Re: Intel I210 ethernet card support

[Bryan Vyhmeister]

On Aug 10, 2013, at 6:10, Jonathan Gray  wrote:

> The i210/i211 chips aren't supported yet.  The i217/pch_lpt found
> in the Lynx Point/Haswell PCH isn't either.  I don't think any of
> the usual suspects have hardware yet.

Do those that need the hardware have it yet? If not, what's needed? The 
Supermicro X10SLL-S would be a good choice since it has both i217LM & i210AT 
Ethernet. That board along with a Pentium G3220 and 4GB of ECC RAM could get a 
developer the required hardware for Haswell.

Bryan

Re: uaudio0: audio descriptors make no sense, with Schiit Bifrost USB DAC

[Remco]

Martijn Rijkeboer wrote:

>>> I have a Schiit Bifrost USB DAC that includes an uaudio device for audio
>>> playback. When I plug the device in I'm getting "uaudio0: audio
>>> descriptors make no sense, error=4". Any suggestions on how to make this
>>> work?
>>>
>>> Here are the relevant lines from usbdevs -v (debugging enabled for
>>> uaudio):
>>
>> Looks like the audio descriptor of your device doesn't match what
>> uaudio(4) expects.  A quirk might be needed.  Could you please
>> install the usbutils package and post the output of "lsusb -v" for
>> your device?
> 
> Below are the relevant lines of "lsusb -v". Before I ran lsusb I've
> re-installed the system with current (i386).
> 
> Bus 000 Device 002: ID 0d8c:0319 C-Media Electronics, Inc.
...
> Interface Descriptor:
>   bLength 9
>   bDescriptorType 4
>   bInterfaceNumber0
>   bAlternateSetting   0
>   bNumEndpoints   1
>   bInterfaceClass 1 Audio
>   bInterfaceSubClass  1 Control Device
>   bInterfaceProtocol 32
>   iInterface  2 Schiit USB Audio Device
>   AudioControl Interface Descriptor:
> bLength 9
> bDescriptorType36
> bDescriptorSubtype  1 (HEADER)
> --> bcdADC   2.00 <--

If I'm interpreting this correctly your device is an USB Audio 2.0 device.
AFAICT there's currently no support for such a device in OpenBSD.

Re: yubikey offline login

[Alexander Hall]

On 09/09/13 16:48, alex wrote:

Hi!

Is anybody know about possibility local (offline) login to OpenBSD?
I found this article
http://www.h-ein.de/projekte/yubikey-login-auth-module-openbsd.html
(i know about yubikey for ssh auth :
http://undeadly.org/cgi?action=article&sid=20130616112437

Thanks,
Alex Popov



All our base are belong to you.

man login_yubikey
man login.conf

/Alexander

Re: pflow packets before state expires

[sven falempin]

The manual say the information is extracted from the state table.
So you should have seen the info.

First: are you sure the information wasnt in the udp pflow packets ? maybe
the collector was wrong.
Second: man says <>

+



On Mon, Sep 9, 2013 at 11:55 AM, Matt Hamilton  wrote:

> Hi All,
>   We use pflow with pf to export packets to a collector for
> billing/monitoring
> purposes. The problem we have is that someone at the weekend had a very
> long running scp connection over several days that transferred a TB
> of data.  The data was not logged via pflow until the state expired, so
> then showed a massive spike when the state expired.
>
> Anyone know any way around this? Is it possible to get pf/pflow to
> export more regularly? Or set some timeout? I'm guessing not due
> to the architecture, and unless I force pf states to timeout then I'm
> stuck? But thought I'd ask in case anyone knew of a way.
>
> Thanks
> -Matt
>
>


-- 
-
() ascii ribbon campaign - against html e-mail
/\

pflow packets before state expires

[Matt Hamilton]

Hi All,
  We use pflow with pf to export packets to a collector for billing/monitoring
purposes. The problem we have is that someone at the weekend had a very
long running scp connection over several days that transferred a TB
of data.  The data was not logged via pflow until the state expired, so
then showed a massive spike when the state expired.

Anyone know any way around this? Is it possible to get pf/pflow to 
export more regularly? Or set some timeout? I'm guessing not due
to the architecture, and unless I force pf states to timeout then I'm
stuck? But thought I'd ask in case anyone knew of a way.

Thanks
-Matt

yubikey offline login

[alex]

Hi!

