Re: watchdog timeout with re0 after MSI change

2011-06-08 Thread Devin Reade
John Danks wrote: Unrelated but this machine pauses for a good 30 seconds on boot and resume after ahci1 is detected. I think it started when I added the Intel SSD. On the SSD topic (and in case it helps trigger a thought), I was running into a problem on a Soekris box

carp and OS upgrades

2010-06-01 Thread Devin Reade
Ignoring aspects common to all OpenBSD upgrades, and the idiosyncrasies that get mentioned in the release notes for specific upgrades, does anyone have general comments, suggestions, warnings, etc regarding upgrading a pair of firewalls that are running in a typical redundant config using carp,

Re: No SSH on External Interfaces After pf.conf Rewrite for Load Balancing Outgoing Traffic

2010-06-04 Thread Devin Reade
dontek wrote: In rewriting the ruleset I've had no problems with connectivity with the exception of getting an SSH connection to the firewall to work on either of the two external interfaces. [...] pass log quick on $EXT_IF_1 inet proto tcp from any to ($EXT_IF_1) port ssh

carp + client avahi-daemon = OpenBSD kernel hang

2010-10-02 Thread Devin Reade
I've got a problem where I have a couple of OpenBSD firewalls running in a redundant configuration using carp, and have found that CentOS 5.5 (Linux) boxes running on a protected network, if they have avahi-daemon running, will cause the OpenBSD kernels to lock up hard. This is very

Re: carp + client avahi-daemon = OpenBSD kernel hang

2010-10-03 Thread Devin Reade
Kenneth R Westerback wrote: You seem to be using a custom compiled kernel. I didn't spot any explanation of that (-stable patches? changes to kernel config?). Non-GENERIC kernels make developers nervous. Nothing custom; it's 4.7 stable with patches 001 through 006

Re: carp + client avahi-daemon = OpenBSD kernel hang

2010-10-04 Thread Devin Reade
--On Monday, October 04, 2010 12:11:01 PM + Stuart Henderson wrote: On 2010-10-03, Devin Reade wrote: snip *excellent* write-up of the problem and network layout; if only all problem reports were this good! Thanks. I'm also a developer, just

Advice on pf no-sync

2010-12-07 Thread Devin Reade
I understand (from pf.conf(5)) what no-sync is supposed to do, however the only example I've seen of it in use is on the pfsync and carp examples in pfsync(4). I was wondering if anyone had some advice on some specific examples of when the use of no-sync is appropriate, specifically in a two-node

Re: Like OpenBSD? Like to see new stuff happening? You really need to order a CD today :)

2011-04-23 Thread Devin Reade
Benny Lofgren wrote: On 2011-04-21 22.27, P. Pruett wrote: how about donate [snip] The reason for my initial suggestion, which was along the lines Rafal whom you commented also thought, was that a donation *ISN'T A FUCKING OPTION* where I and others live. The other

Re: Like OpenBSD? Like to see new stuff happening? You really need to order a CD today :)

2011-04-23 Thread Devin Reade
Kapetanakis Giannis wrote: On 23/04/11 19:19, Scott Stanley wrote: But isn't it an order of magnitude [simpler] to follow the suggestion Marco/Benny put forth and purchase a bunch of CDs and make a note to ship only one (thus eliminating the waste of resources)?

Re: Like OpenBSD? Like to see new stuff happening? You really need to order a CD today :)

2011-04-23 Thread Devin Reade
Theo de Raadt wrote: I think I do more than enough and don't need to make promises to outsiders just to keep this project alive. I bet all the developers feel the same way. Fair enough. Ignoring my particular case for the moment, I was trying to generalize the

Re: remote management

2013-05-14 Thread Devin Reade
--On Monday, May 13, 2013 09:24:13 PM +0200 Tony Berth wrote: I would like to know what kind of environment you use for remote management of one or more openbsd servers. Which KVM over IP solution would you recommend. For OpenBSD I usually try to have hardware with a

watchdog on Atom N270

2013-05-22 Thread Devin Reade
I just picked up a Lanner LEC-2010P, which is a fanless embedded Atom N270 industrial control system. It seems to work just fine so far, overall. Since the N270 isn't all that new, I was a bit surprised though to find that its hardware watchdog wasn't detected (no criticism implied). The user

software stack for portable application

2013-09-25 Thread Devin Reade
I have a software project that is initially targeted at Linux but that I would like to have running on OpenBSD as well. This being new development, I have the flexibility of selecting the software stack and I'd prefer to use one that minimizes the pain of making it work on other platforms.

