Re: Firewall setup

2024-04-16 Thread Karel Lucas



This is my dmesg, if anyone is interested:


OpenBSD 7.4 (GENERIC.MP) #3: Wed Feb 28 06:23:33 MST 2024
r...@syspatch-74-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4047122432 (3859MB)
avail mem = 3904729088 (3723MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.3 @ 0x74c77000 (117 entries)
bios0: vendor American Megatrends International, LLC. version "JK4LV105" date 08/31/2022
bios0: Default string Default string
efi0 at bios0: UEFI 2.7
efi0: American Megatrends rev 0x50013
acpi0 at bios0: ACPI 6.2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP MCFG FIDT SSDT SSDT SSDT HPET APIC PRAM SSDT SSDT NHLT LPIT SSDT SSDT DBGP DBG2 DMAR SSDT TPM2 WSMT FPDT
acpi0: wakeup devices PEGP(S4) PEGP(S4) PEGP(S4) PEGP(S4) SIO1(S3) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PXSX(S4) RP05(S4) PXSX(S4) RP06(S4) [...]

acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0
acpimcfg0: addr 0xc000, bus 0-255
acpihpet0 at acpi0: 1920 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) N5105 @ 2.00GHz, 2893.74 MHz, 06-9c-00, patch 2424
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,RDSEED,SMAP,CLFLUSHOPT,CLWB,PT,SHA,UMIP,WAITPKG,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,IBRS_ALL,SKIP_L1DFL,MDS_NO,IF_PSCHANGE,MISC_PKG_CT,ENERGY_FILT,FB_CLEAR,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu0: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 64b/line 12-way L2 cache, 4MB 64b/line 16-way L3 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 38MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.2.2.1.1.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Celeron(R) N5105 @ 2.00GHz, 2893.74 MHz, 06-9c-00, patch 2424
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,RDSEED,SMAP,CLFLUSHOPT,CLWB,PT,SHA,UMIP,WAITPKG,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,IBRS_ALL,SKIP_L1DFL,MDS_NO,IF_PSCHANGE,MISC_PKG_CT,ENERGY_FILT,FB_CLEAR,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu1: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 64b/line 12-way L2 cache, 4MB 64b/line 16-way L3 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Celeron(R) N5105 @ 2.00GHz, 2793.96 MHz, 06-9c-00, patch 2424
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,RDSEED,SMAP,CLFLUSHOPT,CLWB,PT,SHA,UMIP,WAITPKG,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,IBRS_ALL,SKIP_L1DFL,MDS_NO,IF_PSCHANGE,MISC_PKG_CT,ENERGY_FILT,FB_CLEAR,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu2: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 64b/line 12-way L2 cache, 4MB 64b/line 16-way L3 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Celeron(R) N5105 @ 2.00GHz, 2793.95 MHz, 06-9c-00, patch 2424
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,RDSEED,SMAP,CLFLUSHOPT,CLWB,PT,SHA,UMIP,WAITPKG,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,IBRS_ALL,SKIP_L1DFL,MDS_NO,IF_PSCHANGE,MISC_PKG_CT,ENERGY_FILT,FB_CLEAR,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu3: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 64b/line 12-way L2 cache, 4MB 64b/line 16-way L3 cache
cpu3: smt 0, core 3, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 120 pins
acpiprt0 at acpi0: bus 0 (PC00)
acpiprt1 at acpi0: bus -1 (RP01)
acpiprt2 at acpi0: bus -1 (RP02)
acpiprt3 at acpi0: bus 1 (RP03)
acpiprt4 at acpi0: bus -1 (RP04)
acpiprt5 at acpi0: bus 2 (RP05)
acpiprt6 at acpi0: bus 3 (RP06)
acpiprt7 at acpi0: bus 4 (RP07)
acpiprt8 at acpi0: bus 5 (RP08)
acpiprt9 at acpi0: bus -1 (RP09)
acpiprt10 at acpi0: bus -1 (RP10)
acpiprt11 at acpi0: bus -1 (RP11)
acpiprt12 at 

Re: Firewall setup

2024-04-16 Thread Karel Lucas
First and most importantly, I would like to apologize to anyone who was 
disturbed by my conversation. It is not my intention to offend people. I 
may be curt, but that's not because it's in my character. In daily life 
I work with electronics and computers and am much less familiar with 
networks. I don't need this knowledge for what I do in daily life. It is 
therefore difficult for me to estimate what is important to link back to 
this mailing list. So if I am curt, please try to remember that it is 
not intentional, but a matter of lack of knowledge. Again, I don't want 
to hurt anyone.


Second, the firewall. This is set up as a bridge with the following 
hardware: 
https://www.amazon.nl/dp/B0B6J89MXJ?ref=ppx_pop_dt_b_asin_image=1. 
The Ethernet connections ETH1 ... ETH4 are translated by OpenBSD to igc0 
... igc3. Connection igc0 is the input that goes to the ISDN modem, and 
igc1 and igc2 are the two outputs that go to the internal network. These 
two connections are more flexible for the underlying network. This makes 
it possible to connect two different networks, if desired, albeit with 
one and the same IP range (192.168.2.0/24), or two different networks, 
if so configured. So two possibilities (which is best?). So there is no 
need to use two connections at the same time, although this should be 
possible. Finally, connection igc3. This is given the IP address 
192.168.2.252, because it is intended for remote administration, 
including upgrades. This connection will therefore not be part of the 
firewall bridge, and will therefore not appear in pf.conf. The internal 
network consists mainly of regular clients, so no email, web or name 
servers. These clients will work with Linux, mac OSX, or OpenBSD, but 
not Windows, but there will be a small file server or NAS. This file 
server or NAS is only intended for the clients in the network and has no 
connection to the internet. For now it is important to get ping and 
traceroute working properly, after which work on normal internet traffic 
can be started. What I'm wondering is whether I need NAT for my firewall 
configuration. This is my plan for my firewall. It seems to me that 
there are much more difficult configurations than this one. I hope there 
are still people who are willing to help me.




Op 16-04-2024 om 07:24 schreef Peter N. M. Hansteen:

I give up.

The obviously incomplete, hand edited ifconfig output shows three
interfaces that are (or appear to be, judging from the excerpts that
we are given) not configured with IP addresses, two of which
have a link, while the last does not.

For reasons unknown these three are joined in a three-way bridge.

From the tiny crumbs of information you have deigned to reveal to us,
it is not at all clear what it is you are trying to achieve.

That this configuration does not do anything useful is however no
surprise at all.

Once you can describe what it is your Rube Goldberg contraption
is supposed to do, competent people here might offer some advice
on how to make things work properly.

Until that happens, I for one will simply ignore anything from that
source.





Re: Firewall setup

2024-04-15 Thread Karel Lucas



Op 15-04-2024 om 22:20 schreef Peter N. M. Hansteen:

On Mon, Apr 15, 2024 at 10:09:31PM +0200, Karel Lucas wrote:

This gives the following error messages when booting:
no IP address found for igc1:network
/etc/pf.conf:41: could not parse host specification
no IP address found for igc2:network
/etc/pf.conf:42: could not parse host specification

This sounds to me like those interfaces either do not exist or
have not been correctly configured.

Are those interfaces configured, as in do they have IP addresses?

the output of ifconfig igc1 and ifconfig igc2 will show you.


Output from ifconfig igc0:
igc0: flags=8b43 mtu 1500
        lladdr 7c:2b:e1:13:dd:f4
        index 1 priority 0 llprio 3
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active

Output from ifconfig igc1:
igc1: flags=8b43 mtu 1500
        lladdr 7c:2b:e1:13:dd:f5
        index 2 priority 0 llprio 3
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active

Output from ifconfig igc2:
igc2: flags=8b43 mtu 1500
        lladdr 7c:2b:e1:13:dd:f6
        index 3 priority 0 llprio 3
        media: Ethernet autoselect (none)
        status: no carrier

/etc/hostname.bridge0:
add igc0 add igc1 add igc2 blocknonip igc0 blocknonip igc1 blocknonip igc2 up


/etc/hostname.igc0:
up

/etc/hostname.igc1:
up

/etc/hostname.igc2:
up



Re: Firewall setup

2024-04-15 Thread Karel Lucas
That's a possibility I hadn't thought of yet. But how do I do that, and 
on which page can I find that in your book?


Op 15-04-2024 om 22:17 schreef Peter N. M. Hansteen:

The other option - if your network layout is such that it makes
sense to treat them to the same rule criteria - would be to make an
interface group with both interfaces as members, then use the
interface group name in your rules.
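
As an added worked example (not from any message in this thread), here is a complete /etc/pf.conf that applies the interface-group suggestion above to the layout Karel describes in his message of 16 April: bridge0 made of igc0 (toward the modem) plus igc1 and igc2 (toward the LAN), and igc3 kept outside the bridge with 192.168.2.252 for administration. It assumes that the modem is the NAT router and default gateway for 192.168.2.0/24, so the bridge itself does no address translation; it assumes the group name "lan", the /etc/hostname.* contents shown in the comments, and a /24 netmask on igc3. The services, resolver addresses and traceroute port range are the ones posted in the thread. The "martians" block from the book is left out on purpose: on this box igc0 faces the private LAN side of the modem, so 192.168.2.0/24 traffic legitimately crosses it in both directions.

```pf
# Added example: transparent-bridge firewall with a separate management port.
# Not from the thread; names, group and hostname.* contents are assumptions.
#
# /etc/hostname.igc1 and /etc/hostname.igc2 each contain two lines:
#     group lan
#     up
# /etc/hostname.igc0:     up
# /etc/hostname.igc3:     inet 192.168.2.252 255.255.255.0
# /etc/hostname.bridge0:  add igc0 add igc1 add igc2 blocknonip igc0 \
#                         blocknonip igc1 blocknonip igc2 up

ext_if      = "igc0"                    # bridge member toward the modem
lan_if      = "lan"                     # interface group holding igc1 and igc2
mgmt_if     = "igc3"                    # not bridged; carries 192.168.2.252
localnet    = "192.168.2.0/24"          # hosts behind igc1/igc2
nameservers = "{ 195.121.1.34, 195.121.1.66 }"   # ISP resolvers from the thread
tcp_out     = "{ ssh, domain, http, https }"
udp_out     = "{ domain, ntp }"
icmp_types  = "{ echoreq, unreach }"
icmp6_types = "{ echoreq, unreach, neighbrsol, neighbradv, routersol, routeradv }"

set skip on lo
set block-policy return
set state-policy floating   # the default; states are not bound to one interface

# Normalize packets
match in all scrub (no-df max-mss 1440)

# Default deny, logged: "tcpdump -neti pflog0" then shows the rule number
block log all

# A bridged packet is evaluated twice, "in" on the member it arrives on and
# "out" on the member it leaves by, and each of those passes keeps its own
# state. Policy is decided on the LAN side; the modem side only lets flows
# that were already admitted leave.
pass out on $ext_if

# Clients: DNS must be open before "ping www.apple.com" can resolve at all
pass in on $lan_if inet proto { tcp, udp } from $localnet to $nameservers port domain
pass in on $lan_if inet proto tcp from $localnet to port $tcp_out
pass in on $lan_if inet proto udp from $localnet to port $udp_out

# Ping and traceroute. OpenBSD traceroute sends UDP to 33434 + hops*probes - 1
# (64 hops, 3 probes); the ICMP "time exceeded" and "port unreachable"
# answers quote the probe, and pf matches them to the probe's state, so
# no extra inbound rule is needed for them.
pass in on $lan_if inet proto icmp from $localnet icmp-type $icmp_types
pass in on $lan_if inet proto udp from $localnet to port 33433:33626
pass inet6 proto ipv6-icmp icmp6-type $icmp6_types

# Management port: pf filters igc3 too, so "block all" above would lock
# out SSH unless it is allowed explicitly. Only the LAN may reach the box.
pass in  on $mgmt_if inet proto tcp from $localnet to ($mgmt_if) port ssh
pass out on $mgmt_if inet from ($mgmt_if)    # syspatch, DNS etc. from the box itself
```

Check the file with "pfctl -nf /etc/pf.conf" (parse only), load it with "pfctl -f /etc/pf.conf", and confirm with "pfctl -sr" that the kernel holds the rules you expect; while testing from a client, "tcpdump -neti pflog0" prints the number of the rule that blocked each packet and "pfctl -sr -R <n>" maps that number back to the rule. The group is what makes "pass in on lan" valid even though igc1 and igc2 have no addresses; "igc1:network", by contrast, needs an address to expand, which is why pfctl reported "no IP address found" earlier in the thread.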




Re: Firewall setup

2024-04-15 Thread Karel Lucas



Op 14-04-2024 om 21:57 schreef Jens Kaiser:

Hello Karel,

if you want to start simply, then I would recommend to remove all macros
from your pf.conf which are not referenced. You can add them later if
needed. As already stated by others, there is a syntax error in macro
martians. If there are syntax errors in pf.conf, the rules are not
loaded at all.

These have now been resolved, see below.


Also correct the syntax errors in the rules "Letting ping through". The
key word "on" without interfacename, -group or keyword any looks
incorrect. Give it a parameter or remove it.
As far as I can see there are no errors in the ping rules. The key words
"on", "group" or "any" do not appear there. Moreover, I have copied
these rules, except the key word "log", exactly from Peter Hansteen's
book (The Book of PF), just like the rules of the martians.


Please check your current running configuration with
> pfctl -sr
It prints out all currently active rules. If something behaves too
weird, it can help to prove that the ruleset in /etc/pf.conf is the same
as we assume to be active in the kernel. Because of the syntax errors I
would guess that this is not true in your case.

After correcting some errors, I reloaded pf.conf and found no errors. 
Here I give the output of pfctl -sr:

match in all scrub (no-df max-mss 1440)
block return in all
block return in quick on igc0 inet from any to <__automatic_628bc734_1>
pass log inet proto icmp all icmp-type echoreq
pass log inet proto icmp all icmp-type echorep
pass log inet proto icmp all icmp-type unreach
pass log inet6 proto ipv6-icmp all icmp6-type echoreq
pass log inet6 proto ipv6-icmp all icmp6-type echorep
pass log inet6 proto ipv6-icmp all icmp6-type unreach
pass out all flags S/SA


/etc/pf.conf:

ext_if = igc0                            # The interface to the outside 
world

int_if = "{ igc1, igc2 }"             # The interfaces to the private hosts
# localnet = "192.168.2.0/24"    # Hosts on the screened LAN

# tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
# udp_services = "{ domain, ntp }"
# email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
icmp_types = "{ echoreq, echorep, unreach }"
icmp6_types = "{ echoreq, echorep, unreach }"
# nameservers = "{ 195.121.1.34, 195.121.1.66 }"
# client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
                 0.0.0.0/8, 240.0.0.0/4 }"

# Options:
set block-policy return

set skip on lo

# Normalize packets:
match in all scrub ( no-df max-mss 1440 )

block in all                # block stateless traffic

block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians

# Letting ping through:
pass log inet proto icmp icmp-type $icmp_types
pass log inet6 proto icmp6 icmp6-type $icmp6_types

pass out all




Re: Firewall setup

2024-04-15 Thread Karel Lucas

This gives the following error messages when booting:
no IP address found for igc1:network
/etc/pf.conf:41: could not parse host specification
no IP address found for igc2:network
/etc/pf.conf:42: could not parse host specification


Op 14-04-2024 om 19:59 schreef Peter N. M. Hansteen:

On Sun, Apr 14, 2024 at 05:09:01PM +0200, Karel Lucas wrote:

Hi all,

Everything about PF is all very confusing to me at the moment, so any help
is appreciated. So let's start simple and then proceed step by step. I want
to continue with ping so that I can test the connection to the internet.
This works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10
www.apple.com. As others have stated, I have a problem with using DNS
servers on the internet. The PF ruleset needs to be adjusted for this, but
it is still not clear to me how to do that. What else do I need to get ping
to work correctly? To get started simply, I created a new pf.conf file, see
below.

I'd put this somewhere after your block rules:

pass inet proto { tcp, udp } from igc1:network to port $client_out
pass inet proto { tcp, udp } from igc2:network to port $client_out

- that way you will actually use the macro. But the macro still references
the invalid service nportntp (you probably want ntp instead), and I would
think that the services "446, cvspserver, 2628, 5999, 8000, 8080" are unlikely
to be useful unless you *know* you need to pass traffic for those.





Re: Firewall setup

2024-04-15 Thread Karel Lucas

They both give a syntax error when booting.

Op 14-04-2024 om 17:45 schreef Zé Loff:

 pass in on $int_if proto udp to port 53



 pass in on $int_if proto udp to $nameservers port 53




Firewall setup

2024-04-14 Thread Karel Lucas

Hi all,

Everything about PF is all very confusing to me at the moment, so any 
help is appreciated. So let's start simple and then proceed step by 
step. I want to continue with ping so that I can test the connection to 
the internet. This works: ping -c 10 195.121.1.34. But this doesn't 
work: ping -c 10 www.apple.com. As others have stated, I have a problem 
with using DNS servers on the internet. The PF ruleset needs to be 
adjusted for this, but it is still not clear to me how to do that. What 
else do I need to get ping to work correctly? To get started simply, I 
created a new pf.conf file, see below.



/etc/pf.conf:

ext_if = igc0                              # The interface to the 
outside world
int_if = "{ igc1, igc2 }"                # The interfaces to the private 
hosts

localnet = "192.168.2.0/24"      # Hosts on the screened LAN

tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
udp_services = "{ domain, ntp }"
email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
icmp_types = "{ echoreq, unreach }"
icmp6_types = "{ echoreq, unreach }"
nameservers = "{ 195.121.1.34, 195.121.1.66 }"
client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
                      446, cvspserver, 2628, 5999, 8000, 8080 }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                    10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
                    0.0.0.0/8, 240.0.0.0/4 }"

# Options:
set block-policy return

set skip on lo

block log all                # block stateless traffic

# Normalize packets:
match in all scrub ( no-df max-mss 1440 )

block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians

# Letting ping through:
pass log on inet proto icmp icmp-type $icmp_types
pass log on inet6 proto icmp6 icmp6-type $icmp6_types

pass out all




Re: No internet connection (firewall block)

2024-04-14 Thread Karel Lucas

Output from "tcpdump -neti pflog0":
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
...
rule 4/(match) pass in on igc1: 192.168.2.252 > 17.253.53.207: icmp: 
echo request

...

output from "pfctl -sr -R 4":
pass log inet proto icmp all icmp-type echoreq


Op 12-04-2024 om 19:46 schreef Zé Loff:

On Fri, Apr 12, 2024 at 07:04:16PM +0200, Karel Lucas wrote:

Hi all,

Traceroute still won't work. I'm playing around with the rules and wondering
what's right and what's wrong with the traceroute rules. Can anyone give me
some starting points here?


/etc/pf.conf:

ext_if = igc0 # Extern interface
int_if = "{ igc1, igc2 }" # Intern interfaces
localnet = "192.168.2.0/24"
tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
udp_services = "{ domain, ntp }"
email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
icmp_types = "{ echoreq, unreach }"
icmp6_types = "{ echoreq, unreach }"
nameservers = "{ 195.121.1.34, 195.121.1.66 }"
client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
                       446, cvspserver, 2628, 5999, 8000, 8080 }"
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                     10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
                     0.0.0.0/8, 240.0.0.0/4 }"

set skip on lo
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

block log all                # block stateless traffic

block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians

# Letting ping through:
pass log on inet proto icmp icmp-type $icmp_types
pass log on inet6 proto icmp6 icmp6-type $icmp6_types

# Allow out the default range for traceroute(*):
# "base+nhops*nqueries-1" (3434+64*3-1)
pass in  on $ext_if inet proto udp to port 33433:33626   # for IPv4
pass log out on $ext_if inet proto udp to port 33433:33626   # for IPv4
pass in on $ext_if inet6 proto udp to port 33433:33626   # for IPv6
pass log out on $ext_if inet6 proto udp to port 33433:33626  # for IPv6


Your final four rules (for traceroute) only apply to the $ext_if, so I
am assuming you are trying to traceroute _from_ the firewall itself to
some machine on the internet.  If you want to start traceroute from
your local network, and to a machine on the internet, you'll need to
add $int_if to those rules (and perhaps NAT, but let's not get ahead of
ourselves).

Again, assuming you are trying to traceroute from the firewall to the
internet, I would use tcpdump to check if that traffic is being blocked,
and, if so, which rule is blocking it:

 tcpdump -neti pflog0

(-n and -t are optional, but help to keep things simpler in this case)

Then on another terminal try to traceroute an easily identifiable IP,
such as 1.1.1.1, and see what comes up on the tcpdump.  It'll be
something like "rule 2/(match) block ..." or "rule 2/(match) pass ...",
and if you don't want to count the rules by hand, you can use pfctl to
tell you which:

 pfctl -sr -R <n>

where <n> is the rule number.

Then, assuming it is being blocked, it's time to figure out why the
"pass" rules aren't being matched.






Re: Ping blocked by firewall

2024-04-14 Thread Karel Lucas

This makes no difference.

Op 13-04-2024 om 22:06 schreef Peter J. Philipp:

On Sat, Apr 13, 2024 at 09:32:48PM +0200, Karel Lucas wrote:

What should I add then, considering my PF ruleset? To be honest, all of this
is very unclear to me at the moment, so any help is appreciated.

How about:

pass out inet  proto { tcp, udp } from any to any port { 53, 853 }  keep state
pass out inet6 proto { tcp, udp } from any to any port { 53, 853 }  keep state

see if that will do it for you.  You have a service called "domain" in your
rules but it's only a macro/alias and not active

Also if I remember it right (without looking) traceroute defaults to UDP mode
by default, with ports (32768 + 666) + (every "*" in every hop counting as 1)
so depending on how many hops outbound you want to traceroute you'll have to
open those udp ports outbound.

Of course you can be like windows and do traceroute -P1 to traceroute with
ICMP.

Remember, from your basic networking texts that each hop decrements (-1) the
time to live, or the hop count.  When a router encounters an IP[46] packet
that would decrement to 0 it will not get forwarded and will reply an ICMP
time exceeded message aka timex reply.

Please familiarize yourself with tcpdump and for learning purposes wireshark
and really analyze the packet headers with RFC's 791, 792, 8200 found at
https://rfc-editor.org.

Best of Luck!
-pjp


Op 13-04-2024 om 02:39 schreef Alexis:

Karel Lucas writes:


Ping only works partially. For example, this works: ping -c 10
195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. I
suspect this has to do with DNS servers, but I don't know where to
start troubleshooting.

Indeed, you appear to have no rules allowing outgoing requests to DNS
servers for name resolution.


Alexis.





Re: Ping blocked by firewall

2024-04-14 Thread Karel Lucas

What should I add to get it working?

Op 13-04-2024 om 02:39 schreef Alexis:


Karel Lucas writes:

Ping only works partially. For example, this works: ping -c 10 
195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. I 
suspect this has to do with DNS servers, but I don't know where to 
start troubleshooting.


Indeed, you appear to have no rules allowing outgoing requests to DNS 
servers for name resolution.



Alexis.





Re: Ping blocked by firewall

2024-04-13 Thread Karel Lucas
What should I add then, considering my PF ruleset? To be honest, all of 
this is very unclear to me at the moment, so any help is appreciated.



Op 13-04-2024 om 02:39 schreef Alexis:


Karel Lucas writes:

Ping only works partially. For example, this works: ping -c 10 
195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. I 
suspect this has to do with DNS servers, but I don't know where to 
start troubleshooting.


Indeed, you appear to have no rules allowing outgoing requests to DNS 
servers for name resolution.



Alexis.





No internet connection (firewall block)

2024-04-12 Thread Karel Lucas

Hi all,

Traceroute still won't work. I'm playing around with the rules and 
wondering what's right and what's wrong with the traceroute rules. Can 
anyone give me some starting points here?



/etc/pf.conf:

ext_if = igc0 # Extern interface
int_if = "{ igc1, igc2 }" # Intern interfaces
localnet = "192.168.2.0/24"
tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
udp_services = "{ domain, ntp }"
email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
icmp_types = "{ echoreq, unreach }"
icmp6_types = "{ echoreq, unreach }"
nameservers = "{ 195.121.1.34, 195.121.1.66 }"
client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
                      446, cvspserver, 2628, 5999, 8000, 8080 }"
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                    10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
                    0.0.0.0/8, 240.0.0.0/4 }"

set skip on lo
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

block log all                # block stateless traffic

block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians

# Letting ping through:
pass log on inet proto icmp icmp-type $icmp_types
pass log on inet6 proto icmp6 icmp6-type $icmp6_types

# Allow out the default range for traceroute(*):
# "base+nhops*nqueries-1" (3434+64*3-1)
pass in  on $ext_if inet proto udp to port 33433:33626   # for IPv4
pass log out on $ext_if inet proto udp to port 33433:33626   # for IPv4
pass in on $ext_if inet6 proto udp to port 33433:33626   # for IPv6
pass log out on $ext_if inet6 proto udp to port 33433:33626  # for IPv6



Ping blocked by firewall

2024-04-12 Thread Karel Lucas

Hi all,

Ping only works partially. For example, this works: ping -c 10 
195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. I suspect 
this has to do with DNS servers, but I don't know where to start 
troubleshooting. Can someone help me?


/etc/pf.conf:

ext_if = igc0 # Extern interface
int_if = "{ igc1, igc2 }" # Intern interfaces
localnet = "192.168.2.0/24"
tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
udp_services = "{ domain, ntp }"
email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
icmp_types = "{ echoreq, unreach }"
icmp6_types = "{ echoreq, unreach }"
nameservers = "{ 195.121.1.34, 195.121.1.66 }"
client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
                446, cvspserver, 2628, 5999, 8000, 8080 }"
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
            10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
            0.0.0.0/8, 240.0.0.0/4 }"

set skip on lo
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

block log all                # block stateless traffic

# Letting ping through:
pass log on inet proto icmp icmp-type $icmp_types
pass log on inet6 proto icmp6 icmp6-type $icmp6_types






Re: No internet connection (firewall block)

2024-04-11 Thread Karel Lucas

PF's ruleset will be put under a magnifying glass.

Op 11-04-2024 om 11:09 schreef Peter N. M. Hansteen:

On Thu, Apr 11, 2024 at 09:34:15AM +0100, Zé Loff wrote:

pass log out on egress inet proto udp to port 33433:33626 # for IPv4
pass log out on egress inet6 proto udp to port 33433:33626 # for IPv6

pass log quick on $ext_if inet proto {tcp, udp} from $localnet \
         to port $udp_services
pass log on $ext_if inet proto icmp all icmp-type $icmp_types
pass log on $ext_if inet proto tcp from $localnet to port $client_out
pass log out proto tcp to port $tcp_services   # establish keep-stat
pass log log proto udp to port $udp_services   # Establish keep-state

If I read this correctly, you are not allowing any "in" traffic, except
for the two "Letting ping through" lines, which are just for ICMP, and
on the first two rules on the last part ("...$icmp_types" and
"...$client_out"). I am assuming "log log" on the last rule is a typo,
and it is actually "log out".
  
Those are as far as I can tell correct observations. There appears to be
no rule allowing traffic other than the selected icmp types to pass from
anywhere but the local host.






Re: No internet connection (firewall block)

2024-04-11 Thread Karel Lucas
The typos have been fixed, and PF's ruleset will be put under a 
magnifying glass.


Op 11-04-2024 om 10:34 schreef Zé Loff:

On Wed, Apr 10, 2024 at 11:53:47PM +0200, Karel Lucas wrote:

Hi all,

With the new firewall I am setting up I cannot connect to the internet. That
starts with traceroute, so let's start there. Ping works fine. Below I have
listed my pf.conf file.



/etc/pf.conf:

ext_if = igc0 # Extern interface
int_if = "{ igc1, igc2 }" # Intern interfaces
localnet = "192.168.2.0/24"
tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
udp_services = "{ domain, ntp }"
email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
icmp_types = "{ echoreq, unreach }"
icmp6_types = "{ echoreq, unreach }"
nameservers = "{ 195.121.1.34, 195.121.1.66 }"
client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
                       446, cvspserver, 2628, 5999, 8000, 8080 }"
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                     10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
                     0.0.0.0/8, 240.0.0.0/4 }"

set skip on lo
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

block log all                # block stateless traffic

block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians

# Letting ping through:
pass log on inet proto icmp icmp-type $icmp_types
pass log on inet6 proto icmp6 icmp6-type $icmp6_types

# Allow out the default range for traceroute(*):
# "base+nhops*nqueries-1" (3434+64*3-1)
pass log out on egress inet proto udp to port 33433:33626 # for IPv4
pass log out on egress inet6 proto udp to port 33433:33626 # for IPv6

pass log quick on $ext_if inet proto {tcp, udp} from $localnet \
         to port $udp_services
pass log on $ext_if inet proto icmp all icmp-type $icmp_types
pass log on $ext_if inet proto tcp from $localnet to port $client_out
pass log out proto tcp to port $tcp_services   # establish keep-stat
pass log log proto udp to port $udp_services   # Establish keep-state

If I read this correctly, you are not allowing any "in" traffic, except
for the two "Letting ping through" lines, which are just for ICMP, and
on the first two rules on the last part ("...$icmp_types" and
"...$client_out"). I am assuming "log log" on the last rule is a typo,
and it is actually "log out".




Re: No internet connection (firewall block)

2024-04-11 Thread Karel Lucas
I do get the following error message: sysctl: toplevel name net/inet6 in 
net/inet6.ip6.forwarding is invalid


Op 11-04-2024 om 09:49 schreef Peter N. M. Hansteen:

On Wed, Apr 10, 2024 at 11:53:47PM +0200, Karel Lucas wrote:

With the new firewall I am setting up I cannot connect to the internet. That
starts with traceroute, so let's start there. Ping works fine. Below I have
listed my pf.conf file.

This sounds like you have a link to somewhere, at least.

The first question would be, when you say "I cannot connect to the internet",
where is this in relation to the host with the ruleset you quote?

Start with the basics - is the gateway set up to forward packets? The output of

$ sysctl net.inet | grep forward

will reveal the truth there.

And looking at the quoted ruleset, I find it rather unlikely that it will
actually load -- you will get a "macro 'martians' not defined" and
"unknown port nportntp" and likely a few "syntax error" messages as well.

I would advise to take a few steps back, start from the basics and add only the
things you know you need.






Re: No internet connection (firewall block)

2024-04-11 Thread Karel Lucas

Output from 'sysctl net.inet | grep forward':
net.inet.ip.forwarding=1
net.inet.ip.mforwarding=0

This may sound strange, but I don't get an error message when booting. I 
did have that problem because the word 'log' appeared in some lines, but 
that has already been resolved. I'm going to apply a "step by step" 
approach to the rules in pf.conf.


Op 11-04-2024 om 09:49 schreef Peter N. M. Hansteen:

On Wed, Apr 10, 2024 at 11:53:47PM +0200, Karel Lucas wrote:

With the new firewall I am setting up I cannot connect to the internet. That
starts with traceroute, so let's start there. Ping works fine. Below I have
listed my pf.conf file.

This sounds like you have a link to somewhere, at least.

The first question would be, when you say "I cannot connect to the internet",
where is this in relation to the host with the ruleset you quote?

Start with the basics - is the gateway set up to forward packets? The output of

$ sysctl net.inet | grep forward

will reveal the truth there.

And looking at the quoted ruleset, I find it rather unlikely that it will
actually load -- you will get a "macro 'martians' not defined" and
"unknown port nportntp" and likely a few "syntax error" messages as well.

I would advise to take a few steps back, start from the basics and add only the
things you know you need.






No internet connection (firewall block)

2024-04-10 Thread Karel Lucas

Hi all,

With the new firewall I am setting up I cannot connect to the internet. 
That starts with traceroute, so let's start there. Ping works fine. 
Below I have listed my pf.conf file.




/etc/pf.conf:

ext_if = igc0 # Extern interface
int_if = "{ igc1, igc2 }" # Intern interfaces
localnet = "192.168.2.0/24"
tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
udp_services = "{ domain, ntp }"
email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
icmp_types = "{ echoreq, unreach }"
icmp6_types = "{ echoreq, unreach }"
nameservers = "{ 195.121.1.34, 195.121.1.66 }"
client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
                      446, cvspserver, 2628, 5999, 8000, 8080 }"
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                    10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
                    0.0.0.0/8, 240.0.0.0/4 }"

set skip on lo
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

block log all                # block stateless traffic

block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians

# Letting ping through:
pass log on inet proto icmp icmp-type $icmp_types
pass log on inet6 proto icmp6 icmp6-type $icmp6_types

# Allow out the default range for traceroute(*):
# "base+nhops*nqueries-1" (3434+64*3-1)
pass log out on egress inet proto udp to port 33433:33626 # for IPv4
pass log out on egress inet6 proto udp to port 33433:33626 # for IPv6

pass log quick on $ext_if inet proto {tcp, udp} from $localnet \
        to port $udp_services
pass log on $ext_if inet proto icmp all icmp-type $icmp_types
pass log on $ext_if inet proto tcp from $localnet to port $client_out
pass log out proto tcp to port $tcp_services   # establish keep-stat
pass log log proto udp to port $udp_services   # Establish keep-state



Re: Ping blocked by firewall

2024-04-09 Thread Karel Lucas
The errors were caused by the word 'log' in lines where it apparently 
did not belong. Those errors have now been resolved. In Peter Hansteen's 
book, the rules are clearly stated on page 91, and there is no 'match' 
in them.


On 09-04-2024 at 17:12 l...@trungnguyen.me wrote:
Still dont know whats happening because we dont know what those line 
errors mean.


When you changed the macros to tables, did you also update the rules
to match?



On April 9, 2024 9:32:06 AM UTC, Karel Lucas  wrote:

I moved the lines with the martians between the 'block log all'
line and the ping lines. Furthermore, I changed the macro
'martians' to a table: table <martians> persist file
"etc/martians".

Messages during booting:
/etc/pf.conf:29: syntax error
/etc/pf.conf:29: macro 'martians' not defined
/etc/pf.conf:30: macro 'martians' not defined
/etc/pf.conf:38: syntax error
/etc/pf.conf:39: syntax error
/etc/pf.conf:46: syntax error

On 09-04-2024 at 11:13 Otto Moerbeek wrote:

On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:

I defined the table as stated in your book (3rd edition,
page 42). However, that gives an error message. In the
lines with that table: macro 'martians' not defined.
Moreover, I now also have a Syntax error in lines 38, 39
and 46, causing the pf lines not to be loaded. 


How about showing what you did, showing the actual error
messages so people here can actually help you? Just saying "it
does not work" does not get you anywhere. -Otto

On 09-04-2024 at 08:53 Peter N. M. Hansteen wrote:

On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas
wrote:

Hi all, For the first time I tested my new
firewall with ping, and it is blocked. I don't
know what the reason is, you can find the
information below. I have a network with only
regular clients, so no servers. I'm still using
OpenBSD V7.4, and will upgrade once the firewall
is up and running so I can test the upgrade process. 


Upgrading to 7.5 will not affect this particular
problem I think. Still low on caffeine I spot two
likely factors - your $localnet range overlaps with
one of the ranges in $martians (which I anyway would
recommend converting into a table), and your block
referencing $martians comes after the pass rules that
would have let icmp through. With no previous matching
quick, last match applies. - Peter 



Re: Ping blocked by firewall

2024-04-09 Thread Karel Lucas

In /etc/pf.conf:
table <martians> persist file "/etc/martians"

In /etc/martians:
127.0.0.0/8
192.168.0.0/16
172.16.0.0/12
10.0.0.0/8
169.254.0.0/16
192.0.2.0/24
0.0.0.0/8
240.0.0.0/4

On 09-04-2024 at 16:06 Peter N. M. Hansteen wrote:

On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:

I defined the table as stated in your book (3rd edition, page 42). However,
that gives an error message. In the lines with that table: macro 'martians'
not defined. Moreover, I now also have a Syntax error in lines 38, 39 and
46, causing the pf lines not to be loaded.

The martians example only appears on page 91, and if you had read that book
or other PF references, you would have known full well that the syntax for
defining and referencing macros differs from how you define and reference 
tables.

Please actually read the advice offered by contributors to this thread.





Re: Ping blocked by firewall

2024-04-09 Thread Karel Lucas
The example I'm referring to is how to define a table (page 42), and I 
applied that to the martians example (page 91).


On 09-04-2024 at 16:06 Peter N. M. Hansteen wrote:

On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:

I defined the table as stated in your book (3rd edition, page 42). However,
that gives an error message. In the lines with that table: macro 'martians'
not defined. Moreover, I now also have a Syntax error in lines 38, 39 and
46, causing the pf lines not to be loaded.

The martians example only appears on page 91, and if you had read that book
or other PF references, you would have known full well that the syntax for
defining and referencing macros differs from how you define and reference 
tables.

Please actually read the advice offered by contributors to this thread.





Re: Ping blocked by firewall

2024-04-09 Thread Karel Lucas
I can assure you that I did not use capital letters in the macro names, 
and used the '<' and '>'.


On 09-04-2024 at 11:58 Peter N. M. Hansteen wrote:

On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:

I defined the table as stated in your book (3rd edition, page 42). However,
that gives an error message. In the lines with that table: macro 'martians'
not defined. Moreover, I now also have a Syntax error in lines 38, 39 and
46, causing the pf lines not to be loaded.

macro names are case sensitive, to wit

peter@kapet:~$ cat martians
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
   10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
   0.0.0.0/8, 240.0.0.0/4 }"

block from $martians
peter@skapet:~$ doas pfctl -vnf martians
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12,   10.0.0.0/8, 
169.254, 0.0/16, 192.0.2.0/24,   0.0.0.0/8, 240.0.0.0/4 }"
martians:5: macro 'martians' not defined
martians:5: syntax error

for conversion to tables, keep in mind that references need the
surrounding '<' and '>'.
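Peter's two points above (macro names are case sensitive, and a table is referenced as <name> rather than $name) can be checked before pfctl ever sees the file. The following is an added example, not code from the thread or from OpenBSD: a small Python lint that collects macro and table definitions from a pf.conf, resolves every $name and <name> reference, and reports the undefined ones with a hint in pfctl's "file:line:" style. SAMPLE_PF_CONF is a constructed ruleset modelled on the one posted in this thread; the <badhosts> table and the <blocked> reference are assumptions added to exercise the table path.

```python
"""Static check of macro ($name) and table (<name>) references in a
pf.conf, reproducing the 'macro ... not defined' class of error before
the ruleset is loaded. Macro names are case sensitive, and a table must
be referenced with surrounding angle brackets, never with '$'."""
import re
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

MACRO_DEF = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=')
TABLE_DEF = re.compile(r'^\s*table\s*<([A-Za-z0-9_]+)>')
MACRO_REF = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')
TABLE_REF = re.compile(r'<([A-Za-z0-9_]+)>')


class Problem(NamedTuple):
    line: int            # physical line where the logical line starts
    kind: str            # "macro" or "table"
    name: str            # the undefined name as written
    hint: Optional[str]


def logical_lines(conf: str) -> List[Tuple[int, str]]:
    """Strip comments and join backslash-continued lines, keeping line numbers."""
    out: List[Tuple[int, str]] = []
    buf, start = "", 0
    for n, raw in enumerate(conf.splitlines(), 1):
        text = raw.split("#", 1)[0].rstrip()
        if not buf:
            start = n
        if text.endswith("\\"):
            buf += text[:-1] + " "
            continue
        out.append((start, buf + text))
        buf = ""
    if buf:
        out.append((start, buf))
    return out


def _hint(kind: str, name: str, macros: Dict[str, int], tables: Set[str]) -> Optional[str]:
    """Explain the likely mistake: wrong case, or macro/table syntax mixed up."""
    if kind == "macro":
        for defined in macros:
            if defined.lower() == name.lower():
                return (f"defined as '{defined}' on line {macros[defined]}; "
                        "macro names are case sensitive")
        if name in tables:
            return f"'{name}' is a table; reference it as <{name}>"
    elif name in macros:
        return f"'{name}' is a macro; reference it as ${name}"
    return None


def check_references(conf: str) -> List[Problem]:
    lines = logical_lines(conf)
    macros: Dict[str, int] = {}
    tables: Set[str] = set()
    for n, text in lines:                 # first pass: collect definitions
        m = MACRO_DEF.match(text)
        if m:
            macros[m.group(1)] = n
        t = TABLE_DEF.match(text)
        if t:
            tables.add(t.group(1))
    problems: List[Problem] = []
    for n, text in lines:                 # second pass: resolve references
        for name in MACRO_REF.findall(text):
            if name not in macros:
                problems.append(Problem(n, "macro", name, _hint("macro", name, macros, tables)))
        for name in TABLE_REF.findall(text):
            if name not in tables:
                problems.append(Problem(n, "table", name, _hint("table", name, macros, tables)))
    return problems


def format_problems(problems: List[Problem], path: str = "pf.conf") -> List[str]:
    """Render findings in pfctl's 'file:line: message' style."""
    out = []
    for p in problems:
        msg = f"{path}:{p.line}: {p.kind} '{p.name}' not defined"
        out.append(msg + (f" ({p.hint})" if p.hint else ""))
    return out


# Constructed sample modelled on the ruleset in this thread (not the poster's file).
SAMPLE_PF_CONF = """\
ext_if = igc0 # external interface
localnet = "192.168.2.0/24"
icmp_types = "{ echoreq, unreach }"
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \\
            10.0.0.0/8, 169.254.0.0/16 }"
table <badhosts> persist file "/etc/badhosts"
block log all
block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians
block in quick on $ext_if from <blocked> to any
pass log on inet proto icmp icmp-type $icmp_types
block in quick on $ext_if from $badhosts to any
"""

if __name__ == "__main__":
    for line in format_problems(check_references(SAMPLE_PF_CONF)):
        print(line)
```

On the sample this reports the two $martians references (pointing at the capitalised definition), the <blocked> table that was never declared, and $badhosts being written with macro syntax although it is a table; `pfctl -nf` remains the authoritative parse, this only front-loads the reference errors.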





Re: Ping blocked by firewall

2024-04-09 Thread Karel Lucas
I managed to get ping through. The error was the "log" words in the 
lines. But this is just the beginning. Now I have another problem with 
traceroute, as well as with all the normal internet traffic that has to 
go through it. In the traceroute rules I replaced "$ext_if" with 
"egress", but that makes very little difference. Creating a table for 
the martians doesn't work either. I have restored the old situation, so 
that it does not cause an error message.




Re: Ping blocked by firewall

2024-04-09 Thread Karel Lucas
I moved the lines with the martians between the 'block log all' line and 
the ping lines. Furthermore, I changed the macro 'martians' to a table: 
table <martians> persist file "etc/martians".


Messages during booting:
/etc/pf.conf:29: syntax error
/etc/pf.conf:29: macro 'martians' not defined
/etc/pf.conf:30: macro 'martians' not defined
/etc/pf.conf:38: syntax error
/etc/pf.conf:39: syntax error
/etc/pf.conf:46: syntax error

On 09-04-2024 at 11:13 Otto Moerbeek wrote:

On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:


I defined the table as stated in your book (3rd edition, page 42). However,
that gives an error message. In the lines with that table: macro 'martians'
not defined. Moreover, I now also have a Syntax error in lines 38, 39 and
46, causing the pf lines not to be loaded.

How about showing what you did, showing the actual error messages so
people here can actually help you? Just saying "it does not work" does
not get you anywhere.

-Otto

On 09-04-2024 at 08:53 Peter N. M. Hansteen wrote:

On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas wrote:

Hi all,

For the first time I tested my new firewall with ping, and it is blocked. I
don't know what the reason is, you can find the information below. I have a
network with only regular clients, so no servers. I'm still using OpenBSD
V7.4, and will upgrade once the firewall is up and running so I can test the
upgrade process.

Upgrading to 7.5 will not affect this particular problem I think.

Still low on caffeine I spot two likely factors - your $localnet range overlaps
with one of the ranges in $martians (which I anyway would recommend converting
into a table), and your block referencing $martians comes after the pass rules
that would have let icmp through. With no previous matching quick, last match
applies.

- Peter





Re: Ping blocked by firewall

2024-04-09 Thread Karel Lucas
I defined the table as stated in your book (3rd edition, page 42). 
However, that gives an error message. In the lines with that table: 
macro 'martians' not defined. Moreover, I now also have a Syntax error 
in lines 38, 39 and 46, causing the pf lines not to be loaded.


On 09-04-2024 at 08:53 Peter N. M. Hansteen wrote:

On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas wrote:

Hi all,

For the first time I tested my new firewall with ping, and it is blocked. I
don't know what the reason is, you can find the information below. I have a
network with only regular clients, so no servers. I'm still using OpenBSD
V7.4, and will upgrade once the firewall is up and running so I can test the
upgrade process.

Upgrading to 7.5 will not affect this particular problem I think.

Still low on caffeine I spot two likely factors - your $localnet range overlaps
with one of the ranges in $martians (which I anyway would recommend converting
into a table), and your block referencing $martians comes after the pass rules
that would have let icmp through. With no previous matching quick, last match
applies.

- Peter
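Peter's diagnosis above rests on PF's evaluation order: the last matching rule decides, unless a matching rule carries quick, in which case evaluation stops there, and a packet matched by no rule at all is passed. As an added example (not from the thread, and a model rather than pfctl itself), the Python below simulates that order on a constructed three-rule subset of the posted ruleset and checks the other point, that 192.168.2.0/24 lies inside the 192.168.0.0/16 martian range. The Rule and Packet types, the igc0 interface name and the 192.168.2.10 source address are assumptions made for the illustration.

```python
"""Toy model of PF rule evaluation, used to see why the posted ruleset
blocked ping: PF walks the rules top to bottom, the LAST matching rule
decides, except that a matching rule marked 'quick' decides immediately.
If nothing matches, PF's implicit default is to pass the packet."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed values modelled on the thread's pf.conf; not the poster's file.
MARTIANS = ["127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8",
            "169.254.0.0/16", "192.0.2.0/24", "0.0.0.0/8", "240.0.0.0/4"]
LOCALNET = "192.168.2.0/24"


@dataclass
class Rule:
    action: str                        # "pass" or "block"
    quick: bool = False                # stop evaluating once this rule matches
    direction: Optional[str] = None    # "in", "out" or None for both
    iface: Optional[str] = None        # interface name or None for any
    proto: Optional[str] = None        # "icmp", "tcp", "udp" or None for any
    src: List[str] = field(default_factory=list)   # source networks; empty = any


@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    src: str


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does this rule's selector cover the packet?"""
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.src:
        addr = ipaddress.ip_address(pkt.src)
        if not any(addr in ipaddress.ip_network(net) for net in rule.src):
            return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule); ('pass', None) if none match."""
    decision: Tuple[str, Optional[int]] = ("pass", None)
    for i, rule in enumerate(rules):
        if not matches(rule, pkt):
            continue
        decision = (rule.action, i)      # last match so far wins ...
        if rule.quick:
            break                        # ... unless it is quick
    return decision


def overlapping_martians(localnet: str, martians: List[str]) -> List[str]:
    """Which bogon ranges contain the local network (the overlap Peter noted)?"""
    local = ipaddress.ip_network(localnet)
    return [m for m in martians if local.subnet_of(ipaddress.ip_network(m))]


# Order as posted: block all, pass icmp, then a quick block on the martians.
def posted_order() -> List[Rule]:
    return [
        Rule("block"),                                   # block log all
        Rule("pass", proto="icmp"),                      # "letting ping through"
        Rule("block", quick=True, direction="in", iface="igc0", src=MARTIANS),
    ]


# Martians block moved up and its 'quick' removed: the later pass is last match.
def block_first_without_quick() -> List[Rule]:
    return [
        Rule("block"),
        Rule("block", direction="in", iface="igc0", src=MARTIANS),
        Rule("pass", proto="icmp"),
    ]


# Martians block moved up but kept 'quick': it still wins, before pass is seen.
def block_first_with_quick() -> List[Rule]:
    return [
        Rule("block"),
        Rule("block", quick=True, direction="in", iface="igc0", src=MARTIANS),
        Rule("pass", proto="icmp"),
    ]


# Constructed packet: an echo request from a LAN host; 192.168.2.0/24 sits
# inside the 192.168.0.0/16 martian range.
PING = Packet(direction="in", iface="igc0", proto="icmp", src="192.168.2.10")

if __name__ == "__main__":
    print("posted order:          ", evaluate(posted_order(), PING))
    print("block first, no quick: ", evaluate(block_first_without_quick(), PING))
    print("block first, quick:    ", evaluate(block_first_with_quick(), PING))
    print("localnet overlaps:     ", overlapping_martians(LOCALNET, MARTIANS))
```

Running it shows the posted order blocking the echo request at the quick martians rule, the reordered ruleset without quick passing it because the pass rule is then the last match, and the overlap check returning 192.168.0.0/16; the practical lesson is the one Peter gives, that a martians block belongs before the pass rules, with quick, and must not cover your own $localnet.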





Ping blocked by firewall

2024-04-09 Thread Karel Lucas

Hi all,

For the first time I tested my new firewall with ping, and it is 
blocked. I don't know what the reason is, you can find the information 
below. I have a network with only regular clients, so no servers. I'm 
still using OpenBSD V7.4, and will upgrade once the firewall is up and 
running so I can test the upgrade process.


/etc/pf.conf:
ext_if = igc0 # Extern interface
int_if = "{ igc1, igc2 }" # Intern interfaces
localnet = "192.168.2.0/24"
tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
udp_services = "{ domain, ntp }"
email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
icmp_types = "{ echoreq, unreach }"
icmp6_types = "{ echoreq, unreach }"
nameservers = "{ 195.121.1.34, 195.121.1.66 }"
client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
                446, cvspserver, 2628, 5999, 8000, 8080 }"
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
            10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
            0.0.0.0/8, 240.0.0.0/4 }"
set skip on lo
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
block log all                # block stateless traffic
# Letting ping through:
pass log on inet proto icmp icmp-type $icmp_types
pass log on inet6 proto icmp6 icmp6-type $icmp6_types
# Allow out the default range for traceroute(*):
# "base+nhops*nqueries-1" (3434+64*3-1)
pass log out on ext_if inet proto udp to port 33433:33626 # for IPv4
pass log out on ext_if inet6 proto udp to port 33433:33626 # for IPv6
pass log quick on $ext_if inet proto {tcp, udp} from $localnet \
        to port $udp_services
pass log on $ext_if inet proto icmp all icmp-type $icmp_types
pass log on $ext_if inet proto tcp from $localnet to port $client_out
block log in quick on $ext_if from $martians to any
block log out quick on $ext_if from any to $martians
pass log out proto tcp to port $tcp_services   # establish keep-stat
pass log log proto udp to port $udp_services   # Establish keep-state

/var/log/pflog:
tcpdump: WARNING: snaplen raised from 116 to 160
Apr 09 08:16:45.009497 :: > ff02::16: HBH multicast listener report v2, 
2 group record(S) [hlim 1]
apr 09 08:16:45.009500 :: > ff02::16: HBH multicast listener report v2, 
2 group record(S) [hlim 1]




Bridging firewall with online update/upgrade

2024-04-03 Thread Karel Lucas

Hi all,

I am creating a bridging firewall with OpenBSD and the following 
hardware: 
https://www.amazon.nl/dp/B0B6J89MXJ?ref=ppx_pop_dt_b_asin_image=1. 
OpenBSD is already installed. I want to use ETH1 for the input from my 
ADSL modem, ETH2 and ETH3 for the output to my network. Furthermore, I 
would like to use ETH4 for the update/upgrade of the firewall. Remove 
the connection from ETH1, plug it into ETH4, and update/upgrade. Then 
the connection returns to ETH1. ETH4 therefore receives an IP address 
and ETH1,ETH2 and ETH3 not. But now the problem: as long as the network 
connection of the ADSL modem is in ETH4, my network, including the 
firewall, is no longer secured, and attackers can take advantage. I 
therefore wonder whether it is possible to let the data flow via ETH1 
and ETH4 first pass through PF before an update/upgrade is done via 
ETH4. This means that the bridging firewall will have two entrances, one 
without and one with an IP address. I would like to know if that is 
possible, or if there is another option.




Bash instead of ksh

2024-04-01 Thread Karel Lucas

Hi all,

Instead of ksh I want to use bash as a general shell. But how can I set 
it up that way? Bash is already installed.




Re: Today's snapshot brokes some Qt app?

2024-03-31 Thread Lucas de Sena
On 2024-03-31, Kirill A. Korinsky wrote:
> Folks,
> 
> I just run: pkg_add -D snap -u
> 
> After that I've discovered that some Qt apps are crashing with errors like:
> 
>   Cannot add multiple registrations for QtQuick
>   Abort trap (core dumped) 
> 
> for example telegram-desktop crashes but wireshark doesn't.
> 
> -- 
> wbr, Kirill
> 

Telegram-desktop (net/tdesktop) also crashed here after a package update.

I then noticed it was caused by linking issues with the qt6 libraries.
Deleting and adding net/tdesktop simply solved that.

That should not be a problem tho.  Applications are normally reinstalled
after the library is updated (or does that only happen when a major
version of the library is installed?).



Re: No coloring with colorls

2024-03-31 Thread Karel Lucas
This method also works! Instead of vt220 I now used xterm-256color. 
Thank you!


On 30-03-2024 at 11:51 Stuart Henderson wrote:

On 2024-03-29, Karel Lucas  wrote:

What should I put in /etc/ttys, taking into account that I regularly use
multiple virtual consoles? And where in that file do I place that? At
the beginning or the end? Or somewhere in between?

Replace "vt220" with your preferred option on "console" and "ttyC" lines.
  





Re: No coloring with colorls

2024-03-29 Thread Karel Lucas
What should I put in /etc/ttys, taking into account that I regularly use 
multiple virtual consoles? And where in that file do I place that? At 
the beginning or the end? Or somewhere in between?


On 29-03-2024 at 09:15 Stuart Henderson wrote:

On 2024-03-28, Karel Lucas  wrote:


On 28-03-2024 at 07:51 Stuart Henderson wrote:

For the console, use /etc/ttys.

For an X terminal, use whatever mechanism is correct for that terminal
(.Xdefaults XTerm*termName for xterm).

The file /etc/ttys is 22.5kB in size and is full of all kinds of "tty**
...". I don't think this is the right file to use something like that.
It seems to me that you are making the system disrupted/unstable by
doing so. Those "ttys**..." won't vouch for it for nothing.

Yes that is exactly the right file. That is what the file is *for*. It
sets the console type for various ways of accessing consoles on the
system. The "console" and "ttyC*" lines are the ones you want (the
additional ones are for various virtual consoles on ctrl-alt-f2, etc).
(The "tty0*" are for serial consoles if you have them.)






Re: No coloring with colorls

2024-03-28 Thread Karel Lucas




On 28-03-2024 at 07:51 Stuart Henderson wrote:

For the console, use /etc/ttys.

For an X terminal, use whatever mechanism is correct for that terminal
(.Xdefaults XTerm*termName for xterm).


The file /etc/ttys is 22.5kB in size and is full of all kinds of "tty** 
...". I don't think this is the right file to use something like that. 
It seems to me that you are making the system disrupted/unstable by 
doing so. Those "ttys**..." won't vouch for it for nothing.




Re: No coloring with colorls

2024-03-27 Thread Karel Lucas
What is the correct setting, taking into account the coloring of the 
directory listing?


On 27-03-2024 at 14:02 Stuart Henderson wrote:

On 2024-03-27, Karel Lucas  wrote:

It works correctly! My /etc/profile now looks like this:
export TERM=xterm-256color

That is not working correctly, because you forcibly override the correct
TERM which is set for things like screen/tmux.

For the console, use /etc/ttys.

For an X terminal, use whatever mechanism is correct for that terminal
(.Xdefaults XTerm*termName for xterm).






Re: No coloring with colorls

2024-03-26 Thread Karel Lucas

It works correctly! My /etc/profile now looks like this:
export TERM=xterm-256color
export CLICOLOR=yes
export CLICOLOR_FORCE=yes
export LSCOLORS=exfxcxdxbxegedabagacad
And with colorls -Ghl I get the output in color. Thank you all very much!


On 25-03-2024 at 23:46 Benjamin Stürz wrote:

On 25.03.24 23:40, Karel Lucas wrote:

Hi all,

After installing colorls and making some adjustments to the system, I 
still have no colored output from colorls. Below I have indicated the 
settings that have been made or are present by default. I would like 
to know what is wrong and what needs to be improved.


Default environment:
TERM=vt220

Added environment:
CLICOLOR=yes
CLICOLOR_FORCE=yes
LSCOLORS=exfxcxdxbxegedabagacad


Try CLICOLOR=1 (and TERM=xterm-256color, if it doesn't help).





Re: No coloring with colorls

2024-03-25 Thread Karel Lucas

Dear Benjamin,

In which configuration file can I change TERM?

On 25-03-2024 at 23:46 Benjamin Stürz wrote:

On 25.03.24 23:40, Karel Lucas wrote:

Hi all,

After installing colorls and making some adjustments to the system, I 
still have no colored output from colorls. Below I have indicated the 
settings that have been made or are present by default. I would like 
to know what is wrong and what needs to be improved.


Default environment:
TERM=vt220

Added environment:
CLICOLOR=yes
CLICOLOR_FORCE=yes
LSCOLORS=exfxcxdxbxegedabagacad


Try CLICOLOR=1 (and TERM=xterm-256color, if it doesn't help).





Re: No coloring with colorls

2024-03-25 Thread Karel Lucas

Dear Amelia,

In which configuration file can I change this? Is 'wsvt25' universally 
suitable for use?


On 26-03-2024 at 00:03 Amelia A Lewis wrote:

On Mon, 25 Mar 2024 23:40:52 +0100, Karel Lucas wrote:

After installing colorls and making some adjustments to the system, I
still have no colored output from colorls. Below I have indicated the
settings that have been made or are present by default. I would like
to know what is wrong and what needs to be improved.

Default environment:
TERM=vt220

$ pkg_info -q colorls
ls(1) that can use color to display file attributes

This is a simple hack, taken from FreeBSD, to OpenBSD's ls(1) to
use ANSI sequences to display file attributes in color.  There is
a -G flag (somewhat similar to the -F flag).  Take a look at the
man page for details.  The program is called "colorls", so you may
want to use an alias such as ls=/usr/local/bin/colorls.

Note that you need a color-capable terminal to enable colorls.  This
means you should set your TERM to "wsvt25" on the wscons(4) console
and to "sun-color" when using the Sun console, not "vt220" and
"sun", respectively, which are not color-capable in termcap(5).

Maintainer: Christian Weisgerber 

Amy!




No coloring with colorls

2024-03-25 Thread Karel Lucas

Hi all,

After installing colorls and making some adjustments to the system, I 
still have no colored output from colorls. Below I have indicated the 
settings that have been made or are present by default. I would like to 
know what is wrong and what needs to be improved.


Default environment:
TERM=vt220

Added environment:
CLICOLOR=yes
CLICOLOR_FORCE=yes
LSCOLORS=exfxcxdxbxegedabagacad



Re: Bridging firewall and ntpd

2023-12-19 Thread Karel Lucas

Dear Mr. Henderson,

From your answer I understand that to use the ntp daemon the interfaces 
still need an IP address. Unfortunately, a GPS unit is not available or 
desirable, so it seems to me that I will have to do it without a 
calibrated time, if there is no other option.



On 20-12-2023 at 00:04 Stuart Henderson wrote:

On 2023-12-19, Karel Lucas  wrote:

Hi all,

I am creating a bridging firewall, and am wondering if it is possible to
use the ntp daemon to ensure that all log files are timed correctly. Is
there a way to achieve that despite the fact that the network
connections do not have an IP address?

Yes, e.g. with a gps unit and nmea(4)

If you want to fetch time over the network, however, the machine will
need to have network access.






Bridging firewall and ntpd

2023-12-19 Thread Karel Lucas



Hi all,

I am creating a bridging firewall, and am wondering if it is possible to 
use the ntp daemon to ensure that all log files are timed correctly. Is 
there a way to achieve that despite the fact that the network 
connections do not have an IP address?




Xbox 360 wireless controller support

2023-12-15 Thread Lucas de Sena
Hi,

I want to make my Xbox 360 wireless controller work.  Although
it is "wireless", it actually communicates through usb(4) to a
dongle receiver[1] that connects with up to 4 controllers.

For that, I recompiled the kernel with the attached patch, and
booted into it.  When plugging the receiver, I get this output
from usbdevs(8) and dmesg(8):

| $ usbdevs -v
| Controller /dev/usb0:
| [...]
| addr 02: 045e:0719 \M-)Microsoft, Xbox 360 Wireless Receiver for Windows
|  full speed, power 260 mA, config 1, rev 1.00, iSerial FF4CC9A0
|  driver: uhidev1
|  driver: uhidev2
|  driver: uhidev3
|  driver: uhidev4
| [...]
|
| $ dmesg
| [...]
| uhidev0 at uhub0 port 1 configuration 1 interface 0 "\M-)Microsoft Xbox 360 
Wireless Receiver for Windows" rev 2.00/1.00 addr 2
| uhidev0: iclass 255/93
| ujoy0 at uhidev0: input=20, output=0, feature=0
| uhidev1 at uhub0 port 1 configuration 1 interface 2 "\M-)Microsoft Xbox 360 
Wireless Receiver for Windows" rev 2.00/1.00 addr 2
| uhidev1: iclass 255/93
| ujoy1 at uhidev1: input=20, output=0, feature=0
| uhidev2 at uhub0 port 1 configuration 1 interface 4 "\M-)Microsoft Xbox 360 
Wireless Receiver for Windows" rev 2.00/1.00 addr 2
| uhidev2: iclass 255/93
| ujoy2 at uhidev2: input=20, output=0, feature=0
| uhidev3 at uhub0 port 1 configuration 1 interface 6 "\M-)Microsoft Xbox 360 
Wireless Receiver for Windows" rev 2.00/1.00 addr 2
| uhidev3: iclass 255/93
| ujoy3 at uhidev3: input=20, output=0, feature=0
| ugen2 at uhub0 port 1 configuration 1 "\M-)Microsoft Xbox 360 Wireless 
Receiver for Windows" rev 2.00/1.00 addr 2

Four ujoy(4) drivers are automatically attached after plugging
the receiver.  And the controllers are listed on SuperTuxKart,
for example.  But when I pair the controller with the receiver
(both have a button I need to press at the same time for that)
the controller does not see itself as paired.

I think that some kind of communication between the driver and
the receiver needs to be performed.  I checked the code of the
xbox gamepad driver in the Linux kernel (see xpad.c[2]), and I
could identify two things:

First, Linux driver calls xpad360w_start_input() when a device
is plugged to send it an HID output request.  Here's a comment
from that function:

> Send presence packet.
> This will force the controller to resend connection packets.
> This is useful in the case we activate the module after the
> adapter has been plugged in, as it won't automatically
> send us info about the controllers.

On OpenBSD, I fixed uhidev_use_rdesc() in sys/dev/usb/uhidev.c
to make the driver send the same packets that Linux does.  But
I do not think the device ever receives them, as dmesg(8) says
that the size of the output report is zero.  Also, I found the
following comment in the wired controller's report descriptor,
which the wireless controller also uses (more on that below),
in sys/dev/usb/uhid_rdesc.h:

> The descriptor has no output report format, thus preventing
> you from controlling the LEDs and the built-in rumblers.

I do not know how to expand the report descriptor to include a
format for output report (nor whether that is feasible).

Second, the Linux driver converts input requests into requests
for the regular wired controller report descriptor.  It parses
the first 4 bytes of the report data (with info about whether a
controller has been connected/disconnected), then it processes
the remaining data ([4]) as if it was read from a regular
wired controller.  See xpad360w_process_packets() in the Linux
file.

Again, I do not know how I can expand the existing xbox report
descriptor (or write a new one for the wireless controller) to
ignore the first four bytes.

So I am stuck now.

I ask for help on how I can continue hacking the driver to add
support for this controller.

    Thank you,
  -- Lucas de Sena

[1]: https://commons.wikimedia.org/wiki/File:Xbox_360_Wireless_Receiver.png
[2]: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/plain/drivers/input/joystick/xpad.c


diff /usr/src
commit - b87515de6c2d632ea9e8c74e8b0ceb61cc0773ae
path + /usr/src
blob - c0664fbf239386b0aaf5191c0663db387aea27f5
file + sys/dev/usb/uhidev.c
--- sys/dev/usb/uhidev.c
+++ sys/dev/usb/uhidev.c
@@ -65,6 +65,8 @@ int uhidev_use_rdesc(struct uhidev_softc *, usb_interf
int, int, void **, int *);
 #define UISUBCLASS_XBOX360_CONTROLLER  0x5d
 #define UIPROTO_XBOX360_GAMEPAD0x01
+#define UISUBCLASS_XBOX360W_CONTROLLER 0x5d
+#define UIPROTO_XBOX360W_GAMEPAD   0x81
 #define UISUBCLASS_XBOXONE_CONTROLLER  0x47
 #define UIPROTO_XBOXONE_GAMEPAD0xd0
 #endif /* !SMALL_KERNEL */
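Review bot: UISUBCLASS_XBOX360W_CONTROLLER is given the same value (0x5d) as the existing UISUBCLASS_XBOX360_CONTROLLER directly above it, so the wireless receiver is told apart from the wired pad only by UIPROTO_XBOX360W_GAMEPAD (0x81 against 0x01); either reuse UISUBCLASS_XBOX360_CONTROLLER in the new match clause, or add a short comment saying the two subclass values are intentionally identical so nobody later "fixes" one of them. The usbdevs/dmesg output earlier in the mail ("iclass 255/93") confirms 93 == 0x5d for the receiver.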
@@ -126,6 +128,10 @@ uhidev_match(struct device *parent, void *match, void 
id->bInterfaceProtocol == UIPROTO

Re: ls in color

2023-12-08 Thread Karel Lucas




On 08-12-2023 at 19:42 Theo de Raadt wrote:

Karel Lucas  wrote:


In openBSD V7.4 I would like to see the output of ls in color, and
therefore would like to know how to configure that. The output of "man
ls" provides no information about this. Can anyone give me a tip?

Black and white are also colours.


That is not what I had in mind!



ls in color

2023-12-08 Thread Karel Lucas



Hi all,

In openBSD V7.4 I would like to see the output of ls in color, and 
therefore would like to know how to configure that. The output of "man 
ls" provides no information about this. Can anyone give me a tip?




Re: Pimp my APU

2023-11-11 Thread Lucas Gabriel Vuotto
On Sat, Nov 11, 2023 at 10:42:22AM -, Stuart Henderson wrote:
> > 3) There is a simple watchdog timer in the NCT5104D that can be
> > connected to the reset line. Would this be implemented?
> 
> also AFAIK no.
> 
> wbsio(4) has code to probe for the device these days so it's unlikely
> to be difficult for someone with an interest in such a thing to add
> support for watchdog and/or gpio. Look at other superio drivers which
> already have this functionality, in particular look at cvs history
> from when it was added. As far as device driver coding goes, adding
> GPIO/sensors/watchdog support to an existing driver for a device with
> an available datasheet is fairly straightforward and doesn't need deep
> coding skills.

There is https://marc.info/?l=openbsd-tech=158113851919238=2 from
2020.



Connecting a wireless keyboard via Bluetooth

2023-10-25 Thread Karel Lucas

Hi all,

I have a computer with openBSD V7.4 without X11, to which I want to 
connect a wireless keyboard via Bluetooth. The keyboard is connected via 
a separate USB Bluetooth receiver. What software do I need for this, and 
how do I configure it? I hope someone responds to this.




Re: reorder_kernel: failed

2023-10-17 Thread Karel Lucas




On 17-10-2023 at 16:50 Janne Johansson wrote:



On Tue 17 Oct 2023 at 16:49 Karel Lucas wrote:

Hi all,

After a new installation of openBSD 7.4 I received the following
message: "reorder_kernel: failed -- see
/usr/share/relink/kernel/GENERIC.MP/relink.log". That turns out to be a
zlib compressed data file, and I don't know how to unpack or read it.
Does anyone know how I can do that?



If it actually is a zlib compressed file, then "zcat" or "zless" 
should work fine.


--
May the most significant bit of your life be positive.


Content of relink.log:

(SHA256) /bsd: OK
LD="ld" sh makegap.sh 0x gapdummy.o
ld  -T  ld.script -X  --warn-common -nopie -o newbsd ${SYSTEM_HEAD} 
vers.o ${OBJS}

text              data         bss    dec      hex
21325291    403432   1241088    22969811   15e7dd3
mv newbsd newbsd.gdb
ctfstrip -S -o newbsd  newbsd.gdb
rm -f bsd.gdb
mv -f newbsd bsd
install -F -m 700 bsd /bsd && sha256 -h /var/db/kernel.SHA256 /bsd
install: rename: INS@4erJJ3bo3 to /bsd: Operation not permitted
*** Error 1 in /usr/share/relink/kernel/GENERIC.MP (Makefile:2267 
'newinstall')


Re: reorder_kernel: failed

2023-10-17 Thread Karel Lucas




On 17-10-2023 at 16:53 Jan Stary wrote:

On Oct 17 16:46:13, cahlu...@planet.nl wrote:

Hi all,

After a new installation of openBSD 7.4 I received the following message:
"reorder_kernel: failed -- see
/usr/share/relink/kernel/GENERIC.MP/relink.log". That turns out to be a zlib
compressed data file, and I don't know how to unpack or read it. Does anyone
know how I can do that?

That's supposed to be a text file (a log, duh).
Have you looked at it? What makes you think it's a zlib file?


file /usr/share/relink/kernel/GENERIC.MP/relink.log



reorder_kernel: failed

2023-10-17 Thread Karel Lucas

Hi all,

After a new installation of openBSD 7.4 I received the following 
message: "reorder_kernel: failed -- see 
/usr/share/relink/kernel/GENERIC.MP/relink.log". That turns out to be a 
zlib compressed data file, and I don't know how to unpack or read it. 
Does anyone know how I can do that?





OpenBSD 7.4

2023-10-12 Thread Karel Lucas
Is it already known when openBSD 7.4 will be released? I would like to 
know that, because of a project I am working on.




Re: Mouse not working via KVM switch

2023-08-21 Thread Karel Lucas



Dear Nick,

I have now installed Linux on the same computer in place of OpenBSD and 
the mouse works fine via the KVM switch. This despite possible broken 
capacitors, wrong voltages and malfunctioning computers. Note that not 
all computers connected to the KVM switch will work at the same time. 
There appear to be other problems with OpenBSD's X window system. The X 
session on OpenBSD is started manually with "startx". After stopping 
such a session with ctrl + alt + backspace I get the following error 
messages:


   WARNING: Kernel has no file descriptor comparison support: No such file or directory
   (EE) Failed to open authorization file "/root/.serverauth.xx": Permission denied
   (xx has different characters at each session)
   xterm: fatal IO error 35 (resource temporarily unavailable) or KillClient on X server ":0"


I don't know what these error messages mean and how to fix them. Maybe 
someone can help me with that. It looks like it's not just a problem 
with the mouse, but there's more to it.




On 19-08-2023 at 03:58 Chris Bennett wrote:

On Fri, Aug 18, 2023 at 07:58:03PM +0200, Karel Lucas wrote:

Dear Nick,

For more than ten years I have been working with an ATEN brand KVM switch
together with several computers, including Linux and OpenBSD (version 4.1).
In all these years I have had no problems, not with my KVM switch, nor with
any degree of disconnection. The keyboard works flawlessly via the switch,
it's only the mouse that I have a problem with, and only with OpenBSD.


This is not very clear at all.
You have used the same KVM switch for ten years, but haven't considered
it having hardware degradation over that time? Capacitors are well known
for having limited lifetimes and are *usually* the first item looked at
in repairs. Switches also fail due to dirty contacts.

Or, are you saying that everything worked fine for OpenBSD 4.1, but not
for OpenBSD 7.3? The changes over that time have been enormous.


On 17-08-2023 at 13:56 Nick Holland wrote:

First of all, does your mouse work directly plugged into the OpenBSD
computer?

Yes, it does.

If so, it's your KVM switch.
As I mentioned above I have been working with my KVM switch and OpenBSD for
over ten years with very good results.


Second...if you boot the OpenBSD machine with the KVM pointed at the
OpenBSD machine, does it work?

No, even then it won't work.

Have you swapped ports on the KVM switch to rule out a partial hardware
failure on the switch?
Have you also disconnected the other hardware and OS inputs to rule out
them as the source of the problem?
Have you checked that the other machines are producing the correct
supply voltages? Power supply failures are a consistent problem with
computers. High or low voltages don't mix well.
Have you checked with your switch manufacturer to make sure there wasn't
a problem with your switches model? It happens a lot.

After ten years of service, if you insist that the switch isn't the
problem, (Prove it) then you need to also prove that the other hardware
is functioning properly. Do not believe what the BIOS or sensors say
that the voltage is. A bad voltage will cause those readings to fail.
Get a good voltmeter with excellent probes for this kind of work and
check *everything*.
Please use a great deal of care. You will need to measure voltages on
the motherboards in addition to what the power supply puts out.
Everything is running and you will need to check in many spots.
Also, there are high voltages inside the power supply. Don't get
electrocuted. Drain the voltages off the capacitors in there with a
suitable tool for that purpose if you go inside there. Yes, even with
the power off and power cable disconnected.

And it's tricky. I have a power supply cable for two hard drives. Two
connectors crimped across the same cable. One of the crimps is bad.
Recognizing that saved me a trip to hell after about an hour. Easy to
fix, damned hard to locate.

Chris Bennett



You might be able to improve how OpenBSD deals with KVM switched mice,
because yes, it does seem to be a little more touchy than some other
OSs, but someone with good programming and HW trouble shooting
skills AND a cheap-*** POS KVM switch would have to care. Most people
that skilled generally just buy a better KVM switch and move on.

That more than ten years of loyal service proves that my KVM is of good
quality.

What does the dmesg show as you switch the KVM around?  That would tell
us how the KVM works.  Some are equiv. of plugging and unplugging the
mouse/keyboard/monitor, some do some kind of "keep alive" so the
computer thinks the mouse is still there.  Both can cause problems of
different types (my "good" one seems to plug/unplug the mouse/keyboard,
but has a great keep-alive for the monitor).
What I've learned about my KVM switch over the past ten years is that both
the mouse and keyboard are e

Re: Mouse not working via KVM switch

2023-08-18 Thread Karel Lucas



Dear Nick,

For more than ten years I have been working with an ATEN brand KVM 
switch together with several computers, including Linux and OpenBSD 
(version 4.1). In all these years I have had no problems, not with my 
KVM switch, nor with any degree of disconnection. The keyboard works 
flawlessly via the switch, it's only the mouse that I have a problem 
with, and only with OpenBSD.


On 17-08-2023 at 13:56 Nick Holland wrote:


First of all, does your mouse work directly plugged into the OpenBSD
computer?

Yes, it does.

If so, it's your KVM switch.
As I mentioned above I have been working with my KVM switch and OpenBSD 
for over ten years with very good results.



Second...if you boot the OpenBSD machine with the KVM pointed at the
OpenBSD machine, does it work?

No, even then it won't work.

You might be able to improve how OpenBSD deals with KVM switched mice,
because yes, it does seem to be a little more touchy than some other
OSs, but someone with good programming and HW trouble shooting
skills AND a cheap-*** POS KVM switch would have to care.  Most people
that skilled generally just buy a better KVM switch and move on.
That more than ten years of loyal service proves that my KVM is of good 
quality.

What does the dmesg show as you switch the KVM around?  That would tell
us how the KVM works.  Some are equiv. of plugging and unplugging the
mouse/keyboard/monitor, some do some kind of "keep alive" so the
computer thinks the mouse is still there.  Both can cause problems of
different types (my "good" one seems to plug/unplug the mouse/keyboard,
but has a great keep-alive for the monitor).
What I've learned about my KVM switch over the past ten years is that 
both the mouse and keyboard are emulated when they are switched to 
another computer. Never have I had any problems with my computers when 
switching with my KVM switch.






Mouse not working via KVM switch

2023-08-14 Thread Karel Lucas

Hi all,
On a recent install of OpenBSD I can't get the mouse to work through my 
KVM switch. I work with various computers via a KVM switch on 1 monitor 
with a keyboard/mouse combination. Only on the PC with OpenBSD the mouse 
does not work; the keyboard, on the other hand, works fine. Both are 
connected to the KVM switch via USB, and the switch via USB to the 
computers. The brand of the mouse is Logitech. Does anyone know why the 
mouse doesn't work, but the keyboard does?




Unable to add packages

2023-08-14 Thread Karel Lucas

Hi all,
Entered on a fresh install of OpenBSD: pkg_add bash. I got the 
following error: ftp: ftp.nluug.nl/pub/OpenBSD: no address associated 
with name. Not too long ago I did this on another machine and it worked. 
The correct site is listed in /etc/installurl: 
https://ftp.nluug.nl/pub/OpenBSD. Can someone give me a tip on how to 
solve this?




Re: re-create certs server/laptop both OpenBSD 7.3

2023-08-13 Thread Lucas
latin...@vcn.bc.ca wrote:
> Hello
> 
> I am testing IKEv2; and because I felt really confused trying to configure
> them, I deleted all certs, and I cannot find how to re-create them, in the FAQ
> and misc!
> 
> May somebody help please?
> 
> Thank you.

It's in /etc/rc, function make_keys at line 135:

# Generate keys for isakmpd, iked and sshd if they don't exist yet.
make_keys() {
    # ...
    local _iked_key=/etc/iked/private/local.key
    local _iked_pub=/etc/iked/local.pub

    # ...

    if [[ ! -f $_iked_key ]]; then
        echo -n "openssl: generating iked ECDSA keys... "
        if openssl ecparam -genkey -name prime256v1 -out $_iked_key \
            >/dev/null 2>&1 &&
            chmod 600 $_iked_key &&
            openssl ec -out $_iked_pub -in $_iked_key \
            -pubout >/dev/null 2>&1; then
            echo done.
        else
            echo failed.
        fi
    fi

    # ...
}

-Lucas



Re: Mouse does not work

2023-08-04 Thread Karel Lucas

dmesg:
...
uhub5 at uhub0 port 1 configuration 1 interface 0 "NEC hub" rev 2.00/1.00 addr 2
uhidev0 at uhub5 port 1 configuration 1 interface 0 "Logitech HID compliant keyboard" rev 1.10/1.80 addr 3
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 variable keys, 6 key codes
wskbd0 at ukbd0: console keyboard
uhidev1 at uhub5 port 1 configuration 1 interface 1 "Logitech HID compliant keyboard" rev 1.10/1.80 addr 3
uhidev1: iclass 3/0, 2 report ids
...
uhub6 at uhub5 port 4 configuration 1 interface 0 "ATEN International product 0x8021" rev 1.10/1.00 addr 4
uhidev2 at uhub6 port 1 configuration 1 interface 0 "Logitech USB Receiver" rev 2.00/12.11 addr 5
uhidev2: iclass 3/1
ukbd1 at uhidev2: 8 variable keys, 6 key codes
wskbd2 at ukbd1 mux 1
uhidev3 at uhub6 port 1 configuration 1 interface 1 "Logitech USB Receiver" rev 2.00/12.11 addr 5
uhidev3: iclass 3/1, 8 report ids
ums0 at uhidev3 reportid 2: 16 buttons, Z and W dir
wsmouse0 at ums0 mux 0
...

usbdevs:
Controller /dev/usb0:
addr 01: 8086: Intel, EHCI root hub
addr 02: 0409:005a NEC, hub
addr 03: 046d:c30e Logitech, HID compliant keyboard
addr 04: 0557:8021 ATEN International, product 0x8021
addr 05: 046d:c52b Logitech, USB Receiver
addr 06: 04b4:6560 Cypress Semiconductor, USB2 Hub
addr 07: 1221:3234 USB2.0, Flash Diskr
Controller /dev/usb1:
addr 01: 8086: Intel, UHCI root hub
Controller /dev/usb2:
addr 01: 8086: Intel, UHCI root hub
Controller /dev/usb3:
addr 01: 8086: Intel, UHCI root hub
Controller /dev/usb4:
addr 01: 8086: Intel, UHCI root hub



On 04-08-2023 at 16:41 Peter J. Philipp wrote:

On Fri, Aug 04, 2023 at 04:24:09PM +0200, Karel Lucas wrote:

Hi all,

I have a few computers that I control with the same keyboard, mouse and
monitor via an electronic switch. Namely a Linux PC and an Apple (macOS X),
but now also a PC with OpenBSD. Both Linux PC and Apple work fine with the
switch, only with the PC with OpenBSD the mouse does not work. No problem
with the keyboard and monitor. The mouse is of the wireless type, so radio
controlled. What is the problem here, and what can I do about it?


Hi Karel,

I have a KVM switch too, though not sure if they are similar.  I can control
three computers and a possible fourth if I had it hooked up.  There are USB
inputs for keyboard and mouse and an extra USB port on a hub, as well as
a built-in sound card that has an on/off switch.  I also have a selection
button that toggles the PC # I want to switch to.  This is also doable
by pressing shift-lock twice and the number 1 through 4.  This is a USB
intercept and not passed through to the selected computer's hardware.

The way I fathom your setup is similar to mine, with an adapter for the
wireless mouse to go into USB?  It is always good to post a dmesg with
any hardware description so I'm gonna ask you for yours, it also doesn't
hurt to give a usbdevs output.

Best Regards,
-peter





Mouse does not work

2023-08-04 Thread Karel Lucas



Hi all,

I have a few computers that I control with the same keyboard, mouse and 
monitor via an electronic switch. Namely a Linux PC and an Apple (macOS 
X), but now also a PC with OpenBSD. Both Linux PC and Apple work fine 
with the switch, only with the PC with OpenBSD the mouse does not work. 
No problem with the keyboard and monitor. The mouse is of the wireless 
type, so radio controlled. What is the problem here, and what can I do 
about it?





Two problems

2023-08-04 Thread Karel Lucas



Hi all,

On a desktop PC on which I have OpenBSD, I installed KDE. When I start 
the X window system, I still see Fvwm, and no KDE. I also want to start 
the X window system when I start this PC, and that is not yet the case. 
How can I solve both problems?





Re: Installing openBSD

2023-08-03 Thread Karel Lucas



Hi,

My OpenBSD installation was successful! I first removed all partitions 
except for the EFI partition, which I left. Second I created one OpenBSD 
partition (type A6) on the freed space, after which I partitioned that 
partition with auto layout. Then I continued with the regular 
installation, and after reboot I got the login prompt. So in hindsight 
it was wise to leave the EFI partition. Perhaps others can benefit from 
this experience.



On 01-08-2023 at 07:04 patric conant wrote:
Hitting enter in the installer to use the whole disk will take care of 
you. As pointed out repeatedly, there are no requirements from pfsense 
to install or maintain OpenBSD. In the same way that pfsense didn't 
need anything from OpenBSD to install, OpenBSD can create all the 
necessary partitions for a successful EFI experience, and doesn't need 
anything from pfsense.


On Sun, Jul 30, 2023 at 12:41 PM Karel Lucas  wrote:


Hi all,

I'm going to install OpenBSD on a small PC that currently has PfSense on
it. This PC boots this OS via (U)EFI, and therefore has an EFI partition
on the existing SSD. The current partition table looks like, as shown by
OpenBSD fdisk:

  0: efiboot0
  1: gptboot0
  2: swap0
  3: zfs0.

Should I keep the (U)EFI partition? And if so, how do I mount the future
OpenBSD root partition to this (U)EFI installation? Are there any other
things I should watch out for? I look forward to receiving responses
from this community. Sincerely, Karel.



--
Patric Conant
Mirage Computing Lead Consultant
@MirageComputing <https://twitter.com/MirageComputing>on twitter
https://m.facebook.com/MirageComputing/
316 409 2424


Re: Installing openBSD

2023-07-31 Thread Karel Lucas



Hi,

But fdisk also has an option to edit the existing partition table. This 
allows me to delete only the partitions related to PfSense without 
deleting the (U)EFI partition. The question here is whether I will need 
it to boot OpenBSD's root partition.


On 31-07-2023 at 16:10 Theo de Raadt wrote:

Karel Lucas  wrote:


Multi-boot is not an option here. The intention is to replace the entire
PfSense installation with OpenBSD. Eventually this computer becomes a
firewall with PF, so the current installation is unnecessary. But my
question remains whether I need the (U)EFI partition for that or not.
Can anyone give me some helpful advice?

you are overthinking it

the default way through the installer reuses the whole disk.





Re: Installing openBSD

2023-07-31 Thread Karel Lucas



Hi,

Multi-boot is not an option here. The intention is to replace the entire 
PfSense installation with OpenBSD. Eventually this computer becomes a 
firewall with PF, so the current installation is unnecessary. But my 
question remains whether I need the (U)EFI partition for that or not. 
Can anyone give me some helpful advice?


On 31-07-2023 at 14:33 Peter N. M. Hansteen wrote:

On Mon, Jul 31, 2023 at 07:52:02AM -0400, Nick Holland wrote:

IF you want to multiboot, just don't until you can answer questions like
this yourself.  Multibooting is very complicated, and requires a mastery
of the boot process of ALL the OSs installed.  People often consider it
a way to "learn" a new OS, I disagree, it is a good way to get massively
frustrated and lose a lot of data.

I could not agree more.

Unless you are specifically interested in learning how to develop bootloaders
and that is something that you consider essential to your career plan going
forward, please do not mess with multibooting.

If your plan is to learn anything besides bootloader internals, please
do the sane thing and either run the one you are trying to learn on bare
hardware (the best you can afford) or if you are comfortable with a
virtualization platform, use that.

Multibooting will always be a painful distraction unless bootloaders
and their interactions with OSes and random hardware is what you want
to spend the bulk of your time on.

- Peter





Re: Installing openBSD

2023-07-31 Thread Karel Lucas



Hi,

It is not intended to be a dual boot installation. Therefore, the 
PfSense installation must be replaced by OpenBSD. My question is what I 
should do with the (U)EFI partition, and how I can possibly link OpenBSD 
to it. Does anyone have some good suggestions for me?



On 31-07-2023 at 00:06 Saïd AARAB wrote:

Hi,

It depends if you want to keep the existing pfSense install or if you 
want dual boot.


If looking to install beside pfSense, I would believe that installing 
OpenBSD along any existing OS should be no different than installing 
Linux or Windows along another OS, as you would need to prepare the 
block device (SSD) by making space if possible (and if you don't have 
any) for another partition in which you would install OpenBSD. So any 
documentation (explaining how to shrink existing partitions, create 
another partition, handle dual boot) that is not necessarily specific to 
OpenBSD should help.
I'm not very familiar with how pfSense works and if it did install a 
bootloader; if not you might need to install one like GRUB and 
configure it to be able to select between the two OSes at startup.


Overall installing dual boot is very tricky and you should be careful 
to not wipe your existing data; a backup is advised.




On Jul 30, 2023 19:30, Karel Lucas  wrote:


Hi all,

I'm going to install OpenBSD on a small PC that currently has PfSense on
it. This PC boots this OS via (U)EFI, and therefore has an EFI partition
on the existing SSD. The current partition table looks like, as shown by
OpenBSD fdisk:

 0: efiboot0
 1: gptboot0
 2: swap0
 3: zfs0.

Should I keep the (U)EFI partition? And if so, how do I mount the future
OpenBSD root partition to this (U)EFI installation? Are there any other
things I should watch out for? I look forward to receiving responses
from this community. Sincerely, Karel.





Installing openBSD

2023-07-30 Thread Karel Lucas



Hi all,

I'm going to install OpenBSD on a small PC that currently has PfSense on 
it. This PC boots this OS via (U)EFI, and therefore has an EFI partition 
on the existing SSD. The current partition table looks like, as shown by 
OpenBSD fdisk:


 0: efiboot0
 1: gptboot0
 2: swap0
 3: zfs0.

Should I keep the (U)EFI partition? And if so, how do I mount the future 
OpenBSD root partition to this (U)EFI installation? Are there any other 
things I should watch out for? I look forward to receiving responses 
from this community. Sincerely, Karel.




Mounting an SD-card and an USB-stick

2023-07-25 Thread Karel Lucas



Dear all,

For a fresh install of OpenBSD, I want to mount an SD card or a USB 
stick on an existing OpenBSD install, but don't know which device name 
to use. Maybe someone can help me out?




Which hardware for a firewall?

2023-06-20 Thread Karel Lucas



Hi all,

I'm going to create a firewall with OpenBSD, and would like to use the 
ARM64 or ARMv7 distribution for that. Unfortunately I don't know what 
hardware I can get for this, and that's the reason for this mail. Can 
someone point me to a suitable platform for this? If this email does not 
belong on this mailing list, I offer my apology. This is my first post 
on this mailing list, and I ask for understanding. Sincerely, Karel.




unresponsive system after programs have segfault

2023-06-16 Thread Lucas de Sena
Hi, sabiá, my laptop OpenBSD system, became unresponsive and all the
open terminal sessions were closed, leaving a ksh.core file all around,
including one at the root directory (/ksh.core).

Firefox, hexchat and other processes also terminated, leaving coredumps
in my home directory and a line in dmesg ending with "not MAP_STACK".

I had a virtual machine open and connected via ssh on a virtual network
(10.0.0.0/24).  I also had my phone charging on a USB port.  All that
and additional information can be read in the dmesg.

I could not shut down the laptop, so I powered it down forcefully.

What could have happened?

Thanks,
Lucas de Sena



Jun 16 08:54:32 sabia /bsd: OpenBSD 7.3-current (GENERIC.MP) #1226: Thu Jun  8 09:14:29 MDT 2023
Jun 16 08:54:32 sabia /bsd: dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
Jun 16 08:54:32 sabia /bsd: real mem = 8384462848 (7996MB)
Jun 16 08:54:32 sabia /bsd: avail mem = 8110710784 (7734MB)
Jun 16 08:54:32 sabia /bsd: random: good seed from bootblocks
Jun 16 08:54:32 sabia /bsd: mpath0 at root
Jun 16 08:54:32 sabia /bsd: scsibus0 at mpath0: 256 targets
Jun 16 08:54:32 sabia /bsd: mainbus0 at root
Jun 16 08:54:32 sabia /bsd: bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xdae9c000 (68 entries)
Jun 16 08:54:32 sabia /bsd: bios0: vendor LENOVO version "G1ETB4WW (2.74 )" date 09/25/2017
Jun 16 08:54:32 sabia /bsd: bios0: LENOVO 23501M2
Jun 16 08:54:32 sabia /bsd: efi0 at bios0: UEFI 2.3.1
Jun 16 08:54:32 sabia /bsd: efi0: Lenovo rev 0x2740
Jun 16 08:54:32 sabia /bsd: acpi0 at bios0: ACPI 5.0
Jun 16 08:54:32 sabia /bsd: acpi0: sleep states S0 S3 S4 S5
Jun 16 08:54:32 sabia /bsd: acpi0: tables DSDT FACP SLIC TCPA SSDT SSDT SSDT HPET APIC MCFG ECDT FPDT ASF! UEFI UEFI POAT SSDT SSDT DMAR UEFI DBG2
Jun 16 08:54:32 sabia /bsd: acpi0: wakeup devices LID_(S4) SLPB(S3) IGBE(S4) EXP3(S4) XHCI(S3) EHC1(S3) EHC2(S3) HDEF(S4)
Jun 16 08:54:32 sabia /bsd: acpitimer0 at acpi0: 3579545 Hz, 24 bits
Jun 16 08:54:32 sabia /bsd: acpihpet0 at acpi0: 14318179 Hz
Jun 16 08:54:32 sabia /bsd: acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
Jun 16 08:54:32 sabia /bsd: cpu0 at mainbus0: apid 0 (boot processor)
Jun 16 08:54:32 sabia /bsd: cpu0: Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz, 2594.24 MHz, 06-3a-09
Jun 16 08:54:32 sabia /bsd: cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
Jun 16 08:54:32 sabia /bsd: cpu0: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 256KB 64b/line 8-way L2 cache, 3MB 64b/line 12-way L3 cache
Jun 16 08:54:32 sabia /bsd: cpu0: smt 0, core 0, package 0
Jun 16 08:54:32 sabia /bsd: mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
Jun 16 08:54:32 sabia /bsd: cpu0: apic clock running at 99MHz
Jun 16 08:54:32 sabia /bsd: cpu0: mwait min=64, max=64, C-substates=0.2.1.1.2, IBE
Jun 16 08:54:32 sabia /bsd: cpu1 at mainbus0: apid 1 (application processor)
Jun 16 08:54:32 sabia /bsd: cpu1: Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz, 2594.14 MHz, 06-3a-09
Jun 16 08:54:32 sabia /bsd: cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
Jun 16 08:54:32 sabia /bsd: cpu1: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 256KB 64b/line 8-way L2 cache, 3MB 64b/line 12-way L3 cache
Jun 16 08:54:32 sabia /bsd: cpu1: smt 1, core 0, package 0
Jun 16 08:54:32 sabia /bsd: cpu2 at mainbus0: apid 2 (application processor)
Jun 16 08:54:32 sabia /bsd: cpu2: Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz, 2594.17 MHz, 06-3a-09
Jun 16 08:54:32 sabia /bsd: cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
Jun 16 08:54:32 sabia /bsd: cpu2: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 256KB 64b/line 8-way L2 cache, 3MB 64b/line 12-way L3 cache
Jun 16 08:54:32 sabia /bsd: cpu2: smt 0, core 1, package 0
Jun 16 08:54:32 sabia /bsd: cpu3 at mainbus0: apid 3 (application processor)
Jun 16 08:54:32 sabia /bsd: cpu3: Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz, 2594.18 MHz, 06-3a-09
Jun 16 08:54:32 sabia /bsd: cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,M

dmesg Lenovo ThinkPad X13 Gen2

2023-05-10 Thread Lucas
Suspend and hibernate works. Lidaction works. Internal mic doesn't work
but audio recording does work with a headset. Webcam works. vmm works.

Turning down the screen brightness with the keyboard does turn the whole
screen black for an instant when getting at low values:

display.brightness=100.00%
display.brightness=75.39%
display.brightness=57.13%
display.brightness=42.46%
display.brightness=32.14%
display.brightness=23.41%
display.brightness=17.06%
display.brightness=12.30%
display.brightness=8.72%
display.brightness=5.95%
display.brightness=4.76%
display.brightness=3.97% # single black screen blink starts here
display.brightness=2.77%
display.brightness=1.98%
display.brightness=0.79%
display.brightness=0.00%

OpenBSD 7.3-current (GENERIC.MP) #1175: Wed May  3 08:19:33 MDT 2023
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 16868896768 (16087MB)
avail mem = 16338006016 (15581MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.2 @ 0x90cb1000 (63 entries)
bios0: vendor LENOVO version "N35ET44W (1.44 )" date 01/28/2022
bios0: LENOVO 20WLS03M00
efi0 at bios0: UEFI 2.7
efi0: Lenovo rev 0x1440
acpi0 at bios0: ACPI 6.1
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SSDT SSDT SSDT SSDT TPM2 ECDT HPET APIC SSDT SSDT SSDT NHLT SSDT SSDT SSDT LPIT WSMT SSDT DBGP DBG2 MSDM SSDT BATB DMAR MCFG SSDT PTDT UEFI FPDT
acpi0: wakeup devices PEG0(S4) PEGP(S4) PEGP(S4) PEGP(S4) GLAN(S4) XHCI(S3) XDCI(S4) HDAS(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PXSX(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiec0 at acpi0
acpihpet0 at acpi0: 1920 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: 11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80GHz, 2693.79 MHz, 06-8c-01
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,AVX512F,AVX512DQ,RDSEED,ADX,SMAP,AVX512IFMA,CLFLUSHOPT,CLWB,PT,AVX512CD,SHA,AVX512BW,AVX512VL,AVX512VBMI,UMIP,PKU,WAITPKG,SRBDS_CTRL,MD_CLEAR,IBT,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu0: 48KB 64b/line 12-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 64b/line 20-way L2 cache, 12MB 64b/line 12-way L3 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 38MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.1.2.1.1.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: 11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80GHz, 2693.80 MHz, 06-8c-01
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,AVX512F,AVX512DQ,RDSEED,ADX,SMAP,AVX512IFMA,CLFLUSHOPT,CLWB,PT,AVX512CD,SHA,AVX512BW,AVX512VL,AVX512VBMI,UMIP,PKU,SRBDS_CTRL,MD_CLEAR,IBT,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu1: 48KB 64b/line 12-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 64b/line 20-way L2 cache, 12MB 64b/line 12-way L3 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: 11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80GHz, 2693.80 MHz, 06-8c-01
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,AVX512F,AVX512DQ,RDSEED,ADX,SMAP,AVX512IFMA,CLFLUSHOPT,CLWB,PT,AVX512CD,SHA,AVX512BW,AVX512VL,AVX512VBMI,UMIP,PKU,SRBDS_CTRL,MD_CLEAR,IBT,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu2: 48KB 64b/line 12-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 64b/line 20-way L2 cache, 12MB 64b/line 12-way L3 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: 11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80GHz, 2693.80 MHz, 06-8c-01
cpu3:

Re: Securely managing TLS certificates on growing server (website, XMPP, soon email)?

2022-12-17 Thread Lucas
> > Then the private keys within would all have 0400 permissions, user and group
> > being the same (so _prosody:_prosody for XMPP-related TLS). I noted that the
> > default is 700 permissions on `/etc/ssl/private` with root:wheel ownership.
> > Is the approach I've just outlined with adding a group and modifying
> > permissions a bad idea?
> 
> Personally, I wouldn't deviate from the os defaults by changing the
> permission on /etc/ssl/private.
> 
> it seems fragile, and you'd also need to make sure permissions are
> kept when updating the certificates.

100% agree with this. Also, you should update mtree accordingly to avoid
security(8) noise, then you can get some sysmerge noise on updates, ...

> all handled by cron as usual:
> 
>   ~ * * * * acme-client example.com && rcctl reload httpd
>   ~ * * * * acme-client xmpp && rcctl restart prosody

What I do is replace `rcctl restart prosody` with a script that

1. Copies private key and certificate into `/etc/prosody/certs` and
   fixes the owners and permissions
2. Runs `rcctl reload prosody` instead

I believe that a plain `rcctl re{load,start} prosody` shouldn't work
after acme-client creates a new private key, as that is created with
mode 0400 owned by root, and prosody runs under the _prosody user directly,
not starting as root, reading the key and then dropping to _prosody.

-Lucas



ksh: documented substitution behavior contradicts actual behavior

2022-10-15 Thread Lucas de Sena
Hi,

After trying to split a string into fields delimited with colons and
spaces, I found this bug in how ksh(1) does substitution.  The actual
behavior contradicts what other shells like bash and mksh do and also
contradicts its own manual.

Running the following on other shells (say, bash) prints "/foo/bar/".
This command splits the string " foo : bar " into two fields: "foo"
and "bar", considering colon and space as delimiters.

echo " foo : bar " | {
    IFS=": "
    read -r a b
    printf -- "/%s/%s/\n" "$a" "$b"
}

However, running the same command in OpenBSD ksh(1) (or sh(1)) splits
the string into "foo" and ": bar".

The manual ksh(1) provides the following, similar example:

> Example: If IFS is set to “:”, and VAR is set to
> “A:B::D”, the substitution for $VAR
> results in four fields: ‘A’, ‘B’, ‘’ (an empty field), and ‘D’.
> Note that if the IFS parameter is set to the NULL string, no field
> splitting is done; if the parameter is unset, the default value of
> space, tab, and newline is used.

Let's try it:

echo " A :  B::D" | {
    IFS=" :"
    read -r arg1 arg2 arg3 arg4
    printf -- '1st: "%s"\n' "$arg1"
    printf -- '2nd: "%s"\n' "$arg2"
    printf -- '3rd: "%s"\n' "$arg3"
    printf -- '4th: "%s"\n' "$arg4"
}

bash(1) splits the line into the following fields:

1st: "A"
2nd: "B"
3rd: ""
4th: "D"

This is actually the expected output, as described in the manual.

However, running the same command in OpenBSD ksh, prints this:

1st: "A"
2nd: ""
3rd: "B"
4th: ":D"

A completely different thing.
The same occurs with OpenBSD sh(1).

I could not understand how OpenBSD does the splitting, but the way it
does it is clearly a bug: it not only contradicts its own manual,
but also differs from other implementations.

Thank you,
Lucas de Sena.
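A portable way to get the splitting the manual describes regardless of how a given sh treats an IFS that mixes whitespace and a non-whitespace character, as an added example (not from the bug report): normalise the delimiters with sed first, then split on `:` alone, a single non-whitespace delimiter that every implementation handles the same way and that preserves empty fields.

```shell
#!/bin/sh
# Added example, not from the bug report. Splits lines such as " A :  B::D"
# into A, B, "" and D on any sh, by reducing every "blanks : blanks" run to
# a single ":" and then splitting on ":" alone. With a lone non-whitespace
# IFS character each ":" terminates a field, so the empty field in "B::D"
# survives, as in the ksh(1) manual's own IFS=":" example.

# normalise_delims LINE -> prints LINE with surrounding blanks removed and
# each ":" stripped of adjacent blanks (" A :  B::D" becomes "A:B::D")
normalise_delims() {
    printf '%s\n' "$1" |
        sed -e 's/^[[:blank:]]*//' \
            -e 's/[[:blank:]]*$//' \
            -e 's/[[:blank:]]*:[[:blank:]]*/:/g'
}

# split_fields LINE -> prints the first four fields as /f1/f2/f3/f4/
# (four fields to mirror the report; read(1) puts any remainder in the last)
split_fields() {
    IFS=: read -r f1 f2 f3 f4 <<EOF
$(normalise_delims "$1")
EOF
    printf '/%s/%s/%s/%s/\n' "$f1" "$f2" "$f3" "$f4"
}

split_fields " A :  B::D"      # prints /A/B//D/
split_fields " foo : bar "     # prints /foo/bar///
```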



mount_ntfs(8) -u/-g problem?

2022-08-17 Thread Michael W. Lucas
Hi,

I'm running:

OpenBSD victim.blackhelicopters.org 7.2 GENERIC.MP#640 amd64

According to mount_ntfs(8), -u and -g let you set UID and GID of
mounted filesystems. Took an NTFS USB drive, plugged it in, mounted
it, and checked ownership.

# mount_ntfs -u mwlucas -g mwlucas /dev/sd4i /mnt/
# ls -lai /mnt/
total 107
 4 -rwxr-xr-x   1 root  wheel   2560 Dec 31  1600 $AttrDef
 8 -rwxr-xr-x   1 root  wheel  0 Dec 31  1600 $BadClus
 6 -rwxr-xr-x   1 root  wheel  32768 Dec 31  1600 $Bitmap
 7 -rwxr-xr-x   1 root  wheel  0 Dec 31  1600 $Boot
11 drwxr-xr-x   1 root  wheel  0 Aug 17 15:05 $Extend
 2 -rwxr-xr-x   1 root  wheel  0 Dec 31  1600 $LogFile
 1 -rwxr-xr-x   1 root  wheel  0 Dec 31  1600 $MFTMirr
 9 -rwxr-xr-x   1 root  wheel  0 Aug 17 15:05 $Secure
10 -rwxr-xr-x   1 root  wheel 131072 Dec 31  1600 $UpCase
 3 -rwxr-xr-x   1 root  wheel  0 Dec 31  1600 $Volume
 5 drwxr-xr-x   1 root  wheel  0 Dec 31  1600 .
 2 drwxr-xr-x  15 root  wheel512 Aug 16 13:02 ..
36 drwxr-xr-x   1 root  wheel  0 Aug 17 15:05 System Volume Information
38 -rwxr-xr-x   1 root  wheel  111496224 Aug 17 13:35 VirtualBox-6.1.36-152435-Win.exe

If I create /tmp/mnt owned by mwlucas:mwlucas and mount there,
ownership of the mount point is changed to root:wheel and the files
are owned by root.

# chown mwlucas:mwlucas /tmp/mnt
ls -lai /tmp/
total 1
 2 drwxrwxrwt   9 root wheel   512 Aug 17 15:42 .
 2 drwxr-xr-x  15 root wheel   512 Aug 16 13:02 ..
 25920 drwxrwxrwt   2 root wheel   512 Aug 16 13:02 .ICE-unix
388800 drwxrwxrwt   2 root wheel   512 Aug 16 13:02 .X11-unix
 77760 drwxr-xr-x   2 mwlucas  mwlucas 512 Aug 17 15:42 mnt
259200 drwxr-xr-x   2 root wheel   512 Aug 16 13:02 sndio
...

# mount_ntfs -u mwlucas -g mwlucas /dev/sd4i /tmp/mnt/

# ls -lai /tmp/mnt/
total 107
 4 -rwxr-xr-x  1 root  wheel   2560 Dec 31  1600 $AttrDef
 8 -rwxr-xr-x  1 root  wheel  0 Dec 31  1600 $BadClus
 6 -rwxr-xr-x  1 root  wheel  32768 Dec 31  1600 $Bitmap
 7 -rwxr-xr-x  1 root  wheel  0 Dec 31  1600 $Boot
11 drwxr-xr-x  1 root  wheel  0 Aug 17 15:05 $Extend
...

Am I doing something wrong here, or did I find a bug?

FWIW, mount_msdos -u and -g assign ownership.

Thanks,
==ml



-- 
Michael W. Lucas  https://mwl.io/
author of: Absolute OpenBSD, SSH Mastery, git commit murder,
 Absolute FreeBSD, Immortal Clay, Prohibition Orcs, etc, etc, etc...
### New books: TLS Mastery, the Networknomicon, $ git sync murder ###



Re: Xterm copy-paste not happening on OpenBSD 7.1 i386.

2022-08-04 Thread Lucas
Brian Durant  wrote:
> I have installed OpenBSD 7.1 i386 on my Lenovo T60 and am experiencing a 
> couple of issues. The first is related to the following addition that I 
> made to my .Xdefaults file, which works with OpenBSD 7.1 amd64 installs, 
> but not with the OpenBSD 7.1 i386 install on my Lenovo T60:
> XTerm*VT100.Translations: #override\
>  Ctrl Shift  C: copy-selection(CLIPBOARD) \n\
>  Ctrl Shift  V: insert-selection(CLIPBOARD)
> Any ideas how to get copy and paste working in Xterm with an i386 install?

I don't know if it's relevant, but my Xdefaults looks like this

XTerm.VT100.translations:   #override \n\
Ctrl Alt C:copy-selection(CLIPBOARD) \n\
Ctrl Alt V:insert-selection(CLIPBOARD) \n\
[...other stuff...]

In particular, do note the "\n" after #override, which isn't present in
your snippet. This works fine for me.

Also, vi(1) is showing \xc2\xa0 before your lines, which I don't know
if it's a product of your MUA or if it's actually part of the file (it's
a non-breaking space, aka &nbsp; in XML/HTML), so do double-check the
whitespace in there.

-Lucas



openssl/libressl s_client -crlf difference

2021-02-26 Thread Michael W. Lucas
Hi,

Should LibreSSL and OpenSSL be strictly command line compatible?

The reason I ask is: using OpenSSL, I can use openssl s_client to
connect to a site like so:

$ openssl s_client -crlf www:443

LibreSSL requires I add the -connect

$ openssl s_client -crlf -connect www:443

Thanks,
==ml

-- 
Michael W. Lucas  https://mwl.io/
author of: Absolute OpenBSD, SSH Mastery, git commit murder,
  Immortal Clay, PGP & GPG, Absolute FreeBSD, etc, etc, etc...
### New books: SNMP Mastery, the Networknomicon, Drinking Heavy Water ###



Re: A concerning commit which breaks compatibility

2020-07-23 Thread Lucas
goldeneagle96  wrote:
> Hello OpenBSD devs. It has come to my attention that a mysterious commit
> , unlogged by CVS, has appeared. This commit changes language, breaking
> compatibility on header and source files.
> Thankfully, it was logged by the Github mirror.
> The commit's author is the Github username "djmdjm", and the one who
> okayed it was "markus@".
> Please, I ask of you and specially of Theo to look at this strange
> commit, and decide what to do about it.
> Its link is 
> https://github.com/openbsd/src/commit/5bde2954c180034a27b079acaff46073dc75139b
> cc @misc @tech

I'll only reply on misc@ as I think this is where it belongs. Here's
the commit in cvsweb[0], the mail in marc.info[1], and I can confirm the
change is present at least in obsdacvs.cs.toronto.edu. Also, claiming
"breaking compatibility on header and source files" in *internal* files
is stupid. Please do your homework before shitposting.

-Lucas

[0]: 
https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?rev=1.38=text/x-cvsweb-markup
[1]: https://marc.info/?l=openbsd-cvs=159399360827650=2



Re: reposync out of memory

2020-05-09 Thread Lucas
Stuart Henderson  wrote:
> I can add something to the readme after the ports tree has unlocked.
> 
> I think you're seeing this now due to the churn because every file in
> the repositories was touched when the tree was tagged with OPENBSD_6_7.
> I haven't seen it on the 2 machines I have running reposync, but they
> update more frequently so probably didn't have to deal with updating
> all of ports+src+xenocara together, which is probably what tipped it
> over the edge.

For the archive, creating a new login class bumping datasize-cur and
adding cvs to that new login class did the trick. I doubt that's the
magic number tho, as I went over half of ports repo before that change,
so ymmv.

#
# reposync might choke during releases with default datasize
#
reposync:\
:datasize-cur=1024M:\
:tc=default:



Re: TOFU/cert pinning in libtls

2020-05-09 Thread Lucas
Hello Stephen,

> My basic idea for the client is:
> 
> - load a db of self-signed certs.
> - connect to host
> - if host cert is self signed
>   - if not in db, prompt user and add to db
>   - if in db, check fingerprint and warn user if they don't match.
> 
> Browsing the manuals/source code, there doesn't seem to be an easy way
> to configure this. I don't want to have to use the OpenSSL API for this
> :(.

I experimented with cert FP pinning in the past, too. tls_peer_cert_hash
is probably what you're looking for. Found it looking at
/usr/include/tls.h. Then tried to find it referenced in other manpages,

oolong$ man -k Xr=tls_peer_cert_hash 
nc(1) - arbitrary TCP and UDP connections and listens

That's far from ideal IMO, but I don't know in which of the many tls_*
manpages I would reference it.

HTH,
-Lucas
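The store behind the client sketched above, as an added example (not Stephen's code and not part of libtls): a file-backed first-use pin list keyed by host, assuming the fingerprint is the string tls_peer_cert_hash(3) hands back (`SHA256:` followed by hex) and that the caller has already established the peer cert is self-signed. The fingerprint values in the comments and tests are constructed.

```shell
#!/bin/sh
# Added example; not Stephen's client and not part of libtls. A file-backed
# trust-on-first-use store: one "host fingerprint" line per host, like
# known_hosts. FP is whatever tls_peer_cert_hash(3) returned, e.g.
# "SHA256:0123..." (constructed values below, not real hashes).

# tofu_check DBFILE HOST FP
#   0  host known and FP matches the pin
#   1  host known but FP differs: warn, and do NOT update the pin silently
#   2  host not seen before (caller prompts, then tofu_pin)
tofu_check() {
    db=$1 host=$2 fp=$3
    # The store is only as trustworthy as its permissions: anyone who can
    # write it can pin their own certificate, so create it 0600.
    [ -f "$db" ] || (umask 077 && : > "$db")
    # Exact match on the host column; a substring grep would let
    # "example.org" match "example.org.evil" or vice versa.
    pinned=$(awk -v h="$host" '$1 == h { print $2; exit }' "$db")
    if [ -z "$pinned" ]; then
        return 2
    fi
    if [ "$pinned" = "$fp" ]; then
        return 0
    fi
    printf 'WARNING: certificate for %s changed\n  pinned: %s\n  seen:   %s\n' \
        "$host" "$pinned" "$fp" >&2
    return 1
}

# tofu_pin DBFILE HOST FP -> records the fingerprint after the user agreed
tofu_pin() {
    printf '%s %s\n' "$2" "$3" >> "$1"
}

# tofu_decision DBFILE HOST FP -> prints proceed / abort / ask
# (the interactive prompt from the plan above sits where "ask" is printed)
tofu_decision() {
    tofu_check "$1" "$2" "$3" && rc=0 || rc=$?
    case $rc in
        0) echo proceed ;;
        1) echo abort ;;
        2) echo ask ;;
    esac
}
```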



reposync out of memory

2020-05-09 Thread Lucas
Hello misc@,

Starting today, reposync is running out of memory for me. Happened 3
times in a row already, in different stages. It looks like this when it
happens:

>f.st.. ports/net/megatools/pkg/PLIST,v
ERROR: out of memory in flist_expand [receiver]
rsync error: error allocating core memory buffers (code 22) at util2.c(105) [receiver=3.1.3]
rsync: [generator] write error: Broken pipe (32)
rsync error: error in socket IO (code 10) at io.c(820) [generator=3.1.3]
rsync: [receiver] write error: Broken pipe (32)
reposync: rsync failed

I'm issuing the following command:

oolong$ doas -u cvs /usr/local/bin/reposync rsync://obsdacvs.cs.toronto.edu/obsdcvs/ /home/cvs

I set up cvs user as described in the pkg-readme:

oolong$ getent passwd cvs; id -c cvs
cvs:*:1001:1001::/nonexistent:/sbin/nologin
default

default class is unaltered in the system:

default:\
:path=/usr/bin /bin /usr/sbin /sbin /usr/X11R6/bin /usr/local/bin /usr/local/sbin:\
:umask=022:\
:datasize-max=768M:\
:datasize-cur=768M:\
:maxproc-max=256:\
:maxproc-cur=128:\
:openfiles-max=1024:\
:openfiles-cur=512:\
:stacksize-cur=4M:\
:localcipher=blowfish,a:\
:tc=auth-defaults:\
:tc=auth-ftp-defaults:

FTR, I'm using reposync since it came out and this is the first time it
happens. I update once a week, if that matters.

Is anyone experiencing this too? I guess I can work around it by bumping
datasize for the cvs user, but if this is happening to others, maybe
it's worth adding something to the pkg-readme.

Just in case, dmesg can be found after the email. Thanks in advance.

-Lucas



Re: IPsec and MTU / fragmentation

2020-02-10 Thread Lucas
Hi Denis,

Denis  wrote:
> It can be re-keying issue. You can check this out by adding to iked.conf
> on both ends:

I took this line off from the mail while cleaning up the config. I have

ikelifetime 3h lifetime 1h

in both ends.

> By the way, can your let us know "big files" exact size?

> > perl -e 'print "a" x 1386;' | doas nc -l 10.200.0.80 80
> > 
> > client receives 1386 "a"s, but with any bigger size the client sees no
> > response at all.

Anything bigger than 1386 bytes.

-Lucas



IPsec and MTU / fragmentation

2020-02-09 Thread Lucas
Hi misc@,

I've set up an IPsec tunnel for serving my website from my home. The
tunnel works quite well most of the time, but if I try to deliver big
files over it, the HTTP client never gets a response. After some
testing, if I run on the HTTP server end

perl -e 'print "a" x 1386;' | doas nc -l 10.200.0.80 80

client receives 1386 "a"s, but with any bigger size the client sees no
response at all.

This smells of MTU / fragmentation issues, but I don't know enough about
networks to configure it properly. Is this the case? Any recommendations
on how to configure a sensible value? Any clue sticks? I can bang
different MTUs until it works, but that solution doesn't seem to scale.
You can find my iked and pf configs below.

Also would like to understand why it happens, so pointers to docs are
more than welcome.

Thanks in advance,
-Lucas

Initiator /etc/iked.conf:

initiator_www = 10.200.0.80
initiator_peer =192.0.2.1
responder = 198.51.100.1

ikev2 "www" active proto tcp \
from $initiator_www port 80 to $responder \
peer $responder \
srcid initiator dstid responder \
tag IPSECWWW

Initiator /etc/pf.conf:

set block-policy drop
set loginterface egress
set skip on lo0

block all

pass out quick on { egress enc0 }

pass in quick on enc0 tagged IPSECWWW
pass in on egress proto tcp to port ssh
pass in on egress inet proto icmp all
pass in on egress inet6 proto ipv6-icmp all

Responder /etc/iked.conf:

initiator_www = 10.200.0.80
initiator_peer =192.0.2.1
responder = 198.51.100.1

ikev2 "www" passive proto tcp \
from $responder to $initiator_www port 80 \
peer $initiator_peer \
srcid responder dstid initiator \
tag IPSECWWW

Responder /etc/pf.conf:

set block-policy drop
set loginterface egress
set skip on lo0

block log all

pass out quick on egress

pass in log on egress proto udp from any to (egress) \
port { isakmp ipsec-nat-t }
pass in log on egress proto esp from any to (egress)
pass in log on enc0 tagged IPSECWWW
pass out log on enc0

pass in on egress proto tcp to port { ssh http https }
pass in on egress inet proto icmp all
pass in on egress inet6 proto icmp6 all



Re: OpenBSD IKED Client Issues

2019-09-24 Thread Lucas
Hello Antonio,

Although providing the output of `iked -dv` can help to debug further,
I don't see you're letting traffic in on `enc0` in your server's pf
ruleset. Adding `pass in on enc0` after `block all` should be enough to
make it work, I think.

HTH,
-Lucas



Re: Pass, gpg2, gpg

2018-12-14 Thread Lucas López
I think it all came down to `export LC_CTYPE="en_US.UTF-8"` ^^'.



Thank you all for your answers,

Lucas

On 12/10/18, Edd Barrett  wrote:
> On Fri, Dec 07, 2018 at 04:33:36PM +0100, Lucas López wrote:
>> Question: How to set gpg, gpg2 as interactive mode *by default*?
>
> I don't use passwordstore, but I do use gpg2 (gpg is a different program
> entirely).
>
> If you use gpg2, did you try manually setting a pinentry?
> https://wiki.archlinux.org/index.php/GnuPG#pinentry
>
> --
> Best Regards
> Edd Barrett
>
> http://www.theunixzoo.co.uk
>



Re: Pass, gpg2, gpg

2018-12-14 Thread Lucas López
On Fri, Dec 7, 2018 at 8:54 PM Kai Wirt  wrote:
>
> On Fri, Dec 07, 2018 at 04:33:36PM +0100, Lucas López wrote:
> >
> > I can deduce pass command uses gpg2 command which in turn uses gpg command.
> > The issue is *gpg is always in batch mode*, so if I want to use pass, I
> > have to manually decrypt something directly using gpg2 (gpg2 -d bla ->
> > prompt for passphrase). This way pass is usable as one would expect.
>
>
> In my understanding gpg and gpg2 are two different programs. Thus for
> pass to work you need to setup your keys in gpg2 or import them from gpg.
>
> For me pass and gpg2 worked out-of-the-box as expected.
>
>
> Kai

I think it all came down to `export LC_CTYPE="en_US.UTF-8"` ^^'



Pass, gpg2, gpg

2018-12-07 Thread Lucas López
Hi everyone, I can not seem to find a solution to this.

I like https://www.passwordstore.org/ and I am so grateful to have it in
OpenBSD as a package!

I can deduce pass command uses gpg2 command which in turn uses gpg command.
The issue is *gpg is always in batch mode*, so if I want to use pass, I
have to manually decrypt something directly using gpg2 (gpg2 -d bla ->
prompt for passphrase). This way pass is usable as one would expect.

Question: How to set gpg, gpg2 as interactive mode *by default*?

Thank you very much!

Lucas.


Re: relayd redirect not working

2017-03-16 Thread Michael W. Lucas
Thanks.

Look at the PF rules in the relayd table. See what's redirecting from
where to what.

If that all looks ok, there's always tcpdump...

On Wed, Mar 15, 2017 at 11:42:32PM -0700, Dave Cohen wrote:
> Michael,
> 
> Appreciate you chiming in.  I'm a fan of Absolute OpenBSD!
> 
> I'm having trouble reproducing the settings that I originally wrote about.  
> I've tried to restore /etc/relayd.conf and /etc/pf.conf to what they were 
> when I wrote the email.  But right now, neither port 80 nor 443 are 
> redirecting to the other ports.  Earlier, port 80 was working while 443 was 
> not.  I'm at a loss as to why the behavior is not the same as before.
> 
> Despite that trouble, I tried the commands you suggested.  `relayd -dvvv` 
> shows
> 
> $ doas relayd -dvvv
> startup
> socket_rlimit: max open files 1024
> init_filter: filter init done
> init_tables: created 2 tables
> socket_rlimit: max open files 1024
> socket_rlimit: max open files 1024
> socket_rlimit: max open files 1024
> hce_notify_done: 127.0.0.1 (icmp ok)
> host 127.0.0.1, check icmp (32ms,icmp ok), state unknown -> up, availability 100.00%
> pfe_dispatch_hce: state 1 for host 1 127.0.0.1
> hce_notify_done: 127.0.0.1 (icmp ok)
> host 127.0.0.1, check icmp (33ms,icmp ok), state unknown -> up, availability 100.00%
> pfe_dispatch_hce: state 1 for host 2 127.0.0.1
> table https: 1 added, 0 deleted, 0 changed, 0 killed
> pfe_sync: enabling ruleset
> sync_ruleset: rule added to anchor "relayd/https"
> hce_notify_done: 127.0.0.1 (icmp ok)
> hce_notify_done: 127.0.0.1 (icmp ok)
> table http: 1 added, 0 deleted, 0 changed, 0 killed
> pfe_sync: enabling ruleset
> sync_ruleset: rule added to anchor "relayd/http"
> hce_notify_done: 127.0.0.1 (icmp ok)
> hce_notify_done: 127.0.0.1 (icmp ok)
> hce_notify_done: 127.0.0.1 (icmp ok)
> ...etc...
> 
> and `relayctl sho sum`
> 
> $ relayctl sho sum
> Id  Type      Name              Avlblty  Status
> 1   redirect  https                      active
> 1   table     httpshosts:8443            active (1 hosts)
> 1   host      127.0.0.1         100.00%  up
> 2   redirect  http                       active
> 2   table     httpshosts:8080            active (1 hosts)
> 
> 
> -Dave
> 
> On Sun, Mar 12, 2017, at 03:16 PM, Michael W. Lucas wrote:
> > On Sun, Mar 12, 2017 at 09:26:53AM +0100, Salvatore Cuzzilla wrote:
> > > Ciao Dave,
> > > 
> > > I'm also playing with relayd as a L7 gateway and as far as I can see from your
> > > config there is no CA and key configured. In order for HTTPS to work relayd
> > > needs to be able to do TLS inspection and of course you should redirect all
> > > your https traffic to port 8443 (using PF for example). If you check the
> > > pf.conf man page under both the sections RELAYS and Examples you should be
> > > able to find a lot of good hints.
> > 
> > He's using a redirect, not a relay, so it should work just fine. No L7
> > stuff here, only low-level IP.
> > 
> > Dave, looks OK to me. What does relayd -dvvv say? And relayctl sho sum ?
> > 
> > -- 
> > Michael W. Lucas  Twitter @mwlauthor
> > nonfiction: https://www.michaelwlucas.com/
> > fiction: https://www.michaelwarrenlucas.com/
> > blog: http://blather.michaelwlucas.com/

-- 
Michael W. Lucas  Twitter @mwlauthor
nonfiction: https://www.michaelwlucas.com/
fiction: https://www.michaelwarrenlucas.com/
blog: http://blather.michaelwlucas.com/



Re: relayd redirect not working

2017-03-12 Thread Michael W. Lucas
On Sun, Mar 12, 2017 at 09:26:53AM +0100, Salvatore Cuzzilla wrote:
> Ciao Dave,
> 
> I'm also playing with relayd as a L7 gateway and as far as I can see from your
> config there is no CA and key configured. In order for HTTPS to work relayd
> needs to be able to do TLS inspection and of course you should redirect all
> your https traffic to port 8443 (using PF for example). If you check the
> pf.conf man page under both the sections RELAYS and Examples you should be
> able to find a lot of good hints.

He's using a redirect, not a relay, so it should work just fine. No L7
stuff here, only low-level IP.

Dave, looks OK to me. What does relayd -dvvv say? And relayctl sho sum ?

-- 
Michael W. Lucas  Twitter @mwlauthor
nonfiction: https://www.michaelwlucas.com/
fiction: https://www.michaelwarrenlucas.com/
blog: http://blather.michaelwlucas.com/



collecting relayd check scripts?

2017-02-08 Thread Michael W. Lucas
Hi,

I'm collecting relayd check scripts for the httpd/relayd book.

If you have a check script that you don't mind sharing, please send it
to me.

Regards,
==ml


-- 
Michael W. Lucas  Twitter @mwlauthor
nonfiction: https://www.michaelwlucas.com/
fiction: https://www.michaelwarrenlucas.com/
blog: http://blather.michaelwlucas.com/



relayd send/expect syntax

2017-02-07 Thread Michael W. Lucas
Hi,

Running the most recent amd64 snapshot on ESXi.

OpenBSD r1.mwlucas.org 6.0 GENERIC#162 amd64

I'm trying to use relayd's check send/expect support to verify a
daemon's banner comes up. After problems I've stripped this down to
the simplest possible config, a single known good mail server. The server
keeps showing up as down, with a TCP timeout. Packet sniffer shows
that the connection opens and that the SMTP banner is returned in less
than a second.

Am I doing something obviously stupid here?

Here's the config and the debugging output.

relayd.conf:
---
ext_ip="203.0.113.213"

log updates
timeout 9000


table  { 104.236.197.233 }

redirect smtp {
listen on $ext_ip port 587 interface em0
forward to  check send nothing expect "200 *"
}

--

Why have the "timeout 9000"? Well, because of the error I get:

relayd -d
pfe: filter init done
startup
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
relayd_tls_ticket_rekey: rekeying tickets
init_tables: created 1 tables
hce_notify_done: 104.236.197.233 (tcp read timeout)
host 104.236.197.233, check send expect (9020ms,tcp read timeout), state unknown -> down, availability 0.00%
pfe_dispatch_hce: state -1 for host 1 104.236.197.233
^Chce exiting, pid 12145
kill_tables: deleted 1 tables
flush_rulesets: flushed rules
pfe exiting, pid 67580
relay exiting, pid 72564
ca exiting, pid 19097
relay exiting, pid 72558
relay exiting, pid 72790
ca exiting, pid 1431
ca exiting, pid 889
parent terminating, pid 81783

Any suggestions, folks?

Thanks,
==ml

-- 
Michael W. Lucas  Twitter @mwlauthor
nonfiction: https://www.michaelwlucas.com/
fiction: https://www.michaelwarrenlucas.com/
blog: http://blather.michaelwlucas.com/
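How a `check send ... expect` probe consumes the server's answer, as an added example (not relayd's code): the `expect` string is a shell-style glob matched against everything read so far, and relayd keeps reading while it does not match, so a banner the pattern never matches ends as a read timeout rather than a mismatch report. The banner strings below are constructed; note that an SMTP greeting begins with `220` (RFC 5321).

```shell
#!/bin/sh
# Added example, not relayd's code. Emulates a send/expect probe against
# the text a server returns on stdin: read the response line by line and
# glob-match the whole buffer against PATTERN after each line, the way
# relayd keeps reading until the expect pattern matches (or it times out).

# check_expect PATTERN   (server response on stdin)
#   0  pattern matched what the server sent so far
#   1  server closed without a match (relayd would report a read timeout)
check_expect() {
    pattern=$1
    buf=
    while IFS= read -r line; do
        buf="$buf$line
"
        # An unquoted $pattern in a case label is a glob, as in fnmatch(3).
        case $buf in
            $pattern) return 0 ;;
        esac
    done
    return 1
}

# probe BANNER PATTERN -> prints up or down for a constructed one-line banner
probe() {
    if printf '%s\n' "$1" | check_expect "$2"; then echo up; else echo down; fi
}

banner='220 mail.example.org ESMTP Ready'   # constructed SMTP greeting
probe "$banner" '200 *'        # down: an SMTP greeting starts with 220
probe "$banner" '220 *'        # up
probe "$banner" '220*ESMTP*'   # up
```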



Re: bgplg httpd "ping: socket: Permission denied"

2016-12-13 Thread Michael W. Lucas
On Tue, Dec 13, 2016 at 02:21:51AM +0100, Jeremie Courreges-Anglas wrote:
> "Michael W. Lucas" <mwlu...@michaelwlucas.com> writes:
> 
> > Hi,
> 
> Hi,
> 
> > Running the 12/12 snapshot, amd64.
> >
> > I'm setting up the looking glass CGI included with httpd. Requests for
> > ping and traceroute fail.
> >
> > Per bgplg(8), I've set mode 4555 on the static binaries:
> >
> > ls -lai /var/www/bin/
> > total 1844
> > 77958 drwxr-xr-x   2 root  daemon 512 Dec 11 17:47 .
> > 77956 drwxr-xr-x  15 root  daemon 512 Dec 12 15:35 ..
> > 77959 -r-xr-xr-x   1 root  bin 256240 Dec  8 12:09 bgpctl
> > 77978 -rwxr-xr-x   1 root  bin 273200 Dec  8 15:36 femail
> > 77960 -r-sr-xr-x   2 root  bin 318320 Dec  8 12:09 ping
> > 77960 -r-sr-xr-x   2 root  bin 318320 Dec  8 12:09 ping6
> > 77961 -r-sr-xr-x   2 root  bin 281168 Dec  8 12:09 traceroute
> > 77961 -r-sr-xr-x   2 root  bin 281168 Dec  8 12:09 traceroute6
> >
> > Ping and traceroute run fine as root. As an unprivileged user, though,
> > I get:
> >
> > ./ping 8.8.8.8
> > ping: socket: Permission denied
> >
> > $ ./traceroute 8.8.8.8
> > traceroute: unable to revoke privs: Operation not permitted
> >
> > Any suggestions? Or have I found a bug?
> 
> Is the partition that holds /var/www/bin mounted "nosuid"?

(Replying mostly for the archives.)

Yes, /var is mounted nosuid.

bgplg(8) has lovely detailed instructions on how to set it up,
including setting the suid bit, but don't mention that detail.

Thank you.

ml

-- 
Michael W. Lucas  -  mwlu...@michaelwlucas.com, Twitter @mwlauthor 
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/



bgplg httpd "ping: socket: Permission denied"

2016-12-12 Thread Michael W. Lucas
Hi,


Running the 12/12 snapshot, amd64.

I'm setting up the looking glass CGI included with httpd. Requests for
ping and traceroute fail.

Per bgplg(8), I've set mode 4555 on the static binaries:

ls -lai /var/www/bin/
total 1844
77958 drwxr-xr-x   2 root  daemon 512 Dec 11 17:47 .
77956 drwxr-xr-x  15 root  daemon 512 Dec 12 15:35 ..
77959 -r-xr-xr-x   1 root  bin 256240 Dec  8 12:09 bgpctl
77978 -rwxr-xr-x   1 root  bin 273200 Dec  8 15:36 femail
77960 -r-sr-xr-x   2 root  bin 318320 Dec  8 12:09 ping
77960 -r-sr-xr-x   2 root  bin 318320 Dec  8 12:09 ping6
77961 -r-sr-xr-x   2 root  bin 281168 Dec  8 12:09 traceroute
77961 -r-sr-xr-x   2 root  bin 281168 Dec  8 12:09 traceroute6

Ping and traceroute run fine as root. As an unprivileged user, though,
I get:

./ping 8.8.8.8
ping: socket: Permission denied

$ ./traceroute 8.8.8.8
traceroute: unable to revoke privs: Operation not permitted

Any suggestions? Or have I found a bug?

==ml


-- 
Michael W. Lucas  -  mwlu...@michaelwlucas.com, Twitter @mwlauthor 
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/



httpd: server match strangeness

2016-11-11 Thread Michael W. Lucas
Hi,

I'm running the 2016-11-11 amd64 snapshot on a VMWare test host,
working with patterns in httpd's server statements. Here's my
/etc/httpd.conf:

--
public_ip="*"
public_ip6="::"

server "default" {
root "/default"
listen on $public_ip port 80
listen on $public_ip6 port 80
}

server match "^[w]+%.mwlucas%.org$" {
listen on $public_ip port www
listen on $public_ip6 port 80
root "/www1"
directory auto index
}
--

My understanding of what this should do is:

Requests that match one or more 'w's.mwlucas.org (i.e.,
www.mwlucas.org, w.mwlucas.org, ww.mwlucas.org, etc) should hit
the server with the match statement.

Other requests to the server, such as by raw IP, a plain
"mwlucas.org," or any other hostname pointed at that IP address,
should get the default entry.

Each site only contains a single document, giving the site name in
large letters.

Instead, it seems that every request hits the match statement.

Running the server in debug mode:

# httpd -dvvv
startup
server_privinit: adding server default
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_privinit: adding server default
server_privinit: adding server ^[w]+%.mwlucas%.org$
server_privinit: adding server ^[w]+%.mwlucas%.org$
server_launch: configuring server default
server_launch: running server default
server_launch: configuring server default
server_launch: running server default
server_launch: configuring server default
server_launch: running server default
server_launch: configuring server default
server_launch: running server default
server_launch: configuring server default
server_launch: running server default
server_launch: configuring server default
server_launch: running server default


Lynx on another workstation. Requesting www.mwlucas.org works as expected:

^[w]+%.mwlucas%.org$ 203.0.113.208 - - [11/Nov/2016:16:35:00 -0500] "GET / HTTP/1.0" 200 51
server default, client 1 (1 active), 203.0.113.208:15679 -> 192.0.2.101, done

Let's try plain mwlucas.org. That doesn't have any leading w or the
explicit period, I'd expect it to hit the default server.

^[w]+%.mwlucas%.org$ 203.0.113.208 - - [11/Nov/2016:16:37:34 -0500] "GET / HTTP/1.0" 200 51
server default, client 1 (1 active), 203.0.113.208:62794 -> 192.0.2.101, done

Something without any host name in it: browse by IP:

^[w]+%.mwlucas%.org$ 203.0.113.208 - - [11/Nov/2016:16:38:13 -0500] "GET / HTTP/1.0" 200 51
server default, client 1 (1 active), 203.0.113.208:61442 -> 192.0.2.101, done

It seems that no matter how I get to this host, I get the server with
the match statement.

I've tried variants on the pattern. It seems that a simpler pattern
should work, like:

server match "w+.mwlucas.org" {

but it seems all requests still go to the match statement server.

If I remove the match statement from httpd.conf and rely on something like

server www.mwlucas.org {

requests go to either the default server or, if I specifically request
that hostname, the named server.

Any suggestions? What am I missing to use patterns in a server entry?

Thanks,
==ml

-- 
Michael W. Lucas  -  mwlu...@michaelwlucas.com, Twitter @mwlauthor 
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/



using httpd's pattern support?

2016-11-09 Thread Michael W. Lucas
Hi,

I'm writing a book on OpenBSD's web stack.

If you're using httpd's Lua pattern support ('location match' or
'server match'), I'd be interested in hearing what you're using it
for. I'm collecting use cases.

If you can share snippets of httpd.conf, that would be VERY helpful.

Please reply off-list. I've set the reply-to, but no idea if that will
survive the mailing list.

Thanks,
==ml


-- 
Michael W. Lucas  -  mwlu...@michaelwlucas.com, Twitter @mwlauthor 
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/



Detroit-area BSD user group

2015-11-04 Thread Michael W. Lucas
Hi,

Nick Holland and I live about three miles apart, so this was pretty
inevitable.

Working on starting a Detroit-area BSD user group.

If you're interested, join the mailing list and help us figure out
where & when to meet.

www.semibug.org.

Followups to... uh... not this list.

==ml

-- 
Michael W. Lucas  -  mwlu...@michaelwlucas.com, Twitter @mwlauthor 
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/



Re: The 2014 Book of PF Auction Concluded

2014-11-04 Thread Michael W. Lucas
On Wed, Nov 05, 2014 at 12:33:20AM +0100, Peter N. M. Hansteen wrote:
> You heard it here first (unless you refreshed ebay item
> http://www.ebay.com/itm/321563281902 more often than I did) -
> 
> The auction for the first signed copy of The Book of PF, 3rd Edition
> concluded, with a successful bid of USD 3,050.00.
> 
> The formalities are in motion, and I hope both the physical package
> and the money will be on their way to their intended destinations very
> soon.
> 
> If the successful bidder allows me to announce their name, I will do
> so in a followup announcement.
> 
> In the meantime, I *strongly* urge all those who bid on this item to
> make a direct donation to the OpenBSD foundation instead, equal to
> their highest bid.
> 
> Thank you all for your kind support, it has been good fun.
> 
> All the best,
> Peter

Sincere congratulations. Well done!

==ml 




Re: The Book of PF, 3rd ed: You own the first author signed copy and support OpenBSD!

2014-11-01 Thread Michael W. Lucas
On Sat, Nov 01, 2014 at 09:23:35PM +0100, Peter N. M. Hansteen wrote:
 pe...@bsdly.net (Peter N. M. Hansteen) writes:
 The amount is certainly in the comfortable zone for me, and with three
 days to go it's entirely possible that this auction will indeed bring
 in more money than Michael Lucas' Absolute OpenBSD, 2nd edition
 auction[2].

Bah! Not a chance.

If by some bizarre failure of natural law that should happen, I'll be
compelled to write an OpenBSD book next year to auction off. Just so
MY next auction can CRUSH HANSTEEN'S ABSURD FLUKE OF LUCK AND RESTORE
THE NATURAL ORDER.

I mean, the footnotes in BoPF3 all contain actual *facts* -- how lame
is that?

 One other point worth considering is that with both Michael Lucas and
 me setting up these auctions, we have essentially created a new rule:
 If you write an OpenBSD book, you are morally obliged to auction off
 the first signed copy for the benefit of the project. That should not
 be seen as a barrier to entry, rather the opposite.

Only if you want to be one of the cool kids.

==ml




Re: The Book of PF, 3rd ed: You own the first author signed copy and support OpenBSD!

2014-10-27 Thread Michael W. Lucas
On Mon, Oct 27, 2014 at 09:04:48PM +0100, Peter N. M. Hansteen wrote:
 Michael W. Lucas mwlu...@michaelwlucas.com writes:
 
  BAH! You think you can steal my idea for supporting OpenBSD? I don't
  think it's that easy.
  
  MY auction raised $1145.
 
  There is no way that BoPF3 can POSSIBLY raise more than that!
  
  Consider the gauntlet thrown.
 
 :D
 
 After two days, the highest bid lists as US $493.88, which means 
 
 a) that bid was likely entered in a non-USD currency (or
somebody has an odd sense of humor, I'm fine with both)
 
 b) we're on a pretty good trajectory for beating Mr. Lucas on
the fundraising front

Humpf.

It is just BARELY possible that Mr. Hansteen's work will raise more
money than mine. If so, it will clearly be the result of nepotism,
collusion, and intrigue.

If this happens, I'll have to write another OpenBSD book. One that
will raise EVEN MORE MONEY than this petty little BoPF3 auction.

==ml

 Once again, the auction is at 
 
 http://www.ebay.com/itm/The-Book-of-PF-3rd-ed-signed-by-the-author-First-Copy-signed-/321563281902?
 
 The blog post with the nice pictures is at 
 http://bsdly.blogspot.no/2014/10/the-book-of-pf-3rd-edition-is-here.html
 
 And if your bid turns out not to be the successful one, please make
 the amount of your highest bid a direct donation to OpenBSD instead.
 
 Even if you wouldn't consider bidding, go on, head over to
 http://www.openbsd.org/orders.html or http://www.openbsd.org/donations.html 
 and spend some money!
 
  - Peter
 -- 
 Peter N. M. Hansteen, member of the first RFC 1149 implementation team
 http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
 Remember to set the evil bit on all malicious network traffic
 delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.




Re: The Book of PF, 3rd ed: You own the first author signed copy and support OpenBSD!

2014-10-25 Thread Michael W. Lucas
On Sun, Oct 26, 2014 at 12:59:03AM +0200, Peter N. M. Hansteen wrote:
 Ebay situation resolved, the link to the auction is 
 
 http://www.ebay.com/itm/The-Book-of-PF-3rd-ed-signed-by-the-author-First-Copy-signed-/321563281902?
 

Peter,

BAH! You think you can steal my idea for supporting OpenBSD? I don't
think it's that easy.

MY auction raised $1145.

There is no way that BoPF3 can POSSIBLY raise more than that!

Consider the gauntlet thrown.

==ml




Re: new OpenSSL flaws

2014-06-06 Thread André Lucas
On 6 June 2014 14:38, Giancarlo Razzolini grazzol...@gmail.com wrote:

 Em 06-06-2014 07:47, Eric Furman escreveu:

...

 talking about. Funny thing, that I didn't need to change any of my
 banking passwords.


I don't know what, if anything, you're implying there.

Banks are generally conservative places IT-wise, and I suspect that in many
cases they were simply running old versions of OpenSSL that weren't
affected by Heartbleed. I know for a fact that that is the case for at
least one fairly big bank.

This current problem, of course, goes back to older versions of OpenSSL so
there's a lot more work to be done.

-Andre



Re: pf icmp redirect question

2014-05-30 Thread André Lucas
On 30 May 2014 19:13, System Administrator ad...@bitwise.net wrote:

 On 30 May 2014 at 13:56, Sebastian Benoit wrote:

  Marko Cupać (marko.cu...@mimar.rs) on 2014.05.30 11:32:14 +0200: 
 Assuming that $pub_web ip address is used exclusively for web server
   access, and no other ports are redirected to other internal addresses,
   should I also redirect icmp:
  
   pass in on $ext_if inet proto icmp from any to $pub_web rdr-to
   $priv_web
 
  No.

 This is not entirely correct -- you *may* want to have the above
 redirect *if* you want external users to be able to ping the real web
 server to ascertain that it is up, in which case you probably want to
 limit icmp types to echo-request/echo-reply (you certainly do NOT want
 to pass through the icmp redirect or the many other routing controls).


Or if you're concerned about the ICMP messages related to PMTUd,
they're automatically forwarded as part of the connection state tracking
IIRC.

-André
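As an added pf.conf illustration (not part of the thread), the over-broad redirect from the question beside the echo-request-only form suggested above; the interface name and addresses are assumed placeholders.

```pf
# Added example; ext_if, pub_web and priv_web are placeholder values.
ext_if   = "em0"
pub_web  = "192.0.2.10"   # public address of the web server (documentation range)
priv_web = "10.0.0.10"    # internal address the redirect points at

# Over-broad: forwards every ICMP type to the internal host, including
# redirect and other routing-control messages.
# pass in on $ext_if inet proto icmp from any to $pub_web rdr-to $priv_web

# Restricted: only echo requests are redirected. The rule creates state,
# so the echo replies coming back from $priv_web match that state; no
# separate rule for echo-reply is needed.
pass in on $ext_if inet proto icmp from any to $pub_web \
    icmp-type echoreq rdr-to $priv_web

# PMTU discovery: ICMP error messages (e.g. "fragmentation needed") that
# refer to an existing TCP state are matched to that state by pf, so the
# web traffic rule below already covers them.
pass in on $ext_if inet proto tcp from any to $pub_web port 80 rdr-to $priv_web
```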



debugging vio issue?

2014-05-28 Thread Michael W. Lucas
Hi,

I have a 5.5/amd64 KVM VM running Ansible. Most of the time, it works
great. It's running the amd64 snapshot dated 27 May, from
ftp3.usa.openbsd.org.

When I attempt to use the squid proxy to download large files from the
Internet, however, I occasionally get stalls.

This is most easily reproduced when doing an upgrade. During my last
couple of upgrades, I've repeatedly done ^Z and ifconfig vio0 down &&
ifconfig vio0 up && fg to make the download resume mid-set.

Very occasionally, it happens during normal use.

tcpdump on the proxy shows the proxy sending packets, but the OpenBSD
box not responding. My other terminal sessions hang, and I can no
longer SSH to the OpenBSD box.

This doesn't happen on any of my other systems, so I'm inclined to
think it's vio(4) related.

Any suggestions on how to debug this?

Thanks,
==ml




Re: debugging vio issue?

2014-05-28 Thread Michael W. Lucas
On Wed, May 28, 2014 at 11:37:54AM -0700, Philip Guenther wrote:
On Wed, May 28, 2014 at 11:26 AM, Adam Thompson
athom...@athompso.net wrote:
 
  Don't have a good answer for you, but I have similar problems with
  vio(4).
  Switching to e1000 on the KVM side solved my random hangs
  completely.
 
The vio(4) manpage mentions
     Setting flags to 0x02 disables the RingEventIndex feature.  This can be
     tried as a workaround for possible bugs in host implementations or vio at
     the cost of slightly reduced performance.
Have any of you tested that to see whether it improves the situation?

I'll try that.

The man page isn't exactly clear on when to use the flags, but I
suppose you don't want to say If the driver hangs, try this in the
man page.

==ml




Re: Get rid of /bsd: arp info overwritten for ?

2014-05-21 Thread André Lucas
w.r.t. Apple devices, this happens when the Bonjour Sleep Proxy (
https://en.wikipedia.org/wiki/Bonjour_Sleep_Proxy) is at work. If you have
one or more Macs and one or more Airport base stations these messages will
appear when the Mac sleeps and when the Airport wakes it in response to
network traffic.

-André


On 21 May 2014 15:50, bodie bodz...@openbsd.cz wrote:

 On 21.05.2014 16:36, Giancarlo Razzolini wrote:

 Em 21-05-2014 11:09, Kenneth Westerback escreveu:

 On 21 May 2014 07:20, bodie bodz...@openbsd.cz wrote:

 On 21.05.2014 12:50, bodie wrote:

 On 21.05.2014 11:18, bodie wrote:

 Hi,

 testing http://marc.info/?t=14002453903r=1w=2 further and now I
 hit issue with corporate WIFI. I can connect perfectly fine to 2 of
 them provided with WPA2-PSK, either with regular ifconfig or with
 wpa_supplicant from packages, but the thing is that my
 /var/log/messages is flooded by these messages repeating like every
 3s:

 /bsd: arp info overwritten for GW_IP by MAC_1 on iwn0
 /bsd: arp info overwritten for GW_IP by MAC_2 on iwn0

 arp -a shows only one MAC all the time and that's MAC_2 no matter if
 I reboot or just reconnect to network. Info from inside about setup of
 those APs is:

 There actually are 2 gateways having the same IP address GW_IP and
 the mac addresses belong to them. They work as failover and also load
 balancer.

 Not sure if it's because of that or because of ARP flooding in
 /var/log/messages, but performance of those WiFi is quite strange like
 ping replies over 20ms, a lot of web services don't work, takes
 years to connect, some are running perfectly fine immediately and
 such.

 So.

 1) Is there anything I can do with ARP messages in /var/log/messages?
 Nothing in man arp and some sysctl switch I found only in FreeBSD
 2) Is there anything what can be tweaked from OpenBSD side to improve
 general performance of WiFi connection or is it just either AP fix or
 nothing?

 Thanks a lot



 Still trying to get much more info, but that setup must be horrible.
 Trying arping results in:

 30 packets sent, 60 received. Always doubled response with MAC_1 and
 MAC_2

 When trying to ping some of the internal servers they all have
 123.123.123.123 IP which is of course totally wrong. Same if tried
 with dig @GW_IP server_IP (as GW_IP is set as DNS by dhclient)

 So now not so sure if it's terrible AP setup or if it's something in
 ARP, dhclient, ieee80211 code in OpenBSD



 Even more suspicious details:

 option dhcp-client-identifier 1:0:c2:c6:1c:af:ac in lease from
 dhclient, but
 my MAC is 00:c2:c6:1c:af:ac. It got mangled or is it on purpose?

 This one I can solve. :-) It's on purpose and according to spec. The
 prepended '1' indicates the type of identifier. In this case an
 ethernet MAC.

  (investigating in the meantime of course :-))
 dhcp-server-identifier is IP of totally different subnet (10..) instead
 of

 You can always add a 'reject' statement in your dhclient.conf to
 ignore suspicious dhcp servers. As the man page says although it
 should be a last resort - better to track down the bad DHCP server and
 fix it.. Assuming it turns out to be a rogue or misconfigured dhcp
 server. It seems unlikely from the other symptoms you mention.


  192... of that AP/GW

  Well, there is no reason the dhcp server should be on the AP/GW. Of
 course, no reason it shouldn't.

 A tcpdump  (tcpdump -i blah -s 2000 -vv -X) might show you who is
 sending what.

  Ken

  Well,

 Without you providing the mac address of your gateways/aps, I can
 only guess. But I know some access points do very funny things. The most
 notorious example are apple airports. It will simply change your mac
 with their own and anything on the wired side of the lan will get theses
 arp messages. But it seems to me more likely to be something
 misconfigured in your network.

 Cheers,


 Well trying to test on other BSD, but PC-BSD doesn't work on this laptop,
 Dfly is working, but on latest there's bug preventing use of WiFi which
 will be solved in tomorrow snapshot, release doesn't boot at all so far,
 NetBSD doesn't detect even WiFi and vga so OpenBSD is so far only OS where
 I was able to test it.

 Ubuntu either live or installed on this laptop is working perfectly fine
 on that network with isc-dhcp-client. And even arping is returning only one
 of two MACs available on those APs.

 None of that is helping much so far, still on start where either something
 wrong in OpenBSD or in AP, but well they will say obviously that Windows
 and Linux clients don't have those problems, which is true as of now.



Re: Documentation for Realtek 8188* devices

2013-11-14 Thread Jean Lucas
On Nov 14, 2013 7:30 PM, Dmitrij D. Czarkoff czark...@gmail.com wrote:

 Hello!

 I'm struggling to find any documentation for RTL8188* wireless devices
 (including those already supported in urtwn driver). I wrote to Realtek,
 but no response followed.

 My problem is that I have a MiniPCI RTL8188CE device in my ThinkPad, and
 I want to try writing a driver for it. AFAIK RTL8188CE-VAU (supported in
 urtwn) is essentially RTL8188CE with USB bridge, so having access to
 documentation urtwn driver was based on would be very helpful.

 So, if anyone knows where these docs can be found, I would be very
 grateful.

 --
 Dmitrij D. Czarkoff


Hi Dmitrij,

Wishing you the best finding documentation and receiving a response from
Realtek. It is safe to say the latter has become my hobby... Not of
preference but of perseverance.

Anyway, I've picked up FreeBSD Device Drivers (Kong) which seems like an
okay, albeit rough, place to start understanding drivers for OpenBSD (only
real driver reference out there besides the tree), though adding support
for the PCIe Mini routine of your device shouldn't be the most difficult
feat ever, the cousin chip is already supported. Check out how other cards
(iwn(4)) attach.

I've an RTL8723AS-VAU which is reportedly a non-mass production analog to
the 8192CU (also urtwn), except with a BT function. There is even a
`urtwn-rtl8723fw' that comes with urtwn but no documentation on those magic
numbers `8723'. We're on similar boats/rafts.

Please post back your findings. Would be interested in helping you so as to
help myself and others.

Cheers.