Is anybody know about possibility local (offline) login to OpenBSD?
I found this article 
http://www.h-ein.de/projekte/yubikey-login-auth-module-openbsd.html
(i know about yubikey for ssh auth : 
http://undeadly.org/cgi?action=article&sid=20130616112437


Thanks,
Alex Popov

Re: Strange vlan interface behavior/crash

[Wiesław Kielas]

* Wiesław Kielas  [04.09.2013. @15:44:05 +0200]:
> Hi misc@,
> 
> I have a Dell PowerEdge M600 machine running OpenBSD 5.3 which causes
> frequent problems - once about every few days vlan interfaces stop
> working.
> 
> Ifconfig reports them being up the whole time, but when trying to ping
> anything in the given vlan, the ping fails (this also applies to the
> loopback address on the interface - it doesn't reply as well), as if no
> packets were transmitted on it. This applies to all packets on the
> interface, not just ICMP ones.
> 
> This doesn't seem to be a PF issue, since disabling it doesn't help, and
> non-vlan interfaces (like trunk0 with trunkproto failover) continue to
> work.
> 
> Putting the interface down and up, destroying and creating it or running
> /etc/netstart doesn't help - a reboot is required, after which the
> machine works correctly again for some time.
> 
> I checked the logs and dmesg and found there nothing of any value - no
> new messages around the time of the crash.
> 
> As this is a blade machine, most hardware issues (like memory problems)
> would be reported by the chassis, and it reports none.
> 
> I have a couple other M600 machines running OpenBSD, with the same
> network cards, and only once this problem did occur on another machine -
> a slave for the problematic one, running pfsync, sasync and acting as a
> carp backup.
> 
> Could anyone provide me with some tips on how to debug the problem
> further? Turn on some kernel debug mode, make use of the kernel
> debugger? I'm at my wits end here.
> 
> If there is any information that I could provide to help solve the
> problem, please don't hesitate to ask.
> 
> The dmesg is attached below:
> 
> 

I'm currently testing a diff which disables hw vlan tag processing,
which I recieved off-list.

Aside from that, after increasing isakmpd verbosity, I started getting
messages like this before every vlan freeze:

> isakmpd[6940]: dropped message from 193.xxx.xxx.xxx port 500 due to
> notification type INVALID_FLAGS

Could they be somehow related?

-- 
regards, 

Wiesław Kielas

Re: Help with ISAKMP Nat Traversal Problem needed

[Christoph Leser]

Here is another debug output and tcpdump for the same problem. Following the 
advice from Stuart Henderson I change the debug levels to

isakmpd -D0=29 -D1=49 -D2=10 -D3=30 -D6=99 -D7=99 -D8=99 -D9=30 -D10=20  -K -L

Here again the tcpdump and the new debug output


16:08:35.114550 0.0.0.0.500 > 217.86.184.8.500: [udp sum ok] isakmp v1.0 
exchange ID_PROT
cookie: 1a0208d771df46ef-> msgid:  len: 184
payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY 
payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 
xforms: 1
payload: TRANSFORM len: 36
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = AES_CBC
attribute HASH_ALGORITHM = MD5
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600
attribute KEY_LENGTH = 128
payload: VENDOR len: 20
payload: VENDOR len: 20 (supports v2 NAT-T, 
draft-ietf-ipsec-nat-t-ike-02)
payload: VENDOR len: 20 (supports v3 NAT-T, 
draft-ietf-ipsec-nat-t-ike-03)
payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 212)

16:08:35.184157 217.86.184.8.500 > 217.110.66.79.500: [udp sum ok] isakmp v1.0 
exchange ID_PROT
cookie: 1a0208d771df46ef->be3ad6b901947e8e msgid:  len: 116
payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY 
payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 
xforms: 1
payload: TRANSFORM len: 36
transform: 1 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = AES_CBC
attribute KEY_LENGTH = 128
attribute HASH_ALGORITHM = MD5
attribute GROUP_DESCRIPTION = MODP_1024
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600
payload: VENDOR len: 12
payload: VENDOR len: 20 (supports NAT-T, RFC 3947) [ttl 0] (id 1, len 
144)

16:08:35.275577 217.110.66.79.500 > 217.86.184.8.500: [udp sum ok] isakmp v1.0 
exchange ID_PROT
cookie: 1a0208d771df46ef->be3ad6b901947e8e msgid:  len: 220
payload: KEY_EXCH len: 132
payload: NONCE len: 20
payload: NAT-D len: 20
payload: NAT-D len: 20 [ttl 0] (id 1, len 248)

16:08:35.363848 217.86.184.8.500 > 217.110.66.79.500: [udp sum ok] isakmp v1.0 
exchange ID_PROT
cookie: 1a0208d771df46ef->be3ad6b901947e8e msgid:  len: 268
payload: KEY_EXCH len: 132
payload: NAT-D len: 20
payload: NAT-D len: 20
payload: NONCE len: 24
payload: VENDOR len: 12
payload: VENDOR len: 12 (supports draft-ietf-ipsra-isakmp-xauth-06.txt)
payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 296)

