Re: Problem with CARP interfaces not responding until VHID is changed.

[Alexander Salmin]

Hey,

Welcome to the OpenBSD community mailing list. I'm also using CARP for 
lots of HA-setups and yes, I will be gentle. I have never had issues 
like yours but my setup seems very different. The virtual host id (vhid) 
and its ip adress becomes a carp-group, so changing the vhid back and 
forth is not something I understand why you are doing.


 - Try to isolate this to 2 simple test machines with as simple setup 
as possible. Be simple.
 - Make those machines either run the release version or current. State 
which.

 - Then continue;
  - Post your interfaces configurations.
  - Post your dmesg
  - Post your pf.conf
  - Post your tcpdump (where you observed this, make it as small as 
possible)
  - Also some information about why you are changing vhid would be 
interesting.
  - vhid needs to be the same on all hosts participating in the same 
carp interface.
  - if you change vhid, the other host(s) on the other side also needs 
to change.
  - Are you using a carp on top of any other non-hardware interface? 
Like a vlan, with carpdev?
  - Also, many people forget this, but if you type "man 4 carp" you 
will find a lot of good stuff to be read about carp, vhids, carpdev and 
such.


Best of luck,
Alexander





On 01/21/2016 11:02 PM, rizz2pro . wrote:

Hello,

This is my first time posting here so be gentle.


It seems that random CARP interfaces on our systems will just die, stop
replying to any requests OR only 1 request out of ~50 will make it through,
slowly.

tcpdump also shows no traffic reach the interface. Only when that 1 request
makes it through, we will see traffic arrive to the system.

We've tried everything we could think of to bring the carp interface back
to life such as reboot, run sh /etc/netstart and even going as far as
rebuilding the system server from scratch with maven and dropping the
site55.tgz file in there but none of these things fix the issue.

When we change the VHID to anything else and restart the interface, it
fixes everything and the interface is smoking fast again. When we change
the VHID back to what it originally was, we're dead in the water. Again,
change it back to any random VHID and the issue goes away. So I have
narrowed it down to VHID. Whenever we run into this problem I just tell
people to change it to anything else.

I know the CARP interface's MAC address is generated by the VHID so I am
sort of leaning towards it be an ARP issue and possibly not an issue with
the OBSD system. But I am hoping for some hints or ideas from you guys.

Thanks in advance for any help!

RZ

Re: WLAN Card frustration

[Alexander Salmin]

On 2015-12-03 19:25, bluesun08 wrote:

Hi,

in the meantime i had tested many  miniPCIe-WLAN-Cards (ar9271, ar9280,
ar9285, ar9287, ...) with OpenBSD in HostAP-mode.
But no one of them works reliable, stable and fast.

No i'm frustrated. I'm fed up with ordering, testing and sending back
several cards.

Can someone recommend me a *very well proven* miniPCIe-WLAN-Card which work
stable and fast on OpenBSD in HostAP-mode and have a good range?
Please recommend me not only a chipset but also a concrete
miniPCIe-WLAN-Card.

Which is the most used/recommended card?

This is not an easy question. Not because OpenBSD but because drivers
for wifi cards frequently change due to manufacturer decisions.

Are you looking for an integrated WLAN module, which is placed inside a 
laptop?

Or, are you looking for a mini form factor wlan card which is pci express?

Re: whats wrong with me?

[Alexander Salmin]

On 2015-12-01 21:51, Krzysztof Strzeszewski wrote:

Sorry, I'm beginner. I konow, my message was not logical.


uname -a:
#
OpenBSD hostname 5.8 GENERIC#0 i386
#


virtual server in httpd.conf:
#
server "hostname" {
listen on * port 80
listen on * tls port 443
log { access "access.log", error "error.log" }
tls { certificate "/etc/ssl/server.crt" key 
"/etc/ssl/private/server.key" }
root "/htdocs/hostname"
}
#


port 80 end 443 is open:
# netstat -a |grep http
#
tcp 0   0   localhost.https *.* LISTEN
tcp 0   0   *.https *.* LISTEN
#


in firefox:
#
Secure Connection Falied

An error occurred during a connection to my_domain. Cannot communicate
securely whih peer: no common encryption algorithm(s). (Error code:
ssl_error_no_cypher_overlap)
#


in log from httpd:
#
httpd: could not parse macro definition SSL
httpd[21336]: server_tls_init: failed to configure TLS - failed to read
private key: Operation not supported by device
#


Check the following;

1) Does private key match certificate? Verify this like so
(should result in two exact same sha512 strings);
# openssl x509 -noout -modulus -in server.pem | openssl sha512
# openssl rsa -noout -modulus -in server.key | openssl sha512

2) Is httpd allowed to read key file?
# ls -lhart /etc/ssl/server.crt
# ls -lhart /etc/ssl/private/server.key

3) Check with browser random x on random other operating system y.

