Re: VLAN-tagging, how?

2024-05-31 Thread Martin
Thank you all very much for the setup examples, very helpful!



subscribe

2024-05-31 Thread Trent Acklez
subscribe


Re: New filters auth and sign

2024-05-31 Thread Kirill A . Korinsky
On Sat, 01 Jun 2024 00:34:41 +0100,
Kirill A. Korinsky  wrote:
> 
> Greetings,
> 
> I'd like to announce two new filters for OpenSMTPD which are better used
> together: auth and sign.
>

Oops, wrong list. It should be m...@opensmtpd.org.

Sorry for the noise.

-- 
wbr, Kirill



New filters auth and sign

2024-05-31 Thread Kirill A . Korinsky
Greetings,

I'd like to announce two new filters for OpenSMTPD which are better used
together: auth and sign.

auth is a filter which verifies DKIM, ARC, SPF and iprev. It adds an
Authentication-Results header or an ARC-Authentication-Results header.

sign is a filter which adds a DKIM or ARC signature, or an ARC seal.

For example, I run this configuration:

  filter "auth" proc-exec "filter-auth"
  listen on egress port smtp ... filter { admdscrub, "auth", dnsbl }

  filter sign_ed25519 proc-exec "filter-sign -a ed25519-sha256 -D /etc/mail/domains \
      -s 20240125ed25519 -k /etc/mail/dkim/20240125.ed25519.key" user _dkimsign group _dkimsign
  filter sign_rsa proc-exec "filter-sign -a rsa-sha256 -D /etc/mail/domains \
      -s 20240125rsa -k /etc/mail/dkim/20240125.rsa.key" user _dkimsign group _dkimsign

  filter arc_auth proc-exec "filter-auth -A"
  filter arc_sign proc-exec "filter-sign -A -a rsa-sha256 -d mx.catap.net \
      -s 20240125rsa -k /etc/mail/dkim/20240125.rsa.key" user _dkimsign group _dkimsign
  filter arc_seal proc-exec "filter-sign -S -a rsa-sha256 -d mx.catap.net \
      -s 20240125rsa -k /etc/mail/dkim/20240125.rsa.key" user _dkimsign group _dkimsign

  filter sign chain { sign_ed25519 sign_rsa arc_auth arc_sign arc_seal }

  listen on egress port submission ... filter sign

Here all incoming messages are authorised by adding Authentication-Results,
and all outgoing messages are:
 - signed by two DKIM signatures with the correct domain (listed in /etc/mail/domains)
 - signed by one ARC signature with domain mx.catap.net
 - sealed by one ARC seal with domain mx.catap.net

Yeah, it is possible to use different selectors for ARC signature and seal,
but I haven't tested it.

The code is based on Martijn van Duren's filter-dkimsign, filter-dkimverify
and filter-spf, and I also used some pieces from spfwalk.c from OpenSMTPD.

Man pages for both filters are updated.

Thus, the sign filter is a drop-in replacement for filter-dkimsign.

Code available here:
 - https://github.com/catap/opensmtpd-filter-auth
 - https://github.com/catap/opensmtpd-filter-sign

I also attached ports for OpenBSD which I used to run it.

How stable is it? Well, enough to share and ask for feedback. It may
contain bugs, but it should be fine to use.

The produced signature was tested against gmail, yahoo, icloud.com and dkimpy
and it holds. Anyway, outlook.com fails on the ARC signature with errors 35 or
47 (what does that mean?) and produces an invalid signature as the next in the
ARC chain (tested by dkimpy).

This email was sent via a server which uses these filters, so the headers
from this email are a good example.

-- 
wbr, Kirill


filters.tgz
Description: Binary data
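Kirill notes that outlook.com rejects the ARC signature and that the next hop's signature then comes out invalid in dkimpy. Before chasing signature bytes it is worth confirming that the chain is shaped the way RFC 8617 requires: contiguous instance numbers, all three ARC fields per set, the required tags, cv=none on the first seal and cv=pass on every later one. The Python below is an added example, not code from filter-auth, filter-sign or OpenSMTPD; it checks only that structure, not the cryptographic signatures. The headers are constructed, and the domains, selectors and b=/bh= values are placeholders.

```python
"""Structural check of an ARC chain (RFC 8617, Section 5.2).

Added example; not code from filter-auth or filter-sign. The header values
below are constructed and the b=/bh= values are placeholders, so only the
chain structure (instance numbers, required fields, cv= values) is checked,
not the signatures themselves.
"""

ARC_FIELDS = {"arc-seal", "arc-message-signature", "arc-authentication-results"}
MAX_ARC_SETS = 50  # RFC 8617 Section 5.2: longer chains are treated as failed


def parse_tags(value: str) -> dict:
    """Split a 'tag=value; tag=value' header body into a dict.

    ARC-Authentication-Results carries a bare authserv-id after i=; bare
    tokens without '=' are skipped.
    """
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if part and "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags


def group_sets(headers: list) -> dict:
    """Group ARC header fields by instance number i; reject duplicates."""
    sets = {}
    for name, value in headers:
        lname = name.lower()
        if lname not in ARC_FIELDS:
            continue
        tags = parse_tags(value)
        if not tags.get("i", "").isdigit():
            raise ValueError(f"{name} lacks a numeric i= tag")
        entry = sets.setdefault(int(tags["i"]), {})
        if lname in entry:
            raise ValueError(f"duplicate {name} for i={tags['i']}")
        entry[lname] = tags
    return sets


def check_arc_chain(headers: list) -> tuple:
    """Return (status, reason): 'none' with no ARC sets, 'pass' when the
    chain structure is valid, 'fail' otherwise."""
    sets = group_sets(headers)
    if not sets:
        return "none", "no ARC sets"
    n = len(sets)
    if n > MAX_ARC_SETS:
        return "fail", f"{n} ARC sets exceed the limit of {MAX_ARC_SETS}"
    if sorted(sets) != list(range(1, n + 1)):
        return "fail", f"instance numbers {sorted(sets)} are not 1..{n}"
    for i in range(1, n + 1):
        entry = sets[i]
        missing = ARC_FIELDS - set(entry)
        if missing:
            return "fail", f"i={i} is missing {sorted(missing)}"
        for field in ("arc-seal", "arc-message-signature"):
            for tag in ("a", "d", "s", "b"):
                if tag not in entry[field]:
                    return "fail", f"i={i} {field} lacks {tag}="
        cv = entry["arc-seal"].get("cv")
        # The first seal must carry cv=none; every later seal must carry
        # cv=pass, otherwise that hop did not validate the chain it extended.
        if i == 1 and cv != "none":
            return "fail", f"i=1 seal must have cv=none, got cv={cv}"
        if i > 1 and cv != "pass":
            return "fail", f"i={i} seal must have cv=pass, got cv={cv}"
    return "pass", f"{n} ARC set(s), structure valid"


# Constructed sample: a message sealed by mx.example.net (i=1) and then by a
# forwarding relay (i=2). Not a real message; signature values are placeholders.
GOOD_CHAIN = [
    ("ARC-Authentication-Results", "i=1; mx.example.net; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org"),
    ("ARC-Message-Signature", "i=1; a=ed25519-sha256; c=relaxed/relaxed; d=mx.example.net; s=sel1; h=from:to:subject; bh=BH1; b=B1"),
    ("ARC-Seal", "i=1; a=rsa-sha256; t=1717200000; cv=none; d=mx.example.net; s=sel1; b=S1"),
    ("ARC-Authentication-Results", "i=2; relay.example.com; arc=pass; dkim=pass header.d=example.org"),
    ("ARC-Message-Signature", "i=2; a=rsa-sha256; c=relaxed/relaxed; d=relay.example.com; s=sel2; h=from:to:subject; bh=BH2; b=B2"),
    ("ARC-Seal", "i=2; a=rsa-sha256; t=1717200100; cv=pass; d=relay.example.com; s=sel2; b=S2"),
]

# Constructed failure: the relay sealed with cv=none as if it were the first hop.
BAD_CV_CHAIN = GOOD_CHAIN[:5] + [
    ("ARC-Seal", "i=2; a=rsa-sha256; t=1717200100; cv=none; d=relay.example.com; s=sel2; b=S2"),
]

# Constructed failure: the relay added a seal and a signature but no AAR.
MISSING_AAR_CHAIN = GOOD_CHAIN[:3] + GOOD_CHAIN[4:]

if __name__ == "__main__":
    for label, chain in (("good", GOOD_CHAIN), ("bad cv", BAD_CV_CHAIN),
                         ("missing AAR", MISSING_AAR_CHAIN)):
        print(label, check_arc_chain(chain))
```

A chain that passes this check and still fails at a verifier points at canonicalisation or key material rather than at how the sets were assembled; a chain that fails here is malformed regardless of what the b= values contain.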


Re: vim editor with TERM

2024-05-31 Thread Abel Abraham Camarillo Ojeda
:0 I can start using EDITOR instead of VISUAL and start removing: $ set -o
vi; in my .profiles

On Fri, May 31, 2024 at 3:17 PM Nathaniel Griswold  wrote:

> There is also the VISUAL param which overrides what is inferred from
> EDITOR.
>
> On Fri, May 31, 2024, at 2:23 PM, Stuart Henderson wrote:
>
> On 2024-05-31, 04-psyche.tot...@icloud.com <04-psyche.tot...@icloud.com>
> wrote:
> > Hi all,
> >
> > I use the following terminal:
> >
> > echo $TERM
> > xterm-256color
> >
> > when in my ~/.profile I do:
> >
> > export EDITOR=nano
> >
> > everything works well.
> >
> > However, if I do
> >
> > export EDITOR=vim
> >
> > then when I ssh into the machine, up and down arrow in the terminal do
> not work anymore (it does not give me access to previous commands entered).
>
> It's an extremely annoying misfeature in ksh.
>
> If $EDITOR starts with the letters "vi" then it defaults to vi-style
> command line editing. You can use "set -o emacs" to override that, but
> then if you sudo/doas to root it will reset to vi-style editing because
> of the exported EDITOR variable.
>
> On some machines I got fed up enough with this to symlink
> "emacs-notreally" to vim and set EDITOR=emacs-notreally...
>
>
>
>
>


Re: vim editor with TERM

2024-05-31 Thread Nathaniel Griswold
There is also the VISUAL param which overrides what is inferred from EDITOR.

On Fri, May 31, 2024, at 2:23 PM, Stuart Henderson wrote:
> On 2024-05-31, 04-psyche.tot...@icloud.com <04-psyche.tot...@icloud.com> 
> wrote:
> > Hi all,
> >
> > I use the following terminal:
> >
> > echo $TERM
> > xterm-256color
> >
> > when in my ~/.profile I do:
> >
> > export EDITOR=nano
> >
> > everything works well.
> >
> > However, if I do 
> >
> > export EDITOR=vim
> >
> > then when I ssh into the machine, up and down arrow in the terminal do not 
> > work anymore (it does not give me access to previous commands entered).
> 
> It's an extremely annoying misfeature in ksh.
> 
> If $EDITOR starts with the letters "vi" then it defaults to vi-style
> command line editing. You can use "set -o emacs" to override that, but
> then if you sudo/doas to root it will reset to vi-style editing because
> of the exported EDITOR variable.
> 
> On some machines I got fed up enough with this to symlink
> "emacs-notreally" to vim and set EDITOR=emacs-notreally...
> 
> 
> 


Re: mounting audio cd

2024-05-31 Thread Harald Arnesen

MIZSEI Zoltán [31/05/2024 20.15]:

Interestingly BeOS and Haiku let you mount an audio CD: it generates
a VFS from the TOC and shows the tracks as WAV or FLAC (fixme); it does
an automatic conversion behind the curtains if you copy a file from an
audio CD.


Linux also had such a thing in the past - I can't remember the name of 
the file-system.

--
Hilsen Harald



Re: vim editor with TERM

2024-05-31 Thread Stuart Henderson
On 2024-05-31, 04-psyche.tot...@icloud.com <04-psyche.tot...@icloud.com> wrote:
> Hi all,
>
> I use the following terminal:
>
> echo $TERM
> xterm-256color
>
> when in my ~/.profile I do:
>
> export EDITOR=nano
>
> everything works well.
>
> However, if I do 
>
> export EDITOR=vim
>
> then when I ssh into the machine, up and down arrow in the terminal do not 
> work anymore (it does not give me access to previous commands entered).

It's an extremely annoying misfeature in ksh.

If $EDITOR starts with the letters "vi" then it defaults to vi-style
command line editing. You can use "set -o emacs" to override that, but
then if you sudo/doas to root it will reset to vi-style editing because
of the exported EDITOR variable.

On some machines I got fed up enough with this to symlink
"emacs-notreally" to vim and set EDITOR=emacs-notreally...




Re: vim editor with TERM

2024-05-31 Thread Chris Bennett
On Fri, May 31, 2024 at 04:52:29PM +0100, 04-psyche.tot...@icloud.com wrote:
> 
> export EDITOR=vim
> 
> Does anyone have a clue as to what could cause this issue?
> 
> Thanks,
> Jake

Your ksh is now using vi editing mode instead of emacs.
You can verify this by hitting esc, then i and you can then type
normally, but with some different conditions.
If you want to keep this, hit esc and k for earlier commands, j for
later commands.

I use both vi and emacs editing modes (this has nothing to do with the
actual editors; man ksh will help).
vi editing mode has very similar commands to the vi editor.

-- 
Regards,
Chris Bennett

"Who controls the past controls the future. Who controls the present controls 
the past."
 George Orwell - 1984



Re: mounting audio cd

2024-05-31 Thread MIZSEI Zoltán
Interestingly BeOS and Haiku let you mount an audio CD: it generates a VFS
from the TOC and shows the tracks as WAV or FLAC (fixme); it does an automatic
conversion behind the curtains if you copy a file from an audio CD.


vim editor with TERM

2024-05-31 Thread 04-psyche . totter
Hi all,

I use the following terminal:

echo $TERM
xterm-256color

when in my ~/.profile I do:

export EDITOR=nano

everything works well.

However, if I do 

export EDITOR=vim

then when I ssh into the machine, up and down arrow in the terminal do not work 
anymore (it does not give me access to previous commands entered).

I have installed the following vim:

$ pkg_info | grep vim 
vim-9.1.139-no_x11  vi clone, many additional features


Does anyone have a clue as to what could cause this issue?

Thanks,
Jake


Re: Correct fdisk info for ext2fs?

2024-05-31 Thread nisp1953
Brian:

 Thanks so much. I ended up formatting it in OpenBSD's FFS file
system. Too many issues with Linux.
If I need to transfer data from the Linux computer, then I will ssh
into OpenBSD.

On Thu, May 30, 2024 at 11:04 PM Brian Conway  wrote:
>
> On Thu, May 30, 2024, at 6:02 PM, nisp1953 wrote:
> > OpenBSD  7.5 GENERIC.MP#82 amd64
> >
> > Hi all:
> >
> >  I formatted a 2TB USB Hard Drive under Linux and get the following from 
> > fdisk:
> >
> > # fdisk sd1
> > Disk: sd1       geometry: 243201/255/63 [3907029167 Sectors]
> > Offset: 0       Signature: 0x0
> >             Starting         Ending         LBA Info:
> >  #: id      C   H   S -      C   H   S [       start:        size ]
> > -------------------------------------------------------------------------------
> >  0: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
> >  1: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
> >  2: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
> >  3: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
> >
> > I had to add a disklabel before I could mount it and use it on OpenBSD:
> > # disklabel sd1
> > # /dev/rsd1c:
> > type: SCSI
> > disk: SCSI disk
> > label: BUP Slim
> > duid: 3cca86bd1e312e1f
> > flags:
> > bytes/sector: 512
> > sectors/track: 63
> > tracks/cylinder: 255
> > sectors/cylinder: 16065
> > cylinders: 243201
> > total sectors: 3907029167
> > boundstart: 0
> > boundend: 3907029167
> >
> > 16 partitions:
> > #                size           offset  fstype [fsize bsize   cpg]
> >   c:       3907029167                0  unused
> >   i:       3907029167                0 unknown
> >
> > It does have a signed DUID:
> > # sysctl hw.disknames
> > hw.disknames=sd0:c9251986e646484c,sd1:3cca86bd1e312e1f
> >
> > I have been using it for several days and I write to it both under
> > Linux and OpenBSD.
> > What am I doing wrong here that no partitions show up in fdisk?
> > Here is the relevant dmesg info:
> > scsibus4 at umass0: 2 targets, initiator 0
> > sd1 at scsibus4 targ 1 lun 0: 
> > serial.0bc2ac30NAEA4KVV
> > sd1: 1907729MB, 512 bytes/sector, 3907029167 sectors
> > /dev/sd1i: file system not clean; please fsck(8)
> >
> > Thanks in advance for any advice on this.
>
> It looks like you have formatted an entire drive without partitioning it 
> first. This isn't wrong *per se*, in the same way you might format certain 
> types of external media without partitioning them, but it's not expected and 
> could become a footgun if you go to perform an operation on the drive and 
> forget that it isn't a filesystem within a partition. As you've noted, it 
> does operate correctly.
>
> Brian Conway
> Owner
> RCE Software, LLC
>
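Brian's point, that a filesystem written to the whole device leaves sector 0 without a partition table, is exactly what the quoted fdisk output shows: Signature 0x0 and four Unused entries. The Python below is an added example, not OpenBSD's fdisk(8): it reads the MBR fields fdisk summarises and flags a disk with no partition table, using two constructed sectors, an all-zero sector 0 like this drive's and one with a single OpenBSD (type 0xA6) partition. The partition type names are short labels chosen here, not fdisk's exact strings.

```python
"""Read the MBR partition table the way fdisk(8) summarises it.

Added example, not OpenBSD code. A disk formatted as a whole device has no
partition table in sector 0 (the ext2 and FFS superblocks live further in),
so fdisk shows signature 0x0 and four unused entries. Both sectors below are
constructed.
"""
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = 0xAA55   # bytes 55 AA at offset 510
ENTRY_OFFSET = 446       # first of four 16-byte partition entries
ENTRY_FORMAT = "<BBBBBBBBII"  # status, CHS start, type, CHS end, LBA start, LBA size
# Short labels for a few common type ids (not fdisk's exact names)
PARTITION_TYPES = {0x00: "Unused", 0x0B: "FAT32", 0x83: "Linux", 0xA6: "OpenBSD", 0xEE: "EFI GPT"}


def parse_mbr(sector: bytes) -> dict:
    """Return the signature and the four partition entries of sector 0."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    (sig,) = struct.unpack_from("<H", sector, 510)
    entries = []
    for n in range(4):
        fields = struct.unpack_from(ENTRY_FORMAT, sector, ENTRY_OFFSET + 16 * n)
        status, ptype, start, size = fields[0], fields[4], fields[8], fields[9]
        entries.append({"index": n, "active": status == 0x80, "type": ptype,
                        "name": PARTITION_TYPES.get(ptype, f"type 0x{ptype:02X}"),
                        "start": start, "size": size})
    return {"signature": sig, "entries": entries}


def has_partition_table(sector: bytes) -> bool:
    """True when sector 0 carries a valid MBR signature and at least one
    non-empty entry; False for a blank disk or a whole-device filesystem."""
    mbr = parse_mbr(sector)
    return mbr["signature"] == MBR_SIGNATURE and any(e["type"] != 0 for e in mbr["entries"])


def summarize(sector: bytes) -> str:
    """fdisk-like one-line-per-entry summary, plus a warning when there is
    no table at all (the footgun Brian describes)."""
    mbr = parse_mbr(sector)
    lines = [f"Signature: 0x{mbr['signature']:X}"]
    for e in mbr["entries"]:
        flag = "*" if e["active"] else " "
        lines.append(f"{flag}{e['index']}: {e['type']:02X} [{e['start']:>12}: {e['size']:>12}] {e['name']}")
    if not has_partition_table(sector):
        lines.append("no partition table: whole-device filesystem or blank disk")
    return "\n".join(lines)


def make_mbr(entries: list) -> bytes:
    """Build an MBR from (type, start_lba, size_lba, active) tuples.
    CHS fields are left zero; only the LBA fields matter here."""
    sector = bytearray(SECTOR_SIZE)
    for n, (ptype, start, size, active) in enumerate(entries[:4]):
        struct.pack_into(ENTRY_FORMAT, sector, ENTRY_OFFSET + 16 * n,
                         0x80 if active else 0, 0, 0, 0, ptype, 0, 0, 0, start, size)
    struct.pack_into("<H", sector, 510, MBR_SIGNATURE)
    return bytes(sector)


# Constructed: sector 0 of a disk that was formatted as a whole device.
WHOLE_DEVICE_SECTOR = bytes(SECTOR_SIZE)

# Constructed: the same 2 TB disk with one OpenBSD partition from sector 64.
TOTAL_SECTORS = 3907029167
PARTITIONED_SECTOR = make_mbr([(0xA6, 64, TOTAL_SECTORS - 64, True)])

if __name__ == "__main__":
    print(summarize(WHOLE_DEVICE_SECTOR))
    print(summarize(PARTITIONED_SECTOR))
```

Run against a real device with `dd if=/dev/rsd1c bs=512 count=1` piped into `parse_mbr`; a zero signature with a mountable filesystem on the `c` or `i` partition confirms the whole-device layout rather than a damaged table.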



Re: mounting audio cd

2024-05-31 Thread Manfred Koch

Hi,

yes I run a GUI, you are right that I cannot mount
an audio CD. To rip an audio CD, I was transiently in the
operator group. That worked. Nevertheless thank you
for the answer.
Sorry for the mix up

Manfred

On 5/30/24 20:54, Ampie Niemand wrote:

On Thu, May 30, 2024 at 06:43:13PM +0200, Manfred Koch wrote:

Hi all,

I have tried to mount an audio cd with the command:

doas mount -t cd9660 /dev/cd0c /cdrom
mount_cd9660: /dev/cd0c on /cdrom: Invalid argument


You cannot mount it like that because it's an audio CD and not a data 
CD. If it were a data CD, you would only have access to the files, such 
as a file backup.


The following website might have the answer for you:

https://www.openbsdhandbook.com/multimedia/

Not sure if you run a GUI, but if you do, install vlcplayer and you 
should be able to just play it, but go read a bit on the website given 
above.


Regards
Ampie



doas dmesg | grep cd shows me:

cd0 at scsibus1 targ 0 lun 0:  
removable

cd0(ahci0:0:0): Check Condition (error 0x70) on opcode 0x0
cd0 at scsibus1 targ 0 lun 0:  
removable

cd0(ahci0:0:0): Check Condition (error 0x70) on opcode 0x0
cd0 at scsibus1 targ 0 lun 0:  
removable


using 7.5 GENERIC.MP#82 amd64

Two weeks ago I could mount it with success.

Forgive me, I'm a rookie.
Does anyone have an idea?

Manfred







Re: Call sysctl before sysctl.conf

2024-05-31 Thread hahahahacker2009
On Fri, 31 May 2024 at 05:05 <04-psyche.tot...@icloud.com> wrote:
>
> Hi all,
>
> When openBSD runs my processor at 100%, it makes a noise. Interestingly, when 
> in bios, this noise does not appear.
>

I also heard the noise... but it seems quiet when I plug in my headphones.
What is the noise you are referring to, from the fan or from the speaker?



Re: VLAN-tagging, how?

2024-05-31 Thread Odhiambo Washington
On Fri, May 31, 2024 at 1:20 PM Zé Loff  wrote:

> On Thu, May 30, 2024 at 10:12:12PM +, Martin wrote:
> > I am currently using a home made router with OpenBSD which is connected
> > directly to my ISP's fiber router. The OpenBSD router is setup with a
> > fixed IP on the WAN port and I do internal NAT etc.
> >
> > In about a month a new ISP is going to provide internet via the fiber
> > and they are changing the equipment.
> >
> > What they have told me is that in order to use my own router, the
> > router has to support VLAN tagging.
> >
> > The statement I got was:
> >
> > "We send traffic out on VLAN 100 so your router needs to be tagged to
> > 100. Then all it has to do is to get an IP via DHCP."
> >
> > I have not done any VLAN stuff before and I am unsure exactly how to do
> > this.
> >
> > Is this possible and how exactly is that done?
> >
> > Thanks.
> >
>
> Keeping it simple (change re1 to whatever is relevant in your case):
>
> # cat /etc/hostname.re1
> up
>
> # cat /etc/hostname.vlan100
> vnetid 100 parent re1
> inet autoconf
> up
>
> So, in summary, (1) make sure the physical interface comes up and (2)
> create a VLAN interface, with 100 as the VLAN number, the physical
> interface as its parent.  The rest is the same as for any other
> interface (inet autoconf and up).
>
>
>
> Incidentally, I am running this with an ISP that also provides VoIP over
> VLAN 101, which I don't want to filter, rather sending it straight to
> the VoIP phone they provided (which gets configured via DHCP).  I
> achieved this by
>
> (1) creating an interface on VLAN 101, with the external physical
> interface as the parent:
>
> # cat /etc/hostname.vlan1010  <- the extra 0 at the end is not a typo
> vnetid 101 parent re1
> up
>
> (2) creating another interface on the same VLAN, but with an internal
> interface as the parent:
>
> # cat /etc/hostname.vlan1011  <- note the extra 1 at the end
> vnetid 101 parent re2
> up
>
> (3) bridging them together
>
> # cat /etc/hostname.veb101
> add vlan1010
> add vlan1011
> up
>

@Zé Loff ,

This explanation is excellent. I was following this thread out of sheer
curiosity :-)


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
 In an Internet failure case, the #1 suspect is a constant: DNS.
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
[How to ask smart questions:
http://www.catb.org/~esr/faqs/smart-questions.html]


Re: amd64 bsd.rd for 7.0, 7.1, 7.2

2024-05-31 Thread Kirill A . Korinsky
On Fri, 31 May 2024 10:02:57 +0100,
"Quentin Carbonneaux"  wrote:
> 
> I want to upgrade an amd64 system running 6.9. Following
> the guide I would like to upgrade to 7.{0,1,2,3,4,5}
> sequentially. However it looks like
> 
> wget https://cdn.openbsd.org/pub/OpenBSD/7.{0,1,2}/amd64/bsd.rd
> 
> returns 404 for all three queries.
> 
> Where can I find the bsd.rd images for these versions?
> 
> Thanks for your help.
> 

Not all mirrors host old versions.

For example https://mirror.leaseweb.com/pub/OpenBSD/ from Europe has old
versions, but it might be different for your location.

-- 
wbr, Kirill



Re: VLAN-tagging, how?

2024-05-31 Thread Zé Loff
On Thu, May 30, 2024 at 10:12:12PM +, Martin wrote:
> I am currently using a home made router with OpenBSD which is connected
> directly to my ISP's fiber router. The OpenBSD router is setup with a
> fixed IP on the WAN port and I do internal NAT etc.
> 
> In about a month a new ISP is going to provide internet via the fiber
> and they are changing the equipment.
> 
> What they have told me is that in order to use my own router, the
> router has to support VLAN tagging.
> 
> The statement I got was:
> 
> "We send traffic out on VLAN 100 so your router needs to be tagged to
> 100. Then all it has to do is to get an IP via DHCP."
> 
> I have not done any VLAN stuff before and I am unsure exactly how to do
> this.
> 
> Is this possible and how exactly is that done?
> 
> Thanks.
> 

Keeping it simple (change re1 to whatever is relevant in your case):

# cat /etc/hostname.re1
up

# cat /etc/hostname.vlan100
vnetid 100 parent re1
inet autoconf
up

So, in summary, (1) make sure the physical interface comes up and (2)
create a VLAN interface, with 100 as the VLAN number, the physical
interface as its parent.  The rest is the same as for any other
interface (inet autoconf and up).



Incidentally, I am running this with an ISP that also provides VoIP over
VLAN 101, which I don't want to filter, rather sending it straight to
the VoIP phone they provided (which gets configured via DHCP).  I
achieved this by 

(1) creating an interface on VLAN 101, with the external physical
interface as the parent:

# cat /etc/hostname.vlan1010  <- the extra 0 at the end is not a typo
vnetid 101 parent re1
up

(2) creating another interface on the same VLAN, but with an internal
interface as the parent:

# cat /etc/hostname.vlan1011  <- note the extra 1 at the end
vnetid 101 parent re2
up

(3) bridging them together

# cat /etc/hostname.veb101
add vlan1010
add vlan1011
up
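The two statements from the ISP, "we send traffic out on VLAN 100" and "your router needs to be tagged to 100", describe a 4-byte 802.1Q tag inserted after the source MAC of every frame; `vnetid 100 parent re1` makes vlan100 pick up frames carrying VID 100 and strip the tag before the IP stack (and pf) sees them. The Python below is an added example, not OpenBSD code, that builds and parses such frames so the field layout is visible: an untagged frame, the VLAN 100 WAN frame, the VLAN 101 VoIP frame with a priority bit set, and a stacked 802.1ad/802.1Q frame for contrast. All addresses and payloads are constructed placeholders.

```python
"""Build and parse 802.1Q-tagged Ethernet frames.

Added example, not OpenBSD code: it shows what "tagged to VLAN 100" means on
the wire, i.e. the tag vlan(4) with vnetid 100 strips from and adds to frames
on its parent interface. All frames below are constructed; the MAC addresses
and payloads are placeholders.
"""
import struct

TPID_8021Q = 0x8100   # customer tag, what vlan(4) uses
TPID_8021AD = 0x88A8  # service tag of a stacked (QinQ) frame, what svlan(4) uses
ETHERTYPE_IPV4 = 0x0800


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Return addresses, every VLAN tag (outermost first), the payload
    ethertype and the payload of an untagged, tagged or stacked frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    off, tags = 12, []
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in (TPID_8021Q, TPID_8021AD):
            break
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        # TCI: 3 bits PCP (priority), 1 bit DEI, 12 bits VID
        tags.append({"tpid": etype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
    return {"dst": mac(dst), "src": mac(src), "tags": tags,
            "ethertype": etype, "payload": frame[off + 2:]}


def build_frame(dst: bytes, src: bytes, tags: list, ethertype: int, payload: bytes) -> bytes:
    """Build a frame; tags is a list of (tpid, pcp, vid), outermost first.
    An empty list yields an untagged frame."""
    hdr = dst + src
    for tpid, pcp, vid in tags:
        if not 0 <= vid <= 4095 or not 0 <= pcp <= 7:
            raise ValueError("VID must be 0..4095 and PCP 0..7")
        hdr += struct.pack("!HH", tpid, (pcp << 13) | vid)
    return hdr + struct.pack("!H", ethertype) + payload


def vlan_id(frame: bytes):
    """VID of the outermost tag, or None for an untagged frame. This is the
    value a vlan(4) interface compares against its vnetid."""
    tags = parse_frame(frame)["tags"]
    return tags[0]["vid"] if tags else None


# Constructed addresses and payload (not a real packet capture)
ROUTER = bytes.fromhex("02000000aa01")
ISP_GW = bytes.fromhex("02000000bb01")
PAYLOAD = b"\x45\x00" + b"\x00" * 18  # placeholder start of an IPv4 header

UNTAGGED = build_frame(ISP_GW, ROUTER, [], ETHERTYPE_IPV4, PAYLOAD)
WAN_VLAN100 = build_frame(ISP_GW, ROUTER, [(TPID_8021Q, 0, 100)], ETHERTYPE_IPV4, PAYLOAD)
VOIP_VLAN101 = build_frame(ISP_GW, ROUTER, [(TPID_8021Q, 5, 101)], ETHERTYPE_IPV4, PAYLOAD)
QINQ = build_frame(ISP_GW, ROUTER, [(TPID_8021AD, 0, 200), (TPID_8021Q, 0, 100)],
                   ETHERTYPE_IPV4, PAYLOAD)

if __name__ == "__main__":
    for name, f in (("untagged", UNTAGGED), ("vlan100", WAN_VLAN100),
                    ("vlan101", VOIP_VLAN101), ("qinq", QINQ)):
        p = parse_frame(f)
        print(name, [t["vid"] for t in p["tags"]], hex(p["ethertype"]), len(p["payload"]))
```

The same view is available on the router itself with `tcpdump -n -e -i re1 vlan 100`, which prints the tag of frames on the parent before vlan100 strips it; if nothing tagged 100 shows up there, the problem is upstream of the OpenBSD configuration.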





Re: [7.5/amd64] ipsec + npppd + sasyncd + carp - doesn't pick up the VPN session at switchover

2024-05-31 Thread Stuart Henderson
On 2024-05-30, Radek  wrote:
> Thank you all for your replies. 
>
> Actually, I did not know that providing seamless switching VPN solutions is 
> so problematic. If it can't be done in a simple way, then it doesn't have to 
> be seamless at any cost. Users will manually reconnect to this VPN when CARP 
> does switchover and there will be no drama. 
>
> I am currently using IPSEC/L2TP, but I do not insist on switching to 
> wireguard. IPSEC/L2TP simply works smoothly on win10/11/mac. About 2020 I 
> switched IKEv2 to IPSEC/L2TP when my CA certificate expired and I couldn't 
> cope with updating it to get a VPN back to work. It was a pandemic, and 
> everybody worked remotely. Then I quickly switched IKEv2 to IPSEC/L2TP to 
> allow users to work remotely again, and so it remains to this day. Maybe it's 
> time to replace IPSEC/L2TP with other/newer VPN solution - on the occasion of 
> CARP deployment.

IKEv2 with certs signed by a publicly trusted CA is fairly easy
to work with on the client side. The server side is a bit fiddly on
OpenBSD; iked can send the necessary intermediate certs now but it's not
obvious which file they need to go in (and I forgot the details..)

> I also need to assign to users static IP addresses per user - if I remember 
> that IKEv2 assigned to users random addresses from the entire VPN pool and I 
> couldn't cope with IP/user assignment. 

IKEv2 certainly can, it depends on the software. The in-tree
version of iked doesn't have a way to do it yet, but the patches at
https://marc.info/?l=openbsd-tech&m=170895540813042&w=2 allow doing that
via RADIUS config.




amd64 bsd.rd for 7.0, 7.1, 7.2

2024-05-31 Thread Quentin Carbonneaux
Hi,

I want to upgrade an amd64 system running 6.9. Following
the guide I would like to upgrade to 7.{0,1,2,3,4,5}
sequentially. However it looks like

wget https://cdn.openbsd.org/pub/OpenBSD/7.{0,1,2}/amd64/bsd.rd

returns 404 for all three queries.

Where can I find the bsd.rd images for these versions?

Thanks for your help.



Re: umount raid volume before shutdown?

2024-05-31 Thread Claudio Jeker
On Thu, May 30, 2024 at 08:17:27PM +0100, 04-psyche.tot...@icloud.com wrote:
> From my reading of /etc/rc, it seems that at shutdown or reboot, the OS will 
> automatically unmount everything.
> 
> So that will unmount my encrypted partition.
> 
> However, it does not run bioctl -d sd* for the pseudo-device.
> 
> So I guess the question become, is it a problem to exit the system without 
> detaching the softraid volume via bioctl?

Don't worry, the reboot code in the kernel makes sure that disks are
properly unmounted and stopped. This includes softraid.
If you want to look then check out vfs_shutdown() and sr_quiesce() in the
source code.
 
> Thanks!
> 
> > 
> > Hi all,
> > 
> > on my main hard drive, I have a partition `p` that I have encrypted in the 
> > following way:
> > 
> > $bioctl -c C -l sd0p softraid0
> > 
> > -> This created the sd1 pseudo-device, on which I ran the following:
> > 
> > $fdisk -g sd1
> > 
> > $disklabel -E sd1 # created partition i, to take all the space. This is the 
> > unique partition on this
> > 
> > $newfs sd1a
> > 
> > I then mount this via:
> > 
> > $mount /dev/sd1i /decrypt
> > 
> > 
> > I have two questions:
> > 
> > - I don't want to have to unmount /decrypt before I shutdown or restart the 
> > computer. Does OpenBSD unmount cleanly encrypted volumes when shutting down?
> > 
> > - what should I do with the encrypted sd0p ? Should I remove it from my 
> > /etc/fstab and not even mount it? Or is it fine to keep it mounted?
> > 
> > Thanks!
> > 
> > Jake
> 

-- 
:wq Claudio



sub

2024-05-31 Thread Quentin Carbonneaux