Re: Route bad address
Something like:

# cat hostname.pppoe0
pppoedev vr0 authproto chap authname 'u...@on.net' authkey 'pass' up
inet 0.0.0.0 255.255.255.255
dest 0.0.0.1
!/sbin/route -v add -inet default -ifp pppoe0 0.0.0.1

See: man -s 4 pppoe
http://www.openbsd.org/cgi-bin/man.cgi?query=pppoe&sektion=4
Re: BCM5719C/BCM5720 partially working
On 2013-05-24 23:37, Mike Belopuhov wrote:

...

I also noticed if_bge.c line 2293: BGE_SETBIT(sc, BGE_MI_MODE, BGE_MIMODE_AUTOPOLL|10<<16); Does anyone have a clue why the (10<<16) is there? It changes the MI clock. But why? And why OR 0xA with the default 0xC, instead of 0x2? FreeBSD and Linux use the default of 0xC for the MI Clock.

I think it's a remnant of the original code and it should be BGE_MIMODE_BASE (as in the other frequency).

But since BGE_MIMODE_BASE is the default value after reset and OR'ing the value wouldn't be correct, I suggest to just remove the '|(10<<16)'.

I'm not OR'ing it in, I'm overwriting the value.

Sorry, I meant in the old code.

...

This also changes the Use Short Preamble flag and PHY Address which are not 0 by default.

I've followed FreeBSD here. If you inspect the Linux driver you'll find the same:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/drivers/net/ethernet/broadcom/tg3.c#n16149
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/drivers/net/ethernet/broadcom/tg3.c#n1479
I guess we need to think about it a bit more. Tests will help though.

Ok, I tested this with a Broadcom BCM5721. Auto-polling doesn't work anymore when the PHY Address is set to 0. So I added setting of the correct phy address in the patch below. Clearing Use Short Preamble doesn't seem to matter, and is also the default for older chips. Apart from that I think the patch is ok.

Kind regards,
David

Index: sys/dev/pci/if_bge.c === RCS file: /cvs/src/sys/dev/pci/if_bge.c,v retrieving revision 1.328 diff -u -p -r1.328 if_bge.c --- sys/dev/pci/if_bge.c22 May 2013 16:02:31 - 1.328 +++ sys/dev/pci/if_bge.c27 May 2013 13:01:24 - 
@@ -1057,6 +1057,18 @@ bge_miibus_statchg(struct device *dev) mii-mii_media_active = ~IFM_ETH_FMASK; } + if (!BGE_STS_BIT(sc, BGE_STS_LINK) + mii-mii_media_status IFM_ACTIVE + IFM_SUBTYPE(mii-mii_media_active) != IFM_NONE) + BGE_STS_SETBIT(sc, BGE_STS_LINK); + else if (BGE_STS_BIT(sc, BGE_STS_LINK) + (!(mii-mii_media_status IFM_ACTIVE) || + IFM_SUBTYPE(mii-mii_media_active) == IFM_NONE)) + BGE_STS_CLRBIT(sc, BGE_STS_LINK); + + if (!BGE_STS_BIT(sc, BGE_STS_LINK)) + return; + /* Set the port mode (MII/GMII) to match the link speed. */ mac_mode = CSR_READ_4(sc, BGE_MAC_MODE) ~(BGE_MACMODE_PORTMODE | BGE_MACMODE_HALF_DUPLEX); @@ -1775,7 +1787,7 @@ bge_blockinit(struct bge_softc *sc) volatile struct bge_rcb *rcb; vaddr_t rcb_addr; bge_hostaddrtaddr; - u_int32_t dmactl, val; + u_int32_t dmactl, mimode, val; int i, limit; /* @@ -2371,9 +2383,19 @@ bge_blockinit(struct bge_softc *sc) if (sc-bge_flags BGE_PHY_FIBER_TBI) { CSR_WRITE_4(sc, BGE_MI_STS, BGE_MISTS_LINK); } else { - BGE_STS_SETBIT(sc, BGE_STS_AUTOPOLL); - BGE_SETBIT(sc, BGE_MI_MODE, BGE_MIMODE_AUTOPOLL|1016); - if (BGE_ASICREV(sc-bge_chipid) == BGE_ASICREV_BCM5700) + if ((sc-bge_flags BGE_CPMU_PRESENT) != 0) + mimode = BGE_MIMODE_500KHZ_CONST; + else + mimode = BGE_MIMODE_BASE; + mimode |= ((sc-bge_phy_addr 0x1f) 5); + if (BGE_IS_5700_FAMILY(sc) || + BGE_ASICREV(sc-bge_chipid) == BGE_ASICREV_BCM5705) { + mimode |= BGE_MIMODE_AUTOPOLL; + BGE_STS_SETBIT(sc, BGE_STS_AUTOPOLL); + } + CSR_WRITE_4(sc, BGE_MI_MODE, mimode); + if (BGE_ASICREV(sc-bge_chipid) == BGE_ASICREV_BCM5700 + sc-bge_chipid != BGE_CHIPID_BCM5700_B2) CSR_WRITE_4(sc, BGE_MAC_EVT_ENB, BGE_EVTENB_MI_INTERRUPT); } 
@@ -2721,9 +2743,6 @@ bge_attach(struct device *parent, struct BGE_ASICREV(sc-bge_chipid) == BGE_ASICREV_BCM57780) sc-bge_flags |= BGE_CPMU_PRESENT; - if ((sc-bge_flags BGE_CPMU_PRESENT) != 0) - BGE_SETBIT(sc, BGE_MI_MODE, BGE_MIMODE_500KHZ_CONST); - /* Try to reset the chip. */ DPRINTFN(5, (bge_reset\n)); bge_sig_pre_reset(sc, BGE_RESET_START); @@ -4491,11 +4510,6 @@ bge_link_upd(struct bge_softc *sc) if_link_state_change(ifp); ifp-if_baudrate = 0; } - /* - * Discard link events for MII/GMII cards if MI auto-polling disabled. -* This should not happen since mii callouts are locked now, but -* we keep this check for debug. -*/ } else if (BGE_STS_BIT(sc, BGE_STS_AUTOPOLL)) { /*
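Review bot: In the bge_miibus_statchg hunk, the new early return when BGE_STS_LINK is clear skips the port-mode and duplex programming that follows, so BGE_MAC_MODE keeps whatever the previous link negotiated until the next link-up. A short comment saying this is intended would help. The link-up and link-down conditions are mirror images of each other; computing the shared test (IFM_ACTIVE set and subtype not IFM_NONE) once into a local would make it easier to check that the two branches cannot disagree.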
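Review bot: In the bge_blockinit hunk, the PHY address is folded into mimode with a bare 0x1f mask and a shift of 5; give these a name (for instance a new, so far hypothetical, BGE_MIMODE_PHYADDR() macro beside the other BGE_MIMODE_* definitions) so the register layout is documented in one place. The register is now written whole with CSR_WRITE_4 rather than modified with BGE_SETBIT, which also clears Use Short Preamble as noted in the thread, and the added BGE_CHIPID_BCM5700_B2 exclusion before the BGE_EVTENB_MI_INTERRUPT write has no comment explaining why B2 differs. Both deserve a line in the code or the commit message.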
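Review bot: In the bge_attach hunk, removing the BGE_MIMODE_500KHZ_CONST write means parts with BGE_CPMU_PRESENT no longer get their MI clock selected until bge_blockinit runs. Please confirm that nothing in the attach path talks to the PHY over MII before that point on those chips, or state in the commit message why the reset default is safe there.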
Re: Seeking GUI refuge
Hi Jan

I just tried the fvwm from my linux distro repos. It's pretty nice. I could always compile the GPL version from source on OpenBSD, I will give it a shot.

Thanks-Patrick

On 13-05-26 11:54 PM, Jan Lambertz wrote:

Hi Patrick,

My GUI problem is (was) quite similar. I was searching intensively for a correct, fast, non-bloated desktop manager for years. I have checked at least 10 products (non-Windows) and in the end I felt depressed, like you.

So what saved my life? At work I had to build an environment for Java and DB developers that works on an enterprise Linux distro. These distros came typically with gnome2. Being a terminal server and doing some more intense compiling tasks, the system became slow. Developers were angry because they were only used to MS Windows. Then I remembered OpenBSD and fvwm. I took a deep dive into fvwm and figured out that it can do nearly anything. I built my config (beginning from a large sample config that ships with it, MS Windows 95 style). I cleaned out about 50% I don't need. I integrated the development tools and then everything went like tux on crack. It took some time but I was happy with what was achieved. After that fvwm became the wm of my choice and I am still happy.

I really can recommend fvwm. Even if it looks a little bit old-school and hard to understand in the first place, this is the window manager with coolness (correctness) in mind. I even think it is the OpenBSD of the window managers.

P.S. Good to see Thomas Adam around at OpenBSD. Great work!
Re: divert-to with bridge
Hello Patrick!

Yes, I could not make it work. I'm using another environment that is working: FreeBSD 9.1-RELEASE with a patch to use FORWARD and bridge.

This patch: http://www.mundounix.com.br/~gugabsd/tproxy_bridge_ipfw-9.1-RELEASE.diff

Apply over a complete src of FreeBSD 9.1-RELEASE.

Use ipfw for forward, was:

ipfw add 100 fwd 127.0.0.1,3128 tcp from $lan_net to any 80 via em1
ipfw add 100 fwd 127.0.0.1 tcp from any 80 to $lan_net via em0

em0 = WAN interface
em1 = LAN interface

With this, working 100%!

You can use squid 3.4HEAD or Lusca (from ports) with the TPROXY environment.

To use squid 3.4HEAD, I make a port config (FreeBSD): http://www.mundounix.com.br/~gugabsd/squid34devel.tgz

Original patch: http://loos.no-ip.org/lusca_tproxy.diff

On Sun, 26 May 2013 18:07:38 +0200 Patrick Wildt m...@patrick-wildt.de wrote:

Hi Luiz,

I actually have seen that on a bridge setup I had, too. Although the divert-to points to localhost, I see the packet trying to pass out on the interface to the original destination, as your data shows, too. No idea why that's happening though.

\Patrick

On 23.05.2013 at 22:45, Luiz Gustavo S. Costa luizgust...@mundounix.com.br wrote:

Hi List!

I'm trying to implement a firewall with squid TPROXY in an environment with bridge.

vio0 = external if
vio1 = internal if
bridge0 = (vio0 + vio1)

I have these rules, the connections pass through it, but nothing comes on the side of the divert-to (did tests with nc -l 3128)

[17:31:25] root:logs # cat /etc/pf.conf
pass in log quick on vio1 inet proto tcp from any to any port 80 divert-to 127.0.0.1 port 3128
pass out log quick on vio0 inet proto tcp from any to any port 80 divert-reply
pass all

[17:39:40] root:~ # pfctl -vvsr
@0 pass in log quick on vio1 inet proto tcp from any to any port = 80 flags S/SA divert-to 127.0.0.1 port 3128
  [ Evaluations: 92 Packets: 194 Bytes: 43964 States: 1 ]
  [ Inserted: uid 0 pid 22438 State Creations: 21 ]
@1 pass out log quick on vio0 inet proto tcp from any to any port = 80 flags S/SA divert-reply
  [ Evaluations: 49 Packets: 194 Bytes: 43964 States: 1 ]
  [ Inserted: uid 0 pid 22438 State Creations: 21 ]
@2 pass all flags S/SA
  [ Evaluations: 50 Packets: 93 Bytes: 13453 States: 6 ]
  [ Inserted: uid 0 pid 22438 State Creations: 50 ]

[17:35:54] root:~ # tcpdump -n -e -ttt -i pflog0
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
May 23 17:36:13.429174 rule 0/(match) pass in on vio1: 192.168.15.13.38330 > 74.125.234.238.80: S 2238109532:2238109532(0) win 14600 mss 1460,sackOK,timestamp 45163358 0,nop,wscale 7 (DF)
tcpdump: WARNING: compensating for unaligned libpcap packets
May 23 17:36:13.429228 rule 1/(match) pass out on vio0: 192.168.15.13.38330 > 74.125.234.238.80: S 2238109532:2238109532(0) win 14600 mss 1460,sackOK,timestamp 45163358 0,nop,wscale 7 (DF)

but the nc command is not receiving any packet or connection.

divert-to not working with bridge?

My reference is this - http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf

Thanks

---
Luiz Gustavo Costa (Powered by BSD)
*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+
mundoUnix - Consultoria em Software Livre
http://www.mundounix.com.br
ICQ: 2890831 / MSN: cont...@mundounix.com.br
Tel: 55 (21) 4063-7110 / 8194-1905 / (11) 4063-0407
Blog: http://www.luizgustavo.pro.br
Re: divert-to with bridge
On Mon, May 27, 2013 at 3:43 PM, Luiz Gustavo S. Costa luizgust...@mundounix.com.br wrote:

Hello Patrick ! Yes, I could not make it work, I'm using another environment that is working: FreeBSD 9.1-RELEASE with patch for use FORWARD and bridge

Sure, but this is misc@openbsd.org, an *OpenBSD related* mailing list.
Re: divert-to with bridge
On Mon, 27 May 2013 15:54:23 +0200 David Coppa dco...@gmail.com wrote:

Sure, but this is misc@openbsd.org, an *OpenBSD related* mailing list.

Sorry David,

My intention is to supplement information.

Thank you!

---
Luiz Gustavo Costa (Powered by BSD)
*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+
mundoUnix - Consultoria em Software Livre
http://www.mundounix.com.br
ICQ: 2890831 / MSN: cont...@mundounix.com.br
Tel: 55 (21) 4063-7110 / 8194-1905 / (11) 4063-0407
Blog: http://www.luizgustavo.pro.br
Re: Sturdy and secure mail server
Hi Bruno,

Thank you so much for your email! That's exactly what I want to arrive at one day. Perhaps one day I will indeed contact you for some specific advice on configuration. For now I only got a centralized mail archive with an IMAP server.

I briefly searched the Internet on the IMAP server comparison. Dovecot seemed like a good choice and I went ahead and installed it. I configured Dovecot for both client and server certificate authentication. All went well, but there were a couple of glitches:

* The Dovecot configuration was pretty easy except that the ssl_ca option should point to a file that is a CONCATENATION of the CA certificate file and a valid CRL file. I didn't concatenate the CRL file, and so the client certificate was rejected. Once I concatenated the file, it turned out that the CRL was outdated, and so again the client certificate was rejected. Now it's working. The verbose_ssl option was very useful in diagnosing these problems.

* Thunderbird (Icedove, actually) doesn't remember my choice of the client certificate over restarting. But when I chose Select one automatically, Thunderbird stopped bugging me, since I have just one client certificate installed.

For now, all my mail clients receive mail with POP3 and send with SMTP. Later most probably I will use Fetchmail and Exim to consolidate my mail accounts on my server.

Best,
Irek

On 07.05.2013 18:12, Bruno Flueckiger wrote:

Hi Irek

I had pretty much the same requirements for my mail server at home as you have. Over the time I got different mail accounts for different purposes. So I wanted to consolidate all the accounts on my own server running in my home network.

Since several years (and releases) I'm running my home mail server under OpenBSD. The server is not directly reachable as a MX host because I only use a DynDNS address to access it from outside through a proxy server (nginx for IMAP and SMTP) also running OpenBSD.

My mail server fetches the mails from all accounts via POP3 with fetchmail. The mails are delivered to Postfix which acts as the mail server for my internal domain at home. Postfix then delivers the mail to my personal user account on the server using procmail. Procmail runs each mail through ClamAV (antivirus) and SpamAssassin (antispam). Mails containing viruses are delivered to /dev/null, mails recognized as spam are delivered to the Spam folder. Every other mail is delivered to the mail folder specified in the procmail receipt or, if there is no other destination specified in .procmailrc, to the INBOX.

All mails are stored in ~/mails which is a Maildir folder structure. I prefer Maildir to store mails because it creates a file for each mail. This makes backup and restore much easier. I use Courier IMAP to access all my mails through IMAP clients like Thunderbird (on all my clients) and - since some days - BlackBerry Z10 (access from the Internet through the IMAP proxy feature of nginx). This way I have always the same sight on my mailbox, no matter which client I use. No more manual sync or having mails downloaded to the wrong client. My Maildir folders also act as the archive for my mails.

All components on my mail server support of course TLS. I've configured Postfix and Courier IMAP to support TLS. For this I use my personal PKI. It is based on a self-signed root CA with two sub CAs, one for client certificates and one for server certificates.

I make an hourly backup of my mails folder using rsync to one of my NAS. Additionally there is the daily backup using dump of the whole mail server.

I hope my explanations give some ideas about how you could solve your problem. Feel free to contact me if you would like to get more details about the configuration.

Best regards,
Bruno
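The ssl_ca requirement described in the message above (CA certificate concatenated with a CRL that is still valid), as an added example that is not from the original posts: a shell function that refuses to build the combined file when the CRL was not issued by the CA or its nextUpdate has passed. File names are placeholders; it assumes openssl(1) and GNU date (`date -d`).

```shell
#!/bin/sh
# Added example (not from the thread): build the CA+CRL file for Dovecot's
# ssl_ca setting, and fail loudly on the two conditions that made client
# certificates get rejected in the message above.
# Assumptions: openssl(1) is installed and date(1) is GNU date ("date -d").

# crl_signed_by CA_PEM CRL_PEM -> 0 if the CRL signature verifies against the CA
crl_signed_by() {
    # openssl reports the result as "verify OK" on stderr
    openssl crl -in "$2" -CAfile "$1" -noout 2>&1 | grep -q 'verify OK'
}

# crl_seconds_left CRL_PEM -> prints seconds until nextUpdate (<= 0 means stale)
crl_seconds_left() {
    next=$(openssl crl -in "$1" -noout -nextupdate 2>/dev/null |
        sed 's/^nextUpdate=//') || return 1
    [ -n "$next" ] || return 1
    next_epoch=$(date -u -d "$next" +%s 2>/dev/null) || return 1
    now_epoch=$(date -u +%s)
    echo $((next_epoch - now_epoch))
}

# build_ssl_ca CA_PEM CRL_PEM OUT_PEM
# Return codes: 0 ok, 2 missing input, 3 wrong issuer, 4 unreadable CRL,
#               5 outdated CRL, 6 could not write output
build_ssl_ca() {
    ca=$1 crl=$2 out=$3
    [ -r "$ca" ] && [ -r "$crl" ] || {
        echo "missing CA or CRL file" >&2; return 2; }
    crl_signed_by "$ca" "$crl" || {
        echo "CRL was not issued by this CA" >&2; return 3; }
    left=$(crl_seconds_left "$crl") || {
        echo "cannot read nextUpdate from CRL" >&2; return 4; }
    [ "$left" -gt 0 ] || {
        echo "CRL is outdated (nextUpdate has passed)" >&2; return 5; }
    # Write to a temp file first so a reader never sees a half-written file.
    tmp=$(mktemp "${out}.XXXXXX") || return 6
    cat "$ca" "$crl" > "$tmp" && chmod 644 "$tmp" && mv "$tmp" "$out" || {
        rm -f "$tmp"; return 6; }
}

# Stand-alone use: sh build_ssl_ca.sh ca.pem crl.pem /path/to/ca-and-crl.pem
if [ "$#" -eq 3 ]; then
    build_ssl_ca "$@"
fi
```

Run it whenever the CA publishes a new CRL and point ssl_ca at the output file; a non-zero exit is the signal to fetch a fresh CRL before clients start being rejected.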
From the military propaganda department
Excuse the Yahoo address. That's the best I can do here in the United States of Amerikkka. How is life in OpenBSD-land?

The gummint don't trust me when I use OpenBSD because they don't have a clue what I'm doing when I'm at my computer. Even after they've read my code, and obtained all my passwords via rubber-hose cryptanalysis, and they're sitting at my keyboard staring at the hash prompt, they still don't have a clue what I am doing, and they think the problem can be solved by the more liberal use of rubber hoses.

Oh, I was writing a letter to my attorney. But some people consider that to be illegal here in Amerikkka. They don't understand that when I am ready to release my software, I release it, and when it's released, it's released. That is my right under our First Amendment guarantee of freedom of speech and of the press.

I think it works pretty similarly over there in Canada. When you've tested your code and you are ready, you commit it, and when it's committed, it's committed, and the rest of the team is free to tear it to shreds.

The best defense to rubber-hose cryptanalysis is small pieces of lead, saboted and silenced and projected at high speed at anyone and everyone armed with a rubber hose. The Penguins over in Linux-land understand this very well. Do the Pufferfish? Because that's my right, too, under our Second Amendment guarantee of the right to keep and bear arms. So when I'm ready, I fire a shot, and when it's fired, it's fired, and there is no calling it back. And that's why I make dead certain that I am ready before I fire.

Even if the U.S. Department of Defense considers computer cryptography to be a munition of war, then the right to use it is still protected, only under the Second Amendment rather than the First. Some communications are private, confidential, classified, or privileged and not obtainable with a warrant, and that is why we use cryptography here in the United States of America.
Re: Seeking GUI refuge
Hi Patrick,

Patrick Mc(avery writes:

Hi Jan I just tried the fvwm from my linux distro repos. It's pretty nice. I could always compile the GPL version from source on OpenBSD, I will give it a shot.

You don't need to compile from source to use the newer fvwm. Just install the fvwm2 package.
how can I get a dmesg (without a floppy or serial console port)?
Is there any way (physical settings / cables) to get a dmesg from a laptop that has neither a floppy nor a serial console port (no ssh either)? 10x -h
Re: how can I get a dmesg (without a floppy or serial console port)?
Heya

Any network connectivity at all?

Otherwise, mount a USB stick and dmesg > file...

On Mon, May 27, 2013 at 4:52 PM, Heptas Torres hepta...@gmail.com wrote:

Is there any way (physical settings / cables) to get a dmesg from a laptop that has neither a floppy nor a serial console port (no ssh either)?

10x -h
Re: how can I get a dmesg (without a floppy or serial console port)?
On 5/27/13, Shane Lazarus shane.laza...@pobox.com wrote:

Heya Any network connectivity at all?

nope - that would be easy through ssh.

Otherwise, mount a USB stick and dmesg > file...

Well, if the system crashes there is no way I could mount a USB and copy the dmesg. I was wondering whether there are some hacks with network cables or some physical hacks to connect two machines directly to get the dmesg from one to another.

-h

On Mon, May 27, 2013 at 4:52 PM, Heptas Torres hepta...@gmail.com wrote:

Is there any way (physical settings / cables) to get a dmesg from a laptop that has neither a floppy nor a serial console port (no ssh either)?

10x -h
Re: how can I get a dmesg (without a floppy or serial console port)?
On Tue, May 28, 2013 at 12:06:10AM +, Heptas Torres wrote:

On 5/27/13, Shane Lazarus shane.laza...@pobox.com wrote:

Heya Any network connectivity at all?

nope - that would be easy through ssh.

Otherwise, mount a USB stick and dmesg > file...

Well, if the system crashes there is no way I could mount a USB and copy the dmesg. I was wondering whether there are some hacks with network cables or some physical hacks to connect two machines directly to get the dmesg from one to another.

If the crash is able to dump core to swap, on reboot, savecore(8) runs, and your dmesg will be within the stored dump. Refer to crash(8) and the -M and -N options of dmesg(8).
Re: Problems w/apache+php+mysqld since 4.9-5.0 OpenBSD Upgrade
Sorry, had some guests over the weekend, and I was unable to continue with the thread for a bit. I hope you guys are willing to catch up where you left off, I still haven't been able to get apache+php+mysql working again on my server since the 4.9-5.0 upgrade, and I really need my wiki and other associated services here. Managed to get done with my speech without them, at least. *grin* Still really could've used the wiki for the reference gathering, though. Thankfully nobody asked me for references.

So, here is the output from php -m:

Mon May 27 20:01 contract:/home/ftp$ php -m
[PHP Modules]
bcmath
calendar
ctype
date
dom
exif
filter
ftp
gettext
hash
iconv
json
libxml
mbstring
mysql
openssl
pcre
PDO
posix
Reflection
session
SimpleXML
sockets
SPL
standard
suhosin
sysvmsg
sysvsem
sysvshm
tokenizer
wddx
xml
xmlreader
xmlwriter
zlib

[Zend Modules]
Suhosin

-=-=-=-=-

So it looks like at least from the command-line invoked php, things are loading the mysql version just fine. And I checked, yes, and mysqld is running via invocation of mysqld_safe.

I'll post the appropriate snippets from all of the php*.ini files scattered about my installation in just a bit here as soon as I can gather them all together. A visitor has stopped by again, so I must take a brief respite.

On Wed, May 22, 2013 at 7:18 PM, Richard Toohey richardtoo...@paradise.net.nz wrote:

On 05/23/13 12:08, Damon Getsman wrote:

Okay, now I've got the phpinfo output. Nothing is jumpin' out at me, if y'all care to take a look at it I've got it available at bismaninfo.hopto.org/debug.php for a limited time here.

No mysql in the output. What does php -m give you, etc. It's like the message you are getting - something is up with the mysql extension in your install. Check the ini files, etc. You are using the base Apache and PHP is working - you need to look at the mysql extension and find out why it is not enabled or not loading.
Re: how can I get a dmesg (without a floppy or serial console port)?
On 05/27/13 19:52, Heptas Torres wrote:

Is there any way (physical settings / cables) to get a dmesg from a laptop that has neither a floppy nor a serial console port (no ssh either)?

10x -h

You have two options: 1) video tape it and transcribe it, or 2) take the disk out of the machine and put it on another, so you can grab the dmesg output.

--STeve Andre'