Re: ansible openbsd_rcctl module

[Alexander Salmin]

On 2015-12-01 09:54, Sarevok Anchev wrote:

Hello,

Recently I submitted openbsd_rcctl to ansible. In order to speed up the
process of having it included by default, I'm asking the community to
review/test the module and drop a comment at
https://github.com/ansible/ansible-modules-extras/pull/1296

Let me know if there are other OpenBSD-specific modules you'd like to see
for ansible.

p.s: not subscribed to the list, cc me

Hey again,

Much appreciated as I said already. I left my computer and instantly
remembered a few more things. Hope it is OK.

My second wish; vlandev for vlan-interfaces and carpdev for 
carp-interfaces. See below.
Third wish, I'd like description from all interfaces visible. See below 
for vlan example but same for all.
Fourth wish; I'd like carp demote counters, advbase and advskew visible 
for carp.

Fifth wish; vhid for carp

I am very grateful for carp status however, it is already implemented.

Alexander




## TEST OPENBSD MACHINE

# uname -a
OpenBSD test46.local.lan 5.8 GENERIC#1534 amd64

# ifconfig vlan34 create vlandev bge0

# ifconfig vlan34
vlan34: flags=8843 mtu 1500
lladdr 00:24:81:eb:1f:14
priority: 0
vlan: 34 parent interface: bge0
groups: vlan
status: active

## LAPTOP WITH ANSIBLE (no vlandev is visible)

# ansible -m setup test46.local.lan -a 'filter=ansible_vlan34'
test46.local.lan | success >> {
"ansible_facts": {
"ansible_vlan34": {
"device": "vlan34",
"flags": [
"UP",
"BROADCAST",
"RUNNING",
"SIMPLEX",
"MULTICAST"
],
"ipv4": [],
"ipv6": [],
"macaddress": "00:24:81:eb:1f:14",
"mtu": "1500",
"status": "active",
"type": "unknown"
}
},
"changed": false
}

Re: ansible openbsd_rcctl module

[Alexander Salmin]

On 2015-12-01 09:54, Sarevok Anchev wrote:

Hello,

Recently I submitted openbsd_rcctl to ansible. In order to speed up the
process of having it included by default, I'm asking the community to
review/test the module and drop a comment at
https://github.com/ansible/ansible-modules-extras/pull/1296

Let me know if there are other OpenBSD-specific modules you'd like to see
for ansible.

p.s: not subscribed to the list, cc me

Hey Sarevok,

Much appreciated. If you have the time I'd really like improved gre 
interface support for the tunnel configuration. See below example. 
Thanks for asking and for offer your help.


## TEST OPENBSD MACHINE

# uname -a
OpenBSD test46.local.lan 5.8 GENERIC#1534 amd64

# ifconfig gre0 create 1.2.3.4 5.6.7.8 tunnel 11.22.33.44 55.66.77.88

# ifconfig gre0
gre0: flags=9011 mtu 1476
priority: 0
groups: gre
tunnel: inet 11.22.33.44 -> 55.66.77.88
inet 1.2.3.4 --> 5.6.7.8 netmask 0xff00


## LAPTOP WITH ANSIBLE

# ansible -m setup test46.local.lan -a 'filter=ansible_gre0'

test46.local.lan | success >> {
"ansible_facts": {
"ansible_gre0": {
"device": "gre0",
"flags": [
"UP",
"POINTOPOINT",
"LINK0",
"MULTICAST"
],
"ipv4": [
{
"address": "1.2.3.4",
"broadcast": "0xff00",
"netmask": "5.6.7.8",
"network": "1.2.3.0"
}
],
"ipv6": [],
"macaddress": "unknown",
"mtu": "1476",
"type": "unknown"
}
},
"changed": false
}

Re: whats wrong with me?

