Q: Assistance with pf.conf rules

2015-06-18 Thread John Nyhuis
I am building an OpenBSD 5.7 +pf +pfsync +stp bridging firewall.  It's 90%
working great, but I have a mistake in my pf.conf, and I've been staring at
it for days, and have not spotted my error.

Would anyone be willing to review my rules and point out my mistake?

-----------  ix0  -------------  ix1  ----------
|  world  |-------| pf bridge |-------| switch |
-----------       -------------       ----------
                         \               /
                           \           /
                              $man_if
ix0 connects from the WAN and is filtered and bridged to ix1, which is 
connected to the LAN switch
bond0 = $man_if (bnx0 + bnx1) is connected from the management interface on the 
bridge to the switch


My problem:  ssh connections from the world to the management interface of the bridge are being blocked.  ssh connections from the world to the 
switch are not, implying that my mistake is in my management interface rule block.


cat /etc/pf.conf

##JN general rules that apply to all interfaces and this specific server
set skip on lo  #ignore local interface
man_if="bond0"  #our Management vNIC is bond0 (bond: bnx0, bnx1)
br="ix0"        # This is a bridge, so only filter on one bridge interface
int_if="ix1"    #internal interface of bridge

#set block-policy drop   #drop packets rather than send rejections.
set block-policy return #means we refuse packets, sending back a response
match in all scrub (no-df)  #means we reassemble all incoming packets to fix any overflows, etc.
block in log on $br all #Default deny all in, exceptions must be listed below
pass out on $br all #We trust ourselves, don't block outgoing
pass in quick on $int_if all    #don't filter on internal interface, only external
pass out quick on $int_if all   #don't filter on internal interface, only external
pass quick on pfsync0 proto pfsync keep state   #Allow pfsync to sync firewall states

#ICMP: allow ping from any network -JN
pass in on $br inet proto icmp from any icmp-type echoreq

#SSH: ssh ports protected from brute force by fail2ban, allow ssh into DMZ by default
pass in on any proto tcp from any to any port 22 keep state
pass out on any proto tcp from any to any port 22 keep state

##JN Rules for Firewalls
table  { 140.142.217.141, 140.142.217.140 }  #JN Lister and Rimmer
pass out quick on $man_if all keep state    #We trust ourselves
##SSH: allow in from world, should be redundant, but SSH is being blocked -JN
pass in on $man_if proto tcp from any to  port 22 keep state
##Block brute force attacks
table  persist
block quick log from 
pass log on $man_if inet proto tcp from any to any port ssh flags S/SA keep state (max-src-conn 100, \
max-src-conn-rate 15/5, overload  flush global)


##JN Rules for Switch 140.142.217.135, the DMZ switch
table  { 140.142.217.135 }
#pass out on $br proto { tcp, udp, icmp } from   to any keep state
##SSH: allow in from world, already allowed by default -JN
#pass  in  on $br proto tcp from any to  port 22 keep state


##Hacker IP Addresses [LEAVE THIS RULE LAST]
table  { 202.131.227.252, 220.231.54.232, 200.118.119.48 } #addresses of known hackers
block drop in log quick on $br from  to any


If anyone could point out why I can ssh into the LAN, but get blocked by sshing 
to the management interface of the firewall, you have my gratitude.


--
Thanks,
John Nyhuis
IT Manager, Stam Lab
2211 Elliott Avenue
6th Floor, 6S139
Seattle, WA 98121
O: (206)-267-1097 ext 220
F: (206)-441-3033



Re: upgrade openbsd partition cipher

2015-06-18 Thread Bryan C. Everly
What do you see when you do:

disklabel /dev/sd3

Thanks,
Bryan


On Thu, Jun 18, 2015 at 4:35 PM, Ultramedia Libertad  wrote:
> MAKEDEV now works, thanks
>
> but I can not ride my encrypted partition to upgrade openbsd
>
> bioctl: could not open /dev/sd3a: device not configured
>
> 2015-06-18 15:31 GMT-05:00 Daniel Gillen :
>> On 18.06.2015 22:24, Ultramedia Libertad wrote:
>>> cd /dev && MAKEDEV sd3
>>
>> try: cd /dev && ./MAKEDEV sd3
>
>
>
> --
> editor de sueños



Re: OpenBSD 58-beta

2015-06-18 Thread Bryan C. Everly
I had the same problem.  Grabbed a fresh snapshot today and all is well.

Thanks,
Bryan


On Thu, Jun 18, 2015 at 4:30 PM, Francisco Valladolid H.
 wrote:
> 5.8 Beta? You are running ...
>
> Regards.
>
> On Thu, Jun 18, 2015 at 11:28 AM, Michael McConville
>  wrote:
>> On Thu, Jun 18, 2015 at 09:18:31PM +0500, dmitry.sensei wrote:
>>> First feature :) I can't load latest OpenBSD.iso.
>>> Unending stream "Process (pid 1) got signal 4"
>>
>> This has been happening. There was a thread about it yesterday. Theo
>> advised everyone on tech@ to just wait a few days.
>>
>
>
>
> --
> Francisco Valladolid H.
>  -- http://blog.bsdguy.net - Jesus Christ follower.



Re: upgrade openbsd partition cipher

2015-06-18 Thread Ultramedia Libertad
MAKEDEV now works, thanks

but I can not ride my encrypted partition to upgrade openbsd

bioctl: could not open /dev/sd3a: device not configured

2015-06-18 15:31 GMT-05:00 Daniel Gillen :
> On 18.06.2015 22:24, Ultramedia Libertad wrote:
>> cd /dev && MAKEDEV sd3
>
> try: cd /dev && ./MAKEDEV sd3



-- 
editor de sueños



Re: upgrade openbsd partition cipher

2015-06-18 Thread Daniel Gillen
On 18.06.2015 22:24, Ultramedia Libertad wrote:
> cd /dev && MAKEDEV sd3

try: cd /dev && ./MAKEDEV sd3



Re: OpenBSD 58-beta

2015-06-18 Thread Francisco Valladolid H.
5.8 Beta? You are running ...

Regards.

On Thu, Jun 18, 2015 at 11:28 AM, Michael McConville
 wrote:
> On Thu, Jun 18, 2015 at 09:18:31PM +0500, dmitry.sensei wrote:
>> First feature :) I can't load latest OpenBSD.iso.
>> Unending stream "Process (pid 1) got signal 4"
>
> This has been happening. There was a thread about it yesterday. Theo
> advised everyone on tech@ to just wait a few days.
>



-- 
Francisco Valladolid H.
 -- http://blog.bsdguy.net - Jesus Christ follower.



upgrade openbsd partition cipher

2015-06-18 Thread Ultramedia Libertad
I need help.

I have an encrypted partition and I'm trying to upgrade from my console kvm.

But I get the following errors:

Welcome to the OpenBSD/i386 5.7 installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell? s

cd /dev && MAKEDEV sd3
sh: MAKEDEV: not found

bioctl -c C -l /dev/sd3a softraid0 && exit
bioctl: could not open /dev/sd3a: no such file or directory

cd /dev
sh MAKEDEV /dev/sd3a //it is ok
bioctl: could not open /dev/sd3a: device not configured


What can I do to upgrade?
-- 
editor de sueños



Re: NetBSD has now support for USB on EdgeRouter Lite

2015-06-18 Thread jungle Boogie
On 17 June 2015 at 03:24, Jonathan Gray  wrote:
> On Wed, Jun 17, 2015 at 12:25:54PM +0300, lausg...@gmail.com wrote:
>> Just a heads up. Anyone to merge this into OpenBSD?
>>
>> http://mail-index.netbsd.org/source-changes/2015/05/01/msg065510.html
>> [ https://blog.netbsd.org/tnf/entry/hands_on_experience_with_edgerouter ]
>>
>> Thanks.
>>
>
> http://marc.info/?l=openbsd-cvs&m=143005106108571&w=2
> http://marc.info/?l=openbsd-cvs&m=143387765930344&w=2
>


ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/octeon/INSTALL.octeon

Ubiquiti Networks EdgeRouter Lite / PoE
 onboard serial port and Ethernet are supported; it's possible
 to boot OpenBSD/octeon on this machine over NFS. There is no
 USB support yet, which means that there is no local storage
 (no onboard CompactFlash).

Is this different than what the install file states?



-- 
---
inum: 883510009027723
sip: jungleboo...@sip2sip.info
xmpp: jungle-boo...@jit.si



Re: NetBSD has now support for USB on EdgeRouter Lite

2015-06-18 Thread Bruno Bigras
2015-06-18 2:00 GMT-04:00 lausgans :
> Ah, just still not compiled in:
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/arch/octeon/conf/GENERIC.diff?r1=1.17&r2=1.18&f=h

I'm looking forward to this. Is it ready to be tested or should I wait?



Re: OpenBSD 58-beta

2015-06-18 Thread Michael McConville
On Thu, Jun 18, 2015 at 09:18:31PM +0500, dmitry.sensei wrote:
> First feature :) I can't load latest OpenBSD.iso.
> Unending stream "Process (pid 1) got signal 4"

This has been happening. There was a thread about it yesterday. Theo
advised everyone on tech@ to just wait a few days.



Re: OpenBSD 58-beta

2015-06-18 Thread dmitry.sensei
First feature :) I can't load latest OpenBSD.iso.
Unending stream "Process (pid 1) got signal 4"

On 6/18/15, Stefan Wollny  wrote:
> For those following ~current:
>
> Theo flipped the switch to move to 58-beta:
> https://marc.info/?l=openbsd-cvs&m=143457080515142&w=2

Re: Is PFSync over IPSec still broken?

2015-06-18 Thread Łukasz Czarniecki
> It's still broken because as mentioned at the end of the thread you
> linked IPsec state gets replicated to the peer and this is causing
> the "replayed" packets you're seeing. The peer already has IPsec state
> in memory (created by pfsync replication) which matches incoming IPsec
> packets directed at it. So the peer's IPsec stack ends up believing it's
> seen the incoming packet already (while it actually hasn't seen the packet,
> it just copied the IPsec state from the sender) and drops the packet.
> 
> No good fix is known as of yet. I've given up on it for now.
> 

Please fix this bug or remove this example from documentation.
For me this setup has been broken since 2011.
http://marc.info/?l=openbsd-misc&m=130624207811609&w=2

Nobody cares or nobody uses?

http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/pfsync.4?query=pfsync

This can be used in combination with ipsec(4) to protect the
synchronisation traffic. In such a configuration, the syncdev should be
set to the enc(4) interface, as this is where the traffic arrives when
it is decapsulated, e.g.:

# ifconfig pfsync0 syncpeer 10.0.0.2 syncdev enc0


Lukasz



Re: Is PFSync over IPSec still broken?

2015-06-18 Thread Stefan Sperling
On Thu, Jun 18, 2015 at 03:44:24PM +0200, Łukasz Czarniecki wrote:
> Hi,
> 
> I have the same problem described here:
> 
> http://openbsd-archive.7691.n7.nabble.com/pfsync-over-ipsec-is-broken-td257496.html#a257681
> 
> My system is 5.7 i386
> 
> I have keep state (no-sync) on all local terminated traffic (including
> ipsec udp/esp) and set skip on enc in pf.conf.
> 
> I can see only outgoing PFSync traffic (no incoming) with increasing
> replayed packets received on both firewalls.
> 
> netstat -p esp -s | grep replay
> 304 possibly replayed packets received
> 
> Does anyone have working PFSync over IPsec Setup?
> 
> Lukasz

It's still broken because as mentioned at the end of the thread you
linked IPsec state gets replicated to the peer and this is causing
the "replayed" packets you're seeing. The peer already has IPsec state
in memory (created by pfsync replication) which matches incoming IPsec
packets directed at it. So the peer's IPsec stack ends up believing it's
seen the incoming packet already (while it actually hasn't seen the packet,
it just copied the IPsec state from the sender) and drops the packet.

No good fix is known as of yet. I've given up on it for now.
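
The failure mode described in this reply, as an added example that is not part of the original message and is not OpenBSD code: a simplified model of an ESP anti-replay window on the receiving peer whose state is overwritten by a replicated copy of the sender's counter. The window size, the `lead` margin by which the replicated counter runs ahead of the packets actually delivered, and all names are assumptions made for illustration.

```python
"""Simplified model (constructed, not OpenBSD code) of an ESP anti-replay
window whose state is overwritten by a copy of the sender's counter."""

WINDOW = 64  # assumed replay window size, in packets


class InboundSA:
    """Receiver-side replay state for one security association."""

    def __init__(self):
        self.highest = 0    # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => (highest - i) was already seen
        self.replayed = 0   # plays the role of "possibly replayed packets"

    def receive(self, seq):
        """Return True if the packet is accepted, False if it is dropped."""
        if seq > self.highest:
            # Packet advances the right edge of the window.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= WINDOW or (self.bitmap >> offset) & 1:
            # Left of the window, or marked as already seen.
            self.replayed += 1
            return False
        self.bitmap |= 1 << offset   # late, but inside the window and new
        return True

    def import_peer_state(self, peer_counter):
        """Model of state replication: adopt the sender's counter as if
        every packet up to it had already been received here."""
        if peer_counter > self.highest:
            self.highest = peer_counter
            self.bitmap = (1 << WINDOW) - 1


def simulate(n_packets, lead, replicate=True):
    """Send n_packets over one SA from sender to receiver.

    Each delivered packet carries a state update. With replicate=True the
    receiver applies the sender's counter, which is assumed to run `lead`
    sequence numbers ahead of the packet that carried it.
    Returns (accepted, counted_as_replayed).
    """
    sa = InboundSA()
    accepted = 0
    for seq in range(1, n_packets + 1):
        if not sa.receive(seq):
            continue            # dropped: its payload is never processed
        accepted += 1
        if replicate:
            sa.import_peer_state(seq + lead)
    return accepted, sa.replayed


if __name__ == "__main__":
    print("no replication :", simulate(1000, lead=0, replicate=False))
    print("copy, lead 0   :", simulate(1000, lead=0))
    print("copy, lead 100 :", simulate(1000, lead=100))
```

Without replication every packet is accepted; once the copied counter runs ahead of what was delivered, almost every packet is counted as replayed and dropped, which matches the growing `netstat -p esp -s` counter quoted above.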



Re: "when SSDs are not so solid" or why no TRIM support can be a good thing :)

2015-06-18 Thread Karel Gardas
On Thu, Jun 18, 2015 at 1:53 PM, Christian Weisgerber
 wrote:
> They also tend to forget that magnetic disks also corrupt data, or
> never write it, or write it to the wrong place on disk.  Time to
> remind people of this great paper:
>
> "An Analysis of Data Corruption in the Storage Stack"
> https://www.usenix.org/legacy/events/fast08/tech/full_papers/bairavasundaram/bairavasundaram_html/index.html
>
> If nothing else, read section "2.3 Corruption Classes".  It should
> scare the bejesus out of you.

Nice text! I especially like "6.2 Lessons Learned", thanks for sharing!

Karel



Is PFSync over IPSec still broken?

2015-06-18 Thread Łukasz Czarniecki
Hi,

I have the same problem described here:

http://openbsd-archive.7691.n7.nabble.com/pfsync-over-ipsec-is-broken-td257496.html#a257681

My system is 5.7 i386

I have keep state (no-sync) on all local terminated traffic (including
ipsec udp/esp) and set skip on enc in pf.conf.

I can see only outgoing PFSync traffic (no incoming) with increasing
replayed packets received on both firewalls.

netstat -p esp -s | grep replay
304 possibly replayed packets received

Does anyone have working PFSync over IPsec Setup?

Lukasz



/usr/sbin/dhcpd -y em0 -Y em0 and synchronization

2015-06-18 Thread Taisto Qvist
Hi folks,

I am trying to make the synchronization of DHCP leases to work using the
instructions of the dhcpd man page in OpenBSD 5.7.

But I can't make it work, no traffic seems to be generated on the interface
I configure.

Initially I also got a hanging dhcpd during "rcctl start dhcpd", because
the daemon was performing DNS lookups on my em3 interface name??

Even adding "-y em3:1 -Y em3:1" for multicast TTL, still caused DNS lookups
with "em:" in it!

And since I'll be using em3 on several hosts with different ip-addresses, I
don't see how the heck the dns lookups should be able to help, as well as
the fact that I want to use multicast sync, not unicast.

Using tcpdump on the em3 interface doesn't seem to show any sync-messages,
unless they're piggybacked on pfsync messages?

Anyone got this working?

Best Regards
Taisto Qvist



Re: "when SSDs are not so solid" or why no TRIM support can be a good thing :)

2015-06-18 Thread Christian Weisgerber
On 2015-06-18, Nick Holland  wrote:

> The SSD has some number of spare storage blocks.  When it finds a bad
> block, it locks out the bad block and swaps in a good block.
>
> Curiously -- this is EXACTLY how modern "spinning rust" hard disks have
> worked for about ... 20 years

Easily 25, for SCSI disks.

> Now, in both cases, this is assuming the drive fails in the way you
> expect -- that the "flaw" will be spotted on immediate read-after-write,
> while the data is still in the disk's cache or buffer.  There is more
> than one way magnetic disks fail, there's more than one way SSDs fail.
> People tend to hyperventilate over the one way and forget all the rest.

They also tend to forget that magnetic disks also corrupt data, or
never write it, or write it to the wrong place on disk.  Time to
remind people of this great paper:

"An Analysis of Data Corruption in the Storage Stack"
https://www.usenix.org/legacy/events/fast08/tech/full_papers/bairavasundaram/bairavasundaram_html/index.html

If nothing else, read section "2.3 Corruption Classes".  It should
scare the bejesus out of you.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Testing changes in current using a liveCD

2015-06-18 Thread Walter Alejandro Iglesias
Hello,

I'd appreciate it if someone could tell me if I'm doing something wrong.  I
want to test the latest ACPI changes in two Thinkpads I own (T410 and x201).
I assume:

  1. To test current I can just use the latest snapshot.

  2. FuguIta LiveCD is regularly updated to the latest snapshot.

In case I'm not wrong about some of those two assumptions.  I tested my
T410 and x201 with "5.7 release" and "June 17th 2015 snapshot" without
noticing any differences.  I took into account the values shown by
hw.sensors and apm, for example with both (release and snapshot) in x201
the values are around:

hw.sensors.fan0=3283 RPM
hw.sensors.temp0=43.00 degC
hw.sensors.itherm0.power0=5.00 W

Please tell me if I'm wrong in any step.


Walter




-- 
PLEASE, LET'S PRESERVE GOOD EMAIL PRACTICES
- Use plain text (no HTML please).
- Separate paragraphs with empty lines.
- Use hard wrapped lines at no more than 72 columns.
- Avoid top-posting.
- You'll find the above easy to accomplish by using a decent email
  client (i.e. Thunderbird, Claws mail, Mutt).



Re: nVIDIA driver on OpenBSD 5.7 Issue

2015-06-18 Thread Ville Valkonen
On 18 June 2015 at 13:17, Mohammad BadieZadegan  wrote:
> Hi everybody,
> I have an nVIDIA graphics card but it is not recognised by my OpenBSD 5.7!
> It's my dmesg
> .
> I can use default OpenBSD X when I replaced "nv" by "vesa" in
> /etc/X11/xorg.conf but is that possible to use nVidia driver on OpenBSD?
> Regards.

Hi,

don't be surprised, Nvidia is not supported until someone sends a
patch (Nouveau). Therefore, your options are: 1) Use VESA 2) If the
machine has a second display card, use that by disabling Nvidia from
BIOS 3) Change HW 4) Use different OS.

--
Kind regards,
Ville Valkonen



nVIDIA driver on OpenBSD 5.7 Issue

2015-06-18 Thread Mohammad BadieZadegan
Hi everybody,
I have an nVIDIA graphics card but it is not recognised by my OpenBSD 5.7!
It's my dmesg
.
I can use default OpenBSD X when I replaced "nv" by "vesa" in
/etc/X11/xorg.conf but is that possible to use nVidia driver on OpenBSD?
Regards.



OpenBSD 58-beta

2015-06-18 Thread Stefan Wollny
For those following ~current:

Theo flipped the switch to move to 58-beta:
https://marc.info/?l=openbsd-cvs&m=143457080515142&w=2



Re: "when SSDs are not so solid" or why no TRIM support can be a good thing :)

2015-06-18 Thread Karel Gardas
On Thu, Jun 18, 2015 at 9:08 AM, David Dahlberg
 wrote:
> Am Donnerstag, den 18.06.2015, 02:15 +0530 schrieb Mikael:
>
>> 2015-06-18 2:07 GMT+05:30 Gareth Nelson :
>> No I meant, you plug in a 2TB SSD and a 2TB magnet HD, is there any way to
>> make them properly mirror each other [so the SSD performance is delivered
>> while the magnet disk safeguards contents] - would you use softraid here?
>
> No. If you use a RAID1, you'll get the performance of the worse of both
> disks. To support multiple disks with different characteristics and to
> get the most out of it was AFAIK one of motivations for Matthew Dillon
> to write HAMMER.
>

I'm not sure about RAID1 in general, but I've been reading softraid code
recently and based on it I would claim that you get write performance
of the slowest drive (assuming OpenBSD schedules writes to different
drives in parallel), but read performance slightly higher than the slower
drive since the read is done in round-robin fashion hence the SSD will
speed it up a little bit.

Anyway, the interesting question is if it makes sense to balance this
interleaving reading based on actual drive performance. AFAIK this
should be possible, but IMHO it'll not be that reliable, i.e. it'll
not provide that much of added reliability. Since reliability is my
concern, I'm more looking forward to see kind of virtual drive with
implemented block checksumming in OpenBSD, that IMHO will provide some
added reliability when run for example in RAID1 setup.

Karel



Re: httpd and Ruby on Rails

2015-06-18 Thread ludovic coues
2015-06-18 1:15 GMT+02:00  :
> Hi!
>
> OpenBSD's httpd and Ruby on Rails - is this a reality yet?
>
> Thanks!
>
> O.D.
>


httpd can only serve static files and FastCGI scripts.

If Ruby on Rails can't use FastCGI, there is slowcgi(8) in base which
makes the bridge between a FastCGI-supporting server and CGI scripts.

-- 

Cordialement, Coues Ludovic
+336 148 743 42



Re: "when SSDs are not so solid" or why no TRIM support can be a good thing :)

2015-06-18 Thread David Dahlberg
Am Donnerstag, den 18.06.2015, 02:15 +0530 schrieb Mikael:

> 2015-06-18 2:07 GMT+05:30 Gareth Nelson :
> No I meant, you plug in a 2TB SSD and a 2TB magnet HD, is there any way to
> make them properly mirror each other [so the SSD performance is delivered
> while the magnet disk safeguards contents] - would you use softraid here?

No. If you use a RAID1, you'll get the performance of the worse of both
disks. To support multiple disks with different characteristics and to
get the most out of it was AFAIK one of motivations for Matthew Dillon
to write HAMMER.


-- 
David Dahlberg 

Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845
Fraunhoferstr. 20, 53343 Wachtberg, Germany| Fax: +49-228-856277



Re: redhat <-> openbsd tcpdump

2015-06-18 Thread Stuart Henderson
On 2015-06-16, Frank Brodbeck  wrote:
> Hi Patric,
>
> On Tue, Jun 16, 2015 at 10:51:54AM -0500, patric conant wrote:
>> What's file say when you run it against it?
>
> foo.pcap: tcpdump capture file (little-endian) - version 2.4 (Linux "cooked", capture length 96)
>
> I now know that I can convert the file via wireshark but if someone 
> knows a faster method I would be happy to hear about it.

It might be faster to add support for "cooked" to tcpdump(8), then you
wouldn't need to convert it, look at print-sll.c from tcpdump.org's
tcpdump code...

The most likely reason to have this type of file is from doing a capture
with "-i any" on Linux, if you can use a specific interface name instead
you should get standard ethernet headers rather than these special ones..
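
One way to convert such a file without Wireshark, as an added example that is not part of the original message and is not tcpdump code: it rewrites a Linux "cooked" (LINUX_SLL, link type 113) pcap as an Ethernet (EN10MB, link type 1) pcap by replacing each 16-byte cooked header with a synthesized 14-byte Ethernet header. The function names and the sample capture are constructed; the cooked header records only one link-layer address, so the destination MAC is filled with zeros.

```python
import struct

LINKTYPE_EN10MB = 1
LINKTYPE_LINUX_SLL = 113
SLL_LEN = 16        # packet type, ARPHRD type, addr length, 8-byte addr, protocol
ARPHRD_ETHER = 1


def sll_to_ethernet(data: bytes) -> bytes:
    """Rewrite a LINUX_SLL pcap (as bytes) into an EN10MB pcap (as bytes)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        e = "<"                     # file written little-endian
    elif magic == b"\xa1\xb2\xc3\xd4":
        e = ">"                     # file written big-endian
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    (linktype,) = struct.unpack(e + "I", data[20:24])
    if linktype != LINKTYPE_LINUX_SLL:
        raise ValueError(f"link type {linktype} is not LINUX_SLL")

    # Global header is kept as is, except for the link type field.
    out = bytearray(data[:20]) + struct.pack(e + "I", LINKTYPE_EN10MB)
    pos = 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl, orig = struct.unpack(
            e + "IIII", data[pos:pos + 16])
        pkt = data[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if len(pkt) < incl:
            break                   # file truncated in the middle of a record
        if incl < SLL_LEN:
            continue                # too short to hold a cooked header
        # The cooked header itself is always big-endian.
        _ptype, hatype, halen, addr, proto = struct.unpack(
            ">HHH8sH", pkt[:SLL_LEN])
        src = addr[:6] if (hatype == ARPHRD_ETHER and halen == 6) else bytes(6)
        # Destination MAC is not recorded in the cooked header: use zeros.
        frame = bytes(6) + src + struct.pack(">H", proto) + pkt[SLL_LEN:]
        out += struct.pack(e + "IIII", ts_sec, ts_usec,
                           len(frame), max(orig - 2, len(frame)))
        out += frame
    return bytes(out)


def build_sample() -> bytes:
    """Constructed one-packet LINUX_SLL capture (little-endian, snaplen 96)."""
    payload = bytes.fromhex("4500001c000040004001") + bytes(18)  # dummy bytes
    sll = struct.pack(">HHH8sH", 0, ARPHRD_ETHER, 6,
                      bytes.fromhex("001122334455") + bytes(2), 0x0800)
    pkt = sll + payload
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 96,
                      LINKTYPE_LINUX_SLL)
    rec = struct.pack("<IIII", 1434585600, 0, len(pkt), len(pkt))
    return hdr + rec + pkt


if __name__ == "__main__":
    converted = sll_to_ethernet(build_sample())
    print(len(converted), "bytes, link type",
          int.from_bytes(converted[20:24], "little"))
```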