Re: Are there any default password managers in OpenBSD?

2013-12-06 Thread Devin Reade
--On Thursday, December 05, 2013 08:20:07 AM +0100 obsd, cgi wrote: - Are there any best-practises to generate a password? - that are kept in password manager, so ex.: 128 char long with special/random chars, etc. Diceware:

Re: BackupPC

2013-12-12 Thread Devin Reade
Quoting Martin Schröder: "In 2010, a fork named Bareos was established, the project published first packages in February 2013.[7] Bareos introduces many new features and eases configuration.[8]" [...] I've used

Big endian options

2014-05-02 Thread Devin Reade
The recent news elsewhere about Debian no longer actively testing on sparc platforms got me to thinking. It's been very handy over the years to be able to test programs on both big-endian and little-endian machines (for the same reason that it's good to test across different compilers and

Re: LibreSSL @ BSDCan 2014

2014-05-19 Thread Devin Reade
On May 18, 2014, at 4:18, Marc Espie Actually, if you were awake at the time of the talk, you probably heard something of a distant rumble. Bob is the only OpenBSD developer who's a match to the humpback whale in terms of sound carrying power. That comes from all those

Re: low power device

2014-09-20 Thread Devin Reade
--On Friday, September 12, 2014 03:27:39 PM +0200 Martijn van Duren wrote: Because this PC requires more power than should be necessary for its purpose I would like to acquire something like a pandaboard, which is low power, and has at least 2 sata ports, 1 network port and

5.6 CDs

2014-11-17 Thread Devin Reade
I just got my 5.6 CD set (I ordered late). I love that artwork and the movie misquotes. How apropos. Thanks to all involved (in the entire release). Devin

Re: Crash cart console adapters compatible with OpenBSD?

2015-01-16 Thread Devin Reade
On Jan 15, 2015, at 23:46, Sean Kamath wrote: I've got about 10 of these where I work (Adder iPEPS: I'll second it; I've used them a fair amount and they're quite stable. Yes, they use RealVNC, and encrypted

Re: Crash cart console adapters compatible with OpenBSD?

2015-01-16 Thread Devin Reade
On Jan 16, 2015, at 03:05, Stuart Henderson wrote: On 2015-01-16, Sean Kamath wrote: I've got about 10 of these where I work (Adder iPEPS: I have one of these (vga version) too. As long as you

Re: Crash cart console adapters compatible with OpenBSD?

2015-01-16 Thread Devin Reade
On Jan 16, 2015, at 14:23, Stuart Henderson wrote: Considering which mailing list this is on, and the compatible with OpenBSD in the subject, a binary-only client which doesn't run on OpenBSD isn't terribly useful ;) My head is bowed in shame :) Well, in an attempt to

weird carp failover behavior

2015-08-19 Thread Devin Reade
I'm trying to understand an odd behavior during carp failover where one uplink goes numb until the demarc equipment is power cycled. Consider the following: ISP1-demarc ISP2-demarc | | SW1 (Net1) SW2 (Net2) - C |\ /| | X | |/ \| FW-A - FW-B

dmesg: OneRNG hardware RNG plugged into Soekris 5501

2015-08-19 Thread Devin Reade
I've got one of the early units from, intended for providing input data to /dev/random. They currently have support for Linux via a simple command set to the device. (See the shell scripts in the tarball listed at I figured I'd plug this into a

resource impact of bgp-spamd

2015-08-10 Thread Devin Reade
In general terms, what kind of additional memory/disk/cpu usage is incurred through the use of a bgp-spamd client? Is this something that is likely able to run on a low end device like a Soekris 5501, or is it something more suited to a Real Server? (I don't see any dedicated mailing list on

