Re: coverity running on OpenBSD to scan a port

2023-04-13 Thread Tom Smyth
Thanks for that...
I'll set up a test system so ... Thanks

On Thu, 13 Apr 2023 at 07:33, Stuart Henderson
 wrote:
>
> On 2023-04-12, Tom Smyth  wrote:
> > does anyone have experience on running coverity on OpenBSD ...
> > I'm trying to scan a port I'm maintaining at the minute...
> > there does not seem to be binaries for coverity for OpenBSD
>
> I don't think you can - afaik those scans are normally done on linux.
>


-- 
Kindest regards,
Tom Smyth.



coverity running on OpenBSD to scan a port

2023-04-12 Thread Tom Smyth
Folks,

does anyone have experience on running coverity on OpenBSD ...
I'm trying to scan a port I'm maintaining at the minute...
there does not seem to be binaries for coverity for OpenBSD

Thanks

-- 
Kindest regards,
Tom Smyth.



Re: How to announce over OSPF only one IP address

2023-03-17 Thread Tom Smyth
Hello Radek,
You can do the route add command as part of bringing up a network interface.
We often put a separate loopback address on an interface to make an
address available via OSPF on our network...
if you add in a loopback interface with the /32 route and then add the
loopback interface to your ospf area in your ospfd.conf file.

Note: when you redistribute a static address it will appear as an
external route in the link state advertisements from the router ... (it
won't be an intra-area route), which can affect the route metric during
the route selection process...

Thanks

Tom Smyth



Tom Smyth


On Wed, 8 Feb 2023 at 14:41, Radek  wrote:
>
> Hello Bradley,
> thank you, your setup works the way I need.
>
> I can't deal with adding the static route permanently. I have to add the 
> static route by hand (route add 10.1.111.11/32 10.1.111.1) after reboot.
> Did I miss something?
>
> [10.109.3.15] $ cat /etc/hostname.vr0
> -inet
> dhcp
> #inet 10.109.3.15 255.255.255.0
> !sleep 60
> !route add 10.1.111.11/32 10.1.111.1
>
> After reboot it looks like this:
>
> [10.109.3.15] $ route -n show
> Routing tables
>
> Internet:
> Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> default            10.109.3.254       UGS        5       15     -     8 vr0
> 224/4              127.0.0.1          URS        0       59 32768     8 lo0
> 10.1.100/24        10.1.100.1         Cn         0        0     -     4 vr1
> 10.1.100.1         00:00:24:cb:4f:cd  UHLl       0        0     -     1 vr1
> 10.1.100.255       10.1.100.1         Hb         0        0     -     1 vr1
> 10.1.111/24        10.1.111.1         UCn        1        0     -     4 vr3
> 10.1.111.1         00:00:24:cb:4f:cf  UHLl       0        3     -     1 vr3
> 10.1.111.11        00:00:24:cb:4f:d0  UHLc       0        2     -     3 vr3
> 10.1.111.255       10.1.111.1         UHb        0        0     -     1 vr3
> 10.1.222/24        10.109.3.16        UG         0        0     -    32 vr0
> 10.109.3/24        10.109.3.15        UCn        3       40     -     4 vr0
> 10.109.3.10        a4:bb:6d:d6:5a:a4  UHLc       1       29     -     3 vr0
> 10.109.3.15        00:00:24:cb:4f:cc  UHLl       0       13     -     1 vr0
> 10.109.3.16        00:00:24:cd:90:10  UHLch      1       26     -     3 vr0
> 10.109.3.254       00:0d:b9:35:39:29  UHLch      1       31     -     3 vr0
> 10.109.3.255       10.109.3.15        UHb        0        0     -     1 vr0
> 127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
> 127.0.0.1          127.0.0.1          UHhl       1        2 32768     1 lo0
>
>
> On Tue, 7 Feb 2023 17:54:27 +1100
> Bradley Latus  wrote:
>
> > Hi all,
> >
> > I have done an experiment.
> >
> > If your interface is part of an area, it will be advertised always.
> >
> > If you wanted to advertise only /32 this is how I got mine to work.
> > Ensure your interface vr3 is not in your ospf area
> >
> > Add a static route to the one you wish to advertise, it appears that unless
> > a route exists on the machine you cannot redistribute a random ip.
> >
> > So  route add 10.1.111.11/32 10.1.111.1
> >
> > Then you can redistribute your /32
> >
> >
> >
> > router-id 10.109.3.15
> > redistribute 10.1.111.11/32
> >
> > area 0.0.0.0 {
> >   interface vr0
> > }
> >
> >
> >
> > On Tue, 7 Feb 2023, 02:46 Radek,  wrote:
> >
> > > Hello,
> > > > I’d check the databases on both sides.
> > > > And flush/reload the config and fibs.
> > > I reloaded and restarted OSPFd on both sides - nothing changes. Then, I
> > > rebooted routers on both sides - nothing changes.
> > > I still can see/ping the whole 10.1.111.0/24 subnet from the far end.
> > >
> > > [10.109.3.15]$ ospfctl show database router
> > >
> > > Router Link States (Area 0.0.0.0)
> > >
> > > LS age: 238
> > > Options: -|-|-|-|-|-|E|-
> > > LS Type: Router
> > > Link State ID: 10.109.3.15
> > > Advertising Router: 10.109.3.15
> > > LS Seq Number: 0x8016
> > > Checksum: 0x6d0a
> > > Length: 48
> > > Flags: *|*|*|*|*|-|E|-
> > > Number of Links: 2
> > >
> > > Link connected to: Stub Network
> > > Link ID (Network ID): 10.1.111.0
> > > Link Data (Network Mask): 255.255.255.0
> > > Metric: 10
> > >
> > > Link connected to: Transit Network
> > > Link ID (Designated Router address): 10.109.3.16
> > > Link Data (Router Interface address): 10.109.3.1

Re: Folks are there any tips to improve page load times on smokeping running on OpenBSD

2023-03-10 Thread Tom Smyth
I think I understand better now ... but is there still a security
benefit from having the different services in their own jails?
(even if the jail cells come with their own metaphorical swimming
pool and armoury)

or is it that the jails don't offer enough compared with the
additional workload of managing multiple copies of libraries/binaries
in the system...?

On Thu, 9 Mar 2023 at 12:29, Stuart Henderson  wrote:
>
> On 2023/03/08 10:10, Glen Gunsalus wrote:
> >
> > On 3/7/23 15:33, Stuart Henderson wrote:
> > > On 2023-03-07, Glen Gunsalus  wrote:
> > > > To get this running cp'd perl (/usr/bin/perl) and relevant perl libs 
> > > > (/usr/lib/[libs.so|libm.so|libperl.so] /usr/libexec/ld.so) to 
> > > > /var/www/usr/[bin|lib|libexec]
> > >
> > > You shouldn't need that bit (and it is safer not to) - smokeping_fcgi
> > > does not chroot.
> > >
> > >
> > Hmm, I did this on the basis of a post by you (5/11/20) in response to Tom 
> > (5/10/20) which I interpreted as needing several files moved into www 
> > "jail."
>
> No that was me saying "this software is not really meant to work with
> chroot and if you're copying enough into the chroot that it works,
> you're providing a lot of extra tools to someone who is able to execute
> code within the jail"
>
> > quote--
> > bgplg is designed to run in a jail, it is a small C program and even
> > then it needs specially compiled versions of the external dependencies
> > (ping, bgpctl etc).
> >
> > Smokeping isn't - if you want to run the graph generating part of
> > smokeping (i.e. the cgi/fcgi script) inside a chroot jail, a whole lot
> > more is needed - a copy of perl and various modules, rrdtool,
> > rrdtool's library dependencies, fonts, and I think there were config
> > files for some of the libraries. I did this in the past but it's a
> > real mess and easy to break at update time, and the amount of things
> > copied in means that the chroot ends up more as "luxury camping" than
> > "jail" 
> > end quote---
> >
> > I had been running smokeping and mrtg with apache for a number of years, 
> > but when OpenBSD abandoned apache I looked at nginx for transition then 
> > httpd came along and looked both more attractive and likely to be more long 
> > lived under OpenBSD.
> >
> > It was Tom's post that got me started down the httpd path.  I have been 
> > running with httpd since that time.
> > I can't remember the details, but think I initially tried w/o the cp'd 
> > files, but was not successful so began incrementally moving goodies into 
> > /var/www until it worked.
> > I will try rm'ing or mv'ing those in /var/www and see how it goes.
> >
> > Thanks for your help.
> >
> > Regards, Glen
>


-- 
Kindest regards,
Tom Smyth.



Re: Folks are there any tips to improve page load times on smokeping running on OpenBSD

2023-03-08 Thread Tom Smyth
Morning Glen, Stuart all,

yep ... Stuart's comments re chroot glamping vs chroot jails made me
giggle all right...

the way I think I have it working is that smokeping and rrdcached are
running outside the jail with symbolic links to sockets inside the
httpd chroot jail /var/www/... and httpd
picks up those sockets and plays with them inside the jail...

relevant output from my ps -aux list

USER       PID %CPU %MEM   VSZ    RSS TT  STAT STARTED    TIME COMMAND
_smokepi 98525  9.7  1.3 98040 111580 ??  S    6:31AM  1:03.00 /usr/bin/perl /usr/local/bin/smokeping_cgi /etc/smokeping/config
_rrdcach 67082  0.0  0.1  9272   7952 ??  S    6:31AM  0:03.21 /usr/local/bin/rrdcached -b /var/db/smokeping -B -m 770 -l unix:/var/www/run/rrd
_smokepi 25394  0.0  0.1 43244  10536 ??  I    6:31AM  0:00.03 /usr/bin/perl /usr/local/bin/smokeping
_smokepi 57899  0.0  0.3 43752  21276 ??  S    6:31AM  0:01.31 perl: /usr/local/bin/smokeping [FPing] (perl)
_smokepi 74710  0.4  0.3 43244  21480 ??  S    6:31AM  0:03.49 perl: /usr/local/bin/smokeping [DNS] (perl)
_smokepi 76253  0.2  0.0  2892   2916 ??  Sp   6:47AM  0:00.15 /usr/local/sbin/fping -C 61 -q -B1 -r1 -b64 -t125 -i10 -p1 10.20.127.2 10.139.25...

when I get around to it ... I would like rrdcached and smokeping in
another / separate glamping site / luxury chroot jail to the  cgi
binary...

Comments thoughts welcome ...


On Wed, 8 Mar 2023 at 19:26, Glen Gunsalus  wrote:
>
>
> On 3/7/23 15:33, Stuart Henderson wrote:
> > On 2023-03-07, Glen Gunsalus  wrote:
> >> To get this running cp'd perl (/usr/bin/perl) and relevant perl libs 
> >> (/usr/lib/[libs.so|libm.so|libperl.so] /usr/libexec/ld.so) to 
> >> /var/www/usr/[bin|lib|libexec]
> >
> > You shouldn't need that bit (and it is safer not to) - smokeping_fcgi
> > does not chroot.
> >
> >
> Hmm, I did this on the basis of a post by you (5/11/20) in response to Tom 
> (5/10/20) which I interpreted as needing several files moved into www "jail."
>
> quote--
> bgplg is designed to run in a jail, it is a small C program and even
> then it needs specially compiled versions of the external dependencies
> (ping, bgpctl etc).
>
> Smokeping isn't - if you want to run the graph generating part of
> smokeping (i.e. the cgi/fcgi script) inside a chroot jail, a whole lot
> more is needed - a copy of perl and various modules, rrdtool,
> rrdtool's library dependencies, fonts, and I think there were config
> files for some of the libraries. I did this in the past but it's a
> real mess and easy to break at update time, and the amount of things
> copied in means that the chroot ends up more as "luxury camping" than
> "jail" 
> end quote---
>
> I had been running smokeping and mrtg with apache for a number of years, but 
> when OpenBSD abandoned apache I looked at nginx for transition then httpd 
> came along and looked both more attractive and likely to be more long lived 
> under OpenBSD.
>
> It was Tom's post that got me started down the httpd path.  I have been 
> running with httpd since that time.
> I can't remember the details, but think I initially tried w/o the cp'd files, 
> but was not successful so began incrementally moving goodies into /var/www 
> until it worked.
> I will try rm'ing or mv'ing those in /var/www and see how it goes.
>
> Thanks for your help.
>
> Regards, Glen
>


-- 
Kindest regards,
Tom Smyth.



Re: Upgrading from 7.2 stable to 7.3 current dig crashes (core-dumped) breaking smokeping

2023-03-08 Thread Tom Smyth
Folks,
just on this: changing the binary /usr/sbin/dig... to /usr/bin/dig and
going from 7.2 to 7.3 ... massive drop in latency of queries in a local
DNS server in the same datacentre ...
 just thought it would be useful ... before and after smoke graph below

On Tue, 7 Mar 2023 at 14:30, Tom Smyth  wrote:
>
> Hi Peter,
>
> Thanks for that ...  you are 100% correct...  I was  caught off guard with 
> that thanks ...
>
> I think I need to go through my upgrades ...  for more RmFiles...  :/
>
> Thanks it worked just fine...
>
> Much Obliged,
>
> Tom Smyth
>
>
> On Tue, 7 Mar 2023 at 12:48, Peter Hessler  wrote:
>>
>> On 2023 Mar 07 (Tue) at 12:42:33 + (+), Tom Smyth wrote:
>> :Folks upgrading from 7.2 to 7.3 current snapshot
>> :dig seems to  crash ...
>> :
>> :
>> :/usr/sbin/dig localhost
>> :Bad system call (core dumped)
>> :
>>
>> dig (et al) moved from /usr/sbin/ to /usr/bin/ in 6.7, you should update
>> your config to use the currently supported binary.
>>
>> https://www.openbsd.org/faq/upgrade67.html#RmFiles
>>
>>
>> --
>> We will have solar energy as soon as the utility companies solve one
>> technical problem -- how to run a sunbeam through a meter.
>
>
>
> --
> Kindest regards,
> Tom Smyth.



-- 
Kindest regards,
Tom Smyth.


Re: Folks are there any tips to improve page load times on smokeping running on OpenBSD

2023-03-08 Thread Tom Smyth
Folks,
Just to say keeping rrdcached for smokeping, and just using the smokeping.sock

server "default" {
        listen on * port 80
        location "/smokeping/smokeping.fcgi*" {
                fastcgi {
                        socket "/run/smokeping.sock"
                }
        }
}

is way faster ... for the user interface...  ...  I'll let you know if
there is any negative impact on the graphs ...

Thanks

Tom Smyth

On Wed, 8 Mar 2023 at 15:21, Tom Smyth  wrote:
>
> Hello
> I found that RRDCached helps with the gaps in the graphs...  (write
> i/o burst smoothing)  (which is the main reason I went with rrdcached)
>
> but it did not help so much  on the user interface / web rendering  front ...
>  (perhaps I could try (if it is even possible)  to try the following
>
> write rrds using   smokeping --> rrdcached-->rrdfile
> and separately read
> rrdfile --> smokeping_fcgi --> httpd
> or does rrdcached need to exclusively manage I/O ( read and write)
> with the rrd files. ?
> I'll investigate this a bit more ... (comments and ideas welcome ..)
>
> On Wed, 8 Mar 2023 at 14:16, Stuart Henderson  wrote:
> >
> > On 2023/03/07 14:38, Tom Smyth wrote:
> > > the config below seems to get rrdcached working with httpd  in OpenBSD. 
> > > ...
> >
> > Thanks, I've added this to the pkg-readme.
> >
> > > the loading of the smokeping detailed graphs still takes a while ...  but 
> > > I
> > > will do further diagnostics...
> >
> > Do check to make sure that using rrdcached does actually improve things
> > for your setup, you might find that it doesn't.
> >
>
>
> --
> Kindest regards,
> Tom Smyth.



-- 
Kindest regards,
Tom Smyth.
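
Two checks for the layout worked out in this thread, as an added example that is neither the thread's own code nor part of httpd or smokeping. The first is the audit that Tom's question about the security benefit of the jails and Stuart's "luxury camping" remark call for: list every executable and shared object that has ended up inside the httpd chroot, since httpd itself needs only static content and the fastcgi socket there and each copied-in interpreter or library is extra capability for anyone who gains code execution inside it. The second resolves the socket settings in the httpd.conf above: the `socket "..."` path is opened by httpd relative to its chroot (so `/run/smokeping.sock` is `/var/www/run/smokeping.sock` on disk), while `param RRDCACHED_ADDRESS` is passed through to smokeping_fcgi, which as Stuart notes does not chroot, so that value must be a full system path. The demo tree and config are constructed from the paths quoted in the thread; the interpreter name list is an assumption for the demo.

```shell
#!/bin/sh
# Added example, not from the thread and not part of httpd or smokeping.
#   chroot_audit ROOT            executable code copied into the httpd chroot
#   interpreter_count ROOT       how many of those are interpreters / ld.so
#   fcgi_socket_paths CONF ROOT  where the sockets named in httpd.conf live
# The demo tree and httpd.conf are constructed from paths quoted above.

# chroot_audit ROOT -> "EXEC path" / "LIB path" lines, paths relative to ROOT
chroot_audit() {
    root=${1%/}
    {
        find "$root" -type f -perm -100 | while read -r f; do
            echo "EXEC ${f#"$root"}"
        done
        find "$root" -type f ! -perm -100 \( -name '*.so' -o -name '*.so.*' \) |
        while read -r f; do
            echo "LIB  ${f#"$root"}"
        done
    } | sort
}

# interpreter_count ROOT -> number of copied-in executables that are an
# interpreter or the dynamic linker (assumed name list, adjust as needed)
interpreter_count() {
    chroot_audit "$1" | awk '
        $1 == "EXEC" {
            n = split($2, p, "/")
            if (p[n] ~ /^(perl|sh|ksh|python[0-9.]*|ld\.so)$/) c++
        }
        END { print c + 0 }'
}

# fcgi_socket_paths CONF ROOT -> on-disk location of each socket directive:
# httpd opens socket "..." under its chroot ROOT; RRDCACHED_ADDRESS goes to
# the un-chrooted smokeping_fcgi unchanged, so it is checked as an absolute
# path and flagged if it points outside ROOT
fcgi_socket_paths() {
    awk -v root="${2%/}" '
        /^[ \t]*socket[ \t]+"/ {
            s = $0; sub(/^[ \t]*socket[ \t]+"/, "", s); sub(/".*/, "", s)
            print "httpd socket   -> " root s " (chroot-relative in the config)"
        }
        /^[ \t]*param[ \t]+RRDCACHED_ADDRESS[ \t]+"unix:/ {
            s = $0; sub(/.*"unix:/, "", s); sub(/".*/, "", s)
            where = (index(s, root "/") == 1) ? "inside" : "OUTSIDE"
            print "fcgi rrdcached -> " s " (absolute path, " where " the chroot)"
        }' "$1"
}

# Constructed demo tree: the files Glen copied in (perl, ld.so, libs) next
# to the static content and socket directories httpd actually needs
make_demo_tree() {
    root=$1
    mkdir -p "$root/htdocs/smokeping" "$root/run/rrd" \
             "$root/usr/bin" "$root/usr/lib" "$root/usr/libexec"
    : > "$root/htdocs/index.html"
    for f in usr/bin/perl usr/libexec/ld.so; do
        : > "$root/$f"; chmod 755 "$root/$f"
    done
    for f in usr/lib/libperl.so usr/lib/libm.so; do : > "$root/$f"; done
}

# Constructed httpd.conf: the fastcgi block from this thread
write_demo_httpd_conf() {
cat > "$1" <<'EOF'
server "default" {
        listen on * port 80
        location "/smokeping/smokeping.fcgi*" {
                fastcgi {
                        socket "/run/smokeping.sock"
                        param RRDCACHED_ADDRESS "unix:/var/www/run/rrd/rrdcached.sock"
                }
                root "/"
        }
}
EOF
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo_tree "$d/www"; write_demo_httpd_conf "$d/httpd.conf"
    chroot_audit "$d/www"
    echo "interpreters/linkers inside chroot: $(interpreter_count "$d/www")"
    fcgi_socket_paths "$d/httpd.conf" /var/www
    rm -rf "$d"
}
demo
```

On a real host run `chroot_audit /var/www`; with smokeping_fcgi and rrdcached kept outside the jail, as in the ps output Tom posted, the expected result is no EXEC or LIB lines at all, and anything that does show up is a candidate for removal and a reason to re-check why it was needed.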



Re: Folks are there any tips to improve page load times on smokeping running on OpenBSD

2023-03-08 Thread Tom Smyth
Hello
I found that RRDCached helps with the gaps in the graphs...  (write
i/o burst smoothing)  (which is the main reason I went with rrdcached)

but it did not help so much  on the user interface / web rendering  front ...
 (perhaps I could try (if it is even possible)  to try the following

write rrds using   smokeping --> rrdcached-->rrdfile
and separately read
rrdfile --> smokeping_fcgi --> httpd
or does rrdcached need to exclusively manage I/O ( read and write)
with the rrd files. ?
I'll investigate this a bit more ... (comments and ideas welcome ..)

On Wed, 8 Mar 2023 at 14:16, Stuart Henderson  wrote:
>
> On 2023/03/07 14:38, Tom Smyth wrote:
> > the config below seems to get rrdcached working with httpd  in OpenBSD. ...
>
> Thanks, I've added this to the pkg-readme.
>
> > the loading of the smokeping detailed graphs still takes a while ...  but I
> > will do further diagnostics...
>
> Do check to make sure that using rrdcached does actually improve things
> for your setup, you might find that it doesn't.
>


-- 
Kindest regards,
Tom Smyth.



Re: Folks are there any tips to improve page load times on smokeping running on OpenBSD

2023-03-07 Thread Tom Smyth
ce"7d
"Last 14 Days Performance"14d
"Last 28 Days Performance"28d
"Last 100 Days Performance"   100d


#+ hierarchies
#++ owner
#title = Host Owner
#++ location
#title = Location

*** Probes ***
#+basefork
#forks = 8
#offset = 50%
#step = 90
#timeout = 1



+ FPing
blazemode = true
binary = /usr/local/sbin/fping
packetsize = 64
hostinterval = 0.001
timeout = 0.125
offset = random
+ DNS

binary = /usr/bin/dig # mandatory
forks = 5
offset = 50%
step = 30
timeout = 15

# The following variables can be overridden in each target section
lookup = bbc.co.uk
pings = 30
server = [redacted]


+ TCPPing

binary = /usr/local/sbin/hping

forks = 5
offset = 50%
step = 300
timeout =10

#*** Slaves ***
#secrets=/etc/smokeping/smokeping_secrets
#+boomer
#display_name=boomer
#color=ff

#+slave2
#display_name=another
#color=00ff00

*** Targets ***

probe = FPing

menu = Top
title = Wireless Connect Network Latency Grapher
remark = SmokePing of Wireless Connect Ltd. \
 This Tool Shows the latency of the \
 Wireless Connectnetwork.
alerts = 
Sustained_5%_loss,Sudden_10%_Loss,Sporadic_Loss,Latency_Over_50ms,Offline_at_startup

#########config-sniped#

smoke1# rcctl ls started
cron
dhcpleased
httpd
ntpd
pflogd
resolvd
rrdcached
smokeping
smokeping_fcgi
smtpd
sshd
syslogd


On Tue, 7 Mar 2023 at 14:38, Tom Smyth  wrote:
>
> Hi Stuart,...
> I'm running 2 cores as I'm a miser with my VMs in terms of CPU allocation
> ... ( I don't like spending time on the bare metal splitting cherries ) (more 
> context switches than work being done) ...
>
> Got my system upgraded...  thanks ... and fixed my old /usr/sbin/dig  
> (old.. no longer working) to /usr/bin/dig
> the initial load seems to be quicker ...  and opening a page seems to put 
> more load on the rrdcached process alright
> the config below seems to get rrdcached working with httpd  in OpenBSD. ...
>
> the loading of the smokeping detailed graphs still takes a while ...  but I 
> will do further diagnostics...
>
>
>
> This is my setup
>
> #httpd.conf###
> server "default" {
>         listen on * port 80
>         location "/smokeping/smokeping.fcgi*" {
>                 fastcgi {
>                         socket "/run/smokeping.sock"
>                         param RRDCACHED_ADDRESS "unix:/var/www/run/rrd/rrdcached.sock"
>                 }
>                 root "/"
>         }
> }
> ###
>
> top output below when loading a web page
>
>
> load averages:  2.09,  1.82,  1.07                   smoke1 14:36:27
> 42 processes: 40 idle, 2 on processor                up 0 days 00:11:09
> CPU0 states: 53.2% user,  0.0% nice,  6.8% sys,  0.2% spin,  2.2% intr, 37.6% idle
> CPU1 states: 33.1% user,  0.0% nice, 10.6% sys,  1.4% spin,  0.0% intr, 54.9% idle
> Memory: Real: 208M/1758M act/tot Free: 6160M Cache: 882M Swap: 0K/0K
>
>   PID USERNAME PRI NICE  SIZE   RES STATE     WAIT      TIME    CPU COMMAND
> 57245 _rrdcach   2    0   41M   36M onproc/0  kqread    3:13 30.62% rrdcached
> 99560 _smokepi   2    0   74M   88M sleep/1   netio     1:01 10.55% perl
> 73953 _smokepi   2    0 2632K 2660K sleep/0   kqread    0:00  0.20% fping
> 77717 _smokepi  10    0   42M   20M sleep/0   nanoslp   0:02  0.00% perl
>     1 root      10    0  644K  628K idle      wait      0:01  0.00% init
> 67291 _smokepi  -6    0   42M   20M idle      piperd    0:01  0.00% perl
> 72553 root       3    0  948K  924K idle      ttyin     0:00  0.00% ksh
> 84133 _pflogd    4    0  776K 1620K sleep/0   bpf       0:00  0.00% pflogd
> 74456 _smtpq     2    0 1656K 3484K idle      kqread    0:00  0.00% smtpd
> 58541 _ntp       2  -20 1408K 3320K sleep/1   kqread    0:00  0.00% ntpd
> 22630 root       2    0 1204K 4160K idle      kqread    0:00  0.00% sshd
> 20724 www        2    0 1908K 3944K sleep/1   kqread    0:00  0.00% httpd
> 27618 www        2    0 2256K 4276K idle      kqread    0:00  0.00% httpd
> 81375 _syslogd   2    0 1228K 1524K idle      kqread    0:00  0.00% syslogd
> 77400 _smokepi  18    0   42M   10M idle      sigsusp   0:00  0.00% perl
> 39827 root      28    0 1224K 2512K onproc/1  -         0:00  0.00% top
> 79586 _smtpd     2    0 1936K 4828K idle      kqread    0:00  0.00% smtpd
> 18799 fireman    2    0 1396K 3340K sleep/0   kqread    0:00  0.00% sshd
> 20179 www        2    0 1320K 3324K idle      kqread    0:00  0.00% httpd
> 45288 root      18    0  944K  916K idle      sigsusp   0:00  0.00% ksh
> 51902 root       2    0  760K 2548K idle      netio     0:00  0.00% syslogd
> 37356 www        2    0 1332K 3180K idle      kqread    0:00  0.00% httpd
> 82428 root 

Re: Folks are there any tips to improve page load times on smokeping running on OpenBSD

2023-03-07 Thread Tom Smyth
Hi Stuart,...
I'm running 2 cores as I'm a miser with my VMs in terms of CPU allocation
... ( I don't like spending time on the bare metal splitting cherries ) (more
context switches than work being done) ...

Got my system upgraded...  thanks ... and fixed my old /usr/sbin/dig
(old.. no longer working) to /usr/bin/dig
the initial load seems to be quicker ...  and opening a page seems to put
more load on the rrdcached process alright
the config below seems to get rrdcached working with httpd  in OpenBSD. ...

the loading of the smokeping detailed graphs still takes a while ...  but I
will do further diagnostics...



This is my setup

#httpd.conf###
server "default" {
        listen on * port 80
        location "/smokeping/smokeping.fcgi*" {
                fastcgi {
                        socket "/run/smokeping.sock"
                        param RRDCACHED_ADDRESS "unix:/var/www/run/rrd/rrdcached.sock"
                }
                root "/"
        }
}
###

top output below when loading a web page


load averages:  2.09,  1.82,  1.07                   smoke1 14:36:27
42 processes: 40 idle, 2 on processor                up 0 days 00:11:09
CPU0 states: 53.2% user,  0.0% nice,  6.8% sys,  0.2% spin,  2.2% intr, 37.6% idle
CPU1 states: 33.1% user,  0.0% nice, 10.6% sys,  1.4% spin,  0.0% intr, 54.9% idle
Memory: Real: 208M/1758M act/tot Free: 6160M Cache: 882M Swap: 0K/0K

  PID USERNAME PRI NICE  SIZE   RES STATE     WAIT      TIME    CPU COMMAND
57245 _rrdcach   2    0   41M   36M onproc/0  kqread    3:13 30.62% rrdcached
99560 _smokepi   2    0   74M   88M sleep/1   netio     1:01 10.55% perl
73953 _smokepi   2    0 2632K 2660K sleep/0   kqread    0:00  0.20% fping
77717 _smokepi  10    0   42M   20M sleep/0   nanoslp   0:02  0.00% perl
    1 root      10    0  644K  628K idle      wait      0:01  0.00% init
67291 _smokepi  -6    0   42M   20M idle      piperd    0:01  0.00% perl
72553 root       3    0  948K  924K idle      ttyin     0:00  0.00% ksh
84133 _pflogd    4    0  776K 1620K sleep/0   bpf       0:00  0.00% pflogd
74456 _smtpq     2    0 1656K 3484K idle      kqread    0:00  0.00% smtpd
58541 _ntp       2  -20 1408K 3320K sleep/1   kqread    0:00  0.00% ntpd
22630 root       2    0 1204K 4160K idle      kqread    0:00  0.00% sshd
20724 www        2    0 1908K 3944K sleep/1   kqread    0:00  0.00% httpd
27618 www        2    0 2256K 4276K idle      kqread    0:00  0.00% httpd
81375 _syslogd   2    0 1228K 1524K idle      kqread    0:00  0.00% syslogd
77400 _smokepi  18    0   42M   10M idle      sigsusp   0:00  0.00% perl
39827 root      28    0 1224K 2512K onproc/1  -         0:00  0.00% top
79586 _smtpd     2    0 1936K 4828K idle      kqread    0:00  0.00% smtpd
18799 fireman    2    0 1396K 3340K sleep/0   kqread    0:00  0.00% sshd
20179 www        2    0 1320K 3324K idle      kqread    0:00  0.00% httpd
45288 root      18    0  944K  916K idle      sigsusp   0:00  0.00% ksh
51902 root       2    0  760K 2548K idle      netio     0:00  0.00% syslogd
37356 www        2    0 1332K 3180K idle      kqread    0:00  0.00% httpd
82428 root       2    0 1472K 2284K idle      kqread    0:00  0.00% httpd
62829 _ntp       2    0  908K 2772K idle      kqread    0:00  0.00% ntpd
89278 root       2    0  872K 1524K idle      kqread    0:00  0.00% cron
16265 _smtpd     2    0 1652K 3472K idle      kqread    0:00  0.00% smtpd
46732 _smtpd     2    0 1456K 3304K idle      kqread    0:00  0.00% smtpd
 3405 root       2  -20 1264K 1956K idle      kqread    0:00  0.00% ntpd
30532 root       2    0 1716K 2164K idle      kqread    0:00  0.00% smtpd



On Tue, 7 Mar 2023 at 08:36, Stuart Henderson  wrote:

> On 2023/03/07 07:10, Tom Smyth wrote:
> > I'm running smokeping fcgi and rrdcached on top of OpenBSD, to smokeping
> > about 150 devices
> > the page load times can take 30 seconds to 1 minute,
> > is there any way to speed this up.
> >
> > I'm running 7.2 OpenBSD on amd64 vm on top of an SSD array
> >
> > any tips tricks welcome ...
>
> One quick thing to try is updating to -current, I made some changes to
> the rrdtool port which may possibly help a little.
>
> Check that smokeping is actually using rrdcached (watch top while
> opening a page) - the pkg-readme only gives instructions for passing the
> required fastcgi variable through for nginx, I don't know how to do that
> for httpd (or whether it's actually possible).
>
> Other than that, rrdtool/rrdcached is just slow on OpenBSD. If it's
> anything like mine you'll see high cpu spin % in top while it's busy.
> You can try changing the number of cores in the VM - if you've given it
> lots of cores try *reducing* it a bit. To pick a number out of the air
> I'd suggest probably 4-6. (mine is bare metal and I can't drop the
> number short of kernel hac

Re: Upgrading from 7.2 stable to 7.3 current dig crashes (core-dumped) breaking smokeping

2023-03-07 Thread Tom Smyth
Hi Peter,

Thanks for that ...  you are 100% correct...  I was caught off guard with
that, thanks ...

I think I need to go through my upgrades ...  for more RmFiles...  :/

Thanks, it worked just fine...

Much Obliged,

Tom Smyth


On Tue, 7 Mar 2023 at 12:48, Peter Hessler  wrote:

> On 2023 Mar 07 (Tue) at 12:42:33 + (+), Tom Smyth wrote:
> :Folks upgrading from 7.2 to 7.3 current snapshot
> :dig seems to  crash ...
> :
> :
> :/usr/sbin/dig localhost
> :Bad system call (core dumped)
> :
>
> dig (et al) moved from /usr/sbin/ to /usr/bin/ in 6.7, you should update
> your config to use the currently supported binary.
>
> https://www.openbsd.org/faq/upgrade67.html#RmFiles
>
>
> --
> We will have solar energy as soon as the utility companies solve one
> technical problem -- how to run a sunbeam through a meter.
>


-- 
Kindest regards,
Tom Smyth.
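
The check this exchange points at, as an added example that is not part of the thread and not OpenBSD's own tooling: a binary that an upgrade moved or removed can survive in a config file and only fail when the probe runs, which is what the /usr/sbin/dig "Bad system call" crash above was. The functions below scan config files for references to moved paths and list the probe binaries a smokeping config expects. The MOVED_PATHS table holds only the pair this thread documents (the 6.7 move of dig from /usr/sbin to /usr/bin) and is meant to be extended from each release's RmFiles notes; the sample config is constructed from the probe section posted further down in this thread.

```shell
#!/bin/sh
# Added example, not from the thread and not OpenBSD's own tooling. Scan
# config files for binaries that an upgrade moved, so they are found at
# upgrade time rather than when a probe crashes. Needs only sh, awk, grep.

# Moved paths, one "OLD NEW" pair per line. Only the pair this thread
# documents is listed; extend it from the release's RmFiles notes.
MOVED_PATHS='
/usr/sbin/dig /usr/bin/dig
'

# stale_path_refs FILE... -> "STALE file:line OLD -> NEW" for every line
# that still references an OLD path
stale_path_refs() {
    for f in "$@"; do
        printf '%s\n' "$MOVED_PATHS" | while read -r old new; do
            [ -n "$old" ] || continue
            grep -n -F -- "$old" "$f" | cut -d: -f1 | while read -r ln; do
                echo "STALE $f:$ln $old -> $new"
            done
        done
    done
}

# smokeping_binaries CONF -> the value of every "binary = PATH" line,
# with any trailing "# comment" stripped
smokeping_binaries() {
    awk -F= '/^[ \t]*binary[ \t]*=/ {
        v = $2; sub(/#.*/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v); print v
    }' "$1"
}

# missing_binaries CONF -> configured probe binaries that do not exist or
# are not executable on this host (meant to be run on the upgraded box)
missing_binaries() {
    smokeping_binaries "$1" | while read -r b; do
        [ -x "$b" ] || echo "MISSING $b"
    done
}

# Constructed sample: the probe section from this thread, still carrying
# the pre-6.7 dig path
write_sample_conf() {
cat > "$1" <<'EOF'
*** Probes ***
+ FPing
binary = /usr/local/sbin/fping
+ DNS
binary = /usr/sbin/dig # mandatory
forks = 5
+ TCPPing
binary = /usr/local/sbin/hping
EOF
}

demo() {
    d=$(mktemp -d) || return 1
    write_sample_conf "$d/config"
    stale_path_refs "$d/config"      # STALE .../config:5 /usr/sbin/dig -> /usr/bin/dig
    missing_binaries "$d/config"     # whatever this host lacks
    rm -rf "$d"
}
demo
```

Point stale_path_refs at /etc/smokeping/config and anything else under /etc that names a binary (rc.local, cron jobs, httpd.conf); missing_binaries is the follow-up on the upgraded host, since a path that is not in the moved-paths table but no longer exists is just as fatal to the probe.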


Upgrading from 7.2 stable to 7.3 current dig crashes (core-dumped) breaking smokeping

2023-03-07 Thread Tom Smyth
0 lun 0: 
sd0: 32768MB, 512 bytes/sector, 67108864 sectors, thin
virtio0: msix per-VQ
virtio1 at pci6 dev 18 function 0 "Qumranet Virtio Network" rev 0x00
vio0 at virtio1: address aa:2a:39:0b:78:b1
virtio1: msix shared
ppb6 at pci5 dev 2 function 0 "Red Hat Qemu PCI-PCI" rev 0x00
pci7 at ppb6 bus 7
ppb7 at pci5 dev 3 function 0 "Red Hat Qemu PCI-PCI" rev 0x00
pci8 at ppb7 bus 8
ppb8 at pci5 dev 4 function 0 "Red Hat Qemu PCI-PCI" rev 0x00
pci9 at ppb8 bus 9
pcib0 at pci0 dev 31 function 0 "Intel 82801IB LPC" rev 0x02
ahci0 at pci0 dev 31 function 2 "Intel 82801I AHCI" rev 0x02: msi, AHCI 1.0
ahci0: port 1: 1.5Gb/s
scsibus2 at ahci0: 32 targets
cd0 at scsibus2 targ 1 lun 0:  removable
ichiic0 at pci0 dev 31 function 3 "Intel 82801I SMBus" rev 0x02: apic 0 int 16
iic0 at ichiic0
usb2 at uhci0: USB revision 1.0
uhub2 at usb2 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci1: USB revision 1.0
uhub3 at usb3 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb4 at uhci2: USB revision 1.0
uhub4 at usb4 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb5 at uhci3: USB revision 1.0
uhub5 at usb5 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb6 at uhci4: USB revision 1.0
uhub6 at usb6 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb7 at uhci5: USB revision 1.0
uhub7 at usb7 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
vmm0 at mainbus0: VMX/EPT (using slow L1TF mitigation)
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
root on sd0a (59cdf031e4c1fe67.a) swap on sd0b dump on sd0b
smoke1# uname -va
OpenBSD smoke1server.com  7.3 GENERIC.MP#1094 amd64

-- 
Kindest regards,
Tom Smyth.


Folks are there any tips to improve page load times on smokeping running on OpenBSD

2023-03-06 Thread Tom Smyth
#config-sniped#########

smoke1# rcctl ls started
cron
dhcpleased
httpd
ntpd
pflogd
resolvd
rrdcached
smokeping
smokeping_fcgi
smtpd
sshd
syslogd



-- 
Kindest regards,
Tom Smyth.


Re: fragmented ipv4[udp] ignored by server.

2023-03-05 Thread Tom Smyth
s-Challenge id=4
> 11   0.164158   10.10.2.10 → 10.10.2.1    RADIUS 1372 Access-Request id=5
> 12   0.265514   10.10.2.1  → 10.10.2.10   RADIUS 161  Access-Challenge id=5
> 13   0.266328   10.10.2.10 → 10.10.2.1    RADIUS 191  Access-Request id=6
> 14   0.284607   10.10.2.1  → 10.10.2.10   RADIUS 226  Access-Accept id=6
>
> Question: How to avoid altering fragment_size to get this working ?
>
> Some clients could not be set so easily like phones.
>
> Thank you.
>
> Mikhael.
>
>

-- 
Kindest regards,
Tom Smyth.


Re: Lightweight Web browser

2023-02-06 Thread Tom Smyth
Hi Riccardo,

One thing to consider, a little off topic... is that hangs can be related to
firewall / proxy rules / systems in place (to block advertising / other
content) being filtered;
depending on the method of blocking, requests made by the browsers to
specific web application sites (and their JavaScript collateral) may
actually have to time out (rather than be refused quickly) and so the web
page / application can appear to hang.

Network layer (IP) blocking can lead to request timeouts which can really
slow down an interactive web app.
Chrome with debug / developer tools can show you this issue (of network
timeouts for certain applications).

I hope this helps,

Tom Smyth

On Mon, 6 Feb 2023 at 15:41, Riccardo Mottola 
wrote:

> Hi,
>
> Rodrigo Readi wrote:
> > Can someone recommend a lightweight Browser that support javascript?
>
> "Lightweight" is a hard term here... there are several options. But if
> you need heavy usage - gmail, youtube and similar, at the end you need a
> gecko, blink or webkit engine and so there things become equal.
> Are you pressed by RAM or CPU?
> E.g. in my experience Firefox was never "lighter" than seamonkey. Opera
> or Bing are at the end similar to Chrome in terms of resources. The
> difference are in "spy" amount.
> I like SeaMonkey but it is lagging behind in packages on most BSDs
> and/or it was removed.
> In my experience, Firefox is much easier on RAM than Chrome(ium) and
> good on more RAM pressed system. Limited Firefox is usable on a good
> 32bit system with 2GB of RAM, but OpenBSD no longer provides firefox there.
>
> My distaste with Firefox is that it took a bad turn after FF52/FF60...
> making horrible design choices - rust included and mocking more and more
> Chrome interface.
>
> > In which I can use gmail?
> >
> > Otter browser hangs and even make core dumping with gmail.
> > Also with chromium I get core dumping sometimes.
> > There is no port for elinks to test it.
>
> You might try your luck with ArcticFox. Login works. Reading messages
> appears to, replying by detaching into a separate panel does not anymore.
>
> ArcticFox received a lot of care since I last tried it with gmail, but
> also gmail is a moving JS target... so you are always at Google's mercy.
>
> Riccardo
>
>

-- 
Kindest regards,
Tom Smyth.


Re: How to announce over OSPF only one IP address

2023-02-04 Thread Tom Smyth
Hi Radek,

it is better practice to add OSPF network statements to ospfd.conf
(if you don't want to send / receive OSPF messages on an interface, set the
interface to passive in ospfd.conf).
Avoid redistribute connected
(add the network you want to be added to your OSPF network) and leave the
other network omitted from your ospfd.conf.


I hope this helps,


On Sat, 4 Feb 2023 at 20:02, Radek  wrote:

> Hello,
> is it possible to announce over OSPF only one (or a few specific) IP
> address instead of the whole subnet?
> If yes.. an ospfd.conf example would be appreciated.
>
> $ cat /etc/hostname.vr3
> inet 10.1.111.1 255.255.255.0
>
> $ cat /etc/ospfd.conf
> router-id 10.109.3.15
> redistribute connected
>
> area 0.0.0.0 {
> interface vr0
> interface vr3
> }
>
> Thanks,
> Radek
>
>

-- 
Kindest regards,
Tom Smyth.
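
The advice in this reply and in the March reply further up the page (leave `redistribute connected` out, make an interface passive when it faces hosts rather than routers, and put a single /32 on a loopback that is inside the area so it is advertised as an intra-area route rather than an external one) is turned into a check below. This is an added example, not from the thread and not OpenBSD's own tooling; it needs only sh and awk, so it can be run anywhere. The `interface`, `passive` and `redistribute` keywords are ospfd.conf's own; the two sample configurations are constructed here, the weak one from Radek's question and the hardened one from the replies, with the assumed companion file /etc/hostname.lo1 holding `inet 10.1.111.11 255.255.255.255`.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenBSD's own tooling): audit an
# ospfd.conf for the patterns discussed in this thread before reloading it.
# The sample configs written by write_weak_conf / write_hardened_conf are
# constructed for the demo.

# ospfd_conf_audit FILE -> one finding per line, tagged WARN / INFO / OK
ospfd_conf_audit() {
    awk '
    function flush() {
        if (cur != "") {
            if (passive) {
                print "OK   interface " cur ": passive, prefix advertised, no adjacencies formed"
            } else {
                print "INFO interface " cur ": active, hellos sent and neighbours accepted"
            }
        }
        cur = ""; passive = 0
    }
    /^[ \t]*#/ { next }                          # comment line
    /^[ \t]*redistribute[ \t]/ {
        if ($2 == "connected")
            print "WARN redistribute connected: every interface prefix leaks as an external route"
        else if ($2 ~ /\/32$/)
            print "OK   redistribute " $2 ": single host route (external LSA)"
        next
    }
    /^[ \t]*interface[ \t]/ {
        flush(); cur = $2; sub(/ *[{].*/, "", cur)
        if ($0 !~ /[{]/) flush()                 # one-line form, no option block
        next
    }
    cur != "" && /^[ \t]*passive/ { passive = 1; next }
    cur != "" && /^[ \t]*}/       { flush(); next }
    END { flush() }
    ' "$1"
}

# warn_count FILE -> number of WARN findings (0 when there are none)
warn_count() { ospfd_conf_audit "$1" | grep -c '^WARN' || true; }

# write_weak_conf FILE: the configuration from the question, as constructed
# sample input (redistribute connected, host-facing vr3 inside the area)
write_weak_conf() {
cat > "$1" <<'EOF'
router-id 10.109.3.15
redistribute connected

area 0.0.0.0 {
        interface vr0
        interface vr3
}
EOF
}

# write_hardened_conf FILE: the shape the replies recommend. The /32 lives
# on a loopback (assumed /etc/hostname.lo1: "inet 10.1.111.11 255.255.255.255"),
# lo1 sits in the area as a passive interface so the host route is an
# intra-area route, and vr3 is left out of ospfd.conf altogether.
write_hardened_conf() {
cat > "$1" <<'EOF'
router-id 10.109.3.15

area 0.0.0.0 {
        interface vr0
        interface lo1 {
                passive
        }
}
EOF
}

demo() {
    d=$(mktemp -d) || return 1
    write_weak_conf "$d/weak.conf"
    write_hardened_conf "$d/hardened.conf"
    for f in weak hardened; do
        echo "== $f.conf (WARN findings: $(warn_count "$d/$f.conf"))"
        ospfd_conf_audit "$d/$f.conf"
    done
    rm -rf "$d"
}
demo
```

The audit is deliberately conservative: an active interface is reported as INFO, not WARN, because whether hellos belong on it is a network decision the file alone cannot make; `redistribute connected` is the one setting the thread is unanimous about, so it is the only WARN.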


Re: OpenBSD as a transparent switch filter

2023-01-25 Thread Tom Smyth
Hi Christian,

if you have Port 20 and 21 isolated from each other ... ie in the same
protected port group 0 on the switch...
and ports 1-19 in a spearate protected port group eg 1
ports 1-19 can talk to either 20 or 21
and ports 20-21 cannot talk to each other (loop avoidance)

then in openBSD Bridge you can add em0 and em1 to the same protected port
group eg 3
you can do your filtering then...
However... you have to contend with mac flaps on your OpenBSD Bridge (as
broadcast traffic from clients will mean that client macs will be learned
on both em0 and em1)


anotther option  and more granularly controlable ... to
create 19 vlans...

port 1 vlan1,  access (untagged)
port 2 vlan2 access (untagged)
port 3 vlan3 access (untagged)
...
..
port 19 vlan 19 access (untagged)

make port 20 a trunk (tagged)  port on the switch

create 19 vlan interfaces in OpenBSD
bridge them all together with port isolation or filtering you get around
the hairpinning etc... but your openbsd box will suffer if there is lots of
broadcast traffic
(copying frames to multiple ports can be challenging for your CPU)

but if you are doing line rate stuff... you may just want to look at vlan
maps / Vlan ACLs... (extend acls...) ... on the switch...

one piece of advice... on this non standard layer 2 stuff (port
isolation on the switch and bridge is your friend always...  in avoiding
loops...
watch the logs of the switch and cpu.. if the mac flaps are happening you
will see your switch logs (usually ) moan about it

watch your mac address table size and your hardware capacity on your
switch...with this stuff... (know your switch hardware capacity and specs)

i hope this helps...

On Wed, 25 Jan 2023 at 15:14, Cristian Danila  wrote:

> Thank you so much Tom and David for giving me ideas where I can dig more.
> Definitely it is a good start in this journey and I am researching more.
> I have exact same situation with Wireless, for the moment all the clients
> are
> isolated but I need to achieve the same, to filter between them.
> I am evaluating also another idea(possible bad idea) like this:
>
> Switch having all the clients able to talk only with 2 ports: port 20
> and 21 but port 20 and 21 cannot talk direct
> Having BSD setup with two NIC's em0 and em1 as transparent filter: veb,
> em0 connected to port 20
> em1 connected to port 21
>
> In short the only possible way to pass frames from one device to
> another is just through port 20 and 21
>
> I am aware about headache related to possible loops but I am curious
> if it will work.
>
>
> On Wed, Jan 25, 2023 at 2:33 PM Tom Smyth 
> wrote:
> >
> > Hey David...
> > (I have learned so much from you over the years and used your gear so
> maybe I can give a little back  on this one )
> >
> > "Correct use of Proxy arp"  Gateway of  layer 2 isolated network...
> > clients cannot see or hear each other's arp traffic or discovery traffic
> or other broadcast nasties
> > so gateway knows everyones correct arp entry  (because it can see
> everyone and everyone can see the gateway)
> > gateway knows correct arp entries for 2 example clients clienta and
> clientb
> >
> > if client a wants to talk to client b ...they are isolated in layer 2
> ...so arp between them is not possible...
> > enable proxy arp on gateway  client a asks for clientbs mac address in
> an arp request
> > gateway responds to client a with gateway mac address for clientb Ip
> address
> > client a sends traffic for client b ip  to gateway.mac .. gateway routes
> the traffic to client b ip via its connected route and correct arp address
> for client b
> > client B asks for clienta mac address... in an arp request...
> > gateway responds with an arp reply for clienta IP with its own mac
> address
> > client b sends traffic to client a  ip  to the gateway mac address,
> > gateway routes the traffic to client a via its connected route + correct
> arp entry for client a
> >
> > ---
> > proxy arp is (kind of) useful in a lan gateway  (LAN interface only) where
> the IT admin hasn't a handle on routing and gives vpn clients an IP in the
> same range as the Lan in the office..
> > Proxy arp allows the gateway to respond to arp requests for the vpn
> client IP... (but it is no substitute for teaching an IT person how to
> route and design/ number networks)
> >
> > ---incorrect use of proxy arp-
> > EVERYWHERE ELSE ... (sorry for shouting )
> >
> > ps I hate proxy arp ... but it is useful in allowing client - client
> communications while minimising broadcast waste of bandwidth (on large
> wireless access networks)
> >
> >
> >
> >
> > On Tue, 24 Jan 2023 at 23:53, David Gwynne  wrote:

Re: OpenBSD as a transparent switch filter

2023-01-25 Thread Tom Smyth
Hey David...
(I have learned so much from you over the years and used your gear so maybe
I can give a little back  on this one )

"Correct use of Proxy arp"  Gateway of  layer 2 isolated network...
clients cannot see or hear each other's arp traffic or discovery traffic or
other broadcast nasties
so gateway knows everyones correct arp entry  (because it can see everyone
and everyone can see the gateway)
gateway knows correct arp entries for 2 example clients clienta and clientb

if client a wants to talk to client b ...they are isolated in layer 2 ...so
arp between them is not possible...
enable proxy arp on gateway  client a asks for clientbs mac address in an
arp request
gateway responds to client a with gateway mac address for clientb Ip address
client a sends traffic for client b ip  to gateway.mac .. gateway routes
the traffic to client b ip via its connected route and correct arp address
for client b
client B asks for clienta mac address... in an arp request...
gateway responds with an arp reply for clienta IP with its own mac address
client b sends traffic to client a  ip  to the gateway mac address,
gateway routes the traffic to client a via its connected route + correct
arp entry for client a

---
proxy arp is (kind of) useful in a lan gateway  (LAN interface only) where
the IT admin hasn't a handle on routing and gives vpn clients an IP in the
same range as the Lan in the office..
Proxy arp allows the gateway to respond to arp requests for the vpn client
IP... (but it is no substitute for teaching an IT person how to route and
design/ number networks)

---incorrect use of proxy arp-
EVERYWHERE ELSE ... (sorry for shouting )

ps I hate proxy arp ... but it is useful in allowing client - client
communications while minimising broadcast waste of bandwidth (on large
wireless access networks)




On Tue, 24 Jan 2023 at 23:53, David Gwynne  wrote:

>
>
> > On 25 Jan 2023, at 09:47, Tom Smyth 
> wrote:
> >
> > Hi David is that like a local proxy arp type setup (on typical
> > networking gear) .. ?
>
> I’ve never had a clear idea about what proxy ARP is, and the only time it
> comes up in conversation is when people complain about problems it causes.
> Do you have a definition of what you think it means before I say yes or no?
>
> >
> > On Tue, 24 Jan 2023 at 23:45, David Gwynne  wrote:
> >>
> >> I think you can do this on OpenBSD with
> https://github.com/eait-itig/commarp and just routing on em0. I don’t
> think any layer 2 things like bridge or veb are needed, and probably won’t
> work anyway because as Claudio said, they don’t want to hairpin anyway.
> >>
> >> That code doesn’t have any manpages unfortunately. commarp wants a
> config file saying which interface it should run on and which IPs it should
> intercept ARP for. eg:
> >>
> >> $ cat /etc/commarp.conf
> >> interface em0 {
> >>allow 192.168.1.16 - 192.168.1.254
> >> }
> >>
> >> There’s no point rewriting ARP requests for the IP your router is using
> on that subnet, or carp addresses on that subnet, etc.
> >>
> >>
> >>> On 24 Jan 2023, at 22:16, Cristian Danila  wrote:
> >>>
> >>> HI Tom,
> >>>
> >>> I am familiar with options you mentioned, veb, bridge and isolated
> ports.
> >>> I am having another transparent filter based of veb also I am aware
> about
> >>> protected members but my use case is different.
> >>>
> >>> Let me try to explain maybe with different words.
> >>> OpenBSD box is having only one cable input, so what would be the
> >>> benefit of having protected members?
> >>> Protected members are isolating the communication between members of a
> >>> bridge, in my case
> >>> I have only one NIC, so if a bridge would be helpful, I can have a
> >>> bridge with single member,
> >>> therefore isolating that member from who?
> >>> OpenBSD box has only one wire connected to a physical switch, so it
> >>> can communicate with all members
> >>> of the switch, but the physical switch itself do not permit
> >>> communication between members as explained.
> >>> So it is a desire that OpenBSD box is the one that is making possible
> >>> communication between different
> >>> members of the switch through same wire.
> >>>
> >>> Let me try to draw it, I hope will help more
> >>>
> >>> DEVICE1 DEVICE2 DEVICE3
> >>>|   |  |
> >>>|   |  |
> >>> ---
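The clienta / clientb / gateway exchange described above, modelled as an added example (not code from the original post): hosts, MACs and addresses are constructed, clients can only hear the gateway, and the gateway proxies only for addresses it has actually learned.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ArpReply:
    sender_mac: str  # MAC claimed for sender_ip (the gateway's own under proxy ARP)
    sender_ip: str
    target_mac: str


@dataclass
class IpPacket:
    dst_mac: str  # next-hop MAC the sender resolved for dst_ip
    src_ip: str
    dst_ip: str
    payload: str


@dataclass
class Host:
    name: str
    mac: str
    ip: str
    arp_cache: dict = field(default_factory=dict)  # ip -> mac


@dataclass
class Gateway(Host):
    proxy_arp: bool = False
    forwarded: list = field(default_factory=list)  # (src_ip, dst_ip) routed


class IsolatedSegment:
    """Layer 2 isolated segment: clients hear only the gateway and the
    gateway hears everyone (a constructed model, not a real network)."""

    def __init__(self, gateway: Gateway) -> None:
        self.gw = gateway
        self.clients: dict = {}  # mac -> client

    def attach(self, host: Host) -> None:
        self.clients[host.mac] = host
        # The gateway sees every client, so it learns each correct ARP entry,
        # and every client sees the gateway.
        self.gw.arp_cache[host.ip] = host.mac
        host.arp_cache[self.gw.ip] = self.gw.mac

    def gw_handle_arp(self, sender: Host, target_ip: str) -> Optional[ArpReply]:
        gw = self.gw
        if target_ip == gw.ip:
            return ArpReply(gw.mac, gw.ip, sender.mac)  # ordinary ARP for itself
        if gw.proxy_arp and target_ip != sender.ip and target_ip in gw.arp_cache:
            # Proxy ARP: answer with the gateway's own MAC for a client it knows.
            return ArpReply(gw.mac, target_ip, sender.mac)
        return None

    def arp_resolve(self, client: Host, target_ip: str) -> Optional[ArpReply]:
        # The client's broadcast request reaches only the gateway; the other
        # clients never hear it, so only the gateway can answer.
        reply = self.gw_handle_arp(client, target_ip)
        if reply is not None:
            client.arp_cache[reply.sender_ip] = reply.sender_mac
        return reply

    def gw_forward(self, pkt: IpPacket) -> bool:
        # The gateway routes via its connected route using its correct ARP entry.
        real_mac = self.gw.arp_cache.get(pkt.dst_ip)
        if real_mac not in self.clients:
            return False
        self.gw.forwarded.append((pkt.src_ip, pkt.dst_ip))
        return True

    def send(self, src: Host, dst_ip: str, payload: str) -> bool:
        """Client sends an IP packet to dst_ip; True when it was delivered."""
        next_hop = src.arp_cache.get(dst_ip)
        if next_hop is None:
            reply = self.arp_resolve(src, dst_ip)
            if reply is None:
                return False  # nobody answered: the peer is unreachable
            next_hop = reply.sender_mac
        pkt = IpPacket(next_hop, src.ip, dst_ip, payload)
        if next_hop == self.gw.mac:
            return self.gw_forward(pkt)
        return False  # a frame sent straight to another client is dropped by isolation


def demo(proxy_arp: bool) -> dict:
    """Two isolated clients try to talk; MACs and addresses are constructed."""
    gw = Gateway("gateway", "aa:aa:aa:00:00:01", "10.0.0.1", proxy_arp=proxy_arp)
    seg = IsolatedSegment(gw)
    a = Host("clienta", "aa:aa:aa:00:00:0a", "10.0.0.10")
    b = Host("clientb", "aa:aa:aa:00:00:0b", "10.0.0.11")
    seg.attach(a)
    seg.attach(b)
    return {
        "a_to_b": seg.send(a, b.ip, "hello b"),
        "b_to_a": seg.send(b, a.ip, "hello a"),
        "a_thinks_b_is": a.arp_cache.get(b.ip),  # gateway MAC under proxy ARP
        "gw_knows_b_as": gw.arp_cache[b.ip],  # the real MAC of client b
        "forwarded": gw.forwarded,
    }
```

Running `demo(False)` shows the failure mode on an isolated segment without proxy ARP: the ARP request goes unanswered and nothing is delivered.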

Re: OpenBSD as a transparent switch filter

2023-01-24 Thread Tom Smyth
Hi David is that like a local proxy arp type setup (on typical
networking gear) .. ?

On Tue, 24 Jan 2023 at 23:45, David Gwynne  wrote:
>
> I think you can do this on OpenBSD with https://github.com/eait-itig/commarp 
> and just routing on em0. I don’t think any layer 2 things like bridge or veb 
> are needed, and probably won’t work anyway because as Claudio said, they 
> don’t want to hairpin anyway.
>
> That code doesn’t have any manpages unfortunately. commarp wants a config 
> file saying which interface it should run on and which IPs it should 
> intercept ARP for. eg:
>
> $ cat /etc/commarp.conf
> interface em0 {
> allow 192.168.1.16 - 192.168.1.254
> }
>
> There’s no point rewriting ARP requests for the IP your router is using on 
> that subnet, or carp addresses on that subnet, etc.
>
>
> > On 24 Jan 2023, at 22:16, Cristian Danila  wrote:
> >
> > HI Tom,
> >
> > I am familiar with options you mentioned, veb, bridge and isolated ports.
> > I am having another transparent filter based of veb also I am aware about
> > protected members but my use case is different.
> >
> > Let me try to explain maybe with different words.
> > OpenBSD box is having only one cable input, so what would be the
> > benefit of having protected members?
> > Protected members are isolating the communication between members of a
> > bridge, in my case
> > I have only one NIC, so if a bridge would be helpful, I can have a
> > bridge with single member,
> > therefore isolating that member from who?
> > OpenBSD box has only one wire connected to a physical switch, so it
> > can communicate with all members
> > of the switch, but the physical switch itself do not permit
> > communication between members as explained.
> > So it is a desire that OpenBSD box is the one that is making possible
> > communication between different
> > members of the switch through same wire.
> >
> > Let me try to draw it, I hope will help more
> >
> > DEVICE1 DEVICE2 DEVICE3
> > |   |  |
> > |   |  |
> > ---
> > PORT1 PORT2PORT3 PORT 20
> >|   |  |_|
> >|   |_ |
> >|__ |
> > PHISICAL SWITCH DEVICE  |
> > ---|
> >       |
> >   |
> >   |
> >   OPEN BSD BOX
> >
> >
> > Thank you.
> >
> >
> > On Tue, Jan 24, 2023 at 1:43 PM Tom Smyth  
> > wrote:
> >>
> >> Hello Cristian,
> >> if you want to filter on layer 2 ... you would need to use Bridge
> >> have a look at  man ifconfig(8)
> >> bridge filter rules can be added to ports in the bridge...
> >> you can also tag traffic in bridge filter rules and then use PF to
> >> filter them...
> >>
> >> but if your objective is to isolate ports from each other.. this can
> >> be achieved with protected port groups...
> >> again check out ifconfig (8)
> >> TLDR version bridge ports in the same protected port group are
> >> isolated from each other...
> >> If port isolation is all you're looking for (no other detailed filtering
> >> ) if (I'm not sure) veb(4) supports protected ports...then this would
> >> be faster...
> >> but to my shame I have not tried out veb(4)
> >>
> >> I hope this is of some use...
> >>
> >>
> >>
> >>
> >>
> >>
> >> On Tue, 24 Jan 2023 at 11:29, Cristian Danila  wrote:
> >>>
> >>> Hello
> >>>
> >>> I have a more difficult task that I would like to solve with OpenBSD
> >>> and I would really
> >>> appreciate any ideas if it is possible to achieve such.
> >>>
> >>> I have:
> >>> - one OpenBSD box with one Ethernet port
> >>> - one big switch with multiple devices connected
> >>>
> >>> All switch ports are isolated by each other with one exception:
> >>> - All ports can communicate with only one Ethernet port(let's say port 20)
> >>>
> >>> Now what i would like to achieve is to connect an Ethernet cable between
> >>> OpenBSD box and port 20 of the switch, and make OpenBSD a transparent
> >>> filtering hub.
> >>>
> >>> So I need OpenBSD box to be a transparent bridge and filter between
> >>> clients of the switch.
> >>>
> >>> Can anybody suggest a point where I can think about?
> >>> I was thinking initially to add the nic(em0) to veb0 then with link1
> >>> achieve L3 filtering but
> >>> definitely I think I miss something important.
> >>> I am open to research everything is needed for it but I miss a
> >>> starting point and I would
> >>> really appreciate any hint.
> >>>
> >>> Kind regards,
> >>> Claudiu
> >>>
> >>
> >>
> >> --
> >> Kindest regards,
> >> Tom Smyth.
> >
>


-- 
Kindest regards,
Tom Smyth.



Re: Software RAID5 write performance

2023-01-24 Thread Tom Smyth
Hi Atanas,
in general (not specific to RAID5 Softraid in OpenBSD... )
I would advise the following based on my own experience...
Raid5 in hardware raid generally has poor write performance due to the
number of actual writes to disk per
write operation to the raid controller ( parity reads and rewrites
once you write to disks) see
https://www.arcserve.com/blog/understanding-raid-performance-various-levels#:~:text=This%20means%20that%20a%20RAID,write%20performance%20is%20NX%2F4.

because of the number of physical writes per  raid device write...
Raid5 and SSDs don't really go together... ... unless you like
replacing SSD Disks in your arrays...
suggest meat and potatoes RAID 1 or Raid 10 ... for ssd ...  and you
then don't suffer write penalties... associated with Raid 5...


On Tue, 24 Jan 2023 at 15:05, Atanas Vladimirov  wrote:
>
> Hi Guys,
>
> I wonder if someone here is using RAID5 with HDD drives and what write
> performance on such discipline is expected?
> I have 4x 1T HDDs and can't get more than 10~12 MBps on writing.
>
> I found a Reddit post [1] where the user observed a similar write speed,
> of course, he was using other drives (Model and Size).
> My curiosity (and the reason I'm asking here) comes from the fact that
> we are observing very similar speeds.
>
> So, do you use RAID5 and how it behaves on your side?
>
>
> [1]
> https://www.reddit.com/r/openbsd/comments/srru20/raid5_write_performance/
>
> P.S.: Anyone using RAID5 with SSD drives? How is the write speed there?
>
> Best wishes,
> Atanas
>


-- 
Kindest regards,
Tom Smyth.



Re: OpenBSD as a transparent switch filter

2023-01-24 Thread Tom Smyth
I agree with Claudio re Hairpin issue...
perhaps an alternate setup would be to use 2 vlans on the switch on
the uplink of the openbsd box
(to avoid the hair pin on a physical interface) but care needs to be
taken when bridging between the two vlans as 2x mac table usage will
occur ... ie mac address on one device may be present in two vlans (if
you have a filtering bridge between the two vlans ) and isolation is
turned off at any stage...
( I have been badly caught out on this when aggregating n vlans ... n
bridged vlans x (original mactable usage ) = new mac address table
size
Hope this helps...

On Tue, 24 Jan 2023 at 12:24, Claudio Jeker  wrote:
>
> On Tue, Jan 24, 2023 at 11:43:08AM +0000, Tom Smyth wrote:
> > Hello Cristian,
> > if you want to filter on layer 2 ... you would need to use Bridge
> > have a look at  man ifconfig(8)
> > bridge filter rules can be added to ports in the bridge...
> > you can also tag traffic in bridge filter rules and then use PF to
> > filter them...
> >
> > but if your objective is to isolate ports from each other.. this can
> > be achieved with protected port groups...
> > again check out ifconfig (8)
> > TLDR version bridge ports in the same protected port group are
> > isolated from each other...
> > If port isolation is all you're looking for (no other detailed filtering
> > ) if (I'm not sure) veb(4) supports protected ports...then this would
> > be faster...
> > but to my shame I have not tried out veb(4)
> >
> > I hope this is of some use...
> >
>
> The problem is not veb(4) vs bridge(4) (both should work and I would
> suggest you try to stay away from bridge(4)). The problem is the hairpin
> on the single interface to the switch. AFAIK neither veb(4) nor bridge(4)
> will send back a packet on the same port it was received on. Doing so
> can result in packet loops.
>
>
> > On Tue, 24 Jan 2023 at 11:29, Cristian Danila  wrote:
> > >
> > > Hello
> > >
> > > I have a more difficult task that I would like to solve with OpenBSD
> > > and I would really
> > > appreciate any ideas if it is possible to achieve such.
> > >
> > > I have:
> > > - one OpenBSD box with one Ethernet port
> > > - one big switch with multiple devices connected
> > >
> > > All switch ports are isolated by each other with one exception:
> > > - All ports can communicate with only one Ethernet port(let's say port 20)
> > >
> > > Now what i would like to achieve is to connect an Ethernet cable between
> > > OpenBSD box and port 20 of the switch, and make OpenBSD a transparent
> > > filtering hub.
> > >
> > > So I need OpenBSD box to be a transparent bridge and filter between
> > > clients of the switch.
> > >
> > > Can anybody suggest a point where I can think about?
> > > I was thinking initially to add the nic(em0) to veb0 then with link1
> > > achieve L3 filtering but
> > > definitely I think I miss something important.
> > > I am open to research everything is needed for it but I miss a
> > > starting point and I would
> > > really appreciate any hint.
> > >
> > > Kind regards,
> > > Claudiu
> > >
> >
> >
> > --
> > Kindest regards,
> > Tom Smyth.
> >
>
> --
> :wq Claudio
>


-- 
Kindest regards,
Tom Smyth.



Re: OpenBSD as a transparent switch filter

2023-01-24 Thread Tom Smyth
Hello Cristian,
if you want to filter on layer 2 ... you would need to use Bridge
have a look at  man ifconfig(8)
bridge filter rules can be added to ports in the bridge...
you can also tag traffic in bridge filter rules and then use PF to
filter them...

but if your objective is to isolate ports from each other.. this can
be achieved with protected port groups...
again check out ifconfig (8)
TLDR version bridge ports in the same protected port group are
isolated from each other...
If port isolation is all you're looking for (no other detailed filtering
) if (I'm not sure) veb(4) supports protected ports...then this would
be faster...
but to my shame I have not tried out veb(4)

I hope this is of some use...






On Tue, 24 Jan 2023 at 11:29, Cristian Danila  wrote:
>
> Hello
>
> I have a more difficult task that I would like to solve with OpenBSD
> and I would really
> appreciate any ideas if it is possible to achieve such.
>
> I have:
> - one OpenBSD box with one Ethernet port
> - one big switch with multiple devices connected
>
> All switch ports are isolated by each other with one exception:
> - All ports can communicate with only one Ethernet port(let's say port 20)
>
> Now what i would like to achieve is to connect an Ethernet cable between
> OpenBSD box and port 20 of the switch, and make OpenBSD a transparent
> filtering hub.
>
> So I need OpenBSD box to be a transparent bridge and filter between
> clients of the switch.
>
> Can anybody suggest a point where I can think about?
> I was thinking initially to add the nic(em0) to veb0 then with link1
> achieve L3 filtering but
> definitely I think I miss something important.
> I am open to research everything is needed for it but I miss a
> starting point and I would
> really appreciate any hint.
>
> Kind regards,
> Claudiu
>


-- 
Kindest regards,
Tom Smyth.



Re: Max number of NICs

2023-01-24 Thread Tom Smyth
msixfailed
to allocate   interrupt slot for
PIC msix pin -2145714175
: unable to establish interrupt 1
ppb27 at pci0 dev 24 function 1 "VMware PCIE" rev 0x01: msi
pci28 at ppb27 bus 28
vmx9 at pci28 dev 0 function 0 "VMware VMXNET3" rev 0x01:
ppb28 at pci0 dev 24 function 2 "VMware PCIE" rev 0x01: msi
pci29 at ppb28 bus 29
ppb29 at pci0 dev 24 function 3 "VMware PCIE" rev 0x01: msi
pci30 at ppb29 bus 30
ppb30 at pci0 dev 24 function 4 "VMware PCIE" rev 0x01: msi
pci31 at ppb30 bus 31
ppb31 at pci0 dev 24 function 5 "VMware PCIE" rev 0x01: msi
pci32 at ppb31 bus 32
ppb32 at pci0 dev 24 function 6 "VMware PCIE" rev 0x01: msi
pci33 at ppb32 bus 33
ppb33 at pci0 dev 24 function 7 "VMware PCIE" rev 0x01: msi
pci34 at ppb33 bus 34
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
root on sd0a (d48ff886556ca841.a) swap on sd0b dump on sd0b

On Tue, 24 Jan 2023 at 04:33, Nick Holland  wrote:
>
> On 1/23/23 17:54, Lars Bonnesen wrote:
> > How many physical NICs can you add to an OpenBSD host (vmx)
> >
> > I am asking because I am running an OpenBSD on a VMware host but apparently
> > OpenBSD can only see 8 of them.
> >
> > Can I raise the limit somehow?
> >
> > Regards, Lars.
>
> many years ago (back in the 3.x days, iirc), someone asked me to jam
> a machine full of NICs and see what happened.
>
> Four 4-port dc(4) NICs (16 ports) plus one 3com 3c905 on the main
> board later, I saw no issues, but then I lacked any use for a 17 port
> machine.  If I recall properly, the person who asked me to do it was
> expecting some kind of issue, but when I told him they were dc(4)s,
> he was disappointed and said, "Well, of course those will work".
>
> I had a machine for a while with something like ten or
> eleven em(4)s in it, I had fired it up, don't recall seeing any
> problems with it identifying all the ports (in fact, iirc, it found
> a port on the MoBo that was not extended to the outside).  Again,
> no issue, but after staring at the power hungry box for many years
> and never doing anything with it, it finally got recycled.  Again,
> that was many releases ago...so not sure how it applies today.
>
> Current FW box is a old citrix appliance with a six port NIC and two
> onboard ports, for eight em(4)s.
>
> Nick.
>


-- 
Kindest regards,
Tom Smyth.



Re: Max number of NICs

2023-01-23 Thread Tom Smyth
as far as I know Vmware has a limit of 10 nics ...  per vm
can you send on a dmesg... of the machine you are running...

have you tried setting the  nic type to Intel Pro1000 as a test ?

On Mon, 23 Jan 2023 at 23:09, Lars Bonnesen  wrote:
>
> How many physical NICs can you add to an OpenBSD host (vmx)
>
> I am asking because I am running an OpenBSD on a VMware host but apparently
> OpenBSD can only see 8 of them.
>
> Can I raise the limit somehow?
>
> Regards, Lars.



-- 
Kindest regards,
Tom Smyth.



Re: BiDi sfp in ix

2023-01-02 Thread Tom Smyth
Hi Hrvoje,

Some intel Nics do have restrictions on what transceivers they would
accept ... (like a licensing / branding thing ) ... if you are
ordering from fs.com or flexoptix you can re-program those  with the
FS.com transceiver programmer / Flexoptix transceiver programmer...

for what it's worth ...  I have come across weird issues with Ubnt
Edge switches and getting the SFP interfaces to come up ,..

where for instance in UBNT the  autodetect, vs autonegotiate, vs 1000
Mb/s Full  all  have different results depending on the vendor of
router / device that is attached to the sfp interface...
I would play around with the combinations of autodetect (which is
different to auto negotiate) to forcing the speed...

your nic vendor may be able to provide you with firmware to unlock any
weird licensing restriction on the brand of transceiver in use...

I hope this is in some way helpful ... ?

if you use your phone camera can you confirm when the SFP is in the
Ix(4) interface... that the laser is on and is sending light ? (you
will see a purple / blue ish hue light on your camera of your phone...
)
Hope this helps and Happy new year to you ..



On Mon, 2 Jan 2023 at 15:10, Hrvoje Popovski  wrote:
>
> On 28.12.2022. 20:21, Stuart Henderson wrote:
> > On 2022-12-28, Hrvoje Popovski  wrote:
> >> Hi all,
> >>
> >> I don't have much experience with BiDi sfp, so I'm asking you guys,
> >> should openbsd ix work with 1G BiDi sfp.
> >
> > should do, yes.
> >
> > in case you're not aware, bidi transceivers come in different types, e.g.
> > your MaxLink ML-S5531-20 transmits at 1550nm and receives at 1310nm, so
> > must be paired with a transceiver that transmits at 1310nm and receives
> > at 1550nm (e.g. the MaxLink model is ML-S3155-20) - do you have that?
> >
> > also, they should normally be used with single-mode fibre (due to how
> > the bidi optics are coupled into the fibre they *can* also work with
> > multimode fibre, though if you do that, insertion loss is high so
> > distance is much more limited, plus it's even more sensitive to bending
> > than usual in that case).
> >
> >
>
> Hi,
>
> everything is fine regarding transceiver and fiber. I've played with it
> for few days with my ISP and that BiDI sfp works on mikrotik
> RB5009UG+S+IN and cisco 2960 switch. On aruba 2540 (allow unsupported
> transceiver), ibm switch and openbsd ix(4) it won't work.
>
> I've ordered few BiDi sfp from fs.com and maybe my ISP will lend me
> MaxLink sfp so I could test them in lab.
>
> Thank you Stuart for information ...
>


-- 
Kindest regards,
Tom Smyth.



Re: bgpd.conf rules changed?

2022-12-19 Thread Tom Smyth
Hi Toni,
what version are you coming from... if you are prior to 6.4 or 6.5 (I
can't fully remember
One of the Biggest changes was  RFC 8212
where route filter policies went from allow all announcements  by
default to deny by default...
announce all and announce self were deprecated

Check out /etc/examples/bgpd.conf which has nice examples of best
practice with the new syntax

you will see the new syntax and you will see how you can create groups
of prefixes (for instance your own prefixes)  and another group for
transit customer prefixes etc..

then you just create filters to accept your prefixes to your upstream peers...

man bgpd.conf will show any other syntax that may be deprecated...  (
I have never set the softreconfig  I *think* it is now a default ...

I hope this helps,
Tom Smyth


On Mon, 19 Dec 2022 at 11:59, Toni Mueller  wrote:
>
>
> Hi,
>
> I am trying to upgrade an OpenBSD based BGP router from an old version
> to 7.2. But on OpenBSD 7.2, the config file results in several errors,
> despite the man page not indicating any thing "obvious".
>
> Eg. I get syntax errors on
>
>   softreconfig in yes
>   softreconfig out yes
>   announce self
>   announce all
>   announce default-route
>
>
> I also get errors on
>
>   tcp md5sig password  somesecrethere
>
> if the secret contains special characters.
>
>
> I have tried to comment the softreconfig lines, but can't do away with
> the 'announce' statements.
>
>
> Is there some overview about what changed over the course of time, and
> possibly, some better error messages to help diagnose the errors?
>
>
> Thanks a lot,
> Toni
>


-- 
Kindest regards,
Tom Smyth.



Re: VMM FAQ - 802.11 Prevents Bridging?

2022-12-12 Thread Tom Smyth
Hi Cory,
Just to clarify, bridging typically works from a wireless Access Point
ie bridging a wireless access point to an ethernet interface and vice
versa
that (should) work and is catered for in the 802.11 standard.


however a wireless interface in station / client mode bridged to an
ethernet interface requires proprietary extensions (and as Stuart has
pointed out
won't work)

if you need a layer 2 Wireless Connection to VMM  I would suggest
using a an ethernet port in VMM and plug the ethernet port into a
proprietary wireless Router / Client..
I can give you a steer off list but I don't want to  descend into
plugging a proprietary solution ...

I hope this helps
Tom Smyth


On Mon, 12 Dec 2022 at 22:35, Stuart Henderson
 wrote:
>
> On 2022-12-12, c0ry  wrote:
> > Hey folks,
> >
> > I noticed this line in the VMM FAQ (
> > https://www.openbsd.org/faq/faq16.html#VMMnet):
> >
> > "...the IEEE 802.11 standard prevents wireless interfaces from
> > participating in network bridges."
> >
> > Just wanted to confirm what is meant by this - are we just trying to say
> > that WDS isn't part of the standard and isn't supported? Does the standard
> > actually "prevent" anything? Sorry if this is pedantic, I'm just curious.
>
> WDS is only partly standardised and doesn't always work cross-vendor;
> also OpenBSD doesn't support it at all.
>
>
>
> --
> Please keep replies on the mailing list.
>


-- 
Kindest regards,
Tom Smyth.



Re: OpenBSD File systems , on Flash / SSD CPE (in sites with uncontrolled power (CPE customer sites)

2022-11-28 Thread Tom Smyth
sorry  there was an omission in my /etc/fstab
i had left out the softdep,noatime flags on the filesystems that were
running off the disk using FFS
Thanks
#begin corrected /etc/fstab##
/dev/sd0a / ffs rw,softdep,noatime 1 1
/dev/sd0d /usr/local ffs rw,wxallowed,nodev,softdep,noatime 1 1
swap /tmp mfs rw,nosuid,noexec,nodev,-s=256000,-P=/persist-fs/tmp 0 0
swap /var mfs rw,nosuid,noexec,nodev,-s=512000,-P=/persist-fs/var 0 0
swap /dev mfs rw,nosuid,noexec,-P=/persist-fs/dev,-i=2048,-s=102400 0 0

##end-corrected /etc/fstab##


On Mon, 28 Nov 2022 at 21:46, Tom Smyth 
wrote:

> Hello, Folks,
>
> I'm reviewing our filesystem setup for OpenBSD CPEs that we deploy in the
> field
>
> in order to minimise the impact of Power Outages / Customer interference
> on the boxes,
> we install a 4G root partition /
> and a 2GB /usr/local (to allow the wxallowed flag for the filesystem)
>
> we use mfs for /tmp and /var  so that the probability that there is
> a filesystem write to the SSD is reduced (so that power failures don't cause
> file system corruption)
>
> we use the following  fstab
>
> #begin /etc/fstab/###
> /dev/sd0a / ffs rw 1 1
> /dev/sd0d /usr/local ffs rw,wxallowed,nodev 1 1
> swap /tmp mfs rw,nosuid,noexec,nodev,-s=256000,-P=/persist-fs/tmp 0 0
> swap /var mfs rw,nosuid,noexec,nodev,-s=512000,-P=/persist-fs/var 0 0
> swap /dev mfs rw,nosuid,noexec,-P=/persist-fs/dev,-i=2048,-s=102400 0 0
> #end  /etc/fstab/###
>
> and the persist-fs folders are created by installing OpenBSD, installing
> packages and running
> the following commands to copy /var /tmp and /dev to a persistent location
> on /
> ###setup commands #
> mkdir -p /persist-fs/dev
> mkdir -p /persist-fs/tmp
> mkdir -p /persist-fs/var
> cp -Rp /var/* /persist-fs/var
> cp -Rp /tmp/* /persist-fs/tmp
> cp -p /dev/MAKEDEV /persist-fs/dev/
> cd /persist-fs/dev/
> /persist-fs/dev/MAKEDEV all
>
> any feedback welcome, are there other folders that could be heavily
> written to ?
> are there shortcomings?  I have omitted swap (because of flash and ssd wear
> concerns)
> I hope this helps...
> Tom Smyth
>
>
> --
> Kindest regards,
> Tom Smyth.
>


-- 
Kindest regards,
Tom Smyth.


OpenBSD File systems , on Flash / SSD CPE (in sites with uncontrolled power (CPE customer sites)

2022-11-28 Thread Tom Smyth
Hello, Folks,

I'm reviewing our filesystem setup for OpenBSD CPEs that we deploy in the
field

in order to minimise the impact of Power Outages / Customer interference on
the boxes,
we install a 4G root partition /
and a 2GB /usr/local (to allow the wxallowed flag for the filesystem)

we use mfs for /tmp and /var  so that the probability that there is a
filesystem write to the SSD is reduced (so that power failures don't cause
file system corruption)

we use the following  fstab

#begin /etc/fstab/###
/dev/sd0a / ffs rw 1 1
/dev/sd0d /usr/local ffs rw,wxallowed,nodev 1 1
swap /tmp mfs rw,nosuid,noexec,nodev,-s=256000,-P=/persist-fs/tmp 0 0
swap /var mfs rw,nosuid,noexec,nodev,-s=512000,-P=/persist-fs/var 0 0
swap /dev mfs rw,nosuid,noexec,-P=/persist-fs/dev,-i=2048,-s=102400 0 0
#end  /etc/fstab/###

and the persist-fs folders are created by installing OpenBSD, installing
packages and running
the following commands to copy /var /tmp and /dev to a persistent location
on /
###setup commands #
mkdir -p /persist-fs/dev
mkdir -p /persist-fs/tmp
mkdir -p /persist-fs/var
cp -Rp /var/* /persist-fs/var
cp -Rp /tmp/* /persist-fs/tmp
cp -p /dev/MAKEDEV /persist-fs/dev/
cd /persist-fs/dev/
/persist-fs/dev/MAKEDEV all

any feedback welcome; are there other folders that could be heavily written
to?
are there shortcomings? I have omitted swap (because of flash and SSD wear
concerns)
I hope this helps...
Tom Smyth


-- 
Kindest regards,
Tom Smyth.
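
An added check, written for this archive and not part of Tom's setup above: it parses the mfs lines of an fstab like the one in the post, pulls out the -s size and the -P populate directory, and confirms that each directory exists and that its current contents would fit in the mfs, so a box does not come up with a /var or /tmp that is already full. The embedded sample fstab is the one from the post; mount_mfs's default 512-byte sectors are assumed for -s, and only bare numeric sizes (no k/m suffix) are handled.

```shell
#!/bin/sh
# Added example (not from the post): sanity-check the mfs entries of an
# fstab. Reads fstab text on stdin in both functions.

# Emit "<mountpoint> <size_kb> <populate_dir>" for every mfs entry.
# Comment lines and non-mfs lines are skipped. -s is taken as 512-byte
# sectors (mount_mfs default, no suffix support); a missing -P is shown
# as "-".
mfs_entries() {
    while read -r dev mnt type opts _rest; do
        case "$dev" in ''|\#*) continue ;; esac
        [ "$type" = mfs ] || continue
        size_kb=0 pdir=-
        # Options are comma separated; mount_mfs flags appear as -s=N, -P=dir.
        oldifs=$IFS; IFS=,
        for o in $opts; do
            case "$o" in
                -s=*) size_kb=$(( ${o#-s=} / 2 )) ;;   # sectors -> kB
                -P=*) pdir=${o#-P=} ;;
            esac
        done
        IFS=$oldifs
        printf '%s %s %s\n' "$mnt" "$size_kb" "$pdir"
    done
}

# Check every mfs entry of the fstab on stdin: the -P directory must exist
# and what it currently holds (du -sk) must fit into the mfs.
# Prints one verdict per entry; returns 0 only if all entries pass.
check_mfs() {
    entries=$(mfs_entries)
    rc=0
    while read -r mnt size_kb pdir; do
        [ -n "$mnt" ] || continue
        if [ "$pdir" = - ]; then
            printf '%s: no -P directory, mfs starts empty\n' "$mnt"
            continue
        fi
        if [ ! -d "$pdir" ]; then
            printf '%s: MISSING populate dir %s\n' "$mnt" "$pdir"
            rc=1; continue
        fi
        used_kb=$(du -sk "$pdir" | cut -f1)
        if [ "$used_kb" -ge "$size_kb" ]; then
            printf '%s: %s holds %s kB but the mfs is only %s kB\n' \
                "$mnt" "$pdir" "$used_kb" "$size_kb"
            rc=1
        else
            printf '%s: ok (%s of %s kB used, populated from %s)\n' \
                "$mnt" "$used_kb" "$size_kb" "$pdir"
        fi
    done <<EOF
$entries
EOF
    return $rc
}

# Sample input: the fstab from the post, embedded here as constructed data.
SAMPLE_FSTAB='/dev/sd0a / ffs rw 1 1
/dev/sd0d /usr/local ffs rw,wxallowed,nodev 1 1
swap /tmp mfs rw,nosuid,noexec,nodev,-s=256000,-P=/persist-fs/tmp 0 0
swap /var mfs rw,nosuid,noexec,nodev,-s=512000,-P=/persist-fs/var 0 0
swap /dev mfs rw,nosuid,noexec,-P=/persist-fs/dev,-i=2048,-s=102400 0 0'

# Show the parsed entries for the sample; on a real CPE run:
#   check_mfs < /etc/fstab
printf '%s\n' "$SAMPLE_FSTAB" | mfs_entries
```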


Re: Suggestions for miniPCI wireless card for an accesspoint on OpenBSD - 2022q4

2022-11-24 Thread Tom Smyth
Hi Mikolaj,

I'm told that the Broadcom AC chipset based ones are an excellent choice as
the card handles the vast majority of wi-fi protocols & advanced features
associated with newer 802.11 standards... leaving you the admin to just
configure the WPA keys and the SSIDs...
checking back through the archives, there was a recent enough
discussion on this very topic ...


I hope this helps,


On Thu, 24 Nov 2022 at 17:27, Mikolaj Kucharski 
wrote:

> Hi,
>
> I'm using for few years now on OpenBSD accesspoint (mediaopt hostap)
> based on following miniPCI card:
>
> # dmesg | grep -e ^ath
> athn0 at pci4 dev 0 function 0 "Atheros AR928X" rev 0x01: apic 5 int 16
> athn0: AR9280 rev 2 (2T2R), ROM rev 22, address 04:f0:21:45:6a:c4
>
> I don't remember where I bought it, but I think it is one of those, or
> compatibile:
>
> https://www.pcengines.ch/wle200nx.htm
>
> If you would build today an accesspoint, on hardware with miniPCI, what
> would you choose, for OpenBSD?
>
> --
> Regards,
>  Mikolaj
>
>

-- 
Kindest regards,
Tom Smyth.


Re: 0.0.0.0/32 in pf's tables

2022-11-11 Thread Tom Smyth
yeah, 0.0.0.0/32 (legacy broadcast address) is a valid address and would be
included in very verbose explicit rules blocking traffic from invalid src
addresses (for example)

hope this helps

On Fri 11 Nov 2022, 20:23 3,  wrote:

> a very clever man once said that God does not play dice.. and he was
> wrong! so it is too presumptuous to believe that you know the ways of the
> God ;) seriously, if i can use 0.0.0.0/32 in rules, then why can't i use
> the same in tables? i don't think God cares why i do it
>
>
> > God abhors a naked singularity.
>
>
> > On Tue, 2022-11-08 at 22:47 +0300, 3 wrote:
> >> what religion forbids using 0.0.0.0/32 in tables? 0_0 but 0/0 can be
> >> used.. what's going on?! is the world going mad?
> >>
>
>
>


Re: 2FA VPNs

2022-11-01 Thread Tom Smyth
Hi Stuart,

some of the commercial systems we have used use RADIUS as the
authentication mechanism...

One could do a rudimentary OTP password system using RADIUS ...

some OTP systems allow for caching a series of one time passwords, circa
100 passwords...
so it could be feasible to have 100 passwords listed on a card, and ask
the user to enter password X ?



Thanks,

Tom Smyth


On Wed, 2 Nov 2022 at 02:14, Stuart Henderson 
wrote:

> If anyone's got any good suggestions on how to do VPNs with 2FA
> on an OpenBSD gateway for non-technical users to access (iOS, Android,
> Windows clients) I'd love to hear them.
>
> I could bodge something together with openvpn and TOTP but it doesn't
> exactly spark joy.
>
>
>

-- 
Kindest regards,
Tom Smyth.


Re: HP PA-RISC / IA64 hardware platform for Linux Debian, Gentoo, NetBSD, OpenBSD and HP-UX Unix

2022-10-07 Thread Tom Smyth
Hi Jesse,

you can check out https://www.openbsd.org/want.html  perhaps there is an
overlap between developers requirements and what you have surplus,
it is a voluntary project so consider donating  some hardware to the
developers  according to that list,

Hope this helps,

Tom Smyth

On Fri, 7 Oct 2022 at 13:16, Jesse Dougherty  wrote:

> Hi, I'm Jesse at Cypress Technology Inc. We at Cypress sell HP hardware.
> Below are some links to HP PA-RISC and IA64 boxes that support the Linux
> Debian, Gentoo, NetBSD, OpenBSD Linux and HP-UX Unix platforms. If you
> are in need of systems, feel free to email back with any question or
> requests. We also sell all boxes and parts that HP made for the HP-UX /
> Unix line.
>
> PA-RISC
> www.ebay.com/itm/385130495455
> www.ebay.com/itm/384211227917
>
> IA64
> www.ebay.com/itm/384272059488
> www.ebay.com/itm/384211228177
>
> IA64 - For Telco / Data Center users / 48v DC
> www.ebay.com/itm/384966825704
>
> Thanks
> Jesse Dougherty
> Resellers of HP hardware
> je...@cypress-tech.com
> www.cypress-tech.com
>
>

-- 
Kindest regards,
Tom Smyth.


Re: embarrassing mail problem

2022-10-05 Thread Tom Smyth
howdy Steve...
on newer versions of OpenBSD OpenSMTPD,
legacy TLS versions / ciphers are disabled by default...
there is an option to allow legacy TLS versions (I can't remember the
option off hand, but man smtpd.conf and search for tls; you should find it
handy enough... this caught me out on an upgrade to 7.0)

btw mxtoolbox.com has some useful tests that could help you diagnose mail
flow issues...

DMARC + DKIM   would be worth looking at...

also check the spamhaus PBL... if your isp suddenly added their subscriber
ip ranges to the PBL this could negatively impact you if your mail server
ip is in the ranges the ISP included in Spamhaus Policy Block List...

hope this helps



On Wed 5 Oct 2022, 23:07 Steve Fairhead,  wrote:

> I've searched and failed, and I realise I'm going to show my total
> ignorance by not having found an answer (and no, I've not been keeping
> up these last few years - mea culpa - demanding day-job). But - I'd be
> grateful for any (gentle or otherwise) cluebats.
>
> I have several OpenBSD email servers, some elderly (Sendmail) and some
> brand-spanking new (smtpd). Recently I've noticed that some (of both
> kinds) are failing to deliver mail to some major UK ISPs. (Mostly
> domestic; business ISPs not so much.)
>
> For Sendmail, the error is "TLS handshake failed"; for smtpd, it's
> "Network error on destination MXs".
>
> I do have SPF etc setup; thought that might be it, but no. I've read
> that some ISPs have closed port 25. I presume that's relevant, but I
> simply don't know.
>
> As I said, all cluebats gratefully (and probably painfully) accepted.
>
> Steve
>
> --
>
> --
>Steve Fairhead
>   email: st...@fivetrees.com
> --
>
>


Re: Is OpenBSD suited for old Dell Precision T5500 (Dual Xeon X5675, 72GB RAM)

2022-09-07 Thread Tom Smyth
Hi Jan,
I have seen a number of cases where
partitions on the fixed disks from other OSes being on the system
prevented some installers working / detecting free space to install to
...

I have seen where USB writing software (on other operating systems) did not
write the install image properly to the USB stick;
clearing the partitions and writing zeros ahead of writing the image to the
USB did help me with installs before ...
but less so about panics and more to do with either booting the install OS,
or writing the sets to the fixed disks on the box..


On Wed, 7 Sept 2022 at 13:13, Jan Stary  wrote:

> > > > 1) On initial boot (with 7.1 release, on a usb stick) it more or less
> > > > immediately panicked into ddb when I tried to pipe dmesg into a file
> on
> > > > the usb stick. I took out the NVMe-card, and whether or not that was
> the
> > > > problem the machine anyhow behaved better long enough for me to get
> > > > network and do a fw_update.
> > >
> > > sure sounds like it could be a bad USB stick.
> > > Very common.  For important things, I have learned to write zeros over
> > > the entire USB stick before expecting it to actually work.  Nothing to
> > > do with the T5500.
>
> I am puzzled: how exactly is a zero filled USB stick
> less panicky than another USB stick?
>
>

-- 
Kindest regards,
Tom Smyth.


Re: Is OpenBSD suited for old Dell Precision T5500 (Dual Xeon X5675, 72GB RAM)

2022-09-07 Thread Tom Smyth
Hi Erling,

it depends: do you mean softraid? that will be either AHCI using the Intel
driver or LSI RAID emulation (where you can configure the RAID in the
option ROM, after POST just before the OS boots); it depends on the
chipset setup ...
Dell may put the LSI in as a PERC; it also may be a separate card or I/O
module to the onboard SATA ...
Hope this helps


On Wed, 7 Sept 2022 at 12:19, Erling Westenvik 
wrote:

> On Wed, Sep 07, 2022 at 11:41:49AM +0100, Tom Smyth wrote:
> > hi
> >
> > i would check bios / firmware settings
> >
> > try disabling memory mapped i/o in bios
> >
> > check processor settings enable vt-d disable hyper threading ensure
> execute
> > disable is enabled
> >
> > update the bios as it will update cpu microcode ...
>
> Great. Thanks, Tom.
>
> > dell alow you to select the emulation of sata
> > ahci vs raid vs sata vs legacy
>
> For 2 x 525GB SSD's in RAID (softraid) 1, that setting would be...?
>
> Erling
>
> >
> > On Wed 7 Sep 2022, 03:02 Erling Westenvik, 
> > wrote:
> >
> > > Hello,
> > >
> > > A friend donated an old Dell Precision T5500 workstation, a heavy
> > > bastard with dual Xeon X5675 and 72GB RAM which still packs a punch I
> > > believe. At least it does for me. I would like it to replace my old i7
> > > 3770k. However, I'm starting to have doubts:
> > >
> > > 1) On initial boot (with 7.1 release, on a usb stick) it more or less
> > > immediately panicked into ddb when I tried to pipe dmesg into a file on
> > > the usb stick. I took out the NVMe-card, and whether or not that was
> the
> > > problem the machine anyhow behaved better long enough for me to get
> > > network and do a fw_update.
> > >
> > > 2) After fw_update the radeondrm was detected and I got a nice
> 2560x1600
> > > console. However, before it would give me a login prompt the machine
> got
> > > stuck with repeating complaints about "ehci_device_clear_toggle: queue
> > > active". So – USB related, right?  Very well! Out with the usb stick,
> in
> > > with an old SSD with OpenBSD 6.7.
> > >
> > > 3) The machine behaves better, xenodm starts fine with cwm, but it
> won't
> > > resume after suspend (zzz).
> > >
> > > Some or all of the above problems may have solutions, trivial or not,
> > > but more problems may perhaps lurk under the surface..?
> > >
> > > So I guess my question is if someone knows whether these Dell machines
> > > are known to be error prone in general, or problematic with OpenBSD in
> > > particular, and if I should stop before wasting time!?
> > >
> > > Sincerely,
> > >
> > > Erling
> > >

Re: Is OpenBSD suited for old Dell Precision T5500 (Dual Xeon X5675, 72GB RAM)

2022-09-07 Thread Tom Smyth
hi

i would check bios / firmware settings

try disabling memory mapped i/o in bios




check processor settings enable vt-d disable hyper threading ensure execute
disable is enabled

update the bios as it will update cpu microcode ...

Dell allow you to select the emulation of SATA

ahci vs raid vs sata vs legacy





On Wed 7 Sep 2022, 03:02 Erling Westenvik, 
wrote:

> Hello,
>
> A friend donated an old Dell Precision T5500 workstation, a heavy
> bastard with dual Xeon X5675 and 72GB RAM which still packs a punch I
> believe. At least it does for me. I would like it to replace my old i7
> 3770k. However, I'm starting to have doubts:
>
> 1) On initial boot (with 7.1 release, on a usb stick) it more or less
> immediately panicked into ddb when I tried to pipe dmesg into a file on
> the usb stick. I took out the NVMe-card, and whether or not that was the
> problem the machine anyhow behaved better long enough for me to get
> network and do a fw_update.
>
> 2) After fw_update the radeondrm was detected and I got a nice 2560x1600
> console. However, before it would give me a login prompt the machine got
> stuck with repeating complaints about "ehci_device_clear_toggle: queue
> active". So – USB related, right?  Very well! Out with the usb stick, in
> with an old SSD with OpenBSD 6.7.
>
> 3) The machine behaves better, xenodm starts fine with cwm, but it won't
> resume after suspend (zzz).
>
> Some or all of the above problems may have solutions, trivial or not,
> but more problems may perhaps lurk under the surface..?
>
> So I guess my question is if someone knows whether these Dell machines
> are known to be error prone in general, or problematic with OpenBSD in
> particular, and if I should stop before wasting time!?
>
> Sincerely,
>
> Erling
>

Re: vxlan operational question

2022-07-16 Thread Tom Smyth
Hi Florian,

I'll admit I'm guessing, but I would set up the tunnel before putting the IP
address on it... so
vnetid 10
tunnel 1.1.1.1 2.2.2.2
inet6 2001:db8::1/126
up

I could be wrong, but I know the ordering of setup commands in the file can
be important (rdomain for instance would have to come first),
but it was always my instinct to set up the interface with tags etc. before
putting the IP on it...

i am guessing here  but it might be a help ...


On Sat, 16 Jul 2022 at 17:35, Florian Bauer  wrote:

> Hello there,
>
> I am using OpenBSD with OpenBGPD to server my private ASN. Unfortunately,
> since upgrading from 7.0 to 7.1, my p-to-p vxlan underlay network stopped
> working. This behavior is reproducible on fresh set up systems without any
> further modification.
> My configuration looks as follows on both sides with correct IP addresses:
> ```
> # content of /etc/hostname.vxlan0
> up
> tunnel 1.1.1.1 2.2.2.2
> inet6 2001:db8::1/126
> vnetid 10
> ```
> While taking the interface up, I am getting the following error:
> ```
> border1# ifconfig vxlan0 up
> ifconfig: SIOCSIFFLAGS: Protocol not supported
> ```
> If someone has an idea, please let me know.
>
> Best regards
> Florian
>
>

-- 
Kindest regards,
Tom Smyth.


Re: OpenBGPD via (WG?) Tunnel Not Learning Routes

2022-07-12 Thread Tom Smyth
Hello Tobias,

Next hop validation (to make routes valid?) asks the question: is the next
hop reachable...

so if you look at the prefixes learned and the next hop... you may need
additional routes to make the next hop visible (via an Interior Routing
Protocol (OSPF / RIP / EIGRP) or static routes) ...
Tip: to add peering LANs / transit uplink LANs to OSPF, just add the network
to OSPF and set the interface to passive (it is the safest way)
(avoid redistribute connected if you can).
once the next hop is pingable in and of itself, then the routes that point
to the next hop should become valid..

I hope this helps,

Tom Smyth

On Wed, 13 Jul 2022 at 02:38, Tobias Fiebig <
tob...@reads-this-mailinglist.com> wrote:

> Heho,
> I am running OpenBGPd (on 7.1+binpatches), and have some tunnel links
> between hosts and up/downstreams over wg tunnels.
>
> I am basically wondering whether the behavior is known/normal and/or
> happened to others, or if it is worth it to setup a test-setup to properly
> debug the issue/document how it can be reproduced.
>
> Specifically, I noticed that bgpd will consider routes invalid which it
> learns over a (wg?) interface that was not there when bgpd was started; So,
> essentially:
>
> Start bgpd
> Create wireguard interface, configure IPs
> Adjust bgpd config to add new peer on that if.
> bgpctl reload
>
> -> Session with the peer comes up, bgpd sees the routes, but it lacks the
> 'valid' * flag.
>
> Restarting bgpd resolves this (but also lets all sessions flap).
>
> I did not see (or missed) something about this in the man page; The same
> issue seems to not occur with other Interfaces added later, e.g., vlan.
>
> With best regards,
> Tobias
>
>
>

-- 
Kindest regards,
Tom Smyth.


Re: httpd not reachable from outside

2022-06-22 Thread Tom Smyth
hi Adriano

can you just restart httpd with
rcctl restart httpd

did your ip addresses on external interface change ?


what are the loaded firewall rules?

Thanks

Tom Smyth



On Thu 23 Jun 2022, 00:05 Adriano Barbosa,  wrote:

> Hi.
>
> My httpd was working perfectly for the last 32 days and today I it
> doesnt respond anymore. Last change I made on this box was update
> nextcloud package, tested after the upgrade and it was working. The
> machine is running 7.1-stable.
>
> httpd responds on the machine itself with a curl localhost call, for
> example, but not from outside.
>
> nmap from outside returns
> PORTSTATESERVICE
> 80/tcp  filtered http
> 443/tcp filtered https
>
> httpd.conf is defined with
> listen on * port 80
> and
> listen on * tls port 443
>
> I remember it happening once and it solved after a machine reboot, but
> I dont have physical access to the machine for this week to enter
> bioctl password after the reboot and Im afraid to try a network
> restart by myself and lose access to the machine.
>
> Any ideas or suggestions on how to find the problem?
>
> Obrigado!
>
>


Hello Folks Im in Brussles for the evening if anyone wants to meet up

2022-06-17 Thread Tom Smyth
Hello Folks Im in Brussles for the evening if anyone wants to meet up



-- 
Kindest regards,
Tom Smyth.


Re: documentation

2022-05-24 Thread Tom Smyth
Hi Gustavo,

any manual pages that you wish to convert to PDF can be done with PDF

stuart@  had once recommended the following command for creating a nice pdf
manual of the PF firewall

man -T pdf pf.conf > pf.conf.pdf

Hope this helps

On Tue, 24 May 2022 at 16:54, Gustavo Rios  wrote:

> Hi folks,
>
> I would like to download a pdf version of the faq and pf guide for openbsd
> 7.1. May some one here point me where i could fetch the pdf documentation
> from ?
>
> Thanks a lot.
>
> --
> The lion and the tiger may be more powerful, but the wolves do not perform
> in the circus
>


-- 
Kindest regards,
Tom Smyth.


Re: Wireguard IP packets fragmentation issue

2022-05-17 Thread Tom Smyth
hello Stuart,
 sorry for the delay in replying

I think the issue in my ISP corner case was that clients were NATed
to public address pool X
while link IPs within the ISP network (the IPs that might send the ICMP
destination unreachable / fragmentation needed
messages) would be NATed to a different IP address, so PMTU discovery
inbound (behind the NAT) in that case didn't work.
(I think you are right re the possibility of a catch-all NAT being missed
for the private router links also would result in the PMTU
frag needed ICMP messages getting lost)

Re:
>My preference is to try and set things up as much as possible so that
>you don't get PMTU blackholes or have to fragment the tunnel packet,
>but also clamp mss so that even if you do hit a blackhole there's no
problem.
>There are some downsides to clamping MSS but they're relatively small
>and it's something done by almost every off-the-shelf home CPE so it's
>very very common on the internet.

Agreed on  the above...

I see a lot of 4G devices / networks clamping the hell out of TCP MSS in
the wild also, which can make TCP VPNs (SSTP,
TLS etc.) challenging, as you have to clamp the TCP MSS in
anticipation of an outer clamp on the TCP MSS

some tunnels do fragment gracefully (if you call doubling packets per
second on your VPN device graceful),
but performance takes a big hit;
in testing, even deliberately fragmenting packets (to send full frames
(layer 2) in tunnels or full packets in tunnels (layer 3)),
the benefit of being able to send the full packet over the fragmented
tunnel does not in any way increase perf...
and TCP MSS clamping gives the best throughput (in my experience) ...

Thanks again,
Tom Smyth





On Sun 15 May 2022, 21:02 Stuart Henderson, 
wrote:

> On 2022-05-15, Tom Smyth  wrote:
> > Hi Stuart,
> > I have huge regard for you and all you contribute to OpenBSD and the
> community
> > Im going to clarify what I meant and what my experience with PMTU and
> > constrained MTUs behind
> > NAT,
> > My humble  experience is that if we have a constrained MTU behind a NAT
> > Path MTU discovery from the server to the client  fails because
> >
> > [website]--- public IP MTU 1500 bytes --[firewall/Nat]
> > private network MTU 1492 bytes-client
> >
> > so while MTU discovery may work outbound...(from client to the website)
> >  the public website to the public IP has  no way to discover the
> > constrained PMTU behind the nat...
>
> There's no reason for this to fail? 1500 byte packet with DF set hits
> the firewall/nat box, route lookup, exit MTU is 1492, too big -> surely
> it just sends back frag needed?
>
> Even if you have a nat device with 1500 exit mtu and it then hits 1492
> mtu on another device, similar case but the original frag-needed is
> sourced from a private address so it gets natted on the way out.
>
> There could be some specific cases where things aren't setup to allow
> this to work but there's nothing in general to cause it to fail.
>
> The problem case is when you have router hops on private addresses
> where there is *no* nat in the path in which case icmp is generated
> from the private address but there's nithing ti translate it, so that
> case you do often lose the message due to "no martian" packet filtering.
>
> > This corner case was discovered when I setup My ISP initially and I
> > had not many IP addresses many moons ago
> > It would be rare for a client behind a NAT to have a smaller MTU than
> > their  public IP internet connection.
> >
> > Is my reasoning and analysis here correct ?
> >
> >
> > Regarding my comment
> >> PMTU cannot properly account for underlay restrictions Inside a VPN
> >
> > what I meant was, that if you set an  MTU of 1500 on a VPN Tunnel
> interface
> > but in sending 1500 Bytes in an IP packet across the tunnel it
> > requires a the VPN encapsulated Packet + a Fragment Packet to be sent
> > also, (on the underlay interface)
> > the Router on the VPN wont sent a Fragment needed IP message  to the
> > client because the MTU of the Tunnel was not exceeded
> > (but the MTU on the underlay was exceeded)
>
> This depends on the MTU stored in the route table entry used to send
> the packet over the vpn.
>
> With a separate tunnel interface the mtu on that interface and thus the
> route table can be set low enough that frag needed is sent.
>
> With standard flow-based IPsec the route used is normally the default
> route with either a standard ethernet MTU or a pppoe MTU. But if there's
> another route (route-based IPsec on OS which have this, or a
> dummyinterface such as is sometines used in combo with flow-based IPsec,
> for example a vether interface with

Re: Wireguard IP packets fragmentation issue

2022-05-15 Thread Tom Smyth
Hi Stuart,
I have huge regard for you and all you contribute to OpenBSD and the community
I'm going to clarify what I meant and what my experience with PMTU and
constrained MTUs behind
NAT is.
My humble experience is that if we have a constrained MTU behind a NAT,
Path MTU discovery from the server to the client fails because

[website]--- public IP MTU 1500 bytes --[firewall/Nat]
private network MTU 1492 bytes-client

so while MTU discovery may work outbound...(from client to the website)
 the public website to the public IP has  no way to discover the
constrained PMTU behind the nat...

This corner case was discovered when I setup My ISP initially and I
had not many IP addresses many moons ago
It would be rare for a client behind a NAT to have a smaller MTU than
their  public IP internet connection.

Is my reasoning and analysis here correct ?


Regarding my comment
> PMTU cannot properly account for underlay restrictions Inside a VPN

what I meant was, that if you set an  MTU of 1500 on a VPN Tunnel interface
but in sending 1500 Bytes in an IP packet across the tunnel it
requires a the VPN encapsulated Packet + a Fragment Packet to be sent
also, (on the underlay interface)
the Router on the VPN wont sent a Fragment needed IP message  to the
client because the MTU of the Tunnel was not exceeded
(but the MTU on the underlay was exceeded)


I hope the clarification helps and that I'm right, or at least that I
learn something new :)
Thanks
Tom Smyth








On Sun, 15 May 2022 at 19:37, Stuart Henderson
 wrote:
>
> On 2022-05-15, Tom Smyth  wrote:
> > IP fragments on internet are avoided generally through PMTU discovery (mtu 
> > path
> > discovery) but
> > PMTU does not work beyond a Nat (if a smaller MTU interface exists
> > behind a NAT then the smaller
> > MTU will not be discovered.
>
> That's not right, NAT doesn't break PMTU detection.
>
> > PMTU cannot properly account for underlay restrictions Inside a VPN
>
> Depends on the VPN type. For VPNs using a tunnel device (openvpn,
> WireGuard, gif/gre/l2tp etc, maybe route-based IPsec) then PMTU works
> like it would on another network type. Not normally for flow-based IPsec
> though as the MTU is taken from the route (but it can be made to work
> with a dummy interface covering the VPN range with a lower MTU set in
> it).
>
>


-- 
Kindest regards,
Tom Smyth.
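
Added example, not from any of the posts in this thread: the "increase ping -s until it breaks" exercise from the original post below, done as a binary search for the largest DF-marked payload that gets through, followed by the overhead arithmetic behind the tunnel MTU and TCP MSS clamp points made above. It assumes OpenBSD ping(8) flags (-D sets the DF bit) and WireGuard's fixed per-packet overhead (60 bytes over an IPv4 underlay, 80 over IPv6); the probe used in the demo is a constructed stand-in for a 1492-byte PPPoE path, not a real measurement.

```shell
#!/bin/sh
# Added example (not from the thread). Live probe: one ICMP echo with DF set.
# Assumes OpenBSD ping(8): -D = Don't Fragment, -w = seconds to wait.
# (Linux would be "ping -M do -c 1 -W 2 -s <payload> <host>".)
# Payload = MTU - 20 (IPv4 header) - 8 (ICMP header).
probe_df() {  # probe_df host payload_bytes
    ping -D -c 1 -w 2 -s "$2" "$1" >/dev/null 2>&1
}

# Binary-search the largest ICMP payload that passes with DF set.
# $4 names the probe function (default probe_df) so it can be swapped out.
find_max_payload() {  # find_max_payload host lo hi [probe]
    host=$1 lo=$2 hi=$3 probe=${4:-probe_df}
    best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$host" "$mid"; then
            best=$mid; lo=$(( mid + 1 ))     # fits: look higher
        else
            hi=$(( mid - 1 ))                # too big: look lower
        fi
    done
    echo "$best"
}

# ICMP payload -> path MTU (add back the 20-byte IPv4 and 8-byte ICMP headers).
payload_to_mtu() { echo $(( $1 + 28 )); }

# Largest inner IPv4 packet that will not fragment the outer WireGuard packet.
# Over IPv4: 20 IP + 8 UDP + 32 WireGuard (16 header + 16 auth tag) = 60.
# Over IPv6: 40 IP + 8 UDP + 32 WireGuard = 80.
wg_inner_mtu() {  # wg_inner_mtu underlay_mtu v4|v6
    case "$2" in
        v4) echo $(( $1 - 60 )) ;;
        v6) echo $(( $1 - 80 )) ;;
        *)  return 1 ;;
    esac
}

# TCP MSS to clamp to inside the tunnel: MTU - 20 (IPv4) - 20 (TCP).
tcp_mss_for_mtu() { echo $(( $1 - 40 )); }

# Constructed stand-in for a path that fragments above 1492 bytes (PPPoE):
# payloads above 1492 - 28 = 1464 "fail", everything else "passes".
fake_probe() { [ "$2" -le 1464 ]; }

main() {
    payload=$(find_max_payload example.invalid 0 1500 fake_probe)
    mtu=$(payload_to_mtu "$payload")
    inner=$(wg_inner_mtu "$mtu" v4)
    echo "largest DF payload:            $payload"
    echo "path MTU:                      $mtu"
    echo "WireGuard inner MTU (v4 path): $inner"
    echo "clamp TCP MSS in tunnel to:    $(tcp_mss_for_mtu "$inner")"
}
# Against a real peer, drop the fourth argument so probe_df (real ping) is used.
main
```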



Re: Wireguard IP packets fragmentation issue

2022-05-15 Thread Tom Smyth
Hello all,

one issue we have encountered with encapsulated packets is the IP
fragment packets that are created
when the would-be encapsulated packet would exceed the MTU of an
underlay interface.
on non-NATed networks with firewalls that behave themselves the
tunnels may work.
however, across the internet more often than not there will be some
problematic NAT / firewall implementations
that block these IP fragments.

a good way of diagnosing the issue with tunnels is to use
ping -s and gradually increase the ping packet size (inside the tunnel)
and do a packet capture on the underlay interface that is transmitting the
VPN encapsulated ping packets,

if this packet capture is done on the physical interface of the
devices at both ends of the tunnel
one can see if the IP fragments are getting through...

I found that this exercise was a good way of understanding how the
packets are encapsulated
in a given vpn protocol.  and discover the conditions where IP
fragments were being generated.

if IP fragments are blocked or dropped or routed asymmetrically
(packet ordering issues) then
they are likely to break. a great article on IP fragments and why they
suck so bad is here:
https://blog.cloudflare.com/ip-fragmentation-is-broken/

avoiding IP fragments:
IP fragments on internet are avoided generally through PMTU discovery (mtu path
discovery) but
PMTU does not work beyond a Nat (if a smaller MTU interface exists
behind a NAT then the smaller
MTU will not be discovered.
PMTU cannot properly account for underlay restrictions Inside a VPN


the TCP MSS resizing eliminates fragments for tunneled TCP Packets,
but the problem remains
for non TCP IP payloads,  by reducing MSS (and therefore the required
MTU to support a connection)
the need to generate IP Fragments is reduced,

Restricting the MTU of interfaces of internal devices that generate
a lot of non-TCP traffic
can reduce fragmentation across the VPN (it's horrible, I know)

the alternative is to set up the VPN so that it fragments gracefully.
OpenVPN for instance mitigates this IP fragment issue for UDP VPNs
by introducing UDP fragments, so
(packets less than half the UDP frag limit are sent as one packet)
larger packets are broken into 2 equal sized encapsulated packets and
transmitted,

these UDP fragmented VPN encapsulated packets have the benefit of having the
same source / destination IPs, ports and protocol (and are more
likely to be accepted
in firewall state tables) and have the same hash so they will be
routed / switched along the
same path (reducing packet ordering issues) (there is a disadvantage
of doubling PPS requirements
of your hardware)

bottom line
captures on physical interfaces sending and receiving encapsulated vpn Packets
at both sides of the vpn can help identify the IP fragment issue, and
then steps to avoid it
can be taken.

on my own network we try to avoid fragments by increasing the Physical
Interfaces MTU (underlay)
to ensure the overlay VPNS can send full sized packets . (but this is
difficult to achieve across the internet)


I hope this helps,

On Sun, 15 May 2022 at 07:03, Jason McIntyre  wrote:
>
> On Sat, May 14, 2022 at 09:14:36PM -, Stuart Henderson wrote:
> > On 2022-05-14, Georg Pfuetzenreuter  wrote:
> > > pppoe(4) already has a section on this, possibly this could be used as a
> > > start.
> >
> > It's not a great start really. Mixes up information about a method to
> > set the pppoe MTU to 1500 (RFC4638) and using scrub, doesn't describe
> > the problem (says "causing conflict" but this isn't very meaningful
> > or really correct), and points at nonexistent "more information on MTU,
> > MSS and NAT" as this isn't in pf.conf(5).
> >
> >
>
> hi.
>
> if there are issues in that text, feel free to suggest how to improve
> it.
>
> - mixing mtu to 1500 and scrub: well, both concern issues with mtu. why
>   wouldn't they be together in there?
>
> - "causing conflict": feel free to be more specific. it's not something
>   i have knowledge of
>
> - "more information in pf.conf": yes there is information in pf.conf on
>   mtu, mss, and nat, including the syntax for using them. again, why
>   wouldn't we point people there?
>
> i'm happy to try and rework the text if you think it can be improved.
>
> jmc
>


--
Kindest regards,
Tom Smyth.
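The check described in the post above (capture the encapsulated packets on the physical interfaces at both ends, see whether fragments appear, and work out the MTU/MSS budget that avoids them) as an added Python example. This is not code from the thread, from OpenBSD or from OpenVPN; the function names, the sample packet headers and the 80-byte encapsulation overhead are all constructed for the example, since a real VPN's overhead depends on its cipher and framing.

```python
"""Added example for the IP-fragment discussion above (not from the thread).

 - ipv4_fragment_info() decodes one IPv4 header (e.g. bytes pulled out of a
   tcpdump capture on the physical interface) and says whether it is a
   fragment, so captures at both ends of the tunnel can be compared.
 - fragment_summary() groups fragments by IP ident; a group with no last
   fragment is how a dropped fragment shows up in the far-end capture.
 - tunnel_budget() turns an underlay MTU and an encapsulation overhead into
   the largest inner packet that fits and the TCP MSS to clamp to.

The packet bytes and the overhead figure are constructed for the example.
"""
import struct

IPV4_MF = 0x2000           # more-fragments flag
IPV4_DF = 0x4000           # don't-fragment flag
IPV4_OFFSET_MASK = 0x1FFF  # fragment offset, in 8-byte units


def ipv4_fragment_info(pkt: bytes) -> dict:
    """Classify one captured IPv4 packet: whole packet, or first/middle/last fragment."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    mf = bool(flags_frag & IPV4_MF)
    offset = (flags_frag & IPV4_OFFSET_MASK) * 8   # convert to bytes
    return {
        "ident": ident,
        "proto": proto,
        "total_len": total_len,
        "df": bool(flags_frag & IPV4_DF),
        "offset": offset,
        "is_fragment": mf or offset > 0,
        "last_fragment": (not mf) and offset > 0,
    }


def build_ipv4_header(total_len: int, ident: int, flags_frag: int,
                      proto: int = 17) -> bytes:
    """Constructed IPv4 header used as test input (checksum left at zero;
    these bytes are only parsed, never sent). Addresses are documentation ranges."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                       64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))


def fragment_summary(packets) -> dict:
    """Count fragments in a capture and report idents whose last fragment never arrived."""
    groups = {}
    n_frag = 0
    for pkt in packets:
        info = ipv4_fragment_info(pkt)
        if info["is_fragment"]:
            n_frag += 1
            g = groups.setdefault(info["ident"], {"pieces": 0, "complete": False})
            g["pieces"] += 1
            if info["last_fragment"]:
                g["complete"] = True
    incomplete = sorted(i for i, g in groups.items() if not g["complete"])
    return {"packets": len(packets), "fragments": n_frag,
            "incomplete_idents": incomplete}


def tunnel_budget(underlay_mtu: int, encap_overhead: int) -> dict:
    """Largest inner IPv4 packet that fits in one underlay packet, and the MSS
    to clamp tunnelled TCP to (inner IPv4 + TCP headers of 20 bytes each)."""
    inner_mtu = underlay_mtu - encap_overhead
    return {"inner_mtu": inner_mtu, "max_mss": inner_mtu - 40}


# Constructed capture: one whole UDP datagram with DF set, a datagram that was
# fragmented into two pieces, and a first fragment whose tail never arrived.
SAMPLE_CAPTURE = [
    build_ipv4_header(328, 0x1001, IPV4_DF),          # whole packet
    build_ipv4_header(1500, 0x1002, IPV4_MF),         # fragment 1 of ident 0x1002
    build_ipv4_header(48, 0x1002, 1480 // 8),         # fragment 2, offset 1480, no MF
    build_ipv4_header(1500, 0x1003, IPV4_MF),         # fragment 1 of 0x1003, tail lost
]

if __name__ == "__main__":
    print(fragment_summary(SAMPLE_CAPTURE))
    # 1500-byte underlay carrying an assumed 80-byte encapsulation overhead
    print(tunnel_budget(1500, 80))
```

Feed the headers from a capture taken on the underlay interface at each end into fragment_summary(); an ident that is complete on the sending side but incomplete on the receiving side is the dropped-fragment case the post describes, and tunnel_budget() gives the MSS to clamp to (or the inner-interface MTU to set) so that the tunnel stops producing fragments in the first place.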



Re: calling all PFsync users for experience, gotchas, feedback, tips and tricks

2022-05-14 Thread Tom Smyth
Hello all,
Thanks for the feedback, it is really helpful to have people's
experiences in the wild to help feed into the training course content,
and certainly better than just my humble experience.
I really appreciate all of your feedback.

Thanks again folks,

Tom Smyth

On Fri, 13 May 2022 at 11:20, Stuart Henderson
 wrote:
>
> On 2022-05-13, Marko Cupać  wrote:
> > The only problem I currently have with pfsync is the fact that it does
> > not synchronise queue membership of states.
>
> IIRC this is meant to work but only if you have identical rulesets,
> after expanding interface addresses etc. This will require some care in
> constructing pf.conf - interface groups instead of interface names if
> nic hw is different - "(self)" or list the addresses of both firewalls
> instead of using "self" - avoid "antispoof".
>
>


-- 
Kindest regards,
Tom Smyth.



calling all PFsync users for experience, gotchas, feedback, tips and tricks

2022-05-11 Thread Tom Smyth
Hello Folks,

We are updating some course material for an upcoming PF firewall course,
and I would like to put a call out to those who use PFsync in a
redundant firewall cluster about your user experience. Have you come
across any edge cases? Have you any tips or tricks about PFsync?
Have you come across any edge cases / minor misconfigurations /
suboptimal configurations that caused problems? Were there some tweaks
you had to make to make your system scale?

It is likely that people who are running PFsync have more complicated
firewall configs,

and I would like to see what tuning other people have done in the field.

I would appreciate any feedback or problem descriptions (with or
without solutions).

What is the largest throughput firewall you deployed with PFsync? How
was your experience of running with PFsync vs without PFsync on your
firewall?

Thanks again,


-- 
Kindest regards,
Tom Smyth.



Re: time drift in OpenBSD in proxmox (qemu-kvm) guest

2022-04-15 Thread Tom Smyth
Hello Stuart,
What is the EFI / BIOS power management / CPU power management
performance setting set to?
If the CPU is throttled back (due to low usage) is that affecting the
time keeping?
It might be worth trying OS Controlled or Performance (as a test);
it may be set to power saving or balanced.

I hope this helps,
(and thanks for your patience with my previous impulsive (albeit
trying to help) replies earlier)

Tom Smyth

On Fri, 15 Apr 2022 at 11:12, Stuart Henderson
 wrote:
>
> On 2022-04-14, Stefan Sperling  wrote:
> > On Thu, Apr 14, 2022 at 09:26:41PM -, Stuart Henderson wrote:
> >> I have some OpenBSD guests in Proxmox VE 7.1-7 (pve-qemu-kvm_6.1.0) and
> >> seeing pretty bad clock drift (50 seconds in ~7h uptime). ntpd can't cope
> >> with it. From boot:
> >>
> >> 2022-04-14T13:58:19.844Z  ntpd[26996]: adjusting local clock by 1.745061s
> >> 2022-04-14T13:59:24.070Z  ntpd[26996]: adjusting local clock by 1.504470s
> >> 2022-04-14T14:03:51.176Z  ntpd[26996]: adjusting local clock by 2.430486s
> >> 2022-04-14T14:07:40.299Z  ntpd[26996]: adjusting local clock by 2.48s
> >> 2022-04-14T14:11:51.540Z  ntpd[26996]: adjusting local clock by 3.173884s
> >> 2022-04-14T14:15:03.534Z  ntpd[26996]: adjusting local clock by 3.109722s
> >> 2022-04-14T14:16:04.848Z  ntpd[26996]: adjusting local clock by 3.185755s
> >> 2022-04-14T14:17:40.286Z  ntpd[26996]: adjusting local clock by 3.575126s
> >> 2022-04-14T14:18:45.582Z  ntpd[26996]: adjusting local clock by 4.231518s
> >> 2022-04-14T14:22:27.618Z  ntpd[26996]: adjusting local clock by 4.231999s
> >> 2022-04-14T14:25:41.618Z  ntpd[26996]: adjusting local clock by 4.844904s
> >> 2022-04-14T14:29:58.888Z  ntpd[26996]: adjusting local clock by 4.451876s
> >> 2022-04-14T14:32:41.628Z  ntpd[26996]: adjusting local clock by 5.250357s
> >>
> >> etc. No difference whether qemu-ga is used or not. No difference between
> >> passing through the real cpu type (i.e. cpu=host, Ryzen 5650G in this case)
> >> and passing through as "common KVM processor". The guest does detect and
> >> use pvclock(4).
> >>
> >> $ sysctl kern.timecounter
> >> kern.timecounter.tick=1
> >> kern.timecounter.timestepwarnings=0
> >> kern.timecounter.hardware=pvclock0
> >> kern.timecounter.choice=i8254(0) pvclock0(1500) acpihpet0(1000) acpitimer0(1000)
> >>
> >> Anyone have ideas of things I could try that are less wrong than
> >> running rdate from cron? Thanks.
> >
> > I have a -current built-a-week-ago guest on stock Debian KVM, no problems
> > with time-keeping. It picks acpihpet as timecounter instead of pvclock:
> >
> > $ sysctl kern.timecounter
> > kern.timecounter.tick=1
> > kern.timecounter.timestepwarnings=0
> > kern.timecounter.hardware=acpihpet0
> > kern.timecounter.choice=i8254(0) pvclock0(500) acpihpet0(1000) acpitimer0(1000)
>
> Interesting - I would have expected the opposite. I've changed mine to
> acpihpet0 and it seems much happier. Your value of 500 indicates that the
> PVCLOCK_TSC_STABLE flag wasn't set by the host, I guess that's dependent
> on host cpu features.
>
> Summarising other responses:
>
> - Q35 vs i440FX emulated hw setting: no difference
> - AMD EPYC performance tuning guide: cpu load is pretty low, I think this
> is unlikely to be relevant
> - kvm_intel/parameters/preemption_timer: seems Intel-only and reports are
> that it's not needed for newer KVM
>
>


-- 
Kindest regards,
Tom Smyth.



Re: time drift in OpenBSD in proxmox (qemu-kvm) guest

2022-04-14 Thread Tom Smyth
apologies all
I missed (speed read) Stuart's mail...

I would have a look at the preemption timer for the host ...
check out the top of page 15 of this AMD manual...
http://developer.amd.com/wp-content/resources/56263-Performance-Tuning-Guidelines-PUB.pdf
I would try the two settings related to the preemption timer on the
Proxmox host

Sorry for bombing the list on this one ...


On Thu, 14 Apr 2022 at 22:54, Tom Smyth  wrote:
>
> Stuart,
> sorry I wasn't entirely clear in my last email
>
> 1) you can try the  /sys/module/kvm_intel/parameters/preemption_timer
>
> if the system is an Intel CPU based physical server
> 2) if you have an AMD system you may find the issue does not occur in that
> case
>
> 3) looking at the dmesg I see a KVM CPU in the VM config ... in
> proxmox you can set it to Host
> if the emulated KVM CPU is causing the issue with OpenBSD
> this is something to try and it may improve your system performance
> more generally (and hopefully
> help the times)
>
> Other people who have Proxmox 7.1 and have access to an AMD CPU based server
> if they can try running an OpenBSD VM on an AMD processor
> based server to compare (what I found in my experience with KVM and
> OpenBSD and Proxmox
> was the drift issue / console freeze only occurred on Intel based
> systems ... and the preemption_timer
> kernel setting in the Proxmox Linux kernel sorted it)
>
>
>
>
> On Thu, 14 Apr 2022 at 22:45, Tom Smyth  wrote:
> >
> > Stuart
> >
> > is your host on an Intel system?
> >
> > I had an awful time with Proxmox 5.0 and 5.1
> >
> > with clock drift and console freezes
> >
> > can you try to disable the following feature in the Proxmox host kernel
> >
> > /sys/module/kvm_intel/parameters/preemption_timer
> >
> > https://www.mail-archive.com/misc@openbsd.org/msg158768.html
> >
> >
> > You can try changing the CPU of the VM to Host (or the lowest generation
> > processor that is common to all your hosts in the cluster)
> > Better acceleration with a modern processor
> >
> > Hope this helps
> >
> >
> > On Thu, 14 Apr 2022 at 22:37, Stuart Henderson
> >  wrote:
> > >
> > > I have some OpenBSD guests in Proxmox VE 7.1-7 (pve-qemu-kvm_6.1.0) and
> > > seeing pretty bad clock drift (50 seconds in ~7h uptime). ntpd can't cope
> > > with it. From boot:
> > >
> > > 2022-04-14T13:58:19.844Z  ntpd[26996]: adjusting local clock by 1.745061s
> > > 2022-04-14T13:59:24.070Z  ntpd[26996]: adjusting local clock by 1.504470s
> > > 2022-04-14T14:03:51.176Z  ntpd[26996]: adjusting local clock by 2.430486s
> > > 2022-04-14T14:07:40.299Z  ntpd[26996]: adjusting local clock by 2.48s
> > > 2022-04-14T14:11:51.540Z  ntpd[26996]: adjusting local clock by 3.173884s
> > > 2022-04-14T14:15:03.534Z  ntpd[26996]: adjusting local clock by 3.109722s
> > > 2022-04-14T14:16:04.848Z  ntpd[26996]: adjusting local clock by 3.185755s
> > > 2022-04-14T14:17:40.286Z  ntpd[26996]: adjusting local clock by 3.575126s
> > > 2022-04-14T14:18:45.582Z  ntpd[26996]: adjusting local clock by 4.231518s
> > > 2022-04-14T14:22:27.618Z  ntpd[26996]: adjusting local clock by 4.231999s
> > > 2022-04-14T14:25:41.618Z  ntpd[26996]: adjusting local clock by 4.844904s
> > > 2022-04-14T14:29:58.888Z  ntpd[26996]: adjusting local clock by 4.451876s
> > > 2022-04-14T14:32:41.628Z  ntpd[26996]: adjusting local clock by 5.250357s
> > >
> > > etc. No difference whether qemu-ga is used or not. No difference between
> > > passing through the real cpu type (i.e. cpu=host, Ryzen 5650G in this case)
> > > and passing through as "common KVM processor". The guest does detect and
> > > use pvclock(4).
> > >
> > > $ sysctl kern.timecounter
> > > kern.timecounter.tick=1
> > > kern.timecounter.timestepwarnings=0
> > > kern.timecounter.hardware=pvclock0
> > > kern.timecounter.choice=i8254(0) pvclock0(1500) acpihpet0(1000) acpitimer0(1000)
> > >
> > > Anyone have ideas of things I could try that are less wrong than
> > > running rdate from cron? Thanks.
> > >
> > >
> > > OpenBSD 7.1 (GENERIC.MP) #463: Thu Apr  7 12:48:15 MDT 2022
> > > dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> > > real mem = 1056808960 (1007MB)
> > > avail mem = 1007554560 (960MB)
> > > random: good seed from bootblocks
> > > mpath0 at root
> > > scsibus0 at mpath0: 256 targets
> > > mainbus0 at root
> > > bios0 at mainbus0: 

Re: time drift in OpenBSD in proxmox (qemu-kvm) guest

2022-04-14 Thread Tom Smyth
I have an Intel based Proxmox 7.1 being built pre-production. I'll have
a go with it tomorrow and let you know

On Thu, 14 Apr 2022 at 22:54, Tom Smyth  wrote:
>
> Stuart,
> sorry I wasn't entirely clear in my last email
>
> 1) you can try the  /sys/module/kvm_intel/parameters/preemption_timer
>
> if the system is an Intel CPU based physical server
> 2) if you have an AMD system you may find the issue does not occur in that
> case
>
> 3) looking at the dmesg I see a KVM CPU in the VM config ... in
> proxmox you can set it to Host
> if the emulated KVM CPU is causing the issue with OpenBSD
> this is something to try and it may improve your system performance
> more generally (and hopefully
> help the times)
>
> Other people who have Proxmox 7.1 and have access to an AMD CPU based server
> if they can try running an OpenBSD VM on an AMD processor
> based server to compare (what I found in my experience with KVM and
> OpenBSD and Proxmox
> was the drift issue / console freeze only occurred on Intel based
> systems ... and the preemption_timer
> kernel setting in the Proxmox Linux kernel sorted it)
>
>
>
>
> On Thu, 14 Apr 2022 at 22:45, Tom Smyth  wrote:
> >
> > Stuart
> >
> > is your host on an Intel system?
> >
> > I had an awful time with Proxmox 5.0 and 5.1
> >
> > with clock drift and console freezes
> >
> > can you try to disable the following feature in the Proxmox host kernel
> >
> > /sys/module/kvm_intel/parameters/preemption_timer
> >
> > https://www.mail-archive.com/misc@openbsd.org/msg158768.html
> >
> >
> > You can try changing the CPU of the VM to Host (or the lowest generation
> > processor that is common to all your hosts in the cluster)
> > Better acceleration with a modern processor
> >
> > Hope this helps
> >
> >
> > On Thu, 14 Apr 2022 at 22:37, Stuart Henderson
> >  wrote:
> > >
> > > I have some OpenBSD guests in Proxmox VE 7.1-7 (pve-qemu-kvm_6.1.0) and
> > > seeing pretty bad clock drift (50 seconds in ~7h uptime). ntpd can't cope
> > > with it. From boot:
> > >
> > > 2022-04-14T13:58:19.844Z  ntpd[26996]: adjusting local clock by 1.745061s
> > > 2022-04-14T13:59:24.070Z  ntpd[26996]: adjusting local clock by 1.504470s
> > > 2022-04-14T14:03:51.176Z  ntpd[26996]: adjusting local clock by 2.430486s
> > > 2022-04-14T14:07:40.299Z  ntpd[26996]: adjusting local clock by 2.48s
> > > 2022-04-14T14:11:51.540Z  ntpd[26996]: adjusting local clock by 3.173884s
> > > 2022-04-14T14:15:03.534Z  ntpd[26996]: adjusting local clock by 3.109722s
> > > 2022-04-14T14:16:04.848Z  ntpd[26996]: adjusting local clock by 3.185755s
> > > 2022-04-14T14:17:40.286Z  ntpd[26996]: adjusting local clock by 3.575126s
> > > 2022-04-14T14:18:45.582Z  ntpd[26996]: adjusting local clock by 4.231518s
> > > 2022-04-14T14:22:27.618Z  ntpd[26996]: adjusting local clock by 4.231999s
> > > 2022-04-14T14:25:41.618Z  ntpd[26996]: adjusting local clock by 4.844904s
> > > 2022-04-14T14:29:58.888Z  ntpd[26996]: adjusting local clock by 4.451876s
> > > 2022-04-14T14:32:41.628Z  ntpd[26996]: adjusting local clock by 5.250357s
> > >
> > > etc. No difference whether qemu-ga is used or not. No difference between
> > > passing through the real cpu type (i.e. cpu=host, Ryzen 5650G in this case)
> > > and passing through as "common KVM processor". The guest does detect and
> > > use pvclock(4).
> > >
> > > $ sysctl kern.timecounter
> > > kern.timecounter.tick=1
> > > kern.timecounter.timestepwarnings=0
> > > kern.timecounter.hardware=pvclock0
> > > kern.timecounter.choice=i8254(0) pvclock0(1500) acpihpet0(1000) acpitimer0(1000)
> > >
> > > Anyone have ideas of things I could try that are less wrong than
> > > running rdate from cron? Thanks.
> > >
> > >
> > > OpenBSD 7.1 (GENERIC.MP) #463: Thu Apr  7 12:48:15 MDT 2022
> > > dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> > > real mem = 1056808960 (1007MB)
> > > avail mem = 1007554560 (960MB)
> > > random: good seed from bootblocks
> > > mpath0 at root
> > > scsibus0 at mpath0: 256 targets
> > > mainbus0 at root
> > > bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xf58e0 (9 entries)
> > > bios0: vendor SeaBIOS version "rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org" date 04/01/2014
> > > bios0: QEMU Standard PC (i440FX + PIIX, 1996)
> > > acpi0 at bios0: A

Re: time drift in OpenBSD in proxmox (qemu-kvm) guest

2022-04-14 Thread Tom Smyth
Stuart,
sorry I wasn't entirely clear in my last email

1) you can try the  /sys/module/kvm_intel/parameters/preemption_timer

if the system is an Intel CPU based physical server
2) if you have an AMD system you may find the issue does not occur in that case

3) looking at the dmesg I see a KVM CPU in the VM config ... in
proxmox you can set it to Host
if the emulated KVM CPU is causing the issue with OpenBSD
this is something to try and it may improve your system performance
more generally (and hopefully
help the times)

Other people who have Proxmox 7.1 and have access to an AMD CPU based server
if they can try running an OpenBSD VM on an AMD processor
based server to compare (what I found in my experience with KVM and
OpenBSD and Proxmox
was the drift issue / console freeze only occurred on Intel based
systems ... and the preemption_timer
kernel setting in the Proxmox Linux kernel sorted it)




On Thu, 14 Apr 2022 at 22:45, Tom Smyth  wrote:
>
> Stuart
>
> is your host on an Intel system?
>
> I had an awful time with Proxmox 5.0 and 5.1
>
> with clock drift and console freezes
>
> can you try to disable the following feature in the Proxmox host kernel
>
> /sys/module/kvm_intel/parameters/preemption_timer
>
> https://www.mail-archive.com/misc@openbsd.org/msg158768.html
>
>
> You can try changing the CPU of the VM to Host (or the lowest generation
> processor that is common to all your hosts in the cluster)
> Better acceleration with a modern processor
>
> Hope this helps
>
>
> On Thu, 14 Apr 2022 at 22:37, Stuart Henderson
>  wrote:
> >
> > I have some OpenBSD guests in Proxmox VE 7.1-7 (pve-qemu-kvm_6.1.0) and
> > seeing pretty bad clock drift (50 seconds in ~7h uptime). ntpd can't cope
> > with it. From boot:
> >
> > 2022-04-14T13:58:19.844Z  ntpd[26996]: adjusting local clock by 1.745061s
> > 2022-04-14T13:59:24.070Z  ntpd[26996]: adjusting local clock by 1.504470s
> > 2022-04-14T14:03:51.176Z  ntpd[26996]: adjusting local clock by 2.430486s
> > 2022-04-14T14:07:40.299Z  ntpd[26996]: adjusting local clock by 2.48s
> > 2022-04-14T14:11:51.540Z  ntpd[26996]: adjusting local clock by 3.173884s
> > 2022-04-14T14:15:03.534Z  ntpd[26996]: adjusting local clock by 3.109722s
> > 2022-04-14T14:16:04.848Z  ntpd[26996]: adjusting local clock by 3.185755s
> > 2022-04-14T14:17:40.286Z  ntpd[26996]: adjusting local clock by 3.575126s
> > 2022-04-14T14:18:45.582Z  ntpd[26996]: adjusting local clock by 4.231518s
> > 2022-04-14T14:22:27.618Z  ntpd[26996]: adjusting local clock by 4.231999s
> > 2022-04-14T14:25:41.618Z  ntpd[26996]: adjusting local clock by 4.844904s
> > 2022-04-14T14:29:58.888Z  ntpd[26996]: adjusting local clock by 4.451876s
> > 2022-04-14T14:32:41.628Z  ntpd[26996]: adjusting local clock by 5.250357s
> >
> > etc. No difference whether qemu-ga is used or not. No difference between
> > passing through the real cpu type (i.e. cpu=host, Ryzen 5650G in this case)
> > and passing through as "common KVM processor". The guest does detect and
> > use pvclock(4).
> >
> > $ sysctl kern.timecounter
> > kern.timecounter.tick=1
> > kern.timecounter.timestepwarnings=0
> > kern.timecounter.hardware=pvclock0
> > kern.timecounter.choice=i8254(0) pvclock0(1500) acpihpet0(1000) acpitimer0(1000)
> >
> > Anyone have ideas of things I could try that are less wrong than
> > running rdate from cron? Thanks.
> >
> >
> > OpenBSD 7.1 (GENERIC.MP) #463: Thu Apr  7 12:48:15 MDT 2022
> > dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> > real mem = 1056808960 (1007MB)
> > avail mem = 1007554560 (960MB)
> > random: good seed from bootblocks
> > mpath0 at root
> > scsibus0 at mpath0: 256 targets
> > mainbus0 at root
> > bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xf58e0 (9 entries)
> > bios0: vendor SeaBIOS version "rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org" date 04/01/2014
> > bios0: QEMU Standard PC (i440FX + PIIX, 1996)
> > acpi0 at bios0: ACPI 1.0
> > acpi0: sleep states S3 S4 S5
> > acpi0: tables DSDT FACP APIC SSDT HPET WAET
> > acpi0: wakeup devices
> > acpitimer0 at acpi0: 3579545 Hz, 24 bits
> > acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> > cpu0 at mainbus0: apid 0 (boot processor)
> > cpu0: Common KVM processor, 3892.54 MHz, 0f-06-01
> > cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,x2APIC,HV,NXE,LONG,LAHF,CMPLEG
> > cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache
> > cpu0: ITLB 255 4KB entries direct-

Re: time drift in OpenBSD in proxmox (qemu-kvm) guest

2022-04-14 Thread Tom Smyth
; acpicpu0 at acpi0: C1(@1 halt!)
> acpicpu1 at acpi0: C1(@1 halt!)
> pvbus0 at mainbus0: KVM
> pvclock0 at pvbus0
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
> pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
> pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
> pciide0: channel 0 disabled (no drives)
> atapiscsi0 at pciide0 channel 1 drive 0
> scsibus1 at atapiscsi0: 2 targets
> cd0 at scsibus1 targ 0 lun 0:  removable
> cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
> uhci0 at pci0 dev 1 function 2 "Intel 82371SB USB" rev 0x01: apic 0 int 11
> piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: apic 0 int 9
> iic0 at piixpm0
> vga1 at pci0 dev 2 function 0 "Bochs VGA" rev 0x02
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> virtio0 at pci0 dev 3 function 0 "Qumranet Virtio Memory Balloon" rev 0x00
> viomb0 at virtio0
> virtio0: apic 0 int 11
> virtio1 at pci0 dev 10 function 0 "Qumranet Virtio Storage" rev 0x00
> vioblk0 at virtio1
> scsibus2 at vioblk0: 1 targets
> sd0 at scsibus2 targ 0 lun 0: 
> sd0: 10240MB, 512 bytes/sector, 20971520 sectors
> virtio1: msix per-VQ
> virtio2 at pci0 dev 18 function 0 "Qumranet Virtio Network" rev 0x00
> vio0 at virtio2: address c6:e5:7f:4f:5e:cf
> virtio2: msix shared
> ppb0 at pci0 dev 30 function 0 "Red Hat Qemu PCI-PCI" rev 0x00
> pci1 at ppb0 bus 1
> ppb1 at pci0 dev 31 function 0 "Red Hat Qemu PCI-PCI" rev 0x00
> pci2 at ppb1 bus 2
> isa0 at pcib0
> isadma0 at isa0
> fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
> pckbc0 at isa0 port 0x60/5 irq 1 irq 12
> pckbd0 at pckbc0 (kbd slot)
> wskbd0 at pckbd0: console keyboard, using wsdisplay0
> pms0 at pckbc0 (aux slot)
> wsmouse0 at pms0 mux 0
> pcppi0 at isa0 port 0x61
> spkr0 at pcppi0
> usb0 at uhci0: USB revision 1.0
> uhub0 at usb0 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
> uhidev0 at uhub0 port 1 configuration 1 interface 0 "QEMU QEMU USB Tablet" rev 2.00/0.00 addr 2
> uhidev0: iclass 3/0
> ums0 at uhidev0: 3 buttons, Z dir
> wsmouse1 at ums0 mux 0
> vscsi0 at root
> scsibus3 at vscsi0: 256 targets
> softraid0 at root
> scsibus4 at softraid0: 256 targets
> root on sd0a (cf14a346fbf0559d.a) swap on sd0b dump on sd0b
> fd0 at fdc0 drive 1: density unknown
>
>
>


--
Kindest regards,
Tom Smyth.



Re: pf documentation

2022-04-07 Thread Tom Smyth
Steve,

if you like books ...
Peter Hansteen has written a book, The Book of PF,
which I have read and would recommend

https://nostarch.com/pf3

and if you are interested in firewalls in general and comparing features



On Thu, 7 Apr 2022 at 10:40, Tom Smyth  wrote:
>
> Hi Steve,
> I'm going to give my usual answer here
>
>
> Peter Hansteen and Max Stucchi have an amazing tutorial on PF
> https://home.nuug.no/~peter/pftutorial/#1
>
> but they explain the concepts really well
> I recommend the class that they do in person ..
>
> for the latest features about PF in the version of OpenBSD you are running ...
>
> man pfctl or man pf.conf will help you ...
>
> if you need an intro to the intro ...
> https://openbsdjumpstart.org by Wesley is pretty cool and gets you
> started on OpenBSD and PF
>
>
>
> Hope this helps,
>
> Tom Smyth
>
> On Thu, 7 Apr 2022 at 10:28, Brodey Dover  wrote:
> >
> > To be honest, I just used the handbook/FAQ.
> >
> > https://www.openbsd.org/faq/pf/example1.html
> >
> > Note that some grammar and syntax from Google search results will not work in newer versions of pf.
> >
> > Sent from my iPhone
> >
> > > On Apr 7, 2022, at 05:13, Steve Litt  wrote:
> > >
> > > Hi all,
> > >
> > > I need some easy beginner's pf documentation as well as some
> > > intermediate pf documentation. I plan to make an OpenBSD/pf firewall. I
> > > haven't done this in ten years, and imagine pf and the process of
> > > turning OpenBSD into a firewall have changed in that time.
> > >
> > > Thanks,
> > >
> > > SteveT
> > >
> > > Steve Litt
> > > March 2022 featured book: Making Mental Models: Advanced Edition
> > > http://www.troubleshooters.com/mmm
> > >
>
>
>
> --
> Kindest regards,
> Tom Smyth.



--
Kindest regards,
Tom Smyth.



Re: pf documentation

2022-04-07 Thread Tom Smyth
Hi Steve,
I'm going to give my usual answer here


Peter Hansteen and Max Stucchi have an amazing tutorial on PF
https://home.nuug.no/~peter/pftutorial/#1

but they explain the concepts really well
I recommend the class that they do in person ..

for the latest features about PF in the version of OpenBSD you are running ...

man pfctl or man pf.conf will help you ...

if you need an intro to the intro ...
https://openbsdjumpstart.org by Wesley is pretty cool and gets you
started on OpenBSD and PF



Hope this helps,

Tom Smyth

On Thu, 7 Apr 2022 at 10:28, Brodey Dover  wrote:
>
> To be honest, I just used the handbook/FAQ.
>
> https://www.openbsd.org/faq/pf/example1.html
>
> Note that some grammar and syntax from Google search results will not work in newer versions of pf.
>
> Sent from my iPhone
>
> > On Apr 7, 2022, at 05:13, Steve Litt  wrote:
> >
> > Hi all,
> >
> > I need some easy beginner's pf documentation as well as some
> > intermediate pf documentation. I plan to make an OpenBSD/pf firewall. I
> > haven't done this in ten years, and imagine pf and the process of
> > turning OpenBSD into a firewall have changed in that time.
> >
> > Thanks,
> >
> > SteveT
> >
> > Steve Litt
> > March 2022 featured book: Making Mental Models: Advanced Edition
> > http://www.troubleshooters.com/mmm
> >



-- 
Kindest regards,
Tom Smyth.



Re: TLS library problme: tlsv1 alert protocol

2022-04-06 Thread Tom Smyth
Hi Stephan,
at a guess I would say that there is no overlap between supported TLS
protocol versions and ciphers available on the client vs the server.
If your system is using a recent version of an OS and you are trying
to relay to an older legacy system, ideally ask the older system to
upgrade / enable higher ciphers, or you can be more permissive in your
TLS configuration...
I hope this is helpful

On Wed, 6 Apr 2022 at 23:32, Stephan Mending  wrote:
>
> Hi *,
> I've noticed on my mail relays that the TLS handshake with one certain email
> relay keeps failing. I was wondering what the reason for that may be.
>
> Following error from postfix:
>
> connect from mout.web.de[ IP ]:44003
> SSL_accept error from mout.web.de[ IP ]:44003: -1
> warning: TLS library problem: error:1404A42E:SSL routines:ST_ACCEPT:tlsv1 alert protocol version:/usr/src/lib/libssl/tls13_lib.c:150:
> lost connection after STARTTLS from mout.web.de
>
> Can anybody with more knowledge of libressl and its error messages tell by
> this error what is wrong?
>
> Best regards,
> Stephan
>


-- 
Kindest regards,
Tom Smyth.



Re: Changing rdomain on an interface after the rdomain has already been set openbsd7.0 / 7.1snapshots

2022-04-02 Thread Tom Smyth
Hey David, thanks for the reply, it makes more sense to me now ... Thanks again...
Tom Smyth

On Sat, 2 Apr 2022 at 04:11, David Gwynne  wrote:
>
> loopback interfaces are special and kind of end up representing an rdomain inside the kernel, which is where this restriction comes from.
>
> dlg
>
> > On 2 Apr 2022, at 09:36, Tom Smyth  wrote:
> >
> > Hello,
> >  I came across an issue that once an rdomain is set on a
> > loopback interface
> > you can't change it without destroying and re-creating the interface,
> > while it appears you can change a virtio network interface. Is this a
> > bug or a feature?
> >
> > tobsd# ifconfig lo3 create
> > tobsd# ifconfig lo3 rdomain 3
> > tobsd# ifconfig lo3 inet 127.0.0.1/8
> > tobsd# ifconfig lo3
> > lo3: flags=8049 rdomain 3 mtu 32768
> > index 5 priority 0 llprio 3
> > groups: lo
> > inet6 ::1 prefixlen 128
> > inet6 fe80::1%lo3 prefixlen 64 scopeid 0x5
> > inet 127.0.0.1 netmask 0xff00
> > tobsd# ifconfig lo3 rdomain 0
> > ifconfig: SIOCSIFRDOMAIN: Operation not permitted
> > tobsd# ifconfig
> >
> >
> > --
> > Kindest regards,
> > Tom Smyth.
> >
>


-- 
Kindest regards,
Tom Smyth.



Changing rdomain on an interface after the rdomain has already been set openbsd7.0 / 7.1snapshots

2022-04-01 Thread Tom Smyth
Hello,
  I came across an issue that once an rdomain is set on a
loopback interface
you can't change it without destroying and re-creating the interface,
while it appears you can change a virtio network interface. Is this a
bug or a feature?

tobsd# ifconfig lo3 create
tobsd# ifconfig lo3 rdomain 3
tobsd# ifconfig lo3 inet 127.0.0.1/8
tobsd# ifconfig lo3
lo3: flags=8049 rdomain 3 mtu 32768
index 5 priority 0 llprio 3
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo3 prefixlen 64 scopeid 0x5
inet 127.0.0.1 netmask 0xff00
tobsd# ifconfig lo3 rdomain 0
ifconfig: SIOCSIFRDOMAIN: Operation not permitted
tobsd# ifconfig


-- 
Kindest regards,
Tom Smyth.



Re: issue with move to php8 as default

2022-03-28 Thread Tom Smyth
Hi ITwrx

you will need to check your rc.conf.local and update it to start up the
php8.0 fpm

it is possible (I'm not saying it is recommended) to run
different versions of php fpm (with different socket files)
for different applications on the same server ...
but it sounds like you just need to remove the php7.4 fpm line in your
rc.conf.local and replace it with a line that would start up your php8 fpm

I hope this helps,



On Mon, 28 Mar 2022 at 20:10, ITwrx  wrote:

> I'm running php7.4 and php8 at the same time on an OpenBSD 7.0 machine
> i'm testing as a web server. I'm pretty sure they were both starting up
> fine until yesterday (it's been a while) after i updated with pkg_add -u
> and syspatch. Now, php8 fails to start with:
>
> ERROR: Another FPM instance seems to already listen on
> /var/www/run/php-fpm.sock
> ERROR: FPM initialization failed
>
> This seems to be due to the fact that php8.0 became the new default,
> but it looks like php74 is still trying to use php-fpm.sock instead of
> php-fpm74.sock, or whatever it's supposed to be called once it's not
> the default anymore.
>
> Am i missing something, or is this a bug? If the latter, is this email
> sufficient to get it looked at, or i would need to report it more
> formally?
>
> Thanks,
> ITwrx
>
>

-- 
Kindest regards,
Tom Smyth.


Re: Advice for hardening a PHP webserver on OpenBSD

2022-03-09 Thread Tom Smyth
Hi,
Owasp has some cheat sheets for hardening PHP configurations,

https://cheatsheetseries.owasp.org/cheatsheets/PHP_Configuration_Cheat_Sheet.html

you can combine it with httpd, which would run the php app and website
inside a chroot jail,

you can also review the php application for the functions that it uses and
then disable any functions not required by the php application
(care needs to be taken with obfuscated / encoded website applications)

you can also restrict the extensions that you don't need to reduce the
attack surface..

You can also do limits on the sizes of post / upload size (whether they are
needed or not) ..

you can also restrict HTTP methods (for instance in a CMS site that doesn't
require updates / login publicly, and allow posts from specific IPs)


I hope this helps




On Thu, 10 Mar 2022 at 00:17,  wrote:

> Hi all,
>
> I have done a lot of coding in PHP over the years, but have only
> recently had a chance to look deeper into the language in order to look
> at some of the C coding and see how security and bugs are handled. Of
> course this has been very eye opening and I am shocked at how many
> confirmed security bugs just stay dormant without being fixed for
> more than a decade. This seems to mainly be because PHP is such a huge
> pile of crap mixed together. In several cases the developers simply
> cannot see how a serious security bug can be fixed because it will
> cause a cascade of problems elsewhere - so they leave it. Then when you
> do coding in PHP, you have to be an expert in "PHP problems" in order
> to avoid all of that.
>
> I'm considering abandoning all future work with PHP and perhaps only doing
> projects in Go instead, but I haven't had the time to compare how
> seriously security is taken in Go. I would suspect a lot better (simpler
> language, daily usage by Google and many other big companies,
> involvement of Ken, Rob, and others), but that is just assumptions. Any
> advice on that?
>
> I know how OpenBSD chroots the webserver and thereby PHP too, but I
> need advice on how to harden a PHP server further. I only run
> production servers on OpenBSD.
>
> On a higher level there is "disable_functions" and "disable_classes",
> an internal feature of PHP, but it's a blacklist, and PHP has about a
> gazillion functions. Furthermore, it doesn't make a lot of sense to me
> since it's possible to use even basic functions such as "require" or
> "include", for remote code execution in the form of local file include
> and remote file include vulnerabilities. If you need to disable all the
> dangerous functions, you can hardly use PHP. And then.. it's on the PHP
> level, sooo. But maybe every little bit counts?
>
> Anyway, what are you guys doing if you're running PHP in production on
> OpenBSD? Besides NOT running PHP in production at all.
>
> Kindest regards.
>
> --
>  Sent with Tutanota, the secure & ad-free mailbox.
>


-- 
Kindest regards,
Tom Smyth.
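The hardening points in the reply above (disable functions the application does not use, limit post / upload sizes, review loaded extensions) and the remote file include concern in the question can be checked mechanically against a php.ini. The script below is an added example, not code from the thread or from OpenBSD; both ini fragments are constructed samples and the size caps are assumptions.

```python
"""Audit a php.ini against the hardening points raised in this thread.

Added example, not code from the thread or from OpenBSD.  The two ini
fragments are constructed samples, and the size caps are assumptions.
"""
import re

# Assumed upper bounds for the "limit post / upload size" advice.
MAX_POST_BYTES = 8 * 1024 * 1024
MAX_UPLOAD_BYTES = 2 * 1024 * 1024

_SIZE_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

# Constructed sample: a permissive configuration.
WEAK_INI = """
[PHP]
expose_php = On
display_errors = On
allow_url_include = On      ; lets include/require fetch code over HTTP
disable_functions =
post_max_size = 64M
upload_max_filesize = 32M
file_uploads = On
extension=curl
extension=gd
"""

# Constructed sample: the same file after applying the advice above.
HARDENED_INI = """
[PHP]
expose_php = Off
display_errors = Off
allow_url_include = Off
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
post_max_size = 2M
upload_max_filesize = 1M
file_uploads = Off
"""


def parse_php_ini(text: str) -> dict:
    """Parse 'key = value' lines; repeated 'extension=' lines are collected in a list."""
    settings, extensions = {}, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "extension":
            extensions.append(value.strip('"'))
        else:
            settings[key.lower()] = value.strip('"')
    settings["extension"] = extensions
    return settings


def php_size_to_bytes(value: str) -> int:
    """Convert PHP shorthand sizes such as '8M' or '512K' to bytes."""
    m = re.fullmatch(r"(\d+)([KMGkmg]?)", value.strip())
    if not m:
        raise ValueError(f"unparseable size: {value!r}")
    return int(m.group(1)) * _SIZE_UNITS[m.group(2).upper()]


def is_on(value: str) -> bool:
    return value.strip().lower() in ("1", "on", "yes", "true")


def audit_php_ini(text: str) -> list:
    """Return (setting, problem) findings; an empty list means every check passed.

    Missing keys fall back to PHP's built-in defaults (expose_php, display_errors
    and file_uploads on, allow_url_include off)."""
    cfg = parse_php_ini(text)
    findings = []
    if not cfg.get("disable_functions", ""):
        findings.append(("disable_functions", "empty: no functions are disabled"))
    if is_on(cfg.get("allow_url_include", "0")):
        findings.append(("allow_url_include", "On: include/require can load remote code"))
    if is_on(cfg.get("expose_php", "1")):
        findings.append(("expose_php", "On: PHP version is advertised to clients"))
    if is_on(cfg.get("display_errors", "1")):
        findings.append(("display_errors", "On: error detail is shown to clients"))
    for key, cap in (("post_max_size", MAX_POST_BYTES),
                     ("upload_max_filesize", MAX_UPLOAD_BYTES)):
        if key in cfg and php_size_to_bytes(cfg[key]) > cap:
            findings.append((key, f"{cfg[key]} exceeds the assumed cap of {cap} bytes"))
    if is_on(cfg.get("file_uploads", "1")) and "upload_max_filesize" not in cfg:
        findings.append(("file_uploads", "On without an explicit upload_max_filesize"))
    # Every loaded extension is attack surface: list each so it can be justified.
    for ext in cfg["extension"]:
        findings.append(("extension", f"{ext} is loaded: confirm the application needs it"))
    return findings


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"{name}: {len(audit_php_ini(ini))} finding(s)")
        for setting, problem in audit_php_ini(ini):
            print(f"  {setting}: {problem}")
```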


Re: shells/nsh network shells, feedback and comments requested,

2022-02-20 Thread Tom Smyth
Hello all, just following up on this as a call out to anyone who uses nsh
or has used it in the past,

if you have any feedback / suggestions I would really appreciate that,

Thanks
Tom Smyth

On Sun, 18 Apr 2021 at 13:31, Tom Smyth 
wrote:

> Hello,
>
> If anyone has used shells/nsh (past or present)
>  or has any ideas, opinions on it and its usability,
> bug reports or questions can you let me know
> (on or off list I don't mind).
>
> I'm particularly interested in configuration limitations
> you came across (where you couldn't do something
> in NSH that you can do in base).
>
> We will be working on it  to track  current, and hopefully
> 7.0 release.
>
> Thanks
> Tom Smyth
>


-- 
Kindest regards,
Tom Smyth.


Re: NSD: Could not tcp connect to X Operation timed out

2022-01-19 Thread Tom Smyth
is pf allowing tcp port 53 as well as udp port 53?

On Wed 19 Jan 2022, 11:46 Laura Smith, 
wrote:

> Hi
>
> OpenBSD NSD slave is driving me nuts with the following message in the
> logs "Could not tcp connect to X Operation timed out".
>
> The answer sounds obvious, but I can:
>
> - Ping the IP
> - Do a "dig @$auth_server_ip $auth_domain"
>
> Both respond normally.
>
> What am I missing here? Connectivity clearly works? PF is clearly not
> dropping inbound port 53 on the master?
>
> Thanks
>
> Laura
>
>


Re: Error on xenocara.tar.gz extraction

2022-01-13 Thread Tom Smyth
I think you need to do it as root or configure doas to perform the privileged
operation...



On Thu 13 Jan 2022, 17:26 Rob Whitlock,  wrote:

> Attempting to extract xenocara.tar.gz while avoiding root privileges as
> described here https://www.openbsd.org/faq/faq5.html#wsrc, I ran into an
> error, shown below:
>
> 0 thinkpad$ pwd
> /usr/xenocara
> 0 thinkpad$ ls -a
>
> .  ..
> 0 thinkpad$ tar xzf /home/rob/openbsd_files/7.0/xenocara.tar.gz
>
> tar: Access/modification time set failed on: .: Operation not permitted
> 1 thinkpad$ ls -a
> .          3RDPARTY   Makefile   data       doc        font       share
> ..         CVS        README     dist       driver     lib        util
> .gitignore MODULES    app        distrib    etc        proto      xserver
> 0 thinkpad$ cd ..
> 0 thinkpad$ ls -ld xenocara
> drwxrwxr-x  16 root   wsrc   512 Jan 12 21:43 xenocara
> 0 thinkpad$ id
> uid=1001(rob) gid=1001 groups=1001, 0(wheel), 9(wsrc)
> 0 thinkpad$
>
> Running ktrace on tar shows that tar is trying to set the mtime of ., which
> corresponds to /usr/xenocara, with the function futimens, which fails.
> According to the man page for futimens, if the times argument is non-NULL,
> which is the case here, then the caller must be the owner of the file or
> the superuser. For an unprivileged user, this is not the case, as, although
> /usr/xenocara has group wsrc, it has owner root.
>
> Running tar tzf xenocara.tar.gz shows an entry for . which seems to be
> causing this problem. If you instead run tar xzf xenocara.tar.gz -s
> '/^\.$//' to omit only the . entry when extracting, there is no more error.
> There is a side effect to adding this -s option, which is that
> /usr/xenocara's mtime gets updated to the time the tarball extraction took
> place, as opposed to the time that was recorded for . in the tarball. I
> don't know whether updating /usr/xenocara to the mtime that was recorded in
> the tarball was intentional behavior or not.
>
> If updating the mtime of /usr/xenocara was not intentional behavior, it
> would seem to me that the fix for this problem would be to not include the
> . directory when making the tarball xenocara.tar.gz. I was unable to locate
> any code that was responsible for creating xenocara.tar.gz so I have not
> included a diff. If anybody could tell me where that code is then that
> would be appreciated.
>
> As another issue, extracting ports.tar.gz as a non-privileged user in /usr,
> as described in the document whose address is given above, results in
> failure due to lack of permission, as a normal user does not have access to
> create the /usr/ports directory.
>
> I am running a snapshot of OpenBSD 7.0 that is only a few days old.
>


Re: Help with basic pf rule to open port 25

2022-01-05 Thread Tom Smyth
Hi Sean,

Happy new year to you,

do a netstat and make sure that your software is listening on an address
other than loopback or all addresses (0.0.0.0)
run the following command

netstat -an

If you want to check active rules in pf, run the following command

pfctl -sr

if you ever want to check your rules (in a recently edited pf.conf file)
run
pfctl -nvvvf /etc/pf.conf

if the rules returned match what you wish ..then you can commit / load them
by running

pfctl -vvvf /etc/pf.conf

(each v increases verbosity )

Peter Hansteen and Max Stucchi have an amazing tutorial on PF
https://home.nuug.no/~peter/pftutorial/#1
but they explain the concepts really well
I recommend the class that they do in person ..

for the latest features about PF in the version of OpenBSD you are running
...

man pfctl or man pf.conf will help you ...

I hope this helps and enjoy the journey in OpenBSD ... It is awesome ...
Tom Smyth




On Wed, 5 Jan 2022 at 16:09, Sean McBride  wrote:

> Hi all,
>
> (Newbie and first time poster, please be gentle :))
>
> I'm trying to set up spamd, and I think I'm having trouble with pf.  So
> I tried to add a very basic test rule.  I added to the beginning of
> /etc/pf.conf the following:
>
> pass in log quick on egress proto tcp to any port smtp
>
> then rebooted (for luck).  If on the OpenBSD system itself I do `telnet
> localhost 25` I see the built-in OpenSMTPD.  But if I telnet from
> another machine on my LAN, I fail to connect.  Shouldn't that rule have
> opened port 25?
>
> Thanks,
>
> Sean
>


-- 
Kindest regards,
Tom Smyth.


Re: Recommendations on Buffer Space for Busy Unbound Resolver Service for a network

2021-12-22 Thread Tom Smyth
Thanks Stuart,

A year or two ago I set the following  sysctl which did help,
fdns1# cat /etc/sysctl.conf
net.inet.udp.recvspace=262144
net.inet.udp.sendspace=262144

Thanks for the tip re diagnosing the UDP buffers, the output of the command you
suggested looks good from a buffer perspective...

The server has been running a few hours

fdns1# netstat -s -p udp
udp:
32820423 datagrams received
0 with incomplete header
0 with bad data length field
7 with bad checksum
133788 with no checksum
32686635 input packets software-checksummed
0 output packets software-checksummed
40699 dropped due to no socket
13873 broadcast/multicast datagrams dropped due to no socket
0 dropped due to missing IPsec protection
0 dropped due to full socket buffers
32765844 delivered
32913599 datagrams output
24008710 missed PCB cache

Thanks again, Really appreciate your

Tom Smyth

On Wed, 22 Dec 2021 at 11:26, Stuart Henderson 
wrote:

> On 2021-12-22, Dirk Coetzee  wrote:
> > Hi Tom,
> >
> > I would recommend debugging using "unbound-control stats_noreset" and
> referencing the unbound configuration documentation at
> https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/
>
> Also check for "dropped due to full socket buffers" in netstat -s -p udp,
> some have reported needing to raise net.inet.udp.*space sysctls.
>
> You might also consider front-ending with dnsdist. As well as answering hot
> requests very quickly, that could also simplify things for maintenance.
>
> > On Tue, 21 Dec 2021 at 21:15, Tom Smyth 
> > wrote:
> >
> >> Recommendations on Buffer Space for Busy Unbound Resolver Service for
> >> a network serving a  3000, customers
>
>
> --
> Please keep replies on the mailing list.
>
>

-- 
Kindest regards,
Tom Smyth.
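Stuart's advice above is to watch "dropped due to full socket buffers" in netstat -s -p udp and raise the net.inet.udp.*space sysctls if it grows. Since those counters are cumulative since boot, what matters is the growth between two samples; the script below compares two snapshots and is an added example, not code from the thread or from OpenBSD. NETSTAT_BEFORE is the output quoted in the message above; NETSTAT_AFTER is constructed from it.

```python
"""Compare two `netstat -s -p udp` snapshots for socket-buffer drops.

Added example, not code from the thread or from OpenBSD.  NETSTAT_BEFORE is
the output quoted in the message above; NETSTAT_AFTER is constructed from it
with two counters bumped, standing in for a second sample taken later.
"""
import re

# Counter names as netstat -s -p udp prints them.
RECEIVED = "datagrams received"
FULL_BUFFERS = "dropped due to full socket buffers"

NETSTAT_BEFORE = """udp:
\t32820423 datagrams received
\t0 with incomplete header
\t0 with bad data length field
\t7 with bad checksum
\t133788 with no checksum
\t32686635 input packets software-checksummed
\t0 output packets software-checksummed
\t40699 dropped due to no socket
\t13873 broadcast/multicast datagrams dropped due to no socket
\t0 dropped due to missing IPsec protection
\t0 dropped due to full socket buffers
\t32765844 delivered
\t32913599 datagrams output
\t24008710 missed PCB cache
"""


def parse_udp_stats(text: str) -> dict:
    """Map each '<count> <description>' line to {description: count}."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.+?)\s*$", line)
        if m:
            stats[m.group(2)] = int(m.group(1))
    return stats


def _bump(text: str, name: str, by: int) -> str:
    """Construct a later snapshot by adding `by` to the counter called `name`."""
    return re.sub(rf"(\d+) {re.escape(name)}",
                  lambda m: f"{int(m.group(1)) + by} {name}", text)


# Constructed second sample: half a million more datagrams, 1200 of them dropped.
NETSTAT_AFTER = _bump(_bump(NETSTAT_BEFORE, RECEIVED, 500_000), FULL_BUFFERS, 1_200)


def assess_udp_buffers(before_text: str, after_text: str, recvspace: int) -> dict:
    """Report full-buffer drops between two snapshots.

    The counters are cumulative since boot, so only the growth between samples
    says anything about the current load.  `recvspace` is the current
    net.inet.udp.recvspace value, quoted back in the verdict."""
    before, after = parse_udp_stats(before_text), parse_udp_stats(after_text)
    received = after[RECEIVED] - before[RECEIVED]
    dropped = after.get(FULL_BUFFERS, 0) - before.get(FULL_BUFFERS, 0)
    ratio = dropped / received if received else 0.0
    if dropped == 0:
        verdict = "ok: no datagrams dropped for lack of socket buffer space"
    else:
        verdict = (f"raise net.inet.udp.recvspace (currently {recvspace}): "
                   f"{dropped} of {received} datagrams dropped ({ratio:.4%})")
    return {"received": received, "full_buffer_drops": dropped,
            "drop_ratio": ratio, "verdict": verdict}


if __name__ == "__main__":
    print(assess_udp_buffers(NETSTAT_BEFORE, NETSTAT_AFTER, 262144)["verdict"])
```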


Re: Recommendations on Buffer Space for Busy Unbound Resolver Service for a network

2021-12-21 Thread Tom Smyth
Thanks Dirk, I'll give that a go

Cheers,

Tom Smyth

On Wed, 22 Dec 2021 at 00:30, Dirk Coetzee  wrote:

> Hi Tom,
>
> I would recommend debugging using "unbound-control stats_noreset" and
> referencing the unbound configuration documentation at
> https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/
>
>
>
> -Original Message-
> From: owner-m...@openbsd.org  On Behalf Of Tom
> Smyth
> Sent: Wednesday, 22 December 2021 5:25 AM
> To: Misc 
> Subject: Re: Recommendations on Buffer Space for Busy Unbound Resolver
> Service for a network
>
> Sorry, forgot to say, running OpenBSD on an amd64, and hosted in a KVM
> environment, Thanks
>
> Tom Smyth
>
>
>
>
> On Tue, 21 Dec 2021 at 21:15, Tom Smyth 
> wrote:
>
> > Recommendations on Buffer Space for Busy Unbound Resolver Service for
> > a network serving a  3000, customers
> >
> > Thanks
> >
> > --
> > Kindest regards,
> > Tom Smyth.
> >
>
>
> --
> Kindest regards,
> Tom Smyth.
>


-- 
Kindest regards,
Tom Smyth.


Re: Recommendations on Buffer Space for Busy Unbound Resolver Service for a network

2021-12-21 Thread Tom Smyth
Sorry, forgot to say, running OpenBSD on an amd64, and hosted in a KVM
environment,
Thanks

Tom Smyth




On Tue, 21 Dec 2021 at 21:15, Tom Smyth 
wrote:

> Recommendations on Buffer Space for Busy Unbound Resolver Service for a
> network serving a  3000, customers
>
> Thanks
>
> --
> Kindest regards,
> Tom Smyth.
>


-- 
Kindest regards,
Tom Smyth.


Recommendations on Buffer Space for Busy Unbound Resolver Service for a network

2021-12-21 Thread Tom Smyth
Recommendations on Buffer Space for Busy Unbound Resolver Service for a
network serving a  3000, customers

Thanks

-- 
Kindest regards,
Tom Smyth.


Radiusd anyone know of a Simple to use web front end for usermanagement ?

2021-09-22 Thread Tom Smyth
Hi All,

I was wondering is there a front end web interface out there for radiusd
(for the uninducted users who wouldn't be comfortable with the command line)
I would rather use radiusd than freeradius alternatives ... perhaps I'm
missing something in the man pages

any tips / tricks would be welcome

thanks



-- 
Kindest regards,
Tom Smyth.


Re: ipsec with default route and routing of internal networks

2021-09-13 Thread Tom Smyth
Can you do an exception for the ranges ... (so internet - private IPs you
don't want over the tunnel)

ike esp from 10.90.0.0/24 to any encrypt
and

 10.90.0.0/24 to NOT [networks you don't want over the tunnel] ?

On Mon, 13 Sept 2021 at 13:02, Hrvoje Popovski  wrote:

> Hi,
>
> On 13.9.2021. 12:58, Tom Smyth wrote:
> > Hi Hrvoje,
> >
> > is 10.90.0.0/24 local to your firewall, and if I
> > understand your rule,
> > ike esp from 10.90.0.0/24 to any you are
> saying
> > encrypt all traffic coming from 10.90.0.0/24
> >
> > should the tunnel be more specific ? like
> >
> > from 10.90.0.0/24 to another network across the
> > tunnel
> >
>
> 10.90/24 is my local internal network, as are other networks (10.91/24,
> 10.92/24).
> I need "ike esp from 10.90.0.0/24 to any"... because hosts on that
> network need to go out to internet over ipsec tunnel ... but at the same
> time hosts in that 10.90/24 network need to communicate to other
> internal networks...
>


-- 
Kindest regards,
Tom Smyth.


Re: ipsec with default route and routing of internal networks

2021-09-13 Thread Tom Smyth
Hi Hrvoje,

is 10.90.0.0/24 local to your firewall, and if I understand your rule,
ike esp from 10.90.0.0/24 to any you are saying
encrypt all traffic coming from 10.90.0.0/24

should the tunnel be more specific ? like

from 10.90.0.0/24 to another network across the tunnel

ike esp from 10.90.0.0/24 to {list of private network ranges that are
across the tunnel}

(remove any and replace with specific subnets to be routed across the IPsec
tunnel)

without a diagram I can't help much more...


On Mon, 13 Sept 2021 at 11:36, Hrvoje Popovski  wrote:

> Hi all,
>
> I have a firewall that routes a few internal networks, 10.90/24, 10.91/24,
> 10.92/24. And I have some static routes to other firewalls, but I don't
> think that is relevant to this problem.
>
> For network 10.90/24 I have an ipsec tunnel, and I need to push any traffic
> from that network to the internet, but not to local networks,
> over that ipsec tunnel.
>
> something like this:
> ike esp from 10.90.0.0/24 to any
>
> I thought that the routing table would take care of that, but it seems
> that when the ipsec tunnel is up, I can't connect from local networks
> (10.91/24, 10.92/24) to 10.90/24 and I can't even ping hosts on the
> 10.90/24 network ...
> something like this ping -I 10.90.0.1 10.90.0.8 ...
> traffic from 10.90/24 to the internet is working just fine ..
>
> I need to make network 10.90/24 reachable to all local networks.
> Could someone please point me in the right direction on what to look and
> configure?
>
> Thank you ..
>
>

-- 
Kindest regards,
Tom Smyth.


Re: DNS resolution after VPN?

2021-07-20 Thread Tom Smyth
and make sure there is a route to your internal DNS servers
over the VPNs
or
a policy that covers the DNS servers' IP range if it is an IPsec
policy based VPN

Hope this helps

On Tue, 20 Jul 2021 at 13:15, Timo Myyrä  wrote:
>
> Stuart Henderson  [2021-07-20, 11:24 +]:
>
> > On 2021-07-20, Timo Myyrä  wrote:
> >
> >> Hi,
> >>
> >> Just started testing the new dhcpleased,resolvd stuff and noticed that
> >> DNS resolution won't work correctly once I open my VPN connection. Name
> >> resolution works for external domains but not for the internal domains
> >> resolved by the internal DNS servers.
> >>
> >> I'm using openconnect to setup VPN tunnel and it runs the
> >> /etc/vpnc-script to setup networking after initing the tunnel. This
> >> script adds the nameserver entries into /etc/resolv.conf.
> >> But these entries in /etc/resolv.conf are done below following line:
> >> nameserver 127.0.0.1 # resolvd: unwind
> >>
> >> This means the unwind is handling the DNS query passing and it doesn't
> >> seem to notice the DNS server entries given by openconnect.
> >>
> >> What would be a good method to get DNS resolution working after running
> >> openconnect? I'd like to prepend the DNS servers from VPN connection so
> >> they are queried first, then fallback to other servers.
> >>
> >> Timo
> >>
> >>
> >
> > Untested but I would use unwind and try something like
> >
> > forwarder 
> > preference recursor oDoT-dhcp dhcp stub
> > force forwarder {vpndomain.com}
> >
> > For the forwarder address you might be able to statically configure
> > it, if not then you could modify vpnc-script to have it update the
> > address in unwind.conf and reload it.
>
> Thanks, this works somewhat:
>
> forwarder { $ip1 $ip2 }
> force accept bogus forwarder { $internal_domain1 }
> force accept bogus forwarder { $internal_domain2 }
> ...
>
> A bit cumbersome to list all internal domains but there shouldn't be
> that many of them in day-to-day use.
> The DNS server IPs are pretty much static so manually adjusting the
> unwind.conf is doable.
>
> Timo
>


-- 
Kindest regards,
Tom Smyth.



Re: fighting amplification attack --was: Re: pf: block drop not working

2021-05-07 Thread Tom Smyth
Hello Axel,

Check out fastnetmon if you have sFlow (preferably) or NetFlow
support on your switches / or routers facing external providers
you can put pps thresholds on.

but bear in mind if the amount of bandwidth being sent to your router
exceeds capacity you need to send a BGP community to
do Remote Triggered Black Hole to your providers... RTBH ... (BGP
Communities) etc..

Best of Luck

On Fri, 7 May 2021 at 10:10, Axel Rau  wrote:
>
>
>
> > Am 05.05.2021 um 16:20 schrieb Stuart Henderson  > <mailto:s...@spacehopper.org>>:
> >
> > This is usually best dealt with in your DNS server software e.g. by using
> > the rrl-* configuration in NSD, see nsd.conf(5), or "rate-limit" config
> > section in BIND.
>
> Yes, I have this in place now, but I try to let the fw drop them:
> This seems not working:
> udp_inbound_dns_options = 'keep state (max-src-conn-rate 120/60, overload 
>  flush global )'
> …
> pass in quick on $red_if proto udp from any to { $ns4, $ns5 } \
> port { domain } tag RED_DMZ $udp_inbound_dns_options label "dns 
> inbound"
>
> Is this not possible with udp?
>
> Axel
> ---
> PGP-Key: CDE74120   computing @ chaos claudius
>


-- 
Kindest regards,
Tom Smyth.



Re: pf: block drop not working

2021-05-05 Thread Tom Smyth
black_whole vs black_hole

check the table name ...

On Wed, 5 May 2021 at 12:11, Axel Rau  wrote:
>
> Hi all,
>
> in pf.conf, I have at the beginning:
> - - -
> table  persist file "/etc/pf/black_hole.txt"
> block drop in quick on $red_if from  flags any
>
> fw1# pfctl -s rules  | head -3
> block drop in quick on em2 from  to any
>
> fw1# pfctl -t black_hole -T show
> . . .
>146.168.0.0/16
> . . .
>
> But responses still going out from my ns:
>
>  0800 532: x.y.z.71.53 > 146.168.163.94.443: [udp sum ok] 1- 0/13/14(490) 
> (ttl 63, id 10399, len 518)
>  0800 72: 146.168.163.94.443 > x.y.z.21.53: [no udp cksum] 1+ RRSIG? 
> pizzaseo.com.(30) (ttl 249, id 3922, len 58)
>  0800 532: x.y.z.21.53 > 146.168.163.94.443: [udp sum ok] 1- 0/13/14(490) 
> (ttl 63, id 38336, len 518)
>  0800 72: 146.168.163.94.443 > x.y.z.171.53: [no udp cksum] 1+ RRSIG? 
> pizzaseo.com.(30) (ttl 249, id 55913, len 58)
>  0800 532: x.y.z.171.53 > 146.168.163.94.443: [udp sum ok] 1- 0/13/14(490) 
> (ttl 62, id 53578, len 518)
>
>
> What is wrong in my setup?
>
> Thanks, Axel
> ---
> PGP-Key: CDE74120   computing @ chaos claudius
>


-- 
Kindest regards,
Tom Smyth.



Re: default Offset to 1MB boundaries for improved SSD (and Raid Virtual Disk) partition alignment

2021-04-21 Thread Tom Smyth
Christian, Otto, Thanks for your feedback on this one

I'll research it further,
but NTFS has 4K, 8K 32K and 64K Allocation units on the
filesystem and for Microsoft windows running Exchange or Database workloads
they were recommending alignment of the NTFS partitions
on the 1MB offset also.

From Otto's explanation (Thanks), 1/16 of blocks would potentially
cross a boundary of the
storage subsystem,
6.25% of reads (or writes) could result in a double Read (or double write)

of course the write issue is a bigger problem for the SSDs..

I can configure the partitions how I want, for now anyway,

I'll do a little digging on FFS and FFS2 and see how the filesystem
database (or table)
is structured...

Thanks for the feedback it is very helpful to me

All the best,

Tom Smyth



On Wed, 21 Apr 2021 at 15:25, Christian Weisgerber  wrote:
>
> Tom Smyth:
>
> > if you were to have a 1MB file or  a database that needed to read 1MB
> > of data,  i
> > f the partitions are not aligned then
> > your underlying storage system need to load 2 chunks  or write 2
> > chunks for 1 MB of data, written,
>
> You seem to assume that FFS2 would align a 1MB file on an 1MB border
> within the filesystem.  That is not the case.  That 1MB file will be
> aligned on a blocksize border (16/32/64 kB, depending on filesystem
> size).  Aligning the partition on n*blocksize has no effect on this.
>
> --
> Christian "naddy" Weisgerber  na...@mips.inka.de



-- 
Kindest regards,
Tom Smyth.
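The "1/16 of blocks" figure above, and the "worst case double the work" claim from Tom's earlier message in this thread, both come from the same arithmetic: lay block-sized I/Os back to back from the partition start and count how many straddle a boundary of the storage's chunk size. The script below works that out for the offsets and sizes discussed in the thread; it is an added example, not code from the thread or from OpenBSD, and it models a plain back-to-back layout, which, as Otto and Christian point out, is not how FFS(2) actually places data blocks.

```python
"""Alignment arithmetic for the partition-offset discussion.

Added example, not code from the thread or from OpenBSD.  It lays block-sized
I/Os back to back from the partition start and counts how many straddle a
chunk boundary of the underlying storage.  That is a simplified model chosen
to show the arithmetic behind the "double the work" and "1/16" figures; as
the replies note, FFS(2) does not actually place data blocks this way.
"""
from math import gcd

SECTOR = 512  # bytes; the 512-byte format disks discussed in the thread


def chunks_touched(start: int, length: int, chunk: int) -> int:
    """Number of chunk-sized storage units an I/O over [start, start+length) touches."""
    return (start + length - 1) // chunk - start // chunk + 1


def extra_chunks(start: int, length: int, chunk: int) -> int:
    """Chunks touched beyond what a perfectly aligned I/O of the same length needs."""
    minimum = -(-length // chunk)  # ceil(length / chunk)
    return chunks_touched(start, length, chunk) - minimum


def _period_blocks(block: int, chunk: int) -> int:
    """After lcm(block, chunk) bytes the block-start positions modulo chunk repeat."""
    return (block * chunk // gcd(block, chunk)) // block


def misaligned_fraction(offset_sectors: int, block: int, chunk: int) -> float:
    """Fraction of back-to-back block-sized I/Os that touch more chunks than necessary."""
    offset = offset_sectors * SECTOR
    n = _period_blocks(block, chunk)
    bad = sum(1 for i in range(n) if extra_chunks(offset + i * block, block, chunk) > 0)
    return bad / n


def chunk_amplification(offset_sectors: int, block: int, chunk: int) -> float:
    """Average chunks touched per block-sized I/O relative to the aligned case (1.0 = none)."""
    offset = offset_sectors * SECTOR
    n = _period_blocks(block, chunk)
    touched = sum(chunks_touched(offset + i * block, block, chunk) for i in range(n))
    return touched / (n * -(-block // chunk))


if __name__ == "__main__":
    K, M = 1024, 1024 * 1024
    # (offset in sectors, I/O size, storage chunk): the cases discussed in the thread.
    cases = [(63, 16 * K, 4 * K),    # pre-2010 default against assumed 4K storage units
             (64, 16 * K, 4 * K),    # current default, 16K FFS blocks
             (64, 64 * K, 1 * M),    # 64K blocks against 1MB chunks: the 1/16 case
             (64, 1 * M, 1 * M),     # a 1MB transfer against 1MB chunks: the "double" case
             (128, 64 * K, 64 * K),  # Otto's suggestion for big partitions
             (2048, 1 * M, 1 * M)]   # 1MB offset
    print(f"{'offset':>7} {'io':>8} {'chunk':>8} {'misaligned':>11} {'amplification':>14}")
    for off, io, chunk in cases:
        print(f"{off:>7} {io:>8} {chunk:>8} "
              f"{misaligned_fraction(off, io, chunk):>11.4f} "
              f"{chunk_amplification(off, io, chunk):>14.4f}")
```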



Re: default Offset to 1MB boundaries for improved SSD (and Raid Virtual Disk) partition alignment

2021-04-21 Thread Tom Smyth
Hello Otto, Christian,

I was relying on that paper for the pictures of the alignment issue,

VMFS (VMware file system) since version 5 of VMware has allocation
units of 1MB each

https://kb.vmware.com/s/article/2137120

my understanding is that SSDs have a similar allocation unit setup of 1MB,

and that aligning your file system to 1MB would improve performance


|OpenBSD Filesystem --|  FFS-Filesystem
|VMDK Virtual Disk file for Guest |  OpenBSD-Guest-Disk0.vmdk
|vmware datastore--  |   1MB allocation
|Logical Storage Device / RAID---|
|SSD or DISK storage --|1MB allocation  unit (on some SSDs)

Figure 2 of the following paper shows what happens
https://www.usenix.org/legacy/event/usenix09/tech/full_papers/rajimwale/rajimwale.pdf
as your writes start to cross another underlying block boundary you
see a degradation of performance;
the largest impact is on a write of 1MB (misaligned) across 2 blocks,
but it repeats as you increase the number of MB in a transaction, though
the % overhead
reduces for each additional 1MB in the transaction.

If there is no downside to allocating / offsetting filesystems on 1MB
boundaries,
can we do that by default to reduce wear on SSDs, and improve performance
in virtualized environments with large allocation units on whatever storage
subsystem they are running?

Thanks for your time

Tom Smyth




On Wed, 21 Apr 2021 at 08:49, Otto Moerbeek  wrote:
>
> On Wed, Apr 21, 2021 at 08:20:10AM +0100, Tom Smyth wrote:
>
> > Hi Christian,
> >
> > if you were to have a 1MB file or a database that needed to read 1MB
> > of data, if the partitions are not aligned then
> > your underlying storage system needs to load 2 chunks or write 2
> > chunks for 1 MB of data written,
> >
> > So *worst* case you would double the workload for the storage hardware
> > (SSD or Hardware RAID with large chunks) for each transaction
> > on writing to SSDs if you are not aligned one could *worst* case
> > double the write / wear rate.
> >
> > The improvement would be less for accessing small files and writing small
> > files
> > (as they would need to be across 2 Chunks )
> >
> > The following paper explains (better than I do )
> > https://www.vmware.com/pdf/esx3_partition_align.pdf
> >
> > if the cost is 1-8MB at the start of the disk (assuming partitions are
> > sized
> >  so that they don't lose the offset of 2048 sectors)
> > I think it is worth pursuing. (again I only have experience on amd64
> > /i386 hardware)
>
> Doing a quick scan through the pdf I only see talk about 64k boundaries.
>
> FFS(2) will split up any partition in multiple cylinder groups. Each
> cylinder group starts with a superblock copy, inode tables and other
> meta data before the data blocks of that cylinder group. Having the
> start of a partition at a 1MB boundary does not get you those data blocks
> at a specific boundary. So I think your reasoning does not apply to FFS(2).
>
> It might make sense to move the start to offset 128 for big
> partitions, so you align with the 64k boundary mentioned in the pdf,
> the block size is already 64k (for big partitions).
>
> -Otto
>
> >
> > Thanks
> > Tom Smyth
> >
> > On Tue, 20 Apr 2021 at 22:52, Christian Weisgerber  
> > wrote:
> > >
> > > Tom Smyth:
> > >
> > > > just installing today's snapshot and the default offset on amd64 is 64,
> > > >  (as it has been for as long as I can remember)
> > >
> > > It was changed from 63 in 2010.
> > >
> > > > Is it worthwhile updating the defaults so that OpenBSD partition
> > > > layout will be optimal for SSD or other Virtualized RAID environments
> > > > with 1MB  Chunks,
> > >
> > > What are you trying to optimize with this?  FFS2 file systems reserve
> > > 64 kB at the start of a partition, and after that it's filesystem
> > > blocks, which are 16/32/64 kB, depending on the size of the filesystem.
> > > I can barely see an argument for aligning large partitions at 128
> > > sectors, but what purpose would larger multiples serve?
> > >
> > > > Is there a downside to moving the default offset to 2048 ?
> > >
> > > Not really.  It wastes a bit of space, but that is rather insignificant
> > > for today's disk sizes.
> > >
> > > --
> > > Christian "naddy" Weisgerber  na...@mips.inka.de
> > >
> >
> >
> > --
> > Kindest regards,
> > Tom Smyth.
> >



-- 
Kindest regards,
Tom Smyth.



Re: default Offset to 1MB boundaries for improved SSD (and Raid Virtual Disk) partition alignment

2021-04-21 Thread Tom Smyth
Hi Christian,

if you were to have a 1MB file or a database that needed to read 1MB
of data, if the partitions are not aligned then
your underlying storage system needs to load 2 chunks or write 2
chunks for 1 MB of data written,

So *worst* case you would double the workload for the storage hardware
(SSD or Hardware RAID with large chunks) for each transaction
on writing to SSDs if you are not aligned one could *worst* case
double the write / wear rate.

The improvement would be less for accessing small files and writing small files
(as they would need to be across 2 Chunks )

The following paper explains (better than I do )
https://www.vmware.com/pdf/esx3_partition_align.pdf

if the cost is 1-8MB at the start of the disk (assuming partitions are sized
 so that they don't lose the offset of 2048 sectors)
I think it is worth pursuing. (again I only have experience on amd64
/i386 hardware)

Thanks
Tom Smyth

On Tue, 20 Apr 2021 at 22:52, Christian Weisgerber  wrote:
>
> Tom Smyth:
>
> > just installing today's snapshot and the default offset on amd64 is 64,
> >  (as it has been for as long as I can remember)
>
> It was changed from 63 in 2010.
>
> > Is it worthwhile updating the defaults so that OpenBSD partition
> > layout will be optimal for SSD or other Virtualized RAID environments
> > with 1MB  Chunks,
>
> What are you trying to optimize with this?  FFS2 file systems reserve
> 64 kB at the start of a partition, and after that it's filesystem
> blocks, which are 16/32/64 kB, depending on the size of the filesystem.
> I can barely see an argument for aligning large partitions at 128
> sectors, but what purpose would larger multiples serve?
>
> > Is there a downside to moving the default offset to 2048 ?
>
> Not really.  It wastes a bit of space, but that is rather insignificant
> for today's disk sizes.
>
> --
> Christian "naddy" Weisgerber  na...@mips.inka.de
>


-- 
Kindest regards,
Tom Smyth.



default Offset to 1MB boundaries for improved SSD (and Raid Virtual Disk) partition alignment

2021-04-20 Thread Tom Smyth
Hello,

just installing today's snapshot and the default offset on amd64 is 64,
 (as it has been for as long as I can remember)
Is it worthwhile updating the defaults so that OpenBSD partition
layout will be optimal for SSD or other Virtualized RAID environments
with 1MB Chunks,

Is there a downside to moving the default offset to 2048? 1MB
offset on 512 byte format disks.
we have been running 2048 offset as our starting offset, for our
OpenBSD installs for about 3-4 years now and we have not come across
issues.

it is unlikely that this will be changed in 6.9 release but It might
be worth re-visiting as it would
make for more straightforward aligned partitions on OpenBSD installs..

my experience is more for x86 / amd64 rather than other platforms ..

Kindest Regards,

Tom Smyth




-- 
Kindest regards,
Tom Smyth.



shells/nsh network shells, feedback and comments requested,

2021-04-18 Thread Tom Smyth
Hello,

If anyone has used shells/nsh (past or present)
 or has any ideas, opinions on it and its usability,
bug reports or questions can you let me know
(on or off list I don't mind).

I'm particularly interested in configuration limitations
you came across (where you couldn't do something
in NSH that you can do in base).

We will be working on it  to track  current, and hopefully
7.0 release.

Thanks
Tom Smyth



Re: Last shutdown date of old OpenBSD machine

2021-04-15 Thread Tom Smyth
Check dmesg, I think that will have the boot time / date in it



On Thursday, 15 April 2021, Ales Tepina  wrote:

> Hi!
>
> I have a really old machine (it has DIN keyboard connector) with OpenBSD
> installed on it that was used as a router and it's been sitting
> in the basement for quite a few years. I would like to find out the date
> when the machine was last shut down.
>
> What would be the best way to go about looking for that info?
>
> I have two options as far as I can see but have not tried any of them to
> avoid messing up the date of last boot/shutdown:
> 1. Boot the machine and check the log files in /var/log
> 2. Attach the disk drive to another machine and mount the partition and
>   also check the info on some files
>
> Also, one important caveat. There is a good chance I won't be able to
> guess the password anymore. I think I know what it is, but I'm not sure
> since it was so long ago.
> Therefore booting into single user mode is probably the only choice for
> option 1.
>
> Thank you for your suggestions.
>
> Br, Ales
>
>

-- 
Kindest regards,
Tom Smyth.


Re: Technical Documentation - CARP

2021-04-13 Thread Tom Smyth
Hi Jannick

the man pages are also a good up to date source of information...

sometimes a paper from a few years ago states something like

X/Y is not supported... but as an OpenBSD developer once quipped
"yes we do add features from time to time"  :)

so the papers can give really good context and insights...
but refer to the manuals also to validate any improved syntax and or
features

Hope this helps
Tom Smyth

On Tue, 13 Apr 2021 at 09:34, jannick Weiss  wrote:
>
> Hello, my name is Jannick Weiss and I am currently in the process of taking
> my education as a data technician. As part of my education I have to do a
> presentation on a self-elected subject and I have chosen to talk about CARP.
>
> It is my understanding that it is you (OpenBSD) that have developed CARP.
> I am having trouble finding information about CARP, such as the different
> states the protocol goes through or how the election of the master node
> works specifically.
> If you can provide any documentation on CARP it would be greatly
> appreciated.
>
> In advance, thank you for any help you may provide.
>
> Best regards
>
> Jannick Weiss



-- 
Kindest regards,
Tom Smyth.



Re: 6.9 Current amd64 xfce seems to freeze and not respond to mouse clicks or keystrokes

2021-04-10 Thread Tom Smyth
Hi Ian,

Thanks for that, it seems to be the screensaver that was causing the issue.

do you have the screensaver enabled also?

in hindsight it doesn't appear to be a hardware issue (or virtual
hardware issue)

thanks for your reply and feedback

On Sat, 10 Apr 2021 at 23:52, Ian Darwin  wrote:
>
> On Sat, Apr 10, 2021 at 10:22:17PM +0100, Tom Smyth wrote:
> > Hello,
> >
> > 1) issue does not occur with fvwm or with chrome running in fvwm
> >
> > so the issue seems to be confined to xfce, and I was running  just 1
> > xfce terminal session
> > 2) (so the issue is not related to chromium)
> >
> > > > I'm running OpenBSD on an Oracle Virtualbox VM
>
> I run xfce all the time on -current on amd64 on real hardware and do
> not have any such issue.



-- 
Kindest regards,
Tom Smyth.



Re: 6.9 Current amd64 xfce seems to freeze and not respond to mouse clicks or keystrokes

2021-04-10 Thread Tom Smyth
Geoff,
The force is strong with you :)

Thanks, that worked. xfce-screensaver was active but I was not seeing
the screen-saver

Appreciate your help

Tom Smyth

On Sat, 10 Apr 2021 at 22:48, gwes  wrote:
>
>
>
> On 4/10/21 5:22 PM, Tom Smyth wrote:
> > Hello,
> >
> > 1) issue does not occur with fvwm or with chrome running in fvwm
> >
> > so the issue seems to be confined to xfce, and I was running  just 1
> > xfce terminal session
> > 2) (so the issue is not related to chromium)
> >
> > Thanks
> >
> >
> > O
> > --
> > Kindest regards,
> > Tom Smyth.
> >
> Hi Tom,
> Some application that you can't see is grabbing focus and not letting go.
>
> On another OS using xfce (XUbuntu) the screensaver sometimes causes
> something
> extremely similar. Mouse cursor moves but nothing else responds.
> The workaround is to use control-alt-F1 to get a
> plain console and ps -ax | grep screen then doas kill .
>
> If it's not a screensaver it's almost always a second browser copy.
> I just find likely greedy candidates in the ps and kill until the
> problem goes away.
>
> If the X server won't let you use control-alt-Fx to change screens you'll
> have to ssh in.
>
> Geoff Steckel



-- 
Kindest regards,
Tom Smyth.



Re: 6.9 Current amd64 xfce seems to freeze and not respond to mouse clicks or keystrokes

2021-04-10 Thread Tom Smyth
Hello,

1) issue does not occur with fvwm or with chrome running in fvwm

so the issue seems to be confined to xfce, and I was running  just 1
xfce terminal session
2) (so the issue is not related to chromium)

Thanks


On Fri, 9 Apr 2021 at 19:09, Tom Smyth  wrote:
>
> just to update this thread,
>
> 1) the mouse pointer still moves around but it can't seem to select a
> window or text or any icon in a menu
>
> 2) I did increase the resolution using xrandr -s 1920x1080 at the
> start of the session without issue
>
> 3) chromium is open when this happens
>
> Thanks
>
> On Fri, 9 Apr 2021 at 19:33, Tom Smyth  wrote:
> >
> > Hello
> >
> > 6.9 Current amd64 xfce seems to freeze and not respond to mouse
> > clicks or keystrokes. I can't seem to change windows or enter text on
> > the X terminal
> >
> >
> > I'm running OpenBSD on an Oracle Virtualbox VM
> >
> > however  +   does work and I'm able to restart the X
> > session using the console
> >
> > rcctl restart xenodm
> >
> > I'll try FVWM to see if it is an X11 issue or an issue with xfce
> >
> > just raising it in case someone else has noticed this issue
> >
> > dmesg below
> >

Re: OT: Dell EMC switches

2021-04-09 Thread Tom Smyth
+1 re Arista switches...

On Friday, 9 April 2021, Diana Eichert  wrote:

> I second Arista switches, in my day job we use a lot of Arista
> switches.  Though one of the "issues" we see is Arista
> drops older tech regularly.  I believe their last presentation to us
> was 25G/100G/400G switches.
>
> On Thu, Apr 8, 2021 at 1:18 PM Mischa  wrote:
> >
> > Hi Ivo,
> >
> > I don’t have any experience with the Dell switches but what about the
> Arista DCS-7050QX-32 or DCS-7050QX-32S?
> > 32x40G QSFP+ for the 7050QX-32
> > 32x40G QSFP+ of which one QSFP+ can act as a dual personality to 4xSFP+
> for the 7050QX-32S. (mind the S)
> >
> > There are converters for the QSFP+ to turn them into a SFP+ port if you
> need more 10G but want to have a way to migrate to 40G.
> > You can do this with the Mellanox 655902-001 QSA adapter.
> >
> > Which is pretty much what we have in production. :)
> > Are you planning to buy new or eBay? There are some pretty good deals on
> eBay.
> >
> > Mischa
>
>

-- 
Kindest regards,
Tom Smyth.


Re: 6.9 Current amd64 xfce seems to freeze and not respond to mouse clicks or keystrokes

2021-04-09 Thread Tom Smyth
just to update this thread,

1) the mouse pointer still moves around but it can't seem to select a
window or text or any icon in a menu

2) I did increase the resolution using xrandr -s 1920x1080 at the
start of the session without issue

3) chromium is open when this happens

Thanks

On Fri, 9 Apr 2021 at 19:33, Tom Smyth  wrote:
>
> Hello
>
> 6.9 Current amd64 xfce seems to freeze and not respond to mouse
> clicks or keystrokes. I can't seem to change windows or enter text on
> the X terminal
>
>
> I'm running OpenBSD on an Oracle Virtualbox VM
>
> however  +   does work and I'm able to restart the X
> session using the console
>
> rcctl restart xenodm
>
> I'll try FVWM to see if it is an X11 issue or an issue with xfce
>
> just raising it in case someone else has noticed this issue
>
> dmesg below
>

6.9 Current amd64 xfce seems to freeze and not respond to mouse clicks or keystrokes

2021-04-09 Thread Tom Smyth
Hello

6.9 Current amd64 xfce seems to freeze and not respond to mouse
clicks or keystrokes. I can't seem to change windows or enter text on
the X terminal


I'm running OpenBSD on an Oracle Virtualbox VM

however  +   does work and I'm able to restart the X
session using the console

rcctl restart xenodm

I'll try FVWM to see if it is an X11 issue or an issue with xfce

just raising it in case someone else has noticed this issue

dmesg below

OpenBSD 6.9 (GENERIC.MP) #458: Fri Apr  9 01:05:30 MDT 2021
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8573091840 (8175MB)
avail mem = 8297865216 (7913MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xe1000 (10 entries)
bios0: vendor innotek GmbH version "VirtualBox" date 12/01/2006
bios0: innotek GmbH VirtualBox
acpi0 at bios0: ACPI 4.0
acpi0: sleep states S0 S5
acpi0: tables DSDT FACP APIC HPET MCFG SSDT
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i7-10610U CPU @ 1.80GHz, 2304.35 MHz, 06-8e-0c
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,SSSE3,CX16,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,RDRAND,NXE,RDTSCP,LONG,LAHF,ABM,3DNOWP,ITSC,FSGSBASE,AVX2,INVPCID,RDSEED,CLFLUSHOPT,MD_CLEAR,L1DF
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: CPU supports MTRRs but not enabled by BIOS
cpu0: apic clock running at 1000MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM) i7-10610U CPU @ 1.80GHz, 2304.08 MHz, 06-8e-0c
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,SSSE3,CX16,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,RDRAND,NXE,RDTSCP,LONG,LAHF,ABM,3DNOWP,ITSC,FSGSBASE,AVX2,INVPCID,RDSEED,CLFLUSHOPT,MD_CLEAR,L1DF
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins, remapped
acpihpet0 at acpi0: 14318179 Hz
acpimcfg0 at acpi0
acpimcfg0: addr 0xdc00, bus 0-63
acpiprt0 at acpi0: bus 0 (PCI0)
acpipci0 at acpi0 PCI0: 0x 0x0011 0x0001
acpicmos0 at acpi0
acpibat0 at acpi0: BAT0 model "1" serial 0 type VBOX oem "innotek"
acpiac0 at acpi0: AC unit online
acpicpu0 at acpi0: C1(@1 halt!)
acpicpu1 at acpi0: C1(@1 halt!)
acpivideo0 at acpi0: GFX0
pci0 at mainbus0 bus 0
vga1 at pci0 dev 2 function 0 "VMware SVGA II" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
em0 at pci0 dev 3 function 0 "Intel 82540EM" rev 0x02: apic 2 int 19,
address 08:00:27:bd:cb:77
"InnoTek VirtualBox Guest Service" rev 0x00 at pci0 dev 4 function 0
not configured
auich0 at pci0 dev 5 function 0 "Intel 82801AA AC97" rev 0x01: apic 2
int 21, ICH
ac97: codec id 0x83847600 (SigmaTel STAC9700)
audio0 at auich0
piixpm0 at pci0 dev 7 function 0 "Intel 82371AB Power" rev 0x08: apic 2 int 23
iic0 at piixpm0
pcib0 at pci0 dev 31 function 0 "Intel 82801GBM LPC" rev 0x02
pciide0 at pci0 dev 31 function 1 "Intel 82371AB IDE" rev 0x01: DMA,
channel 0 configured to compatibility, channel 1 configured to
compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 128-sector PIO, LBA48, 131072MB, 268435456 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0:  removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
ohci0 at pci0 dev 31 function 4 "Apple Intrepid USB" rev 0x00: apic 2
int 23, version 1.0
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
usb0 at ohci0: USB revision 1.0
uhub0 at usb0 configuration 1 interface 0 "Apple OHCI root hub" rev
1.00/1.00 addr 1
uhidev0 at uhub0 port 1 configuration 1 interface 0 "VirtualBox USB
Tablet" rev 1.10/1.00 addr 2
uhidev0: iclass 3/0
ums0 at uhidev0: 5 buttons, Z and W dir
wsmouse1 at ums0 mux 0
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on wd0a (619d721c1c3c871d.a) swap on wd0b dump on wd0b



Re: Does intel(4) support Iris Xe Graphics?

2021-04-07 Thread Tom Smyth
Hi Jonathan,
sorry, missed the bug report... with the dmesg.
I thought the Linux dmesg, where the hardware was working, would
have been useful if there was an issue with the hardware detection.
I suggested trying 6.8 in case there was a bug introduced in current,
and it would give a baseline...
suggested current as the bug might already be fixed in current as
opposed to release ...


On Wed, 7 Apr 2021 at 11:56, Jonathan Gray  wrote:
>
> On Wed, Apr 07, 2021 at 11:34:54AM +0100, Tom Smyth wrote:
> > Try Current and 6.8  and see if you get a different result in each..
> > dmesgs are key for getting help on this type of query ...
>
> There is a snapshot dmesg in the bug report.  I don't see a benefit to
> 6.8 or linux dmesgs.



-- 
Kindest regards,
Tom Smyth.



Re: Does intel(4) support Iris Xe Graphics?

2021-04-07 Thread Tom Smyth
Try Current and 6.8  and see if you get a different result in each..
dmesgs are key for getting help on this type of query ...

On Wed, 7 Apr 2021 at 11:33, Tom Smyth  wrote:
>
> Hi Michel,
> if you send the dmesg from OpenBSD when it is installed, and from Ubuntu,
> it would help a lot
> to see the hardware that your box is running (and the hardware as
> detected by OpenBSD / Ubuntu)
>
>
> On Wed, 7 Apr 2021 at 05:21, Michel von Behr  wrote:
> >
> > Thank you for the reply, Jonathan - FWIW I was able to run Ubuntu on the
> > machine just now. I still would like to try and install OpenBSD, if anyone
> > can help me diagnose/fix the problem I’m willing to try.
> >
> > Regards,
> >
> > Michel
> >
> > On Wed, 7 Apr 2021 at 2:33 AM Jonathan Gray  wrote:
> >
> > > On Tue, Apr 06, 2021 at 11:09:07AM +0400, Michel von Behr wrote:
> > > > Hi - (not a dev, just trying to use OpenBSD snapshot) whenever I try to
> > > > launch Xorg, either via xenodm or startx, I'm getting a kernel panic,
> > > > like "pool_do_get:
> > > > drmobj : page empty" (I already sent an e-mail [1] to b...@openbsd.org
> > > with
> > > > dmesg and all).
> > >
> > > The pool should already be initialised via
> > > i915_global_objects_init()
> > > i915_globals_init()
> > > inteldrm_attachhook()
> > >
> > > >
> > > > I'm wondering if the problem could be with my video card, Intel Iris Xe?
> > > > Even though dmesg shows that is was detected and should (?) be working.
> > > But
> > > > I can't find a reason why my laptop would not run Xorg.
> > > >
> > > > inteldrm0 at pci0 dev 2 function 0 "Intel Xe Graphics" rev 0x01
> > > > drm0 at inteldrm0
> > > > inteldrm0: msi, TIGERLAKE, gen 12
> > > >
> > >
> > > jcs@ has/had a tiger lake machine which could run Xorg with the
> > > linux 5.7 based drm in -current.  I'm not sure what is different here.
> > >
> > > >
> > > > Any pointing to the right direction would be appreciated. (If this
> > > problem
> > > > relates to Xorg specifically and not to OpenBSD please let me know).
> > > >
> > > > [1] https://marc.info/?l=openbsd-bugs=161754767328009=2
> > > >
> > > > Regards,
> > > >
> > > > Michel
> > > >
> > >
>
>
>
> --
> Kindest regards,
> Tom Smyth.



-- 
Kindest regards,
Tom Smyth.



Re: Does intel(4) support Iris Xe Graphics?

2021-04-07 Thread Tom Smyth
Hi Michel,
if you send the dmesg from OpenBSD when it is installed, and from Ubuntu,
it would help a lot
to see the hardware that your box is running (and the hardware as
detected by OpenBSD / Ubuntu)


On Wed, 7 Apr 2021 at 05:21, Michel von Behr  wrote:
>
> Thank you for the reply, Jonathan - FWIW I was able to run Ubuntu on the
> machine just now. I still would like to try and install OpenBSD, if anyone
> can help me diagnose/fix the problem I’m willing to try.
>
> Regards,
>
> Michel
>
> On Wed, 7 Apr 2021 at 2:33 AM Jonathan Gray  wrote:
>
> > On Tue, Apr 06, 2021 at 11:09:07AM +0400, Michel von Behr wrote:
> > > Hi - (not a dev, just trying to use OpenBSD snapshot) whenever I try to
> > > launch Xorg, either via xenodm or startx, I'm getting a kernel panic,
> > > like "pool_do_get:
> > > drmobj : page empty" (I already sent an e-mail [1] to b...@openbsd.org
> > with
> > > dmesg and all).
> >
> > The pool should already be initialised via
> > i915_global_objects_init()
> > i915_globals_init()
> > inteldrm_attachhook()
> >
> > >
> > > I'm wondering if the problem could be with my video card, Intel Iris Xe?
> > > Even though dmesg shows that is was detected and should (?) be working.
> > But
> > > I can't find a reason why my laptop would not run Xorg.
> > >
> > > inteldrm0 at pci0 dev 2 function 0 "Intel Xe Graphics" rev 0x01
> > > drm0 at inteldrm0
> > > inteldrm0: msi, TIGERLAKE, gen 12
> > >
> >
> > jcs@ has/had a tiger lake machine which could run Xorg with the
> > linux 5.7 based drm in -current.  I'm not sure what is different here.
> >
> > >
> > > Any pointing to the right direction would be appreciated. (If this
> > problem
> > > relates to Xorg specifically and not to OpenBSD please let me know).
> > >
> > > [1] https://marc.info/?l=openbsd-bugs=161754767328009=2
> > >
> > > Regards,
> > >
> > > Michel
> > >
> >



-- 
Kindest regards,
Tom Smyth.



Re: sndiod on by default (does it need to be ? )

2021-02-21 Thread Tom Smyth
Thanks Stuart, appreciate your time on this,   and explanation of
the sndiod design

it was a case of I don't understand, don't use, so I just disable.
and then I proceeded to ask out of turn shouldn't everyone else disable because
I don't understand or use it myself :/

Re attack surface / risk of other software that I use on top of OpenBSD
 I couldn't agree more with you

Thanks again..

On Sun, 21 Feb 2021 at 18:42, Stuart Henderson  wrote:
>
> On 2021-02-21, Tom Smyth  wrote:
> > my thinking is by having the service off by default would reduce the
> > default attack surface of the OS ?
>
> The attack surface is tiny.
>
> sndiod has a pair of processes each run as their own dedicated uid, one
> in a chroot jail containing no files and pledged to not allow access to
> read/write files anyway, the other (which needs to access audio-related
> nodes in /dev) using unveil to restrict itself to only the necessary
> ones. The pledges are very restrictive. No network access unless you use
> -L to enable the network server.
>
> I don't honestly think it's worth going to the trouble of disabling.
> Look at the other software you run which isn't enabled in OpenBSD by
> default - that's where your attack surface is ;)
>
>


-- 
Kindest regards,
Tom Smyth.



Re: sndiod on by default (does it need to be ? )

2021-02-21 Thread Tom Smyth
Hi folks,
thanks to everyone who replied on and off list,
I had not considered the console only user who uses audio also...
(I had not even considered this, so pardon my ignorance folks,
and thanks to Sebastian, Abel, and David for replying on and off list)

I guess I'll just add rcctl disable sndiod to my deployment scripts
for my use cases :)

Thanks again to all who considered it

:)



On Sun, 21 Feb 2021 at 14:28, Tom Smyth  wrote:
>
> Hi Sebastian
> I get users want to listen to audio, but if the only hardware is a buzzer and
> the user is not running X, what are the chances they are using audio on the
> console only?
>
> I can keep running
> rcctl disable sndiod
> post install
>
> I thought linking audio support on by default to X would make sense as it is
> likely such a system is for users who may need audio
>
> Just a thought
> Thanks
>
>
> On Sunday, 21 February 2021, Sebastian Benoit  wrote:
>>
>> Tom Smyth(tom.sm...@wirelessconnect.eu) on 2021.02.21 04:08:48 +:
>> > Hello,
>> >
>> > I was wondering should sndiod (default) startup be determined based on
>> > whether or not
>> > it the install is a typical headless install (off) or  an install for
>> > a user machine with  running X
>> >
>> > is there a reason why one would need to run this daemon by default?
>>
>> Because users want to listen to audio.
>>
>> > my thinking is by having the service off by default would reduce the
>> > default attack surface of the OS ?
>>
>> How big is that attack surface? And especially compared to X?
>>
>> > perhaps the installer could use the answer to the question do you
>> > intend to run X   to determine whether or not to enable the sndiod
>> > daemon ?
>>
>> The difference is that a running sndiod is not noticeable to you. Running X
>> is - you don't have a console anymore on your screen.
>>
>> Whereas a not running sndiod is noticeable - no sound.
>>
>> Next to security, we try to make it easy for people to use OpenBSD. Not
>> asking questions when not needed is just that.
>>
>> /Benno
>
>
>
> --
> Kindest regards,
> Tom Smyth.



--
Kindest regards,
Tom Smyth.



Re: sndiod on by default (does it need to be ? )

2021-02-21 Thread Tom Smyth
Hi Sebastian
I get users want to listen to audio, but if the only hardware is a buzzer
and the user is not running X, what are the chances they are using audio on
the console only?

I can keep running
rcctl disable sndiod
post install

I thought linking audio support on by default to X would make sense as it
is likely such a system is for users who may need audio

Just a thought
Thanks


On Sunday, 21 February 2021, Sebastian Benoit  wrote:

> Tom Smyth(tom.sm...@wirelessconnect.eu) on 2021.02.21 04:08:48 +:
> > Hello,
> >
> > I was wondering should sndiod (default) startup be determined based on
> > whether or not
> > it the install is a typical headless install (off) or  an install for
> > a user machine with  running X
> >
> > is there a reason why one would need to run this daemon by default?
>
> Because users want to listen to audio.
>
> > my thinking is by having the service off by default would reduce the
> > default attack surface of the OS ?
>
> How big is that attack surface? And especially compared to X?
>
> > perhaps the installer could use the answer to the question do you
> > intend to run X   to determine whether or not to enable the sndiod
> > daemon ?
>
> The difference is that a running sndiod is not noticeable to you. Running X
> is - you don't have a console anymore on your screen.
>
> Whereas a not running sndiod is noticeable - no sound.
>
> Next to security, we try to make it easy for people to use OpenBSD. Not
> asking questions when not needed is just that.
>
> /Benno
>


-- 
Kindest regards,
Tom Smyth.


sndiod on by default (does it need to be ? )

2021-02-20 Thread Tom Smyth
Hello,

I was wondering whether sndiod's (default) startup should be determined based on
whether the install is a typical headless install (off) or an install for
a user machine running X

is there a reason why one would need to run this daemon by default?

my thinking is that having the service off by default would reduce the
default attack surface of the OS ?

perhaps the installer could use the answer to the question do you
intend to run X   to determine whether or not to enable the sndiod
daemon ?

I hope this helps

-- 
Kindest regards,
Tom Smyth.



Re: bsd.rd ok , bsd explodes, trying to get traces

2021-02-09 Thread Tom Smyth
Hey Sven,

sorry, just wondering, have you tried running an alternate OS and/or memtest86
to see if the computer's CPU and memory are behaving themselves?

also if it is an Intel RAID controller it usually has about 3 different
settings (and alters the controller's firmware to present different
hardware to the OS)

(legacy ---> raid --> AHCI --> Enhanced)
Hope this helps


On Tue, 9 Feb 2021 at 20:56, Sven F.  wrote:

> Dear readers,
>
> I found a computer which behaves oddly.
> Only EFI boot is supported, I usually go the MBR way.
> The bios looks like a classic AMibios Intel stuff.
> The cpu is intel and there's an intel HD5500 graphic card
> ( trying to extract proper dmesg fails so far )
>
> When booting 6.8 basic amd64 installation the video
> signal is completely lost and network too ( suspect crash )
>
> I tried to `set  db_console 1` and change video mode
> with machine video before booting, and entering
> `boot dump` blindly ( video off )
> but after rebooting in bsd.rd /var/ has no dmesg.anything
> or some log
>
> I think the last line of boot i see is 'softraid0'
>
> There's probably a few tricks I should try to get the actual
> message, I will do my best to extract the (bsd.rd) dmesg now and post it as
> a reply ( and try boot current )
>
> Is there some boot option I can use or something I can do
> to extract the errors? (I do not see com ports anywhere either)
>
> Thank you for reading.
> --
> --
>
> -
> Knowing is not enough; we must apply. Willing is not enough; we must do
>
>

-- 
Kindest regards,
Tom Smyth.


Re: NIC Port L2 Switching capability

2021-01-25 Thread Tom Smyth
Hi Kaya

you need to create a bridge interface and add the interfaces you want to
switch packets between into the bridge,

man bridge
man switch
man ifconfig
will give you the information you need,


trunk is a bonding / team / failover interface and not for switching

because you are using a virtualisation platform you need to be wary of
hypervisor / virtualisation network stack security features / hacks /
shortcuts:
some hypervisors filter traffic coming from a VM which has a different
source MAC to the MAC assigned to the VM network card by the hypervisor,
and some hypervisors will only switch traffic to a VM if the destination
MAC is the same as the MAC of the virtual machine network card

all the best



On Mon, 25 Jan 2021 at 22:06, Kaya Saman  wrote:

> Hi,
>
>
> I'm wondering if it's possible to get OpenBSD to make the NIC ports act
> like a layer 2 switch?
>
>
> I made a quick test in VirtualBox (unfortunately I don't have any bare
> bones systems free to test with) and tried the following:
>
>
> create two systems, one called router , the other called client
>
>
> create vlans: vlan1, vlan2, vlan3
>
>
> create trunk interfaces on 3x virtual NIC's: trunk0 (em0), trunk1 (em1),
> trunk2 (em2)
>
>
> I then added the vlans to trunk0 by setting the vlandev to trunk0 in the
> hostname.if files.
>
>
> Of course a basic router-on-a-stick method like the above works fine but
> if I wanted the 3 vlans to also be on the trunk1 interface in a similar
> way to provisioning an L2 switch how would I go about it?
>
>
> I attempted to bridge trunk0 and trunk1. The result I got was that dhcp
> worked and the client was able to get an IPv4 address, I also had
> multicast traffic working when dynamically sending the client routes
> through OpenOSPF, as in I could see OSPFv2-hello and OSPFv2-dd packets
> being sent to 224.0.0.5 .
>
> What didn't work was ICMP packets were not being seen on the router
> systems NIC when I tried to use the ping command and in addition the
> OSPF routes would not propagate either.
>
> If I changed the virtual configuration back to trunk0 then everything
> worked as expected. It may just be a limitation of Vbox?
>
>
> In the meantime I have been looking at the docs:
>
> https://www.openbsd.org/papers/bsdcan2016-switchd.pdf
>
> https://man.openbsd.org/switch
>
>
> for the switch interface but is this really what I need here?
>
>
> Has anyone tried and succeeded with this kind of config?
>
>
> My main reason for wanting to use something like this is that I want to
> add a 10GbE NIC and switch into my production router platform while
> still keeping the same setup going to the 1GbE switch which is running
> in a 4-port LACP trunk.
>
>
>
> Of course an alternate would be to link the 1GbE switch to the 10GbE
> switch and do things that way, but the above would be more practical
> from a cabling sense.
>
>
>
> Has anyone got any ideas?
>
>
> Thanks a lot!
>
>
> Kaya
>
>
>
>

-- 
Kindest regards,
Tom Smyth.
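An added configuration example, not taken from either message above, showing the layout Kaya describes on OpenBSD: an LACP trunk on em0/em1, VLAN interfaces hung off trunk0 for the router's own addresses, and a bridge joining trunk0 and trunk1 so tagged frames are switched between the two uplinks. Interface names, VLAN IDs and addresses are assumed. It only works on a hypervisor if the virtual NIC is allowed to receive frames addressed to other MACs (in VirtualBox: adapter Advanced settings, Promiscuous Mode "Allow All"); otherwise frames for hosts behind the bridge never reach the guest, which matches the behaviour the reply above warns about.

```conf
# /etc/hostname.trunk0  (LACP bundle to the 1GbE switch; em0/em1 assumed)
trunkproto lacp trunkport em0 trunkport em1
up

# /etc/hostname.trunk1  (second uplink; em2 assumed, single member for now)
trunkproto lacp trunkport em2
up

# /etc/hostname.vlan10  (router's L3 presence in VLAN 10; ID and address assumed)
vnetid 10 parent trunk0
inet 192.0.2.1 255.255.255.0

# /etc/hostname.vlan20  (ID and address assumed)
vnetid 20 parent trunk0
inet 198.51.100.1 255.255.255.0

# /etc/hostname.bridge0  (L2 forwarding between the two trunks;
# tagged frames pass through untouched, vlan10/vlan20 still terminate locally)
add trunk0
add trunk1
up
```

To see whether frames for foreign MACs actually arrive from the hypervisor, run `tcpdump -eni em2` on the guest while pinging a host behind trunk1; if only broadcast/multicast shows up, the problem is the virtual switch, not bridge(4).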


Re: Fw: ospf question

2021-01-08 Thread Tom Smyth
Hello Mark
you need to give more detail on the IP address types you are using: broadcast
networks or point-to-point / tunnel type addresses.
Are you seeing anything in /var/log/messages when you run the daemons?
Also, can you be certain your hypervisor switches (real switches in the
datacentre) allow for vm-to-vm communication and don't filter certain types
of traffic (OSPF)?
Are you allowing IP protocol 89 (OSPF) in your PF rules on boxes running pf?
Have you configured loopback IPs on each router (on a separate loopback
interface) on each OpenBSD router (so as not to have 127.0.0.0/8 routes
advertised)?
Have you confirmed you don't have a network conflict: 2 routers with the
same IP range on interfaces that are not connected ..

You can start ospfd with the -df switches to see if there are any
warnings / messages that might hint at what is up and running.

The only other high-level things I can think of:
check your neighbour adjacencies, are they forming, and focus where
they are not forming; and the usual things for OSPF adjacencies not forming:
MTU of interfaces not matching between neighbours
authentication key
authentication type
authentication key id (usually = 1)
a switch between routers with a smaller MTU / L2MTU than what the
neighbour routers have configured on their interfaces

If OSPF neighbours are forming, are you learning any routes? Avoid
static default routes, they are the spawn of satan and you can run into
issues learning and propagating default routes otherwise ...

Peace out and Happy New Year




On Fri, 8 Jan 2021 at 23:08, Mark  wrote:
>
> I'll try this message one more time.
>
> I have a question regarding the use of ospf with OpenBSD 6.8.
>
> > I have a network that consists of 23 OpenBSD 6.8 based routers (created, 
> > within a virtualbox environment on a GNU/Linux server, to match the 
> > physical network I manage - the only difference being that the physical 
> > network consists of FreeBSD based routers rather than OpenBSD ones). I set 
> > this up after having replaced a FreeBSD based router with an OpenBSD based 
> > one in the real network and immediately experiencing an issue accessing 
> > parts of the network.
> >
> > Within my setup there is one router (router22) that is six hops away from 
> > the designated default gateway (which I'll call the firewall) and there are 
> > two paths (going different ways around the network) to get to it. I am able 
> > to run a traceroute to router22, but am not able to ping it or ssh onto it. 
> > If I ssh to the router connected to the firewall then I can ping and ssh to 
> > router22 (at that point it's only 5 hops away). If I reboot any router that 
> > lies within the path to router22 then I am subsequently able to ping and 
> > ssh router22 from the firewall.
> >
> > I have also subsequently duplicated the entire network again using FreeBSD 
> > 12.2 and the problem does not occur, so as far as I can see it's just an 
> > OpenBSD ospf issue.
> >
> > I first set this up after replacing a FreeBSD based router with an OpenBSD 
> > based one and experiencing another strange issue. In this instance the 
> > shortest path from my server network (accessible from router01) to 
> > router08, router11 and router12 was router01 <-> router13 <-> router21 <-> 
> > router08 <-> router11 <-> router12, when I put the OpenBSD router in as 
> > router13 I could no longer ping router08, router11 or router12 (though I 
> > could still ping router21). If I connected to a router in a different part 
> > of the network I was able to ping each of the inaccessible ones, so it was 
> > only when the OpenBSD based router was along the shortest path the issue 
> > manifested itself.
> >
> > Is anyone aware of incompatibilities between the OSPF implementation within 
> > OpenBSD and that provided by quagga on FreeBSD? Or of any limitations of 
> > OSPF on OpenBSD?
> >
> > In each setup I have the same hello and dead interval and have md5 crypt 
> > authentication in place on each link between routers. Each router is in 
> > area 0.0.0.0.
> >
> > regards,
> > Mark



-- 
Kindest regards,
Tom Smyth.
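An added configuration example, not part of the thread, that covers the checklist in the reply above on one OpenBSD 6.8 router: a dedicated loopback for the router ID, area 0.0.0.0 with the loopback passive, MD5 (crypt) authentication with key ID 1 and matching hello/dead timers, and a pf rule for IP protocol 89. Interface names, addresses and the key are assumed; the hello/dead values must match whatever the quagga side uses.

```conf
# /etc/hostname.lo1  (router ID on its own loopback, so 127.0.0.0/8 is never advertised)
inet 192.0.2.13 255.255.255.255

# /etc/ospfd.conf
router-id 192.0.2.13

area 0.0.0.0 {
        # advertise the loopback without forming adjacencies on it
        interface lo1 {
                passive
        }
        # link to the neighbouring router; timers, auth type, key and key ID
        # all have to match the other side exactly or no adjacency forms
        interface em0 {
                hello-interval 10
                router-dead-time 40
                auth-type crypt
                auth-md 1 "s3cret-assumed"
                auth-md-keyid 1
        }
}

# /etc/pf.conf fragment: OSPF is IP protocol 89 (named "ospf" in /etc/protocols);
# hellos go to multicast 224.0.0.5 and 224.0.0.6, so do not restrict by unicast dst
pass in on em0 proto ospf
pass out on em0 proto ospf
```

After `ospfd -n` confirms the config parses and the daemon is started, `ospfctl show neighbor` should list the peer in FULL state; anything stuck in INIT or EXSTART points at the authentication or MTU items in the list above, and `ospfctl show interface` shows the MTU each side is using. `pfctl -sr | grep ospf` confirms the rule actually loaded.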



Re: Internal Microphone on Thinkpad X1 Carbon 7th gen not working

2020-12-04 Thread Tom Smyth
tel", unknown product 0x7360 (class wireless unknown subclass
> 0x40, rev 0x01) at pci1 dev 0 function 0 not configured
> ppb1 at pci0 dev 29 function 0 "Intel 300 Series PCIE" rev 0xf1: msi
> pci2 at ppb1 bus 3
> nvme0 at pci2 dev 0 function 0 "SanDisk WD Black NVMe" rev 0x00: msix,
> NVMe 1.3
> nvme0: WDC PC SN730 SDBQNTY-1T00-1001, firmware 11130101, serial
> 1951E5485614
> scsibus1 at nvme0: 2 targets, initiator 0
> sd0 at scsibus1 targ 1 lun 0: 
> sd0: 976762MB, 512 bytes/sector, 2000409264 sectors
> ppb2 at pci0 dev 29 function 4 "Intel 300 Series PCIE" rev 0xf1: msi
> pci3 at ppb2 bus 5
> ppb3 at pci3 dev 0 function 0 "Intel JHL6540 Thunderbolt" rev 0x02
> pci4 at ppb3 bus 6
> ppb4 at pci4 dev 0 function 0 "Intel JHL6540 Thunderbolt" rev 0x02: msi
> pci5 at ppb4 bus 7
> "Intel JHL6540 Thunderbolt" rev 0x02 at pci5 dev 0 function 0 not
> configured
> ppb5 at pci4 dev 1 function 0 "Intel JHL6540 Thunderbolt" rev 0x02: msi
> pci6 at ppb5 bus 8
> ppb6 at pci4 dev 2 function 0 "Intel JHL6540 Thunderbolt" rev 0x02: msi
> pci7 at ppb6 bus 45
> xhci1 at pci7 dev 0 function 0 "Intel JHL6540 Thunderbolt" rev 0x02: msi,
> xHCI 1.10
> usb1 at xhci1: USB revision 3.0
> uhub1 at usb1 configuration 1 interface 0 "Intel xHCI root hub" rev
> 3.00/1.00 addr 1
> ppb7 at pci4 dev 4 function 0 "Intel JHL6540 Thunderbolt" rev 0x02: msi
> pci8 at ppb7 bus 46
> pcib0 at pci0 dev 31 function 0 "Intel 300 Series LPC" rev 0x11
> azalia0 at pci0 dev 31 function 3 "Intel 300 Series HD Audio" rev 0x11: msi
> azalia0: codecs: Realtek ALC285, Intel/0x280b, using Realtek ALC285
> audio0 at azalia0
> ichiic0 at pci0 dev 31 function 4 "Intel 300 Series SMBus" rev 0x11: apic
> 2 int 16
> iic0 at ichiic0
> ichiic0: abort failed, status 0x41
> "Intel 300 Series SPI" rev 0x11 at pci0 dev 31 function 5 not configured
> em0 at pci0 dev 31 function 6 "Intel I219-V" rev 0x11: msi, address
> f8:75:a4:c8:62:06
> isa0 at pcib0
> isadma0 at isa0
> pckbc0 at isa0 port 0x60/5 irq 1 irq 12
> pckbd0 at pckbc0 (kbd slot)
> wskbd0 at pckbd0: console keyboard
> pms0 at pckbc0 (aux slot)
> wsmouse0 at pms0 mux 0
> pcppi0 at isa0 port 0x61
> spkr0 at pcppi0
> vmm0 at mainbus0: VMX/EPT
> efifb at mainbus0 not configured
> uhidev0 at uhub0 port 3 configuration 1 interface 0 "Yubico YubiKey
> OTP+FIDO+CCID" rev 2.00/5.26 addr 2
> uhidev0: iclass 3/1
> ukbd0 at uhidev0: 8 variable keys, 6 key codes
> wskbd1 at ukbd0 mux 1
> uhidev1 at uhub0 port 3 configuration 1 interface 1 "Yubico YubiKey
> OTP+FIDO+CCID" rev 2.00/5.26 addr 2
> uhidev1: iclass 3/0
> fido0 at uhidev1: input=64, output=64, feature=0
> ugen0 at uhub0 port 3 configuration 1 "Yubico YubiKey OTP+FIDO+CCID" rev
> 2.00/5.26 addr 2
> uvideo0 at uhub0 port 8 configuration 1 interface 0 "Azurewave Integrated
> Camera" rev 2.01/69.05 addr 3
> video0 at uvideo0
> uvideo1 at uhub0 port 8 configuration 1 interface 2 "Azurewave Integrated
> Camera" rev 2.01/69.05 addr 3
> video1 at uvideo1
> vscsi0 at root
> scsibus2 at vscsi0: 256 targets
> softraid0 at root
> scsibus3 at softraid0: 256 targets
> sd1 at scsibus3 targ 1 lun 0: 
> sd1: 976761MB, 512 bytes/sector, 2000407649 sectors
> root on sd1a (69b037e186d738a3.a) swap on sd1b dump on sd1b
> inteldrm0: 3840x2160, 32bpp
> wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation), using wskbd0
> wskbd1: connecting to wsdisplay0
> wsdisplay0: screen 1-5 added (std, vt100 emulation)
> iwm0: hw rev 0x310, fw ver 34.3125811985.0, address f8:e4:e3:30:0a:07
>
>

-- 
Kindest regards,
Tom Smyth.


Re: Fwd: PayPal pool for developer M1 Mac mini for OpenBSD port

2020-12-03 Thread Tom Smyth
Clearly I missed Patrik's email earlier.. :/ sorry folks

+1 if experienced Devs are working on it...  it will happen
Best of luck to the people working on  getting it working ... cant be easy
without all the docs ...

Thanks

On Thu, 3 Dec 2020 at 22:39, Tom Smyth  wrote:

> Hi Jeff,
>
> as far as I'm aware... if you donate to the project they will source
> hardware as the project sees fit..
> if there is an M1 in want.html (where a developer is looking for one to
> make an initial POC before the project considers it viable to spend
> resources...) then I would be happy to contribute... for that purpose ..
>
> I don't think anyone has anything specific against Apple, per se..
> there are objections to proprietary firmware... and binary blobs...
> and this makes development of open source systems even harder than it
> already is...
>
> but yes the M1 looks awesome, it will be interesting to see if they open
> it up (a little) ... but it is an ARM chip ... so perhaps testing and
> providing open ARM hardware would help the project more... check out want.html
>
> all of these are my own observations as a user over the years and I'm not
> a developer in OpenBSD
>
> Thanks
> Tom Smyth
>
>
>
>
>
> On Thu, 3 Dec 2020 at 22:11, Jeff Joshua Rollin 
> wrote:
>
>>
>>
>>
>>  Forwarded Message 
>> Subject:Fwd: PayPal pool for developer M1 Mac mini for OpenBSD
>> port
>> Date:   Thu, 3 Dec 2020 21:56:51 +
>> From:   Jeff Joshua Rollin 
>>
>>
>>
>>
>>
>> Oops, forgot to reply to the list. Sorry for the duplicate, Mihai.
>>
>>
>> On 03/12/2020 01:18, Mihai Popescu wrote:
>> > I have only good wishes for the project, but I still don't get one
>> thing:
>> > why do some people start to behave oddly whenever Apple comes into
>> > discussion.
>> > They are doing a proprietary thing, closed as hell, no documentation
>> > and so
>> > on. Why is this impulse to write code for such a thing. Just asking ...
>>
>> Apple make great products. My iMac, which is nearly ten years old, runs
>> without problems even today (try that with Windows). iPads and iPhones
>> have much better lifetimes than Android devices - we'll see if the
>> increasing number of devices running "real Linux" make a dent in the
>> market, but either way there are AFAIK no phones using any of the BSDs
>> (unless you count macOS/iOS, which for these purposes I don't) anyway.
>>
>> Other than the fact that the platform is proprietary, the only other
>> thing that annoys me about Macs, and always has, is their half-arsed
>> attempt at a British keyboard, which unless it's changed since my iMac
>> was manufactured still puts @ and " in the wrong places for Brits -
>> exactly the opposite places on a US keyboard. (Even Commodore, infamous
>> in its day for reliability problems and which bought the Amiga company
>> in what no less august an institution than Amiga Format magazine called
>> "a rare fit of insight," managed that one.) Fortunately, if you also use
>> Linux/UNIX, the problem of switching between keyboards with @ and " in
>> 'the wrong place' is easily solved for X11 by selecting a Mac UK
>> keyboard in the software settings even on a PC. (They did stubbornly
>> stick with that crap butterfly keyboard for four years, for reasons
>> presumably best known to themselves, but luckily that era also seems to
>> be over, and I didn't bother buying one during that time, for that and
>> other reasons.)
>>
>> As for the proprietaryness, other than the fact that it's a nice new
>> hardware architecture as other people have mentioned, pretty much every
>> other architecture OpenBSD, NetBSD and Linux has ever run on (Amiga, Sun
>> and VAX, for example) is/was proprietary. And that's without considering
>> the closed peripherals (without which OpenBSD wouldn't have to eschew
>> NDAs) or the BMC on a Wintel - heaven knows what that thing really gets
>> up to.
>>
>> My £0.02
>>
>> Jeff.
>>
>>
>
> --
> Kindest regards,
> Tom Smyth.
>


-- 
Kindest regards,
Tom Smyth.


Re: PayPal pool for developer M1 Mac mini for OpenBSD port

2020-12-03 Thread Tom Smyth
Thanks Patrik,  Marcan, and Theo...

Interesting project...  OpenBSD on the M1 :) ...  best of luck with it



On Thu, 3 Dec 2020 at 22:11, Patrick Wildt  wrote:

> This really has shown how much interest there is in having OpenBSD
> running on those machines.  Still, we would all not be here without
> the OpenBSD project itself.  Not being able to host hackathons due to
> COVID-19 leaves an impact, and I hope that soon(TM) we'll be able to
> get back together to shut up and hack.
>
> I'm sure you all love using OpenBSD and hacking on OpenBSD as much as I
> do, so to help OpenBSD run infrastructure, organize hackathons and to
> flourish even more, please consider donating!
>
> https://www.openbsdfoundation.org/donations.html
> https://www.openbsd.org/donations.html
>
> Also a shoutout to marcan, who'll be doing a lot of reverse engineering
> on the M1.  He's pretty good, and I'm supporting his project by being a
> patron.  I'm looking forward to his work, because of all the people out
> there who can do it, he's definitely one of them.
>
> https://www.patreon.com/marcan
>
> Patrick
>
> Am Thu, Dec 03, 2020 at 02:33:34PM -0700 schrieb Ben Goren:
> > Oh, wow — it hasn’t even been a full day since I sent this out...and
> already enough of you have chipped in enough to buy not just a single M1
> system for Patrick, but also a second one for his partner in crime, Mark
> Kettenis.
> >
> > Thank you to all! This show of generosity and support and excitement is
> most welcome. (And, frankly, a bit overwhelming.)
> >
> > If anybody reading this still wishes to donate to the cause, despite the
> immediate needs being met, the money will be put to good use. There are
> other developers who will eventually need their own hardware, and there are
> always other sorts of expenses related to development. Feel free to chip in
> at Patrick’s original link:
> >
> > https://www.paypal.com/pools/c/8uPSkfNJMp
> >
> > ...or, of course, to the OpenBSD general fund (which can *ALWAYS* use
> donations):
> >
> > https://www.openbsd.org/donations.html
> >
> > Thanks again, everybody!
> >
> > b&
> >
> > > On Dec 2, 2020, at 2:59 PM, Ben Goren  wrote:
> > > Greetings, all!
> > >
> > > Patrick Wildt has set up a PayPal pool to raise funds to purchase an
> M1 Mac mini so he can start porting OpenBSD to the platform. If you’d like
> to be able to run OpenBSD on an M1 system, now would be a great time to
> throw some pennies his way.
> > >
> > > The donation link: https://paypal.me/pools/c/8uPSkfNJMp
> > >
> > > Read below for an idea of what one might expect if we can get a
> machine into Patrick’s hands.
> > >
> > > Cheers,
> > >
> > > b&
> > >
> > > Patrick wrote:
> > >
> > >> Yes, kettenis@ and me are the two ones doing the major work on
> porting
> > >> to new devices.  Not sure if kettenis@ is interested, but I can ask
> him.
> > >> I definitely am, a Mac Mini as a dedicated machine to do stuff with
> and
> > >> not care about what is installed would really help.
> > >>
> > >> Marcan has started a crowdfunding on Patreon.  He's a really capable
> > >> person, and he'll definitely lay a lot of groundwork needed for
> porting
> > >> OpenBSD to the platform.  He apparently will also do his work in a
> > >> dual-licensed fashion, so the BSDs will easily profit from it.
> > >>
> > >> So, the first steps are basically to follow Marcan's work and use all
> > >> that information and code to port OpenBSD as well.
> > >>
> > >> This *will* take some time, because essentially there are only the
> > >> binary drivers, but it's doable and I think with a bit of patience
> > >> we will have OpenBSD running on the M1 as well.
> > >>
> > >> Biggest hurdle, as always, will be support for graphics acceleration.
>
>

-- 
Kindest regards,
Tom Smyth.


Re: Fwd: PayPal pool for developer M1 Mac mini for OpenBSD port

2020-12-03 Thread Tom Smyth
Hi Jeff,

as far as I'm aware... if you donate to the project they will source
hardware as the project sees fit..
if there is an M1 in want.html (where a developer is looking for one to
make an initial POC before the project considers it viable to spend
resources...) then I would be happy to contribute... for that purpose ..

I don't think anyone has anything specific against Apple, per se..
there are objections to proprietary firmware... and binary blobs...
and this makes development of open source systems even harder than it
already is...

but yes the M1 looks awesome, it will be interesting to see if they open
it up (a little) ... but it is an ARM chip ... so perhaps testing and
providing open ARM hardware would help the project more... check out want.html

all of these are my own observations as a user over the years and I'm not
a developer in OpenBSD

Thanks
Tom Smyth





On Thu, 3 Dec 2020 at 22:11, Jeff Joshua Rollin 
wrote:

>
>
>
>  Forwarded Message 
> Subject:Fwd: PayPal pool for developer M1 Mac mini for OpenBSD port
> Date:   Thu, 3 Dec 2020 21:56:51 +
> From:   Jeff Joshua Rollin 
>
>
>
>
>
> Oops, forgot to reply to the list. Sorry for the duplicate, Mihai.
>
>
> On 03/12/2020 01:18, Mihai Popescu wrote:
> > I have only good wishes for the project, but I still don't get one thing:
> > why do some people start to behave oddly whenever Apple comes into
> > discussion.
> > They are doing a proprietary thing, closed as hell, no documentation
> > and so
> > on. Why is this impulse to write code for such a thing. Just asking ...
>
> Apple make great products. My iMac, which is nearly ten years old, runs
> without problems even today (try that with Windows). iPads and iPhones
> have much better lifetimes than Android devices - we'll see if the
> increasing number of devices running "real Linux" make a dent in the
> market, but either way there are AFAIK no phones using any of the BSDs
> (unless you count macOS/iOS, which for these purposes I don't) anyway.
>
> Other than the fact that the platform is proprietary, the only other
> thing that annoys me about Macs, and always has, is their half-arsed
> attempt at a British keyboard, which unless it's changed since my iMac
> was manufactured still puts @ and " in the wrong places for Brits -
> exactly the opposite places on a US keyboard. (Even Commodore, infamous
> in its day for reliability problems and which bought the Amiga company
> in what no less august an institution than Amiga Format magazine called
> "a rare fit of insight," managed that one.) Fortunately, if you also use
> Linux/UNIX, the problem of switching between keyboards with @ and " in
> 'the wrong place' is easily solved for X11 by selecting a Mac UK
> keyboard in the software settings even on a PC. (They did stubbornly
> stick with that crap butterfly keyboard for four years, for reasons
> presumably best known to themselves, but luckily that era also seems to
> be over, and I didn't bother buying one during that time, for that and
> other reasons.)
>
> As for the proprietaryness, other than the fact that it's a nice new
> hardware architecture as other people have mentioned, pretty much every
> other architecture OpenBSD, NetBSD and Linux has ever run on (Amiga, Sun
> and VAX, for example) is/was proprietary. And that's without considering
> the closed peripherals (without which OpenBSD wouldn't have to eschew
> NDAs) or the BMC on a Wintel - heaven knows what that thing really gets
> up to.
>
> My £0.02
>
> Jeff.
>
>

-- 
Kindest regards,
Tom Smyth.