[Alexander Salmin]

On 2015-11-30 20:52, Krzysztof Strzeszewski wrote:

Hi,
whats wrong?:

httpd: could not parse macro definition SSL
httpd[21336]: server_tls_init: failed to configure TLS - failed to read
private key: Operation not supported by device


Krzysztof Strzeszewski

Hey Krzysztof,

Two reasons why you did not receive much feedback on this.
- You did not supply OpenBSD version (uname -a) so we can't replicate 
with same version.

- You did not provide httpd.conf(8) so we can't replicate your exact setup.

A key to good free online OpenBSD support is to; "Always provide as much 
information as possible. Try to pin-point the exact problem. Give clear 
instructions on how to reproduce the problem. Try to describe the 
problem with as much accuracy and non-confusing terminology as possible, 
especially if it is not easy to reproduce." // 
http://www.openbsd.org/report.html


Continue to fail this and the world will just lead to sadness and despair.

Alexander

Re: Meaning of '+', '*' in disk: hd0+ hd1+* hd2*

[Alexander Salmin]

The '+' character after the "hd0" indicates that the BIOS has told /boot 
that this disk can be accessed via LBA. When doing a first-time install, 
you will sometimes see a '*' after a hard disk -- this indicates a disk 
that does not seem to have a valid OpenBSD disk label on it.


http://www.openbsd.org/faq/faq14.html#Boot386


On 2015-11-30 19:28, edward wandasiewicz wrote:

If I have the following showing after a probe during biosboot

disk: hd0+ hd1+* h2*

What is the meaning of '+', '+*' and '*' next to each disk?

Edward.

Re: Wireless PCI hardware

[Alexander Salmin]

On 2015-11-27 05:13, li...@wrant.com wrote:

For USB I am using the run(4) driver for Ralink 802.11n product
Netsys98N but my head hurts a bit while using it.

You're most probably imagining the headache part or you have some sort
of astigmatism (or another eye focus related condition you're unaware
of), go "see" an optician who can also fix your wireless power rating
psychosomatic (look and) feel.
It is possible that you are right, I'll start use my tinfoil hat and be 
safe.

http://www.dx.com/p/netsys-98n-2-4ghz-4200mw-high-power-802-11b-g-n-150mbps-usb-wi-fi-wireless-network-adapter-93722#.Vled1noy30M

This is very likely false rating as the USB 2.0 port is rated 500 mA at
5 V DC (which usually drops to 4.75 V under full load) delivering up to
2500 mW at maximum power drain.  Probably would be interesting to
actually ask the maker what's this stupid lie and see what they come up
with.  Also with these phoney devices, the 9 dBi antennas are usually
just 5 dBi in a longer plastic casing, an incredibly brain damaged trick.

https://en.wikipedia.org/wiki/USB

Thanks for the explanation. Using the run(4) driver for this is OK since
I only use it as client when I need *extreme* range and not for hostap 
mode purposes.

Re: Wireless PCI hardware

[Alexander Salmin]

On 2015-11-27 08:48, Tati Chevron wrote:



- TP-Link TL-WN851ND
Works on OpenBSD. 


On 2015-11-27 08:52, Jason McIntyre wrote:

anyway i currently have a tp-link tl-wn881nd (so close!). it's an athn
and has worked perfectly. it was very cheap, though i don;t remember the
price.

jmc

Bought and tested both TP-Link WN881ND and TP-Link TL-WN851ND.
Confirmed that both works very well.

Thanks.

Re: Wireless PCI hardware

[Alexander Salmin]

On 2015-11-27 08:48, Tati Chevron wrote:

On Fri, Nov 27, 2015 at 12:08:37AM +0100, Alexander Salmin wrote:

I want OpenBSD in hostap mode with PCI or PCIe ath / athn driver.


Be aware that hostap mode is not particularly reliable, usable, or with
good peformance at the moment.


That's OK, my purpose is not production.

- TP-Link TL-WN851ND


Works on OpenBSD.

I also got information off-list that also TP-Link TL-WN881ND works well.
I found a store which has both of them, so I'll go buy these today and see.

