sysupgrade(8) and FAQ 4 - File Sets

2020-07-17 Thread Russell Ault
Hi all!

First, I'd like to say thank you to the developers for sysupgrade(8).
As a hobbyist with limited time and energy, anything that reduces the
pain of keeping software up-to-date is always going to be a boon for
security (in the sense that I'm more likely to find the time to do an
upgrade that is relatively quick and straightforward). Between
syspatch and sysupgrade, running OpenBSD has gotten a lot easier over
the last few years, and I really appreciate it!

I have a suggestion, though: for the sake of us dabblers (who do read
the FAQs and the manual, but aren't necessarily mailing list
subscribers), I'd like to propose the following update to FAQ 4,
under the heading "File Sets". Instead of:

New users are recommended to install all of them.

I propose the following:

Installing all file sets is standard practice, even on headless
systems. Only skip a file set if you have a very good reason to
do so.

This will bring the FAQ more in-line with the tone of what I've been
reading on the mailing lists recently, and makes the target audience
of this instruction clearer (I've been using OpenBSD on and off for
nearly fifteen years, so my status as a "new" user is somewhat
ambiguous, at least in my own head). It will also help to clarify
sysupdate's behaviour (which otherwise can come as a surprise during
an operation when all surprises in particular are unwelcome).

Thanks!

Sincerely,

Russell Ault



sysupgrade(8) and FAQ 4 - File Sets

2020-07-16 Thread Russell Ault
Hi all!

First, I'd like to say thank you to the developers for
sysupgrade(8). As a hobbyist with limited time and energy, anything
that reduces the pain of keeping software up-to-date is always going
to be a boon for security (in the sense that I'm more likely to find
the time to do an upgrade that is relatively quick and
straightforward). Between syspatch and sysupgrade, running OpenBSD
has gotten a lot easier over the last few years, and I really
appreciate it!

I have a suggestion, though: for the sake of us dabblers (who do read
the FAQs and the manual, but aren't necessarily mailing list
subscribers), I'd like to propose the following update to FAQ 4,
under the heading "File Sets". Instead of:

New users are recommended to install all of them.

I propose the following:

Installing all file sets is standard practice, even on headless
systems. Only skip a file set if you have a very good reason to
do so.

This will bring the FAQ more in-line with the tone of what I've been
reading on the mailing lists recently, and makes the target audience
clearer (I've been using OpenBSD on and off for nearly fifteen years,
so my status as a "new" user is somewhat ambiguous, at least in my
own head). It will also help to clarify sysupdate's behaviour (which
otherwise can come as a surprise during an operation when all
surprises in particular are unwelcome).

Thanks!

Sincerely,

Russell Ault



Re: Certain size packets not passing through a L2 over L3 IPsec tunnel

2019-10-14 Thread Russell Sutherland
Ok... I've updated both ends of the tunnel to OpenBSD 6.5 and the same problem 
exists when trying to pass packets of a certain size.

Any ideas on how to fix or work around this issue?

Thanks in advance.

Russell P. Sutherland   Email: russell . sutherland @ utoronto dawt ca
Network Engineer, I+TS   Voice: +1.416.978.0470
4 Bancroft Ave., Rm. 102  Cell: +1.416.803.0080
University of Toronto   Fax:   +1.416.978.6620
Toronto, ON  M5S 1C1

From: Russell Sutherland
Sent: Thursday, October 10, 2019 16:25
To: misc@openbsd.org 
Subject: Certain size packets not passing through a L2 over L3 IPsec tunnel

I've set up a L2overL3 tunnel using the template as found in "man etherip". I 
am running OpenBSD 5.9, which I believe is the first version to support the 
etherip interface.

I find the bridge/tunnel does not pass a small range of specific sized packets.

E.g. if 1.2.3.4 is at the far end of the tunnel and I am pinging from the local 
end:

ping -s 1388 1.2.3.4 works
ping -s 1396 1.2.3.4 works

All other sizes, 1389 to 1395 inclusive fail.

Is there some way to remedy this?


Thanks in advance.

Russell P. Sutherland   Email: russell . sutherland @ utoronto dawt ca
Network Engineer, I+TS   Voice: +1.416.978.0470
4 Bancroft Ave., Rm. 102  Cell: +1.416.803.0080
University of Toronto   Fax:   +1.416.978.6620
Toronto, ON  M5S 1C1


Certain size packets not passing through a L2 over L3 IPsec tunnel

2019-10-10 Thread Russell Sutherland
I've set up a L2overL3 tunnel using the template as found in "man etherip". I 
am running OpenBSD 5.9, which I believe is the first version to support the 
etherip interface.

I find the bridge/tunnel does not pass a small range of specific sized packets.

E.g. if 1.2.3.4 is at the far end of the tunnel and I am pinging from the local 
end:

ping -s 1388 1.2.3.4 works
ping -s 1396 1.2.3.4 works

All other sizes, 1389 to 1395 inclusive fail.

Is there some way to remedy this?


Thanks in advance.

Russell P. Sutherland   Email: russell . sutherland @ utoronto dawt ca
Network Engineer, I+TS   Voice: +1.416.978.0470
4 Bancroft Ave., Rm. 102  Cell: +1.416.803.0080
University of Toronto   Fax:   +1.416.978.6620
Toronto, ON  M5S 1C1


Re: OpenBSD 6.5 dumps to debugger when using ifconfig bridge command

2019-06-05 Thread Russell Sutherland
Done.

Russell P. Sutherland   Email: russell . sutherland @ utoronto dawt ca
Network Engineer, I+TS   Voice: +1.416.978.0470
4 Bancroft Ave., Rm. 102  Cell: +1.416.803.0080
University of Toronto   Fax:   +1.416.978.6620
Toronto, ON  M5S 1C1

From: owner-m...@openbsd.org  on behalf of Hrvoje 
Popovski 
Sent: Wednesday, June 5, 2019 05:59
To: misc@openbsd.org
Subject: Re: OpenBSD 6.5 dumps to debugger when using ifconfig bridge command

On 4.6.2019. 21:22, Russell Sutherland wrote:
> I tried loading current on the device and the same result:
>
> OpenBSD 6.5-current (GENERIC.MP) #5: Mon Jun  3 07:46:49 MDT 2019
>
> # netstat -in
> NameMtu   Network Address  Ipkts IfailOpkts Ofail Colls
> lo0 327680 00 0 0
> lo0 32768 ::1/128 ::1  0 00 0 0
> lo0 32768 fe80::%lo0/ fe80::1%lo0  0 00 0 0
> lo0 32768 127/8   127.0.0.10 00 0 0
> em0 150000:0d:b9:43:9b:3031715 0   120479 7 0
> em1 150000:0d:b9:43:9b:31   123252   11630860 0 0
> em2 150000:0d:b9:43:9b:32 1672 0  625 0 0
> em2 1500  128.100.103 128.100.103.831672 0  625 0 0
> enc0*   00 00 0 0
> bridge0 1500152255 0   151339 0 0
> pflog0  331360 0   70 0 0
> freenas-fw# ifconfig bridge0
> bridge0: flags=4WARNING: SPL NOT LOWERED ON S1
> YSCALL 5index 6 llprio 34 3 EXIT 0
> groups: bridg 9
> e
> priorStopped at  savectx+0xb1:   movl$0,%gs:0x530
> ddb{2}>


Hi,

can you take a look at this link
https://www.openbsd.org/ddb.html

when your box is up and running execute sendbug -P > bridge-problem.txt
and when your box is in ddb type these commands:
trace, ps

and send all those to the b...@openbsd.org mailing list ...



Re: OpenBSD 6.5 dumps to debugger when using ifconfig bridge command

2019-06-04 Thread Russell Sutherland
I tried loading current on the device and the same result:

OpenBSD 6.5-current (GENERIC.MP) #5: Mon Jun  3 07:46:49 MDT 2019

# netstat -in
NameMtu   Network Address  Ipkts IfailOpkts Ofail Colls
lo0 327680 00 0 0
lo0 32768 ::1/128 ::1  0 00 0 0
lo0 32768 fe80::%lo0/ fe80::1%lo0  0 00 0 0
lo0 32768 127/8   127.0.0.10 00 0 0
em0 150000:0d:b9:43:9b:3031715 0   120479 7 0
em1 150000:0d:b9:43:9b:31   123252   11630860 0 0
em2 150000:0d:b9:43:9b:32 1672 0  625 0 0
em2 1500  128.100.103 128.100.103.831672 0  625 0 0
enc0*   00 00 0 0
bridge0 1500152255 0   151339 0 0
pflog0  331360 0   70 0 0
freenas-fw# ifconfig bridge0
bridge0: flags=4WARNING: SPL NOT LOWERED ON S1
YSCALL 5index 6 llprio 34 3 EXIT 0
groups: bridg 9
e
priorStopped at  savectx+0xb1:   movl$0,%gs:0x530
ddb{2}>







Russell P. Sutherland   Email: russell . sutherland @ utoronto dawt ca
Network Engineer, I+TS   Voice: +1.416.978.0470
4 Bancroft Ave., Rm. 102  Cell: +1.416.803.0080
University of Toronto    Fax:   +1.416.978.6620
Toronto, ON  M5S 1C1  



From: owner-m...@openbsd.org  on behalf of Stuart 
Henderson 
Sent: Tuesday, June 4, 2019 13:53
To: misc@openbsd.org
Subject: Re: OpenBSD 6.5 dumps to debugger when using ifconfig bridge command
 
> There was a crash fixed in bridge(4) a few weeks ago, can you try reproducing
> on -current?


On 2019-06-04, Lee Nelson  wrote:
> I have twice seen kernel panics in the same situation. It drops to "ddb>"
> but the system is unresponsive. Unfortunately, other than taking a picture
> of the screen with my cellphone, I do not have any further information from
> the system. On both occasions, I was issuing "ifconfig bridge42" without
> any arguments. (and no, there aren't 41 other bridges. 42 has other
> significance in my network)
>
> On Tue, Jun 4, 2019, 08:41 Russell Sutherland <
> russell.sutherl...@utoronto.ca> wrote:
>
>> I began to install resflash (https://stable.rcesoftware.com/resflash/)
>> which is based on OpenBSD) to build a small firewall on an PC Engines apu2
>> board. Three interfaces, two bridged and one with an IP for management.
>>
>> I found the system would crash and drop down to the debugger interface
>> whenever I issued the:
>>
>> # ifconfig bridge0
>>
>> command.
>>
>> # ifconfig -a
>>
>> worked fine. After discussing this with the author we thought it good to
>> try the same configuration on vanilla 6.5 install.
>>
>> This worked better, but after a short period of operation the same
>> symptoms occurred:
>>
>> # ifconfig bridge0
>>
>> bridge0: flags=4WAR1
>>
>> Nindex 6 llprio ING: SPL NOT
>>
>> groups: bridgLOWEe
>>
>> priority 327RED68 hellotime 2 f ONwddelay 15 maxag e 20 holdcnt 6
>> pSYSCALL 5roto rstp
>>
>> desi4gnated: id 00:0 3 EXIT 0:00:00:00:00 pri 9
>>
>>    ority 0
>>
>> agsStopped at  savectx+0xb1:   movl    $0,%gs:0x508
>>
>> ddb{3}>
>>
>>
>> Here is the output from dmesg:
>>
>>
>> OpenBSD 6.5 (GENERIC.MP) #3: Sat Apr 13 14:48:43 MDT 2019
>> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>> real mem = 1996148736 (1903MB)
>> avail mem = 1926090752 (1836MB)
>> mpath0 at root
>> scsibus0 at mpath0: 256 targets
>> mainbus0 at root
>> bios0 at mainbus0: SMBIOS rev. 2.7 @ 0x77fb7020 (7 entries)
>> bios0: vendor coreboot version "88a4f96" date 03/07/2016
>> bios0: PC Engines apu2
>> acpi0 at bios0: rev 2
>> acpi0: sleep states S0 S1 S2 S3 S4 S5
>> acpi0: tables DSDT FACP SSDT APIC HEST SSDT SSDT HPET
>> acpi0: wakeup devices PWRB(S4) PBR4(S4) PBR5(S4) PBR6(S4) PBR7(S4)
>> PBR8(S4) UOH1(S3) UOH3(S3) UOH5(S3) XHC0(S4)
>> acpitimer0 at acpi0: 3579545 Hz, 32 bits
>> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
>> cpu0 at mainbus0: apid 0 (boot processor)
>> cpu0: AMD GX-412TC SOC, 998.28 MHz, 16-30-01
>> cpu0:FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PA

OpenBSD 6.5 dumps to debugger when using ifconfig bridge command

2019-06-04 Thread Russell Sutherland
 acpi0: bus 3 (PBR7)
acpiprt5 at acpi0: bus -1 (PBR8)
acpicpu0 at acpi0: C2(0@400 io@0x1771), C1(@1 halt!), PSS
acpicpu1 at acpi0: C2(0@400 io@0x1771), C1(@1 halt!), PSS
acpicpu2 at acpi0: C2(0@400 io@0x1771), C1(@1 halt!), PSS
acpicpu3 at acpi0: C2(0@400 io@0x1771), C1(@1 halt!), PSS
acpibtn0 at acpi0: PWRB
acpipci0 at acpi0 PCI0: 0x 0x0011 0x0001
acpicmos0 at acpi0
cpu0: 998 MHz: speeds: 1000 800 600 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "AMD AMD64 16h Root Complex" rev 0x00
pchb1 at pci0 dev 2 function 0 "AMD AMD64 16h Host" rev 0x00
ppb0 at pci0 dev 2 function 2 "AMD AMD64 16h PCIE" rev 0x00: msi
pci1 at ppb0 bus 1
em0 at pci1 dev 0 function 0 "Intel I211" rev 0x03: msi, address 
00:0d:b9:43:9b:30
ppb1 at pci0 dev 2 function 3 "AMD AMD64 16h PCIE" rev 0x00: msi
pci2 at ppb1 bus 2
em1 at pci2 dev 0 function 0 "Intel I211" rev 0x03: msi, address 
00:0d:b9:43:9b:31
ppb2 at pci0 dev 2 function 4 "AMD AMD64 16h PCIE" rev 0x00: msi
pci3 at ppb2 bus 3
em2 at pci3 dev 0 function 0 "Intel I211" rev 0x03: msi, address 
00:0d:b9:43:9b:32
ccp0 at pci0 dev 8 function 0 "AMD Cryptographic Co-processor v3" rev 0x00
xhci0 at pci0 dev 16 function 0 "AMD Bolton xHCI" rev 0x11: msi, xHCI 1.0
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 1 interface 0 "AMD xHCI root hub" rev 3.00/1.00 
addr 1
ahci0 at pci0 dev 17 function 0 "AMD Hudson-2 SATA" rev 0x40: apic 4 int 19, 
AHCI 1.3
scsibus1 at ahci0: 32 targets
ehci0 at pci0 dev 19 function 0 "AMD Hudson-2 USB2" rev 0x39: apic 4 int 18
usb1 at ehci0: USB revision 2.0
uhub1 at usb1 configuration 1 interface 0 "AMD EHCI root hub" rev 2.00/1.00 
addr 1
piixpm0 at pci0 dev 20 function 0 "AMD Hudson-2 SMBus" rev 0x42: SMBus disabled
pcib0 at pci0 dev 20 function 3 "AMD Hudson-2 LPC" rev 0x11
sdhc0 at pci0 dev 20 function 7 "AMD Bolton SD/MMC" rev 0x01: apic 4 int 16
sdhc0: SDHC 2.0, 63 MHz base clock
sdmmc0 at sdhc0: 4-bit, sd high-speed, mmc high-speed, dma
pchb2 at pci0 dev 24 function 0 "AMD AMD64 16h Link Cfg" rev 0x00
pchb3 at pci0 dev 24 function 1 "AMD AMD64 16h Address Map" rev 0x00
pchb4 at pci0 dev 24 function 2 "AMD AMD64 16h DRAM Cfg" rev 0x00
km0 at pci0 dev 24 function 3 "AMD AMD64 16h Misc Cfg" rev 0x00
pchb5 at pci0 dev 24 function 4 "AMD AMD64 16h CPU Power" rev 0x00
pchb6 at pci0 dev 24 function 5 "AMD AMD64 16h Misc Cfg" rev 0x00
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
wbsio0 at isa0 port 0x2e/2: NCT5104D rev 0x52
vmm0 at mainbus0: SVM/RVI
umass0 at uhub0 port 3 configuration 1 interface 0 "SanDisk Cruzer Glide" rev 
2.00/1.00 addr 2
umass0: using SCSI over Bulk-Only
scsibus2 at umass0: 2 targets, initiator 0
sd0: 29952MB, 512 bytes/sector, 61341696 sectors
uhub2 at uhub1 port 1 configuration 1 interface 0 "Advanced Micro Devices 
product 0x7900" rev 2.00/0.18 addr 2
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
root on sd0a (d3fbbb47f1a19759.a) swap on sd0b dump on sd0b




Russell P. Sutherland   Email: russell . sutherland @ utoronto dawt ca
Network Engineer, I+TS   Voice: +1.416.978.0470
4 Bancroft Ave., Rm. 102  Cell: +1.416.803.0080
University of Toronto    Fax:   +1.416.978.6620
Toronto, ON  M5S 1C1  



More syntax/parsing issues in the lists/macros of pf

2016-10-12 Thread Russell Sutherland
Is it possible to use a macro variable with a network CIDR value and then
reference it later in a list?

E.g. This first example is fine:


a = "1.2.3.4"
b = "2.3.4.5"

c = "{" $a $b "}"

works as expected, that is, c ends up as a list with host values:

c = "{ 1.2.3.4 2.3.4.5 }"

But if one uses the CIDR network format for any one of the variables, a syntax
error is created:

an = "1.2.3.0/24"
bn = "2.3.0.0/16"

cn = "{" $an $bn "}"

Output from pfctl -nvf /etc/pf.conf:

a = "1.2.3.4"
b = "2.3.4.5"
c = "{ 1.2.3.4 2.3.4.5 }"
an = "1.2.3.0/24"
bn = "2.3.0.0/16"
/etc/pf.conf:36: syntax error


—
Russell Sutherland
Supervisor, Network Development | Enterprise Infrastructure Solutions
Information Technology Services | University of Toronto
4 Bancroft Ave., Rm. 102 | Toronto, ON  M5S 1C1

russell.sutherl...@utoronto.ca
+1.416.978.0470 ~ tel
+1.416.978.6620 ~ fax



Connecting to a GRE Transparent Ethernet Bridging host

2016-09-13 Thread Russell Sutherland
Is it possible to use one of OpenBSD’s tunnelling interfaces
(gre/gif/etherip) to connect to a remote host (Edgerouter Lite) which is using
GRE in Transparent Ethernet (protocol type 0x6558) mode?

Looking at the source code in /usr/src/sys/net there is a flag for this mode
defined but I do not think it is referenced and hence not utilized.

# pwd
/usr/src/sys/net

# grep ETHERTYPE * | grep TRANS
ethertypes.h:#define	ETHERTYPE_TRANSETHER	0x6558	/* Trans Ether Bridging (RFC1701)*/

—
Russell Sutherland
Supervisor, Network Development | Enterprise Infrastructure Solutions
Information Technology Services | University of Toronto
4 Bancroft Ave., Rm. 102 | Toronto, ON  M5S 1C1

russell.sutherl...@utoronto.ca
+1.416.978.0470 ~ tel
+1.416.978.6620 ~ fax



Differences between etherip(4) and gif(4)

2016-07-20 Thread Russell Sutherland
I noticed that the etherip pseudo-device appeared with OpenBSD 5.9 which is
intended for tunnelling.

Prior to this I have been using the gif pseudo device to accomplish much the
same thing (in my case L2 over L3).

Apart from specifying a lower mtu value to avoid problems with larger
frames, is there any real advantage with the new etherip device?


—
Russell Sutherland
Supervisor, Network Development | Enterprise Infrastructure Solutions
Information Technology Services | University of Toronto
4 Bancroft Ave., Rm. 102 | Toronto, ON  M5S 1C1

russell.sutherl...@utoronto.ca
+1.416.978.0470 ~ tel
+1.416.978.6620 ~ fax



Core dumps after upgrading to OpenBSD 5.7

2015-05-15 Thread Russell Sutherland
 31 function 2 Intel 3400 SATA rev 0x05: DMA, channel 0 
configured to native-PCI, channel 1 configured to native-PCI
pciide0: using apic 0 int 20 for native-PCI interrupt
pciide1 at pci0 dev 31 function 5 Intel 3400 SATA rev 0x05: DMA, channel 0 
wired to native-PCI, channel 1 wired to native-PCI
pciide1: using apic 0 int 21 for native-PCI interrupt
atapiscsi0 at pciide1 channel 0 drive 0
scsibus2 at atapiscsi0: 2 targets
cd0 at scsibus2 targ 0 lun 0: TEAC, DVD-ROM DV-28SW, R.2A ATAPI 5/cdrom 
removable
cd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
uhub2 at uhub0 port 1 Intel Rate Matching Hub rev 2.00/0.00 addr 2
uhub3 at uhub2 port 1 Standard Microsystems product 0x2514 rev 2.00/0.00 addr 
3
uhub4 at uhub3 port 2 Mitsumi Electric Hub in Apple Extended USB Keyboard rev 
1.10/4.10 addr 4
uhidev0 at uhub4 port 3 configuration 1 interface 0 Mitsumi Electric Apple 
Extended USB Keyboard rev 1.10/4.10 addr 5
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 variable keys, 6 key codes
wskbd0 at ukbd0: console keyboard, using wsdisplay0
uhidev1 at uhub4 port 3 configuration 1 interface 1 Mitsumi Electric Apple 
Extended USB Keyboard rev 1.10/4.10 addr 5
uhidev1: iclass 3/0, 3 report ids
uhid0 at uhidev1 reportid 2: input=1, output=0, feature=0
uhid1 at uhidev1 reportid 3: input=3, output=0, feature=0
uhub5 at uhub1 port 1 Intel Rate Matching Hub rev 2.00/0.00 addr 2
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
root on sd0a (6b4b6c203a57b1ac.a) swap on sd0b dump on sd0b
bnx0: address 78:2b:cb:13:e4:0c
brgphy0 at bnx0 phy 1: BCM5709 10/100/1000baseT PHY, rev. 8
bnx1: address 78:2b:cb:13:e4:0d
brgphy1 at bnx1 phy 1: BCM5709 10/100/1000baseT PHY, rev. 8
ukbd0: was console keyboard
wskbd0 detached
ukbd0 detached
uhidev0 detached
uhid0 detached
uhid1 detached
uhidev1 detached
uhub4 detached

I’ve never had this behaviour after an upgrade.


--
Russell Sutherland
Supervisor, Network Development | Enterprise Infrastructure Solutions
Information Technology Services | University of Toronto
4 Bancroft Ave., Rm. 102 | Toronto, ON  M5S 1C1

russell.sutherl...@utoronto.ca
+1.416.978.0470 ~ tel
+1.416.978.6620 ~ fax



Re: OpenBSD embedded?

2014-12-04 Thread Russell Sutherland
Does anyone know if the Dual-Core 500 MHz, MIPS64 board that is used in
the Ubiquiti EdgeRouter family,
has been used as an OpenBSD platform? I know there is development on the
octeon http://www.openbsd.org/octeon.html
platforms, but not sure if the port was actually usable.

-- 
Russell Sutherland  I+TS
email:russell.sutherl...@utoronto.ca
office:   +1.416.978.0470
mobile: +1.416.803.0080




On 2014-12-04, 7:53 AM, Brad Smith b...@comstyle.com wrote:

On 12/04/14 07:05, Alan McKay wrote:
 On Thu, Dec 4, 2014 at 1:15 AM, Vivek Vinod vi...@icanconnect.com
wrote:
 We have been using Mikrotik routerboards since 7 years

 Huh?  With OpenBSD on them?

There are 3 PowerPC based RouterBOARDs. AFAIK the RB600 is supported
at the moment by the socppc port.

The RB800 and RB850Gx2 boards would probably be relatively easy to add
support for.




Re: OpenBSD embedded?

2014-12-04 Thread Russell Sutherland
Thanks… And may I assume with net booting saving local customizations
(firewall rules, network configuration, etc.)
is a bit awkward, as there is no local storage?

-- 
Russell Sutherland  I+TS
email:russell.sutherl...@utoronto.ca
office:   +1.416.978.0470
mobile: +1.416.803.0080




On 2014-12-04, 12:05 PM, Chris Cappuccio ch...@nmedia.net wrote:

Russell Sutherland [russell.sutherl...@utoronto.ca] wrote:
 Does anyone know if the Dual-Core 500 MHz, MIPS64 board that is used in
 the Ubiquiti EdgeRouter family,
 has been used as an OpenBSD platform? I know there is development on the
 octeon http://www.openbsd.org/octeon.html
 platforms, but not sure if the port was actually usable.
 

The port is going to be more usable if it gets USB support. Right now
you have to net boot.



NAT logging and limits using pf

2014-10-03 Thread Russell Sutherland
I am trying to determine whether using an OpenBSD system to perform
institutional NAT for our wireless users would be a viable option.

At the present time we are evaluating the A10 Thunder CGN  appliance.

There are a few issues for which I would like to get some input for those
using pf for NAT in large environments (  10k users )


  *   are there problems with arp cache resources?
  *   can logging be modified to use radius? We really need some hooks to
determine who is/was responsible for a given session.

Thanks in advance for any operational experience you may have using pf in a
similar environment.


--
Russell Sutherland  I+TS
email:russell.sutherl...@utoronto.ca
office:   +1.416.978.0470
mobile: +1.416.803.0080



Re: Problem with a startup script

2013-05-22 Thread russell

On 05/21/2013 11:18 PM, C. L. Martinez wrote:

Hi all,

  I have a problem with some tcl rc.d startup scripts. Start and status
works ok but stop and restart, doesn't.

  Script:

#!/bin/sh -x
#
# $OpenBSD: suricata_proxyin_agent,v 1.0

daemon="/usr/local/bin/suricata_proxyin_agent.tcl"
daemon_flags="-c /data/config/etc/sguil/suricata_proxyin_agent.conf -D"

. /etc/rc.d/rc.subr

pexp="/usr/local/bin/tclsh8.5 $daemon"

rc_cmd $1

I have tried several variants like to insert rc_stop specific option
or changing pexp to /usr/local/bin/tclsh8.5 $daemon $daemon_args
without luck.

Debugging script, acts as like the other system startup scripts:

.

+ echo NO
+ : NO
+ [ XNO = XYES ]
+ echo NO
+ : NO
+ domainname
+ [ X != X -a -d /var/yp/binding ]
+ echo NO
+ : NO
+ : NO
+ [ -n /usr/local/bin/suricata_proxyin_agent.tcl ]
+ unset _RC_DEBUG _RC_FORCE
+ getopts df c
+ shift 0
+ basename ./suricata_proxyin_agent
+ _name=suricata_proxyin_agent
+ _RC_RUNDIR=/var/run/rc.d
+ _RC_RUNFILE=/var/run/rc.d/suricata_proxyin_agent
+ eval _rcflags=${suricata_proxyin_agent_flags}
+ _rcflags=
+ eval _rcuser=${suricata_proxyin_agent_user}
+ _rcuser=
+ getcap -f /etc/login.conf suricata_proxyin_agent
+  /dev/null
+ 21
+ [ -z  ]
+ daemon_class=daemon
+ [ -z  ]
+ daemon_user=root
+ [ -n  ]
+ [ -n  ]
+ [ -n  ]
+ printf  %s -c /data/config/etc/sguil/suricata_proxyin_agent.conf -D
+ daemon_flags= -c /data/config/etc/sguil/suricata_proxyin_agent.conf -D
+ daemon_flags=-c /data/config/etc/sguil/suricata_proxyin_agent.conf -D
+ readonly daemon_class
+ unset _rcflags _rcuser
+ pexp=/usr/local/bin/suricata_proxyin_agent.tcl -c
/data/config/etc/sguil/suricata_proxyin_agent.conf -D
+ rcexec=su -l -c daemon -s /bin/sh root -c
+ pexp=/usr/local/bin/tclsh8.5 /usr/local/bin/suricata_proxyin_agent.tcl
+ rc_cmd stop

root@nsm10:/usr/local/etc/rc.d# ps xa |grep suricata_proxyin_agent.tcl
| grep -v grep
17486 p2- I   0:00.29 /usr/local/bin/tclsh8.5
/usr/local/bin/suricata_proxyin_agent.tcl -c
/data/config/etc/sguil/suricata_proxyin_agent.conf -D

Any idea why process is not stopped??

Because pexp uses pkill to do its work and pkill matches on command name
only (like ps -c).


The command name for your tcl scripts is the tcl interpreter.

I had the same problem with some python daemons I wrote.

My solution: ignore all the nice rc.subr goodness and write the rc.d script with
explicit start and stop bits.




Re: Problem with a startup script

2013-05-22 Thread russell

Because pexp uses pkill to do its work and pkill matches on command name
only(like ps -c).


Sorry for the noise, I just revisited this and I am wrong.
The pkill bits in rc.subr are using pkill -f
and that does match against the full arg list.

As said before, make a better pexp and it should work.
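As an added example (not code from either post) covering the rc.d script quoted above and the "make a better pexp" conclusion: rc.subr(8) finds and stops the daemon with pgrep/pkill -xf "${pexp}", so pexp is an anchored regular expression that has to cover the flags the daemon was started with, exactly as rc.subr's own default `${daemon}${daemon_flags:+ ${daemon_flags}}` does in the trace above. The paths and flags are the ones from the thread; the grep emulation of pkill -xf is this example's assumption.

```shell
#!/bin/sh
# Added example, not code from the thread. rc.subr(8) checks and stops a
# daemon with pgrep/pkill -xf "${pexp}", i.e. pexp must match the *whole*
# argument list of the process. A pexp that stops at the script name never
# matches a process that was started with flags, so "stop" finds nothing.

daemon=/usr/local/bin/suricata_proxyin_agent.tcl
daemon_flags="-c /data/config/etc/sguil/suricata_proxyin_agent.conf -D"
interp=/usr/local/bin/tclsh8.5

# Constructed sample: the command line ps(1) printed in the thread.
running_cmdline='/usr/local/bin/tclsh8.5 /usr/local/bin/suricata_proxyin_agent.tcl -c /data/config/etc/sguil/suricata_proxyin_agent.conf -D'

# The original script's pexp: interpreter and script, no flags.
pexp_original() {
	echo "$interp $daemon"
}

# Compose pexp like rc.subr's default (${daemon}${daemon_flags:+ ${daemon_flags}}),
# with the interpreter in front because that is how the process is named.
# $1 = interpreter, $2 = script, $3 = flags; the separating space is added
# only when flags are non-empty, so the expression is still exact without them.
pexp_for() {
	echo "$1 $2${3:+ $3}"
}

# Emulate pkill -xf: an extended regex that must match the full command line
# from start to end (grep -x). Prints 0 when pexp would find the process,
# 1 otherwise (mirrors pgrep's exit status).
pexp_matches() {
	if printf '%s\n' "$2" | grep -qxE -- "$1"; then
		echo 0
	else
		echo 1
	fi
}

# Show both expressions against the running process.
printf 'original pexp finds daemon: %s\n' \
	"$(pexp_matches "$(pexp_original)" "$running_cmdline")"
printf 'fixed pexp finds daemon:    %s\n' \
	"$(pexp_matches "$(pexp_for "$interp" "$daemon" "$daemon_flags")" "$running_cmdline")"
```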



nfe on i386

2013-03-08 Thread russell

doctor it hurts when I do this

PXE boot MAC address 00:e0:81:77:e8:78, interface nfe0
uvm_fault(0xd0a36200, 0x0, 0, 1) - e
kernel: page fault trap, code=0
Stopped at  get_hibernate_io_function+0x28: repe cmpsb 
(%esi),%es:(%edi)


Well stop doing that.

*sigh* yes I know I am dabbling with dark forces I don't fully
understand and should probably stop. But what the hell, it's the weekend.

I am allowed a bit of fun every now and then, right?

So.. I am trying to set up an i386 system for netbooting. The smart way
would be to install to the actual i386 then copy the filesystem to the
fileserver; the stupid way (my way) is to untar the sets and try to
reproduce the rest of the install script.


And just because that's not stupid enough, I am doing this on a spare
amd64 system 'cause I don't want to lose my net connection through the
alix the netboot tree is intended for.


As a bonus the bsd.rd boots just fine.

dmesg and trace to follow, but a quick question on MAKEDEV first:
to get the i386 dev entries I ran the i386 MAKEDEV in the diskless client
tree /diskless/firewall/dev/MAKEDEV and it *appeared* to do the correct
thing.


However I ran it from an amd64 kernel; is this ok or does it need to run
under an i386 kernel?


dmesg (actually a serial console dump)
PhoenixBIOS 4.0 Release 6.1
C OpenBSD/i386 PXEBOOT 3.17
boot
booting tftp:/bsd: 8288508+1101960 [52+372864+359455]=0x9a77cc
entry point at 0x200120

[ using 732744 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2012 OpenBSD. All rights reserved. 
http://www.OpenBSD.org


OpenBSD 5.2 (GENERIC) #278: Wed Aug  1 10:04:16 MDT 2012
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Dual-Core AMD Opteron(tm) Processor  SE (AuthenticAMD 686-class, 1024KB L2 cache) 3.01 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW,SSE3,CX16,LAHF,SVM
real mem  = 3454894080 (3294MB)
avail mem = 3387609088 (3230MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 11/07/08, BIOS32 rev. 0 @ 0xfdd34, SMBIOS rev. 2.4 @ 0xcdf6b000 (36 entries)
bios0: vendor Phoenix Technologies Ltd. version S2912-E V4.00 date 11/07/2008
bios0: empty empty
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP SSDT SRAT SPCR MCFG HPET APIC BOOT
acpi0: wakeup devices PCI0(S5) USB0(S3) USB2(S3) MAC0(S5) MAC2(S5) P2P0(S5) KBC0(S4) MSE0(S4) XVR0(S5) XVR2(S5) XVR5(S5) HTX_(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0 addr 0xe000, bus 0-4
acpihpet0 at acpi0: 2500 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 200MHz
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 4 pa 0xfec0, version 11, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (P2P0)
acpiprt2 at acpi0: bus 4 (XVR0)
acpiprt3 at acpi0: bus 3 (XVR2)
acpiprt4 at acpi0: bus 2 (XVR5)
acpiprt5 at acpi0: bus -1 (HTX_)
acpicpu0 at acpi0: C3, C2, PSS
acpibtn0 at acpi0: PWRB
bios0: ROM list: 0xc/0x9000 0xc9000/0x1800
ipmi at mainbus0 not configured
cpu0: PowerNow! K8 3001 MHz: speeds: 3000 2800 2600 2400 2200 2000 1800 1000 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
NVIDIA MCP55 Memory rev 0xa2 at pci0 dev 0 function 0 not configured
pcib0 at pci0 dev 1 function 0 NVIDIA MCP55 ISA rev 0xa3
nviic0 at pci0 dev 1 function 1 NVIDIA MCP55 SMBus rev 0xa3
iic0 at nviic0
spdmem0 at iic0 addr 0x50: 1GB DDR2 SDRAM registered cmd/addr parity, data ECC PC2-5300CL5
spdmem1 at iic0 addr 0x51: 1GB DDR2 SDRAM registered cmd/addr parity, data ECC PC2-5300CL5
spdmem2 at iic0 addr 0x54: 1GB DDR2 SDRAM registered cmd/addr parity, data ECC PC2-5300CL5
spdmem3 at iic0 addr 0x55: 1GB DDR2 SDRAM registered cmd/addr parity, data ECC PC2-5300CL5
iic1 at nviic0
adt0 at iic1 addr 0x2c: adt7476 rev 0x69
lm1 at iic1 addr 0x2d: W83627HF
adt1 at iic1 addr 0x2e: adt7476 rev 0x69
ohci0 at pci0 dev 2 function 0 NVIDIA MCP55 USB rev 0xa1: apic 4 int 10, version 1.0, legacy support
ehci0 at pci0 dev 2 function 1 NVIDIA MCP55 USB rev 0xa2: apic 4 int 11
ehci0: timed out waiting for BIOS
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 NVIDIA EHCI root hub rev 2.00/1.00 addr 1
pciide0 at pci0 dev 4 function 0 NVIDIA MCP55 IDE rev 0xa1: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
pciide1 at pci0 dev 5 

Re: hint on starting tftpd -r

2013-02-25 Thread russell

On 02/24/2013 11:32 PM, David Gwynne wrote:

what are you using the rewrite stuff for?


netbooting.

pxeboot is unable to pick a kernel based on machine,
and as I run an oddball mix of current/stable
i386/amd64 (and sparc64, but it does not count as ofwboot.net does
specify the kernel)


so I use tftpd rewrite rules to load the correct kernel.

I use my constantly growing collection of old machines sort of in the 
manner you would use a vm.

copy tree, send wol, have new server.

In all honesty it is sort of stupid, but I am having fun setting it up.

And just for grins and giggles, this is what I am using to rewrite.
I am sure my inexperience shows, but it is good to learn something new.

#!/usr/local/bin/python
# rewrite tftp requests: tftpd -r connects to the unix socket and sends one
# request per line as "address command filename"; we answer each one with
# the (possibly rewritten) filename followed by a newline.
import socket, os
tftpd_rewrite_address = '/var/run/tftpd.sock'
tftpd_rewrite_address = '/tmp/tftpd.sock'  # this second assignment overrides the first
tftpd_base = '/tftpboot'
if os.path.exists(tftpd_rewrite_address):
    os.unlink(tftpd_rewrite_address)  # remove a stale socket left by a previous run
listen_socket = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
listen_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
listen_socket.bind(tftpd_rewrite_address)
listen_socket.listen(1)
tftpd_socket, addr = listen_socket.accept()  # tftpd is the only client
REQUEST_ADDR = 0  # field positions within a request line
REQUEST_CMD = 1
REQUEST_FILE = 2
cmd_list = ['quit']  # a bare "quit" line ends the loop (handy when testing by hand)
cmd = ''
while cmd != 'quit':
    tftp_request = tftpd_socket.recv(1024).decode()  # decode() keeps this working on Python 3
    if not tftp_request:  # empty read: tftpd disconnected, stop instead of spinning
        break
    for request in tftp_request.strip().split('\n'):
        if request in cmd_list:
            cmd = request
        else:
            request_data = request.split(' ', 3)
            if len(request_data) == 3:
                response = request_data[REQUEST_FILE] + '\n'
                # map the client address to its short host name ...
                host_name = socket.gethostbyaddr(request_data[REQUEST_ADDR])
                short_name = host_name[0].split('.')[0]
                # ... and if /tftpboot/<host> exists, serve the file from there
                if os.path.isdir(os.path.join(tftpd_base, short_name)):
                    if os.path.isabs(response):
                        response = response[1:]  # remove leading /
                    short_name = '/' + short_name
                    response = os.path.join(short_name, response)
                send_size = tftpd_socket.send(response.encode())

tftpd_socket.close()
listen_socket.close()
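
A rewrite handler for the same tftpd(8) -r socket, added here as an example and not the script from the post above. It keeps the socket plumbing apart from the decision logic: the request parsing and the host-to-directory mapping live in a function that takes its DNS and directory lookups as parameters, so the mapping can be checked without a socket, and the client-supplied filename is normalised before it is joined onto the per-host directory, so a rewrite never hands tftpd a path that climbs out of that directory (tftpd confines itself to its root directory anyway; this is a second layer, and it is also what makes the mapping deterministic for `..` and doubled slashes). It assumes the line format the script above consumes, "address command filename", and a reply of the rewritten filename plus newline; the /tftpboot/<hostname> layout is the poster's convention, and the host table and directory set in the sample are constructed values.

```python
# Added example, not the script from the post above. tftpd(8) -r rewrite
# handler: socket handling in serve(), decision logic in rewrite(), which takes
# its DNS and directory lookups as parameters so it can be exercised offline.
import os
import posixpath
import socket

TFTPD_BASE = '/tftpboot'              # tftpd's root; per-host trees live below it
SOCKET_PATH = '/var/run/tftpd.sock'   # the path handed to tftpd -r


def normalize(filename):
    """Return the request path relative to the TFTP root, or None if it is empty.

    Anchoring at '/' before normpath() means '..' components cannot climb above
    the root, so '../../etc/passwd' becomes 'etc/passwd'. tftpd chroots anyway;
    this keeps the rewrite itself from ever emitting a traversal.
    """
    clean = posixpath.normpath('/' + filename).lstrip('/')
    return clean or None


def rewrite(line, hostname_of, isdir):
    """Map one "address command filename" line to the name tftpd should serve.

    hostname_of(ip) returns a FQDN or None; isdir(path) returns a bool.
    A malformed line yields None (nothing is sent back, as in the script
    above); otherwise the rewritten filename without the trailing newline.
    """
    parts = line.strip().split(' ', 2)
    if len(parts) != 3:
        return None
    client_ip, _command, filename = parts
    rel = normalize(filename)
    if rel is None:
        return None
    fqdn = hostname_of(client_ip)
    if fqdn:
        short = fqdn.split('.')[0]
        if isdir(os.path.join(TFTPD_BASE, short)):
            return '/%s/%s' % (short, rel)   # per-host tree exists: serve from it
    return '/' + rel                          # otherwise the shared tree


def lookup_hostname(ip):
    """Reverse-resolve a client address; unresolvable clients get no host tree."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def serve(sock_path=SOCKET_PATH):
    """Accept tftpd's single connection and answer requests until it closes."""
    if os.path.exists(sock_path):
        os.unlink(sock_path)            # stale socket from a previous run
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(sock_path)
    listener.listen(1)
    conn, _ = listener.accept()
    buf = b''
    try:
        while True:
            chunk = conn.recv(1024)
            if not chunk:               # tftpd went away: stop instead of spinning
                break
            buf += chunk
            # Requests are newline-terminated; a partial line waits for the next read.
            while b'\n' in buf:
                raw, buf = buf.split(b'\n', 1)
                answer = rewrite(raw.decode('utf-8', 'replace'),
                                 lookup_hostname, os.path.isdir)
                if answer is not None:
                    conn.sendall((answer + '\n').encode('utf-8'))
    finally:
        conn.close()
        listener.close()


# Constructed sample (not from the post): one client that has its own tree.
SAMPLE_HOSTS = {'192.168.16.11': 'netra1.example.net'}
SAMPLE_DIRS = {'/tftpboot/netra1'}


def demo():
    """Run rewrite() over three constructed requests; returns the three answers."""
    lines = ['192.168.16.11 read bsd',
             '10.0.0.9 read pxeboot',
             '192.168.16.11 read ../../etc/master.passwd']
    return [rewrite(l, SAMPLE_HOSTS.get, SAMPLE_DIRS.__contains__) for l in lines]


if __name__ == '__main__':
    print(demo())
```

Run as a script it only prints the offline demo; to use it with tftpd -r, call serve() before tftpd starts (the ordering problem the next post discusses), since tftpd expects the socket to already exist.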



hint on starting tftpd -r

2013-02-24 Thread russell
So I am using tftpd -r socket and my rewrite script works however I am 
at a loss as to the best way to start tftpd.


From my experiments, the rewrite engine has to start before tftpd, 
tftpd expects the socket to exist. However tftpd is started rather 
earlier in /etc/rc than a pkg_scripts rc.d entry (my initial choice).


So my options as I see them are.

1 modify /etc/rc.d/tftpd to start the rewrite engine
benefit: the two programs really do need to run together
problems: will get erased during upgrade.

2 modify /etc/rc to start tftpd_rewrite_engine before tftpd
problems: nonstandard rc, changes will get erased during upgrade

3 remove tftpd from rc.conf.local and make custom rc.d/tftpd_local
  that will start both processes from pkg_scripts
problems: nonstandard tftpd start


I am hoping I have missed something obvious but will probably go with 
choice three (the pkg_scripts tftpd)


And, if anyone wishes to see it, I would be happy to share my rewrite 
script, however about the best that can be said about it is "It works". 
It is written in python and I have little experience writing socket code.




OpenBSD Customer Gateway to Amazon VPC

2013-02-12 Thread Russell Garrison
I found the following thread on this issue from 2010:

http://comments.gmane.org/gmane.os.openbsd.misc/168129

Amazon still only supports route-based VPNs, but they have removed the
requirement for BGP and instead allow for static routes. I was able to
get a tunnel working without using BGP based on the info from the post
above, but it would stop handling the reply traffic after a short
time. The esp packets arrive at the gateway, but never get decrypted
into enc0. Tearing down the tunnels and waiting an hour or so seems to
permit another short-lived VPN, but it still doesn't stay up. Has
anyone been successful establishing a customer gateway VPN connection
into Amazon VPC using OpenBSD? Does the fact that they only support a
route-based VPN exclude the possibility of using a policy-based system
like OpenBSD?



Re: UNIX A to Z List RFC

2013-02-07 Thread russell

On 02/02/2013 01:59 PM, Chris Hettrick wrote:

Hi Misc,

I made a list of the most classical UNIX commands / utilities from section one 
where there is only one per letter of the English alphabet (it's for my OpenBSD 
obsessed five year old son :) ). I know that this subject is very personal and 
steeped in tradition and history, so I was looking for your opinions and 
suggestions.
A quick note about the list: some hard choices were made concerning letters 
such as c, p, m, etc. For instance, kill(1) is not included for two reasons: it 
is included in the shell, and it needs ps(1) to be properly used (which 
conflicts with pwd(1) which I think is _more_ useful for a UNIX beginner). 
mv(1) was not included because a cp(1) and rm(1) can suffice.


snip

heh there is a fortune for that

A is for awk, which runs like a snail, and
B is for biff, which reads all your mail.
C is for cc, as hackers recall, while
D is for dd, the command that does all.
E is for emacs, which rebinds your keys, and
F is for fsck, which rebuilds your trees.
G is for grep, a clever detective, while
H is for halt, which may seem defective.
I is for indent, which rarely amuses, and
J is for join, which nobody uses.
K is for kill, which makes you the boss, while
L is for lex, which is missing from DOS.
M is for more, from which less was begot, and
N is for nice, which it really is not.
O is for od, which prints out things nice, while
P is for passwd, which reads in strings twice.
Q is for quota, a Berkeley-type fable, and
R is for ranlib, for sorting ar table.
S is for spell, which attempts to belittle, while
T is for true, which does very little.
U is for uniq, which is used after sort, and
V is for vi, which is hard to abort.
W is for whoami, which tells you your name, while
X is, well, X, of dubious fame.
Y is for yes, which makes an impression, and
Z is for zcat, which handles compression.
-- THE ABC'S OF UNIX

which got me thinking and I came with this terrifying monstrosity

find $(echo ${PATH} | tr ':' ' ') -perm -0100 -maxdepth 1 ! -type d \
| sed -E -f basename.sed \
| awk -f tag.awk \
| sort -n -k 1,1 \
| sort -u -k 2,2 \
| awk -f display.awk

with
basename.sed:
s/.*\/([^\/]*)$/\1/

#much faster than my first attempt | xargs -n 1 basename

tag.awk:
# seed once, otherwise rand() yields the same sequence on every run
BEGIN { srand() }
# prefix each command name with a random sort key and its first letter
{
printf "%s %s %s\n", int(rand() * 1000), substr($0, 1, 1), $0
}

display.awk:
# $2 is the letter, $3 the command; take the last whatis line man -f prints
{
man_cmd = "man -f " $3 " | tail -n 1"
man_str = ""
man_cmd | getline man_str
close(man_cmd)
printf "%s is for %s\n", $2, man_str
}

Now, the prose is a little off, but I blame the documentation writers.
I am certain mdoc(7) has a section about the rhyming characteristics 
needed for .Nm on alternate lettered commands.


And let me just say I was quite pleased with my
random pick one per letter group system(the tag-sort nonsense)
First attempt was with awk associative arrays and that was getting nasty 
quick.


So I just wanted to thank you for reminding me how much fun unix can be.
and I wish you and your son many hours of happy hacking together.



Re: trunking

2013-01-04 Thread russell

On 01/03/13 16:11, Stuart Henderson wrote:

On 2013-01-03, Friedrich Locke friedrich.lo...@gmail.com wrote:

Hi folks!

What happens if i have a trunk(loadbalance) interface set up for 2 physical
interfaces and connect each physical one on different switches?

Tnx




 From the manual;

  The trunk protocols loadbalance and roundrobin require a switch which
  supports IEEE 802.3ad static link aggregation; otherwise protocols such
  as inet6(4) duplicate address detection (DAD) cannot properly deal with
  duplicate packets.

you usually can't configure this across two switches (it may be possible
with some fancy switch stacking protocol, but not in the normal case).

trunk(failover) works perfectly well in this scenario.

I thought 802.3ad the switch requirement was for when all your trunk 
legs plug into the same switch.


That is, if your trunk legs are on separated networks you would not need 
static link aggregation.


That said, the one time I played with a trunked interface, I direct 
connected the legs.




Re: Best postscript printer with network support?

2012-12-27 Thread russell

On 12/27/12 02:58, Girish Venkatachalam wrote:

I want to print from my OpenBSD machines on the ethernet LAN.

I asked HP and Epson but did not get a good response. I want to avoid HP.

I want basic printing with Postscript ability over the network.

Also good value for money. I don't think I should spend more than 300$.

Are there any recommendations?

Or can we make do with HP's PCL on port 9100?

Will this work well on OpenBSD?

-Girish

While I have no clue about various printers and manufactures, here is an 
anecdotal experience that I found pretty damn cool.


While at work a little used lj2100dn caught my eye.
Now I have printed from a openbsd machine before, why not?

so read lpd(8), printcap(5) and a quick web search to get started

/etc/printcap
lp|lj2055 operations c:\
   :rm=oc-printer:rp=auto:sd=/var/spool/output:lf=/var/log/lpd-errs:
and start lpd


yep it was that simple.
the hp printer network stack has a lpd daemon.



pci graphics on sparc64?

2012-11-22 Thread russell

I recently picked up a pair of sun netras to play around with
and I noticed they have a pci slot.

I was wondering what would happen if I put a pci graphics card in there.

While I expect X would work.
Would I get a console?

My guess is ofw prompts would not show as that would require bios/vga 
emulation that probably does not exist(or ofw compat firmware on card, 
unlikely), and the console probably just uses whatever ofw tells it to. 
The console may appear when vga(4) attaches, But I can't tell from the 
man pages(probably not).




Re: USB hubs

2012-11-06 Thread Russell Garrison
I can confirm this all is true, but due to USB power being the way it
is YMMV. I use hubs regularly for host attachment and for standalone
charging. The hub in my desktop monitor is intentionally disconnected
from the host in order to provide charging, but it doesn't always
work.

A main thing is that some devices are really using the USB connector
for convenience, but draw way more power than your USB provides with
their wall charger. Check your device wall chargers to see if they
provide more than 500mA and keep in mind that anything that goes with
a charger supplying more than that will charge slower on the hub, if
at all.

The other thing to check is the hub, and possibly return it. Sometimes
they aren't totally honest about the hub being self-powered. I have
had good luck with Belkin in the past, but for all I know they have
bad models I never purchased. Also check the electrical power supply
that came with the hub and make sure it is providing enough current.
It is best to have at least 500mA per-port, so a 4-port hub should
have at least a 2000mA supply. If the supply is undersized you could
see issues where it simply can't provide enough juice. I have seen
undersized supplies on cheaper hubs, since the part is cheaper than a
higher-capacity supply.

Really all the pain starts with the decision to combine the power plug
with the USB, but that genie is out of the bottle now. Good luck.



Re: Upgrade to 5.2?

2012-11-02 Thread russell

On 11/01/2012 07:04 AM, Kurt Mosiejczuk wrote:

Otto Moerbeek wrote:


untarring the sets and copying the kernel by hand is not recommended.


I used the perfect phrase for this in a presentation on PF a week ago:

You wouldn't ever do this... unless maybe you hate yourself.

--Kurt


Err, I do this all the time.
if there is a better way I would love to hear it.
as I pretty much had to figure it out myself.

See my use case is I have a number of netboot trees
and when I want to update one of them I have found the best way is to 
untar all the sets and put the kernel where it can be found, really I 
just more or less followed what the install script did.


The hard part was getting /dev(first sparc64 machine) built. I think I 
used bsd.rd for this. I was going off the theory different archs would 
have different dev numbers(I could be wrong)


Every once in a while I work on scripting the process but this is just 
for fun right now.




Re: Bitcoin client for OpenBSD?

2012-10-18 Thread russell

On 10/16/2012 04:06 PM, Anonymous wrote:

You wrote:


2012/10/16 Fritz Wuehler fr...@spamexpire-201210.rodent.frell.theremailer.net:

...snip... Bottom line
appears to be a lone miner with a normal desktop computer is not going to be
able to do anything but heat up his room. I agree bitcoin is a cool concept
and design and the history is fascinating. But we are probably priced out.



I don't see much difference to 'real money' when thinking from
standpoint of a lone miner with a normal desktop printer.
we don't create the money, we just trade it, be it buying things or
working to earn it etc..


That's a good comparison and it is the point I was making. Nobody has ever
legally printed money with his own printer but people have been able to mine
bitcoins with their own computers until recently. That was the original
point of bitcoin and it is already on the verge of disappearing. bitcoin was
supposed to be decentralized currency but because of increasing resources
needed for mining that part is no longer relevant.

Do you really want another unelected federal reserve board of bitcoin? That
kind of defeats the purpose.

Yes, the point of mining was to have a decentralized method of 
distributing bitcoins.


The guy who invented the system could have said "hey I have 23 million
cryptographic tokens, let's use them as currency!" and start passing them 
out and he would have been rightly laughed out of the room.


So he spent a lot of effort to invent a system where the tokens 
emerge(with effort) out of thin air. The end result is the same, 23 
million cryptographic tokens, but now they are spread around and people 
feel they have real value(sometimes).


Not sure if bitcoin will work, but I do admire the system that got it 
out there.




Re: SSI

2012-09-28 Thread Russell Garrison
I initially thought this thread was about Social Security Insurance,
but instead it is about something like SGI UV.



Re: happy alix user ?

2012-09-27 Thread Russell Garrison
Definitely OT, but I second the FW-7535. Good gear and Lanner is easy
to work with direct even for small projects.



Re: happy alix user ?

2012-09-27 Thread Russell Garrison
On Thu, Sep 27, 2012 at 2:10 PM, Michel Blais mic...@targointernet.com wrote:
 Same with LEI technologie, their division in Canada.

Good catch. I now remember that was the actual entity I dealt with,
not Lanner. Started with the main Lanner sales office for NA, but they
directed me to LEI in Canada. From then on it was only a few days
before I had hardware on my bench. The pair here is on 100/100
Internet and regularly handles around 20-25k states with ease.



Re: pxeboot, machine dependent kernel

2012-09-08 Thread russell

On 09/08/12 03:34, Ville Valkonen wrote:

On 7 September 2012 14:08, russell russ...@dotplan.dyndns.org wrote:

I have been doing quite a lot of netbooting lately. However I can not figure out
how to configure a specific machine to use a specific kernel.

Is there a way for pxeboot to load a kernel based on something machine
dependent, for example, mac address?

If not, I have been digging around in sys/stand/boot/boot.c
while I have not found where to get the mac address yet
would it be preferable to
a. look for a boot.conf.macaddress before an unadorned boot.conf
b. if not otherwise specified fall back to /bsd.macaddress
c. macro expansion in boot.conf (something in the manner of
machine $macaddress)

I like option a as that seems like it would be easy to put in and provide
configuration power where needed while not complicating the
setup in the common case of only ever needing one kernel.


Have you checked man 8 diskless ?

--
Ville


heh, diskless(8), that's my bible.

but my problem is.
dhcp: filename directive
  can be per machine but it does not point to  a kernel.
  it points to a pxeboot.
pxeboot:
  can be configured via boot.conf but there is no way to specify
  a kernel based on the machine actually booting,
  can only hard code the kernel image in.
  and even if I kept different pxeboot binaries they would still use the
  same boot.conf

when different machines (say one is amd64 and the other is i386) need 
different kernels one boot.conf will not work.


I was hoping there was something obvious I missed when setting it up.
cause right now I am typing in the kernel name by hand when booting, 
which sucks and kind of defeats the purpose of netbooting.


my intention is to hack boot.c(my guess, at this point I am still just 
looking at source) to check for and use some sort of global kernel 
macaddress var pxeboot claims to set.


It may seem I have no idea what I am doing, this is true.
However I figure this is a good chance to learn.



pxeboot, machine dependent kernel

2012-09-07 Thread russell
I have been doing quite a lot of netbooting lately. However I can not figure 
out how to configure a specific machine to use a specific kernel.


Is there a way for pxeboot to load a kernel based on something machine 
dependent, for example, mac address?


If not, I have been digging around in sys/stand/boot/boot.c
while I have not found where to get the mac address yet
would it be preferable to
a. look for a boot.conf.macaddress before an unadorned boot.conf
b. if not otherwise specified fall back to /bsd.macaddress
c. macro expansion in boot.conf (something in the manner of
   machine $macaddress)

I like option a as that seems like it would be easy to put in and 
provide configuration power where needed while not complicating the

setup in the common case of only ever needing one kernel.



Re: wol for nfe

2012-08-31 Thread russell

On 08/30/12 10:41, Stefan Sperling wrote:

On Wed, Aug 29, 2012 at 07:53:54AM -0700, russell wrote:

finally even though it did not work out for me. ( my nics were
nfe(4) which has no WOL bits in OBSD, I blame nvidia, those
secretive assholes.)


Yes, but they cannot hide their secrets forever ;)

The nfe driver already knows which register to poke, and in fact
it currently attempts to enable WOL by default. However, it always
shuts down the receive engine when the interface goes down which
prevents wol from working.

The diff below disables wol by default and makes it configurable.
Works for me with:
   nfe0 at pci0 dev 5 function 0 "NVIDIA nForce3 LAN" rev 0xa2: apic 1 int 9, address 00:11:d8:90:b3:56
   rlphy0 at nfe0 phy 1: IP101 10/100 PHY, rev. 4

Can you please test if this works for you, too?

snip diff
Very cool, like Christmas came early this year.
Sorry for the wait, caught me with my metaphorical trousers down
much to my shame I did not have a build environment set up.

I can now confirm the patch does work.(I tested with -current)

before:
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
hwfeatures=37<CSUM_IPv4,CSUM_TCPv4,CSUM_UDPv4,VLAN_MTU,VLAN_HWTAGGING>
lladdr 00:e0:81:77:e8:78
priority: 0
groups: netboot egress
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet 192.168.16.11 netmask 0xffffff00 broadcast 192.168.16.255

after:
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
hwfeatures=8037<CSUM_IPv4,CSUM_TCPv4,CSUM_UDPv4,VLAN_MTU,VLAN_HWTAGGING,WOL>
lladdr 00:e0:81:77:e8:78
priority: 0
groups: netboot egress
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet 192.168.16.11 netmask 0xffffff00 broadcast 192.168.16.255

I can set and disable the WOL flag with wol and -wol
When set, i can turn off machine and turn it back on with arp -W


This is great,
Thank you very much.



Re: setting WOL for Realtek 8168

2012-08-31 Thread russell

On 08/31/12 05:38, Stefan Sperling wrote:

On Thu, Aug 30, 2012 at 07:58:07PM -0500, Ed Ahlsen-Girard wrote:

I'm all good now, actually - apparently wol has to be reset by rc.local
each startup.


Yes, or alternatively add the 'wol' keyword to '/etc/hostname.re0'.
The option doesn't stick across reboots.


Derp. Yes the netstart scripts would be a better place to put it.

I was thinking in linux and how you have to find somewhere to hide that 
infernal ethtool command.




Re: setting WOL for Realtek 8168

2012-08-29 Thread russell

On 08/29/12 06:56, Ed Ahlsen-Girard wrote:

While I can set wol for this interface, the setting does not
survive shutdown. I have found no bios settings that seem to pertain.
This system is not dual-boot. Is this a quirk of the 8168? Do I need to
look for jumpers?


As far as I can tell from my attempts on setting WOL on linux
the NIC driver resets the WOL flag on system start
I think I saw the same in the OBSD code.

windows drivers also do the same, so I am guessing it's normal.

just reactivate the WOL flag in rc.local.

finally even though it did not work out for me. ( my nics were nfe(4) 
which has no WOL bits in OBSD, I blame nvidia, those secretive assholes.)

I do love the ifconfig based wol syntax, miles ahead of the linux bullshit



Re: CARP and transit network to ISP

2012-08-17 Thread Russell Garrison
I have set up a pair of gateways for a similar scenario where the
provider gave me /30 and an ethernet jack instead of providing a
router on-premises. This is what I did:

-Configured an interface on each machine to come up with no IP.
-Configured a carpdev to use the no IP interface on each machine.
-Configured my ip from the /30 on the carpdev on each machine.

Other things included CARP on other interfaces like LAN and DMZ. In my
case those IP networks were large enough to allow me 1 CARP IP and an
IP for each gateway.

Not sure if that helps, but the best general advice is to draw a
picture of what you want. Read the FAQ/manpages to draft a config.
Test all that, and if you are like me, realize you didn't really want
bridge at the one place in the drawing and revise--repeat.  Good luck!



Re: OpenBSD forked

2012-06-22 Thread russell

On 06/22/2012 06:35 AM, Diana Eichert wrote:

morons

if you can't write forth code you should stay home.

diana


I Love me my hand crafted postscripts...
Does that count?



Re: Mounting a partition, cdrom, usb as a user

2012-06-19 Thread russell

On 06/16/2012 04:39 AM, Mik J wrote:

Hello,

I'm able to mount a partition as a user if I have
kern.usermount=1
# ls -l /dev/wd2*
brw-rw----  1 root  operator    0,   0 May  7 21:54 /dev/wd2a
# ls -l /mnt
drwxrwxr-x   2 myuser  operator  512 May  7 22:38 extpart
and
# grep operator /etc/group
operator:*:5:root,myuser

However, I'm unable to mount the partition if the owner of /mnt/extpart is
root although that mount point is rwx by the group operator and myuser
belongs to that group.
# ls -l /mnt
drwxrwxr-x   2 root  operator  512 May  7 22:38 extpart

I assume that kern.usermount allows a partition to be mounted only if the
mount point is owned by a user and the group owner is not considered.
I have searched for a variable kern.groupmount but there is no such thing.

So my question is:
Is it possible to allow a group to mount partitions (or usb keys, cdrom) ?

Thank you


quite surprised.
no love so far for fbtab(5)



Re: Mounting a partition, cdrom, usb as a user

2012-06-19 Thread russell

On 06/19/2012 06:40 AM, Christopher Zimmermann wrote:

On Mon, 18 Jun 2012 22:26:57 -0700
russellruss...@dotplan.dyndns.org  wrote:


quite surprised.
no love so far for fbtab(5)


  The fbtab file is used by login(1) to chown(2) the specified files to the
  user who has performed a login.  Additionally, chmod(2) is used to set
  the devices to the specified permission.  When a user logs out, init(8)
  is responsible for performing the inverse operation, which results in the
  files once again belonging to root.

Nice. But how is this supposed to work for multiple logins or system
crashes (power outage during login)?


how many people are you gonna cram at the local machine anyhow?
that is, remote users don't need to mount cd/floppy/usb



Re: Customizing the install process

2012-06-08 Thread russell

On 06/07/2012 04:21 PM, Tomasz Marszal wrote:


Yes i read it as well as the FreeBSD handbook section about PXE.
So my idea is to install bsd system then install gnome then tar the
installed system make img from tar.
Later configure dhcp and tftp and nfs on a PXE server. Put bsd.rd and other
files mentioned in OpenBSD FAQ into tftpboot directory and put the image to
your nfs server. Enable PXE on booted machine obtain ip address from dhcp
and kernel with bsd.rd from tftp then in shell mount nfs (as described in
handbook) and dd system.img from it to local hdd finally reboot and here we
go :)



Heh, I started off setting up an environment for pxe bsd.rd boots to aid 
in installs...

started getting into it...

now I have three diskless(8) machines and I am eyeing a few others.

*sigh* I'm terrible



Re: llround(), round() broken?

2012-06-05 Thread russell

On 06/04/2012 07:31 PM, Alan Corey wrote:

man intro (3) comes close in OpenBSD (I did man -k libraries to find it)

It just seems like if a function requires a special library that
should be mentioned in the function's man page as well as the header
file since it needs both to work.  I guess it depends on how surprised
you are that the function isn't built-in.  round() at least is
perfectly ordinary in Pascal/Delphi and in Java/Javascript it might be
something like math.round().

   Alan

On 6/4/12, Anthony J. Bentleyanthonyjbent...@gmail.com  wrote:

Alan Corey writes:

They probably aren't broken, looks like I need to link in some library.  I

get undefined reference to when I try to compile/link.  Shouldn't this
be mentioned in the man page?


FreeBSD has a Library section in its man page:

LIBRARY
  Math Library (libm, -lm)

I recall reading on the mandoc mailing lists that OpenBSD man pages do not
contain this section, but I don't know why that is.

--
Anthony J. Bentley





what are you looking for?

$man round
SYNOPSIS
 #include <math.h>

$man math
DESCRIPTION
 These functions constitute the C math library, libm.  The link editor
 searches this library under the ``-lm'' option.  Declarations for these
 functions may be obtained from the include file <math.h>.

seems well documented to me.
however I had a similar problem with a program built with
djgpp(dos gcc) that had libm built in(auto included, I am not sure)
which had me confused as to why it was not building on obsd.
just needed the -lm



Re: Load balancing and fail-over

2012-05-16 Thread Russell Garrison
 On Wed, May 16, 2012 at 9:40 AM, Indunil Jayasooriya
 induni...@gmail.com wrote:

 If yes, How to ping external internet host when that link is DOWN? I find
 it difficult?

 I tried it with below commands


 ping -I WAN1_if_ip www.google.lk

 ping -I WAN2_if_ip www.google.lk


 Some times it works? some times it does NOT?

 Could you pls explain why?


I have been asked by management a few times about why some pings fail
when you ping things like google servers and core routers at the ISP.
The short answer I give is that things like that are too busy being
the Internet to respond to all the ping traffic that doesn't do
anything to enable them to be the Internet. Best advice is to consult
your routing tables or contact your ISP and have your ifstated ping
the far-end of your internet connection. Those systems are typically
less busy and have a higher expectation of answering all pings while
up.




Re: Song copyright

2012-05-14 Thread Russell Garrison
Shucks! I was working on a baby mulching machine that was going to
play the song while it operates.

http://www.monkey.org/openbsd/archive/source-changes/0105/msg01243.html



Re: IPSec isakmpd pre shared interoperability with Fortigate VPN

2012-04-01 Thread Russell Garrison
Does look like the line, but is the OpenBSD ipsec VPN new to you? If
it is I suggest building one between two OpenBSD machines and testing
to see how you can break/change things from the defaults in the man
pages. Doing that really made a difference for me after completely
flopping on the first try with an OpenBSD to whatever our co-location
has VPN. I got it together after some lab work and everything just
worked magically on my second go. Cheers.



Re: Intel ICH9R compatibility with OpenBSD

2012-03-13 Thread Russell Garrison
 Hello Axton, thanks for your reply.
 I do not want use RAID, I just need S-ATA
 to connect HDD and install system on it.

You will be fine. I have Dell gear here that includes the Intel Matrix
RAID ICH, and it doesn't have an issue with OpenBSD. The controller
checks for a RAID pair at startup and then should revert to normal
AHCI when none is found. Those chips also have a setting in the BIOS
as an additional failsafe that will disable the R features and force
them into AHCI or even IDE-compatible for older operating systems.



Re: My OpenBSD 5.0 installation experience (long rant)

2012-03-08 Thread Russell Garrison
It really is amazing how much the install is genuinely loved on
OpenBSD. I think there are other distributions out there where the
installer is liked or even praised, but I would describe my feelings
and what I see here as love. It is always a pleasure when I have the
chance to show someone the install process for the first time or hear
their accounts of success or failure. I started out with OpenBSD
around 2.3 and the funny thing is that I am most impressed by how the
installer disk setup is improved since those days. At least I don't
have to start off the discussion about how c is the whole disk, etc.



Re: My OpenBSD 5.0 installation experience (long rant)

2012-03-07 Thread Russell Garrison
I am absolutely intrigued by this story despite my better judgement.
You were able to cook your own full OpenBSD installer on a USB stick
with GRUB instead of downloading an ISO or using PXE, but you failed
disk setup in the installer? It really would be interesting to see if
you can read just http://www.openbsd.org/faq/faq4.html , particularly
4.5.3 and then come back to us with anything other than a mea culpa.

There are always going to be stumbling points in computing, but the
question is do we learn from them or just reject them and act like
they are not the great opportunities for growth that they are.



Re: Problem filtering CARP in PF

2012-03-01 Thread Russell Garrison
In the spirit of K.I.S.S. I use:

pass quick proto carp

Since that should match the number on 4 and 6 packets.


 Your block rule had inet so you were probably blocking IPv4 only.  But
 because of the send errors (due to pf blocking) fw1 started to demote
 itself.



Re: CD/DVD CDROM support

2012-02-24 Thread Russell Garrison
I found USB is easy with a thumbdrive big enough to hold the files, or
there is pxe which is probably easier if you can control the DHCP on
the network. My manual process for thumbdrive involved:

Assume thumb is empty, otherwise insert to system and run. Also make
sure you know the dev name from insert message (this example it is
sd0):
dd if=/dev/zero of=/dev/rsd0a bs=32k
This will zero the drive out. Then run:
fdisk -i /dev/rsd0c then y to overwrite and save MBR.
Then edit disklabel:
disklabel -E /dev/rsd0c then a take all defaults, then w and
finally q just like old times!
Then create the FS:
newfs /dev/rsd0a
Now mount:
mount /dev/sd0a /mnt/thumb and mount /dev/cd0a /mnt/cd
Copy CD to thumb:
cp -r /mnt/cd/* /mnt/thumb/ and cp /usr/mdec/boot /mnt/thumb/
BOOT VOODOO:
/usr/mdec/installboot /mnt/thumb/boot /usr/mdec/biosboot sd0


On Fri, Feb 24, 2012 at 6:12 PM, Duncan Patton a Campbell
campb...@neotext.ca wrote:
 I have run into a most peculiar phenomenon, that it appears that the
 CDrom driver support has dropped from the install CDs, apparently
 as of about version 5. This is not an old board, but admittedly
 ATAPI CDs are.  I can boot all the images from 4.9release thru
 5.1snap (today's) but only 4.9 shows any evidence of the CD after
 booting and in the rest CDROM is not an option for install media
 and there's no evidence of the device in the dmesgs, either.

 the sysctls after booting each cd:

 kern.osrelease=4.9
 hw.machine=amd64
 hw.model=AMD Phenom(tm) II X4 840 Processor
 hw.product=M4A88TD-V EVO/USB3
 hw.disknames=cd0:,sd0:,wd0:e09436d04e1d70c4,rd0:2870906e5854e337,sd1:0e7d30fe615c49b0
 hw.ncpufound=4

 kern.osrelease=5.0
 hw.machine=amd64
 hw.model=AMD Phenom(tm) II X4 840 Processor
 hw.product=M4A88TD-V EVO/USB3
 hw.disknames=sd0:,wd0:e09436d04e1d70c4,rd0:efa10dd049a97542
 hw.ncpufound=4

 kern.osrelease=5.0
 hw.machine=amd64
 hw.model=AMD Phenom(tm) II X4 840 Processor
 hw.product=M4A88TD-V EVO/USB3
 hw.disknames=sd0:,wd0:e09436d04e1d70c4,rd0:10f77ef34d162647,sd1:0e7d30fe615c49b0
 hw.ncpufound=4

 kern.osrelease=5.1
 hw.machine=amd64
 hw.model=AMD Phenom(tm) II X4 840 Processor
 hw.product=M4A88TD-V EVO/USB3
 hw.disknames=sd0:,wd0:e09436d04e1d70c4,rd0:7c8ac10ea613493f,sd1:0e7d30fe615c49b0
 hw.ncpufound=4

 And, following, the dmesg output for these same install media.

 Any idea how this is so would help, thanks.

 Dhu


 OpenBSD 4.9 (RAMDISK_CD) #858: Wed Mar  2 07:04:48 MST 2011
     dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
 real mem = 3488153600 (3326MB)
 avail mem = 3383611392 (3226MB)
 mainbus0 at root
 bios0 at mainbus0: SMBIOS rev. 2.5 @ 0x9f000 (66 entries)
 bios0: vendor American Megatrends Inc. version "1702" date 12/22/2010
 bios0: ASUSTeK Computer INC. M4A88TD-V EVO/USB3
 acpi0 at bios0: rev 2
 acpi0: sleep states S0 S1 S3 S4 S5
 acpi0: tables DSDT FACP APIC MCFG OEMB SRAT HPET SSDT
 acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
 cpu0 at mainbus0: apid 0 (boot processor)
 cpu0: AMD Phenom(tm) II X4 840 Processor, 3214.66 MHz
 cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
 cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache
 cpu0: ITLB 32 4KB entries fully associative, 16 4MB entries fully associative
 cpu0: DTLB 48 4KB entries fully associative, 48 4MB entries fully associative
 cpu0: apic clock running at 200MHz
 cpu at mainbus0: not configured
 cpu at mainbus0: not configured
 cpu at mainbus0: not configured
 ioapic0 at mainbus0: apid 4 pa 0xfec00000, version 21, 24 pins
 acpiprt0 at acpi0: bus 0 (PCI0)
 acpiprt1 at acpi0: bus 1 (P0P1)
 acpiprt2 at acpi0: bus -1 (PCE2)
 acpiprt3 at acpi0: bus -1 (PCE3)
 acpiprt4 at acpi0: bus -1 (PCE4)
 acpiprt5 at acpi0: bus 2 (PCE9)
 acpiprt6 at acpi0: bus 3 (PCEA)
 acpiprt7 at acpi0: bus 4 (P0PC)
 acpiprt8 at acpi0: bus 6 (PE21)
 pci0 at mainbus0 bus 0
 pchb0 at pci0 dev 0 function 0 "AMD RS780 Host" rev 0x00
 ppb0 at pci0 dev 1 function 0 vendor "Asustek", unknown product 0x9602 rev 0x00
 pci1 at ppb0 bus 1
 vga1 at pci1 dev 5 function 0 "ATI Radeon HD 4250" rev 0x00
 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
 "ATI Radeon HD 4200 HD Audio" rev 0x00 at pci1 dev 5 function 1 not configured
 ppb1 at pci0 dev 9 function 0 "AMD RS780 PCIE" rev 0x00: apic 4 int 17 (irq 10)
 pci2 at ppb1 bus 2
 vendor "VIA", unknown product 0x3403 (class serial bus subclass Firewire, rev 0x00) at pci2 dev 0 function 0 not configured
 pciide0 at pci2 dev 0 function 1 vendor "VIA", unknown product 0x0415 rev 0xa0: DMA (unsupported), channel 0 wired to native-PCI, channel 1 wired to native-PCI
 pciide0: using apic 4 int 17 (irq 10) for native-PCI interrupt
 atapiscsi0 at pciide0 channel 0 drive 0
 scsibus0 at atapiscsi0: 2 targets
 cd0 at scsibus0 targ 0 lun 0: <HL-DT-ST, RW/DVD GCC-H20N, 1.05> ATAPI 5/cdrom removable
 pciide0: channel 1 ignored 

Re: IPSEC Site-to-Site not routing packages

2012-02-23 Thread Russell Garrison
I can confirm this. Spent way too much time in my VMWare lab on this
until I thought to add a default route to the host-only interfaces I
was running the tunnel on. All you need is a default route and it will
work. I have found that a fleshed-out config for networking on OpenBSD
is a sure way to clear up some of the more strange things that can
happen.

On Thu, Feb 23, 2012 at 10:43 AM, Aner Perez a...@ncstech.com wrote:
 See the thread titled ipsec tunnel traffic getting icmp host unreachable
 on this same list.

 In short, the answer is that you need a standard route (in addition to the
 encap route) to the destination networks.

 Any route that covers your destination network will do.  In my case,
 instead of adding routes for each of my ipsec tunnels, I just added a
 default route and that fixed the problem.  It won't actually use the
 gateway listed on this route, for that it uses the encap route.

- Aner


 On 02/22/2012 05:22 PM, Morten Christensen wrote:

 Dear fellow OpenBSD friends.

 I'm setting up 2 FW's that should form a VPN tunnel securing the net
 behind each FW - simple

 NET x -  FW x -  WAN -  FW y -  NET y

 I'm using ipsec.conf / ipsecctl. OpenBSD 5, pf is disabled.

 On FW x
 # cat /etc/ipsec.conf
 ike esp from 10.21.35.0/24 to 10.20.0.0/16 peer 212.37.141.59 psk
 lotsofFishs4meAndyou

 netstat -rn
 Encap:
 Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
 10.20/16           0     10.21.35/24        0     0     212.37.141.59/esp/use/in
 10.21.35/24        0     10.20/16           0     0     212.37.141.59/esp/require/out

 # ipsecctl -sa
 FLOWS:
 flow esp in from 10.20.0.0/16 to 10.21.35.0/24 peer 212.37.141.59 srcid
 212.37.141.60/32 dstid 212.37.141.59/32 type use
 flow esp out from 10.21.35.0/24 to 10.20.0.0/16 peer 212.37.141.59 srcid
 212.37.141.60/32 dstid 212.37.141.59/32 type require

 SAD:
 esp tunnel from 212.37.141.59 to 212.37.141.60 spi 0xc2e3c650 auth
 hmac-sha2-256 enc aes
 esp tunnel from 212.37.141.60 to 212.37.141.59 spi 0xc5853584 auth
 hmac-sha2-256 enc aes



 On FW y
 # cat /etc/ipsec.conf
 ike esp from 10.20.0.0/16 to 10.21.35.0/24 peer 212.37.141.60 psk
 lotsofFishs4meAndyou

 netstat -rn
 Encap:
 Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
 10.21.35/24        0     10.20/16           0     0     212.37.141.60/esp/use/in
 10.20/16           0     10.21.35/24        0     0     212.37.141.60/esp/require/out

 # ipsecctl -sa
 FLOWS:
 flow esp in from 10.21.35.0/24 to 10.20.0.0/16 peer 212.37.141.60 srcid
 212.37.141.59/32 dstid 212.37.141.60/32 type use
 flow esp out from 10.20.0.0/16 to 10.21.35.0/24 peer 212.37.141.60 srcid
 212.37.141.59/32 dstid 212.37.141.60/32 type require

 SAD:
 esp tunnel from 212.37.141.59 to 212.37.141.60 spi 0xc2e3c650 auth
 hmac-sha2-256 enc aes
 esp tunnel from 212.37.141.60 to 212.37.141.59 spi 0xc5853584 auth
 hmac-sha2-256 enc aes

 Of course on both machines
 net.inet.ip.forwarding=1

 Pinging from a host on NET x
 Request timeout for icmp_seq 1402
 36 bytes from 10.21.35.1: Destination Host Unreachable
 Vr HL TOS  Len   ID Flg  off TTL Pro  cks  Src  Dst
  4  5  00 5400 736e   0   40  01 cfa4 10.21.35.100  10.20.0.10

 The gateway clearly answers that it can't route the packet!?

 Pinging directly from FWx to FWy WORKS !!! ???

 # ping -I 10.21.35.1 10.20.0.1
 PING 10.20.0.1 (10.20.0.1): 56 data bytes
 64 bytes from 10.20.0.1: icmp_seq=0 ttl=255 time=1.185 ms
 64 bytes from 10.20.0.1: icmp_seq=1 ttl=255 time=0.829 ms
 Dump while ping
 # tcpdump -i enc0 -n
 tcpdump: listening on enc0, link-type ENC
 13:52:24.297384 (authentic,confidential): SPI 0xc5853584: 10.21.35.1 > 10.20.0.1: icmp: echo request (encap)
 13:52:24.297508 (authentic,confidential): SPI 0xc2e3c650: 10.20.0.1 > 10.21.35.1: icmp: echo reply (encap)
 13:52:25.299664 (authentic,confidential): SPI 0xc5853584: 10.21.35.1 > 10.20.0.1: icmp: echo request (encap)
 13:52:25.299760 (authentic,confidential): SPI 0xc2e3c650: 10.20.0.1 > 10.21.35.1: icmp: echo reply (encap)


 Routing is the problem? What is the cause? It looks like each FW doesn't
 permit routing packets from LAN hosts.

 Thanks for your help

 Regards

 Morten Bech Christensen
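
As an added example (not code from this thread or from OpenBSD), here is a small Python check for the condition Aner describes: it parses the text of "ipsecctl -sa" and "netstat -rn" and lists every outbound flow whose destination network has no ordinary covering route in the main table, treating the Encap: section as flows rather than routes. The sample outputs are constructed after the FW x output quoted above; the gateway 212.37.141.57 in the default route is made up.

```python
"""Flag IPsec flow destinations that no route in the main table covers.

Added example, not code from this thread or from OpenBSD.  It parses the
text of "ipsecctl -sa" and "netstat -rn" and lists every outbound flow
whose destination network has no ordinary covering route, the condition
behind the "Destination Host Unreachable" replies quoted above.
"""
import ipaddress
import re

# Constructed sample output modelled on the FW x output quoted in the thread;
# not captured from a real system.
IPSECCTL_SA = """\
FLOWS:
flow esp in from 10.20.0.0/16 to 10.21.35.0/24 peer 212.37.141.59 srcid 212.37.141.60/32 dstid 212.37.141.59/32 type use
flow esp out from 10.21.35.0/24 to 10.20.0.0/16 peer 212.37.141.59 srcid 212.37.141.60/32 dstid 212.37.141.59/32 type require
"""

ROUTE_HEADER = "Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface\n"
DEFAULT_ROUTE = "default            212.37.141.57      UGS         0        0     -     8 em1\n"

# Main table with only the connected networks.  The Encap: section holds the
# flows themselves, which must not be mistaken for covering routes.
NETSTAT_NO_DEFAULT = (
    "Routing tables\n\nInternet:\n" + ROUTE_HEADER
    + "10.21.35/24        link#1             UC          1        0     -     4 em0\n"
    + "127/8              127.0.0.1          UGRS        0        0 33200     8 lo0\n"
    + "212.37.141.56/29   link#2             UC          1        0     -     4 em1\n"
    + "\nEncap:\n"
    + "Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)\n"
    + "10.20/16           0     10.21.35/24        0     0     212.37.141.59/esp/use/in\n"
    + "10.21.35/24        0     10.20/16           0     0     212.37.141.59/esp/require/out\n"
)
# The same table after adding a default route (212.37.141.57 is a made-up gateway).
NETSTAT_WITH_DEFAULT = NETSTAT_NO_DEFAULT.replace(ROUTE_HEADER, ROUTE_HEADER + DEFAULT_ROUTE)

_DEST_RE = re.compile(r"^(?:default|\d{1,3}(?:\.\d{1,3}){0,3}(?:/\d{1,2})?)$")
_FLOW_RE = re.compile(r"^flow \S+ out from (\S+) to (\S+) peer (\S+)")


def expand_destination(dest):
    """Turn netstat's compact destination column into an IPv4Network.

    OpenBSD drops trailing zero octets from network routes ("10.20/16",
    "127/8"), prints host routes as bare addresses and the default route as
    the word "default".
    """
    if dest == "default":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if "/" in dest:
        addr, plen = dest.split("/", 1)
        octets = addr.split(".") + ["0"] * (3 - addr.count("."))
        return ipaddress.IPv4Network(".".join(octets) + "/" + plen, strict=False)
    return ipaddress.IPv4Network(dest + "/32")


def routes_from_netstat(text):
    """Collect the routes from the Internet: section of netstat -rn output,
    skipping the Encap: section, whose entries are IPsec flows."""
    routes = []
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(":") and " " not in line:
            section = line[:-1]
            continue
        if section == "Internet" and line:
            dest = line.split()[0]
            if _DEST_RE.match(dest):
                routes.append(expand_destination(dest))
    return routes


def outbound_flows(text):
    """Return (destination network, peer) for each outbound flow in ipsecctl -sa."""
    flows = []
    for line in text.splitlines():
        m = _FLOW_RE.match(line.strip())
        if m:
            flows.append((ipaddress.IPv4Network(m.group(2), strict=False), m.group(3)))
    return flows


def uncovered_flow_destinations(ipsecctl_text, netstat_text):
    """Destinations of outbound flows that no route in the main table covers.

    Any covering route satisfies the check, a default route included: as the
    thread notes, its gateway is not used for tunnelled traffic (the encap
    route is), but without one the gateway answers host unreachable.
    """
    routes = routes_from_netstat(netstat_text)
    return [
        str(dst)
        for dst, _peer in outbound_flows(ipsecctl_text)
        if not any(dst.subnet_of(route) for route in routes)
    ]


if __name__ == "__main__":
    for label, table in (("no default", NETSTAT_NO_DEFAULT), ("with default", NETSTAT_WITH_DEFAULT)):
        missing = uncovered_flow_destinations(IPSECCTL_SA, table)
        print(label + ":", missing or "all flow destinations covered")
```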



Re: network throughput tool suggestion

2012-02-15 Thread Russell Garrison
On Tue, Feb 14, 2012 at 3:13 PM, Christiano F. Haesbaert
haesba...@haesbaert.org wrote:
 On 14 February 2012 17:59, Mihai Popescu mihp...@gmail.com wrote:
 Hi,

 I need to test a commercial router for throughtput and I decided to
 put it between 2 OpenBSD systems running network benchmark software.
 Looking on openports.se I found iperf, netperf and ttcp. Could you
 suggest one from them, based on your experience, please ?

 Thanks.


 We have tcpbench in base, that's what most devs use.


I have used iperf on OpenBSD 4.9 to get some quick basic numbers
and experiment with jumbo frames. My test also involved a Windows
system, so the cross-platform part was nice. Haven't used tcpbench
before, but it is built-in to recent OpenBSD systems and looks pretty
nice according to the man page.



Re: problem running named in non 0 rdomain

2012-01-03 Thread Russell Garrison
On Sun, Jan 1, 2012 at 5:40 PM, Stuart Henderson s...@spacehopper.org wrote:

 I'm pretty sure the child will be inheriting the rdomain from the process
 which forked it.


I can offer the anecdote that when I ran sshd using the route -exec
wrapper my child session would exist in whatever rdomain was hosting
the daemon. Ended up backing away from this approach and sticking with
pf rules, so I didn't have sshd parent processes littering my machine.
I'll assume you don't want to use pf to land queries on the daemon, so
the next question is did you try creating a loopback address in the
non-zero rdomain to get the control port you need?



Re: [PF] bug in port range.

2012-01-03 Thread Russell Garrison
For those of us playing the CS home game. Is this an example of
left-to right evaluation? My thought on this was that the value 81
isn't greater than 82 and isn't less than 80, so the rule doesn't
match.



Re: strange tcp rst with rdomain

2011-12-20 Thread Russell Garrison
I have found that I need to add something like:

!route -T 2 exec /usr/sbin/sshd

To the pertinent hostname.if file to make sure sshd is listening in
additional routing tables, but I do not know if this is best.

On Mon, Dec 19, 2011 at 1:02 PM, Ilya Shipitsin
chipits...@gmail.com wrote:
 Hello.

 I'm running multihomed OpenBSD server:

 vlan5/carp5 - default
 vlan2/carp2 and vlan4/carp4 are connected to other ISPs.

 when there's no rdomain thing, everything seems to be working, except
 all outgoing packets goes through vlan5/carp5.


 so, I did

 f2n0:/root#cat /etc/hostname.vlan2
 vlan 2 vlandev trunk0 mtu 1300
 up

 f2n0:/root#cat /etc/hostname.carp2
 vhid 62 pass m1pass carpdev vlan2 X.X.X.X/26 rdomain 2
 !/sbin/route -T 2 add 0.0.0.0/0 X.X.X.Z
 f2n0:/root#cat /etc/hostname.vlan4
 vlan 4 vlandev trunk0 mtu 1300
 up

 f2n0:/root#cat /etc/hostname.carp4
 vhid 64 pass m1pass carpdev vlan4 Y.Y.Y.Y/26 rdomain 4
 !/sbin/route -T 4 add 0.0.0.0/0 Y.Y.Y.Z
 f2n0:/root#

 also, I did

 f2n0:/root#grep -v ^# /etc/pf.conf

 set skip on lo

 pass in vlan2 rtable 2
 pass in vlan4 rtable 4

 pass


 ping is working well, packets go out via the appropriate interface.
 however, ssh ends with tcp rst, for example.
 how can the reason for that tcp rst be detected?

 am I doing anything wrong with rdomains?

 Ilya Shipitsin



Re: OT: some news here

2011-12-16 Thread Russell Garrison
Wonderful news Eric! Good to know opportunities like these exist.
Happy Holidays and good luck with the program.



Re: using ssh to forward the install console

2011-12-07 Thread Russell Garrison
On Wed, Dec 7, 2011 at 2:47 PM, Eric Oyen eric.o...@gmail.com wrote:
 hello group.

 I have an interesting (and fairly technical) question.

 the question is: how can I forward the install screen via ssh to another
 machine on my network? I ask this because I didn't see any specific
 instructions that applied. My issue right now is that I need a sighted
 assistant to read me the screen and help with installing the base system
 (and setting up ssh).

 I would like to run the install like from a serial port output (like the
 old SPARC pizza boxes) but none of my current machines have a serial port
 to do this on.

 comments? suggestions?

 -eric


Any possibility of using USB serial adapters on these systems? You may
need to blind-type to the boot loader in order to get it up on the
serial redirection with an attached keyboard, but as I recall that
isn't a big issue for Eric. ;) Then you would just need a crossover to
the other DTE port on a host running cu and ssh to handle the install.
We would do a similar thing with our v210's except they had built-in
serial.



Re: correct netmask on carp interfaces

2011-12-02 Thread Russell Garrison
On Thu, Nov 24, 2011 at 2:40 PM, Henning Brauer lists-open...@bsws.de wrote:
 if your carpdev has an IP and the IP(s) on the carp interface are in
 the same subnet, it is best to have the real netmask on the carpdev
 and all-ones netmasks on the carp interface, for the case where you're
 carp slave.

 and the rule of thumb remains, one IP per subnet per rdomain in the
 system with the real netmask, all others all-ones - aka /32 for the one
 and only real protocol.

 Example:
 em5 - no IP
 carp5 - 10.0.0.0/30 mask on carpdev em5

 right.

 em4 - 9.0.0.0/32 for mgmt
 carp4 - 9.0.0.0/28 acting as gateway for 9.0.0.0 net on carpdev em4
 carp4 - aliases on 9.0.0.0 with /32 masks on carpdev em4

 here it is better to have the /28 on em4 and /32 on the carp ifs.

 --
 Henning Brauer, h...@bsws.de, henn...@openbsd.org
 BS Web Services, http://bsws.de, Full-Service ISP
 Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully 
 Managed
 Henning Brauer Consulting, http://henningbrauer.com/


This was very helpful information and I have implemented it, but I am
still wondering about a related issue with routing. My default route
on the pair of firewalls is set to an IP on the carp5 IP network, so I
don't have a usable default route to the Internet on the backup until
it fails over. I think that Kapetanakis was referencing that same
issue when he responded to me, which led to me discovering it on my
production setup. Is there anything I can do about this given the /30
on the em5/carp5 network?

In the Firewall Redundancy with Carp and pfsync section of the PF
Users Guide FAQ at http://www.openbsd.org/faq/pf/carp.html there is an
example where the WAN/Internet connection has IP addresses assigned on
the physical and CARP interfaces. The all-ones mask rule isn't set out
there, since the ifconfig commands for the underlying physical
interfaces aren't included in the examples. In fact, the rule is
violated by the included ifconfig commands for the carp IP addresses
by including a permissive mask. I am pretty sure this is where my
misunderstanding started, since I followed this FAQ to get started on
my redundant firewall setup. It may be good to revise this and
possibly even add discussion about the default route in the case where
you have a /30 from your ISP to deal with.

For now I can live with the lack of Internet access on the slave and
having to SSH to the master and then hop over to the slave using the
/28 for remote management. I did get Internet-sourced SSH access to
the backup working with a nat-to on the master, but it was ugly and
only worked when I set the translated source to the carp4 IP instead
of the master's em4 IP. Ended up rolling it back since the indirect
method works well enough. Any possible resolution to the default route
issue would be greatly appreciated.



Snmpd and socket file creation

2011-11-23 Thread Russell Sutherland
It appears to me that the OpenBSD SNMP daemon: /usr/sbin/snmpd should create
its own socket file: /var/run/snmpd.sock upon startup. There seems to be an
error which occurs at startup:

# /usr/sbin/snmpd -d
startup
fatal: snmpe: failed to bind SNMP UDP socket
check_child: lost child: snmp engine exited
terminating

I am running OpenBSD 5.0 on a Vmware image.

I've run snmpd previously on OpenBSD 4.7 without problems.

Russell

--
Russell Sutherand  I+TS
e: russell.sutherl...@utoronto.ca
t: +1.416.978.0470
f: +1.416.978.6620
m: +1.416.803.0080



Audacity/Sound recording on a Mac Mini

2011-11-22 Thread Russell Sutherland
I have a G4 Mac Mini (PowerMac 10,1) and have successfully installed OpenBSD
5.0 on it. I have also successfully built audacity from the ports tree. My
thought was to create a small footprint audio recording system for a small
charitable organization using OpenBSD.

I've had two small problems:

A. When sound is played e.g. When KDE starts up, there is a loud hissing
sound which comes from the internal speaker(s).

B. I am not really able to see any sound input coming from either the native
MacMini audio input/output jack (aoa) nor from a USB (iMic) microphone
(uaudio).

Audacity seems to only show one source of audio input: sndio.

Any help will be greatly appreciated. I do not want to have to go back to an
unsupported version of Mac OS X, nor a Linux/Debian option. Has anyone used
OpenBSD to do sound recording on a MacMini or other Apple PowerPC devices?

Russell

--
Russell Sutherand  I+TS
e: russell.sutherl...@utoronto.ca
t: +1.416.978.0470
f: +1.416.978.6620
m: +1.416.803.0080



Re: correct netmask on carp interfaces

2011-11-22 Thread Russell Garrison
I had some experience with this and found another thread where the
best thing to do for your routing is to have only one /(32-n) mask and
then all /32 for any given subnet and rdomain combination on a system.
I have set up my system accordingly and my advice is to set your carp
primary IP to the proper network mask (especially if it is using the
carp IP to provide a gateway to the connected network) and then any
other IP/interfaces to /32 per subnet. Example:

em5 - no IP
carp5 - 10.0.0.0/30 mask on carpdev em5
em4 - 9.0.0.0/32 for mgmt
carp4 - 9.0.0.0/28 acting as gateway for 9.0.0.0 net on carpdev em4
carp4 - aliases on 9.0.0.0 with /32 masks on carpdev em4

Before this I had the same mask on em4 and carp4 primary IP. It
worked, but I noticed the ARP had tell: set to the em4 MAC/IP and that
the route for that network was homed to em4 in the table. After the
change ARP has tell: set to the carp MAC/IP and the network is on the
carp4 if, which seemed more consistent to me. Can't tell you for sure
if that is better for you, but it is worth a shot.

I can also advise that ifconfig on runtime can have different effects
than editing hostname.if and using netstart. One example I can think
of is all the self-routing stuff that happens with netstart. I also
find it good to get a reboot in at some point just to double-check
that the hostname.if files and netstart do what you want on a system
that hasn't had any previous networking setup.

Good luck, happy hacking.

2011/11/21 Kapetanakis Giannis bil...@edu.physics.uoc.gr:
 Hi,

 I'm a bit confused on setting the appropriate netmask on a carp interface
 when the carpdev has an IP address.

 Till yesterday (following http://openbsd.org/faq/pf/carp.html#failover) my
 carp interfaces had the same netmask as the carpdev interfaces:
 em1:
   (no inet address)

 vlanXX:
   vlan: 102 priority: 0 parent interface: em1
   inet xxx.xxx.xxx.18 netmask 0xfffffff8 broadcast xxx.xxx.xxx.23

 carp0:
   carp: MASTER carpdev vlanXX
   inet xxx.xxx.xxx.20 netmask 0xfffffff8 broadcast xxx.xxx.xxx.23

 I've read this from Henning
 http://marc.info/?l=openbsd-miscm=123464537104366w=2
 so I tried to switch to /32 netmask on the carp interfaces
 # ifconfig carp0 xxx.xxx.xxx.20/32

 But now I get

 Nov 21 11:45:09 fw /bsd: carp0: state transition: BACKUP -> MASTER
 Nov 21 11:45:09 fw /bsd: arp_rtrequest: bad gateway value
 Nov 21 11:45:10 fw /bsd: carp1: state transition: BACKUP -> MASTER
 Nov 21 11:45:10 fw /bsd: arp_rtrequest: bad gateway value

 every time the state changes on each firewall. Apart from this I don't see
 any other problem.

 Is this normal behavior? Should I change back to the /29 netmask?

 regards,

 Giannis



Multi Link PPP support in Kernel

2011-11-17 Thread Russell Sutherland
Is it possible to enable multilink PPP using the kernel based: pppoe(4) ?
Or does one have to resort to the userland pppoe/ppp(8) ?

--
Russell Sutherand  I+TS
e: russell.sutherl...@utoronto.ca
t: +1.416.978.0470
f: +1.416.978.6620
m: +1.416.803.0080



hostname.if routing question

2011-11-16 Thread Russell Garrison
I am having trouble figuring out how I should configure a physical
interface and a carp virtual interface where the carp IP will serve as
a default route for hosts on the network and also hold some aliases
for server re-directs. From what I have seen the routes built at
startup home the route for the network on the interface that is
configured with the actual network mask so:

/etc/hostname.em0
inet A.B.C.14 255.255.255.240 A.B.C.15 rdomain 2

/etc/hostname.carp0
vhid 9 pass  rdomain 2
inet A.B.C.1 255.255.255.255 A.B.C.15 rdomain 2
inet alias A.B.C.3 255.255.255.255 A.B.C.15 rdomain 2
inet alias A.B.C.4 255.255.255.255 A.B.C.15 rdomain 2

Will put the A.B.C.0/28 entry in table 2 to:

A.B.C.0/28  link#1  UC  0  0  -  4 em0

Changing the masks so carp0 has the open mask on its first ip and em0
is all 1s yields:

A.B.C.0/28  link#9 UC  0  0  -  4 carp0

Is it better for that to be on carp0 instead of em0, given that carp0
will be the router for that network?
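
An added example, not code from any of these threads: a Python checker for the rule of thumb Henning gives above (per rdomain, one address per subnet with the real netmask, all others /32), run over hostname.if contents. It also reports which interface will be homed with the connected route, going by the observation in this post that the route lands on the interface configured with the real mask. The hostname.if texts are constructed with hypothetical 10.0.0.0/28 addresses and a made-up carp password.

```python
"""Check hostname.if files against the carp netmask rule of thumb from this
list: per rdomain, one address per subnet carries the real netmask and every
other address in that subnet is /32.  Added example, not from the threads.
"""
import ipaddress
from collections import defaultdict

# Constructed hostname.if contents modelled on the em0/carp0 example in this
# thread, with hypothetical 10.0.0.0/28 addresses and a made-up password.
RECOMMENDED = {
    "em0": "inet 10.0.0.14 255.255.255.255 10.0.0.15 rdomain 2\n",
    "carp0": (
        "vhid 9 pass secret rdomain 2\n"
        "inet 10.0.0.1 255.255.255.240 10.0.0.15 rdomain 2\n"
        "inet alias 10.0.0.3 255.255.255.255 10.0.0.15 rdomain 2\n"
        "inet alias 10.0.0.4 255.255.255.255 10.0.0.15 rdomain 2\n"
    ),
}

# The same pair with the real mask on both em0 and carp0: two interfaces now
# compete for the connected route to 10.0.0.0/28 in rdomain 2.
DUPLICATED = {
    "em0": "inet 10.0.0.14 255.255.255.240 10.0.0.15 rdomain 2\n",
    "carp0": (
        "vhid 9 pass secret rdomain 2\n"
        "inet 10.0.0.1 255.255.255.240 10.0.0.15 rdomain 2\n"
    ),
}


def parse_hostname_if(text):
    """Return (rdomain, IPv4Interface) for every inet address in one hostname.if.

    Understands "inet ADDR MASK [BCAST] ...", "inet alias ADDR MASK ...", a
    dotted or 0x-hex mask, "rdomain N" on the address line or on an earlier
    line, and backslash-continued lines.
    """
    rdomain = 0
    addresses = []
    for line in text.replace("\\\n", " ").splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if "rdomain" in tokens:
            rdomain = int(tokens[tokens.index("rdomain") + 1])
        if tokens[0] != "inet":
            continue
        pos = 2 if tokens[1] == "alias" else 1
        addr, mask = tokens[pos], tokens[pos + 1]
        if mask.startswith("0x"):
            mask = str(ipaddress.IPv4Address(int(mask, 16)))
        addresses.append((rdomain, ipaddress.IPv4Interface(addr + "/" + mask)))
    return addresses


def check_netmask_rule(configs):
    """Apply the rule over {ifname: hostname.if text}.

    Returns (route_owner, violations): route_owner maps (rdomain, subnet) to
    the one interface carrying the real mask, which is where the connected
    route for that subnet is homed according to this thread; violations lists
    every subnet that has the real mask on more than one interface.
    """
    real_mask = defaultdict(list)  # (rdomain, "net/len") -> [ifname, ...]
    for ifname, text in configs.items():
        for rdomain, iface in parse_hostname_if(text):
            if iface.network.prefixlen != 32:
                real_mask[(rdomain, str(iface.network))].append(ifname)
    violations = [
        "rdomain %d %s: real mask on %s, expected exactly one interface"
        % (rdomain, net, ", ".join(ifnames))
        for (rdomain, net), ifnames in real_mask.items()
        if len(ifnames) > 1
    ]
    route_owner = {
        key: ifnames[0] for key, ifnames in real_mask.items() if len(ifnames) == 1
    }
    return route_owner, violations


if __name__ == "__main__":
    for label, cfg in (("recommended", RECOMMENDED), ("duplicated", DUPLICATED)):
        owner, bad = check_netmask_rule(cfg)
        print(label + ":", owner, bad or "ok")
```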



problem connecting to verizon.net

2011-11-08 Thread Russell Garrison
I discovered an odd issue once I upgraded my OpenBSD pf
firewall/router that manifested itself by preventing my email server
from sending to verizon.net customers. The strange thing was that mail
was going out to other domains. I figured out that I did something odd
in my ruleset and fixed it, so now I am wondering what is going on. I
am only aware of one other individual with these symptoms, but he was
using a bridge with pf and our fixes are at least semantically
different.

I have reduced everything to basic working parts and tested a few
times to narrow down what is happening. In summary, I found that I can
create two pass-only rules to nat outgoing traffic using carp and
rdomains, but the traffic to verizon.net doesn't work unless I use a
combination of two pass rules and a match rule. The basic setup where
you can see this behavior follows (public IPs changed to protect the
innocent):

# ifconfig em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:90:0b:1f:72:e4
priority: 0
groups: egress
media: Ethernet autoselect (1000baseT full-duplex,master,rxpause,txpause)
status: active
inet 10.0.0.1 netmask 0xfffffffc broadcast 10.0.0.3

# ifconfig em1
em1: flags=28b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST,NOINET6> rdomain 1 mtu 1500
lladdr 00:90:0b:1f:72:e5
priority: 0
media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
status: active
inet 9.9.9.170 netmask 0xfffffff0 broadcast 9.9.9.175

# ifconfig carp1
carp1: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> rdomain 1 mtu 1500
lladdr 00:00:5e:00:01:09
priority: 0
carp: MASTER carpdev em1 vhid 9 advbase 1 advskew 0
groups: carp
status: master
inet 9.9.9.167 netmask 0xfffffff0 broadcast 9.9.9.175
inet 9.9.9.168 netmask 0xffffffff broadcast 9.9.9.168

# route -T 0 -n show -inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.0.0.1           UGS         0        9     -     8 em0
10.0.0.0/30        link#1             UC          2        0     -     4 em0
10.0.0.1           00:90:0b:1f:72:e4  HLc         1        0     -     4 lo0
10.0.0.2           00:14:22:2e:ba:8c  UHLc        0       10     -     4 em0
9.9.9.168          127.0.0.1          UGHS        0        0 33200     8 lo0
127/8              127.0.0.1          UGRS        0        0 33200     8 lo0
127.0.0.1          127.0.0.1          UH          2        0 33200     4 lo0
224/4              127.0.0.1          URS         0        0 33200     8 lo0

# route -T 1 -n show -inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            9.9.9.161          UGS         0       14     -     8 em1
9.9.9.160/28       link#2             UC          1        0     -     4 em1
9.9.9.161          00:1b:54:b7:81:a8  UHLc        1        0     -     4 em1
9.9.9.168/32       9.9.9.168          U           0       10     -     4 carp1

# cat /etc/hostname.em0
inet 10.0.0.1 255.255.255.252 NONE

# cat /etc/hostname.em1
inet 9.9.9.170 255.255.255.240 9.9.9.175 rdomain 1
!route -T 1 add default 9.9.9.161

# cat /etc/hostname.carp1
inet 9.9.9.167 255.255.255.240 9.9.9.175 vhid 9\
pass password rdomain 1
inet alias 9.9.9.168 255.255.255.255

# cat /etc/mygate
10.0.0.1

# cat /etc/pf.conf

set skip on lo
block

# LAN to Internet with three rules and rdomain
# (fixes the verizon issue)
#match out on em1 inet from 10.0.0.2\
to any nat-to 9.9.9.170
#pass out on em1 inet from 9.9.9.170\
to any
#pass in on em0 from 10.0.0.2\
to any rtable 1

# example LAN to Internet with two rules and rdomain
# (doesn't work)
# Seeing TTL expired in transit
#pass in on em0 inet from 10.0.0.2\
to any nat-to 9.9.9.170 rtable 1
#pass out on em1 inet from 9.9.9.170 to any

# Internet access over rdomain and carp
# (creates the verizon issue)
pass in quick on em0 inet from 10.0.0.2\
to any nat-to 9.9.9.168 rtable 1
pass out quick on em1 inet from 9.9.9.168\
to any

---

From 10.0.0.2 I run the following commands:

(first a non-verizon smtp server)
telnet 207.155.253.210 25
(works, but a little slower to display the banner under the pass-only rules)

(now one of the relay.verizon.net smtp servers)
telnet 206.46.232.11 25
(fails to connect unless I use the match/pass rule combo)


In the rules above I also found that the two-rule setup doesn't work
in any case with the public if physical IP in the rdomain. I have
looked at these over tcpdump and I can see the traffic going out with
the proper NAT to either server, but the returning SYN/ACKs in the
handshake from verizon arrive and do not forward to the internal host.
One thing I have noticed is that the verizon ttl is higher than the
other server, 

Multiple Ethernet over IP tunnels.

2011-06-20 Thread Russell Sutherland
I am trying to create multiple L2 over L3 tunnels using OpenBSD. The man
page for gif(4), the generic tunnel interface, gives excellent instructions
for creating _one_ bridge over a wide area network to join two remote LANs.

I have tried to extend this idea by bridging two other LANs over the same
gif0 tunnel. No such luck. Here's a representative stick diagram:


routerA  routerB
LAN1 fxp1  fxp1 LAN1
  \  /
LAN2 fxp2--OpenBSD 1.2.3.4 --- WAN --- 4.3.2.1 OpenBSD fxp2 LAN2
  /fxp0fxp0  \
LAN3 fxp3  fxp3 LAN3

The first tunnel works as documented:

routerA:
#cat /etc/hostname.bridge1
 up add fxp1 add gif0

#cat /etc/hostname.gif0
 tunnel 1.2.3.4 4.3.2.1

routerB:
#cat /etc/hostname.bridge1
 up add fxp1 add gif0
#cat /etc/hostname.gif0
 tunnel 4.3.2.1 1.2.3.4

However if one tries to bridge the other LANs as follows:
#cat /etc/hostname.bridge2
 up add fxp2 add gif0

This fails.

Does one need to create alias addresses on fxp0 and create gif1?
e.g. Tunnel 1.2.3.5 - 4.3.2.2

Or is there an easier way to do this?

--
Russell Sutherand
e: russell.sutherl...@utoronto.ca
t: +1.416.978.0470
f: +1.416.978.6620
m: +1.416.803.0080



faq 14.15

2011-05-30 Thread russell

Just a thank you for the awesome documentation.

Was upgrading my home file server, doing my normal half assed job.
decided to install 49 while I was at it and during the disklabel
I thought my new disk was bigger?, oh shit...

you do keep a backup disklabel right?,  well... err... *cough* I do now.

and then the angels sang out, a beam of light came down
and when the glare settled there was faq 14.15

/var/backup! score! I have a copy of that somewhere.

bonus: scan_ffs(8), my new favorite man page.




Re: ALIX/current as an Access Point

2011-02-28 Thread Russell

On 02/27/2011 10:25 AM, Joe Snikeris wrote:

On Sun, Feb 27, 2011 at 11:07 AM, Nerius Landysnlan...@gmail.com  wrote:

snip


In general people say that Atheros chips are the best supported (use
the ath driver).


Slightly off topic:

Is anyone using a card with an AR5213 chip?  I've got a Cisco
AIR-PI21AG-A-K9 that I'd love to use to replace my crappy router, but
my machine freezes while booting when it's plugged in.  ath(4)
mentions a bunch of AR5212 cards, but no AR5213 cards.


This is my build.
currently using it as a nat/firewall box.
Was intending to use it as an AP as well.
but, sigh, obsd does not like my radios.
and have not been motivated enough to get off my ass
and do something about it.

OpenBSD 4.8 (GENERIC) #136: Mon Aug 16 09:06:23 MDT 2010
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 432 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX
real mem  = 133791744 (127MB)
avail mem = 121712640 (116MB)
snip
vr0 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 10, address 00:0d:b9:12:e0:90
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr1 at pci0 dev 11 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 12, address 00:0d:b9:12:e0:91
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
ath0 at pci0 dev 12 function 0 "Atheros AR2413" rev 0x01: irq 9
ath0: AR2413 7.8 phy 4.5 rf 5.6, FCC2A*, address 00:80:48:7e:13:be
ath1 at pci0 dev 14 function 0 "Atheros AR2413" rev 0x01: irq 11
ath1: AR2413 7.8 phy 4.5 rf 5.6, FCC2A*, address 00:80:48:7e:14:36
snip

So I am still using an old k6-2 400MHz ps with a ral(4) radio
on 44 that I keep meaning to update.

OpenBSD 4.4 (GENERIC) #1021: Tue Aug 12 17:16:55 MDT 2008
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD-K6(tm) 3D processor ("AuthenticAMD" 586-class) 451 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,PGE,MMX
real mem  = 267939840 (255MB)
avail mem = 250646528 (239MB)
snip
rl0 at pci0 dev 10 function 0 "Realtek 8139" rev 0x10: irq 10, address 00:e0:7d:c2:0f:87
rlphy0 at rl0 phy 0: RTL internal PHY
em0 at pci0 dev 11 function 0 "Intel PRO/1000MT (82541GI)" rev 0x00: irq 5, address 00:0e:0c:72:80:8a
eso0 at pci0 dev 12 function 0 "ESS SOLO-1 AudioDrive" rev 0x01: ES1946, irq 11
eso0: mapping Audio 1 DMA using VC I/O space at 0x90c0
audio0 at eso0
opl0 at eso0: model OPL3
midi0 at opl0: <ESO Yamaha OPL3>
mpu at eso0 not configured
isa0 at pcib0
isadma0 at isa0
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi1 at pcppi0: <PC speaker>
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
usb0 at ohci0: USB revision 1.0
uhub0 at usb0 "SiS OHCI root hub" rev 1.00/1.00 addr 1
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 2 device 0 cacheline 0x8, lattimer 0x20
pcmcia0 at cardslot0
biomask f355 netmask f775 ttymask f7ff
mtrr: K6-family MTRR support (2 registers)
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
WARNING: / was not properly unmounted
ral0 at cardbus0 dev 0 function 0 "Ralink RT2560" rev 0x01: irq 12, address 00:0e:3b:08:45:41
ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525

works great, I have not tried many radios, but...
all my ral based radios have worked (ral, rum)
none of my ath based radios have been supported.
and my zyd radio delivered corrupted packets.



Re: Wifi host AP thoughts

2011-01-02 Thread Russell

On 01/01/2011 10:43 PM, Greg Steuck wrote:

I was thinking of building a new wifi AP. The following is a stream of
thoughts on the subject. Any constructive suggestions are welcome.

Requirements:
   * Compatibility with Androids, Kindles, x86 Linux, OpenBSD wifi clients
   * Strong in-doors signal
   * Maximum control

Nice to have:
   * Combine the AP with the wired Ethernet OpenBSD router.
   * Low power & noise.

Complications:
   * A few wireless networks in nearby houses
   * OpenBSD AP capable devices have a CAVEAT: Host AP mode doesn't
 support power saving.  Clients attempting to use power saving mode
 may experience significant packet loss (disabling power saving on
 the client will fix this).

Possible design:
   * OpenBSD host with 2 or more wired Ethernets
   * USB wifi device (free to switch host hardware)
   * External Hi-Gain antenna

Detailed implementation:
  * small i386 or armish machine for the host (Soekris?)
  * Hawking HWUG1 (rum(4)) ( http://goo.gl/ccd6Q )


rum(4) did not like hostap mode the few times I tried.
via the man page I think this is a problem with all usb radios
so I tend to stick with pci/pcmcia cards ral(4) for my APs,
however I have not had any other problems with rum.
And fwiw I have had the worst luck picking out ath radios.


  * Hawking HAI7SIP Antenna ( http://goo.gl/Axg7j )

Does anybody know if the CAVEAT above presents a problem in real life for
the clients I listed?

Thanks
Greg
--
nest.cx is Gmail hosted, use PGP for anything private. Key:
http://tinyurl.com/ho8qg
Fingerprint: 5E2B 2D0E 1E03 2046 BEC3  4D50 0B15 42BD 8DF5 A1B0




Re: OpenBSD Access Point? (Summary)

2010-12-15 Thread Russell

On 12/13/2010 04:29 AM, Lists Account wrote:

Hi All,

Summarising, for future reference...

I received some six responses. Overall the feedback was a little
disappointing. Three responses suggested that it would be easier/less
time consuming/more stable to simply connect a consumer access point
device via Ethernet. Of course, I wouldn't learn as much by doing this
:-(. The background to this seems to be mostly issues with the
configuration and stability of drivers e.g. ath and ral.

At least a couple of the respondents are successfully using ALIX boards,
including the desired 2D13. None of the responses related to the
specific wireless devices that I asked about. Some of those mentioned as
having been used included the AR5212 and AR5413 (with ath) and the
RT2561C (ral).

A couple of responses indicated that OpenBSD doesn't support 802.11n. I
got my initial information from the athn manual page. It begins:

...
NAME
 athn - Atheros IEEE 802.11a/g/n wireless network device
...
 The athn driver provides support for a wide variety of
 Atheros 802.11n devices ...


Which I incorrectly took to mean that n networking was supported...

However, further down in the same man page, under caveats, it states:

...
 The athn driver does not support any of the 802.11n capabilities
 offered by the adapters.  Additional work is required in
 ieee80211(9) before those features can be supported.
...


That should teach me (yet again) to read the whole man page :-)

Cato Auestad provided a very helpful link to a description of his
working (ral based) OpenBSD configuration:
 http://bleakgadfly.com/notes/openbsd_wifi.html

There he mentions that support from the hostap daemon - hostapd(8) - is
also necessary for such a configuration. Something else that I hadn't
realised.

So, based on the feedback, it looks like while this might be a fun
project, it could be hard to create a stable production access point.
Thanks for all the info.


I use ral(4) in b/g mode, works great for my usage. ~4 users.
the card does flake out every once in a while.
ifconfig ral0 down; ifconfig ral0 up works

hostapd is for more than one AP that share a ssid.
it keeps all the AP synced up, so overkill on mine.

still 4.4 as I have ejabberd running on that box and mnesia databases
are a pain and a half to transfer/convert.


overall, very happy running obsd as an ap.

dmesg snip...
OpenBSD 4.4 (GENERIC) #1021: Tue Aug 12 17:16:55 MDT 2008
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD-K6(tm) 3D processor (AuthenticAMD 586-class) 451 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,PGE,MMX
real mem  = 267939840 (255MB)
avail mem = 250646528 (239MB)
snip...
ral0 at cardbus0 dev 0 function 0 Ralink RT2560 rev 0x01: irq 12, address 00:0e:3b:08:45:41

ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525

hostname.ral0
inet 192.168.32.1 0xff00 NONE mode 11g chan 8 nwid bervix_castor mediaopt hostap

sysctl net.inet.ip.forwarding=1
was all that was needed to get it going.

running open as I am always thankful when I find an open AP so just
returning the favor.

plus a few pf rules to keep guests out of the wired network.
authpf does a good job modifying that to allow real users.



stumped on a linker problem.

2010-11-20 Thread Russell

Trying to compile Hercules (an s/390 emulator) on 4.8/sparc64
and hit this error.

.libs/herculesS.o(.rodata+0x2d0): undefined reference to `aliases2_lookup'

that particular function is in libiconv.
I managed to get ld to produce verbose output and saw

attempt to open /usr/local/lib/libiconv.so.6.0 succeeded
-liconv (/usr/local/lib/libiconv.so.6.0)

hell I even checked libiconv with nm

so what else should I look for?

here is the full gcc command.

gcc -W -Wall -O3 -o hercules .libs/herculesS.o bootstrap.o hdlmain.o 
-pthread -pthread -Wl,-E  -L/usr/local/lib ./.libs/dyngui.a 
./.libs/dyninst.a ./.libs/hdteq.a ./.libs/hdt1403.a ./.libs/hdt3420.a 
./.libs/hdt2703.a ./.libs/hdt3705.a ./.libs/hdt3088.a ./.libs/hdt3270.a 
./.libs/hdt3505.a ./.libs/hdt3525.a ./.libs/hdtqeth.a ./.libs/hdt1052c.a 
/usr/people/russell/hercules-3.07/.libs/libherc.a ./.libs/libherc.a 
/usr/people/russell/hercules-3.07/.libs/libherct.a 
/usr/people/russell/hercules-3.07/.libs/libhercd.a 
/usr/people/russell/hercules-3.07/.libs/libhercu.a 
/usr/people/russell/hercules-3.07/.libs/libhercs.a 
/usr/people/russell/hercules-3.07/decNumber/.libs/libdecNumber.a 
./.libs/libhercs.a -liconv -lpthread -lz -lm -Wl,-rpath,/usr/local/lib 
-Wl,-rpath,/usr/local/lib




Re: diskmap(4) interface and live USB fstab file

2010-11-06 Thread Russell

On 11/05/2010 04:27 PM, Jacob Meuser wrote:

fwiw, in -current, USB attach order should be quite predictable.  there
are no longer multiple threads attaching USB devices.  attachment is
now done in a single thread, and it is done in the same order every
time.

of course, if you change which USB ports the devices are connected to
between boots, or disconnect/reconnect while booted then the order
might change.


The stable attach order is very appreciated here, let me tell you.
I recently had a linux install that was driving me insane.
The damn thing could not keep its network interfaces straight across
boots. Worst was that they were not even similar interfaces, what on bsd
would be vr(4) and em(4). (saving that rant for another day)




Re: password-less console-only access and ssh remote access?

2010-10-26 Thread Russell

On 10/22/2010 09:43 AM, Joachim Schipper wrote:

On Thu, Oct 21, 2010 at 07:46:50PM +0200, Bret S. Lambert wrote:

On Thu, Oct 21, 2010 at 05:38:54PM +, Jay K wrote:

My ideal setup would be:
   1) no passwords  (* in /etc/passwd or via vipw)
   2) only ssh for remote access
i.e. no password-based security, only something better
   3) except console, where anyone should be able to login
 without any password (granted, I only have two users, root and jay)

You can get almost the same thing by setting PasswordAuthentication to no
in your sshd_config file, and hand out (...) simple passwords (...)

Well, except when someone runs login(1) from an SSH'ed shell...

I'm pretty sure you can just add a line along the lines of

ttyC0 //bin/ksh vt220 on

to /etc/ttys, if you insist.

Joachim

Don't I wish, as I have a box I would like to do this on (main function
in life is a 3270 emulator).
But getty sets a few environment variables that ksh wants; best I could
figure out was to make a getty-like stub that would set the env and
execve ksh. One of the many things on my to-do-when-I-have-time list I
will never get around to.




Re: sys/tcp.h does not compile with _POSIX_SOURCE

2010-10-22 Thread Russell

On 10/21/2010 09:52 AM, hyjial wrote:

Hi list !

There is a u_int on line 50 of sys/tcp.h. u_int is defined only if
__BSD_VISIBLE is, which it is not if _POSIX_SOURCE is defined.

Is this intended ?

Hit into this when trying to build a program which uses libsoup.

Thanks,

hyjial

I was hit with this once (surf, before it was ported); I just patched out
the POSIX_SOURCE define in the code I was trying to compile.


However, I too am curious about the politics of that particular ifdef.



Re: Router components

2010-10-04 Thread russell

Stuart Henderson wrote:

On 2010-10-04, David Higgs hig...@gmail.com wrote:

I am building a replacement router/firewall for home use and am
soliciting suggestions/commentary/alternatives on the components
below.


What sort of internet connection and what will be running over it?
Will you be doing crypto on the firewall (ipsec/some other vpn)?


I was planning to use an SSD in the 32 GB size range, but the archives
indicate we don't have TRIM support yet.  Though this obviously isn't
a showstopper to usage, am I better off getting an older-generation
SSD that doesn't require TRIM, or perhaps hold off on SSDs until the
tech is more mature?


Newer SSDs don't *require* TRIM, it is optional. I think it's probably
a better idea to get the newer generation. Though a 2-4GB CF might be
quite good enough too.

For what a lot of people need for a router/firewall a 2-4GB CF
card in an IDE adapter would be fine too (smaller works too if you can
still find them, but it's easier to have this much space).


Finally, I want this box to act as wireless AP, and hope to have
out-of-the-box 802.11n support (when eventually available).  I've read
that run(4) is a solid chipset in this regard; any other suggestions?


run(4) does not support host AP.

athn(4) is likely the best choice, I haven't used it with OpenBSD but it
looks like this is the most actively developed wireless driver at the moment.
I have used it with commercial APs running their embedded linux-based OS
and the hardware itself works very well indeed.

As I think you're aware we don't support 802.11n capabilities yet, also
note we don't support clients that use power-saving mode (this is an
absolute show-stopper for some users; some client hardware has no way
to disable this).


I tend to swear by ral(4)
Mainly due to the unscientific but proven mechanism:
all my ral cards have worked, and all my ath cards end up having an
unsupported chipset.

and there was something freaky about that zyd,
almost working is worse than not working at all.

Given half a chance stay away from usb radios.

but ral has always been there for me.
best of luck.
I know I enjoy my k6-2(450) based firewall/nat device infinitely more 
than the netgear piece of crap it replaced.




Re: Remotely connect to gnome

2010-08-27 Thread russell

Jean-Francois wrote:

Hi All,

I've set up an OpenBSD server running gnome and administered locally or 
remotely for home use.


I've understood that unixes are made to work as workstations and that gnome 
and kde could handle that.


Could you please help me to get on the way to make remote connections possible
to gnome for session login and desktop use?


Thanks for help,

Regards
J-F


I usually just use ssh -Y when I need an X application.
ssh -X should work but I always run into X auth issues.

It will not give you a desktop environment, but that is why you use
the command line, right? The one dimensional desktop.



Re: CGI : Shell Script

2010-08-10 Thread russell

Mayuresh Kathe wrote:

Has anyone experimented with using a set of shell scripts as CGI under the
stock Apache delivered with OpenBSD?


I did.

I wanted to learn more involved shell programming,
and perhaps a little about some of the old unix languages.

so I built this mini wikipedia-ish thing
out of ksh, sed, awk, rcs and m4.
(collaborative revision controlled cms)

It is a complete mess, I don't think I would be able to sleep at
night if it were out in the wild.

but it actually works quite well, humming along on the old p133 I keep
it on.


Regarding the collective horror with using shell scripts as cgi: why?
Now mine is not safe, but mainly I think that's because of the m4 thrown
in there. If you watch your inputs it should be fine.


And ksh is a static executable, I would think it would run fine in a 
chroot. I would hate, however, to do a lot of string processing using 
only ksh. main reason for m4 being in there was template processing.


If there is any scientific curiosity just ask and I can send a copy.


But it ru
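An added example (mine, not code from the post above or from Russell's wiki): the "watch your inputs" point as a small POSIX sh CGI. The page name taken from QUERY_STRING is whitelisted before it is used in a path, and file content is HTML-escaped on the way out. PAGES_DIR, the page= parameter and the function names are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example, not code from the original post: a minimal POSIX sh CGI
# handler that treats QUERY_STRING as untrusted input. The page name is
# whitelisted before it touches the filesystem and file content is
# HTML-escaped on the way out. PAGES_DIR, the "page" parameter and the
# function names are assumptions made for this illustration.

PAGES_DIR="${PAGES_DIR:-/var/www/wiki/pages}"   # assumed page store

# query_param KEY [QUERY]: print the raw (still percent-encoded) value of
# KEY from an application/x-www-form-urlencoded query string, or nothing.
# KEY is supplied by the program, never by the request.
query_param() {
    key=$1
    query=${2-$QUERY_STRING}
    printf '%s\n' "$query" | tr '&' '\n' | sed -n "s/^$key=//p" | head -n 1
}

# valid_page_name NAME: succeed only for a name of 1..64 characters drawn
# from [A-Za-z0-9_-]. Path separators, dots, percent escapes, shell
# metacharacters, newlines and the empty string are all rejected, so the
# name needs no decoding step before it is used in a path.
valid_page_name() {
    case $1 in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# html_escape: copy stdin to stdout with the HTML-significant characters
# replaced by entities, so page content cannot inject markup or script.
html_escape() {
    sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
        -e 's/"/\&quot;/g' -e "s/'/\\&#39;/g"
}

# render_page NAME: print an HTML fragment for NAME. Returns 0 when the
# page was served, 1 when the name was rejected, 2 when it does not exist.
# A rejected name is deliberately not echoed back to the client.
render_page() {
    name=$1
    if ! valid_page_name "$name"; then
        printf '<p>Invalid page name.</p>\n'
        return 1
    fi
    if [ ! -f "$PAGES_DIR/$name" ]; then
        printf '<p>No such page: %s</p>\n' "$name"   # safe: already whitelisted
        return 2
    fi
    printf '<h1>%s</h1>\n<pre>' "$name"
    html_escape < "$PAGES_DIR/$name"
    printf '</pre>\n'
}

# cgi_main: the CGI entry point. A CGI server sets GATEWAY_INTERFACE, so
# nothing is printed when this file is merely sourced or tested.
cgi_main() {
    printf 'Content-Type: text/html\r\n\r\n'
    render_page "$(query_param page)"
}

if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    cgi_main
fi
```

Run under a CGI server it answers ?page=Start from PAGES_DIR. Because the whitelist is so narrow there is no percent-decoding step at all: ../, %2e%2e, semicolons and empty names all fail the same single check. Anything else that reaches the shell from the request (search text, template parameters, anything handed to m4) needs the same kind of treatment.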



ipsec.conf syntax

2010-06-07 Thread Russell Sutherland
I am trying to set up an ipsec bridge using the template and
instructions found in the brconfig man page (OpenBSD 4.6):

     Create Security Associations (SAs) between the external IP address of
     each bridge and matching ingress flows by using the following
     ipsec.conf(5) file on bridge1:

           esp from 1.2.3.4 to 4.3.2.1 spi 0x4242:0x4243 \
           authkey file auth1:auth2 enckey file enc1:enc2
           flow esp proto etherip from 1.2.3.4 to 4.3.2.1

I was curious as to the exact meaning of the colon, specifically the
auth1:auth2 and enc1:enc2 arguments.

Do they mean references to the 4 keys, two on each of the machines?

E.g.

om 1.2.3.4 to 4.3.2.1 spi 0x4242:0x4243 \
   authkey file /etc/keys/auth1:/etc/keys/auth2 enckey file /etc/keys/enc1:/etc/keys/enc2

   flow esp proto etherip from 1.2.3.4 to 4.3.2.1


---
Russell P. Sutherland     Email: russ @ madhaus.cns.utoronto.ca
4 Bancroft Ave., Rm. 102  Voice: +1.416.978.0470
University of Toronto     Fax:   +1.416.978.6620
Toronto, ON  M5S 1C1
CANADA



Re: Soekris net5501 locks up with Ralink 2860 miniPCI

2010-04-07 Thread russell

I am curious, though, what brands of wifi cards OpenBSD folks use for
APs.  From when I was investigating this a year or so ago the ral
cards (per the man pages) were about the only ones without some sort
of caveat in AP mode.

yep, ral(4) works quite well for me

ifconfig ral0
ral0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0e:3b:08:45:41
groups: wlan
media: IEEE802.11 autoselect mode 11g hostap
status: active
ieee80211: nwid bervix_castor chan 8 bssid 00:0e:3b:08:45:41 100dBm

dmesg snip
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 2 device 0 cacheline 0x8, lattimer 0x20
pcmcia0 at cardslot0
biomask f355 netmask f775 ttymask f7ff
mtrr: K6-family MTRR support (2 registers)
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
ral0 at cardbus0 dev 0 function 0 Ralink RT2560 rev 0x01: irq 12, address 00:0e:3b:08:45:41

ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525

I have two different pcmcia ral(4) cards that work great in hostap mode
and a rum(4) usb radio that tries (no errors) but people have trouble
connecting.


I bought a couple mini pci ath cards to go with a pcengine board
that was going to replace my AP (currently an old ibm aptiva with a pcmcia
card) but they turned out to be ath 2413 and they don't quite work
right. I am sure it will only take a minor tweak to get them going but I
have never got around to it.


My other ath card, a 5424 in an eeepc 701, does not work either; I am
thinking that would take a little more work to get going however.


Speaking of which, I would love to test patches for the ath 5424; it'd be
awesome if I could use the internal radio..




Adding custom termcap entries.

2010-04-04 Thread Russell Harmon
I want to add a custom termcap entry for rxvt-unicode. Is the proper way
simply editing /etc/termcap? I notice that it is a symlink to
/usr/share/misc/termcap. Perhaps I should delete the symlink and copy it
from there into /etc?

I tried editing in my termcap entry, but when I do, and run the following
command, I get errors:

# tset -IsQ rxvt-unicode
TERM=rxvt-unicode;
tset: termcap names not colon terminated: No such file or directory
TERMCAP='#

--
Russell Harmon
RTP Computer Science House



Re: Adding custom termcap entries.

2010-04-04 Thread Russell Harmon
The output of the infocmp command isn't valid in /etc/termcap. It doesn't
even use the same syntax!
--
Russell Harmon
RTP Computer Science House


On Sun, Apr 4, 2010 at 05:42, Nicholas Marriott nicholas.marri...@gmail.com wrote:

 OpenBSD uses its own terminfo database format, but the default paths are
 searched as well so you can just use tic(1):

 $ ftp -o rxvt-unicode.terminfo \

 http://cvs.schmorp.de/rxvt-unicode/doc/etc/rxvt-unicode.terminfo?revision=1.26
 $ sudo TERMINFO=/usr/share/terminfo tic -x rxvt-unicode.terminfo
 $ ls -l /usr/share/terminfo/r/rxvt-unicode
 -rw-r--r--  1 root  wheel   2.1K Apr  4 10:40
 /usr/share/terminfo/r/rxvt-unicode
 $ infocmp rxvt-unicode
 #   Reconstructed via infocmp from file:
 /usr/share/terminfo/r/rxvt-unicode
 rxvt-unicode|rxvt-unicode terminal (X Window System),
 ...

 Job done.

 On Sun, Apr 04, 2010 at 04:44:11AM -0400, Russell Harmon wrote:
  I want to add a custom termcap entry for rxvt-unicode. Is the proper way
  simply editing /etc/termcap? I notice that it is a symlink to
  /usr/share/misc/termcap. Perhaps I should delete the symlink and copy it
  from there into /etc?
 
  I tried editing in my termcap entry, but when I do, and run the following
  command, I get errors:
 
  # tset -IsQ rxvt-unicode
  TERM=rxvt-unicode;
  tset: termcap names not colon terminated: No such file or directory
  TERMCAP='#
 
  --
  Russell Harmon
  RTP Computer Science House



Re: Adding custom termcap entries.

2010-04-04 Thread Russell Harmon
I'm sorry for my inexperience with termcap/terminfo entries, but unless I
misunderstood, your original response didn't fully answer my question. I
wanted to install a termcap entry for rxvt-unicode. Now you told me how to
install a terminfo entry, and I hadn't even realized that openbsd used
terminfo (so thank you), but there still isn't a termcap entry. The infocmp
program outputs a termcap entry, but I'm not sure what to do with it.
--
Russell Harmon
RTP Computer Science House


On Sun, Apr 4, 2010 at 06:01, Nicholas Marriott nicholas.marri...@gmail.com wrote:

 Sometimes I wonder why I bother...


 On Sun, Apr 04, 2010 at 05:55:01AM -0400, Russell Harmon wrote:
 The output of the infocmp command isn't valid in /etc/termcap. It
 doesn't
 even use the same syntax!
 --
 Russell Harmon
 RTP Computer Science House
 
 On Sun, Apr 4, 2010 at 05:42, Nicholas Marriott
 [1]nicholas.marri...@gmail.com wrote:
 
   OpenBSD uses its own terminfo database format, but the default paths
 are
   searched as well so you can just use tic(1):
 
   $ ftp -o rxvt-unicode.terminfo \
   [2]
 http://cvs.schmorp.de/rxvt-unicode/doc/etc/rxvt-unicode.terminfo?revision=1.26
   $ sudo TERMINFO=/usr/share/terminfo tic -x rxvt-unicode.terminfo
   $ ls -l /usr/share/terminfo/r/rxvt-unicode
   -rw-r--r--  1 root  wheel   2.1K Apr  4 10:40
   /usr/share/terminfo/r/rxvt-unicode
   $ infocmp rxvt-unicode
   #   Reconstructed via infocmp from file:
   /usr/share/terminfo/r/rxvt-unicode
   rxvt-unicode|rxvt-unicode terminal (X Window System),
   ...
 
   Job done.
   On Sun, Apr 04, 2010 at 04:44:11AM -0400, Russell Harmon wrote:
I want to add a custom termcap entry for rxvt-unicode. Is the
 proper
   way
simply editing /etc/termcap? I notice that it is a symlink to
/usr/share/misc/termcap. Perhaps I should delete the symlink and
 copy
   it
from there into /etc?
   
I tried editing in my termcap entry, but when I do, and run the
   following
command, I get errors:
   
# tset -IsQ rxvt-unicode
TERM=rxvt-unicode;
tset: termcap names not colon terminated: No such file or
 directory
TERMCAP='#
   
--
Russell Harmon
RTP Computer Science House
   
 
  References
 
 Visible links
 1. mailto:nicholas.marri...@gmail.com
 2.
 http://cvs.schmorp.de/rxvt-unicode/doc/etc/rxvt-unicode.terminfo?revision=1.26



Re: Adding custom termcap entries.

2010-04-04 Thread Russell Harmon
Thank you, I didn't use the -C option when I originally tried it.
--
Russell Harmon
RTP Computer Science House


On Sun, Apr 4, 2010 at 06:18, Nicholas Marriott nicholas.marri...@gmail.com wrote:

 If you want termcap as well, do:

 $ cd /usr/share/misc
 $ infocmp -C rxvt-unicode termcap
 $ rm termcap.db && cap_mkdb -f termcap termcap

 But few programs require it so usually it isn't worth the time.

 Remember that upgrades will overwrite these files, you may be better
 putting them in ~ instead.


 On Sun, Apr 04, 2010 at 05:55:01AM -0400, Russell Harmon wrote:
 The output of the infocmp command isn't valid in /etc/termcap. It
 doesn't
 even use the same syntax!
 --
 Russell Harmon
 RTP Computer Science House
 
 On Sun, Apr 4, 2010 at 05:42, Nicholas Marriott
 [1]nicholas.marri...@gmail.com wrote:
 
   OpenBSD uses its own terminfo database format, but the default paths
 are
   searched as well so you can just use tic(1):
 
   $ ftp -o rxvt-unicode.terminfo \
   [2]
 http://cvs.schmorp.de/rxvt-unicode/doc/etc/rxvt-unicode.terminfo?revision=1.26
   $ sudo TERMINFO=/usr/share/terminfo tic -x rxvt-unicode.terminfo
   $ ls -l /usr/share/terminfo/r/rxvt-unicode
   -rw-r--r--  1 root  wheel   2.1K Apr  4 10:40
   /usr/share/terminfo/r/rxvt-unicode
   $ infocmp rxvt-unicode
   #   Reconstructed via infocmp from file:
   /usr/share/terminfo/r/rxvt-unicode
   rxvt-unicode|rxvt-unicode terminal (X Window System),
   ...
 
   Job done.
   On Sun, Apr 04, 2010 at 04:44:11AM -0400, Russell Harmon wrote:
I want to add a custom termcap entry for rxvt-unicode. Is the
 proper
   way
simply editing /etc/termcap? I notice that it is a symlink to
/usr/share/misc/termcap. Perhaps I should delete the symlink and
 copy
   it
from there into /etc?
   
I tried editing in my termcap entry, but when I do, and run the
   following
command, I get errors:
   
# tset -IsQ rxvt-unicode
TERM=rxvt-unicode;
tset: termcap names not colon terminated: No such file or
 directory
TERMCAP='#
   
--
Russell Harmon
RTP Computer Science House
   
 
  References
 
 Visible links
 1. mailto:nicholas.marri...@gmail.com
 2.
 http://cvs.schmorp.de/rxvt-unicode/doc/etc/rxvt-unicode.terminfo?revision=1.26



Favorite 2 or 4-port GigE NIC for i386/AMD64 OpenBSD 4.6?

2009-12-10 Thread Ryan Russell
I was recently bit by some reliability problems with a late-model Quad
GigE Intel NIC, and I'm looking for a replacement. (Details below if
you're interested in the problems.)

So I'm looking for a gigabit Ethernet NIC that has good OpenBSD
compatibility and model stability. Do you have a favorite? You're
welcome to respond off-list if you like, I'll happily summarize back to
the list. Quad port would be ideal, I'll take dual and settle on
single-port if I have to. PCIe. I need autonegotiation on speed and
duplex, and 802.1q VLAN support. It will be used for an OpenBSD firewall
(currently 4.6), PF, NAT. Current hardware is Dell R200. The built-in
BGE0 and BGE1 seem to work well, this is to add additional Ethernet ports.

By model stability, I mean I'm seeking a brand that I can have some
assurance will be around for a couple of years, and won't switch
chipsets on the same model number.

Problems with the Intel card:
The most obvious symptom is that some ports will not go to 1000baseT.
You can see someone else describing my symptoms here:
http://www.pubbs.net/openbsd/200911/33252/

I cannot get em1 and em3 to go higher than 100baseTX. If I force it to
1000, I lose connection. HP Procurve 5406ZL switch.

I have also had a few kernel panics that mentioned pf. I'm assuming it's
related to the card, but that's a big assumption on my part.

The card doesn't have a lot of identifying marks. On the backplane
metal, it has D61627-003. It was purchased from Dell with the R200s. I
have one pulled out, another is in a running machine. If I can post some
useful info, let me know.

If I'm correct that the NIC is the source of my trouble, then my
priority isn't getting it to work, but replacing it. Happy to do some
tests if desired, though.

If one of the Intel NIC driver developers wants this NIC, let me know
where to ship it.

Ryan



Re: How to disable IPv6?

2009-12-08 Thread russell

Hey! I use tn3270.
Well, actually c3270 as it is a bit saner when remapping keys.

But I was very pleasantly surprised to find tn3270 in base. Saved my day
once.


And thread hijack. As far as I can tell wscons does not send/set 
Shift+Fn keys.


was sort of looking for them as I like to map that to PF11-PF22

It was quite the adventure trying to figure out how(and in what form) a 
key gets to the app.

again a sort of nonquestion.
I think it is
key
  wscons set this via wsconsctl
termcap/terminfo might be able to set it here but termcap scares me
  tn3270/c3270 hah yet another keymap

so minimum 3 different keymaps; add X to the mix and it adds its own
freakish system into the mix.




Re: Truncation Data Loss

2009-11-11 Thread Russell Howe

Michal wrote, sometime around 11/11/09 11:40:


I know this is a bit off topic, but storage devices have batteries on
RAID cards for a reason. If you are worried about read/writes etc when a
system dies, there are measures you can take


Probably even more OT, but...

Although some (most?) RAID cards which have a battery option will only 
let you enable the write cache if you have a battery installed. 
Certainly the HP P400 cards we have do.


There has been endless discussion about data loss in these types of 
scenarios on the XFS mailing list - it journals metadata but not data, 
so if your application (e.g. vim) overwrites files by first truncating 
them to 0 length and then writing out the data, you'll find that the 
truncate and the resize of the file are all nicely replayed from the 
journal after the crash, but if the machine died before your data hit 
the disk, all you'll get when you read() is \0\0\0\0...


Since ext4 has started to implement similar features in similar ways to 
XFS, the ext4 folk are running into the same old problems.


--
Russell Howe, IT Manager. rh...@bmtmarinerisk.com
BMT Marine & Offshore Surveys Ltd.
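An added example (mine, not from Russell's post): the truncate-then-write pattern he describes, beside the rename-based replacement that avoids the zero-filled-file outcome on a filesystem that journals metadata but not data. The function names and the failing writer are constructed for the illustration; sync(8) stands in for the per-file fsync(2) that a shell script cannot call.

```sh
#!/bin/sh
# Added example, not from the original post: the truncate-then-write
# pattern described above beside a crash-safer replacement that writes
# a temporary file in the same directory and renames it over the
# original. rename(2) is atomic, so any reader sees either the complete
# old file or the complete new one, never a zero-length or half-written
# one. The function names and the simulated failing writer are
# constructed for this example.

# unsafe_replace FILE CMD...: the fragile pattern. The shell's ">"
# truncates FILE to zero length before CMD has produced a byte; if CMD
# or the machine fails in between, the old content is already gone.
unsafe_replace() {
    file=$1
    shift
    "$@" > "$file"
}

# safe_replace FILE CMD...: run CMD with stdout on a temporary file
# beside FILE, flush, then rename it into place. On failure the
# temporary file is removed and FILE is left exactly as it was.
safe_replace() {
    file=$1
    shift
    dir=$(dirname -- "$file")
    tmp=$(mktemp "$dir/.$(basename -- "$file").XXXXXX") || return 1
    if "$@" > "$tmp"; then
        # POSIX sh has no per-file fsync(2); sync(8) flushes everything,
        # which is the best a script can do before the rename is visible.
        sync
        mv -f -- "$tmp" "$file"
    else
        rm -f -- "$tmp"
        return 1
    fi
}

# failing_writer: a constructed stand-in for an editor or process that
# dies after emitting only part of its output.
failing_writer() {
    printf 'partial'
    return 1
}

# demo: run both patterns against a file in a scratch directory and
# print what survives each one; invoked with "sh this_script.sh demo".
demo() {
    d=$(mktemp -d)
    printf 'original\n' > "$d/notes"
    unsafe_replace "$d/notes" failing_writer || true
    printf 'unsafe_replace after a failed write: "%s"\n' "$(cat "$d/notes")"
    printf 'original\n' > "$d/notes"
    safe_replace "$d/notes" failing_writer || true
    printf 'safe_replace after a failed write:   "%s"\n' "$(cat "$d/notes")"
    rm -rf -- "$d"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

The temporary file is created next to the target rather than in /tmp because rename(2) is only atomic within one filesystem. Durability of the rename itself still depends on the directory entry reaching the disk, which is why editors that care about this also fsync the containing directory; a shell script can only approximate that with sync(8).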



Re: trunks and vlan madness

2009-07-23 Thread Russell Howe

Marian Hettwer wrote, sometime around 23/07/09 16:07:

Hi *,

# cat /etc/hostname.bge0   
up
# cat /etc/hostname.bge1  
up

# cat /etc/hostname.trunk0
trunkproto failover trunkport bge0 trunkport bge1 up
# cat /etc/hostname.trunk1 
trunkproto failover trunkport bge0 trunkport bge1 up


You can run both vlans over the one trunk. I'm not sure what happens if 
you have the same interface involved in more than one trunk, but it 
doesn't sound sensible to me.


# rm /etc/hostname.trunk1

# cat /etc/hostname.vlan24 
inet 10.46.24.101 255.255.255.0 10.46.24.255 vlan 24 vlandev trunk0
# cat /etc/hostname.vlan25 
inet 10.46.25.101 255.255.255.0 10.46.25.255 vlan 25 vlandev trunk1


echo inet 10.46.25.101 255.255.255.0 10.46.25.255 vlan 25 \
vlandev trunk0 > /etc/hostname.vlan25

--
Russell Howe, IT Manager. rh...@bmtmarinerisk.com
BMT Marine & Offshore Surveys Ltd.



Re: ADSL2+ PCI card

2009-05-14 Thread Russell Howe

John Bond wrote:

Hello,

I'm looking into building a home router device and my obvious OS choice
is OpenBSD, however I'm struggling to find an ADSL2+ PCI card which I
can use.  I have only managed to find two devices which may work

Sangoma data card S519 --
http://www.sangoma.com/products_and_solutions/hardware/data_networking/s519.html
or possibly the
Viking PCI ADSL2+ Modem Card -- http://www.yawarra.com.au/pdfs/XC-P-ADSL2-V.pdf

does anyone have any experience with these cards and know if they do
work with OpenBSD, or know if there are better options


These should work fine - the S518 presents itself as a special ADSL 
controller on the PCI bus, but AFAIK the 519 is actually an ethernet 
chip (Realtek 8139?) paired up with an ADSL modem on a PCI card, so all 
the computer sees is an ethernet card.


I think you configure the ADSL modem by telnetting to it through the 
ethernet card, but I'm not sure.


--
Russell Howe
rh...@bmtmarinerisk.com



Re: Anyone using munin?

2009-04-06 Thread Russell Howe

Martin Schröder wrote, sometime around 06/04/09 10:01:

2009/4/3, Marc Runkel mrun...@untangle.com:

Trying to set up munin work with OpenBSD and was wondering if anyone had some
 plugins pre-written?  In particular interface statistics but I'll take just
 about anything.


Good luck. AFAIK there's a freebsd port, try that. And there are some
plugins for pf at http://muninexchange.projects.linpro.no/


Munin can collect from SNMP, which makes life a LOT easier!

OK, so that's not so useful if you want to collect some stats which 
OpenBSD's snmpd doesn't expose but assuming you do, this is what you 
need to do:


munin-node can act as a proxy, forwarding requests to another box. This
is handy if you want to monitor a bunch of hosts the other side of a
firewall as you only need to punch a hole for the one machine. It can
also act as a munin-to-snmp one way bridge, forwarding incoming
requests on to another node that speaks SNMP.


Install munin-node somewhere (I installed it on a Debian box that I run 
munin on, which is also where I collect all syslog messages and run 
logcheck and nagios).


Check that the box running munin-node can talk SNMP to OpenBSD:

This works well enough for me as a test:
$ snmpwalk -v 2c -c <community> <address of obsd box>

Run munin-node-configure-snmp - you can pass either a single address or 
a CIDR range. It will scan for SNMP and configure any plugins which can 
monitor the stats it finds.


Configure munin-node to allow connections from the host running munin

e.g.

echo 'allow ^10\.0\.0\.1$' >> /etc/munin/munin-node.conf

where 10.0.0.1 is the IP address of the box running munin (the one which 
collects stats from all the nodes and draws graphs)


Restart munin-node

Wait for the pretty graphs to appear

Debug, rejoice and go on an SNMP configuring rampage across your network 
(hint: this is useful for monitoring Windows boxes, if you have any of 
those).


--
Russell Howe, IT Manager. rh...@bmtmarinerisk.com
BMT Marine & Offshore Surveys Ltd.



Re: Duplicate incoming packets to multiple destinations using pf

2008-11-05 Thread Russell Howe

Simen Stavdal wrote, sometime around 05/11/08 14:14:

Hi Damian/misc,

I appreciate your input -I really do.
Please see my comments below.

  I am not trying to escape the fact that one needs systems in place to
  manage large installations, I am merely looking for what *I* think
  would be a better way to deploy resources.
  As a service provider I can provide advice (and hence I posted this
  question in the first place to see if there was a good way to
  multicast traps to predefined destinations), but it is not in my
  power to manage a customers network - so this I'm afraid is out of my
  control - but I do agree with your point ...should *never* be a
  reason


Maybe you answered your own question here - what if you sent your traps 
to a multicast address and had proper multicast routing?


Not something I've ever tried, mind you...

--
Russell Howe, IT Manager. [EMAIL PROTECTED]
BMT Marine & Offshore Surveys Ltd.



Re: Duplicate incoming packets to multiple destinations using pf

2008-11-05 Thread Russell Howe

Simen Stavdal wrote, sometime around 05/11/08 15:25:

Hi Russell,

Thanks for your answer.
Sending traps to multicast addresses seems like a good idea, except it 
would be up to the receiver to decide whether to use the trap or not
(taking away the possibility to filter which hosts gets copied the traps 
(multicast traps to predefined destinations)).


How about rdr-ing to different multicast addresses depending on who you 
want the packet to go to?


Start doing this though, and the configuration is going to get a bit messy.

e.g. 3 multicast addresses, with their members:

mcastA - trapdest1
mcastB - trapdest2
mcastC - trapdest1,trapdest2

then you can decide who to send the trap to by rdr'ing it to one of 
mcastA, mcastB or mcastC



Certainly seems to violate the principle of least astonishment...

--
Russell Howe, IT Manager. [EMAIL PROTECTED]
BMT Marine & Offshore Surveys Ltd.



Re: OpenBSD and HP Proliant DL320/DL360 G5

2008-09-15 Thread Russell Howe

Johan Ström wrote, sometime around 15/09/08 16:39:

On Sep 15, 2008, at 5:16 PM, Russell Howe wrote:


Johan Ström wrote, sometime around 15/09/08 15:46:
Well, the main questions is if DL360/DL320  OpenBSD is working good 
together, the rest is only me thinking out loud :)


They work fine for me.

I have a pair of DL320 G5 machines each with a quad port Intel 
Pro/1000 PT card in them and they do all our vlan routing and pass 
traffic off into an OSPF area on its way to the internet.


Sounds good. Are you using only these quad ports? Or the onboard too?


Onboard too. I went a bit overkill and bonded everything into pairs.

Onboard bonded crossover cable to the other box for pfsync/sasync
then a couple of other bonded pairs off the quad port card with vlans on 
top of that.


Basically, I have 3 more gigE interfaces available should I need them. 
(I can unbond one of the pairs - none of them need to be 2 x gigE).


I've been thinking about using one onboard to external, one for pfsync 
and then get a dualport NIC where both ports are bonded to the switch. 
Since I will do both external and internal routing (but I'm not sure I 
will even be able to get that performance out of the box so might be a 
non-problem), it would be nice to have 2GBit in case I actually push 1 
gig of traffic on the external interface (in which case the internal 
would be full too and thus internal routing would suffer)..


You don't happen to have any numbers on performance do you?


Never really benchmarked actually, so nothing specific, no.

I do know that the carp failover is lovely, though. Nothing notices a 
box being rebooted (haven't yet tried yanking a power cable).


iLO is fine - just set it up for serial console (if you want a GUI 
console you have to buy an 'Advanced iLO' license, but it's really not 
needed for a router box). You'll probably want to flip the iLO virtual 
serial port to be the 1st serial port, just to make life simpler.


Yeah, openbsd works pretty good with the serial console, but how is it 
with BIOS etc? If I recall correctly one can access RBSU (HPs rom boot 
thingy) etc from text console too. How is it with bootloader support for 
console? That works all the way right? Never used it myself in openbsd.


Yep, it all works just fine. There are a few options for accessing the 
BIOS I think - text console or a curses-type interface.


The DL320 can have proper RAID, but only if you buy an additional 
controller. I use a pair of 80G SATA drives with the onboard 
controller and they work fine (the box doesn't really do much disk I/O 
- all the network monitoring and graphing is elsewhere).


Yep, that's my plan too (or well 250G since 250G is almost as cheap as 
80G, and we are using 250G in other machines, no need for different 
spares), and use software raid. One thing I'm worried about though is if 
one disk fails, will the BIOS be able to boot from the other disk with a 
broken/empty disk in the first slot? I haven't seen any indications in 
the BIOS about being able to change, and I've had similar problems 
before (empty disk in slot1, disk with OS in slot2, box refusing to boot 
since disk1 is empty).


I don't think this will work with the way I have it set up at present. 
The trick on Linux is to install the bootloader on disk 2 so that it is 
configured to boot from disk 1 (as disk #2 will become disk #1 when disk 
#1 is no longer there or operational). I haven't tried to figure out the 
necessary magic for that as yet.


--
Russell Howe, IT Manager. [EMAIL PROTECTED]
BMT Marine & Offshore Surveys Ltd.



Re: OpenBSD and HP Proliant DL320/DL360 G5

2008-09-15 Thread Russell Howe
 Intel 82801GB IDE rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
pciide1 at pci0 dev 31 function 2 Intel 82801GB SATA rev 0x01: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using irq 7 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: ST3808110AS
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
wd1 at pciide1 channel 1 drive 0: ST3808110AS
wd1: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd1(pciide1:1:0): using PIO mode 4, Ultra-DMA mode 5
usb2 at uhci0: USB revision 1.0
uhub2 at usb2 Intel UHCI root hub rev 1.00/1.00 addr 1
usb3 at uhci1: USB revision 1.0
uhub3 at usb3 Intel UHCI root hub rev 1.00/1.00 addr 1
usb4 at uhci2: USB revision 1.0
uhub4 at usb4 Intel UHCI root hub rev 1.00/1.00 addr 1
usb5 at uhci3: USB revision 1.0
uhub5 at usb5 Intel UHCI root hub rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
uhidev0 at uhub1 port 1 configuration 1 interface 0 HP Virtual Keyboard rev 1.10/0.02 addr 2
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes, country code 33
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub1 port 1 configuration 1 interface 1 HP Virtual Keyboard rev 1.10/0.02 addr 2
uhidev1: iclass 3/1
ums0 at uhidev1: 3 buttons
wsmouse0 at ums0 mux 0
uhub6 at uhub1 port 2 HP Virtual Hub rev 1.10/0.01 addr 3
softraid0 at root
root on wd0a swap on wd0b dump on wd0b


--
Russell Howe, IT Manager. [EMAIL PROTECTED]
BMT Marine & Offshore Surveys Ltd.



Changed source address for packets from ospfd causing breakage?

2008-09-01 Thread Russell Howe

Afternoon misc,

I recently added an extra loopback interface to an OpenBSD host running 
OpenOSPFd as a way of assigning specific IP addresses to the host in a 
way that didn't tie them to a specific physical interface.


I'm using the addresses for NAT and also announcing them as a route into 
an OSPF area where there is another OpenBSD box (matched with this one 
running with carp/pfsync/sasync/openospfd) and two Linux machines 
running quagga's ospfd.


Ever since I did this, my OSPF area fell over and I think it might be 
because ospfd is now sending packets with a source address matching one 
of the (public) addresses on this loopback interface instead of the 
address on the interface it is speaking OSPF on which matches its 
router-id. I've configured static routes for now, until I can figure out 
exactly what's going on.


How does ospfd choose the address to send from? I thought it might be 
something to do with the multicast route, but that's set to be on 'lo0', 
whereas my new loopback interface is lo1.


This is on OpenBSD 4.2 (I attempted to upgrade to 4.3 and the other node 
in the carp group died, so I'll be trying that again outside office 
hours, I think!).


The machine is connected to the ospf area via the 'vlan20' interface 
which is configured with an IP address 192.168.50.10/24 and is supposed 
to be announcing all the networks it is connected to on other 
interfaces. I've anonymised the non-rfc1918 addresses, but (and this 
might be important) they are the 'lowest' addresses on the router.


/etc/ospfd.conf:

cost_vpn=100
cost_gige=10
cost_gige_shared=12
cost_gige_crossover=8

router-id 192.168.50.10

auth-key censored
auth-type simple
hello-interval 6
retransmit-interval 5
router-dead-time 10
redistribute connected
redistribute static

area 0.0.0.0 {
interface trunk0 {
metric $cost_gige_crossover
}
interface trunk2 {
metric $cost_gige
passive
}
interface vlan1 {
metric $cost_gige_shared
passive
}
interface vlan5 {
metric $cost_gige_shared
passive
}
interface vlan6 {
metric $cost_gige_shared
passive
}
interface vlan8 {
metric $cost_gige_shared
passive
}
interface vlan10 {
metric $cost_gige_shared
passive
}
interface vlan20 {
metric $cost_gige_shared
}
interface lo1:1.2.3.4 {
metric $cost_gige
passive
}
interface lo1:1.2.3.5 {
metric $cost_gige
passive
}
interface lo1:1.2.3.6 {
metric $cost_gige
passive
}
interface lo1:1.2.3.7 {
metric $cost_gige
passive
}
interface lo1:1.2.3.8 {
metric $cost_gige
passive
}
}


--
Russell Howe, IT Manager. BMT Marine & Offshore Surveys Ltd.
[EMAIL PROTECTED]



Re: UPDATE: mozilla-firefox-3.0

2008-07-18 Thread Russell Howe

n0g0013 wrote:

i'm sure SUN was/is hoping that someone will develop a java based
animation toolkit to compete with flash but that's yet to happen.

I think this is what JavaFX is aiming to be - unfortunately, it's 
probably missed the boat, what with Flash having been around for years 
and Microsoft having released Silverlight.


One of the reasons Flash on Windows is so fast is that it is 
JIT-compiled to native code, plus it probably takes advantage of 
accelerated graphics rendering where it can. Neither of these seem to 
happen with the Linux flash plugin from Adobe (or if they do, it doesn't 
help - it's still dog slow).


I think that was one of the things holding Adobe back from releasing an 
amd64 version of Flash (even for Windows!) - they didn't seem to be 
capable of porting their JIT compiler!


The bug reference for that is here:

https://bugs.adobe.com/jira/browse/FP-37

Looks like the JIT was released under the MPL/GPL/LGPL in 2006:

http://www.mozilla.org/projects/tamarin/

--
Russell Howe
[EMAIL PROTECTED]



Re: Hardware recommendation for firewalls (more than 4 NICs)

2008-07-16 Thread Russell Howe

Claer wrote, sometime around 15/07/08 07:31:

On Mon, Jul 14 2008 at 28:15, Martín Coco wrote:


Thanks!

Have you tried the quad nics on those Dells? We do have a couple of R200s, 
860s and 850s running with 2 dual port cards no problem, but we have never 
tried the quad ports.

Hello,

I do have around 20 Dell 860s and R200s with 2 Intel Quad port cards.
That is a total of 10 interfaces on those cheap Dells.

You'll never hit any problem if you use only one Quad port. Be careful
with 2 cards on 860. You'll have to order Intel PRO/1000 PT Quad Port
and *NOT* the Low profile one. For the moment, no issues with them. 


I run a pair of HP DL320 G5 boxes as a pair of failover gateways 
(pf/isakmpd/ospfd/dhcpd) and have an Intel Pro/1000 PT quad port card in 
each, giving me 6 interfaces. The onboard ethernet controller is bge, 
and the intel ones are em. I use the onboard for a crossover link 
between the two gateways, and then the other 4 connections are split 
into 2 bonded pairs.


One is a plain old bond to a separate network and the other bonded pair 
has 5 VLANs running over it. Carp's used on all the links, pretty much, 
and it works great.


I haven't performed any particularly scientific performance tests, but I 
did push ~800Mbit/s using iperf through them, from what I recall.


If you were to stick two of the cards in, you'd need one full height and 
one low profile, as only one of the PCIe slots on the DL320 is full 
height. You'd also need to make sure you ordered the right version of 
the server (I think you can get it with one PCIe and one PCI-X slot as 
well as two PCIe slots).


I'm still not sold on the benefits of bonding when you have a failover 
pair of gateways, but we had the budget for the extra ports, so why not? 
It gives me room to expand by breaking the bonds if necessary.


Next task is to fix munin (or replace with something else) so that I can 
actually get bandwidth stats graphed.


--
Russell Howe, IT Manager. [EMAIL PROTECTED]
BMT Marine & Offshore Surveys Ltd.



Redistributing routes for IPSec tunnels with OpenOSPFD

2008-06-17 Thread Russell Howe
I have a pair of firewall routers running OpenBSD (4.1 and 4.2 at 
present - need to get them updated) and I recently added an IPsec tunnel 
to their configurations, using ipsecctl and ipsec.conf complete with 
sasyncd.


This works fine, and the host which is master of the carp interface I've 
told isakmpd to use gets routes to and from the remote network in the 
Encap section of route(8)'s output.


However, this does not seem to be advertised by ospfd. I've tried 
redistribute connected and redistribute static, as well as 
explicitly specifying the prefix (which I didn't expect to do much), but 
the route doesn't show in the output of ospfctl show rib.


Is what I am trying to do possible? I know that IPsec isn't a routed 
protocol and so it's not normally useful to announce routes to other 
routers, plus the policy tends to restrict the type of traffic that is 
allowed to pass through the tunnel.


Currently I've set a static route on the other gateway, and this is 
what's being redistributed into OSPF.


I saw in the man page that you can redistribute based on rtlabel, but 
couldn't see that the IPsec routes (which I suspect aren't normal 
routes) can be assigned an rtlabel.


This wouldn't be an issue if I tied all my carp interfaces together so 
that the same host was always master for all interfaces (or at least all 
interfaces on VPN-related networks). There's no real reason I haven't 
done that aside from thinking that it shouldn't be necessary, but maybe 
now it is...


--
Russell Howe, IT Manager. [EMAIL PROTECTED]
BMT Marine & Offshore Surveys Ltd.



Kernel Compile Crashes

2008-01-28 Thread Russell Ault
: Tue Aug 28 10:38:44 MDT
2007
   
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Duron(tm) Processor (AuthenticAMD
686-class, 64KB L2 cache) 802 MHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem  = 796487680 (759MB)
avail mem = 761987072 (726MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 02/16/01, BIOS32
rev. 0 @ 0xfa100, SMBIOS rev. 2.3 @ 0xfd490 (19
entries)
bios0: vendor Compaq version 786K3 date 02/16/2001
bios0: Compaq Compaq PC
pcibios0 at bios0: rev 2.1 @ 0xfa040/0x1000
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfa040/128
(6 entries)
pcibios0: PCI Interrupt Router at 000:20:0 (VIA
VT82C686 ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x1 0xe9000/0x3000!
0xec000/0x4000!
acpi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 VIA VT8363 Host rev
0x81
ppb0 at pci0 dev 1 function 0 VIA VT8363 AGP rev
0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 S3 ProSavage KM133 rev
0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100
emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
vr0 at pci0 dev 3 function 0 VIA VT6105 RhineIII rev
0x86: irq 3, address 00:05:5d:78:c0:ae
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media
interface, rev. 4: OUI 0x004063, model 0x0034
vr1 at pci0 dev 4 function 0 VIA VT6105 RhineIII rev
0x86: irq 10, address 00:11:95:d2:d6:59
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media
interface, rev. 5: OUI 0x004063, model 0x0034
vr2 at pci0 dev 5 function 0 VIA VT6105 RhineIII rev
0x86: irq 5, address 00:0f:3d:e9:29:9c
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media
interface, rev. 4: OUI 0x004063, model 0x0034
pcib0 at pci0 dev 20 function 0 VIA VT82C686 ISA rev
0x22
pciide0 at pci0 dev 20 function 1 VIA VT82C571 IDE
rev 0x10: ATA66, channel 0 configured to
compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: WDC
WD5000AAKB-00YSA0
wd0: 16-sector PIO, LBA48, 476940MB, 976773168 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4
wd1 at pciide0 channel 1 drive 0: WDC
WD5000AAKB-00YSA0
wd1: 16-sector PIO, LBA48, 476940MB, 976773168 sectors
wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 4
uhci0 at pci0 dev 20 function 2 VIA VT83C572 USB rev
0x10: irq 11
uhci1 at pci0 dev 20 function 3 VIA VT83C572 USB rev
0x10: irq 11
viaenv0 at pci0 dev 20 function 4 VIA VT82C686 SMBus
rev 0x30: HWM disabled: 32-bit timer at 3579545Hz
auvia0 at pci0 dev 20 function 5 VIA VT82C686 AC97
rev 0x20: irq 10
ac97: codec id 0x41445348 (Analog Devices AD1881A)
ac97: codec features headphone, Analog Devices Phat
Stereo
audio0 at auvia0
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using
exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte
fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
usb0 at uhci0: USB revision 1.0
uhub0 at usb0: VIA UHCI root hub, rev 1.00/1.00, addr
1
usb1 at uhci1: USB revision 1.0
uhub1 at usb1: VIA UHCI root hub, rev 1.00/1.00, addr
1
biomask fb45 netmask ff6d ttymask ffef
pctr: user-level cycle counter enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matches BIOS drive 0x80
dkcsum: wd1 matches BIOS drive 0x81
root on wd0a swap on wd0b dump on wd0b

Any ideas?

-Russell Ault





Mozilla Firefox security updates

2008-01-09 Thread Russell Gadd
Could anyone enlighten me about how Mozilla Firefox security updates are 
implemented in OpenBSD?


I notice that the version of Firefox I am using in OBSD is 2.0.0.6 
whereas the latest versions on Windows and Ubuntu are both 2.0.0.11, and 
several security vulnerabilities are present in 2.0.0.6. In my version 
of Debian (Etch) Iceweasel is at version 2.0.0.10 but I note from the 
Mozilla site that the 2.0.0.11 update doesn't include any security fixes 
whereas 2.0.0.10 does include security fixes.


Updates to Firefox are pretty regular things at present and if you are 
running Windows they always seem to emphasise the need to update as soon 
as a fix is announced, presumably meaning that vulnerabilities could 
well be exploited quickly.


In Windows updates are downloaded from within the running program, in 
Ubuntu via the usual software update process (binary updates - either 
apt-get, aptitude or Synaptic). I presume the OBSD team are only 
concerned with updates to the basic OS and package updates are handled 
by the package developers.


I can find the source of 2.0.0.11 on Mozilla's site. Can I assume I must 
use this and compile it myself? I have had a look at the ports source on 
the UK mirror site and it is dated 1 Sept 07 so I presume this includes 
only 2.0.0.6 and there is no port later than this. I am out on a limb 
regarding implementing 2.0.0.11 in source form - what do other people do?


Russell



Re: Advice requested on security issues

2008-01-09 Thread Russell Gadd

Jussi Peltola wrote:

On Tue, Jan 08, 2008 at 10:48:41AM -0500, Douglas A. Tutty wrote:
 

I suppose the only way to have a trusted-secure box and an
untrusted-insecure box with one disply/keyboard would be a KVM.

Actual, physical separation of the machines is the only 100% secure way
to prevent information from leaking between them. I'd be more worried
about the network cable between them than a KVM, though.
  
I looked at KVM and came to the same conclusion - that most now have 
some software (partly to allow the boot process to discover the 
keyboard, etc hardware), so there is a risk of some leakage. My 
configuration will be physical separation of secure box from main box 
with network cabling to the router as the only link.  So my security 
measures on the secure box are a simple PF setup permitting only 
outgoing initiation of connections and some sort of restriction on the 
internet sites visited, i.e. simply setting up the appropriate bank 
sites as bookmarks and only using these as starting pages to visit. Plus 
maybe some form of whitelisting in the browser setup if I don't trust 
myself to be awake.


Unfortunately some bank sites do use javascript and I have a concern 
over cross site scripting - only because I have yet to look deeper into 
this to see what the risks are. But if I never visit non-bank sites is 
this a problem?


Russell



How to find all package files

2008-01-07 Thread Russell Gadd
I am new to OpenBSD and I am not sure what is the correct way to find 
packages.


For example I have tried to install the xfce window manager, and at 
first I looked at the list of files in the packages list and there were 
a lot of files with xfce in the name / description. I looked for one 
which said something like this is the main package for xfce4 so that 
installing that and all dependencies would do the job, but couldn't find 
such a file. I resorted to looking for xfce in the INDEX and using all 
files where this was mentioned, i.e. forming a list with


grep xfce INDEX | cut -d '|' -f 1 | sed 's/$/.tgz/g' > /tmpdir/xfce4pkglist


then
pkg_add `cat /tmpdir/xfce4pkglist`

I realise that for such a package there would be some parts which were 
optional, so needed to be separated out, but I thought there must be a 
more reliable way to determine which files to include.


Is there a better way to do this?

Russell
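One way to build such a list more selectively, as an added example that is not from the original post and not one of OpenBSD's own tools: a shell function that selects entries from the ports INDEX by port directory (the second '|'-separated field) instead of grepping the whole line, which also matches packages that merely mention xfce in their one-line comment. The INDEX sample, package names and versions below are constructed for the example; the field layout follows the OpenBSD ports INDEX (pkgname|portdir|prefix|comment|descr-file|maintainer|categories|...).

```shell
#!/bin/sh
# Added example (not from the original post): pick packages out of an
# OpenBSD ports INDEX by port directory (field 2) rather than by grepping
# the whole line, which also catches packages that only mention xfce in
# their comment (field 4).
#
# INDEX fields are '|'-separated:
#   pkgname|portdir|prefix|comment|descr-file|maintainer|categories|...
# The sample below is constructed for this example; the package names,
# versions and maintainer address are not real INDEX entries.
SAMPLE_INDEX='xfce4-panel-4.4.2|x11/xfce4/panel|/usr/local|panel for Xfce4|x11/xfce4/panel/pkg/DESCR|ports@example.org|x11 x11/xfce4
xfce-utils-4.4.2|x11/xfce4/utils|/usr/local|Xfce4 utilities|x11/xfce4/utils/pkg/DESCR|ports@example.org|x11 x11/xfce4
gtk-xfce-engine-2.4.2|x11/xfce4/gtk-xfce-engine|/usr/local|Xfce GTK+ theme engine|x11/xfce4/gtk-xfce-engine/pkg/DESCR|ports@example.org|x11 x11/xfce4
some-theme-1.0|x11/some-theme|/usr/local|GTK+ theme, also looks fine in xfce|x11/some-theme/pkg/DESCR|ports@example.org|x11
vim-7.1|editors/vim|/usr/local|vi clone, many additional features|editors/vim/pkg/DESCR|ports@example.org|editors'

# Print "<pkgname>.tgz" for every package whose port lives under the given
# ports subdirectory.  INDEX is read from the files named after the
# directory, or from stdin when none are given, so it can be used as
#   pkglist_for_portdir x11/xfce4 < INDEX > /tmpdir/xfce4pkglist
pkglist_for_portdir() {
    dir=$1
    shift
    # index() == 1 means field 2 starts with "<dir>/", so x11/xfce4 does not
    # also match a hypothetical x11/xfce4-extras directory.
    awk -F'|' -v dir="$dir/" 'index($2, dir) == 1 { print $1 ".tgz" }' "$@"
}

# Number of matches; worth a look before handing the list to pkg_add.
count_for_portdir() {
    pkglist_for_portdir "$@" | wc -l | tr -d ' '
}

# Usage on the constructed sample (prints the three x11/xfce4 packages).
printf '%s\n' "$SAMPLE_INDEX" | pkglist_for_portdir x11/xfce4
```

The selection is on the port directory rather than the package name, so ports that belong to the xfce4 category but whose names do not start with "xfce" (the theme engine in the sample) are still picked up, while unrelated packages whose comment happens to mention xfce are not.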



Re: Advice requested on security issues

2008-01-05 Thread Russell Gadd
On 05/01/2008, Nick Holland [EMAIL PROTECTED] wrote:


 snip

 Your PF rules would probably just block all incoming traffic and pass
 outgoing traffic.  Or if you want to make sure it is used only for your
 desired app, block everything outbound 'cept for that traffic destined to
 your desired locations (note: this is a lot of fun to maintain).


Yes I may consider only enabling the outbound locations, but probably will
just block unsolicited incoming traffic. I once asked a bank for the list of
urls they would use so I could whitelist them, but they said they couldn't
give that to me. Strange how they claim to be concerned about security.

In order for your general purpose machine to impact your OpenBSD machine
 you would need to be running some app on the OpenBSD machine that is
 vulnerable to attack.  So, in general, just don't add anything to the
 machine you don't need, and in your case, default install is about
 right.


Thanks, this is what I thought.

 2: Space for the P3 is limited and I would like to remove its printer and
  print bank statements across the LAN on the main PC (running Linux, or
 maybe
  FreeBSD in future) using CUPS. Does this introduce security risks?

 Some.  Not much.  If you end up (accidentally) running a poorly written
 service on your OpenBSD machine, yes you could be attacked.  Even if you
 are initiating contact with a compromised machine, it *might* be able to
 send something back at you that could choke your app and cause Bad Things
 to happen.


Choking the app is not so bad. Stealing passwords is the concern. I presume
as password transmission is encrypted they can't be sniffed from somewhere
else on the LAN, so I guess it's down to whether CUPS (or some other
app inside the PC) could be hacked somehow? I suspect this is such a remote
possibility that I should stop worrying about it.

The sad thing is you are being more careful with your system design than
 your bank probably is. :-/  By the time you are running OpenBSD on your
 banking computer, I suspect you have shifted the primary risk to the
 other end of the wire...your bank is a bigger risk to your data than you
 are.


Agreed


On 05/01/2008, Ted Unangst [EMAIL PROTECTED] wrote:


 you may or may not find this helpful.  you should consider how much
 money you have, how many other people have that much or more money,
 how many of those people only use a windows pc to do their banking,
 and how many would-be thieves capable of infecting all those windows
 machines would decide to spend the extra effort figuring out your
 installation in order to exploit it instead of settling for only all
 the money of all the windows users.

 i actually have a similar setup, but have no concerns about the
 windows machine attacking the openbsd machines.


Yes I understand I'm being more cautious than 99% of the population, but as
I'm retired there isn't a whole lot of money coming in to replace lost
savings. Internet savings accounts pay enough over accounts available on the
high street to make the effort worthwhile, and why should I take a risk if
it's avoidable with a little good organisation?

you may or may not find this helpful - I am grateful for your comments and
those from others, thanks.
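The policy discussed above (block all unsolicited inbound traffic, pass outbound only to the bank), written out as an added example that is not from the original thread: a shell function that emits a minimal pf.conf for the single-purpose banking box. The interface name vr0, the resolver address and the bank host names are assumptions. pf resolves the host names in the table when the ruleset is loaded, so the ruleset has to be reloaded when the bank's addresses change, and the table widened if the bank's pages pull content from other hosts; that is the maintenance burden Nick mentions.

```shell
#!/bin/sh
# Added example, not from the original thread: emit a minimal pf.conf for a
# single-purpose banking box following the policy discussed above: block
# all unsolicited inbound traffic, pass outbound only to whitelisted bank
# hosts on HTTPS plus the DNS lookups needed to resolve them.  Interface
# name, resolver address and bank host names are assumptions.
EXT_IF="vr0"
RESOLVER="192.168.1.1"
BANK_HOSTS="bank.example.org otherbank.example.org"

gen_pf_conf() {
    # pf resolves the host names in <banks> when the ruleset is loaded, so
    # a change in the bank's addresses needs a reload (pfctl -f /etc/pf.conf).
    hosts=$(printf '%s' "$BANK_HOSTS" | sed 's/ /, /g')
    cat <<EOF
# pf.conf for the banking box (generated example)
ext_if = "$EXT_IF"
table <banks> { $hosts }
set skip on lo0
# default deny in both directions; log what gets dropped
block log all
# name resolution for the table entries and the browser
pass out quick on \$ext_if proto udp from (\$ext_if) to $RESOLVER port domain keep state
# only HTTPS to the whitelisted banks; replies come back via the state entry
pass out quick on \$ext_if proto tcp from (\$ext_if) to <banks> port https flags S/SA keep state
EOF
}

# Parse the generated ruleset with pfctl where it exists (OpenBSD);
# elsewhere just print it so it can be inspected.
check_pf_conf() {
    if command -v pfctl >/dev/null 2>&1; then
        gen_pf_conf | pfctl -nf -
    else
        gen_pf_conf
    fi
}

check_pf_conf
```

Because "block log all" is the only rule without "quick", every packet that is not the start of an outbound DNS or HTTPS flow to the listed hosts is dropped and logged, which also makes any unexpected outbound attempt from the box visible in pflog.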


