Re: installing packages mentioned as dependency in ports package

2024-06-21 Thread Thomas L.
On Fri, 21 Jun 2024 20:16:57 +0530
Sandeep Gupta  wrote:
> My query is how to install build dependency of a package listed in
> ports?

I have FETCH_PACKAGES=-Dsnap in my /etc/mk.conf so that for all dependencies
pkg_add -Dsnap is tried first (see bsd.port.mk(5) for details). You can also
pass that as an argument to make(1).



Re: sftp server empty password login

2024-03-27 Thread Thomas L.
On Tue, 26 Mar 2024 10:28:11 +0100
Sylvain Saboua  wrote:
> Match User media
>  ForceCommand internal-sftp -d /home/media
>  ChrootDirectory /home/media
>  PasswordAuthentication yes
>  AuthenticationMethods none
>  PermitEmptyPasswords yes

You probably also want DisableForwarding there. Otherwise everyone can use
your machine as a proxy. This happened to me with a similar setup to allow
anonymous git cloning. Some spammer figured it out and used my server as a
relay. Don't be me ... ;)
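
As an added example that is not part of the original exchange: a POSIX sh check that parses an sshd_config and reports whether the Match block for a given user sets DisableForwarding, run here against the block from the question and a hardened copy. Both config fragments are constructed inline and the function name check_match_forwarding is ours, not anything from OpenSSH.

```sh
#!/bin/sh
# Added example, not part of the original thread. Lints an sshd_config for a
# Match block that lacks DisableForwarding. Config fragments are constructed.

# The block from the question: an anonymous sftp-only account, but nothing in it
# stops a client from requesting TCP, agent, X11 or tunnel forwarding.
WEAK_CONF='Match User media
 ForceCommand internal-sftp -d /home/media
 ChrootDirectory /home/media
 PasswordAuthentication yes
 AuthenticationMethods none
 PermitEmptyPasswords yes'

# Same block with DisableForwarding, which turns off every forwarding kind at once.
HARDENED_CONF='Match User media
 ForceCommand internal-sftp -d /home/media
 ChrootDirectory /home/media
 DisableForwarding yes
 PasswordAuthentication yes
 AuthenticationMethods none
 PermitEmptyPasswords yes'

# check_match_forwarding USER
# Reads an sshd_config on stdin. Prints "ok" when the "Match User USER" block
# contains "DisableForwarding yes", otherwise "missing"; exit status follows suit.
check_match_forwarding() {
    result=$(awk -v user="$1" '
        # Every Match line starts a new block; remember whether it is the one we want.
        # Keywords are case-insensitive in sshd_config, so compare lowercased.
        tolower($1) == "match" {
            inblock = (tolower($2) == "user" && $3 == user)
            next
        }
        inblock && tolower($1) == "disableforwarding" && tolower($2) == "yes" { found = 1 }
        END { print (found ? "ok" : "missing") }')
    printf '%s\n' "$result"
    [ "$result" = "ok" ]
}

# Stand-alone run: report on both fragments.
printf 'weak block:     %s\n' "$(printf '%s\n' "$WEAK_CONF" | check_match_forwarding media)"
printf 'hardened block: %s\n' "$(printf '%s\n' "$HARDENED_CONF" | check_match_forwarding media)"
```

On a real host, feed it the effective configuration (`sshd -T -C user=media`) rather than the file, so includes and defaults are taken into account.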



Re: Ignore some USB devices

2024-02-19 Thread Thomas L.
On Mon, 19 Feb 2024 19:43:14 +0100
Kirill A. Korinsky  wrote:
> I do have two USB audio devices:
>
>   ~ $ usbdevs  -v
>   Controller /dev/usb0:
>   ...
>   addr 07: 043e:9a66 LG Electronics Inc., LG UltraFine Display Audio
>high speed, self powered, config 1, rev 0.03
>driver: uaudio0
>   ...
>   addr 13: 041e:3130 Creative, Creative BT-W5
>full speed, self powered, config 1, rev 10.00, iSerial
> D97E0B7F86B95AC32000 driver: uhidev10
>driver: uhidev11
>driver: uaudio1
>   ~ $
>
> both of them are managed by uaudio. How can I disable the first one,
> without disabling the second one?

You can select which audio device is used with the -f/-F flags to sndiod
(details in the man page) in /etc/rc.conf.local. Maybe that helps?



crontab and /usr/local/{,s}bin

2023-02-14 Thread Thomas L.
hi,

What is the reason that /usr/local/{,s}bin is not in PATH in crontab?
This seems to be the case on all unix-like systems and it regularly
bites people. Sometimes someone says it's for security without being
able to tell what is being prevented by this. Or is it just some
historic default no one bothered to change?

kind regards,

thomas



Re: tcpdump rotating issue with newsyslog

2022-04-10 Thread Thomas L.
On Sun, 10 Apr 2022 17:00:25 -0400
Nick Holland  wrote:
> On 4/10/22 9:39 AM, Yogendra Kumar Chaudhary wrote:
> > I am running the following command in the OpenBSD 6.2.

You should really upgrade. That version has not received security patches
for several years.

> So, I'm thinking you probably want a 'b' and a SIGHUP sent to tcpdump.
> You can validate my second point by disabling the compression, I
> suspect you will see your .0 file continue to grow in size, until it
> becomes .1, etc.

What Nick suspects is likely true, but tcpdump will just quit on
SIGHUP. You could restart the capture instead. Capturing network traffic
for days might use a lot of disk space though.

Kind regards,

Thomas



Re: video shows green box on -current

2021-03-16 Thread Thomas L.
On Wed, 17 Mar 2021 00:05:24 +0100
Pau  wrote:
> Any idea?

https://www.openbsd.org/faq/current.html#r20201229 by any chance?

> thanks,
>
> Pau

Kind regards,

Thomas



Any experience with 10Gbe?

2020-10-13 Thread Nicholas C. L. Ipsen


I'm supporting a small business who needs more bandwidth due to the 
work-from-home situation. They've asked me to help them do the upgrade to 
10Gbe. I'd prefer to keep them on an OpenBSD router, since I love how little 
maintenance it needs, but I can't find any accounts of someone actually 
managing to get close to line speed above 1 Gbe.

I don't want to just buy expensive hardware and hope that it works. Has anyone 
here been able to get close to 10 Gb/s networking with OpenBSD? I don't need to 
be able to have more than a few pf-rules.

-- 
Nicholas C. L. Ipsen


Re: Strange behavior when I try to use lladdr

2020-05-22 Thread Thomas L.
On Fri, 22 May 2020 13:12:15 +0300
Денис Давыдов  wrote:

> P.S. offtopic: I turn to the developers: I tearfully ask you to add
> python to the base installation. This would allow the configuration
> to be rolled out automatically using Ansible right after installing an OS.
> It would simplify the task of configuring OpenBSD on remote hosts.

I solved this by having a task
- name: install python3
  raw: pkg_add python3
at the beginning (raw doesn't need python on the target machine).

Kind regards,

Thomas



Re: pkg_add: how to specify both flavor and branch

2020-01-26 Thread Thomas L.
On Sun, 26 Jan 2020 10:54:25 - (UTC)
Stuart Henderson  wrote:
> You need to know the name of the directory in ports to use this
> notation. Formats vary. Here you would use "pkg_add gnupg--%gnupg2".
>
> If you don't have a ports tree installed and need to find the path,
> install the package interactively and look for the "@comment pkgpath"
> line in /var/db/pkg/$packagename/+CONTENTS, take the last element of
> the directory name.

Thanks, this is the info I was missing. :)



pkg_add: how to specify both flavor and branch

2020-01-25 Thread Thomas L.
Hello,

`pkg_add gnupg` is ambiguous since there are gnupg-1.4.23p3-card-ldap,
gnupg-1.4.23p3 and gnupg-2.2.12p0, but neither
`pkg_add gnupg%2.2`, `pkg_add gnupg--%2.2` nor `pkg_add gnupg%2.2--`
work. So how do I specify the exact package in this case?
(I know that `pkg_add gnupg-2.2.12p0` works, but I'd rather not specify
the version down to the patch level in my deploy script.)

Kind regards,

Thomas



Re: openup service question

2019-09-16 Thread Gonzalo L. Rodriguez
On Mon, 16 Sep 2019 at 09:13:13 +, rsyk...@disroot.org wrote:
> Dear list,
> 
> 
> I have been using the "openup" service to keep my amd64 machine updated
> to the latest stable, i.e. 6.5, available at
> 
> https://www.mtier.org/solutions/apps/openup/
> 
> Recently I get:
> 
> odin# ./openup
>  
> ===> Checking for openup update
> ===> Installing/updating syspatches
> Get/Verify syspatch65-011_expat.tgz 100% |**|   588 KB00:00   
>  
> Installing patch 011_expat
> Errata can be reviewed under /var/syspatch
> ===> Updating package(s)
> https://stable.mtier.org/updates/6.5/amd64/: ftp: Error retrieving file: 401 
> Unauthorized
> https://stable.mtier.org/updates/6.5/amd64/: empty
> 
> If anybody here understands what is happening to me, I'd be grateful to know.
> The site claims the support for the most recent release is free. Yet, ...
> 
> I tried to contact their support twice, but got no reply.
> 
> 
> Thank you for any comments!
> Ruda
> 
> 
> PS.: Does using openup convey any advantage over running "syspatch" and
> "pkg_add -u" on amd64?
> 

Now you can switch:

https://undeadly.org/cgi?action=article;sid=20190814112133

-- 

- gonzalo



Re: Upgrade procedure (6.4 -> 6.5)

2019-05-03 Thread Gonzalo L. Rodriguez
On Thu, 02 May 2019 at 11:46:20 +0200, Noth wrote:
> 
> On 02/05/2019 11:02, Consus wrote:
> > On 10:27 Thu 02 May, Markus Hennecke wrote:
> > > Am 02.05.2019 um 09:52 schrieb Consus:
> > > > I've upgraded my systems from 6.4 to 6.5 without a glitch, but I see
> > > > that /etc/networks and some other files (like malloc.conf.5) are still
> > > > present, although there is no use for them in the new release.
> > > > 
> > > > Is there a reason why these files are not listed in "FIles to remove"?
> > > > Is there a way to track them? It's not like something gonna break, but
> > > > old configuration files (and manual pages) lying around can make
> > > > someone's life harder during the debug session.
> > > Take a look at the sysutils/sysclean port.
> > That's pretty much how I discovered this. But I want to know the
> > "official" way. Maybe there is a reason why e.g. perl files are to be
> > removed, but man pages are not.
> > 
> I set up a script for sysclean:
> 
> cat sysclean65.txt | while read line ; do rm -rf "${line}" ; done

You probably want some /etc/sysclean.ignore bits before that

> sysclean65.txt is obtained by running sysclean -a >>sysclean65.txt . I don't
> run that line in sysclean65.sh because the files have to be reviewed to
> prevent deletion of any additional files you may have added, like certs or
> scripts.
> 
> HTH
> 
> Noth
> 


-- 

- gonzalo



Re: NextCloud: failed integrity checks

2018-07-23 Thread Gonzalo L. Rodriguez

On [22/07/18] [08:32P], Johan Huldtgren wrote:

On 2018/07/22 15:39, Nicolas Schmidt wrote:

After installation on OpenBSD 6.3 with pkg_add, NextCloud complains about files 
failing the integrity checks. More specifically:

- occ
- version.php
- apps/updatenotification/appinfo/info.xml


Anybody able to reproduce?


Yeah, this is known. The port modifies these files to work with OpenBSD
(if you look at the port these files are the ones we patch). You can
work around this by adding this to your config.php

'integrity.check.disabled' => true,

.jh




https://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/www/nextcloud/Makefile?rev=1.17=text/x-cvsweb-markup

--
Sending from my toaster.



Re: NextCloud: failed integrity checks

2018-07-23 Thread Gonzalo L. Rodriguez

On [22/07/18] [07:39P], Nicolas Schmidt wrote:

After installation on OpenBSD 6.3 with pkg_add, NextCloud complains about files 
failing the integrity checks. More specifically:

- occ
- version.php
- apps/updatenotification/appinfo/info.xml


Anybody able to reproduce?

--Nicolas



Hello,

This is fixed on -current, I disabled the patching on the nextcloud version to
avoid this error.

Cheers.-

--
Sending from my toaster.



Re: roundcube installation php modules

2018-07-10 Thread Gonzalo L. Rodriguez

On [10/07/18] [02:59P], Danny AwesomeRetro wrote:

No problem, that fixed the issue for me ;)

Thank you, this has cost me around 18 hours of searching

Cheers,

Danny


On 07/10/2018 04:25 PM, Vijay Sankar wrote:

Sorry to interject -- just wondering if you read the instructions
towards the bottom in /usr/local/share/doc/pkg-readmes for php-5.6. It
specifically says

    # cd /etc/php-5.6.sample
    # for i in *; do ln -sf ../php-5.6.sample/$i ../php-5.6/; done

HTH,

Vijay

Quoting Teno Deuter :


actually I had to define the absolute path to the module. After doing
this it did work!

I still have the issue with Imagick though! There is no module for
that in OpenBSD repository as it's already integrated in php -
correct? In that case should I ignore that?

Thank you

On Tue, Jul 10, 2018 at 2:30 PM, Teno Deuter 
wrote:

sorry forgot to mention that after doing the below changes I did
restart the server!

Thank you

On Tue, Jul 10, 2018 at 2:29 PM, Teno Deuter 
wrote:

here are my current extension settings in php-5.6.ini:

;extension=php_bz2.dll
;extension=php_curl.dll
;extension=php_fileinfo.dll

extension=php_gd2.dll

;extension=php_gettext.dll
;extension=php_gmp.dll

extension=php_intl.dll

;extension=php_imap.dll
;extension=php_interbase.dll
;extension=php_ldap.dll
;extension=php_mbstring.dll
;extension=php_exif.dll  ; Must be after mbstring as it depends
on it
;extension=php_mysql.dll
;extension=php_mysqli.dll
;extension=php_oci8_12c.dll  ; Use with Oracle Database 12c Instant
Client
;extension=php_openssl.dll
;extension=php_pdo_firebird.dll
;extension=php_pdo_mysql.dll
;extension=php_pdo_oci.dll
;extension=php_pdo_odbc.dll
;extension=php_pdo_pgsql.dll

extension=php_pdo_sqlite.dll

;extension=php_pgsql.dll
;extension=php_shmop.dll
;extension=php_soap.dll
;extension=php_sockets.dll

extension=php_sqlite3.dll

;extension=php_sybase_ct.dll
;extension=php_tidy.dll
;extension=php_xmlrpc.dll
;extension=php_xsl.dll

but nothing happens. I still get the same error in the first
installer step.

Thank you

On Tue, Jul 10, 2018 at 2:07 PM,   wrote:

Have you altered your php.ini to load the extensions and restart
php-fpm?
On Jul 10, 2018 7:00 AM, Teno Deuter  wrote:


Dear list,

On an OpenBSD 6.3 machine I run httpd and opensmtpd and am trying to install
roundcubemail 1.3.5 from the OpenBSD packages repository.

When running the installer, on the first page, I get the following
warnings:

FileInfo:  OK
Libiconv:  OK
Intl:  NOT AVAILABLE(See http://www.php.net/manual/en/book.intl.php)
Exif:  OK
LDAP:  NOT AVAILABLE(See http://www.php.net/manual/en/book.ldap.php)
GD:  NOT AVAILABLE(See http://www.php.net/manual/en/book.image.php)
Imagick:  NOT AVAILABLE(See
http://www.php.net/manual/en/book.imagick.php)

but pkg_info shows:

php-gd-5.6.34   image manipulation extensions for php
php-intl-5.6.34 intl library support for php

and I think php-imagick is already part of the php OpenBSD package.

Why do I get the above warnings?

Also, in the second installation page I get the following:

Mimetype to file extension mapping:  NOT OK

but in httpd.conf, on the top of the file, I have the following
entry:

types { include "/usr/share/misc/mime.types" }

Thank you







Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
vsan...@foretell.ca





You always can check /usr/local/share/doc/pkg-readmes for the README

--
Sending from my toaster.



Re: WHere to put certificates for IKEDv2?

2018-06-24 Thread C. L. Martinez
On Sun, Jun 24, 2018 at 12:42:15PM +0200, C. L. Martinez wrote:
> On Sun, Jun 24, 2018 at 08:43:32AM +, Stuart Henderson wrote:
> > On 2018-06-23, C. L. Martinez  wrote:
> > > Hi all,
> > >
> > >  I am using Easy-RSA to manage my home's CA (using elliptic curve 
> > > certificates). I have created a certificate for my OpenBSD gw for IKEv2 
> > > connections (using strongswan mainly). My question is where do I need to 
> > > put OpenBSD certs under /etc/iked?
> > >
> > >  I have installed myhost.crt in /etc/iked/pubkeys/fqdn/myhost.crt and 
> > > myhost.key in /etc/iked/private/myhost.key, but running "iked -dvv" 
> > > returns me the following error:
> > 
> > The CA cert needs to go in /etc/iked/ca, do you have that?
> > 
> > 
> 
> Yes, it is there: -rw-r--r--  1 root  wheel  1326 Jun 24 10:12 
> /etc/iked/ca/ca.crt 
> 
> 

But when I start iked using "-dvv" and a client tries to connect, I see the 
following error:

sa_stateflags: 0x0024 -> 0x0024 certreq,sa (required 0x )
config_free_proposals: free 0x177c81779900
config_free_proposals: free 0x177c81773080
config_free_proposals: free 0x177c81773400
config_free_proposals: free 0x177c81773580
ca_getreq: found CA /C=ES/ST=Barcelona/
ca_getreq: no valid local certificate found
ca_setauth: auth length 256
ikev2_getimsgdata: imsg 20 rspi 0xf4b5f385469a92a5 ispi 0xd7906e9f68bda52b 
initiator 0 sa valid type 0 data length 0
ikev2_dispatch_cert: cert type NONE length 0, ignored
ikev2_getimsgdata: imsg 25 rspi 0xf4b5f385469a92a5 ispi 0xd7906e9f68bda52b 
initiator 0 sa valid type 1 data length 256
ikev2_dispatch_cert: AUTH type 1 len 256
sa_stateflags: 0x0024 -> 0x002c certreq,auth,sa (required 0x )


But CA cert is loaded:

ikev2 "ipseccli" passive esp inet from 0.0.0.0/0 to 0.0.0.0/0 local 0.0.0.0/0 
peer 0.0.0.0/0 ikesa enc aes-256,aes-192,aes-128,3des prf 
hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group 
modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth 
hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 signature
/etc/iked.conf: loaded 2 configuration rules
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
config_new_user: inserting new user testusr
ca_privkey_to_method: type RSA_KEY method RSA_SIG
config_getpolicy: received policy
ca_getkey: received private key type RSA_KEY length 1191
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getmobike: mobike
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
ca_reload: loaded ca file ca.crt
ca_reload: /C=ES/ST=Barcelona/
ca_reload: loaded 1 ca certificate
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20

 But I am thinking that maybe there are some problems:

 - First, I am using strongswan for Android as a client; do I need to use some 
specific crypto algorithms on the iked side?
 - Second, maybe it is a better option to use EAP user auth instead of certificates?
 - I am using ECDSA certs, any problem with that?

Thanks

-- 
Greetings,
C. L. Martinez



Re: WHere to put certificates for IKEDv2?

2018-06-24 Thread C. L. Martinez
On Sun, Jun 24, 2018 at 08:43:32AM +, Stuart Henderson wrote:
> On 2018-06-23, C. L. Martinez  wrote:
> > Hi all,
> >
> >  I am using Easy-RSA to manage my home's CA (using elliptic curve 
> > certificates). I have created a certificate for my OpenBSD gw for IKEv2 
> > connections (using strongswan mainly). My question is where do I need to 
> > put OpenBSD certs under /etc/iked?
> >
> >  I have installed myhost.crt in /etc/iked/pubkeys/fqdn/myhost.crt and 
> > myhost.key in /etc/iked/private/myhost.key, but running "iked -dvv" returns 
> > me the following error:
> 
> The CA cert needs to go in /etc/iked/ca, do you have that?
> 
> 

Yes, it is there: -rw-r--r--  1 root  wheel  1326 Jun 24 10:12 
/etc/iked/ca/ca.crt 


-- 
Greetings,
C. L. Martinez



WHere to put certificates for IKEDv2?

2018-06-23 Thread C. L. Martinez
Hi all,

 I am using Easy-RSA to manage my home's CA (using elliptic curve 
certificates). I have created a certificate for my OpenBSD gw for IKEv2 
connections (using strongswan mainly). My question is where do I need to put 
OpenBSD certs under /etc/iked?

 I have installed myhost.crt in /etc/iked/pubkeys/fqdn/myhost.crt and 
myhost.key in /etc/iked/private/myhost.key, but running "iked -dvv" returns me 
the following error:

ikev2_msg_auth: initiator auth data length 960
ikev2_msg_authverify: method SIG keylen 962 type X509_CERT
_dsa_verify_init: signature scheme 4 selected
ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x0024 -> 0x0034 certreq,authvalid,sa (required 0x003b 
cert,certvalid,auth,authvalid,sa)
ikev2_sa_negotiate: score 0
ikev2_sa_negotiate: score 10
ikev2_sa_negotiate: score 0
ikev2_sa_negotiate: score 4
sa_stateflags: 0x0034 -> 0x0034 certreq,authvalid,sa (required 0x003b 
cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x0030, require 0x003b cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
config_free_proposals: free 0xb9bb7e8a80
config_free_proposals: free 0xb9bb7e8700
config_free_proposals: free 0xb965e22400
config_free_proposals: free 0xba238e1e80
ca_getreq: found CA /C=ES/ST=Barcelona..
ca_getreq: no valid local certificate found
ca_setauth: auth length 256
ca_validate_pubkey: unsupported public key type ASN1_DN
ca_validate_cert: /C=ES/... ok

 Do I need to install user certificates also in the OpenBSD gw?

thanks
-- 
Greetings,
C. L. Martinez



Re: Autocompletion with pass in ksh

2018-05-27 Thread Thomas L.
On Fri, 25 May 2018 08:36:44 +0200
Niels Kobschaetzki  wrote:
> I got a reply on twitter from Roman Zolltarif who wrote a blog post
> about it :)
> https://www.romanzolotarev.com/pass.html#Completions%20in%20Korn%20shell

This seems to be a custom pass implementation.
Anyway, you can get autocompletion for pass (mostly) with

# split the find output on newlines only, so entries with spaces survive,
# and restore the previous IFS afterwards
oIFS=$IFS
IFS='
'
set -A complete_pass init ls find show grep insert edit generate rm mv cp git \
    help version $(cd ~/.password-store && find * -name '*.gpg' | \
    sed -ne 's/^\(.*\)\.gpg$/\1/p')
IFS=$oIFS

Kind regards

Thomas



Re: Errors with Php and curl under OpenBSD 6.3

2018-04-24 Thread C. L. Martinez
Works!! ... Many thanks Manolis.

On Tue, Apr 24, 2018 at 9:10 AM, Manolis Tzanidakis <mtzanida...@gmail.com>
wrote:

> Oops, forgot a sub-directory. Try this, instead:
>
> # mkdir -p /var/www/etc/ssl; cp /etc/ssl/cert.pem /var/www/etc/ssl
>
> On Tue (24/04/18), Manolis Tzanidakis wrote:
> > Hello,
> > try copying cert.pem to the www chroot:
> >
> > # mkdir -p /var/www/etc; cp /etc/ssl/cert.pem /var/www/etc/ssl
> >
> > and restart php-fpm.
> >
> > On Tue (24/04/18), C. L. Martinez wrote:
> > > Hi all,
> > >
> > >   Since this morning my OpenBSD 6.3 host (with tt-rss installed) returns
> > > the following error when I try to add some feeds:
> > >
> > > Couldn't download the specified URL: ; 77 error setting certificate verify
> > > locations: CAfile: /etc/ssl/cert.pem CApath: none
> > >
> > >  It seems some type of problem with curl ... Am I right? I found some
> > > solutions but all of them involve making use of an insecure connection
> > > with curl.
> > >
> > >  Any idea?
> > >
> > > Thanks.
>
>


Errors with Php and curl under OpenBSD 6.3

2018-04-24 Thread C. L. Martinez
Hi all,

  Since this morning my OpenBSD 6.3 host (with tt-rss installed) returns
the following error when I try to add some feeds:

Couldn't download the specified URL: ; 77 error setting certificate verify
locations: CAfile: /etc/ssl/cert.pem CApath: none

 It seems some type of problem with curl ... Am I right? I found some
solutions but all of them involve making use of an insecure connection
with curl.

 Any idea?

Thanks.


Re: OpenBSD blocks IPsec traffic

2018-04-18 Thread C. L. Martinez
Thanks Marko, but I have found the problem.

These rules are under anchor sub-group rules ... Moving these rules to the top
after "block log all", everything is working ...

Maybe it is a bug with anchor rules?

On Wed, Apr 18, 2018 at 3:16 PM, Marko Cupać <marko.cu...@mimar.rs> wrote:

> On Wed, 18 Apr 2018 15:01:24 +0200
> "C. L. Martinez" <carlopm...@gmail.com> wrote:
>
> > Hi all,
> >
> >  I am trying to configure an ipsec tunnel (host-to-host) between two
> > hosts that go through an openbsd firewall. Tunnel is established, but
> > when I try to, for example, connect via ssh from one host to the
> > other, pf blocks traffic:
> >
> > Apr 18 12:53:00.286351 rule 24/(match) [uid 0, pid 19127] block out on
> > vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 1 len 100 (DF)
> > [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> > Apr 18 12:53:02.292330 rule 24/(match) [uid 0, pid 19127] block out on
> > vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 2 len 100 (DF)
> > [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> > Apr 18 12:53:06.300396 rule 24/(match) [uid 0, pid 19127] block out on
> > vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 3 len 100 (DF)
> > [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> > Apr 18 12:53:14.324382 rule 24/(match) [uid 0, pid 19127] block out on
> > vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 4 len 100 (DF)
> > [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> > Apr 18 12:53:30.356437 rule 24/(match) [uid 0, pid 19127] block out on
> > vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 5 len 100 (DF)
> > [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
> >
> >  To do some tests, I have configured the following rules:
> >
> > pass in inet from 172.22.55.2 to 172.22.59.6 flags S/SA keep state
> > (if-bound)
> > pass in inet from 172.22.59.6 to 172.22.55.2 flags S/SA keep state
> > (if-bound)
> >
> > Any idea?
>
> Hard to say without complete ruleset, but from what I see here, your
> rule 24 blocks outbound esp from 172.22.59.6 to 172.22.55.2 on vio0,
> while no other rule after that (or one before that with 'quick'
> keyword) permits it.
>
> Check exact line with pfctl -vvsr. Add either default 'pass out'
> somewhere below (I prefer it at the end of my ruleset, as I have so far
> never blocked out stuff I already passed in), or pass out exact traffic
> you need, eg:
>
> pass out on vio0 proto esp from 172.22.59.6 to 172.22.55.2
>
> Hope this helps,
>
> --
> Before enlightenment - chop wood, draw water.
> After  enlightenment - chop wood, draw water.
>
> Marko Cupać
> https://www.mimar.rs/
>

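Added example, not from the original thread: a POSIX sh script that summarises pflog lines like the ones quoted above by flow and rule number, then turns each blocked flow into the exact "pass out ... proto esp" rule Marko suggests, so the generated lines can be checked against pfctl -vvsr before anything is added to the ruleset. The log lines are constructed from the format shown above (two extra lines for the return direction on a second interface are invented), and the function names are ours.

```sh
#!/bin/sh
# Added example, not part of the original thread. Summarises pflog output by
# flow and rule, then prints the "pass out" rule that matches each blocked flow.
# Handles protocols tcpdump names explicitly (esp, ah, icmp, ...); for TCP/UDP
# tcpdump prints addr.port pairs instead of a protocol keyword, which is not handled.

# Constructed sample: the five blocked ESP packets from the question, plus two
# invented packets for the return direction on a second interface.
SAMPLE_PFLOG='Apr 18 12:53:00.286351 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 1 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:02.292330 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 2 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:06.300396 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 3 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:14.324382 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 4 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:30.356437 rule 24/(match) [uid 0, pid 19127] block out on vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 5 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:31.000001 rule 24/(match) [uid 0, pid 19127] block out on vio1: esp 172.22.55.2 > 172.22.59.6 spi 0x0a0b0c0d seq 1 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120)
Apr 18 12:53:33.000002 rule 24/(match) [uid 0, pid 19127] block out on vio1: esp 172.22.55.2 > 172.22.59.6 spi 0x0a0b0c0d seq 2 len 100 (DF) [tos 0x10] (ttl 63, id 0, len 120)'

# summarize_pflog
# Reads pflog lines on stdin and prints one sorted line per
# (action, direction, interface, protocol, src, dst, rule) with a packet count.
summarize_pflog() {
    awk '
    {
        rule = ""; pos = 0
        # Find tokens by name rather than position: the "[uid N, pid N]" part only
        # appears for rules logged with "log (user)" and would shift the fields.
        for (i = 1; i <= NF; i++) {
            if ($i == "rule") { rule = $(i + 1); sub(/\/.*/, "", rule) }
            if ($i == "on" && $(i + 1) ~ /:$/) pos = i
        }
        if (rule == "" || pos == 0) next
        iface = $(pos + 1); sub(/:$/, "", iface)
        key = $(pos - 2) " " $(pos - 1) " " iface " " $(pos + 2) " " $(pos + 3) " > " $(pos + 5) " rule " rule
        count[key]++
    }
    END { for (k in count) print count[k] " x " k }' | sort
}

# suggest_pass_rules
# Reads summarize_pflog output and prints a pf rule for every blocked flow,
# in the "pass out exact traffic you need" form from the reply. Each line is a
# proposal to review against the ruleset, not something to append blindly.
suggest_pass_rules() {
    awk '$3 == "block" {
        printf "pass %s on %s proto %s from %s to %s   # was rule %s, %s packets\n",
               $4, $5, $6, $7, $9, $11, $1
    }'
}

# Stand-alone run over the sample.
printf '%s\n' "$SAMPLE_PFLOG" | summarize_pflog
printf '%s\n' "$SAMPLE_PFLOG" | summarize_pflog | suggest_pass_rules
```

On a live box the input is `tcpdump -n -e -ttt -i pflog0` (or a saved pflog file read with -r), and a rule placed inside an anchor must be checked with the anchor loaded, since the last matching rule wins.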

OpenBSD blocks IPsec traffic

2018-04-18 Thread C. L. Martinez
Hi all,

 I am trying to configure an ipsec tunnel (host-to-host) between two hosts
that go through an openbsd firewall. Tunnel is established, but when I try
to, for example, connect via ssh from one host to the other, pf blocks
traffic:

Apr 18 12:53:00.286351 rule 24/(match) [uid 0, pid 19127] block out on
vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 1 len 100 (DF) [tos
0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:02.292330 rule 24/(match) [uid 0, pid 19127] block out on
vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 2 len 100 (DF) [tos
0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:06.300396 rule 24/(match) [uid 0, pid 19127] block out on
vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 3 len 100 (DF) [tos
0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:14.324382 rule 24/(match) [uid 0, pid 19127] block out on
vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 4 len 100 (DF) [tos
0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)
Apr 18 12:53:30.356437 rule 24/(match) [uid 0, pid 19127] block out on
vio0: esp 172.22.59.6 > 172.22.55.2 spi 0xf8bef4b3 seq 5 len 100 (DF) [tos
0x10] (ttl 63, id 0, len 120, bad ip cksum 700f! -> 710f)

 To do some tests, I have configured the following rules:

pass in inet from 172.22.55.2 to 172.22.59.6 flags S/SA keep state
(if-bound)
pass in inet from 172.22.59.6 to 172.22.55.2 flags S/SA keep state
(if-bound)

Any idea?


Migrating nginx config to OpenBSD's httpd

2018-04-13 Thread C. L. Martinez
Hi all,

 I am trying to migrate my nginx configuration to OpenBSD's httpd. Everything is
working OK, except for some reverse proxy config that I use with nginx,
like for example:

server {
    listen 80;
    server_name internal.w01.domain.org;

    location / {
        proxy_pass http://192.168.30.4;
    }
}

 I don't see which option to use in httpd.conf, or is it a better
option to use relayd.conf for this type of config?

Thanks.


Re: Writing "ones" instead of "zeroes" when wiping disk

2018-01-11 Thread L. V. Lammert
On Thu, 11 Jan 2018, STeve Andre' wrote:

> Don't bother.   Wiping the disk twice is enough.   If you are storing state
> secrets melt the disk.
>
An anvil and a big hammer also work well and give some exercise in the
process.

Lee



Re: Testing IKEv2 with Android devices

2017-11-29 Thread C. L. Martinez
On Wed, Nov 29, 2017 at 9:33 AM, Stuart Henderson <s...@spacehopper.org> wrote:
> On 2017-11-26, C. L. Martinez <carlopm...@gmail.com> wrote:
>>
>> Ok, it seems the problem is that iked(8) does not know how to perform 
>> Diffie-Hellman group negotiation:
>>
>> https://marc.info/?l=openbsd-tech=151136800328145=2
>>
>>  Am I correct? What is the current status for Tim's fix?
>
> patrick@ has been following this rabbit hole, try his latest diff.
>

Thanks Stuart. Are you referring to this one:
https://marc.info/?l=openbsd-tech=151187345915827=2?



Re: Testing IKEv2 with Android devices

2017-11-26 Thread C. L. Martinez
On Sun, Nov 26, 2017 at 09:02:46PM +0100, C. L. Martinez wrote:
> Hi all,
> 
>  I am testing IKEv2 for Android roadwarrior clients ... I have done a very 
> basic config:
> 
> ikev2 "roadwarriors" passive esp \
> from 0.0.0.0/0 to 172.22.55.0/27 \
> peer any \
> config name-server 172.22.55.1 \
> psk "stargazer"
> 
>  Launching "iked -dvv" returns me:
> 
> ikev2_recv: IKE_SA_INIT request from initiator 172.17.35.20:500 to 
> 172.17.35.9:500 policy 'roadwarriors' id 0, 652 bytes
> ikev2_recv: ispi 0xe525d6e2b940fdb1 rspi 0x
> ikev2_policy2id: srcid FQDN/lowlands.lab.uxdom.org length 26
> ikev2_pld_parse: header ispi 0xe525d6e2b940fdb1 rspi 0x 
> nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 
> 652 response 0
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 244
> ikev2_pld_sa: more than one proposal specified
> ikev2_pld_sa: more 2 reserved 0 length 136 proposal #1 protoid IKE spisize 0 
> xforms 15 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id 
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1536
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
> ikev2_pld_ke: dh group  reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_nat_detection: peer source 0xe525d6e2b940fdb1 0x 
> 172.17.35.20:500
> ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP 
> encapsulation
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_nat_detection: peer destination 0xe525d6e2b940fdb1 0x 
> 172.17.35.9:500
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 16
> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
> ikev2_pld_notify: signature hash SHA1 (1)
> ikev2_pld_notify: signature hash SHA2_256 (2)
> ikev2_pld_notify: signature hash SHA2_384 (3)
> ikev2_pld_notify: signature hash SHA2_512 (4)
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED
> sa_state: INIT -> SA_INIT
> ikev2_sa_negotiate: score 4
> sa_stateok: SA_INIT flags 0x, require 0x 
> sa_stateflags: 0x -> 0x0020 sa (required 0x )
> ikev2_sa_keys: SKEYSEED with 32 bytes
> ikev2_sa_keys: S with 80 bytes
> ikev2_prfplus: T1 with 32 bytes
> ikev2_prfplus: T2 with 32 bytes
> ikev2_prfplus: T3 with 32 bytes
> ikev2_prfplus: T4 with 32 bytes
> ikev2_prfplus: T5 with 32 bytes
> ikev2_prfplus: T6 with 32 bytes
> ikev2_prfplus: T7 with 32 bytes
> ikev2_prfplus: Tn with 224 bytes
> ikev2_sa_keys: SK_d with 32 bytes
> ikev2_sa_keys: SK_ai with 32 bytes
> ikev2_sa_keys: SK_ar with 32 bytes
> ikev2_sa_keys: SK_ei with 32 bytes
> ikev2_sa_keys: SK_er with 32 bytes
> ikev2_sa_keys: SK_pi with 32 bytes
> ikev2_sa_keys: SK_pr with 32 bytes
> ikev2_add_proposals: length 44
> ikev2_next_payload: length 48 nextpayload KE
> ikev2_next_payload: length 264 nextpayload NONCE
> ikev2_next_payload: length 36 nextpayload NOTIFY
> ikev2_nat_detection: local source 0xe525d6e2b940fdb1 0xc417a42f151005cb 
> 172.17.35.9:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_nat_detection: local destination 0xe525d6e2b940fdb1 0xc417a42f151005cb 
> 172.17.35.20:500
> ikev2_ne

Testing IKEv2 with Android devices

2017-11-26 Thread C. L. Martinez
 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload CERTREQ nextpayload NOTIFY critical 0x00 length 5
ikev2_pld_certreq: type RSA_KEY length 0
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_msg_send: IKE_SA_INIT response from 172.17.35.9:500 to 172.17.35.20:500 
msgid 0, 451 bytes
config_free_proposals: free 0x1ccfc4952580

 According to this:

sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x, require 0x
sa_stateflags: 0x -> 0x0020 sa (required 0x )

 Phase 1 is established, correct? But I am not sure, because the last message is:

ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_msg_send: IKE_SA_INIT response from 172.17.35.9:500 to 172.17.35.20:500 
msgid 0, 451 bytes
config_free_proposals: free 0x1ccfc4952580

 Android device is a Samsung Galaxy Edge S7 (Android 7.0) and OpenBSD is 6.2 
with all patches ... What am I doing wrong?

Thanks.

-- 
Greetings,
C. L. Martinez



Re: Problems configuring ifstated with dhcp interfaces /etc/ifstated.conf:4: macro '2' not defined (SOLVED)

2017-11-10 Thread C. L. Martinez
On Fri, Nov 10, 2017 at 07:28:19PM +, C. L. Martinez wrote:
> Hi all,
> 
>  I need to configure ifstated for two public interfaces, and one of them is a 
> dhcp interface. To accomplish this I have configured the following macro in 
> the ifstated.conf file:
> 
> wired_gate_test = '( "ping -q -c1 -w1 -I `awk '/fixed-address/ { print $2 }' 
> /var/db/dhclient.leases.em1 | sed -e 's/;//'` `awk '/routers/ { print $3 }' 
> /var/db/dhclient.leases.em1 | sed -e 's/;//'` > /dev/null" every 30 )'
> 
>  But it returns the following error:
> 
> wired_linkup = "em1.link.up"
> wireless_linkup = "em2.link.up"
> /etc/ifstated.conf:4: syntax error
> /etc/ifstated.conf:4: macro '2' not defined
> /etc/ifstated.conf:34: macro 'wired_gate_test' not defined
> /etc/ifstated.conf:34: syntax error
> ifstated: invalid start state wired
> 
>  From command line, ping command works ... What am I doing wrong?
> 
> Thanks.
> 
Oops .. I have found the problem ... I need to escape awk like awk \'/fixed... Sorry 
for the noise ...

-- 
Greetings,
C. L. Martinez



Problems configuring ifstated with dhcp interfaces /etc/ifstated.conf:4: macro '2' not defined

2017-11-10 Thread C. L. Martinez
Hi all,

 I need to configure ifstated for two public interfaces, and one of them is a 
dhcp interface. To accomplish this I have configured the following macro in 
the ifstated.conf file:

wired_gate_test = '( "ping -q -c1 -w1 -I `awk '/fixed-address/ { print $2 }' 
/var/db/dhclient.leases.em1 | sed -e 's/;//'` `awk '/routers/ { print $3 }' 
/var/db/dhclient.leases.em1 | sed -e 's/;//'` > /dev/null" every 30 )'

 But it returns the following error:

wired_linkup = "em1.link.up"
wireless_linkup = "em2.link.up"
/etc/ifstated.conf:4: syntax error
/etc/ifstated.conf:4: macro '2' not defined
/etc/ifstated.conf:34: macro 'wired_gate_test' not defined
/etc/ifstated.conf:34: syntax error
ifstated: invalid start state wired

 From command line, ping command works ... What am I doing wrong?

Thanks.

-- 
Greetings,
C. L. Martinez



Re: Debugging a php's script startup

2017-11-08 Thread C. L. Martinez
On Wed, Nov 08, 2017 at 08:43:55PM +0100, Martijn van Duren wrote:
> Hello C.,
> 
> Can you start up the daemon process from the CLI (without the rc
> script)? If not and it still has the same error message as below (which
> I reckon it will) you might want to change your mysqli.default_socket =
> in your /etc/php-7.0.ini.
> Do note however that this will also affect php-fpm and mod_php which run
> chrooted by default (hence the weird path), so if you need those installs
> unaffected try to create a custom ini-file and specify it with -c as a
> php-argument.
> 
> Also note that php is not designed to write daemons in and should only
> be done if there are no other options. The rc-script won't restart your
> daemon automatically if it crashes.
> 
> Hope this helps.
> 
> martijn@
> 
> > 

Wow!! ... Many many thanks Martijn. I have added the "-c" switch to daemon_args and 
created another .ini file for this "daemon", and it works. Here it is:

#!/bin/sh -x
#

daemon="/usr/local/bin/php-7.0"
daemon_flags="-c /etc/tt-rss/php-7.0.ini /var/www/htdocs/rss/update_daemon2.php 
--log /tmp/update_rss.log"
daemon_user="www"

. /etc/rc.d/rc.subr

pexp="${daemon}${daemon_flags:+ ${daemon_flags}}"

rc_bg=YES
rc_reload=NO

rc_post() {
rm -f /var/www/htdocs/rss/lock/update_daemon.lock
}

rc_cmd $1

 Inside the .ini I have configured the mysqli.default_socket option:

mysqli.default_socket = /var/www/var/run/mysql/mysql.sock

-- 
Greetings,
C. L. Martinez



Debugging a php's script startup

2017-11-08 Thread C. L. Martinez
Hi all,

 I am trying to set up a startup file for TT-Rss (installed under an OpenBSD 6.2 
host, fully patched). This is the script:

#!/bin/sh -x
#

daemon="/usr/local/bin/php-7.0"
daemon_flags="/var/www/htdocs/rss/update_daemon2.php --log /tmp/update_rss.log"
daemon_user="www"

. /etc/rc.d/rc.subr

pexp="${MODPHP_BIN} ${daemon}${daemon_flags:+ ${daemon_flags}}"

rc_bg=YES
rc_reload=NO

rc_post() {
rm -f /var/www/htdocs/rss/lock/update_daemon.lock
}

rc_cmd $1

 And when I try to start it, this is the output:

root@rssweb:/etc/rc.d# ./tt_rss start
+ daemon=/usr/local/bin/php-7.0
+ daemon_flags=/var/www/htdocs/rss/update_daemon2.php --log /tmp/update_rss.log
+ daemon_user=www
+ . /etc/rc.d/rc.subr
+ _rc_actions=start stop restart reload check
+ readonly _rc_actions
+ [ -n  ]
+ basename ./tt_rss
+ _name=tt_rss
+ _rc_check_name tt_rss
+ [ -n /usr/local/bin/php-7.0 ]
+ unset _RC_DEBUG _RC_FORCE
+ getopts df c
+ shift 0
+ _RC_RUNDIR=/var/run/rc.d
+ _RC_RUNFILE=/var/run/rc.d/tt_rss
+ _rc_do _rc_parse_conf
+ eval _rcflags=${tt_rss_flags}
+ _rcflags=
+ eval _rcrtable=${tt_rss_rtable}
+ _rcrtable=
+ eval _rcuser=${tt_rss_user}
+ _rcuser=
+ eval _rctimeout=${tt_rss_timeout}
+ _rctimeout=
+ getcap -f /etc/login.conf tt_rss
+ > /dev/null 
+ 2>&1 
+ daemon_class=daemon
+ [ -z  ]
+ daemon_rtable=0
+ [ -z www ]
+ [ -z  ]
+ daemon_timeout=30
+ [ -n  -o start != start ]
+ [ -n  ]
+ [ -n  ]
+ [ -n  ]
+ [ -n  ]
+ [ -n  ]
+ readonly daemon_class
+ unset _rcflags _rcrtable _rcuser _rctimeout
+ pexp=/usr/local/bin/php-7.0 /var/www/htdocs/rss/update_daemon2.php --log 
/tmp/update_rss.log
+ rcexec=su -l -c daemon -s /bin/sh www -c
+ [ 0 -eq 0 ]
+ pexp= /usr/local/bin/php-7.0 /var/www/htdocs/rss/update_daemon2.php --log 
/tmp/update_rss.log
+ rc_bg=YES
+ rc_reload=NO
+ rc_cmd start
tt_rss(failed)

 The pexp option seems good ... I think the problem is with the 'www' user and with 
this command: "su -l -c daemon -s /bin/sh www -c". Launching it from the console 
returns an error:

root@rssweb:/etc/rc.d# su -l -c daemon -s /bin/sh www -c 
'/usr/local/bin/php-7.0 /var/www/htdocs/rss/update_daemon2.php --log 
/tmp/update_rss.log'
PHP Warning:  mysqli_connect(): (HY000/2002): Can't connect to local MySQL 
server through socket '/var/run/mysql/mysql.sock' (2 "No such file or 
directory") in /var/www/htdocs/rss/classes/db/mysqli.php on line 8
Unable to connect to database (as rss to localhost, database dbrss): Can't 
connect to local MySQL server through socket '/var/run/mysql/mysql.sock'

 The mysql socket is created under www's chroot, as the pkg-readme says: 
srwxrwxrwx  1 _mysql  _mysql  0 Nov  8 17:45 /var/www/var/run/mysql/mysql.sock

 If I am not wrong, then, how can I configure this startup script?

Thanks
-- 
Greetings,
C. L. Martinez



About WPA2 compromised protocol

2017-10-16 Thread C. L. Martinez
Hi all,

 Regarding the WPA2 alert published today: https://www.krackattacks.com/,
if I use an IPsec tunnel with a shared key or certificate, or an OpenVPN
connection, to authenticate and protect client and hostAP comms, is
this vulnerability mitigated?

 Thanks.



Re: sysmerge is not needed when updating to 6.2?

2017-10-12 Thread C. L. Martinez
On Thu, Oct 12, 2017 at 11:45:24AM +0200, Theo Buehler wrote:
> > But I have only one question: Is sysmerge no longer needed for the
> > update process, like in previous releases?
> 
> Since 6.0 the installer installs an rc.sysmerge that runs 'sysmerge -b'
> on first boot of the updated system.
> 

Perfect. 

Many thanks.

-- 
Greetings,
C. L. Martinez



sysmerge is not needed when updating to 6.2?

2017-10-12 Thread C. L. Martinez
Hi all,

 Today I have updated two OpenBSD 6.1 hosts to 6.2 after reading the FAQ and 
all works really well. Congratulations to all OpenBSD's developers for their 
hard work.

 But I have only one question: Is sysmerge no longer needed for the update 
process, like in previous releases?

 Many thanks.

-- 
Greetings,
C. L. Martinez



Running OpenBSD 6.1 under vmware fusion

2017-09-09 Thread C. L. Martinez
Hi all,

 I have installed OpenBSD 6.1 under VMware Fusion on a MacBook Pro 2017. Everything 
is running OK, except when I start the graphical environment (i3).

 a) Resolution: I have configured the /etc/xorg.conf file several times trying to 
get a good resolution (2560x1600), but Xorg goes to 1280x768 every time.

 b) Mouse speed is really slow slow slow ... How can I increase mouse speed? 

Mouse conf to increase speed (but it doesn't work):

Section "InputClass"
Identifier "My Mouse"
MatchIsPointer "yes"
Option "AccelerationNumerator" "2"
Option "AccelerationDenominator" "1"
Option "AccelerationThreshold" "4"
EndSection


Display conf :

Section "Monitor"
Identifier  "default monitor"
DisplaySize 311 170
EndSection

Section "Device"
Identifier  "default device"
Driver  "vmware"
EndSection

Section "Screen"
Identifier  "default screen"
Device  "default device"
Monitor "default monitor"
EndSection


 I have attached Xorg.log. Any help please?

Thanks
-- 
Greetings,
C. L. Martinez
[  4640.706] (--) checkDevMem: using aperture driver /dev/xf86
[  4640.888] (--) Using wscons driver on /dev/ttyC2
[  4640.891] 
X.Org X Server 1.18.4
Release Date: 2016-07-19
[  4640.892] X Protocol Version 11, Revision 0
[  4640.892] Build Operating System: OpenBSD 6.1 amd64 
[  4640.892] Current Operating System: OpenBSD stirling.lab.uxdom.org 6.1 
GENERIC#23 amd64
[  4640.892] Build Date: 01 April 2017  02:00:27PM
[  4640.892]  
[  4640.892] Current version of pixman: 0.34.0
[  4640.892]Before reporting problems, check http://wiki.x.org
to make sure that you have the latest version.
[  4640.892] Markers: (--) probed, (**) from config file, (==) default setting,
(++) from command line, (!!) notice, (II) informational,
(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
[  4640.892] (==) Log file: "/var/log/Xorg.0.log", Time: Sat Sep  9 10:06:36 
2017
[  4640.892] (==) Using config file: "/etc/xorg.conf"
[  4640.892] (==) Using config directory: "/etc/X11/xorg.conf.d"
[  4640.892] (==) Using system config directory 
"/usr/X11R6/share/X11/xorg.conf.d"
[  4640.892] (==) No Layout section.  Using the first Screen section.
[  4640.892] (**) |-->Screen "default screen" (0)
[  4640.892] (**) |   |-->Monitor "default monitor"
[  4640.892] (**) |   |-->Device "default device"
[  4640.892] (**) |   |-->GPUDevice "default device"
[  4640.892] (==) Disabling SIGIO handlers for input devices
[  4640.892] (==) Automatically adding devices
[  4640.892] (==) Automatically enabling devices
[  4640.892] (==) Not automatically adding GPU devices
[  4640.892] (==) Max clients allowed: 256, resource mask: 0x1f
[  4640.892] (==) FontPath set to:
/usr/X11R6/lib/X11/fonts/misc/,
/usr/X11R6/lib/X11/fonts/TTF/,
/usr/X11R6/lib/X11/fonts/OTF/,
/usr/X11R6/lib/X11/fonts/Type1/,
/usr/X11R6/lib/X11/fonts/100dpi/,
/usr/X11R6/lib/X11/fonts/75dpi/
[  4640.892] (==) ModulePath set to "/usr/X11R6/lib/modules"
[  4640.892] (II) The server relies on wscons to provide the list of input 
devices.
If no devices become available, reconfigure wscons or disable 
AutoAddDevices.
[  4640.892] (II) Loader magic: 0xd7e0a733020
[  4640.892] (II) Module ABI versions:
[  4640.892]X.Org ANSI C Emulation: 0.4
[  4640.892]X.Org Video Driver: 20.0
[  4640.892]X.Org XInput driver : 22.1
[  4640.892]X.Org Server Extension : 9.0
[  4640.893] (--) PCI:*(0:0:15:0) 15ad:0405:15ad:0405 rev 0, Mem @ 
0xe800/134217728, 0xfe00/8388608, I/O @ 0x1070/16
[  4640.893] (II) LoadModule: "glx"
[  4640.893] (II) Loading /usr/X11R6/lib/modules/extensions/libglx.so
[  4640.894] (II) Module glx: vendor="X.Org Foundation"
[  4640.894]compiled for 1.18.4, module version = 1.0.0
[  4640.894]ABI class: X.Org Server Extension, version 9.0
[  4640.894] (==) AIGLX enabled
[  4640.894] (II) LoadModule: "vmware"
[  4640.895] (II) Loading /usr/X11R6/lib/modules/drivers/vmware_drv.so
[  4640.895] (II) Module vmware: vendor="X.Org Foundation"
[  4640.895]compiled for 1.18.4, module version = 13.1.0
[  4640.895]Module class: X.Org Video Driver
[  4640.895]ABI class: X.Org Video Driver, version 20.0
[  4640.895] (II) vmware: driver for VMware SVGA: vmware0405, vmware0710
[  4640.895] (II) vmware(0): Driver was compiled without KMS- and 3D support.
[  4640.895] (WW) vmware(0): Disabling 3D support.
[  4640.895] (WW) vmware(0): Disabling Render Acceleration.
[  4640.895] (WW) vmware(0): Disabling RandR12+ support.
[  46

Re: Problem with key bindings with mutt under OpenBSD 6.1

2017-09-02 Thread C. L. Martinez
On Sat, Sep 02, 2017 at 02:48:12PM +0200, Anton Lindqvist wrote:
> On Sat, Sep 02, 2017 at 11:01:14AM +, C. L. Martinez wrote:
> > Hi all,
> > 
> >  I have used mutt over several months under FreeBSD and RHEL/CentOS. I have 
> > migrated my desktop to OpenBSD 6.1 and I have a problem with the mutt package 
> > installed from the official OpenBSD repos (neomutt-20170306-gpgme-sasl).
> > 
> >  In my mutt's config file I have defined the following key bindings:
> > 
> > #
> > # Key bindings
> > #
> > bind index \CP sidebar-prev
> > bind index \CN sidebar-next
> > bind index \CO sidebar-open
> > 
> >  The problem is with "\CO". It doesn't work under OpenBSD, but it works without 
> > problems under FreeBSD 11 or RHEL7/CentOS7. If I change "\CO" to "\CA" or 
> > "\CI" or "\CH", for example, it works without problems ... Is "\CO" defined 
> > by default under OpenBSD? How can I revert this behavior?
> 
> $ stty discard undef; mutt
> 

Perfect!! .. It is working.. Many thanks Anton.

-- 
Greetings,
C. L. Martinez



Problem with key bindings with mutt under OpenBSD 6.1

2017-09-02 Thread C. L. Martinez
Hi all,

 I have used mutt over several months under FreeBSD and RHEL/CentOS. I have 
migrated my desktop to OpenBSD 6.1 and I have a problem with the mutt package 
installed from the official OpenBSD repos (neomutt-20170306-gpgme-sasl).

 In my mutt's config file I have defined the following key bindings:

#
# Key bindings
#
bind index \CP sidebar-prev
bind index \CN sidebar-next
bind index \CO sidebar-open

 The problem is with "\CO". It doesn't work under OpenBSD, but it works without 
problems under FreeBSD 11 or RHEL7/CentOS7. If I change "\CO" to "\CA" or "\CI" 
or "\CH", for example, it works without problems ... Is "\CO" defined by 
default under OpenBSD? How can I revert this behavior?

Thanks.

-- 
Greetings,
C. L. Martinez



Re: Can I use OpenBSD in a virtual machine, for example, VirtualBox?

2017-06-26 Thread L. V. Lammert
On Mon, 26 Jun 2017, SOUL_OF_ROOT 55 wrote:

> Can I use OpenBSD in a virtual machine, for example, VirtualBox?
>
Yep, .. have had them for many years, VirtualBox & Xen.

Lee



Re: Sad story

2017-06-05 Thread L. R. S.
>Simply restore from backup.

I have only one old backup, not the newest changes...

>10% are files you will not ever need
>20% are files that you will never use

That's not my case, sadly.



Sad story

2017-06-05 Thread L. R. S.
Forgot the passphrase of a full-disk encrypted OpenBSD system ;_;
So many documents will be lost, like [coughs] accesses to NULL.


--luiz r.



OpenBSD 6.1 on Lenovo P50

2017-05-22 Thread L. Jankok
Hi there,

Anybody running OpenBSD on a Lenovo P50 laptop?

I am looking for tips and experiences.

Regards,

LJ

-- 

Shall artificial plants be given artificial water?



Re: After applying patches, kernel version is slower?

2017-05-04 Thread C. L. Martinez
On Thu, May 04, 2017 at 07:49:04AM +, Stuart Henderson wrote:
> On 2017-05-04, C. L. Martinez <carlopm...@gmail.com> wrote:
> > Hi all,
> >
> >  I have applied the recent patches for OpenBSD 6.1 in two hosts and I see a 
> > strange behavior. In a non-patched OpenBSD 6.1 host, uname -a returns:
> >
> > OpenBSD tnobsd02.mydom.org 6.1 GENERIC#19 amd64
> >
> >  .. and in an OpenBSD 6.1 host with patches applied:
> >
> > OpenBSD extobsd01.mydom.org 6.1 GENERIC#4 amd64
> >
> >  Any idea why??
> >
> 
> They're built on a different machine. (The number after GENERIC# shows
> how many builds were done in that directory since it was cleaned.)
> 
> Check the date in "sysctl kern.version".
> 

Ahh ... Ok, many thanks for the info Stuart.

-- 
Greetings,
C. L. Martinez



After applying patches, kernel version is slower?

2017-05-04 Thread C. L. Martinez
Hi all,

 I have applied the recent patches for OpenBSD 6.1 in two hosts and I see a 
strange behavior. In a non-patched OpenBSD 6.1 host, uname -a returns:

OpenBSD tnobsd02.mydom.org 6.1 GENERIC#19 amd64

 .. and in an OpenBSD 6.1 host with patches applied:

OpenBSD extobsd01.mydom.org 6.1 GENERIC#4 amd64

 Any idea why??

-- 
Greetings,
C. L. Martinez



Sysctl options to install IDS software

2017-04-20 Thread C. L. Martinez
Hi all,

 In the following days, I want to replace some Linux systems that act as 
IDS/IPS nodes with OpenBSD 6.1 (congratulations to the whole OpenBSD team; IMO, the 
best OpenBSD that I have used).

 These OpenBSD nodes will be installed with Suricata, Bro and Snort components. 
In the Linux and FreeBSD world, when you try to monitor 1GB/10GB networks 
(which is my case), some kernel variables need to be tweaked.

 For example, on Linux systems some of these options are:

net.core.rmem_max
net.core.wmem_max
net.core.rmem_default
net.core.wmem_default
net.core.optmem_max
net.ipv4.tcp_rmem
net.ipv4.tcp_wmem
net.ipv4.udp_mem

 In OpenBSD's old days, you could tweak options like the send and receive 
network buffers, etc. But in more recent OpenBSD releases most of these 
options are not available; from what I understand, some sort of "tuning" is 
already done by default in the GENERIC kernel.

 But I see some kernel options that could need to be modified to use IDS/IPS 
software. Some of them:

kern.somaxconn
net.inet.udp.recvspace
net.inet.udp.sendspace
net.bpf.maxbufsize (I am not sure about this option)


 On the other side, I don't want to break anything in this first stage :) ... I 
prefer to do some kind of control first and apply these changes afterwards.

 Any recommendation? 

Many thanks.


-- 
Greetings,
C. L. Martinez



Re: What does it mean this error when I try install a package?

2017-04-17 Thread C. L. Martinez
On Mon, Apr 17, 2017 at 01:39:22PM +0200, Christoph R. Murauer wrote:
> > Hi all,
> >
> >  After installing OpenBSD 6.1, I am trying to install some packages,
> > for example python-2.7. When I launch the following command:
> >
> > pkg_add -v python-2.7
> >
> >  ... returns the following errors:
> >
> >  http://ftp.openbsd.org/pub/OpenBSD/6.1/packages/amd64/: Read short
> > file.
> > http://ftp.openbsd.org/pub/OpenBSD/6.1/packages/amd64/python-2.7.tgz:
> > ftp: Error retrieving file: 404 Not Found
> > signify: gzheader truncated
> > Can't find python-2.7
> > Extracted 11548847 from 11550420
> >
> >  What do these errors mean?? My PKG_PATH variable is
> > "PKG_PATH=http://ftp.openbsd.org/pub/OpenBSD/6.1/packages/amd64"
> 
> It means, that the package you try to install does not exist. Run
> 
> pkg_info -Q python
> 
> See FAQ https://www.openbsd.org/faq/faq15.html#PkgFind
> 
> you see something like (in my case it is already installed)
> 
> ...
> python-2.7.13p0 (installed)
> ...
> 
> You can also check the list of packages at
> http://ftp.openbsd.org/pub/OpenBSD/6.1/packages/amd64/index.txt
> 
> So, try
> 
> pkg_add -v python-2.7.13p0
> 
> or, check the -z switch of pkg_add (man pkg_add)
> 
> pkg_add -v -z python-2.7.13
> 

Yep, understood.

Many thanks.


-- 
Greetings,
C. L. Martinez



What does it mean this error when I try install a package?

2017-04-17 Thread C. L. Martinez
Hi all,

 After installing OpenBSD 6.1, I am trying to install some packages, for 
example python-2.7. When I launch the following command:

pkg_add -v python-2.7

 ... returns the following errors:

 http://ftp.openbsd.org/pub/OpenBSD/6.1/packages/amd64/: Read short file.
http://ftp.openbsd.org/pub/OpenBSD/6.1/packages/amd64/python-2.7.tgz: ftp: 
Error retrieving file: 404 Not Found
signify: gzheader truncated
Can't find python-2.7
Extracted 11548847 from 11550420

 What do these errors mean?? My PKG_PATH variable is 
"PKG_PATH=http://ftp.openbsd.org/pub/OpenBSD/6.1/packages/amd64"
-- 
Greetings,
C. L. Martinez



Re: Why isn't OpenBSD in Google Summer of Code 2017?...

2017-04-05 Thread Jacob L. Leifman
Security and correctness should never be an after-thought. Have you 
done any real software development? And have you ever tried to find 
your way through cruddy code? 999 times out of 1000 it is less painful 
and much more effective to rewrite from scratch. So what's the point of 
having that previous iteration?

On 5 Apr 2017 at 13:10, Luke Small wrote:

> I imagine there are some projects that need some love that are on the back
> burner at the moment that could use some hacking; even if it is totally
> redone later by someone that wants to refactor it for privsep and such.
> On Tue, Apr 4, 2017 at 4:21 PM Theo de Raadt  wrote:
> 
> > Pete, you propose a waste of time.
> >
> > Everyone has the source code.  Everyone can run it.  Everyone can see
> > the problems other people report, and the things which are not supported.
> >
> > Everyone already can tell what needs improving.  Everyone has a brain,
> > and can come up with their own goals.
> >
> > If they don't come up with goals, there's nothing we can write which
> > will change anything.
> >
> > Finally, not everyone has time.  It would not be time spent well making
> > lists for other people who may or may not perform.
> >
> > > Would the devs consider compiling a list of specific improvements they'd
> > like
> > > to see volunteer'd upon this summer? I'd love to help especially if it
> > was a
> > > group effort/friendly competition.
> > >
> > > 
> > > From: owner-m...@openbsd.org  on behalf of Bob
> > Beck
> > > 
> > > Sent: April 2, 2017 10:16:21 PM
> > > To: Luke Small
> > > Cc: openbsd-misc
> > > Subject: Re: Why isn't OpenBSD in Google Summer of Code 2017?...
> > >
> > > We tried it for two years, it was too much effort on the part of the
> > > foundation organizers mentors to deal with the bureaucracy involved, and
> > we
> > > didn't really see enough
> > > return in terms of new developers to the project, which, frankly being
> > > selfish on OpenBSD's part is the only reason for us to do it.
> > >
> > > Both Ken Westerback and I organized our end of it and dealt with the
> > google
> > > paperwork the two years we did it, Neither of us is willing to do it
> > again,
> > > and while I won't
> > > directly speak for Ken, I would not support us spending effort on this
> > when
> > > there are lots of other things to do.. It just doesn't have the benefit
> > for
> > > OpenBSD, especially
> > > in light of the effort of the volunteers necessary to participate.
> > >
> > >
> > >
> > > On Sun, Apr 2, 2017 at 8:54 AM, Luke Small  wrote:



Re: Please: Is there ANY chance that Linux binaries might run again???

2017-03-11 Thread Jacob L. Leifman
On 11 Mar 2017 at 15:47, ropers wrote:

> On 11 March 2017 at 15:18, Stuart Henderson  wrote:
> 
> > On 2017/03/10 23:56, ropers wrote:
> > > On 10 March 2017 at 01:30, Stuart Henderson 
> > > wrote:
> > >
> > > (And unlike Linux, 32-bit OpenBSD binaries won't run on OpenBSD/
> > > amd64)
> > >
> > >
> > > Is there a technical reason for that?
> > > I'm not trying to demand anything here; just curious.
> > >
> > > This is NOT intended to be a "but teh Linux does X, so should we, so
> > > why can't we" whine.
> > > I'm merely ignorantly interested in a "what are they doing, what's
> > > OpenBSD doing" kind of way.
> >
> > I think that even just adding basic support would be complicated and
> > likely error-prone. Is there anything it would actually be useful for?
> >
> 
> Personally, I'm really just asking out of technical curiosity.
> This is not about whether I'd ever actually want or feel I'd need to run
> 32-bit OpenBSD binaries on OpenBSD/amd64.
> 
> Was 32-on-64 compatibility somehow easier to achieve on the Linux side?
> Or did they just keep throwing code and more code at the problem because
> they felt they really, really had to have this?
> It's that kind of idle curiosity. If nobody's interested in explaining or
> hearing this explained, then sorry for the noise.
> 
> 

If you examine a typical 64-bit Linux installation, you will notice 
that it contains duplicate sets of most libraries and even many of the 
drivers -- one x86_64 and the other i586. On disk, the packages for the 
latter are almost always the exact same ones as those installed on a 
pure 32-bit Linux. So in essence the 64-bit Linux is like two OS 
running simultaneously. I am guessing that this is facilitated by the 
Linux's micro-kernel approach -- in oversimplified terms, their kernel 
is little more than a traffic cop at a docking terminal and all the 
drivers and libraries are "modules" communicating through a rather 
complex but broadly accommodating API that does not discriminate 32-bit 
vs. 64-bit. In contrast, OpenBSD uses monolithic kernel (and unlike 
FreeBSD it no longer even supports LKM) where all the communication 
paths have been streamlined and a decision is made upfront whether they 
are based on 32-bit or 64-bit architecture.



Re: New features in VMM for OpenBSD 6.1?

2017-03-07 Thread C. L. Martinez
On Mon, Mar 06, 2017 at 10:55:23AM -0800, Mike Larkin wrote:
> On Mon, Mar 06, 2017 at 06:22:07PM +0100, Juan Francisco Cantero Hurtado 
> wrote:
> > On Mon, Mar 06, 2017 at 10:40:52AM +, C. L. Martinez wrote:
> > > Hi all,
> > > 
> > >  Where can I see what new features will be released in VMM for OpenBSD 
> > > 6.1? For example, will it be possible to run Linux or FreeBSD guests 
> > > apart from OpenBSD guests?
> > 
> > No, vmm will only support OpenBSD in the next release.
> > https://www.openbsd.org/61.html will include a list of new features and
> > fixes.
> > 
> > -- 
> > Juan Francisco Cantero Hurtado http://juanfra.info
> >
> 
> As Juan states, I'm sure someone will go back through the cvs logs and update
> that page with what new changes/features went in. Probably the biggest change
> will be adding SVM support, if I can manage to get the last +/- 900 lines of
> local changes in, and add interrupt windowing support.
> 
> -ml

Thanks for the info.

-- 
Greetings,
C. L. Martinez



New features in VMM for OpenBSD 6.1?

2017-03-06 Thread C. L. Martinez
Hi all,

 Where can I see what new features will be released in VMM for OpenBSD 6.1? For 
example, will it be possible to run Linux or FreeBSD guests apart from OpenBSD 
guests?

Many thanks.

-- 
Greetings,
C. L. Martinez



Re: How easy is to do a MITM/spoof/etc. a public IP address?

2017-01-26 Thread C. L. Martinez
On Thu, Jan 26, 2017 at 10:51:14AM +, Stuart Henderson wrote:
> On 2017-01-25, C. L. Martinez <carlopm...@gmail.com> wrote:
> > On Wed, Jan 25, 2017 at 02:07:55PM +, Stuart Henderson wrote:
> >> On 2017-01-25, C. L. Martinez <carlopm...@gmail.com> wrote:
> >> > Hi all,
> >> >
> >> > I have received a (maybe) "stupid" request from one of our customers.
> >> > We have a pair of public OpenBSD firewalls (CARPed) that our development
> >> > team use to access to several customers via VPN IPsec tunnels. But this
> >> > morning we have received a request from one of these customers to access
> >> > to our development servers using only one acl to permit their public IP
> >> > address (without using VPN IPsec, or VPN SSL tunnels).
> >> >
> >> > And my (OT) question: how easy is it to do a MITM attack (DNS spoofing
> >> > for example, or another type of attack that permits to fake source
> >> > public ip address) in this scenario?
> >> 
> >> For an attacker with no access to endpoints or network in between:
> >> 
> >> - For many protocols including UDP, it is absolutely trivial to send
> >> traffic from a fake source address.
> >
> > But, only SYN can be sent, right?? Source's attacker ip address will not 
> > receive ACK, etc. Is it correct? If it is, he/she/they only can do DoS 
> > attack, they can't steal information, right?
> > 
> >> - With TCP it depends on various things but sometimes you can predict
> >> enough of the IP stack behaviour to spoof blindly and send data.
> >> reassemble tcp + random-id can help.
> 
> They won't get any responses, but if an attacker can predict some of
> what's in the packets (port numbers, sequence numbers etc), they can
> send a bunch of packets that *might* match. If they get lucky and hit
> on a correct one, they can handshake and transmit, obviously not
> receive data directly on that connection, but sending might be enough
> to do damage.
> 
> >> If an attacker can MITM (either by getting $client to send to their
> >> machine instead of yours directly, they can obviously log or modify
> >> packets before forwarding on to the real server. It depends what
> >> you're running over it as to whether this is a problem.
> >> 
> >
> > Uhmmm ... but in this case, I don't see how an attacker can fake original 
> > ip public source address ... Any theorical example?
> 
> If they have access to a machine that the packets pass through, or a
> machine that they can be made to pass through (e.g. by DNS manipulation,
> or if they're on an unprotected layer-2 network with a real router ARP
> attacks etc might work) they can just inspect/modify the packets as
> they're passing.
> 
> Even if it's just a router that doesn't let them do much with the
> packets directly, they might still be able to forward them over a GRE
> tunnel or similar to a machine where they can do this.
> 
> There are enough ISPs and colos around that don't do BCP38 (i.e. don't
> check source addresses) that there won't be too much difficulty
> re-forwarding packets with the original sender IP address.
> 
> > Many thanks Stuart for your help.
> 
> tl;dr: if VPN isn't suitable, make sure comms are protected by some
> other method that includes at least strong authentication and protects
> messages against being modified - e.g. modern SSH, TLS or equivalent -
> and be careful with certificates (test to make sure that you'll notice
> an unexpected change).
> 

Many thanks for your detailed answer Stuart. Fantastic. Only one more 
question. Since this access only requires the http service, will it be sufficient 
if I try to convince them to use https instead? And in the case that we could use 
https, would a MITM attack be minimized?

-- 
Greetings,
C. L. Martinez
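
Stuart's closing advice in the quoted reply is to protect the connection with strong authentication and integrity (modern SSH or TLS) and to make sure an unexpected certificate change is noticed. What follows is an added example, not something posted in the thread nor part of OpenBSD: a cron-friendly sh check that fetches the leaf-certificate SHA-256 fingerprint a server presents, using openssl(1) s_client, and compares it with a pinned value. dev.example.com and /etc/ssl/pins/ are placeholder names.

```shell
#!/bin/sh
# Added example, not part of the thread: pin the dev server's TLS
# certificate and fail loudly when it changes, which is the "test to make
# sure that you'll notice an unexpected change" part of the advice above.
# dev.example.com and /etc/ssl/pins/ are placeholder names.

# Reduce "SHA256 Fingerprint=AB:CD:..." or a bare hex string to lowercase
# hex without separators so that the two forms compare equal.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Succeed (exit 0) only when an observed fingerprint is non-empty and
# identical to the pinned one.
fingerprint_matches() {
    observed=$(normalize_fp "$1")
    pinned=$(normalize_fp "$2")
    [ -n "$observed" ] && [ "$observed" = "$pinned" ]
}

# Fetch the SHA-256 fingerprint of the leaf certificate a live server
# presents. Uses openssl(1)/LibreSSL s_client, so it needs network access.
fetch_fingerprint() {
    host=$1; port=${2:-443}
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# Cron entry point: exit 0 on match, 1 on mismatch, 2 when no certificate
# could be fetched (treat that as an alert too, never as "fine").
main() {
    host=${1:-dev.example.com}
    pinfile=${2:-/etc/ssl/pins/$host.sha256}
    observed=$(fetch_fingerprint "$host") || observed=""
    if [ -z "$observed" ]; then
        echo "$host: could not fetch certificate" >&2
        return 2
    fi
    if fingerprint_matches "$observed" "$(cat "$pinfile")"; then
        return 0
    fi
    echo "$host: certificate fingerprint changed: $observed" >&2
    return 1
}

# Only run the live check when invoked as: ./pincheck.sh --run host [pinfile]
if [ "${1:-}" = --run ]; then
    shift
    main "$@"
fi
```

Run it from cron and alert on any non-zero exit. After a planned renewal, update the pin file from a trusted path (for instance the fingerprint printed on the server itself), not from the output of the check that just reported a change, since that is precisely the case it exists to catch. The source-IP allow rule in pf remains a useful first filter, but as the thread explains it is not authentication.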



Re: How easy is to do a MITM/spoof/etc. a public IP address?

2017-01-26 Thread C. L. Martinez
On Wed, Jan 25, 2017 at 08:20:32PM +0100, Daniel Gillen wrote:
> On 25.01.2017 15:42, C. L. Martinez wrote:
> >> On Wed, Jan 25, 2017 at 02:07:55PM +0000, Stuart Henderson wrote:
> >> On 2017-01-25, C. L. Martinez <carlopm...@gmail.com> wrote:
> >>> Hi all,
> >>>
> >>> I have received a (maybe) "stupid" request from one of our customers.
> >>> We have a pair of public OpenBSD firewalls (CARPed) that our development
> >>> team use to access several customers via VPN IPsec tunnels. But this
> >>> morning we have received a request from one of these customers to access
> >>> our development servers using only one acl to permit their public IP
> >>> address (without using VPN IPsec, or VPN SSL tunnels).
> >>>
> >>> And my (OT) question: how easy is to do a MITM attack (DNS spoofing
> >>> for example, or another type of attack that permits to fake source
> >>> public ip address) in this scenario?
> >>
> >> For an attacker with no access to endpoints or network in between:
> >>
> >> - For many protocols including UDP, it is absolutely trivial to send
> >> traffic from a fake source address.
> > 
> > But, only SYN can be sent, right?? The attacker's source IP address will not 
> > receive the ACK, etc. Is that correct? If it is, he/she/they can only do a DoS 
> > attack, they can't steal information, right?
> > 
> 
> UDP and many other protocols are connectionless, so there is no such
> thing as SYN/ACK. You basically just send your data package and hope it
> somehow gets to its destination.
> 
> https://en.wikipedia.org/wiki/User_Datagram_Protocol

Yep, sorry. My mistake. I am referring to TCP connections ...

> 
> >>
> >> - With TCP it depends on various things but sometimes you can predict
> >> enough of the IP stack behaviour to spoof blindly and send data.
> >> reassemble tcp + random-id can help.
> >>
> >> If an attacker can MITM (either by getting $client to send to their
> >> machine instead of yours directly, they can obviously log or modify
> >> packets before forwarding on to the real server. It depends what
> >> you're running over it as to whether this is a problem.
> >>
> > 
> > Uhmmm ... but in this case, I don't see how an attacker can fake the original 
> > public source IP address ... Any theoretical example?
> > 
> > Many thanks Stuart for your help.
> > 
> > 
> 
> In an MITM scenario, the sent data packets actually flow _through_ the
> MITM's machine before they are forwarded to your machine. No need to
> fake the original source address, as it won't be changed. Think of the
> MITM's machine as a simple router interconnecting your and the $client's
> WAN.
> 
> https://en.wikipedia.org/wiki/Man-in-the-middle_attack

Thanks. I see the concept when you are in a LAN. But with a WAN, I can't see 
how you can accomplish this. For example: the public source IP address is 1.1.1.1, 
the destination public IP address is 2.2.2.2 and the attacker's public IP address is 
3.3.3.3. To establish communications between these three elements, there are 
several routers between them to route packets. What I don't see is how, when the 
attacker sends packets to 2.2.2.2 using source public IP address 1.1.1.1, the 
routers between all elements return these packets to the attacker (which has 
the 3.3.3.3 IP address).

Sorry for my "basic" knowledge in these fields :)


-- 
Greetings,
C. L. Martinez



Re: How easy is to do a MITM/spoof/etc. a public IP address?

2017-01-25 Thread C. L. Martinez
On Wed, Jan 25, 2017 at 02:07:55PM +0000, Stuart Henderson wrote:
> On 2017-01-25, C. L. Martinez <carlopm...@gmail.com> wrote:
> > Hi all,
> >
> > I have received a (maybe) "stupid" request from one of our customers.
> > We have a pair of public OpenBSD firewalls (CARPed) that our development
> > team use to access several customers via VPN IPsec tunnels. But this
> > morning we have received a request from one of these customers to access
> > our development servers using only one acl to permit their public IP
> > address (without using VPN IPsec, or VPN SSL tunnels).
> >
> > And my (OT) question: how easy is to do a MITM attack (DNS spoofing
> > for example, or another type of attack that permits to fake source
> > public ip address) in this scenario?
> 
> For an attacker with no access to endpoints or network in between:
> 
> - For many protocols including UDP, it is absolutely trivial to send
> traffic from a fake source address.

But, only SYN can be sent, right?? The attacker's source IP address will not 
receive the ACK, etc. Is that correct? If it is, he/she/they can only do a DoS attack, 
they can't steal information, right?

> 
> - With TCP it depends on various things but sometimes you can predict
> enough of the IP stack behaviour to spoof blindly and send data.
> reassemble tcp + random-id can help.
> 
> If an attacker can MITM (either by getting $client to send to their
> machine instead of yours directly, they can obviously log or modify
> packets before forwarding on to the real server. It depends what
> you're running over it as to whether this is a problem.
> 

Uhmmm ... but in this case, I don't see how an attacker can fake the original 
public source IP address ... Any theoretical example?

Many thanks Stuart for your help.


-- 
Greetings,
C. L. Martinez



How easy is to do a MITM/spoof/etc. a public IP address?

2017-01-25 Thread C. L. Martinez
Hi all,

 I have received a (maybe) "stupid" request from one of our customers. We have 
a pair of public OpenBSD firewalls (CARPed) that our development team use to 
access several customers via VPN IPsec tunnels. But this morning we have 
received a request from one of these customers to access our development 
servers using only one acl to permit their public IP address (without using VPN 
IPsec, or VPN SSL tunnels).

 And my (OT) question: how easy is it to do a MITM attack (DNS spoofing for 
example, or another type of attack that permits faking the source public IP 
address) in this scenario?

Many thanks.

-- 
Greetings,
C. L. Martinez



Re: PCI Express wireless adapter supported under OpenBSD

2016-11-30 Thread C. L. Martinez
On Wed 30.Nov'16 at 11:44:13 +0100, Stefan Sperling wrote:
> On Wed, Nov 30, 2016 at 10:12:32AM +0000, C. L. Martinez wrote:
> > I have discovered that the Asus AC88 AC3100 uses a BCM4366 chip, but if I am not 
> > wrong this chip is not supported under OpenBSD, is that right?
> 
> Indeed, BCM4366 won't work.
> 
> There are many Atheros AR9280 devices on sites such as ebay.
> And some vendors like pcengines still sell cards with this chip.
> You could also search for other chip names listed in the athn(4) man page.

Ok, I have found a good candidate: TP-LINK TL-WDN4800. According to TP-Link's 
webpage it uses an Atheros AR9380 chip. But, in OpenBSD's athn(4) man page, 
this chip doesn't appear for OpenBSD 6.0 ... but it appears in OpenBSD's 
4.9 changelog: https://www.openbsd.org/plus49.html. So, is it supported or 
not?

Thanks.

-- 
Greetings,
C. L. Martinez



Re: PCI Express wireless adapter supported under OpenBSD

2016-11-30 Thread C. L. Martinez
On Wed 30.Nov'16 at 10:26:32 +0100, Peter N. M. Hansteen wrote:
> On Wed, Nov 30, 2016 at 08:09:24AM +0000, C. L. Martinez wrote:
> >  I would like to install OpenBSD on an HP Microserver Gen8 to act as a 
> > firewall and hostap. I am searching for the components I need and I have a 
> > doubt about which wireless interface I need to buy to use as a hostap 
> > under OpenBSD.
> 
> The Microserver Gen8s are really nice machines for the application you 
> describe, once you set the disk controller to something sensible (as 
> previously reported). 
> 
> When it comes to your primary question I don't have a good answer, but in 
> case those boards are not supported it's worth keeping in mind one other 
> option: get the highest quality access point or 'wireless router' you can 
> afford, configure it as access point only (no dhcp or routing, leave that to 
> the OpenBSD tools)
> 
 I agree. The Microserver Gen8 is a fantastic box for deploying this type of scenario. 
My idea is to buy an SSD drive, configure this hard disk as RAID0 in the B120i and 
fire up OpenBSD ..

 I prefer to avoid buying an access point. I can wait for better support and data 
rates from the OpenBSD side in future releases ...

-- 
Greetings,
C. L. Martinez



Re: PCI Express wireless adapter supported under OpenBSD

2016-11-30 Thread C. L. Martinez
On Wed 30.Nov'16 at 10:04:25 +0100, Stefan Sperling wrote:
> On Wed, Nov 30, 2016 at 08:09:24AM +0000, C. L. Martinez wrote:
> > Hi all,
> > 
> >  I would like to install OpenBSD on an HP Microserver Gen8 to act as a 
> > firewall and hostap. I am searching for the components I need and I have a 
> > doubt about which wireless interface I need to buy to use as a hostap 
> > under OpenBSD.
> > 
> >  I have found only these:
> > 
> >  - Asus PCE-AC88 Wireless 5GHz PCI-E AC3100
> >  - Asus PCE-AC68 PCI-E WiFi Dual-Band AC1900
> > 
> >  Searching ASUS's web, I didn't find any info about which chip these 
> > adapters use. Are they supported under OpenBSD? Do you recommend any other 
> > wireless adapter (PCI-e)?? Throughput needs to be 300 Mbps, at least.
> > 
> > Thanks.
> 
> I'm afraid you won't get 300 Mbps from any wifi device on OpenBSD.
> Our 802.11n support is still in very early stages.
> 
> The best access point OpenBSD can offer uses obsolete AR9280 Atheros
> hardware with 802.11a data rates (theoretical maximum 54Mbit/s).
> 802.11n is not yet supported by any driver which has hostap support.
> 
> For your kinds of requirements, the best solution is an external
> access point connected to your OpenBSD box with gigabit ethernet.

Many thanks Stefan and Ze for your answers. But thinking about it, maybe it is a 
good idea to limit throughput to 150Mbps or less at this first stage. I can 
wait until OpenBSD supports more data rates.

I have discovered that the Asus AC88 AC3100 uses a BCM4366 chip, but if I am not wrong 
this chip is not supported under OpenBSD, is that right?

Thanks.



PCI Express wireless adapter supported under OpenBSD

2016-11-30 Thread C. L. Martinez
Hi all,

 I would like to install OpenBSD on an HP Microserver Gen8 to act as a firewall 
and hostap. I am searching for the components I need and I have a doubt about which 
wireless interface I need to buy to use as a hostap under OpenBSD.

 I have found only these:

 - Asus PCE-AC88 Wireless 5GHz PCI-E AC3100
 - Asus PCE-AC68 PCI-E WiFi Dual-Band AC1900

 Searching ASUS's web, I didn't find any info about which chip these 
adapters use. Are they supported under OpenBSD? Do you recommend any other wireless 
adapter (PCI-e)?? Throughput needs to be 300 Mbps, at least.

Thanks.

-- 
Greetings,
C. L. Martinez



FW Hardware

2016-09-22 Thread L. V. Lammert
There have been some good discussions lately about HW capable of running a
lot of traffic, .. but this question is about the other end of the
spectrum.

Have a need for a small FW appliance that can be used to protect a single
machine and provide a simple way to whitelist a single IP or two.

Two HW ethernet ports, OBSD compatible, small form factor, low cost.

Any recommendations?

Thanks!

Lee



Re: httpd: old behavior returns: Couldn't resolve host (SOLVED)

2016-09-05 Thread C. L. Martinez
On Mon  5.Sep'16 at 16:15:12 +0000, C. L. Martinez wrote:
> Hi all,
> 
>  I have upgraded my TT-RSS server based on OpenBSD 5.9 to OpenBSD 6.0. All 
> goes perfectly, except when I try to add news feeds. As I reported in 
> the past: http://marc.info/?l=openbsd-misc=146739024615025=2, tt-rss 
> returns "Couldn't resolve host" every time that I try to add a new feed. As 
> Stuart pointed out to me in the past, I have copied /etc/hosts and /etc/resolv.conf 
> to the /var/www/etc chroot, but in OpenBSD 6.0 it doesn't work.
> 
>  Is it a bug or do I need to configure any option inside httpd.conf??
> 
> Thanks.
> 
> -- 
> Greetings,
> C. L. Martinez

Ok, problem solved. php-fpm needs to be restarted. Sorry for the noise.

-- 
Greetings,
C. L. Martinez
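
The fix that emerges from this thread has two parts: the resolver files have to exist inside the httpd chroot (/var/www/etc/hosts and /var/www/etc/resolv.conf), and php-fpm has to be restarted afterwards so that it picks them up. The following is an added example, not the poster's script and not part of OpenBSD, that does both and only restarts when a copy actually changed. The rc script name php70_fpm is an assumption for the 6.0 era and may differ on your host.

```shell
#!/bin/sh
# Added example, not the poster's script: keep the resolver files the
# chrooted PHP needs in sync with the real ones, and report whether
# anything changed so the caller knows php-fpm must be restarted.
# The rc script name (php70_fpm) is an assumption and may differ.

# sync_chroot_resolver SRC_ROOT CHROOT_ROOT
# Copies SRC_ROOT/etc/{hosts,resolv.conf} into CHROOT_ROOT/etc when they
# differ (or are missing there). Prints "updated" or "unchanged".
sync_chroot_resolver() {
    src=$1; chroot=$2; changed=0
    mkdir -p "$chroot/etc"
    for f in hosts resolv.conf; do
        # Skip files the source system does not have (e.g. static hosts only).
        if [ ! -f "$src/etc/$f" ]; then
            continue
        fi
        # cmp -s also fails when the chroot copy is missing, which is
        # exactly the case the thread started with.
        if ! cmp -s "$src/etc/$f" "$chroot/etc/$f"; then
            cp "$src/etc/$f" "$chroot/etc/$f"
            chmod 0644 "$chroot/etc/$f"
            changed=1
        fi
    done
    if [ "$changed" -eq 1 ]; then echo updated; else echo unchanged; fi
}

# Entry point for real use on the host: sync from / into /var/www and
# bounce php-fpm only when something was copied.
main() {
    if [ "$(sync_chroot_resolver / /var/www)" = updated ]; then
        rcctl restart "${PHP_FPM_RC:-php70_fpm}"
    fi
}

# Only touch the live system when invoked as: ./sync-chroot.sh --run
if [ "${1:-}" = --run ]; then main; fi
```

Running it from cron or from a dhclient/resolvd hook keeps the chroot's resolver configuration from silently drifting after the next upgrade or DNS change, which is how the original symptom came back on 6.0.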



httpd: old behavior returns: Couldn't resolve host

2016-09-05 Thread C. L. Martinez
Hi all,

 I have upgraded my TT-RSS server based on OpenBSD 5.9 to OpenBSD 6.0. All goes 
perfectly, except when I try to add news feeds. As I reported in the past: 
http://marc.info/?l=openbsd-misc=146739024615025=2, tt-rss returns 
"Couldn't resolve host" every time that I try to add a new feed. As Stuart 
pointed out to me in the past, I have copied /etc/hosts and /etc/resolv.conf to 
the /var/www/etc chroot, but in OpenBSD 6.0 it doesn't work.

 Is it a bug or do I need to configure any option inside httpd.conf??

Thanks.

-- 
Greetings,
C. L. Martinez



Recommendation about an Alfa usb wireless adapter to use it as HostAP

2016-09-02 Thread C. L. Martinez
Hi all,

 I would like to install OpenBSD as a hostap for my home. I have done the same 
in the past, running OpenBSD as a kvm guest on my laptop, and it all works really 
well. I am thinking of using an Alfa (http://www.alfa.com.tw) usb wireless 
adapter. There is not much information on Alfa's web about which of them can 
run as a HostAP.

 Any recommendation? Maybe the AWUS036ACH can support this functionality, but I am 
not sure ...

Thanks.
-- 
Greetings,
C. L. Martinez



Re: Encrypting carp traffic with ipsec

2016-08-09 Thread C. L. Martinez
On Thu  4.Aug'16 at 12:30:56 +0000, C. L. Martinez wrote:
> On Tue  2.Aug'16 at  7:54:08 +0000, C. L. Martinez wrote:
> > On Mon  1.Aug'16 at  7:54:57 +0000, C. L. Martinez wrote:
> > > On Fri 29.Jul'16 at 10:55:01 +0300, Kapetanakis Giannis wrote:
> > > > On 28/07/16 22:47, C. L. Martinez wrote:
> > > > > Hi all,
> > > > > 
> > > > >  I will try to encrypt all carp traffic between two OpenBSD 5.9 fws
> > > > > (fully patched). According to ifconfig(8) man page:
> > > > > 
> > > > > carppeer peer_address
> > > > > Send the carp advertisements to a specified point-to-point peer or
> > > > > multicast group instead of sending the messages to the default carp
> > > > > multicast group. The peer_address is the IP address of the other host
> > > > > taking part in the carp cluster. With this option, carp(4) traffic can
> > > > > be protected using ipsec(4) and it may be desired in networks that do
> > > > > not allow or have problems with IPv4 multicast traffic.
> > > > > 
> > > > >  And the last sentence describes the type of problem that I want to
> > > > > avoid: "carp(4) traffic can be protected using ipsec(4) and it may be
> > > > > desired in networks that do not allow or have problems with IPv4
> > > > > multicast traffic".
> > > > > 
> > > > >  But I don't see how to implement this feature. If I am not wrong, I
> > > > > need to configure ipsec in transport mode. But how to encrypt only the
> > > > > carp protocol and keep all other services and protocols out of ipsec
> > > > > tunnels??
> > > > > 
> > > > >  Any tip or sample??
> > > > > 
> > > > 
> > > > 
> > > > check proto (from protocol) in ipsec.conf(5)
> > > > 
> > > > G
> > > > 
> > > 
> > > Ok, after doing several tests these days, I have configured ipsec.conf 
> > > instead of iked.conf. But the carp interfaces remain in MASTER mode in both 
> > > firewalls:
> > > 
> > > FwA:
> > > 
> > > carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > > lladdr 01:00:5e:00:01:01
> > > priority: 15
> > > carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.13
> > > state MASTER vhid 1 advskew 100
> > > state MASTER vhid 2 advskew 0
> > > groups: carp
> > > status: master
> > > inet 172.22.55.14 netmask 0x19f0 broadcast 172.22.247.15
> > > carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > > lladdr 01:00:5e:00:01:03
> > > priority: 15
> > > carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.3
> > > state MASTER vhid 3 advskew 100
> > > state MASTER vhid 4 advskew 0
> > > groups: carp
> > > status: master
> > > inet 172.30.77.1 netmask 0xfff8 broadcast 172.30.77.7
> > > 
> > > 
> > > 
> > > 
> > > FwB:
> > > 
> > > carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > > lladdr 01:00:5e:00:01:01
> > > priority: 15
> > > carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.12
> > > state MASTER vhid 1 advskew 0
> > > state MASTER vhid 2 advskew 100
> > > groups: carp
> > > status: master
> > > inet 172.22.55.14 netmask 0x19f0 broadcast 172.22.247.15
> > > carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > > lladdr 01:00:5e:00:01:03
> > > priority: 15
> > > carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.2
> > > state MASTER vhid 3 advskew 0
> > > state MASTER vhid 4 advskew 100
> > > groups: carp
> > > status: master
> > > inet 172.30.77.1 netmask 0xfff8 broadcast 172.30.77.7
> > > 
> > > 
> > > IPsec flows are established in both firewalls:
> > > 
> > > FwA:
> > > 
> > > FLOWS:
> > > flow esp in proto carp from 172.22.57.3 to 172.22.57.2 peer 172.22.57.3 
> > > srcid 172.22.57.2/32 dstid 172.22.57.3/32 typ

Re: Encrypting carp traffic with ipsec

2016-08-04 Thread C. L. Martinez
On Tue  2.Aug'16 at  7:54:08 +0000, C. L. Martinez wrote:
> On Mon  1.Aug'16 at  7:54:57 +0000, C. L. Martinez wrote:
> > On Fri 29.Jul'16 at 10:55:01 +0300, Kapetanakis Giannis wrote:
> > > On 28/07/16 22:47, C. L. Martinez wrote:
> > > > Hi all,
> > > > 
> > > >  I will try to encrypt all carp traffic between two OpenBSD 5.9 fws
> > > > (fully patched). According to ifconfig(8) man page:
> > > > 
> > > > carppeer peer_address
> > > > Send the carp advertisements to a specified point-to-point peer or
> > > > multicast group instead of sending the messages to the default carp
> > > > multicast group. The peer_address is the IP address of the other host
> > > > taking part in the carp cluster. With this option, carp(4) traffic can
> > > > be protected using ipsec(4) and it may be desired in networks that do
> > > > not allow or have problems with IPv4 multicast traffic.
> > > > 
> > > >  And the last sentence describes the type of problem that I want to
> > > > avoid: "carp(4) traffic can be protected using ipsec(4) and it may be
> > > > desired in networks that do not allow or have problems with IPv4
> > > > multicast traffic".
> > > > 
> > > >  But I don't see how to implement this feature. If I am not wrong, I
> > > > need to configure ipsec in transport mode. But how to encrypt only the
> > > > carp protocol and keep all other services and protocols out of ipsec
> > > > tunnels??
> > > > 
> > > >  Any tip or sample??
> > > > 
> > > 
> > > 
> > > check proto (from protocol) in ipsec.conf(5)
> > > 
> > > G
> > > 
> > 
> > Ok, after doing several tests these days, I have configured ipsec.conf 
> > instead of iked.conf. But the carp interfaces remain in MASTER mode in both 
> > firewalls:
> > 
> > FwA:
> > 
> > carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > lladdr 01:00:5e:00:01:01
> > priority: 15
> > carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.13
> > state MASTER vhid 1 advskew 100
> > state MASTER vhid 2 advskew 0
> > groups: carp
> > status: master
> > inet 172.22.55.14 netmask 0x19f0 broadcast 172.22.247.15
> > carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > lladdr 01:00:5e:00:01:03
> > priority: 15
> > carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.3
> > state MASTER vhid 3 advskew 100
> > state MASTER vhid 4 advskew 0
> > groups: carp
> > status: master
> > inet 172.30.77.1 netmask 0xfff8 broadcast 172.30.77.7
> > 
> > 
> > 
> > 
> > FwB:
> > 
> > carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > lladdr 01:00:5e:00:01:01
> > priority: 15
> > carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.12
> > state MASTER vhid 1 advskew 0
> > state MASTER vhid 2 advskew 100
> > groups: carp
> > status: master
> > inet 172.22.55.14 netmask 0x19f0 broadcast 172.22.247.15
> > carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > lladdr 01:00:5e:00:01:03
> > priority: 15
> > carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.2
> > state MASTER vhid 3 advskew 0
> > state MASTER vhid 4 advskew 100
> > groups: carp
> > status: master
> > inet 172.30.77.1 netmask 0xfff8 broadcast 172.30.77.7
> > 
> > 
> > IPsec flows are established in both firewalls:
> > 
> > FwA:
> > 
> > FLOWS:
> > flow esp in proto carp from 172.22.57.3 to 172.22.57.2 peer 172.22.57.3 
> > srcid 172.22.57.2/32 dstid 172.22.57.3/32 type use
> > flow esp out proto carp from 172.22.57.2 to 172.22.57.3 peer 172.22.57.3 
> > srcid 172.22.57.2/32 dstid 172.22.57.3/32 type require
> > flow esp in proto carp from 172.22.58.3 to 172.22.58.2 peer 172.22.58.3 
> > srcid 172.22.58.2/32 dstid 172.22.58.3/32 type use
> > flow esp out proto carp from 172.22.58.2 to 172.22.58.3 peer 172.22.58.3 
> > srcid 172.22.58.2/32 dstid 172.22.58.3/32 type require
> > flow esp in proto carp from 172.22.55.13 to 172.22.55.12 pee

Re: Encrypting carp traffic with ipsec

2016-08-02 Thread C. L. Martinez
On Mon  1.Aug'16 at  7:54:57 +0000, C. L. Martinez wrote:
> On Fri 29.Jul'16 at 10:55:01 +0300, Kapetanakis Giannis wrote:
> > On 28/07/16 22:47, C. L. Martinez wrote:
> > > Hi all,
> > > 
> > >  I will try to encrypt all carp traffic between two OpenBSD 5.9 fws
> > > (fully patched). According to ifconfig(8) man page:
> > > 
> > > carppeer peer_address
> > > Send the carp advertisements to a specified point-to-point peer or
> > > multicast group instead of sending the messages to the default carp
> > > multicast group. The peer_address is the IP address of the other host
> > > taking part in the carp cluster. With this option, carp(4) traffic can
> > > be protected using ipsec(4) and it may be desired in networks that do
> > > not allow or have problems with IPv4 multicast traffic.
> > > 
> > >  And the last sentence describes the type of problem that I want to
> > > avoid: "carp(4) traffic can be protected using ipsec(4) and it may be
> > > desired in networks that do not allow or have problems with IPv4
> > > multicast traffic".
> > > 
> > >  But I don't see how to implement this feature. If I am not wrong, I
> > > need to configure ipsec in transport mode. But how to encrypt only the
> > > carp protocol and keep all other services and protocols out of ipsec
> > > tunnels??
> > > 
> > >  Any tip or sample??
> > > 
> > 
> > 
> > check proto (from protocol) in ipsec.conf(5)
> > 
> > G
> > 
> 
> Ok, after doing several tests these days, I have configured ipsec.conf 
> instead of iked.conf. But the carp interfaces remain in MASTER mode in both 
> firewalls:
> 
> FwA:
> 
> carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> lladdr 01:00:5e:00:01:01
> priority: 15
> carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.13
> state MASTER vhid 1 advskew 100
> state MASTER vhid 2 advskew 0
> groups: carp
> status: master
> inet 172.22.55.14 netmask 0x19f0 broadcast 172.22.247.15
> carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> lladdr 01:00:5e:00:01:03
> priority: 15
> carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.3
> state MASTER vhid 3 advskew 100
> state MASTER vhid 4 advskew 0
> groups: carp
> status: master
> inet 172.30.77.1 netmask 0xfff8 broadcast 172.30.77.7
> 
> 
> 
> 
> FwB:
> 
> carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> lladdr 01:00:5e:00:01:01
> priority: 15
> carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.12
> state MASTER vhid 1 advskew 0
> state MASTER vhid 2 advskew 100
> groups: carp
> status: master
> inet 172.22.55.14 netmask 0x19f0 broadcast 172.22.247.15
> carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> lladdr 01:00:5e:00:01:03
> priority: 15
> carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.2
> state MASTER vhid 3 advskew 0
> state MASTER vhid 4 advskew 100
> groups: carp
> status: master
> inet 172.30.77.1 netmask 0xfff8 broadcast 172.30.77.7
> 
> 
> IPsec flows are established in both firewalls:
> 
> FwA:
> 
> FLOWS:
> flow esp in proto carp from 172.22.57.3 to 172.22.57.2 peer 172.22.57.3 srcid 
> 172.22.57.2/32 dstid 172.22.57.3/32 type use
> flow esp out proto carp from 172.22.57.2 to 172.22.57.3 peer 172.22.57.3 
> srcid 172.22.57.2/32 dstid 172.22.57.3/32 type require
> flow esp in proto carp from 172.22.58.3 to 172.22.58.2 peer 172.22.58.3 srcid 
> 172.22.58.2/32 dstid 172.22.58.3/32 type use
> flow esp out proto carp from 172.22.58.2 to 172.22.58.3 peer 172.22.58.3 
> srcid 172.22.58.2/32 dstid 172.22.58.3/32 type require
> flow esp in proto carp from 172.22.55.13 to 172.22.55.12 peer 172.22.55.13 
> srcid 172.22.55.12/32 dstid 172.22.55.13/32 type use
> flow esp out proto carp from 172.22.55.12 to 172.22.55.13 peer 172.22.55.13 
> srcid 172.22.55.12/32 dstid 172.22.55.13/32 type require
> flow esp in proto carp from 172.30.77.3 to 172.30.77.2 peer 172.30.77.3 srcid 
> 172.30.77.2/32 dstid 172.30.77.3/32 type use
> flow esp out proto carp from 172.30.77.2 to 172.30.77.3 peer 172.30.77.3 
> srcid 172.30.77.2/32 dstid 172.30.77.3/32 type require
> flow esp in proto carp from 172.22.54.3 to 172.22.54.2 pee

Re: Encrypting carp traffic with ipsec

2016-08-01 Thread C. L. Martinez
On Fri 29.Jul'16 at 10:55:01 +0300, Kapetanakis Giannis wrote:
> On 28/07/16 22:47, C. L. Martinez wrote:
> > Hi all,
> > 
> >  I will try to encrypt all carp traffic between two OpenBSD 5.9 fws
> > (fully patched). According to ifconfig(8) man page:
> > 
> > carppeer peer_address
> > Send the carp advertisements to a specified point-to-point peer or
> > multicast group instead of sending the messages to the default carp
> > multicast group. The peer_address is the IP address of the other host
> > taking part in the carp cluster. With this option, carp(4) traffic can
> > be protected using ipsec(4) and it may be desired in networks that do
> > not allow or have problems with IPv4 multicast traffic.
> > 
> >  And the last sentence describes the type of problem that I want to
> > avoid: "carp(4) traffic can be protected using ipsec(4) and it may be
> > desired in networks that do not allow or have problems with IPv4
> > multicast traffic".
> > 
> >  But I don't see how to implement this feature. If I am not wrong, I
> > need to configure ipsec in transport mode. But how to encrypt only the
> > carp protocol and keep all other services and protocols out of ipsec
> > tunnels??
> > 
> >  Any tip or sample??
> > 
> 
> 
> check proto (from protocol) in ipsec.conf(5)
> 
> G
> 

Ok, after doing several tests these days, I have configured ipsec.conf instead 
of iked.conf. But the carp interfaces remain in MASTER mode in both firewalls:

FwA:

carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 01:00:5e:00:01:01
priority: 15
carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.13
state MASTER vhid 1 advskew 100
state MASTER vhid 2 advskew 0
groups: carp
status: master
inet 172.22.55.14 netmask 0x19f0 broadcast 172.22.247.15
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 01:00:5e:00:01:03
priority: 15
carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.3
state MASTER vhid 3 advskew 100
state MASTER vhid 4 advskew 0
groups: carp
status: master
inet 172.30.77.1 netmask 0xfff8 broadcast 172.30.77.7




FwB:

carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 01:00:5e:00:01:01
priority: 15
carp: carpdev vio0 advbase 1 balancing ip carppeer 172.22.55.12
state MASTER vhid 1 advskew 0
state MASTER vhid 2 advskew 100
groups: carp
status: master
inet 172.22.55.14 netmask 0x19f0 broadcast 172.22.247.15
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 01:00:5e:00:01:03
priority: 15
carp: carpdev vio1 advbase 1 balancing ip carppeer 172.30.77.2
state MASTER vhid 3 advskew 0
state MASTER vhid 4 advskew 100
groups: carp
status: master
inet 172.30.77.1 netmask 0xfff8 broadcast 172.30.77.7


IPsec flows are established in both firewalls:

FwA:

FLOWS:
flow esp in proto carp from 172.22.57.3 to 172.22.57.2 peer 172.22.57.3 srcid 
172.22.57.2/32 dstid 172.22.57.3/32 type use
flow esp out proto carp from 172.22.57.2 to 172.22.57.3 peer 172.22.57.3 srcid 
172.22.57.2/32 dstid 172.22.57.3/32 type require
flow esp in proto carp from 172.22.58.3 to 172.22.58.2 peer 172.22.58.3 srcid 
172.22.58.2/32 dstid 172.22.58.3/32 type use
flow esp out proto carp from 172.22.58.2 to 172.22.58.3 peer 172.22.58.3 srcid 
172.22.58.2/32 dstid 172.22.58.3/32 type require
flow esp in proto carp from 172.22.55.13 to 172.22.55.12 peer 172.22.55.13 
srcid 172.22.55.12/32 dstid 172.22.55.13/32 type use
flow esp out proto carp from 172.22.55.12 to 172.22.55.13 peer 172.22.55.13 
srcid 172.22.55.12/32 dstid 172.22.55.13/32 type require
flow esp in proto carp from 172.30.77.3 to 172.30.77.2 peer 172.30.77.3 srcid 
172.30.77.2/32 dstid 172.30.77.3/32 type use
flow esp out proto carp from 172.30.77.2 to 172.30.77.3 peer 172.30.77.3 srcid 
172.30.77.2/32 dstid 172.30.77.3/32 type require
flow esp in proto carp from 172.22.54.3 to 172.22.54.2 peer 172.22.54.3 srcid 
172.22.54.2/32 dstid 172.22.54.3/32 type use
flow esp out proto carp from 172.22.54.2 to 172.22.54.3 peer 172.22.54.3 srcid 
172.22.54.2/32 dstid 172.22.54.3/32 type require
flow esp in proto carp from 172.22.56.3 to 172.22.56.2 peer 172.22.56.3 srcid 
172.22.56.2/32 dstid 172.22.56.3/32 type use
flow esp out proto carp from 172.22.56.2 to 172.22.56.3 peer 172.22.56.3 srcid 
172.22.56.2/32 dstid 172.22.56.3/32 type require

SAD:
esp transport from 172.22.54.3 to 172.22.54.2 spi 0x1ee8aacd auth hmac-sha2-256 
enc aes
esp transport from 172.22.55.13 to 172.22.55.12 sp

Re: Encrypting carp traffic with ipsec

2016-07-29 Thread C. L. Martinez
On Fri 29.Jul'16 at 10:55:01 +0300, Kapetanakis Giannis wrote:
> On 28/07/16 22:47, C. L. Martinez wrote:
> > Hi all,
> > 
> >  I will try to encrypt all carp traffic between two OpenBSD 5.9 fws
> > (fully patched). According to ifconfig(8) man page:
> > 
> > carppeer peer_address
> > Send the carp advertisements to a specified point-to-point peer or
> > multicast group instead of sending the messages to the default carp
> > multicast group. The peer_address is the IP address of the other host
> > taking part in the carp cluster. With this option, carp(4) traffic can
> > be protected using ipsec(4) and it may be desired in networks that do
> > not allow or have problems with IPv4 multicast traffic.
> > 
> >  And the last sentence describes the type of problem that I want to
> > avoid: "carp(4) traffic can be protected using ipsec(4) and it may be
> > desired in networks that do not allow or have problems with IPv4
> > multicast traffic".
> > 
> >  But I don't see how to implement this feature. If I am not wrong, I
> > need to configure ipsec in transport mode. But how to encrypt only the
> > carp protocol and keep all other services and protocols out of ipsec
> > tunnels??
> > 
> >  Any tip or sample??
> > 
> 
> 
> check proto (from protocol) in ipsec.conf(5)
> 
> G
> 

Thanks Giannis. I have configured iked.conf in both firewalls.

FirewallA:

ikev2 esp proto carp from 172.22.55.12 to 172.22.55.13 psk 
"74ed973deb695a3a5056e2e6ba3fdcb3" tap enc0


FirewallB:

ikev2 esp proto carp from 172.22.55.13 to 172.22.55.12 psk 
"74ed973deb695a3a5056e2e6ba3fdcb3" tap enc0

 Starting iked from the shell, all tunnels are established. But when I add 
iked_flags= to rc.conf.local and reboot both firewalls, the startup process stops 
in the iked process and never finishes. I need to do a hard reset ...

 Any idea why??



Encrypting carp traffic with ipsec

2016-07-28 Thread C. L. Martinez
Hi all,

 I will try to encrypt all carp traffic between two OpenBSD 5.9 fws
(fully patched). According to ifconfig(8) man page:

carppeer peer_address
Send the carp advertisements to a specified point-to-point peer or
multicast group instead of sending the messages to the default carp
multicast group. The peer_address is the IP address of the other host
taking part in the carp cluster. With this option, carp(4) traffic can
be protected using ipsec(4) and it may be desired in networks that do
not allow or have problems with IPv4 multicast traffic.

 And the last sentence describes the type of problem that I want to
avoid: "carp(4) traffic can be protected using ipsec(4) and it may be
desired in networks that do not allow or have problems with IPv4
multicast traffic".

 But I don't see how to implement this feature. If I am not wrong, I
need to configure ipsec in transport mode. But how to encrypt carp
protocol only and keep all others services and protocols out of ipsec
tunnels??

 Any tip or sample??



Using "> /tmp/debug.log 2>&" in a startup script

2016-07-08 Thread C. L. Martinez
Hi all,

 I need to debug a daemon when it is called from the init process. To accomplish 
this, I need to add "> /tmp/debug.log 2>&1" to daemon_flags (or to another 
option), but it doesn't work. I have tried the following combinations:

 a/ daemon_flags="--first-option --second-option > /tmp/debug.log 2>&1" and 
using the following rc_start options: ${rcexec} "${daemon} ${daemon_flags} 
${_bg}" (rc_bg=YES in the startup script).

 b/ daemon_flags="--first-option --second-option", adding another section with 
more_flags="> /tmp/debug.log 2>&1" and using the following rc_start options: 
${rcexec} "${daemon} ${daemon_flags} ${more_flags} ${_bg}" (rc_bg=YES in the 
startup script).

 c/ And the last try is to use rc_start options: ${rcexec} "${daemon} 
${daemon_flags}" > /tmp/debug.log 2>&1 & 

 
 None of these solutions works. 

 What am I doing wrong?

Thanks.

-- 
Greetings,
C. L. Martinez



Re: Core dumps with sphinx package

2016-07-08 Thread C. L. Martinez
On Fri  8.Jul'16 at 12:40:57 +0200, Adam Wolk wrote:
> On Fri, Jul 08, 2016 at 09:16:15AM +, C. L. Martinez wrote:
> > Hi all,
> > 
> >  Once a day, the searchd daemon (installed from OpenBSD's packages repository) 
> > generates a core dump. How can I report this problem? To openbsd-ports 
> > mailing list??
> > 
> > Thanks.
> > 
> > -- 
> > Greetings,
> > C. L. Martinez
> > 
> 
> First of all obtain a backtrace from your core dump. You can do this with gdb 
> by
> passing in the program binary and the core dump as arguments:
>  $ gdb prog prog.core
> 
> use the 'bt' command to obtain a backtrace when it's done loading.
> 
> You might need to rebuild the package with debug symbols in order to obtain a
> useful trace.
> 
> Gather as much info as you can:
>  - check dmesg for errors
>  - did it work before? when did it start to segfault?
>  - anything in the logs?
>  - what OpenBSD version are you running? (-current?)
> 
> Take a look at the backtrace and the info you obtained. Check the upstream
> source code, maybe you can fix the error yourself now? If not. Take the
> information you gathered and post to ports@ CC'ing the port maintainer. You
> should also report the problem upstream to package developers if the problem 
> is
> not OpenBSD specific (and it's frequently worth reporting even if it is
> specific).
> 
> Regards,
> Adam
> 
Many thanks Adam ... I will try to do all the steps and report to ports@ 
afterwards.


-- 
Greetings,
C. L. Martinez



Core dumps with sphinx package

2016-07-08 Thread C. L. Martinez
Hi all,

 Once a day, the searchd daemon (installed from OpenBSD's packages repository) 
generates a core dump. How can I report this problem? To the openbsd-ports mailing 
list??

Thanks.

-- 
Greetings,
C. L. Martinez



Strange behavior with php config

2016-07-06 Thread C. L. Martinez
Hi all

 I am using php-5.6 with the NGinx web server on an OpenBSD 5.9 host. I have 
configured the error_log option to log specific php errors in a separate log file: 
"error_log = /tmp/php_errors.log".

 Nginx is running in a chroot (as it does by default) under /var/www. I hoped 
that the errors would be fed into the above file inside the /var/www chroot, and 
they are. But they also end up under the system's /tmp directory. In short, I have 
two php_errors.log files where I can see all errors duplicated ...

 Why?? How can I fix it?

Thanks.

-- 
Greetings,
C. L. Martinez



Re: Installing NextCloud under OpenBSD 5.9

2016-07-03 Thread C. L. Martinez
On Sat  2.Jul'16 at 22:37:49 +0200, Adam Wolk wrote:
> On Sat, 2 Jul 2016 19:26:57 +
> "C. L. Martinez" <carlopm...@gmail.com> wrote:
> 
> > Hi all,
> > 
> >  I am trying to install NextCloud under an OpenBSD 5.9 host using
> > OpenBSD's httpd. But I am not sure that Nextcloud can work with
> > OpenBSD's httpd.
> > 
> >  First of all, rewrite rules like these:
> > 
> > 
> >   RewriteEngine on
> >   RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
> >   RewriteRule ^\.well-known/host-meta /public.php?service=host-meta
> > [QSA,L] RewriteRule
> > ^\.well-known/host-meta\.json /public.php?service=host-meta-json
> > [QSA,L] RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
> > RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
> > RewriteRule ^remote/(.*) remote.php [QSA,L] RewriteRule
> > ^(build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
> > RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*
> > RewriteRule ^(\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
> > 
> > 
> >  Can be backported to OpenBSD's httpd? I am thinking to install
> > apache on the same host, configure NextCloud on it, and redirect
> > requests from OpenBSD's httpd to apache (listening on localhost only).
> > 
> >  What do you think?
> > 
> > Thanks.
> > 
> > --
> > Greetings,
> > C. L. Martinez
> > 
> 
> 
> https://github.com/reyk/httpd/wiki/Running-ownCloud-with-httpd-on-OpenBSD
> 
> Owncloud works with httpd. Nextcloud should also work.
> 

Thanks Adam. I will read carefully and I will try to configure using this guide: 
http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/www/owncloud/pkg/README?rev=1.44=text/x-cvsweb-markup

Many thanks to all.

-- 
Greetings,
C. L. Martinez



Installing NextCloud under OpenBSD 5.9

2016-07-02 Thread C. L. Martinez
Hi all,

 I am trying to install NextCloud under an OpenBSD 5.9 host using OpenBSD's 
httpd. But I am not sure that Nextcloud can work with OpenBSD's httpd.

 First of all, rewrite rules like these:


  RewriteEngine on
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
  RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json 
[QSA,L]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*
  RewriteRule ^(\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]


 Can these be backported to OpenBSD's httpd? I am thinking of installing apache on 
the same host, configuring NextCloud on it, and redirecting requests from OpenBSD's 
httpd to apache (listening on localhost only).

 What do you think?

Thanks.

--
Greetings,
C. L. Martinez



Re: I am not sure if it is a problem with OpenBSD's httpd

2016-07-01 Thread C. L. Martinez
On Fri  1.Jul'16 at 16:21:27 +, Stuart Henderson wrote:
> On 2016-07-01, C. L. Martinez <carlopm...@gmail.com> wrote:
> >  Recently, I have installed an OpenBSD virtual machine in my laptop with 
> > TT-RSS, and all works perfectly. Until I try to subscribe to a new feed. 
> > Every time, tt-rss returns the error "6 Couldn't resolve host". It is 
> > strange, because all other feeds migrated from another Linux host work ok.
> 
> It might be this, which used to be in faq 10 but was removed a while ago:
> 
> << Name Resolution: httpd(8) inside the chroot(2) will NOT be able to
> use the system /etc/hosts or /etc/resolv.conf. Therefore, if you have
> applications which require name resolution, you will need to populate
> /var/www/etc/hosts and/or /var/www/etc/resolv.conf in the chroot(2)
> environment. Note that some applications expect the resolution of
> "localhost" to work. >>
> 

It was!! .. Perfect, now it works. Many thanks Stuart

-- 
Greetings,
C. L. Martinez
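An added check for the fix Stuart describes above (example code, not part of the thread or of OpenBSD): it inspects a chroot root such as /var/www for its own resolv.conf and hosts, flags symlinks (a link target is resolved inside the chroot, so a link to /etc/resolv.conf dangles there), and populates the directory with copies. The demo chroot and host files are constructed in a temp dir.

```shell
# Added example, not from the thread: verify and populate the resolver files
# a chroot (httpd's /var/www, or any other) needs for name resolution.
set -e

# Print one line per problem; return 0 (printing nothing) when the chroot is
# ready for name resolution. $1 is the chroot root, e.g. /var/www.
chroot_resolver_check() {
    root=$1 rc=0
    for f in etc/resolv.conf etc/hosts; do
        p=$root/$f
        if [ -L "$p" ]; then
            # a symlink is followed relative to the chroot, not the host root
            echo "$p is a symlink; inside the chroot it resolves under $root"
            rc=1
        elif [ ! -f "$p" ]; then
            echo "$p is missing"
            rc=1
        fi
    done
    # applications inside the chroot commonly expect "localhost" to resolve
    if [ -f "$root/etc/hosts" ] && ! grep -q localhost "$root/etc/hosts"; then
        echo "$root/etc/hosts has no localhost entry"
        rc=1
    fi
    return $rc
}

# Copy (never link) the host's resolver files into the chroot, world-readable
# so the unprivileged user inside it can open them. $1 is the chroot root,
# $2 the source directory (normally /etc; a constructed one in the demo).
chroot_resolver_populate() {
    mkdir -p "$1/etc"
    install -m 644 "$2/resolv.conf" "$2/hosts" "$1/etc/"
}

# Number of problems found, for scripting.
chroot_resolver_problems() {
    chroot_resolver_check "$1" | wc -l | tr -d ' '
}

chroot_resolver_demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/host-etc" "$tmp/www/etc"
    # constructed host files standing in for /etc/resolv.conf and /etc/hosts
    printf 'nameserver 172.22.55.1\n' > "$tmp/host-etc/resolv.conf"
    printf '127.0.0.1 localhost\n::1 localhost\n' > "$tmp/host-etc/hosts"
    echo "empty chroot:";     chroot_resolver_check "$tmp/www" || true
    ln -s /etc/resolv.conf "$tmp/www/etc/resolv.conf"
    echo "symlinked chroot:"; chroot_resolver_check "$tmp/www" || true
    rm "$tmp/www/etc/resolv.conf"
    chroot_resolver_populate "$tmp/www" "$tmp/host-etc"
    if chroot_resolver_check "$tmp/www"; then echo "chroot ready"; fi
    rm -rf "$tmp"
}

chroot_resolver_demo
```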



I am not sure if it is a problem with OpenBSD's httpd

2016-07-01 Thread C. L. Martinez
Hi all

 Recently, I have installed an OpenBSD virtual machine in my laptop with 
TT-RSS, and all works perfectly. Until I try to subscribe to a new feed. Every 
time, tt-rss returns the error "6 Couldn't resolve host". It is strange, 
because all other feeds migrated from another Linux host work ok.

 For example, if I try to subscribe to the 
http://googleprojectzero.blogspot.com/feeds/posts/default feed, the error is 
returned. But when I try to resolve the DNS name googleprojectzero.blogspot.com in 
the shell, it works ok:

Last login: Fri Jul  1 07:06:54 2016 from 172.22.55.1
OpenBSD 5.9 (GENERIC) #4: Thu May 19 08:23:10 CEST 2016

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

root@edinburgh:~# nslookup googleprojectzero.blogspot.com   


Server: 172.22.55.1
Address:172.22.55.1#53

Non-authoritative answer:
googleprojectzero.blogspot.com  canonical name = 
blogspot.l.googleusercontent.com.
Name:   blogspot.l.googleusercontent.com
Address: 216.58.208.225

 Having arrived at this point, could it be a problem with OpenBSD's httpd daemon, 
which runs in a chroot??

Thanks.


-- 
Greetings,
C. L. Martinez



Re: Clean OpenBSD's httpd logs

2016-07-01 Thread C. L. Martinez
On Fri  1.Jul'16 at  7:39:13 +, Stuart Henderson wrote:
> On 2016-06-30, C. L. Martinez <carlopm...@gmail.com> wrote:
> > Hi all,
> >  
> >  Sorry if this question sounds stupid, but how can I avoid this type of 
> > entry in OpenBSD's httpd access.log:
> >
> > 172.22.55.1:44710 -> 172.22.55.10, /favicon.ico (404 Not Found), [/] 
> > [/favicon.ico]
> 
> Untested, but in theory: set a location that matches the favicon.ico file and
> disable logging (e.g. "no log") in that location block.
> 

Perfect!!! .. Works like a charm. Many thanks Stuart.

-- 
Greetings,
C. L. Martinez



Re: Clean OpenBSD's httpd logs

2016-06-30 Thread C. L. Martinez
On Thu 30.Jun'16 at 15:21:05 +0200, Thuban wrote:
> * C. L. Martinez <carlopm...@gmail.com> le [30-06-2016 12:50:36 +]:
> > Hi all,
> >
> >  Sorry if this question sounds stupid, but how can I avoid this type of
> entry in OpenBSD's httpd access.log:
> >
> > 172.22.55.1:44710 -> 172.22.55.10, /favicon.ico (404 Not Found), [/]
> [/favicon.ico]
> >
> 
> Hi,
> in httpd.conf :
> 
> server "yourdomain.com" {
> ...
> no log
> }
> 
> 
> You might want to keep access log. Separate errors in another file :
> 
> 
> server "yourdomain.com" {
> ...
> log access "yourdomain.access.log"
> log error "yourdomain.errors.log"
> }
> 
> 
> see man httpd.conf for more :)
> 
> 
> --
> /Thuban/
> 

Thanks Thuban, but I want to log all requests to this web server :)

-- 
Greetings,
C. L. Martinez



Clean OpenBSD's httpd logs

2016-06-30 Thread C. L. Martinez
Hi all,
 
 Sorry if this question sounds stupid, but how can I avoid this type of entry 
in OpenBSD's httpd access.log:

172.22.55.1:44710 -> 172.22.55.10, /favicon.ico (404 Not Found), [/] 
[/favicon.ico]

 ??

 Thanks.
-- 
Greetings,
C. L. Martinez



Re: OT: Tools to manage PKI under OpenBSD

2016-06-25 Thread C. L. Martinez
On Fri 24.Jun'16 at 18:59:09 -0400, Predrag Punosevac wrote:
> > On Fri 24.Jun'16 at 12:46:48 +, Dahlberg, David wrote:
> > > Am Freitag, den 24.06.2016, 11:45 +0000 schrieb C. L. Martinez:
> > >
> > > > I would like to deploy/setup a PKI under OpenBSD for my home lab.
> > > > Searching about this topic, I think the best option is to use
> > > > customized openssl/libressl scripts, but it could be very hard to keep
> > > > up with certificate requests, revocations, etc.
> > > >
> > > >  Any suggestion about what can be a better option?
> > >
> > > Have a look at security/xca, else define "better option".
> > >
> > > Cheers
> >
> > For "better option", I am speaking about what could be the best tool or
> > procedure to \
> > manage a PKI under OpenBSD.
> >
> 
> easy-rsa
> 
> You just chose to ignore the answer.
> 
> Predrag
> 

 Where am I saying that I'm ignoring the answer? Please, before saying such 
things, wait.


-- 
Greetings,
C. L. Martinez



Re: OT: Tools to manage PKI under OpenBSD

2016-06-25 Thread C. L. Martinez
On Sat 25.Jun'16 at 13:56:38 +, Stuart Henderson wrote:
> On 2016-06-24, C. L. Martinez <carlopm...@gmail.com> wrote:
> > On Fri 24.Jun'16 at 12:46:48 +, Dahlberg, David wrote:
> >> Am Freitag, den 24.06.2016, 11:45 + schrieb C. L. Martinez:
> >> 
> >> > I would like to deploy/setup a PKI under OpenBSD for my home lab.
> >> > Searching about this topic, I think the best option is to use
> >> > customized openssl/libressl scripts, but it could be very hard to keep
> >> > up with certificate requests, revocations, etc.
> >> > 
> >> >  Any suggestion about what can be a better option?
> >> 
> >> Have a look at security/xca, else define "better option".
> >> 
> >> Cheers
> >
> > For "better option", I am speaking about what could be the best tool or 
> > procedure to manage a PKI under OpenBSD.
> 
> It really depends on what your reasons are for doing this.
> 
> If you're trying to learn about the nitty gritty of generating certs,
> CRLs, revocations, etc, then using the command line tools directly
> aren't a bad idea.
> 
> If you're trying to script things but at a higher level than the
> libressl/openssl command line tool, you might want to look at something
> like https://github.com/cloudflare/cfssl.
> 
> If you're just trying to manually generate certs for lab machines
> and are happier with something visual xca is pretty good.
> 
> Or you can look at the tools which are really made for simplifying vpn
> setup like "ikectl ca" (though the way it's designed, it really only
> makes sense if you generate the private key on a central machine, which
> is a bit non-standard though makes life easier in some cases). Or yes,
> as was already pointed out easy-rsa (though personally I find that more
> complex than easy).
> 
> If you're more interested in getting certs than investigating how to
> run pki, something like letsencrypt might work for you.
> 

Many thanks Stuart. I have configured a PKI using openssl tools, and it is 
working ok ... Now, I would like to install an OCSP instance to check when a 
certificate is revoked ... But I have some doubts:

 - When a certificate is revoked, can the .csr and .crt files (the request and 
the cert signed by the CA) be removed without problems?
 - I am trying to set up a startup script for OCSP using openssl; can this be 
accomplished in OpenBSD's way?

Thanks.

-- 
Greetings,
C. L. Martinez



Re: where is the image of openbsd arm ?

2016-06-24 Thread Jacob L. Leifman
Is it possible to add more wired NICs to the APU? Alternatively, is 
there a comparably robust and OpenBSD supported low-wattage platform 
with at least 4 (and preferably 5-6) NICs?

Thank you.

On 24 Jun 2016 at 13:37, Chris Cappuccio wrote:

> li...@wrant.com [li...@wrant.com] wrote:
> > 
> > 1) How do the APU systems go as pricing to comparable systems from
> > other similar (industrial class, desktop enclosure) manufacturers?
> > 
> 
> The pricing direct from PC Engines is roughly 2x to 3x the cost
> of certain cheap, popular ARM boards. It's on par or lower than
> the pricing of the higher end ARM boards (some of which are supported
> in the armv7 port)
> 
> > 2) How is the OpenBSD experience on the APU systems, do they have serial
> > RS232 console (serial BIOS), do they expose all the hardware to OpenBSD?
> > 
> 
> Everything is exposed. The serial console requires boot.conf setup,
> and Bob Beck recently fixed some aggressive behaviour in the boot loader
> so that it no longer prints garbage characters on the screen during
> the 'set tty com0' transition. Thank you Bob for spending the time to
> track this annoying behaviour down !
> 
> Chris



Re: OT: Tools to manage PKI under OpenBSD

2016-06-24 Thread C. L. Martinez
On Fri 24.Jun'16 at 12:46:48 +, Dahlberg, David wrote:
> Am Freitag, den 24.06.2016, 11:45 + schrieb C. L. Martinez:
> 
> > I would like to deploy/setup a PKI under OpenBSD for my home lab.
> > Searching about this topic, I think the best option is to use
> > customized openssl/libressl scripts, but it could be very hard to keep
> > up with certificate requests, revocations, etc.
> > 
> >  Any suggestion about what can be a better option?
> 
> Have a look at security/xca, else define "better option".
> 
> Cheers

For "better option", I am speaking about what could be the best tool or 
procedure to manage a PKI under OpenBSD.


-- 
Greetings,
C. L. Martinez



OT: Tools to manage PKI under OpenBSD

2016-06-24 Thread C. L. Martinez
Hi all,

 I would like to deploy/setup a PKI under OpenBSD for my home lab. Searching 
about this topic, I think the best option is to use customized openssl/libressl 
scripts, but it could be very hard to keep up with certificate requests, 
revocations, etc.

 Any suggestion about what can be a better option?

Thanks

-- 
Greetings,
C. L. Martinez



support new

2016-02-14 Thread Onofre L. Alvarado, Jr.
0
C Philippines
P National Capital Region
T Makati City
Z 1203
O OpenBSD Philippines
I Onofre L. Alvarado, Jr.
A 8400 Mayapis st., Bgy. San Antonio
M i...@openbsd.org.ph
U http://www.openbsd.org.ph/
B 63-2-7281903
X 63-2-7281903
N Over a decade and a half's experience in the use and deployment of OpenBSD.
Network planning and design, firewalls, routers, email, web and database 
servers,
VPNs. OpenBSD consultancy, installation, maintenance and support.



Error loading pf rules: Device busy

2016-01-02 Thread C. L. Martinez
Hi all,


I have a strange problem. Every time that I try to reload my pf rules I see
the following error message:


pfctl: DIOCADDRULE: Device busy.


I am using OpenBSD 5.8 amd64 fully patched.


Any idea??



Clarification on vhid/carpnode settings for load-balanced fw configuration

2015-12-23 Thread James L Baker
Hi, all.  I'm setting up a pair of load-balanced firewalls using carp.
I've got nearly everything going, but encountered this in the man page:

"If IP balancing is being used on a firewall, it is recommended to
configure the carpnodes in a symmetrical manner. This is achieved by simply
using the same carpnodes list on all sides of the firewall. This ensures
that packets of one connection will pass in and out on the same host and
are not routed asymmetrically."

I'm looking for clarification on the statement "using the same carpnodes
list on all sides of the firewall."  Does this mean that the same list of
carpnodes should appear on both external and internal interfaces?

i.e. (configurations abbreviated for brevity):

firewall 1:
  ifconfig carp0 carpnodes 10:0,20:100,30:0,40:100  #external carp if
  ifconfig carp1 carpnodes 10:0,20:100  #internal carp if #1
  ifconfig carp2 carpnodes 30:0,40:100  #internal carp if #2

firewall 2:
  ifconfig carp0 carpnodes 10:100,20:0,30:100,40:0  #external carp if
  ifconfig carp1 carpnodes 10:100,20:0  #internal carp if #1
  ifconfig carp2 carpnodes 30:100,40:0  #internal carp if #2

This seems odd to me, and I can't find the practice referenced anyplace
else.

According to Hansteen's "Book of PF," I should configure the carp
interfaces as follows:

firewall 1:
  ifconfig carp0 carpnodes 10:0,20:100  #external carp if
  ifconfig carp1 carpnodes 30:0,40:100  #internal carp if #1
  ifconfig carp2 carpnodes 50:0,60:100  #internal carp if #2

firewall 2:
  ifconfig carp0 carpnodes 10:100,20:0  #external carp if
  ifconfig carp1 carpnodes 30:100,40:0  #internal carp if #1
  ifconfig carp2 carpnodes 50:100,60:0  #internal carp if #2

Which carpnodes configuration is correct?  Won't the former cause vhid
conflicts?

Thanks for any consideration you folks throw at me.



Re: text-mode gui

2015-12-20 Thread Jacob L. Leifman
On 20 Dec 2015 at 17:25, Luke Small wrote:

8<-- lots of drivel snipped --->8
>... but a
>normal user shouldn't have to wade through man pages to discover how to fix
>...

This is the crux of the issue -- linux upbringing! If you bothered to 
read the FAQ or scan through some message threads on the mailing lists 
you would know that:

 a) ALL users are expected to read the man pages, because
 b) OpenBSD deservedly prides itself on the accuracy, completeness, 
and readability of the documentation -- the man pages and the FAQ.

If you value gooey complexity because you cannot be bothered to learn 
about the tool you plan to use, please go away and pick one of the many 
shiny toys that promise you what you want. I, for one, very much 
appreciate the OpenBSD way of no-nonsense, minimalist interfaces 
balanced with very comprehensive documentation.

> 
> 
> -Luke
> 
> On Sun, Dec 20, 2015 at 3:33 PM,  wrote:
> 
> > On Sun, 20 Dec 2015 14:03:18 -0600 Luke Small 
> > wrote:
> >
> > > I don't know the best way, but I like how there are "check-boxes", from
> > > what I recall, in lynx webpages.
> >
> > And?  Bookmarks or... direct private cumulus clouds of edible sugar,
> > preferably in cyanide algae nuances with self attaching axons.
> >
> > > Maybe full-disk encryption and maybe home
> > > folder encryption if it is available are the only remaining installer
> >
> > It's called a directory, which is a file, and not a drawer, and not a
> > folder, neither a closet, nor a wardrobe nor even a chest.
> >
> > > options that you don't have to have prior specialized knowledge to
> > perform,
> > > that you can't do after you boot into the system.
> >
> > I'm sorry to break up the bubble for you but prior knowledge is a
> > prerequisite and this is not exclusive to OpenBSD.  Anything you can do
> > in the installer can also be done after installation, except probably
> > finding a list of nice check boxes in a JavaScript web page.  For that
> > you need to use www.
> >
> > > If there are other
> > > things, then it may become a little less tedious for less experienced
> > folks
> > > to look at all the options at once, rather than having to start over.
> >
> > Many inexperienced folks tried OpenBSD first and did not have to become
> > experienced in other complicated installers.  Can you elaborate on
> > this?  You want a long check list, is that it?
> >
> > > If
> > > there are any irreconcilable differences in options, JavaScript can more
> > > easily display that the other changes are incompatible by changing the
> > > other options back.
> >
> > The editor said: scratch this part, messy wording.
> >
> > > But maybe the OpenBSD way is about no surprises, but it
> > > doesn't seem right to only be able to boot into the system in the way you
> > > want,
> >
> > It is a cargo "principle of least astonishment" to be found in another
> > set of online docs elsewhere, unrelated perhaps, no?
> >
> > > if you have the mindset of a Computer Scientist like us, and read the
> > > right configuration webpages.
> >
> > Correction, man pages.  They are in English, comprehensive to lower
> > intermediate level readers.
> >
> > > Things like not having softdep mounted file
> > > systems by default really tripped me up for a couple versions.
> >
> > There is a clear section on this in the Frequently Asked Questions.  It
> > is a very nice idea to read these prior or during installation on the
> > other computer, or why not print out sections you best liked or thought
> > useful for the upcoming installation process.
> >
> > > I have
> > > virtualbox HDs and I had to keep backups in case Windows did something
> > > funny, because I sometimes couldn't repair the file systems.
> >
> > Can you point where the docs say "install in a virtualbox" or any other
> > virtual software brand for what it matters?
> >
> > > It seems like
> > > something that should be an option in the installer, or a default. It
> > would
> > > be nice to do that with noatime and maybe an optional mfs or tmpfs
> > mounted
> > > /tmp folder like I have now.
> >
> > So you're basically proposing to rewrite the installer in JavaScript to
> > add the noatime and softdep mount options, add full disk and home
> > directory encryption, use the SSL tool kit and also make it like a text
> > menu installer with a lot of check boxes and... web based interface,
> > and be able to install in a virtual machine with memory based file
> > systems?
> >
> > Why don't you just pick the install media of the operating system that
> > offers you these nice goodies, and save yourself the rewrite.  Oh, and
> > then come back teach how to do it.
> >
> > If this seems too much to ask, just simply use the installer in OpenBSD
> > as it is, and after a couple of iterations, and some (minutes/years) of
> > enlightenment, you will start to appreciate the time and effort it has
> > saved you and the powerful options provided without 

Remove "flags S/SA keep state" for tcp packets

2015-12-15 Thread C. L. Martinez
Hi all,

 I am trying to remove "flags S/SA keep state" for tcp packets inside
pf.conf and use "keep state" only, as it can do with udp and icmp.

 According to pf.conf man page, this is possible inserting "no state"
in tcp rule, but I can't use keep state.

 Is it possible to remove "flags S/SA keep state" and use only "keep
state" for tcp packets?

 Thanks.

 P.D: I am using OpenBSD 5.8



Re: Remove "flags S/SA keep state" for tcp packets

2015-12-15 Thread C. L. Martinez
On Tue, Dec 15, 2015 at 9:49 AM, Peter N. M. Hansteen <pe...@bsdly.net> wrote:
> On Tue, Dec 15, 2015 at 09:24:03AM +0000, C. L. Martinez wrote:
>>
>>  I am trying to remove "flags S/SA keep state" for tcp packets inside
>> pf.conf and use "keep state" only, as it can do with udp and icmp.
>
> Why? What is it you're trying to achieve?
>
> You can override the default flags by specifying a different set or even
> 'flags any' but the question remains, why?
>
> --


Thanks Peter. Sorry for the delay response.

I am trying to use divert-packet option inside pf rules to use
Suricata/Snort as an IPS.

At this moment, I can drop comms when an alert is triggered for udp
and icmp packets, but it doesn't works when it is a tcp packet. I was
thinking about if "using keep state for udp/icmp rules works, why not
for tcp?"

But maybe I am totally wrong ...



Re: Remove "flags S/SA keep state" for tcp packets

2015-12-15 Thread C. L. Martinez
On Tue, Dec 15, 2015 at 9:56 AM, David Dahlberg
<david.dahlb...@fkie.fraunhofer.de> wrote:
> Am Dienstag, den 15.12.2015, 09:24 + schrieb C. L. Martinez:
>>  I am trying to remove "flags S/SA keep state" for tcp packets inside
>> pf.conf and use "keep state" only, as it can do with udp and icmp.
>>
>>  According to pf.conf man page, this is possible inserting "no state"
>> in tcp rule, but I can't use keep state.
>
> "keep state" is addressed in pf.conf(5) (e.g. "Stateful Tracking
> Options"), but it is not mentioned as often as it is the default.
>
> IOW: If you have not changed the default options, you may simply
> remove the "flags S/SA keep state" string without changing much (except
> that it might now also match UDP/ICMP).
>

Thanks David. I have not changed any default options but I can't see
how can I remove these flags ... I have tried with "flags any keep
state" without result. If I use "no state", packets are rejected ...



Re: athn0: device timeout

2015-11-30 Thread Gonzalo L. Rodriguez
I have the same problem with a new macbookpro12,1: my urtwn adapter works 
just fine in a regular ehci(4) machine, but on the xhci(4) macbookpro I 
need to reconnect like 10 times, and even that way it doesn't work. :/

On 28/11, Stefan Sperling wrote:
; On Sat, Nov 28, 2015 at 07:35:00AM -0700, bluesun08 wrote:
; > xhci0 at pci0 dev 20 function 0 "Intel Bay Trail xHCI" rev 0x0c: msi
; > usb0 at xhci0: USB revision 3.0
; > uhub0 at usb0 "Intel xHCI root hub" rev 3.00/1.00 addr 1
; > uhub2 at uhub0 port 2 "Genesys Logic USB2.0 Hub" rev 2.00/85.37 addr 3
; > athn1 at uhub2 port 2 configuration 1 interface 0 "ATHEROS USB2.0 WLAN" rev
; > 2.00/1.08 addr 6
; > athn1: could not load firmware
; 
; I believe your problems are rooted in xhci(4) not athn(4).
; There are several known problems with xhci, some of which
; don't have a known fix yet.
; 
; To confirm this theory, could you try this athn adapter in a
; machine with USB ports driven by ehci(4) instead of xhci(4)?
; 

-- 
Sending from my toaster.



Re: EFI: Booting from other (not the first) GPT partition possible? How? It's an Apple :-O

2015-11-20 Thread Gonzalo L. Rodriguez
Oh yes, so on 8,2 you can still boot legacy, but on 12,1 you can't :(

Sent from my handheld toaster

> On 19 Nov 2015, at 15:53, Marc wrote:
>
> Thank you Gonzalo.
>
> Just to make sure we are talking about the same thing:
>
> I was already able to boot OpenBSD in BIOS legacy mode.
>
> What I want to achieve is booting OpenBSD current with the new EFI OpenBSD
boot loader.
>
> Are you sure that following the tutorial you mentioned can be of any help to
do this?
>
> I will be happy to get enlightened if I am just missing the point. :)
>
> Regards
> Marcel
>
>> Hello,
>>
>> I'm kinda at the same step, but in a macbookpro12,1
>>
>> I resized my OSX partition, burned an install58.fs onto a USB stick, booted
>> holding ALT, installed OpenBSD on the part freed by the resize, and then
>> followed jcs@'s tutorial:
>>
>> https://gist.github.com/jcs/5573685
>>
>> Now, "El Capitan" has a 'Secure Level' thing, so to do the step
>> Mac OS X Encryption -> 3-6 you need to boot into Rescue Mode and
>> disable this new protection from the console there:
>>
>> # csrutil disable
>>
>> Then reboot, and try the "Mac OS X Encryption" step. Install refind and
>> cross your fingers :)
>>
>>
>> On 16/11, Marcel Timm wrote:
>> ; Hi there,
>> ;
>> ; one thing I would like to try is to boot from created OpenBSD EFI USB
stick
>> ; with
>> ;
>> ; boot -a
>> ;
>> ; and enter the OpenBSD's root partition on the HD.
>> ;
>> ; Unfortunately neither the MacBook Pro 8,2 's integrated
>> ; nor an external USB keyboard work at the prompt where to enter the
>> ; root device's location. :(
>> ;
>> ; Is there another way of telling the kernel which root device to use
>> ; (maybe at boot's prompt - although I haven't found anything in man
page..)?
>> ;
>> ; If this seems to be a XY question to you, I am happy about other
proposals.
>> ;
>> ; Greetings
>> ; Marcel
>> ;
>> ; On 11.11.2015 16:01, Marcel Timm wrote:
>> ; >Hello!
>> ; >
>> ; >My computer is a MacBook Pro 8,2.
>> ; >
>> ; >There is a GPT on the HD (big surprise!) with four partitions,
>> ; >the last one being of type OpenBSD.
>> ; >
>> ; >I managed to put a recent OpenBSD 5.8 snapshot there
>> ; >by booting and installing from a USB stick via EFI created like that (in
>> ; >OSX):
>> ; >
>> ; >dd if=~/install58.fs of=/dev/rdisk2 bs=1m
>> ; >
>> ; >After installing rEFInd 0.9.2 and putting OpenBSD 5.8 snapshot's
>> ; >BOOTX64.EFI file
>> ; >to the MacBook's EFI partition the rEFInd boot manager shows the OpenBSD
>> ; >EFI option.
>> ; >
>> ; >Selecting that OpenBSD entry starts the boot program showing hd0 hd1 hd2
>> ; >and hd3.
>> ; >
>> ; >Is it possible to boot my "EFI OpenBSD installation" from here?
>> ; >If so, how to proceed?
>> ; >
>> ; >I already played with
>> ; >
>> ; >set device hd0d
>> ; >
>> ; >etc. - but it did not work.
>> ; >
>> ; >I will gladly share more details, if of any help.
>> ; >
>> ; >Thanks in advance!
>> ; >
>> ; >Marcel
>> ;
>>
>> --
>> Sending from my toaster.



Re: EFI: Booting from other (not the first) GPT partition possible? How? It's an Apple :-O

2015-11-18 Thread Gonzalo L. Rodriguez
Hello,

I'm kinda at the same step, but in a macbookpro12,1

I resize my OSX partition, burn a install58.fs on a usb stick, boot 
holding ALT, install OpenBSD on the part of resize partition, and then 
follow jcs@ tutorial:

https://gist.github.com/jcs/5573685

Now, "El Capitan" has like a 'Secure Level' thing that you can do the 
step Mac OS X Encryption -> 3-6. So, you need to boot on Rescue Mode and 
disable this new protection from the console on rescue mode:

# csrutil disable

Then reboot, and try the "Mac OS X Encryption" step. Install refind and 
cross your fingers :)


On 16/11, Marcel Timm wrote:
; Hi there,
; 
; one thing I would like to try is to boot from created OpenBSD EFI USB stick
; with
; 
; boot -a
; 
; and enter the OpenBSD's root partition on the HD.
; 
; Unfortunately neither the MacBook Pro 8,2 's integrated
; nor an external USB keyboard work at the prompt where to enter the
; root device's location. :(
; 
; Is there another way of telling the kernel which root device to use
; (maybe at boot's prompt - although I haven't found anything in man page..)?
; 
; If this seems to be a XY question to you, I am happy about other proposals.
; 
; Greetings
; Marcel
; 
; On 11.11.2015 16:01, Marcel Timm wrote:
; >Hello!
; >
; >My computer is a MacBook Pro 8,2.
; >
; >There is a GPT on the HD (big surprise!) with four partitions,
; >the last one being of type OpenBSD.
; >
; >I managed to put a recent OpenBSD 5.8 snapshot there
; >by booting and installing from a USB stick via EFI created like that (in
; >OSX):
; >
; >dd if=~/install58.fs of=/dev/rdisk2 bs=1m
; >
; >After installing rEFInd 0.9.2 and putting OpenBSD 5.8 snapshot's
; >BOOTX64.EFI file
; >to the MacBook's EFI partition the rEFInd boot manager shows the OpenBSD
; >EFI option.
; >
; >Selecting that OpenBSD entry starts the boot program showing hd0 hd1 hd2
; >and hd3.
; >
; >Is it possible to boot my "EFI OpenBSD installation" from here?
; >If so, how to proceed?
; >
; >I already played with
; >
; >set device hd0d
; >
; >etc. - but it did not work.
; >
; >I will gladly share more details, if of any help.
; >
; >Thanks in advance!
; >
; >Marcel
; 

-- 
Sending from my toaster.



PF tables -- anchors and scope

2015-10-11 Thread Jacob L. Leifman
Can anyone confirm whether it is possible to modify a global table 
within an anchor? If so, what is the proper syntax for referencing it?

I have a dynamic table of addresses to block declared and updated in 
the main body of pf.conf. I would like to update the same table using 
'overload' operator within an anchor, however, I get "namespace 
collision" warning message and a distinctly separate table created when 
I try that. Interestingly, I can use global tables as the source or 
destination address in any rule inside an anchor, i.e. it does work in 
read-only mode (unless an anchor-local table is created per above).

This firewall is currently running 5.6 with upgrade to 5.8 being 
planned for the near future.

Thank you,
-Jacob.



Re: Captive portal with OpenBSD as a hostap

2015-10-06 Thread C. L. Martinez
On Mon, Oct 5, 2015 at 1:26 PM, laudarch  wrote:
> I made a custom implementation and a diff to authpf, will share that
> later just in case anyone wants it.
>
> I hope this helps you, it pretty simple
> http://bastienceriani.fr/?p=70
>

Thanks laudarch ... Very close to what I am searching... I will try your config.



5.7 & Nagios

2015-09-30 Thread L. V. Lammert
What is the intended upgrade path for i386 versions of monitoring
software? No Nagios in packages, .. icinga is reported amd only, .. Nagios
in ports is amd only, .. and nagioscore will not build:

# make all
cd ./base && make
make -C ../lib
Using $< in a non-suffix rule context is a GNUmake idiom (Makefile:157)
*** Error 2 in /usr/src/nagioscore (Makefile:71 'all')

Inquiring minds with Nagios installations want to know!

Lee



nginx & Perl on 5.6

2015-09-29 Thread L. V. Lammert
What is the preferred configuration for using Perl & Nginx? php is fairly
straightforward, .. but can't find anything for perl except some Linux
notes to recompile.

Thanks!

Lee



Slightly OT, .. 5.5 Nagios

2015-09-28 Thread L. V. Lammert
Trying to upgrade our 5.4 Nagios system to 5.5, .. everything went fine
with the system, but it appears that there are some new dependencies for
the web UI:

# pkg_add nagios-web-4.0.1-chroot
Can't install php-gd-5.4.24 because of libraries
|library X11.16.0 not found
| not found anywhere
|library Xpm.9.0 not found
| not found anywhere
|library freetype.22.0 not found
| not found anywhere

X has never been installed on this box, .. why now?

Lee


