Re: snapshots total freeze
Hi,

On 25.12.2012 20:28, epsilon wrote:
On Tue, Dec 25, 2012 at 06:05:10PM +0100, frantisek holop wrote:

since a couple of snapshots back i can quite reliably freeze my openbsd notebook simply by leaving it on overnight. the desktop is there, all the open windows are there, but it has become a painting... nothing in the logs, no panic, nothing. anybody else is seeing something similar?

Not really the same, but maybe comparable. I am unsure, but let's see: Since upgrade to 5.2 my gateway box freezes in about one out of four times I boot it (it's switched off over night). It freezes somewhere after starting network daemons and starting local daemons. I tried to disable services I do not essentially need or to substitute them with other solutions. So far no findings here. But this box runs no X. I have connected a keyboard and a monitor and I am able to switch between the virtual terminals but no reaction there. If I simply hit return, nothing happens. No login possible. ICMP pings are replied, but I cannot SSH into the box. Connections are NOT rejected, they just time out. Same with all other TCP connections. After a while the fan accelerates. It looks like the CPU is working very hard. Unfortunately this is really the only reaction this box gives me. But better than nothing.

I can confirm the problem here. We run some 5.2 VMs on ESXi 5.1 and if the VM freezes the CPU runs on 100% but the system is completely frozen. No disk IO, no keyboard, but kernel networking seems to be ok. We hit this problem on a physical server after upgrading to 5.2 too.

Sometimes the problem occurs during boot like described above, but most of the freezes are seen after a short up time on system with heavy disk io. We had two VMs which crashed every 2 - 4 days after upgrading to 5.2. After a long time of investigation I had the assumption that a problem with the UVM / FFS softdep bufs causes the freeze. I saw a high, increasing number of busymap bufs in systat. After a simple sync the number drops down to 0 - 2 and increases again ...

Since 9 days, I run sync every 5 minutes and both systems did *not* freeze again.

- Joerg

--
OSN Online Service Nuernberg GmbH, Bucher Str. 78, 90408 Nuernberg
Tel: +49 911 39905-0 - Fax: +49 911 39905-55 - http://www.osn.de
HRB 15022 Nuernberg, USt-Id: DE189301263, GF: Joerg Goltermann
Re: PF block log all and ddos issue
Hello,

@Peter, thanks for your reply. But i have no problem with dns daemon. In fact attackers make ddos to ip addresses which have no dns services listening UDP port 53. So i have solved this issue partially with these rules below:

#Stop pointless udp 53 requests (dont log these packets)
block drop in quick on vlan100 inet proto {tcp,udp} from any to $dmz2:network port { 53 }
block drop out quick on $dmz2 inet proto {tcp,udp} from any to $dmz2:network port { 53 }
#default policy block and log all of them
block log all
# Other rules ..

But i still wonder why my firewall freezes when logging all blocked udp 53 requests. The attack is not too heavy. I had seen much worse before. Anyway, thanks.

From: Peter N. M. Hansteen pe...@bsdly.net
To: Theron ZORBAS theronzor...@yahoo.com
Cc: misc@openbsd.org misc@openbsd.org
Sent: Thursday, December 27, 2012 7:43 PM
Subject: Re: PF block log all and ddos issue

Theron ZORBAS theronzor...@yahoo.com writes:

I have an OpenBSD 5.2 i386 firewall. It was running so good till last night. We are under a ddos attack(DNS Amplification attack) (ANY? isc.org requests)

First of all, unless you *want* to run an open resolver, reconfigure so only the ones you want to do recursion for (typically at most clients in a subset of directly connected networks) will get the data they ask for. The difference in size between a full answer to the query you quote and a 'denied' reply is quite significant.

Our firewall freezes. I cant ping to my firewall interfaces even internal interface. It doesnt answer maybe replies very slowly. Before this freezing issue i got these messages at /var/log/messages:

/bsd: uvm_mapent_alloc: out of static map entries
/bsd: WARNING: mclpools limit reached; increase kern.maxcluster

I increased up kern.maxcluster values but did not work. We had to reboot firewall every 2 hours cause of this ddos attack. After that i realized that changing this pf rule worked:

block log all

to

block all

Now we are still under attack but firewall handles it. It drops udp port 53 attacks and doesnt log any packet. But this is not what i want. As default i wanna log which packet my firewall blocked. So how can i log all blocked packets and my firewall can be still up and running?

If pf logging or not is the difference between your firewall crashing or not, I'd put a significantly lower priority on collecting statistics than shutting up the noise makers. I was in a similar situation a little while back (blagged about it too, see [1]).

If you do want to run a name service but want to send the recursion gropers packing, you could do what I did - read the log for requests denied by named, then blackhole route the offending IP address to make sure you don't make any noise yourself by sending replies (pfctl -k and adding to a table you block drop are optional extras).

- P

[1] http://bsdly.blogspot.ca/2012/12/ddos-bots-are-people-or-manned-by-some.html

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
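One way to do the log-reading step described in the quoted advice above, as an added example that is not code from the thread or from the linked blog post: a POSIX sh/awk filter that counts named's "denied" query lines per client and prints the addresses at or above a threshold, one per line, in a form a pf table can load. The log line layout, the function names, the table name and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list clients whose queries named keeps denying.
# Assumed log layout (constructed sample, BIND 9 style):
#   Dec 27 19:40:01 ns named[1234]: client 203.0.113.5#4242: query (cache) 'isc.org/ANY/IN' denied

# Constructed sample input so the example runs offline.
sample_log() {
    cat <<'EOF'
Dec 27 19:40:01 ns named[1234]: client 203.0.113.5#4242: query (cache) 'isc.org/ANY/IN' denied
Dec 27 19:40:01 ns named[1234]: client 198.51.100.7#1025: query (cache) 'isc.org/ANY/IN' denied
Dec 27 19:40:02 ns named[1234]: client 203.0.113.5#4243: query (cache) 'isc.org/ANY/IN' denied
Dec 27 19:40:02 ns named[1234]: client 192.0.2.10#5353: query (cache) 'isc.org/ANY/IN' denied
Dec 27 19:40:03 ns named[1234]: client 192.0.2.10#5354: query: example.org IN A +
Dec 27 19:40:03 ns named[1234]: client 198.51.100.7#1026: query (cache) 'isc.org/ANY/IN' denied
Dec 27 19:40:04 ns sshd[99]: Connection closed by 198.51.100.7
Dec 27 19:40:04 ns named[1234]: client 203.0.113.5#4244: query (cache) 'isc.org/ANY/IN' denied
Dec 27 19:40:05 ns named[1234]: client 198.51.100.7#1027: query (cache) 'isc.org/ANY/IN' denied
Dec 27 19:40:05 ns named[1234]: client 203.0.113.5#4245: query (cache) 'isc.org/ANY/IN' denied
EOF
}

# offenders THRESHOLD < logfile
# Prints every client address with at least THRESHOLD denied queries,
# one per line, in numeric order.
offenders() {
    awk -v min="$1" '
        index($0, ": client ") && $NF == "denied" {
            for (i = 1; i < NF; i++) {
                if ($i == "client") {
                    addr = $(i + 1)
                    sub(/#.*/, "", addr)   # drop the "#port:" suffix
                    # The log is attacker-influenced input: accept only a
                    # strict dotted quad, ignore everything else.
                    if (addr ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                        hits[addr]++
                    break
                }
            }
        }
        END { for (a in hits) if (hits[a] >= min) print a }
    ' | LC_ALL=C sort -t. -k1,1n -k2,2n -k3,3n -k4,4n
}

# Demonstration on the constructed sample: clients denied 3 or more times.
sample_log | offenders 3

# On a real system the result would feed a table that pf drops without
# logging (table name "dnsabuse" and file paths are hypothetical):
#   pf.conf:  table <dnsabuse> persist
#             block drop in quick from <dnsabuse>
#   offenders 20 < /var/log/named.log > /etc/pf.dnsabuse
#   pfctl -t dnsabuse -T replace -f /etc/pf.dnsabuse
```

Placing the table rule before `block log all` keeps the default block-and-log policy for everything else while the known noise sources are dropped without a log entry.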
Re: Panic at pmap_remove_ptes, 5.2/i386
Hi,

On 18.12.2012 09:33, Marcin wrote:

Hi, Today a member of my 2 machines firewall cluster running 5.2 panicked with following info (screenshot at http://tinypic.com/r/11t7nrl/6):

panic: pmap_remove_ptes: unmanaged page marked PG_PVLIST, va = 0x3c005000, pa = 0xf000

The machine, along with its identical twin, runs a standard suite of: PF (including carp and pfsync), relayd and bgpd. It is the 5th panic since the cluster was commissioned over a week ago, all of them happened in the same function pmap_remove_ptes. I found an older thread with Stuart reporting similar issue here http://marc.info/?l=openbsd-tech&m=132593610913252

Could I ask for suggestions how to approach this and what might be a root cause of the problem?

we hit the same crash on two different VMs:

Dec 20 11:04:40 mx01 /bsd: panic: pmap_remove_ptes: unmanaged page marked PG_PVLIST, va = 0x3c00, pa = 0x7aada000
Dec 20 11:04:40 mx01 /bsd: Starting stack trace...
Dec 20 11:04:40 mx01 /bsd: panic(d08e4318,f53d1e38,d08e7660,f53d1e38,d169798c) at panic+0x6a
Dec 20 11:04:40 mx01 /bsd: panic(d08e7660,3c00,7aada000,2f65e000,0) at panic+0x6a
Dec 20 11:04:40 mx01 /bsd: pmap_remove_ptes(d66f0bd4,d169798c,ffcf,3c00,3c001000) at pmap_remove_ptes+0x159
Dec 20 11:04:40 mx01 /bsd: pmap_do_remove(d66f0bd4,3c00,3c001000,0,d0a55020) at pmap_do_remove+0xeb
Dec 20 11:04:40 mx01 /bsd: pmap_remove(d66f0bd4,3c00,3c001000,d0515e99,f5f2c154) at pmap_remove+0x27
Dec 20 11:04:40 mx01 /bsd: uvm_unmap_kill_entry(f64bd018,f5f2c154,f53d1f2c,d03e7197,0) at uvm_unmap_kill_entry+0xf8
Dec 20 11:04:40 mx01 /bsd: uvm_map_teardown(f64bd018,1,4,d08bf5ce,d6521030) at uvm_map_teardown+0xac
Dec 20 11:04:40 mx01 /bsd: uvmspace_free(f64bd018,1,1,f53d1f6c,d02030e1) at uvmspace_free+0x2e
Dec 20 11:04:40 mx01 /bsd: uvm_exit(d6522744,d09ca628,4,d08bf5ce,0) at uvm_exit+0x15
Dec 20 11:04:40 mx01 /bsd: reaper(d6d9aba0) at reaper+0x8a
Dec 20 11:04:40 mx01 /bsd: Bad frame pointer: 0xd0ba9e68
Dec 20 11:04:40 mx01 /bsd: End of stack trace.

Dec 21 12:36:33 mx02 /bsd: panic: pmap_remove_ptes: managed page without PG_PVLIST for 0x3c003000
Dec 21 12:36:33 mx02 /bsd: Starting stack trace...
Dec 21 12:36:33 mx02 /bsd: panic(d08e4318,f53d1e38,d08e7624,f53d1e38,d16c52b0) at panic+0x6a
Dec 21 12:36:33 mx02 /bsd: panic(d08e7624,3c003000,d66d7c24,d05155bc,0) at panic+0x6a
Dec 21 12:36:33 mx02 /bsd: pmap_remove_ptes(d66a855c,d16c52b0,ffcf000c,3c003000,3c004000) at pmap_remove_ptes+0x142
Dec 21 12:36:33 mx02 /bsd: pmap_do_remove(d66a855c,3c003000,3c004000,0,d0a55020) at pmap_do_remove+0xeb
Dec 21 12:36:33 mx02 /bsd: pmap_remove(d66a855c,3c003000,3c004000,d0515e99,d60a23b0) at pmap_remove+0x27
Dec 21 12:36:33 mx02 /bsd: uvm_unmap_kill_entry(f5ee9894,d60a23b0,f53d1f2c,d03e7197,0) at uvm_unmap_kill_entry+0xf8
Dec 21 12:36:33 mx02 /bsd: uvm_map_teardown(f5ee9894,1,4,d08bf5ce,d66b0b38) at uvm_map_teardown+0xac
Dec 21 12:36:33 mx02 /bsd: uvmspace_free(f5ee9894,1,1,f53d1f6c,d02030e1) at uvmspace_free+0x2e
Dec 21 12:36:33 mx02 /bsd: uvm_exit(d66b1744,d09ca628,4,d08bf5ce,0) at uvm_exit+0x15
Dec 21 12:36:33 mx02 /bsd: reaper(d6d9aba0) at reaper+0x8a
Dec 21 12:36:33 mx02 /bsd: Bad frame pointer: 0xd0ba9e68
Dec 21 12:36:33 mx02 /bsd: End of stack trace.

From the last I have a crash dump and can provide further information if someone wants to take a look.

- Joerg

--
OSN Online Service Nuernberg GmbH, Bucher Str. 78, 90408 Nuernberg
Tel: +49 911 39905-0 - Fax: +49 911 39905-55 - http://www.osn.de
HRB 15022 Nuernberg, USt-Id: DE189301263, GF: Joerg Goltermann
Re: snapshots total freeze
Joerg Goltermann wrote: I can confirm the problem here. We run some 5.2 VMs on ESXi 5.1 and if the VM freezes the CPU runs on 100% but the system is completely frozen. No disk IO, no keyboard, but kernel networking seems to be ok. We had two VMs which crashed every 2 - 4 days after upgrading to 5.2. After a long time of investigation I had the assumption that a problem with the UVM / FFS softdep bufs causes the freeze. I saw a high, increasing number of busymap bufs in systat. After a simple sync the number drops down to 0 - 2 and increases again ... We're running a 5.2 VM on ESXi 5.0 and experiencing somewhat similar problems since upgrading from 5.1. No total freezes, the keyboard is still working, but a reboot is needed to get the machine back in a usable state. I noticed the problems when the network wasn't working anymore. After bringing the interfaces down/up and flushing the routes, it looked good again but i then noticed that the clock hung completely. ntpd -s wouldn't work and the clock didn't count any further either. It just stuck. No log or kernel messages, unfortunately. The problems happened two times since upgrading in mid November, about every 2 weeks. We have softdep enabled too, I'll check the systat output when I'm back at work and let you know if I see the same. Regards Andre
cron - approval failed
This is what cron said to me on a current/macppc, when incidentally, the machine was just (re)booting:

On Dec 28 12:00:01, root wrote:
approval failed for hans

Dec 28 12:00:04 www syslogd: exiting on signal 15
Dec 28 12:00:53 www syslogd: start
Dec 28 12:00:53 www /bsd: syncing disks... done
Dec 28 12:00:53 www /bsd: support
Dec 28 12:00:53 www /bsd: o
Dec 28 12:00:53 www /bsd: [ using 501892 bytes of bsd ELF symbol table ]
[...]

Could someone please elaborate on the cron behaviour when the cron minute is a reboot minute? In particular, what approval is needed in that case?

Jan
Re: cron - approval failed
On Fri, Dec 28, 2012 at 01:25:25PM +0100, h...@stare.cz wrote:

This is what cron said to me on a current/macppc, when incidentally, the machine was just (re)booting:

On Dec 28 12:00:01, root wrote:
approval failed for hans

Dec 28 12:00:04 www syslogd: exiting on signal 15
Dec 28 12:00:53 www syslogd: start
Dec 28 12:00:53 www /bsd: syncing disks... done
Dec 28 12:00:53 www /bsd: support
Dec 28 12:00:53 www /bsd: o
Dec 28 12:00:53 www /bsd: [ using 501892 bytes of bsd ELF symbol table ]
[...]

Could someone please elaborate on the cron behaviour when the cron minute is a reboot minute? In particular, what approval is needed in that case?

Jan

Likely /etc/nologin was already made by shutdown(8). This is a reason for auth_approval(3) to fail.

-Otto
Re: openbsd clusters
On 12/27/12 17:25, Jiri B wrote:
On Wed, Dec 26, 2012 at 03:26:43PM -0500, Nick Holland wrote:

Probably thinking of this thread: http://marc.info/?t=117689108200011&r=1&w=2 and my two contributions to it. A number of other people provided some good (and some bad) comments, too...read through 'em all. You get to decide which are useful and which are not, and what is right and what is wrong. Keep in mind that thread is almost six years old...500GB was a big disk back then. However, I'm still quite proud of that system. (and in case you were wondering, my employment ended with that employer about four months later. That also makes a great story, but quite off-topic. They did replace my system with a proprietary system that cost many times as much).

Only setup I can imagine which cannot fit into this setup of small partitions combined with filesystem structure and symlinks is this one 'unrestricted space offered directly to a user via ftp/sftp/ssh' As we cannot predict how fast and when he/she would fit the storage, moving later user's whole data to bigger one is slow and still not a solution. It seems to me that giving a user direct access to his data root dir while telling him about no space restriction is not possible.

I would say that's true, period. Fancy stuff only lets you push off the problem to a bigger number, but you always have some finite storage available, and if given no limits, no checks, no costs, you WILL fill it eventually...unless you have an inbound pipe that's slower than your procurement process for new storage (and I'm going to argue, that's cheating! :) If your task definition is give a user direct access to unlimited storage, well, yes...
I may not have the greatest solution in the world for you...but then, you crafted the question in a non-business savvy way to stump me (me: you don't need unlimited storage for most real world tasks you: My real world task is to give someone unlimited storage) -- you are ignoring all laws of economics, and your solution WILL have serious issues because of that (why do we have a problem with spam? Because it's painless and risk-free for the sender. Why are we seeing a resurgence in telephone-based scams? Because it's become painless and risk-free for the scammer. Why will your task blow up in your face in predictable ways? Because there's no cost to the consumer of your disk space. Econ 101). But still...this is not a statement of an actual problem to be solved (I need to be able to upload lots of huge video files for exchange with other people), but a proposed solution (unlimited direct access to file systems). So I'm not going to admit defeat. :) On the other hand, if the user would not require one big directory for his data, then filesystem layout could be hidden to the user and mentioned setup would fit - although instead of direct ftp/sftp the user would use some specialized client to get his files, the setup would use some UUID and keep track of UUID and his owner (or something similar). Any comments? Do exists some proxies which would mirror files immediately when a user is uploading them via some common protocol? And when the user deletes some of his files the proxy would delete the copy? (rsyncing later regularly could be quite problematic if you would have many users uploading for example a couple of GB files...). actually, rsyncing is fantastic for huge files...it can verify quickly and sync at hardware's capability for mismatches. Lots of small files, you start having file system overhead. 
If you look at some of the Big File Sharing Services, I think you will find this problem has been solved and considering the fact that many of them offer some service for free, or at least a fraction of the price per gigabyte that many high-end solutions give you, I think it is safe to say it is NOT being done with high-end SANs, but cheap commodity hw and disks (and low maintenance solutions, too).

Realistically, you will have upload limits. 2GB is an upload limit above which, http starts having issues and some file systems start having issues (note: USB devices are still often formatted with variations of FAT file systems, which have a 2GB limit). So..you let people upload to a temp area...if you accept 2GB as an upload limit, a 500GB upload area would cover a fair number of uploads. If you want 100GB upload limit, well...500GB will fill rapidly, but you can have a lot of these temp areas, and a 2TB file system isn't so crazy anymore.

Your user uploads to this area, the received file name is uniquely generated and tracked by a database. When uploads are complete, you give the user some kind of key to identify THEIR file (maybe just the original name, when combined with their user ID), and the database tracks it. After the upload is complete, the system identifies the size of the file, and looks around in its storage chunks for a place to put it, and slowly (to not tax the disk
Re: Goodbye to you my file descriptor - take 3
On Thu, Dec 27, 2012 at 02:04:24PM +0100, Maxime Villard wrote:

Well, as no one seems to give a fuck on tech@, I put a more glamourous title here. btw, i wonder why you don't put -Wextra to the makefile, you would see that there are a lot of unused parameters, comparisons between signed and unsigned, uninitialized vars, ...

Too many false positives to be useful. People are running various static analysis packages over the tree periodically to find such things. None are perfect so if you actually find any you think are bugs, diffs are always appreciated.

 Ken

Original Message
Subject: [PATCH] pfctl: leak stuff
Date: Sat, 22 Dec 2012 08:16:09 +0100
From: Maxime Villard rusty...@gmx.fr
To: t...@openbsd.org

Hi, here are my small changes for pfctl. 1) There are cases where we could leak a file descriptor by returning. 2) We don't need to check memory before freeing it, as free() already does that. 3) Just replaced a snprintf() by strlcpy(), it's faster. Ok/Comments ?

Index: pfctl.c === RCS file: /cvs/src/sbin/pfctl/pfctl.c,v retrieving revision 1.314 diff -u -r1.314 pfctl.c --- pfctl.c 19 Sep 2012 15:52:17 - 1.314 +++ pfctl.c 22 Dec 2012 07:08:28 - @@ -1377,8 +1377,7 @@ err(1, DIOCXROLLBACK); exit(1); } else {/* sub ruleset */ - if (path) - free(path); + free(path); return (-1); } @@ -1867,10 +1866,6 @@ unsigned int len = 0; size_t n; - f = fopen(file, w); - if (f == NULL) - err(1, open: %s, file); - memset(ps, 0, sizeof(ps)); for (;;) { ps.ps_len = len; @@ -1893,6 +1888,10 @@ return; /* no states */ len *= 2; } + + f = fopen(file, w); + if (f == NULL) + err(1, open: %s, file); n = ps.ps_len / sizeof(struct pfsync_state); if (fwrite(inbuf, sizeof(struct pfsync_state), n, f) n) Index: pfctl_osfp.c === RCS file: /cvs/src/sbin/pfctl/pfctl_osfp.c,v retrieving revision 1.18 diff -u -r1.18 pfctl_osfp.c --- pfctl_osfp.c 18 Oct 2010 15:55:28 - 1.18 +++ pfctl_osfp.c 22 Dec 2012 07:08:28 - 
@@ -112,16 +112,11 @@ while ((line = fgetln(in, len)) != NULL) { lineno++; - if (class) - free(class); - if (version) - free(version); - if (subtype) - free(subtype); - if (desc) - free(desc); - if (tcpopts) - free(tcpopts); + free(class); + free(version); + free(subtype); + free(desc); + free(tcpopts); class = version = subtype = desc = tcpopts = NULL; memset(fp, 0, sizeof(fp)); @@ -250,16 +245,11 @@ add_fingerprint(dev, opts, fp); } - if (class) - free(class); - if (version) - free(version); - if (subtype) - free(subtype); - if (desc) - free(desc); - if (tcpopts) - free(tcpopts); + free(class); + free(version); + free(subtype); + free(desc); + free(tcpopts); fclose(in); @@ -513,7 +503,7 @@ return (buf); found: - snprintf(buf, len, %s, class_name); + strlcpy(buf, class_name, len); if (version_name) { strlcat(buf, , len); strlcat(buf, version_name, len); Index: pfctl_radix.c === RCS file: /cvs/src/sbin/pfctl/pfctl_radix.c,v retrieving revision 1.29 diff -u -r1.29 pfctl_radix.c --- pfctl_radix.c 27 Jul 2011 00:26:10 - 1.29 +++ pfctl_radix.c 22 Dec 2012 07:08:28 - @@ -499,8 +499,7 @@ { if (b == NULL) return; - if (b-pfrb_caddr != NULL) - free(b-pfrb_caddr); + free(b-pfrb_caddr); b-pfrb_caddr = NULL; b-pfrb_size = b-pfrb_msize = 0; }
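Review bot: In the pfctl.c hunks at -1867 and -1893, moving `f = fopen(file, w)` below the loop changes more than the leak on the `return; /* no states */` path. Before, the output file was created or truncated even when there were no states; now an existing file is left untouched on that path, so a state file from an earlier run survives. If that is intended, say so in the commit message; otherwise keep the early fopen and add an fclose(f) before the return. The fopen failure is also reported only after the state fetch loop has run, which deserves a mention.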
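Review bot: In the pfctl_osfp.c hunk at -513, the return value of `strlcpy(buf, class_name, len)` is ignored, as the snprintf result was, so a class name that does not fit in `len` is silently truncated and the strlcat calls that follow have no room left. Since the line is being touched anyway, check the result against `len` here (and on the strlcat calls), or state why truncation is acceptable for this buffer. Consistency with the strlcat calls below is a better justification for the change than speed.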
sort -un gives just the last line
I have a list of IP addresses. Sorting them with sort -n works as expected. Sorting them with sort -u works as expected.

$ sort -u /tmp/list
173.194.64.26
173.194.64.27
173.194.65.26
173.194.65.27
173.194.66.26
173.194.66.27
173.194.67.26
173.194.67.27
173.194.69.26
173.194.70.26
173.194.70.27
173.194.71.26
173.194.71.27
173.194.78.26
173.194.78.27

But:

$ sort -u -n /tmp/list
173.194.70.27

This is just the last one in the file. Am I missing something obvious?

Jan
Re: sort -un gives just the last line
On Fri, Dec 28, 2012 at 03:40:50PM +0100, Jan Stary wrote:

I have a list of IP addresses. Sorting them with sort -n works as expected. Sorting them with sort -u works as expected.

$ sort -u /tmp/list
173.194.64.26
173.194.64.27
173.194.65.26
173.194.65.27
173.194.66.26
173.194.66.27
173.194.67.26
173.194.67.27
173.194.69.26
173.194.70.26
173.194.70.27
173.194.71.26
173.194.71.27
173.194.78.26
173.194.78.27

But:

$ sort -u -n /tmp/list
173.194.70.27

This is just the last one in the file. Am I missing something obvious?

Jan

Yes, all lines have the value 173.194. -u picks one of them to print.

-Otto
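The behaviour explained in the answer above, next to a sort invocation that gives a unique, numerically ordered address list, as an added example that is not from the thread: with `-n` the whole line is read as one number, so lines that share the first two octets compare equal and `-u` keeps one of them; with `.` as field separator and one numeric key per octet, two lines are equal only when all four octets match. The function names and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample input constructed for illustration; it includes a
# duplicate line and octets of different widths (9 vs 64 vs 200).
sample_ips() {
    cat <<'EOF'
173.194.70.27
173.194.64.26
173.194.9.26
173.194.64.26
10.0.0.200
10.0.0.9
EOF
}

# The command from the question: each line is parsed as ONE number, and
# parsing stops at the second dot, so "173.194.64.26" is just 173.194.
# -u then keeps a single line per distinct numeric value.
naive_unique() {
    LC_ALL=C sort -u -n
}

# Four numeric keys, one per octet. -u compares on the keys, and the keys
# cover the whole address, so only true duplicates are dropped.
ip_unique() {
    LC_ALL=C sort -u -t. -k1,1n -k2,2n -k3,3n -k4,4n
}

echo "sort -u -n keeps one line per leading 'a.b' value:"
sample_ips | naive_unique
echo "per-octet numeric keys:"
sample_ips | ip_unique
```

Which of the equal lines `sort -u -n` prints is implementation-dependent; only the count is predictable.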
Re: OT: mailing list unix programming
On Wed, Dec 26, 2012 at 05:17:29PM -0200, Friedrich Locke wrote:

It is a newsgroup, not a mailing list. What news client do you suggest in order to access it?

slrn. There is also patch for mutt to access newsgroups

On Wed, Dec 26, 2012 at 5:09 PM, Jérémie Courrèges-Anglas jca+o...@wxcvbn.org wrote:

Friedrich Locke friedrich.lo...@gmail.com writes:

Does anybody know any mailing list devoted to unix/posix programming ? Thanks in advance.

My first thought is comp.unix.programmer

--
Jérémie Courrèges-Anglas
GPG Key fingerprint: 61DB D9A0 00A4 67CF 2A90 8961 6191 8FBF 06A1 1494
Re: snapshots total freeze
Hi, On Fri, Dec 28, 2012 at 12:01:37PM +0100, Joerg Goltermann wrote: ... We hit this problem on a physical server after upgrading to 5.2 too. ... Since 9 days, I run sync every 5 minutes and both systems did *not* freeze again. Thanks for the hint. I will cronjob this. - Eps
Re: snapshots total freeze (linux emulation)
hmm, on Tue, Dec 25, 2012 at 06:05:10PM +0100, frantisek holop said that

since a couple of snapshots back i can quite reliably freeze my openbsd notebook simply by leaving it on overnight. the desktop is there, all the open windows are there, but it has become a painting... nothing in the logs, no panic, nothing.

so let me correct that: no visible panic.. i stayed up overnight as well for a change, and it froze/panicked right in the front of my eyes. i started a 'boot crash', but i am not sure if it was finished correctly, it was sitting there forever with the disk led on, so in the end i just power cycled it. savecore came on and i have in the logs:

Dec 28 00:25:25 amaaq savecore: reboot after panic: kernel diagnostic assertion wp->wp_new_futex == f failed: file ../../../../compat/linux/linux_futex.c, line 568
Dec 28 00:25:25 amaaq savecore: /var/crash/bounds: No such file or directory
Dec 28 00:25:25 amaaq savecore: writing core to /var/crash/bsd.0.core
Dec 28 00:26:10 amaaq savecore: writing kernel to /var/crash/bsd.0

as the only program i run in linux emulation is opera... thanks for all the tips how to catch this.

-f
--
i'm not nearly as think as you confused i am.
rsu problem
HP nx9020, 5.2, i386. Put d-link dwa-131 usb wifi dongle and it shows up as rsu0. The content of hostname.rsu0 does not matter, since I never got to wireless router. I.e.

inet 192.168.1.1 255.255.255.0 NONE nwid ssid wpakey password

The message after ifconfig is like this:

rsu0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr mac_address
        priority: 4
        groups: wlan egress
        media: IEEE802.11 autoselect
        status: no network
        ieee80211: nwid ssid wpakey password wpaprotos wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip
        inet 192.168.1.102 netmask 0xff00 broadcast 192.168.1.255
        inet6 fe80::1e7e:e5ff:fe1f:a1f3%rsu0 prefixlen 64 scopeid 0x4

Firmware installed from openbsd site. Whatever I do, remove pf, or else, I cannot connect to the router. Manual ifconfig was the same, no network.

After some hdd problems, I reinstalled and now I get another problem: boot hangs at:

preserving editor files

After a minute or so, it finishes the boot with this line:

starting network daemons; sendmail inetd sndiod.

There is a chance that it is fine, but next things in a raw waits. I remove usb dongle and it boots further. I am able to scan, so dongle works. If dmesg needed, I'd provide it, but nothing useful sits there.

Best regards

Zoran
Re: PF block log all and ddos issue
But i still wonder why my firewall freezes when logging all blocked udp 53 requests. The attack is not too heavy. I had seen much worse before.

- Check interrupt usage
- Check states to make sure the reason it seems unresponsive isn't due to the state table being full

Without more information from the machine, we don't have a lot of advice we can really give.

--
James Shupe

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
Re: PF block log all and ddos issue
Hi again,

Here is the info that i can supply. If need more please tell me how to do?

PF Options

set timeout { interval 10, frag 30 }
set timeout { tcp.first 300, tcp.opening 60, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 60, tcp.closed 90 }
set timeout { udp.first 120, udp.single 150, udp.multiple 120 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 50, frags 10 }
set loginterface none
set skip on { lo0 enc0 }
set optimization normal
set block-policy drop
set fingerprints /etc/pf.os

PF states :

root# pfctl -ss |wc -l
4765

root# date;vmstat -i
Fri Dec 28 22:57:00 EET 2012
interrupt          total     rate
irq0/clock      91039955      799
irq0/ipi        17900164      157
irq82/bnx0      58237357      511
irq98/bnx1     215829335     1896
irq82/bnx2         59316        0
irq97/bnx4       6800293       59
irq80/mfi0        537214        4
irq82/bnx5     125670397     1104
irq84/ehci0        74177        0
Total          516148208     4534

root# date;vmstat -i
Fri Dec 28 22:57:05 EET 2012
interrupt          total     rate
irq0/clock      91043954      799
irq0/ipi        17900210      157
irq82/bnx0      58237576      511
irq98/bnx1     215854554     1896
irq82/bnx2         59317        0
irq97/bnx4       6800360       59
irq80/mfi0        537232        4
irq82/bnx5     125684762     1104
irq84/ehci0        74177        0
Total          516192142     4535

My egress interface is at bnx1 and my attacked interface is bnx5. I read somewhere that intel network cards' (em0 etc.) performance were better. I can try to get a new nic to see difference. I have taken these outputs when i am not logging udp 53 requests which are just attack.

Thanks.

From: James Shupe jsh...@hermetek.com
To: misc@openbsd.org
Sent: Friday, December 28, 2012 8:11 PM
Subject: Re: PF block log all and ddos issue

But i still wonder why my firewall freezes when logging all blocked udp 53 requests. The attack is not too heavy. I had seen much worse before.

- Check interrupt usage
- Check states to make sure the reason it seems unresponsive isn't due to the state table being full

Without more information from the machine, we don't have a lot of advice we can really give.

--
James Shupe

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
Re: snapshots total freeze (linux emulation)
On Fri, Dec 28, 2012 at 8:57 AM, frantisek holop min...@obiit.org wrote:

... i started a 'boot crash', but i am not sure if it was finished correctly, it was sitting there forever with the disk led on, so in the end i just power cycled it.

It depends on how much memory you have and how fast your disk is. With 4GB of mem on my laptop, it feels like it takes 5 minutes, though I haven't actually timed it. If I'm *trying* to get a crash dump (as part of debugging something particularly complicated, say), then I'll usually tell boot to lie and only use 128MB, via machine memory =128M, before boot bsd.test. (Note: if you do that, you must *also* do that when booting after the crash dump, so that savecore can find the dump in the swap partition.)

savecore came on and i have in the logs:

Dec 28 00:25:25 amaaq savecore: reboot after panic: kernel diagnostic assertion wp->wp_new_futex == f failed: file ../../../../compat/linux/linux_futex.c, line 568

Excellent. The next question is whether that's the only bug that you're hitting, or if there's something else going on that should also be debugged. As for that particular failed assertion, it would be interesting to know what the actual values of wp->wp_new_futex was (if it was NULL, then I have a guess as to the bug; if it wasn't NULL, then uh, good luck!)

Philip Guenther
Re: PF block log all and ddos issue
Sorry my last post is broken: You can see my outputs at : http://pastebin.com/FtbfHXf8 Thanks. From: Theron ZORBAS theronzor...@yahoo.com To: James Shupe jsh...@hermetek.com; misc@openbsd.org misc@openbsd.org Sent: Friday, December 28, 2012 11:00 PM Subject: Re: PF block log all and ddos issue Hi again, Here is the info that i can supply. If need more please tell me how to do? PF Options set timeout { interval 10, frag 30 } set timeout { tcp.first 300, tcp.opening 60, tcp.established 86400 } set timeout { tcp.closing 900, tcp.finwait 60, tcp.closed 90 } set timeout { udp.first 120, udp.single 150, udp.multiple 120 } set timeout { icmp.first 20, icmp.error 10 } set timeout { other.first 60, other.single 30, other.multiple 60 } set timeout { adaptive.start 0, adaptive.end 0 } set limit { states 50, frags 10 } set loginterface none set skip on { lo0 enc0 } set optimization normal set block-policy drop set fingerprints /etc/pf.os PF states : root# pfctl -ss |wc -l 4765 root# date;vmstat -i Fri Dec 28 22:57:00 EET 2012 interrupt total rate irq0/clock 91039955 799 irq0/ipi 17900164 157 irq82/bnx0 58237357 511 irq98/bnx1 215829335 1896 irq82/bnx2 59316 0 irq97/bnx4 6800293 59 irq80/mfi0 537214 4 irq82/bnx5 125670397 1104 irq84/ehci0 74177 0 Total 516148208 4534 root# date;vmstat -i Fri Dec 28 22:57:05 EET 2012 interrupt total rate irq0/clock 91043954 799 irq0/ipi 17900210 157 irq82/bnx0 58237576 511 irq98/bnx1 215854554 1896 irq82/bnx2 59317 0 irq97/bnx4 6800360 59 irq80/mfi0 537232 4 irq82/bnx5 125684762 1104 irq84/ehci0 74177 0 Total 516192142 4535 My egress interface is at bnx1 and my attacked interface is bnx5. I read somewhere that intel network cards' (em0 etc.) performance were better. I can try to get a new nic to see difference. I have taken these outputs when i am not logging udp 53 requests which are just attack. Thanks. 
From: James Shupe jsh...@hermetek.com To: misc@openbsd.org Sent: Friday, December 28, 2012 8:11 PM Subject: Re: PF block log all and ddos issue But i still wonder why my firewall freezes when logging all blocked udp 53 requests. The attack is not too heavy. I had seen much worse before. - Check interrupt usage - Check states to make sure the reason it seems unresponsive isn't due to the state table being full Without more information from the machine, we don't have a lot of advice we can really give. -- James Shupe [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
delay after preserving editor files [Was: rsu problem]
Not your main concern but:

On Fri, Dec 28, 2012 at 8:56 AM, Zoran Kolic zko...@sbb.rs wrote:

After some hdd problems, I reinstalled and now I get another problem: boot hangs at: preserving editor files After a minute or so, it finishes the boot with this line:

That just means the system went down while someone had a file open in vi, so you have vi save files in /var/tmp/vi.recover/ and the system at that moment in the start up is generating email messages to the owners of the files saying run vi -r.

Solution: read your email! Run vi -r as each user that has files under /var/tmp/vi.recover/ to see what files were half-edited and then use vi -r filename on each, either saving the contents or throwing them away with :q!

Philip Guenther
Re: Kernel Debugging
On Wed, Dec 26, 2012 at 5:32 PM, Luis Useche use...@gmail.com wrote: I just tried today and I couldn't build it either. But the following simple patch fixed it for me: ... However this might be wrong. Most likely there is a good reason why that ifdef is there. Well, does the resulting kernel run? Can it be debugged with a remote gdb? Can the in-kernel ddb still be used? Philip Guenther
Re: Goodbye to you my file descriptor - take 3
You can enable a bunch of warnings with WARNINGS=Yes in our tree. On Dec 28, 2012 3:34 PM, Kenneth R Westerback kwesterb...@rogers.com wrote: On Thu, Dec 27, 2012 at 02:04:24PM +0100, Maxime Villard wrote: Well, as no one seems to give a fuck on tech@, I put a more glamourous title here. btw, i wonder why you don't put -Wextra to the makefile, you would see that there are a lot of unused parameters, comparisons between signed and unsigned, uninitialized vars, ... Too many false positives to be useful. People are running various static analysis packages over the tree periodically to find such things. None are perfect so if you actually find any you think are bugs, diffs are always appreciated. Ken Message original Sujet: [PATCH] pfctl: leak stuff Date : Sat, 22 Dec 2012 08:16:09 +0100 De : Maxime Villard rusty...@gmx.fr Pour : t...@openbsd.org Hi, here are my small changes for pfctl. 1) There are cases where we could leak a file descriptor by returning. 2) We don't need to check memory before freeing it, as free() already does that. 3) Just replaced a snprintf() by strlcpy(), it's faster. Ok/Comments ? Index: pfctl.c === RCS file: /cvs/src/sbin/pfctl/pfctl.c,v retrieving revision 1.314 diff -u -r1.314 pfctl.c --- pfctl.c 19 Sep 2012 15:52:17 - 1.314 +++ pfctl.c 22 Dec 2012 07:08:28 - @@ -1377,8 +1377,7 @@ err(1, DIOCXROLLBACK); exit(1); } else {/* sub ruleset */ - if (path) - free(path); + free(path); return (-1); } @@ -1867,10 +1866,6 @@ unsigned int len = 0; size_t n; - f = fopen(file, w); - if (f == NULL) - err(1, open: %s, file); - memset(ps, 0, sizeof(ps)); for (;;) { ps.ps_len = len; 
@@ -1893,6 +1888,10 @@ return; /* no states */ len *= 2; } + + f = fopen(file, w); + if (f == NULL) + err(1, open: %s, file); n = ps.ps_len / sizeof(struct pfsync_state); if (fwrite(inbuf, sizeof(struct pfsync_state), n, f) n) Index: pfctl_osfp.c === RCS file: /cvs/src/sbin/pfctl/pfctl_osfp.c,v retrieving revision 1.18 diff -u -r1.18 pfctl_osfp.c --- pfctl_osfp.c 18 Oct 2010 15:55:28 - 1.18 +++ pfctl_osfp.c 22 Dec 2012 07:08:28 - @@ -112,16 +112,11 @@ while ((line = fgetln(in, len)) != NULL) { lineno++; - if (class) - free(class); - if (version) - free(version); - if (subtype) - free(subtype); - if (desc) - free(desc); - if (tcpopts) - free(tcpopts); + free(class); + free(version); + free(subtype); + free(desc); + free(tcpopts); class = version = subtype = desc = tcpopts = NULL; memset(fp, 0, sizeof(fp)); @@ -250,16 +245,11 @@ add_fingerprint(dev, opts, fp); } - if (class) - free(class); - if (version) - free(version); - if (subtype) - free(subtype); - if (desc) - free(desc); - if (tcpopts) - free(tcpopts); + free(class); + free(version); + free(subtype); + free(desc); + free(tcpopts); fclose(in); @@ -513,7 +503,7 @@ return (buf); found: - snprintf(buf, len, %s, class_name); + strlcpy(buf, class_name, len); if (version_name) { strlcat(buf, , len); strlcat(buf, version_name, len); Index: pfctl_radix.c === RCS file: /cvs/src/sbin/pfctl/pfctl_radix.c,v retrieving revision 1.29 diff -u -r1.29 pfctl_radix.c --- pfctl_radix.c 27 Jul 2011 00:26:10 - 1.29 +++ pfctl_radix.c 22 Dec 2012 07:08:28 - @@ -499,8 +499,7 @@ { if (b == NULL) return; - if (b-pfrb_caddr != NULL) - free(b-pfrb_caddr); + free(b-pfrb_caddr); b-pfrb_caddr = NULL; b-pfrb_size = b-pfrb_msize = 0; }
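Review bot: in the pfctl.c hunks at -1867 and -1893, moving fopen() below the loop means the "return; /* no states */" path now exits before the output file is ever created, where the old order left an empty file behind. If an empty state file is the expected result when there are no states, keep the fopen() where it was and add fclose(f) before that return instead. The err(1, ...) call after fopen() exits the process, so that path needs no cleanup either way.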
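Review bot: in the pfctl_osfp.c hunk at -513, strlcpy(buf, class_name, len) truncates silently just as the snprintf() did, and neither its return value nor those of the strlcat() calls that follow are checked. If a truncated fingerprint name matters to callers, compare the result against len. The change is fine as a simplification, but the description should justify it on clarity rather than speed unless there is a measurement behind "it's faster".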
Re: List of all software present on OpenBSD 5.2
On 2012-12-27, Live user nots...@live.com wrote: On 27/12/2012 14:06, Stuart Henderson wrote: This isn't like a Linux distribution where the whole system is installed from a collection of different pieces of packaged software. The base operating system is a consistent whole; pkg_info lists only packages of third-party software which are not part of the base OS (software from packages is located primarily under /usr/local, with some files ending up in other places like /var - software from the base OS installs into /bin, /sbin, /usr/bin, /usr/sbin etc). I understand, that in this case, tar is really bsdtar (not gnutar, or star) and that is part of the core while linux distros don't have a core tar and use the external gnu version. I see as well that binary packages use versioning, because are external, like nano or lftp. Calling it bsdtar is confusing; FreeBSD's tar, which is in the libarchive package, has that name (and is different to OpenBSD's tar).. but otherwise right.
Re: greyscanner - sender with no MX or A
On 27 December 2012 23:59, Marc Espie es...@nerim.net wrote: I would be careful with that guy's work... you may suddenly find yourself in the bathroom with a backed up toilet gargling shitz out. I wouldn't use language quite that strong, not knowing anything about Bob, but it looks like he didn't read 'perldoc -f system' (badrcpt will trap hosts if system() fails to spawn the external address checker) and also he should really use a proper SMTP address parser rather than a regexp hack. John
A point about the BSD license I'm feeling edgy about
The BSD license says that

 * Copyright (c)
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the
 * above copyright notice and this permission notice appear in all
 * copies

That says, under my interpretation,

1) That distributing only object files complies with the license,
2) That any derived code must retain the exact notice, and for that reason,
3) The copyright holder of the object files is the original author even if the compiler is a third party person
Re: A point about the BSD license I'm feeling edgy about
On Fri, Dec 28, 2012 at 8:50 PM, Live user nots...@live.com wrote: 3) The copyright holder of the object files is the original author even if the compiler is a third party person Nope, that depends on the compiler/transformation. Consider GNU autoconf. the output isn't derivative work of the source files, regardless of how big their BSD headers are. That's the biggest problem with autoconf, imo; not the idiosyncrasies of the language.
Re: A point about the BSD license I'm feeling edgy about
On 29/12/2012 2:28, Andres Perera wrote: Consider GNU autoconf. the output isn't derivative work of the source files, regardless of how big their BSD headers are. That's the biggest problem with autoconf, imo; not the idiosyncrasies of the language. Since when documentation is a derivative work of something that is not documentation? Obviously, I consider a derivative work, to something that if you do reverse engineering or decompile ont, you can get more or less to the original code, which is not the case.
Re: A point about the BSD license I'm feeling edgy about
On Fri, Dec 28, 2012 at 9:03 PM, Live user nots...@live.com wrote: On 29/12/2012 2:28, Andres Perera wrote: Consider GNU autoconf. the output isn't derivative work of the source files, regardless of how big their BSD headers are. That's the biggest problem with autoconf, imo; not the idiosyncrasies of the language. Since when documentation is a derivative work of something that is not documentation? Obviously, I consider a derivative work, to something that if you do reverse engineering or decompile ont, you can get more or less to the original code, which is not the case. I'm not sure how documentation ties in. Other than that, I don't see an active movement challenging autoconf maintainers on the FSF copyright that invariably appears in the output. What is the copyright referring to? Is it outlandish to interpret it as a claim on the file? I sure as hell did.
Re: Goodbye to you my file descriptor - take 3
On Thu, Dec 27, 2012 at 5:04 AM, Maxime Villard rusty...@gmx.fr wrote: Well, as no one seems to give a fuck on tech@, I put a more glamourous title here. The fd/FILE part of your diff changes the behavior of pfctl to be incorrect when there are no states. Philip Guenther
Realtek r8712u Wireless Dongle .. OpenBSD 5.2 i386 ..
Has anyone got one of these working? It is actually identified as 'rsu0' during boot, but I'm unsure of what to put in: /etc/hostname.rsu0 for either dhcp (preferably) or fixed address. So if somebody's got it working and can give me a specific example, that would be appreciated .. Graham Jenkins
Re: A point about the BSD license I'm feeling edgy about
On 12/28/2012 7:20 PM, Live user wrote:

The BSD license says that

 * Copyright (c)
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the
 * above copyright notice and this permission notice appear in all
 * copies

Where did you find that? http://www.openbsd.org/policy.html cites the Berkeley copyright notice as saying (in part)

 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.

Which seems to address your concern quite precisely. Existing code with that notice must retain that notice, even in derivative works. Binary distributions should include the notice, but not necessarily exclusively.

The version of the BSD license cited at opensource.org (http://opensource.org/licenses/BSD-2-Clause) also makes it clear:

% Redistribution and use in source and binary forms, with or without
% modification, are permitted provided that the following conditions are met:
%   Redistributions of source code must retain the above copyright notice,
%   this list of conditions and the following disclaimer.
%   Redistributions in binary form must reproduce the above copyright
%   notice, this list of conditions and the following disclaimer in the
%   documentation and/or other materials provided with the distribution.

And this is exactly what everyone is doing, and no one has found a way to sue over it yet... which at least suggests your concern is misguided.

--
Matthew Weigel hacker unique idempot . ent
Re: delay after preserving editor files [Was: rsu problem]
preserving editor files After a minute or so, it finishes the boot with this line: That just means the system went down while someone had a file open in vi, so you have vi save files in /var/tmp/vi.recover/ and the system at that moment in the start up is generating email messages to the owners of the files saying run vi -r. I found it a minute after I made a post. Sorry to bother for that. The main problem still exists. I was pretty short and did not include all details for rsu issue. It is brand new dongle, realtek rtl8191su and I installed Bergamini's firmware. If I do: ifconfig rsu0 scan I see all non hidden routers around my flat. Not mine, since I hid ssid. I set router to work on g only. I am positive dongle is not broken and that I probably do not understand the topic as I should. As the next move, I'd install wpa_supplicant and see if I could go further. What is beyond my knowledge is why I cannot get a handshake properly? Wpa2-aes is not new and I assume everybody on this list uses it regularly. Even further, doing route show gives blank result. Since I get scan output, it should not be firewall issue. Any idea to go on? Best regards Zoran
Re: Goodbye to you my file descriptor - take 3
On 29/12/2012 02:46, Philip Guenther wrote: On Thu, Dec 27, 2012 at 5:04 AM, Maxime Villard rusty...@gmx.fr wrote: Well, as no one seems to give a fuck on tech@, I put a more glamourous title here. The fd/FILE part of your diff changes the behavior of pfctl to be incorrect when there are no states. Philip Guenther Hum, Before: - we open the file, go in the loop to do ioctl stuff, and if it fails BAM we lose the fd when returning at l.1893 or l.1889. If it worked, we write data to the file and close it. Now: - we go in the loop, we do ioctl stuff, and then if nothing failed we open the file and write data to it, and close it. If something failed in the loop, we return without leaking f. The fd is not used in the loop, I just moved it down. So I don't see what behaviour it changes.
Re: Goodbye to you my file descriptor - take 3
On Fri, Dec 28, 2012 at 10:16 PM, Maxime Villard rusty...@gmx.fr wrote: On 29/12/2012 02:46, Philip Guenther wrote: On Thu, Dec 27, 2012 at 5:04 AM, Maxime Villard rusty...@gmx.fr wrote: Well, as no one seems to give a fuck on tech@, I put a more glamourous title here. The fd/FILE part of your diff changes the behavior of pfctl to be incorrect when there are no states. Hum, Before: - we open the file, go in the loop to do ioctl stuff, and if it fails BAM we lose the fd when returning at l.1893 or l.1889. If it worked, we write data to the file and close it. And if there are no states at all, such that the first call to ioctl(DIOCGETSTATES) returns with ps_len=0, then pfctl_state_store() returns without closing the file but *AFTER* it created the file. The file is, of course, closed when the process later exits, leaving it a zero byte file. Now: - we go in the loop, we do ioctl stuff, and then if nothing failed we open the file and write data to it, and close it. If something failed in the loop, we return without leaking f. AND WITHOUT CREATING THE FILE. The fd is not used in the loop, I just moved it down. So I don't see what behaviour it changes. Uh huh. You didn't try it either. Philip Guenther
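The behaviour difference argued over in this thread, as an added example (it is not pfctl's code and not from any poster): one variant opens the file first and closes it on every path, the other opens it only after the state query, and the result is compared for zero states. The names fake_get_states, write_states, store_open_first, store_open_late, run_variant and the scratch path are constructed; fake_get_states stands in for ioctl(DIOCGETSTATES).

```c
#include <stdio.h>
#include <stdlib.h>
/* Constructed stand-in for ioctl(DIOCGETSTATES); nstates < 0 simulates failure. */
static int fake_get_states(int nstates, size_t *len) {
    if (nstates >= 0) *len = (size_t)nstates * 16;   /* 16 = made-up record size */
    return nstates >= 0 ? 0 : -1;
}
/* Writes len zero bytes as placeholder state records. */
static int write_states(FILE *f, size_t len) {
    char *buf = calloc(1, len);
    int rc = (buf != NULL && fwrite(buf, 1, len, f) == len) ? 0 : -1;
    free(buf);                       /* free(NULL) is a no-op */
    return rc;
}

/* Original order with the leak closed: fopen() first, fclose() on every path. */
static int store_open_first(const char *path, int nstates) {
    size_t len = 0;
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    int rc = fake_get_states(nstates, &len);
    if (rc == 0 && len > 0) rc = write_states(f, len);
    return fclose(f) == 0 ? rc : -1;
}

/* Order from the diff: fopen() after the query, so early returns create no file. */
static int store_open_late(const char *path, int nstates) {
    size_t len = 0;
    if (fake_get_states(nstates, &len) == -1) return -1;
    if (len == 0) return 0;          /* no states: the file is never created */
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    int rc = write_states(f, len);
    return fclose(f) == 0 ? rc : -1;
}

/* Size of the file one variant leaves behind, or -1 if none was created. */
static long run_variant(int open_late, int nstates) {
    const char *path = "pfstate_demo.tmp";   /* constructed scratch path */
    long size = -1;
    remove(path);
    (open_late ? store_open_late : store_open_first)(path, nstates);
    FILE *f = fopen(path, "rb");
    if (f != NULL) { fseek(f, 0, SEEK_END); size = ftell(f); fclose(f); }
    remove(path);
    return size;
}

int main(void) {
    printf("0 states: first=%ld late=%ld\n", run_variant(0, 0), run_variant(1, 0));
}
```

Both variants release the descriptor on every path; they differ only in whether a zero-byte file exists afterwards when there is nothing to store.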