Re: Adding zombies to a pf table?

2015-09-24 Thread Peter Hessler
On 2015 Sep 24 (Thu) at 12:37:03 +0300 (+0300), Pantelis Roditis wrote:
:On 09/24/2015 11:39 AM, Peter Hessler wrote:
:>On 2015 Sep 23 (Wed) at 18:14:51 +0100 (+0100), Craig Skinner wrote:
:>:Hello,
:>:
:>:Zombies are often attacking ports which don't have services running,
:>:such as telnet (most popular indeed), mysql, 3551, 8080, 13272, etc.
:>
:
:Hi,
:
:This is the exact reason why we created bofh-divert[1]. The idea is that you
:pass those packets with PF to a divert socket opened by a daemon. The daemon
:grabs the source IP and adds it to a predefined table.
:
:The rules look something like this
:
:-- pf.conf snip --
:
:table  persist counters
:
:block in log quick from 
:
:pass in log quick on { egress } inet proto tcp from ! to port {
:3389, 5900, 6001, 8080,  } divert-packet port 1100 no state
:
:-- pf.conf snip --
:
:We have used this on some of our firewalls for some time now without
:problems.
:
:>I've been playing with this, too.  Overload won't work until the packet
:>is processed by a userland process.
:>
:>:Or is there something handy in ports to help?
:>:
:>
:>I don't know of any, but I have such a thing on my TODO.
:>
:
:The port[2] is under cleanup/testing and will be submitted for review soon.
:
:I hope this is close to what you guys were looking for.
:
:
:[1] https://github.com/echothrust/pf-diverters
:[2] https://github.com/echothrust/OpenBSD-ports-mystuff
:

Yes, this looks very close to what I had in mind.

Main comment: looks like no IPv6 support.


-- 
In Boston, it is illegal to hold frog-jumping contests in nightclubs.



Re: Making IPv6 NAT prefer privacy address

2015-09-24 Thread Stuart Henderson
On 2015-09-23, Giancarlo Razzolini  wrote:
> Em 23-09-2015 11:49, Stuart Henderson escreveu:
>> Exactly. It also makes it easier to handle multiple ISPs for load-balancing
>> or failover, which IPv6 handles poorly (short of using BGP).
>
> Wouldn't multipath and properly constructed ifstated scripts be better
> in this case? Like reloading dhcpv6 servers, rtadvd, and anchors, etc.

The problem is that you rely on the end host to make decisions about
which address to use etc. The router can only influence those decisions
(by choosing which networks to advertise) rather than force them.
This might be good enough for failover (though failover is likely to
be slower than doing it on the router) but isn't going to work at all
for the type of load-balancing that many people currently do across
multiple ISP connections (often built-in to small/home office routers,
and like the example in faq/pf/pools.html).



Re: Recommended miniPCI express wireless module for PC Engines' APU system board?

2015-09-24 Thread Stuart Henderson
On 2015-09-24, Adam  wrote:
>>> So the one you recommend from Amazon got some
>>> mediocre reviews and comes from Asia.
>>> But it works, good for you, that's a plus. It is
>>> also a Qualcomm Atheros, maybe not
>>> so dissimilar from the ones PC Engines sells on
>>> their site:
>>> http://www.pcengines.ch/wle200nx.htm and
>>
>> This one should work ok with athn(4).
>
> Huh, athn(4)? Which one is that? http://www.pcengines.ch/order1.php?c=4
>
> No such SKU for PC Engines. Do you mean the APU board, perhaps?
>
> Thanks for your additional tips, though.
>
>

http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/athn.4?query=athn



Re: Adding zombies to a pf table?

2015-09-24 Thread Pantelis Roditis

On 09/24/2015 11:39 AM, Peter Hessler wrote:

On 2015 Sep 23 (Wed) at 18:14:51 +0100 (+0100), Craig Skinner wrote:
:Hello,
:
:Zombies are often attacking ports which don't have services running,
:such as telnet (most popular indeed), mysql, 3551, 8080, 13272, etc.



Hi,

This is the exact reason why we created bofh-divert[1]. The idea is that 
you pass those packets with PF to a divert socket opened by a daemon. 
The daemon grabs the source IP and adds it to a predefined table.


The rules look something like this

-- pf.conf snip --

table  persist counters

block in log quick from 

pass in log quick on { egress } inet proto tcp from ! to port { 
3389, 5900, 6001, 8080,  } divert-packet port 1100 no state


-- pf.conf snip --

We have used this on some of our firewalls for some time now without 
problems.



I've been playing with this, too.  Overload won't work until the packet
is processed by a userland process.

:Or is there something handy in ports to help?
:

I don't know of any, but I have such a thing on my TODO.



The port[2] is under cleanup/testing and will be submitted for review soon.

I hope this is close to what you guys were looking for.


[1] https://github.com/echothrust/pf-diverters
[2] https://github.com/echothrust/OpenBSD-ports-mystuff



Re: Recommended miniPCI express wireless module for PC Engines' APU system board?

2015-09-24 Thread Adam
>> So the one you recommend from Amazon got some
>> mediocre reviews and comes from Asia.
>> But it works, good for you, that's a plus. It is
>> also a Qualcomm Atheros, maybe not
>> so dissimilar from the ones PC Engines sells on
>> their site:
>> http://www.pcengines.ch/wle200nx.htm and
>
> This one should work ok with athn(4).

Huh, athn(4)? Which one is that? http://www.pcengines.ch/order1.php?c=4

No such SKU for PC Engines. Do you mean the APU board, perhaps?

Thanks for your additional tips, though.



Re: Making IPv6 NAT prefer privacy address

2015-09-24 Thread Stuart Henderson
On 2015-09-23, Giancarlo Razzolini  wrote:
> Em 23-09-2015 11:16, Marios Makassikis escreveu:
>> Rather than announcing the prefix obtained via DHCPv6-PD you can pick a 
>> prefix
>> from fd00::/8 and announce that on your network.
>> It is the equivalent to RFC1918 addresses, except it is for IPv6.
>
> Figured it. These are ULA, right?

yep.

>> Therefore, it is
>> not routable and you need to perform NAT on it. The global address is the one
>> the router obtained via static configuration/SLAAC/DHCPv6, which will then be
>> used by all your clients.
>
> It kind of defeats the purpose of IPv6, doesn't it?

What is the purpose of IPv6? The main purpose that I see is "ability to
continue getting internet addresses after v4 runout". (If it had been left
at that and didn't change a bunch of other things at the same time, perhaps
more people would be using it already).

And, like it or not, the majority of network admins have learned their
trade in a post-NAT world, and are relying on things which are difficult or
impossible to do without that...

>> Your CPE will see only the OpenBSD router's address so it should work.
>
> I ended up setting up a bridge for that. It's harder to filter on them
> though. I plan to port some NDP proxy to OpenBSD, but all of the
> candidates looked very cumbersome to my taste. I'll have eventually to
> do it, unless someone else beat me to it.

So you're relying on your ISP's CPE for network addressing and it doesn't
have a way to add a static route? It seems like you would have the same
problem with v4, doesn't it?

Can you terminate the session on the OpenBSD box instead?



Re: Adding zombies to a pf table?

2015-09-24 Thread Pantelis Roditis

On 09/24/2015 12:48 PM, Peter Hessler wrote:

On 2015 Sep 24 (Thu) at 12:37:03 +0300 (+0300), Pantelis Roditis wrote:
:On 09/24/2015 11:39 AM, Peter Hessler wrote:
:>On 2015 Sep 23 (Wed) at 18:14:51 +0100 (+0100), Craig Skinner wrote:
:>:Hello,
:>:
:>:Zombies are often attacking ports which don't have services running,
:>:such as telnet (most popular indeed), mysql, 3551, 8080, 13272, etc.
:>

[..]

:
:[1] https://github.com/echothrust/pf-diverters
:[2] https://github.com/echothrust/OpenBSD-ports-mystuff
:

Yes, this looks very close to what I had in mind.

Main comment: looks like no IPv6 support.



I know, unfortunately my familiarity with anything IPv6 is close to 0. 
However it shouldn’t be too hard to add the support. If anyone is 
interested in taking the task I am happy to accept pull requests or patches.




Re: Adding zombies to a pf table?

2015-09-24 Thread Peter Hessler
On 2015 Sep 23 (Wed) at 18:14:51 +0100 (+0100), Craig Skinner wrote:
:Hello,
:
:Zombies are often attacking ports which don't have services running,
:such as telnet (most popular indeed), mysql, 3551, 8080, 13272, etc.
:
:With a default pf block drop in on $ext_if, how can those source ips be
:added to a  table? Which all can be dropped & small queued.
:
:I've tried to overload a match statement, but that won't work.
:

I've been playing with this, too.  Overload won't work until the packet
is processed by a userland process.

:Or is there something handy in ports to help?
:

I don't know of any, but I have such a thing on my TODO.

Annoyingly, that TODO list is too long.  If you beat me to it, please
share :).


:Thanks.
:-- 
:By the time they had diminished from 50 to 8,
:the other dwarves began to suspect "Hungry" ...
:-- Gary Larson, "The Far Side"
:

-- 
Ed Sullivan will be around as long as someone else has talent.
-- Fred Allen



Re: 5.8-stable: panic: mtx_enter locking against myself

2015-09-24 Thread mxb
Looks like I found the root cause.
At least it is as stable as it is supposed to be.
I need to reproduce this in the lab before making the next move.

//mxb

> On 17 sep. 2015, at 10:35, mxb  wrote:
> 
> 
> Hey,
> getting panics with 5.8-STABLE kernel.
> 
> panic: mtx_enter: locking against myself
> Starting stack trace…
> panic() at panic+0x10b
> mtx_enter() at mtx_enter+0x60
> sofree() at sofree+0xa0
> in_pcbdetach() at in_pcbdetach+0x40
> tcp_close() at tcp_close+0xad
> tcp_timer_2msl() at tcp_timer_2msl+0x90
> softclock() at softclock+0x315
> softintr_dispatch() at softintr_dispatch+0x8b
> Xsoftclock() at Xsoftclock+0x1f
> ——interrupt———
> (null)() at 0x8
> end of kernel
> end trace frame: 0x1120001, count: 247
> end of stack trace



Re: Making IPv6 NAT prefer privacy address

2015-09-24 Thread Delan Azabani
For the record, some ISPs offer both dynamic and static IPv6 subnets to
their clients, like Internode, which uses router advertisements for
dynamic subnets, and DHCPv6 IA_PD for static subnets.



Re: Adding zombies to a pf table?

2015-09-24 Thread David Dahlberg
Am Donnerstag, den 24.09.2015, 10:39 +0200 schrieb Peter Hessler:
> On 2015 Sep 23 (Wed) at 18:14:51 +0100 (+0100), Craig Skinner wrote:

> :Zombies are often attacking ports which don't have services running,
> :such as telnet (most popular indeed), mysql, 3551, 8080, 13272,
> etc.
> :
[..]
> :I've tried to overload a match statement, but that won't work.
> :
> 
> I've been playing with this, too.  Overload won't work until the
> packet
> is processed by a userland process.

I remember having done it once. But when I look into that old
configuration, I am not sure whether the "synproxy state" or the "rdr-to
127.0.0.1 port 9" part of the rule did the trick.


-- 
David Dahlberg 

Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845
Fraunhoferstr. 20, 53343 Wachtberg, Germany| Fax: +49-228-856277



Re: Making IPv6 NAT prefer privacy address

2015-09-24 Thread Daniel Gillen
On 23/09/2015 16:16, Marios Makassikis wrote:
> On 23 September 2015 at 15:34, Giancarlo Razzolini  
> wrote:
>> Em 23-09-2015 04:40, Stuart Henderson escreveu:
>>> Saves messing about with DHCPv6-PD
>>
>> I see. So you translate from what exactly? Wouldn't it be better to use
>> af-to instead of nat?
> 
> Hello,
> 
> Rather than announcing the prefix obtained via DHCPv6-PD you can pick a prefix
> from fd00::/8 and announce that on your network.
> It is the equivalent to RFC1918 addresses, except it is for IPv6.
> Therefore, it is
> not routable and you need to perform NAT on it. The global address is the one
> the router obtained via static configuration/SLAAC/DHCPv6, which will then be
> used by all your clients.
> 
>> But I can relate to that, given that my CPE will
>> give me a PD, but won't route packets back because it thinks the prefix
>> is reachable using NDP. Hence the need for a proxy, which OpenBSD
>> currently doesn't have.
>>
>> Cheers,
>> Giancarlo Razzolini
>>
> 
> Your CPE will see only the OpenBSD router's address so it should work.
> 
> Marios
> 

And that's exactly what I am doing. Well, I don't use DHCP but rather
assign the fd00::/8 addresses statically, but for the rest, it's the same.

Why NAT? I'm using pppoe to establish a connection to my ISP. And for
every new connection, I get new IPv4 and IPv6 addresses. This is at home
and I don't want my machines being accessible from the internet (except
for some specific ports to some specific machines). As the addresses
change all the time, firewalling would be quite difficult. So NAT is
very useful here :)

But with that configuration, the problem is that all outgoing traffic
(after the NAT) will use the main IPv6 address of the external interface
(auto configured) or will pick one dynamically (auto configured /
privacy address) (depending on the match statement in pf.conf).

I think I will try to write a script to periodically check if the
privacy address has changed and then update my pf.conf for now.

But it would be a nice feature to be able to use something like
egress:privacy for example or make pf automagically prefer the privacy
addresses when natting :)

Daniel
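A script for the periodic check described in this message, added here as an example and not Daniel's own code: it reads ifconfig(8) output for the external interface, picks the current non-deprecated autoconfprivacy address, and reloads a pf anchor holding the nat-to rule only when that address has changed, so the rest of pf.conf is never rewritten. The interface name pppoe0, the anchor name ula6nat, the state file, the ULA prefix and the flag word "autoconfprivacy" as printed by ifconfig are assumptions, and the ifconfig text embedded in the block is constructed, not captured from a real router.

```shell
#!/bin/sh
# Added example, not Daniel's script: keep a pf anchor's nat-to rule
# pointed at the external interface's current autoconfprivacy address.
# Run it from cron every few minutes; it only reloads the anchor when
# the address changed. Assumptions: interface, anchor name, ULA prefix,
# state file and the "autoconfprivacy" flag word in ifconfig output are
# all mine, and pf.conf must contain  anchor "ula6nat"  at the point
# where the NAT rule should be evaluated.

EXT_IF="${EXT_IF:-pppoe0}"
ULA="${ULA:-fd00::/8}"
ANCHOR="${ANCHOR:-ula6nat}"
STATE="${STATE:-/var/run/ula6nat.addr}"
PRIV_FLAG="${PRIV_FLAG:-autoconfprivacy}"

# Print the first usable privacy address from ifconfig(8) text on stdin:
# an inet6 line carrying $PRIV_FLAG that is neither link-local nor marked
# deprecated (a deprecated address is still valid, but must not be used
# for new connections). Prints nothing if there is none.
privacy_addr() {
    awk -v flag="$PRIV_FLAG" '
    $1 == "inet6" {
        has = 0
        for (i = 3; i <= NF; i++) if ($i == flag) has = 1
        if (has && $2 !~ /^fe80:/ && $0 !~ / deprecated/) { print $2; exit }
    }'
}

# The complete anchor rule set for one source address.
nat_rule() {
    printf 'match out on %s inet6 from %s nat-to %s\n' "$EXT_IF" "$ULA" "$1"
}

# Read ifconfig text on stdin and reload the anchor if the privacy address
# differs from the one recorded in $STATE. With DRY_RUN set, print the rule
# instead of loading it. Returns 0 after a reload, 1 if there was nothing to do.
update_nat() {
    addr=$(privacy_addr)
    if [ -z "$addr" ]; then return 1; fi
    last=$(cat "$STATE" 2>/dev/null || true)
    if [ "$addr" = "$last" ]; then return 1; fi
    if [ -n "${DRY_RUN:-}" ]; then
        nat_rule "$addr"
    else
        # pfctl -f - reads the rule set from stdin; -a replaces only this
        # anchor, the main rule set is untouched
        nat_rule "$addr" | pfctl -a "$ANCHOR" -f -
    fi
    printf '%s\n' "$addr" > "$STATE"
}

# Constructed ifconfig output for the demo run (not captured from a real box):
# link-local, the EUI-64 based autoconf address, a deprecated privacy address
# and the current privacy address.
SAMPLE_IFCONFIG='pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
        inet6 fe80::1%pppoe0 prefixlen 64 scopeid 0x8
        inet6 2001:db8:1:2:221:ccff:fe12:3456 prefixlen 64 autoconf pltime 3600 vltime 86400
        inet6 2001:db8:1:2:8c1a:5fd1:2e07:9b63 prefixlen 64 deprecated autoconf autoconfprivacy pltime 0 vltime 43200
        inet6 2001:db8:1:2:1c33:7a4e:b6d2:f91 prefixlen 64 autoconf autoconfprivacy pltime 3600 vltime 86400'

case "${1:-}" in
--demo) DRY_RUN=1 STATE=/tmp/ula6nat.demo; printf '%s\n' "$SAMPLE_IFCONFIG" | update_nat ;;
--cron) ifconfig "$EXT_IF" | update_nat ;;     # what the crontab entry runs
esac
```

Run it with --demo to see the rule it would load for the constructed output, and with --cron from a crontab entry on the router. Because the state file remembers the last loaded address, a privacy address that rotates every day causes exactly one anchor reload per rotation and nothing in between.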



Re: Making IPv6 NAT prefer privacy address

2015-09-24 Thread Giancarlo Razzolini
Em 24-09-2015 08:36, Stuart Henderson escreveu:
> What is the purpose of IPv6? The main purpose that I see is "ability to
> continue getting internet addresses after v4 runout". (If it had been left
> at that and didn't change a bunch of other things at the same time, perhaps
> more people would be using it already).

This sure is the purpose now. Short term. But one of the main reasons
the address space is so large, is for every connected device be
accessible from every other.

>
> And, like it or not, the majority of network admins have learned their
> trade in a post-NAT world, and are relying on things which are difficult or
> impossible to do without that...

Yes. I got that. But I prefer to learn to do things properly, even if it
means it's more difficult.

> So you're relying on your ISPs CPE for network addressing and it doesn't
> have a way to add a static route? It seems like you would have the same
> problem with v4, doesn't it?

I can add a static route, yes. And it answers to IA_PD requests, and
also IA_NA. So I've managed to get it working for my internal machines.
The only issue is that the CPE won't try to route the prefix it delegated
to me. What it does instead, is to keep asking, using NDP, who has the
address. Hence the need for an NDP proxy.

>
> Can you terminate the session on the OpenBSD box instead?

If you mean a pppoe or other way to get the IPv6 directly on the OpenBSD
box, then no. My CPE is only routed, unfortunately. But this discussion
gave me the idea of making a bridge for my dmz and using ULA with nat on
my internal networks, that don't need much external connectivity. This
also solves my problem of having only one /64 prefix.

Cheers,
Giancarlo Razzolini



Re: Adding zombies to a pf table?

2015-09-24 Thread Benny Lofgren
On 2015-09-24 11:37, Pantelis Roditis wrote:
> On 09/24/2015 11:39 AM, Peter Hessler wrote:
>> On 2015 Sep 23 (Wed) at 18:14:51 +0100 (+0100), Craig Skinner wrote:
>> :Hello,
>> :
>> :Zombies are often attacking ports which don't have services running,
>> :such as telnet (most popular indeed), mysql, 3551, 8080, 13272, etc.
>>
> 
> Hi,
> 
> This is the exact reason why we created bofh-divert[1]. The idea is that
> you pass those packets with PF to a divert socket opened by a daemon.
> The daemon grabs the source IP and adds it to a predefined table.

I've used one of the inetd "trivial services" (echo, discard, chargen,
daytime or time) for this purpose, in combination with a couple of PF
rules. Something like this:

match in log on egress from any to  tag honeypot
pass in log tagged honeypot rdr-to 127.0.0.1 port echo keep state \
  (max-src-conn-rate 1/30, overload  flush global)


Regards,
/Benny


PS. Who named unlistened-to ports "zombies" anyway? I've never heard
that before. A zombie in a unix context has always been one thing and
one thing only - a dead process that has yet to be wait()ed for by its
parent.



Re: Adding zombies to a pf table?

2015-09-24 Thread Otto Moerbeek
On Thu, Sep 24, 2015 at 02:42:47PM +0200, Benny Lofgren wrote:

> On 2015-09-24 11:37, Pantelis Roditis wrote:
> > On 09/24/2015 11:39 AM, Peter Hessler wrote:
> >> On 2015 Sep 23 (Wed) at 18:14:51 +0100 (+0100), Craig Skinner wrote:
> >> :Hello,
> >> :
> >> :Zombies are often attacking ports which don't have services running,
> >> :such as telnet (most popular indeed), mysql, 3551, 8080, 13272, etc.
> >>
> > 
> > Hi,
> > 
> > This is the exact reason why we created bofh-divert[1]. The idea is that
> > you pass those packets with PF to a divert socket opened by a daemon.
> > The daemon grabs the source IP and adds it to a predefined table.
> 
> I've used one of the inetd "trivial services" (echo, discard, chargen,
> daytime or time) for this purpose, in combination with a couple of PF
> rules. Something like this:
> 
> match in log on egress from any to  tag honeypot
> pass in log tagged honeypot rdr-to 127.0.0.1 port echo keep state \
>   (max-src-conn-rate 1/30, overload  flush global)
> 
> 
> Regards,
> /Benny
> 
> 
> PS. Who named unlistened-to ports "zombies" anyway? I've never heard
> that before. A zombie in a unix context have always been one thing and
> one thing only - a dead process that has yet to be wait()ed for by its
> parent.

Zombie is also a PC taken over by malware.

-Otto



Re: Adding zombies to a pf table?

2015-09-24 Thread Craig Skinner
Thanks for all the helpful replies.

On 2015-09-23 Wed 18:14 PM |, Craig Skinner wrote:
> 
> Zombies are often attacking ports which don't have services running,
> such as telnet (most popular indeed), mysql, 3551, 8080, 13272, etc.
> 

This was logged from Friday - Monday (zombies love the weekend)...

Blocked logged connections from hosts in tables  & 

count destination
12957 25 tcp
5396 23 tcp
3703 22 tcp
1578 1433 tcp
 638 80 tcp
 545 5060 udp
 393 13282 udp
 373 13272 udp
 358 13281 udp
 330 13283 udp
 305 135 tcp
 281 53 udp
 269 3389 tcp
 222 123 udp
 210 443 tcp
 208 113 tcp
 194 3306 tcp
 192 8080 tcp
 124 445 tcp
 124 1900 udp
 118 9200 tcp
 102 1723 tcp
  93 63875 udp
  82 137 udp
  76 5902 tcp
  75  tcp
  74 5900 tcp
  70 3551 udp
  69 4899 tcp
  67 19 udp
  67 161 udp
  64 53413 udp
  61 5901 tcp
  56 502 tcp
  54 53 tcp
  52 50571 udp
  52 43022 udp
  50 111 udp
  48 2228 tcp
  48 2223 tcp
  47 110 tcp
  40 81 tcp
  40 3128 tcp
  38 91 tcp
  38 21320 tcp
  38 1701 udp
  34 520 udp
  32 2226 tcp
  32 2225 tcp
  32 2224 tcp
  31 8000 tcp
  30 5351 udp
  30 47808 udp
  30 139 tcp
  29 5093 udp
  29 49153 udp
  28 623 udp
  27 441 tcp
  26 27017 tcp
  26 1434 udp
  26 11211 tcp
  24 30022 tcp
  20 6379 tcp
  19 17 udp
  18 14435 tcp
  18 1234 tcp
  17 995 tcp
  17 143 tcp
  16 9443 tcp
  16 5903 tcp
  16 2227 tcp
  16 22012 tcp
  16 11911 tcp
  15 8081 tcp
  14 8800 tcp
  14 4000 tcp
  13 8443 tcp
  13 5000 tcp
  13 3443 tcp
  12  tcp
  12 5070 udp
  12 5062 udp
  12 5061 udp
  12 33436 udp
  11 5800 tcp
  10 8123 tcp
  10 8118 tcp
  10  tcp
  10 44818 udp
  10 2022 tcp
   9  tcp
   9 80 udp
   9  tcp
   9 442 tcp
   9 3444 tcp
   9 21 tcp
   9 2082 tcp
   9 10444 tcp
   8 9080 tcp
   8 9000 tcp
   8 843 tcp
   8 8291 tcp
   8 808 tcp
   8 8022 tcp
   8 8001 tcp
   8 7003 tcp
   8 6060 udp
   8 5905 tcp
   8 5904 tcp
   8 5069 udp
   8 5068 udp
   8 5067 udp
   8 5066 udp
   8 5065 udp
   8 5064 udp
   8 5063 udp
   8 5060 tcp
   8 34352 tcp
   8 27164 tcp
   8 26600 tcp
   8 25955 tcp
   8 22122 tcp
   8 2066 tcp
   8 2055 tcp
   8 2044 tcp
   8 2033 tcp
   8 1991 tcp
   8 1218 tcp
   8  tcp
   8 10155 tcp
   7 3 tcp
   7 2323 tcp
   7 2 tcp
   7 1911 tcp
   7 18000 tcp
   7 1337 tcp
   6 9797 tcp
   6 9393 tcp
   6 9090 tcp
   6 9001 tcp
   6 8140 tcp
   6 8090 tcp
   6 8089 tcp
   6 8086 tcp
   6 7808 tcp
   6 7547 tcp
   6 7004 tcp
   6  tcp
   6 63000 tcp
   6 6006 tcp
   6 5353 udp
   6 37564 tcp
   6 3 tcp
   6 3130 tcp
   6 3129 tcp
   6 25967 tcp
   6 2083 tcp
   6 18186 tcp
   6 14410 tcp
   6 1080 tcp
   5 9600 tcp
   5 9051 tcp
   5 5432 tcp
   5 5007 tcp
   5 1883 tcp
   5 12345 tcp
   5 11 tcp
   4 9993 tcp
   4 9987 udp
   4 9527 tcp
   4 9160 tcp
   4 902 tcp
   4 9010 tcp
   4 9009 tcp
   4 9008 tcp
   4 9007 tcp
   4 9006 tcp
   4 9005 tcp
   4 9004 tcp
   4 9003 tcp
   4 9002 tcp
   4 9 tcp
   4  udp
   4 8810 tcp
   4 8809 tcp
   4 8808 tcp
   4 8807 tcp
   4 8806 tcp
   4 8805 tcp
   4 8804 tcp
   4 8803 tcp
   4 8802 tcp
   4 8801 tcp
   4 8686 tcp
   4 8554 tcp
   4 8145 tcp
   4 8085 tcp
   4 8010 tcp
   4 8009 tcp
   4 8008 tcp
   4 8007 tcp
   4 8006 tcp
   4 8005 tcp
   4 8004 tcp
   4 8003 tcp
   4 8002 tcp
   4 8 tcp
   4 7778 tcp
   4 7443 tcp
   4 7005 tcp
   4 6443 tcp
   4 6080 udp
   4 6050 udp
   4 6022 tcp
   4 60022 tcp
   4 6001 tcp
   4 587 tcp
   4 55313 tcp
   4 5443 tcp
   4 51132 tcp
   4 5099 udp
   4 5098 udp
   4 5090 udp
   4 5080 udp
   4 5075 udp
   4 5038 tcp
   4 5022 tcp
   4 5010 tcp
   4 5009 tcp
   4 5008 tcp
   4 5006 tcp
   4 5005 tcp
   4 5004 tcp
   4 5003 tcp
   4 5002 tcp
   4 5001 tcp
   4 46536 tcp
   4 44818 tcp
   4  tcp
   4 4443 tcp
   4 4022 tcp
   4 4 tcp
   4 37191 tcp
   4 3493 tcp
   4 3264 tcp
   4 3263 tcp
   4 3262 tcp
   4 3261 tcp
   4 31337 tcp
   4 3000 tcp
   4 2701 tcp
   4 25557 tcp
   4 2443 tcp
   4 22322 tcp
   4  udp
   4 2049 tcp
   4 20288 tcp
   4 2001 tcp
   4 1755 tcp
   4 17185 udp
   4 15 tcp
   4 1443 tcp
   4 14226 tcp
   4 14 tcp
   4 13282 tcp
   4 13281 tcp
   4 13272 tcp
   4 13 tcp
   4 1283 tcp
   4 12 tcp
   4 1122 tcp
   4 10 tcp
   3 993 tcp
   3 9151 tcp
   3 82 tcp
   3 64738 udp
   3 500 udp
   3 4500 udp
   3 3780 tcp
   3 3460 tcp
   3 2480 tcp
   3 2152 udp
   3 21025 tcp
   3 20547 tcp
   3 19 tcp
   3 1604 udp
   3 1010 tcp
   2 9798 tcp
   2 8989 tcp
   2 8834 tcp
   2 88 udp
   2 873 tcp
   2 83 tcp
   2 8060 tcp
   2 7548 tcp
   2 69 udp
   2 6664 tcp
   2 64436 tcp
   2 63184 tcp
   2 62484 tcp
   2 6243 tcp
   2 61049 tcp
   2 60607 tcp
   2 60333 tcp
   2 59806 tcp
   2 59395 tcp
   2 57490 tcp
   2 57358 tcp
   2 5632 udp
   2 56067 tcp
   2 55650 tcp
   2 5560 tcp
   2 55107 tcp
   2 5364 tcp
   2 52072 tcp
   2 51546 tcp
   2 51483 tcp
   2 5148 tcp
   2 51065 tcp
   2 50787 tcp
   2 50009 tcp
   2 4911 tcp
   2 45925 tcp
   2 44877 tcp
   2 43501 tcp
   2 4343 tcp
   2 43192 tcp
   2 42741 tcp
   2 4040 tcp
   2 38956 

Re: Adding zombies to a pf table?

2015-09-24 Thread Craig Skinner
Hi Ted,

On 2015-09-23 Wed 13:51 PM |, Ted Unangst wrote:
> > 
> > Zombies are often attacking ports which don't have services running,
> > such as telnet (most popular indeed), mysql, 3551, 8080, 13272, etc.
> > 
> 
> block log those ports, then process the log file?
> 

Running tcpdump was my first thought too, via an rc.d started script,
but I wasn't too keen on having that running all the time.

Ta.
-- 
An elephant is a mouse with an operating system.
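The "block log those ports, then process the log file" approach Ted suggests, as an added example that is not Ted's or Craig's code: rather than keeping tcpdump running, a cron job reads the pflog text, extracts the source addresses of inbound blocked packets aimed at ports nothing listens on, and adds them to a pf table with pfctl. The table name <zombies>, the port list and the three pf.conf rules in the header comment are assumptions; the pflog lines embedded in the block are constructed in tcpdump's pflog output format, not captured from a real firewall. Since tcpdump prints both v4 and v6 addresses as addr.port, the same parsing covers IPv6 probes, which the divert daemon discussed elsewhere in this thread does not yet handle.

```shell
#!/bin/sh
# Added example, not Ted's or Craig's code: the "block log, then process
# the log file" approach. Run from cron against the live or rotated pflog;
# it extracts the source addresses of inbound blocked packets aimed at
# ports nothing listens on and adds them to a pf table. Assumed pf.conf,
# with a table name and port list that are mine:
#   table <zombies> persist
#   block in log quick from <zombies>
#   block in log on egress proto { tcp udp } to port { 23 3306 3551 8080 13272 }

ZOMBIE_PORTS="${ZOMBIE_PORTS:-23 3306 3551 8080 13272}"
TABLE="${TABLE:-zombies}"

# Read the text form of pflog (tcpdump -n -e -ttt -r /var/log/pflog) on stdin
# and print each source address once, for packets that were blocked inbound
# with a destination port in $ZOMBIE_PORTS. tcpdump prints addresses as
# addr.port for v4 and v6 alike, so splitting on the last dot handles
# 2001:db8::9.60000 as well as 203.0.113.5.51234.
zombie_ips() {
    awk -v ports="$ZOMBIE_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    / block in / {
        src = ""; dst = ""
        for (i = 2; i < NF; i++) if ($i == ">") { src = $(i - 1); dst = $(i + 1); break }
        if (src == "") next
        sub(/:$/, "", dst)                  # "198.51.100.1.23:" -> "198.51.100.1.23"
        dport = dst; sub(/.*\./, "", dport) # text after the last dot is the port
        if (!(dport in want)) next
        sip = src; sub(/\.[0-9]+$/, "", sip) # strip the source port
        if (!(sip in seen)) { seen[sip] = 1; print sip }
    }'
}

# Feed the addresses from zombie_ips to pfctl for the given table. With
# DRY_RUN set, print the pfctl command instead of running it.
add_to_table() {
    table=$1
    ips=$(zombie_ips)
    if [ -z "$ips" ]; then return 0; fi
    set -- $ips                               # one address per argument
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'pfctl -t %s -T add %s\n' "$table" "$*"
    else
        pfctl -t "$table" -T add "$@"
    fi
}

# Constructed pflog lines (not captured from a real firewall): one host
# probing telnet and mysql, a udp probe on 13272, a passed ssh connection,
# a blocked SMTP probe on a port outside the list, and an IPv6 probe on 8080.
SAMPLE_LOG='Sep 25 03:12:41.102938 rule 4/(match) block in on em0: 203.0.113.5.51234 > 198.51.100.1.23: S 1552103433:1552103433(0) win 8192
Sep 25 03:12:42.551200 rule 4/(match) block in on em0: 203.0.113.5.51235 > 198.51.100.1.3306: S 2202931100:2202931100(0) win 8192
Sep 25 03:13:07.000412 rule 4/(match) block in on em0: 203.0.113.77.4000 > 198.51.100.1.13272: udp 412
Sep 25 03:13:09.771023 rule 2/(match) pass in on em0: 192.0.2.10.40001 > 198.51.100.1.22: S 99:99(0) win 65535
Sep 25 03:13:11.220000 rule 4/(match) block in on em0: 198.51.100.200.5555 > 198.51.100.1.25: S 7:7(0) win 1024
Sep 25 03:14:02.000001 rule 4/(match) block in on em0: 2001:db8::9.60000 > 2001:db8:1::1.8080: S 5:5(0) win 1024'

case "${1:-}" in
--demo) DRY_RUN=1; printf '%s\n' "$SAMPLE_LOG" | add_to_table "$TABLE" ;;
--cron) tcpdump -n -e -ttt -r /var/log/pflog 2>/dev/null | add_to_table "$TABLE" ;;
esac
```

With --demo the constructed lines yield one pfctl command naming 203.0.113.5, 203.0.113.77 and 2001:db8::9; the SMTP probe is ignored because 25 is not in the list and the ssh connection because it was passed, not blocked. Hosts already in the table hit the quick block rule and are simply re-added, which pfctl treats as a no-op.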



Re: Adding zombies to a pf table?

2015-09-24 Thread Craig Skinner
Hi Pantelis,

On 2015-09-24 Thu 12:37 PM |, Pantelis Roditis wrote:
> 
> This is the exact reason why we created bofh-divert[1]. The idea is that you
> pass those packets with PF to a divert socket opened by a daemon. The daemon
> grabs the source IP and adds it to a predefined table.
> 

Wow, that looks like the ticket.

If nothing else, I was considering a fake inetd driven telnet daemon,
which would just be a script to drive netcat, grab the remote ip & pfctl
add it to a table.

With pf re-directs to it for commonly attacked ports, finishing up with:
block in log from 

Cheers.
-- 
The only possible interpretation of any research whatever in the
`social sciences' is: some do, some don't.
-- Ernest Rutherford



Re: Adding zombies to a pf table?

2015-09-24 Thread Craig Skinner
On 2015-09-24 Thu 14:42 PM |, Benny Lofgren wrote:
> 
> I've used one of the inetd "trivial services" (echo, discard, chargen,
> daytime or time) for this purpose, in combination with a couple of PF
> rules. Something like this:
> 
> match in log on egress from any to  tag honeypot
> pass in log tagged honeypot rdr-to 127.0.0.1 port echo keep state \
>   (max-src-conn-rate 1/30, overload  flush global)
> 


Ahhh! Cunning plan Benny.

I shall play...

> 
> PS. Who named unlistened-to ports "zombies" anyway?

http://en.wikipedia.org/wiki/Zombie_computer

Cool.
-- 
It is only the great men who are truly obscene.
If they had not dared to be obscene,
they could never have dared to be great.
-- Havelock Ellis



PF stops accepting packets after ~2 days on -current

2015-09-24 Thread Mattieu Baptiste
Hi,

Since the recent mp network hackathon two weeks ago, I'm seeing very
strange behavior on my gateway (PC-Engine APU on -current/amd64).

After about 2 days, the box stops accepting "external" traffic,
although everything seems normal when connected on serial.

I dug a bit and it seems related to PF. When PF is disabled, the box
is responding from the network. When PF is enabled (even with a simple
"pass log all"), no packets seem to pass: when pinging from another
host, I'm seeing requests, but no reply. On the pflog side, nothing is
blocked.

Traffic originated from the box is OK: I can ping other hosts on the network.

I tried reloading rules, flushing states, nothing helped. Rebooting
seems to be the only way to be back to normal.

I'm out of ideas how to debug this situation. Any clues ?

-- 
Mattieu Baptiste
"/earth is 102% full ... please delete anyone you can."



Re: Making IPv6 NAT prefer privacy address

2015-09-24 Thread Devin Reade
> On Sep 24, 2015, at 07:49, Giancarlo Razzolini  wrote:
> 
> Em 24-09-2015 08:36, Stuart Henderson escreveu:
>> What is the purpose of IPv6? The main purpose that I see is "ability to
>> continue getting internet addresses after v4 runout". (If it had been left
>> at that and didn't change a bunch of other things at the same time, perhaps
>> more people would be using it already).
> 
> This sure is the purpose now. Short term. But one of the main reasons
> the address space is so large, is for every connected device be
> accessible from every other.

Another consideration that has entered the picture since that idea came out, 
though, is how much easier it will be in the non-NAT world for advertisers or 
whomever to track individuals' behaviour. Not everyone likes that. 



Re: xrandr: Failed to get size of gamma for output default

2015-09-24 Thread Aaron Poffenberger

On 09/20/15 16:35, Aaron Poffenberger wrote:

I mentioned this in my dmesg for the Thinkpad T450s but thought it might
also help others who have seen or may later see this issue to pull it
out as a separate email.

In addition to the xrandr issue below I can't change backlight settings.
Noting here in case they're related.

$ xrandr
xrandr: Failed to get size of gamma for output default
Screen 0: minimum 1920 x 1080, current 1920 x 1080, maximum 1920 x 1080
default connected 1920x1080+0+0 0mm x 0mm
   1920x1080  0.00*

$ xbacklight -set 50
No outputs have backlight property

Any thoughts or suggestions?

Cheers,

--Aaron







This issue is resolved with the build from 2015-09-23.

This is now what I get back from xrandr:

Screen 0: minimum 8 x 8, current 1920 x 1080, maximum 32767 x 32767
eDP1 connected 1920x1080+0+0 (normal left inverted right x axis y axis) 
309mm x 174mm

   1920x1080 60.02*+
   1400x1050 59.98
   1280x1024 60.02
   1280x960  60.00
   1024x768  60.00
   800x600   60.32    56.25
   640x480   59.94
DP1 disconnected (normal left inverted right x axis y axis)
DP2 disconnected (normal left inverted right x axis y axis)
HDMI1 disconnected (normal left inverted right x axis y axis)
HDMI2 disconnected (normal left inverted right x axis y axis)
VIRTUAL1 disconnected (normal left inverted right x axis y axis)

And with a monitor connected to Display Port with a DP -> DVI adapter:

Screen 0: minimum 8 x 8, current 3840 x 1080, maximum 32767 x 32767
eDP1 connected 1920x1080+1920+0 (normal left inverted right x axis y 
axis) 309mm x 174mm

   1920x1080 60.02*+
   1400x1050 59.98
   1280x1024 60.02
   1280x960  60.00
   1024x768  60.00
   800x600   60.32    56.25
   640x480   59.94
DP1 disconnected (normal left inverted right x axis y axis)
DP2 disconnected (normal left inverted right x axis y axis)
HDMI1 connected 1920x1080+0+0 (normal left inverted right x axis y axis) 
510mm x 287mm

   1920x1080 60.00*+
   1600x1200 60.00
   1680x1050 59.88
   1280x1024 60.02
   1440x900  59.90
   1280x960  60.00
   1280x800  59.91
   1024x768  60.00
   800x600   60.32    56.25
   640x480   60.00
HDMI2 disconnected (normal left inverted right x axis y axis)
VIRTUAL1 disconnected (normal left inverted right x axis y axis)

xbacklight -set also works.

Thanks!

--Aaron



Re: network config question

2015-09-24 Thread Kapetanakis Giannis

On 24/09/15 22:41, patrick keshishian wrote:

Hi,

I'm pretty sure I'm over-thinking this, so I thought I'd step back and
see if I can get some hints as how this sort of a set-up is done
"properly" by pros.


Say, existing set up:

[internet] -- [pf] -- [ public-ip-net/24 ]


Want to add/connect a private 192.168.0/24 to existing [ public-ip-net/24]:

... [ public-ip-net/24] -?- [ obsd box ] -- [ 192.168.0/24 ]


Goals:
1. Hosts in both networks "talk" with one another freely.
e.g., hosts in existing network see hosts in to-be-added 192
network, as they are; i.e., not NAT-ed. And vice versa.
2. Hosts in 192.168.0/24 have access to the internet through
the same/existing gateway.


I lack some knowledge wrt to the subject, where I think, I am
filling the "holes" with, possibly, far too complicated ideas.

Appreciate any and all help offered.

Thanks,
--patrick


First of all you don't need a second obsd/pf router for this.

Either put the private network on a secondary ip on the same 
vlan/interface as the public

or use a new vlan/interface for the private network.

pf can be tuned to fit your filtering needs.

Do the nat on [pf] box only for packets going out on its egress interface.

G



Re: Recommended miniPCI express wireless module for PC Engines' APU system board?

2015-09-24 Thread Adam Thompson

On 15-09-23 05:01 PM, Mike Bregg wrote:
I'm using an APU as a firewall/router and it works very well.  
However, after experimenting with some different wireless cards, I 
actually opted to install a separate EnGenius EAP600 Access Point on 
the main floor of my house, using PoE to run to the router/switch.


[OT, sorry...]

One word of warning: don't *ever* put an EnGenius AP outside the 
firewall... it has an open DNS resolver running on it that you can't 
disable.  Found that out the hard way when I used an EAP600 to bridge a 
cable modem connection to a router in another room :-(.


-Adam



Re: network config question

2015-09-24 Thread Daniel Melameth
On Thu, Sep 24, 2015 at 1:41 PM, patrick keshishian  wrote:
> I'm pretty sure I'm over-thinking this, so I thought I'd step back and
> see if I can get some hints as how this sort of a set-up is done
> "properly" by pros.
>
> Say, existing set up:
>
> [internet] -- [pf] -- [ public-ip-net/24 ]
>
> Want to add/connect a private 192.168.0/24 to existing [ public-ip-net/24]:
>
> ... [ public-ip-net/24] -?- [ obsd box ] -- [ 192.168.0/24 ]
>
> Goals:
> 1. Hosts in both networks "talk" with one another freely.
>e.g., hosts in existing network see hosts in to-be-added 192
>network, as they are; i.e., not NAT-ed. And vice versa.
> 2. Hosts in 192.168.0/24 have access to the internet through
>the same/existing gateway.
>
> I lack some knowledge wrt to the subject, where I think, I am
> filling the "holes" with, possibly, far too complicated ideas.

Is it possible to add another NIC or VLAN interface to the existing pf
box?  If so, this is how I'd do it and have the pf box route between
the two subnets.
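A pf.conf fragment for the set-up both replies describe (a VLAN for 192.168.0/24 on the existing pf box, NAT applied only on its egress), as an added example that is not from the thread; the interface names, the VLAN tag and the public prefix are assumptions.

```pf
# Added example, not from the thread.  pf.conf fragment for the existing
# [pf] gateway after the 192.168.0/24 network is put on its own VLAN.
# Assumed: em0 is the egress, em1 carries the public /24, vlan10 carries
# the private /24, and 203.0.113.0/24 stands in for the real public prefix.
ext_if   = "em0"
pub_if   = "em1"
priv_if  = "vlan10"
pub_net  = "203.0.113.0/24"
priv_net = "192.168.0.0/24"

set skip on lo

# Goal 2: translate the private network only when it leaves on the egress
# interface.  Because the rule is bound to $ext_if, traffic between the
# two local networks is never rewritten.
match out on $ext_if inet from $priv_net to any nat-to ($ext_if)

block log all

# Goal 1: both local networks see each other with their real addresses.
# Goal 2: anything else from 192.168.0/24 is routed out $ext_if, where the
# match rule above applies the translation.
pass in  on $priv_if inet from $priv_net to any
pass in  on $pub_if  inet from $pub_net  to any
pass out on { $ext_if $pub_if $priv_if } inet

# Check with "pfctl -s state": states leaving $ext_if for private hosts
# should show the egress address as source, not 192.168.0.x.
```

Private hosts use the pf box's vlan10 address as their default gateway; hosts on the public /24 already route through the pf box, so they need no extra route for 192.168.0/24.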



Re: Making IPv6 NAT prefer privacy address

2015-09-24 Thread Giancarlo Razzolini
Em 24-09-2015 16:51, Devin Reade escreveu:
> Another consideration that has entered the picture since that idea came out, 
> though, is how much easier it will be in the non-NAT world for advertisers or 
> whomever to track individuals' behaviour. Not everyone likes that. 

Hence privacy address extensions and non-temporary address
associations. In hindsight, it was a poor choice to make IPv6 addresses
based on MAC addresses, given the advancements in pseudo-random number
generation. The fact is that OpenBSD and the other OSes should prefer
privacy addresses for everything (even pf itself). This already happens on
some Linux configurations, where you have a semi-stable privacy address
at any given time on an interface, and only that kind of address, not the
MAC address based form.

Anyway, this ULA NAT will surely have its uses, especially now at
the beginning of the IPv4 to IPv6 migration. What Stuart mentioned, that
most network administrators were born in a world already needing
NAT, has a big impact on this. Still, it's not a substitute for a proper
implementation and might even slow IPv6 deployment for a while. But with
the advent of more devices in the IPv6 world, the so called internet of
things, NAT will have a performance hit on that, so it will eventually
fade away, hopefully.

Cheers,
Giancarlo Razzolini



Re: Making IPv6 NAT prefer privacy address

2015-09-24 Thread Stefan Sperling
On Thu, Sep 24, 2015 at 05:25:31PM -0300, Giancarlo Razzolini wrote:
> The fact is, that OpenBSD and the other OS's should prefer
> privacy address for everything (even pf itself). This already happens on
> some linux configurations, where you have a semi stable privacy address
> any given time on a interface, and only that kind of address, not the
> MAC address based form.

OpenBSD has been defaulting to autoconfprivacy addresses as
source address for outgoing connections since 2012.
http://marc.info/?l=openbsd-cvs&m=134557868416796&w=2



Re: Recommended miniPCI express wireless module for PC Engines' APU system board?

2015-09-24 Thread Mike Bregg
On Thu, Sep 24, 2015 at 5:28 PM, Adam Thompson  
wrote:
> On 15-09-23 05:01 PM, Mike Bregg wrote:
> > I'm using an APU as a firewall/router and it works very well.
> > However, after experimenting with some different wireless cards, I
> > actually opted to install a separate EnGenius EAP600 Access Point on
> > the main floor of my house, using PoE to run to the router/switch.
>
> [OT, sorry...]
>
> One word of warning: don't *ever* put an EnGenius AP outside the
> firewall... it has an open DNS resolver running on it that you can't
> disable. Found that out the hard way when I used an EAP600 to bridge a
> cable modem connection to a router in another room :-(.
>
> -Adam
Good to know, thanks for the heads up Adam.
Mike



Re: doas and home directory of target user

2015-09-24 Thread Joel Rees
At any rate, I have convinced myself that doas follows the manual page
in preserving the calling user's key environment variables, including
HOME and USER.

I had not grasped that this was considered desired behavior, so did
not initially read it that way. I still think the man page is a little
confusing, but do not at the moment have any suggestions for
clarifying things. (Now I'm not sure what doas is for, other than for
running build scripts more safely, which I think it will be much more
reliable at than sudo.)

For the purpose below (allowing running firefox as a non-login user),
I've installed sudo, and note that sudo -s now passes quoted strings
as if the string itself were the command, such that scripts that were

sudo -H -u user2 -s "cd; command"

must now explicitly say sh -c, as

sudo -H -u user2 sh -c "cd; command"

For the larger purpose, providing a reliable sandbox, I'm going to see
whether chroot would allow me to use a non-login user as proxy user
for the stupid (pardon my French) bloated web browsers.

On Wed, Sep 23, 2015 at 8:29 AM, Joel Rees  wrote:
> Thank you, Dan, Ben, and Frank. I see that I have left out some
> important information:
>
> user2 is specified as a non-login class of user in /etc/login.conf,
> auth=reject: shell=/sbin/nologin, and has a default shell of
> /sbin/nologin in /etc/passwd .
>
> On Tue, Sep 22, 2015 at 5:41 PM, Joel Rees  wrote:
>> I have this rule in doas.conf:
>>
>> permit nopass user1 as user2
>>
>> As user1, I try this at the command line:
>>
>> doas -u user2 whoami
>>
>> and it tells me I am user2, as I expect. And
>>
>>doas -u user2 ls
>>
>> tells me I don't have permission. I kind of expect this.
>>
>> I'm looking for a way to do the equivalent of
>>
>> sudo -u user2 -s "cd; ls"
>>
>> I don't see a way to do this with doas, at least not without a short
>> intermediary script, which script is not going to be able to do cd ~/.
>>
>> Should I assume that doas is not intended to do this sort of thing?
>
> With this intermediary script:
>
> #! /bin/sh
> export USER=user2
> . /etc/ksh.kshrc
> printenv
> ls
>
> I get
>
> MAIL=/var/mail/user1
> LOGNAME=user1
> HOME=/home/classU/user1
> 
> PATH=/home/classU/user1/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games:.
> DISPLAY=:0.0
> TERM=xterm
> USER=user2
> ls: .: Permission denied
>
> Which, I guess, does surprise me.
>
>> (And therefore [I should] do things "right" by setting up ssh with public-key
>> authentication to do the user switch?)
>
> Which would also require enabling login for user2. (I tried this
> without thinking yesterday.)
>
>> (Or go all out and set up chroot to run an instance of X11 and firefox? ;-/
>> )
>
> Would this also require enabling login?
>
> --
> Joel Rees
>
> Be careful when you look at conspiracy.
> Arm yourself with knowledge of yourself, as well:
> http://reiisi.blogspot.jp/2011/10/conspiracy-theories.html



-- 
Joel Rees

Be careful when you look at conspiracy.
Arm yourself with knowledge of yourself, as well:
http://reiisi.blogspot.jp/2011/10/conspiracy-theories.html



Treatment to control Gastritis naturally.

2015-09-24 Thread Basta de Gastritis
The natural way to eliminate gastritis starts from the causes.

“Gastritis” is caused by digestive problems and poor functioning of the
immune system,
the result of an incorrect diet and bad habits.

The root must be cured, “The Root Is Lifestyle Habits”; otherwise
nothing effective will happen
no matter how many antacids, antibiotics or simple home remedies we take.
Not even surgery solves it.
On the contrary, all of this complicates the problem.

The natural and definitive cure is achieved by applying a set of
techniques that you can learn about
by visiting our web page by Clicking Here

**
**
IF YOU WISH TO UNSUBSCRIBE Click Here to be removed immediately
**
***



dig and DNSSEC

2015-09-24 Thread Etienne

Hello there,

Is there any chance that dig (src/usr.sbin/bind/bin/dig/) could be built 
with -DDIG_SIGCHASE to enable dnssec verification in future releases? 
Where would be a proper place to request that?


Cheers,

--
Étienne



network config question

2015-09-24 Thread patrick keshishian
Hi,

I'm pretty sure I'm over-thinking this, so I thought I'd step back and
see if I can get some hints as how this sort of a set-up is done
"properly" by pros.


Say, existing set up:

[internet] -- [pf] -- [ public-ip-net/24 ]


Want to add/connect a private 192.168.0/24 to existing [ public-ip-net/24]:

... [ public-ip-net/24] -?- [ obsd box ] -- [ 192.168.0/24 ]


Goals:
1. Hosts in both networks "talk" with one another freely.
   e.g., hosts in existing network see hosts in to-be-added 192
   network, as they are; i.e., not NAT-ed. And vice versa.
2. Hosts in 192.168.0/24 have access to the internet through
   the same/existing gateway.


I lack some knowledge wrt to the subject, where I think, I am
filling the "holes" with, possibly, far too complicated ideas.

Appreciate any and all help offered.

Thanks,
--patrick



Re: mini itx from intel

2015-09-24 Thread abyxcos
On Sun, Sep 20, 2015, at 08:50 AM, frantisek holop wrote:
> does anyone happen to have any of these?
> http://www.intel.com/content/www/us/en/nuc/nuc-comparison.html
> 
> plz send dmesg if possible.
> 
> -f
> -- 
> loose lips sinks ships
> 

Intel NUC 54250WYK, everything seems to work, prone to over-heating the
wifi/mSATA cards though.

OpenBSD 5.7 (GENERIC.MP) #2: Mon Jul 27 16:16:48 CEST 2015

r...@stable-57-amd64.mtier.org:/binpatchng/work-binpatch57-amd64/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8498167808 (8104MB)
avail mem = 8268029952 (7885MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xec170 (83 entries)
bios0: vendor Intel Corp. version "WYLPT10H.86A.0026.2014.0514.1714"
date 05/14/2014
bios0: Intel Corporation D54250WYK
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT SSDT SSDT MCFG HPET SSDT SSDT
DMAR CSRT
acpi0: wakeup devices PS2K(S3) PS2M(S3) PXSX(S4) RP01(S4) PXSX(S4)
RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PXSX(S4) RP05(S4) PXSX(S4)
RP06(S4) PXSX(S4) RP07(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5-4250U CPU @ 1.30GHz, 2295.05 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i5-4250U CPU @ 1.30GHz, 2294.69 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Core(TM) i5-4250U CPU @ 1.30GHz, 2294.69 MHz
cpu2:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 1, core 0, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Core(TM) i5-4250U CPU @ 1.30GHz, 2294.69 MHz
cpu3:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 1, core 1, package 0
ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 40 pins
acpimcfg0 at acpi0 addr 0xf800, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (RP01)
acpiprt2 at acpi0: bus 2 (RP04)
acpiprt3 at acpi0: bus -1 (PEG0)
acpiec0 at acpi0: not present
acpicpu0 at acpi0: C2, C1, PSS
acpicpu1 at acpi0: C2, C1, PSS
acpicpu2 at acpi0: C2, C1, PSS
acpicpu3 at acpi0: C2, C1, PSS
acpipwrres0 at acpi0: FN00, resource for FAN0
acpipwrres1 at acpi0: FN01, resource for FAN1
acpipwrres2 at acpi0: FN02, resource for FAN2
acpipwrres3 at acpi0: FN03, resource for FAN3
acpipwrres4 at acpi0: FN04, resource for FAN4
acpitz0 at acpi0: critical temperature is 105 degC
acpitz1 at acpi0: critical temperature is 105 degC
acpibat0 at acpi0: BAT0 not present
acpibat1 at acpi0: BAT1 not present
acpibat2 at acpi0: BAT2 not present
acpibtn0 at acpi0: PWRB
acpibtn1 at acpi0: LID0
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD1F
cpu0: Enhanced SpeedStep 2295 MHz: speeds: 1901, 1900, 1800, 1700, 1600,
1500, 1400, 1300, 1200, 1100, 1000, 900, 800, 779 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Core 4G Host" rev 0x09
vga1 at pci0 dev 2 function 0 "Intel HD Graphics 5000" rev 0x09
intagp at vga1 not configured
inteldrm0 at vga1
drm0 at inteldrm0
error: [drm:pid0:i915_write32] *ERROR* Unknown unclaimed register before
writing to 10
inteldrm0: 1920x1080
wsdisplay0 at vga1 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
azalia0 at pci0 dev 3