Re: groupdel 'command' don't remove group id

2016-03-15 Thread Paul de Weerd
On Wed, Mar 16, 2016 at 07:10:09AM +0100, Max Power wrote:
| Hi Todd, guys.
| 
| Logout and reboot were the first things I did,
| but nothing... the gid is always there!
| 
| The group does not exist but the gid does!
| # groups testx: group: can't find group 'testx'
| # id testx: uid=1001(testx) gid=1001 groups=1001, 1000(laboratory)

The gid id reports here is the group that's configured in your passwd
file.  The line will look like this:

testx:*:1001:1001:Test User:/home/testx:/bin/ksh
             ^^^^

That's the GID right there.  A user always has a login group that's
configured in /etc/passwd.  If you don't want this group to be used,
don't put users in it (either in /etc/group as additional groups or in
/etc/passwd as the login group).

Cheers,

Paul 'WEiRD' de Weerd

| I just cannot understand this!
| can someone please help me?
| Thanks.
| 
| The same situation, with another deleted group, is on another server with
| OpenBSD 5.7 amd64.
| 
| > A user's active groups are set at login time.  Removing a group
| > from the group file does not affect processes that are already
| > running.  If you logout and login again after removing the group
| > you should no longer be a member of the group.
| >
| >  - todd
| 

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
 http://www.weirdnet.nl/ 
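An added example to go with Paul's explanation (my code, not his and not anything from OpenBSD): groupdel(8) only removes the group(5) line, so the check a practitioner wants before deleting a group is "where is this gid still referenced?", which means the fourth field of every passwd(5) line plus any remaining group(5) line. The two file contents below are constructed to mirror the thread (gid 1001 already gone from the group file but still testx's login group); the field layouts are the standard passwd(5)/group(5) ones.

```c
/* Added example, not from the thread: find where a gid is still referenced
 * in passwd(5) and group(5) data. groupdel(8) removes the group(5) line
 * only; the login group in the fourth passwd field is what id(1) keeps
 * reporting. The two file contents are constructed to mirror the thread:
 * gid 1001 has been removed from the group file but is still testx's
 * login group. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy colon-separated field `idx` (0-based) of `line` into out. */
static int field(const char *line, int idx, char *out, size_t len)
{
    const char *p = line, *q;
    size_t n;

    while (idx-- > 0) {
        if ((p = strchr(p, ':')) == NULL) return -1;
        p++;
    }
    q = strpbrk(p, ":\n");
    n = q ? (size_t)(q - p) : strlen(p);
    if (n >= len) return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Numeric field, or -1 when it is missing or not a number. */
static long numeric_field(const char *line, int idx)
{
    char buf[16], *end;
    long v;

    if (field(line, idx, buf, sizeof buf) == -1 || buf[0] == '\0') return -1;
    v = strtol(buf, &end, 10);
    return *end == '\0' ? v : -1;
}

/* passwd(5): name:password:uid:gid:gecos:home:shell, so gid is field 3. */
long passwd_login_gid(const char *line) { return numeric_field(line, 3); }

/* group(5): name:password:gid:members, so gid is field 2. */
long group_gid(const char *line) { return numeric_field(line, 2); }

/* Number of records in `text` (one per line) whose gid_of() equals gid. */
int count_gid_records(const char *text, long gid, long (*gid_of)(const char *))
{
    int n = 0;
    const char *p = text;

    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];

        if (len < sizeof line) {          /* skip absurdly long lines */
            memcpy(line, p, len);
            line[len] = '\0';
            if (gid_of(line) == gid) n++;
        }
        p = nl ? nl + 1 : p + len;
    }
    return n;
}

/* Constructed sample data: what the files might hold after `groupdel testx`. */
const char sample_passwd[] =
    "root:*:0:0:Charlie &:/root:/bin/ksh\n"
    "testx:*:1001:1001:Test User:/home/testx:/bin/ksh\n"
    "alice:*:1002:1000:Alice:/home/alice:/bin/ksh\n";
const char sample_group[] =
    "wheel:*:0:root\n"
    "laboratory:*:1000:testx,alice\n";

int main(void)
{
    long gid = 1001;
    int in_passwd = count_gid_records(sample_passwd, gid, passwd_login_gid);
    int in_group  = count_gid_records(sample_group, gid, group_gid);

    printf("gid %ld: %d passwd login-group reference(s), %d group(5) line(s)\n",
           gid, in_passwd, in_group);
    if (in_passwd > 0 && in_group == 0)
        puts("dangling login group: change those users' login group in passwd");
    return 0;
}
```

On a real system you would feed the contents of /etc/passwd and /etc/group to count_gid_records instead of the constructed strings; a non-zero passwd count with a zero group count is exactly the state Max is seeing.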



Re: groupdel 'command' don't remove group id

2016-03-15 Thread Max Power
Hi Todd, guys.

Logout and reboot were the first things I did,
but nothing... the gid is always there!

The group does not exist but the gid does!
# groups testx: group: can't find group 'testx'
# id testx: uid=1001(testx) gid=1001 groups=1001, 1000(laboratory)

I just cannot understand this!
can someone please help me?
Thanks.

The same situation, with another deleted group, is on another server with
OpenBSD 5.7 amd64.

> A user's active groups are set at login time.  Removing a group
> from the group file does not affect processes that are already
> running.  If you logout and login again after removing the group
> you should no longer be a member of the group.
>
>  - todd



Re: Raspberrypi 3 was released

2016-03-15 Thread Michael Motyka
> On Mar 14, 2016, at 02:42, Karel Gardas wrote:
>
>> On Mon, Mar 14, 2016 at 10:07 AM, Roderick wrote:
>> What about AMD Opteron A-Series? Does OpenBSD run on it?
>>
>> http://www.amd.com/en-us/products/server/opteron-a-series
>
> No and unfortunately reference doc is still under NDA. Also no answer
> here: https://community.amd.com/thread/196120
>
> I'm not sure about broadcom in RPi3, but I've tried to get doc from
> AMCC for their X-Gene and from Cavium for their ThunderX but no
> success so far. The only meaningful thing (i.e. performance higher
> than A53 which is also in RPi3) with doc released is Nvidia's
> Tegra-X1.
>
> If you are a fan of ARMv8 and you'd like to see this moving forward,
> perhaps you can give a try to drahn_arm64 branch in bitrig project
> git tree... IMHO thing which may be closest to OpenBSD tree...

It seems to me that as time passes there will be additional armv8 choices. If
I were to devote cycles to it, it would seem preferable to work in the context
of the real thing instead of something close. Is that poor reasoning?

Also, even though the Pi3 has its blob problems, it is inexpensive and may not
be a bad way to get a v8 foundation in place. Again, is this wrong?



ntop on openbsd

2016-03-15 Thread Indunil Jayasooriya
Hi,

I installed ntop by going to /usr/ports/net/ntop/ (then make, make install).


How do I run it in web mode?

When I type the command below

 ntop -w 3000 -d

it gives this output:

-w mode is disabled for security reasons.

I want to see traffic via web browser.


How can I achieve this ?


Just a source:

http://www.computerglitch.net/blog/attic/ntop-2-0-on-openbsd.html


-- 
cat /etc/motd

Thank you
Indunil Jayasooriya
http://www.theravadanet.net/
http://www.siyabas.lk/sinhala_how_to_install.html   -  Download Sinhala
Fonts



Re: wireshark illegal instruction on older systems

2016-03-15 Thread Christian Weisgerber
On 2016-03-15, Stuart Henderson wrote:

> Looks like Qt autodetects at build time, we probably want to configure
> on i386 with no-avx, no-avx2, no-sse4.1, no-sse4.2, maybe no-ssse3.
> (SSE2 is probably reasonable to expect for Qt5 apps, it's present on
> Netburst, Pentium-M, Atom, C7 etc. which seems a sane cut-off point
> for heavy GUI apps).

Well, Peter did attempt to run it on Pentium II, which doesn't have
SSE2.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: openbsd.org, openssh.com server(s) down

2016-03-15 Thread Tobias Feldhaus
Failing PSU AFAIK from IRC.


> On 15 Mar 2016, at 19:56, Gene wrote:
>
>> On Tue, Mar 15, 2016 at 7:22 AM, Martin Schröder wrote:
>>
>> 2016-03-15 14:31 GMT+01:00 Rudolf Sykora :
>>> is it only I who cannot connect to either
>>> of openbsd.org and openssh.com, or
>>
>> Nope.
>> http://www.downforeveryoneorjustme.com/openbsd.org
>>
>> Best
>>   Martin
>
> They're back up.
>
> Any info on what caused the outage? (Just curious)
>
> -Gene



Re: groupdel 'command' don't remove group id

2016-03-15 Thread Todd C. Miller
A user's active groups are set at login time.  Removing a group
from the group file does not affect processes that are already
running.  If you logout and login again after removing the group
you should no longer be a member of the group.

 - todd



Re: /usr/games/hack

2016-03-15 Thread Raul Miller
On Tue, Mar 15, 2016 at 3:52 PM, Kamil Cholewiński wrote:
> setgid is setgid, you give unprivileged users an executable they can
> play with.

... and a successful hack means that they can corrupt the score file.

> A daemon can open a descriptor to the score file at startup, chroot,
> drop privileges, and only then start accepting connections.

Which leads to:

> I can't think of a way a networked setgid could ever be possible.
> Ultimately it means the score server would have to somehow trust the
> input from whichever program is sending the score.

I can think of ways a networked setgid could be made to work, but each
involves significant hassle and annoyance.

That said, I can think of another networked approach which should work
fine for low volume use (but winds up being vulnerable to spam attacks
- and of course is significantly more complicated than setgid).

But what's so bad about giving unprivileged users an executable they
can play with, in this specific case? Personally, I can think of more
important things to worry about...

--
Raul



Re: /usr/games/hack

2016-03-15 Thread Theo de Raadt
> > You propose to start a score daemon all the time?  Yes, you do...
> 
> I didn't suggest it to be enabled by default. Administrator's choice.
> Users can spawn private instances. No more dangerous than installing
> openarena-server from ports.
> 
> Not a score daemon but a game server. If it's a simple daemon keeping
> scores, it couldn't stop users from submitting any score they please and
> thus cheating.

It gains nothing.



Re: /usr/games/hack

2016-03-15 Thread Kamil Cholewiński
On Tue, 15 Mar 2016, Raul Miller wrote:
> On Tue, Mar 15, 2016 at 3:04 PM, Kamil Cholewiński wrote:
>> I didn't suggest it to be enabled by default. Administrator's choice.
>> Users can spawn private instances. No more dangerous than installing
>> openarena-server from ports.
>>
>> Not a score daemon but a game server. If it's a simple daemon keeping
>> scores, it couldn't stop users from submitting any score they please and
>> thus cheating.
>
> How is a game server better security (or better anything) than setgid
> for these games?

setgid is setgid, you give unprivileged users an executable they can
play with.

A daemon can open a descriptor to the score file at startup, chroot,
drop privileges, and only then start accepting connections.

> In my opinion:
>
> You'd basically have to rewrite everything from scratch to turn them
> into game servers. And, ok, that might make a fun project for someone
> with an MVC bent and an intense interest in game archeology, but the
> development/debugging issues here are daunting (and offer lots of
> potential for security holes).

Agree. Probably easier to write a couple of new, fun games from scratch.

> Meanwhile, if you trim that back to just a score server, you need to
> create a networked equivalent of setgid - maybe not a bad project in
> itself, but more opportunity for flaws.

I can't think of a way a networked setgid could ever be possible.
Ultimately it means the score server would have to somehow trust the
input from whichever program is sending the score.

Perhaps embed a signing key in the executable and chmod 111?
Infrastructural mess, keys would have to be different per each install.
Also not sure how to keep the user away from inspecting a core dump.

Perhaps there could be a way to let an unprivileged process exchange one
set of capabilities for another; like pledge, but a trade. "In exchange
for this cookie, I promise I will only ever write /var/games/scores".
Probably would end up having similar problems as setgid.

> But maybe you have some working code which shows otherwise? (Have you
> you looked at how these games were implemented?)
>
> Thanks,
>
> --
> Raul



Re: /usr/games/hack

2016-03-15 Thread Raul Miller
On Tue, Mar 15, 2016 at 3:04 PM, Kamil Cholewiński wrote:
> I didn't suggest it to be enabled by default. Administrator's choice.
> Users can spawn private instances. No more dangerous than installing
> openarena-server from ports.
>
> Not a score daemon but a game server. If it's a simple daemon keeping
> scores, it couldn't stop users from submitting any score they please and
> thus cheating.

How is a game server better security (or better anything) than setgid
for these games?

In my opinion:

You'd basically have to rewrite everything from scratch to turn them
into game servers. And, ok, that might make a fun project for someone
with an MVC bent and an intense interest in game archeology, but the
development/debugging issues here are daunting (and offer lots of
potential for security holes).

Meanwhile, if you trim that back to just a score server, you need to
create a networked equivalent of setgid - maybe not a bad project in
itself, but more opportunity for flaws.

But maybe you have some working code which shows otherwise? (Have you
looked at how these games were implemented?)

Thanks,

--
Raul



Re: /usr/games/hack

2016-03-15 Thread Edgar Pettijohn
/usr/games/scored

Sent from my iPhone

> On Mar 15, 2016, at 2:04 PM, Kamil Cholewiński wrote:
>
> On Tue, 15 Mar 2016, Theo de Raadt wrote:
>>>> You obviously cannot make them private, because that destroys inter-
>>>> terminal games, and you cannot remove the common data because it is the
>>>> game status data.
>>>
>>> The rest of the gamedev world seems to handle this situation by
>>> splitting the game into a client and a server part.
>>>
>>> The client handles whatever the player is supposed to witness with their
>>> eyes, and communicates with the server using some network protocol. The
>>> server accepts client input, executes the game logic, keeps the game
>>> state, updates connected clients, and keeps scores.
>>>
>>> This would probably be a major rewrite for most games.
>>
>> You propose to start a score daemon all the time?  Yes, you do...
>
> I didn't suggest it to be enabled by default. Administrator's choice.
> Users can spawn private instances. No more dangerous than installing
> openarena-server from ports.
>
> Not a score daemon but a game server. If it's a simple daemon keeping
> scores, it couldn't stop users from submitting any score they please and
> thus cheating.



Re: wireshark illegal instruction on older systems

2016-03-15 Thread Juan Francisco Cantero Hurtado
On Tue, Mar 15, 2016 at 06:33:56PM +, Stuart Henderson wrote:
> On 2016-03-15, Peter Kay  wrote:
> > It's a MOVSD SSE instruction. Tshark is ok. I can cope with that or tcpdump
> > if need be, but here's the output :
> 
> I think this variant of MOVSD might be AVX?
> 
> > Starting program: /usr/local/bin/wireshark
> > warning: Lowest section in /usr/local/lib/libicudata.so.9.0 is .hash at
> > 0154
> >
> > Program received signal SIGILL, Illegal instruction.
> > 0x06d685fb in _GLOBAL__sub_I_qguiapplication.cpp () from
> > /usr/local/lib/qt5/./libQt5Gui.so.1.1
> 
> Looks like it's in Qt5 then. Wireshark still has the "legacy" gtk GUI
> (it's in a subpackage), you could try that instead for now.
> 
> Looks like Qt autodetects at build time, we probably want to configure
> on i386 with no-avx, no-avx2, no-sse4.1, no-sse4.2, maybe no-ssse3.
> (SSE2 is probably reasonable to expect for Qt5 apps, it's present on
> Netburst, Pentium-M, Atom, C7 etc. which seems a sane cut-off point
> for heavy GUI apps).

"maybe no-ssse3"

There are a lot of "recent" AMD cpus which don't support ssse3.

cpu0: AMD Athlon(tm) II X4 638 Quad-Core Processor, 2700.26 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,PAGE1GB,LONG,3DNOW2,3DNOW,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,ITSC


> 
> > 0x06d685fb <_GLOBAL__sub_I_qguiapplication.cpp+43>: movsd
> >  0x8(%esp),%xmm0
> ..
> > 0x06d6860c <_GLOBAL__sub_I_qguiapplication.cpp+60>: movsd
> >  %xmm0,0x8(%eax)
> 

-- 
Juan Francisco Cantero Hurtado http://juanfra.info



Re: /usr/games/hack

2016-03-15 Thread Kamil Cholewiński
On Tue, 15 Mar 2016, Theo de Raadt wrote:
>> > You obviously cannot make them private, because that destroys inter-
>> > terminal games, and you cannot remove the common data because it is the
>> > game status data.
>>
>> The rest of the gamedev world seems to handle this situation by
>> splitting the game into a client and a server part.
>>
>> The client handles whatever the player is supposed to witness with their
>> eyes, and communicates with the server using some network protocol. The
>> server accepts client input, executes the game logic, keeps the game
>> state, updates connected clients, and keeps scores.
>>
>> This would probably be a major rewrite for most games.
>
> You propose to start a score daemon all the time?  Yes, you do...

I didn't suggest it to be enabled by default. Administrator's choice.
Users can spawn private instances. No more dangerous than installing
openarena-server from ports.

Not a score daemon but a game server. If it's a simple daemon keeping
scores, it couldn't stop users from submitting any score they please and
thus cheating.



Re: /usr/games/hack

2016-03-15 Thread Theo de Raadt
> > You obviously cannot make them private, because that destroys inter-
> > terminal games, and you cannot remove the common data because it is the
> > game status data.
> 
> The rest of the gamedev world seems to handle this situation by
> splitting the game into a client and a server part.
> 
> The client handles whatever the player is supposed to witness with their
> eyes, and communicates with the server using some network protocol. The
> server accepts client input, executes the game logic, keeps the game
> state, updates connected clients, and keeps scores.
> 
> This would probably be a major rewrite for most games.

You propose to start a score daemon all the time?  Yes, you do...



Re: wireshark illegal instruction on older systems

2016-03-15 Thread Stuart Henderson
On 2016-03-15, Peter Kay wrote:
> It's a MOVSD SSE instruction. Tshark is ok. I can cope with that or tcpdump
> if need be, but here's the output :

I think this variant of MOVSD might be AVX?

> Starting program: /usr/local/bin/wireshark
> warning: Lowest section in /usr/local/lib/libicudata.so.9.0 is .hash at
> 0154
>
> Program received signal SIGILL, Illegal instruction.
> 0x06d685fb in _GLOBAL__sub_I_qguiapplication.cpp () from
> /usr/local/lib/qt5/./libQt5Gui.so.1.1

Looks like it's in Qt5 then. Wireshark still has the "legacy" gtk GUI
(it's in a subpackage), you could try that instead for now.

Looks like Qt autodetects at build time, we probably want to configure
on i386 with no-avx, no-avx2, no-sse4.1, no-sse4.2, maybe no-ssse3.
(SSE2 is probably reasonable to expect for Qt5 apps, it's present on
Netburst, Pentium-M, Atom, C7 etc. which seems a sane cut-off point
for heavy GUI apps).

> 0x06d685fb <_GLOBAL__sub_I_qguiapplication.cpp+43>: movsd
>  0x8(%esp),%xmm0
..
> 0x06d6860c <_GLOBAL__sub_I_qguiapplication.cpp+60>: movsd
>  %xmm0,0x8(%eax)
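An added example for the build-baseline discussion in Stuart's message above and in Juan's reply quoting it (my code, not anything from the Qt or Wireshark ports): read the CPUID bits behind the SSE/AVX levels being debated and report which of them the running CPU lacks. Run on a machine before installing a Qt5 build, it tells you whether a build that autodetected on a newer host could trip a SIGILL there, and whether the proposed SSE2 floor is even met (it is not on Peter's Pentium II; SSSE3 and up are missing on Juan's Athlon II). The bit positions are the documented CPUID ones; the register values used in the checks are constructed rather than captured; the names match what OpenBSD's dmesg prints.

```c
/* Added example, not from the thread: decode the CPUID bits behind the
 * SSE/AVX levels discussed above and report which of them a CPU lacks.
 * Bit positions are the documented CPUID ones; sample values are constructed. */
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* One bit per extension, oldest first. */
enum { F_SSE2 = 1, F_SSE3 = 2, F_SSSE3 = 4, F_SSE41 = 8, F_SSE42 = 16, F_AVX = 32, F_AVX2 = 64 };
#define N_FEATURES 7

/* Names as OpenBSD's dmesg prints them on the cpu0 feature lines. */
static const char *const feature_names[N_FEATURES] =
    { "SSE2", "SSE3", "SSSE3", "SSE4.1", "SSE4.2", "AVX", "AVX2" };

/* The i386 floor proposed in the thread, versus everything a build that
 * autodetects on a modern build host may end up emitting. */
#define QT_I386_BASELINE  F_SSE2
#define QT_AUTODETECT_ALL (F_SSE2 | F_SSE3 | F_SSSE3 | F_SSE41 | F_SSE42 | F_AVX | F_AVX2)

/* Leaf 1: EDX bit 26 = SSE2; ECX bit 0 = SSE3, 9 = SSSE3, 19 = SSE4.1,
 * 20 = SSE4.2, 28 = AVX. Leaf 7 subleaf 0: EBX bit 5 = AVX2. */
unsigned decode_features(unsigned leaf1_ecx, unsigned leaf1_edx, unsigned leaf7_ebx)
{
    unsigned f = 0;
    if (leaf1_edx & (1u << 26)) f |= F_SSE2;
    if (leaf1_ecx & (1u << 0))  f |= F_SSE3;
    if (leaf1_ecx & (1u << 9))  f |= F_SSSE3;
    if (leaf1_ecx & (1u << 19)) f |= F_SSE41;
    if (leaf1_ecx & (1u << 20)) f |= F_SSE42;
    if (leaf1_ecx & (1u << 28)) f |= F_AVX;
    if (leaf7_ebx & (1u << 5))  f |= F_AVX2;
    return f;
}

/* Count the features in `wanted` that `have` lacks; if buf is non-NULL also
 * write their names, space-separated, into it. */
int missing_features(unsigned have, unsigned wanted, char *buf, size_t len)
{
    int n = 0;
    size_t off = 0;
    unsigned i;

    if (buf != NULL && len > 0) buf[0] = '\0';
    for (i = 0; i < N_FEATURES; i++) {
        unsigned bit = 1u << i;
        if (!(wanted & bit) || (have & bit)) continue;
        if (buf != NULL && off < len)
            off += (size_t)snprintf(buf + off, len - off, "%s%s", n ? " " : "", feature_names[i]);
        n++;
    }
    return n;
}

/* Same list as a string in a static buffer, for one-off checks. */
const char *missing_list(unsigned have, unsigned wanted)
{
    static char buf[64];
    missing_features(have, wanted, buf, sizeof buf);
    return buf;
}

int main(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d, b7 = 0, c7 = 0, d7 = 0, have;
    char buf[64];

    if (!__get_cpuid(1, &a, &b, &c, &d)) { fputs("cpuid leaf 1 unavailable\n", stderr); return 1; }
    if (__get_cpuid_max(0, NULL) >= 7) __cpuid_count(7, 0, a, b7, c7, d7);
    have = decode_features(c, d, b7);
    if (missing_features(have, QT_AUTODETECT_ALL, buf, sizeof buf) > 0)
        printf("an autodetected build may use %s, which this CPU lacks\n", buf);
    printf("SSE2 baseline: %s\n", missing_features(have, QT_I386_BASELINE, NULL, 0) ? "NOT met" : "met");
#else
    puts("not an x86 CPU; nothing to check");
#endif
    return 0;
}
```

Note that the checks are of the CPU only; a kernel that does not enable XSAVE/AVX state for userland would still fault on AVX code, which is why "AVX" in the CPUID sense is a necessary rather than sufficient condition.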



Re: openbsd.org, openssh.com server(s) down

2016-03-15 Thread Gene
On Tue, Mar 15, 2016 at 7:22 AM, Martin Schröder wrote:

> 2016-03-15 14:31 GMT+01:00 Rudolf Sykora:
> > is it only I who cannot connect to either
> > of openbsd.org and openssh.com, or
>
> Nope.
> http://www.downforeveryoneorjustme.com/openbsd.org
>
> Best
>Martin
>

They're back up.

Any info on what caused the outage? (Just curious)

-Gene



Re: relayd - SSL acceleration / loadbalacing performance

2016-03-15 Thread Tobias Feldhaus
With the following settings, i.e. by optimizing and simplifying the pf.conf
rules and relayd.conf, we were able to push 24400 req/s through with HTTPS.
:) Maybe this helps someone else.

#
###
# OpenBSD sysctl.conf

net.inet.carp.preempt=1

kern.bufcachepercent=90
kern.maxfiles=20
kern.maxproc=5

kern.maxclusters=32768
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
net.inet.ip.ifq.maxlen=8192
net.inet.ip.mtudisc=0
net.inet.tcp.rfc3390=1
net.inet.tcp.mssdflt=1440

#
###
# OpenBSD relayd.conf

ip4_244 = "xx.xx.xx.244"
ip4_245 = "xx.xx.xx.245"

tracker5 = "10.5.3.34"
tracker6 = "10.5.3.42"
tracker7 = "10.5.3.50"

interval 10
table  { $tracker5, $tracker6, $tracker7 }

prefork 12

http protocol https {

  ### TCP performance options
  tcp { nodelay, sack, socket buffer 65536, backlog 128 }

  match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
  match request header append "X-Forwarded-By" \
  value "$SERVER_ADDR:$SERVER_PORT"
  match header set "Keep-Alive" value "$TIMEOUT"

  pass
  tls { no tlsv1.0, ciphers "HIGH:!aNULL" }
  tls session cache disable

}

relay wwwssl {
  listen on $ip4_244 port 443 tls
  listen on $ip4_245 port 443 tls
  protocol "https"
  forward to  port 8083 mode roundrobin check tcp
  session timeout 60
}

relay www {
  listen on $ip4_244 port 80
  listen on $ip4_245 port 80
  forward to  port 8083 mode roundrobin check tcp
}

#
###
# OpenBSD: pf.conf

tcp_services = "{ domain }"
udp_services = "{ domain }"
tcp_public_services = "{ www, https }"

pfsync_int = trunk2 # Pfsync interface
int_if = trunk1 # DMZ (internal) interface
ext_if = trunk0 # External CARP interface

# Increase limits
set limit { states 25000, src-nodes 25000, table-entries 30 }

# Aggressive settings
set optimization aggressive
set timeout { adaptive.end 12, interval 2, tcp.tsdiff 5, tcp.first 5,
tcp.closing 5, tcp.closed 5, tcp.finwait 5, tcp.established 4200}

# See pf.conf(5) and /etc/examples/pf.conf
anchor "relayd/*"

set block-policy drop
set loginterface $ext_if
set skip on lo
set skip on $int_if
set skip on $pfsync_int

match in all scrub (no-df max-mss 1440)

# Block everything by default
block all

# Allow main service of this host
pass quick proto tcp to port $tcp_public_services keep state
pass out quick proto tcp to port $tcp_services keep state
pass proto udp to port $udp_services keep state

# Pass CARP
pass quick proto carp keep state (no-sync)

# SSH backup channel from Wooga office
pass in on trunk0 inet proto tcp from xx.xx.xx.xx/xx to any port 22 keep
state (no-sync)

# Allow pings for Pingdom status checks
pass on trunk0 inet proto icmp keep state (no-sync)
pass on trunk0 inet6 proto icmp6 keep state (no-sync)


On Tue, Mar 15, 2016 at 11:49 AM, Tobias Feldhaus wrote:

> We have 3x Supermicro Intel Dual Xeon E5-2620v3 powered systems with 32GB
> ECC memory, 4x 10 Gigabit Ethernet NICs (Intel X520-DA2), and 2x Gigabit
> Ethernet onboard NICs connected towards a Virtual Chassis of a Juniper
> EX 4550 Ethernet Switch, running OpenBSD 5.8 with all (11) patches.
>
> We want to use these 3 systems as loadbalancers, 2x 10GE (trunk0, LACP)
> inbound, 2x 10GE (trunk1, LACP) outbound, 2x 1GE (trunk2, LACP) for Pfsync.
>
> LB-1 shares a public IP with LB-2, and LB-2 and LB-3 do the same (via
> CARP). We use relayd for loadbalancing the traffic towards 3 backend
> servers; all they currently do is serve an HTTP 200 OK response.
>
> When we load tested one LB's HTTP performance alone with wrk, we get
> about 40k req/s when testing with one machine in the same network as a
> client, and more than 100k req/s when testing with 3 client machines.
> Doing the test with HTTPS brings the performance down to 1400 req/s, and
> it does not matter whether using more or fewer clients, the total number
> of req/s stays almost the same.
>
> The overall load of the systems is low (below 2-3), memory utilization is
> low as well.
>
> As we don't have experience with OpenBSD and relayd we can only compare
> these numbers to FreeBSD and HAproxy, which we used in our previous setup.
> Our configuration files are listed below; we would be happy about any
> comment on how to improve the HTTPS performance.
>
>
>
> #
> ###
> # OpenBSD sysctl.conf
>
> net.inet.carp.preempt=1
>
> ### Tried with and without the following settings - with some effect
> kern.bufcachepercent=90
>
> kern.maxfiles=20
> kern.maxproc=5
>
> kern.maxclusters=32768
> machdep.allowaperture=2
> net.inet.ip.forwarding=1
> net.inet.ip.ifq.maxlen=8192
> net.inet.ip.mtudisc=0
> net.inet.tcp.rfc3390=1
> net.inet.tcp.mssdflt=1440
>
>
>
>
> #
> #

groupdel 'command' don't remove group id

2016-03-15 Thread Max Power
Hi people!

Operating System: OpenBSD 5.8 amd64.
I removed a group with the 'groupdel' command.
When I run the 'groups' command the result is: group: can't find group 'testx'
...but when I run the 'id' command or look for the user that was
associated with it, the group exists: id testx =
uid=1001(testx) gid=1001 groups=1001, 1000(laboratory)
# groups testx [user in this case associated with other group]:
1001 laboratory

The same scenario, with OpenBSD 5.7 amd64:
with the 'groups' command, the gid does not appear:
# groups testx
laboratory
but for the rest it is the same: although the group is removed,
its gid exists.

Why does this happen? Can I remove the gid?

Thanks for your replies.



proper way to terminate bgpd (removing routes from RIB upon termination of bgpd)

2016-03-15 Thread Laurent CARON

Hi,

I'm wondering what a good way of terminating bgpd would be.

Context: OpenBSD box (5.8 GENERIC.MP#1236 amd64) running ospfd, bgpd, ...

When terminating bgpd (pkill bgpd), routes installed by bgpd are not 
being removed from the routing table (this server is getting 4 full 
views and a lot of peering sessions (see bgpctl show rib mem below)).


How can I have the routes removed from the RIB when the bgpd daemon is killed?

Thanks

:bgpctl show rib mem:
RDE memory statistics
    583225 IPv4 unicast network entries using 22.2M of memory
     95527 IPv6 unicast network entries using 5.1M of memory
   1355164 rib entries using 82.7M of memory
   6696529 prefix entries using 409M of memory
   1150903 BGP path attribute entries using 132M of memory
    402714 BGP AS-PATH attribute entries using 21.8M of memory,
           and holding 1150903 references
     32147 BGP attributes entries using 1.2M of memory
           and holding 3629437 references
     32146 BGP attributes using 805K of memory
RIB using 674M of memory



Re: openbsd.org, openssh.com server(s) down

2016-03-15 Thread Raimo Niskanen
On Tue, Mar 15, 2016 at 09:36:33AM -0400, Matt Schwartz wrote:
> Seems like there might be an outage. I cannot reach either openbsd.org or
> openssh.com.
> 
> On Mar 15, 2016 9:32 AM, "Rudolf Sykora" wrote:
> >
> > Hello,
> >
> > is it only I who cannot connect to either
> > of openbsd.org and openssh.com, or
> > is the server down?

Not just for you nor me:

  http://www.isup.me/www.openbsd.org

> >
> > Thanks
> > Ruda

-- 

/ Raimo Niskanen, Erlang/OTP, Ericsson AB



Re: openbsd.org, openssh.com server(s) down

2016-03-15 Thread Martin Schröder
2016-03-15 14:31 GMT+01:00 Rudolf Sykora:
> is it only I who cannot connect to either
> of openbsd.org and openssh.com, or

Nope.
http://www.downforeveryoneorjustme.com/openbsd.org

Best
   Martin



Re: openbsd.org, openssh.com server(s) down

2016-03-15 Thread Matt Schwartz
Seems like there might be an outage. I cannot reach either openbsd.org or
openssh.com.

On Mar 15, 2016 9:32 AM, "Rudolf Sykora" wrote:
>
> Hello,
>
> is it only I who cannot connect to either
> of openbsd.org and openssh.com, or
> is the server down?
>
> Thanks
> Ruda



Re: Silly typo in docs

2016-03-15 Thread lists
Mon, 14 Mar 2016 22:12:12 +0100 Murk Fletcher 
> I see what you mean and you're right, it can go both ways.

Does not change a thing.  Maybe concentrate on improving incomplete,
missing or required sections rather than churn on wording and style.



openbsd.org, openssh.com server(s) down

2016-03-15 Thread Rudolf Sykora
Hello,

is it only I who cannot connect to either
of openbsd.org and openssh.com, or
is the server down?

Thanks
Ruda



Re: /usr/games/hack

2016-03-15 Thread Kamil Cholewiński
On Tue, 15 Mar 2016, Black Rider wrote:
> On Sun, 13 Mar 2016 20:17:00 +0100, Theo Buehler wrote:
>
>> On Sun, Mar 13, 2016 at 02:06:54PM -0500, Edgar Pettijohn wrote:
>>> On current I get the following when starting 'hack'
>>>
>>> "Cannot get status of hack"
>>>
>>> It worked on 5.8 release.  Just wanted to see if anyone else had the
>>> same problem.
>>
>> hack, hunt, phantasia and sail are either completely broken or mostly
>> broken since they had their setgid bits removed almost 4 months ago:
>>
>> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/games/hack/Makefile
>>
>> so far, nobody has stepped up to fix them and I think you're the first
>> to mention it on the list.
>
> From the link:
>
> "score file features must be removed, or
> rewritten to use private files"
>
> That can be ok for some games, but Phantasia stores the game status in
> common files that must be accesible/writeable by the players, I think.
> You obviously cannot make them private, because that destroys inter-
> terminal games, and you cannot remove the common data because it is the
> game status data.

The rest of the gamedev world seems to handle this situation by
splitting the game into a client and a server part.

The client handles whatever the player is supposed to witness with their
eyes, and communicates with the server using some network protocol. The
server accepts client input, executes the game logic, keeps the game
state, updates connected clients, and keeps scores.

This would probably be a major rewrite for most games.

K.



Re: /usr/games/hack

2016-03-15 Thread Black Rider
On Sun, 13 Mar 2016 20:17:00 +0100, Theo Buehler wrote:

> On Sun, Mar 13, 2016 at 02:06:54PM -0500, Edgar Pettijohn wrote:
>> On current I get the following when starting 'hack'
>> 
>> "Cannot get status of hack"
>> 
>> It worked on 5.8 release.  Just wanted to see if anyone else had the
>> same problem.
> 
> hack, hunt, phantasia and sail are either completely broken or mostly
> broken since they had their setgid bits removed almost 4 months ago:
> 
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/games/hack/Makefile
> 
> so far, nobody has stepped up to fix them and I think you're the first
> to mention it on the list.

From the link:

"score file features must be removed, or
rewritten to use private files"

That can be ok for some games, but Phantasia stores the game status in
common files that must be accessible/writeable by the players, I think.
You obviously cannot make them private, because that destroys inter-
terminal games, and you cannot remove the common data because it is the
game status data.



Relayd relay http persistent connection to different destination (filter by url)

2016-03-15 Thread Paul Fariello
Hi all,

I'm trying to relay an http connection to different destinations based
on url filtering. It works great, but since the urls used for filtering are
on the same domain, browsers tend to use a persistent connection:
"Connection: keep-alive".

Relayd seems to keep using the first matched destination even when the
http request matches the second one.

Here is my relayd configuration:

table  { 127.0.0.1 }
table  { 127.0.0.1 }

http protocol "httpfilter" {
return error
match url "www.example.org/" forward to 
match url "www.example.org/api/" forward to 
}

relay www {
listen on 127.0.0.1 port 80
protocol httpfilter

forward to  port 8080 check tcp
forward to  port 8181 check tcp
}

Here is how I test with persistent connection:

curl http://www.example.org http://www.example.org/api/

and here is the log I get:

relay www, session 1 (1 active), 0, 127.0.0.1 -> 127.0.0.1:8080, done, GET GET


Giving a look at relayd source code I suppose that this scenario is
known. In relay_http.c, int relay_match_actions(); relayd is changing
the destination table with the one from the matched rule.

Am I doing something wrong? Something not supported?

I'm more than willing to help on this.

Regards,

-- 
Paul Fariello



relayd - SSL acceleration / loadbalacing performance

2016-03-15 Thread Tobias Feldhaus
We have 3x Supermicro Intel Dual Xeon E5-2620v3 powered systems with 32GB
ECC memory, 4x 10 Gigabit Ethernet NICs (Intel X520-DA2), and 2x Gigabit
Ethernet onboard NICs connected towards a Virtual Chassis of a Juniper
EX 4550 Ethernet Switch, running OpenBSD 5.8 with all (11) patches.

We want to use these 3 systems as loadbalancers, 2x 10GE (trunk0, LACP)
inbound, 2x 10GE (trunk1, LACP) outbound, 2x 1GE (trunk2, LACP) for Pfsync.

LB-1 shares a public IP with LB-2, and LB-2 and LB-3 do the same (via
CARP). We use relayd for loadbalancing the traffic towards 3 backend
servers; all they currently do is serve an HTTP 200 OK response.

When we load tested one LB's HTTP performance alone with wrk, we get
about 40k req/s when testing with one machine in the same network as a
client, and more than 100k req/s when testing with 3 client machines.
Doing the test with HTTPS brings the performance down to 1400 req/s, and
it does not matter whether using more or fewer clients, the total number
of req/s stays almost the same.

The overall load of the systems is low (below 2-3), memory utilization is
low as well.

As we don't have experience with OpenBSD and relayd we can only compare
these numbers to FreeBSD and HAproxy, which we used in our previous setup.
Our configuration files are listed below; we would be happy about any
comment on how to improve the HTTPS performance.


# OpenBSD sysctl.conf

net.inet.carp.preempt=1

### Tried with and without the following settings - with some effect
kern.bufcachepercent=90

kern.maxfiles=20
kern.maxproc=5

kern.maxclusters=32768
machdep.allowaperture=2
net.inet.ip.forwarding=1
net.inet.ip.ifq.maxlen=8192
net.inet.ip.mtudisc=0
net.inet.tcp.rfc3390=1
net.inet.tcp.mssdflt=1440



# OpenBSD relayd.conf

ip4_244 = "xx.xx.xx.244"
ip4_245 = "xx.xx.xx.245"

tracker5 = "10.5.3.34"
tracker6 = "10.5.3.42"
tracker7 = "10.5.3.50"

interval 10
table  { $tracker5, $tracker6, $tracker7 }

prefork 12

http protocol https {

  ### TCP performance options
  tcp { nodelay, sack, socket buffer 65536, backlog 128 }

  match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
  match request header append "X-Forwarded-By" \
  value "$SERVER_ADDR:$SERVER_PORT"
  match request header set "Connection" value "close"

  tls { no tlsv1.0, ciphers HIGH }
  tls session cache disable  # tried enabling/disabling -> no effect
}

relay wwwssl {
  listen on $ip4_244 port 443 tls
  listen on $ip4_245 port 443 tls
  protocol "https"
  forward to  port 8083 mode loadbalance check tcp
}

relay www {
  listen on $ip4_244 port 80
  listen on $ip4_245 port 80
  forward to  port 8083 mode loadbalance check tcp
}


# OpenBSD: pf.conf

tcp_services = "{ domain, www, https }"
udp_services = "{ domain }"
tcp_public_services = "{ www, https }"
icmp_types = "{ echorep, echoreq, unreach}"
icmp6_types = "{ echorep, echoreq, unreach, timex, paramprob, routersol,
routeradv, neighbrsol, neighbradv, redir }"

pfsync_int = trunk2 # Pfsync interface
int_if = trunk1 # DMZ (internal) interface
ext_if = trunk0 # External CARP interface

# Increase limits
set limit { states 10, src-nodes 10, table-entries 200 }

# Optimizations
set optimization aggressive
set timeout { adaptive.end 12, interval 2, tcp.tsdiff 5, tcp.first 5,
tcp.closing 5, tcp.closed 5, tcp.finwait 5, tcp.established 4200} # tried
with
# and without - very small effect

# See pf.conf(5) and /etc/examples/pf.conf
anchor "relayd/*"

set reassemble yes
set block-policy drop
set loginterface $ext_if
set skip on lo
set skip on $int_if
set skip on $pfsync_int

# Scrub incoming
match in all scrub (no-df max-mss 1440)

# Block everything by default
block all

# Activate spoofing protection
block in quick from urpf-failed

# Allow main service of this host
pass out proto tcp to port $tcp_services keep state
pass in proto tcp to port $tcp_public_services keep state
pass proto udp to port $udp_services keep state

# Pass CARP and pfsync
pass proto carp keep state (no-sync)
pass quick proto pfsync keep state (no-sync)

# SSH backup channel from Wooga office
pass in on trunk0 inet proto tcp from 185.74.12.0/22 to any port 22 keep
state (no-sync)

# Allow pings for Pingdom status checks
pass on trunk0 inet proto icmp icmp-type $icmp_types keep state (no-sync)
pass on trunk0 inet6 proto icmp6 icmp6-type $icmp6_types keep state
(no-sync)



zdump - nonexistent zone

2016-03-15 Thread hans
It seems zdump(8) just displays GMT for zones which do not exist.
Is that intended?

Jan

$ zdump Canada/* Canada/Toronto
Canada/Atlantic           Tue Mar 15 05:22:21 2016 ADT
Canada/Central            Tue Mar 15 03:22:21 2016 CDT
Canada/East-Saskatchewan  Tue Mar 15 02:22:21 2016 CST
Canada/Eastern            Tue Mar 15 04:22:21 2016 EDT
Canada/Mountain           Tue Mar 15 02:22:21 2016 MDT
Canada/Newfoundland       Tue Mar 15 05:52:21 2016 NDT
Canada/Pacific            Tue Mar 15 01:22:21 2016 PDT
Canada/Saskatchewan       Tue Mar 15 02:22:21 2016 CST
Canada/Yukon              Tue Mar 15 01:22:21 2016 PDT
Canada/Toronto            Tue Mar 15 08:22:21 2016 GMT