Re: Bug in dhclient, isc_named or misconfiguration ?
Hi Zbyszek,

are you required to run a DHCP client? I guess you get the same IP every time anyway (it's a VPS, right?) so why not configure it statically?

Regards, Florian

On 7 September 2017 15:24:21 CEST, "Zbyszek Żółkiewski" wrote:
>Hi group,
>
>Recently I came up with this problem: running isc_named + dhclient causes isc_named to periodically lose its binding to the TCP port:
>
>Sep 7 13:45:02 ns dhclient[12533]: DHCPREQUEST on vio0 to 169.254.169.254
>Sep 7 13:45:02 ns dhclient[12533]: DHCPACK from 169.254.169.254 (fe:00:00:88:fe:63)
>Sep 7 13:45:02 ns named[76593]: no longer listening on XXX.XXX.XXX.XXX#53
>Sep 7 13:45:02 ns named[76593]: listening on IPv4 interface vio0, XXX.XXX.XXX.XXX#53
>Sep 7 13:45:02 ns named[76593]: binding TCP socket: address in use
>Sep 7 13:45:02 ns dhclient[12533]: bound to XXX.XXX.XXX.XXX -- renewal in 40027 seconds.
>
>XXX is the redacted public IP.
>
>This is OpenBSD 6.1.
>In bind I have already configured interface-interval 0; but this does not fix the problem, any idea? This problem looks isolated to OpenBSD.
>
>Thanks,
>
>_
>Zbyszek Żółkiewski
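As an added example (not part of the thread above), here is a small log correlation that makes the pattern in Zbyszek's excerpt checkable on a longer /var/log/messages: every named "binding TCP socket: address in use" that lands within a second of a dhclient DHCPACK is attributed to the lease renewal, anything else is reported separately, and the announced renewal interval tells you how often to expect the flap. The sample log is constructed from the posted lines (IP kept redacted) plus one unrelated later event; the one-second window and the year 2017 are assumptions.

```python
"""Correlate dhclient lease renewals with named losing its TCP listener.

Added example for this thread, not code from the original post. The log
lines are constructed to mirror Zbyszek's syslog excerpt (public IP kept
redacted as XXX.XXX.XXX.XXX); the one-second correlation window and the
syslog year are assumptions.
"""
import re
from datetime import datetime

# Constructed sample log, modelled on the excerpt in the post, plus one
# unrelated named line later on so the correlation has something to reject.
SAMPLE_LOG = """\
Sep  7 13:45:02 ns dhclient[12533]: DHCPREQUEST on vio0 to 169.254.169.254
Sep  7 13:45:02 ns dhclient[12533]: DHCPACK from 169.254.169.254 (fe:00:00:88:fe:63)
Sep  7 13:45:02 ns named[76593]: no longer listening on XXX.XXX.XXX.XXX#53
Sep  7 13:45:02 ns named[76593]: listening on IPv4 interface vio0, XXX.XXX.XXX.XXX#53
Sep  7 13:45:02 ns named[76593]: binding TCP socket: address in use
Sep  7 13:45:02 ns dhclient[12533]: bound to XXX.XXX.XXX.XXX -- renewal in 40027 seconds.
Sep  7 16:02:11 ns named[76593]: binding TCP socket: address in use
"""

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def parse_syslog(text, year=2017):
    """Return [(timestamp, program, message)] for every classic-syslog line."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not in classic syslog format: ignore
        stamp = f"{year} {m['mon']} {int(m['day']):02d} {m['time']}"
        ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
        events.append((ts, m["prog"], m["msg"]))
    return events


def rebind_failures(events, window_s=1.0):
    """Split named 'address in use' events into those that follow a DHCPACK
    within window_s seconds (lease renewal flapped the listener) and the rest."""
    acks = [ts for ts, prog, msg in events
            if prog == "dhclient" and msg.startswith("DHCPACK")]
    renewal_related, unexplained = [], []
    for ts, prog, msg in events:
        if prog != "named" or "address in use" not in msg:
            continue
        if any(0 <= (ts - ack).total_seconds() <= window_s for ack in acks):
            renewal_related.append(ts)
        else:
            unexplained.append(ts)
    return renewal_related, unexplained


def renewal_interval(events):
    """Seconds until the next renewal as announced by dhclient, or None."""
    for _, prog, msg in events:
        m = re.search(r"renewal in (\d+) seconds", msg)
        if prog == "dhclient" and m:
            return int(m.group(1))
    return None


if __name__ == "__main__":
    ev = parse_syslog(SAMPLE_LOG)
    related, other = rebind_failures(ev)
    print(f"{len(related)} rebind failure(s) caused by lease renewal, "
          f"{len(other)} unexplained; next renewal in {renewal_interval(ev)} s")
```

Run it against the real log with `parse_syslog(open('/var/log/messages').read())`; if every failure is renewal-related and the interval matches the lease, the static configuration Florian suggests removes the trigger entirely.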
Re: Thinkpad R40 varia
On 2 September 2017 17:08:17 CEST, leo_...@volny.cz wrote:
>Just some notes on the damn thing:
>
>Swapping the general battery clears the 'CMOS' memory. I surmise that there is no separate CMOS battery: I consider this a design flaw.
>

Have you checked for a separate CMOS battery - which is probably long dead?

>As with lots of IBM PC stuff of the era (since the PS/2?), there's a 'system partition' (or whatever they called it that week) that is probably best preserved when swapping hdds […]

I would be surprised if there's more than some diagnostic software to ease the job of IBM's customer support. I installed OpenBSD on an ancient T20 (which has a serial port, that's why I kept it around) once and didn't look out for any "system partitions".

>[…]
>
>There's what appears to be an extra port above the PCMCIA one, with a female connector, but otherwise looking suspiciously similar, which I haven't seen described (separately) anywhere. […]

Probably a second PCMCIA/CardBus slot. Those were important back then.

Regards, Florian
Re: OpenBSD 6.1-stable lock up
On 1 September 2017 06:38:49 CEST, Philipp Buehler wrote:
>Hello,
>
>On 01.09.2017 00:33, Maxim Bourmistrov wrote:
>> 0/232/64 mbuf 2048 byte clusters in use (current/peak/max)
>> 423/2865/120 mbuf 2112 byte clusters in use (current/peak/max)
>> 0/160/64 mbuf 4096 byte clusters in use (current/peak/max)
>> 0/200/64 mbuf 8192 byte clusters in use (current/peak/max)
>
>I've seen this before - including a kind of "lock up".
>How does one reach a peak/current way over the maximum - and 2112 byte mcl?
>IIRC, there was activity in this area changing allocation and statistics.

Hm, could this be the same performance regression as VLANs saw?
http://www.grenadille.net/post/2017/02/13/What-happened-to-my-vlan

The post and the one on tech@ don't mention the version but as it was a discussion between OpenBSD devs I guess it was what became 6.1 a few months later.

I think I've heard or read something about improvements in this area (on BSDnow or undeadly) so maybe you could try a 6.2-BETA.

Regards, Florian
Re: ksh ^R vs EDITOR=vi
On 27 August 2017 23:43:38 CEST, Jeremie Courreges-Anglas <j...@wxcvbn.org> wrote:
>On Sun, Aug 27 2017, Florian Ermisch <florian.ermi...@mailbox.org> wrote:
>> Hi Jeremie,
>>
>> On 27 August 2017 17:57:57 CEST, Jeremie Courreges-Anglas <j...@wxcvbn.org> wrote:
>>>On Sun, Aug 27 2017, Jan Stary <h...@stare.cz> wrote:
>>>> This is current/amd64. I am using ksh(1) as a shell.
>>>> Using ^R opens a search in the command history.
>>>> However, with 'export EDITOR=vi', pressing ^R
>>>> just literally types '^R' and does not open
>>>> the history search. Is that expected?
>>>
>>>EDITOR=vi puts the shell cli editor in vi mode,
>>> see EDITOR and VISUAL in the manpage.
>>> "Traditional" but quite annoying behavior.
>>
>> Shouldn't setting VISUAL override this function of EDITOR? AFAIK most tools look at EDITOR when choosing which editor ("visual" or not) to spawn for things like commit messages and not VISUAL.
>
>I think most tools do use VISUAL, then EDITOR if VISUAL isn't set, then some kind of default. VISUAL being a fullscreen editor like vi(1), and EDITOR a line editor like ed(1).
>
>> I'd think setting EDITOR to vi (or vim) and VISUAL to emacs should give you the behavior you want.
>
>If the intent is to use vi, this doesn't work with programs that first check VISUAL (eg crontab -e).
>
>Rather:
>VISUAL=vi
>maybe EDITOR=vi if some of your tools don't look at VISUAL.
>set -o emacs

You're right, it's a custom one ({SUDO,HG,GIT…}_EDITOR), then VISUAL, then EDITOR. ksh's manpage got me confused where it's "EDITOR unless VISUAL is set" and not "first VISUAL then EDITOR". Shouldn't make those claims without testing this late at night.

Of course `set -o emacs` if you want to have EDITOR=vi _and_ ^R.

Regards, Florian
Re: ksh ^R vs EDITOR=vi
Hi Jeremie,

On 27 August 2017 17:57:57 CEST, Jeremie Courreges-Anglas wrote:
>On Sun, Aug 27 2017, Jan Stary wrote:
>> This is current/amd64. I am using ksh(1) as a shell.
>> Using ^R opens a search in the command history.
>> However, with 'export EDITOR=vi', pressing ^R
>> just literally types '^R' and does not open
>> the history search. Is that expected?
>
>EDITOR=vi puts the shell cli editor in vi mode,
> see EDITOR and VISUAL in the manpage.
> "Traditional" but quite annoying behavior.

Shouldn't setting VISUAL override this function of EDITOR? AFAIK most tools look at EDITOR when choosing which editor ("visual" or not) to spawn for things like commit messages and not VISUAL.

I'd think setting EDITOR to vi (or vim) and VISUAL to emacs should give you the behavior you want.

Regards, Florian

PS: I actually use ZSH (and years ago ksh93 on OpenSolaris) with VISUAL=vi…
Re: mount_nfs(8) -b option
Hi Alessandro,

On 15 August 2017 15:57:01 CEST, Alessandro DE LAURENZIS wrote:
>Dear misc@ readers,
>
>From mount_nfs(8):
>
>     -b      If an initial attempt to contact the server fails, fork off a
>             child to keep trying the mount in the background.  Useful for
>             fstab(5), where the file system mount is not critical to
>             multiuser operation.
>
>My understanding is that, in case the server is not reachable when the command is run (specifically, at boot, if there is a proper entry in fstab(5)), it will be forked and keep trying the mount operation, till when the server is back.
>
>I had a look at the code and, if I am not mistaken, the process sleeps for 60s, then retries and so on.
>
>Now: this is my fstab:
>
># Blk dev             Mount point               FS type  Mnt opts      Dump freq  Pass no.
>[…]
># Network file sharing
>egeo:/vol/datavol01   /nfs/egeo/vol/datavol01   nfs      net,rw,-i,-b  0          0
>[…]
>
>I observe two unexpected behaviors:
>
>1) when I switch on the machine in an environment without any network available, I see the messages "Cannot resolve egeo..." and the boot process goes on; but when the server comes back (I simply make a wifi network available and run "doas sh /etc/netstart" on the client), nothing happens (I was instead expecting that the shares were mounted after a minute or so);
>
>2) when I boot without any network available and removing the "-b" option from the client's fstab, again I see the messages "Cannot resolve egeo...", and again the process continues without lagging...
>[…]

In case nobody pointed this out off-list: You should add your fileserver's IP to your /etc/hosts so its name can be resolved during boot when there's no DNS available (or you're outside your LAN).

Regards, Florian
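As an added example (not part of the thread above), here is the check Florian's advice implies, turned into a script you can run before a reboot: it walks the nfs entries in fstab(5) and flags every server name that is neither an address literal nor present in /etc/hosts, i.e. every mount that will print "Cannot resolve ..." when DNS is unreachable at boot, as Alessandro observed. The fstab and hosts contents are constructed (his `egeo` line plus an invented `nas02` and an address-literal mount); the address 192.0.2.10 for egeo is an assumption.

```python
"""Check that every NFS server in fstab(5) resolves without DNS.

Added example for this thread, not code from the original post. The fstab
and /etc/hosts contents are constructed (Alessandro's 'egeo' entry plus an
invented 'nas02' one); the address 192.0.2.10 for egeo is an assumption.
"""
import ipaddress

FSTAB = """\
# Blk dev             Mount point               FS type  Mnt opts      Dump freq  Pass no.
/dev/sd0a             /                         ffs      rw            1          1
# Network file sharing
egeo:/vol/datavol01   /nfs/egeo/vol/datavol01   nfs      net,rw,-i,-b  0          0
nas02:/export/home    /home                     nfs      rw,-b         0          0
192.0.2.20:/scratch   /scratch                  nfs      rw,noauto     0          0
"""

HOSTS = """\
127.0.0.1    localhost
::1          localhost
192.0.2.10   egeo egeo.example.net   # constructed address
"""


def nfs_entries(fstab_text):
    """Yield (server, export, mountpoint, options) for each nfs line in fstab."""
    for line in fstab_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4 or fields[2] != "nfs":
            continue
        server, sep, export = fields[0].partition(":")
        if not sep:
            continue  # not a server:path spec
        yield server, export, fields[1], fields[3].split(",")


def hosts_names(hosts_text):
    """Map every name in /etc/hosts (lower-cased) to its address."""
    names = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            names.setdefault(name.lower(), fields[0])
    return names


def is_literal_address(server):
    """True for IPv4/IPv6 literals, which need no lookup at all."""
    try:
        ipaddress.ip_address(server.strip("[]"))
        return True
    except ValueError:
        return False


def unresolvable_nfs_servers(fstab_text, hosts_text):
    """Return [(server, mountpoint, options)] for nfs mounts whose server is
    neither an address literal nor listed in /etc/hosts; with no DNS at boot
    these are the mounts that fail with "Cannot resolve ..."."""
    known = hosts_names(hosts_text)
    return [(server, mnt, opts)
            for server, _export, mnt, opts in nfs_entries(fstab_text)
            if not is_literal_address(server) and server.lower() not in known]


if __name__ == "__main__":
    for server, mnt, opts in unresolvable_nfs_servers(FSTAB, HOSTS):
        print(f"{mnt}: server {server!r} not in /etc/hosts (options {','.join(opts)})")
```

On a real box call it with `open('/etc/fstab').read()` and `open('/etc/hosts').read()`; an empty result means every NFS mount can at least be attempted before the network is up.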
Re: octeon port, ubiquity edgerouter
Hi,

if no one chimes in then maybe you can get a dmesg or lshw output from the Linux-based EdgeOS to get some more details on the hardware. I would guess it's quite a bit beefier than the ERL3 and for embedded platforms this can mean more differences than just more cores and more RAM.

Regards, Florian

On 22 July 2017 11:46:02 CEST, "Peter J. Philipp" wrote:
>Hi,
>
>Someone has offered me a deal on a somewhat used Ubiquiti Edgerouter, https://www.ubnt.com/edgemax/edgerouter/ <-- this one.
>
>Is it supported by OpenBSD/octeon and if not what needs to be done to make it work? Has anyone experience with this hardware?
>
>Regards,
>-peter
Re: Get a MAC address of a LAN PC - OpenBSD
Some systems list their onboard NIC's MAC in the BIOS. A few ones may even have it printed on the board or a sticker with the MAC somewhere close to the NIC's port.

Or get a permit to unplug its disk(s) before booting an OpenBSD CD, then drop to a shell and run ifconfig.

If the MAC was spoofed but the system was connected to a managed switch the switch may still have the MAC from when it powered on cached.

If you're worried about spoofed MACs you may also want to look into the feature called port security (at least on Juniper and Cisco devices) on your access switches. Which causes interesting problems with VMs bridged to the host's NIC, btw ; )

Regards, Florian

On 23 June 2017 07:40:42 CEST, Indunil Jayasooriya wrote:
>>
>> > no idea what to do?
>>
>> Plug it back in. Power it up.
>> Make sure it has a reachable IP.
>> Ping it.
>>
>
>Very sorry. It is prohibited to plug it back in and power it up.
>
>To do it, we might need a special request.
>
>Theo, anyway, thanks for your support.
Re: isakmpd dies quietly with over 100 tunnels
Hi all,

I've got to admit I've seen isakmpd dying on 5.9* (amd64 on VMware). But after having to deal with half a dozen peers all over Europe using different proprietary solutions a cronjob like "rcctl ls faulty | grep isakmpd && rcctl restart…" worked well enough for me.

I won't be able to test with the setup at work but I've got a little VPS running 6.1 I could use (and update to -STABLE if necessary). We probably won't get to over 100 tunnels but I've seen the problem with ~8 tunnels. The question would be if this problem would even show up in a homogeneous OpenBSD network…

Regards, Florian

*) the central hub isn't my problem anymore, and it will take some time to convince my replacement there to update to 6.1…

On 29 May 2017 09:26:18 CEST, Alexis VACHETTE wrote:
>Hi Michał,
>
>I'm having the same issue without 100 ipsec tunnels and dedicated hardware.
>
>Unfortunately it's a production environment so I can't really troubleshoot this issue to track down the culprit.
>
>Anyway maybe it's not related to your issue.
>
>Regards,
>Alexis.
>On 28/05/2017 14:31, Michał Koc wrote:
>> Hi all,
>>
>> I'm running 6.0/amd64 inside KVM/QEMU with over 100 ipsec tunnels.
>>
>> Everything was running just fine when the number of tunnels was lower. But as we have been setting up more and more tunnels we suddenly ran into problems.
>> The isakmpd daemon keeps dying quietly. Probably I'm running out of something, but I need some help to find out what it is and how to monitor it and tweak.
>>
>> Thank you in advance.
>>
>> Best Regards
>> M.K.
>> >> root@vgate0:/root# netstat -m >> 215 mbufs in use: >> 163 mbufs allocated to data >> 46 mbufs allocated to packet headers >> 6 mbufs allocated to socket names and addresses >> 160/920/6144 mbuf 2048 byte clusters in use (current/peak/max) >> 0/8/6144 mbuf 4096 byte clusters in use (current/peak/max) >> 0/8/6144 mbuf 8192 byte clusters in use (current/peak/max) >> 0/14/6146 mbuf 9216 byte clusters in use (current/peak/max) >> 0/10/6150 mbuf 12288 byte clusters in use (current/peak/max) >> 0/8/6144 mbuf 16384 byte clusters in use (current/peak/max) >> 0/8/6144 mbuf 65536 byte clusters in use (current/peak/max) >> 2760 Kbytes allocated to network (13% in use) >> 0 requests for memory denied >> 0 requests for memory delayed >> 0 calls to protocol drain routines >> >> Sample tail of the log: >> When I run "isakmpd -K -d -DA=10": >> 142043.246192 Sdep 10 pf_key_v2_set_spi: satype 2 dst xxx.xxx.xxx.xxx > >> SPI 0x42f03e5d >> 142043.246209 Timr 10 timer_add_event: event >> sa_soft_expire(0x1fb9d0bdf400) added before >> sa_soft_expire(0x1fb9c8f05400), expiration in 25056s >> 142043.246223 Timr 10 timer_add_event: event >> sa_hard_expire(0x1fb9d0bdf400) added before >> sa_soft_expire(0x1fb9dd458200), expiration in 28800s >> 142043.246326 Sdep 10 pf_key_v2_set_spi: satype 2 dst xxx.xxx.xxx.xxx > >> SPI 0x3ffa5955 >> 142043.268229 Default responder_recv_HASH_SA_NONCE: KEY_EXCH payload >> without a group desc. 
attribute >> 142043.268250 Default dropped message from xxx.xxx.xxx.xxx port 500 >> due to notification type NO_PROPOSAL_CHOSEN >> 142043.268281 Timr 10 timer_add_event: event >> exchange_free_aux(0x1fb9a5336400) added before >> sa_soft_expire(0x1fba0d6a2a00), expiration in 120s >> 142043.268289 Exch 10 exchange_establish_p2: 0x1fb9a5336400 > >> policy initiator phase 2 doi 1 exchange 5 step 0 >> 142043.268295 Exch 10 exchange_establish_p2: icookie 8c58f4e7f8269ed3 > >> rcookie 0fe2d7657125a339 >> 142043.268301 Exch 10 exchange_establish_p2: msgid de2c5cc3 sa_list >> 142043.269079 Timr 10 timer_add_event: event >> message_send_expire(0x1fb994136900) added before >> connection_checker(0x1fb9b2646280), expiration in 7s >> 142043.269614 Exch 10 exchange_finalize: 0x1fb9a5336400 >> policy> policy initiator phase 2 doi 1 exchange 5 step 1 >> 142043.269630 Exch 10 exchange_finalize: icookie 8c58f4e7f8269ed3 >> rcookie 0fe2d7657125a339 >> 142043.269637 Exch 10 exchange_finalize: msgid de2c5cc3 sa_list >> 142043.269653 Timr 10 timer_remove_event: removing event >> exchange_free_aux(0x1fb9a5336400) >> 142043.289465 Timr 10 timer_remove_event: removing event >> message_send_expire(0x1fb994136900) >> 142043.289513 Exch 10 exchange_finalize: 0x1fb972b59400 >> from-xxx.xxx.xxx.xxx/24-to-xxx.xxx.xxx.xxx/24 policy >> responder phase 2 doi 1 exchange 32 step 2 >> 142043.289521 Exch 10 exchange_finalize: icookie 8c58f4e7f8269ed3 >> rcookie 0fe2d7657125a339 >> 142043.289528 Exch 10 exchange_finalize: msgid de079ef6 sa_list >> 0x1fb9dd458800 0x1fb985d09e00 >> 142043.289578 Sdep 10 pf_key_v2_set_spi: satype 2 dst xxx.xxx.xxx.xxx > >> SPI 0xe5d04953 >> 142043.289594 Timr 10 timer_add_event: event >> sa_soft_expire(0x1fb9dd458800) added before >> sa_soft_expire(0x1fba1d81de00), expiration in 3279s >> 142043.289608 Timr 10 timer_add_event: event >> sa_hard_expire(0x1fb9dd458800) added before >>
Re: bioctl crypto size limitation ?
Just make slice sd0a smaller than 100% of the RAID array.

Regards, Florian

On 25 May 2017 19:03:59 CEST, myml...@gmx.com wrote:
>I'm wondering if there is a limit to the size of a disk for full disk encryption.
>
>I'm trying to encrypt a 32TB raid 6 drive on a lsi 9265-8i with 8 x 6TB drives and it's failing with the error "unknown error". (very descriptive!)
>
>I was able to encrypt the 256GB system disk without error during installation.
>
>Without encrypting the 32TB drive, I had no problem creating the FS and mounting it.
>
>I know people will say this is a bad idea because of fsck (and maybe other reasons), but this drive will be mounted ro 99% of the time.
>
>Steps to recreate:
>
>dd if=/dev/random of=/dev/rsd0c bs=1m (took over a week)
>
>fdisk -iy -g sd0 (I left off the "-b 960" because this is not a bootable partition)
>
>disklabel -E sd0
>
>Label editor (enter '?' for help at any prompt)
> a a
>offset: [64]
>size: [70319603585]
>FS type: [4.2BSD] RAID
> w
> q
>
># bioctl -v -c C -l sd0a softraid0
>New passphrase:
>Re-type passphrase:
>Deriving key using bcrypt PBKDF with 16 rounds...
>bioctl: unknown error
>
>
>dmesg:
>
>OpenBSD 6.1-current (GENERIC.MP) #54: Thu May 11 19:20:09 MDT 2017
>    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>real mem = 34333851648 (32743MB)
>avail mem = 33287512064 (31745MB)
>mpath0 at root
>scsibus0 at mpath0: 256 targets
>mainbus0 at root
>bios0 at mainbus0: SMBIOS rev. 2.6 @ 0x9d000 (51 entries)
>bios0: vendor American Megatrends Inc. version "2.1" date 03/17/2012
>bios0: Supermicro X8DT3
>acpi0 at bios0: rev 2
>acpi0: sleep states S0 S1 S4 S5
>acpi0: tables DSDT FACP APIC MCFG SLIT SLIC OEMB SRAT HPET SSDT
>acpi0: wakeup devices NPE1(S4) NPE2(S4) NPE3(S4) NPE4(S4) NPE5(S4) NPE6(S4) NPE7(S4) NPE8(S4) NPE9(S4) NPEA(S4) P0P1(S4) PS2K(S4) USB0(S4) USB1(S4) USB2(S4) USB5(S4) [...]
>acpitimer0 at acpi0: 3579545 Hz, 24 bits >acpimadt0 at acpi0 addr 0xfee0: PC-AT compat >cpu0 at mainbus0: apid 0 (boot processor) >cpu0: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.32 MHz >cpu0: >FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,POPCNT,NXE,PAGE1GB,RDTSCP,LONG,LAHF,PERF,ITSC,SENSOR,ARAT >cpu0: 256KB 64b/line 8-way L2 cache >cpu0: TSC frequency 2400324600 Hz >cpu0: smt 0, core 0, package 0 >mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges >cpu0: apic clock running at 133MHz >cpu0: mwait min=64, max=64, C-substates=0.2.1.1, IBE >cpu1 at mainbus0: apid 2 (application processor) >cpu1: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.00 MHz >cpu1: >FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,POPCNT,NXE,PAGE1GB,RDTSCP,LONG,LAHF,PERF,ITSC,SENSOR,ARAT >cpu1: 256KB 64b/line 8-way L2 cache >cpu1: smt 0, core 1, package 0 >cpu2 at mainbus0: apid 18 (application processor) >cpu2: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.01 MHz >cpu2: >FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,POPCNT,NXE,PAGE1GB,RDTSCP,LONG,LAHF,PERF,ITSC,SENSOR,ARAT >cpu2: 256KB 64b/line 8-way L2 cache >cpu2: smt 0, core 9, package 0 >cpu3 at mainbus0: apid 20 (application processor) >cpu3: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.00 MHz >cpu3: >FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,POPCNT,NXE,PAGE1GB,RDTSCP,LONG,LAHF,PERF,ITSC,SENSOR,ARAT >cpu3: 256KB 
64b/line 8-way L2 cache >cpu3: smt 0, core 10, package 0 >cpu4 at mainbus0: apid 32 (application processor) >cpu4: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.01 MHz >cpu4: >FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,POPCNT,NXE,PAGE1GB,RDTSCP,LONG,LAHF,PERF,ITSC,SENSOR,ARAT >cpu4: 256KB 64b/line 8-way L2 cache >cpu4: smt 0, core 0, package 1 >cpu5 at mainbus0: apid 48 (application processor) >cpu5: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.01 MHz >cpu5: >FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,POPCNT,NXE,PAGE1GB,RDTSCP,LONG,LAHF,PERF,ITSC,SENSOR,ARAT >cpu5: 256KB 64b/line 8-way L2 cache >cpu5: smt 0, core 8, package 1 >cpu6 at mainbus0: apid 50 (application processor) >cpu6: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.01 MHz >cpu6:
Re: cloud docs
If it's text as in plaintext with some light markup: net/syncthing works well enough for me. The version in ports is reasonably up to date¹ and you get clients for anything else, too. (Initial configuration of all the peers is a little fiddly though.)

And when you've accepted markdown's omnipresence you can combine syncthing with Writeily Pro on your android devices.

Or just use any VCS, a distributed one when you don't have a reliable central server.

Regards, Florian

¹) at 0.14.25 according to [0] with the android app being at 0.14.26
[0]: https://github.com/openbsd/ports/blob/master/net/syncthing/distinfo

On 24 May 2017 19:49:46 CEST, Scott Bonds wrote:
>unison?
>
>On 05/24, Asbel Kiprop wrote:
>>Yeah, I was using it for some time and I wonder if there is some more text document based solution.
>>
>>2017-05-24 20:33 GMT+03:00 Ulises M. Alvarez :
>>
>>> On 24/05/17 12:22, Asbel Kiprop wrote:
>>> Hello, friends. Is there some solution (in OpenBSD packages, like ownCloud, for example) to handle cloud documents? All I want is to edit some text files on 3-4 computers with synchronization (like ONLYOFFICE, I think, but not so complicated)
>>> Hi,
>>> Both ownCloud and NextCloud include an editor for text documents; i.e., *.txt
>>> --
>>> Ulises M. Alvarez
>>> http://sophie.unam.mx/
>>>
Re: Qubes-OS is "fake" security
Sorry, out of herrings. Have a listen to this instead:
"Risky Biz Soap Box: A microvirtualisation primer with Bromium co-founder Ian Pratt (a.k.a. how to run Java plugin on IE8 and not die!)"
https://risky.biz/soapbox3/

On 12 May 2017 03:41:05 CEST, Kim Blackwood wrote:
>Hi,
>
>I am at novice level of security, studying and trying to understand some of the different aspects of running an OS and applications as securely as possible.
>
>I have been running OpenBSD for years and understand a little of what's being done to make it more secure, albeit not the technical details of programming as much as I am not a C programmer.
>
>A friend of mine, who is a computer scientist with speciality in security, suggested Qubes-OS as a secure "solution" to security problems related to OS's and applications on a personal computer.
>
>I read up about the project and tested it out, but I am not convinced that it is a good solution at all.
>
>I am writing to this list because I know that a lot of people on this list are very security-minded.
>
>I found the reading "An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments" very insightful.
>
>http://taviso.decsystem.org/virtsec.pdf
>
>First, I cannot really see the difference between an OS and a hypervisor. Both run on the "bare metal" and both perform similar tasks. In the specific case with Qubes-OS, there isn't really a difference as it's "just" Fedora with Xen.
>
>Possibilities of exploiting the hypervisor aren't lower than possibilities of exploiting the OS. And specifically in the case of OpenBSD as the OS, that has been developed from the ground up with security in mind, the possibilities are much lower than a hypervisor that hasn't even been developed with security measures from the beginning.
>
>Second, the virtualization part as I see it just adds another level of tons of code.
>
>If I am running Firefox on OpenBSD and Firefox gets exploited, the cracker finds himself on a very secure OS that's really hard to compromise.
>
>If I am running Firefox in some virtualization container on Qubes-OS and Firefox gets exploited, then the cracker finds himself inside a container that could possibly contain lots of exploitable security holes that again runs on a hypervisor with possibly lots of security holes, stuff that hasn't been developed with security in mind and has perhaps never been audited.
>
>Qubes-OS seems to me a solution of "patching".
>
>OpenBSD on the other hand is a completely different story.
>
>Rather than running something like Qubes-OS, which IMHO provides a fake feeling of security with its different "qubes", I would think of another situation that's much better.
>
>I either set up 3 different computers, or one computer where I can physically change the hard drive and I then have 3 different hard drives.
>
>On one box I set up OpenBSD and the most secure-minded browser I can find (does such a thing even exist?). On this particular setup I *ONLY* do my home banking. Absolutely nothing else.
>
>On the second box I also set up OpenBSD and the most secure-minded email client I can find and I do all my email there. I possibly also set up an office application for writing letters, etc. I don't use a browser on this setup; if someone sends an email with a link, I write the link down for later usage.
>
>And on the third box I also set up OpenBSD with a browser and possibly other applications like a video player, and this box I use for all the other casual stuff, the links from emails, etc. I possibly even run this from a non-writeable CD or SD card.
>
>It will be an inconvenience to shift between the drives, but no more than using Qubes-OS.
>
>IMHO the setup with the different OpenBSD installations provides a much more secure alternative than running Qubes-OS.
>
>Am I completely off track here?
>
>Kind regards,
>
>Kim
Re: IPv6, sshd, and latest patches?
On 8 May 2017 04:18:30 CEST, Eric Johnson wrote:
>
>
>On Mon, 8 May 2017, Sterling Archer wrote:
>
>> On Mon, May 8, 2017 at 1:58 AM, Eric Johnson wrote:
>>
>>
>>     Has anyone else had problems with sshd and IPv6 after applying the latest patches? It seems to me that the patches disabled the use of IPv6 for ssh.
>>
>>     When I try to set the IPv6 address I want it to listen to in sshd_config, sshd fails with the following message:
>>
>>     bad addr or host: 2001:1890:1263:a14:: (no address associated with name)
>>
>>     Using the default sshd_config, ssh is only listening on IPv4 addresses.
>>
>>     Eric Johnson
>>
>>
>> It's working here, fully patched 6.1 system.
>> To make sure it's not because of the :: inet6 address, I tested this, where 2001:: is the /48 my ISP delegates to me:
>>
>> # doas ifconfig em1 inet6 2001::::
>> # doas rcctl restart sshd
>> sshd (ok)
>> sshd (ok)
>> # telnet 2001::::
>> Trying 2001::::...
>> Connected to 2001::::.
>> Escape character is '^]'.
>> SSH-2.0-OpenSSH_7.5
>
>After playing around with it some more, if I use "AddressFamily inet6" in sshd_config, then it will do IPv6 okay, but not IPv4. The problem occurs when I don't specify an address family (and so "AddressFamily any" is the default) or I use "AddressFamily any".
>
>Eric Johnson

Have you tried putting the IPv6 address in brackets, i.e. [2001::::]? Seems to me you managed to confuse the parser, maybe by trying to specify an IPv6 address with a port but omitting the then necessary brackets.

And when setting an explicit IPv6 address to listen on you have to have an IPv4 ListenAddress, too, if you want your "AddressFamily any" to matter.

HTH, Florian
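As an added example (not part of the thread above and not OpenSSH code), here is a parser for the three ListenAddress forms in sshd_config(5) plus the two checks Florian's reply boils down to: an IPv6 address carrying a port is only unambiguous inside brackets (a bare `2001:db8::1:2222` is itself a valid address, so the "port" silently becomes part of it), and once any ListenAddress is set, "AddressFamily any" only covers the families you actually listed. The sample configs are constructed with 2001:db8::/32 documentation addresses.

```python
"""Parse sshd_config ListenAddress values and check address-family coverage.

Added example for this thread, not code from OpenSSH. It follows the three
forms documented in sshd_config(5): "host|addr", "host|IPv4:port" and
"[host|IPv6]:port"; the sample configs are constructed with 2001:db8::/32
documentation addresses.
"""
import ipaddress
import re

BRACKET_RE = re.compile(r"^\[(?P<host>[^\]]+)\](?::(?P<port>\d+))?$")


def _family(host):
    try:
        return "inet" if ipaddress.ip_address(host).version == 4 else "inet6"
    except ValueError:
        return "host"  # a name: family only known after resolution


def _port(text):
    if text is None:
        return None
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"bad port {port}")
    return port


def parse_listen_address(value):
    """Return (family, host, port) for one ListenAddress value."""
    value = value.strip()
    m = BRACKET_RE.match(value)
    if m:                                 # [IPv6]:port or [host]:port
        host, port = m["host"], _port(m["port"])
    elif value.count(":") >= 2:           # bare IPv6 literal: no port possible
        host, port = value, None
    elif ":" in value:                    # host:port or IPv4:port
        host, text = value.rsplit(":", 1)
        port = _port(text)
    else:
        host, port = value, None
    fam = _family(host)
    if fam == "host" and not m and value.count(":") >= 2:
        raise ValueError(f"{value!r}: an IPv6 address with a port needs [brackets]")
    return fam, host, port


def check_listen_config(config_text):
    """Return (address_family, listened_families, warnings) for an sshd_config."""
    address_family, families, warnings = "any", set(), []
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key, val = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "addressfamily":
            address_family = val.strip().lower()
        elif key == "listenaddress":
            try:
                families.add(parse_listen_address(val)[0])
            except ValueError as e:
                warnings.append(f"bad-listenaddress: {e}")
    if not families:
        return address_family, families, warnings   # default: all addresses
    for fam, other in (("inet", "inet6"), ("inet6", "inet")):
        if address_family == fam and other in families:
            warnings.append(f"family-mismatch: AddressFamily {fam} with {other} ListenAddress")
        if address_family == "any" and fam not in families and "host" not in families:
            warnings.append(f"no-{fam}-listener")   # AddressFamily any no longer implies it
    return address_family, families, warnings


if __name__ == "__main__":
    sample = "AddressFamily any\nListenAddress [2001:db8::1]:22\n"   # constructed
    print(check_listen_config(sample))
```

Run it over your real file with `check_listen_config(open('/etc/ssh/sshd_config').read())`; the "no-inet-listener" warning is exactly Eric's symptom, and the fix is a second ListenAddress line for IPv4 rather than a different AddressFamily.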
Re: OpenBSD 6.1: relayd does not start more than 3 processes
On 5 May 2017 16:05:09 CEST, Maxim Bourmistrov wrote:
>
>> On 5 May 2017 at 15:55, Maxim Bourmistrov wrote:
>>
>>
>>> On 5 May 2017 at 14:41, Hiltjo Posthuma wrote:
>>>
>>> On Fri, May 05, 2017 at 12:30:56PM +0200, Maxim Bourmistrov wrote:
>>>> […] Changing 'prefork' from 15 to 3 makes it work. Is this a bug? Br
>>>
>>> Hey,
>>>
>>> This is a random guess since you haven't posted the whole config, but I think it has bitten me too sometime:
>>>
>>> Do you have the global options such as prefork defined before your relays and routes or not?
>>>
>>> The order of the global options matters. If the global options are set after the table they are not initialized on the tables and can actually crash relayd. This is because the health checking uses a different prefork value and checks the "wrong" amount.
>>>
>>> I'm not sure, but I think it is not a bug: it is documented in relayd.conf(5).
>>>
>>> Thinking about it: would it be acceptable if `relayd -n` shows a warning if global options are defined in the wrong order? I can write the patch for it if it makes sense.
>>>
>>> I hope this helps you in some way,
>>>
>>> --
>>> Kind regards,
>>> Hiltjo
>>
>> The whole config is like this:
>>
>> […]
>>
>> Note, config layout exactly the same which runs already on 6.0-stable.
>>
>> My original question is why I can't fork more than 3 procs any more and why relayd starts when prefork > 3 and does not do a health check.
>>
>> Br
>
>Hm, I tried this out - re-ordering the layout of the config.
>You are, indeed, correct here.
>
>Strange that this runs on 6.0.
>
>Case closed.
>Sorry for the noise.
>
>Br

I would still say it's worth the patch Hiltjo offered to write. Or at least have the warning printed when testing the config with `-v -n`.

Regards, Florian
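Until such a warning exists in relayd itself, the ordering rule is easy to lint externally. The following is an added example (not relayd code and not from the thread): it walks a relayd.conf, ignores comments, macros and anything nested inside `{ }`, and reports every global option that appears after the first table/redirect/relay/protocol/router section. The keyword lists are assumptions to be checked against relayd.conf(5) for the release in use, and both config fragments are constructed.

```python
"""Warn when relayd.conf global options come after tables/relays.

Added example for this thread, not relayd's own code. relayd.conf(5) puts
the global options before the other sections; the option and section keyword
sets below are assumptions to be checked against the manpage for the release
in use, and the config fragments are constructed.
"""

GLOBAL_OPTIONS = {"interval", "log", "prefork", "timeout", "socket"}
SECTION_KEYWORDS = {"table", "redirect", "relay", "protocol", "router"}

BAD_CONFIG = """\
# prefork before the table, interval and log after it
prefork 15
table <webhosts> { 10.0.0.1 10.0.0.2 }
interval 5
relay www {
    listen on 192.0.2.1 port 80
    forward to <webhosts> port 8080 check http "/" code 200
}
log updates
"""

GOOD_CONFIG = """\
prefork 15
interval 5
log updates
table <webhosts> { 10.0.0.1 10.0.0.2 }
relay www {
    listen on 192.0.2.1 port 80
    forward to <webhosts> port 8080 check http "/" code 200
}
"""


def statements(config_text):
    """Yield (line_no, keyword) for top-level statements, skipping comments,
    macro definitions and anything nested inside { } blocks.
    Comment stripping is naive: a '#' inside a quoted string also counts."""
    depth = 0
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        is_macro = "=" in words[0] or (len(words) > 1 and words[1] == "=")
        if depth == 0 and not is_macro:
            yield no, words[0].lower()
        depth += line.count("{") - line.count("}")


def misordered_globals(config_text):
    """Return [(option, line, section_keyword, section_line)] for every global
    option that appears after the first section statement."""
    first_section = None
    problems = []
    for no, word in statements(config_text):
        if first_section is None and word in SECTION_KEYWORDS:
            first_section = (word, no)
        elif first_section and word in GLOBAL_OPTIONS:
            problems.append((word, no, first_section[0], first_section[1]))
    return problems


if __name__ == "__main__":
    for opt, line, sect, sect_line in misordered_globals(BAD_CONFIG):
        print(f"line {line}: global option '{opt}' after '{sect}' on line {sect_line}")
```

Wire it in front of `relayd -n` (e.g. `python3 lint.py /etc/relayd.conf && relayd -n`) so a config like Maxim's is rejected before it reaches the daemon.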
Re: Pf with secondary DNS resolution
On 4 May 2017 08:39:51 CEST, Janne Johansson wrote:
>I would make those rules have a table, and a cronjob to feed the table with the current ips that these hostnames resolve to.

Same here.

>But of course, that implies you trust the replies you get all the time from that cronjob.
>

Is there no DNSsec enabled dynamic DNS service? ;)
When you can't trust your (upstream) DNS server a whole new world of ugly hacks will open up. How about sharing signed files via SyncThing? ^^

Regards, Florian

>
>2017-05-03 22:16 GMT+02:00 Luke Small :
>
>> Is it worthwhile to set up a hook for pf to load rules that have URLs after the network services that can resolve them come into effect?
>>
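As an added example (not part of the thread above), here is the cronjob half of Janne's approach written defensively: it resolves each hostname, feeds the result to `pfctl -t <table> -T replace`, and on a lookup failure keeps that name's previously known addresses instead of silently dropping them, so a transient resolver outage never empties the table. The resolver results and the table name `webhosts` are constructed; `system_resolve` is the one piece that talks to the real libc resolver, and the returned argv would be run with subprocess on the firewall.

```python
"""Refresh a pf table from hostnames, keeping stale entries on lookup failure.

Added example for this thread, not from the original post. The resolver
results are constructed (documentation addresses) and the table name
'webhosts' is an assumption; only the returned pfctl argv touches the real
system, and a caller would run it via subprocess on the OpenBSD box.
"""
import socket


def system_resolve(name):
    """Resolve with the libc resolver (A and AAAA); raises OSError on failure."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})


def refresh_table(table, hostnames, cache, resolve=system_resolve):
    """Resolve every hostname and return (pfctl_argv, addresses, failed).

    `cache` maps hostname -> last good address list and is updated in place.
    A name that fails to resolve keeps its cached addresses instead of being
    dropped.  If nothing at all resolved and nothing is cached, argv is None:
    better to leave the table untouched than to replace it with nothing.
    """
    failed = []
    for name in hostnames:
        try:
            cache[name] = list(resolve(name))
        except OSError:
            failed.append(name)
    addresses = sorted({a for name in hostnames for a in cache.get(name, [])})
    if not addresses:
        return None, addresses, failed
    argv = ["pfctl", "-t", table, "-T", "replace"] + addresses
    return argv, addresses, failed


# Constructed resolver standing in for DNS during the example run.
FAKE_DNS = {
    "mail.example.net": ["192.0.2.25", "2001:db8::25"],
    "proxy.example.net": ["192.0.2.80"],
}


def fake_resolve(name):
    if name not in FAKE_DNS:
        raise OSError(f"{name}: temporary failure in name resolution")
    return FAKE_DNS[name]


def example_run():
    """One cron tick: two names resolve, one fails and keeps its cached address."""
    cache = {"down.example.net": ["198.51.100.5"]}  # left over from a previous run
    names = ["mail.example.net", "proxy.example.net", "down.example.net"]
    return refresh_table("webhosts", names, cache, resolve=fake_resolve)


if __name__ == "__main__":
    argv, addresses, failed = example_run()
    print(" ".join(argv), "| failed:", failed)
```

The lookup is only as trustworthy as the resolver the job talks to, which is Janne's caveat; pointing it at a local unbound(8) doing DNSSEC validation is the least ugly of the hacks Florian alludes to.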
Re: pledge for sockets?
Hi Luke,

you can have rules to filter by user for both incoming and outgoing connections, see http://man.openbsd.org/OpenBSD-6.1/pf.conf.5#user

I don't think there's too much gain in adding support for this kinda thing in pledge but that's for the devs to decide.

Regards, Florian

On 26 April 2017 10:09:18 CEST, Luke Small wrote:
>Would it be a good idea to make a pledge-like call that limits a process from connecting to ports and/or hosts? Maybe it could be done in a way that the kernel is made aware of the limitations like in a pledge call and while the process is alive, the kernel spawns pf rules based upon the socket ports that are created to connect to remote host ports.
>
>You could conceivably do things like limiting ntpd to predetermined hosts and port 123 and 53 on the respective processes involved.
>
>It would make processes that need the inet pledge permission merely to use libhiredis to connect to a Redis database more safe.
Re: nvi(1)
On 23 April 2017 15:30:02 CEST, Unixway1 wrote:
>Dear,
>
>I started to use nvi(1), the OpenBSD base editor; the manpage isn't clear about:
>1- How to copy and paste between xterms?
>   Should I use Marks? Is it possible or not?

Use one terminal with tmux, split it into several panes, then use tmux's copy mode? You'll find a quick intro into copy & paste in tmux under [0].
That's how I work these days.

Regards, Florian

[0]: https://awhan.wordpress.com/2010/06/20/copy-paste-in-tmux/

> […]
Re: howto show IPv6 address lifetime?
Hi Harri,

until someone in the know replies you could take a look at the DHCPv6 traffic to see if a lifetime is included in the replies (and maybe keep them handy for a dev to look at). Maybe dhcpcd supports this feature but there's an uncommon combination of flags it doesn't know about yet.

Regards, Florian

On 20 April 2017 10:25:54 CEST, Harald Dunkel wrote:
>On 04/19/17 15:38, Dimitris Papastamos wrote:
>>
>> You don't seem to have any autoconfigured addresses.
>> Try ifconfig vether0 inet6 autoconf first.
>>
>
>Here is the output of ifconfig on my gateway:
>
># ifconfig re1
>re1: flags=8843 mtu 1500
>        lladdr 80:ee:73:95:c1:0d
>        index 3 priority 0 llprio 3
>        groups: intern
>        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
>        status: active
>        inet 10.42.0.2 netmask 0xff00 broadcast 10.42.100.255
>        inet6 fe80::82ee:73ff:fe95:c10d%re1 prefixlen 64 scopeid 0x3
>        inet6 2003:::e500::1 prefixlen 56
>        inet6 2003:::4200::1 prefixlen 56
>
>There is no "inet6 autoconf". Both IPv6 addresses have been assigned to re1 by dhcpcd during prefix delegation via pppoe0.
>
>Point is, the address with "e500" is not valid anymore, since Deutsche Telekom gave me the new prefix a few days ago. I had expected some kind of "expiration procedure" here.
>
>Is this a bug with my dhcpcd.conf or is this feature simply "not in"? Should I set re1 to "inet6 autoconf", even though it is not? (I will try, but let me send this EMail first.)
>
># cat /etc/dhcpcd.conf
>ipv6only
>persistent
>option rapid_commit
>require dhcp_server_identifier
>nohook lookup-hostname, resolv.conf
>allowinterfaces re1 pppoe0
>noipv6rs
>
>interface pppoe0
>ipv6rs
># static static domain_name_servers=
>iaid 0
>ia_pd 0 re1/0
>
>
>Every helpful hint is highly appreciated.
>Harri
Re: pf.conf: best practice for IP address lookup?
On 16 April 2017 14:22:42 CEST, Florian Ermisch <florian.ermi...@mailbox.org> wrote: >On 16 April 2017 10:54:51 CEST, Harald Dunkel ><ha...@afaics.de> wrote: >>Hash: SHA256 >> >>Hi Florian, >> >>sorry to say, but you missed the point. The IP address of >>*another* host inside my LAN changes, e.g. a mail server, >>a http proxy, etc. The interface identifier of each host is >>surely stable. The prefix is not. Using the old prefix in >>pf.conf these hosts are affected as soon as it expires. >> >> >>Regards >>Harri > >Aw, crap, right IPv6. >Then: Link local addresses. > And of course I have to correct myself: You want RFC4193's Unique Local IPv6 Unicast Addresses (ULA) [1]. I found them when stumbling across a thread about IPv6 troubles on this very list [2]. I was thinking about a workaround with some ifstated(8)-triggered script re-populating tables with only one member each (i.e. the mailserver's new address). But then I couldn't even say if an address change would trigger ifstated(8)… Regards, Florian [1]: https://tools.ietf.org/html/rfc4193 [2]: https://www.mail-archive.com/misc@openbsd.org/msg142557.html
Re: pf.conf: best practice for IP address lookup?
On 16 April 2017 10:54:51 CEST, Harald Dunkel wrote: >Hash: SHA256 > >Hi Florian, > >sorry to say, but you missed the point. The IP address of >*another* host inside my LAN changes, e.g. a mail server, >a http proxy, etc. The interface identifier of each host is >surely stable. The prefix is not. Using the old prefix in >pf.conf these hosts are affected as soon as it expires. > > >Regards >Harri Aw, crap, right IPv6. Then: Link local addresses. There may be a way for `($IFACE_ext:network) & $IP_mailserver:host` but until someone smarter and more attentive figures this out there are link local addresses. Unless you get a /(>64) from your ISP and hand out a bunch of /64s to your subnets internally in what you call your LAN for simplicity's sake. Regards, Florian
Re: pf.conf: best practice for IP address lookup?
Hi Harald, just use `($IFACE)` to get the interface's current IP (with the rules being updated when the IP changes). In addition you can use the interface group `egress` to address the interface which is used for the default route. Both options are used together in the OpenBSD router tutorial on bsdnow.tv [0] written by tj@. Of course everything is documented but the first one is a little hard to find: It's in pf.conf(5)'s Packet Filtering section under "from source port source os source to $dest port dest" [1]. The latter one is in ifconfig(8) [2]. And of course there's always The Book of PF by Peter Hansteen [3]. Regards, Florian [0]: http://www.bsdnow.tv/tutorials/openbsd-router [1]: http://man.openbsd.org/pf.conf#from [2]: http://man.openbsd.org/ifconfig.8#group [3]: https://www.nostarch.com/pf3 On 15 April 2017 16:10:46 CEST, Harald Dunkel wrote: >Hi folks, > >Since I don't get a static IPv6 prefix from Deutsche Telekom, but >a different prefix on every new pppoe connection, I have to rely >upon some lookup service for pf.conf. > >pf.conf(5) doesn't mention dynamic IP addresses at all (except >for its own interfaces), so I wonder what is best practice here? >DNS? A table for every internal host, updated by a watchdog? > > >Every helpful comment is highly appreciated >Harri
Blocking outgoing, non-privacy ext. IPv6 addresses' traffic?
Hi everyone, is there a way to identify and filter automatically generated, MAC-based IPv6 addresses in pf? I think there was some bit set or flipped in the MAC-based or the RFC 4941 privacy extensions based addresses. But I then still had to match an address based on a single bit (and the network's prefix, of course). Are bitwise matches even possible with pf? The use case, of course, is to prevent devices too stupid or too poorly configured to use the privacy extensions to access anything outside the LAN via IPv6. Kind regards, Florian
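The "bit set or flipped" in the question is the universal/local bit, 0x02 of the first byte of the interface identifier: a SLAAC address derived from a MAC (modified EUI-64) has it set and carries the ff:fe filler in the middle of the identifier, while an RFC 4941 temporary address clears that bit and has random bytes in its place. The following is an added example, not code from the thread, that expands an IPv6 address in plain sh and tests for that signature; it is the classification one would run on a host list before feeding addresses into a pf table with pfctl -t, and it is not a claim that pf itself can match on single bits. The two sample addresses are the ones from the ndp -na output quoted in the "ipv6 router ping6 = good, web = bad" thread on this page; the ULA is constructed.

```shell
#!/bin/sh
# Added example: classify IPv6 addresses by interface identifier (IID).
# A modified-EUI-64 IID (SLAAC from a MAC) has ff:fe in IID bytes 4-5 and
# the u/l bit (0x02 of IID byte 1) set; RFC 4941 temporary addresses clear
# that bit and have no ff:fe filler.

# Print an IPv6 address as eight zero-padded hex groups separated by spaces.
# A %scope suffix (fe80::1%em0) is dropped first.
ip6_expand() {
    addr=$(printf '%s' "$1" | cut -d% -f1)
    case $addr in
        *::*) head=${addr%%::*}; tail=${addr#*::} ;;
        *)    head=$addr;        tail= ;;
    esac
    set -- $(printf '%s' "$head" | tr ':' ' ')
    nhead=$#; hgroups=$*
    set -- $(printf '%s' "$tail" | tr ':' ' ')
    ntail=$#; tgroups=$*
    missing=$((8 - nhead - ntail))      # groups elided by "::"
    out=
    for g in $hgroups; do out="$out $(printf '%04x' "0x$g")"; done
    while [ "$missing" -gt 0 ]; do
        out="$out 0000"; missing=$((missing - 1))
    done
    for g in $tgroups; do out="$out $(printf '%04x' "0x$g")"; done
    printf '%s\n' "${out# }"
}

# Return 0 if the address has the modified-EUI-64 signature, 1 otherwise.
ip6_is_eui64() {
    set -- $(ip6_expand "$1")
    # IID bytes 4-5 are the ff:fe filler: group 6 ends in ff, group 7 starts with fe
    case $6 in *ff) ;; *) return 1 ;; esac
    case $7 in fe*) ;; *) return 1 ;; esac
    # u/l bit: 0x02 of the first IID byte, i.e. 0x0200 of group 5
    [ $(( 0x$5 & 0x0200 )) -ne 0 ]
}

# Print "eui64" or "other" for one address.
ip6_kind() {
    if ip6_is_eui64 "$1"; then echo eui64; else echo other; fi
}

# Demo over a constructed list: the two addresses from the quoted ndp -na
# output (same MAC, one SLAAC and one temporary address) and a ULA.
for a in 2001:470:be02:a0:2677:3ff:fe5f:1238 \
         2001:470:be02:a0:7843:3366:8838:f579 \
         fd00:db8::1; do
    printf '%-40s %s\n' "$a" "$(ip6_kind "$a")"
done
```

The check is a heuristic: a temporary address can in principle contain ff:fe by chance, so a strict policy would rather allow-list the known temporary addresses than block on this test alone. Addresses with an embedded IPv4 dotted quad (::ffff:a.b.c.d) are not handled.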
Re: ipv6 router ping6 = good, web = bad
Hi Edgar, check the MTU on your tunnel device. It has to be lower than the one on your NIC. As DNS and ICMP packets are tiny they will pass through anyway but the browser's TCP connections' packets will max out the configured MTU and get dropped. You can give it a try with doas ifconfig gif0 mtu 1400 HTH, Florian On 9 April 2017 11:18:49 CEST, Edgar Pettijohn wrote: >I recently decided to join the ipv6 world. I set up a tunnel since my >isp doesn't provide ipv6 yet. I'm almost there. I can ping6 and host -6 > >from my laptop, but I can't browse the ipv6 web. I apologize in >advance >if thunderbird screws this up. > >[Sun Apr 09 03:57:59 edgar@thinkpad:~ ] $ ping6 google.com >PING google.com (2607:f8b0:4000:80a::200e): 56 data bytes >64 bytes from 2607:f8b0:4000:80a::200e: icmp_seq=0 hlim=57 time=65.239 >ms >64 bytes from 2607:f8b0:4000:80a::200e: icmp_seq=1 hlim=57 time=82.029 >ms >64 bytes from 2607:f8b0:4000:80a::200e: icmp_seq=2 hlim=57 time=77.891 >ms >64 bytes from 2607:f8b0:4000:80a::200e: icmp_seq=3 hlim=57 time=77.393 >ms >^C >--- google.com ping statistics --- >4 packets transmitted, 4 packets received, 0.0% packet loss >round-trip min/avg/max/std-dev = 65.239/75.638/82.029/6.268 ms > >[Sun Apr 09 04:07:14 edgar@thinkpad:~ ] $ host -6 google.com >2001:470:be02:e2::3 >Using domain server: >Name: 2001:470:be02:e2::3 >Address: 2001:470:be02:e2::3#53 >Aliases: > >google.com has address 216.58.194.142 >google.com has IPv6 address 2607:f8b0:4000:80d::200e >google.com mail is handled by 20 alt1.aspmx.l.google.com. >google.com mail is handled by 30 alt2.aspmx.l.google.com. >google.com mail is handled by 50 alt4.aspmx.l.google.com. >google.com mail is handled by 10 aspmx.l.google.com. >google.com mail is handled by 40 alt3.aspmx.l.google.com. 
> >[Sun Apr 09 03:58:30 edgar@thinkpad:~ ] $ route show -inet6 >Routing tables > >Internet6: >DestinationGatewayFlags Refs Use Mtu Prio >Iface >defaultfe80::21d:6aff:fe6 UG 0 227 -56 >iwn0 >::/96 localhost UGRS 00 32768 8 >lo0 >::/104 localhost UGRS 00 32768 8 >lo0 >localhost localhost UHhl 14 28 32768 1 >lo0 >::127.0.0.0/104localhost UGRS 00 32768 8 >lo0 >::224.0.0.0/100localhost UGRS 00 32768 8 >lo0 >::255.0.0.0/104localhost UGRS 00 32768 8 >lo0 >:::0.0.0.0/96 localhost UGRS 00 32768 8 >lo0 >2001:470:be02:a0:: 2001:470:be02:a0:2 UCn12 - 8 >iwn0 >2001:470:be02:a0:: 00:1d:6a:60:e1:a9 UHLc 0 186 - 7 >iwn0 >2001:470:be02:a0:2 24:77:03:5f:12:38 UHLl 0 31 - 1 >iwn0 >2001:470:be02:a0:7 24:77:03:5f:12:38 UHLl 0 34 - 1 >iwn0 >2002::/24 localhost UGRS 00 32768 8 >lo0 >2002:7f00::/24 localhost UGRS 00 32768 8 >lo0 >2002:e000::/20 localhost UGRS 00 32768 8 >lo0 >2002:ff00::/24 localhost UGRS 00 32768 8 >lo0 >fe80::/10 localhost UGRS 01 32768 8 >lo0 >fec0::/10 localhost UGRS 00 32768 8 >lo0 >fe80::%iwn0/64 fe80::2677:3ff:fe5 UCn11 - 8 >iwn0 >fe80::21d:6aff:fe6 00:1d:6a:60:e1:a9 UHLch 1 368 - 7 >iwn0 >fe80::2677:3ff:fe5 24:77:03:5f:12:38 UHLl 0 75 - 1 >iwn0 >fe80::1%lo0fe80::1%lo0UHl00 32768 1 >lo0 >ff01::/16 localhost UGRS 01 32768 8 >lo0 >ff01::%iwn0/32 fe80::2677:3ff:fe5 Um 02 - 4 >iwn0 >ff01::%lo0/32 localhost Um 01 32768 4 >lo0 >ff02::/16 localhost UGRS 01 32768 8 >lo0 >ff02::%iwn0/32 fe80::2677:3ff:fe5 Um 02 - 4 >iwn0 >ff02::%lo0/32 localhost Um 01 32768 4 >lo0 > >[Sun Apr 09 03:59:12 edgar@thinkpad:~ ] $ ndp -na >Neighbor Linklayer Address Netif Expire > >S Flags >2001:470:be02:a0:: 00:1d:6a:60:e1:a9iwn0 >23h59m26s S R >2001:470:be02:a0:2677:3ff:fe5f:1238 24:77:03:5f:12:38iwn0 >permanent R l >2001:470:be02:a0:7843:3366:8838:f579 24:77:03:5f:12:38iwn0 >permanent R l >fe80::21d:6aff:fe60:e1a9%iwn000:1d:6a:60:e1:a9iwn0 >23h59m56s S R >fe80::2677:3ff:fe5f:1238%iwn024:77:03:5f:12:38iwn0 >permanent R l > ><-on the >router-> > ># route show -inet6 >Routing tables > >Internet6: 
>DestinationGatewayFlags Refs Use Mtu Prio >Iface >defaultepettijohn-1.tunne UGS0 612 - 8 >gif0 >::/96 localhost
Re: Looking for replacement of thinkpad x201
Hi Florian, the maintainability of the x2?? Thinkpads dropped from great to good(ish) starting with the x230. With the recent ones you have to remove the bottom half of the case to access anything but the rear battery*, see [0]. But at least the x250 and the x260 have dedicated buttons for the trackpoint again. With the x260 support for a 16 GB RAM stick (now DDR4) in the single slot is now official but it's not clear if you can have both a 2.5" (7mm thick) drive and an m.2/NVMe SSD. The option of having an m.2/_SATA_ SSD sure is gone from what I've found. You may also want to look at the slightly bigger t440 (14") which can have both a 2.5" and an m.2 drive and also (officially) supports 32 GB of RAM. HTH, Florian PS: Yes, I've been looking at the new Thinkpads a lot lately, but I rarely carry mine around so 14" isn't a problem - and also want lots of RAM for ZFS & bhyve ;) *) The optional integrated front battery still is a "Field Replaceable" Unit, just not as easy to swap as the rear one ;) [0] http://www.laptopmain.com/how-to-disassemble-lenovo-thinkpad-x260-to-upgrade-ssd-and-ram/ On 26 February 2017 09:19:32 CET, Florian Obser wrote: > I need some help since I'm terrible with hardware... > > So my x201 main hacking laptop is getting old and benno@ is always > mocking me for the amount of gaffer and stickers that are holding it > together. > > Long story short, I'm in the market for a new thinkpad. > Yes it has to be a thinkpad. I require the pointing stick and 3 > physical mouse buttons. > > On the x201 I like the ease of changing the HDD and battery. I would > prefer if that was the case with the new one. > > So what's the done thing here? I'm not a hardware hacker, so I want a > kinda fully supported one. That means accelerated X and working wifi > (this is probably not an issue with stsp@'s hard work). Also I'm happy > with the size of the x201, I don't want to lug a brick around, so that > means an x series laptop. 
> As a first approximation assume that money is not an issue. > > Thanks, > Florian
Re: pkg_add: ftp: connect: Invalid argument
On 5 February 2017 07:46:43 CET, jungle boogie wrote: > On 02/04/2017 07:17 PM, Philip Guenther wrote: > >> Is this it? > >> > >> "Trying 129.128.5.191... > > ... > >> 80377 ftp CALL connect(3,0xaf766dd0bf0,16) > >> 80377 ftp STRU struct sockaddr { AF_INET, 129.128.5.191:80 } > >> 80377 ftp RET connect -1 errno 22 Invalid argument > > > > It dumped the sockaddr and didn't complain about it being invalid, > > so it made it into soconnect(). That puts the problem somewhere in the > > network stack or network config. To quote connect(2): > > > > [EINVAL] A TCP connection with a local broadcast, the all-ones > > or a multicast address as the peer was attempted. > > > > Double/triple check your network configuration, routing table, etc. > > Good luck! > > > > AH! I think it was a pf rule. I deleted some pf rules, rebooted and now it works! > […] I like adding a "log (to pflogX)" to my "block all" rule for debugging. Running tcpdump on the pflog device makes it easy to spot things you don't want blocked. At least when you somewhat know what you're looking for. If not, the tcpdump filter expression can get rather big on a noisy network. Regards, Florian
Re: IPSEC from behind NAT stage 2 failure
On 6 December 2016 23:38:31 CET, Damian McGuckin wrote: > On Tue, 6 Dec 2016, Robert Szasz wrote: > > > I'll try it, but that would be a problem if I have to add the local > > address for any machine that wants to connect. I assume there is a way > > to work through NAT because picked up nat-t and works for phase 1. I was > > hoping I had just missed a parameter in the ipsec.conf to get phase 2 > > working. > > the NPPPD/IPSec combination does not need to know about the IP. Not > knowing is the only way it can handle road-warrior types. The only issue > as the far-more-knowledgeable-than-I Stuart Henderson pointed out is that > you can have only one such Pre-Shared-Key for all these unknown > peers. Guess I didn't stress it's just the ID the client is most probably using he should try. He could just skip this part and go to figuring out how to set a proper ID on his windows client. From ipsec.conf(5): srcid string dstid string […] If srcid is omitted, the default is to use the IP address of the connecting machine. dstid is similar to srcid, but instead specifies the ID to be used by the remote peer. This section also shows how to handle IDs like "b...@example.com". > > Sorry, busy with other things yesterday. I will try and find the time to > go through your configurations later today. > > Did you try to use 3des and modp1024 in your ipsec.conf because that is > the only config some Windows clients will handle? Did you read this? > > https://support.microsoft.com/en-us/kb/325158 > If the windows client couldn't handle the configured options the error message would contain NO_PROPOSAL_CHOSEN. Regards, Florian
Re: IPSEC from behind NAT stage 2 failure
On 6 December 2016 10:04:34 CET, Florian Ermisch <florian.ermi...@alumni.tu-berlin.de> wrote: > Hi Robert, > > On 6 December 2016 03:05:34 CET, Robert Szasz > <rsz...@saxonco.com> wrote: > > I'm trying to set up an L2TP/IPSEC tunnel for roaming windows users to > > tunnel in to our office network. > > > > I'm testing with the following setup > > > > Win10 ->obsd5.9(firewall doing nat)->{}->obsd5.9(IPSEC) > > > > I'd like something reasonably robust, able to pass through most NAT a > > user might find themselves behind. Our current cisco vpn handles that > > part fairly well, but otherwise is unreliable and a pain to manage. > > > > The connection process fails at stage 2 with the error message below > > where X is the public IP of the box being connected to, and Y is the ip > > of the firewall the win10 machine is behind 10...58 is the private ip of > > the win10 machine. > > > > Thanks, > > > > Robert Szasz > > > > > > > > error in the isakmpd log > > > > --- > > > > 010420.423317 Default responder_recv_HASH_SA_NONCE: peer proposed > > invalid phase 2 IDs: initiator id 10.1.1.58, responder id x.x.x.x > > 010420.423325 Default dropped message from y.y.y.y port 58544 due to > > notification type INVALID_ID_INFORMATION > > And I guess that's the problem: the client > goes "hi I'm 10.1.1.58 and I'd like to > connect" and isakmpd doesn't know no > 10.1.1.58. IKEv1 is very picky about those > things: When it doesn't expect an ID no > peer presenting one will be allowed to > connect AFAIK. Little correction: the client comes from y.y.y.y but probably says it's 10.1.1.58, thus the presented ID doesn't match the one taken from the src address as your ipsec.conf doesn't specify one. > > > > > ipsec.conf > > > > ike passive esp transport \ > > proto udp from x.x.x.x to any port 1701 \ > > main auth hmac-sha1 enc "aes" group modp2048\ > > quick auth hmac-sha1 enc "aes" group modp2048\ > > psk "" > > Maybe adding local/peer or srcid/dstid > will help. 
You can try with using the > clients current local IP of 10.1.1.58 > as ID to expect. > > Regards, Florian
Re: IPSEC from behind NAT stage 2 failure
Hi Robert, On 6 December 2016 03:05:34 CET, Robert Szasz wrote: > I'm trying to set up an L2TP/IPSEC tunnel for roaming windows users to > > tunnel in to our office network. > > I'm testing with the following setup > > Win10 ->obsd5.9(firewall doing nat)->{}->obsd5.9(IPSEC) > > I'd like something reasonably robust, able to pass through most NAT a > user might find themselves behind. Our current cisco vpn handles that > part fairly well, but otherwise is unreliable and a pain to manage. > > The connection process fails at stage 2 with the error message below > where X is the public IP of the box being connected to, and Y is the ip > of the firewall the win10 machine is behind 10...58 is the private ip of > the win10 machine. > > Thanks, > > Robert Szasz > > > > error in the isakmpd log > > --- > > 010420.423317 Default responder_recv_HASH_SA_NONCE: peer proposed > invalid phase 2 IDs: initiator id 10.1.1.58, responder id x.x.x.x > 010420.423325 Default dropped message from y.y.y.y port 58544 due to > notification type INVALID_ID_INFORMATION And I guess that's the problem: the client goes "hi I'm 10.1.1.58 and I'd like to connect" and isakmpd doesn't know no 10.1.1.58. IKEv1 is very picky about those things: When it doesn't expect an ID no peer presenting one will be allowed to connect AFAIK. > > ipsec.conf > > ike passive esp transport \ > proto udp from x.x.x.x to any port 1701 \ > main auth hmac-sha1 enc "aes" group modp2048\ > quick auth hmac-sha1 enc "aes" group modp2048\ > psk "" Maybe adding local/peer or srcid/dstid will help. You can try with using the client's current local IP of 10.1.1.58 as the ID to expect. Regards, Florian
Re: Get active IP from an dhcp enabled interface
On 27 October 2016 17:10:16 CEST, "Sjöholm Per-Olov" wrote: > Hi > > If you use a dhclient on the Internet interface, what is the best > method to > get the currently used IP address? A regexp to get the IP from > "ifconfig > inet" output or check the dhclient lease file? […] A regex like this? ifconfig egress | sed -ne 's/^[[:space:]]inet \([0-9\.]*\) .*/\1/p' > Thanks > Peo Regards, Florian
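An alternative to the sed one-liner above, added here as an example and not part of the thread: awk keyed on the first field of each ifconfig(8) line is indifferent to whether the indentation is a tab or spaces, and the same approach yields the global IPv6 addresses with the %scope suffix stripped (the link-local fe80:: address is not what a caller after "the current IP" wants). The ifconfig output below is constructed to look like OpenBSD's and uses documentation prefixes; `egress_inet4` is a hypothetical wrapper that only makes sense on a live OpenBSD host.

```shell
#!/bin/sh
# Added example: extract addresses from ifconfig(8) output with awk.

# Constructed sample in OpenBSD's ifconfig layout (documentation addresses,
# not a real host).
SAMPLE='vio0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr fe:e1:ba:d0:0d:1e
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect
        status: active
        inet 203.0.113.5 netmask 0xffffff00 broadcast 203.0.113.255
        inet6 fe80::fce1:baff:fed0:d1e%vio0 prefixlen 64 scopeid 0x1
        inet6 2001:db8:1::5 prefixlen 64'

# IPv4 address(es) from ifconfig output on stdin, one per line.
# Matching on $1 ignores leading whitespace entirely, and "inet6" lines
# never match because the comparison is exact.
ifconfig_inet4() {
    awk '$1 == "inet" { print $2 }'
}

# Global IPv6 address(es) from ifconfig output on stdin: link-local
# fe80::/10 entries are skipped and any %scope suffix is removed.
ifconfig_inet6_global() {
    awk '$1 == "inet6" && $2 !~ /^fe80:/ { sub(/%.*$/, "", $2); print $2 }'
}

# Hypothetical wrapper for a live system: first IPv4 address of an interface
# or interface group, defaulting to "egress" (the default-route interface).
egress_inet4() {
    ifconfig "${1:-egress}" | ifconfig_inet4 | head -n 1
}

# Demo over the constructed sample.
printf '%s\n' "$SAMPLE" | ifconfig_inet4
printf '%s\n' "$SAMPLE" | ifconfig_inet6_global
```

On a dhclient-managed interface the address printed this way is the one actually configured in the kernel; the lease file may lag behind it or list leases that were never bound.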
Re: Would you use OpenBSD on Power8, and if so what applications? (IBM asks! They're thinking about donating hw.)
On 19 October 2016 19:48:49 CEST, Mikael wrote: > 2016-10-20 1:15 GMT+08:00 Ralph Siegler : > .. > > > Their ecosystem? > > > > closed source softwares including for x86-64 like Websphere, DB2, MQ, > > > .. > > > Hardware platforms limited to Power ($11,000 and up), Z series ($60,000 > > > > A silly example of interest in the Power architecture that's certainly > not > typical IBM enterprise apps and chassis: > http://www.theregister.co.uk/2016/04/07/open_power_summit_power9/ Nice article, thanks for sharing! One argument for OpenBSD on POWER would be the early implementation of security features like ASLR and W^X. Want to make sure your open source efforts are well prepared for such things hitting your customers' RedHat or SLES in 5 years? Make them run on OpenBSD early. And then you can't be lured into relying on too many linuxisms either, which keeps your software a little more portable. Regards, Florian
Re: 4th nic for pcengines apu2
On 19 October 2016 15:50:10 CEST, sven falempin wrote: > On Wed, Oct 19, 2016 at 9:20 AM, Mihai Popescu > wrote: > > > > e.g. from Lanner. > > > > Can you compensate for the price difference? […] > […] > Also you may use a usb to ethernet , or serial to ethernet and connect > the > two board. > > And keep the > apu you know. Why not use a NIC which fits in one of its two miniPCIe slots? http://lmgtfy.com/?q=Gigabit+minipcie There's even a dual port one with Intel chips, the MPX-574D2. Someone on the pcengines forum said /he was told/ it would work with an APU2C4 but didn't post a confirmation: http://www.pcengines.info/forums/?page=post=BA59278A-23D5-4FD3-87F5-CC6F146B96A5 Regards, Florian
Re: Multiple web servers behind NAT
On 10 October 2016 14:35:00 CEST, Markus Hennecke wrote: > On 10.10.2016 at 12:01, Radek wrote: > > > The second thing to do is enabling > > websites' SSL/TLS certs. > > Each website has its own certificate > > on its server. […] > > > You can't do that. TLS exchange is done > before the host name is sent in the > request. > The only thing you can do is to use one > certificate for all hosts and terminate > the TLS connection in relayd. > So relayd doesn't support SNI yet? Not that SNI and having a cert for each site on the relay covers the use case, but httpd does support SNI, right? Regards, Florian
Re: Route via gre0 works different than route via gre{1,2}?
On 15 July 2016 22:22:32 CEST, Florian Ermisch <florian.ermi...@alumni.tu-berlin.de> wrote: > Hi, > > while debugging a problem with routing via GRE I figured > out I have to use `route add $LAN_A $GRE_REMOTE_A` > for the route going via gre0 but `route add -iface $LAN_B > $GRE_LOCAL_B` for a route via gre1. When I used `route > $LAN_B $GRE_REMOTE_B` packets for $LAN_B were > sent via gre0 (and probably ended up at LAN_A's endpoint > which I don't have access to). > While `route get $LAN_B` stated the gateway was > $GRE_REMOTE_B, the local interface address was > $GRE_LOCAL_B and the remote address was > $GRE_REMOTE_B the route's interface was gre0. > > The mentioned `route add -iface …` fixed this and also > works for a route to $LAN_C via gre2. But configuring the > route to $LAN_A with the same command seems to break > forwarding to this network, the packets don't enter the GRE > tunnel anymore. > > Is this how it's supposed to work? > > Regards, Florian Sorry, forgot to mention: The host is running 5.9 (amd64 on ESXi). Regards, Florian
Route via gre0 works different than route via gre{1,2}?
Hi, while debugging a problem with routing via GRE I figured out I have to use `route add $LAN_A $GRE_REMOTE_A` for the route going via gre0 but `route add -iface $LAN_B $GRE_LOCAL_B` for a route via gre1. When I used `route $LAN_B $GRE_REMOTE_B` packets for $LAN_B were sent via gre0 (and probably ended up at LAN_A's endpoint which I don't have access to). While `route get $LAN_B` stated the gateway was $GRE_REMOTE_B, the local interface address was $GRE_LOCAL_B and the remote address was $GRE_REMOTE_B the route's interface was gre0. The mentioned `route add -iface …` fixed this and also works for a route to $LAN_C via gre2. But configuring the route to $LAN_A with the same command seems to break forwarding to this network, the packets don't enter the GRE tunnel anymore. Is this how it's supposed to work? Regards, Florian