16:08:35.454563 217.110.66.79.4500 > 217.86.184.8.4500: [bad udp cksum c9d0!] 
udpencap: isakmp v1.0 exchange ID_PROT
cookie: 1a0208d771df46ef->be3ad6b901947e8e msgid:  len: 88
payload: ID len: 12 type: IPV4_ADDR = 217.110.66.79
payload: HASH len: 20
payload: NOTIFICATION len: 28
notification: INITIAL CONTACT (1a0208d771df46ef->be3ad6b901947e8e) 
[ttl 0] (id 1, len 120)

16:08:35.523331 217.86.184.8.4500 > 217.110.66.79.4500: [bad udp cksum 1c00!] 
udpencap: isakmp v1.0 exchange ID_PROT
cookie: 1a0208d771df46ef->be3ad6b901947e8e msgid:  len: 60
payload: ID len: 12 type: IPV4_ADDR = 192.168.50.253
payload: HASH len: 20 [ttl 0] (id 1, len 92)

16:08:35.615285 217.110.66.79.4500 > 217.86.184.8.4500: [udp sum ok] udpencap: 
isakmp v1.0 exchange QUICK_MODE
cookie: 1a0208d771df46ef->be3ad6b901947e8e msgid: ceee06b6 len: 288
payload: HASH len: 20
payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY 
payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 
xforms: 1 SPI: 0x4dc1e13b
payload: TRANSFORM len: 32
transform: 1 ID: AES
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 1200
attribute ENCAPSULATION_MODE = TUNNEL
attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
attribute GROUP_DESCRIPTION = 2
attribute KEY_LENGTH = 128
payload: NONCE len: 20
payload: KEY_EXCH len: 132
payload: ID len: 16 type: IPV4_ADDR_SUBNET = 
129.143.250.128/255.255.255.128
payload: ID len: 16 type: IPV4_ADDR_SUBNET = 
192.168.199.0/255.255.255.0 [ttl 0] (id 1, len 320)
  

Re: uaudio0: audio descriptors make no sense, with Schiit Bifrost USB DAC

[Martijn Rijkeboer]

>> I have a Schiit Bifrost USB DAC that includes an uaudio device for audio
>> playback. When I plug the device in I'm getting "uaudio0: audio
>> descriptors make no sense, error=4". Any suggestions on how to make this
>> work?
>>
>> Here are the relevant lines from usbdevs -v (debugging enabled for
>> uaudio):
>
> Looks like the audio descriptor of your device doesn't match what
> uaudio(4) expects.  A quirk might be needed.  Could you please
> install the usbutils package and post the output of "lsusb -v" for
> your device?

Below are the relevant lines of "lsusb -v". Before I ran lsusb I've
re-installed the system with current (i386).

