Re: relayd ssl termination advice
On 08.10.2023 03:00, Courtney wrote:

Hello everyone,

I'm seeking an ideal way to make secure https connections to a handful of web servers in my house. Currently I have a Nextcloud server and a gitea server, but only the Nextcloud server is being port forwarded on 80/443. I want to make my gitea server publicly visible as well as a couple other projects. My thought is to have relayd running on my router and match Host headers and forward it to my servers based on the Host. This will also conveniently let me handle renewing Let's Encrypt certs in one place. I already do this right now with a VPS, but I have a wireguard tunnel to my house in this case to access the backend, which is encrypting the traffic from my relayd server to my backend web server.

With my Nextcloud and gitea server, if I terminate SSL at my router, the connection between my router and Nextcloud/gitea web servers would be unencrypted. Even though it is in my own house, I don't really like that idea. It seems to be overkill too to do peer to peer wireguard between my Nextcloud/gitea servers in my house. I was wondering if this would actually be proper or if there are any other ideas you all might have.

Ultimately, I want to serve a handful of services on 80/443 that are easily accessible internally and externally, and I don't want to have unencrypted traffic between relayd and my server for the services that are passing sessions and such.

Thank you,
Courtney

I have a similar situation at home. I use TLS to encrypt the traffic between relayd(8) and the actual web servers. On the web servers I use self-signed certificates which are valid for several decades. When it comes to administrative access on the web servers I use my router as ProxyJump and/or configure local tunnel(s) in ssh(1).

Cheers,
Bruno
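The setup described above, TLS terminated on relayd(8), forwarding chosen by the Host header, and a second TLS connection to each backend so the LAN leg is never plaintext, maps to a relayd.conf along the following lines. This is an added example, not the poster's configuration: the hostnames cloud.example.net and git.example.net, the backend addresses 10.0.0.11 and 10.0.0.12 and the listen address are made up, and the keypair names assume the Let's Encrypt certificates are installed as /etc/ssl/NAME.crt and /etc/ssl/private/NAME.key, which is where relayd looks for a named keypair. Whether relayd validates the backends' self-signed certificates on the inner leg depends on the `tls` protocol options in relayd.conf(5); check that section before relying on the inner leg for anything beyond confidentiality against a passive observer on the LAN.

```conf
# Added example relayd.conf (not the poster's own). Names and addresses are made up.
ext_addr = "203.0.113.10"

table <nextcloud> { 10.0.0.11 }
table <gitea>     { 10.0.0.12 }

http protocol "https" {
	# Pick the backend from the Host header. Requests whose Host matches
	# neither line are handled by the relay's first forward target.
	match request header "Host" value "cloud.example.net" forward to <nextcloud>
	match request header "Host" value "git.example.net"   forward to <gitea>

	# Let the backends log the real client address and scheme.
	match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header set "X-Forwarded-Proto" value "https"

	# One keypair per hostname, selected by SNI:
	# /etc/ssl/cloud.example.net.crt + /etc/ssl/private/cloud.example.net.key, etc.
	tls keypair "cloud.example.net"
	tls keypair "git.example.net"
}

relay "https" {
	listen on $ext_addr port 443 tls
	protocol "https"
	# Second TLS leg to the backends, which present their own long-lived
	# self-signed certificates, so the LAN segment never carries plaintext.
	forward with tls to <nextcloud> port 443 check tcp
	forward with tls to <gitea>     port 443 check tcp
}
```

Port 80 is left out on purpose: a second, plain `relay "http"` that only answers the ACME challenge or redirects to https keeps the certificate renewal in one place, as the poster wants, without ever forwarding plaintext to a backend.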
Re: Restore pf tables metadata after a reboot
On 29.05., Walter Alejandro Iglesias wrote: > In article <20200528165448.ga22...@flueckiger.lan> Bruno Flueckiger > wrote: > > On 26.05., Walter Alejandro Iglesias wrote: > > > I understand that this command: > > > > > > # pfctl -t spam -T expire > > > > > > Takes in care the "Cleared" date: > > > > > > # pfctl -t spam -vT show > > > ___.___.22.65 > > > Cleared: Mon May 25 16:10:22 2020 > > > ___.___.167.62 > > > Cleared: Mon May 25 16:10:22 2020 > > > [...] > > > > > > Is there a way to save and restore tables metadata after a reboot > > > preserving those dates? > > > > > > > You can save the list of IPs in a table and reload it after a reboot as > > described here: https://www.bsdhowto.ch/savepftables.html > > Nice website. ;-) > Thanks :-) > > > > As there is no way to save the dates the date for each IP will be set to > > the current date and time when load happens. > > The interesting point and the reason of my concern is to choose a > convenient "expire time." With mail is problematic but with ssh, since > I know exactly whom I want to allow external access (just me,) I let > them accumulate. I block ssh attackers in the ssh port only, people > sharing those addresses are not affected. So, I thought, the only > concern in the ssh case was how much a big number of entries could > affect pf performance, till at some point my tables reached the memory > hard limit and I had to remove IPs arbitrarily. :-) > Well, I use my system in production. Therefore I prefer to be on the safe side and remove old entries from my block tables rather than risking instabilities or performance penalties. > In summary, pfctl expire command does nothing after a reboot. Then you > have two options: > > - To use a (cron) expire time significantly lower than the desirable. > > - To expire entries when your tables are about to reach the memory > hard limit. > > In both cases you'll probably suffer spam again from IPs that were > already blocked. 
> What is a desirable expire time for blocked IPs in your view?

For SSH I don't care how many times an attacker tries it. As soon as the IP is in the blocking table I don't even get log entries for it.

In case of SMTP I don't rely solely on IP blocking to fight spam. The blocking only kicks in if there are too many simultaneous connections coming from the same IP.

Cheers,
Bruno
Re: Restore pf tables metadata after a reboot
On 26.05., Walter Alejandro Iglesias wrote:
> I understand that this command:
>
> # pfctl -t spam -T expire
>
> Takes in care the "Cleared" date:
>
> # pfctl -t spam -vT show
> ___.___.22.65
> Cleared: Mon May 25 16:10:22 2020
> ___.___.167.62
> Cleared: Mon May 25 16:10:22 2020
> [...]
>
> Is there a way to save and restore tables metadata after a reboot
> preserving those dates?
>

You can save the list of IPs in a table and reload it after a reboot as described here: https://www.bsdhowto.ch/savepftables.html

As there is no way to save the dates the date for each IP will be set to the current date and time when load happens.

Cheers,
Bruno
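Both pf threads above turn on the "Cleared" timestamp that `pfctl -vT show` prints for every entry and that `pfctl -T expire N` compares against. The script below is an added example, not from the thread and not the script on bsdhowto.ch: it parses constructed `pfctl -vT show` output (documentation addresses 192.0.2.10 and 198.51.100.7, dates made up) and lists the entries whose Cleared time is older than a given age, which is exactly the set a cron job running `pfctl -t spam -T expire 86400` would drop. It also makes visible why a reload right after a reboot defeats the expire run: every reloaded entry gets the reload time as its Cleared date. The `save_table` and `restore_table` functions show the save-and-reload approach with pfctl; they assume an OpenBSD host and are not exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread or bsdhowto.ch). Parses the output of
# "pfctl -t <table> -vT show" and reports entries whose "Cleared" timestamp
# is older than a given number of seconds, i.e. what "pfctl -T expire N"
# would remove. Timestamps are treated as UTC; pfctl prints local time, so
# on a real host run it with TZ matching the system (or just use -T expire).

# Constructed sample in the format pfctl -vT show prints (addresses are
# documentation ranges, dates made up).
SAMPLE_SHOW='   192.0.2.10
        Cleared:     Mon May 25 16:10:22 2020
        In/Block:    [ Packets: 12    Bytes: 720    ]
   198.51.100.7
        Cleared:     Thu May 28 09:00:00 2020
        In/Block:    [ Packets: 3     Bytes: 180    ]'

# expired_entries NOW MAXAGE  < pfctl -vT show output
# Prints the addresses whose Cleared time is more than MAXAGE seconds
# before NOW (NOW in seconds since the epoch).
expired_entries() {
	awk -v now="$1" -v maxage="$2" '
	# Seconds since the epoch for the "Mon May 25 16:10:22 2020" fields
	# (days-from-civil arithmetic, so no date(1) dialect is needed).
	function to_epoch(mon, day, hms, year,    mo, y, era, yoe, doy, doe, t) {
		mo = int((index("JanFebMarAprMayJunJulAugSepOctNovDec", mon) - 1) / 3) + 1
		y = (mo <= 2) ? year - 1 : year
		era = int(y / 400)
		yoe = y - era * 400
		doy = int((153 * (mo + (mo > 2 ? -3 : 9)) + 2) / 5) + day - 1
		doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
		split(hms, t, ":")
		return (era * 146097 + doe - 719468) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
	}
	# An address line carries a single field; the statistics lines carry several.
	NF == 1 { addr = $1; next }
	$1 == "Cleared:" && now - to_epoch($3, $4, $5, $6) > maxage { print addr }
	'
}

# Convenience wrapper over the constructed sample: sample_expired NOW MAXAGE
sample_expired() {
	printf '%s\n' "$SAMPLE_SHOW" | expired_entries "$1" "$2"
}

# save_table TABLE FILE / restore_table TABLE FILE: the save-and-reload
# approach from the thread (assumed pfctl usage; only meaningful on OpenBSD).
save_table() {
	pfctl -t "$1" -T show > "$2"
}
restore_table() {
	# Every reloaded entry gets the current time as its Cleared date, so an
	# expire run directly after boot removes nothing; expire on a schedule.
	pfctl -t "$1" -T replace -f "$2"
}
```

Run `pfctl -t spam -vT show | expired_entries "$(date +%s)" 86400` on a host to preview what the next expire run would remove, and keep the real removal in cron with `pfctl -t spam -T expire 86400` so the table cannot grow until it hits the pf memory limit.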
Re: Installing OpenBSD -current snapshots
On 27.11., Clay Daniels wrote: > I have successfully installed OpenBSD 6.6 release and would like to give > the Current Snapshots a try. I went to a mirror, and to: > > Index of /pub/OpenBSD/snapshots/amd64/ > > I saw install66.fs (probably for usb memstick) and install66.iso (surely > for a cd/dvd) at ~450Mb. I picked the install66.fs, wrote it to a usb > thumbdrive, and it starts the install. When i get into the install it asks > where are the file sets? Humm, maybe it gets these online and it tries to > do this but no luck. It was late last night, and I checked to see if it had > written anything to my disk, which it had not, and went to bed. This > evening I'm looking a bit deeper at the snapshot directory and I suspect I > need to provide the install with base66.tzg at ~239Mb. > > My question now is after downloading the base, do I need to un-tar it, and > how to I provide it to the install? I wrote the install66.fs to the usb > with the dd command. Not clear to me how to either manually copy the base > file set to the usb, or maybe leave it on an accessible directory on my > machine. Any help would be appreciated. > > Clay Daniels I would recommend using sysupgrade(8) with the parameter -s to you. Cheers, Bruno
Re: Ergonomic USB wired mouse
On 24.08., Anatoli wrote:
> Hi Bruno,
>
> AWESOME!! Thanks a lot! You can add "MX Vertical" to the list of the
> successfully tested pointing devices :D
>
> I just made some minor changes as this mouse only has 2 additional physical
> buttons (no secondary wheel, nor anything else). I removed the WAxis and
> lowered the button numbers on the ZAxis:
>
> Section "InputClass"
> Identifier "Logitech MX Vertical"
> MatchDriver "ws"
> Driver "ws"
> Option "Buttons" "16"
> Option "Device" "/dev/wsmouse"
> Option "Floating" "false"
> Option "ZAxisMapping" "6 7"
> EndSection
>
> And adjusted xmodmap:
>
> xmodmap -e "pointer = 1 2 3 8 9 4 5 6 7 10 11 12 13 14 15 16"
>
> This way everything works as expected! Nice!
>

Thanks for reporting back your success. I like to read that my writing is useful to others. The mapping of the axes to the different buttons will vary for most devices. But if my article gave you what you needed to get it running yourself my goal is reached.

>
> Some time ago I also saw your other great guide about extra keys on USB
> keyboards (https://www.bsdhowto.ch/extrakeys.html) and used some ideas from
> it. I'd like to suggest one thing though: not to run usbhidaction from rc
> (it could be started under regular users from their WM startup scripts) and
> not to put the actual commands in the usbhidaction config, but rather to
> call from there xdotool for each button with the key codes to generate (e.g.
> "xdotool key XF86Mail" XF86LaunchA-Z, XF86AudioPlay/Stop, etc.) and then to
> capture them with xbindkeys.
>

I do not use any X11 tools on purpose. It is my goal to describe a way that works independently from X11.

> If you exec programs directly by usbhidaction the way you launch it, they'd
> be executed under root and some users reading your guide may not understand
> the implications. Also this way it's impossible for each user to customize
> the actions.
>

You're right about the security implications and the lack of multiuser support in my article.
From a security perspective it is better to run usbhidaction as an unprivileged user. rc allows this by setting the user parameter like this:

$ doas rcctl set user

I've updated my article to include this setting. By the way it also solves some trouble when you try to send commands to other media players like moc (https://moc.daper.net/) which check for security. The lack of multi user support is left to the reader as an exercise :-)

> I tried to go even further and to detect the keyboard when it's attached
> with hotplugd & usbdevs/lsusb (for vendor/product IDs), but then I couldn't
> solve the link between uhidev & uhid instances
> (https://marc.info/?l=openbsd-misc&m=156499209423144&w=2). Please let me
> know if you have any idea how to solve this.
>
> Regards,
> Anatoli
>

I would try to grep the output of dmesg(8) for the uhids attached to the uhidev. Something like that should give you a list of uhid belonging to the uhidev that got just attached:

dmesg | grep "uhid. at uhidev4"

Cheers,
Bruno
Re: Ergonomic USB wired mouse
On 19.08., Anatoli wrote: > I'm using Logitech MX Vertical. Nice mouse, IMO one of the most ergonomic > ones though it needs some adaptation. It has 2 additional buttons which do > NOT work on -current (better to say, they work like scrolling the wheel > instead being left and right), I'd like to know how to make them work BTW. > On Linux it works well. > > Oliver Marugg wrote: > > Hi > > > > I am preparing switching my desktop from another OS to OpenBSD. Is > > anyone using an Evoluent USB Wired Mouse (C/4 or 4 small) with OpenBSD? > > Or any other great ideas about an ergonomic mouse working with OpenBSD? > > > > Many thanks. > > > > -oliver > > > I use the Logitech Performance MX trackball. Like Anatoli I had the problem that the two additional buttons behave like the scroll wheel. I solved this issue last year. You can find my how-to here: https://www.bsdhowto.ch/mousekeys.html Cheers, Bruno
Re: Use xenodm like startx?
On 31.01.19 11:57, John Ankarström wrote:
> trondd wrote:
> > It's not really that complicated. The bare minimum is to copy your
> > .xinitrc to .xsession and then just run xenodm on demand with doas. All
> > the configs already exist in /etc/X11/xenodm. Nothing requires you to run
> > it at startup.
> >
> > Here's what I've done:
> > Copy your .xinitrc to .xsession
> >
> > Copy (or modify in place) /etc/X11/xenodm/xenodm-config to $HOME
> >
> > Edit xenodm-config and add
> > DisplayManager*autoLogin: yourusername
> >
> > Comment out the call to Xsetup so you don't get the xconsole window
> > !DisplayManager._0.setup: /etc/X11/xenodm/Xsetup_0
> >
> > Then you can alias it to run it on demand. Alias to startx if you want.
> > alias xenodm='doas xenodm -config /home/myusername/xenodm-config'
>
> Hm. Thank you. This works, except the environment in which I run xenodm is
> lost. For example, I have ENV=~/.kshrc in my ~/.profile, but this isn't
> inherited to X11 ... I guess I should add these things to my .xsession, but
> then I'll have it in two places instead of once.

You could source either file in your ~/.xsession by adding a line like this to it:

. ~/.kshrc

Depending on the settings you have in ~/.profile and/or ~/.kshrc this might cause unwanted side effects. You have been warned.

> > Only thing I never figured out is how to make X and xenodm shutdown when I
> > exit my window manager.
>
> This too makes me feel like xenodm is far too complex for what I want.
>

Add the following line to /etc/X11/xenodm/xenodm-config:

DisplayManager.*.terminateServer: true

Cheers,
Bruno
Re: daily cron not starting
On 13.11.18 06:35, Tony Boston wrote: > Hi misc@, > > the daily cron is not running anymore although I can execute '/bin/sh > /etc/daily' by hand just fine. I don't see anything in the logs and I > don't have any clue what else to check. > Do you guys have any idea? > > -- > Tony > > GPG-FP: 49CC8250 CDCF2183 6209C1AE 625677C1 F7783D5F > Threema: DN8PJX4Z > Is the cron(8) daemon running? Cheers, Bruno
Re: growfs(8) to lower offset
On 05.11.18 19:47, David Higgs wrote:
> I read both the FAQ section and the growfs(8) man page but I am not
> yet confident that what I want to do is supported / safe.
>
> http://www.openbsd.org/faq/faq14.html#GrowPartition
>
> I started with a number of partitions and a bunch of free space. I
> later needed the free space and allocated a /project partition that
> went to the end of my disk. More recently, I emptied the /data
> partition immediately prior. Now I would like to use growfs(8) to
> merge this unused space with the /project partition without losing any
> of the existing data.
>
> See disklabel output below. I have only grown partitions "down",
> never in the other direction. Am I being overly paranoid?
>
> Thanks.
>
> --david
>

As the FAQ entry states, you can use growfs(8) if the empty space is after the existing partition, not prior. You can only grow a partition "down", never "up". What you want to do would require the following steps:

1. Create a new partition on the free space
2. Move all data to the new partition
3. Remove the existing /project partition
4. Use growfs(8) on the new partition to include the space from the old /project partition

Cheers,
Bruno
Re: syntax error and doas.conf
On 31.10.18 10:42, Markus Rosjat wrote:
> Hi all,
>
> just something I noticed while trying out stuff with doas and my python
> scripts. If you make a mistake and have a syntax error in the doas.conf
> file you can easily lock yourself out from root privileges :(
>
> consider a case where your root has no pw, you are the guy in the
> wheel group and of course you have only this line
>
> permit persist keepenv :wheel
>
> so far everything is peachy ok we are going to add a new line
>
> permit nopass foo as root cmt /root/scripts/dosomething
>
> and we save it ... ups we made a mistake and like to fix it, no worries we
> can ... or can't we?
>
> doas vi /etc/doas.conf
>
> doas: syntax error at line 15
>
>
> at this point you are a bit screwed because you can't edit the doas.conf
> you can't reboot, your only way seems to be a switch off. Ok maybe there
> were other ways but hey I'm no pro, I'm a simple user and it's a vm so switch it
> off. Boot in single user mode, make a fsck because, mount the
> partitions, export the TERM var so you get a vi. Well seems we are back
> in business but no we can't edit /etc/doas.conf. Doesn't matter we came so
> far we simply copy the example to /etc and be done with it. At that
> point 5 to 10 min of your life is wasted with silly stuff but you may
> have learned at least one thing ... read again what you just wrote before
> you save it :)
>
>
> Have a nice day list :) and happy Halloween
>
> --
> Markus Rosjat    fon: +49 351 8107224    mail: ros...@ghweb.de
>
> G+H Webservice GbR Gorzolla, Herrmann
> Königsbrücker Str. 70, 01099 Dresden
>
> http://www.ghweb.de
> fon: +49 351 8107220 fax: +49 351 8107227
>
> Please check whether this mail really needs to be printed! Before you
> print it, think about your responsibility and commitment to the ENVIRONMENT
>

Losing ten minutes time because of a mistake you've made all by yourself made you write this useless mail.

Imagine how many times you could have read the man page of doas(8) and found out that there is the parameter -C to check the config file.

Cheers,
Bruno

--
Don't trust a man wearing a better suit than your own
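The lock-out described in this thread is avoidable by never overwriting /etc/doas.conf with something `doas -C` has not accepted, the same discipline visudo enforces for sudoers. The function below is an added example, not from the thread: it edits a copy, runs a checker on it and installs it over the live file only when the checker exits 0. The checker command is a parameter, defaulting to `doas -C`, so the function can be exercised offline with `sh -n` on a shell file; on an OpenBSD host leave the default.

```shell
#!/bin/sh
# Added example, not from the thread: replace a config file only after a
# syntax check succeeded, so a typo cannot lock you out of doas(1).

# install_checked NEW DEST [CHECKER...]
# Runs CHECKER (default: "doas -C", which parses a doas.conf and exits
# non-zero on a syntax error) with NEW as its last argument. Only if the
# check passes is DEST overwritten; otherwise the old file stays in place
# and the checker's exit status is returned.
install_checked() {
	_new=$1; _dest=$2; shift 2
	[ $# -gt 0 ] || set -- doas -C
	if "$@" "$_new"; then
		# Plain cp keeps DEST's existing owner and mode (e.g. root 0600).
		cp "$_new" "$_dest"
	else
		_rc=$?
		echo "$_new rejected by '$*', keeping $_dest unchanged" >&2
		return $_rc
	fi
}

# Typical use on OpenBSD (assumed workflow, not executed here):
#   cp /etc/doas.conf /tmp/doas.conf.new
#   vi /tmp/doas.conf.new
#   install_checked /tmp/doas.conf.new /etc/doas.conf
```

The same wrapper works for any daemon with a config check switch (for example `pfctl -nf`, `relayd -n -f`, `smtpd -n -f`), which is the reason the checker is not hard-wired.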
Re: Backup of OpenBSD under VMware
On 30.06.18 14:23, Paolo Aglialoro wrote: > Hello, > > the scenario is a cluster of ESXi nodes on which OpenBSD should run as a VM. > > Currently the cluster is being backed up by Veeam, I tried to insert th > obsd VM inside the backup job but no success, with following "Error: An > error occurred while saving the snapshot: Failed to quiesce the virtual > machine.". This looks strange to me because the open-vm-tools implemented > inside the kernel are usually functional to ESXi hosts. > > Questions: > 1. has anybody found a way to use Veeam to backup OpenBSD VMs? > 2. are there any other suggested softwares to perform a similar task? > > Thanks At $dayjob I use dump(8) and store the files on a Windows file server we use to store backup files. Then we run Veeam to backup the file server. The file server is used by my colleagues from the DBA team too to store database backups on it. Cheers, Bruno
Re: Partitioning recommendations for 6.3?
On 25.06.2018 14:17, John Long wrote: Been a while and don't have my other OpenBSD boxes accessible. What are the recommended partitions and appropriate sizes for people who want to track stable and possibly build the whole ports tree? Thanks, /jl Check the detailed explanation given by Ingo Schwarze: https://marc.info/?l=openbsd-misc&m=149890809430366&w=2 Cheers, Bruno
Re: Networking FAQ: VMM internet access
On 01.06.2018 10:54, Leonid Bobrov wrote:

# cat /etc/resolv.conf
# Generated by vio0 dhclient
nameserver 100.64.2.2
nameserver 100.64.2.2
# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=63 time=0.938 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=63 time=0.799 ms
^C
--- 192.168.1.1 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.799/0.868/0.938/0.070 ms
# echo "nameserver 192.168.1.1" > /etc/resolv.conf
# ping -c 1 www.google.com
ping: Warning: www.google.com has multiple addresses; using 74.125.205.105
PING www.google.com (74.125.205.105): 56 data bytes
64 bytes from 74.125.205.105: icmp_seq=0 ttl=46 time=24.032 ms
--- www.google.com ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 24.032/24.032/24.032/0.000 ms
# (facepalm #2)

For your head's protection I recommend that you add the following in your vm:

$ cat /etc/dhclient.conf
supersede domain-name-servers 192.168.1.1

Cheers,
Bruno
Re: smtpd relay problem
On 02.05.18 15:05, Rudolf Sykora wrote:
> Hello misc,
>
> I just wanted to send mail through my gmail account
> using smtpd in the relay mode.
> I am unsuccessful so far, and do not understand what's
> going wrong.
>
> smtpd log of the attempt to send the email follows.
> Can anybody help, please?
>
> Thanks
> Ruda
>
> [snip debug output]
>
>
> my /etc/mail/smtpd.conf:
>
> table aliases file:/etc/mail/aliases
> table secrets file:/etc/mail/secrets
>
> listen on lo0
>
> accept for local alias deliver to mbox
> accept for any relay \
> via secure+auth://a...@smtp.gmail.com \
> auth \
> as rudolf.syk...@gmail.com
> -
>
>
>
> my /etc/mail/secrets
> ---
> A rudolf.syk...@gmail.com:MY_PASSWORD
> ---

Hi Ruda,

According to Google, smtp.gmail.com listens on port 465/tcp and 587/tcp. If I get it right from your debug output your mail server tries to talk to smtp.gmail.com on port 25/tcp. But this port is not open on smtp.gmail.com according to [1]

Either of the following modifications in your config should work:

via smtps+auth://a...@smtp.gmail.com:465 \

or

via tls+auth://a...@smtp.gmail.com:587 \

Cheers,
Bruno

[1] https://support.google.com/a/answer/176600?hl=en
Re: Syn flood crashed my LAN
On 12.02.18 01:26, Martin Hanson wrote:
> Hi,
>
> I have a home network that is segmented into 3 different zones using a NIC
> with 4 ports sitting on an OpenBSD firewall/dhcp server. One port is
> connected to the Internet (ISP router) and each of the three others has a
> D-Link DGS-1005D switch connected to each.
>
> So..
>
> LAN1 = 192.168.1.0
> LAN2 = 192.168.2.0
> LAN3 = 192.168.3.0
>
> Learning more about networking I wanted to test a SYN flood so I set up a
> couple of boxes on LAN1 and LAN3 to flood a box on LAN2. I used "hping3" with
> the "S" and "flood" options.
>
> Running a regular ping in a terminal I could see how the response time
> decreased and eventually the box began to lose packages.
>
> However after a while it seemed like the entire internal network went down.
>
> No box on any LAN could get an IP address from the DHCP server on the OpenBSD
> box.
>
> I eventually rebooted the OpenBSD box, but that didn't immediately help, and
> only after powering down the switches and powering the switches on again,
> everything worked again.
>
> I have been looking through the PF documentation to see if PF somehow blocks
> SYN flooding, but I am not using synproxy on any rules.
>
> What could cause such a "melt down" of the entire network because of a SYN
> flood to a box?
>
> I suspect that the D-Link switches are pretty bad and maybe are the cause of
> the problem?
>
> I eventually will try again to see if I can determine what's causing the
> "melt down", but I want to know if anyone perhaps has experienced similar
> results during some testing?
>
> Many thanks in advance.
>
> Kind regards,
>
> Martin

You ran a denial of service attack against your home network. As a result your network denies service. Sounds like you have proven that syn flooding is an effective denial of service attack in your network.

Yes, your switches cannot handle the amount of traffic you are putting on them. No, your switches are not the problem. Your syn flooding of the network is causing the problem.

Cheers,
Bruno

--
I really hope this whole thing works, I won't be able to test everything beforehand
Re: font path ignorance
On 24.01.18 06:20, Ed Ahlsen-Girard wrote:
> Built a new system, and it didn't have all the fonts that were on the
> old one. I looked for msttcorefonts as a package, and didn't find it. So
> I went through ports and found it, and some other font sets that I
> remembered from before, make, make build, make install.
>
> At the end of each make install I was advised to add the new fonts to my
> fontpath, but I don't know where that lives, and apropos returns
> only XSetFontPath, XFreeFontPath, XGetFontPath(3), seemingly indicating
> that this is done programmatically.
>
> There are new directories in /usr/local/share/fonts.
>
> The new fonts do not show up in LibreOffice. I do, however, have many
> noto fonts for languages that I don't need to work with very often. So
> to speak.
>
> What have I missed?
>
> --
>
> Edward Ahlsen-Girard
> Ft Walton Beach, FL

In my ~/.xsession script I have the following part to make sure all font paths get added when I log in:

xset fp default
for font in /usr/local/share/fonts/* ; do
	xset fp+ $font
done
xset fp rehash

Cheers,
Bruno
Re: touchpad input driver: testing needed
I've tested it on my HP ProBook 450 G3 with the snapshot from July 30. In xorg.conf I've put the block you've proposed, there is nothing else in it.

Cursor moves: OK
Tapping: OK, one finger = left click, two fingers = right click
Swapsides: not OK, scroll bar moves the same way my fingers move on the touchpad, no matter what the setting is
Scaling/Speed: OK

Thank you very much for your work!

# wsconsctl | grep mouse
mouse.type=synaptics
mouse.rawmode=0
mouse.scale=1472,5716,1408,4886,0,46,80
mouse.tp.tapping=1
mouse.tp.scaling=0.167
mouse.tp.swapsides=0
mouse.tp.disable=0

OpenBSD 6.1-current (GENERIC.MP) #21: Sun Jul 30 09:58:05 MDT 2017 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP real mem = 17055059968 (16264MB) avail mem = 16531820544 (15765MB) mpath0 at root scsibus0 at mpath0: 256 targets mainbus0 at root bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xd9a23000 (34 entries) bios0: vendor HP version "N78 Ver. 01.14" date 08/08/2016 bios0: HP HP ProBook 450 G3 acpi0 at bios0: rev 2 acpi0: sleep states S0 S3 S4 S5 acpi0: tables DSDT FACP SSDT SSDT TCPA SSDT UEFI SSDT SSDT MSDM SLIC HPET APIC MCFG SSDT SSDT SSDT SSDT SSDT NHLT FPDT BGRT SSDT acpi0: wakeup devices PEGP(S4) PEG1(S4) PEGP(S4) PEG2(S4) PEGP(S4) PEG0(S4) GLAN(S4) XHC_(S3) XDCI(S4) HDAS(S4) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits acpihpet0 at acpi0: 2399 Hz acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz, 2400.00 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SENSOR,ARAT cpu0: 256KB 64b/line 8-way L2 cache cpu0: TSC frequency 24 Hz cpu0: smt 0, core 0, package 0 mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges cpu0: apic clock running at 23MHz cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1.1.1, IBE cpu1 at mainbus0: apid 2 (application processor) cpu1: Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz, 2400.00 MHz cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SENSOR,ARAT cpu1: 256KB 64b/line 8-way L2 cache cpu1: smt 0, core 1, package 0 cpu2 at mainbus0: apid 1 (application processor) cpu2: Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz, 2400.00 MHz cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SENSOR,ARAT 
cpu2: 256KB 64b/line 8-way L2 cache cpu2: smt 1, core 0, package 0 cpu3 at mainbus0: apid 3 (application processor) cpu3: Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz, 2400.00 MHz cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SENSOR,ARAT cpu3: 256KB 64b/line 8-way L2 cache cpu3: smt 1, core 1, package 0 ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 120 pins acpimcfg0 at acpi0 addr 0xf800, bus 0-63 acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus -1 (PEG1) acpiprt2 at acpi0: bus -1 (PEG2) acpiprt3 at acpi0: bus -1 (PEG0) acpiprt4 at acpi0: bus -1 (RP01) acpiprt5 at acpi0: bus -1 (RP02) acpiprt6 at acpi0: bus -1 (RP03) acpiprt7 at acpi0: bus -1 (RP04) acpiprt8 at acpi0: bus 1 (RP05) acpiprt9 at acpi0: bus 2 (RP06) acpiprt10 at acpi0: bus -1 (RP07) acpiprt11 at acpi0: bus -1 (RP08) acpiprt12 at acpi0: bus 3 (RP09) acpiprt13 at acpi0: bus -1 (RP10) acpiprt14 at acpi0: bus -1 (RP11) acpiprt15 at acpi0: bus -1 (RP12) acpiprt16 at acpi0: bus -1 (RP13) acpiprt17 at acpi0: bus -1 (RP14) acpiprt18 at acpi0: bus -1 (RP15) acpiprt19 at acpi0: bus -1 (RP16) acpiprt20 at acpi0: bus -1 (RP17) acpiprt21 at acpi0: bus -1 (RP18) acpiprt22 at acpi0: bus -1 (RP19) acpiprt23 at acpi0: bus -1 (RP20) acpiec0 at acpi0 ac
Re: querying scsi id/wwn for scsi disk
On Thu, Mar 30, 2017 at 07:21:22AM -0400, Jiri B wrote: > On Thu, Mar 30, 2017 at 12:59:00PM +0200, Bruno Flueckiger wrote: > > I see your point with the installer. Default labels make the disks > > indistinguishable. The following diff prints the raw infos from dmesg > > rather than the current list of disks: > > > > Index: distrib/miniroot/install.sub > > === > > RCS file: /cvs/src/distrib/miniroot/install.sub,v > > retrieving revision 1.988 > > diff -u -p -r1.988 install.sub > > --- distrib/miniroot/install.sub13 Mar 2017 17:08:31 - 1.988 > > +++ distrib/miniroot/install.sub30 Mar 2017 10:44:01 - > > @@ -264,13 +264,7 @@ diskinfo() { > > local _d > > > > for _d; do > > - make_dev $_d > > - echo -n "$_d: " > > - disklabel -dpg $_d 2>/dev/null | > > - sed -e '/^label: /{s,,,;s/ *$//;s/^$//;h;d;}' \ > > - -e '/.*# total bytes: \(.*\)/{s//(\1)/;H;}' \ > > - -e '$!d;x;s/\n/ /' > > - rm -f /dev/{r,}$_d? > > + sed -n "/^$_d/p" /var/run/dmesg.boot > > done > > } > > > > Your proposition is good for the installer? I doubt it. > > j. AFAICT the function diskinfo() is only called once in the installer: if you press ? a the prompt for the root disk. So my diff just changes the output in this case, no other functionality is affected. What causes your doubt?
Re: querying scsi id/wwn for scsi disk
On Thu, Mar 30, 2017 at 04:53:51AM -0400, Jiri B wrote: > On Thu, Mar 30, 2017 at 10:25:18AM +0200, Bruno Flueckiger wrote: > > > how to query scsi id or wwn for a scsi disk in OpenBSD? I'd like to get > > > this > > > info and extend installer to provide more info about disks (because > > > currently > > > it's imposible to distinguish between scsi disks if they are same size and > > > originate from same iscsi target and passed to OpenBSD via qemu-kvm). > > > > > > So what's OpenBSD equivalent scsi query for Linux commands? > > > > > > # lsscsi -iws | tail -n1 > > > [6:0:0:10] disk0x6006048c8f0ff1a5c7ef85c8d1c95 /dev/sdd > > > 36006048c8f0ff1a5c7ef85c8d1c95481 16.1GB > > > > > > # /usr/lib/udev/scsi_id -xg /dev/sdd > > > ID_SCSI=1 > > > ID_VENDOR=EMC > > > ID_VENDOR_ENC=EMC\x20\x20\x20\x20\x20 > > > ID_MODEL=Celerra > > > ID_MODEL_ENC=Celerra\x20\x20\x20\x20\x20\x20\x20\x20\x20 > > > ID_REVISION=0002 > > > ID_TYPE=disk > > > ID_SERIAL=36006048c8f0ff1a5c7ef85c8d1c95481 > > > ID_SERIAL_SHORT=6006048c8f0ff1a5c7ef85c8d1c95481 > > > ID_WWN=0x6006048c8f0ff1a5 > > > ID_WWN_VENDOR_EXTENSION=0xc7ef85c8d1c95481 > > > ID_WWN_WITH_EXTENSION=0x6006048c8f0ff1a5c7ef85c8d1c95481 > > > ID_SCSI_SERIAL=EMC-Celerra-iSCSI-VLU-fs179_T5_LUN10_CKM00120100230 > > > > $ dmesg | grep scsi > > > > sd1 at scsibus2 targ 0 lun 0: SCSI3 > > 0/direct fixed naa.6001405635870b3d9e95d40c9d9221d1 > > sd2 at scsibus2 targ 0 lun 1: SCSI3 > > 0/direct fixed naa.6001405dcc70b1dd909ed44f8db0d6d6 > > disklabel sd1 | grep label > > For sd1 and sd2 please. This is what is printed in installer. See diskinfo() > in src/distrib/miniroot/install.sub > > If it does print just 'iSCSI Storage 3.1' then this is not very > useful info in the installer (although one can break and investigate dmesg) > > So maybe disklabel should have better 'label' or we could print more info > directly in the installer. 
> > I'm also not sure sysctl hw.disknames output is best one, it does show duid > which is OpenBSD specific (compare disklabel with and without '-d'). > > It seems there's no good solution fitting all cases (softraid, usb disks, > both are scsi-like devices). > > j. # disklabel sd1 | grep label label: iSCSI Storage # disklabel sd2 | grep label label: iSCSI Storage I see your point with the installer. Default labels make the disks indistinguishable. The following diff prints the raw infos from dmesg rather than the current list of disks: Index: distrib/miniroot/install.sub === RCS file: /cvs/src/distrib/miniroot/install.sub,v retrieving revision 1.988 diff -u -p -r1.988 install.sub --- distrib/miniroot/install.sub13 Mar 2017 17:08:31 - 1.988 +++ distrib/miniroot/install.sub30 Mar 2017 10:44:01 - @@ -264,13 +264,7 @@ diskinfo() { local _d for _d; do - make_dev $_d - echo -n "$_d: " - disklabel -dpg $_d 2>/dev/null | - sed -e '/^label: /{s,,,;s/ *$//;s/^$//;h;d;}' \ - -e '/.*# total bytes: \(.*\)/{s//(\1)/;H;}' \ - -e '$!d;x;s/\n/ /' - rm -f /dev/{r,}$_d? + sed -n "/^$_d/p" /var/run/dmesg.boot done }
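Review bot: the replacement line `sed -n "/^$_d/p" /var/run/dmesg.boot` matches by prefix, so asking for sd1 also prints the lines for sd10 through sd19 (and sd100 and up); anchor the name on the character that follows it, e.g. `sed -n "/^$_d[ :]/p" /var/run/dmesg.boot`, which still catches both the `sd1 at scsibus2 ...` attach line with the naa. identifier and the `sd1: 16384MB, ...` size line. The deleted branch also printed the disklabel total size and removed the device nodes it had created with make_dev; the dmesg size line covers the former, but the commit message should say that the output of the `?` listing changes format, and it is worth confirming that /var/run/dmesg.boot is present on the install ramdisk, otherwise `dmesg | sed -n "/^$_d[ :]/p"` gives the same result.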
Re: querying scsi id/wwn for scsi disk
On Thu, Mar 30, 2017 at 04:04:51AM -0400, Jiri B wrote:
> Hi,
>
> how to query scsi id or wwn for a scsi disk in OpenBSD? I'd like to get this
> info and extend installer to provide more info about disks (because currently
> it's impossible to distinguish between scsi disks if they are same size and
> originate from same iscsi target and passed to OpenBSD via qemu-kvm).
>
> Currently OpenBSD does show for such SCSI disk something like (taken from
> disklabel):
>
> ...
> Which disk is the root disk? ('?' for details) [sd0] ?
> sd0: Celerra (20.0G)
> ^^^ ^
>
> # scsi -f /dev/rsd0c -c "12 0 0 0 64 0" -i 0x64 "s8 z8 z16 z4"
> EMC Celerra 0002
>
> So what's OpenBSD equivalent scsi query for Linux commands?
>
> # lsscsi -iws | tail -n1
> [6:0:0:10] disk0x6006048c8f0ff1a5c7ef85c8d1c95 /dev/sdd
> 36006048c8f0ff1a5c7ef85c8d1c95481 16.1GB
>
> # /usr/lib/udev/scsi_id -xg /dev/sdd
> ID_SCSI=1
> ID_VENDOR=EMC
> ID_VENDOR_ENC=EMC\x20\x20\x20\x20\x20
> ID_MODEL=Celerra
> ID_MODEL_ENC=Celerra\x20\x20\x20\x20\x20\x20\x20\x20\x20
> ID_REVISION=0002
> ID_TYPE=disk
> ID_SERIAL=36006048c8f0ff1a5c7ef85c8d1c95481
> ID_SERIAL_SHORT=6006048c8f0ff1a5c7ef85c8d1c95481
> ID_WWN=0x6006048c8f0ff1a5
> ID_WWN_VENDOR_EXTENSION=0xc7ef85c8d1c95481
> ID_WWN_WITH_EXTENSION=0x6006048c8f0ff1a5c7ef85c8d1c95481
> ID_SCSI_SERIAL=EMC-Celerra-iSCSI-VLU-fs179_T5_LUN10_CKM00120100230
>
> Thank you for help, it would help me playing with iscsi luns on OpenBSD.
>
> j.

Infos about disks are printed to the console as soon as a disk is attached. So you can use dmesg and grep for scsi to get the info you want:

$ dmesg | grep scsi
scsibus0 at mpath0: 256 targets
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0: SCSI3 0/direct fixed naa.
vscsi0 at root
scsibus2 at vscsi0: 256 targets
scsibus3 at softraid0: 256 targets
sd1 at scsibus2 targ 0 lun 0: SCSI3 0/direct fixed naa.6001405635870b3d9e95d40c9d9221d1
sd2 at scsibus2 targ 0 lun 1: SCSI3 0/direct fixed naa.6001405dcc70b1dd909ed44f8db0d6d6

Cheers,
Bruno
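The two dmesg questions on this page, which uhid(4) instances hang off a given uhidev(4) (the ergonomic-mouse thread) and which naa.* identifier belongs to which sd(4) disk (this thread), are the same job: pick the lines of one device out of dmesg without letting `uhidev4` also match `uhidev40` or `sd1` match `sd10`, which a bare `grep "uhid. at uhidev4"` or `grep ^sd1` does not guarantee. The script below is an added example, not from either thread and not the installer's code; the dmesg excerpt it parses is constructed (only the naa.* values for sd1 and sd2 are taken from this thread, the product strings and everything else are made up).

```shell
#!/bin/sh
# Added example, not from the threads: look up one device's dmesg lines with
# the name compared as a whole field, so uhidev4 never matches uhidev40 and
# sd1 never matches sd10. On a host, feed real output:  dmesg | children_of uhidev4

# Constructed dmesg excerpt in the kernel's attach-line format (product
# strings and most identifiers are made up; the sd1/sd2 naa values come
# from the thread).
SAMPLE_DMESG='uhidev4 at uhub0 port 2 configuration 1 interface 0 "Example USB Keyboard" rev 2.00/1.00 addr 3
uhidev4: iclass 3/1
ukbd0 at uhidev4: 8 variable keys, 6 key codes
uhidev5 at uhub0 port 2 configuration 1 interface 1 "Example USB Keyboard" rev 2.00/1.00 addr 3
uhidev5: iclass 3/0, 3 report ids
uhid0 at uhidev5 reportid 1: input=1, output=0, feature=0
uhid1 at uhidev5 reportid 2: input=3, output=0, feature=0
uhidev40 at uhub1 port 1 configuration 1 interface 0 "Example Mouse" rev 2.00/1.00 addr 4
ums0 at uhidev40: 3 buttons, Z dir
sd1 at scsibus2 targ 0 lun 0: <LIO-ORG, iSCSI Storage, 3.1> SCSI3 0/direct fixed naa.6001405635870b3d9e95d40c9d9221d1
sd1: 16384MB, 512 bytes/sector, 33554432 sectors
sd10 at scsibus2 targ 0 lun 9: <LIO-ORG, iSCSI Storage, 3.1> SCSI3 0/direct fixed naa.600140500000000000000000000000aa
sd10: 16384MB, 512 bytes/sector, 33554432 sectors
sd2 at scsibus2 targ 0 lun 1: <LIO-ORG, iSCSI Storage, 3.1> SCSI3 0/direct fixed naa.6001405dcc70b1dd909ed44f8db0d6d6
sd2: 16384MB, 512 bytes/sector, 33554432 sectors'

# children_of PARENT  < dmesg: devices that attached to PARENT, one per line.
# The parent is field 3 of an attach line, with or without a trailing colon.
children_of() {
	awk -v p="$1" '$2 == "at" && ($3 == p || $3 == (p ":")) { print $1 }'
}

# device_lines DEV  < dmesg: every line belonging to exactly DEV (the attach
# line plus the "DEV: ..." detail lines), which is what an installer listing
# would print for one disk.
device_lines() {
	awk -v d="$1" '$1 == d || $1 == (d ":")'
}

# disk_id DEV  < dmesg: the naa.* identifier from DEV's attach line, if any.
disk_id() {
	awk -v d="$1" '$1 == d && $2 == "at" { for (i = 3; i <= NF; i++) if ($i ~ /^naa\./) print $i }'
}

# product_name DEV  < dmesg: the quoted product string from DEV's attach line,
# usable in a hotplugd(8) attach script to decide which keyboard just arrived.
product_name() {
	awk -v d="$1" '$1 == d && $2 == "at" && match($0, /"[^"]*"/) { print substr($0, RSTART + 1, RLENGTH - 2) }'
}

# sample FUNCTION ARGS: run one of the lookups over the constructed excerpt.
sample() { printf '%s\n' "$SAMPLE_DMESG" | "$@"; }
```

For the installer question in this thread, `device_lines sd1` is the anchored form of the `sed -n "/^sd1/p"` idea: it keeps the attach line with the naa.* identifier and the size line, and leaves sd10's lines out.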
Re: serial port expansion card
On Fri, Mar 03, 2017 at 08:54:02AM +0100, Jan Stary wrote:
> On Mar 03 08:46:11, h...@stare.cz wrote:
> > This is current/amd64 (dmesg below). I got me this
> > https://www.alza.cz/EN/axago-pcea-s2-d277216.htm
> > to have two extra serial ports to connect to my ALIXes.
> > It shows up in dmesg as
> >
> > puc0 at pci2 dev 0 function 0 "NetMos Nm9922" rev 0x00: ports: 1 com
> > com4 at puc0 port 0 apic 2 int 16: st16650, 32 byte fifo
> > puc1 at pci2 dev 0 function 1 "NetMos Nm9922" rev 0x00: ports: 1 com
> > com5 at puc1 port 0 apic 2 int 17: st16650, 32 byte fifo
>
> Hm, puc(4) says
>
> The current design of this driver keeps any com ports on these
> cards from easily being used as console. Of course, because boards with
> those are PCI boards, they also suffer from dynamic address
> assignment, which also means that they can't easily be used as console.
>
> What do people use as a serial port expansion then
> to connect to the ALIX serial console?
>
> Jan

I use an old USB to serial adapter from HP which attaches as uftdi(4). There
are some other compatible chips listed in usb(4). In my experience USB to
serial adapters provide more flexibility and cause less headaches than
expansion cards.

Cheers,
Bruno
Re: Flaw in ipsec.conf(5)?
After discussing this with Philipp Buehler off list I have reworked my diff to make things easier in the example. The paragraph which contains set skip on enc0 just before the ruleset is removed. All filtering in the rule set is done on sk0, skipping enc0 entirely. The new rule set looks like this: block on sk0 set skip on enc0 pass in on sk0 proto udp from 192.168.3.2 to 192.168.3.1 \ port {500, 4500} pass out on sk0 proto udp from 192.168.3.1 to 192.168.3.2 \ port {500, 4500} pass in on sk0 proto esp from 192.168.3.2 to 192.168.3.1 pass out on sk0 proto esp from 192.168.3.1 to 192.168.3.2 pass in on sk0 from 10.0.2.0/24 to 10.0.1.0/24 \ keep state (if-bound) pass out on sk0 from 10.0.1.0/24 to 10.0.2.0/24 \ keep state (if-bound) Index: sbin/ipsecctl/ipsec.conf.5 === RCS file: /cvs/src/sbin/ipsecctl/ipsec.conf.5,v retrieving revision 1.151 diff -u -p -r1.151 ipsec.conf.5 --- sbin/ipsecctl/ipsec.conf.5 9 Dec 2015 21:41:50 - 1.151 +++ sbin/ipsecctl/ipsec.conf.5 27 May 2016 11:07:55 - @@ -493,20 +493,12 @@ Match traffic of phase 2 SAs using the keyword. .El .Pp -If the filtering rules specify to block everything by default, -the following rule -would ensure that IPsec traffic never hits the packet filtering engine, -and is therefore passed: -.Bd -literal -offset indent -set skip on enc0 -.Ed -.Pp In the following example, all traffic is blocked by default. IPsec-related traffic from gateways {192.168.3.1, 192.168.3.2} and networks {10.0.1.0/24, 10.0.2.0/24} is permitted. .Bd -literal -offset indent block on sk0 -block on enc0 +set skip on enc0 pass in on sk0 proto udp from 192.168.3.2 to 192.168.3.1 \e port {500, 4500} 
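Review bot: the paragraph removed at the top of this hunk was the only text explaining what `set skip on enc0` does, yet the same hunk now puts `set skip on enc0` into the example in place of `block on enc0`. A reader of the example no longer learns that skipping enc0 means IPsec-processed packets are not filtered on enc0 at all; keep a one-sentence note to that effect before the `.Bd -literal` block, or leave the explanatory paragraph in place and only change the ruleset.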
@@ -516,13 +508,9 @@ pass out on sk0 proto udp from 192.168.3 pass in on sk0 proto esp from 192.168.3.2 to 192.168.3.1 pass out on sk0 proto esp from 192.168.3.1 to 192.168.3.2 -pass in on enc0 proto ipencap from 192.168.3.2 to 192.168.3.1 \e - keep state (if-bound) -pass out on enc0 proto ipencap from 192.168.3.1 to 192.168.3.2 \e - keep state (if-bound) -pass in on enc0 from 10.0.2.0/24 to 10.0.1.0/24 \e +pass in on sk0 from 10.0.2.0/24 to 10.0.1.0/24 \e keep state (if-bound) -pass out on enc0 from 10.0.1.0/24 to 10.0.2.0/24 \e +pass out on sk0 from 10.0.1.0/24 to 10.0.2.0/24 \e keep state (if-bound) .Ed .Pp
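Review bot: the two inner-subnet rules are changed from `on enc0` to `on sk0` in this hunk, but sk0 carries the tunnel traffic only as ESP, which the `proto esp` rules above already pass, while the decapsulated 10.0.1.0/24 and 10.0.2.0/24 packets are what the removed enc0 rules used to filter, and the previous hunk now skips enc0. As written these two sk0 rules match nothing on the tunnel path and the example stops filtering inner traffic altogether; if that is intended, the sentence above the example saying traffic for those networks "is permitted" should say it is not filtered, otherwise keep the enc0 rules together with `block on enc0`.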
Re: Flaw in ipsec.conf(5)?
On Thu, May 26, 2016 at 08:41:49AM +0100, Jason McIntyre wrote:
> On Tue, May 24, 2016 at 10:53:16AM +0200, Bruno Flueckiger wrote:
> > Hi,
> >
> > I've tested IPsec connections in my lab. The setup looks like this:
> >
> > [cli] <-- vlan10 --> [gw1] <> [inet] <> [gw2] <-- vlan20 --> [srv]
> >                               IPsec=
>
> i think you should provide more details of your setup first. for
> example, ipsec.conf(5) shows pf rules for ipencap but you only provide a
> small snippet of your pf.conf. no vlan details. none of your tcpdump
> output that leads you to this conclusion. no routing details.
>
> then keep your fingers crossed. i think most people run for the hills
> when they see ipsec mail.
>
> jmc
>

The network config looks like this:

vlan10: [cli] .11 <- 10.19.1.0/24 -> .1 [gw1]
vlan20: [gw2] .1 <- 10.81.1.0/24 -> .11 [srv]

The simulated internet between the gateways is one OpenBSD box which forwards
packets between the two subnets 10.0.19.0/24 and 10.0.81.0/24:

[gw1] .2 <- 10.0.19.0/24 -> .1 [inet] .1 <- 10.0.81.0/24 -> .2 [gw2]

There are no vlans defined for the two subnets between the gateways and the
[inet] box. All machines are running OpenBSD 5.9-release on a VMware ESXi 5.5.
All network adapters are vmx, each adapter is connected to a vSphere standard
switch. There is one vSphere switch for each subnet. None of the switches have
physical nics assigned.
This is the ipsec.conf on [gw1]:

local_ip="10.0.19.2"
remote_ip="10.0.81.2"
local_net="10.19.1.0/24"
remote_net="10.81.1.0/24"

ike esp from $local_ip to $remote_ip
ike esp from $local_ip to $remote_net
ike esp from $local_net to $remote_net

This is the pf.conf on [gw1] in the version that blocks ipsec traffic on
interface enc0:

wan_if="vmx0"
local_net="10.19.1.0/24"
remote_ip="10.0.81.2"
remote_net="10.81.1.0/24"
icmp_types="{ echoreq unreach }"
ike_ports="{ isakmp ipsec-nat-t }"

set block-policy return
set skip on lo

match in all scrub (no-df random-id reassemble tcp)

block log all

pass in from (self)
pass out on $wan_if from (self) to any keep state
pass inet proto icmp all icmp-type $icmp_types keep state

pass in on vlan10 inet proto tcp from $local_net to vlan10 port ssh \
    keep state (if-bound)

# Allow traffic for IPsec tunnel setup
pass in on $wan_if proto udp from $remote_ip to $wan_if \
    port $ike_ports
pass out on $wan_if proto udp from $wan_if to $remote_ip \
    port $ike_ports

# Allow esp packets between tunnel endpoints
pass in on $wan_if proto esp from $remote_ip to $wan_if \
    keep state (if-bound)
pass out on $wan_if proto esp from $wan_if to $remote_ip \
    keep state (if-bound)

# Allow encapsulated IP packets
pass in on enc0 proto ipencap from $remote_ip to $wan_if \
    keep state (if-bound)
pass out on enc0 proto ipencap from $wan_if to $remote_ip \
    keep state (if-bound)

# Allow traffic between the subnets
pass in on vlan10 from $local_net to $remote_net keep state
pass out on enc0 from $local_net to $remote_net keep state (if-bound)
pass in on enc0 from $remote_net to $local_net keep state (if-bound)
pass out on vlan10 from $remote_net to $local_net keep state

I run tcpdump -nettti pflog0 on [gw1]. Then I try to connect from [cli] to
[srv] by running ssh 10.81.1.11.
This is the output from tcpdump when using the above pf.conf on [gw1]:

tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
May 27 08:27:04.754155 rule 1/(match) block out on enc0: esp 10.0.19.2 > 10.0.81.2 spi 0x621d35d7 seq 8 len 120
May 27 08:27:10.743030 rule 1/(match) block out on enc0: esp 10.0.19.2 > 10.0.81.2 spi 0x621d35d7 seq 9 len 120
May 27 08:27:22.739668 rule 1/(match) block out on enc0: esp 10.0.19.2 > 10.0.81.2 spi 0x621d35d7 seq 10 len 120
May 27 08:27:46.732233 rule 1/(match) block out on enc0: esp 10.0.19.2 > 10.0.81.2 spi 0x621d35d7 seq 11 len 120

This made me include the interface enc0 in the two rules for esp packets.
After this the connection works as expected. That made me write the patch.

If something is unclear in my description or even more details are needed I'm
happy to provide those.

Cheers,
Bruno
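A pflog triage helper, added here and not part of the thread, that condenses `tcpdump -nettti pflog0` output like the above into per-rule counters by interface and protocol so drops on enc0 stand out; the sample lines are constructed (the enc0 ones after the quoted output, the vmx0 and vlan10 lines invented for contrast).

```shell
# Added example, not part of the thread: summarise pflog output from
# `tcpdump -nettti pflog0` so a block rule catching tunnel traffic on enc0
# (the situation described above) is visible at a glance.

# Constructed pflog excerpt: the enc0 lines follow the ones quoted in the
# thread, the vmx0 and vlan10 lines are made up for contrast.
SAMPLE_PFLOG='tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
May 27 08:27:04.754155 rule 1/(match) block out on enc0: esp 10.0.19.2 > 10.0.81.2 spi 0x621d35d7 seq 8 len 120
May 27 08:27:10.743030 rule 1/(match) block out on enc0: esp 10.0.19.2 > 10.0.81.2 spi 0x621d35d7 seq 9 len 120
May 27 08:27:12.000000 rule 9/(match) pass in on vmx0: esp 10.0.81.2 > 10.0.19.2 spi 0x0a0b0c0d seq 4 len 120
May 27 08:27:22.739668 rule 1/(match) block out on enc0: esp 10.0.19.2 > 10.0.81.2 spi 0x621d35d7 seq 10 len 120
May 27 08:27:30.000000 rule 1/(match) block in on vlan10: 10.19.1.11.40000 > 10.81.1.11.22: S 1:1(0) win 16384'

# pflog_summary [file]: one line per (action, direction, interface, proto,
# rule) with its hit count, most frequent first. Without an argument the
# sample is used; on a real box: tcpdump -nettti pflog0 | pflog_summary -
pflog_summary() {
    if [ $# -gt 0 ]; then cat "$1"; else printf '%s\n' "$SAMPLE_PFLOG"; fi |
    awk '
        $4 == "rule" && $8 == "on" {
            split($5, r, "/")           # "1/(match)" -> rule number 1
            iface = $9; sub(/:$/, "", iface)
            # esp/ah/... appear as a keyword; tcp/udp flows start with the
            # source address instead, so they are counted as plain "ip"
            proto = ($10 ~ /^[a-z]+$/) ? $10 : "ip"
            hits[$6 " " $7 " " iface " " proto " rule " r[1]]++
        }
        END { for (k in hits) print hits[k], k }' | sort -rn
}

# blocked_on iface [file]: number of packets blocked on one interface.
blocked_on() {
    iface=$1; shift
    pflog_summary "$@" | awk -v iface="$iface" '
        $2 == "block" && $4 == iface { n += $1 }
        END { print n + 0 }'
}

# esp_blocked_on_enc0 [file]: exit 0 when ESP packets were dropped on enc0,
# which is the symptom the thread describes, 1 otherwise.
esp_blocked_on_enc0() {
    pflog_summary "$@" | awk '
        $2 == "block" && $4 == "enc0" && $5 == "esp" { hit = 1 }
        END { exit hit ? 0 : 1 }'
}

pflog_summary
```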
Flaw in ipsec.conf(5)?
Hi, I've tested IPsec connections in my lab. The setup looks like this: [cli] <-- vlan10 --> [gw1] <> [inet] <> [gw2] <-- vlan20 --> [srv] IPsec= During the testing I think I've found a flaw in ipsec.conf(5). According to the man page the esp packets need to be passed on interface sk0: block on sk0 block on enc0 pass in on sk0 proto udp from 192.168.3.2 to 192.168.3.1 \ port {500, 4500} pass out on sk0 proto udp from 192.168.3.1 to 192.168.3.2 \ port {500, 4500} pass in on sk0 proto esp from 192.168.3.2 to 192.168.3.1 pass out on sk0 proto esp from 192.168.3.1 to 192.168.3.2 My test setup didn't allow communication between [cli] and [srv]. Checking the reason on [gw1] using tcpdump -nettti pflog0 shows that esp packets are blocked by pf on enc0. So I included the interface enc0 in the pass rules for esp packets. After this the connections work as expected. As a result of my tests I've created the diff below for ipsec.conf(5). Is this ok or did I miss something? Cheers, Bruno Index: sbin/ipsecctl/ipsec.conf.5 === RCS file: /cvs/src/sbin/ipsecctl/ipsec.conf.5,v retrieving revision 1.151 diff -u -p -r1.151 ipsec.conf.5 --- sbin/ipsecctl/ipsec.conf.5 9 Dec 2015 21:41:50 - 1.151 +++ sbin/ipsecctl/ipsec.conf.5 24 May 2016 08:24:49 - @@ -513,8 +513,8 @@ pass in on sk0 proto udp from 192.168.3 pass out on sk0 proto udp from 192.168.3.1 to 192.168.3.2 \e port {500, 4500} -pass in on sk0 proto esp from 192.168.3.2 to 192.168.3.1 -pass out on sk0 proto esp from 192.168.3.1 to 192.168.3.2 +pass in on {sk0 enc0} proto esp from 192.168.3.2 to 192.168.3.1 +pass out on {sk0 enc0} proto esp from 192.168.3.1 to 192.168.3.2 pass in on enc0 proto ipencap from 192.168.3.2 to 192.168.3.1 \e keep state (if-bound)
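Review bot: this hunk widens the esp pass rules to `{sk0 enc0}` but leaves `block on enc0` and the ipencap rules on enc0 unchanged, so the example now opens ESP on enc0 in both directions without the text saying why ESP is seen on enc0 at all; the pflog output elsewhere in the thread shows only `block out on enc0: esp`, so the inbound half of `pass in on {sk0 enc0} proto esp` is not backed by that evidence. Suggest adding a sentence to the man page explaining the enc0 match, or restricting the change to the direction actually observed.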
Re: light browsers
On 12.05.2016 00:26, 3sad68+aivzh013i5...@guerrillamail.com wrote:
> Hi, did anyone try Midori or other light browsers with good results ?
>
> Sent using GuerrillaMail.com
> Block or report abuse: https://www.guerrillamail.com/abuse/?a=TEhnBi0PU7Ebih2wvnENdQ%3D%3D

Midori works fine. But if your definition of "light" is "consumes little
resources" then I would recommend to use one of the browsers with a text
interface:

- w3m
- lynx
- links

Cheers,
Bruno
Re: OpenBSD mailserver success stories ?
On 26.04.2016 18:32, stan wrote:
> Given that, most of the things we are doing with FreeBSD, Apache, Samba,
> NFS etc, do not concern me as to doing them with OpenBSD. but I am a bit
> concerned about the mailserver. We use it for internal mail, and it gets
> mail from a large variety of systems, and devices, not all of which are
> modern. also I offer our users many options for retrieving their mail.
>
> With this in mind, I'd like to hear the experience of others using OpenBSD
> for mailserver.

I use OpenBSD for my own little mail server at home with Postfix and Courier
IMAP. This system was set up with OpenBSD 4.4 and got every new release of
OpenBSD since then.

At work I run two VMs with OpenBSD which act as incoming SMTP gateways. The
gateways eliminate spam and malware before forwarding mails to the internal
Exchange server. The system is built with Postfix, ClamAV and SpamAssassin.
Both servers process hundreds to thousands of mails each day.

Cheers,
Bruno
Re: 5.9 discs in the wild. Europe/Switzerland
On 21.04.2016 05:45, noah pugsley wrote:
> Thank you all for the best little correctness focused general purpose
> operating system in the known universe. With all the nonsense created
> every day, a little sanity now and then, is cherished by the wisest men.
>
> http://noahpugsley.net/59.jpg
>
> Cheers,
> -noah
>
> P.S. garbage.fm you both better be at bsdcan. I want to complain about
> everything !OpenBSD. And I think you do too.

In Switzerland the package arrived today: https://www.bsdhowto.ch/?p=102

Thanks to everybody involved.

Cheers,
Bruno
Re: OpenBSD 5.8 on VMware 5.5
On 01.12.2015 16:50, Felipe Gomes wrote:
> Folks,
>
> I've been trying to search for more information on OpenBSD as a VMWare
> guest, but I wasn't able to find much... and the information is pretty
> much outdated.
>
> What are the recommendations for OpenBSD 5.8 (amd64) as a guest on VMware
> 5.5?
>
> Guest Operating System: should I pick "Other (64bit)" or FreeBSD?
> How does OpenBSD work with "virtual sockets" and "cores per virtual socket"?
> What is the best NIC? E1000, E1000E, VMXNET2 ENHANCED or VMXNET3?
> What is the recommended SCSI Controller? LSI Logic Parallel, LSI Logic SAS
> or VMware Paravirtual?
>
> I'd believe that all of these options work... I just don't know which is
> more stable or perform better.
>
> Any other tips on fine tuning or special setting?
>
> I'm planning on migrating a few Soekris boxes to virtual machines. Is this
> reliable? Is anyone running production OpenBSD servers on VMware?
>
> Thanks in advance!

I run a productive SMTP server with OpenBSD 5.8-stable on VMware 5.5 for some
months and so far I didn't experience any problems. Guest OS is FreeBSD, NIC
is VMXNET3 and the controller is LSI Logic Parallel.

There are plans for more OpenBSD servers on VMware in the company I work for
due to the small footprint of the OS and the very good experience we have so
far.

Cheers,
Bruno
Re: Question re dhclient.conf
On 29.09.2014 13:39, Duncan Patton a Campbell wrote:
> On Mon, 29 Sep 2014 05:28:27 -0600
> Duncan Patton a Campbell wrote:
> > /etc/dhclient.conf used to contain a script "tosomfile" ; option that
> > could, amongst other things, be used to set a dynamic assigned dns
> > address to a named server. This functionality has been removed and I am
> > trying to figure out if there was some other mechanism to accomplish
> > this but I can't find any refs to it in the changes between 5.1 and 5.5.
> >
> > Any info would be appreciated.
> >
> > Thanks,
> >
> > Dhu
> >
> > --
> > Ne obliviscaris, vix ea nostra voco.
>
> I found it in the 5.3 changes..
>
> "Removed dhclient-script(8) and dhclient.conf(5) "script" directive. Do
> all interface and route configuration via ioctl's and routing sockets."
>
> Unfortunately this mechanism was used for more than just routing. And
> without a dhclient-script to hack I don't see how a dynamic address can
> be updated via the named/key mechanism.
>
> Dhu

If your goal is to set entries in DNS for a machine which acts as DHCP client
there are two other possibilities I know of:

1. Use a reservation in DHCP server together with fixed entries in DNS
2. Get ISC DHCP from ports and configure it to make dynamic updates to BIND

Depending on your exact setup there may be other ways to achieve the same as
you did with the script.

Bruno
Re: PF port forwarding issue
On 18.01.2014 01:49, Matt M wrote:
> I am using PF on 5.4-stable to NAT and firewall my network, but I can't
> get port forwarding to work. All requests end up at the OpenBSD box and
> go no further. For instance, I opened port 22 in PF to forward to a
> Centos box, but ssh on the openbsd box still takes the request. Port 80
> isn't working at all, as there is no apache on the openbsd box.
>
> PF is running on 192.168.2.160 and apache is on 192.168.2.170. I can
> access apache by directly connecting to 192.168.2.170
>
> Thanks for any help.
>
> PF.conf
> ---
> ext_if = "dc0"
> int_if = "vr0"
> icmp_types="echoreq"
>
> #OPTIONS
> set block-policy return
> set loginterface egress
> set skip on lo
>
> #default block incoming traffic
> block in log
>
> #PORT FORWARDING
> pass in on egress proto tcp from any to any port 22 rdr-to 192.168.2.170 port 22
> pass in on egress proto tcp from any to any port 80 rdr-to 192.168.2.170 port 80
>
> #NAT the entire network
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
>
> #pass outgoing traffic through firewall with no checking
> pass out quick
>
> #antispoof protection
> antispoof quick for { lo $int_if }
>
> pass in inet proto icmp all icmp-type $icmp_types

If you run the tests from your internal network I suggest that you read this
page carefully: http://openbsd.org/faq/pf/rdr.html. Pay special attention to
the subchapter Redirection and Reflection

HTH,
Bruno
Re: open bsd router
On 04.10.2013 15:05, Jan Stary wrote:
> Just to praise PC Engines a little bit more: when my ALIX.1C stopped
> working for some reason, I sent it to PC Engines, who found that the
> board is completely OK - it was my power supply that was faulty (which I
> could then confirm). Before sending it back, they kindly suggested that
> ALIX.1E is a newer model that replaces the ALIX.1C, so if I don't object
> ... which I didn't. The shipping didn't even cost me anything, and they
> just replaced my old 1C with a new 1E. Not to mention the chocolate.
>
> In short, their customer service is as good as the boards.

Reading this I almost regret that I never had any trouble with the boards so
far ;-)

This is true customer service.
Re: open bsd router
On 03.10.2013 23:37, alexey.kurin...@gmail.com wrote:
> My favorite:
> http://www.pcengines.ch/product.htm
> http://en.wikipedia.org/wiki/Raspberry_Pi
>
> Question is - what boards successfully used by members of
> misc@openbsd.org list? I'm glad to read members IMHO about used boards.

I'm using different boards from PC Engines for my servers at home. E.g. my
firewall is a WRAP board from PC Engines. This is the predecessor of their
ALIX board. It's almost seven years old and still working 24/7. Once in that
time I had to replace the CF card because it showed some write errors. Else
the only maintenance I've done on the board is to upgrade to the latest
release of OpenBSD every six months.

No, I'm not working for PC Engines. But I'm a huge fan of their products :-)

Regards,
Bruno
Re: VirtualBox+chive+mysql
On 14.08.2013 14:21, Tony Berth wrote:
> Dear group,
>
> I have following configuration:
>
> - latest Ubuntu amd64 server
> - VirtualBox running on the above Ubuntu server
> - openbsd 5.3 (amd64) with mysql and chive installed and running inside
>   VirtualBox
>
> when I try to connect to the openbsd mysql server from mysql workbench
> installed in Ubuntu, everything works fine. When I try the same but
> calling chive from the openbsd installation, I get 'CDbConnection failed
> to open the DB connection'.
>
> What is the difference?
>
> Thanks

Hi,

I don't have any knowledge about mysql workbench or chive. The usual suspects
would be:

- Wrong hostname
- Missing DNS entry for hostname
- Wrong DNS config on the OpenBSD VM
- Wrong username
- Wrong password

It's hard to tell where the problem is if you don't provide us with more
details.

Regards,
Bruno
Re: Sturdy and secure mail server
Hi Irek

I had pretty much the same requirements for my mail server at home as you
have. Over the time I got different mail accounts for different purposes. So I
wanted to consolidate all the accounts on my own server running in my home
network.

For several years (and releases) I've been running my home mail server under
OpenBSD. The server is not directly reachable as a MX host because I only use
a DynDNS address to access it from outside through a proxy server (nginx for
IMAP and SMTP) also running OpenBSD.

My mail server fetches the mails from all accounts via POP3 with fetchmail.
The mails are delivered to Postfix which acts as the mail server for my
internal domain at home. Postfix then delivers the mail to my personal user
account on the server using procmail. Procmail runs each mail through ClamAV
(antivirus) and SpamAssassin (antispam). Mails containing viruses are
delivered to /dev/null, mails recognized as spam are delivered to the Spam
folder. Every other mail is delivered to the mail folder specified in the
procmail recipe or, if there is no other destination specified in
.procmailrc, to the INBOX.

All mails are stored in ~/mails which is a Maildir folder structure. I prefer
Maildir to store mails because it creates a file for each mail. This makes
backup and restore much easier.

I use Courier IMAP to access all my mails through IMAP clients like
Thunderbird (on all my clients) and - since some days - BlackBerry Z10 (access
from the Internet through the IMAP proxy feature of nginx). This way I always
have the same view of my mailbox, no matter which client I use. No more
manual sync or having mails downloaded to the "wrong" client. My Maildir
folders also act as the archive for my mails.

All components on my mail server of course support TLS. I've configured
Postfix and Courier IMAP to support TLS. For this I use my personal PKI. It is
based on a self-signed root CA with two sub CAs, one for client certificates
and one for server certificates.
I make an hourly backup of my mails folder using rsync to one of my NAS.
Additionally there is the daily backup using dump of the whole mail server.

I hope my explanations give some ideas about how you could solve your
problem. Feel free to contact me if you would like to get more details about
the configuration.

Best regards,
Bruno
Re: nginx in 5.2 without mail proxy features - Reasons?
On 19.04.2013 14:32, Jiri B wrote:
> I would say maybe because nginx' purpose in base install is to be
> webserver ? :)
>
> You can use one from ports.
>
> jirib

The ports tree didn't come to my mind when I was writing my mail. Thanks for
the hint.

I see the point that it is meant to be a webserver. And I know that nginx is
the designated replacement for Apache in the base system according to the
release notes for 5.2. Don't get me wrong: I don't want to criticize the
decision to do so. I'm just curious if there are also other reasons, e.g.
security considerations, code which is not audited (yet), performance,
whatever. Information of this kind could help me to decide if I trust nginx
enough to use it on productive systems or not.

Bruno
nginx in 5.2 without mail proxy features - Reasons?
Today I wanted to test the mail reverse proxy features of nginx. For this I've
installed a fresh VM running release 5.2. To my surprise I had to realize that
nginx is compiled without the mail proxy features in the base system.

[bruno@gateway ~]$ /usr/sbin/nginx -V
nginx version: nginx/1.2.2
built by gcc 4.2.1 20070719
TLS SNI support enabled
configure arguments: --prefix=/var/www --conf-path=/etc/nginx/nginx.conf
--sbin-path=/usr/sbin/nginx --pid-path=/var/run/nginx.pid
--lock-path=/var/run/nginx.lock --http-log-path=logs/access.log
--error-log-path=logs/error.log
--http-client-body-temp-path=/var/www/cache/client_body_temp
--http-proxy-temp-path=/var/www/cache/proxy_temp
--http-fastcgi-temp-path=/var/www/cache/fastcgi_temp
--http-scgi-temp-path=/var/www/cache/scgi_temp
--http-uwsgi-temp-path=/var/www/cache/uwsgi_temp --user=www --group=www
--with-http_gzip_static_module --with-http_ssl_module
--with-http_stub_status_module --with-ipv6 --without-mail_pop3_module
--without-mail_imap_module --without-mail_smtp_module

The last two lines show that all three mail modules (POP3/IMAP/SMTP) had been
disabled by configure before compilation took place.

Can anybody please tell me if this has a special reason (maybe security)?

Thanks in advance,
Bruno
Re: Strange ksh history behaviour
On 07.01.2013 14:54, Sébastien Marie wrote:
> In order to keep EDITOR to vi, you should set VISUAL to "emacs" in your
> .profile:
>
> VISUAL=emacs
> EDITOR=vi
> export VISUAL EDITOR

Thanks a lot. You just solved one of those small problems I've had for years
on all my OpenBSD systems. It was a pain in the ass to me at rare intervals.
Therefore I was too lazy to read the man page. But now I'm very happy about
knowing this solution. :-)

..
Bruno Flückiger