Re: Why isn't OpenBSD in Google Summer of Code 2017?...

2017-04-05 Thread Jacob L. Leifman
Security and correctness should never be an afterthought. Have you 
done any real software development? And have you ever tried to find 
your way through cruddy code? 999 times out of 1000 it is less painful 
and much more effective to rewrite from scratch. So what's the point of 
having that previous iteration?

On 5 Apr 2017 at 13:10, Luke Small wrote:

> I imagine there are some projects that need some love that are on the back
> burner at the moment that could use some hacking; even if it is totally
> redone later by someone that wants to refactor it for privsep and such.
> > On Tue, Apr 4, 2017 at 4:21 PM Theo de Raadt wrote:
> 
> > Pete, you propose a waste of time.
> >
> > Everyone has the source code.  Everyone can run it.  Everyone can see
> > the problems other people report, and the things which are not supported.
> >
> > Everyone already can tell what needs improving.  Everyone has a brain,
> > and can come up with their own goals.
> >
> > If they don't come up with goals, there's nothing we can write which
> > will change anything.
> >
> > Finally, not everyone has time.  It would not be time spent well making
> > lists for other people who may or may not perform.
> >
> > > Would the devs consider compiling a list of specific improvements they'd
> > like
> > > to see volunteer'd upon this summer? I'd love to help especially if it
> > was a
> > > group effort/friendly competition.
> > >
> > > 
> > > From: owner-m...@openbsd.org  on behalf of Bob
> > Beck
> > > 
> > > Sent: April 2, 2017 10:16:21 PM
> > > To: Luke Small
> > > Cc: openbsd-misc
> > > Subject: Re: Why isn't OpenBSD in Google Summer of Code 2017?...
> > >
> > > We tried it for two years, it was too much effort on the part of the
> > > foundation organizers mentors to deal with the bureaucracy involved, and
> > we
> > > didn't really see enough
> > > return in terms of new developers to the project, which, frankly being
> > > selfish on OpenBSD's part is the only reason for us to do it.
> > >
> > > Both Ken Westerback and I organized our end of it and dealt with the
> > google
> > > paperwork the two years we did it, Neither of us is willing to do it
> > again,
> > > and while I won't
> > > directly speak for Ken, I would not support us spending effort on this
> > when
> > > there are lots of other things to do.. It just doesn't have the benefit
> > for
> > > OpenBSD, especially
> > > in light of the effort of the volunteers necessary to participate.
> > >
> > >
> > >
> > > On Sun, Apr 2, 2017 at 8:54 AM, Luke Small wrote:



Re: Please: Is there ANY chance that Linux binaries might run again???

2017-03-11 Thread Jacob L. Leifman
On 11 Mar 2017 at 15:47, ropers wrote:

> On 11 March 2017 at 15:18, Stuart Henderson wrote:
> 
> > On 2017/03/10 23:56, ropers wrote:
> > > On 10 March 2017 at 01:30, Stuart Henderson 
> > > wrote:
> > >
> > > (And unlike Linux, 32-bit OpenBSD binaries won't run on OpenBSD/
> > > amd64)
> > >
> > >
> > > Is there a technical reason for that?
> > > I'm not trying to demand anything here; just curious.
> > >
> > > This is NOT intended to be a "but teh Linux does X, so should we, so
> > > why can't we" whine.
> > > I'm merely ignorantly interested in a "what are they doing, what's
> > > OpenBSD doing" kind of way.
> >
> > I think that even just adding basic support would be complicated and
> > likely error-prone. Is there anything it would actually be useful for?
> >
> 
> Personally, I'm really just asking out of technical curiosity.
> This is not about whether I'd ever actually want or feel I'd need to run
> 32-bit OpenBSD binaries on OpenBSD/amd64.
> 
> Was 32-on-64 compatibility somehow easier to achieve on the Linux side?
> Or did they just keep throwing code and more code at the problem because
> they felt they really, really had to have this?
> It's that kind of idle curiosity. If nobody's interested in explaining or
> hearing this explained, then sorry for the noise.
> 
> 

If you examine a typical 64-bit Linux installation, you will notice 
that it contains duplicate sets of most libraries and even many of the 
drivers -- one x86_64 and the other i586. On disk, the packages for the 
latter are almost always the exact same ones as those installed on a 
pure 32-bit Linux. So in essence the 64-bit Linux is like two OSes 
running simultaneously. I am guessing that this is facilitated by 
Linux's micro-kernel approach -- in oversimplified terms, their kernel 
is little more than a traffic cop at a docking terminal and all the 
drivers and libraries are "modules" communicating through a rather 
complex but broadly accommodating API that does not discriminate 32-bit 
vs. 64-bit. In contrast, OpenBSD uses a monolithic kernel (and unlike 
FreeBSD it no longer even supports LKM) where all the communication 
paths have been streamlined and a decision is made upfront whether they 
are based on 32-bit or 64-bit architecture.



Re: where is the image of openbsd arm ?

2016-06-24 Thread Jacob L. Leifman
Is it possible to add more wired NICs to the APU? Alternatively, is 
there a comparably robust and OpenBSD supported low-wattage platform 
with at least 4 (and preferably 5-6) NICs?

Thank you.

On 24 Jun 2016 at 13:37, Chris Cappuccio wrote:

> li...@wrant.com [li...@wrant.com] wrote:
> > 
> > 1) How do the APU systems go as pricing to comparable systems from
> > other similar (industrial class, desktop enclosure) manufacturers?
> > 
> 
> The pricing direct from PC Engines is roughly 2x to 3x the cost
> of certain cheap, popular ARM boards. It's on par or lower than
> the pricing of the higher end ARM boards (some of which are supported
> in the armv7 port)
> 
> > 2) How is the OpenBSD experience on the APU systems, do they have serial
> > RS232 console (serial BIOS), do they expose all the hardware to OpenBSD?
> > 
> 
> Everything is exposed. The serial console requires boot.conf setup,
> and Bob Beck recently fixed some aggressive behaviour in the boot loader
> so that it no longer prints garbage characters on the screen during
> the 'set tty com0' transition. Thank you Bob for spending the time to
> track this annoying behaviour down !
> 
> Chris



Re: text-mode gui

2015-12-20 Thread Jacob L. Leifman
On 20 Dec 2015 at 17:25, Luke Small wrote:

8<-- lots of drivel snipped --->8
>... but a
>normal user shouldn't have to wade through man pages to discover how to fix
>...

This is the crux of the issue -- Linux upbringing! If you bothered to 
read the FAQ or scan through some message threads on the mailing lists 
you would know that:

 a) ALL users are expected to read the man pages, because
 b) OpenBSD deservedly prides itself on the accuracy, completeness, 
and readability of the documentation -- the man pages and the FAQ.

If you value gooey complexity because you cannot be bothered to learn 
about the tool you plan to use, please go away and pick one of the many 
shiny toys that promise you what you want. I, for one, very much 
appreciate the OpenBSD way of no-nonsense, minimalist interfaces 
balanced with very comprehensive documentation.

> 
> 
> -Luke
> 
> On Sun, Dec 20, 2015 at 3:33 PM,  wrote:
> 
> > On Sun, 20 Dec 2015 14:03:18 -0600 Luke Small 
> > wrote:
> >
> > > I don't know the best way, but I like how there are "check-boxes", from
> > > what I recall, in lynx webpages.
> >
> > And?  Bookmarks or... direct private cumulus clouds of edible sugar,
> > preferably in cyanide algae nuances with self attaching axons.
> >
> > > Maybe full-disk encryption and maybe home
> > > folder encryption if it is available are the only remaining installer
> >
> > It's called a directory, which is a file, and not a drawer, and not a
> > folder, neither a closet, nor a wardrobe nor even a chest.
> >
> > > options that you don't have to have prior specialized knowledge to
> > perform,
> > > that you can't do after you boot into the system.
> >
> > I'm sorry to break up the bubble for you but prior knowledge is a
> > prerequisite and this is not exclusive to OpenBSD.  Anything you can do
> > in the installer can also be done after installation, except probably
> > finding a list of nice check boxes in a JavaScript web page.  For that
> > you need to use www.
> >
> > > If there are other
> > > things, then it may become a little less tedious for less experienced
> > folks
> > > to look at all the options at once, rather than having to start over.
> >
> > Many inexperienced folks tried OpenBSD first and did not have to become
> > experienced in other complicated installers.  Can you elaborate on
> > this?  You want a long check list, is that it?
> >
> > > If
> > > there are any irreconcilable differences in options, JavaScript can more
> > > easily display that the other changes are incompatible by changing the
> > > other options back.
> >
> > The editor said: scratch this part, messy wording.
> >
> > > But maybe the OpenBSD way is about no surprises, but it
> > > doesn't seem right to only be able to boot into the system in the way you
> > > want,
> >
> > It is a cargo "principle of least astonishment" to be found in another
> > set of online docs elsewhere, unrelated perhaps, no?
> >
> > > if you have the mindset of a Computer Scientist like us, and read the
> > > right configuration webpages.
> >
> > Correction, man pages.  They are in English, comprehensive to lower
> > intermediate level readers.
> >
> > > Things like not having softdep mounted file
> > > systems by default really tripped me up for a couple versions.
> >
> > There is a clear section on this in the Frequently Asked Questions.  It
> > is a very nice idea to read these prior or during installation on the
> > other computer, or why not print out sections you best liked or thought
> > useful for the upcoming installation process.
> >
> > > I have
> > > virtualbox HDs and I had to keep backups in case Windows did something
> > > funny, because I sometimes couldn't repair the file systems.
> >
> > Can you point where the docs say "install in a virtualbox" or any other
> > virtual software brand for what it matters?
> >
> > > It seems like
> > > something that should be an option in the installer, or a default. It
> > would
> > > be nice to do that with noatime and maybe an optional mfs or tmpfs
> > mounted
> > > /tmp folder like I have now.
> >
> > So you're basically proposing to rewrite the installer in JavaScript to
> > add the noatime and softdep mount options, add full disk and home
> > directory encryption, use the SSL tool kit and also make it like a text
> > menu installer with a lot of check boxes and... web based interface,
> > and be able to install in a virtual machine with memory based file
> > systems?
> >
> > Why don't you just pick the install media of the operating system that
> > offers you these nice goodies, and save yourself the rewrite.  Oh, and
> > then come back teach how to do it.
> >
> > If this seems too much to ask, just simply use the installer in OpenBSD
> > as it is, and after a couple of iterations, and some (minutes/years) of
> > enlightenment, you will start to appreciate the time and effort it has
> > saved you and the powerful options provided without 

PF tables -- anchors and scope

2015-10-11 Thread Jacob L. Leifman
Can anyone confirm whether it is possible to modify a global table 
within an anchor? If so, what is the proper syntax for referencing it?

I have a dynamic table of addresses to block declared and updated in 
the main body of pf.conf. I would like to update the same table using 
'overload' operator within an anchor, however, I get "namespace 
collision" warning message and a distinctly separate table created when 
I try that. Interestingly, I can use global tables as the source or 
destination address in any rule inside an anchor, i.e. it does work in 
read-only mode (unless an anchor-local table is created per above).

This firewall is currently running 5.6 with upgrade to 5.8 being 
planned for the near future.

Thank you,
-Jacob.
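The situation in the question, written out as an added pf.conf example. This is not the poster's configuration; the table and anchor names are illustrative, and the behaviour of the anchor-local table is the one the post reports, not a claim from pf.conf(5).

```pf
# Added example, not the poster's configuration. Table and anchor names
# are illustrative.

# Main ruleset: the global table and the rule that feeds it via overload.
table <bruteforce> persist
block in quick from <bruteforce>
pass in on egress proto tcp to port ssh \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Inside an anchor the global table can be used as a source or destination
# address; this is the read-only use the post says works.
anchor "web" in on egress {
    block in quick from <bruteforce>
    pass in proto tcp to port https
}

# What the post tried: overload from inside an anchor. pfctl warns about a
# namespace collision and the offending addresses land in a separate
# <bruteforce> that belongs to this anchor; the global table is untouched.
anchor "web-overload" in on egress {
    pass in proto tcp to port https \
        keep state (max-src-conn-rate 50/10, overload <bruteforce> flush)
}

# Check the ruleset, then look at both namespaces to see which table
# actually received an address:
#   pfctl -nf /etc/pf.conf
#   pfctl -t bruteforce -T show                    # global table
#   pfctl -a web-overload -t bruteforce -T show    # the anchor-local one
```

If the goal is a single shared block list, the practical arrangement is to keep every rule that carries an `overload` in the main ruleset and let anchors only read the table, as in the first anchor above. After any change, compare the two `-T show` views: an address that appears only under `-a web-overload` is being blocked by that anchor's rules alone, not by the global `block in quick`.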



Re: Unified BSD?

2012-11-13 Thread Jacob L. Leifman
yes, you are young, naïve, and 'bat crazy'/idealistic (never could find 
the difference between these two ;) ...

but you are also quite lazy -- had you taken the time to research the 
history behind the forks and the current stated goals and objectives of 
each of these OSes, you would see why only a tiny minority of 
developers participate in more than one of the projects, and that 
despite the common ancestry and BSD philosophy, there are 
irreconcilable differences between all of the projects.

On 12 Nov 2012 at 21:37, Robin Björklin wrote:

 Hi!
 
 First and foremost I'd like to present myself, I'm a young and naive
 junior sys admin that think people should be able to compromise and see
 the bigger picture and the good of the cause.
 
 Now over to the reason for my post.
 
 As all of you probably know there's a lot of buzz around Gnu/Linux these
 days and I'm pretty sure you couldn't care less. What I'm wondering is
 why the BSD community which from what I can gather isn't as big as the
 Linux community have decided to split their resources into several
 different projects/forks/distributions. To me it seems *BSD would be in
 a more competitive shape if all developers would get in under one roof?
 
 Am I bat crap crazy for thinking it could be good to merge the four
 largest BSD variants out there, take the best bits and pieces out of
 each and create a Unified BSD?
 
 Kind Regards,
 Robin Bjorklin



Re: Hi-Five OpenBSD World - New installation - Power management questions

2012-04-11 Thread Jacob L. Leifman
First the caveats: I am long time OpenBSD user, but not a developer. 
The original post was extremely long, and as I wanted to embed my 
comments next to the original content they belong to, I also snipped 
some irrelevant sections.

On 11 Apr 2012 at 22:14, Michael Davies wrote:

 Hello OpenBSD World!!!
 
 Long time Linux user who has recently been looking closely at OpenBSD

...[snipped]

 without any problems. I used these package options: -x* then -game*

I have deployed many servers using the same selection with no ill 
effect. However, a growing number of ports and packages have various x* 
dependencies; and as Theo just recently pointed out on this ML, the 
recommended and the only fully supported system configuration is with 
everything installed.

 (removing these packages from the install - it's a NAS I'm creating
 here). I had no problem setting up my static network address etc. etc. I
 will install rsync via pkg_add later.
 
 However, I have been trying to find out how OpenBSD handles ACPI/APM
 Power Management and disk hibernation.
 
 I have read quite a bit:
 1) Michael Lucas' Absolute OpenBSD (2004)

Was highly rated at the time, but that was 16 releases ago...

 2) Secure Architectures with OpenBSD (2004)

ditto; good for concepts overview, but most implementation details have 
changed quite radically.

 3) Michael Lucas' Absolute BSD (for FreeBSD) (2002)

old and mostly irrelevant -- the OpenBSD kernel is very different from 
FreeBSD, and much of the stuff that FreeBSD chooses to import is either 
dated or lacks the necessary kernel support (or both, as for example 
the PF code).

 4) Calomel - you know the one

too bad -- now you have to UNread it; seriously, according to core 
developers it is ALL wrong.

 5) I've tried to search the archived dialogues on Old Nabble (Difficult)

I have observed that when the developers refer to an old posting they 
use http://marc.info/ almost exclusively.

 6) I've searched Daemon Forums
 7) I've read the FAQ - Always the last place I look ;-)

When it comes to OpenBSD, the FAQ should be your first stop, closely 
followed by the man pages. Official documentation is a source of pride 
for the project -- documentation errors, even silly little typos, are 
treated as seriously as any other bug.

 
 This is what I feel I have learned:
 
 1) Advanced Power Management on OpenBSD is handled by apmd. I know that
 because enabling it through /etc/rc.conf, rebooting and then issuing zzz
 puts the PC to sleep. When I tap a key - it wakes up again (exactly
 where I left it). GREAT!
 2) apmd does not automatically hibernate my disk (unless I am missing
 something) - but it is possible that there are ports (I've read about these
 for FreeBSD) which might handle disk hibernation: spindown and diskidle
 3) I read somewhere that there is a danger in suspending/hibernating the
 disk security wise - but haven't found a full explanation (Is RAM dumped
 to disk unencrypted, perhaps?). That would explain why a program to
 hibernate the disk isn't included in the default install of OpenBSD.
 
 Unfortunately - searching the OpenBSD mailing lists I have subscribed
 too is darn awkward (compared to some other fora - I know some issue
 'tarred' archives that can be imported into an e-mail client - ever
 considered it? :-) ).
 
 SO... I've come to the fount of all knowledge to seek guidance on the
 following:
 
 1) Beyond apmd, is there a default handler of disk hibernation 
 install-ed/able via default OpenBSD?
 2) To use apmd, do I need to maintain a swap partition? Indeed, should I
 ALWAYS maintain a swap partition on this simple setup (which is running
 fine)? I was hoping to get away without one (currently b: is undefined).

Are you really hurting for space that much? Unlike Linux, OpenBSD will 
not access the swap unless absolutely necessary. However, once again, 
having no swap defined is neither a standard nor a fully supported setup. 
Moreover, the swap partition is where the system dumps core during a 
panic. I found it beneficial to have some swap space defined even when 
disk capacity is an issue, and nowhere is it written that it needs to be 
big (not even equal to RAM size).

 3) If spindown or diskidle exist in the packages/ports - would
 installing these provide me with a disk hibernation facility for
 OpenBSD?
 4) Is there another way to manage the PC('NAS') using OpenBSD
 to minimize power while the 'NAS' is available 24/7?

apm(8) -C does a pretty good job of dynamically reducing CPU power 
waste and atactl(8) should help you configure the built-in functions of 
your hard drive. Keep in mind that full system hibernation (aka suspend 
to disk) is not compatible with 24/7 availability as you will have to 
issue an explicit wake-on-lan and wait for it to become available. 
OTOH, a modern system, especially one based on Atom processor and a 
laptop SATA drive, does a darn good job of minimizing power waste 
without completely shutting down.

Personally this is how I built my 

Re: apache ssl behind nat problems

2011-07-12 Thread Jacob L. Leifman
Hi Nigel,

The SSL certificate itself does not have any part in this problem as it 
never gets that far in the process. As I wrote previously, the TCP 
handshake never completes -- e.g. netstat & co. never see a connection 
in any kind of state. I did try the suggested openssl command as well 
as lynx, wget, w3m, ... and none of them emit any errors, they just time 
out. And of course, there are no errors (or connection traces) in the 
apache logs either :-(


On 12 Jul 2011 at 1:55, Nigel Taylor wrote:

 Hi,
 
 One guess would be the SSL certificate is for your internal hostname, 
 not your external hostname. Those connecting to the external hostname, 
 reject the connection because the hostname doesn't match the 
 certificate. To use both internal and external names you have to create 
 certificate under one name and include alternative names / ip addresses 
 in the certificate.
 
 Internally on my local network I refer to my server by its external 
 name. With a pf rule
 .
 pass in log quick on $int_if inet proto tcp from any to $webext port 
 https rdr-to 127.0.0.1 port https
 .
 
 If I connect to the internal name / ip address, I get an untrusted 
 connection response, because I haven't added the alternatives.
 
 Look in /var/www/logs,
 .
 [Tue Jul 12 01:14:16 2011] [error] OpenSSL: error:14094412:SSL 
 routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN 
 in certificate not server name or identical to CA!?]
 [Tue Jul 12 01:14:19 2011] [error] mod_ssl: SSL handshake failed (server 
 new.host.name:443, client 192.168.202.23) (OpenSSL library error follows)
 [Tue Jul 12 01:14:19 2011] [error] OpenSSL: error:14094412:SSL 
 routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN 
 in certificate not server name or identical to CA!?]
 .
 
 
 Try connecting with tools like openssl, gnutls
 
 openssl s_client -connect host:port
 .
 SSL handshake has read 2617 bytes and written 388 bytes
 ---
 New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
 Server public key is 4096 bit
 Secure Renegotiation IS supported
 Compression: NONE
 Expansion: NONE
 SSL-Session:
  Protocol  : TLSv1
  Cipher: DHE-RSA-AES256-SHA
 .
 
 
 
 Regards
 
 Nigel Taylor
 
 On 07/11/11 22:57, Jacob L. Leifman wrote:
  Environment:
- OpenBSD 4.9, stock (base) apache with self-signed certificate
- behind a SOHO NAT router (with relevant in-bound redirects)
 
  Problem: non-local SSL connections never complete the handshake
  (verified while monitoring the interface with tcpdump, see below)
 
  During troubleshooting I was able to eliminate a few suspects:
- Regular un-encrypted HTTP (port 80) works every time;
- https:// from the same LAN (i.e. no NAT) always works;
- SSH always works (whether local or remote);
- PF seems to have no bearing -- no difference in behavior whether
  enabled, enabled with pass in quick for the remote test host, or even
  altogether disabled.
 
  Unfortunately, I cannot eliminate the NAT device and need to find a way
  to work with it.
 
  All clues(ticks) are appreciated,
  -Jacob.
 
  Sanitized tcpdump -netttvv log:
  Jul 11 17:26:39.589073 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74:
  a.b.c.d.37325 > 192.168.x.y.443: S [tcp sum ok]
  2560292710:2560292710(0) win 5840 <mss 1452,sackOK,timestamp 3005841692
  0,nop,wscale 0> (DF) (ttl 45, id 30330, len 60)
  Jul 11 17:26:39.590087 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
  192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok]
  1786229842:1786229842(0) ack 2560292711 win 16384 <mss
  1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359378
  3005841692> (DF) (ttl 64, id 5701, len 64)
  Jul 11 17:26:42.584962 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74:
  a.b.c.d.37325 > 192.168.x.y.443: S [tcp sum ok]
  2560292710:2560292710(0) win 5840 <mss 1452,sackOK,timestamp 3005841992
  0,nop,wscale 0> (DF) (ttl 45, id 30331, len 60)
  Jul 11 17:26:42.585565 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
  192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok]
  1786229842:1786229842(0) ack 2560292711 win 16384 <mss
  1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359384
  3005841992> (DF) (ttl 64, id 52775, len 64)
  Jul 11 17:26:42.589685 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
  192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok]
  1786229842:1786229842(0) ack 2560292711 win 16384 <mss
  1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359384
  3005841992> (DF) (ttl 64, id 3806, len 64)
  Jul 11 17:26:48.584959 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74:
  a.b.c.d.37325 > 192.168.x.y.443: S [tcp sum ok]
  2560292710:2560292710(0) win 5840 <mss 1452,sackOK,timestamp 3005842592
  0,nop,wscale 0> (DF) (ttl 45, id 30332, len 60)
  Jul 11 17:26:48.585435 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
  192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok]
  1786229842:1786229842(0) ack 2560292711 win 16384 <mss
  1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359396
  3005842592> (DF) (ttl 64, id

Re: apache ssl behind nat problems

2011-07-12 Thread Jacob L. Leifman
On 11 Jul 2011 at 20:59, Paul Suh wrote:

 On Jul 11, 2011, at 5:57 PM, Jacob L. Leifman wrote:
 
  Environment:
  - OpenBSD 4.9, stock (base) apache with self-signed certificate
  - behind a SOHO NAT router (with relevant in-bound redirects)
 
  Problem: non-local SSL connections never complete the handshake
  (verified while monitoring the interface with tcpdump, see below)
 
  During troubleshooting I was able to eliminate a few suspects:
  - Regular un-encrypted HTTP (port 80) works every time;
  - https:// from the same LAN (i.e. no NAT) always works;
  - SSH always works (whether local or remote);
  - PF seems to have no bearing -- no difference in behavior whether
  enabled, enabled with pass in quick for the remote test host, or even
  altogether disabled.
 
  Unfortunately, I cannot eliminate the NAT device and need to find a way
  to work with it.
 
 *snip*
 
 Jacob,
 
 A few things to try:
 
 1) Try a non-OpenBSD server on the inside, just to see if the problem is
 specific to OpenBSD or occurs with other server types.

good idea. I will try it as soon as I can which will not be for a few 
days.

 2) Try using
 
   openssl s_client -connect hostname:443
 
 from the outside and see what kind of error message you get back.

did that (as well as lynx and some others) -- there are no error 
message, just times out.

 3) Try connecting from the outside using wget or curl and see what kind of
 error message you get back.

see just above.

 FWIW, I'm guessing that the problem is at the router. The packet trace is
 showing a TCP SYN coming from the client, followed correctly by a SYN-ACK
 going back from the server. The client should send an ACK packet back, but
 instead it waits several seconds (i.e., timeout) then sends another TCP SYN,
 which would be what happens when the client does not receive the SYN-ACK from
 the server. Can you get a packet trace from the outside interface of the
 router?

I believe you are right; or at the very least it is some kind of weird 
interaction with the router. Unfortunately, this is a consumer DSL 
device with no packet capture/trace capability.

 Hope this helps.

some more leads to chase ;-)
 
 --Paul
 
 [demime 1.01d removed an attachment of type application/pkcs7-signature which 
 had a name of smime.p7s]
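Paul's reading of the trace (SYN, SYN-ACK, then the client's SYN again where an ACK should be) turned into a check that can be run over a saved `tcpdump -netttvv` capture. This is an added example, not code from the thread. The lines in SAMPLE_TRACE are copied from the trace in the original post further down; HEALTHY_TRACE is a constructed handshake that completes, included only to show the other branch. The parser assumes the line layout shown in the thread; the list archive dropped the `>` between source and destination and the `<...>` around the TCP options, so both forms are accepted.

```python
"""Added example (not code from the thread): decide from a tcpdump trace
whether a TCP handshake stalls because the server's SYN-ACK never reaches
the client, the pattern Paul describes.  Assumes 'tcpdump -netttvv' output
as shown in the thread, with or without the '>' and '<...>' characters the
archive dropped.
"""
import re
from collections import defaultdict

# The client's five SYNs and the server's nine SYN-ACKs, copied from the trace
# in the original post (a.b.c.d is the remote client, 192.168.x.y the server).
SAMPLE_TRACE = """\
Jul 11 17:26:39.589073 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74: a.b.c.d.37325  192.168.x.y.443: S [tcp sum ok] 2560292710:2560292710(0) win 5840 mss 1452,sackOK,timestamp 3005841692 0,nop,wscale 0 (DF) (ttl 45, id 30330, len 60)
Jul 11 17:26:39.590087 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78: 192.168.x.y.443  a.b.c.d.37325: S [tcp sum ok] 1786229842:1786229842(0) ack 2560292711 win 16384 mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359378 3005841692 (DF) (ttl 64, id 5701, len 64)
Jul 11 17:26:42.584962 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74: a.b.c.d.37325  192.168.x.y.443: S [tcp sum ok] 2560292710:2560292710(0) win 5840 mss 1452,sackOK,timestamp 3005841992 0,nop,wscale 0 (DF) (ttl 45, id 30331, len 60)
Jul 11 17:26:42.585565 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78: 192.168.x.y.443  a.b.c.d.37325: S [tcp sum ok] 1786229842:1786229842(0) ack 2560292711 win 16384 mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359384 3005841992 (DF) (ttl 64, id 52775, len 64)
Jul 11 17:26:42.589685 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78: 192.168.x.y.443  a.b.c.d.37325: S [tcp sum ok] 1786229842:1786229842(0) ack 2560292711 win 16384 mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359384 3005841992 (DF) (ttl 64, id 3806, len 64)
Jul 11 17:26:48.584959 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74: a.b.c.d.37325  192.168.x.y.443: S [tcp sum ok] 2560292710:2560292710(0) win 5840 mss 1452,sackOK,timestamp 3005842592 0,nop,wscale 0 (DF) (ttl 45, id 30332, len 60)
Jul 11 17:26:48.585435 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78: 192.168.x.y.443  a.b.c.d.37325: S [tcp sum ok] 1786229842:1786229842(0) ack 2560292711 win 16384 mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359396 3005842592 (DF) (ttl 64, id 4014, len 64)
Jul 11 17:26:48.590024 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78: 192.168.x.y.443  a.b.c.d.37325: S [tcp sum ok] 1786229842:1786229842(0) ack 2560292711 win 16384 mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359396 3005842592 (DF) (ttl 64, id 59349, len 64)
Jul 11 17:27:00.584563 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74: a.b.c.d.37325  192.168.x.y.443: S [tcp sum ok] 2560292710:2560292710(0) win 5840 mss 1452,sackOK,timestamp 3005843792 0,nop,wscale 0 (DF) (ttl 45, id 30333, len 60)
Jul 11 17:27:00.584880 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78: 192.168.x.y.443  a.b.c.d.37325: S [tcp sum ok] 1786229842:1786229842(0) ack 2560292711 win 16384 mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359419 3005843792 (DF) (ttl 64, id 4439, len 64)
Jul 11 17:27:00.590727 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78: 192.168.x.y.443  a.b.c.d.37325: S [tcp sum ok] 1786229842:1786229842(0) ack 2560292711 win 16384 mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359419 3005843792 (DF) (ttl 64, id 17093, len 64)
Jul 11 17:27:24.585829 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74: a.b.c.d.37325  192.168.x.y.443: S [tcp sum ok] 2560292710:2560292710(0) win 5840 mss 1452,sackOK,timestamp 3005846192 0,nop,wscale 0 (DF) (ttl 45, id 30334, len 60)
Jul 11 17:27:24.586302 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78: 192.168.x.y.443  a.b.c.d.37325: S [tcp sum ok] 1786229842:1786229842(0) ack 2560292711 win 16384 mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359467 3005846192 (DF) (ttl 64, id 12052, len 64)
Jul 11 17:27:24.592057 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78: 192.168.x.y.443  a.b.c.d.37325: S [tcp sum ok] 1786229842:1786229842(0) ack 2560292711 win 16384 mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359467 3005846192 (DF) (ttl 64, id 15080, len 64)
"""

# A constructed handshake that completes (not from the thread), for the other branch.
HEALTHY_TRACE = """\
Jul 11 17:30:00.000000 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74: 10.0.0.5.40000 > 192.168.x.y.443: S [tcp sum ok] 1000:1000(0) win 5840 <mss 1452> (DF) (ttl 45, id 1, len 60)
Jul 11 17:30:00.001000 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78: 192.168.x.y.443 > 10.0.0.5.40000: S [tcp sum ok] 2000:2000(0) ack 1001 win 16384 <mss 1460> (DF) (ttl 64, id 2, len 64)
Jul 11 17:30:00.020000 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 66: 10.0.0.5.40000 > 192.168.x.y.443: . [tcp sum ok] ack 2001 win 5840 (DF) (ttl 45, id 3, len 52)
"""

LINE_RE = re.compile(
    r"^\w{3} +\d+ (?P<time>\d\d:\d\d:\d\d\.\d+) "   # timestamp
    r"\S+ \S+ \S+ \d+: "                            # src MAC, dst MAC, ethertype, frame length
    r"(?P<src>\S+)\.(?P<sport>\d+) +(?:> +)?"        # source host.port, optional '>'
    r"(?P<dst>\S+)\.(?P<dport>\d+): "                # destination host.port
    r"(?P<flags>\S+) \[tcp sum ok\] (?P<rest>.*)$"   # TCP flags and the remainder
)

def _seconds(hms):
    h, m, s = hms.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def parse_line(line):
    """Return the fields the check needs, or None for a line it does not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "t": _seconds(d["time"]),
        "src": (d["src"], int(d["sport"])),
        "dst": (d["dst"], int(d["dport"])),
        "syn": "S" in d["flags"],
        # 'ack N' is printed only when the ACK bit is set ('sackOK' does not match)
        "ack": re.search(r"\back \d+", d["rest"]) is not None,
    }

def analyze(trace):
    """Group segments by (client, server) and give a verdict per connection."""
    conns = defaultdict(lambda: {"syn_times": [], "synacks": 0, "client_acks": 0})
    for line in trace.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        client_key = (p["src"], p["dst"])
        if p["syn"] and not p["ack"]:              # SYN: the sender is the client
            conns[client_key]["syn_times"].append(p["t"])
        elif p["syn"]:                             # SYN-ACK: the sender is the server
            conns[(p["dst"], p["src"])]["synacks"] += 1
        elif p["ack"] and client_key in conns:     # a later ACK-bearing segment from the client
            conns[client_key]["client_acks"] += 1
    results = {}
    for key, c in conns.items():
        t = c["syn_times"]
        if c["client_acks"]:
            verdict = "handshake completed"
        elif c["synacks"] == 0:
            verdict = "no SYN-ACK: nothing listening, or the SYN was filtered before the server"
        elif len(t) > 1:
            verdict = ("SYN-ACK sent but never acknowledged: the client keeps retransmitting "
                       "its SYN, so the SYN-ACK is lost on the return path (e.g. at the NAT device)")
        else:
            verdict = "single SYN answered; trace too short to tell"
        results[key] = {
            "client_syns": len(t),
            "server_synacks": c["synacks"],
            "client_acks": c["client_acks"],
            "syn_intervals": [round(b - a, 1) for a, b in zip(t, t[1:])],  # SYN retransmit backoff
            "verdict": verdict,
        }
    return results

if __name__ == "__main__":
    for name, trace in (("thread trace", SAMPLE_TRACE), ("constructed handshake", HEALTHY_TRACE)):
        for (client, server), r in analyze(trace).items():
            print(f"{name}: {client[0]}:{client[1]} -> {server[0]}:{server[1]}")
            for field, value in r.items():
                print(f"  {field}: {value}")
```

On the thread's trace the script reports five client SYNs, nine server SYN-ACKs, no client ACK, and SYN retransmit intervals of 3, 6, 12 and 24 seconds. That backoff is the client's normal SYN retry schedule, which is why every tool "just times out" instead of failing quickly: from the client's point of view the server never answered. To use it on a live capture, replace SAMPLE_TRACE with the output of `tcpdump -netttvv -r file.pcap`; capturing on the router's outside interface, as Paul suggests, is what tells the two candidate culprits apart (SYN-ACK leaves the router: problem is upstream; SYN-ACK never leaves: problem is the router).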



apache ssl behind nat problems

2011-07-11 Thread Jacob L. Leifman
Environment:
 - OpenBSD 4.9, stock (base) apache with self-signed certificate
 - behind a SOHO NAT router (with relevant in-bound redirects)

Problem: non-local SSL connections never complete the handshake 
(verified while monitoring the interface with tcpdump, see below)

During troubleshooting I was able to eliminate a few suspects:
 - Regular un-encrypted HTTP (port 80) works every time;
 - https:// from the same LAN (i.e. no NAT) always works;
 - SSH always works (whether local or remote);
 - PF seems to have no bearing -- no difference in behavior whether 
enabled, enabled with pass in quick for the remote test host, or even 
altogether disabled.

Unfortunately, I cannot eliminate the NAT device and need to find a way 
to work with it.

All clues(ticks) are appreciated,
-Jacob.

Sanitized tcpdump -netttvv log:
Jul 11 17:26:39.589073 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74:
a.b.c.d.37325 > 192.168.x.y.443: S [tcp sum ok]
2560292710:2560292710(0) win 5840 <mss 1452,sackOK,timestamp 3005841692
0,nop,wscale 0> (DF) (ttl 45, id 30330, len 60)
Jul 11 17:26:39.590087 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok]
1786229842:1786229842(0) ack 2560292711 win 16384 <mss
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359378
3005841692> (DF) (ttl 64, id 5701, len 64)
Jul 11 17:26:42.584962 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74:
a.b.c.d.37325 > 192.168.x.y.443: S [tcp sum ok]
2560292710:2560292710(0) win 5840 <mss 1452,sackOK,timestamp 3005841992
0,nop,wscale 0> (DF) (ttl 45, id 30331, len 60)
Jul 11 17:26:42.585565 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok]
1786229842:1786229842(0) ack 2560292711 win 16384 <mss
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359384
3005841992> (DF) (ttl 64, id 52775, len 64)
Jul 11 17:26:42.589685 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok]
1786229842:1786229842(0) ack 2560292711 win 16384 <mss
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359384
3005841992> (DF) (ttl 64, id 3806, len 64)
Jul 11 17:26:48.584959 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74:
a.b.c.d.37325 > 192.168.x.y.443: S [tcp sum ok]
2560292710:2560292710(0) win 5840 <mss 1452,sackOK,timestamp 3005842592
0,nop,wscale 0> (DF) (ttl 45, id 30332, len 60)
Jul 11 17:26:48.585435 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok]
1786229842:1786229842(0) ack 2560292711 win 16384 <mss
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359396
3005842592> (DF) (ttl 64, id 4014, len 64)
Jul 11 17:26:48.590024 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok]
1786229842:1786229842(0) ack 2560292711 win 16384 <mss
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359396
3005842592> (DF) (ttl 64, id 59349, len 64)
Jul 11 17:27:00.584563 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74:
a.b.c.d.37325 > 192.168.x.y.443: S [tcp sum ok]
2560292710:2560292710(0) win 5840 <mss 1452,sackOK,timestamp 3005843792
0,nop,wscale 0> (DF) (ttl 45, id 30333, len 60)
Jul 11 17:27:00.584880 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok]
1786229842:1786229842(0) ack 2560292711 win 16384 <mss
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359419
3005843792> (DF) (ttl 64, id 4439, len 64)
Jul 11 17:27:00.590727 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok]
1786229842:1786229842(0) ack 2560292711 win 16384 <mss
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359419
3005843792> (DF) (ttl 64, id 17093, len 64)
Jul 11 17:27:24.585829 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74:
a.b.c.d.37325 > 192.168.x.y.443: S [tcp sum ok]
2560292710:2560292710(0) win 5840 <mss 1452,sackOK,timestamp 3005846192
0,nop,wscale 0> (DF) (ttl 45, id 30334, len 60)
Jul 11 17:27:24.586302 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok]
1786229842:1786229842(0) ack 2560292711 win 16384 <mss
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359467
3005846192> (DF) (ttl 64, id 12052, len 64)
Jul 11 17:27:24.592057 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok]
1786229842:1786229842(0) ack 2560292711 win 16384 <mss
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359467
3005846192> (DF) (ttl 64, id 15080, len 64)

Obligatory dmesg:

OpenBSD 4.9 (GENERIC) #671: Wed Mar  2 07:09:00 MST 2011
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III (GenuineIntel 686-class) 848 MHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PSE36,MMX,FXSR,
SSE
real mem  = 267915264 (255MB)
avail mem = 253403136 (241MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 01/21/04, BIOS32 rev. 0 @ 
0xffe90, SMBIOS rev. 2.3 @ 0xf6ef0 (60 entries)
bios0: vendor 

Re: It is 2010. Still no 3GB support by default?

2010-06-07 Thread Jacob L. Leifman
My first programming primer (Fortran ... them days) had a very concise 
delineation of the difference between neat programming and the much 
more common alternative -- given a big enough engine, even a brick will 
fly. I never cared for the American muscle cars but was always 
fascinated with the slick European sports cars. I guess that is the 
same attraction I have for OpenBSD. I also find that the currently 
popular obsession with CPU cores, GHz and GBs is nothing more than the 
computer version of the muscle car. (Yes, I am aware that there are 
specialized applications that do require the use of a monster-sized 
dump truck with an engine to match, but in reality how many places have 
a genuine need of a database that even with a fully optimized design 
requires that much physical RAM?)

On 8 Jun 2010 at 1:43, Dexter Tomisson wrote:

> No,
> 640k ought to be enough for anybody
>
> On 7 June 2010 22:12, Bret S. Lambert bret.lamb...@gmail.com
> wrote:
>
> > On Mon, Jun 07, 2010 at 09:52:50PM +0300, Dexter Tomisson wrote:
> >
> > It's the future, where's my goddamn flying car?



Re: Question about webmail for users who are not busy on ports prep for 4.6

2009-07-05 Thread Jacob L. Leifman
So far this thread has focused on the various IMAP based solutions and 
the merits of the many alternate components to such. Keying off some 
comments in the OP (below) I would like to point out that there _is_ 
an OpenBSD package openwebmail-2.51p1.tgz for a non-IMAP webmail. A few 
of the things that I like about this solution are:
 - it is written entirely in perl (no php or other non-base prereqs)
 - it works well when deployed on the mail server or over POP3
 - its interface is very clean yet fairly feature rich
 - it is browser agnostic and renders decently even on mobiles

Again, I bring this up only because it seems to me that the original 
goal was a simple non-IMAP solution and this suggestion should be taken 
completely independent of the rest of this thread -- IMAP adds 
capabilities and complexities that make any comparison of solutions 
with and without it mostly invalid.


On 4 Jul 2009 at 20:05, Rod Whitworth wrote:

> I have been running email for a couple of small domains for a few years
> using Postfix and Teapop on OpenBSD. No complaints.
>
> I have scripted user addition with passwords etc etc.
>
> Now somebody (important of course) wants webmail.
>
> I went hunting. About the only webmail server I found that did not need
> an imapd was sqwebmail and we don't have a port for that. Yes, I could
> have a crack at making a port but that, given a long absence from C
> for me and also that it doesn't look really modern, sounded like it
> would be loading myself with a pressure job.
>
> So looking at others needing imap showed me RoundCube. Pretty snazzy
> looks, renders all that fancy junk that seems to be all the go now and
> we have a package for it.
>
> So which imap? Dovecot looked like a candidate. It can use sqlite as
> does Roundcube and I know it can do authentication for Postfix so it
> looked like a suitable candidate.
>
> Then I found out that Roundcube uses sqlite and Dovecot uses sqlite3. I
> don't think I want to have to synch two databases all the time.
>
> Does anybody know what combination works well with nothing as silly as
> mismatched db versions? Maybe there is a way to get Roundcube (the
> component I'd like to keep) to compile with sqlite3 but I haven't seen
> a hint that that is supported, and whilst I do more research I'd like
> to hear from someone who has invented the wheel I'm working on.
>
> Thanks,
>
> *** NOTE *** Please DO NOT CC me. I am subscribed to the list.
> Mail to the sender address that does not originate at the list server is
> tarpitted. The reply-to: address is provided for those who feel compelled to
> reply off list. Thank you.
>
> Rod/
> /earth: write failed, file system is full
> cp: /earth/creatures: No space left on device



Re: Partition confusion

2009-06-06 Thread Jacob L. Leifman
On 6 Jun 2009 at 12:11, Donald Allen wrote:

> On Sat, Jun 6, 2009 at 11:49 AM, Lars Nooden <lars.cura...@gmail.com> wrote:
> > Can't the legacy system be modified to work with FFS or EXT2?
>
> Hi --
>
> Are you addressing that question to me? If so, I'm really not sure I
> understand your question. What do you mean by the legacy system? If
> so, are you suggesting that perhaps XP can be modified to work with
> FFS or ext2? The answer to that, I believe, is no. While proudly not
> a Windows expert, I believe XP supports only Microsoft filesystems --
> ntfs, fat and fat32.

It is common to use the term legacy system to refer to proprietary OS 
including/especially Micro$oft Windows. And since I learned more than I 
ever cared about Windows XP, it _can_ be made to support much more than 
what is provided by Microsoft. In particular, there are a few stable 
and open source drivers to allow XP to access Linux ext2/3 filesystems. 
There is also a FOSS driver for FFS but it has not been updated in a 
long time and in my experience did not work too well with OpenBSD.

> As I said in my previous post, pscp and another machine present a
> simple workaround for this issue. I've got multiple machines, I rsync
> my home directory from one to the other when I have occasion to use
> something other than my primary machine, and so it's a simple matter
> to pscp file from the Windows filesystem to another machine running
> OpenBSD or Linux (which I run on my old TP 600x, on which OpenBSD
> doesn't fare too well, discussed in an earlier thread). This is needed
> very rarely (typically only when I travel and get on the network via
> wifi, which I do with Windows, just because it's easier) and so it's
> probably not worth bothering to build a kernel to add ntfs support.
>
> /Don
>
> >
> >
> > -Lars