Topics - bob@afrinet.eu

#1
Development and Code Review / EMMC support on 19.1 ß
October 23, 2018, 03:31:20 PM
We were testing the 19.1ß since it should now be able to boot on Denverton MB.
But we think that there is a problem with the EMMC support.

Do you know if the following modules are compiled with the current ß kernel in 19.1?


  • sdhci_pci/mmc
  • sdhci_acpi/mmc
  • mmc/mmcsd


Thanks for your reply.
#2
I wanted to know why the compile options used in OPNsense (and pfSense®) don't include pkcs11?

What is the reason?

And what would you recommend for a stronger / physical authentication method (like a smart card or USB dongle)?

The aim is a large-scale VPN where we would need to push dynamic routes and get strong authentication (firewall to firewall).

The current OpenVPN compile options are as follows:

root@FW1:~ # openvpn --version
OpenVPN 2.4.6 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Sep 17 2018
library versions: OpenSSL 1.0.2p  14 Aug 2018, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=yes enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
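As an added example (not code from the original post, from OPNsense or from the OpenVPN project), the script below parses the text that `openvpn --version` prints, turns the `Compile time defines` list into a dictionary and reports which build options a given binary lacks, pkcs11 among them. The sample input is the output quoted above with the defines list shortened to a few entries; the function names and the `live_version_output` helper are mine.

```python
"""Check an OpenVPN build for compile-time options (e.g. enable_pkcs11).

Added example: parses the text printed by `openvpn --version` and reports
which requested build options are missing. Function names are my own.
"""
import re
import subprocess

# Sample input: the version output quoted in the post above, with the
# "Compile time defines" list shortened to a handful of entries.
SAMPLE_VERSION_OUTPUT = """\
OpenVPN 2.4.6 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Sep 17 2018
library versions: OpenSSL 1.0.2p  14 Aug 2018, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_crypto=yes enable_management=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_server=yes with_crypto_library=openssl
"""


def parse_features(version_output):
    """Return the bracketed feature tags from the first line, e.g. ['SSL (OpenSSL)', 'LZO', ...]."""
    first_line = version_output.splitlines()[0] if version_output else ""
    return re.findall(r"\[([^\]]+)\]", first_line)


def parse_compile_defines(version_output):
    """Return {option: value} from the 'Compile time defines:' line; {} if that line is absent."""
    for line in version_output.splitlines():
        if line.startswith("Compile time defines:"):
            _, _, defines = line.partition(":")
            pairs = (token.split("=", 1) for token in defines.split() if "=" in token)
            return {key: value for key, value in pairs}
    return {}


def has_pkcs11(version_output):
    """True only when the build was configured with --enable-pkcs11 (enable_pkcs11=yes)."""
    return parse_compile_defines(version_output).get("enable_pkcs11") == "yes"


def missing_options(version_output, wanted):
    """List the requested options whose value is not 'yes' (unknown options count as missing)."""
    defines = parse_compile_defines(version_output)
    return [opt for opt in wanted if defines.get(opt) != "yes"]


def live_version_output():
    """Run the installed openvpn binary; it may exit non-zero after printing, so no check=True."""
    result = subprocess.run(["openvpn", "--version"], capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    try:
        output = live_version_output()
    except OSError:
        # Fall back to the quoted sample when openvpn is not installed on this host
        output = SAMPLE_VERSION_OUTPUT
    print("features:", ", ".join(parse_features(output)))
    print("pkcs11 support:", "yes" if has_pkcs11(output) else "no")
    print("missing:", missing_options(output, ["enable_pkcs11", "enable_management", "enable_plugin_auth_pam"]))
```

Run it on the firewall itself to check the installed binary; on any other machine it evaluates the quoted sample and reports `enable_pkcs11` as missing, matching the `enable_pkcs11=no` in the output above.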
#3
Hardware and Performance / Yandex patch in OPNSense?
September 18, 2018, 12:20:06 PM
Just a simple question: I wanted to know if the "yandex patches" have been ported to OPNSense.
I am talking about two sets of patches which are used to enhance the performance of arpresolve and ip_findroute:

https://people.freebsd.org/~olivier/fbsd11.1.ae.afdata-radix.patch
https://reviews.freebsd.org/D12040

#4
I think it would be nice to be able to use the Suricata flow logging feature as described here:
https://blog.inliniac.net/2014/07/28/suricata-flow-logging/

For the time being there does not seem to be any option in the GUI to send flows to an external logger (besides local log files).

Is there any way to override the configuration of Suricata?
What are the compile-time options used?

The main idea would be to be able to use Suricata as a Netflow / flow collector.
I know this is handled using Netflow in OPNSense, but wouldn't Suricata log collection be more efficient?

Furthermore, Suricata has the ability to handle bi-directional flows, whereas Netflow handles them only unidirectionally.

Thanks for your answer.
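As an added example (not part of the post above, of OPNsense or of Suricata), the script below consumes Suricata EVE JSON `flow` records of the kind the linked article describes, skips other event types and malformed lines, summarizes each flow by its 5-tuple, and splits each bidirectional record into the two per-direction records a unidirectional NetFlow exporter would produce. The sample lines are constructed, not captured from a sensor; the field names follow Suricata's eve-log flow output, and the function names are mine.

```python
"""Summarize Suricata EVE 'flow' records and show how each bidirectional
record maps onto the two unidirectional records NetFlow would export.

Added example (not part of OPNsense or Suricata). The sample lines below are
constructed, not captured from a sensor; function names are my own.
"""
import json

# Constructed EVE JSON lines: two flow records, one alert record that a flow
# consumer must skip, and one corrupt line. Field names follow eve-log flow output.
SAMPLE_EVE_LINES = [
    json.dumps({
        "timestamp": "2018-09-18T12:00:05.000000+0200", "flow_id": 1001, "event_type": "flow",
        "src_ip": "10.0.0.5", "src_port": 51234, "dest_ip": "192.0.2.10", "dest_port": 443,
        "proto": "TCP", "app_proto": "tls",
        "flow": {"pkts_toserver": 12, "pkts_toclient": 15, "bytes_toserver": 1500,
                 "bytes_toclient": 9800, "state": "closed", "reason": "timeout", "alerted": False},
    }),
    json.dumps({
        "timestamp": "2018-09-18T12:00:06.000000+0200", "flow_id": 1002, "event_type": "alert",
        "src_ip": "10.0.0.9", "src_port": 40000, "dest_ip": "192.0.2.20", "dest_port": 80,
        "proto": "TCP", "alert": {"signature": "constructed test alert"},
    }),
    json.dumps({
        "timestamp": "2018-09-18T12:00:07.000000+0200", "flow_id": 1003, "event_type": "flow",
        "src_ip": "10.0.0.7", "src_port": 60000, "dest_ip": "192.0.2.30", "dest_port": 22,
        "proto": "TCP",
        "flow": {"pkts_toserver": 3, "pkts_toclient": 0, "bytes_toserver": 180,
                 "bytes_toclient": 0, "state": "new", "reason": "timeout", "alerted": False},
    }),
    "this line is not JSON",
]


def parse_flow_events(lines):
    """Yield parsed 'flow' records, skipping other event types and unparseable lines."""
    for line in lines:
        try:
            record = json.loads(line)
        except ValueError:
            continue
        if record.get("event_type") == "flow" and "flow" in record:
            yield record


def flow_key(record):
    """5-tuple identifying the flow as Suricata saw it (initiator side first)."""
    return (record["src_ip"], record["src_port"], record["dest_ip"], record["dest_port"], record["proto"])


def summarize_flows(lines):
    """Return {5-tuple: {'bytes', 'pkts', 'unanswered'}} over all flow records in lines."""
    summary = {}
    for record in parse_flow_events(lines):
        counters = record["flow"]
        summary[flow_key(record)] = {
            "bytes": counters["bytes_toserver"] + counters["bytes_toclient"],
            "pkts": counters["pkts_toserver"] + counters["pkts_toclient"],
            # A flow that never got a reply is visible directly in the bidirectional record
            "unanswered": counters["pkts_toclient"] == 0,
        }
    return summary


def to_unidirectional(record):
    """Split one EVE flow record into the per-direction records NetFlow would export.

    Directions with zero packets are dropped, so an unanswered connection
    becomes a single record whose peer direction a collector must match up later.
    """
    counters = record["flow"]
    directions = [
        (record["src_ip"], record["dest_ip"], counters["pkts_toserver"], counters["bytes_toserver"]),
        (record["dest_ip"], record["src_ip"], counters["pkts_toclient"], counters["bytes_toclient"]),
    ]
    return [
        {"src_ip": src, "dest_ip": dst, "pkts": pkts, "bytes": nbytes}
        for src, dst, pkts, nbytes in directions if pkts > 0
    ]


if __name__ == "__main__":
    for key, stats in summarize_flows(SAMPLE_EVE_LINES).items():
        print(key, stats)
    for record in parse_flow_events(SAMPLE_EVE_LINES):
        print(record["flow_id"], "->", len(to_unidirectional(record)), "unidirectional record(s)")
```

Feeding it a real `eve.json` is a matter of passing `open("eve.json")` instead of the sample list. The `to_unidirectional` split is what makes the post's point concrete: the one-sided SSH flow stays one record, while the TLS session becomes two records that a NetFlow collector has to pair again before it can see the per-connection totals Suricata already reports.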
#5
I wanted to know if the upcoming release will be based on FBSD 11.1 or 11.2?
#6
I was trying to install OPNSense on a box and bumped into this problem:

Booting...
KDB: debugger backends: ddb                                                     
KDB: current backend: ddb                                                       
Copyright (c) 1992-2017 The FreeBSD Project.                                   
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994       
        The Regents of the University of California. All rights reserved.       
FreeBSD is a registered trademark of The FreeBSD Foundation.                   
FreeBSD 11.1-RELEASE-p9  e86703e30(stable/18.1) amd64                           
FreeBSD clang version 4.0.0 (tags/RELEASE_400/final 297347) (based on LLVM 4.0.)
VT(vga): resolution 640x480                                                     
[HBSD LOG] logging to system: enabled                                           
[HBSD LOG] logging to user: disabled                                           
[HBSD HARDENING] procfs hardening: enabled                                     
[HBSD ASLR] status: opt-out                                                     
[HBSD ASLR] mmap: 30 bit                                                       
[HBSD ASLR] exec base: 30 bit                                                   
[HBSD ASLR] stack: 42 bit                                                       
[HBSD ASLR] vdso: 28 bit                                                       
[HBSD ASLR] map32bit: 18 bit                                                   
[HBSD ASLR] disallow MAP_32BIT mode mmap: opt-in                               
[HBSD ASLR (compat)] status: opt-out                                           
[HBSD ASLR (compat)] mmap: 14 bit                                               
[HBSD ASLR (compat)] exec base: 14 bit                                         
[HBSD ASLR (compat)] stack: 14 bit                                             
[HBSD ASLR (compat)] vdso: 8 bit                                               
[HBSD SEGVGUARD] status: opt-out                                               
[HBSD SEGVGUARD] expiry: 120 sec                                               
[HBSD SEGVGUARD] suspension: 600 sec                                           
[HBSD SEGVGUARD] maxcrashes: 5                                                 
CPU: Intel(R) Atom(TM) CPU C3558 @ 2.20GHz (2200.07-MHz K8-class CPU)           
  Origin="GenuineIntel"  Id=0x506f1  Family=0x6  Model=0x5f  Stepping=1         
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,>
  Features2=0x4ff8ebbf<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,SDBG,>
  AMD Features=0x2c100800<SYSCALL,NX,Page1GB,RDTSCP,LM>                         
  AMD Features2=0x101<LAHF,Prefetch>                                           
  Structured Extended Features=0x2294e283<FSGSBASE,TSCADJ,SMEP,ERMS,NFPUSG,MPX,>
  Structured Extended Features3=0x2c000000<IBPB,STIBP,ARCH_CAP>                 
  XSAVE Features=0xf<XSAVEOPT,XSAVEC,XINUSE,XSAVES>                             
  IA32_ARCH_CAPS=0x1<RDCL_NO>                                                   
  VT-x: PAT,HLT,MTF,PAUSE,EPT,UG,VPID,VID,PostIntr                             
  TSC: P-state invariant, performance statistics                               
real memory  = 8589934592 (8192 MB)                                             
avail memory = 8187076608 (7807 MB)                                             
Event timer "LAPIC" quality 600                                                 
ACPI APIC Table: <INTEL  TIANO   >                                             
WARNING: L1 data cache covers less APIC IDs than a core                         
0 < 1                                                                           
FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs                             
FreeBSD/SMP: 1 package(s) x 4 core(s)                                           
random: unblocking device.                                                     
ioapic0 <Version 2.0> irqs 0-23 on motherboard                                 
SMP: AP CPU #1 Launched!                                                       
SMP: AP CPU #2 Launched!                                                       
SMP: AP CPU #3 Launched!                                                       
Timecounter "TSC-low" frequency 1100035729 Hz quality 1000                     
random: entropy device external interface                                       
wlan: mac acl policy registered                                                 
netmap: loaded module                                                           
module_register_init: MOD_LOAD (vesa, 0xffffffff810ab110, 0) error 19           
random: registering fast source Intel Secure Key RNG                           
random: fast provider: "Intel Secure Key RNG"                                   
kbd1 at kbdmux0                                                                 
nexus0                                                                         
vtvga0: <VT VGA driver> on motherboard                                         
cryptosoft0: <software crypto> on motherboard                                   
acpi0: <ALASKA A M I > on motherboard                                           
acpi0: Power Button (fixed)                                                     
cpu0: <ACPI CPU> on acpi0                                                       
cpu1: <ACPI CPU> on acpi0                                                       
cpu2: <ACPI CPU> on acpi0                                                       
cpu3: <ACPI CPU> on acpi0                                                       
hpet0: <High Precision Event Timer> iomem 0xfed00000-0xfed003ff on acpi0       
Timecounter "HPET" frequency 24000000 Hz quality 950                           
Event timer "HPET" frequency 24000000 Hz quality 550                           
Event timer "HPET1" frequency 24000000 Hz quality 440                           
Event timer "HPET2" frequency 24000000 Hz quality 440                           
Event timer "HPET3" frequency 24000000 Hz quality 440                           
Event timer "HPET4" frequency 24000000 Hz quality 440                           
atrtc0: <AT realtime clock> port 0x70-0x77 irq 8 on acpi0                       
atrtc0: Warning: Couldn't map I/O.                                             
Event timer "RTC" frequency 32768 Hz quality 0                                 
attimer0: <AT timer> port 0x40-0x43,0x50-0x53 irq 0 on acpi0                   
Timecounter "i8254" frequency 1193182 Hz quality 0                             
Event timer "i8254" frequency 1193182 Hz quality 100                           
Timecounter "ACPI-fast" frequency 3579545 Hz quality 900                       
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x1808-0x180b on acpi0         
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0                         
pcib0: _OSC returned error 0x10                                                 
pci0: <ACPI PCI bus> on pcib0                                                   
pcib1: <ACPI PCI-PCI bridge> at device 6.0 on pci0                             
pci1: <ACPI PCI bus> on pcib1                                                   
pci1: <processor> at device 0.0 (no driver attached)                           
pcib2: <ACPI PCI-PCI bridge> mem 0xdff60000-0xdff7ffff irq 20 at device 14.0 on0
pci2: <ACPI PCI bus> on pcib2                                                   
pcib3: <ACPI PCI-PCI bridge> mem 0xdff40000-0xdff5ffff irq 21 at device 15.0 on0
pci3: <ACPI PCI bus> on pcib3                                                   
igb0: <Intel(R) PRO/1000 Network Connection, Version - 2.5.3-k> port 0xd000-0xd3
igb0: Using MSIX interrupts with 5 vectors                                     
igb0: Ethernet address: 00:90:00:00:00:01                                       
igb0: Bound queue 0 to cpu 0                                                   
igb0: Bound queue 1 to cpu 1                                                   
igb0: Bound queue 2 to cpu 2                                                   
igb0: Bound queue 3 to cpu 3                                                   
igb0: netmap queues/slots: TX 4/1024, RX 4/1024                                 
pcib4: <ACPI PCI-PCI bridge> mem 0xdff20000-0xdff3ffff irq 22 at device 16.0 on0
pci4: <ACPI PCI bus> on pcib4                                                   
igb1: <Intel(R) PRO/1000 Network Connection, Version - 2.5.3-k> port 0xc000-0xc4
igb1: Using MSIX interrupts with 5 vectors                                     
igb1: Ethernet address: 00:90:00:00:00:02                                       
igb1: Bound queue 0 to cpu 0                                                   
igb1: Bound queue 1 to cpu 1                                                   
igb1: Bound queue 2 to cpu 2                                                   
igb1: Bound queue 3 to cpu 3                                                   
igb1: netmap queues/slots: TX 4/1024, RX 4/1024                                 
pcib5: <ACPI PCI-PCI bridge> mem 0xdff00000-0xdff1ffff irq 23 at device 17.0 on0
pci5: <ACPI PCI bus> on pcib5                                                   
ahci0: <AHCI SATA controller> port 0xe0c0-0xe0c7,0xe0b0-0xe0b3,0xe040-0xe05f me0
ahci0: AHCI v1.31 with 1 6Gbps ports, Port Multiplier supported                 
ahcich0: <AHCI channel> at channel 0 on ahci0                                   
ahciem0: <AHCI enclosure management bridge> on ahci0                           
ahci1: <AHCI SATA controller> port 0xe0a0-0xe0a7,0xe090-0xe093,0xe020-0xe03f me0
ahci1: AHCI v1.31 with 1 6Gbps ports, Port Multiplier supported                 
ahcich8: <AHCI channel> at channel 7 on ahci1                                   
ahciem1: <AHCI enclosure management bridge> on ahci1                           
xhci0: <XHCI (generic) USB 3.0 controller> mem 0xdff80000-0xdff8ffff irq 19 at 0
xhci0: 32 bytes context size, 64-bit DMA                                       
usbus0 on xhci0                                                                 
usbus0: 5.0Gbps Super Speed USB v3.0                                           
pcib6: <ACPI PCI-PCI bridge> irq 16 at device 22.0 on pci0                     
pci6: <ACPI PCI bus> on pcib6                                                   
pci6: <network, ethernet> at device 0.0 (no driver attached)                   
pci6: <network, ethernet> at device 0.1 (no driver attached)                   
pcib7: <ACPI PCI-PCI bridge> at device 23.0 on pci0                             
pci7: <ACPI PCI bus> on pcib7                                                   
pci7: <network, ethernet> at device 0.0 (no driver attached)                   
pci7: <network, ethernet> at device 0.1 (no driver attached)                   
pci0: <simple comms> at device 24.0 (no driver attached)                       
pci0: <simple comms, UART> at device 26.0 (no driver attached)                 
pci0: <simple comms, UART> at device 26.1 (no driver attached)                 
pci0: <simple comms, UART> at device 26.2 (no driver attached)                 
isab0: <PCI-ISA bridge> at device 31.0 on pci0                                 
isa0: <ISA bus> on isab0                                                       
pci0: <memory> at device 31.2 (no driver attached)                             
pci0: <serial bus> at device 31.5 (no driver attached)                         
acpi_tz0: <Thermal Zone> on acpi0                                               
uart0: <16550 or compatible> port 0x3f8-0x3ff irq 7 flags 0x10 on acpi0         
uart0: console (115200,n,8,1)                                                   
uart1: <16550 or compatible> port 0x2f8-0x2ff irq 10 on acpi0                   
ppc0: cannot reserve I/O port range                                             
est0: <Enhanced SpeedStep Frequency Control> on cpu0                           
est: CPU supports Enhanced Speedstep, but is not recognized.                   
est: cpu_vendor GenuineIntel, msr 21eb00001600                                 
device_attach: est0 attach returned 6                                           
est1: <Enhanced SpeedStep Frequency Control> on cpu1                           
est: CPU supports Enhanced Speedstep, but is not recognized.                   
est: cpu_vendor GenuineIntel, msr 21eb00001600                                 
device_attach: est1 attach returned 6                                           
est2: <Enhanced SpeedStep Frequency Control> on cpu2                           
est: CPU supports Enhanced Speedstep, but is not recognized.                   
est: cpu_vendor GenuineIntel, msr 21eb00001600                                 
device_attach: est2 attach returned 6                                           
est3: <Enhanced SpeedStep Frequency Control> on cpu3                           
est: CPU supports Enhanced Speedstep, but is not recognized.                   
est: cpu_vendor GenuineIntel, msr 21eb00001600                                 
device_attach: est3 attach returned 6                                           
Timecounters tick every 1.000 msec                                             
nvme cam probe device init                                                     
ugen0.1: <0x8086 XHCI root HUB> at usbus0                                       
uhub0: <0x8086 XHCI root HUB, class 9/0, rev 3.00/1.00, addr 1> on usbus0       
uhub0: 8 ports with 8 removable, self powered                                   
ugen0.2: <UFD 3.0 Silicon-Power16G> at usbus0                                   
umass0 on uhub0                                                                 
umass0: <UFD 3.0 Silicon-Power16G, class 0/0, rev 3.00/11.00, addr 1> on usbus0
umass0:  SCSI over Bulk-Only; quirks = 0x4000                                   
umass0:4:0: Attached to scbus4                                                 
ahcich8: Timeout on slot 5 port 0                                               
ahcich8: is 00000002 cs 00000000 ss 00000000 rs 00000020 tfd 50 serr 00000000 c7
(aprobe0:ahcich8:0:0:0): ATA_IDENTIFY. ACB: ec 00 00 00 00 40 00 00 00 00 00 00
(aprobe0:ahcich8:0:0:0): CAM status: Command timeout                           
(aprobe0:ahcich8:0:0:0): Retrying command                                       
run_interrupt_driven_hooks: still waiting after 60 seconds for xpt_config       
ahcich8: Timeout on slot 6 port 0                                               
ahcich8: is 00000002 cs 00000000 ss 00000000 rs 00000040 tfd 50 serr 00000000 c7
(aprobe0:ahcich8:0:0:0): ATA_IDENTIFY. ACB: ec 00 00 00 00 40 00 00 00 00 00 00
(aprobe0:ahcich8:0:0:0): CAM status: Command timeout                           
(aprobe0:ahcich8:0:0:0): Error 5, Retries exhausted                             
ahcich8: Timeout on slot 11 port 0                                             
ahcich8: is 00000002 cs 00000000 ss 00000000 rs 00000800 tfd 50 serr 00000000 c7
(aprobe0:ahcich8:0:0:0): ATA_IDENTIFY. ACB: ec 00 00 00 00 40 00 00 00 00 00 00
(aprobe0:ahcich8:0:0:0): CAM status: Command timeout                           
(aprobe0:ahcich8:0:0:0): Retrying command                                       
run_interrupt_driven_hooks: still waiting after 120 seconds for xpt_config     
ahcich8: Timeout on slot 12 port 0                                             
ahcich8: is 00000002 cs 00000000 ss 00000000 rs 00001000 tfd 50 serr 00000000 c7
(aprobe0:ahcich8:0:0:0): ATA_IDENTIFY. ACB: ec 00 00 00 00 40 00 00 00 00 00 00
(aprobe0:ahcich8:0:0:0): CAM status: Command timeout                           
(aprobe0:ahcich8:0:0:0): Error 5, Retries exhausted                             
ses0 at ahciem0 bus 0 scbus1 target 0 lun 0                                     
ses0: <AHCI SGPIO Enclosure 1.00 0001> SEMB S-E-S 2.00 device                   
ses0: SEMB SES Device                                                           
ses1 at ahciem1 bus 0 scbus3 target 0 lun 0                                     
ses1: <AHCI SGPIO Enclosure 1.00 0001> SEMB S-E-S 2.00 device                   
ses1: SEMB SES Device                                                           
da0 at umass-sim0 bus 0 scbus4 target 0 lun 0                                   
da0: <UFD 3.0 Silicon-Power16G 1100> Removable Direct Access SPC-4 SCSI device 
da0: Serial Number P1503809737151200347                                         
da0: 400.000MB/s transfers                                                     
da0: 15376MB (31490048 512 byte sectors)                                       
da0: quirks=0x2<NO_6_BYTE>                                                     
Trying to mount root from ufs:/dev/ufs/OPNsense_Install [ro,noatime]...         
Mounting filesysahcich8: Timeout on slot 16 port 0                             
ahcich8: is 00000002 cs 00000000 ss 00000000 rs 00010000 tfd 50 serr 00000000 c7
(aprobe0:ahcich8:0:0:0): ATA_IDENTIFY. ACB: ec 00 00 00 00 40 00 00 00 00 00 00
(aprobe0:ahcich8:0:0:0): CAM status: Command timeout                           
(aprobe0:ahcich8:0:0:0): Error 5, Retries exhausted 


Then the system endlessly loops into:

Trying to mount root from ufs:/dev/ufs/OPNsense_Install [ro,noatime]...
Mounting filesysahcich0: Timeout on slot 16 port 0                             
ahcich0: is 00000002 cs 00000000 ss 00000000 rs 00010000 tfd 50 serr 00000000 c7
(aprobe0:ahcich0:0:0:0): ATA_IDENTIFY. ACB: ec 00 00 00 00 40 00 00 00 00 00 00
(aprobe0:ahcich0:0:0:0): CAM status: Command timeout                           
(aprobe0:ahcich0:0:0:0): Error 5, Retries exhausted

I am not really sure what to try from there on...?