Thanks everyone.

Alexander

Wireless PCI hardware

[Alexander Salmin]

Hey friends,

I want OpenBSD in hostap mode with PCI or PCIe ath / athn driver.

I am not interested in USB Wifi which has recently been discussed
on this list, already have a good usb wifi that works well for its 
purpose (thanks!).


Instead I have been checking out the ath(4) and athn(4) driver manuals
for compatible pci or pcie cards.

I would love to go haywire and buy more cards in my local store and test
them, but once I open the seal; I can't return them. Yes, I tried, this 
is not

an option anymore, spent too much money on it. :-|

If you recently bought a PCI or PCIe wireless card with atheros chipset
that works for OpenBSD, please report which name/model/manufacturer and 
preferably ~buydate so we know if its recently or might been replaced by 
new version.


Or, if you are running a computer store or similar or have a friend that 
does,

maybe you can help with testing(?).

Cards I have not yet tested which I'm thinking of buying, any advise on 
these?

Both are quite cheap.

- TP-Link TL-WN851ND
- TP-Link TL-WDN4800


Alexander

Re: Wireless PCI hardware

[Alexander Salmin]

Don't know about PCI but could get cardbus adaptor for d-link DWA-652
that works well for me or look up it's chip. What usb are you using as
the ones i tried a while back weren't much good though there have been
changes to the drivers since so probably worth trying again.

http://www.ebay.co.uk/itm/D-Link-DWA-652-Xtreme-N-Wireless-Notebook-Adapter-Draft-/400461073245?hash=item5d3d570b5d:g:HdsAAOxyrP9RZur0

For USB I am using the run(4) driver for Ralink 802.11n product 
Netsys98N but my head hurts a bit while using it. Not so good for 
long-term use. :-) Works extremely well though, very long-range. But 
still, looking for PCI/PCIe.


http://www.dx.com/p/netsys-98n-2-4ghz-4200mw-high-power-802-11b-g-n-150mbps-usb-wi-fi-wireless-network-adapter-93722#.Vled1noy30M

Re: WLAN Card AP feature

[Alexander Salmin]

If the system identified your wlan-card, write this.

# ifconfig | grep -1 -B3 wlan | grep -o -E -e "^([a-z]{1,3})" | xargs man

On 2015-11-25 19:03, bluesun08 wrote:

Please, can you give me a link of the manual for the 802.11 drivers?



--
View this message in context: 
http://openbsd-archive.7691.n7.nabble.com/WLAN-Card-AP-feature-tp283685p283756.html
Sent from the openbsd user - misc mailing list archive at Nabble.com.

Re: OBSD 5.8 and console

[Alexander Salmin]

I have a similar setup. Kill your screen, and connect again, usually 
works for me.


On 2015-11-22 17:13, Alessandro Baggi wrote:
set tty com0 

Re: rdomain with BGP dynamic route

[Alexander Salmin]

Hey,

man 5 bgpd.conf

See section Routing Domain Configuration and parameters 
export-target and import-target. I suspect that is what you want.


Alexander Salmin

On 2015-07-24 13:47, XU, YANG (YANG) wrote:

Let me describe it in another way. Can I create a new rdomain as a VRF and use 
the rdomain to import/export customer's prefix through BGP?

I will greatly appreciate it if you can provide any information. I have seen 
some information online, but prefix is either from static configuration or 
connected network. In my case, I need to support dynamic routes from BGP in VRF.

Thanks,
-Yang




From: owner-m...@openbsd.org [owner-m...@openbsd.org] On Behalf Of XU, YANG  
(YANG)
Sent: 23 July 2015 08:06
To: misc@openbsd.org
Subject: rdomain with BGP dynamic route

Hi all,

I am configuring OpenBSD bgpd so that it can relay the routes learned from 
customer BGP servers to a route reflector (RR). Customer BGP servers only speak 
IPv4 BGP, so my OpenBSD bgpd needs to add different route-distinguisher and 
route-target to the dynamic routes learned from each customer BGP neighbor 
before forwarding to RR. As I understand, I should be able to use rdomain to 
implement this. What I really need conceptually is to attach a BGP neighbor to 
a rdomain, so that dynamic routes learned from that BGP neighbor are added to 
the specified rdomain.  But I failed to find a way to do this in OpenBSD. Does 
anyone know if this is possible and give me an BGP configure example?

