OpenBSD 6.7 - uncommon behavior

2020-05-19 Thread R0me0 ***
Hello guys.

Today, I've installed OpenBSD 6.7 on Windows 10 Pro (Hyper-V), on which I
already have 6.6 running very well.

So, the planning was:

Migrate my confs, turn off my 6.6 and make use of 6.7.

1 - By default Hyper-V adds one processor. At the end of my fresh install
it doesn't work (tried two times) (my NTFS has 1M alignment) - doesn't
work = does not boot


2 - I've recreated the VM and added two processors. It booted and I have
installed some packages:

pkg_add vim
pkg_add tor
pkg_add curl
and pkg_add openvpn

shutdown ( disks were synced )

Added an additional network card and then powered on again (with a lot of
errors on the filesystem).

My /etc/group file just went blank.

Regards,


Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-10 Thread R0me0 ***
That talk of isopen ... is a joke! He starts agreeing with puffy supremacy.

All these years I have made jokes with fbsd guys and some "hax0rs" during
events. The reason is simple: they attack the OpenBSD community and then
always end with a lack of arguments.

Even with Qualys' recent discoveries, which in my personal opinion they
could have sent all together, they preferred to do it that way.

That said, I'm still asking: why do the other projects not at least try
to make their operating system more secure by default? For OpenBSD, since
the beginning, the main focus has been paranoid security.

They will take years to be rock solid like OpenBSD.

Also, that said, all mothafuckaaa who keep sending posts like this, put your
head within your ass and just accept: you are an OpenBSD user!





On Sun, 10 May 2020 at 01:45, Stéphane Aulery wrote:

> Hello,
>
> > On 07/05/2020 at 16:00, i...@aulix.com wrote:
> >
> > Can you please comment negative appraisal from the following website:
> >
> > https://isopenbsdsecu.re/quotes/
> >
> > I did not want to hurt anyone, just looking for a secure OS and OpenBSD
> looked very nice to me before I found this website.
> >
>
> This explanation [1] from the author of the site should be enough for you:
>
> 
> Why was this website created?
>
> Someone was bragging on IRC about how secure OpenBSD is compared to
> everything else, but this came without concrete evidences.
>
> Tired of having to endure this once too often, time was spent
> documenting OpenBSD’s security features:
>
>  where are they coming from?
>  against what are they defending?
>  how successful are they?
>
> Because, in the words of Ryan Mallon:
>
>  Threat modelling rule of thumb: if you don’t explain exactly what
> you are securing against and how you secure against it, the answers can
> be assumed to be: “bears” and “not very well”.
> 
>
> The quotes were chosen to be especially aggressive but we could find as
> many against other operating systems.
>
> For me it's on the same level as "The UNIX-HATERS Handbook" [2], just a
> big ball of hate and FUD.
>
> After full reading, out of 52 exposed points there are 4 frankly against
> OpenBSD, 12 for OpenBSD and all the rest is opinion and filling.
>
> It wants to be impressive, but it’s just swank of a meticulous hater.
>
> Regards,
>
> 
>
> [1] https://isopenbsdsecu.re/about/
> [2] https://web.mit.edu/~simsong/www/ugh.pdf
>
> 
>
> Mitigations
>
>  Arc4random
>
> [...] Nowadays, arc4random in userland is available on various
> platforms, even when not being natively implemented, thanks to libbsd.
> NetBSD, FreeBSD, Linux, … have all moved to a ChaCha20-based CSPRNG.
> Even Tor is now using some of its code, for performance reasons.
>
> OpenBSD took inspiration from Linux two decades ago, but nowadays, it’s
> the other way around, OpenBSD is driving the CSPRNG game!
>
> OK.
>
>  ASLR
>
> [...] OpenBSD randomizing everything is neat, and forces attackers to
> find/create better leaks. But nowadays, all the modern operating systems
> have those kinds of mitigations, and are now focusing on killing bugs
> exploitable when an attacker has some reading capabilities.
>
> And what are these modern OSes? OpenBSD is a fossilized and archived OS
> on archive.org?
>
>  Atexit hardening
>
> [...] In the glibc, the pointers to the function are obfuscated with a
> rol+xor via the PTR_MANGLE macro against a secret, which is roughly
> equivalent to what Windows is doing. This mitigation is completely
> bypassed with an arbitrary read: get the secret, obfuscate the pointer
> to your payload, done.
>
> Musl has no hardening at all
>
> On OpenBSD, the pointers are stored in a read-only memory zone, only
> made writeable when __cxa_atexit is called. To bypass this, an attacker
> would need to get code execution to modify the permissions of the memory
> zone.
>
> Where is the point?
>
>
>  Development practises - Development practises
>
> OpenBSD got no continuous integration system, and apparently build
> breakages are, according to the FAQ, happening from time to time [...]
>
> There is a code style, but since it’s not automatically enforced, if
> only because there is no CI.
>
> The VCS used is CVS, the Concurrent Versions System [...]
>
> This is not what makes security!
>
>  Development practises - Code reviews
>
> OpenBSD claims that they have “between six and twelve members who
> continue to search for and fix new security holes”, but it seems that
> this doesn’t prevent low-hanging bugs from entering the codebase, for
> example: [...]
>
> Ah, because those who don't read their code are more likely to find errors?
>
>  Development practises - Security advisories
>
> OpenBSD is publishing security issues on its Errata pages, but doesn’t
> provide much context nor analysis. [...]
>
> 

Re: Unable to create IKEv2 VPN using strongSwan to iked

2020-04-20 Thread R0me0 ***
Adjust to your needs *

(Don't forget to adjust your pf rules accordingly) *



OpenBSD 6.X (works with iPhone and strongSwan)

ikev2 "roadwarrior"  passive esp from 0.0.0.0/0 to 10.20.30.0/24 \
 local egress peer any  \
 ikesa enc aes-256 auth hmac-sha2-256 group modp2048 \
 childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
 dstid r...@openbsd.org psk "psk_passphrase" config address 10.20.30.32



iPhone = just disable certificates and set PSK


Interoperability with StrongSwan


# cat /etc/ipsec.conf

# ipsec.conf – strongSwan IPsec configuration file
# basic configuration

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        authby=secret
        ike=aes256-sha256-modp2048!
        esp=aes256-sha256-modp2048!

conn strongswan
        left=%any
        leftfirewall=yes
        leftsourceip=%config
        right=REMOTE_PEER_IP
        rightid=puffymagic.ikedvpn.com
        # networks you want to reach on the other side (behind the magic puffer fish)
        rightsubnet=192.168.0.0/24,172.8.50.0/24
        auto=add



# cat /etc/ipsec.secrets

# ipsec.secrets – strongSwan IPsec secrets file
: PSK "strongopeniked"



PS: Magic Puffer Fish rocks!

On Mon, 20 Apr 2020 at 09:49, Jona Joachim wrote:

> Hi,
>
> I am trying to connect to iked running on OpenBSD 6.6 from a strongSwan
> 5.7.2 initiator running on Ubuntu 19.10 (which is behind NAT). I am
> using x509 certificates generated by ikectl.
>
> The tunnel cannot be established. It is hard for me to see what's going
> on. strongswan seems to be sending the same IKE_AUTH packet again and
> again and iked does not seem to respond even though it receives the
> packet and does not show an error. The only thing fishy I see in iked
> output is "sa_state: cannot switch: AUTH_SUCCESS -> VALID", not sure why
> it "cannot switch".
>
> Does anybody have a working setup between iked and strongSwan or any
> insights? Config files and logs below.
>
> Thanks,
>
> Jona
>
>
> iked.conf:
>
> ikev2 passive esp \
>  from 0.0.0.0/0 to 10.201.201.0/24 \
>  from 192.168.0.0/16 to 10.244.244.0/24 \
>  from 10.244.244.0/24 to 192.168.0.0/16 \
>  local 1.2.3.4 peer any \
>  srcid vpn.example.com \
> config address 10.201.201.0/24 \
> config name-server 10.201.201.1 \
>  tag "IKED"
>
>
> ipsec.conf (strongSwan):
>
> config setup
>  # strictcrlpolicy=yes
>  # uniqueids = no
>
> conn puffvpn
>  keyexchange=ikev2
>  dpddelay=5s
>  dpdtimeout=60s
>  dpdaction=restart
>
>  left=%defaultroute
>  leftcert=wookie.crt
>  leftsubnet=192.168.0.0/16
>  leftfirewall=yes
>  leftid="wookie"
>
>  right=vpn.example.com
>  rightsubnet=10.201.201.0/24
>  rightid="vpn.example.com"
>
>  auto=start
>
> strongswan log:
>
> # ipsec up puffvpn
> initiating IKE_SA puffvpn[5] to 1.2.3.4
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (928 bytes)
> received packet: from 1.2.3.4[500] to 192.168.4.103[500] (38 bytes)
> parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> peer didn't accept DH group ECP_256, it requested MODP_2048
> initiating IKE_SA puffvpn[5] to 1.2.3.4
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (1120 bytes)
> retransmit 1 of request with message ID 0
> sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (1120 bytes)
> retransmit 2 of request with message ID 0
> sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (1120 bytes)
> received packet: from 1.2.3.4[500] to 192.168.4.103[500] (471 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> CERTREQ N(HASH_ALG) ]
> selected proposal:
> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
> local host is behind NAT, sending keep alives
> received 1 cert requests for an unknown ca
> sending cert request for "CN=35.180.187.116"
> sending cert request for "C=FR, ST=Ile-de-France, L=Paris, O=OpenBSD,
> OU=iked, CN=VPN CA, E=j...@joachim.cc"
> authentication of 'wookie' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
> sending end entity cert "C=FR, ST=Ile-de-France, L=Paris, O=puffvpn,
> OU=iked, CN=wookie, E=j...@joachim.cc"
> establishing CHILD_SA puffvpn{7}
> generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr
> AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
> retransmit 1 of request with message ID 1
> sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
> retransmit 2 of request with message ID 1
> sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
> retransmit 3 of request with message ID 1
> sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
> sending keep alive to 1.2.3.4[4500]
> retransmit 4 
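Added example (not the poster's nor either project's code): a small Python checker that parses the iked.conf policy and the strongSwan ipsec.conf posted above, normalizes the algorithm names to iked spelling, and reports any SA whose proposals do not line up, which is the kind of mismatch behind the "peer didn't accept DH group ECP_256, it requested MODP_2048" line in the quoted log. The token table is a partial mapping and the dstid is a placeholder; both are assumptions of this example.

```python
import re

# Constructed sample: the iked.conf policy posted above, with the elided
# dstid replaced by a placeholder (not the poster's real identity).
IKED_CONF = '''ikev2 "roadwarrior" passive esp from 0.0.0.0/0 to 10.20.30.0/24 \\
 local egress peer any \\
 ikesa enc aes-256 auth hmac-sha2-256 group modp2048 \\
 childsa enc aes-256 auth hmac-sha2-256 group modp2048 \\
 dstid DSTID_PLACEHOLDER psk "psk_passphrase" config address 10.20.30.32
'''

# Constructed sample: the strongSwan ipsec.conf posted above.
IPSEC_CONF = '''config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        authby=secret
        ike=aes256-sha256-modp2048!
        esp=aes256-sha256-modp2048!

conn strongswan
        left=%any
        leftfirewall=yes
        leftsourceip=%config
        right=REMOTE_PEER_IP
        rightid=puffymagic.ikedvpn.com
        rightsubnet=192.168.0.0/24,172.8.50.0/24
        auto=add
'''

# Partial mapping of strongSwan proposal tokens to iked.conf spelling
# (an assumption of this example; extend as needed).
SS_TOKENS = {
    "aes128": ("enc", "aes-128"), "aes192": ("enc", "aes-192"),
    "aes256": ("enc", "aes-256"),
    "sha1": ("auth", "hmac-sha1"), "sha256": ("auth", "hmac-sha2-256"),
    "sha384": ("auth", "hmac-sha2-384"), "sha512": ("auth", "hmac-sha2-512"),
    "modp1024": ("group", "modp1024"), "modp2048": ("group", "modp2048"),
    "modp3072": ("group", "modp3072"), "modp4096": ("group", "modp4096"),
    "ecp256": ("group", "ecp256"), "ecp384": ("group", "ecp384"),
    "x25519": ("group", "curve25519"),
}


def parse_iked(text):
    """Return {"ikesa": {...}, "childsa": {...}} from an iked.conf policy."""
    joined = re.sub(r"\\\n", " ", text)  # fold backslash line continuations
    out = {}
    for sa in ("ikesa", "childsa"):
        m = re.search(sa + r"\s+((?:(?:enc|auth|prf|group)\s+\S+\s*)+)", joined)
        if m:
            kv = m.group(1).split()
            out[sa] = dict(zip(kv[0::2], kv[1::2]))
    return out


def parse_strongswan(text, conn):
    """Return {"ike": [...], "esp": [...]} for `conn`, honouring values
    inherited from `conn %default`; None means the daemon default applies."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            sections[current] = {}
        elif current is not None and "=" in line:
            key, val = line.split("=", 1)
            sections[current][key.strip()] = val.strip()
    merged = dict(sections.get("%default", {}))
    merged.update(sections.get(conn, {}))
    result = {}
    for key in ("ike", "esp"):
        val = merged.get(key)
        if val is None:
            result[key] = None
            continue
        proposals = []
        for prop in val.rstrip("!").split(","):  # several proposals allowed
            d = {}
            for tok in prop.split("-"):
                if tok in SS_TOKENS:
                    kind, name = SS_TOKENS[tok]
                    d[kind] = name
            proposals.append(d)
        result[key] = proposals
    return result


def compare(iked_text, ss_text, conn):
    """List mismatches between the iked policy and the strongSwan conn;
    an empty list means every iked SA has a matching strongSwan proposal."""
    iked = parse_iked(iked_text)
    ss = parse_strongswan(ss_text, conn)
    findings = []
    for sa, key in (("ikesa", "ike"), ("childsa", "esp")):
        want, offered = iked.get(sa), ss.get(key)
        if want is None:
            findings.append(f"{sa}: not set in iked.conf, iked defaults apply")
        elif offered is None:
            findings.append(f"{key}: not set in ipsec.conf, strongSwan defaults "
                            f"apply; iked {sa} wants {want}")
        elif not any(all(p.get(k) == v for k, v in want.items() if k != "prf")
                     for p in offered):
            findings.append(f"{key}: no strongSwan proposal matches iked {sa} "
                            f"{want}; offered {offered}")
    return findings


if __name__ == "__main__":
    print(compare(IKED_CONF, IPSEC_CONF, "strongswan") or "proposals line up")
    # Reproduce the INVAL_KE situation from the log: the initiator offers
    # ECP_256 while iked insists on modp2048.
    ecp = IPSEC_CONF.replace("ike=aes256-sha256-modp2048!", "ike=aes256-sha256-ecp256!")
    for finding in compare(IKED_CONF, ecp, "strongswan"):
        print(finding)
```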

Re: Security of OpenBSD

2019-06-03 Thread R0me0 ***
I think OpenBSD code review is taken so seriously that it is more than a
matter of good practice.

https://www.openbsd.org/security.html




On Mon, 3 Jun 2019 at 22:33, Josef Pospisil wrote:

> Hey, thank you all for this mailing list.
>
> I have a question regarding the security of OpenBSD.
>
> I am assuming that linux has some mathematics and logic that lets you
> get into every system just for e.g. because of portknocking!
> That opens an interface for people that know the system to do
> everything! I also think that linux is not being verified regarding
> these paid programmer backholes.
>
> Can someone be that kind and explain to me if the whole code of OpenBSD
> was checked at least once since OpenBSD was founded? That there are
> no backholes like I was describing?
>
> It would be beautiful if someone could answer me!
>
> Greetings
>
> Josef Pospisil
>
>
>


Re: OpenBSD on VMware ESXi

2019-05-22 Thread R0me0 ***
VMware ESXi detects it as FreeBSD 32-bit.

Set the network interface to vmxnet3.

Also you can use the pvscsi driver (I had some issues with filesystem
corruption; there is a weird bug, but there is a workaround).

In general buslogic is more resilient.

Regards,


On Wed, 22 May 2019 at 14:26, mxb wrote:

> I think FreeBSD or any Linux template will work just fine and add vmxnet3.
> However, last I checked (1 year ago) vmxnet3 has been less stable than e1000
> under pressure.
>
> Sent from my iDevice
>
> > On 22 May 2019, at 13:47, Reyk Floeter wrote:
> >
> >> On Wed, May 22, 2019 at 01:43:35PM +0200, Janne Johansson wrote:
> >> On Wed 22 May 2019 at 12:52, Roderick wrote:
> >>
> >>> Hallo!
> >>> As far as I read on the WWW, OpenBSD does run on VMware ESXi out of the box.
> >>> What runs better on an amd64 virtual machine? i386 or amd64?
> >>> Are there reasons to prefer one to the other?
> >>>
> >>
> >> The ESX template for 64-bit comes with more recent "hardware" in the
> >> environment IIRC, so it will be less tweaking the supplied virtualized
> >> hardware if you select 64bit guest instead of 32bit.
> >> Apart from that, 64bit is better on both virtual and real hw.
> >>
> >
> > But unfortunately, there is no openbsd template.  So use "Other 64bit"
> > and enable vmxnet3 manually, as mentioned in vmx(4):
> >
> > The following entry must be added to the VMware configuration file to
> > provide the vmx device:
> >
> >   ethernet0.virtualDev = "vmxnet3"
> >
> > This is much better than the e1000 emulation.
> >
> > Reyk
> >
>
>


Re: Firefox bug: 66.0.3 disables all extensions

2019-05-06 Thread R0me0 ***
They already fixed it a couple of hours after the issue.


On Mon, 6 May 2019 at 11:45, Juan Francisco Cantero Hurtado <i...@juanfra.info> wrote:

> On Mon, May 06, 2019 at 11:54:04AM +0300, Dumitru Moldovan wrote:
> > On Sat, May 04, 2019 at 10:13:39PM +0200, Juan Francisco Cantero Hurtado
> wrote:
> > > On Sat, May 04, 2019 at 07:01:55PM +0100, Anthony Campbell wrote:
> > > > After upgrading Firefox today to 66.0.3  in -current, all my add-ons
> > > > were inactivated. A quick search showed that this is a widespread
> > > > problem, apparently due to a bug in FF. I was able to fix it
> > > > temporarily by means of a suggestion on ghacks.net to change
> > > >
> > > > xpinstall.signatures.required
> > > >
> > > > in about.config to "false".
> > > >
> > > > Presumably it will be fixed soon upstream.
> > >
> > > Disabling signature checks is almost always a bad idea.
> > >
> > > Open this url with firefox and install the extension.
> > >
> > >
> https://storage.googleapis.com/moz-fx-normandy-prod-addons/extensions/hotfix-update-xpi-intermediate%40mozilla.com-1.0.2-signed.xpi
> >
> >
> > Installing random extensions from the big bad Internet is almost always
> > a bad idea.  :-D
>
> The extension is signed by Mozilla. Just in case someone doesn't know,
> the xpi extensions are just zip files. If you're worried about what
> you're installing, unzip the file and check the content. The changes are
> in the file "experiments/skeleton/api.js".
>
>
> >
> > This issue was fixed upstream in Firefox 66.0.4.  Use Landry Breuil's
> > repo to keep Firefox updated in -stable or -release.  More at
> > https://undeadly.org/cgi?action=article=20170425173917.
> >
> > Final result from pkg_add should be:
> >
> >firefox-66.0.2->66.0.4: ok
> >
>
> --
> Juan Francisco Cantero Hurtado http://juanfra.info
>
>


Re: packet loss when > 1000 clients connect

2019-04-16 Thread R0me0 ***
+1

On Tue, 16 Apr 2019 at 09:44, Torsten wrote:

> > Check with pfctl -si if you reach a limit
>
> Thanks, will do.
>
> Marc Peters also suggested to check pf state limit, upon digging into
> that I found
>
>   https://serverascode.com/2011/09/12/openbsd-pf-set-limit-states.html
>
> and therefore added
>
>   set limit states 20
>
> to pf.conf.
>
>


Re: hacked for the second time

2019-04-03 Thread R0me0 ***
You can block connections from Tor; the SSH keys must be replaced, and of
course, are you using a passphrase for them?

Regards,


On Wed, 3 Apr 2019 at 16:12, Zeb Packard wrote:

> If you've got money go here:  https://www.openbsd.org/support.html
>
> If you don't have money go ask here: http://daemonforums.org/
>
> Generally, msp, isp, it requests don't go on this list. You've posted no
> evidence - a big no no. You need a high level of forensic verification
> before you bring this problem to the list.
>
> Good luck,
>
> Zeb
>
> On Wed, Apr 3, 2019 at 11:59 AM Cord  wrote:
>
> > Hi,
> > I have a strong suspicion that my OpenBSD box has been hacked for the
> > second time in a few weeks. The first time was some weeks ago; I had
> > some suspicions and after a few checks I found that someone had
> > connected to my VPS via SSH on a non-standard port using my SSH key. The
> > connection came from a Tor exit node. There were 2 connections, up
> > for 5 days. Now I have some other new suspicions because some private
> > email seems to be known by others. Also I have found other open sessions
> > on the web GUI of my email provider, but I am absolutely sure I have
> > always done the logout.
> > I am using just chrome+unveil and I haven't used any other script or
> > opened pdf (maybe I have opened 1 or 2 pdf from inside of chrome). I have
> > used epiphany *only* to open the webmail because chrome crashes. My email
> > provider supports html (obviously) but generally photos are not loaded.
> > Of course I have pf enabled and few services.
> > I also use a vpn and I visit very few websites with chrome.. maybe 20 or
> > 25 websites just to read news. Sometimes I search things about openbsd.
> > Could anyone help me?
> > Cord.
> >
> >
> >
> >
>


OpenBSD HTTPD and yourls

2019-02-18 Thread R0me0 ***
Hello guys,

Has anyone already deployed yourls with OpenBSD httpd?

I'm having issues with URL rewriting.

Any direction will be appreciated.

Thanks in advance.


relayd websocket issue

2018-10-19 Thread R0me0 ***
Hello misc,
I am trying to perform a relay on a webapp that uses websocket.
I am able to use the app, but when the websocket is requested it does not work.

Any direction will be appreciated.

Here is my config:

# cat /etc/relayd.conf

http protocol "https" {
        match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
        match header set "Upgrade" value "$HTTP_UPGRADE"
        match header set "Connection" value "upgrade"
        match request header set "Connection" value "close"

        # tcp tunings
        tcp { nodelay, sack, socket buffer 65536, backlog 100 }

        pass request quick header "Host" value "example.com" \
                forward to 

        tls { no tlsv1.0, ciphers "HIGH" }
}

relay "webservices" {
        listen on egress port 443 tls
        protocol "https"
        forward with tls to  port 443
}


Re: IKEDv2 OpenBSD Roadwarrior

2018-05-29 Thread R0me0 ***
Puffy to puffy


# cat /etc/iked.conf

ikev2 "virtualmachine" passive esp from 172.0.16.0/24 to 192.168.10.0/24 \
        local egress peer any psk "secret"



# cat /etc/iked.conf

ikev2 "openbsdgw" active esp from 192.168.10.0/24 to 172.0.16.0/24 \
        local egress peer 10.20.30.10 psk "secret"






OpenBSD 6.X (iPhone and strongSwan)

ikev2 "roadwarrior"  passive esp from 0.0.0.0/0 to 10.20.30.0/24 \
 local egress peer any  \
 ikesa enc aes-256 auth hmac-sha2-256 group modp2048 \
 childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
 dstid r...@openbsd.org psk "psk_passphrase" config address 10.20.30.32



iPhone = just disable certificates and set PSK


Interoperability with StrongSwan


# cat /etc/ipsec.conf

# ipsec.conf – strongSwan IPsec configuration file
# basic configuration

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        authby=secret
        ike=aes256-sha256-modp2048!
        esp=aes256-sha256-modp2048!

conn strongswan
        left=%any
        leftfirewall=yes
        leftsourceip=%config
        right=REMOTE_PEER_IP
        rightid=puffymagic.ikedvpn.com
        # networks you want to reach on the other side (behind the magic puffer fish)
        rightsubnet=192.168.0.0/24,172.8.50.0/24
        auto=add



# cat /etc/ipsec.secrets

# ipsec.secrets – strongSwan IPsec secrets file
: PSK "strongopeniked"




Hope it helps

You're welcome!



2018-05-29 9:42 GMT-03:00 Jan :

> Hi Christophe,
>
> I think I've got it now. I removed the "config" options from the server
> config and things started working.
> (Which interface should they be applied to at all?)
> Since then my home LAN (192.168.1.0/24) stopped working for other devices
> at home. When this is working again I will post my setup.
> I think now everything from 192.168.1.0/24 gets routed through the VPN to my
> notebook and others are not allowed anymore. Maybe putting VPN IPs and
> local IPs in different address ranges is a good idea…
>
> Jan
>
>


Re: RPI3 fails to relink kernel

2017-10-17 Thread R0me0 ***
thanks for that


[]'s


2017-10-17 22:22 GMT-02:00 Jonathan Gray :

> On Tue, Oct 17, 2017 at 04:48:19PM -0700, Carlos Cardenas wrote:
> > Howdy.
> >
> > I found a working USB (Sandisk Cruzer Fit 8GB) to install 6.2 on a RPI3.
> >
> > Install went fine and so was first boot, then I noticed that relinking
> > the kernel failed.
> >
> > Below is my dmesg and error log.
> >
> > I thought it might have been due to the clock being way skewed, but I
> > synced it manually and still run into the same error.
> >
> > Any pointers on how to proceed?
>
> The version of lld (4.0.0) in 6.2 could not handle the linker script
> required for that.  Snapshots have llvm/lld 5.0.0 and relinking should
> work there.
>
> >
> > +--+
> > Carlos
> > OpenBSD 6.2 (GENERIC) #34: Tue Oct  3 23:53:05 MDT 2017
> > dera...@arm64.openbsd.org:/usr/src/sys/arch/arm64/compile/GENERIC
> > real mem  = 964972544 (920MB)
> > avail mem = 909017088 (866MB)
> > mainbus0 at root: Raspberry Pi 3 Model B Rev 1.2
> > cpu0 at mainbus0: ARM Cortex-A53 r0p4
> > simplefb0 at mainbus0: 656x416
> > wsdisplay0 at simplefb0 mux 1
> > wsdisplay0: screen 0 added (std, vt100 emulation)
> > simplebus0 at mainbus0: "soc"
> > bcmintc0 at simplebus0
> > bcmdog0 at simplebus0
> > pluart0 at simplebus0
> > bcmaux0 at simplebus0
> > com0 at simplebus0: ns16550, no working fifo
> > com0: console
> > dwctwo0 at simplebus0
> > agtimer0 at simplebus0: tick rate 19200 KHz
> > syscon0 at simplebus0
> > simplebus1 at mainbus0: "clocks"
> > usb0 at dwctwo0: USB revision 2.0
> > uhub0 at usb0 configuration 1 interface 0 "Broadcom DWC2 root hub" rev
> 2.00/1.00 addr 1
> > uhub1 at uhub0 port 1 configuration 1 interface 0 "Standard Microsystems
> product 0x9514" rev 2.00/2.00 addr 2
> > smsc0 at uhub1 port 1 configuration 1 interface 0 "Standard Microsystems
> SMSC9512/14" rev 2.00/2.00 addr 3
> > smsc0: address b8:27:eb:1c:06:b7
> > ukphy0 at smsc0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
> 0x0001f0, model 0x000c
> > umass0 at uhub1 port 5 configuration 1 interface 0 "SanDisk Cruzer Fit"
> rev 2.10/1.00 addr 4
> > umass0: using SCSI over Bulk-Only
> > scsibus0 at umass0: 2 targets, initiator 0
> > sd0 at scsibus0 targ 1 lun 0:  SCSI4 0/direct
> removable serial.07815571040905110075
> > sd0: 7632MB, 512 bytes/sector, 15630336 sectors
> > vscsi0 at root
> > scsibus1 at vscsi0: 256 targets
> > softraid0 at root
> > scsibus2 at softraid0: 256 targets
> > bootfile: sd0a:/bsd
> > boot device: sd0
> > root on sd0a (b045dd5058980495.a) swap on sd0b dump on sd0b
> > WARNING: CHECK AND RESET THE DATE!
> >
> >
> > # cat /usr/share/compile/GENERIC/relink.log
> > (SHA256) /bsd: OK
> > LD="ld" sh makegap.sh 0xd4d4d4d4 gapdummy.o
> > ld: error: gap.link:11: unknown command ;
> > ld: error: gap.link:11: LONG(0xd4d4d4d4);
> > ld: error: gap.link:11:   ^
> > ld: error: cannot open gapdummy.o: No such file or directory
> > ld: error: target emulation unknown: -m or at least one .o file required
> > *** Error 1 in /usr/share/compile/GENERIC (Makefile:529 'newbsd')
> >
>
>


Re: About WPA2 compromised protocol

2017-10-17 Thread R0me0 ***
Stefan Sperling r0x

:D

Cheers

2017-10-17 15:19 GMT-02:00 Christoph R. Murauer :

> The patch is there since 6.1 027 on the errata page.
>
> Saw the comic yesterday at Libertree.
>
> > On Tue, 17 Oct 2017 19:09:29 +0200
> > "Stephane HUC \"PengouinBSD\""  wrote:
> >
> >> Just for the fun:
> >> http://www.commitstrip.com/en/2017/10/16/wpa2-vulnerability-
> just-a-small-update/
> >
> > I saw somebody share that on Mastodon this morning. :)
> >
> > On a more serious note; am I correct in assuming that the patch is
> > already in 6.2?
> >
>
>
>


Re: OpenBSD IPsec/L2TP to Android VPN?

2017-08-07 Thread R0me0 ***
https://www.authbsd.com/blog/?p=20

2017-08-07 14:54 GMT-03:00 aaron marcher :

> hi dan,
>
> i recently set up something like that using the following two tutorials
> (note that this is l2tp/ipsec instead of raw ipsec):
>
> - http://bluepilltech.blogspot.co.at/2017/02/openbsd-l2tp-over-ipsec-android-601-ios.html
> - http://blog.fuckingwith.it/2016/04/openbsd-l2tpipsec-vpn-for-android.html
>
> regards,
> drkhsh
>
> On 17-08-07 Mon, Daniel Mumford wrote:
> >
> > First post on mail list.  Hope I do it correctly.
> >
> > Is there anyone able to assist setting up an IPsec VPN between Openbsd
> machine and an android device?
> >
> > I have worked on for a week or so to no avail.  I would like to get a
> good understanding of the  necessary configuration.
> >
> > Thanks in advance.
> > Dan
>
> --
> web: https://drkhsh.at/ or http://drkhsh5rv6pnahas.onion/
> gpg: 0x435BF54B
>
>


Question from Dummies about FreeBSD PF VS Magic Puffer Fish

2017-07-25 Thread R0me0 ***
Hello Misc,

I have used the current FreeBSD PF grammar on OpenBSD for years and, AFAIK
and as I remember, this always worked (on the Magic Puffer Fish, of course).

My case is simple:

FreeBSD RPI3/AMD64 (that I tested) - (DNS requests to localhost port
1053 running Tor)


rdr pass on ue0 inet proto udp to port domain ->  127.0.0.1 port 1053

RPI3 just has ethernet and lo interface.

DOES NOT WORK. I NEED to explicitly change 127.0.0.1 to the IP address of the
ue0 interface, and then it works (tried set skip on lo and all the magic
route-to does). DOES NOT WORK (IP forwarding enabled too).

AND then

On the magic puffer fish, simple as it is, it works! No matter whether match or
pass rule, divert-to or rdr-to.

WORKS

JUST WORKS

Anyone, Please can tell me why it does not work on FreeBSD?

What kind of black magic is needed?

Thanks in advance,


Re: Recommendation on OpenBSD host

2017-07-25 Thread R0me0 ***
Vultr/Linode I have already tested and they are good choices.

DigitalOcean - if you use disk encryption, they corrupt your disk



2017-07-25 22:01 GMT-03:00 :

> Hey list. I need a server to host a very simple website.
> I've been looking for an OpenBSD host that offers 'full' control
> over the machine through SSH. Does anyone have recommendations?
> My needs: simple low traffic httpd(8) website (no javascript),
> even a Core2Duo, 2GB of RAM and a HDD with space to install
> base system (without Xenocara, of course) would be enough.
> I can't do it on some random laptop because I need it to be
> anonymous (it will have sensitive journalistic information[*]).
> Ideally one that accepts cryptocoins (dashcoin or plain bitcoin) and
> from a country like Romania or Iceland, because of their historic
> free-speech protection (again, *ideally*).
> I see the people from Libreboot have a project to build a host,
> but I don't think they support OpenBSD yet and I think they never
> will... because of Stallmanism BS ("closed firmware == blob").
>
>
> Regards.
>
>
>
> ps. Yes, I've searched the marc.info archive.
> ps2. please don't reply directly to this mail, but to the list.
>
> [*] nothing illegal, btw, it will just possibly make some political
> people very angry.
>
>


Re: vmd: routing problem

2017-07-25 Thread R0me0 ***
Hetzner routes additional subnets through a specified MAC address on the Robot
page (in some cases you need to open a trouble ticket).
Also, all related information is provided there.

Cheers,

2017-07-25 10:26 GMT-03:00 Stuart Henderson :

> On 2017-07-20, Mike Larkin  wrote:
> > On Thu, Jul 20, 2017 at 02:19:29PM +0200, Leo Unglaub wrote:
> >> Hey,
> >>
> >> On 07/20/17 13:05, Mischa Peters wrote:
> >> > Can you ask them how they route the separate subnet to you?
> >>
> >> as far as i understand it they route the subnet on my main ip address.
> >>
> >>
> >> From their documentation:
> >> > Newly assigned IPv4 subnets are statically routed on the main IP
> address of the server, so no gateway is required.
> >>
> >> I hope that answers your question.
> >> Thanks and greetings
> >> Leo
> >
> >
> > Like I said before, I'm not a networking expert, but what you've said
> > there doesn't make sense (at least to me). You'll probably need to explain
> > to them what you are trying to do and have them help you. I don't think
> > this is a vmd related network issue.
>
> It's a common setup at large-scale colo hosts to conserve IP addresses
> while still keeping each customer on their own L2 network. Given a gateway
> address of 192.0.2.1 you should be able to use something like this:
>
> route add -inet 192.0.2.1/32 -link -iface em0
> route add -inet default 192.0.2.1
>
> To run these commands automatically at boot, you can prefix the lines
> with ! and add them to hostname.em0.
>
>
>


Httpd Content-Length with NextCloud

2017-07-17 Thread R0me0 ***
Hello guys, not sure if its a bug or not.

But trying to contribute.

I am running OpenBSD 6.1 stable branch

When downloading a large file from a poor connection, i.e. 100 kbps (I
don't have time remaining),

I notice that OpenBSD httpd does not set Content-Length and the connection is
unexpectedly closed.

I tried to move to Nginx just to test. The Content-Length is set and the
file is downloaded normally.

Any thoughts/directions and workarounds are very appreciated.

Thanks in advance


Re: Can I use OpenBSD in a virtual machine, for example, VirtualBox?

2017-07-06 Thread R0me0 ***
@Reyk

Yes, on ESXi ahci(4) hangs as you described; the procedure is to remove it,
since "sata" is the default for the cdrom device.

A great feedback you provided!

Long life to magic puffer fish


Cheers,

2017-07-04 9:21 GMT-03:00 Reyk Floeter :

> On Mon, Jul 03, 2017 at 02:36:20PM -0400, J Doe wrote:
> >
> > >> On 27 Jun 2017 10:45 am, "Stuart Henderson" 
> wrote:
> > >>
> > >>> On 2017-06-26, Josh Stephens  wrote:
> > >>> I could be wrong when I say this but the only gotcha that you will
> run
> > >> into
> > >>> with virtual box will be the guest additions.
> > >>
> > >> Does virtualbox still do that thing where it patches the running
> > >> kernel when it detects OpenBSD?
> >
> > Hi,
> >
> >
> > Just thought I'd chime in that I've had success with OpenBSD 5.x to
> > 6.0 running under VMware Fusion (Mac OS X version of VMware).  There
> > isn't support for guest additions with the most recent version of
> > Fusion (8.x), but I haven't had any issues.
> >
>
> I don't know what you mean with "there isn't support for guest
> additions".  We don't support VMware's 3rd party tools but we use our
> own drivers.
>
> VMware Fusion Pro 8.5.8 with version 12 VMs works fine, vmt(4)
> attaches, provides guest services such as shutdown/reboot, timedelta
> sensor, and access to VMware's guestinfo key/value via hostctl(8) (eg.
> hostctl guestinfo.ip).  X11-related features are provided by vmwh in
> ports, but I've never tested it.  We also have vmx(4) for vmxnet3
> networking but you manually have to edit the .vmx file and change
> ethernetX.virtualDev = "vmxnet3" (VMware has ignored all of our
> requests to add a device profile for OpenBSD).
>
> The only issue that I just saw with -current is that ahci(4)
> initialization hangs on boot - I had to disable ahci and use SCSI or
> IDE.  I haven't noticed this on ESXi.
>
> I mostly used Fusion for testing and development for ESXi/vSphere but
> I switched to OpenBSD VMM for most of the testing.
>
> > I saw in the thread that someone was mentioning full screen support.
> > There's no problem with that under Fusion, but you are limited to
> > legacy style video output (ie: not a high res display).  The easiest
> > way around that is I run OpenBSD minimized and SSH in from Terminal on
> > Mac OS X, then use the full-screen mode on OS X Terminal.
> >
> > If you're interested in OpenBSD in virtual machines in the cloud, I
> > have nothing but praise for the people at RootBSD [1], which have
> > supported OpenBSD for a while.  IIRC they run OpenBSD on top of Xen,
> > so the previous comments about security not being the same as running
> > it natively do apply, but it's definitely an option.
> >
> > I believe Undeadly recently posted about partial support for Hyper-V
> > has been committed, which also opens up the future possibly of running
> > OpenBSD on Azure.  Seems like the only holdout is AWS, but there is
> > now official support for FreeBSD on it, so here's hoping its more
> > secure cousin will make its way to Amazon.
>
> You cannot really compare FreeBSD in Azure or AWS to OpenBSD.  We have
> totally different drivers for Hyper-V and Xen.  But Hyper-V is "fully"
> supported on OpenBSD, the latest hvs(4) driver adds support for
> StorVSC paravirtual SCSI.  mikeb@ has done some great work to
> implement all the missing drivers and I helped where I could and
> focussed on the part to get it from Hyper-V/Xen to the "cloud".
>
> The situation in Azure is about the same as in AWS: we don't provide
> OpenBSD images in the marketplaces or community images yet, but there
> are scripts and howtos to create your OpenBSD VMs in Azure.  This
> might change as soon as we feel confident enough with the VM "layout"
> and the (mandatory) agent.  But, for now, use the tools from
> unofficial external github projects:
>
> For AWS:
> https://github.com/ajacoutot/aws-openbsd
>
> For Azure (also works in AWS and under VMM):
> https://github.com/reyk/cloud-openbsd   (create images with cloud-agent)
> https://github.com/reyk/cloud-agent (an alternative to waagent in
> ports)
> https://github.com/reyk/meta-data   (test + boot cloud images under
> VMM)
>
> We also have VirtIO drivers for OpenBSD VMM and KVM, as used by most
> other clouds, and I'm planning to add support for OpenStack (JSON) and
> OpenNebula (contexts) to my cloud-agent.
>
> But please note that we're currently trying to find ways to create VM
> images that still provide the benefits of OpenBSD-style things like
> KARL.  The problem with pre-provisioned VM images is that they all
> have the "same random values" in the filesystem, kernel, and libraries
> where the installer usually makes each installation unique.  A
> pre-provisioned image is always the same, at least on first boot,
> unless we create something that prepares or installs everything before
> getting a new VM instance online.  The first real* OpenBSD image on
> Azure will probably be fully pre-provisioned, 

Re: DHCP in vmm guest

2017-06-16 Thread R0me0 ***
Hello guys,

I am testing nested OpenBSD VMM -current under VMware ESXi 6.5 and the
console randomly freezes (the VM is still working, and "~^D" reattaches to the
console, but I can't interact through it).

Error is: Jun 16 18:55:08 vmm vmd[94945]: vcpu_process_com_data: guest
reading com1 when not ready
Jun 16 18:56:21 vmm last message repeated 22 times

Also "local interface" -> vm.conf or -L -> vmctl works with an OpenBSD guest
and a Linux guest running dhcpcd (http://roy.marples.name/projects/dhcpcd/), but
DNS resolution does not work (pointing to another DNS works). Furthermore,
udhcpc (tested with Alpine Linux) does not get an address.


Error:

localhost:~# udhcpc eth0
udhcpc: started, v1.26.2
udhcpc: sending discover
udhcpc: no message type option, ignoring packet


* Just trying to contribute *

Best,


dmesg:


OpenBSD 6.1-current (GENERIC.MP) #0: Fri Jun 16 16:25:18 CEST 2017
   r...@vmm.nested.com:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 6425608192 (6127MB)
avail mem = 6225076224 (5936MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xe0010 (248 entries)
bios0: vendor Phoenix Technologies LTD version "6.00" date 04/05/2016
bios0: VMware, Inc. VMware Virtual Platform
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP BOOT APIC MCFG SRAT HPET WAET
acpi0: wakeup devices PCI0(S3) USB_(S1) P2P0(S3) S1F0(S3) S2F0(S3) S8F0(S3)
S16F(S3) S18F(S3) S22F(S3) S23F(S3) S24F(S3) S25F(S3) PE40(S3) S1F0(S3)
PE50(S3) S1F0(S3) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E3-1275 v5 @ 3.60GHz, 3600.42 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,X
SAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,SENSOR,ARAT

cpu0: 256KB 64b/line 8-way L2 cache
cpu0: TSC frequency 3600415280 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 65MHz
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU E3-1275 v5 @ 3.60GHz, 3600.15 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,X
SAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,SENSOR,ARAT

cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 0, package 2
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Xeon(R) CPU E3-1275 v5 @ 3.60GHz, 3600.16 MHz
cpu2:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,X
SAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,SENSOR,ARAT

cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 0, package 4
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Xeon(R) CPU E3-1275 v5 @ 3.60GHz, 3600.12 MHz
cpu3:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,X
SAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,SENSOR,ARAT

cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 0, core 0, package 6
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 11, 24 pins
acpimcfg0 at acpi0 addr 0xf000, bus 0-127
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C1(@1 halt!)
acpicpu1 at acpi0: C1(@1 halt!)
acpicpu2 at acpi0: C1(@1 halt!)
acpicpu3 at acpi0: C1(@1 halt!)
"PNP0001" at acpi0 not configured
"PNP0303" at acpi0 not configured
"VMW0003" at acpi0 not configured
"PNP0A05" at acpi0 not configured
acpiac0 at acpi0: AC unit online
pvbus0 at mainbus0: VMware
vmt0 at pvbus0
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x01
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x01
pci1 at ppb0 bus 1
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x08
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel
0 configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
piixpm0 at pci0 dev 7 function 3 "Intel 82371AB Power" rev 0x08: SMBus
disabled
"VMware VMCI" rev 0x10 at pci0 dev 7 
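The udhcpc message quoted above ("no message type option, ignoring packet") means the DHCP reply carried no option 53, and a reply without option 6 explains a guest that gets an address but no working DNS. The following is an added example, not code from the thread or from vmd: a small DHCP option parser that diagnoses both conditions. The two replies it checks are constructed to reproduce the symptom, not captures from a vmd guest; the 100.64.x.x addresses are only sample values.

```python
"""Check a DHCP reply for the options a client such as udhcpc requires.

Added example, not from the thread or from vmd. The replies below are
constructed to reproduce the symptom ("no message type option"); they are
not real captures.
"""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 marker that starts the option field
OPT_PAD, OPT_END = 0, 255
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS = 1, 3, 6
OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID = 51, 53, 54
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_options(packet: bytes) -> dict:
    """Return {code: value} for the option field of a BOOTP/DHCP packet.

    The fixed BOOTP header is 236 bytes; options follow the magic cookie.
    Stops at END, skips PAD, and rejects truncated options instead of
    reading past the end of the buffer.
    """
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (no magic cookie)")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = value
        i += 2 + length
    return opts


def diagnose(packet: bytes) -> list:
    """List the reasons a client may ignore or misuse this reply."""
    opts = parse_options(packet)
    problems = []
    if OPT_MSG_TYPE not in opts or len(opts[OPT_MSG_TYPE]) != 1:
        problems.append("no message type option (53): udhcpc ignores the packet")
    elif opts[OPT_MSG_TYPE][0] not in MSG_TYPES:
        problems.append(f"unknown message type {opts[OPT_MSG_TYPE][0]}")
    if OPT_SERVER_ID not in opts:
        problems.append("no server identifier (54): client cannot address its REQUEST")
    if OPT_DNS not in opts:
        problems.append("no domain name server option (6): DNS resolution will fail")
    return problems


def build_reply(yiaddr: str, options: list) -> bytes:
    """Build a minimal BOOTREPLY carrying the given (code, bytes) options (constructed)."""
    header = bytearray(236)
    header[0] = 2                       # op = BOOTREPLY
    header[1], header[2] = 1, 6         # htype Ethernet, hlen 6
    header[4:8] = b"\x12\x34\x56\x78"   # xid, arbitrary sample value
    header[16:20] = bytes(int(o) for o in yiaddr.split("."))   # yiaddr
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return bytes(header) + MAGIC_COOKIE + body + bytes([OPT_END])


# Constructed replies: a complete OFFER, and one lacking options 53, 54 and 6.
GOOD_OFFER = build_reply("100.64.1.2", [
    (OPT_MSG_TYPE, b"\x02"),
    (OPT_SERVER_ID, b"\x64\x40\x01\x01"),
    (OPT_SUBNET_MASK, b"\xff\xff\xff\x00"),
    (OPT_ROUTER, b"\x64\x40\x01\x01"),
    (OPT_DNS, b"\x64\x40\x01\x01"),
    (OPT_LEASE_TIME, struct.pack("!I", 3600)),
])
BAD_OFFER = build_reply("100.64.1.2", [
    (OPT_SUBNET_MASK, b"\xff\xff\xff\x00"),
    (OPT_ROUTER, b"\x64\x40\x01\x01"),
])

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_OFFER), ("bad", BAD_OFFER)):
        print(name, diagnose(pkt) or ["ok"])
```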

Re: httpd and Wordpress

2017-06-10 Thread R0me0 ***
+1
WordPress must be installed in the desired path; if you are moving from a
previous scheme like site/wordpress to wordpress, you have a problem. Refer
to the WordPress manual and you will find how to fix it. The best bet is, like Todd
said: deploy again.


2017-06-10 20:56 GMT-03:00 Todd :

> What is in your httpd error log?
> My guess is that WP is trying to pull some content from /wordpress which no
> longer exists since you moved the docroot.
>
> My suggestion for having your WP site available without going to the
> /wordpress URL is to redeploy the WordPress files to /var/www/html instead
> of /var/www/html/wordpress.
> Or add a 301 redirect from / to /wordpress
>
> On Sat, Jun 10, 2017 at 2:32 PM, Jan Betlach  wrote:
>
> > Hi guys,
> >
> > I have a small problem with httpd and Wordpress.
> > When I go to https://myipaddress I get "Access denied". If I go to
> > https://myipaddress/wordpress, everything works as expected.
> > I have tried to change the appropriate line in the httpd.conf to:
> > root "/htdocs/wordpress". In that case the webpage is loaded, but in the
> > "broken" form.
> >
> > My current httpd.conf:
> >
> > # $OpenBSD: httpd.conf,v 1.16 2016/09/17 20:05:59 tj Exp $
> > # Macros
> > ext_addr="*"
> > # Global Options
> > # prefork 3
> > # Servers
> > # A minimal default server
> > server "default" {
> > listen on $ext_addr port 80
> > listen on $ext_addr tls port 443 block return 301 "https://
> > $SERVER_NAME$REQUEST_URI"
> > tls {
> > key "/etc/ssl/private/server.key"
> > certificate "/etc/ssl/server.crt"
> > }
> > directory {
> > no auto index, index "index.php"
> > }
> > location "*.php" {
> > fastcgi socket "/run/php-fpm.sock"
> > }
> > root "/htdocs"
> > }
> > # Include MIME types instead of the built-in ones
> > types {
> > include "/usr/share/misc/mime.types"
> > }
> >
> >
> > Any ideas where I am making a mistake?
> >
> > Thank you
> >
> > Jan
> >
>


Re: /etc/mygate equivalent for IPv6?

2017-06-06 Thread R0me0 ***
That's it: magic puffer fish


2017-06-06 16:53 GMT-03:00 mabi :

> Fantastic, that was an easy one. Somehow I missed that from the OpenBSD
> FAQ, must have skimmed it too fast...
>
> So I guess here that I can have my IPv4 default gw and IPv6 default gw
> both on two different lines in the /etc/mygate file.
>
>
>
>  Original Message 
> Subject: Re: /etc/mygate equivalent for IPv6?
> Local Time: June 6, 2017 9:50 PM
> UTC Time: June 6, 2017 7:50 PM
> From: knight@gmail.com
> To: Janne Johansson 
> mabi , openbsd-misc 
>
> for example:
>
> fe80::1%carp0
>
> :)
>
> 2017-06-06 16:48 GMT-03:00 Janne Johansson :
>
>> Just add the ipv6 gw ip to /etc/mygate.
>>
>>
>>
>> 2017-06-06 21:45 GMT+02:00 mabi :
>>
>> > Hi,
>> >
>> > What is the "standard" approach for adding an IPv6 default gateway to an
>> > OpenBSD 6.1 machine analog to the /etc/mygate file for an IPv4 default
>> > route?
>> >
>> > There are no /etc/mygate6 file and as such for now I manually run:
>> >
>> > route -n add -inet6 default 
>> >
>> > Regards,
>> > Mabi
>>
>>
>>
>>
>> --
>> May the most significant bit of your life be positive.
>>
>
>


Re: /etc/mygate equivalent for IPv6?

2017-06-06 Thread R0me0 ***
for example:

fe80::1%carp0

:)

2017-06-06 16:48 GMT-03:00 Janne Johansson :

> Just add the ipv6 gw ip to /etc/mygate.
>
>
> 2017-06-06 21:45 GMT+02:00 mabi :
>
> > Hi,
> >
> > What is the "standard" approach for adding an IPv6 default gateway to an
> > OpenBSD 6.1 machine analog to the /etc/mygate file for an IPv4 default
> > route?
> >
> > There are no /etc/mygate6 file and as such for now I manually run:
> >
> > route -n add -inet6 default 
> >
> > Regards,
> > Mabi
>
>
>
>
> --
> May the most significant bit of your life be positive.
>


Re: OpenBSD and you

2017-05-10 Thread R0me0 ***
Peter,

With a presentation like that, everyone is tempted to meet Mr. Puffy

Thank you for keeping it updated! (~6.1)

It's an amazing job! You rock.

Cheers,





2017-05-10 7:20 GMT-03:00 Manolis Tzanidakis :

> On Wed (10/05/17), Peter N. M. Hansteen wrote:
> > That was the first option that came to mind, and the one I may go for as
> > a supplemental format *if* I can find a way to generate PDFs from this
> > source format *and* get the page breaks right. The print preview is
> > available browsers does not leave much hope of that actually happening,
> > however.
>
> You can give wkhtmltopdf (https://wkhtmltopdf.org/) a shot; it's in
> packages.
>
> A quick test I ran:
>
> $ wkhtmltopdf "https://home.nuug.no/~peter/openbsd_and_you/" output.pdf
>
> produces nice results, but omits the titles. I guess adding ", sans-serif"
> in
> the "font-family" lines in your css should fix that, eg:
>
> - body { font-family: 'Droid Serif'; }
> + body { font-family: 'Droid Serif', sans-serif; }
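Review bot: the generic fallback added in the `+` line is `sans-serif`, while the primary face 'Droid Serif' is a serif font, so whenever the web font is unavailable the page changes character rather than degrading gracefully; `body { font-family: 'Droid Serif', serif; }` keeps the intended look, and since the goal here is only to get wkhtmltopdf to render the titles, any generic family will satisfy it.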
>
>


Re: Arch and vmd

2017-05-07 Thread R0me0 ***
Thanks Karl

Your instructions saved a lot of research.

Running Funtoo Linux -current with a minimal kernel (compiled by hand);
adjusted the root partition to the vda disk.

Tests performed with OpenBSD 6.0 with binary patches applied.

Cheers,










2017-04-26 13:47 GMT-03:00 Karl Pettersson :

> Arch Linux works well as a vmd guest. Some notes about my experiences
> installing the system:
>
> * The Arch installation can be started from the serial console, see:
>   https://wiki.archlinux.org/index.php/Working_with_the_serial_console
>   #Installing_Arch_Linux_using_the_serial_console
>   However, the installation still tends to be unstable, due to unreliable
>   downloads (which has been discussed earlier). Until this is fixed, the
>   installation can be run in QEMU, or in a guest under Linux/KVM (as is
>   currently required by distributions with graphical install).
>
> * Syslinux has to be used as bootloader, and serial console should be
>   enabled: https://wiki.archlinux.org/index.php/Syslinux#Serial_console
>   Moreover, the generated config has to be edited to point to the
>   correct root device, and if Ext4 is used as root file system, it must
>   not be 64bit (which is enabled by default when the file system is
>   created): http://www.syslinux.org/wiki/index.php?title=Filesystem
>
>


OpenBSD 6.1 - Song released

2017-04-27 Thread R0me0 ***
Great work!


Bryan Adams - Summer of 69 - Parody


Long Life to Puffy

Cheers


Re: Topics for revised PF and networking tutorial

2017-04-07 Thread R0me0 ***
+1 Queue prioritization and ToS (set prio / set tos combinations) by
examples would be great

2017-04-07 13:00 GMT-03:00 I love OpenBSD :

> I second to more IPv6 related information.
> I am curious about blocking port scanning in IPv6 Web. Does pf let me put
> a CIDR into the named table based on offending IPv6 address and 64-bit
> mask? I mean something similar to 'overload ' option.



vmwpvs driver

2016-12-05 Thread R0me0 ***
Hello misc,

Some days ago, I tried to install OpenBSD 6.0 using vmwpvs (VMware
Paravirtual).

When the OpenBSD installer finished, I received a message that the boot could not
be done using my disk.

So I did some research on the OpenBSD mailing lists and found:


"There's a problem with vmwpvs(4) where the first write gets lost.
IIRC if you shell out from the installer and run fdisk -iy sd0 manually
once, then resume installing, it then works. "



I followed it and it solved the problem! I was able to boot my fresh new OpenBSD install.

* I performed it using full disk encryption

Is there any workaround besides this, or is it a legitimate bug?


Thank you



Re: IPv6 Setup not working on Hetzner server

2016-12-05 Thread R0me0 ***
+1
 ping -c 1 fe80::1%em0 > /dev/null

2016-12-05 11:05 GMT-02:00 Marc Peters :

> Am 12/02/16 um 13:39 schrieb Leo Unglaub:
> > I just found out that since i changed my mygate up to your suggestion
> > that i now have to ping6 fe80::1%em0 first and then i am able to
> > connecto to other hosts via IPv6. But not before i pinged the
> > fe80::1%em0. WTF?
>
> i have the same setup at hetzner and as someone suggested, i am using in
> my root crontab:
>
> @reboot sleep 10 && ping6 -c 10 fe80::1\%em0 > /dev/null
>
> works for me, at least.



OpenBSD and you

2016-11-25 Thread R0me0 ***
Hello everybody,

As I did not see any mention around here, I was prompted to post this great
presentation by Peter N. M. Hansteen.


https://home.nuug.no/~peter/blug2016/

Individually, my sincere gratitude to each developer of OpenBSD, the truly
reliable and highly secure operating system.

Regards,



Re: OpenBSD 6-stable vmd

2016-10-24 Thread R0me0 ***
Hey @Peter, one more time, thanks so much for the heads up :)

For those interested:

I'm running OpenBSD -current under VMware Workstation 12 (you just need to set
the processor properties to virtualize Intel VT-x/EPT or AMD-V/RVI)

And have fun testing VMD

:)

Thank you





2016-10-22 8:43 GMT-02:00 R0me0 *** <knight@gmail.com>:

> Hey Peter,
>
> Thank you for the advice, I'll get current
>
> Cheers dude!
>
> (:
>
>
> 2016-10-22 6:44 GMT-02:00 Peter Hessler <phess...@theapt.org>:
>
>> This isn't expected to work at all.  That is why it was disabled.
>> You'll need to upgrade the Hypervisor to -current, or to 6.1 when it is
>> released.
>>
>>
>>
>> On 2016 Oct 22 (Sat) at 00:06:08 -0200 (-0200), R0me0 *** wrote:
>> :Hello misc.
>> :
>> :For testing purposes
>> :
>> :I compiled a kernel with vmd support.
>> :
>> :After starting the VM -> vmctl start "myvm" -m 512M -i 1 -d disk.img -k
>> /bsd.rd
>> :
>> :I created a bridge and added vether0 and tap0
>> :
>> :In the VM I have configured an IP 192.168.1.30
>> :
>> :If I perform ping from the OpenBSD hypervisor -> ping 192.168.1.30 all
>> packets
>> :are sent and received "on the fly"
>> :
>> :But if I perform the same step from "myvm", there is no packet loss but
>> the
>> :packets take so long to be sent and consecutively replied
>> :
>> :I am performing these tests on Linux running VMware Workstation 12.
>> :
>> :Is this behavior expected ?
>> :
>> :Any directions will be appreciated.
>> :
>> :Thank you
>> :
>> :myvm dmesg:
>> :
>> :OpenBSD 6.0 (RAMDISK_CD) #2100: Tue Jul 26 13:05:59 MDT 2016
>> :   dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
>> :RTC BIOS diagnostic error 20
>> :real mem = 520093696 (496MB)
>> :avail mem = 502673408 (479MB)
>> :mainbus0 at root
>> :bios0 at mainbus0
>> :acpi at bios0 not configured
>> :cpu0 at mainbus0: (uniprocessor)
>> :cpu0: Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz, 14335.74 MHz
>> :cpu0:
>> :FPU,VME,DE,PSE,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,
>> PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,SSE3,PCLMUL,SSSE3,
>> FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,AVX,F1
>> :6C,RDRAND,HV,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,ARAT
>> :pvbus0 at mainbus0: OpenBSD
>> :pci0 at mainbus0 bus 0
>> :pchb0 at pci0 dev 0 function 0 "OpenBSD VMM PCI Host Bridge" rev 0x00
>> :virtio0 at pci0 dev 1 function 0 "Qumranet Virtio RNG" rev 0x00
>> :viornd0 at virtio0
>> :virtio0: irq 3
>> :virtio1 at pci0 dev 2 function 0 "Qumranet Virtio Storage" rev 0x00
>> :vioblk0 at virtio1
>> :scsibus0 at vioblk0: 2 targets
>> :sd0 at scsibus0 targ 0 lun 0: <VirtIO, Block Device, > SCSI3 0/direct
>> fixed
>> :sd0: 5120MB, 512 bytes/sector, 10485760 sectors
>> :virtio1: irq 5
>> :virtio2 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
>> :vio0 at virtio2: address fe:e1:ba:d0:d0:94
>> :virtio2: irq 9
>> :isa0 at mainbus0
>> :com0 at isa0 port 0x3f8/8 irq 4: ns8250, no fifo
>> :com0: console
>> :softraid0 at root
>> :scsibus1 at softraid0: 256 targets
>> :root on rd0a swap on rd0b dump on rd0b
>> :WARNING: invalid time in clock chip
>> :WARNING: CHECK AND RESET THE DATE!
>> :
>> :openbsd hypervisor :
>> :
>> :
>> :OpenBSD 6.0-stable (GENERIC.MP) #0: Fri Oct 21 20:07:42 BRST 2016
>> :   root@puffysor.localdomain:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>> :real mem = 2130640896 (2031MB)
>> :avail mem = 2061631488 (1966MB)
>> :mpath0 at root
>> :scsibus0 at mpath0: 256 targets
>> :mainbus0 at root
>> :bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xe0010 (242 entries)
>> :bios0: vendor Phoenix Technologies LTD version "6.00" date 07/02/2015
>> :bios0: VMware, Inc. VMware Virtual Platform
>> :acpi0 at bios0: rev 2
>> :acpi0: sleep states S0 S1 S4 S5
>> :acpi0: tables DSDT FACP BOOT APIC MCFG SRAT HPET WAET
>> :acpi0: wakeup devices PCI0(S3) USB_(S1) P2P0(S3) S1F0(S3) S2F0(S3)
>> S3F0(S3)
>> :S4F0(S3) S5F0(S3) S6F0(S3) S7F0(S3) S8F0(S3) S9F0(S3) S10F(S3) S11F(S3)
>> :S12F(S3) S13F(S3) [...]
>> :acpitimer0 at acpi0: 3579545 Hz, 24 bits
>> :acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
>> :cpu0 at mainbus0: apid 0 (boot processor)
>> :cpu0: Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz, 3800.69 MHz
>> :cpu0:
>> :FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,P

Re: pf rule for openvpn

2016-10-24 Thread R0me0 ***
Assuming you block the traffic by default

pf.conf

block log all


# tcpdump -e -ttt -ni pflog0 action block

You will be able to see what exactly is being blocked :)


-Regards

2016-10-24 12:19 GMT-02:00 Kenneth Gober :

> On Sun, Oct 23, 2016 at 4:46 PM, Thuban  wrote:
> > Here are the relevant parts of my pf.conf :
> >
> > ext_if = "re0"
> > tcp_pass = "{ gopher ipp 8000 }"
> > udp_pass = "{ 1194 }"
> >
> > pass in quick on $ext_if proto tcp to any port $tcp_pass keep state
> > pass in quick on $ext_if proto udp to any port $udp_pass keep state
> >
> > pass out on $ext_if from 10.8.0.0/24 to any nat-to $ext_if
> >
> > pass out on $ext_if proto { tcp udp icmp } all modulate state
>
> Do you have rules that allow traffic in from tun0?  Something like:
>
> pass in quick on tun0 keep state
>
> Otherwise traffic will reach OpenVPN but get no further, being blocked
> coming out of the tunnel.
>
> -ken
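The debugging step above (block log all, then reading pflog0 with tcpdump) yields one line per dropped packet, which gets noisy fast. Here is an added example, not code from the thread, that summarizes such lines per interface, direction, protocol and destination port, so that Ken's case (traffic blocked coming in on tun0 after leaving the tunnel) stands out at a glance. The LOG lines are constructed in the format OpenBSD tcpdump prints for pflog(4) records with -e -ttt -n; they are not a real capture, and only IPv4 TCP/UDP/ICMP lines are handled.

```python
"""Summarize blocked traffic from 'tcpdump -e -ttt -ni pflog0 action block'.

Added example, not from the thread. LOG below is constructed in the shape of
OpenBSD tcpdump pflog output (IPv4 only); it is not a real capture.
"""
import re
from collections import Counter

# One pflog record: timestamp, matched rule, action, direction, interface,
# then "src > dst: <protocol details>". Host.port is joined by a dot with -n.
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) "
    r"rule (?P<rule>\d+)/\(match\) (?P<action>pass|block) (?P<dir>in|out) "
    r"on (?P<iface>\w+): (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)


def split_hostport(token: str):
    """'10.0.0.1.22' -> ('10.0.0.1', 22); a bare address -> (addr, None)."""
    parts = token.split(".")
    if len(parts) == 5 and parts[-1].isdigit():
        return ".".join(parts[:4]), int(parts[-1])
    return token, None


def parse_line(line: str):
    """Parse one pflog line into a dict, or None for lines not in the format."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    if rest.startswith("icmp"):
        proto = "icmp"
    elif rest.startswith("udp"):
        proto = "udp"
    else:
        proto = "tcp"            # tcpdump prints TCP flags/seq directly
    src, sport = split_hostport(m["src"])
    dst, dport = split_hostport(m["dst"])
    return {"rule": int(m["rule"]), "action": m["action"], "dir": m["dir"],
            "iface": m["iface"], "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def summarize(lines):
    """Count blocked packets per (iface, dir, proto, dport); pass lines are ignored."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "block":
            counts[(rec["iface"], rec["dir"], rec["proto"], rec["dport"])] += 1
    return counts


def report(lines):
    """Render the summary, most frequent first."""
    rows = sorted(summarize(lines).items(), key=lambda kv: (-kv[1], str(kv[0])))
    return [f"{iface} {d} {proto}/{dport if dport is not None else '-'}: {n}"
            for (iface, d, proto, dport), n in rows]


# Constructed sample: VPN client traffic dropped coming in on tun0, one SSH
# probe dropped on re0, and one passed OpenVPN packet (not counted).
LOG = """\
Oct 24 12:19:01.103374 rule 0/(match) block in on tun0: 10.8.0.6 > 10.8.0.1: icmp: echo request
Oct 24 12:19:02.118212 rule 0/(match) block in on tun0: 10.8.0.6.51520 > 10.8.0.1.53: udp 32
Oct 24 12:19:02.902611 rule 0/(match) block in on tun0: 10.8.0.6.51521 > 10.8.0.1.53: udp 32
Oct 24 12:19:05.441903 rule 0/(match) block in on re0: 203.0.113.7.52001 > 198.51.100.2.22: S 1:1(0) win 65535
Oct 24 12:19:06.000120 rule 3/(match) pass in on re0: 203.0.113.9.40001 > 198.51.100.2.1194: udp 14
""".splitlines()

if __name__ == "__main__":
    for row in report(LOG):
        print(row)
```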



Re: OpenBSD 6-stable vmd

2016-10-22 Thread R0me0 ***
Hey Peter,

Thank you for the advice, I'll get current

Cheers dude!

(:


2016-10-22 6:44 GMT-02:00 Peter Hessler <phess...@theapt.org>:

> This isn't expected to work at all.  That is why it was disabled.
> You'll need to upgrade the Hypervisor to -current, or to 6.1 when it is
> released.
>
>
>
> On 2016 Oct 22 (Sat) at 00:06:08 -0200 (-0200), R0me0 *** wrote:
> :Hello misc.
> :
> :For testing purposes
> :
> :I compiled a kernel with vmd support.
> :
> :After starting the VM -> vmctl start "myvm" -m 512M -i 1 -d disk.img -k
> /bsd.rd
> :
> :I created a bridge and added vether0 and tap0
> :
> :In the VM I have configured an IP 192.168.1.30
> :
> :If I perform ping from the OpenBSD hypervisor -> ping 192.168.1.30 all
> packets
> :are sent and received "on the fly"
> :
> :But if I perform the same step from "myvm", there is no packet loss but
> the
> :packets take so long to be sent and consecutively replied
> :
> :I am performing these tests on Linux running VMware Workstation 12.
> :
> :Is this behavior expected ?
> :
> :Any directions will be appreciated.
> :
> :Thank you
> :
> :myvm dmesg:
> :
> :OpenBSD 6.0 (RAMDISK_CD) #2100: Tue Jul 26 13:05:59 MDT 2016
> :   dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
> :RTC BIOS diagnostic error 20
> :real mem = 520093696 (496MB)
> :avail mem = 502673408 (479MB)
> :mainbus0 at root
> :bios0 at mainbus0
> :acpi at bios0 not configured
> :cpu0 at mainbus0: (uniprocessor)
> :cpu0: Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz, 14335.74 MHz
> :cpu0:
> :FPU,VME,DE,PSE,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,
> CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,SSE3,PCLMUL,
> SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,AVX,F1
> :6C,RDRAND,HV,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,ARAT
> :pvbus0 at mainbus0: OpenBSD
> :pci0 at mainbus0 bus 0
> :pchb0 at pci0 dev 0 function 0 "OpenBSD VMM PCI Host Bridge" rev 0x00
> :virtio0 at pci0 dev 1 function 0 "Qumranet Virtio RNG" rev 0x00
> :viornd0 at virtio0
> :virtio0: irq 3
> :virtio1 at pci0 dev 2 function 0 "Qumranet Virtio Storage" rev 0x00
> :vioblk0 at virtio1
> :scsibus0 at vioblk0: 2 targets
> :sd0 at scsibus0 targ 0 lun 0: <VirtIO, Block Device, > SCSI3 0/direct
> fixed
> :sd0: 5120MB, 512 bytes/sector, 10485760 sectors
> :virtio1: irq 5
> :virtio2 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
> :vio0 at virtio2: address fe:e1:ba:d0:d0:94
> :virtio2: irq 9
> :isa0 at mainbus0
> :com0 at isa0 port 0x3f8/8 irq 4: ns8250, no fifo
> :com0: console
> :softraid0 at root
> :scsibus1 at softraid0: 256 targets
> :root on rd0a swap on rd0b dump on rd0b
> :WARNING: invalid time in clock chip
> :WARNING: CHECK AND RESET THE DATE!
> :
> :openbsd hypervisor :
> :
> :
> :OpenBSD 6.0-stable (GENERIC.MP) #0: Fri Oct 21 20:07:42 BRST 2016
> :   root@puffysor.localdomain:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> :real mem = 2130640896 (2031MB)
> :avail mem = 2061631488 (1966MB)
> :mpath0 at root
> :scsibus0 at mpath0: 256 targets
> :mainbus0 at root
> :bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xe0010 (242 entries)
> :bios0: vendor Phoenix Technologies LTD version "6.00" date 07/02/2015
> :bios0: VMware, Inc. VMware Virtual Platform
> :acpi0 at bios0: rev 2
> :acpi0: sleep states S0 S1 S4 S5
> :acpi0: tables DSDT FACP BOOT APIC MCFG SRAT HPET WAET
> :acpi0: wakeup devices PCI0(S3) USB_(S1) P2P0(S3) S1F0(S3) S2F0(S3)
> S3F0(S3)
> :S4F0(S3) S5F0(S3) S6F0(S3) S7F0(S3) S8F0(S3) S9F0(S3) S10F(S3) S11F(S3)
> :S12F(S3) S13F(S3) [...]
> :acpitimer0 at acpi0: 3579545 Hz, 24 bits
> :acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> :cpu0 at mainbus0: apid 0 (boot processor)
> :cpu0: Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz, 3800.69 MHz
> :cpu0:
> :FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,
> CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,
> PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLIN
> :E,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,LONG,LAHF,ABM,
> PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
> :
> :cpu0: 256KB 64b/line 8-way L2 cache
> :cpu0: smt 0, core 0, package 0
> :mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> :cpu0: apic clock running at 65MHz
> :cpu1 at mainbus0: apid 1 (application processor)
> :cpu1: Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz, 3810.50 MHz
> :cpu1:
> :FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,
> CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,
> PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEAD

OpenBSD 6-stable vmd

2016-10-21 Thread R0me0 ***
Hello misc.

For testing purposes

I compiled a kernel with vmd support.

After starting the VM -> vmctl start "myvm" -m 512M -i 1 -d disk.img -k /bsd.rd

I created a bridge and added vether0 and tap0

In the VM I have configured an IP 192.168.1.30

If I perform ping from the OpenBSD hypervisor -> ping 192.168.1.30 all packets
are sent and received "on the fly"

But if I perform the same step from "myvm", there is no packet loss but the
packets take so long to be sent and consecutively replied

I am performing these tests on Linux running VMware Workstation 12.

Is this behavior expected ?

Any directions will be appreciated.

Thank you

myvm dmesg:

OpenBSD 6.0 (RAMDISK_CD) #2100: Tue Jul 26 13:05:59 MDT 2016
   dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
RTC BIOS diagnostic error 20
real mem = 520093696 (496MB)
avail mem = 502673408 (479MB)
mainbus0 at root
bios0 at mainbus0
acpi at bios0 not configured
cpu0 at mainbus0: (uniprocessor)
cpu0: Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz, 14335.74 MHz
cpu0:
FPU,VME,DE,PSE,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,AVX,F1
6C,RDRAND,HV,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,ARAT
pvbus0 at mainbus0: OpenBSD
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "OpenBSD VMM PCI Host Bridge" rev 0x00
virtio0 at pci0 dev 1 function 0 "Qumranet Virtio RNG" rev 0x00
viornd0 at virtio0
virtio0: irq 3
virtio1 at pci0 dev 2 function 0 "Qumranet Virtio Storage" rev 0x00
vioblk0 at virtio1
scsibus0 at vioblk0: 2 targets
sd0 at scsibus0 targ 0 lun 0:  SCSI3 0/direct fixed
sd0: 5120MB, 512 bytes/sector, 10485760 sectors
virtio1: irq 5
virtio2 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
vio0 at virtio2: address fe:e1:ba:d0:d0:94
virtio2: irq 9
isa0 at mainbus0
com0 at isa0 port 0x3f8/8 irq 4: ns8250, no fifo
com0: console
softraid0 at root
scsibus1 at softraid0: 256 targets
root on rd0a swap on rd0b dump on rd0b
WARNING: invalid time in clock chip
WARNING: CHECK AND RESET THE DATE!

openbsd hypervisor :


OpenBSD 6.0-stable (GENERIC.MP) #0: Fri Oct 21 20:07:42 BRST 2016
   root@puffysor.localdomain:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2130640896 (2031MB)
avail mem = 2061631488 (1966MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xe0010 (242 entries)
bios0: vendor Phoenix Technologies LTD version "6.00" date 07/02/2015
bios0: VMware, Inc. VMware Virtual Platform
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP BOOT APIC MCFG SRAT HPET WAET
acpi0: wakeup devices PCI0(S3) USB_(S1) P2P0(S3) S1F0(S3) S2F0(S3) S3F0(S3)
S4F0(S3) S5F0(S3) S6F0(S3) S7F0(S3) S8F0(S3) S9F0(S3) S10F(S3) S11F(S3)
S12F(S3) S13F(S3) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz, 3800.69 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLIN
E,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT

cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 65MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz, 3810.50 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLIN
E,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT

cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 11, 24 pins
acpimcfg0 at acpi0 addr 0xf000, bus 0-127
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C1(@1 halt!)
acpicpu1 at acpi0: C1(@1 halt!)
"PNP0001" at acpi0 not configured
"PNP0303" at acpi0 not configured
"VMW0003" at acpi0 not configured
"PNP0A05" at acpi0 not configured
acpiac0 at acpi0: AC unit online
pvbus0 at mainbus0: VMware
vmt0 at pvbus0
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x01
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x01
pci1 at ppb0 bus 1
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x08
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel
0 configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
atapiscsi0 at pciide0 channel 1 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 

Re: what all touches the carp demote counter?

2016-10-10 Thread R0me0 ***
Hello, sorry for my bad English.

So, let's debug.

Review carp/pfsync (NODE1-carp0/NODE2-carp0: same password and same vhid
for each pair) (pfsync syncdev) (/etc/hostname.pfsync0 = up syncdev
IFACE)

Check the default gateway on both (/etc/mygate) / sysctl ip.forwarding=1 and
carp.preempt=1 (/etc/sysctl.conf)

(pf rules)

Put the carp and pfsync rules at the TOP of your rules (for debug purposes, set
skip on { lo0 $pfsyncdev })

=> pass quick on { $carpdev $carpdev2 $carpdev3 } proto carp keep state
(no-sync) <=

- Check with tcpdump on pflog if carp packets are being dropped

- Check that all carp interfaces are MASTER on the current node and
that all are BACKUP on the other

- Check that on the current backup node the states are syncing (systat
states) (compare on both: pfctl -ss | wc -l), almost the same quantity.


Bring the primary node up to MASTER (ifconfig -g carp carpdemote 30 on the
current master node); the slave needs to have a lower carpdemote value,
and do NOT define advskew on the primary, leave the default (0); just on the backup
set advskew and put a high value (advskew 100) (hostname.carp)

- Check carpdemote on the new primary master (ifconfig -g carp); if the
value is not 0, set it to

- Reboot the slave node... and when it is back, check that it stays slave (check
systat states) (compare on both pfctl -ss | wc -l); must be almost equal.

- Check carpdemote on the slave; it should be 0

Reboot the primary/master and when it is back it is supposed to be master


* If you have huge traffic (the node you rebooted must wait until
states are synchronized)

About ospf, I have no experience working with carp.

One more time, sorry for any typos

[]'s



2016-10-10 22:58 GMT-03:00 Paul B. Henson <hen...@acm.org>:

> On Mon, Oct 10, 2016 at 09:43:56PM -0300, R0me0 *** wrote:
>
> > Did you adjust advskew value on the machine you want to be Backup ?
>
> Yes, the backup has an advskew of 5 and the primary an advskew of 1. As
> I mentioned, when I first configured the interfaces by hand the two
> systems properly negotiated master/backup roles, it was only after I
> rebooted the one that was supposed to be primary on this interface that
> it came up as backup, and I traced it to the fact that the carp demote value
> was set to 2. When I manually changed the carp demote value to 0, the
> system once again pre-empted the master role on the interface.
>
> I'm just not sure what is twiddling with the carp demotion value. Unless
> ospfd does it by default? The man page for the config file reads like it
> would only do it if you explicitly include the demote keyword in the
> area or interface section.
>
> Thanks for the suggestion though.


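The checklist above, turned into a script (an added example; not code from the thread or from OpenBSD). It only parses ifconfig(8) text, so it can be tried offline on the constructed sample at the bottom; on a live node you would feed it the real output of `ifconfig carp` and `ifconfig -g carp`. Interface names and addresses in the sample are made up. Note that the sysctls abbreviated above are net.inet.ip.forwarding and net.inet.carp.preempt.

```shell
#!/bin/sh
# Added example, not code from the thread: checks whether this node is in
# the CARP role you expect and has a zero demote counter, from ifconfig(8)
# output.  On a live node:
#   carp_check MASTER "$(ifconfig carp)" "$(ifconfig -g carp)"
# (or BACKUP on the other box).  The sample text at the bottom is
# constructed so the script can be tried offline.

# Print one "ifname STATE" line per carp interface found in ifconfig output.
carp_roles() {
    printf '%s\n' "$1" | awk '
        /^[a-z]+[0-9]+:/                     { ifn = $1; sub(":", "", ifn) }
        /carp: (INIT|BACKUP|MASTER|INVALID)/ { print ifn, $2 }'
}

# Print the group demote counter from "ifconfig -g carp" output (0 if absent).
carp_demote_count() {
    printf '%s\n' "$1" | awk '
        /carp demote count/ { n = $NF }
        END { print (n == "" ? 0 : n) }'
}

# Return 0 when every carp interface is in WANT (MASTER or BACKUP) and the
# demote counter is 0; otherwise describe the problem and return 1.
carp_check() {
    want=$1; ifcfg=$2; grp=$3; rc=0
    bad=$(carp_roles "$ifcfg" | awk -v want="$want" '$2 != want { printf "%s=%s ", $1, $2 }')
    if [ -n "$bad" ]; then
        printf 'role mismatch (want %s): %s\n' "$want" "$bad"
        rc=1
    fi
    n=$(carp_demote_count "$grp")
    if [ "$n" -ne 0 ]; then
        printf 'carp demote count is %s, expected 0 (something on this box, e.g. ospfd or pfsync, is demoting it)\n' "$n"
        rc=1
    fi
    return $rc
}

# The thread compares "pfctl -ss | wc -l" on both nodes and expects the
# counts to be almost equal; TOL is the allowed difference in percent of A.
states_in_sync() {
    a=$1; b=$2; tol=${3:-10}
    if [ "$a" -ge "$b" ]; then d=$((a - b)); else d=$((b - a)); fi
    [ $((d * 100)) -le $((a * tol)) ]
}

# Constructed sample (not output from the thread): a node that should be
# MASTER everywhere but has carp0 in BACKUP and a demote counter of 2.
SAMPLE_IFCONFIG='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 0
        groups: carp
        status: backup
        inet 10.20.30.40 netmask 0xffffff00 broadcast 10.20.30.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:02
        carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 0
        groups: carp
        status: master
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255'
SAMPLE_GROUP='carp: carp demote count 2'

carp_check MASTER "$SAMPLE_IFCONFIG" "$SAMPLE_GROUP" ||
    echo "this node will not take over until the above is fixed"
```

Run it on both boxes with the role each one is supposed to have; a non-zero demote counter is exactly the symptom in this thread, and carp_check points at it before you start rebooting nodes.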

Re: what all touches the carp demote counter?

2016-10-10 Thread R0me0 ***
Hello Paul,

Did you adjust the advskew value on the machine you want to be Backup?

For example:


Primary/Master

# cat hostname.carp0

vhid 1 carpdev em0 pass THEPASSWORD
inet 10.20.30.40 255.255.255.0


Slave/Backup
# cat hostname.carp0

vhid 1 carpdev em0 advskew 100 pass THEPASSWORD
inet 10.20.30.40 255.255.255.0

I think that could be it.

Regards,

2016-10-10 20:30 GMT-03:00 Paul B. Henson :

> I'm setting up a second router that's going to sit next to an existing
> one and become a redundant failover system. The current one is in
> production, and I've been converting some of the existing LAN subnets on it
> to use carp interfaces and making them primary and the new box
> secondary. I also set up a carp interface on the WAN side and made the
> new box primary for testing as that didn't exist before. That all
> worked fine when I set it up by hand, but when I rebooted the new box,
> the old box stayed primary for everything including the WAN interface,
> which I tracked down to the carp demote counter, which ended up at 2 on
> the new box after the reboot:
>
> bash-4.3# ifconfig -g carp
> carp: carp demote count 2
>
> After I manually decreased the demote counter by 2 back to 0 the WAN
> interface master switched back to the new box.
>
> I'm not sure what's doing that at boot? I am running ospfd on the box,
> but I don't have any demote statements in my configuration. I'm also
> running npppd, but I don't see anything about that and carp demotion.
> What else might be setting carp demotion values?
>
> Thanks...



Re: OpenBSD 6 + CARP + PFSYNC + vmware esxi 6 - stalled nat connections

2016-10-09 Thread R0me0 ***
Just an addition


After performing a ton of tests I brought up Debian Linux, FreeBSD and
Windows.

FreeBSD: with the fetch tool no issue; using ftp causes the stall

OpenBSD: the wget and ftp tools cause the connection to stall

Debian Linux: wget works

Windows: works

I tested the retrieval with
http://mirrors.slackware.com/slackware/slackware-iso/slackware64-14.2-iso/slackware64-14.2-install-dvd.iso

The workaround to avoid "ifconfig pfsync0 down" was to use "no-sync" on the
NAT rule

pass out  (no-sync) nat-to 10.20.30.40


Thanks




2016-10-08 18:54 GMT-03:00 R0me0 *** <knight@gmail.com>:

> Hello Misc,
>
> I kindly would like to ask if anyone has already faced something like this:
>
> I have the following setup
>
> VMware 6 ( one physical interface )
>
> 2x OpenBSD 6 ( cloned machine ) ( using E1000 ) ( was using vmxnet3 )
>
> OpenBSD router running 3 carps ( ext / dmz / lan )
>
> Physical carp interfaces have no IP
>
> em0 up
> em1 up
> em2 up
> em3 192.168.0.1/30 ( vmware virtual machine port VLAN ) ( tried with a
> separate vswitch )
>
> pfsync0 up syncdev em3 ( tried using syncpeer )
>
> DMZ ( carped ) has 4 hosts running OpenBSD 6
>
>
> ifconfig -g carp carpdemote 20
>
> Failover works as expected ( no issue )
>
> Issue: OpenBSDs in the DMZ to the internet
>
> ftp -d  openbsd.iso  ( I get a stalled connection )
>
> pkg_add -u ( halfway through the connection stalls )
>
> It only happens when performing NAT
>
>
> OpenBSD CARP backup
>
> ifconfig pfsync0 down
>
> connections stop being stalled
>
> This behavior is happening with OpenBSD hosts and http traffic
>
>
> Thanks in advance



OpenBSD 6 + CARP + PFSYNC + vmware esxi 6 - stalled nat connections

2016-10-08 Thread R0me0 ***
Hello Misc,

I kindly would like to ask if anyone has already faced something like this:

I have the following setup

VMware 6 ( one physical interface )

2x OpenBSD 6 ( cloned machine ) ( using E1000 ) ( was using vmxnet3 )

OpenBSD router running 3 carps ( ext / dmz / lan )

Physical carp interfaces have no IP

em0 up
em1 up
em2 up
em3 192.168.0.1/30 ( vmware virtual machine port VLAN ) ( tried with a
separate vswitch )

pfsync0 up syncdev em3 ( tried using syncpeer )

DMZ ( carped ) has 4 hosts running OpenBSD 6


ifconfig -g carp carpdemote 20

Failover works as expected ( no issue )

Issue: OpenBSDs in the DMZ to the internet

ftp -d  openbsd.iso  ( I get a stalled connection )

pkg_add -u ( halfway through the connection stalls )

It only happens when performing NAT


OpenBSD CARP backup

ifconfig pfsync0 down

connections stop being stalled

This behavior is happening with OpenBSD hosts and http traffic


Thanks in advance



Re: Building OpenBSD 6.0 -stable - Error

2016-09-03 Thread R0me0 ***
Hello Teno,

I have successfully updated five OpenBSD 5.9 machines to 6.0 on release day,
following https://www.openbsd.org/faq/upgrade60.html

Afterwards, I rebuilt all of them to the stable branch from:

$ cd /usr
$ cvs -qd anon...@anoncvs.ca.openbsd.org:/cvs get -rOPENBSD_6_0 -P src


It was magical, as expected.

Regards,



2016-09-03 8:11 GMT-03:00 Teno Deuter :

> meaning I shall try at a later time?
>
> Thank you
>
> On Sat, Sep 3, 2016 at 12:40 PM, Ted Unangst  wrote:
> > Teno Deuter wrote:
> >> installed a fresh 6.0 AMD64 and tried to build 'stable' from source.
> >>
> >> Here is what I did as 'root' (as described in:
> >> http://www.openbsd.org/stable.html):
> >>
> >> export CVSROOT=anon...@anoncvs1.ca.openbsd.org:/cvs
> >> cd /usr; cvs checkout -P -rOPENBSD_6_0 src
> >
> > there's some repo surgery in progress. it should be fixed eventually.



Re: OpenBSD 6.0 release and errata60.html

2016-09-01 Thread R0me0 ***
Howdy !

Thanks for quick reply

Really appreciated.

Regards,


2016-09-01 16:06 GMT-03:00 Francois Pussault <fpussa...@contactoffice.fr>:

> hello, no apply patches new if you want to
>
> > ----
> > From: R0me0 *** <knight@gmail.com>
> > Sent: Thu Sep 01 20:59:43 CEST 2016
> > To: OpenBSD Misc <misc@openbsd.org>
> > Subject: OpenBSD 6.0 release and errata60.html
> >
> >
> > Hello misc,
> >
> > I have a little doubt
> >
> > Today was the official release of 6.0
> >
> > Does this release already include the errata60.html patches or do I need
> > to apply them?
> >
> > Thanks in advance,
> >
>
>
> Cordialement
> Francois Pussault
> 10 chemin de négo saoumos
> apt 202 - bat 2
> 31300 Toulouse
> +33 6 17 230 820
> fpussa...@contactoffice.fr



OpenBSD 6.0 release and errata60.html

2016-09-01 Thread R0me0 ***
Hello misc,

I have a little doubt

Today was the official release of 6.0

Does this release already include the errata60.html patches or do I need to
apply them?

Thanks in advance,



Re: DigitalOcean and OpenBSD

2016-08-25 Thread R0me0 ***
It works, BUT

I have experienced at least 3 droplet corruptions in 3 different locations
in less than 1 month.

I know OpenBSD isn't officially supported by DigitalOcean.

At this moment I have several thoughts.

The droplet keeps running, but if you intend to reboot and have an encrypted
OpenBSD installation, consider having a fresh backup before the reboot.

LoL

:)

That's my point

2016-08-25 11:35 GMT-03:00 ds <d...@bitmail.cc>:

> On Thu, 25 Aug 2016 11:28:19 -0300
> "R0me0 ***" <knight@gmail.com> wrote:
>
> > http://www.elnur.pro/digitalocean-droplet-corruption
> >
>
> so what's your point? that openbsd doesn't work on DI?



Re: DigitalOcean and OpenBSD

2016-08-25 Thread R0me0 ***
http://www.elnur.pro/digitalocean-droplet-corruption



2016-08-25 11:18 GMT-03:00 ds <d...@bitmail.cc>:

> On Wed, 24 Aug 2016 10:40:38 -0300
> "R0me0 ***" <knight@gmail.com> wrote:
>
> > Hello everybody !
> >
> > Please,
> >
> > Has anyone already had disk corruption running OpenBSD @ DigitalOcean
> > with disk encryption ?
> >
> > I have had this issue for the third time running the OpenBSD 5.9 stable
> > branch and a simple "reboot" == No O/S
> >
> >
> > Thanks in advance,
> >
>
> if you're installing OpenBSD on a random VPS, i usually do this: boot
> up their ubuntu linux rescue image, and:
>
>   apt-get update; apt-get -y install qemu
>
> download your OpenBSD iso and do this:
>
> qemu-system-x86_64 -nographic -curses -smp 4  -m 2G  -drive
> file=/dev/sda,cache=none,if=virtio  -boot d -cdrom $THEISO
>
> (assuming /dev/sda is your drive)



Re: DigitalOcean and OpenBSD

2016-08-24 Thread R0me0 ***
Hey James,

Thank you for your reply. I have had OpenBSD running on Vultr for almost
thirty days with the same setup and everything is going very well. Also I
brought up an OpenBSD on Linode today and it seems OK as well :)

Cheers,




2016-08-24 21:42 GMT-03:00 James Pole <ja...@pole.net.nz>:

> I second the recommendation for Vultr. Loading an OpenBSD ISO and using
> that to install OpenBSD is a very straightforward process and it works very
> well in my experience. I have had a Vultr VPS running OpenBSD 5.9 for the
> last few months. It is part of a test to see whether it will function as a
> replacement for my existing FreeBSD and Debian VPS instances. I have been
> impressed enough that I plan to replace my FreeBSD and Debian instances
> with OpenBSD instances before the end of the year.
>
> - James
>
> > On 25/08/2016, at 8:25 AM, Pedro Tender <mascar...@sailormoon.pt> wrote:
> >
> > Not helping to the question but...
> >
> > Regarding similar cheap vps service you could try vultr where one can
> > install a custom ISO and have a clean OpenBSD install without
> > pre-installing other OSes - from what I can see it makes everything a big
> > mess.
> > I run a 5.9 stable (updated since original 5.7 install) there without any
> > problems but I don't have HD encryption so I don't have any idea and can
> > only suppose it should work without problems being a clean install.
> > While installing with their webKVM I can only have my keyboard layout
> (PT)
> > working if I use MSWindows, nor OSX nor OpenBSD make correct keyboard
> > attribution (and I cannot remove X packages on install because I don't
> have
> > the - key anywhere). I don't know if other keyboards will have similar
> > problems.
> >
> > Just wanted to share my experience so you could try alternatives if your
> > DOcean experience leaves you hanging.
> >
> > On Aug 24, 2016 20:52, "R0me0 ***" <knight@gmail.com> wrote:
> >
> >> Hey Adam,
> >>
> >> I have had this issue for the third time in different regions in the
> >> last 30 days, and my procedure was getting the minirootfs like the
> >> Tubsta procedure.
> >>
> >> The only thing different was getting the OpenBSD 5.9 stable branch,
> >> recompiling the kernel, rebooting and then recompiling the userland
> >> tools and rebooting. ( Works like a charm ) and as expected :P
> >>
> >> Procedures from here https://www.openbsd.org/stable.html
> >>
> >> But suddenly, like today, the same # reboot
> >> I get NO O/S found.
> >>
> >> That's it
> >>
> >>
> >>
> >>
> >>
> >> 2016-08-24 16:12 GMT-03:00 Adam Taylor <artay...@gmail.com>:
> >>
> >>> I have not run into any issues with reboots on my encrypted OpenBSD
> >>> droplet on DO.
> >>>
> >>> It's running a 5.9 snapshot, not quite current.
> >>>
> >>> I followed the Tubsta instructions on getting it running.  But deviated
> >>> since I wanted encryption just for fun.
> >>>
> >>> On Aug 24, 2016 9:42 AM, "R0me0 ***" <knight@gmail.com> wrote:
> >>>
> >>>> Hello everybody !
> >>>>
> >>>> Please,
> >>>>
> >>>> Has anyone already had disk corruption running OpenBSD @ DigitalOcean
> >>>> with disk encryption ?
> >>>>
> >>>> I have had this issue for the third time running the OpenBSD 5.9 stable
> >>>> branch and a simple "reboot" == No O/S
> >>>>
> >>>>
> >>>> Thanks in advance,



Re: DigitalOcean and OpenBSD

2016-08-24 Thread R0me0 ***
Hello misc,
Unfortunately, even after copying the raw disk and writing it to a local VM,
disklabel isn't able to "see" the labels; the only thing there is the
partitioning scheme.

Thank you to everyone that gave me directions, really appreciated ( all those
in private as well )

Cheers guys !





2016-08-24 15:37 GMT-03:00 Martin Schröder :

> 2016-08-24 16:48 GMT+02:00  :
> > You did not provide any sensible detail, so consider this guess work.
>
> You're not helping.



Re: DigitalOcean and OpenBSD

2016-08-24 Thread R0me0 ***
Hey Chris,

I don't think so, because everything was going very well. The OpenBSD there
just runs unbound, dnscrypt ( pkg_add ) and an IPsec VPN. I rebooted today
just out of curiosity ( because I had already faced it ) and to my surprise
it happened again.

I guess it is something there, as cited by @Troy.

Summary: the problem is not with OpenBSD but something on DigitalOcean.


Thank you man !



2016-08-24 17:00 GMT-03:00 Chris Cappuccio <ch...@nmedia.net>:

> R0me0 *** [knight@gmail.com] wrote:
> >
> > I have NO O/S found .
> >
> > That's it
> >
>
> Is it possible that the instructions you are using are incomplete and/or
> incompatible with the software ? Have you tried this on a standalone
> machine?



Re: DigitalOcean and OpenBSD

2016-08-24 Thread R0me0 ***
Hey Anton !

I didn't ask for support! You are misunderstanding! If I need support
from OpenBSD it will be related to some kernel panic or something similar,
as I have already reported in the past.
From my point of view, I could be wrong, sorry if that is the case,

I see a lot of people sharing experiences here on misc dot openbsd dot org.

I always dig before asking. So you need to be smoother, and as I said,
silence is better than useless shit. If you have an experience to share,
like "Hey dude, I already faced it", OK, nice, you are welcome! But if not,
why are you guys writing?

Come on dude, grow up !



2016-08-24 16:50 GMT-03:00 :

> Wed, 24 Aug 2016 20:37:22 +0200 Martin Schröder 
> > 2016-08-24 16:48 GMT+02:00  :
> > > You did not provide any sensible detail, so consider this guess work.
> >
> > You're not helping.
> >
>
> Hi Martin,
>
> Neither are you, of course, needless to say.  Because you just won't get
> it.  OpenBSD worked anywhere I've tried before on any KVM set up cheaper
> than on these toy virtual server offers.  You have to do it yourself, so
> that you actually can support yourself.  There is "NO"body doing support
> for you in these self service providers.  Not for peanuts monthly, add 5
> bucks more and get a dedicated server, then choose bare metal or any KVM
> and be done with it, eliminating entirely the weak spot: lame VPS offer.
>
> This is why, the person in trouble can't get you any technical feedback,
> because he can't get sensible feedback from the provider technical team.
> The truth is: this is a misplaced support call, you can't help that guy.
> Because the target audience for such providers are not technical people.
>
> Read again, ask others, you will get pretty good picture of these facts.
> You can help other guys by giving them an idea what actually would work.
> Of course cut one sentence and start your interpretations, just perfect.
> Well now, let me expand the sentence back again to what I actually said.
>
> Yet one other way to proceed, would be to seek support from the provider
> & be ready to pass tech info back and forth so OpenBSD help is possible.
>
> Kind regards,
> Anton



Re: DigitalOcean and OpenBSD

2016-08-24 Thread R0me0 ***
Hey Adam,

I have had this issue for the third time in different regions in the last
30 days, and my procedure was getting the minirootfs like the Tubsta
procedure.

The only thing different was getting the OpenBSD 5.9 stable branch,
recompiling the kernel, rebooting and then recompiling the userland tools
and rebooting. ( Works like a charm ) and as expected :P

Procedures from here https://www.openbsd.org/stable.html

But suddenly, like today, the same # reboot
I get NO O/S found.

That's it


2016-08-24 16:12 GMT-03:00 Adam Taylor <artay...@gmail.com>:

> I have not run into any issues with reboots on my encrypted OpenBSD
> droplet on DO.
>
> It's running a 5.9 snapshot, not quite current.
>
> I followed the Tubsta instructions on getting it running.  But deviated
> since I wanted encryption just for fun.
>
> On Aug 24, 2016 9:42 AM, "R0me0 ***" <knight@gmail.com> wrote:
>
>> Hello everybody !
>>
>> Please,
>>
>> Has anyone already had disk corruption running OpenBSD @ DigitalOcean with
>> disk encryption ?
>>
>> I have had this issue for the third time running the OpenBSD 5.9 stable
>> branch and a simple "reboot" == No O/S
>>
>>
>> Thanks in advance,



Re: DigitalOcean and OpenBSD

2016-08-24 Thread R0me0 ***
Hey Troy, thank you for your reply

At this moment I am performing a dd over ssh.
I was able to check with the recovery ISO provided by DigitalOcean; the
partition table of OpenBSD seems to be there.

After that I will try to restore the MBR and hope for an OpenBSD boot :)

I will post the results.



2016-08-24 15:18 GMT-03:00 Troy Frericks <troy.freri...@gmail.com>:

> -- Forwarded message --
> From: Troy Frericks <troy.freri...@gmail.com>
> Date: Wed, Aug 24, 2016 at 1:17 PM
> Subject: Re: DigitalOcean and OpenBSD
> To: Daniel Ouellet <dan...@presscom.net>
>
>
> OpenBSD is not supported on/by DigitalOcean.
>
> https://www.google.com/search?q=site%3Awww.digitalocean.com+
> openbsd=utf-8=utf-8
>
> There are some tricks you can play... install FreeBSD, then put OpenBSD
> very carefully over it.
>
> http://www.tubsta.com/2015/04/openbsd-on-digital-ocean/
>
> You need to be careful of what you do. You can not backup the droplet and
> then restore it. There is something about what is stored on the first few
> tracks (I believe) of the disk that is not backed up nor restored... but if
> changed, can make the droplet unbootable.
>
> Suggest working from a hosting service that is OpenBSD friendly. You'll
> have an easier time with things that manipulate the disk.
>
> Troy.
> #
>
>
> On Wed, Aug 24, 2016 at 11:41 AM, Daniel Ouellet <dan...@presscom.net>
> wrote:
>
> > On 8/24/16 12:24 PM, R0me0 *** wrote:
> > > Ok, here is a reply for you and all other motherfuckers that think and
> > > answer like you.
> >
> > Love you too.
> >
> > But note that someone wanted to help you. Quote:
> >
> > "A dmesg would be nice. And maybe a less snarky attitude."
> >
> > As I said we have no clue what you run, version and all. How do you
> > frankly expect an answer?
> >
> > Have a nice day.
> >
> > Peace,
> >
> > Daniel
> >
> > PS: No, your mother told you we had a date last week? Holy shit... I
> > didn't remember that one


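Both the earlier "consider a fresh backup before the reboot" advice and Troy's remark above that something in the first tracks of the droplet's disk is neither backed up nor restored, yet makes it unbootable when changed, come down to the same check. The script below is an added example, not code from the thread or from DigitalOcean's tooling: it keeps a copy of the leading bytes of the disk (MBR and boot code; with the usual 1 MiB alignment also the start of the first partition) and its digest, so that after a reboot you can tell whether that area changed and, if it did, write the copy back. Device names and paths in the comments are assumptions; the test image is constructed.

```shell
#!/bin/sh
# Added example, not part of the thread: snapshot and verify the boot area
# of a disk.  Run from the rescue image or the live system against the raw
# device, e.g. (device and paths are assumptions, use your own):
#   boot_area_save   /dev/rsd0c /root/sd0.boot 2
#   boot_area_verify /dev/rsd0c /root/sd0.boot   # after the reboot
#   boot_area_restore /dev/rsd0c /root/sd0.boot  # only if verify fails

MIB=1048576

# SHA-256 of a file with whichever tool the system has (sha256 on OpenBSD,
# sha256sum on Linux rescue images); POSIX cksum as a last resort.
digest_of() {
    if command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{ print $1 }'
    else cksum "$1" | awk '{ print $1 }'
    fi
}

# Copy the first COUNT MiB (default 2) of DISK to OUT and store the digest
# of that copy next to it in OUT.sha256.
boot_area_save() {
    disk=$1; out=$2; count=${3:-2}
    dd if="$disk" of="$out" bs="$MIB" count="$count" 2>/dev/null || return 1
    digest_of "$out" > "$out.sha256"
}

# Re-read the same number of bytes from DISK and compare against the saved
# digest; returns 0 when unchanged, 1 when the boot area differs.
boot_area_verify() {
    disk=$1; saved=$2
    count=$(( $(wc -c < "$saved") / MIB ))
    [ "$count" -ge 1 ] || return 1
    tmp=$(mktemp) || return 1
    dd if="$disk" of="$tmp" bs="$MIB" count="$count" 2>/dev/null
    live=$(digest_of "$tmp"); rm -f "$tmp"
    [ "$live" = "$(cat "$saved.sha256")" ]
}

# Write the saved copy back over the start of DISK.  Do this only after
# fdisk(8)/disklabel(8) confirm the rest of the disk is intact: it rewrites
# the MBR and the beginning of the first partition, nothing else.
boot_area_restore() {
    disk=$1; saved=$2
    dd if="$saved" of="$disk" bs="$MIB" conv=notrunc 2>/dev/null
}
```

Take the snapshot while the droplet still boots, then verify from the rescue image before trying anything else; a digest mismatch tells you the damage is in the boot area (which this copy can repair) rather than somewhere in the encrypted volume (which it cannot).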

Re: DigitalOcean and OpenBSD

2016-08-24 Thread R0me0 ***
Ok, here is a reply for you and all the other motherfuckers that think and
answer like you.

Not so close; OpenBSD on EC2 has only been running for not more than one
year. ( I know EC2 very well )
Based on the success history of OpenBSD and KVM in places like DigitalOcean
and others, why not use a shit place to run a decent OS? OK, no control over
the hardware there and all the other stuff, and unfortunately this shit
happens.
Did I ask you to open a ticket or to guess what is happening, or did I ask
if someone had faced it? Big difference, hmm? Do you need a drawing? I guess
so! But I won't. Here, whoever wants to answers, and at least silence is
better than writing holy fucking shit.


2016-08-24 13:00 GMT-03:00 Daniel Ouellet <dan...@presscom.net>:

> On 8/24/16 10:52 AM, R0me0 *** wrote:
> > Just asked if someone already faced this issue after a simple reboot
> >
> > # reboot
> >
> > Do you need a draw ?
> >
> > KIND Regards,
>
> OK here is an answer as good as your question.
>
> Not so far. My son uses Digital Ocean, only because they are cheap and he
> puts up with shit more than I do. Not that they are shit, but his word,
> is "not the easier place to install and run quickly weird setup", but no
> problem or crash so far. When he needs more serious space, EC2 is where
> he goes.
>
> So, no issue so far, but he also keep installing current on Digital
> Ocean when/if he installs it. No one has a clue what you run there, so
> why bother to answer you!
>
> So, do you also " Do you need a draw ?"?
>
> Peace,
>
> Daniel



Re: DigitalOcean and OpenBSD

2016-08-24 Thread R0me0 ***
I just asked if someone had already faced this issue after a simple reboot

# reboot

Do you need a drawing?

KIND Regards,


2016-08-24 11:48 GMT-03:00 <li...@wrant.com>:

> Wed, 24 Aug 2016 10:40:38 -0300 "R0me0 ***" <knight@gmail.com>
> > Hello everybody !
> >
> > Please,
> >
> > Has anyone already had disk corruption running OpenBSD @ DigitalOcean with
> > disk encryption ?
> >
> > I have had this issue for the third time running the OpenBSD 5.9 stable
> > branch and a simple "reboot" == No O/S
> >
> >
> > Thanks in advance,
> >
>
> Hi R0me0,
>
> You did not provide any sensible detail, so consider this guess work.
> The rest of the feedback is your guess work, so consider this solved.
>
> On a more helpful side, have you tried contacting their tech support?
> Commercial providers are typically servicing offered products by SLA.
>
> Kind regards,
> Anton



DigitalOcean and OpenBSD

2016-08-24 Thread R0me0 ***
Hello everybody !

Please,

Has anyone already had disk corruption running OpenBSD @ DigitalOcean with
disk encryption ?

I have had this issue for the third time running the OpenBSD 5.9 stable
branch and a simple "reboot" == No O/S


Thanks in advance,



relayd as transparent reverse proxy

2016-08-09 Thread R0me0 ***
Hello misc,

I'm trying to use relayd as a transparent reverse proxy with httpd. The goal
is to keep the source IP.

I'm using the OBSD 5.9 stable branch.

relayd and httpd coexist on the same machine.

pf.conf ( tried with rdr and divert-to )

pass in on egress   divert-to localhost port 8080


relayd.conf

relay "proxyrelay"
 listen on 127.0.0.1 port 8080
 protocol "httpfilter"
 transparent forward to destination ( used accordingly with rdr/divert-to )


It works great, but if I use the word "transparent" it doesn't work.
Using tcpdump I am able to see the traffic being blocked from my egress and
the source port of httpd.

Ok

I took a look at this
https://marc.info/?l=openbsd-misc=130479125318862=2

I removed "set skip on lo0" from pf.conf and tried to write rules like the
thread above.

The grammar in the relay section doesn't accept the "interface" keyword,

but debugging with tcpdump, now I see a "loop" and the client never gets a
response.


Is there a way to get it working in the same host ?


Thanks in advance.



Re: How to configure OpenBSD L2TP/IPSEC VPN to work with Windows 10?

2016-08-06 Thread R0me0 ***
Take a look at the router config.
On some routers you need to enable "VPN passthrough", "IPsec" or something
like that; get the router manual. In the worst case set up a DMZ pointing
everything to the OpenBSD box ( I personally prefer this one ).

2016-08-06 16:43 GMT-03:00 Sebastian Wain <sebastian.w...@nektra.com>:

> That ipsec.conf works perfectly if I am connecting to the VPN from the LAN
> but doesn't work if I put the VPN behind a router doing NAT and redirecting
> ports 500 and 4500 to the VPN server. In this case this is logged:
>
> 192.168.1.35 is the IP of the machine behind the router at 221.12.3.4 which
> is trying to connect to the VPN through the router at 200.1.32.22)
>
>  Aug  6 10:10:19 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer
> proposed invalid phase 2 IDs: initiator id 192.168.1.35, responder id
> 200.1.32.22
>  Aug  6 10:10:19 fw isakmpd[7947]: dropped message from 221.12.3.4 port
> 4500 due to notification type INVALID_ID_INFORMATION
>  Aug  6 10:10:34 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer
> proposed invalid phase 2 IDs: initiator id 192.168.1.35, responder id
> 200.1.32.22
>  Aug  6 10:10:34 fw isakmpd[7947]: dropped message from 221.12.3.4 port
> 4500 due to notification type INVALID_ID_INFORMATION
>  Aug  6 10:11:16 fw isakmpd[7947]: transport_send_messages: giving up
> on
> exchange peer-default, no response from peer 221.12.3.4:500
>
> Thanks,
> Sebastian
>
> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
> R0me0 ***
> Sent: Thursday, August 4, 2016 1:57 PM
> To: Sebastian Wain <sebastian.w...@nektra.com>
> Cc: OpenBSD misc <misc@openbsd.org>
> Subject: Re: How to configure OpenBSD L2TP/IPSEC VPN to work with Windows
> 10?
>
> ike passive esp transport proto udp from egress to 0.0.0.0/0 port 1701 \
>main auth hmac-sha1 enc 3des group modp2048 \
>quick auth hmac-sha1 enc 3des psk "YOURSECRET"
>
>
> You are welcome
>
> (:
>
> 2016-08-04 13:15 GMT-03:00 Sebastian Wain <sebastian.w...@nektra.com>:
>
> > I can't figure out how to make an OpenBSD VPN work. I followed the
> > guide at [1] to set up a VPN, modified the network interface there to
> > tun0 instead of pppoe0, and didn't configure the pf.conf. When I tried
> > to connect from Win10 using the "L2TP/IPsec with pre-shared key" VPN
> > type I see the issues below in phase
> > 2:
> >
> > Thanks
> > Sebastian
> >
> > [1] http://blog.fuckingwith.it/2015/08/openbsd-l2tpipsec-vpn-
> > works-with.html
> >
> > Aug  3 responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2
> IDs:
> > initiator id 192.168.0.129, responder id 192.168.0.253
> > Aug  3 11:17:13 fw isakmpd[7947]: dropped message from
> > 192.168.0.129 port 500 due to notification type INVALID_ID_INFORMATION
> > Aug  3 11:17:14 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE:
> > peer proposed invalid phase 2 IDs: initiator id 192.168.0.129,
> > responder id
> > 192.168.0.253
> > Aug  3 11:17:14 fw isakmpd[7947]: dropped message from
> > 192.168.0.129 port 500 due to notification type INVALID_ID_INFORMATION
> > Aug  3 11:17:15 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE:
> > peer proposed invalid phase 2 IDs: initiator id 192.168.0.129,
> > responder id
> > 192.168.0.253
> > Aug  3 11:17:15 fw isakmpd[7947]: dropped message from
> > 192.168.0.129 port 500 due to notification type INVALID_ID_INFORMATION
> > Aug  3 11:17:18 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE:
> > peer proposed invalid phase 2 IDs: initiator id 192.168.0.129,
> > responder id
> > 192.168.0.253
> > Aug  3 11:17:18 fw isakmpd[7947]: dropped message from
> > 192.168.0.129 port 500 due to notification type INVALID_ID_INFORMATION
> > Aug  3 11:17:25 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE:
> > peer proposed invalid phase 2 IDs: initiator id 192.168.0.129,
> > responder id
> > 192.168.0.253
> > Aug  3 11:17:25 fw isakmpd[7947]: dropped message from
> > 192.168.0.129 port 500 due to notification type INVALID_ID_INFORMATION
> > Aug  3 11:17:40 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE:
> > peer proposed invalid phase 2 IDs: initiator id 192.168.0.129,
> > responder id
> > 192.168.0.253
> > Aug  3 11:17:40 fw isakmpd[7947]: dropped message from
> > 192.168.0.129 port 500 due to notification type INVALID_ID_INFORMATION
> > Aug  3 11:17:55 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE:
> > peer proposed invalid phase 2 IDs: initiator id 192.168.0.129,
> > responder id
> > 192.168.0.253
> > Aug  3 11:17:55 fw isakmpd[7947]: dropped message from
> > 192.168.0.129 port 500 due to notification type INVALID_ID_INFORMATION
> > Aug  3 11:18:38 fw isakmpd[7947]: transport_send_messages: giving
> > up on exchange peer-default, no response from peer 192.168.0.129:500



Re: How to configure OpenBSD L2TP/IPSEC VPN to work with Windows 10?

2016-08-04 Thread R0me0 ***
ike passive esp transport proto udp from egress to 0.0.0.0/0 port 1701 \
    main auth hmac-sha1 enc 3des group modp2048 \
    quick auth hmac-sha1 enc 3des psk "YOURSECRET"


You are welcome

(:

2016-08-04 13:15 GMT-03:00 Sebastian Wain :

> I can't figure out how to make an OpenBSD VPN work. I followed the guide at
> [1] to set up
> a VPN, modified the network interface there to tun0 instead of pppoe0, and
> didn't
> configure the pf.conf. When I tried to connect from Win10 using the
> "L2TP/IPsec with pre-shared key" VPN type I see the issues below in phase
> 2:
>
> Thanks
> Sebastian
>
> [1] http://blog.fuckingwith.it/2015/08/openbsd-l2tpipsec-vpn-
> works-with.html
>
> Aug  3 responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs:
> initiator id 192.168.0.129, responder id 192.168.0.253
> Aug  3 11:17:13 fw isakmpd[7947]: dropped message from 192.168.0.129
> port 500 due to notification type INVALID_ID_INFORMATION
> Aug  3 11:17:14 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer
> proposed invalid phase 2 IDs: initiator id 192.168.0.129, responder id
> 192.168.0.253
> Aug  3 11:17:14 fw isakmpd[7947]: dropped message from 192.168.0.129
> port 500 due to notification type INVALID_ID_INFORMATION
> Aug  3 11:17:15 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer
> proposed invalid phase 2 IDs: initiator id 192.168.0.129, responder id
> 192.168.0.253
> Aug  3 11:17:15 fw isakmpd[7947]: dropped message from 192.168.0.129
> port 500 due to notification type INVALID_ID_INFORMATION
> Aug  3 11:17:18 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer
> proposed invalid phase 2 IDs: initiator id 192.168.0.129, responder id
> 192.168.0.253
> Aug  3 11:17:18 fw isakmpd[7947]: dropped message from 192.168.0.129
> port 500 due to notification type INVALID_ID_INFORMATION
> Aug  3 11:17:25 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer
> proposed invalid phase 2 IDs: initiator id 192.168.0.129, responder id
> 192.168.0.253
> Aug  3 11:17:25 fw isakmpd[7947]: dropped message from 192.168.0.129
> port 500 due to notification type INVALID_ID_INFORMATION
> Aug  3 11:17:40 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer
> proposed invalid phase 2 IDs: initiator id 192.168.0.129, responder id
> 192.168.0.253
> Aug  3 11:17:40 fw isakmpd[7947]: dropped message from 192.168.0.129
> port 500 due to notification type INVALID_ID_INFORMATION
> Aug  3 11:17:55 fw isakmpd[7947]: responder_recv_HASH_SA_NONCE: peer
> proposed invalid phase 2 IDs: initiator id 192.168.0.129, responder id
> 192.168.0.253
> Aug  3 11:17:55 fw isakmpd[7947]: dropped message from 192.168.0.129
> port 500 due to notification type INVALID_ID_INFORMATION
> Aug  3 11:18:38 fw isakmpd[7947]: transport_send_messages: giving up on
> exchange peer-default, no response from peer 192.168.0.129:500



Re: HTTPD location index issue

2016-07-28 Thread R0me0 ***
Solved

location "/app/" { directory index index.php }

location "/app/*.php" { fastcgi socket "/run/php-fpm.sock" }

Thanks

2016-07-28 18:17 GMT-03:00 R0me0 *** <knight@gmail.com>:

> Yes that's what I intend
>
> I noticed directory index grammar just works out of location grammar and I
> cant setup more than one time
>
>
>
> 2016-07-28 18:00 GMT-03:00 Alexander Hall <alexan...@beard.se>:
>
>>
>>
>> On July 28, 2016 10:33:04 PM GMT+02:00, R0me0 *** <knight@gmail.com>
>> wrote:
>> >Howdy !
>> >
>> >I'm running OpenBSD 5.9 stable branch
>> >
>> >I can't set up two different locations with different index files
>> >
>> >Sample:
>> >
>> >
>> >server "example.com"
>> > listen on egress port 80
>> ># Root path and directory index is already index.php
>> >root "/htdocs/example.com"
>> >
>> >location "/app/*.php" {
>>
>> I doubt location "/app/*.php" will match the /app directory itself.
>>
>> /Alexander
>>
>> ># setting new index for /app directory
>> >directory index "index.php"
>> >fastcgi socket "/run/php-fpm.sock"
>> >}
>> >
>> >Even configuring different locations / and /app and putting index.html and
>> >index.php respectively, I can't get the expected behavior.
>> >
>> >I'm just able to set one or the other, not both.
>> >
>> >Any ideas ?
>> >
>> >Thanks in advance



Re: HTTPD location index issue

2016-07-28 Thread R0me0 ***
Yes, that's what I intend.

I noticed the directory index grammar just works outside the location
grammar and I can't set it up more than one time.



2016-07-28 18:00 GMT-03:00 Alexander Hall <alexan...@beard.se>:

>
>
> On July 28, 2016 10:33:04 PM GMT+02:00, R0me0 *** <knight@gmail.com>
> wrote:
> >Howdy !
> >
> >I'm running OpenBSD 5.9 stable branch
> >
> >I can't set up two different locations with different index files
> >
> >Sample:
> >
> >
> >server "example.com"
> > listen on egress port 80
> ># Root path and directory index is already index.php
> >root "/htdocs/example.com"
> >
> >location "/app/*.php" {
>
> I doubt location "/app/*.php" will match the /app directory itself.
>
> /Alexander
>
> ># setting new index for /app directory
> >directory index "index.php"
> >fastcgi socket "/run/php-fpm.sock"
> >}
> >
> >Even configuring different locations / and /app and putting index.html and
> >index.php respectively, I can't get the expected behavior.
> >
> >I'm just able to set one or the other, not both.
> >
> >Any ideas ?
> >
> >Thanks in advance



Re: HTTPD location index issue

2016-07-28 Thread R0me0 ***
diff
< # Root path and directory index is already index.php
> # Root path and directory index is already index.html

2016-07-28 17:33 GMT-03:00 R0me0 *** <knight@gmail.com>:

> Howdy !
>
> I'm running OpenBSD 5.9 stable branch
>
> I can't set up two different locations with different index files
>
> Sample:
>
>
> server "example.com"
>  listen on egress port 80
> # Root path and directory index is already index.php
> root "/htdocs/example.com"
>
> location "/app/*.php" {
> # setting new index for /app directory
> directory index "index.php"
> fastcgi socket "/run/php-fpm.sock"
> }
>
> Even configuring different locations / and /app and putting index.html and
> index.php respectively, I can't get the expected behavior.
>
> I'm just able to set one or the other, not both.
>
> Any ideas ?
>
> Thanks in advance



HTTPD location index issue

2016-07-28 Thread R0me0 ***
Howdy !

I'm running OpenBSD 5.9 stable branch

I can't set up two different locations with different index files

Sample:


server "example.com"
 listen on egress port 80
# Root path and directory index is already index.php
root "/htdocs/example.com"

location "/app/*.php" {
# setting new index for /app directory
directory index "index.php"
fastcgi socket "/run/php-fpm.sock"
}

Even configuring different locations / and /app and putting index.html and
index.php respectively, I can't get the expected behavior.

I'm just able to set one or the other, not both.

Any ideas ?

Thanks in advance



Gource

2015-03-26 Thread R0me0 ***
http://www.echothrust.com/blogs/monitoring-pf-logs-gource



Re: DNS over IPSec weirdness

2014-12-11 Thread R0me0 ***
Hey man,
I'm not sure about what is happening, but pflog is your best friend ever!

http://www.openbsd.org/faq/pf/logging.html

Try to find out if a specific rule is blocking traffic on one of the
endpoints (both?)

Cheers,

2014-12-11 14:13 GMT-02:00 Zé Loff zel...@zeloff.org:

 TL,DR:
 Queries to DNS server over IPSec made using host or dig work OK,
 requests made by e.g. ping exit the enc0 interface but don't show up on
 enc0 on the other end.


 Hi all

 I'm puzzled by some weird stuff happening with DNS queries over IPSec. I
 have a fully working tunnel over a roaming laptop and our network. The
 laptop gets its IP and DNS resolvers via DHCP and sets up a route to
 192.168.16.0/22 over IPSec with NAT:

   ike dynamic esp from 192.168.19.3 (egress) to 192.168.16.0/22 \
 peer vpn.foo.bar \
 srcid laptop.foo.bar dstid vpn.foo.bar

 All works fine, I can ping, SSH, http, etc machines on 192.168.16.0/22,
 as long as I use their IP addresses. However, if I change the laptop's
 resolv.conf to use our DNS server (nameserver 192.168.16.2) weird things
 happen.

 If I use host or dig to query our server, I can see the DNS requests and
 answers pass correctly on the enc0 interfaces of both endpoints.
 However, if I try to do something like ping -c 1 www_lan.foo.bar (or
 e.g. ssh) I can see the packets with the DNS request pass through enc0
 on the tunnel (and on the physical interface too) but no traffic
 shows up on enc0 on the other endpoint (I do believe they show up on the
 physical interface on that end, but my tcpdump foo isn't good enough to
 be sure).

 Again, all other traffic works fine, routing tables look ok, AFAICT pf
 isn't blocking anything, the laptop is running Dec 9 -current (amd64)
 and the other endpoint is running 5.4-release w/ mtier binpatches (i386)
 (planning to upgrade within a couple of days), and most importantly,
 both host and dig have their queries properly answered.

 Does anyone have any idea of what is going on? Apologies in advance if
 important information is missing, and/or this is a known problem and an
 upgrade to 5.6 is enough (I briefly STFA and didn't find it, though).

 Cheers
 Zé

 --



Re: CARP cluster: howto keep pf.conf in sync?

2014-08-01 Thread R0me0 ***
I wrote a little script some time ago; it runs from crontab every 5 min
and does:

check and generate the md5 of important files like hostname.if, pf include
files, etc ...

All necessary modifications are monitored natively by OpenBSD, but there is
an OSSEC deployment in progress as well.

ifstated is used to invert from/to (always from master to slave).

I hope this helps you =)



2014-07-28 8:50 GMT-03:00 Peus, Christoph christoph.p...@uni-wh.de:

 Hi all,



 is there a standard or recommended way to keep the pf.conf on the CARP
 cluster members in sync?

 Thanks!

 Regards
 Christoph

 --
 Christoph Peus
 Universität Witten/Herdecke
 Bereich Informationstechnologie
 Tel:  +49 2302 926-212
 Fax: +49 2302 926-44857
 mailto:christoph.p...@uni-wh.de

 Private Universität Witten/Herdecke gGmbH
 Alfred-Herrhausen-Straße 50
 D - 58448 Witten

 Homepage: http://www.uni-wh.de
 Twitter: http://twitter.com/UniWH
 Facebook: http://www.facebook.com/UniWH

 Geschäftsführung: Prof. Dr. Martin Butzlaff (Präsident), Dipl. oec. Jan
 Peter
 Nonnenkamp (Kanzler)

 Sitz der Gesellschaft: Witten
 Handelsregister des Amtsgerichts Bochum Nr. HRB 8671



Re: CARP cluster: howto keep pf.conf in sync?

2014-08-01 Thread R0me0 ***
Hi Giancarlo,
I would like to thank you for the background (:
Yes, the important files are included in changelist and it's sha256, but as
the firewall rules are modified all the time, the other nodes need to be
updated. That's why I run the script every 5 min and sync it using SCP.

* My script runs independently of the daily scripts * and the hash is md5.

Thank you @misc .

2014-08-01 9:22 GMT-03:00 Giancarlo Razzolini grazzol...@gmail.com:

 On 01-08-2014 09:07, sven falempin wrote:
  doh !
  this is done in daily/security
  look at /etc/changelist
 It's not md5, it's sha256. md5 should not be used anymore. But what
 Romeo does is to run a script from cron every 5 minutes. Daily runs,
 obviously, daily. It's not suited for the task at hand. But if you ask
 me, I don't like this reactive approach. I use git repo with hooks to
 apply changes as they are pushed to the central repository. But that's
 the nicest about *unix. There are lots of ways of doing things. You can
 copy things manually, create scripts to semi-automate things, use
 version control, use puppet and friends, etc. It's all about what you
 are most comfortable with.

 Cheers,

 --
 Giancarlo Razzolini
 GPG: 4096R/77B981BC
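
An added example of the hash-and-push approach described in this thread,
written for this archive rather than taken from the poster's script: it hashes
a list of pf include files with sha256 (not md5), pushes only the changed ones
to the peer with scp, and reloads pf there once. The fwsync_* function names,
the peer name fw2.example.internal, the state file path and the dry-run switch
are assumptions; it runs on the master from cron and treats the peer as a
plain root-over-ssh target.

```sh
#!/bin/sh
# fwsync.sh: hash-and-push sync of pf include files between CARP nodes.
# Added example, not the poster's script. Assumed names: the fwsync_*
# functions, FWSYNC_PEER, FWSYNC_STATE and FWSYNC_DRYRUN.
# Run on the master from crontab, e.g. every 5 minutes:
#   */5 * * * * /usr/local/sbin/fwsync.sh /etc/pf.conf /etc/pf.lan /etc/pf.dmz

FWSYNC_PEER=${FWSYNC_PEER:-fw2.example.internal}   # assumed peer hostname
FWSYNC_STATE=${FWSYNC_STATE:-/var/db/fwsync.state} # "hash path" per line
FWSYNC_DRYRUN=${FWSYNC_DRYRUN:-0}                  # 1: print, do not copy

# sha256 of one file (the thread's script used md5; sha256 replaces it).
fwsync_hash() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                          # OpenBSD base
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1          # Linux coreutils
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# Print the files whose hash differs from the recorded state, then record
# the current hashes. Missing files are skipped. Paths must not contain
# whitespace (the state file is one "hash path" pair per line).
fwsync_changed() {
    state=$1; shift
    [ -f "$state" ] || : > "$state"
    : > "$state.new"
    for f in "$@"; do
        [ -f "$f" ] || continue
        h=$(fwsync_hash "$f")
        printf '%s %s\n' "$h" "$f" >> "$state.new"
        grep -qxF "$h $f" "$state" || printf '%s\n' "$f"
    done
    mv "$state.new" "$state"
}

# Copy one file to the same path on the peer; in dry-run mode only report.
fwsync_push() {
    if [ "$FWSYNC_DRYRUN" = 1 ]; then
        printf 'would run: scp -p %s root@%s:%s\n' "$1" "$FWSYNC_PEER" "$1"
        return 0
    fi
    scp -q -p "$1" "root@$FWSYNC_PEER:$1"
}

# Push every changed file, then reload pf on the peer once.
fwsync_run() {
    changed=$(fwsync_changed "$FWSYNC_STATE" "$@")
    [ -n "$changed" ] || return 0
    for f in $changed; do
        fwsync_push "$f" || return 1
    done
    if [ "$FWSYNC_DRYRUN" = 1 ]; then
        printf 'would run: ssh root@%s pfctl -f /etc/pf.conf\n' "$FWSYNC_PEER"
    else
        ssh "root@$FWSYNC_PEER" pfctl -f /etc/pf.conf
    fi
}

# Stand-alone use: the files to watch are the arguments.
if [ $# -gt 0 ]; then
    fwsync_run "$@"
fi
```

Only files that are meant to be identical on both nodes belong on the push
list; files that legitimately differ per node, such as the hostname.carp*
files with their advskew, should be watched by changelist but never copied
over by this script.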



Happy New Year

2013-12-31 Thread R0me0 ***
Hi there !

I would like to wish a Happy New Year for all.

Sincerely


Guilherme Hakme



Re: OpenBSD, ipsec and sasyncd issue

2013-04-25 Thread R0me0 ***
mxb - my em's don't have any IP, only "up" inside hostname.emX

my advskew is 100 on the backup node




2013/4/24 mxb m...@alumni.chalmers.se


 Then there is also a question regarding how quick your CARP will fail
 over, eg. what is your advskew on the backup node?

 On 24 apr 2013, at 22:30, mxb m...@alumni.chalmers.se wrote:

 
  I'd start by looking at sasyncd and if it actually works.
  If it works 'netstat -rn' should show flows at the end of its output on
 the backup node.
 
  Encap:
  Source Port  DestinationPort  Proto
 SA(Address/Proto/Type/Direction)
  flows  should be  printed  here
 
  Next thing is to 'tcpdump -i em0 port 500' while your VPN endpoints do
 initial handshake
  and check their IP addresses. Are you sure your carp0 IP is talking and
 NOT em0 IP?
 
  I'd also force isakmpd to bind to specific IP
 (/etc/isakmpd/isakmpd.conf):
 
  [General]
  Listen-on= your carp0 IP goes here
  DPD-check-interval= 60
  Default-phase-1-lifetime=   3600,360:86400
  Default-phase-2-lifetime=   1200,160:86400
 
  If you do above you might need to specify srcid in your ipsec.conf:
 
  local_gw=your carp0 IP goes here
 
  ike active esp……
main ……
quick …..
srcid $local_gw
 
 
  //mxb
 
  On 24 apr 2013, at 20:33, R0me0 *** knight@gmail.com wrote:
 
  Hello misc,
  
  For a couple of days I've been fighting with OpenBSD+IPsec+sasyncd.
  I've searched Google and misc, read the man pages and reviewed the
  configurations many times to make work something that is apparently very,
  very simple.
  
  My simple pf.conf on both firewalls in HA (OpenBSD 5.2, and tests with
  OpenBSD -current too):
  
  match out on em0 from 10.50.60.0/24 nat-to (carp0:0)
  pass log
  
  ipsec.conf (both firewalls in HA) (local 10.10.20.29 is the address of
  carp0):
  
  ike esp from 10.50.60.0/24 to 192.168.12.0/24 local 10.10.20.29 \
  peer 10.15.1.33 main auth hmac-sha2-256 enc blowfish \
  quick auth hmac-sha2-256 enc blowfish psk 'sapeca'
  
  
  sasyncd.conf (firewall master), network 10.20.30.0/30 on an interface
  dedicated to communication between the firewalls:
  
  interface carp0
  group carp
  listen on 10.20.30.1 inet
  peer 10.20.30.2
  sharedkey 0x1aab92f9e646be974301b4ed107d3ad39794ce0e7426bc462bad3eb5de979ae5
  
  
  sasyncd.conf (firewall slave):
  
  interface carp0
  group carp
  listen on 10.20.30.2 inet
  peer 10.20.30.1
  sharedkey 0x1aab92f9e646be974301b4ed107d3ad39794ce0e7426bc462bad3eb5de979ae5
  
  
  IP forwarding and carp preempt are enabled on both firewalls.
  
  
  Steps to initiate on both firewalls:
  
  isakmpd -K -S
  ipsecctl -f /etc/ipsec.conf
  sasyncd
  
  
  The other OpenBSD peer, without HA (OpenBSD 5.2):
  
  ike esp from 192.168.12.0/24 to 10.50.60.0/24 local 10.15.1.33 peer
  10.10.20.29 \
  main auth hmac-sha2-256 enc blowfish \
  quick auth hmac-sha2-256 enc blowfish \
  psk 'sapeca'
  
  
  Alright,
  
  Let me explain what is occurring:
  
  
  The VPN works perfectly, I access the other resources behind the 10.15.1.33
  peer, and on the OpenBSD slave I see the SAs synchronized from the master
  (ipsecctl -sa).
  
  If I force a failover (on the OpenBSD master) with:
  ifconfig -g carp carpdemote 10
  
  the other node takes over and connections continue working perfectly (for
  example a download of the OpenBSD ISO continues beautifully :) ), but:
  
  the IPsec VPN does not; it freezes and takes between 25s and 30s for the
  VPN to reestablish the connection,
  
  and if I move the service back to the old OpenBSD master (ifconfig -g carp
  -carpdemote 10),
  
  the VPN freezes completely and doesn't come back; I need to kill isakmpd
  and start it again.
  
  
  I expected it to be transparent, like the beautiful failover, and without
  IPsec disruption.
  
  Am I doing something wrong in my configuration? Am I forgetting something?
  
  Please, can someone put me on the correct way?
  
  Regards,



Re: OpenBSD, ipsec and sasyncd issue

2013-04-25 Thread R0me0 ***
I think that this is not needed :)




2013/4/25 mxb m...@alumni.chalmers.se


 According to the carp(4):

  … Assume that host A is the preferred master and 192.168.1.x/24 is
  configured on one physical interface and 192.168.2.y/24 on another.
  This
  is the setup for host A: …

 E.g., this means that you have to configure em0 with an IP, if em0 is the
 physical NIC used for carp0.


 On 25 apr 2013, at 13:16, R0me0 *** knight@gmail.com wrote:

 mxb - my em's don't have any IP, only "up" inside hostname.emX

 my advskew is 100 on the backup node




 2013/4/24 mxb m...@alumni.chalmers.se


 Then there is also a question regarding how quick your CARP will fail
 over, eg. what is your advskew on the backup node?

 On 24 apr 2013, at 22:30, mxb m...@alumni.chalmers.se wrote:

 
  I'd start by looking at sasyncd and if it actually works.
  If it works 'netstat -rn' should show flows at the end of its output on
 the backup node.
 
  Encap:
  Source Port  DestinationPort  Proto
 SA(Address/Proto/Type/Direction)
  flows  should be  printed  here
 
  Next thing is to 'tcpdump -i em0 port 500' while your VPN endpoints do
 initial handshake
  and check their IP addresses. Are you sure your carp0 IP is talking and
 NOT em0 IP?
 
  I'd also force isakmpd to bind to specific IP
 (/etc/isakmpd/isakmpd.conf):
 
  [General]
  Listen-on= your carp0 IP goes here
  DPD-check-interval= 60
  Default-phase-1-lifetime=   3600,360:86400
  Default-phase-2-lifetime=   1200,160:86400
 
  If you do above you might need to specify srcid in your ipsec.conf:
 
  local_gw=your carp0 IP goes here
 
  ike active esp……
main ……
quick …..
srcid $local_gw
 
 
  //mxb
 
  On 24 apr 2013, at 20:33, R0me0 *** knight@gmail.com wrote:
 
  Hello misc,
  
  For a couple of days I've been fighting with OpenBSD+IPsec+sasyncd.
  I've searched Google and misc, read the man pages and reviewed the
  configurations many times to make work something that is apparently very,
  very simple.
  
  My simple pf.conf on both firewalls in HA (OpenBSD 5.2, and tests with
  OpenBSD -current too):
  
  match out on em0 from 10.50.60.0/24 nat-to (carp0:0)
  pass log
  
  ipsec.conf (both firewalls in HA) (local 10.10.20.29 is the address of
  carp0):
  
  ike esp from 10.50.60.0/24 to 192.168.12.0/24 local 10.10.20.29 \
  peer 10.15.1.33 main auth hmac-sha2-256 enc blowfish \
  quick auth hmac-sha2-256 enc blowfish psk 'sapeca'
  
  
  sasyncd.conf (firewall master), network 10.20.30.0/30 on an interface
  dedicated to communication between the firewalls:
  
  interface carp0
  group carp
  listen on 10.20.30.1 inet
  peer 10.20.30.2
  sharedkey 0x1aab92f9e646be974301b4ed107d3ad39794ce0e7426bc462bad3eb5de979ae5
  
  
  sasyncd.conf (firewall slave):
  
  interface carp0
  group carp
  listen on 10.20.30.2 inet
  peer 10.20.30.1
  sharedkey 0x1aab92f9e646be974301b4ed107d3ad39794ce0e7426bc462bad3eb5de979ae5
  
  
  IP forwarding and carp preempt are enabled on both firewalls.
  
  
  Steps to initiate on both firewalls:
  
  isakmpd -K -S
  ipsecctl -f /etc/ipsec.conf
  sasyncd
  
  
  The other OpenBSD peer, without HA (OpenBSD 5.2):
  
  ike esp from 192.168.12.0/24 to 10.50.60.0/24 local 10.15.1.33 peer
  10.10.20.29 \
  main auth hmac-sha2-256 enc blowfish \
  quick auth hmac-sha2-256 enc blowfish \
  psk 'sapeca'
  
  
  Alright,
  
  Let me explain what is occurring:
  
  
  The VPN works perfectly, I access the other resources behind the 10.15.1.33
  peer, and on the OpenBSD slave I see the SAs synchronized from the master
  (ipsecctl -sa).
  
  If I force a failover (on the OpenBSD master) with:
  ifconfig -g carp carpdemote 10
  
  the other node takes over and connections continue working perfectly (for
  example a download of the OpenBSD ISO continues beautifully :) ), but:
  
  the IPsec VPN does not; it freezes and takes between 25s and 30s for the
  VPN to reestablish the connection,
  
  and if I move the service back to the old OpenBSD master (ifconfig -g carp
  -carpdemote 10),
  
  the VPN freezes completely and doesn't come back; I need to kill isakmpd
  and start it again.
  
  
  I expected it to be transparent, like the beautiful failover, and without
  IPsec disruption.
  
  Am I doing something wrong in my configuration? Am I forgetting something?
  
  Please, can someone put me on the correct way?
  
  Regards,



OpenBSD, ipsec and sasyncd issue

2013-04-24 Thread R0me0 ***
Hello misc,

For a couple of days I've been fighting with OpenBSD+IPsec+sasyncd.
I've searched Google and misc, read the man pages and reviewed the
configurations many times to make work something that is apparently very,
very simple.

My simple pf.conf on both firewalls in HA (OpenBSD 5.2, and tests with
OpenBSD -current too):

match out on em0 from 10.50.60.0/24 nat-to (carp0:0)
pass log

ipsec.conf (both firewalls in HA) (local 10.10.20.29 is the address of carp0):

ike esp from 10.50.60.0/24 to 192.168.12.0/24 local 10.10.20.29 \
peer 10.15.1.33 main auth hmac-sha2-256 enc blowfish \
quick auth hmac-sha2-256 enc blowfish psk 'sapeca'


sasyncd.conf (firewall master), network 10.20.30.0/30 on an interface
dedicated to communication between the firewalls:

interface carp0
group carp
listen on 10.20.30.1 inet
peer 10.20.30.2
sharedkey 0x1aab92f9e646be974301b4ed107d3ad39794ce0e7426bc462bad3eb5de979ae5


sasyncd.conf (firewall slave):

interface carp0
group carp
listen on 10.20.30.2 inet
peer 10.20.30.1
sharedkey 0x1aab92f9e646be974301b4ed107d3ad39794ce0e7426bc462bad3eb5de979ae5


IP forwarding and carp preempt are enabled on both firewalls.


Steps to initiate on both firewalls:

isakmpd -K -S
ipsecctl -f /etc/ipsec.conf
sasyncd


The other OpenBSD peer, without HA (OpenBSD 5.2):

ike esp from 192.168.12.0/24 to 10.50.60.0/24 local 10.15.1.33 peer
10.10.20.29 \
main auth hmac-sha2-256 enc blowfish \
quick auth hmac-sha2-256 enc blowfish \
psk 'sapeca'


Alright,

Let me explain what is occurring:


The VPN works perfectly, I access the other resources behind the 10.15.1.33
peer, and on the OpenBSD slave I see the SAs synchronized from the master
(ipsecctl -sa).

If I force a failover (on the OpenBSD master) with:
ifconfig -g carp carpdemote 10

the other node takes over and connections continue working perfectly (for
example a download of the OpenBSD ISO continues beautifully :) ), but:

the IPsec VPN does not; it freezes and takes between 25s and 30s for the VPN
to reestablish the connection,

and if I move the service back to the old OpenBSD master (ifconfig -g carp
-carpdemote 10),

the VPN freezes completely and doesn't come back; I need to kill isakmpd and
start it again.


I expected it to be transparent, like the beautiful failover, and without
IPsec disruption.

Am I doing something wrong in my configuration? Am I forgetting something?

Please, can someone put me on the correct way?

Regards,



Microsoft VPN PPTP

2013-01-31 Thread R0me0 ***
Hello misc,

I have the following situation:


WAN --OBSD---LAN
   |
   |__DMZ 192.168.1.0/24 ---Windows 2003 - RRAS --
10.20.30.x/27- VPN IP's CLIENT


Clients connect to the RRAS server and pf filters the traffic from the VPN
clients to the LAN services.

The problem is: when VPN clients die, PF keeps the state of the connections
and I get a storm of TCP packets with the PSH flag or RST, and bandwidth
usage increases incredibly.

When the storm occurs, if I execute 'pfctl -k 10.20.30.7', for example, the
storm stops instantly.

I'm searching for incidents, but I haven't found anything.

Could someone show me the correct direction to solve this issue?

Regards,



Re: Microsoft VPN PPTP

2013-01-31 Thread R0me0 ***
In the future I will migrate, but for now I need to solve this issue.
I've tried to change the tcp.closed and tcp.closing timeouts but without
success.

Thanks for the replies.
Any tips will be appreciated.

Regards

2013/1/31 Aaron Mason simplersolut...@gmail.com

 If you can, change to a different type of VPN.  Not because of the storm,
 but because PPTP has been broken security-wise.  Good results have been
 achieved with OpenVPN.


 On Thu, Jan 31, 2013 at 11:56 PM, R0me0 *** knight@gmail.com wrote:

 Hello misc,

 I have the following situation:


 WAN --OBSD---LAN
|
|__DMZ 192.168.1.0/24 ---Windows 2003 - RRAS --
 10.20.30.x/27- VPN IP's CLIENT


 Clients connect to the RRAS server and pf filters the traffic from the VPN
 clients to the LAN services.

 The problem is: when VPN clients die, PF keeps the state of the connections
 and I get a storm of TCP packets with the PSH flag or RST, and bandwidth
 usage increases incredibly.

 When the storm occurs, if I execute 'pfctl -k 10.20.30.7', for example, the
 storm stops instantly.

 I'm searching for incidents, but I haven't found anything.

 Could someone show me the correct direction to solve this issue?

 Regards,




 --
 Aaron Mason - Programmer, open source addict
 I've taken my software vows - for beta or for worse



CARP compatibility between 5.1 and 5.2

2013-01-15 Thread R0me0 ***
Hello misc,

I have an OpenBSD 5.1 in production and I will add another OpenBSD 5.2 and
then configure CARP.
Will I have any compatibility issues?

Thanks in advance



Re: No route to host

2012-11-27 Thread R0me0 ***
Look at the pf states.
The default is 1.
If the maximum is reached,
pf will block.

# systat pf

If needed, increase this.



2012/11/27 Laurent Caron (Mobile) lca...@unix-scripts.info

 Loïc BLOT loic.b...@frostsapphirestudios.com a écrit :

 Hello to OpenBSD users,
 
 I have a little problem, I think it's linked with PF, but I have no
 proof. The system is OpenBSD 5.1 but OpenBSD 5.2 gets the same things (with
 a different card, 5.1 uses bnx and 5.2 uses em).
 I have a router with squid proxy, named and isc-dhcpd. The problem is,
 sometimes I get no route to host for some transmissions (often on the
 proxy), but randomly. Our connection is perfectly stable (Renater 1Gbit
 fiber connection), and the routes are static and right.
 When squid says no route to host and I refresh the page, it works. I
 think it's a packet filter problem. Nmap sometimes has the same problem
 and says no route to host when I try to scan. Example:
 
 Starting Nmap 5.51 ( http://nmap.org ) at 2012-11-26 23:56 CET
 sendto in send_ip_packet_sd: sendto(4, packet, 44, 0, aaa.bbb.ccc.20,
 16) => No route to host
 Offending packet: TCP xxx.yyy.zzz.1:42282 > aaa.bbb.ccc.20:5200 S ttl=37
 id=32702 iplen=44  seq=2453102157 win=2048 <mss 1460>
 Sleeping 15 seconds then retrying
 
 This scan was done on two different networks, but in this capture it is
 the same network:
 
 Starting Nmap 5.51 ( http://nmap.org ) at 2012-11-26 23:58 CET
 sendto in send_ip_packet_sd: sendto(4, packet, 44, 0, xxx.yyy.zzz.50,
 16) => No route to host
 Offending packet: TCP xxx.yyy.zzz.1:49053 > xxx.yyy.zzz.50:161 S ttl=52
 id=62248 iplen=44  seq=3073961720 win=1024 <mss 1460>
 Sleeping 15 seconds then retrying
 
 I don't have the problem with pf disabled.
 
 All my outgoing packets are allowed and some are NATed.
 
 Where do you think the problem comes from?
 
 Thanks in advance.
 
 Loïc Blot,
 UNIX systems engineer.

 Hello Loïc

 What does your ruleset look like?

 Do you have a log of rejected packets (tcpdump on pflog0)?
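
An added example that serves both the PPTP state storm post above and the
state-limit reply in this thread; it is not code from either poster. It
parses `pfctl -ss` to count states per source address, lists the sources
above a threshold, kills their states with `pfctl -k` (the same command the
PPTP poster used by hand for 10.20.30.7), and reports state table usage
against the limit from `pfctl -si` and `pfctl -sm`. The pf_* names, the
thresholds and the dry-run switch are assumptions, and the pfctl output
embedded at the bottom is constructed sample data, not a capture.

```sh
#!/bin/sh
# pfstates.sh: state-table triage for pf. Added example, not from either
# poster. Assumed: the pf_* names, the thresholds and PF_DRYRUN.
# Live use on the firewall:
#   pfctl -ss | pf_state_hogs 200          # who holds 200+ states
#   pfctl -ss | pf_kill_hogs 200           # pfctl -k each of them
#   pf_state_usage "$(pfctl -si)" "$(pfctl -sm)"

PF_DRYRUN=${PF_DRYRUN:-0}

# Read `pfctl -ss` output on stdin, print "count source", busiest first.
# pfctl prints packet flow with an arrow: for "a -> b" the source is a,
# for "a <- b" the source is b. The trailing :port and any NAT parentheses
# or IPv6 brackets are stripped; with NAT the address printed next to the
# arrow is the one counted.
pf_states_per_src() {
    awk '
    {
        src = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "->") { src = $(i - 1) } else if ($i == "<-") { src = $(i + 1) }
        }
        if (src == "") next
        gsub(/[()]/, "", src)
        sub(/:[0-9]+$/, "", src)
        gsub(/\[/, "", src); gsub(/\]/, "", src)
        n[src]++
    }
    END { for (s in n) printf "%d %s\n", n[s], s }' | sort -rn
}

# Sources holding at least $1 states (default 100), one per line.
pf_state_hogs() {
    pf_states_per_src | awk -v t="${1:-100}" '$1 >= t { print $2 }'
}

# Kill the states of every hog, as the poster did by hand with pfctl -k.
pf_kill_hogs() {
    pf_state_hogs "$1" | while read -r ip; do
        if [ "$PF_DRYRUN" = 1 ]; then
            printf 'would run: pfctl -k %s\n' "$ip"
        else
            pfctl -k "$ip"
        fi
    done
}

# From `pfctl -si` ($1) and `pfctl -sm` ($2) print "entries limit percent",
# so a cron job can warn before the table fills and pf starts dropping.
pf_state_usage() {
    cur=$(printf '%s\n' "$1" | awk '/current entries/ { print $3 }')
    lim=$(printf '%s\n' "$2" | awk '$1 == "states" { print $NF }')
    [ -n "$cur" ] && [ -n "$lim" ] || return 1
    printf '%s %s %s\n' "$cur" "$lim" "$((cur * 100 / lim))"
}

# Constructed pfctl output (not captured from a real box) for offline runs.
PF_SS_SAMPLE='all tcp 192.168.1.10:445 <- 10.20.30.7:49152       ESTABLISHED:ESTABLISHED
all tcp 10.20.30.7:49153 -> 192.168.1.10:445       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.20.30.7:49154 -> 192.168.1.20:80       CLOSING:CLOSING
all udp 10.20.30.9:1024 -> 192.168.1.5:53       MULTIPLE:SINGLE
all gre 192.168.1.30 <- 10.20.30.9       NO_TRAFFIC:SINGLE'
PF_SI_SAMPLE='State Table                          Total             Rate
  current entries                     9500
  searches                        12345678         11.9/s'
PF_SM_SAMPLE='states        hard limit    10000
src-nodes     hard limit    10000'

# PF_DEMO=1 ./pfstates.sh runs the parsers over the sample data.
if [ "${PF_DEMO:-0}" = 1 ]; then
    printf '%s\n' "$PF_SS_SAMPLE" | pf_states_per_src
    pf_state_usage "$PF_SI_SAMPLE" "$PF_SM_SAMPLE"
fi
```

pfctl -k with a single host kills every state originating from that address,
which is why it stops a storm from one dead VPN client instantly; run
pf_kill_hogs with PF_DRYRUN=1 first to see which addresses it would pick.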



Re: Carp doubt

2012-10-31 Thread R0me0 ***
I tried this: ifconfig -g carp carpdemote 50, and all carps are moved to
the other node.
:) That is it.

Sorry


2012/10/31 R0me0 *** knight@gmail.com

 Hello misc,
 I have a simple setup to test carp.

 My setup is as follows:

 - Frw A

 # cat /etc/hostname.carp0
 inet 192.168.28.128 255.255.255.0 192.168.28.255 vhid 1 carpdev vic0 pass
 secret

 # cat /etc/hostname.vic0
 up

 # cat /etc/hostname.carp1
 inet 192.168.12.130 255.255.255.0 192.168.12.255 vhid 2 carpdev vic1 pass
 othersecret

 # cat /etc/hostname.vic1
 up

 # cat /etc/hostname.pfsync0
 up syncdev vlan13

 # cat /etc/hostname.vlan13
 inet 10.20.30.1 255.255.255.252 10.20.30.255 vlan 13 vlandev vic1

 - Frw B

 # cat /etc/hostname.carp0
 inet 192.168.28.128 255.255.255.0 192.168.28.255 vhid 1 carpdev vic0 pass
 secret advskew 100

 # cat /etc/hostname.vic0
 up

 # cat /etc/hostname.carp1
 inet 192.168.12.130 255.255.255.0 192.168.12.255 vhid 2 carpdev vic1 pass
 othersecret advskew 100

 # cat /etc/hostname.vic1
 up

 # cat /etc/hostname.pfsync0
 up syncdev vlan13

 # cat /etc/hostname.vlan13
 inet 10.20.30.2 255.255.255.252 10.20.30.255 vlan 13 vlandev vic1

 net.inet.carp.preempt=1 on both nodes


 pf.conf (equal on both frw's)

 # cat /etc/pf.conf
 ext_if = vic0
 int_if = vic1
 pfsync_if = vlan13

 set skip on lo

 match out on $ext_if from 192.168.12.0/24 nat-to (carp0)

 # Carp and Pfsync
 pass log quick on $pfsync_if proto pfsync keep state (no-sync)
 pass in log quick on {vic0 vic1} proto carp keep state (no-sync)

 block log all

 pass in log (to pflog1) quick on { vic0 vic1 } inet proto tcp to port 22
 keep state (no-sync)
 pass in quick on $int_if from 192.168.12.0/24
 pass out


 Tests:

 ifconfig carp0 down or ifconfig advskew 100
 on the MASTER node

 Only carp0 is transferred to the other node.

 But if I execute ifconfig vic0 down,

 all carp interfaces (carp0 and carp1) are transferred to the other node as
 expected.

 I tried this setup on real machines and the results are the same.

 My doubt:
 to do maintenance on the master node, will I need to execute "ifconfig
 advskew 128" on both carp interfaces?
 Which is the better practice to move all carp groups to the other node?

 I will appreciate the suggestions of misc.

 Regards,



Re: Carp doubt

2012-10-31 Thread R0me0 ***
My doubt persists.
From the FAQ:

"To failover a particular CARP group, shut down the carp(4) interface on
the master node .."

I think that if I execute ifconfig carp0 down, all carps would be moved,
because the default carp group is carp.



2012/10/31 R0me0 *** knight@gmail.com

 I tried this: ifconfig -g carp carpdemote 50, and all carps are moved to
 the other node.
 :) That is it.

 Sorry


 2012/10/31 R0me0 *** knight@gmail.com

 Hello misc,
 I have a simple setup to test carp.

 My setup is as follows:

 - Frw A

 # cat /etc/hostname.carp0
 inet 192.168.28.128 255.255.255.0 192.168.28.255 vhid 1 carpdev vic0 pass
 secret

 # cat /etc/hostname.vic0
 up

 # cat /etc/hostname.carp1
 inet 192.168.12.130 255.255.255.0 192.168.12.255 vhid 2 carpdev vic1 pass
 othersecret

 # cat /etc/hostname.vic1
 up

 # cat /etc/hostname.pfsync0
 up syncdev vlan13

 # cat /etc/hostname.vlan13
 inet 10.20.30.1 255.255.255.252 10.20.30.255 vlan 13 vlandev vic1

 - Frw B

 # cat /etc/hostname.carp0
 inet 192.168.28.128 255.255.255.0 192.168.28.255 vhid 1 carpdev vic0 pass
 secret advskew 100

 # cat /etc/hostname.vic0
 up

 # cat /etc/hostname.carp1
 inet 192.168.12.130 255.255.255.0 192.168.12.255 vhid 2 carpdev vic1 pass
 othersecret advskew 100

 # cat /etc/hostname.vic1
 up

 # cat /etc/hostname.pfsync0
 up syncdev vlan13

 # cat /etc/hostname.vlan13
 inet 10.20.30.2 255.255.255.252 10.20.30.255 vlan 13 vlandev vic1

 net.inet.carp.preempt=1 on both nodes


 pf.conf (equal on both frw's)

 # cat /etc/pf.conf
 ext_if = vic0
 int_if = vic1
 pfsync_if = vlan13

 set skip on lo

 match out on $ext_if from 192.168.12.0/24 nat-to (carp0)

 # Carp and Pfsync
 pass log quick on $pfsync_if proto pfsync keep state (no-sync)
 pass in log quick on {vic0 vic1} proto carp keep state (no-sync)

 block log all

 pass in log (to pflog1) quick on { vic0 vic1 } inet proto tcp to port 22
 keep state (no-sync)
 pass in quick on $int_if from 192.168.12.0/24
 pass out


 Tests:

 ifconfig carp0 down or ifconfig advskew 100
 on the MASTER node

 Only carp0 is transferred to the other node.

 But if I execute ifconfig vic0 down,

 all carp interfaces (carp0 and carp1) are transferred to the other node as
 expected.

 I tried this setup on real machines and the results are the same.

 My doubt:
 to do maintenance on the master node, will I need to execute "ifconfig
 advskew 128" on both carp interfaces?
 Which is the better practice to move all carp groups to the other node?

 I will appreciate the suggestions of misc.

 Regards,
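
As an added example (not from the thread), a small maintenance helper built
around the answer found above, ifconfig -g carp carpdemote: it demotes the
whole carp interface group, polls ifconfig carp until no carp interface on
this node reports MASTER, and undoes the demotion afterwards. The carp_*
names, the demotion value 50 and the 30 second wait are assumptions; the
ifconfig output embedded below is constructed from the carp(4) state line
format and is only there so the parser can be exercised without a CARP box.

```sh
#!/bin/sh
# carpmaint.sh: move every CARP group off this node for maintenance and
# back again. Added example, not from the thread. Assumed: the carp_*
# names, a demotion value of 50 and a 30 second wait.

# Print "ifname STATE" for each carp interface in ifconfig output ($1).
# The state line has the form "carp: MASTER carpdev vic0 vhid 1 ...".
carp_states() {
    printf '%s\n' "$1" | awk '
        /^carp[0-9]+:/ { name = $1; sub(/:$/, "", name) }
        $1 == "carp:" && $2 ~ /^(MASTER|BACKUP|INIT)$/ { print name, $2 }'
}

# Succeed only if no carp interface in the ifconfig output ($1) is MASTER.
carp_all_backup() {
    [ -z "$(carp_states "$1" | awk '$2 == "MASTER"')" ]
}

# Demote count of the carp group from `ifconfig -g carp` output ($1).
carp_demote_count() {
    printf '%s\n' "$1" | awk '/carp demote count/ { print $NF }'
}

# Demote the whole carp group (every vhid at once, as the poster found)
# and wait until the peer has taken over all of them.
carp_failover() {
    demote=${1:-50}; wait=${2:-30}
    ifconfig -g carp carpdemote "$demote" || return 1
    i=0
    while [ "$i" -lt "$wait" ]; do
        carp_all_backup "$(ifconfig carp)" && return 0
        sleep 1
        i=$((i + 1))
    done
    echo "carp: still MASTER somewhere after ${wait}s" >&2
    return 2
}

# Undo the demotion; with net.inet.carp.preempt=1 and the lower advskew,
# this node takes the groups back.
carp_failback() {
    ifconfig -g carp -carpdemote "${1:-50}"
}

# Constructed ifconfig output for exercising the parser without a CARP box.
CARP_SAMPLE_MASTER='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: MASTER carpdev vic0 vhid 1 advbase 1 advskew 0
        groups: carp
        inet 192.168.28.128 netmask 0xffffff00 broadcast 192.168.28.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev vic1 vhid 2 advbase 1 advskew 0
        groups: carp'
CARP_SAMPLE_BACKUP=$(printf '%s\n' "$CARP_SAMPLE_MASTER" | sed 's/carp: MASTER/carp: BACKUP/')
CARP_SAMPLE_GROUP='carp: carp demote count 50'

# ./carpmaint.sh start | stop; with no argument, parse the sample output.
case ${1:-} in
    start) carp_failover ;;
    stop)  carp_failback ;;
    *)     carp_states "$CARP_SAMPLE_MASTER" ;;
esac
```

Because the demotion applies to the whole group, every vhid moves together,
which is what the poster was after; setting advskew per interface only moves
that one vhid, as the test in the post shows.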



Re: Can't install rrdtool on OpenBSD 5.0

2012-05-03 Thread R0me0 ***
Hello Nick,
I understand your point of view.
But Nicolas shared a very cool thing, and I believe that many mates who
watch the list sometimes learn something new from the experience of each
one.

Regards

Guilherme Hakme


2012/5/2 Nick Holland n...@holland-consulting.net

 On 05/02/12 16:47, Nicolas Pence wrote:
  Hi, if you upgrade to 5.1 you'll have the same problem
  (but for libfreetype.so.18.1).
 
  You don't really need to install the complete xbase,

 oh, please don't.

  just that specific library, you can do it like this
  (change the values for your release and libfreetype version):
 
  tar -C / -xzphf xbase51.tgz ./usr/X11R6/lib/libfreetype.so.18.1
 
  you can check yours with:
 
  tar tvzf xbase${RELEASE}.tgz | grep libfreetype.so

 why?
 You can also chop your leg off with a chain saw, and I'm sure the weight
 savings would increase your car's fuel economy a bit.

 Good administration is not about showing what kind of pain you can
 inflict on yourself, or convince others to do to themselves.

 Just do it simple...install xbase, if not all of X.  On a modern system,
 there's no reason not to, and I suspect you aren't running rrdtool on a
 resource-starved system.

 Nick.



Can't install rrdtool on OpenBSD 5.0

2012-05-02 Thread R0me0 ***
Hello misc,

I'm trying to install:
pkg_add -vi
ftp://ftp.openbsd.org/pub/OpenBSD/5.0/packages/i386/rrdtool-1.2.30p3.tgz
but
I got this error:

Can't install rrdtool-1.2.30p3 because of libraries
|library freetype.18.0 not found
| not found anywhere
Direct dependencies for rrdtool-1.2.30p3 resolve to png-1.5.4 libart-2.3.21
Full dependency tree is png-1.5.4 libart-2.3.21

png and libart are installed (I tried installing the X sets too, without success)

Any directions are appreciated,

Regards,



Re: Can't install rrdtool on OpenBSD 5.0

2012-05-02 Thread R0me0 ***
Installing xbase solves the problem

=/

2012/5/2 R0me0 *** knight@gmail.com

 Hello misc,

 I'm trying to install:
 pkg_add -vi
 ftp://ftp.openbsd.org/pub/OpenBSD/5.0/packages/i386/rrdtool-1.2.30p3.tgz
 but
 I got this error:

 Can't install rrdtool-1.2.30p3 because of libraries
 |library freetype.18.0 not found
 | not found anywhere
 Direct dependencies for rrdtool-1.2.30p3 resolve to png-1.5.4 libart-2.3.21
 Full dependency tree is png-1.5.4 libart-2.3.21

 png and libart are installed (I tried installing the X sets too, without
 success)

 Any directions are appreciated,

 Regards,



Re: Can't install rrdtool on OpenBSD 5.0

2012-05-02 Thread R0me0 ***
Hello Nicolas,

Installing xbase50.tgz solved the problem

:)

Regards



2012/5/2 Nicolas Pence nico...@pence.com.uy

 Hi, if you upgrade to 5.1 you'll have the same problem
 (but for libfreetype.so.18.1).

 You don't really need to install the complete xbase,
 just that specific library, you can do it like this
 (change the values for your release and libfreetype version):

 tar -C / -xzphf xbase51.tgz ./usr/X11R6/lib/libfreetype.so.18.1

 you can check yours with:

 tar tvzf xbase${RELEASE}.tgz | grep libfreetype.so

 good luck!

 On 02/05/12 17:30, R0me0 *** wrote:
  Installing xbase solves the problem
 
  =/
 
  2012/5/2 R0me0 *** knight@gmail.com
 
  Hello misc,
 
  I'm trying to install:
  pkg_add -vi
 
 ftp://ftp.openbsd.org/pub/OpenBSD/5.0/packages/i386/rrdtool-1.2.30p3.tgz
  but
  I got this error:
 
  Can't install rrdtool-1.2.30p3 because of libraries
  |library freetype.18.0 not found
  | not found anywhere
  Direct dependencies for rrdtool-1.2.30p3 resolve to png-1.5.4
 libart-2.3.21
  Full dependency tree is png-1.5.4 libart-2.3.21
 
  png and libart are installed (I tried installing the X sets too, without
  success)
 
  Any directions are appreciated,
 
  Regards,



time exceeded in-transit

2012-04-17 Thread R0me0 ***
Hello misc,
I have OpenBSD 5.0 running with outgoing load balancing and ifstated to
check link status.

I have pf.conf rules for outgoing load balancing for link 1 and link 2,
in pf.link1 and pf.link2 respectively.

ifstated.conf
link1_test = '("ping -q -c 3 74.125.234.212 > /dev/null" every 20)'
link2_test = '("ping -q -c 3 74.125.234.208 > /dev/null" every 20)'

at pf.conf
pass out log quick on $link1_if inet proto icmp to 74.125.234.208 nat-to 192.168.20.2 route-to ($link2_if $link2_gw)
pass out log quick on $link1_if inet proto icmp from $link1_if to 74.125.234.212

and I do the same tests when the link status changes, and I load the pf
rules for the corresponding link.
OK, it works great, but if one of the interfaces changes status to down,
for example:
ifconfig em1 down

the following rule stops working:
pass out log quick on $link1_if inet proto icmp to 74.125.234.208 nat-to 192.168.20.2 route-to ($link2_if $link2_gw)

and ifstated does not work correctly.


# tcpdump -vvni em0 host 74.125.234.208
tcpdump: listening on em0, link-type EN10MB


23:24:56.762984 192.168.20.2 > 74.125.234.208: icmp: echo request (id:ae4c seq:0) (ttl 255, id 13722, len 84, bad cksum 0! differs by 7c16)
23:24:56.774130 74.125.234.208 > 192.168.20.2: icmp: echo reply (id:ae4c seq:0) (ttl 57, id 42659, len 84)
23:24:56.774295 192.168.20.2 > 74.125.234.208: icmp: time exceeded in-transit for 74.125.234.208 > 192.168.20.2: icmp: echo reply (id:ae4c seq:0) [ttl 1] (id 42659, len 84) (ttl 255, id 58775, len 56, bad cksum 0! differs by cc34)

But if the interface stays UP, it works very well.

Another thing: I'm pinging Google's servers because sometimes a gateway
responds to a ping but the problem is at the ISP.


Please, can someone show me the correct way to do this?

Regards,
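As a worked example of the structure the post describes (not a diagnosis of the loop in the tcpdump, which the thread leaves open): an ifstated.conf that tracks both links and loads each link's rules into its own pf anchor, plus the pf.conf lines that pin each probe to its own link. This is added example configuration, not from the post or from the OpenBSD project; the interface names, addresses, gateways, file names and anchor names are assumptions, and only the post's probe targets are kept.

```conf
# --- /etc/ifstated.conf (added example; names and addresses are assumptions) ---
# em0 = link1, address 192.168.20.2, gateway 192.168.20.1
# em1 = link2, address 10.0.0.2,     gateway 10.0.0.1
init-state auto

# Each probe is sent from its own link's address so that the route-to rules
# in pf.conf below force it out that link whatever the default route says.
link1_up = '( "ping -q -c 3 -w 2 -I 192.168.20.2 74.125.234.212 > /dev/null" every 20 )'
link2_up = '( "ping -q -c 3 -w 2 -I 10.0.0.2 74.125.234.208 > /dev/null" every 20 )'

state auto {
	if $link1_up && $link2_up
		set-state both
	if $link1_up && ! $link2_up
		set-state link2down
	if ! $link1_up && $link2_up
		set-state link1down
	if ! $link1_up && ! $link2_up
		set-state alldown
}

# Each state (re)loads only the anchor of the links that are usable and
# flushes the anchor of those that are not; the main ruleset stays in place.
state both {
	init {
		run "pfctl -a link1 -f /etc/pf.link1"
		run "pfctl -a link2 -f /etc/pf.link2"
	}
	if ! $link1_up
		set-state link1down
	if ! $link2_up
		set-state link2down
}

state link1down {
	init {
		run "pfctl -a link1 -F rules"
		run "pfctl -a link2 -f /etc/pf.link2"
	}
	if $link1_up
		set-state both
	if ! $link2_up
		set-state alldown
}

state link2down {
	init {
		run "pfctl -a link2 -F rules"
		run "pfctl -a link1 -f /etc/pf.link1"
	}
	if $link2_up
		set-state both
	if ! $link1_up
		set-state alldown
}

state alldown {
	init {
		run "pfctl -a link1 -F rules"
		run "pfctl -a link2 -F rules"
	}
	if $link1_up
		set-state link2down
	if $link2_up
		set-state link1down
}

# --- /etc/pf.conf (relevant lines) ---
# Probes leave by their own link; everything else for each link lives in
# its anchor, loaded from pf.link1 / pf.link2 by ifstated.
pass out quick inet proto icmp from 192.168.20.2 to 74.125.234.212 route-to (em0 192.168.20.1)
pass out quick inet proto icmp from 10.0.0.2 to 74.125.234.208 route-to (em1 10.0.0.1)
anchor link1
anchor link2
```

Pinning the probe's source with ping -I and matching it in a route-to rule keeps the test for one link independent of the other link's state, and pfctl -a loads or flushes only that anchor, so a flap never replaces the whole ruleset. The probe still has to reach pf at all: if the kernel finds no usable route for it, ping fails before any rule is consulted, which is the first thing to confirm with tcpdump on both interfaces when a test goes dark.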



Re: My OpenBSD 5.0 installation experience (long rant)

2012-03-07 Thread R0me0 ***
*UNIX was not designed to stop its users from doing stupid things, as that
would also stop them from doing clever things.* -- Doug Gwyn
(http://pt.wikipedia.org/w/index.php?title=Doug_Gwyn&action=edit&redlink=1)


On 7 March 2012 at 11:27, Leonardo Sabino dos Santos
leonardo.sab...@gmail.com wrote:

 On Wed, Mar 7, 2012 at 2:44 PM, Russell Garrison
 russell.garri...@gmail.com wrote:
  I am absolutely intrigued by this story despite my better judgement.
  You were able to cook your own full OpenBSD installer on a USB stick
  with GRUB instead of downloading an ISO or using PXE, but you failed
  disk setup in the installer? It really would be interesting to see if
  you can read just http://www.openbsd.org/faq/faq4.html , particularly
  4.5.3 and then come back to us with anything other than a mea culpa.

 I admit to pressing Enter at some of the questions without reading
 carefully. It simply never crossed my mind that the default action for
 the installer is to erase the whole disk without chance for review. I
 still think that's a disaster waiting to happen.

 On Wed, Mar 7, 2012 at 3:04 PM, Christer Solskogen
 christer.solsko...@gmail.com wrote:
  What if you mistyped there as well? Do you want a "Are you REALLY
  REALLY sure??"

 Then again, partitioning your disk is a bit more serious than "What's
 your hostname?" or "What time zone are you in?". Maybe that one
 question deserves an extra confirmation, or a less dangerous default.
 Just saying.



Re: OpenBSD 4.4

2012-01-25 Thread R0me0 ***
Hello misc, I've appreciated all the answers.
The kernel is GENERIC. My complex setup is many networks, pf rules, VLANs
and a route to all (route add).

If I execute: nmap -sV -T4 -O -F 10.20.0/16 (I'm at 10.20.76),
the following error occurs:

http://img41.imageshack.us/img41/9500/20120123213213394.jpg

After reading all the comments, I'm only writing to show the error and share
the information.
As soon as possible, I will upgrade.
Thanks to all


On 24 January 2012 at 20:46, Peter N. M. Hansteen pe...@bsdly.net wrote:

 R0me0 *** knight@gmail.com writes:

  I'm running a full patched OpenBSD 4.4 with very complex setup, and I'm
  planning an upgrade to 5.0.

 That's a seriously long jump, but then again, that upgrade may very well
 be a blessing in disguise -- an opportunity to identify what parts of
 your complex setup are actually just cascades of accidents that followed
 quasi-logically from other earlier accidents (no worries, this should
 sound familiar to most of the people who've been around for a while) and
 what actually matters and needs to be that way for a reason.

 Do take the time for proper preparations, though: at the very least read
 through the upgrade steps for each of the versions, starting from
 http://www.openbsd.org/faq/upgrade45.html and proceeding through
 http://www.openbsd.org/faq/upgrade50.html.

 The only *supported* method is to go through all of those upgrade steps,
 but you might find it easier to back up your data and config, do a clean
 install, restore data and then introduce those configuration elements
 that are in fact essential or at least useful for your particular
 environment.

  At this moment, if I execute nmap 10.20.0/16, I have a dbg . I've
 limited
  the number of max connections and connections per seconds, that solved
 the
  problem.
  When dbg occurs, I cannot do a trace because it completely hangs.

 Others have offered as useful input as can be had on those.

 Good luck with the upgrade!

 All the best,
 Peter
 --
 Peter N. M. Hansteen, member of the first RFC 1149 implementation team
 http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
 Remember to set the evil bit on all malicious network traffic
 delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



OpenBSD 4.4

2012-01-24 Thread R0me0 ***
Hello misc :)
I'm running a fully patched OpenBSD 4.4 with a very complex setup, and I'm
planning an upgrade to 5.0.
At the moment, if I execute nmap 10.20.0/16, I get a dbg. I've limited
the number of max connections and connections per second, which solved the
problem.
When the dbg occurs, I cannot do a trace because it completely hangs.

Following is a dmesg; any directions will be appreciated



OpenBSD 4.4 (TENMA.MP) #3: Tue Jan 24 00:46:50 BRST 2012
r...@ns1.mycompany.com:/home/src/sys/arch/amd64/compile/TENMA.MP
real mem = 2132389888 (2033MB)
avail mem = 2070573056 (1974MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xee000 (68 entries)
bios0: vendor HP version P58 date 08/03/2008
bios0: HP ProLiant DL360 G5
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP SPCR MCFG HPET SPMI ERST APIC  BERT HEST SSDT
acpi0: wakeup devices PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E5440 @ 2.83GHz, 2833.79 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR,LONG
cpu0: 6MB 64b/line 16-way L2 cache
cpu0: apic clock running at 333MHz
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5440 @ 2.83GHz, 2833.44 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR,LONG
cpu1: 6MB 64b/line 16-way L2 cache
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Xeon(R) CPU E5440 @ 2.83GHz, 2833.44 MHz
cpu2:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR,LONG
cpu2: 6MB 64b/line 16-way L2 cache
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Xeon(R) CPU E5440 @ 2.83GHz, 2833.44 MHz
cpu3:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR,LONG
cpu3: 6MB 64b/line 16-way L2 cache
ioapic0 at mainbus0 apid 8 pa 0xfec0, version 20, 24 pins
ioapic1 at mainbus0 apid 9 pa 0xfec8, version 20, 24 pins
acpiprt0 at acpi0: bus 1 (IP2P)
acpiprt1 at acpi0: bus 11 (IPE1)
acpiprt2 at acpi0: bus 10 (IPE4)
acpiprt3 at acpi0: bus 17 (P2P2)
acpiprt4 at acpi0: bus 9 (PT02)
acpiprt5 at acpi0: bus 6 (PT03)
acpiprt6 at acpi0: bus 20 (PT04)
acpiprt7 at acpi0: bus 3 (NB01)
acpiprt8 at acpi0: bus 5 (NB02)
acpiprt9 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C3
acpicpu1 at acpi0: C3
acpicpu2 at acpi0: C3
acpicpu3 at acpi0: C3
acpitz0 at acpi0: critical temperature 31 degC
ipmi at mainbus0 not configured
cpu0: unknown i686 model 7, can't get bus clock
cpu0: EST: unknown system bus clock
pci0 at mainbus0 bus 0: configuration mode 1
pchb0 at pci0 dev 0 function 0 Intel 5000P Host rev 0xb1
ppb0 at pci0 dev 2 function 0 Intel 5000 PCIE rev 0xb1
pci1 at ppb0 bus 9
ppb1 at pci1 dev 0 function 0 Intel 6321ESB PCIE rev 0x01
pci2 at ppb1 bus 10
ppb2 at pci2 dev 0 function 0 Intel 6321ESB PCIE rev 0x01
pci3 at ppb2 bus 11
ppb3 at pci3 dev 0 function 0 vendor IDT, unknown product 0x8018 rev 0x0e
pci4 at ppb3 bus 12
ppb4 at pci4 dev 2 function 0 vendor IDT, unknown product 0x8018 rev 0x0e
pci5 at ppb4 bus 13
em0 at pci5 dev 0 function 0 Intel PRO/1000 QP (82571EB) rev 0x06: apic 8
int 19 (irq 10), address 00:1f:29:5f:fe:b5
em1 at pci5 dev 0 function 1 Intel PRO/1000 QP (82571EB) rev 0x06: apic 8
int 18 (irq 10), address 00:1f:29:5f:fe:b4
ppb5 at pci4 dev 4 function 0 vendor IDT, unknown product 0x8018 rev 0x0e
pci6 at ppb5 bus 14
em2 at pci6 dev 0 function 0 Intel PRO/1000 QP (82571EB) rev 0x06: apic 8
int 17 (irq 7), address 00:1f:29:5f:fe:b7
em3 at pci6 dev 0 function 1 Intel PRO/1000 QP (82571EB) rev 0x06: apic 8
int 16 (irq 5), address 00:1f:29:5f:fe:b6
ppb6 at pci2 dev 1 function 0 Intel 6321ESB PCIE rev 0x01
pci7 at ppb6 bus 15
ppb7 at pci2 dev 2 function 0 Intel 6321ESB PCIE rev 0x01
pci8 at ppb7 bus 16
ppb8 at pci1 dev 0 function 3 Intel 6321ESB PCIE-PCIX rev 0x01
pci9 at ppb8 bus 17
ppb9 at pci0 dev 3 function 0 Intel 5000 PCIE rev 0xb1
pci10 at ppb9 bus 6
ciss0 at pci10 dev 0 function 0 Hewlett-Packard Smart Array rev 0x04:
apic 8 int 16 (irq 5)
ciss0: 1 LD, HW rev 4, FW 4.12/4.12
scsibus0 at ciss0: 1 targets, initiator 1
sd0 at scsibus0 targ 0 lun 0: HP, LOGICAL VOLUME, 4.12 SCSI3 0/direct
fixed
sd0: 139979MB, 17844 cyl, 255 head, 63 sec, 512 bytes/sec, 286677120 sec
total
ppb10 at pci0 dev 4 function 0 Intel 5000 PCIE x8 rev 0xb1
pci11 at ppb10 bus 20
ppb11 at pci11 dev 0 function 0 vendor IDT, unknown product 0x8018 rev
0x0e
pci12 at ppb11 bus 21
ppb12 at pci12 dev 2 function 0 vendor IDT, unknown product 0x8018 rev
0x0e
pci13 at ppb12 bus 22
em4 at pci13 dev 0 function 0 Intel PRO/1000 QP 

Re: OpenBSD 4.4

2012-01-24 Thread R0me0 ***
It is a GENERIC kernel; the name is only a copy of GENERIC.MP :). As I said,
it is a complex setup and I'm planning an upgrade.

Cheers,


On 24 January 2012 at 16:10, Rares Aioanei bsdlis...@gmail.com wrote:

 On 01/24/2012 07:48 PM, R0me0 *** wrote:

 Hello misc :)
 I'm running a fully patched OpenBSD 4.4 with a very complex setup, and I'm
 planning an upgrade to 5.0.
 At the moment, if I execute nmap 10.20.0/16, I get a dbg. I've limited
 the number of max connections and connections per second, which solved the
 problem.
 When the dbg occurs, I cannot do a trace because it completely hangs.

 Following is a dmesg; any directions will be appreciated



 ...

Re: essential reading for beginning OpenBSD users

2011-09-06 Thread R0me0 ***
http://www.amazon.com/Absolute-OpenBSD-Unix-Practical-Paranoid/dp/1886411999 !

2011/9/6 Daniel Villarreal yclwebmas...@gmail.com

 I consider the following to be essential reading for beginning OpenBSD
 users...

 Absolute FreeBSD, 2nd Edition information by Michael W. Lucas...
 http://www.nostarch.com/abs_bsd2.htm

 Don't forget the Book of PF, 2nd Edition by Peter N.M. Hansteen ...
 http://nostarch.com/pf2.htm

 Over the years I've spent a lot of money on O'Reilly GNU/Linux books, but
 the 1st ed. versions of the above books astound me with their clarity in
 explaining very technical concepts in an easy-to-understand manner. I never
 before considered technical computer writing to be elegantly handled, but
 combined with the man pages, the documentation is simply superb. Usually I
 wouldn't even consider buying a newer version of a computer book I already
 have, but I will be buying the second editions of said books when I can.

 Thanks for your efforts!
 Daniel Villarreal

 On Tue, Sep 6, 2011 at 7:12 AM, Amit Kulkarni amitk...@gmail.com wrote:

  Lucas is bringing out a 2nd edition of absolute openbsd, which i am gonna
  buy
 
  ...



change pciide0 native-pci to compatibility mode

2011-08-01 Thread R0me0 ***
Hello, misc,

I have a problem plugging in a PCI Ethernet card which is supported by OpenBSD.

I have a machine where channel 0 is configured to compatibility, and on this
machine the network card is recognized.
On another machine, channel 0 is configured to native-PCI, and on this machine
the network card is not recognized.

My question:

Is it possible to change native-PCI to compatibility mode? Is it done
through boot -c?


Best Regards,



Re: Transparent smtp/pop3 proxy

2011-07-29 Thread R0me0 ***
Hi Stuart,
It is always very good to read your mails here at misc :)

A friend has done it, and he told me the same as you: to use
always_bcc.
Thank you, I'm reading a little more, but the ideas are now fixed.

Best regards,



2011/7/29 Stuart Henderson s...@spacehopper.org

 On 2011-07-28, R0me0 *** knight@gmail.com wrote:
  Hello misc.
 
  I would like to know if it is possible to do the following:
 
  clients --> OpenBSD_FW --> External_mail_server
 
  when clients send or receive an email, OpenBSD catches this mail and sends a
  copy of it to another email account; it must be transparent to the user.
 
  Please, can anybody indicate the correct way to do this?
 
  Thanks in advance
 
  Cheers,
 
 

 dsniff has mailsnarf which claims to do this, it won't
 handle encrypted sessions even if you have the key material
 and I have no idea how well it can handle recent SMTP
 implementations.

 For SMTP you can run a standard MTA like Postfix and divert
 all connections to it and use always_bcc or similar.

 In some places intercepting communications will likely be illegal
 (at least without consent from one or possibly both parties), so
 do your own research as to whether you're allowed to do this.

 Intercepting mail like this is *very easy*. People who want
 to avoid having their mail intercepted in this way should
 1) use encryption and 2) carefully check that they're
 connecting to the server which they're expecting (check
 certificates etc).
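Stuart's suggestion, divert all LAN SMTP to a local Postfix and let always_bcc make the copy, written out as configuration. This is an added example, not from the thread or from either project; the interface, the LAN prefix, the archive mailbox and the relay host name are assumptions.

```conf
# --- /etc/pf.conf (relevant lines) ---
# Added example, not from the thread. Assumed: em1 faces the LAN, the LAN is
# 192.168.1.0/24 and the Postfix on this box listens on 127.0.0.1.
int_if = "em1"
lan    = "192.168.1.0/24"
mta    = "127.0.0.1"

# Every plain SMTP connection from the LAN is redirected to the local MTA,
# whatever server the client was configured with.
pass in quick on $int_if inet proto tcp from $lan to any port smtp \
	rdr-to $mta port smtp

# Submission and SMTPS cannot be copied without breaking the client's TLS,
# so refuse them from the LAN rather than let them bypass the archive.
block in quick on $int_if inet proto tcp from $lan to any port { submission, smtps }

# Only the MTA on this box talks SMTP to the outside.
pass out quick on egress inet proto tcp from (egress) to any port smtp

# --- /etc/postfix/main.cf (relevant lines) ---
# The redirected connections still carry the client's LAN source address,
# so the LAN must be in mynetworks for Postfix to relay them.
inet_interfaces = 127.0.0.1
mynetworks      = 127.0.0.0/8, 192.168.1.0/24
# A copy of every message passing through goes here (mailbox assumed).
always_bcc      = archive@example.com
# Hand outbound mail to the real external server from the diagram (name assumed).
relayhost       = [mail.example.com]
```

This covers only what the LAN sends. Mail the users fetch over POP3 never passes through an MTA on the firewall, so, as roberth says further down the thread, incoming mail has to be copied on the server that already receives it. Clients set to use TLS (465/587, or STARTTLS on 25) will fail or fall back to plain text depending on the client, which is Stuart's point; the block rule turns that into a visible failure instead of a silent gap in the archive.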



Transparent smtp/pop3 proxy

2011-07-28 Thread R0me0 ***
Hello misc.

I would like to know if it is possible to do the following:

clients --> OpenBSD_FW --> External_mail_server

when clients send or receive an email, OpenBSD catches this mail and sends a
copy of it to another email account; it must be transparent to the user.

Please, can anybody indicate the correct way to do this?

Thanks in advance

Cheers,



Re: Transparent smtp/pop3 proxy

2011-07-28 Thread R0me0 ***
Hello Robert,

I appreciated your email:

I would like explain:

Yes, it is a corporate organization; all employees are aware that a copy of
sent and received email is kept.
All employees sign a document stating that they are aware. Here in Brazil, as
long as a signed document exists, it is valid, of course.
Nothing illegal.
Thank you, you helped me so much,

Cheers,



2011/7/28 roberth rob...@openbsd.pap.st

 On Thu, 28 Jul 2011 18:00:03 -0300
 R0me0 *** knight@gmail.com wrote:

  when clients send or receive an email, OpenBSD catches this mail and
  sends a copy of it to another email account; it must be
  transparent to the user.

 bad juju!

 sooo, you want to intercept email not destined for yourself.
 you are asking about it on a public mailinglist.
 hmmm, hot water, bad karma.

 ethically you will be reborn as a snail and those that help you with it
 won't even have a house on their backs.

 if you have control over the clients that are sending mail, let's say in
 a corporate environment, where the people sending mail are aware of the
 copying policy...
 you don't do it transparently, but by mandatorily configuring the mail
 clients to use one of your smarthosts to send mail. copy/duplicate it
 there. that's a smtpd solution you are looking for.

 otherwise, feel obligated to educate your clients to configure their
 mail clients to use ssl/tls for receiving/sending mail.

 if you are being pressured into implementing that spy stuff, let's say by
 your boss, just tell ver i'll get to it. if you get fired over it,
 get a lawyer and a hopefully satisfying settlement.

 blub,
- Robert



Re: Transparent smtp/pop3 proxy

2011-07-28 Thread R0me0 ***
Again, thank you.
I know that a very determined user can do some things, but he doesn't know
what I can do with PF.
People should be educated like you :)

Best regards and Thank you !



2011/7/28 roberth rob...@openbsd.pap.st

 On Thu, 28 Jul 2011 19:39:20 -0300
 R0me0 *** knight@gmail.com wrote:

  Yes, it is a corporate organization; all employees are aware that a copy of
  sent and received email is kept.
  All employees sign a document stating that they are aware. Here in Brazil,
  as long as a signed document exists, it is valid, of course.
  Nothing illegal.
  Thank you, you helped me so much,

 So the incoming mail already touches your own smtpd.
 For outgoing mail, as i said, _smarthost_ and do the best you can to
 block any mail that isn't going out through there. (eg via pf rules)
 You will only catch the low hanging fruit as there are too many
 possible ways to deceive by any determined person.
 Blocking all webmail websites from work? :)

 It only works if the people are not trying to get around the set
 limitations. Even with deep packet inspection, you won't get that one
 mail you setup all that hupla-di-do up for.

 Cheers,
- Robert



RTL8169SC OpenBSD 4.8 to 4.9 issue

2011-07-07 Thread R0me0 ***
Hello misc,

I have an Ethernet card with an RTL8169SC-based chipset and it works very well
with OpenBSD 4.8; the same card does not work with 4.9.

The motherboard of the 4.9 machine is Intel DP43BF.

Attached is dmesg.boot from 4.9.

Regards,

[demime 1.01d removed an attachment of type application/octet-stream which had 
a name of dmesg.boot]



Re: RTL8169SC OpenBSD 4.8 to 4.9 issue

2011-07-07 Thread R0me0 ***
Sorry,

The link of dmesg on pastebin : http://pastebin.com/fK9HSrfY

Regards,



2011/7/7 Sergey Bronnikov este...@gmail.com

 Hi

 The only mailing list that allows attachments is the _ports_ list,
 they will be removed from messages on the other mailing lists. 
 http://www.openbsd.org/mail.html

 you can upload your dmesg to pastebin and provide link in email.

 On 14:53 Thu 07 Jul , R0me0 *** wrote:
  Hello misc,
 
  I have an Ethernet card with an RTL8169SC-based chipset and it works very well
  with OpenBSD 4.8; the same card does not work with 4.9.
 
  The motherboard of the 4.9 machine is Intel DP43BF.
 
  Attached is dmesg.boot from 4.9.
 
  Regards,
 
  [demime 1.01d removed an attachment of type application/octet-stream
 which had a name of dmesg.boot]
 

 --
 sergeyb@



Re: RTL8169SC OpenBSD 4.8 to 4.9 issue

2011-07-07 Thread R0me0 ***
All right, I disabled bge0 in the BIOS setup but the error continues:

pciide0 at pci2 dev 0 function 0 Marvell 88SE6101 IDE rev 0xb2: DMA
(unsupported), channel 0 configured to native-PCI, channel 1
configured to native-PCI




2011/7/7 Zeb Packard zeb.pack...@gmail.com

 *Sorry about the direct response Nick. :0

 These two lines make me think it's a configuration problem.

 bge0 at pci7 dev 0 function 0 Broadcom BCM57788 rev 0x01, BCM57780
 A1 (0x57780001): apic 0 int 17 (irq 10), address 00:22:4d:4c:40:ee
 brgphy0 at bge0 phy 1: BCM57780 10/100/1000baseT PHY, rev. 1




 Dmesg below.

 OpenBSD 4.9 (GENERIC.MP) #794: Wed Mar  2 07:19:02 MST 2011
   dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
 cpu0: Pentium(R) Dual-Core CPU E5700 @ 3.00GHz (GenuineIntel 686-class) 3
 GHz
 cpu0:
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,XSAVE
 real mem  = 2135498752 (2036MB)
 avail mem = 2090401792 (1993MB)
 mainbus0 at root
 bios0 at mainbus0: AT/286+ BIOS, date 05/10/10, SMBIOS rev. 2.6 @
 0xe9230 (58 entries)
 bios0: vendor Intel Corp. version RKG4310H.86A.0082.2010.0510.1954
 date 05/10/2010
 bios0: Intel Corporation DP43BF
 acpi0 at bios0: rev 2
 acpi0: sleep states S0 S1 S3 S4 S5
 acpi0: tables DSDT FACP APIC MCFG HPET
 acpi0: wakeup devices P0P1(S3) PS2K(S4) PS2M(S4) UAR1(S3) P0P2(S4)
 USB0(S3) USB1(S3) USB2(S3) USB5(S3) USB6(S3) EUSB(S3) USB3(S3)
 USB4(S3) USBE(S3) PEX0(S4) PEX1(S4) PEX2(S4) PEX3(S4) PEX4(S4)
 PEX5(S4) SLPB(S4) PWRB(S3)
 acpitimer0 at acpi0: 3579545 Hz, 24 bits
 acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
 cpu0 at mainbus0: apid 0 (boot processor)
 cpu0: apic clock running at 199MHz
 cpu1 at mainbus0: apid 1 (application processor)
 cpu1: Pentium(R) Dual-Core CPU E5700 @ 3.00GHz (GenuineIntel 686-class) 3
 GHz
 cpu1:
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,XSAVE
 ioapic0 at mainbus0: apid 0 pa 0xfec0, version 20, 24 pins
 acpimcfg0 at acpi0 addr 0xf000, bus 0-127
 acpihpet0 at acpi0: 14318179 Hz
 acpiprt0 at acpi0: bus 0 (PCI0)
 acpiprt1 at acpi0: bus 32 (P0P2)
 acpiprt2 at acpi0: bus 2 (PEX0)
 acpiprt3 at acpi0: bus 3 (PEX1)
 acpiprt4 at acpi0: bus 4 (PEX2)
 acpiprt5 at acpi0: bus 5 (PEX3)
 acpiprt6 at acpi0: bus 6 (PEX4)
 acpiprt7 at acpi0: bus 7 (PEX5)
 acpicpu0 at acpi0:, C3, C2, C1, PSS
 acpicpu1 at acpi0:, C3, C2, C1, PSS
 acpibtn0 at acpi0: SLPB
 acpibtn1 at acpi0: PWRB
 bios0: ROM list: 0xc/0xe600! 0xce800/0x400 0xcf000/0x2400
 cpu0: Enhanced SpeedStep 2993 MHz: speeds: 3000, 2800, 2600, 2400,
 2200, 2000, 1800, 1600, 1400, 1200 MHz
 pci0 at mainbus0 bus 0: configuration mode 1 (bios)
 pchb0 at pci0 dev 0 function 0 Intel G45 Host rev 0x03
 ppb0 at pci0 dev 1 function 0 Intel G45 PCIE rev 0x03: apic 0 int 16 (irq
 11)
 pci1 at ppb0 bus 1
 vga1 at pci1 dev 0 function 0 vendor NVIDIA, unknown product 0x10c3 rev
 0xa2
 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
 wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
 azalia0 at pci1 dev 0 function 1 vendor NVIDIA, unknown product
 0x0be3 rev 0xa1: apic 0 int 17 (irq 10)
 azalia0: no supported codecs
 azalia0: initialization failure, detaching
 uhci0 at pci0 dev 26 function 0 Intel 82801JI USB rev 0x00: apic 0
 int 16 (irq 11)
 uhci1 at pci0 dev 26 function 1 Intel 82801JI USB rev 0x00: apic 0
 int 21 (irq 5)
 uhci2 at pci0 dev 26 function 2 Intel 82801JI USB rev 0x00: apic 0
 int 18 (irq 3)
 ehci0 at pci0 dev 26 function 7 Intel 82801JI USB rev 0x00: apic 0
 int 18 (irq 3)
 ehci0: timed out waiting for BIOS
 usb0 at ehci0: USB revision 2.0
 uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
 azalia1 at pci0 dev 27 function 0 Intel 82801JI HD Audio rev 0x00:
 apic 0 int 22 (irq 7)
 azalia1: codecs: Realtek ALC888
 audio0 at azalia1
 ppb1 at pci0 dev 28 function 0 Intel 82801JI PCIE rev 0x00: apic 0
 int 17 (irq 10)
 pci2 at ppb1 bus 2
 pciide0 at pci2 dev 0 function 0 Marvell 88SE6101 IDE rev 0xb2: DMA
 (unsupported), channel 0 configured to native-PCI, channel 1
 configured to native-PCI
 pciide0: using apic 0 int 16 (irq 11) for native-PCI interrupt
 pciide0: channel 0 ignored (not responding; disabled or no drives?)
 pciide0: channel 1 ignored (not responding; disabled or no drives?)
 ppb2 at pci0 dev 28 function 1 Intel 82801JI PCIE rev 0x00: apic 0
 int 16 (irq 11)
 pci3 at ppb2 bus 3
 ppb3 at pci0 dev 28 function 2 Intel 82801JI PCIE rev 0x00: apic 0
 int 18 (irq 3)
 pci4 at ppb3 bus 4
 ppb4 at pci0 dev 28 function 3 Intel 82801JI PCIE rev 0x00: apic 0
 int 19 (irq 11)
 pci5 at ppb4 bus 5
 ppb5 at pci0 dev 28 function 4 Intel 82801JI PCIE rev 0x00: apic 0
 int 17 (irq 10)
 pci6 at ppb5 bus 6
 vendor VIA, unknown product 0x3403 (class serial bus subclass
 Firewire, rev 0x00) at pci6 dev 0 function 0 not configured
 ppb6 at pci0 

Re: RTL8169SC OpenBSD 4.8 to 4.9 issue

2011-07-07 Thread R0me0 ***
I booted OBSD 4.8 on this motherboard and I have the same error:
can this error be related to the BUG described in the man page of the re driver?

Regards,



2011/7/7 R0me0 *** knight@gmail.com

  All right, I disabled bge0 in the BIOS setup but the error continues:


 pciide0 at pci2 dev 0 function 0 Marvell 88SE6101 IDE rev 0xb2: DMA
 (unsupported), channel 0 configured to native-PCI, channel 1
 configured to native-PCI




 2011/7/7 Zeb Packard zeb.pack...@gmail.com

 *Sorry about the direct response Nick. :0

 These two lines make me think it's a configuration problem.

 bge0 at pci7 dev 0 function 0 Broadcom BCM57788 rev 0x01, BCM57780
 A1 (0x57780001): apic 0 int 17 (irq 10), address 00:22:4d:4c:40:ee
 brgphy0 at bge0 phy 1: BCM57780 10/100/1000baseT PHY, rev. 1




 Dmesg below.

  ...

Re: RTL8169SC OpenBSD 4.8 to 4.9 issue

2011-07-07 Thread R0me0 ***
The Ethernet card that I'm plugging in works very well on the old hardware ( OBSD 4.8 ).
With the same Ethernet card this error occurs ( re(4) chip ):

pciide0 at pci2 dev 0 function 0 Marvell 88SE6101 IDE rev 0xb2: DMA
:(unsupported), channel 0 configured to native-PCI, channel 1
:configured to native-PCI

The bge is the onboard Ethernet, and it will be disabled.

As I said, I booted OBSD 4.8 on the new hardware and the error is the same as
described above.


Regards


2011/7/7 Peter Hessler phess...@theapt.org

 This machine does not have an re(4) chip in it.  You need to use bge0
 for your ethernet device.



 On 2011 Jul 07 (Thu) at 11:39:20 -0700 (-0700), Zeb Packard wrote:
 :*Sorry about the direct response Nick. :0
 :
 :These two lines make me think it's a configuration problem.
 :
 :bge0 at pci7 dev 0 function 0 Broadcom BCM57788 rev 0x01, BCM57780
 :A1 (0x57780001): apic 0 int 17 (irq 10), address 00:22:4d:4c:40:ee
 :brgphy0 at bge0 phy 1: BCM57780 10/100/1000baseT PHY, rev. 1
 :
 :
 :
 :
 :Dmesg below.
 :
 :OpenBSD 4.9 (GENERIC.MP) #794: Wed Mar  2 07:19:02 MST 2011
 :   dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
 :cpu0: Pentium(R) Dual-Core CPU E5700 @ 3.00GHz (GenuineIntel 686-class)
 3 GHz
 :cpu0:
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,XSAVE
 :real mem  = 2135498752 (2036MB)
 :avail mem = 2090401792 (1993MB)
 :mainbus0 at root
 :bios0 at mainbus0: AT/286+ BIOS, date 05/10/10, SMBIOS rev. 2.6 @
 :0xe9230 (58 entries)
 :bios0: vendor Intel Corp. version RKG4310H.86A.0082.2010.0510.1954
 :date 05/10/2010
 :bios0: Intel Corporation DP43BF
 :acpi0 at bios0: rev 2
 :acpi0: sleep states S0 S1 S3 S4 S5
 :acpi0: tables DSDT FACP APIC MCFG HPET
 :acpi0: wakeup devices P0P1(S3) PS2K(S4) PS2M(S4) UAR1(S3) P0P2(S4)
 :USB0(S3) USB1(S3) USB2(S3) USB5(S3) USB6(S3) EUSB(S3) USB3(S3)
 :USB4(S3) USBE(S3) PEX0(S4) PEX1(S4) PEX2(S4) PEX3(S4) PEX4(S4)
 :PEX5(S4) SLPB(S4) PWRB(S3)
 :acpitimer0 at acpi0: 3579545 Hz, 24 bits
 :acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
 :cpu0 at mainbus0: apid 0 (boot processor)
 :cpu0: apic clock running at 199MHz
 :cpu1 at mainbus0: apid 1 (application processor)
 :cpu1: Pentium(R) Dual-Core CPU E5700 @ 3.00GHz (GenuineIntel 686-class)
 3 GHz
 :cpu1:
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,XSAVE
 :ioapic0 at mainbus0: apid 0 pa 0xfec0, version 20, 24 pins
 :acpimcfg0 at acpi0 addr 0xf000, bus 0-127
 :acpihpet0 at acpi0: 14318179 Hz
 :acpiprt0 at acpi0: bus 0 (PCI0)
 :acpiprt1 at acpi0: bus 32 (P0P2)
 :acpiprt2 at acpi0: bus 2 (PEX0)
 :acpiprt3 at acpi0: bus 3 (PEX1)
 :acpiprt4 at acpi0: bus 4 (PEX2)
 :acpiprt5 at acpi0: bus 5 (PEX3)
 :acpiprt6 at acpi0: bus 6 (PEX4)
 :acpiprt7 at acpi0: bus 7 (PEX5)
 :acpicpu0 at acpi0:, C3, C2, C1, PSS
 :acpicpu1 at acpi0:, C3, C2, C1, PSS
 :acpibtn0 at acpi0: SLPB
 :acpibtn1 at acpi0: PWRB
 :bios0: ROM list: 0xc/0xe600! 0xce800/0x400 0xcf000/0x2400
 :cpu0: Enhanced SpeedStep 2993 MHz: speeds: 3000, 2800, 2600, 2400,
 :2200, 2000, 1800, 1600, 1400, 1200 MHz
 :pci0 at mainbus0 bus 0: configuration mode 1 (bios)
 :pchb0 at pci0 dev 0 function 0 Intel G45 Host rev 0x03
 :ppb0 at pci0 dev 1 function 0 Intel G45 PCIE rev 0x03: apic 0 int 16
 (irq 11)
 :pci1 at ppb0 bus 1
 :vga1 at pci1 dev 0 function 0 vendor NVIDIA, unknown product 0x10c3 rev
 0xa2
 :wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
 :wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
 :azalia0 at pci1 dev 0 function 1 vendor NVIDIA, unknown product
 :0x0be3 rev 0xa1: apic 0 int 17 (irq 10)
 :azalia0: no supported codecs
 :azalia0: initialization failure, detaching
 :uhci0 at pci0 dev 26 function 0 Intel 82801JI USB rev 0x00: apic 0
 :int 16 (irq 11)
 :uhci1 at pci0 dev 26 function 1 Intel 82801JI USB rev 0x00: apic 0
 :int 21 (irq 5)
 :uhci2 at pci0 dev 26 function 2 Intel 82801JI USB rev 0x00: apic 0
 :int 18 (irq 3)
 :ehci0 at pci0 dev 26 function 7 Intel 82801JI USB rev 0x00: apic 0
 :int 18 (irq 3)
 :ehci0: timed out waiting for BIOS
 :usb0 at ehci0: USB revision 2.0
 :uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
 :azalia1 at pci0 dev 27 function 0 Intel 82801JI HD Audio rev 0x00:
 :apic 0 int 22 (irq 7)
 :azalia1: codecs: Realtek ALC888
 :audio0 at azalia1
 :ppb1 at pci0 dev 28 function 0 Intel 82801JI PCIE rev 0x00: apic 0
 :int 17 (irq 10)
 :pci2 at ppb1 bus 2
 :pciide0 at pci2 dev 0 function 0 Marvell 88SE6101 IDE rev 0xb2: DMA
 :(unsupported), channel 0 configured to native-PCI, channel 1
 :configured to native-PCI
 :pciide0: using apic 0 int 16 (irq 11) for native-PCI interrupt
 :pciide0: channel 0 ignored (not responding; disabled or no drives?)
 :pciide0: channel 1 ignored (not responding; disabled or no drives?)
 :ppb2 at pci0 dev 28 function 1 Intel 82801JI PCIE 

Re: RTL8169SC OpenBSD 4.8 to 4.9 issue

2011-07-07 Thread R0me0 ***
dmesg.boot of the old hardware: ( same Ethernet card )


OpenBSD 4.8 (GENERIC.MP) #359: Mon Aug 16 09:16:26 MDT 2010
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Pentium(R) 4 CPU 3.00GHz (GenuineIntel 686-class) 3.01 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16,xTPR
real mem  = 1069051904 (1019MB)
avail mem = 1041580032 (993MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 04/25/06, BIOS32 rev. 0 @ 0xfad90,
SMBIOS rev. 2.3 @ 0xf0100 (34 entries)
bios0: vendor Award Software International, Inc. version F3e DB date
04/25/2006
bios0: Gigabyte Technology Co., Ltd. 8I865GME-775
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC
acpi0: wakeup devices HUB0(S4) USB0(S1) USB1(S1) USB2(S1) USB3(S1) USBE(S1)
PCI0(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 200MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Pentium(R) 4 CPU 3.00GHz (GenuineIntel 686-class) 3.01 GHz
cpu1:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16,xTPR
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 2
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (HUB0)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpitz0 at acpi0: critical temperature 75 degC
acpibtn0 at acpi0: PWRB
bios0: ROM list: 0xc/0xa400! 0xcc000/0x8000!
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82865G Host rev 0x02
vga1 at pci0 dev 2 function 0 Intel 82865G Video rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0xf000, size 0x800
inteldrm0 at vga1: apic 2 int 16 (irq 3)
drm0 at inteldrm0
uhci0 at pci0 dev 29 function 0 Intel 82801EB/ER USB rev 0x02: apic 2 int
16 (irq 3)
uhci1 at pci0 dev 29 function 1 Intel 82801EB/ER USB rev 0x02: apic 2 int
19 (irq 11)
uhci2 at pci0 dev 29 function 2 Intel 82801EB/ER USB rev 0x02: apic 2 int
18 (irq 11)
uhci3 at pci0 dev 29 function 3 Intel 82801EB/ER USB rev 0x02: apic 2 int
16 (irq 3)
ehci0 at pci0 dev 29 function 7 Intel 82801EB/ER USB2 rev 0x02: apic 2 int
23 (irq 6)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb0 at pci0 dev 30 function 0 Intel 82801BA Hub-to-PCI rev 0xc2
pci1 at ppb0 bus 1
rl0 at pci1 dev 1 function 0 Realtek 8139 rev 0x10: apic 2 int 21 (irq
12), address 00:1a:3f:51:46:59
rlphy0 at rl0 phy 0: RTL internal PHY
rl1 at pci1 dev 2 function 0 Realtek 8139 rev 0x10: apic 2 int 22 (irq
10), address 00:1a:3f:52:34:4f
rlphy1 at rl1 phy 0: RTL internal PHY
re0 at pci1 dev 3 function 0 Realtek 8169 rev 0x10: RTL8169/8110SB
(0x1000), apic 2 int 18 (irq 11), address 00:08:54:69:13:54
rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 3
fxp0 at pci1 dev 8 function 0 Intel PRO/100 VE rev 0x02, i82562: apic 2
int 20 (irq 5), address 00:0f:ea:2a:56:2f
inphy0 at fxp0 phy 1: i82562G 10/100 PHY, rev. 0
ichpcib0 at pci0 dev 31 function 0 Intel 82801EB/ER LPC rev 0x02
pciide0 at pci0 dev 31 function 2 Intel 82801EB SATA rev 0x02: DMA,
channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: SAMSUNG HD082GJ
wd0: 16-sector PIO, LBA48, 76318MB, 156299375 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 6
atapiscsi0 at pciide0 channel 1 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: TSSTcorp, CD/DVDW SH-S182D, SB04 ATAPI
5/cdrom removable
cd0(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 2
ichiic0 at pci0 dev 31 function 3 Intel 82801EB/ER SMBus rev 0x02: apic 2
int 17 (irq 9)
iic0 at ichiic0
spdmem0 at iic0 addr 0x50: 1GB DDR SDRAM non-parity PC3200CL3.0
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 Intel UHCI root hub rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 Intel UHCI root hub rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 Intel UHCI root hub rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 Intel UHCI root hub rev 1.00/1.00 addr 1
isa0 at ichpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
it0 at isa0 port 0x2e/2: IT8712F rev 8, EC port 0x290
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
mtrr: Pentium Pro MTRR support
softraid0 at root
root on wd0a swap on wd0b dump on wd0b





2011/7/7 Nick Holland n...@holland-consulting.net

 On 

Re: RTL8169SC OpenBSD 4.8 to 4.9 issue

2011-07-07 Thread R0me0 ***
# uname -smr
OpenBSD 4.8 i386
# ifconfig re0
re0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:08:54:69:13:54
priority: 0
media: Ethernet 100baseTX full-duplex
status: active
inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
inet6 fe80::208:54ff:fe69:1354%re0 prefixlen 64 scopeid 0x3



2011/7/7 Zeb Packard zeb.pack...@gmail.com

 I'd like to see the output from ifconfig.



Re: RTL8169SC OpenBSD 4.8 to 4.9 issue

2011-07-07 Thread R0me0 ***
Yes, the machines are different, I'm doing a hardware upgrade. I bought a
TP-Link model no. TG-3269 that has the same chipset and works very well on
this machine that has OBSD 4.8, but I tested the SAME Ethernet card that I'm
running on 4.8 in the new hardware with 4.9





2011/7/7 Miod Vallat m...@online.fr

  dmesg.boot of old hardware: ( same ethernet )

 [...]

  bios0 at mainbus0: AT/286+ BIOS, date 04/25/06, BIOS32 rev. 0 @ 0xfad90,
  SMBIOS rev. 2.3 @ 0xf0100 (34 entries)
  bios0: vendor Award Software International, Inc. version F3e DB date
  04/25/2006
  bios0: Gigabyte Technology Co., Ltd. 8I865GME-775

 [...]

   bios0 at mainbus0: AT/286+ BIOS, date 05/10/10, SMBIOS rev. 2.6 @
   0xe9230 (58 entries)
   bios0: vendor Intel Corp. version RKG4310H.86A.0082.2010.0510.1954
   date 05/10/2010
   bios0: Intel Corporation DP43BF

 These are not the same machines.

 Are you trying to waste people's time?



Re: RTL8169SC OpenBSD 4.8 to 4.9 issue

2011-07-07 Thread R0me0 ***
Another thing: I have other servers that are running OBSD 4.8 with the same
Ethernet model, and it works very well.

The Ethernet card is an ENLGA-1320 ( Encore Electronics ) ( YES, it is a generic
network card )

2011/7/7 R0me0 *** knight@gmail.com

 Yes, the machines are different, I'm doing a hardware upgrade. I bought a
 TP-Link model no. TG-3269 that has the same chipset and works very well on
 this machine that has OBSD 4.8, but I tested the SAME Ethernet card that I'm
 running on 4.8 in the new hardware with 4.9






 2011/7/7 Miod Vallat m...@online.fr

  dmesg.boot of old hardware: ( same ethernet )

 [...]

  bios0 at mainbus0: AT/286+ BIOS, date 04/25/06, BIOS32 rev. 0 @ 0xfad90,
  SMBIOS rev. 2.3 @ 0xf0100 (34 entries)
  bios0: vendor Award Software International, Inc. version F3e DB date
  04/25/2006
  bios0: Gigabyte Technology Co., Ltd. 8I865GME-775

 [...]

   bios0 at mainbus0: AT/286+ BIOS, date 05/10/10, SMBIOS rev. 2.6 @
   0xe9230 (58 entries)
   bios0: vendor Intel Corp. version RKG4310H.86A.0082.2010.0510.1954
   date 05/10/2010
   bios0: Intel Corporation DP43BF

 These are not the same machines.

 Are you trying to waste people's time?



Re: Routing Issue

2011-05-18 Thread R0me0 ***
Put a route !?

2011/5/18 David Schulz mailingli...@ironwhale.com

 Hi there,

 if i disable pf, it will not work (except when trying from router itself
 via
 ssh). Here some output from hostname.ifs and mygate, my routing table.
 Would
 be most grateful for any tips that help solving this.

 Best regards,
 D

 cndlne001'root(~) cat /etc/hostname.sis0
 inet 10.1.3.19 255.255.254.0 NONE
 cndlne001'root(~) cat /etc/hostname.sis1
 inet 192.168.1.1 255.255.255.0 NONE
 cndlne001'root(~) cat /etc/mygate
 10.1.3.1
 cndlne001'root(~) route -n show
 Routing tables

 Internet:
 Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
 default            10.1.3.1           UGS        0        3     -     8 sis0
 10.1.2/23          link#1             UC         4        0     -     4 sis0
 10.1.3.1           00:18:4d:33:e3:df  UHLc       1        0     -     4 sis0
 10.1.3.7           f4:ce:46:b1:a6:26  UHLc       1       10     -     4 sis0
 10.1.3.37          20:cf:30:56:15:80  UHLc       1      107     -     4 sis0
 10.1.3.46          1c:af:f7:0e:17:20  UHLc       0       41     -     4 sis0
 127/8              127.0.0.1          UGRS       0        0 33200     8 lo0
 127.0.0.1          127.0.0.1          UH         1        0 33200     4 lo0
 192.168.1/24       link#2             UC         1        0     -     4 sis1
 192.168.1.2        00:14:97:02:2b:b2  UHLc       0       41     -     4 sis1
 224/4              127.0.0.1          URS        0        0 33200     8 lo0

 cndlne001'root(~) sysctl net.inet.ip.forwarding
 net.inet.ip.forwarding=1

 sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:ca:a9:f4
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.1.3.19 netmask 0xfffffe00 broadcast 10.1.3.255
        inet6 fe80::200:24ff:feca:a9f4%sis0 prefixlen 64 scopeid 0x1
 cndlne001'root(~) ifconfig sis1
 sis1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:ca:a9:f5
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::200:24ff:feca:a9f5%sis1 prefixlen 64 scopeid 0x2
 cndlne001'root(~)


 On May 18, 2011, at 2:29 PM, Aaron Mason wrote:

  If you've disabled pf and it doesn't, then yes, possibly.
 
  If the network is configured like this:
 
  192.168.1.0/24]192.168.1.1(em0)[Router]10.1.0.1(em1)[10.1.0.0/21
 
  Setting the default routes to the required interface on each side
  should allow packets to flow freely from end to end.  There should be
  no need for PF trickery unless you wish to restrict access to certain
  machines on either side.
 
  Your best test is a traceroute.  Perform a traceroute from one side to
  the other, and see what the last step is before you get a string of
  timeouts.
 
  All said, I see rules in your PF that allow certain ICMP types, but
  haven't included the echo response - that's probably why you can't
  ping across the router.
 
  On Wed, May 18, 2011 at 3:29 PM, David Schulz
  mailingli...@ironwhale.com wrote:
  Basically i am just trying to verify whether i actually do need the
 match
  out
  statements in pf.conf in order for both Sides on each Network Cards to
 talk
  to
  each other. Say i do not, and it should all just work, does the fact
 that
  it
  does not work suggest that i most likely have a routing issue?
 
  best regards,
  D
 
  On May 17, 2011, at 9:29 PM, David Gwynne wrote:
 
  hey david,
 
  pf is run twice on packets going through a box, once before the network
  stack
  and again as it leaves it. this means you have to allow a packet in one
  side
  as well as when it goes out the other.
 
  dlg
 
  On 17/05/2011, at 10:16 PM, David Schulz wrote:
 
  Hi all,
 
  i have a LAN within a LAN and the setup is as follows:
 
  192.168.1.0/24 -- OpenBSD 4.9 Router with 2 NICS -- 10.1.0.0/21
 
  My goal is to get both Sides talking to each other (lets start with
  making
  them be able to ping each other). I got it working by using the
 following
  pf.conf, however i thought i should not need to have those match out
  statements, because OpenBSD routes packets between interfaces by
 default
  as
  long sysctl net.inet.ip.forwarding=1 is set.
 
  From inside my OpenBSD Box i can ping Devices on either Side just
 fine.
  From
  a
  machine sitting on either Side, i can ping the OpenBSD Box just fine.
 But
  i
  simply cannot get Side A Machines to talk to Side B Machines unless i
  uncomment the two below match out statements inside my pf.conf.
 
  If someone could share some insight, id be most thankful.
 
  regards,
  D
 
  Here my simplified pf.conf which again does not work unless i
 uncomment
  the
  two match out Rules:
   pf.conf
  int_if=sis0
  ext_if=sis1
 
  icmp_types = { echoreq, unreach }
 
  set require-order yes
  set 
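
A worked ruleset, added here as an example; it is not David's pf.conf (which the archive cuts off above). It writes out the double evaluation David Gwynne describes for the two-NIC router in this thread: a forwarded packet is filtered once when it enters one interface and again when it leaves the other. The interface names and networks are the ones from the hostname.if files above; the policy itself (default deny, what is allowed through, ssh to the router) is assumed for the example.

```pf
# Added example: two-NIC OpenBSD router, default deny, stateful forwarding.
# Assumed from the thread: sis0 sits on 10.1.2.0/23, sis1 on 192.168.1.0/24,
# and net.inet.ip.forwarding=1 is set.
lan_a_if   = "sis0"
lan_b_if   = "sis1"
icmp_types = "{ echoreq, unreach }"

set skip on lo

# Default deny, logged. A forwarded packet must be passed when it enters one
# interface AND when it leaves the other; a block on either evaluation drops
# it, and `tcpdump -n -e -ttt -i pflog0` shows which direction is missing.
block log all

# First evaluation: the packet arrives on one LAN interface. pass rules keep
# state by default, so TCP/UDP replies and the ICMP echo reply are matched by
# the state entry and need no rule of their own.
pass in on $lan_a_if inet proto { tcp udp } from $lan_a_if:network to $lan_b_if:network
pass in on $lan_b_if inet proto { tcp udp } from $lan_b_if:network to $lan_a_if:network
pass in on { $lan_a_if $lan_b_if } inet proto icmp icmp-type $icmp_types

# Second evaluation: the same packet leaving the other interface. With the
# default floating state policy the state created on ingress already matches
# here, so these rules are only consulted when no state exists (for example
# after `set state-policy if-bound`, or for an ingress rule written with
# `no state`). Keeping them explicit is what the advice in this thread
# amounts to.
pass out on $lan_a_if inet from $lan_b_if:network to $lan_a_if:network
pass out on $lan_b_if inet from $lan_a_if:network to $lan_b_if:network

# Traffic to the router itself is a separate decision; admit only ssh here.
pass in on { $lan_a_if $lan_b_if } inet proto tcp to self port ssh
pass out from self
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only), then `pfctl -f /etc/pf.conf`. Aaron's traceroute test from each side still applies: with `block log all` in place, the hop where the trace stops is the interface whose pass rule is missing, and pflog0 names the blocked packet.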

Re: Squid on LAN

2011-05-09 Thread R0me0 ***
You can also try this:

pass in on $int proto tcp from $int:network to port www route-to ( $dmz
$ip_of_squid )
# route-to only changes the next hop; the packet keeps its original destination
pass out on $dmz proto tcp to any port www


Cheers

2011/5/9 Stuart Henderson s...@spacehopper.org

 If possible, put the proxy server on a different vlan.

 If you can't, try the method in
 http://www.openbsd.org/faq/pf/rdr.html#rdrnat
 It works, but your proxy logs will then only show the firewall's address
 rather than the original client addresses.


 On 2011-05-09, Alessandro Baggi alessandro.ba...@gmail.com wrote:
  Hi list. I've a question about positioning a proxy server into the LAN.
  I've tried this in dmz (also in transparent mode + rdr pf), and works
  great, but now I'm trying to put this proxy in LAN.
  Also in this case it works, but when I try to set it in transparent
  mode, and put rdr rules on the firewall (OpenBSD 4.8):
 
  match in on $int proto tcp from $int:network to any port 80 rdr-to
  $proxy port 3128
 
  it does not work, and the request seems not be redirected on the proxy.
  I've ridden this:
 
   http://www.openbsd.org/faq/pf/rdr.html
 
  I'm trying to get solution only with pf rules without no results.
  Could some point me in the right direction?
 
  Thanks in advance



Re: Squid on LAN

2011-05-09 Thread R0me0 ***
Yes, you are right,
I put it in the DMZ because of this :)



2011/5/9 Stuart Henderson s...@spacehopper.org

 On 2011/05/09 16:31, R0me0 *** wrote:
  You can too try this:
 
  pass in on $int proto tcp from $int:network to port www route-to ( $dmz
  $ip_of_squid )
  pass out on $dmz proto tcp to $ip_of_squid to port  www

 This won't work for machines on the same subnet as the proxy.
 In that case the return traffic (proxy-client) will bypass the
 firewall so PF only sees half of the packets so state tracking
 will break things. (It might initially appear to work but
 try a larger download and watch for the connection breaking).
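
An added example, not from the thread or the PF FAQ page Stuart links: the rdr plus nat form for the case the thread ends on, a proxy on the same subnet as the clients, which is exactly where Alessandro's single rdr-to rule and R0me0's route-to both lose the return half of the connection. Names and addresses are assumed: sis0 is the firewall's LAN interface on 192.168.1.0/24, sis1 its uplink, 192.168.1.10 the Squid host listening on 3128 in intercept mode, and net.inet.ip.forwarding=1 is set.

```pf
# Added example: transparent Squid on the SAME subnet as the clients, using
# rdr-to plus nat-to so both halves of every connection cross the firewall.
# All addresses below are assumed for the example.
int_if     = "sis0"            # firewall's LAN interface, 192.168.1.1/24
ext_if     = "sis1"            # uplink
proxy      = "192.168.1.10"    # Squid host on the LAN, http_port 3128 intercept
proxy_port = "3128"

set skip on lo
block log all

# The proxy's own fetches must not be redirected back to itself. 'quick' ends
# rule evaluation, so the match rule below never sees them.
pass in quick on $int_if proto tcp from $proxy to any port www

# 1. Redirect client web traffic to the proxy. On its own this is the rule
#    from Alessandro's post, and on a flat LAN it fails: the proxy answers
#    the client directly, the firewall only ever sees the client->proxy half,
#    and state tracking breaks once the transfer outgrows the handshake.
match in on $int_if proto tcp from $int_if:network to any port www \
    rdr-to $proxy port $proxy_port

# 2. Rewrite the source to the firewall's LAN address as the redirected
#    packet leaves the same interface it came in on. The proxy now replies to
#    the firewall, so the return half passes through pf as well. The cost is
#    the one Stuart names: Squid's access log shows the firewall's address,
#    not the client's.
match out on $int_if proto tcp to $proxy port $proxy_port \
    received-on $int_if nat-to $int_if

# 3. match rules only set the translation; explicit pass rules are still
#    needed, and they see the translated addresses.
pass in  on $int_if proto tcp from $int_if:network to $proxy port $proxy_port
pass out on $int_if proto tcp to $proxy port $proxy_port
pass out on $ext_if proto tcp from $proxy to any port www
```

If the proxy can be moved to its own VLAN or interface, as Stuart suggests first, rule 2 and its log-address cost disappear: the reply then has to come back through the firewall anyway, so the plain rdr-to is enough and Squid sees the real client addresses.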


