strange behaviour with amd64, 3des and crypto accelerator

2011-02-11 Thread Joosep
Hi misc!

configuration is following:

Server
|
Router0
||
||ipsec tunnel
||
Router1
|
Client

ipsec tunnel between routers is using following parameters:
ike esp transport proto ipencap from R0_IP to R1_IP \
local R0_IP peer R1_IP quick auth hmac-sha1 enc 3des \
srcid R0_NAME dstid R1_NAME

Routers are directly connected (no other devices between them)

Both routers are running OpenBSD 4.7 amd64 MP kernel with
stable patches.

Both routers have a crypto accelerator:
ubsec0 at pci2 dev 1 function 0 Sun Crypto 5821 rev 0x01:
3DES MD5 SHA1 RNG PK, apic 9 int 5 (irq 10)

Now the problem.
When using iperf, everything works perfectly (tried UDP and TCP
at various packet sizes).  Same goes with ping.
The only way (so far) I've been able to reproduce the problem
is using either mysql client to connect to mysql server or
doing telnet to the mysql server's 3306 port.
The connection fails in both cases.

Tcpdump on the server side router's ipsec tunnel gif shows
the following:
10:05:35.320881 192.168.8.46.45873 > 192.168.7.7.3306: S
3861220531:3861220531(0) win 5840 <mss 1460,sackOK,timestamp
2517252528 0,nop,wscale 6> [tos 0x10]

10:05:35.321063 192.168.7.7.3306 > 192.168.8.46.45873: S
25184535:25184535(0) ack 3861220532 win 5792 <mss 1460,sackOK,
timestamp 4053315240 2517252528,nop,wscale 7>

10:05:35.321951 192.168.8.46.45873 > 192.168.7.7.3306: . ack 1
win 92 <nop,nop,timestamp 2517252528 4053315240> [tos 0x10]

10:05:35.322402 192.168.7.7.3306 > 192.168.8.46.45873: P 1:75(74)
ack 1 win 46 <nop,nop,timestamp 4053315241 2517252528> [tos 0x8]

10:05:35.530663 192.168.7.7.3306 > 192.168.8.46.45873: P 1:75(74)
ack 1 win 46 <nop,nop,timestamp 4053315293 2517252528> [tos 0x8]

10:05:35.937570 192.168.7.7.3306 > 192.168.8.46.45873: P 1:75(74)
ack 1 win 46 <nop,nop,timestamp 4053315395 2517252528> [tos 0x8]

10:05:36.753450 192.168.7.7.3306 > 192.168.8.46.45873: P 1:75(74)
ack 1 win 46 <nop,nop,timestamp 4053315599 2517252528> [tos 0x8]

10:05:38.385517 192.168.7.7.3306 > 192.168.8.46.45873: P 1:75(74)
ack 1 win 46 <nop,nop,timestamp 4053316007 2517252528> [tos 0x8]

10:05:41.649605 192.168.7.7.3306 > 192.168.8.46.45873: P 1:75(74)
ack 1 win 46 <nop,nop,timestamp 4053316823 2517252528> [tos 0x8]

On the client side router's gif interface I can see only the first
three packets. netstat -ssp esp shows that, every time I try this,
the counter "packets that failed verification received" increases only
on the client side router.

The problem is symmetrical - if I reverse the direction, the same things
happen, but all the aforementioned events have switched places and
are on the other router now.
When using aes instead of 3des, the problem does not occur. My guess
is that it is so due to the lack of aes support of the crypto
accelerator. When the crypto accelerator is not present in the system,
I haven't been able to reproduce the problem.

I have seen the same problem also in 4.8 (amd64) and 4.9 current (amd64)
from 08.02.11. Using SP kernel doesn't solve the problem.

In the test environment I couldn't reproduce the problem with 4.7 i386
(with mysql client), but I saw the same symptoms when I tried it in
the live environment. Perhaps the problem didn't occur due to low
system load in the lab setup.

I have also tested it with IPsec tunnel mode. The problem doesn't occur
with mysql client, but in the live environment some packets still fail
verification and there are problems with some services. Its nature
seems to me similar to some MTU problems, but packet sizes do not
confirm that and there is no problem with aes. For that reason,
I believe that we can exclude PF as the source of the problem.


The routers' hardware is almost identical (processor speed and the amount of
memory are different). Both are running on HP Proliant 365 G1.
Dmesg of the server side router is following:

OpenBSD 4.7 (GENERIC.MP) #1: Mon Jan 17 16:12:03 EET 2011
root@router.local:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2144657408 (2045MB)
avail mem = 2078121984 (1981MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xee000 (64 entries)
bios0: vendor HP version A10 date 03/27/2008
bios0: HP ProLiant DL365 G1
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP SPCR MCFG HPET SPMI ERST APIC SRAT  BERT HEST
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpihpet0 at acpi0: 14318180 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Dual-Core AMD Opteron(tm) Processor , 3000.59 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT
,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,
3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB
64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully
associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully
associative
cpu0: apic clock running at 200MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Dual-Core AMD Opteron(tm) Processor , 
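
The symptom in the capture above (one data segment resent with doubling gaps, and missing on the far side of the tunnel) can be checked mechanically. This Python code is an added example, not part of the original post: it parses old-style tcpdump text, reports segments sent more than once, and lists packets present in one capture but absent from another. The function names are hypothetical; the server-side sample is the capture from the post joined one packet per line, and the client-side sample is constructed from the post's statement that only the first three packets arrive.

```python
import re
from collections import defaultdict

# Old-style tcpdump text output. The ">" between the endpoints is optional
# because archived copies of such captures often lose it.
PKT = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+)\s+(\S+)\s+(?:>\s+)?(\S+):\s+(.*?)\s+win\s+\d+"
)
SEQ = re.compile(r"\d+:\d+\(\d+\)")  # first:last(length) of a segment

# Server-side gif capture from the post, joined one packet per line.
SERVER_SIDE = """\
10:05:35.320881 192.168.8.46.45873 > 192.168.7.7.3306: S 3861220531:3861220531(0) win 5840 <mss 1460,sackOK,timestamp 2517252528 0,nop,wscale 6> [tos 0x10]
10:05:35.321063 192.168.7.7.3306 > 192.168.8.46.45873: S 25184535:25184535(0) ack 3861220532 win 5792 <mss 1460,sackOK,timestamp 4053315240 2517252528,nop,wscale 7>
10:05:35.321951 192.168.8.46.45873 > 192.168.7.7.3306: . ack 1 win 92 <nop,nop,timestamp 2517252528 4053315240> [tos 0x10]
10:05:35.322402 192.168.7.7.3306 > 192.168.8.46.45873: P 1:75(74) ack 1 win 46 <nop,nop,timestamp 4053315241 2517252528> [tos 0x8]
10:05:35.530663 192.168.7.7.3306 > 192.168.8.46.45873: P 1:75(74) ack 1 win 46 <nop,nop,timestamp 4053315293 2517252528> [tos 0x8]
10:05:35.937570 192.168.7.7.3306 > 192.168.8.46.45873: P 1:75(74) ack 1 win 46 <nop,nop,timestamp 4053315395 2517252528> [tos 0x8]
10:05:36.753450 192.168.7.7.3306 > 192.168.8.46.45873: P 1:75(74) ack 1 win 46 <nop,nop,timestamp 4053315599 2517252528> [tos 0x8]
10:05:38.385517 192.168.7.7.3306 > 192.168.8.46.45873: P 1:75(74) ack 1 win 46 <nop,nop,timestamp 4053316007 2517252528> [tos 0x8]
10:05:41.649605 192.168.7.7.3306 > 192.168.8.46.45873: P 1:75(74) ack 1 win 46 <nop,nop,timestamp 4053316823 2517252528> [tos 0x8]
""".splitlines()

# Constructed: the post says the client-side gif shows only the first three
# packets, so the same three lines stand in for that capture.
CLIENT_SIDE = SERVER_SIDE[:3]


def parse(lines):
    """Yield (seconds_since_midnight, src, dst, summary) for each packet."""
    for line in lines:
        m = PKT.match(line.strip())
        if m:
            h, mi, sec, src, dst, summary = m.groups()
            yield int(h) * 3600 + int(mi) * 60 + float(sec), src, dst, summary


def find_retransmissions(lines):
    """Report segments (SYN or data) that appear more than once."""
    seen = defaultdict(list)
    for ts, src, dst, summary in parse(lines):
        if SEQ.search(summary):          # pure ACKs carry no sequence range
            seen[(src, dst, summary)].append(ts)
    report = []
    for (src, dst, summary), times in seen.items():
        if len(times) > 1:
            gaps = [round(b - a, 6) for a, b in zip(times, times[1:])]
            report.append({"src": src, "dst": dst, "segment": summary,
                           "sent": len(times), "gaps": gaps})
    return report


def looks_like_rto_backoff(gaps, low=1.5, high=2.5):
    """True when each gap is roughly double the previous one, i.e. the
    sender's retransmission timer is backing off because no ACK arrives."""
    return len(gaps) >= 2 and all(
        low <= b / a <= high for a, b in zip(gaps, gaps[1:])
    )


def lost_between(sender_side, receiver_side):
    """Packets in the sender-side capture that never show up downstream."""
    arrived = {(s, d, summ) for _, s, d, summ in parse(receiver_side)}
    lost = []
    for _, s, d, summ in parse(sender_side):
        key = (s, d, summ)
        if key not in arrived and key not in lost:
            lost.append(key)
    return lost


if __name__ == "__main__":
    for r in find_retransmissions(SERVER_SIDE):
        kind = "backoff" if looks_like_rto_backoff(r["gaps"]) else "irregular"
        print(r["segment"], "sent", r["sent"], "times, gaps", r["gaps"], kind)
    for pkt in lost_between(SERVER_SIDE, CLIENT_SIDE):
        print("never seen downstream:", pkt)
```

Run against real captures from both gif interfaces, a segment that is retransmitted with backoff on one side and absent on the other points at the ESP path between them rather than at either TCP endpoint.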

Re: SSH getting blocked on PF after 30 seconds (OpenBSD 4.7)

2011-02-11 Thread a b
Thank you for your replies so far.

Interestingly enough, killing off stateful filtering seems to have done
the trick.

The router happens to be running BGP along with another couple of
OpenBSD boxes also running BGP.

After much extensive digging, I eventually found this little paragraph
from Claudio Jeker hiding deep in the internet...

I generally do not filter on core routers because of the asymmetric
routing. Stateless filtering works OK to block the martians and other
unwanted traffic at the border but keep the ruleset as minimal as
possible.
Claudio Jeker, Sat, 30 Jan 2010 05:01:26 -0800

So thank you Claudio !  :)

Perhaps I can humbly suggest that the powers that be consider adding
this sort of useful information to the FAQ or docs, because it would
have saved me many, many hours of frustration and confusion.
At the moment, the FAQ and docs are written from the point of view of a
single-homed stub system with a simple default route to an ISP router.
It would be nice to see more consideration for more advanced
applications of OpenBSD where stateful filtering might not be such a
Good Thing (TM) as the docs and FAQ make it out to be.

Also, while I've got your attention.
There's not much information at all as to the benefits/disadvantages
of using sloppy states vs no states.



Re: brcm80211

2011-02-11 Thread Téssio Fechine
It's not only in Arch, Debian/Ubuntu/OpenSUSE say the same thing.
Anyway..
It's the header in all src files at /drivers/staging/brcm80211/:
--
/*
 * Copyright (c) 2010 Broadcom Corporation
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED AS IS AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
--

--- On Thu, 10/2/11, Skylar Hawk skylar.j.h...@gmail.com wrote:

 From: Skylar Hawk skylar.j.h...@gmail.com
 Subject: Re: brcm80211
 To: Téssio Fechine precheca...@yahoo.com.br
 Cc: misc@openbsd.org
 Date: Thursday, 10 February 2011, 23:18

 2011/2/10 Téssio Fechine precheca...@yahoo.com.br

  Hello,
  My wifi card (Broadcom 4313 - 0x4727) is currently unsupported by
  OpenBSD.
  But in Arch linux, modinfo brcm80211 (the driver for this card) shows
  that it's BSD/GNU licensed:
  ...
  filename: /lib/modules/2.6.37-ARCH/kernel/drivers/staging/brcm80211/brcm80211.ko.gz
  license: Dual BSD/GPL
  description: Broadcom 802.11n wireless LAN driver.
  author: Broadcom Corporation
  alias: pci:v14E4d4727sv*sd*bc*sc*i*
  alias: pci:v14E4d4353sv*sd*bc*sc*i*
  alias: pci:v14E4d4357sv*sd*bc*sc*i*
  depends: mac80211,cfg80211
  ...

  I just want to know if someone is aware of that fact, and if the proper
  support is in the TODO list.
  Thanks!

 I think the Arch Linux folks lied a bit there... I've got the same
 wifi card, and I looked at the driver that the Broadcom Corporation
 released, and it is not Dual BSD/GPL licensed. It uses their own
 license.

 You can check it out here:
 http://www.broadcom.com/docs/linux_sta/hybrid-portsrc_x86_32-v5_100_82_38.tar.gz

 The license is in lib/LICENSE.txt


default route interface not in group egress

2011-02-11 Thread MERIGHI Marcus
I am puzzled by the fact that interface ppp0 is not automagically
assigned to interface group ``egress'' though a default route points to
it. This does not seem to match ifconfig(8): ``The interface(s) the
default route(s) point to are members of the egress interface group.''
On the other hand bwi0 stays in the ``egress'' group even if the default
route pointing to it is removed. 

According to my OpenBSD experience it is probably me getting something
wrong, anyone got a clue stick to apply on me?

$ netstat -n -r -f inet
Routing tables
Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.111.111    UGS        1       68     -    12 bwi0
default            10.1.67.76         UG         0        0     -    56 ppp0
10.1.67.76         10.120.190.120     UH         1        0     -     4 ppp0
127/8              127.0.0.1          UGRS       0        0 33200     8 lo0
127.0.0.1          127.0.0.1          UH         5       82 33200     4 lo0
192.168.111/24     link#1             UC         1        0     -     4 bwi0
192.168.111.111    00:0e:56:00:4f:90  UHLc       1        4     -     4 bwi0
192.168.111.205    127.0.0.1          UGHS       0        0 33200     8 lo0
224/4              127.0.0.1          URS        0        0 33200     8 lo0

$ ifconfig bwi0
bwi0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:14:a4:81:85:48
priority: 4
groups: wlan egress
media: IEEE802.11 autoselect (DS11 mode 11b)
status: active
ieee80211: [snip]
inet6 fe80::214:a4ff:fe81:8548%bwi0 prefixlen 64 scopeid 0x1
inet 192.168.111.205 netmask 0xff00 broadcast 192.168.111.255

$ ifconfig ppp0
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
priority: 0
groups: ppp
inet 10.120.190.120 --> 10.1.67.76 netmask 0xff00

$ sudo route -n delete default
$ netstat -n -r -f inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.1.67.76         UG         0       14     -    56 ppp0
10.1.67.76         10.120.190.120     UH         1        0     -     4 ppp0
127/8              127.0.0.1          UGRS       0        0 33200     8 lo0
127.0.0.1          127.0.0.1          UH         3      280 33200     4 lo0
192.168.111/24     link#1             UC         1        0     -     4 bwi0
192.168.111.111    00:0e:56:00:4f:90  UHLc       0       24     -     4 bwi0
192.168.111.205    127.0.0.1          UGHS       0        0 33200     8 lo0
224/4              127.0.0.1          URS        0        0 33200     8 lo0

$ ifconfig bwi0
bwi0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:14:a4:81:85:48
priority: 4
groups: wlan egress
media: IEEE802.11 autoselect (DS11 mode 11b)
status: active
ieee80211: [snip]
inet6 fe80::214:a4ff:fe81:8548%bwi0 prefixlen 64 scopeid 0x1
inet 192.168.111.205 netmask 0xff00 broadcast 192.168.111.255

$ ifconfig ppp0
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
priority: 0
groups: ppp
inet 10.120.190.120 --> 10.1.67.76 netmask 0xff00

$ dmesg
OpenBSD 4.9-beta (GENERIC) #650: Sun Feb  6 17:26:25 MST 2011
t...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Mobile Intel(R) Pentium(R) 4 - M CPU 2.00GHz (GenuineIntel 686-class) 2 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
real mem  = 1072721920 (1023MB)
avail mem = 1045041152 (996MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 06/12/03, BIOS32 rev. 0 @ 0xfd7e0, SMBIOS rev. 2.31 @ 0xe0010 (48 entries)
bios0: vendor IBM version 1IET66WW (2.05 ) date 06/12/2003
bios0: IBM 2366EG9
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SSDT ECDT TCPA BOOT
acpi0: wakeup devices LID_(S3) SLPB(S3) UART(S3) PCI0(S4) PCI1(S4) DOCK(S4) USB0(S3) USB1(S3) USB2(S3) AC97(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiec0 at acpi0
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (AGP_)
acpiprt2 at acpi0: bus 2 (PCI1)
acpicpu0 at acpi0: C3, C2, FVS, 2000, 1200 MHz
acpipwrres0 at acpi0: PUBS
acpitz0 at acpi0: critical temperature 94 degC
acpibtn0 at acpi0: LID_
acpibtn1 at acpi0: SLPB
acpibat0 at acpi0: BAT0 model IBM-COMPATIBLE serial 20884 type LION oem GW
acpibat1 at acpi0: BAT1 not present
acpiac0 at acpi0: AC unit online
acpithinkpad0 at acpi0
acpidock0 at acpi0: DOCK not docked (0)
bios0: ROM list: 0xc/0x1 0xdc000/0x4000! 0xe/0x1
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82845 Host rev 0x04
intelagp0 at pchb0
agp0 at intelagp0: aperture at 0xe000, size 0x400
ppb0 at pci0 dev 1 function 0 Intel 82845 AGP rev 0x04
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 

Re: Dell R310 - H200 Raid performance problem

2011-02-11 Thread Łukasz Czarniecki
On 11.02.2011 03:49, Nick Holland wrote:

 tip: use OpenBSD's resident ftp app, save a package:
 /tmp $ ftp http://ftp.spline.de/pub/OpenBSD/4.8/sys.tar.gz

:)

 i.e., basically the same for all  Therefore, I'm ignoring all but the
 4.9 GENERIC.  I almost never complain about dmesgs being included, but
 including four different dmesgs that show the same result wasn't overly
 interesting and 57k emails are a bit big... :)

Sorry, just trying to be helpful :).


 Sounds like you don't have softdeps running on your system.  Use 'em
 (FAQ 14).

 A lot slower, but still a lot better than you are getting, so, I suspect
 you have both issues going on.

 There are about 10,000 files in that file, so that's a lot of file
 creations, that's the stuff that Softdeps shines on.

Enabling softdeps made some improvement but performance is still
unacceptable.

# mount
/dev/sd0a on / type ffs (local)
/dev/sd0m on /home type ffs (local, nodev, nosuid, softdep)
/dev/sd0d on /tmp type ffs (local, nodev, nosuid)
/dev/sd0f on /usr type ffs (local, nodev)
/dev/sd0g on /usr/X11R6 type ffs (local, nodev)
/dev/sd0h on /usr/local type ffs (local, nodev)
/dev/sd0l on /usr/obj type ffs (local, nodev, nosuid)
/dev/sd0k on /usr/src type ffs (local, nodev, nosuid)
/dev/sd0e on /var type ffs (local, nodev, nosuid)
# pwd
/home/test/6
# time tar xzf ./sys.tar.gz

1m2.53s real 0m0.58s user 0m0.62s system

I think my problem is somehow related to this:

http://old.nabble.com/Dell-R310-with-SAS-drives-very-slow-td28659314.html

And this:
http://support.dell.com/support/edocs/storage/storlink/h200/en/ug/html/features.htm#wp1062398

Thank you.
Lukasz



[OT] squid and https.

2011-02-11 Thread Alessandro Baggi
Hi list. I have a squid proxy with url filtering and file av scan 
composed by OpenBSD 4.8 + squid-2.7-STABLE7 + squidGuard + havp, all 
works fine but I'm not able to get https traffic scanned. To avoid this, 
we can use squid-3.1.11 with ssl-bump feature.
At this point I've tried to set this configuration on a linux host, to 
avoid breaking my firewall, on Slackware 13.1 + squid-3.1.11 + sslbump + 
c-icap + squidclamav-6.0 + squidGuard + clamav.


from http://wiki.squid-cache.org/Features/SslBump:

Squid-in-the-middle decryption and encryption of straight CONNECT and 
transparently redirected SSL traffic, using configurable client- and 
server-side certificates. While decrypted, the traffic can be inspected 
using ICAP.


At this point there's no explanation needed about sslbump.
All HTTP and HTTPS traffic will be scanned greatly.

I've tried also to set an env with: Slackware 13.1 + squid-3.1.11 + 
sslbump + havp + clamav + squidguard. The point is that, to get in work 
squid with havp, I must insert a parent (cache_peer) to havp and then 
when squid get the request from a client, it sends the request to havp, 
and havp tells (rightly) that the request is an invalid request 
returning the havp page.
There is a method to avoid this? Or the problem is related only to havp 
that could not see https traffic?


Another question is about security. With this method, the SSL 
communication between two endpoints is broken with the squid in the 
middle, what are the security implications of using this method? There are 
many pro in front of cons to use this solution?


The last question: why openbsd does not get squid-3.x instead 2.7-x?

Thanks in advance



Re: Constant rate mbuf leak

2011-02-11 Thread Lars Kotthoff
Just to say that I've been having the same problem with a Soekris board since
about 4.4. I haven't figured out what's going on, but strangely the problem is
getting better with time (i.e. the rate at which mbufs are allocated decreases).
I *think* that it was fine in 4.3 (though I never run the machine for any length
of time with that kernel), so you could try that if you want to investigate.

I haven't been able to establish a correlation between allocated mbufs and
(network) load either.

The solution for me so far has been to keep a watchful eye and reboot the
machine once too much memory is used, combined with a watchdog and monit to
reboot the machine automatically if it becomes unresponsive.

Lars



Re: Dell R310 - H200 Raid performance problem

2011-02-11 Thread Rodolfo Gouveia
On Thu, Feb 10, 2011 at 09:49:43PM -0500, Nick Holland wrote:
 Also, check to see if your RAID card has a battery for its cache, if it
 doesn't, a lot of RAID controllers drop to non-cached writes, and often
 seem to slow down way beyond what you'd expect just to make you buy the
 dang battery :).  I believe most of the current crop of Dell RAID
 controllers have an option buried in the RAID setup screens to cache
 writes even without a battery.  Don't blame me (or Dell, or anyone else)
 if you trip over the power cord and blow away your array.

I second this too. Check if you have that write cache enabled.

cheers,
--rodolfo



Re: [OT] squid and https.

2011-02-11 Thread Alessandro Baggi

On 11/02/2011 19:17, R0me0 *** wrote:

Hello Alessandro !

Try read this

If possible, comment after try :D

Regards,

spawn

2011/2/11 Alessandro Baggi alessandro.ba...@gmail.com


Hi list. I have a squid proxy with url filtering and file av scan
composed by OpenBSD 4.8 + squid-2.7-STABLE7 + squidGuard + havp,
all works fine but i'm not able to get https traffic scanned. To
avoid this, we can use squid-3.1.11 with ssl-bump feature.
At this point I've tried to set this configuration on a linux
host, to avoid to break my firewall, on Slackware 13.1 +
squid-3.1.11 + sslbump + c-icap + squidclamav-6.0 + squidGuard +
clamav.

from http://wiki.squid-cache.org/Features/SslBump:

Squid-in-the-middle decryption and encryption of straight CONNECT
and transparently redirected SSL traffic, using configurable
client- and server-side certificates. While decrypted, the traffic
can be inspected using ICAP.

At this point there's no explanation needed about sslbump.
All HTTP and HTTPS traffic will be scanned greatly.

I've tried also to set an env with: Slackware 13.1 + squid-3.1.11
+ sslbump + havp + clamav + squidguard. The point is that, to get
in work squid with havp, I must insert a parent (cache_peer) to
havp and then when squid get the request from a client, it sends
the request to havp, and havp tells (rightly) that the request is
an invalid request returning the havp page.
There is a method to avoid this? Or the problem is related only to
havp that could not see https traffic?

Another question is about security. With this method, the SSL
communication between two endpoints is broken with the squid in
the middle, what are the security implications of using this method?
There are many pro in front of cons to use this solution?

The last question: why openbsd does not get squid-3.x instead 2.7-x?

Thanks in advance


Azz, this solution is very very secure :D. Jokes aside, I've 
read something about this, and I would like assurance of this.

For my second question: cause squid-3 permit mitm.

Thanks for the reply.

Best regards



Re: Constant rate mbuf leak

2011-02-11 Thread Chris
 Lars == Lars Kotthoff li...@larsko.org writes:

Lars Just to say that I've been having the same problem with a
Lars Soekris board since about 4.4. I haven't figured out what's
Lars going on, but strangely the problem is getting better with
Lars time (i.e. the rate at which mbufs are allocated decreases).
Lars I *think* that it was fine in 4.3 (though I never run the
Lars machine for any length of time with that kernel), so you could
Lars try that if you want to investigate.

Lars I haven't been able to establish a correlation between
Lars allocated mbufs and (network) load either.

Lars The solution for me so far has been to keep a watchful eye
Lars and reboot the machine once too much memory is used, combined
Lars with a watchdog and monit to reboot the machine automatically
Lars if it becomes unresponsive.


I've had a similar issue in the past (see PR kernel/6380).  First a
small amount of background, I'm using an Alix 3d3 to act as a
bridging firewall.

ISP -- vr2 -- Bridge0 + PF -- vr1 -- MyHost

With this setup, if PF was enabled, or disabled, I would leak 2k sized
mbufs at a roughly linear rate, causing the system to become
non-responsive after it could not allocate more mbufs.  Raising the
limit on mbufs would prolong the hang, and raised high enough the
machine would hang when it ran off the end of memory.

I eventually found a way to mitigate this by filtering the MAC's seen
through the bridge.  This isn't a fix to the real problem, just a
bandaid that seems to fit.  Basically I only allow packets written with
the MAC for MyHost on the bridge with the following in
/etc/hostname.bridge0:

add vr2
add vr1
rule pass in on vr1 src 88:88:88:88:88:88 tag extbr
rule pass out on vr1 dst 88:88:88:88:88:88 tag extbr
rule block on vr1
up

This keeps my inside machine from having to see the ISP's usual
background packets (arp spam, etc).  With these filters in place the
firewall has been stable and non-leaking for  100 days.

I don't understand the link between this filtering and the memory leaks
that are seen without it (I started to go through the code, but so far
RealLife(TM) has kept me from completely getting my head around it).

Anyways, I don't know if this will be at all applicable for what you are
seeing, but hopefully it's a nudge in the right direction.

-- 
Chris
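
The linear growth of 2k clusters described in this thread can be tracked from saved `netstat -m` snapshots instead of by eye. This Python code is an added example, not from the thread: it extracts the 2048-byte cluster counters, fits a line through timestamped samples, and estimates how long until the cluster limit is reached. The `current/peak/max` line format, the snapshot text and the sample values are assumptions constructed for the illustration, and the function names are hypothetical.

```python
import re

# Assumed netstat -m line, e.g.:
#   76/136/6144 mbuf 2048 byte clusters in use (current/peak/max)
CLUSTERS = re.compile(
    r"^\s*(\d+)/(\d+)/(\d+) mbuf (\d+) byte clusters in use", re.MULTILINE
)


def parse_clusters(netstat_m_text, size=2048):
    """Return (current, peak, max) for clusters of the given size, or None."""
    for cur, peak, limit, sz in CLUSTERS.findall(netstat_m_text):
        if int(sz) == size:
            return int(cur), int(peak), int(limit)
    return None


def growth_per_second(points):
    """Least-squares slope of (unix_time, clusters_in_use) points."""
    n = len(points)
    if n < 2:
        return 0.0
    mean_t = sum(t for t, _ in points) / n
    mean_c = sum(c for _, c in points) / n
    den = sum((t - mean_t) ** 2 for t, _ in points)
    if den == 0:
        return 0.0
    num = sum((t - mean_t) * (c - mean_c) for t, c in points)
    return num / den


def seconds_to_exhaustion(snapshots, size=2048):
    """snapshots: list of (unix_time, netstat -m text).

    Returns the estimated seconds until 'current' reaches 'max' at the
    fitted rate, or None when usage is flat, shrinking or unparseable.
    """
    points, limit = [], None
    for ts, text in snapshots:
        parsed = parse_clusters(text, size)
        if parsed:
            points.append((ts, parsed[0]))
            limit = parsed[2]
    slope = growth_per_second(points)
    if limit is None or slope <= 0:
        return None
    return max(0.0, (limit - points[-1][1]) / slope)


def _snapshot(current, limit=6144):
    """Constructed netstat -m text for the samples below."""
    return (
        f"{current + 20} mbufs in use:\n"
        f"{current}/{current}/{limit} mbuf 2048 byte clusters in use "
        "(current/peak/max)\n"
        f"0/8/{limit} mbuf 4096 byte clusters in use (current/peak/max)\n"
    )


# Constructed samples: one per hour, leaking 60 clusters per hour.
SAMPLES = [(0, _snapshot(200)), (3600, _snapshot(260)),
           (7200, _snapshot(320)), (10800, _snapshot(380))]

if __name__ == "__main__":
    eta = seconds_to_exhaustion(SAMPLES)
    print("hours until 2k clusters run out:", round(eta / 3600, 1))
```

A shrinking estimate across runs is a cue to schedule the reboot, or to test a mitigation such as the bridge MAC filter above, before the machine stops allocating mbufs.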



Thinkpad x201 OBSD compatibility

2011-02-11 Thread Chris
I'm planning to buy a Thinkpad x201 laptop (not the tablet one) and
wondering if anyone using it with OpenBSD at the moment. If so, is it
100% OpenBSD compatible?

Thanks.



Re: Constant rate mbuf leak

2011-02-11 Thread Bret S. Lambert
Prime suspect here would be the network driver. dlg@ had a nice mbuf leak
detect-o-matic diff a while back. I'll have to see if I can find it.

In the meantime knowing which board it is (or, even better, what network
drivers are in use) would help immensely.

On Fri, Feb 11, 2011 at 06:20:50PM +, Lars Kotthoff wrote:
 Just to say that I've been having the same problem with a Soekris board since
 about 4.4. I haven't figured out what's going on, but strangely the problem is
 getting better with time (i.e. the rate at which mbufs are allocated 
 decreases).
 I *think* that it was fine in 4.3 (though I never run the machine for any 
 length
 of time with that kernel), so you could try that if you want to investigate.
 
 I haven't been able to establish a correlation between allocated mbufs and
 (network) load either.
 
 The solution for me so far has been to keep a watchful eye and reboot the
 machine once too much memory is used, combined with a watchdog and monit to
 reboot the machine automatically if it becomes unresponsive.
 
 Lars



Re: Constant rate mbuf leak

2011-02-11 Thread Lars Kotthoff
 In the meantime knowing which board it is (or, even better, what network
 drivers are in use) would help immensely.

3 like this
rl0 at pci0 dev 18 function 0 Realtek 8139 rev 0x10

and one
ral0 at pci0 dev 21 function 0 Ralink RT2860 rev 0x00
ral0: MAC/BBP RT2860 (rev 0x0101), RF RT2820 (MIMO 2T3R)

Alan's network drivers seem to be completely different though.

Lars



Re: Constant rate mbuf leak

2011-02-11 Thread Christiano F. Haesbaert
Are you all running bridged setups ?



Re: Constant rate mbuf leak

2011-02-11 Thread Lars Kotthoff
 Are you all running bridged setups ?

I am, but the problem also occurred without the bridge. I originally suspected
the wireless interface (which is bridged with one of the wired ones) and removed
the card and hence the bridge. Same problem.

Lars



Re: Thinkpad x201 OBSD compatibility

2011-02-11 Thread Matthew Dempsky
On Fri, Feb 11, 2011 at 12:26 PM, Chris atst...@gmail.com wrote:
 I'm planning to buy a Thinkpad x201 laptop (not the tablet one) and
 wondering if anyone using it with OpenBSD at the moment. If so, is it
 100% OpenBSD compatible?

I have an X201s and it works okay.  The biggest thing that doesn't
*seem* to work correctly is CPU throttling: even when the machine's
100% idle, the CPU fan is still spinning at full speed and power
consumption isn't any lower at 100% utilization.

There seems to be some issue with aps(4) too, but that hasn't
practically caused me any issues.



Re: Thinkpad x201 OBSD compatibility

2011-02-11 Thread Vadim Zhukov
On 11 February 2011 P3. 23:26:33 Chris wrote:
 I'm planning to buy a Thinkpad x201 laptop (not the tablet one) and
 wondering if anyone using it with OpenBSD at the moment. If so, is it
 100% OpenBSD compatible?

Using X201i now. Almost all is working OK. Here are all problems I saw:

 - Bluetooth causes panics sometimes, especially after a suspend/resume
cycle. Do not try to disable the radio while in OpenBSD. Also note that
the Bluetooth chip here does not allow saving even one key in its memory,
but this looks like a hardware limitation.

 - After switching away from X, the console is blank, but suspend/resume
usually helps.

 - Note that Lenovo changed the fingerprint sensor, which is not
supported by login_fingerprint.

 - NTFS causes problems exhausting kernel memory when, for example,
running find(1) on Windows folder.

All of those are minor issues; the machine itself works cool. I had no
problems using OpenBSD, including lockups, except those noted above.

--
  Best wishes,
Vadim Zhukov

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?



Re: brcm80211

2011-02-11 Thread Skylar Hawk
2011/2/11 Téssio Fechine precheca...@yahoo.com.br:
 It's not only in Arch, Debian/Ubuntu/OpenSUSE say the same thing.
 Anyway.. It's the header in all src files at /drivers/staging/brcm80211/:
 --
 /*
  * Copyright (c) 2010 Broadcom Corporation
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
  * THE SOFTWARE IS PROVIDED AS IS AND THE AUTHOR DISCLAIMS ALL WARRANTIES
  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 --


Wow, you didn't even bother looking at the license did you? Okay, I'll
list just a small section from the license (again at
http://www.broadcom.com/docs/linux_sta/hybrid-portsrc_x86_32-v5_100_82_38.tar.gz)
to show my point.

...
2.2.Restriction on Modification.  If and to the extent that the
Software is designed to be compliant with any published communications
standard (including, without limitation, DOCSIS, HomePNA, IEEE, and
ITU standards), Licensee may not make any modifications to the
Software that would cause the Software or the accompanying Broadcom
Products to be incompatible with such standard.
...

Point here is the license is not GPL nor GPL compatible and if the
driver they are using really is the official Broadcom Corporation
driver, they are ALL lying. Otherwise, they've got some other driver
they are using, and I'm curious why they are crediting Broadcom for
making it. I would guess that someone fibbed about it to the Debian
repos and the rest of them have ported it onward to their own distros.


-Sky



Re: Thinkpad x201 OBSD compatibility

2011-02-11 Thread Alexandr Shadchin
On Sat, Feb 12, 2011 at 07:26:33AM +1100, Chris wrote:
 I'm planning to buy a Thinkpad x201 laptop (not the tablet one) and
 wondering if anyone using it with OpenBSD at the moment. If so, is it
 100% OpenBSD compatible?
 
 Thanks.
 

I use a ThinkPad x201. It works well, though in truth there are a couple of problems:
- USB doesn't work after suspend/resume
- if X is running, switching to text consoles doesn't work (blank screen)

-- 
Alexandr Shadchin



Re: Constant rate mbuf leak

2011-02-11 Thread Abel Abraham Camarillo Ojeda
On Fri, Feb 11, 2011 at 3:44 PM, Lars Kotthoff li...@larsko.org wrote:
 In the meantime knowing which board it is (or, even better, what network
 drivers are in use) would help immensely.

 3 like this
 rl0 at pci0 dev 18 function 0 Realtek 8139 rev 0x10

 and one
 ral0 at pci0 dev 21 function 0 Ralink RT2860 rev 0x00
 ral0: MAC/BBP RT2860 (rev 0x0101), RF RT2820 (MIMO 2T3R)

 Alan's network drivers seem to be completely different though.

 Lars



I have had a lot of problems with rl*. I didn't want to debug, so I just
bought some re* (if you want something cheap).

I remember a comment by Jacob Meuser about how the rl driver (and cards)
suck and re* are more or less ok.



The first names

2011-02-11 Thread Festival Le CHIEN à PLUMES
Le Chien à Plumes announces the first names!!
August 5, 6 and 7 in LANGRES - 52 - Lac de Villegusien:

KATERINE (Fr)  http://katerine.free.fr/

GOGOL BORDELLO (US)  http://www.gogolbordello.com/us/home

APOCALYPTICA (Finland)  http://www.myspace.com/apocalyptica

KATZENJAMMER (Norway)  http://katzenjammer.no/site/

STAFF BENDA BILILI (Congo)  http://www.myspace.com/staffbendabilili

CALI (Fr)  http://www.calimusic.fr/

BOMBA ESTEREO (Colombia)  http://www.myspace.com/bombaestereo

Info: www.chienaplumes.fr

http://www.facebook.com/LE.CHIEN.A.PLUMES

... more coming soon!
Spread the word!!




Re: brcm80211

2011-02-11 Thread Téssio Fechine
 Wow, you didn't even bother looking at the license did you?

Yes.. Because I'm talking about brcm80211, and you are referring to other
driver's license. You didn't even bother looking at the e-mail subject did
you? :D



Re: brcm80211

2011-02-11 Thread Skylar Hawk
2011/2/11 Téssio Fechine precheca...@yahoo.com.br:
 Wow, you didn't even bother looking at the license did you?

 Yes.. Because I'm talking about brcm80211, and you are referring to other
driver's license. You didn't even bother looking at the e-mail subject did
you? :D


I did read the subject, but I wasn't aware that Broadcom had released
more than one version of their driver for that chipset. The driver I
referred to is for that same chipset you spoke of as well.

Nonetheless, I am not too proud to admit I am wrong on list. My
apologies Téssio. You are right, and for both our sakes, I hope that
the driver ends up being ported.

-Sky



Re: Thinkpad x201 OBSD compatibility

2011-02-11 Thread Ted Unangst
On Fri, Feb 11, 2011 at 5:05 PM, Vadim Zhukov persg...@gmail.com wrote:
  - NTFS causes problems exhausting kernel memory when, for example,
 running find(1) on Windows folder.

can you run find in a smaller folder a few times, and send the output
of vmstat -m | grep -i ntfs?



Re: Thinkpad x201 OBSD compatibility

2011-02-11 Thread Vadim Zhukov
On 12 February 2011 c. 05:13:33 Ted Unangst wrote:
 On Fri, Feb 11, 2011 at 5:05 PM, Vadim Zhukov persg...@gmail.com wrote:
   - NTFS causes problems exhausting kernel memory when, for example,
  running find(1) on Windows folder.

 can you run find in a smaller folder a few times, and send the output
 of vmstat -m | grep -i ntfs?

After running find on /win/Users/pers/Documents:

  packet tags, temp, NTFS data, NTFS vrun, AGP Memory, DRM
  USB, memdesc, temp, NTFS vrun, DRM
  USB device, NDP, temp, NTFS data, NTFS vrun, AGP Memory, DRM
  NTFS node, NTFS fnode, NTFS data, NTFS vrun, DRM
  UVM aobj, USB, USB device, temp, NTFS data, bluetooth, DRM
  NTFS mount, NTFS attr, NTFS data, DRM
  UVM amap, UVM aobj, USB, crypto data, temp, NTFS data, DRM
  VM swap, UVM amap, temp, NTFS mount, DRM
  USB, memdesc, temp, NTFS dir, DRM
  UVM amap, temp, NTFS hash, DRM
  131072  devbuf, VM swap, NTFS data
NTFS mount     2     3K     3K 39322K      2     0     0  512,2048
 NTFS node   110    14K    26K 39322K    488     0     0  128
NTFS fnode   110    14K    26K 39322K    488     0     0  128
  NTFS dir   105   420K   420K 39322K    122     0     0  4096
 NTFS hash     1    16K    16K 39322K      1     0     0  16384
 NTFS attr   495   248K   296K 39322K   1210     0     0  512
 NTFS data   453   193K   194K 39322K   1029     0     0  16,64,128,256,512,1024,131072
 NTFS vrun    86     2K     4K 39322K    364     0     0  16,32,64,128

After this find ran on /win/Users/pers:

  packet tags, temp, NTFS data, NTFS vrun, AGP Memory, DRM
  USB, memdesc, temp, NTFS vrun, DRM
  USB device, NDP, temp, NTFS data, NTFS vrun, AGP Memory, DRM
  NTFS node, NTFS fnode, NTFS data, NTFS vrun, DRM
  UVM aobj, USB, USB device, temp, NTFS data, bluetooth, DRM
  NTFS mount, NTFS attr, NTFS data, DRM
  UVM amap, UVM aobj, USB, crypto data, temp, NTFS data, DRM
  VM swap, UVM amap, temp, NTFS mount, DRM
  USB, memdesc, temp, NTFS dir, DRM
  UVM amap, temp, NTFS hash, DRM
  131072  devbuf, VM swap, NTFS data
NTFS mount     2     3K     3K 39322K      2     0     0  512,2048
 NTFS node  1343   168K   168K 39322K   1721     0     0  128
NTFS fnode  1343   168K   168K 39322K   1721     0     0  128
  NTFS dir  1339  5356K  5356K 39322K   1356     0     0  4096
 NTFS hash     1    16K    16K 39322K      1     0     0  16384
 NTFS attr  5368  2684K  2684K 39322K   6083     0     0  512
 NTFS data  5084   913K   913K 39322K   5660     0     0  16,64,128,256,512,1024,131072
 NTFS vrun   570    12K    12K 39322K    848     0     0  16,32,64,128

And after running on /win/Users:

  packet tags, temp, NTFS data, NTFS vrun, AGP Memory, DRM
  USB, memdesc, temp, NTFS vrun, DRM
  USB device, NDP, temp, NTFS data, NTFS vrun, AGP Memory, DRM
  NTFS node, NTFS fnode, NTFS data, NTFS vrun, DRM
  UVM aobj, USB, USB device, temp, NTFS data, bluetooth, DRM
  NTFS mount, NTFS attr, NTFS data, DRM
  UVM amap, UVM aobj, USB, crypto data, temp, NTFS data, DRM
  VM swap, UVM amap, temp, NTFS mount, DRM
  USB, memdesc, temp, NTFS dir, DRM
  UVM amap, temp, NTFS hash, DRM
  131072  devbuf, VM swap, NTFS data
NTFS mount     2     3K     3K 39322K      2     0     0  512,2048
 NTFS node  1552   194K   194K 39322K   1930     0     0  128
NTFS fnode  1552   194K   194K 39322K   1930     0     0  128
  NTFS dir  1549  6196K  6196K 39322K   1566     0     0  4096
 NTFS hash     1    16K    16K 39322K      1     0     0  16384
 NTFS attr  6272  3136K  3136K 39322K   6987     0     0  512
 NTFS data  5952  1039K  1039K 39322K   6528     0     0  16,64,128,256,512,1024,131072
 NTFS vrun   642    13K    13K 39322K    920     0     0  16,32,64,128

If I rerun find on a previously searched folder it finishes its work almost
immediately - caching? - and there is no difference in vmstat output.

--
  Best wishes,
Vadim Zhukov

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
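
The comparison requested above (run find a few times and compare `vmstat -m | grep -i ntfs`) amounts to diffing per-type counters between snapshots. As an added example, not part of the original thread, this Python sketch parses such snapshots and lists the malloc types whose new allocations all stay in use; the sample rows are constructed in the `vmstat -m` layout, modelled on the figures in the message, and the function names are this example's own.

```python
import re

# Constructed sample in the `vmstat -m` per-type layout (Type InUse MemUse
# HighUse Limit Requests TypeLim KernLim Sizes), modelled on the thread.
# The first line is a bucket-size line that `grep -i ntfs` also matches.
SNAPSHOTS = [
    """  USB, memdesc, temp, NTFS dir, DRM
 NTFS node   110    14K    26K 39322K    488     0     0  128
  NTFS dir   105   420K   420K 39322K    122     0     0  4096
 NTFS attr   495   248K   296K 39322K   1210     0     0  512
 NTFS hash     1    16K    16K 39322K      1     0     0  16384""",
    """ NTFS node  1343   168K   168K 39322K   1721     0     0  128
  NTFS dir  1339  5356K  5356K 39322K   1356     0     0  4096
 NTFS attr  5368  2684K  2684K 39322K   6083     0     0  512
 NTFS hash     1    16K    16K 39322K      1     0     0  16384""",
    """ NTFS node  1552   194K   194K 39322K   1930     0     0  128
  NTFS dir  1549  6196K  6196K 39322K   1566     0     0  4096
 NTFS attr  6272  3136K  3136K 39322K   6987     0     0  512
 NTFS hash     1    16K    16K 39322K      1     0     0  16384""",
]

ROW = re.compile(r"^\s*(?P<type>\S.*?)\s+(?P<inuse>\d+)\s+(?P<mem>\d+)K\s+\d+K"
                 r"\s+\d+K\s+(?P<req>\d+)\s+\d+\s+\d+(?:\s+[\d,]+)?\s*$")

def parse(text):
    """Return {type: (in_use, mem_kb, requests)}, ignoring non-table lines."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows[m["type"]] = tuple(int(m[k]) for k in ("inuse", "mem", "req"))
    return rows

def retained(before, after):
    """Per type with new requests: (objects kept, new requests, KB growth)."""
    out = {}
    for name, (inuse, mem, req) in after.items():
        b_inuse, b_mem, b_req = before.get(name, (0, 0, 0))
        if req > b_req:
            out[name] = (inuse - b_inuse, req - b_req, mem - b_mem)
    return out

def suspects(snapshots, min_ratio=0.9):
    """Types whose new allocations stay in use across every interval."""
    parsed = [parse(s) for s in snapshots]
    hits = [{n for n, (kept, reqs, _) in retained(a, b).items()
             if kept / reqs >= min_ratio}
            for a, b in zip(parsed, parsed[1:])]
    return sorted(set.intersection(*hits)) if hits else []
```

On the sample, every object requested between snapshots is still allocated afterwards, and NTFS dir alone grows by 4936K in the first interval against a 39322K limit. The counters cannot say whether that is a leak or an unbounded cache; they only show that nothing allocated during the walk was freed.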