Many thanks in advance,

-Yang

Re: Regarding the default /usr partitioning

[Alexander Salmin]

Hi,

Read up on the Automatic disk allocation chapter in the disklabel manual 
as mentioned by Raf. Basically partitions are dynamically allocated 
based on total disk-space with a few exceptions - the following paths 
have their own partitions on disks larger than 7G (so you are mistaken 
about the /usr/src part, as Raf said). Maybe you should use make clean 
after your jobs? What exactly is using all your disk space? I suggest 
reading 15.3.6 - Cleaning up after a build at 
http://www.openbsd.org/faq/faq15.html


2G /usr/src
2G /usr/obj
10G /usr/local
1G /usr/X11R6

Alexander

On 2015-06-29 00:42, Raf Czlonka wrote:

On Sun, Jun 28, 2015 at 11:15:20PM BST, Carlos Fenollosa wrote:


Hi,

Hi Carlos,


I’m a new OpenBSD user, so please forgive me if this topic has been
discussed thoroughly already.

I installed a new box using the default partitioning (2GB for
/usr) and I found that it’s a bit insufficient since /usr/ports,
/usr/xenocara and /usr/src hang from there on the same partition, and
eat up most of those 2GB. I’ve searched online and some users also
found the same problem

Do you think it would be a good idea to increase that number to about
5GB? I could try to write a simple patch for it.

It all depends on the size of your disk but most likely you are mistaken.

man 8 disklabel

Raf

Re: alternative places to buy the CDs in US are needed

[Alexander Salmin]

Download, buy media yourself, and donate. Download docs online, print 
them, donate. Iterate every release, or more often. Don't understand how 
this can be so hard? Donations = close to zero effort. Printing CDs = 
more than zero effort for the project.


On 2015-06-26 16:58, Boris Goldberg wrote:

Hello misc,

   I've looked (and registered) at openbsdstore.com (USA site) - don't
like it (a lot). Use to buy OpenBSD stuff from a US book store, but can't
find it (there was a link to it on the openbsd.org, but not any more). Are
there alternative (local) options to buy the OpenBSD CDs in the US?

Re: Puppet and OpenBSD. Any examples/experience for unattended provisioning?

[Alexander Salmin]

Are you looking into running a puppet server or puppet client on 
OpenBSD? For the server, the requirements are many, and even if it's 
possible, it can be a bit hard to get everything right. As for the 
puppet client, it works as intended.


Unless you are aiming for bare-metal (with foreman or something similar) 
and if you are open to suggestions I'd say try ansible. I'm using it on 
some 30+ OpenBSD servers which works great. It's really easy to learn. 
Both package managment and sysctl configuration is of high quality as 
well as templates with jinja2-syntax.


But as always, use what works best for you. Maybe if you explain more 
about what parts of the OpenBSD system you want to automate the list can 
help you with some suitable automation options.


Alexander Salmin

On 2015-06-21 15:00, Kirill Peskov wrote:

Hi All,

Looks like there is no comprehensive guide/howto in the Net for $subj...
Googling gives some discussions and presentations regarding running
puppet server on OpenBSD, which is not so interesting. My task is to
automate provisioning of bunch of OpenBSD servers across several LANs
and puppet would be a good helper here (OK, maybe Saltstack could be an
alternative solution, but there is even less info about such a
combination out there).

Thanx in advance,
Kirill

Re: IPSec and Cisco peers

[Alexander Salmin]

Hey,

Based on my experience you could try three things:
 - Provide us with the Cisco configuration on that side.
 - Use packet-tracer from the cisco device, it's really helpful in these 
situations.
 - Verify every little bit of configuration on both sides so that they are 
exactly the same.

Alexander Salmin


On 2015-04-07 16:28:00, jean-yves boisiaud wrote:
 hello,
 
 I'm using IPSec with OpenBSD.
 
 I cannot connect with some Cisco appliances, a Cisco Asa and a Cisco 2951.
 
