Re: crontab

2019-05-28 Thread Andreas Kusalananda Kähäri
On Tue, May 28, 2019 at 05:43:03PM -0400, System Administrator wrote:
> On 28 May 2019 at 15:14, Carlos Aguilar wrote:
> 
> > Hi,
> > 
> > I am having lots of problems to execute a shell script at boot time.
> > 
> > My crontab is as follows;
> > >>
> > SHELL=/bin/ksh
> > 
> > @reboot $HOME/bin/app-ferre
> > <<
> > My shell script is as follows:
> > >>
> > #!/bin/ksh
> > 
> > lua=/usr/local/bin/lua53
> > 
> > for f in $(ls /home/alberto/app/service-*.lua) ;do
> > echo 'Initializing' $f '\n'
> > $lua $f &
> > done
> > >>
> > 
> > Thanks for any help or advice,
> > 
> > // Carlos
> > 
> 
> Hi Carlos,
> 
> The $HOME environment variable is defined by the interactive shell for 
> login sessions. Moreover, unless you regularly log into your system as 
> root -- which is the user that kicks off cron tasks and runs them 
> unless changed with su or doas -- it does not point where you are 
> expecting (*your* home folder).
> 
> When specifying crontab entries, it is best to spell out the program 
> path.
> 
> -Jacob.

Assuming that this is being run from the correct user's crontab, $HOME
would be set correctly.  Cron sets $HOME.

There is too much information missing from the original post that it
makes it difficult to debug (any mentioning of what the actual issue is,
for example).

-- 
Kusalananda
Sweden



Re: The right way to view the current input layout in X

2019-05-28 Thread Максим
Thank you.
It really does the job.

-- 
Best Regards
Maksim Rodin

28.05.2019, 16:24, "Lévai, Dániel" :
> That's the thing, that doesn't tell you which specific layout is active (from 
> us,ru).
>
> I've been using skb for ages for this: https://plhk.ru/
>
> It does the job.
>
> Dani
>
> ‐‐‐ Original Message ‐‐‐
> On Tuesday, 28 May 2019 14:39, Robert Klein  wrote:
>
>>  On Tue, 28 May 2019 14:50:30 +0300
>>  Максим a23s4a2...@yandex.ru wrote:
>>
>>  > Hello,
>>  > The following command is run from my .xsession file to allow me to
>>  > switch between english and russian layout: "setxkbmap -layout "us,ru"
>>  > -option grp:alt_space_toggle"
>>  > But how can I view the current input layout?
>>
>>  “man setxkbmap” says:
>>
>>  [...]
>>  -query With this option setxkbmap just prints the current rules,
>>  model, layout, variant, and options, then exits.
>>  [...]
>>
>>  Best regards
>>  Robert
>>
>>  > --
>>  > Maksim Rodin



Re: Random system freeze.

2019-05-28 Thread Stuart Henderson
On 2019-05-28, Paco Esteban  wrote:
> Hi Stuart,
>
> On Tue, 28 May 2019, Stuart Henderson wrote:
>
>> Some things to try:
>> 
>> Does it seem to be in ddb? Try typing "call cpu_reset" blindly and see
>> if it reboots.
>
> I'll take a look at the manpages to see how that works. Never used the
> kernel debugger.

This is just a command which is likely to trigger a reboot (on amd64)
without getting into other problems that might hang. Basically to
identify whether it's in ddb without having changed the screen, or
whether it's hard locked. (There's some new non-arch-dependent command
to do this but I forgot what it's called and it didn't get added to the
ddb manual).


>> Does it start responding again if you wait?
>
> No, at least in a "short time period" (5 minutes more or less). I'll try
> to wait longer next time to test this.

I'd give it a little bit more than this, though probably doesn't need
much more. I've had systems recover from hangs after 5-10ish minutes
(I don't know if it's likely to be similar or completely different to
what you're seeing, so just throwing out a few things to try to get
more information and possibly help..).

>> What does "sysctl kern.timecounter.hardware" say? If it's tsc, try one
>> of the other names shown in "sysctl kern.timecounter.choice", probably
>> acpihpet0 if available.
>> 
>> Is it any better with the intel driver rather than modesetting? Try this
>> in xorg.conf:
>> 
>> Section "Device"
>>    Identifier  "Intel Graphics"
>>    Driver  "intel"
>> EndSection
>
> I'll try them all one change at a time and try to make a table
> (work/crash) for it.
>
> It can take some time as the problem manifests randomly.
>
> Thanks for the suggestions.
>





Re: Lenovo w/ AMD Ryzen CPU

2019-05-28 Thread Jonathan Gray
On Tue, May 28, 2019 at 09:58:58AM -0700, Chris Cappuccio wrote:
> David Anthony [d...@silentsystems.org] wrote:
> > All,
> > 
> > The Lenovo release of T*95 series laptops with AMD Ryzen CPU appears 
> > imminent. 
> > 
> > Would these be poor choices for OpenBSD? Are there any anticipated 
> > “gotchas” that I should be aware of? Any thoughts would be greatly 
> > appreciated.
> > 
> 
> Chances are it will work very well.

I disagree.

> 
> First, less flaws were identified with AMD's implementation of speculative
> execution. That means that there are less mitigations to slow down the system.
> Whether there are unidentified flaws, that's another issue..
> 
> Second, the amdgpu driver was just imported to OpenBSD 6.5-current. That
> means you'll have graphics support. Combined with the recent improvements
> to xhci and wi-fi driver improvements (well, mostly intel), support for modern
> laptops has never been better.

There is no support for newer Intel wireless like the 9260 the T495 has.

The version of amdgpu in the tree does not include support for
picasso APUs (Ryzen 3xxx) https://en.wikichip.org/wiki/amd/cores/picasso
or whatever raven2 works out to be.

It is also not enabled by default just yet.

If anyone wants to have a Ryzen thinkpad work in the short term the
current A series A285/A485 and similar generation E series require less
work.  Suspend/resume doesn't work right on them currently.
They mostly ship with RTL8822BE wireless which there is no support for
but this can be replaced with an Intel 8265 which is in the bios
whitelist and is supported by iwm(4).



Re: PF firewall for desktop

2019-05-28 Thread James Huddle
Lots of miscommunications in these threads.  The original poster here was
talking about setting up a virtual firewall machine to deal with traffic on
a single box.
Most of the war stories are from sys admins protecting a corporate LAN (or
larger) with lawyers and accountants weighing in.  Of course you need to
consider the collective OpenBSD wisdom and up your game accordingly, when
protecting a multimillion dollar facility.

I could really go for a methanol, about now!

On Tue, May 28, 2019 at 6:58 AM Kevin Chadwick  wrote:

> On 5/24/19 8:30 PM, Jean-Francois Simon wrote:
> > Hi,
> >
> > Out of interest, I'd like to let you know a specific use of OpenBSD with
> > PF, in virtualbox, 2 virtual network card Bridged to physical NIC, and
> > building up a subnet with NAT and hence running Packet Filter as the
> > machine's firewall.
> >
> >
> > That's the firewall I use under Win7, OpenBSD running in a VM, out of
> > pure interest into running BSD and let it purify the network access to
> > desktop (without need for additional hardware).
> >
> >
> > Works well, love it.
>
> I have done something similar in the past. My personal preference is
> hyper-v on windows 10 pro which seven can be upgraded to. I would hope
> hyper-V has inherited kernel sandboxing/mitigation protections and
> hardening from Windows kernel/azure.
>
> I assign the physical NIC to the OpenBSD VM and remove all check boxes
> like ipv4/ipv6 support from that NIC. Then I had a VNAT device for
> windows to talk to. Glasswire on top gives a window into the why is it
> connecting there or obfuscating CDNs https certs without the other free
> windows firewall cruft.
>
> I assume communications to the windows box could be made from a foreign
> network via arp manipulation but a nice setup none the less, if you can
> be bothered with it.
>
>


Re: crontab

2019-05-28 Thread System Administrator
On 28 May 2019 at 15:14, Carlos Aguilar wrote:

> Hi,
> 
> I am having lots of problems to execute a shell script at boot time.
> 
> My crontab is as follows;
> >>
> SHELL=/bin/ksh
> 
> @reboot $HOME/bin/app-ferre
> <<
> My shell script is as follows:
> >>
> #!/bin/ksh
> 
> lua=/usr/local/bin/lua53
> 
> for f in $(ls /home/alberto/app/service-*.lua) ;do
> echo 'Initializing' $f '\n'
> $lua $f &
> done
> >>
> 
> Thanks for any help or advice,
> 
> // Carlos
> 

Hi Carlos,

The $HOME environment variable is defined by the interactive shell for 
login sessions. Moreover, unless you regularly log into your system as 
root -- which is the user that kicks off cron tasks and runs them 
unless changed with su or doas -- it does not point where you are 
expecting (*your* home folder).

When specifying crontab entries, it is best to spell out the program 
path.

-Jacob.



Re: crontab

2019-05-28 Thread Andreas Kusalananda Kähäri
On Tue, May 28, 2019 at 03:14:58PM -0500, Carlos Aguilar wrote:
> Hi,
> 
> I am having lots of problems to execute a shell script at boot time.
> 
> My crontab is as follows;
> >>
> SHELL=/bin/ksh
> 
> @reboot $HOME/bin/app-ferre
> <<
> My shell script is as follows:
> >>
> #!/bin/ksh
> 
> lua=/usr/local/bin/lua53
> 
> for f in $(ls /home/alberto/app/service-*.lua) ;do
> echo 'Initializing' $f '\n'
> $lua $f &
> done
> >>
> 
> Thanks for any help or advice,
> 
> // Carlos

I'm noticing that you don't actually mention what the problem is, or
what your Lua scripts do.

Do you get an error message?

BTW, note that it's safer to use

#!/bin/ksh

PATH=$PATH:/usr/local/bin

for f in /home/alberto/app/service-*.lua; do
    printf '%s\n' "$f"
    lua53 "$f" &
done

-- 
Kusalananda
Sweden
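
Why the glob loop in the reply above is safer than looping over `$(ls ...)`, shown as an added example that is not part of the original message: both loop styles are run over constructed file names, one of which contains a space. The scratch directory, file names and function names are made up for the demonstration, and the code is POSIX sh rather than ksh.

```shell
#!/bin/sh
# Added illustration, not code from the thread. All file names are constructed.

# Build a scratch directory holding three service scripts; one name has a space.
make_sample_dir() {
    dir=$(mktemp -d) || return 1
    : > "$dir/service-api.lua"
    : > "$dir/service-db.lua"
    : > "$dir/service-mail relay.lua"
    printf '%s\n' "$dir"
}

# Style from the original script: the unquoted $(ls ...) output is split on
# whitespace, so one file name can become several words.
# Prints "<words seen> <words that name no existing file>".
scan_with_ls() {
    words=0 missing=0
    for f in $(ls "$1"/service-*.lua 2>/dev/null); do
        words=$((words + 1))
        [ -e "$f" ] || missing=$((missing + 1))
    done
    printf '%s %s\n' "$words" "$missing"
}

# Style from the reply: the glob expands to exactly one word per file and
# "$f" is quoted wherever it is used. Same output format as scan_with_ls.
scan_with_glob() {
    words=0 missing=0
    for f in "$1"/service-*.lua; do
        # When nothing matches, the pattern is left as a literal string; skip it.
        [ -e "$f" ] || continue
        words=$((words + 1))
    done
    printf '%s %s\n' "$words" "$missing"
}

# Stand-alone run: show both results for the constructed directory.
demo_dir=$(make_sample_dir) || exit 1
echo "ls loop   (words, missing): $(scan_with_ls "$demo_dir")"
echo "glob loop (words, missing): $(scan_with_glob "$demo_dir")"
rm -rf "$demo_dir"
```

With the `ls` loop the interpreter would be started on two paths that do not exist, and on whatever a crafted file name happens to split into; the glob loop only ever sees the three real files.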



Re: crontab

2019-05-28 Thread Edgar Pettijohn


On May 28, 2019 3:14 PM, Carlos Aguilar  wrote:
>
> Hi,
>
> I am having lots of problems to execute a shell script at boot time.
>
> My crontab is as follows;
> >>
> SHELL=/bin/ksh
>
> @reboot $HOME/bin/app-ferre
> <<
> My shell script is as follows:
> >>
> #!/bin/ksh
>
> lua=/usr/local/bin/lua53
>
> for f in $(ls /home/alberto/app/service-*.lua) ;do
>     echo 'Initializing' $f '\n'
>     $lua $f &
> done
> >>
>
> Thanks for any help or advice,
>
> // Carlos

Have you tried using rc.local? May be easier.



crontab

2019-05-28 Thread Carlos Aguilar
Hi,

I am having lots of problems to execute a shell script at boot time.

My crontab is as follows;
>>
SHELL=/bin/ksh

@reboot $HOME/bin/app-ferre
<<
My shell script is as follows:
>>
#!/bin/ksh

lua=/usr/local/bin/lua53

for f in $(ls /home/alberto/app/service-*.lua) ;do
echo 'Initializing' $f '\n'
$lua $f &
done
>>

Thanks for any help or advice,

// Carlos


Re: The right way to view the current input layout in X

2019-05-28 Thread Jan Stary
On May 28 15:45:30, a23s4a2...@yandex.ru wrote:
> I saw this option
> Not exactly what I want:
> 
> "~ $ setxkbmap -query
> rules:  base
> model:  pc105
> layout: us,ru
> options:grp:alt_space_toggle"
> 
> I would like to know whether it is "en" or "ru" right now

setxkbmap -layout "us,cz" -option "grp:shifts_toggle,grp_led:scroll"

also switches the scroll lock led on/off to indicate that.



openup failing?

2019-05-28 Thread Adam Thompson
I've seen a large number of failures recently from m:tier's openup tool, 
complaining of:


ftp: connect: Host is down
!!! Cannot retrieve https://stable.mtier.org/openup
!!! Please verify your Internet connection, proxy settings and 
firewall.


I'm seeing this from two different networks/providers/companies, so I'm 
assuming it's not me, but am posting this to validate that assumption.


Assuming it's not just me, does anyone know what's going on with them?  
The relevant routes appear in the DFZ, but none of the *.mtier.org IPs I 
know of respond.


-Adam



Re: Lenovo w/ AMD Ryzen CPU

2019-05-28 Thread Daniel Boyd
must be some kind of bizarre coincidence

On Tue, May 28, 2019 at 11:16:51AM -0600, Theo de Raadt wrote:
> I am hoping to get one also... and as a rule whatever I get my hands on tends 
> to work out well.
> 
> danieljb...@icloud.com wrote:
> 
> > I just ordered some E495s (not 'T', but pretty similar). I think
> > they're supposed to arrive today. I'll do a test boot and send in a
> > dmesg.
> > 
> > On Tue, May 28, 2019 at 10:44:44AM -0400, David Anthony wrote:
> > > All,
> > > 
> > > The Lenovo release of T*95 series laptops with AMD Ryzen CPU appears 
> > > imminent. 
> > > 
> > > Would these be poor choices for OpenBSD? Are there any anticipated 
> > > “gotchas” that I should be aware of? Any thoughts would be greatly 
> > > appreciated.
> > > 
> > > Respectfully,
> > > David Anthony
> > > 
> > 
> 



Re: Lenovo w/ AMD Ryzen CPU

2019-05-28 Thread Theo de Raadt
I am hoping to get one also... and as a rule whatever I get my hands on tends 
to work out well.

danieljb...@icloud.com wrote:

> I just ordered some E495s (not 'T', but pretty similar). I think
> they're supposed to arrive today. I'll do a test boot and send in a
> dmesg.
> 
> On Tue, May 28, 2019 at 10:44:44AM -0400, David Anthony wrote:
> > All,
> > 
> > The Lenovo release of T*95 series laptops with AMD Ryzen CPU appears 
> > imminent. 
> > 
> > Would these be poor choices for OpenBSD? Are there any anticipated 
> > “gotchas” that I should be aware of? Any thoughts would be greatly 
> > appreciated.
> > 
> > Respectfully,
> > David Anthony
> > 
> 



Re: Lenovo w/ AMD Ryzen CPU

2019-05-28 Thread danieljboyd
I just ordered some E495s (not 'T', but pretty similar). I think
they're supposed to arrive today. I'll do a test boot and send in a
dmesg.

On Tue, May 28, 2019 at 10:44:44AM -0400, David Anthony wrote:
> All,
> 
> The Lenovo release of T*95 series laptops with AMD Ryzen CPU appears 
> imminent. 
> 
> Would these be poor choices for OpenBSD? Are there any anticipated “gotchas” 
> that I should be aware of? Any thoughts would be greatly appreciated.
> 
> Respectfully,
> David Anthony
> 



Re: OpenBSD on VMware ESXi

2019-05-28 Thread Hendrik Meyburgh
We have been running successfully for a very long time, earlier editions (5.5) 
didn’t recover so well after storage hiccups, but these days running very well, 
no customizations needed. Sorry I can’t download the vmx right now.

OpenBSD 6.3 GENERIC.MP#107 amd64
Running openbgpd, pf and relayd.

Esxi 6.5 on Intel "Sandy Bridge" Generation EVC
VMFS5 datastore on FC - Thick provision lazy zeroed
VMXNET3
VM version 10 hardware compatibility
Guest OS emulation - Freebsd 64bit

8vcpu
8gig mem


> On 22 May 2019, at 12:46, Roderick  wrote:
> 
> 
> Hallo!
> 
> As far as I read in WWW, OpenBSD do run on VMware ESXi out of the box.
> 
> What does run better on amd64 virtual machine? i386 or amd64?
> Are there reasons to prefer one to the other?
> 
> Any recommendations in general? Current or stable?
> 
> I have a virtual server, just for testing, at the moment with debian
> and I find it awful. Is there any reason to keep it with linux?
> 
> A detail: the console is in WWW, almost unreadable small fonts,
> unstable, high latency (result of low price :). The best would
> be a short installation path to get a listening sshd and end the
> installation with shell login.
> 
> Thanks for any hint
> Rodrigo
> 



Re: Lenovo w/ AMD Ryzen CPU

2019-05-28 Thread Chris Cappuccio
David Anthony [d...@silentsystems.org] wrote:
> All,
> 
> The Lenovo release of T*95 series laptops with AMD Ryzen CPU appears 
> imminent. 
> 
> Would these be poor choices for OpenBSD? Are there any anticipated 
> “gotchas” that I should be aware of? Any thoughts would be greatly 
> appreciated.
> 

Chances are it will work very well.

First, less flaws were identified with AMD's implementation of speculative
execution. That means that there are less mitigations to slow down the system.
Whether there are unidentified flaws, that's another issue..

Second, the amdgpu driver was just imported to OpenBSD 6.5-current. That
means you'll have graphics support. Combined with the recent improvements
to xhci and wi-fi driver improvements (well, mostly intel), support for modern
laptops has never been better.

Chris



Lenovo w/ AMD Ryzen CPU

2019-05-28 Thread David Anthony
All,

The Lenovo release of T*95 series laptops with AMD Ryzen CPU appears imminent. 

Would these be poor choices for OpenBSD? Are there any anticipated “gotchas” 
that I should be aware of? Any thoughts would be greatly appreciated.

Respectfully,
David Anthony



Re: The right way to view the current input layout in X

2019-05-28 Thread Максим
I saw this option
Not exactly what I want:

"~ $ setxkbmap -query
rules:  base
model:  pc105
layout: us,ru
options:grp:alt_space_toggle"

I would like to know whether it is "en" or "ru" right now

-- 
Best Regards
Maksim Rodin


28.05.2019, 15:41, "Robert Klein" :
> On Tue, 28 May 2019 14:50:30 +0300
> Максим  wrote:
>
>>  Hello,
>>  The following command is run from my .xsession file to allow me to
>>  switch between english and russian layout: "setxkbmap -layout "us,ru"
>>  -option grp:alt_space_toggle"
>>
>>  But how can I view the current input layout?
>
> “man setxkbmap” says:
>
> [...]
>    -query With this option setxkbmap just prints the current rules,
>    model, layout, variant, and options, then exits.
> [...]
>
> Best regards
> Robert
>
>>  --
>>  Maksim Rodin



Re: The right way to view the current input layout in X

2019-05-28 Thread Lévai , Dániel
That's the thing, that doesn't tell you which specific layout is active (from 
us,ru).

I've been using skb for ages for this: https://plhk.ru/

It does the job.


Dani

‐‐‐ Original Message ‐‐‐
On Tuesday, 28 May 2019 14:39, Robert Klein  wrote:

> On Tue, 28 May 2019 14:50:30 +0300
> Максим a23s4a2...@yandex.ru wrote:
>
> > Hello,
> > The following command is run from my .xsession file to allow me to
> > switch between english and russian layout: "setxkbmap -layout "us,ru"
> > -option grp:alt_space_toggle"
> > But how can I view the current input layout?
>
> “man setxkbmap” says:
>
> [...]
> -query With this option setxkbmap just prints the current rules,
> model, layout, variant, and options, then exits.
> [...]
>
> Best regards
> Robert
>
> > -- 
> > Maksim Rodin






Re: The right way to view the current input layout in X

2019-05-28 Thread Robert Klein
On Tue, 28 May 2019 14:50:30 +0300
Максим  wrote:

> Hello,
> The following command is run from my .xsession file to allow me to
> switch between english and russian layout: "setxkbmap -layout "us,ru"
> -option grp:alt_space_toggle"
> 
> But how can I view the current input layout?

“man setxkbmap” says:

[...]
   -query  With this option setxkbmap just prints the current rules,
   model, layout, variant, and options, then exits.
[...]


Best regards
Robert

> 
> -- 
> Maksim Rodin
> 



The right way to view the current input layout in X

2019-05-28 Thread Максим
Hello,
The following command is run from my .xsession file to allow me to switch 
between english and russian layout:
"setxkbmap -layout "us,ru" -option grp:alt_space_toggle"

But how can I view the current input layout?

-- 
Maksim Rodin



Re: Random system freeze.

2019-05-28 Thread Jesper Wallin
On Tue, May 28, 2019 at 08:10:09PM +1000, Jonathan Gray wrote:
> On Tue, May 28, 2019 at 09:25:52AM -, Stuart Henderson wrote:
> > 
> > Does it seem to be in ddb? Try typing "call cpu_reset" blindly and see
> > if it reboots.

Hi, I'm having the same issue here, on a X1 Carbon (3rd gen)

No luck with "call cpu_reset", I might have done it wrong though, as
english keyboard isn't native to me and I assume that's what ddb use?

> > What does "sysctl kern.timecounter.hardware" say? If it's tsc, try one
> > of the other names shown in "sysctl kern.timecounter.choice", probably
> > acpihpet0 if available.

Had two freezes today, one using tsc and one using acpihpet0.


> All the reports I have seen have been from skylake or kabylake.
> Have never encountered it with ivy bridge or broadwell here.

I'm using a broadwell here (i7-5500U) with the intel drivers for Xorg.

Snapshots are from today and I've had these freezes for the last week or
so.  Doubt it's of importance, but I applied the latest BIOS update to
this machine yesterday and I've had these freezes since before that.



Re: PF firewall for desktop

2019-05-28 Thread Kevin Chadwick
On 5/24/19 8:30 PM, Jean-Francois Simon wrote:
> Hi,
> 
> Out of interest, I'd like to let you know a specific use of OpenBSD with PF, 
> in
> virtualbox, 2 virtual network card Bridged to physical NIC, and building up a
> subnet with NAT and hence running Packet Filter as the machine's firewall.
> 
> 
> That's the firewall I use under Win7, OpenBSD running in a VM, out of pure
> interest into running BSD and let it purify the network access to
> desktop (without need for additional hardware).
> 
> 
> Works well, love it.

I have done something similar in the past. My personal preference is hyper-v on
windows 10 pro which seven can be upgraded to. I would hope hyper-V has
inherited kernel sandboxing/mitigation protections and hardening from Windows
kernel/azure.

I assign the physical NIC to the OpenBSD VM and remove all check boxes like
ipv4/ipv6 support from that NIC. Then I had a VNAT device for windows to talk
to. Glasswire on top gives a window into the why is it connecting there or
obfuscating CDNs https certs without the other free windows firewall cruft.

I assume communications to the windows box could be made from a foreign network
via arp manipulation but a nice setup none the less, if you can be bothered 
with it.



Issue with file not showing up in directory mounted over local NFS

2019-05-28 Thread Andreas Kusalananda Kähäri
Hi,

I'm building current ports in a chroot with dpb(1), and I'm keeping the
ports tree in /extra/ports which is mounted over local NFS to both
/usr/ports and /extra/proot/usr/ports (in my chroot).

Recently I've seen this happening:

$ ls -l /extra/ports/packages/amd64/all/wget*
-rw-r--r--  3 _pbuild  _pbuild  1227063 May 28 12:27 /extra/ports/packages/amd64/all/wget-1.20.3p1.tgz
$ ls -l /usr/ports/packages/amd64/all/wget*
ls: /usr/ports/packages/amd64/all/wget-1.20.3p1.tgz: No such file or directory

That is, the name of the file is listed in the directory entry on the
NFS mount, but the actual file does not appear to be there.  It appears
after a few *minutes* though.

$ mount
/dev/sd0a on / type ffs (local, softdep)
/dev/sd0e on /usr type ffs (local, nodev, softdep)
/dev/sd0d on /var type ffs (local, nodev, nosuid, softdep)
/dev/sd1a on /usr/local type ffs (local, nodev, wxallowed, softdep)
/dev/sd2a on /home type ffs (local, nodev, softdep)
/dev/sd3a on /extra type ffs (NFS exported, local, nosuid, wxallowed, softdep)
localhost:/extra/ports on /usr/ports type nfs (v3, udp, timeo=100, retrans=101)
localhost:/extra/ports on /extra/proot/usr/ports type nfs (v3, udp, timeo=100, retrans=101)

The entries for the mounts in /etc/fstab:

localhost:/extra/ports  /usr/ports  nfs rw
localhost:/extra/ports  /extra/proot/usr/ports  nfs rw

This is on a current amd64 VM.

What is the cause of the delay and is there anything I could do to
trigger the NFS daemon to deliver the actual file a bit quicker?

Regards,

-- 
Kusalananda
Sweden



Re: Random system freeze.

2019-05-28 Thread Paco Esteban
Hi Stuart,

On Tue, 28 May 2019, Stuart Henderson wrote:

> Some things to try:
> 
> Does it seem to be in ddb? Try typing "call cpu_reset" blindly and see
> if it reboots.

I'll take a look at the manpages to see how that works. Never used the
kernel debugger.

> Does it start responding again if you wait?

No, at least in a "short time period" (5 minutes more or less). I'll try
to wait longer next time to test this.

> What does "sysctl kern.timecounter.hardware" say? If it's tsc, try one
> of the other names shown in "sysctl kern.timecounter.choice", probably
> acpihpet0 if available.
> 
> Is it any better with the intel driver rather than modesetting? Try this
> in xorg.conf:
> 
> Section "Device"
>    Identifier  "Intel Graphics"
>    Driver  "intel"
> EndSection

I'll try them all one change at a time and try to make a table
(work/crash) for it.

It can take some time as the problem manifests randomly.

Thanks for the suggestions.

-- 
Paco Esteban.
https://onna.be/gpgkey.asc
9A6B 6083 AD9E FDC2 0EAF  5CB3 5818 130B 8A6D BC03



Re: PF firewall for desktop

2019-05-28 Thread Kapetanakis Giannis
On 28/05/2019 11:12, Janne Johansson wrote:
> Den sön 26 maj 2019 kl 10:03 skrev Walt :
>
>> I like having a firewall that would pretty much require someone physically
>> entering the computer room in order to attack the firewall.  With OpenBSD,
>> your firewall can control your network traffic without having an IP address
>> at all.
>> One thing that you could try is to use the OpenBSD VM as the firewall, but
>> don't assign any IP address to the firewall.  The Win7 VM would have the
>> actual IP address, but the OpenBSD VM would control the network.
>> I am curious if there is any way to attack the firewall if it has no IP
>> addresses.
>>
> If you build it like the emails before listed, you still have the attack
> surface of the whole OS that runs VirtualBox, then the whole codebase of
> Virtualbox on top of that before you reach your obsd ip-less
> un-maintainable VM to "protect you" from evil packets.


In advance it's been mentioned many times in this list that bridge-only 
(IP-less) firewall is not a recommended setup.
Start with this: https://marc.info/?l=openbsd-misc&m=124056858519840&w=2
I'm sure you will find valuable info there like the post from Henning@ (pf dev):

"yes. lots of idiots do it.
bridging is stupid. don't. there are cases where you can't avoid it,
but deliberately? about as clever as knowingly drinking methanol."

First of all it's harder to detect problems, configuration errors.
There might be performance issues as well since you're utilizing the bridge 
interface (not sure if it's still a case)
IP/routing adds another layer of protection. The packets must pass the network 
layer 3 of the firewall.
Layer 2 attacks are not easy to protect from or even to detect sometimes.

Not having an IP on the firewall is no better than having an IP firewall with 
no open services or no open services on the external interface.

G




Re: hw.ncpu=1, hw.ncpuonline=1, hw.ncpufound=4

2019-05-28 Thread Ipsen S Ripsbusker
Thank you

I was not aware of the security issues of hw.smt. Fortunately, things
are fast enough without it, and I'm setting up a true multicore AMD
system soon.

On my hypothesis about CPU usage competition, I was using "interrupt"
in the sense that doesn't involve computers. For example, suppose that
I first run something that outputs its processing as it processes, like
nmh scan(1) or playing music with mpv(1). Second, in the middle, I run
something that uses the filesystem a lot, like a borg(1) backup. The
first thing's output will stop for a moment while the second thing runs.

Best salutations,
Ipsen



Re: Random system freeze.

2019-05-28 Thread Jonathan Gray
On Tue, May 28, 2019 at 09:25:52AM -, Stuart Henderson wrote:
> On 2019-05-23, Paco Esteban  wrote:
> > Hi misc@,
> >
> > I've been having some system freezes lately, as others using intel
> > graphics.
> >
> > Sometimes it does not hit in days but sometimes the system hangs 2 or 3
> > times a day.
> >
> > I was wondering if there's any information I can supply to devs that
> > could be useful (besides dmesg ...).
> 
> Some things to try:
> 
> Does it seem to be in ddb? Try typing "call cpu_reset" blindly and see
> if it reboots.
> 
> Does it start responding again if you wait?
> 
> What does "sysctl kern.timecounter.hardware" say? If it's tsc, try one
> of the other names shown in "sysctl kern.timecounter.choice", probably
> acpihpet0 if available.
> 
> Is it any better with the intel driver rather than modesetting? Try this
> in xorg.conf:
> 
> Section "Device"
>    Identifier  "Intel Graphics"
>    Driver  "intel"
> EndSection
> 

All the reports I have seen have been from skylake or kabylake.
Have never encountered it with ivy bridge or broadwell here.

jcs@ mentioned off list:

enable_dc enable_fbc enable_psr enable_ips 0 lasts longer but locked up
after a few days.

Still locks up with no i915 firmware loaded.

Not reachable over network on lockup.

Occurs with intel xorg driver as well as modesetting.



Re: Random system freeze.

2019-05-28 Thread Stuart Henderson
On 2019-05-23, Paco Esteban  wrote:
> Hi misc@,
>
> I've been having some system freezes lately, as others using intel
> graphics.
>
> Sometimes it does not hit in days but sometimes the system hangs 2 or 3
> times a day.
>
> I was wondering if there's any information I can supply to devs that
> could be useful (besides dmesg ...).

Some things to try:

Does it seem to be in ddb? Try typing "call cpu_reset" blindly and see
if it reboots.

Does it start responding again if you wait?

What does "sysctl kern.timecounter.hardware" say? If it's tsc, try one
of the other names shown in "sysctl kern.timecounter.choice", probably
acpihpet0 if available.

Is it any better with the intel driver rather than modesetting? Try this
in xorg.conf:

Section "Device"
   Identifier  "Intel Graphics"
   Driver  "intel"
EndSection





Re: PCIe SFP Network Adapter's

2019-05-28 Thread Stuart Henderson
On 2019-05-27, Patrick Dohman  wrote:
> Hoping to clarify if any PCI Express SFP adapters are currently considered 
> compatible.
> I've recently upgraded my managed switch & now have two SFP 100/1000 uplinks.
> At this point I consider my existing Broadcom NetXtreme 10/100/1000 ethernet 
> card stable
> However testing of SFP functionality on OpenBSD & PF seems worthwhile.
> A quick search turned up a StarTech PEX1000SFP2 with the following chipsets:
> Realtek - RTL8168E 
> Marvell - 88EB1
> Please note that I’m hoping to maintain desktop compatibility while 
> implementing SFP.
> Regards
> Patrick
>
>

I suggest just using 10gb SFP+ cards if you need fibre, they're easier
to find, you can use 1g SFPs in them as well as 10g SFP+, and no need to
mess with swapping cards out if you later want 10g.

I'm using ix(4) (onboard or X550 cards) here, but there are other
options. They are common enough that you can find used ones pretty
easily if you are keeping costs to a minimum. DOM statistics (light
levels, temperature, etc) are also available on 6.5 with ix and a few
other 10g nics.




Re: PF firewall for desktop

2019-05-28 Thread Janne Johansson
Den sön 26 maj 2019 kl 10:03 skrev Walt :

> I like having a firewall that would pretty much require someone physically
> entering the computer room in order to attack the firewall.  With OpenBSD,
> your firewall can control your network traffic without having an IP address
> at all.
> One thing that you could try is to use the OpenBSD VM as the firewall, but
> don't assign any IP address to the firewall.  The Win7 VM would have the
> actual IP address, but the OpenBSD VM would control the network.
> I am curious if there is any way to attack the firewall if it has no IP
> addresses.
>

If you build it like the emails before listed, you still have the attack
surface of the whole OS that runs VirtualBox, then the whole codebase of
Virtualbox on top of that before you reach your obsd ip-less
un-maintainable VM to "protect you" from evil packets.

-- 
May the most significant bit of your life be positive.