nxserver on OpenBSD

2022-03-23 Thread Sandeep Gupta
Hello,

 I am looking for an nxserver for OpenBSD. It seems all the well known
solutions -- NoMachine, OpenNX, nxserver. The only one which is actively
worked on is X2GO. Just wanted to confirm if OpenBSD has support for any of
the nxserver solutions or is there a plan/intent to support one.

Thanks
Sandeep


Re: Error in dconf-0.40.0: @tag gio-querymodules definition not found

2022-03-23 Thread Daniel Lemke
Ok, I think I got it figured out after some time away from the computer.
My use of -n was causing the error. I thought I would check for problems
before making changes permanent. Since nothing was being installed, the
package manager couldn't use functions from the dependencies either
hence causing the error. Oops, sorry for the idiocy.



Re: Identifying a network

2022-03-23 Thread Stuart Henderson
On 2022-03-23, Zé Loff  wrote:
>
> Hi all
>
> I have a laptop in which I use ifstated to determine whether it is "at
> home" or whether it is "roaming", and bring up the VPN -- used to be
> iked, now it's wg -- for unwind and some NFS shares, if it is.
>
> My question is: how would you detect if the machine is "at home"?

If you use a "non default" subnet for your home network (not anything
common like 192.168.0.0/24, 192.168.1.0/24 etc) then checking the gateway
IP address might be good enough.

You could check the MAC address of the gateway, if you're using
something more common.

> My present setup is a combination of checking the BSSID of the AP if it
> is connected to one, and some MAC addresses of other machines on the
> network.  I can think of a couple other ways (SSH host keys, external IP
> -- though it might change --, DHCP-assigned domain, etc).  Is there an
> easier way I'm not thinking of?  How would you do it?
>
> Note that this isn't 100% fail-proof nor am I worried about
> covering absolutely all corner cases, or paranoid about someone spoofing
> my network's BSSID, MAC addresses, etc, etc, just to prevent me from
> setting up a VPN.  This is just for convenience.

Alternatively you could just leave the tunnel connected.. wg is pretty quick.


-- 
Please keep replies on the mailing list.



Re: question regarding rc.d multi daemon tool and symlink

2022-03-23 Thread Stuart Henderson
On 2022-03-23, Sven F.  wrote:
> Dear reader,
>
> according to the rc.d man:
>
> --
> daemon_class is a special read-only variable.  It is set to "daemon"
> unless there is a login class configured in login.conf(5) with the same
> name as the rc.d script itself, in which case it will be set to that
> login class.  This allows setting many initial process properties, for
> example environment variables, scheduling priority, and process limits
> such as maximum memory use and number of files.
> --
>
> If the daemon requires a specific class, like let's say `unbound`,
> but it's launched through a symlink `unbound_jail -> unbound`,
> the class will not be used and login.conf
> *must* declare `unbound_jail` ?

Correct, that is what the documentation says will happen, and is what
does happen. You can also look at the daemon_class entry in
/var/run/rc.d/$daemon_name to confirm which class it was actually
started with.

> In other words,
>
> Is there a way to, without rewriting rc_exec, use a specific class
> for all 'instances' created through a symlink of the rc.d/script directory.
> So all other unbound daemons actually do `su -c unbound` and not
> `su -c unbound_secondary`

That feature is not available. But you could add login.conf entries like

unbound_secondary:tc=unbound:

or copy the unbound block to /etc/login.conf.d/unbound and symlink to
the names for the other classes. At least that then has symmetry
with your symlinks in /etc/rc.d.



-- 
Please keep replies on the mailing list.
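An added example (not from the thread and not OpenBSD's rc.subr) that models the documented daemon_class rule, the class named after the rc.d script if login.conf defines one and "daemon" otherwise, and follows tc= links, so you can see what a symlinked script such as unbound_jail ends up with and what an entry like "unbound_secondary:tc=unbound:" changes. It assumes each login.conf entry is written on one line as "name:cap:cap:" and that any /etc/login.conf.d/<name> entries have already been appended to the same text; the sample configuration is constructed, only the class names come from the thread. The login.conf.d symlink variant is not modeled, since that depends on how login_getclass(3) matches the record name inside the file.

```python
"""Model rc.d's daemon_class lookup and login.conf tc= inheritance (added example)."""
import re
from typing import Dict, List, Union

TC_RE = re.compile(r"(?:^|:)tc=([^:]+):")

# Constructed sample login.conf; not a real system file.
SAMPLE_LOGIN_CONF = """\
default:umask=022:
daemon:ignorenologin:datasize=infinity:maxproc=infinity:openfiles=1024:tc=default:
unbound:openfiles=4096:tc=daemon:
unbound_secondary:tc=unbound:
"""


def parse_login_conf(text: str) -> Dict[str, str]:
    """Map class name -> its capability string (single-line entries only)."""
    classes: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, caps = line.partition(":")
        classes[name] = caps
    return classes


def daemon_class(script_name: str, classes: Dict[str, str]) -> str:
    """rc.d(8) rule: a class with the script's own name wins, otherwise 'daemon'."""
    return script_name if script_name in classes else "daemon"


def tc_chain(start: str, classes: Dict[str, str]) -> List[str]:
    """Follow tc= links from start; stop at an undefined class or a loop."""
    chain, seen, name = [start], {start}, start
    while name in classes:
        m = TC_RE.search(classes[name])
        if not m or m.group(1) in seen:
            break
        name = m.group(1)
        chain.append(name)
        seen.add(name)
    return chain


def effective_caps(script_name: str, classes: Dict[str, str]) -> Dict[str, Union[str, bool]]:
    """Capabilities the daemon would start with: child entries override parents."""
    merged: Dict[str, Union[str, bool]] = {}
    for name in reversed(tc_chain(daemon_class(script_name, classes), classes)):
        for cap in classes.get(name, "").split(":"):
            if not cap or cap.startswith("tc="):
                continue
            key, _, value = cap.partition("=")
            merged[key] = value if value else True   # bare word = boolean capability
    return merged


def report(script_name: str, classes: Dict[str, str]) -> str:
    """One line per script: the class rc.d would pick and the tc= chain behind it."""
    cls = daemon_class(script_name, classes)
    return "%s: daemon_class=%s (%s)" % (script_name, cls, " -> ".join(tc_chain(cls, classes)))


if __name__ == "__main__":
    conf = parse_login_conf(SAMPLE_LOGIN_CONF)
    for script in ("unbound", "unbound_secondary", "unbound_jail"):
        print(report(script, conf))
        print("   openfiles =", effective_caps(script, conf).get("openfiles"))
```

Running it shows unbound_jail falling back to the daemon class (openfiles 1024) while unbound_secondary inherits the unbound limits (openfiles 4096) through the tc= entry; on a real system, compare with the daemon_class value in /var/run/rc.d/$daemon_name as Stuart suggests.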



Re: Identifying a network

2022-03-23 Thread Jan Stary
On Mar 23 14:10:58, zel...@zeloff.org wrote:
> I have a laptop in which I use ifstated to determine whether it is "at
> home" or whether it is "roaming", and bring up the VPN -- used to be
> iked, now it's wg -- for unwind and some NFS shares, if it is.
> 
> My question is: how would you detect if the machine is "at home"? 

You know if you are at home.

So start up the VPN by hand if you are roaming.


> My present setup is a combination of checking the BSSID of the AP if it
> is connected to one, and some MAC addresses of other machines on the
> network.  I can think of a couple other ways (SSH host keys, external IP
> -- though it might change --, DHCP-assigned domain, etc).  Is there an
> easier way I'm not thinking of?  How would you do it?
> 
> Note that this isn't 100% fail-proof nor am I worried about
> covering absolutely all corner cases, or paranoid about someone spoofing
> my network's BSSID, MAC addresses, etc, etc, just to prevent me from
> setting up a VPN.  This is just for convenience.
> 
> Cheers and TIA
> Zé
> 
> -- 
>  
> 
> 



Error in dconf-0.40.0: @tag gio-querymodules definition not found

2022-03-23 Thread Daniel Lemke
I have searched all over the place and cannot find anywhere in man or
on openbsd.org what I am supposed to do with a "@tag gio-querymodules
definition not found" error. This happens whenever dconf-0.40.0 gets pulled as
dependency, but I see a similar error for other packages too (such as
librsvg-2.50.7).

Can someone please point me in the right direction here? I am on a
relatively fresh install, only having done:
  syspatch
  reboot
  pkg_add -Uu
  sysmerge -d

Attached is dmesg and output from pkg_add -n firefox-esr

OpenBSD 7.0 amd64

/etc/installurl:
https://cdn.openbsd.org/pub/OpenBSD
quirks-4.54 signed on 2022-03-21T17:41:55Z
Error in dconf-0.40.0: @tag gio-querymodules definition not found
Direct dependencies for dconf-0.40.0 resolve to glib2-2.68.4
Full dependency tree is glib2-2.68.4 pcre-8.44 python-3.8.12 libffi-3.3p1 
sqlite3-3.35.5p0 libiconv-1.16p0 bzip2-1.0.8p0 xz-5.2.5 gettext-runtime-0.21p1
Error in librsvg-2.50.7: @tag update-gdk-pixbuf definition not found
Direct dependencies for librsvg-2.50.7 resolve to pango-1.48.10 libxml-2.9.12p0 
gdk-pixbuf-2.42.6
Full dependency tree is fribidi-1.0.10 xz-5.2.5 tiff-4.3.0 shared-mime-info-2.1 
libxml-2.9.12p0 png-1.6.37 libffi-3.3p1 lz4-1.9.3p0 lzo2-2.10p2 harfbuzz-2.9.1 
sqlite3-3.35.5p0 gettext-runtime-0.21p1 zstd-1.5.0 pango-1.48.10 bzip2-1.0.8p0 
graphite2-1.3.14 gdk-pixbuf-2.42.6 glib2-2.68.4 cairo-1.16.0 libiconv-1.16p0 
jpeg-2.1.1v0 pcre-8.44 python-3.8.12
Can't install adwaita-icon-theme-40.1.1: can't resolve librsvg-2.50.7
Can't install gtk+3-3.24.30: can't resolve 
adwaita-icon-theme-40.1.1,dconf-0.40.0
Can't install firefox-esr-91.7.0: can't resolve gtk+3-3.24.30
The following new rcscripts were installed: /etc/rc.d/messagebus
See rcctl(8) for details.
New and changed readme(s):
/usr/local/share/doc/pkg-readmes/dbus
/usr/local/share/doc/pkg-readmes/glib2
Couldn't install adwaita-icon-theme-40.1.1 dconf-0.40.0 firefox-esr-91.7.0 
gtk+3-3.24.30 librsvg-2.50.7
OpenBSD 7.0 (GENERIC.MP) #232: Thu Sep 30 14:25:29 MDT 2021
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8473923584 (8081MB)
avail mem = 8201093120 (7821MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xe8ad1 (27 entries)
bios0: vendor Hewlett-Packard version "L04 v02.31" date 05/18/2018
bios0: Hewlett-Packard HP EliteDesk 800 G1 DM
acpi0 at bios0: ACPI 5.0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT SSDT SSDT SSDT MCFG HPET SSDT SSDT SSDT SLIC 
MSDM ASF! TCPA DMAR
acpi0: wakeup devices PS2K(S3) PS2M(S3) PXSX(S4) PXSX(S4) PXSX(S4) PXSX(S4) 
PXSX(S4) PXSX(S4) PXSX(S4) PXSX(S4) GLAN(S4) EHC1(S3) EHC2(S3) XHC_(S3) 
HDEF(S4) PEG0(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz, 1995.80 MHz, 06-3c-03
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,TSC_ADJUST,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SRBDS_CTRL,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz, 1995.39 MHz, 06-3c-03
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,TSC_ADJUST,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SRBDS_CTRL,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz, 1995.39 MHz, 06-3c-03
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,TSC_ADJUST,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SRBDS_CTRL,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Core(TM) 

Ryzen 9 4900H amdgpu firmware

2022-03-23 Thread Fredrik Engberg
Hey, I'm having a bit of a problem with my Ryzen 9 4900H. When I install the
amdgpu firmware, I only get a black screen after it loads the
firmware. I'm running -current. I'm wondering if anyone else has this
problem. This is the error I get. I will attach my dmesg also.

drm:pid0:psp_get_runtime_db_entry *WARNING* PSP runtime database doesn't exist
[drm] Unknown EDID CEA parser results
drm:pid0:gmc_v9_0_process_interrupt *ERROR* [mmhub0] no-retry page
fault (src_id:0 ring:158 vmid:0 pasid:0, for process  pid 0 thread
pid 0)
drm:pid0:gmc_v9_0_process_interrupt *ERROR*   in page starting at
address 0x00561000 from IH client 0x12 (VMC)
drm:pid0:gmc_v9_0_process_interrupt *ERROR*
VM_L2_PROTECTION_FAULT_STATUS:0x3B3C
drm:pid0:gmc_v9_0_process_interrupt *ERROR* Faulty UTCL2 client ID: VCNU (0x1d)
drm:pid0:gmc_v9_0_process_interrupt *ERROR* MORE_FAULTS: 0x0
drm:pid0:gmc_v9_0_process_interrupt *ERROR* WALKER_ERROR: 0x6
drm:pid0:gmc_v9_0_process_interrupt *ERROR* PERMISSION_FAULTS: 0x3
drm:pid0:gmc_v9_0_process_interrupt *ERROR* MAPPING_ERROR: 0x1
drm:pid0:gmc_v9_0_process_interrupt *ERROR* RW: 0x0
[drm] *ERROR* ring vcn_dec test failed (-60)
[drm] *ERROR* hw_init of IP block  failed -60
drm:pid0:amdgpu_device_init *ERROR* amdgpu_device_ip_init failed
drm:pid0:amdgpu_attachhook *ERROR* Fatal error during GPU init


OpenBSD 7.1-beta (GENERIC.MP) #429: Tue Mar 22 10:45:17 MDT 2022
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 33703485440 (32142MB)
avail mem = 32664760320 (31151MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.2 @ 0xcd01f000 (44 entries)
bios0: vendor American Megatrends Inc. version "5.16" date 10/13/2021
bios0: BESSTAR TECH LIMITED HM90
acpi0 at bios0: ACPI 6.0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SSDT IVRS FIDT MCFG HPET SSDT VFCT BGRT TPM2
SSDT CRAT CDIT SSDT SSDT SSDT SSDT WSMT APIC SSDT SSDT FPDT
acpi0: wakeup devices GPP0(S4) GPP1(S4) GPP2(S4) GPP3(S4) GPP4(S4)
GPP5(S4) GP17(S4) XHC0(S4) XHC1(S4) GP18(S4) GP19(S4) SIO1(S3)
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimcfg0 at acpi0
acpimcfg0: addr 0xf0000000, bus 0-127
acpihpet0 at acpi0: 14318180 Hz
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Ryzen 9 4900H with Radeon Graphics, 3294.30 MHz, 17-60-01
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TCE,TOPEXT,CPCTR,DBKP,PCTRL3,MWAITX,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,PQM,RDSEED,ADX,SMAP,CLFLUSHOPT,CLWB,SHA,UMIP,IBPB,IBRS,STIBP,SSBD,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu0: 32KB 64b/line 8-way I-cache, 32KB 64b/line 8-way D-cache, 512KB
64b/line 8-way L2 cache
cpu0: ITLB 64 4KB entries fully associative, 64 4MB entries fully associative
cpu0: DTLB 64 4KB entries fully associative, 64 4MB entries fully associative
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=1.1, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD Ryzen 9 4900H with Radeon Graphics, 3293.82 MHz, 17-60-01
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TCE,TOPEXT,CPCTR,DBKP,PCTRL3,MWAITX,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,PQM,RDSEED,ADX,SMAP,CLFLUSHOPT,CLWB,SHA,UMIP,IBPB,IBRS,STIBP,SSBD,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu1: 32KB 64b/line 8-way I-cache, 32KB 64b/line 8-way D-cache, 512KB
64b/line 8-way L2 cache
cpu1: ITLB 64 4KB entries fully associative, 64 4MB entries fully associative
cpu1: DTLB 64 4KB entries fully associative, 64 4MB entries fully associative
cpu1: smt 1, core 0, package 0
cpu2 at mainbus0: apid 2 (application processor)
cpu2: AMD Ryzen 9 4900H with Radeon Graphics, 3293.82 MHz, 17-60-01
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TCE,TOPEXT,CPCTR,DBKP,PCTRL3,MWAITX,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,PQM,RDSEED,ADX,SMAP,CLFLUSHOPT,CLWB,SHA,UMIP,IBPB,IBRS,STIBP,SSBD,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu2: 32KB 64b/line 8-way I-cache, 32KB 64b/line 8-way D-cache, 512KB
64b/line 8-way L2 cache
cpu2: ITLB 64 4KB entries fully associative, 64 4MB entries fully associative
cpu2: DTLB 64 4KB entries fully associative, 64 4MB entries fully associative
cpu2: 

Re: tcpdump - ifname in filter expression

2022-03-23 Thread Aner Perez

On 3/22/22 00:37, David Gwynne wrote:

On Mon, Mar 21, 2022 at 04:37:59PM -0400, Aner Perez wrote:

I noticed that if I put an "ifname" (or "on") in a filter expression for
tcpdump, it will show all traffic that has an ifname that *starts with* the
name I provided, e.g.

# tcpdump -n -l -e -ttt -i pflog0 ifname vlan1

Will show packets for vlan1 but also for vlan110, vlan140, etc (but not for 
em0).

It's not clear from the man page if that is the intended behavior.

https://man.openbsd.org/tcpdump.8#ifname

ifname interface
    True if the packet was logged as coming from the specified interface
    (applies only to packets logged by pf(4)).

While testing I also tried using "ifname vlan" as the filter but it fails
with a syntax error. I'm thinking that is probably an unintended
interaction with the "vlan" primitive since "ifname em" or "ifname bnx" seem
to work with no error.

This is all tested on 6.7 so apologies if this is not the current behavior.

i think this behaviour with ifname is unintended. the diff below tries
to fix it by having the ifname comparison include the terminating nul
when doing a comparison of the supplied interface name and the one in
the pflog header.

the consequence is that it will no longer do string prefix matches,
only whole name matches.

the vlan thing is different because there's a "vlan" keyword in our
pcap filter language that lets you do things like "tcpdump vlan
123" when sniffing on a vlan parent interface to limit the packets
to those with tag 123. the parser is saying it didn't expect you to
talk about vlan when it's supposed to be a string (ie, not a keyword)
at that point.

Index: gencode.c
===
RCS file: /cvs/src/lib/libpcap/gencode.c,v
retrieving revision 1.60
diff -u -p -r1.60 gencode.c
--- gencode.c   13 Feb 2022 20:02:30 -  1.60
+++ gencode.c   22 Mar 2022 04:29:40 -
@@ -3230,7 +3246,7 @@ gen_pf_ifname(char *ifname)
len - 1);
/* NOTREACHED */
}
-   b0 = gen_bcmp(off, strlen(ifname), ifname);
+   b0 = gen_bcmp(off, strlen(ifname) + 1, ifname);
return (b0);
  }
  
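Review bot: the +1 in gen_bcmp(off, strlen(ifname) + 1, ifname) is only safe if two things hold that the hunk does not show and the commit message should state: the length check just above (its error path mentions len - 1, so names of up to len - 1 characters are accepted) must guarantee that strlen(ifname) + 1 bytes still lie inside the ifname field of the pflog header, and that field must be zero-padded so the extra byte is compared against a NUL rather than whatever follows a shorter name. A one-line comment at the call site saying the terminator is included on purpose would also stop someone from "fixing" it back to strlen(). Two smaller points: the hunk header @@ -3230,7 +3246,7 @@ has a 16-line offset on the new side with no other hunk in the diff, so this was cut from a tree carrying other local changes and should be regenerated against a clean checkout before commit; and the tcpdump.8 text for ifname quoted earlier in the thread should say the name must match exactly, since "ifname vlan1" will no longer match vlan110.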

That certainly seems like it would do the trick.  Would your diff make it into the 
official source tree for a future release or is this something that needs to be discussed 
by the powers that be?


Thanks for looking into it!

    - Aner
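An added example, not libpcap code, that models the pflog header's fixed-size, NUL-padded ifname field and the two comparisons David's diff switches between: strlen(ifname) bytes, which is a prefix match, versus strlen(ifname) + 1 bytes, which is a whole-name match because the extra byte is the terminating NUL. IFNAMSIZ is assumed to be 16 as in OpenBSD's net/if.h, and the interface names are the ones from Aner's report.

```python
"""Prefix versus whole-name matching of a NUL-padded ifname field (added example)."""
from typing import List

IFNAMSIZ = 16   # assumption: OpenBSD's net/if.h value; pflog stores char ifname[IFNAMSIZ]


def pflog_ifname_field(name: str) -> bytes:
    """Build the NUL-padded char[IFNAMSIZ] field as it sits in the pflog header."""
    raw = name.encode("ascii")
    if len(raw) >= IFNAMSIZ:          # must leave room for the terminating NUL
        raise ValueError("interface name too long: %r" % name)
    return raw.ljust(IFNAMSIZ, b"\0")


def bcmp_length(wanted: str, whole_name: bool) -> int:
    """Byte count handed to the compare: strlen() before the diff, strlen()+1 after it."""
    if len(wanted) >= IFNAMSIZ:
        raise ValueError("interface name too long: %r" % wanted)
    return len(wanted) + (1 if whole_name else 0)


def ifname_matches(field: bytes, wanted: str, whole_name: bool) -> bool:
    """Compare the first bcmp_length() bytes of the field with the filter string."""
    n = bcmp_length(wanted, whole_name)
    pattern = (wanted.encode("ascii") + b"\0")[:n]   # includes the NUL only when n == len+1
    return field[:n] == pattern


def matching_interfaces(logged: List[str], wanted: str, whole_name: bool) -> List[str]:
    """Which logged interface names an 'ifname <wanted>' filter would let through."""
    return [name for name in logged
            if ifname_matches(pflog_ifname_field(name), wanted, whole_name)]


if __name__ == "__main__":
    seen = ["vlan1", "vlan110", "vlan140", "em0"]   # constructed sample of logged names
    for whole in (False, True):
        print("ifname vlan1, %s match: %s" % ("whole-name" if whole else "prefix",
                                             matching_interfaces(seen, "vlan1", whole)))
```

With the prefix comparison "vlan1" lets vlan110 and vlan140 through; with the NUL included only vlan1 matches, and a 16-character name is rejected up front, mirroring the len - 1 check visible in the diff context.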



question regarding rc.d multi daemon tool and symlink

2022-03-23 Thread Sven F.
Dear reader,

according to the rc.d man:

--
daemon_class is a special read-only variable.  It is set to "daemon"
unless there is a login class configured in login.conf(5) with the same
name as the rc.d script itself, in which case it will be set to that
login class.  This allows setting many initial process properties, for
example environment variables, scheduling priority, and process limits
such as maximum memory use and number of files.
--

If the daemon requires a specific class, like let's say `unbound`,
but it's launched through a symlink `unbound_jail -> unbound`,
the class will not be used and login.conf
*must* declare `unbound_jail` ?

In other words,

Is there a way to, without rewriting rc_exec, use a specific class
for all 'instances' created through a symlink of the rc.d/script directory.
So all other unbound daemons actually do `su -c unbound` and not
`su -c unbound_secondary`

Best,



firefox killed - out of swap

2022-03-23 Thread Jan Stary
This is current/amd64 on a Thinkpad T410 (dmesg below).
My firefox session just got killed with

UVM: pid 76017 (firefox), uid 1000 killed: out of swap

The machine has 8GB of ram and no swap.
There was a few GB of free ram at the moment.

Is there something that makes the system want to use swap
even if there is real memory available? On amd64 systems
with enough memory, I have no swap as a rule: if there
is a swap partition, something will start using it it seems,
slowing everything down. But never before have I had
a process killed for not having swap ...

Jan


OpenBSD 7.1-beta (GENERIC.MP) #0: Tue Mar 22 10:57:47 CET 2022
h...@t410.stare.cz:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8357658624 (7970MB)
avail mem = 8087089152 (7712MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xe0010 (78 entries)
bios0: vendor LENOVO version "6IET75WW (1.35 )" date 02/01/2011
bios0: LENOVO 2537BN8
acpi0 at bios0: ACPI 4.0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SSDT ECDT APIC MCFG HPET ASF! SLIC BOOT SSDT TCPA DMAR 
SSDT SSDT SSDT
acpi0: wakeup devices LID_(S3) SLPB(S3) IGBE(S4) EXP1(S4) EXP2(S4) EXP3(S4) 
EXP4(S4) EXP5(S4) EHC1(S3) EHC2(S3) HDEF(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiec0 at acpi0
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5 CPU M 560 @ 2.67GHz, 2926.44 MHz, 06-25-05
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,AES,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 133MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.1, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM) i5 CPU M 560 @ 2.67GHz, 2926.01 MHz, 06-25-05
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,AES,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,MELTDOWN
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 1, core 0, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Core(TM) i5 CPU M 560 @ 2.67GHz, 2926.02 MHz, 06-25-05
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,AES,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,MELTDOWN
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 5 (application processor)
cpu3: Intel(R) Core(TM) i5 CPU M 560 @ 2.67GHz, 2926.01 MHz, 06-25-05
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,AES,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,MELTDOWN
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 1, core 2, package 0
ioapic0 at mainbus0: apid 1 pa 0xfec00000, version 20, 24 pins, remapped
acpimcfg0 at acpi0
acpimcfg0: addr 0xe0000000, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (PEG_)
acpiprt2 at acpi0: bus 2 (EXP1)
acpiprt3 at acpi0: bus 3 (EXP2)
acpiprt4 at acpi0: bus -1 (EXP3)
acpiprt5 at acpi0: bus 5 (EXP4)
acpiprt6 at acpi0: bus 13 (EXP5)
acpibtn0 at acpi0: LID_
acpibtn1 at acpi0: SLPB
acpipci0 at acpi0 UNCR
acpipci1 at acpi0 PCI0: 0x00000000 0x00000011 0x00000001
acpicmos0 at acpi0
tpm0 at acpi0 TPM_ 1.2 (TIS) addr 0xfed40000/0x5000, device 0x104a rev 0x4e
acpibat0 at acpi0: BAT0 model "42T4751" serial  1780 type LION oem "SANYO"
acpiac0 at acpi0: AC unit offline
acpithinkpad0 at acpi0: version 1.0
"*pnp0c14" at acpi0 not configured
"PNP0C14" at acpi0 not configured
acpicpu0 at acpi0: C3(350@245 mwait.3@0x20), C2(500@205 mwait.3@0x10), 
C1(1000@3 mwait.1), PSS
acpicpu1 at acpi0: C3(350@245 mwait.3@0x20), C2(500@205 mwait.3@0x10), 
C1(1000@3 mwait.1), PSS
acpicpu2 at acpi0: C3(350@245 mwait.3@0x20), C2(500@205 mwait.3@0x10), 
C1(1000@3 mwait.1), PSS
acpicpu3 at acpi0: C3(350@245 mwait.3@0x20), C2(500@205 mwait.3@0x10), 
C1(1000@3 mwait.1), PSS
acpipwrres0 at acpi0: PUBS, resource for EHC1, EHC2
acpitz0 at acpi0: critical temperature is 100 degC
acpivideo0 at acpi0: VID_
acpivout0 at acpivideo0: LCD0
acpivideo1 at acpi0: VID_
cpu0: using IvyBridge MDS workaround
cpu0: Enhanced SpeedStep 2926 MHz: speeds: 2667, 2666, 

Re: ipsec traffic is dropped between two machines

2022-03-23 Thread readme
On Wed, Mar 23, 2022 at 02:10:03PM +0100, Tobias Heider wrote:
>On Mon, Mar 21, 2022 at 01:04:28PM -0500, rea...@catastrophe.net wrote:
>> I have two openbsd machines configured to connect their respective
>> downstream networks over ipsec. When I try to generate traffic (ping)
>> from server-west's enc0 interface (10.255.255.1) to server-east's enc0
>> interface (10.254.255.1), traffic is sent out the corresponding
>> SA but is never seen on server-east's enc0 interface. Only when I
>> simultaneously generate traffic (ping, again) on server-east back to 
>> server-west do I see the echo replies from server-east on server-west.
>> 
>I don't fully understand your setup but having both 10.255.255.0/24 to
>10.254.255.0/24 and 10.254.255.0/24 to 10.255.255.0/24 configured on both
>sides does not make sense to me.

Good point, I've cleaned the configs up and just created the statements
necessary following your configs here, with one addition on each side (so
the servers can ping each other over the tunnel without using their
respective enc0 interfaces as a source).

>Assuming 10.255.255.0/24 is reachable via server-west and 10.254.255.0/24 via
>server-east the configs should probably be:
>
>server-west:/etc/iked.conf
>-
>ikev2 'server-east.example.com' passive esp \
>from 10.255.255.0/24 to 10.254.255.0/24 \
>from 203.0.113.50/32 to 10.254.255.0/24 \
+from 203.0.113.50/32 to 100.64.1.92/32 \
>local 203.0.113.50 peer server-east.example.com \
>srcid server-west.example.com \
>dstid server-east.example.com \
>psk "12345" \
>tag "VPN.EAST"
>
>server-east:/etc/iked.conf
>-
>ikev2 'server-west.example.com' active esp \
>from 10.254.255.0/24 to 10.255.255.0/24 \
>from 100.64.1.92/32 to 10.255.255.0/24 \
+from 100.64.1.92/32 to 203.0.113.50/32 \
>local 100.64.1.92 peer server-west.example.com \
>srcid server-east.example.com \
>dstid server-west.example.com \
>psk "12345" \
>tag "VPN.WEST"
>

The general diagram of what this looks like is:

em0:203.0.113.50 -~-~- ipsec tunnel -~-~-~- vio0:100.64.1.92
| SERVER-WEST |                              | SERVER-EAST |
enc0:10.255.255.1/24                         enc0:10.254.255.1/24

Trying to generate traffic from the physical interfaces on either server
(em0 or vio) fails towards either the remote physical interface or the
remote enc0 interface. I've included flows and `iked -dvvv` at the bottom.


Ping from enc0 on server-west to enc0 on server-east. Works as expected.

server-west# ping -I 10.255.255.1 10.254.255.1
PING 10.254.255.1 (10.254.255.1): 56 data bytes
64 bytes from 10.254.255.1: icmp_seq=0 ttl=255 time=46.493 ms
64 bytes from 10.254.255.1: icmp_seq=1 ttl=255 time=46.439 ms
64 bytes from 10.254.255.1: icmp_seq=2 ttl=255 time=46.222 ms
^C
--- 10.254.255.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 46.222/46.385/46.493/0.117 ms


Now try pinging from em0 on server-west to the remote side with no success.

server-west# ifconfig em0 |grep 174.136.105
inet 203.0.113.50 netmask 0xfffffffc broadcast 174.136.105.51

server-west# ping -I 203.0.113.50 10.254.255.1
PING 10.254.255.1 (10.254.255.1): 56 data bytes
^C
--- 10.254.255.1 ping statistics ---
7 packets transmitted, 0 packets received, 100.0% packet loss


Shouldn't this be covered by the following flow?
spi=0x3a561aeb30f190ce: ikev2_childsa_enable: loaded flows:
ESP-10.254.255.0/24=10.255.255.0/24(0),ESP-100.64.1.92/32=10.255.255.0/24(0), 
ESP-100.64.1.92/32=203.0.113.50/32(0) spi=0x3a561aeb30f190ce: sa_state: VALID 
-> ESTABLISHED from 203.0.113.50:500 to 100.64.1.92:500 policy 
'server-west.example.com'


Same problem on server-east ping server-west enc0 with traffic sourcing 
from server-east enc0

server-east# ping -I 10.254.255.1 10.255.255.1
PING 10.255.255.1 (10.255.255.1): 56 data bytes
64 bytes from 10.255.255.1: icmp_seq=0 ttl=255 time=46.407 ms
64 bytes from 10.255.255.1: icmp_seq=1 ttl=255 time=46.360 ms
64 bytes from 10.255.255.1: icmp_seq=2 ttl=255 time=46.361 ms
^C
--- 10.255.255.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 46.360/46.376/46.407/0.022 ms


Now try and ping from server-east vio0 to the remote side. This fails.

server-east# ifconfig vio0 |grep 45.76.227
inet 100.64.1.92 netmask 0xfffffe00 broadcast 45.76.227.255

server-east# ping -I 100.64.1.92 10.255.255.1
PING 10.255.255.1 (10.255.255.1): 56 data bytes
^C
--- 10.255.255.1 ping statistics ---
7 packets transmitted, 0 packets received, 100.0% packet loss


FLOWS
=

server-west# ipsecctl -sa
FLOWS:
flow esp in from 10.254.255.0/24 to 10.255.255.0/24 peer 100.64.1.92 srcid 
FQDN/server-west.example.com dstid FQDN/server-east.example.com type require
flow esp in from 10.254.255.0/24 to 203.0.113.50 peer 
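An added example, not from the thread and not part of ipsecctl or iked, that parses the FLOWS section ipsecctl -sa prints and answers the question "shouldn't this be covered by that flow?" mechanically for a given source, destination and direction. The sample flow lines are constructed from the addresses in the thread for the server-west side (the six flows the two iked.conf blocks above would produce, in and out). A match only means the kernel's flow table has a matching entry in that direction; it says nothing about the SA, pf rules, routing, or the flows loaded on the remote side, which are the next things to check when a covered pair still gets no replies.

```python
"""Check src/dst coverage against ipsecctl -sa FLOWS output (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

FLOW_RE = re.compile(
    r"^flow\s+(?P<proto>esp|ah|ipcomp|ipip)\s+(?P<dir>in|out)\s+"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
)

# Constructed sample, shaped like the server-west FLOWS output in the thread.
SAMPLE_FLOWS = """\
FLOWS:
flow esp in from 10.254.255.0/24 to 10.255.255.0/24 peer 100.64.1.92 srcid FQDN/server-west.example.com dstid FQDN/server-east.example.com type require
flow esp in from 10.254.255.0/24 to 203.0.113.50 peer 100.64.1.92 srcid FQDN/server-west.example.com dstid FQDN/server-east.example.com type require
flow esp in from 100.64.1.92 to 203.0.113.50 peer 100.64.1.92 srcid FQDN/server-west.example.com dstid FQDN/server-east.example.com type require
flow esp out from 10.255.255.0/24 to 10.254.255.0/24 peer 100.64.1.92 srcid FQDN/server-west.example.com dstid FQDN/server-east.example.com type require
flow esp out from 203.0.113.50 to 10.254.255.0/24 peer 100.64.1.92 srcid FQDN/server-west.example.com dstid FQDN/server-east.example.com type require
flow esp out from 203.0.113.50 to 100.64.1.92 peer 100.64.1.92 srcid FQDN/server-west.example.com dstid FQDN/server-east.example.com type require
"""


@dataclass(frozen=True)
class Flow:
    proto: str
    direction: str
    src: Net
    dst: Net

    def covers(self, src: str, dst: str, direction: str) -> bool:
        """True if a packet src -> dst travelling in this direction selects this flow."""
        return (self.direction == direction
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst)


def parse_flows(text: str) -> List[Flow]:
    """Keep only 'flow ...' lines; a bare address becomes a host network (/32 or /128)."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append(Flow(m["proto"], m["dir"],
                              ipaddress.ip_network(m["src"], strict=False),
                              ipaddress.ip_network(m["dst"], strict=False)))
    return flows


def covering_flows(flows: List[Flow], src: str, dst: str, direction: str) -> List[Flow]:
    return [f for f in flows if f.covers(src, dst, direction)]


def round_trip_covered(flows: List[Flow], local: str, remote: str) -> bool:
    """A ping needs an 'out' flow for the request and an 'in' flow for the reply."""
    return bool(covering_flows(flows, local, remote, "out")) and \
        bool(covering_flows(flows, remote, local, "in"))


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for local, remote in (("10.255.255.1", "10.254.255.1"),
                          ("203.0.113.50", "10.254.255.1")):
        print("%s -> %s covered both ways: %s"
              % (local, remote, round_trip_covered(flows, local, remote)))
```

Feed it the real output with parse_flows(subprocess.check_output(["ipsecctl", "-sa"], text=True)) on each peer and check the pair in both directions on both ends; a pair that is covered on both sides but still fails moves the question to the SAs, pf, and routing.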

Re: Identifying a network

2022-03-23 Thread Daniel Gracia
On Wed, 23 Mar 2022 at 15:12, Zé Loff () wrote:
>
>
> Hi all
>
> I have a laptop in which I use ifstated to determine whether it is "at
> home" or whether it is "roaming", and bring up the VPN -- used to be
> iked, now it's wg -- for unwind and some NFS shares, if it is.
>
> My question is: how would you detect if the machine is "at home"?
>
> My present setup is a combination of checking the BSSID of the AP if it
> is connected to one, and some MAC addresses of other machines on the
> network.  I can think of a couple other ways (SSH host keys, external IP
> -- though it might change --, DHCP-assigned domain, etc).  Is there an
> easier way I'm not thinking of?  How would you do it?

The DHCP solution (i.e. option 15) seems to be a sane way of solving
your problem from the client side. To solve the situation the other
way around (getting to know from which AP your client is connecting at
the DHCP server) I would get some APs that cope with option 82. Then
you would know from where you are connecting, on both sides of the
wire.

>
> Note that this isn't 100% fail-proof nor am I worried about
> covering absolutely all corner cases, or paranoid about someone spoofing
> my network's BSSID, MAC addresses, etc, etc, just to prevent me from
> setting up a VPN.  This is just for convenience.
>
> Cheers and TIA
> Zé
>
> --
>
>

Regards!



Re: Identifying a network

2022-03-23 Thread Łukasz Moskała

On 23.03.2022 at 15:10, Zé Loff wrote:


Hi all

I have a laptop in which I use ifstated to determine whether it is "at
home" or whether it is "roaming", and bring up the VPN -- used to be
iked, now it's wg -- for unwind and some NFS shares, if it is.

My question is: how would you detect if the machine is "at home"?

My present setup is a combination of checking the BSSID of the AP if it
is connected to one, and some MAC addresses of other machines on the
network.  I can think of a couple other ways (SSH host keys, external IP
-- though it might change --, DHCP-assigned domain, etc).  Is there an
easier way I'm not thinking of?  How would you do it?

Note that this isn't 100% fail-proof nor am I worried about
covering absolutely all corner cases, or paranoid about someone spoofing
my network's BSSID, MAC addresses, etc, etc, just to prevent me from
setting up a VPN.  This is just for convenience.

Cheers and TIA
Zé



Hi,

I'd just check both SSID and BSSID and call it good enough, to be honest.

In this case, if I understand correctly, to spoof it, somebody would 
have to know your wifi password, otherwise your laptop wouldn't connect 
to it.


Regards,
--
Łukasz Moskała



Identifying a network

2022-03-23 Thread Zé Loff


Hi all

I have a laptop in which I use ifstated to determine whether it is "at
home" or whether it is "roaming", and bring up the VPN -- used to be
iked, now it's wg -- for unwind and some NFS shares, if it is.

My question is: how would you detect if the machine is "at home"? 

My present setup is a combination of checking the BSSID of the AP if it
is connected to one, and some MAC addresses of other machines on the
network.  I can think of a couple other ways (SSH host keys, external IP
-- though it might change --, DHCP-assigned domain, etc).  Is there an
easier way I'm not thinking of?  How would you do it?

Note that this isn't 100% fail-proof nor am I worried about
covering absolutely all corner cases, or paranoid about someone spoofing
my network's BSSID, MAC addresses, etc, etc, just to prevent me from
setting up a VPN.  This is just for convenience.

Cheers and TIA
Zé

-- 
 
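An added example, not from the thread and not part of ifstated, that decides "at home" from two of the fingerprints raised in the replies: the gateway's MAC address as printed by arp -an (Stuart's suggestion) and the BSSID of the AP as printed by ifconfig (Zé's current setup, which Łukasz also considers good enough). Parsing and the decision are kept apart from running the commands so the logic can be exercised offline. The interface name, subnet, MAC addresses and command output are constructed placeholders, and the column layout assumed for arp -an is OpenBSD's (host, MAC, netif, expire).

```python
"""Home-network fingerprint from gateway MAC plus BSSID (added example)."""
import re
import subprocess
from typing import Optional

WIFI_IF = "iwm0"                        # assumption: the laptop's wireless interface
HOME_GATEWAY_IP = "192.168.57.1"        # assumption: an uncommon home subnet
HOME_GATEWAY_MAC = "00:11:22:33:44:55"  # assumption: the home router's MAC
HOME_BSSID = "66:77:88:99:aa:bb"        # assumption: the home AP's BSSID

BSSID_RE = re.compile(r"\bbssid ([0-9a-f]{2}(?::[0-9a-f]{2}){5})")

# Constructed command output; only the lines that matter are shown.
ARP_HOME = """\
Host                                 Ethernet Address   Netif Expire     Flags
192.168.57.1                         00:11:22:33:44:55  iwm0  19m59s
192.168.57.20                        de:ad:be:ef:00:01  iwm0  12m03s
"""
ARP_CAFE = """\
Host                                 Ethernet Address   Netif Expire     Flags
192.168.57.1                         aa:bb:cc:dd:ee:ff  iwm0  19m59s
"""
IFCONFIG_HOME = """\
iwm0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ieee80211: join homenet chan 6 bssid 66:77:88:99:aa:bb 70% wpakey wpaprotos wpa2 wpaakms psk
        inet 192.168.57.33 netmask 0xffffff00 broadcast 192.168.57.255
"""
IFCONFIG_CAFE = IFCONFIG_HOME.replace("66:77:88:99:aa:bb", "aa:bb:cc:dd:ee:ff")


def gateway_mac(arp_output: str, gateway_ip: str) -> Optional[str]:
    """MAC that arp -an shows for gateway_ip, or None if there is no entry at all."""
    for line in arp_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == gateway_ip:
            return fields[1].lower()
    return None


def wifi_bssid(ifconfig_output: str) -> Optional[str]:
    """BSSID from the ieee80211 line, or None when not associated (wired or no wifi)."""
    m = BSSID_RE.search(ifconfig_output)
    return m.group(1).lower() if m else None


def at_home(arp_output: str, ifconfig_output: str) -> bool:
    """Gateway MAC must match; if the laptop is on wifi, the BSSID must match too."""
    if gateway_mac(arp_output, HOME_GATEWAY_IP) != HOME_GATEWAY_MAC:
        return False
    bssid = wifi_bssid(ifconfig_output)
    return bssid is None or bssid == HOME_BSSID


def at_home_live() -> bool:
    """The same decision on the running system; the only part that needs OpenBSD."""
    arp = subprocess.run(["arp", "-an"], capture_output=True, text=True).stdout
    ifc = subprocess.run(["ifconfig", WIFI_IF], capture_output=True, text=True).stdout
    return at_home(arp, ifc)


if __name__ == "__main__":
    cases = (("home", ARP_HOME, IFCONFIG_HOME),
             ("cafe, same subnet", ARP_CAFE, IFCONFIG_HOME),
             ("wired at home", ARP_HOME, ""))
    for label, arp, ifc in cases:
        print("%-18s at_home=%s" % (label, at_home(arp, ifc)))
```

The "cafe, same subnet" case is why the gateway MAC is checked rather than only its IP: a foreign network using the same 192.168.x.y range still fails the test. ifstated runs its tests as commands and looks at their exit status, so a small wrapper that exits 0 when at_home_live() returns True is what its periodic test would call.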



Re: user cannot login on -current amd64: ulimit related?

2022-03-23 Thread Theo de Raadt
There was a bug related to rlimits around March 15.  It has been fixed
since.

I think it is a bit weird when people using snapshots report a bug
against week-old code.  Do you think we do nothing for that week?

Mare Dedeu  wrote:

> Hi,
> 
> I am running -current on a thinkpad X270. After an upgrade two days ago I
> cannot login as a normal user (root is fine) via the terminal. The zsh
> shell complains about not having enough memory. Changing shells via chsh
> yields the same result on ksh and bash. I have upgraded again today to the
> latest snapshot but the result is the same.
> 
> I think this can be related to ulimit, but I am not sure. In any case,
> 
> $ ulimit -a
> -t: cpu time (seconds)  unlimited
> -f: file size (blocks)  unlimited
> -d: data seg size (kbytes)  4194304
> -s: stack size (kbytes) 8192
> -c: core file size (blocks) 0
> -m: resident set size (kbytes)  7634548
> -l: locked-in-memory size (kbytes)  7634548
> -u: processes   1310
> -n: file descriptors1024
> 
> Any hint would be appreciated.
> 
> thanks.
> 
> PS: this is my dmesg and login.conf:
> 
> ===
> OpenBSD 7.1-beta (GENERIC.MP) #422: Tue Mar 15 11:28:22 MDT 2022
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

Re: ipsec traffic is dropped between two machines

2022-03-23 Thread Tobias Heider
On Mon, Mar 21, 2022 at 01:04:28PM -0500, rea...@catastrophe.net wrote:
> I have two openbsd machines configured to connect their respective
> downstream networks over ipsec. When I try to generate traffic (ping)
> from server-west's enc0 interface (10.255.255.1) to server-east's enc0
> interface (10.254.255.1), traffic is sent out the corresponding
> SA but is never seen on server-east's enc0 interface. Only when I
> simultaneously generate traffic (ping, again) on server-east back to 
> server-west do I see the echo replies from server-east on server-west.
> 
> The flows look correct in the SA table on server-west and traffic leaves on
> enc0, hits vio0 on server-east as ESP traffic, but then is dropped. Again,
> only when I also start a ping on server-east (10.254.255.1) to server-west
> (10.255.255.1) does the original ping session see replies.
> 
> Any help is appreciated. Here are the relevant configs and outputs.

I don't fully understand your setup but having both 10.255.255.0/24 to
10.254.255.0/24 and 10.254.255.0/24 to 10.255.255.0/24 configured on both
sides does not make sense to me.

Assuming 10.255.255.0/24 is reachable via server-west and 10.254.255.0/24 via
server-east the configs should probably be:

server-west:/etc/iked.conf
-
ikev2 'server-east.example.com' passive esp \
from 10.255.255.0/24 to 10.254.255.0/24 \
from 203.0.113.50/32 to 10.254.255.0/24 \
local 203.0.113.50 peer server-east.example.com \
srcid server-west.example.com \
dstid server-east.example.com \
psk "12345" \
tag "VPN.EAST"

server-east:/etc/iked.conf
-
ikev2 'server-west.example.com' active esp \
from 10.254.255.0/24 to 10.255.255.0/24 \
from 100.64.1.92/32 to 10.255.255.0/24 \
local 100.64.1.92 peer server-west.example.com \
srcid server-east.example.com \
dstid server-west.example.com \
psk "12345" \
tag "VPN.WEST"
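The flow-direction mistake the reply points out can be caught mechanically before the tunnel is brought up. The script below is an added example, not from the thread or from iked itself: it pulls the `from X to Y` clauses out of two iked.conf texts with a deliberately simplified parser and reports a flow declared together with its reverse in one file, and a flow declared identically on both ends; `BOTH_WAYS` is a constructed stand-in for the original poster's setup as the reply describes it, while `WEST_OK` and `EAST_OK` carry the flow lines proposed above.

```python
import re

# Flow lines as proposed in the reply above (other keywords shortened onto
# fewer lines); a real checker would read each host's /etc/iked.conf.
WEST_OK = r"""
ikev2 'server-east.example.com' passive esp \
from 10.255.255.0/24 to 10.254.255.0/24 \
from 203.0.113.50/32 to 10.254.255.0/24 \
local 203.0.113.50 peer server-east.example.com \
srcid server-west.example.com dstid server-east.example.com \
psk "12345" tag "VPN.EAST"
"""
EAST_OK = r"""
ikev2 'server-west.example.com' active esp \
from 10.254.255.0/24 to 10.255.255.0/24 \
from 100.64.1.92/32 to 10.255.255.0/24 \
local 100.64.1.92 peer server-west.example.com \
srcid server-east.example.com dstid server-west.example.com \
psk "12345" tag "VPN.WEST"
"""
# Constructed approximation of the original poster's setup as the reply
# describes it: both directions declared, and the same text on both ends.
BOTH_WAYS = r"""
ikev2 'peer' passive esp \
from 10.255.255.0/24 to 10.254.255.0/24 \
from 10.254.255.0/24 to 10.255.255.0/24 \
local 203.0.113.50 peer 100.64.1.92 psk "12345"
"""

FLOW_RE = re.compile(r'\bfrom (\S+) to (\S+)')

def parse_flows(conf):
    """Return the (src, dst) pairs of every 'from X to Y' clause. Simplified:
    the full iked.conf grammar (ports, protocols, 'any') is not handled."""
    return set(FLOW_RE.findall(conf))

def lint_flows(local_conf, peer_conf):
    """Report the two mistakes the reply points out: a flow declared with
    its reverse in the same file, and the same flow declared on both ends."""
    local, peer = parse_flows(local_conf), parse_flows(peer_conf)
    both_directions = {(s, d) for (s, d) in local if (d, s) in local}
    return {"both_directions_locally": sorted(both_directions),
            "same_flow_on_both_ends": sorted(local & peer)}
```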



Re: OpenBSD Home Server + Workstation on same machine?

2022-03-23 Thread David Rinehart
On 3/21/22 20:22, Eric Thomas wrote:
> Hello,
>
> I'd like to learn about secure networking (PKI, x509 certs, DNS, IPS, etc.)
> and generally
> harden my home network using OpenBSD. Can I use OpenBSD services AND have
> it act as a desktop workstation on the same machine?
>
> Ref:
> https://superuser.com/questions/1712101/openbsd-home-server-workstation-on-same-machine
>
> Thanks,
> Eric

Secure networking - Consideration: Defense in depth - If your services machine 
is compromised, what will be exposed?

A server machine and a desktop machine are different roles, with different 
requirements.  Mixing both in one machine can be done but you may not learn as 
much.

I sent a message to the list in December describing my approach (covering 3 
years) - May be interesting reading:

https://marc.info/?l=openbsd-misc=164058491013379=2




Re: mailrc and muttrc

2022-03-23 Thread Maurice McCarthy
I think many use fdm from ports.
Best