 For these two Cisco gw, I can see in the log the same messages :
 
 Apr  7 16:10:00 billy isakmpd[31908]: isakmpd: phase 1 done: initiator id
 X, responder id Y, src: X dst: Y
 Apr  7 16:10:00 billy isakmpd[31908]: isakmpd: Peer Y made us delete live
 SA peer-Y-local-X for proto 1, initiator id: X, responder id: Y
 
 As the remote IT engineers wanted me to enable DPD, I changed the ipsec
 configuration from active to dynamic, but nothing changes.
 
 Is there something wrong in my configuration ?
 
 ike dynamic esp from 192.168.36.0/24 to 10.0.0.0/8 \
   local X peer Y \
   main auth hmac-md5 enc 3des group grp2 lifetime 28800 \
   quick auth hmac-sha1 enc 3des group grp2 lifetime 28800 \
   srcid X dstid Y \
   psk z
 
 -- 
 Jean-Yves Boisiaud - Alcor Consulting
 24, rue de la Glycine
 49250 Saint Remy la Varenne
 mobile : +33 6 63 71 73 46  fixe : +33 9 72 41 19 35

Re: CPU criteria for OpenBSD firewall

[Alexander Salmin]

Good luck, when you have time I also recommend that you read this.
https://calomel.org/network_performance.html

On 2015-02-19 08:05:54, ML mail wrote:
 Thanks to all of you for this interesting discussion. My OpenBSD firewall 
 will only be doing PF as I totally agree that a firewall should have the 
 least userland application running as possible of course if your budget 
 permits it. So far I have around 340 rules (as the number of lines in the 
 output of a pf -sr) and a state table of around 12-20k entries depending 
 the time of the day. As per your recommendations I will go with a higher CPU 
 frequency and less cores as packet filtering still only takes place on one 
 single core. I might also experiment if I should use bsd.mp or the standard 
 non SMP bsd.
 
 I also agree with Nick that CPU is of course not the only criteria but the 
 rest I have luckily already sorted out :) For example by using nice and 
 modern Intel 10 Gbit/s NICs, CompactFlash industrial grade flash storage, 
 redundant setup with 2 firewalls and CARP, etc. OpenBSD does a great job 
 here, I don't even want to imagine the price of such a setup with C***o 
 hardware.
 
 Cheers

Re: Help needed: pkg_add dropps connections

[Alexander Salmin]

Have you also tried without the proxy?


On 2015-02-18 13:47:26, Marc Espie wrote:
 On Tue, Feb 17, 2015 at 03:15:14PM +0100, Stefan Wollny wrote:
  Hello!
  
  I'd like to pick up an issue that is bugging me for some time now:
  Whenever I run 'pkg_add -ui' my connection gets terminated soon,
  reliably at the latest once packages starting with g are checked. I
  suspect it is in my pf.conf but it is not obvious to me.
  
  My system: Lenovo T60 running amd64-current. Below I provide the
  obligatory dmesg, pf.conf, rc.conf.local and sysctl.conf.
  
  Checking what is going on with 'pftop' I noticed that 'pkg_add' opens up
  hundreds of connections, all with state 'TIME_WAIT:TIME_WAIT' or
  'FIN_WAIT_2:FIN_WAIT_2'. Once around 100 such states are established the
  connection will be dropped soon. I've tried ftp.hostserver.de,
  openbsd.cs.fau.de and ftp.openbsd.org - all show the same behaviour.
  E.g. PKG_PATH is set in my .profile like so:
  PKG_PATH=http://ftp.hostserver.de/pub/OpenBSD/snapshots/packages/amd64/
 
 All those connections get closed by pkg_add.  If you don't see them closing
 in your pf log, you need to figure out why.

Re: OpenBSD firefox useragent Facebook

[Alexander Salmin]

Not using facebook but have you checked on another computer? Feels like this is 
not related to OpenBSD.
Anyway, your best choice is using developer-tools and trying to identify which 
requests works and which does not.
Maybe you have like me, local DNS-server which blocks famous ad-providers IPs 
or similar in your hosts-file?

On 2015-02-18 15:32:41, Erling Westenvik wrote:
 Not sure if this belongs in @misc or @ports - if any! - but I'll give
 the former a shot.
 
 All below applies to amd64/current-installations of mine.
 
 The last few months, I've been unable to tag other people when
 commenting on Facebook. I've tried resetting Firefox, disabling add-ons,
 deleting old profiles, reinstalling the browser, and even doing a fresh
 install of Firefox on a new OpenBSD installation. All to now avail.
 
