Re: Route bad address

2013-05-27 Thread David Walker
Something like:

# cat hostname.pppoe0
pppoedev vr0
authproto chap
authname 'u...@on.net'
authkey 'pass'
up
inet 0.0.0.0 255.255.255.255
dest 0.0.0.1
!/sbin/route -v add -inet default -ifp pppoe0 0.0.0.1

See:
man -s 4 pppoe
http://www.openbsd.org/cgi-bin/man.cgi?query=pppoe&sektion=4



Re: BCM5719C/BCM5720 partially working

2013-05-27 Thread David Imhoff

On 2013-05-24 23:37, Mike Belopuhov wrote:
...

I also noticed if_bge.c line 2293:
BGE_SETBIT(sc, BGE_MI_MODE, BGE_MIMODE_AUTOPOLL|(1<<16));
Does anyone have a clue why the (1<<16) is there? It changes the
MI clock. But why? And why OR 0xA with the default 0xC, instead of
0x2? FreeBSD and Linux use the default of 0xC for the MI Clock.


I think it's a remnant of the original code and it should be
BGE_MIMODE_BASE (as in the other frequency).


But since BGE_MIMODE_BASE is the default value after reset and
OR'ing the value wouldn't be correct, I suggest just removing
the '|(1<<16)'.



I'm not OR'ing it in, I'm overwriting the value.


Sorry, I meant in the old code.

...

This also changes the Use Short Preamble flag and PHY Address
which are not 0 by default.



I've followed FreeBSD here. If you inspect the Linux driver you'll
find the same:

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/drivers/net/ethernet/broadcom/tg3.c#n16149
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/drivers/net/ethernet/broadcom/tg3.c#n1479

I guess we need to think about it a bit more.
Tests will help though.


Ok, I tested this with a Broadcom BCM5721. Auto-polling doesn't work
anymore when the PHY address is set to 0. So I added setting the
correct PHY address in the patch below. Clearing Use Short Preamble
doesn't seem to matter, and is also the default for older chips.

Apart from that I think the patch is ok.

Kind regards,

David

Index: sys/dev/pci/if_bge.c
===
RCS file: /cvs/src/sys/dev/pci/if_bge.c,v
retrieving revision 1.328
diff -u -p -r1.328 if_bge.c
--- sys/dev/pci/if_bge.c22 May 2013 16:02:31 -  1.328
+++ sys/dev/pci/if_bge.c27 May 2013 13:01:24 -
@@ -1057,6 +1057,18 @@ bge_miibus_statchg(struct device *dev)
mii-mii_media_active = ~IFM_ETH_FMASK;
}

+   if (!BGE_STS_BIT(sc, BGE_STS_LINK) 
+   mii-mii_media_status  IFM_ACTIVE 
+   IFM_SUBTYPE(mii-mii_media_active) != IFM_NONE)
+   BGE_STS_SETBIT(sc, BGE_STS_LINK);
+   else if (BGE_STS_BIT(sc, BGE_STS_LINK) 
+   (!(mii-mii_media_status  IFM_ACTIVE) ||
+   IFM_SUBTYPE(mii-mii_media_active) == IFM_NONE))
+   BGE_STS_CLRBIT(sc, BGE_STS_LINK);
+
+   if (!BGE_STS_BIT(sc, BGE_STS_LINK))
+   return;
+
/* Set the port mode (MII/GMII) to match the link speed. */
mac_mode = CSR_READ_4(sc, BGE_MAC_MODE) 
~(BGE_MACMODE_PORTMODE | BGE_MACMODE_HALF_DUPLEX);
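Review bot: the set and clear branches at the top of this hunk are exact complements of each other (media active and subtype not IFM_NONE sets BGE_STS_LINK, anything else clears it), so computing the link state once into a local and applying it with a single if/else would be simpler and keeps the two conditions from drifting apart later. The early return when BGE_STS_LINK is clear also means the BGE_MAC_MODE port-mode/half-duplex programming that follows is now skipped while the link is down, where the old code fell straight through to it; a one-line comment saying that this is intended would help the next reader.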
@@ -1775,7 +1787,7 @@ bge_blockinit(struct bge_softc *sc)
volatile struct bge_rcb *rcb;
vaddr_t rcb_addr;
bge_hostaddrtaddr;
-   u_int32_t   dmactl, val;
+   u_int32_t   dmactl, mimode, val;
int i, limit;

/*
@@ -2371,9 +2383,19 @@ bge_blockinit(struct bge_softc *sc)
if (sc-bge_flags  BGE_PHY_FIBER_TBI) {
CSR_WRITE_4(sc, BGE_MI_STS, BGE_MISTS_LINK);
} else {
-   BGE_STS_SETBIT(sc, BGE_STS_AUTOPOLL);
-   BGE_SETBIT(sc, BGE_MI_MODE, BGE_MIMODE_AUTOPOLL|1016);
-   if (BGE_ASICREV(sc-bge_chipid) == BGE_ASICREV_BCM5700)
+   if ((sc-bge_flags  BGE_CPMU_PRESENT) != 0)
+   mimode = BGE_MIMODE_500KHZ_CONST;
+   else
+   mimode = BGE_MIMODE_BASE;
+   mimode |= ((sc-bge_phy_addr  0x1f)  5);
+   if (BGE_IS_5700_FAMILY(sc) ||
+   BGE_ASICREV(sc-bge_chipid) == BGE_ASICREV_BCM5705) {
+   mimode |= BGE_MIMODE_AUTOPOLL;
+   BGE_STS_SETBIT(sc, BGE_STS_AUTOPOLL);
+   }
+   CSR_WRITE_4(sc, BGE_MI_MODE, mimode);
+   if (BGE_ASICREV(sc-bge_chipid) == BGE_ASICREV_BCM5700 
+   sc-bge_chipid != BGE_CHIPID_BCM5700_B2)
CSR_WRITE_4(sc, BGE_MAC_EVT_ENB,
BGE_EVTENB_MI_INTERRUPT);
}
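Review bot: the PHY-address line builds the field from the bare constants 0x1f and 5; a named mask/shift macro next to BGE_MIMODE_AUTOPOLL in the header would document which bits of BGE_MI_MODE hold the address. Two things in this hunk go beyond what the mail describes: the BGE_MAC_EVT_ENB write is now additionally gated on 'sc->bge_chipid != BGE_CHIPID_BCM5700_B2', and auto-polling (together with the BGE_STS_AUTOPOLL flag) is only enabled for BGE_IS_5700_FAMILY(sc) and BCM5705; both deserve a short comment, and the B2 exclusion deserves a mention in the mail. Since CSR_WRITE_4 now replaces the whole register instead of OR-ing into the reset default, it is worth double-checking that nothing else relies on the bits the default carried (the thread mentions Use Short Preamble) on the chips that previously kept them.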
@@ -2721,9 +2743,6 @@ bge_attach(struct device *parent, struct
BGE_ASICREV(sc-bge_chipid) == BGE_ASICREV_BCM57780)
sc-bge_flags |= BGE_CPMU_PRESENT;

-   if ((sc-bge_flags  BGE_CPMU_PRESENT) != 0)
-   BGE_SETBIT(sc, BGE_MI_MODE, BGE_MIMODE_500KHZ_CONST);
-
/* Try to reset the chip. */
DPRINTFN(5, (bge_reset\n));
bge_sig_pre_reset(sc, BGE_RESET_START);
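Review bot: the removed BGE_SETBIT for BGE_MIMODE_500KHZ_CONST was issued right before 'bge_sig_pre_reset(sc, BGE_RESET_START)' and the chip reset, so moving the 500 kHz selection into the single BGE_MI_MODE write in bge_blockinit (which runs after reset) is the right fix rather than a cleanup. Confirm that no PHY access between this point in bge_attach and bge_blockinit, such as the MII probe, needs the constant clock already selected, because BGE_CPMU_PRESENT is decided here but the clock is now only programmed later.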
@@ -4491,11 +4510,6 @@ bge_link_upd(struct bge_softc *sc)
if_link_state_change(ifp);
ifp-if_baudrate = 0;
}
-   /*
-	 * Discard link events for MII/GMII cards if MI auto-polling 
disabled.

-* This should not happen since mii callouts are locked now, but
-* we keep this check for debug.
-*/
} else if (BGE_STS_BIT(sc, BGE_STS_AUTOPOLL)) {
/*
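Review bot: this hunk deletes the comment that explained the 'else if (BGE_STS_BIT(sc, BGE_STS_AUTOPOLL))' branch but keeps the branch itself. With auto-polling now enabled only for the 5700 family and BCM5705 in bge_blockinit, that branch is the normal link-event path for those chips rather than a 'should not happen' debug check, so a one-line replacement comment stating that is better than leaving the branch undocumented.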

Re: Seeking GUI refuge

2013-05-27 Thread Patrick Mc(avery

Hi Jan

I just tried the fvwm from my linux distro repos. It's pretty nice.

I could always compile the GPL version from source on OpenBSD, I will 
give it a shot.


Thanks-Patrick






On 13-05-26 11:54 PM, Jan Lambertz wrote:

Hi Patrick,

My GUI problem is (was) quite similar. I was searching intensively for a
correct, fast, non-bloated desktop manager for years. I have checked at least
10 products (non-Windows) and in the end I felt depressed, like you.
So what saved my life?
At work I had to build an environment for Java and DB developers that works
on an enterprise Linux distro. These distros came typically with GNOME 2.
Being a terminal server and doing some more intense compiling tasks, the system
became slow. Developers were angry because they were only used to MS
Windows. Then I remembered OpenBSD and fvwm. I took a deep dive into fvwm
and figured out that it can do nearly anything. I built my config
(beginning from a large sample config that ships with it, MS Windows 95
style). I cleaned out about 50% I don't need. I integrated the development
tools and then everything went like tux on crack. It took some time but I
was happy with what I had achieved. After that fvwm became the WM of my choice and
I am still happy.
I really can recommend fvwm. Even if it looks a little bit old-school and
hard to understand at first, this is the window manager with coolness
(correctness) in mind. I even think it's the OpenBSD of the window managers.

P.S. Good to see Thomas Adam around at OpenBSD. Great work!




Re: divert-to with bridge

2013-05-27 Thread Luiz Gustavo S. Costa
Hello Patrick !

Yes, I could not make it work; I'm using another environment that is working:

FreeBSD 9.1-RELEASE with a patch for using FORWARD and bridge

This patch:
http://www.mundounix.com.br/~gugabsd/tproxy_bridge_ipfw-9.1-RELEASE.diff

Apply it over a complete src of FreeBSD 9.1-RELEASE.

Using ipfw for forwarding, the rules were:

ipfw add 100 fwd 127.0.0.1,3128 tcp from $lan_net to any 80 via em1
ipfw add 100 fwd 127.0.0.1 tcp from any 80 to $lan_net via em0

em0 = WAN interface
em1 = LAN interface

With this, working 100%!

You can use squid 3.4HEAD or Lusca (from ports) with a TPROXY environment.

To use squid 3.4HEAD, I made a port config (FreeBSD):
http://www.mundounix.com.br/~gugabsd/squid34devel.tgz

Original patch: http://loos.no-ip.org/lusca_tproxy.diff

On Sun, 26 May 2013 18:07:38 +0200
Patrick Wildt m...@patrick-wildt.de wrote:

 Hi Luiz,
 
 I actually have seen that on a bridge setup I had, too.
 
 Although the divert-to points to localhost, I see the packet trying to pass 
 out on the interface to the original destination, as your data shows, too.
 No idea why that's happening though.
 
 \Patrick
 
 Am 23.05.2013 um 22:45 schrieb Luiz Gustavo S. Costa 
 luizgust...@mundounix.com.br:
 
  Hi List !
  
  I'm trying to implement a firewall with squid TPROXY in an environment with 
  a bridge.
  
  vio0 = external if
  vio1 = internal if
  bridge0 = (vio0 + vio1)
  
  I have these rules; the connections pass through, but nothing arrives on 
  the divert-to side (I did tests with nc -l 3128)
  
  [17:31:25] root:logs # cat /etc/pf.conf
  pass in log quick on vio1 inet proto tcp from any to any port 80 divert-to 127.0.0.1 port 3128
  
  pass out log quick on vio0 inet proto tcp from any to any port 80 divert-reply
  
  pass all
  
  [17:39:40] root:~ # pfctl -vvsr
  @0 pass in log quick on vio1 inet proto tcp from any to any port = 80 flags S/SA divert-to 127.0.0.1 port 3128
    [ Evaluations: 92        Packets: 194       Bytes: 43964       States: 1     ]
    [ Inserted: uid 0 pid 22438 State Creations: 21    ]
  @1 pass out log quick on vio0 inet proto tcp from any to any port = 80 flags S/SA divert-reply
    [ Evaluations: 49        Packets: 194       Bytes: 43964       States: 1     ]
    [ Inserted: uid 0 pid 22438 State Creations: 21    ]
  @2 pass all flags S/SA
    [ Evaluations: 50        Packets: 93        Bytes: 13453       States: 6     ]
    [ Inserted: uid 0 pid 22438 State Creations: 50    ]
  
  [17:35:54] root:~ # tcpdump -n -e -ttt -i pflog0
  tcpdump: WARNING: snaplen raised from 116 to 160
  tcpdump: listening on pflog0, link-type PFLOG
  May 23 17:36:13.429174 rule 0/(match) pass in on vio1: 192.168.15.13.38330 > 74.125.234.238.80: S 2238109532:2238109532(0) win 14600 <mss 1460,sackOK,timestamp 45163358 0,nop,wscale 7> (DF)
  tcpdump: WARNING: compensating for unaligned libpcap packets
  May 23 17:36:13.429228 rule 1/(match) pass out on vio0: 192.168.15.13.38330 > 74.125.234.238.80: S 2238109532:2238109532(0) win 14600 <mss 1460,sackOK,timestamp 45163358 0,nop,wscale 7> (DF)
  
  But the nc command is not receiving any packet or connection.
  
  Is divert-to not working with bridge?
  
  My reference is this:
  http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf
  
  Thanks
  
  ---
  Luiz Gustavo Costa (Powered by BSD)
  *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+
  mundoUnix - Consultoria em Software Livre
  http://www.mundounix.com.br
  ICQ: 2890831 / MSN: cont...@mundounix.com.br
  Tel: 55 (21) 4063-7110 / 8194-1905 / (11) 4063-0407
  Blog: http://www.luizgustavo.pro.br
  
 





Re: divert-to with bridge

2013-05-27 Thread David Coppa
On Mon, May 27, 2013 at 3:43 PM, Luiz Gustavo S. Costa
luizgust...@mundounix.com.br wrote:
 Hello Patrick !

 Yes, I could not make it work, I'm using another environment that is working:

 FreeBSD 9.1-RELEASE with patch for use FORWARD and bridge

Sure, but this is misc@openbsd.org, an *OpenBSD related* mailing list.



Re: divert-to with bridge

2013-05-27 Thread Luiz Gustavo S. Costa
On Mon, 27 May 2013 15:54:23 +0200
David Coppa dco...@gmail.com wrote:

 
 Sure, but this is misc@openbsd.org, an *OpenBSD related* mailing list.

Sorry David,

My intention is to supplement information.

Thank you!





Re: Sturdy and secure mail server

2013-05-27 Thread Ireneusz Szcześniak

Hi Bruno,

Thank you so much for your email!  That's exactly what I want to arrive 
at one day.  Perhaps one day I will indeed contact you for some specific 
advice on configuration.


For now I only got a centralized mail archive with an IMAP server.  I 
briefly searched the Internet on the IMAP server comparison.  Dovecot 
seemed like a good choice and I went ahead and installed it.  I 
configured Dovecot for both client and server certificate authentication.


All went well, but there were a couple of glitches:

* The Dovecot configuration was pretty easy except that the ssl_ca 
option should point to a file that is a CONCATENATION of the CA 
certificate file and a valid CRL file.  I didn't concatenate the CRL 
file, and so the client certificate was rejected.  Once I concatenated 
the file, it turned out that the CRL was outdated, and so again the 
client certificate was rejected.  Now it's working.  The verbose_ssl 
option was very useful in diagnosing these problems.


* Thunderbird (Icedove, actually) doesn't remember my choice of the 
client certificate across restarts.  But when I chose "Select one 
automatically", Thunderbird stopped bugging me, since I have just one 
client certificate installed.


For now, all my mail clients receive mail with POP3 and send with SMTP. 
 Later most probably I will use Fetchmail and Exim to consolidate my 
mail accounts on my server.



Best,
Irek

On 07.05.2013 18:12, Bruno Flueckiger wrote:

Hi Irek

I had pretty much the same requirements for my mail server at home as
you have. Over the time I got different mail accounts for different
purposes. So I wanted to consolidate all the accounts on my own server
running in my home network. For several years (and releases) I have been
running my home mail server under OpenBSD.

The server is not directly reachable as a MX host because I only use a
DynDNS address to access it from outside through a proxy server (nginx
for IMAP and SMTP) also running OpenBSD.

My mail server fetches the mails from all accounts via POP3 with
fetchmail. The mails are delivered to Postfix which acts as the mail
server for my internal domain at home. Postfix then delivers the mail to
my personal user account on the server using procmail. Procmail runs
each mail through ClamAV (antivirus) and SpamAssassin (antispam). Mails
containing viruses are delivered to /dev/null, mails recognized as spam
are delivered to the Spam folder. Every other mail is delivered to the
mail folder specified in the procmail recipe or, if there is no other
destination specified in .procmailrc, to the INBOX.

All mails are stored in ~/mails which is a Maildir folder structure. I
prefer Maildir to store mails because it creates a file for each mail.
This makes backup and restore much easier.

I use Courier IMAP to access all my mails through IMAP clients like
Thunderbird (on all my clients) and - since a few days ago - a BlackBerry Z10
(access from the Internet through the IMAP proxy feature of nginx). This
way I always have the same view of my mailbox, no matter which client I
use. No more manual sync or having mails downloaded to the wrong
client. My Maildir folders also act as the archive for my mails.

All components on my mail server support of course TLS. I've configured
Postfix and Courier IMAP to support TLS. For this I use my personal PKI.
It is based on a self-signed root CA with two sub CAs, one for client
certificates and one for server certificates.

I make an hourly backup of my mails folder using rsync to one of my NAS.
Additionally there is the daily backup using dump of the whole mail server.

I hope my explanations give some ideas about how you could solve your
problem. Feel free to contact me if you would like to get more details
about the configuration.

Best regards,
Bruno
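Irek's two Dovecot glitches above (a CRL missing from the ssl_ca file, then an outdated one) can be reproduced and checked with plain openssl before a real client is pointed at the server. The script below is an added example, not code from the thread, from Dovecot or from Irek's setup: it builds a throwaway CA, one client certificate and an empty CRL (every name, path and lifetime is constructed), concatenates the CA certificate and the CRL into the kind of bundle ssl_ca expects, and then runs the same CRL-checked verification that rejects a client when the CRL is absent or expired.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the Dovecot ssl_ca
# pitfall with a throwaway CA.  Every name, path and lifetime is constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Build a throwaway root CA, one client certificate signed by it, an empty
# CRL valid for 30 days, and the bundle Dovecot's ssl_ca must point at.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -subj "/CN=Example Home CA" -days 3650 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
        -subj "/CN=example-client" >/dev/null 2>&1
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -out client.crt -days 365 >/dev/null 2>&1

    # openssl ca needs a minimal config and an (empty) certificate database
    # even just to issue a CRL.
    printf '%s\n' '[ ca ]' 'default_ca = home_ca' '[ home_ca ]' \
        'database = index.txt' 'new_certs_dir = .' 'certificate = ca.crt' \
        'private_key = ca.key' 'default_md = sha256' > ca.cnf
    : > index.txt
    openssl ca -config ca.cnf -gencrl -crldays 30 -out ca.crl >/dev/null 2>&1

    # The file ssl_ca should reference: CA certificate followed by the CRL.
    cat ca.crt ca.crl > ssl_ca_bundle.pem
}

# Print the CRL's nextUpdate so an admin can spot an outdated CRL before
# clients start being rejected.
crl_next_update() {
    openssl crl -in ca.crl -noout -nextupdate
}

# Verify the client certificate the way Dovecot's OpenSSL-backed check does,
# with CRL checking on.  Prints "accepted" or "rejected".
#   $1  file to use as the trust store (with or without a CRL inside)
#   $2  optional Unix timestamp at which to evaluate validity
check_client() {
    bundle=$1
    if [ -n "${2:-}" ]; then
        set -- -attime "$2"
    else
        set --
    fi
    if openssl verify -crl_check -CAfile "$bundle" "$@" client.crt \
            >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

make_pki
check_client ssl_ca_bundle.pem                    # accepted: CA + valid CRL
check_client ca.crt                               # rejected: no CRL in file
check_client ssl_ca_bundle.pem \
    "$(( $(date +%s) + 60 * 86400 ))"             # rejected: CRL outdated
crl_next_update
```

The third check evaluates validity 60 days out with -attime, which shows the outdated-CRL rejection without waiting for it; on a live server the nextUpdate value printed by crl_next_update is the date to watch and regenerate the bundle before.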




From the military propaganda department

2013-05-27 Thread Justin Lindberg
Excuse the Yahoo address.  That's the best I can do here in the United States
of Amerikkka.  How is life in OpenBSD-land?  The gummint don't trust me when
I use OpenBSD because they don't have a clue what I'm doing when I'm at my
computer.  Even after they've read my code, and obtained all my passwords via
rubber-hose cryptanalysis, and they're sitting at my keyboard staring at the
hash prompt, they still don't have a clue what I am doing, and they think the
problem can be solved by the more liberal use of rubber hoses.

Oh, I was writing a letter to my attorney.  But some people consider that to be
illegal here in Amerikkka.

They don't understand that when I am ready to release my software, I release it,
and when it's released, it's released.  That is my right under our First
Amendment guarantee of freedom of speech and of the press.  I think it works
pretty similarly over there in Canada.  When you've tested your code and you are
ready, you commit it, and when it's committed, it's committed, and the rest of
the team is free to tear it to shreds.

The best defense to rubber-hose cryptanalysis is small pieces of lead, saboted
and silenced and projected at high speed at anyone and everyone armed with a
rubber hose.  The Penguins over in Linux-land understand this very well.  Do the
Pufferfish?  Because that's my right, too, under our Second Amendment
guarantee of the right to keep and bear arms.

So when I'm ready, I fire a shot, and when it's fired, it's fired, and there is
no calling it back.  And that's why I make dead certain that I am ready before I
fire.

Even if the U.S. Department of Defense considers computer cryptography to be a
munition of war, then the right to use it is still protected, only under the
Second Amendment rather than the First.  Some communications are private,
confidential, classified, or privileged and not obtainable with a warrant, and
that is why we use cryptography here in the United States of America.



Re: Seeking GUI refuge

2013-05-27 Thread Anthony J. Bentley
Hi Patrick,

Patrick Mc(avery writes:
 Hi Jan
 
 I just tried the fvwm from my linux distro repos. It's pretty nice.
 
 I could always compile the GPL version from source on OpenBSD, i will 
 give it a shot.

You don't need to compile from source to use the newer fvwm. Just install
the fvwm2 package.



how can I get a dmesg (without a floppy or serial console port)?

2013-05-27 Thread Heptas Torres
Is there any way (physical settings / cables) to get a dmesg from a
laptop that has neither a floppy nor a serial console port (no ssh
either)?
10x
-h



Re: how can I get a dmesg (without a floppy or serial console port)?

2013-05-27 Thread Shane Lazarus
Heya

Any network connectivity at all?

Otherwise, mount a USB stick and dmesg > file...



On Mon, May 27, 2013 at 4:52 PM, Heptas Torres hepta...@gmail.com wrote:

 Is there any way (physical settings / cables) to get a dmesg from a
 laptop that has neither a floppy nor a serial console port (no ssh
 either)?
 10x
 -h



Re: how can I get a dmesg (without a floppy or serial console port)?

2013-05-27 Thread Heptas Torres
On 5/27/13, Shane Lazarus shane.laza...@pobox.com wrote:
 Heya

 Any network connectivity at all?

nope - that would be easy through ssh.

 Otherwise, mount a USB stick and dmesg > file...

Well, if the system crashes there is no way I could mount a USB and
copy the dmesg. I was wondering whether there are some hacks with
network cables or some physical hacks to connect two machines directly
to get the dmesg from one to another.
-h



 On Mon, May 27, 2013 at 4:52 PM, Heptas Torres hepta...@gmail.com wrote:

 Is there any way (physical settings / cables) to get a dmesg from a
 laptop that has neither a floppy nor a serial console port (no ssh
 either)?
 10x
 -h



Re: how can I get a dmesg (without a floppy or serial console port)?

2013-05-27 Thread Josh Grosse
On Tue, May 28, 2013 at 12:06:10AM +, Heptas Torres wrote:
 On 5/27/13, Shane Lazarus shane.laza...@pobox.com wrote:
  Heya
 
  Any network connectivity at all?
 
 nope - that would be easy through ssh.
 
  Otherwise, mount a USB stick and dmesg > file...
 
 well if the system crashes there is now way I could mount a USB and
 copy the dmesg. I was wondering whether there are some hacks with
 network cables or some physical hacks to connect two machines directly
 to get the dmesg from one to another.

If the crash is able to dump core to swap, on reboot, savecore(8) runs, and 
your dmesg will be within the stored dump.  Refer to crash(8) and the -M and
-N options of dmesg(8).



Re: Problems w/apache+php+mysqld since 4.9->5.0 OpenBSD Upgrade

2013-05-27 Thread Damon Getsman
Sorry, had some guests over the weekend, and I was unable to continue
with the thread for a bit.  I hope you guys are willing to catch up
where you left off; I still haven't been able to get apache+php+mysql
working again on my server since the 4.9->5.0 upgrade, and I really need
my wiki and other associated services here.  Managed to get done with my
speech without them, at least.  *grin*  Still really could've used the
wiki for the reference gathering, though.  Thankfully nobody asked me
for references.

So, here is the output from php -m:
Mon May 27 20:01
contract:/home/ftp$ php -m
[PHP Modules]
bcmath
calendar
ctype
date
dom
exif
filter
ftp
gettext
hash
iconv
json
libxml
mbstring
mysql
openssl
pcre
PDO
posix
Reflection
session
SimpleXML
sockets
SPL
standard
suhosin
sysvmsg
sysvsem
sysvshm
tokenizer
wddx
xml
xmlreader
xmlwriter
zlib

[Zend Modules]
Suhosin

-=-=-=-=-
So it looks like at least from the command-line invoked php, things are
loading the mysql version just fine.  And I checked, yes, and mysqld is
running via invocation of mysqld_safe.

I'll post the appropriate snippets from all of the php*.ini files
scattered about my installation in just a bit here as soon as I can
gather them all together.  A visitor has stopped by again, so I must
take a brief respite.



On Wed, May 22, 2013 at 7:18 PM, Richard Toohey 
richardtoo...@paradise.net.nz wrote:

 On 05/23/13 12:08, Damon Getsman wrote:

 Okay, now I've got the phpinfo output.  Nothing is jumpin' out at me,
 if y'all care to take a look at it I've got it available at
 bismaninfo.hopto.org/debug.php for a limited time here.


  No mysql in the output.

 What does php -m give you, etc.

 It's like the message you are getting - something is up with the mysql
 extension in your install.

 Check the ini files, etc.

 You are using the base Apache and PHP is working - you need to look at the
 mysql extension and find out why it is not enabled or not loading.



Re: how can I get a dmesg (without a floppy or serial console port)?

2013-05-27 Thread STeve Andre'

On 05/27/13 19:52, Heptas Torres wrote:

Is there any way (physical settings / cables) to get a dmesg from a
laptop that has neither a floppy nor a serial console port (no ssh
either)?
10x
-h


You have two options: 1) video tape it and transcribe it, or 2) take
the disk out of the machine and put it on another, so you can grab
the dmesg output.

--STeve Andre'