Bus 000 Device 002: ID 0d8c:0319 C-Media Electronics, Inc.
Device Descriptor:
  bLength18
  bDescriptorType 1
  bcdUSB   2.00
  bDeviceClass  239 Miscellaneous Device
  bDeviceSubClass 2 ?
  bDeviceProtocol 1 Interface Association
  bMaxPacketSize064
  idVendor   0x0d8c C-Media Electronics, Inc.
  idProduct  0x0319
  bcdDevice1.02
  iManufacturer   1 Schiit
  iProduct2 Schiit USB Audio Device
  iSerial 0
  bNumConfigurations  1
  Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength  298
bNumInterfaces  3
bConfigurationValue 1
iConfiguration  0
bmAttributes 0xc0
  Self Powered
MaxPower  100mA
Interface Association:
  bLength 8
  bDescriptorType11
  bFirstInterface 0
  bInterfaceCount 2
  bFunctionClass  1 Audio
  bFunctionSubClass   0
  bFunctionProtocol  32
  iFunction   0
Interface Descriptor:
  bLength 9
  bDescriptorType 4
  bInterfaceNumber0
  bAlternateSetting   0
  bNumEndpoints   1
  bInterfaceClass 1 Audio
  bInterfaceSubClass  1 Control Device
  bInterfaceProtocol 32
  iInterface  2 Schiit USB Audio Device
  AudioControl Interface Descriptor:
bLength 9
bDescriptorType36
bDescriptorSubtype  1 (HEADER)
bcdADC   2.00
bCategory  10
wTotalLength  256
bmControl0x00
  AudioControl Interface Descriptor:
bLength17
bDescriptorType36
bDescriptorSubtype  2 (INPUT_TERMINAL)
bTerminalID 1
wTerminalType  0x0101 USB Streaming
bAssocTerminal  0
bCSourceID 18
bNrChannels 0
bmChannelConfig   0x
bmControls0x0040
  Cluster Control (read-only)
iChannelNames   0
iTerminal   0
  AudioControl Interface Descriptor:
bLength12
bDescriptorType36
bDescriptorSubtype  3 (OUTPUT_TERMINAL)
bTerminalID 7
wTerminalType  0x0301 Speaker
bAssocTerminal  0
bSourceID  13
bCSourceID 18
bmControls 0x
iTerminal   0
  AudioControl Interface Descriptor:
bLength18
bDescriptorType36
bDescriptorSubtype  6 (FEATURE_UNIT)
bUnitID13
bSourceID   1
bmaControls( 0)  0x0003
  Mute Control (read/write)
bmaControls( 1)  0x
bmaControls( 2)  0x
iFeature0
  AudioControl Interface Descriptor:
bLength 8
bDescriptorType36
bDescriptorSubtype 10 (CLOCK_SOURCE)
bClockID   18
bmAttributes 0x03 Internal programmable Clock
bmControls   0x07
  Clock Frequency Control (read/write)
  Clock Validity Control (read-only)
bAssocTerminal  0
iClockSource0
  Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x8f  EP 15 IN
bmAttributes3
  Transfer TypeInterrupt
  Synch Type   None
  Usage Type   Data
wMaxPacketSize 0x0006  1x 6 bytes
bInterval   4
Interface Descriptor:
  bLength 9
  bDescriptorType 4
  bInterfaceNumber1
  bAlternateSetting   0
  bNumEndpoints   0
  bInterfaceClass 1 Audio
  bInterfaceSubClass  2 Streaming
  bInterfaceProtocol 32
  iInterface  4 Speaker-Schiit USB Audio Device
Interface Descriptor:
  

Re: how to set framebuffer resolution

[Stuart Henderson]

On 2013-09-09, remy couture  wrote:
> Hi,
>
> i'm looking for infos on how to play with the screen resolution on intel
> framebuffer.
>
> Other OSes have some kind of "mode setting" at the boot loader level, what
> about OpenBSD ?
>
> Thank you very much
>
>

At the moment, all you can do is disable kernel modesetting completely
(I had to do this on one server where the attached monitor doesn't support
the newly chosen resolution).

at the bootloader:

boot -c
disable inteldrm (or radeondrm)
quit

or similar via config(8).

Re: nat-to static-port chooses random ports

[Stuart Henderson]

On 2013-09-07, Christopher Zimmermann  wrote:
> Hi,
>
> as far as I understand pf, the following rules should behave exactly
> the same:
>
> pass out log on pppoe0 inet proto udp from mortimer-ipsec port 5061 nat-to
> (pppoe0) static-port
> and
> pass out log on pppoe0 inet proto udp from mortimer-ipsec port 5061 nat-to
> (pppoe0) port 5061
>
> but they don't:
>
> rule 98/(match) pass out on pppoe0: 217.190.89.90.56487 > 88.215.213.26.5748:
> udp 2048
> resp.
> rule 98/(match) pass out on pppoe0: 217.190.89.90.5061 > 62.138.116.3.5748:
> udp 2048
>
> this is on an OPENBSD_5_4 kernel.
>
> --
> http://gmerlin.de
> OpenPGP: http://gmerlin.de/christopher.pub
> 1917 680A 723C BF3D 2CA3  0E44 7E24 D19F 34B8 2A2A
>
> [demime 1.01d removed an attachment of type application/pgp-signature]
>
>


The most likely reason for this failing is if you have tried to
translate to a port which is already in-use. If "translate" in
"pfctl -si" is non-zero, then this has happened.

Re: A suggestion for snapshots

[Stuart Henderson]

On 2013-09-07, Lars Engblom  wrote:
> I think the issue is more about space than bandwidth.

No, it's about bandwidth, first from the build machines to the main
distribution site (fanout), and then from the fanout to mirrors.
Between them, amd64 and i386 packages take ~40GB, then there are
the other slower arch which are pushed out a bit less often.
Feeding this out across the mirroring infrastructure takes time.

> From: Theo de Raadt 
> Date: 07/09/2013  06:13  (GMT+02:00)
>
> Anyone want to pay for a faster network link?
>
> Step up -- then we can solve this problem easily.

Of course this is only easy now that Theo and a few others have
recently put significant effort into improving the internet
infrastructure in Alberta.

