Re: Suppressing logging of arp movement messages

2017-11-09 Thread OpenBSD
Torsten,

Thanks for responding to my question.
I know about this specific sysctl on FreeBSD. I used this one on pfSense as well. 
The issue is that this one, or something functionally similar, seems not to be 
available on OpenBSD.

Maybe someone else has run into this before and found a way?

Marco PC

> On 8 Nov 2017, at 16:44, torsten wrote:
> 
> 
>> -Original Message-
>> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf
>> Of OpenBSD
>> Sent: 08 November 2017 15:44
>> To: misc@openbsd.org
>> Subject: Suppressing logging of arp movement messages
>> 
>> hello all,
>> 
>> I have finally built an internet gateway with OpenBSD 6.2 (AMD64),
>> including pf and IPSec. Great stuff.
>> Now I am seeing a lot of arp movement, which I know is caused by
>> Apple's Bonjour Sleep Proxy.
>> 
>> Nov  8 00:00:27 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
>> Nov  8 00:00:58 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
>> Nov  8 00:01:57 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
>> Nov  8 00:02:04 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
>> Nov  8 00:02:35 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
>> Nov  8 00:03:28 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
>> Nov  8 00:03:42 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
>> Nov  8 00:04:27 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
>> 
>> These messages are repeating every 15-30 seconds for Apple devices like
>> laptops that are in standby (sleep mode).
>> 
>> On pfSense and FreeBSD you have a sysctl:
>> net.link.ether.inet.log_arp_movements
>> when set to zero it will no longer log the messages.
>> 
>> Discussions can be found on the internet dating back to 2010, but no
>> solution has been provided, as far as I could find.
>> I have not yet found any sysctl in OpenBSD to do the same. Did I miss
>> something, or does OpenBSD have any trick to not log these messages?
>> Currently these messages are filling up the logs /var/run/dmesg.boot
>> and /var/log/messages.
>> 
>> Marco PC
> 
> Hi Marco
> In FreeBSD it is usually done with 
> sysctl net.link.ether.inet.log_arp_movements=0
> 
> and I guess this applies to openbsd too.
> T
> 



Re: Suppressing logging of arp movement messages

2017-11-09 Thread Daniel Gracia
AFAIK there is no way to turn off those messages in the default kernel. You
could try to write a patch if you care: take a look at
src/sys/netinet/if_ether.c, line #625.

Regards!


2017-11-09 9:14 GMT+01:00 OpenBSD :

> Torsten,
>
> Thanks for responding to my question.
> I know about this specific sysctl on FreeBSD. I used this one on pfSense as
> well. The issue is that this one, or something functionally similar, seems
> not to be available on OpenBSD.
>
> Maybe someone else has run into this before and found a way?
>
> Marco PC
>
> > On 8 Nov 2017, at 16:44, torsten wrote:
> >
> >
> >> -Original Message-
> >> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf
> >> Of OpenBSD
> >> Sent: 08 November 2017 15:44
> >> To: misc@openbsd.org
> >> Subject: Suppressing logging of arp movement messages
> >>
> >> hello all,
> >>
> >> I have finally built an internet gateway with OpenBSD 6.2 (AMD64),
> >> including pf and IPSec. Great stuff.
> >> Now I am seeing a lot of arp movement, which I know is caused by
> >> Apple's Bonjour Sleep Proxy.
> >>
> >> Nov  8 00:00:27 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
> >> Nov  8 00:00:58 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
> >> Nov  8 00:01:57 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
> >> Nov  8 00:02:04 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
> >> Nov  8 00:02:35 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
> >> Nov  8 00:03:28 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
> >> Nov  8 00:03:42 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
> >> Nov  8 00:04:27 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
> >>
> >> These messages are repeating every 15-30 seconds for Apple devices like
> >> laptops that are in standby (sleep mode).
> >>
> >> On pfSense and FreeBSD you have a sysctl:
> >> net.link.ether.inet.log_arp_movements
> >> when set to zero it will no longer log the messages.
> >>
> >> Discussions can be found on the internet dating back to 2010, but no
> >> solution has been provided, as far as I could find.
> >> I have not yet found any sysctl in OpenBSD to do the same. Did I miss
> >> something, or does OpenBSD have any trick to not log these messages?
> >> Currently these messages are filling up the logs /var/run/dmesg.boot
> >> and /var/log/messages.
> >>
> >> Marco PC
> >
> > Hi Marco
> > In FreeBSD it is usually done with
> > sysctl net.link.ether.inet.log_arp_movements=0
> >
> > and I guess this applies to openbsd too.
> > T
> >
>
>
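
A log-side alternative to patching if_ether.c, added here as an example and not code from the thread: this Python script parses the "arp info overwritten" lines quoted above, labels the per-IP pattern (a steady two-MAC alternation, which is what the sleep-proxy hand-off described in the thread looks like, versus an IP newly claimed by some other MAC), and drops only the lines for IP/MAC pairs an admin has vetted, so messages that may point at a real address conflict stay in /var/log/messages. The first eight sample lines are the ones from the thread; the 192.168.20.1 line, the de:ad:be:ef MACs and the sshd line are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: the eight lines quoted in the thread (one IP flipping
# between two MACs) plus two made-up lines, one for a different IP claimed by
# a new MAC and one unrelated sshd line, to show what a filter must keep.
SAMPLE_LOG = """\
Nov  8 00:00:27 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
Nov  8 00:00:58 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
Nov  8 00:01:57 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
Nov  8 00:02:04 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
Nov  8 00:02:35 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
Nov  8 00:03:28 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
Nov  8 00:03:42 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
Nov  8 00:04:27 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
Nov  8 00:05:10 gatekeeper /bsd: arp info overwritten for 192.168.20.1 by de:ad:be:ef:00:01 on vmx0
Nov  8 00:05:11 gatekeeper sshd[1234]: Accepted publickey for marco from 192.168.20.50 port 50123
"""

# Shape of the kernel message as it appears in the thread's log excerpt.
ARP_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ /bsd: "
    r"arp info overwritten for (?P<ip>[0-9.]+) "
    r"by (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<ifn>\S+)$"
)


def parse_arp_events(text):
    """Return one dict per 'arp info overwritten' line, in log order."""
    events = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if not m:
            continue
        # syslog stamps carry no year; only the gaps between events matter here
        stamp = re.sub(r"\s+", " ", m.group("ts"))
        events.append({
            "ts": datetime.strptime(stamp, "%b %d %H:%M:%S"),
            "ip": m.group("ip"), "mac": m.group("mac"), "ifn": m.group("ifn"),
        })
    return events


def summarize(events):
    """Group events by (ip, interface) and label how the MAC is changing."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["ip"], ev["ifn"])].append(ev)
    summary = {}
    for key, evs in by_key.items():
        macs = [ev["mac"] for ev in evs]
        if len(evs) == 1:
            pattern = "single"            # one change: nothing to average away
        elif len(set(macs)) == 2 and all(a != b for a, b in zip(macs, macs[1:])):
            pattern = "alternating-pair"  # the sleep-proxy hand-off seen in the thread
        else:
            pattern = "other"             # three or more MACs, or an irregular sequence
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        summary[key] = {"count": len(evs), "macs": set(macs), "pattern": pattern,
                        "median_gap_s": median(gaps) if gaps else None}
    return summary


def filter_vetted_pairs(text, vetted):
    """Drop overwrite lines only for (ip, frozenset({mac_a, mac_b})) pairs an
    admin has checked; every other line, including the same IP taken over by a
    MAC outside its pair, stays in the log.  Returns (kept_lines, dropped)."""
    kept, dropped = [], 0
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m and any(m.group("ip") == ip and m.group("mac") in macs for ip, macs in vetted):
            dropped += 1
            continue
        kept.append(line)
    return kept, dropped


if __name__ == "__main__":
    for (ip, ifn), info in summarize(parse_arp_events(SAMPLE_LOG)).items():
        print(f"{ip} on {ifn}: {info['count']} overwrites, {info['pattern']}, "
              f"MACs={sorted(info['macs'])}, median gap {info['median_gap_s']}s")
    vetted = {("192.168.20.99", frozenset({"00:46:ab:ba:19:87", "9c:ab:3b:ca:fe:99"}))}
    kept, dropped = filter_vetted_pairs(SAMPLE_LOG, vetted)
    print(f"dropped {dropped} vetted flaps, kept {len(kept)} lines")
```

Run it over a copy of /var/log/messages to see which IPs are flapping and how fast, then feed only the vetted pairs into the filter when shipping logs elsewhere.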


6.1, opensmtpd: unable to verify the first certificate

2017-11-09 Thread Harald Dunkel
Hi folks,

opensmtpd problem on openbsd 6.1: smtpd.conf says


xname = "mail.example.de"

pki $xname key "/etc/ssl/private/smtpd.key.pem"
pki $xname certificate "/etc/ssl/public/mail.example.de.pem"
ca $xname certificate "/etc/ssl/public/DigiCertCA.crt"

limit mta inet4
listen on lo0 tls pki $xname ca $xname
listen on internal tls pki $xname ca $xname
listen on external tls pki $xname ca $xname
:
:


If I try to verify starttls via openssl s_client from another
host, then it complains

Verification error: unable to verify the first certificate

# 
% openssl s_client -connect mail.example.de:25 -starttls smtp
CONNECTED(0003)
depth=0 C = DE, ST = NRW, L = Kleinesdorfnahekoeln, O = example AG, CN = 
*.example.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = DE, ST = NRW, L = Kleinesdorfnahekoeln, O = example AG, CN = 
*.example.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=NRW/L=Kleinesdorfnahekoeln/O=example AG/CN=*.example.de
   i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
Server certificate
-BEGIN CERTIFICATE-
MIIFHDCCBASgAwIBAgIQCvjGPkV+KuTwCbtsU6MMVzANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
:
ROBuAtmbmyGV7JgZibJHwMza1lhyerRndUCluQdrnwxwyxf9mkxq/e3MQ+g2A7YJ
Er5U9dCsV8c/59ehxPis0A==
-END CERTIFICATE-
subject=/C=DE/ST=NRW/L=Kleinesdorfnahekoeln/O=example AG/CN=*.example.de
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2000 bytes and written 302 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 
Session-ID-ctx: 
Master-Key: 025B8C04418CA6...DC7441262A8
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1510221777
Timeout   : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
---
250 HELP
read:errno=0
# 


Apparently the ca chain is not sent by opensmtpd. The "ca" on the 
listen lines is ignored.

Is this a known problem? Is there a workaround?

Hopefully you don't mind the question. This is a production host, 
i.e. I cannot upgrade to openbsd 6.2 and a new opensmtpd immediately. 
Every helpful comment is highly appreciated.


Regards
Harri



Re: spamd.conf with rsync and DNS-based lists

2017-11-09 Thread Stuart Henderson
On 2017-11-08, Mark Carroll  wrote:
> I am looking to expand my spamd.conf's blacklisting and I now see that
> some providers prefer one to rsync their blacklist rather than simply
> fetching it and more others make their lists queryable by DNS only.

Commercial dnsbl operators will be taking value from your queries (so
they can identify sender IP addresses and approximate levels of mail based
on lookups); those that do provide rsync access often charge for it.

> I am not missing some easy rsync syntax for spamd.conf right? It is a
> sufficient workaround to just rsync to a local file then have the base
> spamd look at that. The fast table lookups that pf can do are great.

Correct, that is the way to handle rsync.

> As for the DNSBLs, last year Clint Pachl kindly shared a spamd-dnsbl
> script here which every few minutes looks to trap hosts while they are
> graylisted. Also promising is https://github.com/echothrust/pf-diverters
> though the README warns "IN NO-WAY PRODUCTION READY" and dnsbl-divert
> is "still work-in-progress" and there are no recent commits. Maybe it's
> more reliable than it seems though I am still trying to understand the
> implications of a divert-packet to something that then does DNS lookups:
> this is a side of pf that's new to me.
>
> For using IP blacklists to immediately divert senders to spamd, it'd be
> interesting to try Spamhaus Zen and similar. How are people approaching
> this? Is there a "good" OpenBSD way to do it or maybe the whole idea is
> ill-conceived.

The usual way to run spamd is in greylisting mode, in which case the script
to check greylisted hosts isn't a bad idea.

The dnsbl-divert approach might be useful if spamd is in blacklist-only
mode. The biggest risk is that it makes your DNSBL/s a point of failure;
something that works at the SMTP rather than TCP connect level can cope
with longer lookup delays, and has enough time and information to make
more complex decisions.

I'm not sure how well (if at all) dnsbl-divert could combine with spamd;
it seems like an alternative rather than an addition to me.

It would be interesting to have something which can proxy directly to a
backend mail server (i.e. accept an incoming connection, stutter at the
sender, do some basic checks which could include dnswl, dnsbl and smtp
protocol enforcement, then transparently proxy to the backend from "rcpt
to" reducing spamd's 3 connections to hit the real MTA to 2). It would
be quite a different beast though.

What MTA do you have behind spamd? Some (e.g. postfix/postscreen) have
spamd-like functionality that can make more complex decisions (additional
checks on SMTP protocol, dnsbl lookups, etc). That's all I'm using in
early SMTP nowadays (plus after-DATA checks via rspamd as a milter).
For the mail I have to receive, dnswl support is a must, really.




Re: Bad network performance on apu2c4

2017-11-09 Thread Rupert Gallagher
The test had PF, NFS, and other services up.
The mtu/JumboPacket on both nics is 9K bit.
The wires are class 5e.
The switch is a 1Gbps cisco.

Sent from ProtonMail Mobile

On Thu, Nov 9, 2017 at 08:19, Christer Solskogen  
wrote:

> On Thu, Nov 9, 2017 at 1:42 AM, Rupert Gallagher  wrote:
>
>> New speed record today: 963Mbps between apu2c4 and a PC, both ways.
>
> I never get above 550Mbit with pf enabled.

Re: Suppressing logging of arp movement messages

2017-11-09 Thread OpenBSD
Thanks Daniel,

Great direction on where to look in the code. Even without programming 
experience I will be able to remove the logging part.
No idea yet on how I can make this configurable via sysctl.conf, but that’s for 
later.

Marco PC


> On 9 Nov 2017, at 10:07, Daniel Gracia wrote:
> 
> AFAIK there is no way to turn off those messages in the default kernel. You
> could try to write a patch if you care: take a look at
> src/sys/netinet/if_ether.c, line #625.
> 
> Regards!
> 
> 
> 2017-11-09 9:14 GMT+01:00 OpenBSD :
> 
>> Torsten,
>> 
>> Thanks for responding to my question.
>> I know about this specific sysctl on FreeBSD. I used this one on pfSense as
>> well. The issue is that this one, or something functionally similar, seems
>> not to be available on OpenBSD.
>> 
>> Maybe someone else has run into this before and found a way?
>> 
>> Marco PC
>> 
>>> On 8 Nov 2017, at 16:44, torsten wrote:
>>> 
>>> 
>>>> -Original Message-
>>>> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf
>>>> Of OpenBSD
>>>> Sent: 08 November 2017 15:44
>>>> To: misc@openbsd.org
>>>> Subject: Suppressing logging of arp movement messages
>>>> 
>>>> hello all,
>>>> 
>>>> I have finally built an internet gateway with OpenBSD 6.2 (AMD64),
>>>> including pf and IPSec. Great stuff.
>>>> Now I am seeing a lot of arp movement, which I know is caused by
>>>> Apple's Bonjour Sleep Proxy.
>>>> 
>>>> Nov  8 00:00:27 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
>>>> Nov  8 00:00:58 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
>>>> Nov  8 00:01:57 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
>>>> Nov  8 00:02:04 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
>>>> Nov  8 00:02:35 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
>>>> Nov  8 00:03:28 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
>>>> Nov  8 00:03:42 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
>>>> Nov  8 00:04:27 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
>>>> 
>>>> These messages are repeating every 15-30 seconds for Apple devices like
>>>> laptops that are in standby (sleep mode).
>>>> 
>>>> On pfSense and FreeBSD you have a sysctl:
>>>> net.link.ether.inet.log_arp_movements
>>>> when set to zero it will no longer log the messages.
>>>> 
>>>> Discussions can be found on the internet dating back to 2010, but no
>>>> solution has been provided, as far as I could find.
>>>> I have not yet found any sysctl in OpenBSD to do the same. Did I miss
>>>> something, or does OpenBSD have any trick to not log these messages?
>>>> Currently these messages are filling up the logs /var/run/dmesg.boot
>>>> and /var/log/messages.
>>>> 
>>>> Marco PC
>>> 
>>> Hi Marco
>>> In FreeBSD it is usually done with
>>> sysctl net.link.ether.inet.log_arp_movements=0
>>> 
>>> and I guess this applies to openbsd too.
>>> T
>>> 
>> 
>> 



Re: Suppressing logging of arp movement messages

2017-11-09 Thread OpenBSD
Torsten,

Thanks for responding to my question.
I know about this specific sysctl on FreeBSD. I used this one on pfSense as well. 
The issue is that this one, or something functionally similar, seems not to be 
available on OpenBSD.

MarcoPC

> On 8 Nov 2017, at 16:44, torsten wrote:
> 
>> 
>> On pfSense and FreeBSD you have a sysctl:
>> net.link.ether.inet.log_arp_movements
>> when set to zero it will no longer log the messages.
>> …..
>> Marco PC
> 
> Hi Marco
> In FreeBSD it is usually done with 
> sysctl net.link.ether.inet.log_arp_movements=0
> 
> and I guess this applies to openbsd too.
> T
> 



Re: Hellos from the Lands of Norway.

2017-11-09 Thread Eivind Eide
>> On Tue, Nov 7, 2017 at 3:55 PM, Ywe Cærlyn 
>> wrote:
>>
>> > Well I have introduced myself then.
>> >

To make it clear: no name anywhere like the probably pure fantasy name
of this specimen has ever been held by any human, pixie, faery, troll
or any other entity in Norway, nor in any other Scandinavian or Nordic
country.



-- 



Eivind Eide

"ONLY THOSE WHO ATTEMPT THE IMPOSSIBLE WILL ACHIEVE THE ABSURD"
- Oceania Association of Autonomous Astronauts



pf queueing syntax question

2017-11-09 Thread Marko Cupać
Hi,

I'm (re)trying out queuing possibilities in 6.2.

I am trying out different possibilities, mixing queue with prio.

I have accidentally put two different lines in my pf.conf:

match proto tcp  to any port domain   set prio 6 set queue dns
match proto udp  to any port domain   set queue dns prio 6

I reloaded the ruleset and there weren't any complaints.

`pfctl -sr' interpreted these two lines differently:

match proto tcp from any to any port = 53 set ( prio 6, queue dns )
match proto udp from any to any port = 53 prio 6 set ( queue dns )

Are those two lines expected to queue differently? In which way?

Thank you in advance,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Keeping up to date with ports and putting ports/pobj on wxallowed filesystem

2017-11-09 Thread Jeff
Hello all,

Is this the sane/correct thing to do?  What is the impact?

Running: OpenBSD6.2-release

Goal: To run a secure and functional web server.
(the server is currently up and running and used by
the public at large)

Previously: Only installing needed packages as binaries via pkg_add.

Now: The thought is that the third-party packages being used
by the server should be kept up to date.

Ports tree via:
$ cvs -qd anon...@anoncvs4.usa.openbsd.org:/cvs\
  checkout -rOPENBSD_6_2 -P ports

Problem: Some out of date packages found via 'out-of-date' e.g.:
$ /usr/ports/infrastructure/bin/out-of-date
...
Outdated ports:

databases/mariadb,-main# 10.0.32v1 -> 10.0.33v1
databases/mariadb,-server  # 10.0.32v1 -> 10.0.33v1
...

complain when running 'make update' (in this case mariadb). e.g.:
Fatal: /usr/ports/pobj must be on a wxallowed filesystem\
  (in lang/python/2.7)

To solve this issue, this is what I've done:

$cat /etc/mk.conf
SUDO=/usr/bin/doas
WRKOBJDIR=/usr/local/ports/pobj <---

(since /usr/local is on a wxallowed filesystem)

Is this a rational solution to the problem? I'm somewhat regretting
going this route as, unlike with pkg_add, building some ports from the
tree pulls in more dependencies than via pkg_add (I am assuming that
these are build dependencies and not run-time dependencies; please
correct me if this is not so)

Is it not worth it to update ports in this way; meaning, is it better
to simply wait for OpenBSD6.3 and stick with binary packages only
(as recommended on the openbsd.org site)?

Also, is there an easy/sane way to remove packages that were only
required for building once the ports have been updated?

I'm loath to do something like build the packages on another system
and then install them as binary packages on the server; this seems like
a lot of effort and, at least for myself, might be prone
to introducing other issues.

Thank-you in advance; advice is appreciated.

-- 
Jeff 



Re: Keeping up to date with ports and putting ports/pobj on wxallowed filesystem

2017-11-09 Thread Scott Bennett
On 11/9/2017 2:04 PM, Jeff wrote:
> Hello all,
> 
> [...]
>
> Also, is there an easy/sane way to remove packages that were only
> required for building once the ports have been updated?

You could use:
$ pkg_info -t

to show packages which are not required by any other packages
(man.openbsd.org/pkg_info#t). Obviously this will also show you
packages that you want to keep, such as mariadb, firefox, etc... But
this should help in determining some packages to remove.

Scott



In httpd redirecting and preserving the query parameters.

2017-11-09 Thread Peter Fraser
location match "^(.*)[.]shtml$" {
    block return 301 "https://$SERVER_NAME%1.htm?$QUERY_STRING"
}

I used the above to change any web address ending in .shtml to the same ending 
in .htm.

The redirect went to the right spot, but each '&' got converted to '%26' in 
the query string.

So how do I do such a redirect?


Upgrade OpenVPN 2.3.1 server >> OpenVPN 2.4.1 server produces an write to TUN/TAP : Address family not supported error

2017-11-09 Thread Denis
Hi All,

I have a working setup with OpenVPN 2.3.1 on 5.4 amd64 as the server side. The
client side is supposedly using a hardcoded OpenVPN 2.1.2. I can't change
that version; I just added ovpn.cnf to it to have it working. All worked
fine on OpenBSD 5.4 amd64 for years...

#openvpn --version

OpenVPN 2.3.1 x86_64-unknown-openbsd5.4 [SSL (OpenSSL)] [LZO] [eurephia]
[MH] [IPv6] built on Jul 23 2013
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. 
Compile time defines: enable_crypto=yes enable_debug=yes
enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown
enable_dlopen_self_static=unknown enable_eurephia=yes
enable_fast_install=needless enable_fragment=yes enable_http_proxy=yes
enable_iproute2=no enable_libtool_lock=yes enable_lzo=yes
enable_lzo_stub=no enable_management=yes enable_multi=yes
enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes
enable_pedantic=no enable_pf=yes enable_pkcs11=no
enable_plugin_auth_pam=no enable_plugin_down_root=yes enable_plugins=yes
enable_port_share=yes enable_selinux=no enable_server=yes
enable_shared=yes enable_shared_with_static_runtimes=no
enable_silent_rules=no enable_small=no enable_socks=yes enable_ssl=yes
enable_static=yes enable_strict=no enable_strict_options=no
enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=no
with_crypto_library=openssl with_gnu_ld=no with_mem_check=no
with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no

Here is the fully working server config

#cat /etc/server.conf
-
local 127.0.0.1
proto udp
port 1000
dev tun0
dev-type tap

tun-mtu 1500
fragment 1500
mssfix 1500

keys section is removed...
dh...
ca...
crl-verify...
...end of removed section

tls-version-min 1.2    # since 2.3.3
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
tls-exit

auth SHA512
cipher AES-256-CBC

ifconfig 192.168.8.6 192.168.8.254 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt 10
mode server
tls-server
key-method 2

client-to-client
comp-lzo
keepalive 5 60
user _openvpn
group _openvpn
daemon openvpn

persist-key
persist-tun
persist-local-ip
persist-remote-ip

push-peer-info

some pushes...
...end of some pushes

pid...
logs

verb 4
--

...all working perfectly fine before upgrading to prepackaged OpenVPN
2.4.1 on OpenBSD 6.1amd64

#openvpn --version

OpenVPN 2.4.1 x86_64-unknown-openbsd6.1 [SSL (OpenSSL)] [LZO] [LZ4]
[MH/RECVDA] [AEAD] built on Apr 1 2017
library versions: LibreSSL 2.5.2, LZO 2.10
Originally developed by James Yonan

I have a connection problem that appears as error code 47 in openvpn.log:

Eliminating the error from openvpn.log: Thu Nov 9 12:31:02 2017 US=
user/192.168.1.16:1035 MULTI: Learn: MA:CX:XX:XX:XX:XX ->
user/192.168.1.16:1035
Eliminating the error from openvpn.log: Thu Nov 9 12:31:02 2017 US=
user/192.168.1.16:1035 write to TUN/TAP : Address family not supported
by protocol family (code=47)

Is it an IPv6 problem, as various mailing lists say, or what?

Please give some recommendations on how to resolve the issue.

Thank you in advance for your answer



Partitioning on MacBook Pro for triple booting

2017-11-09 Thread SFM
Hi everyone ! 

Up to now I have failed to do what the header says and I would love to know the 
reason; probably I am missing an/some important step(s).

The hardware: 

MacBook Pro mid 2012 with EFI, a single 480GB SSD and 16GB RAM. 

The preps:

Installed latest MacOS X (I am using the new “Apple file system”),  encrypted 
the drive using FileVault, GPT partitioned the drive in three equal Partitions 
using disk utility.

The target: 

Triple boot Mac OS X, OpenBSD and DragonFly BSD from the same drive (there are 
quite a few reasons for this, do not call me a masochist, at least not in 
public). 

The problem: As I, of course, do not intend to use the whole disk for OpenBSD, 
I choose “E” at the prompt which asks so. As expected, fdisk is summoned. I 
then mark, according to the instructions, my second partition, where I want my 
OpenBSD installation to sit, as an active A06 partition and exit, saving my 
progress. I would expect the installer to summon disklabel, which does not 
happen. It complains that no OpenBSD active partition is present. I can do that 
over and over again and there is no way that I go beyond that point. 

Am I missing something really stupid? Am I in a no-go zone because of the 
encrypted drive? Is this a bug? 
ANY comments and suggestions appreciated !

Thanks in advance !

Raymundo.- 



Re: Bad network performance on apu2c4

2017-11-09 Thread Rupert Gallagher
I forgot, the switch must be compatible with jumbo frames. If you have a 
managed switch, you need to enable it.

Sent from ProtonMail Mobile

On Thu, Nov 9, 2017 at 14:58, Rupert Gallagher  wrote:

> The test had PF, NFS, and other services up.
> The mtu/JumboPacket on both nics is 9K bit.
> The wires are class 5e.
> The switch is a 1Gbps cisco.
>
> Sent from ProtonMail Mobile
>
> On Thu, Nov 9, 2017 at 08:19, Christer Solskogen 
>  wrote:
>
>> On Thu, Nov 9, 2017 at 1:42 AM, Rupert Gallagher  wrote:
>>
>>> New speed record today: 963Mbps between apu2c4 and a PC, both ways.
>>
>> I never get above 550Mbit with pf enabled.

Re: Keeping up to date with ports and putting ports/pobj on wxallowed filesystem

2017-11-09 Thread Jeff
On Thu, 9 Nov 2017 14:04:39 -0500
Jeff  wrote:

> Is it not worth it to update ports in this way; meaning, is it better
> to simply wait for OpenBSD6.3 and stick with binary packages only
> (as recommended on the openbsd.org site)?

It has been pointed out to me that my meaning here is unclear.
I will attempt to clarify:

openbsd.org says:
The ports tree is meant for advanced users.
Everyone is encouraged to use the pre-compiled binary packages.

I do not imply that openbsd.org recommends waiting for the next release
and not patching software.

A better statement would possibly have been:

Is it not worth it to update ports in this way; meaning,
is it better to simply wait for OpenBSD6.3 and stick with
binary packages?

The openbsd.org site says:
The ports tree is meant for advanced users.
Everyone is encouraged to use the pre-compiled
binary packages.

I'm looking for the advice of those more experienced than myself.

-- 
Jeff 



Re: Keeping up to date with ports and putting ports/pobj on wxallowed filesystem

2017-11-09 Thread Daniel Boyd
On Thu, 2017-11-09 at 14:52 -0500, Jeff wrote:
> Is it not worth it to update ports in this way; meaning,
> is it better to simply wait for OpenBSD6.3 and stick with
> binary packages?
>
>   The openbsd.org site says:
>   The ports tree is meant for advanced users.
>   Everyone is encouraged to use the pre-compiled
>   binary packages.
> 
> I'm looking for the advice of those more experienced than myself.
> 

It just depends on your situation.  Most of the time, I'm happy just to
upgrade every 6 months when a new release comes out.  But I'm also not
running a public-facing, mission-critical server.  Regardless, I
usually have the ports tree untarred on my system in case there is some
patch that I feel like I should install.

They say it's for advanced users, but really it's not difficult if
you're reasonably comfortable running unix-like OS commands.  Read the
FAQ: https://www.openbsd.org/faq/ports/ports.html



Re: Keeping up to date with ports and putting ports/pobj on wxallowed filesystem

2017-11-09 Thread Allan Streib
Jeff  writes:

> I do not imply that openbsd.org recommends waiting for the next release
> and not patching software.

I personally use openup from m:tier, they provide updated packages as
errata are released.

https://www.mtier.org/solutions/apps/openup/

Allan



Re: Keeping up to date with ports and putting ports/pobj on wxallowed filesystem

2017-11-09 Thread Christoph R. Murauer
If I understood your question correctly ...

> Running: OpenBSD6.2-release
>
> Goal: To run a secure and functional web server.
> (the server is currently up and running and used by
> the public at large)

If you apply the patches from the errata page using syspatch(8) (if
you are on i386 / amd64) then you have an up-to-date and secure -stable
installation.

> Previously: Only installing needed packages as binaries via pkg_add.
>
> Now: The thought is that the third-party packages being used
> by the server should be kept up to date.

If there are security-related patches or things that need to be fixed
so that the package works as it should, you can simply run pkg_add -iu

> databases/mariadb,-main# 10.0.32v1 -> 10.0.33v1
> databases/mariadb,-server  # 10.0.32v1 -> 10.0.33v1
> ...

The question is, do you need the things which are provided by these
new versions - for security see above.

> complain when running 'make update' (in this case mariadb). e.g.:
> Fatal: /usr/ports/pobj must be on a wxallowed filesystem\
>   (in lang/python/2.7)

You can add wxallowed to an already mounted filesystem using mount(8).

> Is it not worth it to update ports in this way; meaning, is it better
> to simply wait for OpenBSD6.3 and stick with binary packages only
> (as recommended on the openbsd.org site)?

That depends on your requirements. See above.

> Also, is there an easy/sane way to remove packages that were only
> required for building once the ports have been updated?

A port is a package. See make clean and so on for built ports and
pkg_delete -a for packages. IMHO, who says that something unneeded is
installed? It also has no effect on the system if build deps are
kept in the ports tree.




Re: Keeping up to date with ports and putting ports/pobj on wxallowed filesystem

2017-11-09 Thread Jeff
On Thu, 9 Nov 2017 22:06:43 +0100
"Christoph R. Murauer"  wrote:

> If I understood your question correct ...
> 
> > Running: OpenBSD6.2-release
> >
> > Goal: To run a secure and functional web server.
> > (the server is currently up and running and used by
> > the public at large)
> 
> If there are security-related patches or things that need to be fixed
> so that the package works as it should, you can simply run pkg_add -iu

Thanks for your reply, Christoph.

Please correct me if I'm wrong, but as I understand things, this only
works if one is following OpenBSD-current.  I am running -release.
This is an in-use production server; I don't feel wise running -current.

> You can add wxallowed to a already mounted filesystem using mount(8).

In theory, I don't like this; I would rather keep preventing everything
not mapped from /usr/local from being able to have both writable and
executable pages, even if it's only temporary.

> > Is it not worth it to update ports in this way; meaning, is it better
> > to simply wait for OpenBSD6.3 and stick with binary packages only
> > (as recommended on the openbsd.org site)?
> 
> That depends on your requirements. See above.

My answer also depends.  Ideally, I'd want to jump on any update for
any software for which a security advisory has been issued.  Also,
I do wish to track other non-critical updates to keep the server's
software relatively up-to-date so as not to fall behind; picking up 
performance and related enhancements is a bonus.  In practice,
at least for myself and my available time, this isn't always feasible
(e.g. the ports tree doesn't have the latest software available as a port
and it would also be a significant time commitment to build and install
the software from the original source and successfully integrate it into
OpenBSD.)

For example, moving to php v7.1.11 or 7.2 falls into this category
(see: http://www.securityfocus.com/bid/101745).
Looking at what the ports system has to do to make the php 7.0.23
package, I'd be spending my life getting 7.2 to build and work properly
and I feel this is better left to those with more OpenBSD porting
experience.

Some software builds and integrates from original sources more easily,
that is, the usual:
./configure {reasonable options} -> make -> make install
procedure goes off without a hitch, or at least without too many edits.

> > Also, is there an easy/sane way to remove packages that were only
> > required for building once the ports have been updated?
> 
> A port is a package. See make clean and so on for built ports and
> pkg_delete -a for packages. IMHO, who says that something unneeded is
> installed? It also has no effect on the system if build deps are
> kept in the ports tree.

I understand that the ports system first builds and packages a port,
and then installs it.

I could be doing something wrong, but it seems that some ports install
dependencies to the system (pkg_add-style) that are required to *build*
the package from source, but that aren't required to *run* the package
(e.g. cmake).

So, I definitely don't mind leaving the built packages in the ports
tree, but I *do* mind leaving them installed on the system.

-- 
Jeff 



Re: Keeping up to date with ports and putting ports/pobj on wxallowed filesystem

2017-11-09 Thread trondd
On Thu, November 9, 2017 4:54 pm, Jeff wrote:
> On Thu, 9 Nov 2017 22:06:43 +0100
> "Christoph R. Murauer"  wrote:
>
>> If I understood your question correct ...
>>
>> > Running: OpenBSD6.2-release
>> >
>> > Goal: To run a secure and functional web server.
>> > (the server is currently up and running and used by
>> > the public at large)
>>
>> If there are security-related patches or things that need to be fixed
>> so that the package works as it should, you can simply run pkg_add -iu
>
> Thanks for your reply Christoph.
>
> Please correct me if I'm wrong, but as I understand things, this only
> works if one is following OpenBSD-current.  I am running -release.
> This is an in-use production server; I don't feel wise running -current.
>
>> You can add wxallowed to a already mounted filesystem using mount(8).
>
> In theory, I don't like this; I would rather keep preventing everything
> not mapped from /usr/local from being able to have both writable and
> executable pages, even if it's only temporary.
>
>> > Is it not worth it to update ports in this way; meaning, is it better
>> > to simply wait for OpenBSD6.3 and stick with binary packages only
>> > (as recommended on the openbsd.org site)?
>>
>> That depends on your requirements. See above.
>
> My answer also depends.  Ideally, I'd want to jump on any update for
> any software for which a security advisory has been issued.  Also,
> I do wish to track other non-critical updates to keep the server's
> software relatively up-to-date so as not to fall behind; picking up
> performance and related enhancements is a bonus.  In practice,
> at least for myself and my available time, this isn't always feasible
> (e.g. the ports tree doesn't have the latest software available as a port
> and it would also be a significant time commitment to build and install
> the software from the original source and successfully integrate it into
> OpenBSD.)
>
> For example, moving to php v7.1.11 or 7.2 falls into this category
> (see: http://www.securityfocus.com/bid/101745).
> Looking at what the ports system has to do to make the php 7.0.23
> package, I'd be spending my life getting 7.2 to build and work properly
> and I feel this is better left to those with more OpenBSD porting
> experience.
>
> Some software builds and integrates from original sources more easily;
> that is, the usual:
> ./configure {reasonable options} -> make -> make install
> procedure goes off without a hitch, or at least without too many edits.
>
>> > Also, is there an easy/sane way to remove packages that were only
>> > required for building once the ports have been updated?
>>
>> A port is a package. See make clean and so on for built ports and
>> pkg_delete -a for packages. IMHO who says that something unneeded is
>> installed? It also has no effect on the system if build deps. are
>> kept in the ports tree.
>
> I understand that the ports system first builds and packages a port,
> and then installs it.
>
> I could be doing something wrong, but it seems that some ports install
> dependencies to the system (pkg_add-style) that are required to *build*
> the package from source, but that aren't required to *run* the package
> (e.g. cmake).
>
> So, I definitely don't mind leaving the built packages in the ports
> tree, but I *do* mind leaving them installed on the system.
>

Use proot(1).  It's amazing.  You need space, though.  I am using 2.5G to
build my personal use ports.  So, nothing huge.

With dpb(1) it's a pretty automatic process to rebuild stuff.

Tim.




Re: Keeping up to date with ports and putting ports/pobj on wxallowed filesystem

2017-11-09 Thread Marc Espie
On Thu, Nov 09, 2017 at 02:04:39PM -0500, Jeff wrote:
> Is this a rational solution to the problem? I'm somewhat regretting
> going this route as, unlike with pkg_add, building some ports from the
> tree pulls in more dependencies than via pkg_add (I am assuming that
> these are build dependencies and not run-time dependencies; please
> correct me if this is not so)

pkg_delete -a

will remove auto-added packages, which is what happens for strictly build-time
dependencies



Re: Partitioning on MacBook Pro for triple booting

2017-11-09 Thread Nick Holland
On 11/09/17 13:42, SFM wrote:
...
> The target:
> 
> Triple boot Mac OS X, OpenBSD and DragonFly BSD from the same drive
> (there are quite a few reasons for this, do not call me a masochist,
> at least not in public).

no need, you already described your behavior. ;)

> 
> The problem: As I, of course, do not intend to use the whole disk for
> OpenBSD, I choose “E” at the prompt which asks so. As expected,
> fdisk is summoned. I then mark, according to the instructions, my
> second partition, where I want my OpenBSD installation to sit, as an
> active A06 partition and exit, saving my progress. I would expect the
> installer to summon disklabel, which does not happen. It complains
> that no OpenBSD active partition is present. I can do that over and
> over again and there is no way that I go beyond that point.

did you really create an A06 partition?  If so (and I don't think fdisk should
let you do that, but I've never tried) what you describe is what should
happen.

it's "a6", not "a06".

Nick.



Re: Keeping up to date with ports and putting ports/pobj on wxallowed filesystem

2017-11-09 Thread Christoph R. Murauer
> Thanks for your reply Christoph.
>
> Please correct me if I'm wrong, but as I understand things, this only
> works if one is following OpenBSD-current.  I am running -release.
> This is an in-use production server; I don't feel wise running
> -current.

If you install for example OpenBSD 6.2 you have a -release version. On
the errata page https://www.openbsd.org/errata62.html you find the
available patches for the -release base system. If you apply these
patches with syspatch(8) you have a -stable system. -current (also
called snapshots) is something different.

>> You can add wxallowed to a already mounted filesystem using
>> mount(8).
>
> In theory, I don't like this; I would rather keep preventing
> everything
> not mapped from /usr/local from being able to have both writable and
> executable pages, even if it's only temporary.

That was only meant as information. I have enough RAM and use it to
build things. There are many ways to do things.

> ...
> Some software builds and integrates from original sources more easily;
> that is, the usual:
> ./configure {reasonable options} -> make -> make install
> procedure goes off without a hitch, or at least without too many
> edits.

IMHO sure, you can build all the things you need manually. The point is,
ports (from what you talked about) have maintainers. If you use a
./configure switch, it does not mean that the maintainer will also go
this way for port updates or provide a flavour for the port using
this switch. Security things or broken things from a port should be
fixed upstream - if not and, if you like to see updated ports, work on
it.

>
> I understand that the ports system first builds and packages a port,
> and then installs it.
>
> I could be doing something wrong, but it seems that some ports install
> dependencies to the system (pkg_add-style) that are required to
> *build*
> the package from source, but that aren't required to *run* the package
> (e.g. cmake).
>
> So, I definitely don't mind leaving the built packages in the ports
> tree, but I *do* mind leaving them installed on the system.
>

See my pkg_add -a mention and, the answer from espie@




Re: Keeping up to date with ports and putting ports/pobj on wxallowed filesystem

2017-11-09 Thread Christoph R. Murauer
Sorry, typo. Meant pkg_delete -a



Fwd: Partitioning on MacBook Pro for triple booting

2017-11-09 Thread SFM
Sorry, I meant “A6” of course!

Begin forwarded message:

> From: Nick Holland 
> Date: 9 November 2017, 11:32:12 PM GMT+1
> To: misc@openbsd.org
> Subject: Re: Partitioning on MacBook Pro for triple booting
> 
>> On 11/09/17 13:42, SFM wrote:
>> ...
>> The target:
>> 
>> Triple boot Mac OS X, OpenBSD and DragonFly BSD from the same drive
>> (there are quite a few reasons for this, do not call me a masochist,
>> at least not in public).
> 
> no need, you already described your behavior. ;)
> 
>> 
>> The problem: As I, of course, do not intend to use the whole disk for
>> OpenBSD, I choose “E” at the prompt which asks so. As expected,
>> fdisk is summoned. I then mark, according to the instructions, my
>> second partition, where I want my OpenBSD installation to sit, as an
>> active A06 partition and exit, saving my progress. I would expect the
>> installer to summon disklabel, which does not happen. It complains
>> that no OpenBSD active partition is present. I can do that over and
>> over again and there is no way that I go beyond that point.
> 
> did you really create an A06 partition?  If so (and I don't think fdisk should
> let you do that, but I've never tried) what you describe is what should
> happen.
> 
> it's "a6", not "a06".
> 
> Nick.
>