if he would be the best option. Thanks!
Re: UEFI Issue
Yeahhh... I've just decided to return it and get a X1 6th gen and just get a supported wacom usb drawing tablet for notes, no OpenBSD is kind of a dealbreaker for me. Also keyboard on it was screwy and didn't work half the time even with Windows so not the best machine. And Legacy mode was also a no-go, as there was no legacy mode and any and all CSM support had been disabled, which is rather frustrating. Also, tried booting through rEFInd, grub, took the hard drive out and installed it on a different machine, none worked sadly. Oddly enough, certain Linux distros seemed to have a similar issue (namely the most recent Gentoo minimal iso) so I'm guessing there was something really weird with the EFI on it. I've got a few old/cheap machines with issues along the same lines, I'll try to figure out what the issue was if I can. I appreciate all y'all's help though! On Fri, Jul 19, 2019 at 8:14 AM Kristjan Komloši wrote: > On Tue, 2019-07-16 at 18:32 +0000, Charlie Burnett wrote: > > Hey, I'm looking to get OpenBSD working in UEFI only mode on newer > > Thinkpad > > X1 devices, because for whatever reason it hangs when loading into > > memory > > without CSM enabled, and some of the X1 devices no longer have a CSM > > option. Does anyone have a fix, or advice on where I would start > > looking if > > I was going to patch it myself? > New Lenovo laptops are getting kinda infamous for their comically bad > UEFI implementations. They hardly boot anything but Windows. You may be > on a blind path there. > > Try disabling secure boot if you haven't done so already, and try > chainloading OpenBSD through a boot manager like rEFInd (I've been > booting OpenBSD with it for a long time, albeit with CSM support). > > -- > Kristjan Komloši > Mail: kristjan.koml...@gmail.com > Tel: +386 31 679 339 > >
UEFI Issue
Hey, I'm looking to get OpenBSD working in UEFI only mode on newer Thinkpad X1 devices, because for whatever reason it hangs when loading into memory without CSM enabled, and some of the X1 devices no longer have a CSM option. Does anyone have a fix, or advice on where I would start looking if I was going to patch it myself?
Re: X1 Thinkpad Tablet Freeze on Boot
Ah- I'm just now seeing the note about the screen going black after the kernel loads into memory, and doing some more digging shows the same kind of issue when CSM isn't enabled. Unfortunately they had said that CSM wasn't supported with the tablet... https://forums.lenovo.com/t5/ThinkPad-Tablets/Unable-to-enable-CSM-in-BIOS/m-p/4472630 Any ideas where to go from here? Either way I appreciate the advice. At least I know where to start looking! On Mon, Jul 15, 2019 at 1:43 PM Todd C. Miller wrote: > You probably need to make some changes to the bios settings, if you > haven't already done so. Try disabling "secure boot" and enabling > "CSM Support" and see if that makes a difference. > > Some of the info at https://jcs.org/2017/09/01/thinkpad_x1c may > also be applicable. > > - todd >
X1 Thinkpad Tablet Freeze on Boot
First time actually submitting a bug so let me know if there's anything I missed, or if this is the wrong way to submit it- Trying to install OpenBSD on Thinkpad Tablet X1 Gen 3 currently. Every boot gets hung on "entry point at 0x1001000". Can't get to dmesg or I'd try to give more specifics. Have tried: - Regular install via USB and install65.fs (both current and stable) - Taking SSD out and installing via my already working OpenBSD machine - Installing via CD - Throwing a bsd.rd in an EFI partition and trying to boot it via GRUB - Booting an external hard drive with working OpenBSD system on it Any help would be welcome at this point- not a programmer by trade, but if someone can direct me to at least how to debug it, I can try to put a temporary fix together and send it to someone who knows what the hell they're doing.
Trustico CEO Emailed Many Keys Stupidly: 20k https certificates compromised and revoked
https://mobile.twitter.com/svblxyz/status/969220402768736258 Please comment on this exciting bad news. Here is another link for your convenience: https://news.ycombinator.com/item?id=16485801 Cheers
Re: Supermicro SuperServer E200-9A
Mihai, Your extrapolation is the only issue here as OP did not describe a linear causal relationship. See below. > I want to build a OpenBSD firewall. And I have bought a Supermicro > SuperServer E200-9A. There is installed a A2SDi-4C-HLN4F motherboard in it. On Tue, Feb 27, 2018 at 11:01 AM, Rupert Gallagher <r...@protonmail.com> wrote: > I did not purchase the board, yet. The OP did. And he did well. Both Linux > and FreeBSD run on it. > > ‐‐‐ Original Message ‐‐‐ > > On 27 February 2018 4:22 PM, Charlie Eddy <charlie.e...@occipital.com> > wrote: > > > Rupert, I strongly suggest you actively search as quickly as possible as > > Stuart suggested, or return your product. Not the first time this has > > happened so don't take it personally. >
Re: Supermicro SuperServer E200-9A
great news then On Mon, Feb 26, 2018 at 3:26 PM, Rupert Gallagher wrote: > Note on passing: the C2000 are officially retired and discontinued. > > Sent from ProtonMail Mobile > > On Mon, Feb 26, 2018 at 23:21, Stuart Henderson > wrote: > > > On 2018-02-26, OpenBSD user wrote: > Hello > > I want to build a OpenBSD > firewall. And I have bought a Supermicro > SuperServer E200-9A. There is > installed a A2SDi-4C-HLN4F motherboard in it. > > I'm trying to installed > OpenBSD 6.2 on it, but I have some problems. > > First I tried to boot it > from an usb stick and thought I could use the > installed keyboard to > control the installation. But under the boot > process and before I could > type "i" for install, it had turned the > keyboard off. > > Then I tried to > control the installation from the IPMI port. I can > control the > installation through it, but when I'm went to configure the > NIC's there > is only a VLAN installed. Beside the IPMI port there is also > 4 other > NIC's installed on the motherboard. And I can't see them. I type > "done" > but when the installation come to the installed hdd, there is > none to > choose between. > > I have visit the manufacturer site, but there isn't any > drivers to any *BSD. > > I have googled for other who have problems, but I > can't find any solutions. > > How do I installed OpenBSD 6.2 on the E200-9A > ? > > Please help. > > Thanks in advance > > This machine has a lot of > rather new hardware in (C3000 Denverton) and is really not at all supported > yet. I found a dmesg from RAMDISK_CD on one of these and it's full of > failure starting with being unable to enable acpi (so interrupt routing and > other things aren't working), plus we haven't even got skeleton pcidevs > entries for most of the devices (ahci, nic, etc). 
Realistically, at the > moment, I'd say the best chances of getting this machine supported are if > you can get similar hardware in the hands of a developer if there is anyone > with interest, skills and time to look into it, remote debugging of a > system in this state is going to be slow and painful.. OpenBSD 6.2-current > (RAMDISK_CD) #379: Wed Jan 24 12:58:41 MST 2018 dera...@amd64.openbsd.org: > /usr/src/sys/al mem = 4250882048 (4053MB) avail mem = 4118294528 (3927MB) > mainbus0 at root bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x7f0c7000 (31 > entries) bios0: vendor American Megatrends Inc. version "1.0" date > 08/02/2017 bios0: Supermicro Super Server acpi0 at bios0: rev 2, can't > enable ACPI cpu0 at mainbus0: (uniprocessor) cpu0: Intel(R) Atom(TM) CPU > C3338 @ 1.50: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA, > CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM, > PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG, > CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE, > AES,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,3DNOWP,PERF, > ITSC,FSGSBASE,SMEP,ERMS,MPX,RDSEED,SMAP,CLFLUSHOPT,PT,SHA,SENSOR,ARAT > cpu0: 2MB 64b/line 16-way L2 cache cpu0: cannot disable silicon debug cpu0: > mwait min=64, max=64, C-substates=0.2.0.2, IBE pci0 at mainbus0 bus 0 > 0:31:5: mem address conflict 0xfe01/0x1000 pchb0 at pci0 dev 0 function > 0 vendor "Intel", unknown product 0x1980 rev 0x11 pchb1 at pci0 dev 4 > function 0 vendor "Intel", unknown product 0x19a1 rev 0x11 vendor "Intel", > unknown product 0x19a2 (class system subclass root complex event, rev 0x11) > at pci0 dev 5 function 0 not configured ppb0 at pci0 dev 10 function 0 > vendor "Intel", unknown product 0x19a5 rev 0x11 pci1 at ppb0 bus 1 ppb1 at > pci0 dev 17 function 0 vendor "Intel", unknown product 0x19ab rev 0x11 pci2 > at ppb1 bus 2 ppb2 at pci2 dev 0 function 0 "ASPEED Technology AST1150 PCI" > rev 0x03 pci3 at ppb2 bus 3 "ASPEED Technology AST2000" rev 0x30 at pci3 > dev 0 
function 0 not configured vendor "Intel", unknown product 0x19ac > (class system subclass miscellaneous, rev 0x11) at pci0 dev 18 function 0 > not configured ahci0 at pci0 dev 19 function 0 vendor "Intel", unknown > product 0x19b2 rev 0x11: unable to map interrupt ahci1 at pci0 dev 20 > function 0 vendor "Intel", unknown product 0x19c2 rev 0x11: unable to map > interrupt xhci0 at pci0 dev 21 function 0 vendor "Intel", unknown product > 0x19d0 rev 0x11: couldn't map interrupt ppb3 at pci0 dev 22 function 0 > vendor "Intel", unknown product 0x19d1 rev 0x11 pci4 at ppb3 bus 4 vendor > "Intel", unknown product 0x15e5 (class network subclass ethernet, rev 0x11) > at pci4 dev 0 function 0 not configured vendor "Intel", unknown product > 0x15e5 (class network subclass ethernet, rev 0x11) at pci4 dev 0 function 1 > not configured ppb4 at pci0 dev 23 function 0 vendor "Intel", unknown > product 0x19d2 rev 0x11 pci5 at ppb4 bus 5 vendor "Intel", unknown product > 0x15e5 (class network subclass ethernet, rev 0x11) at pci5 dev 0 function 0 > not configured vendor "Intel", unknown product 0x15e5 (class network > subclass ethernet, rev 0x11) at pci5
Re: Supermicro SuperServer E200-9A
I would "bump" the issue for this specific case, but I think it is a very laughable mistake to argue over the definition of new. Rupert, I strongly suggest you actively search as quickly as possible as Stuart suggested, or return your product. Not the first time this has happened so don't take it personally. It would also be cool if someone has: 1) A contact list of devs who are chill and want to program new things such as a Supermicro SuperServer E200-9A with an A2SDi-4C-HLN4F motherboard in it. 2) A specific recommendation for an alternative device that will provide similar sweet functionality. My idea of (2) is one of the following: https://www.openbsd.org/octeon.html https://www.openbsd.org/sgi.html ... but I could be totally wrong, I am not that smart and very busy. Regards, Charlie On Tue, Feb 27, 2018 at 5:51 AM, Stuart Henderson <s...@spacehopper.org> wrote: > On 2018/02/27 08:30, Rupert Gallagher wrote: > > Not new at all. > > > > https://www.servethehome.com/intel-atom-c3338-benchmarks- > why-denverton-is-so-sweet/ > > > > https://www.servethehome.com/intel-atom-c3558-linux- > benchmarks-and-review/ > > > > https://www.servethehome.com/ > > intel-atom-c3958-16-core-top-end-embedded-qat-linux- > benchmarks-and-review/ > > Launch date q3 '17 is pretty new. > > > Sent from ProtonMail Mobile > > > > > > On Mon, Feb 26, 2018 at 23:21, Stuart Henderson <s...@spacehopper.org> > wrote: > > > > On 2018-02-26, OpenBSD user wrote: > Hello > > I want to build a > OpenBSD firewall. And I > > have bought a Supermicro > SuperServer E200-9A. There is installed a > A2SDi-4C-HLN4F > > motherboard in it. > > I'm trying to installed OpenBSD 6.2 on it, > but I have some problems. > > > > First I tried to boot it from an usb stick and thought I could > use the > installed > > keyboard to control the installation. But under the boot > process > and before I could type > > "i" for install, it had turned the > keyboard off. 
> > Then I tried > to control the > > installation from the IPMI port. I can > control the installation > through it, but when I'm > > went to configure the > NIC's there is only a VLAN installed. Beside > the IPMI port there is > > also > 4 other NIC's installed on the motherboard. And I can't see > them. I type > "done" > > but when the installation come to the installed hdd, there is > none > to choose between. > > > > I have visit the manufacturer site, but there isn't any drivers to > any *BSD. > > I have > > googled for other who have problems, but I can't find any solutions. > > > How do I installed > > OpenBSD 6.2 on the E200-9A ? > > Please help. > > Thanks in advance > > > This machine has a > > lot of rather new hardware in (C3000 Denverton) and is really not at > all supported yet. I > > found a dmesg from RAMDISK_CD on one of these and it's full of > failure starting with being > > unable to enable acpi (so interrupt routing and other things aren't > working), plus we > > haven't even got skeleton pcidevs entries for most of the devices > (ahci, nic, etc). > > Realistically, at the moment, I'd say the best chances of getting > this machine supported > > are if you can get similar hardware in the hands of a developer if > there is anyone with > > interest, skills and time to look into it, remote debugging of a > system in this state is > > going to be slow and painful.. OpenBSD 6.2-current (RAMDISK_CD) > #379: Wed Jan 24 12:58:41 > > MST 2018 dera...@amd64.openbsd.org:/usr/src/sys/al mem = 4250882048 > (4053MB) avail mem = > > 4118294528 (3927MB) mainbus0 at root bios0 at mainbus0: SMBIOS rev. > 3.0 @ 0x7f0c7000 (31 > > entries) bios0: vendor American Megatrends Inc. 
version "1.0" date > 08/02/2017 bios0: > > Supermicro Super Server acpi0 at bios0: rev 2, can't enable ACPI > cpu0 at mainbus0: > > (uniprocessor) cpu0: Intel(R) Atom(TM) CPU C3338 @ 1.50: > > FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA, > CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM, > PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG, > CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE, > AES,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,3DNOWP,PERF, > ITSC,FSGSBASE,SMEP,ERMS,MPX,RDSEED,SMAP,CLFLUSHOPT,PT,SHA,SENSOR,ARAT > > cpu0: 2MB 64b/line 16-way L2 cache cpu0: cannot disable silicon > debug cpu0: mwait min=64, > > max=64, C-substates=0.2.0.2, IBE pci0 at m
Re: Why is so slow the download speed in OpenBSD?
Nice! From Stefan's mail: >"In the current implementation, the wifi layer selects a transmit rate based >on the number of frame transmission retries reported by wpi(4) firmware." That's the "automatically selected optimal media type", comme ci comme ca defined w/r/t the strictness of your definition. >"If you find that one of these commands makes it work as fast as it does on >Windows, we can conclude that the problem is with OpenBSD's rate selection >algorithm. This algorithm is very old and dates from a time when wifi networks >were much less densely deployed." It looks like OpenBSD is like driving a beautiful old car. Malfunction doesn't make sense to say even though existing properties of the OS and existing properties of the world aren't making it easy. On Wed, Feb 14, 2018 at 1:47 PM, Zsolt Kantor wrote: > > > Now, I just switched to OpenBSD, and executed the commands as you wrote > down. AND IT WORKS! > You have more in depth network knowledge than me, so I just will write > down what I did, and I have also some questions related to that media > option of the ifconfig (which I, to be honest don't really understand). > So, I used the same mirror (https://ftp2.eu.openbsd.org/ > pub/OpenBSD/6.2/amd64/) for testing and used only wget for downloads. > With wget the download speed is a bit higher compared to firefox or > chromium, I think because wget is more 'light', command line tool, more > optimized (probably the code is more clear), firefox and chromium opens > slower maybe also bloat in code, so the download rate is also less. > Now back to the point. I logged in to Xfce, I opened a terminal with two > tabs, one for normal user, to execute the downloads, with the following > command: 'wget https://ftp2.eu.openbsd.org/pub/OpenBSD/6.2/amd64/ > install62.fs', and one for root user to use ifconfig to make those > settings. 
After every ifconfig change, I switched to the normal user tab > and started the download process (sometimes, when I saw some unusual > fluctuation I interrupted the download process and started again, waited a > while to see what happens, than if the download process was not stable I > waited a little to be just sure, after that started the process again and > so on, to have a more precise report). > Here are the test results: > OFDM6: max: 1.30MB/s, min: 700KB/s (this config. is not stable, sometimes > drops from 1.20MB/s to 700KB and back) > OFDM9: average: 1.45MB/s (more stable, do not drops above 1.30MB) > OFDM12: quite stable as with OFDM9, sometimes reaches a max. of 1.70MB/s > OFDM18: stable, average: 1.50MB (I saw also 1.80MB/s for fractions of > seconds) > OFDM24: At the first try was not stable, fluctuated between 900KB/s and > 1.70Mb/s, at the second try it was stable, avg: 1.55MB/s (for fractions of > seconds 1.80MB/s), at the third, fourth . . . tries was stable, avg: 1.60MB > OFDM36: quite stable, avg: 1.55MB/s > OFDM48: not so stable, 700KB/s, 800KB/s, rarely reaches 1000KB/s (but > immediately drops) > OFDM54: not stable at all, between 700KB and 900KB (sometimes reaches > 1.1MB/s, rarely drops down to 300KB/s), the avg. rate is 700-750KB. > > These for the tests. Now, I have a few questions. In the ifconfig manual > at the media option states that if it is used with no arguments displays > all available media. In my case it looks like this: > > supported media: > media autoselect > media autoselect mediaopt monitor > media autoselect mode 11a > media autoselect mode 11a mediaopt monitor > media autoselect mode 11b > media autoselect mode 11b mediaopt monitor > media autoselect mode 11g > media autoselect mode 11g mediaopt monitor > > But what you proposed to me to try is OFDM6, 9, 12 . . . In the supported > media list I don't find those types, why? 
> > The second question is: now theoretically the problem is solved, to be > honest I have no clue about media types, radio frequencies and such things, > but based on my tests it's need to be corrected something in OpenBSD > related to this issue? Or it is more like a user side configuration? If > somebody would ask me I think the optimal media type should be > automatically selected by the system (driver, firmware . . . I don't know > who's in charge for this), and not by the user (after the system is > installed). > That's all, thanks again. For me the problem is solved. You need to decide > if this is a malfunction or not. > > Thanks again. > > > > > On Wednesday, February 14, 2018 9:36 PM, Zsolt Kantor < > zsoltkan...@yahoo.co.uk> wrote: > > > > You told me a very interesting thing, and I need to admit that I did not > thought about this (although in the past I wrote some ping program using > sockets, so I have a basic knowledge about networking in general). I will > try that, but right now I need to resolve other things (not related to > OpenBSD), I also thought to do some wireshark tests in Win and BSD and > check the traffic, the packets, and the times between the packets sent
Re: considering a move to OpenBSD
Thanks Daniel. Definitely the correct answer. On Thu, Feb 8, 2018 at 4:07 PM, Daniel Bolgheroni <dan...@bolgh.eng.br> wrote: > On Thu, Feb 08, 2018 at 09:41:20PM +, Charlie Eddy wrote: > > hello misc, > > > > I am considering a move to OpenBSD, since I subscribed to this mailing > list > > some time ago (~few months). I want to take advantage of security. > > > > However, a programmer who I know personally and respect considers OpenBSD > > to be old-school, in a negative sense. He recommends Arch Linux as > > superior, because more new. Does the difference boil down to one's > > definition of free software, and then compliance with that definition? > > > > I have read up on this a lot, and this is a serious question. I have > heard > > that it is unimportant what *nix you're on after a few years of using one > > or the other, in terms of functionality. I am interested in embedded > > devices. I think that bends the needle towards Arch, but the security of > > OpenBSD is also attractive. What considerations should I take into > account? > > I don't think that, if you ask the same question on an Arch Linux > mailing list, people will suggest you to run OpenBSD. Since you're on an > OpenBSD mailing list, the odds are people here will... nevermind. > > There are a lot (really, a lot) of things you should consider. > Honestly, these opinionated, one-sentence answers like these should ring > bells on your head, and work as an alert (because it's newer? really?). > > That being said, the mindset of "going to shop" when choosing software > (e.g. comparing project features to see which one "offers more for the > lowest price") is just wrong. What do you really need? "Embedded", > "security" or any single-worded reason won't say much. > > No words here will spare you the work you have to do by yourself. Install > it and put it to work. Then, then take your own conclusions. > > -- > db >
considering a move to OpenBSD
hello misc, I am considering a move to OpenBSD, since I subscribed to this mailing list some time ago (~few months). I want to take advantage of security. However, a programmer who I know personally and respect considers OpenBSD to be old-school, in a negative sense. He recommends Arch Linux as superior, because more new. Does the difference boil down to one's definition of free software, and then compliance with that definition? I have read up on this a lot, and this is a serious question. I have heard that it is unimportant what *nix you're on after a few years of using one or the other, in terms of functionality. I am interested in embedded devices. I think that bends the needle towards Arch, but the security of OpenBSD is also attractive. What considerations should I take into account? Regards, Charlie
Re: OpenBSD Foundation on HTTPS
Hello Jonathan Thornburg, That is quite simple. The post will work. https://www.ic.gc.ca/app/scr/cc/CorporationsCanada/fdrlCrpDtls.html?corpId=4409612 Regards, On Wed, Feb 7, 2018 at 6:42 AM, Jeroen wrote: > With HTTPS, can you be sure that the server isn't compromised? With or > without HTTPS, it's always a good idea to check whether the address is > correct (a foundation has to be registered and at other places). > > On Wed, 2018-02-07 at 14:40 +0100, Jonathan Thornburg wrote: > > From http://www.openbsdfoundation.org/donations.html : > > > Donations may be made by cheque in CAD/EUR/USD funds to: > > > > > > The OpenBSD Foundation > > > 8101 160 Street > > > Edmonton, Alberta, Canada > > > T5R 2G9 > > > > Without https, how can one verify that that is the correct address? > > > > > >
Re: OpenBSD Foundation on HTTPS
thank you for providing that email address, case closed as far as I'm concerned
Re: OpenBSD Foundation on HTTPS
"Can I update the value of "hosted_button_id" and send you to my Paypal account ?" this is much cleaner, more logical, more formal, and more sensible than "No need to have this one https type really there isn't any information you enter on it..." On Tue, Feb 6, 2018 at 1:10 PM, Denis Fondras wrote: > > If you actually donate and click on any links there you would see it > > bring you to a secure page. > > > > But is this the right link ? Can I update the value of "hosted_button_id" > and > send you to my Paypal account ? > > Denis > >
Re: OpenBSD Foundation on HTTPS
agreed - using HTTP instead of HTTPS is a great way to encourage that activity, and since I love having my head in the sand like an ostrich I encourage us to not encrypt the donation links to the most secure operating system available to the public. That way we can't donate securely to the foundation we support - the sand is great from down here On Tue, Feb 6, 2018 at 3:32 AM, Hess THR wrote: > troll on > > hey, yeah, you are absolutely right! > > no one would ever modify (since plain http) the example.: > > http://www.openbsdfoundation.org/donations.html > > page, where are the PayPal donation links, bitcoin donation links are, > without anybody noticing! > > Why would someone do something like this? we live in a perfect world > without bad people! yay pink ponies! > > troll off > > > > Sent: Tuesday, February 06, 2018 at 12:23 PM > > From: "Ian Sutton" > > To: "Hess THR" > > Cc: "misc@OpenBSD.org" > > Subject: Re: OpenBSD Foundation on HTTPS > > > > Hi, > > > > There is no need. There is nothing secret on those web servers, there > > is no logical reason to encrypt it. This issue has been discussed to > > death. Please check archives. > > > > Ian > > > > On Tue, Feb 6, 2018 at 4:03 AM, Hess THR wrote: > > > Hello, > > > > > > because HTTPS increases the authenticity, integrity, privacy: > https://en.wikipedia.org/wiki/HTTPS > > > > > > going to apache/iis/nginx/linux will not increase "security". since > they have very buggy code. > > > > > > but for HTTPS, luckily, OpenBSD has LibreSSL. Or are we not trusting > the code in the base? > > > > > > > > >> Sent: Friday, December 15, 2017 at 12:11 PM > > >> From: "Vivek Vinod" > > >> To: "Hess THR" > > >> Subject: Re: OpenBSD Foundation on HTTPS > > >> > > >> 1) Why do you want https support? > > >> 2) Most websites use IIS, Apache or Nginx. Maybe you should suggest > we shift to IIS as well? Wait, I guess more people use Linux, so we should > stop using OpenBSD all together. 
> > >> > > >> > > >> -Original Message- > > >> From: on behalf of Hess THR < > hessnovth...@mail.com> > > >> Date: Friday, 15 December 2017 at 4:20 PM > > >> To: , > > >> Subject: OpenBSD Foundation on HTTPS > > >> > > >> Hello, Just noticed that the: http://www.openbsdfoundation.org/ > doesn't > > >> support HTTPS, while in 2017 Dec, ~70% of the websites does: > > >> https://letsencrypt.org/stats/#percent-pageloads Can we have > HTTPS for > > >> the OpenBSD Foundation? Which Official OpenBSD related domain > hasn't got > > >> HTTPS yet? I wish you happy holidays and again, Thanks for all > the work! > > >> BTW, wow: > > >> https://www.reddit.com/r/Bitcoin/comments/7jj0oa/im_ > donating_5057_btc_to_charitable_causes/dr6q6tj/?context=3 > > >> > > > > > > >
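The check below is an added example, not part of any message in this thread: it pins the `hosted_button_id` that Denis Fondras points out could be swapped on a page served over plain HTTP, and audits a fetched copy of a donation page against that pin. The sample HTML, the pinned ID and the function names are constructed for illustration; a real pinned value would have to come from the Foundation through a separate channel.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed placeholder standing in for a button ID obtained out-of-band.
PINNED_BUTTON_ID = "EXAMPLEBUTTON01"
# Host the donation form is expected to post to.
ALLOWED_HOSTS = {"www.paypal.com"}

# Constructed sample markup, not a copy of the real donations page.
GOOD_PAGE = """
<html><body>
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
  <input type="hidden" name="cmd" value="_s-xclick">
  <input type="hidden" name="hosted_button_id" value="EXAMPLEBUTTON01">
  <input type="submit" value="Donate">
</form>
</body></html>
"""
# Same page with only the button ID rewritten in transit.
TAMPERED_PAGE = GOOD_PAGE.replace("EXAMPLEBUTTON01", "EXAMPLEBUTTON99")
# Same page with the form target pointed somewhere else.
REDIRECTED_PAGE = GOOD_PAGE.replace("https://www.paypal.com", "http://paypal.example")


class DonationFormParser(HTMLParser):
    """Collects every <form> with its action URL and named <input> values."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "form":
            self._current = {"action": attr.get("action") or "", "fields": {}}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = attr.get("name")
            if name:
                self._current["fields"][name] = attr.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_donation_page(html, page_url, pinned_id=PINNED_BUTTON_ID):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    # A page fetched over plain HTTP carries no integrity guarantee at all.
    if urlsplit(page_url).scheme != "https":
        findings.append("page-not-https")

    parser = DonationFormParser()
    parser.feed(html)
    parser.close()

    donation_forms = [f for f in parser.forms if "hosted_button_id" in f["fields"]]
    if not donation_forms:
        findings.append("no-donation-form")

    for form in donation_forms:
        target = urlsplit(form["action"])
        if target.scheme != "https":
            findings.append("form-action-not-https")
        if target.hostname not in ALLOWED_HOSTS:
            findings.append("form-action-unexpected-host")
        # Landing on a genuine HTTPS payment page proves nothing if the
        # button ID, which selects the recipient, was rewritten on the way.
        if form["fields"]["hosted_button_id"] != pinned_id:
            findings.append("button-id-mismatch")
    return findings


if __name__ == "__main__":
    url = "http://www.openbsdfoundation.org/donations.html"
    for label, page in (("good", GOOD_PAGE), ("tampered", TAMPERED_PAGE),
                        ("redirected", REDIRECTED_PAGE)):
        print(label, audit_donation_page(page, url))
```

The tampered sample still posts to the expected HTTPS host, which is why only the pinned ID catches it.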
Re: Disable external USB devices
oh and lastly to understand a bit more about why you don't need to be an ultrasmart blackhat: even USB keyboards are dangerous and lots of things can pretend to be usb https://www.youtube.com/watch?v=00A36VABIA4 and postscript: for a usb firewall, so to speak, https://wiki.wireshark.org/CaptureSetup/USB Can probably get it done with usbmon and libpcap. Could get a poc in scapy Probably iptables can be reused Prevent both rubber duckies and packet injection attacks against bluetooth mice that are seen as keyboards On Wed, Jan 24, 2018 at 4:40 PM, Charlie Eddy <charlie.e...@occipital.com> wrote: > Hi stefan, > i asked this a bit ago (or similar) > 1. https://usbguard.github.io/ > 2. you can just disable USB ports or controller in BIOS, but that's not > exciting at all. > 3. this diff, which one person used once: > > Index: sys/dev/usb/uhub.c > === > RCS file: /cvs/src/sys/dev/usb/uhub.c,v > retrieving revision 1.89 > diff -u -p -u -r1.89 uhub.c > --- sys/dev/usb/uhub.c 2 Sep 2016 09:14:59 - 1.89 > +++ sys/dev/usb/uhub.c 1 Jan 2017 22:52:53 - > @@ -55,6 +55,9 @@ > #define DEVNAME(sc)((sc)->sc_dev.dv_xname) > +/* controls enabling/disabling of USB bus probing */ > +int busprobe = 1; > + > struct uhub_softc { > struct device sc_dev; /* base device */ > struct usbd_device *sc_hub;/* USB device */ > @@ -439,6 +442,9 @@ uhub_explore(struct usbd_device *dev) > usbd_clear_port_feature(sc->sc_hub, port, > UHF_C_PORT_LINK_STATE); > } > + > + if (!busprobe) > + return (0); > /* Recursive explore. */ > if (up->device != NULL && up->device->hub != NULL) > Index: sys/dev/usb/usb.c > === > RCS file: /cvs/src/sys/dev/usb/usb.c,v > retrieving revision 1.111 > diff -u -p -u -r1.111 usb.c > --- sys/dev/usb/usb.c 18 May 2016 18:28:58 - 1.111 > +++ sys/dev/usb/usb.c 1 Jan 2017 22:52:53 - 
> @@ -87,6 +87,8 @@ int usb_noexplore = 0; > #define DPRINTFN(n,x) > #endif > +extern int busprobe; > + > struct usb_softc { > struct devicesc_dev;/* base device */ > struct usbd_bus *sc_bus; /* USB controller */ > @@ -607,6 +609,14 @@ usbioctl(dev_t devt, u_long cmd, caddr_t > #endif > break; > #endif /* USB_DEBUG */ > + case USB_GET_BUS_PROBE: > + *(unsigned int *)data = busprobe; > + break; > + case USB_SET_BUS_PROBE: > + if ((error = suser(curproc, 0)) != 0) > + return (error); > + busprobe = !!*(unsigned int *)data; > + break; > case USB_REQUEST: > { > struct usb_ctl_request *ur = (void *)data; > Index: sys/dev/usb/usb.h > === > RCS file: /cvs/src/sys/dev/usb/usb.h,v > retrieving revision 1.57 > diff -u -p -u -r1.57 usb.h > --- sys/dev/usb/usb.h 19 Jun 2016 22:13:07 - 1.57 > +++ sys/dev/usb/usb.h 1 Jan 2017 22:52:53 - > @@ -760,6 +760,8 @@ struct usb_device_stats { > #define USB_DEVICE_GET_CDESC _IOWR('U', 6, struct usb_device_cdesc) > #define USB_DEVICE_GET_FDESC _IOWR('U', 7, struct usb_device_fdesc) > #define USB_DEVICE_GET_DDESC _IOWR('U', 8, struct usb_device_ddesc) > +#define USB_GET_BUS_PROBE _IOR ('U', 9, unsigned int) > +#define USB_SET_BUS_PROBE _IOW ('U', 10, unsigned int) > /* Generic HID device */ > #define USB_GET_REPORT_DESC_IOR ('U', 21, struct usb_ctl_report_desc) > Index: usr.sbin/usbdevs/usbdevs.8 > === > RCS file: /cvs/src/usr.sbin/usbdevs/usbdevs.8,v > retrieving revision 1.9 > diff -u -p -u -r1.9 usbdevs.8 > --- usr.sbin/usbdevs/usbdevs.8 26 Jun 2008 05:42:21 - 1.9 > +++ usr.sbin/usbdevs/usbdevs.8 1 Jan 2017 22:52:53 - > @@ -39,6 +39,7 @@ > .Op Fl dv > .Op Fl a Ar addr > .Op Fl f Ar dev > +.Op Fl p Ns Op Ar on | off > .Sh DESCRIPTION > .Nm > prints a listing of all USB devices connected to the system 
> @@ -53,6 +54,10 @@ Only print information about the device > Show the device drivers associated with each device. > .It Fl f Ar dev > Only print information for the given USB controller. > +.It Fl p Ns Op Ar on | off > +Enable or disable USB bus probing. The default > +is > +.Ar on . > .It Fl v > Be verbose. > .El > Index: usr.sbin/usbdevs/u
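Review bot: The new -p entry in the usbdevs.8 option list says only "Enable or disable USB bus probing" and leaves out two things an administrator needs to know. Setting the value is a privileged operation (the USB_SET_BUS_PROBE case in usb.c calls suser()), and the page should say what happens to devices that are already attached when probing is switched off. Add both to the `.It Fl p` paragraph.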
Re: Disable external USB devices
Hi stefan, i asked this a bit ago (or similar) 1. https://usbguard.github.io/ 2. you can just disable USB ports or controller in BIOS, but that's not exciting at all. 3. this diff, which one person used once: Index: sys/dev/usb/uhub.c === RCS file: /cvs/src/sys/dev/usb/uhub.c,v retrieving revision 1.89 diff -u -p -u -r1.89 uhub.c --- sys/dev/usb/uhub.c 2 Sep 2016 09:14:59 - 1.89 +++ sys/dev/usb/uhub.c 1 Jan 2017 22:52:53 - @@ -55,6 +55,9 @@ #define DEVNAME(sc)((sc)->sc_dev.dv_xname) +/* controls enabling/disabling of USB bus probing */ +int busprobe = 1; + struct uhub_softc { struct device sc_dev; /* base device */ struct usbd_device *sc_hub;/* USB device */ @@ -439,6 +442,9 @@ uhub_explore(struct usbd_device *dev) usbd_clear_port_feature(sc->sc_hub, port, UHF_C_PORT_LINK_STATE); } + + if (!busprobe) + return (0); /* Recursive explore. */ if (up->device != NULL && up->device->hub != NULL) Index: sys/dev/usb/usb.c === RCS file: /cvs/src/sys/dev/usb/usb.c,v retrieving revision 1.111 diff -u -p -u -r1.111 usb.c --- sys/dev/usb/usb.c 18 May 2016 18:28:58 - 1.111 +++ sys/dev/usb/usb.c 1 Jan 2017 22:52:53 - @@ -87,6 +87,8 @@ int usb_noexplore = 0; #define DPRINTFN(n,x) #endif +extern int busprobe; + struct usb_softc { struct devicesc_dev;/* base device */ struct usbd_bus *sc_bus; /* USB controller */ @@ -607,6 +609,14 @@ usbioctl(dev_t devt, u_long cmd, caddr_t #endif break; #endif /* USB_DEBUG */ + case USB_GET_BUS_PROBE: + *(unsigned int *)data = busprobe; + break; + case USB_SET_BUS_PROBE: + if ((error = suser(curproc, 0)) != 0) + return (error); + busprobe = !!*(unsigned int *)data; + break; case USB_REQUEST: { struct usb_ctl_request *ur = (void *)data; Index: sys/dev/usb/usb.h === RCS file: /cvs/src/sys/dev/usb/usb.h,v retrieving revision 1.57 diff -u -p -u -r1.57 usb.h --- sys/dev/usb/usb.h 19 Jun 2016 22:13:07 - 1.57 +++ sys/dev/usb/usb.h 1 Jan 2017 22:52:53 - 
@@ -760,6 +760,8 @@ struct usb_device_stats { #define USB_DEVICE_GET_CDESC _IOWR('U', 6, struct usb_device_cdesc) #define USB_DEVICE_GET_FDESC _IOWR('U', 7, struct usb_device_fdesc) #define USB_DEVICE_GET_DDESC _IOWR('U', 8, struct usb_device_ddesc) +#define USB_GET_BUS_PROBE _IOR ('U', 9, unsigned int) +#define USB_SET_BUS_PROBE _IOW ('U', 10, unsigned int) /* Generic HID device */ #define USB_GET_REPORT_DESC_IOR ('U', 21, struct usb_ctl_report_desc) Index: usr.sbin/usbdevs/usbdevs.8 === RCS file: /cvs/src/usr.sbin/usbdevs/usbdevs.8,v retrieving revision 1.9 diff -u -p -u -r1.9 usbdevs.8 --- usr.sbin/usbdevs/usbdevs.8 26 Jun 2008 05:42:21 - 1.9 +++ usr.sbin/usbdevs/usbdevs.8 1 Jan 2017 22:52:53 - @@ -39,6 +39,7 @@ .Op Fl dv .Op Fl a Ar addr .Op Fl f Ar dev +.Op Fl p Ns Op Ar on | off .Sh DESCRIPTION .Nm prints a listing of all USB devices connected to the system @@ -53,6 +54,10 @@ Only print information about the device Show the device drivers associated with each device. .It Fl f Ar dev Only print information for the given USB controller. +.It Fl p Ns Op Ar on | off +Enable or disable USB bus probing. The default +is +.Ar on . .It Fl v Be verbose. .El Index: usr.sbin/usbdevs/usbdevs.c === RCS file: /cvs/src/usr.sbin/usbdevs/usbdevs.c,v retrieving revision 1.25 diff -u -p -u -r1.25 usbdevs.c --- usr.sbin/usbdevs/usbdevs.c 22 Dec 2015 08:36:40 - 1.25 +++ usr.sbin/usbdevs/usbdevs.c 1 Jan 2017 22:52:53 - @@ -30,14 +30,15 @@ * POSSIBILITY OF SUCH DAMAGE. */ +#include +#include +#include +#include +#include #include #include #include -#include -#include #include -#include -#include #include #ifndef nitems 
@@ -46,21 +47,23 @@ #define USBDEV "/dev/usb" -int verbose = 0; -int showdevs = 0; +int verbose; +int showdevs; +int getprobe; +int setprobe; void usage(void); void usbdev(int f, int a, int rec); void usbdump(int f); void dumpone(char *name, int f, int addr); -int main(int, char **); +void busprobe(int f, unsigned int probe); extern char *__progname; void usage(void) { - fprintf(stderr, "usage: %s [-dv] [-a addr] [-f dev]\n", __progname); + fprintf(stderr, "usage: %s [-dv] [-a addr] [-f dev] [-p[on | off]]\n", __progname); exit(1); } @@ -177,6 +180,21 @@ dumpone(char *name, int f, int addr)
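Review bot: In the uhub_explore() hunk of sys/dev/usb/uhub.c, `if (!busprobe) return (0);` leaves the function just before the "Recursive explore" step, so with probing off nothing after that point runs for this port, and hubs that are already attached downstream are no longer explored either. If the goal is only to refuse newly connected devices, skip the new-device path for that port instead of returning from uhub_explore(), and add a comment stating what is expected to happen when a device is unplugged while probing is off.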
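Review bot: In the usbioctl() hunk of sys/dev/usb/usb.c, USB_SET_BUS_PROBE is guarded only by suser(), so any root process that can turn probing off can also turn it back on, which makes the switch a convenience rather than a lock. Consider refusing the off-to-on transition once kern.securelevel has been raised, or say in the manual page that the setting is not a boundary against root. The variable is also a kernel global named plain `busprobe`, shared through `extern int busprobe;`; a `usb_` prefix would match the neighbouring `usb_noexplore` and keep it out of the way of other kernel symbols.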
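Review bot: The usbdevs.c hunks mix the new -p option with unrelated churn: the include block is reordered, `int verbose = 0;` and `int showdevs = 0;` lose their initialisers, and the `int main(int, char **);` prototype is dropped. Split those into a separate cleanup so the functional change (getprobe, setprobe, busprobe() and the new usage string) can be reviewed on its own. The userland function busprobe() also shares its name with the kernel variable it controls, which makes the patch harder to follow; a name such as set_busprobe() would read better.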
USB Firewall
Hello, Is there a method to detect and halt additional USB devices being added after initializing connections? Concerned about widespread vulnerability of keystroke injection.
After a failed checksum: What options remain?
Hello,

Privateinternetaccess.org supplies secure VPNs. Their Windows installer (v75) has a SHA256 result that does not match what is supplied on their website. Fucking terrible "security" solution, is it not?

As a prospective user of OpenBSD, I would hope that this never occurs, and that free software would fulfill its promises. I am considering switching to OpenBSD, but am afraid that I will be overcome by the difficulty of learning Linux commands. I am not incompetent and willing to read code and manpages, just timid, about this "big change."

As part of considering OpenBSD adoption, I am extremely focused on security. However, trivial and fundamental issues are difficult to work around. My conclusion that the privateinternetaccess.org security solution is terrible is not necessarily well-founded. The checksum could be modified for these reasons:

- file was messed with in transit to me
- incompetent administrators did not update the checksum when they updated the file

I suspect the latter, and unless my support ticket currently opened with Private Internet Access is resolved to my satisfaction I will be forced to use a free software solution. I am patient, but intolerant of stupidity. The determination remains to be made.

GNUPG is my first step towards a cryptographically secure future. However, in downloading it, I am confronted by a serious problem. They state the following:

Comparing Checksums

If you are not able to use an old version of GnuPG, you can still verify the file's SHA-1 checksum. This is less secure, because if someone modified the files as they were transferred to you, it would not be much more effort to modify the checksums that you see on this webpage. As such, if you use this method, you should compare the checksums with those in release announcement. This is sent to the gnupg-announce mailing list (among others), which is widely mirrored. Don't use the mailing list archive on this website, but find the announcement on several other websites and make sure the checksum is consistent. This makes it more difficult for an attacker to trick you into installing a modified version of the software.

As a result, I obtained an SSL/TLS server test to determine whether they would be exposed to MITM despite their https:// prefix due to no implementation of HSTS. GNUPG is HSTSecure. Private Internet Access is not, another flaw in their system.

However, the classic Orwellian security problem cannot be solved in this case. The serious problem is that HSTS does not prevent a first-time user from being MitM'd when they visit the site, and I may have been attacked every single time.

I have not yet verified the SHA1 sum in the archives -- are they correct in stating that this is the best method? How can I positively verify an OpenBSD install is secure? How can implementing secure processes begin? Do I need to write my own checker from scratch to know that things are operating properly? That's a joke, but it's not that funny, is it?

If a user on a compromised device installs an operating system with privilege separation, pledges could still be meaningless. What is the correct way to wear a tinfoil hat?

Regards
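The cross-checking procedure quoted from the GnuPG download page in the post above, as an added example that is not part of the original post or of any project's code: hash the download, read the checksum as published by several sources, and tell apart "the sources disagree" from "the sources agree but the file differs". The sample bytes, source labels and verdict names are constructed for illustration.

```python
import hashlib
import hmac
import io
import re

# Hex digest lengths for the algorithms this helper accepts.
DIGEST_HEX_LEN = {"sha1": 40, "sha256": 64, "sha512": 128}


def digest_stream(stream, algorithm="sha256", chunk_size=1 << 16):
    """Hash a binary stream in chunks so a large installer need not fit in RAM."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def parse_published(line, algorithm="sha256"):
    """Pull the digest out of a published checksum line.

    Accepts a bare digest, the GNU form '<hex>  <file>' and the BSD form
    'SHA256 (<file>) = <hex>'. Returns lowercase hex, or None if the line
    holds no digest of the right length for the algorithm.
    """
    n = DIGEST_HEX_LEN[algorithm]
    m = re.search(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{%d}(?![0-9A-Fa-f])" % n, line)
    return m.group(0).lower() if m else None


def cross_check(stream, published, algorithm="sha256", min_sources=2):
    """Compare a download with checksums copied from several sources.

    `published` maps a source label to the checksum line copied from it.
    Verdicts:
      match                 every source agrees and the file matches
      file-mismatch         sources agree with each other, the file differs
      sources-disagree      the published values differ between sources
      insufficient-sources  fewer than `min_sources` usable checksums
    """
    actual = digest_stream(stream, algorithm)
    parsed = {src: parse_published(line, algorithm)
              for src, line in published.items()}
    usable = {src: d for src, d in parsed.items() if d is not None}
    result = {"actual": actual,
              "unreadable": sorted(set(parsed) - set(usable))}

    if len(usable) < min_sources:
        result["verdict"] = "insufficient-sources"
        return result

    # Group the sources by the digest each one publishes.
    groups = {}
    for src, d in usable.items():
        groups.setdefault(d, []).append(src)
    result["groups"] = {d: sorted(srcs) for d, srcs in groups.items()}

    if len(groups) > 1:
        # At least one published value is stale or has been altered.
        result["verdict"] = "sources-disagree"
    elif hmac.compare_digest(actual, next(iter(groups))):
        result["verdict"] = "match"
    else:
        # The file is not the one that was announced: do not install it.
        result["verdict"] = "file-mismatch"
    return result


# Constructed sample data: stand-in bytes for a download and for an older
# release whose checksum was left on one page.
SAMPLE = b"constructed installer bytes, not a real download\n"
GOOD = hashlib.sha256(SAMPLE).hexdigest()
STALE = hashlib.sha256(b"constructed bytes of an older release\n").hexdigest()

if __name__ == "__main__":
    sources = {
        "vendor download page": "SHA256 (installer.exe) = " + GOOD,
        "announcement on a mirror": GOOD.upper() + "  installer.exe",
    }
    print(cross_check(io.BytesIO(SAMPLE), sources)["verdict"])
    sources["vendor download page"] = "SHA256 (installer.exe) = " + STALE
    print(cross_check(io.BytesIO(SAMPLE), sources)["verdict"])
```

A single published checksum cannot separate the two causes listed in the post; agreement between independently hosted copies of the announcement is what narrows it down.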
Re: Kernel memory leaking on Intel CPUs?
Excuse me, I can support the far-seeing generalities in the message you linked but am confused about the specifics. It looks like processor hangs, and deadlock, and poorly documented page table handling by the MMU, are concrete issues specified.

Respectfully: Are there any direct links to Meltdown or Spectre founded in the bugs noted in these errata? Or, is this a straw man argument against a chip manufacturer?

If there are not any direct links, but the argument against Intel itself still stands, is that because there are other chip manufacturers who have proven that it is possible to write unexploitable code?

Please let me know.

2018-01-10 3:21 GMT-08:00 Zbyszek Żółkiewski:
> 10 years passed, Theo de Raadt: https://marc.info/?l=openbsd-
> misc=118296441702631
>
> _
> Zbyszek Żółkiewski
>
> > > > https://spectreattack.com/
> > > >
Re: obligatory leaving letter
Can someone advise what occurred in NetBSD re this user?
Re: [cwm] list all available items
Just a note that cwm is an old welsh word for a mountain pass, one of the few OED words with no vowel
Re: ASLR: How Robust is the Randomness?
Hello all,

As a newcomer to this list, I would like a recommendation on further reading about this specific topic. I am unable to understand it, where normally I have some comprehension of what is going on.

Thanks,
Charlie

On Tue, Nov 28, 2017 at 10:19 AM, <leo_...@volny.cz> wrote:
> theo wrote:
> > That interpretation is wrong.
>
> Could be, I'm no genius :)
>
> > You don't understand fork+exec.
>
> Wha?
>
> > There
> > is no decision to stop using an address space after failure. Instead,
> > address spaces are intentionally split ahead of time to ensure a
> > specific pointer value is only valid in one process image. Other
> > similar load-images have unique layouts with unique pointer values.
> > So when failure happens, there is no other context where crash-learned
> > information can be reapplied in a non-crashed process image with the
> > same mapping.
>
> Uhm, how do I put this...
>
> In the old model, if an attack causes a specific child to crash, and it
> has been created using a simple fork, the parent, and all other
> children -- past, present, and future -- will *continue to use* the
> address space{, layout} that is common to them all.
>
> In the new situation, children do an exec immediately, before
> interacting with the peer. Hence, the addr space gets randomized, and
> it will not be like the parent's, or like that of any other children
> (given sufficient entropy).
>
> Hence, repeating the same attack will most likely fail.
>
> What is the part that I don't understand?
>
> > Don't change my words.
>
> Sorry, didn't mean to. It was a mere suggestion.
>
> > It is over your head. Or learn to read. Or learn to not reply before
> > you think.
>
> Criticism is welcome. Unwarranted preconceptions are not.
>
> (hmm, now what makes a preconception 'unwarranted'...?)
>
> --schaafuit.
>
session security on OpenBSD vs popular options
Hello, Please let me know how to find information on OpenBSD security as it relates to web browser sessions. For instance, I am aware that some attack vectors depend on browser connections with OS components. What security flaws exist that OpenBSD specifically is able to address? Thanks, Charlie Eddy
Re: is there something missing in pledge?
I don't know how much Dutch Theo may or may not have but this is the funniest OpenBSD discussion ever
GPU error: i915_hangcheck_hung on ThinkPad x201
Hi,

I run OpenBSD 5.6-stable on a Lenovo x201 (patched to the latest errata - 016). I use XFCE as my desktop environment. Every so often when I am moving a window, specifically trying to snap it to the left-hand side of my screen, X freezes up for a few seconds, and the following message is printed to the console:

error: [drm:pid31847:i915_hangcheck_hung] *ERROR* Hangcheck timer elapsed... GPU hung
error: [drm:pid31847:i915_hangcheck_hung] *ERROR* Hangcheck timer elapsed... GPU hung
error: [drm:pid31975:i915_reset] *ERROR* GPU hanging too fast, declaring wedged!
error: [drm:pid31975:i915_reset] *ERROR* Failed to reset chip.

After this occurs, everything continues working, but X is laggy, especially in certain applications. The best fix I've found is to reboot the system.

This appears to be the only relevant entry from /var/log/Xorg.0.log:

[ 62471.544] (EE) intel(0): Detected a hung GPU, disabling acceleration.

If I can provide any further information that might lead to fixing this problem, I will be happy to do so.

Thank you!
Charlie
Re: Seagate ST3250310AS not recognized
- Original Message -

On 03/26/14 16:59, Charlie Farinella wrote:

I'm trying to install OpenBSD 5.4 on a Dell Vostro 400, it's several years old but not ancient. 4GB RAM, 250GB Seagate ST3250310AS hard drive. The installation goes normally until it tries to find the hard drive and then tells me no hard drive is available. I've wiped the drive (it had ESXi on it before), repartitioned it, unpartitioned it, installed Linux, installed FreeBSD all without problem, but no matter what I do to it, OpenBSD won't see it. I would really like to get this working so any suggestions or guidance is very much appreciated.

First of all, your report sucks. Normally, I try to just ignore bad reports, even when I have a possible W.A.G., but I'm going to try something new... I'm going to say you owe the project a $50 donation if I'm right. And if I'm wrong, you get to buy the 5.5 CDs when they come out and say ha ha! you were WRONG!

First of all, if you hooked the drive up properly and it is seen in the bios and all, it isn't a matter of the /drive/ not being recognized, or anything on the drive left over, there's something wrong with the handling of the drive by the interface.

All that stuff that goes scrolling by the screen on boot? it's important. it's called the dmesg. Read it, it will tell you why things didn't work. You may well have to interpret things, but somewhere on your dmesg, the chip that is your SATA interface will show up, and right there, it will probably give you a good idea why it isn't acting like a disk interface. And while it looks like gibberish, it's actually fairly readable.

My wild guess: you have an ahci interface (this is good), configured in the BIOS for RAID (this is bad). Dell shipped a lot of machines with one disk, with the interface configured in the BIOS as a RAID. This is really just a lame BIOS-assisted OS-based RAID system, like most cheap RAID options, but if the OS doesn't support the RAID idea and it is a multi-booting system, bad things can happen when the BIOS helps you by copying one drive over your other drive, so OpenBSD (and at least some Linux kernels, I've seen) won't touch the drive if it was in the unsupported RAID configuration mode.

Nick.

First: Thanks to all who replied, I appreciate people trying to help.

Second: Nick was right and I am very appreciative that he took the time to help. I now know more than I knew before, and have a working system. :-)

Third: Our company has been using OpenBSD since version 3.2, purchasing CD sets, t-shirts and mugs over the years, I'll be sure we kick in the $50.00 donation.

Thank you again.

--charlie

--
Charles Farinella
Systems Administrator
Appropriate Solutions, Inc.
603-924-6079
Seagate ST3250310AS not recognized
I'm trying to install OpenBSD 5.4 on a Dell Vostro 400, it's several years old but not ancient. 4GB RAM, 250GB Seagate ST3250310AS hard drive. The installation goes normally until it tries to find the hard drive and then tells me no hard drive is available. I've wiped the drive (it had ESXi on it before), repartitioned it, unpartitioned it, installed Linux, installed FreeBSD all without problem, but no matter what I do to it, OpenBSD won't see it. I would really like to get this working so any suggestions or guidance is very much appreciated. Thanks, --charlie -- Charles Farinella Systems Administrator Appropriate Solutions, Inc. 603-924-6079
interface not reporting the correct IP address
I have an interface configured with a primary address and 2 aliases like so:

inet 173.xxx.xxx.254 255.255.255.224 NONE
inet alias 173.xxx.xxx.251 255.255.255.255
inet alias 173.xxx.xxx.252 255.255.255.255

If I visit http://www.whatismyip.com I am expecting to consistently see it report the first (173.xxx.xxx.254) address, but instead it reports any of the three addresses.

How can I guarantee that all traffic from this machine is seen as coming from the main IP address?

--
Charles Farinella
Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
cfarine...@appropriatesolutions.com
voice: 603.924.6079 fax: 603.924.8668
Re: interface not reporting the correct IP address
On Monday, February 28, 2011 02:52:07 PM Peter [prive] wrote:

Hi, I have had the same symptom

You have to use nat or you will have rotating from addresses.

Peter

I thought I had done that, but a second look showed that to be the problem. Thanks for your help.

On 28-Feb-11 15:18, Charlie Farinella wrote:

I have an interface configured with a primary address and 2 aliases like so:

inet 173.xxx.xxx.254 255.255.255.224 NONE
inet alias 173.xxx.xxx.251 255.255.255.255
inet alias 173.xxx.xxx.252 255.255.255.255

If I visit http://www.whatismyip.com I am expecting to consistently see it report the first (173.xxx.xxx.254) address, but instead it reports any of the three addresses.

How can I guarantee that all traffic from this machine is seen as coming from the main IP address?

--
Charles Farinella
Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
cfarine...@appropriatesolutions.com
voice: 603.924.6079 fax: 603.924.8668
Re: i7-720QM one more time
Ted,

Thanks for your looking at my post. Come to think about the wsmouse, I believe that Xorg -configure set it to wsmouse0, so I tried wsmouse1 (no joy, neither the trackpad nor the wireless mouse worked). I don't believe it has ever been set to simply wsmouse. I'll give that a try.

So, I take it that the wireless device and my speed step issues are already in the queue from the way you responded. If I can do anything to help, I would enjoy contributing to OpenBSD in any way that I can.

I'll follow up with news about the X mouse issue.

Thanks,
--kyle
df - du discrepancy
I have an OpenBSD 4.4 machine running just a few things; OSSEC, named and openvpn. After it's been up for a few weeks I start seeing discrepancies between what df tells me is free space and how much space du reports as being used. A few weeks ago I got 'disk full' errors and rebooted the thing which solved it for the moment, but not permanently.

Here is an example of what I'm seeing:

# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a      3.6G    1.1G    2.3G    32%    /

# du -sh *
2.0K    altroot
4.5M    bin
44.0K   boot
6.6M    bsd
5.3M    bsd.rd
38.0K   dev
2.8M    etc
94.0K   home
2.0K    ipp.txt
6.0K    lost+found
2.0K    mnt
2.0K    openvpn-status.log
78.0K   root
10.7M   sbin
2.0K    stand
0B      sys
2.0K    tmp
505M    usr
10.2M   var

This looks to me like there is a discrepancy of several hundred megabytes and each day I get an approximate 1% increase in the df used report. How can I find out what's using this space and how can I prevent it?

thanks,

--
Charles Farinella
Appropriate Solutions, Inc.
603.924.6079
ospfd cant change router-id's in 4.5
Hi,

when I change my router-id within /etc/ospfd.conf, my OSPF neighbour will not go past EXSTA, but Cisco IOS will see the router-id as a new router and go all the way to FULL.

How can I clear the neighbour association? `ospfctl reload` does nothing. I would prefer not to kill the process as it is now the single stub router for a lot of routes.

Is this a bug or a feature request? :)

This neighbours router-id is now 94.228.64.5, yet:

Neighbor 193.34.28.2, interface address 89.200.217.2
  Area 0.0.0.0, interface em3
  Neighbor priority is 1, State is EXSTA, 99 state changes
  DR is 89.200.217.3, BDR is 89.200.217.12
  Options *|*|-|-|-|-|E|*
  Dead timer due in 00:00:35
  Uptime 00:00:00
  Database Summary List 0
  Link State Request List 0

it flip flops from:

DR is 89.200.217.3, BDR is 89.200.217.12 (this is correct when FULL)

to

DR is 89.200.217.12, BDR is 0.0.0.0

and the log from the changed router:

spf_calc: area 0.0.0.0 calculated
recv_db_description: dupe from ID 193.34.28.3
nbr_fsm: event 2_WAY_RECEIVED resulted in action EVAL and changing state for neighbor ID 193.34.28.3 from INIT to 2-WAY
if_act_elect: interface em3 old dr 89.200.217.12 new dr 89.200.217.3, old bdr none new bdr 89.200.217.12
nbr_fsm: event ADJ_OK resulted in action EVAL and changing state for neighbor ID 193.34.28.3 from 2-WAY to EXSTA
orig_rtr_lsa: area 0.0.0.0
orig_rtr_lsa: stub net, interface vlan255
orig_rtr_lsa: stub net, interface vlan208
orig_rtr_lsa: stub net, interface vlan207
orig_rtr_lsa: stub net, interface em3
orig_rtr_lsa: stub net, interface em2
if_fsm: event NEIGHBORCHANGE resulted in action ELECT and changing state for interface em3 from OTHER to OTHER
recv_ls_update: packet ignored in state EXSTA, neighbor ID 193.34.28.3
spf_calc: area 0.0.0.0 calculated
recv_db_description: dupe from ID 193.34.28.3
if_act_elect: interface em3 old dr 89.200.217.3 new dr 89.200.217.12, old bdr 89.200.217.12 new bdr none
orig_rtr_lsa: area 0.0.0.0
orig_rtr_lsa: stub net, interface vlan255
orig_rtr_lsa: stub net, interface vlan208
orig_rtr_lsa: stub net, interface vlan207
orig_rtr_lsa: transit net, interface em3
orig_rtr_lsa: stub net, interface em2
if_fsm: event NEIGHBORCHANGE resulted in action ELECT and changing state for interface em3 from OTHER to OTHER
nbr_fsm: event 1_WAY_RECEIVED resulted in action CLEAR_LISTS and changing state for neighbor ID 193.34.28.3 from EXSTA to INIT
s

Regards,
C.

--
020 7729 4797 http://blog.playlouder.com/
Re: why wont my vlan interface accept this /28 ?
On Fri, Feb 06, 2009 at 04:16:57PM +0100, Simen Stavdal wrote:

Hello, I've had a similar issue before, and cannot quite remember in detail, but it was something like this ;

thanks Simon for that - it's similar but not the same issue.

uux [hmnbx4r...@gatekeeper.wzrd.com] on #openbsd sorted me out.

14:00 uux yeled: I think it is on 4.3. routing table snafu. You can't create an interface (on a vlan?) if the network is already in your route table.

I am sharing my routes on both firewalls with OSPF so this is where the issue arises. uux came up with the idea of installing the vlan interface on boot time (ie rebooting the box) and getting around this problem.

Does anyone know if this has been fixed?

Regards,
C.

--
020 7729 4797 http://blog.playlouder.com/
Re: pf drops fragged IPv6 unconditionally
On Fri, Dec 05, 2008 at 01:56:04PM -0600, Todd T. Fries wrote:

It was not stated, but I've setup firewalls in the past, I presume you have a firewall that is doing 'block in' as a catchall (which catches the fragments) .. Set your return policy on that rule if you wish it to return.

ok but the block-policy already says return. adding return to this has no effect:

block return in log (all) on $ext_if

Am I missing something here?

Regards,
C.

--
020 7729 4797 http://blog.playlouder.com/
pf drops fragged IPv6 unconditionally
After wondering why my email was seeing MTU-like issues once I enabled an record, I see that pf is dropping IPv6 packets that are fragmented.

pf.conf(5):

1546: Currently, only IPv4 fragments are supported and IPv6 fragments are blocked unconditionally.

in pf.c, under #ifdef INET6:

4402:
	do {
		switch (pd2.proto) {
		case IPPROTO_FRAGMENT:
			/*
			 * ICMPv6 error messages for
			 * non-first fragments
			 */
			REASON_SET(reason, PFRES_FRAG);
			return (PF_DROP);

I think that's the part we just don't bother parsing them. Or one of them.

I've had enable 'pass in inet6'.

Does anyone have any patches to enable this?

C.

--
020 7729 4797 http://blog.playlouder.com/
Re: pf drops fragged IPv6 unconditionally
On Fri, Dec 05, 2008 at 12:43:33PM -0600, Todd T. Fries wrote:

Theory suggests that PMTUD should handle things such that fragments do not appear, but encapsulation and tunneling via IPSec tend to generate them anyway..

Are we not breaking PMTUD by silently dropping these? Shouldn't there be a way of implying something like 'block-policy return' ?

C.

--
020 7729 4797 http://blog.playlouder.com/
Re: pf: scrub in log ?
On Fri, Nov 28, 2008 at 10:50:00AM +, td wrote:

Charlie Allom wrote:

Hi, scrub in log... passes pfctl -nf but doesn't report anything. I know for a fact that it is doing *something* - does anyone know if it's possible to see a real time activity of 'scrub' from pflog0 ?

Regards,
C.

tcpdump?

figuring out what has changed on an external interface and the one past the scrub $if isn't my idea of a fun day. but so far that's what I've been doing..

--
020 7729 4797 http://blog.playlouder.com/
pf: scrub in log ?
Hi, scrub in log... passes pfctl -nf but doesn't report anything. I know for a fact that it is doing *something* - does anyone know if it's possible to see a real time activity of 'scrub' from pflog0 ? Regards, C. -- 020 7729 4797 http://blog.playlouder.com/
Re: OpenOSPFd fails to form adjancy if remote router-id changes
On Fri, Sep 05, 2008 at 02:59:47PM -0700, andrew fresh wrote:

The problem I am seeing is that if I don't specify a router-id in ospfd.conf, then if the highest IP on a peer router changes the automatic Router ID, the session fails to start with a failed to form adjacency with old ID error.

I see this from some fallout of a bug I discovered:

/etc/ospfd.conf:

router-id 34.193.28.3
area 0.0.0.0 {
	interface em3 { }
}

int em3 has 4 (inclusive) neighbours:

ID              Pri State        DeadTime Address         Iface     Uptime
228.94.64.2     1   FULL/DR      00:00:37 200.89.217.12   em3       1d12h24m
34.193.28.2     1   FULL/BCKUP   00:00:35 200.89.217.2    em3       1d12h24m
200.89.217.37   1   2-WAY/OTHER  00:00:37 200.89.217.11   em3       -

here is 200.89.217.37:

!
router ospf 10
 router-id 228.94.64.1
 log-adjacency-changes
 redistribute connected subnets
 redistribute static subnets
 passive-interface GigabitEthernet0/0.200
 passive-interface GigabitEthernet0/1.3
 passive-interface GigabitEthernet0/1.102
 passive-interface GigabitEthernet0/1.255
 network 200.89.217.8 0.0.0.7 area 0
 network 200.89.217.32 0.0.0.7 area 0
 network 200.89.219.0 0.0.0.255 area 0
 network 228.94.65.0 0.0.0.255 area 0
 network 228.94.64.0 0.0.15.255 area 0
 network 101.146.142.0 0.0.0.127 area 0
 network 101.146.142.128 0.0.0.127 area 0
 network 34.193.28.0 0.0.3.255 area 0
 default-information originate always
!

200.89.217.37 is now 228.94.64.1 and I get this in the logs (after I `clear ip ospf proc'):

Nov 19 12:56:33 hadrian ospfd[26460]: nbr_adj_timer: failed to form adjacency with 200.89.217.37

however if I change another router-id within the mesh, I can hang the entire OS:

rtfree: 0xd99fd004 not freed (neg refs)
rtfree: 0xd99fd004 not freed (neg refs)
rtfree: 0xd99fd004 not freed (neg refs)
rtfree: 0xd99fd004 not freed (neg refs)

It needs a hard reset. A limitation of my routes?

13:08 hadrian:~# ospfctl sh f|wc -l
99
13:08 hadrian:~#

Here is a description of how to repeat the problem as well as log messages. If there is any more information I should gather, let me know.

You should send-pr. In fact I will now.

--
020 7729 4797 http://blog.playlouder.com/
Re: no pg_dump?
On Thursday 06 November 2008, Stuart Henderson wrote:

Thank you. I have everything on the list except:

/usr/local/bin/pg_config
/usr/local/bin/pg_dump
/usr/local/bin/pg_dumpall
/usr/local/bin/pg_restore

These are certainly in the 4.4-release i386 package.

I also have a live system with data in it, so shutting it down is an issue. What would you suggest I do? I can do pkg_delete on all installed PostgreSQL packages and start over I suppose, or build PostgreSQL from source. I ran pkg_add -u for the client package, but that didn't help.

you can try pkg_add -ri -F installed postgresql-client, but try and work out where they went...

As others have mentioned, there must have been an interruption of some kind during the original install, I vaguely remember something happening, but don't remember the details, but it must have been this server. The above command worked for me and once again I would like to thank everyone for their help.

--charlie

--
Charles Farinella
Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
[EMAIL PROTECTED]
voice: 603.924.6079 fax: 603.924.8668
openbsd fail2ban
Hi, I have noticed that people constantly try to brute force sshd on my openbsd box, on my server I use fail2ban to prevent this and wondered if there is a similar solution for openbsd. Regards, -- Charlie Clark Network Engineer Lemon Computing Ltd Unit 9 26-28 Priests Bridge London SW14 8TA UK Tel: +44 208 878 2138 Fax: +44 208 878 2163 Email: [EMAIL PROTECTED] Site: http://www.lemon-computing.com/ Lemon Computing is a limited company registered in England Wales under Company No. 03697052
Re: openbsd fail2ban
Hi Marcus, If you come across this program again would I be able to steal it off of you, it will implement it as suggested before using pf state table tracking but your program sounds very interesting and I would still like to see it. Thank you everyone for your answers. Thanks, Charlie Marcus Andree wrote: I've written a small program about 5 years ago. It was a daemon that implemented a service similar to port knocking but entirely in user level, calling pfctl by exec() system calls to insert/remove remote IP addresses in a pf table holding machines able to connect to the ssh daemon via port 22. It was a ugly hack but it worked for us. I shall have a backup copy somewhere on my powerbook at home... On Thu, Nov 6, 2008 at 3:33 PM, Charlie Clark [EMAIL PROTECTED] wrote: Hi, I have noticed that people constantly try to brute force sshd on my openbsd box, on my server I use fail2ban to prevent this and wondered if there is a similar solution for openbsd. Regards, -- Charlie Clark Network Engineer Lemon Computing Ltd Unit 9 26-28 Priests Bridge London SW14 8TA UK Tel: +44 208 878 2138 Fax: +44 208 878 2163 Email: [EMAIL PROTECTED] Site: http://www.lemon-computing.com/ Lemon Computing is a limited company registered in England Wales under Company No. 03697052 -- Charlie Clark Network Engineer Lemon Computing Ltd Unit 9 26-28 Priests Bridge London SW14 8TA UK Tel: +44 208 878 2138 Fax: +44 208 878 2163 Email: [EMAIL PROTECTED] Site: http://www.lemon-computing.com/ Lemon Computing is a limited company registered in England Wales under Company No. 03697052
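A sketch of the log-driven approach this thread asks about (count failed sshd logins per source address, then add offenders to a pf table with pfctl), added here as an example; it is not Marcus's program or code from any of the posts. The table name `bruteforce`, the threshold, the allowlist and the sample authlog lines are constructed assumptions, and only IPv4 sources are handled.

```shell
#!/bin/sh
# Added example: fail2ban-style scan of sshd log lines feeding a pf table.
# Assumes pf.conf already blocks the table, e.g. (hypothetical names):
#   table <bruteforce> persist
#   block in quick from <bruteforce>

# Print source addresses with at least $2 failed sshd logins in log file $1.
ssh_offenders() {
    awk -v limit="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            # The user name is chosen by the remote side and may itself
            # contain "from <addr>", so read the address by position from
            # the END of the line: ... from <addr> port <n> ssh2
            if ($(NF - 4) != "from" || $(NF - 2) != "port") next
            ip = $(NF - 3)
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) count[ip]++
        }
        END { for (ip in count) if (count[ip] >= limit) print ip }
    ' "$1" | LC_ALL=C sort
}

# Print (do not run) the pfctl commands that would ban the offenders.
# $1 = log file, $2 = threshold, $3 = pf table, $4 = space-separated allowlist
ban_commands() {
    ssh_offenders "$1" "$2" | while read -r ip; do
        case " $4 " in *" $ip "*) continue ;; esac   # never ban allowlisted hosts
        echo "pfctl -t $3 -T add $ip"
    done
}

# Constructed sample log lines (documentation address ranges only).
ssh_sample_log() {
    cat <<'EOF'
Nov  6 15:30:01 gw sshd[4101]: Failed password for root from 203.0.113.5 port 40022 ssh2
Nov  6 15:30:03 gw sshd[4101]: Failed password for root from 203.0.113.5 port 40022 ssh2
Nov  6 15:30:05 gw sshd[4103]: Failed password for invalid user admin from 203.0.113.5 port 40031 ssh2
Nov  6 15:31:10 gw sshd[4110]: Accepted publickey for alice from 198.51.100.20 port 51000 ssh2
Nov  6 15:31:40 gw sshd[4112]: Failed password for alice from 198.51.100.20 port 51002 ssh2
Nov  6 15:32:00 gw sshd[4120]: Failed password for invalid user a from 192.0.2.1 from 203.0.113.77 port 5555 ssh2
EOF
}

ssh_demo() {
    log=$(mktemp) || return 1
    ssh_sample_log > "$log"
    ban_commands "$log" 3 bruteforce "198.51.100.20"
    rm -f "$log"
}

ssh_demo
```

In the last sample line the address embedded in the user name (192.0.2.1) is never counted; only the real peer address at the end of the line is.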
no pg_dump?
I've installed postgresql client, server and contribs from packages on a new 4.4 OpenBSD machine and there is no pg_dump or pg_restore included that I can find. Where can I get these tools? --charlie -- Charles Farinella Appropriate Solutions, Inc. (www.AppropriateSolutions.com) [EMAIL PROTECTED] voice: 603.924.6079 fax: 603.924.8668
Re: no pg_dump?
On Thursday 06 November 2008, Antoine Jacoutot wrote: On Thu, 6 Nov 2008, Charlie Farinella wrote: I've installed postgresql client, server and contribs from packages on a new 4.4 OpenBSD machine and there is no pg_dump or pg_restore included that I can find. Where can I get these tools? They should be under /usr/local/bin/ You would think, I know! I have psql, pg_ctl, pg_standby, pg_controldata, pg_resetxlog, pgbench, postgres, but no pg_dump, pg_dumpall, or pg_restore. pkg_info shows: postgresql-client-8.3.3 PostgreSQL RDBMS (client) postgresql-contrib-8.3.3 PostgreSQL RDBMS contributions postgresql-server-8.3.3 PostgreSQL RDBMS (server) I'm at a loss. --charlie -- Charles Farinella Appropriate Solutions, Inc. (www.AppropriateSolutions.com) [EMAIL PROTECTED] voice: 603.924.6079 fax: 603.924.8668
Re: no pg_dump?
On Thursday 06 November 2008, Pierre-Emmanuel Andri wrote:

On Thu, 6 Nov 2008 17:06:54 -0500, Charlie Farinella [EMAIL PROTECTED] wrote:

I've installed postgresql client, server and contribs from packages on a new 4.4 OpenBSD machine and there is no pg_dump or pg_restore included that I can find. Where can I get these tools? --charlie

http://www.openbsd.org/4.4_packages/i386/postgresql-client-8.3.3.tgz-contents.html

Thank you. I have everything on the list except:

/usr/local/bin/pg_config
/usr/local/bin/pg_dump
/usr/local/bin/pg_dumpall
/usr/local/bin/pg_restore

I also have a live system with data in it, so shutting it down is an issue. What would you suggest I do? I can do pkg_delete on all installed PostgreSQL packages and start over I suppose, or build PostgreSQL from source. I ran pkg_add -u for the client package, but that didn't help.

Charles Farinella Appropriate Solutions, Inc. (www.AppropriateSolutions.com) [EMAIL PROTECTED] voice: 603.924.6079 fax: 603.924.8668
Re: routing problem
I have tried doing a route-to rule but it makes no difference, I set it up like this:

pass in quick on $ext_if route-to { ( $int_if (IP of host in DMZ ) } from any to (IP of host in DMZ)

But my router still does not pass the packets onto the host in the DMZ, I haven't tried a reply-to rule but I would have thought that the route-to rule should tell the router to pass all packets with the destination (IP of host in DMZ) on to (IP of host in DMZ).

For example even when this route-to rule is active and I try to ping a host in the DMZ from the outside net, it gets no further than the router's ext_if

It seems that any packet that comes into ext_if destined for any IP in the DMZ does not get any further, even with route-to rule, which I don't think is needed as all of the hosts are in the router's routing table and are on the same network as the router.

Thanks, Charlie

Daniel Anderson wrote:

Instead of giving you the obligatory man pf.conf reply, I will do one better and reference an old reply I posted to the list with a sample pf.conf where someone asked basically the same thing. I omitted the part that matters in this example conf, but explain what you need to insert to get it to fly.

http://marc.info/?l=openbsd-misc&m=120665186412690&w=2

It all can be found under the man page on searching for reply-to or route-to. This worked for me, so if anybody has got a more elegant means of doing it they should post.

- On Monday 20 October 2008 04:20:15 am Charlie Clark wrote:

Hi, I am trying to setup an openbsd router but are having a big problem getting it to work. Here is the scenario: The router has 3 public IP's, with 2 internet connections and sits just outside a DMZ. Behind the router there are a number of hosts with public IP's (DMZ). All of the interfaces on the router are on different subnets.
Let's say that the 3 interfaces are: int_if = the interface which is directly connected to the DMZ ext_if = the first internet connection (NOTE this ISP is the ISP which allocated the IP's in the DMZ so there is no natting done on this interface) ext2_if = the second internet connection (NOTE there is natting on this interface so everything works fine here) I have setup aproxyd to answer arp requests on ext_if for all of the IP's in the DMZ using the layout: proxy (IP) (MAC of ext_if) If I ping any IP on the net from a host in the DMZ and do a tcpdump on the router at the same time, I can see the packet coming in int_if, then going out ext_if, then the reply coming back in ext_if but then disappearing. It doesn't seem to be passing the packets, destined for the hosts in the DMZ, on to them. Is there something I am missing here? The filter rules look fine and nothing is being blocked I would appreciate any help. Thanks, -- Charlie Clark Network Engineer Lemon Computing Ltd Unit 9 26-28 Priests Bridge London SW14 8TA UK Tel: +44 208 878 2138 Fax: +44 208 878 2163 Email: [EMAIL PROTECTED] Site: http://www.lemon-computing.com/ Lemon Computing is a limited company registered in England Wales under Company No. 03697052
routing problem
Hi, I am trying to setup an openbsd router but are having a big problem getting it to work. Here is the scenario: The router has 3 public IP's, with 2 internet connections and sits just outside a DMZ. Behind the router there are a number of hosts with public IP's (DMZ). All of the interfaces on the router are on different subnets. Let's say that the 3 interfaces are: int_if = the interface which is directly connected to the DMZ ext_if = the first internet connection (NOTE this ISP is the ISP which allocated the IP's in the DMZ so there is no natting done on this interface) ext2_if = the second internet connection (NOTE there is natting on this interface so everything works fine here) I have setup aproxyd to answer arp requests on ext_if for all of the IP's in the DMZ using the layout: proxy (IP) (MAC of ext_if) If I ping any IP on the net from a host in the DMZ and do a tcpdump on the router at the same time, I can see the packet coming in int_if, then going out ext_if, then the reply coming back in ext_if but then disappearing. It doesn't seem to be passing the packets, destined for the hosts in the DMZ, on to them. Is there something I am missing here? The filter rules look fine and nothing is being blocked I would appreciate any help. Thanks, -- Charlie Clark Network Engineer Lemon Computing Ltd Unit 9 26-28 Priests Bridge London SW14 8TA UK Tel: +44 208 878 2138 Fax: +44 208 878 2163 Email: [EMAIL PROTECTED] Site: http://www.lemon-computing.com/ Lemon Computing is a limited company registered in England Wales under Company No. 03697052
Re: RES: RES: Filtering outgoing connections in pf
But it can still be a router if it does not do natting, a router with only public IP's

Cezary Morga wrote:

On Wednesday, 15 October 2008, cgc wrote:

And any box that is doing packet filtering between 2 or more networks, eg. a private network and the internet, is a router as far as I am aware

If it's natting or filtering packets it's a gateway.

-- Cezary Morga If you live to be one hundred, you've got it made. Very few people die past that age. (George Burns)

-- Charlie Clark Network Engineer Lemon Computing Ltd Unit 9 26-28 Priests Bridge London SW14 8TA UK Tel: +44 208 878 2138 Fax: +44 208 878 2163 Email: [EMAIL PROTECTED] Site: http://www.lemon-computing.com/ Lemon Computing is a limited company registered in England Wales under Company No. 03697052
Re: RES: RES: RES: Filtering outgoing connections in pf
That looks like it should work fine apart from the capital letters in your macro's

Regards, Charlie

Ricardo Augusto de Souza wrote:

Hi, I wanna allow local users ( 10.10.0.0/24 ) to Access internet just using port 80, 25 110 and 53 udp. I wanna allow full access to 10.10.20.0/24 to the internet. I mean, no restriction. Easy like that. I used openBSD 3.8 in the past and I was able to filter packets in $ext_if from my local network ( 10.10.0.0/24 ).

Tests: 1)

Users_tcp_ports = { 25, 80, 110, 443 }
Users_udp_ports = { 53, 123 }
Normal_users = 10.10.0.0/24
Power_users = 10.10.20.0/24
nat on $ext_if from $normal_users to any port $users_tcp_ports -> ($ext_if) tagged NORMAL_USERS_NAT
nat on $ext_if from $power_users to any -> ($ext_if) tagged POWER_USERS_NAT
#outgoing
Block out on $ext_if
Pass out quick on $ext_if from ($ext_if) to any
#filtering on $int_if
Pass in quick on $int_if inet proto tcp from $normal_users to any port $users_tcp_ports
Pass In quick on $int_if inet proto tcp from $power_users to any

Should this solve my problem? I still have no test environment. I have around 300 users already going to the internet and to other WAN sites through this openBSD. Plz, post me your suggestions. Thanks

-----Original Message-----
From: cgc [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 15 October 2008 16:21
To: Ricardo Augusto de Souza
Cc: misc@openbsd.org
Subject: Re: RES: RES: Filtering outgoing connections in pf

What exactly are you trying to achieve? what pc's do you want to have access to what ports? Are you just allowing every pc in the 10.10.0.0/16 network the same access or not? And access to what? Just web traffic? pings? dns? ... You will have to be a bit more specific

And any box that is doing packet filtering between 2 or more networks, eg. a private network and the internet, is a router as far as I am aware

Regards, Charlie

On Wed, 15 Oct 2008 16:06:16 -0300, Ricardo Augusto de Souza [EMAIL PROTECTED] wrote:

This sounds good. But my openBSD is working like a router. If I remove the rule pass in quick on $int_if I will have a lot of pcs that cannot access other subnets. Do u know what protocol I must allow to routes work? thank

-----Original Message-----
From: cgc [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 15 October 2008 15:49
To: Ricardo Augusto de Souza
Cc: misc@openbsd.org
Subject: Re: RES: Filtering outgoing connections in pf

let me give you an example, if you just want 10.10.0.0/16 to have port 80 access then you need 3 rules:

#the nat
nat on $ext_if from 10.10.0.0/16 to any port 80 -> ($ext_if)
#allow through $int_if
pass in quick on $int_if proto tcp from 10.10.0.0/16 to any port 80
#and finally allow through $ext_if
pass out quick on $ext_if proto tcp from ($ext_if) to any

You can lock $ext_if down to just port 80 but the point is $int_if is where you do the filtering for 10.10.0.0/16

Correct me if I am wrong.

Regards, Charlie

On Wed, 15 Oct 2008 14:44:43 -0300, Ricardo Augusto de Souza [EMAIL PROTECTED] wrote:

Is it possible filter outgoing packets in $ext_if even doing NAT? I mean, after nat on $ext_if from 10.10.0.0/16 to any -> ($ext_if) all packets from 10.10.0.0/16 will be translated to $ext_if. I wish I could filter 10.10.0.0/16 packets in $ext_if. Is it possible? Thanks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Ricardo Augusto de Souza
Sent: Wednesday, 15 October 2008 13:01
To: misc@openbsd.org
Subject: Filtering outgoing connections in pf

Hi, I AM confused with some PF rules. I am trying to allow just some ports to my local users. I am using block out on $ext_if but I think I would be able to choose ports my lan users will access with rule Pass out on $ext_if proto tcp from 10.10.0.0/16 to any port { 80, 25, 110 } keep state . It seems to be ok, but I had to add this rule: Pass out on $ext_if from $ext_if to any ( without this rule my box cannot connect to the internet ).

With this rule, All users can connect to any out port. Question: What is the right way to have my box at the internet and my users can only access that selected ports
Re: RES: Filtering outgoing connections in pf
Private IP's like those in 10.10.0.0/16 have to be natted using

nat on $ext_if from 10.10.0.0/16 to any -> ($ext_if)

so the packets exiting $ext_if are coming from ($ext_if) and not from 10.10.0.0/16

Regards, Charlie

Ricardo Augusto de Souza wrote:

I didn't understand what u said. Could u please explain me better. Sorry to bother u. Thanks

-----Original Message-----
From: Charlie Clark [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 15 October 2008 13:38
To: Ricardo Augusto de Souza
Subject: Re: Filtering outgoing connections in pf

Hi Ricardo, That's because the packets going out have to be natted so they are not coming from 10.10.0.0/16 but instead they are coming from $ext_if

Regards, Charlie

Ricardo Augusto de Souza wrote:

Hi, I AM confused with some PF rules. I am trying to allow just some ports to my local users. I am using block out on $ext_if but I think I would be able to choose ports my lan users will access with rule Pass out on $ext_if proto tcp from 10.10.0.0/16 to any port { 80, 25, 110 } keep state . It seems to be ok, but I had to add this rule: Pass out on $ext_if from $ext_if to any ( without this rule my box cannot connect to the internet ). With this rule, All users can connect to any out port. Question: What is the right way to have my box at the internet and my users can only access that selected ports?
Thanks

My pf.conf:

set loginterface xl1
set skip on lo0
scrub in
set require-order yes
set state-policy if-bound

altq on xl1 priq bandwidth 50Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

# external interface (WAN)
ext_if = "xl1"
# internal interface (LAN)
int_if = "xl0"
# MPLS interface
mpls_if = "bge0"
# VPN tunnel interfaces
vpn_if = "{ tun0, tun1, tun2, tun3, tun4 }"
vpn_net = "{ 10.10.9.0/26 }"
# Default GW
gw = "200.162.41.33"

table <badsites> persist file "/etc/badsites.txt"
winupdate = "{ 65.54.87.0/24 }"

# Variables
#
# 1 - Redirection for the staging (acceptance test) environment
ws_ip = "{ 10.10.100.21 }"
ws_ports = "{ 8101, 8102, 8103 }"

# 2 - Useful variables
lan = "{ 10.10.0.0/16 }"
cmt_lan = "{ 10.10.0.0/24 }"
ti_lan = "{ 10.10.20.0/26 }"
call_center_lan = "{ 10.10.60.0/26 }"
rede_mpls = "{ 10.100.0.0/16 }"
ip_admin = "{ 10.10.20.100 }"
msn = "207.46.0.0/16"

# ports
portas_saida_tcp = "{ 25, 80, 110, 443 }"
portas_saida_udp = "{ 53, 443 }"
portas_entrada_tcp = "{ 22, 1981, 810 }"
portas_entrada_udp = "{ 1194 }"
ip_rose = "{ 10.10.0.56 }"
porta_rose = "{ 2631 }"
oracle_desenv = "{ 10.10.100.13, 10.10.100.14 }"
ips_adm_ext = "{ 189.33.76.0/26 }"

# test: internet for the MPLS stores
rdr pass on $mpls_if inet proto tcp from any to $mpls_if port 3128 -> $int_if port 3128

# redirect to the NTP server
rdr pass on $mpls_if inet proto udp from $rede_mpls to $mpls_if port 123 -> 10.10.100.254 port 123

# redirect so the DTC servers can send email through sol
rdr pass on $mpls_if inet proto tcp from $rede_mpls to $mpls_if port 25 -> 10.10.0.2 port 25
nat on $int_if from any to 10.10.0.2 -> $int_if

# transparent squid
rdr pass on $int_if inet proto tcp from $lan to any port 80 -> $int_if port 3128
rdr pass on $mpls_if inet proto tcp from any to $mpls_if port 1521 -> 10.10.100.13 port 1521
rdr pass on $mpls_if inet proto tcp from any to $mpls_if port 1522 -> 10.10.100.14 port 1521
nat on $int_if from any to $oracle_desenv port 1521 -> $int_if

# redirection to the LAN; NAT was also necessary.
rdr pass on $ext_if inet proto tcp from any to $ext_if port $ws_ports -> $ws_ip
nat on $int_if from any to $ws_ip -> $int_if

#
# NAT
#
# NAT to give the LAN internet access
nat on $ext_if from $lan to !($ext_if) -> $ext_if
nat on $mpls_if from $lan to any -> $mpls_if

# block everything in and everything out
block in on $ext_if

# inbound rules
# allow everything in on the internal interface
pass in on $int_if proto udp from $lan to $int_if port 53
pass in on $int_if from any to $lan modulate state
pass in on $int_if from $rede_mpls to $lan modulate state

# allow access to the MPLS network
pass in quick on $mpls_if from any to any
#pass in quick on $mpls_if from $rede_mpls to any

# allow inbound on the external interface
pass in quick on $ext_if proto tcp from any to $ext_if port $portas_entrada_tcp keep state
pass in quick on $ext_if proto tcp from any to $ext_if port $ws_ports keep state
pass in quick on $ext_if proto udp from any to $ext_if port $portas_entrada_udp keep state
pass in quick on $ext_if proto tcp from any to $int_if port 443 flags S/SAFR keep state (max 256)

#VPN
pass in quick on $ext_if proto tcp from any to $ext_if port = 1723 modulate state
pass in quick on $ext_if proto gre from any to $ext_if keep state
pass out quick on $ext_if proto gre from $ext_if
Re: route-to doesnot work for me - what am i doing wrong
Hi Siju, isn't this:

pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from <hifxchn2> to any keep state

meant to be like this:

pass in quick on $int_if route-to { ( $ext_if2 $ext_ifgw ) } from <hifxchn2> to any keep state

Regards, Charlie

Siju George wrote:

Hi, I have firewall

sk0 - LAN Interface
rl1 - Primary internet connection
rl2 - secondary Internet connection

I have a line in pf.conf to route requests from hosts in hifxchn2 through the rl2 internet connection but it does not seem to work. the full pf.conf is below

===
##NETWORK INTERFACES
#
int_if="sk0"    #HiFX LAN Interface - Connected to Main Switches - using 172.16.0.0/12 Range.
ext_if="rl1"    #Dataone Connection - rl2 interface Connected to the Dataone Router.
ext_if2="rl2"
ext_ifgw="122.166.40.1"
proxy="122.166.40.36"

#Private IP Address Range Specified by RFC 1918.
#
priv_nets="{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

#Computers in HiFX LAN that are permitted to bypass squid to make HTTP and HTTPS connections directly to the Internet
#
table <bypass-squid-users> persist file "/etc/pf-tables/bypass-squid-users"

#Websites to which bypassing SQUID is allowed.
#
table <bypass-squid-sites> persist file "/etc/pf-tables/bypass-squid-sites"
table <lanspl> persist file "/etc/pf-tables/lanspl"
table <adm> persist file "/etc/pf-tables/adms"
table <vtcservers> persist file "/etc/pf-tables/vtcservers"
table <bannedIPs> persist file "/etc/pf-tables/bannedIPs"
table <authpf_users> persist
table <hifxchn2> persist file "/etc/pf-tables/hifxchn2"

#Traffic Normalization - Required for pppoe connection.
#
scrub on $ext_if all no-df random-id fragment reassemble

###Network Address Translation and Port Redirection
###The First Matching rule wins here for any packet and no further nat or rdr rules are checked.
nat-anchor "authpf/*"
rdr-anchor "authpf/*"
binat-anchor "authpf/*"
nat pass on $ext_if from <adm> to any -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021

# redirect to beergas website
rdr pass on $ext_if inet proto tcp from any to any port 80 -> 172.16.4.12 port 80
rdr pass on $ext_if inet proto tcp from any to any port 443 -> 172.16.4.12 port 443

###
#
nat on $ext_if from <bypass-squid-users> to any -> ($ext_if)

#NAT connections to specified websites.
nat on $ext_if from any to <bypass-squid-sites> port { 80, 443 } -> ($ext_if)
nat on $ext_if from any to <bypass-squid-sites> port { 80, 443 } -> ($ext_if2)

#Block NAT for other hosts to port 80 and 443 on the Internet.
#They should all go via SQUID CACHE PROXY
#
no nat on $ext_if from any to any port { 80, 443 }
no nat on $ext_if2 from any to any port { 80, 443 }

#Allow NAT for rest of the Computers to Internet - port 80 and 443 is already blocked for these hosts by the rule above.
#
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if2 from $int_if:network to any -> ($ext_if2)

#The SQUID CACHE PROXY Listens on localhost interface port 8080 for security reasons.
#PROXY configuration for computers in the HIFX LAN Machine in the IP Address of $int_if and port 8080
#Hence all Traffic coming to $int_if port 8080 should be redirected to SQUID running on localhost:8080
#
no rdr on $int_if from any to 70.86.222.30
rdr on $int_if proto tcp from any to any port 8080 -> 127.0.0.1 port 8080

###Filter Rules.
###The last matching rule wins here for packets except when the quick word is used in which case Further rules are not processed.

#Starting with a Deny all Traffic Policy. Later rules open up the firewall for required traffic.
block all
pass in quick on $ext_if inet proto tcp from any to any port ssh keep state

#Blocking RFC1918 Traffic.
block in log quick on $ext_if from $priv_nets to any
block out log quick on $ext_if from any to $priv_nets
block out log quick on $ext_if from any to <bannedIPs>

#Allow all traffic on the localhost interface.
pass quick on lo0 all

#Allow Traffic from HIFX LAN to pass through the firewall also allow traffic from firewall to enter the LAN.
pass in quick on $int_if from any to $int_if keep state
pass out quick on $int_if from $int_if to any keep state
pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from <hifxchn2> to any keep state
pass in quick on $int_if from $int_if:network to any keep state
pass out quick on $int_if from any to $int_if:network keep state

#Allow Traffic from Firewall to pass out to the Internet.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if2 proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass out on $ext_if2 proto { udp, icmp } all keep state

#ftp-proxy
anchor "ftp-proxy/*"
pass out proto tcp from $proxy to any port 21 keep state

#authpf
anchor authpf
Re: pfctl
openbsd misc wrote:

interesting point. How about dumping it to a file or something so you are able to check what was loaded last time (e.g. a file with 400 under /var/whatever)?

What I want is, I have a script that when I commit a ruleset with pfctl it uses pfctl to query the loaded rules and outputs that to a file, I get the rulesets there using fwbuilder, which loads the ruleset directly using pfctl, I have another script which checks the currently loaded ruleset against the file that my commit script creates and does a diff, if the ruleset hasn't been committed using my script (or doesn't match the file) after a minute, it will roll the rules back. This is good in case an admin loads a ruleset which locks them out. But I have no way to get my set to recognize changes to options so when I try to commit a ruleset using my script it thinks that I'm trying to commit the same ruleset. Does this make more sense?

-- Charlie Clark Network Engineer Lemon Computing Ltd Unit 9 26-28 Priests Bridge London SW14 8TA UK Tel: +44 208 878 2138 Fax: +44 208 878 2163 Email: [EMAIL PROTECTED] Site: http://www.lemon-computing.com/ Lemon Computing is a limited company registered in England Wales under Company No. 03697052
Re: pfctl
Almir Karic wrote:

diff of a loaded ruleset is not that useful (for humans) IMHO, a better way would be to diff the ruleset (possibly excluding the comments and spaces etc). even better way to do that would be to JustDoIt (no diff checking whatsoever, and let the admins reload the rule when they commit any changes to it.

With no diff it would mean that if the admin loaded a ruleset which locked him/her out, they would have to go to the box and change the rules, not ideal if you have a lot of boxes scattered over distances. And if we diff'ed the ruleset, how could you be sure that the ruleset was loaded correctly, which means that the file it creates to compare newly loaded rulesets against might not have been the currently running config

-- Charlie Clark Network Engineer Lemon Computing Ltd Unit 9 26-28 Priests Bridge London SW14 8TA UK Tel: +44 208 878 2138 Fax: +44 208 878 2163 Email: [EMAIL PROTECTED] Site: http://www.lemon-computing.com/ Lemon Computing is a limited company registered in England Wales under Company No. 03697052
Re: pfctl
Then, if this is still such a big issue, you can write some scripts that will give you something along the lines of Junipers 'commit confirmed' .. you first enable a ruleset which will be automatically reverted in 5 or 10 (or however many you like) minutes. Then, if you don't lock yourself out, and your changes look good, you stop the revert from happening (ie, you 'commit confirmed'). I have, this is the script I am talking about, I want to know how to make the script know about option changes, eg. block policy, state policy and skip options. I wonder .. what would you do if that same admin that locked himself out did an accidental halt or rm -rf / ? Surely you have a means to fix that ? Why is the firewall so special ? I have, the root is mounted readonly, and halt is not possible :) -- Charlie Clark Network Engineer Lemon Computing Ltd Unit 9 26-28 Priests Bridge London SW14 8TA UK Tel: +44 208 878 2138 Fax: +44 208 878 2163 Email: [EMAIL PROTECTED] Site: http://www.lemon-computing.com/ Lemon Computing is a limited company registered in England Wales under Company No. 03697052
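One way to make a commit/rollback check like the one discussed in this thread notice option-only changes, added here as an example and not the script from the posts: since `pfctl -s` output does not include the `set` options, the fingerprint combines the saved `pfctl -sr`/`pfctl -sn` output with the `set` lines taken from the pf.conf that was fed to `pfctl -f`. It assumes that source file is available to the script; all file names and sample rules are constructed.

```shell
#!/bin/sh
# Added example: fingerprint = kernel-reported rules + "set" options from source.
# Real use (not run here; paths are hypothetical):
#   { pfctl -sr; pfctl -sn; } > /var/db/pf.loaded
#   pf_fingerprint /var/db/pf.loaded /etc/pf.conf > /var/db/pf.committed

# Normalise pf.conf-style text on stdin: drop comments and blank lines,
# squeeze whitespace. (A '#' inside a quoted string would also be cut.)
pf_normalize() {
    awk '{ sub(/#.*/, ""); gsub(/[ \t]+/, " "); sub(/^ /, ""); sub(/ $/, "")
           if ($0 != "") print }'
}

# Print only the "set ..." option lines of pf.conf source file $1, sorted.
pf_set_options() {
    pf_normalize < "$1" | awk '$1 == "set"' | LC_ALL=C sort
}

# Snapshot: $1 = saved `pfctl -s` output, $2 = pf.conf that was loaded.
pf_snapshot() {
    echo "## options (from source file)"
    pf_set_options "$2"
    echo "## rules (as reported by pfctl -s)"
    pf_normalize < "$1"
}

# Short change-detection checksum of the snapshot (CRC, not tamper-proof).
pf_fingerprint() {
    pf_snapshot "$1" "$2" | cksum | awk '{ print $1 "-" $2 }'
}

# True (0) when rules or options differ from committed fingerprint $1.
pf_changed() {
    [ "$(pf_fingerprint "$2" "$3")" != "$1" ]
}

pf_demo() {
    d=$(mktemp -d) || return 1
    # Constructed sample of what `pfctl -sr` might print (same for both loads).
    cat > "$d/rules.txt" <<'EOF'
block drop all
pass in quick on sk0 inet proto tcp from any to any port = 22 flags S/SA keep state
EOF
    # Constructed pf.conf before and after an options-only change.
    cat > "$d/old.conf" <<'EOF'
set skip on lo0
set block-policy drop
block all
pass in quick on sk0 proto tcp to port ssh
EOF
    cat > "$d/new.conf" <<'EOF'
set skip on { lo0, tun0 }   # only this option changed
set block-policy drop
block all
pass in quick on sk0 proto tcp to port ssh
EOF
    committed=$(pf_fingerprint "$d/rules.txt" "$d/old.conf")
    if pf_changed "$committed" "$d/rules.txt" "$d/new.conf"; then
        result="options-changed"
    else
        result="unchanged"
    fi
    rm -rf "$d"
    echo "$result"
}

pf_demo
```

A rollback job would call `pf_changed` with the stored fingerprint after the grace period and reload the last committed pf.conf when it returns true.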
Re: pfctl
don't you have some way to handle the other situations where pfctl -sr doesn't output exactly what pfctl -f was fed as input? how do you handle macros or the ruleset optimiser? There are no macro's as I'm using fwbuilder to build the ruleset and isn't the ruleset optimiser is set using a set option, at the moment I cannot query any 'set' options in my ruleset to compare new rulesets against -- Charlie Clark Network Engineer Lemon Computing Ltd Unit 9 26-28 Priests Bridge London SW14 8TA UK Tel: +44 208 878 2138 Fax: +44 208 878 2163 Email: [EMAIL PROTECTED] Site: http://www.lemon-computing.com/ Lemon Computing is a limited company registered in England Wales under Company No. 03697052
Re: pfctl
Stuart Henderson wrote: On 2008/07/28 11:37, Charlie Clark wrote: don't you have some way to handle the other situations where pfctl -sr doesn't output exactly what pfctl -f was fed as input? how do you handle macros or the ruleset optimiser? There are no macro's as I'm using fwbuilder to build the ruleset and isn't the ruleset optimiser is set using a set option, it's on by default. In this case would 'pfctl -sr' or 'pfctl -sn' not show the new optimized ruleset? -- Charlie Clark Network Engineer Lemon Computing Ltd Unit 9 26-28 Priests Bridge London SW14 8TA UK Tel: +44 208 878 2138 Fax: +44 208 878 2163 Email: [EMAIL PROTECTED] Site: http://www.lemon-computing.com/ Lemon Computing is a limited company registered in England Wales under Company No. 03697052
Re: pfctl
Stuart Henderson wrote: On 2008-07-28, Charlie Clark [EMAIL PROTECTED] wrote: Stuart Henderson wrote: On 2008/07/28 11:37, Charlie Clark wrote: don't you have some way to handle the other situations where pfctl -sr doesn't output exactly what pfctl -f was fed as input? how do you handle macros or the ruleset optimiser? There are no macro's as I'm using fwbuilder to build the ruleset and isn't the ruleset optimiser is set using a set option, it's on by default. In this case would 'pfctl -sr' or 'pfctl -sn' not show the new optimized ruleset? Yes, and it won't match what you fed it. So your diff will fail won't it? No not if both of the files which are being compared were created using pfctl -s -- Charlie Clark Network Engineer Lemon Computing Ltd Unit 9 26-28 Priests Bridge London SW14 8TA UK Tel: +44 208 878 2138 Fax: +44 208 878 2163 Email: [EMAIL PROTECTED] Site: http://www.lemon-computing.com/ Lemon Computing is a limited company registered in England Wales under Company No. 03697052
pfctl
Hi, I have noticed that you are unable to view the currently loaded options for pf using pfctl, even 'pfctl -sa' doesn't show the options eg. set skip on tun0. Is this going to be implemented soon or is it there and I'm missing something? Regards, -- Charlie Clark Network Engineer Lemon Computing Ltd Unit 9 26-28 Priests Bridge London SW14 8TA UK Tel: +44 208 878 2138 Fax: +44 208 878 2163 Email: [EMAIL PROTECTED] Site: http://www.lemon-computing.com/ Lemon Computing is a limited company registered in England Wales under Company No. 03697052
Re: pfctl
Stuart Henderson wrote:

On 2008-07-25, Charlie Clark [EMAIL PROTECTED] wrote:

Hi, I have noticed that you are unable to view the currently loaded options for pf using pfctl, even 'pfctl -sa' doesn't show the options eg. set skip on tun0. Is this going to be implemented soon or is it there and I'm missing something? Regards,

Someone asked about this recently. http://marc.info/?l=openbsd-misc&w=2&r=1&s=set+skip+pfctl&q=b

Yes sorry I posted this by accident, I still haven't got a valid solution for this though.

-- Charlie Clark Network Engineer Lemon Computing Ltd Unit 9 26-28 Priests Bridge London SW14 8TA UK Tel: +44 208 878 2138 Fax: +44 208 878 2163 Email: [EMAIL PROTECTED] Site: http://www.lemon-computing.com/ Lemon Computing is a limited company registered in England Wales under Company No. 03697052
Re: pfctl
Henning Brauer wrote: * Charlie Clark [EMAIL PROTECTED] [2008-07-25 14:41]: Is this going to be implemented soon or is it there and I'm missing something? that is probably never going to be implemented, as some options just affect further parsing and aren't loaded to the kernel. OK, would there be any other way to query the options that were last loaded into pf? Thanks, -- Charlie Clark Network Engineer Lemon Computing Ltd Unit 9 26-28 Priests Bridge London SW14 8TA UK Tel: +44 208 878 2138 Fax: +44 208 878 2163 Email: [EMAIL PROTECTED] Site: http://www.lemon-computing.com/ Lemon Computing is a limited company registered in England Wales under Company No. 03697052
failed make on openssh 5.1
I have been asked to upgrade OpenSSH on an OpenBSD 4.1 server from 4.6 to 5.1. I have followed the instructions at http://www.openssh.org/openbsd.html and am getting the error below during 'make'. I have downloaded the source and the patch as instructed and followed these instructions to the letter:

# cd /usr/src/usr.bin
# tar xvfz .../openssh-5.1.tgz
# cd ssh
# patch -p0 < /path/to/openssh43_5.1.patch
# make obj
# make cleandir
# make depend
# make

Here are the results. I don't know what the 'arc4random_uniform' error indicates, if someone can point me in the right direction, I'd appreciate the help.

===
cc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o mux.o -L/usr/src/usr.bin/ssh/ssh/../lib/obj -lssh -lgssapi -lkrb5 -lcrypto -lz -ldes
/usr/src/usr.bin/ssh/ssh/../lib/obj/libssh.a(dh.o)(.text+0x438): In function `choose_dh':
/usr/src/usr.bin/ssh/dh.c:166: undefined reference to `arc4random_uniform'
collect2: ld returned 1 exit status
*** Error code 1

Stop in /usr/src/usr.bin/ssh/ssh (line 95 of /usr/share/mk/bsd.prog.mk).
*** Error code 1
===

thanks, --charlie
-- Charles Farinella Appropriate Solutions, Inc. (www.AppropriateSolutions.com) [EMAIL PROTECTED] voice: 603.924.6079 fax: 603.924.8668
Re: failed make on openssh 5.1
On Tuesday 22 July 2008, Charlie Farinella wrote:
> I have been asked to upgrade OpenSSH on an OpenBSD 4.1 server from 4.6 to 5.1. I have followed the instructions at http://www.openssh.org/openbsd.html and am getting the error below during 'make'. I have downloaded the source and the patch as instructed and followed these instructions to the letter:

To answer my own question, no sooner had I hit 'send' than I noticed the patch number indicated 4.3. I have downloaded OpenSSH 5.0, the appropriate 4.1 - 5.0 patch and all is well. Sorry for the noise.

--charlie

> # cd /usr/src/usr.bin
> # tar xvfz .../openssh-5.1.tgz
> # cd ssh
> # patch -p0 < /path/to/openssh43_5.1.patch
> # make obj
> # make cleandir
> # make depend
> # make
>
> Here are the results. I don't know what the 'arc4random_uniform' error indicates, if someone can point me in the right direction, I'd appreciate the help.
>
> ===
> cc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o mux.o -L/usr/src/usr.bin/ssh/ssh/../lib/obj -lssh -lgssapi -lkrb5 -lcrypto -lz -ldes
> /usr/src/usr.bin/ssh/ssh/../lib/obj/libssh.a(dh.o)(.text+0x438): In function `choose_dh':
> /usr/src/usr.bin/ssh/dh.c:166: undefined reference to `arc4random_uniform'
> collect2: ld returned 1 exit status
> *** Error code 1
> Stop in /usr/src/usr.bin/ssh/ssh (line 95 of /usr/share/mk/bsd.prog.mk).
> *** Error code 1
> ===
>
> thanks, --charlie
>
> -- Charles Farinella Appropriate Solutions, Inc. (www.AppropriateSolutions.com) [EMAIL PROTECTED] voice: 603.924.6079 fax: 603.924.8668

-- Charles Farinella Appropriate Solutions, Inc. (www.AppropriateSolutions.com) [EMAIL PROTECTED] voice: 603.924.6079 fax: 603.924.8668
pfctl
Hi, I have noticed that you are unable to view the currently loaded options for pf using pfctl, even 'pfctl -sa' doesn't show the options eg. set skip on tun0. Is this going to be implemented soon or is it there and I'm missing something? Regards, -- Charlie Clark Network Engineer Lemon Computing Ltd Unit 9 26-28 Priests Bridge London SW14 8TA UK Tel: +44 208 878 2138 Fax: +44 208 878 2163 Email: [EMAIL PROTECTED] Site: http://www.lemon-computing.com/
openospfd default routes
Hi, I am trying to set up an active/active routing firewall setup with OSPF so it load shares the traffic equally. I have created a test lab with IOS ASBRs that have `default-information originate always` so I then can see 2 routes to 0.0.0.0/0.0.0.0 via 2 routes. It seems there is a limitation with *bsd's kernels in that they do not allow for ECMP routing. ie, they can have only one default route at one time. Does OpenOSPFd work around this (and I've just got my setup wrong) or is the sad truth that OSPF prefixes will work, except for the default route? (ie quagga on *bsd has this issue). Cheers. C. -- 020 7729 4797 http://devblog.playlouder.com/
Re: Dell sc440 / broadcom bcm5754 nic [resolution]
On Tuesday 24 July 2007, Chris Kuethe wrote:
> On 7/24/07, Charlie Farinella [EMAIL PROTECTED] wrote:
>> Thank you, I think this will solve my problem, but I have no idea how to proceed. I assume I need to recompile the kernel and swap out the new if_bge.c file for the one included with the OS. Is that correct? I've looked briefly at docs and some how-to's but haven't seen any specific instructions. If anyone knows of some documentation for this, a pointer would be appreciated.
>
> much like the instructions at the beginning of other patches... general information on how to patch an openbsd is in the FAQ
> http://www.openbsd.org/faq/faq10.html#Patches
> http://www.openbsd.org/faq/faq5.html#Building

For anyone else with the same problem: I ended up downloading the entire /sys directory from current, then compile and install. That worked! Thanks to all for your help. :-)

> let me know if this doesn't apply or doesn't work.
>
> save the diff below (into /tmp/bgediff, for example)
> cd /sys/dev/pci
> patch -C < /tmp/bgediff (check that the diff would apply correctly)
> patch < /tmp/bgediff
> cd /sys/arch/i386/conf/ (assuming you're running i386)
> config GENERIC
> cd ../compile/GENERIC
> make clean depend bsd
> make install
> reboot

Index: if_bge.c === RCS file: /cvs/src/sys/dev/pci/if_bge.c,v Retrieving revision 1.211 Retrieving revision 1.212 server -u -N -p -r1.211 -r1.212 if_bge.c --- if_bge.c 24 Jul 2007 14:42:551.211 +++ if_bge.c 24 Jul 2007 14:42:551.212 
@@ -1384,16 +1384,21 @@ bge_blockinit(struct bge_softc *sc) } /* - * Set the BD ring replentish thresholds. The recommended + * Set the BD ring replenish thresholds. The recommended * values are 1/8th the number of descriptors allocated to * each ring. */ i = BGE_STD_RX_RING_CNT / 8; - /* Use a value of 8 for these chips to workaround HW errata */ + /* + * Use a value of 8 for the following chips to workaround HW errata. + * Some of these chips have been added based on empirical + * evidence (they don't work unless this is done). + */ if (BGE_ASICREV(sc-bge_chipid) == BGE_ASICREV_BCM5750 || BGE_ASICREV(sc-bge_chipid) == BGE_ASICREV_BCM5752 || - BGE_ASICREV(sc-bge_chipid) == BGE_ASICREV_BCM5755) + BGE_ASICREV(sc-bge_chipid) == BGE_ASICREV_BCM5755 || + BGE_ASICREV(sc-bge_chipid) == BGE_ASICREV_BCM5787) i = 8; CSR_WRITE_4(sc, BGE_RBDI_STD_REPL_THRESH, i); -- GDB has a 'break' feature; why doesn't it have 'fix' too? -- Charles Farinella Appropriate Solutions, Inc. (www.AppropriateSolutions.com) [EMAIL PROTECTED] voice: 603.924.6079 fax: 603.924.8668
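Review bot: the rewritten comment above the BGE_ASICREV() test in bge_blockinit() says some chips were added on empirical evidence but does not say which, so a later reader cannot tell a documented erratum from an observed one; name BCM5787 in the comment as the entry added on that basis. The condition is now a four-way || chain comparing the same BGE_ASICREV() value, and a switch on that value would keep the next chip addition to a single case line. It would also be worth recording in the comment that the BCM5754 in this thread is reported in dmesg as "BCM5787 A2 (0xb002)", since that is why the new BGE_ASICREV_BCM5787 test is the one that covers it.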
Re: Dell sc440 / broadcom bcm5754 nic
On Thursday 19 July 2007, David Gwynne wrote:
> On Thu, Jul 19, 2007 at 10:47:55AM -0400, Charlie Farinella wrote:
>> Our company has purchased 3 of these servers, and I would like very much to get the onboard nic working on at least one of them. I have installed OpenBSD 4.1 and it seems to recognize the interface correctly and use the correct driver ( bge ) for it, but it is not responsive. It will not connect to our network at all. Googling tells me some others have had the same problem, but I haven't found any solutions so far.
>
> If you apply revision 1.212 of src/sys/dev/pci/if_bge.c then your nic will start working.
>
> dlg

Thank you, I think this will solve my problem, but I have no idea how to proceed. I assume I need to recompile the kernel and swap out the new if_bge.c file for the one included with the OS. Is that correct? I've looked briefly at docs and some how-to's but haven't seen any specific instructions. If anyone knows of some documentation for this, a pointer would be appreciated.

thanks again.

>> ifconfig output looks normal, dmesg provides:
>> ==
>> bge0 at pci4 dev 0 function 0 Broadcom BCM5754 rev 0x02, BCM5787 A2 (0xb002): irq 10, address 00:1a:a0:24:03:ef
>> brgphy0 at bge0 phy 1: BCM5787 10/100/1000baseT PHY, rev.0
>> ==
>> Pointers, etc. would be a big help. Thanks, --charlie
>>
>> -- Charles Farinella Appropriate Solutions, Inc. (www.AppropriateSolutions.com) [EMAIL PROTECTED] voice: 603.924.6079 fax: 603.924.8668

-- Charles Farinella Appropriate Solutions, Inc. (www.AppropriateSolutions.com) [EMAIL PROTECTED] voice: 603.924.6079 fax: 603.924.8668
Dell sc440 / broadcom bcm5754 nic
Our company has purchased 3 of these servers, and I would like very much to get the onboard nic working on at least one of them. I have installed OpenBSD 4.1 and it seems to recognize the interface correctly and use the correct driver ( bge ) for it, but it is not responsive. It will not connect to our network at all. Googling tells me some others have had the same problem, but I haven't found any solutions so far.

ifconfig output looks normal, dmesg provides:
==
bge0 at pci4 dev 0 function 0 Broadcom BCM5754 rev 0x02, BCM5787 A2 (0xb002): irq 10, address 00:1a:a0:24:03:ef
brgphy0 at bge0 phy 1: BCM5787 10/100/1000baseT PHY, rev.0
==

Pointers, etc. would be a big help. Thanks, --charlie

-- Charles Farinella Appropriate Solutions, Inc. (www.AppropriateSolutions.com) [EMAIL PROTECTED] voice: 603.924.6079 fax: 603.924.8668