Re: ISAKMPD NAT/Traversal

[Stuart Henderson]

On 2013-09-07, Christoph Leser  wrote:
>>Von: owner-m...@openbsd.org [owner-m...@openbsd.org]" im Auftrag von 
>>"Stuart Henderson >[s...@spacehopper.org]
>>Gesendet: Samstag, 7. September 2013 00:11
>>An: misc@openbsd.org
>>Betreff: Re: ISAKMPD NAT/Traversal
>
>>>On 2013-09-06, Christoph Leser  wrote:
>>> Hello, list,
>>>
>>> from a remark by Stuart Henderson on an older thread
>>> http://marc.info/?l=openbsd-misc&m=134849 788026722&w=2 back in September
>>> 2012,I understood that NAT-T support in openBSD was not complete at that 
>>> time,
>>> especially the handling of the 'ENCAPSULATION_MODE' attribute in the phase 2
>>> 'TRANSFORM'. Sometimes this gets set to a value incompatible with other
>>> equipment ( cisco ).
>>>
>>> Can someone please point me to where I can find more information on this
>>> matter. Has anything changed in openBSD with regard to this, will openBSD
>>> follow RFC3947 with regard to the encapsulation modes ( or is RFC3947 deas, 
>>> it
>>> seems to be a standard proposal since 2005 ).
>>>
>>> Mit freundlichen Gr��en
>>>
>>> Christoph Leser
>>>
>>> S&P Computersysteme GmbH
>>> Zettachring 4
>>> 70567 Stuttgart Fasanenhof
>>>
>>> EMail: le...@sup-logistik.de
>>>
>
>
>>You misunderstand. OpenBSD uses the proper assigned encapsulation mode
>>values from the newer internet-drafts and the published RFC:
>
>>http://tools.ietf.org/html/draft-ietf-ipsec-nat-t-ike-04#section-5.1
>>http://tools.ietf.org/html/rfc3947#section-5.1
>
>>It is Cisco who use the old encapsulation mode values from the early
>>versions of the internet-draft (marked "XXX CHANGE" here):
>
>>http://tools.ietf.org/html/draft-ietf-ipsec-nat-t-ike-03#section-5.1
>
>
> thanks for the clarification. Does that mean that openBSD sends
> UDP-Encapsulated-Tunnel (=3) mode when it detects NAT? But the
> isakmpd.pcap still shows "attribute ENCAPSULATION_MODE = TUNNEL" in the
> TRANSFORM payload?

IIRC that is the case.

> I ask because I have problems with a SonicWall behind a Nat on the
> remote site, which claims that my openBSD "TUNNEL(=1) instead of
> Encapsulated Tunnel(=3).

At this point I think you probably need to break out the debug logs to
try and work out what's going on. My general-use logging setup for
isakmpd is "-v -D0=29 -D1=49 -D2=10 -D3=30 -D5=20 -D6=30 -D8=30
-D9=30 -D10=20" though sometimes certain areas need tweaking.

Re: Exploits

[Jérémie Courrèges-Anglas]

Andy  writes:

> On first look I couldn't see the exploit in that old PDF being listed on
> the errata's. Maybe I'm being blind ;)

Or maybe you need to take a second look (010).  The security problem is
described, a workaround and a patch are available.  Publishing an exact
how-to-reproduce-and-expoit-a-bug isn't one of the the responsibilities
of the OpenBSD project, afaik.

> On Sat 07 Sep 2013 19:45:38 BST, Greg Thomas wrote:
>> "Does this document still hold any truth with current OpenBSD;"
>>
>> Come on, really?
>>
>> http://www.openbsd.org/errata40.html
>>
>>
>> On Sat, Sep 7, 2013 at 8:13 AM, andy  wrote:
>>
>>> Hi everyone,
>>>
>>> I have a feeling that I may get some strong opinions on this question, so
>>> please don't flame me or anything, I'm asking because I don't know.
>>>
>>> Does this document still hold any truth with current OpenBSD;
>>>
>>> https://www.blackhat.com/presentations/bh-usa-07/Ortega/Whitepaper/bh-usa-07-ortega-WP.pdf
>>>
>>> Cheers, Andy.

Ciao,
-- 
jca | PGP: 0x06A11494 / 61DB D9A0 00A4 67CF 2A90  8961 6191 8FBF 06A1 1494

Re: Exploits

[Andy]

On first look I couldn't see the exploit in that old PDF being listed 
on the errata's. Maybe I'm being blind ;)



On Sat 07 Sep 2013 19:45:38 BST, Greg Thomas wrote:

"Does this document still hold any truth with current OpenBSD;"

Come on, really?

http://www.openbsd.org/errata40.html


On Sat, Sep 7, 2013 at 8:13 AM, andy  wrote:


Hi everyone,

I have a feeling that I may get some strong opinions on this question, so
please don't flame me or anything, I'm asking because I don't know.

