Re: When will be created a great desktop experience for OpenBSD?

2019-05-09 Thread Charles
@ Steve

>  One point I didn't see in RFC's post is stability. When I used OpenBSD
>  back in 2010, subjectively it seemed more stable, more consistent, and
>  less surprising than any Linux I'd ever used (and of course than any
>  Windows I'd ever used). If my computer were just for web browsing,
>  social networking, email, and storing photos and videos, Ubuntu or Mint
>  would be stable enough. But the way I work, I often have over 50
>  windows open. I can't afford the massive instability bestowed by "we do
>  it all for you" user interfaces.

This is also true. In my experience with Gnome, KDE, et al., these
fancy configuration menus and wizards generally wind up being leaky
abstractions. Writing a simple format into /etc/hostname.if has in my
experience had far fewer caveats than NetworkManager or nm-applet. I had
mostly addressed stability in terms of UI/UX design, but in the broader
software quality meaning of the word it's a good point.

I would be fine with using a fancy tool to configure everything... if it
worked and was consistent. So far the only such tool I've found to
deliver on that (actually functioning and being consistent) is OpenBSD's
/etc/.



Re: When will be created a great desktop experience for OpenBSD?

2019-05-08 Thread Charles
I'd like to chime in here, on a slightly different subject.

I think the OP (Clark) raises a point, but I suggest he's coming at it
from the wrong angle. I think there's something here to discuss that I
have not seen mentioned in this thread thus far.

TL;DR: the OpenBSD (and friends) way of thinking is falling further and
further out of fashion with respect to mainstream computing  -- I justify
this statement, posit on the need for action, and propose a starting
point.

Disclaimer 1: I use OpenBSD at various points to refer to the piece of
code, to the development philosophy, to the development team, and to the
community of users. I try to make clear which I am referencing; sorry if
it's confusing.

Disclaimer 2: I am not an OpenBSD developer. I have contributed only in
very minor ways. I don't speak on behalf of anyone other than myself as
a user of OpenBSD. If it seems at points that I am speaking on behalf of
"OpenBSD" (by any of the previous definitions), I intend that as an
appeal to my perception of what the community of users and developers
feels and thinks, based on my interactions with them here and elsewhere.
If I am wrong in this respect, I invite corrections.

It certainly seems that there is a great disconnect from the canonical
(small c) definition of "great desktop experience", and the OpenBSD (and
friends) definition. I feel that the broader notion of what a "great
desktop experience" means within the context of the 2019 zeitgeist has
trended towards pandering to the user, in my view to the point of being
patronizing.

"The users cannot be trusted to manage their own files, it's too hard and
will confuse them."

"The users cannot be trusted to install their own programs, it's too hard
and will confuse them."

...

"The users cannot be trusted to make decisions, it's too hard and will
confuse them."

You get the picture (hopefully).

Part of this is perhaps because the users are "bad at using computers".
I think most anyone who has helped a computer-illiterate family member
or friend with any technology related problem for more than 5 minutes
will see the truth in this statement. But I think it's not the users'
fault; many might argue "but if the users would only learn X, Y, and Z
DE/WM/OS/app/etc". I feel that many _do_ argue this, with all the talk
these days of "pushing the envelope", "modern UX", "innovation", and so
on in big blinking neon letters. Ultimately, what this means is telling
the users "yup, you learned $paradigm, but now we have $paradigm++
because it's the new big thing". If you're a corporate user on a box you
don't control, or you just don't have the experience to do systems
administration on your own, you have to suck it up and deal with it.

That probably won't be a relatable sentiment to nearly anyone likely to
ever read this document. But as a thought experiment, let's imagine if
vi got a fresh new UX paradigm every year or so, and let's pretend for
the sake of argument that we can't patch it or revert. I think all of us
would not want to use such a program very much. vi takes a while to
learn, and while I (as a diehard vim user) would argue against the
notion of the vi paradigm as the One True Way to edit text, it is
certainly a very powerful tool... because of the time put in to build
muscle memory and intuition about it, knowing that that knowledge will
be applicable to vi implementations for decades to come. Without the
ability to trust that time spent front-loading learning will not be
wasted when $paradigm goes to $paradigm++ in a year, who would ever
invest effort into learning more than the bare minimum?

Remember that the typical computer user sees their box the way most of
us probably see our cars. It doesn't matter how it works, as long as it
does, but nobody wants a car where the gas and brake pedals switch every
second Tuesday and you wake up one morning to discover the head unit is
now entirely in Sumerian.

It would seem that this creates a self-perpetuating feedback loop. The
users have a difficult time using the software because they don't learn
it, so the software changes to accommodate the users better, which
further puts folks off of ever learning any of it very well (by
punishing the ones who try). I suggest that this trend has become so
prolific that it has seeped into the general human population's
consciousness around how interacting with computers works.

Think about it. How many software packages do you know of where a user
could learn how to use it well once and have that knowledge be
applicable for years or decades thereafter? This is something we expect
(as technical folk) of shells and editors, scripting languages, and so
on, but it is not something that the layperson using a GUI can now or at
any point in the past reasonably expect.

Remember also that every developer was once a user at some point. It
sure seems that the wall you have to climb over to go from user to
developer keeps getting higher and higher every year.

There are several 

Re: Xorg blanks until I switch to a TTY and back on 6.5

2019-04-30 Thread Charles
On Mon, Apr 29, 2019 at 05:05:25PM +1000, Jonathan Gray wrote:
> On Sun, Apr 28, 2019 at 07:26:54PM -0400, Charles wrote:
> > Hello list,
> > 
> > Ever since the new inteldrm driver got merged into -current, shortly
> > before the 6.5 release, I'm seeing an odd new behavior on my Thinkpad
> > T430 -- when an external display is connected, Xorg blanks all screens
> > (but the mouse can still be seen) until I switch to a TTY and back
> > (i.e. C-A-F4 then C-A-F5), after which point it goes back to normal.
> > 
> > I'm glad the new inteldrm driver got merged, since it fixes several
> > other video issues I was having. This problem is very minor since the
> > workaround is just a few extra keystrokes when I dock or undock, but it
> > is nevertheless annoying.
> > 
> > Is anyone else experiencing this issue on third-gen Core i-series Intel
> > chips with integrated graphics? Or on any other chips for that matter?
> > 
> > I checked Xorg.0.log and didn't see anything suspicious. I also tried
> > disabling monitor hotplugging via Xorg.conf, but I either did it wrong
> > or it had no effect.
> > 
> > I would attach xorg logs and dmesg, but AFAIK misc@ does not allow
> > attachments, and I don't want to annoy people with that much inline
> > info.
> 
> Does this help?
> 
> Index: sys/dev/pci/drm/drm_fb_helper.c
> ===
> RCS file: /cvs/src/sys/dev/pci/drm/drm_fb_helper.c,v
> retrieving revision 1.13
> diff -u -p -r1.13 drm_fb_helper.c
> --- sys/dev/pci/drm/drm_fb_helper.c   14 Apr 2019 10:14:51 -  1.13
> +++ sys/dev/pci/drm/drm_fb_helper.c   29 Apr 2019 06:58:25 -
> @@ -575,6 +575,9 @@ static bool drm_fb_helper_is_bound(struc
>  #ifdef notyet
>   if (READ_ONCE(dev->master))
>   return false;
> +#else
> + if (!SPLAY_EMPTY(>files))
> + return false;
>  #endif
>  
>   drm_for_each_crtc(crtc, dev) {
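Review bot: the condition added in the `#else` branch, `if (!SPLAY_EMPTY(>files))`, is not valid C as it appears here; the macro argument has lost its left-hand side (the mail shows only `>files`), so the hunk cannot be applied from the archive as quoted and the revision should be taken from CVS instead. Logically the new branch stands in for the `READ_ONCE(dev->master)` test that is compiled out under `#ifdef notyet` and makes drm_fb_helper_is_bound() return false whenever the device's files tree is non-empty, i.e. whenever some process has the DRM device open, rather than only when a master is set; a one-line comment in the hunk saying that this coarser check is intended would spare the next reader from wondering whether it is too broad.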

This appears to have done the trick. I tested with two displays that
were affected by the originally noted issue. I will continue running
with this patch for a while and report back if the issue re-appears, or
there are other relevant developments.

Thank you for the patch.

~ Charles



Xorg blanks until I switch to a TTY and back on 6.5

2019-04-28 Thread Charles
Hello list,

Ever since the new inteldrm driver got merged into -current, shortly
before the 6.5 release, I'm seeing an odd new behavior on my Thinkpad
T430 -- when an external display is connected, Xorg blanks all screens
(but the mouse can still be seen) until I switch to a TTY and back
(i.e. C-A-F4 then C-A-F5), after which point it goes back to normal.

I'm glad the new inteldrm driver got merged, since it fixes several
other video issues I was having. This problem is very minor since the
workaround is just a few extra keystrokes when I dock or undock, but it
is nevertheless annoying.

Is anyone else experiencing this issue on third-gen Core i-series Intel
chips with integrated graphics? Or on any other chips for that matter?

I checked Xorg.0.log and didn't see anything suspicious. I also tried
disabling monitor hotplugging via Xorg.conf, but I either did it wrong
or it had no effect.

I would attach xorg logs and dmesg, but AFAIK misc@ does not allow
attachments, and I don't want to annoy people with that much inline
info.

Thanks,

~ Charles



Re: Questions about Carp / PF / PFSync

2019-02-22 Thread Charles Amstutz
> On 2019/02/22 20:45, Charles Amstutz wrote:
> > > Not sure if it will give any additional clues but can you show dmesg
> > > please?
> >
> > Sure, however, they are quite lengthy, are you wanting the whole thing? I
> > apologize, not sure of protocol here.
> 
> Yes please, the whole thing is fine (and preferable to cutting bits out and
> accidentally trimming something that might have been useful!).

Alright, here it is. Please note, the public IPs have been scrubbed.



Re: Questions about Carp / PF / PFSync

2019-02-22 Thread Charles Amstutz
> Not sure if it will give any additional clues but can you show dmesg please?

Sure, however, they are quite lengthy, are you wanting the whole thing? I
apologize, not sure of protocol here.



Re: Questions about Carp / PF / PFSync

2019-02-21 Thread Charles Amstutz
> Charles Amstutz(charl...@binary.net) on 2019.01.30 23:16:17 +:
> > Hello
> >
> > We are running into an issue with a lot of dropped packets where states
> > are failing to be created. We have noticed that it coincides with a fair
> > amount of congestion, around 10-15/s according to 'pfctl -si'.
> >
> > We finally tried disabling our Carp Interfaces (we are using carp for
> > failover) and the problem seems to completely go away. We have 53 carp
> > interfaces on these two boxes and are just looking for some input on what
> > might be causing an issue like this, where having carp interfaces enabled
> > is causing such high congestion.
> >
> > We are running OpenBSD 6.4.
> >
> > Thanks,
> 
> Set sysctl net.inet.carp.log=7 (and activate carp again).
> What does it show (in /var/log/messages)?
> 
> Also, what's the output of
> 
> sysctl net.inet.ip.ifq.drops
> sysctl net.inet6.ip6.ifq.drops
> netstat -m
> pfctl -vsi
> 
> ?
> 
> 
> Hello, here are the results
> 
> /var/log/messages
> 
> With the logging we notice what is typical add entry attempts for arp
> 
> 
> sysctl net.inet.ip.ifq.drops
> 
> net.inet.ip.ifq.drops=0
> 
> sysctl net.inet6.ip6.ifq.drops
> 
> net.inet6.ip6.ifq.drops=0
> 
> netstat -m
> 
> 297 mbufs in use:
> 200 mbufs allocated to data
> 4 mbufs allocated to packet headers
> 93 mbufs allocated to socket names and addresses
> 17/104 mbuf 2048 byte clusters in use (current/peak)
> 99/555 mbuf 2112 byte clusters in use (current/peak)
> 0/40 mbuf 4096 byte clusters in use (current/peak)
> 0/56 mbuf 8192 byte clusters in use (current/peak)
> 0/14 mbuf 9216 byte clusters in use (current/peak)
> 0/30 mbuf 12288 byte clusters in use (current/peak)
> 0/24 mbuf 16384 byte clusters in use (current/peak)
> 0/48 mbuf 65536 byte clusters in use (current/peak)
> 5236/6856/524288 Kbytes allocated to network (current/peak/max)
> 0 requests for memory denied
> 0 requests for memory delayed
> 0 calls to protocol drain routines
> 
> pfctl -vsi
> 
> Status: Enabled for 1 days 20:18:23           Debug: err
> 
> Hostid:   0x30e5b38f
> Checksum: 0x0930fa9e7e5a8c4562c3c5b488715989
> 
> 
> State Table                          Total             Rate
>   current entries                     7400
>   half-open tcp                        136
>   searches                       486306276         3048.9/s
>   inserts                         21891932          137.3/s
>   removals                        21884532          137.2/s
> Source Tracking Table
>   current entries                        0
>   searches                               0            0.0/s
>   inserts                                0            0.0/s
>   removals                               0            0.0/s
> Counters
>   match                           39904360          250.2/s
>   bad-offset                             0            0.0/s
>   fragment                               0            0.0/s
>   short                                  4            0.0/s
>   normalize                              1            0.0/s
>   memory                                 0            0.0/s
>   bad-timestamp                          0            0.0/s
>   congestion                       1777154           11.1/s
>   ip-option                              0            0.0/s
>   proto-cksum                            0            0.0/s
>   state-mismatch                      4185            0.0/s
>   state-insert                           0            0.0/s
>   state-limit                            0            0.0/s
>   src-limit                              0            0.0/s
>   synproxy                               0            0.0/s
>   translate                              0            0.0/s
>   no-route                               0            0.0/s
> Limit Counters
>   max states per rule                    0            0.0/s
>   max-src-states                         0            0.0/s
>   max-src-nodes                          0            0.0/s
>   max-src-conn                           0            0.0/s
>   max-src-conn-rate                      0            0.0/s
>   overload table insertion               0            0.0/s
>   overload flush states                  0            0.0/s
>   synfloods detected                     0            0.0/s
>   syncookies sent                        0            0.0/s
>   syncookies validated                   0            0.0/s
> 
> Adaptive Syncookies Watermarks
>   start                              25000 states
>   end                                12500 states


The actual problem that we are seeing is that OpenBSD is failing to create 
states for some network connections. Has anyone seen anything like this? At 
this point, it may not be a pf problem, but it is constant. 
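As an added example (not code from the thread, OpenBSD or pfctl): a small parser for the `pfctl -vsi` output quoted above that lists the non-zero drop reasons, reports the congestion rate and checks that inserts minus removals matches the current state count. The sample output is constructed from the counters quoted in the thread, with pfctl's column spacing restored.

```python
"""Summarise 'pfctl -vsi' counters: drop reasons, congestion, state churn.

Added example for the thread above; not code from OpenBSD or pfctl. The
sample is constructed from the counters quoted in the thread.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_PFCTL_VSI = """\
Status: Enabled for 1 days 20:18:23           Debug: err

Hostid:   0x30e5b38f
Checksum: 0x0930fa9e7e5a8c4562c3c5b488715989

State Table                          Total             Rate
  current entries                     7400
  half-open tcp                        136
  searches                       486306276         3048.9/s
  inserts                         21891932          137.3/s
  removals                        21884532          137.2/s
Source Tracking Table
  current entries                        0
  searches                               0            0.0/s
Counters
  match                           39904360          250.2/s
  bad-offset                             0            0.0/s
  short                                  4            0.0/s
  normalize                              1            0.0/s
  memory                                 0            0.0/s
  congestion                       1777154           11.1/s
  state-mismatch                      4185            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
Limit Counters
  max states per rule                    0            0.0/s
  overload table insertion               0            0.0/s

Adaptive Syncookies Watermarks
  start                              25000 states
  end                                12500 states
"""

Counter = Tuple[int, Optional[float]]      # (total, per-second rate or None)
Sections = Dict[str, Dict[str, Counter]]

SECTION_HEADERS = ("State Table", "Source Tracking Table", "Counters", "Limit Counters")

# "<name>  <total>  [<rate>/s]": names are words joined by spaces or hyphens and
# never contain digits, so the first integer is the total. "start 25000 states"
# deliberately does not match (trailing word).
COUNTER_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?)\s+(\d+)(?:\s+(\d+\.\d+)/s)?\s*$")


def parse_pfctl_vsi(text: str) -> Sections:
    """Return {section: {counter name: (total, rate)}} for the tabular sections."""
    sections: Sections = {}
    current: Optional[str] = None
    for line in text.splitlines():
        stripped = line.strip()
        header = next((h for h in SECTION_HEADERS if stripped.startswith(h)), None)
        if header is not None:
            current = header
            sections.setdefault(current, {})
            continue
        match = COUNTER_LINE.match(line)
        if match is None or current is None:
            continue            # Status/Hostid/Checksum lines, blanks, watermarks
        name, total, rate = match.group(1), int(match.group(2)), match.group(3)
        sections[current][name] = (total, float(rate) if rate is not None else None)
    return sections


def drop_reasons(sections: Sections) -> List[Tuple[str, int]]:
    """Non-zero Counters entries other than 'match' (each is a reason pf dropped)."""
    counters = sections.get("Counters", {})
    reasons = [(name, total) for name, (total, _) in counters.items()
               if name != "match" and total > 0]
    return sorted(reasons, key=lambda item: item[1], reverse=True)


def congestion_rate(sections: Sections) -> float:
    """Packets per second currently dropped with reason 'congestion' (0.0 if none)."""
    _, rate = sections.get("Counters", {}).get("congestion", (0, None))
    return rate or 0.0


def state_churn(sections: Sections) -> Tuple[int, Optional[float]]:
    """(inserts - removals, insert rate); the difference should equal current entries."""
    table = sections["State Table"]
    return table["inserts"][0] - table["removals"][0], table["inserts"][1]


if __name__ == "__main__":
    parsed = parse_pfctl_vsi(SAMPLE_PFCTL_VSI)
    print("drop reasons:", drop_reasons(parsed))
    print("congestion: %.1f packets/s" % congestion_rate(parsed))
    print("states inserted - removed, insert rate:", state_churn(parsed))
```

On the sample, congestion is the only drop reason with a non-zero rate while memory, state-limit and state-insert stay at zero, which is what separates a congestion problem from a state-table limit.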



Re: Questions about Carp / PF / PFSync

2019-02-08 Thread Charles Amstutz


Charles Amstutz(charl...@binary.net) on 2019.01.30 23:16:17 +:
> Hello
> 
> We are running into an issue with a lot of dropped packets where states are 
> failing to be created. We have noticed that it coincides with a fair amount 
> of congestion, around 10-15/s according to 'pfctl -si'.
> 
> We finally tried disabling our Carp Interfaces (we are using carp for 
> failover) and the problem seems to completely go away. We have 53 carp 
> interfaces on these two boxes and are just looking for some input on what 
> might be causing an issue like this, where having carp interfaces enabled is 
> causing such high congestion.
> 
> We are running OpenBSD 6.4.
> 
> Thanks,

Set sysctl net.inet.carp.log=7 (and activate carp again).
What does it show (in /var/log/messages)?

Also, what's the output of

sysctl net.inet.ip.ifq.drops
sysctl net.inet6.ip6.ifq.drops
netstat -m
pfctl -vsi

?


Hello, here are the results

/var/log/messages

With the logging we notice what is typical add entry attempts for arp


sysctl net.inet.ip.ifq.drops

net.inet.ip.ifq.drops=0

sysctl net.inet6.ip6.ifq.drops

net.inet6.ip6.ifq.drops=0

netstat -m

297 mbufs in use:
200 mbufs allocated to data
4 mbufs allocated to packet headers
93 mbufs allocated to socket names and addresses
17/104 mbuf 2048 byte clusters in use (current/peak)
99/555 mbuf 2112 byte clusters in use (current/peak)
0/40 mbuf 4096 byte clusters in use (current/peak)
0/56 mbuf 8192 byte clusters in use (current/peak)
0/14 mbuf 9216 byte clusters in use (current/peak)
0/30 mbuf 12288 byte clusters in use (current/peak)
0/24 mbuf 16384 byte clusters in use (current/peak)
0/48 mbuf 65536 byte clusters in use (current/peak)
5236/6856/524288 Kbytes allocated to network (current/peak/max)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

pfctl -vsi

Status: Enabled for 1 days 20:18:23           Debug: err

Hostid:   0x30e5b38f
Checksum: 0x0930fa9e7e5a8c4562c3c5b488715989


State Table                          Total             Rate
  current entries                     7400
  half-open tcp                        136
  searches                       486306276         3048.9/s
  inserts                         21891932          137.3/s
  removals                        21884532          137.2/s
Source Tracking Table
  current entries                        0
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                           39904360          250.2/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  4            0.0/s
  normalize                              1            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                       1777154           11.1/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                      4185            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  translate                              0            0.0/s
  no-route                               0            0.0/s
Limit Counters
  max states per rule                    0            0.0/s
  max-src-states                         0            0.0/s
  max-src-nodes                          0            0.0/s
  max-src-conn                           0            0.0/s
  max-src-conn-rate                      0            0.0/s
  overload table insertion               0            0.0/s
  overload flush states                  0            0.0/s
  synfloods detected                     0            0.0/s
  syncookies sent                        0            0.0/s
  syncookies validated                   0            0.0/s

Adaptive Syncookies Watermarks
  start                              25000 states
  end                                12500 states



Re: Questions about Carp / PF / PFSync

2019-02-01 Thread Charles Amstutz
Charles Amstutz(charl...@binary.net) on 2019.01.30 23:16:17 +:
> Hello
> 
> We are running into an issue with a lot of dropped packets where states are 
> failing to be created. We have noticed that it coincides with a fair amount 
> of congestion, around 10-15/s according to 'pfctl -si'.
> 
> We finally tried disabling our Carp Interfaces (we are using carp for 
> failover) and the problem seems to completely go away. We have 53 carp 
> interfaces on these two boxes and are just looking for some input on what 
> might be causing an issue like this, where having carp interfaces enabled is 
> causing such high congestion.
> 
> We are running OpenBSD 6.4.
> 
> Thanks,

Set sysctl net.inet.carp.log=7 (and activate carp again).
What does it show (in /var/log/messages)?

Also, what's the output of

sysctl net.inet.ip.ifq.drops
sysctl net.inet6.ip6.ifq.drops
netstat -m
pfctl -vsi

?


/var/log/messages

With the logging we notice what is typical add entry attempts for arp


sysctl net.inet.ip.ifq.drops

net.inet.ip.ifq.drops=0

sysctl net.inet6.ip6.ifq.drops

net.inet6.ip6.ifq.drops=0

netstat -m

297 mbufs in use:
200 mbufs allocated to data
4 mbufs allocated to packet headers
93 mbufs allocated to socket names and addresses
17/104 mbuf 2048 byte clusters in use (current/peak)
99/555 mbuf 2112 byte clusters in use (current/peak)
0/40 mbuf 4096 byte clusters in use (current/peak)
0/56 mbuf 8192 byte clusters in use (current/peak)
0/14 mbuf 9216 byte clusters in use (current/peak)
0/30 mbuf 12288 byte clusters in use (current/peak)
0/24 mbuf 16384 byte clusters in use (current/peak)
0/48 mbuf 65536 byte clusters in use (current/peak)
5236/6856/524288 Kbytes allocated to network (current/peak/max)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

pfctl -vsi

Status: Enabled for 1 days 20:18:23           Debug: err

Hostid:   0x30e5b38f
Checksum: 0x0930fa9e7e5a8c4562c3c5b488715989


State Table                          Total             Rate
  current entries                     7400
  half-open tcp                        136
  searches                       486306276         3048.9/s
  inserts                         21891932          137.3/s
  removals                        21884532          137.2/s
Source Tracking Table
  current entries                        0
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                           39904360          250.2/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  4            0.0/s
  normalize                              1            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                       1777154           11.1/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                      4185            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  translate                              0            0.0/s
  no-route                               0            0.0/s
Limit Counters
  max states per rule                    0            0.0/s
  max-src-states                         0            0.0/s
  max-src-nodes                          0            0.0/s
  max-src-conn                           0            0.0/s
  max-src-conn-rate                      0            0.0/s
  overload table insertion               0            0.0/s
  overload flush states                  0            0.0/s
  synfloods detected                     0            0.0/s
  syncookies sent                        0            0.0/s
  syncookies validated                   0            0.0/s

Adaptive Syncookies Watermarks
  start                              25000 states
  end                                12500 states



Questions about Carp / PF / PFSync

2019-01-31 Thread Charles Amstutz
Hello

We are running into an issue with a lot of dropped packets where states are 
failing to be created. We have noticed that it coincides with a fair amount of 
congestion, around 10-15/s according to 'pfctl -si'.

We finally tried disabling our Carp Interfaces (we are using carp for failover) 
and the problem seems to completely go away. We have 53 carp interfaces on 
these two boxes and are just looking for some input on what might be causing an 
issue like this, where having carp interfaces enabled is causing such high 
congestion.

We are running OpenBSD 6.4.

Thanks,


calmwm mouse stuck inside of window

2018-12-19 Thread Charles A Daniels
A slight issue I've noticed with calmwm (under OpenBSD 6.4) is that the
mouse can occasionally get "stuck" inside of a window, and can't be
moved out of it. This most often seems to occur with modal dialogs (in
particular, most of the configuration dialogs for graphics/ipe exhibit
this behavior, but I've seen it occur in other programs as well). The
specific symptom seems to be that moving the mouse beyond the edge of an
affected window causes it to "teleport" back to the exact center of the
window. Also, affected windows cannot be lowered by using the window-
cycle binding, as they immediately re-capture focus. However, the menu-
window binding can be used to search for another window and raise it,
and lowering the entire group of the affected window allows it to be
switched away from.

I'm not sure if this is a bug or intended behavior, but if it is the
latter I feel there should be a config flag to disable it (I would be
willing to do the legwork if someone knowledgeable with CWM can guide
me).

I believe the issue lies in client.c in the fragments noted below, as
this is the only place that the mouse position seems to be modified.
That said, my xlib skills are not very good, and I haven't worked with
the CWM codebase before.

~ Charles

...
struct client_ctx *
client_init(Window win, struct screen_ctx *sc, int active)
{
...
        if (wattr.map_state != IsViewable) {
                /* window is not mapped yet: decide where it will be placed */
                client_placecalc(cc);
...
static void
client_placecalc(struct client_ctx *cc)
{
...
        if (cc->hint.flags & (USPosition | PPosition)) {
                /* the program supplied a position; only keep it on screen */
                if (cc->geom.x >= sc->view.w)
                        cc->geom.x = sc->view.w - cc->bwidth - 1;
                if (cc->geom.x + cc->geom.w + cc->bwidth <= 0)
                        cc->geom.x = -(cc->geom.w + cc->bwidth - 1);
                if (cc->geom.y >= sc->view.h)
                        cc->geom.x = sc->view.h - cc->bwidth - 1;
                if (cc->geom.y + cc->geom.h + cc->bwidth <= 0)
                        cc->geom.y = -(cc->geom.h + cc->bwidth - 1);
        } else {
                /*
                 * no position hint: centre the window on the current
                 * pointer position, then clamp it to the screen area
                 * the pointer is on
                 */
                struct geom      area;
                int              xmouse, ymouse;

                xu_ptr_getpos(sc->rootwin, &xmouse, &ymouse);
                area = screen_area(sc, xmouse, ymouse, CWM_GAP);
                area.w += area.x;
                area.h += area.y;
                xmouse = MAX(xmouse, area.x) - cc->geom.w / 2;
                ymouse = MAX(ymouse, area.y) - cc->geom.h / 2;

                xmouse = MAX(xmouse, area.x);
                ymouse = MAX(ymouse, area.y);

                /* how far the window can go before it overflows the area */
                xslack = area.w - cc->geom.w - cc->bwidth * 2;
                yslack = area.h - cc->geom.h - cc->bwidth * 2;

                if (xslack >= area.x) {
                        cc->geom.x = MAX(MIN(xmouse, xslack), area.x);
                } else {
                        /* window is wider than the area: pin and shrink it */
                        cc->geom.x = area.x;
                        cc->geom.w = area.w;
                }
                if (yslack >= area.y) {
                        cc->geom.y = MAX(MIN(ymouse, yslack), area.y);
                } else {
                        cc->geom.y = area.y;
                        cc->geom.h = area.h;
                }
        }
...



Re: Thinkpad T430 random power off while sleeping

2018-12-07 Thread Charles A Daniels
> I have a similar issue with the X220, the problem is a watchdog timer,
> that I suspect is in the Intel ME.  It expires without being reset and
> forces the machine to restart.  Or at least that is the cause of that
> happening on my X230's.  I've ripped a few of them apart and analyzed
> their guts and found only the CPU and a few other chips are active
> during suspend.  I've probed all the buses of those other chips and none
> make a peep when the machine reboots, the only chip left active is the
> Intel ME chunk of the CPU, and for obvious reasons, I have no idea what
> it is doing, so I suspect it is the culprit.

I think there is at least some aspect of software at play here however.
I did not experience these issues while running Debian 9 on the
machine. It could be that Linux uses some horrible hack to make suspend
work reliably, but it does nevertheless work.


> I gave up on the work a few months ago since it seemed easier to just
> accept that suspend isn't going to work and just use suspend-to-disk or
> just shut the machine down completely.

I had intended to use suspend-to-disk with this machine, but I found
that applications that use hardware acceleration (namely Firefox) do
not function after resuming from suspend to disk. The specific symptom
is that the application's window is just black with no visible
contents. Restarting it does nothing. This is very likely a problem
with inteldrm. Disabling hardware acceleration in FF fixes the problem,
but makes it almost unusably slow.


> If you want to do more, and have access to a Windows machine, you can
> try pulling apart the Lenovo drivers to see what the Lenovo-specific
> ACPI driver is doing when the machine goes into suspend.

I don't, but I had planned to throw Windows on a spare disk and see if
updating the firmware / BIOS / playing with the proprietary driver
helps or yields any useful information.

... Maybe I should look at running coreboot on the T430, since it's
supported now.

Thanks for your detailed response!



Thinkpad T430 random power off while sleeping

2018-12-04 Thread Charles A Daniels
Closing the lid on the T430 causes OpenBSD to suspend, as per my
setting for machdep.lidaction=1. This usually works as expected, but
occasionally I take my laptop out of my bag to find it sitting on the
xenodm login screen, not suspended, with the lid closed, having lost
power and rebooted at some point after being suspended.

I would like to collect further information so a bug report can be
filed, but I feel that the above description alone is insufficient to
constitute a useful bug report. To that end, I would like to solicit
advice on what information can be collected and what debugging steps
can be taken so that I can write a useful bug report.

I'm running the 6.4 release, and I have run fw_update and syspatch
periodically since install.

I previously asked for help on r/openbsd[1], but still have not been
able to either resolve the problem or gather sufficient information for
a bug report.

~ Charles

1 -
https://old.reddit.com/r/openbsd/comments/9v0u4w/t430_wakes_from_suspend_with_lid_closed/



OpenBSD/landisk on J-core/J2 based systems?

2018-12-03 Thread Charles A Daniels

I'm curious to know if anyone involved with OpenBSD/landisk has any
comments on J-core[1]? It claims to implement SuperH and the capability
to boot Linux on an FPGA.

To that end, has anyone tried booting OpenBSD/landisk on a J2 based
system?

One of my hobbies is obscure architectures, and OpenBSD/landisk seemed
like an interesting one; I stumbled across J-core while researching for
background on the SH-4 CPU. It seems like targeting (relatively) readily
available FPGA development boards would make SuperH compatible systems
much more accessible to those interested in the landisk port.

1 - http://j-core.org/



Re: ThinkPad X220 Trackpoint Pointer Wheel Emulation Issues

2018-10-21 Thread Charles Daniels

> The jumping up and down vertically should have been fixed via this
> commit from @bru:
> https://github.com/openbsd/xenocara/commit/a011f4db8a6b02f5b298f8b631330764f40aa037


Confirming that installing the new 6.4 release (which includes the
linked patch) fixes the issue.

For the sake of future Googlers or archive readers, this is all that
was required for me to get pointer wheel emulation working as it
should on the Thinkpad X220 under OpenBSD 6.4:

    xinput set-prop /dev/wsmouse "WS Pointer Wheel Emulation" 1
    xinput set-prop /dev/wsmouse "WS Pointer Wheel Emulation Button" 2

Thank you Jake and Matthias for your help!


Charles



ThinkPad X220 Trackpoint Pointer Wheel Emulation Issues

2018-10-16 Thread Charles Daniels

First off, I'm new around here, so my apologies in advance if this is
the wrong list or I've formatted something incorrectly.

I've recently installed OpenBSD 6.3 on my Thinkpad X220. I'm happy to
report that almost everything seems to work the way it should
(suspend/resume, wireless, volume controls, etc.). However, I've been
having some difficulty with the TrackPoint.

The TrackPoint works fine as a pointing device, however the "WS
Pointer Wheel Emulation" emulation feature is not working. For those
unfamiliar, this allows the middle mouse button to be held down, and
while it is held, the TrackPoint can be used to scroll vertically or
horizontally.

After conducting some research, I have written the following script to
set the appropriate xinput properties to properly enable the pointer
wheel emulation functionality:

    #!/bin/sh

    xinput set-prop /dev/wsmouse "WS Pointer Wheel Emulation" 1
    xinput set-prop /dev/wsmouse "WS Pointer Wheel Emulation Button" 2
    xinput set-prop /dev/wsmouse "WS Pointer Wheel Emulation Axes" 6 7 4 5
    xinput set-prop /dev/wsmouse "WS Pointer Wheel Emulation Timeout" 500
    xinput set-prop /dev/wsmouse "WS Pointer Wheel Emulation Inertia" 20

I have tried many different variations on the input parameters.
One interesting behavior I have discovered is that if I set the
emulation axes to "4 5 0 0" then I can scroll up and down by moving
the track point left or right by holding the middle mouse button.
However, when I use "6 7 4 5" or "0 0 4 5", the up and down scrolling
generally does not work at all (occasionally jumping in the direction
the trackpoint was pushed).

I have spent several days troubleshooting this issue and haven't had
any luck. I think this may be a bug, but I wanted to see if anyone
else had similar issues and knew of a solution before submitting a bug
report. I am under the impression that this list does not permit
attachments, so I will refrain from attaching the full output of dmesg
and other long logs, but I will include the output of some
commands that I think might be relevant.

Finally, I tried digging into some of the source code for Xenocara and
the wsmouse driver. Unfortunately, my knowledge of OpenBSD and Xorg is
insufficient to draw any useful conclusions. However, I think the
following files may be relevant / a good starting point for someone
more knowledgeable than I:

* xenocara/driver/xf86-input-ws/include/ws-properties.h
* xenocara/driver/xf86-input-ws/src/emuwheel.c

I would really appreciate any suggestions to troubleshoot further.

Charles


### possibly relevant output follows

nessus$ dmesg | grep -i mouse
wsmouse0 at pms0 mux 0
nessus$ dmesg | grep -i ws
wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
wsmouse0 at pms0 mux 0
nessus$ xinput
⎡ Virtual core pointer                    id=2    [master pointer  (3)]
⎜   ↳ Virtual core XTEST pointer          id=4    [slave  pointer  (2)]
⎜   ↳ /dev/wsmouse                        id=7    [slave  pointer  (2)]
⎣ Virtual core keyboard                   id=3    [master keyboard (2)]
    ↳ Virtual core XTEST keyboard         id=5    [slave  keyboard (3)]
    ↳ /dev/wskbd                          id=6    [slave  keyboard (3)]

nessus$ xinput list-props /dev/wsmouse
Device '/dev/wsmouse':
    Device Enabled (140):   1
    Coordinate Transformation Matrix (141): 1.00, 0.00, 0.00, 0.00, 1.00, 0.00, 0.00, 0.00, 1.00

    Device Accel Profile (253): 0
    Device Accel Constant Deceleration (254):   1.00
    Device Accel Adaptive Deceleration (255):   1.00
    Device Accel Velocity Scaling (256):    10.00
    WS Pointer Middle Button Emulation (257):   2
    WS Pointer Middle Button Timeout (258): 50
    WS Pointer Wheel Emulation (259):   1
    WS Pointer Wheel Emulation Axes (260):  4, 5, 0, 0
    WS Pointer Wheel Emulation Inertia (261):   20
    WS Pointer Wheel Emulation Timeout (262):   500
    WS Pointer Wheel Emulation Button (263):    2
nessus$ cat /etc/X11/xorg.conf
nessus$ X -version

X.Org X Server 1.19.6
Release Date: 2017-12-20
X Protocol Version 11, Revision 0
Build Operating System: OpenBSD 6.3 amd64
Current Operating System: OpenBSD nessus.domain_redacted 6.3 GENERIC.MP#107 amd64

Build Date: 24 March 2018  02:38:24PM

Current version of pixman: 0.34.0
    Before reporting problems, check http://wiki.x.org
    to make sure that you have the latest version.




Re: LACP problem [SOLVED]

2017-10-08 Thread Charles Lecklider
Just in case someone has the same problem and finds this thread, the
solution was to reboot the switch.

That was it - no other changes required.



Re: l2tp and openbsd 6.1

2017-10-06 Thread Charles Amstutz
Should've also mentioned this oddity:

So, if the firewall rules are uncommented (where I get the below error)

no IP address found for pppx:network
/etc/pf.conf:102: could not parse host specification
no IP address found for pppx:network
/etc/pf.conf:103: could not parse host specification
no IP address found for pppx:network
/etc/pf.conf:106: could not parse host specification


And reboot, I can't connect. However, if I comment out those lines and then 
save/reload then uncomment,  I can connect just fine.




-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of 
Charles Amstutz
Sent: Friday, October 6, 2017 10:04 AM
To: 'misc@openbsd.org' <misc@openbsd.org>
Subject: Re: l2tp and openbsd 6.1

Hello Noth,


"Try pppx instead of pppx0, it'll work in pf.conf, including as a macro."

I did!! I found another article that talked about the group.  After reading 
this: 
http://frankgroeneveld.nl/2015/08/16/configuring-l2tp-over-ipsec-on-openbsd-for-mac-os-x-clients/

However,  I still get this error if I try to reload the firewall and no vpn 
client is established (thus the pppx group or pppx0 interface doesn't exist 
yet)... this is the same if I use pppx or pppx0


no IP address found for pppx:network
/etc/pf.conf:102: could not parse host specification
no IP address found for pppx:network
/etc/pf.conf:103: could not parse host specification
no IP address found for pppx:network
/etc/pf.conf:106: could not parse host specification

If I remove :network,  the same errors:

no IP address found for pppx
/etc/pf.conf:102: could not parse host specification
no IP address found for pppx
/etc/pf.conf:103: could not parse host specification
no IP address found for pppx
/etc/pf.conf:106: could not parse host specification


However,  if I comment out those lines, connect, then uncomment out the lines, 
things work as they should (it appears)

It also seems as if I can't connect if I have those lines uncommented after a 
reboot.

Many strange things.  

Thanks for the help everyone, I'm going to continue to research. 


Re: l2tp and openbsd 6.1

2017-10-06 Thread Charles Amstutz
Hello Noth,


"Try pppx instead of pppx0, it'll work in pf.conf, including as a macro."

I did!! I found another article that talked about the group.  After reading 
this: 
http://frankgroeneveld.nl/2015/08/16/configuring-l2tp-over-ipsec-on-openbsd-for-mac-os-x-clients/

However,  I still get this error if I try to reload the firewall and no vpn 
client is established (thus the pppx group or pppx0 interface doesn't exist 
yet)... this is the same if I use pppx or pppx0


no IP address found for pppx:network
/etc/pf.conf:102: could not parse host specification
no IP address found for pppx:network
/etc/pf.conf:103: could not parse host specification
no IP address found for pppx:network
/etc/pf.conf:106: could not parse host specification

If I remove :network,  the same errors:

no IP address found for pppx
/etc/pf.conf:102: could not parse host specification
no IP address found for pppx
/etc/pf.conf:103: could not parse host specification
no IP address found for pppx
/etc/pf.conf:106: could not parse host specification


However,  if I comment out those lines, connect, then uncomment out the lines, 
things work as they should (it appears)

It also seems as if I can't connect if I have those lines uncommented after a 
reboot.

Many strange things.  

Thanks for the help everyone, I'm going to continue to research. 


Re: l2tp and openbsd 6.1

2017-10-05 Thread Charles Amstutz
This works as well:

Pass in quick on pppx0
Pass out quick on pppx0


This doesn't work:

Pass in quick on pppx0 from pppx0

as it complains there is no IP. Assigning pppx0 to a variable doesn't work
either. Neither does setting it to be dynamic.


-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of 
Charles Amstutz
Sent: Thursday, October 5, 2017 10:44 AM
To: 'misc@openbsd.org' <misc@openbsd.org>
Subject: Re: l2tp and openbsd 6.1

Here is a related but new question,


If pppx0 only exists when someone is vpn'ed in.  How do people handle this in 
pf?  If you don't define rules, packets get blocked on it. But if there is no 
connect, pf complains about pppx0 not having a firewall. 

The only thing that seems to work is set skip on pppx0. But then no rules 
process on it. 


Has anyone run into this? How did you handle it.
 




Re: l2tp and openbsd 6.1

2017-10-05 Thread Charles Amstutz
Here is a related but new question,


If pppx0 only exists when someone is vpn'ed in.  How do people handle this in 
pf?  If you don't define rules, packets get blocked on it. But if there is no 
connect, pf complains about pppx0 not having a firewall. 

The only thing that seems to work is set skip on pppx0. But then no rules 
process on it. 


Has anyone run into this? How did you handle it.
 




Re: l2tp and openbsd 6.1

2017-10-04 Thread Charles Amstutz
Yes,

I would like to know this as well, it seems annoying that Android 8/4.x  and 
IOS can connect, but not windows 10 (I haven't tried earlier windows 10)  and 
android 7.

It's either a user error (which I am willing to admit) or something very 
annoying. Especially when my l2tp PSK windows server can accept connections 
from anything it seems. 

I would like to get this figured out. 

I appreciate all of the suggestions, but I still can't get android 7 to 
connect, no matter which encryption, authentication or modp I use.

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of 
lilit-aibolit
Sent: Wednesday, October 4, 2017 2:46 AM
To: misc@openbsd.org
Cc: Charles Amstutz <charl...@infinitesys.com>; yasu...@yasuoka.net
Subject: Re: l2tp and openbsd 6.1

Hi,
with l2tp I have situation when iOS  and Android devices could connect but 
Windows 7 and Windows 10 couldn't.

Is it possible to adjust ipsec.conf somehow so it could accept connection from 
Windows clients too?
Or is there a way to adjust some settings in Windows so it will work with 
current ipsec.conf?

I also noticed that I have to add pass rule for tun0 to PF explicitly:
- pass on tun0 all
instead of having just:
- set skip on  { lo0, tun0 }

Here is ipsec.conf:

ike passive esp transport \
    proto udp from a.b.x.y to any port 1701 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes \
    psk "password"

Here is npppd.conf:
authentication LOCAL type local {
     users-file "/etc/npppd/npppd-users"
}
tunnel L2TP protocol l2tp {
     listen on x.x.y.y
}
ipcp IPCP {
     pool-address 192.168.222.2-192.168.222.254
     dns-servers 192.168.a.b
}
interface tun0 address 192.168.222.1 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to tun0

Log from Android:

Oct  2 16:22:39 gw npppd[10826]: l2tpd ctrl=4 logtype=Started RecvSCCRQ from=192.38.129.182:41634/udp tunnel_id=4/4667 protocol=1.0 winsize=1 hostname=anonymous vendor=(no vendorname) firm=
Oct  2 16:22:40 gw npppd[10826]: l2tpd ctrl=4 call=7962 logtype=PPPBind ppp=3
Oct  2 16:22:41 gw npppd[10826]: ppp id=3 layer=base logtype=TUNNELSTART user="xxx" duration=1sec layer2=L2TP layer2from=192.38.129.182:41634 auth=MS-CHAP-V2  ip=192.168.222.110 iface=tun0
Oct  2 16:22:41 gw /bsd: pipex: ppp=3 iface=tun0 protocol=L2TP id=7962 PIPEX is ready.
Oct  2 16:22:41 gw npppd[10826]: ppp id=3 layer=base Using pipex=yes

Log from IPhone6s:

Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_512, expected SHA
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Oct  2 16:13:14 gw npppd[10826]: l2tpd ctrl=3 logtype=Started RecvSCCRQ from=192.38.129.182:65367/udp tunnel_id=3/7 protocol=1.0 winsize=4 hostname=xxx-iPhone vendor=(no vendorname) firm=
Oct  2 16:13:14 gw npppd[10826]: l2tpd ctrl=3 call=11161 logtype=PPPBind ppp=2
Oct  2 16:13:18 gw npppd[10826]: ppp id=2 layer=base logtype=TUNNELSTART user="xxx" duration=4sec layer2=L2TP layer2from=192.38.129.182:65367 auth=MS-CHAP-V2  ip=192.168.222.110 iface=tun0
Oct  2 16:13:18 gw /bsd: pipex: ppp=2 iface=tun0 protocol=L2TP id=11161 PIPEX is ready.
Oct  2 16:13:18 gw npppd[10826]: ppp id=2 layer=base Using pipex=yes

Log from IPhone4s:

Oct  2 15:55:55 gw npppd[10826]: l2tpd ctrl=1 logtype=Started RecvSCCRQ from=37.73.241.124:59028/udp tunnel_id=1/15 protocol=1.0 winsize=4 hostname=xxx vendor=(no vendorname) firm=
Oct  2 15:55:55 gw npppd[10826]: l2tpd ctrl=1 call=5660 logtype=PPPBind ppp=0
Oct  2 15:55:58 gw npppd[10826]: ppp id=0 layer=base logtype=TUNNELSTART user="xxx" duration=3sec layer2=L2TP layer2from=37.73.241.124:59028 auth=MS-CHAP-V2  ip=192.168.222.101 iface=tun0
Oct  2 15:55:58 gw npppd[10826]: ppp id=0 layer=base Using pipex=yes
Oct  2 15:55:58 gw /bsd: pipex: ppp=0 iface=tun0 protocol=L2TP id=5660 PIPEX is ready.

And unsuccessful connection from Win7:

Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES
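Reading the isakmpd lines above: each attribute_unacceptable is one transform the client offered that ipsec.conf does not allow, and the iPhone logs show such refusals followed by a TUNNELSTART, so a refusal is only fatal when none of the client's offers matched. The following is an added example, not code from the thread or from OpenBSD: a small triage script over the quoted log lines (transcribed; the regexes assume the isakmpd and npppd message formats shown above).

```python
"""Triage IKE proposal rejections for an L2TP/IPsec client that fails to connect.

Added example; not code from the thread or from OpenBSD. The sample log
lines are transcribed from the excerpts quoted above (hostnames, PIDs and
addresses are the thread's own).
"""
import re
from typing import Dict, List, Tuple

# isakmpd logs one line per transform attribute it refuses during IKE phase 1.
REJECT_RE = re.compile(
    r"isakmpd\[\d+\]: attribute_unacceptable: "
    r"(?P<attr>[A-Z_]+): got (?P<got>\S+), expected (?P<expected>\S+)"
)
# npppd logs TUNNELSTART once the PPP session inside the tunnel is up, which
# only happens after both IPsec and L2TP succeeded.
TUNNEL_RE = re.compile(r"npppd\[\d+\]: ppp id=\d+ layer=base logtype=TUNNELSTART")


def parse_rejections(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (attribute, client_offered, server_expected) per rejection line.

    A line cut off mid-attribute (like the last Win7 line above) simply does
    not match the pattern and is skipped rather than mis-parsed.
    """
    found = []
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            found.append((m["attr"], m["got"], m["expected"]))
    return found


def triage(lines: List[str]) -> Dict[str, object]:
    """Decide whether the logged rejections explain a failed connection."""
    rejections = parse_rejections(lines)
    started = any(TUNNEL_RE.search(line) for line in lines)
    refused: Dict[str, set] = {}   # attribute -> values the client offered and we refused
    expects: Dict[str, str] = {}   # attribute -> what ipsec.conf currently accepts
    for attr, got, expected in rejections:
        refused.setdefault(attr, set()).add(got)
        expects[attr] = expected
    if started:
        verdict = ("connected: a later proposal matched ipsec.conf, so the "
                   "attribute_unacceptable lines are noise from the client's "
                   "earlier offers")
    elif rejections:
        gaps = ", ".join(f"{a}={'/'.join(sorted(v))}" for a, v in sorted(refused.items()))
        verdict = (f"failed in IKE: every logged offer was refused ({gaps}); "
                   "either the client must offer what ipsec.conf expects, or "
                   "ipsec.conf must accept one of these (3DES and modp1024 are "
                   "legacy choices, so that is a policy decision)")
    else:
        verdict = "no IKE rejections logged: look at pf, npppd/L2TP or the PSK instead"
    return {"tunnel_started": started, "refused": refused,
            "server_expects": expects, "verdict": verdict}


# Constructed samples, transcribed from the thread's log excerpts.
WIN7_LOG = [
    "Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024",
    "Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC",
    "Oct  4 10:12:37 gw isakmpd[24211]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES",
]

# Subset of the iPhone 6s excerpt: refusals, then the tunnel comes up anyway.
IPHONE6S_LOG = [
    "Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA",
    "Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024",
    "Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA",
    "Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_512, expected SHA",
    "Oct  2 16:13:13 gw isakmpd[24211]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024",
    "Oct  2 16:13:14 gw npppd[10826]: l2tpd ctrl=3 logtype=Started RecvSCCRQ from=192.38.129.182:65367/udp tunnel_id=3/7 protocol=1.0 winsize=4 hostname=xxx-iPhone vendor=(no vendorname) firm=",
    'Oct  2 16:13:18 gw npppd[10826]: ppp id=2 layer=base logtype=TUNNELSTART user="xxx" duration=4sec layer2=L2TP layer2from=192.38.129.182:65367 auth=MS-CHAP-V2  ip=192.168.222.110 iface=tun0',
]


if __name__ == "__main__":
    for name, log in (("Win7", WIN7_LOG), ("iPhone 6s", IPHONE6S_LOG)):
        print(f"{name}: {triage(log)['verdict']}")
```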

Re: l2tp and openbsd 6.1

2017-10-02 Thread Charles Amstutz
Hello Sterling,

Thanks for the response. I changed it to 

ike passive esp transport \
   proto udp from $public_ip to any port 1701 \
   main auth "hmac-sha1" enc "aes-256" group modp1024\
   quick auth "hmac-sha1" enc "aes-256" \
   PSK "PSK-GOES-HERE"

and still no luck. I found out that Android 8 will connect (using aes).   I am 
dumping pflog0 and seeing no blocks. However, that doesn't mean it still isn't 
a potential pf problem I guess. However, if IOS and android 8 would connect, I 
would think that would rule a pf problem? 

Is there a way to turn on additional debugging?  I'm using isakmpd -K in 
rc.conf.local, so not using isakmpd.policy/.conf  (from my understanding) 
Everything in /var/log/messages is just from npppd. Unless I'm reading it 
wrong, there doesn't appear to be any errors. 



-Original Message-
From: Sterling Archer [mailto:deb...@gmail.com] 
Sent: Monday, October 2, 2017 5:35 PM
To: Charles Amstutz <charl...@infinitesys.com>
Cc: misc@openbsd.org
Subject: Re: l2tp and openbsd 6.1

On Mon, Oct 2, 2017 at 10:03 PM, Charles Amstutz <charl...@infinitesys.com> 
wrote:
> Hello everyone,
>
> I'm new to this list and l2tp/openbsd (but do have working UNIX/Linux 
> knowledge).  After searching the previous forum posts (and the internet) I 
> have found a lot of information on l2tp ipsec.conf connection strings. 
> However, I can't get android to connect. I keep getting IKE negotiation 
> failed errors.
>
> I've looked at sites such as:
>
> http://bluepilltech.blogspot.com/2017/02/openbsd-l2tp-over-ipsec-android-601-ios.html
> https://www.authbsd.com/blog/?p=20
> http://daemonforums.org/showthread.php?t=10326
> https://rzemieniecki.wordpress.com/2014/05/28/debugging-ipsec-on-openbsd-invalid_cookie/
> https://man.openbsd.org/npppd.conf.5
> https://blog.gordonturner.com/2016/12/10/openbsd-6-0-vpn-endpoint-for-ios-and-osx/
> https://marc.info/?l=openbsd-misc=145922338026396=2
> https://marc.info/?l=openbsd-misc=145614573528471=2
> https://www.mail-archive.com/misc@openbsd.org/msg145747.html
> ... etc
>
>
> I can get IOS to connect, but I can't get android 7 to connect.  I've 
> read that android has bugs with the vpn client in 6.x and 7.x (not 
> sure if it is fixed in 8 or not). However, what is confusing is it 
> connects just fine to my windows l2tp server.  Bug tracker: 
> https://issuetracker.google.com/issues/37074640#c35
>
>
> My goal: Setup openbsd to work with IOS/android/windows/whatever.
>
> My questions.
>
>
> 1)  Can you have more than one ike line in ipsec.conf? from my 
> presumption of looking at sites on the internet, you can, however, I am not 
> sure.
>
> https://www.authbsd.com/blog/?p=20 makes it seem like you can, unless 
> it is just two examples
>
>
> 2)  Every time I read a site that says, "this configuration worked for me 
> on android", it doesn't work for me. I presume it is my lack of 
> understanding, though, I'm not ruling out the possible android bug.
>
>
> I appreciate any help.
>
>
>
> Here is my ipsec.conf (this allows IOS to connect)
>
> public_ip = "x.x.x.x"
>
>
>
> ike passive esp transport \
>
>   proto udp from $public_ip to any port 1701 \
>
>   main auth "hmac-sha1" enc "aes" group modp1024\
>
>   quick auth "hmac-sha1" enc "aes" \
>
>   psk "PSK-GOES-HERE"
>
> Here is my npppd.conf
>
>
>
> authentication LOCAL type local {
>
> users-file "/etc/npppd/npppd-users"
>
> }
>
>
>
> tunnel L2TP protocol l2tp {
>
> listen on 0.0.0.0
>
> listen on ::
>
> }
>
>
>
> ipcp IPCP {
>
> pool-address 10.0.0.101-10.0.0.254
>
> dns-servers x.x.x.x
>
> }
>
>
>
> # use pppx(4) interface.  use an interface per a ppp session.
>
> interface pppx0 address 10.0.0.1 ipcp IPCP
>
> bind tunnel from L2TP authenticated by LOCAL to pppx0

I'm able to connect using a similar setup, but using aes-256 instead of aes as 
encoding in ipsec.conf.

--
:wq!



l2tp and openbsd 6.1

2017-10-02 Thread Charles Amstutz
Hello everyone,

I'm new to this list and l2tp/openbsd (but do have working UNIX/Linux 
knowledge).  After searching the previous forum posts (and the internet) I have 
found a lot of information on l2tp ipsec.conf connection strings. However, I 
can't get android to connect. I keep getting IKE negotiation failed errors.

I've looked at sites such as:

http://bluepilltech.blogspot.com/2017/02/openbsd-l2tp-over-ipsec-android-601-ios.html
https://www.authbsd.com/blog/?p=20
http://daemonforums.org/showthread.php?t=10326
https://rzemieniecki.wordpress.com/2014/05/28/debugging-ipsec-on-openbsd-invalid_cookie/
https://man.openbsd.org/npppd.conf.5
https://blog.gordonturner.com/2016/12/10/openbsd-6-0-vpn-endpoint-for-ios-and-osx/
https://marc.info/?l=openbsd-misc=145922338026396=2
https://marc.info/?l=openbsd-misc=145614573528471=2
https://www.mail-archive.com/misc@openbsd.org/msg145747.html
... etc


I can get IOS to connect, but I can't get android 7 to connect.  I've read that 
android has bugs with the vpn client in 6.x and 7.x (not sure if it is fixed in 
8 or not). However, what is confusing is it connects just fine
to my windows l2tp server.  Bug tracker: 
https://issuetracker.google.com/issues/37074640#c35


My goal: Setup openbsd to work with IOS/android/windows/whatever.

My questions.


1)  Can you have more than one ike line in ipsec.conf? from my presumption 
of looking at sites on the internet, you can, however, I am not sure.

https://www.authbsd.com/blog/?p=20 makes it seem like you can, unless it is 
just two examples


2)  Every time I read a site that says, "this configuration worked for me 
on android", it doesn't work for me. I presume it is my lack of understanding, 
though, I'm not ruling out the possible android bug.


I appreciate any help.



Here is my ipsec.conf (this allows IOS to connect)

public_ip = "x.x.x.x"



ike passive esp transport \

  proto udp from $public_ip to any port 1701 \

  main auth "hmac-sha1" enc "aes" group modp1024\

  quick auth "hmac-sha1" enc "aes" \

  psk "PSK-GOES-HERE"

Here is my npppd.conf



authentication LOCAL type local {

users-file "/etc/npppd/npppd-users"

}



tunnel L2TP protocol l2tp {

listen on 0.0.0.0

listen on ::

}



ipcp IPCP {

pool-address 10.0.0.101-10.0.0.254

dns-servers x.x.x.x

}



# use pppx(4) interface.  use an interface per a ppp session.

interface pppx0 address 10.0.0.1 ipcp IPCP

bind tunnel from L2TP authenticated by LOCAL to pppx0


Re: LACP problem

2017-09-20 Thread Charles Lecklider
On 09/06/2017 04:07, Lyndon Nerenberg wrote:
> The first step is to have the switch display its idea of the LACP 
> configuration and status.  I haven't a clue how a TP-LINK does that, but on 
> our Junipers it's 'show lacp interfaces'.

So I finally found my serial cable


TL-SG3424#show lacp internal
Flags:  S - Device is requesting Slow LACPDUs
        F - Device is requesting Fast LACPDUs
        A - Device is in active mode   P - Device is in passive mode
[...]
Channel group 6
                        LACP port  Admin  Oper   Port    Port
Port      Flags  State  Priority   Key    Key    Number  State
Gi1/0/9   SP     Up     32768      0x6    0xf60  0x9     0x3c
Gi1/0/10  SP     Down   32768      0x6    0      0xa     0x44

TL-SG3424#show lacp neighbor

Flags:  S - Device is requesting Slow LACPDUs
        F - Device is requesting Fast LACPDUs
        A - Device is in active mode   P - Device is in passive mode
[...]
Channel group 6
                 LACP port                  Admin  Oper    Port    Port
Port      Flags  Priority   Dev ID          Key    Key     Number  State
Gi1/0/9   SA     32768      0cc4.7ad9.ead0  0      0x405c  0x5     0x3d
Gi1/0/10  SP     0          ..              0      0       0       0


I'm not sure if any of that is informative in any way?
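The State columns in those two tables do say where the bundle is broken, once the IEEE 802.1AX port-state octet is decoded bit by bit. The following Python is an added example (not code from the thread, from OpenBSD or from TP-LINK) that decodes the State values quoted above; the table text is a re-aligned copy of the switch output, and the `Gi…` row pattern is an assumption about this switch's format.

```python
"""Decode LACP port-state octets from a switch's `show lacp` output.

Added example; not code from the thread, OpenBSD or TP-LINK. The state
values are the ones quoted above for channel group 6; the bit layout is
the IEEE 802.1AX (formerly 802.3ad) Actor_State / Partner_State octet.
"""
import re
from typing import Dict, Set

# Port-state bits, least significant bit first (IEEE 802.1AX).
STATE_BITS = (
    "Activity",         # bit 0: 1 = active LACP, 0 = passive
    "Timeout",          # bit 1: 1 = short (fast) timeout requested
    "Aggregation",      # bit 2: port is aggregatable
    "Synchronization",  # bit 3: port is attached to the agreed aggregator
    "Collecting",       # bit 4: port accepts frames from the aggregate
    "Distributing",     # bit 5: port transmits frames on the aggregate
    "Defaulted",        # bit 6: partner info is defaulted (no LACPDUs received)
    "Expired",          # bit 7: partner info has timed out
)


def decode_state(value: int) -> Set[str]:
    """Return the names of the flags set in a port-state octet."""
    return {name for bit, name in enumerate(STATE_BITS) if (value >> bit) & 1}


def classify(value: int) -> str:
    """One-line verdict for a port's own state octet."""
    bits = decode_state(value)
    if "Defaulted" in bits or "Expired" in bits:
        return "no partner LACPDUs (defaulted/expired)"
    if {"Synchronization", "Collecting", "Distributing"} <= bits:
        return "bundled (in sync, collecting, distributing)"
    if "Synchronization" in bits:
        return "in sync but not forwarding"
    return "not in sync"


def parse_show_lacp(text: str) -> Dict[str, int]:
    """Map port name -> state octet from a `show lacp` table.

    Assumes (as in the TP-LINK output above) that each interface row starts
    with the port name and ends with the State field in hex (0x3c) or decimal.
    """
    ports = {}
    for line in text.splitlines():
        m = re.match(r"\s*(Gi\d+/\d+/\d+)\s.*?(\S+)\s*$", line)
        if m:
            ports[m.group(1)] = int(m.group(2), 0)
    return ports


# Constructed, re-aligned copies of the two switch tables quoted in the
# thread; only the port name and the trailing State field are used.
SHOW_LACP_INTERNAL = """\
Port      Flags  State  Priority  AdminKey  OperKey  Number  State
Gi1/0/9   SP     Up     32768     0x6       0xf60    0x9     0x3c
Gi1/0/10  SP     Down   32768     0x6       0        0xa     0x44
"""

SHOW_LACP_NEIGHBOR = """\
Port      Flags  Priority  DevID           AdminKey  OperKey  Number  State
Gi1/0/9   SA     32768     0cc4.7ad9.ead0  0         0x405c   0x5     0x3d
Gi1/0/10  SP     0         ..              0         0        0       0
"""


def diagnose(internal: str, neighbor: str) -> Dict[str, str]:
    """Per port: the switch's own state plus what it has heard from the partner."""
    own = parse_show_lacp(internal)
    seen = parse_show_lacp(neighbor)
    report = {}
    for port, state in own.items():
        verdict = classify(state)
        partner = decode_state(seen.get(port, 0))
        if "Defaulted" in decode_state(state):
            # The switch never received a valid LACPDU on this link, so the
            # fault lies between the host's port and this switch port.
            verdict += "; switch hears nothing from the host on this link"
        elif "Activity" in partner:
            verdict += "; partner is running LACP in active mode"
        report[port] = verdict
    return report


if __name__ == "__main__":
    for port, verdict in diagnose(SHOW_LACP_INTERNAL, SHOW_LACP_NEIGHBOR).items():
        print(f"{port}: {verdict}")
```

Port 9 decodes to bundled with an active partner (matching em0 "active,collecting,distributing" in the earlier ifconfig output), while port 10's 0x44 is Aggregation plus Defaulted: the switch has never seen an LACPDU on that link, which is consistent with the all-zero Dev ID in the neighbor table.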



Re: LACP problem

2017-06-10 Thread Charles Lecklider
On 10/06/2017 19:15, Lyndon Nerenberg wrote:
> Not really, other than running tcpdump on the two interfaces and
> examining the LACP protocol packets to try to discover why the
> negotiation is acting the way it is.

OK, that sounds like an even deeper rabbit-hole.

> Also, if you don't have the enable password, how did you configure
> LACP on the switch to begin with?

Fair question: via the web UI. That would imply it's not just a
front-end for the CLI, which implies another set of potential security
issues. Not an issue for this network, but certainly something to
consider in future.



Re: LACP problem

2017-06-10 Thread Charles Lecklider
On 09/06/2017 04:07, Lyndon Nerenberg wrote:
> The first step is to have the switch display its idea of the LACP
> configuration and status.

That's turning into a bit of a mission

Seems TP-LINK don't set an enable password by default so I can't get
what I need via ssh until I've set that. To set it I need to connect to
the console port, which means finding the cable and a serial-to-USB adapter.
I have all the above (somewhere), it's just going to take some time.

Is there no other diagnostic information I can get from the OpenBSD side?



LACP problem

2017-06-08 Thread Charles Lecklider
I'm trying to get LACP working over 2 ports (em0, em1). I've done this
successfully with FreeBSD and 4 ports on the same switch so I know it
can be done, I just can't get it working with OpenBSD. I'm hoping I've
just botched the config somewhere.

The switch is a TP-LINK TL-SG3424, latest firmware available, and LACP
is set to passive for the two ports (I've tried active, too).

hostname.em0:
mtu 9000 up

hostname.em1:
mtu 9000 up

hostname.trunk0:
trunkport em0 trunkport em1 trunkproto lacp
inet 10.1.2.1 255.255.255.0 NONE


From my reading of the man pages that's all I need to do, and ifconfig
seems to agree:

em0: flags=8b43
mtu 9000
lladdr 0c:c4:7a:d9:ea:d0
index 5 priority 0 llprio 3
trunk: trunkdev trunk0
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active
em1: flags=8b43
mtu 9000
lladdr 0c:c4:7a:d9:ea:d0
index 6 priority 0 llprio 3
trunk: trunkdev trunk0
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active

trunk0: flags=8843 mtu 9000
lladdr 0c:c4:7a:d9:ea:d0
index 11 priority 0 llprio 3
trunk: trunkproto lacp
trunk id: [(8000,0c:c4:7a:d9:ea:d0,405C,,),
 (8000,30:b5:c2:07:81:4a,0CF3,,)]
trunkport em1
trunkport em0 active,collecting,distributing
groups: trunk
media: Ethernet autoselect
status: active
inet 10.1.2.1 netmask 0xff00 broadcast 10.1.2.255


The trunk is there, seems to be configured the right way, but the second
port doesn't come up. If I pull the cable on em0, em1 comes up, put the
cable back, em0 doesn't join the trunk.


Have I botched the config somewhere? Or is there some incompatibility
going on between OpenBSD and the switch? And if it's the latter, how do
I get some diagnostic information to work out what's going on?

Thanks!





addresses and routes configured via rtsol

2014-09-01 Thread Charles Musser
I set up a small network in which an OpenBSD machine serves as a
router for a collection of IPv6-only clients. Many thanks to previous
responders to my questions on tunneling with gif(4). This rudimentary
setup is working well: a client machine acquires an address via SLAAC
and can access the IPv6 Internet. I am curious, however, about the
addresses and routes that get installed on the client machine.

The setup is straightforward. The router is connected to an IPv6 tunnel
on the Internet-facing side (using a gif(4) interface), it has IPv6
forwarding enabled, and is running rtadvd on the inward-facing
interface. Note that rtadvd is using its internal defaults; I didn't
create a configuration file for it because the man page

The interface info and routing table is at the end of this mail and
I've annotated lines of interest with numbers in brackets so that
referencing these entries in questions would be clearer. The questions
are:

1.) In addition to the self-assigned link-local address, the client's
interface has two other addresses, both having the network prefix
supplied by the router (annotation [1]). One has the same suffix as
that of the link-local address. The other, marked autoconfprivacy,
is different and changes periodically (certainly on every reboot). I
assume this address is formed with the rules defined in RFC 4941. As I
interpret it, the RFC suggests a scheme that employs different
addresses for server-oriented tasks and client-oriented tasks. The
idea is that a predicable address is suitable for the former, while a
randomized one is for the latter. Is that what's happening here?
According to netstat(1), this seems to be the case. While surfing the
web, the local address always seems to be the one with the
autoconfprivacy attribute. Is rtsol(8) in charge of implementing this
policy?

2.) A corollary to the above question is how the privacy address
gets used for outbound connections. My assumption of how interfaces
with multiple addresses behave is this: the interface will accept
connections for any address it has been assigned, but will use the
canonical one for connections that are initiated through that
interface. Is this correct? Does IPv6 have the notion of aliases at
all? If it does, how do you know which one is the canonical
address. If not, how do outbound connection end up with the correct,
i.e. private, local address?

3.) The default route (annotation [2]) mystified me at first, before I
realized that the gateway address was the link-local address of the
router. I was aware of link-local addresses in IPv6, but I was unsure
of their application and didn't expect them to come into play here. I
expected the gateway to be the IPv6 address I assigned to the router's
inward facing interface. It seems logical that the router's link-local
address works, but why was it chosen?

4.) The /64 network route for my network has the gateway specified as
link#1 (annotation [3]). What are the link family of interfaces?
These must be different than routes that specify one of the link-layer
addresses, but how?

Thanks,

Chuck

Output of ifconfig em0 and  netstat -nrf inet6, with [annotations]:

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr f0:de:f1:78:d5:4c
priority: 0
groups: egress
media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
status: active
inet6 fe80::f2de:f1ff:fe78:d54c%em0 prefixlen 64 scopeid 0x1
inet6 2001:470:1f05:204:f2de:f1ff:fe78:d54c prefixlen 64 autoconf 
pltime 604280 vltime 2591480  [1]
inet6 2001:470:1f05:204:1039:d2fd:9b56:709 prefixlen 64 autoconf 
autoconfprivacy pltime 77124 vltime 595610 [1]

Internet6:
DestinationGatewayFlags   Refs  
Use   Mtu  Prio Iface
::/104 ::1UGRS   0  
  0 - 8 lo0  
::/96  ::1UGRS   0  
  0 - 8 lo0  
defaultfe80::92e2:baff:fe2b:b008%em0  UG 0  
156 -56 em0  [2]
::1::1UH14  
  0 33144 4 lo0  
::127.0.0.0/104::1UGRS   0  
  0 - 8 lo0  
::224.0.0.0/100::1UGRS   0  
  0 - 8 lo0  
::255.0.0.0/104::1UGRS   0  
  0 - 8 lo0  
:::0.0.0.0/96  ::1UGRS   0  
  0 - 8 lo0  
2001:470:1f05:204::/64 link#1 UC 1  
  0 - 4 em0  [3]
2001:470:1f05:204::1   90:e2:ba:2b:b0:08  UHLc   0  
 30 - 4 em0  
2001:470:1f05:204:24c5:ec52:ca52:a9e7 f0:de:f1:78:d5:4c  UHL
00   

Re: ifconfig command for IPv6 tunnel

2014-08-20 Thread Charles Musser
On Aug 19, 2014, at 9:38 PM, Adam Thompson athom...@athompso.net wrote:
 
 IIRC from my experimentation, you've got it exactly right.
 Some tunnel brokers give you subnet masks that certain versions of OpenBSD 
 don't like - that turns out to not actually matter, just use whatever 
 ifconfig(8) wants.  Point in case: HE recommends using /64 for PtP links, but 
 OpenBSD 5.x requires /128.  Since HE allocates an entire /64 per tunnel, 
 there is no danger in configuring it more narrowly on the client end.

Thanks for the info. As it happens, I am also using a tunnel provided by HE.
 
 The hostname.if(5) syntax that finally worked for me on 5.4-RELEASE was 
 (slightly anonymized)
 description HE_TUNNEL_FREMONT
 tunnel 184.70.48.XXX
 dest 64.71.128.83
 inet6 2001:470::X::2
 dest 2001:470::X::1 prefixlen 128
 which perhaps adds some clarity, or perhaps confuses, depending on your point 
 of view.  I can't remember whether (in the non-BGP case) I added the route 
 command as !route -n add -inet6 default 2001:470:1f04:204::1 to the 
 hostname.gif0 file, or if I added it to /etc/mygate - one or the other should 
 work, anyway.
I haven't gotten to the point of making this configuration permanent, but the 
example above makes sense. My initial effort is toward a larger goal of getting 
a small network of pure IPv6 hosts connected. My current thinking on how to do 
this (in admittedly vague and incomplete terms) is: use a machine connected 
to the tunnel broker as a bridge. Other machines would connect to it and 
perform address autoconfiguration, using the prefix of the HE provided 
network. To accomplish this, the bridge machine would run the daemon that hands 
out these prefixes, which I think is called rtadvd. Comments on this approach 
(or alternatives) are welcome.

Finally, is this the place to discuss these kinds of network setup puzzles? I 
happen to be using OpenBSD, but this kind of task really is at the intersection 
of operating system specifics and the more general practice of network design.

Chuck



Re: ifconfig command for IPv6 tunnel

2014-08-20 Thread Charles Musser
On Aug 20, 2014, at 7:43 AM, Adam Thompson athom...@athompso.net wrote:
 I know - I could tell by the addresses you provided :-).
So much for *my* anonymity... ;-)
 
 Basically, yes.  Although you have a router (does things with IP packets), 
 not a bridge (does things with Ethernet frames) - that's a huge difference.
 I don't think I've ever relied on address autoconfig - it looks very nice in 
 theory but has some limitations in practice.  I would test everything using 
 static IPs and static routes first, and then move on to rtadvd.
 
 HE assigns two blocks of addresses with every tunnel - the point-to-point 
 tunnel addresses and the Routed IPv6 Prefixes.
 You want to use the IPv6 Tunnel Endpoints on the gif0 tunnel, which is 
 presumably built on top of $external_if , and you want to use the Routed IPv6 
 Prefixes on $internal_if.  Note that it is perfectly valid to have public IPv6 
 addresses running on the same subnet as private (RFC1918) IPv4 addresses - 
 IPv4 traffic gets NAT'd, IPv6 traffic merely gets routed.

rtadvd: Yes, one thing at a time. Static IPs first.

router vs. bridge: good point. Because those routed IPv6 prefixes are 
available, there are two networks in play, so it's routing and not bridging. I 
was initially operating under the assumption that there was one network for 
both the tunnel endpoint and the other hosts, so I thought "bridge!". But that 
isn't the case.
 
 Do beware that your pf ruleset must pass IPv6 traffic without NAT'ing it... I 
 think this is the default now, not sure.
This, I will have to dig into. I wasn't aware that PF was enabled. But I 
suspect you can't get very far in these setups without it. Another responder 
provided some PF rules to try, so I can study those.



Re: ifconfig command for IPv6 tunnel

2014-08-20 Thread Charles Musser
On Aug 20, 2014, at 4:15 AM, Ed Hynan eh_l...@optonline.net wrote:

 On Tue, 19 Aug 2014, Charles Musser wrote:
 
 
 - prefix::1 is the local address of the interface on the IPv6
 network.
 
 No, *::2 is local.
Ah, yes. Despite my best efforts at copyediting, I had the meanings of *::1 and
*::2 reversed.

 
 - The alias parameter is superfluous in this case. I tried it without
 that and got the same result: an operating tunnel.
 
 If it works, ifconfig is being smart, but why not make your intent
 explicit? The tunnel is across the ip4 addresses; this command adds
 aliases, or close enough.
Stated another way: the alias keyword doesn't do any harm here, but
using it makes things harder to understand because this isn't actually an
alias; it's a local address and a remote address and this pair comprises
the endpoints of a point-to-point link.
 

 It's ambiguous when you write the server IP because the remote end
 of the tunnel is a server, and if you're configuring a router rather
 than a host then that's a server too. Addr *::2 is local in that it's
 an address of your gif(4) interface.  The ifconfig(8) synopsis is
 simpler than gif configuration, but yes *::2 is like dest_address.
Just to clarify, this setup is currently a host, not a router. Given all that,
::2 is the local address and ::1 is remote. Doesn't that make ::1 the
dest_address?

Note: possible beating of dead horse here. Feel free to say: stop
obsessing over the syntax of this command, dummy.

 
 Addr *::1 is remote. Try 'netstat -nvrf inet6 | grep 2001:' and find
 that *::1 has the G (gateway) flag, and host *::2 has a route to *::1.
Output of that is:

default                2001:470:1f04:204::1   UGS        6      146     -     8 gif0
2001:470:1f04:204::1   2001:470:1f04:204::2   UH         1        0     -     4 gif0
2001:470:1f04:204::2   link#6                 UHL        0        0     -     4 lo0

This is different than what you describe, but it makes sense. I think.
 
 Also look at something using the interface, maybe ntpd. Look at the
 address with 'netstat -nvf inet6 | grep 123' (no -r there), and
 see that *::2 is local.
Output is:

Active Internet connections
Proto   Recv-Q Send-Q  Local Address               Foreign Address                          (state)
tcp6         0      0  2001:470:1f04:204::2.32069  2001:200:dff:fff1:216:3eff:feb1:44d7.80  ESTABLISHED
tcp6         0      0  2001:470:1f04:204::2.7      2001:200:dff:fff1:216:3eff:feb1:44d7.80  ESTABLISHED
tcp6         0      0  2001:470:1f04:204::2.30221  2001:200:dff:fff1:216:3eff:feb1:44d7.80  ESTABLISHED
tcp6         0      0  2001:470:1f04:204::2.3173   2001:200:dff:fff1:216:3eff:feb1:44d7.80  ESTABLISHED
tcp6         0      0  2001:470:1f04:204::2.27980  2001:200:dff:fff1:216:3eff:feb1:44d7.80  ESTABLISHED
tcp6         0      0  2001:470:1f04:204::2.48945  2001:200:dff:fff1:216:3eff:feb1:44d7.80  ESTABLISHED

This seems to confirm what you said. The local endpoint is indeed *::2.
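
An added example (Python, not code from any post in this thread): a small parser for the `netstat -nrf inet6` output quoted above and in the earlier autoconf question. It decodes the flag letters, says what kind of next hop each Gateway column holds (a `link#N` interface, a link-layer address, a link-local router, loopback, or a reject route), and performs the G/H check Ed describes for the two tunnel endpoints. The flag meanings are an assumption taken from netstat(1), and the two sample tables are reconstructed from the outputs in the two posts.

```python
import ipaddress
import re
from dataclasses import dataclass

# Route flag letters as printed by OpenBSD netstat(1).  Assumption: the
# meanings come from the netstat(1) manual's flag table, not from the thread.
FLAG_MEANINGS = {
    "U": "up",
    "G": "gateway: forward to the address in the Gateway column",
    "H": "host route (a single address, not a prefix)",
    "R": "reject: traffic to this destination is refused",
    "S": "static (added by hand or at boot, not learned)",
    "C": "cloning: host routes are cloned from this prefix on demand",
    "L": "link-layer address attached (a neighbour entry)",
    "c": "cloned from a cloning route",
}

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
LINK_RE = re.compile(r"^link#\d+$")


@dataclass
class Route:
    dest: str
    gateway: str
    flags: str
    iface: str


def parse_routes(text):
    """Parse `netstat -nrf inet6` output.  Columns are whitespace separated;
    only Destination, Gateway, Flags and Iface are kept (Refs/Use/Mtu/Prio
    are skipped) and the header lines are ignored."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] in ("Internet6:", "Destination"):
            continue
        routes.append(Route(parts[0], parts[1], parts[2], parts[-1]))
    return routes


def explain_flags(flags):
    return [FLAG_MEANINGS.get(ch, "unknown flag %r" % ch) for ch in flags]


def classify_gateway(route):
    """Say what kind of next hop the Gateway column names."""
    gw = route.gateway
    if LINK_RE.match(gw):
        return "interface"          # on-link prefix: sent directly out of iface N
    if MAC_RE.match(gw):
        return "neighbor"           # resolved link-layer address (NDP cache entry)
    addr = ipaddress.IPv6Address(gw.split("%", 1)[0])  # drop the %scope suffix
    if "R" in route.flags:
        return "reject"
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local router"  # e.g. a default router learned from an RA
    return "global router"


def tunnel_endpoints_ok(routes, local, remote):
    """The check suggested in the tunnel thread: the default route carries G
    and points at the remote end, and an H route to the remote end has the
    local end as its gateway."""
    by_dest = {r.dest: r for r in routes}
    default = by_dest.get("default")
    host = by_dest.get(remote)
    return (default is not None and "G" in default.flags and default.gateway == remote
            and host is not None and "H" in host.flags and host.gateway == local)


# Sample tables reconstructed from the two posts (constructed input, not live output).
LAN_TABLE = """\
Internet6:
Destination                            Gateway                        Flags   Refs      Use   Mtu  Prio Iface
::/104                                 ::1                            UGRS       0        0     -     8 lo0
default                                fe80::92e2:baff:fe2b:b008%em0  UG         0      156     -    56 em0
::1                                    ::1                            UH        14        0 33144     4 lo0
2001:470:1f05:204::/64                 link#1                         UC         1        0     -     4 em0
2001:470:1f05:204::1                   90:e2:ba:2b:b0:08              UHLc       0       30     -     4 em0
"""

TUNNEL_TABLE = """\
default                2001:470:1f04:204::1   UGS        6      146     -     8 gif0
2001:470:1f04:204::1   2001:470:1f04:204::2   UH         1        0     -     4 gif0
2001:470:1f04:204::2   link#6                 UHL        0        0     -     4 lo0
"""

if __name__ == "__main__":
    for r in parse_routes(LAN_TABLE):
        print("%-40s %-18s %s" % (r.dest, classify_gateway(r), ", ".join(explain_flags(r.flags))))
    print("tunnel endpoints consistent:",
          tunnel_endpoints_ok(parse_routes(TUNNEL_TABLE), "2001:470:1f04:204::2", "2001:470:1f04:204::1"))
```

Run it against `netstat -nrf inet6` piped from a live host; the classification is what answers questions 3 and 4 of the earlier post (a link-local gateway and a `link#N` gateway are different things from the link-layer-address entries), and the last line reproduces Ed's G/H check for the gif0 tunnel.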



Re: ifconfig command for IPv6 tunnel

2014-08-20 Thread Charles Musser
On Aug 20, 2014, at 2:25 PM, Ed Hynan eh_l...@optonline.net wrote:

 
 Although this is a little more complex on gif than e.g. an ethernet interface,
 alias is at least similar. On a more straightforward type interface, alias
 is used adding additional addresses (BTW, not OpenBSD specific, the alias
 keyword is similar for {Net,Free}BSD; and, apparently dissimilar on Linux).
 Think of the IPv6 addrs as 'additional' after IPv4 tunnel addrs for
 conceptual satisfaction.
OK, got it. I am at peace.

 
 Output of that is:
 
 default                2001:470:1f04:204::1   UGS        6      146     -     8 gif0
 2001:470:1f04:204::1   2001:470:1f04:204::2   UH         1        0     -     4 gif0
 2001:470:1f04:204::2   link#6                 UHL        0        0     -     4 lo0
 
 This is different than what you describe, but it makes sense. I think.
 
 Is it different?  Your output shows what I intended to describe.
 Line 1 with G flag shows that 'gateway' addr *::1 is default route
 and line 2 with H flag shows 'host' addr *::2 has/is a route to *::1
 (didn't I suggest that clearly on my 1st coffee? I think I did).
Upon reflection, it does match what you said. My coffee consumption, or
lack thereof, influenced my comprehension here.
 
 
 Looks good.  Since this is a host never mind rtadvd (I had mentioned
 that).  You'll want to handle IPv6 in pf generally.  Since you
 didn't mention it I suppose you're not strictly firewalling; you
 would have mentioned allowing proto 41 for the ip4 remote endpoint
 or maybe you've got that all set.
I don't now, but that's the goal. At this point, I need to forage for some
hardware to try building a router. I had a perfectly good beige box with
numerous interfaces that I threw out recently. Party foul. Once I get
that, then I probably will have PF-specific questions.



ifconfig command for IPv6 tunnel

2014-08-19 Thread Charles Musser
Hi,

I'm experimenting with using IPv6 via a tunnel broker provided by an
ISP. The tunnel works, but I want to confirm my understanding of the
commands they gave me to set it up. These are the commands:

ifconfig gif0 tunnel 50.1.94.112 72.52.104.74
ifconfig gif0 inet6 alias 2001:470:1f04:204::2 2001:470:1f04:204::1 prefixlen 128
route -n add -inet6 default 2001:470:1f04:204::1

The first and third commands make sense to me; they set up an IPv4
tunnel interface and a default route for IPv6. After reading the
ifconfig(8) man page, I think I sort of understand what the second one
does. Side note: the two IPv6 addresses provided by the tunnel
broker are defined, in their terminology, as follows: prefix::1 is
the server IPv6 address and prefix::2 is the client IPv6
address. Given that, I think the following is true:

- prefix::1 is the local address of the interface on the IPv6
  network.

- The alias parameter is superfluous in this case. I tried it without
  that and got the same result: an operating tunnel.

- Because gif0 is a point-to-point interface, prefix::2 (the
  server IP) is interpreted as the dest_address parameter mentioned
  in the ifconfig(8) man page.

- dest_address is the far end of the tunnel and, for point-to-point
  links, serves as the gateway. In this case, it leads to the broader
  IPv6 universe.

Any confirmation, clarification or correction is much appreciated.

Chuck
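
An added example (Python, not code from this post or from the tunnel broker): it takes the four endpoint addresses a broker hands out and produces the three commands above, the equivalent hostname.if(5) lines for a persistent setup, and an explicit statement of which IPv6 address is local and which is the far end (the dest_address of the point-to-point link, and therefore the default gateway). It also flags the things this thread trips over: a non-public client IPv4 address, endpoints outside the same /64, and a prefix length other than the /128 that the thread reports OpenBSD 5.x wanting. Assumptions: the broker's "client" addresses belong to this host and the "server" addresses to the far end, and the hostname.gif0 lines use the ifconfig-argument and `!command` forms that hostname.if(5) accepts.

```python
import ipaddress


def tunnel_plan(client4, server4, client6, server6, prefixlen=128, iface="gif0"):
    """Build the ifconfig(8)/route(8) commands and hostname.if(5) lines for a
    broker-provided 6in4 tunnel, and name the local and far-end addresses.
    Assumption: "client" = this host, "server" = the far end."""
    c4, s4 = ipaddress.IPv4Address(client4), ipaddress.IPv4Address(server4)
    c6, s6 = ipaddress.IPv6Address(client6), ipaddress.IPv6Address(server6)

    warnings = []
    if not c4.is_global:
        # The outer tunnel is IP protocol 41 sent to the client's IPv4 address;
        # a private address means the far end cannot reach it directly.
        warnings.append("client IPv4 %s is not globally routable; the far end "
                        "cannot reach it directly for protocol 41" % c4)
    if c6.is_link_local or s6.is_link_local:
        warnings.append("tunnel endpoints must be global IPv6 addresses, not link-local")
    if ipaddress.IPv6Interface("%s/64" % c6).network != ipaddress.IPv6Interface("%s/64" % s6).network:
        warnings.append("client and server IPv6 endpoints are not in the same /64")
    if prefixlen != 128:
        warnings.append("the thread reports OpenBSD 5.x wanting /128 on the "
                        "point-to-point endpoint, not /%d" % prefixlen)

    # The same three steps as typed by hand ...
    commands = [
        "ifconfig %s tunnel %s %s" % (iface, c4, s4),
        "ifconfig %s inet6 alias %s %s prefixlen %d" % (iface, c6, s6, prefixlen),
        "route -n add -inet6 default %s" % s6,
    ]
    # ... and as /etc/hostname.gif0 lines (assumed form: ifconfig arguments,
    # plus a "!" line for the route command).
    hostname_if = [
        "tunnel %s %s" % (c4, s4),
        "inet6 alias %s %s prefixlen %d" % (c6, s6, prefixlen),
        "!route -n add -inet6 default %s" % s6,
    ]
    return {
        "local": str(c6),          # the address of our end of gif0
        "dest_address": str(s6),   # the far end of the point-to-point link
        "gateway": str(s6),        # which is also the IPv6 default gateway
        "commands": commands,
        "hostname_if": hostname_if,
        "warnings": warnings,
    }


if __name__ == "__main__":
    plan = tunnel_plan("50.1.94.112", "72.52.104.74",
                       "2001:470:1f04:204::2", "2001:470:1f04:204::1")
    print("local %(local)s, far end/gateway %(dest_address)s" % plan)
    print("\n".join(plan["commands"]))
    print("--- /etc/hostname.gif0 ---")
    print("\n".join(plan["hostname_if"]))
    for w in plan["warnings"]:
        print("warning:", w)
```

The route line could equally go into /etc/mygate instead of the `!route` line, as Adam notes later in the thread; the example keeps everything in one file so that the tunnel and its default route come up together.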



Re: Package installation

2014-08-02 Thread Charles Musser
The need for multiple versions of an application on one machine
doesn't manifest that often. Asking the system to tie itself into
knots for this purpose is likely to result in bloat, convolution and
less reliability.

Some contexts support and indeed encourage the notion of many
versions. For instance, the Ruby Version Manager (RVM) allows
different versions of the Ruby interpreter and its attendant libraries
to be in use at a given time. It seems to work perfectly well, but one
has to wonder if this is really a good thing. Do you really want the
mental overload that results from having to deal with multiple
versions of a language, library, API, user tool, or whatever?

The original poster might want to consider whether this kind of thing
is necessary or desirable. It sounds symptomatic of half-baked ideas
about what needs to be accomplished and how to accomplish it. Also
worth considering is OpenBSD's stance on how to maintain a system. You
are encouraged to refresh the system at six month intervals and, in so
doing, become familiar with the nature of the software you're
running. Chances are, the version they've packaged works well enough,
probably better than older incarnations.

Incidentally, you can learn what files comprise a package with:

pkg_info -L package-name

You can learn about the package related commands by typing:

apropos pkg_

And then reading the listed manpages. As always with OpenBSD, these
documents are of high quality.

Chuck

On Aug 2, 2014, at 4:17 AM, Gustav Fransson Nyvell gus...@nyvell.se wrote:

 On 08/02/14 13:13, Gustav Fransson Nyvell wrote:
 On 08/02/14 12:54, Marc Espie wrote:
 On Sat, Aug 02, 2014 at 12:26:06PM +0200, Gustav Fransson Nyvell wrote:
 Hi, there,
 
 I wanted to run something by you, mkay. About package management. I wonder
 if this has been shouted at already. I remember from SunOS that packages 
 are
 installed in a different manner than let's say Red Hat and of course
 OpenBSD. They install it in the form /pkgs/PROGRAM/VERSION, example
 /pkgs/gimp/1.0. GoboLinux does this. I think this has some advantages over
 installing /usr/local/bin/gimp1.1 and /usr/local/bin/gimp2.0. What do you
 think? What have you said?
 
 Ready to be shouted at;
 This puts more strain on the file system actually, which is probably
 the main reason we don't do it. Also, there is generally a lot of churning
 to do to make the package self-contained.
 
 As far as policy goes, having stuff set up like that looks more flexible, 
 but
 it is a fallacy. Instead of having the distribution solve issues concerning
 incompatible versions and updates, the toll falls instead on the individual
 sysadmin, to make sure things they have work together. It can lead to
 security nightmares, because it's so simple to have the newer version
 alongside the old version that sticky points of updating take much longer
 to resolve.
 
 It's a bit like having mitigation measures that you can turn on and off...
 if it's possible to turn these off, there's not enough incentive to actually
 fix issues.
 
 Likewise for packages. By making it somewhat LESS convenient to install
 several versions of the same piece of software, we make it more important
 to do timely updates.
 
 Also, we don't have the manpower to properly manage lots of distinct 
 versions
 of the same software. So  this kind of setup would be detrimental to
 actually testing stuff.
 I guess there could be both. But I think that if there's a security issue 
 with one version of a software then there quite possibly are multiple ways 
 of limiting the impact of that issue. Disallowing multiple versions to force 
 people to upgrade is not really a good reason, from how I see it. Old 
 software will always have more holes, because they're older and more well 
 observed, but they have qualities, too, like speed. GIMP-1.0 is amazing on 
 Lenovo X41 from 2005, but probably has bugs. Of course none of these systems 
 will stop someone who wants to run version x of a software. Maybe something 
 entirely different is needed? Okay, maybe I should complain about the status 
 quo... thing is when packages install in /var, /usr, /etc and /opt they're 
 so spread out it's hard to know what is what. This might be because I'm new 
 but/and scripts can find orphan files in this structures, but you need the 
 scripts for that. Having everything in /pkgs/PKG/VER would not cause this 
 splatter. Programs without dependees (i.e. non-libs, non-utilprograms) could fit in this 
 structure without any extra filesystem magic. Well, the grass is always greener.
 
 BTW, you create multiple versions by your mere existence. There are lots of 
 old versions laying around, but they can't be installed together right now.
 



Re: network roaming convenience

2014-07-22 Thread Charles Musser
On Jul 22, 2014, at 12:59 AM, Stuart Henderson s...@spacehopper.org wrote:

 Out of curiosity, what happens?

 It prints the status,

  iwn0: flags=8847<UP,BROADCAST,DEBUG,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   lladdr 8c:70:5a:62:b7:f8
   priority: 4
   groups: wlan egress
   media: IEEE802.11 autoselect (DS1 mode 11g)
   status: active
   ieee80211: nwid TP-LINK_8F014A chan 6 bssid f8:1a:67:8f:01:4a 189dB

  then there's a 30 second pause during which the led flashes, then ifconfig exits
  without further output. Then I have to ifconfig iwn0 down, ifconfig iwn0 up,
  and start dhclient again which has exited due to the interface state change

Yeah, that is interesting. I didn’t really notice it before, but
“scan” doesn’t return anything if I’m connected to my network, but the
act of doing it changes the status from “active” to “no network”. Then
it returns a list if invoked again. I thought I might run “scan”
periodically to check connectivity, but the act of doing so seems to
knock me off the air. A related wrinkle is that the status never
changes to “no network” if the AP is powered off. So you can’t check
actively (with “scan” anyway) and you can’t be informed passively if
you’ve moved out of range. Darn. About the only thing I noticed was that
the “mode” listed in the media line changes. Not sure that’s actually
indicative of anything.


 While I don't dispute that this behaviour is a bug, it doesn't seem
 right for the script to be doing this, surely if you know the password
 you should also know if wep is needed? It would seem safer generally
 to only use the expected protocol.
True. wiconfig’s author is open to changing how this
works. Apparently, in an upcoming OBSD release, ifconfig will display
the security offered by the AP.


 Do you need a full reboot at this point, or does restarting the interface
 (ifconfig down+up) work? Do you get anything interesting (look in
 /var/log/messages) if ifconfig iwn0 debug is set?
Turns out, no. What I needed to do was clear the WEP key (by using the
“-nwkey” parameter) and then the interface was usable. A subsequent
ifconfig with “wpakey” specified got me connected.



Re: network roaming convenience

2014-07-21 Thread Charles Musser
On Jul 18, 2014, at 3:09 PM, Stuart Henderson s...@spacehopper.org wrote:

 On 2014-07-17, Daniel Melameth dan...@melameth.com wrote:
 It should have tried WEP first and, if that failed, WPA.  ifconfig in
 -current can now discern WEP or WPA so this can readily be improved.
 
 ...as long as you have a wifi nic where ifconfig scan works, for example
 not Intel Centrino Advanced-N 6205 rev 0x34...
 

Out of curiosity, what happens? Does this mean you’re flying blind
when you parachute in somewhere and want to know what wi-fi networks
are around?

On my machine, which uses iwn, “ifconfig scan” does work, but there is
an odd behavior that wiconfig happens to trigger, at least in my
environment.  Configuring the interface for WPA manually (or via
hostname.if) works fine, but I had trouble with wiconfig until I
increased its connect timeout value.  This was due to an odd set of
circumstances.

wiconfig attempts to configure the interface with WPA, waits for a bit
and, if the connection isn’t successful, tries again with WEP. My
machine doesn't connect within wiconfig's 3 second timeout
interval, and then things get weird. After the second connection
attempt (with WEP, using the “nwkey” param), the connect fails again
(my AP only does WPA). After this, the interface cannot connect
successfully with WPA until after a reboot.

I first noticed this behavior with wiconfig and determined what it was
doing specifically with help from wiconfig’s author. To
confirm what was going on, I issued the same sequence of “ifconfig”
invocations manually.  Sure enough, an ifconfig with the nwkey
parameter was a buzzkill: it prevented connection with a subsequent
“ifconfig” invocation: one that certainly works if it is the first
ifconfig that happens. This is certainly a corner case, but it did
trip me up.



network roaming convenience

2014-07-17 Thread Charles Musser
Hi,

I'm looking to create or cobble together functionality that automates
network connections as a user roams around with a laptop. The idea is
to respond to changing network availability (wifi network is known, so
connect; or cable was plugged in; or connect for the first time and
remember; etc.).

On Linux, this is provided by a program called NetworkManager. I'm
pretty sure it's Linux-specific and, anyway, it depends
on DBus (a separate messaging system). I was hoping to create
something a little more self contained. I did explore a couple
of avenues.

One was the wiconfig script mentioned on Undeadly a while
back. This didn't connect, seemingly because it tried to use WEP, not
WPA. I didn't want to debug a shell script to find out why.

Another possibility is using ifstated. However it looks like WiFi
interfaces are always up, even in the "no network" state, so it's
unclear whether the required state transitions would actually happen.
But I haven't verified that, so I can't dismiss this as a solution.

An argument could be made that this is of marginal utility. How hard is
it to use ifconfig, anyway? But I figured it might be an interesting
exercise and may be a nice convenience. Any advice, or discussion
would be appreciated.

Chuck



Re: unreliable connections

2014-01-22 Thread Charles RAPENNE
Hello, I would suggest a DNS problem.
Do you rsync directly to an IP address or are you using a domain name?
That would explain why only the first is failing and not the second
one.
The DNS server you use may have some problems during the night.
If you don't use a domain name, this can't be it. If you use one, you
can add it to /etc/hosts to bypass it. If this continues to fail, the
problem is elsewhere.
I have been monitoring some public DNS servers of ISPs (with smokeping)
and some of them were unreliable during the night.
Regards

From: Chris Smith
Sent: Wednesday, 22 January 2014 16:23
To: Stuart Henderson
Cc: OpenBSD-Misc
Subject: Re: unreliable connections

On Mon, Jan 20, 2014 at 11:31 AM, Chris Smith obsd_m...@chrissmith.org
wrote:
 have moved the block all to the beginning of the ruleset to see if
 it will make any difference

Unfortunately no difference. The attempt to rsync the first directory
failed last night, second one worked fine.

Any other ideas?

Thanks,

Chris



Re: Request for Funding our Electricity

2014-01-17 Thread Charles RAPENNE

On 2013-12-21 01:08, Theo de Raadt wrote:

I am resending this request for funding our electricity bills because
it is not yet resolved.

We really need even more funding beyond that, because otherwise all of
this is simply unsustainable.  This request is the smallest we can
make.

---

Hi everyone.

The OpenBSD project uses a lot of electricity for running the
development and build machines.  A number of logistical reasons
prevents us from moving the machines to another location which might
offer space/power for free, so let's not allow the conversation to go
that way.

We are looking for a Canadian company who will take on our electrical
expenses -- on their books, rather than on our books.  We would be
happiest to find someone who will do this on an annual recurring
basis.

That way the various OpenBSD efforts can be supported, yet written off
as an off-site operations cost by such a company.  If we reduce this
cost, it will leave more money for other parts of the project.

We think that a Canadian company is the best choice for accounting
reasons.  If a company in some other jurisdiction feels they can also
do this successfully, we'd be very happy to hear from them as well.

I am not going to disclose the actual numbers here.  Please contact me
for details if serious.

Thanks.



Hello,

I think this could be great if OpenBSD had somewhere on their website a 
goal/objective for the money to raise, and the % of progress toward it. 
The FreeBSD Foundation is doing this; I think this is very effective as 
you know if they really lack some funds or if they are near their 
objective.


I tried this method for one little project of mine involving some costs 
(~ 400 € / year). After yelling every year "please give some money, this 
doesn't run for free...", I put a visual show of my needs, then I got 40% 
of my funds the day I put up the progress image of the fundraising.



Thank you everyone for doing what you do for OpenBSD :)

Kind Regards



Re: goaccess 0.5

2013-07-09 Thread Charles Rapenne
In the FAQ on the project website, you will find a how-to for compiling it
on OpenBSD; you need to edit 2 or 3 files before compiling it.

2013/7/9 Tony Berth tonybe...@googlemail.com:
 is anyone using goaccess 0.5 with 5.2 or 5.3?

 When running './configure' I get:

 checking for a BSD-compatible install... /usr/bin/install -c
 checking whether build environment is sane... yes
 checking for a thread-safe mkdir -p... ./install-sh -c -d
 checking for gawk... no
 checking for mawk... no
 checking for nawk... no
 checking for awk... awk
 checking whether make sets $(MAKE)... yes
 checking for gcc... gcc
 checking for C compiler default output file name... a.out
 checking whether the C compiler works... yes
 checking whether we are cross compiling... no
 checking for suffix of executables...
 checking for suffix of object files... o
 checking whether we are using the GNU C compiler... yes
 checking whether gcc accepts -g... yes
 checking for gcc option to accept ISO C89... none needed
 checking for style of include used by make... GNU
 checking dependency style of gcc... gcc3
 checking for pkg-config... /usr/bin/pkg-config
 checking pkg-config is at least version 0.9.0... yes
 checking for GLIB2... yes
 checking for refresh in -lncurses... yes
 checking for new_menu in -lmenu... yes
 checking for g_free in -lglib-2.0... no
 configure: error: glib-2.x is missing



Re: Snapshot shasum mismatch

2013-06-25 Thread Charles RAPENNE

On 06/25/13 16:25, toby wrote:

Hi there,

I just wondered if anyone else had found that the shasums on the latest
(24/06/13) snapshots are wrong. I've just tried upgrading from all the
different mirrors here in the UK & got shasum errors for all the non X
parts from the Oxford mirror, the Bytemark mirror and the mirrorservice
one...

Here are some examples:

SHA256 (base53.tgz) = b46c621ae4be7183ab90279d887748d69b4822a309ede81067abbe7adf0b7c5c
fd29dadcf424335e8614745e5dd6a9a88ad8b893decc4b5b4c0ffed26dda891c  base53.tgz

SHA256 (bsd) = 630e5b962a035abe5f25161895bd375979d6907b438d439ccb8e43a7d80f89e0
2de329fc109816fd8a810b0d6a411bad3710f8bb476f213ffc9e3d5d20ac2db2  bsd

SHA256 (bsd.mp) = fbca7ad263c42a0265ddce05b030a9168e3d74bbac0fd3195acc75ec301e5040
af34f3faeeb26d8d7f22ed44edeb90fd17980c64d3148c44b4ec6ebcb416341a  bsd.mp

SHA256 (comp53.tgz) = 6229bbb09a5c1a4d5d761b86c133c15e688abc85c3e6adc6421aa46c651505f7
e0323c01d3a15016d7a0e390420a9518211542ba8e8380b3be5bae2aab7ad718  comp53.tgz

SHA256 (etc53.tgz) = 443f72e113ec652574965e9c43b17644e96080d609e16db59d972fcfdb7a8ec4
d43c6f648586a6c1f1123df42693fb0ea6378c11d18c6f275374fa04ed6eb435  etc53.tgz

SHA256 (game53.tgz) = 4fa2e9027a6c54a98bf6bc220a0cf385a9f53b5e0aea5067bcb3a57946bc51f6
5b3ed56e84fdae1576df27649a756cb5ac1cc88fb295bbae618623525836903f  game53.tgz

SHA256 (man53.tgz) = 5f3cfea012a5d44bb70197f2cd8c7febc5a9eccdd6a791774bbafe0d33e96602
1ab44139148acc480a21765f5d30bc3d94d7b18349019aa0e04069aa64293909  man53.tgz

But, strangely enough, they're all good for the rd kernel, the x* series and
the install isos. Also the erroneous shasums are consistent across all
three mirrors...

Having never encountered this issue before I'm not too sure how suspicious
I should be.

Kind regards,
Toby

I had the same problem yesterday. I'm not sure if it's a real problem or 
a hack.
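
An added example (Python, not code from toby's or Charles's posts): a checker for the `SHA256 (file) = digest` manifest format shown above. It hashes the downloaded sets, reports each entry as ok, mismatching or missing, and, given the SHA256 file as fetched from several mirrors, lists the entries on which the mirrors disagree with each other. That second check separates the two cases the post is unsure about: if every mirror publishes the same digest and the local file still differs, the published SHA256 file (or every copy of the set) is what is off, not one mirror. The demo data are constructed files in a temporary directory, not real OpenBSD sets.

```python
import hashlib
import os
import re
import tempfile

# BSD-style digest line, as in the SHA256 file shipped with OpenBSD sets.
MANIFEST_LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-fA-F]{64})$")


def parse_manifest(text):
    """Map file name -> expected hex digest; lines that do not match are ignored."""
    entries = {}
    for line in text.splitlines():
        m = MANIFEST_LINE.match(line.strip())
        if m:
            entries[m.group("name")] = m.group("digest").lower()
    return entries


def sha256_file(path):
    """Stream the file through SHA-256 so large sets do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(manifest_text, directory):
    """Return {name: "ok" | "MISMATCH" | "missing"} for every manifest entry."""
    result = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            result[name] = "missing"
        elif sha256_file(path) == expected:
            result[name] = "ok"
        else:
            result[name] = "MISMATCH"
    return result


def disagreeing_entries(manifests_by_mirror):
    """Given {mirror: manifest_text}, return the names whose published digest
    differs between mirrors.  An empty result means the mirrors agree with
    each other, so any mismatch against the downloaded sets lies in the
    published SHA256 file (or in every copy of the set), not in one mirror."""
    seen = {}
    for text in manifests_by_mirror.values():
        for name, digest in parse_manifest(text).items():
            seen.setdefault(name, set()).add(digest)
    return sorted(name for name, digests in seen.items() if len(digests) > 1)


def demo():
    """Constructed demo (not real OpenBSD sets): one correct entry, one wrong
    digest, and one file that is not present locally."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "good.tgz")
        bad = os.path.join(d, "bad.tgz")
        with open(good, "wb") as f:
            f.write(b"constructed set contents\n")
        with open(bad, "wb") as f:
            f.write(b"contents that do not match the manifest\n")
        manifest = "\n".join([
            "SHA256 (good.tgz) = %s" % sha256_file(good),
            "SHA256 (bad.tgz) = %s" % ("0" * 64),
            "SHA256 (absent.tgz) = %s" % ("f" * 64),
        ])
        return verify(manifest, d)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-12s %s" % (name, status))
```

On a real download directory, call `verify(open("SHA256").read(), ".")`. A digest match only shows that the file is the one the SHA256 file describes; it says nothing about who wrote that file. Releases from OpenBSD 5.5 onwards ship a SHA256.sig that signify(1) checks against the release key, which is the check that actually answers the "is it a hack?" question.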




Re: Ruby on Rails and the chrooted nginx(8)

2013-06-09 Thread Charles Rapenne
Hi

Please someone correct me if I'm wrong, but I don't think using Nginx
with chroot is useful when dealing with a proxy_pass or fastcgi
application.
If your RoR app is compromised, it won't be chrooted, as it's not
running in a chroot. All nginx will do is serve static files.

Regards

2013/6/9  openda...@hushmail.com:
 Hi,

 Is anybody here running Ruby on Rails in the chrooted nginx(8) and know if 
 it's worth the hassle?

 I notice the docs saying: Some applications are pretty simple, and 
 chroot(2)ing them makes sense. Others are very complex, and are either not 
 worth the effort of forcing them into a chroot(2), or by the time you copy 
 enough of the system into the chroot, you have lost the benefit of the 
 chroot(2) environment. -- http://www.openbsd.org/faq/faq10.html#httpdchroot

 O.D.



Re: Xephyr bug with Firefox

2013-05-24 Thread Charles Evans
I also run Firefox in Xephyr - on debian 32bit.
I _often_ have had the capslock or shift get stuck, 
and I too always had to restart Xephyr.

IIRC it always got stuck when I alt-tab away from (or back to) Xephyr
(maybe because I hit the shift key accidentally? 
or maybe the capslock was on? )

I hope you can find an answer; please let me know.
If you file a bug, please forward it to me /or send me a link.

Thanks
Charles



Re: First macppc install, sensors question

2013-04-17 Thread Charles Rapenne
Hi,

I don't have much experience with Macppc but I think x86 rules should apply.

Usually an idle temperature is under 65°C with the fan not at maximum
speed. When not idle, if your CPU is getting hotter than 90°C, there is
probably something wrong with your cooling system.

The temperatures you show are normal.

Regards
Charles

2013/4/17 Tor Houghton t...@bogus.net:
 Hello,

 I found and repurposed an old PowerBook6,4 yesterday. Thanks all who worked
 on the macppc port.

 The onboard BCM4306 appears to be working just fine after running fw_update
 too.

 I have a question regarding the onboard temperature sensors; they are
 currently reading:

 hw.sensors.adt0.temp0=38.00 degC (Remote)
 hw.sensors.adt0.temp1=38.00 degC (Internal)
 hw.sensors.adt0.temp2=52.00 degC (Remote)

 First of all, what are they measuring (where)? And secondly, what is
 considered to be oops, too hot? It won't be doing anything but shift
 network traffic in and out of its gem0 and bwi0 interfaces (it's repurposed
 as a firewall/IPv6 gateway).

 Kind regards,

 Tor



Re: Server

2013-03-13 Thread Charles Rapenne
Hello,

It will depend on what you want to do with your server.

Firstly, I suggest you remove your graphics card if you can. It will
make noise and heat for nothing and will increase your power
consumption.
If you need a simple home server, to store/share files on your
network, set up your owncloud and/or run a database for personal
developments, I think your hardware is good.

I can't say if OpenBSD is the best system for your use as we don't
know your use. OpenBSD can run a database (postgresql, mysql, redis,
mongo..), but the performance will depend on your workload.

Best regards,
Charles RAPENNE

2013/3/13 Andi andiro...@gmail.com:
 Hello everybody,

 I'm thinking about putting the openBSD 5.2, in a desktop machine, in order
 to make this a server.

 The hardware configuration is:
 intel i3, 1TB of HD, nvidia 9800.

 But I'm wondering about this, if it will be good idea?
 If it's recommended... if openBSD is good to run a database... etc

 Any suggestion, critique, whatever... feel free to answer.

 Best regards,
 ..:: Andi ::..



Novice browser questions

2011-05-01 Thread Charles Blair
   Is the absence of a graphical browser from the base system
a statement that any attempt to do such things as look at
stuff on youtube is inherently unsafe?

   Is tor considered a safe way to do anonymous browsing, or
does openbsd recommend an alternative?



Re: preserving editor files

2010-09-17 Thread Charles Smith
 - Original Message -
 From: Jean-François SIMON
 Sent: 09/08/10 08:50 PM
 To: openbsd-misc
 Subject: preserving editor files
 
 Hi All,
 
 At start-up the OS stays several minutes on preserving editor files.
 
 Could you please inform me what to do about this & what is the system
 then doing? Is it normal?
 
 Thanks & regards

For me, this happens when the machine on which ntpd is running is not 
available: no network, or it has not booted up yet.
Yes, it waits several minutes.



Re: major bump note in faq/current.html

2010-05-29 Thread Charles Smith
  Can we ask in the future something similar at src/*/shlib_version major 
  bumps?
 

 to avoid ``pkg_add -u'' complaining about bad
 major/minor I do the following:

 - check that my mirror is up to date
 ie ``ls'' to make sure all files belong 
 to the same snap

you mean: all files = ${mirror}/pub/OpenBSD/snapshots/${arch}/* ?
You don't care about comparing the 3 dates (major bump, base sets, packages)?

 - update to base (using the installer or just
 reboot and untar base file sets)
Yes.


 - apply changes in current.html
Yes + sysmerge -s etc47.tgz, sysmerge -x xetc47.tgz


 - pkg_add -ui

 this should always work and you don't have to care about
 bumps.

Always or almost always? Doesn't it depend on major bumps?
Major bumps are infrequent, but sometimes happen.



Re: major bump note in faq/current.html

2010-05-28 Thread Charles Smith
Thank you for the polite answers.

On Thu, May 27, 2010 at 10:58 AM, Charles Smith chasm_...@gmx.com wrote:
 Can we ask in the future something similar at src/*/shlib_version major 
 bumps?

Can we ask in the present that you actually describe what problem you're 
trying to solve when you suggest extra work? You know, we just might be able 
to come up with an easier way to solve your problem.
Philip Guenther


Sure, sorry for the fault.
Of course I read the source-changes@ mailing list among others.
This is the sole place where I hear about major bumps.
Most times I remember, but yesterday I forgot and so pkg_add -ui failed.
Besides forgetfulness, it can be a lack of time to read source-changes@, so bad 
timing for the upgrade.
Together with sloppy reading of the commit log messages.

Would this be redundant? Not practical?
I thought maybe some people can more easily review/look back at faq/current.html, 
which is shorter,
than the lot of mails on source-changes@ without informative subjects.
A pkg_add -ui failure is practical enough.
Yes, current.html grows fat, and at the 4.8 release these notes must be removed. 
This is a drawback.
How many major bumps are there yearly? 4-6?

Of course it's your decision.



Re: major bump note in faq/current.html

2010-05-28 Thread Charles Smith
Or maybe just send a heads up mail to m...@.



Re: major bump note in faq/current.html

2010-05-28 Thread Charles Smith
Nowadays I'm using snapshots, but it can be current also; it is IMO unimportant 
in this respect.
Sometimes, seldom, I see major bumps on source-changes@.
I mark the precise date when the major bump happened.
At the next upgrade I pay close attention that my base system must correspond 
with the snapshot packages.
Not newer, not older, but exactly identical.
I do my upgrade only when the prebuilt packages are ready (after the 
marked date, with the new major).
I wouldn't undertake to build all (or some) of my installed packages from ports. 

This was the very first occasion that I forgot about a major bump, and after the 
unguarded upgrade 
pkg_add -ui of course reported it, because the prebuilt packages were made with the 
old major base system.

My starting point was a 05.12 base system, packages from 05.13 or 05.20.
Major bumps happened on 05.21 and 05.26.
My end point: 05.27 base system and 05.25 packages: conflict because of the 
intermediate major bump (05.26).

If there is no demand for separately noting major bumps, I accept and solve it, and 
we forget the idea. No problem.
Or am I misunderstanding something?
Thank you for the nice answers.



Re: major bump note in faq/current.html

2010-05-28 Thread Charles Smith
- Original Message -
From: Vadim Zhukov

  2010/5/28 Charles Smith chasm_...@gmx.com: 
  Or maybe just send a heads up mail to m...@.
 You do not need to bother about ABI changes if you're using -STABLE (thanks to 
 developers). And if you're using -CURRENT, you're definitely advised to 
 monitor source-changes@, no?
 -- 
 WBR, Vadim Zhukov

Yes, it remains this solution.



major bump note in faq/current.html

2010-05-27 Thread Charles Smith
Can we ask in the future something similar at src/*/shlib_version major bumps?



Index: current.html
===
RCS file: /cvs/www/faq/current.html,v
retrieving revision 1.221
diff -u -r1.221 current.html
--- current.html 27 May 2010 14:11:42 - 1.221
+++ current.html 27 May 2010 17:48:08 -
@@ -43,6 +43,7 @@
 lia href=#201005252010/05/25 - new config(8) for kernel builds/a
 lia href=#201005262010/05/26 - gcc4 for amd64 and sparc64/a
 lia href=#20100526a2010/05/26 - f77 moved to ports/a
+lia href=#20100526b2010/05/26 - major bump/a
 !-- New additions go on the bottom, please --
 /ul

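Review bot: on the added `+lia href=#20100526b` line the entry text "major bump" says less than every other entry in this list, which names the thing that changed (config(8), gcc4, f77 moved to ports); since the shlib_version linked from the second hunk is libc's, write it as `2010/05/26 - libc major bump` and use the same capitalisation as the h3 it points to, which says "Major bump". Placing it last in the list is right, as the "New additions go on the bottom" comment on the following line asks.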
@@ -234,6 +235,12 @@
 /usr/share/man/cat1/f77.0 /usr/share/man/cat1/g77.0
 /b/pre/blockquote

+a name=20100526b/a
+h32010/05/26 - Major bump/h3
+Major bump at 2010.05.26 14:39 UTC.
+Pay attention: snapshots packages must be correspond with snapshots sets at 
major level.
+See: a 
href=http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/shlib_version;cvsweb/a
+and a href=http://marc.info/?l=openbsd-cvsm=127488492723928w=2;commit log 
message/a.

 hr
 a href= index.htmlimg height= 24 width= 24 src= ../images/back.gif 
border= 0 alt=[back]/a
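Review bot: the added section on the `+Pay attention:` line warns but does not tell the reader what to do, whereas the f77 entry whose closing pre block is the context just above ends with concrete commands; state the action (install base sets and packages from the same snapshot, i.e. both built after 2010.05.26 14:39 UTC, and compare the dates of the sets and the packages on the mirror before running pkg_add -u) and fix the grammar ("snapshot packages must correspond with snapshot sets at the major level"). Also name the library: the cvsweb link goes to src/lib/libc/shlib_version, so the heading and the first sentence should say libc rather than an unqualified "major bump".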



minor bump in src/.../shlib_version

2009-10-27 Thread Charles Smith
Good afternoon!

When there is a major bump in src/.../shlib_version files,
snapshot sets must correspond with snapshot packages.
For example:
src/lib/libkrb5/shlib_version
src/gnu/lib/libiberty/shlib_version
src/lib/libc/shlib_version
src/lib/libm/shlib_version

Maybe with a minor bump too?

At UTC 2009.06.26 21:06 and 21:09 there was a minor bump in 
src/lib/libc/shlib_version and
src/lib/libm/shlib_version.

i386 packages are from 2009.10.26 before noon.



root.mail at Nov 1

2009-09-30 Thread Charles Smith
Index: src/etc/root/root.mail
===
RCS file: /cvs/src/etc/root/root.mail,v
retrieving revision 1.87
diff -u -r1.87 root.mail
--- src/etc/root/root.mail  24 Jun 2009 06:46:07 -  1.87
+++ src/etc/root/root.mail  30 Sep 2009 14:03:07 -
@@ -1,6 +1,6 @@
-From dera...@do-not-reply.openbsd.org Thu Oct  1 06:46:46 MDT 2009
+From dera...@do-not-reply.openbsd.org Sun Nov  1 06:46:46 MDT 2009
 Return-Path: root
-Date: Oct 1 06:46:46 MDT 2009
+Date: Nov 1 06:46:46 MDT 2009
 From: dera...@do-not-reply.openbsd.org (Theo de Raadt)
 To: root
 Subject: Welcome to OpenBSD 4.6!
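Review bot: the timezone on both changed lines is wrong for the new date. US daylight time ended at 02:00 on Sunday 2009-11-01, so 06:46:46 on that morning is MST, not MDT; the weekday "Sun" is correct, and the envelope From line and the Date header are changed consistently. The subject still reads "Welcome to OpenBSD 4.6!", so the commit message should say why the welcome mail's date moves from Oct 1 to Nov 1.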



Re: root.mail at Nov 1

2009-09-30 Thread Charles Smith
--- On Wed, 9/30/09, Miod Vallat m...@online.fr wrote:
 It's too late for this.
 

Yes, I have realised this too after sending.  Sorry for the noise.



vendor list (was: dmesg IBM x3650 OpenBSD 4.3 )

2008-10-13 Thread Charles Smith
 to create a web section listing the reasonable and bastard vendors?
 I think it would be useful in two points:
 
 * helps to OpenBSD community to choose the right hardware
 * make good or bad publicity depending on real vendor's position
 
 Anyway it's only an idea.

+1
I like the idea very much.



Re: neomagic and the needs-update entries

2008-07-20 Thread Charles Smith
--- On Sat, 7/12/08, Charles Smith [EMAIL PROTECTED] wrote:

 From: Charles Smith [EMAIL PROTECTED]
 Subject: neomagic and the needs-update entries
 To: misc@openbsd.org
 Date: Saturday, July 12, 2008, 6:09 PM
 Good afternoon!
 
 In the xenocara/MODULES file, can a needs-update entry,
 e.g. for neomagic, provoke errors like PR pending/5836 [0]?
 The PR in short:
   On i386 ThinkPad 600X (NeoMagic 256ZX NM2360) WindowMaker doesn't
   work since 2008.04.10 (or before too; that was my first test
   after the 4.3 RELEASE branch fork.)
   With 4.3 RELEASE it works.
   The very odd thing: cwm, fvwm, and icewm from ports work.
   All applications that I use work.
   WindowMaker didn't change since 2007.09.15.
 
 
 After the branch fork, in the xenocara/MODULES file neomagic has been
 updated two times:
 on 2008.03.19 from 1.1.1 to 1.2.0 and on 2008.05.21 to 1.2.1.
 In the xenocara/driver/xf86-video-neomagic/ directory 1.1.1 remained.
 The needs-update appeared with 1.2.0.
 Are they not in sync?
 Is this rated as a major update?
 
 Are the needs-update entries something like public todo lists?
 
 [0]: http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=5836
 Synopsis and Subject: wmaker on ThinkPad600X Fatal server error


Found these today: [1] [2]
On FreeBSD 7.0 X.org 7.3, ThinkPad600 Neomagic:
a WindowMaker and GNUstep application problem.
icewm works.

Very similar to what I see on OpenBSD.
I don't know if it helps.

[1] http://permalink.gmane.org/gmane.os.freebsd.questions/225666
[2] http://permalink.gmane.org/gmane.os.freebsd.questions/225665



neomagic and the needs-update entries

2008-07-12 Thread Charles Smith
Good afternoon!

In the xenocara/MODULES file, can a needs-update entry, e.g. for neomagic,
provoke errors like PR pending/5836 [0]?
The PR in short:
  On i386 ThinkPad 600X (NeoMagic 256ZX NM2360) WindowMaker doesn't work 
  since 2008.04.10 (or before too; that was my first test
  after the 4.3 RELEASE branch fork.)
  With 4.3 RELEASE it works.
  The very odd thing: cwm, fvwm, and icewm from ports work.
  All applications that I use work.
  WindowMaker didn't change since 2007.09.15.


After the branch fork, in the xenocara/MODULES file neomagic has been
updated two times:
on 2008.03.19 from 1.1.1 to 1.2.0 and on 2008.05.21 to 1.2.1.
In the xenocara/driver/xf86-video-neomagic/ directory 1.1.1 remained.
The needs-update appeared with 1.2.0.
Are they not in sync?
Is this rated as a major update?

Are the needs-update entries something like public todo lists?

[0]: http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=5836
Synopsis and Subject: wmaker on ThinkPad600X Fatal server error



yacc rebuild

2008-07-10 Thread Charles Smith
Good afternoon!

So, before the next make build I must rebuild yacc alone.
I would like to know how I can rebuild yacc.
I searched in old errata patches, Makefiles, bsd.*.mk files.
In my previous logfile (2008.07.07/src_make_build) I see that for
yacc, make cleandir is used:
rm -f yacc.cat1 ...
rm -f .depend ...tags

So is this correct?
cd usr.bin/yacc
make obj
make cleandir
make depend
make
make install

In general, how can I ascertain what kind of make phony targets I
must use?
I haven't read through the whole stuff (docs, all Makefiles, etc) yet,
so I would be glad of a link too.

Thank You!



CREA-PROMO.COM offers you the eMarketing study of your commercial site!

2008-02-05 Thread charles-henri
This e-mail is sent to you by www.crea-promo.com - If it does not display
correctly, click this link
http://www.crea-promo.com/lists/lt.php?id=MEoEUgZXB09XB00AVlxb


http://www.crea-promo.com/lists/lt.php?id=MEoEUgZXB09XB00AVlxb

 To recommend this message to a friend, click
http://www.crea-promo.com/lists/lt.php?id=MEoEUgZXBk9XB00AVlxb 

 In accordance with article 34 of law no. 78-17 of 6 January 1978
on data processing, files and civil liberties, you have a right of
access to and rectification of the personal data concerning you.
CNIL declaration no. 1260916

 If you no longer wish to receive e-mail from
www.crea-promo.com, click
http://www.crea-promo.com/lists/lt.php?id=MEoEUgZXCU9XB00AVlxb



--
Powered by PHPlist, www.phplist.com --



CREA-PROMO.COM offers you the eMarketing study of your commercial site!

2008-02-05 Thread charles-henri
This e-mail is sent to you by www.crea-promo.com - If it does not display
correctly, click this link
http://www.crea-promo.com/lists/lt.php?id=MEoEXwJRBU9XA00AVlxb


http://www.crea-promo.com/lists/lt.php?id=MEoEXwJRBU9XA00AVlxb

 To recommend this message to a friend, click
http://www.crea-promo.com/lists/lt.php?id=MEoEXwJRBE9XA00AVlxb 

 In accordance with article 34 of law no. 78-17 of 6 January 1978
on data processing, files and civil liberties, you have a right of
access to and rectification of the personal data concerning you.
CNIL declaration no. 1260916

 If you no longer wish to receive e-mail from
www.crea-promo.com, click
http://www.crea-promo.com/lists/lt.php?id=MEoEXwJRB09XA00AVlxb



--
Powered by PHPlist, www.phplist.com --



End of your subscription

2008-02-05 Thread Charles-Henri de crea-promo.com
   We are sorry to see you go.

   You are no longer part of our database.

   This is the last message you will receive from us.   We have added
you to our blacklist, which means that our system can no longer send
you any other e-mail without manual intervention by our administrator.

   If there is an error in this information, you can resubscribe:
   Please go to http://www.crea-promo.com/lists/?p=subscribe and follow
the steps.

   Thank you



Re: Strange line in the routing table after carp failover?

2007-12-13 Thread Charles Price
 yes,that is the result of games carp plays with routes (which it
 shouldn not, imo, but anyway). it should finally work as advertised in
 -current even with unnumbered carpdevs.


Hi Henning,

Updating to -current did the trick. Thanks very much.

What was the problem here?

Charlie



Re: Strange line in the routing table after carp failover?

2007-12-10 Thread Charles Price
I've been looking into this some more. Are there any issues with 
CARP/OpenBGPD when machines in the CARP group do not have an IP address of 
their own, i.e. they have only a shared CARP address?

I find that in this situation, when the CARP master fails the backup router 
correctly becomes master and re-establishes BGP sessions. However, the CARP 
shared IP address appears in the routing/arp table bound to the localhost 
interface. This creates a really nasty routing loop.

'route -n show -inet' gives this line:
Destination   Gateway            Flags  Refs  Use  Mtu  Interface
80.x.y.154    00:00:5e:00:01:01  UHLc   1     2    -    lo0

If I assign each router an IP address in addition to the CARP shared address, 
this problem does not appear.

Thanks,

Charlie



Re: Strange line in the routing table after carp failover?

2007-12-10 Thread Charles Price
 yes,that is the result of games carp plays with routes (which it
 shouldn not, imo, but anyway). it should finally work as advertised in
 -current even with unnumbered carpdevs.

Hi Henning,

Thanks for the quick response. I will update to -current tomorrow and let you 
know how I get on.

All the best,

Charlie



Strange line in the routing table after carp failover?

2007-11-15 Thread Charles Price
Hi,

I have a pair of routers running OpenBSD 4.2 release, each with four ethernet 
interfaces (fxp0, fxp1, fxp2, fxp3) and carp on all four interfaces. fxp0 and 
fxp1 are /30 networks over which I run BGP sessions to our upstream 
providers.

Router A is the primary machine with advskew 0 and Router B is the backup 
machine with advskew 50.

When I unplug an ethernet connection on Router A to simulate a failure, all of 
the carp interfaces become MASTER and the BGP sessions are re-established, as 
expected. However, I am experiencing some strange behaviour.

When the backup router is active, traffic destined for the Internet (through 
the BGP peers) doesn't reach its destination and ICMP TTL expired messages 
are received back from Router B. Looking at the routing table, the following 
line appears on Router B when it becomes carp MASTER:

Destination   Gateway            Flags  Refs  Use  Mtu  Interface
80.x.y.154    00:00:5e:00:01:01  UHLc   1     2    -    lo0

This entry does not appear on Router A when it is in operation (and routing 
traffic correctly). Could this interesting-looking route be something 
associated with the routing loop I'm seeing?

I appreciate that I may not have provided enough information for a correct 
diagnosis of the problem. I will be happy to provide more details on request.

Many Thanks,

Charlie



Re: OT: mail retrieval software

2007-08-01 Thread Charles Longeau
Hi,

 Grateful if anyone could recommend a mail retrieval program which does
 not require a local SMTP service like fetchmail does.

From the fetchmail man page :
   -m command | --mda command
  (Keyword: mda) You can force mail to be  passed  to
  an  MDA directly (rather than forwarded to port 25)
  with the --mda or -m option.

Best regards,

Charles Longeau



Re: gunzip changes lastmod time?

2007-04-19 Thread Charles Longeau
Hello,

2007/4/19, Frank Bax [EMAIL PROTECTED]:

 On an older box still running 3.5; gunzip/gzip does not change lastmod
 time; but on 4.0 [release] gunzip changes the lastmod time.  What's the
 reason for this change?


This was a bug and it has been fixed. For more info, please see :
http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=5417

Best regards,

Charles Longeau



Re: pf examples needed [solved]

2007-01-17 Thread Charles Farinella

Charles Farinella wrote:


On Tue, Jan 16, 2007 at 09:32:02AM -0500, Charles Farinella wrote:

I have an OpenBSD 3.9 machine with a public IP providing NAT and
firewalling for our internal network.  It has 3 interfaces:

dc0: public ip from internet X.X.X.25
dc1: 192.168.100.x to internal network.  This works well.
dc2: 192.168.200.x -- to Windows server.

I need to allow public access to the Windows server connected to dc2
(one port only).  Currently I have a private network address assigned
to dc2 and a public one (X.X.X.26) assigned to the machine connected
to it.


I have this working, thanks for the help.  :-)

=
# Network interfaces
external = dc0
internal = dc1
dmz = dc2

# Address ranges
int_add = 192.168.100.0/24
dmz_add = 192.168.200.0/24
ext_add = X.X.X.25

rdr pass log (all) on $external proto tcp from any to $external port 80 -> 192.168.200.122 port 80
rdr pass log (all) on $internal proto tcp from any to $external port 80 -> 192.168.200.122 port 80

==

I actually had it working and didn't realize it as I was accessing the 
server via dc1 and only had the dc0 rule set.  Martin Toft tipped me off 
when he pointed that out to me, and indeed checking from a machine 
outside of our network confirmed that.  Creating the internal redirect 
has solved my problem.


Thanks again.

--charlie


--

Charles Farinella
Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
[EMAIL PROTECTED]
voice: 603.924.6079   fax: 603.924.8668
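For the layout in this thread (public address on dc0, LAN on dc1, a single Windows server on dc2 that must be reachable on one port), here is a complete ruleset in the pf syntax of the 3.9 release the thread is about, where nat/rdr are separate from pass and the last matching rule wins unless it says "quick". It is an added example, not the original poster's ruleset and not taken from the OpenBSD FAQ: the interface names and addresses are the ones quoted above and X.X.X.25 stands for the real public address, while the <rfc1918> and <abusers> tables, the per-source connection limits and the rules that stop the DMZ host from opening connections into the LAN are assumptions of this example. They are there because a bare port forward leaves the server free to reach the inside network once it is compromised, which is the usual reason to put it on its own leg in the first place.

```pf
# /etc/pf.conf for the three-legged layout discussed in this thread,
# OpenBSD 3.9-era syntax. Added example, not the original poster's
# ruleset. Interface names and addresses are the ones quoted in the
# thread; X.X.X.25 stands for the real public address. The tables,
# the connection-rate limits and the DMZ isolation rules are
# assumptions of this example, not something the thread specified.

ext_if   = "dc0"
int_if   = "dc1"
dmz_if   = "dc2"

int_net  = "192.168.100.0/24"
dmz_net  = "192.168.200.0/24"
dmz_web  = "192.168.200.122"   # Windows server on dc2
web_port = "80"                # the single port exposed to the Internet

table <rfc1918> const { 10/8, 172.16/12, 192.168/16 }
table <abusers> persist        # filled by the overload rule below

set skip on lo0
scrub in all

# Outbound NAT. The DMZ host is included only so it can fetch its own
# updates; drop it from the list if the server never needs to go out.
nat on $ext_if from { $int_net, $dmz_net } to any -> ($ext_if)

# Port forward of the public address to the DMZ server. The second rdr,
# on the inside interface, is what lets LAN clients use the public
# address too; it is the rule the original poster found missing.
rdr on $ext_if proto tcp from any      to ($ext_if) port $web_port -> $dmz_web port $web_port
rdr on $int_if proto tcp from $int_net to ($ext_if) port $web_port -> $dmz_web port $web_port

# Default deny on every interface, logged, and no spoofed sources.
block log all
antispoof quick for { $ext_if, $int_if, $dmz_if }

# Nothing with a private source address belongs on the outside (dc0
# carries a public address), and hosts the overload rule has flagged
# are dropped outright; "flush global" below also kills their states.
block in quick on $ext_if from <rfc1918> to any
block in quick on $ext_if from <abusers> to any

# Internet -> DMZ: only the forwarded port, rate-limited per source.
# Filtering happens after translation, so the destination is $dmz_web.
pass in on $ext_if inet proto tcp from any to $dmz_web port $web_port \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <abusers> flush global)

# LAN: may reach the Internet and the DMZ web port, nothing else in the
# DMZ. The "quick" pass must come before the "quick" block.
pass  in quick on $int_if inet proto tcp from $int_net to $dmz_web port $web_port \
    flags S/SA keep state
block in log quick on $int_if inet from $int_net to $dmz_net
pass  in on $int_if inet from $int_net to any keep state

# DMZ: may go out to the Internet, may not start connections into any
# private network (that covers the LAN and the firewall's own inside
# addresses). Replies to forwarded connections still flow, because pf
# matches existing state before it evaluates rules. If the firewall
# serves DNS to the DMZ, add a "pass in quick ... port 53" before the
# block.
block in log quick on $dmz_if inet from $dmz_net to <rfc1918>
pass  in on $dmz_if inet from $dmz_net to any keep state

# Everything leaving any interface is allowed; the states that matter
# were created by the "pass in" rules above.
pass out keep state
```

Check it with `pfctl -nf /etc/pf.conf` first, which parses the file without loading it, then load with `pfctl -f /etc/pf.conf`. The block on <rfc1918> on dc0 assumes the far side of dc0 is a public network; on a private uplink it would have to go.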



pf examples needed

2007-01-16 Thread Charles Farinella

I have an OpenBSD 3.9 machine with a public IP providing NAT and
firewalling for our internal network.  It has 3 interfaces:

dc0: public ip from internet X.X.X.25
dc1: 192.168.100.x to internal network.  This works well.
dc2: 192.168.200.x -- to Windows server.

I need to allow public access to the Windows server connected to dc2
(one port only).  Currently I have a private network address assigned to
dc2 and a public one (X.X.X.26) assigned to the machine connected to it.

I need to know how to access the X.X.X.26 machine from the internet.  My
attempts at redirecting with pf rules haven't been successful so far,
and I'm not sure that's how I should be approaching it.

I've been playing with this for a few days, and am kind of lost, so any
advice, pointers to docs, examples, etc. would be very much appreciated.

thanks,

--charlie

--

Charles Farinella
Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
[EMAIL PROTECTED]
voice: 603.924.6079   fax: 603.924.8668



Re: pf examples needed

2007-01-16 Thread Charles Farinella

Thanks to all for the help.

Martin Toft wrote:

On Tue, Jan 16, 2007 at 09:32:02AM -0500, Charles Farinella wrote:

I have an OpenBSD 3.9 machine with a public IP providing NAT and
firewalling for our internal network.  It has 3 interfaces:

dc0: public ip from internet X.X.X.25
dc1: 192.168.100.x to internal network.  This works well.
dc2: 192.168.200.x -- to Windows server.

I need to allow public access to the Windows server connected to dc2
(one port only).  Currently I have a private network address assigned
to dc2 and a public one (X.X.X.26) assigned to the machine connected
to it.


You should put a private 192.168.200.x IP address on the Windows box,
not a global X.X.X.26 address. Afterwards, do a simple port forwarding
(redirection in pf language) at the OpenBSD box, e.g.


I currently have it set up like this:

dc0 = X.X.X.25
dc2 = 192.168.200.254
test_box = 192.168.25.123
services = { ssh, smtp, http, https }

I have the following in my pf.conf:
rdr pass on dc0 proto tcp from any to X.X.X.25 port 80 -> 192.168.25.122 port 80


If I ssh into the X.X.X.25 box I can access the test_box on port 80.  I 
cannot access X.X.X.25 port 80 however.


I've been using pfctl -f /etc/pf.conf to reload my rules.  I see no 
reference in my pflog to any attempts to access port 80 on X.X.X.25.




Remember to set up a default route on the Windows box (it should of
course use the OpenBSD box as its default route).


Routing tables

Internet:
Destination         Gateway             Flags  Refs  Use  Mtu    Interface
default             192.168.25.254      UGS    0     7    -      ne3
loopback            localhost.localnet  UGRS   0     0    33224  lo0
localhost.localnet  localhost.localnet  UH     0     9    33224  lo0
192.168.25/24       link#1              UC     0     0    -      ne3
192.168.25.254      00:18:f8:08:b4:27   UHLc   0     592  -      ne3
BASE-ADDRESS.MCAST  localhost.localnet  URS    0     0    33224  lo0

Is this correct?

Thanks again.

--charlie

--

Charles Farinella
Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
[EMAIL PROTECTED]
voice: 603.924.6079   fax: 603.924.8668



Re: pf examples needed

2007-01-16 Thread Charles Farinella

Charles Farinella wrote:

Thanks to all for the help.

Martin Toft wrote:

On Tue, Jan 16, 2007 at 09:32:02AM -0500, Charles Farinella wrote:

I have an OpenBSD 3.9 machine with a public IP providing NAT and
firewalling for our internal network.  It has 3 interfaces:

dc0: public ip from internet X.X.X.25
dc1: 192.168.100.x to internal network.  This works well.
dc2: 192.168.200.x -- to Windows server.

I need to allow public access to the Windows server connected to dc2
(one port only).  Currently I have a private network address assigned
to dc2 and a public one (X.X.X.26) assigned to the machine connected
to it.


You should put a private 192.168.200.x IP address on the Windows box,
not a global X.X.X.26 address. Afterwards, do a simple port forwarding
(redirection in pf language) at the OpenBSD box, e.g.


I currently have it set up like this:

dc0 = X.X.X.25
dc2 = 192.168.200.254
test_box = 192.168.25.123

oops, my error, sorry.  That should be 192.168.200.123

services = { ssh, smtp, http, https }

I have the following in my pf.conf:
rdr pass on dc0 proto tcp from any to X.X.X.25 port 80 -> 192.168.25.122 port 80


If I ssh into the X.X.X.25 box I can access the test_box on port 80.  I 
cannot access X.X.X.25 port 80 however.


I've been using pfctl -f /etc/pf.conf to reload my rules.  I see no 
reference in my pflog to any attempts to access port 80 on X.X.X.25.




Remember to set up a default route on the Windows box (it should of
course use the OpenBSD box as its default route).


Routing tables

Internet:
Destination         Gateway             Flags  Refs  Use  Mtu    Interface
default             192.168.25.254      UGS    0     7    -      ne3
loopback            localhost.localnet  UGRS   0     0    33224  lo0
localhost.localnet  localhost.localnet  UH     0     9    33224  lo0
192.168.25/24       link#1              UC     0     0    -      ne3
192.168.25.254      00:18:f8:08:b4:27   UHLc   0     592  -      ne3
BASE-ADDRESS.MCAST  localhost.localnet  URS    0     0    33224  lo0

Is this correct?

Thanks again.

--charlie




--

Charles Farinella
Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
[EMAIL PROTECTED]
voice: 603.924.6079   fax: 603.924.8668



More donations for hardware

2006-11-07 Thread Charles Dietlein

Good day misc@,

Seeing as how quickly kettenis@ received a second Blade 1k after the
donations request a few weeks back, I thought we should try it again.
Of personal interest to me are the following: GPS for timing
(mbalmer@), and GSM/GPRS (jolan@) & HSDPA/UMTS (fkr@) device support.

If anyone is interested in helping with one or more of these areas,
remember, it only takes a little money from a few people to buy
hardware.  Please contact me off-list regarding rough donation amount
and area of interest so I can see which one(s) of these we can take
off of want.html and get the developers the hardware they need.  After
a few days I'll reply to you and let you know what the consensus is,
and how/where to put your money so it's used for the correct purchase.
I have already selected devices in each of these categories and know
the approximate costs (75-200 EUR/USD ea. depending on category).
I'll chip in 50 EUR/USD to the categories which receive most interest.
Let's do it!

Best regards,
Charles



Re: Sun SMP Hardware [was RE: Version 4.0 release ]

2006-10-10 Thread Charles Dietlein

I've gotten a few replies with people interested in
parting with E450s, 250s, 280s, and 220s (I have an
Ultra 2 to throw onto the pile, for what it's worth).
So far, every reply has been, It's yours if you pay
to ship it.

If any devs would find any of these useful, or know of
a dev who would find them useful, please let me know.
I'm happy to get this rolling--either by myself or
with the help of others.


Count me in; I will help pay shipping as well.



Re: The future of NetBSD

2006-09-01 Thread Charles M. Hannum
On Fri, Sep 01, 2006 at 10:40:01AM -0700, Spruell, Darren-Perot wrote:
 Like, what docs does a vendor engineering division give to the developers
 who write the drivers internally? They don't give them bad docs. They give
 them functional, useful docs. Does it need to be stated that any project
 wanting to compose useful support for the same hardware shouldn't get the
 same level of docs?

Sorry, but that's the core fallacy in your argument.  In many cases, there
are no functional, useful docs.  They just don't exist.  Certainly this
is a problem in itself.



Re: The future of NetBSD

2006-09-01 Thread Charles M. Hannum
On Fri, Sep 01, 2006 at 01:08:13AM +0200, Matthias Kilian wrote:
 They don't have to write device drivers at all, they just should
 write good documentation.

Unfortunately, the documentation often isn't so hot either.  I'll
give you an example.  Even with both code and documentation from
Realtek, we still had to reverse engineer how some parts of the RTL8180
work.  And though it works now, our understanding is still incomplete.

It is far easier for a manufacturer to spew out a Windows driver
in-house, where they have direct access to the people who designed the
hardware, so this is what they do.  The Windows driver model is pretty
much designed around this approach.

What we really want is not just documentation, but support from their
engineers.  The Linux community is starting to get this in some places.



Re: The future of NetBSD

2006-09-01 Thread Charles M. Hannum
On Fri, Sep 01, 2006 at 12:16:59PM -0700, Spruell, Darren-Perot wrote:
 From: Charles M. Hannum [mailto:[EMAIL PROTECTED] 
  On Fri, Sep 01, 2006 at 10:40:01AM -0700, Spruell, Darren-Perot wrote:
   Like, what docs does a vendor engineering division give to the 
   developers who write the drivers internally? They don't give them bad 
   docs. They give them functional, useful docs. Does it need to be 
   stated that any project wanting to compose useful support for the same 
   hardware shouldn't get the same level of docs?
  
  Sorry, but that's the core fallacy in your argument.  In many 
  cases, there are no functional, useful docs.  They just 
  don't exist.  Certainly this is a problem in itself.
 
 Certainly it is. So why bother resorting to vendor-supplied drivers (OSS or
 blob) derived from originally piss-poor docs in the first place? If the docs
 are bad, then the results of those docs are derivatively worse as a result.

That's not actually true.  You're still using the fallacy that the
vendor driver is written based on the documentation -- but in fact there
are other inputs, like discussion with the hardware engineers.
Sometimes there are pieces you just can't get from the documentation,
because they're not there, but they are present in the driver.  In the
current climate, having both is almost always better than having only
one -- and certainly having the code is better than having nothing.

I'm not against harassing the hardware vendors to do better.



Re: The future of NetBSD

2006-08-31 Thread Charles M. Hannum
On Thu, Aug 31, 2006 at 12:01:07AM -0500, [EMAIL PROTECTED] wrote:
 A chicken running around sans head is quite active.
 Not really the same thing as productive.

What you don't see is that NetBSD is the chicken in your analogy.



Re: The future of NetBSD

2006-08-31 Thread Charles M. Hannum
On Thu, Aug 31, 2006 at 05:44:00PM +0200, Johnny Billquist wrote:
 Andy Ruhl wrote:
 On 8/31/06, Thorsten Glaser [EMAIL PROTECTED] wrote:
 
 BSD is about an operating system, not about a kernel.
 
 Bingo. Good point. This point is lost sometimes.
 
 I believe NetBSD has the proper philosophy in regards to the entire OS
 as well. I don't want apache built in, for instance.
 
 This is a silly definition (imho) which I first heard Stallman use, but 
 seems to be spreading.
 Every book on operating systems that I own, or have read, defines an 
 operating system as the kernel. Different applications, including even 
 shells, are not the operating system.
 
 But that's just my opinion, of course. But most of all, I don't see the 
 relevance of bringing the discussion down to a hair-splitting of what an 
 operating system is.

Actually, defining (poorly) the OS to include so much else has been a
liability for NetBSD in many ways.  It has massively slowed the adoption
of new software versions (e.g. GCC), for one.  It also contributed to
the perception that a better package system and automatic updates were
not a serious issue.



The future of NetBSD

2006-08-30 Thread Charles M. Hannum
 it is or
   is not acceptable to commit changes that do not change functionality;
   when multiple changed must be batched in one commit; etc.  Right now
   it is difficult to sort the wheat from the chaff.  In addition, there
   must be standards of review.

I must repeat a point I've made earlier.  The current management of
the project is not going to either fix the project's problems, or lead
the project to solutions.  They are going to maintain the status quo,
and nothing else.  If the project is to rise from its charred stump,
this management must be disbanded and replaced wholesale.  Anything
less is a non-solution.

--

To some of you, I would like to apologize.  There *are* NetBSD
developers doing good work even now.  I'd like to particularly recognize
and thank those working on kernel locking and UVM problems; wireless
support (though I'm not sure what happened to my extensive set of rtw
bug fixes); Bluetooth; G5; and improved ARM support.  This is all good
stuff.  In the bigger picture, though, the project needs to do a lot
more.

--
- Charles Hannum - past founder, developer, president and director of
  The NetBSD Project and The NetBSD Foundation; sole proprietor of The
  NetBSD Mission; proprietor of The NetBSD CD Project.

[I'm CCing this to FreeBSD and OpenBSD lists in order to share it with
the wider *BSD community, not to start a flame war.  I hope that people
reading it have the tact to be respectful of their peers, and consider
how some of these issues may apply to them as well.]



Re: newsyslog.conf help?

2006-08-18 Thread Charles Farinella
On Thu, 2006-08-17 at 20:54, Garance A Drosihn wrote:
 At 5:56 PM -0400 8/17/06, Charles Farinella wrote:
 Hi,
 
 All my logs rotate as expected except 1, my amavisd.log.
 My newsyslog.conf file follows and I have the amavisd.log
 set up the same as the rest of them.  I have no idea what's
 wrong, any suggestions?
 
 Try running newsyslog by hand, and include the '-v' option,
 so you get a more verbose output of what it thinks is going
 on.  That might be helpful.

It seems to be ignoring the log in question.

# newsyslog -v
/var/cron/log 3Z: size (KB): 6.04 [10] -- skipping
/var/log/authlog 7Z: age (hr): 39 [168] -- skipping
/var/log/daemon 5Z: size (KB): 15.18 [30] -- skipping
/var/log/maillog 7Z: age (hr): 23 [24] -- skipping
/var/log/messages 5Z: size (KB): 10.79 [30] -- skipping
/var/log/secure 7Z: age (hr): 5541 [168] -- skipping
/var/log/wtmp 7ZB: age (hr): 69 [168] -- skipping
/var/log/xferlog 7Z: size (KB): 0.00 [250] -- skipping
/var/amavisd/clamav/log/clamd.log 5Z: age (hr): 49 [168] -- skipping


-- 
Charles Farinella 
Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
[EMAIL PROTECTED]
603.924.6079



Re: newsyslog.conf help?

2006-08-18 Thread Charles Farinella
On Thu, 2006-08-17 at 18:35, Bryan Irvine wrote:
 can you post the output of syslogd -d?
 
 --Bryan
 
 
 On 17 Aug 2006 17:56:40 -0400, Charles Farinella
 [EMAIL PROTECTED] wrote:
  Hi,
 
  All my logs rotate as expected except 1, my amavisd.log.  My
  newsyslog.conf file follows and I have the amavisd.log set up the same
  as the rest of them.  I have no idea what's wrong, any suggestions?
 
  thanks,
 
  -- #
  # configuration file for newsyslog
  #
  # logfile_name                      owner:group         mode count size  when  flags
  /var/cron/log                       root:wheel          600  3     10    *     Z
  /var/log/aculog                     uucp:dialer         660  7     *     24    Z
  /var/log/authlog                    root:wheel          640  7     *     168   Z
  /var/log/daemon                                         640  5     30    *     Z
  /var/log/lpd-errs                                       640  7     10    *     Z
  /var/log/maillog                                        600  7     *     24    Z
  /var/log/messages                                       644  5     30    *     Z
  /var/log/secure                                         600  7     *     168   Z
  /var/log/wtmp                                           644  7     *     168   ZB
  /var/log/xferlog                                        640  7     250   *     Z
  /var/log/ppp.log                                        640  7     250   *     Z
  /var/log/pflog                                          600  3     250   *     ZB /var/run/pflogd.pid
  /var/amavisd/logs/amavisd.log       _amavisd:_amavisd   644  5     *     24    Z
  /var/amavisd/clamav/log/clamd.log   _amavisd:_amavisd   644  5     *     168   Z

# syslogd -d
syslogd: bind: Address already in use
syslogd: bind: Address already in use
syslogd: connect: Socket is already connected
syslogd: connect: Socket is already connected
can't open /dev/klog (16)
off  running
init
[priv]: msg PRIV_CONFIG_MODIFIED received
[priv]: msg PRIV_OPEN_CONFIG received
cfline(*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none
/var/log/messages, f, *)
[priv]: msg PRIV_OPEN_LOG received
cfline(kern.debug;syslog,user.info
/var/log/messages, f, *)
cfline(auth.info  
/var/log/authlog, f, *)
[priv]: msg PRIV_OPEN_LOG received
cfline(authpriv.debug 
/var/log/secure, f, *)
[priv]: msg PRIV_OPEN_LOG received
cfline(cron.info  
/var/cron/log, f, *)
[priv]: msg PRIV_OPEN_LOG received
cfline(daemon.info
/var/log/daemon, f, *)
[priv]: msg PRIV_OPEN_LOG received
cfline(ftp.info   
/var/log/xferlog, f, *)
[priv]: msg PRIV_OPEN_LOG received
cfline(lpr.debug  
/var/log/lpd-errs, f, *)
[priv]: msg PRIV_OPEN_LOG received
syslogd: priv_open_log failed
syslogd: /var/log/lpd-errs: No such file or directory
syslogd: /var/log/lpd-errs: No such file or directory
cfline(mail.info  
/var/log/maillog, f, *)
[priv]: msg PRIV_OPEN_LOG received
cfline(*.emerg *, f,
*)
7 6 X 5 X 6 X 5 5 X X X 5 5 5 5 5 5 5 5 5 5 5 5 X FILE:
/var/log/messages
X X X X 6 X X X X X X X X X X X X X X X X X X X X FILE: /var/log/authlog
X X X X X X X X X X 7 X X X X X X X X X X X X X X FILE: /var/log/secure
X X X X X X X X X 6 X X X X X X X X X X X X X X X FILE: /var/cron/log
X X X 6 X X X X X X X X X X X X X X X X X X X X X FILE: /var/log/daemon
X X X X X X X X X X X 6 X X X X X X X X X X X X X FILE: /var/log/xferlog
X X X X X X 7 X X X X X X X X X X X X X X X X X X UNUSED:
X X 6 X X X X X X X X X X X X X X X X X X X X X X FILE: /var/log/maillog
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 X WALL:
logmsg: pri 056, flags 0x4, from mail, msg syslogd: restart
Logging to FILE /var/log/messages
syslogd: restarted
[priv]: msg PRIV_DONE_CONFIG_PARSE received


-- 
Charles Farinella 
Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
[EMAIL PROTECTED]
603.924.6079



newsyslog.conf help?

2006-08-17 Thread Charles Farinella
Hi,

All my logs rotate as expected except 1, my amavisd.log.  My
newsyslog.conf file follows and I have the amavisd.log set up the same
as the rest of them.  I have no idea what's wrong, any suggestions?

thanks,

-- #
# configuration file for newsyslog
#
# logfile_name                      owner:group         mode count size  when  flags
/var/cron/log                       root:wheel          600  3     10    *     Z
/var/log/aculog                     uucp:dialer         660  7     *     24    Z
/var/log/authlog                    root:wheel          640  7     *     168   Z
/var/log/daemon                                         640  5     30    *     Z
/var/log/lpd-errs                                       640  7     10    *     Z
/var/log/maillog                                        600  7     *     24    Z
/var/log/messages                                       644  5     30    *     Z
/var/log/secure                                         600  7     *     168   Z
/var/log/wtmp                                           644  7     *     168   ZB
/var/log/xferlog                                        640  7     250   *     Z
/var/log/ppp.log                                        640  7     250   *     Z
/var/log/pflog                                          600  3     250   *     ZB /var/run/pflogd.pid
/var/amavisd/logs/amavisd.log       _amavisd:_amavisd   644  5     *     24    Z
/var/amavisd/clamav/log/clamd.log   _amavisd:_amavisd   644  5     *     168   Z


Charles Farinella 
Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
[EMAIL PROTECTED]
603.924.6079
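As an added example (not code from the thread and not OpenBSD's own newsyslog source), here is a small Python parser for entries in the layout quoted above that applies the size and age checks the way the `newsyslog -v` output earlier in the thread reports them. The sample config and the per-file sizes/ages are constructed; the `rotating` wording, the error report for a truncated entry and the handling of a missing file are this example's own choices, and the calendar forms of the `when` field are not modelled.

```python
"""Parse newsyslog.conf entries and evaluate rotation triggers in the style
of `newsyslog -v`.  Added example, not OpenBSD's newsyslog: field order
follows the config quoted in the thread, the size/age checks are modelled on
the -v output shown earlier, and all sample data below is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

MODE_RE = re.compile(r"^[0-7]{3,4}$")


@dataclass
class Entry:
    path: str
    owner: Optional[str]
    group: Optional[str]
    mode: int
    count: int
    size_kb: Optional[int]   # None means '*' (no size trigger)
    when_hr: Optional[int]   # None means '*' or a calendar form not modelled here
    flags: str
    pidfile: Optional[str]


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry, or None for blank/comment lines.  A line missing the
    mode/count/size/when/flags fields raises ValueError instead of being
    silently dropped, so a truncated or line-wrapped entry is noticed."""
    text = line.split("#", 1)[0].strip()
    if not text:
        return None
    fields = text.split()
    path, rest = fields[0], fields[1:]
    owner = group = None
    if rest and ":" in rest[0]:          # optional owner:group column
        owner, _, group = rest.pop(0).partition(":")
        owner, group = owner or None, group or None
    if len(rest) < 5:
        raise ValueError(f"{path}: expected mode count size when flags, got {text!r}")
    mode, count, size, when, flags = rest[:5]
    if not MODE_RE.match(mode) or not count.isdigit():
        raise ValueError(f"{path}: bad mode/count {mode!r} {count!r}")
    return Entry(path, owner, group, int(mode, 8), int(count),
                 None if size == "*" else int(size),
                 int(when) if when.isdigit() else None,
                 "" if flags == "-" else flags,
                 rest[5] if len(rest) > 5 else None)


def evaluate(entry: Entry, size_kb: float, age_hr: int) -> tuple[bool, str]:
    """Rotate when the log exceeds the configured size or age (either trigger
    suffices).  Returns the decision and a -v style report line."""
    checks, rotate = [], False
    if entry.size_kb is not None:
        checks.append(f"size (KB): {size_kb:.2f} [{entry.size_kb}]")
        rotate = rotate or size_kb >= entry.size_kb
    if entry.when_hr is not None:
        checks.append(f"age (hr): {age_hr} [{entry.when_hr}]")
        rotate = rotate or age_hr >= entry.when_hr
    verdict = "rotating" if rotate else "skipping"
    return rotate, f"{entry.path} {entry.count}{entry.flags}: {' '.join(checks)} -- {verdict}"


def run_report(conf: str, state: dict[str, tuple[float, int]]) -> list[tuple[str, Optional[bool], str]]:
    """Walk a config and return (path, decision, message) per entry; decision
    is None for an entry that failed to parse or has no size/age state."""
    out = []
    for line in conf.splitlines():
        try:
            entry = parse_line(line)
        except ValueError as err:
            out.append((line.split()[0], None, f"ERROR: {err}"))
            continue
        if entry is None:
            continue
        if entry.path not in state:
            out.append((entry.path, None, f"{entry.path}: no such file"))
            continue
        rotate, msg = evaluate(entry, *state[entry.path])
        out.append((entry.path, rotate, msg))
    return out


# Constructed sample in the layout of the thread's newsyslog.conf; the last
# entry is deliberately truncated to show the validation error.
SAMPLE_CONF = """\
# logfile_name                  owner:group        mode count size when flags
/var/cron/log                   root:wheel         600  3     10   *    Z
/var/log/authlog                root:wheel         640  7     *    168  Z
/var/log/maillog                                   600  7     *    24   Z
/var/log/pflog                                     600  3     250  *    ZB /var/run/pflogd.pid
/var/amavisd/logs/amavisd.log   _amavisd:_amavisd  644  5     *    24   Z
/var/log/ppp.log                                   640  7     250
"""

# Constructed (size in KB, age in hours) for each sample log.
SAMPLE_STATE = {
    "/var/cron/log": (6.04, 3),
    "/var/log/authlog": (120.0, 39),
    "/var/log/maillog": (512.0, 25),
    "/var/log/pflog": (300.0, 1),
    "/var/amavisd/logs/amavisd.log": (40.0, 30),
}

if __name__ == "__main__":
    for _, _, msg in run_report(SAMPLE_CONF, SAMPLE_STATE):
        print(msg)
```

Running it prints one line per entry in the `-- skipping` / `-- rotating` shape of the `-v` output above, and an `ERROR:` line for the truncated entry, which is the check worth having when an entry is unexpectedly ignored: a line the parser cannot account for should be reported, not passed over.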



Kernel panic

2006-08-16 Thread Charles Farinella
We have a G3 mac here running mail/dns and this morning it died.  I had
to reboot it, so I wasn't able to run trace or ps.  Any clues as to what
may have happened?  I don't see anything in my logs.

from dmesg:
===
kern dsi on addr 3c200068 iar 304430
panic: trap type 300 at 304430 (uvm_unmap_remove+0x1c4) lr 304500
Stopped at  Debugger+0x10:  lwz\M-hX=8\M-hX\M^X r0,20(r1)
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS
PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
[ using 323864 bytes of bsd ELF symbol table ]
console out [ATY,Rage128y]console in [keyboard] USB and ADB found, using
USB
: memaddr 8400 size 400, : consaddr 8400, : ioaddr 8092,
size 2: memtag 8000, iotag 8000: width 640 linebytes 640 height 480
depth 8
===



-- 
Charles Farinella 
Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
[EMAIL PROTECTED]
603.924.6079



ClamAV compile fails

2006-07-24 Thread Charles Farinella
Hi,

I have an OpenBSD 3.8 mail server running Postfix, amavisd-new,
SpamAssassin and ClamAV.  

ClamAV was installed via ports (I think) and is version .88.  I am
trying to upgrade it to version .88.3.  I cannot get it to build from
source code.  I found what I thought to be exactly my problem at
flakshak.com:

===
1.1 ClamAV 0.88.3 Compilation Issues on OpenBSD 3.9

ClamAV fails to compile from the source code [snip].

In order to fix this, you must edit the Configure script (before running
./configure) and find the OpenBSD section.

Open up configure with your favorite editor, and search for openbsd* and
find a line that looks like LIBCLAMAV_LIBS=$LIBCLAMAV_LIBS -pthread

Replace all -pthread with -lpthread and Viola!
===

I did this but still get this result from 'make':
===
gcc -g -O2 -o .libs/clamd output.o cfgparser.o getopt.o memory.o misc.o
options.o clamd.o tcpserver.o localserver.o session.o thrmgr.o
server-th.o scanner.o others.o clamuko.o dazukoio_compat12.o dazukoio.o 
-L../libclamav/.libs -lclamav -lz -lpthread -lc_r
-Wl,-rpath,/usr/local/lib
ld: cannot find -lc_r
*** Error code 1

Stop in /usr/src/clamav-0.88.3/clamd (line 326 of Makefile).
*** Error code 1

Stop in /usr/src/clamav-0.88.3 (line 374 of Makefile).
*** Error code 1

Stop in /usr/src/clamav-0.88.3 (line 233 of Makefile).
===

I'm going to have to update this on a regular basis and need to figure
out how to do it so I'm looking for some pointers, please.

thanks,

--charlie

-- 
Charles Farinella 
Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
[EMAIL PROTECTED]
603.924.6079



Re: wi: ifconfig txpower wrong for non 100mW wireless cards?

2006-06-14 Thread Charles Dietlein

EE/RF pedant here (there had to be one, right?).


However, I doubt that e.g. subtracting 3dBm is sufficient, say


Without going into detail, it needs to be said that dB is a relative
measurement while dBm is absolute.  Thus, one would state that 3 dB is
subtracted from X dBm in order to represent half power (which is what
you were getting at with the 200 - 100 mW issue).

Simple example:  15 dBm = 31.623 mW, 12 dBm = 15.829 mW (indeed, 3 dB
down is half power on a linear scale).  3 dBm, however is 1.995 mW.
Subtracting 3 dBm from 15 dBm would then give you 14.72 dBm (29.628
mW).  Not obvious?  Yes.  Important?  Definitely.


While I'm at it an OT(?) question:
Does somebody know how to _simply_ (using a multimeter or an old
20MHz scope) measure the power output of a wireless NIC? Just a rough
(+-10mW) estimate would suffice. The antennae are external so I have
access to the SMA. Then I could measure the mapping myself.


To simply answer, no.  You cannot absolutely measure transmitted RF
power without a calibrated receiver of some sort (e.g. a commercial RF
power meter... see Agilent), two antennas with known directivity
patterns and known efficiencies, and/or a 2D motorized az/el stage
such that you can easily rotate one of the two antennas and integrate
the received power.

If you have, however, two known antennas with known gains (say,
Hyperlink patch antennas), and you know - or can estimate - the
insertion loss in the cables and coax connectors, and a second
wireless NIC with software you believe is giving you approximate
values of received power, you can use the Friis equation to find the
transmitted power.  This will put you within 10 dBm/mW easily.

http://en.wikipedia.org/wiki/Friis_Transmission_Equation

Any other questions related to this I can answer off-list.

Cheers,
Charles
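The dB-versus-dBm point and the Friis estimate, worked through in Python as an added example (not code from the post). The antenna gains, cable loss, distance and frequency in the usage scenario are constructed sample values.

```python
"""dB (relative) vs dBm (absolute) arithmetic and the Friis link budget.
Added worked example, not from the post; the gains, cable loss, distance
and frequency used in the scenario at the bottom are constructed values."""
import math

C = 299_792_458.0  # speed of light, m/s


def dbm_to_mw(dbm: float) -> float:
    return 10 ** (dbm / 10)


def mw_to_dbm(mw: float) -> float:
    return 10 * math.log10(mw)


def apply_db(level_dbm: float, gain_db: float) -> float:
    """Relative change: a ratio in dB adds to an absolute dBm level, so
    15 dBm - 3 dB = 12 dBm, i.e. half the power."""
    return level_dbm + gain_db


def subtract_dbm(level_dbm: float, other_dbm: float) -> float:
    """Two absolute powers can only be subtracted in the linear domain:
    15 dBm minus 3 dBm is 31.62 mW - 2.00 mW = 29.63 mW = 14.72 dBm, not 12 dBm."""
    return mw_to_dbm(dbm_to_mw(level_dbm) - dbm_to_mw(other_dbm))


def free_space_path_loss_db(distance_m: float, freq_hz: float) -> float:
    """Free-space loss 20*log10(4*pi*d/lambda), valid for d much larger than lambda."""
    wavelength = C / freq_hz
    return 20 * math.log10(4 * math.pi * distance_m / wavelength)


def friis_rx_dbm(tx_dbm, gt_dbi, gr_dbi, distance_m, freq_hz, loss_db=0.0):
    """Received power = Pt + Gt + Gr - FSPL - cable/connector losses (dB terms)."""
    return tx_dbm + gt_dbi + gr_dbi - free_space_path_loss_db(distance_m, freq_hz) - loss_db


def friis_tx_dbm(rx_dbm, gt_dbi, gr_dbi, distance_m, freq_hz, loss_db=0.0):
    """Invert the budget: estimate transmit power from a measured receive level
    when both antenna gains and the insertion losses are known."""
    return rx_dbm - gt_dbi - gr_dbi + free_space_path_loss_db(distance_m, freq_hz) + loss_db


if __name__ == "__main__":
    # Constructed scenario: two 8 dBi patch antennas 10 m apart on 2.437 GHz
    # (802.11 channel 6) with 2 dB of cable and connector loss.
    rx = friis_rx_dbm(15.0, 8.0, 8.0, 10.0, 2.437e9, loss_db=2.0)
    est = friis_tx_dbm(rx, 8.0, 8.0, 10.0, 2.437e9, loss_db=2.0)
    print(f"15 dBm - 3 dB = {apply_db(15, -3):.2f} dBm; "
          f"15 dBm - 3 dBm (linear) = {subtract_dbm(15, 3):.2f} dBm")
    print(f"received {rx:.2f} dBm -> estimated transmit power {est:.2f} dBm")
```

The estimate is only as good as the gain and loss figures fed in, which is why the post puts the error budget at around 10 dB rather than the few tenths of a dB the formula itself implies.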



Re: kernel debugging when booted off install cd

2006-02-05 Thread Charles Sprickman

On Sun, 5 Feb 2006, Nick Holland wrote:


Charles Sprickman wrote:

Hello all,

I'm still not able to get OpenBSD 3.4-3.8 loaded on my old firewall box. 
It either freezes or panics when probing (or creating?) rd0, which I 
assume is the ramdisk used in the install.  It runs 3.3 fine.


So rather than just asking some random questions, I'd like to know how to 
save a dump when booting off of the install CD.  I do have a serial console 
available (set tty com0).  If getting a dump isn't possible, I'd then like 
to know how to get into the kernel debugger.


I figure that I can gather information that's more helpful this way.


You aren't going to get nor save a dump when booting off the install CD. 
You really don't want a panicked kernel writing to your good data disks, do 
you?


In this case, I don't mind.  I've got another box in its place so I'm 
prepared to do anything I need to do to get this running a current version 
of OBSD.


The install kernels don't have all the bells and whistles of the production 
kernel, that's how they fit on floppies and such.


Got it, so there's absolutely no way to dump to a disk?  It looks like it 
tries to...  I also don't have another box handy to build a custom 3.8 
kernel on.  And I also wonder if a non-rd kernel would panic, as the panic 
happens as it tries to deal with the ramdisk...


Use your serial cable to capture the output of the boot process.  THAT will 
tell us much more about your hardware.


I've got a thread here:

http://marc.theaimsgroup.com/?t=11366659953r=1w=2

I reposted since I just wanted to get the basics on getting a dump in 
OBSD.  I figured once I had that, I could actually file a PR or something.


A completely Wild A..ed Guess, based on the symptoms, you may have way too 
little RAM for the newer kernels (16M will get you running still, but 32M is 
a practical minimum) and floating point emulation broke after 3.3 on i386 
(translation: no more 486sx or 80386 w/o 80387 support).  If I were to bet, 
I'd say you probably have no FPU on your machine.


It's old, but not that old.  I've got 128MB of RAM.  Processor is an AMD 
K6-2/500 clocked down to 300.  VIA chipset.  I've had memtest86+ go 
through about a dozen runs with no errors.  3.3 works flawlessly.


Not sure where to go from here...

Thanks,

Charles


Nick.




Re: kernel debugging when booted off install cd

2006-02-04 Thread Charles Sprickman

On Fri, 3 Feb 2006, Rogier Krieger wrote:


On 2/3/06, Charles Sprickman [EMAIL PROTECTED] wrote:

It either freezes or panics when probing (or creating?) rd0, which I
assume is the ramdisk used in the install.  It runs 3.3 fine.


Perhaps you need to look at the FAQ if you're running i386:
upgrading/reinstalling OpenBSD/i386 using bsd.rd-a.out [1].


Excellent, I did not know how to boot an ELF kernel from the a.out 
bootloader.



If that doesn't solve your problem, a dmesg would be your best bet.
Information from a panic (trace/ps, obtained through the debugger you
get dropped into) would also be helpful. Since you mentioned you have
a serial console available, I recommend using it to file a report.


OK, so I grabbed the 3.5 bsd.rd-a.out and I get the same results.  Instant 
panic, and then a reboot.


dump to 1001
dump error 19

How can I go about getting it to crash into the debugger?

Thanks,

Charles


Upon freezes, I usually try to boot into the UKC to set the verbose
option. Typically, this gave me a hint in devices to disable. As a
sidenote: my own usual culprit is the ahc(4) driver. That said, this
only happens with two machines, each having an nVidia nForce2 chipset.
Given that you mentioned rd0 as a problem point, I doubt you are
having the same underlying problem.

Cheers,

Rogier


References:
1. OpenBSD FAQ - Upgrading/reinstalling OpenBSD/i386 using bsd.rd-a.out
http://www.openbsd.org/faq/faq4.html#bsdrdaout

--
If you don't know where you're going, any road will get you there.




kernel debugging when booted off install cd

2006-02-02 Thread Charles Sprickman

Hello all,

I'm still not able to get OpenBSD 3.4-3.8 loaded on my old firewall box. 
It either freezes or panics when probing (or creating?) rd0, which I 
assume is the ramdisk used in the install.  It runs 3.3 fine.


So rather than just asking some random questions, I'd like to know how to 
save a dump when booting off of the install CD.  I do have a serial 
console available (set tty com0).  If getting a dump isn't possible, I'd 
then like to know how to get into the kernel debugger.


I figure that I can gather information that's more helpful this way.

Thanks,

Charles



Re: 3.8 panic on boot (rd0)

2006-01-20 Thread Charles Sprickman
Leaving the history intact, following up below.  An offlist reply 
suggested trying a more recent snapshot of -current.  It also panicked in 
the same place.


On Sat, 7 Jan 2006, Kenneth R Westerback wrote:


On Sat, Jan 07, 2006 at 03:23:15PM -0500, Charles Sprickman wrote:

Hello all,

I have an older i386 pc that I've been using as my home firewall for some
years now.  It currently runs 3.3 and I was hoping to do an upgrade, so I
did go ahead and buy the full CD set (impressive packaging, btw) after
having trouble with boot floppies (marginal drive) and the boot CD ISO.

However, the kernel panics every time I try and boot the 3.8 CD.  I've
also tried 3.7, 3.6 and 3.5 boot CDs that I downloaded from the OpenBSD
ftp server.  Hardware seems fine; I ran memtest86+ for a day and it did
about 30 passes with no errors, I tried different CD-ROM drives, different
IDE cables, removed all network cards, etc., but still it panics in the
same place (right after rd0: fixed, 3800 blocks).  CPU is an AMD
K6-2-500 clocked down to 300 - temperature is fine (about 110F), mainboard
is an old Epox.

On the suggestion of a bsdforums.org user, I tried downloading bsd.rd and
booting that from the 3.3 install, and that failed.  I'm guessing it has
something to do with the exec format changing; perhaps the old loader
doesn't understand the new kernel exec format?

rebooting...
boot /bsd.rd
booting hd0a:/bsd.rd:  failed(79). will try /obsd
boot ls bsd.rd
-rwxr-xr-x 0,0  4658297 hd0a:bsd.rd
boot ls obsd
-rwxr-xr-x 0,0  2487309 hd0a:obsd
boot

...snip...

gw# cd /
gw# file bsd.rd
bsd.rd: ELF 32-bit LSB executable, Intel 80386, version 1, statically
linked, not stripped
gw# file obsd
obsd: OpenBSD/i386 demand paged executable not stripped
gw#

I have this thing hooked up via serial now, so if someone can point me in
the right direction (how to get a dump when booting from CD, how to look
at that dump, etc.), I will gladly do so.  I have also included the 3.3
dmesg below.

Thanks,

Charles

_


I'd suggest trying a 3.8 snapshot as well, to make sure it hasn't
already been fixed in -current.


I grabbed a snapshot from 1/19 today and burned the mini cd boot iso.

Same thing.  Where do I go from here to troubleshoot this?  It does panic, but 
I'm not sure how to get a dump when booting off of cd.


Thanks,

Charles

latest boot messages follow, then the older boot messages from 3.8 are still 
intact below.


boot
booting cd0a:/3.9/i386/bsd.rd: 4429460+740764 [52+154592+141324]=0x5369c4
entry point at 0x100120

Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2006 OpenBSD. All rights reserved. http://www.OpenBSD.org

OpenBSD 3.9-beta (RAMDISK_CD) #1001: Thu Jan 19 12:49:57 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK_CD
cpu0: AMD-K6(tm) 3D processor (AuthenticAMD 586-class) 301 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,PGE,MMX
real mem  = 133799936 (130664K)
avail mem = 116531200 (113800K)
using 1658 buffers containing 6791168 bytes (6632K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(ee) BIOS, date 01/03/00, BIOS32 rev. 0 @ 0xfb390
apm0 at bios0: Power Management spec V1.2
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xb80c
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdde0/128 (6 entries)
pcibios0: PCI Exclusive IRQs: 5 10 11
pcibios0: PCI Interrupt Router at 000:07:0 (VIA VT82C586 ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x2000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 VIA VT82C598 PCI rev 0x04
ppb0 at pci0 dev 1 function 0 VIA VT82C598 AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 ATI Rage Pro rev 0x5c
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 VIA VT82C586 ISA rev 0x47
pciide0 at pci0 dev 7 function 1 VIA VT82C571 IDE rev 0x06: ATA33, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: Maxtor 72004 AP
wd0: 32-sector PIO, LBA, 1916MB, 3924360 sectors
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SAMSUNG, CD-ROM SC-148F, F007 SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 7 function 2 VIA VT83C572 USB rev 0x02: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
VIA VT82C586 Power rev 0x10 at pci0 dev 7 function 3 not configured
sis0 at pci0 dev 17 function 0 NS DP83815 10/100 rev 0x00, DP83816A: irq 10, address 00:09:5b:22:4a:ee
nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
xl0 at pci0 dev 18 function 0 3Com 3c900 10Base-T rev 0x00: irq 5, address 00:a0:24:ce:11:02
isa0 at pcib0



trouble with ports

2006-01-16 Thread Charles Farinella
I have continual trouble installing from ports.  I am under the
impression that I cd to the proper directory in my ports tree, type make
install and the package should install.

In more than 50% of the cases in which I attempt this, it appears to
download and build the package, but towards the end of the process I get
failures 'Error code 1' mostly.  Here is the latest of them for
BerkeleyDB:

===
===  Building package for db-3.1.17p4
Unknown element: @pkgpath databases/db/v3,no_tcl
===  Cleaning for db-3.1.17p4
rm -f /usr/ports/packages/powerpc/all/db-3.1.17p4.tgz
*** Error code 1

Stop in /usr/ports/databases/db/v3 (line 2051 of
/usr/ports/infrastructure/mk/bsd.port.mk).
*** Error code 1

Stop in /usr/ports/databases/db/v3 (line 1274 of
/usr/ports/infrastructure/mk/bsd.port.mk).
*** Error code 1

Stop in /usr/ports/databases/db (line 108 of
/usr/ports/infrastructure/mk/bsd.port.subdir.mk).


I can't help but feel that I am missing something fundamental, perhaps
these messages will be meaningful to those with more experience than I.

This is OpenBSD 3.8 installed on a G3 Mac.

thanks,

--charlie

-- 
Charles Farinella 
Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
[EMAIL PROTECTED]
603.924.6079



3.8 panic on boot (rd0)

2006-01-07 Thread Charles Sprickman

Hello all,

I have an older i386 pc that I've been using as my home firewall for some 
years now.  It currently runs 3.3 and I was hoping to do an upgrade, so I 
did go ahead and buy the full CD set (impressive packaging, btw) after 
having trouble with boot floppies (marginal drive) and the boot CD ISO.


However, the kernel panics every time I try and boot the 3.8 CD.  I've 
also tried 3.7, 3.6 and 3.5 boot CDs that I downloaded from the OpenBSD 
ftp server.  Hardware seems fine; I ran memtest86+ for a day and it did 
about 30 passes with no errors, I tried different CD-ROM drives, different 
IDE cables, removed all network cards, etc., but still it panics in the 
same place (right after rd0: fixed, 3800 blocks).  CPU is an AMD 
K6-2-500 clocked down to 300 - temperature is fine (about 110F), mainboard 
is an old Epox.


On the suggestion of a bsdforums.org user, I tried downloading bsd.rd and 
booting that from the 3.3 install, and that failed.  I'm guessing it has 
something to do with the exec format changing; perhaps the old loader 
doesn't understand the new kernel exec format?


rebooting...
boot /bsd.rd
booting hd0a:/bsd.rd:  failed(79). will try /obsd
boot ls bsd.rd
-rwxr-xr-x 0,0  4658297 hd0a:bsd.rd
boot ls obsd
-rwxr-xr-x 0,0  2487309 hd0a:obsd
boot

...snip...

gw# cd /
gw# file bsd.rd
bsd.rd: ELF 32-bit LSB executable, Intel 80386, version 1, statically 
linked, not stripped

gw# file obsd
obsd: OpenBSD/i386 demand paged executable not stripped
gw#

I have this thing hooked up via serial now, so if someone can point me in 
the right direction (how to get a dump when booting from CD, how to look 
at that dump, etc.), I will gladly do so.  I have also included the 3.3 
dmesg below.


Thanks,

Charles

_

Here is the partial boot message booting 3.8:

 OpenBSD/i386 CDBOOT 1.04
boot
booting cd0a:/3.8/i386/bsd.rd: 4369156+828044 [52+151072+137381]=0x53b600
entry point at 0x100120

Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2005 OpenBSD. All rights reserved. http://www.OpenBSD.org

OpenBSD 3.8 (RAMDISK_CD) #794: Sat Sep 10 15:58:32 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK_CD
cpu0: AMD-K6(tm) 3D processor (AuthenticAMD 586-class) 301 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,PGE,MMX
real mem  = 133799936 (130664K)
avail mem = 116502528 (113772K)
using 1658 buffers containing 6791168 bytes (6632K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(ee) BIOS, date 01/03/00, BIOS32 rev. 0 @ 0xfb390
apm0 at bios0: Power Management spec V1.2
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xb80c
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdde0/128 (6 entries)
pcibios0: PCI Exclusive IRQs: 5 10 11
pcibios0: PCI Interrupt Router at 000:07:0 (VIA VT82C586 ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x2000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 VIA VT82C598 PCI rev 0x04
ppb0 at pci0 dev 1 function 0 VIA VT82C598 AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 ATI Rage Pro rev 0x5c
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 VIA VT82C586 ISA rev 0x47
pciide0 at pci0 dev 7 function 1 VIA VT82C571 IDE rev 0x06: ATA33, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: Maxtor 72004 AP
wd0: 32-sector PIO, LBA, 1916MB, 3924360 sectors
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SAMSUNG, CD-ROM SC-148F, F007 SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 7 function 2 VIA VT83C572 USB rev 0x02: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
VIA VT82C586 Power rev 0x10 at pci0 dev 7 function 3 not configured
sis0 at pci0 dev 17 function 0 NS DP83815 10/100 rev 0x00: DP83816A, irq 10, address 00:09:5b:22:4a:ee
nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
xl0 at pci0 dev 18 function 0 3Com 3c900 10Base-T rev 0x00: irq 5, address 00:a0:24:ce:11:02
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
biomask fbc5 netmask ffe5 ttymask ffe7
rd0: fixed, 3800 blocks
fatal page fault in supervisor mode
trap type 6 code 2 eip d02b9015 cs 50 eflags 10002 cr2 1ffec1c6 cpl a0
panic: trap type 6, code=2, pc=d02b9015
syncing disks



Re: Macppc G3 Powerbook - Install Fails

2005-11-17 Thread Charles Farinella
On Tue, 2005-11-15 at 20:49, Roy Morris wrote:
 Martin Reindl wrote:
 
 How should the hardware know that it should boot from CD? Press 'C' or
 switch-appel-o-f to get into OF and boot from there as described in the docs.

 Thanks we have tried all the examples in the docs. We get to the
 ofw prompt and have tried
 
 boot cd:,ofwboot /3.8/macppc/bsd.rd
 and putting the two files on the hard drive and booting
 using
 boot hd:,ofwboot bsd.rd
 
 no go on any of them.

I don't know if this will help, but I just did this on a bluewhite
PowerMac.  

Try:
boot hd:,ofwboot bsd

leave off the .rd.

Worked for us.


-- 
Charles Farinella 
Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
[EMAIL PROTECTED]
603.924.6079