Relayd - block bad bots

2023-12-08 Thread Michal

Hey

I'm running a small VM on OpenBSD where my site resides. My stack is
pf/relayd/httpd.

I see significant traffic coming from bad bots, like mj12. I'd love
to completely block them and Relayd seems like the best place. I tried to
block by "User-Agent" header, however there is no support for globs
there. This means I would need to constantly adjust my filters when they
release a new version into the wild.

Has anyone had any success with achieving something similar? Frankly I
was a bit surprised that globs in value are not supported. Seems like a
great use case.

---

Michal
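As an added example (not part of the thread), here is the kind of glob-based User-Agent match the question asks for, applied on the defender's side to httpd access-log lines so that new bot versions still match. The log lines are constructed samples in the combined log format (httpd's `log style combined`); the bot glob list is a placeholder, with only mj12 taken from the thread.

```python
import re
from collections import Counter
from fnmatch import fnmatchcase

# Constructed sample lines, combined log format (assumed: httpd "log style combined").
SAMPLE_LOG = """\
203.0.113.7 - - [08/Dec/2023:10:00:01 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)"
203.0.113.7 - - [08/Dec/2023:10:00:02 +0100] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)"
198.51.100.4 - - [08/Dec/2023:10:00:05 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; OpenBSD amd64; rv:120.0) Gecko/20100101 Firefox/120.0"
192.0.2.9 - - [08/Dec/2023:10:00:09 +0100] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0 (compatible; mj12bot/v2.0.1; +http://mj12bot.com/)"
"""

# Placeholder glob list: "*mj12bot*" is the bot named in the thread, "*examplebot*"
# is a made-up entry. The version string is deliberately not part of the glob, so a
# new release still matches.
BAD_BOT_GLOBS = ["*mj12bot*", "*examplebot*"]

# ip, ident, user, [timestamp], "request", status, size, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return (client_ip, user_agent) for one combined-format line, or None."""
    m = LOG_RE.match(line)
    return (m.group("ip"), m.group("ua")) if m else None


def is_bad_bot(ua, globs=BAD_BOT_GLOBS):
    """Case-insensitive shell-glob match of a User-Agent against the bot list."""
    ua_lower = ua.lower()
    return any(fnmatchcase(ua_lower, g.lower()) for g in globs)


def bot_hits(log_text, globs=BAD_BOT_GLOBS):
    """Count requests per client address whose User-Agent matches a bot glob."""
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and is_bad_bot(parsed[1], globs):
            hits[parsed[0]] += 1
    return hits


if __name__ == "__main__":
    for ip, count in bot_hits(SAMPLE_LOG).most_common():
        print(f"{count:5d}  {ip}")
```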



Re: Default partitioning scheme ran out of space for updates

2023-05-13 Thread michal . lyszczek
On 2023-05-13 11:16:13, Allan Streib wrote:
> On Sat, May 13, 2023, at 09:19, Sylvain Saboua wrote:
> 
> > Filesystem     Size    Used   Avail Capacity  Mounted on
> > /dev/sd1a      986M    986M  -49.1M   105%    /
> 
> You have something else using space on your root partition.
> 
> From my machine, (7.3 amd64):
> 
> /dev/sd0a     1005M    214M    740M    23%    /
> 
I can confirm that

> /dev/sd0a      3.9G    168M    3.5G     4%    /

And that's with ~60megs of my stuff in /root

Try running "ncdu -x /" and see what is taking so much space.

-- 
.-.---.--.-.
| Michal Lyszczek | Embedded C, Linux |   Company Address|  .-. opensource |
| +48 727 564 419 | Software Engineer | Akacjowa 10a; 55-330 |  oo|  supporter |
| https://bofc.pl `.--: Brzezinka Sredzka PL | /`'\  & |
| GPG FF1EBFE7E3A974B1 | Bits of Code | NIP:   813 349 58 78 |(\_;/) programer |
`--^--^--^-'


Re: OpenBSD 7.2 on VPS, routing via IPv6 gateway outside of interface prefix

2022-11-08 Thread Michal Šmucr
On Mon, 7 Nov 2022 at 13:38, Eric JACQUOT wrote:
> Hi,
>
> Could you try with this inet6 conf in your /etc/hostname.vio0 :
>
> inet6  [yourvpsipv6] 121
> !route add -inet6 -net 2001:db8:efef::1/128 -cloning -link -iface vio0
> !route add -inet6 default 2001:db8:efef::1
>

Hi Eric,

That was it! The cloning modifier did the trick.
I tried almost the exact same thing before, but missed this modifier,
that's why it didn't work.
I had no clue :)

In the end it was enough to add just the host route to the gateway.
!route add -inet6 2001:db8:efef::1 -cloning -link -iface vio0
was appended to /etc/hostname.vio
and 2001:db8:efef::1 went normally to /etc/mygate

Works like a charm now. Thank you so much for the help.

Michal
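The fix above comes down to one check: is the gateway inside the interface prefix or not? As an added example (not from the thread), this Python helper makes that decision with the addresses from the thread and emits the corresponding /etc/hostname.vio0 and /etc/mygate lines, adding the `-cloning -link -iface` host route only when the gateway is off-prefix. The function names are my own.

```python
import ipaddress


def gateway_on_link(addr_with_prefix, gateway):
    """True when the gateway address falls inside the interface's own prefix."""
    iface = ipaddress.IPv6Interface(addr_with_prefix)
    return ipaddress.IPv6Address(gateway) in iface.network


def hostname_if_lines(addr_with_prefix, gateway, ifname):
    """Lines for /etc/hostname.<ifname>: the address with its prefix length,
    plus a host route to the gateway only when the gateway lies outside the
    prefix (the /121 case in the thread). An on-link gateway needs no route."""
    iface = ipaddress.IPv6Interface(addr_with_prefix)
    gw = ipaddress.IPv6Address(gateway)
    lines = [f"inet6 {iface.ip} {iface.network.prefixlen}"]
    if gw not in iface.network:
        lines.append(f"!route add -inet6 {gw} -cloning -link -iface {ifname}")
    return lines


def mygate_line(gateway):
    """/etc/mygate holds just the default gateway address (validated here)."""
    return str(ipaddress.IPv6Address(gateway))


if __name__ == "__main__":
    # Addresses as given in the thread: /121 on the VPS, gateway outside it.
    vps, gw, ifname = "2001:db8:efef::d9e:18d2:b761:0/121", "2001:db8:efef::1", "vio0"
    print(f"# gateway on link: {gateway_on_link(vps, gw)}")
    print(f"# /etc/hostname.{ifname}")
    print("\n".join(hostname_if_lines(vps, gw, ifname)))
    print("# /etc/mygate")
    print(mygate_line(gw))
```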



Re: OpenBSD 7.2 on VPS, routing via IPv6 gateway outside of interface prefix

2022-11-07 Thread Michal Šmucr
>
> I'm sorry, I wasn't thinking very well.
>
> Have you tried using fe80::1%vio0 as the default IPv6 gateway?
>

No need to be sorry, I am grateful for any ideas :)

And yes, I've also tried fe80::1%vio0
AFAIK that's a bit of a special case and the way Hetzner (a known
German cloud provider) routes IPv6 to their VPS.
I also installed and used some systems to their cloud, so it also came
to my mind, but it didn't work in this particular case.

Michal



Re: OpenBSD 7.2 on VPS, routing via IPv6 gateway outside of interface prefix

2022-11-07 Thread Michal Šmucr
Thank you very much for the reply, Kirill.

> > try with
> >
> > route add -inet6 2001:db8:efef::1 -llinfo -link -static -iface vio0
>
> ... that is, try the above before you try to add 2001:db8:efef::1 as
> default gateway.

I already tested something similar in my previous attempts with flags
and link, but it also didn't work.
Here's how it behaves, when I use the exact command you've advised. I
removed all previous IPV6 addresses and flushed all routes before
testing.

$ ifconfig vio0 inet6 2001:db8:efef::d9e:18d2:b761:0/121
$ route add  -inet6 2001:db8:efef::1  -llinfo -link -static -iface vio0
add host 2001:db8:efef::1: gateway vio0

$ route -n show -inet6
Routing tables

Internet6:
Destination                          Gateway                          Flags   Refs      Use   Mtu  Prio Iface
::1                                  ::1                              UHl        0       20 32768     1 lo0
2001:db8:efef::1                     link#1                           UHLS       0        1     -     8 vio0
2001:db8:efef::d9e:18d2:b761:0/121   2001:db8:efef::d9e:18d2:b761:0   UCn        0        0     -     4 vio0
2001:db8:efef::d9e:18d2:b761:0       62:86:db:bc:c6:74                UHLl       0        0     -     1 vio0
...
$ ping6 2001:db8:efef::1
PING 2001:db8:efef::1 (2001:db8:efef::1): 56 data bytes
ping6: sendmsg: Invalid argument
ping: wrote 2001:db8:efef::1 64 chars, ret=-1

At this point 2001:db8:efef::1 is inaccessible with normal ping, so it
shouldn't work as a default gateway.
But nevertheless I've tried that.
$ route add -inet6 default 2001:db8:efef::1
add net default: gateway 2a02:25b0:::1
$ ping6 www.google.com
PING www.google.com (2a00:1450:4014:80a::2004): 56 data bytes
ping6: sendmsg: Invalid argument
ping: wrote www.google.com 64 chars, ret=-1

So unfortunately adding a route this way also doesn't work.

Thank you,

Michal



OpenBSD 7.2 on VPS, routing via IPv6 gateway outside of interface prefix

2022-11-07 Thread Michal Šmucr
Hello to all,

I'm looking for possible opinions or advice regarding IPv6 setup at new VPS.
Probably the most common approach is a VPS provider gives you /64
prefix length with gateway within the subnet.
Works everywhere, it's also the smallest usable prefix length for use
with SLAAC.
However in this case, the VPS has /121 prefix length and its gateway
is outside of the subnet.
Something like this:
VPS IP: 2001:db8:efef::d9e:18d2:b761:0/121
GW: 2001:db8:efef::1/48

Before this OpenBSD VPS I installed another one there with Linux,
where it surprisingly went without issues.
Unfortunately with the BSD that setup wasn't successful.
I came up with two workarounds. First I can set /48 prefix for the
interface and it will work, compared to IPV4 there shouldn't
be issues like with a wider mask and broadcasts and if I won't use any
IP outside of the "designated" prefix, it will likely be fine.
The other one is route everything via link-local address of particular
gateway (eg. use address like fe80:::::%vio0 which I
found),
it also works, but it will be sensitive for any failovers or changes
on their hardware,
as the link local address might change and VPS will be essentially
disconnected until manual fix.

Anyway I'm still curious why it was possible to set up on Linux and
not on OpenBSD.
I just booted CentOS live ISO at the exact same VPS and tried to debug
that step-by-step without any init scripts or NetworkManager.
On CentOS I can do the following steps..

$ ip -6 addr add 2001:db8:efef::d9e:18d2:b761:0/121 dev eth0 noprefixroute
$ ip -6 route add 2001:db8:efef::1 dev eth0
$ ip -6 route add default via 2001:db8:efef::1 dev eth0

Then it will work as expected, the important part is noprefixroute
option at first command.
This will prevent creation (and deletion) of prefix route during IP
address assignment, if I omitted that, setup didn't work.

On OpenBSD I tried..

$ ifconfig vio0 inet6 2001:db8:efef::d9e:18d2:b761:0/121
$ route add -inet6 default 2001:db8:efef::1
add net default: gateway 2001:db8:efef::1: Network is unreachable

Well, that sounds logical. So I tried to tell how to reach the gateway first.
It should be directly accessible, so after few failed attempts and
digging in man page
I thought the -iface modifier with the local address of the interface
as destination should do the trick.
$ route add -inet6 2001:db8:efef::1 2001:db8:efef::d9e:18d2:b761:0 -iface
$ ping6 2001:db8:efef::1
PING 2001:db8:efef::1 (2001:db8:efef::1): 56 data bytes
ping6: sendmsg: Invalid argument

ehh.. no dice
I tried a couple of other things, like adding an additional network
route to /48 prefix, and experimenting with some additional flags,
when adding. But it never worked.

Is it impossible to achieve?
Like without the equivalent of Linux noprefixroute option, there will
always be an already automatically declared offending route.
Or do I have some mistakes there?

Thank you,

Michal



Re: No valid root disk found when upgrading

2022-04-23 Thread michal . lyszczek
On 2022-04-22 07:56:25, Stuart Henderson wrote:
> On 2022-04-21, Stuart Henderson  wrote:
> >> upgrade# cd /dev; sh MAKEDEV sd0
> >> upgrade# mount -t ffs -r /dev/sd0a /mnt
> >> upgrade# ls /mnt
> >> .cshrc              bsd          dev               sbin
> >> .profile            bsd.booted   etc               sys
> >> altroot             bsd.rd       home              tmp
> >> auto_upgrade.conf   bsd.sp       mailwrapper.core  usr
> >> bin                 bsd.upgrade  root              var
> >> upgrade# df -h
> >> Filesystem     Size    Used   Avail Capacity  Mounted on
> >> /dev/rd0a      3.5M    3.0M    451K    87%    /
> >> /dev/sd0a      3.9G    677M    3.0G    18%    /mnt
> >>
> >>> it's worth seeing what "sysctl hw.disknames" says too
> >> upgrade# sysctl hw.disknames
> >> hw.disknames=sd0:dc999ef6267325df,rd0:a8c7c8e3bbaa0da7
> >
> > That looks sane too..
> 
> Oh I didn't look close enough. You are missing /mnt. mkdir it and
> that shoukd fix the problem.
Yup, that was the problem. Thank you!
Guess I must have removed it at some point from my rootfs.
Thanks again for the help Stuart.

-- 
.-.---.--.-.
| Michal Lyszczek | Embedded C, Linux |   Company Address|  .-. opensource |
| +48 727 564 419 | Software Engineer | Akacjowa 10a; 55-330 |  oo|  supporter |
| https://bofc.pl `.--: Brzezinka Sredzka PL | /`'\  & |
| GPG FF1EBFE7E3A974B1 | Bits of Code | NIP:   813 349 58 78 |(\_;/) programer |
`--^--^--^-'




Re: No valid root disk found when upgrading

2022-04-21 Thread michal . lyszczek
Hello Stuart,
Thanks for your reply, here is more data
On 2022-04-21 21:43:08, Stuart Henderson wrote:
> if you boot the upgrade kernel and drop to a shell, what do you
> get from this?
> 
> cd /dev; sh MAKEDEV sd0
> mount -t ffs -r /dev/sd0a /mnt
> ls /mnt
Sadly, nothing that would raise any flags or ideas in my brain,
everything seems to work fine

upgrade# cd /dev; sh MAKEDEV sd0
upgrade# mount -t ffs -r /dev/sd0a /mnt
upgrade# ls /mnt
.cshrc              bsd          dev               sbin
.profile            bsd.booted   etc               sys
altroot             bsd.rd       home              tmp
auto_upgrade.conf   bsd.sp       mailwrapper.core  usr
bin                 bsd.upgrade  root              var
upgrade# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/rd0a      3.5M    3.0M    451K    87%    /
/dev/sd0a      3.9G    677M    3.0G    18%    /mnt

> it's worth seeing what "sysctl hw.disknames" says too
upgrade# sysctl hw.disknames
hw.disknames=sd0:dc999ef6267325df,rd0:a8c7c8e3bbaa0da7

> (similar to what's used for the "is_rootdisk()" check in
> src/distrib/miniroot/install.sub)
Is there a way to run the upgrade script with "set -x" globally?
I tried to run /bin/ksh -x /upgrade.sh, but it seems -x is
discarded in functions and I can only see debug output up until the
+do_ugrade function call.

Maybe replacing all "() {" with "() {\nset -x" will do the trick?

-- 
.-----.---.--.-.
| Michal Lyszczek | Embedded C, Linux |   Company Address|  .-. opensource |
| +48 727 564 419 | Software Engineer | Akacjowa 10a; 55-330 |  oo|  supporter |
| https://bofc.pl `.--: Brzezinka Sredzka PL | /`'\  & |
| GPG FF1EBFE7E3A974B1 | Bits of Code | NIP:   813 349 58 78 |(\_;/) programer |
`--^--^--^-'




No valid root disk found when upgrading

2022-04-21 Thread michal . lyszczek
Hello,

So I have OpenBSD 6.8 (yeah I know), and am trying to upgrade to
6.9 (and version by version until 7.1:)). The problem is that the installer
does not see the disk. This is my very first time upgrading OpenBSD,
so I might be missing something simple. I've read through the upgrade
documentation, and tried to google my problem, but I could not fix
it.

I upgrade with sysupgrade. After boot I try to select root disk:
> Available disks are: .
> Which disk is the root disk? ('?' for details) ?
> sd0: NVMe, Samsung SSD 970, 2B2Q  (232.9G)
> Available disks are: .
> Which disk is the root disk? ('?' for details) sd0
> sd0 is not a valid root disk.
> Available disks are: .

Going into shell, /dev/sd0* do not exist. So I tried to create nodes:
> upgrade# ./MAKEDEV sd0

Now disklabel shows proper disk info
(label is from samsung 960, even though I have samsung 970 disk.
I migrated some time ago from 960 to 970, guess I must have used
dd to do it, hence label from previous disk. I assure you I have
only 1 disk inserted, and no usb disks).
> upgrade# disklabel sd0
> # /dev/rsd0c:
> type: SCSI
> disk: SCSI disk
> label: Samsung SSD 960
> duid: dc999ef6267325df
> flags:
> bytes/sector: 512
> sectors/track: 63
> tracks/cylinder: 255
> sectors/cylinder: 16065
> cylinders: 30401
> total sectors: 488397168
> boundstart: 1024
> boundend: 488397105
> drivedata: 0
> 
> 16 partitions:
> #size   offset  fstype [fsize bsize   cpg]
>   a:  8400960 1024  4.2BSD   2048 16384 12960
>   b: 67119581  8401984swap
>   c:4883971680  unused
>   d:134223072 75521568  4.2BSD   2048 16384 12960
>   e:278652416209744640  4.2BSD   4096 32768 26062
>   i:  960   64   MSDOS

fdisk
> upgrade# fdisk /dev/rsd0c
> Disk: /dev/rsd0c   Usable LBA: 64 to 488397104 [488397168 Sectors]
>#: type [   start: size ]
> 
>1: EFI Sys  [  64:  960 ]
>3: OpenBSD  [1024:488396081 ]

But when I exit shell I still have the very same problem as at the
beginning and I can't select root disk. Strange thing is, that when
I exit shell to installer, and then go back to shell with "!",
/dev/sd0 disappears.


More info:
==

Disk is detected in bsd.upgrade kernel
> upgrade# dmesg | grep -i samsung
> nvme0 at pci1 dev 0 function 0 "Samsung SM981/PM981 NVMe" rev 0x00: msix, 
> NVMe 1.3
> nvme0: Samsung SSD 970 EVO Plus 250GB, firmware 2B2QEXM7, serial 
> S4EUNX0R502629B
> sd0 at scsibus1 targ 1 lun 0: 
> nvme0 at pci1 dev 0 function 0 "Samsung SM981/PM981 NVMe" rev 0x00: msix, 
> NVMe 1.3
> nvme0: Samsung SSD 970 EVO Plus 250GB, firmware 2B2QEXM7, serial 
> S4EUNX0R502629B
> sd0 at scsibus0 targ 1 lun 0: 

It seems I am booting with uefi
> >> OpenBSD/amd64 BOOTX64 3.54
> boot>

When system is booted root disk is sd0
> # mount | grep sd0a
> # /dev/sd0a on / type ffs (local)


I don't know what else might be useful. I have no idea what else I can
do here :(

-- 
.-.---.--.-.
| Michal Lyszczek | Embedded C, Linux |   Company Address|  .-. opensource |
| +48 727 564 419 | Software Engineer | Akacjowa 10a; 55-330 |  oo|  supporter |
| https://bofc.pl `.--: Brzezinka Sredzka PL | /`'\  & |
| GPG FF1EBFE7E3A974B1 | Bits of Code | NIP:   813 349 58 78 |(\_;/) programer |
`--^--^--^-'




Re: pf queue on packets with state

2021-02-02 Thread michal . lyszczek
Hi Stuart, thank you for your clear reply
On 2021-02-02 22:41:49, Stuart Henderson wrote:
> Whichever rule creates state for the packets that you want to send
> to a queue should have the queue assignment. The queue name is attached
> to the PF state; when the packet is transmitted outbound it will use
> the queue of that name on that interface.

Yup, that was it. Instead of doing

  match out on $i_lan all set queue q_lte_in_http set prio 0

I did it "the opposite" way

  match in on $i_lan all set queue q_lte_in_http set prio 0

Also in my real rules I've changed "from port $p_http" to "to port $p_http",
and it started to match queues as expected. Thank you!

I did read something around these lines on the openbsd forum, that queues
are tied to input state, but I was just trying to do "pass in $i_lan".
It never occurred to me to try to do 'set queue' during the 'in' part. I've read
about queueing in pf.conf(5) and nothing there hints this also.

> You don't want queue names dealing with in/out/interface. Just the type
> of traffic / queue policy / whatever. For example "user1", "user2", ..
> or "http", "dns", .. or "high/med/low" or something.
> 
Yes, I am indeed queueing by service dns/ssh/games, but my firewall has
multiple WAN interfaces with different speed so I also must specify this.
In examples I wanted to keep things to bare minimum so people do not have
to waste time thinking what mess I have in my pf.conf :D

> I find it easier to make the match rule setting the queue quite wide,
> then do anything more complex (IP/port restrictions etc) in pass/block
> rules.

> You should use some variant of "block" covering all traffic as your
> first rule ("block" / "block log" etc) so that packets are not allowed
> to pass unless they create state. This makes it easier to figure out
> the queues, and prevents state tracking getting messed up with TCP (the
> TCP state must be created from a SYN packet not an intermediate packet
> otherwise it doesn't know what the window-scaling value is, which will
> cause longer lasting or fast connections to get dropped incorrectly).

That's what I think too, I use pf in "block by default" and have rules
to block everything at top. And I intend to queue packets by service port
or IP.

> > Is there any way to limit ingress on some ips/ports? I'd like to limit
> > greedy apps like youtube or netflix from taking all the bandwidth.
> 
> Good luck finding the relevant IPs for these ;) You might like to play
> with "burst" and see if you can do something that way. (e.g. standard
> bandwidth is slower, but allow a fast initial burst). But you'll probably
> need to do that with separate queues per IP and it gets to be a pain.

I found some sites with ip ranges for netflix and youtube, they are quite
broad, but it's better than crippled network.


Thank you again for clarification and explaining this to me.

-- 
.-.---.-.--.
| Michal Lyszczek | Embedded C, Linux |   Company Address   |  .-. open source |
| +48 727 564 419 | Software Engineer | Leszczynskiego 4/29 |  oo|  supporter  |
| https://bofc.pl `.--: 50-078 Wroclaw, Pol | /`'\  &  |
| GPG FF1EBFE7E3A974B1 | Bits of Code | NIP:  813 349 58 78 |(\_;/) programer  |
`--^--^-^--'




pf queue on packets with state

2021-02-02 Thread michal . lyszczek
Hi, I'm trying to setup queues on my LTE interface. This machine is firewall
machine with two interfaces: wan and lan. Egress traffic is queueing without
a problem. Rules like

  match out on $i_wan proto {tcp udp} to any port $p_dns set queue q_lte_out_dns set prio 6

work as intended and I can see that rules are being matched in systat queue
and rules.

Problem is with ingress packets. Yes, I know people say it makes no sense to
do it, but I believe it can work for TCP traffic. The slower a program is
receiving data, the slower it will ACK, the slower server will be sending
data, and there should be more space for other packets.

Anyway, it does not seem to work for me. I try the most basic rules:

  queue q_lte_in_root on $i_lan bandwidth 20M max 20M qlimit 50

This works as intended, speedtests do indeed show my speed is more or less
20Mbit. Now I add 2 more queues, default and for http

  queue q_lte_in_std  parent q_lte_in_root bandwidth 512K default qlimit 50
  queue q_lte_in_http parent q_lte_in_root bandwidth 512K qlimit 50

And I create match rule:

  match out on $i_lan all set queue q_lte_in_http set prio 0

And this rule is matched only by a handful of packets. systat queue
shows that majority of packets go through q_lte_in_std, and only some
of the packets go through q_lte_in_http. systat rules also shows only
some of the packets are being matched by that rule.


I don't know, it looks like only packets without state match "match"
rule and are being queued properly? I know filtering will be skipped
for packets that have state but queueing is not skipped. So why can't
I queue packets ingressing on LTE that are being egressed on LAN
interface?

Is there any way to limit ingress on some ips/ports? I'd like to limit
greedy apps like youtube or netflix from taking all the bandwidth.

I read pf.conf man and searched the whole net but I couldn't find
answer to my question. I think I could make it work if I made pf
stateless by default? Performance is not an issue here, machine
can take it, but I couldn't find a way to do stateless by default.

Any ideas? Maybe I didn't read something carefully enough?


-- 
.-.---.-.--.
| Michal Lyszczek | Embedded C, Linux |   Company Address   |  .-. open source |
| +48 727 564 419 | Software Engineer | Leszczynskiego 4/29 |  oo|  supporter  |
| https://bofc.pl `.--: 50-078 Wroclaw, Pol | /`'\  &  |
| GPG FF1EBFE7E3A974B1 | Bits of Code | NIP:  813 349 58 78 |(\_;/) programer  |
`--^--^-^--'




Re: Bridging multiple WAN via VLAN

2020-12-03 Thread michal . lyszczek
On 2020-12-02 09:52:53, Stuart Henderson wrote:
> On 2020-12-01, michal.lyszc...@bofc.pl  wrote:
> > Is it possible? Or am I imaging things and it's better to do it with
> > dhcp/pf routing? If it's possible to do with vlans on layer2, then
> > what am I suppose to look for? I can read man pages, but honestly
> > I don't really know how to approach that problem, so some keywords,
> > programs, rfcs would be nice to have:)
> 
> If they were wired ethernet interfaces then you could do this directly
> with bridge. But bridge needs an ethernet-type layer 2 interface.
> 
> The LTE devices are a layer 3 type interface so this would need to be
> routed (and usually also natted, unless you have a fancy provider that
> can route a block of addresses to it).
Yeah.. I didn't think about that.

> With wifi, an AP often works by bridging to ethernet and that is OK,
> but when connecting a wired device behind a wireless client there are
> problems. The standard frame format has source/destination/AP MAC
> addresses, but for "client bridge" to work it needs a fourth so it
> can pass on the MAC address of the wired client. APs that support
> WDS mode can cope with this, but OpenBSD doesn't have support for
> this, either in client or in AP mode.
> 
> So normally you'll need to use routing and possibly NAT to have
> OpenBSD connect a wired client to a wifi interface.
You made me realize that forcing it do be done on layer2 is way
more complicated and hacky than simple NAT with redirect all, to
specific vlan. NAT is simpler, more clean, and I probably will
still be able to perform good packet queueing and redundancy
on main router. RPI4 should have enough power to forward two
networks that will probably never get faster than 20Mbps each.

Thanks for explanation and opening my eyes:)

-- 
.-.---.-.--.
| Michal Lyszczek | Embedded C, Linux |   Company Address   |  .-. open source |
| +48 727 564 419 | Software Engineer | Leszczynskiego 4/29 |  oo|  supporter  |
| https://bofc.pl `.--: 50-078 Wroclaw, Pol | /`'\  &  |
| GPG FF1EBFE7E3A974B1 | Bits of Code | NIP:  813 349 58 78 |(\_;/) programer  |
`--^--^-^--'




Bridging multiple WAN via VLAN

2020-12-01 Thread michal . lyszczek
Hello,
I was wondering if and how I could bridge 2 WAN interfaces into single
cable over vlan. Sounds cryptic, so let's start with the diagram of what
I'd like to achieve:

  lte   wifi
  \|/   \|/   I have 2 WAN interfaces, LTE and WIFI
   | |Both are connected to OBSD1 box via
   | |USB cable, installation is on a rooftop
  +---+
  | OBSD1 |   OBSD1 is a raspberry pi 4 network thingy
  +---+
  |   From the roof, to my server goes single
  |   CAT5E ethernet cable
  +---+
  | OBSD2 |   OBSD2 is a firewall/router
  +---+
  |   |   |   The rest are various computers, I got that
  |   |   |   part covered
  |   |   |
 LAN DMZ IOT


Now, both LTE and WIFI are USB devices that can give OBSD1 direct
IP address - like modem. I know I could simply operate OBSD1 like
router - install dhcpd to give IP to OBSD2 and forward traffic with
pf. But that seems like unnecessary overhead and I'd like to setup
packet priority/queueing on OBSD2 and treat OBSD1 like a stupid device.

So I was wondering, is it possible to bridge network so that:
(it's easier with another diagram)

  IPIP
1.2.3.4   4.3.2.1
  \|/   \|/
   | |
 +-o-*-+  o - lte usb modem; * - wifi usb card
 | | | |
 |   vlan1 vlan2   |  OBSD1 packs raw layer2 frames into
 | `+' |  separate vlans
 |  |  |
 +--o--+  o - em0 interface
|
| Data goes through single cable
|
 +--o--+  o - em0 interface
 |  |  |
 |.-+-.|  OBSD2 unpacks vlan1 and 2 into separate
 |  vlan1   vlan2  |  virtual interfaces.
 | 1.2.3.4 4.3.2.1 |
 +-+

Now I'd like for vlan1 and vlan2 on OBSD2 to have 1.2.3.4 and 4.3.2.1
IPs, so that I can perform redundancy/load balancing/queueing/whatever
directly on OBSD2 device, and treat OBSD1 like some kind of stupid
switch/hub. Hope it's clear what I'd like to do.



Is it possible? Or am I imagining things and it's better to do it with
dhcp/pf routing? If it's possible to do with vlans on layer2, then
what am I supposed to look for? I can read man pages, but honestly
I don't really know how to approach that problem, so some keywords,
programs, rfcs would be nice to have:)

Or just tell me I'm stupid and overengineering things and I should
go with routing way:)

Thanks in advance for any help with this.

-- 
.-.---.-.--.
| Michal Lyszczek | Embedded C, Linux |   Company Address   |  .-. open source |
| +48 727 564 419 | Software Engineer | Leszczynskiego 4/29 |  oo|  supporter  |
| https://bofc.pl `.--: 50-078 Wroclaw, Pol | /`'\  &  |
| GPG FF1EBFE7E3A974B1 | Bits of Code | NIP:  813 349 58 78 |(\_;/) programer  |
`--^--^-^--'




Re: opening fifo locks process in D state

2018-09-20 Thread michal . lyszczek
On 2018-09-20 09:13:42, Alexandre Ratchov wrote:
> On Wed, Sep 19, 2018 at 11:32:40PM +0200, michal.lyszc...@bofc.pl wrote:
> > Hello,
> >
> > I've stumbled upon a weird problem. Long story short, I try to open
> > fifo two times, once O_WRONLY and once O_RDONLY, both in separate
> > threads - but one process. Unfortunately both threads are locked in
> > open() functions.
> >
> > I prepared very small program that reproduces this problem for me,
> > please see attached file and note that there is no error handling
> > for readability.
> >
> > !!! Also note, this program may get stuck in D state,
> > and you won't be able to SIGKILL it.
> >
> > Anyone got any idea why is this happening? Is something wrong with
> > my code?
>
> This is a kernel bug, no program may behave like this.
>
> > It works properly on netbsd, freebsd, aix, hpux and linux.
> >
> > I don't know what info exactly you might need, but here is uname,
> > it's almost clean system, I didn't make much changes, and
> > especially not in the core.
> >
> > # uname -a
> > OpenBSD bbs-i686-builder-openbsd.kurwinet.pl 6.2 GENERIC#163 i386
>
> This is a old OpenBSD version; I reproduced it on 6.3 but not
> on -current (this doesn't mean the bug was fixed).

I confirm, just upgraded my system to: OpenBSD 6.3 GENERIC#490 i386 and
problem is the same.

I found a workaround. When I change flags in both open() to O_RDWR, the
problem goes away, it's not much but it's something.

Should I post a bug report? I cannot find a way to check if that was
already reported or not.

-- 
Best Regards



opening fifo locks process in D state

2018-09-19 Thread michal . lyszczek
Hello,

I've stumbled upon a weird problem. Long story short, I try to open
fifo two times, once O_WRONLY and once O_RDONLY, both in separate
threads - but one process. Unfortunately both threads are locked in
open() functions.

I prepared very small program that reproduces this problem for me,
please see attached file and note that there is no error handling
for readability.

!!! Also note, this program may get stuck in D state,
and you won't be able to SIGKILL it.

Anyone got any idea why is this happening? Is something wrong with
my code? It works properly on netbsd, freebsd, aix, hpux and linux.

I don't know what info exactly you might need, but here is uname,
it's almost clean system, I didn't make much changes, and
especially not in the core.

# uname -a
OpenBSD bbs-i686-builder-openbsd.kurwinet.pl 6.2 GENERIC#163 i386

Output of program on openbsd
$ ./a.out
opening ./test-fifo O_WRONLY
opening ./test-fifo O_RDONLY

and on linux
$ ./a.out
opening /tmp/test-fifo O_WRONLY
opening /tmp/test-fifo O_RDONLY
opened /tmp/test-fifo O_RDONLY
opened /tmp/test-fifo O_WRONLY
producer read: test message

-- 
Best Regards
/* test of unix fifo
 *
 * compile:
 * gcc fifo.c -pthread
 *
 * Note: the header names were lost when the message was archived; the
 * list below is restored from what the code uses (printf, strlen, open,
 * write/read/close/unlink, pthreads, mkfifo). There is deliberately no
 * error handling, as the message says.
 */

#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <pthread.h>
#include <sys/types.h>
#include <sys/stat.h>

static const char *fifo_path = "/tmp/test-fifo";
static const char *str = "test message";

/* Writer thread (the author's naming, "consumer", is kept): open the fifo
 * O_WRONLY, which blocks until some reader has opened it, then send str. */
void *consumer(void *arg)
{
	int fd;
	(void)arg;

	printf("opening %s O_WRONLY\n", fifo_path);
	fd = open(fifo_path, O_WRONLY);
	printf("opened %s O_WRONLY\n", fifo_path);

	write(fd, str, strlen(str));
	close(fd);
	return NULL;
}

/* Reader thread ("producer" in the author's naming): open the fifo O_RDONLY,
 * which blocks until some writer has opened it, then read one message. */
void *producer(void *arg)
{
	int fd;
	char buf[16] = {0};
	(void)arg;

	printf("opening %s O_RDONLY\n", fifo_path);
	fd = open(fifo_path, O_RDONLY);
	printf("opened %s O_RDONLY\n", fifo_path);

	read(fd, buf, strlen(str));
	printf("producer read: %s\n", buf);
	close(fd);
	return NULL;
}

int main(void)
{
	pthread_t consumer_t;
	pthread_t producer_t;

	unlink(fifo_path);
	mkfifo(fifo_path, 0777);

	/* Both open() calls happen in one process, in separate threads. On the
	 * OpenBSD versions named in the thread neither open() ever returns. */
	pthread_create(&consumer_t, NULL, consumer, NULL);
	pthread_create(&producer_t, NULL, producer, NULL);

	pthread_join(producer_t, NULL);
	pthread_join(consumer_t, NULL);

	return 0;
}


Re: syspatch ideas

2017-05-15 Thread Michal Bozon
On 2017-05-15 Mon 02:50, Theo de Raadt wrote:
> ...
> This system is intentionally simple, to create robustness via simplicity.
> 
> I think you are being critical because you think it is amusing.
> 

(please note that the subject is still "syspatch ideas")

The syspatch infrastructure itself is amusing, not necessarily so
for the currently available syspatch(8) feature set.

Yet more than discussed patchset revert feature i do miss
-v(erbose) option and/or mentioned -L(ist patched files) option.

It reminds me the discomfort of absence of -v option to rm(1) -r $dir
(which is fakeable by doing `find $dir` beforehand; manual listing
of syspatch-patched files is much more complicated)



Re: syspatch ideas

2017-05-15 Thread Michal Bozon
On 2017-05-15 Mon 08:19, Michal Bozon wrote:
> > > ...
> > ...
> ...
> Reverting the last patchset would be reverting the patches from the last
> patchset file, and removing that file.
> 

correction/addition: in the reverse order



Re: syspatch ideas

2017-05-15 Thread Michal Bozon
On 2017-05-15 Mon 02:23, Theo de Raadt wrote:
> >On 2017-05-15 Mon 01:31, Theo de Raadt wrote:
> >> >2) Notion of transactions
> >> >
> >> >Often, more patches are installed at once, with the single `syspatch`
> >> >command. One might want to be able to revert all those patches at once
> >> >as well. A notion of transactions could be made by adding a notion
> >> >of transactions, but that would add more unnecessary complexity.
> >> >
> >> >It can be solved simpler way, by adding the line with the list of
> >> >patches applied, e.g.
> >> >
> >> >  # syspatch
> >> >  Installing patch 005_pf_src_tracking
> >> >  Get/Verify syspatch61-006_libssl.tgz 100% |*|  2276 KB
> >> > 00:04
> >> >  Installing patch 006_libssl
> >> >  Get/Verify syspatch61-007_freetyp... 100% |*|   732 KB
> >> > 00:01
> >> >  Installing patch 007_freetype
> >> >  Missing set, skipping patch 007_freetype
> >> >  Patches applied: 5,6
> >> >
> >> >and by adding support for -r optional argument, which could be comma 
> >> >separated
> >> >patch number list.
> >> 
> >> That is incorrect.
> >> 
> >> The usage situations are no patches, or all of the patches, or a
> >> subset and you are about to install to get more /all of them.  You
> >> don't get to choose which you want, unless all newer ones are ripped out 
> >> also.
> >> 
> >> We don't manage dependencies.
> >> 
> >> This tooling is designed to make errata handling EASY FOR US.  Otherwise,
> >> we would not bother building this service.
> >> 
> >
> >Here i agree.
> >
> >If not providing easy ability to revert arbitrary list of patches, what about
> >handling "transactions" or "syspatch sessions" or "patchsets" internally:
> >
> >After successful application of patch(es), create 
> >/var/syspatch/patchset.$TIMESTAMP
> >with list of applied patches (line by line).
> >
> >Reverting the last patchset would be reverting the patches from the last
> >patchset file, and removing that file.
> 
> You haven't justified need.
> 
> They are either installed, or not, and existence of files and directories
> already indicates the patchlevel.
> 

I think the justification is:

Why do i even need to revert a patch? Only because something got broken
by the last syspatch command, that may have applied multiple patches.
I might not know which patch caused the problem.

If the problematic patch was not the last one from the set,
reverting with -r does not help, because it reverts the single last patch only.

Well, applying `syspatch -r` repeatedly is a sort of solution as well.



Re: syspatch ideas

2017-05-15 Thread Michal Bozon
On 2017-05-15 Mon 01:31, Theo de Raadt wrote:
> >2) Notion of transactions
> >
> >Often, more patches are installed at once, with the single `syspatch`
> >command. One might want to be able to revert all those patches at once
> >as well. A notion of transactions could be made by adding a notion
> >of transactions, but that would add more unnecessary complexity.
> >
> >It can be solved simpler way, by adding the line with the list of
> >patches applied, e.g.
> >
> >  # syspatch
> >  Installing patch 005_pf_src_tracking
> >  Get/Verify syspatch61-006_libssl.tgz 100% |*|  2276 KB00:04
> >  Installing patch 006_libssl
> >  Get/Verify syspatch61-007_freetyp... 100% |*|   732 KB00:01
> >  Installing patch 007_freetype
> >  Missing set, skipping patch 007_freetype
> >  Patches applied: 5,6
> >
> >and by adding support for -r optional argument, which could be comma separated
> >patch number list.
> 
> That is incorrect.
> 
> The usage situations are no patches, or all of the patches, or a
> subset and you are about to install to get more /all of them.  You
> don't get to choose which you want, unless all newer ones are ripped out also.
> 
> We don't manage dependencies.
> 
> This tooling is designed to make errata handling EASY FOR US.  Otherwise,
> we would not bother building this service.
> 

Here i agree.

If not providing easy ability to revert arbitrary list of patches, what about
handle "transactions" or "syspatch sessions" or "patchsets" internally:

After successful application of patch(es), create 
/var/syspatch/patchset.$TIMESTAMP
with list of applied patches (line by line).

Reverting the last patchset would be reverting the patches from the last
patchset file, and removing that file.



syspatch ideas

2017-05-14 Thread Michal Bozon
Hi,
the syspatch utility for now knows only three options:

 -c(heck for available plugins and list them)
 -l(ist installed patches - "id"'s only)
 -r(evert most recent patch)
.. and recently apparently also
 -R(evert all patches)

Here are two additional features that would be very useful:

1)
 -L(ist files of the recent patch)

For now, i'm doing that with:
  tar tzf /var/syspatch/"$(ls -tr /var/syspatch/ | tail -n 1)"/*.tgz

2) Notion of transactions

Often, more patches are installed at once, with the single `syspatch`
command. One might want to be able to revert all those patches at once
as well. A notion of transactions could be made by adding a notion
of transactions, but that would add more unnecessary complexity.

It can be solved simpler way, by adding the line with the list of
patches applied, e.g.

  # syspatch
  Installing patch 005_pf_src_tracking
  Get/Verify syspatch61-006_libssl.tgz 100% |*|  2276 KB00:04
  Installing patch 006_libssl
  Get/Verify syspatch61-007_freetyp... 100% |*|   732 KB00:01
  Installing patch 007_freetype
  Missing set, skipping patch 007_freetype
  Patches applied: 5,6

and by adding support for -r optional argument, which could be comma separated
patch number list.

(And this optional argument support would be also nice for the proposed -L option)


thanks for very handy feature,
Michal Bozon
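
The "patchset" idea from this thread, implemented as a wrapper around the stock tool rather than a change to syspatch itself. This is an added example, not code from the thread or from OpenBSD: it records the patches each run installs in a patchset file and reverts the newest patchset by calling `syspatch -r` once per recorded patch, refusing when the newest installed patches no longer match the file (since -r only ever removes the most recent one). The `$SYSPATCH` and `$PATCHSET_DIR` variables, the file naming and the assumption that patch ids sort in install order (as the zero-padded 005_/006_/007_ ids in the thread do) are mine.

```shell
#!/bin/sh
# Added example, not part of syspatch(8) or this thread: record each syspatch
# run as a "patchset" and revert the newest patchset with repeated syspatch -r.
# Assumptions (mine, not from the page): $SYSPATCH names the syspatch command
# (overridable so a stand-in can be used), $PATCHSET_DIR is where the
# patchset.<timestamp> files live, and patch ids sort in install order, as the
# zero-padded ids in the thread (005_..., 006_..., 007_...) do.

SYSPATCH="${SYSPATCH:-syspatch}"
PATCHSET_DIR="${PATCHSET_DIR:-/var/syspatch}"

# Installed patch ids, one per line, sorted (wraps `syspatch -l`).
installed_patches() {
	"$SYSPATCH" -l | sort
}

# Run syspatch and record the patches it installed as one patchset file.
# Prints the new file's path; prints nothing if no patch was installed.
apply_patchset() {
	_tmp=$(mktemp -d) || return 1
	installed_patches > "$_tmp/before"
	"$SYSPATCH" > /dev/null	# some patches may be skipped; we diff anyway
	installed_patches > "$_tmp/after"
	_new=$(comm -13 "$_tmp/before" "$_tmp/after")	# lines only in "after"
	rm -rf "$_tmp"
	[ -n "$_new" ] || return 0
	_file="$PATCHSET_DIR/patchset.$(date +%Y%m%dT%H%M%S).$$"
	printf '%s\n' "$_new" > "$_file" || return 1
	printf '%s\n' "$_file"
}

# Revert the most recent patchset. syspatch -r only removes the newest patch,
# so first make sure the newest installed patches are exactly this patchset;
# otherwise repeated -r would strip patches from a later run as well.
revert_last_patchset() {
	_file=$(ls "$PATCHSET_DIR"/patchset.* 2>/dev/null | sort | tail -n 1)
	if [ -z "$_file" ]; then
		echo "no patchset recorded in $PATCHSET_DIR" >&2
		return 1
	fi
	_count=$(wc -l < "$_file" | tr -d ' ')
	if [ "$(installed_patches | tail -n "$_count")" != "$(cat "$_file")" ]; then
		echo "newest installed patches differ from $_file; refusing to revert" >&2
		return 1
	fi
	_i=0
	while [ "$_i" -lt "$_count" ]; do
		"$SYSPATCH" -r || return 1
		_i=$((_i + 1))
	done
	rm -f "$_file"
}
```

Usage is `doas sh -c '. ./patchset.sh; apply_patchset'` after an errata announcement and `revert_last_patchset` when the box misbehaves afterwards. The on-disk state that Theo points to (the per-patch directories under /var/syspatch) stays authoritative; the patchset file only remembers which of them arrived together.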



Re: thinkpad x220 with OpenBSD 6.1

2017-05-12 Thread Michal Bozon
On 2017-04-14 Fri 13:28, "misc nick" wrote:
> This e-mail is complementary to the one i sent at dm...@openbsd.org.
> 
> After the completion of the installation process, everything works except:
> 
> -screen brightness controlled by the keyboard
> -suspend/resume when i close the lid
> 
> Both minor issues were resolved when i suspended the laptop from the command 
> line (zzz). Now everything works.
> 
> Thank you OpenBSD team.

same here,
even external display works,
even though it is DVI cable through DVI/DisplayPort adaptor;
it is seen in xrandr as HDMI1.

But when connected via the dock,
(in linux seen as HDMI2), it does not work for me.



Re: [PATCH] Installer bug (MSDOS tildes)

2017-05-12 Thread Michal Bozon
The comment for the mentioned patch reversion was:

  the map-to-lowercase scheme for msdos is not going to work, because other
  filesystems can contain mixed case files (ie. sgi).
  discussed with krw and halex

which does not make much sense to me, because the fix was a conditional treatment
for the MSDOS filesystem.

(which also is not very transparent - i was unable to find the referenced
discussion with krw and alex, but the question of why OpenBSD does not
yet (or anymore) have a bug tracker system is for another discussion)

For the reference, quoted URLs fixed would be:
https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/distrib/miniroot/install.sub#rev1.750
https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/distrib/miniroot/install.sub#rev1.752


On 2017-05-10 Wed 13:27, Theo Buehler wrote:
> A similar diff was briefly committed in 1.750 for the reason you mention:
> https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/distrib/miniroot/install.sub#rev750
> It was backed out again in
> https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/distrib/miniroot/install.sub#rev752
> > ...



Re: [PATCH] Installer bug (MSDOS tildes)

2017-05-10 Thread Michal Bozon
There was a "typo" in my patch, this should be a correct one:

--- /usr/src/distrib/miniroot/install.sub.ooo   Wed May 10 12:19:56 2017
+++ /usr/src/distrib/miniroot/install.sub   Wed May 10 12:48:31 2017
@@ -1804,7 +1804,7 @@
 fi
 
 # Always mount msdos partitions with -s to get lower case names.
-grep -q "^  $resp: .*MSDOS" $_file && _opts="-s"
+grep -q "^  $resp: .*MSDOS" $_file && _opts="-l"
 mount -o ro,$_opts /dev/$_dev$resp /mnt2
 }
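Review bot: the comment on the unchanged context line still says "with -s to get lower case names"; update it to say what `-l` is expected to do, otherwise the comment and the code disagree for the next reader. This hunk also keeps `mount -o ro,$_opts`, which is the form that reaches the msdos mount program, so it must not be combined with the earlier `mount -o ro $_opts` hunk. Since the message says the reason for `-s` is unknown, the history of this line (the reply in this thread points at install.sub rev 1.750 and 1.752) is worth reading before changing the flag.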

I am not sure why "-s" flag is used, maybe it fixed some problem,
but it has introduced another one.

MB


On 2017-05-10 Wed 12:34, Michal Bozon wrote:
> Hi,
> there is a typo in install.sub
> causing problems e.g. when removable FAT32 formatted
> disk with installation files is attached,
> and "disk" is selected as install media:
> 
> INSTALL.i386 not found ...
> (because it is visible as instal~1.i38)
> 
> Directory does not contain SHA256.sig ...
> (because it is visible as sha256.sig)
> 
> here is the patch:
> 
> --- /usr/src/distrib/miniroot/install.sub
> +++ /usr/src/distrib/miniroot/install.sub
> @@ -1805,7 +1805,7 @@
>  
>  # Always mount msdos partitions with -s to get lower case names.
>  grep -q "^  $resp: .*MSDOS" $_file && _opts="-s"
> -mount -o ro,$_opts /dev/$_dev$resp /mnt2
> +mount -o ro $_opts /dev/$_dev$resp /mnt2
>  }
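Review bot: this quoted hunk and the `-s` to `-l` hunk above touch the same two lines but are alternatives, not a series: applying both would produce `mount -o ro -l /dev/...`, which hands `-l` to mount(8) itself rather than to the msdos mount program. Only the unquoted hunk should be considered.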
> 
> 
> regards,
> Michal Bozon



[PATCH] Installer bug (MSDOS tildes)

2017-05-10 Thread Michal Bozon
Hi,
there is a typo in install.sub
causing problems e.g. when removable FAT32 formatted
disk with installation files is attached,
and "disk" is selected as install media:

INSTALL.i386 not found ...
(because it is visible as instal~1.i38)

Directory does not contain SHA256.sig ...
(because it is visible as sha256.sig)

here is the patch:

--- /usr/src/distrib/miniroot/install.sub
+++ /usr/src/distrib/miniroot/install.sub
@@ -1805,7 +1805,7 @@
 
 # Always mount msdos partitions with -s to get lower case names.
 grep -q "^  $resp: .*MSDOS" $_file && _opts="-s"
-mount -o ro,$_opts /dev/$_dev$resp /mnt2
+mount -o ro $_opts /dev/$_dev$resp /mnt2
 }
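Review bot: the `-o ro,$_opts` form is not a typo. mount(8) passes entries with a leading dash inside the `-o` list through to the filesystem-specific mount program, so `-o ro,-s` runs the msdos mount with `-s`, whereas the proposed `mount -o ro $_opts` gives `-s` to mount(8) itself. The symptoms quoted above (instal~1.i38, sha256.sig) are short, lower-cased names, which is exactly what the comment on the context line says `-s` is there for, so it is the flag that needs revisiting, not how it is spliced into the command line. Unquoted `$_opts` only works here because it is either empty or a single flag; a comment saying so would help.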


regards,
Michal Bozon



Re: not exactly (Re: systrace removed? Why?)

2016-09-03 Thread Michal Bozon
if someone's interested, here is a list of fs differences i found
between 6.0 upgraded from 5.9 and a 6.0 install,
with some obvious differences like the smtpd spool or sysmerge
backups removed (amd64/qemu):

http://pastebin.com/raw/VPkdbvxy (text/plain)

(not pasting because of long lines)

hth



Re: not exactly (Re: systrace removed? Why?)

2016-09-03 Thread Michal Bozon
> > good(?) news: sysmerge is gone in 6.0
> > but not removed by 5.9 to 6.0 upgrade process.
> > 
> 
> I really have a hard time understanding what you're trying to point out.
> 
> Yes, systrace is gone, but it's an ordinary binary that does no harm,
> feel free to remove it if it makes you feel better.
> 
> sysmerge isn't gone, but it is executed automatically if you use a
> bsd.rd upgrade, hence it's only mentioned in the manual upgrade process.

ok, never mind,
i have just spotted it when comparing fs trees of
freshly installed 6.0 and
freshly installed/upgraded 5.9/6.0

.. and made sure to report it immediately,
since the removal of systrace is advertised
as a security enhancement :)



Re: not exactly (Re: systrace removed? Why?)

2016-09-03 Thread Michal Bozon
> good(?) news: sysmerge is gone in 6.0
> but not removed by 5.9 to 6.0 upgrade process.

s/sysmerge/systrace/



not exactly (Re: systrace removed? Why?)

2016-09-03 Thread Michal Bozon
> Why?

good(?) news: sysmerge is gone in 6.0
but not removed by 5.9 to 6.0 upgrade process.



Re: lyrics.html nit.

2016-08-12 Thread Michal Bozon
> -With twitchy fingers on flashing keys
> +Twitchy fingers, flashing keys
> 
> -always claiming "it was just a prank!"
> +Claiming "it was just a prank!"

hi, this time (60c), i hear this:

 Money, donate your pay.
 Automate with a cron job and we'll be ok.
+Money, donate your pay.
 Thoughtful programming versus "just make it fast".
 ...
 Not donating, it's a crime.
 ...

finally, i would do s/\.$//, to be consistent.

ps: not guilty, bought at least 0b100 mugs



Re: hostname.if manpage enhancement: be clearer about #

2016-08-12 Thread Michal Bozon
> Even adding "debug" keyword did not assure me
> whether the problem is with my password definition:
> wpakey s3cur3-as-#311, for illustration (was not sure
> if the '#' has to be escaped somehow); or somewhere
> else. Finally, it was the latter, but it took me a while
> to realize that.

.. or maybe i should use simple english:

$ grep key /etc/hostname.ath0
wpakey s3cur3-as-#311

$ doas ifconfig ath0 | perl -ne 'print if /status|key/'
status: active
ieee80211: nwid m ... wpakey 
0x15b752645ecc6e52bf04052097af3d16031019d953f5c96cbdfeeabd223b2c89 ...

$ ./wpakey.pl 's3cur3-as-#311' m 
0x15b752645ecc6e52bf04052097af3d16031019d953f5c96cbdfeeabd223b2c89

$ cat wpakey.pl
#!/usr/bin/perl
# WPA PSK = PBKDF2-HMAC-SHA1(passphrase, salt = SSID, 4096 iterations, 32 bytes);
# prints it in the 0x... form ifconfig shows after "wpakey".
use strict;
use Crypt::PBKDF2;
my $pw = $ARGV[0];     # passphrase, taken verbatim ('#' included)
my $salt = $ARGV[1];   # SSID (nwid)
my $kdf = Crypt::PBKDF2->new(
  hash_class => "HMACSHA1",
  iterations => 4096,
  output_len => 32
);
my $h = $kdf->PBKDF2_hex($salt, $pw);
print "0x$h\n";



Re: hostname.if manpage enhancement: be clearer about #

2016-08-12 Thread Michal Bozon
Theo de Raadt wrote:
> > > As i said, my config with # in the password worked
> > > without any escaping or quoting needed.
> > > 
> > 
> > i understood from your mail that you'd had to escape it.
> 
> that is correct.
...

now i'm jealous, i want to be able to read other
people's thoughts too.



Re: hostname.if manpage enhancement: be clearer about #

2016-08-11 Thread Michal Bozon
> On Mon, Aug 08, 2016 at 10:23:22AM +0200, Michal Bozon wrote:
> > Hi, I've had an issue connecting to a wireless network
> > (by doas sh /etc/netstart $if). Its password contained
> > '#' character(s).
> > 
> > Even adding "debug" keyword did not assure me
> > whether the problem is with my password definition:
> > wpakey s3cur3-as-#311, for illustration (was not sure
> > if the '#' has to be escaped somehow); or somewhere
> > else. Finally, it was the latter, but it took me a while
> > to realize that.
> > 
> > Current hostname.if manpage is not absolutely clear:
> > 
> >   #Comments are allowed.  Anything following a comment
> >   character is treated as a comment.
> > 
> > It suggests that what is before '#' might have a meaning,
> > while the broader context of the definition strongly suggests
> > that comment it is when '#' "keyword" is at the beginning.
> > 
> > Looking into /etc/netstart might also be confusing -
> > just at the beginning, there's stripcom() function definition,
> > which clearly strips the input line from '#' and following.
> > However, this function is NOT applied to /etc/hostname.if,
> > it is treated differently, entire line beginning with '#'
> > is skipped (see # Skip comments and empty lines).
> > 
> > I am therefore proposing following or similar change:
> > 
> > --- /usr/src/share/man/man5/hostname.if.5
> > +++ /usr/src/share/man/man5/hostname.if.5
> > @@ -201,7 +201,7 @@
> >  the interface, such as 64.
> >  .It Li #
> >  Comments are allowed.
> > -Anything following a comment character is treated as a comment.
> > +Line beginning with a comment character is treated as a comment.
> >  .It Li \&! Ns Ar command
> >  Arbitrary shell commands can be executed using this directive, as
> >  long as they are available in the single-user environment (for
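Review bot: the replacement sentence turns one absolute statement into another, and the `up  # blah blah` case raised right below shows the new one is wrong for trailing comments after a keyword. A diff to this `.It Li #` entry should describe both situations (a trailing `# ...` after a keyword, and a `#` inside a value that must be quoted) rather than narrow the definition. Grammar nit: "A line beginning with".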
> > 
> 
> hi.
> 
> the diff as-is is wrong. i mean it's valid to have this in your
> hostname.if file:
> 
>   up  # blah blah
> 
> that's a very common construct, and is allowed.
> 
> however it might be that to the list of things that should be double
> quoted (whitespace and single quotes) we should add the comment
> character. i'm not sure though.
> 
> jmc


Indeed, my initial analysis was not correct, it is more, say,
complicated.

As i said, my config with # in the password worked
without any escaping or quoting needed.

!echo foo # boo
will echo foo

!echo foo#boo
will echo foo#boo

up # blah blah
will work just because in fact it is ignored, because the interface is
up-ped automatically, implicitly

dhcp # blah blah
will NOT work, because in the end it is interpreted as cmd:
ifconfig ath0 # blah blah   down;dhclient ath0



Re: ksh, ctrl-r followed by arrow key leaves "[D" or "[C" artifacts

2016-08-08 Thread Michal Bozon

Hi, this also bugs me. But ksh is not bash. Try hitting ESC
before an arrow. (I'm not sure if it is a consistent keystroke
behavior of ksh or not)

Here's one of older threads to this:

https://marc.info/?t=12126533981&r=1&w=2


regards,
Michal Bozon


Dave Cohen wrote:

...
I'll try to describe an annoyance with my ksh setup.  Web and man
page searching has not provided a solution.  I'm relatively new to
both ksh and openbsd. I'm on version
5.9 release.

Problem happens when I navigate command history with ctrl-r, then use
left or right arrow.  Hitting left arrow writes "[D", right inserts
"[C".  I'm hitting the arrow keys so I can edit my prior command.
It's a habit I'm used to that works in bash.
...




hostname.if manpage enhancement: be clearer about #

2016-08-08 Thread Michal Bozon
Hi, I've had an issue connecting to a wireless network
(by doas sh /etc/netstart $if). Its password contained
'#' character(s).

Even adding "debug" keyword did not assure me
whether the problem is with my password definition:
wpakey s3cur3-as-#311, for illustration (was not sure
if the '#' has to be escaped somehow); or somewhere
else. Finally, it was the latter, but it took me a while
to realize that.

Current hostname.if manpage is not absolutely clear:

  #Comments are allowed.  Anything following a comment
  character is treated as a comment.

It suggests that what is before '#' might have a meaning,
while the broader context of the definition strongly suggests
that it is a comment only when the '#' "keyword" is at the beginning.

Looking into /etc/netstart might also be confusing -
just at the beginning, there's stripcom() function definition,
which clearly strips the input line from '#' and following.
However, this function is NOT applied to /etc/hostname.if,
it is treated differently, entire line beginning with '#'
is skipped (see # Skip comments and empty lines).

I am therefore proposing following or similar change:

--- /usr/src/share/man/man5/hostname.if.5
+++ /usr/src/share/man/man5/hostname.if.5
@@ -201,7 +201,7 @@
 the interface, such as 64.
 .It Li #
 Comments are allowed.
-Anything following a comment character is treated as a comment.
+Line beginning with a comment character is treated as a comment.
 .It Li \&! Ns Ar command
 Arbitrary shell commands can be executed using this directive, as
 long as they are available in the single-user environment (for
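Review bot: the new sentence restricts comments to lines that begin with `#`, but the reply in this thread points out that `up  # blah blah` is a common, accepted construct, so the replacement would be wrong in the other direction. The finding that motivates the post is that a `#` inside a value (the wpakey) is passed through untouched, so the useful documentation change is to keep the existing sentence and add one on when a value containing `#` must be double quoted, once that is confirmed against /etc/netstart. Minor: "A line beginning with" reads better than "Line beginning with".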



Re: lyrics.html nit.

2016-08-04 Thread Michal Bozon

this is what i hear:


-With twitchy fingers on flashing keys
+Twitchy fingers, flashing keys

-always claiming "it was just a prank!"
+Claiming "it was just a prank!"


regards,
michal bozon



"Abort trap" when pledge()d and compiled with -pg

2016-02-13 Thread Michal Mazurek
When compiling a program that calls pledge(2) with "-pg" the resulting
binary will execute seemingly fine, but at the very end die with:
Abort trap (core dumped)
I think the problem lies in a call to profil(2).

Is this a bug or a feature?

-- 
Michal Mazurek



Re: CD's arrived

2015-10-09 Thread Michal Bozon
On 2015-10-08 Thu 16:33, Aaron Poffenberger wrote:
> On 10/08/15 16:13, ian kremlin wrote:
> >Hello
> >
> >Syracuse, NY -- no CD, but poster has arrived. looks great!
> >
> >http://ce.gl/openbsd-5.8-poster.jpg
> >
> >ian
> >
> >On Wed, Oct 7, 2015 at 10:51 AM, M Wheeler <6f84c...@refn.co.uk> wrote:
> >>CD's arrived today UK. Thanks again.
> >
> Bonus points for effective use of Symbolics keyboard, manual and panel!
> 

Does it mean that the poster did arrive rather in a tube instead of
a large flat envelope?



Re: 2^64 - 39 ...

2015-09-09 Thread Michal Bozon
> ...
> Michael
> 

you have won!


> 
> --- /usr/src/games/factor/factor.c  Wed Oct 28 00:59:24 2009
> +++ factor.cTue Sep  8 20:06:44 2015
> @@ -192,6 +192,19 @@ pr_fact(u_int64_t val) /* Factor this value. 
> */
> (void)putchar('\n');
>  }
>  
> +static u_int32_t
> +int_sqrt(u_int64_t y)
> +{
> +int i;
> +u_int32_t m_i;
> +u_int32_t m = 0;
> + 
> +for (i = 32; i >= 0; i--) {
> +m_i = m | (1U << i);
> +if ((u_int32_t)m_i * m_i <= y) m = m_i;
> +}
> +return m;
> +}
>  
>  /* At this point, our number may have factors greater than those in primes[];
>   * however, we can generate primes up to 32 bits (see primes(6)), which is
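Review bot: `int_sqrt` is inexact for the very inputs this patch targets, for two reasons. `for (i = 32; ...)` evaluates `1U << 32`, which is undefined for a 32-bit unsigned, and `(u_int32_t)m_i * m_i` is a 32-bit product that wraps once m_i reaches 65536, so for y near 2^64 the comparison is against a truncated value. Use `i = 31` and `(u_int64_t)m_i * m_i <= y` (m_i < 2^32, so the 64-bit product cannot overflow); with those two changes the function is an exact floor(sqrt(y)) over the whole 64-bit range.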
> @@ -208,7 +221,7 @@ pr_bigfact(u_int64_t val)   /* Factor this value. */
> char table[TABSIZE];/* Eratosthenes sieve of odd numbers */
>  
> start = *pr_limit + 2;
> -   stop  = (ubig)sqrt((double)val);
> +   stop  = int_sqrt(val);
> if ((stop & 0x1) == 0)
> stop++;
> /*
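Review bot: this line is the actual fix (an integer bound instead of `sqrt((double)val)`, which rounds val to a double before taking the root), but it only helps once `int_sqrt` above is exact. 18446744030759878681 (4294967291^2, the worst case named in this thread) is the natural regression test for it; whether the other composites listed in the thread are fixed by this change alone should be checked separately, since their smallest factors lie well inside the old bound.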



Re: 2^64 - 39 ...

2015-09-07 Thread Michal Bozon
.. i was wondering before, why *bin/factor is in games, now i get it.
Very nice observation!

Another factor game fake primes:

18446744073709551503 == 2^64 - 113 == 119026343 * 154980348121
18446744073709551499 == 2^64 - 117 == 363269 * 50779846542671
18446744073709551491 == 2^64 - 125 == 315781601 * 58416145891
18446744073709551461 == 2^64 - 155 == 76511 * 241099241595451
...
i like this one:

18446744073709551043 == 2^64 - 573 == 83401 * 95279 * 2321406917


m.


> ... is the greatest composite OpenBSD prime.
...
> $ /usr/games/factor $n
...



Re: 2^64 - 39 ...

2015-09-07 Thread Michal Bozon
there's more..

  * worst case is 18446744030759878681, which is
previous_prime(sqrt(2^64))^2, which is
4294967291^2

  * _smallest_ OpenBSD composite prime seems to be 4295360521,
which is 65539^2


Michal Bozon
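
To see the two halves of this thread's problem in working code, here is an added example that is not code from factor(6) or from the patch above: an exact 64-bit integer square root suitable as the trial-division bound, a function showing what the double conversion in `sqrt((double)val)` does to the input, and a trial-division factoriser built on the exact bound. The numbers used are the ones quoted in the thread; the helper names and the `MAXF` limit are mine.

```c
/*
 * Added example, not code from factor(6) or from the patch in this thread:
 * an exact 64-bit integer square root for the trial-division bound, a look
 * at what the double conversion in sqrt((double)val) does to the input, and
 * a trial-division factoriser built on the exact bound. factor64() is
 * O(sqrt(n)) in the worst case, so it is for checking the listed composites,
 * not for grinding through the 4294967291^2 case itself.
 */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAXF 64	/* a 64-bit value has at most 64 prime factors */

/* floor(sqrt(y)) built bit by bit; c < 2^32, so c*c never overflows. */
static uint64_t isqrt64(uint64_t y)
{
	uint64_t m = 0;
	for (int i = 31; i >= 0; i--) {
		uint64_t c = m | ((uint64_t)1 << i);
		if (c * c <= y)
			m = c;
	}
	return m;
}

/*
 * The value sqrt((double)y) really works on: y rounded to the nearest double
 * (53-bit mantissa). For y = 4294967291^2 it lands 25 below the perfect
 * square, so whether the truncated root still reaches 4294967291 depends on
 * rounding inside sqrt(); isqrt64() has no such dependence. Inputs that round
 * to 2^64 are reported as UINT64_MAX since they no longer fit.
 */
static uint64_t rounded_input(uint64_t y)
{
	double d = (double)y;
	if (d >= 18446744073709551616.0)
		return UINT64_MAX;
	return (uint64_t)d;
}

/* Trial division with the exact bound; returns the number of factors stored. */
static size_t factor64(uint64_t n, uint64_t *out, size_t max)
{
	size_t k = 0;
	uint64_t p, lim;

	if (n < 2)
		return 0;
	while (n % 2 == 0 && k < max) {
		out[k++] = 2;
		n /= 2;
	}
	lim = isqrt64(n);
	for (p = 3; p <= lim && k < max; p += 2) {
		if (n % p != 0)
			continue;
		do {
			out[k++] = p;
			n /= p;
		} while (n % p == 0 && k < max);
		lim = isqrt64(n);	/* shrink the bound as n shrinks */
	}
	if (n > 1 && k < max)
		out[k++] = n;	/* prime: no factor below p divides it */
	return k;
}

/* Small wrappers so single results can be checked without arrays. */
static size_t factor_count(uint64_t n)
{
	uint64_t f[MAXF];
	return factor64(n, f, MAXF);
}

static uint64_t nth_factor(uint64_t n, size_t i)
{
	uint64_t f[MAXF];
	size_t k = factor64(n, f, MAXF);
	return i < k ? f[i] : 0;
}

static int factors_multiply_back(uint64_t n)
{
	uint64_t f[MAXF], prod = 1;
	size_t k = factor64(n, f, MAXF);
	for (size_t i = 0; i < k; i++)
		prod *= f[i];
	return k > 0 && prod == n;
}

int main(void)
{
	uint64_t worst = 18446744030759878681ULL;	/* 4294967291^2 */
	uint64_t f[MAXF];
	size_t k, i;

	printf("isqrt64(%" PRIu64 ") = %" PRIu64 "\n", worst, isqrt64(worst));
	printf("as a double it is %" PRIu64 " (%" PRIu64 " below)\n",
	    rounded_input(worst), worst - rounded_input(worst));
	k = factor64(18446744073709551043ULL, f, MAXF);	/* 2^64 - 573 */
	for (i = 0; i < k; i++)
		printf("%s%" PRIu64, i ? " * " : "", f[i]);
	printf("\n");
	return 0;
}
```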



Re: OpenBSD 5.7 httpd tls intermediate/chain certificate problem

2015-05-14 Thread Michal Lesniewski

On 14.05.2015 15:02, Joel Sing wrote:

On Thursday 14 May 2015, Michal Lesniewski wrote:

Hello,

I'm trying to configure OpenBSD 5.7 httpd with tls with
intermediate/chain certificate without success.

my httpd.conf:

server default {
  listen on 10.11.0.200 tls port 443

  tls {
  certificate /etc/ssl/server-unified.pem
  key /etc/ssl/private/server.key
  }

  root /htdocs/default
}

types {
  include /usr/share/misc/mime.types
}



My certificate is intermediate/chain certificate. That means I need to
supply next level certificate that is between my certificate and CA.

I made that chain certificate concatenating PEM format files with
corresponding certs (all certs Signature Algorithm:
sha256WithRSAEncryption)

cat server.pem sub.class2.server.ca.pem ca-sha2.pem > /etc/ssl/server-unified.pem

server-unified.pem looks like:

-----BEGIN CERTIFICATE-----
(Primary SSL certificate: server.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate: sub.class2.server.ca.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root certificate: ca-sha2.pem)
-----END CERTIFICATE-----

Certificate and key installed in default locations:

# ls -alh /etc/ssl/private/server.key
-r--------  1 root  wheel   6.2K May 13 19:40 /etc/ssl/private/server.key
# ls -alh /etc/ssl/server.pem
-rw-r--r--  1 root  wheel   3.3K May 13 19:41 /etc/ssl/server.pem
# ls -alh /etc/ssl/server-unified.pem
-rw-r--r--  1 root  wheel   8.0K May 14 13:53 /etc/ssl/server-unified.pem


I try to test using openssl s_client:

michal@michal-MSQ87TN:~$ openssl s_client -connect 10.11.0.200:443
CONNECTED(0003)
GET / HTTP/1.0



httpd log:


# httpd -dvv
startup
server_tls_load_keypair: using certificate /etc/ssl/server-unified.pem
server_tls_load_keypair: using private key /etc/ssl/private/server.key
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_privinit: adding server default
server_privinit: adding server default
socket_rlimit: max open files 1024
server_launch: running server default
server_launch: running server default
server_launch: running server default


there is no server_tls_init
nothing apears when started openssl s_client command

This smells very much like the same problem that has been mentioned on the
list earlier - with a 6KB private key and an 8KB bundle, you're almost
certainly hitting the 16K limit for a single imsg. Unfortunately there were
missing return value checks which means that this fails silently. If you can
try httpd from -current you will likely see an error instead of a silent
failure. Otherwise you can try removing one of the certificates from the
bundle in order to reduce the size and see if it then
reports server_tls_init and starts working.

tested on -current:

# httpd -dv
startup
server_tls_load_keypair: using certificate /etc/ssl/server-unified.pem
server_tls_load_keypair: using private key /etc/ssl/private/server.key
socket_rlimit: max open files 1024
server_privinit: adding server default
server_privinit: adding server default
config_setserver: failed to compose IMSG_CFG_SERVER imsg for `default': Result too large

fatal: send server: Result too large
socket_rlimit: max open files 1024
logger exiting, pid 4965
socket_rlimit: max open files 1024
server exiting, pid 10727
server exiting, pid 32594
server exiting, pid 5337

The above situation occurs when I have server cert + intermediate + ca and
also with only server cert + intermediate in server-chain.pem.

httpd starts only when I supply only my server cert to it.
Is there any solution to run httpd with such big private key?
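
A pre-flight check for the situation Joel describes, as an added example that is not code from the thread or from httpd(8): it adds up the key file and the bundle against the single-imsg limit, verifies the bundle is leaf-first (each certificate's issuer is the next one's subject, so the orderings tried further down in this thread would be caught), and flags a trailing self-signed root, which a server does not need to send and which is the cheapest thing to drop when the total is over the limit. The 16384-byte limit is my reading of the "16K" figure above, the DER walker only reads the issuer and subject Names and validates nothing, and the sample certificates it builds for its own test run are constructed, unsigned stand-ins, not real certificates.

```python
"""Added example, not code from the thread or from httpd(8): check a key file
and certificate bundle the way Joel's diagnosis suggests, before httpd sees
them. It reports the combined byte count against the single-imsg limit, checks
that the bundle is leaf-first (each certificate's issuer is the next one's
subject) and flags a trailing self-signed root, which a server need not send.
Assumptions of mine: the limit is 16384 bytes (the "16K" in the thread), and
the DER walker only reads issuer/subject, it validates nothing.
"""
import base64
import re
from typing import List, Tuple

IMSG_LIMIT = 16384  # assumed value of the "16K" single-imsg limit

_PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----\r?\n?", re.S)


def split_pem(text: str) -> List[Tuple[str, bytes]]:
    """(label, DER) for every PEM block in text, in file order."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in _PEM_RE.finditer(text)]


def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                      # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def issuer_subject(der: bytes) -> Tuple[bytes, bytes]:
    """Raw DER of the issuer and subject Names of an X.509 certificate."""
    _, cert, _ = _tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)          # tbsCertificate
    tag, _, pos = _tlv(tbs, 0)         # [0] version (optional) or serial
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)     # serialNumber
    _, _, pos = _tlv(tbs, pos)         # signature AlgorithmIdentifier
    start = pos
    _, _, pos = _tlv(tbs, pos)         # issuer Name
    issuer = tbs[start:pos]
    _, _, pos = _tlv(tbs, pos)         # validity
    start = pos
    _, _, pos = _tlv(tbs, pos)         # subject Name
    return issuer, tbs[start:pos]


def check_bundle(key_pem: str, chain_pem: str, limit: int = IMSG_LIMIT) -> dict:
    """Size and ordering report for a private key file and a certificate bundle."""
    certs = [d for lbl, d in split_pem(chain_pem) if lbl == "CERTIFICATE"]
    names = [issuer_subject(d) for d in certs]
    leaf_first = all(names[i][0] == names[i + 1][1]
                     for i in range(len(names) - 1))
    total = len(key_pem.encode()) + len(chain_pem.encode())
    return {"certs": len(certs), "leaf_first": leaf_first,
            "self_signed_root_last": bool(names) and names[-1][0] == names[-1][1],
            "bytes": total, "fits_imsg": total <= limit}


# --- constructed test data: unsigned, X.509-shaped, not real certificates ---

def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn: str) -> bytes:
    # Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String } } }
    rdn = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, rdn))


def sample_cert(subject: str, issuer: str, pad: int = 900) -> str:
    """PEM of a constructed certificate; pad sets the fake signature length."""
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, b"") + _name(issuer) + _der(0x30, b"")
               + _name(subject) + _der(0x30, b""))
    der = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00" * (pad + 1)))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Constructed stand-ins sized like the files above: ~6.5K key, ~3.4K certs.
    key = ("-----BEGIN PRIVATE KEY-----\n" + ("A" * 64 + "\n") * 100
           + "-----END PRIVATE KEY-----\n")
    leaf = sample_cert("www", "Intermediate CA", 2400)
    inter = sample_cert("Intermediate CA", "Root CA", 2400)
    root = sample_cert("Root CA", "Root CA", 2400)
    print("leaf+intermediate+root:", check_bundle(key, leaf + inter + root))
    print("leaf+intermediate     :", check_bundle(key, leaf + inter))
```

Run `check_bundle(open(key).read(), open(bundle).read())` on the real files; with the sizes above the three-certificate bundle is over the limit and dropping the root brings it under, which matches the workaround Joel suggests.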



OpenBSD 5.7 httpd tls intermediate/chain certificate problem

2015-05-14 Thread Michal Lesniewski

Hello,

I'm trying to configure OpenBSD 5.7 httpd with tls with 
intermediate/chain certificate without success.


my httpd.conf:

server default {
listen on 10.11.0.200 tls port 443

tls {
certificate /etc/ssl/server-unified.pem
key /etc/ssl/private/server.key
}

root /htdocs/default
}

types {
include /usr/share/misc/mime.types
}



My certificate is intermediate/chain certificate. That means I need to 
supply next level certificate that is between my certificate and CA.


I made that chain certificate concatenating PEM format files with 
corresponding certs (all certs Signature Algorithm: sha256WithRSAEncryption)


cat server.pem sub.class2.server.ca.pem ca-sha2.pem > /etc/ssl/server-unified.pem


server-unified.pem looks like:

-----BEGIN CERTIFICATE-----
(Primary SSL certificate: server.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate: sub.class2.server.ca.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root certificate: ca-sha2.pem)
-----END CERTIFICATE-----

Certificate and key installed in default locations:

# ls -alh /etc/ssl/private/server.key
-r--------  1 root  wheel   6.2K May 13 19:40 /etc/ssl/private/server.key
# ls -alh /etc/ssl/server.pem
-rw-r--r--  1 root  wheel   3.3K May 13 19:41 /etc/ssl/server.pem
# ls -alh /etc/ssl/server-unified.pem
-rw-r--r--  1 root  wheel   8.0K May 14 13:53 /etc/ssl/server-unified.pem


I try to test using openssl s_client:

michal@michal-MSQ87TN:~$ openssl s_client -connect 10.11.0.200:443
CONNECTED(0003)
GET / HTTP/1.0



httpd log:


# httpd -dvv
startup
server_tls_load_keypair: using certificate /etc/ssl/server-unified.pem
server_tls_load_keypair: using private key /etc/ssl/private/server.key
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_privinit: adding server default
server_privinit: adding server default
socket_rlimit: max open files 1024
server_launch: running server default
server_launch: running server default
server_launch: running server default


there is no server_tls_init
nothing apears when started openssl s_client command


^Clogger exiting, pid 20328
server exiting, pid 17109
server exiting, pid 6140
server exiting, pid 16603
parent terminating, pid 11859


I tested combinations with unified certificate like:

cat server.pem sub.class2.server.ca.pem > /etc/ssl/server-unified.pem
cat ca-sha2.pem sub.class2.server.ca.pem server.pem > /etc/ssl/server-unified.pem
cat sub.class2.server.ca.pem server.pem > /etc/ssl/server-unified.pem

but situation is always as described above.


When I try to change in config file tls certificate to:

tls certificate /etc/ssl/server.pem

where server.pem is PEM format file certificate from my CA (there is no 
entire SSL certificate trust chain) and start httpd:


# httpd -dvv
startup
server_tls_load_keypair: using certificate /etc/ssl/server.pem
server_tls_load_keypair: using private key /etc/ssl/private/server.key
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_privinit: adding server default
server_privinit: adding server default
socket_rlimit: max open files 1024
server_launch: running server default
server_launch: running server default
server_tls_init: setting up TLS for default
server_launch: running server default
server_tls_init: setting up TLS for default
server_tls_init: setting up TLS for default
server_launch: running server default
server_launch: running server default
server_launch: running server default
default 10.11.0.100 - - [14/May/2015:14:07:50 +0200] GET / HTTP/1.0 200 7
server default, client 1 (1 active), 10.11.0.100:52805 - 
10.11.0.200:443, done

^Clogger exiting, pid 5930
server exiting, pid 19884
server exiting, pid 26372
server exiting, pid 14384
parent terminating, pid 22451


I try to test using openssl s_client like before:

michal@michal-MSQ87TN:~$ openssl s_client -connect 10.11.0.200:443
CONNECTED(0003)
depth=0 C = PL, ST = Mazowieckie, L = Warszawa, O = XXX, CN = XXX, 
emailAddress = XXX

verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = PL, ST = Mazowieckie, L = Warszawa, O = XXX, CN = XXX, 
emailAddress = XXX

verify error:num=27:certificate not trusted
verify return:1
depth=0 C = PL, ST = Mazowieckie, L = Warszawa, O = XXX, CN = XXX, 
emailAddress = XXX

verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=PL/ST=Mazowieckie/L=Warszawa/O=XXX/CN=XXX/emailAddress=XXX
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate 
Signing/CN=StartCom Class 2 Primary Intermediate Server CA

---
Server certificate
-----BEGIN CERTIFICATE-----
(Primary SSL certificate: server.pem)
-----END CERTIFICATE-----
subject=/C=PL/ST=Mazowieckie/L=Warszawa/O=XXX/CN=XXX/emailAddress=XXX
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate 
Signing/CN=StartCom Class 2 Primary Intermediate Server CA

Re: OpenBSD 5.7 httpd tls intermediate/chain certificate problem

2015-05-14 Thread Michal Lesniewski

On 14.05.2015 14:43, Abel Abraham Camarillo Ojeda wrote:

On Thu, May 14, 2015 at 7:35 AM, Michal Lesniewski
open...@michal.wildnet.pl wrote:

Hello,

I'm trying to configure OpenBSD 5.7 httpd with tls with intermediate/chain
certificate without success.

my httpd.conf:

server default {
 listen on 10.11.0.200 tls port 443

 tls {
 certificate /etc/ssl/server-unified.pem
 key /etc/ssl/private/server.key
 }


I think this should be

tls certificate /etc/ssl/server-unified.pem
tls key /etc/ssl/private/server.key


the same situation




 root /htdocs/default
}

types {
 include /usr/share/misc/mime.types
}



My certificate is intermediate/chain certificate. That means I need to supply
next level certificate that is between my certificate and CA.

I made that chain certificate concatenating PEM format files with
corresponding certs (all certs Signature Algorithm: sha256WithRSAEncryption)

cat server.pem sub.class2.server.ca.pem ca-sha2.pem > /etc/ssl/server-unified.pem

server-unified.pem looks like:

-----BEGIN CERTIFICATE-----
(Primary SSL certificate: server.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate: sub.class2.server.ca.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root certificate: ca-sha2.pem)
-----END CERTIFICATE-----

Certificate and key installed in default locations:

# ls -alh /etc/ssl/private/server.key
-r--------  1 root  wheel   6.2K May 13 19:40 /etc/ssl/private/server.key
# ls -alh /etc/ssl/server.pem
-rw-r--r--  1 root  wheel   3.3K May 13 19:41 /etc/ssl/server.pem
# ls -alh /etc/ssl/server-unified.pem
-rw-r--r--  1 root  wheel   8.0K May 14 13:53 /etc/ssl/server-unified.pem


I try to test using openssl s_client:

michal@michal-MSQ87TN:~$ openssl s_client -connect 10.11.0.200:443
CONNECTED(0003)
GET / HTTP/1.0



httpd log:


# httpd -dvv
startup
server_tls_load_keypair: using certificate /etc/ssl/server-unified.pem
server_tls_load_keypair: using private key /etc/ssl/private/server.key
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_privinit: adding server default
server_privinit: adding server default
socket_rlimit: max open files 1024
server_launch: running server default
server_launch: running server default
server_launch: running server default


there is no server_tls_init
nothing apears when started openssl s_client command


^Clogger exiting, pid 20328
server exiting, pid 17109
server exiting, pid 6140
server exiting, pid 16603
parent terminating, pid 11859


I tested combinations with unified certificate like:

cat server.pem sub.class2.server.ca.pem > /etc/ssl/server-unified.pem
cat ca-sha2.pem sub.class2.server.ca.pem server.pem > /etc/ssl/server-unified.pem
cat sub.class2.server.ca.pem server.pem > /etc/ssl/server-unified.pem

but situation is always as described above.


When I try to change in config file tls certificate to:

 tls certificate /etc/ssl/server.pem

where server.pem is PEM format file certificate from my CA (there is no
entire SSL certificate trust chain) and start httpd:

# httpd -dvv
startup
server_tls_load_keypair: using certificate /etc/ssl/server.pem
server_tls_load_keypair: using private key /etc/ssl/private/server.key
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_privinit: adding server default
server_privinit: adding server default
socket_rlimit: max open files 1024
server_launch: running server default
server_launch: running server default
server_tls_init: setting up TLS for default
server_launch: running server default
server_tls_init: setting up TLS for default
server_tls_init: setting up TLS for default
server_launch: running server default
server_launch: running server default
server_launch: running server default
default 10.11.0.100 - - [14/May/2015:14:07:50 +0200] GET / HTTP/1.0 200 7
server default, client 1 (1 active), 10.11.0.100:52805 - 10.11.0.200:443,
done
^Clogger exiting, pid 5930
server exiting, pid 19884
server exiting, pid 26372
server exiting, pid 14384
parent terminating, pid 22451


I try to test using openssl s_client like before:

michal@michal-MSQ87TN:~$ openssl s_client -connect 10.11.0.200:443
CONNECTED(0003)
depth=0 C = PL, ST = Mazowieckie, L = Warszawa, O = XXX, CN = XXX,
emailAddress = XXX
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = PL, ST = Mazowieckie, L = Warszawa, O = XXX, CN = XXX,
emailAddress = XXX
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = PL, ST = Mazowieckie, L = Warszawa, O = XXX, CN = XXX,
emailAddress = XXX
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
  0 s:/C=PL/ST=Mazowieckie/L=Warszawa/O=XXX/CN=XXX/emailAddress=XXX
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom
Class 2 Primary Intermediate Server CA
---
Server certificate
-BEGIN

Re: OpenBSD 5.7 httpd tls intermediate/chain certificate problem

2015-05-14 Thread Michal Lesniewski

On 14.05.2015 16:01, Joel Sing wrote:

On Thursday 14 May 2015, Michal Lesniewski wrote:

On 14.05.2015 15:02, Joel Sing wrote:

On Thursday 14 May 2015, Michal Lesniewski wrote:

Hello,

I'm trying to configure OpenBSD 5.7 httpd with tls and an
intermediate/chain certificate, without success.

my httpd.conf:

server default {
   listen on 10.11.0.200 tls port 443

   tls {
   certificate /etc/ssl/server-unified.pem
   key /etc/ssl/private/server.key
   }

   root /htdocs/default
}

types {
   include /usr/share/misc/mime.types
}



My certificate is an intermediate/chain certificate. That means I need to
supply the next-level certificate that sits between my certificate and the CA.

I made that chain certificate concatenating PEM format files with
corresponding certs (all certs Signature Algorithm:
sha256WithRSAEncryption)

cat server.pem sub.class2.server.ca.pem ca-sha2.pem > /etc/ssl/server-unified.pem

server-unified.pem looks like:

-----BEGIN CERTIFICATE-----
(Primary SSL certificate: server.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate: sub.class2.server.ca.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root certificate: ca-sha2.pem)
-----END CERTIFICATE-----

Certificate and key installed in default locations:

# ls -alh /etc/ssl/private/server.key
-r--------  1 root  wheel   6.2K May 13 19:40 /etc/ssl/private/server.key
# ls -alh /etc/ssl/server.pem
-rw-r--r--  1 root  wheel   3.3K May 13 19:41 /etc/ssl/server.pem
# ls -alh /etc/ssl/server-unified.pem
-rw-r--r--  1 root  wheel   8.0K May 14 13:53 /etc/ssl/server-unified.pem


I try to test using openssl s_client:

michal@michal-MSQ87TN:~$ openssl s_client -connect 10.11.0.200:443
CONNECTED(0003)
GET / HTTP/1.0



httpd log:


# httpd -dvv
startup
server_tls_load_keypair: using certificate /etc/ssl/server-unified.pem
server_tls_load_keypair: using private key /etc/ssl/private/server.key
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_privinit: adding server default
server_privinit: adding server default
socket_rlimit: max open files 1024
server_launch: running server default
server_launch: running server default
server_launch: running server default


there is no server_tls_init
nothing appears after starting the openssl s_client command

This smells very much like the same problem that has been mentioned on
the list earlier - with a 6KB private key and an 8KB bundle, you're almost
certainly hitting the 16K limit for a single imsg. Unfortunately there
were missing return value checks which means that this fails silently. If
you can try httpd from -current you will likely see an error instead of a
silent failure. Otherwise you can try removing one of the certificates
from the bundle in order to reduce the size and see if it then
reports server_tls_init and starts working.

tested on -current:

# httpd -dv
startup
server_tls_load_keypair: using certificate /etc/ssl/server-unified.pem
server_tls_load_keypair: using private key /etc/ssl/private/server.key
socket_rlimit: max open files 1024
server_privinit: adding server default
server_privinit: adding server default
config_setserver: failed to compose IMSG_CFG_SERVER imsg for `default':
Result too large
fatal: send server: Result too large
socket_rlimit: max open files 1024
logger exiting, pid 4965
socket_rlimit: max open files 1024
server exiting, pid 10727
server exiting, pid 32594
server exiting, pid 5337

The above situation occurs when I have server cert + intermediate + CA, and
also with only server cert + intermediate in server-chain.pem.
httpd starts only when I supply just my server cert to it.
Is there any solution to run httpd with such a big private key?

Try this (albeit only tested a little beyond compilation...)

Index: config.c
===
RCS file: /cvs/src/usr.sbin/httpd/config.c,v
retrieving revision 1.37
diff -u -p -r1.37 config.c
--- config.c11 Apr 2015 14:52:49 -  1.37
+++ config.c14 May 2015 13:58:57 -
@@ -193,14 +193,6 @@ config_setserver(struct httpd *env, stru
iov[c].iov_base = srv-srv_conf.return_uri;
iov[c++].iov_len = srv-srv_conf.return_uri_len;
}
-   if (srv-srv_conf.tls_cert_len != 0) {
-   iov[c].iov_base = srv-srv_conf.tls_cert;
-   iov[c++].iov_len = srv-srv_conf.tls_cert_len;
-   }
-   if (srv-srv_conf.tls_key_len != 0) {
-   iov[c].iov_base = srv-srv_conf.tls_key;
-   iov[c++].iov_len = srv-srv_conf.tls_key_len;
-   }
  
  		if (id == PROC_SERVER 

(srv-srv_conf.flags  SRVFLAG_LOCATION) == 0) {
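Review bot: dropping the tls_cert and tls_key iov entries here changes the wire layout of IMSG_CFG_SERVER, so the receiving side in the server process (config_getserver, not shown in this diff) must stop reading the certificate and key out of that message in the same change, otherwise it will misparse the iovec it expects; the second hunk, which adds three lines after this block, is presumably where the separate transfer goes, but it is cut off in the archive. Whatever path carries the key and bundle separately still needs an explicit size check that fails loudly, as the "failed to compose IMSG_CFG_SERVER imsg ... Result too large" output above already does on -current, rather than the silent failure seen on 5.7.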
@@ -220,6 +212,9 @@ config_setserver(struct httpd *env, stru
return (-1

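Added example, written for this thread rather than taken from it or from OpenBSD: a POSIX sh pre-flight for the concatenated bundle and key described above, which counts the PEM certificate blocks, flags a private key accidentally concatenated into the world-readable bundle, and compares cert plus key size with the single-imsg limit. It assumes the 16K limit Joel mentions is imsg's MAX_IMSGSIZE of 16384 bytes; the file names are the ones from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenBSD httpd(8).
# Pre-flight checks for an httpd "tls certificate" bundle and its key:
#   - count the PEM certificate blocks (leaf, intermediate, optional root)
#   - flag a private key concatenated into the bundle (the bundle is mode 644)
#   - compare cert + key size with the 16K single-imsg limit from the thread
# Assumption: the 16K limit is imsg's MAX_IMSGSIZE, 16384 bytes.  The real
# IMSG_CFG_SERVER payload also carries the server_config struct, so "fits"
# here is optimistic: a bundle that fails this check will certainly fail.

IMSG_LIMIT=16384

# count_certs FILE: print how many PEM certificate blocks FILE contains.
count_certs() {
    grep -c -- '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# has_private_key FILE: succeed if FILE contains any PEM private key block.
has_private_key() {
    grep -q -- '^-----BEGIN .*PRIVATE KEY-----' "$1"
}

# bundle_bytes CERT KEY: print the combined size of both files in bytes.
bundle_bytes() {
    cert_bytes=$(wc -c < "$1")
    key_bytes=$(wc -c < "$2")
    echo $((cert_bytes + key_bytes))
}

# bundle_fits CERT KEY: succeed if cert + key stay under IMSG_LIMIT.
bundle_fits() {
    [ "$(bundle_bytes "$1" "$2")" -lt "$IMSG_LIMIT" ]
}

# check_bundle CERT KEY: print a report; succeed only if every check passes.
check_bundle() {
    cert=$1
    key=$2
    rc=0
    n=$(count_certs "$cert")
    echo "$cert: $n certificate block(s)"
    if [ "$n" -lt 1 ]; then
        echo "$cert: no certificate block found"
        rc=1
    fi
    if has_private_key "$cert"; then
        echo "$cert: contains a PRIVATE KEY block; keep the key in $key only"
        rc=1
    fi
    if ! has_private_key "$key"; then
        echo "$key: no private key block found"
        rc=1
    fi
    total=$(bundle_bytes "$cert" "$key")
    if bundle_fits "$cert" "$key"; then
        echo "cert + key = $total bytes, under the $IMSG_LIMIT byte imsg limit"
    else
        echo "cert + key = $total bytes, at or over $IMSG_LIMIT: expect the" \
             "silent start failure or 'Result too large' seen in the thread"
        rc=1
    fi
    return $rc
}

# Usage: check_tls_bundle.sh /etc/ssl/server-unified.pem /etc/ssl/private/server.key
if [ $# -eq 2 ]; then
    check_bundle "$1" "$2"
fi
```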
Huawei E3272 USB 4G LTE modem (no HiLink)

2014-09-16 Thread Michal Lesniewski
 Address Map rev 0x00
pchb3 at pci0 dev 24 function 2 AMD AMD64 11h DRAM Cfg rev 0x00
km0 at pci0 dev 24 function 3 AMD AMD64 11h Misc Cfg rev 0x00
pchb4 at pci0 dev 24 function 4 AMD AMD64 11h Link Cfg rev 0x00
usb2 at ohci0: USB revision 1.0
uhub2 at usb2 ATI OHCI root hub rev 1.00/1.00 addr 1
usb3 at ohci1: USB revision 1.0
uhub3 at usb3 ATI OHCI root hub rev 1.00/1.00 addr 1
usb4 at ohci2: USB revision 1.0
uhub4 at usb4 ATI OHCI root hub rev 1.00/1.00 addr 1
usb5 at ohci3: USB revision 1.0
uhub5 at usb5 ATI OHCI root hub rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
scsibus1 at softraid0: 256 targets
root on wd0a (bb547cb10c3cf0e4.a) swap on wd0b dump on wd0b
drm: initializing kernel modesetting (RS780 0x1002:0x9610 0x103C:0x1721).
radeondrm0: VRAM: 256M 0xC000 - 0xCFFF (256M used)
radeondrm0: GTT: 512M 0xA000 - 0xBFFF
drm: PCIE GART of 512M enabled (table at 0xC004).
No connectors reported connected with modes
Cannot find any crtc or sizes - going 1024x768
radeondrm0: 1024x768
wsdisplay0 at radeondrm0 mux 1: console (std, vt100 emulation), using wskbd0
wsdisplay0: screen 1-5 added (std, vt100 emulation)


modem connected:

umsm0 at uhub0 port 6 configuration 1 interface 0 HUAWEI Technology 
HUAWEI Mobile rev 2.00/1.02 addr 2

umsm0 detached
urndis0 at uhub0 port 6 configuration 1 interface 0 HUAWEI Technology 
HUAWEI Mobile rev 2.00/1.02 addr 2
urndis0: using Vendorurndis0: ctrl message error: wrong size 3736059565 > 1024

urndis0: unable to get query response
: unable to get hardware address
urndis1 at uhub0 port 6 configuration 1 interface 2 HUAWEI Technology 
HUAWEI Mobile rev 2.00/1.02 addr 2
urndis1: using Vendorurndis1: ctrl message error: wrong size 3736059565 > 1024

urndis1: unable to get query response
: unable to get hardware address
umass0 at uhub0 port 6 configuration 1 interface 4 HUAWEI Technology 
HUAWEI Mobile rev 2.00/1.02 addr 2

umass0: using SCSI over Bulk-Only
scsibus2 at umass0: 2 targets, initiator 0
sd0 at scsibus2 targ 1 lun 0: HUAWEI, TF CARD Storage, 2.31 SCSI2 
0/direct removable
urndis2 at uhub0 port 6 configuration 1 interface 5 HUAWEI Technology 
HUAWEI Mobile rev 2.00/1.02 addr 2

urndis2: no data interface


modem disconnected:

urndis0 detached
urndis1 detached
sd0 detached
scsibus2 detached
umass0 detached
urndis2 detached


usbdevs:

# usbdevs -dv
Controller /dev/usb0:
addr 1: high speed, self powered, config 1, EHCI root hub(0x), 
ATI(0x1002), rev 1.00

  uhub0
 port 1 powered
 port 2 powered
 port 3 powered
 port 4 powered
 port 5 powered
 port 6 addr 2: high speed, power 500 mA, config 1, HUAWEI 
Mobile(0x1c1e), HUAWEI Technology(0x12d1), rev 1.02

   urndis0
   urndis1
   umass0
   urndis2
Controller /dev/usb1:
addr 1: high speed, self powered, config 1, EHCI root hub(0x), 
ATI(0x1002), rev 1.00

  uhub1
 port 1 powered
 port 2 powered
 port 3 powered
 port 4 powered
 port 5 powered
 port 6 powered
Controller /dev/usb2:
addr 1: full speed, self powered, config 1, OHCI root hub(0x), 
ATI(0x1002), rev 1.00

  uhub2
 port 1 powered
 port 2 powered
 port 3 powered
Controller /dev/usb3:
addr 1: full speed, self powered, config 1, OHCI root hub(0x), 
ATI(0x1002), rev 1.00

  uhub3
 port 1 powered
 port 2 powered
 port 3 powered
Controller /dev/usb4:
addr 1: full speed, self powered, config 1, OHCI root hub(0x), 
ATI(0x1002), rev 1.00

  uhub4
 port 1 powered
 port 2 powered
 port 3 powered
Controller /dev/usb5:
addr 1: full speed, self powered, config 1, OHCI root hub(0x), 
ATI(0x1002), rev 1.00

  uhub5
 port 1 powered
 port 2 powered
 port 3 powered

Best Regards,
Michal



Scrolling the terminal is slow on -current

2013-04-06 Thread Michal Mazurek
: USB revision 1.0
uhub3 at usb3 Intel UHCI root hub rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 Intel UHCI root hub rev 1.00/1.00 addr 1
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
wsmouse1 at pms0 mux 0
pms0: Synaptics touchpad, firmware 6.2
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
mtrr: Pentium Pro MTRR support
uhidev0 at uhub1 port 1 configuration 1 interface 0 vendor 0x04fc USB 
Multi-Smart Mouse rev 2.00/16.11 addr 2
uhidev0: iclass 3/1, 3 report ids
ums0 at uhidev0 reportid 1: 5 buttons, Z dir
wsmouse2 at ums0 mux 0
uhid0 at uhidev0 reportid 3: input=2, output=0, feature=0
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
root on wd0a (a1b91d15922da01d.a) swap on wd0b dump on wd0b


-- 
Michal Mazurek



Installing OpenBSD on a TS-412 Turbo NAS

2012-03-03 Thread Michal Mazurek
Has anybody successfully installed OpenBSD on a QNAP TS-412 Turbo NAS? I'm
looking for a NAS that I can keep in my room, and would like to run OpenBSD.

-- 
Michal Mazurek



Re: alix2d2 LM86, no hw.sensors

2012-02-20 Thread Michal Mazurek
On Sun, Feb 19, 2012 at 01:12:13PM +0100, Mike Belopuhov wrote:
> and i forgot to mention that kernel config has to be patched too.
> thanks to shadchin@ for reminding.

It didn't work, here is the dmesg:

[15:19:ttyp0][root@T3:~:5]$ sysctl hw
hw.machine=i386
hw.model=Geode(TM) Integrated Processor by AMD PCS (AuthenticAMD 586-class)
hw.ncpu=1
hw.byteorder=1234
hw.pagesize=4096
hw.disknames=wd0:c8fc559b0e991404
hw.diskcount=1
hw.cpuspeed=499
hw.physmem=267976704
hw.usermem=267964416
hw.ncpufound=1
hw.allowpowerdown=1


OpenBSD 5.0 (GENERIC.MP) #0: Mon Feb 20 09:41:29 CET 2012
r...@t3.nmi:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Geode(TM) Integrated Processor by AMD PCS (AuthenticAMD 586-class) 499 
MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX
real mem  = 267976704 (255MB)
avail mem = 253517824 (241MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 11/05/08, BIOS32 rev. 0 @ 0xfd088
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xe/0xa800
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 1 function 0 AMD Geode LX rev 0x33
glxsb0 at pci0 dev 1 function 2 AMD Geode LX Crypto rev 0x00: RNG AES
vr0 at pci0 dev 9 function 0 VIA VT6105M RhineIII rev 0x96: irq 10, address 
00:0d:b9:25:8f:ec
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, 
model 0x0034
vr1 at pci0 dev 11 function 0 VIA VT6105M RhineIII rev 0x96: irq 15, address 
00:0d:b9:25:8f:ed
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, 
model 0x0034
glxpcib0 at pci0 dev 15 function 0 AMD CS5536 ISA rev 0x03: rev 3, 32-bit 
3579545Hz timer, watchdog, gpio, i2c freq=0x7f
gpio0 at glxpcib0: 32 pins
iic0 at glxpcib0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
glxpcib0: negative ack, flags=0
pciide0 at pci0 dev 15 function 2 AMD CS5536 IDE rev 0x01: DMA, channel 0 
wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: SanDisk SDCFAA-004G
wd0: 1-sector PIO, LBA48, 3815MB, 7813120 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 15 function 4 AMD CS5536 USB rev 0x02: irq 12, version 1.0, 
legacy support
ehci0 at pci0 dev 15 function 5 AMD CS5536 USB rev 0x02: irq 12
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 AMD EHCI root hub rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 AMD OHCI root hub rev 1.00/1.00 addr 1
mtrr: K6-family MTRR support (2 registers)
nvram: invalid checksum
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
scsibus1 at softraid0: 256 targets
root on wd0a (c8fc559b0e991404.a) swap on wd0b dump on wd0b
clock: unknown CMOS layout

-- 
Michal Mazurek



alix2d2 LM86, no hw.sensors

2012-02-17 Thread Michal Mazurek
I have an alix2d2 running OpenBSD 5.0. There are no hw.sensors.
The producer says there is an LM86 on board, which is supported by the
maxtmp driver. It appears the driver is present in generic. I tried starting
sensorsd but got:
daemon:Feb 17 13:12:04 T1 sensorsd[10445]: startup, system has 0 sensors

How can I read the temperature of my alix2d2 running OpenBSD 5.0?

[15:59:ttyp1][root@T3:~:1]$ sysctl hw
hw.machine=i386
hw.model=Geode(TM) Integrated Processor by AMD PCS (AuthenticAMD 586-class)
hw.ncpu=1
hw.byteorder=1234
hw.pagesize=4096
hw.disknames=wd0:c8fc559b0e991404
hw.diskcount=1
hw.cpuspeed=499
hw.physmem=267976704
hw.usermem=267964416
hw.ncpufound=1
hw.allowpowerdown=1
[15:59:ttyp1][root@T3:~:2]$ uname -a
OpenBSD T3.nmi 5.0 GENERIC.MP#59 i386

dmesg:
OpenBSD 5.0 (GENERIC.MP) #59: Wed Aug 17 10:19:44 MDT 2011
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Geode(TM) Integrated Processor by AMD PCS (AuthenticAMD 586-class) 499 
MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX
real mem  = 267976704 (255MB)
avail mem = 253521920 (241MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 11/05/08, BIOS32 rev. 0 @ 0xfd088
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xe/0xa800
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 1 function 0 AMD Geode LX rev 0x33
glxsb0 at pci0 dev 1 function 2 AMD Geode LX Crypto rev 0x00: RNG AES
vr0 at pci0 dev 9 function 0 VIA VT6105M RhineIII rev 0x96: irq 10, address 
00:0d:b9:25:8f:ec
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, 
model 0x0034
vr1 at pci0 dev 11 function 0 VIA VT6105M RhineIII rev 0x96: irq 15, address 
00:0d:b9:25:8f:ed
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, 
model 0x0034
glxpcib0 at pci0 dev 15 function 0 AMD CS5536 ISA rev 0x03: rev 3, 32-bit 
3579545Hz timer, watchdog, gpio
gpio0 at glxpcib0: 32 pins
pciide0 at pci0 dev 15 function 2 AMD CS5536 IDE rev 0x01: DMA, channel 0 
wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: SanDisk SDCFAA-004G
wd0: 1-sector PIO, LBA48, 3815MB, 7813120 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 15 function 4 AMD CS5536 USB rev 0x02: irq 12, version 1.0, 
legacy support
ehci0 at pci0 dev 15 function 5 AMD CS5536 USB rev 0x02: irq 12
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 AMD EHCI root hub rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 AMD OHCI root hub rev 1.00/1.00 addr 1
mtrr: K6-family MTRR support (2 registers)
nvram: invalid checksum
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
scsibus1 at softraid0: 256 targets
root on wd0a (c8fc559b0e991404.a) swap on wd0b dump on wd0b

-- 
Michal Mazurek



Re: man page sources?

2011-10-24 Thread Michal Mazurek
On Sun, Oct 23, 2011 at 02:14:02PM +0200, Ingo Schwarze wrote:
> I committed build system changes to install source manuals
> and no longer install formatted manuals from 5.0 onwards.

This is nice, now I can do something like this in /etc/man.conf:
 _build.[1-9n] /usr/bin/mandoc %s
 _build.[1-9n] /usr/bin/mandoc -Owidth=`stty size | awk '{print $2 - 2}'` %s
to have the manpage fit my display. Especially useful if I have split
screen in a tiling window manager, and the terminals are smaller than 80
columns.

-- 
Michal Mazurek



Absurdly high temperature reading - system shutdown

2011-06-16 Thread Michal Mazurek
After moving my old laptop around I got home, booted it and got a very
distressing message:

messages.2.gz:Jun 14 22:40:09 hopek /bsd: acpitz2: Critical temperature
4938C (52112K), shutting down

Perhaps some dust moved around, or a cable disconnected.
Unfortunately, the system shut down before it booted. I booted bsd.rd,
read some manpages and booted with -c 'disable acpitz' - everything
worked fine. I attach a diff to only shutdown if the temperature is
below 2000C. If it's above then it's too late to shut down anyway :)

BTW, for no apparent reason my laptop started working fine again.


Index: acpitz.c
===
RCS file: /cvs/src/sys/dev/acpi/acpitz.c,v
retrieving revision 1.43
diff -u -r1.43 acpitz.c
--- acpitz.c15 Jun 2011 00:15:54 -  1.43
+++ acpitz.c16 Jun 2011 15:09:14 -
@@ -326,11 +326,17 @@
}
/* critical trip points */
if (sc-sc_crt != -1  sc-sc_crt = sc-sc_tmp) {
-   /* do critical shutdown */
-   printf(%s: critical temperature exceeded %dC (%dK), shutting 
-   down\n,
-   DEVNAME(sc), KTOC(sc-sc_tmp), sc-sc_tmp);
-   psignal(initproc, SIGUSR2);
+   if (KTOC(sc-sc_tmp)  2000) {
+   printf(%s: absurdly high temperature %dC (%dK), 
+   doing nothing\n,
+   DEVNAME(sc), KTOC(sc-sc_tmp), sc-sc_tmp);
+   } else {
+   /* do critical shutdown */
+   printf(%s: critical temperature exceeded %dC (%dK), 
+   shutting down\n,
+   DEVNAME(sc), KTOC(sc-sc_tmp), sc-sc_tmp);
+   psignal(initproc, SIGUSR2);
+   }
}
if (sc-sc_hot != -1  sc-sc_hot = sc-sc_tmp) {
printf(%s: _HOT temperature\n, DEVNAME(sc));
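Review bot: the new `KTOC(sc-sc_tmp) ... 2000` guard only skips the critical-shutdown branch; the same implausible reading still reaches the `_HOT` comparison a few lines below and the value reported through the sensor framework, so it would be cleaner to validate the reading once where sc_tmp is read (mark it invalid and skip all trip-point checks) than to special-case this one branch. Two smaller points: 2000 is a magic number and deserves a named constant next to KTOC, and the "absurdly high temperature ... doing nothing" printf fires on every poll for as long as the reading stays bogus, so consider logging it once or rate-limiting it.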

-- 
Michal Mazurek



Re: Absurdly high temperature reading - system shutdown

2011-06-16 Thread Michal Mazurek
It was pointed out to me to attach acpidump and dmesg. Kernel is custom
built to include bce.

-- 
Michal Mazurek

[demime 1.01d removed an attachment of type application/octet-stream]

RSD PTR: Checksum=172, OEMID=HP, RsdtAddress=0x1f7efc84


RSDT: Length=48, Revision=1, Checksum=85,
OEMID=HP, OEM Table ID=099C, OEM Revision=0x21110520,
Creator ID=HP, Creator Revision=0x1


Entries={ 0x1f7efc00, 0x1f7efcb4, 0x1f7efd10 }


DSDT=0x1f7efd4c
INT_MODEL=PIC
SCI_INT=9
SMI_CMD=0xb2, ACPI_ENABLE=0xf1, ACPI_DISABLE=0xf0, S4BIOS_REQ=0xf2
PM1a_EVT_BLK=0x1000-0x1003
PM1a_CNT_BLK=0x1004-0x1005
PM2_CNT_BLK=0x1020-0x1020
PM2_TMR_BLK=0x1008-0x100b
PM2_GPE0_BLK=0x1028-0x102f
P_LVL2_LAT=2ms, P_LVL3_LAT=38ms
FLUSH_SIZE=0, FLUSH_STRIDE=0
DUTY_OFFSET=1, DUTY_WIDTH=3
DAY_ALRM=13, MON_ALRM=0, CENTURY=50
Flags={WBINVD,PROC_C1,SLP_BUTTON,RTC_S4}


DSDT: Length=32088, Revision=1, Checksum=211,
OEMID=HP, OEM Table ID=DAU00, OEM Revision=0x1,
Creator ID=MSFT, Creator Revision=0x10e


APIC: Length=90, Revision=1, Checksum=66,
OEMID=HP, OEM Table ID=099C, OEM Revision=0x1,
Creator ID=HP, Creator Revision=0x1


MCFG: Length=60, Revision=1, Checksum=112,
OEMID=HP, OEM Table ID=099C, OEM Revision=0x1,
Creator ID=HP, Creator Revision=0x1
OpenBSD 4.9-stable (HOPEK) #0: Sun May  1 19:13:58 CEST 2011
r...@hopek.jasminek.net:/usr/src/sys/arch/i386/compile/HOPEK
cpu0: Intel(R) Celeron(R) M processor 1.40GHz (GenuineIntel 686-class) 1.40 
GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,SBF
real mem  = 527855616 (503MB)
avail mem = 509075456 (485MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 11/21/05, BIOS32 rev. 0 @ 0xf, SMBIOS 
rev. 2.3 @ 0xfc68f (23 entries)
bios0: vendor Hewlett-Packard version 68DTD Ver. F.0C date 11/21/2005
bios0: Hewlett-Packard HP Compaq nx6110 (PY536ES#AKD)
acpi0 at bios0: rev 0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC MCFG
acpi0: wakeup devices C068(S5) C0BB(S3) C0C2(S3) C0C3(S3) C0C4(S3) C0C5(S3) 
C0CC(S5) C1CD(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfec01000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 99MHz
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 1
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpiprt0 at acpi0: bus 2 (C068)
acpiprt1 at acpi0: bus 0 (C002)
acpiec0 at acpi0
acpicpu0 at acpi0: C3, C2, C1
acpipwrres0 at acpi0: C1A6
acpipwrres1 at acpi0: C1AE
acpipwrres2 at acpi0: C1B5
acpipwrres3 at acpi0: C1C5
acpipwrres4 at acpi0: C244
acpipwrres5 at acpi0: C245
acpipwrres6 at acpi0: C246
acpipwrres7 at acpi0: C247
acpitz0 at acpi0: critical temperature 102 degC
acpitz1 at acpi0: critical temperature 103 degC
acpitz2 at acpi0: critical temperature 102 degC
acpitz3 at acpi0: critical temperature 110 degC
acpibat0 at acpi0: C174 model Primary serial 03121 2005/12/21 type LIon oem 
Hewlett-Packard
acpibat1 at acpi0: C173 not present
acpiac0 at acpi0: AC unit online
acpibtn0 at acpi0: C1E8
acpibtn1 at acpi0: C1E9
acpivideo0 at acpi0: C055
acpivout0 at acpivideo0: C103
acpivout1 at acpivideo0: C104
acpivout2 at acpivideo0: C105
acpivout3 at acpivideo0: C106
bios0: ROM list: 0xc/0x1!
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82915GM Host rev 0x03
vga1 at pci0 dev 2 function 0 Intel 82915GM Video rev 0x03
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0xc000, size 0x1000
inteldrm0 at vga1: apic 1 int 16 (irq 11)
drm0 at inteldrm0
Intel 82915GM Video rev 0x03 at pci0 dev 2 function 1 not configured
uhci0 at pci0 dev 29 function 0 Intel 82801FB USB rev 0x03: apic 1 int 23 
(irq 11)
uhci1 at pci0 dev 29 function 1 Intel 82801FB USB rev 0x03: apic 1 int 17 
(irq 10)
uhci2 at pci0 dev 29 function 2 Intel 82801FB USB rev 0x03: apic 1 int 18 
(irq 10)
uhci3 at pci0 dev 29 function 3 Intel 82801FB USB rev 0x03: apic 1 int 19 
(irq 10)
ehci0 at pci0 dev 29 function 7 Intel 82801FB USB rev 0x03: apic 1 int 23 
(irq 11)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb0 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0xd3
pci1 at ppb0 bus 2
iwi0 at pci1 dev 4 function 0 Intel PRO/Wireless 2200BG rev 0x05: apic 1 int 
21 (irq 11), address 00:0e:35:41:65:91
cbb0 at pci1 dev 6 function 0 TI PCI7XX1 CardBus rev

Re: CARP and routing

2010-11-25 Thread Michal

On 25/11/10 12:22, Toni Mueller wrote:

Hi,

I discover that CARP and routing don't always mix well:

   Internet --- host1   host2

If host1 and host2 have a CARP interface with the same IP, then packets
destined for that IP don't ever reach host2, even if the interface on
host1 is in BACKUP state.



Kind regards,
--Toni++


Wait, do you mean;


    Host1
Internet --- |
    Host 2



Re: CARP and routing

2010-11-25 Thread Michal

On 25/11/10 13:20, Robert Hoffmann wrote:

On Thu, 25 Nov 2010 13:22:13 +0100
Toni Muelleropenbsd-m...@oeko.net  wrote:

   Internet --- host1   host2

Because your setup should rather look like this?

Internet --- switch --- host1 --- switch --- LAN
   + --- host2 +

regards,
Robert

This is what I was trying to get at...the way you draw your diagram, I 
can't understand what you're trying to do with carp if you have


internet -- host1 -- host2



Re: HP Proliant NEO N36L

2010-11-23 Thread Michal

Storage Controller
 Embedded SATA Controller with Embedded RAID (0, 1)


This concerns me. Generally with RAID, it's either a known, branded raid 
controller that can easily be replaced, or software raid. Anything in 
the middle like raid on desktop motherboards I avoid for servers




Re: OT: Disadvantages of using virtual firewalls like OpenBSd

2010-11-23 Thread Michal

On 23/11/10 13:56, Bahador NazariFard wrote:

OK
You are right.
But you know in this case your security level is not higher than virtual
machine.
Because your security level in complex chained system is not higher than
weakest point.In fact you are accepting the risk of using virtual machine.
I think in this case if your virtual machine system is not stronger than
OpenBSD  you should not use it.
If one can exploit virtual machine he/she can hurt your platform.

I think virtual systems are very very useful but they are not very good for
security box.

I think virtual machine is one of your assets that you should be able to
protect it.
because it may have many guest and provide several  services for your client
.

For example in this scenario you can not protect your network or even your
firewall box against DoS or DDoS attack,
because your virtual machine has to get a lot of packets before your
firewall.



This is a good post. I have esxi servers and they work well, but you'd 
have a hardware firewall sitting at the front of the network, unless you 
want to do firewall testing etc. If you can afford to get some esxi 
servers, I'm sure you can pay the little bit extra to get an OpenBSD 
firewall on the go, even two for that matter




Re: Building a Practical Penetration Test Lab

2010-11-12 Thread Michal

I can confirm that OpenBSD doesn't always work as a virtual machine.
So I would focus on using OpenBSD as the host and using some other OS
as a client in QEMU.


If you insist and I don't know about the latest version, then vmware is
likely much more reliable than virtualbox but still more problematic
than a true install. There is a blog on the virtual box site by theo
stating he can't believe any OS allows the problems virtualbox
introduces(d).

This post by theo was made because developers had wasted their time
fixing bugs that were caused by virtualbox. If anyone does have
problems under emulation make sure you can reproduce it natively before
reporting.


I have several OpenBSD boxes running with no problems on some ESXi servers



Re: suggestion for a new/additional OpenBSD release media option

2010-11-01 Thread Michal

For me, the ability to boot of the install media is not a requirement.  I do
all my installs via pxeboot.

If there were enough room on the DVD, you could also provide the CDROM ISOs.
If a user REALLY needed bootable media, they could
burn the ISOs to CDROMs, and do that.

Again, these are only suggestions.

You understand your user/customer base infinitely better than I do.
Obviously it is your decision what products you choose to offer.

You can have CDs with multiple types of OS and you have a choice 
screen. MS MSDN CDs often have different versions; server OS CDs have 
web, standard and enterprise and you just get a choice screen. But 
again, it's all time and effort at the end of the day




Re: availability of Building Firewalls with OpenBSD and PF, 3rd ed.

2010-10-21 Thread Michal

 The books outlined below are not the same book the OP was asking about...

On 21/10/10 13:11, open...@e-solutions.re wrote:

I also bought this one this morning ;-)
And have it on PDF also !! Thanks to NOSTARCH!

On Thu, 21 Oct 2010 12:03:41 +0100,alastair.john...@trinity.ox.ac.uk
wrote:

Having heard a stream of fraud stories from disgruntled devguide.net
customers, this morning I bought a copy of Book of PF, 2nd Edition
which has been updated for 4.8

http://www.nostarch.com/pf2.htm

within seconds of entering my credit card I had a PDF on my computer.

Cant argue with that.

Alastair




Re: ZFS and Storage Systems

2010-10-12 Thread Michal

It would be even better to simply ask them what exact Supermicro
hardware (specifically, model numbers) they're using to build these
systems.  You can see Supermicro mentioned in thetitle  of their site,
so that's definitely what they're using, even down to the controller
card offerings (some of which (Marvell) are known to behave oddly on
FreeBSD (yes there are success stories, but there are also follow-up
horror stories) -- consider yourself warned).

I think the best option is to just build it yourself using similar 
components which I have looked at before. My ideal is build a system 
where you can extend the storage easily by adding another box instead of 
either replacing the HDD's with bigger HDD's or having multiple targets 
for the data. One target whose storage can be expanded by simply adding 
another box. However, that is harder in practice to work out




Re: Why renice not work in OpenBSD?

2010-10-11 Thread Michal

Dmitry-T  Is in OpenBSD lacks developers?

That might as well be the last message you post here.

Any little help you would get, you've just offended them.

reading his e-mails, I don't think he is trying to be offensive, I think 
his English is just poor




Re: OpenBSD on DELL R310

2010-10-01 Thread Michal

Well, it optionally comes with one of five (or so) different RAID
controllers, so if it is possible to check which - if any - it has it
would be great.

Thanks,

--
Bjvrn Sandellbi...@chalmers.se

You can look those up and check in the archives or on compatibility 
lists. I think the main ones they use are PERC




Re: project : openbsd as nas

2010-08-31 Thread Michal

On 30/08/10 13:03, Jean-Francois wrote:

Hello,

I was thinking about how to help openbsd project, and since I am not able to
help in programming, I'm thinking about starting something aroung openbsd such
as a layer making it an easy enough to manage home nas server of good quality.

I have not yet the whole picture of how to do it but maybe a project that will
take quite sometime and whose goal is to transform a standard install into a
ready to run nas server with few efforts.

I don't know yet what it will be like, probably it needs to be package or
something else, I need to study it more in details so far.

I hope that you will receive well this idea I have and maybe if you do wish,
support if it is needed.

I will then open something on my own wiki to prepare and work on the complete
project, describe it in detail and start to implement things.

Again thanks for the quality of that os and its documentation which makes it
very interesting to work on.

Regards
JF

   
Are you trying to make a pure OBSD version of projects like Openfiler and
FreeNAS? If you don't know about those, check them out, as contributing
to those may be more worthwhile than starting a new project.




Re: another slow connection on openbsd 3.4

2010-08-25 Thread Michal

I think I can say without fear of contradiction, interest in 3.4
problems can only be measured by instruments sensitive enough to
measure pixie dust. Brandished by those rare birds, OpenBSD
Software Archeologists.

Seriously dude, you need to upgrade if you want OpenBSD help/suggestions!!

 Ken

   
I do agree with you of course, but let's not tell someone to just
upgrade; he will need some changes in his PF before it works. Hendo,
make sure you have a really good read of the upgrade sections, as there
are small sections of your PF code that won't work and will error. If
you can cope with your machine plugged directly into the line while you
upgrade, then you should have very few problems; any problems have
probably been asked before, so have a search around :)




Re: OpenBSD Training

2010-07-28 Thread Michal

On 28/07/10 14:49, Robert wrote:

On Wed, 28 Jul 2010 05:50:19 -0600
Chris Bennettch...@bennettconstruction.biz  wrote:
   

My advice is to setup a server with some websites (doesn't matter if the
are real or bogus) and learn to deal with the problems that pop-up. Be
sure to get an ISP with remote IP-KVM so you can fix any mistakes that
lock you out.
 

I think it's too risky for a newcomer to go straight for a real server.

Get a dual/quad core machine with 8GB (used ones are pretty cheap) and
install the free (no licence cost) vmWare ESXi server. Use this to
host a whole network (dns, file server, email, etc.). Put another low
cost machine with 2 NICs in front of it; this will be your firewall.
Now you can simulate locally the daily business, e.g. remote
administration, remote upgrades, road warrior setups etc.
But you don't have the risk that someone roots your box because you
made a mistake. Instead you can (should!) try out to attack it ;)

When you're very confident in working with your network, yes, then you
need to go out on The Hostile Internet to learn more.

regards,
Robert

   


Apart from ESXi being free, the management isn't... you need vSphere to
manage the thing. This seems like a very expensive way to learn an
OS... you can install a free virtualisation package on your computer
(VirtualBox, VMware Server etc.) and get going, or even get some very
cheap PCs off eBay. And to be honest I wouldn't worry about a cert that
much, just get some real experience under your belt. Certs help but they
are not the be-all and end-all that some people like to make out.




Re: Multiple VLANs in the same subnet on different Routing Domains

2010-07-23 Thread Michal

I've had no luck Googling this issue so thought I'd ask the experts.

Ok we have 4 firewalls providing internet connectivity whose internal interfaces
are on a single shared subnet, although the IPs are different. Outbound traffic
from the various hosts on this subnet are distributed across the firewalls by
setting the firewall internal IP's as the various different GW addresses. i.e.
Hosts A/B/C/D use FW1 as their GW, hosts E/F/G/H use FW2 as their gateway etc.

Ok so my problem is this. We have a single monitoring host that needs to send
outbound traffic (ICMP) via the 4 different Firewalls to the _SAME_ remote
address. e.g. Send ICMP to www.apple.com via FW1 then send ICMP via FW2 to
www.apple.com, FW3 etc.


   
Agreeing with the other two, do you really need to setup your network in 
that way?




Re: Segmentation Faults shortly after install, somehow random

2010-07-20 Thread Michal

Again I got
Segmentation Fault, this time from sshd and ssh. Now I used gdb, and it
was telling me about some problem with libcrypto.so.18.0, my bad I did
not keep this file, I directly overwrote it with the lib from my backup
, which I needed to create the Softraid. After this sshd and ssh was
working normal again.

I checked my disks and my ram, they are fine.
   


How did you check them? Hopefully not by using SMART.
Did you try swapping drive cables for new ones? I have had MANY drive
problems that were from bad cables
 

I used smartctl from linux side (because Im still more familiar with it,
and I used atactl. For the ram I used mem86test, overnight, without any
errors. Because other OS is working fine, I did not consider the cables,
but I give it a try.
How should I check the hard disks?

   
I've seen memtest come back with no errors but there still being a
problem with the RAM. Memtest isn't 100% correct 100% of the time. If
the other OS works fine, it's probably not a hardware issue. While it's
not bad to look, it seems unlikely.




Re: network access controller like medusa ?

2010-07-15 Thread Michal

On 15/07/10 13:35, Leonardo Lombardo wrote:

Hi all,

do you know if there is any project/packet/something that runs on 
openbsd similar to this http://www.medusabusiness.com/overview.html ? 
I'm interested even to abandoned or uncomplete projects.


Thanks for any advice !

Leonardo



I have no time or energy to trawl a website for you, so if you can say
what you want, we can give you a straight answer. "I have X, can I do Y?"
is better than saying "Work out this sum, then tell me if I can do the
answer".




Re: Mac mini G4

2010-07-01 Thread Michal

On 01/07/2010 14:15, Fred Snurd wrote:

fu...@safe-mail.netfu...@safe-mail.net  wrote:


I have one question: Is the any way to put the mini
in server mode (make it boot automatically after Power Loss)?


While asking about server mode, is it also possible to run a PPC mini headless?

Thanks.



Yes there is a hack using a VGA connector and a resistor...if it's what 
I'm thinking about




Re: Origin 350

2010-05-19 Thread Michal
 On Wed, May 19, 2010 at 08:09:00AM -0500, Matt Bettinger wrote:
 That is unfortunate.  I emailed theo if they could use some origin 350s 
 but got no response.  They have been recycled yesterday.  I do have sgi 
 memory etc if needed.


I don't want to sound like I'm digging at you...but that was a bit
stupid to not contact someone else or even cause a bit of noise on this
list. Remember it for next time :)



Re: nested vlans: safe to use?

2010-05-11 Thread Michal
On 11/05/2010 12:45, Toni Mueller wrote:
 Hi,
 
 I've been trying to figure out whether I can use OpenBSD in a nested
 vlan scenario. I'm looking at a data centre where I want to get two
 wires, each carrying several vlans, and funneling them home across a
 WAN link. Various switch vendors claim to be able to do it, but I
 couldn't really figure out what the current state of affairs wrt.
 OpenBSD is. On the other side of the wires or fibres, I'll be talking
 to Junipers, Ciscos (6509), and/or Foundy switches and/or routers on
 the other side(s).
 
 The desired setup looks like this:
 
   data centre LAN --- switch --- WAN --- home (OpenBSD)
 
 I want to run at least three vlans across the WAN link, and need to
 keep the vlans strictly separated. I also need to do traffic shaping on
 a per-vlan basis. :/

First of all, how will you connect from home to the data center? Normal
household broadband? Can't do VLANs over that. If you have leased lines,
for example from an office to a datacenter, then you can do it, but
only if they are VLAN clear. I had some links once from an office to
different sites from a company called Adapt, but they were not VLAN
clear and it was a problem which we had to work around; it wasn't that
bad, but once we installed VLAN-clear lines it was much better.



Squid (Stupid question that I can't solve)

2010-04-21 Thread Michal
I hate to admit this, but I am stumped by what quite clearly is such a
simple problem, but I can't find the answer. I've seen many sites,
tutorials and guides but just cannot figure this one out... it's probably my
bad skills with PF, but admittedly some of the things I've read are for
older versions of squid and what they have does not work anymore, so I'm
reaching out for a prod in the right direction.

OpenBSD 4.6, squid from the ports (up to date). The problem is, I want
all users to pass through the squid server before heading out for a)
caching reasons and b) to log all HTTP requests. I want it transparent
so nobody can get out of it, so I'm simply changing everyone's default
gateway to the proxy server in DHCP (rather than setting proxy settings
in Firefox etc). It must allow ALL traffic (SSH, SMTP, IMAP etc) and
essentially ignore that traffic, simply working as a web cache and
logger. Web traffic works fine: it goes through it, it logs it and the cache
is working I guess, but nothing else goes through it. SMTP, SSH, IMAP all
refuse to connect and I know it's something stupid, but after searching
around I can't find an answer.

pf.conf
---
int_if=em0
ext_if=em0

set skip on lo

pass    # default pass, stateful (keep state is the default)

#block in quick from urpf-failed to any # use with care

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

# SQUID redirect: match client connections by destination port only.
# A client's source port is ephemeral, so "from any port www" would
# never match a browser's request.
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
# Filter rules see the translated destination, hence 127.0.0.1 here
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
# Squid's own outbound fetches
pass out on $ext_if inet proto tcp from any to any port www keep state

squid.conf
---
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl badwebsite url_regex /etc/squid/squid-block.acl
http_access deny badwebsite
acl localnet src 192.168.2.0/24 # RFC1918 possible internal network
acl localnet src 10.0.0.0/24
acl localnet src 10.1.0.0/24
acl localnet src 10.2.0.0/24
acl SSL_ports port 443
acl Safe_ports port 22  # SSH
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 993 # SSL/TLS imap
acl Safe_ports port 25  # smtp
acl CONNECT method CONNECT
# The Safe_ports/SSL_ports ACLs only take effect when referenced by
# http_access rules; without these two lines any port can be reached
# through the proxy
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
cache_dir ufs /var/squid/cache 1024 16 256
access_log /var/squid/logs/access.log squid
log_fqdn on
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
visible_hostname proxy.internaldomain.com
always_direct allow all
coredump_dir /var/squid/cache
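A corrected pf side for the setup described in this post, as an added example (it is not the poster's ruleset and not from the original thread). It keeps the OpenBSD 4.6-era rdr syntax the post uses. Assumptions: the LAN clients are 192.168.2.0/24 (the first localnet ACL in the squid.conf above) arriving on em0, and Squid listens on 127.0.0.1:3128 (set http_port 127.0.0.1:3128 transparent so it is not bound on every address). Two things the post's ruleset leaves implicit: only port 80 is ever redirected, so SSH, SMTP and IMAP from the clients have to be routed by the kernel, which requires net.inet.ip.forwarding=1 in /etc/sysctl.conf; and the filter rules see the translated destination, so the pass rule for the redirected flows is written against 127.0.0.1.

```pf
# Added example; not the original poster's ruleset. OpenBSD 4.6 (pre-4.7) syntax.
# Assumed: LAN 192.168.2.0/24 on em0, Squid bound to 127.0.0.1:3128,
# net.inet.ip.forwarding=1 set in /etc/sysctl.conf so non-HTTP traffic is routed.
int_if = "em0"
lan    = "192.168.2.0/24"
proxy  = "127.0.0.1"

set skip on lo

# Default pass, stateful (as in the original ruleset)
pass

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

# Redirect only LAN clients' HTTP. Match on the destination port; the
# source port of a client connection is ephemeral, never 80.
rdr on $int_if inet proto tcp from $lan to any port www -> $proxy port 3128

# Filter rules run after translation, so the redirected flows now have
# destination 127.0.0.1:3128. Admit those from the LAN...
pass in on $int_if inet proto tcp from $lan to $proxy port 3128

# ...and refuse anything else aimed at the proxy port, so a host that is
# not on the LAN cannot use this box as an open proxy.
block in quick on $int_if inet proto tcp from ! $lan to port 3128

# SSH, SMTP, IMAP etc. are not touched by rdr: they fall through to the
# default pass above and are routed, not proxied.
```

Check the syntax with pfctl -nf /etc/pf.conf before loading, then pfctl -s nat and pfctl -s rules to see what was actually installed; sysctl net.inet.ip.forwarding shows whether the box routes at all, which is the first thing to look at when only the redirected port works.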



Re: OpenBSD culture?

2010-04-15 Thread Michal
On 14/04/2010 19:27, J Sisson wrote:
 On Wed, Apr 14, 2010 at 1:19 PM, Matthias Kilian k...@outback.escape.de
 wrote:
 On Wed, Apr 14, 2010 at 12:38:56PM -0500, Ron McDowell wrote:
 Yup, nowhere in that goals page does it say anything about don't be
 rude to the casual users.  Maybe that is why OpenBSD is so far down the
 list at http://bsdstats.org/ .

 What detail in the original reply Theo sent to the OP (and quoted
 it later on this list) was rude?
 
 I think that implication was aimed at the OP who claimed Theo was rude.
 Doesn't make it so, but the OP apparently took it that way.
 

Not that I think we should start exploring this, but I think a lot of
cultures mixing is often the problem. People can see things very
differently; for those who are Western here, going to the East (even huge
places like Tokyo) can be a massive shock to the system with how
different it is. I think this can cause massive problems in the way
people communicate. I'm sure someone will disagree, but from past
experience I think that can often be a huge factor. A very easy example
is if I have to call an American call centre... I had to do some PCI
stuff and ended up having to call one. Everyone seems to say "sir this"
and "sir that"... I sometimes get an "Is that a Mr...?" here (England), but
often it's never as formal as what I experience in America.

I know that's a bad example but you get my point.

Really though, who cares. Everything seems to be ticking along well
(with development) and calling me a See You Next Tuesday won't affect
anything, so I don't care.



Re: OpenBSD culture?

2010-04-14 Thread Michal
 but if a questioner seems sincere there is usually a certain
 level of friendliness in Linux community towards them.

I'm on Open/Free BSD, Fedora and Debian, and while sometimes I find there
can be a bit of unnecessary rudeness on the OpenBSD ML, it's a truckload
better than what you see on the fedora/debian lists constantly...


"Where can I get this piece of software?", which just makes you angry as
it takes 5 seconds to search it. It's hand-holding BS most of the time.
Everything is warm and fuzzy and everyone has this attitude of "wow man,
fedora is so much cooler than windozz LOL..." but very few can back
that up other than spouting "NO VIRUSES YYYEAAAHHH" and sometimes you
get the "YOU NEED TO USE SUDO WPPP"... yeah, great.

I know there are a few Europeans knocking about so they might get the
joke, but I was watching a Manchester United match not long ago and
someone had the banner "Man Utd: Not arrogant, just better". I think OBSD
is along those lines.

 If you can not help yourself how can you help the project?  Get lost.

Think that says it best.



Re: Relayd

2010-03-18 Thread Michal
On 17/03/2010 22:23, Glenn Beadle wrote:
 Hello,
 
 I know this is the OpenBSD mailing list, but I'm having an issue with
 relayd on FreeBSD and was just hoping to get some direction.
 I'm currently using relayd as a load balancer, and it's working fine. 
 Now I'm trying to add ssl accelration, and that's where I'm having an
 issue.
 I can get relayd to run, and as the _relayd user I can use the random
 number generator, but when I try to make an ssl connection to the load
 balancer I get the following error:
 
 SSL library error: httpproxy: relay_ssl_accept: error:140B512D:SSL
 routines:SSL_GET_NEW_SESSION:ssl session id callback failed
 relay httpproxy, session 1 (1 active), 0, 192.168.103.80 - :80, SSL
 accept error
 
 
 This bug has been reported to FreeBSD, but no action has been taken on
 it in over a year.
 I'm wondering if anyone in the OpenBSD community has any insight?
 
 
 Thanks,
 Glenn
 

The FreeBSD port is quite old; does the machine have to stay FreeBSD or
could you move over to OpenBSD? I believe the port is more up to date
over here. If you have a second machine you can trial it on there using
4.6-current (basically 4.7) or wait till 4.7-release which is coming soon.



Re: softdeps enabled = poor concurrent access?

2010-02-24 Thread Michal
On 24/02/2010 09:52, Jan Stary wrote:
 On Feb 23 19:20:28, Noah McNallie wrote:
 Hey guys. Noah here. I'd like to use openbsd on an older machine i have.  
 I've had it on there before and never tested something that i've been  
 testing on various operating systems lately. That's how well they do  
 while under disk io load, concurrently.

 An example would be to tar -zxvf a large tarball and in another  
 terminal, try to run a simple command. such as 'uname' or 'ls' or what  
 have you. To test responsiveness. It may not be a very good test but  
 it's a everyday usage test.

 Well, i've found on openbsd without sofdeps enabled it will do this just  
 fine. But when enabling softdeps it will not. The 'uname' or 'ls' will  
 take quite a while to complete.
 
 So, your system is slow _with_ softupdates?
 
 The machine is a 300MHz 2MB L2 sparc64 SUN Ultra 30. softdeps is almost  
 required as it speeds up something like the extraction of a tarball  
 exponentially. I'm guessing somewhere near 25x. It's very slow on this  
 machine without sofdeps.
 
 So, your system is slow _without_ softupdates?
 

I think he means untar is faster but doing ls, uname etc is slower WHILE
doing the untar. It's a fair enough question till you actually think
about it. I think Tobias Ulmer summed it up best



OT - comments from a debian user

2010-02-23 Thread Michal
I would ignore this if you don't like Off topic posts, and flame me if
you so wish, just there is a small discussion going on in a debian mail
list and this post made me chuckle a bit...reminded me of Jason's
presentation about bsd dying. In hindsight, why I said anything in the
first place I will never know.

back story
On 22/02/2010 13:01, NN9OON3N?O N N,N;N;N1O wrote:
  (it is, isn't it? :-) )
 
  So, yes, we are moving on from our 10year experience with gentoo, and
  are searching for our new environment. From my personal experience I
  would say debian stable - any hard evidence to support the claim? Server
  OS statistics? Statistics for stableness? Bugs? Any white papers showing
  debian's superiority?
 
  I am also doing my google research, but I'm asking if someone can point
  me to something like real hard evidence...
 
  Thanks,
  G.
Depending on what you want to use the servers for, OpenBSD
/backstory

What someone replied;

Given that the amount of resources going into Linux kernel development over
the past 10 years and moving forward is a vast ocean compared to the trickle
of resources going into *BSD kernel development, for me, the choice of
kernel is clear, as it is with many folks.  The Linux kernel walks over
*BSD in too many categories to count.  The *BSD kernels might walk all over
the Linux kernel in only a couple of categories, if that.

These projects are hacks in the true sense of the word.  They are doing it
to prove to themselves it can be done.  It will be a very long time until
either of these is production ready, if ever.  Look at the Hurd project for
a sobering reminder.  It's 12 years old and still not close to its first
release, let alone production ready.  Probably never will be, again, due to
developer resources.

http://en.wikipedia.org/wiki/Debian_GNU/Hurd

Debian GNU/Hurd has been in development since 1998[1], but still has not
been officially released. Over 60%[2] of the software packaged for Debian
GNU/Linux has been ported to the GNU Hurd. However, the Hurd itself remains
under development, and as such is not ready for use in production systems.
The overwhelming majority of Debian users run Debian GNU/Linux, rather than
Debian GNU/Hurd.



Re: Refusal to mention OpenBSD in a MSc Advanced Networking course

2010-02-15 Thread Michal
On 14/02/2010 02:40, TS Lura wrote:
 Thank you all for the replies.
 
 I might do a lecture on my own, presenting OpenBSD.
 
 If I where to do that it, as a subsection, would be cool to give references
 to other institutions that are using OpenBSD and why they are using it.
 
 Why one would use OpenBSD, over eg. GNU/Linux.
 Now I would cite preemptive security, code correctness, it's easy to use;
 enable daemons through rc.conf, pf, openssh, possibility for zfs in kernel?,
 good documentation, jailing of daemons.
 
 It would also be cool to highlight any specific snazzy functionality.
 Something that would get (MSc/geeky) people to think. ooh, that's
 cool particular in relation to networking.
 eg. I think the scrubbing of packets in PF is kinda cool, pftop, see
 the interruptcounter for the nic and serial console. :P
 
 Maybe something related to cryptography, or general network gear(routers,
 switches) , or any new cool feature in PF or something
 that's expensive with Cisco but cheap and good with *BSD. ipsec?, VoIP? cool
 feature in OpenSSH.
 
 
 .tsl
 

When I did A-Level Computer Science quite a few years ago

(I don't know what the non-English equivalent of the A-Level would be; I
don't even think there is an equivalent in the American system, as we have
GCSEs then A-Levels then uni in England... so here is a link
http://en.wikipedia.org/wiki/A_level )

I had people in my class who couldn't program and knew very little about
firewalls and such like... it was a shock that very few of them had even
built a computer and really understood things. I was no expert back
then, but I had coded PHP, bits of C, knew bits of Linux, Windows Server,
how DNS worked and such like. I had two teachers and one was off for 8
weeks with an operation, and our other teacher just said carry on doing
your work in his lessons; I usually ended up teaching the other people
in the class what I thought they should learn. Many of them had trouble
grasping ideas like database normalisation, and Pascal was the language
of choice and they had trouble understanding little bits. I helped them
through it and showed them bits of PHP and how it was similar to other
languages and how they can move on to C and such like.

Over the last few years I've been out with a few girls who are in one
uni or other (I really should learn to not get involved with girls at
uni) and whenever I meet their friends who are doing IT-related degrees
I always mention they should check out OBSD et al and give them tips on
how to get into the industry and what would look good on their CV. Of all
my friends that go to uni to do IT-related degrees, I don't think any of
them know of OpenBSD... they get taught Linux in a module but hardly much.

My point is, if you know something, share it. This isn't banking or
finance, you don't hold the keys to get one up on people... talk to
your class, hold something outside of normal lectures/seminars etc, "help
a brother out" as my friend would say. I don't think the "you have one up
on your fellow students" argument is a good one; in fact I think that's
rather shit. Share it, give your opinions... chances are (in my
experience) they will appreciate it, but always remember to back off if
they want you to.



Re: AMD power reduction

2010-02-05 Thread Michal
On 04/02/2010 23:02, Jean-Francois wrote:
 All,
 
 I am looking forward to reduce the TDP for a server planned to be built.
 As low as possible shall be best, is AMD cool'n quiet operating with latest 
 OpenBSD ?
 
 Regards
 

Depending on what you were looking at, you can reduce the voltages (if
your BIOS has this much control) and this will lower power/heat. I've
done this on PCs with bad HSFs in hot temperatures. Though, like
overclocking, it's an art that requires testing, trying and patience to find
the lowest/highest while still being stable.



Re: AMD power reduction

2010-02-05 Thread Michal
 Hello,
 
 I think of doing this too.
 What I would like to understand is if I will be able to use the frequency
 change 1000 / 2000 MHz dynamic load based.
 
 Regards
 

Do you mean change the frequency depending on load on the computer...?
This is very easy in a virtual environment; I am not sure on a machine. I
have seen Windows software that allows you to change certain options
while in the OS, though whether you could do this in OpenBSD, and
dynamically, you will need to see if someone else knows the answer. GPUs
are very easy to do this with... certainly doing it manually, but CPU
stuff I'm not so sure...



Re: trac on OpenBSD current

2010-01-21 Thread Michal
 I think that this is the point. I installed from a plain
 install46.iso, but then I thought I could have choosen which ports
 tree to choose, -stable or -current. Where can I get more info about
 the upgrade process to -current?
 
 Thanks
 
 Sebastiano
 

http://openbsd.org/anoncvs.html#starting
http://www.openbsd101.com/updating.html

Some places to start. Use cvsup to download src, ports...whatever you
wish and choose the branch you want, stable or current. Do some digging



Re: another reassemble tcp problem - details for PF developers

2010-01-15 Thread Michal
snip

It may be an irrelevant coincidence but each
FTP site that this happened with was Microsoft FTP. It never happened (ie
FTP always worked fine) with other server types.

snip



I don't know if this matters, but I had some problems recently with
people downloading from external FTP servers and we found it had
something to do with the FTP client and the use, by either the client or
the external server, of passive mode. I can't remember the exact details
but it came down to the MS client/server working differently than
expected... this probably won't help anyone but it might.



Re: ComixWall terminated

2009-12-10 Thread Michal
So what... someone was wrong, someone's train of thought was wrong... so
what? Someone posts something and it's the wrong place... ok, say this
isn't the place and move on. If this person thought they were helping
and people think they are not... well, they have a different opinion, but
really they haven't actually done anything wrong. The way Theo spoke to
them in the e-mail was quite rude, and you could say "oh well, it's only
words" but then you can say "oh well, it's only an announcement".
Ridiculing someone and telling them to get off the list is rude and
unnecessary for someone who was only trying to help, whether they
actually were or not, and whether they were right or wrong; in reality
they didn't do any harm.

We can all hold our hands up for being wrong, having a different
opinion, sometimes doing things that are not helpful but you genuinely
thought they were. This person, I don't think, had any intent to do
anything but help. The harsh words from some people pushing them away are
not needed, and then ridiculing them when they want to terminate because of
the way they have been spoken to is a sad loss. Some people are
sensitive to the way people have spoken to them. Mocking them by coming
out with gems like "Do you cut yourself when somebody yells at you, just
to show them?" is quite unnecessary.



Re: Truncation Data Loss

2009-11-11 Thread Michal
Janne Johansson wrote:
 Nick Guenther wrote:
 
 So, as nicely summarized at

 http://www.h-online.com/open/news/item/Possible-data-loss-in-Ext4-740467.html
 ,
 ext4 is kind of broken. It won't honor fsync and, as a /feature/, will
 wait up to two minutes to write out data, leading to lots of files
 emptied to the great bitbucket in the sky if the machine goes down in
 that period.
 There is a very simple explanation for why things are so.
 Actual data file loss has never been what these things were coded for.
 filesystem *tree and meta-data*, ie. the structure of how things are
 knit together, is the main concern.  If you lose the filesystem tree
 structure, you've lost all your files, not just the newest ones.
 Therefore the goal is safe metadata handling.  The result is you can
 lose specific data in specific (newly written to) files, but the
 structure of the filesystem is consistant enough for fsck to not damage
 it.
 
 See, since it seems that BSD doesn't have this file-data consistency
 guarantee, are Linus' worries about ext4's potential data loss just
 being alarmist? It seems to me that the case described in
 https://bugs.edge.launchpad.net/ubuntu/+source/linux/+bug/317781/comments/45
 is just as likely to happen on OpenBSD--if I run KDE or GNOME and mess
 around with my settings then quickly murder the system the files will
 be resurrected empty, right?
 
 It seems like some posters in this thread somehow misses the fact that
 if you have outstanding writes and the box dies. Some of your data dies
 also. New or old data, something will be missing.
 
 From the point your app does a write(), it gets buffered in the I/O
 handling, it gets buffered by the device driver for the card, it gets
 buffered in the card probably, it gets buffered on the on-disk memory
 cache and then it serially hits the platter one bit a a time until its
 all written. If you have data in this long pipe and the power goes, you
 will lose data, period.
 
 OpenBSD has chosen to try harder to keep the metadata intact, and ext4
 doesn't try at all, for the love of speed. Still, you are only moving
 around the window of opportunity for fail, and sometimes making it
 larger or smaller, but it is always there.
 
 The last comment above should really only read:
 If I quickly murder my system, the files might be gone. Nothing else.
 
 If you have writes going, data loss is a reality. Sometimes more,
 sometimes less, but its all games with statistics. If ext4 has a 50%
 chance of killing your files and FFS on obsd has 1%, you might still get
 to keep your KDE settings on either system or you may lose them all. It
 shouldn't be news to anyone that Linux always went for fast-and-insecure
 whereas the BSDs opted for slower-but-safer for the filesystems. Making
 a fuss about how insecure the penguins are this week feels like a waste
 of time to me.
 
 If you care about your data, you have backups.
 
 Regardless of if the probability is 1% or 50%, because for someone out
 there, the percentages will be against you.
 

I know this is a bit off topic, but storage devices have batteries on
RAID cards for a reason. If you are worried about reads/writes etc. when a
system dies, there are measures you can take.



Re: Filtering scp ssh and sftp

2009-09-29 Thread Michal

Simen Stavdal wrote:

Hello misc,

I have an openbsd host running that I wish to access in different 
manners depending on where the users connect from.
This host runs sftp chrooted for internet users, and at the same time, 
I wish to administer the box with ssh.
At the same time, I do not wish to allow ssh from the internet. We 
have a policy that only vpn connected users can administer local systems.
The host is located on a dmz with one interface and one public ip 
address.


Between the users, the internet and this server I have two firewalls 
running openbsd 4.1 GENERIC.MP (with Carp over Vlan over trunk).


Internet -Firewall---DMZ with SFTP server
|
  Internal users

I want to allow all ssh services for internal users, and sftp _only_ 
from the internet.
Since sftp/scp/ssh all run on the same port number (22 default), is 
there a way to filter the traffic with pf?
I've seen that you can queue the traffic with ALTQ, but is there a way 
to block/allow before this stage?

Any best practice on the subject?

Cheers,
Simon.

Change the listening IP for one of the services and block access to that
new IP address in PF?
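The suggestion above in pf rules, as an added example that is not from the thread. It assumes the DMZ host has been given two addresses, with the public sftp listener bound to one and the admin sshd to the other (two sshd instances with different ListenAddress settings, or on an OpenSSH with Match LocalAddress, one instance that forces internal-sftp for the public address). All interface names and addresses below are assumptions: $ext_if em0, VPN users on tun0 from 10.8.0.0/24, sftp on 198.51.100.10, admin ssh on 198.51.100.11. The filtering is by address only, so it is only as good as the binding: the admin sshd must not also listen on the sftp address.

```pf
# Added example; not from the thread. Firewall-side rules (OpenBSD 4.1-era
# syntax; keep state is the default there) for a DMZ host with one address
# for public sftp and another for admin ssh.
# Assumed names and addresses; none of them are in the original post.
ext_if   = "em0"
vpn_if   = "tun0"
sftp_ip  = "198.51.100.10"
admin_ip = "198.51.100.11"
vpn_net  = "10.8.0.0/24"

# The chrooted sftp listener is reachable from anywhere on port 22
pass in on $ext_if inet proto tcp from any to $sftp_ip port ssh

# The admin listener is never reachable from the internet. "quick" ends
# evaluation here, so no later, broader pass rule can re-open it.
block in quick on $ext_if inet proto tcp from any to $admin_ip port ssh

# Only VPN-connected users reach the admin listener
pass in on $vpn_if inet proto tcp from $vpn_net to $admin_ip port ssh
```

Verify with pfctl -nf /etc/pf.conf, then from an outside host confirm that port 22 on the admin address times out while the sftp address still answers; on the DMZ host, netstat -an shows which address each sshd is actually bound to.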




Re: OT: Iphone with OpenBSD

2009-09-18 Thread Michal
That whole site has brilliant rants that remind me of Zero Punctuation videos :)

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
Gilles Chehade
Sent: 18 September 2009 12:22
To: Jacob Yocom-Piatt
Cc: misc@openbsd.org
Subject: Re: OT: Iphone with OpenBSD

hehe, following a link from a link from thelinuxoniphone blog, I ran
into this:

http://www.thebestpageintheuniverse.net/c.cgi?u=iphone

made my day ;-)

Gilles

On Fri, Sep 18, 2009 at 05:10:49AM -0500, Jacob Yocom-Piatt wrote:
 Alvaro Mantilla Gimenez wrote:
 I just found this page:
 
 http://linuxoniphone.blogspot.com/2008/06/why-iphone-linux.html
 
 I don't have any idea about how/where to start. Maybe Theo can put some
 light here...I think my developer skills are far to be good enough but,
 hey...I would like to try !!
 
 


 getting openbsd working on an iphone would be a pretty serious
 undertaking and would require a lot of man hours that aren't currently
 available. you have to remember that the project is mostly driven by
 donated developer time.

 if you have 100K USD and are committed you might be able to make it
 happen. there would have to be a lot of reverse engineering on drivers
 and there is no reason to expect apple wouldn't change the chipsets
 across versions to make minute optimizations on cost. assuming you could
 get all this code written there are many man hours that go into keeping
 the arch working properly on an ongoing basis.

 there is no doubt this would be sweet but you have to be realistic when
 considering the amount of work it would take to make this happen. there
 are 10 mln iphones in circulation so there is no shortage of machines


 Regards,
 
 Alvaro
 
 beowuff wrote:
 
 Reading the article posted on undeadly.org:
 http://www.informit.com/articles/article.aspx?p=1393496
 
 I was thinking it would be cool to have an Iphone running OpenBSD...
 
 Imagine that: the most secure phone in the planet :-P
 
 Man, I have an old 1st gen iPhone just sitting there... I would so put
 OpenBSD on it. Unfortunately, I wouldn't know where to begin :(


--
Gilles Chehade
freelance developer/sysadmin/consultant

   http://www.poolp.org



Re: 4.6 postponed to Nov 1

2009-09-18 Thread Michal
How dare she...you'd only be thinking about it ;)

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Matt
Bettinger
Sent: 18 September 2009 15:39
To: Michael
Cc: m...@cvs.openbsd.org
Subject: Re: 4.6 postponed to Nov 1

On 9/18/09, Michael bele...@bsdmail.de wrote:
  Heh. I just cannot help being a little amused by this, since we are
  expecting our second kid with an ETA of Nov 1, and I thought it would
  have been a fun coincidence to have OpenBSD and (possibly) a kid
  released the same day. :-)
 
  don't name it puffy, please ;)
 
 
  Don't listen to him; there's a shiny American dollar in it if you do.

 +1 EUR

 ;-)



That's funny because we have a c section scheduled Oct 1, 2009  to go in
and get my third child.  (boy). My wife REALLY believed (and maybe it
is true)  that I was going to be upgrading boxes on the same day my
son is born.  She can rest easy now that the Release date has been
bumped up!

re,

mb



Re: OT: Iphone with OpenBSD

2009-09-18 Thread Michal
...you just kill-joyed that whole page. It's a stupid rant that's quite funny
if you like that humour and he is going on the first version of the iPhone,
non-jailbreak (you can't bring that into it by the way as he is taking both
phones as-is). So please don't suck the humour out of everything



-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
Alvaro Mantilla Gimenez
Sent: 18 September 2009 17:04
To: misc@openbsd.org
Subject: Re: OT: Iphone with OpenBSD

Jan Stary wrote:

  We will be trying to develop an entire suite of device
  drivers for undocumented hardware and then attempt to run
  a full-fledged operating system on it.

 Just hack away! After reading
 http://www.thebestpageintheuniverse.net/c.cgi?u=iphone
 of course.


Comparing the two phones is not the point here...this guy does not have
any clue about what the iPhone is and probably he is using his Nokia to
give pleasure himself through his ass.

The site describes a normal iPhone. A jailbroken iPhone with Cydia and
all the packages and cool stuff is a different beast. You can run perl,
php, python, ruby, apache, svn, cvs, etc...you can manage your servers
(the example that the guy is using against the iPhone) through the
Terminal application and connect with openssh, rdp or vnc...whatever you
want.

The keyboard comment...it is just valid for an English speaker...if you
speak another language with more complex characters then you do less
work because it is easier to select those characters and guess what? You
do fewer taps at the end of the day.

You can actually say: Hey, here is your small server for your small
office...right here in my pocket !! You can use it as media server,
web server, backup server... Take a look at Cydia and the repositories.

It has support for MMS and video recording (yes..cycorder), IM (too many
clients...you already have problems choosing one because of that), vlc,
mplayer, mxtube (in fact...I downloaded the slackathon conferences with
that), SIP, VoIP and a lot of other cool stuff. You can, from a long time
ago, personalize your ringtones without iTunes...so...that site is just
the opinion of one guy that does not know wtf he is talking about.

The actual point of the post was to have an iPhone/iPod Touch running as
small SECURE server.

It is running a BSD OS already...but not secure. That's the point of all
this post.

Regards,


 Alvaro



Re: 4.6 will be released on October 1st?

2009-08-19 Thread Michal
-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
Jacob Meuser
Sent: 19 August 2009 04:08
To: OpenBSD Misc
Subject: Re: 4.6 will be released on October 1st?

On Tue, Aug 18, 2009 at 10:03:58PM +0300, Lars Nooden wrote:
 wim wauters wrote:

 Actually, better to aim Theo at YouTube and their ilk so they stop using
 Flash in the first place.

 +1

 Flash is a pox.  Youtube, and any other flash site, should go over to
 open standards.  Ogg Theora comes to mind there.

*sigh*

you're blaming the wrong people.  2009 and just now streaming video/audio
is being standardised in html?

and theora?  give me a break.

either blame the w3c or the FOSS community in general for not creating a
superior free video codec.  don't blame youtube and the like for using
de facto standards.

--
jake...@sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org



I have to agree here...they are using the standard that the majority of people
have, that works, that people understand. Of course, they *should* change to
an open standard like in HTML 5 but even that is a bit borked since Apple et
al started moaning about it because they are twaty wankers



Re: Boxes hanging intermittently. Anybody seen such ?

2009-08-17 Thread Michal
Is there a set time when this will happen, say after it's been up for ~5
hours, or is it completely random, 2 days one time, 1 hour another?

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
Andres Salazar
Sent: 17 August 2009 01:29
To: misc@openbsd.org
Subject: Boxes hanging intermittently. Anybody seen such ?

Hello,

During the past week two boxes on the same network have
stopped responding. They carry OpenBSD 4.5 i386 and I have looked at
every possible log to find out why this occurs, however I haven't been
able to spot anything unusual. All of a sudden they just stop
responding to requests.

What these freezes do have in common is that when the boxes are
reached via the KVM they present the login screen, they allow text to
be entered in the login field... but upon hitting enter for it to ask
the password that's when it just hangs.

I am afraid this will keep on happening and I would like to know if
anybody has experienced this before... these have been perfectly
working boxes and it would be just odd both would have the same
problem in the same few days.

Upon a reboot everything returns to normal.

Thank you.
Andres



Re: Web GUI for named(8) ?

2009-07-23 Thread Michal
What about ISPConfig? I can vouch for webmin, but ISPConfig comes highly
recommended by a lot of people. You also have cPanel but I am not sure if
that has an OpenBSD port...or ISPConfig for that matter but you didn't
mention it so thought I would...



-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Dr
Alastair F. Brown
Sent: 23 July 2009 09:32
To: Rolf Sommerhalder
Cc: OpenBSD Misc List
Subject: Re: Web GUI for named(8) ?

Quoting Rolf Sommerhalder rolf.sommerhal...@alumni.ethz.ch:

 Hello list,

 Can you recommend any GUI that enables junior IT staff to maintain
 basic DNS Resource Records (such as for ex.. A, PTR, CNAME,...) for
 BIND 9 running on OpenBSD?

 Also, I will consider alternatives to named(8), provided that they
 support an authoritative, split DNS server and some simple GUI, all
 running on OpenBSD.

 So far, I have been looking at webmin, Binder, smbind, ProBIND, DNS
 Control, adadns. None of them appears to have a OpenBSD port yet.
 Their maturity  development activity appears to vary widely.

I have used webmin for a while to allow simple changes to be made to
our wireless gateway by others in the team who do not normally deal
with it (e.g. during holiday periods etc.). I have not used the BIND
module, so cannot comment on that.

In its favour -

a) simple install, just run the setup script
b) very easy updates of core system and modules
c) Custom Command module is VERY useful for setting up CLI commands
needed by staff who can never remember them (to be honest that
includes me sometimes!). Can also be safer than allowing them control
of e.g. BIND through the BIND module, from where they could do a lot
of damage

Not in its favour -

a) it is a GUI

Make sure you use SSL - requires p5-Net-SSLeay

Al

--
Dr Alastair F. Brown, Head of Computing
MRC Human Genetics Unit, Edinburgh EH4 2XU, UK
Mailto:alastair.br...@hgu.mrc.ac.uk
http://www.hgu.mrc.ac.uk/Users/Alastair.Brown/
Fax: +44 (0)131 467 8456Phone: +44 (0)131 332 2471



Re: New Project - MICO

2009-07-23 Thread Michal
I liked the video, I liked the concept, I give you more credit for using ogv
and I will definitely have a look at MICO...but please...for love of atheism,
please don't keep highlighting bits of text if you make another one...it
made it incredibly tedious to watch at times.

All credit to the fact it's very simple to understand...so with this in
mind, when you type history we know what it is you're doing and do not need
to highlight this...Just a little heads up, I know I really am nit
picking but I've seen so many people do presentations, videos etc badly and
you end up hurting yourself more. :)

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
Fernando Quintero
Sent: 22 July 2009 23:22
To: tico
Cc: Astrid Sanchez; misc@openbsd.org
Subject: Re: New Project - MICO

Hi Tico, I'm working on the project too.

Basically, how do you add new commands to nsh? Coding in C? The
idea is to use a .xml file with easy fields.

And we think nsh is used more for routing services, like BGP, OSPF,
etc. With mico the idea is to configure system stuff and services
installed with the base system, like dhcp, dns, vpn, nfs, ssh, etc.

These are some ideas about what we want to do.

2009/7/22 tico tico-o...@raapid.net:
 Astrid Sanchez wrote:

 Here in Colombia started some months ago the development of a
 new project called MICO. Its purpose is to create a CLI to configure
 services on OpenBSD. MICO was presented in Campus Party Colombia and you
 can see the slides on [1], also the screencast showing the functionality
 implemented so far in [2].


 Hello Astrid,

 I've read your slides, but it's not clear to me what advantage MICO has
 over nsh[A], which already is a CLI that configures services on OpenBSD
 and is well integrated.

 Certainly you're free to write whatever CLI or management scripts you
 want, but I was curious why you wanted to start over? What problem with
 nsh are you trying to fix?

 !Saludos!
 Tico

 [A] http://www.nmedia.net/nsh/





--
--

Fernando Quintero
http://nonroot.blogspot.com/
*Just a nonroot User*



Re: reason for libexec?

2009-07-15 Thread Michal
As far as I'm aware ADD is on the autistic spectrum, and it is generally
believed that a lot of people in IT are on the spectrum, especially those in
the more technical areas, so in a way, you're probably sort of right...in a
way.

Though, have you been tested for Asperger Syndrome?

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
Theo de Raadt
Sent: 15 July 2009 17:31
To: Daniel Barowy
Cc: misc@openbsd.org
Subject: Re: reason for libexec? 

 On Wed, 15 Jul 2009, Theo de Raadt wrote:
 
  It is stuff that isn't on root's path.
 
 
 Ok-- it turns out I am even more naive than I previously thought.  I can 
 see that /usr/libexec is not in root's path on my machine (maybe that's 
 why the 'usr' part is in there?).
 
 But why not?

Because it is stuff that isn't SUPPOSED TO BE on root's path.


Does everyone on this list have ADD?



Cheap Sun equipment

2009-07-02 Thread Michal
With the Woolworths collapse, there are still some things up for grabs. It's
phase 4 now, almost all has gone, but people might be interested

http://www.hilcoind.com/sales/sale.asp?SALE_ID=1412SALE_REFERENCE_ID=DLNOCMOFBC611200952523



Re: random crashes on a firewall with OpenBSD 4.5-stable

2009-06-26 Thread Michal
Well, you can check the voltage readings in the BIOS, most will give you a
reading, but I am sure there is some BSD software out there, maybe someone
on the list will know. On Windows you can use Speedfan. Even if it's not
this, it's worth knowing how to check this as a simple check on servers.

-Original Message-
From: Comète [mailto:com...@daknet.org]
Sent: 26 June 2009 16:42
To: Michal
Subject: Re: random crashes on a firewall with OpenBSD 4.5-stable

Oh sorry :p
How could I test the power supply unit?

Michal wrote:
 Other servers?? I don't mean PDU, I mean PSU...the power supply in the
 server. If you're sharing a power supply across 2 servers I would be
 shocked :)

 -Original Message-
 From: Comète [mailto:com...@daknet.org]
 Sent: 26 June 2009 13:48
 To: Michal
 Subject: Re: random crashes on a firewall with OpenBSD 4.5-stable

 No problem with the PSU and voltage limits. The PSU isn't used at its
 full capacity and the other servers plugged on it work well.

 Could it be a bad network interface ?

 Michal wrote:
 Just stabbing in the dark here, test your voltage rails on your PSU. Check
 they are within limits. I find unexplained crashes can be traced back to
 PSUs quite often

 -Original Message-
 From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
 Comète
 Sent: 26 June 2009 12:22
 To: Misc OpenBSD
 Cc: Daniel Gracia Garallar
 Subject: Re: random crashes on a firewall with OpenBSD 4.5-stable

 Well I have tested the RAM with memtest, no error.

 Maybe another idea?

 Thanks

 Daniel Gracia Garallar wrote:
 Oh and maybe bad RAM; I've hit some nasty errors with these faulty
 DIMMs... :/

 Comète wrote:
 Hi,

 we are using the last OpenBSD 4.5-stable release on an old Compaq
 Proliant ML350 as a firewall with spamd. But we encounter randomly
 some system crashes (once a week or two weeks). The system always
 displays the same message:

 uvm_fault (0xd080d9e00x0,0,1) - e

 kernel: page fault trap, code=0

 Stopped at cac_pci_l0_intr_pending+0xb
 push 0x34 (%eax)

 What do you think it could be ? I thought about maybe a hardware
 problem but where exactly...

 I join my dmesg below

 Thanks for your advice !

 OpenBSD 4.5-stable (GENERIC) #9: Sun May 17 22:59:17 CEST 2009
 r...@arwen.saintlo.fr:/usr/src/sys/arch/i386/compile/GENERIC
 cpu0: Intel(R) Pentium(R) III CPU family 1266MHz (GenuineIntel
 686-class) 1.27 GHz
 cpu0:


FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,
 FXSR,SSE
 real mem  = 267988992 (255MB)
 avail mem = 250839040 (239MB)
 mainbus0 at root
 bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @
 0xf, SMBIOS rev. 2.3 @ 0xec000 (31 entries)
 bios0: vendor Compaq version D11 date 01/29/2002
 bios0: Compaq ProLiant ML350 G2
 acpi0 at bios0: rev 0
 acpi0: tables DSDT FACP APIC SPCR
 acpi0: wakeup devices PBTN(S5)
 acpitimer0 at acpi0: 3579545 Hz, 32 bits
 acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
 cpu0 at mainbus0: apid 3 (boot processor)
 cpu0: apic clock running at 132MHz
 ioapic0 at mainbus0: apid 8 pa 0xfec0, version 11, 16 pins
 ioapic0: misconfigured as apic 0, remapped to apid 8
 ioapic1 at mainbus0: apid 2 pa 0xfec01000, version 11, 16 pins
 ioapic1: misconfigured as apic 0, remapped to apid 2
 acpiprt0 at acpi0: bus 0 (PCI0)
 acpiprt1 at acpi0: bus 2 (PCI1)
 acpicpu0 at acpi0
 acpitz0 at acpi0: critical temperature 31 degC
 acpibtn0 at acpi0: PBTN
 bios0: ROM list: 0xc/0x8000 0xc8000/0x1800 0xc9800/0x1800
 0xcb000/0x1800 0xcc800/0x4000! 0xd0800/0x1800 0xee000/0x2000!
 pci0 at mainbus0 bus 0: configuration mode 1 (bios)
 pchb0 at pci0 dev 0 function 0 ServerWorks CNB20LE Host rev 0x06
 pchb1 at pci0 dev 0 function 1 ServerWorks CNB20LE Host rev 0x06
 pci1 at pchb1 bus 2
 em0 at pci1 dev 1 function 0 Intel PRO/1000T (82544GC) rev 0x02:
 apic 2 int 0 (irq 5), address 00:02:b3:b9:0d:a4
 em1 at pci1 dev 2 function 0 Intel PRO/1000T (82544GC) rev 0x02:
 apic 2 int 2 (irq 15), address 00:02:b3:b9:0d:7d
 re0 at pci1 dev 3 function 0 D-Link Systems DGE-528T rev 0x10:
 RTL8169/8110SB (0x1000), apic 2 int 4 (irq 15), address
 00:1c:f0:6f:38:7e
 rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 3
 cac0 at pci1 dev 4 function 0 DEC Compaq SMART RAID 42xx rev 0x01:
 apic 2 int 6 (irq 11), Smart Array 431
 scsibus0 at cac0: 1 targets
 sd0 at scsibus0 targ 0 lun 0: Compaq, RAID1 vol #00,  SCSI2 0/direct
 fixed
 sd0: 34727MB, 512 bytes/sec, 71122560 sec total
 re1 at pci1 dev 5 function 0 D-Link Systems DGE-528T rev 0x10:
 RTL8169/8110SB (0x1000), apic 2 int 8 (irq 15), address
 00:1c:f0:62:eb:12
 rgephy1 at re1 phy 7: RTL8169S/8110S PHY, rev. 3
 fxp0 at pci0 dev 1 function 0 Intel 8255x rev 0x08, i82559: apic 2
 int 10 (irq 5), address 00:02:a5:44:33:f7
 inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
 ahc0 at pci0 dev 2 function 0 Adaptec AHA-3960D U160 rev 0x01: apic
 2 int 11 (irq 11)
 scsibus1 at ahc0: 16 targets, initiator 7
 ahc1 at pci0 dev 2 function 1 Adaptec AHA-3960D

Re: Open Vs Free BSD

2009-06-22 Thread Michal
-Original Message-
From: owner-freebsd-sta...@freebsd.org
[mailto:owner-freebsd-sta...@freebsd.org] On Behalf Of Charlie Kester
Sent: 19 June 2009 20:24
To: freebsd-sta...@freebsd.org
Subject: Re: Open Vs Free BSD

On Fri 19 Jun 2009 at 11:23:26 PDT Michael R. Wayne wrote:

OK, I'm going to take a guess here that English may not be Michal's primary
language and re-ask his question:

   Given the several versions of *BSD, I have been led to understand
   that each excels in different ways.  How do I select which one
   is right for my application, what are the underlying reasons
   that would lead me to that choice and what are the disadvantages
   I am risking?

This is, actually, not an inappropriate question coming from a potential
new user who is not familiar with the history surrounding the various
versions and would make an outstanding FAQ.  As an example, we run FreeBSD
on our firewalling machines because it works well enough and we prefer the
reduced support costs of using a single O/S across our network.  I am
unsure of what the advantage of moving to OpenBSD might be and would find
it very difficult to quantify the advantages (if any) versus the increased
support resources required.

This is a very real issue.  Linux has a similar problem; I've personally
been in meetings where clients examined the myriad Linux distributions
and say "It's very likely that we will make the incorrect choice.  So we'll
go with Windows."  I suspect similar events have occurred with *BSD.  So,
rather than jumping on people about them bringing up religious wars
(because, face it, you CAN edit a file perfectly well in either vi or
emacs :-), we'd all be better served by giving them enough information to
make the right choice in their situation while realizing the tradeoffs
they are making.


I agree, this shouldn't necessarily be treated as flamebait or trolling.

But shouldn't the question be redirected to the advocacy mailing
list/team?
--

Sorry, I would just like to add that English is my first and only language.
As I said at a Terremark Europe meeting (everyone else spoke [mostly] Dutch
and English, I speak English and bad English). I think my dyslexia and
general ignorance may have caused the confusion in my question. I was never
asking WHO WINS WHO WINS, as I have multiple OSes running; more looking
forward 2-5 years, upgrades and so forth, what should I take into account.
From the answers I have got, I've learned that I should ask my questions
better, most importantly I think there, and OBSD may not have lots of
packages but it has brilliant security. A desktop might be served better
with Linux or FreeBSD, but at the end of the day, it's your horse, your
course. You choose as you wish.

I thank you all



Open Vs Free BSD

2009-06-19 Thread Michal
Someone once said this to me:

Comparing FreeBSD and OpenBSD, FreeBSD is generally better at disk-related
I/O whereas OpenBSD handles net-I/O better. No test has been carried out to
prove this though.

Every offence to the person who said this, but they are not the best admin
ever, though they like to think they are (the worst kind I think)

Can anyone shed any light? The reason I ask is we were debating about a
network and he said OpenBSD on the network (routers, firewall etc) and
FreeBSD as the app servers (mail, files etc etc), which I can see makes
sense, but without having evidence it's pointless making a claim.

Thanks :-)



Re: Open Vs Free BSD

2009-06-19 Thread Michal
It wasn't an argument or a versus anything. It was just a question relating
to what he had said and the truth in it and the two OS's being used for
different reasons. That's all. No rage, no debate or looking for any winner!

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
dem...@thephinix.org
Sent: 19 June 2009 12:42
To: freebsd-sta...@freebsd.org; misc@openbsd.org
Subject: Re: Open Vs Free BSD

Oh why can't this versus this versus that never dies? There had been
raging debate about which OSes is much better compared to the others since
time immemorial. Sure, each one has its own merits over the others and
vice versa. So why feeding this issue up since up to this very moment,
there is no winner.

 and the security is in netbsd:

  http://netbsd.gw.com/cgi-bin/man-cgi?security+8+NetBSD-5.0
  http://www.netbsd.org/~elad/recent/recent06.pdf

 On 6/19/09, Ivan Voras ivo...@freebsd.org wrote:
 Kim Attree wrote:

 NetBSD runs on just about anything. That's its primary goal. Since I
 don't have any weird hardware, I've never had a use for NetBSD.

 I don't use NetBSD either but some recent development that come from
 that camp are very interesting:

 * Journalling UFS (smart journalling, not gjournal)
 * PUFFS (BSD implementation of FUSE-like system [file system in
 userland])
 * They had Xen dom0 and domU for years
 * They are starting to show decent results in SMP support, including a
 new scheduler (a bit similar to ULE); their GENERIC has SMP included
 * Possibly superpages, I'm not sure how to parse Merged amd64 and i386
 pmap. Large pages are always used if available
 * I think they are working on their own ZFS port
 * They have ported or reimplemented Linux LVM (read+write+admin)

 There are of course other things; see for example
 http://www.netbsd.org/releases/formal-5/NetBSD-5.0.html

 I have a feeling the project has been revitalized in the last few years.

 ___
 freebsd-sta...@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-stable
 To unsubscribe, send any mail to
 freebsd-stable-unsubscr...@freebsd.org



Re: OpenBSD HA

2009-06-11 Thread Michal
Not that I am disagreeing or anything, more questioning...but would we say
OpenBSD is better than Nokia Checkpoint Firewalls (disregarding cost
here)...

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
Joachim Schipper
Sent: 11 June 2009 10:14
To: misc@openbsd.org
Subject: Re: OpenBSD HA

On Wed, Jun 10, 2009 at 09:13:33AM -0400, Marcos Ortiz Valmaseda wrote:
 Regards to all list.
 I have several questions about OpenBSD that I don't have clear.
 Look, we are an investigation team that wants to implant a DataCenter for
 PostgreSQL, and we are thinking to use FreeBSD as the platform to let
 the databases (or the clusters of the db) and to use OpenBSD as the
 firewall to the outside. But we are very new in OpenBSD and we want to
 know if we could build a product above OpenBSD for all: as platform and as
 firewall, because then we can use only one project and time to build the
 product would be shorter.
 If we would use OpenBSD as a firewall, which would be the best solution to
 do that?
 1- With a redundant firewall
 2- With a centralized firewall
 etc

OpenBSD is widely used as a (redundant) firewall: pf is developed on
OpenBSD, and software like pfsync makes it easy to build a redundant
firewall. The network stack has been tuned extensively, etc. In short,
OpenBSD is quite possibly the best firewall platform available today,
and is very likely the best *nix firewall platform. And it's certainly
cheaper than Cisco.

As to PostgreSQL: it works just fine on OpenBSD. I'd encourage you to at
least try (benchmark) it to see if OpenBSD can suit your needs. FreeBSD
will do fine as a database platform, too; but OpenBSD has a stronger
focus on security, and - as you point out - running a single OS is
easier.
If you decide not to go with OpenBSD, you may wish to consider
OpenSolaris instead of FreeBSD, which will allow you to use ZFS and
DTrace, both of which may be useful in a PostgreSQL deployment. There
are good reasons not to use (Open)Solaris (you may consider it not
truly free, Oracle may kill it, you may have trouble finding people
with experience, the userland utilities lack polish, etc), but at least
it does offer some useful things in exchange for the headache of running
two different OSes.

OpenBSD is not usually used on big iron, so if you want to have one
huge(ly expensive) database server, you may wish to go with something
else. Reputedly, Linux and (Open)Solaris both do well here; I honestly
couldn't tell you if FreeBSD is a good choice.

Joachim



Re: OpenBSD HA

2009-06-11 Thread Michal
Well yes, horses for courses :)

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
Stuart Henderson
Sent: 11 June 2009 16:51
To: misc@openbsd.org
Subject: Re: OpenBSD HA

On 2009-06-11, Michal mic...@sharescope.co.uk wrote:
 Not that I am disagreeing or anything, more questioning...but would we say
 OpenBSD is better then Nokia Checkpoint Firewalls (disregarding cost
 here)...

for what I need, sure, very much better.
but different people's needs vary.

unfortunately I can't read about checkpoint without getting the
corporate song stuck in my head. arrrgh.

http://www.ranum.com/editorials/corporate-songs/sure-1.htm