Does this document still hold any truth with current OpenBSD;

https://www.blackhat.com/presentations/bh-usa-07/Ortega/Whitepaper/bh-usa-07-ortega-WP.pdf

Cheers, Andy.

Re: uaudio0: audio descriptors make no sense, with Schiit Bifrost USB DAC

[James Griffin]

!-- On Sat  7.Sep'13 at 11:17:56 BST, Martijn Rijkeboer (mart...@bunix.org), 
wrote: 

> Hi,
> 
> I have a Schiit Bifrost USB DAC that includes an uaudio device for audio
> playback. When I plug the device in I'm getting "uaudio0: audio
> descriptors make no sense, error=4". Any suggestions on how to make this
> work?
 
This is the error I have seen when my USB webcam is plugged in. It has a
built-in microphone, it's that component that generates the message. 

I posted the information to misc@ a couple of months back, using a
current snapshot. To-date, I have not been able to find a fix for it.

[ ... ]

-- 


James Griffin: jmz at kontrol.kode5.net 

A4B9 E875 A18C 6E11 F46D  B788 BEE6 1251 1D31 DC38

Help with ISAKMP Nat Traversal Problem needed

[Christoph Leser]

Hello misc,

My openBSD Gateway seems to have a problem with ISAKMP Nat Traversal to a 
remote Sonicwall. The ISAKMP Exchange fails in pase 2.

The remote Sonicwall is behind a NAT device.

Before I blame one side or the other for misbehavior, I would like you to take 
a look at the traces I will provide here and help me with the proper 
interpretation.

The setup is simple:

openBSD has direct access to the internet with IP address 217.110.66.79

SonicWall is  behind  IP address 217.86.184.8

My /etc/ipsec.conf is

ike active  esp tunnel from 129.143.250.128/25 to 192.168.199.0/24  peer 
217.86.184.8 main auth hmac-md5  enc aes-128  group modp1024 quick auth 
hmac-md5   enc aes-128  group modp1024 psk 'xyz'

What I think happens here is that openBSD recognizes that a NAT device is 
between Sonicwall and itself. And switches to NAT encapsulation.  And Sonciwall 
only proposes NAT-T with RFC3947. ( Also see the NAT related messages in the 
debug output below )

But in the phase 2 transform proposal openBSD requests 'TUNNEL' encapsulation 
mode instead of 'UDP-encapsulated-TUNNEL' as required by RFC-3947. ( See bytes 
78-7b in the hexdump of the first quick mode packet, it reads 80040001 instead 
of 80040003 ). 

Here is tcpdump output from /var/run/isakmpd.pcap ( I have removed the hexdump 
part from all but the last packet for brevity )

10:36:51.578451 0.0.0.0.500 > 217.86.184.8.500: [udp sum ok] isakmp v1.0 
exchange ID_PROT
cookie: daf885a1cd119c2d-> msgid:  len: 184
payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY 
payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 
xforms: 1
payload: TRANSFORM len: 36
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = AES_CBC
attribute HASH_ALGORITHM = MD5
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600
attribute KEY_LENGTH = 128
payload: VENDOR len: 20
payload: VENDOR len: 20 (supports v2 NAT-T, 
draft-ietf-ipsec-nat-t-ike-02)
payload: VENDOR len: 20 (supports v3 NAT-T, 
draft-ietf-ipsec-nat-t-ike-03)
payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 212)

10:36:51.651586 217.86.184.8.500 > 217.110.66.79.500: [udp sum ok] isakmp v1.0 
exchange ID_PROT
cookie: daf885a1cd119c2d->3264ac29e5082e4c msgid:  len: 116
payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY 
payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 
xforms: 1
payload: TRANSFORM len: 36
transform: 1 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = AES_CBC
attribute KEY_LENGTH = 128
attribute HASH_ALGORITHM = MD5
attribute GROUP_DESCRIPTION = MODP_1024
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600
payload: VENDOR len: 12
payload: VENDOR len: 20 (supports NAT-T, RFC 3947) [ttl 0] (id 1, len 
144)

10:36:51.745502 217.110.66.79.500 > 217.86.184.8.500: [udp sum ok] isakmp v1.0 
exchange ID_PROT
cookie: daf885a1cd119c2d->3264ac29e5082e4c msgid:  len: 220
payload: KEY_EXCH len: 132
payload: NONCE len: 20
payload: NAT-D len: 20
payload: NAT-D len: 20 [ttl 0] (id 1, len 248)

