Re: OnLogic Helix 330

2023-11-27 Thread Devin Reade
On Tue, 2023-11-28 at 11:29 +1100, Jonathan Gray wrote:

> STD_PHYID1  67C9
> STD_PHYID2  DC00
> 
> /sys/dev/mii/miivar.h
[...]

Thanks.

So it looks like the approach here is to add a gpyphy.c and
gpyphyreg.h file, and tie it in via miidevs, correct?

I don't understand files.mii but it looks like it's only had one
commit in the last nine years; is files.mii obsolete?  If not,
where do I find out more?



Re: OnLogic Helix 330

2023-11-27 Thread Devin Reade
On Mon, 2023-11-27 at 23:30 +, Stuart Henderson wrote:
> I don't know enough about it to go into detail, but these sort of
> symptoms are making me think of issues with the PHY driver rather
> than the nic driver.

Yeah, mostly at the moment I'm trying to understand the different
obsd network device layers.  It looks like ukphy is a fallback for
when a more specific PHY is not located, which means I'm likely looking
for the PHY detection code.  This part of the code base is new to
me ... 

Devin



Re: OnLogic Helix 330

2023-11-27 Thread Devin Reade
It took me a while to get to this, and I'm just starting to investigate,
but I figured I'd give an update.  Based on Stefan's comments, I wasn't
expecting things to work, but I figured I'd post what I have so far.
The behavior seems to be consistent between the 18 Nov and 24 Nov
snapshots; the dmesg for the latter is at the end of this post, as
well as the output of `ifconfig -a` and `pcidump -v 2>&1`; for the
latter, note the PCIOCGETVPD that shows up when dumping 0:29:1.

Summary:  Two dwqe devices show, but the behavior is inconsistent.
The first bit on Observations describes some of the inconsistency in
case it provides anyone with some insight.  After that, there's a short
discussion section, followed by pcidump and dmesg outputs.

Note that em0 is configured throughout (I'm mostly connecting via
ssh while watching console). Changes are made on dwqe only.  The
cabling to the dwqe ports was validated by observing
link status and media changes when the cabling was attached to em1.

=== Observations:

Once running snapshots, I initially configured the network for dwqe0.
It came up and I was able to ping hosts on the dwqe0 network, but
I noticed that carrier state seemed unpredictable.  I then deleted
hostname.dwqe0 and started trying to determine behavior based only on
ifconfig status and media values.   In short, things seem to be
quite unpredictable.  Some sample trials are shown, below:

Trial 1:  When neither dwqe device is configured, but dwqe0 is
plugged into a switch at boot (all expected behavior):

   a.  Initially status on dwqe0 is "active", dwqe1 is "no carrier".
   b.  Unplugging the cable results in both being "no carrier".
   c.  Plugging into dwqe1 changes dwqe1 to "active"
   d.  Changing cable to dwqe0 results in dwqe0 "active", and
   dwqe1 as "no carrier".

Trial 2:  When neither dwqe device is configured, and neither device is
plugged into a switch:

   a.  Initially at boot the carrier LEDs are dark (as expected).
   b.  ifconfig does not report a status line at all (media shows
   as autoselect/none)
   c.  Plugging dwqe0 into the switch fails to result in a change
   of status or media values, the link light doesn't show
   d.  Switching the cable from dwqe0 to dwqe1 exhibits the same
   behavior as (c)

Trial 3:  Similar sequence as Trial 1, except this time:
   a.  The link light of dwqe0 comes on at boot
   b.  Neither dwqe status value is shown, media is autoselect/none,
   similar to Trial 2
   c.  The link light stays on when dwqe0 is unplugged.

Trial 4:  Following trial 3, do a shutdown and manual power-off
(but leave the power connector attached):
   a.  The link light of dwqe0 stays on while the device is powered
   down, even if the cable is detached
   b.  Detaching power caused the link light to go off.  Waiting 20s
   and reapplying power resulted in the no-link-light case of
   Trial 2, other than the fact that the cable was still connected.

Trial 5:  I actually saw this one early on, when hostname.dwqe0 was
configured, and dwqe0 was plugged in during boot:
   a.  Network connection is alive as configured.
   b.  Detaching the cable causes dwqe0 to go "no carrier"
   c.  Reattaching the cable does NOT return the status to "active".
   This seems to be intermittent.

Trial 6:  I'm pretty sure I also saw a case where the cable was
plugged into dwqe0 after boot, the link light was initially off,
but eventually lit after a few _minutes_.  I wasn't recording enough
detail at that point to be sure, though.

=== Discussion

I'm just starting to wrap my head around the network device driver code.
I've read the EuroBSDCon 2017 paper, and am going through the various
*dwqe* files in CVS, as well as pcidevs*.  Other hints are welcome.

Stefan mentioned up-thread:
> At present we are only attaching dwqe to one of several possible MAC
> PCI IDs

I'm assuming this is referring to dwqe_pci_attach, which would imply
that the attach _does_ occur already since dmesg shows the two
Elkhart Lake Ethernets?

=== ifconfig -a (trimmed, dwqe0 currently connected to switch)

dwqe0: flags=8802 mtu 1500
lladdr 84:8b:cd:4d:b5:f6
index 3 priority 0 llprio 3
media: Ethernet autoselect (none)
dwqe1: flags=8802 mtu 1500
lladdr 84:8b:cd:4d:bc:36
index 4 priority 0 llprio 3
media: Ethernet autoselect (none)

=== pcidump -v

Domain /dev/pci0:
 0:0:0: Intel Elkhart Lake Host
0x0000: Vendor ID: 8086, Product ID: 453a
0x0004: Command: 0006, Status: 2090
0x0008: Class: 06 Bridge, Subclass: 00 Host,
Interface: 00, Revision: 01
0x000c: BIST: 00, Header Type: 00, Latency Timer: 00,
Cache Line Size: 00
0x0010: BAR empty ()
0x0014: BAR empty ()
0x0018: BAR empty ()
0x001c: BAR empty ()
0x0020: BAR empty ()
0x0024: BAR empty ()
0x0028: Cardbus CIS: 
 

OnLogic Helix 330

2023-11-07 Thread Devin Reade
(Returning after a long hiatus due to $DayJob$.)

I recently acquired an OnLogic Helix 330 (see [1] and [2]) and booted
the 7.4 install image via USB; no installation yet, no serial console
configured yet, no sharable dmesg yet.

I have the version with the four network interfaces, based on the
J6426.  Dropping to shell from the 7.4 install image, it looks like
only two of the four are detected, via em(4) as I210.  Interestingly,
it is the two on the add-on board rather than the two integrated
ports, based on the link status in ifconfig(8).

The underlying network hardware is a Maxlinear GPY115 per [3].

Booting into Debian 12, all four interfaces are detected.  It looks like
support for the GPY115 is relatively new there.

I intend to add support for these network interfaces but in the
event anyone already has this or related work in progress, please
drop me a line either here or privately.

Once I get a proper install in place, I'll submit the usual dmesg
output.

Devin

[1]: 
[2]: 
[3]: 




Re: spamd and network whitelisting

2016-12-19 Thread Devin Reade

You might also want to look at bgp-spamd.

With respect to dealing with SPF, the simple solution (permitting an
IP if it is on the sending domain's SPF list) doesn't work too well
in the general case since it appears many spammers publish SPF records.

However what I found works well, at least for some low-volume domains,
is to identify the subset of domains for which I would like to honour
the SPF records and automatically whitelist them.

I wrote a little perl script, available as:
  
The script takes a set of whitelisted domains and queries the DNS to
build up the matching set of whitelisted IPs.  It then puts these into
a file that can be loaded as a pf table.  This permits pf to bypass
spamd for these whitelisted domains.  There is extra usage information
(and a description of current limitations) in comments at the top of
the script.

This does require one to reload the pf configuration, however (due to
paranoia) the current version of the script doesn't do that. Instead,
it mails root if something has changed that would require the
configuration to be updated.  Experience shows that this doesn't trip
very often.

I invoke the script from daily.local as something like:

  /usr/local/sbin/gen-spf-whitelist \
  example.com \
  example.tld \
  something.else.net \
  (...)

I qualified the above by mentioning I was using it on some low-volume
domains because the current mechanism probably doesn't scale well
with respect to maintaining the list of domains.  It could probably
benefit from a couple of substantive changes:

- permit the whitelisted IPs to be updated without needing to have pf reload
 its rules.  This implies updating the pf table directly, in a manner
 similar to what is used for bgp-spamd.

- be able to tie in with a client management system that permits users
 to request domains to be whitelisted (only SPF-publishing domains could
 be whitelisted this way using this mechanism).

Potential candidate domains for inclusion will be obvious.  If you
'grep GREY /var/log/daemon', the most likely potential candidates are
those where you will see multiple delivery attempts from the same domain
to the same recipient but where the originating IPs differ (although
likely in the same net block).

Devin
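As an added illustration of the resolution step described above (this is not Devin's gen-spf-whitelist Perl script, which is linked earlier in the post), here is a Python version that expands a domain's SPF ip4/ip6/include/redirect terms into a set of networks and formats them as pf table entries. DNS is replaced by constructed TXT records in lookup_txt so it runs offline; the include-loop and lookup-limit guards, and the warnings for records that pass `all` or use mechanisms needing further lookups, are the checks such a generator needs before its output is trusted as a spamd bypass list.

```python
import ipaddress

# Constructed sample DNS data (domain -> TXT strings) standing in for real
# lookups so the example runs offline; a live version would query TXT records.
SAMPLE_TXT = {
    "example.com":      ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    "_spf.example.net": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "redir.example":    ["v=spf1 redirect=example.com"],
    "loop.example":     ["v=spf1 include:loop.example -all"],
    "nospf.example":    ["some unrelated TXT record"],
}

# RFC 7208 caps DNS-querying terms at 10 per evaluation; counting every record
# fetched keeps a long or hostile include chain from walking the DNS forever.
MAX_LOOKUPS = 10


def lookup_txt(name):
    """Stub resolver over the constructed data; swap in a real TXT query."""
    return SAMPLE_TXT.get(name.lower().rstrip("."), [])


def spf_record(name):
    """Return the domain's single SPF record, or None if absent or ambiguous."""
    recs = [t for t in lookup_txt(name)
            if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def spf_networks(domain):
    """Expand a domain's SPF into (set of ip_network, list of warnings).

    Only ip4/ip6/include/redirect are expanded; a/mx/ptr/exists would need
    further lookups and are reported instead of being silently dropped."""
    nets, warnings = set(), []
    _walk(domain, nets, warnings, {"lookups": 0, "seen": set()})
    return nets, warnings


def _walk(domain, nets, warnings, state):
    domain = domain.lower().rstrip(".")
    if domain in state["seen"]:
        warnings.append(f"{domain}: include/redirect loop ignored")
        return
    state["seen"].add(domain)
    state["lookups"] += 1
    if state["lookups"] > MAX_LOOKUPS:
        warnings.append(f"{domain}: lookup limit exceeded, skipped")
        return
    rec = spf_record(domain)
    if rec is None:
        warnings.append(f"{domain}: no single valid SPF record")
        return
    redirect = None
    for term in rec.split()[1:]:
        qual = ""
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        if qual in ("-", "~"):
            continue        # fail/softfail terms name non-senders; never whitelist
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        if "=" in term:
            continue        # other modifiers (exp= ...) carry no addresses
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6") and arg:
            try:
                nets.add(ipaddress.ip_network(arg, strict=False))
            except ValueError:
                warnings.append(f"{domain}: bad {mech} value {arg!r}")
        elif mech == "include" and arg:
            _walk(arg, nets, warnings, state)
        elif mech == "all":
            if qual != "?":
                warnings.append(f"{domain}: passes 'all'; nothing to whitelist")
        else:
            warnings.append(f"{domain}: mechanism {term!r} not expanded")
    if redirect:
        _walk(redirect, nets, warnings, state)


def pf_table_lines(nets):
    """Collapse overlapping networks into one pf table entry per line."""
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in v4] + [str(n) for n in v6]


def build_whitelist(domains):
    """Resolve every domain; return (pf table lines, warnings to mail root)."""
    all_nets, all_warnings = set(), []
    for d in domains:
        nets, warns = spf_networks(d)
        all_nets |= nets
        all_warnings += warns
    return pf_table_lines(all_nets), all_warnings
```

Writing the returned lines to the table file and mailing the warnings to root mirrors the script's "notify, don't reload" behaviour described above.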



for those needing narrow SCSI disks

2016-09-04 Thread Devin Reade

For those people needing narrow SCSI disks to keep old hardware
going, I happened to see this page the other day:
  

They appear to be newer SSD and spinning rust packaged in a 3.5"
form factor with a narrow SCSI interface.  I have no idea as to
the quality or cost, although I would expect the per-unit cost to
be higher than modern drives due to (lack of) economies of scale.

Devin



Re: Random delay on incoming SMTP connection to OpenSMTPD

2016-06-10 Thread Devin Reade
--On Friday, June 10, 2016 09:04:07 PM + ML mail  
wrote:

> Well right now I have max-children on 50, so you mean lowering this value
> to something like 10?  But then if I receive 20 simultaneous incoming SMTP
> connections, what will happen to the 10 others? Will they fail/timeout or
> simply wait?


You're going to have to check the spamassassin docs because I don't
recall offhand.  Or test empirically.  The idea, if you've got too
many simultaneous scans going on, is to reduce the number of scans
to something your machine can handle without tuning it so low that
mail starts getting rejected.

I use MailScanner as part of the mix so during bursts messages get
accepted into a disk queue and then scanned at a reasonable rate.  As long
as the average scan rate exceeds the average receive rate, everything
is fine.  What you're going to have to check, though, is if spamassassin
will queue things when it gets busy or if it just doesn't accept the
connection.

If you tune things down and can't find a workable midpoint between
rejecting too much and thrashing your machine, it argues that you either
need a beefier machine or less processing per message.

Either way, trying random delays in smtpd doesn't feel like the right
answer.

Devin



Re: Random delay on incoming SMTP connection to OpenSMTPD

2016-06-10 Thread Devin Reade
Seems like the wrong solution. How about altering spamassassin's max-children
parameter instead?



Re: what would break arp on carp?

2016-04-03 Thread Devin Reade
--On Monday, April 04, 2016 12:26:06 AM +0300 Mihai Popescu 
 wrote:



>> However, if carp IS in use, I can see the upstream router do the arp
>> request, followed by the firewall arp reply (with the carp MAC),
>
> Is it the 'carp MAC' the MAC of vr2?


No.  It is the lladdr shown in a `ifconfig carp2`, which would be
00:00:5e:00:01:03.  The lladdr of vr2 (the underlying carpdev) is
different.


>> however the upstream router seems to ignore the answer and does
>> continuous arp requests.
>
> Maybe that router is not receiving the arp response. Why would someone
> ignore an ARP message?


Indeed.  It's not clear why the arp replies are honoured in the non-carp
case but not in the carp case.

Devin



what would break arp on carp?

2016-04-03 Thread Devin Reade

I have an OpenBSD 5.8 stable carp setup where one of my upstream links
is serviced by a cable provider, a static IP is assigned, and I would
normally have no IP assigned to the carpdev:

# cat hostname.vr2
up
# cat hostname.carp2
inet aa.bb.cc.dd 255.255.255.248 NONE vhid 3 pass somepass
!/sbin/route -qn add -host -mpath default aa.bb.cc.ee

This has worked for a few years.  This past week, there was an equipment
change for the upstream router of that link, judging by the change in the
MAC of the gateway IP (aa.bb.cc.ee).

Since that change, that network segment hasn't been able to take any
carp-based traffic.  If I shut down one of the firewalls and revert that
link on the remaining firewall to a non-carp link, then the traffic is
handled normally.

After some splunking (by using a hub on the upstream segment and sniffing
with tcpdump from another host with a static IP on the same segment) what
I can see is that when carp is NOT in use, the upstream router will do
the usual arp request and the firewall will do an arp reply with the MAC
of vr2, and everything is fine.

However, if carp IS in use, I can see the upstream router do the arp
request, followed by the firewall arp reply (with the carp MAC), however
the upstream router seems to ignore the answer and does continuous arp
requests.

I suspect that the fix for this is out of my control (since it seems
to be the upstream that is having problems), but I'm trying to understand
what would cause it.  Any thoughts?

I figured that the upstream might be blacklisting VRRP MACs, so I tried
assigning a non-VRRP MAC via lladdr in hostname.carp2, but that had no
effect on the outcome.  I also tried using a high-numbered vhid in case
vhid 3 was causing a conflict.

The cable company's troubleshooting procedure includes rebooting the
cable modem on MAC changes (presumably to clear the ARP cache), so that
was done on each configuration change.  A clear cache is confirmed in
that the original arp request from the upstream is sent to the ethernet
broadcast address.

Clues welcome.

Devin



Re: libc issues on last snapshot

2016-03-22 Thread Devin Reade
On Mar 22, 2016, at 05:51, Mihai Popescu  wrote:

>> Is there any verification of the contents of the tar balls being done?
> 
> I don't know about you, but I don't feel like have balls verified.

You only have to worry if they're covered in tar. 



OpenSSL changes coming Tuesday

2016-02-25 Thread Devin Reade

Operators:

Apparently there are high severity security patches coming for OpenSSL on
Tuesday 01 Mar 2015:



I have no idea if/how this affects LibreSSL, and we can't necessarily expect
info from those in the know until then.  So keep your calendar open.

Devin



Re: Industrial use of line printers, does/would your company/organization use them with our lpd?

2016-02-21 Thread Devin Reade
--On Wednesday, February 17, 2016 11:49:30 AM -0600 Chris Bennett
 wrote:

> I do see that lpc, lpq, lprm are dinosaurs and have to be made extinct
> and replaced with something more functional with more information output
> and better capabilities.

Whatever changes may happen under the hood, I would like to see
at least the basic operations of lpr, lpq, and lprm remain available
under those names, using the existing syntax.  I'm no fan of CUPS, but I 
get by with it on linux because of the lpr compatibility shim.

Devin



Re: anyone using msk(4) NICs?

2016-01-11 Thread Devin Reade
--On Monday, January 11, 2016 12:38:51 PM -0800 Chris Cappuccio
 wrote:

> I wouldn't just assume the problem is hardware. In fact, you should
> provide a dmesg, trace, etc.

It's already reported in bugs@, so I figured it would be redundant
here.  See:

  

The followup on this list was mainly to confirm my suspicion that, as you
put it,
"it's not an incredibly popular [NIC]".

Thanks,
Devin



anyone using msk(4) NICs?

2016-01-09 Thread Devin Reade

I reported a problem on the bugs@ list in that I have a machine that
panics if the msk(4) interface is used, but works fine with an em(4)
interface.

There is a possibility that I have bad hardware as I've been able to
replicate this on 5.9 beta, 5.8 release, and now 5.7 release.  I find
it unlikely that msk(4) has been broken that long.

Is anyone running a machine using the msk NIC, for any of those
versions of OpenBSD?  If so and you can send traffic over your
msk for more than a few minutes without causing a panic, I'll treat
it as dead hardware and move along.

For that matter if you have msk running successfully on an earlier
version of OpenBSD, let me know what version and I can test against it.

Thanks,
Devin



restrictions for kernel interrupt context

2015-12-15 Thread Devin Reade

The usbd_open_pipe_intr(9) man page discusses the usbd_callback type and
the usbd_transfer(9) man page mentions the associated interrupt context in
which (presumably) that callback executes.

Are there any particular restrictions that apply while running from within
that interrupt context?

In particular, I'm wondering if it's safe to invoke add_true_randomness(9)
from within that interrupt context.

In addition to the specific answer, pointers to docs/references are welcome.

Devin



Re: authentication infra structure

2015-12-09 Thread Devin Reade
--On Wednesday, December 09, 2015 05:25:14 PM -0200 Friedrich Locke
 wrote:

> If you had about 10k users and 5k machine how would you manage
> authenticating issues? Keep in mind that this is a very heterogeneous
> environment with ldap, ftp, smtp, pop3, traditional unix boxes etc 

You've already got the key to that solution (LDAP).  Do you mean
things like provisioning and credential management?  I've not used it,
but you might want to look at FreeIPA.  Although it uses KDC at the
core, IIRC you can have LDAP-only clients authenticate to it.

Once you have the core, then you need to look at the service-specific
docs (your ftp server, MDA, etc) as to how to wire them into LDAP.

Of course, with that many machines I hope you're already using some
kind of automated provisioning for at least configuration (puppet,
cfengine, etc).

Devin



Re: A branded USB stick as an alternative to the CD set?

2015-11-30 Thread Devin Reade

I suspect the answer is that this falls into the category of too
expensive/distracting to bother, based on the overall benefit.

I find that having a DVD reader/writer in an external USB-connected
enclosure works well for optical-diskless machines.

Devin



Re: state of SSD by OpenBSD

2015-11-13 Thread Devin Reade
--On Thursday, November 12, 2015 10:13:34 PM -0500 Nick Holland
 wrote:

> And if you deploy a lot of SSDs, [...]  Some models are good,
> some are crap, you can't say which is which until after they are out of
> production.

In other words, the same as with mechanicals.  At any given time, the
"best" manufacturer of two years prior is shit today and vice versa.
Hope for the best and plan for failure ...

<* peers over at the case of narrow SCSI drives sitting on the spare
   parts shelf and wonders if they'll still spin up; they probably will *>

Devin



Re: Exposing the rc(8) constructed pf ruleset, some patches

2015-10-20 Thread Devin Reade
> On Oct 19, 2015, at 18:26, Karl O. Pinc  wrote:

> But if you write DNS names into your pf.conf
> file then step 2 can be eliminated.  All
> that's required is to reload the rules.
>
> Eliminating an extra editing step reduces
> error.

Unless of course your DNS is on your LAN and after a major power outage
everything is trying to cold boot at once, and now your pf rules won't resolve
because no DNS is available.

Network services should form a DAG, and your firewall should be near the root
of the graph.  Of course, so should DNS. Be sure of what you have and that
it's deterministic and properly ordered, or you will get bitten in the middle
of your vacation (Murphy's Law and all ...)

Devin



Re: Linux crypt(3)

2015-10-17 Thread Devin Reade
> On Oct 17, 2015, at 04:31, Adam Wysocki  wrote:
>
> Hi misc,
>
> I'm migrating one of my servers from Linux to OpenBSD and I need a method
> to authenticate users based on passwords treated with Linux crypt()
> function. Passwords are encrypted with salted DES, without glibc2
> extensions. For example:
>
> $ htpasswd -nbd test test
> test:MbfD9Vq5SL5aE

As you're looking into solutions, make sure you're looking at the right
problem. Your text sounds like you're migrating system account passwords, but
htpasswd is usually used for web server credentials. I've not seen a Linux
system use traditional crypt in quite a few years; they're usually salted MD5
hashes.

Devin



Re: Passwd cipher for YP

2015-10-14 Thread Devin Reade
--On Wednesday, October 14, 2015 08:51:06 AM -0600 Theo de Raadt 
 wrote:



>> Do you have any other tips on how to handle logins in a mixed OS YP
>> network?
>
> These days, I would recommend using YP in fewer places.  I wrote the
> code, but even I don't use it.  Each time I make changes that need testing
> in a YP environment, my test group has shrunk again...


I suspect that the best bet for general interop will be an LDAP-based
infrastructure.  You may need to verify that all OSes can use a
common subset of a valid schema, as well as probably needing a minimal
PKI for SSL. If NFS is in the picture, watch for NFS version compatibility
and username mapping idiosyncrasies (search for idmapd).

Devin



Re: OpenBSD Home Server: Hints and Advices

2015-09-29 Thread Devin Reade
--On Tuesday, September 29, 2015 01:14:39 PM +0200 Benny Lofgren 
 wrote:



> However, even with mirrored drives, IT IS NOT A BACKUP. What if there is
> a fire? What if someone burglars your house and steals the server? What
> if someone accidentally knocks it over and all disks in it are damaged
> by G-force overload? As Stuart says, mirroring is redundancy for
> OPERATION, not for backup. In other words, if your system is mirrored
> your server won't go offline if one disk dies on you, but will give you
> time to replace the drive and re-mirror it before the other one goes too.
>
> If you want to set up a combined home server/backup solution, it would
> in fact be better *not* to mirror your two drives, but to use one for
> your server needs and the other for backing up what's on the first.


To the OP, while most of the advice on this thread has been good, I'd
be careful of that one.  *Keep* your drives in a mirrored configuration
and have *additional* disks for backup purposes.

Over the years, even with buying what appeared to be the most robust
commodity drives available at any given time, I've had far more instances
of failed drives than having to restore from backup due to accidental
deletion, etc.  But because those disks have always been part of a
redundant RAID configuration, all a bad disk means is a few minutes
to replace the faulty disk and then the server is back in operation
without any loss. (Of course, it may take a large number of hours after
that for the resilvering to complete, depending on disk size and
RAID type, but the server is operational in the interim.)

Yes, the additional disks cost more but in the scheme of things disks
are cheap and this should be part of your initial budget.


> THEN look at a backup solution, too. One with geographical redundancy,
> which is absolutely crucial. That is, somewhere else but in your home.
>
> But don't just do one without the other, because it WILL make you sorry
> in the end.


Absolutely correct.

Deciding how to do backups is always a question of balancing things,
including but not limited to:
 - if the worst happens, how much data can you afford to lose?  A day?
   A week?  A month?  (You can take the answer to be less than a day,
   right down to "none", but you're talking about progressively more
   complex and expensive.  Even large corporations don't use "none"
   for most of their data, if any.)
 - cost of disks
 - availability / cost of network bandwidth
 - level of automation (the less automation, the more disciplined
   you need to be in keeping backups current)

Let's say you low-ball this.  Assume that if something bad happens, you're
willing to live with losing everything you did in the last month, and
if there was something you deleted by accident more than two months ago
you're willing to say it's gone forever.  Let's also assume that the amount
of data that you're backing up is not more than the size of the largest
hard drive you can currently buy.  In that case, the ABSOLUTE MINIMUM
you're looking at for backups is four disks:

  - Disks 1 and 2 are in a mirrored RAID in your file server

  - Disks 3 and 4 are for backups

  - Each month, take a snapshot of what is on your fileserver.  The
    first month it goes to disk 3 (bonus points for encrypting
    disk 3).  As soon as your backup is complete, take disk 3 off-site
    (such as to your office, to a safety deposit box, etc.  Note that
    smaller safety deposit boxes may be too small for 3.5" drives).
    Ideally your off-site is far enough away so that when the
    tornado hits your house while everyone is away at work/school,
    that your offsite isn't destroyed as well.  This becomes more
    difficult if you're in an earthquake zone.

  - The second month you repeat the process with disk 4, *before*
    moving disk 3.  When your backup to disk 4 is complete, take it
    offsite and bring disk 3 back, ready to use for next month.  If
    you find that you have to recover something from disk 4 during
    the next month, return disk 3 to the offsite location before you
    bring back disk 4.

  - Periodically do a test recovery of some of your files (into a
    temporary directory) to ensure that the backups are actually
    usable.  The first time you do this should be after your first-ever
    backup.

This takes discipline; you need to remember to do this on a regular
basis, or at some point you'll find that your only available backup
is three years old and you've lost precious pictures of your kids'
early years.

Probably your best tools for doing this basic level are dump(8) and
restore(8), using a level zero dump.  Read the man pages.  Bonus points
for scripting them so that you get the correct invocation every time.

Remember, that's the MINIMUM strategy.  Doing a web search for "data backup
strategies" will give you more background information.  Some links
that (with a quick skim) seem to provide a reasonable background are:



Re: OpenBSD Home Server: Hints and Advices

2015-09-29 Thread Devin Reade
--On Tuesday, September 29, 2015 11:38:00 AM -0600 Devin Reade 
<g...@gno.org> wrote:



> To the OP, while most of the advice on this thread has been good, I'd
> be careful of that one.  *Keep* your drives in a mirrored configuration
> and have *additional* disks for backup purposes.


Just to clarify, I was referring specifically to the comment about
not using mirroring; I didn't trim quite enough quoting in my original
response.

The other thing I forgot to mention is replacing failed drives from
a mirrored RAID works a lot better if you've got a daemon monitoring
the SMART attributes.

Devin



Re: Making IPv6 NAT prefer privacy address

2015-09-24 Thread Devin Reade
> On Sep 24, 2015, at 07:49, Giancarlo Razzolini  wrote:
> 
> Em 24-09-2015 08:36, Stuart Henderson escreveu:
>> What is the purpose of IPv6? The main purpose that I see is "ability to
>> continue getting internet addresses after v4 runout". (If it had been left
>> at that and didn't change a bunch of other things at the same time, perhaps
>> more people would be using it already).
> 
> This sure is the purpose now. Short term. But one of the main reasons
> the address space is so large, is for every connected device be
> accessible from every other.

Another consideration that has entered the picture since that idea came out, 
though, is how much easier it will be in the non-NAT world for advertisers or 
whomever to track individuals' behaviour. Not everyone likes that. 



Re: Soekris 4501 and OpenBSd 5.7

2015-09-16 Thread Devin Reade
> On Sep 16, 2015, at 00:40, Markus Rosjat  wrote:
> 
> Hi there,
> 
> just a simple question, is it possible to install a 5.7 on a soekris 4501? 

I don't know about the 4501, but the 5501 works fine. Any chance you grabbed 
the 64 bit image by mistake?

Devin



Re: Recommended Industrial PCs?

2015-08-26 Thread Devin Reade
--On Wednesday, August 26, 2015 09:11:22 PM +0200 Martin Haufschild
martin.haufsch...@uni-rostock.de wrote:

> can someone recommend me an Industrial PC (IPC) to use with OpenBSD? I
> would like to have a lot of hardware supported from this IPC by OpenBSD.

Lanners are solid: http://www.lannerinc.com/

Caveat: I've not used graphics on them; only text mode.  The graphics
may be fine but I can't attest to it.

Devin



Re: Starting isc_named earlier

2015-08-24 Thread Devin Reade
--On Monday, August 24, 2015 12:27:06 AM + Stuart Henderson 
s...@spacehopper.org wrote:



> Having NFS rely on DNS is not ideal. I don't see why dhcpd would
> need DNS to run at all?


If you have a 'fixed-address' definition in a 'host' block, and
the fixed-address uses a FQDN rather than an IP, you will have
problems booting the DHCP server if no DNS server is reachable.
IIRC, the DHCP daemon will fail to start and as a consequence
the server takes a lot longer to come up.

This burned me in the past after cold restart of everything on the
network, where the internal DNS servers come up slower than the
DHCP server.

A solution of course is to use an IP in the fixed-address definition.

Devin



weird carp failover behavior

2015-08-19 Thread Devin Reade

I'm trying to understand an odd behavior during carp failover
where one uplink goes numb until the demarc equipment is power
cycled.

Consider the following:

  ISP1-demarc ISP2-demarc
       |          |
   SW1 (Net1) SW2 (Net2) --- C
       |\        /|
       | \      / |
       |  \    /  |
       |   \  /   |
       |    \/    |
       |    /\    |
       |   /  \   |
       |  /    \  |
       | /      \ |
       |/        \|
     FW-A ------ FW-B
       |\        /|
       | \      / |
       |  \    /  |
       |   \  /   |
       |    \/    |
       |    /\    |
       |   /  \   |
       |  /    \  |
       | /      \ |
       |/        \|
   SW3 (Net3) SW4 (Net4)
    (no NAT)    (NAT)
                  |
                  H4

ISP1-demarc and ISP2-demarc are the respective ISP's equipment (outside
of my control, other than power cycling them).  SWn are all unmanaged
switches.

FW-A, FW-B, and C are all OpenBSD boxes.  FW-A and FW-B, in particular,
are running 5.7-STABLE in a master/slave carp configuration.  Things
are set up so that traffic to/from Net3 is sent via ISP1 (no NAT) and
traffic to/from Net4 is sent via ISP2 (using NAT on FW-A and FW-B).
H4 is a host sitting on Net4 in private address space.

Static IPs are used throughout, including on both the SW1 and SW2
subnets.  FW-n are routers, not bridges.  Pfsync is running via
a crossover cable between FW-A and FW-B.

Behavior:

In normal operations everything works as expected.  During a carp
failover, everything for Net3 via ISP1 also works as expected.
However, during a failover I lose connectivity on Net4, in a qualified
manner (see below) until ISP2-demarc is power cycled.

The obvious first answer is that ISP2-demarc (which is a Motorola
cable modem) probably has a limited number of MAC slots available
to it.  However, that doesn't seem quite right.  More details ...

Before failover, I set up a 'ping -n' running on H4 and going to
a host elsewhere on the Internet (call it EXT).  I also set up
a 'ping -n' on C going to the carp IP of FW-A and FW-B on Net2
(lets call that Carp2).

Now comes the weird part.  If I shut down the master, FW-A, I see
the following:

 1. the running pings from C to Carp2 continue to work until ^C
 2. the running pings from H4 to EXT continue to work until ^C
 3. a concurrent newly created ping from C to Carp2 fails
 4. a concurrent newly created ping from H4 to EXT fails
 5. all other outbound traffic from Net4 fails (this is just
    a generalization of (4)).

If I power cycle ISP2-demarc, sanity returns.  That is, until
FW-A comes back up and FW-B is demoted again.  Then I get the same
type of failures until ISP2-demarc is power cycled again.

Power cycling switch SW2 instead of ISP2-demarc does not affect the
outcome.

Ok, so how about the MACs?  On Net2 we have the following MACs:

 - ISP2-demarc-mac (on ISP2-demarc)
 - C-mac (on C)
 - FW-A-mac (physical MAC on FW-A)
 - FW-B-mac (physical MAC on FW-B)
 - Carp2-mac (the virtual MAC used by Carp2, which I've verified
   to be the same for both FW-A and FW-B when they are respectively
   running as master.)

One wart here, and a difference between Net1 and Net2, is that on
Net1 both firewalls have their own IPs in addition to the Carp1
IP.  However, on Net2 both firewalls' hostname.if files contain
only the 'up' keyword; no IP is used on that network until the
machine becomes the carp master.

So that means that when H4 is pinging EXT, the pings are being
NAT'd to use the Carp1 IP.  Therefore I wouldn't expect a failover
to cause the modem's MAC slots to overflow.

But the *really* weird part is what is happening with C; why would
C not be able to ping Carp1 until ISP2-demarc is power-cycled, especially
with SW2 isolating the latter from Carp1 and C?

And the story with C gets better.  If I set up a tcpdump on FW-B's Net2
interface, I see the following sequence of events:

 - before killing FW-A, I see arp requests and CARPv2 advertisements
   from FW-A (based on the skew), and that's about it (as expected)
 - upon shutting down FW-A, I see a CARPv2 packet from FW-B, and then
   start seeing the ping request/reply pairs coming in from C (as expected)
 - upon killing and restarting C's ping to Carp2, I no longer see the
   response on C, but I'm seeing both the request and response in FW-B's
   tcpdump.  On C, I see only the echo response. (NOT expected)

Does this last bit point the finger at SW2 being the culprit (perhaps
not routing packets to the appropriate NIC port), even though power
cycling SW2 isn't sufficient to fix the problem?

Any other thoughts?

Devin
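The tcpdump comparison described in the post above can be done mechanically rather than by eye. The following is an added example, not code from the original thread: it indexes ICMP echo requests and replies by (id, seq) at two capture points, the firewall's interface facing the pinging host (FW-B's Net2 side) and the pinging host itself (C), and reports for each echo where the packet went missing. The capture lines are constructed in the common `tcpdump -n` text format; the addresses are RFC 5737 documentation space standing in for Carp2 (192.0.2.1) and host C (192.0.2.20), and the finding strings are my own wording.

```python
import re
from collections import defaultdict

# Constructed capture lines in tcpdump -n text format (not the poster's real
# captures). The ARP line shows that non-echo traffic is simply skipped.
FWB_NET2_CAPTURE = """\
12:00:00.500000 ARP, Request who-has 192.0.2.1 tell 192.0.2.20, length 46
12:00:01.000100 IP 192.0.2.20 > 192.0.2.1: ICMP echo request, id 4321, seq 1, length 64
12:00:01.000300 IP 192.0.2.1 > 192.0.2.20: ICMP echo reply, id 4321, seq 1, length 64
12:00:02.000100 IP 192.0.2.20 > 192.0.2.1: ICMP echo request, id 4321, seq 2, length 64
12:00:02.000300 IP 192.0.2.1 > 192.0.2.20: ICMP echo reply, id 4321, seq 2, length 64
"""

# Constructed capture taken on the pinging host at the same time: it sees its
# own requests leave but never sees a reply come back.
HOST_C_CAPTURE = """\
12:00:01.000050 IP 192.0.2.20 > 192.0.2.1: ICMP echo request, id 4321, seq 1, length 64
12:00:02.000050 IP 192.0.2.20 > 192.0.2.1: ICMP echo request, id 4321, seq 2, length 64
"""

ECHO_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_echo(capture):
    """Index a capture by (id, seq) -> {'request': ts or None, 'reply': ts or None}."""
    seen = defaultdict(lambda: {"request": None, "reply": None})
    for line in capture.splitlines():
        m = ECHO_RE.match(line.strip())
        if m is None:
            continue  # ARP, CARP advertisements and anything else are not paired
        seen[(int(m["id"]), int(m["seq"]))][m["kind"]] = m["ts"]
    return dict(seen)


def compare_points(firewall_capture, host_capture):
    """Return [((id, seq), finding), ...] for every echo without a full round trip.

    firewall_capture: tcpdump on the firewall interface facing the host.
    host_capture:     tcpdump on the host that is running the ping.
    The order of the checks follows the packet: request out of the host,
    request into the firewall, reply out of the firewall, reply into the host.
    """
    fw = parse_echo(firewall_capture)
    host = parse_echo(host_capture)
    empty = {"request": None, "reply": None}
    findings = []
    for key in sorted(set(fw) | set(host)):
        f, h = fw.get(key, empty), host.get(key, empty)
        if h["request"] and not f["request"]:
            findings.append((key, "request left host but never reached firewall"))
        elif f["request"] and not f["reply"]:
            findings.append((key, "firewall saw request but answered nothing"))
        elif f["reply"] and not h["reply"]:
            findings.append((key, "reply left firewall but never reached host"))
    return findings


def main():
    for (echo_id, seq), finding in compare_points(FWB_NET2_CAPTURE, HOST_C_CAPTURE):
        print("id=%d seq=%d: %s" % (echo_id, seq, finding))


if __name__ == "__main__":
    main()
```

Feed it `tcpdump -n -i <interface> icmp` output captured on both machines over the same interval. When every finding reads "reply left firewall but never reached host", the reply was handed to the wire by the firewall's driver, which puts the loss on the layer-2 path between the two (switch, cabling) or in the host's own filtering, and clears the firewall's rules and NAT of blame for that direction.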



dmesg: OneRNG hardware RNG plugged into Soekris 5501

2015-08-19 Thread Devin Reade

I've got one of the early units from http://onerng.info, intended
for providing input data to /dev/random.  They currently have
support for Linux via a simple command set to the device.
(See the shell scripts in the tarball listed at 
http://onerng.info/onerng.)


I figured I'd plug this into a Soekris 5501 running 5.7-STABLE and
see what turned up.

It looks like it attaches as /dev/cuaU0, but I've not been able
to talk to it yet.  I briefly tried 'cu -l cuaU0 -9600' but couldn't
get a response.  I can cat some commands to it per the site's shell
scripts, but can't retrieve any data from it via dd.

For your viewing pleasure.

===
usbdevs -dv is below.
===

Controller /dev/usb0:
[...]
Controller /dev/usb1:
addr 1: full speed, self powered, config 1, OHCI root hub(0x), AMD(0x1022), rev 1.00
 uhub1
 port 1 addr 2: full speed, power 200 mA, config 1, 00(0x6086), Moonbase Otago http://www.moonbaseotago.com/random(0x1d50), rev 0.09, iSerialNumber 00
  umodem0
port 2 powered
port 3 powered
port 4 powered

===
dmesg is below.  The device was inserted right at the end after the
system was fully running
===

OpenBSD 5.7 (GENERIC) #0: Wed Aug 19 00:46:25 MDT 2015
   r...@defender.gno.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS (AuthenticAMD 586-class) 500 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
real mem  = 536363008 (511MB)
avail mem = 515227648 (491MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 20/80/26, BIOS32 rev. 0 @ 0xfac40
pcibios0 at bios0: rev 2.0 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc8000/0xa800
cpu0 at mainbus0: (uniprocessor)
mtrr: K6-family MTRR support (2 registers)
amdmsr0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
0:20:0: io address conflict 0x6100/0x100
0:20:0: io address conflict 0x6200/0x200
pchb0 at pci0 dev 1 function 0 AMD Geode LX rev 0x33
glxsb0 at pci0 dev 1 function 2 AMD Geode LX Crypto rev 0x00: RNG AES
vr0 at pci0 dev 6 function 0 VIA VT6105M RhineIII rev 0x96: irq 11, address 00:00:24:cb:a8:cc
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr1 at pci0 dev 7 function 0 VIA VT6105M RhineIII rev 0x96: irq 5, address 00:00:24:cb:a8:cd
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr2 at pci0 dev 8 function 0 VIA VT6105M RhineIII rev 0x96: irq 9, address 00:00:24:cb:a8:ce
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr3 at pci0 dev 9 function 0 VIA VT6105M RhineIII rev 0x96: irq 12, address 00:00:24:cb:a8:cf
ukphy3 at vr3 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
ppb0 at pci0 dev 14 function 0 TI PCI2250 rev 0x02
pci1 at ppb0 bus 1
sis0 at pci1 dev 0 function 0 NS DP83815 10/100 rev 0x00, DP83816A: irq 10, address 00:00:24:cc:ce:54
nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
sis1 at pci1 dev 1 function 0 NS DP83815 10/100 rev 0x00, DP83816A: irq 7, address 00:00:24:cc:ce:55
nsphyter1 at sis1 phy 0: DP83815 10/100 PHY, rev. 1
glxpcib0 at pci0 dev 20 function 0 AMD CS5536 ISA rev 0x03: rev 3, 32-bit 3579545Hz timer, watchdog, gpio, i2c
gpio0 at glxpcib0: 32 pins
iic0 at glxpcib0
pciide0 at pci0 dev 20 function 2 AMD CS5536 IDE rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: SanDisk SDCFH-008G
wd0: 1-sector PIO, LBA48, 7629MB, 15625216 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 21 function 0 AMD CS5536 USB rev 0x02: irq 15, version 1.0, legacy support
ehci0 at pci0 dev 21 function 1 AMD CS5536 USB rev 0x02: irq 15
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 AMD EHCI root hub rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
nsclpcsio0 at isa0 port 0x2e/2: NSC PC87366 rev 9: GPIO VLM TMS
gpio1 at nsclpcsio0: 29 pins
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 AMD OHCI root hub rev 1.00/1.00 addr 1
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
root on wd0a (27ad36c1798f64a1.a) swap on wd0b dump 
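Whatever finally comes out of the device, it is worth looking at the bytes before trusting them as input to /dev/random. The block below is an added example, not code from the post or from the OneRNG project: it opens a tty raw at 8N1 and reads whatever the device emits, then applies the two cheapest sanity checks (Shannon entropy per byte and a chi-square distance from a flat byte histogram). The device path /dev/cuaU0 and the 9600 baud rate are taken from the post as assumptions; the OneRNG command set is not reproduced here, so `read_serial()` reads only what the device sends unprompted. The two sample buffers are constructed so the statistics can be run offline.

```python
import math
import os
from collections import Counter


def byte_stats(data):
    """Shannon entropy in bits per byte plus chi-square against a flat
    256-bin histogram; both are cheap first checks on raw RNG output."""
    n = len(data)
    if n == 0:
        raise ValueError("no data to examine")
    counts = Counter(data)
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    expected = n / 256.0
    chi_square = sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))
    return {"bytes": n, "entropy": entropy, "chi_square": chi_square, "distinct": len(counts)}


def looks_random(data, min_bytes=2560, min_entropy=7.9, max_chi_square=323.0):
    """Coarse gate only. With 255 degrees of freedom chi-square has mean 255 and
    standard deviation sqrt(510), about 22.6, so 323 is roughly three sigma above
    the mean; min_bytes keeps every bin's expected count at 10 or more so the
    statistic means something. A real evaluation uses a proper test suite."""
    if len(data) < min_bytes:
        return False
    s = byte_stats(data)
    return s["entropy"] >= min_entropy and s["chi_square"] <= max_chi_square


def read_serial(path="/dev/cuaU0", nbytes=4096, baud=9600):
    """Open a tty raw (8N1, no echo, no line discipline, no flow control) and
    read nbytes. Path and baud are assumptions taken from the post."""
    import termios  # POSIX only; imported here so the statistics run anywhere
    fd = os.open(path, os.O_RDONLY | os.O_NOCTTY)
    try:
        iflag, oflag, cflag, lflag, _ispeed, _ospeed, cc = termios.tcgetattr(fd)
        iflag &= ~(termios.IGNBRK | termios.BRKINT | termios.PARMRK | termios.ISTRIP
                   | termios.INLCR | termios.IGNCR | termios.ICRNL | termios.IXON)
        oflag &= ~termios.OPOST
        cflag = (cflag & ~(termios.CSIZE | termios.PARENB)) | termios.CS8 | termios.CREAD | termios.CLOCAL
        lflag &= ~(termios.ECHO | termios.ECHONL | termios.ICANON | termios.ISIG | termios.IEXTEN)
        speed = getattr(termios, "B%d" % baud)
        cc[termios.VMIN], cc[termios.VTIME] = 1, 0  # block until at least one byte arrives
        termios.tcsetattr(fd, termios.TCSANOW, [iflag, oflag, cflag, lflag, speed, speed, cc])
        buf = bytearray()
        while len(buf) < nbytes:
            chunk = os.read(fd, nbytes - len(buf))
            if not chunk:
                break  # EOF: device went away
            buf.extend(chunk)
        return bytes(buf)
    finally:
        os.close(fd)


# Constructed inputs for an offline run: a perfectly flat histogram and a
# stuck device that only ever returns zeros.
FLAT = bytes(range(256)) * 16   # 4096 bytes, every value exactly 16 times
STUCK = b"\x00" * 4096          # what a dead or unresponsive device might deliver

if __name__ == "__main__":
    for name, sample in (("flat", FLAT), ("stuck", STUCK)):
        print(name, byte_stats(sample), looks_random(sample))
```

Against the real device the call is `looks_random(read_serial())`. Note the gate is one-sided: the constructed FLAT buffer passes with a chi-square of exactly 0, which from a real generator would itself be suspicious (too uniform to be random), so treat a pass here as "not obviously broken", nothing more.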

NSA transition to quantum resistant algorithms

2015-08-15 Thread Devin Reade
Interesting background info, including recommended minimum key sizes during the 
interim:

http://m.nsa.gov/ia/programs/suiteb_cryptography/index.shtml



resource impact of bgp-spamd

2015-08-10 Thread Devin Reade

In general terms, what kind of additional memory/disk/cpu usage is
incurred through the use of a bgp-spamd client?  Is this something that is
likely able to run on a low end device like a Soekris 5501, or is
it something more suited to a Real Server?

(I don't see any dedicated mailing list on the bgp-spamd.net web page,
so hopefully this is an appropriate place to ask.)

Devin



Re: Crash cart console adapters compatible with OpenBSD?

2015-01-16 Thread Devin Reade
> On Jan 15, 2015, at 23:46, Sean Kamath kam...@moltingpenguin.com wrote:
> 
> I've got about 10 of these where I work (Adder iPEPS: 
> http://www.adder.com/products/adderlink-ipeps).
> 

I'll second it; I've used them a fair amount and they're quite stable. Yes, 
they use RealVNC, and encrypted connections. 

Devin



Re: Crash cart console adapters compatible with OpenBSD?

2015-01-16 Thread Devin Reade
> On Jan 16, 2015, at 03:05, Stuart Henderson s...@spacehopper.org wrote:
> 
> On 2015-01-16, Sean Kamath kam...@moltingpenguin.com wrote:
>> I've got about 10 of these where I work (Adder iPEPS: 
>> http://www.adder.com/products/adderlink-ipeps).
> 
> I have one of these (vga version) too. As long as you don't use encryption it
> can communicate with any standard VNC client, unlike most similar devices which
> need a proprietary client. It's much easier to carry to a datacentre than the
> 10" lcd and keyboard I used to use.

True, although the RealVNC clients are also free for downloading. (For the OSes 
where they actually provide the client, of course.) It's the server that you 
pay for, and that's included in the price of the iPEPS. 

I often use a config where one such unit acts as a front for an inexpensive 
electronic KVM switch so as to amortize the cost, with the down side that you 
can only see one server console at a time. 

Devin



Re: Crash cart console adapters compatible with OpenBSD?

2015-01-16 Thread Devin Reade
> On Jan 16, 2015, at 14:23, Stuart Henderson s...@spacehopper.org wrote:
> 
> Considering which mailing list this is on, and the "compatible with
> OpenBSD" in the subject, a binary-only client which doesn't run on
> OpenBSD isn't terribly useful ;)

My head is bowed in shame :)

Well, in an attempt to dig myself out of the hole, the OP *did* say "or in a 
pinch, Linux" ...

Devin



5.6 CDs

2014-11-17 Thread Devin Reade
I just got my 5.6 CD set (I ordered late).

I love that artwork and the movie misquotes.  How apropos.

Thanks to all involved (in the entire release).

Devin



Re: low power device

2014-09-20 Thread Devin Reade
--On Friday, September 12, 2014 03:27:39 PM +0200 Martijn van Duren
martijn...@gmail.com wrote:

> Because this PC requires more power than should be necessary for its
> purpose I would like to acquire something like a pandaboard, which is
> low power, and has at least 2 sata ports, 1 network port and if possible
> supported audio for network playback.

For a more rugged solution, Lanner has some nice devices.  Most of 
the fanless ones have space for only one 2.5" drive internal, but 
you may find something in the line that you like.

I have a LEC-2010 that has been running OpenBSD the last few years
quite nicely.  (That particular model doesn't have many network
ports but has a lot of serial ports.)

http://www.lannerinc.com or
http://www.lannerinc.com/products/all-purpose-box-computers/industrial-automation/

Being industrial computers, you'll pay more than for hobby boards,
though.

Devin



Re: LibreSSL @ BSDCan 2014

2014-05-19 Thread Devin Reade
> On May 18, 2014, at 4:18, Marc Espie es...@nerim.net 
> 
> Actually, if you were awake at the time of the talk, you probably heard
> something of a distant rumble.
> 
> Bob is the only OpenBSD developer who's a match to the humpback whale in
> terms of sound carrying power.

That comes from all those years of chasing the malcontents out of the undergrad 
computer labs with an axe ...



Big endian options

2014-05-02 Thread Devin Reade

The recent news elsewhere about Debian no longer actively testing
on sparc platforms got me to thinking.  It's been very handy over
the years to be able to test programs on both big-endian and little-endian
machines (for the same reason that it's good to test across different
compilers and operating systems).  However, a lot of the big-endian
hardware out there is getting a bit long in the tooth.

If one is to consider only hardware that is still being manufactured
(i.e. bought new), what are our options now?  Sparc is still around,
of course, although I had serious doubts about how long it would be
around when Oracle bought Sun.  There's IBM's Power architecture, but
it looks like more recent versions of that will (optionally) run
little-endian natively, which makes me wonder about long-term
directions there.

Am I missing anything?

The question is two-fold: In one way I'm asking about things that
OpenBSD will currently run on, and in the other just asking about
what's available for hardware regardless of whether OpenBSD will
currently run on it.

Devin



Re: BackupPC

2013-12-12 Thread Devin Reade

Quoting Martin Schröder mar...@oneiros.de:

> <quote src="https://en.wikipedia.org/wiki/Bacula#History">
> In 2010, a fork named Bareos was established, the project published
> first packages in February 2013.[7] Bareos introduces many new
> features and eases configuration.[8]
> </quote>
> 
> [...]
> 
> I've used neither.


This may be getting somewhat OT, but since Bareos was brought up:

Be aware that there is a lawsuit in progress[1] against Bareos in that
they are alleged to have committed industrial espionage against
Bacula Systems in that they've intentionally stolen proprietary source code,
removed copyright notices, and published it as their own.  My recommendation
would be to stay away from Bareos.  OTOH, Bacula is (speaking from experience)
a solid open source product and the community edition *does* do a
form of deduplication[2] (file level, not block level), although that's
one of the few features that I've not used.

For the record, Bacula Systems has a policy of migrating their enterprise
features into the community edition after a set length of time, and they
seem to follow that policy.  Certainly the community edition has not suffered
since the enterprise edition was created.

The Bacula founder (Kern Sibbald) has also been involved in other open source
projects, including a former key developer and project manager for apcupsd.
I tend to believe his side of the story.

[1] http://bacula.org/en/?page=news
[2]  
http://www.bacula.org/en/dev-manual/main/main/File_Deduplication_using_Ba.html


Devin



Re: Are there any default password managers in OpenBSD?

2013-12-06 Thread Devin Reade
--On Thursday, December 05, 2013 08:20:07 AM +0100 obsd, cgi 
obsd...@postafiok.hu wrote:

> - Are there any best practices to generate a password? - that are kept in
> password manager, so ex.: 128 char long with special/random chars, etc.

Diceware: http://world.std.com/~reinhold/diceware.html

But it's not in ports, it's in your games cupboard ...

Devin
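For readers who would rather not raid the games cupboard, the Diceware method mechanised: an added example, not code from the post or from the Diceware project. Each word is selected by five dice rolls read as a base-6 number (`11111` is the first entry, `66666` the 7776th), so a full list has exactly 6^5 entries and every word drawn uniformly from it contributes log2(7776), about 12.9 bits. The dice here are rolled from the OS CSPRNG via `secrets`, and the word list is a constructed stand-in with placeholder tokens instead of English words, using the same `key<TAB>word` line layout as the published list files, so the block runs without a download; `load_wordlist()` rejects an incomplete list because a missing key would bias the draw.

```python
import math
import secrets

DICE_SIDES = 6
DICE_PER_WORD = 5
LIST_SIZE = DICE_SIDES ** DICE_PER_WORD   # 7776 entries in a full Diceware list


def key_to_index(key):
    """Map a five-dice key such as '31462' to its position 0..7775 in a list
    ordered the Diceware way (the key read as base 6 with digits 1..6)."""
    if len(key) != DICE_PER_WORD or any(ch not in "123456" for ch in key):
        raise ValueError("not a five-dice key: %r" % (key,))
    index = 0
    for ch in key:
        index = index * DICE_SIDES + (int(ch) - 1)
    return index


def all_keys():
    """Every key from '11111' to '66666' in list order."""
    for index in range(LIST_SIZE):
        digits = []
        for _ in range(DICE_PER_WORD):
            index, d = divmod(index, DICE_SIDES)
            digits.append(str(d + 1))
        yield "".join(reversed(digits))


def load_wordlist(text):
    """Parse 'key<whitespace>word' lines; blank lines and '#' comments are
    ignored. A partial list is refused: every one of the 7776 keys must map
    to a word or some rolls would have to be discarded or remapped."""
    words = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, word = line.split(None, 1)
        key_to_index(key)  # validates the key
        words[key] = word
    if len(words) != LIST_SIZE:
        raise ValueError("word list has %d entries, need %d" % (len(words), LIST_SIZE))
    return words


def roll_key(rng=secrets):
    """Five dice rolled from the OS CSPRNG; any object with randbelow() will do."""
    return "".join(str(rng.randbelow(DICE_SIDES) + 1) for _ in range(DICE_PER_WORD))


def entropy_bits(num_words, list_size=LIST_SIZE):
    """Each word drawn uniformly from the list adds log2(list_size) bits."""
    return num_words * math.log2(list_size)


def generate_passphrase(wordlist, num_words=6, rng=secrets):
    if len(wordlist) != LIST_SIZE:
        raise ValueError("incomplete word list")
    return " ".join(wordlist[roll_key(rng)] for _ in range(num_words))


# Constructed stand-in for the real list: the same 7776 keys, but placeholder
# tokens ('w0000' .. 'w7775') instead of English words.
SYNTHETIC_LIST_TEXT = "\n".join("%s\tw%04d" % (k, key_to_index(k)) for k in all_keys())

if __name__ == "__main__":
    words = load_wordlist(SYNTHETIC_LIST_TEXT)
    print(generate_passphrase(words), "(about %.1f bits)" % entropy_bits(6))
```

With the real list, replace `SYNTHETIC_LIST_TEXT` with the file contents; six words give about 77.5 bits, which is the figure to compare against whatever key length the password manager's own cipher offers.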



software stack for portable application

2013-09-25 Thread Devin Reade

I have a software project that is initially targeted at Linux but
that I would like to have running on OpenBSD as well.  This being
new development, I have the flexibility of selecting the software
stack and I'd prefer to use one that minimizes the pain of making
it work on other platforms. Primary concern are workstation-based
platforms (OS-X and MS) but I'd prefer to avoid shooting myself in
the foot for IOS/Android if at all feasible.

So I'm soliciting recommendations for a software stack that will
work on Linux and OpenBSD, and hopefully others.  From a broad
perspective, I'm looking at:

- C/C++ source language
- graphical client abstraction (thick client, not browser based)
- network abstraction
- threading abstraction
- local disk I/O
- minimizing dependencies on any particular window manager
- libraries/frameworks that are sufficiently mainstream as to
 be unlikely to be abandon-ware in five years' time
- open source licensed (preferably BSD/Apache style, LGPL would
 be ok, GPL if necessary)

A bit of reading has me leaning toward basing things on Qt4 and
the Boost libraries, however if people know of warts when using
those on OpenBSD, or if there are additional/alternate solutions
then I'd prefer to find out about them now rather than later.

Thanks in advance,
Devin



watchdog on Atom N270

2013-05-22 Thread Devin Reade
I just picked up a Lanner LEC-2010P, which is a fanless embedded
Atom N270 industrial control system.  It seems to work just fine so
far, overall. Since the N270 isn't all that new, I was a bit surprised
though to find that its hardware watchdog wasn't detected (no criticism
implied).

The user manual for the LEC-2010P shows sample code for talking to
the watchdog of the Winbond W83697UHG (just C source intended to be
run under MS Windows).  I've also managed to locate a data sheet for
the W83697UHG.  Both the manual and the data sheet are available on
request.

dmesg below (and sent to dmesg@)

Devin

OpenBSD 5.3 (GENERIC.MP) #58: Tue Mar 12 18:43:53 MDT 2013
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Genuine Intel(R) CPU N270 @ 1.60GHz (GenuineIntel 686-class) 1.60 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,SSE3,DTES64,MWAIT,DS-CPL,EST,TM2,SSSE3,xTPR,PDCM,MOVBE,LAHF,PERF
real mem  = 2138370048 (2039MB)
avail mem = 2092429312 (1995MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 05/31/10, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.4 @ 0xfd230 (28 entries)
bios0: vendor American Megatrends Inc. version 080015 date 05/31/2010
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC MCFG OEMB ASF! SSDT
acpi0: wakeup devices P0P2(S4) P0P1(S4) USB0(S4) USB1(S4) USB2(S4) USB3(S4) EUSB(S4) MC97(S4) P0P4(S4) P0P5(S4) P0P6(S4) P0P7(S4) P0P8(S4) P0P9(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 133MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Genuine Intel(R) CPU N270 @ 1.60GHz (GenuineIntel 686-class) 1.60 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,SSE3,DTES64,MWAIT,DS-CPL,EST,TM2,SSSE3,xTPR,PDCM,MOVBE,LAHF,PERF
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 1, remapped to apid 2
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 3 (P0P1)
acpiprt2 at acpi0: bus 1 (P0P4)
acpiprt3 at acpi0: bus 2 (P0P5)
acpiprt4 at acpi0: bus -1 (P0P6)
acpiprt5 at acpi0: bus -1 (P0P7)
acpiprt6 at acpi0: bus -1 (P0P8)
acpiprt7 at acpi0: bus -1 (P0P9)
acpicpu0 at acpi0: C3, C2, C1, PSS
acpicpu1 at acpi0: C3, C2, C1, PSS
acpibtn0 at acpi0: SLPB
acpibtn1 at acpi0: PWRB
bios0: ROM list: 0xc/0xec00!
cpu0: Enhanced SpeedStep 1597 MHz: speeds: 1600, 1333, 1067, 800 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82945GME Host rev 0x03
vga1 at pci0 dev 2 function 0 Intel 82945GME Video rev 0x03
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0xd000, size 0x1000
inteldrm0 at vga1: apic 2 int 16
drm0 at inteldrm0
Intel 82945GM Video rev 0x03 at pci0 dev 2 function 1 not configured
azalia0 at pci0 dev 27 function 0 Intel 82801GB HD Audio rev 0x02: msi
azalia0: codecs: Realtek ALC888
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x02: apic 2 int 16
pci1 at ppb0 bus 1
re0 at pci1 dev 0 function 0 Realtek 8168 rev 0x02: RTL8168C/8111C (0x3c00), apic 2 int 16, address 00:90:0b:28:3f:84
rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 2
ppb1 at pci0 dev 28 function 1 Intel 82801GB PCIE rev 0x02: apic 2 int 17
pci2 at ppb1 bus 2
re1 at pci2 dev 0 function 0 Realtek 8168 rev 0x02: RTL8168C/8111C (0x3c00), apic 2 int 17, address 00:90:0b:28:3f:85
rgephy1 at re1 phy 7: RTL8169S/8110S PHY, rev. 2
uhci0 at pci0 dev 29 function 0 Intel 82801GB USB rev 0x02: apic 2 int 23
uhci1 at pci0 dev 29 function 1 Intel 82801GB USB rev 0x02: apic 2 int 19
uhci2 at pci0 dev 29 function 2 Intel 82801GB USB rev 0x02: apic 2 int 18
uhci3 at pci0 dev 29 function 3 Intel 82801GB USB rev 0x02: apic 2 int 16
ehci0 at pci0 dev 29 function 7 Intel 82801GB USB rev 0x02: apic 2 int 23
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb2 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0xe2
pci3 at ppb2 bus 3
ichpcib0 at pci0 dev 31 function 0 Intel 82801GBM LPC rev 0x02: PM disabled
pciide0 at pci0 dev 31 function 2 Intel 82801GBM SATA rev 0x02: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: INTEL SSDSA2M040G2GC
wd0: 16-sector PIO, LBA48, 38166MB, 78165360 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 6
wd1 at pciide0 channel 1 drive 0: TS4GCF150
wd1: 1-sector PIO, LBA, 3823MB, 7831152 sectors
wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5
ichiic0 at pci0 dev 31 function 3 Intel 82801GB SMBus rev 0x02: apic 2 int 19
iic0 at ichiic0
spdmem0 at iic0 addr 0x51: 1GB DDR2 SDRAM non-parity PC2-4200CL3 SO-DIMM
usb1 

Re: remote management

2013-05-14 Thread Devin Reade
--On Monday, May 13, 2013 09:24:13 PM +0200 Tony Berth
tonybe...@googlemail.com wrote:

> I would like to know what kind of environment you use for remote
> management of one or more openbsd servers. Which KVM over IP solution
> would you recommend.

For OpenBSD I usually try to have hardware with a decent serial
console or integrated OOB mechanisms like the Sun ALOMs.  (Those
that use a *different* ethernet jack than that used by the OS.)

If I am forced into a situation that mandates a KVM type of setup,
then one solution that has worked well for me is the 
AdderLink iPEPS http://www.adder.com/products/adderlink-ipeps 
or iPEPS-DA http://www.adder.com/products/adderlink-ipeps-da.
One nice thing about the AdderLink products is that they use 
the commercial RealVNC (encrypted) for remote management so that
you're not faced with having to do something annoying like
starting MS-Windows in a VM just to be able to run the tools to
access your remote servers.  (Yes, I'm looking at you, VMWare.)
(And you other remote management solutions that need windows-specific
clients.)

The AdderLink can be a bit expensive for small businesses and hobbyists
in their recommended one-per-server configuration (approx USD 500),
however if you don't have to have different access levels for different
servers' consoles, and can put up with accessing the console of only
one server at a time, then you can amortize this cost by putting a
decent non-networked (but electronic) KVM switch between the AdderLink
and multiple servers.  That price also seems comparable to similar 
types of technology.

And for the record, the DLink DKVM-8E does *not* constitute a 
decent KVM switch; it's crap.

It looks like AdderLink have DVI/HDMI versions of the iPEPS available,
too, although I've not used them.

Besides using encrypted network traffic and supporting a small number
of login accounts, the AdderLink offers rudimentary source-IP-based
access control.  It's still a good idea to use a segregated admin subnet
if you can, just on general principles.

Devin



Re: watchdog timeout with re0 after MSI change

2011-06-08 Thread Devin Reade
John Danks john.da...@gmail.com wrote:

> Unrelated but this machine pauses for a good 30 seconds on boot and
> resume after ahci1 is detected. I think it started when I added the
> Intel SSD.

On the SSD topic (and in case it helps trigger a thought), I was
running into a problem on a Soekris box and a largish SSD where
sometimes shortly after boot the disk would error out.  After asking
around, the solution seemed to be increasing the Soekris' pause-at-boot
from 5 seconds to 15.  The extra time seemed to be needed to stabilize
the SSD from a cold boot.  I saw this on multiple machines using an
Intel SSDSA2M040G2GC, which otherwise seems to be a good drive.

Devin



Re: Like OpenBSD? Like to see new stuff happening? You really need to order a CD today :)

2011-04-23 Thread Devin Reade
Benny Lofgren bl-li...@lofgren.biz wrote:

> On 2011-04-21 22.27, P. Pruett wrote:
>> how about donate
>> [snip]
> 
> The reason for my initial suggestion, which was along the lines Rafal whom
> you commented also thought, was that a donation *ISN'T A FUCKING OPTION*
> where I and others live.

The other thing is that, based on Theo's 18 April post, funds from
donations (or going to the openbsd foundation) don't go into the same
bucket as funds from CD sales. If I'm interested in putting my funds
into the CD bucket, donations and contributions to the foundation
don't get me there.

Question, Theo:

If I was to say the following, would it work without causing an
unacceptable amount of work?

My company wants to pay you to develop or fix <feature> (where <feature>
is already on the short list of what is planned for the next release).
It is worth <value> to us.  If you're interested, send us an invoice
(from either you personally or your corporation or other business
entity) in some readily machine readable format (text file,
spread sheet, pdf, it doesn't matter) that lists the amount
and the feature. We'll send you the check immediately, and consider
the deliverable complete when the *initial* version is committed.

That deliverable is intended to be unobtrusive.  It doesn't say
that it *must* be in the next release.  It also doesn't imply
any sort of user acceptance test or support requirement. It allows
for the possibility for you to pass the funds along and have
another developer implement it.  It is similar to other open
source projects where a company might put up a bounty to have a
certain feature implemented (other than in those cases, it is open to 
whomever grabs it first).

So, does that take too much time away from development, or is for
some other reason (tax, etc) unworkable?

A possible valid response is, "we don't care that it's going into
the donation fund bucket rather than the CD fund bucket."  A simple
yes or no also suffices; a long explanation either way is not
required.

And for you undesirables out there:  Unsolicited requests for funds
will go into the bit bucket with all the other spam, so don't try.
Not that you'll listen anyway.

Devin



Re: Like OpenBSD? Like to see new stuff happening? You really need to order a CD today :)

2011-04-23 Thread Devin Reade
Kapetanakis Giannis bil...@edu.physics.uoc.gr wrote:

> On 23/04/11 19:19, Scott Stanley wrote:
> 
>> But isn't it an order of magnitude [simpler] to follow the suggestion
>> Marco/Benny put forth and purchase a bunch of CDs and make a note to
>> ship only one (thus eliminating the waste of resources)?

What I haven't heard from the developers is, does the "don't ship them"
aspect cause (tax/accounting/other) problems for either the project or the
CD reseller?

> Apparently the OP wants to get his job as well funding the project.

If you're referring to me, and if you meant "trying to keep his job
as well as funding ...", then hardly.

I'm an independent consultant and consequently am both the CEO and
only employee of my corporation.  Any such contribution ultimately
comes out of my own pocket, and doesn't contribute to me keeping my job.
I don't have the cycles available to assist in OpenBSD development,
and don't have the funds or inclination to hire an *employee* to
do such work.  I *was* saying that I'd consider paying the project
for a specific feature, just as I may pay other professionals for a
small chunk of their time for other projects (which would typically
be fixed cost or time & materials).

(If I misinterpreted your comment, ignore the diatribe.)

I was originally considering a donation to the foundation until the
dual funding model was pointed out, and was suggesting an alternative
that I was hoping would not be too onerous.

If the "buy 10 CDs, ship 1" model actually works for the developers,
then yes it's an option.  But I haven't actually heard a confirmation
that it works.

Devin
-- 
It is far, far better to have a bastard in the 
family than an unemployed son-in-law.   - Robert Heinlein



Re: Like OpenBSD? Like to see new stuff happening? You really need to order a CD today :)

2011-04-23 Thread Devin Reade
Theo de Raadt dera...@cvs.openbsd.org wrote:

> I think I do more than enough and don't need to make promises to
> outsiders just to keep this project alive.  I bet all the developers
> feel the same way.

Fair enough.  Ignoring my particular case for the moment, I was trying
to generalize the suggestion with the thought that most corporate 
sponsors would need at least a rudimentary "this is why we're spending
the money, and that is how we know when we're done" statement in their
records.  Not for you, but for themselves. As far as promises to outsiders
is concerned, I hadn't intended that as any more than, "when <feature>,
which we were planning on doing anyway, is ready, I will promise to
commit it."  That they would have committed it anyway is IMO irrelevant.

> Do we have to sell our souls as well?

Of course not. However I was under the impression that there were 
instances of funding in the past (DARPA? [at the risk of stirring
up bad blood]), and thus figured that it was worth it to ask the question.
I can't know in advance where in the spectrum someone sits between M$
and Stallman and what constitutes selling of one's soul, but thought
my suggestion was a variation that hadn't been discussed (or at least
not recently).

That the answer (for Theo at least) is no is fine, and I can respect
the reasons.  The discussion has given me (and perhaps others) at least
a couple of options for CD bucket contributions, and thanks for taking
the time to clarify things. I'll start with amending my outstanding CD
order accordingly.

Devin



Advice on pf no-sync

2010-12-07 Thread Devin Reade
I understand (from pf.conf(5)) what no-sync is supposed to do, however
the only example I've seen of it in use is on the pfsync and carp
examples in pfsync(4).

I was wondering if anyone had some advice on some specific examples of
when the use of no-sync is appropriate, specifically in a two-node
firewall cluster that uses pfsync.  Assume that there are DMZ and
internal network segments, some of which are routable and some of 
which are NAT'd private space.  Further assume that some services
are hosted from the firewall nodes themselves.

I understand that most pf rules under these circumstances would *not*
use no-sync, but it's not clear if there's anything other than 
pfsync/carp that should/might.

Thanks in advance.

Devin



Re: carp + client avahi-daemon = OpenBSD kernel hang

2010-10-04 Thread Devin Reade
--On Monday, October 04, 2010 12:11:01 PM + Stuart Henderson
s...@spacehopper.org wrote:

> On 2010-10-03, Devin Reade g...@gno.org wrote:
> snip *excellent* write-up of the problem and network layout;
> if only all problem reports were this good!

Thanks.  I'm also a developer, just not in the OpenBSD kernel.

> Until you can move to a dedicated nic, I would
> suggest switching to using syncpeer in pfsync config, and ipsec [snip]

I forgot to include /etc/hostname.pfsync0, but it is using syncpeer on vr0.

> So basically there are untrusted machines on the interface on which you
> also run pfsync.

That depends on your definition of untrusted.  vr0 being the DMZ, all
machines there are under my control and I'm pretty confident that there's
nothing malicious happening.  It is true, though, that there is traffic
other than pfsync on that segment.

Are you suspecting that other traffic (and in particular avahi-daemon)
is interfering with pfsync?

The dual-port NICs arrived, so I can put pfsync on its own interface
now and see if that affects the situation.

One other recent datapoint:  In following Kenneth's suggestion of breaking
into the kernel, I disabled the watchdog and set
 ddb.panic=1
 ddb.console=1
Since then I have had time to trigger only one failure so far (again,
no panic, no automatic drop to ddb), but in that case when I did a
'continue' in ddb, the failed machine returned to operation.  So it
looks like the hang may not have been a permanent hang, but just long
enough to (previously) trigger the watchdog, which had a timeout of 32 seconds.
But that's still inconclusive.  (I have nothing else useful to add
yet re ddb.)

Devin



Re: carp + client avahi-daemon = OpenBSD kernel hang

2010-10-03 Thread Devin Reade
Kenneth R Westerback kwesterb...@rogers.com wrote:

> You seem to be using a custom compiled kernel. I didn't spot any
> explanation of that (-stable patches? changes to kernel config?).
> Non-GENERIC kernels make developers nervous.

Nothing custom; it's 4.7 stable with patches 001 through 006 applied,
which required recompiling the kernel.  No changes to the kernel config.

Thanks for the suggestions.  I'll wait a few days on the 2nd one
(-current snapshot) in case anyone has any other suggestions with
the config that is in place now.

Devin
-- 
Very funny, Scotty.  Now beam down my clothes. 



carp + client avahi-daemon = OpenBSD kernel hang

2010-10-02 Thread Devin Reade
I've got a problem where I have a couple of OpenBSD firewalls 
running in a redundant configuration using carp, and have found 
that CentOS 5.5 (Linux) boxes running on a protected network, if
they have avahi-daemon running, will cause the OpenBSD kernels to lock
up hard.  This is very reproducible.

While I can avoid the problem by not running avahi-daemon on the
Linux machines, I'd really prefer to find the source of the problem
on the OpenBSD side and fix it.  From my perspective, there is nothing
that a remote host should be able to do that should lock up
an OpenBSD kernel. (And lest anyone be offended by my calling it a
problem on the OpenBSD side, I'm quite willing to believe that there
is bad ju-ju in my config and am not necessarily blaming OpenBSD per se.)

If anyone has suggestions on how I can proceed to diagnose the problem,
I would appreciate it.

Details follow.

==

Okay, the short version is that I noticed the problem weeks back that
whenever I booted or shut down a new CentOS 5.5 box, it would cause one
of the two redundant firewalls to lock up.  The firewalls are Soekris
net5501-70 machines, with the hardware watchdog enabled. So eventually
the watchdog would kick the firewall and it would come back.

Over a period of time I worked on elimination of various potential 
problem areas, such as doing memory checks, checking for bad power, 
power overloads, etc.  Without going into the details, I was able to
narrow it down to the point that the lockup was reproducible *every*
time avahi-daemon on the Linux box was started or stopped, *and* both
firewalls in the carp cluster were running.  If avahi-daemon is 
disabled or if the secondary firewall is shut down, there is no problem.

There is no kernel panic on the OpenBSD side; it just locks up hard.
There are no interesting diagnostics in either the OpenBSD or Linux
logs.  Running tcpdump shows that the avahi multicast traffic is the
last thing that occurs on the DMZ before the kernel locks up.

Most of the time, shutting down the CentOS host will kill the firewall
that is normally the backup, and starting up the CentOS host will kill
the firewall that is normally the primary, however I've seen the shutdown
kill the primary on occasion although I cannot definitively say that
the nominal primary was in fact the current master on the carp devices
on these occasions.

I have verified that this occurs with a bare-bones 64 bit CentOS
installation; although the original machine that triggered this is
a xen server, I've verified that it can happen with a non-xen server.

Interestingly, though, not all CentOS boxes will trigger this behavior;
there are CentOS 5.5 machines on both the DMZ and the internal network
that can be rebooted without affecting the firewall, and I've verified
that they also have avahi-daemon running.

I provide more details on the topology and environment below.

I *could* simplify my topology to see if that eliminates the problem,
but wanted to see if anyone has any ideas first in case a config change
causes the problem to go away without knowing why; I'd rather fix the
problem than avoid it.

I've attached various config files below, sanitized by running them
through perl (so the substitutions are at least self-consistent).  If someone
is willing to look at this in depth and needs the raw configs, contact me
directly.

Description of Environment
==

The topology is too ugly for ascii art, so I'll just describe it.  Both
soekris boxes use the following config:

vr0:  switch to dmz
vr1:  switch to upstream 1 demarc
vr2:  switch to upstream 2 demarc
vr3:  switch to guest network
fxp0: switch to internal network

Until I get a two-port lan card, pfsync is occurring via vr0 (the dmz link).

All switches are consumer grade non-managed DLink DGS-1005G or DGS-1008G
10/100/1000 Mb switches.  I've tried other non-managed switches and the 
problem persists.

I have seen the problem with clean install CentOS 5.5 servers in
the DMZ, both 64 bit, with slightly different hardware.  One has a
an Intel Pro/1000 NIC, the other uses an RTL8168b/8111b.  However, I also
have other CentOS 5.5 machines both in the DMZ and on the internal 
net which do *not* trigger the problem.  These others are a mix of 32 and
64 bit machines.

Both upstreams use static IPs.  Upstream 1 has been in operation for
a few years with an older single-host non-Soekris OpenBSD firewall,
and everything including the DMZ used NAT (with RFC-1918 IPs).
With the introduction of upstream 2, the DMZ will be moved to routable
IPs.  Currently the DMZ is mixed, with most hosts being private IPs 
and one (not yet production) host having a routable address.  The CentOS
boxes that trigger the problem are both using routable addresses (I
don't know if that's relevant). The pf config is such that
traffic for the routable IPs will be via upstream 2 and traffic for the
NAT'd IPs will 

Re: No SSH on External Interfaces After pf.conf Rewrite for Load Balancing Outgoing Traffic

2010-06-04 Thread Devin Reade
dontek don...@gmail.com wrote:

> In rewriting the ruleset I've
> had no problems with connectivity with the exception of getting an SSH
> connection to the firewall to work on either of the two external
> interfaces.
[...]
> pass log quick on $EXT_IF_1 inet proto tcp from any to ($EXT_IF_1)
> port ssh keep state
> pass log quick on $EXT_IF_2 inet proto tcp from any to ($EXT_IF_2)
> port ssh keep state

Use reply-to for your ssh rules:

pass log quick on $EXT_IF_1 inet proto tcp from any to ($EXT_IF_1) port ssh 
keep state reply-to ($EXT_IF_1 $EXT_GATE_1)

(And for the 2nd one, too)

Devin
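As an added illustration (not part of the original reply), a fuller pf.conf fragment for the two-uplink case above, with both ssh rules pinned by reply-to. The interface and gateway values are placeholders, and the $EXT_GATE_2 macro is assumed by analogy with $EXT_GATE_1, which is the only gateway macro the reply names.

```pf
# Constructed example; interface names and gateway addresses are placeholders.
EXT_IF_1   = "vr1"
EXT_IF_2   = "vr2"
EXT_GATE_1 = "198.51.100.1"   # gateway reachable via $EXT_IF_1
EXT_GATE_2 = "203.0.113.1"    # assumed macro, gateway reachable via $EXT_IF_2

# When outgoing traffic is load-balanced with route-to, replies from the
# firewall itself still follow the kernel's default route.  A SYN arriving
# on the non-default uplink therefore gets its SYN-ACK sent out the other
# interface and the ssh session never establishes.  reply-to forces the
# reply back out the interface (and to the gateway) the connection came in on.
pass in log quick on $EXT_IF_1 inet proto tcp from any to ($EXT_IF_1) \
    port ssh keep state reply-to ($EXT_IF_1 $EXT_GATE_1)
pass in log quick on $EXT_IF_2 inet proto tcp from any to ($EXT_IF_2) \
    port ssh keep state reply-to ($EXT_IF_2 $EXT_GATE_2)
```

The rules are written as `pass in` since reply-to only acts on inbound-matched state; check the file with `pfctl -nf /etc/pf.conf` before loading it.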



carp and OS upgrades

2010-06-01 Thread Devin Reade
Ignoring aspects common to all OpenBSD upgrades, and the idiosyncrasies
that get mentioned in the release notes for specific upgrades, does anyone
have general comments, suggestions, warnings, etc regarding upgrading
a pair of firewalls that are running in a typical redundant config
using carp, pfsync, et al?

It is not the case that I'm part way through an upgrade and have a 
problem.  It's more that I'm interested in what I can expect when
I run into this situation.

Devin
-- 
If you're not part of the solution, you're part of the precipitate.
- Stephen Wright