Re: Confusion about hw.cpuspeed

2024-03-15 Thread Christer Solskogen via misc
On Fri, Mar 15, 2024 at 2:02 PM Zé Loff via misc  wrote:
>
> Hope this clears things up.
>

Ah, now I understand. Thank you! :-)

-- 
chs



Re: Confusion about hw.cpuspeed

2024-03-15 Thread Zé Loff via misc


On Fri, Mar 15, 2024 at 01:07:22PM +0100, Christer Solskogen via misc wrote:
> On Fri, Mar 15, 2024 at 11:43 AM Zé Loff via misc  wrote:
> 
> > Your cpu*.frequency lines show you that it does.
> 
> In that case, what does hw.cpuspeed mean?
> 

Jonathan Gray already told you that:

> > hw.cpuspeed is only updated when a set speed is selected by the kernel.
> > With turbo mode the hardware continually changes the speed without
> > notifying the kernel.

You have

cpu0: Enhanced SpeedStep 2693 MHz: speeds: 1701, 1700, 1600, 1500, 1400, 
1300, 1200, 1100, 1000, 900, 800 MHz

on your dmesg, so you have a CPU that is meant to run at (up to)
1700MHz, but can go to 2700MHz in turbo mode.

The 1701MHz speed ("normal max" + 1) is the speed that the kernel needs
to set to get it into turbo mode.  So, when 

hw.cpuspeed=1701

it means your CPU is running in turbo mode.  If you or the kernel wants
to throttle it down to save power, hw.cpuspeed will change to something
lower.

As Jonathan said, when in turbo mode, the CPU won't tell the kernel
about speed changes, but you can always get them from the
hw.sensors.cpu*.frequency readings.  Which, incidentally, might not even
be the same for each CPU core, as they are throttled differently:

   $ sysctl hw.sensors | grep frequency0
   hw.sensors.cpu0.frequency0=245000.00 Hz
   hw.sensors.cpu1.frequency0=27.00 Hz
   hw.sensors.cpu2.frequency0=285000.00 Hz
   hw.sensors.cpu3.frequency0=235000.00 Hz

Hope this clears things up.

Cheers
Zé

P.S.: I'm by no means whatsoever an authority on this matter.  I'm
replying because you asked me directly.  

-- 
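
As an added illustration of the distinction drawn above (this is not part of the thread, and the function names are mine), the POSIX sh script below parses a constructed `sysctl hw` excerpt and a dmesg SpeedStep line, converts the per-core sensor readings from Hz to MHz, and classifies each core against the highest non-turbo speed. The sample values are constructed stand-ins written out in full Hz; on a live OpenBSD host you would feed it the real `sysctl hw` and `dmesg | grep SpeedStep` output instead.

```shell
#!/bin/sh
# Added example, not from the thread: relate hw.cpuspeed to the per-core
# hw.sensors.cpu*.frequency0 readings. All input is constructed sample text
# so the script runs anywhere.

SAMPLE_SYSCTL='hw.cpuspeed=1701
hw.setperf=100
hw.perfpolicy=auto
hw.sensors.cpu0.frequency0=2450000000.00 Hz
hw.sensors.cpu1.frequency0=2700000000.00 Hz
hw.sensors.cpu2.frequency0=2850000000.00 Hz
hw.sensors.cpu3.frequency0=800000000.00 Hz'

SAMPLE_DMESG='cpu0: Enhanced SpeedStep 2693 MHz: speeds: 1701, 1700, 1600, 1500, 1400, 1300, 1200, 1100, 1000, 900, 800 MHz'

# The speeds list starts with the turbo sentinel ("normal max" + 1);
# the entry after it is the highest speed the kernel sets explicitly.
turbo_sentinel_mhz() {
	printf '%s\n' "$1" | sed -n 's/.*speeds: *//p' | awk -F', *' '{ print $1 }'
}

nominal_max_mhz() {
	printf '%s\n' "$1" | sed -n 's/.*speeds: *//p' | awk -F', *' '{ print $2 }'
}

# What the kernel last requested; this only changes when the kernel sets a speed.
cpuspeed_mhz() {
	printf '%s\n' "$1" | sed -n 's/^hw\.cpuspeed=//p'
}

# What core N is actually doing right now, in whole MHz (the sensor reports Hz).
core_mhz() {
	printf '%s\n' "$1" | awk -v c="$2" -F'[= ]' \
		'BEGIN { key = "hw.sensors.cpu" c ".frequency0" }
		 $1 == key { printf "%d\n", $2 / 1000000 }'
}

# "yes" when hw.cpuspeed equals the turbo sentinel, i.e. the kernel has
# handed speed selection to the hardware and will not see further changes.
kernel_requested_turbo() {
	if [ "$(cpuspeed_mhz "$1")" = "$(turbo_sentinel_mhz "$2")" ]; then
		echo yes
	else
		echo no
	fi
}

# Classify core N against the nominal maximum: turbo / nominal / throttled.
core_state() {
	mhz=$(core_mhz "$1" "$3")
	max=$(nominal_max_mhz "$2")
	if [ "$mhz" -gt "$max" ]; then
		echo turbo
	elif [ "$mhz" -eq "$max" ]; then
		echo nominal
	else
		echo throttled
	fi
}

# Per-core report for the constructed sample.
report() {
	echo "kernel requested turbo: $(kernel_requested_turbo "$SAMPLE_SYSCTL" "$SAMPLE_DMESG")"
	for core in 0 1 2 3; do
		echo "cpu$core: $(core_mhz "$SAMPLE_SYSCTL" "$core") MHz ($(core_state "$SAMPLE_SYSCTL" "$SAMPLE_DMESG" "$core"))"
	done
}

report
```

The report shows the point of the thread directly: hw.cpuspeed sits at the sentinel value while the sensor lines show two cores above the nominal maximum and one throttled well below it.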



Re: pf nat64 rule not matching

2024-03-15 Thread Stuart Henderson via misc
On 2024-03-15, Tobias Fiebig via misc  wrote:
>
> Moin,
>>     # perform nat64 (NOT WORKING)
>>     pass in to 64:ff9b::/96 af-to inet from ($wan:0)
>
> Can you try if the same happens with a more specific rule (for
> testing)?
>
> i.e.:
>
> pass in on igc3 inet6 from "put actual v6 prefix here" to 64:ff9b::/96
> af-to inet from "actual IP on igc0"/32

"actual IP on igc0" is a good idea. If I try a similar rule without ()
using an interface with v4+v6 addresses, pfctl rejects it due to af
mismatch.

> I am suspecting that the missing inet6 may lead to some confusion.
> Alternatively, remove the block rules; URPF may be an issue here, if
> you lack a route for the /96.

"match log(matches)" and "tcpdump -neipflog0" are your friends for
figuring out which rules are used. I suspect the urpf too.

Regarding the other rules and tests: the ::1 rule is wrong, since packets
outgoing on the network won't have a ::1 address; try "!received-on
any". And packets sourced from the router itself won't hit the af-to
rule, so tests need to be from another machine (and probably best use
different DNS servers not doing dns64 on the router).




Re: USB peripherals hang, nothing in messages

2024-03-15 Thread Dan via misc


Interesting..

Laurence Tratt via misc :

> This sounds to me like it might be due to USB stack performance problems,
> though you'll at least want to give `dmesg` output so that those who better
> understand this have a chance of helping.
>
> FWIW, there seem to be notable differences in USB performance on nominally
> similar hardware with OpenBSD.

Do you suggest physically separating (via a hub) peripherals from
e.g. storage devices, for those working in this kind of fashion?

-Dan



Re: USB peripherals hang, nothing in messages

2024-03-15 Thread ofthecentury via misc
Thanks, this sounds about what I experience.
On Linux kernel it complains about some sort
of "potential EMI interference" when auto
disabling USB ports, and then it complains
that it cannot reenable it because it cannot
enumerate the device and assign it an address
or something.
I am curious how it's possible to debug this
on OpenBSD. Is there a way to enable debug
level verbosity on drivers? /var/log/messages
is so bareboned, almost spartan I would dare
to put forth.

On Fri, Mar 15, 2024 at 5:11 PM Laurence Tratt via misc
 wrote:
>
> On Wed, Mar 13, 2024 at 05:12:29PM +0500, ofthecentury wrote:
>
> > My USB mouse and keyboard hang intermittently.
> >
> > Very weird things happen, i.e. my mouse's red LED
> > light begins to flicker in a very weird fashion, or my
> > keyboard stops responding and my sound output
> > is suddenly muted by itself (I don't even touch sound).
> >
> > This was in the /var/log/messages regarding sound:
> > wrapper-2.0: vfprintf %s NULL in "[xfce-mixer-plugin.
> > c:374 xfce_mixer_plugin_set_property]: could not
> > set sound-card to '%s', trying the default card instead"
> > wrapper-2.0: vfprintf %s NULL in "%s: muted"
> >
> > Nothing else to show up in /var/log/messages. Is there
> > a more detailed log?
>
> This sounds to me like it might be due to USB stack performance problems,
> though you'll at least want to give `dmesg` output so that those who better
> understand this have a chance of helping.
>
> FWIW, there seem to be notable differences in USB performance on nominally
> similar hardware with OpenBSD. On an AMD 7900x w/MSI motherboard, I had
> very few USB performance problems (though there were other non-USB issues).
> On an Intel 13900k w/Asus motherboard I have frequent, significant, USB
> performance problems. Every USB peripheral suffers from random disconnects,
> particularly under load. This is most notable with USB sound and USB
> webcam, which disconnect several times per hour, but the USB keyboard and
> USB mouse are also sometimes affected (perhaps once a week, mostly the
> mouse).
>
> I have absolutely no idea what the cause for this difference might be. The
> CPU and motherboard differences might be significant or not, I don't know.
> And it may, or may not, have any relation to the symptoms you're seeing.
>
>
> Laurie
>



Re: USB peripherals hang, nothing in messages

2024-03-15 Thread Laurence Tratt via misc
On Wed, Mar 13, 2024 at 05:12:29PM +0500, ofthecentury wrote:

> My USB mouse and keyboard hang intermittently.
> 
> Very weird things happen, i.e. my mouse's red LED
> light begins to flicker in a very weird fashion, or my
> keyboard stops responding and my sound output
> is suddenly muted by itself (I don't even touch sound).
> 
> This was in the /var/log/messages regarding sound:
> wrapper-2.0: vfprintf %s NULL in "[xfce-mixer-plugin.
> c:374 xfce_mixer_plugin_set_property]: could not
> set sound-card to '%s', trying the default card instead"
> wrapper-2.0: vfprintf %s NULL in "%s: muted"
> 
> Nothing else to show up in /var/log/messages. Is there
> a more detailed log?

This sounds to me like it might be due to USB stack performance problems,
though you'll at least want to give `dmesg` output so that those who better
understand this have a chance of helping.

FWIW, there seem to be notable differences in USB performance on nominally
similar hardware with OpenBSD. On an AMD 7900x w/MSI motherboard, I had
very few USB performance problems (though there were other non-USB issues).
On an Intel 13900k w/Asus motherboard I have frequent, significant, USB
performance problems. Every USB peripheral suffers from random disconnects,
particularly under load. This is most notable with USB sound and USB
webcam, which disconnect several times per hour, but the USB keyboard and
USB mouse are also sometimes affected (perhaps once a week, mostly the
mouse).

I have absolutely no idea what the cause for this difference might be. The
CPU and motherboard differences might be significant or not, I don't know.
And it may, or may not, have any relation to the symptoms you're seeing.


Laurie



Re: Confusion about hw.cpuspeed

2024-03-15 Thread Christer Solskogen via misc
On Fri, Mar 15, 2024 at 11:43 AM Zé Loff via misc  wrote:

> Your cpu*.frequency lines show you that it does.

In that case, what does hw.cpuspeed mean?



Saving UKC> list output

2024-03-15 Thread ofthecentury via misc
When you want to turn off a device on OpenBSD you can do it at boot time
with the manual `boot -c` command. (Can also be automated.) After entering
`boot -c` you get the UKC> configuration prompt. I type `list` and get a
nice list of all drivers I can disable with `disable mei` or `disable lpc`.
But how do I get that list into a file so I can review it? Is there some
way to do it?
Thx!



Re: pf nat64 rule not matching

2024-03-15 Thread Tobias Fiebig via misc


Moin,
>     # perform nat64 (NOT WORKING)
>     pass in to 64:ff9b::/96 af-to inet from ($wan:0)

Can you try if the same happens with a more specific rule (for
testing)?

i.e.:

pass in on igc3 inet6 from "put actual v6 prefix here" to 64:ff9b::/96
af-to inet from "actual IP on igc0"/32

I am suspecting that the missing inet6 may lead to some confusion.
Alternatively, remove the block rules; URPF may be an issue here, if
you lack a route for the /96.

A minimal (== based on the default pf.conf) config working for me:

```
#	$OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

set skip on lo

block return	# block stateless traffic
pass		# establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild

pass in on vio0 inet6 from 2a06:d1c0:deac:1:d5:64:a115:1 to 2a06:d1c7:a:4764::/96 af-to inet from 193.104.168.184/29 random
```

With best regards,
Tobias



Re: Confusion about hw.cpuspeed

2024-03-15 Thread Zé Loff via misc
On Fri, Mar 15, 2024 at 10:09:37AM +0100, Christer Solskogen via misc wrote:
> On Fri, Mar 15, 2024 at 10:00 AM Jonathan Gray  wrote:
> >
> > On Fri, Mar 15, 2024 at 08:49:14AM +0100, Christer Solskogen via misc wrote:
> > > On Fri, Mar 15, 2024 at 1:15 AM Jonathan Gray  wrote:
> > > >
> > >
> > > > The 1MHz higher is the turbo setting.  When speedstep speeds are shown
> > > > in dmesg it is the highest.
> > > >
> > > > The sensors use cpu_hz_update_sensor().
> > > >
> > >
> > > I don't understand. dmesg says this:
> > > cpu0: Intel(R) N95, 2693.79 MHz, 06-be-00, patch 0015
> > >
> > > But hw.cpuspeed stays the same no matter what happens.
> >
> > your dmesg will have a "Enhanced SpeedStep" line, for example:
> > cpu0: Enhanced SpeedStep 2494 MHz: speeds: 2601, 2600, 2500, 2300, 2100, 
> > 2000, 1800, 1700, 1500, 1400, 1200, 1100, 900, 800, 600, 500 MHz
> >
> > hw.cpuspeed is only updated when a set speed is selected by the kernel.
> > With turbo mode the hardware continually changes the speed without
> > notifying the kernel.
> >
> > to force the lowest non-turbo mode
> >
> > sysctl hw.perfpolicy=manual
> > sysctl hw.setperf=0
> >
> 
> Ah, yes.
> cpu0: Enhanced SpeedStep 2693 MHz: speeds: 1701, 1700, 1600, 1500,
> 1400, 1300, 1200, 1100, 1000, 900, 800 MHz
> 
> I wonder why it never reaches 2,6GHz.
> 

Your cpu*.frequency lines show you that it does.

-- 
 



Re: Confusion about hw.cpuspeed

2024-03-15 Thread Christer Solskogen via misc
On Fri, Mar 15, 2024 at 10:00 AM Jonathan Gray  wrote:
>
> On Fri, Mar 15, 2024 at 08:49:14AM +0100, Christer Solskogen via misc wrote:
> > On Fri, Mar 15, 2024 at 1:15 AM Jonathan Gray  wrote:
> > >
> >
> > > The 1MHz higher is the turbo setting.  When speedstep speeds are shown
> > > in dmesg it is the highest.
> > >
> > > The sensors use cpu_hz_update_sensor().
> > >
> >
> > I don't understand. dmesg says this:
> > cpu0: Intel(R) N95, 2693.79 MHz, 06-be-00, patch 0015
> >
> > But hw.cpuspeed stays the same no matter what happens.
>
> your dmesg will have a "Enhanced SpeedStep" line, for example:
> cpu0: Enhanced SpeedStep 2494 MHz: speeds: 2601, 2600, 2500, 2300, 2100, 
> 2000, 1800, 1700, 1500, 1400, 1200, 1100, 900, 800, 600, 500 MHz
>
> hw.cpuspeed is only updated when a set speed is selected by the kernel.
> With turbo mode the hardware continually changes the speed without
> notifying the kernel.
>
> to force the lowest non-turbo mode
>
> sysctl hw.perfpolicy=manual
> sysctl hw.setperf=0
>

Ah, yes.
cpu0: Enhanced SpeedStep 2693 MHz: speeds: 1701, 1700, 1600, 1500,
1400, 1300, 1200, 1100, 1000, 900, 800 MHz

I wonder why it never reaches 2,6GHz.



Re: Confusion about hw.cpuspeed

2024-03-15 Thread Christer Solskogen via misc
On Fri, Mar 15, 2024 at 1:15 AM Jonathan Gray  wrote:
>

> The 1MHz higher is the turbo setting.  When speedstep speeds are shown
> in dmesg it is the highest.
>
> The sensors use cpu_hz_update_sensor().
>

I don't understand. dmesg says this:
cpu0: Intel(R) N95, 2693.79 MHz, 06-be-00, patch 0015

But hw.cpuspeed stays the same no matter what happens.



Re: Dell PowerEdge 750 Mellanox ConnectX-6 LX with 1G SFP SX

2024-03-14 Thread Jonathan Matthew via misc
On Thu, Mar 14, 2024 at 10:13:52AM +0100, Joerg Streckfuss wrote:
> 
> Hi misc,
> 
> I am trying to connect a 1GE SFP of type 1G SFP SX (Flexoptix S.8512.02.D)
> to a Power Edge R750 with a Connect Mellanox ConnectX-6 Lx.
> 
> The mellanox driver supports the corresponding mode. I think it should be
> "1000base-SGMII":
> 
> 
> mcx5: flags=8843 mtu 1500
> lladdr a0:88:c2:33:d1:b7
> index 8 priority 0 llprio 3
> media: Ethernet autoselect
> status: no carrier
> supported media:
> media 1000base-SGMII
> media 1000base-KX
> media 10GbaseKR
> media 10GSFP+Cu
> media 10GbaseSR
> media 10GbaseLR
> media 25GbaseCR
> media 25GbaseKR
> media 25GbaseSR
> media autoselect
> 
> 
> The SFP is recognized correctly:
> 
> 
> fw# ifconfig mcx5 transceiver
> mcx5: flags=8843 mtu 1500
> lladdr a0:88:c2:33:d1:b7
> index 8 priority 0 llprio 3
> media: Ethernet autoselect
> status: no carrier
> transceiver: SFP LC, 850 nm, 270m OM1, 550m OM2
> model: FLEXOPTIX S.8512.02.D rev A
> serial: F7AM3CB, date: 2023-06-13
> voltage: 3.30 V, bias current: 9.70 mA
> temp: 40.60 C (low -10.00 C, high 85.00 C)
> tx: -6.30 dBm (low -12.00 dBm, high -1.00 dBm)
> rx: -8.40 dBm (low -20.00 dBm, high 1.00 dBm)
> 
> 
> However, the status remains in state "no carrier". It is interesting to note
> that the interface can obviously receive network packets:

There are some extra media status bits that the driver wasn't checking,
so it didn't see that the link was up, which in turn stops it from sending
packets.

This diff adds the missing media status bits, which should get it working
for you.

diff --git sys/dev/pci/if_mcx.c sys/dev/pci/if_mcx.c
index 9108423827d..6b156ed3210 100644
--- sys/dev/pci/if_mcx.c
+++ sys/dev/pci/if_mcx.c
@@ -199,6 +199,19 @@ CTASSERT(MCX_MAX_QUEUES * MCX_WQ_DOORBELL_STRIDE <
 #define MCX_ETHER_CAP_50G_CR2  30
 #define MCX_ETHER_CAP_50G_KR2  31
 
+#define MCX_ETHER_EXT_CAP_SGMII_1000
+#define MCX_ETHER_EXT_CAP_1000_X   1
+#define MCX_ETHER_EXT_CAP_5G_R 3
+#define MCX_ETHER_EXT_CAP_XAUI 4
+#define MCX_ETHER_EXT_CAP_XLAUI5
+#define MCX_ETHER_EXT_CAP_25G_AUI1 6
+#define MCX_ETHER_EXT_CAP_50G_AUI2 7
+#define MCX_ETHER_EXT_CAP_50G_AUI1 8
+#define MCX_ETHER_EXT_CAP_CAUI49
+#define MCX_ETHER_EXT_CAP_100G_AUI210
+#define MCX_ETHER_EXT_CAP_200G_AUI412
+#define MCX_ETHER_EXT_CAP_400G_AUI815
+
 #define MCX_MAX_CQE32
 
 #define MCX_CMD_QUERY_HCA_CAP  0x100
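Review bot: as reproduced in this archive, the whitespace between each new macro name and its value has been collapsed (`MCX_ETHER_EXT_CAP_SGMII_1000`, `MCX_ETHER_EXT_CAP_XLAUI5`, `MCX_ETHER_EXT_CAP_CAUI49`, `MCX_ETHER_EXT_CAP_400G_AUI815`), so the names here no longer match the ones the third hunk indexes with (`MCX_ETHER_EXT_CAP_SGMII_100`, `MCX_ETHER_EXT_CAP_XLAUI`, `MCX_ETHER_EXT_CAP_CAUI4`); anyone applying the diff from this copy should take it from a source that preserved the tabs. Reading the values back, they appear to be 0, 1, 3, 4, 5, 6, 7, 8, 9, 10, 12 and 15, so bit positions 2, 11, 13 and 14 are deliberately unused; a one-line comment naming the register field these bit numbers index would make that gap obviously intentional rather than a typo.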
@@ -406,11 +419,14 @@ struct mcx_reg_ptys {
uint8_t rp_reserved2;
uint8_t rp_proto_mask;
 #define MCX_REG_PTYS_PROTO_MASK_ETH(1 << 2)
-   uint8_t rp_reserved3[8];
+   uint8_t rp_reserved3[4];
+   uint32_trp_ext_eth_proto_cap;
uint32_trp_eth_proto_cap;
-   uint8_t rp_reserved4[8];
+   uint8_t rp_reserved4[4];
+   uint32_trp_ext_eth_proto_admin;
uint32_trp_eth_proto_admin;
-   uint8_t rp_reserved5[8];
+   uint8_t rp_reserved5[4];
+   uint32_trp_ext_eth_proto_oper;
uint32_trp_eth_proto_oper;
uint8_t rp_reserved6[24];
 } __packed __aligned(4);
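Review bot: each reserved/field pair stays at 8 bytes (`rp_reserved3[8]` becomes `rp_reserved3[4]` plus a 32-bit `rp_ext_eth_proto_cap`, and likewise for admin and oper), so sizeof(struct mcx_reg_ptys) is unchanged and the `__packed __aligned(4)` layout still lines up with the register; since the ext word sitting immediately before the legacy word in each pair is the only thing distinguishing the two, a short comment on the struct stating that ordering would help the next reader. The archive has also fused type and name here (`uint32_trp_ext_eth_proto_cap`), same whitespace caveat as for the first hunk.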
@@ -2691,6 +2707,21 @@ static const struct mcx_eth_proto_capability 
mcx_eth_cap_map[] = {
[MCX_ETHER_CAP_50G_KR2] = { IFM_50G_KR2,IF_Gbps(50) },
 };
 
+static const struct mcx_eth_proto_capability mcx_ext_eth_cap_map[] = {
+   [MCX_ETHER_EXT_CAP_SGMII_100]   = { IFM_100_FX, IF_Mbps(100) },
+   [MCX_ETHER_EXT_CAP_1000_X]  = { IFM_1000_SX,IF_Gbps(1) },
+   [MCX_ETHER_EXT_CAP_5G_R]= { IFM_5000_T, IF_Gbps(5) },
+   [MCX_ETHER_EXT_CAP_XAUI]= { IFM_10G_SFI,IF_Gbps(10) },
+   [MCX_ETHER_EXT_CAP_XLAUI]   = { IFM_40G_XLPPI,  IF_Gbps(40) },
+   [MCX_ETHER_EXT_CAP_25G_AUI1]= { 0 /*IFM_25G_AUI*/,  IF_Gbps(25) },
+   [MCX_ETHER_EXT_CAP_50G_AUI2]= { 0 /*IFM_50G_AUI*/,  IF_Gbps(50) },
+   [MCX_ETHER_EXT_CAP_50G_AUI1]= { 0 /*IFM_50G_AUI*/,  IF_Gbps(50) },
+   [MCX_ETHER_EXT_CAP_CAUI4]   = { 0 /*IFM_100G_AUI*/, IF_Gbps(100) },
+   [MCX_ETHER_EXT_CAP_100G_AUI2]   = { 0 /*IFM_100G_AUI*/, IF_Gbps(100) },
+   [MCX_ETHER_EXT_CAP_200G_AUI4]   = { 0 /*IFM_200G_AUI*/, IF_Gbps(200) },
+   [MCX_ETHE
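Review bot: half of the new mcx_ext_eth_cap_map[] entries carry a media type of 0 (`0 /*IFM_25G_AUI*/`, `0 /*IFM_50G_AUI*/`, `0 /*IFM_100G_AUI*/`, `0 /*IFM_200G_AUI*/`), and the hunk is cut off in this archive before the code that walks the table over rp_ext_eth_proto_cap and rp_ext_eth_proto_oper is visible; that consumer needs to skip zero-media entries explicitly rather than register or report IFM type 0, and a comment on the table should say the commented-out names are placeholders until the corresponding ifmedia constants exist. The mapping of `MCX_ETHER_EXT_CAP_SGMII_100` to IFM_100_FX also deserves a comment explaining the choice, since the capability name says SGMII rather than fibre.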

pf nat64 rule not matching

2024-03-14 Thread Evan Sherwood via misc
Hello,

I'm trying to get a basic OpenBSD NAT64 router setup. I'm following
along with these instructions:

- https://blog.obtusenet.com/dns64-nat64-on-openbsd/

My unbound instance looks like it's correctly configured and returning
correct IPv6 addresses, so that's good.

# dig ipv4.google.com  +short
ipv4.l.google.com.
64:ff9b::8efa:bc0e

However, the pf rule using af-to does not appear to do anything and 
I haven't been able to figure out why. When I try to ping6, I get 100%
packet loss.

I inspected packets through tcpdump (after adding "log" to everything
in pf.conf) and nothing seems to be getting blocked, though it also
appears the 64:ff9b::/96 address are not being translated either; I
think the packets are passing through pf unchanged (the rule doesn't
apply, but I don't know why).

Here is my entire pf.conf:

wan   = "igc0"
trusted   = "igc1"
untrusted = "igc2"
iot   = "igc3"

cerberus_ssh = "36285"

table  persist file "/etc/martians" 

set block-policy drop
set loginterface egress
set skip on lo0

block in log quick from urpf-failed
block in log quick on egress from  to any
block return out log quick on egress from any to 
block return log all
pass

# allow IPv6 PD from ISP
pass in inet6 proto udp from fe80::/10 port dhcpv6-server to fe80::/10 port dhcpv6-client no state

# allow ICMPv6 traffic (necessary for IPv6 to work)
pass inet6 proto icmp6 all

# perform nat64 (NOT WORKING)
pass in to 64:ff9b::/96 af-to inet from ($wan:0)

# allow outbound queries from local unbound and NTP
pass out inet6 proto { tcp, udp } from ::1 to port { domain, ntp }

# allow DNS & NTP queries from the iot network
pass in on $iot proto { tcp, udp } from $iot:network to port { domain, ntp }

# allow ssh, http, & https
pass inet6 proto tcp to port { ssh, http, https, $cerberus_ssh }

I have IP forwarding turned on:

# sysctl | grep forwarding
net.inet.ip.forwarding=1
net.inet.ip.mforwarding=0
net.inet6.ip6.forwarding=1
net.inet6.ip6.mforwarding=1

I have an IPv4 and IPv6 address for igc0 via autoconf.

Here's a rough sketch of my network topology:

+---+
| ISP modem |
+---+
   |
   |
  igc0
+---+
| cerberus (OpenBSD router) |
+---+
  igc1  igc2 igc3
   | ||
   | ||
  ...   ...   +-+
  | vulpes (OpenBSD client) |
  +-+
  
From both vulpes and cerberus, ping6 ipv4.google.com hangs and never
returns.

I tried substituting ($wan:0) for my actual IPv4 address assigned to
igc0, but I got no change in behavior. I read in the man page that
:0 does not include aliases when used on an interface. When I print
the rules out using pfctl -vvsr, it gets expanded to (igc0:0:1),
which looks weird and I don't understand why. My understanding is
that it should be "... af-to inet from IPV4_ADDRESS_OF_WAN_IF", but
I don't know if (igc0:0:1) is the IPv4 address of igc0, and I can't
figure out how to verify if that's right... or even if that's
the problem in the first place and I'm chasing a red herring.

I feel like I'm missing something, but I can't see it. The Book of PF
doesn't have any information on NAT64 that I could see, and the man page
for pf.conf shows an example of what I'm already doing with no
additional instructions. I've found maybe 3 articles about NAT64 on
OpenBSD through searching, but none give me any more context or clues
beyond the one I mentioned earlier.

I'd appreciate any help I could get!

Evan
  

Here's my dmesg:

OpenBSD 7.4 (GENERIC.MP) #1397: Tue Oct 10 09:02:37 MDT 2023
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8332189696 (7946MB)
avail mem = 8059916288 (7686MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.5 @ 0x75d9f000 (122 entries)
bios0: vendor American Megatrends International, LLC. version "ALN4L102" date 
11/08/2023
bios0: Default string Default string
efi0 at bios0: UEFI 2.8
efi0: American Megatrends rev 0x5001a
acpi0 at bios0: ACPI 6.4
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP FIDT SSDT SSDT SSDT SSDT SSDT HPET APIC MCFG SSDT UEFI 
RTCT PSDS NHLT LPIT SSDT SSDT DBGP DBG2 SSDT DMAR FPDT SSDT SSDT SSDT SSDT TPM2 
PHAT WSMT
acpi0: wakeup devices PEGP(S4) PEGP(S4) PEGP(S4) SIO1(S3) RP09(S4) PXSX(S4) 
RP10(S4) PXSX(S4) RP11(S4) PXSX(S4) RP12(S4) PXSX(S4) RP13(S4) PXSX(S4) 
RP14(S4) PXSX(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 1920 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) N100, 3392.18 MHz, 06-be-00, patch 0012
cpu0: 

Re: Looking for a well supported wireless card

2024-03-14 Thread Stefan Moran via misc
On Thu, 14 Mar 2024 11:41:22 +0100
Stefan Sperling  wrote:

> On Thu, Mar 14, 2024 at 12:01:40AM -0400, Stefan Moran via misc wrote:
> > On Wed, 13 Mar 2024 20:58:12 +0100
> > Stefan Sperling  wrote:
> > 
> > > ...
> > > 
> > > iwm should work just fine.
> > 
> > I don't doubt it. I did some more research on my device (Intel AC
> > 7260, should have put it in my original message but I forgot to),
> > and it doesn't support MU-MIMO, which the router in the residence
> > I'm staying was set to use.
> 
> Interesting. This could be an interop issue, though in general the
> AP should be backwards compatible with 11ac MIMO.
> 
> There is a flag you can use to disable the use of MIMO in the driver:
> 
>   ifconfig iwm0 nwflag nomimo
> 
> This flag is generally only required if the second antenna is absent
> or damaged. Neither the driver nor firmware attempt to detect "dead"
> antennas. Apparently, this is too difficult to do reliably.

I notice the black antenna wire is very loose no matter how well I
connect it, so it could very well be an antenna issue, I could try
disconnecting it intentionally and see if my issues are the same to
verify.

> 
> > I got the admin to disable this on the router, and it
> > seems to be working better.
> 
> And the router is still using regular MIMO now?

Yes.

> 
> Plesae run this while associated:
> 
>   tcpdump -n -i iwm0 -y IEEE802_11_RADIO -v -s 4096 type mgt subtype
> beacon
> 
> And show the following fields:
> 
>   htcaps=<...> htop=<...> vhtcaps=<...> vhtop=<...>

htcaps=<20/40MHz,LDPC,SGI@20MHz,SGI@40MHz,TXSTBC,RXSTBC 1 stream,A-MSDU 
7935,A-MPDU max 65535,A-MPDU spacing 4.00us,RxMCS 0x>

htop=<40MHz chan 149:153,htprot 20MHz,non-greenfield STA,non-HT STA,basic MCS 
set 0x>

vhtcaps=

vhtop=<80MHz chan,center chan 155,basic MCS set 0-7@1SS 0-7@2SS 0-7@3SS 0-7@4SS 
0-7@5SS 0-7@6SS 0-7@7SS>

> ... 



Confusion about hw.cpuspeed

2024-03-14 Thread Christer Solskogen via misc
I've got a hold of two iKOOLCORE R2 today and installed OpenBSD(latest
amd64 snapshot) on them, but I can't seem to wrap my head around if
it's running at full speed or not.

hugs# sysctl hw
hw.machine=amd64
hw.model=Intel(R) N95
hw.ncpu=4
hw.byteorder=1234
hw.pagesize=4096
hw.disknames=sd0:d93f521d3c55b907,sd1:
hw.diskcount=2
hw.sensors.cpu0.temp0=44.00 degC
hw.sensors.cpu0.frequency0=27.00 Hz
hw.sensors.cpu1.frequency0=27.00 Hz
hw.sensors.cpu2.frequency0=27.00 Hz
hw.sensors.cpu3.frequency0=27.00 Hz
hw.sensors.acpitz0.temp0=27.80 degC (zone temperature)
hw.cpuspeed=1701
hw.setperf=100
hw.vendor=iKOOLCORE TECHNOLOGY
hw.product=iKOOLCORE R2
hw.version=Default string
hw.serialno=VME50IKLGT8
hw.uuid=20231018-4682-2636-0882-000392308688
hw.physmem=8272797696
hw.usermem=8272670720
hw.ncpufound=4
hw.allowpowerdown=1
hw.perfpolicy=auto
hw.smt=0
hw.ncpuonline=4
hw.power=1
hw.ucomnames=

hw.cpuspeed seems to suggest that it's running at 1701MHz, even if
apmd(-A) is running and/or if I have full load on the machine, while
hw.sensors.cpu*.frequency0 seems to suggest otherwise. That seems to
be running at full speed whether there's load on the machine or not.


-- 
chs



Re: Is this a security issue?

2024-03-13 Thread jslee via misc
Hi,

On Thu, 14 Mar 2024, at 00:25, ofthecentury wrote:
>. And I was under the impression there would be no graphics
> errors week 1 of me using OpenBSD due to the way OpenBSD was
> centered around code auditing and only releasing something very
> stable and tested, especially something so senstive as graphics.

A nice but naive assumption, I think.

There’s a wild variety of hardware out there and AIUI developers are mostly 
volunteers who probably give their paid jobs, family, etc a higher priority.

John



Re: Looking for a well supported wireless card

2024-03-13 Thread Stefan Moran via misc
On Wed, 13 Mar 2024 20:58:12 +0100
Stefan Sperling  wrote:

> ...
> 
> iwm should work just fine.

I don't doubt it. I did some more research on my device (Intel AC 7260,
should have put it in my original message but I forgot to), and it
doesn't support MU-MIMO, which the router in the residence I'm staying
was set to use. I got the admin to disable this on the router, and it
seems to be working better. Either way, I decided to order an Intel
AX210, which appears to be supported by iwx(4). I would have gone for
an Atheros device, but it seems 802.11ac support hasn't been added for
those yet (looking at ath(4) and athn(4)).

> Please make sure that both antennas are connected properly.

I reconnected the antennas, no different results.



Re: [TUHS] Re: SunOS 4 in 2024

2024-03-13 Thread Dan via misc


Prepare yourself, I feel Jan is around searching to bite anyone.. :-/


"Alexis via misc"  wrote:

> 
> Sorry for accidentally sending this here, rather than to the TUHS 
> list. :-/
> 
> Alexis  writes:
> [snip]
> 



Re: [TUHS] Re: SunOS 4 in 2024

2024-03-13 Thread Alexis via misc



Sorry for accidentally sending this here, rather than to the TUHS 
list. :-/


Alexis  writes:
[snip]



Re: [TUHS] Re: SunOS 4 in 2024

2024-03-13 Thread Alexis via misc

Henry Bent  writes:

> Now, I find that there is a fragmentation happening. There are those of us
> who still cling to mailing lists - like this one! - and those who are
> willing to navigate the realms of increasingly compartmentalized other
> forms of community, Discord included. The fact that there is not a
> recognized central repository of unpaid support for a product, like
> sun-managers, I find to be frustrating.


i basically agree. i won't dwell on this too much further because 
i recognise that i'm going off-topic, list-wise, but:


i think part of the problem is related to different people having 
different preferences around the interfaces they want/need for 
discussions. What's happened is that - for reasons i feel are 
typically due to a lock-in-oriented business model - many 
discussion systems don't provide different interfaces/'views' to 
the same underlying discussions. Which results in one community on 
platform X, another community on platform Y, another community on 
platform Z  Whereas, for example, the 'Rocksolid Light' 
BBS/forum software provides a Web-based interface to an underlying 
NNTP-based system, such that people can use their NNTP clients to 
engage in forum discussions. i wish this sort of approach was more 
common.



Alexis.



Re: Badwolf and LC_CTYPE

2024-03-13 Thread Dan via misc


For the same reason..

Looking at my dev env tcl/tk utilities.. tcl/tk also renders textboxes'
text in a different way, causing text or window objects to overlap too.


Dan  wrote:

> Hello,
> 
> Setting LC_CTYPE to zh_CN.UTF-8 in .xinitrc makes Badwolf (webkit)
> open websites in Chinese by default while Firefox remains
> in English.
> 
> Thxs!
> 
> -Dan



Badwolf and LC_CTYPE

2024-03-13 Thread Dan via misc
Hello,

Setting LC_CTYPE to zh_CN.UTF-8 in .xinitrc makes Badwolf (webkit)
open websites in Chinese by default while Firefox remains in
English.

Thxs!

-Dan



Re: DMARC/DKIM and OpenBSD Mailinglists

2024-03-13 Thread Tobias Fiebig via misc
Moin,

On Wed, 2024-03-13 at 11:54 -0600, Todd C. Miller wrote:
> I've just added support to our majordomo for rewriting the From:
> header when the sender's domain has a DMARC policy.  Messages from
> domains using DMARC will now have a From: header like:

Awesome, thanks!

> I could relax this but I worry that doing so will lower the IP or
> domain "reputation" in Google's eyes (something that is already a
> black box).

Yeah, it tends to be... difficult.

Did you already give https://email-security-scans.org/ a spin? Small
service we threw together, checking some stuff about sending behavior.

With best regards,
Tobias



webGL viewer, networkload without proper session, burning bun..

2024-03-13 Thread Dan via misc


Hello,

After my station had been unused for some hours, shell messages appeared
from Badwolf:
[...]
ERR: Display.cpp:1038 (initialize): ANGLE Display::initialize error
12289: Could not dlopen native EGL: File not found 
ERR: Display.cpp:1038 (initialize): ANGLE Display::initialize error
12289: Could not dlopen native EGL: File not found 
Attempted to create a NetworkLoad with a session
(id=9223372036854775815) that does not exist. 
Attempted to create a NetworkLoad with a session
(id=9223372036854775815) that does not exist

The first two lines are probably still related to the webGL animation
playing on my new website (actually it is played by a web viewer from a
3rd party portal probably using some special javascript api)..

Average temperature was stuck on 64C per core, against a normal
temperature of 54C.
I closed Badwolf and the temperature returned normal.

Don't tell me that I can expect to get a silicon-burned sandwich
inside my station like under Windows..


-Dan



Looking for a well supported wireless card

2024-03-13 Thread Stefan Moran via misc
I'm looking for a new M.2 wireless card for my Framework laptop (no
bios restrictions), and I'm wondering what would be the best supported
for use on OpenBSD. Currently I'm using an old intel device with the
iwm(4) driver, and I'm finding it's having trouble (lots of dropped
packets (even with a strong signal), weak signal) on newer network
configurations. Only requirements for the new device is that it must
support at least the 802.11ac standard (preferably 802.11ax), and be
the M.2 2230 form factor (See here:
https://guides.frame.work/Guide/WiFi+Replacement+Guide/96).

Bonus things I would want, if you know of any:
802.11ax support, for whenever that's added
Requires no badly licensed/proprietary firmware
Open hardware
a modem??? :D



Re: DMARC/DKIM and OpenBSD Mailinglists

2024-03-13 Thread Josh Grosse via misc
On March 13, 2024 1:54:14 PM EDT, "Todd C. Miller"  wrote:
>I've just added support to our majordomo for rewriting the From:
>header when the sender's domain has a DMARC policy.  Messages from
>domains using DMARC will now have a From: header like:
>
>    From: "John Connor via misc" 
>
>and the original From: address is preserved in the X-Original-From:
>header if one is not already present.
>
>This seems like the only reliable way to address the problem given
>that the mailing list server often reformats or otherwise modifies
>the message body.
>
>The rewriting currently happens even for a DMARC policy of "none"
>since some large senders (for example gmail.com) use a policy of
>"none" but receivers may still enforce SPF.  I could relax this but
>I worry that doing so will lower the IP or domain "reputation" in
>Google's eyes (something that is already a black box).
>
> - todd
>

Thank you! 

  -Josh-


Re: certbot in cron - best way?

2024-02-21 Thread misc



On 2/21/24 10:07, Stuart Henderson wrote:

You might like to investigate ~ in crontab(5), e.g. "~ 0,12" and lose
the "sleep".

Wouldn't it be better to have certbot write files into a directory
served by httpd so you don't need the "rcctl stop" though?


Yes, it would be better. Today I had a problem in which rcctl stop worked, but
rcctl start didn't.
Seems like --webroot from certbot can do the trick. Will test in a few days 
with an expiring certificate.

--fm


Re: certbot in cron - best way?

2024-02-20 Thread misc

Thanks. Worked like a charm.

Cheers,

--fm

On 2/20/24 12:54, Odhiambo Washington wrote:

On Tue, Feb 20, 2024 at 6:47 PM  wrote:


Hi misc,

Usually I am updating certificates manually this way:

rcctl stop httpd ; certbot certonly --standalone -d DOMAIN.org -m
notifyc...@domain.org ; rcctl start httpd

but recently saw newer certificates being deployed as 0001,0002,0003
etc, like:

/etc/letsencrypt/live/DOMAIN.org-0002/fullchain.pem

Which setup are you using to automatically update certs with certbot, in
cron, and keeping /etc/httpd.conf updated accordingly?


This should work:

0 0,12 * * * /bin/sleep 1552 &&  rcctl stop httpd  && certbot renew &&
rcctl start httpd


--



certbot in cron - best way?

2024-02-20 Thread misc

Hi misc,

Usually I am updating certificates manually this way:

rcctl stop httpd ; certbot certonly --standalone -d DOMAIN.org -m 
notifyc...@domain.org ; rcctl start httpd


but recently saw newer certificates being deployed as 0001,0002,0003 
etc, like:


/etc/letsencrypt/live/DOMAIN.org-0002/fullchain.pem

Which setup are you using to automatically update certs with certbot, in 
cron, and keeping /etc/httpd.conf updated accordingly?


Cheers,

--fm

--
Att.

(+5521) 97914-8106 (Signal)
PHOSPHORUS NETWORKS | HNO3 SYSTEMS
https://www.linkedin.com/in/fabio1337br/



Re: OT: SSH3 proposal

2024-02-05 Thread misc
I liked the ability to forward UDP packets as well, but that can be 
implemented in SSH itself, instead of adding another unnecessary layer.


On 2/5/24 04:26, Carlos Lopez wrote:

Hi all,

https://blog.apnic.net/2024/02/02/towards-ssh3-how-http-3-improves-secure-shells/

Uhmm ... ssh over http/3? What do you think about it?

Best regards,
C. L. Martinez


--
fm



Re: Upgrading from 7.3 to 7.4 with sysupgrade

2023-11-18 Thread misc
On Sat, Nov 18, 2023, at 11:57, Mark wrote:
> "> That will never happen."
> 
> And some serious reason?
> 
> It was a great idea indeed. :/

They don't go out of their way to assist with foot shooting.

The files under /usr take up about 8 GB and I've installed gnome
and what not.

Just get a bigger SD-card?  

puffy$ df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a      986M    128M    809M    14%    /
/dev/sd0l      131G    1.9G    123G     2%    /home
/dev/sd0d      3.9G   49.9M    3.6G     2%    /tmp
/dev/sd0f     23.5G    2.0G   20.3G    10%    /usr
/dev/sd0g      986M    290M    647M    31%    /usr/X11R6
/dev/sd0h     19.4G    4.9G   13.5G    27%    /usr/local
/dev/sd0k      5.8G   86.0K    5.5G     1%    /usr/obj
/dev/sd0j      2.9G    2.0K    2.8G     1%    /usr/src
/dev/sd0e     28.7G   79.5M   27.2G     1%    /var



How to print using Samsung ML-1670

2023-11-15 Thread misc
I want to print using my Samsung ML-1670.

Started up cupsd and set it up using Samsung_ML-1670_Series.ppd.

It doesn't print, status complains about "rastertospl" which I think is a 
linux(R) binary, and the linux emulation is gone now right?

Cups status message:

 Idle - "File "/usr/local/libexec/cups/filter/rastertospl" not available: 
No such file or directory"

I've tried choosing Samsung ML-1640 from the list instead, in which case 
printing fails claiming 'filter failed':

 stopped "Filter failed"
 
Any ideas?

Samsung_ML-1670_Series.ppd:

*PPD-Adobe: "4.3"
*% ===
*% PPD for Samsung ML-1670 Series CUPS
*% For Linux Only
*% === 
*FormatVersion: "4.3"
*FileVersion: "0.9"
*LanguageVersion: English
*LanguageEncoding: ISOLatin1
*PCFileName:"ML1670.ppd"
*Manufacturer: "SAMSUNG"
*Product:   "(LaserPrinter)"
*cupsVersion: 1.0
*cupsManualCopies: False
*% *cupsModelNumber is used as the indicator of variable bandwidth and QPDL version number field.
*% MSB 1st bit is index of variable bandwidth.
*% LSB 4bits - 1 is used as QPDL version number.
*% 1011 : variable bandwidth = True, QPDL version number = 3 - 1 = 2.
*cupsModelNumber:  134
*cupsFilter:  "application/vnd.cups-raster 0 rastertospl"
*% Emulators: Number Of Packet Size in KB + "_" + Compression Type + "_" + Emulation Name
*% FBB do not need this field. Newly introduced from CLP-600.
*Emulators: "Banded_JBIG_SPL-C_scms"
*ModelName: "Samsung ML-1670 Series"
*ShortNickName: "ML-1670"
*linuxLanguage: "SPL-C"
*linuxPriority: "1"
*linuxURL:"http://www.samsungprinter.com/"
*linuxIdentify: "ML-1670"
*NickName:  "Samsung ML-1670 Series"
*PSVersion: "(3010.000) 550"
*LanguageLevel: "3"
*ColorDevice:   False
*DefaultColorSpace: Gray
*FileSystem:  False
*Throughput:"21"

*%
*%LandscapeOrientation: Plus90
*%VariablePaperSize: False
*%TTRasterizer: Type42
*% Base options group 
*%

*OpenGroup: General/General
*% =
*%  Color & Gray Option
*% =
*OpenUI *ColorModel/Color Mode: PickOne
*OrderDependency: 10 AnySetup *ColorModel
*DefaultColorModel: Gray
*ColorModel Gray/Grayscale: "<>setpagedevice"
*CloseUI: *ColorModel

*secPJLColorModel Gray/Grayscale: "@PJL SET COLORMODE = MONO<0A>"

*% =
*%  Media Type
*% =
*JCLOpenUI *MediaType/Paper Type: PickOne
*OrderDependency: 10 JCLSetup *MediaType
*DefaultMediaType: None
*MediaType None/Printer Default: "@PJL SET PAPERTYPE = OFF<0A>"
*MediaType Plain/Plain: "@PJL SET PAPERTYPE = NORMAL<0A>"
*MediaType Thick/Thick: "@PJL SET PAPERTYPE = THICK<0A>"
*MediaType Thin/Thin: "@PJL SET PAPERTYPE = THIN<0A>"
*MediaType OHP/Transparency: "@PJL SET PAPERTYPE = OHP<0A>"
*MediaType Bond/Bond: "@PJL SET PAPERTYPE = BOND<0A>"
*MediaType Color/Color: "@PJL SET PAPERTYPE = COLOR<0A>"
*MediaType Card/CardStock: "@PJL SET PAPERTYPE = CARD<0A>"
*MediaType Labels/Labels: "@PJL SET PAPERTYPE = LABEL<0A>"
*MediaType Preprinted/Preprinted: "@PJL SET PAPERTYPE = USED<0A>"   
*MediaType Cotton/Cotton: "@PJL SET PAPERTYPE = COTTON<0A>" 
*MediaType Archive/Archive: "@PJL SET PAPERTYPE = ARCHIVE<0A>" 
*MediaType Recycled/Recycled: "@PJL SET PAPERTYPE = RECYCLED<0A>" 
*MediaType Envelope/Envelope: "@PJL SET PAPERTYPE = ENV<0A>" 
*JCLCloseUI: *MediaType

*% =
*%  Quality
*% =
*OpenUI *Quality/Quality: PickOne
*OrderDependency: 10 AnySetup *Quality
*DefaultQuality: 600x600_Draft
*Quality 600x600_Best/1200 dpi(Best) : "<>setpagedevice"
*Quality 600x600_Draft/600 dpi(Normal): "<>setpagedevice"
*CloseUI: *Quality

*DefaultResolution: 600dpi

*% =
*%  Paper Source
*% =
*OpenUI *InputSlot/Paper Source: PickOne
*OrderDependency: 25 AnySetup *InputSlot
*DefaultInputSlot: Auto
*InputSlot Auto/Auto Selection: ""
*InputSlot Manual/Manual Feeder: ""
*%InputSlot Upper/Tray 1: ""
*CloseUI: *InputSlot


*% =
*%  Paper Handling
*% =
*% Use these entries to set paper size unless there is a specific
*% reason to use PageRegion, such as when using manual Feeder.
*OpenUI *PageSize/Page Size: PickOne
*OrderDependency: 30 AnySetup *PageSize
*DefaultPageSize: Letter
*PageSize Letter/Letter: "<> /PageSize [612 792] /ImagingBBox null>> setpagedevice"
*PageSize Legal/Legal: "<> /PageSize [612 1008] /ImagingBBox null>> setpagedevice"
*PageSize A4/A4: "<> /PageSize [595 842] /ImagingBBox null>> 

Re: OpenBSD FDE: Protect with keydisk + passphrase

2023-11-06 Thread misc

On 11/6/23 17:01, tetrosalame wrote:

On 05/11/2023 12:16, m...@phosphorus.com.br wrote:
[...]
Now I use FDE with a keydisk, but would like to protect the bootable 
system with a keydisk + passphrase (something you have + something you 
know).


Any chance doing this directly using bioctl ?


I don't think so: softraid's on-disk volume key can be encrypted with 
a keydisk or with a passphrase. Not both of them.
See this recent explanation written by Stefan Sperling: 
https://marc.info/?l=openbsd-misc&m=168500028802972&w=2 


@https://marc.info/?l=openbsd-misc&m=168500028802972&w=2

It is not yet possible to encrypt a key disk with a passphrase, which would
provide two-factor authentication. There is no technical reason which would
prevent this from being implemented, it just hasn't been done.


Thanks. Will take a look in the code.



OpenBSD FDE: Protect with keydisk + passphrase

2023-11-05 Thread misc

Hi misc,

In the past, I used to mount a secondary drive into /mnt/, the keydisk 
protected by a password.


Now I use FDE with a keydisk, but would like to protect the bootable 
system with a keydisk + passphrase (something you have + something you know).


Any chance doing this directly using bioctl ?

-fm



Re: OpenBSD 7.4 released -- Oct 16, 2023

2023-10-18 Thread misc

Same. Preparing to upgrade.

On 10/16/23 10:42, Claudio Miranda wrote:

Congratulations to Theo and everyone involved in making OpenBSD 7.4 a
reality and for this awesome project altogether! I also love the
artwork (big thanks also to the artist that created it). so I'll be
getting some 7.4 merch soon!

Claudio Miranda

On Mon, Oct 16, 2023 at 9:37 AM pela0  wrote:

Upgrading...

;)




--- Original Message ---
On Monday, October 16th, 2023 at 09:53, Theo de Raadt  
wrote:






- OpenBSD 7.4 RELEASED -

October 16, 2023.

We are pleased to announce the official release of OpenBSD 7.4.
This is our 55th release. We remain proud of OpenBSD's record of more
than twenty years with only two remote holes in the default install.

As in our previous releases, 7.4 provides significant improvements,
including new features, in nearly all areas of the system:

- Various kernel improvements:
o On arm64, show BTI and SBSS features in dmesg(8).
o New kqueue1(2) system call supporting the O_CLOEXEC flag.
o Map device tree read/write to unbreak root on softraid(4).
o Correctly recognize umass(4) floppy disk devices as floppy disks.
o In wscons(4), catch up with box drawing characters which have been
standardized in unicode after the original wscons code was written
and chose placeholder values.
o In wscons(4), make sure we do not increase the escape sequence
argument count beyond usable bounds.
o Implement dt(4) utrace(2) support on amd64 and i386.
o Correct undefined behavior when using MS-DOS filesystems, fixes
imported from FreeBSD.
o Make the softdep mount(8) option a no-op. Softdep was a
significant impediment to improving the vfs layer.
o Allow unveil(2)ed programs to dump core(5) into the current
working directory.
o Address incomplete validation of ELF program headers in execve(2).
o On arm64, use the deep idle state available on Apple M1/M2 cores
in the idle loop and for suspend, resulting in power savings.
o Update AMD CPU microcode if a newer patch is available.
o Enable a workaround for the 'Zenbleed' AMD CPU bug.
o Report speculation control bits in dmesg(8) CPU lines.
o To give the primary CPU an opportunity to perform clock interrupt
preparation in a machine-independent manner we need to separate
the "initialization" parts of cpu_initclocks() from the "start the
clock interrupt" parts. Separate cpu_initclocks() from
cpu_startclock().
o Fix a problem where CPU time accounting and RLIMIT_CPU was
unreliable on idle systems.
o Improve the output of the "show proc" command of the kernel
debugger ddb(4) and show both the PID and TID of the proc.

- SMP Improvements
o Rewrite pfsync(4), in particular to improve locking and to help
with unlocking more of pf(4) and with parallelisation of the
network stack in the future. The protocol remains compatible with
the older version.
o Remove kernel locks from the ARP input path.
o Pull MP-safe arprequest() out of kernel lock.
o Remove the kernel lock from IPv6 neighbor discovery.
o Unlock more parts of ioctl(2) and the routing code in the network
stack.

- Direct Rendering Manager and graphics drivers
o Update drm(4) to Linux 6.1.55.
o Don't change end marker in sg_set_page(). Caused bad memory
accesses when using page flipping on Alder Lake and Raptor Lake.

- VMM/VMD improvements
o Allowed vmm(4) guests to enable and use supervisor IBT.
o Suppressed AMD hardware p-state visibility to vmm(4) guests.
o Avoid use of uninitialised memory in vmd(8).
o Migrate vmd_vm.vm_ttyname to char array allowing a vmd_vm object
to be transmitted over an ipc channel.
o Cleaned up file descriptor closing in vmd(8) vmm process.
o Fixed vm send/receive, restoring device virtqueue addresses on
receive.
o Introduced execvp(3) after fork for child vm processes.
o No longer generate an error in vmd(8) if vm.conf(5) is absent.
o Split vmm(4) into MI/MD parts.
o Introduced multi-process model for vmd(8) virtio block and network
devices.
o Allowed vm owners to override boot kernel when using vmctl(8) to
start a vm.
o Changed staggered start of vms to number of online CPUs.
o Fixed a segfault on vm creation.
o Switched to anonymous shared memory mappings for vmd(8) vm
processes, introducing a new vmm(4) ioctl(2).
o Relaxed absolute path requirements for vmd(8) configtest mode
(-n).
o Adjusted shutdown logic by vm id to function similarly as by name.
o Moved validation of local network prefixes for the internal vmd(8)
DHCP service into the config parser.
o Fixed QCOW2 base images when used with the vmd(8) multi-process
device model.
o Fixed setting verbose logging in child processes.
o Fixed a race condition related to the emulated i8259 interrupt
controller by ignoring interrupt masks on assert.
o Inlined pending interrupts in the vmm(4) ioctl(2) for running the
vcpu, reducing vm latency.
o Added zero-copy, vectored io to the vmd(8) virtio block device.
o Changed to logging 

mail.openbsd.org behaviour

2023-10-16 Thread misc

Hi misc,

Recently I am receiving these lines from mail.openbsd.org:

2023-10-16 16:34:06 no MAIL in SMTP connection from (mail.openbsd.org) 
[199.185.178.25] D=11s X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no 
C=EHLO,STARTTLS,EHLO,QUIT


Is that normal? Any misconfiguration from my side?

Regards,

Fabio



Re: openFPGAloader successfully built, but can't flash with ftdi error

2023-10-05 Thread misc
This subject interests me a lot. Can you tell us which model of FPGA 
you have bought / are using?


On 10/5/23 21:01, S V wrote:

Good Day, List!

This mail is a call for help, advice and to stir interest.

While playing with an open source workflow for FPGA chips
I found with pleasure that not only are GoWin FPGAs supported by open
source tools, but also all the needed tools are easily built on OpenBSD
(working on ports now). yosys, project apycula, nextpnr-gowin and
openFPGAloader all build successfully.

But I can't flash the "compiled" bitstream to the hardware device with
openFPGAloader.

Here is a description of the problem:

After building the software and attaching the HW I can successfully scan usb

found 10 USB device
Bus device vid:pid probe type manufacturer serial product
000 001 0x:0x xvc-client Generic none xHCI root hub
001 001 0x:0x xvc-client Generic none xHCI root hub
001 005 0x0403:0x6010 FTDI2232 SIPEED FactoryAIOT Pro JTAG Debugger

but I can't detect or flash the bitstream, with the following error

doas openFPGALoader -b tangnano9k pack.fs --verbose-level=3
try to open 403 6010 0 0
iProduct : JTAG Debugger
8
b
8
b
fail to read data usb bulk read failed
JTAG init failed with: low level FTDI init failed


here is dmesg

 uftdi0 at uhub3 port 3 configuration 1 interface 0 "SIPEED JTAG
Debugger" rev 2.00/5.00 addr 5 ucom0 at uftdi0 portno 1
 uftdi1 at uhub3 port 3 configuration 1 interface 1 "SIPEED JTAG
Debugger" rev 2.00/5.00 addr 5 ucom1 at uftdi1 portno 2

and also the usbdevs output

 addr 05: 0403:6010 SIPEED, JTAG Debugger
 full speed, power 90 mA, config 1, rev 5.00, iSerial FactoryAIOT Pro
 driver: uftdi0
 driver: uftdi1


I also posted issue to original github
https://github.com/trabucayre/openFPGALoader/issues/382

Any tips and tricks on how to debug it? Any interest in helping?





Re: keepassxc-2.7 + Hardware Key

2023-10-02 Thread misc

ping

On 9/30/23 07:39, m...@phosphorus.com.br wrote:
Hi, anyone using keepassxc-2.7.4p2 with a hardware dongle - preferably 
opensource or DIY type - successfully in OpenBSD?



--

Fabio





keepassxc-2.7 + Hardware Key

2023-09-30 Thread misc
Hi, anyone using keepassxc-2.7.4p2 with a hardware dongle - preferably 
opensource or DIY type - successfully in OpenBSD?



--

Fabio



Re: Panic during 7.3 installation on VM

2023-09-26 Thread misc
Also got a lot of these trying to install 7.3 in Virtualbox, under 
Linux. Then installed in tmpfs (memory) and later moved the virtual disk 
(.vdi) to the SATA disk, then it booted properly. The SATA disk isn't 
corrupted, so it must be something related to disk access / read / write 
speed, while under virtualization.


On 9/26/23 09:08, Alessandro Baggi wrote:

Hi list,
I'm trying to install OpenBSD 7.3 on a VM (Linux KVM) but when it 
starts to install sets I get a panic and "syncing disk... 8 8 8 8 ..." 
until it reboots automatically.


This is a simple installation, no disk encryption, default OpenBSD 
layout...


The VM has VNC Server as "graphic" instead of spice, disk is SATA and 
it has fixed allocation.


Can someone put me in the right direction?

Thank you in advance.





Re: OpenBSD FUD with Contributing

2023-09-24 Thread misc



On 9/24/23 15:56, Christoff Humphries wrote:

...
(Theo still has some of the best quotes on the Internet.)



Used this one, for quite some time, as my email signature a few years ago:

“You've been smoking something really mind altering, and I think you 
should share it.” (Theo de Raadt)





Re: Correct donation page

2023-09-11 Thread misc



On 9/11/23 07:40, Stuart Henderson wrote:

That page probably just needs updating. Used to be done via
bitpay, but not any more.


I see coingate being used by a few companies, and some sites say it is 
good for companies/organizations outside the USA. Transaction fee is 1% 
and supports 70+ coins. Meanwhile, ppl from 
https://www.openbsdfoundation.org/donations.html can simply open a 
wallet and post the address in the donations.html page (binance, 
blockchain.com/wallet, others..)


Correct donation page

2023-09-08 Thread misc

Hi misc,

Trying to donate some BTC. In the donation page 
"https://www.openbsd.org/donations.html"


There is a mention to cryptocurrencies being accepted.

The OpenBSD Foundation collects donations by Cheque, Bank Draft, PayPal, 
PayPal recurring, or Bitcoin. 
<https://www.openbsdfoundation.org/donations.html>


Following "https://www.openbsdfoundation.org/donations.html" lacks an 
address to receive the funds.


Cheers


AR9485 on Lenovo G505 not configured.

2023-08-17 Thread misc
v 2.00/1.00 
addr 1
ohci1 at pci0 dev 19 function 0 "AMD Hudson-2 USB" rev 0x39: apic 4 int 18, 
version 1.0, legacy support
ehci1 at pci0 dev 19 function 2 "AMD Hudson-2 USB2" rev 0x39: apic 4 int 17
usb2 at ehci1: USB revision 2.0
uhub2 at usb2 configuration 1 interface 0 "AMD EHCI root hub" rev 2.00/1.00 
addr 1
piixpm0 at pci0 dev 20 function 0 "AMD Hudson-2 SMBus" rev 0x3a: SMBus disabled
azalia1 at pci0 dev 20 function 2 "AMD Hudson-2 HD Audio" rev 0x02: apic 4 int 
16
azalia1: codecs: Conexant/0x5115
audio0 at azalia1
pcib0 at pci0 dev 20 function 3 "AMD Hudson-2 LPC" rev 0x11
pchb2 at pci0 dev 24 function 0 "AMD 16h Link Cfg" rev 0x00
pchb3 at pci0 dev 24 function 1 "AMD 16h Address Map" rev 0x00
pchb4 at pci0 dev 24 function 2 "AMD 16h DRAM Cfg" rev 0x00
km0 at pci0 dev 24 function 3 "AMD 16h Misc Cfg" rev 0x00
pchb5 at pci0 dev 24 function 4 "AMD 16h CPU Power" rev 0x00
pchb6 at pci0 dev 24 function 5 vendor "AMD", unknown product 0x1535 rev 0x00
usb3 at ohci0: USB revision 1.0
uhub3 at usb3 configuration 1 interface 0 "AMD OHCI root hub" rev 1.00/1.00 
addr 1
usb4 at ohci1: USB revision 1.0
uhub4 at usb4 configuration 1 interface 0 "AMD OHCI root hub" rev 1.00/1.00 
addr 1
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pms0: Synaptics touchpad, firmware 7.5, 0x1e0b1 0x24 0x189f0c 0xd00073 
0xa0400
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
vmm0 at mainbus0: SVM/RVI
efifb at mainbus0 not configured
uvideo0 at uhub1 port 4 configuration 1 interface 0 "CGCD8N0ZB Lenovo 
EasyCamera" rev 2.00/0.10 addr 2
video0 at uvideo0
ugen0 at uhub2 port 1 "Generic USB2.0-CRW" rev 2.00/39.60 addr 2
ugen1 at uhub4 port 2 "Atheros Communications Bluetooth USB Host Controller" 
rev 1.10/0.01 addr 2
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on sd0a (f00f087230c26ec6.a) swap on sd0b dump on sd0b
radeondrm0: KABINI
radeondrm0: 1366x768, 32bpp
wsdisplay0 at radeondrm0 mux 1: console (std, vt100 emulation), using wskbd0
wsdisplay0: screen 1-5 added (std, vt100 emulation)


2:0:0: Atheros AR9485
0x: Vendor ID: 168c, Product ID: 0032
0x0004: Command: 0003, Status: 0010
0x0008: Class: 02 Network, Subclass: 80 Miscellaneous,
Interface: 00, Revision: 01
0x000c: BIST: 00, Header Type: 00, Latency Timer: 00,
Cache Line Size: 10
0x0010: BAR mem 64bit addr: 0xf080/0x0008
0x0018: BAR empty ()
0x001c: BAR empty ()
0x0020: BAR empty ()
0x0024: BAR empty ()
0x0028: Cardbus CIS: 
0x002c: Subsystem Vendor ID: 17aa Product ID: 3218
0x0030: Expansion ROM Base Address: 
0x0038: 
0x003c: Interrupt Pin: 01 Line: 03 Min Gnt: 00 Max Lat: 00
0x0040: Capability 0x01: Power Management
State: D0
0x0050: Capability 0x05: Message Signalled Interrupts (MSI)
Enabled: no
0x0070: Capability 0x10: PCI Express
Max Payload Size: 128 / 128 bytes
Max Read Request Size: 512 bytes
Link Speed: 2.5 / 2.5 GT/s
Link Width: x1 / x1
0x0100: Enhanced Capability 0x01: Advanced Error Reporting
0x0140: Enhanced Capability 0x02: Virtual Channel Capability
0x0160: Enhanced Capability 0x03: Device Serial Number
Serial Number: 



Re: xenodm + Xvfb + x11vnc = virtual display for vmm(4) OpenBSD guests

2023-07-18 Thread misc



Thanks, will test. Will be useful.

On 7/18/23 20:09, Morgan Aldridge wrote:

I'm maintaining an OpenBSD X11 window manager (WM) port, but try to
keep my primary workstation on -stable, so do most of my development
there and test in Xephyr. I test & submit patches from an OpenBSD
-current VM running under vmm(4), but since vmm(4) doesn't emulate
video hardware, I haven't been run-testing there.

I'm already comfortable with x11vnc under OpenBSD, plus Xephyr, but
they both use an existing X display. After studying xenodm(1),
Xvfb(1), x11vnc(1), and a bunch of other X(1)-related manual pages,
plus tons of experimenting, the solution was actually quite simple.

TL; DR

I couldn't find much on the Internet, list archives, etc., regarding this
specific situation, so here's my solution for a [slow] X11 virtual
display on a vmm(4) OpenBSD guest, accessible via VNC over an SSH
tunnel:

   doas rcctl enable xenodm
   doas rcctl set xenodm flags \
 "-server ':0 local /usr/X11R6/bin/Xvfb :0 -screen 1024x768x24 -shmem'"
   doas rcctl start xenodm
   doas pkg_add x11vnc
   doas rcctl enable x11vnc
   doas rcctl start x11vnc

Hope someone else finds this useful down the road,

Morgan





Re: Encrypted softraid - Operational question

2023-05-01 Thread misc

Thanks man. Will use it.

On 2023-05-01 11:39, Thomas Bohl wrote:

Hi

In a server with an encrypted root - server boots with key in USB 
stick, not passphrase.


Can I remove the USB stick with the key, after the server is up and 
running?


Yes



Will I have any problems doing that?


No. Though not at the moment, I used such a setup for years. Only 
inserting the stick for reboots.




Encrypted softraid - Operational question

2023-05-01 Thread misc

Hi misc,

In a server with an encrypted root - server boots with key in USB stick, 
not passphrase.


Can I remove the USB stick with the key, after the server is up and 
running? Will I have any problems doing that?


I know that in the case of a reboot, it will be necessary to go and 
re-insert the USB stick holding the encryption key. I plan to use a good 
UPS/batteries to avoid that.


Thanks in advance.



Re: acme-client fails to renew certificate

2023-04-12 Thread misc



I do not know about acme-client, but certbot works pretty well:

mwavetorture# rcctl stop httpd ; certbot certonly --agree-tos 
--standalone -d web.XXX.com.br



On 2023-04-12 10:36, rea...@catastrophe.net wrote:
I started having some problems with cert renewal using acme-client after
upgrading to 7.3 (not really sure 7.3 has anything to do with the following,
however). I've verified that nothing has changed and that httpd is listening
correctly, etc.

When I run acme-client and watch for any changes to
/var/www/htdocs/example.org/.well-known/acme-client I never see any files
being written to that directory (which is likely leading to the 404). Is
the client supposed to write a temporary file for remote validation?

Does anyone see any issues with the configurations that follow the output
which may have any errors?

Thanks in advance.


# acme-client -v www.example.com
acme-client: /etc/ssl/certs/www.example.com.chain.pem: certificate renewable: 29 days left
acme-client: https://acme-v02.api.letsencrypt.org/directory: directories
acme-client: acme-v02.api.letsencrypt.org: DNS: 172.65.32.248
acme-client: acme-v02.api.letsencrypt.org: DNS: 2606:4700:60:0:f53d:5624:85c7:3a2c
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728127
acme-client: challenge, token: 2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728127/CSJfMg, status: 0
acme-client: /var/www/acme/2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk: created
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728137
acme-client: challenge, token: 8WJnGzDwxV_tKSJaV4fsavxB5maBIkaDhozevCWPwH8, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728137/sCRFpw, status: 0
acme-client: /var/www/acme/8WJnGzDwxV_tKSJaV4fsavxB5maBIkaDhozevCWPwH8: created
acme-client: https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728127/CSJfMg: challenge
acme-client: https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728137/sCRFpw: challenge
acme-client: order.status 0
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728127
acme-client: challenge, token: 2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728127/CSJfMg, status: -1
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728137
acme-client: challenge, token: 8WJnGzDwxV_tKSJaV4fsavxB5maBIkaDhozevCWPwH8, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728137/sCRFpw, status: -1
acme-client: order.status -1
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728127
acme-client: 2600:fee:bee::e:8:0: Invalid response from https://www.example.com/.well-known/acme-challenge/2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk: 404
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728137
acme-client: 2600:fee:bee::e:8:0: Invalid response from https://www.example.com/.well-known/acme-challenge/8WJnGzDwxV_tKSJaV4fsavxB5maBIkaDhozevCWPwH8: 404
acme-client: bad exit: netproc(16493): 1


### The www directory for the acme-challenge exists:

# ls -ld /var/www/htdocs/example.com/.well-known/acme-challenge/
drwxr-xr-x  2 username  staff  512 Apr 12 08:08 /var/www/htdocs/example.com/.well-known/acme-challenge/



### Relevant portions of my httpd.conf

www_v4="x.y.10.10"
www_v6_a="2600:fee:bee::e:8:0"

server "www.example.com" {
  listen on $www_v4 tls port 443
  listen on $www_v6_a tls port 443
  tls {
    certificate "/etc/ssl/certs/www.example.com.chain.pem"
    key "/etc/ssl/private/www.example.com.key.pem"
    protocols "TLSv1.2,TLSv1.3"
  }
  hsts {
    max-age 31536000
    preload
    subdomains
  }
  log style combined
  log { access "access.log", error "error.log" }
  root "/htdocs/example.com"
  directory auto index
}

server "example.com" {
  listen on $www_v4 tls port 443
  listen on $www_v6_a tls port 443
  tls {
    certificate "/etc/ssl/certs/www.example.com.chain.pem"
    key "/etc/ssl/private/www.example.com.key.pem"
    protocols "TLSv1.2,TLSv1.3"
  }
  hsts {
    max-age 31536000
    preload
    subdomains
  }
  log style combined
  log { access "access.log", error "error.log" }
  root "/htdocs/example.com"
  directory auto index
}

server "www.example.com" {
  listen on $www_v4   port 80
  listen on $www_v6_a port 80
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
  block return 301 "https://www.example.com$REQUEST_URI"
}

server "example.com" {
  listen on $www_v4   port 80
  listen on $www_v6_a port 80
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
  block return 301 "https://www.example.com$REQUEST_URI"
}


### ACME client config

# acme-client.conf
authority letsencrypt {
  api url "https://acme-v02.api.letsencrypt.org/directory"
  account key 
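Both the certbot thread above (serve the challenge files from a directory httpd already serves instead of stopping httpd) and this log, where the validator's final request is an https URL that answers 404, come down to which server block answers /.well-known/acme-challenge/. As an added example, not the poster's code, here is an offline check over a constructed httpd.conf that mirrors the layout posted above (the example.com name and 192.0.2.10 address are placeholders); it flags a port-80 block that redirects to an https block lacking the acme-challenge location, and shows that copying the location into the https block clears the finding.

```python
"""Offline check: can each https server block answer an HTTP-01 challenge?

Constructed example, not the poster's file: the port-80 block serves
/.well-known/acme-challenge/ from /acme and 301s everything else to https,
while the port-443 block has no such location, so a validator following the
301 asks the https block for the token and gets a 404 from its own root.
"""
import re

ACME_PATH = "/.well-known/acme-challenge/"

# Constructed sample; 192.0.2.10 is a documentation address, not a real host.
BROKEN_CONF = """
www_v4="192.0.2.10"
server "www.example.com" {
  listen on $www_v4 tls port 443
  tls {
    certificate "/etc/ssl/certs/www.example.com.chain.pem"
    key "/etc/ssl/private/www.example.com.key.pem"
  }
  root "/htdocs/example.com"
}
server "www.example.com" {
  listen on $www_v4 port 80
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
  block return 301 "https://www.example.com$REQUEST_URI"
}
"""

# Same file with the acme-challenge location copied into the https block.
FIXED_CONF = BROKEN_CONF.replace(
    '  root "/htdocs/example.com"\n}',
    '  location "/.well-known/acme-challenge/*" {\n'
    '    root "/acme"\n    request strip 2\n  }\n'
    '  root "/htdocs/example.com"\n}', 1)

SERVER_RE = re.compile(r'^server\s+"([^"]+)"\s*\{')
LISTEN_RE = re.compile(r'^listen\s+on\s+\S+(\s+tls)?\s+port\s+\d+')
LOCATION_RE = re.compile(r'^location\s+"([^"]+)"\s*\{')
# Only the host of an https redirect target is captured; $REQUEST_URI etc. are dropped.
REDIRECT_RE = re.compile(r'^block\s+return\s+30[1278]\s+"https://([^/$:"]+)')


def parse_servers(text):
    """One dict per server block (name, tls flag, locations, redirect host).
    Only the directives the audit needs are recognised; nested blocks such
    as tls {} and hsts {} are tracked by brace depth and otherwise ignored."""
    servers, current, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if depth == 0:
            m = SERVER_RE.match(line)
            if m:
                current = {"name": m.group(1), "tls": False,
                           "locations": [], "redirect": None}
                servers.append(current)
                depth = 1
            continue
        if depth == 1:
            if (m := LISTEN_RE.match(line)) and m.group(1):
                current["tls"] = True
            elif (m := LOCATION_RE.match(line)):
                current["locations"].append(m.group(1))
            elif (m := REDIRECT_RE.match(line)):
                current["redirect"] = m.group(1)
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current = None
    return servers


def serves_acme(server):
    return any(loc.startswith(ACME_PATH) for loc in server["locations"])


def audit(servers):
    """Flag port-80 redirects whose https target cannot serve the token.
    Returns (server name, message) tuples; an empty list means clean."""
    tls_by_name = {}
    for s in servers:
        if s["tls"]:
            tls_by_name.setdefault(s["name"], []).append(s)
    findings = []
    for s in servers:
        if s["tls"] or not s["redirect"]:
            continue
        targets = tls_by_name.get(s["redirect"], [])
        if not targets:
            msg = "redirects to https://%s, which has no tls server block"
        elif not any(serves_acme(t) for t in targets):
            msg = ("redirects to https://%s, whose block has no " + ACME_PATH
                   + " location: HTTP-01 requests following the 301 get a 404")
        else:
            continue
        findings.append((s["name"], msg % s["redirect"]))
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, audit(parse_servers(conf)) or "ok")
```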

Re: Cannot connect to iked, authenticate fails

2023-04-08 Thread misc



inline

On 2023-04-08 04:33, Stuart Henderson wrote:

On 2023-04-07, m...@phosphorus.com.br  wrote:

ikev2 "vpn" passive esp \
 from dynamic to 185.21.22.23/32 \


that should definitely be "from ... to dynamic", though that's not the
problem you're running into yet.

(that /32 you have will only setup a tunnel to the machine itself,
if you want all traffic to go via vpn then use 0.0.0.0/0).

If anyone has a working setup for iphone via 4G (dynamic) connecting 
to

a VPS (fixed IP) is much appreciated.


maybe try with user/password auth and get that working first before
moving on to client certificates? something like this:

---
user  ""

ikev2 "ikevpn" passive esp from 0.0.0.0/0 to dynamic \
  local  peer any \
  srcid "" \
  eap "mschap-v2" \
  config address 172.28.15.128/25 \
  config name-server 172.28.15.2 \
  tag "$name-$id"
---


Good point, will try it simple first. What should be used for localid 
and remoteid on the phone client?
Also, is there a need to generate a certificate matching the server's 
name?





Re: Cannot connect to iked, authenticate fails

2023-04-07 Thread misc



Hi,

Thanks for replying. Answer below.

On 2023-04-07 16:45, Thomas Bohl wrote:

Hello,


ikev2 "vpn" passive esp \
     from dynamic to 185.21.22.23/32 \
     local egress peer any \
     ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group 
modp2048 \

     childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
     srcid 185.21.22.23 \
     dstid p7.local \
     config address 172.24.24.0/24 \
     config name-server 172.24.24.1 \




Any ideas / working config for a dynamic client hosting an iked on a 
VPS?


When using certificates I always use ASN1_DN for srcid and dstid. It 
should look something like this:


srcid "/C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=185.21.22.23/emailAddress=r...@openbsd.org" \
dstid "/C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=p7.local/emailAddress=r...@openbsd.org" \


(I have never used "ikectl ca", so I'm not sure what the files are 
called. But with something like this you should be able to get the 
srcid/dstid lines:

openssl x509 -subject -noout -in 185.21.22.23.crt
openssl x509 -subject -noout -in p7.local.crt)






Hi,

I could successfully get the name from the certificate, as suggested:

myhost# openssl x509 -subject -noout -in /etc/iked/certs/185.21.22.23.crt
subject= /C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=185.21.22.23/emailAddress=r...@openbsd.org

myhost#
myhost#





... and updated /etc/iked.conf accordingly:

ikev2 "vpn" passive esp \
from dynamic to 185.21.22.23/32 \
local egress peer any \
ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
srcid "/C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=185.21.22.23/emailAddress=r...@openbsd.org" \
dstid "/C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=p7.local/emailAddress=r...@openbsd.org" \
config address 172.24.24.0/24 \
config name-server 172.24.24.1 \





myhost# iked -d -v
ikev2 "vpn" passive tunnel esp inet from 0.0.0.0 to 185.21.22.23/32 
local 185.21.22.23 peer any ikesa enc aes-256 prf hmac-sha2-256 auth 
hmac-sha2-256 group modp2048 childsa enc aes-256 auth hmac-sha2-256 
group modp2048 esn noesn srcid /C=DE/ST=Lower 
Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=185.21.22.23/emailAddress=r...@openbsd.org 
 dstid /C=DE/ST=Lower 
Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=p7.local/emailAddress=r...@openbsd.org 
lifetime 10800 bytes 4294967296 signature config address 172.24.24.0 
config name-server 172.24.24.1



spi=0x5e92324a01d56a7b: recv IKE_SA_INIT req 0 peer 189.11.12.13:8389 
local 185.21.22.23:500, 604 bytes, policy 'vpn'
spi=0x5e92324a01d56a7b: send IKE_SA_INIT res 0 peer 189.11.12.13:8389 
local 185.21.22.23:500, 473 bytes
spi=0x5e92324a01d56a7b: recv IKE_AUTH req 1 peer 189.11.12.13:8390 local 
185.21.22.23:4500, 496 bytes, policy 'vpn'

spi=0x5e92324a01d56a7b: ikev2_ike_auth_recv: no compatible policy found
spi=0x5e92324a01d56a7b: ikev2_send_auth_failed: authentication failed 
for
spi=0x5e92324a01d56a7b: send IKE_AUTH res 1 peer 189.11.12.13:8390 local 
185.21.22.23:4500, 80 bytes, NAT-T

spi=0x5e92324a01d56a7b: sa_free: authentication failed
spi=0xa5460ef7687cbbc8: recv IKE_SA_INIT req 0 peer 189.11.12.13:8389 
local 185.21.22.23:500, 604 bytes, policy 'vpn'
spi=0xa5460ef7687cbbc8: send IKE_SA_INIT res 0 peer 189.11.12.13:8389 
local 185.21.22.23:500, 473 bytes
spi=0xa5460ef7687cbbc8: recv IKE_AUTH req 1 peer 189.11.12.13:8390 local 
185.21.22.23:4500, 496 bytes, policy 'vpn'

spi=0xa5460ef7687cbbc8: ikev2_ike_auth_recv: no compatible policy found
spi=0xa5460ef7687cbbc8: ikev2_send_auth_failed: authentication failed 
for
spi=0xa5460ef7687cbbc8: send IKE_AUTH res 1 peer 189.11.12.13:8390 local 
185.21.22.23:4500, 80 bytes, NAT-T

spi=0xa5460ef7687cbbc8: sa_free: authentication failed
^Cikev2 exiting, pid 73990
control exiting, pid 75201
ca exiting, pid 38355
parent terminating
myhost#



If anyone has a working setup for an iPhone via 4G (dynamic) connecting to 
a VPS (fixed IP), it is much appreciated.




Re: Cannot connect to iked, authenticate fails

2023-04-07 Thread misc

answer inline

On 2023-04-04 20:35, Stuart Henderson wrote:

On 2023-04-04, m...@phosphorus.com.br  wrote:

ikectl ca VPN create
ikectl ca VPN install
ikectl ca VPN certificate 33.33.33.33 create server
ikectl ca VPN certificate 33.33.33.33 install
ikectl ca VPN certificate p6.local create client
ikectl ca VPN certificate p6.local install


here you installed the client's cert onto the server, you don't want 
that,

it should only go on the client. that's probably what you run into now.





OK, I cleaned up all certs first:

rm -rf /etc/ssl/VPN/* /etc/iked/*

then generated new ones and stopped short of installing the client 
certificate, as advised:


myhost# history -50 | egrep ikectl
326 ikectl ca VPN create
327  ikectl ca VPN install
329 ikectl ca VPN certificate 185.21.22.23 create server
330 ikectl ca VPN certificate 185.21.22.23 install
331 ikectl ca VPN certificate p7.local create client
336 ikectl ca VPN certificate p7.local export





ikectl ca VPN certificate p6.local export

Then imported p6.local.pfx from p6.local.zip into the iphone





ikev2 "vpn" passive esp \
 from 0.0.0.0/0 to 0.0.0.0/0 \
 from ::0/0 to ::0/0 \




you normally want "to dynamic" with "config address"





tried with this conf:

(also tried "from 185.21.22.23/32 to dynamic \" but that didn't work either)

ikev2 "vpn" passive esp \
from dynamic to 185.21.22.23/32 \
local egress peer any \
ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group 
modp2048 \

childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
srcid 185.21.22.23 \
dstid p7.local \
config address 172.24.24.0/24 \
config name-server 172.24.24.1 \




 local egress peer any \
 ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group
modp2048 \
 childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
 srcid 33.33.33.33 \
 dstid p6.local \
 config address 172.24.24.0/24 \
 config address 2001:470:203a:a0::/64 \




I'm not sure if it works to list both v4 and v6 "config address" blocks,
try with just one or the other if it seems like you have address-related
problems



OK, removed the IPv6 section


Test:

myhost# iked -d -v

ikev2 "vpn" passive tunnel esp inet from 0.0.0.0 to 185.21.22.23/32 
local 185.21.22.23 peer any ikesa enc aes-256 prf hmac-sha2-256 auth 
hmac-sha2-256 group modp2048 childsa enc aes-256 auth hmac-sha2-256 
group modp2048 esn noesn srcid 185.21.22.23 dstid p7.local lifetime 
10800 bytes 4294967296 signature config address 172.24.24.0 config 
name-server 172.24.24.1


spi=0x6b22863051e616a0: recv IKE_SA_INIT req 0 peer 177.11.12.13:63712 
local 185.21.22.23:500, 604 bytes, policy 'vpn'
spi=0x6b22863051e616a0: send IKE_SA_INIT res 0 peer 177.11.12.13:63712 
local 185.21.22.23:500, 473 bytes
spi=0x6b22863051e616a0: recv IKE_AUTH req 1 peer 177.11.12.13:63726 
local 185.21.22.23:4500, 496 bytes, policy 'vpn'
spi=0x6b22863051e616a0: ikev2_send_auth_failed: authentication failed 
for FQDN/p7.local
spi=0x6b22863051e616a0: send IKE_AUTH res 1 peer 177.11.12.13:63726 
local 185.21.22.23:4500, 80 bytes, NAT-T

spi=0x6b22863051e616a0: sa_free: authentication failed
spi=0x936e6ee7184d1923: recv IKE_SA_INIT req 0 peer 177.11.12.13:63712 
local 185.21.22.23:500, 604 bytes, policy 'vpn'
spi=0x936e6ee7184d1923: send IKE_SA_INIT res 0 peer 177.11.12.13:63712 
local 185.21.22.23:500, 473 bytes
spi=0x936e6ee7184d1923: recv IKE_AUTH req 1 peer 177.11.12.13:63726 
local 185.21.22.23:4500, 496 bytes, policy 'vpn'
spi=0x936e6ee7184d1923: ikev2_send_auth_failed: authentication failed 
for FQDN/p7.local
spi=0x936e6ee7184d1923: send IKE_AUTH res 1 peer 177.11.12.13:63726 
local 185.21.22.23:4500, 80 bytes, NAT-T

spi=0x936e6ee7184d1923: sa_free: authentication failed
^Cikev2 exiting, pid 91539
ca exiting, pid 6137
control exiting, pid 22078
parent terminating


Any ideas / working config for a dynamic client hosting an iked on a 
VPS?


Thanks in advance,







 config name-server 172.24.24.1 \
 config name-server 2001:470:203a:a0::1 \






host9# iked -d -v
ikev2 "vpn" passive tunnel esp inet from 0.0.0.0/0 to 0.0.0.0/0 from
::/0 to ::/0 local 33.33.33.33 peer any ikesa enc aes-256 prf
hmac-sha2-256 auth hmac-sha2-256 group modp2048 childsa enc aes-256 auth
hmac-sha2-256 group modp2048 esn noesn srcid 33.33.33.33 dstid p6.local
lifetime 10800 bytes 4294967296 signature config address 172.24.24.0
config address 2001:470:203a:a0:: config name-server 172.24.24.1 config
name-server 2001:470:203a:a0::1


spi=0xe461b2e822193627: recv IKE_SA_INIT req 0 peer 44.55.66.77:11461
local 33.33.33.33:500, 604 bytes, policy 'vpn'
spi=0xe461b2e822193627: send IKE_SA_INIT res 0 peer 44.55.66.77:11461
local 33.33.33.33:500, 473 bytes
spi=0xe461b2e822193627: recv IKE_AUTH req 1 peer 44.55.66.77:11460 local
33.33.33.33:4500, 496 bytes, policy 'vpn'

Cannot connect to iked, authenticate fails

2023-04-04 Thread misc

Hi misc,

Cannot get the iphone to connect to an iked server with ikev2 using 
certificate exported by ikectl. Logs below.


I imported p6.local.pfx cert from the zip generated by:

#ikectl ca VPN certificate p6.local export

into the iPhone profile. But iked fails with:

spi=0xe71692de490589ab: ca_getreq: found cert with matching ID but 
without matching key.


Local ID is p6.local
Remote ID is the server IP address.

Any ideas?



certs were generated / exported this way:

ikectl ca VPN create
ikectl ca VPN install
ikectl ca VPN certificate 33.33.33.33 create server
ikectl ca VPN certificate 33.33.33.33 install
ikectl ca VPN certificate p6.local create client
ikectl ca VPN certificate p6.local install

ikectl ca VPN certificate p6.local export

Then imported p6.local.pfx from p6.local.zip into the iphone



/etc/pf.conf

#   $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

set skip on lo

table  persist
block quick on em0 from  to any

block return# block stateless traffic
pass# establish keep-state

# NAT
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
pass quick proto udp from any to self port {isakmp, ipsec-nat-t} keep 
state

pass on enc0 from any to self keep state (if-bound)

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild



/etc/iked.conf

ikev2 "vpn" passive esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
from ::0/0 to ::0/0 \
local egress peer any \
ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group 
modp2048 \

childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
srcid 33.33.33.33 \
dstid p6.local \
config address 172.24.24.0/24 \
config address 2001:470:203a:a0::/64 \
config name-server 172.24.24.1 \
config name-server 2001:470:203a:a0::1 \






host9# iked -d -v
ikev2 "vpn" passive tunnel esp inet from 0.0.0.0/0 to 0.0.0.0/0 from 
::/0 to ::/0 local 33.33.33.33 peer any ikesa enc aes-256 prf 
hmac-sha2-256 auth hmac-sha2-256 group modp2048 childsa enc aes-256 auth 
hmac-sha2-256 group modp2048 esn noesn srcid 33.33.33.33 dstid p6.local 
lifetime 10800 bytes 4294967296 signature config address 172.24.24.0 
config address 2001:470:203a:a0:: config name-server 172.24.24.1 config 
name-server 2001:470:203a:a0::1



spi=0xe461b2e822193627: recv IKE_SA_INIT req 0 peer 44.55.66.77:11461 
local 33.33.33.33:500, 604 bytes, policy 'vpn'
spi=0xe461b2e822193627: send IKE_SA_INIT res 0 peer 44.55.66.77:11461 
local 33.33.33.33:500, 473 bytes
spi=0xe461b2e822193627: recv IKE_AUTH req 1 peer 44.55.66.77:11460 local 
33.33.33.33:4500, 496 bytes, policy 'vpn'
spi=0xe461b2e822193627: ikev2_send_auth_failed: authentication failed 
for FQDN/p6.local
spi=0xe461b2e822193627: send IKE_AUTH res 1 peer 44.55.66.77:11460 local 
33.33.33.33:4500, 80 bytes, NAT-T

spi=0xe461b2e822193627: sa_free: authentication failed
spi=0xe461b2e822193627: ca_getreq: found cert with matching ID but 
without matching key.
spi=0xe71692de490589ab: recv IKE_SA_INIT req 0 peer 44.55.66.77:11461 
local 33.33.33.33:500, 604 bytes, policy 'vpn'
spi=0xe71692de490589ab: send IKE_SA_INIT res 0 peer 44.55.66.77:11461 
local 33.33.33.33:500, 473 bytes
spi=0xe71692de490589ab: recv IKE_AUTH req 1 peer 44.55.66.77:11460 local 
33.33.33.33:4500, 496 bytes, policy 'vpn'
spi=0xe71692de490589ab: ikev2_send_auth_failed: authentication failed 
for FQDN/p6.local
spi=0xe71692de490589ab: send IKE_AUTH res 1 peer 44.55.66.77:11460 local 
33.33.33.33:4500, 80 bytes, NAT-T

spi=0xe71692de490589ab: sa_free: authentication failed
spi=0xe71692de490589ab: ca_getreq: found cert with matching ID but 
without matching key.


^Cikev2 exiting, pid 93228
ca exiting, pid 55488
control exiting, pid 6213
parent terminating






host9# iked -d -vv

create_ike: using signature for peer p6.local
ikev2 "vpn" passive tunnel esp inet from 0.0.0.0/0 to 0.0.0.0/0 from 
::/0 to ::/0 local 33.33.33.33 peer any ikesa enc aes-256 prf 
hmac-sha2-256 auth hmac-sha2-256 group modp2048 childsa enc aes-256 auth 
hmac-sha2-256 group modp2048 esn noesn srcid 33.33.33.33 dstid p6.local 
lifetime 10800 bytes 4294967296 signature config address 172.24.24.0 
config address 2001:470:203a:a0:: config name-server 172.24.24.1 config 
name-server 2001:470:203a:a0::1

/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type RSA_KEY length 1193
ca_pubkey_serialize: type RSA_KEY length 270
ca_privkey_to_method: type RSA_KEY method RSA_SIG
config_getpolicy: received policy
ca_getkey: received private key type RSA_KEY length 1193
config_getpfkey: received pfkey fd 3
ca_getkey: received public key type RSA_KEY
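An added example, not iked's code or anything posted in the thread, for the "found cert with matching ID but without matching key" message: it compares the public key carried by each certificate in a certs directory with a private key, so a certificate iked can actually use for srcid is told apart from one that merely carries the right name (such as a client certificate installed on the server). It assumes openssl(1) is available; the default paths are iked(8)'s own /etc/iked/private/local.key and /etc/iked/certs.

```sh
#!/bin/sh
# Added example (not iked's code): which certificate in DIR belongs to KEY?
# A certificate with the right subject but a different public key is the
# "found cert with matching ID but without matching key" situation.

# pubkey_fingerprint FILE KIND: print the SHA-256 of the DER-encoded public
# key in FILE, where KIND is "cert" (X.509) or "key" (private key).
pubkey_fingerprint() {
    case "$2" in
        cert) _pem=$(openssl x509 -in "$1" -noout -pubkey) ;;
        key)  _pem=$(openssl pkey -in "$1" -pubout) ;;
        *)    echo "pubkey_fingerprint: unknown kind '$2'" >&2; return 2 ;;
    esac || return 1
    printf '%s\n' "$_pem" | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# cert_matches_key CERT KEY: succeed (0) when CERT's public key is KEY's.
cert_matches_key() {
    _c=$(pubkey_fingerprint "$1" cert) || return 2
    _k=$(pubkey_fingerprint "$2" key) || return 2
    [ "$_c" = "$_k" ]
}

# cert_subject CERT: print the subject in the slash form iked's ASN1_DN
# srcid/dstid use ("compat" is the pre-1.1 OpenSSL name layout).
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# find_cert_for_key KEY DIR: print every *.crt in DIR whose public key
# matches KEY; exit 1 if none does (so the subject iked will present can
# be read off with cert_subject, and name-only matches are excluded).
find_cert_for_key() {
    _found=1
    for _cert in "$2"/*.crt; do
        [ -f "$_cert" ] || continue
        if cert_matches_key "$_cert" "$1"; then
            printf '%s\n' "$_cert"
            _found=0
        fi
    done
    return $_found
}

# Usage on an iked host: ./certcheck.sh check  (paths are iked's defaults)
case "${1:-}" in
    check) find_cert_for_key "${2:-/etc/iked/private/local.key}" \
                             "${3:-/etc/iked/certs}" ;;
esac
```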

cron sh script fork

2021-11-15 Thread misc
I have one script (sleeploop.sh) running in the background and a second (check.sh)
to test if sleeploop is running and, if not, start it. 


[/opt/bin]$ cat sleeploop.sh
#!/bin/sh
while true
do
sleep 5
done

[/opt/bin]$ cat check.sh
#!/bin/sh

_ret=$(ps aux | grep sleeploop.sh | grep -v grep | awk '{print $2}')
test -z "${_ret}" && /opt/bin/sleeploop.sh &


When I start check.sh from the shell it works fine; if there is no pid, check.sh 
starts sleeploop.sh, otherwise it gets the pid and exits.
If I put check.sh in cron it spawns another sleeploop.sh process every time
it is triggered.


dmesg:
OpenBSD 7.0 (GENERIC.MP) #1: Fri Oct 29 12:04:07 MDT 2021
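An added example, not the poster's script, of a check.sh that tracks the background job through a pidfile instead of grepping ps(1) output; the pidfile location is an assumption. One thing to know when the ps-based version behaves differently under cron: unless -ww is given, ps(1) limits each output line to 79 columns when stdout is not a terminal, which can cut off the command name the grep is looking for.

```sh
#!/bin/sh
# Added example (not the poster's check.sh): start sleeploop.sh only when
# the process recorded in a pidfile is not alive. Unlike "ps aux | grep",
# this does not depend on ps(1) output width, which drops to 79 columns
# when stdout is not a terminal (e.g. under cron) unless -ww is passed.

PIDFILE="${PIDFILE:-/var/run/sleeploop.pid}"   # assumed location
DAEMON="${DAEMON:-/opt/bin/sleeploop.sh}"       # path from the original post

# is_running: succeed (0) when the pid in $PIDFILE is a live process we may
# signal; a missing, malformed or stale pidfile counts as "not running".
# (kill -0 cannot tell a reused pid from the real daemon; that is the
# usual pidfile caveat.)
is_running() {
    [ -r "$PIDFILE" ] || return 1
    _pid=$(cat "$PIDFILE")
    case "$_pid" in
        ''|*[!0-9]*) return 1 ;;   # empty or not a number
    esac
    kill -0 "$_pid" 2>/dev/null
}

# start_if_needed: start $DAEMON detached from our stdio, record its pid,
# and print "started" or "running" so cron mail shows what happened.
start_if_needed() {
    if is_running; then
        echo running
        return 0
    fi
    "$DAEMON" </dev/null >/dev/null 2>&1 &
    echo $! > "$PIDFILE"
    echo started
}

# Run as "check.sh run" from cron; with no argument the script only
# defines the functions, so it can be sourced and exercised separately.
case "${1:-}" in
    run) start_if_needed ;;
esac
```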

KVM vlan-per-user guest

2021-11-02 Thread misc
Hello

My VPS provider uses KVM with vlan-per-user network environment.
They officially don't support OpenBSD but they allow booting from a custom ISO.
I'm trying to install the 7.0 release.
Network interface name appears as vio0.
To set up networking they suggest to do the following:

# ifconfig if_name ${public_ip}/32
# route add -host 10.0.0.1 -interface if_name
# route add default 10.0.0.1

I tried
# route add 10.0.0.1 -iface vio0
route: vio0: bad address

I tried
# route add -host 10.0.0.1 -iface ${public_ip}
route was added with console message

arp_rtrequest: bad gateway value: vio0

and after
# route add default 10.0.0.1
default route was added with console messages (~1 per second)

arpresolve: 10.0.0.1: route contains no arp information

can't ping anything after that

how can I set up a route to 10.0.0.1?



Re: OpenSMTPd: Ignoring /etc/hosts file?

2021-09-13 Thread misc
do you have a "lookup file bind" record in your /etc/resolv.conf file?

On Mon, Sep 13, 2021 at 10:20:30AM +0200, Simon Hoffmann wrote:
> 
> 
> > Has been reported previously -
> > https://github.com/OpenSMTPD/OpenSMTPD/issues/1115
> 
> Thanks for the link, this did not come up in my searches.
> 
> However, 
> 
> > The link also contains a workaround which may be useful for you.
> 
> the only "workaround" I could find was to specify the internal IP instead of 
> the
> hostname. I've tried this before and I've tried this just now, in both cases 
> it does
> not work, because, as I said, the private IP is not part of the certificate 
> and
> OpenSMTPd checks the certificate.
> 
> Is there a way to disable cert checking?
> 
> Log output: 
> 
> Sep 13 10:04:54 mx01 smtpd[25157]: 10ba299cf5ba5905 mta connecting 
> address=smtp+tls://192.168.158.1:25 host=uhura.hoffmann.computer
> Sep 13 10:04:54 mx01 smtpd[25157]: 10ba299cf5ba5905 mta connected
> Sep 13 10:04:54 mx01 smtpd[25157]: 10ba299cf5ba5905 mta tls 
> ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
> Sep 13 10:04:54 mx01 smtpd[25157]: 10ba299cf5ba5905 mta ssl_check_name: no 
> match for '192.168.158.1' in cert
> Sep 13 10:04:54 mx01 smtpd[25157]: 10ba299cf5ba5905 mta error reason=SSL 
> certificate check failed
> Sep 13 10:04:54 mx01 smtpd[25157]: smtp-out: Disabling route [] <-> 
> 192.168.158.1 (uhura.hoffmann.computer) for 15s
> Sep 13 10:04:56 mx01 smtpd[25157]: smtp-out: No valid route for 
> [connector:[]->[relay:192.168.158.1,port=25,smtp+tls,mx,heloname=mx01.klm.hoffbox.net],0x0]
> 
> 
> Thanks, 
> 
> Simon
> 
> > 
> > Best,
> > Aisha
> > 
> > On 9/12/21 5:28 PM, Simon Hoffmann wrote:
> > > Hey yall,
> > > 
> > > in my smtpd.conf file I have "relay smtps://host.domain.tld"
> > > 
> > > host.domain.tld does resolve to a public IP, and this needs to be a 
> > > public IP on
> > > public DNS.
> > > However, OpenSMTPd needs to relay to the local IP address of the 
> > > smarthost.
> > > Since I have no DNS server running on that network, and I don't want to 
> > > set up a DNS
> > > server only for OpenSMTPd, I added an entry to /etc/hosts, assigning the 
> > > local IP to
> > > the FQDN.
> > > When I ping the FQDN it correctly resolves to the internal IP of the 
> > > smarthost.
> > > However, OpenSMTPd ignores the entry in /etc/hosts and still tries to 
> > > connect to the
> > > public IP of the host.
> > > 
> > > Is it known that OpenSMTPd ignores /etc/hosts? Or is this a problem on 
> > > Debian?
> > > Is there a workaround? Specifying "relay smtps://192.168.158.1" will not 
> > > work, as the
> > > private IP is not part of the Cert.
> > > Can I force OpenSMTPd to use the internal IP? Can I disable Cert checking 
> > > for the
> > > smarthost?
> > > 
> > > Thanks!
> > > 
> > > System details:
> > > 
> > > root@mx01:~# lsb_release -a
> > > No LSB modules are available.
> > > Distributor ID: Debian
> > > Description:Debian GNU/Linux 11 (bullseye)
> > > Release:11
> > > Codename:   bullseye
> > > root@mx01:~# smtpd -h
> > > version: OpenSMTPD 6.8.0p2
> > > usage: smtpd [-dFhnv] [-D macro=value] [-f file] [-P system] [-T trace]
> > > 
> > > root@mx01:~# cat /etc/network/interfaces
> > > # This file describes the network interfaces available on your system
> > > # and how to activate them. For more information, see interfaces(5).
> > > 
> > > source /etc/network/interfaces.d/*
> > > 
> > > # The loopback network interface
> > > auto lo
> > > iface lo inet loopback
> > > 
> > > # The primary network interface
> > > allow-hotplug ens192
> > > iface ens192 inet dhcp
> > > 
> > > 
> > > Any info else you need?
> > > 
> > > Cheers,
> > > 
> > > Simon
> > 
> 




Re: Why is tmpfs not working on OpenBSD?

2021-09-05 Thread misc
just put the line 
swap /ramfs  mfs rw,nodev,nosuid,-s=300m 0   0
into /etc/fstab (-s means size) 
and run 
# mount /ramfs

On Sun, Sep 05, 2021 at 07:59:26AM +, iio7 wrote:
> # mount -t tmpfs tmpfs /home/foo/tmp/
> mount_tmpfs: tmpfs on /home/foo/tmp: Operation not supported
> 
> Sent with [ProtonMail](https://protonmail.com/) Secure Email.



Re: Question regarding queueing in pf.conf(5) and WireGuard

2021-06-14 Thread misc
You should apply the queue on the interface attached to the network you want to 
limit bandwidth from. For example, if your home network is attached to 1GB em1 and you
want to limit web for certain IP addresses, perhaps something like this will 
work

...
table  { ip addrs list }

queue lanq on em1 bandwidth 950M
queue landefq parent lanq bandwidth 950M qlimit 1024 default
queue slowweb parent lanq bandwidth 32K max 64K

match in on em1 proto tcp from  to port { www https } set queue slowweb
match out on egress inet from !(egress:network) to any nat-to (egress:0)
...

Some examples on Solene's page: 
https://dataswamp.org/~solene/2021-02-07-limit.html

And there is also the Book of PF, written by Peter N. M. Hansteen


On Mon, Jun 14, 2021 at 11:59:59AM -0600, Ashlen wrote:
> Hello. I have an APU4D4 running OpenBSD and acting as a router for my
> home network. It connects to the Internet via pppoe(4), which uses em(4)
> as the physical interface.
> 
> The router has a /etc/hostname.wg0 file that connects it as a client to
> my VPN provider on boot. Then, /etc/pf.conf has a nat-to rule for
> WireGuard, for IP masquerading. Here's said rule:
> 
> match out on wg inet from !(wg:network) to any nat-to (wg:0)
> 
> In pf.conf(5), there's mention of this simple configuration
> for bandwidth control:
> 
> queue outq on em0 bandwidth 9M max 9M flows 1024 qlimit 1024 \
>default
> 
> I want to employ this rule. My question is, which interface is
> appropriate to choose for queueing? pppoe0, em0, or wg0? I'd think wg0,
> as I'm unsure how pf(4) would classify traffic otherwise. However, I'm
> not confident in that conclusion, so I decided to ask.
> 
> If additional details are needed, I'm happy to provide them.
> 
> --
> https://amissing.link
> 



Re: trying to add auth to specific location in httpd.conf

2021-06-03 Thread fm+obsd+misc+list
My bad.

Just plain authenticate with "/path/to/the/htpasswd/file" above the fastcgi 
line did the trick.

Regards, 

Fabio



trying to add auth to specific location in httpd.conf

2021-06-02 Thread fm+obsd+misc+list


Hi misc, 

I am trying to add HTTP Basic auth to a specific location in httpd.conf (a1).
Is it possible?

I want to keep the other locations unprotected.



usually it can be done for the entire site with:

authenticate "HTTP Basic" with "/htdocs/dev/.htpasswd"


but for specific files, I don't know how

httpd.conf:

location "/API/v1/a1" {
  fastcgi socket "/run/php-fpm.sock"
}

location "/API/v1/a2" {
  fastcgi socket "/run/php-fpm.sock"
}

location "/API/v1/a3" {
  fastcgi socket "/run/php-fpm.sock"
}

Regards, 

Fabio
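The layout Fabio later reported as working, written out as an added example rather than his actual file: `authenticate` sits inside the one `location` block, the other locations stay open, and because the password file in the post lives under htdocs, a block rule keeps httpd from serving it. The server name is a placeholder; the htpasswd path and socket are the ones from the post.

```conf
# Added example, not the poster's httpd.conf. "example.com" is a placeholder.
server "example.com" {
        # HTTP Basic sends credentials base64-encoded, not encrypted: in
        # production put this behind "listen on * tls port 443" with a
        # tls certificate/key block instead of plain port 80.
        listen on * port 80

        # The password file from the post is inside htdocs, i.e. inside the
        # document root. Refuse to serve it; this location comes first so it
        # wins over the API locations below.
        location "*/.htpasswd" {
                block drop
        }

        # Only this endpoint asks for credentials. The file path is relative
        # to httpd's chroot (/var/www by default).
        location "/API/v1/a1" {
                authenticate "HTTP Basic" with "/htdocs/dev/.htpasswd"
                fastcgi socket "/run/php-fpm.sock"
        }

        location "/API/v1/a2" {
                fastcgi socket "/run/php-fpm.sock"
        }

        location "/API/v1/a3" {
                fastcgi socket "/run/php-fpm.sock"
        }
}
```

Check the result with `httpd -n` before reloading, and confirm from a client that a request for /API/v1/a1 answers 401 without credentials while /API/v1/a2 and /API/v1/a3 do not.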



Re: LLDB step over command

2021-05-14 Thread misc
Just set up a recent snapshot in parallel to the release. The next function works 
properly in this version. Thank you. 

On Fri, May 14, 2021 at 05:02:28PM +0900, Masato Asou wrote:
> From: misc@abrakadabra.systems
> Subject: LLDB step over command
> Date: Wed, 12 May 2021 21:58:31 +0300
> 
> > Hello
> > 
> > I'm on 6.9 release amd64. Switched to clang and lldb since gcc and gdb are 
> > not
> > in base anymore. My problem is during debugging for some functions 
> > command "next/step-over" behaves like "step/step-in".
> > 
> > example code (just for illustration purpose): 
> > #include <stdlib.h>
> > #include <string.h>
> > 
> > int main()
> > {
> >     int a = 5, b;
> >     void *p = malloc(sizeof(int));
> >     memcpy(p, (void *)&a, sizeof(int));
> >     b = *(int *)p;
> >     return b;
> > }
> > 
> > compiled with: 
> > cc -g -Weverything -ansi -pedantic -O0 -o moveint moveint.c  
> > 
> > below is the snippet from session where lldb goes into malloc instead of
> > step over it.
> > ...
> > -> 7    void *p = malloc(sizeof(int));
> >         ^
> >    8    memcpy(p, (void *)&a, sizeof(int));
> >    9    b = *(int *)p;
> >    10   return b;
> > (lldb) next
> > Process 18050 stopped
> > * thread #1, stop reason = step over failed (Could not create return 
> > address 
> > breakpoint. Return address (0x43eae9c89bd) permissions not found.)
> > frame #0: 0x043eae9c8ad0 moveint`malloc
> > moveint`malloc:
> > ->  0x43eae9c8ad0 <+0>:  movq   0x11c9(%rip), %r11
> > 0x43eae9c8ad7 <+7>:  callq  0x43eae9c8a40
> > 0x43eae9c8adc <+12>: jmp0x43eae9c8a32
> > 0x43eae9c8ae1 <+17>: pushq  $0x4
> > ...
> > 
> > How should I deal with this? 
> 
> I have same problem on my OpenBSD 6.9 release amd64 box. However, next
> command of lldb is working fine on my OpenBSD 6.9 current amd64 box.
> 
> The lldb has been updated to 11.1.0 on OpenBSD current. Can you update
> to current your OpenBSD box by
> https://cdn.openbsd.org/pub/OpenBSD/snapshots/amd64/?
> 
> > Thanks,
> > Serge.
> > 
> --
> ASOU Masato



LLDB step over command

2021-05-12 Thread misc
Hello

I'm on 6.9 release amd64. Switched to clang and lldb since gcc and gdb are not
in base anymore. My problem is during debugging for some functions 
command "next/step-over" behaves like "step/step-in".

example code (just for illustration purpose): 
#include <stdlib.h>
#include <string.h>

int main()
{
    int a = 5, b;
    void *p = malloc(sizeof(int));
    memcpy(p, (void *)&a, sizeof(int));
    b = *(int *)p;
    return b;
}

compiled with: 
cc -g -Weverything -ansi -pedantic -O0 -o moveint moveint.c  

below is the snippet from session where lldb goes into malloc instead of
step over it.
...
-> 7    void *p = malloc(sizeof(int));
        ^
   8    memcpy(p, (void *)&a, sizeof(int));
   9    b = *(int *)p;
   10   return b;
(lldb) next
Process 18050 stopped
* thread #1, stop reason = step over failed (Could not create return address 
breakpoint. Return address (0x43eae9c89bd) permissions not found.)
frame #0: 0x043eae9c8ad0 moveint`malloc
moveint`malloc:
->  0x43eae9c8ad0 <+0>:  movq   0x11c9(%rip), %r11
0x43eae9c8ad7 <+7>:  callq  0x43eae9c8a40
0x43eae9c8adc <+12>: jmp0x43eae9c8a32
0x43eae9c8ae1 <+17>: pushq  $0x4
...

How should I deal with this? 

Thanks,
Serge.



Re: umount at boot possible?

2021-02-03 Thread misc nick
It worked exactly as you explained it and I learned how to use ed on the way.

A million thanks Paul!

> Sent: Tuesday, February 02, 2021 at 2:38 PM
> From: "Paul de Weerd" 
> To: "misc nick" 
> Cc: "misc" 
> Subject: Re: umount at boot possible?
>
> On Tue, Feb 02, 2021 at 01:30:28PM +0100, misc nick wrote:
> | Hello
> |
> | I have a separate disk that i was mounting as a nfs partition. That disk 
> crashed (it was very old). Now that OpenBSD 6.7/i386 release system cannot 
> boot because it can't mount the disk.
> | Is it possible to umount the partition or somehow skip mounting it at boot 
> time and continue booting from the disk that contains the OS?
>
> Before loading the OpenBSD kernel, at the bootloader type `boot -s`.
> This boots the system in single user mode.  Now you can manually mount
> the root filesystem (`mount -u -w /`), and you can then fix your
> /etc/fstab to exclude the broken disk.
>
> Note that in single user mode, many userland tools are not available
> if /usr is on a separate partition (which is a sane default).  You'll
> have to fix /etc/fstab with tools like cat and ed, or mount /usr.
>
> Once things are fixed, unmount everything that you manually mounted,
> and remount the root filesystem read-only again (`mount -u -r /`).
> Then exit the single user shell, the system should continue booting
> from there.
>
> Cheers,
>
> Paul 'WEiRD' de Weerd
>
> --
>  http://www.weirdnet.nl/
>



Re: umount at boot possible?

2021-02-02 Thread misc nick
Thanks for the prompt reply. I will do what you suggested and report back.

> Sent: Tuesday, February 02, 2021 at 2:38 PM
> From: "Paul de Weerd" 
> To: "misc nick" 
> Cc: "misc" 
> Subject: Re: umount at boot possible?
>
> On Tue, Feb 02, 2021 at 01:30:28PM +0100, misc nick wrote:
> | Hello
> |
> | I have a separate disk that i was mounting as a nfs partition. That disk 
> crashed (it was very old). Now that OpenBSD 6.7/i386 release system cannot 
> boot because it can't mount the disk.
> | Is it possible to umount the partition or somehow skip mounting it at boot 
> time and continue booting from the disk that contains the OS?
>
> Before loading the OpenBSD kernel, at the bootloader type `boot -s`.
> This boots the system in single user mode.  Now you can manually mount
> the root filesystem (`mount -u -w /`), and you can then fix your
> /etc/fstab to exclude the broken disk.
>
> Note that in single user mode, many userland tools are not available
> if /usr is on a separate partition (which is a sane default).  You'll
> have to fix /etc/fstab with tools like cat and ed, or mount /usr.
>
> Once things are fixed, unmount everything that you manually mounted,
> and remount the root filesystem read-only again (`mount -u -r /`).
> Then exit the single user shell, the system should continue booting
> from there.
>
> Cheers,
>
> Paul 'WEiRD' de Weerd
>
> --
>  http://www.weirdnet.nl/
>



umount at boot possible?

2021-02-02 Thread misc nick
Hello

I have a separate disk that I was mounting as an NFS partition. That disk 
crashed (it was very old). Now that OpenBSD 6.7/i386 release system cannot boot 
because it can't mount the disk.
Is it possible to umount the partition or somehow skip mounting it at boot time 
and continue booting from the disk that contains the OS?

Thanks in advance



using webcam with webex

2021-01-17 Thread misc nick
Greetings

I can't use my webcam while hosting a webex session from Chrome. Specifically, 
when I start my session the webcam turns on for an instant and then shuts down. 
When I try to start the video stream again the webcam flickers on and off a 
couple of times and then I get a message from webex: "We cannot display your 
video. Make sure your camera is shared in your browser and is not used in other 
applications, and then try again.". I have allowed Chrome to use my webcam of 
course and no other application is using it.

I have done everything mentioned here 
http://www.openbsd.org/faq/faq13.html#webcam. I can test that my webcam is 
indeed working with ffplay and by using a random online test 
(https://www.iobit.com/en/webcam-test.php) using Chrome. I can record my 
webcam's stream with ffmpeg. I have added the device path of my webcam 
(/dev/video0) to /etc/chromium/unveil.main and 
/etc/chromium/unveil.utility_video. I'm using OpenBSD-amd64 6.8 release.

Is this a known problem or can I do something more to overcome it?

Thank you in advance



Re: Impact of 002_icmp6.patch

2020-10-30 Thread js-openbsd-misc


> Honestly, as one of the devs involved with this security fix, I can tell
> you that I don't know. It is a use-after-free in some situations.
> Is it reachable from remote? I don't know.
> Is it reachable from local? Maybe.
> Is the use-after-free exploitable? Damn hard to tell, it is for sure not easy.
> Was there a PoC exploit? No, there was no PoC.
> I will not invest hours of my time to figure out something that does not
> really interest me. The fix is out, everyone can update.

Thx, that was the answer I was hoping for! :)

-- 
Jonathan



Re: Impact of 002_icmp6.patch

2020-10-30 Thread js-openbsd-misc
To close this thread, I found this: 
https://twitter.com/m00nbsd/status/1321524807473782784

> Am 30.10.2020 um 11:15 schrieb js-openbsd-m...@webkeks.org:
> 
>> Am 30.10.2020 um 01:28 schrieb Theo de Raadt :
>> 
>> js-openbsd-m...@webkeks.org wrote:
>> 
>>> I just saw
>>> https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/002_icmp6.patch.sig,
>>> however, it's unclear from the description and the context around the
>>> patch if this is a read after free or write after free (or both).
>> 
>> I think it is fair you can study the code yourself and make your own
>> factual determination.
> 
> As said, it is not immediately obvious to me if this is just read-after-free 
> or also write-after-free. Hence I was hoping someone who either wrote the fix 
> or who is more familiar with the code than me could enlighten me. It's not 
> one of those obvious fixes where you see the buffer overflow just below.
> 
>>> In the case of a write after free, would this change "Only two remote
>>> holes in the default install, in a heck of a long time!" to three? Or
>>> does it need more than IPv6 being configured?
>> 
>> First off, is ipv6 deployment really part of the default install?  No,
>> not really it takes some effort to configure v6, it is not natural.
> 
> The same could be said for v4 though, so is networking not considered part of 
> the default install? How did the 2 remote holes happen without network then, 
> though? Please help me understand, because the installer asked me for IPv6 
> just as it did for IPv4, so I would consider them both equally default.
> 
>> It is active on the loopback, but then that's not remote..
> 
> What about link-local IPv6? That's active by default, isn't it?
> 
> In any case, are you saying just removing the inet6 address from all 
> interfaces would be a sufficient workaround if an immediate update is not 
> possible? (Of course, only as a workaround until it's possible)
> 
>> But there's a bigger assumption in your mail:
>> 
>> We've released the errata as security because it is possibly exploitable
>> or could cause a crash, and we have a rapid fix release process.  It was
>> released without even seeing any evidence of a remote crash, nor any
>> evidence of a remote exploit.  Incorrect code gets fixed, and if we
>> judge it important we release a fix to the public in expedited fashion,
>> and apparently get judged for doing so.
> 
> And that is good. But it still does not help in determining the impact, i.e.: 
> Was this just a remote DoS (read-after-free) or a potential RCE 
> (write-after-free)? For the latter, I would just update, for the former, time 
> to reinstall my machines.
> 
>> Now that the fix is released and deployed by most openbsd users, we
>> quickly become uncurious and head back to other work.  The only
>> conversations related to this are asking how we can harden the mbuf
>> layer to avoid similar issues in the future.
> 
> Which seems like a good strategy, but still, don't you think it's valuable to 
> know what the maximum impact was in the worst-case? I fully agree with being 
> over cautious and calling something an RCE rather than a DoS when it's 
> unclear (a write-after-free could look like a DoS at first and turn out to be 
> RCE, after all), but some things are limited in impact (a read-after-free 
> usually isn't more than a DoS).
> 
>> I guess many other operating systems would wait weeks or months to
>> collect all the "facts" and make a fancy disclosure, but we shipped
>> source and binary fixes in just over 24 hours.
> 
> Again, I think that time is better spent fixing it fast than writing a fancy 
> disclosure. I am merely curious if this was just read-after-free or 
> write-after-free (or both) to make my own risk determination.
> 
>> So, is it a remote crash?  Possibly, but we'd like to see a packet
>> that causes it.
>> 
>> Next after that, is it a remote exploit?
>> 
>> I think it is fair to wait for facts.
> 
> So, what you're saying is, it is only tagged as a security out of caution, 
> not because it necessarily is exploitable?
> 
>> I also think you are a troll.
> 
> Not everybody trying to understand the impact of a security bug is a troll ;).
> 
> I merely brought up the 2 remote holes because I was wondering if this could 
> be used as a signal that it's not remotely exploitable, as it's still 2.
> 
> -- 
> Jonathan
> 



Re: Impact of 002_icmp6.patch

2020-10-30 Thread js-openbsd-misc
> Am 30.10.2020 um 01:28 schrieb Theo de Raadt :
> 
> js-openbsd-m...@webkeks.org wrote:
> 
>> I just saw
>> https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/002_icmp6.patch.sig,
>> however, it's unclear from the description and the context around the
>> patch if this is a read after free or write after free (or both).
> 
> I think it is fair you can study the code yourself and make your own
> factual determination.

As said, it is not immediately obvious to me if this is just read-after-free or 
also write-after-free. Hence I was hoping someone who either wrote the fix or 
who is more familiar with the code than me could enlighten me. It's not one of 
those obvious fixes where you see the buffer overflow just below.

>> In the case of a write after free, would this change "Only two remote
>> holes in the default install, in a heck of a long time!" to three? Or
>> does it need more than IPv6 being configured?
> 
> First off, is ipv6 deployment really part of the default install?  No,
> not really it takes some effort to configure v6, it is not natural.

The same could be said for v4 though, so is networking not considered part of 
the default install? How did the 2 remote holes happen without network then, 
though? Please help me understand, because the installer asked me for IPv6 just 
as it did for IPv4, so I would consider them both equally default.

> It is active on the loopback, but then that's not remote..

What about link-local IPv6? That's active by default, isn't it?

In any case, are you saying just removing the inet6 address from all interfaces 
would be a sufficient workaround if an immediate update is not possible? (Of 
course, only as a workaround until it's possible)

> But there's a bigger assumption in your mail:
> 
> We've released the errata as security because it is possibly exploitable
> or could cause a crash, and we have a rapid fix release process.  It was
> released without even seeing any evidence of a remote crash, nor any
> evidence of a remote exploit.  Incorrect code gets fixed, and if we
> judge it important we release a fix to the public in expedited fashion,
> and apparently get judged for doing so.

And that is good. But it still does not help in determining the impact, i.e.: 
Was this just a remote DoS (read-after-free) or a potential RCE 
(write-after-free)? For the latter, I would just update, for the former, time 
to reinstall my machines.

> Now that the fix is released and deployed by most openbsd users, we
> quickly become uncurious and head back to other work.  The only
> conversations related to this are asking how we can harden the mbuf
> layer to avoid similar issues in the future.

Which seems like a good strategy, but still, don't you think it's valuable to 
know what the maximum impact was in the worst-case? I fully agree with being 
over cautious and calling something an RCE rather than a DoS when it's unclear 
(a write-after-free could look like a DoS at first and turn out to be RCE, 
after all), but some things are limited in impact (a read-after-free usually 
isn't more than a DoS).

> I guess many other operating systems would wait weeks or months to
> collect all the "facts" and make a fancy disclosure, but we shipped
> source and binary fixes in just over 24 hours.

Again, I think that time is better spent fixing it fast than writing a fancy 
disclosure. I am merely curious if this was just read-after-free or 
write-after-free (or both) to make my own risk determination.

> So, is it a remote crash?  Possibly, but we'd like to see a packet
> that causes it.
> 
> Next after that, is it a remote exploit?
> 
> I think it is fair to wait for facts.

So, what you're saying is, it is only tagged as a security out of caution, not 
because it necessarily is exploitable?

> I also think you are a troll.

Not everybody trying to understand the impact of a security bug is a troll ;).

I merely brought up the 2 remote holes because I was wondering if this could be 
used as a signal that it's not remotely exploitable, as it's still 2.

-- 
Jonathan



Impact of 002_icmp6.patch

2020-10-29 Thread js-openbsd-misc
Hi!

I just saw 
https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/002_icmp6.patch.sig, 
however, it's unclear from the description and the context around the patch if 
this is a read after free or write after free (or both).

In the case of a write after free, would this change "Only two remote holes in 
the default install, in a heck of a long time!" to three? Or does it need more 
than IPv6 being configured?

-- 
Jonathan



How to open new window/pane in the current working directory in tmux?

2019-12-13 Thread openbsd-misc-nospam
I have next options in tmux.conf:

bind '"' split-window -c "#{pane_current_path}"
bind % split-window -h -c "#{pane_current_path}"
bind c new-window -c "#{pane_current_path}"

But it doesn't work anymore. And I can't find working options in Google. I tried
all suggestions from stackexchange and they don't work either. What are the
working options for OpenBSD 6.6?

Thanks!



Bad fonts in pdf

2019-09-19 Thread openbsd-misc-nospam
Here is screenshot: https://screenshots.firefox.com/LyKbRyGMRT3sDHbu/null

I had this problem in the past, but can't remember which font I should install.

Thanks!



Re: Secondary monitor switches off when inteldrm switches on

2019-07-02 Thread Misc User

On 7/2/2019 2:45 PM, Henry Jensen wrote:

Greetings,

to keep it short:

- older Fujitsu Esprimo PC, Core2Duo, Integrated Intel Graphics
- 2 monitors, connected at VGA and DVI
- during installation both monitors were on all the time.
- Computer switched on, both displays on, boot begins
- inteldrm kicks in, the monitor at the DVI port switches OFF (short message on the 
display says "power saving mode")
- Xenodm starts, only at 1 display. xrandr reports only 1 monitor, Xorg log 
says DVI monitor is disconnected
- similar behaviour on FreeBSD, but:
- on Linux both monitors are working with drm and X.

Where to begin to look?

Kind regards,

Henry




Can you post a dmesg, there were a -lot- of different video chips used
on the core2duo architecture and each has its quirks.  Yours might be
actually supported, but a lot of them aren't.

From what I remember, there is some kind of proprietary bit of firmware
that needs to be installed to get both outputs working simultaneously,
but it requires a binary blob to be injected into the driver.  IIRC it's
some undocumented set of registers that need to get their bits flipped
for the second output to be recognized by the inteldrm code.





Re: OT: hardware war with manufacturers (espionage claims)

2019-07-02 Thread Misc User

On 7/2/2019 12:43 AM, John Long wrote:

On Tue, 2 Jul 2019 10:07:59 +0300
Mihai Popescu  wrote:


Hello,

I keep finding articles about some government bans against some
hardware manufacturers related to some backdoor for espionage. I know
this is an old talk. Most China manufacturers are under the search:
Huawei, ZTE, Lenovo, etc.


It seems painfully obvious what's driving all the bans and vilification
of Chinese hardware and software is that the USA wants exclusive rights
to spy on you and won't tolerate any competition.

Does anybody think maybe the reason Google and Facebook don't pay taxes
anywhere might have something to do with what they do with all that
info they collect? Is the "new" talk about USA banning any meaningful
encryption proof of how seriously they take security and privacy?


What do you think and do when using OpenBSD on this kind of hardware?


Lemote boxes are kinda neat but they're not the fastest in the world.
It beats the hell out of the alternatives if you can live with the
limitations.


Do you prefer Dell, HP and Fujitsu?


Your only choice is probably to pick the least objectionable entity to
spy on you. If you buy Intel you know you're getting broken, insecure
crap no matter whose box it comes in. Sure it runs fast, but... in that
case everybody is going to spy on you.

/jl



Assume everything is compromised.  Don't trust something because someone
else said it was good.  Really, the only way to test if a machine is
spying on you is to do some kind of packet capture to watch its traffic
until you are satisfied.  But also put firewalls in front of your devices
to ensure that if someone is trying to spy on you, their command and
control packets don't make it to the compromised hardware.

Besides, subverting a hardware supply chain is a difficult and
expensive process.  And if there is one thing I've learned in my career
as a security consultant, it's that no matter how malevolent or
benevolent a government is, they are still, above all, cheap and lazy.
And in a world where everything is built with making the ship date as
the first priority, there are going to be so many security flaws to be
exploited.  So much cheaper and easier to let Intel rush a design to
market or Red Hat push an OS release without doing thorough testing and
exploit the inevitable remote execution flaws.

Or intelligence agencies can take advantage of the average person's 
tendency to laziness and cheapness by just asking organizations like 
Google, Facebook, Comcast, Amazon to just hand over the data they 
gathered in the name of building an advertising profile.




Re: Ansible install Re: Reboot and re-link

2019-06-21 Thread Misc User

On 6/21/2019 1:08 PM, Frank Beuth wrote:

On Fri, Jun 21, 2019 at 12:36:22PM -0700, Misc User wrote:

I use PXE + install.conf + siteXX.tgz + siteXX-%hostname%.tgz for my
installs.  I also have an rc.firsttime to download and install the
required packages.


Thanks, but neither this nor the autoinstall suggestion seem applicable 
for my use case.


I am dealing with virtualized servers which usually start out as 
Ubuntu/Debian/Fedora images, then the hosting provider supplies the IP 
address and root password for a first-time SSH login.
In many cases it is not possible to upload an ISO to be used as server 
installation media, and VNC consoles (if available) are often not even 
encrypted. (How would you feel about installing OpenBSD and then having 
your root password sent in plaintext at the very beginning?)


I realize installing OpenBSD under these constraints is rather like 
installing a ship in a bottle, but it seemed worth it to ask...


You could stick bsd.rd onto a bootable partition then point grub to it.
You could also disable password login for root and just use a key pair.
That way you wouldn't be sending the password encrypted (or at most only
giving it a password that is useless without console access, then run
'doas passwd' the first chance you get to eliminate even that vector).
That temp password could even be a long string of random junk so long as
you enter it twice.

You could copy bsd.rd and a copy of your pub key into /boot, or carve
out a new partition using some unused disk space.




Re: Ansible install Re: Reboot and re-link

2019-06-21 Thread Misc User

On 6/21/2019 11:02 AM, Frank Beuth wrote:

On Wed, Jun 19, 2019 at 11:29:32PM +0200, Maxim Bourmistrov wrote:
Installing via NOT RECOMMENDED WAY (following upgrade65.html) - scripting on
steroids (ansible).


I don't want to re-open the hostilities, but installing OpenBSD via 
Ansible is very relevant to my interests. Previously discussed on this 
list was a very roundabout approach using Qemu -- is there a better way 
now?




I use PXE + install.conf + siteXX.tgz + siteXX-%hostname%.tgz for my
installs.  I also have an rc.firsttime to download and install the
required packages.

I have my machines configured to use the harddisk first and PXE second.
When I go to upgrade systems, I clear the system's boot block so the
boot process skips to PXE booting.

Once I got the wrinkles ironed out, installs and upgrades are very much
fire-and-forget.  Hell, new server installs just require plugging the
machine into power and network, and then walk away (The BIOS comes
pre-configured with "On power restore: 'Power-on'").

Best part, this solution requires zero third party binaries or tools.

Just yesterday I had to replace a failed webserver.  Replaced the failed
system's MAC in dhcpd.conf and then had the datacenter folks rip the old
system out, install the new one, make sure it powers up, then walk away.
Four hours later, I had a fully operational server up and slinging html,
probably finished a lot sooner, but I didn't bother to check until then.



Re: The su manual doesn't mention use root account by default

2019-06-13 Thread Misc User

On 6/13/2019 9:42 AM, Adam Thompson wrote:

On 2019-06-12 03:55, Ingo Schwarze wrote:
During initial system installation & deployment, before doas is 
configured, and assuming you haven't [yet] added your SSH keys to 
~root/.ssh/allowed_keys, it's quite impossible to avoid using su. 
(AFAIK.  If there's another way, let me know!)



siteXX.tgz

https://www.openbsd.org/faq/faq4.html#site



Re: single user question

2019-05-10 Thread Misc User

On 5/10/2019 1:28 AM, cho...@jtan.com wrote:

Misc User writes:

It is theoretically possible to do that, but you'd have to do -a lot-
of work to get it to do so.  It'd be much easier finding a proper
way to accomplish what you want without running single-user.


I wouldn't recommend using single user mode to do anything other than
repair but it's not true to say that doing so is a lot of work. /etc/rc
is only ~600 lines and a lot of that is unnecessary if the server is
going to run a single thing. In many cases you can probably get away
with just mount/fsck/pfctl/netstart.

There is actually no such thing as "single user mode". All there is is a
kernel which hasn't done anything yet, and everything OpenBSD's does as
it "enters multi-user mode" is described clearly and comprehensively in
/etc/rc. Duplicating what little of it you want is, literally, as simple
as copy-paste.

Matthew


What I'm saying is that it would take far more work to get something
like httpd to run at that stage than it would take to make the changes
to a fully booted, and supportable, system.  Making changes to rc is
going to force the system's operator to make adjustments at every
system upgrade.

Besides, it is possible to build a very light-weight system to run a
single thing while still being secure and supportable.  I have a VM
template (Well, a sitexx.tgz file) that just contains an rc.conf.local,
a new crontab, a syslogd.conf, and a few trivial scripts.  The system
weighs in at 8 MB of used RAM in normal operation and a load average of
zero.  It is also trivial to upgrade, has all its protections, and I can
remotely monitor it.  Took me two hours to build it, most of that spent
modifying copies of daily/weekly/monthly to output via syslog instead of
mail.


What I'm saying is that it takes less work overall to subtract from a
system in a supportable way than it does to try to handcraft an
unsupportable system.



Re: single user question

2019-05-09 Thread Misc User

On 5/9/2019 9:21 AM, James Huddle wrote:

If the following questions trigger a sense of road rage, you may
safely assume they are not directed to you.

Is anyone running in single-user mode regularly?
Is anyone running a web server, for instance, in single-user mode?

Many thanks in advance.  Shields up.
-Jim



It is theoretically possible to do that, but you'd have to do -a lot-
of work to get it to do so.  It'd be much easier finding a proper
way to accomplish what you want without running single-user.

Single-user is meant as a fail-safe in case your system is too broken
to boot normally, but not so broken that you have to resort to bsd.rd.
It lacks the ability to start any daemons that aren't run as root,
you'll have to manually mount your partitions (including remounting
root as R/W), networking isn't going to be configured yet, and even
when it's up, you aren't going to have any security features turned on,
and just so much else you'd expect in an OS is going to be missing.




Re: trackpad reversed scrolling broken on -current

2019-03-25 Thread lists+misc
On Mon, Mar 25, 2019 at 10:53:08PM +0100, Ulf Brosziewski wrote:
> You can make that permanent with an entry in wsconsctl.conf. However,
> please note that the "param" field is for debugging and development,
> there are no guarantees about its future.

Thanks yet again, Ulf.  For long term plans, please don't forget about
us backwards people ;)

You helped me a short while ago with different sensitivities between the
trackpoint/trackpad, and I've been using the specified xorg.conf with
much more enjoyment since then.



trackpad reversed scrolling broken on -current

2019-03-25 Thread lists+misc
Hello all -

On the latest snap of -current, my reversed trackpad scrolling seems to
have broken.  My xorg.conf is as follows:

Section "InputClass"
Identifier "ws pointer"
MatchIsPointer "true"
Option "AccelerationProfile" "2"
Option "AccelerationNumerator" "5"
Option "AccelerationDenominator" "2"
Option "AccelerationThreshold" "0"
EndSection

Section "InputClass"
Identifier "ws touchpad"
MatchIsTouchpad "true"
Option "AccelerationProfile" "2"
Option "AccelerationNumerator" "10"
Option "AccelerationDenominator" "9"
Option "AccelerationThreshold" "0"
Option "ZAxisMapping" "5 4"
EndSection

I saw on the "following -current" page that "Using a new kernel with
touchpads requires an updated version of ws(4). The touchpad input
driver generates new types of wscons events for scrolling.", which I
think could be related.  However, xev shows that the button events are
still 4 and 5 for Z axis scrolling.

dmesg as follows (Lenovo 5th gen X1):

OpenBSD 6.5-beta (GENERIC.MP) #830: Sun Mar 24 19:44:30 MDT 2019
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 16908881920 (16125MB)
avail mem = 16386105344 (15627MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0xbf0ed000 (62 entries)
bios0: vendor LENOVO version "N1MET52W(1.37)" date 02/14/2019
bios0: LENOVO 20HRCTO1WW
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP UEFI SSDT SSDT HPET APIC MCFG ECDT SSDT BOOT BATB SSDT 
SSDT SSDT WSMT SSDT SSDT DBGP DBG2 MSDM DMAR ASF! FPDT UEFI
acpi0: wakeup devices GLAN(S4) XHC_(S3) XDCI(S4) HDAS(S4) RP01(S4) RP02(S4) 
RP04(S4) RP05(S4) RP06(S4) RP07(S4) RP08(S4) RP09(S4) RP10(S4) RP11(S4) 
RP12(S4) RP13(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 2399 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz, 2593.62 MHz, 06-8e-09
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 24MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1.1.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz, 2593.98 MHz, 06-8e-09
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 120 pins
acpimcfg0 at acpi0
acpimcfg0: addr 0xf000, bus 0-127
acpiec0 at acpi0
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 2 (RP01)
acpiprt2 at acpi0: bus -1 (RP02)
acpiprt3 at acpi0: bus 4 (RP03)
acpiprt4 at acpi0: bus -1 (RP04)
acpiprt5 at acpi0: bus 5 (RP05)
acpiprt6 at acpi0: bus -1 (RP06)
acpiprt7 at acpi0: bus -1 (RP07)
acpiprt8 at acpi0: bus -1 (RP08)
acpiprt9 at acpi0: bus -1 (RP09)
acpiprt10 at acpi0: bus -1 (RP10)
acpiprt11 at acpi0: bus -1 (RP11)
acpiprt12 at acpi0: bus -1 (RP12)
acpiprt13 at acpi0: bus -1 (RP13)
acpiprt14 at acpi0: bus -1 (RP14)
acpiprt15 at acpi0: bus -1 (RP15)
acpiprt16 at acpi0: bus -1 (RP16)
acpiprt17 at acpi0: bus -1 (RP17)
acpiprt18 at acpi0: bus -1 (RP18)
acpiprt19 at acpi0: bus -1 (RP19)
acpiprt20 at acpi0: bus -1 (RP20)
acpiprt21 at acpi0: bus -1 (RP21)
acpiprt22 at acpi0: bus -1 (RP22)
acpiprt23 at acpi0: bus -1 (RP23)
acpiprt24 at acpi0: bus -1 (RP24)
acpicpu0 at acpi0: C3(200@1034 mwait.1@0x60), C2(200@151 mwait.1@0x33), 
C1(1000@1 mwait.1), PSS
acpicpu1 at acpi0: C3(200@1034 mwait.1@0x60), C2(200@151 mwait.1@0x33), 
C1(1000@1 mwait.1), PSS
acpipwrres0 at acpi0: PUBS, resource for XHC_
acpipwrres1 at acpi0: WRST
acpipwrres2 at acpi0: WRST
acpitz0 at acpi0: critical temperature is 128 degC
acpipci0 at acpi0 PCI0: 0x0010 0x0011 0x
acpithinkpad0 at acpi0
acpiac0 at acpi0: AC unit online
acpibat0 at acpi0: BAT0 model "01AV494" serial  2264 type LiP oem "LGC"
acpicmos0 at acpi0
"ALPS" at acpi0 not configured
"INT0E0C" at acpi0 not configured

Re: setup authoritative DNS for myself with nsd + unbound

2019-01-18 Thread Misc User

On 1/18/2019 11:10 AM, Kaya Saman wrote:

It really depends on what you want/need.


If you would like to host your own DNS servers, then multi location is a 
good idea:



Example: Master NS1 in LA and Slave NS2 in Miami.


I have no idea about GoDiddy but my US based domain hosting company 
lets me specify my own ns servers, as their DNS hosting is a little 
limited for what I need.



Just whack Bind9 onto both systems in master/slave setup, and away you 
go. DNS isn't really complicated so you should be up and running in no 
time. ;-)



Once that's done a good online tool for checking certain parts of the 
domain is: https://mxtoolbox.com/ but then don't forget your local tools 
such as nslookup and dig!!



Regards,


Kaya


On 1/18/19 6:38 PM, Chris Bennett wrote:

I have had problems with setting up DNS for myself and I need it to be
authoritative.
I have my domains registered with Godaddy and they do not support for
domains not hosted on their servers. I have been using their DNS without
big problems, except that I'm not getting proper results with regards to
email. I've got a pretty bad problem with spam. I now have two servers,
each with a different company.

Will that then solve the problems with PTR, DKIM and DMARC?
I also particularly hate the web GUI that Godaddy uses and it's SOA
record is much too long timewise.

Should I set it up with just one of my servers or both?
One is in Los Angeles and the other is in Miami.
Do I need to use a different one to cover the other server or can I just
use the same one to cover the email stuff like DKIM and DMARC?

Since I'm having problems from the ground up, this seems like a good
idea to start at.

I'm also seeing conflicting advice on whether I should use multiple A
records for subdomains, like www. smtp. etc. or CNAME.
Plus it's not clear to me whether to use records like _smtp.tcp or not
bother with those.

I have spent a lot of time reading pages on all of these subjects but I
have yet to find a complete example of all DNS records for a site.
Would anyone care to share one with me?

Thanks,
Chris Bennett






GoDaddy allows you to specify your own NS records in DNS.  For a while I 
was using Hurricane Electric's DNS hosting service 
(https://dns.he.net/).  It supports A, , CNAME, ALIAS, MX, NS, TXT, 
CAA, AFSDB, HINFO, RP, LOC, NAPTR, PTR, SSHFP, SPF, and SRV records. 
They also have 5 dual-stack clusters for DNS hosted on different AS 
numbers and in different datacenters.  They also support Dynamic DNS 
using curl calls.  It's also free.


I used to use them before moving all my stuff out of the US and onto 
equipment I control.




Re: Where can I find X server's core files?

2019-01-16 Thread Misc User

On 1/16/2019 12:44 PM, Leonid Bobrov wrote:

X server crashes and I can't find its core file for debugging purposes.



#find / -name '*.core'



Re: Blocking "shodan.io" - What are my options?

2019-01-08 Thread Misc User

On 1/8/2019 3:16 PM, Aaron Mason wrote:

On Sat, Jan 5, 2019 at 5:46 AM Misc User  wrote:


On 1/3/2019 11:20 PM, Radek wrote:

A little ncat, sed, pfctl, and a dash of cron are able to do
the job just fine.  cron is just there to start the ncat processes at
boot and run an hourly script to do a pfctl -T expire  86400 to
keep the table clean of old attackers.

Sounds good. Could you share your script here?



I don't have access to my systems right now, but the script is pretty
much a couple of one-liners in crontab, something similar to:

ncat -l -k 23 -vv | sed s/// | xargs -R 1 -I % pfctl -t honeypot
-T add %

I'll have to look up the exact command when I get home tonight,
especially the sed I used.  Running on my local system, the ncat command
echoes out lines like:

Ncat: Connection from 172.16.11.152.
Ncat: Connection from 172.16.11.152:57562.

If I get the time today, I'll work on re-creating the regex, if not,
I'll share the one I've been using on my systems.



Hi

Any news on this? I've tried building my own and while I can get a
list of IP addresses, nothing gets sent through to xargs.  They appear
if I leave off the xargs bit:

git# nc -vnkl 21 2>&1 | sed -E 's/^Connection from
([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) [0-9]*
received!$/\1/'
111.222.33.44
^C
git#

But if I include the pipe to xargs, nothing happens.  I still get
nothing happening if I change it to a while loop, using read to pull
in the IP address.

This works, though it assumes that the output for nc(1) will
stay the same forever - it's also IPv6 ready unlike my example above:

nc -vnkl 21 2>&1 | while read dummy dummy ipaddr dummy dummy; do pfctl
-t honeypot -T add $ipaddr; done



Doing some work on it the other day, I noticed it opens a pretty big 
command injection hole if pfctl doesn't kill the connection before the 
connecting source gets a chance to send data.  An attacker could connect 
to the port and send the string "Ncat: Connection from 172.16.11.152.\ 
&& " and whatever it uses for  will be done by a 
privileged account (At least one with permissions to add entries to pf's 
tables)


I tested it using a telnet client connecting to one of the arbitrary 
ports I set up.  So I've been trying to figure out a better way to do 
this.  There has to be, maybe something with tcpdump.


I'm looking into patching ncat to have a flag where the -v option 
doesn't output packet content, and only outputs packet metadata. 
Probably also clean up what it outputs to produce a 'honeypot' mode or 
something friendly to chaining to a firewall control program.


-CA






Re: vultr

2019-01-07 Thread lists+misc
On Mon, Jan 07, 2019 at 08:44:03AM -0500, Nick Holland wrote:
> Use their install ONLY to put your own bsd.rd in root (everyone seems to
> obsess over loading an ISO.  Who cares?  Just use a -current bsd.rd!),
> boot off that, reinstall exactly as you want it.  The Vultr console
> works great on OpenBSD chrome and firefox browsers.  Use DHCP for
> network.  Done.

This is exactly what I have done, and it works very well.  I just wanted
to add that I included "inet6 autoconf -autoconfprivacy" in addition to
"dhcp" in hostname.vio0, and I now have a dual-stack enabled server.  I
was pleasantly surprised that all the OpenBSD daemons I use "just work."



Re: vultr

2019-01-05 Thread Misc User

On 1/5/2019 2:22 PM, ed...@pettijohn-web.com wrote:

I was thinking about spinning up a new instance on vultr to play with.
They have an option to install OBSD 6.3/4. Has anyone tried these? I
attempted the FBSD one in the past, but the default install was all
whacked out and I had to start over with a fresh install.

Thanks,

Edgar

The default is alright, but comes with keys and passwords they 
generated, plus they do a single-partition scheme on the smaller disk 
instances and the auto partition on the others.  Good for a general 
purpose machine, but not so great if you have a specific task in mind. 
They also tend to install all the sets.


But since they let you upload an ISO and give you full console access, I 
just do a fresh install and customize as much as I want for the system I 
am building.  Usually so I can get a good partitioning scheme set up 
(256m on /, /home, /tmp, /usr/local, /var and swap; with a 1g /usr and 
swap) so I can dedicate 15g (Or more) to a partition for whatever task 
the machine was built for.


-CA



Re: Blocking "shodan.io" - What are my options?

2019-01-04 Thread Misc User

On 1/3/2019 11:20 PM, Radek wrote:

A little ncat, sed, pfctl, and a dash of cron are able to do
the job just fine.  cron is just there to start the ncat processes at
boot and run an hourly script to do a pfctl -T expire  86400 to
keep the table clean of old attackers.

Sounds good. Could you share your script here?



I don't have access to my systems right now, but the script is pretty 
much a couple of one-liners in crontab, something similar to:


ncat -l -k 23 -vv | sed s/// | xargs -R 1 -I % pfctl -t honeypot 
-T add %


I'll have to look up the exact command when I get home tonight, 
especially the sed I used.  Running on my local system, the ncat command 
echoes out lines like:


Ncat: Connection from 172.16.11.152.
Ncat: Connection from 172.16.11.152:57562.

If I get the time today, I'll work on re-creating the regex, if not, 
I'll share the one I've been using on my systems.




Re: Blocking "shodan.io" - What are my options?

2019-01-03 Thread Misc User

On 1/3/2019 3:06 PM, Jordan Geoghegan wrote:

Hello,

I wrote a small script called 'pf-badhost' to block shodan and other 
annoyances via pf firewall. Check out www.geoghegan.ca/pf-badhost.html 
to see the script.


pf-badhost also blocks ssh bruteforcers and other annoyances by loading 
a list of regularly updated badhost lists from trusted sources. If you 
only want to block shodan specifically, just comment out the few lines 
that download the other blocklists, and you should be good to go. I've 
had a number of people give good feedback on it, and they've reported it 
blocking the scanners and baddies quite effectively; BSDNow also did a 
piece about it, so it seems to work alright.



Cheers,

Jordan


On 01/02/19 22:15, Antonino Sidoti wrote:

Hi,

I wish to block all attempts by “shodan.io”. Basically I run an 
OpenBSD (6.4) mail server using OpenSMTPD and notice quite a bit of 
traffic all stemming from “shodan.io". I have PF configured so I was 
wondering how to block such a domain from making any attempts to 
connect to my server. There is little information about Public IP 
addresses being used by the "shodan.io" scanner, so making an IP list for 
PF may be futile.


Could someone suggest a possible option? I was thinking along the 
lines of “relayd” or "squid proxy”. My server is hosted at Vultr and 
has a single WAN interface with Public IP. There is no internal LAN 
interface.


For those who do not know about “shodan.io”, please do a search and 
you will discover what it does.


Regards

Nino






I've always been a fan of just setting up a simple script to open a 
couple of ports with ncat, then when a client connects to the port, it gets 
shoved into a pf table that has a `drop' rule attached to it.  No messing 
about with blocklists or proxies or anything else.


ncat listens on various low-number ports that nothing is using on my 
servers.  A little ncat, sed, pfctl, and a dash of cron are able to do 
the job just fine.  cron is just there to start the ncat processes at 
boot and run an hourly script to do a pfctl -T expire  86400 to 
keep the table clean of old attackers.


Shodan isn't the only scanner out there, so there is no point in just 
blocking it.  And I figure if someone is trying to connect to unused 
ports on my system, they probably aren't up to any good.  If you aren't 
aware that my machine isn't legitimately listening on 22 or 23, or 443, 
I don't want to talk to you.


I usually just run on port 22 and move sshd to a different port, that 
seems to stop >95% of attackers.
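A hardened version of the ncat-to-pfctl pipeline discussed in this thread, covering both the honeypot approach described in the message above and the command-injection concern raised in the later reply (which appears earlier on this page). This is an added example, not code posted by anyone in the thread. The table name `honeypot` and the two connection-notice formats (OpenBSD `nc -v` and `ncat -v`) are taken from the thread; the function names, the `PFCTL_CMD` hook and the sample lines in the comments are my own assumptions and constructions. The point it demonstrates: the address is extracted from nc's own diagnostic line, validated strictly, and then passed to pfctl as a single argument with no shell in between, so a peer that sends data after connecting can neither inject a command nor smuggle extra pfctl arguments.

```sh
#!/bin/sh
# Added example (not code from the thread). Read the connection notices that
# nc(1) or ncat prints, validate the peer address strictly, and only then hand
# it to pfctl(8) as a single argument, so nothing a peer sends can be
# interpreted by a shell or turned into extra pfctl arguments.

# Assumed hook: the command that receives one validated address. The table
# name "honeypot" is the one used in the thread; set PFCTL_CMD to a stand-in
# (e.g. echo) to dry-run without touching pf.
: "${PFCTL_CMD:=pfctl -t honeypot -T add}"

# is_ipv4 ADDR: succeed only for exactly four decimal octets in 0..255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _oldifs=$IFS; IFS=.
    set -- $1
    IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ "${#_o}" -le 3 ] && [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# is_ipv6 ADDR: conservative check: hex digits and colons only, at least two
# colons, at most 39 characters. pfctl still rejects malformed addresses;
# the job here is to keep shell metacharacters out of argv.
is_ipv6() {
    case $1 in
        *[!0-9a-fA-F:]*) return 1 ;;
        *:*:*) ;;
        *) return 1 ;;
    esac
    if [ "${#1}" -le 39 ]; then return 0; fi
    return 1
}

# extract_ip LINE: print the validated peer address, or print nothing and
# fail. Handles the two notice formats quoted in the thread:
#   "Connection from 192.0.2.1 54321 received!"   (OpenBSD nc -v)
#   "Ncat: Connection from 192.0.2.1:57562."      (ncat -v, IPv4 only here)
# Anything else, including data a peer sends after connecting, is dropped.
extract_ip() {
    case $1 in
        "Ncat: Connection from "*)
            _tok=${1#"Ncat: Connection from "}
            _tok=${_tok%% *}          # first token only
            _tok=${_tok%.}            # trailing period
            _addr=${_tok%:*}          # strip ":port" when present
            is_ipv4 "$_addr" || return 1
            ;;
        "Connection from "*)
            _tok=${1#"Connection from "}
            _addr=${_tok%% *}
            is_ipv4 "$_addr" || is_ipv6 "$_addr" || return 1
            ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$_addr"
}

# block_peers: read notices on stdin and add each validated address.
# Intended use:  nc -vnkl 21 2>&1 >/dev/null | block_peers
block_peers() {
    while IFS= read -r _line; do
        _a=$(extract_ip "$_line") || continue
        # $PFCTL_CMD is split into words on purpose; the address is passed
        # as one quoted argument. No eval, no sh -c.
        $PFCTL_CMD "$_a"
    done
}
```

Two practical notes. First, syntax validation stops metacharacters from reaching pfctl, but with a plain `2>&1` the peer's own bytes share the pipe with nc's notices, so a peer could print a forged `Connection from ...` line and get an arbitrary address blocked; the redirection order `2>&1 >/dev/null` sends nc's diagnostics (stderr) into the pipe and the peer's data (stdout) to /dev/null, which closes that hole. Second, the pf side needs `table <honeypot> persist` and a rule such as `block in quick from <honeypot>` in pf.conf, and the hourly cleanup the thread mentions is `pfctl -t honeypot -T expire 86400`.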





Re: mount_ffs Permission denied as root

2019-01-02 Thread Misc User

On 1/2/2019 4:21 PM, myml...@gmx.com wrote:


On 1/1/19 10:02 PM, Philip Guenther wrote:
On Tue, Jan 1, 2019 at 6:27 PM myml...@gmx.com wrote:


    I just did a new install of current AMD64 from the 12/31/2018
    snapshot
    and having some permission issues mounting a usb drive, as root.
    I have
    been able to mount other usb drives just fine. (Also tried with the
    12/29 snapshots as well, same issue)

    #disklabel sd4

...

    #    size   offset  fstype [fsize bsize   cpg]
       a:    249682144   64  4.2BSD   2048 16384 12958
       c:    249692160    0  unused

    curry:/root:#mount -v /dev/sd4a /mnt/usb0
    mount_ffs: /dev/sd4a on /mnt/usb0: Permission denied

    I don't see any kind of messages in the logs related to the error.


 What's the output of "fsck /dev/rsd4a" ?

Philip Guenther

I had to reboot the machine related to this and the drive attached as a 
different device but here's the output.


20190102-1407:root@curry:/root:#disklabel sd2
# /dev/rsd2c:
type: SCSI
disk: SCSI disk
label: Survivor 3.0
duid: 70568afde7f5a241
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 15542
total sectors: 249692160
boundstart: 64
boundend: 249682230
drivedata: 0

16 partitions:
#    size   offset  fstype [fsize bsize   cpg]
   a:    249682144   64  4.2BSD   2048 16384 12958
   c:    249692160    0  unused

fsck shows clean; I noticed, however, the (NO WRITE) bit at the end.

20190102-1408:root@curry:/root:#fsck /dev/sd2a
** /dev/rsd2a (NO WRITE)
** File system is clean; not checking

I was able to get the drive mounted in read-only mode.  After mounting, one 
of the directories, of course the most important one, gives a bad file 
descriptor and isn't recognized as a directory.


20190102-1410:root@curry:/root:#mount -o ro /dev/sd2a /mnt/usb0
20190102-1410:root@curry:/root:#ls /mnt/usb0
root   sata0  tbisch usb0   usb1

20190102-1410:root@curry:/root:#ls -l /mnt/usb0
ls: tbisch: Bad file descriptor
total 16
drwx--  8 root  wheel   512 Dec 28 06:33 root
drwxr-xr-x  2 root  wheel   512 Dec 30 21:01 sata0
drwxr-xr-x  9 root  wheel  1024 Dec 31  1979 usb0
drwxr-xr-x  2 root  wheel   512 Dec 30 21:01 usb1

20190102-1410:root@curry:/root:#ls /mnt/usb0/tbisch/
ls: /mnt/usb0/tbisch/: Not a directory

I tried unmounting and doing a fsck -f -y /dev/sd4a and it shows lots of 
errors, but doesn't give y for the answer as I thought the -y flag was 
supposed to do:


20190102-1413:root@curry:/root:#fsck -f -y /dev/sd2a
** /dev/rsd2a (NO WRITE)
** File system is already clean
** Last Mounted on /mnt/usb2
** Phase 1 - Check Blocks and Sizes
PARTIALLY ALLOCATED INODE I=25984
CLEAR? no

UNKNOWN FILE TYPE I=25985
CLEAR? no

UNKNOWN FILE TYPE I=25986
CLEAR? no

UNKNOWN FILE TYPE I=25987
CLEAR? no

UNKNOWN FILE TYPE I=25988
CLEAR? no

UNKNOWN FILE TYPE I=25989
CLEAR? no

UNKNOWN FILE TYPE I=25990
CLEAR? no

UNKNOWN FILE TYPE I=25991
CLEAR? no

UNKNOWN FILE TYPE I=25992
CLEAR? no

UNKNOWN FILE TYPE I=25993
CLEAR? no

UNKNOWN FILE TYPE I=25994
CLEAR? no

UNKNOWN FILE TYPE I=25995
CLEAR? no

UNKNOWN FILE TYPE I=25996
CLEAR? no

UNKNOWN FILE TYPE I=25997
CLEAR? no

PARTIALLY ALLOCATED INODE I=25998
CLEAR? no

UNKNOWN FILE TYPE I=25999
CLEAR? no

PARTIALLY ALLOCATED INODE I=26000
CLEAR? no

UNKNOWN FILE TYPE I=26001
CLEAR? no

UNKNOWN FILE TYPE I=26002
CLEAR? no

UNKNOWN FILE TYPE I=26003
CLEAR? no

UNKNOWN FILE TYPE I=26004
CLEAR? no

UNKNOWN FILE TYPE I=26005
CLEAR? no

UNKNOWN FILE TYPE I=26006
CLEAR? no

UNKNOWN FILE TYPE I=26007
CLEAR? no

UNKNOWN FILE TYPE I=26008
CLEAR? no
  and it keeps going.


I unmounted the drive and tried to create an image of the drive, but it 
fails


20190102-1435:root@curry:/root:#time dd if=/dev/rsd2c 
of=/root/corsair.iso bs=1k

dd: /dev/rsd2c: Input/output error
15958016+0 records in
15958016+0 records out
16341008384 bytes transferred in 7313.789 secs (2234274 bytes/sec)
   122m03.94s real 0m16.54s user 6m36.66s system

After this doing a disklabel fails:

#disklabel sd2
disklabel: ioctl DIOCGDINFO: Input/output error

Additionally I see the following in the /var/log/messages.

Jan  2 13:52:52 curry /bsd: usb_insert_transfer: xfer=0xff025c1a35a0 
not free






Does it work when you revert back to the last version of OpenBSD it 
mounted properly?  There is a slight possibility that a code change has 
made OpenBSD unable to communicate properly with the controller (like 
the controller is expecting the OS to do the wear-leveling remapping or 
something), but it's far more likely that the device is broken, especially 
since OpenBSD seems to be able to read the partition table, but only 
parts of the file table and only a portion of your sectors.


The most likely scenario here is that your USB drive is broken and useless.



Re: Experiences with single mode fibre on OpenBSD ?

2019-01-02 Thread Misc User

On 1/2/2019 12:12 PM, Rachel Roch wrote:

Hi,

I see the man pages mention the odd SM fibre NIC, which is a good start.

However I could do with some real-world feedback from people in terms of the SM 
NICs they're using and any other experiences with SM on OpenBSD.

Thanks !

Rachel



There shouldn't be anything different.  OpenBSD doesn't care about the 
media so much as the controller, and so long as the controller isn't 
doing anything different (not that there is a reason for the controller 
to do so, at least from the OS's side of the controller), there shouldn't 
be any difference.


I am using a bunch of Intel 10 Gb NICs running on OpenBSD with various 
SFPs plugged into them and I haven't seen any difference in operation 
between SM and MM SFPs other than a different media showing up in the 
ifconfig output.




Re: Advice on Security Cameras

2019-01-02 Thread Misc User

On 1/1/2019 9:46 AM, Elias M. Mariani wrote:

Hi list,
I'm thinking of installing some cameras in my private home. I have
been looking for solutions; my concern is that I wish to be able to
look at the videos from outside the house and I'm a little paranoid about
the quality of the software that the different vendors use. I have
seen clusters of cameras that only work over ActiveX...
I know that this is a little off-topic but maybe someone knows about a good
brand of cameras.
Of course one can always set up a VPN tunnel through OpenBSD for the
security matter; OpenVPN works on Android so it is easy to access from a
smartphone. But I would prefer to have a single secure service running
rather than adding a layer of complexity with the VPN.

I'm looking for:
- Not overpriced cameras.
- They don't need to be "external cameras", they will be covered under a roof.
- I need to set at least 4, so I need them to be accessible from a
single platform.
- Android / Browser friendly (not only IE plz...)
- WiFi is not needed, I have a 12v supply and Ethernet connections for
each camera.
- Good video quality but I'm not looking for anything super great...
- the ability to centralize recording and access to view the cameras is a must.

Again, sorry for the off-topic, but where would I find a better place to
ask about surveillance and security? :D

Cheers and happy new year.
Elias.

Anything that supports RTP/RTSP works pretty well with OpenBSD and 
FFMPEG.  I have FFMPEG listening for my cameras' streams; it then tees the 
output to a series of files (MP4) and to a socket where 
nginx-rtmp-module is able to push it out via https (HLS).


I've been using some to monitor in and around the datacenter.  A bunch 
of PoE-powered network cameras, hooked up to a PoE switch, forming an 
air-gapped surveillance network and an OpenBSD box with a couple 
high-capacity SSDs for storing video and a connection to the main 
network for users to access the web server port.


I've been using Monoprice-branded cameras, but I bought them a few years 
ago, not sure if the current models offer the same protocols.


A bit of advice for cameras outside:  You are going to want 
outdoor-rated cameras even if they aren't getting hit directly with 
rain.  Moisture in the air is still going to condense inside the camera 
if there are any gaps in the case at all.  Eventually the lens is just 
going to become a permanently foggy mess.


-CA



Re: syspatch, relink and kernel version/date

2018-12-20 Thread lists+misc
I can't confirm, but I think I noticed this on a box that was using the
MP kernel even though it was an SP machine.

On Thu, Dec 20, 2018 at 12:14:14PM +0200, Kapetanakis Giannis wrote:
> Hi,
> 
> I'm a bit confused about syspatch and kernel updates. One of my machines, after 
> the latest syspatch (009) and a reboot, lists the old kernel date.
> 
> This happens only on this machine. I've seen it happen before, not sure if it 
> was on the same one or some other box.
> 
> machine1:
> # syspatch -l
> 001_xserver
> 002_syspatch
> 003_portsmash
> 004_lockf
> 005_perl
> 006_uipc
> 007_smtpd
> 008_qcow2
> 009_recvwait
> 
> # uname -prsv
> OpenBSD 6.4 GENERIC.MP#364 amd64
> 
> # sysctl kern.version
> kern.version=OpenBSD 6.4 (GENERIC.MP) #364: Thu Oct 11 13:30:23 MDT 2018
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> 
> machine2:
> # syspatch -l
> 001_xserver
> 002_syspatch
> 003_portsmash
> 004_lockf
> 005_perl
> 006_uipc
> 007_smtpd
> 008_qcow2
> 009_recvwait
> 
> # uname -prsv
> OpenBSD 6.4 GENERIC.MP#2 amd64
> 
> # sysctl kern.version
> kern.version=OpenBSD 6.4 (GENERIC.MP) #2: Tue Dec 18 13:17:16 CET 2018
> 
> r...@syspatch-64-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> 
> on machine1 relink.log seems fine:
> # cat /usr/share/relink/kernel/GENERIC.MP/relink.log 
> (SHA256) /bsd: OK
> LD="ld" sh makegap.sh 0x
> ld -T ld.script -X --warn-common -nopie -o newbsd ${SYSTEM_HEAD} vers.o 
> ${OBJS}
> textdatabss dec hex
> 104959482796320 671744  13964012d512ec
> mv newbsd newbsd.gdb
> ctfstrip -S -o newbsd newbsd.gdb
> mv -f newbsd bsd
> umask 077 && cp bsd /nbsd && mv /nbsd /bsd &&  sha256 -h 
> /var/db/kernel.SHA256 /bsd
> 
> Kernel has been relinked and is active on next reboot.
> 
> SHA256 (/bsd) = 
> 8b216c359324a4a938bd35c2c97416b62ffec8c8b955f8b86d65ddf9dc0d71b1
> 
> Also /bsd has newer date so it seems updated.
> # ls -ld /bsd
> -rwx--  1 root  wheel  15461926 Dec 19 10:04 /bsd*
> 
> # ls -ld /usr/share/relink/kernel/GENERIC.MP/relink.log
> -rw-r--r--  1 root  wheel  486 Dec 19 10:04 
> /usr/share/relink/kernel/GENERIC.MP/relink.log
> 
> can someone explain this?
> 
> thanks
> 
> G
> 



Re: Thinkpad T430 random power off while sleeping

2018-12-06 Thread Misc User

On 12/4/2018 2:12 PM, Charles A Daniels wrote:

Closing the lid on the T430 causes OpenBSD to suspend, as per my
setting for machdep.lidaction=1. This usually works as expected, but
occasionally I take my laptop out of my bag to find it sitting on the
xenodm login screen, not suspended, with the lid closed, having lost
power and rebooted at some point after being suspended.

I would like to collect further information so a bug report can be
filed, but I feel that the above description alone is insufficient to
constitute a useful bug report. To that end, I would like to solicit
advice on what information can be collected and what debugging steps
can be taken so that I can write a useful bug report.

I'm running the 6.4 release, and I have run fw_update and syspatch
periodically since install.

I previously asked for help on r/openbsd[1], but still have not been
able to either resolve the problem or gather sufficient information for
a bug report.

~ Charles

1 -
https://old.reddit.com/r/openbsd/comments/9v0u4w/t430_wakes_from_suspend_with_lid_closed/



I have a similar issue with the X220, the problem is a watchdog timer, 
that I suspect is in the Intel ME.  It expires without being reset and 
forces the machine to restart.  Or at least that is the cause of that 
happening on my X230's.  I've ripped a few of them apart and analyzed 
their guts and found only the CPU and a few other chips are active 
during suspend.  I've probed all the buses of those other chips and none 
make a peep when the machine reboots, the only chip left active is the 
Intel ME chunk of the CPU, and for obvious reasons, I have no idea what 
it is doing, so I suspect it is the culprit.


I gave up on the work a few months ago since it seemed easier to just 
accept that suspend isn't going to work and just use suspend-to-disk or 
just shut the machine down completely.  If you want to do more, and have 
access to a Windows machine, you can try pulling apart the Lenovo 
drivers to see what the Lenovo-specific ACPI driver is doing when the 
machine goes into suspend.




Re: With all this CPU/hardware mess, any advice on what to use for an organization?

2018-11-22 Thread Misc User

On 11/22/2018 12:56 PM, Chris Bennett wrote:

On Thu, Nov 22, 2018 at 09:55:35AM -0600, Boris Goldberg wrote:

Hello Chris,

   There is something extremely weird going on around lately. People
easily take offense where no offense was intended (and hard to find
anyway). Nick was just telling you that (in his expert opinion) you
shouldn't worry much about "Meltdown, Spectre, insecure motherboard chips",
but concentrate on the real security instead. Unfortunately the real
security takes years of learning and experience, and can't be "advised" in
a couple of emails, but he provided a lot of valuable (and valid)
information (which you were not ready to digest, I guess).
   If you are allowing arbitrary code to run on your server you are
screwed with or without Spectre, otherwise there is nothing to spy on you
on that server (even if it's technically possible).
   If (any) government agency really wants to access your server, you are
writing to the wrong list, otherwise government installed spying chips (if
any) won't really hurt you. On the other hand, crapware (like Superfish)
might.

BTW, your boss doesn't need to be stupid to compromise your password (or
keys), just a "normal" human. Security isn't grokkable by "normal" people.


I'm actually sorry, Nick.
I've got a personal situation that has me very touchy right now.
But that's another issue completely.

Since there is a forum, and one has to stay, I have a few questions.
I looked over a lot of forums, both for features and security.
I realized that I couldn't properly judge security.
If a forum has a lot of security patches, does that mean that problems
are being swiftly dealt with or that the forum has serious problems?
If a forum doesn't have reported security patches, does that mean that
it is good or just not maintained? I never thought about this before.

It seems to me that a login username should not be allowed to be the
displayed forum username. The real username is also used for purchases,
membership activities, etc.


I also think that passwords need to be enforced to be changed
occasionally. What sort of timing delay is okay with users?
Nobody really likes changing passwords, but since so many people use the
same one all over the place, it seems like a good idea since they would
then be forced to have a different one from the rest.


There is a need for pretty secure stuff, like the forum and membership,
purchases, etc.
But also very secure activities. Seems to me that 2 servers (or more)
would be best to accomplish this. Any disagreement or other suggestions?
The main website is probably the most important objective right now.
It's what the public sees. And if (which means when, not if) I make a
mistake, the world won't come tumbling down.

Thanks all,
Chris Bennett


I'd look for software that has bug bounties.  I'd also look at the CVEs 
for each product and compare with the patch history.  The delay between 
a flaw being reported versus patched is going to be a much better 
indicator than rate of patches.  I'd also consider the seriousness of 
the flaw being patched as well, like if it is due to a widespread issue 
(EG, Meltdown, heartbleed, etc) or if it is due to some basic 
programming error (Apple's "enter a blank password for root enough times 
and you'll get root" or Microsoft's "patching Windows 10 will obliterate 
your install because of a typo in the patch code that is supposed to 
leave c:\users\ alone").


Also, look for something that could support external authentication, 
especially something industry standard like LDAP, so you can use one 
authentication database that all your services can use while not relying on 
whoever wrote the individual bits of software to have written something 
that doesn't suck.  Also look for something that will allow the admin 
pages to be hosted on a different url from the user accessible stuff.


If you are handling payment or financial information, outsource it to 
something like paypal or another well-known payment processor.  While 
they aren't very secure, they are insured, so if they fuck something up, 
you aren't holding the bag and are very unlikely to be blamed for it by 
your users.


As for number of servers, more than one is going to be the better way. 
If something has a port accessible by any old rando, you shouldn't be 
storing anything secure on it.  Especially if the server also stores 
something the user can craft (EG, photos from the forum, arbitrary text, 
etc).


As for ISPs, just assume they are all total shit (Most of them are 
anyway) and treat them like you would an open wireless network.  Don't 
use their DNS and encrypt everything you can.  Use static IPs if you 
can.  Don't allow passwords for ssh on anything public facing.  Only 
allow admin pages to be accessible from a private network (So that you'd 
need to use an ssh tunnel to get to it remotely)


-CA



Re: Supermicro X7SPA-HF D510 and OpenBSD

2018-11-22 Thread Misc User

On 11/22/2018 6:13 AM, Stuart Henderson wrote:

On 2018-11-22, Radek  wrote:

Hello,
does anybody run OpenBSD 6.3/amd64 or 6.4/amd64 on SUPERMICRO X7SPA-HF D510?
Does it work well together?

I need to build a backup server (rsync only) with 2-3x 4TB HDD, 3U/4U Rack case 
for better cooling. RAID is not needed.
It must be as silent as possible. Low power consumption is also welcomed.

Thanks!


Not sure if I have that *exact* board but I have something very similar,
I wouldn't expect any problems with this.




I am running the X7SPA-HF-D525 version (Same board, different chip.  The 
D525 and D510 are really just the same chip anyway, just that the D510 
has a slightly different set of bits burned into the configuration fuses).


Everything seems to work just fine, only problems are that it can't 
support a lot of graphical modes (xenocara will run, just not very well, 
since the gpu only has 8 MB of memory and it comes from the main pool of 
memory anyway).  That and you can't communicate with the IPMI interface 
from within the OS (But doesn't prevent you from using the IPMI 
interface, you'd just need to do any configuration of it via BIOS or the 
IPMI's web interface).


dmesg from my system is below


OpenBSD 6.4 (GENERIC.MP) #0: Sat Nov 17 22:15:46 CET 2018

r...@syspatch-64-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4277665792 (4079MB)
avail mem = 4138745856 (3947MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0x9ac00 (19 entries)
bios0: vendor American Megatrends Inc. version "1.2" date 09/14/11
bios0: Supermicro X7SPA-HF
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC MCFG OEMB HPET EINJ BERT ERST HEST
acpi0: wakeup devices P0P1(S4) USB0(S4) USB1(S4) USB2(S4) USB5(S4) 
EUSB(S4) USB3(S4) USB4(S4) USB6(S4) USBE(S4) P0P4(S4) P0P5(S4) P0P6(S4) 
P0P7(S4) P0P8(S4) P0P9(S4) [...]

acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Atom(TM) CPU D525 @ 1.80GHz, 1800.30 MHz, 06-1c-0a
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,SENSOR,MELTDOWN

cpu0: 512KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 207MHz
cpu0: mwait min=64, max=64, C-substates=0.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Atom(TM) CPU D525 @ 1.80GHz, 1872.00 MHz, 06-1c-0a
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,SENSOR,MELTDOWN

cpu1: 512KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 3 pa 0xfec0, version 20, 24 pins, remapped
acpimcfg0 at acpi0
acpimcfg0: addr 0xe000, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 4 (P0P1)
acpiprt2 at acpi0: bus 1 (P0P4)
acpiprt3 at acpi0: bus -1 (P0P5)
acpiprt4 at acpi0: bus -1 (P0P6)
acpiprt5 at acpi0: bus -1 (P0P7)
acpiprt6 at acpi0: bus 2 (P0P8)
acpiprt7 at acpi0: bus 3 (P0P9)
acpicpu0 at acpi0: C1(@1 halt!)
acpicpu1 at acpi0: C1(@1 halt!)
acpicmos0 at acpi0
acpibtn0 at acpi0: PWRB
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Pineview DMI" rev 0x02
ppb0 at pci0 dev 28 function 0 "Intel 82801I PCIE" rev 0x02: msi
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 4 "Intel 82801I PCIE" rev 0x02: msi
pci2 at ppb1 bus 2
em0 at pci2 dev 0 function 0 "Intel 82574L" rev 0x00: msi, address 
00:25:90:62:cc:46

ppb2 at pci0 dev 28 function 5 "Intel 82801I PCIE" rev 0x02: msi
pci3 at ppb2 bus 3
em1 at pci3 dev 0 function 0 "Intel 82574L" rev 0x00: msi, address 
00:25:90:62:cc:47

uhci0 at pci0 dev 29 function 0 "Intel 82801I USB" rev 0x02: apic 3 int 23
uhci1 at pci0 dev 29 function 1 "Intel 82801I USB" rev 0x02: apic 3 int 19
ehci0 at pci0 dev 29 function 7 "Intel 82801I USB" rev 0x02: apic 3 int 23
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev 
2.00/1.00 addr 1

ppb3 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0x92
pci4 at ppb3 bus 4
vga1 at pci4 dev 4 function 0 "Matrox MGA G200eW" rev 0x0a
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 31 function 0 "Intel 82801IR LPC" rev 0x02
ahci0 at pci0 dev 31 function 2 "Intel 82801I AHCI" rev 0x02: msi, AHCI 1.2
ahci0: port 0: 3.0Gb/s
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0:  SCSI3 
0/direct fixed naa.50014ee2059bdbc4

sd0: 953869MB, 512 bytes/sector, 1953525168 sectors
ichiic0 at pci0 dev 31 function 3 "Intel 

Re: With all this CPU/hardware mess, any advice on what to use for an organization?

2018-11-20 Thread Misc User

On 11/20/2018 8:43 AM, Chris Bennett wrote:

I am almost certainly going to be replacing with a new server for an
organization I am a member of.
With all of this mess with Meltdown, Spectre, insecure motherboard
chips,etc.
I am pretty clueless on exactly what is going to be a secure set of
server hardware.
Intel, well no.
AMD? I have read about problems with non-CPU chips being compromised.
Another architecture? I have never used anything other than Intel/AMD.

The server will run httpd, mailserver, PostgreSQL and somehow a good way
for well encrypted messaging at times.
It is very likely to run out of Austin, Texas.
I think that having a direct connection would be best, but would a
proper setup make collocation OK?

This isn't going to be my server, I will just be in charge. That's
completely new for me.
Any advice is really welcome, everywhere I read anything, hardware seems
broken and insecure.

Thanks a bunch for any help,
Chris Bennett




Personally, I'd go with a couple of Sun T-1000s, a pair of managed 
switches and some Cyclades (or similar) serial port servers and cram 
them into a half cabinet rented from a CoLo.  2 to run as firewalls, 2 
for httpd, 2 for your database, and 2 to run Dovecot for your mail 
(Assuming just IMAP is fine for your users).  You'd probably be looking 
at about $10,000 in hardware and a few hundred a month for renting the 
rack space.  Although with some frugal ebay'ing, you can probably bring 
that hardware cost down quite a bit.  But you'll get some decent 
hardware, and SSH-based remote access to the OOB ALOM ports of the systems.


I have a similar, but much larger scale, setup sitting in an Equinix 
Datacenter over in San Jose.




Re: Missing LVM (Logical Volume Manager)

2018-11-18 Thread Misc User

On 11/18/2018 2:54 AM, Stuart Henderson wrote:

On 2018-11-17, Misc User  wrote:

I concur, software raid is a bug, not a feature, especially since if you
truly need RAID, hardware cards are fairly cheap.


Never had a RAID controller die?



I've had plenty die, but the number of HW RAID chips that have died on me is
much, much lower than the number of times I've had software RAID fail.  Plus HW RAID 
chips allow for full disk encryption, which is far more important to me 
than worrying about a system going down due to a failed disk (I keep 
backups anyway).


But then, for the most part, I don't bother with RAID in any form and 
just opt for redundant systems instead.  Carp+rsync on cheap boxes has 
provided a much more stable platform than trying to do 
component-level redundancy.




Re: Missing LVM (Logical Volume Manager)

2018-11-17 Thread Misc User

On 11/17/2018 10:53 AM, Predrag Punosevac wrote:

On Sat, Nov 17, 2018 at 01:35:05AM +0100, Willi Rauffer wrote:


Hello,

we want to make one logical volume out of several physical volumes, but there 
is no \
LVM (Logical Volume Manager) in OpenBSD!
Will there be a LVM in OpenBSD in the future?

Thanks...Willi Rauffer, UNOBank.org


There are people on this mailing list infinitely more knowledgeable and
experienced than I both with Linux and BSDs so they will correct me
claims if necessary.

In my experience using LVM2 (LVM is deprecated) to create software RAID
even on Linux (I have the most experience with RHEL) is a bad idea
unless you believe the RedHat PR BS. Most people myself included if
they have to use softraid on Linux prefer to do it from mdadm (softraid
discipline for Linux and then perhaps put LVM on the top of it although
I fail to see the purpose). Given the lack of a modern file
system on Linux (Btrfs is vaporware and ZFS is an external kernel
module which lags many version numbers behind Solaris and FreeBSD) some
PR guys from RedHat started even advertising LVM2 snapshots as real
snapshots. That is pure BS as they are a very expensive operation and for
all practical purposes useless on the legacy file system XFS which is
really the only really stable FS on Linux. If you are storing your data
on Linux you should be using Hardware RAID and XFS.

Not having LVM2 on OpenBSD is a feature not a bug!  Dragon Fly BSD has
a partial, not really functional implementation of LVM that I am quite
familiar with. IIRC NetBSD has an LVM2 implementation but it is hard for me
to say how useful it is as I have never used it.

As somebody mentioned, OpenBSD softraid can be used to manage logical
volumes:

oko# bioctl softraid0
Volume  Status   Size Device
softraid0 0 Online  2000396018176 sd3 RAID1
   0 Online  2000396018176 0:0.0   noencl 
   1 Online  2000396018176 0:1.0   noencl 

but it is quite crude and it will take you more than a week to rebuild
a simple 10 TB mirror. IMHO softraid is far more useful for drive
encryption on your laptop for example than for data storage. I don't
have any experience with Hardware RAID cards on OpenBSD (Areca should
have really good support) which I do prefer over softraid (but not over
ZFS). However OpenBSD lacks a modern file system (read HAMMER or HAMMER2)
to take advantage of such a setup.


Best,
Predrag

P.S. OpenBSD's NFSv3 server and client implementation is pretty slow so
that begs the question how you are going to access that data pool.



I concur, software raid is a bug, not a feature, especially since if you 
truly need RAID, hardware cards are fairly cheap.  But if you can't 
afford such a card, a fairly reliable method is to just replicate the 
/altroot scheme with all your partitions.  Even just using an external 
drive that you do periodic backups to is more reliable than software 
raid.  For the most part, I've actually seen more failures with softraid 
than just independent disks, even between systems where the only 
difference is the serial number being slightly incremented (softraid, no 
matter how well coded, still causes far more disk usage than a normal 
un-raided disk).


Although, really, if you need reliability, it is much cheaper, less 
effort-intensive, and more reliable to just grab a bunch of low-end 
systems and cluster them together.  I have a small cluster of 5 crusty old 
SunFire V120 boxes that've been running OpenBSD for nearly 10 years as 
my firewalls, I'm just running with a single disk in each.  Each of them 
has failed at least a couple of items over the years (failed disks, RAM 
modules, motherboards, power supplies, etc), but collectively they've 
had 100% reliability, even counting time for required reboots for 
upgrades, patches, and other maintenance.


Overall, I've found that software raid systems are only good for 
supporting whole-disk crypto and nothing else.  Otherwise you are just 
adding an unnecessary performance penalty, killing your disks faster, and 
making it much more of a pain in the ass to recover from.


-C




Re: Cannot mount install.fs disk image to create custom auto_install.conf based USB flash drive

2018-11-11 Thread Misc User

On 11/11/2018 1:28 PM, Andrew Lemin wrote:

Hi list,
I really need some help mounting an install.fs disk image, and hope someone
can help :)
I have been trying and failing to create an auto-installing USB flash drive
for OpenBSD.

All of the below steps are being performed using an existing OpenBSD VM

1) Create /auto_install.conf file
https://man.openbsd.org/autoinstall
http://eradman.com/posts/autoinstall-openbsd.html
- Done

2) Install 'upobsd' package
pkg_add -i upobsd
- Done

3) Inject newly created 'auto_install.conf' into a local 'bsd.rd' RAM disk
upobsd -u /auto_install.conf -o /tmp/bsd.rd
- Done

4) Add updated 'bsd.rd' file into 'install.fs'
4a) Associate image with a vnd device so disk image can be mounted as a
filesystem image
vnconfig vnd1 /home/sysadmin/install64.fs
- Done

4b) Mount new vnd1c device (this is where I'm stuck)

** Here is where I get lost. All the guides refer only to using
install.iso (whose 'a:' and 'c:' partitions are ISO9660 filetypes - for CD
based installs), but I need to use the install.fs (for USB based installs)
**

fw1# mount /dev/vnd1c /mnt
mount_ffs: /dev/vnd1c on /mnt: Invalid argument
fw1# mount -t cd9660 /dev/vnd1c /mnt
mount_cd9660: /dev/vnd1c on /mnt: Invalid argument
fw1# mount -t msdos /dev/vnd1c /mnt
mount_msdos: /dev/vnd1c on /mnt: not an MSDOS filesystem
fw1# mount -t ext2fs /dev/vnd1c /mnt
mount_ext2fs: /dev/vnd1c on /mnt: Input/output error

As you can see, none of the types I know about are working?

bsd1# disklabel vnd1
# /dev/rvnd1c:
type: vnd
disk: vnd device
label: fictitious
duid: e5445c1e269855f0
flags:
bytes/sector: 512
sectors/track: 100
tracks/cylinder: 1
sectors/cylinder: 100
cylinders: 7382
total sectors: 738240
boundstart: 1024
boundend: 737280
drivedata: 0
16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:           736256             1024  4.2BSD   2048 16384 16142
  c:           738240                0  unused
  i:              960               64   MSDOS

I cannot work out what the filesystem should be? It shows as 'unused' here.

NB; If I try with the 'install.iso' disk image the vnd mount works fine
(with '-t cd9660').
But I need this to work for a flash drive?



Assuming I could get past this, I think I would then need to do the
following;

4c) Copy in bsd.rd
cp /tmp/bsd.rd /mnt/

4d) Unmount /mnt
umount /mnt

4e) Disassociate vnd1
vnconfig -u /dev/vnd1

6) copy modified install.fs image to USB flash..
dd if=install*.fs of=/dev/rsd6c bs=1m

Thanks in advance for your time and help.
Andy.



Use the 'a' partition, not 'c'.
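As an added example (not code from the thread or from any OpenBSD tool), the procedure above with the answer applied: instead of hard-coding `vnd1a`, a small function reads the `disklabel` output and picks the partition whose fstype is `4.2BSD`, because `c` covers the whole image and carries no filesystem, which is why every `mount` attempt on `/dev/vnd1c` failed. The sample label, the image path, the vnd unit and the USB device name are assumptions taken from the thread; the build function is only run when `RUN_BUILD=1` is set, since it needs root on OpenBSD.

```shell
# Added example: choose the FFS partition of a vnd-attached install*.fs
# from disklabel(8) output, then run the corrected steps 4a-6.
# Constructed sample of what `disklabel vnd1` printed in the thread.
SAMPLE_LABEL='16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:           736256             1024  4.2BSD   2048 16384 16142
  c:           738240                0  unused
  i:              960               64   MSDOS'

# ffs_partition LABEL_TEXT: print the letter of the first partition whose
# fstype is 4.2BSD (FFS). Prints nothing if no such partition exists.
ffs_partition() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[a-p]:$/ && $4 == "4.2BSD" { sub(":", "", $1); print $1; exit }'
}

# build_autoinstall_usb IMAGE BSD_RD VND RAW_USB_DEV
# Steps 4a-6 from the thread, mounting the FFS partition instead of "c".
# Needs root on OpenBSD; paths and device names are assumptions.
build_autoinstall_usb() {
    image=$1; bsdrd=$2; vnd=$3; usbdev=$4
    vnconfig "$vnd" "$image"                      # 4a: attach image
    part=$(ffs_partition "$(disklabel "$vnd")")   # find the FFS slice
    if [ -z "$part" ]; then
        echo "no FFS partition found in $image" >&2
        vnconfig -u "$vnd"
        return 1
    fi
    mount "/dev/${vnd}${part}" /mnt               # 4b: mount e.g. /dev/vnd1a
    cp "$bsdrd" /mnt/bsd.rd                       # 4c: drop in patched bsd.rd
    umount /mnt                                   # 4d
    vnconfig -u "$vnd"                            # 4e
    dd if="$image" of="$usbdev" bs=1m             # 6: write image to USB
}

if [ "${RUN_BUILD:-0}" = 1 ]; then
    build_autoinstall_usb /home/sysadmin/install64.fs /tmp/bsd.rd vnd1 /dev/rsd6c
fi
```

The selection step is the check worth keeping: if an image ever ships with its FFS filesystem on a different letter, the script follows the label rather than failing the way the `c` mounts did.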



Re: spamd and google smtp ips

2018-11-05 Thread Misc User

On 11/4/2018 3:06 PM, Mik J wrote:

Thank you Peter for this opinion.

Misc User, these gmail, live, yahoo spams you're talking about are really 
coming from IP addresses that belong to them? Because on my side it seems 
it's not the case.

In my greylist right now I have rosaronald70s...@gmail.com but if I check the 
IP that originated the spam it's from China Unicom Henan province network. I 
check a second one and it's also from that ISP.

On the other hand if spam is coming from gmail, live, outlook we can blame them 
for not filtering out these spams and high volume sent mails.
With google you cannot send mails to more than 500 people within 24h


On Sunday, 4 November 2018 at 23:49:47 UTC+1, Misc User 
wrote:
  On 11/4/2018 2:25 PM, Mik J wrote:

Hello Peter,

Thank you for this article.
Do you know why they, and particularly Microsoft, use very random IPs to send mails?
In that way, they make greylisting not as reliable as it should be. We could 
all use greylisting if google or microsoft would use the same 4 or 5 IPs to 
retry sending the mails.
Google and Microsoft don't help to fight against spam.



In my experience Google and Microsoft are the source of most of my spam.
About 80% of it comes from hijacked gmail, live.com, or outlook.com
accounts.  The rest from yahoo and gmx.com addresses with a sprinkling
of one-off spam domains making up the last percentage points.



Yep, coming from legitimate servers.  All the mail I look after goes 
through a filter that does both a reverse-lookup of the IP address as 
well as a lookup of the owner for the AS number that that IP belongs to 
and will flag up any differences (I have a table that it uses to list 
what domains are owned by what corporate entities assembled from whois 
lookups against the domain and recording the entity).  This also goes 
into a set of filters to flag email from domains registered within the 
last 30 days.


I work for an MSSP that does virtual SOC work for a lot of high profile 
clients where a successful piece of spam has a high chance of a massive 
return.  I've noticed that a lot of spam will cycle through a bunch of 
different accounts with the accounts never being used twice for the same 
destination (I presume to avoid wasting time hitting personal spam 
filters) and will only send a few messages to the same destination 
domain (Probably to avoid company-wide filters).  The sending account 
seems to also only be used to send 100 messages per day before the next 
account is used (At least this is what I've seen when looking at data 
across all clients), probably to avoid the mail provider's sending limit.
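The two checks Misc User describes above (does the connecting IP's reverse name and AS owner agree with the sender domain's whois owner, and was the domain registered within the last 30 days) can be shown as a small offline filter. This is an added example, not the poster's filter: the PTR, AS-owner, domain-owner and creation-date tables are constructed stand-ins for the DNS, ASN and whois lookups the post mentions, and every address, organisation and date in them is made up.

```python
"""Added example: flag mail whose connecting IP does not match the sender
domain's owner, and mail from recently registered domains. All lookup
tables below are constructed stand-ins for DNS/ASN/whois lookups."""
import ipaddress
from datetime import date, timedelta

# Constructed stand-in for reverse DNS: client IP -> PTR name.
PTR = {
    "203.0.113.10": "mail-a.example-mail.test",
    "198.51.100.7": "dyn-7.isp.example",
}

# Constructed stand-in for IP-to-AS-owner data: prefix -> organisation.
AS_OWNER = {
    ipaddress.ip_network("203.0.113.0/24"): "Example Mail Inc",
    ipaddress.ip_network("198.51.100.0/24"): "Some Regional ISP",
}

# Constructed table "assembled from whois lookups": domain -> organisation.
DOMAIN_OWNER = {
    "example-mail.test": "Example Mail Inc",
    "newshop.test": "Fresh Registrant LLC",
}

# Constructed whois creation dates: domain -> registration date.
DOMAIN_CREATED = {
    "example-mail.test": date(2012, 5, 1),
    "newshop.test": date(2018, 10, 20),
}


def as_owner(ip):
    """Longest-prefix-free lookup of the organisation owning the IP's AS."""
    addr = ipaddress.ip_address(ip)
    for net, org in AS_OWNER.items():
        if addr in net:
            return org
    return None


def check_sender(sender_domain, client_ip, today, young_days=30):
    """Return the list of flags raised for one message.

    ptr-mismatch       : reverse name of the client IP is not under the sender domain
    as-owner-mismatch  : AS owner of the client IP differs from the domain's whois owner
    young-domain       : domain registered fewer than young_days ago (or unknown)
    """
    flags = []

    ptr = PTR.get(client_ip, "")
    if not (ptr == sender_domain or ptr.endswith("." + sender_domain)):
        flags.append("ptr-mismatch")

    claimed = DOMAIN_OWNER.get(sender_domain)
    actual = as_owner(client_ip)
    if claimed is None or actual is None or claimed != actual:
        flags.append("as-owner-mismatch")

    created = DOMAIN_CREATED.get(sender_domain)
    if created is None or (today - created) < timedelta(days=young_days):
        flags.append("young-domain")

    return flags


if __name__ == "__main__":
    today = date(2018, 11, 5)
    for dom, ip in [("example-mail.test", "203.0.113.10"),
                    ("example-mail.test", "198.51.100.7"),
                    ("newshop.test", "198.51.100.7")]:
        print(dom, ip, check_sender(dom, ip, today) or "clean")
```

The flags are deliberately separate rather than a single score: a legitimate provider relaying from its own ranges raises none, a forged sender domain from an unrelated network raises the first two, and a freshly registered domain adds the third, so each can feed a different action (greylist, tag, reject).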