10:36:51.833947 217.86.184.8.500 > 217.110.66.79.500: [udp sum ok] isakmp v1.0 
exchange ID_PROT
cookie: daf885a1cd119c2d->3264ac29e5082e4c msgid:  len: 268
payload: KEY_EXCH len: 132
payload: NAT-D len: 20
payload: NAT-D len: 20
payload: NONCE len: 24
payload: VENDOR len: 12
payload: VENDOR len: 12 (supports draft-ietf-ipsra-isakmp-xauth-06.txt)
payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 296)

10:36:51.927437 217.110.66.79.4500 > 217.86.184.8.4500: [bad udp cksum aaf3!] 
udpencap: isakmp v1.0 exchange ID_PROT
cookie: daf885a1cd119c2d->3264ac29e5082e4c msgid:  len: 88
payload: ID len: 12 type: IPV4_ADDR = 217.110.66.79
payload: HASH len: 20
payload: NOTIFICATION len: 28
notification: INITIAL CONTACT (daf885a1cd119c2d->3264ac29e5082e4c) 
[ttl 0] (id 1, len 120)

10:36:51.998066 217.86.184.8.4500 > 217.110.66.79.4500: [bad udp cksum 1c00!] 
udpencap: isakmp v1.0 exchange ID_PROT
cookie: daf885a1cd119c2d->3264ac29e5082e4c msgid:  len: 60
payload: ID len: 12 type: IPV4_ADDR = 192.168.50.253
payload: HASH len: 20 [ttl 0] (id 1, l

Re: uaudio0: audio descriptors make no sense, with Schiit Bifrost USB DAC

[Martin Pieuchot]

On 07/09/13(Sat) 12:17, Martijn Rijkeboer wrote:
> Hi,
> 
> I have a Schiit Bifrost USB DAC that includes an uaudio device for audio
> playback. When I plug the device in I'm getting "uaudio0: audio
> descriptors make no sense, error=4". Any suggestions on how to make this
> work?
> 
> Here are the relevant lines from usbdevs -v (debugging enabled for uaudio):

Looks like the audio descriptor of your device doesn't match what
uaudio(4) expects.  A quirk might be needed.  Could you please
install the usbutils package and post the output of "lsusb -v" for
your device?

Martin

Re: spamd(8) more persistent greytrapping

[Boudewijn Dijkstra]

Op Thu, 29 Aug 2013 14:04:59 +0200 schreef Boudewijn Dijkstra  
:
Here's a suggested improvement to spamlogd(8) which keeps greytrap  
entries tarpitted while they keep trying. [...]


Because at least one person expressed an interest in my modification, find  
below an updated patch that fixes a subtle bug. The previous version could  
accidentally trap hosts that were just whitelisted but not yet added in  
the pf table . The version below leaves these entries alone.


--- spamlogd.c.54   Fri Mar 18 23:37:06 2011
+++ spamlogd.c  Mon Sep  9 10:52:51 2013
@@ -21,7 +21,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */

-/* watch pf log for mail connections, update whitelist entries. */
+/* watch pf log for mail connections, update spamdb entries. */

 #include 
 #include 
@@ -33,6 +33,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 

 #include 
@@ -64,6 +65,7 @@
 int greylist = 1;
 FILE *grey = NULL;

+u_short spamd_port;
 u_short sync_port;
 int syncsend;
 u_int8_tflag_debug = 0;
@@ -74,13 +76,14 @@
 pcap_t *hpcap = NULL;
 struct syslog_data  sdata  = SYSLOG_DATA_INIT;
 time_t  whiteexp = WHITEEXP;
+time_t  trapexp = TRAPEXP;
 extern char*__progname;

 void   logmsg(int , const char *, ...);
 void   sighandler_close(int);
 intinit_pcap(void);
 void   logpkt_handler(u_char *, const struct pcap_pkthdr *, const u_char *);
-intdbupdate(char *, char *);
+intdbupdate(char *, char *, int);
 void   usage(void);

 void
@@ -110,9 +113,11 @@
 init_pcap(void)
 {
struct bpf_program  bpfp;
-   charfilter[PCAPFSIZ] = "ip and port 25 and action pass "
-   "and tcp[13]&0x12=0x2";
+   charfilter[PCAPFSIZ];

