Re: installing packages mentioned as dependency in ports package
On Fri, 21 Jun 2024 20:16:57 +0530 Sandeep Gupta wrote:
> My query is how to install build dependency of a package listed in
> ports?

I have FETCH_PACKAGES=-Dsnap in my /etc/mk.conf so that for all dependencies pkg_add -Dsnap is tried first (see bsd.port.mk(5) for details). You can also pass that as an argument to make(1).
Re: sftp server empty password login
On Tue, 26 Mar 2024 10:28:11 +0100 Sylvain Saboua wrote:
> Match User media
> ForceCommand internal-sftp -d /home/media
> ChrootDirectory /home/media
> PasswordAuthentication yes
> AuthenticationMethods none
> PermitEmptyPasswords yes

You probably also want DisableForwarding there. Otherwise everyone can use your machine as a proxy. This happened to me with a similar setup to allow anonymous git cloning. Some spammer figured it out and used my server as a relay. Don't be me ... ;)
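An added check to go with the reply above (example code, not from either poster): a small sh/awk audit that scans an sshd_config(5) for Match blocks which grant a restricted sftp login (ChrootDirectory and/or ForceCommand internal-sftp) but do not also set DisableForwarding yes. Without that keyword TCP, agent, X11 and StreamLocal forwarding stay enabled for the account, which is how a chrooted "anonymous" login turns into an open relay. The sample configuration embedded at the bottom is constructed for the demo: the block from the post followed by the same block with the fix.

```shell
#!/bin/sh
# Added example, not from the thread. Scans an sshd_config(5) for Match blocks
# that hand out a restricted sftp-only login (ChrootDirectory and/or
# ForceCommand internal-sftp) without also setting "DisableForwarding yes".

# audit_sshd_config FILE -> prints "line N: Match ..." per offending block,
# returns 1 if any were found, 0 if the file is clean.
audit_sshd_config() {
    awk '
    function flush() {
        if (inmatch && (chroot || sftp) && !disfwd) {
            printf "line %d: %s\n", mline, mtext
            bad++
        }
        inmatch = 0; chroot = 0; sftp = 0; disfwd = 0
    }
    {
        orig = $0
        sub(/#.*/, "")              # drop comments; $0 is re-split into fields
        if (NF == 0) next
        key = tolower($1)           # sshd_config keywords are case-insensitive
        if (key == "match") {
            flush()                 # a new Match ends the previous block
            inmatch = 1; mline = NR; mtext = orig
            next
        }
        if (!inmatch) next          # the global section is not audited here
        if (key == "chrootdirectory") chroot = 1
        else if (key == "forcecommand" && tolower($2) == "internal-sftp") sftp = 1
        else if (key == "disableforwarding" && tolower($2) == "yes") disfwd = 1
    }
    END { flush(); exit (bad > 0) }
    ' "$1"
}

# Constructed sample: the block from the post, then the same block with the fix.
sample_sshd_config() {
    cat <<'EOF'
Port 22
Match User media
    ForceCommand internal-sftp -d /home/media
    ChrootDirectory /home/media
    PasswordAuthentication yes
    AuthenticationMethods none
    PermitEmptyPasswords yes
Match User media2
    ForceCommand internal-sftp -d /home/media2
    ChrootDirectory /home/media2
    DisableForwarding yes
EOF
}

demo=$(mktemp)
sample_sshd_config > "$demo"
audit_sshd_config "$demo" || :       # reports "line 2: Match User media" only
rm -f "$demo"
```

On a real host run `audit_sshd_config /etc/ssh/sshd_config`; a ChrootDirectory set in the global section is deliberately not reported, since the point of the check is the per-account Match block.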
Re: Ignore some USB devices
On Mon, 19 Feb 2024 19:43:14 +0100 Kirill A. Korinsky wrote:
> I do have two USB audio devices:
>
> ~ $ usbdevs -v
> Controller /dev/usb0:
> ...
> addr 07: 043e:9a66 LG Electronics Inc., LG UltraFine Display Audio
>   high speed, self powered, config 1, rev 0.03
>   driver: uaudio0
> ...
> addr 13: 041e:3130 Creative, Creative BT-W5
>   full speed, self powered, config 1, rev 10.00, iSerial D97E0B7F86B95AC32000
>   driver: uhidev10
>   driver: uhidev11
>   driver: uaudio1
> ~ $
>
> Both of them are managed by uaudio. How can I disable the first one,
> without disabling the second one?

You can select which audio device is used with the -f/-F flags to sndiod (details in the man page) in /etc/rc.conf.local. Maybe that helps?
crontab and /usr/local/{,s}bin
Hi,

what is the reason that /usr/local/{,s}bin is not in PATH in crontab? This seems to be the case on all unix-like systems and it regularly bites people. Sometimes someone says it's for security w/o being able to tell what is being prevented by this. Or is it just some historic default no one bothered to change?

Kind regards,
Thomas
Re: tcpdump rotating issue with newsyslog
On Sun, 10 Apr 2022 17:00:25 -0400 Nick Holland wrote:
> On 4/10/22 9:39 AM, Yogendra Kumar Chaudhary wrote:
> > I am running the following command in the OpenBSD 6.2.
>
> You should really upgrade. That version has not received security patches for several years.
>
> So, I'm thinking you probably want a 'b' and a SIGHUP sent to tcpdump.
> You can validate my second point by disabling the compression, I
> suspect you will see your .0 file continue to grow in size, until it
> becomes .1, etc.

What Nick suspects is likely true, but tcpdump will just quit on SIGHUP. You could restart the capture instead. Capturing network traffic for days might use a lot of disk space though.

Kind regards,
Thomas
Re: video shows green box on -current
On Wed, 17 Mar 2021 00:05:24 +0100 Pau wrote:
> Any idea?

https://www.openbsd.org/faq/current.html#r20201229 by any chance?

> thanks,
>
> Pau

Kind regards,
Thomas
Any experience with 10Gbe?
I'm supporting a small business who needs more bandwidth due to the work-from-home situation. They've asked me to help them do the upgrade to 10Gbe. I'd prefer to keep them on an OpenBSD router, since I love how little maintenance it needs, but I can't find any accounts of someone actually managing to get close to line speed above 1 Gbe. I don't want to just buy expensive hardware and hope that it works. Has anyone here been able to get close to 10 Gb/s networking with OpenBSD? I don't need to be able to have more than a few pf rules.

-- 
Nicholas C. L. Ipsen
Re: Strange behavior when I try to use lladdr
On Fri, 22 May 2020 13:12:15 +0300 Денис Давыдов wrote:
> P.S. offtopic: I turn to the developers: I tearfully ask you to add
> python to the base installation. This would allow the configuration
> to be rolled automatically using Ansible right after installing an OS.
> It would simplify the task of configuring OpenBSD on remote hosts.

I solved this by having a task

  - name: install python3
    raw: pkg_add python3

at the beginning (raw doesn't need python on the target machine).

Kind regards,
Thomas
Re: pkg_add: how to specify both flavor and branch
On Sun, 26 Jan 2020 10:54:25 - (UTC) Stuart Henderson wrote:
> You need to know the name of the directory in ports to use this
> notation. Formats vary. Here you would use "pkg_add gnupg--%gnupg2".
>
> If you don't have a ports tree installed and need to find the path,
> install the package interactively and look for the "@comment pkgpath"
> line in /var/db/pkg/$packagename/+CONTENTS, take the last element of
> the directory name.

Thanks, this is the info I was missing. :)
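The lookup Stuart describes, as an added example (not code from the thread): read the "@comment pkgpath=" line of an installed package's +CONTENTS, take the last path element as the branch, and combine it with the stem and an optional flavor into the stem--flavor%branch form that packages-specs(7) accepts, which for the case above yields exactly "gnupg--%gnupg2". The +CONTENTS sample embedded for the demo is constructed, not copied from a real package; on a real system point the functions at /var/db/pkg/<package>/+CONTENTS.

```shell
#!/bin/sh
# Added example, not from the thread. Derives a pkg_add(1) package
# specification (stem--flavor%branch, see packages-specs(7)) from the
# "@comment pkgpath=..." line in an installed package's +CONTENTS file.

# pkgpath_branch CONTENTS_FILE -> last element of the pkgpath (the %branch name)
pkgpath_branch() {
    awk '$1 == "@comment" && $2 ~ /^pkgpath=/ {
            p = $2
            sub(/^pkgpath=/, "", p)
            sub(/,.*/, "", p)          # drop a ",-subpackage" suffix if present
            n = split(p, e, "/")
            print e[n]
            exit
        }' "$1"
}

# pkg_stem CONTENTS_FILE -> stem from the @name line (everything before "-<digit>")
pkg_stem() {
    awk '$1 == "@name" { s = $2; sub(/-[0-9].*/, "", s); print s; exit }' "$1"
}

# pkg_spec STEM BRANCH [FLAVOR] -> "stem--flavor%branch"; an empty flavor
# gives "stem--%branch", the form used in the reply above.
pkg_spec() {
    printf '%s--%s%%%s\n' "$1" "${3:-}" "$2"
}

# pkg_spec_from_contents CONTENTS_FILE [FLAVOR]
pkg_spec_from_contents() {
    pkg_spec "$(pkg_stem "$1")" "$(pkgpath_branch "$1")" "${2:-}"
}

# Constructed sample for the demo, modelled on the +CONTENTS layout; on a
# real system use /var/db/pkg/<package>/+CONTENTS instead.
sample_contents() {
    cat <<'EOF'
@name gnupg-2.2.12p0
@version 3
@comment pkgpath=security/gnupg2 cdrom=yes ftp=yes
@arch amd64
EOF
}

demo=$(mktemp)
sample_contents > "$demo"
pkg_spec_from_contents "$demo"          # prints: gnupg--%gnupg2
rm -f "$demo"
```

The stem and branch are read from the file; the flavor is the one argument the script cannot derive, so pass it explicitly (for example `pkg_spec gnupg gnupg2 card-ldap`) when a flavored build is wanted.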
pkg_add: how to specify both flavor and branch
Hello,

`pkg_add gnupg` is ambiguous since there are gnupg-1.4.23p3-card-ldap, gnupg-1.4.23p3 and gnupg-2.2.12p0, but neither `pkg_add gnupg%2.2`, `pkg_add gnupg--%2.2` nor `pkg_add gnupg%2.2--` works. So how do I specify the exact package in this case? (I know that `pkg_add gnupg-2.2.12p0` works, but I'd rather not specify the version down to the patch level in my deploy script.)

Kind regards,
Thomas
Re: openup service question
On Mon, 16 Sep 2019 at 09:13:13 +, rsyk...@disroot.org wrote:
> Dear list,
>
>
> I have been using the "openup" service to keep my amd64 machine updated
> to the latest stable, i.e. 6.5, available at
>
> https://www.mtier.org/solutions/apps/openup/
>
> Recently I get:
>
> odin# ./openup
>
> ===> Checking for openup update
> ===> Installing/updating syspatches
> Get/Verify syspatch65-011_expat.tgz 100% |**| 588 KB 00:00
>
> Installing patch 011_expat
> Errata can be reviewed under /var/syspatch
> ===> Updating package(s)
> https://stable.mtier.org/updates/6.5/amd64/: ftp: Error retrieving file: 401
> Unauthorized
> https://stable.mtier.org/updates/6.5/amd64/: empty
>
> If anybody here understands what is happening to me, I'd be grateful to know.
> The site claims the support for the most recent release is free. Yet, ...
>
> I tried to contact their support twice, but got no reply.
>
>
> Thank you for any comments!
> Ruda
>
>
> PS.: Does using openup convey any advantage over running "syspatch" and
> "pkg_add -u" on amd64?
>

Now you can switch: https://undeadly.org/cgi?action=article;sid=20190814112133

-- 
- gonzalo
Re: Upgrade procedure (6.4 -> 6.5)
On Thu, 02 May 2019 at 11:46:20 +0200, Noth wrote:
>
> On 02/05/2019 11:02, Consus wrote:
> > On 10:27 Thu 02 May, Markus Hennecke wrote:
> > > On 02.05.2019 at 09:52, Consus wrote:
> > > > I've upgraded my systems from 6.4 to 6.5 without a glitch, but I see
> > > > that /etc/networks and some other files (like malloc.conf.5) are still
> > > > present, although there is no use for them in the new release.
> > > >
> > > > Is there a reason why these files are not listed in "Files to remove"?
> > > > Is there a way to track them? It's not like something gonna break, but
> > > > old configuration files (and manual pages) lying around can make
> > > > someone's life harder during the debug session.
> > > Take a look at the sysutils/sysclean port.
> > That's pretty much how I discovered this. But I want to know the
> > "official" way. Maybe there is a reason why e.g. perl files are to be
> > removed, but man pages are not.
> >
> I set up a script for sysclean:
>
> cat sysclean65.txt | while read line ; do rm -rf "${line}" ; done

You probably want some /etc/sysclean.ignore bits before that

> sysclean65.txt is obtained by running sysclean -a >>sysclean65.txt . I don't
> run that line in sysclean65.sh because the files have to be reviewed to
> prevent deletion of any additional files you may have added, like certs or
> scripts.
>
> HTH
>
> Noth
>
-- 
- gonzalo
Re: NextCloud: failed integrity checks
On [22/07/18] [08:32P], Johan Huldtgren wrote:
> On 2018/07/22 15:39, Nicolas Schmidt wrote:
> > After installation on OpenBSD 6.3 with pkg_add, NextCloud complains about
> > files failing the integrity checks. More specifically:
> >
> > - occ
> >   * expected hash: 7e3fce0d7b5c20a7775ed1b548cb2e29bed078d3ca77b01a83d438f671b3d473147d4e8217d2084e17b6fe23a18ba258b11ba60106e23381f1e2889ce14971c4
> >   * current hash: 7693eb89c0bc218712d68ec58599efa46e5c3729814e2aad16bf2c0079be7ae1909f072ead7889883c0a89b6c51570800d9e8a71f35866cb4e0c47aeaa5a4b2b
> > - version.php
> >   * expected hash: 4e9046aca4fd8e942ba7bd505374e22ddd500a99b3a46d57d629b99c3132a66206883053f22801894929e51fca307c740062b497d55639bcc9a3154ada3504ff
> >   * current hash: 30cd43589fc8ab273fa25e1a477c8cbadb13bac5541daa6d3fa0490a0c2054c2c29a274fd50eec66934a9d9adc541dec8701e7463922d36174478ae3e9a64981
> > - apps/updatenotification/appinfo/info.xml
> >   * expected hash: bf7983ffe422ba215c04a0069081fab0c78ba81fa40a90cbdd3595182e011fb7f3e0bd1cd14cdea742cafb89f1da001582fe8d560749d98ea540b4ee76dd9898
> >   * current hash: d2984fa816b4cea71e7c09f36a4132e7cb88d357f22e1c795778deccdb4066beaef2876b95d849e6eeae37b879c0f63500b0958a6a61bab1c933736bf135c440
> >
> > Anybody able to reproduce?
>
> yeah this is known. The port modifies these files to work with OpenBSD (if
> you look at the port these files are the ones we patch). You can work
> around this by adding this to your config.php
>
> 'integrity.check.disabled' => true,
>
> .jh

https://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/www/nextcloud/Makefile?rev=1.17=text/x-cvsweb-markup

-- 
Sending from my toaster.
Re: NextCloud: failed integrity checks
On [22/07/18] [07:39P], Nicolas Schmidt wrote:
> After installation on OpenBSD 6.3 with pkg_add, NextCloud complains about
> files failing the integrity checks. More specifically:
>
> - occ
>   * expected hash: 7e3fce0d7b5c20a7775ed1b548cb2e29bed078d3ca77b01a83d438f671b3d473147d4e8217d2084e17b6fe23a18ba258b11ba60106e23381f1e2889ce14971c4
>   * current hash: 7693eb89c0bc218712d68ec58599efa46e5c3729814e2aad16bf2c0079be7ae1909f072ead7889883c0a89b6c51570800d9e8a71f35866cb4e0c47aeaa5a4b2b
> - version.php
>   * expected hash: 4e9046aca4fd8e942ba7bd505374e22ddd500a99b3a46d57d629b99c3132a66206883053f22801894929e51fca307c740062b497d55639bcc9a3154ada3504ff
>   * current hash: 30cd43589fc8ab273fa25e1a477c8cbadb13bac5541daa6d3fa0490a0c2054c2c29a274fd50eec66934a9d9adc541dec8701e7463922d36174478ae3e9a64981
> - apps/updatenotification/appinfo/info.xml
>   * expected hash: bf7983ffe422ba215c04a0069081fab0c78ba81fa40a90cbdd3595182e011fb7f3e0bd1cd14cdea742cafb89f1da001582fe8d560749d98ea540b4ee76dd9898
>   * current hash: d2984fa816b4cea71e7c09f36a4132e7cb88d357f22e1c795778deccdb4066beaef2876b95d849e6eeae37b879c0f63500b0958a6a61bab1c933736bf135c440
>
> Anybody able to reproduce?
>
> --Nicolas

Hello,

This is fixed on -current, I disabled the patching on the nextcloud version to avoid this error.

Cheers.-

-- 
Sending from my toaster.
Re: roundcube installation php modules
On [10/07/18] [02:59P], Danny AwesomeRetro wrote:
> No problem, that fixed the issue for me ;) thank you, this has cost me
> around 18 hours of searching
>
> Cheers,
> Danny
>
> On 07/10/2018 04:25 PM, Vijay Sankar wrote:
> > Sorry to interject -- just wondering if you read the instructions towards
> > the bottom in /usr/local/share/doc/pkg-readmes for php-5.6. It
> > specifically says
> >
> > # cd /etc/php-5.6.sample
> > # for i in *; do ln -sf ../php-5.6.sample/$i ../php-5.6/; done
> >
> > HTH,
> > Vijay
> >
> > Quoting Teno Deuter :
> > > actually I had to define the absolute path to the module. After doing
> > > this it did work! I still have the issue with Imagick though! There is
> > > no module for that in the OpenBSD repository as it's already integrated
> > > in php - correct? In that case should I ignore that?
> > >
> > > Thank you
> > >
> > > On Tue, Jul 10, 2018 at 2:30 PM, Teno Deuter wrote:
> > > > sorry forgot to mention that after doing the below changes I did
> > > > restart the server!
> > > >
> > > > Thank you
> > > >
> > > > On Tue, Jul 10, 2018 at 2:29 PM, Teno Deuter wrote:
> > > > > here are my current extension settings in php-5.6.ini:
> > > > >
> > > > > ;extension=php_bz2.dll
> > > > > ;extension=php_curl.dll
> > > > > ;extension=php_fileinfo.dll
> > > > > extension=php_gd2.dll
> > > > > ;extension=php_gettext.dll
> > > > > ;extension=php_gmp.dll
> > > > > extension=php_intl.dll
> > > > > ;extension=php_imap.dll
> > > > > ;extension=php_interbase.dll
> > > > > ;extension=php_ldap.dll
> > > > > ;extension=php_mbstring.dll
> > > > > ;extension=php_exif.dll ; Must be after mbstring as it depends on it
> > > > > ;extension=php_mysql.dll
> > > > > ;extension=php_mysqli.dll
> > > > > ;extension=php_oci8_12c.dll ; Use with Oracle Database 12c Instant Client
> > > > > ;extension=php_openssl.dll
> > > > > ;extension=php_pdo_firebird.dll
> > > > > ;extension=php_pdo_mysql.dll
> > > > > ;extension=php_pdo_oci.dll
> > > > > ;extension=php_pdo_odbc.dll
> > > > > ;extension=php_pdo_pgsql.dll
> > > > > extension=php_pdo_sqlite.dll
> > > > > ;extension=php_pgsql.dll
> > > > > ;extension=php_shmop.dll
> > > > > ;extension=php_soap.dll
> > > > > ;extension=php_sockets.dll
> > > > > extension=php_sqlite3.dll
> > > > > ;extension=php_sybase_ct.dll
> > > > > ;extension=php_tidy.dll
> > > > > ;extension=php_xmlrpc.dll
> > > > > ;extension=php_xsl.dll
> > > > >
> > > > > but nothing happens. I still get the same error in the first
> > > > > installer step.
> > > > >
> > > > > Thank you
> > > > >
> > > > > On Tue, Jul 10, 2018 at 2:07 PM, wrote:
> > > > > > Have you altered your php.ini to load the extensions and restart
> > > > > > php-fpm?
> > > > > >
> > > > > > On Jul 10, 2018 7:00 AM, Teno Deuter wrote:
> > > > > > > Dear list,
> > > > > > >
> > > > > > > on an OpenBSD 6.3 machine I run httpd and opensmtpd and try to
> > > > > > > install roundcubemail 1.3.5 from the OpenBSD packages repository.
> > > > > > > When running the installer, in the first page, I get the
> > > > > > > following warnings:
> > > > > > >
> > > > > > > FileInfo: OK
> > > > > > > Libiconv: OK
> > > > > > > Intl: NOT AVAILABLE (See http://www.php.net/manual/en/book.intl.php)
> > > > > > > Exif: OK
> > > > > > > LDAP: NOT AVAILABLE (See http://www.php.net/manual/en/book.ldap.php)
> > > > > > > GD: NOT AVAILABLE (See http://www.php.net/manual/en/book.image.php)
> > > > > > > Imagick: NOT AVAILABLE (See http://www.php.net/manual/en/book.imagick.php)
> > > > > > >
> > > > > > > but pkg_info shows:
> > > > > > >
> > > > > > > php-gd-5.6.34 image manipulation extensions for php
> > > > > > > php-intl-5.6.34 intl library support for php
> > > > > > >
> > > > > > > and I think php-imagick is already part of the php OpenBSD
> > > > > > > package. Why do I get the above warnings?
> > > > > > >
> > > > > > > Also, in the second installation page I get the following:
> > > > > > >
> > > > > > > Mimetype to file extension mapping: NOT OK
> > > > > > >
> > > > > > > but in httpd.conf, on the top of the file, I have the following
> > > > > > > entry:
> > > > > > >
> > > > > > > types { include "/usr/share/misc/mime.types" }
> > > > > > >
> > > > > > > Thank you
> >
> > Vijay Sankar, M.Eng., P.Eng.
> > ForeTell Technologies Limited
> > vsan...@foretell.ca

You always can check /usr/local/share/doc/pkg-readmes for the README

-- 
Sending from my toaster.
Re: WHere to put certificates for IKEDv2?
On Sun, Jun 24, 2018 at 12:42:15PM +0200, C. L. Martinez wrote:
> On Sun, Jun 24, 2018 at 08:43:32AM +, Stuart Henderson wrote:
> > On 2018-06-23, C. L. Martinez wrote:
> > > Hi all,
> > >
> > > I am using Easy-RSA to manage my home's CA (using elliptic curve
> > > certificates). I have created a certificate for my OpenBSD gw for IKEv2
> > > connections (using strongswan mainly). My question is where do I need to
> > > put OpenBSD certs under /etc/iked?
> > >
> > > I have installed myhost.crt in /etc/iked/pubkeys/fqdn/myhost.crt and
> > > myhost.key in /etc/iked/private/myhost.key, but running "iked -dvv"
> > > returns me the following error:
> >
> > The CA cert needs to go in /etc/iked/ca, do you have that?
> >
>
> Yes, it is there: -rw-r--r-- 1 root wheel 1326 Jun 24 10:12 /etc/iked/ca/ca.crt

But when I start iked using "-dvv" and the client tries to connect, I see the following error:

sa_stateflags: 0x0024 -> 0x0024 certreq,sa (required 0x )
config_free_proposals: free 0x177c81779900
config_free_proposals: free 0x177c81773080
config_free_proposals: free 0x177c81773400
config_free_proposals: free 0x177c81773580
ca_getreq: found CA /C=ES/ST=Barcelona/
ca_getreq: no valid local certificate found
ca_setauth: auth length 256
ikev2_getimsgdata: imsg 20 rspi 0xf4b5f385469a92a5 ispi 0xd7906e9f68bda52b initiator 0 sa valid type 0 data length 0
ikev2_dispatch_cert: cert type NONE length 0, ignored
ikev2_getimsgdata: imsg 25 rspi 0xf4b5f385469a92a5 ispi 0xd7906e9f68bda52b initiator 0 sa valid type 1 data length 256
ikev2_dispatch_cert: AUTH type 1 len 256
sa_stateflags: 0x0024 -> 0x002c certreq,auth,sa (required 0x )

But the CA cert is loaded:

ikev2 "ipseccli" passive esp inet from 0.0.0.0/0 to 0.0.0.0/0 local 0.0.0.0/0 peer 0.0.0.0/0 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 signature
/etc/iked.conf: loaded 2 configuration rules
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
config_new_user: inserting new user testusr
ca_privkey_to_method: type RSA_KEY method RSA_SIG
config_getpolicy: received policy
ca_getkey: received private key type RSA_KEY length 1191
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getmobike: mobike
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
ca_reload: loaded ca file ca.crt
ca_reload: /C=ES/ST=Barcelona/
ca_reload: loaded 1 ca certificate
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20

But I am thinking that maybe there are some problems:

- First, I am using strongswan for Android as a client, do I need to use some specific crypto algorithms on the iked side?
- Second, maybe it is the best option to use EAP user auth instead of certificates?
- I am using ECDSA certs, any problem with that?

Thanks

-- 
Greetings,
C. L. Martinez
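An added layout check, not part of the thread, for the directories iked(8) actually reads. Its FILES section lists /etc/iked/ca/ for CA certificates, /etc/iked/certs/ for the local certificate, /etc/iked/private/local.key for the local private key, and /etc/iked/pubkeys/ for bare public keys of peers. The post above installs the certificate under pubkeys/fqdn/ and the key as private/myhost.key, and the -dvv output reports the loaded private key as RSA_KEY while the certificates are ECDSA, so both the placement and whether the key and certificate actually pair are worth confirming before looking at algorithms. The script only inspects the tree and, when openssl(1) is available, compares the public key of each certificate in certs/ with the one derived from private/local.key; the default directory is /etc/iked and the scratch layout mentioned in the usage note is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Checks an iked(8) certificate tree
# against the layout iked(8)'s FILES section describes: ca/ for CA
# certificates, certs/ for the local certificate, private/local.key for the
# local private key, and pubkeys/{ipv4,ipv6,fqdn,ufqdn}/ for peers' bare
# public keys. The directory argument defaults to /etc/iked.

has_entries() {            # has_entries DIR -> true if DIR contains any file
    set -- "$1"/*
    [ -e "$1" ]
}

# iked_layout_check [DIR] -> prints one finding per line, true only if none
iked_layout_check() {
    dir=${1:-/etc/iked}
    findings=0
    if ! has_entries "$dir/ca"; then
        echo "no CA certificate in $dir/ca/"
        findings=$((findings + 1))
    fi
    if ! has_entries "$dir/certs"; then
        echo "no local certificate in $dir/certs/ (this is where iked looks for it)"
        findings=$((findings + 1))
    fi
    if [ ! -f "$dir/private/local.key" ]; then
        echo "no $dir/private/local.key (iked reads the local private key from this fixed path)"
        findings=$((findings + 1))
    fi
    for f in "$dir"/pubkeys/*/*; do
        [ -f "$f" ] || continue
        if grep -q 'BEGIN CERTIFICATE' "$f" 2>/dev/null; then
            echo "certificate in pubkeys tree: $f (pubkeys/ holds bare public keys; certificates go in certs/)"
            findings=$((findings + 1))
        fi
    done
    # With openssl available, confirm that private/local.key pairs with the
    # certificate(s) in certs/; a mismatch also leaves iked without a usable
    # local certificate. Unparseable files are skipped rather than reported.
    if command -v openssl >/dev/null 2>&1 && [ -f "$dir/private/local.key" ]; then
        keypub=$(openssl pkey -in "$dir/private/local.key" -pubout 2>/dev/null)
        for c in "$dir"/certs/*; do
            [ -f "$c" ] || continue
            certpub=$(openssl x509 -in "$c" -noout -pubkey 2>/dev/null)
            if [ -n "$keypub" ] && [ -n "$certpub" ] && [ "$keypub" != "$certpub" ]; then
                echo "key/certificate mismatch: $c does not pair with private/local.key"
                findings=$((findings + 1))
            fi
        done
    fi
    [ "$findings" -eq 0 ]
}

# Run against the real tree when it exists; findings go to stdout.
[ -d "${1:-/etc/iked}" ] && iked_layout_check "${1:-/etc/iked}" || :
```

Pointed at a scratch copy of the layout from the post (ca/ca.crt, pubkeys/fqdn/myhost.crt, private/myhost.key) the check reports three findings: nothing in certs/, no private/local.key, and a certificate under pubkeys/. After moving the certificate to certs/ and the key to private/local.key it reports none, and the pairing test then tells whether the RSA local.key and the ECDSA certificate belong together.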
Re: WHere to put certificates for IKEDv2?
On Sun, Jun 24, 2018 at 08:43:32AM +, Stuart Henderson wrote:
> On 2018-06-23, C. L. Martinez wrote:
> > Hi all,
> >
> > I am using Easy-RSA to manage my home's CA (using elliptic curve
> > certificates). I have created a certificate for my OpenBSD gw for IKEv2
> > connections (using strongswan mainly). My question is where do I need to
> > put OpenBSD certs under /etc/iked?
> >
> > I have installed myhost.crt in /etc/iked/pubkeys/fqdn/myhost.crt and
> > myhost.key in /etc/iked/private/myhost.key, but running "iked -dvv" returns
> > me the following error:
>
> The CA cert needs to go in /etc/iked/ca, do you have that?
>

Yes, it is there: -rw-r--r-- 1 root wheel 1326 Jun 24 10:12 /etc/iked/ca/ca.crt

-- 
Greetings,
C. L. Martinez
WHere to put certificates for IKEDv2?
Hi all,

I am using Easy-RSA to manage my home's CA (using elliptic curve certificates). I have created a certificate for my OpenBSD gw for IKEv2 connections (using strongswan mainly). My question is where do I need to put OpenBSD certs under /etc/iked?

I have installed myhost.crt in /etc/iked/pubkeys/fqdn/myhost.crt and myhost.key in /etc/iked/private/myhost.key, but running "iked -dvv" returns me the following error:

ikev2_msg_auth: initiator auth data length 960
ikev2_msg_authverify: method SIG keylen 962 type X509_CERT
_dsa_verify_init: signature scheme 4 selected
ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x0024 -> 0x0034 certreq,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
ikev2_sa_negotiate: score 0
ikev2_sa_negotiate: score 10
ikev2_sa_negotiate: score 0
ikev2_sa_negotiate: score 4
sa_stateflags: 0x0034 -> 0x0034 certreq,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x0030, require 0x003b cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
config_free_proposals: free 0xb9bb7e8a80
config_free_proposals: free 0xb9bb7e8700
config_free_proposals: free 0xb965e22400
config_free_proposals: free 0xba238e1e80
ca_getreq: found CA /C=ES/ST=Barcelona..
ca_getreq: no valid local certificate found
ca_setauth: auth length 256
ca_validate_pubkey: unsupported public key type ASN1_DN
ca_validate_cert: /C=ES/... ok

Do I need to install user certificates also in the OpenBSD gw?

thanks

-- 
Greetings,
C. L. Martinez
Re: Autocompletion with pass in ksh
On Fri, 25 May 2018 08:36:44 +0200 Niels Kobschaetzki wrote:
> I got a reply on twitter from Roman Zolltarif who wrote a blog post
> about it :)
> https://www.romanzolotarev.com/pass.html#Completions%20in%20Korn%20shell

This seems to be a custom pass implementation. Anyway, you can get autocompletion for pass (mostly) with

  IFS=' '
  set -A complete_pass init ls find show grep insert edit generate rm mv cp git help version \
      $(cd ~/.password-store; find * -name '*.gpg' | sed -ne 's/^\(.*\)\.gpg$/\1/p')
  IFS=' '

Kind regards
Thomas
Re: Errors with Php and curl under OpenBSD 6.3
Works!! ... Many thanks Manolis.

On Tue, Apr 24, 2018 at 9:10 AM, Manolis Tzanidakis <mtzanida...@gmail.com> wrote:
> Oops, forgot a sub-directory. Try this, instead:
>
> # mkdir -p /var/www/etc/ssl; cp /etc/ssl/cert.pem /var/www/etc/ssl
>
> On Tue (24/04/18), Manolis Tzanidakis wrote:
> > Hello,
> > try copying cert.pem to the www chroot:
> >
> > # mkdir -p /var/www/etc; cp /etc/ssl/cert.pem /var/www/etc/ssl
> >
> > and restart php-fpm.
> >
> > On Tue (24/04/18), C. L. Martinez wrote:
> > > Hi all,
> > >
> > > Since this morning my OpenBSD 6.3 host (with tt-rss installed) returns
> > > the following error when I try to add some feeds:
> > >
> > > Couldn't download the specified URL: ; 77 error setting certificate verify
> > > locations: CAfile: /etc/ssl/cert.pem CApath: none
> > >
> > > It seems some type of problem with curl ... Am I right? I found some
> > > solutions but all of them involve making use of an insecure connection
> > > with curl.
> > >
> > > Any idea?
> > >
> > > Thanks.
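The fix above is a one-time copy, but php-fpm runs chrooted to /var/www, so the copy under /var/www/etc/ssl/cert.pem goes stale every time the base bundle changes (syspatch, release upgrade), and curl then trusts an old CA set. As an added example (not the posters' commands), a pair of sh functions that compare the chroot copy with the source and refresh it only when they differ; /var/www and /etc/ssl/cert.pem are the defaults from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. httpd(8) and php-fpm run chrooted to
# /var/www, so curl inside PHP only sees /var/www/etc/ssl/cert.pem. That copy
# goes stale whenever the base bundle changes, so check it against the
# source instead of only creating it once.

# chroot_cert_status CHROOT [SRC] -> prints missing|stale|current,
# true only when the copy matches the source
chroot_cert_status() {
    src=${2:-/etc/ssl/cert.pem}
    dst=$1/etc/ssl/cert.pem
    if [ ! -f "$dst" ]; then
        echo missing; return 1
    elif cmp -s "$src" "$dst"; then
        echo current; return 0
    else
        echo stale; return 1
    fi
}

# chroot_cert_sync CHROOT [SRC] -> install or refresh the copy, world-readable
# so the unprivileged www user inside the chroot can open it
chroot_cert_sync() {
    src=${2:-/etc/ssl/cert.pem}
    mkdir -p "$1/etc/ssl" &&
    cp "$src" "$1/etc/ssl/cert.pem" &&
    chmod 0644 "$1/etc/ssl/cert.pem"
}

# Typical use (as root, from cron or after syspatch); refresh only when needed:
#   chroot_cert_status /var/www >/dev/null || chroot_cert_sync /var/www
```

Restart php-fpm after a refresh as in the thread; a long-running worker keeps the bundle it loaded at start.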
Errors with Php and curl under OpenBSD 6.3
Hi all,

Since this morning my OpenBSD 6.3 host (with tt-rss installed) returns the following error when I try to add some feeds:

Couldn't download the specified URL: ; 77 error setting certificate verify locations: CAfile: /etc/ssl/cert.pem CApath: none

It seems some type of problem with curl ... Am I right? I found some solutions but all of them involve making use of an insecure connection with curl.

Any idea?

Thanks.
Re: OpenBSD blocks IPsec traffic
Thanks Marko, but I have found the problem. These rules are under anchor sub-group rules ... Moving these rules to the top after "block log all", all is working ... Maybe it is a bug with anchor rules?

On Wed, Apr 18, 2018 at 3:16 PM, Marko Cupać <marko.cu...@mimar.rs> wrote:
> On Wed, 18 Apr 2018 15:01:24 +0200
> "C. L. Martinez" <carlopm...@gmail.com> wrote:
>
> > Hi all,
> >
> > I am trying to configure an ipsec tunnel (host-to-host) between two
> > hosts that go through an openbsd firewall. Tunnel is established, but
> > when I try to, for example, connect via ssh from one host to the
> > other, pf blocks traffic:
> >
> > Apr 18 12:53:00.286351 rule 24/(match) [uid 0, pid 19127] block out on
> > vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 1 len 100 (DF)
> > [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> > Apr 18 12:53:02.292330 rule 24/(match) [uid 0, pid 19127] block out on
> > vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 2 len 100 (DF)
> > [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> > Apr 18 12:53:06.300396 rule 24/(match) [uid 0, pid 19127] block out on
> > vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 3 len 100 (DF)
> > [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> > Apr 18 12:53:14.324382 rule 24/(match) [uid 0, pid 19127] block out on
> > vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 4 len 100 (DF)
> > [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> > Apr 18 12:53:30.356437 rule 24/(match) [uid 0, pid 19127] block out on
> > vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 5 len 100 (DF)
> > [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> >
> > To do some tests, I have configured the following rules:
> >
> > pass in inet from 172.22.55.2 to 172.22.59.6 flags S/SA keep state
> > (if-bound)
> > pass in inet from 172.22.59.6 to 172.22.55.2 flags S/SA keep state
> > (if-bound)
> >
> > Any idea?
>
> Hard to say without complete ruleset, but from what I see here, your
> rule 24 blocks outbound esp from 172.22.59.6 to 172.22.55.2 on vio0,
> while no other rule after that (or one before that with 'quick'
> keyword) permits it.
>
> Check exact line with pfctl -vvsr. Add either default 'pass out'
> somewhere below (I prefer it at the end of my ruleset, as I have so far
> never blocked out stuff I already passed in), or pass out exact traffic
> you need, eg:
>
> pass out on vio0 proto esp from 172.22.59.6 to 172.22.55.2
>
> Hope this helps,
>
> --
> Before enlightenment - chop wood, draw water.
> After enlightenment - chop wood, draw water.
>
> Marko Cupać
> https://www.mimar.rs/
>
OpenBSD blocks IPsec traffic
Hi all,

I am trying to configure an ipsec tunnel (host-to-host) between two hosts that go through an openbsd firewall. Tunnel is established, but when I try to, for example, connect via ssh from one host to the other, pf blocks traffic:

Apr 18 12:53:00.286351 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 1 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:02.292330 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 2 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:06.300396 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 3 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:14.324382 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 4 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:30.356437 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 5 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)

To do some tests, I have configured the following rules:

pass in inet from 172.22.55.2 to 172.22.59.6 flags S/SA keep state (if-bound)
pass in inet from 172.22.59.6 to 172.22.55.2 flags S/SA keep state (if-bound)

Any idea?
Migrating nginx config to OpenBSD's httpd
Hi all,

I am tr–ying to migrate an nginx configuration to OpenBSD's httpd. All is working ok, except for some reverse proxy config that I use with nginx, like for example:

server {
    listen 80;
    server_name internal.w01.domain.org;
    location / {
        proxy_pass http://192.168.30.4;
    }
}

I don't see what option to use in httpd.conf, or is it the best option to use relayd.conf for this type of config?

Thanks.
Re: Writing "ones" instead of "zeroes" when wiping disk
On Thu, 11 Jan 2018, STeve Andre' wrote:
> Don't bother. Wiping the disk twice is enough. If you are storing state
> secrets melt the disk.
>

An anvil and a big hammer also work well and give some exercise in the process.

Lee
Re: Testing IKEv2 with Android devices
On Wed, Nov 29, 2017 at 9:33 AM, Stuart Henderson <s...@spacehopper.org> wrote:
> On 2017-11-26, C. L. Martinez <carlopm...@gmail.com> wrote:
>>
>> Ok, it seems the problem is that iked(8) does not know how to perform
>> Diffie-Hellman group negotiation:
>>
>> https://marc.info/?l=openbsd-tech=151136800328145=2
>>
>> Am I correct? What is the current status for Tim's fix?
>
> patrick@ has been following this rabbit hole, try his latest diff.
>

Thanks Stuart. Are you referring to this one: https://marc.info/?l=openbsd-tech=151187345915827=2 ?
Re: Testing IKEv2 with Android devices
On Sun, Nov 26, 2017 at 09:02:46PM +0100, C. L. Martinez wrote: > Hi all, > > I am testing IKEv2 for Android roadwarriors clients ... I have done a very > basic config: > > ikev2 "roadwarriors" passive esp \ > from 0.0.0.0/0 to 172.22.55.0/27 \ > peer any \ > config name-server 172.22.55.1 \ > psk "stargazer" > > Launching "iked -dvv" returns me: > > ikev2_recv: IKE_SA_INIT request from initiator 172.17.35.20:500 to > 172.17.35.9:500 policy 'roadwarriors' id 0, 652 bytes > ikev2_recv: ispi 0xe525d6e2b940fdb1 rspi 0x > ikev2_policy2id: srcid FQDN/lowlands.lab.uxdom.org length 26 > ikev2_pld_parse: header ispi 0xe525d6e2b940fdb1 rspi 0x > nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length > 652 response 0 > ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 244 > ikev2_pld_sa: more than one proposal specified > ikev2_pld_sa: more 2 reserved 0 length 136 proposal #1 protoid IKE spisize 0 > xforms 15 spi 0 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC > ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4 > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256 > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192 > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128 > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96 > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512 > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384 > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256 > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256 
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048 > ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1536 > ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264 > ikev2_pld_ke: dh group reserved 0 > ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36 > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28 > ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP > ikev2_nat_detection: peer source 0xe525d6e2b940fdb1 0x > 172.17.35.20:500 > ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP > encapsulation > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28 > ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP > ikev2_nat_detection: peer destination 0xe525d6e2b940fdb1 0x > 172.17.35.9:500 > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 16 > ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS > ikev2_pld_notify: signature hash SHA1 (1) > ikev2_pld_notify: signature hash SHA2_256 (2) > ikev2_pld_notify: signature hash SHA2_384 (3) > ikev2_pld_notify: signature hash SHA2_512 (4) > ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8 > ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED > sa_state: INIT -> SA_INIT > ikev2_sa_negotiate: score 4 > sa_stateok: SA_INIT flags 0x, require 0x > sa_stateflags: 0x -> 0x0020 sa (required 0x ) > ikev2_sa_keys: SKEYSEED with 32 bytes > ikev2_sa_keys: S with 80 bytes > ikev2_prfplus: T1 with 32 bytes > ikev2_prfplus: T2 with 32 bytes > ikev2_prfplus: T3 with 32 bytes > ikev2_prfplus: T4 with 32 bytes > ikev2_prfplus: T5 with 32 bytes > ikev2_prfplus: T6 with 32 bytes > ikev2_prfplus: T7 with 32 bytes > ikev2_prfplus: Tn with 224 bytes > ikev2_sa_keys: SK_d with 32 bytes > ikev2_sa_keys: SK_ai with 32 bytes > ikev2_sa_keys: SK_ar with 32 bytes > ikev2_sa_keys: SK_ei with 32 
bytes > ikev2_sa_keys: SK_er with 32 bytes > ikev2_sa_keys: SK_pi with 32 bytes > ikev2_sa_keys: SK_pr with 32 bytes > ikev2_add_proposals: length 44 > ikev2_next_payload: length 48 nextpayload KE > ikev2_next_payload: length 264 nextpayload NONCE > ikev2_next_payload: length 36 nextpayload NOTIFY > ikev2_nat_detection: local source 0xe525d6e2b940fdb1 0xc417a42f151005cb > 172.17.35.9:500 > ikev2_next_payload: length 28 nextpayload NOTIFY > ikev2_nat_detection: local destination 0xe525d6e2b940fdb1 0xc417a42f151005cb > 172.17.35.20:500 > ikev2_ne
Testing IKEv2 with Android devices
3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload CERTREQ nextpayload NOTIFY critical 0x00 length 5
ikev2_pld_certreq: type RSA_KEY length 0
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_msg_send: IKE_SA_INIT response from 172.17.35.9:500 to 172.17.35.20:500 msgid 0, 451 bytes
config_free_proposals: free 0x1ccfc4952580

According to this:

sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x, require 0x
sa_stateflags: 0x -> 0x0020 sa (required 0x )

phase-1 is established, correct? But I am not sure because the last message is:

ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_msg_send: IKE_SA_INIT response from 172.17.35.9:500 to 172.17.35.20:500 msgid 0, 451 bytes
config_free_proposals: free 0x1ccfc4952580

Android device is a Samsung Galaxy Edge S7 (Android 7.0) and OpenBSD is 6.2 with all patches ... What am I doing wrong?

Thanks.

-- 
Greetings,
C. L. Martinez
Re: Problems configuring ifstated with dhcp interfaces /etc/ifstated.conf:4: macro '2' not defined (SOLVED)
On Fri, Nov 10, 2017 at 07:28:19PM +, C. L. Martinez wrote: > Hi all, > > I need to configure ifstated for two public interfaces and one of them is a > dhcp interface. To accomplish this I have configured the following macro in > the ifstated.conf file: > > wired_gate_test = '( "ping -q -c1 -w1 -I `awk '/fixed-address/ { print $2 }' > /var/db/dhclient.leases.em1 | sed -e 's/;//'` `awk '/routers/ { print $3 }' > /var/db/dhclient.leases.em1 | sed -e 's/;//'` > /dev/null" every 30 )' > > But it returns the following error: > > wired_linkup = "em1.link.up" > wireless_linkup = "em2.link.up" > /etc/ifstated.conf:4: syntax error > /etc/ifstated.conf:4: macro '2' not defined > /etc/ifstated.conf:34: macro 'wired_gate_test' not defined > /etc/ifstated.conf:34: syntax error > ifstated: invalid start state wired > > From command line, ping command works ... What am I doing wrong? > > Thanks. > Oops .. I have found the problem ... I need to escape awk like awk \'/fixed... Sorry for the noise ... -- Greetings, C. L. Martinez
Problems configuring ifstated with dhcp interfaces /etc/ifstated.conf:4: macro '2' not defined
Hi all, I need to configure ifstated for two public interfaces and one of them is a dhcp interface. To accomplish this I have configured the following macro in the ifstated.conf file: wired_gate_test = '( "ping -q -c1 -w1 -I `awk '/fixed-address/ { print $2 }' /var/db/dhclient.leases.em1 | sed -e 's/;//'` `awk '/routers/ { print $3 }' /var/db/dhclient.leases.em1 | sed -e 's/;//'` > /dev/null" every 30 )' But it returns the following error: wired_linkup = "em1.link.up" wireless_linkup = "em2.link.up" /etc/ifstated.conf:4: syntax error /etc/ifstated.conf:4: macro '2' not defined /etc/ifstated.conf:34: macro 'wired_gate_test' not defined /etc/ifstated.conf:34: syntax error ifstated: invalid start state wired From command line, ping command works ... What am I doing wrong? Thanks. -- Greetings, C. L. Martinez
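The macro in the post fails because the single quotes inside the awk programs end the single-quoted ifstated macro early, so the `$2` is parsed as a macro reference. Escaping works, but the quoting is fragile; the alternative a practitioner usually picks is to move the lease parsing into a small script and have ifstated run only that. Below is such a script as an added Python example (not from the thread, not part of ifstated or dhclient). It assumes the lease file layout dhclient(8) writes (`lease { ... fixed-address X; option routers Y; }`, appended, newest block last) and the same ping probe the macro used; the script path in the ifstated.conf line is an assumption. The sample lease text is constructed. Because ifstated executes test commands as root, the script must be root-owned and not writable by anyone else.

```python
import re
import subprocess
import sys

# Constructed sample in the format dhclient(8) appends to /var/db/dhclient.leases.<if>;
# the newest lease is the last block in the file.
SAMPLE_LEASES = """\
lease {
  interface "em1";
  fixed-address 192.0.2.40;
  option subnet-mask 255.255.255.0;
  option routers 192.0.2.1;
  renew 2 2017/11/14 10:00:00;
}
lease {
  interface "em1";
  fixed-address 192.0.2.41;
  option subnet-mask 255.255.255.0;
  option routers 192.0.2.254;
  renew 3 2017/11/15 10:00:00;
}
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ADDR_RE = re.compile(r"^\s*fixed-address\s+" + IPV4 + r"\s*;", re.M)
# 'option routers' may list several routers separated by commas; take the first,
# which is what the original macro's awk '{ print $3 }' did as well.
ROUTER_RE = re.compile(r"^\s*option routers\s+" + IPV4, re.M)


def parse_last_lease(text):
    """Return (fixed_address, gateway) from the most recent lease block, or None."""
    blocks = [b for b in text.split("lease {") if b.strip()]
    if not blocks:
        return None
    addr = ADDR_RE.search(blocks[-1])
    gw = ROUTER_RE.search(blocks[-1])
    if not (addr and gw):
        return None
    return addr.group(1), gw.group(1)


def ping_cmd(src, gw):
    """Same probe as the macro in the post: one packet, 1 s wait, sourced from the lease address."""
    return ["ping", "-q", "-c1", "-w1", "-I", src, gw]


def gateway_up(lease_path):
    with open(lease_path) as fh:
        lease = parse_last_lease(fh.read())
    if lease is None:
        return False
    res = subprocess.run(ping_cmd(*lease), stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return res.returncode == 0


if __name__ == "__main__":
    # Usage from ifstated.conf (script path assumed):
    #   wired_gate_test = '( "/usr/local/sbin/check_gw em1" every 30 )'
    iface = sys.argv[1] if len(sys.argv) > 1 else "em1"
    sys.exit(0 if gateway_up("/var/db/dhclient.leases." + iface) else 1)
```

Taking the last lease block matters: the awk one-liner in the macro prints one line per match, so once the lease file holds more than one lease the command line gets two addresses where ping expects one.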
Re: Debugging a php's script startup
On Wed, Nov 08, 2017 at 08:43:55PM +0100, Martijn van Duren wrote: > Hello C., > > Can you start up the daemon process from the CLI (without the rc > script)? If not and it still has the same error message as below (which > I reckon it will) you might want to change your mysqli.default_socket = > in your /etc/php-7.0.ini. > Do note however that this will also affect php-fpm and mod_php which run > chrooted by default (hence the weird path), so if you need those installs > unaffected try to create a custom ini-file and specify it with -c as a > php-argument. > > Also note that php is not designed to write daemons in and should only > be done if there are no other options. The rc-script won't restart your > daemon automatically if it crashes. > > Hope this helps. > > martijn@ > > > Wow!! ... Many many thanks Martijn. I have added the "-c" switch to daemon_args and created another .ini file for this "daemon", and it works. Here it is:

#!/bin/sh -x
#
daemon="/usr/local/bin/php-7.0"
daemon_flags="-c /etc/tt-rss/php-7.0.ini /var/www/htdocs/rss/update_daemon2.php --log /tmp/update_rss.log"
daemon_user="www"

. /etc/rc.d/rc.subr

pexp="${daemon}${daemon_flags:+ ${daemon_flags}}"
rc_bg=YES
rc_reload=NO

rc_post() {
	rm -f /var/www/htdocs/rss/lock/update_daemon.lock
}

rc_cmd $1

Inside the .ini I have configured the mysqli.default_socket option:

mysqli.default_socket = /var/www/var/run/mysql/mysql.sock

-- Greetings, C. L. Martinez
Debugging a php's script startup
Hi all, I am trying to set up a startup file for TT-Rss (installed under OpenBSD 6.2 host, fully patched). This is the script:

#!/bin/sh -x
#
daemon="/usr/local/bin/php-7.0"
daemon_flags="/var/www/htdocs/rss/update_daemon2.php --log /tmp/update_rss.log"
daemon_user="www"

. /etc/rc.d/rc.subr

pexp="${MODPHP_BIN} ${daemon}${daemon_flags:+ ${daemon_flags}}"
rc_bg=YES
rc_reload=NO

rc_post() {
	rm -f /var/www/htdocs/rss/lock/update_daemon.lock
}

rc_cmd $1

And when I try to start it, this is the output: root@rssweb:/etc/rc.d# ./tt_rss start + daemon=/usr/local/bin/php-7.0 + daemon_flags=/var/www/htdocs/rss/update_daemon2.php --log /tmp/update_rss.log + daemon_user=www + . /etc/rc.d/rc.subr + _rc_actions=start stop restart reload check + readonly _rc_actions + [ -n ] + basename ./tt_rss + _name=tt_rss + _rc_check_name tt_rss + [ -n /usr/local/bin/php-7.0 ] + unset _RC_DEBUG _RC_FORCE + getopts df c + shift 0 + _RC_RUNDIR=/var/run/rc.d + _RC_RUNFILE=/var/run/rc.d/tt_rss + _rc_do _rc_parse_conf + eval _rcflags=${tt_rss_flags} + _rcflags= + eval _rcrtable=${tt_rss_rtable} + _rcrtable= + eval _rcuser=${tt_rss_user} + _rcuser= + eval _rctimeout=${tt_rss_timeout} + _rctimeout= + getcap -f /etc/login.conf tt_rss + > /dev/null + 2>&1 + daemon_class=daemon + [ -z ] + daemon_rtable=0 + [ -z www ] + [ -z ] + daemon_timeout=30 + [ -n -o start != start ] + [ -n ] + [ -n ] + [ -n ] + [ -n ] + [ -n ] + readonly daemon_class + unset _rcflags _rcrtable _rcuser _rctimeout + pexp=/usr/local/bin/php-7.0 /var/www/htdocs/rss/update_daemon2.php --log /tmp/update_rss.log + rcexec=su -l -c daemon -s /bin/sh www -c + [ 0 -eq 0 ] + pexp= /usr/local/bin/php-7.0 /var/www/htdocs/rss/update_daemon2.php --log /tmp/update_rss.log + rc_bg=YES + rc_reload=NO + rc_cmd start tt_rss(failed) pexp's option seems good ... I think the problem is with the 'www' user and with this command: "su -l -c daemon -s /bin/sh www -c".
Launching from the console returns an error: root@rssweb:/etc/rc.d# su -l -c daemon -s /bin/sh www -c '/usr/local/bin/php-7.0 /var/www/htdocs/rss/update_daemon2.php --log /tmp/update_rss.log' PHP Warning: mysqli_connect(): (HY000/2002): Can't connect to local MySQL server through socket '/var/run/mysql/mysql.sock' (2 "No such file or directory") in /var/www/htdocs/rss/classes/db/mysqli.php on line 8 Unable to connect to database (as rss to localhost, database dbrss): Can't connect to local MySQL server through socket '/var/run/mysql/mysql.sock' mysql's socket is created under www's chroot as the pkg-readme says: srwxrwxrwx 1 _mysql _mysql 0 Nov 8 17:45 /var/www/var/run/mysql/mysql.sock If I am not wrong, then, how can I configure this startup script? Thanks -- Greetings, C. L. Martinez
About WPA2 compromised protocol
Hi all, Regarding the WPA2 alert published today: https://www.krackattacks.com/, if I use an IPSec tunnel with shared-key or certificate or an OpenVPN connection to authenticate and protect clients and hostAP comms, is this vulnerability mitigated? Thanks.
Re: sysmerge is not needed when updating to 6.2?
On Thu, Oct 12, 2017 at 11:45:24AM +0200, Theo Buehler wrote: > > But I have only one question: Is sysmerge no longer needed for the > > updating process like in previous releases? > > Since 6.0 the installer installs an rc.sysmerge that runs 'sysmerge -b' > on first boot of the updated system. > Perfect. Many thanks. -- Greetings, C. L. Martinez
sysmerge is not needed when updating to 6.2?
Hi all, Today I have updated two OpenBSD 6.1 hosts to 6.2 after reading the FAQ and all works really well. Congratulations to all OpenBSD's developers for their hard work. But I have only one question: Is sysmerge no longer needed for the updating process like in previous releases? Many thanks. -- Greetings, C. L. Martinez
Running OpenBSD 6.1 under vmware fusion
Hi all, I have installed OpenBSD 6.1 under Vmware Fusion on a MacBook Pro 2017. All is running ok, except when I start the graphical environment (i3). a) Resolution: I have configured the /etc/xorg.conf file several times trying to catch a good resolution (2560x1600), but Xorg goes to 1280x768 every time. b) Mouse speed is really slow slow slow ... How can I increase mouse speed? Mouse conf to increase speed (but it doesn't work):

Section "InputClass"
	Identifier "My Mouse"
	MatchIsPointer "yes"
	Option "AccelerationNumerator" "2"
	Option "AccelerationDenominator" "1"
	Option "AccelerationThreshold" "4"
EndSection

Display conf:

Section "Monitor"
	Identifier "default monitor"
	DisplaySize 311 170
EndSection
Section "Device"
	Identifier "default device"
	Driver "vmware"
EndSection
Section "Screen"
	Identifier "default screen"
	Device "default device"
	Monitor "default monitor"
EndSection

I have attached Xorg.log. Any help please? Thanks -- Greetings, C. L. Martinez [ 4640.706] (--) checkDevMem: using aperture driver /dev/xf86 [ 4640.888] (--) Using wscons driver on /dev/ttyC2 [ 4640.891] X.Org X Server 1.18.4 Release Date: 2016-07-19 [ 4640.892] X Protocol Version 11, Revision 0 [ 4640.892] Build Operating System: OpenBSD 6.1 amd64 [ 4640.892] Current Operating System: OpenBSD stirling.lab.uxdom.org 6.1 GENERIC#23 amd64 [ 4640.892] Build Date: 01 April 2017 02:00:27PM [ 4640.892] [ 4640.892] Current version of pixman: 0.34.0 [ 4640.892] Before reporting problems, check http://wiki.x.org to make sure that you have the latest version. [ 4640.892] Markers: (--) probed, (**) from config file, (==) default setting, (++) from command line, (!!) notice, (II) informational, (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
[ 4640.892] (==) Log file: "/var/log/Xorg.0.log", Time: Sat Sep 9 10:06:36 2017 [ 4640.892] (==) Using config file: "/etc/xorg.conf" [ 4640.892] (==) Using config directory: "/etc/X11/xorg.conf.d" [ 4640.892] (==) Using system config directory "/usr/X11R6/share/X11/xorg.conf.d" [ 4640.892] (==) No Layout section. Using the first Screen section. [ 4640.892] (**) |-->Screen "default screen" (0) [ 4640.892] (**) | |-->Monitor "default monitor" [ 4640.892] (**) | |-->Device "default device" [ 4640.892] (**) | |-->GPUDevice "default device" [ 4640.892] (==) Disabling SIGIO handlers for input devices [ 4640.892] (==) Automatically adding devices [ 4640.892] (==) Automatically enabling devices [ 4640.892] (==) Not automatically adding GPU devices [ 4640.892] (==) Max clients allowed: 256, resource mask: 0x1f [ 4640.892] (==) FontPath set to: /usr/X11R6/lib/X11/fonts/misc/, /usr/X11R6/lib/X11/fonts/TTF/, /usr/X11R6/lib/X11/fonts/OTF/, /usr/X11R6/lib/X11/fonts/Type1/, /usr/X11R6/lib/X11/fonts/100dpi/, /usr/X11R6/lib/X11/fonts/75dpi/ [ 4640.892] (==) ModulePath set to "/usr/X11R6/lib/modules" [ 4640.892] (II) The server relies on wscons to provide the list of input devices. If no devices become available, reconfigure wscons or disable AutoAddDevices. 
[ 4640.892] (II) Loader magic: 0xd7e0a733020 [ 4640.892] (II) Module ABI versions: [ 4640.892]X.Org ANSI C Emulation: 0.4 [ 4640.892]X.Org Video Driver: 20.0 [ 4640.892]X.Org XInput driver : 22.1 [ 4640.892]X.Org Server Extension : 9.0 [ 4640.893] (--) PCI:*(0:0:15:0) 15ad:0405:15ad:0405 rev 0, Mem @ 0xe800/134217728, 0xfe00/8388608, I/O @ 0x1070/16 [ 4640.893] (II) LoadModule: "glx" [ 4640.893] (II) Loading /usr/X11R6/lib/modules/extensions/libglx.so [ 4640.894] (II) Module glx: vendor="X.Org Foundation" [ 4640.894]compiled for 1.18.4, module version = 1.0.0 [ 4640.894]ABI class: X.Org Server Extension, version 9.0 [ 4640.894] (==) AIGLX enabled [ 4640.894] (II) LoadModule: "vmware" [ 4640.895] (II) Loading /usr/X11R6/lib/modules/drivers/vmware_drv.so [ 4640.895] (II) Module vmware: vendor="X.Org Foundation" [ 4640.895]compiled for 1.18.4, module version = 13.1.0 [ 4640.895]Module class: X.Org Video Driver [ 4640.895]ABI class: X.Org Video Driver, version 20.0 [ 4640.895] (II) vmware: driver for VMware SVGA: vmware0405, vmware0710 [ 4640.895] (II) vmware(0): Driver was compiled without KMS- and 3D support. [ 4640.895] (WW) vmware(0): Disabling 3D support. [ 4640.895] (WW) vmware(0): Disabling Render Acceleration. [ 4640.895] (WW) vmware(0): Disabling RandR12+ support. [ 46
Re: Problem with key bindings with mutt under OpenBSD 6.1
On Sat, Sep 02, 2017 at 02:48:12PM +0200, Anton Lindqvist wrote: > On Sat, Sep 02, 2017 at 11:01:14AM +, C. L. Martinez wrote: > > Hi all, > > > > I have used mutt over several months under FreeBSD and RHEL/CentOS. I have > > migrated my desktop to OpenBSD 6.1 and I have a problem with mutt's package > > installed from official OpenBSD's repos (neomutt-20170306-gpgme-sasl). > > > > In my mutt's config file I have defined the following key bindings: > > > > # > > # Key bindings > > # > > bind index \CP sidebar-prev > > bind index \CN sidebar-next > > bind index \CO sidebar-open > > > > Problem is with "\CO". It doesn't work under OpenBSD but it works without > > problems under FreeBSD 11 or RHEL7/CentOS7. If I change "\CO" to "\CA" or > > "\CI" or "\CH", for example, it works without problems ... Is "\CO" defined > > by default under OpenBSD? How can I revert this behavior? > > $ stty discard undef; mutt > Perfect!! .. It is working.. Many thanks Anton. -- Greetings, C. L. Martinez
Problem with key bindings with mutt under OpenBSD 6.1
Hi all, I have used mutt over several months under FreeBSD and RHEL/CentOS. I have migrated my desktop to OpenBSD 6.1 and I have a problem with mutt's package installed from official OpenBSD's repos (neomutt-20170306-gpgme-sasl). In my mutt's config file I have defined the following key bindings: # # Key bindings # bind index \CP sidebar-prev bind index \CN sidebar-next bind index \CO sidebar-open Problem is with "\CO". It doesn't work under OpenBSD but it works without problems under FreeBSD 11 or RHEL7/CentOS7. If I change "\CO" to "\CA" or "\CI" or "\CH", for example, it works without problems ... Is "\CO" defined by default under OpenBSD? How can I revert this behavior? Thanks. -- Greetings, C. L. Martinez
Re: Can I use OpenBSD in a virtual machine, for example, VirtualBox?
On Mon, 26 Jun 2017, SOUL_OF_ROOT 55 wrote: > Can I use OpenBSD in a virtual machine, for example, VirtualBox? > Yep, .. have had them for many years, VirtualBox & Xen. Lee
Re: Sad story
>Simply restore from backup. I have only one old backup, not the newest changes... >10% are files you will not ever need >20% are files that you will never use That's not my case, sadly.
Sad story
Forgot the passphrase of a full-disk encrypted OpenBSD system ;_; So many documents will be lost, like [coughs] accesses to NULL. --luiz r.
OpenBSD 6.1 on Lenovo P50
Hi there, Anybody running OpenBSD on a Lenovo P50 laptop? I am looking for tips and experiences. Regards, LJ -- Shall artificial plants be given artificial water?
Re: After applying patches, kernel version is lower?
On Thu, May 04, 2017 at 07:49:04AM +, Stuart Henderson wrote: > On 2017-05-04, C. L. Martinez <carlopm...@gmail.com> wrote: > > Hi all, > > > > I have applied the recent patches for OpenBSD 6.1 in two hosts and I see a > > strange behavior. In a non-patched OpenBSD 6.1 host, uname -a returns: > > > > OpenBSD tnobsd02.mydom.org 6.1 GENERIC#19 amd64 > > > > .. and in an OpenBSD 6.1 host with patches applied: > > > > OpenBSD extobsd01.mydom.org 6.1 GENERIC#4 amd64 > > > > Any idea why?? > > > > They're built on a different machine. (The number after GENERIC# shows > how many builds were done in that directory since it was cleaned.) > > Check the date in "sysctl kern.version". > Ahh ... Ok, many thanks for the info Stuart. -- Greetings, C. L. Martinez
After applying patches, kernel version is lower?
Hi all, I have applied the recent patches for OpenBSD 6.1 in two hosts and I see a strange behavior. In a non-patched OpenBSD 6.1 host, uname -a returns: OpenBSD tnobsd02.mydom.org 6.1 GENERIC#19 amd64 .. and in an OpenBSD 6.1 host with patches applied: OpenBSD extobsd01.mydom.org 6.1 GENERIC#4 amd64 Any idea why?? -- Greetings, C. L. Martinez
Sysctl options to install IDS software
Hi all, In the following days, I want to replace some linux systems that act as IDS/IPS nodes with OpenBSD 6.1 (congratulations to all OpenBSD's team. IMO, the best OpenBSD that I have used). These OpenBSD nodes will be installed with Suricata, Bro and Snort components. In the Linux and FreeBSD world, when you try to monitor 1GB/10GB networks (which is my case), some kernel variables need to be tweaked. For example, on linux systems some options are: net.core.rmem_max net.core.wmem_max net.core.rmem_default net.core.wmem_default net.core.optmem_max net.ipv4.tcp_rmem net.ipv4.tcp_wmem net.ipv4.udp_mem In the OpenBSD's old days, you could tweak some options like send and receive network buffers, etc. But in most recent OpenBSD releases, most of these options are not available; from what I understand, some sort of "tuning" is already done by default in the GENERIC kernel. But I see some kernel options that could need to be modified to use IDS/IPS software. Some of them: kern.somaxconn net.inet.udp.recvspace net.inet.udp.sendspace net.bpf.maxbufsize (I am not sure about this option) On the other side, I don't want to break anything in this first stage :) ... I prefer to do some type of control first and then apply these changes. Any recommendation? Many thanks. -- Greetings, C. L. Martinez
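The "control first" the post asks for is easiest to get by recording the current values of the tunables before changing any of them, so that a regression can be traced to one key and the old value put back. Below is an added Python example (not from the thread, not an OpenBSD tool) that snapshots the sysctls named in the post, diffs two snapshots and emits sysctl.conf(5)-style lines to restore or persist them. The key names are the ones the post lists; net.bpf.bufsize is my addition, and the `reader` parameter exists so the logic can be exercised without a live kernel. One caveat worth knowing before raising net.bpf.maxbufsize: it only caps what a bpf(4) consumer may request, so the capture tool's own buffer size (libpcap's, for Suricata or Snort) still has to be raised to make use of it.

```python
import subprocess
import time

# Tunables named in the post above, plus net.bpf.bufsize (my addition: the default
# buffer a bpf(4) reader gets when it does not ask for one). net.bpf.maxbufsize only
# caps what a reader such as Suricata or Snort may request through libpcap.
IDS_SYSCTLS = [
    "kern.somaxconn",
    "net.inet.udp.recvspace",
    "net.inet.udp.sendspace",
    "net.bpf.bufsize",
    "net.bpf.maxbufsize",
]


def read_sysctl(name):
    """Read one value with sysctl(8); None if the key does not exist on this kernel."""
    res = subprocess.run(["sysctl", "-n", name], capture_output=True, text=True)
    return res.stdout.strip() if res.returncode == 0 else None


def snapshot(names, reader=read_sysctl):
    """Record current values before touching anything (the 'control' the post asks for)."""
    return {n: reader(n) for n in names}


def diff(before, after):
    """Keys whose value changed, as {key: (old, new)}."""
    return {k: (before[k], after.get(k)) for k in before if before[k] != after.get(k)}


def restore_lines(snap):
    """sysctl.conf(5)-style lines; feed them back with sysctl(8) to undo a change, or
    drop them into /etc/sysctl.conf to persist the values that worked."""
    return [f"{k}={v}" for k, v in snap.items() if v is not None]


def parse_snapshot(lines):
    """Inverse of restore_lines, tolerant of blanks, comments and stray spaces."""
    out = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        out[key.strip()] = value.strip()
    return out


if __name__ == "__main__":
    before = snapshot(IDS_SYSCTLS)
    fname = time.strftime("sysctl-before-%Y%m%d%H%M%S.conf")
    with open(fname, "w") as fh:
        fh.write("\n".join(restore_lines(before)) + "\n")
    print(f"saved {len(before)} values to {fname}")
    # After tuning: diff(parse_snapshot(open(fname)), snapshot(IDS_SYSCTLS))
```

Run it once on each node before the first change, keep the file with the node's configuration, and compare again after each round of tuning; keys that come back as None simply do not exist on that release and can be dropped from the list.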
Re: What does it mean this error when I try install a package?
On Mon, Apr 17, 2017 at 01:39:22PM +0200, Christoph R. Murauer wrote: > > Hi all, > > > > After installing OpenBSD 6.1, I am trying to install some packages, > > for example python-2.7. When I launch the following command: > > > > pkg_add -v python-2.7 > > > > ... it returns the following errors: > > > > http://ftp.openbsd.org/pub/OpenBSD/6.1/packages/amd64/: Read short > > file. > > http://ftp.openbsd.org/pub/OpenBSD/6.1/packages/amd64/python-2.7.tgz: > > ftp: Error retrieving file: 404 Not Found > > signify: gzheader truncated > > Can't find python-2.7 > > Extracted 11548847 from 11550420 > > > > What do these errors mean?? My PKG_PATH variable is > > "PKG_PATH=http://ftp.openbsd.org/pub/OpenBSD/6.1/packages/amd64; > > It means that the package you try to install does not exist. Run > > pkg_info -Q python > > See FAQ https://www.openbsd.org/faq/faq15.html#PkgFind > > you see something like (in my case it is already installed) > > ... > python-2.7.13p0 (installed) > ... > > You can also check the list of packages at > http://ftp.openbsd.org/pub/OpenBSD/6.1/packages/amd64/index.txt > > So, try > > pkg_add -v python-2.7.13p0 > > or, check the -z switch of pkg_add (man pkg_add) > > pkg_add -v -z python-2.7.13 > Yep, understood. Many thanks. -- Greetings, C. L. Martinez
What does it mean this error when I try install a package?
Hi all, After installing OpenBSD 6.1, I am trying to install some packages, for example python-2.7. When I launch the following command: pkg_add -v python-2.7 ... it returns the following errors: http://ftp.openbsd.org/pub/OpenBSD/6.1/packages/amd64/: Read short file. http://ftp.openbsd.org/pub/OpenBSD/6.1/packages/amd64/python-2.7.tgz: ftp: Error retrieving file: 404 Not Found signify: gzheader truncated Can't find python-2.7 Extracted 11548847 from 11550420 What do these errors mean?? My PKG_PATH variable is "PKG_PATH=http://ftp.openbsd.org/pub/OpenBSD/6.1/packages/amd64; -- Greetings, C. L. Martinez
Re: Why isn't OpenBSD in Google Summer of Code 2017?...
Security and correctness should never be an after-thought. Have you done any real software development? And have you ever tried to find your way through cruddy code? 999 times out of 1000 it is less painful and much more effective to rewrite from scratch. So what's the point of having that previous iteration? On 5 Apr 2017 at 13:10, Luke Small wrote: > I imagine there are some projects that need some love that are on the back > burner at the moment that could use some hacking; even if it is totally > redone later by someone that wants to refactor it for privsep and such. > On Tue, Apr 4, 2017 at 4:21 PM Theo de Raadt wrote: > > > Pete, you propose a waste of time. > > > > Everyone has the source code. Everyone can run it. Everyone can see > > the problems other people report, and the things which are not supported. > > > > Everyone already can tell what needs improving. Everyone has a brain, > > and can come up with their own goals. > > > > If they don't come up with goals, there's nothing we can write which > > will change anything. > > > > Finally, not everyone has time. It would not be time spent well making > > lists for other people who may or may not perform. > > > > > Would the devs consider compiling a list of specific improvements they'd > > like > > > to see volunteer'd upon this summer? I'd love to help especially if it > > was a > > > group effort/friendly competition. > > > > > > > > > From: owner-m...@openbsd.org on behalf of Bob > > Beck > > > > > > Sent: April 2, 2017 10:16:21 PM > > > To: Luke Small > > > Cc: openbsd-misc > > > Subject: Re: Why isn't OpenBSD in Google Summer of Code 2017?... > > > > > > We tried it for two years, it was too much effort on the part of the > > > foundation organizers mentors to deal with the bureaucracy involved, and > > we > > > didn't really see enough > > > return in terms of new developers to the project, which, frankly being > > > selfish on OpenBSD's part is the only reason for us to do it.
> > > > > > Both Ken Westerback and I organized our end of it and dealt with the > > google > > > paperwork the two years we did it, Neither of us is willing to do it > > again, > > > and while I won't > > > directly speak for Ken, I would not support us spending effort on this > > when > > > there are lots of other things to do.. It just doesn't have the benefit > > for > > > OpenBSD, especially > > > in light of the effort of the volunteers necessary to participate. > > > > > > > > > > > > On Sun, Apr 2, 2017 at 8:54 AM, Luke Small wrote:
Re: Please: Is there ANY chance that Linux binaries might run again???
On 11 Mar 2017 at 15:47, ropers wrote: > On 11 March 2017 at 15:18, Stuart Henderson wrote: > > > On 2017/03/10 23:56, ropers wrote: > > > On 10 March 2017 at 01:30, Stuart Henderson > > > wrote: > > > > > > (And unlike Linux, 32-bit OpenBSD binaries won't run on OpenBSD/ > > > amd64) > > > > > > > > > Is there a technical reason for that? > > > I'm not trying to demand anything here; just curious. > > > > > > This is NOT intended to be a "but teh Linux does X, so should we, so > > > why can't we" whine. > > > I'm merely ignorantly interested in a "what are they doing, what's > > > OpenBSD doing" kind of way. > > > > I think that even just adding basic support would be complicated and > > likely error-prone. Is there anything it would actually be useful for? > > > > Personally, I'm really just asking out of technical curiosity. > This is not about whether I'd ever actually want or feel I'd need to run > 32-bit OpenBSD binaries on OpenBSD/amd64. > > Was 32-on-64 compatibility somehow easier to achieve on the Linux side? > Or did they just keep throwing code and more code at the problem because > they felt they really, really had to have this? > It's that kind of idle curiosity. If nobody's interested in explaining or > hearing this explained, then sorry for the noise. > > If you examine a typical 64-bit Linux installation, you will notice that it contains duplicate sets of most libraries and even many of the drivers -- one x86_64 and the other i586. On disk, the packages for the latter are almost always the exact same ones as those installed on a pure 32-bit Linux. So in essence the 64-bit Linux is like two OS running simultaneously. I am guessing that this is facilitated by the Linux's micro-kernel approach -- in oversimplified terms, their kernel is little more than a traffic cop at a docking terminal and all the drivers and libraries are "modules" communicating through a rather complex but broadly accommodating API that does not discriminate 32-bit vs. 64-bit.
In contrast, OpenBSD uses monolithic kernel (and unlike FreeBSD it no longer even supports LKM) where all the communication paths have been streamlined and a decision is made upfront whether they are based on 32-bit or 64-bit architecture.
Re: New features in VMM for OpenBSD 6.1?
On Mon, Mar 06, 2017 at 10:55:23AM -0800, Mike Larkin wrote: > On Mon, Mar 06, 2017 at 06:22:07PM +0100, Juan Francisco Cantero Hurtado > wrote: > > On Mon, Mar 06, 2017 at 10:40:52AM +, C. L. Martinez wrote: > > > Hi all, > > > > > > Where can I see what new features will be released in VMM for OpenBSD > > > 6.1? For example, could it be possible to run linux or freebsd guests > > > apart from openbsd guests? > > > > No, vmm will only support OpenBSD in the next release. > > https://www.openbsd.org/61.html will include a list of new features and > > fixes. > > > > -- > > Juan Francisco Cantero Hurtado http://juanfra.info > > > > As Juan states, I'm sure someone will go back through the cvs logs and update > that page with what new changes/features went in. Probably the biggest change > will be adding SVM support, if I can manage to get the last +/- 900 lines of > local changes in, and add interrupt windowing support. > > -ml Thanks for the info. -- Greetings, C. L. Martinez
New features in VMM for OpenBSD 6.1?
Hi all, Where can I see what new features will be released in VMM for OpenBSD 6.1? For example, could it be possible to run linux or freebsd guests apart from openbsd guests? Many thanks. -- Greetings, C. L. Martinez
Re: How easy is to do a MITM/spoof/etc. a public IP address?
On Thu, Jan 26, 2017 at 10:51:14AM +, Stuart Henderson wrote: > On 2017-01-25, C. L. Martinez <carlopm...@gmail.com> wrote: > > On Wed, Jan 25, 2017 at 02:07:55PM +, Stuart Henderson wrote: > >> On 2017-01-25, C. L. Martinez <carlopm...@gmail.com> wrote: > >> > Hi all, > >> > > >> > I have received a (maybe) "stupid" request from one of our customers. > >> > We have a pair of public OpenBSD firewalls (CARPed) that our development > >> > team use to access several customers via VPN IPsec tunnels. But this > >> > morning we have received a request from one of these customers to access > >> > our development servers using only one acl to permit their public IP > >> > address (without using VPN IPsec, or VPN SSL tunnels). > >> > > >> > And my (OT) question: how easy is it to do a MITM attack (DNS spoofing > >> > for example, or another type of attack that permits to fake source > >> > public ip address) in this scenario? > >> > >> For an attacker with no access to endpoints or network in between: > >> > >> - For many protocols including UDP, it is absolutely trivial to send > >> traffic from a fake source address. > > > > But, only SYN can be sent, right?? Source's attacker ip address will not > > receive ACK, etc. Is it correct? If it is, he/she/they only can do DoS > > attack, they can't steal information, right? > > > >> - With TCP it depends on various things but sometimes you can predict > >> enough of the IP stack behaviour to spoof blindly and send data. > >> reassemble tcp + random-id can help. > > They won't get any responses, but if an attacker can predict some of > what's in the packets (port numbers, sequence numbers etc), they can > send a bunch of packets that *might* match. If they get lucky and hit > on a correct one, they can handshake and transmit, obviously not > receive data directly on that connection, but sending might be enough > to do damage.
> > >> If an attacker can MITM (either by getting $client to send to their > >> machine instead of yours directly, they can obviously log or modify > >> packets before forwarding on to the real server. It depends what > >> you're running over it as to whether this is a problem. > >> > > > > Uhmmm ... but in this case, I don't see how an attacker can fake original > > ip public source address ... Any theoretical example? > > If they have access to a machine that the packets pass through, or a > machine that they can be made to pass through (e.g. by DNS manipulation, > or if they're on an unprotected layer-2 network with a real router ARP > attacks etc might work) they can just inspect/modify the packets as > they're passing. > > Even if it's just a router that doesn't let them do much with the > packets directly, they might still be able to forward them over a GRE > tunnel or similar to a machine where they can do this. > > There are enough ISPs and colos around that don't do BCP38 (i.e. don't > check source addresses) that there won't be too much difficulty > re-forwarding packets with the original sender IP address. > > > Many thanks Stuart for your help. > > tl;dr: if VPN isn't suitable, make sure comms are protected by some > other method that includes at least strong authentication and protects > messages against being modified - e.g. modern SSH, TLS or equivalent - > and be careful with certificates (test to make sure that you'll notice > an unexpected change). > Many thanks for your explained answer Stuart. Fantastic. Only one more question. Since this access only requires the http service, will it be sufficient if I try to convince them to use https instead? And in the case that we could use https, would a MITM attack be minimized? -- Greetings, C. L. Martinez
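Stuart's point that blind TCP spoofing comes down to predicting what the server puts in packets the attacker never sees can be put into numbers. The following is an added Python model, not from the thread and not anyone's exploit code: a toy server hands out initial sequence numbers either by a fixed increment per connection (modelled on the behaviour of old 4.4BSD-derived stacks) or uniformly at random, and an off-path attacker who spoofs the customer's address, never receives the SYN-ACK, and must put the right acknowledgement number (ISN+1) in the third packet to get a connection the ACL will accept. The increment of 64000, the seed and the port counts are assumptions for the illustration. Against a predictable stack one probe connection from the attacker's own address is enough to complete a spoofed handshake on the first try; against a random 32-bit ISN the expected effort is 2^31 spoofed SYNs. The same arithmetic is why pf's `modulate state` rewrites the ISNs of connections passing through the firewall on behalf of hosts whose stacks are predictable.

```python
import math
import random

SEQ_SPACE = 2 ** 32


class ToyServer:
    """Hands out initial sequence numbers. 'predictable' mimics a stack that bumps the
    ISN by a fixed step per connection (assumed step 64000); 'random' draws it uniformly."""

    def __init__(self, mode, rng, step=64000):
        self.mode, self.rng, self.step = mode, rng, step
        self.last = rng.randrange(SEQ_SPACE)

    def syn_received(self):
        """Return the ISN the server puts in its SYN-ACK for a new connection."""
        if self.mode == "predictable":
            self.last = (self.last + self.step) % SEQ_SPACE
        else:
            self.last = self.rng.randrange(SEQ_SPACE)
        return self.last

    @staticmethod
    def ack_accepted(isn, ack):
        # In SYN-RECEIVED the ACK must acknowledge exactly ISN+1 (RFC 793 / RFC 9293).
        return ack == (isn + 1) % SEQ_SPACE


def blind_handshake(server, predict, max_attempts):
    """Off-path attacker: one legitimate probe from his own address to learn an ISN, then
    spoofed SYNs whose SYN-ACKs go to the real customer address and are never seen, each
    followed by an ACK carrying a guessed number. Returns the attempt that completed the
    handshake, or None."""
    observed = server.syn_received()          # attacker's own probe connection
    for attempt in range(1, max_attempts + 1):
        real_isn = server.syn_received()      # created by the spoofed SYN, unseen
        if server.ack_accepted(real_isn, predict(observed, attempt)):
            return attempt
    return None


def predict_linear(step=64000):
    """Assume the stack increments by 'step' per connection: the n-th connection after
    the probe has ISN observed + n*step, so the ACK must carry that plus one."""
    return lambda observed, attempt: (observed + attempt * step + 1) % SEQ_SPACE


def predict_random(rng):
    """No information: guess uniformly."""
    return lambda observed, attempt: rng.randrange(SEQ_SPACE)


def expected_spoofed_syns(bits=32):
    """Average spoofed SYNs until an exact hit when the ISN is uniform over 2**bits."""
    return 2 ** (bits - 1)


def injection_search_space(window, ephemeral_ports):
    """Injecting into an already established connection instead: the blind attacker must
    hit the client's source port and a sequence number inside the receive window, so the
    space is ports * ceil(2^32 / window) segments."""
    return ephemeral_ports * math.ceil(SEQ_SPACE / window)


def demo(seed=7, random_tries=20000):
    """Deterministic comparison of the two server behaviours under the same attacker."""
    rng = random.Random(seed)
    predictable = blind_handshake(ToyServer("predictable", rng), predict_linear(), 10)
    randomised = blind_handshake(ToyServer("random", rng), predict_random(rng), random_tries)
    return {"predictable": predictable, "random": randomised,
            "expected_tries_random": expected_spoofed_syns()}


if __name__ == "__main__":
    print(demo())
    print("segments to inject blindly, 64 KiB window, 16384 candidate ports:",
          injection_search_space(65536, 16384))
```

Two things the model makes concrete for the original question: an address-based ACL is only as strong as the ISN generation of the server behind it and the BCP38 filtering of every network in the path, neither of which the server operator controls, and it says nothing about an attacker who sits on the path and needs no guessing at all. That is why the thread's advice lands on authenticating the peer (TLS with pinned or monitored certificates, SSH) rather than trusting the source address.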
Re: How easy is to do a MITM/spoof/etc. a public IP address?
On Wed, Jan 25, 2017 at 08:20:32PM +0100, Daniel Gillen wrote: > On 25.01.2017 15:42, C. L. Martinez wrote: > > On Wed, Jan 25, 2017 at 02:07:55PM +, Stuart Henderson wrote: > >> On 2017-01-25, C. L. Martinez <carlopm...@gmail.com> wrote: > >>> Hi all, > >>> > >>> I have received a (maybe) "stupid" request from one of our customers. > >>> We have a pair of public OpenBSD firewalls (CARPed) that our development > >>> team use to access several customers via VPN IPsec tunnels. But this > >>> morning we have received a request from one of these customers to access > >>> our development servers using only one acl to permit their public IP > >>> address (without using VPN IPsec, or VPN SSL tunnels). > >>> > >>> And my (OT) question: how easy is it to do a MITM attack (DNS spoofing > >>> for example, or another type of attack that permits to fake source > >>> public ip address) in this scenario? > >> > >> For an attacker with no access to endpoints or network in between: > >> > >> - For many protocols including UDP, it is absolutely trivial to send > >> traffic from a fake source address. > > > > But, only SYN can be sent, right?? Source's attacker ip address will not > > receive ACK, etc. Is it correct? If it is, he/she/they only can do DoS > > attack, they can't steal information, right? > > > > UDP and many other protocols are connectionless, so there is no such > thing as SYN/ACK. You basically just send your data package and hope it > somehow gets to its destination. > > https://en.wikipedia.org/wiki/User_Datagram_Protocol Yep, sorry. My mistake. I am referring to TCP connections ... > > >> > >> - With TCP it depends on various things but sometimes you can predict > >> enough of the IP stack behaviour to spoof blindly and send data. > >> reassemble tcp + random-id can help.
> >> > >> If an attacker can MITM (either by getting $client to send to their > >> machine instead of yours directly, they can obviously log or modify > >> packets before forwarding on to the real server. It depends what > >> you're running over it as to whether this is a problem. > >> > > > > Uhmmm ... but in this case, I don't see how an attacker can fake original > > ip public source address ... Any theoretical example? > > > > Many thanks Stuart for your help. > > > > > > In an MITM scenario, the sent data packets actually flow _through_ the > MITM's machine before they are forwarded to your machine. No need to > fake original source address, as it won't be changed. Think of the > MITM's machine as a simple router interconnecting your and the $client's > WAN. > > https://en.wikipedia.org/wiki/Man-in-the-middle_attack Thanks. I see the concept when you are in a LAN. But with a WAN, I can't see how you can accomplish this. For example: ip public source address is 1.1.1.1, destination public ip address is 2.2.2.2 and attacker ip public address is 3.3.3.3. To establish communications between these three elements, there are several routers between them to route packets. What I don't see is how, when the attacker sends packets to 2.2.2.2 using source public ip address 1.1.1.1, the routers between all elements return these packets to the attacker (which has 3.3.3.3 ip address). Sorry for my "basic" knowledge in these fields :) -- Greetings, C. L. Martinez
Re: How easy is to do a MITM/spoof/etc. a public IP address?
On Wed, Jan 25, 2017 at 02:07:55PM +0000, Stuart Henderson wrote:
> On 2017-01-25, C. L. Martinez <carlopm...@gmail.com> wrote:
> > Hi all,
> >
> > I have received a (maybe) "stupid" request from one of our customers. We have a pair of public OpenBSD firewalls (CARPed) that our development team use to access several customers via VPN IPsec tunnels. But this morning we have received a request from one of these customers to access our development servers using only one acl to permit their public IP address (without using VPN IPsec, or VPN SSL tunnels).
> >
> > And my (OT) question: how easy is it to do a MITM attack (DNS spoofing for example, or another type of attack that permits to fake source public ip address) in this scenario?
>
> For an attacker with no access to endpoints or network in between:
>
> - For many protocols including UDP, it is absolutely trivial to send traffic from a fake source address.

But, only SYN can be sent, right?? Source's attacker ip address will not receive ACK, etc. Is it correct? If it is, he/she/they only can do DoS attack, they can't steal information, right?

> - With TCP it depends on various things but sometimes you can predict enough of the IP stack behaviour to spoof blindly and send data. reassemble tcp + random-id can help.
>
> If an attacker can MITM (either by getting $client to send to their machine instead of yours directly, they can obviously log or modify packets before forwarding on to the real server. It depends what you're running over it as to whether this is a problem.

Uhmmm ... but in this case, I don't see how an attacker can fake original ip public source address ... Any theoretical example?

Many thanks Stuart for your help.

-- 
Greetings,
C. L. Martinez
How easy is to do a MITM/spoof/etc. a public IP address?
Hi all,

I have received a (maybe) "stupid" request from one of our customers. We have a pair of public OpenBSD firewalls (CARPed) that our development team use to access several customers via VPN IPsec tunnels. But this morning we have received a request from one of these customers to access our development servers using only one acl to permit their public IP address (without using VPN IPsec, or VPN SSL tunnels).

And my (OT) question: how easy is it to do a MITM attack (DNS spoofing for example, or another type of attack that permits to fake source public ip address) in this scenario?

Many thanks.

-- 
Greetings,
C. L. Martinez
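The thread's defensive advice (a source-address ACL plus "reassemble tcp + random-id") translates into a few pf.conf(5) lines. The fragment below is an added illustration, not configuration from the thread; the interface name em0, the customer address 203.0.113.10 and the server addresses in 192.0.2.0/24 are placeholders from the documentation ranges. It goes slightly beyond the thread by adding antispoof and requiring a completed handshake on the allowed rule.

```conf
# Added example, not from the thread. em0 and all addresses are placeholders.
ext_if   = "em0"
customer = "203.0.113.10"                  # the customer's fixed public address
devsrv   = "{ 192.0.2.20, 192.0.2.21 }"    # development servers behind the firewall

set reassemble yes
set skip on lo

# Drop packets that claim a source address belonging to one of our own
# networks but arrive on the wrong interface.
antispoof quick for $ext_if

# Normalise traffic: reassemble TCP segments and randomise the IP ID field.
# These are the two scrub options the thread refers to; they remove side
# channels a blind spoofer can use to guess stack state.
match in all scrub (no-df random-id reassemble tcp)

block log all

# Only the customer's address may reach the development servers. The TCP
# handshake must complete (flags S/SA) and the connection is state-tracked
# with modulated ISNs, so a lone spoofed SYN carries no payload.
pass in quick on $ext_if proto tcp from $customer to $devsrv port { 22, 443 } flags S/SA modulate state

pass out on $ext_if modulate state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it. The ACL only identifies the customer by address; anyone who is actually on the path between the two networks, which is the MITM case discussed later in the thread, is unaffected by these rules, so the application protocol on top still needs its own authentication and encryption.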
Re: PCI Express wireless adapter supported under OpenBSD
On Wed 30.Nov'16 at 11:44:13 +0100, Stefan Sperling wrote:
> On Wed, Nov 30, 2016 at 10:12:32AM +0000, C. L. Martinez wrote:
> > I have discovered that Asus AC88 AC3100 uses BCM4366 chip, but if I am not wrong this chip is not supported under OpenBSD, is it right?
>
> Indeed, BCM4366 won't work.
>
> There are many Atheros AR9280 devices on sites such as ebay. And some vendors like pcengines still sell cards with this chip. You could also search for other chip names listed in the athn(4) man page.

Ok, I have found a good candidate: TP-LINK TL-WDN4800. According to TP-Link's webpage it uses an Atheros AR9380 chip. But, under the athn(4) OpenBSD man page, this chip doesn't appear for OpenBSD 6.0 ... but it appears under the OpenBSD 4.9 changelog: https://www.openbsd.org/plus49.html. Then, is it supported or not?

Thanks.

-- 
Greetings,
C. L. Martinez
Re: PCI Express wireless adapter supported under OpenBSD
On Wed 30.Nov'16 at 10:26:32 +0100, Peter N. M. Hansteen wrote:
> On Wed, Nov 30, 2016 at 08:09:24AM +0000, C. L. Martinez wrote:
> > I would like to install OpenBSD on a HP Microserver Gen8 to act as a firewall and hostap. I am searching what components I need and I have a doubt about what wireless interface I need to buy to use it as a hostap under OpenBSD.
>
> The Microserver Gen8s are really nice machines for the application you describe, once you set the disk controller to something sensible (as previously reported).
>
> When it comes to your primary question I don't have a good answer, but in case those boards are not supported it's worth keeping in mind one other option: get the highest quality access point or 'wireless router' you can afford, configure it as access point only (no dhcp or routing, leave that to the OpenBSD tools)
>

I agree. Microserver Gen8 is a fantastic box to deploy this type of scenario. My idea is to buy a SSD drive, configure this harddisk as RAID0 in B120i and fire up OpenBSD .. I prefer to avoid buying an access point. I can wait for better support and data rates from the OpenBSD side in future releases ...

-- 
Greetings,
C. L. Martinez
Re: PCI Express wireless adapter supported under OpenBSD
On Wed 30.Nov'16 at 10:04:25 +0100, Stefan Sperling wrote:
> On Wed, Nov 30, 2016 at 08:09:24AM +0000, C. L. Martinez wrote:
> > Hi all,
> >
> > I would like to install OpenBSD on a HP Microserver Gen8 to act as a firewall and hostap. I am searching what components I need and I have a doubt about what wireless interface I need to buy to use it as a hostap under OpenBSD.
> >
> > I have found only these:
> >
> > - Asus PCE-AC88 Wireless 5GHz PCI-E AC3100
> > - Asus PCE-AC68 PCI-E WiFi Dual-Band AC1900
> >
> > Searching in ASUS's web, I didn't find any info about what chip these adapters use. Are they supported under OpenBSD? Do you recommend any other wireless adapter (PCI-e)?? Throughput needs to be 300 Mbps, at least.
> >
> > Thanks.
>
> I'm afraid you won't get 300 Mbps from any wifi device on OpenBSD. Our 802.11n support is still in very early stages.
>
> The best access point OpenBSD can offer uses obsolete AR9280 Atheros hardware with 802.11a data rates (theoretical maximum 54Mbit/s). 802.11n is not yet supported by any driver which has hostap support.
>
> For your kinds of requirements, the best solution is an external access point connected to your OpenBSD box with gigabit ethernet.

Many thanks Stefan and Ze for your answers. But thinking about it maybe it is a good idea to limit throughput to 150Mbps or less at this first stage. I can wait until OpenBSD will support more data rates.

I have discovered that Asus AC88 AC3100 uses BCM4366 chip, but if I am not wrong this chip is not supported under OpenBSD, is it right?

Thanks.
PCI Express wireless adapter supported under OpenBSD
Hi all,

I would like to install OpenBSD on a HP Microserver Gen8 to act as a firewall and hostap. I am searching what components I need and I have a doubt about what wireless interface I need to buy to use it as a hostap under OpenBSD.

I have found only these:

- Asus PCE-AC88 Wireless 5GHz PCI-E AC3100
- Asus PCE-AC68 PCI-E WiFi Dual-Band AC1900

Searching in ASUS's web, I didn't find any info about what chip these adapters use. Are they supported under OpenBSD? Do you recommend any other wireless adapter (PCI-e)?? Throughput needs to be 300 Mbps, at least.

Thanks.

-- 
Greetings,
C. L. Martinez
FW Hardware
There have been some good discussions lately about HW capable of running a lot of traffic, .. but this question is about the other end of the spectrum.

Have a need for a small FW appliance that can be used to protect a single machine and provide a simple way to whitelist a single IP or two. Two HW ethernet ports, OBSD compatible, small form factor, low cost.

Any recommendations?

Thanks!
Lee
Re: httpd: old behavior returns: Couldn't resolve host (SOLVED)
On Mon 5.Sep'16 at 16:15:12 +0000, C. L. Martinez wrote:
> Hi all,
>
> I have upgraded my TT-RSS server based on OpenBSD 5.9 to OpenBSD 6.0. All goes perfect, except when I try to add news feeds. As I reported in the past: http://marc.info/?l=openbsd-misc=146739024615025=2, tt-rss returns "Couldn't resolve host" every time that I try to add a new feed. As Stuart pointed out to me in the past, I have copied /etc/hosts and /etc/resolv.conf to the /var/www/etc chroot, but in OpenBSD 6.0 it doesn't work.
>
> Is it a bug or do I need to configure any option inside httpd.conf??
>
> Thanks.
>
> -- 
> Greetings,
> C. L. Martinez

Ok, problem solved. php-fpm needs to be restarted. Sorry for the noise.

-- 
Greetings,
C. L. Martinez
httpd: old behavior returns: Couldn't resolve host
Hi all,

I have upgraded my TT-RSS server based on OpenBSD 5.9 to OpenBSD 6.0. All goes perfect, except when I try to add news feeds. As I reported in the past: http://marc.info/?l=openbsd-misc=146739024615025=2, tt-rss returns "Couldn't resolve host" every time that I try to add a new feed. As Stuart pointed out to me in the past, I have copied /etc/hosts and /etc/resolv.conf to the /var/www/etc chroot, but in OpenBSD 6.0 it doesn't work.

Is it a bug or do I need to configure any option inside httpd.conf??

Thanks.

-- 
Greetings,
C. L. Martinez
Recommendation about an Alfa usb wireless adapter to use it as HostAP
Hi all,

I would like to install OpenBSD as a hostap for my home. I have done the same in the past, running OpenBSD as a kvm guest on my laptop and all works really well. I am thinking to use an Alfa (http://www.alfa.com.tw) usb wireless adapter. There is not much information in Alfa's web about which of them can run as a HostAP. Any recommendation? Maybe AWUS036ACH can support this functionality, but I am not sure ...

Thanks.

-- 
Greetings,
C. L. Martinez
Re: Encrypting carp traffic with ipsec
On Thu 4.Aug'16 at 12:30:56 +0000, C. L. Martinez wrote:
> On Tue 2.Aug'16 at 7:54:08 +0000, C. L. Martinez wrote:
> > On Mon 1.Aug'16 at 7:54:57 +0000, C. L. Martinez wrote:
> > > On Fri 29.Jul'16 at 10:55:01 +0300, Kapetanakis Giannis wrote:
> > > > On 28/07/16 22:47, C. L. Martinez wrote:
> > > > > Hi all,
> > > > >
> > > > > I will try to encrypt all carp traffic between two OpenBSD 5.9 fws (fully patched). According to ifconfig(8) man page:
> > > > >
> > > > > carppeer peer_address
> > > > > Send the carp advertisements to a specified point-to-point peer or multicast group instead of sending the messages to the default carp multicast group. The peer_address is the IP address of the other host taking part in the carp cluster. With this option, carp(4) traffic can be protected using ipsec(4) and it may be desired in networks that do not allow or have problems with IPv4 multicast traffic.
> > > > >
> > > > > And the last sentence describes the type of problem that I want to avoid: "carp(4) traffic can be protected using ipsec(4) and it may be desired in networks that do not allow or have problems with IPv4 multicast traffic".
> > > > >
> > > > > But I don't see how to implement this feature. If I am not wrong, I need to configure ipsec in transport mode. But how to encrypt carp protocol only and keep all others services and protocols out of ipsec tunnels??
> > > > >
> > > > > Any tip or sample??
> > > > >
> > > >
> > > > check proto (from protocol) in ipsec.conf(5)
> > > >
> > > > G
> > > >
> > >
> > > Ok, after doing several tests these days, I have configured ipsec.conf instead of iked.conf. But carp interfaces remain in MASTER mode in both firewalls:
> > >
> > > FwA:
> > >
> > > carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > > lladdr 01:00:5e:00:01:01
> > > priority: 15
> > > carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.13
> > > state MASTER vhid 1 advskew 100
> > > state MASTER vhid 2 advskew 0
> > > groups: carp
> > > status: master
> > > inet 172.22.55.14 netmask 0x19f0 broadcast 172.22.247.15
> > > carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > > lladdr 01:00:5e:00:01:03
> > > priority: 15
> > > carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.3
> > > state MASTER vhid 3 advskew 100
> > > state MASTER vhid 4 advskew 0
> > > groups: carp
> > > status: master
> > > inet 172.30.77.1 netmask 0xfff8 broadcast 172.30.77.7
> > >
> > > FwB:
> > >
> > > carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > > lladdr 01:00:5e:00:01:01
> > > priority: 15
> > > carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.12
> > > state MASTER vhid 1 advskew 0
> > > state MASTER vhid 2 advskew 100
> > > groups: carp
> > > status: master
> > > inet 172.22.55.14 netmask 0x19f0 broadcast 172.22.247.15
> > > carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > > lladdr 01:00:5e:00:01:03
> > > priority: 15
> > > carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.2
> > > state MASTER vhid 3 advskew 0
> > > state MASTER vhid 4 advskew 100
> > > groups: carp
> > > status: master
> > > inet 172.30.77.1 netmask 0xfff8 broadcast 172.30.77.7
> > >
> > > IPsec flows are established in both firewalls:
> > >
> > > FwA:
> > >
> > > FLOWS:
> > > flow esp in proto carp from 172.22.57.3 to 172.22.57.2 peer 172.22.57.3 srcid 172.22.57.2/32 dstid 172.22.57.3/32 typ
Re: Encrypting carp traffic with ipsec
On Tue 2.Aug'16 at 7:54:08 +0000, C. L. Martinez wrote:
> On Mon 1.Aug'16 at 7:54:57 +0000, C. L. Martinez wrote:
> > On Fri 29.Jul'16 at 10:55:01 +0300, Kapetanakis Giannis wrote:
> > > On 28/07/16 22:47, C. L. Martinez wrote:
> > > > Hi all,
> > > >
> > > > I will try to encrypt all carp traffic between two OpenBSD 5.9 fws (fully patched). According to ifconfig(8) man page:
> > > >
> > > > carppeer peer_address
> > > > Send the carp advertisements to a specified point-to-point peer or multicast group instead of sending the messages to the default carp multicast group. The peer_address is the IP address of the other host taking part in the carp cluster. With this option, carp(4) traffic can be protected using ipsec(4) and it may be desired in networks that do not allow or have problems with IPv4 multicast traffic.
> > > >
> > > > And the last sentence describes the type of problem that I want to avoid: "carp(4) traffic can be protected using ipsec(4) and it may be desired in networks that do not allow or have problems with IPv4 multicast traffic".
> > > >
> > > > But I don't see how to implement this feature. If I am not wrong, I need to configure ipsec in transport mode. But how to encrypt carp protocol only and keep all others services and protocols out of ipsec tunnels??
> > > >
> > > > Any tip or sample??
> > > >
> > >
> > > check proto (from protocol) in ipsec.conf(5)
> > >
> > > G
> > >
> >
> > Ok, after doing several tests these days, I have configured ipsec.conf instead of iked.conf. But carp interfaces remain in MASTER mode in both firewalls:
> >
> > FwA:
> >
> > carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > lladdr 01:00:5e:00:01:01
> > priority: 15
> > carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.13
> > state MASTER vhid 1 advskew 100
> > state MASTER vhid 2 advskew 0
> > groups: carp
> > status: master
> > inet 172.22.55.14 netmask 0x19f0 broadcast 172.22.247.15
> > carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > lladdr 01:00:5e:00:01:03
> > priority: 15
> > carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.3
> > state MASTER vhid 3 advskew 100
> > state MASTER vhid 4 advskew 0
> > groups: carp
> > status: master
> > inet 172.30.77.1 netmask 0xfff8 broadcast 172.30.77.7
> >
> > FwB:
> >
> > carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > lladdr 01:00:5e:00:01:01
> > priority: 15
> > carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.12
> > state MASTER vhid 1 advskew 0
> > state MASTER vhid 2 advskew 100
> > groups: carp
> > status: master
> > inet 172.22.55.14 netmask 0x19f0 broadcast 172.22.247.15
> > carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > lladdr 01:00:5e:00:01:03
> > priority: 15
> > carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.2
> > state MASTER vhid 3 advskew 0
> > state MASTER vhid 4 advskew 100
> > groups: carp
> > status: master
> > inet 172.30.77.1 netmask 0xfff8 broadcast 172.30.77.7
> >
> > IPsec flows are established in both firewalls:
> >
> > FwA:
> >
> > FLOWS:
> > flow esp in proto carp from 172.22.57.3 to 172.22.57.2 peer 172.22.57.3 srcid 172.22.57.2/32 dstid 172.22.57.3/32 type use
> > flow esp out proto carp from 172.22.57.2 to 172.22.57.3 peer 172.22.57.3 srcid 172.22.57.2/32 dstid 172.22.57.3/32 type require
> > flow esp in proto carp from 172.22.58.3 to 172.22.58.2 peer 172.22.58.3 srcid 172.22.58.2/32 dstid 172.22.58.3/32 type use
> > flow esp out proto carp from 172.22.58.2 to 172.22.58.3 peer 172.22.58.3 srcid 172.22.58.2/32 dstid 172.22.58.3/32 type require
> > flow esp in proto carp from 172.22.55.13 to 172.22.55.12 pee
Re: Encrypting carp traffic with ipsec
On Mon 1.Aug'16 at 7:54:57 +0000, C. L. Martinez wrote:
> On Fri 29.Jul'16 at 10:55:01 +0300, Kapetanakis Giannis wrote:
> > On 28/07/16 22:47, C. L. Martinez wrote:
> > > Hi all,
> > >
> > > I will try to encrypt all carp traffic between two OpenBSD 5.9 fws (fully patched). According to ifconfig(8) man page:
> > >
> > > carppeer peer_address
> > > Send the carp advertisements to a specified point-to-point peer or multicast group instead of sending the messages to the default carp multicast group. The peer_address is the IP address of the other host taking part in the carp cluster. With this option, carp(4) traffic can be protected using ipsec(4) and it may be desired in networks that do not allow or have problems with IPv4 multicast traffic.
> > >
> > > And the last sentence describes the type of problem that I want to avoid: "carp(4) traffic can be protected using ipsec(4) and it may be desired in networks that do not allow or have problems with IPv4 multicast traffic".
> > >
> > > But I don't see how to implement this feature. If I am not wrong, I need to configure ipsec in transport mode. But how to encrypt carp protocol only and keep all others services and protocols out of ipsec tunnels??
> > >
> > > Any tip or sample??
> > >
> >
> > check proto (from protocol) in ipsec.conf(5)
> >
> > G
> >
>
> Ok, after doing several tests these days, I have configured ipsec.conf instead of iked.conf. But carp interfaces remain in MASTER mode in both firewalls:
>
> FwA:
>
> carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> lladdr 01:00:5e:00:01:01
> priority: 15
> carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.13
> state MASTER vhid 1 advskew 100
> state MASTER vhid 2 advskew 0
> groups: carp
> status: master
> inet 172.22.55.14 netmask 0x19f0 broadcast 172.22.247.15
> carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> lladdr 01:00:5e:00:01:03
> priority: 15
> carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.3
> state MASTER vhid 3 advskew 100
> state MASTER vhid 4 advskew 0
> groups: carp
> status: master
> inet 172.30.77.1 netmask 0xfff8 broadcast 172.30.77.7
>
> FwB:
>
> carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> lladdr 01:00:5e:00:01:01
> priority: 15
> carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.12
> state MASTER vhid 1 advskew 0
> state MASTER vhid 2 advskew 100
> groups: carp
> status: master
> inet 172.22.55.14 netmask 0x19f0 broadcast 172.22.247.15
> carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> lladdr 01:00:5e:00:01:03
> priority: 15
> carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.2
> state MASTER vhid 3 advskew 0
> state MASTER vhid 4 advskew 100
> groups: carp
> status: master
> inet 172.30.77.1 netmask 0xfff8 broadcast 172.30.77.7
>
> IPsec flows are established in both firewalls:
>
> FwA:
>
> FLOWS:
> flow esp in proto carp from 172.22.57.3 to 172.22.57.2 peer 172.22.57.3 srcid 172.22.57.2/32 dstid 172.22.57.3/32 type use
> flow esp out proto carp from 172.22.57.2 to 172.22.57.3 peer 172.22.57.3 srcid 172.22.57.2/32 dstid 172.22.57.3/32 type require
> flow esp in proto carp from 172.22.58.3 to 172.22.58.2 peer 172.22.58.3 srcid 172.22.58.2/32 dstid 172.22.58.3/32 type use
> flow esp out proto carp from 172.22.58.2 to 172.22.58.3 peer 172.22.58.3 srcid 172.22.58.2/32 dstid 172.22.58.3/32 type require
> flow esp in proto carp from 172.22.55.13 to 172.22.55.12 peer 172.22.55.13 srcid 172.22.55.12/32 dstid 172.22.55.13/32 type use
> flow esp out proto carp from 172.22.55.12 to 172.22.55.13 peer 172.22.55.13 srcid 172.22.55.12/32 dstid 172.22.55.13/32 type require
> flow esp in proto carp from 172.30.77.3 to 172.30.77.2 peer 172.30.77.3 srcid 172.30.77.2/32 dstid 172.30.77.3/32 type use
> flow esp out proto carp from 172.30.77.2 to 172.30.77.3 peer 172.30.77.3 srcid 172.30.77.2/32 dstid 172.30.77.3/32 type require
> flow esp in proto carp from 172.22.54.3 to 172.22.54.2 pee
Re: Encrypting carp traffic with ipsec
On Fri 29.Jul'16 at 10:55:01 +0300, Kapetanakis Giannis wrote:
> On 28/07/16 22:47, C. L. Martinez wrote:
> > Hi all,
> >
> > I will try to encrypt all carp traffic between two OpenBSD 5.9 fws (fully patched). According to ifconfig(8) man page:
> >
> > carppeer peer_address
> > Send the carp advertisements to a specified point-to-point peer or multicast group instead of sending the messages to the default carp multicast group. The peer_address is the IP address of the other host taking part in the carp cluster. With this option, carp(4) traffic can be protected using ipsec(4) and it may be desired in networks that do not allow or have problems with IPv4 multicast traffic.
> >
> > And the last sentence describes the type of problem that I want to avoid: "carp(4) traffic can be protected using ipsec(4) and it may be desired in networks that do not allow or have problems with IPv4 multicast traffic".
> >
> > But I don't see how to implement this feature. If I am not wrong, I need to configure ipsec in transport mode. But how to encrypt carp protocol only and keep all others services and protocols out of ipsec tunnels??
> >
> > Any tip or sample??
> >
>
> check proto (from protocol) in ipsec.conf(5)
>
> G
>

Ok, after doing several tests these days, I have configured ipsec.conf instead of iked.conf. But carp interfaces remain in MASTER mode in both firewalls:

FwA:

carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 01:00:5e:00:01:01
        priority: 15
        carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.13
                state MASTER vhid 1 advskew 100
                state MASTER vhid 2 advskew 0
        groups: carp
        status: master
        inet 172.22.55.14 netmask 0x19f0 broadcast 172.22.247.15
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 01:00:5e:00:01:03
        priority: 15
        carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.3
                state MASTER vhid 3 advskew 100
                state MASTER vhid 4 advskew 0
        groups: carp
        status: master
        inet 172.30.77.1 netmask 0xfff8 broadcast 172.30.77.7

FwB:

carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 01:00:5e:00:01:01
        priority: 15
        carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.12
                state MASTER vhid 1 advskew 0
                state MASTER vhid 2 advskew 100
        groups: carp
        status: master
        inet 172.22.55.14 netmask 0x19f0 broadcast 172.22.247.15
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 01:00:5e:00:01:03
        priority: 15
        carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.2
                state MASTER vhid 3 advskew 0
                state MASTER vhid 4 advskew 100
        groups: carp
        status: master
        inet 172.30.77.1 netmask 0xfff8 broadcast 172.30.77.7

IPsec flows are established in both firewalls:

FwA:

FLOWS:
flow esp in proto carp from 172.22.57.3 to 172.22.57.2 peer 172.22.57.3 srcid 172.22.57.2/32 dstid 172.22.57.3/32 type use
flow esp out proto carp from 172.22.57.2 to 172.22.57.3 peer 172.22.57.3 srcid 172.22.57.2/32 dstid 172.22.57.3/32 type require
flow esp in proto carp from 172.22.58.3 to 172.22.58.2 peer 172.22.58.3 srcid 172.22.58.2/32 dstid 172.22.58.3/32 type use
flow esp out proto carp from 172.22.58.2 to 172.22.58.3 peer 172.22.58.3 srcid 172.22.58.2/32 dstid 172.22.58.3/32 type require
flow esp in proto carp from 172.22.55.13 to 172.22.55.12 peer 172.22.55.13 srcid 172.22.55.12/32 dstid 172.22.55.13/32 type use
flow esp out proto carp from 172.22.55.12 to 172.22.55.13 peer 172.22.55.13 srcid 172.22.55.12/32 dstid 172.22.55.13/32 type require
flow esp in proto carp from 172.30.77.3 to 172.30.77.2 peer 172.30.77.3 srcid 172.30.77.2/32 dstid 172.30.77.3/32 type use
flow esp out proto carp from 172.30.77.2 to 172.30.77.3 peer 172.30.77.3 srcid 172.30.77.2/32 dstid 172.30.77.3/32 type require
flow esp in proto carp from 172.22.54.3 to 172.22.54.2 peer 172.22.54.3 srcid 172.22.54.2/32 dstid 172.22.54.3/32 type use
flow esp out proto carp from 172.22.54.2 to 172.22.54.3 peer 172.22.54.3 srcid 172.22.54.2/32 dstid 172.22.54.3/32 type require
flow esp in proto carp from 172.22.56.3 to 172.22.56.2 peer 172.22.56.3 srcid 172.22.56.2/32 dstid 172.22.56.3/32 type use
flow esp out proto carp from 172.22.56.2 to 172.22.56.3 peer 172.22.56.3 srcid 172.22.56.2/32 dstid 172.22.56.3/32 type require

SAD:
esp transport from 172.22.54.3 to 172.22.54.2 spi 0x1ee8aacd auth hmac-sha2-256 enc aes
esp transport from 172.22.55.13 to 172.22.55.12 sp
Re: Encrypting carp traffic with ipsec
On Fri 29.Jul'16 at 10:55:01 +0300, Kapetanakis Giannis wrote:
> On 28/07/16 22:47, C. L. Martinez wrote:
> > Hi all,
> >
> > I will try to encrypt all carp traffic between two OpenBSD 5.9 fws (fully patched). According to ifconfig(8) man page:
> >
> > carppeer peer_address
> > Send the carp advertisements to a specified point-to-point peer or multicast group instead of sending the messages to the default carp multicast group. The peer_address is the IP address of the other host taking part in the carp cluster. With this option, carp(4) traffic can be protected using ipsec(4) and it may be desired in networks that do not allow or have problems with IPv4 multicast traffic.
> >
> > And the last sentence describes the type of problem that I want to avoid: "carp(4) traffic can be protected using ipsec(4) and it may be desired in networks that do not allow or have problems with IPv4 multicast traffic".
> >
> > But I don't see how to implement this feature. If I am not wrong, I need to configure ipsec in transport mode. But how to encrypt carp protocol only and keep all others services and protocols out of ipsec tunnels??
> >
> > Any tip or sample??
> >
>
> check proto (from protocol) in ipsec.conf(5)
>
> G
>

Thanks Giannis. I have configured iked.conf in both firewalls.

FirewallA:

ikev2 esp proto carp from 172.22.55.12 to 172.22.55.13 psk "74ed973deb695a3a5056e2e6ba3fdcb3" tap enc0

FirewallB:

ikev2 esp proto carp from 172.22.55.13 to 172.22.55.12 psk "74ed973deb695a3a5056e2e6ba3fdcb3" tap enc0

Starting iked from shell, all tunnels are established. But when I add iked_flags= to rc.conf.local and reboot both firewalls, the startup process stops in the iked process and never finishes. I need to do a hard reset ...

Any idea why??
Encrypting carp traffic with ipsec
Hi all,

I will try to encrypt all carp traffic between two OpenBSD 5.9 fws (fully patched). According to ifconfig(8) man page:

carppeer peer_address
        Send the carp advertisements to a specified point-to-point peer or multicast group instead of sending the messages to the default carp multicast group. The peer_address is the IP address of the other host taking part in the carp cluster. With this option, carp(4) traffic can be protected using ipsec(4) and it may be desired in networks that do not allow or have problems with IPv4 multicast traffic.

And the last sentence describes the type of problem that I want to avoid: "carp(4) traffic can be protected using ipsec(4) and it may be desired in networks that do not allow or have problems with IPv4 multicast traffic".

But I don't see how to implement this feature. If I am not wrong, I need to configure ipsec in transport mode. But how to encrypt carp protocol only and keep all others services and protocols out of ipsec tunnels??

Any tip or sample??
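The thread later shows the iked.conf form of this setup; the ipsec.conf(5) equivalent, keyed by isakmpd(8), is the following added example. It is not configuration from the thread: the two addresses are the carppeer addresses that appear later in the thread, the PSK is a placeholder, and FirewallB uses the same rule with from/to swapped. The "proto carp" restriction is what Giannis points at: only CARP advertisements between the two peers enter ESP transport mode, everything else between the hosts stays in the clear.

```conf
# Added example, not from the thread. Addresses reuse the thread's
# carppeer pair; the PSK below is a placeholder and must be replaced.
# This is FirewallA's /etc/ipsec.conf; FirewallB swaps from and to.
carp_local = "172.22.55.12"
carp_peer  = "172.22.55.13"

# Transport-mode ESP that covers only IP protocol 112 (carp) between the
# two carppeer addresses. Phase 1 and phase 2 algorithms are set explicitly
# so both sides agree regardless of release defaults.
ike esp transport proto carp from $carp_local to $carp_peer peer $carp_peer main auth hmac-sha2-256 enc aes group modp2048 quick auth hmac-sha2-256 enc aes group modp2048 psk "REPLACE-WITH-A-LONG-RANDOM-SECRET"
```

Validate with `ipsecctl -nf /etc/ipsec.conf`, then enable `ipsec=YES` and `isakmpd_flags="-K"` in rc.conf.local so the flows load at boot. pf.conf must let the two hosts exchange ESP and IKE (udp port 500) on the physical interface, and must pass proto carp on enc0, because that is the interface on which the decrypted advertisements arrive. If both nodes remain MASTER, the advertisements are not getting through; `tcpdump -ni enc0 proto carp` on either side shows whether they are being decrypted and `pfctl -sr` whether pf is dropping them afterwards.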
Using "> /tmp/debug.log 2>&" in a startup script
Hi all,

I need to debug a daemon when it is called from the init process. To accomplish this, I need to add "> /tmp/debug.log 2>&1" to daemon_flags (or to another option), but it doesn't work. I have tried the following combinations:

a/ daemon_flags="--first-option --second-option > /tmp/debug.log 2>&1" and using the following rc_start options:

${rcexec} "${daemon} ${daemon_flags} ${_bg}"

(rc_bg=YES in the startup script.)

b/ daemon_flags="--first-option --second-option", adding another section with more_flags="> /tmp/debug.log 2>&1" and using the following rc_start options:

${rcexec} "${daemon} ${daemon_flags} ${more_flags} ${_bg}"

(rc_bg=YES in the startup script.)

c/ And the last try is to use rc_start options:

${rcexec} "${daemon} ${daemon_flags}" > /tmp/debug.log 2>&1 &

None of these solutions works. What am I doing wrong?

Thanks.

-- 
Greetings,
C. L. Martinez
Re: Core dumps with sphinx package
On Fri 8.Jul'16 at 12:40:57 +0200, Adam Wolk wrote:
> On Fri, Jul 08, 2016 at 09:16:15AM +0000, C. L. Martinez wrote:
> > Hi all,
> >
> > Once a day, searchd daemon (installed from OpenBSD's packages repository) generates a core dump. How can I report this problem? To openbsd-ports mailing list??
> >
> > Thanks.
> >
> > -- 
> > Greetings,
> > C. L. Martinez
> >
>
> First of all obtain a backtrace from your core dump. You can do this with gdb by passing in the program binary and the core dump as arguments:
> $ gdb prog prog.core
>
> use the 'bt' command to obtain a backtrace when it's done loading.
>
> You might need to rebuild the package with debug symbols in order to obtain a useful trace.
>
> Gather as much info as you can:
> - check dmesg for errors
> - did it work before? when did it start to segfault?
> - anything in the logs?
> - what OpenBSD version are you running? (-current?)
>
> Take a look at the backtrace and the info you obtained. Check the upstream source code, maybe you can fix the error yourself now? If not, take the information you gathered and post to ports@ CC'ing the port maintainer. You should also report the problem upstream to package developers if the problem is not OpenBSD specific (and it's frequently worth reporting even if it is specific).
>
> Regards,
> Adam
>

Many thanks Adam ... I will try to do all the steps and report to ports@ afterwards.

-- 
Greetings,
C. L. Martinez
Core dumps with sphinx package
Hi all,

Once a day, searchd daemon (installed from OpenBSD's packages repository) generates a core dump. How can I report this problem? To openbsd-ports mailing list??

Thanks.

-- 
Greetings,
C. L. Martinez
Strange behavior with php config
Hi all,

I am using php-5.6 with NGinx web server in an OpenBSD 5.9 host. I have configured the error_log option to log specific php errors in a separate log file: "error_log = /tmp/php_errors.log". Nginx is running in chroot (as it does by default) under /var/www. I hoped that the errors were fed into the above file inside of the /var/www chroot, and they are. But they are also written under the system's /tmp directory. In summary, I have two php_errors.log files where I can see all duplicated errors ...

Why?? How can I fix it?

Thanks.

-- 
Greetings,
C. L. Martinez
Re: Installing NextCloud under OpenBSD 5.9
On Sat 2.Jul'16 at 22:37:49 +0200, Adam Wolk wrote:
> On Sat, 2 Jul 2016 19:26:57 +0000
> "C. L. Martinez" <carlopm...@gmail.com> wrote:
>
> > Hi all,
> >
> > I am trying to install NextCloud under an OpenBSD 5.9 host using OpenBSD's httpd. But I am not sure that Nextcloud can work with OpenBSD's httpd.
> >
> > First of all, rewrite rules like these:
> >
> > RewriteEngine on
> > RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
> > RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
> > RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
> > RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
> > RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
> > RewriteRule ^remote/(.*) remote.php [QSA,L]
> > RewriteRule ^(build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
> > RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*
> > RewriteRule ^(\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
> >
> > Can they be backported to OpenBSD's httpd? I am thinking to install apache on the same host, configure NextCloud on it, and redirect requests from OpenBSD's httpd to apache (listening on localhost only).
> >
> > What do you think?
> >
> > Thanks.
> >
> > -- 
> > Greetings,
> > C. L. Martinez
> >
>
> https://github.com/reyk/httpd/wiki/Running-ownCloud-with-httpd-on-OpenBSD
>
> Owncloud works with httpd. Nextcloud should also work.
>

Thanks Adam. I will read carefully and I will try to configure it using this guide: http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/www/owncloud/pkg/README?rev=1.44=text/x-cvsweb-markup

Many thanks to all.

-- 
Greetings,
C. L. Martinez
Installing NextCloud under OpenBSD 5.9
Hi all,

I am trying to install NextCloud under an OpenBSD 5.9 host using OpenBSD's httpd. But I am not sure that Nextcloud can work with OpenBSD's httpd.

First of all, rewrite rules like these:

    RewriteEngine on
    RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
    RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
    RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
    RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
    RewriteRule ^remote/(.*) remote.php [QSA,L]
    RewriteRule ^(build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
    RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*
    RewriteRule ^(\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]

Can they be backported to OpenBSD's httpd? I am thinking of installing apache on the same host, configuring NextCloud on it, and redirecting requests from OpenBSD's httpd to apache (listening on localhost only).

What do you think?

Thanks.

--
Greetings,
C. L. Martinez
Re: I am not sure if it is a problem with OpenBSD's httpd
On Fri 1.Jul'16 at 16:21:27 +, Stuart Henderson wrote:
> On 2016-07-01, C. L. Martinez <carlopm...@gmail.com> wrote:
> > Recently, I have installed an OpenBSD virtual machine in my laptop with
> > TT-RSS, and all works perfectly. Until I try to subscribe to a new feed.
> > Every time, tt-rss returns the error "6 Couldn't resolve host". It is
> > strange, because all other feeds migrated from another linux host work ok.
>
> It might be this, which used to be in faq 10 but was removed a while ago:
>
> << Name Resolution: httpd(8) inside the chroot(2) will NOT be able to
> use the system /etc/hosts or /etc/resolv.conf. Therefore, if you have
> applications which require name resolution, you will need to populate
> /var/www/etc/hosts and/or /var/www/etc/resolv.conf in the chroot(2)
> environment. Note that some applications expect the resolution of
> "localhost" to work. >>

It was!! .. Perfect, now it works. Many thanks Stuart

--
Greetings,
C. L. Martinez
I am not sure if it is a problem with OpenBSD's httpd
Hi all

Recently, I have installed an OpenBSD virtual machine in my laptop with TT-RSS, and all works perfectly. Until I try to subscribe to a new feed. Every time, tt-rss returns the error "6 Couldn't resolve host". It is strange, because all other feeds migrated from another linux host work ok. For example, if I try to subscribe to the http://googleprojectzero.blogspot.com/feeds/posts/default feed, the error is returned. But when I try to resolve the DNS name googleprojectzero.blogspot.com in the shell, it works ok:

    Last login: Fri Jul 1 07:06:54 2016 from 172.22.55.1
    OpenBSD 5.9 (GENERIC) #4: Thu May 19 08:23:10 CEST 2016

    Welcome to OpenBSD: The proactively secure Unix-like operating system.

    Please use the sendbug(1) utility to report bugs in the system.
    Before reporting a bug, please try to reproduce it with the latest
    version of the code.  With bug reports, please try to ensure that
    enough information to reproduce the problem is enclosed, and if a
    known fix for it exists, include that as well.

    root@edinburgh:~# nslookup googleprojectzero.blogspot.com
    Server:         172.22.55.1
    Address:        172.22.55.1#53

    Non-authoritative answer:
    googleprojectzero.blogspot.com  canonical name = blogspot.l.googleusercontent.com.
    Name:   blogspot.l.googleusercontent.com
    Address: 216.58.208.225

Arrived at this point, could it be a problem with OpenBSD's httpd daemon that runs in chroot??

Thanks.

--
Greetings,
C. L. Martinez
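The fix Stuart points to in his reply (populating /var/www/etc/hosts and /var/www/etc/resolv.conf inside the httpd chroot) written up as a small POSIX sh helper. This is an added example, not code from the thread or from OpenBSD; the chroot path /var/www comes from the quoted FAQ text, the function names are this example's own, and the files make_sample_etc writes are constructed. The copies go stale whenever /etc/resolv.conf changes, so run the sync again at that point rather than once.

```shell
#!/bin/sh
# Added example: copy the resolver configuration into the httpd(8) chroot so
# that applications running under it (here TT-RSS) can resolve names.
# Path /var/www/etc is the chroot's /etc as described in the quoted FAQ text;
# the function names below are this example's own.

# make_sample_etc DIR: writes constructed sample files (not from a real host)
# so the helper can be exercised against a scratch directory.
make_sample_etc() {
    mkdir -p "$1" || return 1
    printf 'nameserver 172.22.55.1\nlookup file bind\n' > "$1/resolv.conf"
    printf '127.0.0.1\tedinburgh\n' > "$1/hosts"   # deliberately lacks localhost
}

# sync_chroot_resolver SRC_ETC CHROOT_ETC
# Copies hosts and resolv.conf from SRC_ETC (normally /etc) into CHROOT_ETC
# (normally /var/www/etc), makes sure "localhost" resolves inside the chroot
# (the FAQ notes some applications expect that), and leaves the copies
# world-readable: the unprivileged www user only needs to read them.
sync_chroot_resolver() {
    src="$1"; dst="$2"
    mkdir -p "$dst" || return 1
    for f in resolv.conf hosts; do
        cp "$src/$f" "$dst/$f" || return 1
        chmod 0644 "$dst/$f" || return 1
    done
    # add localhost only if the copied hosts file does not already have it
    grep -qw localhost "$dst/hosts" ||
        printf '127.0.0.1\tlocalhost\n::1\t\tlocalhost\n' >> "$dst/hosts"
    return 0
}

# chroot_has_resolver CHROOT_ETC: succeeds if both files are present and
# resolv.conf names at least one nameserver; use it as a post-install check.
chroot_has_resolver() {
    [ -r "$1/hosts" ] && [ -r "$1/resolv.conf" ] &&
        grep -q '^nameserver[[:space:]]' "$1/resolv.conf"
}

# Stand-alone use on a real host (as root):
#   sync_chroot_resolver /etc /var/www/etc && chroot_has_resolver /var/www/etc
```

The check function is deliberately separate from the sync: a cron job or a dhclient hook can call chroot_has_resolver first and only rewrite the files when they are missing or the resolver list changed.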
Re: Clean OpenBSD's httpd logs
On Fri 1.Jul'16 at 7:39:13 +, Stuart Henderson wrote:
> On 2016-06-30, C. L. Martinez <carlopm...@gmail.com> wrote:
> > Hi all,
> >
> > Sorry if this question sounds stupid, but how can I avoid this type of
> > entry in OpenBSD's httpd access.log:
> >
> > 172.22.55.1:44710 -> 172.22.55.10, /favicon.ico (404 Not Found), [/] [/favicon.ico]
>
> Untested, but in theory: set a location that matches the favicon.ico file and
> disable logging (e.g. "no log") in that location block.

Perfect!!! .. Works like a charm. Many thanks Stuart.

--
Greetings,
C. L. Martinez
Re: Clean OpenBSD's httpd logs
On Thu 30.Jun'16 at 15:21:05 +0200, Thuban wrote:
> * C. L. Martinez <carlopm...@gmail.com> le [30-06-2016 12:50:36 +]:
> > Hi all,
> >
> > Sorry if this question sounds stupid, but how can I avoid this type of
> > entry in OpenBSD's httpd access.log:
> >
> > 172.22.55.1:44710 -> 172.22.55.10, /favicon.ico (404 Not Found), [/] [/favicon.ico]
>
> Hi,
> in httpd.conf :
>
> server "yourdomain.com" {
> ...
> no log
> }
>
> You might want to keep access log. Separate errors in another file :
>
> server "yourdomain.com" {
> ...
> log access "yourdomain.access.log"
> log error "yourdomain.errors.log"
> }
>
> see man httpd.conf for more :)
>
> --
> /Thuban/

Thanks Thuban, but I want to log all requests to this web server :)

--
Greetings,
C. L. Martinez
Clean OpenBSD's httpd logs
Hi all,

Sorry if this question sounds stupid, but how can I avoid this type of entry in OpenBSD's httpd access.log:

    172.22.55.1:44710 -> 172.22.55.10, /favicon.ico (404 Not Found), [/] [/favicon.ico]

??

Thanks.

--
Greetings,
C. L. Martinez
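Before silencing an entry with "no log" in a location block (Stuart's suggestion above) it is worth measuring what is actually noisy in access.log: a run of 404s for paths you never served is probe traffic you want to keep seeing, whereas /favicon.ico is browser background noise. The following POSIX sh/awk parser for the log line format quoted in the thread is an added example, not code from the thread or from OpenBSD; the function names are its own and the log lines written by write_sample_log are constructed.

```shell
#!/bin/sh
# Added example: find which paths produce a given status in an httpd(8)
# access.log written in the style quoted in the thread:
#   client:port -> server, /path (CODE Reason), [server-root] [file]
# Function names are this example's own; the sample lines are constructed.

# write_sample_log FILE: constructed access.log lines in the thread's format.
write_sample_log() {
    cat > "$1" <<'EOF'
172.22.55.1:44710 -> 172.22.55.10, /favicon.ico (404 Not Found), [/] [/favicon.ico]
172.22.55.1:44711 -> 172.22.55.10, /index.html (200 OK), [/] [/index.html]
172.22.55.1:44712 -> 172.22.55.10, /favicon.ico (404 Not Found), [/] [/favicon.ico]
172.22.55.1:44713 -> 172.22.55.10, /wp-login.php (404 Not Found), [/] [/wp-login.php]
172.22.55.1:44714 -> 172.22.55.10, /favicon.ico (404 Not Found), [/] [/favicon.ico]
EOF
}

# status_paths FILE CODE: prints "count path" for every request that got the
# given status code, most frequent first. Fields are split on ", ", so the
# second field is "/path (CODE Reason)"; the code is taken from the
# parenthesised status rather than by splitting on spaces, so a path with
# an encoded space does not break it.
status_paths() {
    awk -F', ' -v want="$2" '
        match($2, /\([0-9][0-9][0-9] [^)]*\)$/) {
            code = substr($2, RSTART + 1, 3)
            if (code == want) {
                path = substr($2, 1, RSTART - 2)   # drop " (CODE Reason)"
                cnt[path]++
            }
        }
        END { for (p in cnt) printf "%d %s\n", cnt[p], p }
    ' "$1" | sort -rn
}

# top_status_path FILE CODE: the single noisiest path for that status code.
top_status_path() {
    status_paths "$1" "$2" | head -n 1 | cut -d' ' -f2-
}

# Stand-alone use on a real host:
#   status_paths /var/www/logs/access.log 404
```

If the top entry is /favicon.ico alone, a "no log" location for that one file keeps the rest of the 404 trail intact; if the list is dominated by things like /wp-login.php, that is reconnaissance and the log is doing its job.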
Re: OT: Tools to manage PKI under OpenBSD
On Fri 24.Jun'16 at 18:59:09 -0400, Predrag Punosevac wrote:
> > On Fri 24.Jun'16 at 12:46:48 +, Dahlberg, David wrote:
> > > On Friday, 24.06.2016 at 11:45 +0000, C. L. Martinez wrote:
> > >
> > > > I would like to deploy/setup a PKI under OpenBSD for my home lab.
> > > > Searching about this topic, I think the best option is to use
> > > > customized openssl/libressl scripts, but it could be very hard to keep
> > > > for certificate requests, revocations, etc.
> > > >
> > > > ? Any suggestion about what can be better option?
> > >
> > > Have a look at security/xca, else define "better option".
> > >
> > > Cheers
> >
> > For "better option", I am speaking about what could be the best tool or
> > procedure to manage a PKI under OpenBSD.
>
> easy-rsa
>
> You just chose to ignore the answer.
>
> Predrag

Where am I saying that I'm ignoring the answer? Please, before saying some things, wait.

--
Greetings,
C. L. Martinez
Re: OT: Tools to manage PKI under OpenBSD
On Sat 25.Jun'16 at 13:56:38 +, Stuart Henderson wrote:
> On 2016-06-24, C. L. Martinez <carlopm...@gmail.com> wrote:
> > On Fri 24.Jun'16 at 12:46:48 +, Dahlberg, David wrote:
> >> On Friday, 24.06.2016 at 11:45 +, C. L. Martinez wrote:
> >>
> >> > I would like to deploy/setup a PKI under OpenBSD for my home lab.
> >> > Searching about this topic, I think the best option is to use
> >> > customized openssl/libressl scripts, but it could be very hard to keep
> >> > for certificate requests, revocations, etc.
> >> >
> >> > Any suggestion about what can be better option?
> >>
> >> Have a look at security/xca, else define "better option".
> >>
> >> Cheers
> >
> > For "better option", I am speaking about what could be the best tool or
> > procedure to manage a PKI under OpenBSD.
>
> It really depends on what your reasons are for doing this.
>
> If you're trying to learn about the nitty gritty of generating certs,
> CRLs, revocations, etc, then using the command line tools directly
> isn't a bad idea.
>
> If you're trying to script things but at a higher level than the
> libressl/openssl command line tool, you might want to look at something
> like https://github.com/cloudflare/cfssl.
>
> If you're just trying to manually generate certs for lab machines
> and are happier with something visual xca is pretty good.
>
> Or you can look at the tools which are really made for simplifying vpn
> setup like "ikectl ca" (though the way it's designed, it really only
> makes sense if you generate the private key on a central machine, which
> is a bit non-standard though makes life easier in some cases). Or yes,
> as was already pointed out easy-rsa (though personally I find that more
> complex than easy).
>
> If you're more interested in getting certs than investigating how to
> run pki, something like letsencrypt might work for you.

Many thanks Stuart. I have configured a PKI using openssl tools, and it is working ok ...
Now, I would like to install an OCSP instance to check when a certificate is revoked ... But I have some doubts:

- When a certificate is revoked, can the .csr and .crt files (the request and the cert signed by the CA) be removed without problems?
- I am trying to setup a startup script for OCSP using openssl; can this be accomplished in OpenBSD's way?

Thanks.

--
Greetings,
C. L. Martinez
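On the first doubt above: with a CA run from the openssl/libressl command line tools, the revocation record does not live in the loose .csr/.crt files but in the CA database index.txt that "openssl ca" maintains, and both "openssl ca -gencrl" and "openssl ocsp -index" take revocation state from that file. The certificate file is still needed as input to "openssl ca -revoke", so revoke first, and keeping the .crt afterwards is the cheapest record of what was issued. The following POSIX sh/awk helper for reading index.txt is an added example, not code from the thread or from OpenBSD; the function names are its own and the entries written by write_sample_index are constructed.

```shell
#!/bin/sh
# Added example: inspect the CA database (index.txt) kept by openssl/libressl
# "ca". Both "openssl ca -gencrl" and "openssl ocsp -index" read revocation
# state from this file. Function names are this example's own; the sample
# entries are constructed.
#
# index.txt is tab separated, one certificate per line:
#   status  expiry  revocation_date[,reason]  serial  filename  subject
# with status V = valid, R = revoked, E = expired. The revocation field is
# empty for V and E entries.

# write_sample_index FILE: constructed entries, not from a real CA.
write_sample_index() {
    {
        printf 'V\t260620120000Z\t\t01\tunknown\t/CN=host1.lab.example\n'
        printf 'R\t260620120000Z\t160625100000Z,keyCompromise\t02\tunknown\t/CN=host2.lab.example\n'
        printf 'V\t260620120000Z\t\t03\tunknown\t/CN=ocsp.lab.example\n'
    } > "$1"
}

# ca_entries INDEX STATUS: prints "serial<TAB>subject" for entries with
# the given status letter (V, R or E).
ca_entries() {
    awk -F'\t' -v want="$2" '$1 == want { printf "%s\t%s\n", $4, $6 }' "$1"
}

# ca_count INDEX STATUS: number of entries with that status.
ca_count() {
    ca_entries "$1" "$2" | wc -l | tr -d ' '
}

# cert_status INDEX SERIAL: prints V, R or E for a serial, or "unknown"
# when the CA never issued it (an OCSP responder answers the same way).
cert_status() {
    s=$(awk -F'\t' -v want="$2" '$4 == want { print $1; exit }' "$1")
    printf '%s\n' "${s:-unknown}"
}

# revocation_reason INDEX SERIAL: the reason recorded with a revoked serial,
# "unspecified" when the entry carries only a date, nothing for non-revoked.
revocation_reason() {
    awk -F'\t' -v want="$2" '
        $4 == want && $1 == "R" {
            n = split($3, f, ",")
            print (n > 1 ? f[2] : "unspecified")
            exit
        }' "$1"
}

# Stand-alone use against a real CA directory (path is an assumption):
#   ca_entries /etc/ssl/lab-ca/index.txt R
```

Running ca_entries with R before regenerating the CRL is a quick sanity check that the revocation you just performed actually landed in the database the CRL and responder will read.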
Re: where is the image of openbsd arm ?
Is it possible to add more wired NICs to the APU? Alternatively, is there a comparably robust and OpenBSD supported low-wattage platform with at least 4 (and preferably 5-6) NICs?

Thank you.

On 24 Jun 2016 at 13:37, Chris Cappuccio wrote:
> li...@wrant.com [li...@wrant.com] wrote:
> >
> > 1) How do the APU systems go as pricing to comparable systems from
> > other similar (industrial class, desktop enclosure) manufacturers?
> >
>
> The pricing direct from PC Engines is roughly 2x to 3x the cost
> of certain cheap, popular ARM boards. It's on par or lower than
> the pricing of the higher end ARM boards (some of which are supported
> in the armv7 port)
>
> > 2) How is the OpenBSD experience on the APU systems, do they have serial
> > RS232 console (serial BIOS), do they expose all the hardware to OpenBSD?
> >
>
> Everything is exposed. The serial console requires boot.conf setup,
> and Bob Beck recently fixed some aggressive behaviour in the boot loader
> so that it no longer prints garbage characters on the screen during
> the 'set tty com0' transition. Thank you Bob for spending the time to
> track this annoying behaviour down !
>
> Chris
Re: OT: Tools to manage PKI under OpenBSD
On Fri 24.Jun'16 at 12:46:48 +, Dahlberg, David wrote:
> On Friday, 24.06.2016 at 11:45 +, C. L. Martinez wrote:
>
> > I would like to deploy/setup a PKI under OpenBSD for my home lab.
> > Searching about this topic, I think the best option is to use
> > customized openssl/libressl scripts, but it could be very hard to keep
> > for certificate requests, revocations, etc.
> >
> > Any suggestion about what can be better option?
>
> Have a look at security/xca, else define "better option".
>
> Cheers

For "better option", I am speaking about what could be the best tool or procedure to manage a PKI under OpenBSD.

--
Greetings,
C. L. Martinez
OT: Tools to manage PKI under OpenBSD
Hi all,

I would like to deploy/setup a PKI under OpenBSD for my home lab. Searching about this topic, I think the best option is to use customized openssl/libressl scripts, but it could be very hard to keep for certificate requests, revocations, etc.

Any suggestion about what can be a better option?

Thanks

--
Greetings,
C. L. Martinez
support new
0 C Philippines P National Capital Region T Makati City Z 1203 O OpenBSD Philippines I Onofre L. Alvarado, Jr. A 8400 Mayapis st., Bgy. San Antonio M i...@openbsd.org.ph U http://www.openbsd.org.ph/ B 63-2-7281903 X 63-2-7281903 N Over a decade and a half's experience in the use and deployment of OpenBSD. Network planning and design, firewalls, routers, email, web and database servers, VPNs. OpenBSD consultancy, installation, maintenance and support.
Error loading pf rules: Device busy
Hi all, I have a strange problem. Every time that I try to reload my pf rules I see the following error message: pfctl: DIOCADDRULE: Device busy. I am using OpenBSD 5.8 amd64 fully patched. Any idea??
Clarification on vhid/carpnode settings for load-balanced fw configuration
Hi, all.

I'm setting up a pair of load-balanced firewalls using carp. I've got nearly everything going, but encountered this in the man page:

"If IP balancing is being used on a firewall, it is recommended to configure the carpnodes in a symmetrical manner. This is achieved by simply using the same carpnodes list on all sides of the firewall. This ensures that packets of one connection will pass in and out on the same host and are not routed asymmetrically."

I'm looking for clarification on the statement "using the same carpnodes list on all sides of the firewall." Does this mean that the same list of carpnodes should appear on both external and internal interfaces? i.e. (configurations abbreviated for brevity):

firewall 1:
    ifconfig carp0 carpnodes 10:0,20:100,30:0,40:100   # external carp if
    ifconfig carp1 carpnodes 10:0,20:100               # internal carp if #1
    ifconfig carp2 carpnodes 30:0,40:100               # internal carp if #2

firewall 2:
    ifconfig carp0 carpnodes 10:100,20:0,30:100,40:0   # external carp if
    ifconfig carp1 carpnodes 10:100,20:0               # internal carp if #1
    ifconfig carp2 carpnodes 30:100,40:0               # internal carp if #2

This seems odd to me, and I can't find the practice referenced anyplace else. According to Hansteen's "Book of PF," I should configure the carp interfaces as follows:

firewall 1:
    ifconfig carp0 carpnodes 10:0,20:100   # external carp if
    ifconfig carp1 carpnodes 30:0,40:100   # internal carp if #1
    ifconfig carp2 carpnodes 50:0,60:100   # internal carp if #2

firewall 2:
    ifconfig carp0 carpnodes 10:100,20:0   # external carp if
    ifconfig carp1 carpnodes 30:100,40:0   # internal carp if #1
    ifconfig carp2 carpnodes 50:100,60:0   # internal carp if #2

Which carpnodes configuration is correct? Won't the former cause vhid conflicts?

Thanks for any consideration you folks throw at me.
Re: text-mode gui
On 20 Dec 2015 at 17:25, Luke Small wrote:

8<-- lots of drivel snipped --->8

>... but a
>normal user shouldn't have to wade through man pages to discover how to fix
>...

This is the crux of the issue -- linux upbringing!

If you bothered to read the FAQ or scan through some message threads on the mailing lists you would know that:

a) ALL users are expected to read the man pages, because
b) OpenBSD deservedly prides itself on the accuracy, completeness, and readability of the documentation -- the man pages and the FAQ.

If you value gooey complexity because you cannot be bothered to learn about the tool you plan to use, please go away and pick one of the many shiny toys that promise you what you want.

I, for one, very much appreciate the OpenBSD way of no-nonsense, minimalist interfaces balanced with very comprehensive documentation.

>
> -Luke
>
> On Sun, Dec 20, 2015 at 3:33 PM, wrote:
>
> > On Sun, 20 Dec 2015 14:03:18 -0600 Luke Small wrote:
> >
> > > I don't know the best way, but I like how there are "check-boxes", from
> > > what I recall, in lynx webpages.
> >
> > And? Bookmarks or... direct private cumulus clouds of edible sugar,
> > preferably in cyanide algae nuances with self attaching axons.
> >
> > > Maybe full-disk encryption and maybe home
> > > folder encryption if it is available are the only remaining installer
> >
> > It's called a directory, which is a file, and not a drawer, and not a
> > folder, neither a closet, nor a wardrobe nor even a chest.
> >
> > > options that you don't have to have prior specialized knowledge to perform,
> > > that you can't do after you boot into the system.
> >
> > I'm sorry to break up the bubble for you but prior knowledge is a
> > prerequisite and this is not exclusive to OpenBSD. Anything you can do
> > in the installer can also be done after installation, except probably
> > finding a list of nice check boxes in a JavaScript web page. For that
> > you need to use www.
> > > > > If there are other > > > things, then it may become a little less tedious for less experienced > > folks > > > to look at all the options at once, rather than having to start over. > > > > Many inexperienced folds tried OpenBSD first and did not have to become > > experienced in other complicated installers. Can you elaborate on > > this? You want a long check list, is that it? > > > > > If > > > there are any irreconcilable differences in options, JavaScript can more > > > easily display that the other changes are incompatible by changing the > > > other options back. > > > > The editor said: scratch this part, messy wording. > > > > > But maybe the OpenBSD way is about no surprises, but it > > > doesn't seem right to only be able to boot into the system in the way you > > > want, > > > > It is a cargo "principle of least astonishment" to be found in another > > set of online docs elsewhere, unrelated perhaps, no? > > > > > if you have the mindset of a Computer Scientist like us, and read the > > > right configuration webpages. > > > > Correction, man pages. They are in English, comprehensive to lower > > intermediate level readers. > > > > > Things like not having softdep mounted file > > > systems by default really tripped me up for a couple versions. > > > > There is a clear section on this in the Frequently Asked Questions. It > > is a very nice idea to read these prior or during installation on the > > other computer, or why not print out sections you best liked or thought > > useful for the upcoming installation process. > > > > > I have > > > virtualbox HDs and I had to keep backups in case Windows did something > > > funny, because I sometimes couldn't repair the file systems. > > > > Can you point where the docs say "install in a virtualbox" or any other > > virtual software brand for what it matters? > > > > > It seems like > > > something that should be an option in the installer, or a default. 
It > > would > > > be nice to do that with noatime and maybe an optional mfs or tmpfs > > mounted > > > /tmp folder like I have now. > > > > So you're basically proposing to rewrite the installer in JavaScript to > > add the noatime and softdep mount options, add full disk and home > > directory encryption, use the SSL tool kit and also make it like a text > > menu installer with a lot of check boxes and... web based interface, > > and be able to install in a virtual machine with memory based file > > systems? > > > > Why don't you just pick the install media of the operating system that > > offers you these nice goodies, and save yourself the rewrite. Oh, and > > then come back teach how to do it. > > > > If this seems too much to ask, just simply use the installer in OpenBSD > > as it is, and after a couple of iterations, and some (minutes/years) of > > enlightenment, you will start to appreciate the time and effort is has > > saved you and the powerful options provided without
Remove "flags S/SA keep state" for tcp packets
Hi all, I am trying to remove "flags S/SA keep state" for tcp packets inside pf.conf and use "keep state" only, as it can do with udp and icmp. According to pf.conf man page, this is possible inserting "no state" in tcp rule, but I can't use keep state. Is it possible to remove "flags S/SA keep state" and use only "keep state" for tcp packets? Thanks. P.D: I am using OpenBSD 5.8
Re: Remove "flags S/SA keep state" for tcp packets
On Tue, Dec 15, 2015 at 9:49 AM, Peter N. M. Hansteen <pe...@bsdly.net> wrote:
> On Tue, Dec 15, 2015 at 09:24:03AM +0000, C. L. Martinez wrote:
>>
>> I am trying to remove "flags S/SA keep state" for tcp packets inside
>> pf.conf and use "keep state" only, as it can do with udp and icmp.
>
> Why? What is it you're trying to achieve?
>
> You can override the default flags by specifying a different set or even
> 'flags any' but the question remains, why?
>
> --

Thanks Peter. Sorry for the delayed response.

I am trying to use the divert-packet option inside pf rules to use Suricata/Snort as an IPS. At this moment, I can drop comms when an alert is triggered for udp and icmp packets, but it doesn't work when it is a tcp packet. I was thinking "if using keep state for udp/icmp rules works, why not for tcp?" But maybe I am totally wrong ...
Re: Remove "flags S/SA keep state" for tcp packets
On Tue, Dec 15, 2015 at 9:56 AM, David Dahlberg <david.dahlb...@fkie.fraunhofer.de> wrote:
> On Tuesday, 15.12.2015 at 09:24 +, C. L. Martinez wrote:
>> I am trying to remove "flags S/SA keep state" for tcp packets inside
>> pf.conf and use "keep state" only, as it can do with udp and icmp.
>>
>> According to pf.conf man page, this is possible inserting "no state"
>> in tcp rule, but I can't use keep state.
>
> "keep state" is addressed in pf.conf(5) (e.g. "Stateful Tracking
> Options"), but it is not mentioned as often as it is the default.
>
> IOW: If you have not changed the default options, you may simply
> remove the "flags S/SA keep state" string without changing much (except
> that it might now also match UDP/ICMP).

Thanks David. I have not changed any default options but I can't see how I can remove these flags ... I have tried with "flags any keep state" without result. If I use "no state", packets are rejected ...
Re: athn0: device timeout
I have the same problem with a new macbookpro12,1

my urtwn adapter works just fine in a regular ehci(4) machine, but on xhci(4)'s macbookpro I need to reconnect like 10 times, and even that way, doesn't work. :/

On 28/11, Stefan Sperling wrote:
; On Sat, Nov 28, 2015 at 07:35:00AM -0700, bluesun08 wrote:
; > xhci0 at pci0 dev 20 function 0 "Intel Bay Trail xHCI" rev 0x0c: msi
; > usb0 at xhci0: USB revision 3.0
; > uhub0 at usb0 "Intel xHCI root hub" rev 3.00/1.00 addr 1
; > uhub2 at uhub0 port 2 "Genesys Logic USB2.0 Hub" rev 2.00/85.37 addr 3
; > athn1 at uhub2 port 2 configuration 1 interface 0 "ATHEROS USB2.0 WLAN" rev 2.00/1.08 addr 6
; > athn1: could not load firmware
;
; I believe your problems are rooted in xhci(4) not athn(4).
; There are several known problems with xhci, some of which
; don't have a known fix yet.
;
; To confirm this theory, could you try this athn adapter in a
; machine with USB ports driven by ehci(4) instead of xhci(4)?

--
Sending from my toaster.
Re: EFI: Booting from other (not the first) GPT partition possible? How? It's an Apple :-O
Oh yes, so then on 8,2 you can still boot legacy, on 12,1 you don't :(

Sent from my handheld toaster

> On 19 Nov 2015, at 15:53, Marcel wrote:
>
> Thank you Gonzalo.
>
> Just to make sure we are talking about the same thing:
>
> I was already able to boot OpenBSD in BIOS legacy mode.
>
> What I want to achieve is booting OpenBSD current with the new EFI OpenBSD boot loader.
>
> Are you sure that following the tutorial you mentioned can be of any help to do this?
>
> I will be happy to get enlightened if I am just missing the point. :)
>
> Regards
> Marcel
>
>> Hello,
>>
>> I'm kinda at the same step, but in a macbookpro12,1
>>
>> I resize my OSX partition, burn an install58.fs on a usb stick, boot
>> holding ALT, install OpenBSD on the part of the resized partition, and then
>> follow jcs@ tutorial:
>>
>> https://gist.github.com/jcs/5573685
>>
>> Now, "El Capitan" has like a 'Secure Level' thing that you can do the
>> step Mac OS X Encryption -> 3-6. So, you need to boot in Rescue Mode and
>> disable this new protection from the console in rescue mode:
>>
>> # csrutil disable
>>
>> Then reboot, and try the "Mac OS X Encryption" step. Install refind and
>> cross your fingers :)
>>
>>
>> On 16/11, Marcel Timm wrote:
>> ; Hi there,
>> ;
>> ; one thing I would like to try is to boot from created OpenBSD EFI USB stick
>> ; with
>> ;
>> ; boot -a
>> ;
>> ; and enter the OpenBSD's root partition on the HD.
>> ;
>> ; Unfortunately neither the MacBook Pro 8,2 's integrated
>> ; nor an external USB keyboard work at the prompt where to enter the
>> ; root device's location. :(
>> ;
>> ; Is there another way of telling the kernel which root device to use
>> ; (maybe at boot's prompt - although I haven't found anything in man page..)?
>> ;
>> ; If this seems to be a XY question to you, I am happy about other proposals.
>> ;
>> ; Greetings
>> ; Marcel
>> ;
>> ; On 11.11.2015 16:01, Marcel Timm wrote:
>> ; >Hello!
>> ; >
>> ; >My computer is a MacBook Pro 8,2.
>> ; >
>> ; >There is a GPT on the HD (big surprise!) with four partitions,
>> ; >the last one being of type OpenBSD.
>> ; >
>> ; >I managed to put a recent OpenBSD 5.8 snapshot there
>> ; >by booting and installing from an USB stick via EFI created like that (in
>> ; >OSX):
>> ; >
>> ; >dd if=~/install58.fs of=/dev/rdisk2 bs=1m
>> ; >
>> ; >After installing rEFInd 0.9.2 and putting OpenBSD 5.8 snapshot's
>> ; >BOOTX64.EFI file
>> ; >to the MacBook's EFI partition the rEFInd boot manager shows the OpenBSD
>> ; >EFI option.
>> ; >
>> ; >Selecting that OpenBSD entry starts the boot program showing hd0 hd1 hd2
>> ; >and hd3.
>> ; >
>> ; >Is it possible to boot my "EFI OpenBSD installation" from here?
>> ; >If so, how to proceed?
>> ; >
>> ; >I already played with
>> ; >
>> ; >set device hd0d
>> ; >
>> ; >etc. - but it did not work.
>> ; >
>> ; >I will gladly share more details, if of any help.
>> ; >
>> ; >Thanks in advance!
>> ; >
>> ; >Marcel
>> ;
>>
>> --
>> Sending from my toaster.
Re: EFI: Booting from other (not the first) GPT partition possible? How? It's an Apple :-O
Hello,

I'm kinda at the same step, but in a macbookpro12,1

I resize my OSX partition, burn an install58.fs on a usb stick, boot holding ALT, install OpenBSD on the part of the resized partition, and then follow jcs@ tutorial:

https://gist.github.com/jcs/5573685

Now, "El Capitan" has like a 'Secure Level' thing that you can do the step Mac OS X Encryption -> 3-6. So, you need to boot in Rescue Mode and disable this new protection from the console in rescue mode:

# csrutil disable

Then reboot, and try the "Mac OS X Encryption" step. Install refind and cross your fingers :)

On 16/11, Marcel Timm wrote:
; Hi there,
;
; one thing I would like to try is to boot from created OpenBSD EFI USB stick
; with
;
; boot -a
;
; and enter the OpenBSD's root partition on the HD.
;
; Unfortunately neither the MacBook Pro 8,2 's integrated
; nor an external USB keyboard work at the prompt where to enter the
; root device's location. :(
;
; Is there another way of telling the kernel which root device to use
; (maybe at boot's prompt - although I haven't found anything in man page..)?
;
; If this seems to be a XY question to you, I am happy about other proposals.
;
; Greetings
; Marcel
;
; On 11.11.2015 16:01, Marcel Timm wrote:
; >Hello!
; >
; >My computer is a MacBook Pro 8,2.
; >
; >There is a GPT on the HD (big surprise!) with four partitions,
; >the last one being of type OpenBSD.
; >
; >I managed to put a recent OpenBSD 5.8 snapshot there
; >by booting and installing from an USB stick via EFI created like that (in
; >OSX):
; >
; >dd if=~/install58.fs of=/dev/rdisk2 bs=1m
; >
; >After installing rEFInd 0.9.2 and putting OpenBSD 5.8 snapshot's
; >BOOTX64.EFI file
; >to the MacBook's EFI partition the rEFInd boot manager shows the OpenBSD
; >EFI option.
; >
; >Selecting that OpenBSD entry starts the boot program showing hd0 hd1 hd2
; >and hd3.
; >
; >Is it possible to boot my "EFI OpenBSD installation" from here?
; >If so, how to proceed?
; >
; >I already played with
; >
; >set device hd0d
; >
; >etc. - but it did not work.
; >
; >I will gladly share more details, if of any help.
; >
; >Thanks in advance!
; >
; >Marcel
;

--
Sending from my toaster.
PF tables -- anchors and scope
Can anyone confirm whether it is possible to modify a global table within an anchor? If so, what is the proper syntax for referencing it? I have a dynamic table of addresses to block declared and updated in the main body of pf.conf. I would like to update the same table using 'overload' operator within an anchor, however, I get "namespace collision" warning message and a distinctly separate table created when I try that. Interestingly, I can use global tables as the source or destination address in any rule inside an anchor, i.e. it does work in read-only mode (unless an anchor-local table is created per above). This firewall is currently running 5.6 with upgrade to 5.8 being planned for the near future. Thank you, -Jacob.
Re: Captive portal with OpenBSD as a hostap
On Mon, Oct 5, 2015 at 1:26 PM, laudarch wrote:
> I made a custom implementation and a diff to authpf, will share that
> later just in case anyone wants it.
>
> I hope this helps you, it's pretty simple
> http://bastienceriani.fr/?p=70

Thanks laudarch ... Very close to what I am searching for... I will try your config.
5.7 & Nagios
What is the intended upgrade path for i386 versions of monitoring software?

No Nagios in packages, .. icinga is reported amd only, .. Nagios in ports is amd only, .. and nagioscore will not build:

    # make all
    cd ./base && make
    make -C ../lib
    Using $< in a non-suffix rule context is a GNUmake idiom (Makefile:157)
    *** Error 2 in /usr/src/nagioscore (Makefile:71 'all')

Inquiring minds with Nagios installations want to know!

Lee
nginx & Perl on 5.6
What is the preferred configuration for using Perl & Nginx? php is fairly straightforward, .. but I can't find anything for perl except some Linux notes to recompile.

Thanks!

Lee
Slightly OT, .. 5.5 Nagios
Trying to upgrade our 5.4 Nagios system to 5.5, .. everything went fine with the system, but it appears that there are some new dependencies for the web UI:

    # pkg_add nagios-web-4.0.1-chroot
    Can't install php-gd-5.4.24 because of libraries
    |library X11.16.0 not found
    | not found anywhere
    |library Xpm.9.0 not found
    | not found anywhere
    |library freetype.22.0 not found
    | not found anywhere

X has never been installed on this box, .. why now?

Lee