 I suspect the user agent setting to be the culprit and have tried
 experimenting with various strings. Some of them enables me to tag other
 people, but messes up other things.
 
 Would anyone using Facebook be so kind as to provide me with a working
 user agent string for Firefox (35.0) ?
 
 Thanks,
 
 Erling
 
 PS. Just checked and neither Seamonkey nor Chrome will let me tag people
 in comments. This is getting weird...

Re: CPU criteria for OpenBSD firewall

[Alexander Salmin]

I might start a flame now but the higher freq and less core model is the 
better choice unless your firewall will do other things than packetfiltering 
and routing.

On 2015-02-18 22:30:31, ML mail wrote:
 Hi,
 
 Stupid question but if you would have to choose between two different Intel 
 CPUs for an OpenBSD firewall using 4 to 6 Intel NICs with all /24 networks 
 behind and around 50-60 Mbit/s average traffic would you rather choose the 
 CPU with higher Frequency and less cores or for a CPU with lower frequency 
 but more cores?
 
 For example:
 
 - E5-2630Lv3, 20M Cache, 1.80 GHz, 8 cores: 
 http://ark.intel.com/products/83357/Intel-Xeon-Processor-E5-2630L-v3-20M-Cache-1_80-GHz
 - E5-2637v3, 15M Cache, 3.50 GHz, 4 cores: 
 http://ark.intel.com/products/83358/Intel-Xeon-Processor-E5-2637-v3-15M-Cache-3_50-GHz
 
 Or asked differently, which are the importants criteria to look at first for 
 a CPU intended to be used in an OpenBSD firewall?
 
 Regards
 ML

Re: Mutt Sidebar not working properly

[Alexander Salmin]

Hi,

I'd say its way easier to help you and debug it with your .muttrc-file. I'm 
using sidebar
with mutt and have no issues with it.

Send both mutt -v output and .muttrc

Cheers,
Alexander 

On 2015-02-12 20:19:05, Dutch Ingraham wrote:
 Hello all:
 
 I installed the binary mutt last week with the compressed, sasl, and sidebar
 flavors.  I also used my standard .muttrc from other systems.  Everything
 worked fine except the sidebar.  While all folders are present, and I can
 scroll to any folder, no folder will open.  The folders do seem to be in sync,
 though.
 
 As an exercise, I deleted the package and compiled the port with the gpgme,
 sasl, and sidebar flavors; there was no difference as to the sidebar issue.
 
 My current system is OpenBSD 5.7 GENERIC.MP#834 amd64 -current to Feb. 2.  I
 am using IMAP.
 
 Any hints as to where the issue may lie are appreciated.  If my .muttrc, dmesg
 or anything else is needed, please let me know.  Thanks.

Re: packets logged by pf without log rule

[Alexander Salmin]

Did you see it in previous versions? 
I would compare the same ruleset with a fresh 5.5 and see if you experience the 
same and in that case continue compare the relevant sourcecode.

Regards,
Alexander Salmin

On 2014-09-15 16:18:26, Tony Sarendal wrote:
 I'm currently looking into some logging strangeness in we are seeing.
 Does anyone know why this is logged ?
 
 obc3.rad# cat /etc/pf.conf
 pass quick all
 obc3.rad# pfctl -sr
 pass quick all flags S/SA
 obc3.rad# tcpdump -n -e -ttt -i pflog0
 tcpdump: WARNING: snaplen raised from 116 to 160
 tcpdump: listening on pflog0, link-type PFLOG
 Sep 15 16:07:31.276913 rule 0/(match) pass in on em0: 10.69.48.14 
 239.192.104.1: igmp nreport 239.192.104.1 (DF) [tos 0xc0] [ttl 1]
 Sep 15 16:07:31.278020 rule 0/(match) pass in on em0: 10.69.48.14 
 239.192.104.1: igmp nreport 239.192.104.1 (DF) [tos 0xc0] [ttl 1]
 
 
 obc3.rad# tcpdump -n -i em0 igmp
 tcpdump: listening on em0, link-type EN10MB
 tcpdump: WARNING: compensating for unaligned libpcap packets
 16:07:31.276905 10.69.48.14  239.192.104.1: igmp nreport 239.192.104.1
 (DF) [tos 0xc0] [ttl 1]
 16:07:31.278014 10.69.48.14  239.192.104.1: igmp nreport 239.192.104.1
 (DF) [tos 0xc0] [ttl 1]
 