NSA transition to quantum resistant algorithms

2015-08-15 Thread Devin Reade
Interesting background info, including recommended minimum key sizes during the interim:

Re: Starting isc_named earlier

2015-08-24 Thread Devin Reade
--On Monday, August 24, 2015 12:27:06 AM + Stuart Henderson wrote: Having NFS rely on DNS is not ideal. I don't see why dhcpd would need DNS to run at all? If you have a 'fixed-address' definition in a 'host' block, and the fixed-address uses a FQDN rather than an

Re: state of SSD by OpenBSD

2015-11-13 Thread Devin Reade
--On Thursday, November 12, 2015 10:13:34 PM -0500 Nick Holland wrote: > And if you deploy a lot of SSDs, [...] Some models are good, > some are crap, you can't say which is which until after they are out of > production. In other words, the same as with

Re: Exposing the rc(8) constructed pf ruleset, some patches

2015-10-20 Thread Devin Reade
> On Oct 19, 2015, at 18:26, Karl O. Pinc wrote: > But if you write DNS names into your pf.conf > file then step 2 can be eliminated. All > that's required is to reload the rules. > > Eliminating an extra editing step reduces > error. Unless of course your DNS is on your LAN and

Re: Passwd cipher for YP

2015-10-14 Thread Devin Reade
--On Wednesday, October 14, 2015 08:51:06 AM -0600 Theo de Raadt wrote: Do you have any other tips on how to handle logins in a mixed OS YP network? These days, I would recommend using YP in fewer places. I wrote the code, but even I don't use it. Each time I make

Re: Linux crypt(3)

2015-10-17 Thread Devin Reade
> On Oct 17, 2015, at 04:31, Adam Wysocki wrote: > > Hi misc, > > I'm migrating one of my servers from Linux to OpenBSD and I need a method > to authenticate users based on passwords treated with Linux crypt() > function. Passwords are encrypted with salted DES, without

Re: Recommended Industrial PCs?

2015-08-26 Thread Devin Reade
--On Wednesday, August 26, 2015 09:11:22 PM +0200 Martin Haufschild wrote: can someone recommend me an Industrial PC (IPC) to use with OpenBSD? I would like to have a lot of hardware supported from this IPC by OpenBSD. Lanners are solid:

Re: Soekris 4501 and OpenBSd 5.7

2015-09-16 Thread Devin Reade
> On Sep 16, 2015, at 00:40, Markus Rosjat wrote: > > Hi there, > > just a simple question, is it possible to install a 5.7 on a soekris 4501? I don't know about the 4501, but the 5501 works fine. Any chance you grabbed the 64 bit image by mistake? Devin

Re: OpenBSD Home Server: Hints and Advices

2015-09-29 Thread Devin Reade
--On Tuesday, September 29, 2015 01:14:39 PM +0200 Benny Lofgren wrote: However, even with mirrored drives, IT IS NOT A BACKUP. What if there is a fire? What if someone burglars your house and steals the server? What if someone accidentally knocks it over and all disks

Re: OpenBSD Home Server: Hints and Advices

2015-09-29 Thread Devin Reade
--On Tuesday, September 29, 2015 11:38:00 AM -0600 Devin Reade <> wrote: To the OP, while most of the advice on this thread has been good, I'd be careful of that one. *Keep* your drives in a mirrored configuration and have *additional* disks for backup purposes. Just to c

Re: Making IPv6 NAT prefer privacy address

2015-09-24 Thread Devin Reade
> On Sep 24, 2015, at 07:49, Giancarlo Razzolini wrote: > > Em 24-09-2015 08:36, Stuart Henderson escreveu: >> What is the purpose of IPv6? The main purpose that I see is "ability to >> continue getting internet addresses after v4 runout". (If it had been left >> at that

Re: authentication infra structure

2015-12-09 Thread Devin Reade
--On Wednesday, December 09, 2015 05:25:14 PM -0200 Friedrich Locke wrote: > If you had about 10k users and 5k machine how would you manage > authenticating issues? Keep in mind that this is a very heterogenous > environment with ldap, ftp, smtp, pop3, traditional unix

restrictions for kernel interrupt context

2015-12-15 Thread Devin Reade
The usbd_open_pipe_intr(9) man page discusses the usbd_callback type and the usbd_transfer(9) man page mentions the associated interrupt context in which (presumably) that callback executes. Are there any particular restrictions that apply while running from within that interrupt context? In

anyone using msk(4) NICs?

