Re: OpenBSD runs hotter than Linux with same laptop, draws more electricity?
On 01.07.24 23:27, A B wrote:
> I just wonder why OpenBSD requires more CPU load for the same kind of activity (web browsing), and also appears to draw more electricity from the power supply when measured, compared to Linux, when using the same laptop?

Different objectives of operating systems: different kernel, different drivers, different userland, different compiler.

> Memory protection kinds of checks?

Good guess! Furthermore, it's open source, so everyone including you is invited to contribute patches and make this awesome operating system even more awesome.
7.5/amd64 acpitz problem with syspatch75-001
Hi,

I just updated my 7.5/amd64 system with syspatch75-001_xserver. Unfortunately now when booting, shortly after "starting network", I receive the error: "acpitz0: critical temperature exceeded 60C, shutting down". Disabling acpitz* at the boot-config helps, or, also reverting the syspatch is a workaround. See attached [1] my dmesg. Maybe this is an indicator for a bug and some dev could have a closer look.

Thanks!

Regards,
infoomatic

[1] dmesg:
OpenBSD 7.5 (GENERIC.MP) #82: Wed Mar 20 15:48:40 MDT 2024
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
bios0: ASUSTeK Computer Inc. X51L
acpitz0 at acpi0: critical temperature is 110 degC
Re: PC Engines APU platform EOL
Is anyone aware of such a nice little device with low power consumption and ECC memory? The alternatives mentioned so far just offer normal RAM options...
Re: BSD and kubernetes
Kubernetes' philosophy quite contradicts OpenBSD's. Also, Kubernetes builds upon Linux technologies. Porting that stuff alone to OpenBSD would mean a great deal of work, and again does not really fit the OpenBSD developers' ideas. The resources of OpenBSD are just a tiny fraction of those of Kubernetes alone, so in my opinion, and probably in theirs also, they should keep doing what they have done for a long time and what they are good at: focus on OpenBSD's development (and of course their other projects!).

The good part: anyone interested in that could just grab the source and start hacking together Kubernetes for OpenBSD, though that work is probably overwhelming.

Being a heavy Kubernetes user myself I would not choose OpenBSD in order to run Kubernetes, because I choose OpenBSD for different reasons/requirements. What's the sense of simply putting tremendous effort into copying a solution that is already out there? No one wants OpenBSD to become a Linux clone; it would be wasted energy.

A metaphor: while both systems are a kind of mobile housing, I do not want my lightweight trekking tent to become a Mongolian yurt overnight.

On 03.03.23 19:33, Ken Young wrote:
> Hello,
> I am a BSD user and also a user of kubernetes. It seems the BSD community has not much interest in docker/k8s integration. Is it true? and why?
> Thanks.
Re: IKEV2 two devices can connect but only one can make traffic
On 12.04.22 15:26, Łukasz Moskała wrote:
> I remember talking with a network engineer at one company I used to work at. We used Fortigate firewalls, and I asked why we were using SSLVPN instead of an ipsec-based VPN, as both were supported. He said something along the lines of "ipsec does not work when there are two devices connecting from the same IP so this would be an issue for us when two admins were on the same public wifi, or lived together".

I could not resolve this issue myself at around the release of OpenBSD 6.0; I had to use one public external IPv4 address per client connecting to an IPsec endpoint, and when our pool of addresses was depleted we unfortunately were forced to use #commercialfirewall.
Re: OpenBSD benchmarks
IMHO benchmarking only makes sense for your scenario, so I recommend benchmarking the ruleset you intend to use on that device. Also: what are you benchmarking against, and what is your setup (NAT, bridge etc.)?

On 04.04.22 21:50, Nicolas Goy wrote:
> Hello,
> I'd like to make some 10gbit/s benchmarks for an OpenBSD based router. I was wondering if there was some "standard" pf ruleset I could use to have a meaningful metric. Also, I'm curious if anybody is aware of such existing benchmarks.
> Regards
Re: Question about cryptography software compatibility on OpenBSD
I agree with Janne. Almost always it is more of a compliance topic than a technical topic. I did work for where we provided crypto/digital signature stuff to government and institutions I won't name, and e.g. the constraint for choosing an operating system for a platform was almost always certification, e.g. at least EAL4 ... certified hardware to certified software, everything in a chain. So if you are ready to take a bunch of cash, approach a hardware manufacturer and a certification authority and get your whole platform certified, then you can sell it to big corps and govs - that's sad, but the way you have to go. Good luck!

On 15.10.21 11:14, Janne Johansson wrote:
> On Fri 15 Oct 2021 at 11:01, soko.tica wrote:
>> Hello list,
>> I have a question about cryptography software compatibility on OpenBSD. I have a wild guess about the answer, but I need it to be more reliable. The target audience are lawyers, since I want to launch a legal battle in
>
> Then you need lawyer-speak, not answers from technical people. Those two overlap very little.
>
>> My wild guess is as follows:
>> 1) OpenBSD includes cryptography capabilities/software in its kernel.
>
> yes, some.
>
>> 2) Most other operating systems had not included cryptography capabilities/software in its kernel.
>
> Depends on when "had" is in time. Nowadays, they probably all do.
>
>> 3) Providers of public digital signatures offer software (a one-size-fits-all Java “blob”) that should add cryptography capabilities to the operating system.
>
> No, they don't add it to the OS, they expose crypto functionality to other programs. Big difference.
> I know of no OS that would reach out to java in order to get crypto inside the kernel, and if it's not in the kernel, then any other random program would not necessarily pick up that there is a bad/evil blob installed somewhere that gives you poor crypto unless it actively looks for it, so just by adding java-crypto-something in a folder it might not be used by anything else that doesn't specifically ask for exactly this.
>
>> 4) OpenBSD doesn’t allow such technically inferior software to meddle with its superior cryptography capabilities included in kernel.
>
> Value added statement, and mostly irrelevant to court cases I guess.
>
>> 5) The proper technical solution would be that providers of public digital signatures offer digital signatures adjusted to OpenBSD technical solutions, including offering software not being under the minimal cryptography standards of OpenBSD. (A side note, hash function of all offered public digital signatures in Serbia are SHA-1.)
>> Am I somewhere wrong in my wild guess?
>
> Yes, you are assuming too much in the last part. It is not impossible for other OSes to have better, faster, more-formally-verified, more-legal-where-I-am-located crypto routines in their OSes which might be a preferred solution somewhere. While openbsd has the crypto it requires for its needs, those needs are not guaranteed to (always) overlap with all the other requirements that are set in different places around the world. One example could be russian computers wanting certain algorithms like GOST in various forms, or US computers needing FIPS-140 validation even if that in certain cases lowers the overall security (hard to get fixes and patches into such a setup)
Re: Large Filesystem
On 28.11.20 05:51, Nick Holland wrote:
> I've heard that from a lot of people.
> And yet, those same people, when pressed, will tell you that a ZFS-equipped
> system will crash much more often than simpler file systems. That's one
> heck of a real penalty to pay for a theoretical advantage.
>
> I've setup some cool stuff using ZFS (dynamically sized partitions,
> snapshots, zfs sends of snapshots to other machines, etc), but man, I
> spent a comical amount of time babysitting and fixing file system
> problems. The 1980s are over, file systems should Just Work now.
> If you are babysitting them constantly, something ain't right. If
> someone wants to add a ZFS-like "scrubbing" feature to ffs, I'd be all
> for it. But not for the penalties that come with ZFS.

No idea what you did but I have never had problems on ZFS (in ~ 10 years, 250 servers, few PB of storage) with Solaris and FreeBSD, Linux yes. Other than that I can just highly recommend reconsidering ZFS; my experience was: bit rot on modern high density disks _is_ a problem.

Sorry for offtopic.
Re: How many IPs can I block before taking a performance hit?
We have ~30,000 entries in our table blocking networks and single IP addresses, all in all at the moment exactly 169,471,974 hosts being blocked. No idea what your criteria are for "performance impact", but we have no issues.

On 12.08.20 14:11, Alan McKay wrote:
> Hey folks,
>
> This is one that is difficult to test in a test environment.
>
> I've got OpenBSD 6.5 on a relatively new pair of servers each with 8G RAM.
>
> With some scripting I'm looking at feeding block IPs to the firewalls
> to block bad-guys in near real time, but in theory if we got attacked
> by a bot net or something like that, it could result in a few thousand
> IPs being blocked. Possibly even 10s of thousands.
>
> Are there any real-world data out there on how big of a block list we
> can handle without impacting performance?
>
> We're doing the standard /etc/blacklist to load a table and then have
> a block on the table right at the top of the ruleset.
>
> thanks,
> -Alan
Re: A concerning commit which breaks compatibility
This is probably due to the recent social discussion about the Black Lives Matter movement. Engineers around the world show their support to this movement against racism by various measures, e.g. adjusting their code of conduct/rules etc. In many cases, "blacklist" should not relate to something negative/weak/bad because this could lead to conscious or unconscious negative behaviour against people of different skin tones.

On 23.07.20 23:54, goldeneagle96 wrote:
> Hello OpenBSD devs. It has come to my attention that a mysterious commit
> , unlogged by CVS, has appeared. This commit changes language, breaking
> compatibility on header and source files.
> Thankfully, it was logged by the Github mirror.
> The commit's author is the Github username "djmdjm", and the one who
> okayed it was "markus@".
> Please, I ask of you and specially of Theo to look at this strange
> commit, and decide what to do about it.
> Its link is
> https://github.com/openbsd/src/commit/5bde2954c180034a27b079acaff46073dc75139b
> cc @misc @tech
Re: HD OpenBSD Artwork
That's awesome! Thanks!

On 16.07.20 15:43, Ben Jahmine wrote:
>> Is there somewhere to get higher resolution OpenBSD artwork?
>>
>> I see the stuff on the website, and it's great, but on my 8k screen it's
>> kind of like a postage stamp in the middle.
>>
>> Do higher Res copies exist somewhere? Can they be made available?
>
> Scale to your needs.
>
> Cheers
>
> Ben
Re: how to mount phone?
Also: you can use the app termux if you want some nice terminal programs ... I rsync all my files from my phone to my computer.

On 14.07.20 13:11, Abel Abraham Camarillo Ojeda wrote:
> On Tue, Jul 14, 2020 at 5:07 AM Jan Stary wrote:
>
>> On Jul 13 14:39:35, justinkm...@gmail.com wrote:
>>> Just wishing to mount my phone to access photos.
>>> Here's the output from dmesg:
>>> ugen0 at uhub0 port 3 "Alcatel U50? Alcatel U50?" rev 2.00/3.10 addr 2
>>> Any ideas on how this might be mounted??
>>
>> I believe phone OSes go out of their way to _not_ expose
>> the storage as an umass. You need a dedicated app to do
>> things as fundamental as copying a file.
>>
>
> I think you can use adb (in packages) to copy more "easily"
> (without installing third-party apps on phone):
>
> https://developer.android.com/studio/command-line/adb#copyfiles
Re: How do I set up a Wi-Fi access point (using APU2)?
It seems you skipped the firewall part of the document you were referring to; you need NAT for the connections.

On 05.06.20 18:50, Richard Ulmer wrote:
> Hi,
> I got myself an APU2E2 and am trying to set it up as a router. To learn
> how to do this I'm mostly following the "Building a Router" FAQ [1]. For
> simplicity's sake I'm only using em0 and athn0. This is my setup:
>
>                                          .-----------.
>  .----------.      .------------.        |   APU2    | ))) client1
>  | Internet | <--> | ISP-Router | <-->   | em0 athn0 | ))) client2
>  `----------'      `------------'        `-----------'
>
> I want the clients, that are connected to athn0 to be able to access the
> internet, but it doesn't work. What works is this:
>
> 1. I can connect my laptop to athn0, ping the IP of athn0 and even the
>    IP of em0. Pinging the ISP-Router doesn't work.
> 2. If I connect my laptop to the ISP-Router, I can ping em0.
> 3. When I am on the router (via ssh or COM-Port) I can ping em0, athn0
>    the ISP-Router, openbsd.org, ...
>
> So what I can't figure out is why I can't ping the ISP-Router and
> servers on the internet, when I'm connected to athn0. My APU2 setup is:
>
> $ sysctl net.inet.ip.forwarding
> net.inet.ip.forwarding=1
> $ cat /etc/mygate
> # This is the ISP-Router:
> 192.168.178.1
> $ cat /etc/hostname.em0
> inet 192.168.178.2 255.255.255.0 192.168.178.255
> up
> $ cat /etc/hostname.athn0
> media autoselect mode 11n mediaopt hostap chan 36
> nwid wpakey
> inet 192.168.3.1 255.255.255.0
> $ cat /etc/pf.conf
> pass in log (all)
> $ cat /etc/rc.conf.local
> dhcpd_flags=athn0
> $ cat /etc/dhcpd.conf
> subnet 192.168.3.0 netmask 255.255.255.0 {
>         option routers 192.168.3.1;
>         option domain-name-servers 192.168.178.1;
>         range 192.168.3.20 192.168.3.100;
> }
>
> I'm an absolute noob when it comes to network configuration, so the
> problem is probably something really stupid, but I can't figure it out.
> I'll appreciate any hint!
>
> Greetings,
> Richard Ulmer
>
> [1] https://www.openbsd.org/faq/pf/example1.html
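A pf.conf that supplies the NAT step the quoted setup is missing, as an added example that is neither the poster's nor the FAQ's configuration; it assumes the addresses from the quoted hostname.* files and that the ISP router has no route back to 192.168.3.0/24.

```pf
# Added example: /etc/pf.conf for the APU2 router quoted above.
# Assumptions: em0 = 192.168.178.2 (towards the ISP router),
# athn0 = 192.168.3.1/24 (hostap), as in the quoted hostname.* files.
ext_if   = "em0"
wifi_if  = "athn0"
wifi_net = "192.168.3.0/24"

set skip on lo

# What the quoted ruleset lacks: the ISP router only knows 192.168.178.0/24,
# so replies to 192.168.3.x clients are dropped on its side. Rewrite the
# source address of forwarded Wi-Fi traffic to em0's own address before it
# leaves; pf translates the replies back using the state it keeps.
match out on $ext_if inet from $wifi_net to any nat-to ($ext_if:0)

# Default deny. The quoted "pass in log (all)" on its own changes nothing,
# because pf passes everything when no block rule exists; start closed.
block log all

# Flows the router originates or forwards may leave on any interface.
pass out quick inet

# Wi-Fi clients may talk to the router and through it. No "from" filter
# here: DHCP discovers arrive from 0.0.0.0 and must reach dhcpd on athn0.
pass in on $wifi_if inet

# Nothing is accepted on em0 from the ISP side except replies to existing
# states; managing the router over ssh from that network would need an
# explicit "pass in on $ext_if inet proto tcp to ($ext_if) port ssh".
```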
Re: Article OpenBSD: Not Free Not Fuctional and Definetly Not Secure and BSD, the truth blog
I just don't get why some people put so much energy into bashing a free product instead of just ignoring it if they really hate it. The time would have been better spent on supporting/improving OpenBSD or another project.

On 28.05.20 13:20, Ian Darwin wrote:
> On Thu, May 28, 2020 at 02:21:49PM +1000, Aaron Mason wrote:
>> On Thu, May 28, 2020 at 2:20 PM Quantum Robin
>> wrote:
>>> While surfing on the Google to learn more about OpenBSD, I encountered this
>>> one: "OpenBSD: Not Free Not Fuctional and Definetly Not Secure (
>>> https://aboutthebsds.wordpress.com/2013/01/25/20/)
>>>
>>> Is the author telling the truth? Or just yet another anti-BSD thing?
>>
>> If it has to tell you it's "the truth" in its title, it probably isn't.
>
> If it can't spell "Functional", it probably isn't.
Re: upgrade 6.6 -> 6.7
Hi,

yes of course! All systems are running amd64 with 768MB or 1GB RAM; I used sysupgrade to upgrade. The tool works, however, a short notice before rebooting would be nice. The last thing I saw was upgrading the firmware, then the ssh connection stalled (system rebooted). After the upgrade I just thought: wow, that was fast!

Linux/KVM was straightforward, "like on real hardware".

FreeBSD/bhyve virtualization technology basically uses 2 components: the bootloader and the hypervisor. It needs some manual steps (using bhyve-grub as bootloader):

*) sysupgrade -n, then shutdown
*) vm.conf usually has a line like 'grub_run0="kopenbsd -h com0 -r sd0a /bsd"' - use /bsd.upgrade instead of /bsd - this can also be configured in the grub boot menu
*) Upgrade finishes and reboots again automatically, so in grub use /bsd again. Using the vm.conf method you need to force the shutdown because the system is trying to boot /bsd.upgrade again which of course vanished. (so use /bsd in vm.conf again and start the vm)

So for a manual upgrade editing the boot config in the grub menu is simple; if you do automated upgrades going via the vm.conf stuff might be preferable.

Regards,
infoomatic

On 19.05.20 21:25, Ottavio Caruso wrote:
> You might want to share how you did it. bsd.rd, sysupgrade, manual
> upgrade?
upgrade 6.6 -> 6.7
Hi,

just for info: Upgrading from 6.6 to 6.7 worked without flaws on my OpenBSD VMs on Linux/KVM and FreeBSD/bhyve hypervisors! 6.7 feels faster and snappier! Thanks to you all for your hard work!

Regards,
infoomatic
wireguard on i386
Hi,

I realized wireguard is not available as a binary package for i386. Since this is my only 32-bit machine I would set up a 32-bit VM to build the package. Is it possible to compile it from ports for 32-bit? (or is the missing package a sign that it's not available for the 32-bit architecture?)

thanks,
infoomatic
Re: multihomed routing issue
What exactly are you trying to achieve, or: why not use Azure firewall?

On 26.04.20 17:27, 4642 wrote:
> Hi, I have created an OpenBSD 6.6 VM in the Azure cloud that I plan to use as
> a Firewall, I had planned on using carp but I can't get it working in Azure
> so I think I can use an Internal load balancer to achieve my aim of having
> two redundant OBSD Firewalls in Azure. The problem I have is that the Azure
> Internal Load Balancer requires a health probe to work. So I create a load
> balancer health probe and set it to the SSH service on my FW Host and set it
> to every 5 seconds. I can see the traffic on my FW but the health probe
> doesn't work and I think it's because the traffic from the Azure discover ip
> "168.63.129.16" that is doing the probe is coming from within the azure
> network, hitting my internal nic and then onto the ssh service ? and then
> finally leaving but on the external interface.
>
> tcpdump -n -e -ttt -i pflog0 -v
> tcpdump: WARNING: snaplen raised from 116 to 160
> tcpdump: listening on pflog0, link-type PFLOG
> Apr 26 15:59:30.082436 rule 1/(match) [uid 0, pid 44293] block out on hvn0:
> [orig src 10.x.x.36:22, dst 168.63.129.16:54762] 10.x.x.4.65324 >
> 168.63.129.16.54762: S [bad tcp cksum 9d0b! -> 9e14] 252441079:252441079(0)
> ack 3958895254 win 16384 (DF) (ttl 64,
> id 2960, len 52, bad ip cksum 0! -> 52f0)
>
> Rule 1 = block log all
> 168.63.129.16 = Azure Discovery Address
> 10.x.x.4 = My External IP on hvn0
> 10.x.x.36 = My Internal IP on hvn1
>
> I tried changing the state rules to allow the traffic out on the external
> interface and I thought I had it working earlier today by changing
> state-policy from if-bound to floating but I can't reproduce that again for
> some reason... anyway it didn't seem to work.
> I think I really just need to force the traffic back out the Internal
> interface but I just don't know how to do that ?
>
> If anyone could help me it would be really appreciated.
> Thanks
>
> Keith
Re: Reduce attack surface - Tomcat and guacamole...
Some questions do arise:

1.) is the device which you intend to use under your control?
2.) how would you like to access systems in your home network?

As for me, I have a VPN service on my server so I can access all my systems from a device I own when I am on the road. This saves me from installing java and the like ... even a plain ssh reverse tunnel can solve lots of those issues.

On 14.04.20 22:40, Steve Williams wrote:
> Hi,
>
> For a R&D project, I am trying to get guacamole working to be able to
> access systems on my home network remotely.
>
> Guacamole (I believe) needs to run under something like tomcat to
> serve up the java war file & application.
>
> I really don't want to have Tomcat exposed to the Internet without
> some kind of authentication in front of it.
>
> I was thinking of running Tomcat bound to localhost and using pf to
> redirect to it, but that doesn't add any security.
>
> So, I was thinking of using some form of authpf to open up pf rules
> when I needed to access systems remotely.
>
> But, I don't want to open up Tomcat to the world when I'm using
> guacamole, so is it possible to have authpf tweak pf rules so that the
> originating IP address of the ssh session would be the only one that
> could access Tomcat?
>
> Is there something better that could be done?
>
> I was thinking even httpd in front of tomcat with httpd
> authentication, but that doesn't seem to make sense to me at a high
> level.
>
> I was looking at relayd but it doesn't seem to have any authentication
> mechanism built in.
>
> Does anyone have some inspiration on how to provide a level of
> security before packets even hit Tomcat?
>
> Thanks,
> Steve Williams
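How authpf can limit Tomcat to the address a user has just logged in from, as an added example that is not the poster's setup or any project's code; it assumes Tomcat bound to 127.0.0.1:8080, ssh on the gateway's egress interface, and users whose login shell is /usr/sbin/authpf.

```pf
# Added example: /etc/pf.conf on the gateway. Tomcat is assumed to listen
# on 127.0.0.1:8080 only, so nothing reaches it except through pf.
set skip on lo
table <bruteforce> persist

block log all

# Hosts that hammer the ssh listener land in the table and are dropped.
block in quick from <bruteforce>

# ssh is the only service accepted from outside; it is where authpf
# sessions start. (authpf also needs /etc/authpf/authpf.conf to exist,
# even empty, and the user's shell set to /usr/sbin/authpf.)
pass in on egress inet proto tcp to (egress) port ssh \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Per-user rules loaded by authpf(8) are evaluated at this point. It sits
# after "block log all", so a user's "pass in" is the last match and wins;
# when the ssh session ends, authpf removes the rules again, so Tomcat is
# exposed exactly as long as the login lasts and only to that address.
anchor "authpf/*"

pass out on egress inet keep state

# /etc/authpf/authpf.rules (assumed contents; a separate file, so pf.conf
# macros are not available here). $user_ip is filled in by authpf with the
# address the user authenticated from; only that address may reach Tomcat,
# and it is redirected to the loopback-bound listener:
#
# pass in quick on egress inet proto tcp from $user_ip to (egress) port 8080 \
#     rdr-to 127.0.0.1 port 8080
```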
Re: openbsd.org down?
Not reachable for days now in Austria, Germany, Czech Republic

On 13.04.20 11:01, SP2L Tom wrote:
> Greetings.
>
> It was and it is still up&running.
> At least, I can reach OpenBSD site.
>
> Best regards.
> Tom
>
> On 13 April 2020 10:23:18, Sebastien Marie wrote:
>
>> On Mon, Apr 13, 2020 at 10:14:00AM +0300, Ilya Mitrukov wrote:
>>> Hi,
>>> flushing the caches doesn't help and it's still unavailable.
>>>
>>> Does anybody know where to report the issue?
>>> (I'd look at openbsd.org but ... )
>>
>> I suppose there is one or two openbsd developers which follow this
>> list. So they
>> might already know.
>>
>> Thanks.
>> --
>> Sebastien Marie
Re: Does Intel driver supports Intel g31?
I suggest you read the documentation instead of throwing one-line questions at the mailing list. The documentation is excellent, just look for the information you need.

https://man.openbsd.org/
https://openports.se/

On 11.04.20 15:58, Nikita Stepanov wrote:
> Does Intel driver supports Intel g31?
Re: Can openbsd run Linux binaries?
No. But a lot of the software you might know from Linux is available via ports and packages.

On 11.04.20 11:57, Nikita Stepanov wrote:
> Can openbsd run Linux binaries?
Re: secure MTA (was: news from ...)
On 09.04.20 11:55, Rudolf Leitgeb wrote:
> As soon as your server does anything useful, it will
> present an attack vector to the outside world, and one needs to
> be aware of it.

Just to add to your argument: your server does not even have to do anything ... the interface driver or just the TCP/IP stack can also be vulnerable. E.g. I hit the nasty bug in OpenBSD 6.0 where IPv6 router advertisements did crash my freshly installed boxes remotely ... this was one of those "WTF" moments when you stand in front of your racks and see 4 kernel panics at the same time. And where there is such a bug, there might be a possibility to inject a payload and execute stuff.
Re: Hosting a CDN question
Varnish does not bring down the network latency if users are sitting on the other end of the world...

On 17.03.20 08:48, Wayne Oliver wrote:
> On 2020/03/16 12:26, Flipchan wrote:
>> Hey all,
>> My company needs to put up a CDN for fast hosting of javascript, images and css for websites, and then I would need something faster than httpd. Does anyone here run a CDN for static website content? If so what software did you use to set it up?
>> have a good one
>> Sincerely Filip
>
> What about sticking a caching server/s in front of your httpd instance/s.
> e.g. https://varnish-cache.org/
Re: do i need to configure mkinitcpio.conf for my md array ?
What do you want to achieve? If you want to access the array from OpenBSD then I see no possibility with this configuration. If you want a dual-boot system I suggest you configure the 4-disk raid in OpenBSD, and in Arch Linux you could use a VM and use hardware passthrough to access the data.

On 16.01.20 at 13:10, Shadrock Uhuru wrote:
> I have just configured my 4 disk raid 10 array with mdadm; the filesystem is ext4 unencrypted and arch is installed on a separate disk. Do I need to reconfigure mkinitcpio.conf for my md array so that the array is assembled and started at boot? All the examples I've seen have arch installed on the raid array, including the example in the wiki https://wiki.archlinux.org/index.php/RAID
> I have not rebooted the new array yet so I would like to make sure everything necessary is configured before I do that.
> shadrock
Re: OpenBSD's extremely poor network/disk performance?
Just out of curiosity: did you do the FreeBSD test on ZFS with compression enabled?

On 09.01.20 at 15:22, Hamd wrote:
> Joe, are you a joke? Please stop insulting me, this is not my/your_personal_fancy_forum. This will be my last post here in misc.
>
> Default setups, no config. changes. Just patches installed. Same hardware.
>
> FreeBSD:
> freebsd@test:~ # time sh -c "dd if=/dev/zero of=test.tmp bs=4k count=5 && sync"
> 5+0 records in
> 5+0 records out
> 20480 bytes transferred in 0.239590 secs (854792500 bytes/sec)
> 0.000u 0.195s 0:00.25 76.0% 22+198k 0+1568io 0pf+0w
> Result: *854.79 MB/s disk speed*
> freebsd@test:~ # uname -a
> FreeBSD test.local 12.1-RELEASE-p1 FreeBSD 12.1-RELEASE-p1 GENERIC amd64
>
> OpenBSD:
> test$ time sh -c "dd if=/dev/zero of=test.tmp bs=4k count=5 && sync"
> 5+0 records in
> 5+0 records out
> 20480 bytes transferred in 12.303 secs (16645247 bytes/sec)
> 0m12.32s real 0m00.13s user 0m01.28s system
> Result: *16.64 MB/s disk speed*
> test$ uname -a
> OpenBSD test.local 6.6 GENERIC#3 amd64
>
> You all guys, please don't get me wrong in any way, I truly adore the cleanness, stability and security of OpenBSD; the huge efforts of all the dev team are really much appreciated! I agree when it comes to OpenBSD, of course, security comes FIRST. But in 2020, a speed of 16 megabytes per second...hurts the users. A lot. I really wish I could contribute the code somehow..*sighs
> Regards.
>
> On Wed, 8 Jan 2020 at 18:29, Joe Greco wrote:
>> On Wed, Jan 08, 2020 at 05:57:37PM +0300, Hamd wrote:
>>> Under less than 24 hours, after my post, the misc has received 2 or 3 brand new questions/posts regarding slow*.
>>
>> Well, in the case of my issue, I am reasonably certain that this isn't an issue with LibreSSL. I raised it as an issue of simply not knowing how to get it to do what I need at the speeds it is clearly capable of, on i386. It works fine and at approximately OpenSSL speeds on amd64.
>>
>>> The problem is, well, obviously not me, personally.
>>
>> I beg to differ.
>>
>> Your repurposing my question for your own ends in an attempt to categorize it as a general OpenBSD performance issue is, in my opinion, full of **it. This is not helpful to those of us who are asking legitimate questions of those who are more familiar with these projects. I know I've made a dumb mistake of some sort and I was hoping someone would point it out.
>>
>> If you do not like the product, don't use it. Or submit a patch to fix it.
>>
>> ... JG
>>
>> --
>> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
>> "The strain of anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'" -Asimov
Re: OpenBSD's extremely poor network/disk performance?
1.) OpenBSD never stated that ultimate performance is their goal, but clean maintainable code is, and thus in case of a compromise the developers will choose clean code over performance.
2.) to quote Brendan Gregg: "All benchmarks are wrong until proven otherwise"
3.) It's 2020 and you quote a benchmark from 2018?
4.) The code is right there, you are invited to improve the situation.

On 07.01.20 at 15:35, Hamd wrote:
> It's 2020 and it's -still- sad to see OpenBSD -still- has the lowest/poorest (general/overall) performance ever:
> https://www.phoronix.com/scan.php?page=article&item=8-linux-bsd&num=1
> My reference is not -only- that url, of course. My reference is my OpenBSD, giving ~8 MB/s file transfer/network/disk speed. A Linux distro, on the same computer (dual boot), providing 89 MB/s speed.
> (Longest) sad story of the year: When it comes to OpenBSD; security - great! Performance - horrible!
> I truly wish it was much better..
> No, I'm not a fan of Calomel.
Re: Traffic prioritization inside VPN
I can recommend using queues in pf ... very simple and effective.
https://man.openbsd.org/pf.conf#QUEUEING

On 02.01.20 at 15:12, radek wrote:
> Hello,
>
> I have the following scenario:
>
> [box_rac][fw_rac] <--iked site-to-site--> [fw_krz]--[box_krz]
>
> [box_rac] pulls (rsync) "big data" from [box_krz] through VPN. I need to put this traffic to the total background, making way for any other packets going through VPN, NICs, from/to any other boxes on both sides.
> I tried to do it by "catching" this traffic on [fw_rac]/[fw_krz] by specific rules [1] and setting the lowest priority for it. Unfortunately it doesn't seem to work as expected. Bandwidth seems to be shared roughly equally with other traffic (tested with pushing data (netcat) through VPN at the same time).
> I would appreciate your advice or any clues on what I have done wrong. Thank you.
>
> [fw_rac] and [fw_krz] have analogous rulesets [2].
>
> [1]
> [fw_rac]:
> pass out quick on enc0 from $box_rac to $box_krz set prio (0, 0) keep state
> [fw_krz]:
> pass out quick on enc0 from $box_krz to $box_rac set prio (0, 0) keep state
>
> [2] pf.conf [fw_rac]:
>
> ext_if = "vr0"
> lan_rac_if = "vr2"      # lan_rac_local = $lan_rac_if:network  # 10.0.15.0/24
> backup_if = "vr3"       # backup_local = $backup_if:network    # 10.0.115/24
> box_rac = "10.0.115.151"
> box_krz = "10.0.100.151"
>
> set fingerprints "/dev/null"
> set skip on { lo, enc0 }
> set block-policy drop
> set optimization normal
> set ruleset-optimization basic
>
> antispoof quick for { lo0, $lan_rac_if, $backup_if }
>
> match out log on $ext_if inet proto { tcp, udp, icmp } from { $lan_rac_local, $backup_local } nat-to $ext_if set prio (3, 7)
>
> block all
> match out all scrub (no-df random-id)
> pass out on egress keep state
> pass out quick on enc0 from $box_rac to $box_krz set prio (0, 0) keep state
> pass out quick on $ext_if from $box_rac to $box_krz set prio (0, 0) keep state
> pass from { 10.0.201.0/24, $lan_rac_local, $backup_local } to any set prio (3, 7) keep state
>
> ssh_port = "1071"
> table const { $bud, $rdk_wy, $rdk_mon, $krz_wan, 10.0.2.0/24, 10.0.15.0/24, 10.0.100.0/24 }
> table persist counters
> block from
> pass in log quick inet proto tcp from to $ext_if port $ssh_port flags S/SA \
>     set prio (7, 7) keep state \
>     (max-src-conn 15, max-src-conn-rate 2/10, overload flush global)
>
> icmp_types = "{ echoreq, unreach }"
> pass inet proto icmp all icmp-type $icmp_types \
>     set prio (7, 7) keep state
>
> table const { $krz_wan }
> pass out quick on egress proto esp from (egress:0) to set prio (6, 7) keep state
> pass out quick on egress proto udp from (egress:0) to port {500, 4500} set prio (6, 7) keep state
> pass in quick on egress proto esp from to (egress:0) set prio (6, 7) keep state
> pass in quick on egress proto udp from to (egress:0) port {500, 4500} set prio (6, 7) keep state
> pass in on egress proto udp from any to (egress:0) port {isakmp,ipsec-nat-t} set prio (6,7) keep state
> pass in on egress proto {ah,esp} set prio (6,7) keep state
>
> block return in on ! lo0 proto tcp to port 6000:6010
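As an added example that is not part of the thread, here is the queue-based approach the reply points to, written for [fw_krz] (the side that sends the rsync data); vr0, the 19M uplink figure, the queue names and peer_wan are assumptions. Two things to check against the posted ruleset first: "set skip on { lo, enc0 }" turns filtering on enc0 off entirely, so the "pass out ... on enc0 ... set prio" rule is never evaluated, and "set prio" only reorders packets that are actually waiting in the local interface's transmit queue, which a fast NIC feeding a slower uplink rarely has; a bandwidth-capped queue tree on $ext_if moves the bottleneck onto the firewall, where pf can act on it.

```pf
# Added example for [fw_krz]; interface, addresses, bandwidths and queue
# names are assumed, not taken from the thread.
ext_if   = "vr0"
box_rac  = "10.0.115.151"
box_krz  = "10.0.100.151"
peer_wan = "<fw_rac-public-ip>"   # placeholder: the other VPN gateway

# enc0 must be filtered, otherwise no rule on enc0 is ever evaluated.
set skip on { lo }

# Shape on the physical uplink, slightly below the real line rate, so the
# queue tree (and not the provider) is the bottleneck. Child "bandwidth" is
# the share under contention, "min" a guarantee, "max" a ceiling.
queue rootq on $ext_if bandwidth 19M max 19M
queue std  parent rootq bandwidth 9M default
queue vpn  parent rootq bandwidth 8M min 4M
queue bulk parent rootq bandwidth 2M min 256K max 18M   # takes idle bandwidth only

# Classify the inner (cleartext) packets on enc0, before encapsulation.
# The queue id is carried in the packet's pf tag, so the ESP packet built
# from it on $ext_if lands in that queue (assumed; verify, see below).
pass out quick on enc0 from $box_krz to $box_rac set queue bulk keep state
pass out quick on enc0 set queue vpn keep state

# Outer IPsec traffic: no "set queue" here, so the choice made on enc0 stands.
pass out quick on egress proto esp from (egress:0) to $peer_wan keep state
pass out quick on egress proto udp from (egress:0) to $peer_wan port { 500, 4500 } keep state
pass in  quick on egress proto esp from $peer_wan to (egress:0) keep state
pass in  quick on egress proto udp from $peer_wan to (egress:0) port { 500, 4500 } keep state

# Everything else leaving the uplink goes to the default queue "std".
pass out on egress keep state
```

Watch the counters with "systat queues" or "pfctl -vvsq" while an rsync runs: if "bulk" stays at zero, the queue assignment is not surviving the path from enc0 to $ext_if and must instead be set on the outer ESP rule, which then covers all tunnel traffic. The same tree with source and destination swapped belongs on [fw_rac] for the return direction.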
Re: off-topic
Here is another version: https://github.com/notqmail/notqmail
I switched to postfix a long time ago, never looked back.

On 30.12.19 at 14:09, Gustavo Rios wrote:
> Is qmail dead? Does anyone here use openbsd with qmail+ldap?
Re: crash of OpenBSD 6.3 -stable (amd64 MP kernel) - unswapping kills connections
That's good news, thanks Philip for the info!
In the meantime I disabled swap (as well as ntopng) on my firewalls - this is of course not needed on a firewall and was just a left-over from the initial default install.

regards,
infoomatic

> Sent: Friday, 27 April 2018 at 13:50
> From: "Philip Guenther"
> To: Infoomatic
> Cc: "OpenBSD Misc"
> Subject: Re: crash of OpenBSD 6.3 -stable (amd64 MP kernel) - unswapping kills connections
>
> On Thu, Apr 26, 2018 at 11:21 PM, Infoomatic wrote:
> > thanks for your input! Actually, I was never really satisfied with the stability of ntopng, so this problem of the memory leak does not really surprise me. However, when killing the process, which also means freeing swap space, I think it is not an expected behaviour that the system does not handle any tcp/ip or icmp connections any more until the swap space is fully freed (which, in my case when ntopng used 3 out of 4GB swap, lasted for nearly 20 minutes). IMHO, unswapping a process should not influence network connectivity that much.
>
> You're correct that we don't want the clean up of an exiting process to affect network processing. The issue is that our UVM is still under the kernel lock; work into using more fine-grained locking there has begun but nothing has really hit the tree yet.
>
> Philip Guenther
Re: crash of OpenBSD 6.3 -stable (amd64 MP kernel) - unswapping kills connections
Hi Stuart,

thanks for your input! Actually, I was never really satisfied with the stability of ntopng, so this problem of the memory leak does not really surprise me. However, when killing the process, which also means freeing swap space, I think it is not an expected behaviour that the system does not handle any tcp/ip or icmp connections any more until the swap space is fully freed (which, in my case when ntopng used 3 out of 4GB swap, lasted for nearly 20 minutes). IMHO, unswapping a process should not influence network connectivity that much.

Regards,
infoomatic

> Sent: Thursday, 26 April 2018 at 16:10
> From: "Stuart Henderson"
> To: misc@openbsd.org
> Subject: Re: crash of OpenBSD 6.3 -stable (amd64 MP kernel) - unswapping kills connections
>
> On 2018-04-26, Infoomatic wrote:
> > Hi,
> >
> > Today I discovered some interesting details: I guess ntopng has a memory leak, thus eating all my 4GB RAM and some 3GB swap - this appeared in the morning, so after all the backups and heavy traffic occurred.
> > When I fired up a rcctl stop ntopng the ssh connection stalled. The firewall could not handle further connections, and established connections dropped. The system could not answer to ping packets etc.
> > This now also happened on a 2nd machine. After 20 minutes (when I was in a taxi to the datacenter) I could login again and realized that ntopng was stopped and swap was freed.
> >
> > I have now disabled ntopng. I kindly ask the devs to take a look at this! If you need a testsetup for this or if I can do anything, just contact me.
>
> First off, it's not a big surprise to have a hanging machine if you run it out of memory.
>
> ntopng is not really stable. There is a newer version upstream but it crashes very often with certain packet types suggesting bugs in the packet parsers.
>
> If you run ntopng at all, I would recommend you only run it while you need to investigate traffic, not leave it running unattended permanently.
>
> It might also be a good idea to set login.conf limits for it, if you start it via the rc.d script you can add an "ntopng" class with say datasize=2500M.
Re: crash of OpenBSD 6.3 -stable (amd64 MP kernel) - unswapping kills connections
Hi,

Today I discovered some interesting details: I guess ntopng has a memory leak, thus eating all my 4GB RAM and some 3GB swap - this appeared in the morning, so after all the backups and heavy traffic occurred.
When I fired up a rcctl stop ntopng the ssh connection stalled. The firewall could not handle further connections, and established connections dropped. The system could not answer to ping packets etc.
This now also happened on a 2nd machine. After 20 minutes (when I was in a taxi to the datacenter) I could login again and realized that ntopng was stopped and swap was freed.

I have now disabled ntopng. I kindly ask the devs to take a look at this! If you need a testsetup for this or if I can do anything, just contact me.

Regards,
infoomatic

> Sent: Wednesday, 25 April 2018 at 15:25
> From: Infoomatic
> To: misc@openbsd.org, b...@openbsd.org
> Subject: crash of OpenBSD 6.3 -stable (amd64 MP kernel)
>
> Hi folks,
>
> Unfortunately this is not a complete bugreport since I could not retrieve relevant information, however [1] is the dmesg.
> I upgraded to the new OpenBSD 6.3 version on monday, however, today it crashed - better: it hung completely. I could not reach it any more via ssh, a ping needed 15 seconds instead of 19ms, and only some packets arrived at the host - but the network was normal.
> The machine runs the standard services from the default install plus httpd and relayd, and also third party software: OpenVPN, scanlogd and ntopng.
>
> In the sysctl.conf I have set ddb.panic=0.
>
> When I was physically standing in front of the machine I was expecting to see some messages on the screen, or even ddb, so to get some info for the devs, but this was not the case.
> I plugged in a PS/2 keyboard with an USB-adapter and promptly got on my screen (without the "date hostname" - took this from the log):
> Apr 25 13:28:21 dorie /bsd: uhub0: device problem, disabling port 1
>
> I tried another USB port and got:
> Apr 25 13:29:34 dorie /bsd: uhub0: device problem, disabling port 10
>
> The keyboard was not working on the machine, so I grabbed another one. I plugged it in and suddenly the monitor was filled up with messages which kept flooding and did not stop:
> scsi_xfer pool exhausted!
>
> I then had to reset the machine.
>
> I also found suspicious messages in the log at about the time when the machine got irresponsive:
> Apr 25 11:23:00 dorie relayd[31883]: rsae_send_imsg: poll timeout
> Apr 25 11:23:00 dorie relayd[96425]: rsae_send_imsg: poll timeout
> Apr 25 11:23:11 dorie relayd[39081]: rsae_send_imsg: poll timeout
> Apr 25 11:23:16 dorie relayd[96425]: rsae_send_imsg: poll timeout
> Apr 25 11:23:28 dorie relayd[96425]: relay: proc_dispatch: relay 1 got invalid imsg 59 peerid -1 from ca 1
> Apr 25 11:23:34 dorie relayd[31883]: rsae_send_imsg: poll timeout
> Apr 25 11:23:42 dorie relayd[31883]: relay: pipe closed
> Apr 25 11:23:43 dorie relayd[39081]: rsae_send_imsg: imsg_flush: Broken pipe
> Apr 25 11:23:44 dorie relayd[39081]: relay: pipe closed
>
> Maybe some devs have an idea where to look for a bug. Any tips how to deal with this matter in the future?
>
> TIA and regards,
> infoomatic
>
> [1]
> OpenBSD 6.3 (GENERIC.MP) #107: Sat Mar 24 14:21:59 MDT 2018
crash of OpenBSD 6.3 -stable (amd64 MP kernel)
Hi folks,

Unfortunately this is not a complete bugreport since I could not retrieve relevant information, however [1] is the dmesg.
I upgraded to the new OpenBSD 6.3 version on monday, however, today it crashed - better: it hung completely. I could not reach it any more via ssh, a ping needed 15 seconds instead of 19ms, and only some packets arrived at the host - but the network was normal.
The machine runs the standard services from the default install plus httpd and relayd, and also third party software: OpenVPN, scanlogd and ntopng.

In the sysctl.conf I have set ddb.panic=0.

When I was physically standing in front of the machine I was expecting to see some messages on the screen, or even ddb, so to get some info for the devs, but this was not the case.
I plugged in a PS/2 keyboard with an USB-adapter and promptly got on my screen (without the "date hostname" - took this from the log):
Apr 25 13:28:21 dorie /bsd: uhub0: device problem, disabling port 1

I tried another USB port and got:
Apr 25 13:29:34 dorie /bsd: uhub0: device problem, disabling port 10

The keyboard was not working on the machine, so I grabbed another one. I plugged it in and suddenly the monitor was filled up with messages which kept flooding and did not stop:
scsi_xfer pool exhausted!

I then had to reset the machine.
I also found suspicious messages in the log at about the time when the machine got irresponsive:
Apr 25 11:23:00 dorie relayd[31883]: rsae_send_imsg: poll timeout
Apr 25 11:23:00 dorie relayd[96425]: rsae_send_imsg: poll timeout
Apr 25 11:23:11 dorie relayd[39081]: rsae_send_imsg: poll timeout
Apr 25 11:23:16 dorie relayd[96425]: rsae_send_imsg: poll timeout
Apr 25 11:23:28 dorie relayd[96425]: relay: proc_dispatch: relay 1 got invalid imsg 59 peerid -1 from ca 1
Apr 25 11:23:34 dorie relayd[31883]: rsae_send_imsg: poll timeout
Apr 25 11:23:42 dorie relayd[31883]: relay: pipe closed
Apr 25 11:23:43 dorie relayd[39081]: rsae_send_imsg: imsg_flush: Broken pipe
Apr 25 11:23:44 dorie relayd[39081]: relay: pipe closed

Maybe some devs have an idea where to look for a bug. Any tips how to deal with this matter in the future?

TIA and regards,
infoomatic

[1]
OpenBSD 6.3 (GENERIC.MP) #107: Sat Mar 24 14:21:59 MDT 2018
Re: Performance issues as KVM guest?
Hi Stefan,

Thanks a lot, that solved the problem!
However, I still wonder why the difference in cputime consumption between a FreeBSD KVM and a OpenBSD KVM (both just a basic install) is so huge ... now I see 643min on OpenBSD vs 46min on FreeBSD.

Regards,
Robert

> Sent: Friday, 12 January 2018 at 12:48
> From: "Stefan Fritsch"
> To: Infoomatic
> Cc: misc@openbsd.org
> Subject: Re: Performance issues as KVM guest?
>
> Hi,
>
> I don't see this issue on my Debian system, but please try two things:
>
> * disable kvm_intel.preemption_timer on the host (see /sys/module/kvm_intel/parameters/preemption_timer ) This seems to be buggy in linux 4.10 and newer
>
> * enable hpet in the vm config: Make sure there is no in your libvirt xml (or don't pass -no-hpet to qemu). Unfortunately, newer libvirt versions seem to disable hpet by default.
>
> Different issue: If you remove the USB controllers, the CPU load on the host will reduce by a few percent (~ 3%). Add and remove all other usb controller sections. Just removing the usb controller sections without adding the 'none' makes libvirt add them back (this is stupid).
>
> Cheers,
> Stefan
>
> On Fri, 12 Jan 2018, Infoomatic wrote:
> > Same problem here. While we did have significant differences in cpu usage between FreeBSD and OpenBSD (basic OS without configuration: FreeBSD ~ 33min CPU time, OpenBSD ~ 474min CPU time - both started at the same time), with the latest kernel patches for Ubuntu 17.04 (our test environments all run Ubuntu 17.04 for KVM VMs), OpenBSD now becomes practically unusable: as soon as I su or login on the console with su, cpu usage is at 100% - the system freezes. :-/ guess we need some dedicated BSD machines to host some test-VMs ;-)
> >
> > Regards,
> > Robert
> >
> > > Sent: Thursday, 11 January 2018 at 20:32
> > > From: "Kirill Miazine"
> > > To: misc@openbsd.org
> > > Subject: Re: Performance issues as KVM guest?
> > >
> > > * Kent Watsen [2018-01-11 17:38]:
> > > [...]
> > > > > > Since my hosting provider https://www.bytemark.co.uk/cloud-hosting/ patched for Meltdown last weekend I'm seeing significant performance issues with an OpenBSD virtual instance there. It seems okay after a fresh reboot but then progressively returns to being very slow: for example "sleep 1" may take four seconds, then five, six, seven, then rather more. Curiously it does tend to be an integral multiplier.
> > > > > >
> > > > > > I wondered, is anybody else seeing significant performance problems with OpenBSD (or other BSDs) virtual instances since Meltdown patching? Is there anything to tweak at my end or am I reliant on the provider?
> > > > > >
> > > > > > -- Mark
> > > > >
> > > > > There are a ton of threads talking about this issue, and it's not meltdown specific. Please search the archives.
> > > > >
> > > > > -ml
> > > >
> > > > [...]
> > > > Also, Mark, could you say some more about the issue. For instance, how long after a reboot does it take until you start to notice the issue, and how quickly does it get worse?
> > >
> > > I'm another customer of Bytemark experiencing the same issue. I'm taking care of one VM there and I'm primarily noticing it in two situations: sleep() takes a long time (e.g. sleep(1) might take up to 40 seconds) and the clock slows down.
> > >
> > > Right now, 9 hours after reboot, the clock on VM is 3 hours behind real clock. And sleep(1) takes 13 secs:
> > >
> > > km@buildfarm ~ $ time sleep 1
> > >     0m13.85s real     0m00.00s user     0m00.01s system
> > >
> > > This all started after the host was patched and VM rebooted.
> > >
> > > Bytemark guys are looking at the issue and doing their own debugging. Here're findings so far:
> > >
> > > I spun a few OpenBSD VMs up and left them overnight - looks like the clock isn't drifting but there's still the 'time sleep 1' issue.
> > > My testing results seemed to concur with User_4574's, virtio was slowing down only a few minutes after a fresh install whereas compatibility would stick at 1s, jump to 2s, etc.
> > >
> > > > Thanks,
> > > > Kent
> > >
> > > --
> > > -- Kirill Miazine
Re: Performance issues as KVM guest?
Same problem here. While we did have significant differences in cpu usage between FreeBSD and OpenBSD (basic OS without configuration: FreeBSD ~ 33min CPU time, OpenBSD ~ 474min CPU time - both started at the same time), with the latest kernel patches for Ubuntu 17.04 (our test environments all run Ubuntu 17.04 for KVM VMs), OpenBSD now becomes practically unusable: as soon as I su or login on the console with su, cpu usage is at 100% - the system freezes. :-/ guess we need some dedicated BSD machines to host some test-VMs ;-)

Regards,
Robert

> Sent: Thursday, 11 January 2018 at 20:32
> From: "Kirill Miazine"
> To: misc@openbsd.org
> Subject: Re: Performance issues as KVM guest?
>
> * Kent Watsen [2018-01-11 17:38]:
> [...]
> > > > Since my hosting provider https://www.bytemark.co.uk/cloud-hosting/ patched for Meltdown last weekend I'm seeing significant performance issues with an OpenBSD virtual instance there. It seems okay after a fresh reboot but then progressively returns to being very slow: for example "sleep 1" may take four seconds, then five, six, seven, then rather more. Curiously it does tend to be an integral multiplier.
> > > >
> > > > I wondered, is anybody else seeing significant performance problems with OpenBSD (or other BSDs) virtual instances since Meltdown patching? Is there anything to tweak at my end or am I reliant on the provider?
> > > >
> > > > -- Mark
> > >
> > > There are a ton of threads talking about this issue, and it's not meltdown specific. Please search the archives.
> > >
> > > -ml
> >
> > [...]
> > Also, Mark, could you say some more about the issue. For instance, how long after a reboot does it take until you start to notice the issue, and how quickly does it get worse?
>
> I'm another customer of Bytemark experiencing the same issue. I'm taking care of one VM there and I'm primarily noticing it in two situations: sleep() takes a long time (e.g. sleep(1) might take up to 40 seconds) and the clock slows down.
>
> Right now, 9 hours after reboot, the clock on VM is 3 hours behind real clock. And sleep(1) takes 13 secs:
>
> km@buildfarm ~ $ time sleep 1
>     0m13.85s real     0m00.00s user     0m00.01s system
>
> This all started after the host was patched and VM rebooted.
>
> Bytemark guys are looking at the issue and doing their own debugging. Here're findings so far:
>
> I spun a few OpenBSD VMs up and left them overnight - looks like the clock isn't drifting but there's still the 'time sleep 1' issue.
> My testing results seemed to concur with User_4574's, virtio was slowing down only a few minutes after a fresh install whereas compatibility would stick at 1s, jump to 2s, etc.
>
> > Thanks,
> > Kent
>
> --
> -- Kirill Miazine
Microsoft VPN - multiple users behind OpenBSD Firewall
Hello,

First: thanks for OpenBSD 6.2, another great release ... and oooh, boy, upgrading is such a joy! It's awesome because it's painless and is done faster than even booting most full blown operating systems.

Second, my problem:
We have 2 roadwarriors doing projects for another company, and they should connect to their Microsoft based VPN Service. However, we are experiencing a weird problem that only one of them can connect at the same time. It's no problem with their service, using mobile phone tethering both can connect simultaneously.
I have tried both with net.inet.gre.allow and net.inet.gre.wccp enabled and disabled, but it does not work. The rule is basically:

pass out quick on $if_int proto {tcp udp gre} from any to $customer_ip nat-to $ext_ip

which of course also allows port 1723.
I have no idea about the configuration on their server, and found various discussions e.g. "multiple pptp pass-through on pf" from 2007 and others about 10 years back. What's the current state of this? Do I really need a proxy like poptop?

thanks in advance,
infoomatic
Re: OpenBSD 6.1/i386 hangs on reboot
I have tried the latest snapshot and ... thanks for fixing this! reboot and shutdown are now working again on my 16 year old notebook!

> Sent: Friday, 12 May 2017 at 22:06
> From: Infoomatic
> To: "OpenBSD Misc"
> Subject: OpenBSD 6.1/i386 hangs on reboot
>
> I wanted to try to resolve the issue I just posted and tried to reboot, however the machine hangs and shows:
>
> syncing disks... done
> ehci0: reset timeout
> rebooting...
>
> even pushing the power button long does not switch off the machine, I have to unplug the powersupply and remove the battery. Anyone with the same errors?
OpenBSD fuzzy testing
Hi, As nowadays I read quite a lot of projects being fuzzy tested or vulnerabilities detected by fuzzy testing, I am quite curious: what is the status of OpenBSD kernel/base system concerning fuzzy testing? Is there a plan on using the Google fuzzer? thanks regards, infoomatic
Re: bridge/vether0 not working - BUG?
Hello,

Last week I did an update of this 6.1 machine. Somehow, the machine ignores /etc/mygate (one line with ipv4 gateway, one line with ipv6 gateway). After the reboot I could not connect to the box. Luckily I could ssh into one of the bridged hosts "behind" the OpenBSD 6.1 machine, and from there I could log into the OpenBSD 6.1 machine via its external IP-Address.
So, in addition to the machine ignoring IP aliases in /etc/hostname.vether0 (well, it shows the IP aliases via ifconfig, but the pf rules are only working after an explicit "ifconfig vether0 inet alias ..."), it now also ignores /etc/mygate.
Adding "ifconfig vether0 inet alias XXX netmask XXX" and "route add default XXX" to /etc/rc.local was the workaround, however, I think this is not expected behaviour.

regards,
infoomatic

> Sent: Tuesday, 9 May 2017 at 18:37
> From: Infoomatic
> To: "OpenBSD Misc"
> Subject: Re: bridge/vether0 not working - BUG?
>
> > > > does it work when you put - inet alias X.X.X.Y 255.255.255.255 ?
> > >
> > > unfortunately not. It's the same effect as with 255.255.255.224: working locally on the subnet, but not when routing is involved.
> > > Thanks anyway for this idea!
> >
> > Guess I was too fast! After a few minutes it was working (did not do anything in the meantime!).
> > The fun fact: I did a reboot with the .224 netmask in the file enabled again and it also worked. This is weird, maybe someone could explain this (why the .255 netmask?) to me, I have no clue why this now works and what causes this behaviour.
>
> This is weird. I was too fast again. Something is really strange here. It is working on incoming stuff, e.g. also in pf on rules like
> "pass in quick inet proto tcp from any to X.X.X.Y port 4422 rdr-to 192.168.1.3 port 22"
>
> However, outgoing is not working.
> "pass out quick from 192.168.1.3 to any nat-to X.X.X.Y" is NOT WORKING, but when I use the main ip-address X.X.X.X it is working.
>
> Now the weird part:
> As soon as I remove any alias in the /etc/hostname.vether0 and fire up "ifconfig vether0 inet alias X.X.X.Y netmask 255.255.255.224", the pf-rules work as expected supporting nat-to with any of the firewalls external ip-addresses. Could this be a bug?
>
> Any further enlightenment would be highly appreciated, thanks!
Re: OpenBSD 6.1/i386 iwi0 problems
> iwi(4) was entirely broken since the WPA security patch for 6.0.
> I made it work again for 6.1 but also saw these firmware errors occasionally.
> But I thought these errors were already present in 6.0 and before. It looks like that's not the case, and there is even more left to fix...

OK, thanks for the info. Now I am not sure it did work in 6.0, maybe I haven't used wifi in 6.0, but it worked in 5.9.

@G: "media autoselect mode 11g" did not resolve the problems but thanks for the suggestion
OpenBSD 6.1/i386 hangs on reboot
I wanted to try to resolve the issue I just posted and tried to reboot, however the machine hangs and shows:

syncing disks... done
ehci0: reset timeout
rebooting...

even pushing the power button long does not switch off the machine, I have to unplug the powersupply and remove the battery. Anyone with the same errors?
OpenBSD 6.1/i386 iwi0 problems
hi,

I upgraded my old notebook to 6.1. However, I am experiencing hiccups with wifi (no problems with 6.0)

some lines in dmesg:
iwi0 at pci1 dev 13 function 0 "Intel PRO/Wireless 2200BG" rev 0x05: irq 11, address 00: .
iwi0: fatal firmware error
iwi0: timeout waiting for master
iwi0: fatal firmware error
iwi0: timeout waiting for master
iwi0: fatal firmware error
iwi0: fatal firmware error
iwi0: fatal firmware error
iwi0: timeout waiting for master
iwi0: unknown authentication state 1

Any advice?
Re: bridge/vether0 not working - BUG?
> > > does it work when you put - inet alias X.X.X.Y 255.255.255.255 ?
> >
> > unfortunately not. It's the same effect as with 255.255.255.224: working locally on the subnet, but not when routing is involved.
> > Thanks anyway for this idea!
>
> Guess I was too fast! After a few minutes it was working (did not do anything in the meantime!).
> The fun fact: I did a reboot with the .224 netmask in the file enabled again and it also worked. This is weird, maybe someone could explain this (why the .255 netmask?) to me, I have no clue why this now works and what causes this behaviour.

This is weird. I was too fast again. Something is really strange here. It is working on incoming stuff, e.g. also in pf on rules like
"pass in quick inet proto tcp from any to X.X.X.Y port 4422 rdr-to 192.168.1.3 port 22"

However, outgoing is not working.
"pass out quick from 192.168.1.3 to any nat-to X.X.X.Y" is NOT WORKING, but when I use the main ip-address X.X.X.X it is working.

Now the weird part:
As soon as I remove any alias in the /etc/hostname.vether0 and fire up "ifconfig vether0 inet alias X.X.X.Y netmask 255.255.255.224", the pf-rules work as expected supporting nat-to with any of the firewalls external ip-addresses. Could this be a bug?

Any further enlightenment would be highly appreciated, thanks!
Re: bridge/vether0 not working
> > does it work when you put - inet alias X.X.X.Y 255.255.255.255 ?
>
> unfortunately not. It's the same effect as with 255.255.255.224: working locally on the subnet, but not when routing is involved.
> Thanks anyway for this idea!

Guess I was too fast! After a few minutes it was working (did not do anything in the meantime!).
The fun fact: I did a reboot with the .224 netmask in the file enabled again and it also worked. This is weird, maybe someone could explain this (why the .255 netmask?) to me, I have no clue why this now works and what causes this behaviour.
Re: bridge/vether0 not working
> From: "Hrvoje Popovski"
> > /etc/hostname.vether0:
> > up media autoselect
> > inet X.X.X.X 255.255.255.224 NONE
> > inet alias X.X.X.Y 255.255.255.224
>
> does it work when you put - inet alias X.X.X.Y 255.255.255.255 ?

unfortunately not. It's the same effect as with 255.255.255.224: working locally on the subnet, but not when routing is involved.
Thanks anyway for this idea!
bridge/vether0 not working
Hi,

In my setup I use 4 ethernet ports for my firewall: 1 for the external, 1 bridged for bridged hosts in the same external subnet, 2 as trunk to the internal network. I want to slowly migrate some (it's not possible for all) of the hosts with external ip-addresses to the internal net. Thus, the firewall gets the external ip-address and uses pf (rdr-to, nat-to) to map this to the internal host.
I have a similar setup working like this (other ip-addresses, and no trunk for internal hosts, the rest is the same), but this beast is just not working. The primary external interface of the firewall works, but all other ip-addresses on vether0 are just working locally on the subnet, they seem to ignore the route.

I am using OpenBSD 6.1 on amd64 with the latest patches applied via syspatch (thanks for that tool ;-)

netstat -nr shows:
X.X.X.0/27         X.X.X.X            UCPn     221427        -     4 vether0
X.X.X.0/27         X.X.X.Y            UCPn         00        -     4 vether0

/etc/hostname.bridge0:
add em0
add em1
add vether0
blocknonip em0
blocknonip em1
blocknonip vether0
up

/etc/hostname.vether0:
up media autoselect
inet X.X.X.X 255.255.255.224 NONE
inet alias X.X.X.Y 255.255.255.224

If I fire up a "ifconfig vether0 inet alias X.X.X.Y netmask 255.255.255.224" I get a dmesg of "arpresolve: X.X.X.1: route contains no arp information". (what exactly does this message mean?)
However, if I delete the last line in /etc/hostname.vether0 (containing the alias statement), and then manually do a "ifconfig vether0 inet alias X.X.X.Y netmask 255.255.255.224" everything is fine and works as expected.

I am curious in this matter, and would really appreciate someone sharing his/her knowledge to enlighten a newcomer, thanks!

Kind regards,
infoomatic
Re: I can't connect to openbsd.org in most cases.
I can confirm this for the https site

> Sent: Tuesday, 4 April 2017 at 11:04
> From: "Luke Small"
> To: openbsd-misc
> Subject: I can't connect to openbsd.org in most cases.
>
> I have an openbsd vm on a windows 7 host, windows 7 asus, iPhone, and Android phone. Only the iPhone 7+ seems to be able to connect to openbsd.org correctly without getting a https validation error. they are all going through the same wifi router.
>
> I am running firefox on everything. Safari also worked on iPhone.
Re: Running OpenBSD on Hypervisor
Hi,

I have not experienced any problems virtualizing OpenBSD with KVM, Xen, Hyper-V, VMware. I have done various performance tests over the years and found KVM to be the best performing, most stable platform for our environment. Those non-scientific tests simulated some of our typical workloads - web platforms (php, js, python), databases, filesystem, running various stuff in a single VM up to 8 different VMs... they were performed on entry level server hardware though: maximum 2 CPU sockets, max 128GB RAM with max 8 SSD/SAS disks. Haven't tested bhyve yet, but I don't expect it to be faster or more stable than KVM (if you ignore frequent kernel updates ;-)

regards

> Sent: Wednesday, 08 March 2017 at 16:07
> From: "Markus Rosjat"
> To: "misc@openbsd.org"
> Subject: Running OpenBSD on Hypervisor
>
> Hi there,
>
> just like to get opinions or examples of OpenBSD as guest on a hypervisor. I had it running on a VMware host but since the free version is missing quite a lot of features I was wondering where to look at. I also tried Hyper-V from MS and this looks quite ok. So if the "virtual" guys like to share their experience it would be nice. I'm open for everything, so KVM or bhyve are points I've looked at but haven't tried for now.
>
> thanks for the input
>
> regards
> --
Re: increased load average
> Sent: Friday, 03 March 2017 at 15:53
> This is known behaviour from current.

OK, thanks for the info. I have no problem with the load so far, just did not have an idea where it came from since vmstat did not show anything unusual compared to running -stable.
increased load average
Hi,

I have got a "QOTOM Mini PC" with a 4-core "Intel(R) Celeron(R) CPU J1900 @ 1.99GHz, 2000.45 MHz" CPU and 8GB RAM acting as firewall for a 12MBit synchronous connection and routing all traffic to our datacenter via OpenVPN. Since the upgrade yesterday from -stable to -current, the load average jumped from about 0.2 to 1.7. There haven't been any changes in our userbase (<10 users) or anything else, is this a known problem? I use the MP kernel.

regards,
infoomatic
Re: kernel panic in OpenBSD 6.0-stable
> At least two bugs leading to this panic have been fixed post 6.0. I'd suggest you upgrade to -current where it should work as expected. If not, please send a new bug report to bugs@.

Thanks a lot! This is awesome, you manage to fix bugs faster than I can report them ;-) I guess I won't have problems with -current, otherwise I will report!
kernel panic in OpenBSD 6.0-stable
Hi,

I have "managed" to get a kernel panic in OpenBSD 6.0 -stable (from GENERIC.MP). Unfortunately I cannot provide you with lots of information, but here is what I have:

The panic occurred twice on an IBM X3550 server (CPU: Intel(R) Xeon(R) CPU E5-2603 0 @ 1.80GHz, with 4GB RAM and Intel I350 Gigabit Network chips onboard) and once in a VM which was hosted inside Linux KVM with the e1000 as network interface. The IBM server was configured to act as bridged and routed firewall, so we had a hostname.bridge0 (with blocknonip) with em0 and em1 interfaces and vether0 (having the main external ip-address of the firewall and some alias addresses that are routed through into the internal network) and vether1 (having the primary internal ip-address) - some hosts on the network are not of my responsibility so they stayed with an external ip address (and thus we need bridging).

We carefully planned the migration from Linux/iptables to OpenBSD/PF (which is really a joy to use, kudos to you devs for making me happy and enjoying the time spent with PF and the rest of the system), but after we switched, the hardware got a panic at night (and so did I). I could not even type via USB keyboard in ddb. And since it was already in production I did not have time to fiddle around and get it working, a restart was needed. See picture [1]

The second crash occurred when I did a "ifconfig vether0 alias EX.TE.RN.IP netmask 255.255.255.240", this time I had switched on ddb.panic=0, but the server did not restart and was hung - no USB keyboard again. See pic [2]

The third crash was in a VM, where I was playing around. Here, I did not have a bridge configuration, but a "ifconfig em1 alias XX.XX.XX.XX netmask 255.255.255.0" resulted in picture [3], this time again without being able to type in the VM.

We had to switch back to the old Linux based firewall, but in the VM I have not managed to reproduce this.

I would appreciate any tips, comments or info in this matter, I am willing to help if more information is needed or if I can do anything to support a dev to fix this problem.

regards,
infoomatic

[1] https://postimg.org/image/5ogvhmc45/
[2] https://postimg.org/image/mmx6f1nxv/
[3] https://postimg.org/image/687wqsh8j/
openiked troubles during conn
Hello,

I hope someone could point me in the right direction with my problem I am facing with openiked on a 64bit OpenBSD 6.0-stable. I want to connect two bridged firewalls, however, it seems the connection cannot be fully established. I tried with pf disabled but that did not change anything. 2 physical interfaces are configured in the bridge with 2 vether interfaces (one being the external IP and one being the internal IP, e.g. 192.168.201.1).

In the logs I only get:

Feb 15 23:34:02 stage03 iked[3379]: ikev2_recv: IKE_SA_INIT request from initiator 11.11.11.11:500 to 33.33.33.33:500 policy 'testing' id 0, 518 bytes
Feb 15 23:34:02 stage03 iked[3379]: ikev2_msg_send: IKE_SA_INIT response from 33.33.33.33:500 to 11.11.11.11:500 msgid 0, 446 bytes

UDP ports 500 and 4500 can be reached on both ends, but the connection does not get across this point. The configuration /etc/iked.conf is very simple:

ikev2 "testing" active esp \
    from 192.168.101.0/24 to 192.168.201.0/24 \
    local 11.11.11.11 peer 33.33.33.33 \
    psk thisisjustatestpassword

with "passive" and the IP-addresses switched on the other end, 11.11.11.11 and 33.33.33.33 obviously changed for posting here.

On the passive host, with "iked -d -vv -f /etc/iked.conf" I do get the output in [1], on the active host, I get [2]. Maybe I just cannot see the obvious problem, however, any advice is highly appreciated.
Thanks,
robert

[1]
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
ikev2 "testing" passive esp inet from 192.168.201.0/24 to 192.168.101.0/24 local 33.33.33.33 peer 11.11.11.11 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048-256,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 psk 0x7468697369736a757374617465737470617373776f7264
/etc/iked.conf: loaded 1 configuration rules
ca_reload: local cert type RSA_KEY
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type RSA_KEY length 0
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
ikev2_recv: IKE_SA_INIT request from initiator 11.11.11.11:500 to 33.33.33.33:500 policy 'testing' id 0, 518 bytes
ikev2_recv: ispi 0x175fc9692a413ed6 rspi 0x
ikev2_policy2id: srcid FQDN/stage03.testing length 18
ikev2_pld_parse: header ispi 0x175fc9692a413ed6 rspi 0x nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 518 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 120
ikev2_pld_sa: more 0 reserved 0 length 116 proposal #1 protoid IKE spisize 0 xforms 12 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048_256 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x175fc9692a413ed6 0x 11.11.11.11:500
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x175fc9692a413ed6 0x 33.33.33.33:500
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_pld_notify: signature hash SHA2_256 (2)
ikev2_pld_notify: signature hash SHA2_384 (3)
ikev2_pld_notify: signature hash SHA2_512 (4)
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x, require 0x
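The IKE_SA_INIT request that the ikev2_pld_* lines above decode, rebuilt and parsed as an added example that is not code from this thread or from OpenIKED. It constructs a request of the same shape (the logged ispi, the same twelve transforms, the same payload chain and lengths, 518 bytes in total) and walks it the way the log does; the key, nonce and NAT-detection hash bytes are dummies, and the identifiers come from RFC 7296 and RFC 7427.

```python
# Added example, not code from the thread or from OpenIKED.  It rebuilds an
# IKE_SA_INIT request with the shape of the one logged above (ispi
# 0x175fc9692a413ed6, 518 bytes, chain SA -> KE -> NONCE -> 3x NOTIFY) and
# decodes it the way the ikev2_pld_* lines do.  Key, nonce and NAT-detection
# hash bytes are dummies; the identifiers are from RFC 7296 and RFC 7427.
import struct

EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOADS = {0: "NONE", 33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ",
            39: "AUTH", 40: "NONCE", 41: "NOTIFY", 42: "DELETE", 43: "VENDOR", 44: "TSi",
            45: "TSr", 46: "SK", 47: "CP", 48: "EAP"}
NOTIFIES = {16388: "NAT_DETECTION_SOURCE_IP", 16389: "NAT_DETECTION_DESTINATION_IP",
            16431: "SIGNATURE_HASH_ALGORITHMS"}
XFORM_TYPES = {1: "ENCR", 2: "PRF", 3: "INTEGR", 4: "DH"}
XFORM_IDS = {1: {3: "3DES", 12: "AES_CBC"}, 2: {2: "HMAC_SHA1", 5: "HMAC_SHA2_256"},
             3: {2: "HMAC_SHA1_96", 12: "HMAC_SHA2_256_128"},
             4: {2: "MODP_1024", 5: "MODP_1536", 14: "MODP_2048", 24: "MODP_2048_256"}}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
KEY_LENGTH = 0x800E                # TV attribute: AF bit set, attribute type 14
HDR = struct.Struct("!QQBBBBII")   # ispi rspi next version exchange flags msgid length
GEN = struct.Struct("!BBH")        # generic payload header: next, critical bit, length

def parse_header(pkt):
    """Decode the 28-byte IKE header (what the ikev2_pld_parse line prints)."""
    ispi, rspi, nxt, ver, exch, flags, msgid, length = HDR.unpack_from(pkt)
    if ver != 0x20:
        raise ValueError("not IKEv2: version byte 0x%02x" % ver)
    if length != len(pkt):
        raise ValueError("length field %d but %d bytes on the wire" % (length, len(pkt)))
    return {"ispi": ispi, "rspi": rspi, "next": PAYLOADS.get(nxt, nxt),
            "exchange": EXCHANGES.get(exch, exch), "msgid": msgid, "length": length,
            "initiator": bool(flags & FLAG_INITIATOR), "response": bool(flags & FLAG_RESPONSE)}

def parse_sa(body):  # transforms of the first proposal as (type, id, key_length or None)
    _more, _r, _plen, _num, _proto, spisz, nxf = struct.unpack_from("!BBHBBBB", body)
    off, xforms = 8 + spisz, []
    for _ in range(nxf):
        _more, _r, xlen, xtype, _r, xid = struct.unpack_from("!BBHBBH", body, off)
        keylen = None
        if xlen > 8:                                    # one TV attribute follows
            atype, keylen = struct.unpack_from("!HH", body, off + 8)
            if atype != KEY_LENGTH:
                raise ValueError("unexpected attribute 0x%04x" % atype)
        xforms.append((XFORM_TYPES[xtype], XFORM_IDS[xtype].get(xid, xid), keylen))
        off += xlen
    return xforms

def parse_payloads(pkt):  # walk the chain; returns [(name, length, detail), ...]
    nxt, off, out = HDR.unpack_from(pkt)[2], HDR.size, []
    while nxt != 0:
        if off + GEN.size > len(pkt):
            raise ValueError("payload chain runs past the end of the message")
        following, _crit, plen = GEN.unpack_from(pkt, off)
        if plen < GEN.size or off + plen > len(pkt):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        body, name, detail = pkt[off + GEN.size:off + plen], PAYLOADS.get(nxt, nxt), None
        if name == "SA":
            detail = parse_sa(body)
        elif name == "KE":                               # DH group id, then reserved
            detail = XFORM_IDS[4].get(struct.unpack_from("!H", body)[0])
        elif name == "NOTIFY":
            _proto, spisz, ntype = struct.unpack_from("!BBH", body)
            detail = NOTIFIES.get(ntype, ntype)
            if ntype == 16431:                           # list of 2-byte hash ids
                ids = body[4 + spisz:]
                detail = (detail, list(struct.unpack("!%dH" % (len(ids) // 2), ids)))
        out.append((name, plen, detail))
        nxt, off = following, off + plen
    return out

def _xform(more, xtype, xid, keylen=None):
    attr = struct.pack("!HH", KEY_LENGTH, keylen) if keylen else b""
    return struct.pack("!BBHBBH", more, 0, 8 + len(attr), xtype, 0, xid) + attr

def _payload(next_type, body):
    return GEN.pack(next_type, 0, GEN.size + len(body)) + body

def build_sa_init(ispi=0x175fc9692a413ed6):  # same proposals and lengths as the log
    xf = b"".join([_xform(3, 1, 12, 256), _xform(3, 1, 12, 192), _xform(3, 1, 12, 128),
                   _xform(3, 1, 3), _xform(3, 2, 5), _xform(3, 2, 2), _xform(3, 3, 12),
                   _xform(3, 3, 2), _xform(3, 4, 24), _xform(3, 4, 14), _xform(3, 4, 5),
                   _xform(0, 4, 2)])
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(xf), 1, 1, 0, 12) + xf  # #1, protoid IKE
    nat_hash = b"\x00" * 20                                       # dummy SHA-1 values
    body = (_payload(34, proposal)
            + _payload(40, struct.pack("!HH", 24, 0) + b"\x11" * 256)  # KE: MODP_2048_256
            + _payload(41, b"\x22" * 32)                                # NONCE
            + _payload(41, struct.pack("!BBH", 0, 0, 16388) + nat_hash)
            + _payload(41, struct.pack("!BBH", 0, 0, 16389) + nat_hash)
            + _payload(0, struct.pack("!BBHHHH", 0, 0, 16431, 2, 3, 4)))
    return HDR.pack(ispi, 0, 33, 0x20, 34, FLAG_INITIATOR, 0, HDR.size + len(body)) + body

if __name__ == "__main__":
    pkt = build_sa_init()
    print(parse_header(pkt))
    for name, length, detail in parse_payloads(pkt):
        print("payload %s length %d %s" % (name, length, detail or ""))
```

Fed the UDP payload of a packet captured with `tcpdump -ni em0 -s 0 -w ike.pcap udp port 500` (on port 4500 skip the four-byte non-ESP marker first), `parse_header` on the responder's packet shows whether the Response flag is set and `parse_payloads` what it carries, which is the next thing to check when an exchange stalls right after the IKE_SA_INIT response as in this thread. The NAT_DETECTION notifies in both directions also tell you whether either side will switch to UDP 4500 for the rest of the exchange.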
Re: openiked + rc.conf.local
> Do you get any more output if you do "rcctl -f -d start iked"?

the output is:

doing _rc_parse_conf
doing _rc_quirks
iked_flags empty, using default ><
doing _rc_parse_conf /var/run/rc.d/iked
doing _rc_quirks
doing rc_check iked
doing rc_pre
configuration OK

and then the terminal is blocked again

> What happens if you press ^T to get status (assuming common shell setup)? Or if you don't get anything useful there, what is shown in the WAIT column in top for iked? ("top -g iked" if you have lots running and need to cut it down)

^T does not do anything (standard installation without further config), top lists 4 processes, one running as root (parent) with "wait" and the other three processes (control, ca, ikev2) with "kqread" in the wait column.

> It might be useful to include your config file (obviously masking anything sensitive, but try to avoid hiding anything that might be important..).

the exact configuration (does not matter if active or passive):

ikev2 "test" active esp \
    from 10.85.0.0/24 to 10.86.0.0/24 \
    local 10.85.0.2 peer 10.86.0.2 \
    psk thisisjustatestpassword

sysctl is not touched except:

net.inet.ip.forwarding=1

Thanks in advance!
Re: openiked + rc.conf.local
> On Mon, Sep 26, 2016 at 02:17:35PM +0200, Infoomatic wrote:
> > also, the already running endpoint did not receive any packets.
>
> Nobody on this list can run ifconfig, route, and tcpdump on *your* box to figure out where you're losing packets...

this is not a connectivity issue. To clarify: when I start the daemon manually as mentioned in my first mail, everything is fine. However, when I try to start it automatically via rc.conf.local it just interrupts the boot sequence and further daemons like ssh are not started, I cannot even login on the terminal locally. The same happens when I try to do a "rcctl -f start iked" (I need -f since I cannot use it with rc.conf.local because this leaves me with an unusable system) - it hangs and "ctrl+c"/SIGNAL 15 does not give me my terminal back, I have to kill -9 the iked to use the terminal again where I tried to start iked via rcctl. When using iked_flags="-v" and doing "rcctl start iked" the same happens, but contrary to my expectation I did not get _any_ logs in /var/log/daemon. There really seems to be something wrong here ... this should not happen in any way.
Re: openiked + rc.conf.local
> On Mon, Sep 26, 2016 at 01:56:20PM +0200, Infoomatic wrote:
> > ipsec=YES in rc.conf.local does not change anything, and appending "ikelifetime 60" to iked.conf neither.
>
> ipsec=YES and /etc/ipsec.conf are for use with isakmpd.
>
> iked does not use ipsec.conf.

that's what I thought, but wasn't quite sure so I just tried the ipsec=YES in rc.conf.local

> It seems you came to this list before gathering actual evidence of what's going on. So I'd suggest you run tcpdump on your interfaces to figure out what's going on with the IKE session when it's in that non-working state, based on packets being passed around.
> You could also enable verbose mode at the other end and check the logs there to obtain more information.

I also tried with "-v" flags which did not write anything to /var/log/daemon, also, the already running endpoint did not receive any packets.
openiked + rc.conf.local
Hi,

I am trying to get a site-to-site ipsec tunnel to work with openiked. The configuration seems quite easy, testing also works. The iked.conf is:

ikev2 "test" esp \
    from 192.168.1.1 to 192.168.3.1 \
    from 192.168.1.0/24 to 192.168.3.0/24 \
    local 192.168.1.1 peer 192.168.3.1 \
    psk thisisjustatest

The other endpoint is the passive one. /sbin/iked -f /etc/iked.conf -dvv just works and shows the connection established. However, rc.conf.local containing iked_flags= just keeps the box hanging: "starting early daemons: syslogd pflogd ntpd iked" and there is no timeout, the box cannot be reached via ssh any more. iked_flags="-v" does not give me any information, iked_flags=YES delivers the same behavior. Do I need some additional configuration in ipsec.conf? "rcctl get iked" shows an "iked_timeout=30", I guess that should be the timeout on startup, but I did not find any exact info on that. ipsec=YES in rc.conf.local does not change anything, and appending "ikelifetime 60" to iked.conf neither. PF is configured to pass everything, nothing else is configured.

The network is configured with a bridge0 containing 2 interfaces of which the external one has the (simulated) external ip address and the internal interface has an internal ip address, both only ipv4. The system is OpenBSD 6.0 -stable including the patches until (and including) 006. I am quite sure this is just a minor detail I have overlooked, however, I would really appreciate your help!

Thanks!
infoomatic