Re: Renew/extend CA created with ikectl

2018-12-12 Thread Kim Zeitler

Hello Stuart

thanks for the reply, already suspected something along those lines.

On 12/10/18 7:14 PM, Stuart Henderson wrote:


It's a bit awkward but can be done, you'll find some information at
https://serverfault.com/questions/306345/certification-authority-root-certificate-expiry-and-renewal

You'll need to get the new CA cert installed on clients anyway though
(and I don't suppose the client certs have much longer validity either?)
so doing the above might not save you much trouble ..


In the end I did something along these lines.
As we have quite a few clients in the field it was easier to get them to
add the new CA.



I didn't find anything in the man pages nor on the mailing list. Having
had a look at ikeca.c gave me some idea of how the file is created.

Also is there a way of having the ca cert valid for more than 365 days?


Not without patching the command-line in ikectl code, or generating
the cert manually. It's not ideal..
I would be willing to patch ikectl to contain a ca renew, but would like 
some 'guidance' concerning sane defaults for this.




I'd probably recommend using something else to manage your internal
CA (or just avoiding X509 if you don't actually need it...).
Any suggestions? We used some other CA management SW over the years but 
enjoyed the clean and simple approach that ikectl gave us so far.

Cheers Kim



Renew/extend CA created with ikectl

2018-12-07 Thread Kim Zeitler

Hello,

before I start getting creative with openssl(1) on my ikectl(8) created ca.

Yesterday my ca certificate expired and I need to renew it (without
losing all the client certificates)


Is there a recommended way of renewing the ca.crt created using ikectl 
ca create?
I didn't find anything in the man pages nor on the mailing list. Having 
had a look at ikeca.c gave me some idea of how the file is created.


Also is there a way of having the ca cert valid for more than 365 days?

Cheers,
Kim




smime.p7s
Description: S/MIME Cryptographic Signature


Re: ikev2 and road warriors setup

2018-11-05 Thread Kim Zeitler

Good morning Radek,

I have a suspicion ...


For (1), (2) and (3) VPN is working just fine with Win7_warrior and 
puffy_warrior if they are connecting from A.B.C.0/23 (it does not matter if 
warrior has public IP or it is behind NAT). The rest of the world fails to 
connect the VPN_server.

My question was concerning the VPN_server, is the server NATed?
How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall ...

Cheers,
Kim






Re: ikev2 and road warriors setup

2018-11-05 Thread Kim Zeitler

Hello Radek,


On 11/2/18 10:16 PM, Radek wrote:

Thank you for your response,

Following your suggestion I removed IP from enc0 and changed iked.conf as below:

$ cat /etc/iked.conf
dns1 = "8.8.8.8"
dns2 = "8.8.4.4"
ikev2 "roadWarrior" ipcomp esp \
  from 0.0.0.0/0 to 0.0.0.0/0 \
  local A.B.C.77 peer any \
  srcid 
"/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com" \
  config address 10.0.1.0/24 \
  config netmask 255.255.255.0 \
  config name-server $dns1 \
  config name-server $dns2 \
  config access-server A.B.C.77 \
  config protected-subnet 0.0.0.0/0 \
  tag "$id"

It did not solve my problem. Clients from !A.B.C.0/23 still get 809 Error.
I know this set-up to be working, as it is currently running here in 
production.





I also tried another scenario: puffy_server <-> puffy_warrior
The same. My warrior also can not connect if it is !A.B.C.0/23 and it VPN works 
fine for clients from A.B.C.0/23.
Both machines are 6.3/i386.
Your set-up is still a bit 'unclear', I would rather say you have a 
firewall/routing problem than an IPSec problem. Error 809 means no data 
received.


Could you post your pf.conf?
How do you connect to networks !A.B.C.0/23?
Is your IPSec connection NATed?

Cheers
Kim





Re: syntax error and doas.conf

2018-10-31 Thread Kim Zeitler

On 10/31/18 10:42 AM, Markus Rosjat wrote:
...

doas vi /etc/doas.conf

# Edit in vi
:w
:! doas -C %



You don't even have to leave your editor.





Re: ikev2 and road warriors setup

2018-10-31 Thread Kim Zeitler

On 10/28/18 3:04 PM, Radek wrote:

Hello,
I really need your help.
I am still trying to configure Ikev2 VPN Gateway (A.B.C.77/23) for road 
warriors clients (Windows).
The problem is that it works ONLY if clients are in the same subnet as VPN 
Gateway (A.B.C.0/23).
Clients from out of the gateway's subnet (!A.B.C.0/23) can not establish the 
connection (809 Error). It does not matter if they are behind NAT or not, tried 
different ISP - the same.

Current tested client is Win7 (1.2.3.119). It works from A.B.C.0/23

I do not know what I am doing wrong.
Can anyone please help me with solving this problem?
Thank you.

This is a fresh 6.3/i386 install:



# cat /etc/hostname.enc0
inet 10.0.1.1 255.255.255.0 10.0.1.255
up

You don't need an IP on enc0.



# cat /etc/iked.conf
ikev2 "test" passive esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
local A.B.C.77 peer any \
srcid A.B.C.77 \
config address 10.0.1.0/24 \
config name-server 8.8.8.8 \
tag "IKED"


Try something like this, it works for both Win7 and Win10:

/etc/iked.conf
-
ikev2 "roadWarrior" ipcomp esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
peer any \
srcid  $srcid \
config address 10.0.1.0/24 \
config netmask 255.255.255.0 \
config name-server $dns1 \
config name-server $dns2 \
config access-server A.B.C.77 \
config protected-subnet 0.0.0.0/0 \
tag "$id"

'access-server' tells Windows what gateway to use for 'protected-subnet' 
(see iked.conf(5)).
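Since both of Kim's replies in this thread point at the firewall rather than at iked ("Error 809 means no data received", "Could you post your pf.conf?"), here is the pf side that the iked.conf above needs, as an added example that is not part of the thread. The interface name is an assumption; the gateway address and the 10.0.1.0/24 pool are taken from the quoted configuration.

```pf
# Added example: minimum pf.conf for an IKEv2 road-warrior gateway
ext_if   = "em0"          # assumed external interface name
gw_ip    = "A.B.C.77"     # gateway address from the thread
vpn_pool = "10.0.1.0/24"  # the "config address" pool from iked.conf

set skip on lo
block log all

# IKEv2 (udp/500) and NAT-Traversal (udp/4500) must reach iked from anywhere.
# A client behind NAT moves to 4500 after the first exchange, so both are needed.
pass in on $ext_if inet proto udp from any to $gw_ip port { 500 4500 }

# Clients with a public address send raw ESP; NAT-T clients carry it inside udp/4500.
pass in on $ext_if inet proto esp from any to $gw_ip

# Decrypted client traffic appears on enc0; keep its state bound to enc0 so it
# does not float to the egress interface.
pass on enc0 keep state (if-bound)

# With protected-subnet 0.0.0.0/0 every client packet goes through the tunnel,
# so the pool has to leave masqueraded behind the gateway address.
match out on $ext_if inet from $vpn_pool to any nat-to $gw_ip
pass out on $ext_if
```

The check that decides between "firewall" and "iked": run `tcpdump -ni em0 'udp port 500 or udp port 4500 or proto 50'` on the gateway while a client outside A.B.C.0/23 tries to connect. If its IKE_SA_INIT never appears, nothing upstream of the gateway (a NAT in front of it, a missing forward of 500/4500 and ESP) lets the packets through, which matches a Windows error 809; if it appears and gets no answer, `iked -dv` is the place to look next, and `pfctl -vsr` shows which rule is counting the drops.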



Re: Intel i350 Offloading not working

2018-07-18 Thread Kim Zeitler

On 07/18/18 11:37, Adonis Peralta wrote:

Will definitely do that, but still looking for any explanation from devs :).


https://marc.info/?l=openbsd-tech&m=135203532704213&w=2

Seems there have been some errors with offloading and I350 in the past.

Cheers
Kim





OpenIKED match on user/cert instead of gateway

2018-06-28 Thread Kim Zeitler

hello misc,

I got the requirement for a more exotic setup in which some road 
warriors are required to be in a different network segment.


From strongSWAN I know it is possible to match connections based on 
userid/cert.

iked.conf(5) only gives examples for different gateways.

To cut a long story short - is it possible to do this in openiked or do 
I need to setup a separate instance?


Cheers,
Kim





Re: iked: how to request a virtual IP when running as a road warrior

2018-01-31 Thread Kim Zeitler

Hello

On 01/30/18 22:00, Peter Müller wrote:

Hello *,

I am trying to set up an IPsec connection between OpenBSD 6.2
and an IPFire firewall, while the OpenBSD is a road warrior.
There, I use "iked", while the firewall is running "strongswan".

After struggling with some cryptography issues (curve25519 and
brainpool512 did not work, neither did aes-gcm), the IKE
connection is now established, but the firewall requires a
request for a virtual IP:

[log snippet from "iked" @ OpenBSD:]
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 
length 12
ikev2_pld_notify: protoid NONE spisize 0 type AUTH_LIFETIME
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00 
length 8
ikev2_pld_notify: protoid NONE spisize 0 type FAILED_CP_REQUIRED

[log snippet from "strongswan" @ IPFire:]
21:45:26 charon:  07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH 
N(AUTH_LFT) N(FAIL_CP_REQ) ]
21:45:26 charon:  07[IKE] failed to establish CHILD_SA, keeping IKE_SA
21:45:26 charon:  07[IKE] configuration payload negotiation failed, no CHILD_SA 
built
21:45:26 charon:  07[IKE] expected a virtual IP request, sending 
FAILED_CP_REQUIRED

Until now, I tried inserting the following directives to my
/etc/iked.conf - without luck, they didn't seem to change anything:

(1) config address 10.XXX.XXX.XXX

(2) config address 10.XXX.XXX.XXX/24

(3) config address 10.XXX.XXX.XXX\
 config address 10.XXX.XXX.XXX/24

How do I configure "iked" to request a virtual IP?

Any help is highly appreciated, since I am flying blind here.

Thanks and best regards,
Peter Müller



Last time I looked, OpenIKED was not yet able to request a config 
payload, only reply to one. Looking at the source code of iked confirms 
this.


/src/sbin/iked/ikev2.c

ssize_t
ikev2_add_cp(struct iked *env, struct iked_sa *sa, struct ibuf *buf)
{
	...
	switch (sa->sa_cp) {
	case IKEV2_CP_REQUEST:
		cp->cp_type = IKEV2_CP_REPLY;
		break;
	case IKEV2_CP_REPLY:
	case IKEV2_CP_SET:
	case IKEV2_CP_ACK:
		/* Not yet supported */		<===!!!
		return (-1);
	}
	...

Cheers Kim





Re: iked + gif + ospfd - use null-route to stop default route being used in case of no vpn

2017-11-08 Thread Kim Zeitler

On 11/08/17 08:37, Claudio Jeker wrote:

On Tue, Nov 07, 2017 at 04:13:51PM +0100, Jeremie Courreges-Anglas wrote:

On Tue, Nov 07 2017, Kim Zeitler  wrote:

On 11/07/17 15:31, Jeremie Courreges-Anglas wrote:

On Tue, Nov 07 2017, Stuart Henderson  wrote:




I have a question concerning routes and ospf.
We are using iked(8) with a gif(4) interface and ospfd(8) to set up
routing.

If the ipsec tunnel is down, no ospf route is set and the default route
used.

Is it sensible and possible to add a null-route from the vpn-gateway to
the remote-networks so a 'Network not reachable' is sent immediately?


Sensible - yes.

Possible - not sure but I think you would probably need to monitor the ipsec
status and add the route and/or gif interface only once the SA is up.


I may be missing something, but maybe just add a -reject route with
a low -priority for each of your ospf routes?  When an ospf route
disappears the -reject one would be preferred.

(And if all your "vpn" routes are in a common prefix, you can just use
a single -reject route for that prefix and let more-specifics win.)


something like this was actually my plan. just wasn't so sure if one
actually does it like this or if there are other ways of doing it.

so basically a
route add -inet 172.16/12 -reject -priority 33
would suffice (33 as the ospf routes have a prio of 32)


Yes, but I think that what Stuart points out is that your gif tunnel
might be used even if ipsec isn't protecting it...



I use pf(4) to make sure that gif is not leaking outside of the enc
interface (more or less):
block out proto { ipencap ipv6 }
pass on enc0 keep state (if-bound)

Using if-bound is needed else the enc0 state would float to the egress
interface.



I want to thank all for their time and answers.

Not sure how I will implement this yet, but Stuart's and Claudio's replies
clearly made me think a bit further.


Cheers,
Kim
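How the two answers above fit together on the VPN gateway, as an added example that is not part of the thread: the reject route is created with the gif interface so it survives a reboot, and the pf rules keep the tunnel from leaving in the clear. The interface name and the tunnel endpoint addresses are assumptions (documentation prefixes standing in for $OWN_IP and $CHARLIE); the inner addresses, the 172.16/12 prefix and the priorities are the ones used in the thread.

```conf
# /etc/hostname.gif0 on the VPN gateway (assumed name; the outer addresses are
# placeholders for $OWN_IP and $CHARLIE from the iked.conf quoted above)
tunnel 192.0.2.1 198.51.100.1
inet 10.23.23.1 255.255.255.252 10.23.23.2
# ospfd installs its routes at priority 32, so they win while the neighbour is
# up. The moment they are withdrawn this priority-33 route answers "Network
# unreachable" instead of letting the default route bounce the traffic to the
# default gateway and back.
!route add -inet 172.16/12 -reject -priority 33

# /etc/pf.conf: Claudio's two rules. The gif encapsulation may only leave through
# the IPsec SA on enc0, never in the clear on the egress interface, and the enc0
# state must not float to egress.
block out proto { ipencap ipv6 }
pass on enc0 keep state (if-bound)
```

`route -n get 172.16.5.1` shows which of the two routes currently wins for a remote address, and `ospfctl show fib` lists what ospfd has installed; with the tunnel down the first should report the reject route and the second no 172.16 entries at all.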





Re: iked + gif + ospfd - use null-route to stop default route being used in case of no vpn

2017-11-07 Thread Kim Zeitler

On 11/07/17 16:13, Jeremie Courreges-Anglas wrote:

On Tue, Nov 07 2017, Kim Zeitler  wrote:

On 11/07/17 15:31, Jeremie Courreges-Anglas wrote:

On Tue, Nov 07 2017, Stuart Henderson  wrote:




I have a question concerning routes and ospf.
We are using iked(8) with a gif(4) interface and ospfd(8) to set up
routing.

If the ipsec tunnel is down, no ospf route is set and the default route
used.

Is it sensible and possible to add a null-route from the vpn-gateway to
the remote-networks so a 'Network not reachable' is sent immediately?


Sensible - yes.

Possible - not sure but I think you would probably need to monitor the ipsec
status and add the route and/or gif interface only once the SA is up.


I may be missing something, but maybe just add a -reject route with
a low -priority for each of your ospf routes?  When an ospf route
disappears the -reject one would be preferred.

(And if all your "vpn" routes are in a common prefix, you can just use
a single -reject route for that prefix and let more-specifics win.)


something like this was actually my plan. just wasn't so sure if one
actually does it like this or if there are other ways of doing it.

so basically a
route add -inet 172.16/12 -reject -priority 33
would suffice (33 as the ospf routes have a prio of 32)


Yes, but I think that what Stuart points out is that your gif tunnel
might be used even if ipsec isn't protecting it...


OK, maybe I am missing something now.

I got two networks 192.168.1/24 and 192.168.2/24, each with a VPN GW 
192.168.X.254 and a default GW at 192.168.X.1.
Between the VPN GWs I have a gif tunnel using 192.168.X.254 -> <IP otherside>, inside tunnel 10.23.23.1->10.23.23.2.


My iked is configured to use:

ikev2 "charlie" passive ipcomp esp \
proto encap \
from $OWN_IP to $CHARLIE \
peer $CHARLIE \
srcid $GW dstid $CHARLIE

To add the routing over this we use ospfd. As soon as the sa is loaded 
ospf discovers its neighbour and loads the route via the gif interface. 
Without the sa no traffic is passed.


@Stuart you say, I should only establish the gif "link" after I have an SA?

My question was, when the ospfd has a problem or the connection between 
both end-points can't be established (like now, due to roadworks and 
some cable) can I add a -reject route with low prio to use instead of 
the default route on my VPN GW?
Currently my VPN GW gets the traffic, has no route due to no ospf and 
sends it to the default gw, which returns it to the vpn gw and so forth. 
I would like it to reply with 'Network unreachable' instead immediately.
As far as I see my idea is similar to what Jeremie wrote.


Cheers
Kim





Re: iked + gif + ospfd - use null-route to stop default route being used in case of no vpn

2017-11-07 Thread Kim Zeitler

On 11/07/17 15:31, Jeremie Courreges-Anglas wrote:

On Tue, Nov 07 2017, Stuart Henderson  wrote:




I have a question concerning routes and ospf.
We are using iked(8) with a gif(4) interface and ospfd(8) to set up
routing.

If the ipsec tunnel is down, no ospf route is set and the default route
used.

Is it sensible and possible to add a null-route from the vpn-gateway to
the remote-networks so a 'Network not reachable' is sent immediately?


Sensible - yes.

Possible - not sure but I think you would probably need to monitor the ipsec
status and add the route and/or gif interface only once the SA is up.


I may be missing something, but maybe just add a -reject route with
a low -priority for each of your ospf routes?  When an ospf route
disappears the -reject one would be preferred.

(And if all your "vpn" routes are in a common prefix, you can just use
a single -reject route for that prefix and let more-specifics win.)

something like this was actually my plan. just wasn't so sure if one 
actually does it like this or if there are other ways of doing it.


so basically a
route add -inet 172.16/12 -reject -priority 33
would suffice (33 as the ospf routes have a prio of 32)





iked + gif + ospfd - use null-route to stop default route being used in case of no vpn

2017-11-07 Thread Kim Zeitler

Hello

I have a question concerning routes and ospf.
We are using iked(8) with a gif(4) interface and ospfd(8) to set up 
routing.


If the ipsec tunnel is down, no ospf route is set and the default route 
used.


Is it sensible and possible to add a null-route from the vpn-gateway to 
the remote-networks so a 'Network not reachable' is sent immediately?


Cheers Kim





RESEND: Advice on migration to OpenBSD

2017-05-13 Thread Kim Blackwood
Hi,

For some strange reason Yandex keeps messing up messages sent from it, sorry about that.

My original message:

I am in the process of migrating to OpenBSD on personal usage and in my office as well, but I need some advice.

Both at home and in the office we have several Linux boxes running Samba. Originally because we had some Windows machines, but now it's just a very convenient and easy way to run with different shares with different groups and permissions and it's tuned so it's running very fast.

We also have a bunch of external drives with EXT4 and some with XFS.

Normally I run Arch and Debian and I have no problem with the above setup. However, migrating to OpenBSD on my personal laptop and desktop I suspect will give me some problems mounting both Samba shares and external drives.

We could change the file systems on the external drives to say EXT2 if that's a "good" idea or NTFS if that's better supported, I don't know. Both read and write access is needed.

The Samba boxes aren't going to change as too many people use those. I remember something about sharity-light in the past, but that was not very good back then.

Update: I tried sharity-light, but had no success mounting at all. I also tried "usmb", but it freezes the entire box once you try to view the content of a file.

How do you guys do it? Is it even doable running only OpenBSD on my boxes in such an environment?

Thank you for your time.

Kind regards,

Kim

End of forwarded message 


Advice on migration to OpenBSD

2017-05-13 Thread Kim Blackwood
Hi,

I am in the process of migrating to OpenBSD on personal usage and in my office as well, but I need some advice.

Both at home and in the office we have several Linux boxes running Samba. Originally because we had some Windows machines, but now it's just a very convenient and easy way to run with different shares with different groups and permissions and it's tuned so it's running very fast.

We also have a bunch of external drives with EXT4 and some with XFS.

Normally I run Arch and Debian and I have no problem with the above setup. However, migrating to OpenBSD on my personal laptop and desktop I suspect will give me some problems mounting both Samba shares and external drives.

We could change the file systems on the external drives to say EXT2 if that's a "good" idea or NTFS if that's better supported, I don't know. Both read and write access is needed.

The Samba boxes aren't going to change as too many people use those. I remember something about sharity-light in the past, but that was not very good back then.

How do you guys do it? Is it even doable running only OpenBSD on my boxes in such an environment?

Thank you for your time.

Kind regards,

Kim


Qubes-OS is "fake" security

2017-05-11 Thread Kim Blackwood
Hi,

I am at novice level of security, studying and trying to understand
some of the different aspects of running an OS and applications as
securely as possible.

I have been running OpenBSD for years and understand a little of what's
being done to make it more secure, albeit not the technical details of
programming as much as I am not a C programmer.

A friend of mine, who is a computer scientist with a speciality in
security, suggested Qubes-OS as a secure "solution" to security
problems related to OS's and applications on a personal computer.

I read up about the project and tested it out, but I am not convinced
that it is a good solution at all.

I am writing to this list because I know that a lot of people on this
list are very security-minded.

I found the reading "An Empirical Study into the Security Exposure to
Hosts of Hostile Virtualized Environments" very insightful.

http://taviso.decsystem.org/virtsec.pdf

First, I cannot really see the difference between an OS and a
hypervisor. Both run on the "bare metal" and both perform similar
tasks. In the specific case with Qubes-OS, there isn't really a
difference as it's "just" Fedora with Xen.

Possibilities of exploiting the hypervisor isn't lower than
possibilities of exploiting the OS. And specifically in the case of
OpenBSD as the OS, that has been developed from the ground up with
security in mind, the possibilities are much lower than a hypervisor
that hasn't even been developed with security measures from the
beginning.

Second, the virtualization part as I see it just adds another level of
tons of code.

If I am running Firefox on OpenBSD and Firefox gets exploited, the
cracker finds himself on a very secure OS that's really hard to
compromise.

If I am running Firefox in some virtualization container on Qubes-OS
and Firefox gets exploited, then the cracker finds himself inside a
container that could possibly contain lots of exploitable security
holes that again runs on a hypervisor with possibly lots of security
holes, stuff that hasn't been developed with security in mind and has
perhaps never been audited.

Qubes-OS seems to me as a solution of "patching".

OpenBSD on the other hand is a completely different story.

Rather than running something like Qubes-OS, which IMHO provides a fake
feeling of security, with its different "qubes", I would think of
another situation that's much better.

I either set up 3 different computers, or one computer where I can
physically change the hard drive and I then have 3 different hard
drives.

On one box I setup OpenBSD and the most secure-minded browser I can
find (does such a thing even exist?). On this particular setup I *ONLY*
do my home banking. Absolutely nothing else.

On the second box I also setup OpenBSD and the most secure-minded email
client I can find and I do all my email there. I possibly also setup an
office application for writing letters, etc. I don't use a browser on
this setup; if someone sends an email with a link, I write the link
down for later usage.

And on the third box I also setup OpenBSD with a browser and possibly
other applications like a video player, and this box I use for all the
other casual stuff, the links from emails, etc. I possibly even run
this from a non-writeable CD or SD card.

It will be an inconvenience to shift between the drives, but no more
than using Qubes-OS.

IMHO the setup with the different OpenBSD installations provides a
much more secure alternative than running Qubes-OS.

Am I completely off track here?

Kind regards,

Kim



Re: bgp-spamd question

2017-05-08 Thread Kim Zeitler

On 05/08/17 15:12, Markus Rosjat wrote:



Am 08.05.2017 um 15:02 schrieb Kim Zeitler:



Did you allow BGP on your firewall?



I was not aware there need to be special rules for bgp

I meant your outer-bound firewall, that you pass towards the internet.

Depending on your network setup you need to allow outbound traffic on a 
specific port and take care of nat.







Re: bgp-spamd question

2017-05-08 Thread Kim Zeitler

On 05/08/17 14:42, Markus Rosjat wrote:



Am 08.05.2017 um 14:37 schrieb Kim Zeitler:

Could you check

bgpctl s

are there any messages received?

You can also check
bgpctl s neigh | grep state

This should give you at least 2 connections claiming to be established



regards


Cheers
Kim



I checked and I have both neighbors in my list

$ doas bgpctl s
Neighbor                   AS    MsgRcvd    MsgSent  OutQ Up/Down  State/PrfRcvd
217.31.80.170           65066          0          0     0 Never    Active
64.142.121.62           65066          0          0     0 Never    Active

They appear as soon as you have configured them, but as you can see, 
neither MsgRcvd nor MsgSent show anything


# bgpctl s
Neighbor                   AS    MsgRcvd    MsgSent  OutQ Up/Down  State/PrfRcvd
2a00:15a8:0:100:0:d9    65066          0          0     0 Never    Active
217.31.80.170           65066        271        134     0 01:05:59  15975
64.142.121.62           65066        253        134     0 01:05:59  15975

If you look at
# bgpctl show neigh | grep -C2 state
BGP neighbor is 2a00:15a8:0:100:0:d91f:50aa:1, remote AS 65066, Multihop 
(64)

  BGP version 4, remote router-id 0.0.0.0
  BGP state = Active
  Last read Never, holdtime 240s, keepalive interval 80s

--
BGP neighbor is 217.31.80.170, remote AS 65066, Multihop (64)
  BGP version 4, remote router-id 217.31.80.170
  BGP state = Established, up for 01:07:27
  Last read 00:00:11, holdtime 90s, keepalive interval 30s
  Neighbor capabilities:
--
BGP neighbor is 64.142.121.62, remote AS 65066, Multihop (64)
  BGP version 4, remote router-id 64.142.121.62
  BGP state = Established, up for 01:07:27
  Last read 00:00:10, holdtime 90s, keepalive interval 30s
  Neighbor capabilities:

you can see that our IPv6 connection is only active and waiting, while
the IPv4 connections clearly show that they are established.


You can also see it in the summary, as the v6 only says Active while the
v4s tell you for how long.


Did you allow BGP on your firewall?


still no success with

$ doas bgpctl show rib community 65066:42
flags: * = Valid, > = Selected, I = via IBGP, A = Announced, S = Stale
origin: i = IGP, e = EGP, ? = Incomplete

flags destination  gateway  lpref   med aspath origin


$ doas bgpctl show rib community 65066:666
flags: * = Valid, > = Selected, I = via IBGP, A = Announced, S = Stale
origin: i = IGP, e = EGP, ? = Incomplete

flags destination  gateway  lpref   med aspath origin



Cheers,
Kim
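The "look at the State column" check from Kim's reply turned into something a cron job or monitoring script can run, as an added example that is not part of the thread. It parses the shape of `bgpctl show summary` quoted above: an Established peer shows the number of prefixes received in the last column, every other state (Active, Connect, Idle) shows its name there, which is what a session blocked by a firewall in front of the bgp-spamd box looks like (BGP is TCP port 179). The sample output is constructed after the one in the thread; the column widths are an assumption.

```shell
#!/bin/sh
# Added example: detect bgp-spamd sessions that are not Established from the
# output of `bgpctl show summary`. Not part of bgpd or bgp-spamd.
set -eu

# Constructed sample in the shape of the summary quoted in the thread: the v6
# peer never got past Active, the two v4 peers are up and carrying prefixes.
SAMPLE='Neighbor                   AS    MsgRcvd    MsgSent  OutQ Up/Down  State/PrfRcvd
2a00:15a8:0:100:0:d9    65066          0          0     0 Never    Active
217.31.80.170           65066        271        134     0 01:05:59  15975
64.142.121.62           65066        253        134     0 01:05:59  15975'

# Print "<neighbor> <state>" for every peer whose last column is not a number,
# i.e. every session that is not Established. The header line is skipped.
peers_not_established() {
    printf '%s\n' "$1" |
        awk 'NR > 1 && NF >= 7 && $NF !~ /^[0-9]+$/ { print $1, $NF }'
}

# Number of Established peers; bgp-spamd needs at least one before
# "bgpctl show rib community 65066:666" can return anything at all.
established_count() {
    printf '%s\n' "$1" |
        awk 'NR > 1 && NF >= 7 && $NF ~ /^[0-9]+$/ { n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed sample. On a live gateway feed it the
# real thing instead:  peers_not_established "$(bgpctl show summary)"
peers_not_established "$SAMPLE"
echo "established peers: $(established_count "$SAMPLE")"
```

When `established_count` is 0 the RIB query in the thread is empty by construction and the spamd blacklist file never fills; a quick second check is `pfctl -t bgp_spamd -T show | wc -l`, which stays at zero for the same reason.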





Re: bgp-spamd question

2017-05-08 Thread Kim Zeitler

On 05/08/17 14:13, Markus Rosjat wrote:



Am 08.05.2017 um 13:58 schrieb Kim Zeitler:

On 05/08/17 09:59, Markus Rosjat wrote:

match from group "spam-bgp" community $spamASN:666 set pftable
"bgp_spamd"

Try to remove this line from your /etc/bgpd.conf, it is not in the
example on http://bgp-spamd.net

Checked it gainst my working setup and it is missing there too.


Well this doesn't solve the problem still. Even if I remove the line, 
which should simply update a pf table. I don't get any result on the cmd 
with a bgpctl command.


maybe it's related to my test environment I'll try it on a machine that 
has direct access to the net and see if there is a change.

Could you check

bgpctl s

are there any messages received?

You can also check
bgpctl s neigh | grep state

This should give you least 2 connections claiming to be established



regards


Cheers
Kim





Re: bgp-spamd question

2017-05-08 Thread Kim Zeitler

On 05/08/17 09:59, Markus Rosjat wrote:

match from group "spam-bgp" community $spamASN:666 set pftable "bgp_spamd"
Try to remove this line from your /etc/bgpd.conf, it is not in the 
example on http://bgp-spamd.net


Checked it against my working setup and it is missing there too.
--
Kim Zeitler
Bachelor of Science (Hons)

Konzept Informationssysteme GmbH
Am Weiher 13 • 88709 Meersburg

Fon: +49 7532 4466-240
Fax: +49 7532 4466-66
kim.zeit...@konzept-is.de
www.konzept-is.de

Amtsgericht Freiburg 581491 • Geschäftsführer: Dr. Peer Griebel,
Frank Häßler, Dr. Christophe Schoenenberger





Re: bgp-spamd question

2017-05-08 Thread Kim Zeitler

On 05/08/17 12:26, Markus Rosjat wrote:



Hi,

I have something like

bgp-spamd:\
 :black:\
 :msg="Your address %A has sent mail to a spamtrap\n\
  within the last 24 hours":\
 :method=file:\
 :file=/var/mail/spamd.black:

in /etc/mail/spamd.conf

and a cron job /bin/sh /etc/mail/bgp-spamd.black.sh which has

#!/bin/sh
AS=65066

bgpctl show rib community ${AS}:666 |
sed -e '1,4d' -e 's/\/.*$//' -e 's/[ \*\>]*//' >
/var/mail/spamd.black

/usr/libexec/spamd-setup

# EOF

Just double checked and can see it is being updated.

$ ls -l /var/mail/spamd.black
-rw-r--r--  1 root  wheel  233006 May  8 05:20 /var/mail/spamd.black

Hope this helps,

Vijay



I don't want to copy the results in a list for now I simply want to get 
any results at all :)

so as long as

bgpctl show rib community 65066:666

doesn't give any results I won't see any IP's in a spamlist file at all

regards



Hello Markus,
just on a hunch, did you remove the deny blocks that are listed in 
/etc/examples/bgpd.conf?


Cheers
Kim





Re: WARNING: symbol(icudt58_dat) size mismatch, relink your program

2017-04-25 Thread Kim Lidström
I get the same but with Firefox.

> On 25 Apr 2017, at 12:29, Stuart Henderson  wrote:
> 
> You aren't doing anything wrong to trigger it. Known problem but we
> haven't figured out the cause of this yet.

Alright. Do you know if you have any leads? Might take a look this week



Re: Migrate Mailserver from sendmail/Curier/LDAP to OpenSMTP/Dovecot/LDAP

2017-01-27 Thread Kim Zeitler
Hi Markus

On 01/27/17 09:44, Markus Rosjat wrote:
> Hi there,
>
> so my question is what is the best strategy to migrate an exsiting LDAP
> directory from a system that has sendmail and courier running to a
> system with openSMTP and Dovecot.
>
Couple of years ago we changed from Courier to Dovecot and in short we
wouldn't go back.

As setup we hold all our users in LDAP except for system users (_*,
root, ...) and have a dedicated server for mail running postfix as MTA
and dovecot.

We started from Postfix+Courier with the LDAP users as system users. The
users could log into their accounts via ssh and do what ever they
wanted. This configuration caused some problems with performance and
also caused some permission problems as the dovecot process had to run
as the user.

Now Dovecot has direct access to the LDAP using the users as virtual
users, all maildirs belong to the dovecot user _vmail. Postfix
distinguishes between local users and ldap users, local users are
directly delivered via local delivery, ldap users relayed to dovecot's
lmtp server.


>  - is it possible to migrate old maildirs to use with dovecot
It is possible: Maildir can be used directly, mbox transferred.
There also exists a courier-dovecot-migrate script that rewrites
courier's index et al. for dovecot.
(https://wiki2.dovecot.org/Migration/Courier)

You might want to move courier's flat maildir format to a file system format
>
> I dont want to set up just one virtual user to handle dovecot delivery
> since I already have the LDAP users. I tested to set permissions on
> directories and files for a LDAP user that has no systemaccount
> counterpart and it seems to work but it doesn't feel right to do so in a
> production environement :)
See my comment further up to using an _vmail user


Cheers
Kim




Re: Allow FTP through Openbsd firewall

2016-10-28 Thread Kim Zeitler

Hello

On 10/28/16 08:55, Mik J wrote:

Hello,

I have FTP clients behind my Openbsd firewall and they want to access ftp sites 
on the internet

I have read numerous documentations but haven't found the answer yet.

* I start the ftp-proxy like this
/usr/sbin/ftp-proxy -D7 -v

* I have rules in my pf.conf
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp from $lan to any port 21 divert-to 
127.0.0.1 port 8021
pass out quick on $ext_if inet proto tcp from $ext_add to any port 21

I filter both interfaces lan and wan on my firewall

I'm able to connect to a ftp server from inside the lan but when I do the 
command ls it fails
Of course, this is normal because there is no rule that allow the ftp data 
(passive) to go out and the packets are dropped when they try to go out of the 
firewall's external interface.
Oct 28 08:21:00.471990 rule 0/(match) block out on vmx0: 37.187.79.88.56327 > 
x.x.x.x.39046: S 1161913180:1161913180(0) win 16384 
This is not entirely correct: ftp-proxy(8) creates dynamic rules and
loads them at the anchor point, allowing the traffic from your client to
the server.


As an example, on a client:

$ ftp ftp://ftp.hostserver.de
...
ftp> ls
150 Opening ASCII mode data connection for '/bin/ls'.
total 225608
-rw-r--r--   1 root    wheel   104857600 Sep 16  2013 100M.dat
-rw-r--r--   1 root    wheel    10485760 Sep 16  2013 10M.dat
drwxr-xr-x  82 mirror  mirror       2048 Oct 28 01:29 archive
lrwxr-xr-x   1 root    wheel          10 Apr 16  2014 debian -> pub/debian
dr-x--x--x   2 root    wheel         512 Apr 15  2014 etc
drwxr-xr-x  10 root    wheel         512 Jul 26 10:20 internal
drwxr-xr-x   8 mirror  wheel         512 Oct 28 09:05 pub
drwxr-xr-x   2 1000    wheel         512 Mar 28  2016 special
226 Transfer complete.
ftp> cd pub
250 CWD command successful.
ftp>

On the firewall 'systat rules' shows these two anchor rules added by
ftp-proxy(8):

# systat rules
...
 0 /ftp-proxy/27562.62  Pass In   Q tcp K  8 14771 1 inet from 192.168.3.5/32 to 217.31.80.35/32 port = 52891
 1 /ftp-proxy/27562.62  Pass Out  Q tcp K  8 14771 1 inet from 192.168.3.5/32 to 217.31.80.35/32 port = 65081

* My question
The ftp data channel connects to an unknown server and an unknown port. I don't 
want to open a large range of ports on my external firewall's interface.
How can I only allow a specific set of outgoing port when the connection is 
initiated by the ftp-proxy only ?



I am not sure I understand your question correctly, but you do not
actually open a large port range.
- Your client tries to connect to the external server and your firewall
rule "pass quick ... to any port ftp divert-to ..." hands it over to
ftp-proxy(8).
- ftp-proxy(8) opens the connection for the client and adds 2 firewall
rules at the anchor "ftp-proxy" in your ruleset (see ftp-proxy(8) for
the rules that are added).


So only ftp-proxy(8) opens a connection and only to the port negotiated 
with the ftp server.
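The point made in this answer, that ftp-proxy(8) only ever opens the single host-to-host flow on the port negotiated with the server, can be checked mechanically rather than by eye. The following is an added example, not code from the thread or from ftp-proxy(8): it parses rule lines in the 'systat rules' layout shown above (the two real anchor rules, plus one constructed over-broad rule so the check has something to flag) and reports any anchor rule that admits more than one /32-to-/32 flow on one port. The sample text, the anchor name 99999.1 and the port range in rule 2 are constructed.

```python
import re
from ipaddress import ip_network

# Constructed sample in the 'systat rules' layout quoted above: the two real
# ftp-proxy(8) anchor rules, plus one deliberately over-broad rule (number 2)
# to show what the check flags. Only the columns the check needs are parsed.
SAMPLE_RULES = """\
 0 /ftp-proxy/27562.62  Pass In   Q tcp K  8 14771 1 inet from 192.168.3.5/32 to 217.31.80.35/32 port = 52891
 1 /ftp-proxy/27562.62  Pass Out  Q tcp K  8 14771 1 inet from 192.168.3.5/32 to 217.31.80.35/32 port = 65081
 2 /ftp-proxy/99999.1   Pass Out  Q tcp K  0     0 0 inet from 192.168.3.0/24 to 217.31.80.35/32 port 49152:65535
"""

# rule number, anchor, action, direction ... 'inet from A to B [port ...]'
RULE_RE = re.compile(
    r"^\s*(?P<num>\d+)\s+(?P<anchor>\S+)\s+(?P<action>\w+)\s+(?P<dir>In|Out)\b"
    r".*?\binet from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?:\s+port\s*(?P<port>=\s*\d+|\d+:\d+|\d+))?"
)


def parse_rule(line):
    """Return a dict for one rule line, or None if the line is not a rule."""
    m = RULE_RE.search(line)
    if m is None:
        return None
    rule = m.groupdict()
    rule["num"] = int(rule["num"])
    rule["src"] = ip_network(rule["src"], strict=False)
    rule["dst"] = ip_network(rule["dst"], strict=False)
    return rule


def is_single_flow(rule):
    """True when the rule admits exactly one host-to-host flow on one port,
    which is what ftp-proxy(8) installs for a negotiated data channel."""
    single_hosts = rule["src"].prefixlen == 32 and rule["dst"].prefixlen == 32
    port = rule["port"]
    single_port = port is not None and ":" not in port
    return single_hosts and single_port


def audit(text):
    """Split the rules in 'text' into (tight, wide) lists of rule numbers."""
    tight, wide = [], []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        (tight if is_single_flow(rule) else wide).append(rule["num"])
    return tight, wide


if __name__ == "__main__":
    tight, wide = audit(SAMPLE_RULES)
    print("single-flow rules:", tight)   # [0, 1]
    print("over-broad rules: ", wide)    # [2]
```

Run against the real output of the firewall, the 'wide' list should stay empty for anything ftp-proxy(8) installs; a non-empty list points at a rule that came from somewhere else in the ruleset.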




ipsec+tunnel vs. 'pure' ipsec

2016-07-28 Thread Kim Zeitler

Hello

Having run a 'pure' ipsec tunnel for some years now, I was wondering if
there are more advantages in using a tunnel like gre(4), gif(4) or
etherip(4) over ipsec, apart from being able to set the MTU or pass Layer 2
traffic?


Thanks for your answer

Kim



Re: problem with carp on 5.9, MAC address of carp interface?

2016-04-25 Thread Kim Zeitler
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
/24                192.168.3.229      UC        10     2736     -     4 em1
192.168.3/24       192.168.3.4        C          0        0     -     4 carp1
192.168.3.2        68:05:ca:1e:b7:ae  UHLc       0     3925     -     4 em1
192.168.3.3        68:05:ca:1e:b5:92  UHLc       0     4806     -     4 em1
192.168.3.4        00:00:5e:00:01:04  UHLl       0      622     -     1 carp1
192.168.3.5        06:8d:9a:d6:7c:61  UHLc       0   161749     -     4 em1
192.168.3.10       00:27:0e:09:05:22  UHLc       1     4189     -     4 em1
192.168.3.13       52:54:00:86:87:74  UHLc       0     1154     -     4 em1
192.168.3.15       52:54:00:08:71:b5  UHLc       0     7157     -     4 em1
192.168.3.23       ea:e9:e8:31:03:b7  UHLc       0     2962     -     4 em1
192.168.3.24       3e:24:4a:7d:b0:a9  UHLc       0     3212     -     4 em1
192.168.3.30       36:32:31:df:52:27  UHLc       0     5294     -     4 em1
192.168.3.70       link#2             UHRLc      1     2831     -     4 em1
192.168.3.229      90:e2:ba:c3:df:79  UHLl       0       66     -     1 em1
192.168.3.255      192.168.3.229      UHb        0        0     -     1 em1
192.168.3.255      192.168.3.4        Hb         0        0     -     1 carp1
192.168.32/24      192.168.3.10       UGS        0        0     -     8 em1
192.168.80.120     192.168.3.10       UGHS       0     2550     -     8 em1
192.168.150/24     192.168.150.202    UCP        0     2092     -     4 vlan100
192.168.150/24     192.168.150.1      CP         0        0     -     4 carp2
192.168.150.1      00:00:5e:00:01:c9  UHLl       0       12     -     1 carp2
192.168.150.202    90:e2:ba:c3:df:7a  UHLl       0        0     -     1 vlan100
192.168.150.255    192.168.150.202    UHPb       0        0     -     1 vlan100
192.168.150.255    192.168.150.1      HPb        0        0     -     1 carp2
192.168.151/24     192.168.151.202    UCP        2       28     -     4 vlan101
192.168.151/24     192.168.151.1      CP         0        0     -     4 carp3
192.168.151.1      00:00:5e:00:01:ca  UHLl       0        6     -     1 carp3
192.168.151.11     00:cd:fe:bd:1e:75  UHLc       1      147     -     4 vlan101
192.168.151.16     44:d9:e7:58:d9:2e  UHLc       0       11     -     4 vlan101
192.168.151.202    90:e2:ba:c3:df:7a  UHLl       0       10     -     1 vlan101
192.168.151.255    192.168.151.202    UHPb       0        0     -     1 vlan101
192.168.151.255    192.168.151.1      HPb        0        0     -     1 carp3

...






cheers
Kim



Re: problem with carp on 5.9, MAC address of carp interface?

2016-04-25 Thread Kim Zeitler

Hello Martin


On 04/25/16 11:12, Martin Pieuchot wrote:

On 25/04/16(Mon) 10:47, Kim Zeitler wrote:



He is running a carp interface on top of a vlan interface. In this scenario
the carp interface can not be pinged but the vlan interfaces can.


Do you mean the CARP node does not answer to ping with a destination
address on the carp(4) interfaces?  Is it for MASTER, BACKUP or both?


em2 (no ip) ---> vlan100 (192.168.150.200) ---> carp2 (192.168.150.1)
\
 --> vlan101 (192.168.151.200) ---> carp3 (192.168.151.1)

This is my setup
If I ping either address assigned to carp2 or carp3 from a host on the
network I do not get an answer; pinging the vlan address answers.


One node is clearly in MASTER, the other in BACKUP, demote works.

The host also has two further carp interfaces sitting directly on a 
physical interface which work as expected.



I described a similar issue here
https://www.mail-archive.com/misc@openbsd.org/msg146230.html  but sadly had
no replies yet


What does your routing table look like?


# route -n show
...
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
192.168.150/24     192.168.150.202    CP         0        2     -     4 vlan100
192.168.150/24     192.168.150.1      CP         0        0     -     4 carp2
192.168.150.1      00:00:5e:00:01:c9  UHLl       0        0     -     1 carp2
192.168.150.202    90:e2:ba:c3:df:7a  UHLl       0        0     -     1 vlan100
192.168.150.255    192.168.150.202    HPb        0        0     -     1 vlan100
192.168.150.255    192.168.150.1      HPb        0        0     -     1 carp2
192.168.151/24     192.168.151.202    CP         0        2     -     4 vlan101
192.168.151/24     192.168.151.1      CP         0        0     -     4 carp3
192.168.151.1      00:00:5e:00:01:ca  UHLl       0        0     -     1 carp3
192.168.151.202    90:e2:ba:c3:df:7a  UHLl       0        0     -     1 vlan101
192.168.151.255    192.168.151.202    HPb        0        0     -     1 vlan101
192.168.151.255    192.168.151.1      HPb        0        0     -     1 carp3





Currently I am upgrading my cluster to the latest snapshot to see if there
is any change.


There won't be any change.



If it helps, here are the hostname.if configs for vlan100 and carp2

# cat /etc/hostname.em2
up

# cat /etc/hostname.vlan100
inet 192.168.150.200 255.255.255.0 192.168.150.255 vlan 100 vlandev em2

# cat /etc/hostname.carp2

inet 192.168.150.1 255.255.255.0 192.168.150.255 vhid 201 carpdev 
vlan100 pass 1234 group wlan


Cheers
Kim



Re: problem with carp on 5.9, MAC address of carp interface?

2016-04-25 Thread Kim Zeitler

Hello Martin, hello Sebastian

On 04/25/16 10:15, Martin Pieuchot wrote:

On 25/04/16(Mon) 09:48, Sebastian Reitenbach wrote:

I'm trying to upgrade a HA carped firewall cluster to 5.9 but run into
issues.


Which issues?  After reading your whole email I still don't understand
your problem(s).  What does not work?
He is running a carp interface on top of a vlan interface. In this 
scenario the carp interface can not be pinged but the vlan interfaces can.


I described a similar issue here 
https://www.mail-archive.com/misc@openbsd.org/msg146230.html  but sadly 
had no replies yet


Currently I am upgrading my cluster to the latest snapshot to see if 
there is any change.



Cheers Kim



Carp interface sitting on vlan can not be pinged

2016-04-15 Thread Kim Zeitler

Hello

maybe a stupid question, but is it possible to run a carp(4) interface 
on vlan(4) interfaces?


In the following setup we have the problem that both boxes can be pinged 
on their address associated with their respective vlan(4) interface, but 
not on the carp(4) interface IP. Both boxes are recent installs and are 
running -current


em2 (no ip) ---> vlan100 (192.168.150.200) ---> carp2 (192.168.150.1)
\
 --> vlan101 (192.168.151.200) ---> carp3 (192.168.151.1)

The corresponding node uses .202 instead of .200 for the vlan(4)
interfaces.


== The configuration ==

# uname -a
OpenBSD router12 5.9 GENERIC.MP#1983 amd64

# cat /etc/hostname.em2
up

# cat /etc/hostname.vlan100
inet 192.168.150.200 255.255.255.0 192.168.150.255 vlan 100 vlandev em2

# cat /etc/hostname.carp2
inet 192.168.150.1 255.255.255.0 192.168.150.255 vhid 201 carpdev 
vlan100 pass 1234 group wlan


# cat /etc/pf.conf
...
pass quick on {em2,vlan100,vlan101} proto carp
...
pass inet proto icmp icmp-type $icmp_types
pass vlan100:network
...

# netstat -rn
...
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
192.168.150/24     192.168.150.200    UCP        0     4401     -     4 vlan100
192.168.150/24     192.168.150.1      CP         0        0     -     4 carp2
192.168.150.1      00:00:5e:00:01:c9  UHLl       0     9981     -     1 carp2
192.168.150.200    90:e2:ba:c1:11:11  UHLl       0       30     -     1 vlan100
192.168.150.255    192.168.150.200    UHPb       0       80     -     1 vlan100
192.168.150.255    192.168.150.1      HPb        0        0     -     1 carp2
192.168.151/24     192.168.151.200    UCP        1     3040     -     4 vlan101
192.168.151/24     192.168.151.1      CP         0        0     -     4 carp3
192.168.151.1      00:00:5e:00:01:ca  UHLl       0      182     -     1 carp3
192.168.151.200    90:e2:ba:c1:11:11  UHLl       0       36     -     1 vlan101
192.168.151.255    192.168.151.200    UHPb       0        0     -     1 vlan101
192.168.151.255    192.168.151.1      HPb        0        0     -     1 carp3



Cheers
Kim



Re: Squid slow in connecting to SSL

2016-02-01 Thread Kim Zeitler
Sorry for the long wait, but had a free weekend and none of the site 
techs got back to me until later today.


On 01/29/16 22:03, Stuart Henderson wrote:

If you have contact with any of the site admins see if they are
running on linux with tcp_tw_recycle=1, I think there is a strong
possibility that they are, and if so then they should fix their
configuration.

I wrote to our contact there and am trying to get the information if
they are using this setting.

I managed to get the information from their server and sadly

net.ipv4.tcp_tw_recycle = 0




Typical Linux behaviour (at least the version I tried) is to use a single
counter for all TCP sessions from the host so it would be more likely to
use 1,2,3 - 7,8,9 - 49,50,51 - 67,68,69.

This isn't required by TCP though - that only needs timestamps *within a
session* i.e src+dest host-port quad - to be increasing. Multiple sessions
are treated separately and can be in any order wrt each other. If I understand
correctly tw_recycle reduces it to just src+dest *host*.

If you have two hosts with the simple behaviour (single counter) going
through a NAT, it doesn't usually touch timestamps so they will be
out of order - maybe 49,50,51 - 67,68,69 - 1,2,3 - 7,8,9. This is
OK as far as TCP goes but breaks with tw_recycle. But in the NAT case
it's usually only noticed if two people from behind the same NAT visit
the site within the TIME_WAIT timeout window.

For a proxy, there is a cutoff. There are two TCP sessions end-to-end,
the packet data are copied across but not headers. The headers are subject
to the proxy's OS's behaviour.

Now... OpenBSD randomizes these per session. A random offset is applied
and stored as part of the TCP state. This is good because it's extra
entropy to help protect against blind spoofing, and avoids leaking
information about the host's uptime. So, as a simplified example, you could
have 4 consecutive sessions using 1,2,3 - 49,50,51 - 67,68,69 - 7,8,9 --
and that's ok. In spec for TCP, suggested by the newer RFC, and as you
can see above, it's totally normal for a natted connection to act like
this. It's just that Linux's tw_recycle misfeature gets confused.

If you run the proxy on an OS which doesn't offset timestamps like this
(note that OpenBSD has done this for many years), you won't trigger it,
but run it on OpenBSD and it's easy. You'll also be able to trigger it
by connecting from a single machine with a simple timestamp but running
the connection through a PF nat with the "modulate timestamps" option.

It can be worked around on your side. But if you do that the server admins
will likely never fix things (and maybe blame it on OpenBSD) so I'm
reluctant to mention it on list - and that workaround will throttle tcp
for all connections to/from the server, limiting you to about 5Mb max
for transatlantic connections.



Thank you Stuart again for this great explanation of this behaviour.
Sadly as noted above the server doesn't have this option set.

I am currently at a loss and will gladly provide more information.

Cheers
Kim
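Stuart's explanation in this thread can be turned into a small simulation that shows the failure mode directly. This is an added example, not code from the thread or from either kernel: it models a tw_recycle-style per-peer-address check (drop a SYN whose timestamp is lower than the newest one recently seen from that address) and feeds it connections whose TSval either comes from one monotonic per-host clock, as the simple Linux behaviour described above, or carries a random per-connection offset, as OpenBSD does. Two hosts with their own clocks behind one NAT address reproduce the second case Stuart describes. The TIME_WAIT window, clock rate, the 198.51.100.1 address and the session counts are constructed values, and the check is a model of the behaviour described in the thread, not Linux's actual code.

```python
import random
from dataclasses import dataclass, field

TIME_WAIT = 60.0           # seconds the server remembers a closed peer (constructed)
CLOCK_HZ = 1000            # timestamp clock ticks per second (constructed)
NAT_ADDR = "198.51.100.1"  # the one address every client appears from (constructed)


@dataclass
class RecycleServer:
    """Per-peer-address memory as a tw_recycle-style check keeps it: the
    highest TSval seen from that address and when it was last seen."""
    peers: dict = field(default_factory=dict)    # addr -> (max_tsval, seen_at)
    rejected: list = field(default_factory=list)

    def accept_syn(self, addr, tsval, now):
        """Accept a SYN unless its TSval is older than what this address sent
        within the TIME_WAIT window; to a per-host check that looks like a
        stale duplicate, so it is dropped."""
        prev = self.peers.get(addr)
        if prev is not None:
            max_ts, seen_at = prev
            if now - seen_at < TIME_WAIT and tsval < max_ts:
                self.rejected.append((addr, tsval, max_ts))
                return False
            tsval = max(tsval, max_ts)
        self.peers[addr] = (tsval, now)
        return True


def simulate(per_connection_offset, n_hosts=1, n_sessions=20, seed=7):
    """Open n_sessions connections, one per second, from n_hosts clients that
    all sit behind NAT_ADDR. Returns (accepted, rejected) counts."""
    rng = random.Random(seed)
    server = RecycleServer()
    # One fixed offset per host models a single monotonic timestamp clock;
    # kept below 2**31 so the 32-bit wrap cannot interfere in this toy run.
    host_offsets = [rng.randrange(2**31) for _ in range(n_hosts)]
    accepted = 0
    for i in range(n_sessions):
        now = float(i)
        ticks = int(now * CLOCK_HZ)
        if per_connection_offset:
            offset = rng.randrange(2**32)       # fresh secret offset per connection
        else:
            offset = host_offsets[i % n_hosts]  # round-robin over the NATed hosts
        tsval = (ticks + offset) % 2**32
        if server.accept_syn(NAT_ADDR, tsval, now):
            accepted += 1
    return accepted, len(server.rejected)


if __name__ == "__main__":
    print("one host, single clock:      ", simulate(False, n_hosts=1))
    print("two hosts behind NAT:        ", simulate(False, n_hosts=2))
    print("per-connection random offset:", simulate(True))
```

The first run accepts everything, because one monotonic clock never goes backwards. The other two lose connections even though every individual session carries perfectly valid, increasing timestamps, which is exactly why the check only belongs within a connection and not per host.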



Re: Squid slow in connecting to SSL

2016-01-29 Thread Kim Zeitler

On 01/29/16 15:00, Stuart Henderson wrote:



$ curl https://owncloud.XX/apps/files_pdfviewer/js/previewplugin.js
curl: (7) Failed to connect to owncloud.XX port 443: Operation timed out


I have access to the logs and they show a mixture of 200 and 503


...and that pretty much matches the pattern I've seen connecting by
hand, so it's no big surprise that there are problems with the proxy
too.
Glad that you could reproduce the problem, I was starting to doubt my 
own abilities with a 'simple' proxy.





If you have contact with any of the site admins see if they are
running on linux with tcp_tw_recycle=1, I think there is a strong
possibility that they are, and if so then they should fix their
configuration.
I wrote to our contact there and am trying to get the information if 
they are using this setting.


They're likely to be breaking connections for NATted clients
too (and this is only going to get worse as more ISPs start
using CG-NAT for IPv4). The links in the above post have
detailed explanations.

OpenBSD uses this method which is described in RFC7323 sec 5.4
(OpenBSD's implementation predates this RFC by some years).

o  A random offset may be added to the timestamp clock on a per-
   connection basis.  See [RFC6528], Section 3, on randomizing the
   initial sequence number (ISN).  The same function with a different
   secret key can be used to generate the per-connection timestamp
   offset.

There was a recent-ish change to the method used to generate the
offsets (MD5 to SHA512), I wondered if that had changed anything
so I've just checked from a 5.6 box, it does exactly the same -
if I make repeated connections to the owncloud box, some of them
fail.

Currently I am not fully able to get my mind round the details in the
post, but if I read it correctly the machine running with tw_recycle has
problems associating connections correctly because of similar host/port
pairs with different timestamps. Shouldn't this cause problems with all
proxied or NATed connections? I am simply asking as I somehow can't fit
in that openbsd+squid shows this particular behaviour yet
{freebsd,debian}+squid does not.


Thanks Stuart so far for what you have found and the patience to explain 
it to me.


Cheers
Kim



Re: Squid slow in connecting to SSL

2016-01-29 Thread Kim Zeitler

On 01/28/16 23:04, Stuart Henderson wrote:

On 2016-01-28, Kim Zeitler  wrote:

Currently I am trying to solve the phenomenon that certain SSL sites are slow
when accessed via squid on OpenBSD. Mostly ownCloud in my case as well
as several web shops. The login screen alone takes minutes to load.


I'm not seeing that here (squid 3.5.13 and squidclamav from packages
on recent -current, in front of a handful of Windows boxes and 30-odd
OpenBSD/GNOME/Chromium/LibreOffice workstations).
Running a similar-sized setup here with ~60 clients (Win/Linux/OpenBSD),
and normal operation is fine; some complaints about it being slightly slow,
but...


Need more information. If it's consistent for certain sites, which
sites? Have you looked in logs etc?


I will gladly provide any information you need.

It was reported to me that several webshops seem to have this problem
and one of our clients' owncloud sites (I'll send you the link off-list).

I have access to the logs and they show a mixture of 200 and 503

# /var/squid/logs/access.log
...
1454058493.156     67 172.16.10.42 TCP_TUNNEL/200 2748 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -

...
1454058498.761  18089 172.16.10.42 TCP_TUNNEL/200 20017 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058498.830     65 172.16.10.42 TCP_TUNNEL/200 2917 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058498.899     67 172.16.10.42 TCP_TUNNEL/200 4307 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058499.091   6055 172.16.10.42 TCP_TUNNEL/200 866 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058499.268   6110 172.16.10.42 TCP_TUNNEL/200 33106 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058540.011  59136 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058541.017  59623 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058547.097  59817 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058558.228  59326 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058559.036  59766 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058559.036  59943 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058559.087  18066 172.16.10.42 TCP_TUNNEL/200 6251 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058559.116     74 172.16.10.42 TCP_TUNNEL/200 1096 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058559.121     78 172.16.10.42 TCP_TUNNEL/200 4679 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058559.174     77 172.16.10.42 TCP_TUNNEL/200 7765 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058564.304   6071 172.16.10.42 TCP_TUNNEL/200 15279 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058600.688  60672 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058607.767  60665 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058607.838     67 172.16.10.42 TCP_TUNNEL/200 2395 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058607.842     72 172.16.10.42 TCP_TUNNEL/200 3877 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058607.989    172 172.16.10.42 TCP_TUNNEL/200 21988 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058613.832   6061 172.16.10.42 TCP_TUNNEL/200 1197 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058613.870   6063 172.16.10.42 TCP_TUNNEL/200 7086 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058625.902  18089 172.16.10.42 TCP_TUNNEL/200 21260 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -



The current configuration is squid-ldap(3.5.13) from packages  on
-current running on a KVM host as VM (4 cores, 2GB RAM, virtio HDD and NIC)


That seems a bit low RAM for Squid, but I doubt that's the problem
for TLS sites which will just be CONNECT tunnels unless you've made
a lot more config changes than you mentioned.

I doubled the RAM on the machine, but no difference. As a test of whether
the virtualization is to blame, we set up a similar machine on HW, basically
virgin -current with only squid installed from packages without touching
the config in any way, and had the same effect.


As an idea I added a local unbound to the test proxy and had squid run
its DNS through that, but to no avail.
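The access.log excerpt in this message already carries the signature of the problem: every failed CONNECT is a TAG_NONE/503 with HIER_NONE and an elapsed time of roughly 60 s, a connection that never completed, interleaved with CONNECTs to the same host that succeed in well under 100 ms. The following is an added example, not code from the thread or from Squid: it parses native-format access.log lines (a constructed subset of the lines quoted above) and summarises, per destination, how many tunnels succeeded, how many timed out, and the slowest success, so the pattern stands out without reading raw logs. The 55 s timeout threshold is a constructed assumption chosen to sit under the ~60 s seen here.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed subset of the access.log lines quoted above, in Squid's native
# format: timestamp elapsed-ms client code/status bytes method URL ident
# hierarchy/host type.
SAMPLE_LOG = """\
1454058493.156     67 172.16.10.42 TCP_TUNNEL/200 2748 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058498.761  18089 172.16.10.42 TCP_TUNNEL/200 20017 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058499.091   6055 172.16.10.42 TCP_TUNNEL/200 866 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058540.011  59136 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058541.017  59623 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058559.116     74 172.16.10.42 TCP_TUNNEL/200 1096 CONNECT owncloud.some.domain:443 - HIER_DIRECT/ -
1454058600.688  60672 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
"""


@dataclass
class Entry:
    ts: float
    elapsed_ms: int
    client: str
    code: str        # e.g. TCP_TUNNEL, TAG_NONE
    status: int      # HTTP status Squid returned, e.g. 200, 503
    method: str
    url: str
    hierarchy: str   # e.g. HIER_DIRECT (reached the origin), HIER_NONE (never did)


def parse_line(line):
    """Parse one native-format line; returns None for short or foreign lines."""
    f = line.split()
    if len(f) < 9:
        return None
    code, _, status = f[3].partition("/")
    hier, _, _peer = f[8].partition("/")
    return Entry(float(f[0]), int(f[1]), f[2], code, int(status), f[5], f[6], hier)


def classify(e, timeout_ms=55000):
    """A CONNECT that never reached a peer, failed with 5xx and ran for about
    the connect timeout is a connect timeout; a 2xx is a success."""
    if (e.method == "CONNECT" and e.hierarchy == "HIER_NONE"
            and e.status >= 500 and e.elapsed_ms >= timeout_ms):
        return "timeout"
    if 200 <= e.status < 300:
        return "ok"
    return "other"


def summarize(text):
    """Per destination: counts per class and the slowest successful tunnel."""
    out = defaultdict(lambda: {"ok": 0, "timeout": 0, "other": 0, "max_ok_ms": 0})
    for line in text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        kind = classify(e)
        s = out[e.url]
        s[kind] += 1
        if kind == "ok":
            s["max_ok_ms"] = max(s["max_ok_ms"], e.elapsed_ms)
    return dict(out)


if __name__ == "__main__":
    for dest, s in summarize(SAMPLE_LOG).items():
        print(f"{dest}: ok={s['ok']} timeout={s['timeout']} "
              f"other={s['other']} slowest_ok={s['max_ok_ms']} ms")
```

A destination whose successes take either milliseconds or many seconds, with 60 s timeouts in between, is the shape Stuart's explanation of dropped SYNs predicts; a destination that is uniformly slow would point at bandwidth or the proxy itself instead.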



Squid slow in connecting to SSL

2016-01-28 Thread Kim Zeitler

Hello all

Currently I am trying to solve the phenomenon that certain SSL sites are slow
when accessed via squid on OpenBSD. Mostly ownCloud in my case as well
as several web shops. The login screen alone takes minutes to load.


I tested this also with squid running on a debian vm showing no problems 
at all.


The current configuration is squid-ldap(3.5.13) from packages  on 
-current running on a KVM host as VM (4 cores, 2GB RAM, virtio HDD and NIC)


My squid.cfg is basically the default except for setting $localnet a bit
stricter.


Any help is much appreciated

Cheers Kim



Re: Advices for a new laptop

2015-10-29 Thread Kim Zeitler

What about the B50-80 (80LT003C): i3, Intel HD 4400, wifi B/G/N/AC,
Gigabit Ethernet, 2x USB3.

Got some for testing here (meant to run Windows actually) and had
some minor issues with them and sadly not enough time to look
fully into it. But first impressions weren't that 'impressive'.


My x220 is outstanding. The only device that isn't supported is the
fingerprint reader.  Also the mSATA slot is great for a second SSD. I
dual boot OpenBSD and Arch (for when I need a Virtual Machine) and
just use the F12 key at boot to select the drive I boot off of. Really
simplifies the set up. Also you can put 16gb of ram in this model
(even with an i5 processor) even though the specs say max of 8gb.
Can only second this, running on an older x220 with an i7 on a fully
encrypted mSATA SSD. Still faster than my coworkers' newer kits.
Only thing I had to replace was one battery. Otherwise fine even after
several years of service.


Money on an x220 is well spent. Also they feel more solid than the B50s.

Need to try extending my RAM to 16GB - thanks for the hint Bryan.

Cheers,
Kim



Re: pledge(2) problems on 18/x/ octeon snapshot

2015-10-21 Thread Kim Zeitler

Might be a stupid question, but I haven't found an answer to it yet
- how does one update to a new snapshot/kernel on an octeon system?


boot bsd.rd and select upgrade in the installer. (i hope.)


I'm afraid this is not as simple as this, yet. You will also need to
copy your kernel to the fat16 partition created during the install,
since this is the only filesystem #$%^@# u-boot can read.


Wouldn't this be a sensible addition to the INSTALL.octeon readme?

Something along the lines of:

--- INSTALL.octeon.new  Wed Oct 21 09:29:17 2015
+++ INSTALL.octeon  Wed Oct 21 09:34:50 2015
@@ -816,7 +816,8 @@
 helper script, since all components of your system may not function
 correctly until your files in `/etc' are updated.

-
+Note: Due to the limitations of U-Boot scripts/bootloader you need to
+copy your new bsd and bsd.rd to the MSDOS partition.

 Getting source code for your OpenBSD System:
 
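Review bot: the file labels look reversed: `--- INSTALL.octeon.new` is on the original side and `+++ INSTALL.octeon` on the modified side, so as posted the hunk describes adding the note to the old file; regenerate it as `diff -u INSTALL.octeon INSTALL.octeon.new` so it applies to the shipped text. On wording, "Due to the limitations of U-Boot scripts/bootloader" is vague about what the reader must do and why; something like "Note: U-Boot can only load the kernel from the MSDOS partition created during the install, so after upgrading copy the new bsd and bsd.rd there as well." says both, and matches the fat16 partition remark earlier in the thread.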



Re: pledge(2) problems on 18/x/ octeon snapshot

2015-10-20 Thread Kim Zeitler

Sorry for the last empty answer - you shouldn't try to multi-task


boot bsd.rd and select upgrade in the installer. (i hope.)


Thanks for the answer Ted, I will try it with the next snapshot and
will give feedback

Cheers
Kim



Re: pledge(2) problems on 18/x/ octeon snapshot

2015-10-20 Thread Kim Zeitler

On 10/20/15 15:30, Ted Unangst wrote:

Kim Zeitler wrote:

Hello Sebastien, hello Jonathan

@Sebastien thank you for your valuable hints and advice, I did learn
quite a bit from it. The machine has been reinstalled to the latest
snapshot, as it is needed.

On 10/20/15 12:30, Jonathan Gray wrote:

There is no OpenBSD bootloader for armv7 or octeon, in part because
u-boot by default provides no interface for enumerating disks, reading blocks
or putc/getc equivalents unlike firmware shipped with almost every
other system.

As a result the kernel has to live on filesystems u-boot understands,
fat32 or ext2 not ffs.  So /bsd will not be the kernel that is loaded.

Might be a stupid question, but I haven't found an answer to it yet
- how does one update to a new snapshot/kernel on an octeon system?


boot bsd.rd and select upgrade in the installer. (i hope.)



--
Kim Zeitler
Bachelor of Science (Hons)

Konzept Informationssysteme GmbH
Am Weiher 13 • 88709 Meersburg

Fon: +49 7532 4466-240
Fax: +49 7532 4466-66
kim.zeit...@konzept-is.de
www.konzept-is.de

Amtsgericht Freiburg 581491 • Geschäftsführer: Heinz Grötzinger,
Dr. Udo Konzack, Hans-Peter Zimmermann



Re: pledge(2) problems on 18/x/ octeon snapshot

2015-10-20 Thread Kim Zeitler

Hello Sebastien, hello Jonathan

@Sebastien thank you for your valuable hints and advice, I did learn
quite a bit from it. The machine has been reinstalled to the latest
snapshot, as it is needed.

On 10/20/15 12:30, Jonathan Gray wrote:

There is no OpenBSD bootloader for armv7 or octeon, in part because
u-boot by default provides no interface for enumerating disks, reading blocks
or putc/getc equivalents unlike firmware shipped with almost every
other system.

As a result the kernel has to live on filesystems u-boot understands,
fat32 or ext2 not ffs.  So /bsd will not be the kernel that is loaded.

Might be a stupid question, but I haven't found an answer to it yet
- how does one update to a new snapshot/kernel on an octeon system?



kernel arguments like -c to get into ukc can be set via
setenv bootargs
though it seems the octeon code may not use that while armv7 does.

This was the part I was missing, ta.

Cheers,
Kim



Re: pledge(2) problems on 18/x/ octeon snapshot

2015-10-20 Thread Kim Zeitler

Hello

On 10/19/15 19:58, Sebastien Marie wrote:


RELEASE 5.8 returns ENOSYS ("Function not implemented") on tame(2) call
(which is the old name for pledge, so with the same syscall number).

I pulled the kernel down from the same URL path as the tgz I used.
Before reinstalling the system I noticed the kernel login string having
an older date than the snapshot.



I would be great if you can grab the kernel version echoed at boot time.
You could use `boot -c' in the boot loader, in order to enter in config
mode, and have the time to read the OpenBSD version.

Sadly the EdgeRouterLite has no 'real bootloader' but uses U-Boot, which I
guess is part of the problem.


My steps were as follows:

mv bsd obsd
mv /tmp/bsd /bsd
mv /tmp/bsd.rd /bsd.rd
reboot

Can it be that U-Boot does not cleanly reload the new kernel on reboot?


Cheers,
Kim



pledge(2) problems on 18/x/ octeon snapshot

2015-10-19 Thread Kim Zeitler

I just tried updating an EdgeRouterLite to the latest octeon snapshot
after replacing the kernel and unpacking base58.tgz.
Literally all commands lead to

: pledge: Function not implemented


I would offer a ktrace/kdump but sadly my kdump also returns with said 
error.


Cheers,
Kim



OpenIKED - send traffic selectors in own child sa

2015-10-19 Thread Kim Zeitler

Hello

Running -current I have currently got a minor issue with iked.

Trying to connect a security gateway running OpenIKED to a Fortinet
IPSEC fw. The connection is set up and seems to work (mostly) but the
following behaviour is a bit of an issue.


IKED sends one CHILD_SA request containing all Traffic Selectors. This
is RFC 5996 conformant. Sadly some of the proprietary VPN boxes have a
*suboptimal* implementation and want *one* CHILD_SA per traffic selector.


Reading iked/ikev2.c I found comments about iked not being able to
initiate multiple concurrent CREATE_CHILD_SA exchanges.


Coming round to my question - is it somehow possible to configure iked 
in such a way, that it sends one CHILD_SA per Traffic Selector or do I 
read the code correctly and it is simply NOT possible?


Cheers

Kim



Re: cu with XMODEM won't transfer file

2015-10-06 Thread Kim Zeitler

Hello


On 10/05/15 19:59, Nicholas Marriott wrote:

On Mon, Oct 05, 2015 at 10:07:21AM -0700, Philip Guenther wrote:

On Mon, Oct 5, 2015 at 6:54 AM, Kim Zeitler  wrote:

I am trying to transfer a new firmware to a switch using cu(1) with XMODEM
using a USB-to-RS232 adapter and running on -current.

The connection works fine, but the XMODEM transfer results in 'Resource temporarily
unavailable'

$cu -d -l /dev/ttyU0
...
~X
Local file? /tmp/fw.swi
cu: /tmp/fw.swi: Resource temporarily unavailable


The -d option makes cu open the tty with O_NONBLOCK so that it won't
block for carrier; perhaps it should be clearing the flag afterwards?
Hmm, no, it uses libevent, so maybe it should be *always* turning it
on, and xmodem_{read,write}() updated to use libevent too, or xmodem_send()
updated to explicitly mark it blocking during the transfer.


How about this?

(Not tested as I don't have any serial cables around at the moment :-/)





I have just tested it and can confirm it works great.

Many thanks to you for finding this and providing a patch so quickly.

Cheers Kim




Index: command.c
===
RCS file: /cvs/src/usr.bin/cu/command.c,v
retrieving revision 1.14
diff -u -p -r1.14 command.c
--- command.c   5 Oct 2015 17:53:56 -   1.14
+++ command.c   5 Oct 2015 17:56:14 -
@@ -51,6 +51,7 @@ pipe_command(void)
return;

restore_termios();
+   set_blocking(line_fd, 1);

switch (pid = fork()) {
case -1:
@@ -81,6 +82,7 @@ pipe_command(void)
break;
}

+   set_blocking(line_fd, 0);
set_termios();
  }

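Review bot: the restore `set_blocking(line_fd, 0);` sits after the `switch (pid = fork())` block, so it is only reached if every case, including `case -1:` whose body lies outside the hunk, falls through to the end of the switch instead of returning. If the fork-failure path returns early, the line is left in blocking mode when the libevent loop resumes and the next line_read would stall. Either confirm that path reaches the restore or reset the flag there too; the same applies to the matching hunks in connect_command() below. The ordering itself is right: clearing O_NONBLOCK before fork() is what lets the child, which shares the open file description, see a blocking line.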
@@ -102,6 +104,7 @@ connect_command(void)
return;

restore_termios();
+   set_blocking(line_fd, 1);

switch (pid = fork()) {
case -1:
@@ -129,6 +132,7 @@ connect_command(void)
break;
}

+   set_blocking(line_fd, 0);
set_termios();
  }

Index: cu.c
===
RCS file: /cvs/src/usr.bin/cu/cu.c,v
retrieving revision 1.22
diff -u -p -r1.22 cu.c
--- cu.c18 May 2015 09:35:05 -  1.22
+++ cu.c5 Oct 2015 17:56:14 -
@@ -186,6 +186,7 @@ main(int argc, char **argv)
NULL);
bufferevent_enable(output_ev, EV_WRITE);

+   set_blocking(line_fd, 0);
line_ev = bufferevent_new(line_fd, line_read, NULL, line_error,
NULL);
bufferevent_enable(line_ev, EV_READ|EV_WRITE);
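Review bot: this call makes the line non-blocking for the bufferevent in every mode, where before only -d (which opens with O_NONBLOCK so as not to wait for carrier, per the discussion above) did so. That is the right state for libevent, but it is a behaviour change for the default mode and deserves a sentence in the commit message; also worth checking that set_line() or anything else that runs before this point does not rely on a blocking read of line_fd.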
@@ -209,6 +210,21 @@ signal_event(int fd, short events, void
  }

  void
+set_blocking(int fd, int state)
+{
+   int mode;
+
+   if ((mode = fcntl(fd, F_GETFL)) == -1)
+   cu_err(1, "fcntl");
+   if (!state)
+   mode |= O_NONBLOCK;
+   else
+   mode &= ~O_NONBLOCK;
+   if (fcntl(fd, F_SETFL, mode) == -1)
+   cu_err(1, "fcntl");
+}
+
+void
  set_termios(void)
  {
struct termios tio;
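Review bot: set_blocking() reads inversely to its name: `state` 1 clears O_NONBLOCK (blocking) and 0 sets it (non-blocking), so `set_blocking(line_fd, 0)` in main() means "make non-blocking". A one-line comment above the function, or naming it set_nonblocking() with the sense flipped, would save each caller a lookup. Also the diff adds no `#include <fcntl.h>` to cu.c, so F_GETFL, F_SETFL and O_NONBLOCK must already be in scope there; if they only arrive through another header, include it explicitly.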
@@ -342,7 +358,7 @@ try_remote(const char *host, const char

if (entry != NULL && cgetset(entry) != 0)
cu_errx(1, "cgetset failed");
-   error = cgetent(&cp, (char**)paths, (char*)host);
+   error = cgetent(&cp, (char **)paths, (char *)host);
if (error < 0) {
switch (error) {
case -1:
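Review bot: the `(char **)paths, (char *)host` spacing change in try_remote() is unrelated to the blocking fix; it is fine as style(9) cleanup but belongs in its own commit so the functional change stays minimal and easy to bisect.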
Index: cu.h
===
RCS file: /cvs/src/usr.bin/cu/cu.h,v
retrieving revision 1.6
diff -u -p -r1.6 cu.h
--- cu.h10 Jul 2012 12:47:23 -  1.6
+++ cu.h5 Oct 2015 17:56:14 -
@@ -27,6 +27,7 @@ extern FILE   *record_file;
  extern struct termios  saved_tio;
  extern int line_fd;
  extern struct bufferevent *line_ev;
+voidset_blocking(int, int);
  intset_line(int);
  void   set_termios(void);
  void   restore_termios(void);
Index: xmodem.c
===
RCS file: /cvs/src/usr.bin/cu/xmodem.c,v
retrieving revision 1.7
diff -u -p -r1.7 xmodem.c
--- xmodem.c21 Sep 2014 05:29:47 -  1.7
+++ xmodem.c5 Oct 2015 17:56:14 -
@@ -137,8 +137,9 @@ xmodem_send(const char *file)
if (tcsetattr(STDIN_FILENO, TCSAFLUSH, &tio) != 0)
cu_err(1, "tcsetattr");
}
-
+   set_blocking(line_fd, 1);
tcflush(line_fd, TCIFLUSH);
+
if (xmodem_read(&c) != 0)
goto fail;
if (c == XMODEM_C)
@@ -214,6 +215,7 @@ fail:
cu_warn("%s", file);

  out:
+   set_blocking(line_fd, 0);
set_termios();

sigaction(SIGINT, &oact, NULL);
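Review bot: switching to blocking right after the tcsetattr() block and back at `out:` is sound as far as the hunks show: both `fail:` and the normal path end at `out:`, so the flag is restored on every path visible here, and the `cu_err(1, "tcsetattr")` above exits the process so it needs no restore. Please double-check the body of xmodem_send() between the two hunks for any other early `return`, since that would leave the line blocking for the event loop. The moved blank line around `tcflush(line_fd, TCIFLUSH)` is cosmetic.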




cu with XMODEM won't transfer file

2015-10-05 Thread Kim Zeitler

Hello,

I am trying to transfer a new firmware to a switch using cu(1) with
XMODEM using a USB-to-RS232 adapter and running on -current.


The connection works fine, but the XMODEM transfer results in 'Resource
temporarily unavailable'


$cu -d -l /dev/ttyU0
...
~X
Local file? /tmp/fw.swi
cu: /tmp/fw.swi: Resource temporarily unavailable
...

I tried this with different files and also with non-existent files,
resulting correctly in a file not found.



$ ls -la /tmp/fw.swi
-rw-r--r--  1 zeitler  wheel  6903134 Oct  5 15:29 /tmp/fw.swi

$ ls -la /dev/ttyU0
crw-rw-rw-  1 uucp  dialer   66,   0 Oct  5 15:48 /dev/ttyU0


Any help how to debug this further is much appreciated.

Cheers Kim



--
Kim Zeitler



IKEd, rising SAD count and DPD

2015-09-30 Thread Kim Zeitler

Hello
I have iked running connecting to a Fortigate FW.

Running 'ipsecctl -s a' gives me the correct flows, but a rising number 
of SADs. The tunnel has been up 5 days and I got 212 SADs installed.


Do I need to set up some kind of dpd to have the old SADs pulled down,
or is my error that ikelifetime and lifetime are not in seconds?



#cat /etc/iked.conf
...
ikev2 "h" active esp \
from $k_dev to $h_server \
from $k_server to $h_dev \
peer $h_gw \
ikesa auth hmac-sha2-256 \
enc aes-256 \
group modp1536 \
childsa auth hmac-sha2-256 \
enc aes-256 \
group modp1536 \
srcid '80.80.80.80' \
ikelifetime 28800 \
lifetime 14400 \
psk 'Some nice long hash'
...

Cheers,
Kim
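The accumulation described in this post (212 SAs after five days for one tunnel) is the kind of thing a short check against `ipsecctl -s sa` output catches early. The following is an added example, not code from the thread or from ipsecctl(8): it parses the `esp tunnel from A to B spi 0x... auth ... enc ...` lines in the format ipsecctl prints (as quoted in the pfkey_sa_last_used post below), counts SAs per direction, and flags any direction holding more than a healthy rekey cycle needs, i.e. the current SA plus the one being replaced. The sample reuses the two real SPIs from that post; the remaining SPIs and the `healthy_max` threshold are constructed.

```python
import re
from collections import Counter

# Constructed sample in the 'ipsecctl -s sa' layout. The first two SPIs are the
# ones quoted in the thread; the rest are made up to model a tunnel whose old
# SAs were never removed after rekeying.
SAMPLE_SAD = """\
SAD:
esp tunnel from 192.168.32.2 to 217.6.6.6 spi 0x2360324c auth hmac-sha2-256 enc aes-256
esp tunnel from 217.6.6.6 to 192.168.32.2 spi 0xa6537a08 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.32.2 to 217.6.6.6 spi 0x0000a001 auth hmac-sha2-256 enc aes-256
esp tunnel from 217.6.6.6 to 192.168.32.2 spi 0x0000a002 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.32.2 to 217.6.6.6 spi 0x0000a003 auth hmac-sha2-256 enc aes-256
esp tunnel from 217.6.6.6 to 192.168.32.2 spi 0x0000a004 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.32.2 to 217.6.6.6 spi 0x0000a005 auth hmac-sha2-256 enc aes-256
"""

SA_RE = re.compile(
    r"^(?P<proto>esp|ah|ipcomp|tcpmd5)\s+(?P<mode>tunnel|transport)\s+"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)\s+spi\s+(?P<spi>0x[0-9a-fA-F]+)"
)


def parse_sad(text):
    """Return a list of (src, dst, spi) tuples, one per SA line."""
    sas = []
    for line in text.splitlines():
        m = SA_RE.match(line.strip())
        if m:
            sas.append((m["src"], m["dst"], int(m["spi"], 16)))
    return sas


def sa_counts(sas):
    """Number of SAs installed per (src, dst) direction."""
    return Counter((src, dst) for src, dst, _spi in sas)


def stale_directions(sas, healthy_max=2):
    """Directions holding more SAs than a rekey needs (the current SA plus the
    one it replaces). healthy_max is a constructed threshold; anything above it
    is worth investigating as SAs that were never torn down."""
    return {k: n for k, n in sa_counts(sas).items() if n > healthy_max}


if __name__ == "__main__":
    sas = parse_sad(SAMPLE_SAD)
    print(f"{len(sas)} SAs installed")
    for (src, dst), n in sorted(stale_directions(sas).items()):
        print(f"  {src} -> {dst}: {n} SAs (expected at most 2)")
```

With lifetime 14400 s a single direction of a healthy tunnel cycles through one SA at a time, so a count that keeps climbing across rekeys, as the 212 above, points at the old SAs not being deleted rather than at the lifetime units.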



pfkey_sa_last_used: message: No such process

2015-09-21 Thread Kim Zeitler

Hi

I'm currently trying to set up an OpenIKED GW running 5.7-stable with a
proprietary fw/VPN hosted at one of our clients.


Seemingly it worked so far: ipsecctl shows flows and SADs. I was able to
ping a machine on the 'other side' but this stopped without apparent reason.


Diving deeper into the logs and running iked in foreground gave me two 
messages

'pfkey_sa_last_used: message: No such process'
 and
'ikev2_init_ike_sa: "h" is already active'

I would greatly appreciate any help with this one.

# ipsecctl -s all
FLOWS:
flow esp in from 192.168.80.120 to 172.16.10.0/24 peer 217.6.6.6 srcid 
IPV4/80.1.1.1 dstid IPV4/217.6.6.6 type use
flow esp out from 172.16.10.0/24 to 192.168.80.120 peer 217.6.6.6 srcid 
IPV4/80.1.1.1 dstid IPV4/217.6.6.6 type require
flow esp in from 192.168.106.0/24 to 192.168.3.30 peer 217.6.6.6 srcid 
IPV4/80.1.1.1 dstid IPV4/217.6.6.6 type use
flow esp out from 192.168.3.30 to 192.168.106.0/24 peer 217.6.6.6 srcid 
IPV4/80.1.1.1 dstid IPV4/217.6.6.6 type require

flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 192.168.32.2 to 217.6.6.6 spi 0x2360324c auth 
hmac-sha2-256 enc aes-256
esp tunnel from 217.6.6.6 to 192.168.32.2 spi 0xa6537a08 auth 
hmac-sha2-256 enc aes-256



#iked -dvv
...
ikev2_sa_tag:  (0)
ikev2_childsa_negotiate: proposal 2
ikev2_childsa_negotiate: key material length 128
ikev2_prfplus: T1 with 16 bytes
ikev2_prfplus: T2 with 16 bytes
ikev2_prfplus: T3 with 16 bytes
ikev2_prfplus: T4 with 16 bytes
ikev2_prfplus: T5 with 16 bytes
ikev2_prfplus: T6 with 16 bytes
ikev2_prfplus: T7 with 16 bytes
ikev2_prfplus: T8 with 16 bytes
ikev2_prfplus: Tn with 128 bytes
pfkey_sa_add: add spi 0x2360324c
pfkey_sa: udpencap port 4500
ikev2_childsa_enable: loaded CHILD SA spi 0x2360324c
pfkey_sa_add: update spi 0xa6537a08
pfkey_sa: udpencap port 4500
ikev2_childsa_enable: loaded CHILD SA spi 0xa6537a08
ikev2_childsa_enable: loaded flow 0x151839b73800
ikev2_childsa_enable: loaded flow 0x15180aa49400
ikev2_childsa_enable: loaded flow 0x151839b73c00
ikev2_childsa_enable: loaded flow 0x151839b73000
sa_state: VALID -> ESTABLISHED from 217.6.6.6:4500 to 192.168.32.2:4500 
policy 'h'

config_free_proposals: free 0x15180bc69880
ikev2_recv: INFORMATIONAL request from responder 217.6.6.6:4500 to 
192.168.32.2:4500 policy 'h' id 0, 80 bytes

ikev2_recv: ispi 0xd6e43c6448fe0750 rspi 0x7f77a74b12244234
ikev2_init_recv: unknown SA
ikev2_init_ike_sa: "h" is already active
-- last line repeated several times --
...


/var/log/daemon
...
Sep 21 11:38:46 h iked[8231]: pfkey_sa_last_used: message: No such process
Sep 21 11:39:46 h last message repeated 2 times
...

#cat /etc/iked.conf
...
ikev2 "h" active esp \
from $k_dev to $h_server \
from $postgres_server to $h_dev \
peer $h_gw \
ikesa auth hmac-sha2-256 \
enc aes-256 \
group modp1536 \
childsa auth hmac-sha2-256 \
enc aes-256 \
group modp1536 \
srcid '80.154.4.243' \
ikelifetime 28800 \
lifetime 28800 \
psk ""

#cat /etc/pf.conf
...
block return    # block stateless traffic

pass proto udp to port $ipsec_types

pass in on $ext_if proto esp from $h_gw
pass out on $ext_if proto esp to $h_gw

pass in on $ipsec_if proto ipencap from $h_gw keep state (if-bound)
pass out on $ipsec_if proto ipencap to $h_gw keep state (if-bound)

pass proto tcp from $k_dev to $h_server port $test_ports
pass proto tcp from $h_server port $test_ports to $k_dev
pass proto tcp from $h_dev to $h_postgres port postgresql
pass proto tcp from $h_postgres port postgresql to $h_dev
pass proto tcp from $k to (self) port ssh
pass proto tcp from 192.168.32.1 to (self) port ssh

pass inet proto icmp icmp-type $icmp_types
...

--
Cheers
Kim



Re: Ubiquiti EdgeRouter Lite

2015-08-18 Thread Kim Zeitler

> Here are my notes, which are basic, but should be enough to get you through if
> you're familiar with openbsd.
> http://www.tedunangst.com/flak/post/OpenBSD-on-ERL


Hi Ted,

I just worked through the /pub/OpenBSD/snapshots/octeon/INSTALL.octeon 
write-up and also read through your notes.


I had problems getting the boot loader to work with either bootcmd. It 
booted but ignored my rootdev option. I finally managed to get it 
booting using

'fatload usb 0 $loadaddr bsd; bootoctlinux $loadaddr rootdev=/dev/sd0'

Any ideas on this?

Furthermore, your notes said it is a bit weak as an ipsec gw. I was 
actually trying to use it as a small VPN box with ipsec at 10M-50M 
throughput; can it handle this?


Cheers
Kim



Re: how to add squid access log in /etc/newsyslog.conf

2015-07-14 Thread Kim Zeitler

Hello,

On 07/13/15 22:29, Stuart Henderson wrote:
> On 2015-07-13, Indunil Jayasooriya wrote:
>> I deleted 30 from that line. Now it looks like this.
>>
>> /var/squid/logs/access.log  _squid:_squid   640 14  *
>> @T00Z   /var/squid/logs/squid.pid
>>
>> Now it seems to work
>
> But now it sends the default signal which is HUP. In Squid, this drains
> existing connections and reloads the configuration, blocking new connections
> while that occurs. You probably want USR1.


This is correct, Squid wants a SIGUSR1 as this triggers the log
rotation (like calling 'squid -k rotate').

You need to configure

logfile_rotate 0

in squid.conf. This tells squid to rotate the files but keep itself.

Your newsyslog.conf file should look like this:
/var/squid/logs/cache.log _squid:_squid 640  2 250 @T00   ZB 
/var/run/squid.pid SIGUSR1


Compared to only using 'squid -k rotate' as Craig suggested, this will 
also compress the rotated log files.


Cheers
Kim



Re: Not able to pass BIOS drive check with OpenBSD drive attached

2014-08-01 Thread Kim Zeitler
Hello Adrian,

On 31.07.2014 18:59, Adrian Jervolino wrote:
> 
> My questions to you are: Has anybody ran into similar issues and was
> able to resolve them? Do you think this is a OpenBSD related issue and
> actually solveable (in a reasonable amount of time)?
> 
> Swapping the motherboard is currently no option, so I'm thankful for
> every hint.

We ran into this issue twice so far, once beginning of the year with a
couple of Gigabyte boards and some weeks ago with a couple of Intel 4th
Generation NUCs.

The NUCs were simple to solve as Intel has provided a BIOS Patch.

With the Gigabytes, after one week we had analyzed it far enough to see that
simply attaching an HDD used under OpenBSD (not only a system disk that had
been installed on) would trigger this problem.
Rewriting the partition table with fdisk on another machine let the
'faulty' boards access their BIOS again and see the disks.

Our suspicion at the time was the block size used by the OpenBSD system
(512 vs 4k).

We also disable UEFI boot in the bios.

Cheers,
Kim



Re: carp setup firewall

2014-07-25 Thread Kim Zeitler
Hello Waldemar,

On 24.07.2014 17:44, Waldemar Brodkorb wrote:
> Hi Peter,
> Peter Hessler wrote,
> 
>> if the addresses on the carp interface are out of sync, then the hashes
>> won't match, and the firewalls *WILL* conflict with each other.
>>
>> I recommend one IP per carp interface.  Far nicer in case you screw that
>> bit up, and much easier to balance IPs to one system or the other.
> 
> Thanks for the hints. The previous firewall is managed via
> fwbuilder, which does manage all the ip aliases for the wan
> interface for us. It seems fwbuilder has some support for carp,
> but I am not sure it will work with ip aliases.
> 
> Thanks so far
> Waldemar
> 

We have a similar setup here, with only a /29 range of external addresses.
So far we have had no problems running this using only one
external carp IF (using a private IP) and adding all external addresses
as aliases. But we do not use bi-nat for our DMZ servers.

As for fwbuilder, we did use it for some years with iptables, but during
our switch to OpenBSD found writing pf.conf by hand gave a cleaner and
faster fw.
The file is under version control and distributed and enabled by Puppet
on both our FW-CARP nodes.

Cheers,
Kim



Re: libiconv-1.14p1 - library c not found, bad major

2014-07-22 Thread Kim Zeitler
On 22.07.2014 17:55, Philip Guenther wrote:

>> OpenBSD gaia 5.5 GENERIC.MP#126 amd64
>>
> 
> That's not the 5.5 release.  The 5.5 release GENERIC.MP for amd64 had a
> banner of:
> OpenBSD 5.5 (GENERIC.MP) #315: Wed Mar  5 09:37:46 MST 2014
> 
> so the build number is clearly off.
> 
> 
> You have libc.so.75.0?  That was only present for about a month starting in
> mid May.  You've installed a snapshot of -current that's something between
> a month and 3 months old and *not* the 5.5 release.  You'll have a hard
> time finding packages that match that, so you should reinstall with the
> correct release files.

Thanks Philip for your fast reply,
that explains a lot - a colleague of mine gave me the install disk, claiming
it to be the 5.5-Release.
*sigh* - if you want something done right ...

again many thanks.

Kim



libiconv-1.14p1 - library c not found, bad major

2014-07-22 Thread Kim Zeitler
Hello,
yesterday I had to do a clean reinstall of a machine (RELEASE) and on
installing additional packages I ran into a libc 'bad major' error with
libiconv.

# uname -a
OpenBSD gaia 5.5 GENERIC.MP#126 amd64

# export PKG_PATH=http://openbsd.cs.fau.de/pub/OpenBSD/5.5/packages/amd64/
# pkg_add -iv libiconv
Update candidates: quirks-1.113 -> quirks-1.113 (ok)
Can't install libiconv-1.14p1 because of libraries
|library c.73.1 not found
| /usr/lib/libc.so.75.0 (system): bad major


Cheers,

-- 
Kim Zeitler



Re: Only two holes in a heck of a long time, but why?

2014-04-04 Thread Kim Zeitler
> All in all the default install is pretty useless in itself and I am going
> to quote "Absolute OpenBSD" by Michael Lucas:
> 
>   «You've installed OpenBSD and rebooted into a bare-bones system. Of
> course, a minimal Unix-like system is actually pretty boring. While it
> makes a powerful foundation, it doesn't actually do much of anything.»

I may be a bit pedantic here but considering Michael's quote, he said
*boring* not *useless*. This is also reflected in his second sentence
"... making a *powerful* foundation ..."

Having a small pool of OpenBSD machines running for web, email, CARPed
firewalls and networking applications, I usually only install one ports
package - puppet to have it fit into our configuration management



Joining the state of two carp interfaces

2014-02-20 Thread Kim Zeitler
Hello,

I have recently stumbled over a problem with a CARP router setup.
The routers have 2 carped interfaces, one for network A and B respectively.
We had the scenario that Router1 was Master for A and Backup for B,
Router2 Backup for A and Master for B. A manual demote managed to get one router
to be Master on A and B.
Is there a possibility to join the CARP state of 2 interfaces, i.e. both
Master or both Backup, no mix?

Thanks in advance

Kim Zeitler



Re: power failure resistance

2014-02-20 Thread Kim Zeitler
Another possibility, which we use here, is mounting "/" ro
and holding any other partition in rw as mfs filesystems (namely /tmp,
/home, /var/log and /var/db). Syslog goes to a central server.

These systems are managed via puppetd and the client remounts "/" rw,
runs and remounts back to "ro".

On 19.02.2014 12:38, Marko Cupać wrote:
> Hi,
> 
> I need to deploy a number of openbsd firewalls based on alix2d13
> hardware. The goal is to separate industrial network from LAN, in order
> to protect unpatched systems on industrial network from potential
> malware on LAN, while providing some level of access (mostly
> low-traffic VNC from LAN to industrial and sql in the opposite
> direction).
> 
> The problem is that we have very unstable power grid, resulting in
> unclean shutdowns of devices. I cannot UPS them all.
> 
> How can I configure firewalls so they are resistant to those power
> failures (ie do not need fsck)? How should I partition? Which partitions
> should be mount read-only? Which should be mount as memory disks? Which
> size should I allocate for memory disks (RAM is a constraint here as I
> have only 256Mb)? Any other advice?
> 
> Thank you in advance,
> 

-- 
Kim Zeitler
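An fstab of the kind Kim describes above (root read-only, the writable paths on memory file systems), as an added illustration rather than the poster's own file; the device name, sizes and option set are assumptions:

```fstab
# Added illustration of the layout described above; not the poster's file.
# /dev/wd0a, the sizes and the option set are assumed values.
# Root stays read-only; remounting it rw for a configuration run and back
# to ro afterwards (mount -uw / ... mount -ur /) is done by that run,
# not by fstab, so an unclean power-off never leaves / dirty.
/dev/wd0a  /         ffs  ro                          1 1
# Memory file systems are created empty on every boot, so nothing on them
# needs fsck after a power loss. Sizes are in 512-byte sectors (-s).
# nodev,nosuid keeps device nodes and setuid binaries off the writable paths.
swap       /tmp      mfs  rw,nodev,nosuid,-s=32768    0 0
swap       /home     mfs  rw,nodev,nosuid,-s=32768    0 0
swap       /var/log  mfs  rw,nodev,nosuid,-s=16384    0 0
swap       /var/db   mfs  rw,nodev,nosuid,-s=16384    0 0
```

Anything a daemon writes under that is not on one of these mfs mounts (for example /var/run) has to be moved onto one as well, and logs kept only on the mfs /var/log vanish at every reboot, which is why the poster ships syslog to a central server.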



Panic using tmpfs on current

2014-02-06 Thread Kim Twain
So, I know this may be the wrong mailing list, well, it is, but I'm a
first time user and I don't think I have enough information to open a
bug report.

I am trying openbsd 5.5 (current) on an smp amd64 machine.

After some late-night experiments with systrace, I decided that,
for untrusted applications, it would be better to have a separate user
(let's say temp1).

I added, on /etc/rc.local
mount_tmpfs -u temp1 -g temp1 -s 8G tmpfs /home/temp1

to recreate the home directory of the user at every startup. I could
have done it via fstab, I know.


The machine has 16G of ram installed.

I was watching a long (1h+) video with "minitube", so data may have
been written to /home/temp1, and I had a kernel panic.

trace:
panic() at panic+0xee
amap_wipeout() at amap_wipeout+0xf0
uvm_unmap_detach() at uvm_unmap_detach+0x90
sys_munmap() at sys_munmap+0x120
syscall() at syscall+0x24f

end trace frame: 0x832e23dc0, count: 0


show map:
MAP 0x81345da5: [0x71880c70a74->0x1c28348]
brk() allocate range: 0xc3c9df7540fa8348-0x90669066
stack allocate range: 0x53e589485590-0x48b486508ec8348
sz=1216454588, ref=838853055, version=2685829333, flags=0x48b48d2

show page:
PAGE 0x81345da5:
flags=40fa8348,
vers=-1010180235, wire_count=-1872337306, pa=0x53e589485590

uobject=0x71880c70a74, uanon=0xc0854881a01680d5,
offset=0xc28348 loan_count=-1872337306
[page ownership tracking disabled] wm_page_md 0x81345e0d

I also had show mount, show vnode and registers, but apparently output
is truncated...


I'm not sure about the cause, but after the panic, every time I ran
firefox, X froze; I couldn't switch back to a tty and had to perform a
hard reset.

Now I have unmounted the tmpfs over /home/temp1 and so far I have had no trouble.

I did run tmpfs without problems for some time, without specifying -s
8G and -u temp1 -g temp1.



Re: Is [binary] package signing planned?

2014-02-04 Thread Kim Twain
Thanks. I tried 5.5 on my laptop and as I said, it works, even better than
freebsd 10, despite being a beta. I will switch to openbsd with the
release. The only other problem is that I have external/ultrabay hdds that
use lvm2, and I'll have to migrate the data, I think.

Anyway, while it's fine to only warn the user in case of an invalid
signature, it would be nice to somehow inform him of the fact that packages
are signed, are being verified (outside of the man page), and that they
passed signature checks, like, for example, yum does.

After all, https informs the user of its use, via the extra S, a lock, a
green bar.
SSH is implicitly secure, and exposes the server's fingerprint. Not
providing positive feedback might trick the user into thinking that
packages are being installed securely while working with old or
misconfigured systems.

On Tuesday 4 February 2014, Marc Espie wrote:

> 2014-02-04 Kim Twain:
> > Does pkg_add automatically check these signatures, or, as of now, I'd
> need
> > to manually download the packages, verify them with signify and then
> install
> > them locally with pkg_add?
>
> In -current, if you don't use any flags to pkg_add, and you don't see any
> message at the end, the packages were signed and verified.
>
> (and by default, post 5.5, pkg_add will probably error out if the packages
> are not signed if you don't use -Dunsigned !)
>
> Maybe you're already using signed packages and haven't noticed.
> (there were two or hiccups in some snapshots, but apart from that, things
> have been working great).
>
>
> Getting a streamlined process WAS the difficult part in getting signed
> packages out, NOT the technical feat of having signed packages...
>
> After all, pkg_create/pkg_add has known how to sign stuff for 3 years by
> now.
>
> signify(1) makes things more transparent: no chain of trust, pure keys.
>
> One cool thing is that the signatures are small enough that they can be
> embedded directly in the package (which already has sha256 for everything).
>
> This has the advantage of decentralization: package snapshots can be
> partially
> synchronized, and still each package carries its own signature. Less margin
> for strange errors -> stuff that works most of the time -> more
> trustworthy.
>
> Remember that message about ssh keys that changed that you used to get when
> admins weren't savvy about getting keys around, or all those self-signed
> https certificates you've been trained to ignore? Signatures are the same.
> If they're not 100% present by default, people will be trained to ignore
> them.
>
>
> If you think security is a technicality, you only have 1/3rd of the
> story. Getting the process right and making sure the users don't do
> anything stupid is the right part.



Is [binary] package signing planned?

2014-02-04 Thread Kim Twain
Hi. I'm seeing, in this mailing list, much talk about the datagate and
related matters, and I can see why the topic may be of interest to
many OpenBSD users.

Anyway, I really like OpenBSD, but I always restrain myself from using
it on a desktop machine for a single reason: while pkg_add supports
signed packages, those provided by the OpenBSD project aren't.

You can easily find other similar complaints on the internet... but I
really fail to understand why the project isn't providing signed
packages, when there is already support for it.

Why do signed packages matter?
Well, I can fetch the ports tree in a secure way, verify its integrity
and origin, and then ports definitions contain source packages hashes.
I like the idea and the flexibility, but on desktop computers, it may
be undesirable to compile software, especially big suites like X,
Gnome, Firefox, LibreOffice.

This gets even worse when the "desktop" is a laptop computer, like in my case.

I won't use unsigned packages, because there's a concrete risk of
corruption, I don't know if I should trust the mirror, and even with
the official OpenBSD mirrors... it's easy, really easy, for someone to
run an http/ftp MITM on me and give me a backdoored, or trojaned,
binary package.

Not only on a free WiFi, on a hotel, abroad, but even using a "secure"
connection, it's easy for the isp, or the government, to just give me
a "bad" bash package, and gain root in a clap of hands.

Then, the datagate revealed how easy it is to modify a stream "in
between": if there are people capable of intercepting someone's request
to linkedin on a rogue router in the path, and immediately giving back a
page that contains a browser exploit, before the real site can produce
a response, how easy is it to intercept, say, a pkg_add update to an
openbsd mirror and give back a backdoored package? I'm not talking
only about the five eyes; any government, even private entities, are
capable of this.

That's the reason why almost all gnu/linux distributions sign packages.
Even other *BSD distributions are starting to adopt signed binary
packages: pkg(ng), on freebsd, checks that the repository signature is
made with the right key. It calculates the public key's hash, and
compares it with the hash present in /usr/share/keys/pkg/trusted/.
The repository definition contains a list of packages' hashes, which
is the signed part. Every package provides a signature of all files
provided. TL;DR: pkgng is totally signed.

And pkg_add, as I already stated, while it doesn't have the concept of
a "repository", still supports individually signed packages. What is
holding the OpenBSD project from implementing signed binary packages,
and, is it planned?



Re: Patch to remove "adult" content from spamd(8) man page

2013-11-23 Thread Kim Lidström
On 23/11/13 04:20, Jason Barbier wrote:
> 
> On 11/22/2013 10:50 AM, Rick Pettit wrote:
>> Lewis,
>>
>> If censorship is your thing, why don’t you start by censoring yourself.
>>
>> What you are asking for here is offensive.
>>
>> -Rick
> +1
+1

>>
>> On Nov 22, 2013, at 12:26 PM, Paolo Aglialoro wrote:
>>
>>> On 22 Nov 2013 19:07, "J. Lewis Muir" wrote:
>>>> On 11/22/13 11:17 AM, Giancarlo Razzolini wrote:
>>>>> If it's offensive for you, compile your own spamd man page with
>>>>> the diff you so happily provided, and live the rest of your life
>>>>> happy. Remember to always take this pill again on 1st of May, and 1st
>>>>> of November, every year.
>>>> Hi, Giancarlo.
>>>>
>>>> Well, no one wants to maintain a patch forever.  I'd maintain it for a
>>>> while if there was a good chance it would get accepted at some point,
>>>> but if there's no chance, then I wouldn't bother.
>>>>
>>>> I'm a little puzzled over the whole resistance to the patch.  If I
>>>> wrote a man page for some software I wrote, and if an example in it was
>>>> considered off-color by someone, and that someone submitted a patch to
>>>> me to change it slightly to no longer be off-color to them, and they
>>>> asked in a kind way, and the patch didn't hurt the clarity of the man
>>>> page in any way, I would likely accept the patch.  How am I hurt by it?
>>>> I may not agree with the person, but why would I insist on keeping an
>>>> example that seems off-color to them?  If it's somehow offensive to them
>>>> and can be changed in a small way not to be, then I would accept the
>>>> patch to change it.  Everybody wins--no big deal.
>>>>
>>>> Lewis
>>> +1



Re: OpenBSD Culture? - dual boot info

2010-04-18 Thread Kim
@ Zachary

fwiw - I have Windows XP, Linux, and OpenBSD running on one machine
using two drives, but it should be possible with one.

I would recommend installing Windows first, or if already installed, shrink
the partition using Ranish partition manager or Parted Magic.
Create two new primary partitions and an extended partition.

Install OpenBSD on primary partition 2, GRUB on a small primary partition 3,
and Linux on the extended partition at the end of the disk.

Use the chainloader method of booting with GRUB, where the GRUB partition
is marked active, and it hands off the boot to the individual OS bootloaders
on the other partitions.

See here for more:
http://www.justlinux.com/forum/showthread.php?threadid=143973



OpenSSH and Certificate based

2009-11-17 Thread Kim John-VCK678
Hi Everyone,

I am new to this emailing list, so please excuse me if I am asking you
the question that has been asked many times...

We use OpenSSH for secure remote access, and we are wondering if we can
use x.509 certificates for authentication.  I have found Roumen
Petrov's patch that provides x.509 support
(http://roumenpetrov.info/openssh/), and I was wondering if the OpenBSD
development team plans on incorporating the patch into a future release.


I think this should be a great additional feature for OpenSSH and
OpenBSD.  Could you please tell me if you plan on incorporating this patch?
If not, could you please tell me why not?

Thank you,

BR

- John



Re: Open Vs Free BSD

2009-06-19 Thread Kim Attree
You'll struggle to find a proper apples-to-apples test to prove/disprove those
statements, but commonly held BSD Lore states:

FreeBSD offers the best performance, and it supports the most software. It's
commonly used for web or file servers and desktops. Also, FreeBSD is more
actively developed than the others.

OpenBSD focuses on security. It runs on more platforms than FreeBSD, but less
than NetBSD. Since security is the primary goal, it's excellent for routers
and secure-by-default servers. Popular desktop applications like Mozilla and
OpenOffice are supported, but don't expect every other Linux/UNIX program to
work.

NetBSD runs on just about anything. That's its primary goal. Since I don't
have any weird hardware, I've never had a use for NetBSD.

Kim Attree
IT Manager
Playsafe South Africa

-Original Message-
From: owner-freebsd-sta...@freebsd.org
[mailto:owner-freebsd-sta...@freebsd.org] On Behalf Of Michal
Sent: 19 June 2009 10:48 AM
To: misc@openbsd.org; freebsd-sta...@freebsd.org
Subject: Open Vs Free BSD

Someone once said this to me



"Comparing FreeBSD and OpenBSD, FreeBSD is generally better at disk-related
I/O whereas OpenBSD handles net-I/O better. No test has been carried out to
prove this though."



Every offence to the person who said this, but they are not the best admin
ever, though they like to think they are (the worst kind I think)



Can anyone shed any light? The reason I ask is we were debating about a
network and he said OpenBSD on the network (routers, firewall etc) and
FreeBSD as the app servers (mail, files etc etc), which I can see makes
sense, but without having evidence it's pointless making a claim.



Thanks :-)




small diff for cp.c - again

2008-01-03 Thread Kim Naim Lesmer
Hi. 

This is just a small diff for cp.c. I believe it will improve
readability a little bit.

Regards.

Sorry, the diff goes here:

--- cp.c2008-01-04 00:26:09.0 +0100
+++ cp_new.c2008-01-04 00:28:48.0 +0100
@@ -215,8 +215,9 @@
type = DIR_TO_DNE;
else
type = FILE_TO_FILE;
-   } else
+   } else {
type = FILE_TO_FILE;
+   }
} else {
/*
 * Case (2).  Target is a directory.
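Review bot: the hunk is purely cosmetic and changes no behaviour; it only braces the single-statement else branch (`} else {` / `type = FILE_TO_FILE;` / `}`) so that it mirrors the braced if branch above it, which style(9) permits but does not require, so the submission should state that rationale rather than "improve readability" alone. As posted, the file header lines `--- cp.c2008-01-04 ...` and `+++ cp_new.c2008-01-04 ...` have lost the tab between file name and timestamp, so patch(1) may not recover the file names; regenerate the diff (ideally against the CVS path of cp.c rather than a renamed copy) before resending.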



Re: Error updating 4.2 - permission denied (Solved)

2007-12-23 Thread kim
Jason George wrote:
>>>> ===
>>>>
>>>> I have cleared the /usr/src directory and reloaded the tree from the CD,
>>>> and gone through the
>>>> whole process again, but get the same error.
>>>>
>>>>
>>> This is the second time I've heard of this problem... 
>>>
>>> Could you tell us what the permissions are 
>>> on /usr/src/gnu/usr.bin/binutils/gdb/observer.sh?
>>>
>>> The permissions should be 755, whereas I'm guessing that you're missing the 
>>> execute bit(s). If this is the case correcting the file permissions should 
>>> allow you to run make build.
>>>   
>>>   
>> The permissions on /observer.sh were rw for owner (root) only. This was
>> also the case with all of the .sh files in that directory and others.
>>
>> I removed the /usr/src directory and all contents, and reloaded the
>> source files again from the CD and checked the permissions.
>> All of the .sh files now had the proper 755 permissions.
>>
>> When I then updated from [EMAIL PROTECTED] and when I
>> checked the permissions again, they had reverted back to rw only.
>>
>> All these were performed logged in as root.
>>
>> What would you recommend?
>> 
>
> "Try another anoncvs server just in the event that something is corrupted" 
> would seem more than reasonable.  There are around 20 servers listed at 
> anoncvs.html.
>
>
>   
Thanks for the help.

I removed the /usr/src directory and fetched source files from the
anoncvs3.usa server without using the source files from the CD first.

The build worked normally this time. Still a puzzle.



Re: Using the C programming language

2007-12-23 Thread Kim Naim Lesmer
On Sat, 22 Dec 2007 15:08:05 +0100
Erik Wikström <[EMAIL PROTECTED]> wrote:

> On 2007-12-22 12:06, Brian Hansen wrote:
> Hi.
>
> I address this issue on this list, because a lot of people here are
> very skillful C programmers.
>
> When looking at some of the different "reasons for security
> problems" such as:
> http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/
>
> I can't help wondering why so much software is being developed using
> C.

This isn't the right place, but since you did it anyway, try looking at
the compiler issue.

The Portable C Compiler (PCC) was written in the mid-1970s. PCC shipped
with BSD Unix until the release of 4.4BSD in 1994.

The history of Ada is?



Re: Error updating 4.2 - permission denied

2007-12-21 Thread kim
Joel Sing wrote:
> On Saturday 22 December 2007, kim wrote:
>   
>> Could anyone offer some help with an upgrading problem with 4.2 -stable?
>> The source tree and ports were installed from the official CD, and
>> upgraded with:
>>
>> Update source tree:
>>
>> cd /usr/src
>> cvs -d [EMAIL PROTECTED]:/cvs -q up -rOPENBSD_4_2 -Pd
>>
>> 
>>
>> Update ports tree:
>>
>> cd /usr/ports
>> cvs -d [EMAIL PROTECTED]:/cvs -q up -rOPENBSD_4_2 -Pd
>>
>> 
>>
>> Rebuild the kernel:
>>
>> cd /usr/src/sys/arch/i386/conf
>> /usr/sbin/config GENERIC
>> cd /usr/src/sys/arch/i386/compile/GENERIC
>> make clean && make depend && make
>>
>> 
>>
>> Reboot the kernel:
>>
>> cd /usr/src/sys/arch/i386/compile/GENERIC
>> cp /bsd /bsd.old
>> cp bsd /bsd
>> reboot
>>
>> 
>>
>> Rebuild system binaries:
>>
>> rm -rf /usr/obj/*
>> cd /usr/src
>> make obj
>> cd /usr/src/etc && env DESTDIR=/ make distrib-dirs
>> cd /usr/src
>> make build
>>
>> =
>>
>> When rebuilding system binaries, I get this:
>>
>> /usr/src/gnu/usr.bin/binutils/gdb/observer.sh h
>> /usr/src/gnu/usr.bin/binutils/gdb/doc/observer.texi observer.h
>> /usr/src/gnu/usr.bin/binutils/gdb/observer.sh: Permission denied
>> *** Error code 1
>>
>> Stop in /usr/src/gnu/usr.bin/binutils/obj/gdb (line 1333 of Makefile).
>> *** Error code 1
>>
>> Stop in /usr/src/gnu/usr.bin/binutils/obj (line 21479 of Makefile).
>> *** Error code 1
>>
>> Stop in /usr/src/gnu/usr.bin/binutils (line 81 of
>> /usr/src/gnu/usr.bin/binutils/Makefile.bsd-wrapper).
>> *** Error code 1
>>
>> Stop in /usr/src/gnu/usr.bin.
>> *** Error code 1
>>
>> Stop in /usr/src/gnu.
>> *** Error code 1
>>
>> Stop in /usr/src.
>> *** Error code 1
>>
>> Stop in /usr/src (line 73 of Makefile).
>>
>> ===
>>
>> I have cleared the /usr/src directory and reloaded the tree from the CD,
>> and gone through the
>> whole process again, but get the same error.
>> 
>
> This is the second time I've heard of this problem... 
>
> Could you tell us what the permissions are 
> on /usr/src/gnu/usr.bin/binutils/gdb/observer.sh?
>
> The permissions should be 755, whereas I'm guessing that you're missing the 
> execute bit(s). If this is the case correcting the file permissions should 
> allow you to run make build.
>   
The permissions on /observer.sh were rw for owner (root) only. This was
also the case with all of the .sh files in that directory and others.

I removed the /usr/src directory and all contents, and reloaded the
source files again from the CD and checked the permissions.
All of the .sh files now had the proper 755 permissions.

When I then updated from [EMAIL PROTECTED] and when I
checked the permissions again, they had reverted back to rw only.

All these were performed logged in as root.

What would you recommend?

Thanks



Re: Error Updating 4.2-stable - Permission denied

2007-12-21 Thread kim
Oops

It seems someone else has the same error

http://archives.neohapsis.com/archives/openbsd/2007-12/1903.html

One solution:

"However... It seems to work as it should from the anoncvs1.usa.openbsd.org
mirror but *NOT* from my most used mirror which is
anoncvs1.ca.openbsd.org. "

From the OpenBSD site:

"NOTE: If you are updating a source tree that you initially fetched
from a different server, or from a CD, you *must* add the -d
[EMAIL PROTECTED]:/cvs options to cvs.

# cd /usr/src
# cvs -d [EMAIL PROTECTED]:/cvs -q up -Pd"

Is it possible to update the tree fetched from the CD with this server
(broken?), or do I need to use the .usa server for the entire download?

Thanks



Error updating 4.2 - permission denied

2007-12-21 Thread kim
Could anyone offer some help with an upgrading problem with 4.2 -stable?
The source tree and ports were installed from the official CD, and
upgraded with:

Update source tree:

cd /usr/src
cvs -d [EMAIL PROTECTED]:/cvs -q up -rOPENBSD_4_2 -Pd



Update ports tree:

cd /usr/ports
cvs -d [EMAIL PROTECTED]:/cvs -q up -rOPENBSD_4_2 -Pd



Rebuild the kernel:

cd /usr/src/sys/arch/i386/conf
/usr/sbin/config GENERIC
cd /usr/src/sys/arch/i386/compile/GENERIC
make clean && make depend && make



Reboot the kernel:

cd /usr/src/sys/arch/i386/compile/GENERIC
cp /bsd /bsd.old
cp bsd /bsd
reboot



Rebuild system binaries:

rm -rf /usr/obj/*
cd /usr/src
make obj
cd /usr/src/etc && env DESTDIR=/ make distrib-dirs
cd /usr/src
make build

=

When rebuilding system binaries, I get this:

/usr/src/gnu/usr.bin/binutils/gdb/observer.sh h
/usr/src/gnu/usr.bin/binutils/gdb/doc/observer.texi observer.h
/usr/src/gnu/usr.bin/binutils/gdb/observer.sh: Permission denied
*** Error code 1

Stop in /usr/src/gnu/usr.bin/binutils/obj/gdb (line 1333 of Makefile).
*** Error code 1

Stop in /usr/src/gnu/usr.bin/binutils/obj (line 21479 of Makefile).
*** Error code 1

Stop in /usr/src/gnu/usr.bin/binutils (line 81 of
/usr/src/gnu/usr.bin/binutils/Makefile.bsd-wrapper).
*** Error code 1

Stop in /usr/src/gnu/usr.bin.
*** Error code 1

Stop in /usr/src/gnu.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src (line 73 of Makefile).

===

I have cleared the /usr/src directory and reloaded the tree from the CD,
and gone through the
whole process again, but get the same error.

Is this possibly an error from the CD or the CVS site?

Thank you



OpenBSD 4.3 in peril?

2007-12-17 Thread kim
Hello all!

All this toing and froing is exhilarating, but is there any coding still
going on?

Don't make me install Frosty Warthog!!



Re: Printing with apsfilter

2007-11-10 Thread kim

Jacob Meuser wrote:

On Fri, Nov 09, 2007 at 01:20:14PM -0700, [EMAIL PROTECTED] wrote:
  

Hello all,

I would like to get some advice on printing with apsfilter on 4.2. I
have an Epson CX5400 multifunction printer that I normally use with the
Gutenprint drivers and CUPS on other Unix systems. I am only using this
as a local printer, so I don't really need something as elaborate as
CUPS to do the job.

Gutenprint is not available in ports, so I used ghostscript, which does
not include this printer as a supported device. I have been able to get
it to print somewhat in black and white using one of the drivers, but no
color.

How feasible is it to use FreeBSD compatibility mode and Gutenprint,
etc. packages from FreeBSD to use with apsfilter to make this work?
  


Probably more of a hassle than running -current, IMO.

  

What are other folks using on OpenBSD?
  


I don't have a working printer anymore, but I have used Epson printers
with OpenBSD for years.  There are now ports for:

print/gutenprint
print/ijs
print/foomatic-filters
print/foomatic-db
print/foomatic-db-engine

in -current, which allow the easy integration of gutenprint drivers
with the standard ghostscript port/package.  These drivers can then
be used with lpd, CUPS, direct printing, or whatever way you prefer.

But please read the messages that are displayed when the packages
are installed!!

  

Thanks

      

Hi Kim,
I do not use LPD (apsfilter) on OpenBSD but rather CUPS, which is in
packages. That would probably be an easy solution to your problem as you
could get the PPD file directly from
http://www.linux-foundation.org/en/OpenPrinting
without the need for compiling Gutenprint.



Not true.

Plus, with the foomatic-db* packages, there is no need to go searching
for PPD files.

  
Thanks for the good info. Running -current seems a little daunting at 
the moment, so I think I will improvise until 4.3 release.


Cheers!



Printing with apsfilter

2007-11-09 Thread kim

Hello all,

I would like to get some advice on printing with apsfilter on 4.2. I 
have an Epson CX5400 multifunction printer that I normally use with the 
Gutenprint drivers and CUPS on other Unix systems. I am only using this 
as a local printer, so I don't really need something as elaborate as 
CUPS to do the job.


Gutenprint is not available in ports, so I used ghostscript, which does 
not include this printer as a supported device. I have been able to get 
it to print somewhat in black and white using one of the drivers, but no 
color.


How feasible is it to use FreeBSD compatibility mode and Gutenprint, 
etc. packages from FreeBSD to use with apsfilter to make this work?


What are other folks using on OpenBSD?

Thanks



Re: Problems booting 4.2 CD on two older machines.

2007-10-28 Thread kim

Barry Miller wrote:

On Sat, Oct 27, 2007 at 05:51:25PM -0700, kim wrote:

  
When the CD that I burned booted up, I got a message at boot: 
"/etc/boot.conf too large"



But that came from cdboot, right?  I don't think the rest of us in this
thread are getting that far.
  


The error message came as I was successfully booting with the new burned CD.



Re: Problems booting 4.2 CD on two older machines.

2007-10-27 Thread kim

Same problem here on a 3-year-old i386.

I copied the iso file from the install CD ( /4.2/i386/cd42.iso ) and 
burned it to another CD.


This booted fine, and then I copied all of the OpenBSD file sets from 
the install CD to complete the setup.


When the CD that I burned booted up, I got a message at boot: 
"/etc/boot.conf too large"

I will submit a bug report tomorrow.

I have ordered another install CD from the supplier.



New to OpenBSD - SSHD required?

2007-06-04 Thread Kim and Loretta
When installing OpenBSD and using anoncvs for updating, is it necessary 
to have SSHD enabled?  I do not need to access this box remotely.

and don't want any unnecessary services running.  Thanks.



Re: IPSec help..

2007-04-11 Thread Roy Kim

The Windows firewall is off. Dump is as follows:

# tcpdump -i sis0 'esp or (udp and (port 500 or port 4500))'
tcpdump: listening on sis0, link-type EN10MB
21:06:26.205252 work.isakmp > home.isakmp: isakmp v1.0 exchange ID_PROT
   cookie: 1a0f8d5bb2637ce2-> msgid: 
len: 3632 (frag 51066:[EMAIL PROTECTED])
21:06:26.735801 home.isakmp > work.isakmp: isakmp v1.0 exchange ID_PROT
   cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid:  len: 188
21:06:26.745392 work.isakmp > home.isakmp: isakmp v1.0 exchange ID_PROT
   cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid:  len: 184
21:06:27.103644 home.isakmp > work.isakmp: isakmp v1.0 exchange ID_PROT
   cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid:  len: 232
21:06:27.138275 work.ipsec-nat-t > home.ipsec-nat-t:udpencap: isakmp
v1.0 exchange ID_PROT encrypted
   cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid:  len: 860
21:06:27.575196 home.isakmp > work.ipsec-nat-t: isakmp v1.0 exchange
ID_PROT encrypted
   cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid:  len: 892
21:06:32.575767 home.isakmp > work.ipsec-nat-t: isakmp v1.0 exchange
INFO encrypted
   cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: dbc958f1 len: 92
21:06:37.235054 work.ipsec-nat-t > home.ipsec-nat-t:udpencap: isakmp
v1.0 exchange ID_PROT encrypted
   cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid:  len: 860
21:06:37.248721 home.isakmp > work.ipsec-nat-t: isakmp v1.0 exchange
ID_PROT encrypted
   cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid:  len: 892
21:06:37.619710 home.isakmp > work.ipsec-nat-t: isakmp v1.0 exchange
INFO encrypted
   cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 4c3bb90c len: 92
21:06:42.647504 home.isakmp > work.ipsec-nat-t: isakmp v1.0 exchange
INFO encrypted
   cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 88ad6544 len: 92
21:06:47.244914 work.ipsec-nat-t > home.ipsec-nat-t:udpencap: isakmp
v1.0 exchange ID_PROT encrypted
   cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid:  len: 860
21:06:47.263416 home.isakmp > work.ipsec-nat-t: isakmp v1.0 exchange
ID_PROT encrypted
   cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid:  len: 892
21:06:47.684881 home.isakmp > work.ipsec-nat-t: isakmp v1.0 exchange
INFO encrypted
   cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 5337bf54 len: 92
21:06:52.715304 home.isakmp > work.ipsec-nat-t: isakmp v1.0 exchange
INFO encrypted
   cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: eaeb08da len: 92

On 4/11/07, Dag Richards <[EMAIL PROTECTED]> wrote:

Roy Kim wrote:
> I'm trying to set up an ipsec tunnel between an openbsd and a windows
> box using X.509 certificates. Phase 1 gets successfully negotiated but
> then things crap out at step 1 of phase 2 and I don't have a clue
> what's wrong. Any thoughts?
>
> Isakmpd debug messages just after phase 1 is negotiated and ipsec.conf
> are as follows:
>
> ipsec.conf:
> ike dynamic esp tunnel from 192.168.0/8 to any \
>  srcid home dstid work
> ike dynamic esp tunnel from any to 192.168.0/8 \
>  srcid work dstid home
>
> isakmpd output using 'isakmpd -KvdD A=50'
> 191751.046228 Timr 10 timer_add_event: event
> exchange_free_aux(0x7df9b500) added before sa_soft_expire(0x85229200),
> expiration in 120s
> 191751.047319 Exch 10 exchange_establish_p2: 0x7df9b500   policy> policy initiator phase 2 doi 1 exchange 5 step 0
> 191751.049266 Exch 10 exchange_establish_p2: icookie 395faa725fd4c3b3
> rcookie 8e784c12cb6b04bd
> 191751.050294 Exch 10 exchange_establish_p2: msgid 47ef99ad sa_list
> 191751.052677 Cryp 50 crypto_init_iv: initialized IV:
> 191751.054075 Cryp 50 033b6e99 5e66c7ba 8efd5d22 8ffe8567
> 191751.055068 Cryp 30 crypto_encrypt: before encryption:
> 191751.057166 Cryp 30 0b18 68790ed1 9f0d6417 66838f05 de3393d7
> 9ec6dcb3 0020 0001
> 191751.058368 Cryp 30 01108d28 395faa72 5fd4c3b3 8e784c12 cb6b04bd
> 3340  
> 191751.060004 Cryp 30 crypto_encrypt: after encryption:
> 191751.061996 Cryp 30 bb6cda82 ec0c809f eac5e496 3102dffb 726b62a3
> 9f0d19e6 624ee717 c65f1486
> 191751.063409 Cryp 30 a35e8fb2 c9a6b8c8 2d03723f 7d6d0c68 909c42ea
> 0bf57a7f d8c817ce 070b8719
> 191751.064686 Cryp 50 crypto_update_iv: updated IV:
> 191751.066224 Cryp 50 909c42ea 0bf57a7f d8c817ce 070b8719
> 191751.068932 Exch 40 exchange_run: exchange 0x7df9b500 finished step
> 0, advancing...
> 191751.069968 Timr 10 timer_add_event: event
> dpd_check_event(0x85229200) added before
> connection_checker(0x8522a060), expiration in 5s
> 191751.07 Exch 10 exchange_finalize: 0x7df9b500   policy> policy initiator phase 2 doi 1 exchange 5 step 1
> 191751.073402 E
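An added example, not from the thread, that reads this tcpdump isakmp output: it groups identical packets to show the encrypted ID_PROT message from work being resent about every 10 seconds, and flags that home answers from the isakmp port while work is sending to ipsec-nat-t. The sample is constructed from the capture above with the wrapped lines joined and the stripped msgid and cookie zeros written out; the hostnames home and work are taken from the dump.

```python
"""Spot retransmissions and port mismatches in tcpdump(8) isakmp output.

Added example, not from the thread.  Parses the two-line records tcpdump
prints for IKEv1 and reports (1) identical packets sent again and again,
i.e. a step that never gets an accepted answer, and (2) a host answering
from a different UDP port than the one its peer just sent to.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the capture above: wrapped lines joined,
# and the msgid/cookie zeros the archive stripped are written out.
SAMPLE = """\
21:06:26.205252 work.isakmp > home.isakmp: isakmp v1.0 exchange ID_PROT
   cookie: 1a0f8d5bb2637ce2->0000000000000000 msgid: 00000000 len: 3632
21:06:26.735801 home.isakmp > work.isakmp: isakmp v1.0 exchange ID_PROT
   cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 00000000 len: 188
21:06:27.138275 work.ipsec-nat-t > home.ipsec-nat-t:udpencap: isakmp v1.0 exchange ID_PROT encrypted
   cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 00000000 len: 860
21:06:27.575196 home.isakmp > work.ipsec-nat-t: isakmp v1.0 exchange ID_PROT encrypted
   cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 00000000 len: 892
21:06:32.575767 home.isakmp > work.ipsec-nat-t: isakmp v1.0 exchange INFO encrypted
   cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: dbc958f1 len: 92
21:06:37.235054 work.ipsec-nat-t > home.ipsec-nat-t:udpencap: isakmp v1.0 exchange ID_PROT encrypted
   cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 00000000 len: 860
21:06:37.248721 home.isakmp > work.ipsec-nat-t: isakmp v1.0 exchange ID_PROT encrypted
   cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 00000000 len: 892
21:06:47.244914 work.ipsec-nat-t > home.ipsec-nat-t:udpencap: isakmp v1.0 exchange ID_PROT encrypted
   cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 00000000 len: 860
21:06:47.263416 home.isakmp > work.ipsec-nat-t: isakmp v1.0 exchange ID_PROT encrypted
   cookie: 1a0f8d5bb2637ce2->d37038c8086c3c7a msgid: 00000000 len: 892
"""

HEADER = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+) (\S+) > ([^\s:]+):(?:udpencap:)? "
    r"isakmp v1\.0 exchange (\w+)( encrypted)?\s*$")
COOKIES = re.compile(r"cookie: (\w+)->(\w*) msgid: (\w*) len: (\d+)")
NAT_T_PORTS = {"ipsec-nat-t", "4500"}  # RFC 3947 UDP-encapsulation port


def parse_isakmp_dump(text):
    """One dict per packet: time, src, dst, exchange, encrypted, cookies,
    msgid and length.  A header line is kept until its cookie line arrives."""
    packets, pending = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            time, src, dst, exchange, enc = m.groups()
            pending = dict(time=time, src=src, dst=dst, exchange=exchange,
                           encrypted=enc is not None)
            continue
        m = COOKIES.search(line)
        if m and pending is not None:
            pending.update(icookie=m.group(1), rcookie=m.group(2),
                           msgid=m.group(3), length=int(m.group(4)))
            packets.append(pending)
            pending = None
    return packets


def _seconds(hhmmss):
    h, m, s = hhmmss.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def _host_port(endpoint):
    host, _, port = endpoint.rpartition(".")
    return host, port


def find_retransmits(packets):
    """Packets indistinguishable on the wire (same endpoints, exchange,
    msgid and length) that were seen more than once, with the gaps between."""
    seen = defaultdict(list)
    for p in packets:
        seen[(p["src"], p["dst"], p["exchange"], p["msgid"], p["length"])].append(
            _seconds(p["time"]))
    report = []
    for (src, dst, exchange, _msgid, length), times in seen.items():
        if len(times) > 1:
            gaps = [round(b - a, 1) for a, b in zip(times, times[1:])]
            report.append(dict(src=src, dst=dst, exchange=exchange,
                               length=length, count=len(times), gaps=gaps))
    return report


def find_port_mismatches(packets):
    """A reply should leave the port the peer last sent to.  Moving to 4500
    is the normal NAT-T float and is not flagged; anything else is."""
    last_dport = {}  # (sender, receiver) -> port the sender last targeted
    report = []
    for p in packets:
        sh, sp = _host_port(p["src"])
        dh, dp = _host_port(p["dst"])
        addressed_on = last_dport.get((dh, sh))
        if (addressed_on is not None and sp != addressed_on
                and sp not in NAT_T_PORTS):
            report.append(dict(time=p["time"], host=sh, replies_from=sp,
                               peer_sent_to=addressed_on))
        last_dport[(sh, dh)] = dp
    return report


if __name__ == "__main__":
    pkts = parse_isakmp_dump(SAMPLE)
    for r in find_retransmits(pkts) + find_port_mismatches(pkts):
        print(r)
```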

IPSec help..

2007-04-11 Thread Roy Kim

I'm trying to set up an ipsec tunnel between an openbsd and a windows
box using X.509 certificates. Phase 1 gets successfully negotiated but
then things crap out at step 1 of phase 2 and I don't have a clue
what's wrong. Any thoughts?

Isakmpd debug messages just after phase 1 is negotiated and ipsec.conf
are as follows:

ipsec.conf:
ike dynamic esp tunnel from 192.168.0/8 to any \
 srcid home dstid work
ike dynamic esp tunnel from any to 192.168.0/8 \
 srcid work dstid home

isakmpd output using 'isakmpd -KvdD A=50'
191751.046228 Timr 10 timer_add_event: event
exchange_free_aux(0x7df9b500) added before sa_soft_expire(0x85229200),
expiration in 120s
191751.047319 Exch 10 exchange_establish_p2: 0x7df9b500   policy initiator phase 2 doi 1 exchange 5 step 0
191751.049266 Exch 10 exchange_establish_p2: icookie 395faa725fd4c3b3
rcookie 8e784c12cb6b04bd
191751.050294 Exch 10 exchange_establish_p2: msgid 47ef99ad sa_list
191751.052677 Cryp 50 crypto_init_iv: initialized IV:
191751.054075 Cryp 50 033b6e99 5e66c7ba 8efd5d22 8ffe8567
191751.055068 Cryp 30 crypto_encrypt: before encryption:
191751.057166 Cryp 30 0b18 68790ed1 9f0d6417 66838f05 de3393d7
9ec6dcb3 0020 0001
191751.058368 Cryp 30 01108d28 395faa72 5fd4c3b3 8e784c12 cb6b04bd
3340  
191751.060004 Cryp 30 crypto_encrypt: after encryption:
191751.061996 Cryp 30 bb6cda82 ec0c809f eac5e496 3102dffb 726b62a3
9f0d19e6 624ee717 c65f1486
191751.063409 Cryp 30 a35e8fb2 c9a6b8c8 2d03723f 7d6d0c68 909c42ea
0bf57a7f d8c817ce 070b8719
191751.064686 Cryp 50 crypto_update_iv: updated IV:
191751.066224 Cryp 50 909c42ea 0bf57a7f d8c817ce 070b8719
191751.068932 Exch 40 exchange_run: exchange 0x7df9b500 finished step
0, advancing...
191751.069968 Timr 10 timer_add_event: event
dpd_check_event(0x85229200) added before
connection_checker(0x8522a060), expiration in 5s
191751.07 Exch 10 exchange_finalize: 0x7df9b500   policy initiator phase 2 doi 1 exchange 5 step 1
191751.073402 Exch 10 exchange_finalize: icookie 395faa725fd4c3b3
rcookie 8e784c12cb6b04bd
191751.074675 Exch 10 exchange_finalize: msgid 47ef99ad sa_list
191751.076166 Timr 10 timer_remove_event: removing event
exchange_free_aux(0x7df9b500)
191751.077610 Mesg 20 message_free: freeing 0x7df9e000
191756.083274 Timr 10 timer_handle_expirations: event
dpd_check_event(0x85229200)
191756.084314 Mesg 10 dpd_check_event: peer not responding, retry 2 of 5



Re: Very slow raid performance with ami(4)

2007-03-31 Thread Roy Kim

Do you know if an Intel-rebadged SRCS28X would care if I plugged in an
LSI battery? On visual inspection the hardware looks 100% identical.
Probably the only thing changed is the firmware.

On 3/30/07, Stuart Henderson <[EMAIL PROTECTED]> wrote:

On 2007/03/30 13:18, Roy Kim wrote:
> I didn't realize there's two different batteries. What does the
> 'intelligent' version of the battery do extra?

LSIiBBU01 (intelligent) has some kind of comms relating to charge state
etc, I think it may also have a longer runtime.

LSIBBU03 (non-intelligent) doesn't, and was something like a third of the
price where I bought mine (scan.co.uk).

My approach was to get the cheaper one and spend the difference on
drives to backup at least some of the data onto, the amount of data you
can lose in one go with SATA RAID gets a bit worrying (-: (dump over
ssh to a hard drive on another machine is simple and quite effective).

Other tips include not rushing the installation (spend some time making
the cables nice and tidy) and set up some monitoring (sensorsd is fine);
besides RAID status, it is useful to check temperature, voltages, and
fan speed if you can.




Re: Very slow raid performance with ami(4)

2007-03-30 Thread Roy Kim

I didn't realize there's two different batteries. What does the
'intelligent' version of the battery do extra?

On 3/30/07, Stuart Henderson <[EMAIL PROTECTED]> wrote:

On 2007/03/30 11:07, Roy Kim wrote:
> Recently I bought an Intel SRCS28X (LSI Megaraid 300-8X card in
> disguise) and I'm getting terrible performance out of it. Reads are
> fine at around 90mb/s but writes bog down at 3mb/s. I don't have the
> battery unit installed but 3mb/s is ridiculous.

I have the battery and see faster writes than reads.

There are two different batteries you can use with the 300-8X;
an "intelligent" one and a reasonably-priced one :-)




Very slow raid performance with ami(4)

2007-03-30 Thread Roy Kim

Recently I bought an Intel SRCS28X (LSI Megaraid 300-8X card in
disguise) and I'm getting terrible performance out of it. Reads are
fine at around 90mb/s but writes bog down at 3mb/s. I don't have the
battery unit installed but 3mb/s is ridiculous.


OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Celeron(R) D CPU 3.06GHz ("GenuineIntel" 686-class) 3.06 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16
real mem  = 1072128000 (1047000K)
avail mem = 969981952 (947248K)
using 4256 buffers containing 53710848 bytes (52452K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(fd) BIOS, date 07/12/06, BIOS32 rev. 0 @
0xfd450, SMBIOS rev. 2.51 @ 0x3feeb000 (35 entries)
bios0: Supermicro PDSM4+
pcibios0 at bios0: rev 2.1 @ 0xfd450/0xbb0
pcibios0: PCI BIOS has 22 Interrupt Routing table entries
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82801GB LPC" rev 0x00)
pcibios0: PCI bus #15 is the last bus
bios0: ROM list: 0xc/0xb000 0xcb000/0x1000 0xcc000/0x1000 0xcd000/0x400!
ipmi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel E7230 MCH" rev 0xc0
ppb0 at pci0 dev 1 function 0 "Intel E7230 PCIE" rev 0xc0
pci1 at ppb0 bus 1
ppb1 at pci1 dev 0 function 0 "Intel PCIE-PCIE" rev 0x09
pci2 at ppb1 bus 2
"Intel IOxAPIC" rev 0x09 at pci1 dev 0 function 1 not configured
ppb2 at pci1 dev 0 function 2 "Intel PCIE-PCIE" rev 0x09
pci3 at ppb2 bus 3
ppb3 at pci3 dev 1 function 0 "Intel IOP331 PCIX-PCIX" rev 0x07
pci4 at ppb3 bus 4
ami0 at pci4 dev 14 function 0 "Symbios Logic MegaRAID SATA 4x/8x" rev
0x07: irq 10
ami0: Intel RAID SRCS28X, 32b, FW 813G, BIOS vH425, 128MB RAM
ami0: 1 channels, 0 FC loops, 3 logical drives
scsibus0 at ami0: 40 targets
sd0 at scsibus0 targ 0 lun 0:  SCSI2 0/direct fixed
sd0: 512000MB, 512000 cyl, 64 head, 32 sec, 512 bytes/sec, 1048576000 sec total
sd1 at scsibus0 targ 1 lun 0:  SCSI2 0/direct fixed
sd1: 512000MB, 512000 cyl, 64 head, 32 sec, 512 bytes/sec, 1048576000 sec total
sd2 at scsibus0 targ 2 lun 0:  SCSI2 0/direct fixed
sd2: 196700MB, 196700 cyl, 64 head, 32 sec, 512 bytes/sec, 402841600 sec total
scsibus1 at ami0: 16 targets
"Intel IOxAPIC" rev 0x09 at pci1 dev 0 function 3 not configured
ppb4 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x01
pci5 at ppb4 bus 9
ppb5 at pci0 dev 28 function 4 "Intel 82801G PCIE" rev 0x01
pci6 at ppb5 bus 13
em0 at pci6 dev 0 function 0 "Intel PRO/1000MT (82573E)" rev 0x03: irq
10, address 00:30:48:8c:9e:8c
ppb6 at pci0 dev 28 function 5 "Intel 82801G PCIE" rev 0x01
pci7 at ppb6 bus 14
em1 at pci7 dev 0 function 0 "Intel PRO/1000MT (82573L)" rev 0x00: irq
11, address 00:30:48:8c:9e:8d
uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x01: irq 5
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x01: irq 10
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x01: irq 11
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x01: irq 10
usb3 at uhci3: USB revision 1.0
uhub3 at usb3
uhub3: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub3: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x01: irq 5
usb4 at ehci0: USB revision 2.0
uhub4 at usb4
uhub4: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub4: 8 ports with 8 removable, self powered
ppb7 at pci0 dev 30 function 0 "Intel 82801BA AGP" rev 0xe1
pci8 at ppb7 bus 15
vga1 at pci8 dev 4 function 0 "ATI ES1000" rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ichpcib0 at pci0 dev 31 function 0 "Intel 82801GB LPC" rev 0x01: PM disabled
pciide0 at pci0 dev 31 function 2 "Intel 82801GB SATA" rev 0x01: DMA,
channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA48, 190782MB, 390721968 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
wd1 at pciide0 channel 1 drive 0: 
wd1: 16-sector PIO, LBA48, 286168MB, 586072368 sectors
wd2 at pciide0 channel 1 drive 1: 
wd2: 16-sector PIO, LBA48, 239372MB, 490234752 sectors
wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5
wd2(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 6
ichiic0 at pci0 dev 31 function 3 "Intel 82801GB SMBus" rev 0x01: irq 10
iic0 at ichiic0
"unknown" at iic0 addr 0x18 not configured
lm1 at iic0 addr 0x2d: W83627HF
"unknown" at iic0 

Re: Help with chroot

2006-09-19 Thread Kim Mackey
OK,  I finally have it working at about 99%.  Maybe not quite that  
much depending on how you look at it.



The final problem I am having is probably related to how I set up my  
network when I installed OpenBSD 3.9. In previous installations of  
OpenBSD I just accepted the defaults during the network card setup  
and everything worked out OK. This time I have been struggling with  
my host name and domain name. The problem for me right now is I  
don't have a domain name for this network and before my domain was  
just defaulted to my.domain. But now it seems to want to act like I  
am somehow a DNS or something, I'm not sure.


Anyway the symptom is that when I visit my wiki site I go there with  
the url 192.168.1.106/wiki/ but as it starts to load the page it  
changes my url to myhost.my.domain/wiki/index.php/Main_Page and then  
fails to load. But if I type the url as 192.168.1.106/wiki/index.php/ 
Main_Page it will load the page just fine. From there I can click on  
the links and everything continues to work fine. (On some pages if  
I leave the page up for a little while it will automatically switch  
the url to the myhostname.my.domain and fail to load. I just retype  
the url with my local IP and things load back up fine again, but I  
have to leave that page or it will fail again.)


I hope I can fix this problem without having to reinstall OpenBSD  
(and all) again.


K. Mackey



Re: Help with chroot

2006-09-18 Thread Kim Mackey
Last night I wiped my drive completely and did a fresh install

OpenBSD 3.9
MySQL 5.0.5
PHP5
mediawiki 1.5.6

I followed the instructions presented after each package was added.   
I didn't set up mediawiki until today at work. After a little bit of  
messing around I finally got it working, though somewhat flaky. It  
went through the setup and created the database in MySQL but would  
not go to the main page until I refreshed several times. Finally it  
went to the main page and I tried a few links and they worked OK.   
When I created a new user the whole thing died. I removed the  
LocalSettings.php file and did the setup again but I could not even  
get to the setup page. I removed MySQL and its database, PHP and  
mediawiki and added the packages again, again following each of the  
instructions, but now it won't find the mysql.sock even though it  
appears to be where it belongs (/var/www/var/run/mysql/mysql.sock).


Here is the page I get when I try to set it up.

I hope the problem is just that I don't have the socket in the right  
place.  If that is not it I am going to start all over by installing  
OpenBSD again.

MediaWiki 1.5.6 installation

Please include all of the lines below when reporting installation  
problems.

Checking environment...

PHP 5.0.5: ok
PHP server API is apache; ok, using pretty URLs (index.php/Page_Title)
Have XML / Latin1-UTF-8 conversion support.
PHP is configured with no memory_limit.
Have zlib support; enabling output compression.
Neither Turck MMCache nor eAccelerator are installed, can't use  
object caching functions
GNU diff3 not found.
Found GD graphics library built-in, image thumbnailing will be  
enabled if you enable uploads.
Installation directory: /mediawiki
Script URI path: /mediawiki
Warning: $wgSecretKey key is insecure, generated with mt_rand().  
Consider changing it manually.
Connecting to wikidb on localhost as root...failed with error 2002:  
Can't connect to local MySQL server through socket '/var/run/mysql/ 
mysql.sock' (61).



Re: Help with chroot

2006-09-17 Thread Kim Mackey
OK,

I've done a clean install of OpenBSD 3.9 and mediawiki, and MySQL  
5.0.18.

Now I'm just working through getting things set up. Right now I seem  
to not have MySQL linked correctly:


Warning: dl() [function.dl]: Unable to load dynamic library '/var/www/ 
lib/php/modules/mysql.so' - File not found in /mediawiki/install- 
utils.inc on line 17
Could not load MySQL driver! Please compile php --with-mysql or  
install the mysql.so module.
So that's what I'm working on right now.



Help with chroot

2006-09-16 Thread Kim Mackey
I am new to this mailing list but not new to OpenBSD. I have been  
having some success with working with Apache in chroot, but I am  
trying to experiment with setting up a wiki server (using mediawiki)  
and am having quite a time of it. I have figured out some of the  
problems and I am sure I have quite a few more to go, but right now I  
am struggling with one of the includes.


Is there anyone on this list who has set up mediawiki on their  
OpenBSD or knows where the right place would be to post this question?



Thanks in advance

K.Mackey



Strange (icmp6) packets from tcpdump

2006-02-08 Thread Kim Onnel
Hello,

On a PC running only an SSH server for a very limited number of people, and only
IPv4,

I ran tcpdump and got the below:

19:29:58.871915 fe80::20c:76ff:fe98:e72c > ff02::1:ff00:10: icmp6: neighbor
sol: who has a.dns.br
19:29:58.911884 fe80::20c:76ff:fe98:e72c > ff02::1:ff00:13: icmp6: neighbor
sol: who has ns-ext.isc.org
19:29:58.984958 fe80::20c:76ff:fe98:e72c > ff02::1:ff00:1: icmp6: neighbor
sol: who has a.dns.jp
19:29:58.986874 fe80::20c:76ff:fe98:e72c > ff02::1:ff00:83: icmp6: neighbor
sol: who has 2001:630:181:35::83
19:29:59.326682 fe80::20c:76ff:fe98:e72c > ff02::1:ff02:30: icmp6: neighbor
sol: who has a.gtld-servers.net
19:29:59.555744 fe80::20c:76ff:fe98:e72c > ff02::1:ff00:53: icmp6: neighbor
sol: who has head.snowman.sunet.se
19:29:59.587218 fe80::20c:76ff:fe98:e72c > ff02::1:ff00:14: icmp6: neighbor
sol: who has ns0.ja.net
19:29:59.591729 fe80::20c:76ff:fe98:e72c > ff02::1:ff00:53: icmp6: neighbor
sol: who has ns2.univie.ac.at
19:29:59.637184 fe80::20c:76ff:fe98:e72c > ff02::1:ff00:5: icmp6: neighbor
sol: who has f.nic.de
19:29:59.871696 fe80::20c:76ff:fe98:e72c > ff02::1:ff00:10: icmp6: neighbor
sol: who has a.dns.br
19:29:59.911664 fe80::20c:76ff:fe98:e72c > ff02::1:ff00:13: icmp6: neighbor
sol: who has ns-ext.isc.org
19:29:59.984832 fe80::20c:76ff:fe98:e72c > ff02::1:ff00:1: icmp6: neighbor
sol: who has a.dns.jp
19:29:59.986624 fe80::20c:76ff:fe98:e72c > ff02::1:ff00:83: icmp6: neighbor
sol: who has 2001:630:181:35::83
19:29:59.986780 fe80::20c:76ff:fe98:e72c > ff02::1:ff00:53: icmp6: neighbor
sol: who has ns8.iij.ad.jp
19:29:59.988698 fe80::20c:76ff:fe98:e72c > ff02::1:ff00:44: icmp6: neighbor
sol: who has 2001:502:d399::44
19:30:00.325557 fe80::20c:76ff:fe98:e72c > ff02::1:ff02:30: icmp6: neighbor
sol: who has a.gtld-servers.net

Any explanation?
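As an added example (not part of the post), a short parser for these lines that checks the solicited-node multicast mapping RFC 4291 defines and lists what the kernel is trying to resolve; the sample lines are constructed from the dump above with the wrapping undone.

```python
"""Make sense of the icmp6 neighbor solicitations in the tcpdump above.

Added example (not from the post).  A neighbor solicitation goes to the
target's solicited-node multicast group, ff02::1:ffXX:XXXX, formed from the
low 24 bits of the target address (RFC 4291, 2.7.1).  The functions below
parse the dump lines, verify that mapping for targets tcpdump printed as
literal addresses, and count which targets the kernel keeps soliciting.
Neighbor discovery is only done for addresses the kernel treats as on-link,
so global targets in this list are being resolved as directly attached hosts.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: lines from the dump above with the wrapping undone.
SAMPLE = """\
19:29:58.986874 fe80::20c:76ff:fe98:e72c > ff02::1:ff00:83: icmp6: neighbor sol: who has 2001:630:181:35::83
19:29:59.326682 fe80::20c:76ff:fe98:e72c > ff02::1:ff02:30: icmp6: neighbor sol: who has a.gtld-servers.net
19:29:59.988698 fe80::20c:76ff:fe98:e72c > ff02::1:ff00:44: icmp6: neighbor sol: who has 2001:502:d399::44
19:30:00.325557 fe80::20c:76ff:fe98:e72c > ff02::1:ff02:30: icmp6: neighbor sol: who has a.gtld-servers.net
"""

LINE = re.compile(r"^(\S+) (\S+) > (\S+): icmp6: neighbor sol: who has (\S+)$")
SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node(target):
    """Solicited-node multicast group for an IPv6 address."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24))


def low24_from_group(group):
    """All a solicited-node group reveals about the target: its low 24 bits."""
    value = int(ipaddress.IPv6Address(group))
    if (value & ~0xFFFFFF) != SOLICITED_NODE_PREFIX:
        raise ValueError("%s is not a solicited-node group" % group)
    return value & 0xFFFFFF


def parse_solicitations(text):
    """One dict per neighbor solicitation line: time, src, group, target."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            out.append(dict(time=m.group(1), src=m.group(2),
                            group=m.group(3), target=m.group(4)))
    return out


def check_groups(records):
    """(target, printed group, ok) per record.  ok is None for a hostname,
    which cannot be checked without resolving it."""
    results = []
    for r in records:
        try:
            ok = solicited_node(r["target"]) == r["group"]
        except ipaddress.AddressValueError:
            ok = None
        results.append((r["target"], r["group"], ok))
    return results


def solicitation_counts(records):
    """How often each target is solicited; repeats a second apart mean the
    resolution never completes."""
    return Counter(r["target"] for r in records)


if __name__ == "__main__":
    recs = parse_solicitations(SAMPLE)
    for row in check_groups(recs):
        print(row)
    print(solicitation_counts(recs))
```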



Re: Number of PTYs

2006-01-05 Thread Kim Onnel
-bash-3.00# ls /dev/ptyp
ptyp0  ptyp6  ptypC  ptypI  ptypO  ptypU  ptypa  ptypg  ptypm  ptyps  ptypy
ptyp1  ptyp7  ptypD  ptypJ  ptypP  ptypV  ptypb  ptyph  ptypn  ptypt  ptypz
ptyp2  ptyp8  ptypE  ptypK  ptypQ  ptypW  ptypc  ptypi  ptypo  ptypu
ptyp3  ptyp9  ptypF  ptypL  ptypR  ptypX  ptypd  ptypj  ptypp  ptypv
ptyp4  ptypA  ptypG  ptypM  ptypS  ptypY  ptype  ptypk  ptypq  ptypw
ptyp5  ptypB  ptypH  ptypN  ptypT  ptypZ  ptypf  ptypl  ptypr  ptypx
-bash-3.00# ls /dev/pty* | wc -l
  62
-bash-3.00#

I don't understand anything :)

-bash-3.00# sysctl kern.tty.maxptys
kern.tty.maxptys=992
-bash-3.00#

If they're 992, how can they run out?


> >
> > On 1/5/06, Kim Onnel < [EMAIL PROTECTED]> wrote:
> > >
> > > Hello,
> > > I have an OpenBSD 3.6 running as a jump-through host, people ssh in
> > > and
> > > telnet out
> > >
> > > users are systraced and they all use an expect script.
> > >
> > > I get this message when the users exceed the number of ptys (a-z,
> > > A-Z, 0-9)
> > >
> > > The system has no more ptys.  Ask your system administrator to create
> > > more.
> > >
> > > and at my messages log:
> > >
> > >
> > > Jan  5 11:52:50 bastion2 sshd[5072]: error: openpty: No such file or
> > > directory
> > > Jan  5 11:52:50 bastion2 sshd[3002]: error: session_pty_req: session 0
> > > alloc
> > > failed
> > > Jan  5 11:52:53 bastion2 sshd[13660]: error: openpty: No such file or
> > > directory
> > > Jan  5 11:52:53 bastion2 sshd[11094]: error: session_pty_req: session
> > > 0
> > > alloc failed
> > > Jan  5 11:53:08 bastion2 sshd[30104]: error: openpty: No such file or
> > > directory
> > > Jan  5 11:53:08 bastion2 sshd[4272]: error: session_pty_req: session 0
> > > alloc
> > > failed
> > > Jan  5 11:53:11 bastion2 sshd[21718]: error: openpty: No such file or
> > > directory
> > > Jan  5 11:53:11 bastion2 sshd[16534]: error: session_pty_req: session
> > > 0
> > > alloc failed
> > > Jan  5 11:53:20 bastion2 sshd[8419]: error: openpty: No such file or
> > > directory
> > > Jan  5 11:53:20 bastion2 sshd[25920]: error: session_pty_req: session
> > > 0
> > > alloc failed
> > > Jan  5 11:53:21 bastion2 sshd[6613]: error: openpty: No such file or
> > > directory
> > > Jan  5 11:53:21 bastion2 sshd[26402]: error: session_pty_req: session
> > > 0
> > > alloc failed
> > >
> > >
> > > What can I do to increase ptys?
> > >
> > > Googling shows people getting the same message and expect/gcc being
> > > involved, or is it just a system message?



Number of PTYs

2006-01-05 Thread Kim Onnel
Hello,
I have an OpenBSD 3.6 running as a jump-through host, people ssh in and
telnet out

users are systraced and they all use an expect script.

I get this message when the users exceed the number of ptys (a-z, A-Z, 0-9)

The system has no more ptys.  Ask your system administrator to create more.

and at my messages log:


Jan  5 11:52:50 bastion2 sshd[5072]: error: openpty: No such file or
directory
Jan  5 11:52:50 bastion2 sshd[3002]: error: session_pty_req: session 0 alloc
failed
Jan  5 11:52:53 bastion2 sshd[13660]: error: openpty: No such file or
directory
Jan  5 11:52:53 bastion2 sshd[11094]: error: session_pty_req: session 0
alloc failed
Jan  5 11:53:08 bastion2 sshd[30104]: error: openpty: No such file or
directory
Jan  5 11:53:08 bastion2 sshd[4272]: error: session_pty_req: session 0 alloc
failed
Jan  5 11:53:11 bastion2 sshd[21718]: error: openpty: No such file or
directory
Jan  5 11:53:11 bastion2 sshd[16534]: error: session_pty_req: session 0
alloc failed
Jan  5 11:53:20 bastion2 sshd[8419]: error: openpty: No such file or
directory
Jan  5 11:53:20 bastion2 sshd[25920]: error: session_pty_req: session 0
alloc failed
Jan  5 11:53:21 bastion2 sshd[6613]: error: openpty: No such file or
directory
Jan  5 11:53:21 bastion2 sshd[26402]: error: session_pty_req: session 0
alloc failed


What can I do to increase ptys?

Googling shows people getting the same message and expect/gcc being
involved, or is it just a system message?
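An added example, not from the thread, that puts the two numbers from these posts side by side: kern.tty.maxptys is the kernel's ceiling, but openpty(3) fails with ENOENT, the "No such file or directory" in the log, once no unused device node is left under /dev, and MAKEDEV creates those in banks of 62 (ptyp0..ptypz is one bank). The listing and log lines are constructed from the posts.

```python
"""Relate sshd "openpty: No such file or directory" errors to the pty
device nodes actually present in /dev.

Added example (not from the thread).  kern.tty.maxptys is only the kernel's
upper bound; openpty(3) can hand out just those ptys whose device node exists
under /dev, and MAKEDEV makes them in banks of 62 (ptyp0..ptypz is one bank).
A box with a single bank therefore runs dry at 62 sessions, whatever maxptys
says, and every further login fails with ENOENT as in the log.
"""
import re
from collections import Counter

# Constructed from the listing and log lines quoted in the posts above.
LS_SAMPLE = """\
ptyp0  ptyp6  ptypC  ptypI  ptypO  ptypU  ptypa  ptypg  ptypm  ptyps  ptypy
ptyp1  ptyp7  ptypD  ptypJ  ptypP  ptypV  ptypb  ptyph  ptypn  ptypt  ptypz
ptyp2  ptyp8  ptypE  ptypK  ptypQ  ptypW  ptypc  ptypi  ptypo  ptypu
ptyp3  ptyp9  ptypF  ptypL  ptypR  ptypX  ptypd  ptypj  ptypp  ptypv
ptyp4  ptypA  ptypG  ptypM  ptypS  ptypY  ptype  ptypk  ptypq  ptypw
ptyp5  ptypB  ptypH  ptypN  ptypT  ptypZ  ptypf  ptypl  ptypr  ptypx
"""
LOG_SAMPLE = """\
Jan  5 11:52:50 bastion2 sshd[5072]: error: openpty: No such file or directory
Jan  5 11:52:50 bastion2 sshd[3002]: error: session_pty_req: session 0 alloc failed
Jan  5 11:52:53 bastion2 sshd[13660]: error: openpty: No such file or directory
Jan  5 11:53:08 bastion2 sshd[30104]: error: openpty: No such file or directory
Jan  5 11:53:11 bastion2 sshd[21718]: error: openpty: No such file or directory
Jan  5 11:53:20 bastion2 sshd[8419]: error: openpty: No such file or directory
Jan  5 11:53:21 bastion2 sshd[6613]: error: openpty: No such file or directory
"""

# Master nodes are pty<bank letter><0-9a-zA-Z>; banks run p-z then P-T.
PTY_NODE = re.compile(r"^pty([p-zP-T])([0-9a-zA-Z])$")
OPENPTY_ERR = re.compile(
    r"^(\w{3}\s+\d+) (\d\d:\d\d):\d\d (\S+) sshd\[(\d+)\]: error: openpty: ")
NODES_PER_BANK = 62


def pty_capacity(ls_output, maxptys):
    """Count pty master nodes in an ls listing and compare with the sysctl."""
    banks = Counter()
    for name in ls_output.split():
        m = PTY_NODE.match(name)
        if m:
            banks[m.group(1)] += 1
    nodes = sum(banks.values())
    return dict(banks=dict(sorted(banks.items())), nodes=nodes,
                kernel_limit=maxptys, usable=min(nodes, maxptys),
                banks_for_limit=-(-maxptys // NODES_PER_BANK))


def openpty_failures(log_text):
    """(date, hh:mm, host, pid) for every failed pty allocation by sshd."""
    out = []
    for line in log_text.splitlines():
        m = OPENPTY_ERR.match(line)
        if m:
            out.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return out


def failures_per_minute(log_text):
    """A rate a monitor can alert on: pty exhaustion locks new logins out."""
    return Counter(minute for _d, minute, _h, _p in openpty_failures(log_text))


if __name__ == "__main__":
    print(pty_capacity(LS_SAMPLE, 992))
    print(dict(failures_per_minute(LOG_SAMPLE)))
```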



Re: usb2ether hw recommendation

2005-11-23 Thread Kim Onnel
I tried this one:

> There is a working driver -- it's the rtl8150 module for the Realtek
> 8150 chipset which is in the HUF11.
> USB hawking Ethernet



On 11/23/05, Stuart Henderson <[EMAIL PROTECTED]> wrote:
>
> --On 23 November 2005 11:49 +0100, Stephan A. Rickauer wrote:
>
> > are there any device recommendations for usb Ethernet network
> > adapters supported by the drivers listed by 'apropos usb|grep -i
> > ether|grep -v Class' on 3.8? Searching the web for the chipsets
> > usually gives me Japanese, Taiwanese web sites or driver issues but
> > no concrete devices (= things I can touch) ...
>
> There are plenty listed in the manpages. I think you'd be unlucky to
> buy a usb-ethernet that's not supported (and if you do, you could send
> it to a developer and buy something different..) HK-based vendors on
> Ebay are quite good for these.



Network goes out until i ping

2005-11-23 Thread Kim Onnel
Hello,

on a : -bash-3.00# uname -a
OpenBSD bastion2 3.6 GENERIC#59 i386
-bash-3.00#

The server just loses connectivity, probably when it's idle. I go to its
console, ping the gateway with no reply, ping a different host in the subnet and it
replies, then ping the gateway again and it replies?

-bash-3.00# ifconfig -a
lo0: flags=8049 mtu 33224
inet 127.0.0.1 netmask 0xff00
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
xl0: flags=8843 mtu 1500
address: 00:b0:d0:e1:6c:63
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 172.31.10.26 netmask 0xff00 broadcast 172.31.10.255
inet6 fe80::2b0:d0ff:fee1:6c63%xl0 prefixlen 64 scopeid 0x1
pflog0: flags=0<> mtu 33224
pfsync0: flags=0<> mtu 2020
enc0: flags=0<> mtu 1536

No PF running, just a Cisco PIX as its gateway?

I don't think the PIX will time out all its connections, would it?



OpenBSD as TACACS+ client to SecureACS

2005-11-14 Thread Kim Onnel
Hello



Re: isakmpd, greenbow vpn client and NO PROPOSAL CHOSEN

2005-10-19 Thread Kim Nielsen

Hans-Joerg Hoexer wrote:

[AES-SHA-GRP2]
ENCRYPTION_ALGORITHM=   AES_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD=  PRE_SHARED
GROUP_DESCRIPTION=  MODP_1024
Life=   LIFE_1_DAY



LIFE_1_DAY is not defined



Hi  :)

I added

[LIFE_1_DAY]
LIFE_TYPE= SECONDS
LIFE_DURATION= 86400,79200:93600

but still same problem

Regards
Kim



Re: isakmpd, greenbow vpn client and NO PROPOSAL CHOSEN

2005-10-19 Thread Kim Nielsen

Rogier Krieger wrote:



Last time I dealt with the NO_PROPOSAL_CHOSEN issue, it was due to an
error in my keynote(4) policy. After re-creating it from scratch using
the example files, things worked like a charm for me.

Hope this helps,




I wish that was it. I even tried to wget 
http://www.allard.nu/openbsd/openbsd/isakmpd.policy and use that, but 
still the same problem.


Regards
Kim



Re: isakmpd, greenbow vpn client and NO PROPOSAL CHOSEN

2005-10-19 Thread Kim Nielsen

Hans-Joerg Hoexer wrote:

On Wed, Oct 19, 2005 at 01:34:45PM +0200, Kim Nielsen wrote:


[greenbow-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-GR2-SUITE



it's GRP2, not GR2



[AES-SHA-GRP2]
ENCRYPTION_ALGORITHM=   AES_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD=  PRE_SHARED
GROUP_DESCRIPTION=  MODP_1024
Life=   LIFE_1_DAY



Thanks but the problem I have is in phase1 but now once I get to phase2 
it should work :)


/Kim
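An added example, not from the thread: a checker for isakmpd.conf that reports values naming a section that does not exist, which covers both the GR2/GRP2 typo and the missing LIFE_1_DAY section discussed in these replies. The built-in names isakmpd defines itself are an assumed subset passed in as a set, and the sample config is assembled from the fragments quoted in the thread (the contents of greenbow-main-mode are filled in).

```python
"""Find section references in isakmpd.conf(5) that point nowhere.

Added example, not from the thread.  Both mistakes discussed above are of
one kind: a value names a section that does not exist, through a typo (GR2
for GRP2) or because the section was never written (LIFE_1_DAY).  isakmpd
surfaces that as a failed proposal rather than a config error, so a check
at edit time saves a round of tcpdump.
"""
import difflib
import re

# Keys whose values name other sections (comma-separated lists allowed).
REF_KEYS = {"Default", "Connections", "Passive-connections", "Configuration",
            "Transforms", "Suites", "Protocols", "Life", "ID",
            "Local-ID", "Remote-ID"}
# Assumed subset of the names isakmpd defines internally; extend as needed.
BUILTIN = {"QM-ESP-AES-SHA-PFS-GRP2-SUITE", "LIFE_MAIN_MODE", "LIFE_QUICK_MODE"}

# Constructed from the fragments quoted in the thread; the main-mode
# section is filled in so everything is reachable from [Phase 1].
SAMPLE_CONF = """\
[Phase 1]
Default=                ISAKMP-clients

[ISAKMP-clients]
Phase=                  1
Transport=              udp
Configuration=          greenbow-main-mode

[greenbow-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             AES-SHA-GRP2

[greenbow-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-AES-SHA-PFS-GR2-SUITE

[AES-SHA-GRP2]
ENCRYPTION_ALGORITHM=   AES_CBC
HASH_ALGORITHM=         SHA
AUTHENTICATION_METHOD=  PRE_SHARED
GROUP_DESCRIPTION=      MODP_1024
Life=                   LIFE_1_DAY
"""

SECTION = re.compile(r"^\[([^\]]+)\]$")
ENTRY = re.compile(r"^([^=]+?)\s*=\s*(.*)$")


def parse_isakmpd_conf(text):
    """{section: {key: value}}; a repeated key keeps its last value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = ENTRY.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2)
    return sections


def dangling_references(sections, builtin=frozenset()):
    """(section, key, missing name, closest existing name or None) for every
    reference that resolves to nothing.  All keys in [Phase 1] are
    references: Default or a peer address mapped to an ISAKMP section."""
    known = sorted(set(sections) | set(builtin))
    problems = []
    for name, entries in sections.items():
        for key, value in entries.items():
            if name != "Phase 1" and key not in REF_KEYS:
                continue
            for ref in (v.strip() for v in value.split(",")):
                if ref and ref not in known:
                    close = difflib.get_close_matches(ref, known, n=1, cutoff=0.8)
                    problems.append((name, key, ref, close[0] if close else None))
    return problems


if __name__ == "__main__":
    for section, key, ref, hint in dangling_references(
            parse_isakmpd_conf(SAMPLE_CONF), BUILTIN):
        where = "[%s] %s=%s" % (section, key, ref)
        print(where + (": did you mean %s?" % hint if hint else ": no such section"))
```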



isakmpd, greenbow vpn client and NO PROPOSAL CHOSEN

2005-10-19 Thread Kim Nielsen

Hi $misc

I have a problem with isakmpd and the greenbow vpn client (actually all 
windows vpn clients I have tried except freeswan and racoon)


The problem is that I specify the protocols that the clients use, but it 
seems that it is ignoring what I have specified


A dump from tcpdump -vr /var/run/isakmpd.pcap says that the client is 
trying with these protocols:


[SNIP]
...
attribute ENCRYPTION_ALGORITHM = AES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute GROUP_DESCRIPTION = MODP_1024
attribute KEY_LENGTH = 128
...

my log from isakmpd says

Oct 19 13:15:56 tefnut isakmpd[32614]: Attribute ENCRYPTION_ALGORITHM 
value 7

Oct 19 13:15:56 tefnut isakmpd[32614]: Attribute HASH_ALGORITHM value 2
Oct 19 13:15:56 tefnut isakmpd[32614]: Attribute AUTHENTICATION_METHOD 
value 1

Oct 19 13:15:56 tefnut isakmpd[32614]: Attribute GROUP_DESCRIPTION value 2
Oct 19 13:15:56 tefnut isakmpd[32614]: Attribute KEY_LENGTH value 128
Oct 19 13:15:56 tefnut isakmpd[32614]: message_validate_vendor: vendor 
ID seen
Oct 19 13:15:56 tefnut isakmpd[32614]: nat_t_check_vendor_payload: NAT-T 
capable peer detected
Oct 19 13:15:56 tefnut isakmpd[32614]: message_validate_vendor: vendor 
ID seen
Oct 19 13:15:56 tefnut isakmpd[32614]: ipsec_responder: phase 1 exchange 
2 step 0
Oct 19 13:15:56 tefnut isakmpd[32614]: message_negotiate_sa: transform 0 
proto 1 proposal 1 ok

Oct 19 13:15:56 tefnut isakmpd[32614]: ike_phase_1_validate_prop: failure
Oct 19 13:15:56 tefnut isakmpd[32614]: message_negotiate_sa: proposal 1 
failed
Oct 19 13:15:56 tefnut isakmpd[32614]: message_negotiate_sa: no 
compatible proposal found
Oct 19 13:15:56 tefnut isakmpd[32614]: dropped message from 
62.242.xxx.xxx port 488 due to notification type NO_PROPOSAL_CHOSEN


my isakmpd.conf:
[General]
Retransmits=5
Exchange-max-time=  120
Shared-SADB=Defined
Default-phase-1-lifetime=   3600,60:86400
Default-phase-2-lifetime=   1200,60:86400
NAT-T-Keepalive=10

[Phase 1]
Default=ISAKMP-clients

[Phase 2]
Passive-connections=IPsec-clients

[ISAKMP-clients]
Phase=  1
Transport=  udp
Configuration=  greenbow-main-mode
Authentication= mekmitasdigoat

[IPsec-clients]
Phase=  2
Configuration=  greenbow-quick-mode
Local-ID=   default-route
Remote-ID=  dummy-remote

[default-route]
ID-type=IPV4_ADDR_SUBNET
Network=0.0.0.0
Netmask=0.0.0.0

[dummy-remote]
ID-type=IPV4_ADDR
Address=0.0.0.0

[greenbow-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms= AES-SHA-GRP2

[greenbow-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-GR2-SUITE

[AES-SHA-GRP2]
ENCRYPTION_ALGORITHM=   AES_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD=  PRE_SHARED
GROUP_DESCRIPTION=  MODP_1024
Life=   LIFE_1_DAY


Basically it's taken from http://www.allard.nu/openbsd/greenbow/ since I 
googled for an answer, but even though I take a copy of the isakmpd.conf 
on that page I still don't get through phase 1


Hope someone has an answer

Best regards
Kim

Ps. I'm using OpenBSD 3.7
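Replaying the posted phase 1 configuration against the proposal in the tcpdump output, as an added example that is not part of the thread and not isakmpd's own code: isakmpd looks every attribute of the peer's proposal up by name in the transform section named in Transforms=, and a proposed attribute that the section does not define, or whose value falls outside the configured spec, makes that transform unacceptable; with no acceptable transform the responder answers NO_PROPOSAL_CHOSEN. The [AES-SHA-GRP2] section above defines ENCRYPTION_ALGORITHM, HASH_ALGORITHM, AUTHENTICATION_METHOD and GROUP_DESCRIPTION but no KEY_LENGTH, while the client proposes KEY_LENGTH = 128 (the built-in AES transforms in isakmpd.conf(5) carry KEY_LENGTH= 128,128:256). The script mimics that lookup on the posted config and tcpdump lines (both constructed from the post; the lifetime attributes, which isakmpd resolves through the Life= section, are deliberately left out) and understands the same "default,min:max" number spec that the LIFE_DURATION line in the follow-up uses.

```python
"""Replay isakmpd's phase 1 transform check against a captured proposal.

isakmpd walks every attribute in the peer's phase 1 proposal and looks it up,
by attribute name, in the transform section named by the Transforms= list.
A proposed attribute the section does not define, or whose value does not
match, makes the transform unacceptable; with no acceptable transform the
responder answers NO_PROPOSAL_CHOSEN.  Numeric values may be written as
isakmpd's "default" or "default,min:max" spec.
"""
import re

# Constructed from the isakmpd.conf posted in the thread (phase 1 part only).
ISAKMPD_CONF = """\
[greenbow-main-mode]
DOI=            IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms=     AES-SHA-GRP2

[AES-SHA-GRP2]
ENCRYPTION_ALGORITHM=   AES_CBC
HASH_ALGORITHM=         SHA
AUTHENTICATION_METHOD=  PRE_SHARED
GROUP_DESCRIPTION=      MODP_1024
Life=                   LIFE_1_DAY
"""

# Constructed from the tcpdump -v lines in the post: the client's proposal.
TCPDUMP_ATTRS = """\
attribute ENCRYPTION_ALGORITHM = AES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute GROUP_DESCRIPTION = MODP_1024
attribute KEY_LENGTH = 128
"""

# Attributes looked up directly in the transform section.  Lifetime
# attributes are resolved through the Life= sections and are left out here.
CHECKED = {"ENCRYPTION_ALGORITHM", "HASH_ALGORITHM", "AUTHENTICATION_METHOD",
           "GROUP_DESCRIPTION", "KEY_LENGTH"}


def parse_conf(text):
    """Parse isakmpd.conf's [section] / Tag= value layout into nested dicts."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            tag, value = line.split("=", 1)
            sections[current][tag.strip()] = value.strip()
    return sections


def parse_proposal(text):
    """Collect the 'attribute NAME = VALUE' pairs from tcpdump output."""
    return dict(re.findall(r"attribute (\w+) = (\S+)", text))


def num_matches(spec, value):
    """isakmpd conf_match_num semantics: 'x' means equal, 'd,min:max' a range."""
    default, _, rng = spec.partition(",")
    if rng:
        lo, hi = (int(x) for x in rng.split(":"))
        return lo <= value <= hi
    return int(default) == value


def check_transform(conf, proposal, transform):
    """Return the proposed attributes this transform would reject."""
    xf = conf[transform]
    rejected = []
    for tag, val in proposal.items():
        if tag not in CHECKED:
            continue
        if tag not in xf:
            rejected.append((tag, "not defined in transform"))
        elif val.isdigit():
            if not num_matches(xf[tag], int(val)):
                rejected.append((tag, f"{val} outside {xf[tag]}"))
        elif xf[tag] != val:
            rejected.append((tag, f"{val} != {xf[tag]}"))
    return rejected


def check_phase1(conf_text, dump_text, section="greenbow-main-mode"):
    """Map each transform the phase 1 section lists to its rejections ([] = ok)."""
    conf = parse_conf(conf_text)
    proposal = parse_proposal(dump_text)
    names = [t.strip() for t in conf[section]["Transforms"].split(",")]
    return {name: check_transform(conf, proposal, name) for name in names}


if __name__ == "__main__":
    for name, problems in check_phase1(ISAKMPD_CONF, TCPDUMP_ATTRS).items():
        print(name, "acceptable" if not problems else problems)
```

Run as is, it reports KEY_LENGTH as not defined in AES-SHA-GRP2; appending `KEY_LENGTH= 128,128:256` to that section makes the check pass. Whether that is the only mismatch on the real peer still has to be confirmed on the gateway by raising isakmpd's debug level (the -D option) so the attribute-level negotiation messages say which attribute failed.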



Re: tuning systrace policy for expect

2005-05-11 Thread Kim Onnel
Ok, its at http://82.129.235.194/systrace_expect.txt

On 5/10/05, Ray <[EMAIL PROTECTED]> wrote:
> On Tue, May 10, 2005 at 10:59:40AM +0200, Kim Onnel wrote:
> > I've tried to auto generate with systrace -A and tune according to
> > errors, and this is what i have :
> 
> Can you attach the systrace policy instead of pasting it?  The line
> wrapping's messed up.
> 
> --
> I've found that people who are great at something are not so much
> convinced of their own greatness as mystified at why everyone else
> seems so incompetent.
> Paul Graham



tuning systrace policy for expect

2005-05-10 Thread Kim Onnel
Hi,

I'm trying to generate a policy for an expect script to run

Script : rpm1

-bash-3.00# cat rpm1
./rtr3 -cisco -telnet x.x.1.1

Which calls an expect script called rtr3 as you can see:

-bash-3.00# more rtr3
#!/usr/local/bin/expect --
#
#
# Connect to a Cisco/Juniper/Unix router and execute one or multiple commands
#
# Syntax:   rtr3 []  [ [: ] ]"
#
# $Log: rtr3,v $
# Revision 2.3  2004/12/01 15:55:28  markus
# Remove debug code.
#
# Revision 2.2  2004/12/01 15:36:22  markus
# Implemented command line flags to overwrite default settings.
# (-username -password -enable_password)
#
# Revision 2.1  2004/08/16 10:52:12  markus
# Module logon_cisco, modified error messages
#
# Revision 2.0  2004/06/20 19:00:20  markus
# Added support for Juniper routers
# Added support for SSH transport
# Restructured execute_command_*
# Restructured logon_*
#
# Revision 1.6  2004/03/08 14:46:46  markus
# Fix execute_command in branch ZEBRA
#
# Revision 1.5  2003/11/28 12:36:36  markus
# Separated execute_command logic to distinguish between CISCO, ZEBRA, and UNIX.
#
# Revision 1.4  2003/11/28 10:28:23  markus
# The script now properly handles Cisco routers that go into privileged mode
# without an explicit enable command.
# The script now prints a timestamp upon invocation.
# Output from "spawn telnet" and the logon procedure is now suppressed.
# In non-interactive mode the command output is surrounded by begin and end markers.
# The script now uses expect "#$" when waiting for command output. This fixes a bug
# where lengthy output was truncated.


The rtr3 script needs a .rtr3 file which is located in the user's home
directory (~/.rtr3), and I have it in place.

I've tried to auto-generate with systrace -A and tune according to
errors, and this is what I have:

-bash-3.00# more home_test_rtr3
Policy: /home/test/rtr3, Emulation: native
native-connect: sockaddr match "inet-*:23" then permit
native-fsread: filename eq "/home" then permit
native-fsread: filename eq "/tmp" then permit
native-fsread: filename eq "/usr" then permit
native-fsread: filename eq "/var" then permit
native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_DGRAM" then permit
native-socket: sockdom eq "AF_UNIX" and socktype eq "SOCK_DGRAM" then permit
native-umask: permit
native-write: permit

native-mmap: permit
native-mprotect: permit
native-exit: permit
native-write: permit
native-writev: permit
native-issetugid: permit
native-mprotect: permit
native-mmap: permit
native-__sysctl: permit
native-fsread: filename eq "/var/run/ld.so.hints" then permit
native-fstat: permit
native-close: permit
native-fsread: filename eq "/usr/lib/libc.so.34.1" then permit
native-read: permit
native-mquery: permit
native-fsread: filename eq "/usr/local/lib/libtcl84.so.1.0" then permit
native-fsread: filename eq "/usr/lib/libutil.so.11.0" then permit
native-fsread: filename eq "/usr/lib/libm.so.2.0" then permit
native-munmap: permit
native-sigprocmask: permit
native-fsread: filename eq "/etc/malloc.conf" then permit
native-break: permit
native-lseek: permit
native-sigaction: permit
native-fsread: filename eq "/home/test/." then permit
native-chdir: filename eq "/usr/local/lib/tcl8.4" then permit
native-fsread: filename eq "/usr/local/lib/tcl8.4/encoding" then permit
native-chdir: filename eq "/usr/local/lib/tcl8.4/encoding" then permit
native-fsread: filename eq "/" then permit
native-fsread: filename eq "/usr/local/lib/tcl8.4/encoding/." then permit
native-fsread: filename eq "/usr/local/lib/tcl8.4" then permit
native-fcntl: permit
native-fstatfs: permit
native-getdirentries: permit
native-fsread: filename eq "/usr/local/lib" then permit
native-fsread: filename eq "/usr/local" then permit
native-fsread: filename eq "/usr" then permit
native-fchdir: permit
native-fsread: filename eq "/usr/local/lib/tcl8.4/encoding/iso8859-1.enc" then permit
native-ioctl: permit
native-chdir: filename eq "/usr/local/lib" then permit
native-fsread: filename eq "/usr/local/lib/tcl8.4/." then permit
native-fsread: filename eq "/usr/local/lib/tcl8.4/init.tcl" then permit
native-getpid: permit
native-fswrite: filename eq "/dev/tty" then permit
native-fsread: filename eq "/usr/local/lib/expect5.43/expect.rc" then permit
native-fsread: filename eq "/home/test/.expect.rc" then permit
native-chdir: filename eq "/home" then permit
native-fsread: filename eq "/home/test" then permit
native-chdir: filename eq "/home/test" then permit
native-fsread: filename eq "/home" then permit
native-fsread: filename eq "/home/test/rtr3" then permit
native-write: permit
nativ
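A check worth running on a policy like the one above before handing it to systrace, as an added example that is not part of the thread and not systrace's own code: the linter below parses each rule into emulation, syscall, optional predicate and action, flags a predicate that is not followed by `then` (systrace rejects that as a syntax error and refuses the whole file), reports rules repeated verbatim, and points out filesystem or network syscalls permitted with no predicate at all, which is where a `systrace -A` result usually needs tightening. The sample policy inside it is a constructed excerpt of the posted one, with one rule deliberately missing `then` and one duplicate so that the checks fire; the set of syscalls treated as sensitive is this example's own choice.

```python
"""Lint a systrace(1) policy before loading it.

Each policy rule is written as

    <emulation>-<syscall>: <predicate> then <action>
    <emulation>-<syscall>: <action>

where the action is permit, deny (optionally deny[errno]) or ask.  A
predicate that is not followed by 'then' is a syntax error, so systrace
refuses the whole file.  Beyond syntax, the points a reviewer of a policy
generated with systrace -A usually tightens are filesystem or network
syscalls permitted with no predicate at all, and rules repeated verbatim.
"""
import re

# Constructed excerpt of the policy posted in the thread; it carries one
# malformed rule (the "/home" fsread line without 'then') and one duplicate.
SAMPLE_POLICY = """\
Policy: /home/test/rtr3, Emulation: native
native-connect: sockaddr match "inet-*:23" then permit
native-fsread: filename eq "/home" permit
native-fsread: filename eq "/tmp" then permit
native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_DGRAM" then permit
native-umask: permit
native-write: permit
native-mmap: permit
native-write: permit
native-fsread: filename eq "/var/run/ld.so.hints" then permit
native-fswrite: filename eq "/dev/tty" then permit
"""

ACTIONS = {"permit", "deny", "ask"}
# Syscalls whose unconditional permit opens the whole filesystem or network
# to the sandboxed program (this example's choice of what counts as sensitive).
SENSITIVE = {"fsread", "fswrite", "connect", "bind", "execve", "chdir"}

RULE_RE = re.compile(r"^(?P<emul>\w+)-(?P<call>\w+):\s*(?P<body>.+?)\s*$")


def parse_rule(line):
    """Split one rule into (emulation, syscall, predicate or None, action)."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"not a rule: {line!r}")
    body = m.group("body")
    if " then " in body:
        pred, _, action = body.rpartition(" then ")
        pred = pred.strip()
    elif len(body.split()) > 1:
        raise ValueError(f"predicate without 'then': {line!r}")
    else:
        pred, action = None, body
    action = re.sub(r"\[.*\]$", "", action.split()[0])  # deny[eperm] -> deny
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}: {line!r}")
    return m.group("emul"), m.group("call"), pred, action


def lint_policy(text):
    """Return (line_no, kind, message) findings; an empty list means clean."""
    findings, seen = [], set()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("Policy:", "#")):
            continue
        try:
            emul, call, pred, action = parse_rule(line)
        except ValueError as err:
            findings.append((no, "syntax", str(err)))
            continue
        if line in seen:
            findings.append((no, "duplicate", f"{emul}-{call} rule repeated"))
            continue
        seen.add(line)
        if pred is None and action == "permit" and call in SENSITIVE:
            findings.append((no, "broad",
                             f"{emul}-{call} permitted without a predicate"))
    return findings


if __name__ == "__main__":
    for no, kind, msg in lint_policy(SAMPLE_POLICY):
        print(f"line {no}: {kind}: {msg}")
```

On the sample it reports line 3 as a syntax error and line 9 as a duplicate; a bare `native-fsread: permit` would be reported as broad, while `native-mmap: permit` and the other process-local calls pass without comment.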

Re: ospf/gre or bgp over ipsec instead of cisco?

2005-05-03 Thread Kim Hawtin
Stephen Marley wrote:
I want to provide a backup for a LES100 link between 2 sites using
dynamic routing over adsl/ipsec. 

The proposed solution involves purchasing a couple of expensive Cisco
layer 3 switches that are used to run EIGRP over the LES100 and an
ipsec/gre tunnel between a Nokia firewall and a Cisco 837 ADSL router.

Would using bgp for dynamic routing be a better solution as I've read
that bgp can be run over ipsec without the need for a gre tunnel and so
would provide better performance. (I've never configured bgp though).
I *assume* you have more than one connection to the internet at each 
site? Else why would you consider BGP?

Anyhow, I have done something similar with BGP for a small private 
wireless network, with redundant links, etc. Next on my list is to run 
IPsec on the backbone links.

openbgp is straightforward to set up and I now have half a dozen routers 
linked with redundant links etc.

The thing to remember about openbgp is to put only as much information 
in the config file as the router needs to know: the interfaces it has, 
the networks directly connected to it (or others statically routed) and 
the directly connected neighbours. More than that makes life and 
debugging complicated =) Also, getting bgpd on zebra or quagga is pretty 
straightforward. openbgp <-> bgpd/quagga works well too ;)

(can discuss more off list)
regards,
kim
--
Kim Hawtin : IT Systems Administrator
Ratbag : Level 8 - 63 Pirie Street Adelaide SA 5000 Australia
Ph +61 882 235 830 : Fx +61 882 235 746
khawtin at ratbaggames dot com
This email is confidential for the addressee only and
is subject to copyright where applicable.


Re: Hackathon 2005

2005-05-02 Thread Kim Hawtin
Steve Shockley wrote:
Sean Brown wrote:
I'm looking forward to OpenBash
If you keep saying things like that, Theo's going to change the default 
shell back to csh.
what is this attraction to csh anyway?
cheers,
kim
--
Kim Hawtin : IT Systems Administrator
Ratbag : Level 8 - 63 Pirie Street Adelaide SA 5000 Australia
Ph +61 882 235 830 : Fx +61 882 235 746
khawtin at ratbaggames dot com
This email is confidential for the addressee only and
is subject to copyright where applicable.