Re: High Interrupt After 7.3 Upgrade

2023-05-31 Thread Mark (obsd)
Hi Chris,

On Tue, May 30, 2023 at 8:59 AM Chris Cappuccio  wrote:

> Samuel Jayden [samueljaydan1...@gmail.com] wrote:
> > Hi again,
> >
> > Just for the record:
> > I've downgraded to OpenBSD 7.2 (reinstalled) and everything is working
> like
> > a charm again.
> > I don't know what is wrong with 7.3 but ipi interrupt rate is too much
> and
> > somehow OpenBSD performance is too bad..
> > Thanks for reading.
> >
>
> Sounds like you are using 'systat' to measure interrupts. This is a bug
> in systat that was fixed in 7.3. Here is Scott Cheloha's message from that
> fix:
>
> "systat(1): vmstat: measure elapsed time with clock_gettime(2) instead of
> ticks
>
> The vmstat view in systat(1) should not use statclock() ticks to count
> elapsed time.  First, ticks are low resolution.  Second, the statclock
> is sometimes randomized, so each tick is not necessarily of equal
> length.  Third, we're counting ticks from every CPU on the system, so
> every rate in the view is divided by the number of CPUs.  For example,
> on an amd64 system with 8 CPUs you currently see:
>
>  200 clock
>
> ... when the true clock interrupt rate on that system is 1600.
>
> Instead, measure elapsed time with clock_gettime(2).  Use CLOCK_UPTIME
> here so we exclude time when the system is suspended.  With this
> change we no longer need "stathz" or "hertz".  We can also get rid of
> the anachronistic secondary clock failure test.
>
>
>
I'm not the OP, but that's interesting to me because I'm wondering if it's
why Prometheus' node_exporter from packages is reporting wildly wrong CPU
stats on 7.3 that don't at all match what you'd expect when comparing
top/htop output? It was fine prior to upgrading to 7.3, but I've just left
digging into it on the back burner due to other priorities.

Thanks!
Mark


Re: trying to add auth to specific location in httpd.conf

2021-06-03 Thread fm+obsd+misc+list
My bad.

Just plain authenticate with "/path/to/the/htpasswd/file" above the fastcgi 
line did the trick.

Regards, 

Fabio



trying to add auth to specific location in httpd.conf

2021-06-02 Thread fm+obsd+misc+list


Hi misc, 

I am trying to add HTTP Basic auth to a specific location in httpd.conf (a1).
Is it possible?

The other locations I want to maintain unprotected.

Usually this can be done for the entire site with:

authenticate "HTTP Basic" with "/htdocs/dev/.htpasswd"


but for specific files, dunno how

httpd.conf:

location "/API/v1/a1" {
  fastcgi socket "/run/php-fpm.sock"
}

location "/API/v1/a2" {
  fastcgi socket "/run/php-fpm.sock"
}

location "/API/v1/a3" {
  fastcgi socket "/run/php-fpm.sock"
}

Regards, 

Fabio
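Fabio's follow-up above reports that placing `authenticate ... with` above the fastcgi line inside the location block worked. The following is an added example of the resulting httpd.conf, not Fabio's own file; the server name, the `listen on *` line and the htpasswd path under /conf are assumptions, and all paths are relative to httpd's chroot (/var/www by default).

```conf
# Added example: HTTP Basic auth on /API/v1/a1 only, a2 and a3 stay open.
# Assumed values: server name, listen address, realm and htpasswd path.
server "example.com" {
	listen on * port 80
	root "/htdocs/dev"

	# Only this location asks for credentials. The file is created with
	# htpasswd(1), lives outside the served tree (assumed /var/www/conf),
	# and must be readable by the www user httpd runs as.
	# Basic auth sends credentials base64-encoded, not encrypted, so a
	# production setup serves this over tls.
	location "/API/v1/a1" {
		authenticate "HTTP Basic" with "/conf/api.htpasswd"
		fastcgi socket "/run/php-fpm.sock"
	}

	# Unprotected, exactly as in the original question.
	location "/API/v1/a2" {
		fastcgi socket "/run/php-fpm.sock"
	}

	location "/API/v1/a3" {
		fastcgi socket "/run/php-fpm.sock"
	}
}
```

Check the file with `httpd -n` before reloading so a typo in the location block does not take the whole server down.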



Re: Faking the same LAN over the Internet

2020-03-31 Thread obsd
Sorry for top posting,

Would
https://openvpn.net/vpn-server-resources/site-to-site-layer-2-bridging-using-openvpn-access-server/

solve your problem?

Regards,
Erik

Op 31-3-2020 om 11:34 schreef Chris Rawnsley:
> In the period of The Great Isolation, a friend and I wish to play
> a game that has LAN-only multiplayer. We, however, live in different
> locations and, more importantly, different LANs. An often cited
> approach to solving this is to set up a VPN and connect the two
> devices to it. This requires that both devices run a VPN client
> that connects to the third device that manages the connection. And
> then, hey presto! You have a "LAN".
>
> The complication I have found is that we are both using a Nintendo
> Switch (NinSw) and this device comes without a VPN client. Initially,
> I thought it would be possible to use a VPN client on a computer
> which was wired in over Ethernet and then share the wireless to the
> NinSw. This setup would be mirrored on the other side. The diagram
> below tries to make this clearer. Search for "Where my thinking"
> to skip over this.
>
> [ASCII diagram, garbled in the archive: the NinSw connects over wireless
>  to the laptop; the laptop runs the VPN client and is wired to the
>  gateway/uplink; "mirrored on the other side"]
>
> Where my thinking comes stuck is how the wired connection is shared
> to the NinSw over wireless. The laptop, running MacOS in the case
> of my friend, will set up its own NAT to isolate the wireless
> connections from the uplink. The NinSw is then unable to receive
> an IP from the VPN and therefore not appear as part of the same
> network.
>
> Ignoring the particular case of how "Internet Connection Sharing"
> works on MacOS, would it be possible to set up some "VPN bridge"
> (yes, I made that up) on OpenBSD where it handles the details of
> the VPN connection but forwards the IP address to another device?
>
> If anyone has more insight into this and can point me in the right
> direction I would be grateful. Similarly if there's been a mistake
> in my thinking please point it out as that could help too.
>
>
> --
> Chris Rawnsley
>
> P.S. the game in question is Civilization 6 and, yes, they very
> annoyingly restricted it to LAN-only multiplayer...
>




Relayd Crashing in transparent mode

2019-04-01 Thread oBSD Nub
Wondering if someone can help point me in the right direction.
relayd keeps crashing on me, I suspect someone is attacking using corrupted
packets in some way.
Other attacks are much higher than normal (application layer).
States look in line (less than 5k), processor usage about 20 percent.
Running on KVM, fully patched -stable (6.4).

Anyway right before the relay stop working, I am getting errors such as:
session failed: Operation timed out
bindany failed, invalid socket: Invalid argument
Socket is not connected: Socket is not connected
relay exiting, pid [X]

Can anyone point me in the right direction to get more logging/how to
investigate the errors I am getting?
rcctl restart relayd always fixes the issue.
Intermittent problem, but when there is an issue it will crash every couple of minutes.

Config is:
interval 30
log state changes
log connection
prefork 10

vip01 = "159.100.208.71"
table  { 10.5.6.121 10.5.6.171 }

relay webRedirect0180 {
listen on $vip01 port 80
transparent forward to  port 80 \
mode loadbalance check tcp
}
relay webRedirect01443 {
listen on $vip01 port 443
transparent forward to  port 443 \
mode loadbalance check tcp
}
...repeats about 20 times w/ different VIPs


Re: Certificate authority software

2018-09-21 Thread obsd

Op 21-9-2018 om 14:21 schreef Gregory Edigarov:

Hello, list.

I need to set up a CA for an intranet. I have some (rather not very
positive) experience with ejbca.
Before I set it up, I want to take a look at alternatives, and so
I need advice on the choice of software.


what would you guys use? something with less dependencies is preferred 
(but with web interface).



thank you.

--

With best regards,

  Gregory Edgarov



I was quite happy with xCA.

Kind regards,
Erik



Re: Syspatch failures?

2018-03-03 Thread obsd

Op 3-3-2018 om 22:07 schreef Jeffrey Joshua Rollin:

Hi all,

I've installed OpenBSD today (not new to it, or to the list, but I am a
chronic distro-hopper), and syspatch fails with the error message:

syspatch: invalid URL configured in /etc/installurl

All other software I've installed (including, but not limited to, zsh,
mate, libreoffice) seems to work. My /etc/installurl is as follows:

https://www.mirrorservice.org/pub/OpenBSD/

I would add that this is not the first time I've installed OpenBSD 6.2,
either - but it is the first time syspatch has failed, IIRC.

I've no idea what other info might be helpful, but I'll be happy to provide
it if asked.

Thanks,

Jeff.


Trailing /? Shouldn't it be

https://www.mirrorservice.org/pub/OpenBSD

?

Regards,
Erik



Re: Need an advice about DHCP IPv6 server software

2017-12-09 Thread obsd

Op 9-12-2017 om 16:03 schreef Marc Peters:

On Sat, Dec 09, 2017 at 01:50:37PM +0300, Denis wrote:

Can you share IPv6 part of PF.conf you're using for local network SLAAC?

Did you even bother to open the link Claus sent? Everything you need
IPv6-wise to get it up and running with pf is neatly documented there.

hth,
Marc


My pf.conf  does not deviate too much from that one indeed. The only 
thing I did not see (but I did not look that well) was the pass out 
inet6 all statement...




Re: Need an advice about DHCP IPv6 server software

2017-12-08 Thread obsd

Op 8-12-2017 om 15:07 schreef Jan Kalkus:

For what it’s worth, I’ve noticed Windows frequently will not grab IPv6 
addresses via SLAAC.

If I disable IPv6 on the network interface and then re-enable it, then I will 
be assigned an IPv6 address.

Jan Kalkus


[snip]

I would recheck my configuration if I were you then... Here it is
working 100% of the time on approx. 10 Windows (mixed W7/W10) machines.
The rest of the network (Linux and OpenBSD) works very well with IPv6 as
well. Of course the firewall handing out the SLAAC is OpenBSD. Only be
careful with virtual machines, since you would need settings on the
hypervisor to permit multicast on VLANs. The SLAAC broadcast is multicast...


Erik



Re: authpf error: failed to create table (Device busy)

2017-07-11 Thread md . obsd . bugs
Did you test whether disabling ruleset optimization "fixes"
the issue in your case too?

\md
 
 

Gesendet: Freitag, 07. Juli 2017 um 02:59 Uhr
Von: "rafal.ramocki" 
An: misc@openbsd.org
Betreff: Re: authpf error: failed to create table (Device busy)
It looks like I've just hit the same bug. It looks like it is not related
to authpf but rather to anchors generally. I'm loading an anchor from
pf.conf, then this anchor loads another one with some rules. I have two
similar rules in there and disabling one of them stops the error being
returned from this anchor.

pass in quick log proto tcp to { 10.58.16.10 10.58.16.20 10.58.16.30 } port
1522
pass in quick log proto tcp to { 10.58.16.11 10.58.16.21 10.58.16.31 } port
1522

I have quite a few anchors, so I'm failing to load rules a few anchors ahead
anyway.

Relevant parts of the config are as follows:

/etc/pf.conf:
anchor "vpn1" in on $if_vpn1
load anchor vpn1 from "/etc/anchors/vpn1.conf"

/etc/anchors/vpn1.conf:
anchor "user4" in from 172.31.224.217
load anchor user4 from "/etc/anchors/vpn1/user4"

/etc/anchors/vpn1/user4:
pass in quick log proto tcp to { 10.58.16.10 10.58.16.20 10.58.16.30 } port
1522
pass in quick log proto tcp to { 10.58.16.11 10.58.16.21 10.58.16.31 } port
1522




 



Re: authpf error: failed to create table (Device busy)

2017-06-28 Thread md . obsd . bugs
Hi again

I was able to further track down the issue.

If I set ruleset-optimization to none everything works fine.
So it seems that the behavior is triggered somehow by the
optimizer.

Having a look at where the EBUSY is triggered, it looks like 
pf_find_ruleset in pfr_ina_define (sys/net/pf_table.c) does 
not return anything. I did not get any further yet, but possibly
others can?

Can anyone else confirm this behavior?

regards
\md
 
 
 Forwarded Message 
Date: Donnerstag, 22. Juni 2017 um 10:27 Uhr
From: md.obsd.b...@gmx.at
To: misc@openbsd.org
Subject: authpf error: failed to create table (Device busy)
Hi

I recently transmitted a bug report concerning an authpf issue in 6.1
(see also [1]) where loading the rules in the authpf anchor fails like
this:

"pfctl: failed to create table __automatic_ba6b4284_0 in /newuser(25710): \
Device busy" Unable to modify filters


I've not been able to reproduce the error using another set of source IPs.
Maybe I'm overlooking a syntax/config error, but using the same rule in the
base pf.conf file does not result in an evaluation error using pfctl -nf.

Is anyone able to reproduce the error, either using the info in [1]
or with their own ruleset?

I'd love to deliver additional debug info.

Looking forward to feedback.
\md

[1] https://marc.info/?l=openbsd-bugs&m=149613063520544



authpf error: failed to create table (Device busy)

2017-06-22 Thread md . obsd . bugs
Hi 

I recently transmitted a bug report concerning an authpf issue in 6.1
(see also [1]) where loading the rules in the authpf anchor fails like
this:

"pfctl: failed to create table __automatic_ba6b4284_0 in /newuser(25710): \
Device busy"   Unable to modify filters


I've not been able to reproduce the error using another set of source IPs.
Maybe I'm overlooking a syntax/config error, but using the same rule in the
base pf.conf file does not result in an evaluation error using pfctl -nf.

Is anyone able to reproduce the error, either using the info in [1]
or with their own ruleset?

I'd love to deliver additional debug info.

Looking forward to feedback.
\md

[1] https://marc.info/?l=openbsd-bugs&m=149613063520544



IKEv1 to AzureVPN exchange_validate failed

2017-02-16 Thread oBSD Nub
I am struggling to setup an ipsec vpn to azure.
Following the azure IPSec parameters in the doc below:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices

Getting the below errors in isakmpd, and am stumped where to look next:
Default exchange_run: exchange_validate failed
Default dropped message from 2.2.2.2 port 500 due to notification type
PAYLOAD_MALFORMED

Can anyone point me in the right direction, as my google-fu isn't
feeling strong.

Thanks!

OpenBSD6.0/AMD64 MP vm on esxi 6.5

# cat /etc/ipsec.conf
WAN1= "carp901001" #Interface address 1.1.1.1
localNets   = "{10.10.0.0/24}"
remoteGW= "2.2.2.2" #AzureGateway
remoteNets  = "{10.20.2.0/24}" #remote azure networks

ike esp from $localNets to $remoteNets \
peer $remoteGW \
main auth hmac-sha1 enc aes-256 group modp1024 lifetime 28800 \
quick auth hmac-sha1 enc aes-256 group none lifetime 3600 \
psk somekey

# isakmpd -dvvvK
073538.301968 Default isakmpd: starting [priv]
073548.958802 Default isakmpd: phase 1 done: initiator id 1.1.1.1,
responder id 2.2.2.2, src: 1.1.1.1 dst: 2.2.2.2
073548.993564 Default isakmpd: quick mode done: src: 1.1.1.1 dst: 2.2.2.2
073549.027410 Default exchange_run: exchange_validate failed
073549.027425 Default dropped message from 2.2.2.2 port 500 due to
notification type PAYLOAD_MALFORMED
^C073612.581088 Default isakmpd: shutting down...
# 073612.581509 Default isakmpd: exit

# ipsecctl -s all
FLOWS:
flow esp in from 10.20.2.0/24 to 10.10.0.0/24 peer 2.2.2.2 srcid
1.1.1.1/32 dstid 2.2.2.2/32 type use
flow esp out from 10.10.0.0/24 to 10.20.2.0/24 peer 2.2.2.2 srcid
1.1.1.1/32 dstid 2.2.2.2/32 type require

SAD:
esp tunnel from 2.2.2.2 to 1.1.1.1 spi 0x44461664 auth hmac-sha1 enc aes-256
esp tunnel from 1.1.1.1 to 2.2.2.2 spi 0x55f07894 auth hmac-sha1 enc aes-256

07:29:44.949102 0.0.0.0.isakmp > 2.2.2.2.isakmp: [udp sum ok] isakmp
v1.0 exchange ID_PROT
cookie: e3ee87821c134d03-> msgid:  len: 184
payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz:
0 xforms: 1
payload: TRANSFORM len: 36
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = AES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 28800
attribute KEY_LENGTH = 256
payload: VENDOR len: 20
payload: VENDOR len: 20 (supports v2 NAT-T,
draft-ietf-ipsec-nat-t-ike-02)
payload: VENDOR len: 20 (supports v3 NAT-T,
draft-ietf-ipsec-nat-t-ike-03)
payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 212)
07:29:44.992169 2.2.2.2.isakmp > 1.1.1.1.isakmp: [udp sum ok] isakmp
v1.0 exchange ID_PROT
cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid:  len: 212
payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 48 proposal: 1 proto: ISAKMP spisz:
0 xforms: 1
payload: TRANSFORM len: 40
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = AES_CBC
attribute KEY_LENGTH = 256
attribute HASH_ALGORITHM = SHA
attribute GROUP_DESCRIPTION = MODP_1024
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 7080
payload: VENDOR len: 24
payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
payload: VENDOR len: 20 (supports v2 NAT-T,
draft-ietf-ipsec-nat-t-ike-02)
payload: VENDOR len: 20
payload: VENDOR len: 20
payload: VENDOR len: 20 [ttl 0] (id 1, len 240)
07:29:44.993067 1.1.1.1.isakmp > 2.2.2.2.isakmp: [udp sum ok] isakmp
v1.0 exchange ID_PROT
cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid:  len: 228
payload: KEY_EXCH len: 132
payload: NONCE len: 20
payload: NAT-D len: 24
payload: NAT-D len: 24 [ttl 0] (id 1, len 256)
07:29:45.036032 2.2.2.2.isakmp > 1.1.1.1.isakmp: [udp sum ok] isakmp
v1.0 exchange ID_PROT
cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid:  len: 260
payload: KEY_EXCH len: 132
payload: NONCE len: 52
payload: NAT-D len: 24
payload: NAT-D len: 24 [ttl 0] (id 1, len 288)
07:29:45.036815 1.1.1.1.isakmp > 2.2.2.2.isakmp: [udp sum ok] isakmp
v1.0 exchange ID_PROT
cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid:  len: 92
payload: ID len: 12 type: IPV4_ADDR = 1.1.1.1
p

Re: pf rule for openvpn

2016-10-23 Thread obsd
Op 23-10-2016 om 17:01 schreef Thuban:
> Hi,
> I have an openvpn server running and working, but can't
> go "outside" the server to access the web.
>
> To configure the server, I followed this :
> http://2f30.org/guides/openvpn.html
>
> So ip forwarding is active, vpn port is open, clients can connect to the
> vpn. But they can't access the web.
>
> I guess the problem comes from this pf rule :
>
> pass out on $ext_if from 10.8.0.0/24 to any nat-to ($ext_if)
>
> I've been on this issue for too many hours to have a clear mind on this.
> Any advice to find why I'm stuck on the server?
>
> Regards.
>
>
How about a rule that permits tunnel traffic to go out? How about a rule
that permits the traffic to come in on the tunnel?



Started having bioctl encryption problems recently - lost data. Error within FAQ?

2016-06-13 Thread obsd
'Encrypting external disks'
http://www.openbsd.org/faq/faq14.html#softraidCrypto

Followed the FAQ instructions EXACTLY to encrypt an external drive, then copied
data to it, and after restarting the computer again.. I cannot access the drive;
in fact it doesn't look like anything is even on it. This has happened whilst
following this tutorial on two different systems, using two different hard
disks.. Are the FAQ instructions wrong? Thanks

# Find out which drive it is
$ dmesg | grep '^[sw]d'

# Check the available partition on it
$ fdisk wd1
Disk: wd1 geometry: 14593/255/63 [234441648 Sectors]
Offset: 0 Signature: 0x0
            Starting         Ending         LBA Info:
 #: id      C   H   S -      C   H   S [       start:        size ]
-------------------------------------------------------------------------------
 0: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
 1: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
 2: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
 3: 00      0   0   0 -      0   0   0 [           0:           0 ] unused

# disklabel wd1
# /dev/rwd1c:
type: ESDI
disk: ESDI/IDE disk
label: KINGSTON SV300S3
duid: 
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 14593
total sectors: 234441648
boundstart: 0
boundend: 234441648
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  c:        234441648                0  unused
#

#



Re: assigning ipv6 addresses to interfaces

2016-01-31 Thread obsd

On 31-01-16 17:13, LÉVAI Dániel wrote:

LÉVAI Dániel @ 2016-01-31T14:10:21 +0100:

Stuart Henderson @ 2016-01-30T23:01:54 +0100:

On 2016-01-30, LÉVAI Dániel  wrote:

Hi!

My ISP recently enabled ipv6 on their network, and started sending
router advertisements (offering a /64 prefix) on their pppoe end. So now
I have an autoconf'd v6 address on my pppoe0 device (yay!), and I wish
to set my in-home devices a v6 address each.

[...]

You aren't supposed to have addresses within the same /64 on more than
one interface.

The normal method is that you get an address for the PPP interface using
SLAAC autoconf (as you have now), and request one or more *additional* /64s
using DHCPv6-PD (prefix delegation) - one per interface. The DHCPv6 client
assigns to "downstream" (client-facing) interfaces from this assignment,
and you would use rtadvd to advertise the prefix (and possibly other
information) to clients.

There is no software in OpenBSD base to handle prefix delegation.
I recommend "dhcpcd" from packages and I've added a pkg-readme with a
minimal setup to handle just this (it is also a full-featured DHCP client
for v4, but I'm personally only using it for v6). Unlike some alternatives
it is actively maintained upstream by a responsive developer.

[...]

re1: IAID <>
pppoe0: IAID 00:00:00:01
pppoe0: IAID 00:00:00:02
pppoe0: no useable IA found in lease
pppoe0: dhcp6_readlease: /var/db/dhcpcd-pppoe0.lease6: No such process
pppoe0: soliciting a DHCPv6 lease
athn0: IAID <>
athn1: IAID <>
pppoe0: ADV 2a01:36d:300:<>::/64 from fe80::5dd9:bcc7:cbab:8bb8
pppoe0: REPLY6 received from fe80::5dd9:bcc7:cbab:8bb8
re1: adding address 2a01:36d:300:<1>::1/72
athn0: preferring 2a01:36d:300:<1>::1/72 on re1
athn1: preferring 2a01:36d:300:<1>::1/72 on re1
pppoe0: renew in 302400 seconds, rebind in 483840 seconds
pppoe0: adding reject route to 2a01:36d:300:<>::/64 via ::1
athn0: adding route to 2a01:36d:300:<1>::/72
forked to background, child pid 346

[...]

Do I understand it correctly, that this should delegate each interface a
/72, while leaving pppoe0's autoconf[privacy]'d addresses intact?

So turns out, that if I request anything other than sla_id 0 or 1, I get
another subnet, but with a /72 prefix. Also, using:
ia_pd 1 re1/1 athn0/2 athn1/3
... resulted in the same subnet/prefix sent to me, for all interfaces.

For some reason I had to increment the sla_ids by 4 to get another
subnet. So:
ia_pd 1 re1/1 athn0/4 athn1/8
... actually worked, and got three different subnets, but all came with
a /72 prefix. And for some other reason, none of my devices (Linux,
Android, Chromecast...) would accept a /72 address advertised, so
although they all got a reply for their rtsol, they ignored it...

I'm now just requesting one PD, with sla_id 0, assigning that to re1,
bridging the athns and re1 together, and running rtadvd(8) on re1.


Daniel



A /72 should not work (and indeed does not work, as you found out)! The
smallest subnet (with the exception of a /127 or /128) is a /64. Your ISP is
doing The Wrong Thing (tm). Instead your ISP should provide you with a
/56 (for 256 subnets) or, even better, with a /48, where you would have
65536 subnets. The latter is the preferred standard, although some ISPs
do not understand the sheer size of IPv6, and therefore think that they
are wasting space handing out /48s. NANOG is full of discussions about
this.


See 
http://serverfault.com/questions/426183/how-does-ipv6-subnetting-work-and-how-does-it-differ-from-ipv4-subnetting 
for example.


Erik Jan.
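Stuart's description of prefix delegation and Daniel's experiments with sla_ids make the subnetting arithmetic worth seeing in code. The following is an added example, not code from the thread or from dhcpcd: it carves per-interface /64s out of a delegated prefix using the sla_id placement that dhcpcd's `ia_pd 1 re1/1 athn0/2 athn1/3` syntax implies (an assumption about the layout; the prefixes and interface names are constructed samples), and it rejects a /72 delegation, which is why the /72 addresses were ignored by Daniel's clients.

```python
"""Added example: split a DHCPv6-PD delegation into SLAAC-capable /64s.

Not from the thread or from dhcpcd. Assumes the sla_id occupies the bits
between the delegation boundary and bit 64, which is the conventional
layout; sample prefixes below are constructed (RFC 3849 documentation space).
"""
import ipaddress

SLAAC_PREFIX_LEN = 64  # RFC 4862 stateless autoconf requires exactly /64


def subnet_for(delegated: str, sla_id: int) -> ipaddress.IPv6Network:
    """Return the /64 with site-level aggregator id `sla_id` inside `delegated`.

    Raises ValueError when the delegation is longer than /64 (no /64 fits,
    so clients doing SLAAC will ignore the advertised prefix) or when
    sla_id does not fit in the bits the delegation leaves free.
    """
    pd = ipaddress.IPv6Network(delegated, strict=True)
    if pd.prefixlen > SLAAC_PREFIX_LEN:
        raise ValueError(f"{pd} is longer than /64; SLAAC clients will ignore it")
    sla_bits = SLAAC_PREFIX_LEN - pd.prefixlen
    if sla_id < 0 or sla_id >= (1 << sla_bits):
        raise ValueError(f"sla_id {sla_id} needs more than {sla_bits} bits in {pd}")
    # bits 0..63 of the network address are zero, so shifting sla_id by 64
    # places it directly below the delegated prefix bits.
    base = int(pd.network_address)
    return ipaddress.IPv6Network((base + (sla_id << 64), SLAAC_PREFIX_LEN))


def plan(delegated: str, iface_sla: dict[str, int]) -> dict[str, str]:
    """Map interface -> /64, mirroring dhcpcd's 'ia_pd N iface/sla_id' list."""
    return {iface: str(subnet_for(delegated, sla)) for iface, sla in iface_sla.items()}


def subnet_count(delegated: str) -> int:
    """How many /64s a delegation contains: /48 -> 65536, /56 -> 256, /72 -> 0."""
    pd = ipaddress.IPv6Network(delegated)
    if pd.prefixlen > SLAAC_PREFIX_LEN:
        return 0
    return 1 << (SLAAC_PREFIX_LEN - pd.prefixlen)


if __name__ == "__main__":
    # A /56 delegation (constructed) with the interface list from the thread.
    good = "2001:db8:abcd:100::/56"
    print(f"{good}: {subnet_count(good)} usable /64s")
    for iface, net in plan(good, {"re1": 1, "athn0": 2, "athn1": 3}).items():
        print(f"  {iface}: {net}")

    # The /72 the ISP handed out: nothing SLAAC-capable can be carved out.
    bad = "2001:db8:abcd:100::/72"
    print(f"{bad}: {subnet_count(bad)} usable /64s")
    try:
        subnet_for(bad, 0)
    except ValueError as exc:
        print(f"  {exc}")
```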



Re: OpenBSD on Fiber

2015-08-30 Thread obsd
Using an HP ProLiant MicroServer N40 as firewall will get you enough
bandwidth at a very reasonable price (approx. 200 Euro). My 500 Mbit/s link
can be fully saturated both down- and uplink.
Firewalling something like 10 VLANs (using a dedicated em interface for
egress, and bge for the VLANs) works well. I did some tests for maximum
bandwidth and I got to the maximum 1 Gbit/s with a rather long pf ruleset. Get
away from vmware for your firewall as others already suggested.



Re: Interface sequencing

2014-11-05 Thread obsd
Stefan Olsson schreef op 5-11-2014 om 16:48:
>> That needs to go in a dhclient config file, you'll need different config
>> files for each interface and run dhclient from a hostname.if line like
>> "!dhclient -c /etc/dhclient-nogw em0".
> is it not enough to just append the following to /etc/dhclient.conf?:
>
> interface "em0" {
> ignore routers;
> }
You will get dns pushed though, and I doubt if you want to use the
internal or the external ones...



Are there any default password managers in OpenBSD?

2013-12-04 Thread obsd, cgi
So I know the rule.. only remember a few very very long passwords (ex.:
based on several words and a few special chars), and keep the rest of the
passwords in a password manager (those aren't remembered and extreme long).

But this gets me to 2 questions:

- Are there any default password managers in OpenBSD (console/GUI based)?
Or are there only ones from ports that are not very audited? What is the advice
on where to store the pwd's?

- Are there any best practices to generate a password that is kept in a
password manager, so ex.: 128 chars long with special/random chars, etc.?

Thanks for your time



Re: is zeroing CRYPT needed?

2013-12-04 Thread obsd, cgi
Thanks everyone, now I understand!

have a nice day! :) :)


2013/11/26 Ted Unangst 

> On Tue, Nov 26, 2013 at 09:49, obsd, cgi wrote:
> > Wouldn't it be much easier that before I create the bioctl softraid
> CRYPTO
> > I would dd zero the physical disk for the first.. dunno, 10 MBytes?
>
> Putting zeroes on the outside of an encrypted partition does not put
> zeroes on the inside of the encrypted partition.



Re: is zeroing CRYPT needed?

2013-11-26 Thread obsd, cgi
Wouldn't it be much easier that before I create the bioctl softraid CRYPTO
I would dd zero the physical disk for the first.. dunno, 10 MBytes?


2013/11/25 Nick Holland 

> On 11/25/13 04:07, obsd, cgi wrote:
> > according to:
> > http://www.openbsd.org/cgi-bin/man.cgi?query=bioctl
> >
> > dd if=/dev/zero of=/dev/rsd3c bs=1m count=1
> >
> > is needed. but Why?
> >
>
> I've actually found it more useful to zero the raw RAID partition than
> the "assembled" softraid "disk".  This takes care of the case where
> previous softraid disks had been created, which can be quite frustrating
> when they pop up again unexpectedly.
>
> That's from experience...haven't been able to convince the softraid
> developers, so I suspect there's something to *also* zeroing the
> assembled disk.
>
> It takes but a couple seconds to do.  Just do it.
>
> Nick.



is zeroing CRYPT needed?

2013-11-25 Thread obsd, cgi
according to:
http://www.openbsd.org/cgi-bin/man.cgi?query=bioctl

dd if=/dev/zero of=/dev/rsd3c bs=1m count=1

is needed. but Why?



apache bug?

2013-10-15 Thread obsd, cgi
http://i.imgur.com/9SJOrhq.png

In the directory listing the ISO file looks like ~40 MByte, but the reality
is 4 GBytes. What could the problem be? Or I should use nginx since apache
will be obsolete? :)

Thanks!



Re: GNOME on OpenBSD 5.3 amd64

2013-10-15 Thread obsd, cgi
I installed XFCE4. It works :) BIG THANKS!


2013/10/10 Richard Toohey 

> On 10/10/13 18:13, obsd, cgi wrote:
>
>> Hi!
>>
>> "External tutorial for 4.8 vs. official documentation for 5.3.
>> This leads to the nonsense you've done to your 5.3 system below."
>>
>> -->>
>>
>> I went to openbsd.org, typed GNOME in the search form:
>> - the first hit was a PDF from 2007
>> - all the remaining were regarding packages
>>
>> What now? Can you please point out where is the "official GNOME install
>> documentation for 5.3"? or no one uses GNOME with 5.3 on the misc list?
>>
>> ps.: I found that other people have problems with GNOME on 5.3, maybe it's
>> a bug? (
>> http://community.spiceworks.com/topic/349701-gnome-on-openbsd-5-3-amd64 )
>>
>> Thanks
>>
>> UPDATE: oh, ok I just read the bottom part: "don't use virtualbox." - so
>> the bug comes out when using virtualbox?, ok, Thanks! I will try it with
>> other VM's or directly!
>>
>>
>> 2013/10/9 Jérémie Courrèges-Anglas 
>>
>>  "obsd, cgi"  writes:
>>>
>>>  I tried to install GNOME on OpenBSD 5.3 amd64 for Desktop use (on
>>>> VirtualBox), see the howto below.
>>>>
>>>> But after the howto, reboot, startx with a normal user:
>>>> https://i.imgur.com/MaT8lcW.png
>>>>
>>>> Xorg.0.log
>>>> https://pastee.org/p8ppa
>>>>
>>>> # original:
>>>>
>>>> http://www.gabsoftware.com/tips/tutorial-install-gnome-desktop-and-gnome-display-manager-on-openbsd-4-8/
>>
>>> External tutorial for 4.8 vs. official documentation for 5.3.
>>> This leads to the nonsense you've done to your 5.3 system below.
>>>
>>>> ---
>>>>
>>>> when installing:
>>>> -g*
>>>>
>>>> ---
>>>>
>>>> echo 'export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/5.3/packages/amd64/' >> ~/.profile; . ~/.profile
>>>> pkg_add -i -vv gnome-session gdm
>>>> # if there was "Can't install foo" message, try the pkg_add line again
>>>>
>>>> ---
>>>>
>>>> vi /etc/rc.local
>>>>
>>>> Append/modify the following lines in /etc/rc.local:
>>>>
>>>> if [ -x /usr/local/sbin/gdm ]; then
>>>> echo -n ' gdm'; (sleep 5; /usr/local/sbin/gdm) &
>>>> fi
>>>>
>>>> ---
>>>>
>>>> echo 'exec gnome-session' > /root/.xinitrc; chmod +x /root/.xinitrc
>>>> exit
>>>> echo 'exec gnome-session' > .xinitrc; chmod +x .xinitrc
>>>>
>>>> ---
>>>>
>>>> pkg_add -i -vv metacity
>>>> pkg_add -i -vv gnome-panel
>>>> pkg_add -i -vv nautilus
>>>>
>>>> ---
>>>>
>>>> vi /etc/rc.conf.local
>>>>
>>>> Append/modify the following lines :
>>>>
>>>> xdm_flags=NO
>>>> gnome_enable=YES
>>>> gdm_enable=YES
>>>>
>>>> ---
>>>>
>>>> pkg_add -i -vv gnome-terminal gnome-control-center gnome-menus
>>>> gnome-settings-daemon gnome-themes-standard
>>>> # for some reason, these aren't found: gnome-themes-extras gnome-utils
>>>> gnome-applets2 gnome-system-monitor gnome-nettool
>>>>
>>>> ---
>>>>
>>>> So the question is anybody has a working howto for installing GNOME on
>>>> OpenBSD?
>>>>
>>> Just so that Antoine doesn't feel forced to send another mail about this
>>> recurring subject: pkg_add gnome, *read* the various readmes, don't use
>>> virtualbox.
>>>
>> Did you look in the archives - e.g. marc.info is a good place to search?
>
> e.g.
>
>
> http://marc.info/?l=openbsd-misc&m=135275664028541&w=2
>
> Don't use Gnome on OpenBSD these days, but used to without problems.
>
>
>>> --
>>> jca | PGP: 0x06A11494 / 61DB D9A0 00A4 67CF 2A90  8961 6191 8FBF 06A1
>>> 1494



Re: USB ethernet for OpenBSD

2013-10-15 Thread obsd, cgi
So I bought a digitus dn-10050, it works!! BIG THANKS!

# uname -a
OpenBSD .foo 5.3 GENERIC#50 i386
#
# dmesg|grep -i axe | sort -u
axe0 at uhub0 port 4 configuration 1 interface 0 "ASIX Electronics
AX88772A" rev 2.00/0.01 addr 3
axe0: AX88772, address 00:10:a3:XX:XX:XX
ukphy0 at axe0 phy 16: Generic IEEE 802.3u media interface, rev. 1: OUI
0x000ec6, model 0x0006
#

Only problem that after a reboot I have to re-plug the RJ45 because there
will be no link.



2013/10/4 Janne Johansson 

> I bought two blue $2 usb-eth from china, they did not work on obsd, but
> similar stuff (UNKNOWN4 in usbdevs) is available, so if anyone wants one,
> we can try to whip up a working driver together.
> The closest thing seems to be axe(4), except the current supported chip is
> named 96xx-something and mine is marked 9700.
>
> I still think I got what I paid for though. 8^D
>
>
>
> 2013/10/3 alexey.kurin...@gmail.com 
>
> > I want to buy D-Link DUB-E100, in man AXE(4) they listed, but not tested
> > myself. I can reply when got it.
> >
> >
> > On 10/04/13 00:27, Joseph A Borg wrote:
> >
> >> Hi!
> >>
> >>>
> >>> Can someone please mention a working USB to Ethernet adapter for
> OpenBSD
> >>> 5.3? (anybody has a working one and can share the name of it?)
> >>>
> >>> It doesn't need to be Gbit big... just a 10/100 would be more than
> >>> enough..
> >>>
> >>> +1 if it could be bought from:
> >>>
> >>> http://www.ebay.co.uk/
> >>>
> >>> Many Thanks, have a nice day!
> >>>
> >>
> >
>
>
> --
> May the most significant bit of your life be positive.



Re: GNOME on OpenBSD 5.3 amd64

2013-10-09 Thread obsd, cgi
Hi!

"External tutorial for 4.8 vs. official documentation for 5.3.
This leads to the nonsense you've done to your 5.3 system below."

-->>

I went to openbsd.org, typed GNOME in the search form:
- the first hit was a PDF from 2007
- all the remaining were regarding packages

What now? Can you please point out where is the "official GNOME install
documentation for 5.3"? or no one uses GNOME with 5.3 on the misc list?

ps.: I found that other people have problems with GNOME on 5.3, maybe it's
a bug? (
http://community.spiceworks.com/topic/349701-gnome-on-openbsd-5-3-amd64 )

Thanks

UPDATE: oh, ok I just read the bottom part: "don't use virtualbox." - so
the bug comes out when using virtualbox?, ok, Thanks! I will try it with
other VM's or directly!


2013/10/9 Jérémie Courrèges-Anglas 

> "obsd, cgi"  writes:
>
> > I tried to install GNOME on OpenBSD 5.3 amd64 for Desktop use (on
> > VirtualBox), see the howto below.
> >
> > But after the howto, reboot, startx with a normal user:
> > https://i.imgur.com/MaT8lcW.png
> >
> > Xorg.0.log
> > https://pastee.org/p8ppa
> >
> > # original:
> >
>
> > http://www.gabsoftware.com/tips/tutorial-install-gnome-desktop-and-gnome-display-manager-on-openbsd-4-8/
>
> External tutorial for 4.8 vs. official documentation for 5.3.
> This leads to the nonsense you've done to your 5.3 system below.
>
> > ---
> >
> > when installing:
> > -g*
> >
> > ---
> >
> > echo 'export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/5.3/packages/amd64/' >> ~/.profile; . ~/.profile
> > pkg_add -i -vv gnome-session gdm
> > # if there was "Can't install foo" message, try the pkg_add line again
> >
> > ---
> >
> > vi /etc/rc.local
> >
> > Append/modify the following lines in /etc/rc.local:
> >
> > if [ -x /usr/local/sbin/gdm ]; then
> > echo -n ' gdm'; (sleep 5; /usr/local/sbin/gdm) &
> > fi
> >
> > ---
> >
> > echo 'exec gnome-session' > /root/.xinitrc; chmod +x /root/.xinitrc
> > exit
> > echo 'exec gnome-session' > .xinitrc; chmod +x .xinitrc
> >
> > ---
> >
> > pkg_add -i -vv metacity
> > pkg_add -i -vv gnome-panel
> > pkg_add -i -vv nautilus
> >
> > ---
> >
> > vi /etc/rc.conf.local
> >
> > Append/modify the following lines :
> >
> > xdm_flags=NO
> > gnome_enable=YES
> > gdm_enable=YES
> >
> > ---
> >
> > pkg_add -i -vv gnome-terminal gnome-control-center gnome-menus
> > gnome-settings-daemon gnome-themes-standard
> > # for some reason, these aren't found: gnome-themes-extras gnome-utils
> > gnome-applets2 gnome-system-monitor gnome-nettool
> >
> > ---
> >
> > So the question is anybody has a working howto for installing GNOME on
> > OpenBSD?
>
> Just so that Antoine doesn't feel forced to send another mail about this
> recurring subject: pkg_add gnome, *read* the various readmes, don't use
> virtualbox.
>
> --
> jca | PGP: 0x06A11494 / 61DB D9A0 00A4 67CF 2A90  8961 6191 8FBF 06A1 1494



GNOME on OpenBSD 5.3 amd64

2013-10-09 Thread obsd, cgi
I tried to install GNOME on OpenBSD 5.3 amd64 for Desktop use (on
VirtualBox), see the howto below.

But after the howto, reboot, startx with a normal user:
https://i.imgur.com/MaT8lcW.png

Xorg.0.log
https://pastee.org/p8ppa

# original:
http://www.gabsoftware.com/tips/tutorial-install-gnome-desktop-and-gnome-display-manager-on-openbsd-4-8/
---

when installing:
-g*

---

echo 'export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/5.3/packages/amd64/' >> ~/.profile; . ~/.profile
pkg_add -i -vv gnome-session gdm
# if there was "Can't install foo" message, try the pkg_add line again

---

vi /etc/rc.local

Append/modify the following lines in /etc/rc.local:

if [ -x /usr/local/sbin/gdm ]; then
echo -n ' gdm'; (sleep 5; /usr/local/sbin/gdm) &
fi

---

echo 'exec gnome-session' > /root/.xinitrc; chmod +x /root/.xinitrc
exit
echo 'exec gnome-session' > .xinitrc; chmod +x .xinitrc

---

pkg_add -i -vv metacity
pkg_add -i -vv gnome-panel
pkg_add -i -vv nautilus

---

vi /etc/rc.conf.local

Append/modify the following lines :

xdm_flags=NO
gnome_enable=YES
gdm_enable=YES

---

pkg_add -i -vv gnome-terminal gnome-control-center gnome-menus
gnome-settings-daemon gnome-themes-standard
# for some reason, these aren't found: gnome-themes-extras gnome-utils
gnome-applets2 gnome-system-monitor gnome-nettool

---

So the question is anybody has a working howto for installing GNOME on
OpenBSD?

Thanks



USB ethernet for OpenBSD

2013-10-02 Thread obsd, cgi
Hi!

Can someone please mention a working USB to Ethernet adapter for OpenBSD
5.3? (anybody has a working one and can share the name of it?)

It doesn't need to be Gbit big... just a 10/100 would be more than enough..

+1 if it could be bought from:

http://www.ebay.co.uk/

Many Thanks, have a nice day!



Premature end of script headers error with CGI

2013-09-02 Thread obsd, cgi
http://unix.stackexchange.com/questions/88062/how-to-enable-cgi-in-openbsd

How could someone use a CGI (with a shell script) on OpenBSD? What could
the problem be?

The CGI is this:

# cat /var/www/htdocs/cgi-bin/SEARCH.cgi
#!/bin/sh
# the interpreter line was missing; the interpreter it names must also
# exist under httpd's chroot (/var/www) for the server to run the script
printf "Content-type: text/html\n\n"
printf hi

but it keeps saying:


# cat /var/www/logs/error_log
[Mon Aug 26 10:09:13 2013] [error] [client 10.0.2.2] Premature end of
script headers: /htdocs/cgi-bin/SEARCH.cgi
#


yes, I tried many things..(permissions looks good, printf binary copied to
chroot, httpd.conf looks ok..) several hours of pain.. can someone post a
howto/URL?

Thanks, have a better day :)
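The following is an added example, not code from the thread: a small Python check that does outside the web server what Apache does before it logs "Premature end of script headers". It runs a CGI script with a minimal CGI environment and verifies that the output starts with a header block ended by a blank line, and it reports the case where the file cannot be executed at all (no `#!` line, or an interpreter missing from the server's chroot). The temp paths and both sample scripts are constructed; the second one is the thread's two-line script with an interpreter line added.

```python
import os
import subprocess
import tempfile

# Added example, not code from the thread: reproduce outside the web server
# the check Apache makes before it logs "Premature end of script headers".
# A CGI program must write a header block (Name: value lines) ended by an
# empty line before any body; the server must also be able to execute the
# file at all, which for a shell script means a '#!' line naming an
# interpreter that exists where the server runs (inside its chroot on
# OpenBSD).


class CgiHeaderError(ValueError):
    """The output did not begin with a complete, well-formed header block."""


def parse_cgi_output(raw):
    """Split raw CGI output into (headers, body).

    Raises CgiHeaderError on the conditions a server treats as a premature
    end of headers: no terminating blank line, a line that is not
    'Name: value', or none of Content-type / Location / Status present.
    """
    headers = {}
    rest = raw
    while True:
        nl = rest.find(b"\n")
        if nl < 0:
            raise CgiHeaderError("no blank line terminates the header block")
        line, rest = rest[:nl].rstrip(b"\r"), rest[nl + 1:]
        if line == b"":
            break
        name, sep, value = line.partition(b":")
        name = name.strip()
        if not sep or not name or b" " in name or b"\t" in name:
            raise CgiHeaderError("malformed header line: %r" % line)
        headers[name.lower().decode("latin-1")] = value.strip().decode("latin-1")
    if not ({"content-type", "location", "status"} & set(headers)):
        raise CgiHeaderError("no Content-type, Location or Status header")
    return headers, rest


def run_cgi(script_path, query=""):
    """Execute a CGI script with a minimal CGI/1.1 environment and parse
    whatever it writes to stdout."""
    env = {"GATEWAY_INTERFACE": "CGI/1.1", "REQUEST_METHOD": "GET",
           "QUERY_STRING": query, "SCRIPT_NAME": os.path.basename(script_path),
           "PATH": "/bin:/usr/bin"}
    try:
        proc = subprocess.run([script_path], env=env, capture_output=True,
                              timeout=10)
    except OSError as exc:
        # ENOEXEC: no '#!' line (or the interpreter it names is missing)
        raise CgiHeaderError("cannot execute %s: %s" % (script_path, exc))
    return parse_cgi_output(proc.stdout)


def write_script(body):
    """Write a constructed CGI script into a fresh temp directory."""
    path = os.path.join(tempfile.mkdtemp(), "SEARCH.cgi")
    with open(path, "w") as fh:
        fh.write(body)
    os.chmod(path, 0o755)
    return path


# Constructed scripts: the two lines from the thread without an interpreter
# line, and the same script with one added.
SCRIPT_NO_SHEBANG = 'printf "Content-type: text/html\\n\\n"\nprintf hi\n'
SCRIPT_FIXED = "#!/bin/sh\n" + SCRIPT_NO_SHEBANG


def demo():
    """Run both scripts; returns {label: ("ok", content-type, body) or
    ("error", message)}."""
    results = {}
    for label, body in (("no_shebang", SCRIPT_NO_SHEBANG),
                        ("fixed", SCRIPT_FIXED)):
        try:
            headers, body_out = run_cgi(write_script(body))
            results[label] = ("ok", headers["content-type"], body_out)
        except CgiHeaderError as exc:
            results[label] = ("error", str(exc))
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

Running the script by hand this way separates the two failure classes the server lumps together: an exec failure (interpreter line or chroot contents) and output that simply does not start with headers.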



WPA2 AES on OpenBSD

2012-09-18 Thread obsd, wifi
I have an OpenBSD 5.1 i386 installed. I have no GUI/X. I googled for the
answer but I can't find authentic one. How can I connect to a WPA2 PSK/AES
wifi network using only the terminal? (so I don't have a "network manager"
to simply select the given SSID, then enter passphare)

Thanks for the short help, IMHO a lot of you configure wireless through
terminal..

Thanks!



Re: sshguard

2012-07-26 Thread obsd
SshGuard is just a layer of the onion.
Not the sole solution.
Most methods you can, with certain degrees of effort and stubbornness,
circumvent or break.

/hasse

-Original message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of David
Diggles
Sent: 26 July 2012 05:57
To: misc@openbsd.org
Subject: Re: sshguard

How secure is the principle of log sucking for anything more than stats?
The inherent assumptions are risky I would think.

I mean, if someone could deliberately craft certain strings with spaces or
tabs that get passed, then they could subvert the sucking script.

There is an absolute reliance on the syslog behaving in a certain way under
all conditions!

On Wed, Jul 25, 2012 at 09:50:40AM -0600, Chris Lobkowicz wrote:
>
> sshguard prefers to use the "log-sucker" way of parsing authlog. I
> don't even have a mention of sshguard in syslog.conf.
>
> the rc script just basically daemonises sshguard, and points it at
> /var/log/authlog
>
> # /etc/rc.d/sshguard
> daemon="/usr/local/sbin/sshguard"
> # REALLY Touchy version
> daemon_flags="-a 3 -l /var/log/authlog -w /var/db/sshguard/friends.db -b 5:/var/db/sshguard/blacklist.db"
> # Less Touchy Version
> #daemon_flags="-l /var/log/authlog -w /var/db/sshguard/friends.db -b 5:/var/db/sshguard/blacklist.db"
>
> . /etc/rc.d/rc.subr
>
> rc_bg=YES
> rc_reload=NO
>
> rc_cmd $1
>
>
> sshguard documentation on their website is quite thorough on how to
> install/use. The documentation on how to tweak is a little lacking though.
>
> All that is missing from an install of sshguard is the required
> entries into pf.conf, and which log files to monitor in the rc script.
>
> Works very, very well I might add.
>
> Good luck!
>
> Cheers
> Chris
>
>
>
>
>
>
> On 25/07/2012 08:04, Otto Moerbeek wrote:
> > On Wed, Jul 25, 2012 at 02:25:44PM +0200, Hasse Hansson wrote:
> >
> >> Hello all.
> >> # uname -a
> >> OpenBSD odin.thorshammare.org 5.2 GENERIC#13 i386
> >>
> >> sshguard-1.5
> >> Are we not supposed to use the entry in /etc/syslog.conf any more ?
> >> " auth.info;authpriv.info |/usr/local/sbin/sshguard "
> >>
> >> I get a message on my console saying:
> >> syslogd: unknown priority name "info   |/usr/local/sbin/sshguard"
> >>
> >> The info about the syslog.conf entry seems to be gone in the
> >> install message too.
> >>
> >> All the best
> >> Hasse
> >
> > syslog is very picky about the difference between spaces and tabs.
> > Always use one or more tabs.
> >
> > -Otto
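David's objection above is about trust in the parser, not in sshd: the one field of an authentication failure line that the remote side chooses (the username) ends up in the middle of the message, so a parser that locates the source address loosely can be steered by it. The block below is an added example, not code from the thread or from sshguard, that parses sshd failure lines in authlog while relying only on the fixed parts of the line (the syslog prefix and the `from <addr> port <n>` that sshd appends at the end) and validates the address, with a careless pattern beside it for comparison and a simple per-address threshold. The log lines are constructed (host "mx", documentation address ranges); the last one has a username field that itself contains log-like text.

```python
import ipaddress
import re
from collections import Counter

# Added example, not part of the thread or of sshguard: a parser for sshd
# authentication failures in authlog that relies only on the fixed parts of
# the line.  The username is chosen by the remote side and ends up inside
# the message, so the parser must never let it decide which address is
# reported; the address sshd appends at the end of the line is the one to
# trust.  The log lines below are constructed.

# syslog prefix written by syslogd: "Mon DD HH:MM:SS host sshd[pid]: msg"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# sshd puts "from <addr> port <port> [ssh2]" at the very end of the message.
# The greedy .* anchored to $ means the LAST "from ... port ..." wins,
# whatever text the username carried.
FAIL_TAIL_RE = re.compile(
    r"^(?:Failed (?:password|publickey|keyboard-interactive/pam) for"
    r"|Invalid user) .* from (?P<ip>\S+) port (?P<port>\d+)(?: ssh2)?$"
)

# A careless pattern for comparison: non-greedy, so the FIRST "from" wins.
NAIVE_RE = re.compile(r"Failed password for .*? from (\S+)")


def parse_failure(line):
    """Return {'ts','host','ip','port'} for an authentication failure line,
    or None for anything else (including lines whose trailing address does
    not parse as an IP address)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    t = FAIL_TAIL_RE.match(m.group("msg"))
    if not t:
        return None
    try:
        ip = ipaddress.ip_address(t.group("ip"))
    except ValueError:
        return None
    return {"ts": m.group("ts"), "host": m.group("host"),
            "ip": str(ip), "port": int(t.group("port"))}


def naive_source(line):
    """What a loosely written parser would report as the source address."""
    m = NAIVE_RE.search(line)
    return m.group(1) if m else None


def offenders(lines, threshold=3):
    """Addresses with at least `threshold` parsed failures, sorted."""
    counts = Counter()
    for line in lines:
        rec = parse_failure(line)
        if rec:
            counts[rec["ip"]] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


# Constructed authlog excerpt.  The username in the last line contains text
# shaped like the end of a log line; the real peer is 203.0.113.9.
AUTHLOG = """\
May 26 02:13:12 mx sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
May 26 02:13:15 mx sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
May 26 02:13:19 mx sshd[1205]: Failed password for root from 203.0.113.5 port 51240 ssh2
May 26 02:14:02 mx sshd[1210]: Accepted publickey for hasse from 192.0.2.10 port 40000 ssh2
May 26 02:15:40 mx sshd[1220]: Failed password for invalid user root from 192.0.2.10 port 22 ssh2 from 203.0.113.9 port 51300 ssh2
"""
LINES = AUTHLOG.splitlines()

if __name__ == "__main__":
    print("anchored:", parse_failure(LINES[4])["ip"])   # 203.0.113.9
    print("naive:   ", naive_source(LINES[4]))          # 192.0.2.10
    print("offenders:", offenders(LINES))               # ['203.0.113.5']
```

The same structure-first rule applies to Otto's point about syslog.conf: the parser keys on what the daemon writes (a fixed prefix and a fixed tail), never on free text in between, and it drops lines it cannot fully account for rather than guessing.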



Re: sshguard

2012-07-25 Thread obsd
-Original message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of Chris
Lobkowicz
Sent: 26 July 2012 01:26
To: misc@openbsd.org
Subject: Re: sshguard

I use both. Sshguard seems to catch a lot, and the subsequent pf ruleset for
max-src-conn seems to catch a fair bit as well.

Here is a snip of my pf.conf:
# SSHguard protection
table  persist
block in quick on em0 proto tcp from  to any port ssh label
"sshguard"

# Bruteforce Protection
table  persist counters
block log (all) quick from 
pass log (all) proto tcp to port ssh keep state (max-src-conn 5,
max-src-conn-rate 5/120, overload )


As for the selectivity on services, I've never used it, so your mileage may
vary, but I do believe sshguard will monitor a service, and block the
offender on that service, and leave the other services access alone.


Let us know how it goes.
Cheers
Chris



On 25/07/2012 11:15, Alvaro Mantilla Gimenez wrote:
> Is it a better solution than pf rules based on max-src-conn and/or
> max-src-conn-rate?
>
> According to the documentation sshguard adds ip addresses to a
> table... so what about if I want to "selectively" block ip addresses
> to some services and let other services open? (i.e.: one ip offending
> ssh access but still I want to have smtp open for that ip). I can
> accomplish that with different tables/rules on pf...is there any way
> to differentiate IPs blocked by sshguard based on the offended service?
> (ssh, smtp,..).

I'm running both too :-) but with a slightly different twist on bruteforce
and a "catch all" on sshguard.

block in quick on egress from  label "sshguard"

Quote from their website : http://www.sshguard.net/docs/setup/firewall/pf/
Replace $ext_if with your WAN interface name if needed. Omit the proto tcp
and the to any port 22 segment if you want to block all the traffic from
attackers (not just ssh).

/hasse



Re: sshguard

2012-07-25 Thread obsd
-Original message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of Otto
Moerbeek
Sent: 25 July 2012 16:05
To: Hasse Hansson
Cc: misc@openbsd.org
Subject: Re: sshguard

On Wed, Jul 25, 2012 at 02:25:44PM +0200, Hasse Hansson wrote:

> Hello all.
> # uname -a
> OpenBSD odin.thorshammare.org 5.2 GENERIC#13 i386
>
> sshguard-1.5
> Are we not supposed to use the entry in /etc/syslog.conf any more ?
> " auth.info;authpriv.info |/usr/local/sbin/sshguard "
>
> I get a message on my console saying:
> syslogd: unknown priority name "info  |/usr/local/sbin/sshguard"
>
> The info about the syslog.conf entry seems to be gone in the install
> message too.
>
> All the best
> Hasse

syslog is very picky about the difference between spaces and tabs.
Always use one or more tabs.

-Otto

Thanks
Will try that

/hasse



Re: sshguard

2012-07-25 Thread obsd
-Original message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of Otto
Moerbeek
Sent: 25 July 2012 16:05
To: Hasse Hansson
Cc: misc@openbsd.org
Subject: Re: sshguard

On Wed, Jul 25, 2012 at 02:25:44PM +0200, Hasse Hansson wrote:

> Hello all.
> # uname -a
> OpenBSD odin.thorshammare.org 5.2 GENERIC#13 i386
>
> sshguard-1.5
> Are we not supposed to use the entry in /etc/syslog.conf any more ?
> " auth.info;authpriv.info |/usr/local/sbin/sshguard "
>
> I get a message on my console saying:
> syslogd: unknown priority name "info  |/usr/local/sbin/sshguard"
>
> The info about the syslog.conf entry seems to be gone in the install
> message too.
>
> All the best
> Hasse

syslog is very picky about the difference between spaces and tabs.
Always use one or more tabs.

-Otto


Problem solved.
A couple of tabs instead of spaces did the trick.
The program now get triggered and runs from syslog.conf

# ps -auxw | grep 'sshguard'
_syslogd 19094  0.0  0.0   860  1148 ??  I  7:00PM0:00.01
/usr/local/sbin/sshguard

Thanks a lot everybody.

/hasse



Re: Problem understanding portupgrade error message

2012-05-28 Thread obsd
-Original message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of Stuart
Henderson
Sent: 28 May 2012 13:42
To: misc@openbsd.org
Subject: Re: Problem understanding portupgrade error message

On 2012-05-27, Geir Svalland  wrote:
> Can't install p5-DBD-SQLite-1.35p0v0 because of libraries
>|library sqlite3.18.2 not found
>| /usr/lib/libsqlite3.so.18.0 (system): minor is too small
>| /usr/lib/libsqlite3.so.19.0 (system): bad major

The sqlite library in the base OS had the version number changed a couple of
times in quick succession, it will take a short while for packages to catch
up because they were built against the first version number. Wait a day or
two and try again.

> Full dependency tree is p5-Clone-0.31p1 p5-MLDBM-2.04
> p5-PlRPC-0.2018p1
> p5-SQL-Statement-1.33 p5-Params-Util-1.00p2 p5-Net-Daemon-0.43p0
> p5-DBI-1.616 p5-FreezeThaw-0.43p2
>
> Collision in p5-Geography-Countries-2009041301p0: the following files
> already exist
>
> /usr/local/libdata/perl5/site_perl/Geography/Countries.pm from
> p5-Geography-Countries-2009041301p0 (same checksum)
>
> Can't install p5-IP-Country-2.27p0: can't resolve
> p5-Geography-Countries-2009041301p0

I don't understand that, output from pkg_add -vv -ui might help.

Excellent.
That did the trick. Thank you very much.
It really got verbose, and even offered to repair my missing package
registrations.
Problems gone. Only The sqlite library left and will follow your advice on
that one too.

/Hasse



Re: spamd greylisting: false positives

2012-05-27 Thread obsd
-Original message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of David
Diggles
Sent: 28 May 2012 03:54
To: misc@openbsd.org
Subject: Re: spamd greylisting: false positives

Ok, I searched calomel and had a good laugh.

"smells like calomel"

Grow up !

I recommended Calomel because that site gave me some good advice and
understanding of spamd.
First I tried Peter's site, with no up-to-date rules. Therefore I don't
recommend it.
Otherwise Peter is my kind of "Guru" but a bit focused on selling his books,
and therefore doesn't want to give away the full recipe for free.

As always, you can not expect copy and paste.
But a site that really made a difference for me and my use of spamd :
http://www.benzedrine.cx/relaydb.html

/hasse



Re: spamd greylisting: false positives

2012-05-27 Thread obsd
-Original message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of David
Diggles
Sent: 27 May 2012 02:53
To: misc@openbsd.org
Subject: Re: spamd greylisting: false positives

This may seem like a dead horse to some by now, but I am disappointed no one
replied to the msg, I supplied the detailed event information with
timestamps, regarding lists.openbsd.org mails not being whitelisted by spamd
when run in greylist mode.

RFC282, 4.5.4.1 Sending Strategy:

   The sender MUST delay retrying a particular destination after one
   attempt has failed.  In general, the retry interval SHOULD be at
   least 30 minutes; however, more sophisticated and variable strategies
   will be beneficial when the SMTP client can determine the reason for
   non-delivery.

   Retries continue until the message is transmitted or the sender gives
   up; the give-up time generally needs to be at least 4-5 days.  The
   parameters to the retry algorithm MUST be configurable.

Yet I have been advised not to mess with the default timings with -G option.
It looks to me like the retry intervals of lists.openbsd.org are not
sufficient to get it whitelisted by spamd.

I am well beyond assuming anything, and prepared to learn / accept any
constructive advice.

Can anyone confirm they have the following scenario?

* A clean installed OpenBSD 5.1 configured as a primary MX
* Clean spamd settings, clean /var/db/spamd
* Default spamd with no options
* Default spamlogd with no options
* The pf.conf uses spamd entries from the example pf.conf from etc.tgz
* No manual whitelist entry for lists.openbsd.org
* Incoming from lists.openbsd.org is eventually whitelisted by spamd

I am just trying to learn the cause, and I have been fully prepared to wear
egg on my face if my own configuration is causing the problem.  I have not
yet proven this is the case.

I believe I have checked everything anyone suggested to check.

I really don't want my next check be to roll back to 4.9 and see if
lists.openbsd.org will auto whitelist like it previously did.

In hope,
David

On Sat, May 26, 2012 at 01:19:38PM +1000, David Diggles wrote:
> Ok I am still not getting emails from lists.openbsd.org (so
> please if you reply, cc to me).
>
> I restarted spamd at this time after deleting /var/db/spamd and
> clearing the bypass tables in pf at this time:
>
> 2012-05-26 02:13:12 # /usr/libexec/spamd
>
> Here is the last message to make it to sendmail from misc:
>
> fgrep from= /var/log/maillog|fgrep owner-misc|tail -1|awk '{print $1,$2,$3}'
> May 26 01:54:35
>
> The pf rules for spamd I have are taken from the default pf.conf:
>
> pass in on egress inet proto tcp from any to any port = 25 flags S/SA rdr-to 127.0.0.1 port 8025
> pass in on egress proto tcp from  to any port = 25 flags S/SA
> pass in log on egress proto tcp from  to any port = 25 flags S/SA
> pass out log on egress proto tcp from any to any port = 25 flags S/S
>
> It is currently Sat May 26 12:54:31 EST 201
>
> Times of passed smtp connections for May 26:
>
> tcpdump -n -e -ttt -r /var/log/pflog 2>&1|fgrep ".25:"|fgrep 'May 26'|awk '{print $3}'
> 01:14:53.793995
> 04:17:11.846707
> 05:00:19.443080
> 05:15:01.487277
> 07:17:51.114440
> 09:35:58.120098
> 10:14:21.444822
> 11:53:33.611903
>
> So I will skip the first entry when I grep for the ip addresses, with
> a tail +2 because it occurred
> *before* I reset everything.
>
> tcpdump -n -e -ttt -r /var/log/pflog 2>&1|fgrep ".25:"|fgrep 'May 26'|awk '{print $10}'|tail +2|awk -F. '{print $1"."$2"."$3"."$4}'|sort -n
> 17.254.6.112
> 74.125.82.47
> 113.172.232.215
> 129.21.208.44
> 202.58.38.80
> 203.59.1.110
> 206.46.252.115
>
> I have the following tables.
>
> pfctl -s Tables
> nospamd
> spamd-white
>
> Confirming against the spamd-white table
>
> pfctl -t spamd-white -Ts
>17.254.6.112
>74.125.82.47
>113.172.232.215
>129.21.208.44
>202.58.38.80
>203.59.1.110
>206.46.252.115
>
> lists.openbsd.org = 192.43.244.163
>
> So nothing from misc has made it to sendmail since I emptied 
> and  on pf.conf
>
> These are all the attempts from lists.openbsd.org since I cleared the
> spamdb and pf tables.
>
> fgrep 192.43.244.163 /var/log/spamd|fgrep 'May 26'
> May 26 02:53:48 skitL spamd[25502]: 192.43.244.163: connected (1/0)
> May 26 02:54:00 skitL spamd[25502]: 192.43.244.163: disconnected after 12 seconds.
> May 26 03:00:24 skitL spamd[25502]: 192.43.244.163: connected (1/0)
> May 26 03:00:36 skitL spamd[25502]: 192.43.244.163: disconnected after 12 seconds.
> May 26 04:41:24 skitL spamd[25502]: 192.43.244.163: connected (1/0)
> May 26 04:41:36 skitL spamd[25502]: 192.43.244.163: disconnected after 12 seconds.
> May 26 05:04:19 skitL spamd[25502]: 192.43.244.163: connected (2/1)
> May 26 05:04:31 skitL spamd[25502]: 192.43.244.163: disconnected after 12 seconds.
> May 26 05:15:24 skitL spamd[25502]: 192.43.244.163: connected (1/0)
> May 26 05:15:36 skitL spamd[25502]: 192.43.244.163: dis

Re: spamd greylisting: false positives

2012-05-25 Thread obsd
-Original message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of David
Diggles
Sent: 25 May 2012 11:14
To: misc@openbsd.org
Subject: Re: spamd greylisting: false positives

I am now trying it with -G120:6:864

Although I can't think how to reproduce the problem in a controlled way,
other than wait and see what emails I don't get :/

On Fri, May 25, 2012 at 02:07:33AM -0500, Matthew Weigel wrote:
> On 25.05.2012 01:09, David Diggles wrote:
> >Can messages get dropped if mail servers fail to resend within time
> >interval, after receiving the initial temporary failure message?
>
> It's dropped when it's first received, and it will continue to get
> dropped until passtime minutes have passed.  If it is then received
> before greyexp hours have passed, it will be delivered and the remote
> host will be whitelisted for sending mail.  If greyexp hours pass
> without seeing that tuple again, the tuple is deleted and it's back to
> the beginning for that host.
>
> You reduced greyexp to 1 hour, which may well be causing your problems.
> --
>  Matthew Weigel
>  hacker
>  unique & idempot . ent

Hello

Not a behavior I can recognize.
I would recommend to start over the configuration from the beginning, after
checking the obvious system settings.
Standard settings should be fine as a starter. Later on, adjust to your
likings.
You can find some good instructions (explanations) here :
http://www.pantz.org/software/spamd/configspamd.html
https://calomel.org/spamd_config.html

Regards Hasse



Re: spamd greylisting: false positives

2012-05-25 Thread obsd
-Original message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of David
Diggles
Sent: 25 May 2012 11:14
To: misc@openbsd.org
Subject: Re: spamd greylisting: false positives

I am now trying it with -G120:6:864

Although I can't think how to reproduce the problem in a controlled way,
other than wait and see what emails I don't get :/

On Fri, May 25, 2012 at 02:07:33AM -0500, Matthew Weigel wrote:
> On 25.05.2012 01:09, David Diggles wrote:
> >Can messages get dropped if mail servers fail to resend within time
> >interval, after receiving the initial temporary failure message?
>
> It's dropped when it's first received, and it will continue to get
> dropped until passtime minutes have passed.  If it is then received
> before greyexp hours have passed, it will be delivered and the remote
> host will be whitelisted for sending mail.  If greyexp hours pass
> without seeing that tuple again, the tuple is deleted and it's back to
> the beginning for that host.
>
> You reduced greyexp to 1 hour, which may well be causing your problems.
> --
>  Matthew Weigel
>  hacker
>  unique & idempot . ent

Ahh...
Just struck me... Please check the syntax of your pf rules.
This is what's working for me :

table  persist

pass in log on egress proto tcp from  rdr-to 127.0.0.1 port smtp
pass in log on egress proto tcp from ! rdr-to 127.0.0.1 port spamd

/Hasse
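Matthew's description of the greylist rule (tempfail until passtime minutes have elapsed since the tuple's first attempt, forget the tuple if greyexp hours pass without a retry, whitelist the host on the first retry after passtime) can be checked against the retry times in the spamd log David quoted earlier in this thread. The block below is an added example, not spamd's code: it parses the `connected` lines from that log (the year is assumed to be 2012, as syslog lines carry none) and runs them through a model of the rule for spamd's default `-G25:4:864`, David's `-G120:6:864`, and a greyexp of one hour, the setting Matthew points at. Its one simplifying assumption is that all those attempts belong to one (address, helo, from, to) tuple.

```python
from datetime import datetime, timedelta
import re

# Added example; not spamd's code.  Models the greylisting rule as the
# thread describes it: first attempt for a tuple is tempfailed, retries are
# tempfailed until passtime minutes have passed since that first attempt,
# the first retry after that delivers and whitelists the host, and if
# greyexp hours pass without a retry the tuple is forgotten.  Assumption:
# every attempt below is the SAME tuple; spamd keys its entries on
# (address, helo, from, to), which spamdb(8) shows per entry.

# "connected" lines from the spamd log quoted in the thread.
SPAMD_LOG = """\
May 26 02:53:48 skitL spamd[25502]: 192.43.244.163: connected (1/0)
May 26 03:00:24 skitL spamd[25502]: 192.43.244.163: connected (1/0)
May 26 04:41:24 skitL spamd[25502]: 192.43.244.163: connected (1/0)
May 26 05:04:19 skitL spamd[25502]: 192.43.244.163: connected (2/1)
May 26 05:15:24 skitL spamd[25502]: 192.43.244.163: connected (1/0)
"""

CONNECT_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>[ \d]\d) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ spamd\[\d+\]: (?P<ip>[\d.]+): connected"
)


def connect_times(log, year=2012):
    """Timestamps of the 'connected' lines; the year is assumed."""
    times = []
    for line in log.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            stamp = "%d %s %s %s" % (year, m.group("mon"),
                                     m.group("day").strip(), m.group("time"))
            times.append(datetime.strptime(stamp, "%Y %b %d %H:%M:%S"))
    return times


def simulate(attempts, passtime=25, greyexp=4, whiteexp=864):
    """Verdict per attempt of one tuple under -Gpasstime:greyexp:whiteexp
    (spamd's units: minutes, hours, hours; defaults are spamd's).

    'grey-new'    tuple created, connection tempfailed
    'grey'        retry before passtime, tempfailed again
    'whitelisted' retry after passtime, delivered, host whitelisted
    'white'       host already whitelisted, spamd not involved
    """
    passtime = timedelta(minutes=passtime)
    greyexp = timedelta(hours=greyexp)
    whiteexp = timedelta(hours=whiteexp)
    first = None          # time the current grey tuple was created
    white_until = None    # end of the host's whitelist period
    verdicts = []
    for t in attempts:
        if white_until is not None and t < white_until:
            verdict = "white"
        elif first is None or t >= first + greyexp:
            first, verdict = t, "grey-new"
        elif t - first >= passtime:
            verdict, white_until, first = "whitelisted", t + whiteexp, None
        else:
            verdict = "grey"
        verdicts.append((t, verdict))
    return verdicts


def verdicts(attempts, **opts):
    """Just the verdict strings, in order."""
    return [v for _, v in simulate(attempts, **opts)]


if __name__ == "__main__":
    times = connect_times(SPAMD_LOG)
    for label, opts in (("defaults -G25:4:864", {}),
                        ("thread's -G120:6:864", {"passtime": 120, "greyexp": 6}),
                        ("greyexp cut to 1h", {"greyexp": 1})):
        print(label, verdicts(times, **opts))
```

Under all three parameter sets the model whitelists the host by 05:15, yet the quoted log shows the 05:15 connection still reaching spamd. On this model, then, the timings alone do not explain the symptom, and the single-tuple assumption is what to check first: `spamdb` lists each grey entry with its sender, recipient and times, so it shows directly whether the retries from lists.openbsd.org share one tuple.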



Re: Help setting up a PF NAT gateway

2011-10-10 Thread Mark (obsd)
Hi Stefan,

On Mon, Oct 10, 2011 at 10:38 AM, Stefan Midjich  wrote:

> Simplest of things but I'm failing miserably.
>
> ...
>
> With tcpdump I can see packets going to vic3, but no further.
>
>
Do you definitely have forwarding enabled?

# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=1

If that were 0 instead of 1, you'd get your symptoms.  Edit /etc/sysctl.conf
to enable forwarding if you haven't.

Regards,
Mark



Re: PF subdomain filtering

2010-12-16 Thread Mark (obsd)
On Thu, Dec 16, 2010 at 5:21 PM, Rafal Brodewicz  wrote:

> Hi.
>
> How can I pass with PF traffic from all subdomains, for example
> *.microsoft.com ?
>
>
You're thinking at the wrong layer.  PF doesn't care about *.microsoft.com.


> Thanks.
> --
> Rafal Brodewicz



Re: I can't mount HDDs

2009-04-07 Thread Mark - obsd list

Jose P.G wrote:

I swear that i am not a troll. I don't understand anything, LOL, why have to
be a troll? My questions are REAL, i haven't read the faq carefully, i only
seek for help (more fast, i think).

REALLY, i don't understand, when i was learning about Linux Debian i was
doing the same questions (though Linux is more easy for beginners), why this
mailing list is different? I repeat, i don't understand why i have to be a
troll.

"Thank you".
  


Jose, without trying to be too rude, if this is the mindset you're 
bringing to the table, you're in way over your head and should probably 
stick to learning Debian further (based on the questions you're asking 
here, you very definitely have _not_ learned Debian/linux yet).


Regards,
Mark



Re: I can't connect to Internet

2009-04-06 Thread Mark - obsd list

Jose P.G wrote:

Ok, Internet is working. But i have the same problem. The strange is that i
can connect to the ftps when i am installing openbsd4.4, but not when i am
doing this. pkg_path is correct so i suppose that i am making an error
writing, though all i do is "export pkg_path=
ftp://ftp.openbsd.org/ub/openbsd/4.4/packages/i386/"; and "pkg_add gnome2".

What could be doing this? Thank you very much.

  
I sure hope this is just a troll. He has written "OpenBSD" in just about 
every way that won't work and is ignoring everyone telling him 
repeatedly that he has to capitalize BSD.




Re: Sun M-class hardware denial of service

2008-09-10 Thread list-obsd-misc
My understanding of this issue is that it is only likely to be caused by an 
exploited domain, or running OpenBSD. Both should be a rare event (OpenBSD 
isn't really production-ready on this hardware). It's acceptable in the 
majority of cases to just let the domain be unused.

It's a bug, it's irritating, it should be fixed, but it's not a huge problem.



Re: Packet Filter: how to keep device names on hardware failure?

2008-08-22 Thread list-obsd-misc
> Question: How can I make sure that "em2" doesn't become "em0"
> if my dual-port NIC dies? This would be fatal for my firewall
> setup. At least the antispoof rules _must_ be bound to the
> network devices.

Yep, this is an ugly problem.

You could have a shell script at boot scan ifconfig output and associate NICs 
with their MAC addresses, adding appropriate macros to pf.conf.
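The following is an added example of that idea, not code from the thread. It parses ifconfig(8) output in OpenBSD's format, maps the MAC addresses you know to whatever names the kernel assigned at this boot, and turns the result into `pfctl -D macro=value` definitions so pf.conf can use `$ext_if` instead of `em0`. A card that is absent raises an error instead of letting a macro silently bind to the interface that inherited its name. The ifconfig output, the MAC addresses (documentation range) and the role names are constructed and hypothetical.

```python
import re

# Added example, not from the thread: resolve the interface names the kernel
# handed out at this boot from the MAC addresses you know, and emit pfctl -D
# macro definitions so pf.conf refers to $ext_if rather than to em0.  Meant
# to run from rc.local before the ruleset is loaded.  The ifconfig output
# below is constructed; MAC addresses and role names are hypothetical.

SAMPLE_IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:53:01
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5E:00:53:02
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33144
"""

IFACE_RE = re.compile(r"^(?P<name>[a-z]+\d+): flags=")
LLADDR_RE = re.compile(
    r"^\s+lladdr (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\b")


def parse_lladdrs(ifconfig_output):
    """{mac (lowercase): ifname}; interfaces without lladdr are skipped."""
    macs = {}
    current = None
    for line in ifconfig_output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group("name")
            continue
        m = LLADDR_RE.match(line)
        if m and current:
            macs[m.group("mac").lower()] = current
    return macs


def pf_macros(roles, macs):
    """roles maps a pf macro name to the MAC of the card that must play that
    role.  Returns {macro: ifname}.  A missing card raises KeyError so the
    ruleset is NOT loaded with a macro bound to whichever interface
    inherited the dead card's name."""
    out = {}
    for macro, mac in roles.items():
        mac = mac.lower()
        if mac not in macs:
            raise KeyError("%s: no interface has lladdr %s" % (macro, mac))
        out[macro] = macs[mac]
    return out


def pfctl_argv(macros, conf="/etc/pf.conf"):
    """Command line that loads pf.conf with the macros predefined."""
    argv = ["pfctl"]
    for macro, ifname in sorted(macros.items()):
        argv += ["-D", "%s=%s" % (macro, ifname)]
    return argv + ["-f", conf]


# Hypothetical roles: which physical card must be the outside and inside.
ROLES = {"ext_if": "00:00:5e:00:53:01", "int_if": "00:00:5e:00:53:02"}

if __name__ == "__main__":
    import subprocess
    import sys
    live = subprocess.run(["ifconfig"], capture_output=True, text=True).stdout
    try:
        print(" ".join(pfctl_argv(pf_macros(ROLES, parse_lladdrs(live)))))
    except KeyError as exc:
        sys.exit("refusing to load pf.conf: %s" % exc)
```

Refusing to load is the point: with the antispoof rules bound to names, the dangerous outcome after a card failure is a ruleset that loads cleanly against the wrong interface, and a boot-time check that stops rather than guesses is what prevents it.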



Re: Hardware recommendation for firewalls (more than 4 NICs)

2008-08-08 Thread list-obsd-misc
> So you expect additional reliability from stacking ebayed cisco equipment
> with OpenBSD bridges behind them, as the original poster mentioned, and cost
> effectiveness by buying used cisco equipment and paying for relicensing so
> that you can get updates, compared to setting up OpenBSD boxes as routers, I
> am not following the logic, and still think the original post was
> ridiculous. I understand the logic behind the no moving parts embedded
> solution ideas, but am I the only person whom has seen embedded equipment
> fail 2-4x more often than the Proliants behind them? I just don't think that
> embedded=reliable is a cut and dry equation.

Provided the Cisco boxes will failover to different bridges, I think that it 
would increase reliability. There are also many occasions where it is 
impractical to have an OpenBSD box terminate a link - T3, OC-12, etc. 

I explicitly mentioned that OpenBSD is much cheaper. One might get higher cost 
effectiveness in a few occasions (such as where the networking guys are 
clueless about OpenBSD).

Of course embedded != reliable, but there are many embedded systems available 
that provide much higher reliability than standard x86 systems.

Most Cisco routers I've seen do have moving parts - big fans.

You're probably not the only person to see such failure rates, but I expect 
new, well cared for Cisco routers have higher hardware reliability than new, 
well cared for Proliants. Other embedded equipment is very variable.

What embedded equipment were you talking about? 

The original post was ridiculous, but that doesn't make your reply accurate.



Re: Hardware recommendation for firewalls (more than 4 NICs)

2008-08-08 Thread list-obsd-misc
On Fri, Aug 08, 2008 at 06:54:05PM -0500, patric conant wrote:
> You strongly overestimate the value of your comments (3 cents), it seems
> like there are many places more appropriate than this one for you to suggest
> middle-of-the-road hardware running a proprietary OS that has among the
> worst security records in the industry.

Oh, god, Cisco vs  seems to degenerate 
into things like this.

IOS and IOS XR actually have quite a good security history - other Cisco 
software, no.

If you doubt me, actually look at the security record - oh, and be careful not 
to just compare OpenBSD's "only 2 remote holes in the default install" vs IOS - 
many (most) of the IOS vulnerabilities are for things that haven't been enabled 
by default on recent IOS images.

The general purpose computer parts of Cisco routers are "middle-of-the-road 
hardware" in speed; much (slow) embedded hardware is far more reliable than 
the 'PC' equivalent. 

Server hardware (you shouldn't run anything important on a PC -- use proper 
server hardware) + Linux/Solaris/NetBSD/FreeBSD/OpenBSD works well as a router 
and firewall. IOS on a Cisco router does as well. The *nix solution works well 
and is cheap, but in my experience it's still slightly less stable than the 
Cisco equivalent. More importantly in many ways, Cisco hardware is usually 
marginally more reliable (both are reliable) than server hardware. 

IOS, while a complete PITA, is easier to configure than plain *nix OSes for 
networking stuff - one does not have sprawling config files, and making a 
config change updates running-config, making it easy to save your changes; ip 
address 192.0.2.0 255.255.255.255;do wr m is much easier than ifconfig fxp0 
192.0.2.0/24;vi /etc/hostname.fxp0;. It's also much less error prone, 
which is important.

With things like Quagga/Zebra this advantage is eliminated, but both of those 
have problems far more frequently than IOS.

IOS is a lot easier to upgrade than any *nix - just copy the image,
reload. Downtime is short, though many of their routers boot slow. This
*could* be changed (I'm thinking something along the lines of Solaris
LU - but easier), but as of yet has not been.

But, it's *much* cheaper, and PF is vastly better than IOS's firewall.

Software routers struggle at high PPS; Cisco makes some nice hardware that can 
handle that. As does Juniper, and a few others.



Re: Any offshore OpenBSD hosting?

2008-06-18 Thread list-obsd-misc
> But if ISP's must have blackbox on their interfaces (hello FBI), then you can't
> trust your local hosting company even if they are very friendly ;-)

Cisco prefers a blueish-black color. Juniper boxes tend to be white and blue.

In most Western countries there are many ISPs; if many of them were forced to 
have, in secret, black boxes on their networks, it would soon be public that 
that is occurring.

Providers are, in many cases, being forced to allow, unmonitored, snooping by 
their governments - read up on CALEA. Hardware based routing platforms will be 
able to handle only a very small amount of traffic, the CPUs that are used in 
them tend to be very slow and even the fastest CPUs can route only a tiny 
amount of the traffic modern hardware-based routers can.

So, if the government wants to monitor YOU specifically, or occasionally 
monitor everyone, they might be able to do it via CALEA.

If I wished to monitor a large amount of people's traffic (not all - that's not 
technically feasible), I would try and use passive taps with the cooperation of 
major transit providers. If I was on a smaller budget, then I would just do 
that with some major telcos.  The NSA appears to have decided to use a hybrid 
approach. If I had very large amounts of money that I am willing to spend 
(well, government has lots of money, and it's not theirs, so why would they 
mind spending it?) I would do the same with cable providers (not the coax kind).

I would definitely try and avoid small ISPs and IXPs - high maintenance, high 
whining and very difficult to perform surveillance using them clandestinely. 
Laying a submarine cable is far more expensive than starting an ISP or IXP.

So, basically, you are being paranoid about the wrong things. 



Re: ssh-keygen not reading stdin as expected

2008-06-15 Thread list-obsd-misc
> Option -f filename, Filename of the key file, seems to be the right
> option and '-' is the usual way of indicating stdin.

So? Just use /dev/stdin.



OpenBGPD IPv6 problems

2008-05-09 Thread list-obsd-misc
I'm running OpenBSD 4.2 on SPARC64. I have managed to get a simple BGP setup 
working on IPv4, however the IPv6 version of the same setup fails. A BGP 
session is established in both cases and peer B claims to be announcing what it 
should be announcing, yet in the IPv6 version peer A does not add it to its RIB.

Host A:
AS: 64512
Loopback: 192.168.0.1 2001:db8::1
To B: 192.168.1.1/24 2001:db8:1::1/64
Host B:
AS: 64513
Loopback: 192.168.0.2 2001:db8::2
To A: 192.168.1.2/24 2001:db8:1::2/64
To miscellaneous subnet: 192.168.2.1/24 2001:db8:2::1/64

Host A:

lo0:
inet6 ::1 prefixlen 128
inet6 2001:db8::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
inet 192.168.0.1 netmask 0xffffffff

gem1:
inet6 2001:db8:1::1 prefixlen 64
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255

bgp.conf.v4:
AS 64512
router-id 192.168.0.1

neighbor 192.168.1.2 {
remote-as 64513
announce all
}

allow from any

bgp.conf.v6:
AS 64512
router-id 192.168.0.1

neighbor 2001:db8:1::2 {
remote-as 64513
announce all
}

allow from any

bgpctl sh (v4):
Neighbor        AS     MsgRcvd  MsgSent  OutQ  Up/Down   State/PrfRcvd
192.168.1.2 64513  3  3 0 00:00:13  2

bgpctl sh (v6):
Neighbor        AS     MsgRcvd  MsgSent  OutQ  Up/Down   State/PrfRcvd
2001:db8:1::2   64513  3  4 0 00:00:31  0

bgpctl sh rib:
*>192.168.0.2/32  192.168.1.2100 0 64513 i
*>192.168.2.0/24  192.168.1.2100 0 64513 i

bgpctl sh rib inet6:
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete

flags destination gateway  lpref   med aspath origin

Host B:

lo0:

inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet 192.168.0.2 netmask 0xffffffff
inet6 2001:db8::2 prefixlen 128

gem0:
inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
inet6 2001:db8:2::1 prefixlen 64

gem1:
inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
inet6 2001:db8:1::2 prefixlen 64

bgpd.conf.v4:
AS 64513
router-id 192.168.0.2

network 192.168.0.2/32
network 192.168.2.0/24

neighbor 192.168.1.1 {
remote-as 64512
announce all
}

allow from any

bgpd.conf.v6:
AS 64513
router-id 192.168.0.2

network 2001:db8::2/128
network 2001:db8:2::/64

neighbor 2001:db8:1::1 {
remote-as 64512
announce all
}

allow from any

bgpctl sh (v4)
Neighbor        AS     MsgRcvd  MsgSent  OutQ  Up/Down   State/PrfRcvd
192.168.1.1 64512  2  4 0 00:00:11  0

bgpctl sh (v6)
Neighbor        AS     MsgRcvd  MsgSent  OutQ  Up/Down   State/PrfRcvd
2001:db8:1::1   64512  2  2 0 00:00:06  0

bgpctl sh rib
AI*>  192.168.0.2/32  0.0.0.0100 0 i
AI*>  192.168.2.0/24  0.0.0.0100 0 i

bgpctl sh rib inet6
AI*>  2001:db8::2/128 :: 100 0 i
AI*>  2001:db8:2::/64 :: 100 0 i
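An added check, not from the thread, that a practitioner might run over the `bgpctl show` summary quoted above: it parses the columns with awk and reports sessions that are Established (last column numeric) but have received zero prefixes, which is exactly what host A shows for its IPv6 neighbor, plus sessions that are not Established at all. The first two data lines are host A's own output; the third neighbor (2001:db8:9::9, AS 64999, and its Up/Down and State text) is constructed to exercise the not-Established case and is an assumption, not output from the thread.

```shell
#!/bin/sh
# Added example, not the poster's own commands. Sanity-check the summary that
# `bgpctl show` prints: an Established session with PrfRcvd == 0 is the symptom
# described in the thread for the IPv6 peer.

# Constructed sample: host A's two summary lines from the thread, plus one
# constructed neighbor that never came up (Up/Down and State values assumed).
SUMMARY='Neighbor                   AS    MsgRcvd    MsgSent  OutQ Up/Down  State/PrfRcvd
192.168.1.2             64513          3          3     0 00:00:13  2
2001:db8:1::2           64513          3          4     0 00:00:31  0
2001:db8:9::9           64999          0          0     0 Never     Active'

# Print "neighbor remote-AS" for Established sessions whose PrfRcvd is 0.
# Column 7 is numeric only when the session is Established; otherwise it
# carries the FSM state name (Idle, Active, Connect, ...).
zero_prefix_sessions() {
    printf '%s\n' "$SUMMARY" |
        awk 'NR > 1 && $7 ~ /^[0-9]+$/ && $7 == 0 { print $1, $2 }'
}

# Print "neighbor state" for sessions that are not Established.
down_sessions() {
    printf '%s\n' "$SUMMARY" |
        awk 'NR > 1 && $7 !~ /^[0-9]+$/ { print $1, $7 }'
}

# Demonstration run.
echo "Established but receiving no prefixes:"
zero_prefix_sessions
echo "Not Established:"
down_sessions
```

Feed real output by replacing `SUMMARY` with `$(bgpctl show)`; the awk filters only rely on whitespace-separated columns, so the collapsed spacing in the quoted output does not matter.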



Blackhole / reject routes

2008-02-24 Thread list-obsd-misc
Currently I'm blackholing and rejecting some traffic with route add 
-reject/-blackhole  127.0.0.1; this works fine, but bounces all the 
rejected/blackholed traffic to the loopback interface. 

This behaviour is.. annoying, and possibly inefficient. I'm probably searching 
for a null/blackhole/fake address/interface. I tried creating an unconfigured 
pseudo-device, slapping an IP address on it and routing it to there; it 
blackholes traffic effectively, but also blackholes traffic if you have a 
reject. 

What is a better way to reject/blackhole traffic in OpenBSD?



KSH and Bash problem with long commands

2008-02-12 Thread OBSD
Hi All,

I have a small problem with the KSH and Bash on an OpenBSD 4.2 with very long 
commands.
I have
echo $SHELL
/bin/ksh and
echo $KSH_VERSION
@(#)PD KSH v5.2.14 99/07/13.2
and in my ~/.inputrc is
set horizontal-scroll-mode Off

I found this setting in the man readline
http://www.openbsd.org/cgi-bin/man.cgi?query=readline&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

But unfortunately it does not work.
It does not wrap the line either in KSH or Bash. Instead it overwrites the 
already written text,
which is annoying if you have very long commands.
I have also tried /etc/inputrc with this entry, but it does not work 
either.
I also read the ksh man page but did not find any usable info there.

Strangely enough, if I start a csh it works, but not with the other shells.

Does anybody have a fix or workaround for this?
Every hint is appreciated!!

Regards
Stefan
--



Re: brute force voip QoS

2008-01-30 Thread list-obsd-misc
To: Stuart Henderson <[EMAIL PROTECTED]>
Subject: Re: brute force voip QoS

> > pass out queue (std_out,lowdelay)
> 
> here, you place ACKs from downloads at a higher priority than
> your voip calls. this is unlikely to be what you want with priq
> over a 140Kb/s link..

According to pf.conf, that also prioritizes packets with ToS set to lowdelay; 
looking at what ToS the packets have would be a good idea.



Re: low-MHz server

2008-01-30 Thread list-obsd-misc
You said you live rurally - in that case, perhaps you should build/buy a small 
quality (read as: won't get wet) shed, have your systems there and run some 
outdoor-rated CAT5e from it to your house. That should allow you to use KVM 
extenders, serial, etc. Remember the inverse-square law for RF. RF usually is 
attenuated greatly by opaque things, though just plants etc. will also 
attenuate. If you can place it behind a hill that would be good. 

Also, apply for the JREF Million Dollar Challenge. If you succeed, you should 
have a lot more options on reducing RF.



Re: brute force voip QoS

2008-01-30 Thread list-obsd-misc
> My bandwidth is very very limited. Not more than 140 Kbps on both
> sides at any time. I use G729 as a codec in order to reduce
> consumption. Use the pf.conf below, when VoIP is the only traffic,
> the quality of the calls is excellent with no voice cutting at all.
> Now if I start a download I immediately see the quality degrade.
> 
> That is why I thought of using some radical policy.

That's strange; it may be your connection struggles at much lower bandwidths 
than nominal - for instance, perhaps it suffers high packet loss at 80% 
utilization; TCP could recover, but VoIP might be affected.

Doing what you want should be quite simple, though. There are many ways I can 
think of to detect VoIP traffic if your ruleset manages to - have pf log 
(all) on a pflog interface dedicated to it, look at queue traffic - and many 
ways of blocking everything other than that. I can't think of an elegant way of 
doing what you want, though!



Problems with pkg_add and partial installed package

2007-11-09 Thread OBSD
Hello All,

I have a problem with pkg_add on a OpenBSD 4.2.
I tried to install the package freebsd_lib-4.11p0.tgz.
The first try failed because the Internet connection broke, and on the
second try I get this error:

$ pkg_add -v freebsd_lib-4.11p0.tgz 

parsing freebsd_lib-4.11p0.tgz
Can't install freebsd_lib-4.11p0 because of conflicts 
(partial-freebsd_lib-4.11p0)
/usr/sbin/pkg_add: freebsd_lib-4.11p0:Fatal error

The same happens if I try to install it over the ports.

/usr/ports/emulators/freebsd_lib> make install
===>  Installing freebsd_lib-4.11p0 from /usr/ports/packages/i386/all/
Can't install freebsd_lib-4.11p0 because of conflicts 
(partial-freebsd_lib-4.11p0)
/usr/sbin/pkg_add: freebsd_lib-4.11p0:Fatal error
*** Error code 1

I checked in /var/db/pkg but do not find any entry.

Has anybody an idea how I can fix this?
I read the pkg_add man page and also tried the -F switch, but it does not help.

Best Regards,
Stefan

--



Re: Regular Expression Problem

2007-06-14 Thread OBSD
Hi All,

thanks for all the suggestions.
With this it works:
cat mail.txt | egrep "[EMAIL PROTECTED]" | egrep "\.[a-zA-Z]{2,4}$"

It is probably possible to avoid the last egrep, but I have not found out how.

Regards,
Stefan


>> I got in the output (Which I not want):
>> [EMAIL PROTECTED] -> I believed with [a-zA-Z]{2,4} I can limit it after the 
>> "." Or?
>> [EMAIL PROTECTED]  -> It should be as well not possible with [a-zA-Z]{2,4}
>> 
>> How can I exclude this?

> You did not say that after the 2-4 characters the line should end...
> End the pattern with $

>> As well I got as output this which I do not want:
>> [EMAIL PROTECTED]
>> 
>> $ is normally end of a line. But it should not be in a mail address.
>> 
>> [a-zA-Z0-9.-_]+@
>> I use the "+" here with the meaning the [a-zA-Z0-9.-_] has to be available
>> min. one of them. Nothing for a @ makes really no sense.

> You did not say it should be at the beginning.. everything can be in
> front of the matching token. Start the pattern with ^

> Also you are not escaping the . - meaning it can match to anything.

> try it with this:
> egrep "[EMAIL PROTECTED],4}$"

> good source to read more about it is re_format(7)

> Regards,
> Julian



Regular Expression Problem

2007-06-14 Thread OBSD
Hi All,

I have a problem with regular expressions and can not solve it.
I want to egrep all mail addresses from a big text file.

For testing I created this file:
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]

I did the following
cat mail.txt | egrep "[EMAIL PROTECTED],4}"
or
cat mail.txt | egrep "[EMAIL PROTECTED]"

But I did not get which I expected.

I got in the output (Which I not want):
[EMAIL PROTECTED] -> I believed with [a-zA-Z]{2,4} I can limit it after the "." 
Or?
[EMAIL PROTECTED]  -> It should be as well not possible with [a-zA-Z]{2,4}

How can I exclude this?

As well I got as output this which I do not want:
[EMAIL PROTECTED]

$ is normally end of a line. But it should not be in a mail address.

[a-zA-Z0-9.-_]+@
I use the "+" here with the meaning the [a-zA-Z0-9.-_] has to be available
min. one of them. Nothing for a @ makes really no sense.

Every help is appreciated.
Thank you.

Regards,
Stefan

--
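The three points this thread raises (anchor the pattern with ^ and $, escape the dot, and be careful what a bracket expression like `[a-zA-Z0-9.-_]` really matches), as an added shell example that is not from either post. The sample file and both patterns are constructed for the demonstration, since the thread's own addresses and patterns are masked in the archive. The bracket point goes one step beyond what the reply mentions: inside a bracket expression `.-_` is a range from '.' (0x2E) to '_' (0x5F), which also covers '@', the digits, ':' and the upper-case letters, so the local part silently accepts characters the author never intended.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Shows with grep -E why the
# unanchored, unescaped pattern over-matches and how the anchored, escaped one
# behaves on a constructed sample.

export LC_ALL=C   # make the '.-_' bracket range deterministic (byte order)

# Constructed sample input, one candidate address per line.
SAMPLE='alice@example.com
bob.smith@mail.example.org
bad@@example.com
no-at-sign.example.com
user@example.c
user@host.toolongtld
user@example.com junk after'

# In the spirit of the thread's first attempt: no anchors, the '.' before the
# TLD is unescaped (matches any character), and '.-_' inside the bracket is a
# RANGE that includes '@', so "bad@@example.com" is accepted.
NAIVE='[a-zA-Z0-9.-_]+@[a-zA-Z0-9.-_]+.[a-zA-Z]{2,4}'

# Anchored and escaped: ^ and $ pin the whole line, '\.' is a literal dot, and
# '-' is placed last in the bracket so it is a literal hyphen, not a range.
STRICT='^[a-zA-Z0-9._-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}$'

# Number of sample lines the given pattern accepts.
count_matches() {
    printf '%s\n' "$SAMPLE" | grep -E -c "$1"
}

# The accepted lines, joined by single spaces, for easy comparison.
matched_lines() {
    printf '%s\n' "$SAMPLE" | grep -E "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Demonstration run.
echo "naive  pattern accepts $(count_matches "$NAIVE") of 7 lines: $(matched_lines "$NAIVE")"
echo "strict pattern accepts $(count_matches "$STRICT") of 7 lines: $(matched_lines "$STRICT")"
```

The strict pattern still only checks shape, not deliverability; a 2-4 letter TLD limit also rejects legitimate longer TLDs, which is why the sixth sample line is dropped.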



Max IPs per Interface

2007-06-14 Thread mail . obsd
Good Morning,

Could someone tell me what the maximum number of IP addresses OBSD will support 
per interface is please?

I'd like to set up in excess of 255 IPs on my external firewall interface, and 
I'm wondering how BSD will handle this.

Please advise.

Regards,
Garron Kramer

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



OBSD+PF+VLAN+CARP

2007-06-04 Thread mail . obsd
Good Morning,

I still seem to be having problems with PF+VLANs.

It seems that PF does not want to NAT traffic from my internal VLAN to my 
external VLAN IP address.

Can someone advise if they have managed to get PF (NAT) + VLAN + CARP working, 
and or if anyone has experienced the same issues as myself?

Regards,
Garron





PF+VLAN+CARP+PFSYNC

2007-05-29 Thread mail . obsd
Good Morning,

I'm currently in the process of configuring a new firewall for my company and 
would like to know the following:

1. Is it possible to configure OpenBSD firewall interface as follows:

carp10 - int/ext virtual eth dev (ip of CVI - shared between fw's)
|
vlan10 - int/ext virtual eth dev (ip of NDI - not shared)
|
pcn0 - int/ext eth device (no ip)

Basically, I'd like to use VLANs on top of physical interfaces, with carp 
devices on top of VLAN logical interfaces.

2. I'm guessing that when the firewall is configured as above, I'll refer to 
vlan interface with carp specific IP address (rather than physical int)?

3. Do I need to add virtual IP addresses to the firewall to answer for each 
public IP address, or can I simply configure the router to
route all traffic for subnet through IP address of external carp device of 
firewall?

Regards,
Garron





Tcpdstat

2007-05-22 Thread OBSD
Hi,

has anybody got tcpdstat installed on an OpenBSD 4.x?
Tcpdstat from
http://staff.washington.edu/dittrich/talks/core02/tools/tcpdstat-uw.tar
is a very nice tool to get summary information of a tcpdump file.

The output includes the number of packets, the average rate and its standard 
deviation,
the number of unique source and destination address pairs, and the breakdown of 
protocols.

I would appreciate every help or hint to get it compiled.
I remember that I could compile it on OpenBSD 3.6, but on the new one, 
4.1,
it always fails.

Regards,
Stefan



SQUID Banner

2007-04-22 Thread OBSD
Hi,

I am using OpenBSD 4.0 with the package squid-2.5.STABLE13.tgz
I have a question to the /etc/squid.conf and the banner.

If I use an environment-checking website such as http://ipid.shat.net/
through Squid, I get this result:

HTTP_VIA1.1 obsd.test.com:3128 (squid/2.5.STABLE13)
or with an other test
Proxy Host/Type: 1.1 obsd.test.com:3128 (squid/2.5.STABLE13)

I found in the /etc/squid.conf that Squid uses this for it:
visible_hostname obsd.test.com

Is there any possibility to avoid the output (squid/2.5.STABLE13)
and get only HTTP_VIA   1.1 obsd.test.com:3128, or only the output squid?

On Apache it is possible to reduce the banner with ServerTokens,
but in Squid I do not find anything.

I would be grateful for every hint. Maybe an extra software package?

Regards,
Stefan



Re: dmesg and fdisk do not match about usb external disk

2007-02-08 Thread obsd
On Thu, 8 Feb 2007 15:09:10 +0100, "mickey" <[EMAIL PROTECTED]> said:
> On Thu, Feb 08, 2007 at 03:02:32PM +0100, frantisek holop wrote:
> > hmm, on Thu, Feb 08, 2007 at 02:06:45PM +0100, mickey said that
> > > On Thu, Feb 08, 2007 at 10:13:29AM +0100, frantisek holop wrote:
> > > > hmm, on Tue, Jan 30, 2007 at 07:40:52PM -0500, Nick Holland said that
> > > > > It means translation is stupid, but we keep doing it. :)
> > > > 
> > > > it is not really the translation that got me worried
> > > > (although wouldn't it be more consistent to use the n x 255 x 63
> > > > version everywhere?) but the different number of sectors..
> > > > thanks for the great explanation.
> > > 
> > > who gives a flying fuck?
> > > bios is using it's own geometry and we are using ours.
> > > how about you ask those spammers to send dick measurements in meters?
> > 
> > perhaps this could go into the faq?
> 
> what? dick measurement techniques?

And not long ago I wrote to the list that this list *is* nice and people
don't get attacked unless they become obnoxious. 
Please thank you for proving me absolutely wrong.
Jeez, you know more about how the bios and the OS report disk
geometries and his enquiries annoy you? Please get over it.

Sorry to everyone for also wasting more of this list's bandwidth.



Re: Netra X1 and Serial from OpenBSD

2005-06-23 Thread scion+obsd
Google won't help you.  Use dmesg and the manpages.

OK, first dmesg to find the real serial io ports.
If necessary man every device listed in dmesg.

I think you'll find that you have a zs or a sab device.

man sab

Look in the FILES and SEE ALSO sections of the manpage.

The message you get means that the carrier detect part
of the driver hasn't yet detected a carrier.  Traditional
ways to deal with this were to re-wire the connector to 
cheat, or to use a driver (often by a mode bit in mknod)
which ignores carrier.

ttyb is AFAIK deprecated in favor of ttyNN.

-sam