Re: Need advice on “tcp proxy”

2024-03-03 Thread Joel Wirāmu Pauling
Maybe look at Meshcentral as an alternative to Rustdesk. It allows proxying
over https OOTB.

On Sun, 3 Mar 2024 at 19:30, Kasak  wrote:

>
>
> > On 3 March 2024 at 00:46, Joel Wirāmu Pauling wrote:
> >
> > ssh can work in tap VPN mode (ssh -w) and will tunnel udp fine ; I'm not
> > sure what you are trying to achieve but perhaps ssh tunnels might be an
> > option for your use case. You are probably better off setting up
> something
> > like wireguard, but in a pinch if the target and host already have ssh.
> >
> > https://wiki.archlinux.org/title/VPN_over_SSH
> >
> No, ssh tunnels is no-go for me. Remote hosts are windows, and they are
> mostly “wild” hosts.
> >
> >
> >> On Sun, 3 Mar 2024 at 07:26, Kasak  wrote:
> >>
> >>
> >>
> >>> On 2 March 2024 at 21:05, Stuart Henderson wrote:
> >>>
> >>> On 2024-03-02, Kasak  wrote:
> >>>> Hello misc! There is a good manual on OpenBSD faq about redirection
> and
> >> reflection, here it is:
> https://www.openbsd.org/faq/pf/rdr.html#tcpproxy
> >>>>
> >>>> I’m using nginx as tcp and udp proxy, but maybe there is another
> >> software, more suitable for this task?
> >>>> I need to redirect and reflect near 15 tcp ports and couple of udp.
> >>>> I know I can do this with only pf, but I switched to nginx
> >> intentionally, because this amount of ports made my pf config hard
> readable.
> >>>
> >>> As far as TCP goes, haproxy is possibly a bit better suited. It
> >>> doesn't do UDP though (and unlikely to in a generic way, see
> >>> https://github.com/haproxy/haproxy/issues/62).
> >>>
> >>> Depending on which UDP protocols are used there might be better
> >>> alternatives though - for example if it's DNS then look at dnsdist.
> >>> UDP proxying in most cases needs to be protocol-aware.
> >>>
> >>>
> >> I’m afraid this is not dns, this is Rustdesk software and antivirus
> agent,
> >> and something else like this.
> >> Thank you anyway, I see there is not much options for me
> >>
> >>
>
>


Re: Need advice on “tcp proxy”

2024-03-02 Thread Joel Wirāmu Pauling
ssh can work in tap VPN mode (ssh -w) and will tunnel udp fine ; I'm not
sure what you are trying to achieve but perhaps ssh tunnels might be an
option for your use case. You are probably better off setting up something
like wireguard, but in a pinch if the target and host already have ssh.

https://wiki.archlinux.org/title/VPN_over_SSH



On Sun, 3 Mar 2024 at 07:26, Kasak  wrote:

>
>
> > On 2 March 2024 at 21:05, Stuart Henderson wrote:
> >
> > On 2024-03-02, Kasak  wrote:
> >> Hello misc! There is a good manual on OpenBSD faq about redirection and
> reflection, here it is: https://www.openbsd.org/faq/pf/rdr.html#tcpproxy
> >>
> >> I’m using nginx as tcp and udp proxy, but maybe there is another
> software, more suitable for this task?
> >> I need to redirect and reflect near 15 tcp ports and couple of udp.
> >> I know I can do this with only pf, but I switched to nginx
> intentionally, because this amount of ports made my pf config hard readable.
> >
> > As far as TCP goes, haproxy is possibly a bit better suited. It
> > doesn't do UDP though (and unlikely to in a generic way, see
> > https://github.com/haproxy/haproxy/issues/62).
> >
> > Depending on which UDP protocols are used there might be better
> > alternatives though - for example if it's DNS then look at dnsdist.
> > UDP proxying in most cases needs to be protocol-aware.
> >
> >
> I’m afraid this is not dns, this is Rustdesk software and antivirus agent,
> and something else like this.
> Thank you anyway, I see there is not much options for me
>
>
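
The question quoted above was how to redirect and reflect about fifteen TCP ports and a couple of UDP ports without the pf.conf turning into a wall of near-identical rules. Below is an added example, not code from this thread or from the OpenBSD FAQ, that does it with pf alone by putting the port lists into macros so that there is one rule per direction and protocol rather than one per port; the reflection rules follow the pattern in the FAQ's "Redirection and Reflection" section (https://www.openbsd.org/faq/pf/rdr.html) that the original poster linked. The interface names, addresses and port numbers are placeholder assumptions.

```pf
# Added example (not from the thread): redirection plus reflection for a
# list of ports, kept readable with macros. Interfaces, addresses and the
# port numbers below are placeholders; substitute your own.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.10.0/24"
server  = "192.168.10.20"

# Edit these two lists, not the rules. Ranges (lo:hi) are allowed.
tcp_ports = "{ 22 80 443 3389 5900 8000:8010 }"
udp_ports = "{ 3478 5060 }"

# Redirection: outside clients connecting to the external address.
pass in on $ext_if inet proto tcp to ($ext_if) port $tcp_ports rdr-to $server
pass in on $ext_if inet proto udp to ($ext_if) port $udp_ports rdr-to $server

# Reflection: inside clients that use the external address are redirected
# too, and their source is NATed to the internal interface address so the
# server's replies come back through the firewall instead of going
# straight to the client (which would break the state). received-on
# keeps traffic the firewall itself originates out of the NAT rule.
match out on $int_if inet proto tcp to $server port $tcp_ports \
    received-on $int_if nat-to ($int_if)
match out on $int_if inet proto udp to $server port $udp_ports \
    received-on $int_if nat-to ($int_if)
pass in on $int_if inet proto tcp from $int_net to ($ext_if) port $tcp_ports \
    rdr-to $server
pass in on $int_if inet proto udp from $int_net to ($ext_if) port $udp_ports \
    rdr-to $server

# Let the translated packets leave towards the server.
pass out on $int_if inet proto { tcp udp } to $server
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and use `pfctl -ss` from an inside client's connection to confirm that the reflected state shows the internal interface address as the translated source. Because pf rewrites addresses per packet in the kernel, this works for UDP without the protocol awareness a userland proxy needs; the remaining caveat is protocols that embed the client address in the payload (SIP is the usual example), which no address-level redirection can fix on its own.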


Re: Ryzen 9 (7x000) users: do you experience hangs?

2023-07-18 Thread Joel Wirāmu Pauling
Just a personal anecdote that might be worth something.

On both my AMD chipsets motherboards ( x570/x670E Proart Wifi ) ; I was
getting microstutters and odd hangs occasionally for the last year or so,
reboots would often power off rather than power cycle - which I mostly
wrote off as an oddity with the Mobo. I had a PSU blow (less than 2 years
in) on that build - which I put down to Winter Peak power being hot in NZ (
I measure 247V off the grid through the UPS).

It was a beQuiet 12 Pro 1000W - RMA'd and replaced with a 1300W beQuiet Pro
; Which went BANG ! after two days - after isolating circuit/removing it
from the UPS I went through another 2 beQuiet Pro 1300W within a week with
same Bang! (FET exploding) after a couple of days of working. 4th one
switched to a Corsair and it's been fine since.

Turns out there is some issue with that particular Power Supply Brand and
compatibility with AMD Chipsets - which is not a thing I was expecting to
find.

-Joel

On Wed, 19 Jul 2023 at 09:27, Kastus Shchuka  wrote:

> On Tue, Jul 18, 2023 at 08:09:11PM +0100, cho...@jtan.com wrote:
> > Not really. But.
> >
> > I have an APU2 which runs two VMs that do practically nothing,
> > although the box itself is used actively. The VMs consistently, and
> > without warning, hang in a way which matches the description "nothing
> > new can be execed" although I recall being able to log in on the
> > console. I noticed shortly after I installed the VMs in around May
> > but I haven't got very far diagnosing it because it's a low priority.
> > However there is a common denominator: AMD
> >
> > cpu0 at mainbus0: apid 0 (boot processor)
> > cpu0: AMD G-T40E Processor, 1000.02 MHz, 14-02-00
> > cpu0:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,SSSE3,CX16,POPCNT,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,IBS,SKINIT,ITSC
> > cpu0: 32KB 64b/line 8-way D-cache, 32KB 64b/line 2-way I-cache
> > cpu0: 512KB 64b/line 16-way L2 cache
> > cpu0: smt 0, core 0, package 0
> >
> > Times two.
> >
> > As you say the existing processes seem to work fine right up until
> > sshd is nearly (but not quite?) ready to fork:
> >
> > .
> > .
> > .
> > debug1: SSH2_MSG_EXT_INFO received
> > debug1: kex_input_ext_info: server-sig-algs= sk-ssh-ed25519@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com,ssh-dss,ssh-rsa,rsa-sha2-256,rsa-sha2-512>
> > debug1: kex_input_ext_info: publickey-hostbound@openssh.com=<0>
> > debug1: SSH2_MSG_SERVICE_ACCEPT received
> >
> > Ordinarily it would next attempt authentication. Does sshd fork and
> > drop privileges to do that?
> >
> > I don't know if that could help or even if it's related, but it can
> > be reproduced with confidence. I can poke the box or its VMs any
> > way that could shake some data loose.
> >
> > Matthew
> >
>
> Is AMD errata referenced from https://inks.tedunangst.com/l/4996 any
> relevant?
> (errata #1474 in
> https://www.amd.com/system/files/TechDocs/56323-PUB_1.01.pdf)
>
> -Kastus
>
>


Re: USB-C monitors

2021-09-19 Thread Joel Wirāmu Pauling
Just be aware that if you are looking at 4k monitors ; you will be likely
be limited to 30hz refresh rate via most adaptors using DP mode over USBC.

Thunderbolt3 and 4 can do 4kp60 as can DP 1.4 - but there are various
factors involved including the adaptors SoC, your GPU/Motherboard output.
Things can definitely go pear shaped if you are doing anything over 1080p.

On Mon, Sep 20, 2021 at 4:25 AM Paco Esteban  wrote:

> Hi,
>
> My experience is the same as Peter's.  No problem with various adapters
> USB-C to HDMI, in my case at 4k both 30Hz and 60Hz.
>
> I had no luck with DisplayPort output on a couple of docking stations.
>
> Will try next week with a direct cable USB-C to DP and will be able to
> report on that.
>
> Cheers,
> Paco.
>
> On Sun, 19 Sep 2021, Jan Betlach wrote:
>
> > Hi Peter,
> >
> > thanks for your prompt response. I believe it should work (it is
> > actually a usb-c monitor, no usb-c to hdmi adapter needed).
> > Nevertheless I'll just take my laptop to the store and try it, just to
> > be sure it really works.
> >
> > Thanks again
> >
> > Jan
> >
> >
> > On Sun, 2021-09-19 at 16:25 +0200, Peter Hessler wrote:
> > > Yes, I've used that with a couple different monitors, and a handful
> > > of usb-c to hdmi adapters.  All worked fine, and behaved just like
> > > normal hdmi/dvi/vga monitors.
> > >
> > > Power delivery and usb also worked as expected.
> > >
> > >
> > > On 2021 Sep 19 (Sun) at 14:29:27 +0200 (+0200), Jan Betlach wrote:
> > > :Hi guys,
> > > :
> > > :I am on -current and considering to purchase a USB-C monitor (power
> > > :delivery to my Thinkpad over one cable).
> > > :Do USB-C displays work on OpenBSD?
> > > :
> > > :Thanks in advance
> > > :
> > > :Jan
> > > :
> > >
> >
> >
>
> --
> Paco Esteban.
> 0x5818130B8A6DBC03
>
>


Re: 50Gbe

2021-08-06 Thread Joel Wirāmu Pauling
Also SFP28 ports are backwards compatible with SFP+ optics.

On Fri, Aug 6, 2021 at 9:12 PM Joel Wirāmu Pauling 
wrote:

> SFP28  (25gbit) is the way to go for density on x86 as it matches CPU
> bound bus architecture well. QSFP28 to 4*SFP28 offers the best price per
> port density both for interconnects (the DAC TwinAX 'squid' cables are
> cheap as chips)
>
> Network Stack Throughput through CPU on modern Intel x86 _64 even on perf
> tuned OS's tops out around 40Gbit locally so 50gbit ports don't make a lot
> of sense bar for specific use cases. Going faster means SmartNIC offloads,
> which are fine for certain use cases or if you just want to push packets
> without doing anything with them (i.e. NIC to NVMe etc, or switching).
>
> On Fri, Aug 6, 2021 at 7:33 PM Stuart Henderson 
> wrote:
>
>> On 2021-08-06, ha...@sdf.org  wrote:
>> >> Hi folks!
>> >>
>> >> I wonder if OBSD supports 50Gbe network cards. And what is the cable
>> >> standard to support such data transfers ?
>> >>
>> >> Thanks.
>> >>
>> >> --
>> >> The lion and the tiger may be more powerful, but the wolves do not
>> perform
>> >> in the circus
>> >
>> > $ apropos 50gb
>> > bnxt(4) - Broadcom NetXtreme-C/E 10/25/40/50Gb Ethernet device
>> >
>> > https://man.openbsd.org/bnxt.4
>> >
>> >
>>
>> Cable is usually single-mode fibre (duplex or simplex depending on which
>> QSFP28 you use) or twinax DACs. There might also be some using multimode
>> MTP cables but if there are, they're less common.
>>
>> Don't expect to get anywhere close to line rate with OpenBSD.
>>
>>
>>


Re: 50Gbe

2021-08-06 Thread Joel Wirāmu Pauling
SFP28  (25gbit) is the way to go for density on x86 as it matches CPU bound
bus architecture well. QSFP28 to 4*SFP28 offers the best price per port
density both for interconnects (the DAC TwinAX 'squid' cables are cheap as
chips)

Network Stack Throughput through CPU on modern Intel x86 _64 even on perf
tuned OS's tops out around 40Gbit locally so 50gbit ports don't make a lot
of sense bar for specific use cases. Going faster means SmartNIC offloads,
which are fine for certain use cases or if you just want to push packets
without doing anything with them (i.e. NIC to NVMe etc, or switching).

On Fri, Aug 6, 2021 at 7:33 PM Stuart Henderson  wrote:

> On 2021-08-06, ha...@sdf.org  wrote:
> >> Hi folks!
> >>
> >> I wonder if OBSD supports 50Gbe network cards. And what is the cable
> >> standard to support such data transfers ?
> >>
> >> Thanks.
> >>
> >> --
> >> The lion and the tiger may be more powerful, but the wolves do not
> perform
> >> in the circus
> >
> > $ apropos 50gb
> > bnxt(4) - Broadcom NetXtreme-C/E 10/25/40/50Gb Ethernet device
> >
> > https://man.openbsd.org/bnxt.4
> >
> >
>
> Cable is usually single-mode fibre (duplex or simplex depending on which
> QSFP28 you use) or twinax DACs. There might also be some using multimode
> MTP cables but if there are, they're less common.
>
> Don't expect to get anywhere close to line rate with OpenBSD.
>
>
>


Re: Equipment for OBSD based firewall

2018-09-03 Thread Joel Wirāmu Pauling
But - The thing that isn't mentioned here is basically Power Cost and
Consumption vs PPS(Packet Processing Speed).

IMNSHO running on anything that doesn't:

A) Have passive Cooling
B) Is older than a couple of years (in intel/amd terms anything with a
TDPW above 65W)

 - is probably not a great idea. Mainly because the on-going cost of
supplying power to old junkers isn't worth what you can do with a
'newish' junker.

If you have free electricity, feel free to do what you like I guess.


-Joel



On 4 September 2018 at 15:10, Bogdan Kulbida  wrote:
> Ingo,
> I so much enjoyed reading your answer. Thanks a lot for sharing.
>
> -Bogdan
>
> On Mon, Sep 3, 2018 at 20:04 Ingo Schwarze  wrote:
>
>> Hi Bogdan,
>>
>> Bogdan Kulbida wrote on Mon, Sep 03, 2018 at 04:17:51PM -0700:
>>
>> > I need to build a pf OBSD firewall for a small office. What minimally
>> > feasible equipment would you recommend in order to achieve this goal?
>>
>> I seriously doubt that you can find anything in the trash that isn't
>> seriously oversized.
>>
>> In 2001, i ran an OpenBSD 2.7 firewall with ipf(4) on an
>> Intel 486-SX25 (25 MHz) with 24 MB (not GB!) RAM, a system
>> disk of 100 MB (not GB!) and a /var/ disk of another 100 MB.
>> The about ten concurrent users were happy with it for years.
>>
>> OK, that would no longer work because the SX25 had no numerical
>> coprocessor which is now required to run OpenBSD, and it required
>> some fiddling to fit the system installation into 100 MB.  But it
>> always routed the traffic fast enough.
>>
>> Currently, one of my office firewalls runs on:
>>
>>  - CPU: AMD-K6 234 MHz (yes, a quarter of a GHz)
>>  - RAM: 128 MB (yes, an eighth of a GB)
>>  - HD: ATA (not SATA!) UDMA-2, 3 GB (not 300 GB!)
>>
>> The only reason the machine is *THAT* large is that at the time it
>> was selected, we no longer had any smaller dismantled desktop
>> machines in the trash.  I don't have the slightest doubt that a
>> much smaller machine would also be fine - certainly with half of
>> everything, like 100 MHz, 64 MB RAM, 1 GB disk.
>>
>> And since then, i'm too lazy to pull something newer from the trash
>> to replace it - because it just works.
>>
>> As a matter of fact, i'm sending this email over it...
>>
>> Yours,
>>   Ingo
>>
> --
> ---
> Best regards,
> Bogdan Kulbida
> Founder and CEO, Konstankino LLC 
> +1.802.793.8295



Re: Need an advice: Raspberry Pi3 B+ or Pine64 ROCK64

2018-08-27 Thread Joel Wirāmu Pauling
Hi Aaron - I have a Rangeley C2xxx sitting on my desk right now. It's a
lanner rebadged as Nuage NSG-E.

This platform is able to do around 3.6gbit through it without
encryption (and around 1.3gbit total if encryption is turned on
everything). This one has 4 Intel igb 345 cards and 2 i210's - it's
designed as an SDN box. I use it with Openvswitch; but it's dual core
only and struggles with enough resources to be useful for dpdk (it
also has to use the older UIO shim drivers due to not supporting
undirected IO on the NIC cards) ; so ovs sans dpdk - if it had 4 cores
it might be a bit better. There is some QAT offload stuff that is a
PITA to get working as intel dropped support for that particular SoC
flavour years ago.

Despite it having far more ports,hardware watchdog, serial console and
gpio's which my cheap n3160's lack (2* realtek cards) the n3160 is
actually better performing.

On 28 August 2018 at 04:55, Aaron  wrote:
> Have you considered any of intel’s atom c2000 or c3000 series SoC? I have 
> openbsd running with several services, multiple vlans and a 500 down 20 up 
> internet connection I can saturate on a c2000 series board
>
> Sent from my iPhone
>
>> On Aug 26, 2018, at 5:26 AM, Carlos López  wrote:
>>
>> Hi all,
>>
>> I am considering to buy an ARM based device to use it with OpenBSD as a 
>> personal/portable firewall, IDS and Tor gateway.
>>
>> My only requirements are:
>>
>> a/ OpenBSD well hardware's supported
>> b/ Best network throughput
>>
>> It seems Raspberry 3 B+ maybe the best option, but I am not pretty sure.
>>
>> Any advice?
>>
>> --
>> Greetings,
>> C. L. Martinez
>>
>



Re: Need an advice: Raspberry Pi3 B+ or Pine64 ROCK64

2018-08-27 Thread Joel Wirāmu Pauling
On 28 August 2018 at 05:26, Joseph Mayer  wrote:
> Joel,
>
> Are you saying you gave up on using the PCIe at all?
>
> There's a 4-lane PCIe connector on the Rock64 right, aren't those
> dedicated lanes, and, if they'd somehow be shared with any other
> hardware, then you should still have supposedly >90% of the 16gbps
> capacity available?
>
> Did you try connecting some multiport 1gbps or 10gbps PCIe NIC?

That's where my Wireless card goes - so it's not very useful.


My general experience with the Arm SBCs vs the Intel SoCs is that
the Arm SBCs generally have screwed up some fundamental bus sharing
in their designs (either placing the USB controller so it shares
bandwidth with the GMAC, or exposing only a single x4 PCI lane (which
inevitably gets used by Wireless - unless you want to stick with the
onboard wireless which suffers from the first problem)).


>
> Geekbench figures indicate that RK3399 and Celeron N3160 should perform
> fairly similarly.
>
> https://browser.geekbench.com/v4/cpu/search?q=rk3399
> https://browser.geekbench.com/v4/cpu/search?utf8=%E2%9C%93=n3160
> https://ark.intel.com/products/91831/Intel-Celeron-Processor-N3160-2M-Cache-up-to-2_24-GHz


The first test I normally subject my boxes too is localhost flent
(which is mostly netperf/iperf3/iperf under the hood) which provides a
bunch of test suites which are relatively good at finding out where
the Packet gen/receive limits are and if there is jitter - and provide
a starting point for further investigation. Irtt (which is written in
go) is also a really useful tool to figure out latencies (it times
sleep accuracy) on the SoC's.

Note the Arm boards don't have AES-NI either, so once you start
playing with VPN it gets pretty bad in comparison. (Some of the newer
arms do have AES offloads but - implementations are varied, the H3/H5
sunxi platform is where I am focused on at the moment - but not for
network stuff)
>
> On August 27, 2018 5:51 PM, Joel Wirāmu Pauling  wrote:
>> I do actually have an rk3399 (firefly) - like you I also had high hopes for 
>> it.



Re: Need an advice: Raspberry Pi3 B+ or Pine64 ROCK64

2018-08-27 Thread Joel Wirāmu Pauling
I do actually have an rk3399 (firefly) - like you I also had high hopes for it.

It's still the best out of the Arm boards I've tried, but the lanes
are shared with the GMAC on the SoC so you end up not getting what you
might hope for; you can Sorta get another Gigabit port by using the
USB-C port and a reasonably good adaptor; but latencies are all over
the board when you start to wire in the network over USB NICs.

Sustained duplex Gigabit is mostly achievable. But again for the
price/performance the n3160 that currently is my gateway blows it out
of the water. And the firefly was twice as expensive.


On 28 August 2018 at 00:15, Joseph Mayer  wrote:
> On August 26, 2018 3:16 PM, Joel Wirāmu Pauling  wrote:
> ..
>> I have a bunch of various SBC and they all suck pretty bad for network
>> tasks. Fine for random server tasks but don't put them in your network
>> path unless you like artificial bottlenecks.
>
> Please note that the RK3399 (e.g. Pine64 ROCK64) supports a normal PCIe
> networking card, and its PCIe bus bandwidth is four PCIe version 2.1
> lanes, meaning 4 x 4 gbps = 16gbps = 2GBps.
>
> I have not benchmarked this and do not know how this compares with
> Octeon, but it should be decent-to-very-good.
>
> http://opensource.rock-chips.com/images/6/60/Rockchip_RK3399_Datasheet_V1.6-20170301.pdf



Re: Need an advice: Raspberry Pi3 B+ or Pine64 ROCK64

2018-08-27 Thread Joel Wirāmu Pauling
Yeah I got excited about the MacchiatoBin when I first saw it - it's
possibly the first non-x86 SOHO router that can actually do 14MPPS
needed for 10G in the home.

BUT

The Copper ethernet situation is problematic, the original design
shares the PCI Bus with the SFP Slots to provide copper 10G option.
however Copper 10G is relatively shite unless you are lucky enough to
have Cat6a/Cat7 run everywhere.

What I really would like to see is the Aquantia 407 Silicon paired
with Dual SFP+ and a Beefy enough SoC to do L3 14MPps. The Aquantia
stuff is the 10GBase-X (802.3bz) auto rate negotiation stuff which
should finally bring faster than 1G networks to the home (and is
pretty much a must for the Wireless AX stuff). I would really like to
test the SoC in the Macchiato to see how and if it can actually
achieve 10G packet rates as it touts. It may be a bunch of 'Fastpath'
offload stuff which isn't actually very useful tbh.




On 27 August 2018 at 23:49, Karel Gardas  wrote:
> On Sun, 26 Aug 2018 15:52:48 +0200
> Patrick Wildt  wrote:
>
>> On the MacchiatoBin we don't support the onboard ethernet yet.  On the
>> EspressoBin we do support the ethernet controller, but the connected
>> switch is a mess that I don't dare to support.  Got other stuff to do.
>> Though I am working on partial EspressoBin support for the upcoming
>> Turris Mox.
>
> What do you plan to support on Mox? Just basic module? If so, do you plan to 
> support USB too so one can at least connect second NIC over USB? I see CZ.NIC 
> does not make module with just another NIC and if you claim switch is a mess 
> I'm curious how to make from this a router with >1NIC.
>
> Thanks!
> Karel
>



Re: Need an advice: Raspberry Pi3 B+ or Pine64 ROCK64

2018-08-26 Thread Joel Wirāmu Pauling
Still IME best bang for buck is n3160 ATOM based mini-pc's there are
several vendors (Jetway/Qotom) and you can get an AES-NI capable 4
core machine with dual NICs that will do 5Gbit Duplex on the nose for
less than 90$ USD.

I know intel isn't the flavour of the month, but these machines lack
Management Engine or SMT - which at least makes them slightly less
dire than more beefy SoC's from Chipzilla.

On 26 August 2018 at 23:00, Stuart Henderson  wrote:
> On 2018-08-26, Carlos López  wrote:
>>
>>
>> On 26/08/2018 11:46, Joel Wirāmu Pauling wrote:
>>> netboot works fine. However almost all of the Arm platforms including
>>> the Rpi3 make terrible gateways and in general l3 packet path
>>> machines.
>>>
>>> I have a bunch of various SBC and they all suck pretty bad for network
>>> tasks. Fine for random server tasks but don't put them in your network
>>> path unless you like artificial bottlenecks.
>>>
>>> The Machiattobin and/or Espressobin platforms are probably the best
>>> for network appliance usage. I haven't got one to see if Openbsd works
>>> on them at all tho.
>>>
>>>
>>
>> Uhmm ... Interesting point Joel ... Searching both SBC, maybe
>> Espressobin is best option than Machiattobin ...
>>
>> Has anyone tried any of them?
>
> The MACCHIATObin is listed on arm64.html as having some support, the
> ESPRESSObin isn't.
>
> If ARM isn't an absolute requirement, I think one of the smaller Octeon
> machines (probably EdgeRouter Lite or USG) is likely to be a better choice
> for your intended use, and may also be easier to buy locally than some of
> the ARM development platforms. https://www.openbsd.org/octeon.html
>
>



Re: Need an advice: Raspberry Pi3 B+ or Pine64 ROCK64

2018-08-26 Thread Joel Wirāmu Pauling
netboot works fine. However almost all of the Arm platforms including
the Rpi3 make terrible gateways and in general l3 packet path
machines.

I have a bunch of various SBC and they all suck pretty bad for network
tasks. Fine for random server tasks but don't put them in your network
path unless you like artificial bottlenecks.

The Macchiatobin and/or Espressobin platforms are probably the best
for network appliance usage. I haven't got one to see if Openbsd works
on them at all tho.


On 26 August 2018 at 21:33, Alfredo “Fred” Vogel  wrote:
> Hi hola,
> The raspi is fiddly for installing openbsd. One needs a special usb cable to 
> install obsd because there is no driver for the sdcard booting device!
> Regards
> Alfredo
> On 26 Aug 2018, 10:30 +0100, Carlos López , wrote:
>> Hi all,
>>
>> I am considering to buy an ARM based device to use it with OpenBSD as
>> a personal/portable firewall, IDS and Tor gateway.
>>
>> My only requirements are:
>>
>> a/ OpenBSD well hardware's supported
>> b/ Best network throughput
>>
>> It seems Raspberry 3 B+ maybe the best option, but I am not pretty sure.
>>
>> Any advice?
>>
>> --
>> Greetings,
>> C. L. Martinez
>>



Re: OT: Temperature sensors suggestions?

2018-05-19 Thread Joel Wirāmu Pauling
I would suggest bme280 sensor.

If you have a spare VGA port you can use the DDC bus as i2c and plug
directly into it with a modified VGA cable. Other wise yeah esp8266 module
+ bme280 for 5$ is going to give you the best result.

On Fri., 18 May 2018, 4:01 pm Base Pr1me,  wrote:

> I roll SHT31-Ds through ESP8266s via I2C. Of course, there is programming
> involved.
> Good hardware though, if that's what you're looking for.
>
> On Fri, May 18, 2018 at 2:42 PM, Daniel Ouellet 
> wrote:
>
> > Does anyone have a decent temperature sensors that can connect to an
> > OpenBSD server and be reliable and give any decent reading via either
> > USB or Serial port or even stand alone via Ethernet?
> >
> > I asked because yes I can use the sensors on some servers, but I got a
> > pretty expensive router blowing up because an AC unit stop working and
> > in a few hours the router was history and I need something reliable so I
> > can graph the changes in temperature to keep track of things.
> >
> > I got lucky this time as that using was providing 192 VoIP channels and
> > I had just moved them from PRI to full SIP like a month earlier. If I
> > haven't done that it would have been a disaster for me!
> >
> > So, I need more then just servers sensors so I can place these at
> > various location to get a better idea of what's going on.
> >
> > I don't understand why it is so difficult to have decent AC technician
> > keep AC units working properly. It's not like brain surgery, but that's
> > always a problem.
> >
> > Anything you know or use that is reliable that you can recommend would
> > be very much appreciated.
> >
> > I am trying to keep it simple, so using base tools in OpenBSD is a must,
> > no proprietary shit or Windows crap like I found tonnes of them. I have
> > NO Windows systems for 20+ years already and I am sure hell not going to
> > install any either. I try to keep it simple. Even snmp reading is find.
> > Simpler the better. I can grab the reading and save to a database to
> > graph later and what not. I got two self standing units in the pass,
> > nice but they get hacked and not useful obviously, so add-on to OpenBSD
> > is better to me. I trust that way more then all the self standing units,
> > records proving it...
> >
> > If that's no interest for the list fell free to reply off line as well,
> > but I guess some might like to know too.
> >
> > Thanks in advance for any suggestions...
> >
> > Daniel
> >
> >
>


Re: 4-ports router under $150

2018-04-12 Thread Joel Wirāmu Pauling
The Denverton SoC's when and if they get paired with reasonably priced
Mobo's will do 10G; Price wise for the SoC itself they are sub 150$

Currently if you want to be able to do the above on the cheap you need to
look towards non-fanless parts like a u6100 or similar

On 13 April 2018 at 12:48, Tom Smyth <tom.sm...@wirelessconnect.eu> wrote:

> Not at 150$ ... sorry will u get 10G kit let alone line rate 10G kit...
>
>
> On Fri 13 Apr 2018, 01:46 Joel Wirāmu Pauling, <j...@aenertia.net> wrote:
>
>> Can they do 14MPPS aka 10GBIT ?
>>
>> That's what I am looking for in pretty much in anything I would vaguely
>> consider to replace the n3160's I have as my target devices at the moment.
>>
>>
>>
>> On 13 April 2018 at 11:28, Sterling Archer <deb...@gmail.com> wrote:
>>
>> > On Thu, Apr 12, 2018 at 9:41 PM, Joel Wirāmu Pauling <j...@aenertia.net
>> >
>> > wrote:
>> > > Not that I am shitting on the e350 platform but;
>> >
>> > E350 is the Bobcat CPU, the PC Engines APU devices all have a 4 core
>> > Jaguar CPU, which is quite a lot more powerful.
>> >
>> > --
>> > :wq!
>> >
>>
>


Re: 4-ports router under $150

2018-04-12 Thread Joel Wirāmu Pauling
Can they do 14MPPS aka 10GBIT ?

That's what I am looking for in pretty much in anything I would vaguely
consider to replace the n3160's I have as my target devices at the moment.



On 13 April 2018 at 11:28, Sterling Archer <deb...@gmail.com> wrote:

> On Thu, Apr 12, 2018 at 9:41 PM, Joel Wirāmu Pauling <j...@aenertia.net>
> wrote:
> > Not that I am shitting on the e350 platform but;
>
> E350 is the Bobcat CPU, the PC Engines APU devices all have a 4 core
> Jaguar CPU, which is quite a lot more powerful.
>
> --
> :wq!
>


Re: 4-ports router under $150

2018-04-12 Thread Joel Wirāmu Pauling
Not that I am shitting on the e350 platform but;

a) Where are you finding 4 Gigabit port versions of the MB's with APU?
b) When I had one of these to test a few years ago they had some quite bad
bus performance, which caused quite a lot of jitter/contention delay when
using PCI-E peripherals - would be interested to see some benchmarks vs the
Celeron/Atom 22nm process Intel equivalents.

On 13 April 2018 at 02:47, jungle Boogie  wrote:

> On 10 April 2018 at 16:09, Stuart Henderson  wrote:
> > On 2018-04-08, Patrick Dohman  wrote:
> >> As much as I’d rather not point the blame I found the APU platform
> buggy when running OpenBSD.
> >> Yes there are reports of stability with other O.S however subtle
> hardware/firmware bugs appeared on several OpenBSD releases.
> >
> > APU and APU2 are both rock solid for many people on OpenBSD. If seeing
> > problems there I would first look for hardware issues e.g. is the power
> > supply faulty, or are there any mPCIe cards that might be causing
> > problems?
> >
> >
>
> It's awesome to know how with the apu2's are running. The other boards
> from aliexpress are probably okay, but in the end, seem more
> expensive.
> What's been linked here from aliexpress doesn't include RAM or HDD.
>
> Here's a link to a github repo on setting up openBSD:
> https://github.com/elad/openbsd-apu2/blob/master/README.md
>
> --
> ---
> inum: 883510009027723
> sip: jungleboo...@sip2sip.info
>
>


Re: 4-ports router under $150

2018-04-10 Thread Joel Wirāmu Pauling
That sounds bang on what MIPS64 Qualcomm AR7xxx platforms can do
~400-500mbit slow path operations is pretty much peak you see with them
regardless of implementation.

-Joel

On 10 April 2018 at 20:38, Tom Smyth  wrote:

> Hi Michael,
>
> I did some brief testing on 6.1/ 6.2
> simple routing 780Mb./s TCP performance simple routed
> with GRE tunnels about 450 Mb/s TCP Performance simple routed
> +Gre Encapsulation
> (1500 byte packets)
>
>
>
> On 8 April 2018 at 17:02, Michael Price  wrote:
> > Was it an apu2c4 by any chance? I was thinking about picking one of those
> > up and was curious as to what kind of packet rates people were seeing
> with
> > them.
> >
> > Michael
> >
> > On Sun, Apr 8, 2018 at 1:41 AM, flipchan  wrote:
> >
> >> I run a apu board with 3 ports with openbsd 6.2 and coreboot, i
> recommend
> >> it
> >>
> >> On April 8, 2018 2:01:50 AM UTC, jungle boogie  >
> >> wrote:
> >> >Thus said Jordan Geoghegan on Sat, 7 Apr 2018 17:57:16 -0700
> >> >> The Edgerouter 6 is going to be coming out shortly, that is what I am
> >> >
> >> >> holding out for to run my home network on.
> >> >>
> >> >>
> >> >
> >> >Just curious, why this and not amd64 bit with something like the
> >> >pcengine apu2 board? I know it only has three NICs, so it's likely a
> >> >non-started for the OP, but it's 64bit amd.
> >> >
> >> >I don't know the MSRP of the ER6. Do you?
> >>
> >> --
> >> Take Care Sincerely flipchan layerprox dev
> >>
>
>
>
> --
> Kindest regards,
> Tom Smyth
>
> Mobile: +353 87 6193172
>
>


Re: 4-ports router under $150

2018-04-08 Thread Joel Wirāmu Pauling
You can get 4-port J1900s for sub $100 off AliExpress. If you don't
care about AES-NI they do 5gbit duplex slow path L3 forwarding just fine.

If you want AES-NI then these are the cheapest:
https://www.aliexpress.com/item/Minisys-4-Lan-pfsense-minipc-Intel-atom-E3845-quad-core-mini-itx-motherboard-linux-firewall-computer/32825684280.html

On 9 April 2018 at 12:20, Anatoli  wrote:

> Guys, thank you all for your recommendations.
>
> > I know it only has three NICs, so it's likely a non-started for the OP
>
> Yepp, there are a lot of nice devices with 3 NICs, but I need at least 4
> and actually I don't need more than 5.
>
>
> > The Edgerouter 6 is going to be coming out shortly, that is what I am
> holding out for to run my home network on
> > I think the ER6 is going to be retailing for about $220
>
> It's a nice device for the suggested price, but it's a bit expensive for
> my project. I need a number of the devices, the idea is not to surpass $150.
>
>
> > https://ru.aliexpress.com/item/QOTOM-310G4-3215U-Barebone-
> mini-pc-Dual-core-4-nics-Mini-pc-Ubuntu-Industrial-desktop-
> Computer/32769767156.html
> > This is what I bought for similar purposes.
> > It has 4 Intel Gigabit ports and their efficiency is 99%.
>
> Thanks Максим, looks interesting, but again it's a bit expensive. The
> basic version with RAM costs about $232.
>
>
> > apu4b4 provides 4 intel NICs: http://pcengines.ch/apu4b4.htm
>
> Thanks a lot Karel, I didn't know there was an apu4 board. I guess this is
> the device I'm looking for. Though, there's no information on internet
> about it, even the official page doesn't provide links to it, it appears
> only on the order page. Was it released just recently? Can you confirm it's
> working well with OpenBSD 6.2/6.3?
>
> Do you know where to buy it? On the official order page (
> http://www.pcengines.ch/newshop.php?c=4) it says "No stock".
>
> Regards,
> Anatoli
>
> *From:* Karel Gardas
> *Sent:* Sunday, April 08, 2018 09:39
> *To:* Jungle Boogie
> *Cc:* Misc
> *Subject:* Re: 4-ports router under $150
>
>
> On Sat, 7 Apr 2018 19:01:50 -0700
> jungle boogie  wrote:
>
> Thus said Jordan Geoghegan on Sat, 7 Apr 2018 17:57:16 -0700
>>
>>> The Edgerouter 6 is going to be coming out shortly, that is what I am
>>> holding out for to run my home network on.
>>>
>>>
>>> Just curious, why this and not amd64 bit with something like the
>> pcengine apu2 board? I know it only has three NICs, so it's likely a
>>
>
> apu4b4 provides 4 intel NICs:
>
> http://pcengines.ch/apu4b4.htm
>
>
>
>
>


Re: Re : Suggestions home server

2017-12-17 Thread Joel Wirāmu Pauling
Agree with the J1900 experiences. The N3160s can be had for roughly the
same price (2-port variants), are a generation newer (14nm), support
AES-NI and are far more capable for mixed workloads.

On 18 December 2017 at 11:48, Oliver Marugg  wrote:
> On 14 Dec 2017, at 20:24, gro...@grompf.net wrote:
>
>> Bonjour,
>>
>> For my own personal purpose, i'm using coolermaster 110, 120, 130 cases
>> with some asrock low cost and low power mini-itx boards.All other parts
>> are common ones. It's not the «best & most power full setup» but it's
>> silent and my small ups announces 5 days of autonomy with openbsd on
>> this. Anyway it's very well supported as long as you don't select
>> braswell and alike cpus.
>>
>> Regards,
>> Eric
>
>
> Thanks Eric, I verified this option with a J1900 or equivalent low power
> cpus/boards. I think to use vmm in future they seem a bit underpowered for
> my purpose.
>



Re: Chip cheaper than chips

2017-12-02 Thread Joel Wirāmu Pauling
You can get barebone C3xxx series Atom boards from Supermicro.

My personal interest is the variants that come with dual SFP+
interfaces. It's a pity that there is no Thunderbolt 3 on them by
default (free 10/40gbit networking).

On 3 December 2017 at 08:54, Rupert Gallagher  wrote:
> Do you have any reference on Intel M.E. being present on Atom C3308?
>
> Sent from ProtonMail Mobile
>
> On Sat, Dec 2, 2017 at 20:14, Kevin Chadwick  wrote:
>
>> On Sat, 02 Dec 2017 03:11:23 -0500
>>> IME (vPro) is included in Xeon and Core chips. Atom is clear of it.
>>
>> Just checked. Perhaps the older ones but I doubt that. The latest Atom
>> Apollo Lake E3s even PROVIDE "Access to user memory". Which I believe
>> means the entire RAM and if so is quite ridiculous!! I am sure it will
>> change however the current working exploits require access to a USB
>> port, though the OS has access and could turn malware into HW resident
>> malware. OpenBSD is as good a protection as you will get there though
>> and probably even better for future exploits.
>>
>> I am still unclear as to whether a properly set up Trusted Execution
>> Engine can protect the system. I guess from persistent firmware
>> invasion, but not protect kernel memory access or prevent an attacker
>> gaining knowledge for gadgets (if one can get to a Debug USB from
>> userland) or worse.
>>
>> Reminds me of IPv6 to some degree but worse. Take a small problem and
>> expand it until you have potential for undermining everything. The most
>> ironic is Intel's recent adverts for not trusting software but HW
>> instead. Can be true in an application specific fashion but even then
>> it has to be done right.
>>
>> Unfortunately the latest hardware is much cheaper so it isn't
>> necessarily as simple as just using some older stuff that may just be
>> less understood, unless you go further into obsolescence territory.
>> AMD is *maybe* an option but they are moving higher end not cheaper by
>> the looks of it.



Re: Time management under QEMU-KVM

2017-09-15 Thread Joel Wirāmu Pauling
As I said, I've been using tlsdate to set the time initially before running
ntpd. This resolves most of the aforementioned issues, and also the quite
common case of being out of reach of public time servers due to network
restrictions.

On 15 September 2017 at 23:23, Stuart Henderson <s...@spacehopper.org> wrote:

> On 2017-09-15, Maksym Sheremet <mshere...@sheremets.com> wrote:
> > On Thu, 14 Sep 2017 23:46:14 +1200
> > Joel Wirāmu Pauling <aener...@aenertia.net> wrote:
> >
> >> Run NTPd on the hypervisor and NTP client In VM. Run ntpdate at boot
> before
> >> starting NTPd on the client to ensure the stepping is not too far off
> >> first.
> >
> > What is the reason to run ntpdate on boot? The "-s" flag of ntpd(8) sets
> time immediately at startup.
>
> It's rdate, not ntpdate, on OpenBSD.
>
> ntpd -s works as long as either A) the clock isn't too far off, or B) you
> don't use the default "constraints from" option.
>
>
>


Re: Time management under QEMU-KVM

2017-09-15 Thread Joel Wirāmu Pauling
That works too -

On 15 September 2017 at 21:28, Maksym Sheremet <mshere...@sheremets.com>
wrote:

> On Thu, 14 Sep 2017 23:46:14 +1200
> Joel Wirāmu Pauling <aener...@aenertia.net> wrote:
>
> > Run NTPd on the hypervisor and NTP client In VM. Run ntpdate at boot
> before
> > starting NTPd on the client to ensure the stepping is not too far off
> > first.
>
> What is the reason to run ntpdate on boot? The "-s" flag of ntpd(8) sets
> time immediately at startup.
>
> >
> > On 14 Sep. 2017 11:35 pm, "Aaron Marcher" <m...@drkhsh.at> wrote:
> >
> > Hi all,
> >
> > I have a weird problem on my OpenBSD server. It is a virtualized guest
> > under QEMU-KVM. Apparently time management is completely off. With HPET
> and
> > normal HW-clock the command "time sleep 1" shows a little bit more than a
> > second after a fresh boot. After a few hours the result is about 10
> > seconds. Additionally the clock drifts slowly. The problem is on OpenBSD
> > 6.1 with all syspatches applied.
> > Does anybody know how to fix the problem?
> > Thank you very much in advance!
> >
> > Regards,
> > Aaron Marcher
> >
>
>


Re: Time management under QEMU-KVM

2017-09-14 Thread Joel Wirāmu Pauling
No idea. I've been using tlsdate (https://github.com/ioerror/tlsdate)
inside my cloud VM images recently to set the initial time, as a lot of the
time NTP traffic is firewalled, whereas there is generally an HTTPS source
you can reach from inside locked-down networks.



On 15 September 2017 at 03:46, Rui Ribeiro <ruyrybe...@gmail.com> wrote:

> Hi,
>
> Does ntpd support "tinker panic 0" like the Linux one?
>
> On 14 September 2017 at 12:46, Joel Wirāmu Pauling <aener...@aenertia.net>
> wrote:
>
>> Run NTPd on the hypervisor and NTP client In VM. Run ntpdate at boot
>> before
>> starting NTPd on the client to ensure the stepping is not too far off
>> first.
>>
>> On 14 Sep. 2017 11:35 pm, "Aaron Marcher" <m...@drkhsh.at> wrote:
>>
>> Hi all,
>>
>> I have a weird problem on my OpenBSD server. It is a virtualized guest
>> under QEMU-KVM. Apparently time management is completely off. With HPET
>> and
>> normal HW-clock the command "time sleep 1" shows a little bit more than a
>> second after a fresh boot. After a few hours the result is about 10
>> seconds. Additionally the clock drifts slowly. The problem is on OpenBSD
>> 6.1 with all syspatches applied.
>> Does anybody know how to fix the problem?
>> Thank you very much in advance!
>>
>> Regards,
>> Aaron Marcher
>>
>> --
>> Web: https://drkhsh.at/ or http://drkhsh5rv6pnahas.onion/
>> Gopher: gopher://drkhsh.at or gopher://drkhsh5rv6pnahas.onion
>> GPG: 0x09e71697435bf54b
>> Fingerprint: 57D2 5F2C 9402 A6BD FEF9 B3B6 09E7 1697 435B F54B
>>
>
>
>
> --
> Regards,
>
> --
> Rui Ribeiro
> Senior Linux Architect and Network Administrator
> ISCTE-IUL
> https://www.linkedin.com/pub/rui-ribeiro/16/ab8/434
>
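The tlsdate approach mentioned in this thread (bootstrap the clock from an HTTPS source when NTP is firewalled, then hand over to ntpd) can be shown as an added example that is not part of the original posts and is not tlsdate's own code. It reads the HTTP `Date` header from a constructed response, decides whether the local clock needs stepping before ntpd starts, and rejects samples older than a known-good floor. The floor value, the 60-second step threshold and the sample response are assumptions made for the example; only `fetch_https_date` touches the network, and it is not used by the offline path.

```python
import email.utils
import http.client
import ssl
import time

# Constructed HTTPS response (not a real capture). Only the Date header
# matters; it is what a tlsdate-style bootstrap reads when NTP is blocked.
SAMPLE_RESPONSE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 15 Sep 2017 11:23:45 GMT\r\n"
    "Server: example\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Assumed policy values, not from the thread: any remote time before the
# floor is garbage (captive portal, bogus server), and beyond the step
# threshold we step the clock rather than let ntpd slew it.
KNOWN_GOOD_FLOOR = 1500000000   # 2017-07-14, the "build date" of this example
STEP_THRESHOLD = 60             # seconds


def parse_http_date(headers: str) -> int:
    """Return the Date: header of an HTTP response as Unix time (UTC)."""
    for line in headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "date":
            dt = email.utils.parsedate_to_datetime(value.strip())
            return int(dt.timestamp())
    raise ValueError("no Date header in response")


def plan_time_sync(remote: int, local: int,
                   floor: int = KNOWN_GOOD_FLOOR,
                   step_threshold: int = STEP_THRESHOLD) -> str:
    """Decide what to do with one remote time sample.

    'reject': older than the floor, so it cannot be right.
    'step':   local clock is too far off for ntpd to slew; set it first.
    'slew':   close enough; start ntpd and let it discipline the clock.
    """
    if remote < floor:
        return "reject"
    if abs(remote - local) > step_threshold:
        return "step"
    return "slew"


def fetch_https_date(host: str, port: int = 443, timeout: float = 5.0) -> int:
    """Fetch the Date header over TLS with certificate verification.
    This is the only network call; the offline sample above never uses it."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        date_hdr = resp.getheader("Date")
        if date_hdr is None:
            raise ValueError("server sent no Date header")
        return int(email.utils.parsedate_to_datetime(date_hdr).timestamp())
    finally:
        conn.close()


if __name__ == "__main__":
    # Offline demonstration against the constructed response.
    remote = parse_http_date(SAMPLE_RESPONSE_HEADERS)
    local = int(time.time())
    print("remote", remote, "local", local, "->", plan_time_sync(remote, local))
```

HTTP Date has one-second resolution and includes the server's processing latency, so this is only good enough to get the clock within ntpd's stepping range; it is not a substitute for ntpd itself. Verifying the certificate matters here: an unauthenticated source would let an on-path attacker set the clock and with it the validity window of every certificate checked afterwards.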


Re: Time management under QEMU-KVM

2017-09-14 Thread Joel Wirāmu Pauling
Run ntpd on the hypervisor and an NTP client in the VM. Run ntpdate at boot
before starting ntpd on the client to ensure the stepping is not too far off
first.

On 14 Sep. 2017 11:35 pm, "Aaron Marcher"  wrote:

Hi all,

I have a weird problem on my OpenBSD server. It is a virtualized guest
under QEMU-KVM. Apparently time management is completely off. With HPET and
normal HW-clock the command "time sleep 1" shows a little bit more than a
second after a fresh boot. After a few hours the result is about 10
seconds. Additionally the clock drifts slowly. The problem is on OpenBSD
6.1 with all syspatches applied.
Does anybody know how to fix the problem?
Thank you very much in advance!

Regards,
Aaron Marcher

-- 
Web: https://drkhsh.at/ or http://drkhsh5rv6pnahas.onion/
Gopher: gopher://drkhsh.at or gopher://drkhsh5rv6pnahas.onion
GPG: 0x09e71697435bf54b
Fingerprint: 57D2 5F2C 9402 A6BD FEF9 B3B6 09E7 1697 435B F54B


Re: Can I bind USB/other interface/device number (e.g. cdceX) to particular MAC, USB serial number or the like?

2017-06-01 Thread Joel Wirāmu Pauling
I don't know the bridge code in OpenBSD as well as I know it in Linux.
Basic bridges don't add any appreciable overhead on that platform until you
start mucking around with bridge-specific things.

It just means you maintain an ARP table distinct from each sub-interface.

tl;dr: it's not going to hurt your performance.



On 2 June 2017 at 14:37, Tinker <ti...@openmailbox.org> wrote:

> In the kernel, however, that implies an internal indirection/one or more
> additional rounds of copying all traffic and passing it around, right? So
> even if it works quite well, it's not optimal, right?
>
> Anyhow sure that is an effective workaround if needed.
>
>
> On 2017-06-02 02:20, Joel Wirāmu Pauling wrote:
>
>> There are several ways of doing this.
>>
>> I suggest just using a bridge and adding a bunch of sub-devices into
>> it.
>>
>> On 2 June 2017 at 14:00, Tinker <ti...@openmailbox.org> wrote:
>>
>> Wait, can you give an example of how that would work?
>>>
>>> I was not aware of any aliasing mechanism e.g. I could designate
>>> "cdce10001" or "virt10001" to be the cdce that has MAC so and so.
>>>
>>> On 2017-06-02 01:12, Joel Wirāmu Pauling wrote:
>>> You can use a Virtual Interface/Alias that is consistent so that
>>> you
>>> don't need to change scripts/etc in relation to network config - I
>>> believe this is suggested in several man pages etc as a solution to
>>> consistent interface naming.
>>>
>>> On 2 June 2017 at 12:50, Tinker <ti...@openmailbox.org> wrote:
>>>
>>> On 2017-06-02 00:45, Joe Gidi wrote:
>>>
>>> Good news! You can have this already.
>>>
>>> Yay!
>>>
>>> Go run Linux.
>>>
>>> Em -
>>>
>>> Nay!
>>>
>>> No yay. Hope to see a solid solution to this problem on a
>>> non-crappy OS soon.
>>>
>>
>


Re: Hardware recommendations for compact 1U firewall

2016-12-18 Thread Joel Wirāmu Pauling
If someone hasn't already mentioned it: Lanner http://www.lannerinc.com/

On 19 December 2016 at 18:08, Aaron Mason  wrote:

> Thanks for some additional fleabay search terms :)
>
> On Sat, Dec 17, 2016 at 2:59 PM, Nick Holland
>  wrote:
> > On 12/14/16 20:39, Aaron Mason wrote:
> >> All
> >>
> >> I'm looking for a 1U appliance that I can re-purpose into a firewall
> >> using OpenBSD.  I've tried the near-free method by using an old Lacie
> >> Ethernet Disk appliance I had lying around, but it turns out the
> >> onboard SATA chipset is toast on this particular unit (it freezes at
> >> CDBOOT when it detects hard drives and the BIOS freezes when I set it
> >> to IDE mode with drives attached, plus it only has one onboard NIC and
> >> one PCI slot, so I can't install another SATA card without removing
> >> the other NIC I installed), so I'm looking for other options that fit
> >> a limited budget.
> >
> > heh.  Little secret: if you look in many data centers, you will find
> > lots of 1U boxes with various titles -- security appliances, load
> > balancing devices, etc.  A lot of them, under the covers, are just PCs.
> > And a lot of data centers have 'em rotting on the racks after they have
> > been turned off and replaced, but no motivation to remove them.
> >
> > Just cleaned out some stuff from one of our data centers -- we had
> > three authentication devices and a couple "security appliances" that all
> > turned out to have the same SuperMicro board on them...some with Pentium
> > D, others with P4s...but both could pump a lot of packets through
> > gigabit NICs (two on board).  The security appliances were kinda cool in
> > that they have a LCD screen that looks like it could be accessed through
> > a USB serial port (better yet, when you powered up the box, the LCD
> > panel put up an advertisement, not for the security appliance maker, but
> > for the LCD panel...including a website.  Bet there are docs there! :)
> > (I once programmed the LCD panel of a Novell server to say, "WINDOWS
> > SUCKS".  Wasn't noticed for years, but when it was, my name was quickly
> > assumed as being responsible)
> >
> > We also had a couple odd little "load balancers" -- five NIC ports.  My
> > coworkers were skeptical about it being a standard PC under the cover.
> > Haven't tried to boot OpenBSD on them yet, but turns out the thing has a
> > 128M SATA DiskOnModule (flash memory on a SATA board), a 1G CF card, and
> > a SATA hard disk in the box.  Again, all in one U.
> >
> > And I'll admit there's a certain fun in bringing up another OS on
> > something like that.  And I HAVE to at least try to bring up OpenBSD on
> > them...so I can wipe the media before the hw is disposed of.  (Company
> > policy says "overwrite entire disk with random data", who's got the
> > fastest random number generator in town?  OpenBSD, of course!)
> >
> > Nick.
> >
>
>
>
> --
> Aaron Mason - Programmer, open source addict
> I've taken my software vows - for beta or for worse



Re: Why on earth would online voting be insecure?

2016-11-15 Thread Joel Wirāmu Pauling
On 15 November 2016 at 09:47, gwes  wrote:

> On 11/15/2016 00:55, Joel Wirāmu Pauling wrote:
>
>> So yes, back to my original point. A Civic's blockchain, one that does not
>> rely on the integrity (or rather is resilient to) the system it runs on,
>> or
>> the security of the transmission media ; as a platform for use in civic's
>> -
>> needs to exist first.
>>
>>
> Combining two systems entirely separate in concept, implementation,
> and space increases the probability of a correct answer. Three
> would be better. Using the electronic system as a supplement to
> the traditional one could be good as long as it does not compromise
> the virtues of the old system.
>
> The blockchain starts after the votes are entered. Two physically
> separate systems composed of entirely different CPUs and peripherals
> at the voting place would be good.
>
> You still haven't addressed the problems of privacy while casting
> the vote.
>
> I think that your concepts for the technical parts of the
> system are good. You haven't addressed some serious problems
> where your system can be subverted.
>
> Suggesting weekly votes is a very bad idea. Search science
> fiction, for instance, to see very plausible predictions
> of voter burnout.
>
> I think this is no longer a computer systems discussion.
>

This. Once you start to think about the problem further in terms of
distributing the ledger via a public blockchain, as the datastore and
mechanism for recording and verification, and that the blockchain exists
entirely independently of the systems it runs on, you are at least in the
right place to start tackling this issue.



Re: Why on earth would online voting be insecure?

2016-11-14 Thread Joel Wirāmu Pauling
So yes, back to my original point. A civics blockchain, one that does not
rely on the integrity of (or rather is resilient to) the system it runs on, or
the security of the transmission media, as a platform for use in civics,
needs to exist first.

Blockchains are relatively new and we are still discovering properties and
flaws in them, but I think if you view them as a data structure and as being
useful for certain things, they potentially mitigate a lot of traditional
security concerns. But we are a long way away from having them adopted as
an everyday tool. I've been on the NZ government panel on online voting,
and made a submission to the Canada electoral commission whilst living
here. Unfortunately people view online voting and make the false
comparison to banks: the "Well if some SSL-secured website cluster, backed by
some $sql database, in some $secure data centre is good enough for banks
..." fallacy, all the time.

The problem is a bank is a centralised system; they have legal
responsibilities, make calculated risk assessments and have insurance
coverage. You have a one-to-one relationship with them and have choice
(arguably) over choosing them or not. The trust relationship is between you
and your bank, that's it. The bank is responsible for liability to third
parties, not you.

Civic engagement by necessity needs to be verifiable, independent and
distributed, not reliant on central systems where you trust some entity to
negotiate on your behalf.

It is a lot more nuanced than it appears at first glance.

Would I design a voting station to run on OpenBSD ... sure... but I would
also design it to work on Linux, Windows or an abacus.

The paper comparison is a good one: blockchains provide a ledger
verifiable by hand (yes, with some hard math, but doable) but unlike paper
can't be lost or tampered with (the jury is still out on exactly the best
way to implement this...) and don't care how much they get graffitied
on while being passed around. You can also check your vote went where you
wanted it to go.

Talking about traditional databases and application system designs is
simply the wrong mindset.

On 15 November 2016 at 00:03, gwes  wrote:

> On 11/14/2016 22:19, Alan Corey wrote:
>
>> OK, it's relevant to OpenBSD because I wouldn't consider anything else
>> safe enough to run on the servers.  Not that I'm in a position to do
>> any of it.  The servers could even be run from custom official live
>> CDs so they were harder to tamper with, with maybe a RAM drive for
>> speed.
>>
>> There seems to be a conflict between having anonymous votes and having
>> something similar to paper ballots that can be recounted.  So let
>> authentication, identification, etc. be handled by one machine and
>> stored in one database then the transaction is handed over to another
>> machine which stores the votes.  That could be something simple like a
>> tab-delimited file which could be counted by hand, one line per voter.
>> The file could be only writeable by the owner. The same person can't
>> vote twice because the first machine wouldn't allow them in a second
>> time.
>>
>>
> How do you know if the voter is under duress or being watched?
>
> Paper can last two thousand years. It's pretty easy to make
> paper that can't be duplicated in any useful quantity.
> Functionally indelible ink, too.
>
> Using machines to assist voting is a good thing.
> Physical objects are much more convincing and easier to secure.
>
> Oh yes -- the magic ghost Intel has put in every processor
> for years. With a secret key -- security by obscurity.
> Disk drives can be secretly reprogrammed. Network interfaces
> have microcode, too. The memory system is also vulnerable
> to secret tampering. All of these are back doors which are
> or could be in place.
>
> Securing the system is far harder than securing a program
> or group of programs.
>
> Geoff Steckel



Re: Why on earth would online voting be insecure?

2016-11-14 Thread Joel Wirāmu Pauling
You need a civic blockchain or some such that guarantees data integrity
and agnosticism of the platform, that anyone can verify.

The interface into it (the mechanics), once you have a blockchain you can
issue tokens from, is the simple bit.

Not sure this is relevant for this list tho.

-Joel

On 14 November 2016 at 17:52, Alan Corey  wrote:

> This sounds like heel-dragging to me, or they're trying to do it under
> Windows or something:
> https://www.washingtonpost.com/news/post-nation/wp/2016/
> 05/17/more-than-30-states-offer-online-voting-but-
> experts-warn-it-isnt-secure/
>
> It seems simple to me, you use firewalls and only make the results
> writeable by the process that should be writing to it, probably
> nothing needs to have read access in the short term.  As far as
> security after the election, mount the servers in a Brinks truck or
> something, it just sounds like a ludicrous excuse.
>
> Something like: for each election the town government mails you a
> random number that's your key to vote that election. You go to a
> website and put in your town, name, SSN, and the key. If somebody
> steals the mail they won't have your SSN. If Russian hackers or
> whoever tries to impersonate you online they won't have the key. It's
> bringing those 2 pieces of information plus your name and town
> together that makes it secure. Just guessing. Did I overlook anything?
>
> --
> Credit is the root of all evil.  - AB1JX



Re: Why isn't "sort -R" random?

2016-11-04 Thread Joel Wirāmu Pauling
Pipe through uniq and you'll get what you are after.

It is the design intent for sort; as others point out, this behaviour is
documented.

On 4 November 2016 at 11:47, Christian Gruhl  wrote:

> Hi minek,
>
> On 11/04/2016 04:41 PM, minek van wrote:
> > Hello,
> >
> > # strings /dev/arandom | grep -o '[[:print:]]' | head -100 > a.txt
> > # sort -R a.txt
> > K
> ...
> > 9
> > # uname -mrs
> > OpenBSD 6.0 amd64
> > #
> > # sort -R a.txt > b.txt
> > # cksum b.txt
> > 3374888359 200 b.txt
> > # sort -R a.txt > b.txt
> > # cksum b.txt
> > 109071951 200 b.txt
> > # sort -R a.txt > b.txt
> > # cksum b.txt
> > 3441576000 200 b.txt
> > #
> >
> > from: http://man.openbsd.org/OpenBSD-current/man1/sort.1
> >
> >  -R, --random-sort, --sort=random
> >
> > Sort lines in random order. This is a random permutation of the
> inputs with the exception that equal keys sort together. It is
> implemented by hashing the input keys and sorting the hash values. The
> hash function is randomized with data from arc4random_buf(3), or by file
> content if one is specified via --random-source. If multiple sort fields
> are specified, the same random hash function is used for all of them.
> >
> > Although the "b.txt" differs, if we check it by the human eye... that
> is not random.. **Why**? Why is it called random, WHEN IT IS NOT
> RANDOM?! Random should mean RANDOM. Not "almost" random..
> >
> > The same can be seen on ex.: RHEL7.
> >
>
> I would guess this is the desired behavior. The man page cited by you
> also states:
>
> 'This is a random permutation of the inputs with the exception that
> equal keys sort together. It is implemented by hashing the input keys
> and sorting the hash values.'
>
> So clearly same values/strings will be put together.
>
> Best wishes
>
> Chris
>
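To make the man page text above concrete, here is an added example (not code from the thread, and not OpenBSD's sort(1) source) that emulates the documented `sort -R` behaviour: hash each input line with a per-run random salt standing in for arc4random_buf(3) and sort by the hash. Equal lines produce equal hashes, so they always end up adjacent, which is exactly why the output looks "not random" to the eye, and also why piping through uniq afterwards removes every duplicate rather than only the ones that happened to land next to each other. The sample lines and the SHA-256 choice are assumptions made for the example.

```python
import hashlib
import os
import random

# Constructed sample input, mirroring the thread's strings /dev/arandom
# experiment: note the repeated "9" and "K" lines.
SAMPLE_LINES = ["K", "9", "a", "9", "Z", "K", "q", "9"]


def random_sort(lines, salt=None):
    """Emulate sort -R: hash each line with a random salt, sort by hash.

    The salt plays the role of arc4random_buf(3) output (or of the file
    given to --random-source). Equal lines hash to equal values, so they
    sort together, as the sort(1) man page says.
    """
    if salt is None:
        salt = os.urandom(16)

    def key(line):
        return hashlib.sha256(salt + line.encode()).digest()

    return sorted(lines, key=key)


def true_shuffle(lines, rng=None):
    """A genuine random permutation: duplicates are not kept together."""
    rng = rng or random.SystemRandom()
    out = list(lines)
    rng.shuffle(out)
    return out


def uniq(lines):
    """Collapse runs of *adjacent* equal lines, like uniq(1)."""
    out = []
    for line in lines:
        if not out or out[-1] != line:
            out.append(line)
    return out


def duplicates_adjacent(lines):
    """True if every group of equal lines is contiguous in the sequence."""
    seen = set()
    prev = None
    for line in lines:
        if line != prev and line in seen:
            return False
        seen.add(line)
        prev = line
    return True


if __name__ == "__main__":
    rs = random_sort(SAMPLE_LINES)
    print("sort -R style :", rs, "grouped:", duplicates_adjacent(rs))
    print("after uniq    :", uniq(rs))
    sh = true_shuffle(SAMPLE_LINES)
    print("true shuffle  :", sh, "grouped:", duplicates_adjacent(sh))
```

The practical consequence for anything security-sensitive: `sort -R` leaks the equality structure of its input (how many distinct values there are and which lines are identical), and with a fixed `--random-source` it is fully deterministic, so it is a grouping tool with a randomised group order, not a shuffle.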



Re: OpenBSD on SBC?

2016-06-12 Thread Joel Wirāmu Pauling
I've been playing with the Lanner FW7525. It's a nice piece of kit. Can
be had for just under $400. Depends on what your purposes are, but for a
firewall appliance it's pretty hard to beat at the moment.

On 12 June 2016 at 14:25,  wrote:

> There's some reports of Minnowboard Max working with OpenBSD:
>
> http://web.archive.org/web/20150705061723/http://countersiege.com/2015/02/22/minnowboard_max_openbsd.html



Re: vi vs emacs, which one makes me look more smart in front of my friends?

2016-05-17 Thread Joel Wirāmu Pauling
ed()

QED.



On 18 May 2016 at 14:33, Lyndon Nerenberg  wrote:

> > acme(1)
>
> Or sam(1) if you are a purist.



Re: OT: Any experience connecting OpenBSD via ONT ?

2016-04-26 Thread Joel Wirāmu Pauling
In New Zealand, 802.1ad VLANs are stripped at the fibre side of the ONT,
and the Layer 2 (whatever it is) is preserved throughout the access network
to the ISP handover. If you get VLANs (802.1q) on the customer Ethernet
port side, it will be entirely dependent on the service that you bought
from the ISP and how they deliver it.

In my experience the only ISPs actively passing VLANs on to the customer
normally supply a pre-configured residential gateway, pre-set up with the
VLAN tag info.

Most of the others do straight Ethernet out of the port and DHCP, sans any
.1q tagging.

I don't know who you are with or where you live, but the above is a fairly
standard setup for METH + GPON deployments in several other countries.

Your best bet will be to use Wireshark to sniff the port and see what (if
any) tags and frames are passing over it.

Also, in the NZ situation each customer-side ONT Ethernet port maps to a
single service (each port is a separate Ethernet chip, i.e. you can't use
it like a switch), so you may simply be on the wrong activated port.

In any case, if your ISP is useless, Wireshark is your friend.


I would wager we are slightly off topic.

-Joel



On 27 April 2016 at 10:53, Adam Thompson  wrote:

> On 16-04-26 05:29 PM, Jeremy wrote:
>
>> Yeah, that's half the problem. My ISP isn't telling me much. Their
>> helpdesk is handled out of the Philippines and it seems they're reading
>> off a script. They don't mention PPPoE but from what I've tried so far,
>> this looks like it will be necessary.
>>   Jeremy
>>
>
> If all else fails, run "ifconfig em2 up", and then "tcpdump -i em2 -
> -l -n" and see what, if any, traffic is coming from the ONT on the raw
> ethernet port (this will include the VLAN 10 packets, too). If you're
> lucky, something it emits will give you a clue.
> -Adam



Re: OT: Any experience connecting OpenBSD via ONT ?

2016-04-26 Thread Joel Wirāmu Pauling
Oh, one other caveat: your DHCP client MUST support DHCP option 82 in some
situations.




Re: recommendations for 10GBase Ethernet on OpenBSD

2016-04-09 Thread Joel Wirāmu Pauling
Has anyone used the Mellanox X3 or the Intel 720s? I ask for the VXLAN
offload features, which are pretty useful if you are going the SDN way (or
potentially might do).

-Joel

On 9 April 2016 at 09:54, Kapetanakis Giannis 
wrote:

> On 08/04/16 19:35, Joe Crivello wrote:
>
>> Intel X520 cards seem to work nicely in our shop.
>>
>>
> x520 work fine for us too.
>
> G



Re: OpenBSD <> Commercial VPNs

2015-10-10 Thread Joel Wirāmu Pauling
You could try using the Linux binary emulation layer to connect using the
Cisco vpnc client, for the old proprietary Cisco IPsec implementation:

http://www.openbsd.org/papers/slack2k11-on_compat_linux.pdf

I've recently been using SoftEther for my personal VPNs. It's on GitHub; I
haven't tried to compile it for OpenBSD, but it's not going to help
connect to random vendor firewalls.

I am unsure if Fortinet have a Linux client; I imagine they must.

OpenVPN works just fine under OpenBSD.

-Joel


On 10 October 2015 at 15:04, Jack J. Woehr  wrote:

> Janne Johansson wrote:
>
>> Try ipsec, I hear some of the commercial offerings almost manage that too.
>>
> I just can't figure out how to connect to VPN's I don't have any control
> of.
>
> I've found articles where the user had admin control of the Cisco or
> Fortinet device.
>
> I just need to log into nets I don't administer. I'm forced off OpenBSD in
> the workplace when I the connection is thru a VPN.
>
> I don't understand the minutiae of VPN's enough to figure this out and I
> find no useful examples on the web.
>
>
> --
> Jack J. Woehr # Science is more than a body of knowledge. It's a way of
> www.well.com/~jax # thinking, a way of skeptically interrogating the
> universe
> www.softwoehr.com # with a fine understanding of human fallibility. -
> Carl Sagan



Re: IPv6 is not working at Hetzner

2015-05-23 Thread Joel Wirāmu Pauling
I've had problems with Hetzner and v6 also.

When I was configuring v6 sub-subnets from the /64 they give out, on
containers, I would get the same behaviour. From what I could tell, because
the container bridges also used the fe80::1 link-local route for the
sub-subnets, Hetzner's next hop would get confused and just stop pushing any
v6.

They also have a bunch of Layer 2 switch monitoring stuff they do to watch
for mainly v4 routes and IPs they are not expecting to exit from particular
ports on their switches.

They call it 'locking' in their documentation and there isn't a very precise
description of what exactly it is they are monitoring.

-Joel



On 22 May 2015 at 15:15, Thomas Bohl thomas-b...@gmx.de wrote:

 Am 22.05.2015 um 23:55 schrieb Heiko Zimmermann:

 # route delete -inet6 default
 # route add -inet6 default fe80::1%re0


 It worked one time until reboot.


 That is a problem I have too:
 http://marc.info/?l=openbsd-misc&m=142249632125559&w=2

 You first need to ping fe80::1%re0 in order to get it into the address
 mapping table. I tried static entries without luck. Try to add

 @reboot sleep 10 && ping6 -c 10 fe80::1\%re0 > /dev/null

 into your crontab. Works for me.


  Could you advise me on hostname.re0 and mygate?


 I don't use mygate. Just

 !route add -inet6 default fe80::1%re0

 in hostname.re0
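Thomas's ping-then-route advice, as an added shell example that is not part of this thread: it checks that the fe80::1 gateway is actually in the NDP cache before installing the default route. The ndp -an column layout, the re0 interface name and the sample cache output are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): make sure the link-local gateway
# fe80::1 is in the NDP cache before installing the default route.
# Column layout of ndp -an assumed (Neighbor, Linklayer Address, Netif,
# Expire, S, Flags); interface name re0 as in the thread.

GW="fe80::1"

# Constructed sample of ndp -an output, used for the stand-alone check below.
SAMPLE_NDP='Neighbor                  Linklayer Address  Netif Expire  S Flags
fe80::1%re0               00:00:5e:00:01:01  re0   23h59m  R R
fe80::1234%re0            00:11:22:33:44:55  re0   10m     S'

# ndp_has_gateway NDP_OUTPUT IFNAME
# Succeeds when fe80::1%IFNAME has a reachable (R) or stale (S) entry.
ndp_has_gateway() {
    printf '%s\n' "$1" | awk -v gw="$GW%$2" -v ifn="$2" '
        $1 == gw && $3 == ifn && ($5 == "R" || $5 == "S") { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# ensure_v6_default IFNAME
# Solicit the gateway (this is what the crontab ping6 does), then add the
# route only once the neighbor entry exists; otherwise the route points at
# an unresolved neighbor and v6 stays dead until the next ND exchange.
ensure_v6_default() {
    ifname=$1
    tries=0
    while [ "$tries" -lt 5 ]; do
        ping6 -c 1 "$GW%$ifname" >/dev/null 2>&1
        if ndp_has_gateway "$(ndp -an)" "$ifname"; then
            route -n add -inet6 default "$GW%$ifname"
            return 0
        fi
        tries=$((tries + 1))
        sleep 1
    done
    echo "$GW%$ifname not in NDP cache after $tries tries" >&2
    return 1
}

# Stand-alone check on the constructed sample (no network needed).
ndp_has_gateway "$SAMPLE_NDP" re0 && echo "fe80::1%re0 present on re0"
```

On a real host, `ensure_v6_default re0` (run as root) replaces the crontab one-liner and fails loudly instead of silently adding a route to an unresolved neighbor.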



Re: OpenZFS announcement

2013-09-18 Thread Joel Wirāmu Pauling
It is still CDDL with all the (dis)advantages that brings, depending on your
perspective; nothing has changed in that respect.

I.e. it's purely a branding relaunch from what I can see.

-Joel

patric conant mirage.comput...@gmail.com wrote:
http://www.open-zfs.org/wiki/Announcement

It's supposed to be open-er. I didn't find a license; thought it might be
of mild interest.

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.



Re: DNS Proxy

2013-09-15 Thread Joel Wirāmu Pauling
Also, given DNS uses UDP by default, you need to use some tunnel
mechanism other than ssh.

-Joel

Johan Beisser j...@caustic.org wrote:
DNS proxy uses less bandwidth on your end.

There are a dozen DNS proxy services out there for media, they all
work on the same basic principle.

On Sun, Sep 15, 2013 at 4:55 AM, Monah Baki monahb...@gmail.com wrote:
 Hi all,

 I'm running OpenBSD 5.2 with squid for a friend who owns an ISP outside the
 U.S. and uses my OpenBSD squid proxy to access Netflix. I've been told this
 can also be accomplished via DNS proxy. Is it true?

 If yes, which one do you recommend?

 Thanks




Running HA over multiple ARCHs

2012-12-04 Thread Joel Wirāmu Pauling
Kia ora/hello,

I am currently redesigning one of our border edge firewalls and want
to split the existing SPARC64 v215 into several DL140s in an HA
Active/Load-balanced configuration.

The Sparc64 hasn't been without issues; it is currently running 4.9
release + some patches and is due for a re-install in any case.

My question is whether or not it is considered a 'good idea' to mix
and match archs. Effectively the question is whether it is worth retaining
the v215 alongside the two DL140s as part of the border FW solution.


 question to determine if:

a) Anyone is doing this? (mixing amd64/i386/sparc64)
b) Gotchas
c) If this is generally considered a 'good idea'?



Kind regards

-Joel

http://gplus.to/aenertia
http://linkedin.com/in/aenertia
@aenertia



Re: Running HA over multiple ARCHs

2012-12-04 Thread Joel Wirāmu Pauling
Yes, CARP/LACP layer 2 load balancing was my first preference of design.

There is a very expensive Alcatel-Lucent 7750 on the upstream (red)
side that these machines are plugged into, which does our BGP session
handling to our peer among other carrier things. These boxes, whilst
very capable, are esoteric when you want to do any sort of interactive
inspection of L3 traffic, and I enjoy having the flexibility and
familiarity of OpenBSD on the FW.

In our existing setup I have noticed that the existing Sun v215
OBSD box ends up being the pinch point; especially when we have
multicast running internally it becomes very noticeable wrt latency
and throughput.

Sounds like I should retire the v215. I was hoping I might be able to
prolong its life as part of the HA setup; it boots very quickly in
comparison to the HP hardware, something quite useful in a firewall,
but it seems I should perhaps put a Soekris or something else in-line for
that purpose.

Kind regards

-Joel





On 5 December 2012 11:27, Loïc BLOT loic.b...@frostsapphirestudios.com wrote:
 Hi Joel,
 You can mix several architectures; that's not a problem for firewalls and
 routers, IP is OS/arch independent.
 The thing you must consider is packet processing. Some architectures are
 faster at processing packets than others (with equivalent perfs on paper).
 If you don't need low latency, you don't have to consider this.
 Do you want to make a load balanced infrastructure (like CARP LB)?

 --
 Regards,
 Loïc BLOT, expertise in UNIX systems, security and networks
 Frost Sapphire Studios

 On Wednesday 05 December 2012 at 10:15 +1300, Joel Wirāmu Pauling
 wrote:


Re: Hardware hunting

2012-11-15 Thread Joel Wirāmu Pauling
Have Soekris put out a Gbit NIC platform yet? I stopped using them for
this reason.

-Joel


On 16 November 2012 11:02, Justin Mayes jma...@careered.com wrote:

 Check out http://soekris.com/. I have a low end one and it works great.
 Little costly though.

 Justin Mayes


 -Original Message-
 From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
 Chris McGee
 Sent: Thursday, November 15, 2012 3:48 PM
 To: misc@openbsd.org
 Subject: Hardware hunting

 Hi guys-

   I am hunting for a low-power firewall for my home network. For at least
 10 years, whenever my firewall hardware has started to die, I've grabbed a
 decommissioned game PC, added a few NICs, and put OpenBSD on it. The
 firewall's current incarnation pulls about 160 watts 24/7; I'd like to
 lower that by a lot.

   Requirements are:
 1) Low power (50w; I want it to pay for itself before the hardware dies)
 2) 4 network interfaces (3 gigabit, one gigabit or 100mbps)
 3) Cheaper is better (e.g., a $200 4-port PCIE NIC on a $75 motherboard
 is suboptimal)
 4) Works with OpenBSD 5.2
 5) Won't cause a hardware bottleneck when pushing 200mbps of
 multidirectional traffic through a moderately complex pf ruleset (this
 doesn't take a lot of CPU; a 1 GHz Athlon runs at about 2% under load, and
 most of that is from hardware interrupts).

   It looks like a lot of people use the Alix 2D13 for this, but I rejected
 it for poor throughput (it would be great for the internet connection, but
 it sounds like it might be a serious bottleneck between the internal
 networks).

   Jetway makes a number of promising-looking Atom boards, including the
 4-interface NF38, but the NF38 and many other JetWays use the Realtek
 RTL8111EVL, which doesn't appear to be OpenBSD-friendly. You can add
 interfaces to Jetway boards via their daughterboards, but those are either
 Realtek RTL8111F or Intel 82574L; same problem. (Google turns up one report
 of the RTL8111 series sorta working with -current, but if you read the guy's
 dmesg, it doesn't look like he HAS an RTL8111 in the first place.)

   ...anyway, if you have a low-power OpenBSD network appliance with 3-4
 interfaces that you're happy with, please give me a yell. I've been through
 a lot of boards without finding a winner so far!




Re: Why anyone in their right mind would like to use NAT64

2012-10-24 Thread Joel Wirāmu Pauling
As someone working for a 'carrier' vendor, I can tell you straight
up that LSN (Large Scale) or CGN (Carrier Grade) NAT are big sell points
(i.e. customers are asking for them).

Personally, out of the various RFCs and schemes I've had the
displeasure of perusing for v6 to v4 access, NAT64 seems to me to be
the least evil.

It is the ONLY solution which can easily remove the need for upstream
fiddling if the CPE implements it, i.e. the bad stuff at least stays on
the edge of YOUR network. You effectively need the NAT64 module and a
DNS proxy sitting on the CPE; all the various other RFCs require
some level of ISP/Carrier interaction upstream to make things work, or
break in interesting, strange ways for the user (not that I am saying
NAT64 is perfect).

I know which I would prefer to see widely adopted.

Also, under the general guise of WHY you need NAT at all in IPv6
stacks... the ONE good argument is for easily set up load balancing.

-Joel

@aenertia
http://gplus.to/aenertia



Re: Skype.

2012-10-16 Thread Joel Wirāmu Pauling
On 16 October 2012 19:48, David Coppa dco...@gmail.com wrote:
 On Tue, Oct 16, 2012 at 7:40 AM, Jay Patel rockworl...@gmail.com wrote:
 Hi... I copied libskype.so under /usr/local/purple/ but it won't
 show up under adding account or in plugin options... how to link this
 library to pidgin to get access to Skype? Let me know...


I would have thought a better route would be inside a Linux/Windows VM
inside of QEMU?



Re: Speeding up scp over 10GigE, suggestions?

2012-07-18 Thread Joel Wirāmu Pauling
Use mosh or LFTP with pget,

i.e. lftp -c "pget -n 10 sftp://someuser@someserver/somefile"

mosh is a bit weirder in that it will multiplex transfers via udp
sessions... Try lftp first; IMHO it is the best swiss army knife of
file transfer utils.

-JoelW
@aenertia