+   snprintf(filter, PCAPFSIZ, "ip and (port 25 or %d) and action pass "
+   "and tcp[13]&0x12=0x2", spamd_port);
+
if ((hpcap = pcap_open_live(pflogif, PCAPSNAP, 1, PCAPTIMO,
errbuf)) == NULL) {
logmsg(LOG_ERR, "Failed to initialize: %s", errbuf);
@@ -157,6 +162,11 @@
const struct ip *ip = NULL;
const struct pfloghdr   *hdr;
char ipstraddr[40] = { '\0' };
+   int  white = 1;
+   unsigned int off;
+   const struct tcphdr *tcp;
+   unsigned int iplen;
+   unsigned int port;

hdr = (const struct pfloghdr *)sp;
if (hdr->length < MIN_PFLOG_HDRLEN) {
@@ -185,26 +195,34 @@
else if (hdr->dir == PF_OUT && !flag_inbound)
inet_ntop(af, &ip->ip_dst, ipstraddr,
sizeof(ipstraddr));
+   off = ntohs(ip->ip_off);
+   if ((off & 0x1fff) == 0) {
+   iplen = ip->ip_hl * 4;
+   tcp = (const struct tcphdr *)(sp + hdrlen + iplen);
+   port = ntohs(tcp->th_dport);
+   if (port == spamd_port)
+   white = 0;
+   }
}

if (ipstraddr[0] != '\0') {
-   if (hdr->dir == PF_IN)
-   logmsg(LOG_DEBUG,"inbound %s", ipstraddr);
-   else
-   logmsg(LOG_DEBUG,"outbound %s", ipstraddr);
-   dbupdate(PATH_SPAMD_DB, ipstraddr);
+   logmsg(LOG_DEBUG, "%s %s %s",
+   hdr->dir == PF_IN ? "inbound" : "outbound",
+   white ? "white" : "spamd",
+   ipstraddr);
+   dbupdate(PATH_SPAMD_DB, ipstraddr, white);
}
 }

 int
-dbupdate(char *dbname, char *ip)
+dbupdate(char *dbname, char *ip, int white)
 {
HASHINFOhashinfo;
DBT dbk, dbd;
DB  *db;
struct gdatagd;
time_t  now;
-   int r;
+   int r, mod;
struct in_addr  ia;

now = time(NULL);
@@ -224,7 +242,7 @@
dbk.data = ip;
memset(&dbd, 0, sizeof(dbd));

-   /* add or update whitelist entry */
+   /* add or update entry */
r = db->get(db, &dbk, &dbd, 0);
if (r == -1) {
logmsg(LOG_NOTICE, "db->get failed (%m)");
@@ -237,18 +255,11 @@
gd.first = now;
gd.bcount = 1;
gd.pass = now;
-   gd.expire = now + whiteexp;
-   memset(&dbk, 0, sizeof(dbk));
-   dbk.size = strlen(ip);
-   dbk.data = ip;
-   memset(&dbd, 0, sizeof(dbd));
-   dbd.size = sizeof(gd);
-   dbd.data = &gd;
-   r = db->put(db, &dbk, &dbd, 0);
-   if (r) {
-   logmsg(LOG_NOTICE, "db->put failed (%m)");
-   goto bad;
-   }
+   if (white) {
+   gd.expire = now + whiteexp;
+   mo

Re: how to set framebuffer resolution

[Janne Johansson]

The FAQ has some info on making the text console have more lines on x86-y
machines, if that is what you are after.



2013/9/9 remy couture 

> Hi,
>
> i'm looking for infos on how to play with the screen resolution on intel
> framebuffer.
>
> Other OSes have some kind of "mode setting" at the boot loader level, what
> about OpenBSD ?
>
> Thank you very much
>
>


-- 
May the most significant bit of your life be positive.

ipsec with ipcomp configuration challange.

[Lundal, Gaute]

Hello

Configuration challenge for ipsec.conf with ipcomp.
the reason for doing this is an attempt to speed up the connection to a site in 
singapore from norway.
The Singapore site has OpenBSD 5.3 but is not used in the config test.

What I have been using and is working in the test(ipsec.conf):
ike esp from $lan_Dalen2 to $lan_Maffy \
local $FW_Dalen2 peer $FW_Maffy \
main auth hmac-sha1 enc aes-128 group modp1024 life 3600 \
quick auth hmac-sha1 enc aes-128 group modp1024 life 3600 \
psk $psk_Maffy tag ipsec

This works fine.
Then I tried to add after:
flow ipcomp from $lan_Dalen2 to $lan_Maffy peer $FW_Maffy
   
The second line is accepted by ipsecctl but has no impact.

ipcomp is enabled:
# sysctl |grep ipcomp
net.inet.ipcomp.enable=1

Test boxes:
# uname -a
OpenBSD dalen 5.0 GENERIC#43 i386
# uname -a
OpenBSD worf 5.1 GENERIC.MP#188 i386

>From the man ipsec.conf  MANUAL SECURITY ASSOCIATIONS might be needed?

I have been searching before posting but I can't seem to find the answer.

does a working example exist that could be made public?

Regards
Gaute Lundal