Filtering other network layer protocols with PF

2017-09-11 Thread Christopher Snell
Hi,

I have an AT&T fiber connection at home that relies on a crappy,
proprietary, and insecure [1] router that does proprietary authentication
with upstream equipment via EAP over 802.1x.  Some folks have figured out
how to bypass it by putting the AT&T router behind their actual firewalls
and proxying the 802.1x packets to/from the AT&T device, thus faking out
the upstream gateway.

Unfortunately, the common solution [2] for this is Linux-specific and
relies on their PF_RING stuff.  I was hoping to proxy this protocol in
OpenBSD without having to use something slow like pcap.  As far as I can
tell from reading man pages, PF does not support this network layer
protocol (0x888E).  Does anybody have any ideas on how I might efficiently
capture these packets and copy them to another interface?

Chris

[1] https://www.nomotion.net/blog/sharknatto/
[2] https://github.com/jaysoffian/eap_proxy


Re: PPPoE / isakmpd race

2016-02-20 Thread Christopher Snell
On Wed, Feb 17, 2016 at 1:38 AM, Stuart Henderson wrote:

>
> A more generic (but more complicated) approach would be to use ifstated
> to wait until the interface is up before running isakmpd.


Stu,

Thanks a bunch for this suggestion.  This turned out to be the ticket!  It
works like a champ.

For anyone who may stumble upon this in the mail archive, looking for a
solution, here's what works for me:

First, remove isakmpd_flags=<...> from your /etc/rc.conf.local.   We want
ifstated(8) to start isakmpd(8), not rc(8) directly.

Next, add this to your rc.conf.local to start ifstated:

   ifstated_flags=""

Finally, create an /etc/ifstated.conf.   Mine is simple.  It looks for
"status: active" in the ifconfig output, and it pings a router two hops up
from me that should always be online:


init-state pppoe_status

pppoe_check = '( "ifconfig pppoe0 | grep \"status: active\" && ping -q -c 1 -w 2 NNN.NNN.NNN.NNN > /dev/null" every 10)'

# Check to see if we're online.
state pppoe_status {
    if $pppoe_check {
        set-state pppoe_online
    }
    if ! $pppoe_check {
        set-state pppoe_offline
    }
}

state pppoe_online {
    init {
        run "ifconfig pppoe0 | mail -s 'PPPoE is UP' root@localhost"
        run "pkill isakmpd; sleep 2; isakmpd -K; sleep 1; ipsecctl -f /etc/ipsec.conf"
    }
    if ! $pppoe_check {
        set-state pppoe_offline
    }
}

state pppoe_offline {
    init {
        run "ifconfig pppoe0 | mail -s 'PPPoE is down' root@localhost"
    }
    if $pppoe_check {
        set-state pppoe_online
    }
}



Re: PPPoE / isakmpd race

2016-02-16 Thread Christopher Snell
Yes, the Listen-on is static.  Unfortunately, changing the 0.0.0.0 in
hostname.pppoe0 breaks PPPoE.

I think I could work around this in netstart by simply sleeping until the
link comes up (or a pre-defined timer elapses) but I'm struggling to come
up with a more generic approach.  There might be more than one PPPoE
interface and more than one tunnel/PPP dependency that needs to be
accounted for.

Perhaps another approach is to rework netstart to block up to
[configurable] seconds after bringing up any PPPoE connection before
continuing.  This could default to no blocking but a maximum block period
could be defined in rc.conf.local for those who have PPPoE dependencies.

Chris

On Tue, Feb 16, 2016 at 7:46 AM, Stuart Henderson wrote:

> Is the address in "Listen-on" a static address for this connection?
>
> If so, you should be able to use it directly in hostname.pppoe0
> instead of 0.0.0.0, and that might well solve this.
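The bounded wait proposed above (block up to a configurable number of seconds after bringing up a PPPoE interface, defaulting to no blocking, and only then start the daemon that needs the link's address) written out as an added sh(1) example. This is not code from the thread and not OpenBSD's own netstart; it reuses the same ifconfig(8) "status: active" test that the ifstated.conf in this thread relies on. The interface name, the timeout and the daemon command line are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenBSD's netstart:
# a bounded wait for a PPPoE link before starting a daemon that must
# bind to the link's address (isakmpd in the thread).  Interface name,
# timeout and daemon command are assumptions supplied by the caller.

# wait_for_predicate 'COMMAND' TIMEOUT_SECS [INTERVAL_SECS]
# Re-evaluates COMMAND until it exits 0 or TIMEOUT_SECS have elapsed.
# Returns 0 when the predicate held, 1 on timeout.  TIMEOUT_SECS=0 means
# "do not block": the predicate is still checked once, so an already-up
# link passes, which mirrors the "default to no blocking" idea.
wait_for_predicate() {
	_cmd=$1
	_timeout=${2:-0}
	_interval=${3:-1}
	_elapsed=0
	while [ "$_elapsed" -lt "$_timeout" ]; do
		if eval "$_cmd" >/dev/null 2>&1; then
			return 0
		fi
		sleep "$_interval"
		_elapsed=$((_elapsed + _interval))
	done
	# final check after the deadline (or immediately when TIMEOUT_SECS=0)
	if eval "$_cmd" >/dev/null 2>&1; then
		return 0
	fi
	return 1
}

# pppoe_is_up IFACE: the same test the thread's ifstated.conf relies on.
# A PPPoE interface only reports "status: active" once the PPP session,
# and therefore the address isakmpd has to listen on, exists.
pppoe_is_up() {
	ifconfig "$1" 2>/dev/null | grep -q 'status: active'
}

# start_after_link IFACE TIMEOUT_SECS COMMAND [ARGS...]
# Blocks up to TIMEOUT_SECS for IFACE, then runs COMMAND only if the link
# really is up; on timeout it logs and returns 1 instead of starting a
# daemon that would fail the way the isakmpd log in this thread shows.
start_after_link() {
	_iface=$1
	_deadline=$2
	shift 2
	if wait_for_predicate "pppoe_is_up $_iface" "$_deadline"; then
		"$@"
	else
		echo "$_iface not active after ${_deadline}s; not starting: $*" >&2
		return 1
	fi
}
```

A call such as `start_after_link pppoe0 30 /sbin/isakmpd -K` blocks at most 30 seconds; with a timeout of 0 it behaves like the plain `!` command in hostname.pppoe0 that the thread found to run too early, because ifconfig(8) returns before the PPP session exists. Whichever way the daemon is started, checking the link state rather than sleeping a fixed time is what avoids both the race and needless boot delay.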



PPPoE / isakmpd race

2016-02-15 Thread Christopher Snell
Hi,

I recently set up a site-to-site IPsec VPN on an OpenBSD firewall/router
that connects to the public Internet via PPPoE.  I've noticed that the VPN
does not come up properly upon system boot because of what appears to be a
race condition between the PPPoE connection and isakmpd start.  I say
"race" but it's really a race that isakmpd always wins.

When isakmpd starts up, I see this in the logs:

Feb 14 23:42:24 sainthelena isakmpd[27969]: udp_create: no matching listener found
Feb 14 23:42:24 sainthelena isakmpd[27969]: exchange_establish: transport "udp" for peer "peer-XX.XXX.XX.X" could not be created

If I kill isakmpd and start it again manually, then run 'ipsecctl -f
/etc/ipsec.conf', the VPN comes up and functions correctly.

I am still very new to IPSec and PPPoE under OpenBSD but I suspect that the
failure is happening because the external interface (pppoe0) does not yet
have a PPP session established and has no IP to bind to.

I've tried removing isakmpd_flags from rc.conf.local and starting isakmpd
via a ! command in /etc/hostname.pppoe0 but that didn't seem to work--same
results.   I suspect this is because ifconfig does not block when the PPP
connection is first set up and isakmpd is executing prematurely.

I'm curious if anybody has any work-arounds or if this is something that
should be formally reported to bugs@.

--
My /etc/ipsec.conf, sanitized:

ike dynamic esp from { 10.50.0.0/24 } \
    to { 10.20.0.0/22 10.40.0.0/24 10.240.0.0/22 10.176.0.0/12 \
         10.239.0.0/22 10.208.0.0/12 10.21.0.0/22 172.24.96.0/22 \
         10.30.0.0/20 10.70.0.0/24 10.80.0.0/22 172.20.0.0/22 } \
    peer XXX..com \
    main auth hmac-sha1 enc aes-256 group modp1024 lifetime 8h \
    quick auth hmac-sha1 enc aes-256 group none lifetime 1h \
    srcid AA.AAA.AAA dstid XX.XXX.XX.X psk "SECRET_HERE"


--
My /etc/hostname.pppoe0, sanitized:

inet 0.0.0.0 255.255.255.255 NONE \
   pppoedev vlan0 authproto pap \
   authname 'XXX@' authkey 'SECRET_HERE' up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1

--
My /etc/rc.conf.local:

dhcpd_flags="em1 em2"
pf=YES
isakmpd_flags="-K"
ipsec=YES


--
My /etc/isakmpd/isakmpd.conf:
NOTE: I've tried using the interface name here (pppoe0) in lieu of my IP
address.  I've also removed this file entirely.  All variants produce the
same results.


[General]
Listen-on=63.226.194.238


--
dmesg:


OpenBSD 5.9 (GENERIC.MP) #1870: Mon Feb  8 17:34:23 MST 2016
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2130640896 (2031MB)
avail mem = 2061930496 (1966MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xe0010 (364 entries)
bios0: vendor Phoenix Technologies LTD version "6.00" date 07/30/2013
bios0: VMware, Inc. VMware Virtual Platform
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP BOOT APIC MCFG SRAT HPET WAET
acpi0: wakeup devices PCI0(S3) USB_(S1) P2P0(S3) S1F0(S3) S2F0(S3) S3F0(S3)
S4F0(S3) S5F0(S3) S6F0(S3) S7F0(S3) S8F0(S3) S9F0(S3) S10F(S3) S11F(S3)
S12F(S3) S13F(S3) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz, 1999.98 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AES,XSAVE,AVX,HV,NXE,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 65MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz, 2000.00 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AES,XSAVE,AVX,HV,NXE,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 2 (application processor)
cpu2: Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz, 1999.98 MHz
cpu2:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AES,XSAVE,AVX,HV,NXE,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Xeon(R) CPU E5-2620 0 @ 

AX.25

2007-09-26 Thread Christopher Snell
It's been a few years since anybody has asked this.  Is anybody
working on an AX.25 implementation for OpenBSD?  Just passed my Extra
exam and would like to start doing some packet radio soon.  Would love
to put OpenBSD 23km up like this guy did with Linux:

http://vpizza.org/~jmeehan/balloon/

Chris
KE7OVL



Re: OpenBSD - High Performance 1u box

2007-06-10 Thread Christopher Snell

Sun X2200 with Intel PCI-e NIC(s) works great here.  Buy two and use
CARP for redundancy.

Chris

On 6/10/07, Pui Edylie [EMAIL PROTECTED] wrote:

> Good Day,
>
> I am building a 1u box for OpenBGP with PF.
>
> Any hardware recommendation so it can achieved the best
> throughput/performance?
>
> Thank you
> -e




Re: Sun Fire X2100, GigaBit Fiber?

2007-02-07 Thread Christopher Snell

Check out the Intel PRO/1000 PF.  While it's not mentioned as
supported in amd64, many of its brethren are.  It might be worth a
try.

http://www.intel.com/network/connectivity/products/pro1000pf_dualport_server_adapter.htm

Chris


On 2/7/07, Steven Xiao [EMAIL PROTECTED] wrote:

> Hi,
>
>   I really want to use one of those Sun Fire X2100, X2100 M2 or X2200 to
> build a firewall for my network. But my problem is that my network is a
> fiber connection running Gigabit. It seems that all these boxes have only
> PCI-E X8 slot(s) for fiber network card(s).
>
>   My questions are:
>
>   1) Sun also sells a fiber gigabit card with X2100 ... (Sun Dual Gigabit
> Ethernet PCI-E MMF Adapter). But this card is not supported in OpenBSD
> 4.0. Am I right? Is there a plan to support it in the near future?
>
>   2) If I get a M2 box, say, X2100 M2 with two PCI-E X8 slots and get two
> PCI-E fiber network cards, say, HP NC373F PCI Express Multifunction
> Gigabit server adapter (1000baseSX) which is supported per openbsd
> document. Would that work?
>
>   Thanks for any inputs.
>
>   Steven




OpenBSD under Parallels Desktop

2007-01-26 Thread Christopher Snell

Hi,

Has anybody been able to run OpenBSD 4.0 or newer under Parallels
Desktop?  Booting the 3.9 media works just fine and I am able to
install the OS.  Booting 4.0 (or newer snapshots) media results in a
lock-up of the VM at the (I)nstall/(U)pgrade prompt.  I'd post a
dmesg(1) but I'm unable to select text in the VM.  I'm running the
latest build (3120) of Parallels Desktop under Mac OS X 10.4.8.

The next thing to try is a manual upgrade by CVS source to -CURRENT,
I suppose...

Chris



Re: OpenBSD under Parallels Desktop

2007-01-26 Thread Christopher Snell

On 1/26/07, Peter Valchev [EMAIL PROTECTED] wrote:


> Indeed, this was caused by the pckbd diff referred to in the other
> email, which was built in the snapshots you tried.  As of today's
> snapshot, it includes a newer iteration of this diff, which should
> fix the problem.


Thanks, Peter.  That fixed the problem nicely.  I'm now installing
today's snapshot under Parallels on my Mac.  I'm absolutely amazed at
how fast OpenBSD runs under this VM.   Very exciting!

Chris



Re: Which crypto card for Soekris 4801?

2007-01-15 Thread Christopher Snell

On 1/15/07, Heinrich Rebehn [EMAIL PROTECTED] wrote:

> Hi all,
>
> which crypto cards actually work in a soekris 4801 under OpenBSD?


You're going to have a hard time finding supported Mini-PCI cards,
other than the HiFn stuff.

Instead, check out the Commel motherboards:

http://www.commell-sys.com/Product/SBC/ITX-662.HTM

This one has the C3 chip which is listed as supported here:

http://www.openbsd.org/crypto.html#hardware

If it's performance that you're after, you're going to have a struggle
with that Soekris.

Chris



Re: Thinkpad Fingerprint Sensors

2007-01-15 Thread Christopher Snell

Sorry for the thread revival but this looks interesting.  These guys
claim to have a GPL'ed driver for the fingerprint reader:

http://sourceforge.net/projects/thinkfinger

Chris

On 12/13/06, Chris Kuethe [EMAIL PROTECTED] wrote:

> On 12/13/06, Marc Balmer [EMAIL PROTECTED] wrote:
> > * Michael wrote:
> > > Hi,
> > >
> > > will there be any support for the fingerprint sensor on the newer
> > > Thinkpads (anytime soon)?
> > >
> > > Linux:
> > > http://toe.ch/~tsa/ibm-fingerprint/
> > > http://www.thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader
> > > http://www.qrivy.net/~michael/blua/
> > >
> > > Vendor SDKs:
> > > Linux: http://www.upek.com/support/dl_linux_bsp.asp
> > > FreeBSD: http://www.upek.com/support/dl_freeBSD_bsp.asp
> >
> > These are binary only (BLOB) drivers w/o source code.  If you can find
> > source code that would be better.  With the current state of affairs (no
> > source code, only BLOB) you will never get support for this device in
> > OpenBSD.
>
> If you're still curious though, there is a fairly stagnant project at
> sourceforge that might offer some insight into what you're asking for
> - fvs.sourceforge.net. Sometimes you can find the sensor docs - like
> for authentec - but many times there are very significant errors (like
> with authentec). I started hacking on an authentec driver some years
> ago. I was getting data back from the sensor but then I stopped
> caring.
>
> UPEK and DigitalPersona seemed quite unwilling to release enough
> register documentation to make an open, multiplatform driver a
> worthwhile pursuit - even if you did buy the SDK. They're free to
> build closed, windows-only software, and you're free to ignore them.
>
> CK
>
> --
> GDB has a 'break' feature; why doesn't it have 'fix' too?




State table not recovering on CARP backup machine

2007-01-15 Thread Christopher Snell

Hi All,

We saw a strange issue today with two of our CARP'ed firewalls.  At
two different points in the afternoon, the state table suddenly jumped
from its normal level of around 30,000 entries to the limit of
200,000 entries.  As expected, no new states could be created.  We
drove to our datacenter, logged into the primary machine and
flushed the state table.  Strangely, the output from pfctl was
something like "Cleared 26 state entries" or some similarly small
number.  At this point, the state count crept back up to its normal
level of around 30k entries.  Our network went back to normal and we
drove back to the office.  I bumped the state limit up on our CARP
master to 60 and then attempted to copy the pf.conf to the CARP
backup server.  The scp timed out.  I haven't yet made it back to the
datacenter but my guess is that the state table is still full on that
machine.  This is really strange.  Wouldn't pfsync clear out the state
tables on the backup host when the primary host was cleared with
'pfctl -F state'?  Has anybody experienced sudden surges of state
entries like this?  Denial of service attack perhaps?

Also, I just noticed some strange entries in /var/log/messages:

Jan 15 15:57:15 fw-01 /bsd: carp666: ip_output failed: 65
Jan 15 15:57:15 fw-01 /bsd: carp667: ip_output failed: 65
Jan 15 15:57:15 fw-01 /bsd: carp668: ip_output failed: 65
Jan 15 15:57:15 fw-01 /bsd: carp669: ip_output failed: 65

Googling didn't yield anything interesting (beyond CARP source code)
for this error.  Does anybody have any ideas?

Chris

OpenBSD 4.0-current (GENERIC) #744: Fri Nov 10 16:16:08 MST 2006
   [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 3757633536 (3669564K)
avail mem = 3223883776 (3148324K)
using 22937 buffers containing 375971840 bytes (367160K) of memory
mainbus0 (root)
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xfcfe0 (52 entries)
bios0: Sun Microsystems Sun Fire X2200 M2
ipmi0 at mainbus0: version 1.5 interface KCS iobase 0xca2/2 spacing 1
cpu0 at mainbus0: (uniprocessor)
cpu0: Dual-Core AMD Opteron(tm) Processor 2214, 2211.65 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB
64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
pci0 at mainbus0 bus 0: configuration mode 1
NVIDIA MCP55 Memory rev 0xa2 at pci0 dev 0 function 0 not configured
pcib0 at pci0 dev 1 function 0 NVIDIA MCP55 ISA rev 0xa3
nviic0 at pci0 dev 1 function 1 NVIDIA MCP55 SMBus rev 0xa3
iic0 at nviic0: disabled to avoid ipmi0 interactions
iic1 at nviic0: disabled to avoid ipmi0 interactions
ohci0 at pci0 dev 2 function 0 NVIDIA MCP55 USB rev 0xa1: irq 15,
version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: NVIDIA OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 10 ports with 10 removable, self powered
ehci0 at pci0 dev 2 function 1 NVIDIA MCP55 USB rev 0xa2: irq 7
usb1 at ehci0: USB revision 2.0
uhub1 at usb1
uhub1: NVIDIA EHCI root hub, rev 2.00/1.00, addr 1
uhub1: 10 ports with 10 removable, self powered
pciide0 at pci0 dev 4 function 0 NVIDIA MCP55 IDE rev 0xa1: DMA,
channel 0 configured to compatibility, channel 1 configured to
compatibility
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 ignored (disabled)
pciide1 at pci0 dev 5 function 0 NVIDIA MCP55 SATA rev 0xa3: DMA
pciide1: using irq 10 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: HDT722525DLA380
wd0: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
wd1 at pciide1 channel 1 drive 0: HDT722525DLA380
wd1: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd1(pciide1:1:0): using PIO mode 4, Ultra-DMA mode 5
ppb0 at pci0 dev 6 function 0 NVIDIA MCP55 PCI-PCI rev 0xa2
pci1 at ppb0 bus 1
vga1 at pci1 dev 5 function 0 ASPEED Technology AST2000 rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
nfe0 at pci0 dev 8 function 0 NVIDIA MCP55 LAN rev 0xa3: irq 11,
address 00:16:36:76:43:f7
eephy0 at nfe0 phy 2: Marvell 88E1149 Gigabit PHY, rev. 1
nfe1 at pci0 dev 9 function 0 NVIDIA MCP55 LAN rev 0xa3: irq 5,
address 00:16:36:76:43:f8
eephy1 at nfe1 phy 3: Marvell 88E1149 Gigabit PHY, rev. 1
ppb1 at pci0 dev 10 function 0 NVIDIA MCP55 PCIE rev 0xa3
pci2 at ppb1 bus 2
ppb2 at pci0 dev 11 function 0 NVIDIA MCP55 PCIE rev 0xa3
pci3 at ppb2 bus 3
ppb3 at pci0 dev 12 function 0 NVIDIA MCP55 PCIE rev 0xa3
pci4 at ppb3 bus 4
ppb4 at pci0 dev 13 function 0 NVIDIA MCP55 PCIE rev 0xa3
pci5 at ppb4 bus 5
ppb5 at pci5 dev 0 function 0 ServerWorks PCIE-PCIX rev 0xb5
pci6 at ppb5 bus 6
bge0 at pci6 dev 4 function 0 Broadcom BCM5715 rev 0xa3, BCM5715 A3
(0x9003): irq 15, address 00:16:36:76:43:f5
brgphy0 at bge0 

Re: OT Was: Wanted: OpenBSD Systems Administrator

2007-01-03 Thread Christopher Snell

On 1/3/07, Kenny Mann [EMAIL PROTECTED] wrote:


> His response was a bit rude, however at least the courtesy was made to
> attempt a reading on the rules page. He made the best decision he could
> given the information he had.


Hi All,

I apologize if my posting offended anyone.  That really was not my
intent.  I *do* read this list regularly, attend OpenBSD-related
conferences, send e-mail to hardware manufacturers, etc.  I assure
you, I'm not some headhunter drone, just another sysadmin like most of
you.  Regarding the questionnaire, I hear your objections and will not
be including this on future job postings elsewhere.  The quiz is lame,
yes, I agree.  We've had problems in the past with hires who looked
great on paper and even interviews but could not come up with a simple
solution to a simple problem to save their asses.  The quiz was an
attempt to weed out slackers, Unabomber types, and others who could
not cut the mustard in a business environment.

So, I'll leave it at that and get back to OpenBSD-specific discussion as usual.

Chris



Wanted: OpenBSD Systems Administrator

2007-01-02 Thread Christopher Snell

Hi Folks,

I hope you will excuse the commercial nature of this post; I figured
that this is the best place to find what we are looking for.

Backcountry.com is seeking an OpenBSD and Linux systems administrator
to join its Systems and Networks Engineering team. Qualified
applicants will have solid experience configuring and maintaining
OpenBSD- and Linux-based servers in a production environment. We're a
close-knit group, so a positive, cooperative attitude and the ability
to function as part of a team are extremely important.

Requirements:

* Configuring and maintaining OpenBSD and Linux in a 24/7/365
production environment

* Solid UNIX systems and network security fundamentals

* Excellent understanding of the OSI seven layer model and TCP/IP networking

* Experience working with hardware and software RAID devices

* Stateful packet filtering with pf and iptables

* Configuration and tuning of Apache and PostgreSQL

* Datacenter operations (cabling, racking, organizing)

Additional Preferred Skills:

* CARP, pfsync, VLANs, and trunking
* Configuration of layer 3 managed switches, e.g. Foundry FastIron
* Configuration of layer 4-7 application switches, e.g. Foundry ServerIron
* Asterisk PBX
* GFS or other distributed file system technologies

Considerations:

This position is based in Park City, Utah and is full-time and
benefits eligible. Benefits include paid time off, paid holidays,
floating holidays, subsidized medical insurance, voluntary coverage
(dental, short-term disability, supplemental accident), 401K, annual
profit sharing, employee gear discount, employee referral program,
flexible hours, casual dress, discounted season passes, and
transferable day ski passes.

To Apply:

Send resume, salary history, and answers to the following screening
questions to [EMAIL PROTECTED] with Systems Administrator in the
subject line.

Screening Questions:

1. Based on the following statements (props to Lewis Carroll), answer
the following questions:

a. What can you logically conclude from these statements?

b. Explain how you came to this conclusion (bonus points for using
symbolic logic).

The statements:

* No birds, except ostriches, are 9 feet high.
* There are no birds in this aviary that belong to anyone but me.
* No ostrich lives on mince pies.
* I have no birds less than 9 feet high.

2. Describe some differences between OpenBSD's and Linux's init(8).

3. Design a scalable e-mail architecture to support 1,000 users and
2MM+ incoming and 200,000 outgoing e-mails/day. You may be as brief or
as verbose as you like. Architectural drawings, server, network, and
software specs are encouraged but not required.

4. Your home network has a single pf-based firewall machine between
your internal LAN and the general internet. The firewall machine has
two network interfaces: external (sk0) and internal (sk1). This
firewall takes a default-deny stance to *ALL* network traffic. You
have a machine on your internal LAN, puffy, that wants to talk to
www.backcountry.com on TCP ports 80 and 443. Given the following pf
macros, write the appropriate rule(s) that will allow puffy to surf
www.backcountry.com:


external_if=sk0
internal_if=sk1
puffy_ip=10.0.0.67
backcountry_ip=166.70.146.69


5. What are your top three innate strengths that you don't even have to try at?

6. What is a genuine weakness that you strive to improve upon? (don't
twist a positive into a negative)

7. What is your desired salary range?

8. Why do you want to work at Backcountry.com?

We Are an Equal Opportunity Employer



Re: Wanted: OpenBSD Systems Administrator

2007-01-02 Thread Christopher Snell

And who appointed you list manager?  My post was permitted based on my
reading of the rules in http://www.openbsd.org/mail.html.

Chris

On 1/2/07, Diana Eichert [EMAIL PROTECTED] wrote:

> Okay, enough is enough, no more employment want ad stuff.
>
> Funny how I can ignore the stupid lamer posts, but I find employment want
> ad posts deplorable enough to reply.
>
> go figure.
>
> diana




Re: nagios check_carp for OpenBSD carp(4)

2006-12-18 Thread Christopher Snell

On 12/15/06, Brian A. Seklecki [EMAIL PROTECTED] wrote:

> Thoughts? Strategies? Ideas?
> ---
>
> Ask the machine directly? Ask an adjacent machine?


Joel Knight just released an updated OpenBSD SNMP MIB that supports
reading data from the sensors framework.  Perhaps he could be
persuaded to add support for CARP state detection?  :)

Chris



Re: em(4) Intel PRO/1000PT Dual Port

2006-08-18 Thread Christopher Snell

On 8/17/06, Kyle George [EMAIL PROTECTED] wrote:


> Speaking of em(4), does the Intel PRO/1000PT dual-port PCIe card work on
> 3.9 i386?


I can't speak for 3.9 i386 but it seems to work fine on amd64 late 3.9
and 4.0 snapshots.



More than 255 vhid's w/ CARP

2006-08-09 Thread Christopher Snell

Hi All,

We're setting up some VLAN routers using a pair of machines.  We have
a bunch of VLANs and we're using CARP to provide redundancy.
Currently, there is a carpNNN interface built on top of every vlanNNN
interface, which are themselves built on the actual ethernet
interface.  We're using VLAN IDs as high as 1000.  The CARP vhids,
however, can only go as high as 255 per ifconfig(8).  Is there a way
to increase this number to match the VLAN limit (4096, I believe)? Or,
perhaps we're doing this wrong and we should be using the same vhid
for every CARP interface?  Can somebody enlighten me?

thanks,

Chris



Intel PRO/1000 PT

2006-07-05 Thread Christopher Snell

Hi,

Is the Intel PRO/1000 PT still non-functional under our favorite OS?
I searched around and found a message from Darrian Hale in late April
that said he was having kernel panics with this NIC.  Has anything
changed?

I have some Sun X2100s that I want to use as routers and the only
missing bit is a good 2-port gigabit NIC that fits in the X2100's
single PCI Express (8x) slot.

thanks,

Chris



Re: Laptop recommendations

2006-06-13 Thread Christopher Snell

I'm still looking for a laptop.  Does anybody know of a laptop that
will do at least 1600x___ resolution and have rudimentary power
management (i.e., I can pull the AC plug and the laptop does not lock
up)?

Chris

On 5/29/06, Theo de Raadt [EMAIL PROTECTED] wrote:

> > On 5/26/06, Christopher Snell [EMAIL PROTECTED] wrote:
> > > It seems like every major laptop manufacturer is locked into Intel
> > > CPU, graphics, WiFi, and sound and that there's no chance in hell that
> > > Intel will release specs on these.  What is the future of laptop
> > > support for free Unices?  Will SpeedStep ever be reverse engineered?
> > > Are we forever doomed to barely-working laptops?
> >
> > umm, the graphics and sound for intel chipsets are completely
> > documented.  the correct way to use speedstep (est) is through acpi,
> > which is also documented, even though we should now pretty much
> > support every est cpu at least basically.  the situation with wifi
> > could be better, but if you download the firmware it works.
> >
> > you have either misappraised the situation, or your definition of
> > barely working is very different than most people's.
>
> Intel is changing their ways.  They got seriously hurt by NVidia and
> ATI taking over the video market, while simultaneously AMD hurt
> them on the processor side.
>
> The real enemy today is Nvidia (and ATI).
>
> Intel is trying to release documentation and open up as fast as they
> can to stay in the market.  It's almost pathetic, but yes, it is
> benefiting us (as it should, and thus, us running on their machines
> benefits them, as it should).




Re: Laptop recommendations

2006-05-26 Thread Christopher Snell

On 5/11/06, Chris Cappuccio [EMAIL PROTECTED] wrote:


> I always run across cheap/free/lying around dell laptops that work great.
> The sound works, the wireless might work, and suspend usually works.  Right
> now I have a dell latitude c400, they're on ebay for $300, the thing weighs
> 2.5 pounds, it's very small.


It's a bummer for folks like me who depend on corporate purchasing to
get their laptops.  I feel lucky that my employer will at least listen
to my request to get Lenovo over Dell.  eBay is not going to be an
option for them.  So, me and every other purchaser of new equipment is
stuck with two options at the moment:

1) Buy an outdated laptop that can do 1024x768 (or similar) at best

2) Buy a modern laptop that can do 1440x900 but have no working
power management and have to deal with a laptop that locks up when the
power cord is unplugged.

It seems like every major laptop manufacturer is locked into Intel
CPU, graphics, WiFi, and sound and that there's no chance in hell that
Intel will release specs on these.  What is the future of laptop
support for free Unices?  Will SpeedStep ever be reverse engineered?
Are we forever doomed to barely-working laptops?

I've never felt more motivated to write Intel and give them my
corporate mouthful.

Chris



Re: traffic shaping question.

2006-05-23 Thread Christopher Snell

On 5/23/06, S t i n g r a y [EMAIL PROTECTED] wrote:


> I want to do traffic shaping as per protocol basis so
> if I give a certain bandwidth to HTTP protocol, isn't
> there any way I can differentiate between HTTP webpages
> & HTTP downloads of huge .iso files?


Sure, set your HTTP daemon to listen on two ports (say, ports 80 and
81).  Make the ISO images available through port 81 only and use
traffic shaping to limit bandwidth from that port.

Chris



Re: PHP vs Mason vs Ruby vs JSP/Tomcat

2006-05-23 Thread Christopher Snell

Can we please end this crappy, off-topic thread right now?

Thank you.

Chris



Intel 945GM + Dell Latitude D620 resolution woes

2006-05-22 Thread Christopher Snell

Hi All,

I'm having a hell of a time trying to get this Dell Latitude D620 to
run at 1440x900 resolution.  Dimitry Andric's recent 945GM patches got
me closer (no more Xorg BusID errors) but I still can't get 1440x900
going.  I'm using the 915resolution port to patch BIOS mode 5a to
1440x900x24 but Xorg is still not seeing this as a valid resolution:

(II) I810(0): Monitor0: Using hsync range of 28.00-72.00 kHz
(II) I810(0): Monitor0: Using vrefresh range of 43.00-60.00 Hz
(II) I810(0): Not using mode 1440x900 (no mode of this name)
(--) I810(0): Virtual size is 1024x768 (pitch 1024)
(**) I810(0):  Built-in mode 1024x768
(**) I810(0):  Built-in mode 800x600
(**) I810(0):  Built-in mode 640x480

I'm patching in /etc/rc.securelevel like this:

if [ -x /usr/local/sbin/915resolution ]; then
   echo 'Starting 915resolution...'
   /usr/local/sbin/915resolution 5a 1440 900 32
fi

Running '915resolution -l' after patching (in single-user mode) does
list 1440x900 at 8, 16, and 32bpp depths.

Here are the relevant log and config files:

  http://saba.island.nu/openbsd/D620-dmesg.txt

  http://saba.island.nu/openbsd/Xorg.0.log.txt

  http://saba.island.nu/openbsd/xorg.conf.txt

Thanks in advance for any advice that you all might provide.

Chris



Re: Intel 945GM + Dell Latitude D620 resolution woes

2006-05-22 Thread Christopher Snell

On 5/22/06, Christopher Snell [EMAIL PROTECTED] wrote:


> I'm having a hell of a time trying to get this Dell Latitude D620 to
> run at 1440x900 resolution.  Dimitry Andric's recent 945GM patches got
> me closer (no more Xorg BusID errors)  [...]


Doh.  I researched Dell's site and noticed that two variants of the
same model are sold: one has WXGA+ resolution (1440x900) and the other
only has WXGA resolution (1280x800).  I monkeyed around with
915resolution and my xorg.conf and was able to get it running in
1280x800 resolution.  My employers are thrifty and it doesn't surprise
me that they bought the cheaper version.

If anybody needs working configs for this laptop, they can be found here:

http://saba.island.nu/openbsd/latitude-d620/

Note, you'll need to run the latest 3.9 snapshot if you want X.org and
your 3945G-based wifi to work.

There are still some issues with this laptop.  Notably, shutdown(8)
does not reboot nor power-off the machine properly.  It hangs with the
power on.  I'll post more about this later.


Chris



Dell Latitude D620 lock-ups

2006-05-22 Thread Christopher Snell

Hi,

Well, now that I have the video issues resolved, I want to track down
the source of the lock-ups that I am seeing while running this laptop
and today's snapshot.  Anything power-related (unplugging power cord,
adjusting screen brightness, attempting to suspend, etc.) locks the
laptop up cold.  Attempting to reboot via 'shutdown -r' causes the OS
to stop but does not reboot the machine.  Similarly, 'shutdown -p'
does not power down the machine.  I'm also seeing lock-ups randomly as
I work.

I'm not a kernel developer but I am willing to work with anyone to
resolve these issues.  I'm comfortable patching and building kernels,
testing, whatever.  I see that there is apparently an OpenBSD
developer here in Utah.  I'd be happy to loan the laptop to him/her if
they can fix these things.

On the plus side, X.org is working nicely and Damien's wpi(4) driver
is kicking ass.

Thanks,

Chris



OBDII, Anyone?

2005-08-11 Thread Christopher Snell
Hi All,

Has anybody done any work to port Freediag
(http://freediag.sourceforge.net/) to OpenBSD or to write similar
OBDII software for our favorite OS?  Googling did not yield anything
useful.

For those that don't already know, OBDII is the nifty hardware
interface present in many automobiles manufactured since the
mid-1990s, which allows you to read diagnostic and performance metrics
from your car's computer systems.  Interface dongles can be home built
(http://www.planetfall.com/~jeff/obdii/) or purchased cheaply.

Freediag reads its data over the serial port but is very
Linux-specific at the moment.  :(

Chris