Re: coverity running on OpenBSD to scan a port
Thanks for that... I'll set up a test system so ... Thanks

On Thu, 13 Apr 2023 at 07:33, Stuart Henderson wrote:
>
> On 2023-04-12, Tom Smyth wrote:
> > does anyone have experience on running coverity on OpenBSD ...
> > I'm trying to scan a port I'm maintaining at the minute...
> > there does not seem to be binaries for coverity for OpenBSD
>
> I don't think you can - afaik those scans are normally done on linux.
>

--
Kindest regards,
Tom Smyth.
coverity running on OpenBSD to scan a port
Folks,
does anyone have experience on running coverity on OpenBSD ...
I'm trying to scan a port I'm maintaining at the minute...
there does not seem to be binaries for coverity for OpenBSD
Thanks

--
Kindest regards,
Tom Smyth.
Re: How to announce over OSPF only one IP address
hello Radek,
You can do the route add command as part of bringing up a network interface
We often put a separate loopback address on an interface to make an address available via OSPF on our network...
if you add in a loopback interface with the /32 route and then add the loopback interface to your ospf area in your ospfd.conf file
Note when you redistribute a static address it will appear as an external route in the link state advertisements from the router ... (it won't be an intra area route) which can affect the route metric during the route selection process...
Thanks
Tom Smyth

On Wed, 8 Feb 2023 at 14:41, Radek wrote:
>
> Hello Bradley,
> thank you, your setup works the way I need.
>
> I can't deal with adding the static route permanently. I have to add the
> static route by hand (route add 10.1.111.11/32 10.1.111.1) after reboot.
> Did I miss something?
>
> [10.109.3.15] $ cat /etc/hostname.vr0
> -inet
> dhcp
> #inet 10.109.3.15 255.255.255.0
> !sleep 60
> !route add 10.1.111.11/32 10.1.111.1
>
> After reboot it looks like this:
>
> [10.109.3.15] $ route -n show
> Routing tables
>
> Internet:
> Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> default            10.109.3.254       UGS        5       15     -     8 vr0
> 224/4              127.0.0.1          URS        0       59 32768     8 lo0
> 10.1.100/24        10.1.100.1         Cn         0        0     -     4 vr1
> 10.1.100.1         00:00:24:cb:4f:cd  UHLl       0        0     -     1 vr1
> 10.1.100.255       10.1.100.1         Hb         0        0     -     1 vr1
> 10.1.111/24        10.1.111.1         UCn        1        0     -     4 vr3
> 10.1.111.1         00:00:24:cb:4f:cf  UHLl       0        3     -     1 vr3
> 10.1.111.11        00:00:24:cb:4f:d0  UHLc       0        2     -     3 vr3
> 10.1.111.255       10.1.111.1         UHb        0        0     -     1 vr3
> 10.1.222/24        10.109.3.16        UG         0        0     -    32 vr0
> 10.109.3/24        10.109.3.15        UCn        3       40     -     4 vr0
> 10.109.3.10        a4:bb:6d:d6:5a:a4  UHLc       1       29     -     3 vr0
> 10.109.3.15        00:00:24:cb:4f:cc  UHLl       0       13     -     1 vr0
> 10.109.3.16        00:00:24:cd:90:10  UHLch      1       26     -     3 vr0
> 10.109.3.254       00:0d:b9:35:39:29  UHLch      1       31     -     3 vr0
> 10.109.3.255       10.109.3.15        UHb        0        0     -     1 vr0
> 127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
> 127.0.0.1          127.0.0.1          UHhl       1        2 32768     1 lo0
>
>
> On Tue, 7 Feb 2023 17:54:27 +1100
> Bradley Latus wrote:
>
> > Hi all,
> >
> > I have done an experiment.
> >
> > If your interface is part of an area, it will be advertised always.
> >
> > If you wanted to advertise only /32 this is how I got mine to work.
> > Ensure your interface vr3 is not in your ospf area
> >
> > Add a static route to the one you wish to advertise, it appears that unless
> > a route exists on the machine you cannot redistribute a random ip.
> >
> > So route add 10.1.111.11/32 10.1.111.1
> >
> > Then you can redistribute your /32
> >
> >
> >
> > router-id 10.109.3.15
> > redistribute 10.1.111.11/32
> >
> > area 0.0.0.0 {
> >     interface vr0
> > }
> >
> >
> >
> > On Tue, 7 Feb 2023, 02:46 Radek, wrote:
> >
> > > Hello,
> > > > I’d check the databases on both sides.
> > > > And flush/reload the config and fibs.
> > > I reloaded and restarted OSPFd on both sides - nothing changes. Then, I
> > > rebooted routers on both sides - nothing changes.
> > > I still can see/ping the whole 10.1.111.0/24 subnet from the far end.
> > >
> > > [10.109.3.15]$ ospfctl show database router
> > >
> > > Router Link States (Area 0.0.0.0)
> > >
> > > LS age: 238
> > > Options: -|-|-|-|-|-|E|-
> > > LS Type: Router
> > > Link State ID: 10.109.3.15
> > > Advertising Router: 10.109.3.15
> > > LS Seq Number: 0x8016
> > > Checksum: 0x6d0a
> > > Length: 48
> > > Flags: *|*|*|*|*|-|E|-
> > > Number of Links: 2
> > >
> > > Link connected to: Stub Network
> > > Link ID (Network ID): 10.1.111.0
> > > Link Data (Network Mask): 255.255.255.0
> > > Metric: 10
> > >
> > > Link connected to: Transit Network
> > > Link ID (Designated Router address): 10.109.3.16
> > > Link Data (Router Interface address): 10.109.3.1
Re: Folks are there any tips to improve page load times on smokeping running on OpenBSD
I think I understand better. Now .. but is there still a security benefit from having the different services in their own jails ? (even if the jail cells come with their own metaphorical swimming pool and armoury ) or is it that the jails don’t offer enough compared with the additional workload of managing multiple copies of libraries/binaries in the system... ?

On Thu, 9 Mar 2023 at 12:29, Stuart Henderson wrote:
>
> On 2023/03/08 10:10, Glen Gunsalus wrote:
> >
> > On 3/7/23 15:33, Stuart Henderson wrote:
> > > On 2023-03-07, Glen Gunsalus wrote:
> > > > To get this running cp'd perl (/usr/bin/perl) and relevant perl libs
> > > > (/usr/lib/[libs.so|libm.so|libperl.so] /usr/libexec/ld.so) to
> > > > /var/www/usr/[bin|lib|libexec]
> > >
> > > You shouldn't need that bit (and it is safer not to) - smokeping_fcgi
> > > does not chroot.
> > >
> >
> > Hmm, I did this on the basis of a post by you (5/11/20) in response to Tom
> > (5/10/20) which I interpreted as needing several files moved into www
> > "jail."
>
> No that was me saying "this software is not really meant to work with
> chroot and if you're copying enough into the chroot that it works,
> you're providing a lot of extra tools to someone who is able to execute
> code within the jail"
>
> > quote--
> > bgplg is designed to run in a jail, it is a small C program and even
> > then it needs specially compiled versions of the external dependencies
> > (ping, bgpctl etc).
> >
> > Smokeping isn't - if you want to run the graph generating part of
> > smokeping (i.e. the cgi/fcgi script) inside a chroot jail, a whole lot
> > more is needed - a copy of perl and various modules, rrdtool,
> > rrdtool's library dependencies, fonts, and I think there were config
> > files for some of the libraries. I did this in the past but it's a
> > real mess and easy to break at update time, and the amount of things
> > copied in means that the chroot ends up more as "luxury camping" than
> > "jail"
> > end quote---
> >
> > I had been running smokeping and mrtg with apache for a number of years,
> > but when OpenBSD abandoned apache I looked at nginx for transition then
> > httpd came along and looked both more attractive and likely to be more long
> > lived under OpenBSD.
> >
> > It was Tom's post that got me started down the httpd path. I have been
> > running with httpd since that time.
> > I can't remember the details, but think I initially tried w/o the cp'd
> > files, but was not successful so began incrementally moving goodies into
> > /var/www until it worked.
> > I will try rm'ing or mv'ing those in /var/www and see how it goes.
> >
> > Thanks for your help.
> >
> > Regards, Glen
>

--
Kindest regards,
Tom Smyth.
Re: Folks are there any tips to improve page load times on smokeping running on OpenBSD
Morning Glen, Stuart all,
yep ... Stuart's comments re chroot glamping vs chroot jails made me giggle all right...
the way I think I have it working is that smokeping and rrdcached are running outside the jail with symbolic links to sockets inside the httpd chroot jail /var/www/... and httpd picks up those sockets and plays with them inside the jail...

relevant output from my ps -aux list

USER       PID %CPU %MEM   VSZ    RSS TT  STAT STARTED    TIME COMMAND
_smokepi 98525  9.7  1.3 98040 111580 ??  S    6:31AM  1:03.00 /usr/bin/perl /usr/local/bin/smokeping_cgi /etc/smokeping/config
_rrdcach 67082  0.0  0.1  9272   7952 ??  S    6:31AM  0:03.21 /usr/local/bin/rrdcached -b /var/db/smokeping -B -m 770 -l unix:/var/www/run/rrd
_smokepi 25394  0.0  0.1 43244  10536 ??  I    6:31AM  0:00.03 /usr/bin/perl /usr/local/bin/smokeping
_smokepi 57899  0.0  0.3 43752  21276 ??  S    6:31AM  0:01.31 perl: /usr/local/bin/smokeping [FPing] (perl)
_smokepi 74710  0.4  0.3 43244  21480 ??  S    6:31AM  0:03.49 perl: /usr/local/bin/smokeping [DNS] (perl)
_smokepi 76253  0.2  0.0  2892   2916 ??  Sp   6:47AM  0:00.15 /usr/local/sbin/fping -C 61 -q -B1 -r1 -b64 -t125 -i10 -p1 10.20.127.2 10.139.25...

when I get around to it ... I would like rrdcached and smokeping in another / separate glamping site / luxury chroot jail to the cgi binary...

Comments thoughts welcome ...

On Wed, 8 Mar 2023 at 19:26, Glen Gunsalus wrote:
>
>
> On 3/7/23 15:33, Stuart Henderson wrote:
> > On 2023-03-07, Glen Gunsalus wrote:
> >> To get this running cp'd perl (/usr/bin/perl) and relevant perl libs
> >> (/usr/lib/[libs.so|libm.so|libperl.so] /usr/libexec/ld.so) to
> >> /var/www/usr/[bin|lib|libexec]
> >
> > You shouldn't need that bit (and it is safer not to) - smokeping_fcgi
> > does not chroot.
> >
>
> Hmm, I did this on the basis of a post by you (5/11/20) in response to Tom
> (5/10/20) which I interpreted as needing several files moved into www "jail."
>
> quote--
> bgplg is designed to run in a jail, it is a small C program and even
> then it needs specially compiled versions of the external dependencies
> (ping, bgpctl etc).
>
> Smokeping isn't - if you want to run the graph generating part of
> smokeping (i.e. the cgi/fcgi script) inside a chroot jail, a whole lot
> more is needed - a copy of perl and various modules, rrdtool,
> rrdtool's library dependencies, fonts, and I think there were config
> files for some of the libraries. I did this in the past but it's a
> real mess and easy to break at update time, and the amount of things
> copied in means that the chroot ends up more as "luxury camping" than
> "jail"
> end quote---
>
> I had been running smokeping and mrtg with apache for a number of years, but
> when OpenBSD abandoned apache I looked at nginx for transition then httpd
> came along and looked both more attractive and likely to be more long lived
> under OpenBSD.
>
> It was Tom's post that got me started down the httpd path. I have been
> running with httpd since that time.
> I can't remember the details, but think I initially tried w/o the cp'd files,
> but was not successful so began incrementally moving goodies into /var/www
> until it worked.
> I will try rm'ing or mv'ing those in /var/www and see how it goes.
>
> Thanks for your help.
>
> Regards, Glen
>

--
Kindest regards,
Tom Smyth.
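Stuart's warning (copying perl and its libraries into /var/www hands tools to anyone who gets code execution inside the jail) and the socket-only layout Tom describes above both reduce to one check. Added example, not from the thread or from the smokeping port: a POSIX sh audit that lists unix sockets (expected) and ELF binaries or shared objects (unexpected) under an httpd chroot; the function names and the constructed demo tree are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or the smokeping port): audit an httpd
# chroot such as /var/www for ELF executables and shared libraries.  With the
# socket-only layout discussed above (smokeping_fcgi and rrdcached outside the
# jail, only their unix sockets inside) the "elf:" report should be empty;
# leftovers from a "copy perl and libperl.so into /var/www" attempt show up.
# Function names and the DIR argument are this example's own.

# is_elf FILE: true if FILE begins with the ELF magic bytes 7f 45 4c 46.
# dd is used instead of head -c because head -c is not available everywhere.
is_elf() {
    [ -f "$1" ] || return 1
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# audit_chroot DIR: print "socket: PATH" for each unix socket (expected,
# these are the fastcgi / rrdcached endpoints) and "elf: PATH" for each ELF
# file (unexpected in a static-content chroot).
audit_chroot() {
    dir=${1:-/var/www}
    find "$dir" -type s 2>/dev/null | while read -r s; do
        printf 'socket: %s\n' "$s"
    done
    find "$dir" -type f 2>/dev/null | while read -r f; do
        if is_elf "$f"; then
            printf 'elf: %s\n' "$f"
        fi
    done
}

# count_elf DIR: echo the number of ELF files under DIR (0 means clean).
count_elf() {
    n=0
    # a temp file keeps the counter out of a pipeline subshell
    list=$(mktemp) || return 1
    find "${1:-/var/www}" -type f 2>/dev/null > "$list"
    while read -r f; do
        if is_elf "$f"; then n=$((n + 1)); fi
    done < "$list"
    rm -f "$list"
    echo "$n"
}

if [ $# -gt 0 ]; then
    audit_chroot "$1"   # audit a real chroot root given on the command line
else
    # Constructed demo tree: one html file and a fake ELF header standing in
    # for a copied-in /usr/bin/perl.  The audit reports only the latter.
    demo_dir=$(mktemp -d)
    mkdir -p "$demo_dir/htdocs" "$demo_dir/usr/bin"
    echo '<html></html>' > "$demo_dir/htdocs/index.html"
    printf '\177ELF\002\001\001' > "$demo_dir/usr/bin/perl"
    audit_chroot "$demo_dir"
    echo "elf files found: $(count_elf "$demo_dir")"
    rm -rf "$demo_dir"
fi
```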
Re: Upgrading from 7.2 stable to 7.3 current dig crashes (core-dumped) breaking smokeping
Folks,
just on this changing the binary /usr/sbin/dig... to /usr/bin/dig and going from 7.2 to 7.3 massive drop in latency of queries in a local dns server in the same datacentre ... just thought it would be useful ... before and after smoke graph below

On Tue, 7 Mar 2023 at 14:30, Tom Smyth wrote:
>
> Hi Peter,
>
> Thanks for that ... you are 100% correct... I was caught off guard with
> that thanks ...
>
> I think I need to go through my upgrades ... for more RmFiles... :/
>
> Thanks it worked just fine...
>
> Much Obliged,
>
> Tom Smyth
>
>
> On Tue, 7 Mar 2023 at 12:48, Peter Hessler wrote:
>>
>> On 2023 Mar 07 (Tue) at 12:42:33 + (+), Tom Smyth wrote:
>> :Folks upgrading from 7.2 to 7.3 current snapshot
>> :dig seems to crash ...
>> :
>> :
>> :/usr/sbin/dig localhost
>> :Bad system call (core dumped)
>> :
>>
>> dig (et al) moved from /usr/sbin/ to /usr/bin/ in 6.7, you should update
>> your config to use the currently supported binary.
>>
>> https://www.openbsd.org/faq/upgrade67.html#RmFiles
>>
>>
>> --
>> We will have solar energy as soon as the utility companies solve one
>> technical problem -- how to run a sunbeam through a meter.
>
>
>
> --
> Kindest regards,
> Tom Smyth.

--
Kindest regards,
Tom Smyth.
Re: Folks are there any tips to improve page load times on smokeping running on OpenBSD
Folks,
Just to say keeping rrdcached for smokeping, and just using the smokeping.sock

server "default" {
    listen on * port 80
    location "/smokeping/smokeping.fcgi*" {
        fastcgi {
            socket "/run/smokeping.sock"
        }
    }
}

is way faster ... for the user interface... ... I'll let you know if there are any negative impact on the graphs ...
Thanks
Tom Smyth

On Wed, 8 Mar 2023 at 15:21, Tom Smyth wrote:
>
> Hello
> I found that RRDCached helps with the gaps in the graphs... (write
> i/o burst smoothing) (which is the main reason I went with rrdcached
>
> but it did not help so much on the user interface / web rendering front ...
> (perhaps I could try (if it is even possible) to try the following
>
> write rrds using smokeping --> rrdcached --> rrdfile
> and separately read
> rrdfile --> smokeping_fcgi --> httpd
> or does rrdcached need to exclusively manage I/O ( read and write)
> with the rrd files. ?
> I'll investigate this a bit more ... (comments and ideas welcome ..
>
> On Wed, 8 Mar 2023 at 14:16, Stuart Henderson wrote:
> >
> > On 2023/03/07 14:38, Tom Smyth wrote:
> > > the config below seems to get rrdcached working with httpd in OpenBSD.
> > > ...
> >
> > Thanks, I've added this to the pkg-readme.
> >
> > > the loading of the smokeping detailed graphs still takes a while ... but
> > > I
> > > will do further diagnostics...
> >
> > Do check to make sure that using rrdcached does actually improve things
> > for your setup, you might find that it doesn't.
> >
>
>
> --
> Kindest regards,
> Tom Smyth.

--
Kindest regards,
Tom Smyth.
Re: Folks are there any tips to improve page load times on smokeping running on OpenBSD
Hello
I found that RRDCached helps with the gaps in the graphs... (write i/o burst smoothing) (which is the main reason I went with rrdcached

but it did not help so much on the user interface / web rendering front ...
(perhaps I could try (if it is even possible) to try the following

write rrds using smokeping --> rrdcached --> rrdfile
and separately read
rrdfile --> smokeping_fcgi --> httpd
or does rrdcached need to exclusively manage I/O ( read and write) with the rrd files. ?
I'll investigate this a bit more ... (comments and ideas welcome ..

On Wed, 8 Mar 2023 at 14:16, Stuart Henderson wrote:
>
> On 2023/03/07 14:38, Tom Smyth wrote:
> > the config below seems to get rrdcached working with httpd in OpenBSD. ...
>
> Thanks, I've added this to the pkg-readme.
>
> > the loading of the smokeping detailed graphs still takes a while ... but I
> > will do further diagnostics...
>
> Do check to make sure that using rrdcached does actually improve things
> for your setup, you might find that it doesn't.
>

--
Kindest regards,
Tom Smyth.
Re: Folks are there any tips to improve page load times on smokeping running on OpenBSD
ce" 7d
"Last 14 Days Performance" 14d
"Last 28 Days Performance" 28d
"Last 100 Days Performance" 100d

#+ hierarchies
#++ owner
#title = Host Owner
#++ location
#title = Location

*** Probes ***

#+basefork
#forks = 8
#offset = 50%
#step = 90
#timeout = 1

+ FPing
blazemode = true
binary = /usr/local/sbin/fping
packetsize = 64
hostinterval = 0.001
timeout = 0.125
offset = random

+ DNS
binary = /usr/bin/dig # mandatory
forks = 5
offset = 50%
step = 30
timeout = 15
# The following variables can be overridden in each target section
lookup = bbc.co.uk
pings = 30
server = [redacted]

+ TCPPing
binary = /usr/local/sbin/hping
forks = 5
offset = 50%
step = 300
timeout =10

#*** Slaves ***
#secrets=/etc/smokeping/smokeping_secrets
#+boomer
#display_name=boomer
#color=ff
#+slave2
#display_name=another
#color=00ff00

*** Targets ***

probe = FPing
menu = Top
title = Wireless Connect Network Latency Grapher
remark = SmokePing of Wireless Connect Ltd. \
This Tool Shows the latency of the \
Wireless Connect network.
alerts = Sustained_5%_loss,Sudden_10%_Loss,Sporadic_Loss,Latency_Over_50ms,Offline_at_startup

#########config-sniped#

smoke1# rcctl ls started
cron
dhcpleased
httpd
ntpd
pflogd
resolvd
rrdcached
smokeping
smokeping_fcgi
smtpd
sshd
syslogd

On Tue, 7 Mar 2023 at 14:38, Tom Smyth wrote:
>
> Hi Stuart,...
> I'm running 2 cores as I'm a miser with my VMS in terms of CPU allocation
> ... ( I don't like spending time on the bare metal splitting cherries ) (more
> context switches than work being done) ...
>
> Got my system upgraded... thanks ... and fixed my old /usr/sbin/dig
> (old..no longer working) to /usr/bin/dig
> the initial load seems to be quicker ... and opening a page seems to put
> more load on rrdcached... process alright
> the config below seems to get rrdcached working with httpd in OpenBSD. ...
>
> the loading of the smokeping detailed graphs still takes a while ... but I
> will do further diagnostics...
>
>
>
> This is my setup
>
> #httpd.conf###
> server "default" {
>     listen on * port 80
>     location "/smokeping/smokeping.fcgi*" {
>         fastcgi {
>             socket "/run/smokeping.sock"
>             param RRDCACHED_ADDRESS "unix:/var/www/run/rrd/rrdcached.sock"
>         }
>         root "/"
>     }
> ###
>
> top output below when loading a web page
>
>
> load averages: 2.09, 1.82, 1.07                         smoke1 14:36:27
> 42 processes: 40 idle, 2 on processor                   up 0 days 00:11:09
> CPU0 states: 53.2% user, 0.0% nice, 6.8% sys, 0.2% spin, 2.2% intr, 37.6% idle
> CPU1 states: 33.1% user, 0.0% nice, 10.6% sys, 1.4% spin, 0.0% intr, 54.9% idle
> Memory: Real: 208M/1758M act/tot Free: 6160M Cache: 882M Swap: 0K/0K
>
>   PID USERNAME PRI NICE  SIZE   RES STATE     WAIT      TIME    CPU COMMAND
> 57245 _rrdcach   2    0   41M   36M onproc/0  kqread    3:13 30.62% rrdcached
> 99560 _smokepi   2    0   74M   88M sleep/1   netio     1:01 10.55% perl
> 73953 _smokepi   2    0 2632K 2660K sleep/0   kqread    0:00  0.20% fping
> 77717 _smokepi  10    0   42M   20M sleep/0   nanoslp   0:02  0.00% perl
>     1 root      10    0  644K  628K idle      wait      0:01  0.00% init
> 67291 _smokepi  -6    0   42M   20M idle      piperd    0:01  0.00% perl
> 72553 root       3    0  948K  924K idle      ttyin     0:00  0.00% ksh
> 84133 _pflogd    4    0  776K 1620K sleep/0   bpf       0:00  0.00% pflogd
> 74456 _smtpq     2    0 1656K 3484K idle      kqread    0:00  0.00% smtpd
> 58541 _ntp       2  -20 1408K 3320K sleep/1   kqread    0:00  0.00% ntpd
> 22630 root       2    0 1204K 4160K idle      kqread    0:00  0.00% sshd
> 20724 www        2    0 1908K 3944K sleep/1   kqread    0:00  0.00% httpd
> 27618 www        2    0 2256K 4276K idle      kqread    0:00  0.00% httpd
> 81375 _syslogd   2    0 1228K 1524K idle      kqread    0:00  0.00% syslogd
> 77400 _smokepi  18    0   42M   10M idle      sigsusp   0:00  0.00% perl
> 39827 root      28    0 1224K 2512K onproc/1  -         0:00  0.00% top
> 79586 _smtpd     2    0 1936K 4828K idle      kqread    0:00  0.00% smtpd
> 18799 fireman    2    0 1396K 3340K sleep/0   kqread    0:00  0.00% sshd
> 20179 www        2    0 1320K 3324K idle      kqread    0:00  0.00% httpd
> 45288 root      18    0  944K  916K idle      sigsusp   0:00  0.00% ksh
> 51902 root       2    0  760K 2548K idle      netio     0:00  0.00% syslogd
> 37356 www        2    0 1332K 3180K idle      kqread    0:00  0.00% httpd
> 82428 root
Re: Folks are there any tips to improve page load times on smokeping running on OpenBSD
Hi Stuart,...
I'm running 2 cores as I'm a miser with my VMS in terms of CPU allocation ... ( I don't like spending time on the bare metal splitting cherries ) (more context switches than work being done) ...

Got my system upgraded... thanks ... and fixed my old /usr/sbin/dig (old..no longer working) to /usr/bin/dig
the initial load seems to be quicker ... and opening a page seems to put more load on rrdcached... process alright
the config below seems to get rrdcached working with httpd in OpenBSD. ...

the loading of the smokeping detailed graphs still takes a while ... but I will do further diagnostics...

This is my setup

#httpd.conf###
server "default" {
    listen on * port 80
    location "/smokeping/smokeping.fcgi*" {
        fastcgi {
            socket "/run/smokeping.sock"
            param RRDCACHED_ADDRESS "unix:/var/www/run/rrd/rrdcached.sock"
        }
        root "/"
    }
###

top output below when loading a web page

load averages: 2.09, 1.82, 1.07                         smoke1 14:36:27
42 processes: 40 idle, 2 on processor                   up 0 days 00:11:09
CPU0 states: 53.2% user, 0.0% nice, 6.8% sys, 0.2% spin, 2.2% intr, 37.6% idle
CPU1 states: 33.1% user, 0.0% nice, 10.6% sys, 1.4% spin, 0.0% intr, 54.9% idle
Memory: Real: 208M/1758M act/tot Free: 6160M Cache: 882M Swap: 0K/0K

  PID USERNAME PRI NICE  SIZE   RES STATE     WAIT      TIME    CPU COMMAND
57245 _rrdcach   2    0   41M   36M onproc/0  kqread    3:13 30.62% rrdcached
99560 _smokepi   2    0   74M   88M sleep/1   netio     1:01 10.55% perl
73953 _smokepi   2    0 2632K 2660K sleep/0   kqread    0:00  0.20% fping
77717 _smokepi  10    0   42M   20M sleep/0   nanoslp   0:02  0.00% perl
    1 root      10    0  644K  628K idle      wait      0:01  0.00% init
67291 _smokepi  -6    0   42M   20M idle      piperd    0:01  0.00% perl
72553 root       3    0  948K  924K idle      ttyin     0:00  0.00% ksh
84133 _pflogd    4    0  776K 1620K sleep/0   bpf       0:00  0.00% pflogd
74456 _smtpq     2    0 1656K 3484K idle      kqread    0:00  0.00% smtpd
58541 _ntp       2  -20 1408K 3320K sleep/1   kqread    0:00  0.00% ntpd
22630 root       2    0 1204K 4160K idle      kqread    0:00  0.00% sshd
20724 www        2    0 1908K 3944K sleep/1   kqread    0:00  0.00% httpd
27618 www        2    0 2256K 4276K idle      kqread    0:00  0.00% httpd
81375 _syslogd   2    0 1228K 1524K idle      kqread    0:00  0.00% syslogd
77400 _smokepi  18    0   42M   10M idle      sigsusp   0:00  0.00% perl
39827 root      28    0 1224K 2512K onproc/1  -         0:00  0.00% top
79586 _smtpd     2    0 1936K 4828K idle      kqread    0:00  0.00% smtpd
18799 fireman    2    0 1396K 3340K sleep/0   kqread    0:00  0.00% sshd
20179 www        2    0 1320K 3324K idle      kqread    0:00  0.00% httpd
45288 root      18    0  944K  916K idle      sigsusp   0:00  0.00% ksh
51902 root       2    0  760K 2548K idle      netio     0:00  0.00% syslogd
37356 www        2    0 1332K 3180K idle      kqread    0:00  0.00% httpd
82428 root       2    0 1472K 2284K idle      kqread    0:00  0.00% httpd
62829 _ntp       2    0  908K 2772K idle      kqread    0:00  0.00% ntpd
89278 root       2    0  872K 1524K idle      kqread    0:00  0.00% cron
16265 _smtpd     2    0 1652K 3472K idle      kqread    0:00  0.00% smtpd
46732 _smtpd     2    0 1456K 3304K idle      kqread    0:00  0.00% smtpd
 3405 root       2  -20 1264K 1956K idle      kqread    0:00  0.00% ntpd
30532 root       2    0 1716K 2164K idle      kqread    0:00  0.00% smtpd

On Tue, 7 Mar 2023 at 08:36, Stuart Henderson wrote:
> On 2023/03/07 07:10, Tom Smyth wrote:
> > I'm running smokeping fcgi and rrdcached on top of OpenBSD, to smokeping
> > about 150 devices
> > the page load times can take 30 seconds to 1 minute,
> > is there any way to speed this up.
> >
> > I'm running 7.2 OpenBSD on amd64 vm on top of an SSD array
> >
> > any tips tricks welcome ...
>
> One quick thing to try is updating to -current, I made some changes to
> the rrdtool port which may possibly help a little.
>
> Check that smokeping is actually using rrdcached (watch top while
> opening a page) - the pkg-readme only gives instructions for passing the
> required fastcgi variable through for nginx, I don't know how to do that
> for httpd (or whether it's actually possible).
>
> Other than that, rrdtool/rrdcached is just slow on OpenBSD. If it's
> anything like mine you'll see high cpu spin % in top while it's busy.
> You can try changing the number of cores in the VM - if you've given it
> lots of cores try *reducing* it a bit. To pick a number out of the air
> I'd suggest probably 4-6. (mine is bare metal and I can't drop the
> number short of kernel hac
Re: Upgrading from 7.2 stable to 7.3 current dig crashes (core-dumped) breaking smokeping
Hi Peter,

Thanks for that ... you are 100% correct... I was caught off guard with that thanks ...

I think I need to go through my upgrades ... for more RmFiles... :/

Thanks it worked just fine...

Much Obliged,

Tom Smyth

On Tue, 7 Mar 2023 at 12:48, Peter Hessler wrote:
> On 2023 Mar 07 (Tue) at 12:42:33 + (+), Tom Smyth wrote:
> :Folks upgrading from 7.2 to 7.3 current snapshot
> :dig seems to crash ...
> :
> :
> :/usr/sbin/dig localhost
> :Bad system call (core dumped)
> :
>
> dig (et al) moved from /usr/sbin/ to /usr/bin/ in 6.7, you should update
> your config to use the currently supported binary.
>
> https://www.openbsd.org/faq/upgrade67.html#RmFiles
>
>
> --
> We will have solar energy as soon as the utility companies solve one
> technical problem -- how to run a sunbeam through a meter.
>

--
Kindest regards,
Tom Smyth.
Upgrading from 7.2 stable to 7.3 current dig crashes (core-dumped) breaking smokeping
0 lun 0:
sd0: 32768MB, 512 bytes/sector, 67108864 sectors, thin
virtio0: msix per-VQ
virtio1 at pci6 dev 18 function 0 "Qumranet Virtio Network" rev 0x00
vio0 at virtio1: address aa:2a:39:0b:78:b1
virtio1: msix shared
ppb6 at pci5 dev 2 function 0 "Red Hat Qemu PCI-PCI" rev 0x00
pci7 at ppb6 bus 7
ppb7 at pci5 dev 3 function 0 "Red Hat Qemu PCI-PCI" rev 0x00
pci8 at ppb7 bus 8
ppb8 at pci5 dev 4 function 0 "Red Hat Qemu PCI-PCI" rev 0x00
pci9 at ppb8 bus 9
pcib0 at pci0 dev 31 function 0 "Intel 82801IB LPC" rev 0x02
ahci0 at pci0 dev 31 function 2 "Intel 82801I AHCI" rev 0x02: msi, AHCI 1.0
ahci0: port 1: 1.5Gb/s
scsibus2 at ahci0: 32 targets
cd0 at scsibus2 targ 1 lun 0: removable
ichiic0 at pci0 dev 31 function 3 "Intel 82801I SMBus" rev 0x02: apic 0 int 16
iic0 at ichiic0
usb2 at uhci0: USB revision 1.0
uhub2 at usb2 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci1: USB revision 1.0
uhub3 at usb3 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb4 at uhci2: USB revision 1.0
uhub4 at usb4 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb5 at uhci3: USB revision 1.0
uhub5 at usb5 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb6 at uhci4: USB revision 1.0
uhub6 at usb6 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb7 at uhci5: USB revision 1.0
uhub7 at usb7 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
vmm0 at mainbus0: VMX/EPT (using slow L1TF mitigation)
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
root on sd0a (59cdf031e4c1fe67.a) swap on sd0b dump on sd0b

smoke1# uname -va
OpenBSD smoke1server.com 7.3 GENERIC.MP#1094 amd64

--
Kindest regards,
Tom Smyth.
Folks are there any tips to improve page load times on smokeping running on OpenBSD
#config-sniped#########

smoke1# rcctl ls started
cron
dhcpleased
httpd
ntpd
pflogd
resolvd
rrdcached
smokeping
smokeping_fcgi
smtpd
sshd
syslogd

--
Kindest regards,
Tom Smyth.
Re: fragmented ipv4[udp] ignored by server.
s-Challenge id=4
> 11 0.164158 10.10.2.10 ? 10.10.2.1  RADIUS 1372 Access-Request id=5
> 12 0.265514 10.10.2.1  ? 10.10.2.10 RADIUS 161  Access-Challenge id=5
> 13 0.266328 10.10.2.10 ? 10.10.2.1  RADIUS 191  Access-Request id=6
> 14 0.284607 10.10.2.1  ? 10.10.2.10 RADIUS 226  Access-Accept id=6
>
> Question: How to avoid altering fragment_size to get this working ?
>
> Some clients could not be set so easily like phones.
>
> Thank you.
>
> Mikhael.
>

--
Kindest regards,
Tom Smyth.
Re: Lightweight Web browser
Hi Riccardo,
One thing to consider, a little off topic... is that hangs can be related to firewall / proxy rules / systems in place (to block advertising/ other content ) being filtered, depending on the method of blocking, requests made by the browsers to specific web application sites (and their java script collateral) may actually have to timeout (rather than be refused quickly) and so the web page / application can appear to hang,
network layer (ip) blocking can lead to request timeouts which can really slow down an interactive web app
chrome with debug / developer tools can show you this issue (of network timeouts for certain applications
I hope this helps,
Tom Smyth

On Mon, 6 Feb 2023 at 15:41, Riccardo Mottola wrote:
> Hi,
>
> Rodrigo Readi wrote:
> > Can someone recommend a lightweight Browser that support javascript?
>
> "Lightweight" is a hard term here... there are several options. But if
> you need heavy usage - gmail, youtube and similar, at the end you need a
> gecko, blink or webkit engine and so there things become equal.
> Are you pressed by RAM or CPU?
> E.g. in my experience Firefox was never "lighter" than seamonkey. Opera
> or Bing are at the end similar to Chrome in terms of resources. The
> difference are in "spy" amount.
> I like SeaMonkey but it is lagging behind in packages on most BSDs
> and/or it was removed.
> In my experience, Firefox is much easier on RAM than Chrome(ium) and
> good on more RAM pressed system. Limited Firefox is usable on a good
> 32bit system with 2GB of RAM, but OpenBSD no longer provides firefox there.
>
> My distaste with Firefox is that it took a bad turn after FF52/FF60...
> making horrible design choices - rust included and mocking more and more
> Chrome interface.
>
> > In which I can use gmail?
> >
> > Otter browser hangs and even make core dumping with gmail.
> > Also with chromium I get core dumping sometimes.
> > There is no port for elinks to test it.
>
> You might try your luck with ArcticFox. Login works. Reading messages
> appears to, replying by detaching into a separate panel does not anymore.
>
> ArcticFox received a lot of care since I last tried it with gmail, but
> also gmail is a moving JS target... so you are always at Google's mercy.
>
> Riccardo
>

--
Kindest regards,
Tom Smyth.
Re: How to announce over OSPF only one IP address
Hi Radek,
it is better practice to add ospf network statements to ospfd.conf
(if you don't want to send / receive ospf messages on an interface set the interface to passive in ospfd.conf
avoid redistribute connected (add the network you want to be added to your ospf network) and leave the other network omitted from your ospfd.conf
I hope this helps,

On Sat, 4 Feb 2023 at 20:02, Radek wrote:
> Hello,
> is it possible to announce over OSPF only one (or a few specific) IP
> address instead of the whole subnet?
> If yes.. an ospfd.conf example would be appreciated.
>
> $ cat /etc/hostname.vr3
> inet 10.1.111.1 255.255.255.0
>
> $ cat /etc/ospfd.conf
> router-id 10.109.3.15
> redistribute connected
>
> area 0.0.0.0 {
>     interface vr0
>     interface vr3
> }
>
> Thanks,
> Radek
>

--
Kindest regards,
Tom Smyth.
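Tom's recommendation in this reply and in the later one in the thread (put the /32 on a loopback that is a member of the area so it is flooded as an intra-area route, leave the LAN interface out of the area, and avoid redistribute connected) as an added example that is not from the thread: a POSIX sh helper that renders the hostname.lo1 and ospfd.conf pair into a directory for review and checks an ospfd.conf for the two pitfalls. It keeps Radek's router-id, area and interface names; the loopback address 10.255.0.15 and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: render the ospfd.conf / hostname.lo1
# pair Tom describes and check a config for the two things the thread warns
# about ("redistribute connected", and the LAN interface inside the area).
# router-id 10.109.3.15, area 0.0.0.0, vr0 (uplink) and vr3 (LAN) come from
# the thread; the loopback address 10.255.0.15 and the function names are
# this example's own assumptions.

# render_hostname_lo ADDR: contents of /etc/hostname.loN carrying ADDR/32.
render_hostname_lo() {
    printf 'inet %s 255.255.255.255\n' "$1"
}

# render_ospfd_conf ROUTER_ID AREA UPLINK_IF LO_IF: ospfd.conf in which only
# the uplink and the loopback are area members.  The loopback is passive, so
# its /32 is announced as an intra-area stub link; "redistribute" would have
# produced an AS-external LSA instead, with different metric handling.
render_ospfd_conf() {
    cat <<EOF
router-id $1

area $2 {
    interface $3
    interface $4 {
        passive
    }
}
EOF
}

# check_ospfd_conf FILE HIDDEN_IF: return 0 if FILE neither redistributes
# connected networks nor lists HIDDEN_IF in an area; else print why, return 1.
check_ospfd_conf() {
    rc=0
    if grep -Eq '^[[:space:]]*redistribute[[:space:]]+connected' "$1"; then
        echo "$1: 'redistribute connected' announces every connected subnet"
        rc=1
    fi
    if grep -Eq "^[[:space:]]*interface[[:space:]]+$2([[:space:]]|\$)" "$1"; then
        echo "$1: interface $2 is in an area, so its whole subnet is announced"
        rc=1
    fi
    return $rc
}

# Demo: Radek's original config from the thread fails the check, the
# rendered replacement passes.  Output goes to a temp dir for review,
# never straight into /etc.
out=$(mktemp -d)
cat > "$out/ospfd.conf.before" <<'EOF'
router-id 10.109.3.15
redistribute connected

area 0.0.0.0 {
    interface vr0
    interface vr3
}
EOF
render_ospfd_conf 10.109.3.15 0.0.0.0 vr0 lo1 > "$out/ospfd.conf"
render_hostname_lo 10.255.0.15 > "$out/hostname.lo1"
check_ospfd_conf "$out/ospfd.conf.before" vr3 || echo "before: needs fixing"
check_ospfd_conf "$out/ospfd.conf" vr3 && echo "after: ok, files in $out"
```

After copying the reviewed files into /etc and running sh /etc/netstart lo1 and rcctl reload ospfd, ospfctl show rib on a neighbour should list the /32 as an intra-area route.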
Re: OpenBSD as a transparent switch filter
Hi Christian, if you have Port 20 and 21 isolated from each other ... ie in the same protected port group 0 on the switch... and ports 1-19 in a spearate protected port group eg 1 ports 1-19 can talk to either 20 or 21 and ports 20-21 cannot talk to each other (loop avoidance) then in openBSD Bridge you can add em0 and em1 to the same protected port group eg 3 you can do your filtering then... However... you have to contend with mac flaps on your OpenBSD Bridge (as broadcast traffic from clients will mean that client macs will be learned on both em0 and em1) anotther option and more granularly controlable ... to create 19 vlans... port 1 vlan1, access (untagged) port 2 vlan2 access (untagged) port 3 vlan3 access (untagged) ... .. port 19 vlan 19 access (untagged) make port 20 a trunk (tagged) port on the switch create 19 vlan interfaces in OpenBSD bridge them all together with port isolation or filtering you get around the hair pining etc... but your openbsd box will suffer if there is lots of broadcast traffic (copying frames to multiple ports can be challenging for your CPU) but if you are doing line rate stuff... you may just want to look at vlan maps / Vlan ACLs... (extend acls...) ... on the switch... one piece of advice... on this non standard layer 2 stuff (port isiolation on the switch and bridge is your friend always... in avoiding loops... watch the logs of the switch and cpu.. if the mac flaps are happinging you will see your switch logs (ususally ) moan about it watch your mac address table size and your hardware capacity on your switch...with this stuff... (know your switch hardware capacity and specs) i hope ths helps... On Wed, 25 Jan 2023 at 15:14, Cristian Danila wrote: > Thank you so much Tom and David for giving me ideas where I can dig more. > Definitely it is a good start in this journey and I am researching more. 
> I have exact same situation with Wireless, for the moment all the clients > are > isolated but I need to achieve the same, to filter between them. > I am evaluating also another idea(possible bad idea) like this: > > Switch having all the clients able to talk only with 2 ports: port 20 > and 21 but port 20 and 21 cannot talk direct > Having BSD setup with two NIC's em0 and em1 as transparent filter: veb, > em0 connected to port 20 > em1 connected to port 21 > > In short the only possible way to pass frames from one device to > another is just through port 20 and 21 > > I am aware about headache related to possible loops but I am curious > if it will work. > > > On Wed, Jan 25, 2023 at 2:33 PM Tom Smyth > wrote: > > > > Hey David... > > (I have learned so much from you over the years and used your gear so > maybe I can give a lttle back on this one ) > > > > "Correct use of Proxy arp" Gateway of layer 2 isolated network... > > clients cannot see or hear eachothers arp traffic or discovery traffic > or other broadcast nasties > > so gateway knows everyones correct arp entry (because it can see > everyone and everyone can see the gateway0 > > gateway knows correct arp entries for 2 example clients clienta and > clientb > > > > if client a wants to talk to client b ...they are isolated in layer 2 > ...so arp between them is not posible... > > enable proxy arp on gateway client a asks for clientbs mac address in > an arp request > > gateway responds to client a with gateway mac address for clientb Ip > address > > client a sends traffic for client b ip to gateway.mac .. gateway routes > the traffic to client b ip via its connected route and correct arp address > for client b > > client B asks for clienta mac address... in an arp request... 
> > gateway responds with an ARP reply for clienta IP with its own MAC
> > address
> > client b sends traffic for client a IP to the gateway MAC address,
> > gateway routes the traffic to client a via its connected route + correct
> > ARP entry for client a
> >
> > ---
> > proxy ARP is (kind of) useful in a LAN gateway (LAN interface only) where
> > the IT admin hasn't a handle on routing and gives VPN clients an IP in the
> > same range as the LAN in the office..
> > Proxy ARP allows the gateway to respond to ARP requests for the VPN
> > client IP... (but it is no substitute for teaching an IT person how to
> > route and design/number networks)
> >
> > --- incorrect use of proxy ARP ---
> > EVERYWHERE ELSE ... (sorry for shouting )
> >
> > PS: I hate proxy ARP ... but it is useful in allowing client - client
> > communications while minimising broadcast waste of bandwidth (on large
> > wireless access networks)
> >
> > On Tue, 24 Jan 2023 at 23:53, David Gwynne wrote:
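As an added example (not code from this thread, and not the project's own), a small sh script that generates the OpenBSD hostname.if(5) files for the VLAN design described above: one access VLAN per switch port carried over a tagged trunk to em0, all 19 vlan interfaces in bridge0, and bridge filter rules that pass only an explicit allow-list of client MAC pairs and block everything else arriving from a client VLAN. The trunk NIC em0, VLAN ids 1..19, the name bridge0 and the sample MAC addresses are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates OpenBSD hostname.if(5)
# files for the "one access VLAN per switch port, tagged trunk to OpenBSD"
# design: vlan1..vlan19 on em0, all members of bridge0, and bridge rules that
# pass only an explicit allow-list of client MAC pairs. Assumed/constructed:
# trunk NIC em0, VLAN ids 1..19, bridge0, and the sample MAC addresses below.

# Allow-list, one entry per line: "ingress-vlan src-mac dst-mac" (constructed).
# The broadcast entries let the two permitted clients ARP for each other;
# every other frame entering from a client VLAN is blocked further down.
ALLOW='vlan1 00:00:5e:00:53:01 00:00:5e:00:53:02
vlan1 00:00:5e:00:53:01 ff:ff:ff:ff:ff:ff
vlan2 00:00:5e:00:53:02 00:00:5e:00:53:01
vlan2 00:00:5e:00:53:02 ff:ff:ff:ff:ff:ff'

# gen_vlan_if OUTDIR PARENT ID: write hostname.vlanID; netstart(8) hands each
# line to ifconfig(8) at boot.
gen_vlan_if() {
    printf 'parent %s vnetid %s\nup\n' "$2" "$3" > "$1/hostname.vlan$3"
}

# gen_bridge_if OUTDIR BRIDGE FIRST LAST: write hostname.BRIDGE with the
# membership, the allow-list as pass rules and a catch-all block per member.
# Bridge rules match on Ethernet addresses; the first matching rule applies
# and unmatched frames pass, hence the explicit block rules at the end.
gen_bridge_if() {
    out="$1/hostname.$2"
    : > "$out"
    i=$3
    while [ "$i" -le "$4" ]; do
        echo "add vlan$i" >> "$out"
        i=$((i + 1))
    done
    printf '%s\n' "$ALLOW" | while read -r vif src dst; do
        [ -n "$vif" ] || continue
        echo "rule pass in on $vif src $src dst $dst" >> "$out"
    done
    i=$3
    while [ "$i" -le "$4" ]; do
        # anything else entering from a client VLAN is dropped by the bridge
        echo "rule block in on vlan$i" >> "$out"
        i=$((i + 1))
    done
    echo "up" >> "$out"
}

# gen_all OUTDIR: write the whole set of files into OUTDIR (generate into a
# scratch directory first and copy to /etc only after reviewing the output).
gen_all() {
    mkdir -p "$1" || return 1
    i=1
    while [ "$i" -le 19 ]; do
        gen_vlan_if "$1" em0 "$i"
        i=$((i + 1))
    done
    gen_bridge_if "$1" bridge0 1 19
}
```

Broadcast from a permitted client still reaches every member, which is the CPU and MAC-table cost the post warns about.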
Re: OpenBSD as a transparent switch filter
Hey David...
(I have learned so much from you over the years and used your gear, so maybe I can give a little back on this one.)

"Correct use of Proxy ARP": gateway of a layer 2 isolated network...
Clients cannot see or hear each other's ARP traffic or discovery traffic or other broadcast nasties, so the gateway knows everyone's correct ARP entry (because it can see everyone and everyone can see the gateway).
The gateway knows correct ARP entries for 2 example clients, clienta and clientb.

If client a wants to talk to client b... they are isolated in layer 2... so ARP between them is not possible...
Enable proxy ARP on the gateway:
client a asks for clientb's MAC address in an ARP request;
gateway responds to client a with the gateway MAC address for clientb's IP address;
client a sends traffic for client b's IP to gateway.mac.. gateway routes the traffic to client b's IP via its connected route and correct ARP address for client b;
client B asks for clienta's MAC address... in an ARP request...
gateway responds with an ARP reply for clienta's IP with its own MAC address;
client b sends traffic for client a's IP to the gateway MAC address;
gateway routes the traffic to client a via its connected route + correct ARP entry for client a.

---
Proxy ARP is (kind of) useful in a LAN gateway (LAN interface only) where the IT admin hasn't a handle on routing and gives VPN clients an IP in the same range as the LAN in the office..
Proxy ARP allows the gateway to respond to ARP requests for the VPN client IP... (but it is no substitute for teaching an IT person how to route and design/number networks).

--- incorrect use of proxy ARP ---
EVERYWHERE ELSE... (sorry for shouting)

PS: I hate proxy ARP... but it is useful in allowing client - client communications while minimising broadcast waste of bandwidth (on large wireless access networks).

On Tue, 24 Jan 2023 at 23:53, David Gwynne wrote:
>
>
> > On 25 Jan 2023, at 09:47, Tom Smyth wrote:
> >
> > Hi David is that like a local proxy arp type setup (on typical
> > networking gear) .. ?
>
> I've never had a clear idea about what proxy ARP is, and the only time it
> comes up in conversation is when people complain about problems it causes.
> Do you have a definition of what you think it means before I say yes or no?
>
> >
> > On Tue, 24 Jan 2023 at 23:45, David Gwynne wrote:
> >>
> >> I think you can do this on OpenBSD with
> >> https://github.com/eait-itig/commarp and just routing on em0. I don't
> >> think any layer 2 things like bridge or veb are needed, and probably won't
> >> work anyway because as Claudio said, they don't want to hairpin anyway.
> >>
> >> That code doesn't have any manpages unfortunately. commarp wants a
> >> config file saying which interface it should run on and which IPs it should
> >> intercept ARP for. eg:
> >>
> >> $ cat /etc/commarp.conf
> >> interface em0 {
> >>     allow 192.168.1.16 - 192.168.1.254
> >> }
> >>
> >> There's no point rewriting ARP requests for the IP your router is using
> >> on that subnet, or carp addresses on that subnet, etc.
> >>
> >>
> >>> On 24 Jan 2023, at 22:16, Cristian Danila wrote:
> >>>
> >>> HI Tom,
> >>>
> >>> I am familiar with options you mentioned, veb, bridge and isolated
> >>> ports.
> >>> I am having another transparent filter based of veb also I am aware
> >>> about
> >>> protected members but my use case is different.
> >>>
> >>> Let me try to explain maybe with different words.
> >>> OpenBSD box is having only one cable input, so what would be the
> >>> benefit of having protected members?
> >>> Protected members are isolating the communication between members of a
> >>> bridge, in my case
> >>> I have only one NIC, so if a bridge would be helpful, I can have a
> >>> bridge with single member,
> >>> therefore isolating that member from who?
> >>> OpenBSD box has only one wire connected to a physical switch, so it
> >>> can communicate with all members
> >>> of the switch, but the physical switch itself do not permit
> >>> communication between members as explained.
> >>> So it is a desire that OpenBSD box is the one that is making possible
> >>> communication between different
> >>> members of the switch through same wire.
> >>>
> >>> Let me try to draw it, I hope will help more
> >>>
> >>> DEVICE1 DEVICE2 DEVICE3
> >>>    |       |       |
> >>>    |       |       |
> >>> ---
Re: OpenBSD as a transparent switch filter
Hi David, is that like a local proxy ARP type setup (on typical networking gear)..?

On Tue, 24 Jan 2023 at 23:45, David Gwynne wrote:
>
> I think you can do this on OpenBSD with https://github.com/eait-itig/commarp
> and just routing on em0. I don't think any layer 2 things like bridge or veb
> are needed, and probably won't work anyway because as Claudio said, they
> don't want to hairpin anyway.
>
> That code doesn't have any manpages unfortunately. commarp wants a config
> file saying which interface it should run on and which IPs it should
> intercept ARP for. eg:
>
> $ cat /etc/commarp.conf
> interface em0 {
>     allow 192.168.1.16 - 192.168.1.254
> }
>
> There's no point rewriting ARP requests for the IP your router is using on
> that subnet, or carp addresses on that subnet, etc.
>
>
> > On 24 Jan 2023, at 22:16, Cristian Danila wrote:
> >
> > HI Tom,
> >
> > I am familiar with options you mentioned, veb, bridge and isolated ports.
> > I am having another transparent filter based of veb also I am aware about
> > protected members but my use case is different.
> >
> > Let me try to explain maybe with different words.
> > OpenBSD box is having only one cable input, so what would be the
> > benefit of having protected members?
> > Protected members are isolating the communication between members of a
> > bridge, in my case
> > I have only one NIC, so if a bridge would be helpful, I can have a
> > bridge with single member,
> > therefore isolating that member from who?
> > OpenBSD box has only one wire connected to a physical switch, so it
> > can communicate with all members
> > of the switch, but the physical switch itself do not permit
> > communication between members as explained.
> > So it is a desire that OpenBSD box is the one that is making possible
> > communication between different
> > members of the switch through same wire.
> >
> > Let me try to draw it, I hope will help more
> >
> > DEVICE1 DEVICE2 DEVICE3
> >    |       |       |
> >    |       |       |
> > ---
> > PORT1 PORT2 PORT3 PORT 20
> >   |     |     |_|
> >   |     |_      |
> >   |__           |
> > PHISICAL SWITCH DEVICE |
> > ---|
> >    |
> >    |
> >    |
> > OPEN BSD BOX
> >
> >
> > Thank you.
> >
> >
> > On Tue, Jan 24, 2023 at 1:43 PM Tom Smyth wrote:
> >>
> >> Hello Cristian,
> >> if you want to filter on layer 2 ... you would need to use Bridge
> >> have a look at man ifconfig(8)
> >> bridge filter rules can be added to ports in the bridge...
> >> you can also tag traffic in bridge filter rules and then use PF to
> >> filter them...
> >>
> >> but if your objective is to isolate ports from each other.. this can
> >> be achieved with protected port groups...
> >> again check out ifconfig (8)
> >> TLDR version bridge ports in the same protected port group are
> >> isolated from each other...
> >> If port isolation is all you're looking for (no other detailed filtering
> >> ) if (I'm not sure) veb(4) supports protected ports...then this would
> >> be faster...
> >> but to my shame I have not tried out veb(4)
> >>
> >> I hope this is of some use...
> >>
> >>
> >> On Tue, 24 Jan 2023 at 11:29, Cristian Danila wrote:
> >>>
> >>> Hello
> >>>
> >>> I have a more difficult task that I would like to solve with OpenBSD
> >>> and I would really
> >>> appreciate any ideas if it is possible to achieve such.
> >>>
> >>> I have:
> >>> - one OpenBSD box with one Ethernet port
> >>> - one big switch with multiple devices connected
> >>>
> >>> All switch ports are isolated by each other with one exception:
> >>> - All ports can communicate with only one Ethernet port (let's say port 20)
> >>>
> >>> Now what i would like to achieve is to connect an Ethernet cable between
> >>> OpenBSD box and port 20 of the switch, and make OpenBSD a transparent
> >>> filtering hub.
> >>>
> >>> So I need OpenBSD box to be a transparent bridge and filter between
> >>> clients of the switch.
> >>>
> >>> Can anybody suggest a point where I can think about?
> >>> I was thinking initially to add the nic (em0) to veb0 then with link1
> >>> achieve L3 filtering but
> >>> definitely I think I miss something important.
> >>> I am open to research everything is needed for it but I miss a
> >>> starting point and I would
> >>> really appreciate any hint.
> >>>
> >>> Kind regards,
> >>> Claudiu
> >>>
> >>
> >>
> >> --
> >> Kindest regards,
> >> Tom Smyth.
>
--
Kindest regards,
Tom Smyth.
Re: Software RAID5 write performance
Hi Atanas,

In general (not specific to RAID5 softraid in OpenBSD...) I would advise the following based on my own experience...

RAID5 in hardware RAID generally has poor write performance due to the number of actual writes to disk per write operation to the RAID controller (parity reads and rewrites once you write to disks), see
https://www.arcserve.com/blog/understanding-raid-performance-various-levels#:~:text=This%20means%20that%20a%20RAID,write%20performance%20is%20NX%2F4.

Because of the number of physical writes per RAID device write... RAID5 and SSDs don't really go together... unless you like replacing SSD disks in your arrays...

Suggest meat and potatoes RAID 1 or RAID 10... for SSD... and you then don't suffer the write penalties associated with RAID 5...

On Tue, 24 Jan 2023 at 15:05, Atanas Vladimirov wrote:
>
> Hi Guys,
>
> I wonder if someone here is using RAID5 with HDD drives and what write
> performance on such discipline is expected?
> I have 4x 1T HDDs and can't get more than 10~12 MBps on writing.
>
> I found a Reddit post [1] where the user observed a similar write speed,
> of course, he was using other drives (Model and Size).
> My curiosity (and the reason I'm asking here) comes from the fact that
> we are observing very similar speeds.
>
> So, do you use RAID5 and how it behaves on your side?
>
>
> [1]
> https://www.reddit.com/r/openbsd/comments/srru20/raid5_write_performance/
>
> P.S.: Anyone using RAID5 with SSD drives? How is the write speed there?
>
> Best wishes,
> Atanas
>
--
Kindest regards,
Tom Smyth.
Re: OpenBSD as a transparent switch filter
I agree with Claudio re the hairpin issue...

Perhaps an alternate setup would be to use 2 VLANs on the switch on the uplink of the OpenBSD box (to avoid the hairpin on a physical interface), but care needs to be taken when bridging between the two VLANs as 2x MAC table usage will occur... i.e. a MAC address on one device may be present in two VLANs (if you have a filtering bridge between the two VLANs) and isolation is turned off at any stage... (I have been badly caught out on this when aggregating n VLANs... n bridged VLANs x (original MAC table usage) = new MAC address table size.)

Hope this helps...

On Tue, 24 Jan 2023 at 12:24, Claudio Jeker wrote:
>
> On Tue, Jan 24, 2023 at 11:43:08AM +0000, Tom Smyth wrote:
> > Hello Cristian,
> > if you want to filter on layer 2 ... you would need to use Bridge
> > have a look at man ifconfig(8)
> > bridge filter rules can be added to ports in the bridge...
> > you can also tag traffic in bridge filter rules and then use PF to
> > filter them...
> >
> > but if your objective is to isolate ports from each other.. this can
> > be achieved with protected port groups...
> > again check out ifconfig (8)
> > TLDR version bridge ports in the same protected port group are
> > isolated from each other...
> > If port isolation is all you're looking for (no other detailed filtering
> > ) if (I'm not sure) veb(4) supports protected ports...then this would
> > be faster...
> > but to my shame I have not tried out veb(4)
> >
> > I hope this is of some use...
> >
>
> The problem is not veb(4) vs bridge(4) (both should work and I would
> suggest you try to stay away from bridge(4)). The problem is the hairpin
> on the single interface to the switch. AFAIK neither veb(4) nor bridge(4)
> will send back a packet on the same port it was received on. Doing so
> can result in packet loops.
>
> >
> > On Tue, 24 Jan 2023 at 11:29, Cristian Danila wrote:
> > >
> > > Hello
> > >
> > > I have a more difficult task that I would like to solve with OpenBSD
> > > and I would really
> > > appreciate any ideas if it is possible to achieve such.
> > >
> > > I have:
> > > - one OpenBSD box with one Ethernet port
> > > - one big switch with multiple devices connected
> > >
> > > All switch ports are isolated by each other with one exception:
> > > - All ports can communicate with only one Ethernet port (let's say port 20)
> > >
> > > Now what i would like to achieve is to connect an Ethernet cable between
> > > OpenBSD box and port 20 of the switch, and make OpenBSD a transparent
> > > filtering hub.
> > >
> > > So I need OpenBSD box to be a transparent bridge and filter between
> > > clients of the switch.
> > >
> > > Can anybody suggest a point where I can think about?
> > > I was thinking initially to add the nic (em0) to veb0 then with link1
> > > achieve L3 filtering but
> > > definitely I think I miss something important.
> > > I am open to research everything is needed for it but I miss a
> > > starting point and I would
> > > really appreciate any hint.
> > >
> > > Kind regards,
> > > Claudiu
> > >
> >
> >
> > --
> > Kindest regards,
> > Tom Smyth.
> >
>
> --
> :wq Claudio
>
--
Kindest regards,
Tom Smyth.
Re: OpenBSD as a transparent switch filter
Hello Cristian,

If you want to filter on layer 2... you would need to use bridge; have a look at man ifconfig(8). Bridge filter rules can be added to ports in the bridge... You can also tag traffic in bridge filter rules and then use PF to filter them...

But if your objective is to isolate ports from each other.. this can be achieved with protected port groups... again check out ifconfig(8). TL;DR version: bridge ports in the same protected port group are isolated from each other...

If port isolation is all you're looking for (no other detailed filtering), if (I'm not sure) veb(4) supports protected ports... then this would be faster... but to my shame I have not tried out veb(4).

I hope this is of some use...

On Tue, 24 Jan 2023 at 11:29, Cristian Danila wrote:
>
> Hello
>
> I have a more difficult task that I would like to solve with OpenBSD
> and I would really
> appreciate any ideas if it is possible to achieve such.
>
> I have:
> - one OpenBSD box with one Ethernet port
> - one big switch with multiple devices connected
>
> All switch ports are isolated by each other with one exception:
> - All ports can communicate with only one Ethernet port (let's say port 20)
>
> Now what i would like to achieve is to connect an Ethernet cable between
> OpenBSD box and port 20 of the switch, and make OpenBSD a transparent
> filtering hub.
>
> So I need OpenBSD box to be a transparent bridge and filter between
> clients of the switch.
>
> Can anybody suggest a point where I can think about?
> I was thinking initially to add the nic (em0) to veb0 then with link1
> achieve L3 filtering but
> definitely I think I miss something important.
> I am open to research everything is needed for it but I miss a
> starting point and I would
> really appreciate any hint.
>
> Kind regards,
> Claudiu
>
--
Kindest regards,
Tom Smyth.
Re: Max number of NICs
msixfailed to allocate interrupt slot for PIC msix pin -2145714175 : unable to establish interrupt 1
ppb27 at pci0 dev 24 function 1 "VMware PCIE" rev 0x01: msi
pci28 at ppb27 bus 28
vmx9 at pci28 dev 0 function 0 "VMware VMXNET3" rev 0x01:
ppb28 at pci0 dev 24 function 2 "VMware PCIE" rev 0x01: msi
pci29 at ppb28 bus 29
ppb29 at pci0 dev 24 function 3 "VMware PCIE" rev 0x01: msi
pci30 at ppb29 bus 30
ppb30 at pci0 dev 24 function 4 "VMware PCIE" rev 0x01: msi
pci31 at ppb30 bus 31
ppb31 at pci0 dev 24 function 5 "VMware PCIE" rev 0x01: msi
pci32 at ppb31 bus 32
ppb32 at pci0 dev 24 function 6 "VMware PCIE" rev 0x01: msi
pci33 at ppb32 bus 33
ppb33 at pci0 dev 24 function 7 "VMware PCIE" rev 0x01: msi
pci34 at ppb33 bus 34
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
root on sd0a (d48ff886556ca841.a) swap on sd0b dump on sd0b

On Tue, 24 Jan 2023 at 04:33, Nick Holland wrote:
>
> On 1/23/23 17:54, Lars Bonnesen wrote:
> > How many physical NICs can you add to an OpenBSD host (vmx)
> >
> > I am asking because I am running an OpenBSD on a VMware host but apparently
> > OpenBSD can only see 8 of them.
> >
> > Can I raise the limit somehow?
> >
> > Regards, Lars.
>
> many years ago (back in the 3.x days, iirc), someone asked me to jam
> a machine full of NICs and see what happened.
>
> Four 4-port dc(4) NICs (16 ports) plus one 3com 3c905 on the main
> board later, I saw no issues, but then I lacked any use for a 17 port
> machine. If I recall properly, the person who asked me to do it was
> expecting some kind of issue, but when I told him they were dc(4)s,
> he was disappointed and said, "Well, of course those will work".
>
> I had a machine for a while with something like ten or
> eleven em(4)s in it, I had fired it up, don't recall seeing any
> problems with it identifying all the ports (in fact, iirc, it found
> a port on the MoBo that was not extended to the outside). Again,
> no issue, but after staring at the power hungry box for many years
> and never doing anything with it, it finally got recycled. Again,
> that was many releases ago...so not sure how it applies today.
>
> Current FW box is a old citrix appliance with a six port NIC and two
> onboard ports, for eight em(4)s.
>
> Nick.
>
--
Kindest regards,
Tom Smyth.
Re: Max number of NICs
As far as I know VMware has a limit of 10 NICs... per VM.

Can you send on a dmesg... of the machine you are running...

Have you tried setting the NIC type to Intel Pro1000 as a test?

On Mon, 23 Jan 2023 at 23:09, Lars Bonnesen wrote:
>
> How many physical NICs can you add to an OpenBSD host (vmx)
>
> I am asking because I am running an OpenBSD on a VMware host but apparently
> OpenBSD can only see 8 of them.
>
> Can I raise the limit somehow?
>
> Regards, Lars.

--
Kindest regards,
Tom Smyth.
Re: BiDi sfp in ix
Hi Hrvoje,

Some Intel NICs do have restrictions on what transceivers they would accept... (like a licensing / branding thing)... if you are ordering from fs.com or Flexoptix you can re-program those with the FS.com transceiver programmer / Flexoptix transceiver programmer...

For what it's worth... I have come across weird issues with Ubnt Edge switches and getting the SFP interfaces to come up,.. where for instance in UBNT the autodetect, vs autonegotiate, vs 1000 Mb/s Full all have different results depending on the vendor of router / device that is attached to the SFP interface...

I would play around with the combinations of autodetect (which is different to autonegotiate) to forcing the speed... Your NIC vendor may be able to provide you with firmware to unlock any weird licensing restriction on the brand of transceiver in use...

I hope this is in some way helpful...? If you use your phone camera can you confirm, when the SFP is in the ix(4) interface... that the laser is on and is sending light? (You will see a purple / blue-ish hue light on the camera of your phone...)

Hope this helps and Happy New Year to you..

On Mon, 2 Jan 2023 at 15:10, Hrvoje Popovski wrote:
>
> On 28.12.2022. 20:21, Stuart Henderson wrote:
> > On 2022-12-28, Hrvoje Popovski wrote:
> >> Hi all,
> >>
> >> I don't have much experience with BiDi sfp, so I'm asking you guys,
> >> should openbsd ix work with 1G BiDi sfp.
> >
> > should do, yes.
> >
> > in case you're not aware, bidi transceivers come in different types, e.g.
> > your MaxLink ML-S5531-20 transmits at 1550nm and receives at 1310nm, so
> > must be paired with a transceiver that transmits at 1310nm and receives
> > at 1550nm (e.g. the MaxLink model is ML-S3155-20) - do you have that?
> >
> > also, they should normally be used with single-mode fibre (due to how
> > the bidi optics are coupled into the fibre they *can* also work with
> > multimode fibre, though if you do that, insertion loss is high so
> > distance is much more limited, plus it's even more sensitive to bending
> > than usual in that case).
> >
> >
>
> Hi,
>
> everything is fine regarding transceiver and fiber. I've played with it
> for few days with my ISP and that BiDI sfp works on mikrotik
> RB5009UG+S+IN and cisco 2960 switch. On aruba 2540 (allow unsupported
> transceiver), ibm switch and openbsd ix(4) it won't work.
>
> I've ordered few BiDi sfp from fs.com and maybe my ISP will lend me
> MaxLink sfp so I could test them in lab.
>
> Thank you Stuart for information ...
>
--
Kindest regards,
Tom Smyth.
Re: bgpd.conf rules changed?
Hi Toni,

What version are you coming from... if you are prior to 6.4 or 6.5 (I can't fully remember), one of the biggest changes was RFC 8212, where route filter policies went from allow all announcements by default to deny by default... announce all and announce self were deprecated.

Check out /etc/examples/bgpd.conf which has nice examples of best practice with the new syntax. You will see the new syntax and you will see how you can create groups of prefixes (for instance your own prefixes) and another group for transit customer prefixes etc.. then you just create filters to accept your prefixes to your upstream peers...

man bgpd.conf will show any other syntax that may be deprecated... (I have never set the softreconfig; I *think* it is now a default...)

I hope this helps,
Tom Smyth

On Mon, 19 Dec 2022 at 11:59, Toni Mueller wrote:
>
>
> Hi,
>
> I am trying to upgrade an OpenBSD based BGP router from an old version
> to 7.2. But on OpenBSD 7.2, the config file results in several errors,
> despite the man page not indicating any thing "obvious".
>
> Eg. I get syntax errors on
>
> softreconfig in yes
> softreconfig out yes
> announce self
> announce all
> announce default-route
>
>
> I also get errors on
>
> tcp md5sig password somesecrethere
>
> if the secret contains special characters.
>
>
> I have tried to comment the softreconfig lines, but can't do away with
> the 'announce' statements.
>
>
> Is there some overview about what changed over the course of time, and
> possibly, some better error messages to help diagnose the errors?
>
>
> Thanks a lot,
> Toni
>
--
Kindest regards,
Tom Smyth.
Re: VMM FAQ - 802.11 Prevents Bridging?
Hi Cory,

Just to clarify, bridging typically works from a wireless access point, i.e. bridging a wireless access point to an ethernet interface and vice versa; that (should) work and is catered for in the 802.11 standard. However a wireless interface in station / client mode bridged to an ethernet interface requires proprietary extensions (and as Stuart has pointed out won't work).

If you need a layer 2 wireless connection to VMM I would suggest using an ethernet port in VMM and plugging the ethernet port into a proprietary wireless router / client.. I can give you a steer off list but I don't want to descend into plugging a proprietary solution...

I hope this helps
Tom Smyth

On Mon, 12 Dec 2022 at 22:35, Stuart Henderson wrote:
>
> On 2022-12-12, c0ry wrote:
> > Hey folks,
> >
> > I noticed this line in the VMM FAQ (
> > https://www.openbsd.org/faq/faq16.html#VMMnet):
> >
> > "...the IEEE 802.11 standard prevents wireless interfaces from
> > participating in network bridges."
> >
> > Just wanted to confirm what is meant by this - are we just trying to say
> > that WDS isn't part of the standard and isn't supported? Does the standard
> > actually "prevent" anything? Sorry if this is pedantic, I'm just curious.
>
> WDS is only partly standardised and doesn't always work cross-vendor;
> also OpenBSD doesn't support it at all.
>
>
>
> --
> Please keep replies on the mailing list.
>
--
Kindest regards,
Tom Smyth.
Re: OpenBSD File systems , on Flash / SSD CPE (in sites with uncontrolled power (CPE customer sites)
Sorry, there was an omission in my /etc/fstab: I had left out the softdep,noatime flags on the filesystems that were running off the disk using FFS.

Thanks

#begin corrected /etc/fstab##
/dev/sd0a / ffs rw,softdep,noatime 1 1
/dev/sd0d /usr/local ffs rw,wxallowed,nodev,softdep,noatime 1 1
swap /tmp mfs rw,nosuid,noexec,nodev,-s=256000,-P=/persist-fs/tmp 0 0
swap /var mfs rw,nosuid,noexec,nodev,-s=512000,-P=/persist-fs/var 0 0
swap /dev mfs rw,nosuid,noexec,-P=/persist-fs/dev,-i=2048,-s=102400 0 0
##end-corrected /etc/fstab##

On Mon, 28 Nov 2022 at 21:46, Tom Smyth wrote:
> Hello, Folks,
>
> I'm reviewing our filesystem setup for OpenBSD CPEs that we deploy in the
> field
>
> in order to minimise the impact of power outages / customer interference
> on the boxes,
> we install a 4G root partition /
> and a 2GB /usr/local (to allow the wxallowed flag for the filesystem)
>
> we use mfs for /tmp and /var so that the probability that there is
> a filesystem write to the SSD is reduced (so that power failures don't cause
> file system corruption)
>
> we use the following fstab
>
> #begin /etc/fstab/###
> /dev/sd0a / ffs rw 1 1
> /dev/sd0d /usr/local ffs rw,wxallowed,nodev 1 1
> swap /tmp mfs rw,nosuid,noexec,nodev,-s=256000,-P=/persist-fs/tmp 0 0
> swap /var mfs rw,nosuid,noexec,nodev,-s=512000,-P=/persist-fs/var 0 0
> swap /dev mfs rw,nosuid,noexec,-P=/persist-fs/dev,-i=2048,-s=102400 0 0
> #end /etc/fstab/###
>
> and the persist-fs folders are created by installing OpenBSD, installing
> packages and running
> the following commands to copy /var /tmp and /dev to a persistent location
> on /
> ###setup commands #
> mkdir -p /persist-fs/dev
> mkdir -p /persist-fs/tmp
> mkdir -p /persist-fs/var
> cp -Rp /var/* /persist-fs/var
> cp -Rp /tmp/* /persist-fs/tmp
> cp -p /dev/MAKEDEV /persist-fs/dev/
> cd /persist-fs/dev/
> /persist-fs/dev/MAKEDEV all
>
> any feedback welcome, are there other folders that could be heavily
> written to ?
> are there shortcomings? I have omitted swap (because of flash and ssd wear
> concerns)
> I hope this helps...
> Tom Smyth
>
>
> --
> Kindest regards,
> Tom Smyth.
>
--
Kindest regards,
Tom Smyth.
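As an added check (not code from the post): a small sh function that lints an fstab for the settings discussed in this thread, flagging ffs entries without softdep or noatime (the omission corrected above) and mfs entries that lack a -P populate directory or whose directory does not exist. The sample fstabs are the before and after versions from the post, written to a scratch directory so the check runs offline; the ROOT argument is an assumption used to locate the -P directories.

```shell
#!/bin/sh
# Added example, not code from the post. check_fstab FSTAB [ROOT] lints an
# fstab for the flash-friendly settings discussed in this thread: every ffs
# entry should carry softdep and noatime (the omission corrected above) and
# every mfs entry should carry a -P populate directory that exists under ROOT
# (ROOT is an assumed parameter, default empty so paths resolve against /).
# Prints one line per finding; exit status 0 means no findings.
check_fstab() {
    root=${2:-}
    findings=0
    while read -r dev mnt type opts rest; do
        case $dev in ''|\#*) continue ;; esac
        case $type in
        ffs)
            case ",$opts," in *,softdep,*) ;; *)
                echo "$mnt: ffs without softdep"; findings=$((findings + 1)) ;;
            esac
            case ",$opts," in *,noatime,*) ;; *)
                echo "$mnt: ffs without noatime"; findings=$((findings + 1)) ;;
            esac
            ;;
        mfs)
            # the -P value is the directory mount_mfs(8) copies in at mount time
            pdir=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^-P=//p')
            if [ -z "$pdir" ]; then
                echo "$mnt: mfs without -P, it will be empty after every boot"
                findings=$((findings + 1))
            elif [ ! -d "$root$pdir" ]; then
                echo "$mnt: populate directory $root$pdir is missing"
                findings=$((findings + 1))
            fi
            ;;
        esac
    done < "$1"
    [ "$findings" -eq 0 ]
}

# write_samples DIR: the before and after fstabs from the post plus the
# populate directories, constructed here so the check can run offline.
write_samples() {
    mkdir -p "$1/persist-fs/tmp" "$1/persist-fs/var" "$1/persist-fs/dev"
    cat > "$1/fstab.before" <<'EOF'
/dev/sd0a / ffs rw 1 1
/dev/sd0d /usr/local ffs rw,wxallowed,nodev 1 1
swap /tmp mfs rw,nosuid,noexec,nodev,-s=256000,-P=/persist-fs/tmp 0 0
swap /var mfs rw,nosuid,noexec,nodev,-s=512000,-P=/persist-fs/var 0 0
swap /dev mfs rw,nosuid,noexec,-P=/persist-fs/dev,-i=2048,-s=102400 0 0
EOF
    cat > "$1/fstab.after" <<'EOF'
/dev/sd0a / ffs rw,softdep,noatime 1 1
/dev/sd0d /usr/local ffs rw,wxallowed,nodev,softdep,noatime 1 1
swap /tmp mfs rw,nosuid,noexec,nodev,-s=256000,-P=/persist-fs/tmp 0 0
swap /var mfs rw,nosuid,noexec,nodev,-s=512000,-P=/persist-fs/var 0 0
swap /dev mfs rw,nosuid,noexec,-P=/persist-fs/dev,-i=2048,-s=102400 0 0
EOF
}
```

On a live box, `check_fstab /etc/fstab` with no ROOT checks the real populate directories.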
OpenBSD File systems , on Flash / SSD CPE (in sites with uncontrolled power (CPE customer sites)
Hello, Folks,

I'm reviewing our filesystem setup for OpenBSD CPEs that we deploy in the field.

In order to minimise the impact of power outages / customer interference on the boxes, we install a 4G root partition / and a 2GB /usr/local (to allow the wxallowed flag for the filesystem).

We use mfs for /tmp and /var so that the probability that there is a filesystem write to the SSD is reduced (so that power failures don't cause file system corruption).

We use the following fstab:

#begin /etc/fstab/###
/dev/sd0a / ffs rw 1 1
/dev/sd0d /usr/local ffs rw,wxallowed,nodev 1 1
swap /tmp mfs rw,nosuid,noexec,nodev,-s=256000,-P=/persist-fs/tmp 0 0
swap /var mfs rw,nosuid,noexec,nodev,-s=512000,-P=/persist-fs/var 0 0
swap /dev mfs rw,nosuid,noexec,-P=/persist-fs/dev,-i=2048,-s=102400 0 0
#end /etc/fstab/###

and the persist-fs folders are created by installing OpenBSD, installing packages and running the following commands to copy /var, /tmp and /dev to a persistent location on /:

###setup commands #
mkdir -p /persist-fs/dev
mkdir -p /persist-fs/tmp
mkdir -p /persist-fs/var
cp -Rp /var/* /persist-fs/var
cp -Rp /tmp/* /persist-fs/tmp
cp -p /dev/MAKEDEV /persist-fs/dev/
cd /persist-fs/dev/
/persist-fs/dev/MAKEDEV all

Any feedback welcome; are there other folders that could be heavily written to? Are there shortcomings? I have omitted swap (because of flash and SSD wear concerns).

I hope this helps...
Tom Smyth

--
Kindest regards,
Tom Smyth.
Re: Suggestions for miniPCI wireless card for an accesspoint on OpenBSD - 2022q4
Hi Mikolaj,

I'm told that the Broadcom AC chipset based ones are an excellent choice, as the card handles the vast majority of Wi-Fi protocols & advanced features associated with newer 802.11 standards... leaving you, the admin, to just configure the WPA keys and the SSIDs...

Checking back through the archives, there was a recent enough discussion on this very topic...

I hope this helps,

On Thu, 24 Nov 2022 at 17:27, Mikolaj Kucharski wrote:
> Hi,
>
> I'm using for few years now on OpenBSD accesspoint (mediaopt hostap)
> based on following miniPCI card:
>
> # dmesg | grep -e ^ath
> athn0 at pci4 dev 0 function 0 "Atheros AR928X" rev 0x01: apic 5 int 16
> athn0: AR9280 rev 2 (2T2R), ROM rev 22, address 04:f0:21:45:6a:c4
>
> I don't remember where I bought it, but I think it is one of those, or
> compatibile:
>
> https://www.pcengines.ch/wle200nx.htm
>
> If you would build today an accesspoint, on hardware with miniPCI, what
> would you choose, for OpenBSD?
>
> --
> Regards,
> Mikolaj
>
>
--
Kindest regards,
Tom Smyth.
Re: 0.0.0.0/32 in pf's tables
Yeah, 0.0.0.0/32 (legacy broadcast address) is a valid address and would be included in very verbose explicit rules blocking traffic from invalid src addresses (for example).

Hope this helps

On Fri 11 Nov 2022, 20:23 3, wrote:
> a very clever man once said that God does not play dice.. and he was
> wrong! so it is too presumptuous to believe that you know the ways of the
> God ;) seriously, if i can use 0.0.0.0/32 in rules, then why can't i use
> the same in tables? i don't think God cares why i do it
>
> > God abhors a naked singularity.
> >
> > On Tue, 2022-11-08 at 22:47 +0300, 3 wrote:
> >> what religion forbids using 0.0.0.0/32 in tables? 0_0 but 0/0 can be
> >> used.. what's going on?! is the world going mad?
> >>
> >
>
Re: 2FA VPNs
Hi Stuart,

Some of the commercial systems we have used use RADIUS as the authentication mechanism... One could do a rudimentary OTP password system using RADIUS... Some OTP systems allow for caching a series of one-time passwords, circa 100 passwords... so it could be feasible to have 100 passwords listed on a card, and ask the user to enter password X?

Thanks,
Tom Smyth

On Wed, 2 Nov 2022 at 02:14, Stuart Henderson wrote:
> If anyone's got any good suggestions on how to do VPNs with 2FA
> on an OpenBSD gateway for non-technical users to access (iOS, Android,
> Windows clients) I'd love to hear them.
>
> I could bodge something together with openvpn and TOTP but it doesn't
> exactly spark joy.
>
>
--
Kindest regards,
Tom Smyth.
Re: HP PA-RISC / IA64 hardware platform for Linux Debian, Gentoo, NetBSD, OpenBSD and HP-UX Unix
Hi Jesse,

You can check out https://www.openbsd.org/want.html; perhaps there is an overlap between developers' requirements and what you have surplus. It is a voluntary project, so consider donating some hardware to the developers according to that list.

Hope this helps,
Tom Smyth

On Fri, 7 Oct 2022 at 13:16, Jesse Dougherty wrote:
> Hi, I'm Jesse at Cypress Technology Inc. We at Cypress sell HP hardware.
> Below are some links to HP PA-RISC and IA64 boxes that support the Linux
> Debian, Gentoo, NetBSD, OpenBSD Linux and HP-UX Unix platforms. If you
> are in need of systems, feel free to email back with any question or
> requests. We also sell all boxes and parts that HP made for the HP-UX /
> Unix line.
>
> PA-RISC
> www.ebay.com/itm/385130495455
> www.ebay.com/itm/384211227917
>
> IA64
> www.ebay.com/itm/384272059488
> www.ebay.com/itm/384211228177
>
> IA64 - For Telco / Data Center users / 48v DC
> www.ebay.com/itm/384966825704
>
> Thanks
> Jesse Dougherty
> Resellers of HP hardware
> je...@cypress-tech.com
> www.cypress-tech.com
>
>
--
Kindest regards,
Tom Smyth.
Re: embarrassing mail problem
Howdy Steve,

On newer versions of OpenBSD, OpenSMTPD legacy TLS versions / ciphers are disabled by default... there is an option to allow legacy TLS versions (I can't remember the option off hand, but man smtpd.conf and search for tls, you should find it handy enough) (this caught me out on an upgrade to 7.0 btw).

mxtoolbox.com has some useful tests that could help you diagnose mail flow issues... DMARC + DKIM would be worth looking at... also check the Spamhaus PBL... if your ISP suddenly added their subscriber IP ranges to the PBL this could negatively impact you, if your mail server IP is in the ranges the ISP included in the Spamhaus Policy Block List...

Hope this helps

On Wed 5 Oct 2022, 23:07 Steve Fairhead, wrote:

> I've searched and failed, and I realise I'm going to show my total ignorance by not having found an answer (and no, I've not been keeping up these last few years - mea culpa - demanding day-job). But - I'd be grateful for any (gentle or otherwise) cluebats.
>
> I have several OpenBSD email servers, some elderly (Sendmail) and some brand-spanking new (smtpd). Recently I've noticed that some (of both kinds) are failing to deliver mail to some major UK ISPs. (Mostly domestic; business ISPs not so much.)
>
> For Sendmail, the error is "TLS handshake failed"; for smtpd, it's "Network error on destination MXs".
>
> I do have SPF etc setup; thought that might be it, but no. I've read that some ISPs have closed port 25. I presume that's relevant, but I simply don't know.
>
> As I said, all cluebats gratefully (and probably painfully) accepted.
>
> Steve
>
> -- 
> Steve Fairhead
> email: st...@fivetrees.com
Re: Is OpenBSD suited for old Dell Precision T5500 (Dual Xeon X5675, 72GB RAM)
Hi Jan,

I have seen a number of cases where partitions on the fixed disks from other OSes being on the system prevented some installers working / detecting free space to install to... I have seen where USB writing software (on other operating systems) did not write the install image properly to the USB stick; clearing the partitions and writing zeros ahead of writing the image to the USB did help me with installs before... but less so about panics, and more to do with either booting the install OS, or writing the sets to the fixed disks on the box..

On Wed, 7 Sept 2022 at 13:13, Jan Stary wrote:

> > > > 1) On initial boot (with 7.1 release, on a usb stick) it more or less immediately panicked into ddb when I tried to pipe dmesg into a file on the usb stick. I took out the NVMe-card, and whether or not that was the problem the machine anyhow behaved better long enough for me to get network and do a fw_update.
> > >
> > > sure sounds like it could be a bad USB stick. Very common. For important things, I have learned to write zeros over the entire USB stick before expecting it to actually work. Nothing to do with the T5500.
>
> I am puzzled: how exactly is a zero filled USB stick less panicky than another USB stick?

-- 
Kindest regards,
Tom Smyth.
Re: Is OpenBSD suited for old Dell Precision T5500 (Dual Xeon X5675, 72GB RAM)
Hi Erling,

It depends. Do you mean softraid? That will be either AHCI using the Intel driver or LSI RAID emulation (where you can configure the RAID in the option ROM, after POST just before the OS boots). It depends on the chipset setup... Dell may put the LSI as a PERC; it also may be a separate card or I/O module to the onboard SATA...

Hope this helps

On Wed, 7 Sept 2022 at 12:19, Erling Westenvik wrote:

> On Wed, Sep 07, 2022 at 11:41:49AM +0100, Tom Smyth wrote:
> > hi
> >
> > i would check bios / firmware settings
> >
> > try disabling memory mapped i/o in bios
> >
> > check processor settings: enable vt-d, disable hyper threading, ensure execute disable is enabled
> >
> > update the bios as it will update cpu microcode ...
>
> Great. Thanks, Tom.
>
> > dell allow you to select the emulation of sata
> > ahci vs raid vs sata vs legacy
>
> For 2 x 525GB SSD's in RAID (softraid) 1, that setting would be...?
>
> Erling
>
> > On Wed 7 Sep 2022, 03:02 Erling Westenvik, wrote:
> > > Hello,
> > >
> > > A friend donated an old Dell Precision T5500 workstation, a heavy bastard with dual Xeon X5675 and 72GB RAM which still packs a punch I believe. At least it does for me. I would like it to replace my old i7 3770k. However, I'm starting to have doubts:
> > >
> > > 1) On initial boot (with 7.1 release, on a usb stick) it more or less immediately panicked into ddb when I tried to pipe dmesg into a file on the usb stick. I took out the NVMe-card, and whether or not that was the problem the machine anyhow behaved better long enough for me to get network and do a fw_update.
> > >
> > > 2) After fw_update the radeondrm was detected and I got a nice 2560x1600 console. However, before it would give me a login prompt the machine got stuck with repeating complaints about "ehci_device_clear_toggle: queue active". So – USB related, right? Very well! Out with the usb stick, in with an old SSD with OpenBSD 6.7.
> > >
> > > 3) The machine behaves better, xenodm starts fine with cwm, but it won't resume after suspend (zzz).
> > >
> > > Some or all of the above problems may have solutions, trivial or not, but more problems may perhaps lurk under the surface..?
> > >
> > > So I guess my question is if someone knows whether these Dell machines are known to be error prone in general, or problematic with OpenBSD in particular, and if I should stop before wasting time!?
> > >
> > > Sincerely,
> > >
> > > Erling
> > >
> > > OpenBSD 7.1 (GENERIC.MP) #465: Mon Apr 11 18:03:57 MDT 2022
> > > dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
Re: Is OpenBSD suited for old Dell Precision T5500 (Dual Xeon X5675, 72GB RAM)
Hi,

I would check BIOS / firmware settings.

Try disabling memory mapped I/O in BIOS.

Check processor settings: enable VT-d, disable hyper threading, ensure execute disable is enabled.

Update the BIOS, as it will update CPU microcode...

Dell allow you to select the emulation of SATA: AHCI vs RAID vs SATA vs legacy.

On Wed 7 Sep 2022, 03:02 Erling Westenvik, wrote:

> Hello,
>
> A friend donated an old Dell Precision T5500 workstation, a heavy bastard with dual Xeon X5675 and 72GB RAM which still packs a punch I believe. At least it does for me. I would like it to replace my old i7 3770k. However, I'm starting to have doubts:
>
> 1) On initial boot (with 7.1 release, on a usb stick) it more or less immediately panicked into ddb when I tried to pipe dmesg into a file on the usb stick. I took out the NVMe-card, and whether or not that was the problem the machine anyhow behaved better long enough for me to get network and do a fw_update.
>
> 2) After fw_update the radeondrm was detected and I got a nice 2560x1600 console. However, before it would give me a login prompt the machine got stuck with repeating complaints about "ehci_device_clear_toggle: queue active". So – USB related, right? Very well! Out with the usb stick, in with an old SSD with OpenBSD 6.7.
>
> 3) The machine behaves better, xenodm starts fine with cwm, but it won't resume after suspend (zzz).
>
> Some or all of the above problems may have solutions, trivial or not, but more problems may perhaps lurk under the surface..?
>
> So I guess my question is if someone knows whether these Dell machines are known to be error prone in general, or problematic with OpenBSD in particular, and if I should stop before wasting time!?
>
> Sincerely,
>
> Erling
>
> OpenBSD 7.1 (GENERIC.MP) #465: Mon Apr 11 18:03:57 MDT 2022
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
Re: vxlan operational question
Hi Florian,

I'll admit I'm guessing, but I would set up the tunnel before putting the IP address on it... so:

vnetid 10
tunnel 1.1.1.1 2.2.2.2
inet6 2001:db8::1/126
up

I could be wrong, but I know the ordering of setup commands in the file can be important (rdomain for instance would have to come first), but it was always my instinct to set up the interface with tags etc. before putting the IP on it... I am guessing here, but it might be a help...

On Sat, 16 Jul 2022 at 17:35, Florian Bauer wrote:

> Hello there,
>
> I am using OpenBSD with OpenBGPD to serve my private ASN. Unfortunately, since upgrading from 7.0 to 7.1, my p-to-p vxlan underlay network stopped working. This behavior is reproducible on freshly set up systems without any further modification.
> My configuration looks as follows on both sides with correct IP addresses:
> ```
> # content of /etc/hostname.vxlan0
> up
> tunnel 1.1.1.1 2.2.2.2
> inet6 2001:db8::1/126
> vnetid 10
> ```
> While taking the interface up, I am getting the following error:
> ```
> border1# ifconfig vxlan0 up
> ifconfig: SIOCSIFFLAGS: Protocol not supported
> ```
> If someone has an idea, please let me know.
>
> Best regards
> Florian

-- 
Kindest regards,
Tom Smyth.
Re: OpenBGPD via (WG?) Tunnel Not Learning Routes
Hello Tobias,

Next hop validation (to make routes valid?) asks the question: is the next hop reachable... so if you look at the prefixes learned and the next hop... you may need additional routes to make the next hop visible (via an interior routing protocol (OSPF / RIP / EIGRP) or static routes)...

Tip: to add peering LANs / transit uplink LANs to OSPF, just add the network to OSPF and set the interface to passive (it is the safest way) (avoid redistribute connected if you can).

Once the next hop is pingable in and of itself, then the routes that point to the next hop should become valid..

I hope this helps,
Tom Smyth

On Wed, 13 Jul 2022 at 02:38, Tobias Fiebig < tob...@reads-this-mailinglist.com> wrote:

> Heho,
> I am running OpenBGPd (on 7.1+binpatches), and have some tunnel links between hosts and up/downstreams over wg tunnels.
>
> I am basically wondering whether the behavior is known/normal and/or happened to others, or if it is worth it to setup a test-setup to properly debug the issue/document how it can be reproduced.
>
> Specifically, I noticed that bgpd will consider routes invalid which it learns over a (wg?) interface that was not there when bgpd was started; So, essentially:
>
> Start bgpd
> Create wireguard interface, configure IPs
> Adjust bgpd config to add new peer on that if.
> bgpctl reload
>
> -> Session with the peer comes up, bgpd sees the routes, but it lacks the 'valid' * flag.
>
> Restarting bgpd resolves this (but also lets all sessions flap).
>
> I did not see (or missed) something about this in the man page; The same issue seems to not occur with other Interfaces added later, e.g., vlan.
>
> With best regards,
> Tobias

-- 
Kindest regards,
Tom Smyth.
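The next-hop check Tom describes, as an added example that is not bgpd's code and not from the thread: a learned prefix counts as valid only when its next hop resolves through a route already in the routing table, and adding a static route for the tunnel subnet flips it from invalid to valid. The addresses, the interface names em0 and wg0, and the rule of ignoring the default route when resolving a next hop are assumptions of this model; bgpd(8) documents the real behaviour.

```python
"""Model of BGP next-hop validation against a routing table.

Added example, not bgpd's own code. A learned prefix is usable only when
its next hop is covered by a route the daemon already knows about.
Model assumptions: the default route is ignored when resolving a next
hop, and routes carry a constructed interface name. See bgpd(8) for
the real rules.
"""
import ipaddress


class Rib:
    """Minimal routing table: (prefix, gateway-or-None, interface)."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, gateway=None, iface=None):
        self.routes.append((ipaddress.ip_network(prefix), gateway, iface))

    def lookup(self, addr):
        """Longest-prefix match, skipping the default route (model assumption)."""
        a = ipaddress.ip_address(addr)
        best = None
        for net, gw, iface in self.routes:
            if net.prefixlen == 0 or a not in net:
                continue
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, gw, iface)
        return best


def validate(rib, learned):
    """learned: {prefix: nexthop}. Returns {prefix: (valid, reason)}."""
    out = {}
    for prefix, nexthop in learned.items():
        hit = rib.lookup(nexthop)
        if hit is None:
            out[prefix] = (False, f"next hop {nexthop} not reachable (no route except default)")
        else:
            net, gw, iface = hit
            via = f"connected on {iface}" if gw is None else f"via {gw}"
            out[prefix] = (True, f"next hop {nexthop} resolves through {net} {via}")
    return out


def demo():
    """Constructed scenario: a peer over a tunnel whose subnet the RIB does not know."""
    rib = Rib()
    rib.add("0.0.0.0/0", gateway="192.0.2.254")   # default route, ignored for validation
    rib.add("192.0.2.0/24", iface="em0")          # connected uplink LAN (constructed)
    learned = {
        "198.51.100.0/24": "192.0.2.1",   # next hop on the uplink LAN: valid
        "203.0.113.0/24": "10.200.0.2",   # next hop on a tunnel not in the RIB: invalid
    }
    before = validate(rib, learned)
    # Remedy from the thread: make the next hop visible with a static (or IGP) route.
    rib.add("10.200.0.0/30", iface="wg0")
    after = validate(rib, learned)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for label, result in (("before static route", before), ("after static route", after)):
        print(label)
        for prefix, (valid, reason) in result.items():
            print(f"  {'*' if valid else ' '} {prefix}: {reason}")
```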
Re: httpd not reachable from outside
Hi Adriano,

Can you just restart httpd with rcctl restart httpd? Did your IP addresses on the external interface change? What are the loaded firewall rules?

Thanks
Tom Smyth

On Thu 23 Jun 2022, 00:05 Adriano Barbosa, wrote:

> Hi.
>
> My httpd was working perfectly for the last 32 days and today it doesn't respond anymore. Last change I made on this box was update nextcloud package, tested after the upgrade and it was working. The machine is running 7.1-stable.
>
> httpd responds on the machine itself with a curl localhost call, for example, but not from outside.
>
> nmap from outside returns
> PORT     STATE     SERVICE
> 80/tcp   filtered  http
> 443/tcp  filtered  https
>
> httpd.conf is defined with
> listen on * port 80
> and
> listen on * tls port 443
>
> I remember it happening once and it solved after a machine reboot, but I don't have physical access to the machine for this week to enter bioctl password after the reboot and I'm afraid to try a network restart by myself and lose access to the machine.
>
> Any ideas or suggestions on how to find the problem?
>
> Thank you!
Hello Folks, I'm in Brussels for the evening if anyone wants to meet up
Hello Folks,

I'm in Brussels for the evening if anyone wants to meet up.

-- 
Kindest regards,
Tom Smyth.
Re: documentation
Hi Gustavo,

Any manual pages that you wish to convert to PDF can be done with PDF; stuart@ had once recommended the following command for creating a nice PDF manual of the PF firewall:

man -T pdf pf.conf > pf.conf.pdf

Hope this helps

On Tue, 24 May 2022 at 16:54, Gustavo Rios wrote:

> Hi folks,
>
> I would like to download a pdf version of the faq and pf guide for openbsd 7.1. May some one here point me where i could fetch the pdf documentation from ?
>
> Thanks a lot.
>
> -- 
> The lion and the tiger may be more powerful, but the wolves do not perform in the circus

-- 
Kindest regards,
Tom Smyth.
Re: Wireguard IP packets fragmentation issue
Hello Stuart,

Sorry for the delay in replying. I think the issue in my ISP corner case was that clients were NATed to public address pool X, while link IPs within the ISP network (the IPs that might send the ICMP destination unreachable / fragmentation needed messages) would be NATed to a different IP address, so PMTU discovery inbound (behind the NAT) in that case didn't work. (I think you are right re the possibility of a catch-all NAT being missed for the private router links; that also would result in the PMTU frag-needed ICMP messages getting lost.)

Re:

> My preference is to try and set things up as much as possible so that you don't get PMTU blackholes or have to fragment the tunnel packet, but also clamp mss so that even if you do hit a blackhole there's no problem. There are some downsides to clamping MSS but they're relatively small and it's something done by almost every off-the-shelf home CPE so it's very very common on the internet.

Agreed on the above... I see a lot of 4G devices / networks clamping the hell out of TCP MSS in the wild also, which can make TCP VPNs (SSTP, TLS etc... VPNs) challenging, as you have to clamp the TCP MSS in anticipation of an outer clamp on the TCP MSS. Some tunnels do fragment gracefully (if you call doubling packets per second on your VPN device graceful), but performance takes a big hit; in testing, even deliberately fragmenting packets (to send full frames (layer 2) in tunnels or full packets in tunnels (layer 3)), the benefit of being able to send the full packet over the fragmented tunnel does not in any way increase perf... and the TCP MSS clamping gives the best throughput (in my experience)...

Thanks again,
Tom Smyth

On Sun 15 May 2022, 21:02 Stuart Henderson, wrote:

> On 2022-05-15, Tom Smyth wrote:
> > Hi Stuart,
> > I have huge regard for you and all you contribute to OpenBSD and the community
> > Im going to clarify what I meant and what my experience with PMTU and constrained MTUs behind NAT,
> > My humble experience is that if we have a constrained MTU behind a NAT Path MTU discovery from the server to the client fails because
> >
> > [website]--- public IP MTU 1500 bytes --[firewall/Nat]--- private network MTU 1492 bytes ---client
> >
> > so while MTU discovery may work outbound...(from client to the website) the public website to the public IP has no way to discover the constrained PMTU behind the nat...
>
> There's no reason for this to fail? 1500 byte packet with DF set hits the firewall/nat box, route lookup, exit MTU is 1492, too big -> surely it just sends back frag needed?
>
> Even if you have a nat device with 1500 exit mtu and it then hits 1492 mtu on another device, similar case but the original frag-needed is sourced from a private address so it gets natted on the way out.
>
> There could be some specific cases where things aren't setup to allow this to work but there's nothing in general to cause it to fail.
>
> The problem case is when you have router hops on private addresses where there is *no* nat in the path in which case icmp is generated from the private address but there's nothing to translate it, so that case you do often lose the message due to "no martian" packet filtering.
>
> > This corner case was discovered when I setup My ISP initially and I had not many IP addresses many moons ago
> > It would be rare for a client behind a NAT to have a smaller MTU than their public IP internet connection.
> >
> > Is my reasoning and analysis here correct ?
> >
> > Regarding my comment
> > > PMTU cannot properly account for underlay restrictions Inside a VPN
> >
> > what I meant was, that if you set an MTU of 1500 on a VPN Tunnel interface but in sending 1500 Bytes in an IP packet across the tunnel it requires the VPN encapsulated Packet + a Fragment Packet to be sent also, (on the underlay interface) the Router on the VPN won't send a Fragment needed IP message to the client because the MTU of the Tunnel was not exceeded (but the MTU on the underlay was exceeded)
>
> This depends on the MTU stored in the route table entry used to send the packet over the vpn.
>
> With a separate tunnel interface the mtu on that interface and thus the route table can be set low enough that frag needed is sent.
>
> With standard flow-based IPsec the route used is normally the default route with either a standard ethernet MTU or a pppoe MTU. But if there's another route (route-based IPsec on OS which have this, or a dummy interface such as is sometimes used in combo with flow-based IPsec, for example a vether interface with
Re: Wireguard IP packets fragmentation issue
Hi Stuart,

I have huge regard for you and all you contribute to OpenBSD and the community. I'm going to clarify what I meant and what my experience with PMTU and constrained MTUs behind NAT is.

My humble experience is that if we have a constrained MTU behind a NAT, Path MTU discovery from the server to the client fails, because

[website]--- public IP MTU 1500 bytes --[firewall/Nat]--- private network MTU 1492 bytes ---client

so while MTU discovery may work outbound (from client to the website), the public website to the public IP has no way to discover the constrained PMTU behind the NAT...

This corner case was discovered when I set up my ISP initially and I had not many IP addresses, many moons ago. It would be rare for a client behind a NAT to have a smaller MTU than their public IP internet connection.

Is my reasoning and analysis here correct?

Regarding my comment

> PMTU cannot properly account for underlay restrictions Inside a VPN

what I meant was, that if you set an MTU of 1500 on a VPN tunnel interface, but sending 1500 bytes in an IP packet across the tunnel requires the VPN encapsulated packet + a fragment packet to be sent also (on the underlay interface), the router on the VPN won't send a fragment needed IP message to the client because the MTU of the tunnel was not exceeded (but the MTU on the underlay was exceeded).

I hope the clarifications help and that I'm right, or at least that I learn something new :)

Thanks
Tom Smyth

On Sun, 15 May 2022 at 19:37, Stuart Henderson wrote:

> On 2022-05-15, Tom Smyth wrote:
> > IP fragments on internet are avoided generally through PMTU discovery (mtu path discovery) but PMTU does not work beyond a Nat (if a smaller MTU interface exists behind a NAT then the smaller MTU will not be discovered.
>
> That's not right, NAT doesn't break PMTU detection.
>
> > PMTU cannot properly account for underlay restrictions Inside a VPN
>
> Depends on the VPN type. For VPNs using a tunnel device (openvpn, WireGuard, gif/gre/l2tp etc, maybe route-based IPsec) then PMTU works like it would on another network type. Not normally for flow-based IPsec though as the MTU is taken from the route (but it can be made to work with a dummy interface covering the VPN range with a lower MTU set in it).

-- 
Kindest regards,
Tom Smyth.
Re: Wireguard IP packets fragmentation issue
Hello all,

One issue we have encountered with encapsulated packets is the IP fragment packets that are created when the would-be encapsulated packet would exceed the MTU of an underlay interface. On non-NATed networks with firewalls that behave themselves the tunnels may work; however, across the internet, more often than not there will be some problematic NAT / firewall implementations that block these IP fragments.

A good way of diagnosing the issue with tunnels is to use ping -s and gradually increase the ping packet size (inside the tunnel) and do a packet capture on the underlay interface that is transmitting the VPN encapsulated ping packets. If this packet capture is done on the physical interface of the devices at both ends of the tunnel one can see if the IP fragments are getting through... I found that this exercise was a good way of understanding how the packets are encapsulated in a given VPN protocol, and of discovering the conditions where IP fragments were being generated. If IP fragments are blocked or dropped or routed asymmetrically (packet ordering issues) then they are likely to break.

A great article on IP fragments and why they suck so bad is outlined here: https://blog.cloudflare.com/ip-fragmentation-is-broken/

Avoiding IP fragments:

IP fragments on the internet are avoided generally through PMTU discovery (MTU path discovery), but PMTU does not work beyond a NAT (if a smaller MTU interface exists behind a NAT then the smaller MTU will not be discovered). PMTU cannot properly account for underlay restrictions inside a VPN.

TCP MSS resizing eliminates fragments for tunneled TCP packets, but the problem remains for non-TCP IP payloads. By reducing MSS (and therefore the required MTU to support a connection) the need to generate IP fragments is reduced. Restricting the MTU of interfaces of internal devices that generate a lot of non-TCP traffic can reduce fragmentation across the VPN (it's horrible, I know).

The alternative is to set up the VPN so that it fragments gracefully. OpenVPN, for instance, mitigates this IP fragment issue for UDP VPNs by introducing UDP fragments, so packets less than half the UDP frag limit are sent as one packet; larger packets are broken into 2 equal sized encapsulated packets and transmitted. These UDP fragmented VPN encapsulated packets have the benefit of having the same source / destination IPs, ports and protocol (and are more likely to be accepted in firewall state tables), and have the same hash, so they will be routed / switched along the same path (reducing packet ordering issues). (There is a disadvantage of doubling the PPS requirements of your hardware.)

Bottom line: captures on physical interfaces sending and receiving encapsulated VPN packets at both sides of the VPN can help identify the IP fragment issue, and then steps to avoid it can be taken. On my own network we try to avoid fragments by increasing the physical interfaces' MTU (underlay) to ensure the overlay VPNs can send full sized packets (but this is difficult to achieve across the internet).

I hope this helps,

On Sun, 15 May 2022 at 07:03, Jason McIntyre wrote:

> On Sat, May 14, 2022 at 09:14:36PM -, Stuart Henderson wrote:
> > On 2022-05-14, Georg Pfuetzenreuter wrote:
> > > pppoe(4) already has a section on this, possibly this could be used as a start.
> >
> > It's not a great start really. Mixes up information about a method to set the pppoe MTU to 1500 (RFC4638) and using scrub, doesn't describe the problem (says "causing conflict" but this isn't very meaningful or really correct), and points at nonexistent "more information on MTU, MSS and NAT" as this isn't in pf.conf(5).
>
> hi.
>
> if there are issues in that text, feel free to suggest how to improve it.
>
> - mixing mtu to 1500 and scrub: well, both concern issues with mtu. why wouldn't they be together in there?
>
> - "causing conflict": feel free to be more specific. it's not something i have knowledge of
>
> - "more information in pf.conf": yes there is information in pf.conf on mtu, mss, and nat, including the syntax for using them. again, why wouldn't we point people there?
>
> i'm happy to try and rework the text if you think it can be improved.
>
> jmc

-- 
Kindest regards,
Tom Smyth.
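The arithmetic behind the MTU, fragmentation and MSS-clamping points made throughout this thread (Tom's tunnel-MTU-versus-underlay case and Stuart's clamp-anyway advice), as an added example that is not code from the thread, OpenBSD or WireGuard: given an underlay MTU it computes the largest safe tunnel MTU, whether a full-size inner packet would be silently fragmented on the underlay, and the TCP MSS to clamp to. WireGuard is assumed as the tunnel protocol for concreteness; the header sizes are the standard ones, and the interface name wg0 in a comment is illustrative.

```python
"""Tunnel MTU, fragmentation and TCP MSS clamp arithmetic for a WireGuard tunnel.

Added example, not code from the thread, OpenBSD or WireGuard. Header sizes
are the standard ones (IPv4 20, IPv6 40, UDP 8, TCP 20). WireGuard transport
packets add 32 bytes (4 type/reserved + 4 receiver index + 8 counter +
16 Poly1305 tag) and pad the inner packet to a multiple of 16, but never
past the tunnel MTU. Interface names in comments are made up.
"""
IPV4_HDR, IPV6_HDR, UDP_HDR, TCP_HDR = 20, 40, 8, 20
WG_OVERHEAD = 32
WG_PAD = 16


def _ip_hdr(af):
    return IPV4_HDR if af == "ipv4" else IPV6_HDR


def tunnel_mtu(underlay_mtu, underlay_af="ipv4"):
    """Largest inner packet the underlay can carry without fragmenting the outer packet.
    A 1500-byte IPv4 underlay gives 1440; an IPv6 underlay gives 1420 (WireGuard's default)."""
    return underlay_mtu - _ip_hdr(underlay_af) - UDP_HDR - WG_OVERHEAD


def wg_outer_size(inner_len, tun_mtu, underlay_af="ipv4"):
    """Bytes on the wire for one encapsulated packet carrying inner_len bytes."""
    padded = min(tun_mtu, -(-inner_len // WG_PAD) * WG_PAD)  # round up to 16, capped at MTU
    padded = max(padded, inner_len)                         # never shorter than the payload
    return _ip_hdr(underlay_af) + UDP_HDR + WG_OVERHEAD + padded


def fragments(inner_len, tun_mtu, underlay_mtu, underlay_af="ipv4"):
    """True when the outer packet exceeds the underlay MTU. This is the case the
    thread describes: the inner packet did not exceed the tunnel MTU, so the tunnel
    endpoint sends no ICMP 'fragmentation needed'; the underlay fragments instead."""
    return wg_outer_size(inner_len, tun_mtu, underlay_af) > underlay_mtu


def mss_clamp(inner_mtu, inner_af="ipv4"):
    """TCP MSS that lets a full segment fit inner_mtu.
    In pf this would be applied with e.g.: match on wg0 scrub (max-mss <value>)"""
    return inner_mtu - _ip_hdr(inner_af) - TCP_HDR


def plan(underlay_mtu, tun_mtu, underlay_af="ipv4", inner_af="ipv4"):
    """Summarise a configuration: is tun_mtu safe for this underlay, and what MSS to clamp to."""
    safe = tunnel_mtu(underlay_mtu, underlay_af)
    return {
        "safe_tunnel_mtu": safe,
        "configured_tunnel_mtu": tun_mtu,
        "full_size_packet_fragments": fragments(tun_mtu, tun_mtu, underlay_mtu, underlay_af),
        "mss_clamp": mss_clamp(min(tun_mtu, safe), inner_af),
    }


if __name__ == "__main__":
    # Misconfigured: tunnel MTU left at 1500 over a 1500-byte IPv4 underlay.
    print(plan(1500, 1500))
    # Corrected: tunnel MTU 1440, TCP MSS clamped to 1400.
    print(plan(1500, 1440))
    # PPPoE underlay at 1492 bytes (as in the thread) with an IPv6 outer header.
    print(plan(1492, 1420, underlay_af="ipv6"))
```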
Re: calling all PFsync users for experience, gotchas, feedback, tips and tricks
Hello all,

Thanks for the feedback; it is really helpful to have people's experiences in the wild to help feed into the training course content, and certainly better than just my humble experience. I really appreciate all of your feedback.

Thanks again folks,
Tom Smyth

On Fri, 13 May 2022 at 11:20, Stuart Henderson wrote:

> On 2022-05-13, Marko Cupać wrote:
> > The only problem I currently have with pfsync is the fact that it does not synchronise queue membership of states.
>
> IIRC this is meant to work but only if you have identical rulesets, after expanding interface addresses etc. This will require some care in constructing pf.conf - interface groups instead of interface names if nic hw is different - "(self)" or list the addresses of both firewalls instead of using "self" - avoid "antispoof".

-- 
Kindest regards,
Tom Smyth.
calling all PFsync users for experience, gotchas, feedback, tips and tricks
Hello Folks,

We are updating some course material for an upcoming PF firewall course, and I would like to put a call out to those who use pfsync in a redundant firewall cluster about your user experience. Have you come across any edge cases? Have you any tips or tricks about pfsync? Have you come across any edge cases / minor misconfigurations / suboptimal configurations that caused problems? Were there some tweaks you had to make to make your system scale?

It is likely that people who are running pfsync have more complicated firewall configs, and I would like to see what tuning other people have done in the field. I would appreciate any feedback or problem descriptions (with or without solutions).

What is the largest throughput firewall you deployed with pfsync? How was your experience of running with pfsync vs without pfsync on your firewall?

Thanks again,
-- 
Kindest regards,
Tom Smyth.
Re: time drift in OpenBSD in proxmox (qemu-kvm) guest
Hello Stuart,

What is the EFI / BIOS power management / CPU power management performance setting set to? If the CPU is throttled back (due to low usage), is that affecting the timekeeping? It might be worth trying OS Controlled or Performance (as a test); it may be set to power saving or balanced.

I hope this helps (and thanks for your patience with my previous impulsive, albeit trying to help, replies earlier).

Tom Smyth

On Fri, 15 Apr 2022 at 11:12, Stuart Henderson wrote:
>
> On 2022-04-14, Stefan Sperling wrote:
> > On Thu, Apr 14, 2022 at 09:26:41PM -, Stuart Henderson wrote:
> >> I have some OpenBSD guests in Proxmox VE 7.1-7 (pve-qemu-kvm_6.1.0) and
> >> seeing pretty bad clock drift (50 seconds in ~7h uptime). ntpd can't cope
> >> with it. From boot:
> >>
> >> 2022-04-14T13:58:19.844Z ntpd[26996]: adjusting local clock by 1.745061s
> >> 2022-04-14T13:59:24.070Z ntpd[26996]: adjusting local clock by 1.504470s
> >> 2022-04-14T14:03:51.176Z ntpd[26996]: adjusting local clock by 2.430486s
> >> 2022-04-14T14:07:40.299Z ntpd[26996]: adjusting local clock by 2.48s
> >> 2022-04-14T14:11:51.540Z ntpd[26996]: adjusting local clock by 3.173884s
> >> 2022-04-14T14:15:03.534Z ntpd[26996]: adjusting local clock by 3.109722s
> >> 2022-04-14T14:16:04.848Z ntpd[26996]: adjusting local clock by 3.185755s
> >> 2022-04-14T14:17:40.286Z ntpd[26996]: adjusting local clock by 3.575126s
> >> 2022-04-14T14:18:45.582Z ntpd[26996]: adjusting local clock by 4.231518s
> >> 2022-04-14T14:22:27.618Z ntpd[26996]: adjusting local clock by 4.231999s
> >> 2022-04-14T14:25:41.618Z ntpd[26996]: adjusting local clock by 4.844904s
> >> 2022-04-14T14:29:58.888Z ntpd[26996]: adjusting local clock by 4.451876s
> >> 2022-04-14T14:32:41.628Z ntpd[26996]: adjusting local clock by 5.250357s
> >>
> >> etc. No difference whether qemu-ga is used or not. No difference between
> >> passing through the real cpu type (i.e. cpu=host, Ryzen 5650G in this case)
> >> and passing through as "common KVM processor". The guest does detect and
> >> use pvclock(4).
> >>
> >> $ sysctl kern.timecounter
> >> kern.timecounter.tick=1
> >> kern.timecounter.timestepwarnings=0
> >> kern.timecounter.hardware=pvclock0
> >> kern.timecounter.choice=i8254(0) pvclock0(1500) acpihpet0(1000)
> >> acpitimer0(1000)
> >>
> >> Anyone have ideas of things I could try that are less wrong than
> >> running rdate from cron? Thanks.
> >
> > I have a -current built-a-week-ago guest on stock Debian KVM, no problems
> > with time-keeping. It picks acpihpet as timecounter instead of pvclock:
> >
> > $ sysctl kern.timecounter
> > kern.timecounter.tick=1
> > kern.timecounter.timestepwarnings=0
> > kern.timecounter.hardware=acpihpet0
> > kern.timecounter.choice=i8254(0) pvclock0(500) acpihpet0(1000)
> > acpitimer0(1000)
>
> Interesting - I would have expected the opposite. I've changed mine to
> acpihpet0 and it seems much happier. Your value of 500 indicates that the
> PVCLOCK_TSC_STABLE flag wasn't set by the host, I guess that's dependent
> on host cpu features.
>
> Summarising other responses:
>
> - Q35 vs i440FX emulated hw setting: no difference
> - AMD EPYC performance tuning guide: cpu load is pretty low, I think this
>   is unlikely to be relevant
> - kvm_intel/parameters/preemption_timer: seems Intel-only and reports are
>   that it's not needed for newer KVM
>

-- Kindest regards, Tom Smyth.
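An added example, not code from the thread: it parses the two kern.timecounter.choice values quoted above, reports which counter the kernel prefers, and classifies pvclock0 using the rule Stuart states (quality 500 means the host did not set PVCLOCK_TSC_STABLE, 1500 means it did). That mapping, the function names and the "pin acpihpet0" advice are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: read an OpenBSD
# kern.timecounter.choice string, say which counter the kernel will prefer,
# and classify pvclock0 by its quality value. Per Stuart's message, 500 means
# the host did not set PVCLOCK_TSC_STABLE and 1500 means it did; that mapping
# and the function names below are this example's assumptions. The two
# sample strings are the sysctl outputs quoted in the thread.

# Print "name quality" pairs, one per line, from a string such as
# "i8254(0) pvclock0(1500) acpihpet0(1000) acpitimer0(1000)".
tc_pairs() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        sed -n 's/^\([A-Za-z0-9_]*\)(\(-*[0-9]*\))$/\1 \2/p'
}

# Highest-quality counter; the first one listed wins a tie.
tc_best() {
    tc_pairs "$1" | awk 'NR == 1 || $2 + 0 > best { best = $2 + 0; name = $1 }
                         END { print name }'
}

# stable / unstable / absent, from pvclock0's quality.
tc_pvclock_state() {
    q=$(tc_pairs "$1" | awk '$1 == "pvclock0" { print $2 }')
    case "$q" in
        "")   echo absent ;;
        1500) echo stable ;;      # PVCLOCK_TSC_STABLE set by the host
        500)  echo unstable ;;    # flag not set (Stefan's Debian KVM guest)
        *)    echo "unknown($q)" ;;
    esac
}

# What to run when a guest on pvclock0 drifts: Stuart's fix was to pin the
# HPET, which only makes sense when acpihpet0 is actually offered.
tc_advice() {
    best=$(tc_best "$1")
    if [ "$best" = pvclock0 ] && tc_pairs "$1" | grep -q '^acpihpet0 '; then
        echo "sysctl kern.timecounter.hardware=acpihpet0"
    else
        echo "keep $best"
    fi
}

# Constructed copies of the two kern.timecounter.choice values in the thread.
PROXMOX_CHOICE="i8254(0) pvclock0(1500) acpihpet0(1000) acpitimer0(1000)"
DEBIAN_CHOICE="i8254(0) pvclock0(500) acpihpet0(1000) acpitimer0(1000)"

for c in "$PROXMOX_CHOICE" "$DEBIAN_CHOICE"; do
    echo "choice: $c"
    echo "  kernel prefers: $(tc_best "$c"); pvclock0: $(tc_pvclock_state "$c"); advice: $(tc_advice "$c")"
done
```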
Re: time drift in OpenBSD in proxmox (qemu-kvm) guest
Apologies all, I missed (speed read) Stuart's mail... I would have a look at the preemption timer for the host... check out the top of page 15 of this AMD manual...
http://developer.amd.com/wp-content/resources/56263-Performance-Tuning-Guidelines-PUB.pdf
I would try the two settings related to the preemption timer on the Proxmox host.

Sorry for bombing the list on this one...

On Thu, 14 Apr 2022 at 22:54, Tom Smyth wrote:
>
> Stuart,
> sorry I wasn't entirely clear in my last email
>
> 1) you can try the /sys/module/kvm_intel/parameters/preemption_timer
> if the system is an Intel CPU based physical server
> 2) if you have an AMD system you may find the issue does not occur in that
> case
>
> 3) looking at the dmesg I see a KVM CPU in the VM config ... in
> Proxmox you can set it to Host
> if the emulated KVM CPU is causing the issue with OpenBSD
> this is something to try and it may improve your system performance
> more generally (and hopefully
> help the times)
>
> Other people who have Proxmox 7.1 and have access to an AMD CPU based server
> if they can try running an OpenBSD VM on an AMD processor
> based server to compare (what I found in my experience with KVM and
> OpenBSD and Proxmox
> was the drift issue / console freeze only occurred on Intel based
> systems ... and the preemption_timer
> kernel setting in the Proxmox Linux kernel sorted it)
>
>
>
>
> On Thu, 14 Apr 2022 at 22:45, Tom Smyth wrote:
> >
> > Stuart
> >
> > is your host on an Intel system?
> >
> > I had an awful time with Proxmox 5.0 and 5.1
> >
> > with clock drift and console freezes
> >
> > can you try to disable the following feature in the Proxmox host kernel
> >
> > /sys/module/kvm_intel/parameters/preemption_timer
> >
> > https://www.mail-archive.com/misc@openbsd.org/msg158768.html
> >
> >
> > You can try changing the CPU of the VM to Host (or the lowest generation
> > processor that is common to all your hosts in the cluster)
> > Better acceleration with modern processors
> >
> > Hope this helps
> >
> >
> > On Thu, 14 Apr 2022 at 22:37, Stuart Henderson wrote:
> > >
> > > I have some OpenBSD guests in Proxmox VE 7.1-7 (pve-qemu-kvm_6.1.0) and
> > > seeing pretty bad clock drift (50 seconds in ~7h uptime). ntpd can't cope
> > > with it. From boot:
> > >
> > > 2022-04-14T13:58:19.844Z ntpd[26996]: adjusting local clock by 1.745061s
> > > 2022-04-14T13:59:24.070Z ntpd[26996]: adjusting local clock by 1.504470s
> > > 2022-04-14T14:03:51.176Z ntpd[26996]: adjusting local clock by 2.430486s
> > > 2022-04-14T14:07:40.299Z ntpd[26996]: adjusting local clock by 2.48s
> > > 2022-04-14T14:11:51.540Z ntpd[26996]: adjusting local clock by 3.173884s
> > > 2022-04-14T14:15:03.534Z ntpd[26996]: adjusting local clock by 3.109722s
> > > 2022-04-14T14:16:04.848Z ntpd[26996]: adjusting local clock by 3.185755s
> > > 2022-04-14T14:17:40.286Z ntpd[26996]: adjusting local clock by 3.575126s
> > > 2022-04-14T14:18:45.582Z ntpd[26996]: adjusting local clock by 4.231518s
> > > 2022-04-14T14:22:27.618Z ntpd[26996]: adjusting local clock by 4.231999s
> > > 2022-04-14T14:25:41.618Z ntpd[26996]: adjusting local clock by 4.844904s
> > > 2022-04-14T14:29:58.888Z ntpd[26996]: adjusting local clock by 4.451876s
> > > 2022-04-14T14:32:41.628Z ntpd[26996]: adjusting local clock by 5.250357s
> > >
> > > etc. No difference whether qemu-ga is used or not. No difference between
> > > passing through the real cpu type (i.e. cpu=host, Ryzen 5650G in this
> > > case)
> > > and passing through as "common KVM processor". The guest does detect and
> > > use pvclock(4).
> > >
> > > $ sysctl kern.timecounter
> > > kern.timecounter.tick=1
> > > kern.timecounter.timestepwarnings=0
> > > kern.timecounter.hardware=pvclock0
> > > kern.timecounter.choice=i8254(0) pvclock0(1500) acpihpet0(1000)
> > > acpitimer0(1000)
> > >
> > > Anyone have ideas of things I could try that are less wrong than
> > > running rdate from cron? Thanks.
> > >
Re: time drift in OpenBSD in proxmox (qemu-kvm) guest
I have an Intel based Proxmox 7.1 being built pre-production. I'll have a go with it tomorrow and let you know.

On Thu, 14 Apr 2022 at 22:54, Tom Smyth wrote:
>
> Stuart,
> sorry I wasn't entirely clear in my last email
>
> 1) you can try the /sys/module/kvm_intel/parameters/preemption_timer
> if the system is an Intel CPU based physical server
> 2) if you have an AMD system you may find the issue does not occur in that
> case
>
> 3) looking at the dmesg I see a KVM CPU in the VM config ... in
> Proxmox you can set it to Host
> if the emulated KVM CPU is causing the issue with OpenBSD
> this is something to try and it may improve your system performance
> more generally (and hopefully
> help the times)
>
> Other people who have Proxmox 7.1 and have access to an AMD CPU based server
> if they can try running an OpenBSD VM on an AMD processor
> based server to compare (what I found in my experience with KVM and
> OpenBSD and Proxmox
> was the drift issue / console freeze only occurred on Intel based
> systems ... and the preemption_timer
> kernel setting in the Proxmox Linux kernel sorted it)
>
>
>
>
> On Thu, 14 Apr 2022 at 22:45, Tom Smyth wrote:
> >
> > Stuart
> >
> > is your host on an Intel system?
> >
> > I had an awful time with Proxmox 5.0 and 5.1
> >
> > with clock drift and console freezes
> >
> > can you try to disable the following feature in the Proxmox host kernel
> >
> > /sys/module/kvm_intel/parameters/preemption_timer
> >
> > https://www.mail-archive.com/misc@openbsd.org/msg158768.html
> >
> >
> > You can try changing the CPU of the VM to Host (or the lowest generation
> > processor that is common to all your hosts in the cluster)
> > Better acceleration with modern processors
> >
> > Hope this helps
> >
> >
> > On Thu, 14 Apr 2022 at 22:37, Stuart Henderson wrote:
> > >
> > > I have some OpenBSD guests in Proxmox VE 7.1-7 (pve-qemu-kvm_6.1.0) and
> > > seeing pretty bad clock drift (50 seconds in ~7h uptime). ntpd can't cope
> > > with it. From boot:
> > >
> > > 2022-04-14T13:58:19.844Z ntpd[26996]: adjusting local clock by 1.745061s
> > > 2022-04-14T13:59:24.070Z ntpd[26996]: adjusting local clock by 1.504470s
> > > 2022-04-14T14:03:51.176Z ntpd[26996]: adjusting local clock by 2.430486s
> > > 2022-04-14T14:07:40.299Z ntpd[26996]: adjusting local clock by 2.48s
> > > 2022-04-14T14:11:51.540Z ntpd[26996]: adjusting local clock by 3.173884s
> > > 2022-04-14T14:15:03.534Z ntpd[26996]: adjusting local clock by 3.109722s
> > > 2022-04-14T14:16:04.848Z ntpd[26996]: adjusting local clock by 3.185755s
> > > 2022-04-14T14:17:40.286Z ntpd[26996]: adjusting local clock by 3.575126s
> > > 2022-04-14T14:18:45.582Z ntpd[26996]: adjusting local clock by 4.231518s
> > > 2022-04-14T14:22:27.618Z ntpd[26996]: adjusting local clock by 4.231999s
> > > 2022-04-14T14:25:41.618Z ntpd[26996]: adjusting local clock by 4.844904s
> > > 2022-04-14T14:29:58.888Z ntpd[26996]: adjusting local clock by 4.451876s
> > > 2022-04-14T14:32:41.628Z ntpd[26996]: adjusting local clock by 5.250357s
> > >
> > > etc. No difference whether qemu-ga is used or not. No difference between
> > > passing through the real cpu type (i.e. cpu=host, Ryzen 5650G in this
> > > case)
> > > and passing through as "common KVM processor". The guest does detect and
> > > use pvclock(4).
> > >
> > > $ sysctl kern.timecounter
> > > kern.timecounter.tick=1
> > > kern.timecounter.timestepwarnings=0
> > > kern.timecounter.hardware=pvclock0
> > > kern.timecounter.choice=i8254(0) pvclock0(1500) acpihpet0(1000)
> > > acpitimer0(1000)
> > >
> > > Anyone have ideas of things I could try that are less wrong than
> > > running rdate from cron? Thanks.
> > >
Re: time drift in OpenBSD in proxmox (qemu-kvm) guest
Stuart,

sorry I wasn't entirely clear in my last email

1) you can try the /sys/module/kvm_intel/parameters/preemption_timer
if the system is an Intel CPU based physical server
2) if you have an AMD system you may find the issue does not occur in that case

3) looking at the dmesg I see a KVM CPU in the VM config ... in Proxmox you can set it to Host. If the emulated KVM CPU is causing the issue with OpenBSD this is something to try, and it may improve your system performance more generally (and hopefully help the times).

Other people who have Proxmox 7.1 and have access to an AMD CPU based server, if they can try running an OpenBSD VM on an AMD processor based server to compare (what I found in my experience with KVM and OpenBSD and Proxmox was the drift issue / console freeze only occurred on Intel based systems ... and the preemption_timer kernel setting in the Proxmox Linux kernel sorted it).

On Thu, 14 Apr 2022 at 22:45, Tom Smyth wrote:
>
> Stuart
>
> is your host on an Intel system?
>
> I had an awful time with Proxmox 5.0 and 5.1
>
> with clock drift and console freezes
>
> can you try to disable the following feature in the Proxmox host kernel
>
> /sys/module/kvm_intel/parameters/preemption_timer
>
> https://www.mail-archive.com/misc@openbsd.org/msg158768.html
>
>
> You can try changing the CPU of the VM to Host (or the lowest generation
> processor that is common to all your hosts in the cluster)
> Better acceleration with modern processors
>
> Hope this helps
>
>
> On Thu, 14 Apr 2022 at 22:37, Stuart Henderson wrote:
> >
> > I have some OpenBSD guests in Proxmox VE 7.1-7 (pve-qemu-kvm_6.1.0) and
> > seeing pretty bad clock drift (50 seconds in ~7h uptime). ntpd can't cope
> > with it. From boot:
> >
> > 2022-04-14T13:58:19.844Z ntpd[26996]: adjusting local clock by 1.745061s
> > 2022-04-14T13:59:24.070Z ntpd[26996]: adjusting local clock by 1.504470s
> > 2022-04-14T14:03:51.176Z ntpd[26996]: adjusting local clock by 2.430486s
> > 2022-04-14T14:07:40.299Z ntpd[26996]: adjusting local clock by 2.48s
> > 2022-04-14T14:11:51.540Z ntpd[26996]: adjusting local clock by 3.173884s
> > 2022-04-14T14:15:03.534Z ntpd[26996]: adjusting local clock by 3.109722s
> > 2022-04-14T14:16:04.848Z ntpd[26996]: adjusting local clock by 3.185755s
> > 2022-04-14T14:17:40.286Z ntpd[26996]: adjusting local clock by 3.575126s
> > 2022-04-14T14:18:45.582Z ntpd[26996]: adjusting local clock by 4.231518s
> > 2022-04-14T14:22:27.618Z ntpd[26996]: adjusting local clock by 4.231999s
> > 2022-04-14T14:25:41.618Z ntpd[26996]: adjusting local clock by 4.844904s
> > 2022-04-14T14:29:58.888Z ntpd[26996]: adjusting local clock by 4.451876s
> > 2022-04-14T14:32:41.628Z ntpd[26996]: adjusting local clock by 5.250357s
> >
> > etc. No difference whether qemu-ga is used or not. No difference between
> > passing through the real cpu type (i.e. cpu=host, Ryzen 5650G in this case)
> > and passing through as "common KVM processor". The guest does detect and
> > use pvclock(4).
> >
> > $ sysctl kern.timecounter
> > kern.timecounter.tick=1
> > kern.timecounter.timestepwarnings=0
> > kern.timecounter.hardware=pvclock0
> > kern.timecounter.choice=i8254(0) pvclock0(1500) acpihpet0(1000)
> > acpitimer0(1000)
> >
> > Anyone have ideas of things I could try that are less wrong than
> > running rdate from cron? Thanks.
> >
Re: time drift in OpenBSD in proxmox (qemu-kvm) guest
-- Kindest regards, Tom Smyth.
Re: pf documentation
Steve,

if you like books... Peter Hansteen has written a book, The Book of PF, which I have read and would recommend
https://nostarch.com/pf3

and if you are interested in firewalls in general and comparing features

On Thu, 7 Apr 2022 at 10:40, Tom Smyth wrote:
>
> Hi Steve,
> I'm going to give my usual answer here
>
>
> Peter Hansteen and Max Stucchi have an amazing tutorial on PF
> https://home.nuug.no/~peter/pftutorial/#1
>
> but they explain the concepts really well
> recommend the class that they do in person ..
>
> for the latest features about PF in the version of OpenBSD you are running ...
>
> man pfctl or man pf.conf will help you ...
>
> if you need an intro to the intro ...
> https://openbsdjumpstart.org by Wesley is pretty cool and gets you
> started on OpenBSD and PF
>
>
>
> Hope this helps,
>
> Tom Smyth
>
> On Thu, 7 Apr 2022 at 10:28, Brodey Dover wrote:
> >
> > To be honest, I just used the handbook/FAQ.
> >
> > https://www.openbsd.org/faq/pf/example1.html
> >
> > Note that some grammar and syntax from Google search results will not work
> > in newer versions of pf.
> >
> > Sent from my iPhone
> >
> > > On Apr 7, 2022, at 05:13, Steve Litt wrote:
> > >
> > > Hi all,
> > >
> > > I need some easy beginner's pf documentation as well as some
> > > intermediate pf documentation. I plan to make an OpenBSD/pf firewall. I
> > > haven't done this in ten years, and imagine pf and the process of
> > > turning OpenBSD into a firewall have changed in that time.
> > >
> > > Thanks,
> > >
> > > SteveT
> > >
> > > Steve Litt
> > > March 2022 featured book: Making Mental Models: Advanced Edition
> > > http://www.troubleshooters.com/mmm
> > >
>
>
> --
> Kindest regards,
> Tom Smyth.

-- Kindest regards, Tom Smyth.
Re: pf documentation
Hi Steve,

I'm going to give my usual answer here

Peter Hansteen and Max Stucchi have an amazing tutorial on PF
https://home.nuug.no/~peter/pftutorial/#1

but they explain the concepts really well
recommend the class that they do in person ..

for the latest features about PF in the version of OpenBSD you are running ...

man pfctl or man pf.conf will help you ...

if you need an intro to the intro ...
https://openbsdjumpstart.org by Wesley is pretty cool and gets you started on OpenBSD and PF

Hope this helps,

Tom Smyth

On Thu, 7 Apr 2022 at 10:28, Brodey Dover wrote:
>
> To be honest, I just used the handbook/FAQ.
>
> https://www.openbsd.org/faq/pf/example1.html
>
> Note that some grammar and syntax from Google search results will not work in
> newer versions of pf.
>
> Sent from my iPhone
>
> > On Apr 7, 2022, at 05:13, Steve Litt wrote:
> >
> > Hi all,
> >
> > I need some easy beginner's pf documentation as well as some
> > intermediate pf documentation. I plan to make an OpenBSD/pf firewall. I
> > haven't done this in ten years, and imagine pf and the process of
> > turning OpenBSD into a firewall have changed in that time.
> >
> > Thanks,
> >
> > SteveT
> >
> > Steve Litt
> > March 2022 featured book: Making Mental Models: Advanced Edition
> > http://www.troubleshooters.com/mmm
> >

-- Kindest regards, Tom Smyth.
Re: TLS library problem: tlsv1 alert protocol
Hi Stephan,

At a guess I would say that there is no overlap between the supported TLS protocol versions and ciphers available on the client vs the server. If your system is using a recent version of an OS and you are trying to relay to an older legacy system, ideally ask the older system to upgrade / enable higher ciphers, or you can be more permissive in your TLS configuration...

I hope this is helpful

On Wed, 6 Apr 2022 at 23:32, Stephan Mending wrote:
>
> Hi *,
> I've noticed on my mail relays that the TLS handshake with one certain email
> relay keeps failing. I was wondering what the
> reason for that may be.
>
> Following error from postfix:
>
> connect from mout.web.de[ IP ]:44003
> SSL_accept error from mout.web.de[ IP ]:44003: -1
> warning: TLS library problem: error:1404A42E:SSL routines:ST_ACCEPT:tlsv1
> alert protocol version:/usr/src/lib/libssl/tls13_lib.c:150:
> lost connection after STARTTLS from mout.web.de
>
> Can anybody with more knowledge of libressl and its error messages tell by
> this error what is wrong?
>
> Best regards,
> Stephan
>

-- Kindest regards, Tom Smyth.
Re: Changing rdomain on an interface after the rdomain has already been set openbsd7.0 / 7.1snapshots
Hey David,

thanks for the reply, makes more sense to me now... Thanks again...

Tom Smyth

On Sat, 2 Apr 2022 at 04:11, David Gwynne wrote:
>
> loopback interfaces are special and kind of end up representing an rdomain
> inside the kernel, which is where this restriction comes from.
>
> dlg
>
> > On 2 Apr 2022, at 09:36, Tom Smyth wrote:
> >
> > Hello,
> > I came across an issue that once an rdomain is set on a
> > loopback interface
> > you can't change it without destroying and re-creating the interface,
> > while it appears you can change a virtio network interface, is this a
> > bug or a feature
> >
> > tobsd# ifconfig lo3 create
> > tobsd# ifconfig lo3 rdomain 3
> > tobsd# ifconfig lo3 inet 127.0.0.1/8
> > tobsd# ifconfig lo3
> > lo3: flags=8049 rdomain 3 mtu 32768
> > index 5 priority 0 llprio 3
> > groups: lo
> > inet6 ::1 prefixlen 128
> > inet6 fe80::1%lo3 prefixlen 64 scopeid 0x5
> > inet 127.0.0.1 netmask 0xff00
> > tobsd# ifconfig lo3 rdomain 0
> > ifconfig: SIOCSIFRDOMAIN: Operation not permitted
> > tobsd# ifconfig
> >
> >
> > --
> > Kindest regards,
> > Tom Smyth.
>

-- Kindest regards, Tom Smyth.
Changing rdomain on an interface after the rdomain has already been set openbsd7.0 / 7.1snapshots
Hello,

I came across an issue that once an rdomain is set on a loopback interface you can't change it without destroying and re-creating the interface, while it appears you can change a virtio network interface. Is this a bug or a feature?

tobsd# ifconfig lo3 create
tobsd# ifconfig lo3 rdomain 3
tobsd# ifconfig lo3 inet 127.0.0.1/8
tobsd# ifconfig lo3
lo3: flags=8049 rdomain 3 mtu 32768
        index 5 priority 0 llprio 3
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo3 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff00
tobsd# ifconfig lo3 rdomain 0
ifconfig: SIOCSIFRDOMAIN: Operation not permitted
tobsd# ifconfig

-- Kindest regards, Tom Smyth.
Re: issue with move to php8 as default
Hi ITwrx,

you will need to check your rc.conf.local and update it to start up the php8.0 fpm. It is possible (I'm not saying it is recommended) but it is possible to run different versions of php fpm (with different socket files) for different applications on the same server... but it sounds like you just need to remove the php7.4 fpm line in your rc.conf.local and replace it with a line that would start up your php8 fpm.

I hope this helps,

On Mon, 28 Mar 2022 at 20:10, ITwrx wrote:
> I'm running php7.4 and php8 at the same time on an OpenBSD 7.0 machine
> I'm testing as a web server. I'm pretty sure they were both starting up
> fine until yesterday (it's been a while) after I updated with pkg_add -u
> and syspatch. Now, php8 fails to start with:
>
> ERROR: Another FPM instance seems to already listen on
> /var/www/run/php-fpm.sock
> ERROR: FPM initialization failed
>
> This seems to be due to the fact that php8.0 became the new default,
> but it looks like php74 is still trying to use php-fpm.sock instead of
> php-fpm74.sock, or whatever it's supposed to be called once it's not
> the default anymore.
>
> Am I missing something, or is this a bug? If the latter, is this email
> sufficient to get it looked at, or would I need to report it more
> formally?
>
> Thanks,
> ITwrx
>

-- Kindest regards, Tom Smyth.
Re: Advice for hardening a PHP webserver on OpenBSD
Hi,

OWASP has some cheat sheets for hardening PHP configurations,
https://cheatsheetseries.owasp.org/cheatsheets/PHP_Configuration_Cheat_Sheet.html

You can combine it with httpd, which would run the PHP app and website inside a chroot jail. You can also review the PHP application for the functions that it uses and then disable any functions not required by the PHP application (care needs to be taken with obfuscated / encoded website applications). You can also restrict the extensions that you don't need to reduce the attack surface.. You can also put limits on the sizes of post / upload size (if they are needed or not).. You can also restrict HTTP methods (for instance in a CMS site that doesn't require updates / login publicly, and allow posts from specific IPs).

I hope this helps

On Thu, 10 Mar 2022 at 00:17, wrote:
> Hi all,
>
> I have done a lot of coding in PHP over the years, but have only
> recently had a chance to look deeper into the language in order to look
> at some of the C coding and see how security and bugs are handled. Of
> course this has been very eye opening and I am shocked at how many
> confirmed security bugs just stay dormant without being fixed for
> more than a decade. This seems to mainly be because PHP is such a huge
> pile of crap mixed together. In several cases the developers simply
> cannot see how a serious security bug can be fixed because it will
> cause a cascade of problems elsewhere - so they leave it. Then when you
> do coding in PHP, you have to be an expert in "PHP problems" in order
> to avoid all of that.
>
> I am considering abandoning all future work with PHP and perhaps only do
> projects in Go instead, but I haven't had the time to compare how
> seriously security is taken in Go. I would suspect a lot better (simpler
> language, daily usage by Google and many other big companies,
> involvement of Ken, Rob, and others), but that is just assumptions. Any
> advice on that?
>
> I know how OpenBSD chroots the webserver and thereby PHP too, but I
> need advice on how to harden a PHP server further. I only run
> production servers on OpenBSD.
>
> On a higher level there is "disable_functions" and "disable_classes",
> an internal feature of PHP, but it's a blacklist, and PHP has about a
> gazillion functions. Furthermore, it doesn't make a lot of sense to me
> since it's possible to use even basic functions such as "require" or
> "include" for remote code execution in the form of local file include
> and remote file include vulnerabilities. If you need to disable all the
> dangerous functions, you can hardly use PHP. And then.. it's on the PHP
> level, sooo. But maybe every little bit counts?
>
> Anyway, what are you guys doing if you're running PHP in production on
> OpenBSD? Besides from NOT running PHP in production at all.
>
> Kindest regards.
>
> --
> Sent with Tutanota, the secure & ad-free mailbox.
>

-- Kindest regards, Tom Smyth.
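An added example, not code from the thread or from OWASP, for the "review the application for the functions it uses, then disable the rest" step above: it greps a PHP tree for literal calls to a candidate list of risky built-ins and emits the disable_functions line for the ones never used. The candidate list, the function names and the two-file sample application are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from OWASP: derive a php.ini
# disable_functions value the way Tom describes, starting from a candidate
# list of risky built-ins and keeping only those the application never calls.
# The candidate list, the function names and the sample application are
# constructed for this example. grep only sees literal calls, so an
# obfuscated or encoded application (computed function names, eval'd
# strings) needs manual review before its result is trusted.

RISKY_FUNCS="exec passthru shell_exec system proc_open popen pcntl_exec dl putenv show_source highlight_file"

# Does any *.php file under $1 contain a literal call to function $2?
php_calls() {
    # "name(" not preceded by an identifier character, so "exec" does not
    # match "shell_exec(" and vice versa.
    find "$1" -name '*.php' -exec grep -liE "(^|[^A-Za-z0-9_])$2[[:space:]]*\(" {} + |
        grep -q .
}

# Risky functions the application does use: these need a code review.
used_risky_funcs() {
    for f in $RISKY_FUNCS; do php_calls "$1" "$f" && echo "$f"; done
    return 0
}

# Risky functions the application never calls: safe to disable.
unused_risky_funcs() {
    for f in $RISKY_FUNCS; do php_calls "$1" "$f" || echo "$f"; done
}

# The php.ini line to add for this application.
disable_functions_line() {
    echo "disable_functions = $(unused_risky_funcs "$1" | paste -s -d , -)"
}

# Constructed two-file application: one legacy shell_exec() call and
# nothing else from the candidate list.
make_sample_app() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/inc"
    cat > "$d/index.php" <<'EOF'
<?php
require 'inc/util.php';
echo htmlspecialchars(greet($_GET['n'] ?? 'world'));
EOF
    cat > "$d/inc/util.php" <<'EOF'
<?php
function greet($n) { return "hello $n"; }
$load = shell_exec('uptime');   // legacy helper still in use
EOF
    echo "$d"
}

app=$(make_sample_app)
echo "needs review: $(used_risky_funcs "$app" | paste -s -d , -)"
disable_functions_line "$app"
rm -rf "$app"
```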
Re: shells/nsh network shells, feedback and comments requested,
Hello all,

just following up on this as a call out to anyone who uses nsh or has used it in the past. If you have any feedback / suggestions I would really appreciate that.

Thanks
Tom Smyth

On Sun, 18 Apr 2021 at 13:31, Tom Smyth wrote:
> Hello,
>
> If anyone has used shells/nsh (past or present)
> or has any ideas, opinions on it and its usability,
> bug reports or questions can you let me know
> (on or off list I don't mind).
>
> I'm particularly interested in configuration limitations
> you came across (where you couldn't do something
> in NSH that you can do in base).
>
> We will be working on it to track current, and hopefully
> 7.0 release.
>
> Thanks
> Tom Smyth
>

-- Kindest regards, Tom Smyth.
Re: NSD: Could not tcp connect to X Operation timed out
Is pf allowing TCP port 53 as well as UDP port 53?

On Wed 19 Jan 2022, 11:46 Laura Smith, wrote:
> Hi
>
> OpenBSD NSD slave is driving me nuts with the following message in the
> logs "Could not tcp connect to X Operation timed out".
>
> The answer sounds obvious, but I can:
>
> - Ping the IP
> - Do a "dig @$auth_server_ip $auth_domain"
>
> Both respond normally.
>
> What am I missing here? Connectivity clearly works? PF is clearly not
> dropping inbound port 53 on the master?
>
> Thanks
>
> Laura
>
>
Re: Error on xenocara.tar.gz extraction
I think you need to do it as root or configure doas to perform the privileged operation...

On Thu 13 Jan 2022, 17:26 Rob Whitlock, wrote:
> Attempting to extract xenocara.tar.gz while avoiding root privileges as
> described here https://www.openbsd.org/faq/faq5.html#wsrc, I ran into an
> error, shown below:
>
> 0 thinkpad$ pwd
> /usr/xenocara
> 0 thinkpad$ ls -a
> .       ..
> 0 thinkpad$ tar xzf /home/rob/openbsd_files/7.0/xenocara.tar.gz
> tar: Access/modification time set failed on: .: Operation not permitted
> 1 thinkpad$ ls -a
> .           3RDPARTY  Makefile  data     doc     font   share
> ..          CVS       README    dist     driver  lib    util
> .gitignore  MODULES   app       distrib  etc     proto  xserver
> 0 thinkpad$ cd ..
> 0 thinkpad$ ls -ld xenocara
> drwxrwxr-x  16 root  wsrc  512 Jan 12 21:43 xenocara
> 0 thinkpad$ id
> uid=1001(rob) gid=1001 groups=1001, 0(wheel), 9(wsrc)
> 0 thinkpad$
>
> Running ktrace on tar shows that tar is trying to set the mtime of ., which
> corresponds to /usr/xenocara, with the function futimens, which fails.
> According to the man page for futimens, if the times argument is non-NULL,
> which is the case here, then the caller must be the owner of the file or
> the superuser. For an unprivileged user, this is not the case, as, although
> /usr/xenocara has group wsrc, it has owner root.
>
> Running tar tzf xenocara.tar.gz shows an entry for . which seems to be
> causing this problem. If you instead run tar xzf xenocara.tar.gz -s
> '/^\.$//' to omit only the . entry when extracting, there is no more error.
> There is a side effect to adding this -s option, which is that
> /usr/xenocara's mtime gets updated to the time the tarball extraction took
> place, as opposed to the time that was recorded for . in the tarball. I
> don't know whether updating /usr/xenocara to the mtime that was recorded in
> the tarball was intentional behavior or not.
>
> If updating the mtime of /usr/xenocara was not intentional behavior, it
> would seem to me that the fix for this problem would be to not include the
> . directory when making the tarball xenocara.tar.gz. I was unable to locate
> any code that was responsible for creating xenocara.tar.gz so I have not
> included a diff. If anybody could tell me where that code is then that
> would be appreciated.
>
> As another issue, extracting ports.tar.gz as a non-privileged user in /usr,
> as described in the document whose address is given above, results in
> failure due to lack of permission, as a normal user does not have access to
> create the /usr/ports directory.
>
> I am running a snapshot of OpenBSD 7.0 that is only a few days old.
>
Re: Help with basic pf rule to open port 25
Hi Sean,

Happy new year to you,

do a netstat and make sure that your software is listening on an address other than loopback, or on all addresses (0.0.0.0). Run the following command:

netstat -an

If you want to check active rules in pf, run the following command:

pfctl -sr

If you ever want to check your rules (in a recently edited pf.conf file), run

pfctl -nvvvf /etc/pf.conf

If the rules returned match what you wish, then you can commit / load them by running

pfctl -vvvf /etc/pf.conf

(each v increases verbosity)

Peter Hansteen and Max Stucchi have an amazing tutorial on PF
https://home.nuug.no/~peter/pftutorial/#1

but they explain the concepts really well
recommend the class that they do in person ..

for the latest features about PF in the version of OpenBSD you are running ...

man pfctl or man pf.conf will help you ...

I hope this helps, and enjoy the journey in OpenBSD... It is awesome...

Tom Smyth

On Wed, 5 Jan 2022 at 16:09, Sean McBride wrote:
> Hi all,
>
> (Newbie and first time poster, please be gentle :))
>
> I'm trying to set up spamd, and I think I'm having trouble with pf. So
> I tried to add a very basic test rule. I added to the beginning of
> /etc/pf.conf the following:
>
> pass in log quick on egress proto tcp to any port smtp
>
> then rebooted (for luck). If on the OpenBSD system itself I do `telnet
> localhost 25` I see the built-in OpenSMTPD. But if I telnet from
> another machine on my LAN, I fail to connect. Shouldn't that rule have
> opened port 25?
>
> Thanks,
>
> Sean
>

-- Kindest regards, Tom Smyth.
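An added example, not code from the thread, for the netstat check above: it reads a netstat -an listing and reports whether a TCP port is bound to all addresses, to a specific address, or to loopback only, then names which of Tom's two checks comes next. The function names and the sample listing are constructed; the listing uses OpenBSD's "address.port" layout.

```shell
#!/bin/sh
# Added example, not code from the thread: run Tom's first check over a
# netstat -an listing and say how a TCP port is bound, because a daemon bound
# only to loopback is unreachable from the LAN whatever pf passes. Function
# names and the sample listing are constructed; the listing follows OpenBSD's
# "address.port" layout (127.0.0.1.25, *.25, ::1.25).

# Read netstat -an on stdin; print "any", "loopback", "addr <ip>" or "none"
# for the LISTEN sockets on TCP port $1.
listen_state() {
    port=$1
    # Field 4 is the local address; the port is what follows the last dot.
    addrs=$(awk -v p="$port" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ".")
            if (a[n] == p) print substr($4, 1, length($4) - length(p) - 1)
        }')
    [ -n "$addrs" ] || { echo none; return 0; }
    if printf '%s\n' "$addrs" | grep -qFx '*'; then
        echo any
    elif printf '%s\n' "$addrs" | grep -qFvx -e 127.0.0.1 -e ::1; then
        echo "addr $(printf '%s\n' "$addrs" | grep -Fvx -e 127.0.0.1 -e ::1 | head -n 1)"
    else
        echo loopback
    fi
}

# Which of the checks from the thread to do next for port $1.
next_step() {
    case "$(listen_state "$1")" in
        none)     echo "nothing listens on port $1: start the daemon first" ;;
        loopback) echo "port $1 is bound to loopback only: fix the daemon's listen address, pf is not the problem yet" ;;
        *)        echo "port $1 is reachable locally: check pf with pfctl -sr and pfctl -nvvvf /etc/pf.conf" ;;
    esac
}

# Constructed listing: sshd on all addresses, smtpd only on loopback (what
# the stock OpenSMTPD config, "listen on lo0", produces).
NETSTAT_SAMPLE='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  127.0.0.1.25           *.*                    LISTEN
tcp          0      0  192.0.2.10.22          192.0.2.20.51234       ESTABLISHED
tcp          0      0  *.22                   *.*                    LISTEN
tcp6         0      0  ::1.25                 *.*                    LISTEN
udp          0      0  *.8025                 *.*'

for p in 25 22 8025; do
    printf '%s\n' "$NETSTAT_SAMPLE" | next_step "$p"
done
```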
Re: Recommendations on Buffer Space for Busy Unbound Resolver Service for a network
Thanks Stuart,

A year or two ago I set the following sysctl which did help:

fdns1# cat /etc/sysctl.conf
net.inet.udp.recvspace=262144
net.inet.udp.sendspace=262144

Thanks for the tip re diagnosing the UDP buffers. Output of the command you suggested looks good from a buffer perspective. The server has been running a few hours:

fdns1# netstat -s -p udp
udp:
    32820423 datagrams received
    0 with incomplete header
    0 with bad data length field
    7 with bad checksum
    133788 with no checksum
    32686635 input packets software-checksummed
    0 output packets software-checksummed
    40699 dropped due to no socket
    13873 broadcast/multicast datagrams dropped due to no socket
    0 dropped due to missing IPsec protection
    0 dropped due to full socket buffers
    32765844 delivered
    32913599 datagrams output
    24008710 missed PCB cache

Thanks again, really appreciate your

Tom Smyth

On Wed, 22 Dec 2021 at 11:26, Stuart Henderson wrote:
> On 2021-12-22, Dirk Coetzee wrote:
> > Hi Tom,
> >
> > I would recommend debugging using "unbound-control stats_noreset" and referencing the unbound configuration documentation at https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/
>
> Also check for "dropped due to full socket buffers" in netstat -s -p udp, some have reported needing to raise net.inet.udp.*space sysctls.
>
> You might also consider front-ending with dnsdist. As well as answering hot requests very quickly, that could also simplify things for maintenance.
>
> > On Tue, 21 Dec 2021 at 21:15, Tom Smyth wrote:
> >
> >> Recommendations on Buffer Space for Busy Unbound Resolver Service for a network serving 3000 customers
>
> --
> Please keep replies on the mailing list.
>
-- Kindest regards, Tom Smyth.
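The "dropped due to full socket buffers" check Stuart suggests, as a script that can run from cron or a monitoring agent. This is an added example, not code from the thread: it parses `netstat -s -p udp` output using the counter names shown in Tom's paste, reports the counters that matter for a resolver, and exits non-zero when datagrams were dropped for lack of socket buffer space (the case where raising net.inet.udp.recvspace is the fix). The two samples are constructed; the counter values are made up.

```sh
#!/bin/sh
# Added example (not from the original thread). Usage on the resolver:
#     netstat -s -p udp | udp_drop_report
# Compare with the current buffer size: sysctl -n net.inet.udp.recvspace

udp_drop_report() {
    # stdin: output of `netstat -s -p udp`.
    # Prints: received=N full_sockbuf=N no_socket=N drop_pct=P
    # Exit status: 0 no buffer drops; 1 datagrams were dropped because the
    # socket buffer (net.inet.udp.recvspace) was full.
    awk '
        /^[ \t]*[0-9]+ datagrams received$/                 { recv   = $1 }
        /^[ \t]*[0-9]+ dropped due to full socket buffers$/ { full   = $1 }
        /^[ \t]*[0-9]+ dropped due to no socket$/           { nosock = $1 }
        END {
            pct = recv > 0 ? 100 * full / recv : 0
            printf "received=%d full_sockbuf=%d no_socket=%d drop_pct=%.2f\n",
                   recv, full, nosock, pct
            exit (full > 0) ? 1 : 0
        }'
}

# Constructed sample: a resolver whose UDP receive buffer is overflowing.
# Note the broadcast/multicast line must not be mistaken for the unicast
# "dropped due to no socket" counter; the anchored regex above handles that.
SAMPLE_OVERRUN='udp:
    50000000 datagrams received
    0 with incomplete header
    0 with bad data length field
    12 with bad checksum
    200000 with no checksum
    0 input packets software-checksummed
    0 output packets software-checksummed
    41000 dropped due to no socket
    14000 broadcast/multicast datagrams dropped due to no socket
    0 dropped due to missing IPsec protection
    125000 dropped due to full socket buffers
    49820000 delivered
    50100000 datagrams output
    24000000 missed PCB cache'

# The same counters after the buffers were sized correctly.
SAMPLE_HEALTHY=$(printf '%s\n' "$SAMPLE_OVERRUN" | sed 's/125000 dropped/0 dropped/')

demo() {
    printf 'overrun sample: '
    printf '%s\n' "$SAMPLE_OVERRUN" | udp_drop_report || :
    printf 'healthy sample: '
    printf '%s\n' "$SAMPLE_HEALTHY" | udp_drop_report || :
}

demo
```

"dropped due to no socket" is reported but does not affect the exit status: those are datagrams for ports nothing listens on (scans, late replies), not a buffer problem. "missed PCB cache" is a lookup statistic, not a drop counter.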
Re: Recommendations on Buffer Space for Busy Unbound Resolver Service for a network
Thanks Dirk, I'll give that a go.

Cheers,
Tom Smyth

On Wed, 22 Dec 2021 at 00:30, Dirk Coetzee wrote:
> Hi Tom,
>
> I would recommend debugging using "unbound-control stats_noreset" and referencing the unbound configuration documentation at https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/
>
> -----Original Message-----
> From: owner-m...@openbsd.org On Behalf Of Tom Smyth
> Sent: Wednesday, 22 December 2021 5:25 AM
> To: Misc
> Subject: Re: Recommendations on Buffer Space for Busy Unbound Resolver Service for a network
>
> Sorry forgot to say running OpenBSD on an amd64, and hosted in a KVM environment, Thanks
>
> Tom Smyth
>
> On Tue, 21 Dec 2021 at 21:15, Tom Smyth wrote:
>
> > Recommendations on Buffer Space for Busy Unbound Resolver Service for a network serving 3000 customers
> >
> > Thanks
> >
> > --
> > Kindest regards,
> > Tom Smyth.
>
> --
> Kindest regards,
> Tom Smyth.
-- Kindest regards, Tom Smyth.
Re: Recommendations on Buffer Space for Busy Unbound Resolver Service for a network
Sorry, forgot to say: running OpenBSD on amd64, hosted in a KVM environment. Thanks

Tom Smyth

On Tue, 21 Dec 2021 at 21:15, Tom Smyth wrote:
> Recommendations on Buffer Space for Busy Unbound Resolver Service for a network serving 3000 customers
>
> Thanks
>
> --
> Kindest regards,
> Tom Smyth.
-- Kindest regards, Tom Smyth.
Recommendations on Buffer Space for Busy Unbound Resolver Service for a network
Recommendations on Buffer Space for Busy Unbound Resolver Service for a network serving 3000 customers?

Thanks
-- Kindest regards, Tom Smyth.
Radiusd anyone know of a Simple to use web front end for usermanagement ?
Hi All,

I was wondering, is there a front-end web interface out there for radiusd (for the un-inducted users who wouldn't be comfortable with the command line)? I would rather use radiusd than the freeradius alternatives ... perhaps I'm missing something in the man pages. Any tips or tricks would be welcome.

Thanks
-- Kindest regards, Tom Smyth.
Re: ipsec with default route and routing of internal networks
Can you do an exception for the ranges ... so internet - private IPs you don't want over the tunnel?

ike esp from 10.90.0.0/24 to any encrypt
and 10.90.0.0/24 to NOT [networks you don't want over the tunnel] ?

On Mon, 13 Sept 2021 at 13:02, Hrvoje Popovski wrote:
> Hi,
>
> On 13.9.2021. 12:58, Tom Smyth wrote:
> > Hi Hrvoje,
> >
> > is 10.90.0.0/24 local to your firewall, and if I understand your rule,
> > ike esp from 10.90.0.0/24 to any   you are saying encrypt all traffic coming from 10.90.0.0/24
> >
> > should the tunnel be more specific ? like
> >
> > from 10.90.0.0/24 to another network across the tunnel
>
> 10.90/24 is my local internal network, as other networks (10.91/24, 10.92/24).
> i need "ike esp from 10.90.0.0/24 to any"... because hosts on that network need to go out to internet over ipsec tunnel ... but at the same time hosts in that 10.90/24 network needs to communicate to other internal networks...
-- Kindest regards, Tom Smyth.
Re: ipsec with default route and routing of internal networks
Hi Hrvoje,

Is 10.90.0.0/24 local to your firewall? And if I understand your rule,

ike esp from 10.90.0.0/24 to any

you are saying encrypt all traffic coming from 10.90.0.0/24. Should the tunnel be more specific? Like from 10.90.0.0/24 to another network across the tunnel:

ike esp from 10.90.0.0/24 to {list of private network ranges that are across the tunnel}

(remove any and replace with specific subnets to be routed across the IPsec tunnel)

Without a diagram I can't help much more...

On Mon, 13 Sept 2021 at 11:36, Hrvoje Popovski wrote:
> Hi all,
>
> I have a firewall that routes few internal networks, 10.90/24, 10.91/24, 10.92/24. And i have some static routes to other firewalls, but i don't think that is relevant to this problem.
>
> For network 10.90/24 i have ipsec tunnel, and i need to push any traffic from that network to the internet, but not to local networks, over that ipsec tunnel.
>
> something like this:
> ike esp from 10.90.0.0/24 to any
>
> I thought that the routing table will take care of that, but it seems that when ipsec tunnel is up, i can't connect from local networks (10.91/24, 10.92/24) to 10.90/24 and I can't even ping hosts on the 10.90/24 network ...
> something like this ping -I 10.90.0.1 10.90.0.8 ...
> traffic from 10.90/24 to the internet is working just fine ..
>
> I need to make network 10.90/24 reachable to all local networks.
> Could someone please point me in the right direction on what to look and configure?
>
> Thank you ..
>
-- Kindest regards, Tom Smyth.
Re: DNS resolution after VPN?
And make sure there is a route to your internal DNS servers over the VPN, or a policy that covers the DNS servers' IP range if it is an IPsec policy-based VPN.

Hope this helps

On Tue, 20 Jul 2021 at 13:15, Timo Myyrä wrote:
>
> Stuart Henderson [2021-07-20, 11:24 +]:
>
> > On 2021-07-20, Timo Myyrä wrote:
> >
> >> Hi,
> >>
> >> Just started testing the new dhcpleased, resolvd stuff and noticed that DNS resolution won't work correctly once I open my VPN connection. Name resolution works for external domains but not for the internal domains resolved by the internal DNS servers.
> >>
> >> I'm using openconnect to setup VPN tunnel and it runs the /etc/vpnc-script to setup networking after initing the tunnel. This script adds the nameserver entries into /etc/resolv.conf.
> >> But these entries in /etc/resolv.conf are done below following line:
> >> nameserver 127.0.0.1 # resolvd: unwind
> >>
> >> This means the unwind is handling the DNS query passing and it doesn't seem to notice the DNS server entries given by openconnect.
> >>
> >> What would be a good method to get DNS resolution working after running openconnect? I'd like to prepend the DNS servers from VPN connection so they are queried first, then fallback to other servers.
> >>
> >> Timo
> >>
> >
> > Untested but I would use unwind and try something like
> >
> > forwarder
> > preference recursor oDoT-dhcp dhcp stub
> > force forwarder {vpndomain.com}
> >
> > For the forwarder address you might be able to statically configure it, if not then you could modify vpnc-script to have it update the address in unwind.conf and reload it.
>
> Thanks, this works somewhat:
>
> forwarder { $ip1 $ip2 }
> force accept bogus forwarder { $internal_domain1 }
> force accept bogus forwarder { $internal_domain2 }
> ...
>
> A bit cumbersome to list all internal domains but there shouldn't be that many of them in day-to-day use.
> The DNS server IP's are pretty much static so manually adjusting the unwind.conf is doable.
>
> Timo
>
-- Kindest regards, Tom Smyth.
Re: fighting amplification attack --was: Re: pf: block drop not working
Hello Axel,

Check out fastnetmon if you have sFlow (preferably) or NetFlow support on your switches or routers facing external providers. You can put pps thresholds on it. But bear in mind, if the amount of bandwidth being sent to your router exceeds capacity, you need to send a BGP community to do Remote Triggered Black Hole to your providers... RTBH ... (BGP Communities) etc..

Best of Luck

On Fri, 7 May 2021 at 10:10, Axel Rau wrote:
>
> > Am 05.05.2021 um 16:20 schrieb Stuart Henderson:
> >
> > This is usually best dealt with in your DNS server software e.g. by using the rrl-* configuration in NSD, see nsd.conf(5), or "rate-limit" config section in BIND.
>
> Yes, I have this in place now, but I try to let the fw drop them:
> This seems not working:
> udp_inbound_dns_options = 'keep state (max-src-conn-rate 120/60, overload flush global )'
> …
> pass in quick on $red_if proto udp from any to { $ns4, $ns5 } \
>     port { domain } tag RED_DMZ $udp_inbound_dns_options label "dns inbound"
>
> Is this not possible with udp?
>
> Axel
> ---
> PGP-Key: CDE74120 computing @ chaos claudius
-- Kindest regards, Tom Smyth.
Re: pf: block drop not working
black_whole vs black_hole ... check the table name ...

On Wed, 5 May 2021 at 12:11, Axel Rau wrote:
>
> Hi all,
>
> in pf.conf, I have at the beginning:
> - - -
> table persist file "/etc/pf/black_hole.txt"
> block drop in quick on $red_if from flags any
>
> fw1# pfctl -s rules | head -3
> block drop in quick on em2 from to any
>
> fw1# pfctl -t black_hole -T show
> . . .
> 146.168.0.0/16
> . . .
>
> But responses still going out from my ns:
>
> 0800 532: x.y.z.71.53 > 146.168.163.94.443: [udp sum ok] 1- 0/13/14(490) (ttl 63, id 10399, len 518)
> 0800 72: 146.168.163.94.443 > x.y.z.21.53: [no udp cksum] 1+ RRSIG? pizzaseo.com.(30) (ttl 249, id 3922, len 58)
> 0800 532: x.y.z.21.53 > 146.168.163.94.443: [udp sum ok] 1- 0/13/14(490) (ttl 63, id 38336, len 518)
> 0800 72: 146.168.163.94.443 > x.y.z.171.53: [no udp cksum] 1+ RRSIG? pizzaseo.com.(30) (ttl 249, id 55913, len 58)
> 0800 532: x.y.z.171.53 > 146.168.163.94.443: [udp sum ok] 1- 0/13/14(490) (ttl 62, id 53578, len 518)
>
> What is wrong in my setup?
>
> Thanks, Axel
> ---
> PGP-Key: CDE74120 computing @ chaos claudius
-- Kindest regards, Tom Smyth.
Re: default Offset to 1MB boundaries for improved SSD (and Raid Virtual Disk) partition alignment
Christian, Otto,

Thanks for your feedback on this one. I'll research it further, but NTFS has 4K, 8K, 32K and 64K allocation units on the filesystem, and for Microsoft Windows running Exchange or database workloads they were recommending alignment of the NTFS partitions on the 1MB offset also.

From Otto's explanation (thanks), 1/16 of blocks would potentially cross a boundary of the storage subsystem, so 6.25% of reads (or writes) could result in a double read (or double write); of course the write issue is a bigger problem for the SSDs.

I can configure the partitions how I want, for now anyway. I'll do a little digging on FFS and FFS2 and see how the filesystem database (or table) is structured...

Thanks for the feedback, it is very helpful to me.

All the best,
Tom Smyth

On Wed, 21 Apr 2021 at 15:25, Christian Weisgerber wrote:
>
> Tom Smyth:
>
> > if you were to have a 1MB file or a database that needed to read 1MB of data, if the partitions are not aligned then your underlying storage system need to load 2 chunks or write 2 chunks for 1 MB of data, written,
>
> You seem to assume that FFS2 would align a 1MB file on an 1MB border within the filesystem. That is not the case. That 1MB file will be aligned on a blocksize border (16/32/64 kB, depending on filesystem size). Aligning the partition on n*blocksize has no effect on this.
>
> --
> Christian "naddy" Weisgerber na...@mips.inka.de
-- Kindest regards, Tom Smyth.
Re: default Offset to 1MB boundaries for improved SSD (and Raid Virtual Disk) partition alignment
Hello Otto, Christian,

I was relying on that paper for the pictures of the alignment issue. VMFS (VMware file system) since version 5 of VMware has allocation units of 1MB each: https://kb.vmware.com/s/article/2137120

My understanding is that SSDs have a similar allocation unit setup of 1MB, and that aligning your file system to 1MB would improve performance.

|OpenBSD Filesystem -----------------| FFS filesystem
|VMDK virtual disk file for guest ---| OpenBSD-Guest-Disk0.vmdk
|vmware datastore -------------------| 1MB allocation
|Logical storage device / RAID ------|
|SSD or disk storage ----------------| 1MB allocation unit (on some SSDs)

Figure 2 of the following paper shows what happens as your writes start to cross another underlying block boundary: you see a degradation of performance. https://www.usenix.org/legacy/event/usenix09/tech/full_papers/rajimwale/rajimwale.pdf

The largest impact is on a write of 1MB (misaligned) across 2 blocks, but it repeats as you increase the number of MB in a transaction, while the % overhead reduces for each additional 1MB in the transaction.

If there is no downside to allocating / offsetting filesystems on 1MB boundaries, can we do that by default to reduce wear on SSDs and improve performance in virtualized environments with large allocation units on whatever storage subsystem they are running?

Thanks for your time
Tom Smyth

On Wed, 21 Apr 2021 at 08:49, Otto Moerbeek wrote:
>
> On Wed, Apr 21, 2021 at 08:20:10AM +0100, Tom Smyth wrote:
>
> > Hi Christian,
> >
> > if you were to have a 1MB file or a database that needed to read 1MB of data, if the partitions are not aligned then your underlying storage system need to load 2 chunks or write 2 chunks for 1 MB of data, written,
> >
> > So *worst* case you would double the workload for the storage hardware (SSD or Hardware RAID with large chunks) for each transaction on writing to SSDs if you are not aligned one could *worst* case double the write / wear rate.
> >
> > The improvement would be less for accessing small files and writing small files (as they would need to be across 2 Chunks )
> >
> > The following paper explains (better than I do ) https://www.vmware.com/pdf/esx3_partition_align.pdf
> >
> > if the cost is 1-8MB at the start of the disk (assuming partitions are sized so that they dont lose the offset of 2048 sectors) I think it is worth pursuing. (again I only have experience on amd64 /i386 hardware)
>
> Doing a quick scan through the pdf I only see talk about 64k boundaries.
>
> FFS(2) will split up any partition in multiple cylinder groups. Each cylinder group starts with a superblock copy, inode tables and other meta data before the data blocks of that cylinder group. Having the start of a partition at a 1MB boundary does not get you those data blocks at a specific boundary. So I think your reasoning does not apply to FFS(2).
>
> It might make sense to move the start to offset 128 for big partitions, so you align with the 64k boundary mentioned in the pdf, the block size is already 64k (for big partitions).
>
> -Otto
>
> > Thanks
> > Tom Smyth
> >
> > On Tue, 20 Apr 2021 at 22:52, Christian Weisgerber wrote:
> > >
> > > Tom Smyth:
> > >
> > > > just installing todays snapshot and the default offset on amd64 is 64, (as it has been for as long as I can remember)
> > >
> > > It was changed from 63 in 2010.
> > >
> > > > Is it worth while updating the defaults so that OpenBSD partition layout will be optimal for SSD or other Virtualized RAID environments with 1MB Chunks,
> > >
> > > What are you trying to optimize with this? FFS2 file systems reserve 64 kB at the start of a partition, and after that it's filesystem blocks, which are 16/32/64 kB, depending on the size of the filesystem. I can barely see an argument for aligning large partitions at 128 sectors, but what purpose would larger multiples serve?
> > >
> > > > Is there a down side to moving the default offset to 2048 ?
> > >
> > > Not really. It wastes a bit of space, but that is rather insignificant for today's disk sizes.
> > >
> > > --
> > > Christian "naddy" Weisgerber na...@mips.inka.de
> >
> > --
> > Kindest regards,
> > Tom Smyth.
>
-- Kindest regards, Tom Smyth.
Re: default Offset to 1MB boundaries for improved SSD (and Raid Virtual Disk) partition alignment
Hi Christian,

If you were to have a 1MB file or a database that needed to read 1MB of data, and the partitions are not aligned, then your underlying storage system needs to load 2 chunks or write 2 chunks for 1 MB of data written.

So *worst* case you would double the workload for the storage hardware (SSD or hardware RAID with large chunks) for each transaction; on writing to SSDs, if you are not aligned, one could *worst* case double the write / wear rate.

The improvement would be less for accessing small files and writing small files (as they would need to be across 2 chunks).

The following paper explains (better than I do): https://www.vmware.com/pdf/esx3_partition_align.pdf

If the cost is 1-8MB at the start of the disk (assuming partitions are sized so that they don't lose the offset of 2048 sectors) I think it is worth pursuing. (Again, I only have experience on amd64 / i386 hardware.)

Thanks
Tom Smyth

On Tue, 20 Apr 2021 at 22:52, Christian Weisgerber wrote:
>
> Tom Smyth:
>
> > just installing todays snapshot and the default offset on amd64 is 64, (as it has been for as long as I can remember)
>
> It was changed from 63 in 2010.
>
> > Is it worth while updating the defaults so that OpenBSD partition layout will be optimal for SSD or other Virtualized RAID environments with 1MB Chunks,
>
> What are you trying to optimize with this? FFS2 file systems reserve 64 kB at the start of a partition, and after that it's filesystem blocks, which are 16/32/64 kB, depending on the size of the filesystem. I can barely see an argument for aligning large partitions at 128 sectors, but what purpose would larger multiples serve?
>
> > Is there a down side to moving the default offset to 2048 ?
>
> Not really. It wastes a bit of space, but that is rather insignificant for today's disk sizes.
>
> --
> Christian "naddy" Weisgerber na...@mips.inka.de
>
-- Kindest regards, Tom Smyth.
default Offset to 1MB boundaries for improved SSD (and Raid Virtual Disk) partition alignment
Hello,

Just installing today's snapshot and the default offset on amd64 is 64 (as it has been for as long as I can remember).

Is it worthwhile updating the defaults so that OpenBSD partition layout will be optimal for SSD or other virtualized RAID environments with 1MB chunks?

Is there a downside to moving the default offset to 2048? (1MB offset on 512-byte sector disks.)

We have been running 2048 as our starting offset for our OpenBSD installs for about 3-4 years now and we have not come across issues.

It is unlikely that this will be changed in the 6.9 release, but it might be worth re-visiting as it would make for more straightforward aligned partitions on OpenBSD installs. My experience is more for x86 / amd64 rather than other platforms.

Kindest Regards,
Tom Smyth
-- Kindest regards, Tom Smyth.
shells/nsh network shells, feedback and comments requested,
Hello,

If anyone has used shells/nsh (past or present) or has any ideas, opinions on it and its usability, bug reports or questions, can you let me know (on or off list, I don't mind). I'm particularly interested in configuration limitations you came across (where you couldn't do something in NSH that you can do in base). We will be working on it to track current, and hopefully the 7.0 release.

Thanks
Tom Smyth
Re: Last shutdown date of old OpenBSD machine
Check dmesg, I think that will have the boot time / date in it.

On Thursday, 15 April 2021, Ales Tepina wrote:
> Hi!
>
> I have a really old machine (it has DIN keyboard connector) with OpenBSD installed on it that was used as a router and its been sitting in the basement for quite a few years. I would like to find out the date when the machine was last shutdown.
>
> What would be the best way to go about looking for that info?
>
> I have two options as far as i can see but have not tried any of them to avoid messing up the date of last boot/shutdown:
> 1. Boot the machine and check the log files in /var/log
> 2. Attach the disk drive to another machine and mount the partition and also check the info on some files
>
> Also, one important caveat. There is a good chance i won't be able to guess the password anymore. I think i know what it is, but i'm not sure since it was so long ago.
> Therefore booting into single user mode is probably the only choice for option 1.
>
> Thank you for your suggestions.
>
> Br, Ales
>
-- Kindest regards, Tom Smyth.
Re: Technical Documentation - CARP
Hi Jannick,

The man pages are also a good, up-to-date source of information... sometimes a paper from a few years ago states something like "X/Y is not supported"... but as an OpenBSD developer once quipped, "yes we do add features from time to time" :) so the papers can give really good context and insights... but refer to the manuals also to validate any improved syntax and/or features.

Hope this helps
Tom Smyth

On Tue, 13 Apr 2021 at 09:34, jannick Weiss wrote:
>
> Hello, my name is Jannick Weiss and i am currently in the process of taking my education as a datatechnician. As part of my education i have to do a presentation on a self-elected subject and i have chosen to talk about CARP.
>
> It is my understanding that it is you (OpenBSD) that have developed CARP. I am having trouble finding information about CARP, such as the different states the protocol goes through or how the election of the master node works specifically.
> If you can provide any documentation on CARP it would be greatly appreciated.
>
> In advance, thank you for any help you may provide.
>
> Best regards
>
> Jannick Weiss
-- Kindest regards, Tom Smyth.
Re: 6.9 Current amd64 xfce seems to freeze and not respond to mouse clicks or keystrokes
Hi Ian,

Thanks for that. It seems to be the screensaver that was causing the issue. Do you have the screensaver enabled also? In hindsight it doesn't appear to be a hardware issue (or virtual hardware issue).

Thanks for your reply and feedback

On Sat, 10 Apr 2021 at 23:52, Ian Darwin wrote:
>
> On Sat, Apr 10, 2021 at 10:22:17PM +0100, Tom Smyth wrote:
> > Hello,
> >
> > 1) issue does not occur with fvwm or with chrome running in fvwm
> >
> > so the issue seems to be confined to xfce, and I was running just 1 xfce terminal session
> > 2) (so the issue is not related to chromium)
> >
> > I'm running OpenBSD on an Oracle Virtualbox VM
>
> I run xfce all the time on -current on amd64 on real hardware and do not have any such issue.
-- Kindest regards, Tom Smyth.
Re: 6.9 Current amd64 xfce seems to freeze and not respond to mouse clicks or keystrokes
Geoff,

The force is strong with you :) Thanks, that worked. xfce-screensaver was active but I was not seeing the screensaver.

Appreciate your help
Tom Smyth

On Sat, 10 Apr 2021 at 22:48, gwes wrote:
>
> On 4/10/21 5:22 PM, Tom Smyth wrote:
> > Hello,
> >
> > 1) issue does not occur with fvwm or with chrome running in fvwm
> >
> > so the issue seems to be confined to xfce, and I was running just 1 xfce terminal session
> > 2) (so the issue is not related to chromium)
> >
> > Thanks
> >
> > --
> > Kindest regards,
> > Tom Smyth.
>
> Hi Tom,
> Some application that you can't see is grabbing focus and not letting go.
>
> On another OS using xfce (XUbuntu) the screensaver sometimes causes something extremely similar. Mouse cursor moves but nothing else responds.
> The workaround is to use control-alt-F1 to get a plain console and ps -ax | grep screen then doas kill .
>
> If it's not a screensaver it's almost always a second browser copy.
> I just find likely greedy candidates in the ps and kill until the problem goes away.
>
> If the X server won't let you use control-alt-Fx to change screens you'll have to ssh in.
>
> Geoff Steckel
-- Kindest regards, Tom Smyth.
Re: 6.9 Current amd64 xfce seems to freeze and not respond to mouse clicks or keystrokes
Hello, 1) issue does not occur with fvwm or with chrome running in fvwm so the issue seems to be confined to xfce, and I was running just 1 xfce terminal session 2) (so the issue is not related to chromium) Thanks On Fri, 9 Apr 2021 at 19:09, Tom Smyth wrote: > > just to update this thread, > > 1) the mouse pointer still moves around but It cant seem to select a > window or text or any icon in a menu > > 2) i did increase the resolution using xrandr -s 1920x1080 at the > start of the session without issue > > 3) crhomium is open when this happens > > Thanks > > On Fri, 9 Apr 2021 at 19:33, Tom Smyth wrote: > > > > Hello > > > > 6.9 Current amd64 xfce seems to freeze and not respond to mouse > > clicks or keystrokes. I cant seem to change windows or enter text on > > the X terminal > > > > > > im running OpenBSD on an Oracle Virtualbox VM > > > > however + does work and im able to restart the x > > session using the console > > > > rcctl restart xenodm > > > > Ill try FVWM to see is it an X11 issue or an issue with xfce > > > > just raising it incase someone else has noticed this issue > > > > dmesg below > > > > OpenBSD 6.9 (GENERIC.MP) #458: Fri Apr 9 01:05:30 MDT 2021 > > dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP > > real mem = 8573091840 (8175MB) > > avail mem = 8297865216 (7913MB) > > random: good seed from bootblocks > > mpath0 at root > > scsibus0 at mpath0: 256 targets > > mainbus0 at root > > bios0 at mainbus0: SMBIOS rev. 
2.5 @ 0xe1000 (10 entries) > > bios0: vendor innotek GmbH version "VirtualBox" date 12/01/2006 > > bios0: innotek GmbH VirtualBox > > acpi0 at bios0: ACPI 4.0 > > acpi0: sleep states S0 S5 > > acpi0: tables DSDT FACP APIC HPET MCFG SSDT > > acpi0: wakeup devices > > acpitimer0 at acpi0: 3579545 Hz, 32 bits > > acpimadt0 at acpi0 addr 0xfee0: PC-AT compat > > cpu0 at mainbus0: apid 0 (boot processor) > > cpu0: Intel(R) Core(TM) i7-10610U CPU @ 1.80GHz, 2304.35 MHz, 06-8e-0c > > cpu0: > > FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,SSSE3,CX16,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,RDRAND,NXE,RDTSCP,LONG,LAHF,ABM,3DNOWP,ITSC,FSGSBASE,AVX2,INVPCID,RDSEED,CLFLUSHOPT,MD_CLEAR,L1DF > > cpu0: 256KB 64b/line 8-way L2 cache > > cpu0: smt 0, core 0, package 0 > > mtrr: CPU supports MTRRs but not enabled by BIOS > > cpu0: apic clock running at 1000MHz > > cpu1 at mainbus0: apid 1 (application processor) > > cpu1: Intel(R) Core(TM) i7-10610U CPU @ 1.80GHz, 2304.08 MHz, 06-8e-0c > > cpu1: > > FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,SSSE3,CX16,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,RDRAND,NXE,RDTSCP,LONG,LAHF,ABM,3DNOWP,ITSC,FSGSBASE,AVX2,INVPCID,RDSEED,CLFLUSHOPT,MD_CLEAR,L1DF > > cpu1: 256KB 64b/line 8-way L2 cache > > cpu1: smt 0, core 1, package 0 > > ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins, remapped > > acpihpet0 at acpi0: 14318179 Hz > > acpimcfg0 at acpi0 > > acpimcfg0: addr 0xdc00, bus 0-63 > > acpiprt0 at acpi0: bus 0 (PCI0) > > acpipci0 at acpi0 PCI0: 0x 0x0011 0x0001 > > acpicmos0 at acpi0 > > acpibat0 at acpi0: BAT0 model "1" serial 0 type VBOX oem "innotek" > > acpiac0 at acpi0: AC unit online > > acpicpu0 at acpi0: C1(@1 halt!) > > acpicpu1 at acpi0: C1(@1 halt!) 
> > acpivideo0 at acpi0: GFX0 > > pci0 at mainbus0 bus 0 > > vga1 at pci0 dev 2 function 0 "VMware SVGA II" rev 0x00 > > wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) > > wsdisplay0: screen 1-5 added (80x25, vt100 emulation) > > em0 at pci0 dev 3 function 0 "Intel 82540EM" rev 0x02: apic 2 int 19, > > address 08:00:27:bd:cb:77 > > "InnoTek VirtualBox Guest Service" rev 0x00 at pci0 dev 4 function 0 > > not configured > > auich0 at pci0 dev 5 function 0 "Intel 82801AA AC97" rev 0x01: apic 2 > > int 21, ICH > > ac97: codec id 0x83847600 (SigmaTel STAC9700) > > audio0 at auich0 > > piixpm0 at pci0 dev 7 function 0 "Intel 82371AB Power" rev 0x08: apic 2 int > > 23 > > iic0 at piixpm0 > > pcib0 at pci0 dev 31 function 0 "Intel 82801GBM LPC" rev 0x02 > > pciide0 at pci0 dev 31 function 1 "Intel 82371AB IDE" rev 0x01: DMA, > > channel 0 configured to compatibility, channel 1 configured to > > compatibility > > wd0 at pciide0
Re: OT: Dell EMC switches
+1 re arista switches... On Friday, 9 April 2021, Diana Eichert wrote: > I second Arista switches, in my day job we use a lot of Arista > switches. Though one of the "issues" we see is Arista > drops older tech regularly. I believe their last presentation to us > was 25G/100G/400G switches. > > On Thu, Apr 8, 2021 at 1:18 PM Mischa wrote: > > > > Hi Ivo, > > > > I don’t have any experience with the Dell switches but what about the > Arista DCS-7050QX-32 or DCS-7050QX-32S? > > 32x40G QSFP+ for the 7050QX-32 > > 32x40G QSFP+ of which one QSFP+ can act as a dual personality to 4xSFP+ > for the 7050QX-32S. (mind the S) > > > > There are converters for the QSFP+ to turn them into a SFP+ port if you > need more 10G but want to have a way to migrate to 40G. > > You can do this with the Mellanox 655902-001 QSA adapter. > > > > Which is pretty much what we have in production. :) > > Are you planning to buy new or eBay? There are some pretty good deals on > eBay. > > > > Mischa > > -- Kindest regards, Tom Smyth.
Re: 6.9 Current amd64 xfce seems to freeze and not respond to mouse clicks or keystrokes
Just to update this thread:
1) the mouse pointer still moves around but it can't seem to select a window or text or any icon in a menu
2) I did increase the resolution using xrandr -s 1920x1080 at the start of the session without issue
3) Chromium is open when this happens

Thanks

On Fri, 9 Apr 2021 at 19:33, Tom Smyth wrote:
>
> Hello
>
> 6.9 Current amd64 xfce seems to freeze and not respond to mouse
> clicks or keystrokes. I can't seem to change windows or enter text on
> the X terminal
>
> I'm running OpenBSD on an Oracle Virtualbox VM
>
> however + does work and I'm able to restart the X
> session using the console
>
> rcctl restart xenodm
>
> I'll try FVWM to see if it is an X11 issue or an issue with xfce
>
> just raising it in case someone else has noticed this issue
>
> dmesg below
>
> OpenBSD 6.9 (GENERIC.MP) #458: Fri Apr 9 01:05:30 MDT 2021
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 8573091840 (8175MB)
> avail mem = 8297865216 (7913MB)
> random: good seed from bootblocks
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xe1000 (10 entries)
> bios0: vendor innotek GmbH version "VirtualBox" date 12/01/2006
> bios0: innotek GmbH VirtualBox
> acpi0 at bios0: ACPI 4.0
> acpi0: sleep states S0 S5
> acpi0: tables DSDT FACP APIC HPET MCFG SSDT
> acpi0: wakeup devices
> acpitimer0 at acpi0: 3579545 Hz, 32 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Core(TM) i7-10610U CPU @ 1.80GHz, 2304.35 MHz, 06-8e-0c
> cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,SSSE3,CX16,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,RDRAND,NXE,RDTSCP,LONG,LAHF,ABM,3DNOWP,ITSC,FSGSBASE,AVX2,INVPCID,RDSEED,CLFLUSHOPT,MD_CLEAR,L1DF
> cpu0: 256KB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: CPU supports MTRRs but not enabled by BIOS
> cpu0: apic clock running at 1000MHz
> cpu1 at mainbus0: apid 1 (application processor)
> cpu1: Intel(R) Core(TM) i7-10610U CPU @ 1.80GHz, 2304.08 MHz, 06-8e-0c
> cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,SSSE3,CX16,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,RDRAND,NXE,RDTSCP,LONG,LAHF,ABM,3DNOWP,ITSC,FSGSBASE,AVX2,INVPCID,RDSEED,CLFLUSHOPT,MD_CLEAR,L1DF
> cpu1: 256KB 64b/line 8-way L2 cache
> cpu1: smt 0, core 1, package 0
> ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins, remapped
> acpihpet0 at acpi0: 14318179 Hz
> acpimcfg0 at acpi0
> acpimcfg0: addr 0xdc00, bus 0-63
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpipci0 at acpi0 PCI0: 0x 0x0011 0x0001
> acpicmos0 at acpi0
> acpibat0 at acpi0: BAT0 model "1" serial 0 type VBOX oem "innotek"
> acpiac0 at acpi0: AC unit online
> acpicpu0 at acpi0: C1(@1 halt!)
> acpicpu1 at acpi0: C1(@1 halt!)
> acpivideo0 at acpi0: GFX0
> pci0 at mainbus0 bus 0
> vga1 at pci0 dev 2 function 0 "VMware SVGA II" rev 0x00
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> em0 at pci0 dev 3 function 0 "Intel 82540EM" rev 0x02: apic 2 int 19, address 08:00:27:bd:cb:77
> "InnoTek VirtualBox Guest Service" rev 0x00 at pci0 dev 4 function 0 not configured
> auich0 at pci0 dev 5 function 0 "Intel 82801AA AC97" rev 0x01: apic 2 int 21, ICH
> ac97: codec id 0x83847600 (SigmaTel STAC9700)
> audio0 at auich0
> piixpm0 at pci0 dev 7 function 0 "Intel 82371AB Power" rev 0x08: apic 2 int 23
> iic0 at piixpm0
> pcib0 at pci0 dev 31 function 0 "Intel 82801GBM LPC" rev 0x02
> pciide0 at pci0 dev 31 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
> wd0 at pciide0 channel 0 drive 0:
> wd0: 128-sector PIO, LBA48, 131072MB, 268435456 sectors
> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
> atapiscsi0 at pciide0 channel 1 drive 0
> scsibus1 at atapiscsi0: 2 targets
> cd0 at scsibus1 targ 0 lun 0: removable
> cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
> ohci0 at pci0 dev 31 function 4 "Apple Intrepid USB" rev 0x00: apic 2 int 23, version 1.0
> isa0 at pcib0
> isadma0 at isa0
> pckbc0 at isa0 port 0x60/5 irq 1 irq 12
> pckbd0 at pckbc0 (kbd slot)
> wskbd0 at pckbd0: console keyboard, using wsdisplay0
> pms0 at pckbc0 (aux slot)
> wsmouse0 at pms0 mux 0
> pcppi0 at isa0 port 0x61
> spkr0 at pcppi0
> usb0 at ohci0: USB r
6.9 Current amd64 xfce seems to freeze and not respond to mouse clicks or keystrokes
Hello

6.9 Current amd64 xfce seems to freeze and not respond to mouse clicks or keystrokes. I can't seem to change windows or enter text on the X terminal

I'm running OpenBSD on an Oracle Virtualbox VM

however + does work and I'm able to restart the X session using the console

rcctl restart xenodm

I'll try FVWM to see if it is an X11 issue or an issue with xfce

just raising it in case someone else has noticed this issue

dmesg below

OpenBSD 6.9 (GENERIC.MP) #458: Fri Apr 9 01:05:30 MDT 2021
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8573091840 (8175MB)
avail mem = 8297865216 (7913MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xe1000 (10 entries)
bios0: vendor innotek GmbH version "VirtualBox" date 12/01/2006
bios0: innotek GmbH VirtualBox
acpi0 at bios0: ACPI 4.0
acpi0: sleep states S0 S5
acpi0: tables DSDT FACP APIC HPET MCFG SSDT
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i7-10610U CPU @ 1.80GHz, 2304.35 MHz, 06-8e-0c
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,SSSE3,CX16,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,RDRAND,NXE,RDTSCP,LONG,LAHF,ABM,3DNOWP,ITSC,FSGSBASE,AVX2,INVPCID,RDSEED,CLFLUSHOPT,MD_CLEAR,L1DF
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: CPU supports MTRRs but not enabled by BIOS
cpu0: apic clock running at 1000MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM) i7-10610U CPU @ 1.80GHz, 2304.08 MHz, 06-8e-0c
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,SSSE3,CX16,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,RDRAND,NXE,RDTSCP,LONG,LAHF,ABM,3DNOWP,ITSC,FSGSBASE,AVX2,INVPCID,RDSEED,CLFLUSHOPT,MD_CLEAR,L1DF
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins, remapped
acpihpet0 at acpi0: 14318179 Hz
acpimcfg0 at acpi0
acpimcfg0: addr 0xdc00, bus 0-63
acpiprt0 at acpi0: bus 0 (PCI0)
acpipci0 at acpi0 PCI0: 0x 0x0011 0x0001
acpicmos0 at acpi0
acpibat0 at acpi0: BAT0 model "1" serial 0 type VBOX oem "innotek"
acpiac0 at acpi0: AC unit online
acpicpu0 at acpi0: C1(@1 halt!)
acpicpu1 at acpi0: C1(@1 halt!)
acpivideo0 at acpi0: GFX0
pci0 at mainbus0 bus 0
vga1 at pci0 dev 2 function 0 "VMware SVGA II" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
em0 at pci0 dev 3 function 0 "Intel 82540EM" rev 0x02: apic 2 int 19, address 08:00:27:bd:cb:77
"InnoTek VirtualBox Guest Service" rev 0x00 at pci0 dev 4 function 0 not configured
auich0 at pci0 dev 5 function 0 "Intel 82801AA AC97" rev 0x01: apic 2 int 21, ICH
ac97: codec id 0x83847600 (SigmaTel STAC9700)
audio0 at auich0
piixpm0 at pci0 dev 7 function 0 "Intel 82371AB Power" rev 0x08: apic 2 int 23
iic0 at piixpm0
pcib0 at pci0 dev 31 function 0 "Intel 82801GBM LPC" rev 0x02
pciide0 at pci0 dev 31 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0:
wd0: 128-sector PIO, LBA48, 131072MB, 268435456 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
ohci0 at pci0 dev 31 function 4 "Apple Intrepid USB" rev 0x00: apic 2 int 23, version 1.0
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
usb0 at ohci0: USB revision 1.0
uhub0 at usb0 configuration 1 interface 0 "Apple OHCI root hub" rev 1.00/1.00 addr 1
uhidev0 at uhub0 port 1 configuration 1 interface 0 "VirtualBox USB Tablet" rev 1.10/1.00 addr 2
uhidev0: iclass 3/0
ums0 at uhidev0: 5 buttons, Z and W dir
wsmouse1 at ums0 mux 0
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on wd0a (619d721c1c3c871d.a) swap on wd0b dump on wd0b
Re: Does intel(4) support Iris Xe Graphics?
Hi Jonathan,

Sorry, missed the bug report with the dmesg. I thought the Linux dmesg, where the hardware was working, would have been useful if there was an issue with the hardware detection. I suggested trying 6.8 in case there was a bug introduced in current and it would give a baseline... suggested current as the bug might already be fixed in current as opposed to release ...

On Wed, 7 Apr 2021 at 11:56, Jonathan Gray wrote:
>
> On Wed, Apr 07, 2021 at 11:34:54AM +0100, Tom Smyth wrote:
> > Try Current and 6.8 and see if you get a different result in each..
> > dmesgs are key for getting help on this type of query ...
>
> There is a snapshot dmesg in the bug report. I don't see a benefit to
> 6.8 or linux dmesgs.

--
Kindest regards,
Tom Smyth.
Re: Does intel(4) support Iris Xe Graphics?
Try Current and 6.8 and see if you get a different result in each..
dmesgs are key for getting help on this type of query ...

On Wed, 7 Apr 2021 at 11:33, Tom Smyth wrote:
>
> Hi Michel,
> if you send the dmesg from OpenBSD when it is installed and Ubuntu
> it would help a lot
> see the hardware that your box is running (and the hardware as
> detected by OpenBSD / Ubuntu
>
> On Wed, 7 Apr 2021 at 05:21, Michel von Behr wrote:
> >
> > Thank you for the reply, Jonathan - FWIW I was able to run Ubuntu on the
> > machine just now. I still would like to try and install OpenBSD, if anyone
> > can help me diagnose/fix the problem I'm willing to try.
> >
> > Regards,
> >
> > Michel
> >
> > On Wed, 7 Apr 2021 at 2:33 AM Jonathan Gray wrote:
> >
> > > On Tue, Apr 06, 2021 at 11:09:07AM +0400, Michel von Behr wrote:
> > > > Hi - (not a dev, just trying to use OpenBSD snapshot) whenever I try to
> > > > launch Xorg, either via xenodm or startx, I'm getting a kernel panic,
> > > > like "pool_do_get: drmobj : page empty" (I already sent an e-mail [1]
> > > > to b...@openbsd.org with dmesg and all).
> > >
> > > The pool should already be initialised via
> > > i915_global_objects_init()
> > > i915_globals_init()
> > > inteldrm_attachhook()
> > >
> > > > I'm wondering if the problem could be with my video card, Intel Iris Xe?
> > > > Even though dmesg shows that it was detected and should (?) be working.
> > > > But I can't find a reason why my laptop would not run Xorg.
> > > >
> > > > inteldrm0 at pci0 dev 2 function 0 "Intel Xe Graphics" rev 0x01
> > > > drm0 at inteldrm0
> > > > inteldrm0: msi, TIGERLAKE, gen 12
> > >
> > > jcs@ has/had a tiger lake machine which could run Xorg with the
> > > linux 5.7 based drm in -current. I'm not sure what is different here.
> > >
> > > > Any pointing to the right direction would be appreciated. (If this
> > > > problem relates to Xorg specifically and not to OpenBSD please let me know).
> > > >
> > > > [1] https://marc.info/?l=openbsd-bugs=161754767328009=2
> > > >
> > > > Regards,
> > > >
> > > > Michel
>
> --
> Kindest regards,
> Tom Smyth.

--
Kindest regards,
Tom Smyth.
Re: Does intel(4) support Iris Xe Graphics?
Hi Michel,

if you send the dmesg from OpenBSD when it is installed and Ubuntu it would help a lot
see the hardware that your box is running (and the hardware as detected by OpenBSD / Ubuntu

On Wed, 7 Apr 2021 at 05:21, Michel von Behr wrote:
>
> Thank you for the reply, Jonathan - FWIW I was able to run Ubuntu on the
> machine just now. I still would like to try and install OpenBSD, if anyone
> can help me diagnose/fix the problem I'm willing to try.
>
> Regards,
>
> Michel
>
> On Wed, 7 Apr 2021 at 2:33 AM Jonathan Gray wrote:
>
> > On Tue, Apr 06, 2021 at 11:09:07AM +0400, Michel von Behr wrote:
> > > Hi - (not a dev, just trying to use OpenBSD snapshot) whenever I try to
> > > launch Xorg, either via xenodm or startx, I'm getting a kernel panic,
> > > like "pool_do_get: drmobj : page empty" (I already sent an e-mail [1]
> > > to b...@openbsd.org with dmesg and all).
> >
> > The pool should already be initialised via
> > i915_global_objects_init()
> > i915_globals_init()
> > inteldrm_attachhook()
> >
> > > I'm wondering if the problem could be with my video card, Intel Iris Xe?
> > > Even though dmesg shows that it was detected and should (?) be working.
> > > But I can't find a reason why my laptop would not run Xorg.
> > >
> > > inteldrm0 at pci0 dev 2 function 0 "Intel Xe Graphics" rev 0x01
> > > drm0 at inteldrm0
> > > inteldrm0: msi, TIGERLAKE, gen 12
> >
> > jcs@ has/had a tiger lake machine which could run Xorg with the
> > linux 5.7 based drm in -current. I'm not sure what is different here.
> >
> > > Any pointing to the right direction would be appreciated. (If this
> > > problem relates to Xorg specifically and not to OpenBSD please let me know).
> > >
> > > [1] https://marc.info/?l=openbsd-bugs=161754767328009=2
> > >
> > > Regards,
> > >
> > > Michel

--
Kindest regards,
Tom Smyth.
Re: sndiod on by default (does it need to be ? )
Thanks Stuart, appreciate your time on this, and the explanation of the sndiod design.

It was a case of "I don't understand, don't use, so I just disable", and then I proceeded to ask out of turn shouldn't everyone else disable because I don't understand or use it myself :/

Re attack surface / risk of other software that I use on top of OpenBSD, I couldn't agree more with you.

Thanks again..

On Sun, 21 Feb 2021 at 18:42, Stuart Henderson wrote:
>
> On 2021-02-21, Tom Smyth wrote:
> > my thinking is by having the service off by default would reduce the
> > default attack surface of the OS ?
>
> The attack surface is tiny.
>
> sndiod has a pair of processes each run as their own dedicated uid, one
> in a chroot jail containing no files and pledged to not allow access to
> read/write files anyway, the other (which needs to access audio-related
> nodes in /dev) using unveil to restrict itself to only the necessary
> ones. The pledges are very restrictive. No network access unless you use
> -L to enable the network server.
>
> I don't honestly think it's worth going to the trouble of disabling.
> Look at the other software you run which isn't enabled in OpenBSD by
> default - that's where your attack surface is ;)

--
Kindest regards,
Tom Smyth.
Re: sndiod on by default (does it need to be ? )
Hi folks,

thanks to everyone who replied on and off list. I had not considered the console-only user who uses audio also... (I had not even considered this, so pardon my ignorance folks, and thanks to Sebastian, Abel, and David for replying on and off list)

I guess I'll just add

rcctl disable sndiod

to my deployment scripts for my use cases :)

Thanks again to all who considered it :)

On Sun, 21 Feb 2021 at 14:28, Tom Smyth wrote:
>
> Hi Sebastian
> I get users want to listen to audio but if the only hardware is a buzzer and
> the user is not running x what are the chances they are using audio on the
> console only ?
>
> I can keep running
> rcctl disable sndiod
> Post install
>
> I thought linking audio support on by default to x would make sense as it is
> likely such system is for users who may need audio
>
> Just a thought
> Thanks
>
> On Sunday, 21 February 2021, Sebastian Benoit wrote:
>>
>> Tom Smyth(tom.sm...@wirelessconnect.eu) on 2021.02.21 04:08:48 +:
>> > Hello,
>> >
>> > I was wondering should sndiod (default) startup be determined based on
>> > whether or not
>> > it the install is a typical headless install (off) or an install for
>> > a user machine with running X
>> >
>> > is there a reason why one would need to run this daemon by default?
>>
>> Because users want to listen to audio.
>>
>> > my thinking is by having the service off by default would reduce the
>> > default attack surface of the OS ?
>>
>> How big is that attack surface? And especially compared to X?
>>
>> > perhaps the installer could use the answer to the question do you
>> > intend to run X to determine whether or not to enable the sndiod
>> > daemon ?
>>
>> The difference is that a running sndiod is not noticeable to you. Running X
>> is - you don't have a console anymore on your screen.
>>
>> Whereas a not running sndiod is noticeable - no sound.
>>
>> Next to security, we try to make it easy for people to use OpenBSD. Not
>> asking questions when not needed is just that.
>>
>> /Benno
>
> --
> Kindest regards,
> Tom Smyth.

--
Kindest regards,
Tom Smyth.
Re: sndiod on by default (does it need to be ? )
Hi Sebastian

I get users want to listen to audio, but if the only hardware is a buzzer and the user is not running X, what are the chances they are using audio on the console only?

I can keep running

rcctl disable sndiod

post install.

I thought linking audio support on by default to X would make sense, as it is likely such a system is for users who may need audio.

Just a thought
Thanks

On Sunday, 21 February 2021, Sebastian Benoit wrote:
> Tom Smyth(tom.sm...@wirelessconnect.eu) on 2021.02.21 04:08:48 +:
> > Hello,
> >
> > I was wondering should sndiod (default) startup be determined based on
> > whether or not
> > it the install is a typical headless install (off) or an install for
> > a user machine with running X
> >
> > is there a reason why one would need to run this daemon by default?
>
> Because users want to listen to audio.
>
> > my thinking is by having the service off by default would reduce the
> > default attack surface of the OS ?
>
> How big is that attack surface? And especially compared to X?
>
> > perhaps the installer could use the answer to the question do you
> > intend to run X to determine whether or not to enable the sndiod
> > daemon ?
>
> The difference is that a running sndiod is not noticeable to you. Running X
> is - you don't have a console anymore on your screen.
>
> Whereas a not running sndiod is noticeable - no sound.
>
> Next to security, we try to make it easy for people to use OpenBSD. Not
> asking questions when not needed is just that.
>
> /Benno

--
Kindest regards,
Tom Smyth.
sndiod on by default (does it need to be ? )
Hello,

I was wondering: should sndiod (default) startup be determined based on whether or not the install is a typical headless install (off) or an install for a user machine running X?

Is there a reason why one would need to run this daemon by default?

My thinking is that having the service off by default would reduce the default attack surface of the OS?

Perhaps the installer could use the answer to the question "do you intend to run X" to determine whether or not to enable the sndiod daemon?

I hope this helps

--
Kindest regards,
Tom Smyth.
Re: bsd.rd ok , bsd explodes, trying to get traces
Hey Sven,

sorry, just wondering, have you tried running an alternate OS and/or memtest x86 to see if the computer CPU/memory is behaving itself?

Also, if it is an Intel RAID controller it usually has about 3 different settings (and alters the controller's firmware to present different hardware to the OS: legacy--->raid--> AHCI -->Enhanced).

Hope this helps

On Tue, 9 Feb 2021 at 20:56, Sven F. wrote:
> Dear readers,
>
> I found a computer which behaves oddly.
> Only EFI boot is supported, I usually go the MBR way.
> The bios looks like a classic AMibios Intel stuff.
> The cpu is intel and there's an intel HD5500 graphic card
> ( trying to extract proper dmesg fails so far )
>
> When booting 6.8 basic amd64 installation the video
> signal is completely lost and network too ( suspect crash )
>
> I tried to `set db_console 1` and change video mode
> with machine video before booting, and entering
> `boot dump` blindly ( video off )
> but after rebooting in bsd.rd /var/ has no dmesg.anything
> or some log
>
> I think the last line of boot i see is 'softraid0'
>
> There's probably a few tricks I should try to get the actual
> message, I will do my best to extract the (bsd.rd) dmesg now and post it as
> a reply ( and try boot current )
>
> Is there some boot option i can use or something i can do
> to extract the errors ? ( i do not see com ports anywhere either )
>
> Thank you for reading.
> --
> Knowing is not enough; we must apply. Willing is not enough; we must do

--
Kindest regards,
Tom Smyth.
Re: NIC Port L2 Switching capability
Hi Kaya

You need to create a bridge interface and add the interfaces you want to switch packets between into the bridge.

man bridge
man switch
man ifconfig

will give you the information you need. trunk is a bonding / team / fail over interface and not for switching.

Because you are using a virtualisation platform you need to be wary of hypervisor / virtualisation network stack security features / hacks / shortcuts: some hypervisors filter traffic coming from a VM which has a different source MAC to the MAC assigned to the VM network card by the hypervisor, and some hypervisors will only switch traffic to a VM if the destination MAC is the same as the MAC of the virtual machine network card.

All the best

On Mon, 25 Jan 2021 at 22:06, Kaya Saman wrote:
> Hi,
>
> I'm wondering if it's possible to get OpenBSD to make the NIC ports act
> like a layer 2 switch?
>
> I made a quick test in VirtualBox (unfortunately I don't have any bare
> bones systems free to test with) and tried the following:
>
> create two systems, one called router , the other called client
>
> create vlans: vlan1, vlan2, vlan3
>
> create trunk interfaces on 3x virtual NIC's: trunk0 (em0), trunk1 (em1),
> trunk2 (em2)
>
> I then added the vlans to trunk0 by setting the vlandev to trunk0 in the
> hostname.if files.
>
> Of course a basic router-on-a-stick method like the above works fine but
> if I wanted the 3 vlans to also be on the trunk1 interface in a similar
> way to provisioning an L2 switch how would I go about it?
>
> I attempted to bridge trunk0 and trunk1. The result I got was that dhcp
> worked and the client was able to get an IPv4 address, I also had
> multicast traffic working when dynamically sending the client routes
> through OpenOSPF, as in I could see OSPFv2-hello and OSPFv2-dd packets
> being sent to 224.0.0.5 .
>
> What didn't work was ICMP packets were not being seen on the router
> systems NIC when I tried to use the ping command and in addition the
> OSPF routes would not propagate either.
>
> If I changed the virtual configuration back to trunk0 then everything
> worked as expected. It may just be a limitation of Vbox?
>
> In the meantime I have been looking at the docs:
>
> https://www.openbsd.org/papers/bsdcan2016-switchd.pdf
>
> https://man.openbsd.org/switch
>
> for the switch interface but is this really what I need here?
>
> Has anyone tried and succeeded with this kind of config?
>
> My main reason for wanting to use something like this is that I want to
> add a 10GbE NIC and switch into my production router platform while
> still keeping the same setup going to the 1GbE switch which is running
> in a 4-port LACP trunk.
>
> Of course an alternate would be to link the 1GbE switch to the 10GbE
> switch and do things that way, but the above would be more practical
> from a cabling sense.
>
> Has anyone got any ideas?
>
> Thanks a lot!
>
> Kaya

--
Kindest regards,
Tom Smyth.
Re: Fw: ospf question
Hello Mark

You need to give more detail on the IP address types: are you using broadcast networks or point to point / tunnel type addresses?

Are you seeing anything in /var/log/messages when you run the daemons? Also, can you be certain your hypervisor switches (real switches in the datacentre) allow for vm-vm communication and don't filter certain types of traffic (OSPF)?

Are you allowing IP protocol 89 (OSPF) in your PF rules on boxes running pf?

Have you configured loopback IPs on each router (on a separate loopback interface) on each OpenBSD router (so as not to have 127.0.0.0/8 routes advertised)?

Have you confirmed you don't have a network conflict: 2 routers with the same IP range on interfaces that are not connected?

You can start ospfd with the -df switches to see if there are any warnings / messages that might hint at what is up and running.

The only other high level things I can think of: check your neighbour adjacencies, are they forming, and focus where they are not forming. The usual things for OSPF adjacencies not forming:
- MTU of interfaces not matching between neighbours
- Authentication key, authentication type, authentication key id (usually = 1)
- a switch between routers with a smaller MTU / L2MTU than what the neighbour routers have configured on their interfaces

If OSPF neighbours are forming, are you learning any routes? Avoid static default routes, they are the spawn of Satan and you can run into issues learning and propagating default routes otherwise ...

Peace out and Happy new year

On Fri, 8 Jan 2021 at 23:08, Mark wrote:
>
> I'll try this message one more time.
>
> I have a question regarding the use of ospf with OpenBSD 6.8.
>
> > I have a network that consists of 23 OpenBSD 6.8 based routers (created,
> > within a virtualbox environment on a GNU/Linux server, to match the
> > physical network I manage - the only different being that the physical
> > network consists of FreeBSD based routers rather than OpenBSD ones). I set
> > this up after have replaced a FreeBSD based router with an OpenBSD based
> > one in the real network and immediately experiencing an issue accessing
> > parts of the network.
> >
> > Within my setup there is one router (router22) that is six hops away from
> > the designated default gateway (which I'll call the firewall) and there are
> > two paths (going different ways around the network) to get to it. I am able
> > to run a traceroute to router22, but am not able to ping it or ssh onto it.
> > If I ssh to the router connected to the firewall then I can ping and ssh to
> > router22 (at that point it's only 5 hops away). If I reboot any router that
> > lies within the path to router22 then I am subsequently able to ping and
> > ssh router22 from the firewall.
> >
> > I have also subsequently duplicated the entire network again using FreeBSD
> > 12.2 and the problem does not occur, so as far as I can see it's just an
> > OpenBSD ospf issue.
> >
> > I first set this up after replacing a FreeBSD based router with an OpenBSD
> > based one and experiencing another strange issue. In this instance the
> > shortest path from my server network (accessible from router01) to
> > router08, router11 and router12 was router01 <-> router13 <-> router21 <->
> > router08 <-> router11 <-> router12, when I put the OpenBSD router in as
> > router13 I could no longer ping router08, router11 or router12 (though I
> > could still ping router21). If I connected to a router in a different part
> > of the network I was able to ping each of the inaccessible ones, so it was
> > only when the OpenBSD based router was along the shortest path the issue
> > manifested itself.
> >
> > Is anyone aware of incompatibilities between the OSPF implementation within
> > OpenBSD and that provided by quagga on FreeBSD? Or of any limitations of
> > OSPF on OpenBSD?
> >
> > In each setup I have the same hello and dead interval and have md5 crypt
> > authentication in place on each link between routers. Each router is in
> > area 0.0.0.0.
> >
> > regards,
> > Mark

--
Kindest regards,
Tom Smyth.
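Tom's checklist above (subnet and MTU on both ends, area, hello/dead intervals, auth type, MD5 key id and key, pf passing IP protocol 89, a switch with a smaller L2 MTU than the routers, and the same prefix living on two unconnected links) can be run mechanically against an inventory of router interfaces before anyone starts reading ospfd -df output. The script below is an added example, not code from the thread, from Mark's lab or from OpenBSD's ospfd; the router names, addresses, the `link` labels (a tag for the L2 segment or VirtualBox network a port sits on) and the `pf_allows_ospf` flag are constructed assumptions used to build a sample topology with two deliberate mismatches.

```python
"""OSPF adjacency pre-check over a constructed interface inventory.

Added example. Compares the per-link settings an OSPF neighbour pair must
agree on and flags the classic reasons an adjacency never reaches FULL.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_interface
from typing import Dict, List, Optional


@dataclass
class OspfIface:
    router: str
    name: str
    link: str                   # label for the L2 segment the port is on (assumption)
    addr: str                   # "address/prefixlen"
    mtu: int
    area: str = "0.0.0.0"
    hello: int = 10             # seconds; ospfd defaults
    dead: int = 40
    auth_type: str = "none"     # none | simple | crypt, as in ospfd.conf
    auth_key_id: int = 1        # MD5 key id; usually 1
    auth_key: str = ""
    pf_allows_ospf: bool = True  # pf passes IP protocol 89 on this interface


def check_pair(a: OspfIface, b: OspfIface, link_l2_mtu: Optional[int] = None) -> List[str]:
    """Reasons why two interfaces sharing a link would not form an adjacency."""
    tag = f"{a.router}:{a.name} <-> {b.router}:{b.name}"
    p: List[str] = []
    na, nb = ip_interface(a.addr).network, ip_interface(b.addr).network
    if na != nb:
        p.append(f"{tag}: different subnets {na} / {nb}")
    if a.mtu != b.mtu:
        p.append(f"{tag}: MTU mismatch {a.mtu} / {b.mtu}")
    if link_l2_mtu is not None and link_l2_mtu < max(a.mtu, b.mtu):
        p.append(f"{tag}: switch L2 MTU {link_l2_mtu} smaller than interface MTU {max(a.mtu, b.mtu)}")
    if a.area != b.area:
        p.append(f"{tag}: area mismatch {a.area} / {b.area}")
    if (a.hello, a.dead) != (b.hello, b.dead):
        p.append(f"{tag}: hello/dead mismatch {a.hello}/{a.dead} vs {b.hello}/{b.dead}")
    if a.auth_type != b.auth_type:
        p.append(f"{tag}: auth type mismatch {a.auth_type} / {b.auth_type}")
    elif a.auth_type == "crypt" and a.auth_key_id != b.auth_key_id:
        p.append(f"{tag}: md5 key id mismatch {a.auth_key_id} / {b.auth_key_id}")
    elif a.auth_type != "none" and a.auth_key != b.auth_key:
        p.append(f"{tag}: auth key mismatch")
    return p


def find_subnet_conflicts(ifaces: List[OspfIface]) -> List[str]:
    """Prefixes configured on more than one L2 link: an address conflict."""
    links_by_net = defaultdict(set)
    for i in ifaces:
        links_by_net[ip_interface(i.addr).network].add(i.link)
    return sorted(str(n) for n, links in links_by_net.items() if len(links) > 1)


def audit(ifaces: List[OspfIface], l2_mtu: Optional[Dict[str, int]] = None) -> List[str]:
    """Per-interface pf check, pairwise checks on every link, then conflicts."""
    problems: List[str] = []
    by_link = defaultdict(list)
    for i in ifaces:
        by_link[i.link].append(i)
        if not i.pf_allows_ospf:
            problems.append(f"{i.router}:{i.name}: pf does not pass IP protocol 89 (OSPF)")
    for link, members in by_link.items():
        for x in range(len(members)):
            for y in range(x + 1, len(members)):
                problems += check_pair(members[x], members[y], (l2_mtu or {}).get(link))
    for n in find_subnet_conflicts(ifaces):
        problems.append(f"prefix {n} is configured on more than one link")
    return problems


# Constructed sample (not Mark's network): router13 is the newly inserted
# router; its link to router21 has an MTU and an MD5 key id mismatch, router08
# runs pf without an OSPF pass rule, and its prefix collides with link-B.
SAMPLE = [
    OspfIface("router01", "em0", "link-A", "10.0.1.1/24", 1500, auth_type="crypt", auth_key="k1"),
    OspfIface("router13", "em0", "link-A", "10.0.1.2/24", 1500, auth_type="crypt", auth_key="k1"),
    OspfIface("router13", "em1", "link-B", "10.0.2.1/24", 1500, auth_type="crypt", auth_key="k1", auth_key_id=2),
    OspfIface("router21", "em0", "link-B", "10.0.2.2/24", 9000, auth_type="crypt", auth_key="k1"),
    OspfIface("router08", "em0", "link-C", "10.0.2.5/24", 1500, auth_type="crypt", auth_key="k1", pf_allows_ospf=False),
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

Feed it the real inventory (one `OspfIface` per router port, with `link` set to whatever identifies the VirtualBox internal network or physical switch segment) and pass a `{link: l2_mtu}` dict to `audit` for any switch whose frame size is known to be smaller than the routers' interface MTU. Anything it reports is a reason the neighbour will sit in a state short of FULL, which narrows where to look with ospfctl before reading daemon logs.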
Re: Internal Microphone on Thinkpad X1 Carbon 7th gen not working
tel", unknown product 0x7360 (class wireless unknown subclass
> 0x40, rev 0x01) at pci1 dev 0 function 0 not configured
> ppb1 at pci0 dev 29 function 0 "Intel 300 Series PCIE" rev 0xf1: msi
> pci2 at ppb1 bus 3
> nvme0 at pci2 dev 0 function 0 "SanDisk WD Black NVMe" rev 0x00: msix, NVMe 1.3
> nvme0: WDC PC SN730 SDBQNTY-1T00-1001, firmware 11130101, serial 1951E5485614
> scsibus1 at nvme0: 2 targets, initiator 0
> sd0 at scsibus1 targ 1 lun 0:
> sd0: 976762MB, 512 bytes/sector, 2000409264 sectors
> ppb2 at pci0 dev 29 function 4 "Intel 300 Series PCIE" rev 0xf1: msi
> pci3 at ppb2 bus 5
> ppb3 at pci3 dev 0 function 0 "Intel JHL6540 Thunderbolt" rev 0x02
> pci4 at ppb3 bus 6
> ppb4 at pci4 dev 0 function 0 "Intel JHL6540 Thunderbolt" rev 0x02: msi
> pci5 at ppb4 bus 7
> "Intel JHL6540 Thunderbolt" rev 0x02 at pci5 dev 0 function 0 not configured
> ppb5 at pci4 dev 1 function 0 "Intel JHL6540 Thunderbolt" rev 0x02: msi
> pci6 at ppb5 bus 8
> ppb6 at pci4 dev 2 function 0 "Intel JHL6540 Thunderbolt" rev 0x02: msi
> pci7 at ppb6 bus 45
> xhci1 at pci7 dev 0 function 0 "Intel JHL6540 Thunderbolt" rev 0x02: msi, xHCI 1.10
> usb1 at xhci1: USB revision 3.0
> uhub1 at usb1 configuration 1 interface 0 "Intel xHCI root hub" rev 3.00/1.00 addr 1
> ppb7 at pci4 dev 4 function 0 "Intel JHL6540 Thunderbolt" rev 0x02: msi
> pci8 at ppb7 bus 46
> pcib0 at pci0 dev 31 function 0 "Intel 300 Series LPC" rev 0x11
> azalia0 at pci0 dev 31 function 3 "Intel 300 Series HD Audio" rev 0x11: msi
> azalia0: codecs: Realtek ALC285, Intel/0x280b, using Realtek ALC285
> audio0 at azalia0
> ichiic0 at pci0 dev 31 function 4 "Intel 300 Series SMBus" rev 0x11: apic 2 int 16
> iic0 at ichiic0
> ichiic0: abort failed, status 0x41
> "Intel 300 Series SPI" rev 0x11 at pci0 dev 31 function 5 not configured
> em0 at pci0 dev 31 function 6 "Intel I219-V" rev 0x11: msi, address f8:75:a4:c8:62:06
> isa0 at pcib0
> isadma0 at isa0
> pckbc0 at isa0 port 0x60/5 irq 1 irq 12
> pckbd0 at pckbc0 (kbd slot)
> wskbd0 at pckbd0: console keyboard
> pms0 at pckbc0 (aux slot)
> wsmouse0 at pms0 mux 0
> pcppi0 at isa0 port 0x61
> spkr0 at pcppi0
> vmm0 at mainbus0: VMX/EPT
> efifb at mainbus0 not configured
> uhidev0 at uhub0 port 3 configuration 1 interface 0 "Yubico YubiKey OTP+FIDO+CCID" rev 2.00/5.26 addr 2
> uhidev0: iclass 3/1
> ukbd0 at uhidev0: 8 variable keys, 6 key codes
> wskbd1 at ukbd0 mux 1
> uhidev1 at uhub0 port 3 configuration 1 interface 1 "Yubico YubiKey OTP+FIDO+CCID" rev 2.00/5.26 addr 2
> uhidev1: iclass 3/0
> fido0 at uhidev1: input=64, output=64, feature=0
> ugen0 at uhub0 port 3 configuration 1 "Yubico YubiKey OTP+FIDO+CCID" rev 2.00/5.26 addr 2
> uvideo0 at uhub0 port 8 configuration 1 interface 0 "Azurewave Integrated Camera" rev 2.01/69.05 addr 3
> video0 at uvideo0
> uvideo1 at uhub0 port 8 configuration 1 interface 2 "Azurewave Integrated Camera" rev 2.01/69.05 addr 3
> video1 at uvideo1
> vscsi0 at root
> scsibus2 at vscsi0: 256 targets
> softraid0 at root
> scsibus3 at softraid0: 256 targets
> sd1 at scsibus3 targ 1 lun 0:
> sd1: 976761MB, 512 bytes/sector, 2000407649 sectors
> root on sd1a (69b037e186d738a3.a) swap on sd1b dump on sd1b
> inteldrm0: 3840x2160, 32bpp
> wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation), using wskbd0
> wskbd1: connecting to wsdisplay0
> wsdisplay0: screen 1-5 added (std, vt100 emulation)
> iwm0: hw rev 0x310, fw ver 34.3125811985.0, address f8:e4:e3:30:0a:07

--
Kindest regards,
Tom Smyth.
Re: Fwd: PayPal pool for developer M1 Mac mini for OpenBSD port
Clearly I missed Patrik's email earlier.. :/ sorry folks

+1 if experienced devs are working on it... it will happen

Best of luck to the people working on getting it working ... can't be easy without all the docs ...

Thanks

On Thu, 3 Dec 2020 at 22:39, Tom Smyth wrote:
> Hi Jeff,
>
> as far as I'm aware... if you donate to the project they will source
> hardware as the project sees fit..
> if there is an M1 in want.html (where a developer is looking for one to
> make an initial POC before the project considers it viable to spend
> resources...
> it I would be happy to contribute... for that purpose ..
>
> I don't think anyone has anything specific against apple. per se..
> there are objections to proprietary firmware... and binary blobs...
> and this makes development of OpenSource Systems even harder than it
> already is...
>
> but yes the M1 looks awesome it will be interesting to see if they open
> it up (a little) ... but it is an arm chip ... so perhaps testing and
> providing open arm hardware would help the project more... check out want.html
>
> all of these are my own observations as a user over the years and I'm not
> a developer in OpenBSD
>
> Thanks
> Tom Smyth
>
> On Thu, 3 Dec 2020 at 22:11, Jeff Joshua Rollin wrote:
>
>> Forwarded Message
>> Subject: Fwd: PayPal pool for developer M1 Mac mini for OpenBSD port
>> Date: Thu, 3 Dec 2020 21:56:51 +
>> From: Jeff Joshua Rollin
>>
>> Oops, forgot to reply to the list. Sorry for the duplicate, Mihai.
>>
>> On 03/12/2020 01:18, Mihai Popescu wrote:
>> > I have only good wishes for the project, but I still don't get one thing:
>> > why do some people start to behave oddly whenever Apple comes into
>> > discussion.
>> > They are doing a proprietary thing, closed as hell, no documentation
>> > and so on. Why is this impulse to write code for such a thing. Just asking ...
>>
>> Apple make great products. My iMac, which is nearly ten years old, runs
>> without problems even today (try that with Windows). iPads and iPhones
>> have much better lifetimes than Android devices - we'll see if the
>> increasing number of devices running "real Linux" make a dent in the
>> market, but either way there are AFAIK no phones using any of the BSDs
>> (unless you count macOS/iOS, which for these purposes I don't) anyway.
>>
>> Other than the fact that the platform is proprietary, the only other
>> thing that annoys me about Macs, and always has, is their half-arsed
>> attempt at a British keyboard, which unless it's changed since my iMac
>> was manufactured still puts @ and " in the wrong places for Brits -
>> exactly the opposite places on a US keyboard. (Even Commodore, infamous
>> in its day for reliability problems and which bought the Amiga company
>> in what no less august an institution than Amiga Format magazine called
>> "a rare fit of insight," managed that one.) Fortunately, if you also use
>> Linux/UNIX, the problem of switching between keyboards with @ and " in
>> 'the wrong place' is easily solved for X11 by selecting a Mac UK
>> keyboard in the software settings even on a PC. (They did stubbornly
>> stick with that crap butterfly keyboard for four years, for reasons
>> presumably best known to themselves, but luckily that era also seems to
>> be over, and I didn't bother buying one during that time, for that and
>> other reasons.)
>>
>> As for the proprietariness, other than the fact that it's a nice new
>> hardware architecture as other people have mentioned, pretty much every
>> other architecture OpenBSD, NetBSD and Linux has ever run on (Amiga, Sun
>> and VAX, for example) is/was proprietary. And that's without considering
>> the closed peripherals (without which OpenBSD wouldn't have to eschew
>> NDAs) or the BMC on a Wintel - heaven knows what that thing really gets
>> up to.
>>
>> My £0.02
>>
>> Jeff.
>
> --
> Kindest regards,
> Tom Smyth.

--
Kindest regards,
Tom Smyth.
Re: PayPal pool for developer M1 Mac mini for OpenBSD port
Thanks Patrick, Marcan, and Theo... Interesting project... OpenBSD on the M1 :) ... best of luck with it

On Thu, 3 Dec 2020 at 22:11, Patrick Wildt wrote:
> This really has shown how much interest there is in having OpenBSD
> running on those machines. Still, we would all not be here without
> the OpenBSD project itself. Not being able to host hackathons due to
> COVID-19 leaves an impact, and I hope that soon(TM) we'll be able to
> get back together to shut up and hack.
>
> I'm sure you all love using OpenBSD and hacking on OpenBSD as much as I
> do, so to help OpenBSD run infrastructure, organize hackathons and to
> flourish even more, please consider donating!
>
> https://www.openbsdfoundation.org/donations.html
> https://www.openbsd.org/donations.html
>
> Also a shoutout to marcan, who'll be doing a lot of reverse engineering
> on the M1. He's pretty good, and I'm supporting his project by being a
> patron. I'm looking forward to his work, because of all the people out
> there who can do it, he's definitely one of them.
>
> https://www.patreon.com/marcan
>
> Patrick
>
> On Thu, Dec 03, 2020 at 02:33:34PM -0700, Ben Goren wrote:
> > Oh, wow — it hasn’t even been a full day since I sent this out...and
> > already enough of you have chipped in enough to buy not just a single M1
> > system for Patrick, but also a second one for his partner in crime, Mark
> > Kettenis.
> >
> > Thank you to all! This show of generosity and support and excitement is
> > most welcome. (And, frankly, a bit overwhelming.)
> >
> > If anybody reading this still wishes to donate to the cause, despite the
> > immediate needs being met, the money will be put to good use. There are
> > other developers who will eventually need their own hardware, and there are
> > always other sorts of expenses related to development. Feel free to chip in
> > at Patrick’s original link:
> >
> > https://www.paypal.com/pools/c/8uPSkfNJMp
> >
> > ...or, of course, to the OpenBSD general fund (which can *ALWAYS* use
> > donations):
> >
> > https://www.openbsd.org/donations.html
> >
> > Thanks again, everybody!
> >
> > b&
> >
> > > On Dec 2, 2020, at 2:59 PM, Ben Goren wrote:
> > > Greetings, all!
> > >
> > > Patrick Wildt has set up a PayPal pool to raise funds to purchase an
> > > M1 Mac mini so he can start porting OpenBSD to the platform. If you’d like
> > > to be able to run OpenBSD on an M1 system, now would be a great time to
> > > throw some pennies his way.
> > >
> > > The donation link: https://paypal.me/pools/c/8uPSkfNJMp
> > >
> > > Read below for an idea of what one might expect if we can get a
> > > machine into Patrick’s hands.
> > >
> > > Cheers,
> > >
> > > b&
> > >
> > > Patrick wrote:
> > >
> > >> Yes, kettenis@ and me are the two ones doing the major work on porting
> > >> to new devices. Not sure if kettenis@ is interested, but I can ask him.
> > >> I definitely am, a Mac Mini as a dedicated machine to do stuff with and
> > >> not care about what is installed would really help.
> > >>
> > >> Marcan has started a crowdfunding on Patreon. He's a really capable
> > >> person, and he'll definitely lay a lot of groundwork needed for porting
> > >> OpenBSD to the platform. He apparently will also do his work in a
> > >> dual-licensed fashion, so the BSDs will easily profit from it.
> > >>
> > >> So, the first steps are basically to follow Marcan's work and use all
> > >> that information and code to port OpenBSD as well.
> > >>
> > >> This *will* take some time, because essentially there are only the
> > >> binary drivers, but it's doable and I think with a bit of patience
> > >> we will have OpenBSD running on the M1 as well.
> > >>
> > >> Biggest hurdle, as always, will be support for graphics acceleration.

--
Kindest regards,
Tom Smyth.
Re: Fwd: PayPal pool for developer M1 Mac mini for OpenBSD port
Hi Jeff,

as far as I'm aware... if you donate to the project they will source
hardware as the project sees fit..
if there is an M1 in want.html (where a developer is looking for one to
make an initial POC before the project considers it viable to spend
resources...
it I would be happy to contribute... for that purpose ..

I don't think anyone has anything specific against apple. per se..
there are objections to proprietary firmware... and binary blobs...
and this makes development of OpenSource Systems even harder than it
already is...

but yes the M1 looks awesome it will be interesting to see if they open
it up (a little) ... but it is an arm chip ... so perhaps testing and
providing open arm hardware would help the project more... check out want.html

all of these are my own observations as a user over the years and I'm not
a developer in OpenBSD

Thanks
Tom Smyth

On Thu, 3 Dec 2020 at 22:11, Jeff Joshua Rollin wrote:
>
> Forwarded Message
> Subject: Fwd: PayPal pool for developer M1 Mac mini for OpenBSD port
> Date: Thu, 3 Dec 2020 21:56:51 +
> From: Jeff Joshua Rollin
>
> Oops, forgot to reply to the list. Sorry for the duplicate, Mihai.
>
> On 03/12/2020 01:18, Mihai Popescu wrote:
> > I have only good wishes for the project, but I still don't get one thing:
> > why do some people start to behave oddly whenever Apple comes into
> > discussion.
> > They are doing a proprietary thing, closed as hell, no documentation and so
> > on. Why is this impulse to write code for such a thing. Just asking ...
>
> Apple make great products. My iMac, which is nearly ten years old, runs
> without problems even today (try that with Windows). iPads and iPhones
> have much better lifetimes than Android devices - we'll see if the
> increasing number of devices running "real Linux" make a dent in the
> market, but either way there are AFAIK no phones using any of the BSDs
> (unless you count macOS/iOS, which for these purposes I don't) anyway.
>
> Other than the fact that the platform is proprietary, the only other
> thing that annoys me about Macs, and always has, is their half-arsed
> attempt at a British keyboard, which unless it's changed since my iMac
> was manufactured still puts @ and " in the wrong places for Brits -
> exactly the opposite places on a US keyboard. (Even Commodore, infamous
> in its day for reliability problems and which bought the Amiga company
> in what no less august an institution than Amiga Format magazine called
> "a rare fit of insight," managed that one.) Fortunately, if you also use
> Linux/UNIX, the problem of switching between keyboards with @ and " in
> 'the wrong place' is easily solved for X11 by selecting a Mac UK
> keyboard in the software settings even on a PC. (They did stubbornly
> stick with that crap butterfly keyboard for four years, for reasons
> presumably best known to themselves, but luckily that era also seems to
> be over, and I didn't bother buying one during that time, for that and
> other reasons.)
>
> As for the proprietaryness, other than the fact that it's a nice new
> hardware architecture as other people have mentioned, pretty much every
> other architecture OpenBSD, NetBSD and Linux has ever run on (Amiga, Sun
> and VAX, for example) is/was proprietary. And that's without considering
> the closed peripherals (without which OpenBSD wouldn't have to eschew
> NDAs) or the BMC on a Wintel - heaven knows what that thing really gets
> up to.
>
> My £0.02
>
> Jeff.

--
Kindest regards,
Tom Smyth.