Re: Patch: porters guide chapter 2.2, item no. 23
On Fri, Jul 25, 2014 at 11:22:44AM -0700, patrick keshishian wrote:
> On 7/25/14, Edward wrote:
> > Hi,
> >
> > The original wording doesn't seem to flow too well:
> >
> > "Create pkg/PLIST. After the install is complete use the developer's
> > command, make plist which makes the file PLIST in the pkg directory.
> > This file is a candidate packing list."
> >
> > I would like to suggest changing to the following:
> >
> > "Create pkg/PLIST. After the installation is done, use the developer's
> > command make plist, which creates the file PLIST in pkg sub-directory.
> > It will be a template for this port."
>
> I don't think the definition of the word "template" fits this
> use-case. What issue do you have with the original
> wording?
>
> --patrick
>

Hi Patrick,

Referring to this sentence:

"After the install is complete use the developer's command, make plist
which makes the file PLIST in the pkg directory."

There are 3 points to make in this original sentence:

1. "After the install is complete"
2. "use the developer's command, make plist"
3. "which makes the file PLIST in the pkg directory."

Which I think should be broken up with commas so that it appears clearer.
And thus my suggestion to change it to:

"After the installation is done, use the developer's command make plist,
which creates the file PLIST in pkg sub-directory."

As for the last sentence, "This file is a candidate packing list.", I
think the word "candidate" usually refers to a person rather than an
object. But I do agree, "template" might not be as good.

Regards,
Edward.
Re: add a new partition in USB ( clone )
Hi, all.

This is a method to make a clone USB larger in size than the original.

1) Use Linux (because OpenBSD fdisk is hard to use). With fdisk, make
   /dev/sdb4 Id: a6.

2) Then use the 'OpenBSD 5.5 install CD disk'. When installing OpenBSD,
   use the OpenBSD area <- 1) with mount point / (because the original
   USB has a and b only). Install bsd, bsd.rd and base55 only.

3) Then on the running OpenBSD machine:

   # mkdir /mnt0
   # mkdir /mnt1
   # mount /dev/sd0a /mnt0   <- / partition
   # mount /dev/sd1a /mnt1   <- / partition
   # (cd /mnt0; tar cvpf - .) | (cd /mnt1; tar xpf -)
   # umount /mnt0   => cannot
   # umount /mnt1   => cannot

   so halt the OpenBSD machine.

4) Then go to the Linux machine:

   fdisk /dev/sdb

   make the bootable flag on sdb4 (if 1) has this procedure, this may be
   needless).

---
This method is perhaps effective for smaller USB clones, or USB to hard
disk clones and so on.
---
tuyosi
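The tar pipe in step 3 is the part of this procedure that does the actual copying. The following is an added example, not part of tuyosi's post: it wraps that same pipe in a function and adds a digest comparison so the clone can be verified before the stick is trusted. It assumes the source and destination filesystems are already mounted (in the post, /mnt0 and /mnt1); here temporary directories stand in for them, and the miniature root filesystem is constructed for the demonstration.

```sh
# Added example (not from the original post): the "(cd /mnt0; tar cvpf - .) |
# (cd /mnt1; tar xpf -)" step, made checkable.
# Assumption: SRC and DST are mounted filesystems; temp dirs stand in here.

# clone_tree SRC DST: copy everything under SRC into DST, preserving
# permission bits (-p; ownership too when run as root). Archiving "." keeps
# every path relative, so the extract side cannot write outside DST.
clone_tree() {
    src=$1
    dst=$2
    [ -d "$src" ] && [ -d "$dst" ] || return 1
    (cd "$src" && tar cpf - .) | (cd "$dst" && tar xpf -)
}

# tree_digest DIR: one sorted line per entry, "path type mode", so two trees
# can be compared as strings. Works with GNU stat (-c) and BSD stat (-f).
tree_digest() {
    (
        cd "$1" || exit 1
        find . -print | sort | while read -r p; do
            if [ -L "$p" ]; then t=l
            elif [ -d "$p" ]; then t=d
            else t=f
            fi
            m=$(stat -c '%a' "$p" 2>/dev/null || stat -f '%Lp' "$p")
            printf '%s %s %s\n' "$p" "$t" "$m"
        done
    )
}

# same_tree SRC DST: true only if both trees have the same entries and modes.
same_tree() {
    [ "$(tree_digest "$1")" = "$(tree_digest "$2")" ]
}

# make_sample_root DIR: a constructed miniature root filesystem standing in
# for the contents of the original USB stick (mode 700 on root/, an
# executable in bin/, and a symlink, so -p has something to preserve).
make_sample_root() {
    mkdir -p "$1/etc" "$1/bin" "$1/root"
    printf 'clone.example\n' > "$1/etc/myname"
    printf '#!/bin/sh\necho hello\n' > "$1/bin/hello"
    chmod 755 "$1/bin/hello"
    chmod 700 "$1/root"
    ln -s ../etc/myname "$1/bin/myname-link"
}
```

On a real clone run this as root so ownership survives along with the modes, then compare the two mount points with same_tree before halting. A byte-for-byte copy of / also carries the original host's /etc/ssh host keys and /etc/isakmpd keys, so regenerate those on the clone before it is put on a network as a separate machine.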
Re: carp setup firewall
On 2014-07-24, Peter Hessler wrote:
> if the addresses on the carp interface are out of sync, then the hashes
> won't mash, and the firewalls *WILL* conflict with each other.
>
> I recommend one IP per carp interface. Far nicer in case you screw that
> bit up, and much easier to balance IPs to one system or the other.

That's going to involve a fair bit of multicast chatter for 60 addresses,
if binding addresses to carp interfaces is unavoidable I'd usually try to
go for the "don't screw up" option :)
Re: l2tp / ipsec issue
Probably, but you can play with ipsec-config and send your results over here.

On 24 Jul 2014, at 13:23, Stefan Krueger wrote:
> In mailing.openbsd.misc, you wrote:
>> the public_ip in your ipsec.conf should be the external ip of your router,
>> not the openbsd box.
>>
>> other setup checks can be referred to the following article.
>>
>> http://undeadly.org/cgi?action=article&sid=20120427125048
>
> Say I'm using PPPoE and my IP address changes every night, do I have
> to restart isakmpd + change the $public_ip in /etc/ipsec.conf every
> night, too?
Re: carp setup firewall
On 2014-07-24, Waldemar Brodkorb wrote:
> Hi OpenBSD hackers,
>
> we like to use OpenBSD for our corporate firewall.
> We have two appliances and want to setup carp and pfsync.
> In the past I used this for a simple firewall connected to
> a provider via dsl without a DMZ. This worked fine and I know
> how to configure it.
>
> Now our firewall is used for outgoing connections into the internet
> and for incoming connections to our DMZ servers. (We use binat,
> the ip addresses of the network (/26) are bound on the wan interface
> of the firewall.)
>
> According to
> http://collaboration.cmc.ec.gc.ca/science/rpn/biblio/ddj/Website/articles/SA/v14/i05/a6.htm
> I could use aliases with ifconfig.
>
> Do you think there would be any issues in using 60 aliases
> for the wan interface?
>
> best regards
> Waldemar
>

Is your upstream router within the /26, or do you have a separate link
network for that? If it's in the /26 I think you'll have to do it that
way, but if you have (or if you can get) a separate link net (e.g. /29
with your+their router and carp/vrrp addresses), you can just nat them,
there's no need to place the addresses on an interface.
Re: Patch: porters guide chapter 2.2, item no. 23
On 7/25/14, Edward wrote:
> Hi,
>
> The original wording doesn't seem to flow too well:
>
> "Create pkg/PLIST. After the install is complete use the developer's
> command, make plist which makes the file PLIST in the pkg directory.
> This file is a candidate packing list."
>
> I would like to suggest changing to the following:
>
> "Create pkg/PLIST. After the installation is done, use the developer's
> command make plist, which creates the file PLIST in pkg sub-directory.
> It will be a template for this port."

I don't think the definition of the word "template" fits this
use-case. What issue do you have with the original
wording?

--patrick

> The patch to my suggestion is at the bottom of this mail, ok?
>
> Regards,
> Edward.
>
> Index: guide.html > === > RCS file: /cvs/www/faq/ports/guide.html,v > retrieving revision 1.29 > diff -u -p -r1.29 guide.html > --- guide.html21 Jun 2014 12:17:47 - 1.29 > +++ guide.html25 Jul 2014 08:08:35 - > @@ -498,10 +498,9 @@ generated packing-lists). Remember that > For automatic updating of /etc, sysmerge(8) may help. > > Create pkg/PLIST. > -After the install is complete use the developer's command, > -make plist which makes the file PLIST in the > -pkg directory. > -This file is a candidate packing list. > +After the installation is done, use the developer's command > +make plist, which creates the file PLIST in > +pkg sub-directory. It will be a template for this port. > > Peruse PLIST and verify that everything was installed and that it > was > installed in the proper locations.
Re: openbsd and chromebooks
On 2014-07-25 11.59.33 -0400, Stuart McMurray wrote:
> Anybody know of any small laptops (not necessarily chromebooks) that run
> OpenBSD well?

Thinkpad X1 Carbon. -current works well: wifi, keyboard, mouse,
touchscreen, suspend, resume, USB, headphones. See my recent thread
"zzz + /dev/wsmouse" if you run into suspend/resume issues, or if you
want to see a dmesg.

Have not yet tried: camera, fingerprint reader, mini-DisplayPort, Bluetooth.

If you buy one, double-check the keyboard layout first. You may have to
buy from a reseller.

-Mike
MinnowBoard MAX
new toy for OpenBSD? ;) -> http://www.minnowboard.org/meet-minnowboard-max/
Re: [Bulk] Re: openbsd and chromebooks
previously on this list Stuart McMurray contributed:
> The other thing that kept me from putting OpenBSD on here is that
> dual-booting is kinda kooky and has security implications for the ChromeOS
> side. A better question:
>

Is that because you have to unlock the bootloader or root it?

> Anybody know of any small laptops (not necessarily chromebooks) that run
> OpenBSD well?
>

I believe I've seen at least one dev with a Lenovo X201 which I have used
briefly with OpenBSD and the T's seem to run well enough. I rarely use wifi
though and so can't vouch there.

--
'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface' (Doug McIlroy)

In Other Words - Don't design like polkit or systemd
Re: reload isakmpd
On 25.07.2014 19:42, James Shupe wrote:
>> Note that this doesn't clear old config, so you can't use it to tear
>> down sessions that you no longer want - you can paste the relevant
>> config lines to "ipsecctl -df -" to delete them though.
>
> As an added note for ipsecctl -df, you can break all your peers into
> their own files and include them from the main ipsec.conf. Then you can
> "ipsecctl -df /etc/ipsec/peer.conf"... When you have several dozen
> peers, it makes troubleshooting individual ones a bit easier.

There is a good article about isakmpd/ipsec on undeadly:
http://undeadly.org/cgi?action=article&sid=20131125041429
Re: reload isakmpd
> Note that this doesn't clear old config, so you can't use it to tear
> down sessions that you no longer want - you can paste the relevant
> config lines to "ipsecctl -df -" to delete them though.
>
>

As an added note for ipsecctl -df, you can break all your peers into their
own files and include them from the main ipsec.conf. Then you can
"ipsecctl -df /etc/ipsec/peer.conf"... When you have several dozen peers,
it makes troubleshooting individual ones a bit easier.

--
James Shupe
Re: reload isakmpd
On 2014-07-25, Andy wrote:
> Try ipsecctl -f /etc/ipsec.conf

Sometimes this works ok, but I do have some occasions when I need to
shutdown isakmpd, ipsecctl -F and restart.

Note that this doesn't clear old config, so you can't use it to tear
down sessions that you no longer want - you can paste the relevant
config lines to "ipsecctl -df -" to delete them though.
Re: reload isakmpd
Thank you all, I used these commands.

ps aux
kill 29309
kill 7908
ps aux
isakmpd -S
sasyncd

Thanks,

On Fri, Jul 25, 2014 at 8:29 AM, Reyk Floeter wrote:
> On Fri, Jul 25, 2014 at 08:17:15AM -0700, motty cruz wrote:
> > Hello, how to reload configuration without restarting isakmpd?
> >
> > Thanks,
> >
>
> Have a look at THE FIFO USER INTERFACE in isakmpd(8):
>
> NOTE: Sending isakmpd a SIGHUP or an "R" through the FIFO will
> void any updates done to the configuration.
>
> You can also try to SIGHUP and re-run ipsecctl afterwards.
>
> Good luck!
>
> Reyk
Re: openbsd and chromebooks
the keyboard and trackpad are horrendous. I hate typing on it. no wifi,
which is also really annoying.

On 2014 Jul 25 (Fri) at 17:40:24 +0200 (+0200), frantisek holop wrote:
:has anyone tried any of the existing chromebooks?
:any dmesgs?
:
:http://en.wikipedia.org/wiki/Chromebook#Chromebook_models
:
:-f
:--
:tap here >>> <<< with hammer for a new monitor.
:

--
In 1750 Isaac Newton became discouraged when he fell up a flight of stairs.
Re: openbsd and chromebooks
The other thing that kept me from putting OpenBSD on here is that
dual-booting is kinda kooky and has security implications for the ChromeOS
side. A better question:

Anybody know of any small laptops (not necessarily chromebooks) that run
OpenBSD well?

J. Stuart McMurray

On Fri, Jul 25, 2014 at 11:56 AM, frantisek holop wrote:
> hmm, on Fri, Jul 25, 2014 at 11:45:32AM -0400, Stuart McMurray said that
> > I tried putting it on an SD card on my acer c270. I don't have a dmesg
> > at the moment.
> >
> > Wireless and the trackpad didn't work, but a cheapy USB wireless device
> > did. The biggest problem was putting it on the SD card made disk IO
> > really, really slow. The lack of 802.11n was also kinda a bummer.
>
> well, there is no 802.11n in openbsd :)
> but i understand what you mean. the wifi is not
> supported on my current notebook either, so i am
> used to usb helpers.
>
> i am interested in the newest samsung chromebook.
> looks quite nice.
>
> -f
> --
> in the country of the blind, the one-eyed man is king.
Re: openbsd and chromebooks
hmm, on Fri, Jul 25, 2014 at 11:45:32AM -0400, Stuart McMurray said that
> I tried putting it on an SD card on my acer c270. I don't have a dmesg at
> the moment.
>
> Wireless and the trackpad didn't work, but a cheapy USB wireless device
> did. The biggest problem was putting it on the SD card made disk IO
> really, really slow. The lack of 802.11n was also kinda a bummer.

well, there is no 802.11n in openbsd :)
but i understand what you mean. the wifi is not
supported on my current notebook either, so i am
used to usb helpers.

i am interested in the newest samsung chromebook.
looks quite nice.

-f
--
in the country of the blind, the one-eyed man is king.
Re: openbsd and chromebooks
I tried putting it on an SD card on my acer c270. I don't have a dmesg at
the moment.

Wireless and the trackpad didn't work, but a cheapy USB wireless device
did. The biggest problem was putting it on the SD card made disk IO
really, really slow. The lack of 802.11n was also kinda a bummer.

J. Stuart McMurray

On Fri, Jul 25, 2014 at 11:40 AM, frantisek holop wrote:
> has anyone tried any of the existing chromebooks?
> any dmesgs?
>
> http://en.wikipedia.org/wiki/Chromebook#Chromebook_models
>
> -f
> --
> tap here >>> <<< with hammer for a new monitor.
openbsd and chromebooks
has anyone tried any of the existing chromebooks?
any dmesgs?

http://en.wikipedia.org/wiki/Chromebook#Chromebook_models

-f
--
tap here >>> <<< with hammer for a new monitor.
reload isakmpd
Hello, how do I reload the configuration without restarting isakmpd?

Thanks,
Re: reload isakmpd
On Fri, Jul 25, 2014 at 08:17:15AM -0700, motty cruz wrote:
> Hello, how to reload configuration without restarting isakmpd?
>
> Thanks,
>

Have a look at THE FIFO USER INTERFACE in isakmpd(8):

NOTE: Sending isakmpd a SIGHUP or an "R" through the FIFO will
void any updates done to the configuration.

You can also try to SIGHUP and re-run ipsecctl afterwards.

Good luck!
Reyk
Re: reload isakmpd
Try ipsecctl -f /etc/ipsec.conf

On Fri 25 Jul 2014 16:17:15 BST, motty cruz wrote:
> Hello, how to reload configuration without restarting isakmpd?
>
> Thanks,
Re: LDAPD attribute and ACL'S
On 07/25/2014 05:48 AM, Bambero wrote:
> Hi
>
> Is it possible to give write access only for userPassword field ?
>
> sth like:
>
> allow write access to attr=userPassword by self

There are no per-attribute permissions in the base ldapd(8). I think the
'normal' way to accomplish this is to create a user who does have write
permission to users' entries, and then write a program that will
authenticate as that DN to modify passwords on users' behalf.

--
Matthew Weigel
hacker
unique & idempot . ent
LDAPD attribute and ACL'S
Hi

Is it possible to give write access only for userPassword field ?

sth like:

allow write access to attr=userPassword by self

Regards
Bambero
[Cannot allocate memory][Qemu][x86 & i386] limits ? login.conf ?
Hi, I had the same problem. The only (poor) workaround I found is running
qemu as root.
Patch: porters guide chapter 2.2, item no. 23 (again)
Hi,

I thought pkg_create(1) is worth mentioning in the porting checklist so
that a new porter would know where to find more information on PLIST
variables & annotations that's useful to the PLIST file.

The patch below appends the sentence "PLIST variables/annotations can be
found in pkg_create(1)." to the second paragraph of item 23, chapter 2.2
of the Porting guide[1].

Regards,
Edward.

[1] http://www.openbsd.org/faq/ports/guide.html

Index: guide.html === RCS file: /cvs/www/faq/ports/guide.html,v retrieving revision 1.29 diff -u -p -r1.29 guide.html --- guide.html 21 Jun 2014 12:17:47 - 1.29 +++ guide.html 25 Jul 2014 09:17:40 - @@ -506,7 +506,9 @@ This file is a candidate packing list. Peruse PLIST and verify that everything was installed and that it was installed in the proper locations. Anything not installed can be added to a port Makefile -post-install rule. +post-install rule. PLIST variables/annotations can be found in +http://www.openbsd.org/cgi-bin/man.cgi?sektion=1&query=pkg_create"; +>pkg_create(1). Ports that install shared libraries will have another file called PFRAG.shared.
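Review bot: the `+http://www.openbsd.org/cgi-bin/man.cgi?sektion=1&query=pkg_create";` line needs a look before commit: the `";` after the URL reads as a stray character following the closing quote of the href, and the `&` in the query string has to be written `&amp;` inside an HTML attribute if it is not already so in the raw file. On placement, the new sentence is appended to the paragraph about adding missing files via a post-install rule, where it is a non sequitur; it belongs with "Create pkg/PLIST." / "make plist", where PLIST is introduced, and would read better as "The variables and annotations that may appear in PLIST are documented in pkg_create(1)." Finally, the hunk header `@@ -506,7 +506,9 @@` overlaps the `@@ -498,10 +498,9 @@` hunk of the earlier patch against the same revision 1.29, so the two should be combined or one rebased on the other before either is applied.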
Re: carp setup firewall
Hello Waldemar,

On 24.07.2014 17:44, Waldemar Brodkorb wrote:
> Hi Peter,
> Peter Hessler wrote,
>
>> if the addresses on the carp interface are out of sync, then the hashes
>> won't mash, and the firewalls *WILL* conflict with each other.
>>
>> I recommend one IP per carp interface. Far nicer in case you screw that
>> bit up, and much easier to balance IPs to one system or the other.
>
> Thanks for the hints. The previous firewall is managed via
> fwbuilder, which does manage all the ip aliases for the wan
> interface for us. It seems fwbuilder has some support for carp,
> but I am not sure it will work with ip aliases.
>
> Thanks so far
> Waldemar
>

We have a similar setup here, with only a /29 range of external addresses.
Until now, we have had no problems so far running this using only one
external carp IF (using a private IP) and adding all external addresses as
aliases. But we do not use bi-nat for our DMZ servers.

As for fwbuilder, we did use it for some years with iptables, but during
our switch to OpenBSD found writing pf.conf by hand gave a cleaner and
faster fw. The file is under version control and distributed and enabled
by Puppet on both our FW-CARP nodes.

Cheers,
Kim
Patch: porters guide chapter 2.2, item no. 23
Hi,

The original wording doesn't seem to flow too well:

"Create pkg/PLIST. After the install is complete use the developer's
command, make plist which makes the file PLIST in the pkg directory.
This file is a candidate packing list."

I would like to suggest changing to the following:

"Create pkg/PLIST. After the installation is done, use the developer's
command make plist, which creates the file PLIST in pkg sub-directory.
It will be a template for this port."

The patch to my suggestion is at the bottom of this mail, ok?

Regards,
Edward.

Index: guide.html === RCS file: /cvs/www/faq/ports/guide.html,v retrieving revision 1.29 diff -u -p -r1.29 guide.html --- guide.html 21 Jun 2014 12:17:47 - 1.29 +++ guide.html 25 Jul 2014 08:08:35 - @@ -498,10 +498,9 @@ generated packing-lists). Remember that For automatic updating of /etc, sysmerge(8) may help. Create pkg/PLIST. -After the install is complete use the developer's command, -make plist which makes the file PLIST in the -pkg directory. -This file is a candidate packing list. +After the installation is done, use the developer's command +make plist, which creates the file PLIST in +pkg sub-directory. It will be a template for this port. Peruse PLIST and verify that everything was installed and that it was installed in the proper locations.
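Review bot: the `+pkg sub-directory. It will be a template for this port.` line changes the meaning of the paragraph rather than its flow. The context line that follows the hunk, "Peruse PLIST and verify that everything was installed...", only makes sense if PLIST is something the porter still has to check and correct, which is exactly what the removed `-This file is a candidate packing list.` says; keep that sentence, or replace it with "This file is a first draft of the packing list." Also, "in pkg sub-directory" drops the article and introduces "sub-directory" where the `-pkg directory.` line it replaces says "the pkg directory"; "in the pkg directory" keeps the file's own wording. The comma changes in the first two `+` lines are fine.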
Re: pfctl: DIOCADDQUEUE: No such process
Erf... I found the error. An admin has configured a queue on a nonexistent
interface... Maybe pfctl could tell us that the interface doesn't exist?

Sorry for the inconvenience

--
Best regards,
Loïc BLOT, Engineering UNIX Systems, Security and Network Engineer
http://www.unix-experience.fr

On Friday 25 July 2014 at 09:25 +0200, Loïc Blot wrote:
> Hello
> after the reboot the problem persists...
>
> pfctl: DIOCADDQUEUE: No such process
>
> The default ruleset has been loaded:
>
> block drop all
> pass out inet6 proto ipv6-icmp all icmp6-type neighbrsol
> pass out inet6 proto ipv6-icmp all icmp6-type routersol
> pass out inet6 proto udp from any port = 546 to any port = 547
> pass out inet proto icmp all icmp-type echoreq
> pass out inet proto udp from any port = 68 to any port = 67
> pass out proto tcp from any to any port = 53 flags S/SA
> pass out proto udp from any to any port = 53
> pass in inet6 proto ipv6-icmp all icmp6-type neighbradv
> pass in inet6 proto ipv6-icmp all icmp6-type routeradv
> pass in inet6 proto udp from any port = 547 to any port = 546
> pass in proto tcp from any to any port = 22 flags S/SA
> pass in inet proto udp from any port = 67 to any port = 68
> pass on lo0 all flags S/SA
> pass proto carp all keep state (no-sync)
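The root cause in this thread, a queue attached to an interface that no longer exists, is cheap to catch before pfctl ever talks to the kernel. What follows is an added example written for this digest, not code from the thread or from OpenBSD: a small check that reads pf.conf, resolves simple macros, and reports every "queue NAME on IFACE" line whose interface is absent from a list of the interfaces on the box. It assumes the OpenBSD 5.5 queue syntax (`queue NAME on IFACE ...`), takes the interface list as a file with one name per line, and both sample files, pf.conf and the interface list, are constructed for the demonstration; the function and file names are mine.

```sh
# Added example (not from the thread): pre-load check for "queue ... on IFACE"
# lines in pf.conf that name an interface the box does not have.
# Assumptions: OpenBSD 5.5 queue syntax; IFLIST holds one interface name per
# line (on a live system derived from ifconfig output); sample files are
# constructed below.

# check_pf_queue_ifaces CONF IFLIST
#   Prints one line per queue whose interface is missing from IFLIST and
#   returns 1; returns 0 when every "queue ... on" line is satisfied and 2
#   when a file cannot be read. Simple macro definitions (ext_if = "em0")
#   are resolved so that "queue std on $ext_if" is checked as well.
check_pf_queue_ifaces() {
    conf=$1
    iflist=$2
    [ -r "$conf" ] && [ -r "$iflist" ] || return 2
    sed 's/#.*//' "$conf" | awk -v iflist="$iflist" '
        BEGIN { while ((getline l < iflist) > 0) if (l != "") present[l] = 1 }
        # macro definition: name = "value"  (quotes optional)
        /^[A-Za-z_][A-Za-z0-9_]* *= */ {
            n = $0; sub(/ *=.*/, "", n)
            v = $0; sub(/^[^=]*= */, "", v); gsub(/"/, "", v)
            macro[n] = v
            next
        }
        $1 == "queue" && $3 == "on" {
            ifc = $4
            if (substr(ifc, 1, 1) == "$") {
                name = substr(ifc, 2)
                if (name in macro) ifc = macro[name]
            }
            if (!(ifc in present)) {
                printf "queue %s on %s: interface not present\n", $2, ifc
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# make_pf_sample DIR: constructed pf.conf and interface list. The dmz queue
# references vlan30, which is not on the box, the kind of leftover that
# produced "pfctl: DIOCADDQUEUE: No such process" in the thread.
make_pf_sample() {
    mkdir -p "$1"
    cat > "$1/pf.conf" <<'EOF'
ext_if = "em0"
int_if = "em1"

set skip on lo0
queue std on $ext_if bandwidth 100M
queue ssh parent std bandwidth 10M      # child queue: no interface here
queue dmz on vlan30 bandwidth 50M       # vlan30 no longer exists

block all
pass out on $ext_if
pass in on $int_if
EOF
    cat > "$1/ifaces" <<'EOF'
lo0
em0
em1
carp0
pfsync0
EOF
}
```

Run it on each CARP node before `pfctl -f /etc/pf.conf`, with the interface list taken from `ifconfig` output (the names before the colon at the start of each interface's first line). A plain `pfctl -nf` pass would not have caught this: it only parses the file, whereas the DIOCADDQUEUE error in the thread comes from the kernel when the queue is actually added, and as the earlier message in this thread shows, the firewall is left running with the default ruleset, or with no ruleset at all, until a load succeeds.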
Re: pfctl: DIOCADDQUEUE: No such process
Hello
after the reboot the problem persists...

pfctl: DIOCADDQUEUE: No such process

The default ruleset has been loaded:

block drop all
pass out inet6 proto ipv6-icmp all icmp6-type neighbrsol
pass out inet6 proto ipv6-icmp all icmp6-type routersol
pass out inet6 proto udp from any port = 546 to any port = 547
pass out inet proto icmp all icmp-type echoreq
pass out inet proto udp from any port = 68 to any port = 67
pass out proto tcp from any to any port = 53 flags S/SA
pass out proto udp from any to any port = 53
pass in inet6 proto ipv6-icmp all icmp6-type neighbradv
pass in inet6 proto ipv6-icmp all icmp6-type routeradv
pass in inet6 proto udp from any port = 547 to any port = 546
pass in proto tcp from any to any port = 22 flags S/SA
pass in inet proto udp from any port = 67 to any port = 68
pass on lo0 all flags S/SA
pass proto carp all keep state (no-sync)

--
Best regards,
Loïc BLOT, Engineering UNIX Systems, Security and Network Engineer
http://www.unix-experience.fr

On Thursday 24 July 2014 at 17:44 +0200, Loïc Blot wrote:
> Hi David,
> in fact no, now the ruleset is empty and everything is allowed, erf.
> Now I have no choice, I need to reboot this critical router :(.
>
> I think there is a bug somewhere, I'll try to find out why this is
> happening before rebooting (maybe a patch if I can)