Re: Bug in dhclient, isc_named or misconfiguration ?

2017-09-09 Thread Florian Ermisch
Hi Zbyszek,

are you required to run a DHCP client?
I guess you get the same IP every time
anyway (it's a VPS, right?) so why not 
configure it statically?

Regards, Florian 

On 7 September 2017 15:24:21 MESZ, "Zbyszek Żółkiewski" wrote:
>Hi group,
>
>Recently I came up with this problem: running isc_named + dhclient
>causes isc_named to periodically lose its binding to the TCP port:
>
>Sep  7 13:45:02 ns dhclient[12533]: DHCPREQUEST on vio0 to 169.254.169.254
>Sep  7 13:45:02 ns dhclient[12533]: DHCPACK from 169.254.169.254 (fe:00:00:88:fe:63)
>Sep  7 13:45:02 ns named[76593]: no longer listening on XXX.XXX.XXX.XXX#53
>Sep  7 13:45:02 ns named[76593]: listening on IPv4 interface vio0, XXX.XXX.XXX.XXX#53
>Sep  7 13:45:02 ns named[76593]: binding TCP socket: address in use
>Sep  7 13:45:02 ns dhclient[12533]: bound to XXX.XXX.XXX.XXX -- renewal in 40027 seconds.
>
>XXX is redacted public IP.
>
>This is OpenBSD 6.1 
>In bind I have already configured interface-interval 0; but this does
>not fix the problem. Any idea? This problem looks like it is isolated to
>OpenBSD.
>
>Thanks,
>
>_
>Zbyszek Żółkiewski
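Before replacing dhclient with a static configuration as suggested above, it helps to confirm from syslog that named's listener churn really coincides with lease renewals. The following is an added example, not code from the thread: a small POSIX sh/awk check run over a constructed log built from the lines quoted above (XXX.XXX.XXX.XXX stands for the redacted address; the second renewal is invented).

```shell
#!/bin/sh
# Added example, not from the original thread: confirm from syslog that
# named's listener churn lines up with dhclient lease renewals before
# switching the interface to a static configuration. The log below is
# constructed from the lines quoted above; XXX.XXX.XXX.XXX stands for the
# redacted public address and the second renewal is invented.

SAMPLE_LOG='Sep  7 13:45:02 ns dhclient[12533]: DHCPREQUEST on vio0 to 169.254.169.254
Sep  7 13:45:02 ns dhclient[12533]: DHCPACK from 169.254.169.254 (fe:00:00:88:fe:63)
Sep  7 13:45:02 ns named[76593]: no longer listening on XXX.XXX.XXX.XXX#53
Sep  7 13:45:02 ns named[76593]: listening on IPv4 interface vio0, XXX.XXX.XXX.XXX#53
Sep  7 13:45:02 ns named[76593]: binding TCP socket: address in use
Sep  7 13:45:02 ns dhclient[12533]: bound to XXX.XXX.XXX.XXX -- renewal in 40027 seconds.
Sep  7 14:10:11 ns named[76593]: client 192.0.2.7#5353: query: example.com IN A +
Sep  8 00:52:09 ns dhclient[12533]: DHCPACK from 169.254.169.254 (fe:00:00:88:fe:63)
Sep  8 00:52:09 ns named[76593]: no longer listening on XXX.XXX.XXX.XXX#53
Sep  8 00:52:09 ns named[76593]: listening on IPv4 interface vio0, XXX.XXX.XXX.XXX#53'

# Count DHCPACKs that are followed, with the same timestamp, by named
# dropping a listener. Reads syslog lines on stdin and prints the count.
count_rebinds_after_ack() {
    awk '
        /dhclient\[[0-9]+\]: DHCPACK/ { ack_ts = $1 " " $2 " " $3; next }
        /named\[[0-9]+\]: no longer listening/ {
            if (($1 " " $2 " " $3) == ack_ts) { n++; ack_ts = "" }
        }
        END { print n + 0 }
    '
}

# Count the TCP bind failures named logs after such a rebind; each one is a
# window in which the resolver answers UDP but has no TCP listener.
count_tcp_bind_failures() {
    grep -c 'named\[[0-9]*\]: binding TCP socket: address in use'
}

printf 'renewals followed by a rebind: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | count_rebinds_after_ack)"
printf 'TCP bind failures: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | count_tcp_bind_failures)"
```

On a real host, pipe the syslog file that receives the dhclient and named messages through the two functions instead of the sample; a count that matches the number of DHCPACKs is the confirmation that the renewal itself, not something in named, triggers the rebind.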



Re: Thinkpad R40 varia

2017-09-07 Thread Florian Ermisch


On 2 September 2017 17:08:17 MESZ, leo_...@volny.cz wrote:
>Just some notes on the damn thing:
>
>Swapping the general battery clears the 'CMOS' memory. I surmise that
>there is no separate CMOS battery: I consider this a design flaw.
>
Have you checked for a separate CMOS
battery - which is probably long dead?


>As with lots of IBM PC stuff of the era (since the PS/2?), there's a
>'system partition' (or whatever they called it that week) that is
>probably best preserved when swapping hdds […]
I would be surprised if there's more than
some diagnostic software to ease the
job of IBM's customer support.
I installed OpenBSD on an ancient T20
(which has a serial port, that's why I kept
it around) once and didn't look out for any
"system partitions".

>[…]
>
>There's what appears to be an extra port above the PCMCIA one, with a
>female connector, but otherwise looking suspiciously similar, which I
>haven't seen described (seperately) anywhere. […]

Probably a second PCMCIA/CardBus
slot. Those were important back then.

Regards, Florian



Re: OpenBSD 6.1-stable lock up

2017-09-02 Thread Florian Ermisch
On 1 September 2017 06:38:49 MESZ, Philipp Buehler wrote:
>Hello,
>
>On 01.09.2017 00:33, Maxim Bourmistrov wrote:
>> 0/232/64 mbuf 2048 byte clusters in use (current/peak/max)
>> 423/2865/120 mbuf 2112 byte clusters in use (current/peak/max)
>> 0/160/64 mbuf 4096 byte clusters in use (current/peak/max)
>> 0/200/64 mbuf 8192 byte clusters in use (current/peak/max)
>
>I've seen this before - including a kind of "lock up".
>How does one reach a peak/current way over the maximum - and 2112 byte 
>mcl?
>IIRC, there was activity in this area changing allocation and 
>statistics.

Hm, could this be the same performance
regression as VLANs saw?
http://www.grenadille.net/post/2017/02/13/What-happened-to-my-vlan

The post and the one on tech@ don't
mention the version but as it was a
discussion between OpenBSD devs I
guess it was what became 6.1 a few
months later.
I think I've heard or read something about
improvements in this area (on BSDnow or
undeadly) so maybe you could try a
6.2-BETA.

Regards, Florian



Re: ksh ^R vs EDITOR=vi

2017-08-27 Thread Florian Ermisch


On 27 August 2017 23:43:38 MESZ, Jeremie Courreges-Anglas <j...@wxcvbn.org> wrote:
>On Sun, Aug 27 2017, Florian Ermisch <florian.ermi...@mailbox.org>
>wrote:
>> Hi Jeremie,
>>
>> On 27 August 2017 17:57:57 MESZ, Jeremie Courreges-Anglas <j...@wxcvbn.org> wrote:
>>>On Sun, Aug 27 2017, Jan Stary <h...@stare.cz> wrote:
>>>> This is current/amd64. I am using ksh(1) as a shell.
>>>> Using ^R opens a search in the command history.
>>>> However, with 'export EDITOR=vi', pressing ^R
>>>> just literally types '^R' and does not open
>>>> the history search. Is that expected?
>>>
>>>EDITOR=vi puts the shell cli editor in vi mode,
>>> see EDITOR and VISUAL in the manpage.  
>>> "Traditional" but quite annoying behavior.
>>
>> Shouldn't setting VISUAL override this
>> function of EDITOR? AFAIK most tools
>> look at EDITOR when choosing which
>> editor ("visual" or not) to spawn for things 
>> like commit messages and not VISUAL.
>
>I think most tools do use VISUAL, then EDITOR if VISUAL isn't set, then
>some kind of default.  VISUAL being a fullscreen editor like vi(1), and
>EDITOR a line editor like ed(1).
>
>> I'd think setting EDITOR to vi (or vim) and VISUAL to emacs should give you the
>> behavior you want.
>
>If the intent is to use vi, this doesn't work with programs that first
>check VISUAL (eg crontab -e).
>
>Rather:
>VISUAL=vi
>maybe EDITOR=vi if some of your tools don't look at VISUAL.
>set -o emacs

You're right, it's a custom one
({SUDO,HG,GIT…}_EDITOR), then VISUAL,
then EDITOR. ksh's manpage got me
confused where it's "EDITOR unless VISUAL
is set" and not "1st VISUAL then EDITOR".
Shouldn't make those claims without
testing this late at night.

Of course `set -o emacs` if you want
to have EDITOR=vi _and_ ^R.

Regards, Florian



Re: ksh ^R vs EDITOR=vi

2017-08-27 Thread Florian Ermisch
Hi Jeremie,

On 27 August 2017 17:57:57 MESZ, Jeremie Courreges-Anglas wrote:
>On Sun, Aug 27 2017, Jan Stary  wrote:
>> This is current/amd64. I am using ksh(1) as a shell.
>> Using ^R opens a search in the command history.
>> However, with 'export EDITOR=vi', pressing ^R
>> just literally types '^R' and does not open
>> the history search. Is that expected?
>
>EDITOR=vi puts the shell cli editor in vi mode,
> see EDITOR and VISUAL in the manpage.  
> "Traditional" but quite annoying behavior.

Shouldn't setting VISUAL override this
function of EDITOR? AFAIK most tools
look at EDITOR when choosing which
editor ("visual" or not) to spawn for things 
like commit messages and not VISUAL. 
I'd think setting EDITOR to vi (or vim) and VISUAL to emacs should give you the 
behavior you want.

Regards, Florian 

PS: I actually use ZSH (and years ago
ksh93 on OpenSolaris) with VISUAL=vi…
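The lookup order that the two ksh messages above converge on, as an added example in POSIX sh (not from the thread): a tool-specific variable such as GIT_EDITOR first, then VISUAL, then EDITOR, then a default. The variable names and the demonstration values are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the editor lookup order the replies
# settle on, a tool-specific variable first (GIT_EDITOR, SUDO_EDITOR, ...),
# then VISUAL, then EDITOR, then a built-in default. Values come from the
# current environment; the tool-specific variable name is the argument.

# Usage: choose_editor [TOOL_VAR]   e.g.  choose_editor GIT_EDITOR
choose_editor() {
    tool_var=$1
    if [ -n "$tool_var" ]; then
        # only a plain variable name may be expanded indirectly via eval
        case $tool_var in
            *[!A-Za-z0-9_]*) echo "choose_editor: bad variable name" >&2; return 2 ;;
        esac
        eval "tool_value=\${$tool_var:-}"
        if [ -n "$tool_value" ]; then
            printf '%s\n' "$tool_value"
            return 0
        fi
    fi
    if [ -n "${VISUAL:-}" ]; then
        printf '%s\n' "$VISUAL"
    elif [ -n "${EDITOR:-}" ]; then
        printf '%s\n' "$EDITOR"
    else
        # assumed default for the demonstration
        printf '%s\n' vi
    fi
}

# Demonstration: VISUAL wins over EDITOR unless the tool has its own variable.
VISUAL=emacs EDITOR=vi GIT_EDITOR=mg
choose_editor GIT_EDITOR   # mg
choose_editor              # emacs
```

For ksh the same order applies to the command-line editing mode, which is why the thread ends up with VISUAL=vi (and EDITOR=vi for tools that only look there) followed by `set -o emacs` to keep ^R.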



Re: mount_nfs(8) -b option

2017-08-27 Thread Florian Ermisch
Hi Alessandro,

On 15 August 2017 15:57:01 MESZ, Alessandro DE LAURENZIS wrote:
>Dear misc@ readers,
>
>From mount_nfs(8):
>
>  -b  If an initial attempt to contact the server fails, fork off a
>  child to keep trying the mount in the background.  Useful for
> fstab(5), where the file system mount is not critical to
> multiuser operation.
>
>My understanding is that, in case the server is not reachable when the
>command is run (specifically, at boot, if there is a proper entry in
>fstab(5)), it will be forked and keep trying the mount operation until
>the server is back.
>
>I had a look at the code and, if I am not mistaken, the process sleeps 
>for 60s, then retries and so on.
>
>Now: this is my fstab:
>
>#  Blk dev              Mount point              FS type  Mnt opts      Dump freq  Pass no.
>  […]
>  # Network file sharing
>egeo:/vol/datavol01    /nfs/egeo/vol/datavol01  nfs      net,rw,-i,-b  0          0
>[…]
>
>I observe two unexpected behaviors:
>
>1) when I switch on the machine in an environment without any network 
>available, I see the messages "Cannot resolve egeo..." and the boot 
>process goes on; but when the server comes back (I simply make a wifi 
>network available and run "doas sh /etc/netstart" on the client), 
>nothing happens (I was instead expecting that the shares were mounted 
>after a minute or so);
>
>2) when I boot without any network available and remove the "-b"
>option from the client's fstab, again I see the messages "Cannot resolve
>egeo...", and again the process continues without lagging...
>[…]

In case nobody pointed this out off-list:
You should add your fileserver's IP to
your /etc/hosts so its name can be
resolved during boot when there's no
DNS available (or you're outside your
LAN).

Regards, Florian
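Added example, not from the thread: a POSIX sh check that every NFS server named in fstab(5) has an /etc/hosts entry, so that the name resolves during boot without DNS and the background retry has something to retry against. The fstab and hosts files are constructed; egeo, backup and 192.0.2.10 are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: report NFS servers named in fstab(5)
# that cannot be resolved from /etc/hosts alone, which is what mount_nfs
# has to rely on at boot when no DNS server is reachable. The two sample
# files are constructed; "egeo", "backup" and 192.0.2.10 are placeholders.

make_samples() {
    SAMPLE_DIR=$(mktemp -d)
    cat > "$SAMPLE_DIR/fstab" <<'EOF'
# Blk dev              Mount point               FS type  Mnt opts      Dump  Pass no.
/dev/sd0a              /                         ffs      rw            1     1
egeo:/vol/datavol01    /nfs/egeo/vol/datavol01   nfs      net,rw,-i,-b  0     0
backup:/export/home    /nfs/backup/home          nfs      net,ro,-b     0     0
EOF
    cat > "$SAMPLE_DIR/hosts" <<'EOF'
127.0.0.1    localhost
::1          localhost
192.0.2.10   egeo egeo.example.net
EOF
}

remove_samples() { rm -rf "$SAMPLE_DIR"; }

# Print the server part of every nfs entry in the given fstab.
nfs_servers() {
    awk '$0 !~ /^[[:space:]]*#/ && $3 == "nfs" { split($1, a, ":"); print a[1] }' "$1"
}

# True when NAME appears as a hostname or alias in the given hosts file.
in_hosts() {
    awk -v name="$2" '
        { sub(/#.*/, ""); for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Print every NFS server in FSTAB missing from HOSTS (defaults: the real
# files). Returns 1 when at least one is missing, else 0.
unresolvable_nfs_servers() {
    fstab=${1:-/etc/fstab} hosts=${2:-/etc/hosts} missing=0
    for srv in $(nfs_servers "$fstab"); do
        case $srv in
            *[!0-9.]*) ;;      # a name: must be in the hosts file
            *) continue ;;     # dotted-decimal literal: nothing to resolve
        esac
        if ! in_hosts "$hosts" "$srv"; then
            echo "$srv"
            missing=1
        fi
    done
    return $missing
}

make_samples
unresolvable_nfs_servers "$SAMPLE_DIR/fstab" "$SAMPLE_DIR/hosts" \
    || echo "add the servers above to /etc/hosts so -b can retry the mount"
remove_samples
```

Run `unresolvable_nfs_servers` without arguments on the client itself to check the real /etc/fstab against /etc/hosts.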



Re: octeon port, ubiquity edgerouter

2017-07-22 Thread Florian Ermisch
Hi,

if no one chimes in then maybe
you can get a dmesg or lshw 
output from the linux-based 
EdgeOS to get some more 
details on the hardware.
I would guess it's quite a bit 
beefier than the ERL3 and for
embedded platforms this can 
mean more differences than 
just more cores and more RAM.

Regards, Florian 

On 22 July 2017 11:46:02 MESZ, "Peter J. Philipp" wrote:
>Hi,
>
>Someone has offered me a deal on a somewhat used Ubiquiti Edgerouter,
>https://www.ubnt.com/edgemax/edgerouter/  <-- this one.
>
>Is it supported by OpenBSD/octeon and if not what needs to be done to
>make it work?  Has anyone experience with this hardware?
>
>Regards,
>-peter



Re: Get an MAC address of a LAN PC - OpenBSD

2017-06-23 Thread Florian Ermisch
Some systems list their onboard 
NIC's MAC in the BIOS. A few ones 
may even have it printed on the 
board or a sticker with the MAC
somewhere close to the NIC's port.
Or get a permit to unplug its disk(s)
before booting an OpenBSD CD,
then drop to a shell and run ifconfig.

If the MAC was spoofed but the
system was connected to a managed
switch the switch may still have the
MAC from when it powered on cached.
If you're worried about spoofed MACs
you may also want to look into the
feature called port security (at least
on Juniper and Cisco devices) on your
access switches.
Which causes interesting problems with
VMs bridged to the host's NIC, btw ; )

Regards, Florian 

On 23 June 2017 07:40:42 MESZ, Indunil Jayasooriya wrote:
>>
>> > no idea what to do?
>>
>> Plug it back in.  Power it up.  
>> Make sure it has a reachable IP. 
>> Ping it.
>>
>
>very sorry. It is prohibited to plug it back in and power it up.
>
>To do it, We might need a special request.
>
>Theo, anyway, thanks for your support.



Re: isakmpd dies quietly with over 100 tunnels

2017-05-29 Thread Florian Ermisch
Hi all,

I got to admit I've seen isakmpd dying on 5.9*
(amd64 on VMware). But after having to deal 
with half a dozen peers all over Europe using 
different proprietary solutions a cronjob like
"rcctl ls faulty | grep isakmpd && rcctl restart…"
worked well enough for me.

I won't be able to test with the setup at work 
but I got a little VPS running 6.1 I could use
(and update to -STABLE if necessary).
We probably won't get to over 100 tunnels but
I've seen the problem with ~8 tunnels.
The question would be if this problem would
even show up in a homogeneous OpenBSD
network…

Regards, Florian

*) the central hub isn't my problem anymore, 
and it will take some time to convince my 
replacement there to update to 6.1…

On 29 May 2017 09:26:18 MESZ, Alexis VACHETTE wrote:
>Hi Michał,
>
>I'm having same issue without 100 ipsec tunnels and dedicated hardware.
>
>Unfortunately it's a production environment so I can't really
>troubleshoot this issue to track down the culprit.
>
>Anyway maybe it's not related to your issue.
>
>Regards,
>Alexis.
>On 28/05/2017 14:31, Michał Koc wrote:
>> Hi all,
>>
>> I'm running 6.0/amd64 inside KVM/Qemu with over 100 ipsec tunnels.
>>
>> Everything was running just fine when the number of tunnels was
>> lower. But as we have been setting up more and more tunnels we suddenly
>> ran into problems.
>> The isakmpd daemon keeps dying quietly. Probably I'm running out of
>> something, but I need some help to find out what it is and how to
>> monitor it and tweak.
>>
>> Thank You in advance.
>>
>> Best Regards
>> M.K.
>>
>> root@vgate0:/root# netstat -m
>> 215 mbufs in use:
>> 163 mbufs allocated to data
>> 46 mbufs allocated to packet headers
>> 6 mbufs allocated to socket names and addresses
>> 160/920/6144 mbuf 2048 byte clusters in use (current/peak/max)
>> 0/8/6144 mbuf 4096 byte clusters in use (current/peak/max)
>> 0/8/6144 mbuf 8192 byte clusters in use (current/peak/max)
>> 0/14/6146 mbuf 9216 byte clusters in use (current/peak/max)
>> 0/10/6150 mbuf 12288 byte clusters in use (current/peak/max)
>> 0/8/6144 mbuf 16384 byte clusters in use (current/peak/max)
>> 0/8/6144 mbuf 65536 byte clusters in use (current/peak/max)
>> 2760 Kbytes allocated to network (13% in use)
>> 0 requests for memory denied
>> 0 requests for memory delayed
>> 0 calls to protocol drain routines
>>
>> Sample tail of the log:
>> When I run "isakmpd -K -d -DA=10":
>> 142043.246192 Sdep 10 pf_key_v2_set_spi: satype 2 dst xxx.xxx.xxx.xxx SPI 0x42f03e5d
>> 142043.246209 Timr 10 timer_add_event: event 
>> sa_soft_expire(0x1fb9d0bdf400) added before 
>> sa_soft_expire(0x1fb9c8f05400), expiration in 25056s
>> 142043.246223 Timr 10 timer_add_event: event 
>> sa_hard_expire(0x1fb9d0bdf400) added before 
>> sa_soft_expire(0x1fb9dd458200), expiration in 28800s
>> 142043.246326 Sdep 10 pf_key_v2_set_spi: satype 2 dst xxx.xxx.xxx.xxx SPI 0x3ffa5955
>> 142043.268229 Default responder_recv_HASH_SA_NONCE: KEY_EXCH payload 
>> without a group desc. attribute
>> 142043.268250 Default dropped message from xxx.xxx.xxx.xxx port 500 
>> due to notification type NO_PROPOSAL_CHOSEN
>> 142043.268281 Timr 10 timer_add_event: event 
>> exchange_free_aux(0x1fb9a5336400) added before 
>> sa_soft_expire(0x1fba0d6a2a00), expiration in 120s
>> 142043.268289 Exch 10 exchange_establish_p2: 0x1fb9a5336400 policy initiator phase 2 doi 1 exchange 5 step 0
>> 142043.268295 Exch 10 exchange_establish_p2: icookie 8c58f4e7f8269ed3 rcookie 0fe2d7657125a339
>> 142043.268301 Exch 10 exchange_establish_p2: msgid de2c5cc3 sa_list
>> 142043.269079 Timr 10 timer_add_event: event 
>> message_send_expire(0x1fb994136900) added before 
>> connection_checker(0x1fb9b2646280), expiration in 7s
>> 142043.269614 Exch 10 exchange_finalize: 0x1fb9a5336400  
>> policy> policy initiator phase 2 doi 1 exchange 5 step 1
>> 142043.269630 Exch 10 exchange_finalize: icookie 8c58f4e7f8269ed3 
>> rcookie 0fe2d7657125a339
>> 142043.269637 Exch 10 exchange_finalize: msgid de2c5cc3 sa_list
>> 142043.269653 Timr 10 timer_remove_event: removing event 
>> exchange_free_aux(0x1fb9a5336400)
>> 142043.289465 Timr 10 timer_remove_event: removing event 
>> message_send_expire(0x1fb994136900)
>> 142043.289513 Exch 10 exchange_finalize: 0x1fb972b59400 
>> from-xxx.xxx.xxx.xxx/24-to-xxx.xxx.xxx.xxx/24  policy 
>> responder phase 2 doi 1 exchange 32 step 2
>> 142043.289521 Exch 10 exchange_finalize: icookie 8c58f4e7f8269ed3 
>> rcookie 0fe2d7657125a339
>> 142043.289528 Exch 10 exchange_finalize: msgid de079ef6 sa_list 
>> 0x1fb9dd458800 0x1fb985d09e00
>> 142043.289578 Sdep 10 pf_key_v2_set_spi: satype 2 dst xxx.xxx.xxx.xxx SPI 0xe5d04953
>> 142043.289594 Timr 10 timer_add_event: event 
>> sa_soft_expire(0x1fb9dd458800) added before 
>> sa_soft_expire(0x1fba1d81de00), expiration in 3279s
>> 142043.289608 Timr 10 timer_add_event: event 
>> sa_hard_expire(0x1fb9dd458800) added before 
>> 

Re: bioctl crypto size limitation ?

2017-05-26 Thread Florian Ermisch
Just make slice sd0a smaller
than 100% of the RAID array.

Regards, Florian 

On 25 May 2017 19:03:59 MESZ, myml...@gmx.com wrote:
>I'm wondering if there is a limit to the size of a disk for full disk 
>encryption.
>
>I'm trying to encrypt a 32Tb raid 6 drive on a lsi 9265-8i with 8 x 6Tb
>drives and it's failing with the error "unknown error". (very
>descriptive!)
>
>I was able to encrypt the 256Gb system disk without error during 
>installation.
>
>Without encrypting the 32Tb drive, I had no problem creating the FS and
>mounting it.
>
>I know people will say this is a bad idea because of fsck (and maybe 
>other reasons), but this drive will be mounted ro 99% of the time.
>
>Steps to recreate:
>
>dd if=/dev/random of=/dev/rsd0c bs=1m   (took over a week)
>
>fdisk -iy -g sd0  (I left off the "-b 960" because this is not a
>bootable partition)
>
>disklabel -E sd0
>
>Label editor (enter '?' for help at any prompt)
> > a a
>offset: [64]
>size: [70319603585]
>FS type: [4.2BSD] RAID
> > w
> > q
>
># bioctl -v -c C -l sd0a softraid0
>New passphrase:
>Re-type passphrase:
>Deriving key using bcrypt PBKDF with 16 rounds...
>bioctl: unknown error
>
>
>dmesg:
>
>OpenBSD 6.1-current (GENERIC.MP) #54: Thu May 11 19:20:09 MDT 2017
>dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>real mem = 34333851648 (32743MB)
>avail mem = 33287512064 (31745MB)
>mpath0 at root
>scsibus0 at mpath0: 256 targets
>mainbus0 at root
>bios0 at mainbus0: SMBIOS rev. 2.6 @ 0x9d000 (51 entries)
>bios0: vendor American Megatrends Inc. version "2.1" date 03/17/2012
>bios0: Supermicro X8DT3
>acpi0 at bios0: rev 2
>acpi0: sleep states S0 S1 S4 S5
>acpi0: tables DSDT FACP APIC MCFG SLIT SLIC OEMB SRAT HPET SSDT
>acpi0: wakeup devices NPE1(S4) NPE2(S4) NPE3(S4) NPE4(S4) NPE5(S4) 
>NPE6(S4) NPE7(S4) NPE8(S4) NPE9(S4) NPEA(S4) P0P1(S4) PS2K(S4) USB0(S4)
>USB1(S4) USB2(S4) USB5(S4) [...]
>acpitimer0 at acpi0: 3579545 Hz, 24 bits
>acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
>cpu0 at mainbus0: apid 0 (boot processor)
>cpu0: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.32 MHz
>cpu0: 
>FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,POPCNT,NXE,PAGE1GB,RDTSCP,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
>cpu0: 256KB 64b/line 8-way L2 cache
>cpu0: TSC frequency 2400324600 Hz
>cpu0: smt 0, core 0, package 0
>mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
>cpu0: apic clock running at 133MHz
>cpu0: mwait min=64, max=64, C-substates=0.2.1.1, IBE
>cpu1 at mainbus0: apid 2 (application processor)
>cpu1: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.00 MHz
>cpu1: 
>FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,POPCNT,NXE,PAGE1GB,RDTSCP,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
>cpu1: 256KB 64b/line 8-way L2 cache
>cpu1: smt 0, core 1, package 0
>cpu2 at mainbus0: apid 18 (application processor)
>cpu2: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.01 MHz
>cpu2: 
>FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,POPCNT,NXE,PAGE1GB,RDTSCP,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
>cpu2: 256KB 64b/line 8-way L2 cache
>cpu2: smt 0, core 9, package 0
>cpu3 at mainbus0: apid 20 (application processor)
>cpu3: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.00 MHz
>cpu3: 
>FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,POPCNT,NXE,PAGE1GB,RDTSCP,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
>cpu3: 256KB 64b/line 8-way L2 cache
>cpu3: smt 0, core 10, package 0
>cpu4 at mainbus0: apid 32 (application processor)
>cpu4: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.01 MHz
>cpu4: 
>FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,POPCNT,NXE,PAGE1GB,RDTSCP,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
>cpu4: 256KB 64b/line 8-way L2 cache
>cpu4: smt 0, core 0, package 1
>cpu5 at mainbus0: apid 48 (application processor)
>cpu5: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.01 MHz
>cpu5: 
>FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,POPCNT,NXE,PAGE1GB,RDTSCP,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
>cpu5: 256KB 64b/line 8-way L2 cache
>cpu5: smt 0, core 8, package 1
>cpu6 at mainbus0: apid 50 (application processor)
>cpu6: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.01 MHz
>cpu6: 

Re: cloud docs

2017-05-24 Thread Florian Ermisch
If it's text as in plaintext with some 
light markup: net/syncthing works 
well enough for me. The version in 
ports is reasonably up to date¹
and you get clients for anything 
else, too.
(Initial configuration of all the peers 
is a little fiddly though.)
And when you've accepted 
markdown's omnipresence you can
combine syncthing with Writeily Pro 
on your android devices.

Or just use any VCS, a distributed
one when you don't have a reliable
central server.

Regards, Florian

¹) at 0.14.25 according to [0] with
the android app being at 0.14.26
[0]: https://github.com/openbsd/ports/blob/master/net/syncthing/distinfo

On 24 May 2017 19:49:46 MESZ, Scott Bonds wrote:
>unison?
>
>On 05/24, Asbel Kiprop wrote:
>>Yeah, I was using it for some time and I wonder if there is some more
>>text document based solution.
>>
>>2017-05-24 20:33 GMT+03:00 Ulises M. Alvarez :
>>
>>> On 24/05/17 12:22, Asbel Kiprop wrote:
>>>
>>>> Hello, friends. Is there some solution (in OpenBSD packages, like
>>>> ownCloud, for example) to handle cloud documents? All I want is
>>>> to edit some text files on 3-4 computers with synchronization (like
>>>> ONLYOFFICE, I think, but not so complicated)


>>> Hi,
>>> Both, ownCloud and NextCloud, include an editor for text documents;
>>> i.e., *.txt
>>> --
>>> Ulises M. Alvarez
>>> http://sophie.unam.mx/
>>>



Re: Qubes-OS is "fake" security

2017-05-11 Thread Florian Ermisch
Sorry, out of herrings. Have a listen to this 
instead: 
"Risky Biz Soap Box: A microvirtualisation 
primer with Bromium co-founder Ian Pratt
(a.k.a. how to run Java plugin on IE8 and 
not die!)"
https://risky.biz/soapbox3/

On 12 May 2017 03:41:05 MESZ, Kim Blackwood wrote:
>Hi,
>
>I am at novice level of security, studying and trying to understand
>some of the different aspects of running an OS and applications as
>securely as possible.
>
>I have been running OpenBSD for years and understand a little of what's
>being done to make it more secure, albeit not the technical details of
>programming as much as I am not a C programmer.
>
>A friend of mine, who is a computer scientist with speciality in
>security, suggested Qubes-OS as a secure "solution" to security
>problems related to OS's and applications on a personal computer.
>
>I read up about the project and tested it out, but I am not convinced
>that it is a good solution at all.
>
>I am writing to this list because I know that a lot of people on this
>list are very security-minded.
>
>I found the reading "An Empirical Study into the Security Exposure to
>Hosts of Hostile Virtualized Environments" very insightful.
>
>http://taviso.decsystem.org/virtsec.pdf
>
>First, I cannot really see the difference between an OS and a
>hypervisor. Both run on the "bare metal" and both perform similar
>tasks. In the specific case with Qubes-OS, there isn't really a
>difference as it's "just" Fedora with Xen.
>
>Possibilities of exploiting the hypervisor aren't lower than
>possibilities of exploiting the OS. And specifically in the case of
>OpenBSD as the OS, that has been developed from the ground up with
>security in mind, the possibilities are much lower than a hypervisor
>that hasn't even been developed with security measures from the
>beginning.
>
>Second, the virtualization part as I see it, just adds another level of
>tons of code.
>
>If I am running Firefox on OpenBSD and Firefox gets exploited, the
>cracker finds himself on a very secure OS that's really hard to
>compromise.
>
>If I am running Firefox in some virtualization container on Qubes-OS
>and Firefox gets exploited, then the cracker finds himself inside a
>container that could possibly contain lots of exploitable security
>holes that again runs on a hypervisor with possibly lots of security
>holes, stuff that hasn't been developed with security in mind and has
>perhaps never been audited.
>
>Qubes-OS seems to me as a solution of "patching".
>
>OpenBSD on the other hand is a completely different story.
>
>Rather than running something like Qubes-OS, which IMHO provides a fake
>feeling of security, with its different "qubes", I would think of
>another situation that's much better.
>
>I either set up 3 different computers, or one computer where I can
>physically change the hard drive and I then have 3 different hard
>drives.
>
>On one box I setup OpenBSD and the most secure-minded browser I can
>find (does such a thing even exist?). On this particular setup I *ONLY*
>do my home banking. Absolutely nothing else.
>
>On the second box I also setup OpenBSD and the most secure-minded email
>client I can find and I do all my email there. I possibly also setup an
>office application for writing letters, etc. I don't use a browser on
>this setup, if someone sends an email with a link, I write the link
>down for later usage.
>
>And on the third box I also setup OpenBSD with a browser and possible
>other applications like a video player, and this box I use for all the
>other casual stuff, the links from emails, etc. I possibly even run
>this from a non-writeable CD or SD card.
>
>It will be an inconvenience to shift between the drives, but no more
>than using Qubes-OS.
>
>IMHO the setup with the different OpenBSD installations provides a
>much more secure alternative than running Qubes-OS.
>
>Am I completely off track here?
>
>Kind regards,
>
>Kim



Re: IPv6, sshd, and latest patches?

2017-05-07 Thread Florian Ermisch


On 8 May 2017 04:18:30 MESZ, Eric Johnson wrote:
>
>
>On Mon, 8 May 2017, Sterling Archer wrote:
>
>> On Mon, May 8, 2017 at 1:58 AM, Eric Johnson wrote:
>>
>>
>>   Has anyone else had problems with sshd and IPv6 after applying the latest
>>   patches?  It seems to me that the patches disabled the use of IPv6 for
>>   ssh.
>>
>>   When I try to set the IPv6 address I want it to listen to in sshd_config,
>>   sshd fails with the following message:
>>
>>   bad addr or host: 2001:1890:1263:a14:: (no address associated with name)
>>
>>   Using the default sshd_config, ssh is only listening on IPv4 addresses.
>>
>>   Eric Johnson
>>
>>
>> It's working here, fully patched 6.1 system.
>> To make sure it's not because of the :: inet6 address, I tested this, where
>> 2001:: is the /48 my ISP delegates to me:
>>
>> # doas ifconfig em1 inet6 2001::::
>> # doas rcctl restart sshd
>> sshd (ok)
>> sshd (ok)
>> # telnet 2001::::
>> Trying 2001::::...
>> Connected to 2001::::.
>> Escape character is '^]'.
>> SSH-2.0-OpenSSH_7.5
>
>After playing around with it some more, if I use "AddressFamily inet6" in
>sshd_config, then it will do IPv6 okay, but not IPv4.  The problem occurs
>when I don't specify an address family (and so "AddressFamily any" is the
>default) or I use "AddressFamily any".
>
>Eric Johnson

Have you tried putting the IPv6 address
in brackets, i.e. [2001::::]?
Seems to me you manage to confuse
the parser, maybe by trying to specify an
IPv6 address with a port but omitting the
then necessary brackets.

And when setting an explicit IPv6 address
to listen on you have to have an IPv4
ListenAddress, too, if you want your
"AddressFamily any" to matter.

HTH, Florian
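An added example, not part of the thread or of OpenSSH: a POSIX sh audit of sshd_config ListenAddress lines for the two points above, an IPv6 address that needs the [addr]:port form to carry a port, and an "AddressFamily any" that stops mattering once only one family is listed. The configuration excerpt is constructed with the 2001:db8::/32 documentation prefix.

```shell
#!/bin/sh
# Added example, not from the thread: audit the ListenAddress lines of an
# sshd_config for the two pitfalls discussed above, an IPv6 address that
# needs the [addr]:port form to carry a port, and "AddressFamily any" that
# stops mattering once only IPv6 (or only IPv4) addresses are listed.
# The excerpt is constructed; 2001:db8::/32 is the documentation prefix.

SAMPLE_SSHD_CONFIG='# constructed sshd_config excerpt
Port 22
AddressFamily any
ListenAddress 2001:db8:1263:a14::
ListenAddress 2001:db8:1263:a14::1:2222
ListenAddress [2001:db8:1263:a14::2]:2222'

# Classify one ListenAddress value by shape (the forms in sshd_config(5)):
#   v6-bracketed  [addr]:port (or [addr]), the form that carries a port
#   v6-bare       IPv6 literal without brackets; a trailing :2222 is part
#                 of the address, not a port
#   host-port     IPv4 address or hostname followed by :port
#   host          IPv4 address or hostname on the default Port
classify_listen_address() {
    case $1 in
        \[*\]*) echo v6-bracketed ;;
        *:*:*)  echo v6-bare ;;
        *:*)    echo host-port ;;
        *)      echo host ;;
    esac
}

# Read an sshd_config on stdin, print hints and warnings, return the
# number of warnings (0 means the listener set is consistent). Hostnames
# are counted with IPv4 here, a simplification of this example.
audit_listen_addresses() {
    warnings=0 v4=0 v6=0 listen=0 af=any
    while read -r key value rest; do
        case $key in
            AddressFamily|addressfamily)
                af=$value ;;
            ListenAddress|listenaddress)
                listen=$((listen + 1))
                case "$(classify_listen_address "$value")" in
                    v6-bracketed) v6=$((v6 + 1)) ;;
                    v6-bare)
                        v6=$((v6 + 1))
                        echo "hint: '$value' is read as a bare IPv6 address; a port needs [addr]:port" ;;
                    host-port|host) v4=$((v4 + 1)) ;;
                esac ;;
        esac
    done
    # With any ListenAddress present sshd binds only those addresses, so
    # "AddressFamily any" adds nothing unless both families are listed.
    if [ "$listen" -gt 0 ] && [ "$af" = any ]; then
        if [ "$v4" -eq 0 ]; then
            echo "warning: AddressFamily any, but no IPv4 ListenAddress: sshd will not listen on IPv4"
            warnings=$((warnings + 1))
        fi
        if [ "$v6" -eq 0 ]; then
            echo "warning: AddressFamily any, but no IPv6 ListenAddress: sshd will not listen on IPv6"
            warnings=$((warnings + 1))
        fi
    fi
    return $warnings
}

printf '%s\n' "$SAMPLE_SSHD_CONFIG" | audit_listen_addresses
```

Run it as `audit_listen_addresses < /etc/ssh/sshd_config` before `sshd -t`; the syntax check alone does not report that a listener family silently went missing.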



Re: OpenBSD 6.1: relayd does not start more than 3 processes

2017-05-05 Thread Florian Ermisch


On 5 May 2017 16:05:09 MESZ, Maxim Bourmistrov wrote:
>
>> On 5 May 2017 at 15:55, Maxim Bourmistrov wrote:
>> 
>> 
>>> On 5 May 2017 at 14:41, Hiltjo Posthuma wrote:
>>> 
>>> On Fri, May 05, 2017 at 12:30:56PM +0200, Maxim Bourmistrov wrote:
>>>> […]
>>>> Changing ’prefork’ from 15 to 3 makes it work.
>>>>
>>>> Is this a bug?
>>>>
>>>> Br
>>> 
>>> Hey,
>>> 
>>> This is a random guess since you haven't posted the whole config,
>>> but I think it has bitten me too sometime:
>>> 
>>> Do you have the global options such as prefork defined before your
>>> relays and routes or not?
>>> 
>>> The order of the global options matters. If the global options are
>>> set after the table they are not initialized on the tables and can
>>> actually crash relayd. This is because the health checking uses a
>>> different prefork value and checks the "wrong" amount.
>>> 
>>> I'm not sure, but I think it is not a bug: it is documented in
>>> relayd.conf(5).
>>> 
>>> Thinking about it: would it be acceptable if `relayd -n` shows a
>>> warning if global options are defined in the wrong order? I can write
>>> the patch for it if it makes sense.
>>> 
>>> I hope this helps you in some way,
>>> 
>>> -- 
>>> Kind regards,
>>> Hiltjo
>> 
>> The whole config is like this:
>> 
>> […]
>> 
>> Note, the config layout is exactly the same as the one which already runs on
>> 6.0-stable.
>> 
>> My original question is why I can’t fork more than 3 procs any more
>> and why relayd starts when prefork > 3
>> and does not do a health check.
>> 
>> Br
>
>Hm, I tried this out - re-ordering the layout of the config.
>You are, indeed, correct here.
>
>Strange that this runs on 6.0.
>
>Case closed.
>Sorry for the noise.
>
>Br

I would still say it's worth the patch
Hiltjo offered to write. Or at least have
the warning printed when testing the
config with `-v -n`.

Regards, Florian
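An added example, not Hiltjo's patch and not part of relayd: a linter in POSIX sh/awk that flags global options placed after the first table, redirect, relay, protocol or router section, the ordering mistake the thread settles on. The config it checks is constructed; the set of options it knows (interval, prefork, timeout, log) is an assumption chosen for the example.

```shell
#!/bin/sh
# Added example, not Hiltjo's patch and not part of relayd: flag global
# options that appear after the first table, redirect, relay, protocol or
# router section of a relayd.conf, the ordering mistake discussed above.
# The config is constructed; 192.0.2.0/24 is a documentation prefix. The
# list of global options checked here is an assumption for the example.

SAMPLE_RELAYD_CONF='# constructed relayd.conf with the option order reversed
interval 10
table <webhosts> { 192.0.2.10, 192.0.2.11 }
log updates
prefork 15
redirect www {
    listen on 192.0.2.1 port 80
    forward to <webhosts> check http "/" code 200
}'

# Print "LINE: ..." for each global option that follows a section start,
# reading the config from the given files or stdin; return the number of
# such lines (0 means the order is fine).
relayd_option_order() {
    awk '
        # strip comments, skip blank lines (NR still counts them)
        { sub(/#.*/, ""); if ($0 ~ /^[[:space:]]*$/) next }
        # the first keyword on a line decides whether a section starts here
        $1 == "table" || $1 == "redirect" || $1 == "relay" ||
        $1 == "protocol" || $1 == "router" { if (!section) section = NR }
        section && ($1 == "interval" || $1 == "prefork" ||
                    $1 == "timeout" || $1 == "log") {
            printf "%d: global option \"%s\" after section started at line %d\n", NR, $1, section
            n++
        }
        END { exit n }
    ' "$@"
}

printf '%s\n' "$SAMPLE_RELAYD_CONF" | relayd_option_order
```

Run `relayd_option_order /etc/relayd.conf` before `relayd -n -f /etc/relayd.conf`; a non-zero exit means some option needs to move above the first section.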



Re: Pf with secondary DNS resolution

2017-05-04 Thread Florian Ermisch


On 4 May 2017 08:39:51 MESZ, Janne Johansson wrote:
>I would make those rules have a table, and a cronjob to feed the table with
>the current ips that these hostnames resolve to.

Same here.

>But of course, that implies you trust the replies you get all the time from
>that cronjob.
>
Is there no DNSSEC-enabled dynamic DNS
service? ;)
When you can't trust your (upstream) DNS
server a whole new world of ugly hacks will
open up.
How about sharing signed files via
SyncThing? ^^

Regards, Florian 
>
>2017-05-03 22:16 GMT+02:00 Luke Small :
>
>> Is it worthwhile to set up a hook for pf to load rules that have URLs after
>> the network services that can resolve them come into effect?
>>



Re: pledge for sockets?

2017-04-26 Thread Florian Ermisch
Hi Luke,

you can have rules to filter by user for both
incoming and outgoing connections, see
http://man.openbsd.org/OpenBSD-6.1/pf.conf.5#user

I don't think there's too much gain in adding
support for this kinda thing in pledge but
that's for the devs to decide. 

Regards, Florian 

On 26 April 2017 10:09:18 MESZ, Luke Small wrote:
>Would it be a good idea to make a pledge-like call that limits a process
>from connecting to ports and/or hosts? Maybe it could be done in a way that
>the kernel is made aware of the limitations like in a pledge call and while
>the process is alive, the kernel spawns pf rules based upon the socket
>ports that are created to connect to remote host ports.
>
>You could conceivably do things like limiting ntpd to predetermined hosts
>and port 123 and 53 on the respective processes involved.
>
>It would make processes that need the inet pledge permission merely to use
>libhiredis to connect to a Redis database safer.
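Added example, not from the thread: a pf.conf fragment that confines ntpd (running as _ntp on OpenBSD) to NTP and DNS towards a fixed set of hosts using the `user` qualifier from the pf.conf(5) section linked above, together with a small audit that lists the outbound pass rules of a ruleset that carry no such qualifier. The ruleset is constructed; addresses come from 192.0.2.0/24.

```shell
#!/bin/sh
# Added example, not from the thread: a pf.conf fragment that confines
# ntpd (user _ntp on OpenBSD) to NTP and DNS towards fixed hosts with the
# "user" qualifier from pf.conf(5), plus an audit that lists outbound pass
# rules lacking an owner restriction. The ruleset is constructed; the
# addresses are from the 192.0.2.0/24 documentation prefix.

SAMPLE_PF_CONF='# constructed ruleset; last matching rule wins
table <ntp_servers> { 192.0.2.10, 192.0.2.11 }
table <resolvers>   { 192.0.2.53 }

# default for _ntp: nothing leaves the host
block return out on egress user _ntp
# later rules override it: only NTP and DNS to the listed hosts
pass out on egress proto udp to <ntp_servers> port 123 user _ntp
pass out on egress proto { tcp udp } to <resolvers> port 53 user _ntp

# unrelated rule with no owner restriction, reported by the audit below
pass out on egress proto tcp to any port 443'

# Print outbound pass rules that do not restrict the socket owner, reading
# the ruleset from the given files or stdin; return the number of such rules.
pf_unconfined_pass_out() {
    awk '
        { sub(/#.*/, "") }
        $1 == "pass" && $2 == "out" && $0 !~ /[[:space:]]user[[:space:]]/ { print; n++ }
        END { exit n }
    ' "$@"
}

printf '%s\n' "$SAMPLE_PF_CONF" | pf_unconfined_pass_out
```

Check the fragment with `pfctl -nf` before loading it. The `user` qualifier matches the owner of the local socket, so it confines this host's own daemons and says nothing about forwarded traffic; if ntpd.conf uses HTTPS constraints, the same pattern needs a rule for port 443 to the constraint hosts.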



Re: nvi(1)

2017-04-23 Thread Florian Ermisch


On 23 April 2017 15:30:02 MESZ, Unixway1 wrote:
>Dear,
>
>I started to use nvi(1), the OpenBSD base editor; the manpage isn't clear
>about:
>1- How to copy and paste between xterms?
> Should I use marks? Is it possible or not?

Use one terminal with tmux, split it into 
several panes, then use tmux' copy mode?
You'll find a quick intro into copy & paste 
in tmux under [0].
That's how I work these days.

Regards, Florian 

[0]: https://awhan.wordpress.com/2010/06/20/copy-paste-in-tmux/

> […]



Re: howto show IPv6 address lifetime?

2017-04-20 Thread Florian Ermisch
Hi Harri,

until someone in the know replies you
could take a look at the DHCPv6 traffic
to see if a lifetime is included in the 
replies (and maybe keep them handy for
a dev to look at). Maybe dhcpcd supports 
this feature but there's an uncommon 
combination of flags it doesn't know about
yet.

Regards, Florian 

On 20 April 2017 10:25:54 MESZ, Harald Dunkel wrote:
>On 04/19/17 15:38, Dimitris Papastamos wrote:
>> 
>> You don't seem to have any autoconfigured addresses.
>> Try ifconfig vether0 inet6 autoconf first.
>> 
>
>Here is the output of ifconfig on my gateway:
>
># ifconfig re1
>re1: flags=8843 mtu 1500
>lladdr 80:ee:73:95:c1:0d
>index 3 priority 0 llprio 3
>groups: intern
> media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
>status: active
>inet 10.42.0.2 netmask 0xff00 broadcast 10.42.100.255
>inet6 fe80::82ee:73ff:fe95:c10d%re1 prefixlen 64 scopeid 0x3
>inet6 2003:::e500::1 prefixlen 56
>inet6 2003:::4200::1 prefixlen 56
>
>There is no "inet6 autoconf". Both IPv6 addresses have been assigned to
>re1 by dhcpcd during prefix delegation via pppoe0.
>
>Point is, the address with "e500" is not valid anymore, since
>Deutsche Telekom gave me the new prefix a few days ago. I had
>expected some kind of "expiration procedure" here.
>
>Is this a bug with my dhcpcd.conf or is this feature simply "not in"?
>Should I set re1 to "inet6 autoconf", even though it is not? (I will
>try, but let me send this EMail first.)
>
># cat /etc/dhcpcd.conf
>ipv6only
>persistent
>option rapid_commit
>require dhcp_server_identifier
>nohook lookup-hostname, resolv.conf
>allowinterfaces re1 pppoe0
>noipv6rs
>
>interface pppoe0
>ipv6rs
># static static domain_name_servers=
>iaid 0
>ia_pd 0 re1/0
>
>
>Every helpful hint is highly appreciated.
>Harri



Re: pf.conf: best practice for IP address lookup?

2017-04-16 Thread Florian Ermisch
Am 16. April 2017 14:22:42 MESZ schrieb Florian Ermisch
<florian.ermi...@mailbox.org>:
>Am 16. April 2017 10:54:51 MESZ schrieb Harald Dunkel
><ha...@afaics.de>:
>>Hash: SHA256
>>
>>Hi Florian,
>>
>>sorry to say, but you missed the point. The IP address of
>>*another* host inside my LAN changes, e.g. a mail server,
>>a http proxy, etc. The interface identifier of each host is
>>surely stable. The prefix is not. Using the old prefix in
>>pf.conf these hosts are affected as soon as it expires.
>>
>>
>>Regards
>>Harri
>
>Aw, crap, right IPv6.
>Then: Link local addresses.
>

And of course I have to correct myself:
You want RFC4193's Unique Local IPv6
Unicast Addresses (ULA) [1].
I found them when stumbling across a
thread about IPv6 troubles on this very
list [2].

I was thinking about a workaround with
some ifstated(8) triggered script re-
populating tables with only one member
each (i.e. the mailserver's new address).
But then I couldn't even say if an address change would trigger
ifstated(8)…

Regards, Florian

[1]: https://tools.ietf.org/html/rfc4193
[2]: https://www.mail-archive.com/misc@openbsd.org/msg142557.html



Re: pf.conf: best practice for IP address lookup?

2017-04-16 Thread Florian Ermisch
Am 16. April 2017 10:54:51 MESZ schrieb Harald Dunkel :
>Hash: SHA256
>
>Hi Florian,
>
>sorry to say, but you missed the point. The IP address of
>*another* host inside my LAN changes, e.g. a mail server,
>a http proxy, etc. The interface identifier of each host is
>surely stable. The prefix is not. Using the old prefix in
>pf.conf these hosts are affected as soon as it expires.
>
>
>Regards
>Harri

Aw, crap, right IPv6.
Then: Link local addresses.

There may be a way for `($IFACE_ext:network) & $IP_mailserver:host`
but until someone smarter and more attentive figures this out
there are link local addresses.
Unless you get a /(>64) from your ISP and
hand out a bunch of /64s to your subnets
internally in what you call your LAN for
simplicity's sake.

Regards, Florian



Re: pf.conf: best practice for IP address lookup?

2017-04-16 Thread Florian Ermisch
Hi Harald,

just use `($IFACE)` to get interface's current
IP (with the rules being updated when the IP
changes).
In addition you can use the interface group
`egress` to address the interface which is
used for the default route.
Both options are used together in the
OpenBSD router tutorial on bsdnow.tv [0]
written by tj@.

Of course everything is documented but
the first one is a little hard to find: It's in
pf.conf(5)'s Packet Filtering section under
"from source port source os source to
$dest port dest" [1].
The later one is in ifconfig(8)[2].

And of course there's always The Book of
PF by Peter Hansteen [3].

Regards, Florian

[0]: http://www.bsdnow.tv/tutorials/openbsd-router
[1]: http://man.openbsd.org/pf.conf#from
[2]: http://man.openbsd.org/ifconfig.8#group
[3]: https://www.nostarch.com/pf3

Am 15. April 2017 16:10:46 MESZ schrieb Harald Dunkel :
>Hi folks,
>
>Since I don't get a static IPv6 prefix from Deutsche Telekom, but
>a different prefix on every new pppoe connection, I have to rely
>upon some lookup service for pf.conf.
>
>pf.conf(5) doesn't mention dynamic IP addresses at all (except
>for its own interfaces), so I wonder what is best practice here?
>DNS? A table for every internal host, updated by a watchdog?
>
>
>Every helpful comment is highly appreciated
>Harri



Blocking outgoing, non-privacy ext. IPv6 addresses' traffic?

2017-04-12 Thread Florian Ermisch
Hi everyone,

is there a way to identify and filter
automatically generated, MAC-based IPv6
addresses in pf?
I think there was some bit set or flipped in
the MAC-based or the RFC 4941 privacy
extensions based addresses. But I then
still had to match an address based on a
single bit (and the network's prefix, of
course).
Are bitwise matches even possible with
pf?

The usecase, of course, is to prevent
devices too stupid or too poorly configured
to use the privacy extensions to access
anything outside the LAN via IPv6.

Kind regards, Florian



Re: ipv6 router ping6 = good, web = bad

2017-04-09 Thread Florian Ermisch
Hi Edgar,

check the MTU on your tunnel device.
It has to be lower than the one on your NIC.
As DNS and ICMP packets are tiny they
will pass through anyway but the browser's
TCP connections' packets will max out
the configured MTU and get dropped.
You can give it a try with
  doas ifconfig gif0 mtu 1400

HTH, Florian

Am 9. April 2017 11:18:49 MESZ schrieb Edgar Pettijohn
:
>I recently decided to join the ipv6 world.  I set up a tunnel since my
>isp doesn't provide ipv6 yet. I'm almost there. I can ping6 and host -6
>
>from my laptop, but I can't browse the ipv6 web. I apologize in
>advance
>if thunderbird screws this up.
>
>[Sun Apr 09 03:57:59 edgar@thinkpad:~ ] $ ping6 google.com
>PING google.com (2607:f8b0:4000:80a::200e): 56 data bytes
>64 bytes from 2607:f8b0:4000:80a::200e: icmp_seq=0 hlim=57 time=65.239
>ms
>64 bytes from 2607:f8b0:4000:80a::200e: icmp_seq=1 hlim=57 time=82.029
>ms
>64 bytes from 2607:f8b0:4000:80a::200e: icmp_seq=2 hlim=57 time=77.891
>ms
>64 bytes from 2607:f8b0:4000:80a::200e: icmp_seq=3 hlim=57 time=77.393
>ms
>^C
>--- google.com ping statistics ---
>4 packets transmitted, 4 packets received, 0.0% packet loss
>round-trip min/avg/max/std-dev = 65.239/75.638/82.029/6.268 ms
>
>[Sun Apr 09 04:07:14 edgar@thinkpad:~ ] $ host -6 google.com
>2001:470:be02:e2::3
>Using domain server:
>Name: 2001:470:be02:e2::3
>Address: 2001:470:be02:e2::3#53
>Aliases:
>
>google.com has address 216.58.194.142
>google.com has IPv6 address 2607:f8b0:4000:80d::200e
>google.com mail is handled by 20 alt1.aspmx.l.google.com.
>google.com mail is handled by 30 alt2.aspmx.l.google.com.
>google.com mail is handled by 50 alt4.aspmx.l.google.com.
>google.com mail is handled by 10 aspmx.l.google.com.
>google.com mail is handled by 40 alt3.aspmx.l.google.com.
>
>[Sun Apr 09 03:58:30 edgar@thinkpad:~ ] $ route show -inet6
>Routing tables
>
>Internet6:
>DestinationGatewayFlags   Refs  Use   Mtu Prio
>Iface
>defaultfe80::21d:6aff:fe6 UG 0  227 -56
>iwn0
>::/96  localhost  UGRS   00 32768 8
>lo0
>::/104 localhost  UGRS   00 32768 8
>lo0
>localhost  localhost  UHhl  14   28 32768 1
>lo0
>::127.0.0.0/104localhost  UGRS   00 32768 8
>lo0
>::224.0.0.0/100localhost  UGRS   00 32768 8
>lo0
>::255.0.0.0/104localhost  UGRS   00 32768 8
>lo0
>:::0.0.0.0/96  localhost  UGRS   00 32768 8
>lo0
>2001:470:be02:a0:: 2001:470:be02:a0:2 UCn12 - 8
>iwn0
>2001:470:be02:a0:: 00:1d:6a:60:e1:a9  UHLc   0  186 - 7
>iwn0
>2001:470:be02:a0:2 24:77:03:5f:12:38  UHLl   0   31 - 1
>iwn0
>2001:470:be02:a0:7 24:77:03:5f:12:38  UHLl   0   34 - 1
>iwn0
>2002::/24  localhost  UGRS   00 32768 8
>lo0
>2002:7f00::/24 localhost  UGRS   00 32768 8
>lo0
>2002:e000::/20 localhost  UGRS   00 32768 8
>lo0
>2002:ff00::/24 localhost  UGRS   00 32768 8
>lo0
>fe80::/10  localhost  UGRS   01 32768 8
>lo0
>fec0::/10  localhost  UGRS   00 32768 8
>lo0
>fe80::%iwn0/64 fe80::2677:3ff:fe5 UCn11 - 8
>iwn0
>fe80::21d:6aff:fe6 00:1d:6a:60:e1:a9  UHLch  1  368 - 7
>iwn0
>fe80::2677:3ff:fe5 24:77:03:5f:12:38  UHLl   0   75 - 1
>iwn0
>fe80::1%lo0fe80::1%lo0UHl00 32768 1
>lo0
>ff01::/16  localhost  UGRS   01 32768 8
>lo0
>ff01::%iwn0/32 fe80::2677:3ff:fe5 Um 02 - 4
>iwn0
>ff01::%lo0/32  localhost  Um 01 32768 4
>lo0
>ff02::/16  localhost  UGRS   01 32768 8
>lo0
>ff02::%iwn0/32 fe80::2677:3ff:fe5 Um 02 - 4
>iwn0
>ff02::%lo0/32  localhost  Um 01 32768 4
>lo0
>
>[Sun Apr 09 03:59:12 edgar@thinkpad:~ ] $ ndp -na
>Neighbor Linklayer Address   Netif Expire
>
>S Flags
>2001:470:be02:a0::   00:1d:6a:60:e1:a9iwn0
>23h59m26s S R
>2001:470:be02:a0:2677:3ff:fe5f:1238  24:77:03:5f:12:38iwn0
>permanent R l
>2001:470:be02:a0:7843:3366:8838:f579 24:77:03:5f:12:38iwn0
>permanent R l
>fe80::21d:6aff:fe60:e1a9%iwn000:1d:6a:60:e1:a9iwn0
>23h59m56s S R
>fe80::2677:3ff:fe5f:1238%iwn024:77:03:5f:12:38iwn0
>permanent R l
>
><-on the
>router->
>
># route show -inet6
>Routing tables
>
>Internet6:
>DestinationGatewayFlags   Refs  Use   Mtu Prio
>Iface
>defaultepettijohn-1.tunne UGS0  612 - 8
>gif0
>::/96  localhost 

Re: Looking for replacement of thinkpad x201

2017-02-26 Thread Florian Ermisch
Hi Florian,

the maintainability of the x2?? Thinkpads
dropped from great to good(ish) starting
with the x230. With the recent ones you
have to remove the bottom half of the case
to access anything but the rear battery*,
see [0].
But at least the x250 and the x260 have
dedicated buttons for the trackpoint again.
With the x260 support for a 16gb RAM stick
(now DDR4) in the single slot is now official
but it's not clear if you can have both a 2.5"
(7mm thick) drive and a m.2/NVMe SSD.
The option of having an m.2/_SATA_ SSD sure
is gone from what I've found.

You may also want to look at the slightly
bigger t440 (14") which can have both a 2.5"
and a m.2 drive and also (officially) supports
32gb of RAM.

HTH, Florian

PS: Yes, I've been looking at the new
Thinkpads a lot lately, but I rarely carry
mine around so 14" isn't a problem - and
also want lots of RAM for ZFS & bhyve ;)

*) The optional integrated front battery still is a "Field Replaceable" Unit,
just not as easy to swap as the rear one ;)

[0] http://www.laptopmain.com/how-to-disassemble-lenovo-thinkpad-x260-to-upgrade-ssd-and-ram/

Am 26. Februar 2017 09:19:32 MEZ schrieb Florian Obser :
> I need some help since I'm terrible with hardware...
>
> So my x201 main hacking laptop is getting old and benno@ is always
> mocking me for the amount of gaffer and stickers that are holding it
> together.
>
> Long story short, I'm in the market for a new thinkpad.
> Yes it has to be a thinkpad. I require the pointing stick and 3
> physical mouse buttons.
>
> On the x201 I like the ease of changing the HDD and battery. I would
> prefer if that was the case with the new one.
>
> So what's the done thing here? I'm not a hardware hacker, so I want a
> kinda fully supported one. That means accelerated X and working wifi
> (this is probably not an issue with stsp@'s hard work). Also I'm happy
> with the size of the x201, I don't want to lug a brick around, so that
> means an x series laptop. As a first approximation assume that money
> is
> not an issue.
>
> Thanks,
> Florian



Re: pkg_add: ftp: connect: Invalid argument

2017-02-07 Thread Florian Ermisch
Am 5. Februar 2017 07:46:43 MEZ schrieb jungle boogie
:
> On 02/04/2017 07:17 PM, Philip Guenther wrote:
> >> Is this it?
> >>
> >> "Trying 129.128.5.191...
> > ...
> >> 80377 ftp  CALL  connect(3,0xaf766dd0bf0,16)
> >> 80377 ftp  STRU  struct sockaddr { AF_INET, 129.128.5.191:80 }
> >> 80377 ftp  RET   connect -1 errno 22 Invalid argument
> >
> > It dumped the sockaddr and didn't complain about it being invalid,
> > so it made it into soconnect().  That puts the problem somewhere in the
> > network stack or network config.  To quote connect(2):
> >
> >  [EINVAL]   A TCP connection with a local broadcast, the all-ones
> > or a multicast address as the peer was attempted.
> >
> > Double/triple check your network configuration, routing table, etc.
> > Good luck!
> >
>
> AH! I think it was a pf rule. I deleted some pf rules, rebooted and
> now
> it works!
> […]

I like adding a "log (to pflogX)" to my "block all"
rule for debugging. Running tcpdump on the
pflog device makes it easy to spot things you
don't want blocked.
At least when you somewhat know what you're
looking for. If not the tcpdump filter expression
can get rather big on a noisy network.

Regards, Florian



Re: IPSEC from behind NAT stage 2 failure

2016-12-06 Thread Florian Ermisch
Am 6. Dezember 2016 23:38:31 MEZ, schrieb Damian McGuckin :
> On Tue, 6 Dec 2016, Robert Szasz wrote:
> 
> > I'll try it, but that would be a problem if I have to add the local 
> > address for any machine that wants to connect. I assume there is a
> way 
> > to work through NAT because picked up nat-t and works for phase 1. I
> was 
> > hoping I had just missed a parameter in the ipsec.conf to get phase
> 2 
> > working.
> 
> the NPPPD/IPSec combination does not need to know about the IP. Not 
> knowing is the only way it can handle road-warrior types. The only
> issue 
> as the far-more-knowledgeable-than-I Stuart Henderson pointed out is
> that 
> you can have only one such Pre-Shared-Key for all these unknown
> peers.

Guess I didn't stress it's just the ID
the client is most probably using
he should try. He could just skip 
this part and go to figuring out how 
to set a proper ID on his windows client.

From `ipsec.conf(5)':

srcid string dstid string
[…] If srcid is omitted, the default is to use the IP address of the 
connecting machine.
dstid is similar to srcid, but instead specifies the ID to be used by the 
remote peer.

This section also shows how to handle
IDs like "b...@example.com".
> 
> Sorry, busy with other things yesterday. I will try and find the time
> to 
> go through your configurations later today.
> 
> Did you try to use 3des and modp1024 in your ipsec.conf because that
> is 
> the only config some Windows clients will handle? Did you read this?
> 
>   https://support.microsoft.com/en-us/kb/325158
> 
If the windows client couldn't handle 
the configured options the error message
would contain NO_PROPOSAL_CHOSEN.

Regards, Florian



Re: IPSEC from behind NAT stage 2 failure

2016-12-06 Thread Florian Ermisch
Am 6. Dezember 2016 10:04:34 MEZ, schrieb Florian Ermisch 
<florian.ermi...@alumni.tu-berlin.de>:
> Hi Robert,
> 
> Am 6. Dezember 2016 03:05:34 MEZ, schrieb Robert Szasz
> <rsz...@saxonco.com>:
> > I'm trying to set up an L2TP/IPSEC tunnel for roaming windows users
> to
> > 
> > tunnel in to our office network.
> > 
> > I'm testing with the following setup
> > 
> > Win10 ->obsd5.9(firewall doing nat)->{}->obsd5.9(IPSEC)
> > 
> > I'd like something reasonably robust, able to pass through most NAT
> a 
> > user might find themselves behind. Our current cisco vpn handles
> that 
> > part fairly well, but otherwise is unreliable and a pain to manage.
> > 
> >  The connection process fails at stage 2 with the error message
> below 
> > where X is the public IP of the box being connected to, and Y is the
> > ip 
> > of the firewall the win10 machine is behind 10...58 is the private
> ip
> > of 
> > the win10 machine.
> > 
> > Thanks,
> > 
> > Robert Szasz
> > 
> > 
> > 
> > error in the isakmpd log
> > 
> > ---
> > 
> > 010420.423317 Default responder_recv_HASH_SA_NONCE: peer proposed 
> > invalid phase 2 IDs: initiator id 10.1.1.58, responder id x.x.x.x
> > 010420.423325 Default dropped message from y.y.y.y port 58544 due to
> 
> > notification type INVALID_ID_INFORMATION
> 
> And I guess that's the problem: the client 
> goes "hi I'm 10.1.1.58 and I'd like to
> connect" and isakmpd doesn't know no
> 10.1.1.58. IKEv1 is very picky about those
> things: When it doesn't expect an ID no
> peer presenting one will be allowed to
> connect AFAIK.

Little correction: the client comes from
y.y.y.y but probably says it's 10.1.1.58 
thus presented ID doesn't match the
one taken from the src address as your
ipsec.conf doesn't specify one.

> 
> > 
> > ipsec.conf
> > 
> > ike passive esp transport \
> >   proto udp from x.x.x.x to any port 1701 \
> >   main auth hmac-sha1 enc "aes" group modp2048\
> >   quick auth hmac-sha1 enc "aes" group modp2048\
> >   psk ""
> 
> Maybe adding local/peer or srcid/dstid
> will help. You can try with using the 
> client's current local IP of 10.1.1.58
> as ID to expect.
> 
> Regards, Florian



Re: IPSEC from behind NAT stage 2 failure

2016-12-06 Thread Florian Ermisch
Hi Robert,

Am 6. Dezember 2016 03:05:34 MEZ, schrieb Robert Szasz :
> I'm trying to set up an L2TP/IPSEC tunnel for roaming windows users to
> 
> tunnel in to our office network.
> 
> I'm testing with the following setup
> 
> Win10 ->obsd5.9(firewall doing nat)->{}->obsd5.9(IPSEC)
> 
> I'd like something reasonably robust, able to pass through most NAT a 
> user might find themselves behind. Our current cisco vpn handles that 
> part fairly well, but otherwise is unreliable and a pain to manage.
> 
>  The connection process fails at stage 2 with the error message below 
> where X is the public IP of the box being connected to, and Y is the
> ip 
> of the firewall the win10 machine is behind 10...58 is the private ip
> of 
> the win10 machine.
> 
> Thanks,
> 
> Robert Szasz
> 
> 
> 
> error in the isakmpd log
> 
> ---
> 
> 010420.423317 Default responder_recv_HASH_SA_NONCE: peer proposed 
> invalid phase 2 IDs: initiator id 10.1.1.58, responder id x.x.x.x
> 010420.423325 Default dropped message from y.y.y.y port 58544 due to 
> notification type INVALID_ID_INFORMATION

And I guess that's the problem: the client 
goes "hi I'm 10.1.1.58 and I'd like to
connect" and isakmpd doesn't know no
10.1.1.58. IKEv1 is very picky about those
things: When it doesn't expect an ID no
peer presenting one will be allowed to
connect AFAIK.

> 
> ipsec.conf
> 
> ike passive esp transport \
>   proto udp from x.x.x.x to any port 1701 \
>   main auth hmac-sha1 enc "aes" group modp2048\
>   quick auth hmac-sha1 enc "aes" group modp2048\
>   psk ""

Maybe adding local/peer or srcid/dstid
will help. You can try with using the 
client's current local IP of 10.1.1.58
as ID to expect.

Regards, Florian
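Added example, not from this thread: a checker for isakmpd log lines of the kind quoted above that encodes the diagnosis given in the thread (INVALID_ID_INFORMATION after a private initiator ID from a public source means the NATed client presented its private address as its ID, so srcid/dstid are what to look at; NO_PROPOSAL_CHOSEN would point at the algorithm set instead). The sample lines are constructed with documentation addresses in place of x.x.x.x and y.y.y.y.

```python
import ipaddress
import re
from typing import Dict, Optional

# Constructed lines in the shape of the isakmpd log quoted in the thread.
SAMPLE_LOG = """\
010420.423317 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.1.1.58, responder id 192.0.2.10
010420.423325 Default dropped message from 198.51.100.7 port 58544 due to notification type INVALID_ID_INFORMATION
"""

PROPOSED_RE = re.compile(r"initiator id (?P<initiator>[^,]+), responder id (?P<responder>\S+)")
DROPPED_RE = re.compile(r"dropped message from (?P<src>\S+) port \d+ due to notification type (?P<notify>\S+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(text: str) -> bool:
    """True for an IPv4 address inside one of the RFC 1918 ranges."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:                      # an FQDN or user ID, not an address
        return False
    return any(addr in net for net in RFC1918)


def diagnose(log_text: str) -> Optional[Dict[str, str]]:
    """Pair the 'peer proposed ... IDs' line with the drop that follows it and
    return what the thread says each notification type means."""
    proposed: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = PROPOSED_RE.search(line)
        if m:
            proposed = m.groupdict()        # remember until the drop shows up
            continue
        m = DROPPED_RE.search(line)
        if not m:
            continue
        src, notify = m["src"], m["notify"]
        if notify == "NO_PROPOSAL_CHOSEN":
            return {"cause": "proposal", "peer": src,
                    "detail": "no common main/quick algorithms; revisit enc/auth/group"}
        if notify == "INVALID_ID_INFORMATION":
            presented = proposed.get("initiator", "?")
            # Without srcid/dstid isakmpd expects the ID to equal the source
            # address; a private ID arriving from a public address is a NATed
            # client announcing its internal address.
            behind_nat = is_rfc1918(presented) and not is_rfc1918(src)
            return {"cause": "id-mismatch", "peer": src,
                    "presented_id": presented, "expected_id": src,
                    "detail": ("peer behind NAT presents its private address as ID; "
                               "expect that ID via dstid or give the client a proper one"
                               if behind_nat else
                               "presented ID differs from the expected one")}
        return {"cause": notify, "peer": src, "detail": "unhandled notification"}
    return None


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```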



Re: Get active IP from an dhcp enabled interface

2016-10-27 Thread Florian Ermisch
Am 27. Oktober 2016 17:10:16 MESZ, schrieb "Sjöholm Per-Olov" :
> Hi
> 
> If you use a dhclient on the Internet interface, what is the best
> method to
> get the currently used IP address? A regexp to get the IP from
> "ifconfig 
> inet”  output or check the dhclient lease file? […]

A regex like this?
ifconfig egress | sed -ne 's/^[[:space:]]inet \([0-9\.]*\) .*/\1/p'

> Thanks
> Peo

Regards, Florian



Re: Would you use OpenBSD on Power8, and if so what applications? (IBM asks! They're thinking about donating hw.)

2016-10-20 Thread Florian Ermisch
Am 19. Oktober 2016 19:48:49 MESZ, schrieb Mikael :
> 2016-10-20 1:15 GMT+08:00 Ralph Siegler :
> ..
> 
> > Their ecosystem?
> >
> > closed source softwares including for x86-64 like Websphere, DB2, MQ,
> >
> ..
> 
> > Hardware platforms limited to Power ($11,000 and up), Z series ($60,000
> >
> 
> A silly example of interest in the Power architecture that's certainly
> not
> typical IBM enterprise apps and chassis:
> http://www.theregister.co.uk/2016/04/07/open_power_summit_power9/

Nice article, thanks for sharing!

One argument for OpenBSD on POWER
would be the early implementation of
security features like ASLR and W^X.
Want to make sure your open source
efforts are well prepared for such things
hitting your customers' RedHat or SLES in 
5 years? Make them run on OpenBSD
early. 
And then you can't be lured into relying
on too many linuxisms either which keeps
your software a little more portable.

Regards, Florian



Re: 4th nic for pcengines apu2

2016-10-19 Thread Florian Ermisch
Am 19. Oktober 2016 15:50:10 MESZ, schrieb sven falempin 
:
> On Wed, Oct 19, 2016 at 9:20 AM, Mihai Popescu 
> wrote:
> 
> > > e.g. from Lanner.
> >
> > Can you compensate for the price difference? […]
> […]
> Also you may use a usb to ethernet , or serial to ethernet and connect
> the
> two board.
> 
> And keep the
> apu you know.

Why not use a NIC which fits in one
of its two miniPCIe slots?
http://lmgtfy.com/?q=Gigabit+minipcie

There's even a dual port one with
Intel chips, the MPX-574D2.
Someone on the pcengines forum said
/he was told/ it would work with an 
APU2C4 but didn't post a confirmation:
http://www.pcengines.info/forums/?page=post=BA59278A-23D5-4FD3-87F5-CC6F146B96A5

Regards, Florian



Re: Multiple web servers behind NAT

2016-10-11 Thread Florian Ermisch
Am 10. Oktober 2016 14:35:00 MESZ, schrieb Markus Hennecke 
:
> Am 10.10.2016 um 12:01 schrieb Radek:
> 
> > The second thing to do is enabling
> > websites' SSL/TLS certs.
> > Each website has its own certificate
> > on its server. […]
> >
> You can't do that. TLS exchange is done
> before the host name is sent in the
> request.
> The only thing you can do is to use one
> certificate for all hosts and terminate
> the TLS connection in relayd.
> 
So relayd doesn't support SNI yet?
Not that SNI and having a cert for each 
site on the relay covers the usecase but
httpd does support SNI, right?

Regards, Florian



Re: Route via gre0 works different than route via gre{1,2}?

2016-07-16 Thread Florian Ermisch
Am 15. Juli 2016 22:22:32 MESZ, schrieb Florian Ermisch 
<florian.ermi...@alumni.tu-berlin.de>:
> Hi,
> 
> while debugging a problem with routing via GRE I figured 
> out I have to use `route add $LAN_A $GRE_REMOTE_A`
> for the route going via gre0 but `route add -iface $LAN_B
> $GRE_LOCAL_B` for a route via gre1. When I used `route
> $LAN_B $GRE_REMOTE_B` packets for $LAN_B were 
> sent via gre0 (and probably ended up at LAN_A's endpoint
> which I don't have access to).
> While `route get $LAN_B` stated the gateway was 
> $GRE_REMOTE_B, the local interface address was 
> $GRE_LOCAL_B and the remote address was 
> $GRE_REMOTE_B the route's interface was gre0.
> 
> The mentioned `route add -iface …` fixed this and also
> works for a route to $LAN_C via gre2. But configuring the 
> route to $LAN_A with the same command seems to break
> forwarding to this network, the packets don't enter the GRE
> tunnel anymore.
> 
> Is this how it's supposed to work?
> 
> Regards, Florian

Sorry, forgot to mention: The host is
running 5.9 (amd64 on ESXi).

Regards, Florian



Route via gre0 works different than route via gre{1,2}?

2016-07-15 Thread Florian Ermisch
Hi,

while debugging a problem with routing via GRE I figured 
out I have to use `route add $LAN_A $GRE_REMOTE_A`
for the route going via gre0 but `route add -iface $LAN_B
$GRE_LOCAL_B` for a route via gre1. When I used `route
$LAN_B $GRE_REMOTE_B` packets for $LAN_B were 
sent via gre0 (and probably ended up at LAN_A's endpoint
which I don't have access to).
While `route get $LAN_B` stated the gateway was 
$GRE_REMOTE_B, the local interface address was 
$GRE_LOCAL_B and the remote address was 
$GRE_REMOTE_B the route's interface was gre0.

The mentioned `route add -iface …` fixed this and also
works for a route to $LAN_C via gre2. But configuring the 
route to $LAN_A with the same command seems to break
forwarding to this network, the packets don't enter the GRE
tunnel anymore.

Is this how it's supposed to work?

Regards, Florian