2016-01-09 Thread Devin Reade
I reported a problem on the bugs@ list in that I have a machine that panics if the msk(4) interface is used, but works fine with an em(4) interface. There is a possibility that I have bad hardware as I've been able to replicate this on 5.9 beta, 5.8 release, and now 5.7 release. I find it

Re: A branded USB stick as an alternative to the CD set?

2015-11-30 Thread Devin Reade
I suspect the answer is that this falls into the category of too expensive/distracting to bother, based on the overall benefit. I find that having a DVD reader/writer in an external USB-connected enclosure works well for optical-diskless machines. Devin

Re: anyone using msk(4) NICs?

2016-01-11 Thread Devin Reade
--On Monday, January 11, 2016 12:38:51 PM -0800 Chris Cappuccio wrote: > I wouldn't just assume the problem is hardware. In fact, you should > provide a dmesg, trace, etc. It's already reported in bugs@, so I figured it would be redundant here. See:

Re: Random delay on incoming SMTP connection to OpenSMTPD

2016-06-10 Thread Devin Reade
--On Friday, June 10, 2016 09:04:07 PM + ML mail wrote: Well right now I have max-children on 50, so you mean lowering this value to something like 10? But then if I receive 20 simultaneous incoming SMTP connection, what will happen to the 10 others? Will they

Re: Random delay on incoming SMTP connection to OpenSMTPD

2016-06-10 Thread Devin Reade
Seems like the wrong solution. How about altering spamassassin's max-children parameter instead?

OpenSSL changes coming Tuesday

2016-02-25 Thread Devin Reade
Operators: Apparently there are high severity security patches coming for OpenSSL on Tuesday 01 Mar 2015: I have no idea if/how this affects LibreSSL, and we can't necessarily expect info from those in the know

Re: Industrial use of line printers, does/would your company/organization use them with our lpd?

2016-02-21 Thread Devin Reade
--On Wednesday, February 17, 2016 11:49:30 AM -0600 Chris Bennett wrote: > I do see that lpc, lpq, lprm are dinosaurs and have to be made extinct > and replaced with something more functional with more information output > and better capabilities. Whatever

Re: libc issues on last snapshot

2016-03-22 Thread Devin Reade
On Mar 22, 2016, at 05:51, Mihai Popescu wrote: >> Is there any verification of the contents of the tar balls being done? > > I don't know about you, but I don't feel like have balls verified. You only have to worry if they're covered in tar.

what would break arp on carp?

2016-04-03 Thread Devin Reade
I have an OpenBSD 5.8 stable carp setup where one of my upstream links is serviced by a cable provider, a static IP is assigned, and I would normally have no IP assigned to the carpdev: # cat hostname.vr2 up # cat hostname.carp2 inet NONE vhid 3 pass somepass

Re: what would break arp on carp?

2016-04-03 Thread Devin Reade
--On Monday, April 04, 2016 12:26:06 AM +0300 Mihai Popescu wrote: However, if carp IS in use, I can see the upstream router do the arp request, followed by the firewall arp reply (with the carp MAC), Is it the 'carp MAC' the MAC of vr2? No. It is the lladdr shown in a

for those needing narrow SCSI disks

2016-09-04 Thread Devin Reade
For those people needing narrow SCSI disks to keep old hardware going, I happened to see this page the other day: They appear to be newer SSD and spinning rust packaged in a 3.5" form factor with a narrow SCSI interface. I have no idea as to

Re: spamd and network whitelisting

2016-12-19 Thread Devin Reade
You might also want to look at bgp-spamd. With respect to dealing with SPF, the simple solution (permitting an IP if it is on the sending domain's SPF list) doesn't work too well in the general case since it appears many spammers publish SPF records. However what I found works well, at least