 
 Regards Tony
 
 
 OpenBSD 5.6-current (GENERIC.MP) #0: Wed Sep 10 13:39:02 CEST 2014
 r...@obc3.rad.unibet.com:/usr/src/sys/arch/amd64/compile/GENERIC.MP
 real mem = 8545173504 (8149MB)
 avail mem = 8308969472 (7924MB)
 mpath0 at root
 scsibus0 at mpath0: 256 targets
 mainbus0 at root
 bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xeb4c0 (54 entries)
 bios0: vendor American Megatrends Inc. version 2.0a date 06/08/2012
 bios0: Supermicro X9SCD
 acpi0 at bios0: rev 2
 acpi0: sleep states S0 S1 S4 S5
 acpi0: tables DSDT FACP APIC FPDT MCFG HPET SSDT PRAD SPMI SSDT SPCR EINJ
 ERST HEST BERT BGRT
 acpi0: wakeup devices PS2K(S4) PS2M(S4) UAR1(S4) P0P1(S4) USB1(S4) USB2(S4)
 USB3(S4) USB4(S4) USB5(S4) USB6(S4) USB7(S4) PXSX(S4) RP01(S4) PXSX(S4)
 RP02(S4) PXSX(S4) [...]
 acpitimer0 at acpi0: 3579545 Hz, 24 bits
 acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
 cpu0 at mainbus0: apid 0 (boot processor)
 cpu0: Intel(R) Xeon(R) CPU E3-1270 V2 @ 3.50GHz, 3500.49 MHz
 cpu0:
 FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
 H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX
 ,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,A
 ES,XSAVE,AVX,F16C,RDRAND,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS
 cpu0: 256KB 64b/line 8-way L2 cache
 cpu0: smt 0, core 0, package 0
 mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
 cpu0: apic clock running at 100MHz
 cpu0: mwait min=64, max=64, C-substates=0.2.1.1.0, IBE
 cpu1 at mainbus0: apid 2 (application processor)
 cpu1: Intel(R) Xeon(R) CPU E3-1270 V2 @ 3.50GHz, 3500.02 MHz
 cpu1:
 FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
 H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX
 ,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,A
 ES,XSAVE,AVX,F16C,RDRAND,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS
 cpu1: 256KB 64b/line 8-way L2 cache
 cpu1: smt 0, core 1, package 0
 cpu2 at mainbus0: apid 4 (application processor)
 cpu2: Intel(R) Xeon(R) CPU E3-1270 V2 @ 3.50GHz, 3500.02 MHz
 cpu2:
 FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
 H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX
 ,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,A
 ES,XSAVE,AVX,F16C,RDRAND,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS
 cpu2: 256KB 64b/line 8-way L2 cache
 cpu2: smt 0, core 2, package 0
 cpu3 at mainbus0: apid 6 (application processor)
 cpu3: Intel(R) Xeon(R) CPU E3-1270 V2 @ 3.50GHz, 3500.02 MHz
 cpu3:
 FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
 H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX
 ,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,A
 ES,XSAVE,AVX,F16C,RDRAND,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS
 cpu3: 256KB 64b/line 8-way L2 cache
 cpu3: smt 0, core 3, package 0
 cpu4 at mainbus0: apid 1 (application processor)
 cpu4: Intel(R) Xeon(R) CPU E3-1270 V2 @ 3.50GHz, 3500.02 MHz
 cpu4:
 FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
 H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX
 ,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,A
 ES,XSAVE,AVX,F16C,RDRAND,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS
 cpu4: 256KB 64b/line 8-way L2 cache
 cpu4: smt 1, core 0, package 0
 cpu5 at mainbus0: apid 3 (application processor)
 cpu5: Intel(R) Xeon(R) CPU E3-1270 V2 @ 3.50GHz, 3500.02 MHz
 cpu5:
 FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
 H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX
 ,SMX,EST,TM2,SSSE3,CX16,xTPR