misbehaving localtime zone link

2024-08-04 Thread Shadrock Uhuru



hi everyone
i have two raspberry pi's setup as dns servers running unbound and nsd
both are installed with the latest snapshots
both are configured the same (os and dns)
both sync off the ntpd at firewall.mydomain
even though i have set the local time link on both to Europe/London
ivy insists on returning the time for localzone AEST,
i've tried deleting and recreating the link, rebooting
but no joy,
any pointers to why ivy is misbehaving ?


candace$ uname -a
OpenBSD candace.mydomain 7.5 GENERIC #118 arm64
candace$ ls -l /etc/localtime
lrwxr-xr-x  1 root  wheel  33 Jul 22  2023 /etc/localtime -> /usr/share/zoneinfo/Europe/London
candace$ date
Sun Aug  4 11:13:16 BST 2024
candace$ doas rdate firewall.mydomain
Sun Aug  4 11:13:57 BST 2024
candace$ date
Sun Aug  4 11:14:30 BST 2024
ls -l /usr/share/zoneinfo/Europe/London
-r--r--r--  4 root  bin  3661 Mar  7 08:19 /usr/share/zoneinfo/Europe/London

candace$ cat /etc/ntpd.conf
# $OpenBSD: ntpd.conf,v 1.16 2019/11/06 19:04:12 deraadt Exp $
#

server 10.2.1.1 trusted
#sensor *

constraint from "9.9.9.9"  # quad9 v4 without DNS
constraint from "2620:fe::fe"  # quad9 v6 without DNS
constraints from "www.google.com   # intentionally not 8.8.8.8

-

ivy$ uname -a
OpenBSD ivy.mydomain 7.5 GENERIC #118 arm64
ivy$ ls -l /etc/localtime
lrwxr-xr-x  1 root  wheel  33 Aug  4 05:21 /etc/localtime -> /usr/share/zoneinfo/Europe/London
ivy$ date
Sun Aug  4 20:15:23 AEST 2024
ivy$ doas rdate firewall.mydomain
Sun Aug  4 20:15:51 AEST 2024
ivy$ date
Sun Aug  4 20:16:08 AEST 2024
ivy$ doas rm /etc/localtime
ivy$ date
Sun Aug  4 10:17:43 GMT 2024
ivy$ doas ln -sf /usr/share/zoneinfo/Europe/London /etc/localtime
ivy$ date
Sun Aug  4 20:18:51 AEST 2024
ivy$ ls -l /usr/share/zoneinfo/Europe/London
-r--r--r--  4 root  bin  3661 Mar  7 19:19 /usr/share/zoneinfo/Europe/London

ivy$ cat /etc/ntpd.conf
# $OpenBSD: ntpd.conf,v 1.16 2019/11/06 19:04:12 deraadt Exp $
#

server 10.2.1.1 trusted
#sensor *

constraint from "9.9.9.9"  # quad9 v4 without DNS
constraint from "2620:fe::fe"  # quad9 v6 without DNS
constraints from "www.google.com""



thanks shadrock



gnumeric fails to start

2024-06-17 Thread Shadrock Uhuru
Hi everyone 
gnumeric fails to start,

i have tried starting it from the commandline with the following result

gnumeric 
ld.so: gnumeric: can't load library 'libwayland-egl.so.0.0'
Killed 


i noticed this from the last snapshot before the latest
so i sysupgraded but gnumeric still fails to start,
has this been noticed by anyone else ?

shadrock



Re: crippled my laptop trying to reclaim root space

2024-06-14 Thread shadrock uhuru
hi everyone
many thanks to brian, crystal and walter for their replies,
i was able to attach the softraid0 with the correct command,
i fsck everything then mounted the root partition,
I found the rogue file in /dev, it was a 26mb file called sd1,
I then rebooted and was able to login.
time now for a full backup,
again many thanks
shadrock


crippled my laptop trying to reclaim root space

2024-06-12 Thread shadrock uhuru
hi everyone
i've managed to cripple my laptop after trying to restore some space on my
root partition using techniques based on flawed ideas,
the story starts with my root partition being totally out of space which
caused me great problems when i came to using sysupgrade,
most of the space was taken up by the /dev  directory,
so here comes the boo boo,
i thought without thinking it through that if i create a partition from the
spare space on my hard disk i could move the dev files to the partition then
i could mount it on my /dev directory which would recover  some usable
space in the root partition,
so i backed up the /dev directory and the /home partition with dump,
i destroyed the home partition with disklabel, created a partition for dev
then recreated the home partition again,
i mounted the new partitions in the /mnt directory then restored the home
backup to the new home partition,
i was then going to restore the dev backup but after some research i decided
to just copy MAKEDEV from /dev and recreate the devices with sh MAKEDEV
all.
I edited fstab with ed reassigned the new partition to the home entry and
added an entry to mount the dev partition on /dev.
i rebooted the laptop, the boot sequence completed all the way to the
x-window login, there was problem logging in with the normal user,
the login was accepted as correct but it failed to login, it just kept
returning me to  the username and password prompt,
i left that issue for the moment to fix later, i could login as  root which
shows that the problem has to do with my normal user login file,
something was missing or corrupted, so i had the laptop up and running as
root user,
dmesg showed me that the root partition was still full, so without thinking
it through i booted into single user mode  and rm everything from /dev then
rebooted,
then the poo hit the fan and i realised that the laptop would be unable to
boot and mount the partitions as the files in /dev have to be accessible to
do the mounts in the first place.
I ended up doing a hard shutdown as the boot sequence stopped at that point.
my laptop is FDE with keydisk,
after the hard shutdown i tried to reboot in single user mode but
softraid0 threw errors saying

softraid0: sd2 was not shutdown properly
bioctl: KDF hint has invalid size

the next thing i tried was to boot up from an installation disk but i don't
know the commands to fix the softraid0 error and then mount it

here's some information about the drives
the laptop disk
disklabel -h -p g sd0
type:   scsi
disk:   scsi disk
     size   fstype
a:  1862g   raid
c:  1862g   unused
i:   0.3g   msdos

the install usb stick
disklabel -h -p g sd1
type:   scsi
disk:   vnd device
     size   fstype
a:   0.6g   4.2bsd
c:    14g   unused
i:   0.0g   msdos

the usb keydisk
disklabel -h -p g sd2
type:   scsi
disk:   scsi disk
     size   fstype
a:   0.0g   raid
c:   1.9g   unused
i:   0.3g   msdos

fsck sd0i, sd1a, sd1i, sd2i

i tried bioctl -c C -l /dev/sd0a softraid0
which returned the following errors

softraid0: sd2 was not shutdown properly
softraid0: sd2 was not shutdown properly
bioctl: KDF hint has invalid size
--

could someone show me the command to
1  fix the softraid0 sd2  error
2  mount the softraid0 device

then i can
remove the dev partition
restore the /dev directory with MAKEDEV
then hopefully boot up normally

thanks shadrock


Re: a couple question about my fde setup

2023-11-27 Thread Shadrock Uhuru






From: Nick Holland 
To: misc@openbsd.org
Date: Mon, 20 Nov 2023 07:47:40 -0500
Subject: Re: a couple question about my fde setup



On 11/19/23 18:09, Shadrock Uhuru wrote:

hi all
a couple question about my fde
first, i have fde setup using a keydisk on my laptop, encryption and
decryption works fine
when i reboot with the key inserted it doesn't find the key,
i have to shut the machine down and restart it then the key is detected,
is this normally how a reboot works with fde and keydisk ?



second when i boot the laptop it tries to boot from the wrong disk,
it tries to boot off hd0 whereby at the boot prompt i then have to type
boot sd0a:/bsd which then proceeds to a normal boot,
do i just run
/usr/mdec/installboot -v /boot /usr/mdec/biosboot sd0
to fix this ?

You have provided a whole lot of no-information here.  dmesg, disk
layout and boot mode would be nice starting points.  "hd0"?  What is
that in your machine?


Hi Nick
ok lets fix that
see below for dmesg, fdisk and disklabel output
and corrected boot messages.


Both issues sound like a firmware issue.  Boot device is usually
controllable in BIOS/firmware setup -- once the OpenBSD boot loader
is running, it is too late to determine what you boot from.  USB
storage not being found under some boot conditions and being seen
on others, sounds like a firmware bug.  Almost certainly, in fact,
as OpenBSD itself isn't loaded and running, it's just the boot
code talking to the firmware or BIOS.



Many modern-ish computers support both UEFI and BIOS booting.  They
often have different bugs in different modes.  I have a couple machines
here that were sold running embedded Linux with a warning "must use
BIOS mode" in the firmware for their original application...but OpenBSD
only can see storage in EFI mode.



Also look for firmware updates to your system.  I'd suggest starting
with reloading in the opposite boot mode first, because if a new BIOS
will have to reinstall to switch boot modes
technically, no, but if you have to ask, yes).



Nick.

=

Dmesg:

OpenBSD 7.3 (GENERIC.MP) #0: Wed Jul 12 05:09:49 MDT 2023

r...@syspatch-73-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8482910208 (8089MB)
avail mem = 8206409728 (7826MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xe0850 (63 entries)
bios0: vendor Phoenix Technologies Ltd. version "07QA" date 04/20/2012
bios0: SAMSUNG ELECTRONICS CO., LTD. 300E4A/300E5A/300E7A/3430EA/3530EA
efi0 at bios0: UEFI 2.0
acpi0 at bios0: ACPI 3.0
acpi0: sleep states S0 S1 S3 S4 S5
acpi0: tables DSDT FACP SLIC SSDT ASF! HPET APIC MCFG SSDT SSDT UEFI UEFI UEFI
acpi0: wakeup devices P0P1(S4) GLAN(S4) HDEF(S4) RP01(S4) PXSX(S4) RP02(S4) 
PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PXSX(S4) RP05(S4) PXSX(S4) RP06(S4) 
PXSX(S4) RP07(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i3-2350M CPU @ 2.30GHz, 2294.83 MHz, 06-2a-07
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,XSAVE,AVX,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu0: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 256KB 64b/line 
8-way L2 cache, 3MB 64b/line 12-way L3 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.1.2, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM) i3-2350M CPU @ 2.30GHz, 2294.82 MHz, 06-2a-07
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,XSAVE,AVX,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu1: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 256KB 64b/line 
8-way L2 cache, 3MB 64b/line 12-way L3 cache
cpu1: smt 1, core 0, package 0
cpu2 at mainbus0: apid 2 (application processor)
cpu2: Intel(R) Core(TM) i3-2350M CPU @ 2.30GHz, 2294.83 MHz, 06-2a-07
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,XSAVE,AVX,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu2: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 256KB 64b/line 
8-way L2 cache, 3MB 64b/line 12-way L3 cache
cpu2:

a couple question about my fde setup

2023-11-19 Thread Shadrock Uhuru

hi all
a couple question about my fde
first, i have fde setup using a keydisk on my laptop, encryption and
decryption works fine
when i reboot with the key inserted it doesn't find the key,
i have to shut the machine down and restart it then the key is detected,
is this normally how a reboot works with fde and keydisk ?

second when i boot the laptop it tries to boot from the wrong disk,
it tries to boot off hd0 whereby at the boot prompt i then have to type
boot sd0a:/bsd which then proceeds to a normal boot,
do i just run
/usr/mdec/installboot -v /boot /usr/mdec/biosboot sd0
to fix this ?

shadrock



Re: nsd listening on localhost is zone transfer possible transfer ?

2023-08-27 Thread Shadrock Uhuru

yes, they have to have some way to talk.
Lots of ways around this, including alternate ports,
redirection in PF, etc.

For example...you could redirect from ONE IP address (your
"other" server) to NSD, the rest goes to unbound.  Or have
unbound listen on another port that is filtered to only
listen to your other server.


But my recommended way: don't do zone transfers.  Manage your
DNS in another way.

I consider the whole zone transfer thing a bad idea.

What's the reason for having multiple DNS servers?  Redundancy.
What do you get when one of your "redundant" systems controls
the other?  A: A system that isn't very redundant.  If that
controlling system goes down, you have issues.

LONG TIME AGO...in a job far, far away, I set up a pair of
DNS servers, and a little script.  I (or my teammates) could
make changes to either DNS server, test them, then run the script.
The script would:
1) run a diff between the zone file on THIS system and the OTHER system.
2) Put that diff into a file, named with the date and time.
3) Put me in vi to edit that file, so I could put a comment in it
explaining what the change was for.  This gives me a chance to verify
the change is JUST what I want, and make sure there weren't other
changes made that didn't get replicated.
4) IFF I saved that file with changes, it would:
  a) copy and install the file to the "other" system
  b) save the diff file to a history directory on BOTH systems
5) Compare the replication script to make sure I didn't update one
and forget to update the other.

Now you have two DNS servers that hold the same data when you want
them to, can be managed separately for testing, and brought back
into sync.  Either machine can run indefinitely without the other,
either machine can be used as a source for rebuilding the other.

You also have near zero-effort "change control".  Same concept works
for PF and other redundant systems.

Today, lots of people will recommend a central management system,
and that's not all bad, but I have found often with DNS, you want
to be able to test a change on one machine before breaking
everything...and then waiting for the next refresh cycle to fix it.

Nick.



hi nick sorry for the delay in replying
thanks for the idea,
yes it does sound better than zone transfer.
i will have a go implementing this when i have some spare time.
again many thanks
shadrock
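
The diff, annotate and replicate workflow described in the quoted message above, sketched as an added example; it is not Nick's script or code from the thread. The directory layout (`zones/`, `history/`, `bin/zonesync`), the `LOCAL_DIR`/`PEER_DIR` variables and the function names are assumptions, and the peer is modelled as a local path so the example runs offline.

```shell
#!/bin/sh
# Added example: diff, annotate, then replicate a zone file between two peers.
# Hypothetical layout: $LOCAL_DIR and $PEER_DIR each hold zones/, history/ and
# bin/zonesync. The peer is modelled as a local path so the example runs
# offline; for two real hosts, rewrite fetch_peer and push_peer around scp.

fetch_peer() { cp "$PEER_DIR/$1" "$2"; }   # peer file $1 -> local path $2
push_peer()  { cp "$1" "$PEER_DIR/$2"; }   # local file $1 -> peer path $2

# Steps 1-4 for one zone file. Called by zonesync with a scratch directory.
zs_run() {
    zs_zone=$1 zs_tmp=$2
    zs_note="$zs_tmp/$zs_zone.$(date +%Y%m%d-%H%M%S).diff"

    # Step 1: fetch the peer's copy. A missing or unreachable copy is treated
    # as empty, so the whole zone shows up as additions for review in step 3.
    fetch_peer "zones/$zs_zone" "$zs_tmp/peer" 2>/dev/null || : > "$zs_tmp/peer"

    # Step 2: write the diff to a file named with the date and time.
    zs_rc=0
    diff -u "$zs_tmp/peer" "$LOCAL_DIR/zones/$zs_zone" > "$zs_note" || zs_rc=$?
    [ "$zs_rc" -eq 0 ] && return 1          # identical: nothing to replicate
    [ "$zs_rc" -eq 1 ] || return 3          # diff itself failed

    # Step 3: the operator reviews the diff and adds a comment explaining it.
    cp "$zs_note" "$zs_tmp/unedited" || return 3
    ${EDITOR:-vi} "$zs_note"

    # Step 4: replicate only if the diff file was saved with changes.
    cmp -s "$zs_note" "$zs_tmp/unedited" && return 2
    push_peer "$LOCAL_DIR/zones/$zs_zone" "zones/$zs_zone" || return 3
    cp "$zs_note" "$LOCAL_DIR/history/" || return 3
    push_peer "$zs_note" "history/${zs_note##*/}" || return 3
    return 0
}

# zonesync ZONEFILE
# Returns 0 replicated, 1 already in sync, 2 aborted (no annotation), 3 error.
zonesync() {
    [ -n "$1" ] && [ -d "$LOCAL_DIR" ] && [ -n "$PEER_DIR" ] || return 3
    [ -f "$LOCAL_DIR/zones/$1" ] || return 3
    zs_dir=$(mktemp -d) || return 3
    zs_ret=0
    zs_run "$1" "$zs_dir" || zs_ret=$?
    rm -rf "$zs_dir"
    return "$zs_ret"
}

# Step 5: confirm both peers carry the same copy of this script.
script_in_sync() {
    zs_copy=$(mktemp) || return 3
    zs_same=0
    fetch_peer "bin/zonesync" "$zs_copy" 2>/dev/null &&
        cmp -s "$zs_copy" "$LOCAL_DIR/bin/zonesync" || zs_same=1
    rm -f "$zs_copy"
    return "$zs_same"
}

# Run directly only when installed under the assumed name bin/zonesync.
if [ "${0##*/}" = zonesync ]; then
    zonesync "$@"
fi
```

A return of 2 means the diff was closed without an annotation, so nothing was copied and no history entry was written on either side.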



Re: nsd listening on localhost is zone transfer possible transfer ?

2023-08-06 Thread Shadrock Uhuru

From: Paul de Weerd 
To: openbsd 
Date: Sat, 5 Aug 2023 19:31:06 +0200
Subject: Re: nsd listening on localhost is zone transfer possible transfer ?

On Fri, Aug 04, 2023 at 06:23:48PM +0100, Shadrock Uhuru wrote:
| hi everyone
| i have unbound setup on port 53
| and nsd listening on localhost port 53530
| i have set up another dns server as a secondary
| am i correct to assume that i can't zone transfer because
| as the nsd's are listening on localhost
| the primary can't reach the secondary ?
|
| i have these errors on the primary
| error: xfrd: zone 1.10.10.in-addr.arpa: max notify send count reached, 10.10.1.5 unreachable
| error: xfrd: zone forwardzone: max notify send count reached, 10.10.1.5 unreachable

Your question isn't quite clear .. where is this other dns server
located?  Is it on the same network?


yes in the same network.


If you have NSD only listening on localhost, I'm not sure by which
logic you concluded that a secondary nameserver would be able to talk
to it at all, let alone do zone transfers?


this was my thought but was just checking.


At any rate, IP addresses in the 10/8 range are free - you can use
more than one without incurring a cost.  Then configure your NSD to
listen to the additional address and transfer from there.  If you have
IPv6, this will probably even apply to globally routable addresses.


thanks for the suggestion.


Paul 'WEiRD' de Weerd

--

[<++>-]<+++.>+++[<-->-]<.>+++[<+

+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/




nsd listening on localhost is zone transfer possible transfer ?

2023-08-04 Thread Shadrock Uhuru

hi everyone
i have unbound setup on port 53
and nsd listening on localhost port 53530
i have set up another dns server as a secondary
am i correct to assume that i can't zone transfer because
as the nsd's are listening on localhost
the primary can't reach the secondary ?

i have these errors on the primary
error: xfrd: zone 1.10.10.in-addr.arpa: max notify send count reached, 10.10.1.5 unreachable
error: xfrd: zone forwardzone: max notify send count reached, 10.10.1.5 unreachable

shadrock



Re: still struggling with dhcpcd and ipv6

2023-01-29 Thread Shadrock Uhuru

hi Zack
sorry persistent was a mistype in the e-mail.

you were right about the pf rules,
once i'd loosened the ipv6 rule following your example

pass out quick inet6 proto icmp6 allow-opts
pass out quick
pass in quick inet6 proto icmp6 allow-opts
pass in quick on $wan inet6 proto udp to port 546 no state

the ipv6 addresses were assigned,

many thanks for bearing with me,
much appreciated.
shadrock



Re: still struggling with dhcpcd and ipv6

2023-01-26 Thread Shadrock Uhuru
noipv6rs

duid
persistent
option rapid_commit
script ""

allowinterfaces pppoe0 
interface pppoe0

ia_na 0
ia_pd 0/::/48 em0/0/64 em1/1/64
ipv6rs


Also don't discount that Zen might have broken your v6 config, I gave up
using their v6 in the end and shifted it to a tunnel via work instead
because I got fed up asking them to fix it after 2 or 3 times ..


phoned them, they say that my /64 and my /48 are routed to me.


SafeIcmpTypes = "{ echorep, echoreq, unreach   }"
pass quick log on em0 all
pass log inet6 proto icmp6 all icmp6-type $SafeIcmpTypes
pass out log inet6 proto udp from any port dhcpv6-client to any port dhcpv6-server no state
pass in on egress inet6 proto icmp6 all \
   icmp6-type { routeradv neighbrsol neighbradv   }

pass in on egress inet6 proto udp \
 from fe80::/10 port dhcpv6-server \
  to fe80::/10 port dhcpv6-client \
  no state


why the "no state" for these?


https://lipidity.com/openbsd/router/
states
The DHCPv6 request is sent to a multicast address 
and the ISP router replies with its own link-local address as the source address, 
so state matching doesn't catch it. An explicit pass rule is required for the reply.


and while i'm at it
was wondering about the following

match in all scrub (no-df random-id min-ttl 64 max-mss 1440)

the following page states that PMTU works exactly using DF
should i be using no-df in the scrub rule ?
https://serverfault.com/questions/412083/openbsd-pf-match-in-all-scrub-no-df-causes-https-to-be-unreachable-on-mobile

shadrock



still struggling with dhcpcd and ipv6

2023-01-15 Thread Shadrock Uhuru

hi everyone
my isp is zen which uses pppoe
i have a /64 nd and a /48 pd
i have configured dhcpcd.conf but can only get an ipv6 address on the external 
pppoe0 interface,
the internal lan interface only gets a link local from slaac


i have the following in dhcpcd.conf

ipv6only
noipv6rs
waitip 6
duid
persistant
vendorclassid
option interface_mtu
option host_name
option rapid_commit
require dhcp_server_identifier
slaac private
script ""
allowinterfaces pppoe0 em0 em1
interface pppoe0
ipv6rs
ia_na 1
ia_pd 2 em0/1 em1/2



cat /etc/rad.conf

dns {
nameserver {
2606:4700:4700::
2606:4700:4700::1001
			  
	}


}

interface em0
interface em1



cat /etc/hostname.bge0
inet 88.00.00.00 255.255.255.255 NONE  mtu 1508 
inet6 autoconf




cat /etc/hostname.em0  
inet 10.200.100.50 0xff00

inet6 autoconf



my ipv6 section in pf.conf is

SafeIcmpTypes = "{ echorep, echoreq, unreach  }"
pass quick log on em0 all
pass log inet6 proto icmp6 all icmp6-type $SafeIcmpTypes
pass out log inet6 proto udp from any port dhcpv6-client to any port dhcpv6-server no state
pass in on egress inet6 proto icmp6 all \
  icmp6-type { routeradv neighbrsol neighbradv  }

pass in on egress inet6 proto udp \
from fe80::/10 port dhcpv6-server \
to fe80::/10 port dhcpv6-client \
no state



ifconfig pppoe0  
pppoe0: flags=8951 mtu 1492

index 9 priority 0 llprio 3
dev: bge0 state: session
sid: 0x28 PADI retries: 20 PADR retries: 0 time: 07:13:23
	sppp: phase network authproto chap 
	dns: 212.23.3.100 212.23.6.100

groups: pppoe egress
status: active
inet6 fe80::200:0:0:1%pppoe0 -->  prefixlen 64 scopeid 0x9
inet 88.00.00.00 --> 51.148.72.22 netmask 0x
inet6 2a02:8011:d000:xxx:::: -->  prefixlen 64 autoconf 
pltime 172462 vltime 258862



ifconfig bge0  
bge0: flags=248843 mtu 1500

lladdr 00:18:8b:6a:ab:48
index 1 priority 0 llprio 3
media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
status: active
inet6 fe80::218:8bff:fe6a:ab48%bge0 prefixlen 64 scopeid 0x1
inet 88.00.00.00 netmask 0x



ifconfig em0
em0: flags=248843 mtu 1500

lladdr 00:11:0a:5f:6d:40
index 2 priority 0 llprio 3
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active
inet6 fe80::211:aff:fe5f:6d40%em0 prefixlen 64 scopeid 0x2
inet 10.200.100.50 netmask 0xff00 broadcast 10.200.100.255



any suggestions why i am not getting a global ipv6 on em0 ?

shadrock



Re: pf tcpdump rule def ?

2022-12-28 Thread Shadrock Uhuru
Hi 
many thanks Otto and Stuart
forgot to move my default block rule 
back to the top after adding some ipv6 stuff at the beginning.

have a happy and successful new year.
shadrock



pf tcpdump rule def ?

2022-12-26 Thread Shadrock Uhuru

hi everyone
viewing my pf logs with
tcpdump -nettt -i pflog0 
there are lines with no rule numbers

just rule def on the line instead,
i've tried googling without success,
need to know if they are wolf,sheep or misconfigurations causing them,
and against which rule do i match them up with.

the following is a snippet showing the rules
thanks shadrock

Dec 27 03:00:40.557716 rule 7/(match) block in on em0: 192.168.1.1 > 224.0.0.1: 
igmp query [tos 0xc0] [ttl 1]
Dec 27 03:00:59.495834 rule 35/(match) block in on pppoe0: 167.248.133.160.60037 
> 88.97.5.79.12473: S 904362479:904362479(0) win 1024
 
 Dec 27 03:00:59.813362 rule def/(match) pass in on pppoe0: 198.252.206.25.443 
> 10.2.1.79.13522: P 3251931305:3251931366(61) ack 27080
 26055 win 63 
 Dec 27 03:00:59.820893 rule def/(match) pass out on pppoe0: 88.97.5.79.14256 > 
198.252.206.25.443: P 4273536371:4273536410(39) ack 334
 5204755 win 256  (DF)
 Dec 27 03:00:59.823015 rule def/(match) pass out on pppoe0: 88.97.5.79.14256 > 
198.252.206.25.443: P 39:78(39) ack 1 win 256  (DF)
 Dec 27 03:00:59.825388 rule def/(match) pass out on pppoe0: 88.97.5.79.14256 > 
198.252.206.25.443: P 78:117(39) ack 1 win 256  (DF)
 Dec 27 03:00:59.900318 rule def/(match) pass in on pppoe0: 198.252.206.25.443 > 
10.2.1.79.13522: . ack 40 win 63 
 Dec 27 03:00:59.902502 rule def/(match) pass in on pppoe0: 198.252.206.25.443 > 
10.2.1.79.13522: . ack 79 win 63 
 Dec 27 03:00:59.904998 rule def/(match) pass in on pppoe0: 198.252.206.25.443 > 
10.2.1.79.13522: . ack 118 win 63 
 Dec 27 03:01:03.661072 rule 35/(match) block in on pppoe0: 45.64.84.24.27789 > 
88.97.5.79.23: S 1482753359:1482753359(0) win 30613 
 Dec 27 03:01:11.480942 rule 35/(match) block in on pppoe0: 205.185.127.238.40598 > 
88.97.5.79.60001: S 1843251311:1843251311(0) win 65535 
 Dec 27 03:01:11.935746 rule 7/(match) block in on bge0: 0.0.0.0 > 224.0.0.1: 
igmp query [len 12] [tos 0xc0] [ttl 1]
 Dec 27 03:01:25.422772 rule 38/(match) pass in on pppoe0: 145.131.132.84.443 > 
10.2.1.79.42434: P 5666:5697(31) ack 1264 win 244 
 Dec 27 03:01:25.422795 rule 38/(match) pass in on pppoe0: 145.131.132.84.443 > 
10.2.1.79.42434: F 5697:5697(0) ack 1264 win 244 
 Dec 27 03:01:25.424055 rule 38/(match) pass out on pppoe0: 88.97.5.79.8748 > 
145.131.132.84.443: . ack 5698 win 255  
(DF)
 Dec 27 03:01:28.600657 rule 37/(match) pass in on pppoe0: 93.184.220.29.80 > 
10.2.1.79.12939: . ack 481 win 131 
 Dec 27 03:01:28.601419 rule 37/(match) pass out on pppoe0: 88.97.5.79.31263 > 
93.184.220.29.80: . ack 575 win 256  (DF)





firewall woes: ipv6 dhcpcd rad pppoe

2022-12-26 Thread Shadrock Uhuru

hi everyone
these are my router configs
at bootup i get 
a timeout on the dhcpcd
some of my global ipv6 addresses are missing 
and i have a mtu warning at boot in one or two of the interfaces files

could someone have a quick look over the configs and see whats wrong please
also should i add the pppoe0 interface to rad.conf also ?
shadrock

cat /etc/hostname.bge0
inet 88.97.5.79 255.255.255.255 NONE  mtu 1508 
inet6 autoconf

up

ifconfig bge0 
bge0: flags=248843 mtu 1500

lladdr 00:18:8b:6a:ab:48
index 1 priority 0 llprio 3
media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
status: active
inet6 fe80::218:8bff:fe6a:ab48%bge0 prefixlen 64 scopeid 0x1
inet 88.97.5.79 netmask 0x

cat /etc/hostname.pppoe0 
!/bin/sleep 10

inet 0.0.0.0 255.255.255.255 NONE mtu 1500 \
pppoedev bge0 authproto chap \
authname 'myuser' authkey 'mypass' 
dest 0.0.0.1

inet6 eui64
!/sbin/route add default -ifp pppoe0 0.0.0.1
# !/sbin/route add inet6 default -ifp pppoe0 fe80::%pppoe0

ifconfig pppoe0
pppoe0: flags=8851 mtu 1492
index 6 priority 0 llprio 3
dev: bge0 state: session
sid: 0x1e PADI retries: 48 PADR retries: 0 time: 03:16:43
	sppp: phase network authproto chap 
	dns: 212.23.3.100 212.23.6.100

groups: pppoe egress
status: active
inet6 fe80::200:0:0:1%pppoe0 -->  prefixlen 64 scopeid 0x6
inet 88.97.5.79 --> 51.148.72.22 netmask 0x
inet6 2a02:8011:d000:57d:930c:8392:d5e2:6c10 -->  prefixlen 64 autoconf 
pltime 172749 vltime 259149

cat /etc/dhcpcd.conf
# Allow users of this group to interact with dhcpcd via the control socket.
#controlgroup wheel

# Inform the DHCP server of our hostname for DDNS.
#hostname

ipv6only
noipv6rs

# Use the hardware address of the interface for the Client ID.
#clientid
# or
# Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as per RFC4361.
# Some non-RFC compliant DHCP servers do not reply with this set.
# In this case, comment out duid and enable clientid above.
duid

# Persist interface configuration when dhcpcd exits.
persistent

# vendorclassid is set to blank to avoid sending the default of
# dhcpcd-:::
vendorclassid

# A list of options to request from the DHCP server.
option domain_name_servers, domain_name, domain_search
option classless_static_routes
# Respect the network MTU. This is applied to DHCP routes.
option interface_mtu

# Request a hostname from the network
option host_name

# Most distributions have NTP support.
#option ntp_servers

# Rapid commit support.
# Safe to enable by default because it requires the equivalent option set
# on the server to actually work.
option rapid_commit

# A ServerID is required by RFC2131.
require dhcp_server_identifier

# Generate SLAAC address using the Hardware Address of the interface
#slaac hwaddr
# OR generate Stable Private IPv6 Addresses based from the DUID
slaac private

script ""

allowinterfaces pppoe0 em0 em1
interface pppoe0
ipv6rs
ia_na 1
ia_pd 2 em0/1 em1/2



cat /etc/rad.conf
interface em0
interface em1

cat /etc/hostname.em0
inet 10.2.1.1 0xff00
inet6 autoconf

ifconfig em0 
em0: flags=248843 mtu 1500

lladdr 00:11:0a:5f:6d:40
index 2 priority 0 llprio 3
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active
inet6 fe80::211:aff:fe5f:6d40%em0 prefixlen 64 scopeid 0x2
inet 10.2.1.1 netmask 0xff00 broadcast 10.2.1.255



recommended partitions to backup with dump

2022-08-24 Thread Shadrock Uhuru

hi everyone
after losing a considerable amount of data that i had accumulated over the last 
year or so
by trying to remove a directory called '~' that i had created by mistake
in a sub directory of my home directory with rm -rf ~
which of course started to eat through my home directory with a vengeance,
i managed to stop it before it went too far,
i didn't have any recent backups,
needless to say i've learned my lesson about having a good policy of regular 
backups.
what are the recommended partitions to backup if

1 i want to do a fresh reinstall e.g. to move to a larger hard drive.
2 for a disaster recovery like what i experienced above.

i will be using ville walveranta's autodump 1.5a script
which does a full dump on sundays and incremental dumps during the week,
i already have /home /etc and /root set for backup,
are there any other partitions i should bear in mind ?

shadrock



no output from zathura

2022-04-18 Thread Shadrock Uhuru

Hi everyone
i have zathura zathura-ps zathura-pdf-mupdf installed,
i run zathura from the command line with zathura file.pdf which opens zathura 
with nothing
displayed,
the shell that i run zathura from displays the following

zathura:/usr/local/lib/zathura/libpdf-mupdf.so: undefined symbol 
'jbig2_ctx_new_imp'
zathura:/usr/local/lib/zathura/libpdf-mupdf.so: undefined symbol 'jbig2_data_in'
zathura:/usr/local/lib/zathura/libpdf-mupdf.so: undefined symbol 
'jbig2_make_global_ctx'
zathura:/usr/local/lib/zathura/libpdf-mupdf.so: undefined symbol 
'jbig2_global_ctx_free'
zathura:/usr/local/lib/zathura/libpdf-mupdf.so: undefined symbol 
'jbig2_complete_page'
zathura:/usr/local/lib/zathura/libpdf-mupdf.so: undefined symbol 
'jbig2_page_out'
zathura:/usr/local/lib/zathura/libpdf-mupdf.so: undefined symbol 
'jbig2_release_page'
zathura:/usr/local/lib/zathura/libpdf-mupdf.so: undefined symbol 
'jbig2_ctx_free'
zathura:/usr/local/lib/zathura/libpdf-mupdf.so: undefined symbol 
'opj_set_default_decoder_parameters'
zathura:/usr/local/lib/zathura/libpdf-mupdf.so: undefined symbol 
'opj_create_decompress'
zathura:/usr/local/lib/zathura/libpdf-mupdf.so: undefined symbol 
'opj_set_info_handler'
zathura:/usr/local/lib/zathura/libpdf-mupdf.so: undefined symbol 
'opj_set_warning_handler'
zathura:/usr/local/lib/zathura/libpdf-mupdf.so: undefined symbol 
'opj_set_error_handler'
zathura:/usr/local/lib/zathura/libpdf-mupdf.so: undefined symbol 
'opj_setup_decoder'
zathura:/usr/local/lib/zathura/libpdf-mupdf.so: undefined symbol 
'opj_stream_default_create'
zathura:/usr/local/lib/zathura/libpdf-mupdf.so: undefined symbol 
'opj_stream_set_read_function'
zathura:/usr/local/lib/zathura/libpdf-mupdf.so: undefined symbol 
'opj_stream_set_skip_function'
zathura:/usr/local/lib/zathura/libpdf-mupdf.so: undefined symbol 
'opj_stream_set_seek_function'
zathura:/usr/local/lib/zathura/libpdf-mupdf.so: undefined symbol 
'opj_stream_set_user_data'
zathura:/usr/local/lib/zathura/libpdf-mupdf.so: undefined symbol 
'opj_stream_set_user_data_length'
zathura:/usr/local/lib/zathura/libpdf-mupdf.so: undefined symbol 
'opj_read_header'
zathura:/usr/local/lib/zathura/libpdf-mupdf.so: undefined symbol 'opj_decode'
zathura:/usr/local/lib/zathura/libpdf-mupdf.so: undefined symbol 
'opj_stream_destroy'
zathura:/usr/local/lib/zathura/libpdf-mupdf.so: undefined symbol 
'opj_destroy_codec'
zathura:/usr/local/lib/zathura/libpdf-mupdf.so: undefined symbol 
'opj_image_destroy'
zathura:/usr/local/lib/zathura/libpdf-mupdf.so: undefined symbol 
'gumbo_parse_with_options'
zathura:/usr/local/lib/zathura/libpdf-mupdf.so: undefined symbol 
'gumbo_destroy_output'
zathura:/usr/local/lib/zathura/libpdf-mupdf.so: undefined symbol 
'gumbo_normalized_tagname'
error: Could not load plugin '/usr/local/lib/zathura/libpdf-mupdf.so' (Cannot 
load specified object).
error: Could not determine file type.

---

this error appears if i try to open a pdf or ps file,
i managed to open one out of about ten ps files i tried,
is this a known problem or something i'm not doing right ?

shadrock



tldextract ?

2022-03-09 Thread Shadrock Uhuru

hi everyone
i use qutebrowser to surf the web
i added the qute-pass userscript which needs tldextract,
there's no tldextract package i can find in openbsd so i installed 
py3-tld-0.9.3p4
qutebrowser still errors when i try to use qute-pass,
the process report shows the following :-

Process 65554: /home/shadrock/.config/qutebrowser/userscripts/qute-pass
Info
Command 
/home/shadrock/.config/qutebrowser/userscripts/qute-pass
Status  Userscript exited with status 1.
Standard output
No output.
Standard error
Traceback (most recent call last):
  File "/home/shadrock/.config/qutebrowser/userscripts/qute-pass", line
  63, in 
  import tldextract
  ModuleNotFoundError: No module named 'tldextract'

any help would be appreciated.
thanks
shadrock



Re: raspberry pi 3b+ how to boot with hdmi

2022-01-08 Thread Shadrock Uhuru




From: Marcus MERIGHI 
To: openbsd 
Date: Sat, 1 Jan 2022 08:42:27 +0100
Subject: Re: raspberry pi 3b+ how to boot with hdmi

Good morning 2022,

niyal...@gmail.com (Shadrock Uhuru), 2021.01.01 (Sat) 05:54 (CET):

> From: Stuart Henderson 
> To: misc@openbsd.org
> Date: Tue, 28 Dec 2021 12:55:27 - (UTC)
> Subject: Re: raspberry pi 3b+ how to boot with hdmi

> > On 2021-12-28, Shadrock Uhuru  wrote:
> > i have successfully installed the latest snapshot onto a rpi3b+
> > using a serial cable,
> > after rebooting still with the serial cable everything starts up
> > fine,
> > when i try to reboot with a hdmi monitor connected
> > i get a few lines at startup then the screen goes blank,
> > what configuration do i change to make the hdmi monitor the
> > primary
> > display when booting ?

> See the text around "To use video output on the framebuffer instead"
> in the INSTALL.arm64 file distributed with the install sets.

i now have output on the hdmi monitor,
one thing that i've noticed is the boot up information
stops after displaying the date and doesn't proceed to the login
prompt,
i can ping and ssh into the pi but no login prompt,


It might need something like this in /etc/ttys:

ttyC0   "/usr/libexec/getty std.9600"   vt220   on  secure

See ttys(5)!

Marcus


Hi Marcus
your suggestion solved the problem,

many thanks 
shadrock




Re: raspberry pi 3b+ how to boot with hdmi

2021-12-31 Thread Shadrock Uhuru




From: Stuart Henderson 
To: misc@openbsd.org
Date: Tue, 28 Dec 2021 12:55:27 - (UTC)
Subject: Re: raspberry pi 3b+ how to boot with hdmi



> On 2021-12-28, Shadrock Uhuru  wrote:
> hi everyone
> i have successfully installed the latest snapshot onto a rpi3b+
> using a serial cable,
> after rebooting still with the serial cable everything starts up fine,
> when i try to reboot with a hdmi monitor connected
> i get a few lines at startup then the screen goes blank,
> what configuration do i change to make the hdmi monitor the primary
> display when booting ?



See the text around "To use video output on the framebuffer instead"
in the INSTALL.arm64 file distributed with the install sets.


hi stuart
thanks for the reply,
i now have output on the hdmi monitor,
one thing that i've noticed is the boot up information
stops after displaying the date and doesn't proceed to the login prompt,
i can ping and ssh into the pi but no login prompt,
is there still something i need to do ?

shadrock



qq

2021-12-30 Thread Shadrock Uhuru

From: Stuart Henderson 
To: misc@openbsd.org
Date: Tue, 28 Dec 2021 12:55:27 - (UTC)
Subject: Re: raspberry pi 3b+ how to boot with hdmi



On 2021-12-28, Shadrock Uhuru  wrote:
hi everyone
i have successfully installed the latest snapshot onto a rpi3b+
using a serial cable,
after rebooting still with the serial cable everything starts up fine,
when i try to reboot with a hdmi monitor connected
i get a few lines at startup then the screen goes blank,
what configuration do i change to make the hdmi monitor the primary
display when booting ?



See the text around "To use video output on the framebuffer instead"
in the INSTALL.arm64 file distributed with the install sets.


hi stuart
thanks for the reply,
i now have output on the hdmi monitor,
one thing that i've noticed is the boot up information
stops after displaying the date and doesn't proceed to the login prompt,
i can ping and ssh into the pi but no login prompt,
is there still something i need to do ?

shadrock



raspberry pi 3b+ how to boot with hdmi

2021-12-28 Thread Shadrock Uhuru

hi everyone
i have successfully installed the latest snapshot onto a rpi3b+
using a serial cable,
after rebooting still with the serial cable everything starts up fine,
when i try to reboot with a hdmi monitor connected
i get a few lines at startup then the screen goes blank,

what configuration do i change to make the hdmi monitor the primary
display when booting ?

thanks shadrock



raspberry pi3 doesn't boot after install

2021-11-28 Thread Shadrock Uhuru
hi everyone 
i've installed openbsd 7.0 onto a usb stick connected to my raspberry pi 3 
with a serial cable,

installation completes without a problem,
after the congratulations prompt i remove the power supply remove the usb
stick
and mount the i partition of the usb stick on my laptop,
and add program_usb_boot_mode=1 to config.txt file,
i unmount and return the usbstick to the raspberry pi,
i removed the installation sd card and power up again 
connected the serial console with cu -l cuaU0 -s 115200

but the pi has not booted.
have i missed any steps out ?



Re: after sysupgrade, /etc/rc syntax error

2021-07-25 Thread shadrock uhuru
worked perfectly
many thanks
shadrock


On Sat, 24 Jul 2021 at 21:42, shadrock uhuru  wrote:

> thanks for the quick reply Andreas
> will try it later tonight when i'm back at the laptop.
> shadrock
>
> On Sat, 24 Jul 2021 at 20:36, Andreas Kusalananda Kähäri <
> andreas.kah...@abc.se> wrote:
>
>> On Sat, Jul 24, 2021 at 07:11:30PM +0100, shadrock uhuru wrote:
>> > Hi all
>> > i am running openbsd snapshot and have sysupgraded  often without a
>> single
>> > hitch,
>> > on this occasion i have encountered the following error after the
>> > sysupgrade and the laptop tried to reboot
>> > i entered sh and had a look at /etc/rc with ed,
>> > the if is matched with a fi.
>> > so i need suggestions where to turn to next
>> > -
>> >
>> > reordeing libraries: done
>> > /etc/rc[464]: syntax error: `if' unmatched
>> > enter pathname of shell or return for sh:
>> >
>> >
>> > laptop# ed /etc/rc
>> > 16304
>> > 464
>> > if (($(ifconfig | grep -c ': flags=.*<.*AUTOCONF.*> mtu) == 0)); then
>> > count=0
>> > while ((count++ < 20 && $(route -n show | grep -c '^default ') ==
>> 0));
>> > do
>> > sleep .5
>> > done
>> > fi
>> >
>> > ---
>> >
>> > any help would be  appreciated.
>> > shadrock
>>
>> I ran into this too.  It's fixed in the most recent snapshot(s).  Note
>> the missing single quote after "mtu".  Fix with
>>
>> 464s/mtu/&'
>> w
>>
>> in ed.
>>
>> Regards,
>>
>> --
>> Andreas (Kusalananda) Kähäri
>> SciLifeLab, NBIS, ICM
>> Uppsala University, Sweden
>>
>> .
>>
>


Re: after sysupgrade, /etc/rc syntax error

2021-07-24 Thread shadrock uhuru
thanks for the quick reply Andreas
will try it later tonight when i'm back at the laptop.
shadrock

On Sat, 24 Jul 2021 at 20:36, Andreas Kusalananda Kähäri <
andreas.kah...@abc.se> wrote:

> On Sat, Jul 24, 2021 at 07:11:30PM +0100, shadrock uhuru wrote:
> > Hi all
> > i am running openbsd snapshot and have sysupgraded  often without a
> single
> > hitch,
> > on this occasion i have encountered the following error after the
> > sysupgrade and the laptop tried to reboot
> > i entered sh and had a look at /etc/rc with ed,
> > the if is matched with a fi.
> > so i need suggestions where to turn to next
> > -
> >
> > reordeing libraries: done
> > /etc/rc[464]: syntax error: `if' unmatched
> > enter pathname of shell or return for sh:
> >
> >
> > laptop# ed /etc/rc
> > 16304
> > 464
> > if (($(ifconfig | grep -c ': flags=.*<.*AUTOCONF.*> mtu) == 0)); then
> > count=0
> > while ((count++ < 20 && $(route -n show | grep -c '^default ') ==
> 0));
> > do
> > sleep .5
> > done
> > fi
> >
> > ---
> >
> > any help would be  appreciated.
> > shadrock
>
> I ran into this too.  It's fixed in the most recent snapshot(s).  Note
> the missing single quote after "mtu".  Fix with
>
> 464s/mtu/&'
> w
>
> in ed.
>
> Regards,
>
> --
> Andreas (Kusalananda) Kähäri
> SciLifeLab, NBIS, ICM
> Uppsala University, Sweden
>
> .
>
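
The missing quote and the one-character fix discussed in this thread can be checked on a scratch copy before rebooting; this is an added example, not part of the original messages. It writes the fragment quoted from line 464 to a temporary file, parses it with the shell's `-n` (no-execute) mode, applies the same substitution as the `ed` command using `sed`, and parses it again. The function names, the `RC_SHELL` variable, the scratch file and the use of `sh` in place of OpenBSD's ksh are assumptions.

```shell
#!/bin/sh
# Added example: reproduce the unterminated-quote error from /etc/rc line 464
# on a scratch copy, apply the quoted fix, and confirm the result parses.
# Function names, RC_SHELL and the scratch directory are hypothetical.

# Write the fragment exactly as quoted in the thread (closing quote after
# "mtu" missing). Line 1 here corresponds to line 464 of /etc/rc.
write_broken_fragment() {
	cat > "$1" <<'EOF'
if (($(ifconfig | grep -c ': flags=.*<.*AUTOCONF.*> mtu) == 0)); then
count=0
while ((count++ < 20 && $(route -n show | grep -c '^default ') == 0));
do
sleep .5
done
fi
EOF
}

# Parse the script without executing anything; non-zero means a syntax error.
# RC_SHELL lets the check run under the shell that will really read the file.
check_syntax() {
	"${RC_SHELL:-sh}" -n "$1" 2>/dev/null
}

# Same substitution as the ed command "464s/mtu/&'" from the reply, written
# for sed: on the given line, append a single quote to the first "mtu".
# $1 = file, $2 = line number
fix_missing_quote() {
	sed "${2}s/mtu/&'/" "$1" > "$1.fixed" && mv "$1.fixed" "$1"
}

demo() {
	dir=$(mktemp -d) || return 1
	f="$dir/rc.fragment"
	write_broken_fragment "$f"
	if check_syntax "$f"; then before=ok; else before=syntax-error; fi
	fix_missing_quote "$f" 1
	if check_syntax "$f"; then after=ok; else after=syntax-error; fi
	echo "before fix: $before"
	echo "after fix:  $after"
	rm -rf "$dir"
}

demo
```

Because the stray quote pairs up with later quotes in the file, the shell reports the error far from its cause, which is why the `if`/`fi` pair looked correct on inspection.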


after sysupgrade, /etc/rc syntax error

2021-07-24 Thread shadrock uhuru
Hi all
i am running openbsd snapshot and have sysupgraded  often without a single
hitch,
on this occasion i have encountered the following error after the
sysupgrade and the laptop tried to reboot
i entered sh and had a look at /etc/rc with ed,
the if is matched with a fi.
so i need suggestions where to turn to next
-

reordeing libraries: done
/etc/rc[464]: syntax error: `if' unmatched
enter pathname of shell or return for sh:


laptop# ed /etc/rc
16304
464
if (($(ifconfig | grep -c ': flags=.*<.*AUTOCONF.*> mtu) == 0)); then
count=0
while ((count++ < 20 && $(route -n show | grep -c '^default ') == 0));
do
sleep .5
done
fi

---

any help would be  appreciated.
shadrock


can't set export GPG_TTY=$(tty)

2021-06-18 Thread Shadrock Uhuru
hi everyone 
i have added export GPG_TTY=$(tty); eval $(gpg-agent --daemon) 
to my .profile file

and also tried adding it to my .zshrc,
my window manager is I3,
when i open a terminal and type env | grep GPG_TTY
i get GPG_TTY=not a tty,
if i run the export command in the terminal 
then i get GPG_TTY=/dev/ttype3 .
where should i be putting the export command so that there is a tty 
ready when the terminal is opened.

shadrock



can texlive package be installed ?

2021-02-27 Thread Shadrock Uhuru

system information.
OpenBSD 6.9 GENERIC.MP#343 amd64
flavor: current

when i try to install texlive,
all i get is :-

 doas pkg_add -v texlive_texmf-full
 Update candidates: quirks-3.588 -> quirks-3.588
 quirks-3.588 signed on 2021-02-26T23:14:00Z
 Ustar
 
[https://ftp.OpenBSD.org/pub/OpenBSD/snapshots/packages/amd64/texlive_texmf-full-2020p1.tgz][share/texmf-dist/bibtex/bib/beebe/printing-history.bib]:
 Premature end of archive in header:
 pkg_add: Installation of texlive_texmf-full-2020p1 failed, partial
 installation recorded as partial-texlive_texmf-full-2020p1.6


any suggestions ?

shadrock



firefox crashed, no web access after attempted fix

2021-01-16 Thread Shadrock Uhuru

hi everyone
i'm running 6.8 current,
my problem started when firefox which had been working perfectly
suddenly started crashing on startup,
i don't know if it was because i shutdown the laptop with too many tabs
open in firefox,
after many google searches i tried creating a new profile and copying
over from a previous profile
the suggested files and directories which gave me a startable firefox,
my bookmark sidebar lists my bookmarks,
and my addons are displayed on the toolbar,
the problem is nothing happens if i
type in an address,
type something in the search bar
or click a bookmark in the sidebar,
the rotating arrow doesn't change to a cross ,
or if i click an addon icon either nothing happens or an empty menu is
opened,
the next thing i did was to backup my mozilla/firefox folder then
removed the original,
i sysupgraded,
pkg_add -Uu, had to repeat it a couple of times thinking the repositories
were not in sync
after doing pkg_add -u instead the packages upgraded,
i threw in a pkg_clean to tidy things up,
then i pkg_delete then pkg_add firefox,
i'm still unable to surf the web before or after restoring my backup
mozilla/firefox directory,
could i have missing libraries of software that firefox needs ?
pkg_add firefox installs without a problem,
i have pastebined a copy of the directory structure
and a copy of the log output when i start firefox with the -p option.

fox_directory  http://sprunge.us/79hyB7
fox_log_output http://sprunge.us/umVBxr

i am currently using netsurf as my browser but i would like firefox up
and running again asap
any help would be welcomed
shadrock




Re: what should i do with these package warnings

2020-07-12 Thread Shadrock Uhuru

From: Stuart Henderson 
To: misc@openbsd.org
Subject: Re: what should i do with these package warnings
Date: Tue, 7 Jul 2020 08:36:51 - (UTC)

On 2020-07-07, Shadrock Uhuru  wrote:


hi everyone
Q2
should i remove these missing dependencies ?
also the issue of "lib should exist, lib is not a directory",
all the indicated files are in /usr/local/lib,

is /usr/local/lib a directory, or have you done something non-standard?
these are not normal, try to figure out what caused them.


Reverse dependencies: ok
Files from packages: ok
--- .libs-partial-evince-3.32.0p0-light.1 ---
lib should exist
lib is not a directory
lib/libevdocument3.so.0.2 should exist
lib/libevdocument3.so.0.2 is not a file
can't read lib/libevdocument3.so.0.2
lib/libevview3.so.0.0 should exist
lib/libevview3.so.0.0 is not a file


no idea what is going on with your system but something is messed up!


Hi Stuart
thanks for the reply,
i let pkg_check fix the various warnings and removed the Obsolete
package,
/usr/local/lib is a directory, 
i removed python3.7 as i have python3.8 installed,

and i have done nothing non-standard to the filesystem?
i am running the latest snapshot
i have pastebin the output of the latest 'pkg_check -Fvvv' i have done
at http://ix.io/2rrW ,
the issue with the 'lib should exist' and  'lib is not a directory'
warnings
relate to older versions of software than the currently installed ones.
are there files that i could edit or repair to remove references to these
older software ?
is there anything else i can do to figure out what the problem is ?

==
current installed version is evince 3.36.7
--- .libs-partial-evince-3.32.0p0-light.1 ---
lib should exist
lib is not a directory
lib/libevdocument3.so.0.2 should exist
lib/libevdocument3.so.0.2 is not a file
can't read lib/libevdocument3.so.0.2
lib/libevview3.so.0.0 should exist
lib/libevview3.so.0.0 is not a file
can't read lib/libevview3.so.0.0


current installed version is firefox 78.0.1
--- .libs-partial-firefox-67.0 ---
lib should exist
lib is not a directory
lib/firefox should exist
lib/firefox is not a directory
lib/firefox/gmp-clearkey should exist
lib/firefox/gmp-clearkey is not a directory
lib/firefox/gmp-clearkey/0.1 should exist
lib/firefox/gmp-clearkey/0.1 is not a directory
lib/firefox/gmp-clearkey/0.1/libclearkey.so.84.0 should exist
lib/firefox/gmp-clearkey/0.1/libclearkey.so.84.0 is not a file
can't read lib/firefox/gmp-clearkey/0.1/libclearkey.so.84.0
lib/firefox/gtk2 should exist
lib/firefox/gtk2 is not a directory
lib/firefox/gtk2/libmozgtk.so.84.0 should exist
lib/firefox/gtk2/libmozgtk.so.84.0 is not a file
can't read lib/firefox/gtk2/libmozgtk.so.84.0
lib/firefox/liblgpllibs.so.84.0 should exist
lib/firefox/liblgpllibs.so.84.0 is not a file
can't read lib/firefox/liblgpllibs.so.84.0
lib/firefox/libmozavcodec.so.84.0 should exist
lib/firefox/libmozavcodec.so.84.0 is not a file
can't read lib/firefox/libmozavcodec.so.84.0
lib/firefox/libmozavutil.so.84.0 should exist
lib/firefox/libmozavutil.so.84.0 is not a file
can't read lib/firefox/libmozavutil.so.84.0
lib/firefox/libmozgtk.so.84.0 should exist
lib/firefox/libmozgtk.so.84.0 is not a file
can't read lib/firefox/libmozgtk.so.84.0
lib/firefox/libxul.so.84.0 should exist
lib/firefox/libxul.so.84.0 is not a file
can't read lib/firefox/libxul.so.84.0

current installed version is gtk+3--
--- .libs-partial-gtk+2-2.24.32p5 ---
lib should exist
lib is not a directory
lib/libgailutil.so.26.0 should exist
lib/libgailutil.so.26.0 is not a file
can't read lib/libgailutil.so.26.0
lib/libgdk-x11-2.0.so.2400.0 should exist
lib/libgdk-x11-2.0.so.2400.0 is not a file

python3.7 removed
--- .libs-partial-python-3.7.6p1 ---
lib should exist
lib is not a directory
lib/libpython3.7m.so.0.0 should exist
lib/libpython3.7m.so.0.0 is not a file
can't read lib/libpython3.7m.so.0.0

thanks shadrock



smime.p7s
Description: S/MIME cryptographic signature


what should i do with these package warnings

2020-07-06 Thread Shadrock Uhuru
libmozavutil.so.84.0 is not a file
can't read lib/firefox/libmozavutil.so.84.0
lib/firefox/libmozgtk.so.84.0 should exist
lib/firefox/libmozgtk.so.84.0 is not a file
can't read lib/firefox/libmozgtk.so.84.0
lib/firefox/libxul.so.84.0 should exist
lib/firefox/libxul.so.84.0 is not a file
can't read lib/firefox/libxul.so.84.0
--- .libs-partial-gtk+2-2.24.32p5 ---
lib should exist
lib is not a directory
lib/libgailutil.so.26.0 should exist
lib/libgailutil.so.26.0 is not a file
can't read lib/libgailutil.so.26.0
lib/libgdk-x11-2.0.so.2400.0 should exist
lib/libgdk-x11-2.0.so.2400.0 is not a file
can't read lib/libgdk-x11-2.0.so.2400.0
--- .libs-partial-gtk+3-3.24.13 ---
lib should exist
lib is not a directory
lib/libgailutil-3.so.0.0 should exist
lib/libgailutil-3.so.0.0 is not a file
can't read lib/libgailutil-3.so.0.0
lib/libgdk-3.so.2201.1 should exist
lib/libgdk-3.so.2201.1 is not a file
can't read lib/libgdk-3.so.2201.1
--- .libs-partial-qt4-4.8.7p19 ---
lib should exist
lib is not a directory
lib/qt4 should exist
lib/qt4 is not a directory
lib/qt4/libQt3Support.so.9.0 should exist
lib/qt4/libQt3Support.so.9.0 is not a file
can't read lib/qt4/libQt3Support.so.9.0
lib/qt4/libQtCLucene.so.1.0 should exist
lib/qt4/libQtCLucene.so.1.0 is not a file
can't read lib/qt4/libQtCLucene.so.1.0
lib/qt4/libQtCore.so.10.0 should exist
lib/qt4/libQtCore.so.10.0 is not a file
can't read lib/qt4/libQtCore.so.10.0
lib/qt4/libQtDBus.so.3.0 should exist
lib/qt4/libQtDBus.so.3.0 is not a file
can't read lib/qt4/libQtDBus.so.3.0
lib/qt4/libQtDeclarative.so.1.0 should exist
lib/qt4/libQtDeclarative.so.1.0 is not a file
can't read lib/qt4/libQtDeclarative.so.1.0
lib/qt4/libQtDesigner.so.8.0 should exist
lib/qt4/libQtDesigner.so.8.0 is not a file
can't read lib/qt4/libQtDesigner.so.8.0
lib/qt4/libQtDesignerComponents.so.8.0 should exist
lib/qt4/libQtDesignerComponents.so.8.0 is not a file
can't read lib/qt4/libQtDesignerComponents.so.8.0
lib/qt4/libQtGui.so.11.0 should exist
lib/qt4/libQtGui.so.11.0 is not a file
can't read lib/qt4/libQtGui.so.11.0
lib/qt4/libQtHelp.so.2.0 should exist
lib/qt4/libQtHelp.so.2.0 is not a file
can't read lib/qt4/libQtHelp.so.2.0
lib/qt4/libQtMultimedia.so.1.0 should exist
lib/qt4/libQtMultimedia.so.1.0 is not a file
can't read lib/qt4/libQtMultimedia.so.1.0
lib/qt4/libQtNetwork.so.11.0 should exist
lib/qt4/libQtNetwork.so.11.0 is not a file
can't read lib/qt4/libQtNetwork.so.11.0
lib/qt4/libQtOpenGL.so.8.0 should exist
lib/qt4/libQtOpenGL.so.8.0 is not a file
can't read lib/qt4/libQtOpenGL.so.8.0
lib/qt4/libQtScript.so.3.0 should exist
lib/qt4/libQtScript.so.3.0 is not a file
can't read lib/qt4/libQtScript.so.3.0
lib/qt4/libQtScriptTools.so.1.0 should exist
lib/qt4/libQtScriptTools.so.1.0 is not a file
can't read lib/qt4/libQtScriptTools.so.1.0
lib/qt4/libQtSql.so.9.0 should exist
lib/qt4/libQtSql.so.9.0 is not a file
can't read lib/qt4/libQtSql.so.9.0
lib/qt4/libQtSvg.so.8.0 should exist
lib/qt4/libQtSvg.so.8.0 is not a file
can't read lib/qt4/libQtSvg.so.8.0
lib/qt4/libQtTest.so.8.0 should exist
lib/qt4/libQtTest.so.8.0 is not a file
can't read lib/qt4/libQtTest.so.8.0
lib/qt4/libQtWebKit.so.5.0 should exist
lib/qt4/libQtWebKit.so.5.0 is not a file
can't read lib/qt4/libQtWebKit.so.5.0
--- .libs1-partial-python-3.7.6p1 ---
lib should exist
lib is not a directory
lib/libpython3.7m.so.0.0 should exist
lib/libpython3.7m.so.0.0 is not a file

can't read lib/libpython3.7m.so.0.0
--- py3-setuptools-41.6.0v0 ---

checksum for
/usr/local/lib/python3.7/site-packages/pkg_resources/_vendor/__pycache__/__init__.cpython-37.pyc
does not match

checksum for
/usr/local/lib/python3.7/site-packages/setuptools/_vendor/__pycache__/__init__.cpython-37.pyc
does not match



Q3 
why can i info gnucash but cannot install it ?


doas pkg_info gnucash
Information for inst:gnucash-3.10

Comment:
personal and small-business financial-accounting software

Description:
GnuCash is a personal finance manager. A check-book like register GUI
allows you to enter and track bank accounts, stocks, income and even
currency trades. A full set of reports allow you to see the state of
your finances. The interface is designed to be simple and easy to use,
but is backed with double-entry accounting principles to ensure balanced
books.

Maintainer: Antoine Jacoutot 

WWW: https://www.gnucash.org/


doas pkg_add gnucash 
quirks-3.367 signed on 2020-06-23T19:37:37Z

Can't find gnucash

-

thanks shadrock




Re: pass 'password manager' problem

2020-02-26 Thread Shadrock Uhuru

On 26.02.2020 10:57, Andreas Kusalananda Kähäri wrote:

On Wed, Feb 26, 2020 at 09:37:53AM +, Shadrock Uhuru wrote:
> > ---

> >
> > shadrock

Hi
yes i have gpg2 installed

gpg-agent.conf has
cat .gnupg/gpg-agent.conf

default-cache-ttl 300
max-cache-ttl 99

and i've added export GPG_TTY=$(tty) to ~/.profile

but still no joy.

shadrock


Hi,

Do you *also* have gpg installed?  If I remember correctly, pass tries
to use gpg rather than gpg2 if gpg is installed when installing pass.


--
Andreas (Kusalananda) Kähäri
SciLifeLab, NBIS, ICM
Uppsala University, Sweden

.


Hi yes i also have gpg installed,
i see this at the beginning of the pass script :-


GPG_OPTS=( $PASSWORD_STORE_GPG_OPTS "--quiet" "--yes"
"--compress-algo=none" "--no-encrypt-to" )
GPG="gpg"
export GPG_TTY="${GPG_TTY:-$(tty 2>/dev/null)}"
which gpg2 &>/dev/null && GPG="gpg2"
[[ -n $GPG_AGENT_INFO || $GPG == "gpg2" ]] && GPG_OPTS+=( "--batch"
"--use-agent" )


which looks like gpg2 is used if it is installed.

shadrock




Re: pass 'password manager' problem

2020-02-26 Thread Shadrock Uhuru

Date: Mon, 24 Feb 2020 14:11:19 - (UTC)




As far as I have seen in the pass script, --batch mode is only invoked if you 
are running a gpg agent or are running gpg2.

Do you have gpg2 installed?

Do you have a gpg agent configured?

You may need to include the following line in your ~/.profile :
export GPG_TTY=$(tty)

Shadrock Uhuru  wrote:


Hi


From: Rubén Llorente 
To: misc@openbsd.org
Subject: Re: pass 'password manager' problem
Date: Fri, 21 Feb 2020 16:22:37 - (UTC)

Do you have a ~/.gnupg/gpg.conf ? Pass works fine for me.

Shadrock Uhuru  wrote:


running 'pass username' returns
"gpg: Sorry, we are in batchmode - can't get input",
am i missing a piece of software or setting ?

shadrock



yes i have the following
cat ~/.gnupg/gpg.conf

use-agent
pinentry-mode loopback
personal-cipher-preferences CAMELLIA256 AES256 AES192 AES CAST5
# personal-cipher-preferences AES256 AES192 AES CAST5 CAMELLIA192
# BLOWFISH TWOFISH CAMELLIA128 3DES
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
personal-compress-preferences BZIP2 ZIP ZLIB
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES
CAST5 ZLIB BZIP2 ZIP Uncompressed
cert-digest-algo SHA512
digest-algo SHA256
s2k-mode 3
s2k-digest-algo SHA512
s2k-cipher-algo AES256
s2k-count 1015808
charset utf-8
fixed-list-mode
no-greeting
no-secmem-warning
no-comments
no-emit-version
keyid-format 0xlong
list-options show-uid-validity
verify-options show-uid-validity
keyserver-options import-clean-sigs import-clean-uids export-clean-sigs
export-clean-uids
keyserver hkp://hkps.pool.sks-keyservers.net
keyserver-options auto-key-retrieve
keyserver-options no-honor-keyserver-url
escape-from-lines
bzip2-compress-level 9
compress-level 9
with-fingerprint


---

shadrock


Hi
yes i have gpg2 installed

gpg-agent.conf has 
cat .gnupg/gpg-agent.conf


default-cache-ttl 300
max-cache-ttl 99

and i've added export GPG_TTY=$(tty) to ~/.profile

but still no joy.

shadrock



Re: pass 'password manager' problem

2020-02-23 Thread Shadrock Uhuru

Hi


From: Rubén Llorente 
To: misc@openbsd.org
Subject: Re: pass 'password manager' problem
Date: Fri, 21 Feb 2020 16:22:37 - (UTC)

Do you have a ~/.gnupg/gpg.conf ? Pass works fine for me.

Shadrock Uhuru  wrote:


running 'pass username' returns
"gpg: Sorry, we are in batchmode - can't get input",
am i missing a piece of software or setting ?

shadrock



yes i have the following 
cat ~/.gnupg/gpg.conf


use-agent
pinentry-mode loopback
personal-cipher-preferences CAMELLIA256 AES256 AES192 AES CAST5
# personal-cipher-preferences AES256 AES192 AES CAST5 CAMELLIA192
# BLOWFISH TWOFISH CAMELLIA128 3DES
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
personal-compress-preferences BZIP2 ZIP ZLIB
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES
CAST5 ZLIB BZIP2 ZIP Uncompressed
cert-digest-algo SHA512
digest-algo SHA256
s2k-mode 3
s2k-digest-algo SHA512
s2k-cipher-algo AES256
s2k-count 1015808
charset utf-8
fixed-list-mode
no-greeting
no-secmem-warning
no-comments
no-emit-version
keyid-format 0xlong
list-options show-uid-validity
verify-options show-uid-validity
keyserver-options import-clean-sigs import-clean-uids export-clean-sigs
export-clean-uids
keyserver hkp://hkps.pool.sks-keyservers.net
keyserver-options auto-key-retrieve
keyserver-options no-honor-keyserver-url
escape-from-lines
bzip2-compress-level 9
compress-level 9
with-fingerprint


---

shadrock




pass 'password manager' problem

2020-02-21 Thread Shadrock Uhuru
running 'pass username' returns 
"gpg: Sorry, we are in batchmode - can't get input",

am i missing a piece of software or setting ?

shadrock




Re: no flows with my iked vpn

2020-02-13 Thread Shadrock Uhuru

On 13.02.2020 08:43, Robert Paschedag wrote:


sent from my mobile device

On 12 February 2020 15:07:46, Shadrock Uhuru wrote:


hi everyone
i have setup iked on my firewall and laptop as a roadwarrior setup
following https://www.openbsd.org/faq/faq17.html
i've tested from within the local network
but no flows are started.
could someone have a look at the following files to see where i have
erred.


Looks like your client cert (pegasus) is missing a subjectAltName.

Robert




# my iked config method
http://paste.openstack.org/show/789464/

imhoptep iked logs (responder)
http://paste.openstack.org/show/789465/

pegasus iked logs (initiator)
http://paste.openstack.org/show/789466/

thanks shadrock





As https://www.openbsd.org/faq/faq17.html does not mention anything
about subjectAltName 
i've researched across the net and found the following information :-


IKEv2 VPN server certificate must contain either the server's IP address
or its FQDN as the subjectAltName,
Roadwarriors usually have dynamic IP addresses assigned 
by the ISP they are currently attached to. 
In order to simplify the routing from 
my-net (tissisat.co.uk) back to the roadwarrior (pegasus) 
it would be desirable if the roadwarrior 
had an inner IP address chosen from a pre-assigned pool.


if this is the way to deal with subjectAltName
what are the steps to achieve this ?

shadrock
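
One way to confirm the diagnosis in the reply above, that a certificate is missing its subjectAltName, is to look for the extension in the decoded certificate; this is an added example, not part of the original messages. It generates two throwaway self-signed certificates with `openssl` so the check can be seen on both cases. The CN `pegasus` is the client name from the thread, while the domain `example.org`, the file names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: check whether a certificate carries a subjectAltName.
# Two throwaway self-signed certificates are generated so the check can be
# seen on both cases. CN "pegasus" is the client name from the thread; the
# domain example.org, file names and function names are constructed.

# Generate a throwaway self-signed certificate.
# $1 = output directory, $2 = basename, $3 = extension section to apply
make_test_cert() {
	cat > "$1/$2.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = pegasus
[with_san]
subjectAltName = DNS:pegasus.example.org
[no_san]
basicConstraints = CA:FALSE
EOF
	openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
		-config "$1/$2.cnf" -extensions "$3" \
		-keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Print the subjectAltName value(s) of a PEM certificate.
# Returns 1 (and prints nothing) when the extension is absent.
cert_san() {
	openssl x509 -in "$1" -noout -text 2>/dev/null | awk '
		/X509v3 Subject Alternative Name/ {
			getline              # the value is on the following line
			sub(/^[ \t]+/, "")   # strip the indentation
			print
			found = 1
		}
		END { exit !found }'
}

# Report one certificate in a form that is easy to read in a terminal.
report() {
	if san=$(cert_san "$1"); then
		echo "$1: subjectAltName = $san"
	else
		echo "$1: no subjectAltName"
	fi
}

demo() {
	dir=$(mktemp -d) || return 1
	make_test_cert "$dir" client-nosan no_san || return 1
	make_test_cert "$dir" client-san with_san || return 1
	report "$dir/client-nosan.crt"
	report "$dir/client-san.crt"
	rm -rf "$dir"
}

demo
```

To inspect a real certificate, pass its path to `report` instead of the generated files.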




no flows with my iked vpn

2020-02-12 Thread Shadrock Uhuru

hi everyone
i have setup iked on my firewall and laptop as a roadwarrior setup
following https://www.openbsd.org/faq/faq17.html
i've tested from within the local network 
but no flows are started.

could someone have a look at the following files to see where i have
erred.


# my iked config method
http://paste.openstack.org/show/789464/

imhoptep iked logs (responder)
http://paste.openstack.org/show/789465/

pegasus iked logs (initiator)
http://paste.openstack.org/show/789466/

thanks shadrock




Re: do i need to configure mkinitcpio.conf for my md array ?

2020-01-16 Thread Shadrock Uhuru

On 16.01.2020 13:20, infoomatic wrote:

what do you want to achieve?

If you want to access the array from OpenBSD then I see no possibility
with this configuration.

If you want a dual-boot system I suggest you configure the 4-disk raid
in OpenBSD and in arch linux you could use a VM and use hardware
passthrough to access the data.


On 16.01.20 at 13:10, Shadrock Uhuru wrote:

i have just configured my 4 disk raid 10 array with mdadm,
the filesystem is ext4 unencrypted
and arch is installed on a separate disk,
do i need to reconfigure mkinitcpio.conf for my md array so that the
array is assembled and started at boot,
all the examples i've seen have arch installed on the raid array
including the example in the wiki
https://wiki.archlinux.org/index.php/RAID
i have not rebooted the new array yet so i would like to make sure
everything necessary is configured before i do that.

shadrock




please accept my apologies this was for the arch maillist

shadrock




do i need to configure mkinitcpio.conf for my md array ?

2020-01-16 Thread Shadrock Uhuru

i have just configured my 4 disk raid 10 array with mdadm,
the filesystem is ext4 unencrypted
and arch is installed on a separate disk,
do i need to reconfigure mkinitcpio.conf for my md array 
so that the array is assembled and started at boot,
all the examples i've seen have arch installed on the raid array 
including the example in the wiki https://wiki.archlinux.org/index.php/RAID
i have not rebooted the new array yet 
so i would like to make sure everything necessary is configured before i do that.


shadrock





Re: [arch-general] how to upgrade 2017 server ?

2020-01-14 Thread Shadrock Uhuru

On 15.01.2020 02:05, Shadrock Uhuru wrote:

On 11.01.2020 14:00, Chris Billington wrote:

Pacman static will likely help, but you'll need to actually install it and
use it, i.e.:

sudo pacman -S pacman-static
sudo pacman-static -Syu

On Sat, Jan 11, 2020 at 1:57 PM Shadrock Uhuru via arch-general <
arch-gene...@archlinux.org> wrote:


i have a server that has not been booted since 2017,
i tried upgrading with pacman -Syu,
i have posted the screen output at http://paste.openstack.org/show/788264/
i thought adding Eli Schwartz' personal repository to  pacman.conf
would have allowed the upgrade with his Binary builds of pacman-static.
is my problem still to do with the xz to zstd change or something
different ?

shadrock



many thanks to Eli Schwartz and his repository
and all who offered suggestions
the server is now upgraded.
shadrock




Re: wrong pkg_add url after sysupgrade

2019-10-09 Thread shadrock uhuru
On 10/9/19 2:56 PM, Paul de Weerd wrote:

On Wed, Oct 09, 2019 at 01:40:42PM +, shadrock uhuru wrote:
| after trying sysupgrade for the first time on my laptop running snapshots
| running the following command returns no such dir.
|
| doas pkg_add -u
| https://ftp.OpenBSD.org/pub/OpenBSD/6.6/packages/amd64/: no such dir
| pkg_info p5-finance
| https://ftp.OpenBSD.org/pub/OpenBSD/6.6/packages/amd64/: no such dir
|
| my /etc/installurl has
| cat /etc/installurl
| https://ftp.OpenBSD.org/pub/OpenBSD
|
| does this need editing
| if so what url should i use ?

Same url, different command: pkg_add -u -Dsnap

Twice a year there's a brief window where snapshots have the name of
the upcoming release.  During that time, you must add -Dsnap to
pkg_add.  It doesn't hurt to have -Dsnap when you're running something
-current or -beta, so if you always run snaps, best to train your
muscle memory to do -Dsnap always :)

Cheers,

Paul 'WEiRD' de Weerd


thanks  Paul


wrong pkg_add url after sysupgrade

2019-10-09 Thread shadrock uhuru
after trying sysupgrade for the first time on my laptop running snapshots
running the following command returns no such dir.

doas pkg_add -u
https://ftp.OpenBSD.org/pub/OpenBSD/6.6/packages/amd64/: no such dir
pkg_info p5-finance
https://ftp.OpenBSD.org/pub/OpenBSD/6.6/packages/amd64/: no such dir

my /etc/installurl has
cat /etc/installurl
https://ftp.OpenBSD.org/pub/OpenBSD

does this need editing
if so what url should i use ?

shadrock


dhcpcd[82953]: pppoe0: DHCPv6 REPLY: NoAddrsAvail

2019-10-07 Thread shadrock uhuru
hi everyone
does the following error in */var/log/*{messages,daemon} indicate a problem
at my internet providers end of the line or one of my config files

dhcpcd[82953]: pppoe0: DHCPv6 REPLY: NoAddrsAvail

i have pd prefix addresses being assigned on my lan network but no nd
prefix address assigned to my egress interface on the firewall ?

dhcpcd.conf

ipv6only
noipv6rs
duid
persistent
option rapid_commit
require dhcp_server_identifier
slaac private
nohook resolv.conf, lookup-hostname
allowinterfaces em0 em1 tun0 pppoe0
script ""

interface pppoe0
  ia_na 1
  ia_pd 2 em0/0
  ia_pd 3 em1/1
  ia_pd 4 tun0/2
==

this is a section from /var/log/daemon after a restart of dhcpcd.

Oct  3 11:08:07 imhotep rad[70380]: engine exiting
Oct  3 11:08:07 imhotep rad[14635]: frontend exiting
Oct  3 11:08:07 imhotep rad[39834]: terminating
Oct  3 11:08:07 imhotep rad[18320]: startup
Oct  4 01:10:25 imhotep dhcpcd[82019]: received SIGTERM, stopping
Oct  4 01:10:25 imhotep dhcpcd[82019]: tun0: removing interface
Oct  4 01:10:25 imhotep dhcpcd[82019]: em0: removing interface
Oct  4 01:10:25 imhotep dhcpcd[82019]: pppoe0: removing interface
Oct  4 01:10:25 imhotep dhcpcd[82019]: dhcpcd exited
Oct  4 01:10:25 imhotep dhcpcd[82953]: tun0: unsupported interface type 83
Oct  4 01:10:25 imhotep dhcpcd[82953]: DUID
00:04:44:45:4c:4c:38:00:10:57:80:47:b9:c0:4f:57:32:4a
Oct  4 01:10:25 imhotep dhcpcd[82953]: em0: IAID 23:e3:c7:92
Oct  4 01:10:25 imhotep dhcpcd[82953]: pppoe0: IAID 00:00:00:06
Oct  4 01:10:25 imhotep dhcpcd[82953]: pppoe0: IA type 3 IAID 00:00:00:01
Oct  4 01:10:25 imhotep dhcpcd[82953]: pppoe0: IA type 25 IAID 00:00:00:02
Oct  4 01:10:25 imhotep dhcpcd[82953]: pppoe0: IA type 25 IAID 00:00:00:03
Oct  4 01:10:25 imhotep dhcpcd[82953]: pppoe0: IA type 25 IAID 00:00:00:04
Oct  4 01:10:25 imhotep dhcpcd[82953]: pppoe0: DHCPv6 REPLY: NoAddrsAvail
Oct  4 01:10:25 imhotep dhcpcd[82953]: pppoe0: rebinding prior DHCPv6 lease
Oct  4 01:10:25 imhotep dhcpcd[82953]: tun0: IAID 74:75:6e:30
Oct  4 01:10:26 imhotep dhcpcd[82953]: pppoe0: DHCPv6 REPLY: NoAddrsAvail
Oct  4 01:10:26 imhotep dhcpcd[82953]: pppoe0: REPLY6 received from
fe80::4afd:8eff:feaa:a4d1
Oct  4 01:10:26 imhotep dhcpcd[82953]: pppoe0: renew in 86400, rebind in
138240, expire in 259200 seconds
Oct  4 01:10:26 imhotep dhcpcd[82953]: lo0: adding reject route to
2a02:1234:658b::/48 via ::1
Oct  4 01:10:26 imhotep dhcpcd[82953]: pppoe0: delegated prefix
2a02:1234:658b::/48
Oct  4 01:10:26 imhotep dhcpcd[82953]: em0: adding address
2a02:1234:658b::1/48
Oct  4 01:10:26 imhotep dhcpcd[82953]: em0: changing route to
2a02:1234:658b::/48
Oct  4 01:10:26 imhotep dhcpcd[82953]: forked to background, child pid 6456

thanks shadrock


Re: authpf unable to exit ssh without control C

2019-09-17 Thread shadrock uhuru
> To:
> misc@openbsd.org
>
>
> On 9/15/19 7:31 AM, shadrock uhuru wrote:
>> hi everyone
>> i can login with authpf but unable to exit or control D out of the ssh
>> session
>> the only way out is to control C which also kills any other ordinary ssh
>> user connected to the server
>> my authpf user has authpf as its login shell and login class,
>> is this normal behaviour  ?
>> shadrock
>>
> If I understand your request, you want someone to log into your system,
> which brings up authpf, and you want them to be able to do something to
> exit to a shell prompt on that server and still leave the authpf rules
> in place?
>
> That's not the way authpf was designed.
>
> The idea is that when authpf is invoked, it activates certain rules,
> presumably regarding the IP address in question, and when authpf exits,
> it removes those changes.  Connect to authpf, now you can access the
> web site, or FTP or whatever it is you need, terminate authpf, and no
> one else at your IP can do those things.  If you are letting these same
> users access the shell prompt, your usage is not as paranoid as authpf
> was designed to deal with, it's probably not the right tool for the job,
> or your expectations are wrong.
>
> I run a private IRC server, which is blocked on the 'net by PF, but as
> all the users are people I know in real life and friends, I trust them
> to be able to activate their own IP addresses, so I just wrote a simple
> (and surely insecure) script to add that user's IP address to the PF
> table that permits them access to the system.  What this doesn't do
> (and I'm not sure how you expect to do this) is clear the connections
> when they leave.  In my case, I don't care -- the odds that after Fred
> gets a new IP address that his old IP address will end up in the hands
> of someone wanting to have access to my IRC server for malicious
> reasons (and they find it!) is pretty small.  But that might not be
> your use case.  If you need to close those openings...you had best
> think hard about how you expect that to happen.
>
> Nick.
>
> Subject:
> Re: authpf unable to exit ssh without control C
> From:
> Nick Holland 
> Date:
> 9/16/19, 12:39 PM
>

Hi Nick
i have sorted the problem with some pointers from irc.openbsd folks,
what i actually needed was to be able to login with ssh  with a non
authpf user to view tcpdumps etc and then  login to another ssh session
with an authpf user for testing but when i logged out the authpf user it
logged out the non authpf user as well,
it turns out that as both logins were from my laptop i.e the same ip
address
i needed to use the authpf-noip shell for the authpf user,
now i can exit the ssh session for the authpf user without taking down
the ssh session for the non authpf user .
thanks for your time
shadrock


authpf unable to exit ssh without control C

2019-09-15 Thread shadrock uhuru
hi everyone
i can login with authpf but unable to exit or control D out of the ssh
session
the only way out is to control C which also kills any other ordinary ssh
user connected to the server
my authpf user has authpf as its login shell and login class,
is this normal behaviour  ?
shadrock



pppoe no carrier

2019-09-09 Thread shadrock uhuru
hi everyone
i have setup pppoe and the interface comes up fine,
the pppoedev is connected  to a fritzbox modem and zen internet is the
provider
speaking to one of their advisers i was told that all i had to do was
connect to one of the lan ports on the fritzbox then i could do the
pppoe from my firewall
when i reboot the firewall with the pppoe configuration ,
ifconfig shows the interface up and it shows a PADI being sent but no
carrier on the pppoe interface,
is there anyone who has a similar setup and can give me pointers,
in particular is there anything in the fritzbox i should disable ?

shadrock



antispoof or urpf-failed ?

2019-09-02 Thread shadrock uhuru
hi everyone

http://lists.dragonflybsd.org/pipermail/users/2017-August/313577.html
states that the "urpf-failed" block rule causes the IPv6 traffic (ping)
significant packet loss,
while IPv4 remains fine
is this correct ?

https://lipidity.com/openbsd/router/ states
The antispoof rules should be replaced by a strict Unicast Reverse Path
Forwarding (uRPF) check:
block in log quick from urpf-failed

i have both antispoof and urpf-failed, should i leave both in my pf.conf
or remove antispoof ?

shadrock



Re: dhcrelay

2019-08-29 Thread shadrock uhuru
hiya
thanks for the reply
> hi everyone
> if i have a dhcp server in subnet A connected to interface em0 (lan) and
> subnet B connected to interface iwn0 (wireless zone) on the router
> with dhcrelay -i em0 running on the router should the wireless subnet be
> able to get its dhcp address from the dhcp server on the lan ?
> No, you would need to run 
>
>dhcrelay -i iwn0 
>
> to do that.
finally got that sorted,
but led me to another question
i have two dhcp servers on samba domain controllers,
can a second server-ip address be added like this to dhcrelay

dhcrelay -i iwn0  

i haven't seen any examples like this on the net
shadrock



missing PD Prefix 's

2019-08-29 Thread shadrock uhuru
hi everyone

how do i check if rad is working correctly
i have a PD Prefix address on my routers wan interface
but not on its lan interface or anywhere on the lan
rad is configured with the following
cat /etc/rad.conf
interface em0
interface em1
interface tun0

i also have dhcpcd configured
cat << EOF > /etc/dhcpcd.conf
ipv6only
noipv6rs
duid
persistent
option rapid_commit
require dhcp_server_identifier
slaac private
nohook resolv.conf, lookup-hostname
allowinterfaces bge0 em0 em1 tun0
script ""

interface bge0
  ia_na 1
  ia_pd 2 em0/0
  ia_pd 3 em1/1
  ia_pd 4 tun0/2
 



Re: dhcrelay

2019-08-25 Thread shadrock uhuru
> To:
> shadrock uhuru 
> CC:
> misc@openbsd.org
>
>
> shadrock uhuru(niyal...@gmail.com) on 2019.08.23 18:46:32 +0100:
>> hi everyone
>> if i have a dhcp server in subnet A connected to interface em0 (lan) and
>> subnet B connected to interface iwn0 (wireless zone) on the router
>> with dhcrelay -i em0 running on the router should the wireless subnet be
>> able to get its dhcp address from the dhcp server on the lan ?
> No, you would need to run 
>
>dhcrelay -i iwn0 
>
> to do that.
>
> Subject:
> Re: dhcrelay
> From:
> Sebastian Benoit 
> Date:
> 8/23/19, 10:12 PM
>
thanks Sebastian
i have two samba  active domain controllers with dhcp installed on each,
is it possible to do this

dhcrelay -i iwn0  

or can only one dhcp server address be specified ?
shadrock


dhcrelay

2019-08-23 Thread shadrock uhuru
hi everyone
if i have a dhcp server in subnet A connected to interface em0 (lan) and
subnet B connected to interface iwn0 (wireless zone) on the router
with dhcrelay -i em0 running on the router should the wireless subnet be
able  to get its dhcp address from the dhcp server on the lan ?



Re: pf.conf anchor directories

2019-08-20 Thread shadrock uhuru
> hiya
> can you have lines like this in pf.conf
> anchor "authpf/vpn/*" in on $VPN_IFACE
> anchor "authpf/wireless/*" in on $WIRE_IFACE
> and have anchors in /etc/authpf/vpn with your vpn rules
> and anchors in /etc/authpf/wireless with your wireless rules ?
>
> shadrock
> To:
> shadrock uhuru 
> CC:
> misc@openbsd.org
>
>
> yes
>
> Subject:
> Re: pf.conf anchor directories
> From:
> Klemens Nanni 
> Date:
> 8/20/19, 10:28 AM
>
thanks
shadrock


pf.conf anchor directories

2019-08-19 Thread shadrock uhuru
hiya
can you have lines like this in pf.conf
anchor "authpf/vpn/*" in on $VPN_IFACE
anchor "authpf/wireless/*" in on $WIRE_IFACE
and have anchors in /etc/authpf/vpn with your vpn rules
and anchors in /etc/authpf/wireless with your wireless rules ?

shadrock



Re: can't find libpcap

2019-08-18 Thread shadrock uhuru
> Hi,
>
> shadrock uhuru wrote on Sat, Aug 17, 2019 at 01:01:08PM +0100:
>
>> is there a package for pcap or libpcap
>> or do i have to download the source and compile
> to answer such questions, use pkg_locate(1).
>
># pkg_add pkglocatedb
>$ man pkg_locate
>$ pkg_locate libpcap.so
>
> This may also provide a clue:
>
>$ ldd $(which tcpdump)
>
> Yours,
>   Ingo
>
thanks Ingo


Re: can't find libpcap

2019-08-17 Thread shadrock uhuru



On 8/17/19 1:07 PM, Noth wrote:
> On 17/08/2019 14:01, shadrock uhuru wrote:
>> hi everyone
>> is there a package for pcap or libpcap
>> or do i have to download the source and compile
>> shadrock
>>
> libpcap is in base, see man pcap. It lives in /usr/lib.
thanks



can't find libpcap

2019-08-17 Thread shadrock uhuru
hi everyone
is there a package for pcap or libpcap
or do i have to download the source and compile
shadrock



packet filter questions

2019-08-16 Thread shadrock uhuru
hi  everyone

#
# internal interface
INT_IFACE = "em0"
# external wan interface
EXT_IFACE = "bge0"
# wireless interface
WIRE_IFACE = "em1"
# openvpn interface
VPN_IFACE = "tun0"
LO_IFACE = "lo"
LO_ADDR_INET4 = "127.0.0.1"
LO_ADDR_INET6 = "::1"
pass in quick inet log on !$EXT_IFACE $ATCP to port ftp divert-to
$LO_ADDR_INET4 port 8021
pass in quick inet6 log on !$EXT_IFACE $ATCP to port ftp divert-to
$LO_ADDR_INET6 port 8021
pass out proto tcp from $proxy to any port ftp
#

if i use !$EXT_IFACE in the pass line will the proxy work for
INT_IFACE,WIRE_IFACE and VPN_IFACE ?
could i merge the two divert lines if i remove inet and inet6 and
replaced LO_ADDR_INET4 and LO_ADDR_INET6 with LO_IFACE ?

shadrock



Re: adding ipv6 and pppoe to my firewall

2019-07-19 Thread shadrock uhuru
Hi Stuart
thanks for the reply

On 7/12/19 1:20 PM, owner-m...@openbsd.org wrote:
>> hypothetical ipv4 Address and ipv6 prefix from zen:
>> ND Prefix: :::::/64
>> PD Prefix: ::::/48
>> IPv4 Address:     12.34.56.78 (Subnet mask 255.255.255.255)
---
>>     fw1 em0: 192.168.2.2 (lan)
>>     fw1 em1: 12.34.56.78 (wan)
i have taken carp out of the configuration which leaves me with:

/etc/hostname.em0
mtu 1508
inet 192.168.2.2 255.255.255.0 NONE

/etc/hostname.em1
mtu 1508
inet 12.34.56.78 255.255.255.255 NONE
inet6 autoconf -autoconfprivacy -soii

/etc/hostname.pppoe
mtu 1500
inet 0.0.0.0 255.255.255.255 0.0.0.1 pppoedev em1 authproto chap
authname "XXX@isp" authkey "XXX" up
dest 0.0.0.1
inet6 eui64
!/sbin/route add default -ifp pppoe0 0.0.0.1
!/sbin/route add -inet6 default -ifp pppoe0 fe80::%pppoe0 -priority 8

/etc/rad.conf
interface em0

dhcpcd to be added

> If you need DHCPv6-PD then don't hardcode the addresses on the
> inside interfaces, just let PD fetch them. (For the UK ISPs I'm most familiar
> with, zen seems to need PD otherwise
> they don't route the block to me, at least in the config they've got
> on my user account
by inside interfaces do you mean the lan facing nic on the firewall and
any tun interfaces ?
i am on zen also and will have a look at dhcpcd
> question 5
>>> do i need to put -autoconfprivacy -soii  in the nics or should i remove it.
> Don't use autoconf on interfaces where you run rad(8), that is like
> running dhclient and dhcpd on the same interface.
>
so remove autoconf from em0 ?

should i be using the mtu option in rad.conf to ensure that all nodes on
a link use the same MTU value i.e. 1508 ?

could you send examples of the following files to compare with mine for
any misconfigurations on my side please.
wan hostname file
lan hostname file
pppoe hostname file
rad.conf
dhcpcd.conf

thanks
shadrock


Re: adding ipv6 and pppoe to my firewall

2019-07-19 Thread shadrock uhuru
Hi Stuart
thanks for the reply

On 7/12/19 1:20 PM, misc@openbsd.org wrote:
>> hypothetical ipv4 Address and ipv6 prefix from zen:
>> ND Prefix: :::::/64
>> PD Prefix: ::::/48
>> IPv4 Address:     12.34.56.78 (Subnet mask 255.255.255.255)
---
>>     fw1 em0: 192.168.2.2 (lan)
>>     fw1 em1: 12.34.56.78 (wan)
i have taken carp out of the configuration which leaves me with:

/etc/hostname.em0
mtu 1508
inet 192.168.2.2 255.255.255.0 NONE

/etc/hostname.em1
mtu 1508
inet 12.34.56.78 255.255.255.255 NONE
inet6 autoconf -autoconfprivacy -soii

/etc/hostname.pppoe
mtu 1500
inet 0.0.0.0 255.255.255.255 0.0.0.1 pppoedev em1 authproto chap
authname "XXX@isp" authkey "XXX" up
dest 0.0.0.1
inet6 eui64
!/sbin/route add default -ifp pppoe0 0.0.0.1
!/sbin/route add -inet6 default -ifp pppoe0 fe80::%pppoe0 -priority 8

/etc/rad.conf
interface em0

dhcpcd to be added

> If you need DHCPv6-PD then don't hardcode the addresses on the
> inside interfaces, just let PD fetch them. (For the UK ISPs I'm most familiar
> with, zen seems to need PD otherwise
> they don't route the block to me, at least in the config they've got
> on my user account
by inside interfaces do you mean the lan facing nic on the firewall and
any tun interfaces ?
i am on zen also and will have a look at dhcpcd
> question 5
>>> do i need to put -autoconfprivacy -soii in the nics or should i remove it.
> Don't use autoconf on interfaces where you run rad(8), that is like
> running dhclient and dhcpd on the same interface.
>
so remove autoconf from em0 ?

should i be using the mtu option in rad.conf to ensure that all nodes on
a link use the same MTU value i.e. 1508 ?

could you send examples of the following files to compare with mine for
any misconfigurations on my side please.
wan hostname file
lan hostname file
pppoe hostname file
rad.conf
dhcpcd.conf

thanks
shadrock



Re: adding ipv6 and pppoe to my firewall

2019-07-10 Thread shadrock uhuru
> hi  everyone
> i have a dual redundant firewall setup the same as the example given at
> https://www.openbsd.org/faq/pf/carp.html
> i was originally with virgin media but have moved to a provider
> offering ipv4, ipv6 and fixed ip addresses,
> i am now trying  to add ipv6 and pppoe to the firewall.
> i haven't found an example on the web of a carp, pppoe and ipv6 firewall ,
> so i've had to piece together bits of info from different places
> using the following hypothetical addresses this is my planned
> configuration ,
> please feel free to correct where there are mistakes.
>
> IPv6 Address:
> ND Prefix: :::::/64
> PD Prefix: ::::/48
> IPv4 Address:     12.34.56.78 (Subnet mask 255.255.255.255)
>
>     fw1 em0: 192.168.2.2 (lan)
>     fw1 em1: 192.168.3.2 (wan)
>     fw1 em2: 192.168.4.1 (pfsync)
>     fw2 em0: 192.168.2.3 (lan)
>     fw2 em1: 192.168.3.3 (wan)
>     fw2 em2: 192.168.4.2 (pfsync)
>     LAN shared IP: 192.168.2.1 (carp_lan)
>     WAN/internet shared IP: 12.34.56.78 (carp_wan)
>
> fw1
> /etc/hostname.em0
> inet 192.168.2.2 255.255.255.0 NONE
> inet6 autoconf -autoconfprivacy -soii
> inet6 alias :::::100 64
>
> /etc/hostname.em1
> inet 192.168.3.2 255.255.255.0 NONE
> inet6 autoconf -autoconfprivacy -soii
> inet6 alias :::::200 64
>
> /etc/hostname.em2
> inet 192.168.4.1 255.255.255.0 NONE
>
> /etc/hostname.carp_lan.nic
> inet 192.168.2.1 255.255.255.0 192.168.2.255 vhid 1 carpdev em0 advskew
> 5 pass $PASSWORDIN
> inet6 autoconf -autoconfprivacy -soii
> inet6 alias :::::300 prefixlen 64 vhid 1 carpdev em0
> advskew 5 pass $PASSWORDIN
>
> /etc/hostname.carp_wan.nic
> inet 12.34.56.78 255.255.255.255 'broadcast_addr' vhid 2 carpdev em1
> advskew 100 pass $PASSWORDOUT
> inet6 autoconf -autoconfprivacy -soii
> inet6 alias :::::400 prefixlen 64 vhid 2 carpdev $em1
> advskew 100 pass $PASSWORDOUT
>
>
> fw2
> /etc/hostname.em0
> inet 192.168.2.3 255.255.255.0 NONE
> inet6 autoconf -autoconfprivacy -soii
> inet6 alias :::::150 64
>
> /etc/hostname.em1
> inet 192.168.3.3 255.255.255.0 NONE
> inet6 autoconf -autoconfprivacy -soii
> inet6 alias :::::250 64
>
> /etc/hostname.em2
> inet 192.168.4.2 255.255.255.0 NONE
>
> /etc/hostname.carp_lan.nic
> inet 192.168.2.1 255.255.255.0 192.168.2.255 vhid 1 carpdev em0 advskew
> 5 pass $PASSWORDIN
> inet6 autoconf -autoconfprivacy -soii
> inet6 alias :::::350 prefixlen 64 vhid 1 carpdev em0
> advskew 5 pass $PASSWORDIN
>
> /etc/hostname.carp_wan.nic
> inet 12.34.56.78 255.255.255.255 'broadcast_addr' vhid 2 carpdev em1
> advskew 100 pass $PASSWORDOUT
> inet6 autoconf -autoconfprivacy -soii
> inet6 alias :::::450 prefixlen 64 vhid 2 carpdev $em1
> advskew 100 pass $PASSWORDOUT
>
> /etc/hostname.pppoe
> mtu 1500
> inet 0.0.0.0 255.255.255.255 0.0.0.1 pppoedev em1/carp2 authproto chap
> authname "XXX@isp" authkey "XXX" up
> dest 0.0.0.1
> inet6 -autoconfprivacy
> inet6 autoconf
> !/sbin/route add default -ifp pppoe0 0.0.0.1
> !/sbin/route add -inet6 default -ifp pppoe0 fe80::%pppoe0 -priority 8
>
> % cat /etc/rc.d/dhcp6c
> #!/bin/sh
>
> daemon="/usr/local/sbin/dhcp6c"
>
> . /etc/rc.d/rc.subr
>
> rc_reload=NO
>
> rc_cmd $1
>
> % cat /etc/dhcp6c.conf
> interface pppoe0 {
>     send ia-pd 0;
>     send domain-name-servers;
>     send rapid-commit;
> };
>
> id-assoc pd {
>     prefix-interface em1 {
>         sla-id 0;
>         sla-len 8;
>     };
> };
>
> % echo 'dhcp6c_flags=pppoe0' | tee -a /etc/rc.conf.local
> dhcp6c_flags=pppoe0
>
> % echo '!/etc/rc.d/dhcp6c restart' | tee -a /etc/hostname.pppoe0
> !/etc/rc.d/dhcp6c restart
>
> % /etc/rc.d/dhcp6c restart
> dhcp6c(ok)
>     };
> };
>
> question 1
> in hostname.pppoe do i set pppoedev to the wan facing nic or the wan
> carp interface on each firewall
> question 2
> in dhcpv6.conf do i set the interface and prefix_interface to the wan
> and lan facing nic or the wan and lan carp interface on each firewall
> question 3
> what broadcast address do i use for in the carp_wan configuration if the
> mask is 255.255.255.255
> question 4
> do i just add interface em0 to rad.conf
> or do i use the complex case to set the prefix and basic DNS options.
> interface em1 {
>     prefix ::::/48
>     dns {
>     nameserver ::::53
>     search example.org
> question 5
> do i need to put -autoconfprivacy -soii  in the nics or should i remove it.
>
> shadrock
is there no one who can help me with this ?

shadrock



adding ipv6 and pppoe to my firewall

2019-07-09 Thread shadrock uhuru
hi  everyone
i have a dual redundant firewall setup the same as the example given at
https://www.openbsd.org/faq/pf/carp.html
i was originally with virgin media but have moved to a provider
offering ipv4, ipv6 and fixed ip addresses,
i am now trying  to add ipv6 and pppoe to the firewall.
i haven't found an example on the web of a carp, pppoe and ipv6 firewall ,
so i've had to piece together bits of info from different places
using the following hypothetical addresses this is my planned
configuration ,
please feel free to correct where there are mistakes.

IPv6 Address:
ND Prefix: :::::/64
PD Prefix: ::::/48
IPv4 Address:     12.34.56.78 (Subnet mask 255.255.255.255)

    fw1 em0: 192.168.2.2 (lan)
    fw1 em1: 192.168.3.2 (wan)
    fw1 em2: 192.168.4.1 (pfsync)
    fw2 em0: 192.168.2.3 (lan)
    fw2 em1: 192.168.3.3 (wan)
    fw2 em2: 192.168.4.2 (pfsync)
    LAN shared IP: 192.168.2.1 (carp_lan)
    WAN/internet shared IP: 12.34.56.78 (carp_wan)

fw1
/etc/hostname.em0
inet 192.168.2.2 255.255.255.0 NONE
inet6 autoconf -autoconfprivacy -soii
inet6 alias :::::100 64

/etc/hostname.em1
inet 192.168.3.2 255.255.255.0 NONE
inet6 autoconf -autoconfprivacy -soii
inet6 alias :::::200 64

/etc/hostname.em2
inet 192.168.4.1 255.255.255.0 NONE

/etc/hostname.carp_lan.nic
inet 192.168.2.1 255.255.255.0 192.168.2.255 vhid 1 carpdev em0 advskew
5 pass $PASSWORDIN
inet6 autoconf -autoconfprivacy -soii
inet6 alias :::::300 prefixlen 64 vhid 1 carpdev em0
advskew 5 pass $PASSWORDIN

/etc/hostname.carp_wan.nic
inet 12.34.56.78 255.255.255.255 'broadcast_addr' vhid 2 carpdev em1
advskew 100 pass $PASSWORDOUT
inet6 autoconf -autoconfprivacy -soii
inet6 alias :::::400 prefixlen 64 vhid 2 carpdev $em1
advskew 100 pass $PASSWORDOUT


fw2
/etc/hostname.em0
inet 192.168.2.3 255.255.255.0 NONE
inet6 autoconf -autoconfprivacy -soii
inet6 alias :::::150 64

/etc/hostname.em1
inet 192.168.3.3 255.255.255.0 NONE
inet6 autoconf -autoconfprivacy -soii
inet6 alias :::::250 64

/etc/hostname.em2
inet 192.168.4.2 255.255.255.0 NONE

/etc/hostname.carp_lan.nic
inet 192.168.2.1 255.255.255.0 192.168.2.255 vhid 1 carpdev em0 advskew
5 pass $PASSWORDIN
inet6 autoconf -autoconfprivacy -soii
inet6 alias :::::350 prefixlen 64 vhid 1 carpdev em0
advskew 5 pass $PASSWORDIN

/etc/hostname.carp_wan.nic
inet 12.34.56.78 255.255.255.255 'broadcast_addr' vhid 2 carpdev em1
advskew 100 pass $PASSWORDOUT
inet6 autoconf -autoconfprivacy -soii
inet6 alias :::::450 prefixlen 64 vhid 2 carpdev $em1
advskew 100 pass $PASSWORDOUT

/etc/hostname.pppoe
mtu 1500
inet 0.0.0.0 255.255.255.255 0.0.0.1 pppoedev em1/carp2 authproto chap
authname "XXX@isp" authkey "XXX" up
dest 0.0.0.1
inet6 -autoconfprivacy
inet6 autoconf
!/sbin/route add default -ifp pppoe0 0.0.0.1
!/sbin/route add -inet6 default -ifp pppoe0 fe80::%pppoe0 -priority 8

% cat /etc/rc.d/dhcp6c
#!/bin/sh

daemon="/usr/local/sbin/dhcp6c"

. /etc/rc.d/rc.subr

rc_reload=NO

rc_cmd $1

% cat /etc/dhcp6c.conf
interface pppoe0 {
    send ia-pd 0;
    send domain-name-servers;
    send rapid-commit;
};

id-assoc pd {
    prefix-interface em1 {
        sla-id 0;
        sla-len 8;
    };
};

% echo 'dhcp6c_flags=pppoe0' | tee -a /etc/rc.conf.local
dhcp6c_flags=pppoe0

% echo '!/etc/rc.d/dhcp6c restart' | tee -a /etc/hostname.pppoe0
!/etc/rc.d/dhcp6c restart

% /etc/rc.d/dhcp6c restart
dhcp6c(ok)
    };
};

question 1
in hostname.pppoe do i set pppoedev to the wan facing nic or the wan
carp interface on each firewall
question 2
in dhcpv6.conf do i set the interface and prefix_interface to the wan
and lan facing nic or the wan and lan carp interface on each firewall
question 3
what broadcast address do i use for in the carp_wan configuration if the
mask is 255.255.255.255
question 4
do i just add interface em0 to rad.conf
or do i use the complex case to set the prefix and basic DNS options.
interface em1 {
    prefix ::::/48
    dns {
    nameserver ::::53
    search example.org
question 5
do i need to put -autoconfprivacy -soii  in the nics or should i remove it.

shadrock



Fwd: howto verify keydisk backup

2019-06-19 Thread shadrock uhuru




 Forwarded Message 
Subject: Re: howto verify keydisk backup
Date: Wed, 19 Jun 2019 09:23:53 +0100
From: shadrock uhuru
To: noah pugsley





On 6/19/19 5:25 AM, noah pugsley wrote:
> On Tue, Jun 18, 2019 at 5:37 PM shadrock uhuru  wrote:
>> hi everyone
>> my keydisk is on a compactflash sandisk ultra 2 card,
>> which was created during disk encryption
>>
>> doas disklabel sd1
>> # /dev/rsd1c:
>> type: SCSI
>> disk: SCSI disk
>> label: USB CARD READER
>> duid: ea53e532b5ae2a0f
>> flags:
>> bytes/sector: 512
>> sectors/track: 63
>> tracks/cylinder: 255
>> sectors/cylinder: 16065
>> cylinders: 31
>> total sectors: 501760
>> boundstart: 64
>> boundend: 498015
>> drivedata: 0
>>
>> 16 partitions:
>> #                size           offset  fstype [fsize bsize   cpg]
>>   a:            16001               64    RAID
>>   c:           501760                0  unused
>>
>>
>> i boot my laptop  (samsung np300e5A) with this connected to a card
>> reader  connected to a usb port and i'm able to boot without a problem
>>
>> I HAVE A cruzer memory stick to use as a BACKUP keydisk
>>
>> doas disklabel sd3
>> # /dev/rsd3c:
>> type: SCSI
>> disk: SCSI disk
>> label: Cruzer Fit
>> duid: 7fe58412fc668f9e
>> flags:
>> bytes/sector: 512
>> sectors/track: 63
>> tracks/cylinder: 255
>> sectors/cylinder: 16065
>> cylinders: 972
>> total sectors: 15630336
>> boundstart: 64
>> boundend: 15615180
>> drivedata: 0
>>
>> 16 partitions:
>> #                size           offset  fstype [fsize bsize   cpg]
>>   a:            16001               64    RAID
>>   c:         15630336                0  unused
>>
>> using the backup instruction on the openbsd faq i create an image of the 
>> keydisk
>>
>> dd bs=8192 skip=1 if=/dev/rsd1a of=backup-keydisk.img
>>
>> 999+1 records in
>> 999+1 records out
>> 8184320 bytes transferred in 2.251 secs (3634754 bytes/sec)
>>
>> i restore the image to the backup usb memory stick using
>>
>> dd bs=8192 seek=1 if=backup-keydisk.img of=/dev/rsd3a
>>
>> 999+1 records in
>> 999+1 records out
>> 8184320 bytes transferred in 1.744 secs (4690370 bytes/sec)
>>
> I might be speaking out of turn here, but I'm pretty sure you want to
> dd rsdXc, that images the entire disk, not just the a partition.
i don't think that would work,
the two memory sticks are  different sizes with the compactflash being
256mb and the cruzer being 8gb,
if i am wrong let me know,
this is why i dd the partition with the keydisk data on.

shadrock
>> when i try to boot off the backup usb memory stick i get
>> using drive 0 partition 3
>> no os
>>
>> i tried to verify the keydisk image  with diff using
>>
>> doas diff /dev/rsd1a backup-keydisk.img
>> Binary files /dev/rsd1a and backup-keydisk.img differ
>> ---
>>
>> is there a problem with the hardware combination of usb sticks i use for 
>> keydisk backup
>> or the commands i use especially the diff command to try and verify the 
>> image file ?
>>
>> shadrock
>>



howto verify keydisk backup

2019-06-18 Thread shadrock uhuru
hi everyone
my keydisk is on a compactflash sandisk ultra 2 card,
which was created during disk encryption

doas disklabel sd1
# /dev/rsd1c:
type: SCSI
disk: SCSI disk
label: USB CARD READER
duid: ea53e532b5ae2a0f
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 31
total sectors: 501760
boundstart: 64
boundend: 498015
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:            16001               64    RAID
  c:           501760                0  unused


i boot my laptop  (samsung np300e5A) with this connected to a card
reader  connected to a usb port and i'm able to boot without a problem

I HAVE A cruzer memory stick to use as a BACKUP keydisk

doas disklabel sd3
# /dev/rsd3c:
type: SCSI
disk: SCSI disk
label: Cruzer Fit
duid: 7fe58412fc668f9e
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 972
total sectors: 15630336
boundstart: 64
boundend: 15615180
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:            16001               64    RAID
  c:         15630336                0  unused

using the backup instruction on the openbsd faq i create an image of the keydisk

dd bs=8192 skip=1 if=/dev/rsd1a of=backup-keydisk.img

999+1 records in
999+1 records out
8184320 bytes transferred in 2.251 secs (3634754 bytes/sec)

i restore the image to the backup usb memory stick using

dd bs=8192 seek=1 if=backup-keydisk.img of=/dev/rsd3a

999+1 records in
999+1 records out
8184320 bytes transferred in 1.744 secs (4690370 bytes/sec)


when i try to boot off the backup usb memory stick i get
using drive 0 partition 3
no os

i tried to verify the keydisk image  with diff using 

doas diff /dev/rsd1a backup-keydisk.img
Binary files /dev/rsd1a and backup-keydisk.img differ
---

is there a problem with the hardware combination of usb sticks i use for 
keydisk backup
or the commands i use especially the diff command to try and verify the image 
file ?

shadrock
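
Added example, not part of the original post or of the OpenBSD FAQ: the image taken with `bs=8192 skip=1` holds the partition's contents starting 8192 bytes in, so comparing the whole partition with the image always reports a difference. The script runs the post's two dd commands on constructed stand-in files of the same 16001-sector size and compares at the matching offset; the function names, the stand-in files and `conv=notrunc` (used so the regular-file target is overwritten in place, as a device would be) are assumptions.

```shell
#!/bin/sh
# Added example: regular files stand in for /dev/rsd1a and /dev/rsd3a.
# All data below is constructed; nothing touches a real disk.

BS=8192   # block size from the post; skip=1 / seek=1 leave the first block out

# make_partition PATH SEED: build a 16001-sector (8192512-byte) stand-in
# whose content is deterministic and depends on the one-character SEED.
make_partition() {
    awk -v s="$2" 'BEGIN { for (i = 0; i < 911000; i++) printf "%s%07d\n", s, i }' \
        > "$1.raw"
    dd if="$1.raw" of="$1" bs=512 count=16001 2>/dev/null
    rm -f "$1.raw"
}

# The backup command from the post: everything after the first 8192 bytes.
backup_keydisk() {
    dd bs="$BS" skip=1 if="$1" of="$2" 2>/dev/null
}

# The restore command from the post. conv=notrunc is an addition so that the
# regular-file stand-in keeps its first block, like a device would.
restore_keydisk() {
    dd bs="$BS" seek=1 if="$1" of="$2" conv=notrunc 2>/dev/null
}

# What "diff /dev/rsd1a backup-keydisk.img" tests: byte 0 of the partition
# against byte 0 of the image. The image starts 8192 bytes later, so this
# differs even when the backup is perfect.
verify_direct() {
    cmp -s "$1" "$2"
}

# Offset-aware check: skip the same first block on the partition side and
# compare the rest with the image. Assumes partition and image cover the
# same range, as with the two 16001-sector 'a' partitions in the post.
verify_offset() {
    dd bs="$BS" skip=1 if="$1" 2>/dev/null | cmp -s - "$2"
}

keydisk_demo() {
    d=$(mktemp -d) || return 1
    make_partition "$d/src_a" S     # stand-in for the working keydisk
    make_partition "$d/dst_a" D     # stand-in for the backup stick, old data

    backup_keydisk  "$d/src_a" "$d/backup-keydisk.img"
    restore_keydisk "$d/backup-keydisk.img" "$d/dst_a"

    size=$(wc -c < "$d/backup-keydisk.img" | tr -d ' ')
    verify_direct "$d/src_a" "$d/backup-keydisk.img" && direct=same || direct=differ
    verify_offset "$d/src_a" "$d/backup-keydisk.img" && image=ok || image=bad
    verify_offset "$d/dst_a" "$d/backup-keydisk.img" && restored=ok || restored=bad

    rm -rf "$d"
    echo "$size direct=$direct image=$image restored=$restored"
}

keydisk_demo
```

The image size printed by the script matches the 8184320 bytes dd reported in the post (16001 sectors of 512 bytes, less the 8192 bytes skipped).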



how to setup wireless for redundent firewalls ?

2019-05-23 Thread shadrock uhuru
hi everyone
i have two firewalls setup with carp and pfsync
with my wireless router fed straight into the switch connected to the lan ,
this is fine for me as a single user of my network.
i would like to improve the setup to include other users while allowing
them  access to the internet and limiting their access to my network.
i will be adding another network port  to both firewalls ,
i assume i will need to have two wireless routers,
one plugged into each firewall,
are the two wireless routers setup to have
the same ssid and password for smooth fail-over ?

shadrock



Re: i3bar not working after 6.5 upgrade

2019-05-14 Thread shadrock uhuru



On 5/13/19 12:51 PM, Edgar Pettijohn wrote:
> On May 13, 2019 2:58 AM, shadrock uhuru  wrote:
>>
>>
>> On 5/13/19 1:35 AM, shadrock uhuru wrote:
>>> hi everyone
>>> since upgrading to 6.5 my i3bar no longer works.
>>> i have not changed the configuration in any way
>>> when i run the i3status command manually in a terminal the bar is not
>>> displayed but the correct information that would be on the i3bar is
>>> echoed to the terminal.
>>> the message on the right hand of the i3bar is
>>> error: status_command not found or is missing a library dependency
>>> (exit 127)
>>> the left hand side of the bar is functioning correctly 
>>> the following is from the i3 log file.
>>>
>>> grep i3bar  'i3log-2019-05-12-0-41-37'
>>>  
>>> 05/12/19 00:41:40 - config_parser.c:parse_config:267 - CONFIG(line
>>> 152): # Start i3bar to display a workspace bar (plus the system
>>> information i3status
>>> 05/12/19 00:41:41 - Starting bar process: i3bar  --bar_id=bar-0
>>> --socket="/tmp/i3-shadrock.Q7Rfx2/ipc-socket.80799"
>>> 05/12/19 00:41:41 - executing: i3bar  --bar_id=bar-0
>>> --socket="/tmp/i3-shadrock.Q7Rfx2/ipc-socket.80799"
>>> 05/12/19 00:41:41 - WM_CLASS changed to i3bar (instance), i3bar (class)
>>> 05/12/19 00:41:41 - WM_NAME changed to "i3bar for output LVDS-1"
>>> 05/12/19 00:41:41 - Checking window 0x00e00003 (class i3bar)
>>> 05/12/19 00:41:41 - Checking window 0x00e3 (class i3bar)
>>> [/usr/obj/ports/i3-4.16.1/i3-4.16.1/../i3-4.16.1/i3bar/src/child.c:468]
>>> ERROR: Child (pid: 72679) unexpectedly exited with status 127
>>>
>>>
>> how do i debug for a missing library ?
>> shadrock
>>
> LD_DEBUG=1 
thanks
found the problem by enabling logging for i3
i had my i3 config file at ~/.i3 instead of at ~/.config/i3 which had an
old i3 config file ,
after copying everything from ~i3 to ~/config/i3 and restarting i3 all
is working again.
shadrock



Re: i3bar not working after 6.5 upgrade

2019-05-13 Thread shadrock uhuru



On 5/13/19 1:35 AM, shadrock uhuru wrote:
> hi everyone
> since upgrading to 6.5 my i3bar no longer works.
> i have not changed the configuration in any way
> when i run the i3status command manually in a terminal the bar is not
> displayed but the correct information that would be on the i3bar is
> echoed to the terminal.
> the message on the right hand of the i3bar is
> error: status_command not found or is missing a library dependency
> (exit 127)
> the left hand side of the bar is functioning correctly 
> the following is from the i3 log file.
>
> grep i3bar  'i3log-2019-05-12-0-41-37'
>  
> 05/12/19 00:41:40 - config_parser.c:parse_config:267 - CONFIG(line
> 152): # Start i3bar to display a workspace bar (plus the system
> information i3status
> 05/12/19 00:41:41 - Starting bar process: i3bar  --bar_id=bar-0
> --socket="/tmp/i3-shadrock.Q7Rfx2/ipc-socket.80799"
> 05/12/19 00:41:41 - executing: i3bar  --bar_id=bar-0
> --socket="/tmp/i3-shadrock.Q7Rfx2/ipc-socket.80799"
> 05/12/19 00:41:41 - WM_CLASS changed to i3bar (instance), i3bar (class)
> 05/12/19 00:41:41 - WM_NAME changed to "i3bar for output LVDS-1"
> 05/12/19 00:41:41 - Checking window 0x00e3 (class i3bar)
> 05/12/19 00:41:41 - Checking window 0x00e3 (class i3bar)
> [/usr/obj/ports/i3-4.16.1/i3-4.16.1/../i3-4.16.1/i3bar/src/child.c:468]
> ERROR: Child (pid: 72679) unexpectedly exited with status 127
>
>
how do i debug for a missing library ?
shadrock



i3bar not working after 6.5 upgrade

2019-05-13 Thread shadrock uhuru
hi everyone
since upgrading to 6.5 my i3bar no longer works.
i have not changed the configuration in any way
when i run the i3status command manually in a terminal the correct
information that would be on the i3bar is echoed to the terminal.
the message on the right hand of the i3bar is
error: status_command not found or is missing a library dependency (exit
127)
the left hand side of the bar displays the workspace
the following is from the i3 log file.

grep i3bar  'i3log-2019-05-12-0-41-37'
 
05/12/19 00:41:40 - config_parser.c:parse_config:267 - CONFIG(line 152):
# Start i3bar to display a workspace bar (plus the system information
i3status
05/12/19 00:41:41 - Starting bar process: i3bar  --bar_id=bar-0
--socket="/tmp/i3-shadrock.Q7Rfx2/ipc-socket.80799"
05/12/19 00:41:41 - executing: i3bar  --bar_id=bar-0
--socket="/tmp/i3-shadrock.Q7Rfx2/ipc-socket.80799"
05/12/19 00:41:41 - WM_CLASS changed to i3bar (instance), i3bar (class)
05/12/19 00:41:41 - WM_NAME changed to "i3bar for output LVDS-1"
05/12/19 00:41:41 - Checking window 0x00e3 (class i3bar)
05/12/19 00:41:41 - Checking window 0x00e3 (class i3bar)
[/usr/obj/ports/i3-4.16.1/i3-4.16.1/../i3-4.16.1/i3bar/src/child.c:468]
ERROR: Child (pid: 72679) unexpectedly exited with status 127




Re: Upgrade procedure encrypted filesystem (6.4 -> 6.5)

2019-05-09 Thread shadrock uhuru



On 5/9/19 11:56 AM, cho...@jtan.com wrote:
> shadrock uhuru writes:
>> i've got a couple of follow up queries concerning post upgrade things to do.
>>
>> --- -dbus-1.12.10p0v0 ---
>> Remember to update /etc/machine-id
>> how do i update machine_id, i didn't find any man pages to explain ?
> Ignore it. Nothing bad will happen. It's a linuxism.
>
>> --- -libxml-2.9.8p0 ---
>> Remember to update /var/db/xmlcatalog
>> how do i update /var/db/xmlcatalog, found man xmlcatalog but mentions
>> nothing about updating ?
> Ignore it. Nothing bad will happen. Nothing done in XML ever mattered.
>
>> --- -node-8.12.0 ---
>> Error deleting directory /usr/local/lib/kde4/plugins: Directory not empty
>> /usr/local/lib/kde4/plugins contains:
>>
>> ls /usr/local/lib/kde4/plugins
>>
>> accessible    imageformats  phonon_s_backend
>> accessiblebridge  kauth script
>> designer  kscreen   styles
>> grantlee  marble
>> gui_platform  phonon_platform
>>
>> should i go ahead and delete everything in the directory manually ?
> Remove everything that is to do with KDE and go and quietly contemplate
> the life choices which led to you having it installed in the first place.
Hi chohag
it was a leftover when i first installed my laptop
used it for about a week then switched to I3 and never looked back.
will pkg_delete kde4 remove it all ?
shadrock
> Matthew
>



Re: Upgrade procedure encrypted filesystem (6.4 -> 6.5)

2019-05-09 Thread shadrock uhuru



On 5/7/19 9:16 PM, Omar Polo wrote:
> On Tue, May 07, 2019 at 02:04:03AM +0100, shadrock uhuru wrote:
>>
>> On 5/6/19 8:18 PM, Omar Polo wrote:
>>> On Mon, May 06, 2019 at 07:46:53PM +0100, shadrock uhuru wrote:
>>>> hi everyone
>>>> when upgrading my laptop which is encrypted with a keydisk
>>>> i assume that i boot the 6.5 kernel which will be on a usb stick with
>>>> the keydisk inserted,
>>>> will the hard drive still be decrypted and upgraded,
>>>> also will the encryption step need to be redone or will the keydisk
>>>> continue to unlock the 6.5 filesystem on subsequent reboots.
>>>> thanks
>>>> shadrock
>>> Just follow the guide[1]: during the upgrade process the installer will
>>> ask you what disk contains the installation.  Be sure to point it to
>>> the right disk.  The disk will (of course!) still be encrypted after
>>> the upgrade, and you won't need to do anything else.
>>>
>>> [1]: https://www.openbsd.org/faq/upgrade65.html
>> many thanks Omar
> I've forgotten one thing (hope it's not too late.)  Point the installer
> to the right *virtual* disk.  For example, in my case I have a disk
> (attached as sd0) with FDE.  When decrypted, a virtual disk sd1 is
> attached, so when I upgrade I point the installer to sd1.  In any case,
> the installer will try to mount the partitions, so you should see an
> error if you point it to the wrong disk.
>
> Also, sorry if I wrote directly to you instead of replying to the ml.
> As always, I forget to CC :)
either way works for me.
Hi Omar and all who helped
i got it upgraded, it was way easier than i expected,
i've got a couple of follow up queries concerning post upgrade things to do.

--- -dbus-1.12.10p0v0 ---
Remember to update /etc/machine-id
how do i update machine_id, i didn't find any man pages to explain ?

--- -libxml-2.9.8p0 ---
Remember to update /var/db/xmlcatalog
how do i update /var/db/xmlcatalog, found man xmlcatalog but mentions
nothing about updating ?

--- -node-8.12.0 ---
Error deleting directory /usr/local/lib/kde4/plugins: Directory not empty
/usr/local/lib/kde4/plugins contains:

ls /usr/local/lib/kde4/plugins

accessible    imageformats  phonon_s_backend
accessiblebridge  kauth script
designer  kscreen   styles
grantlee  marble
gui_platform  phonon_platform

should i go ahead and delete everything in the directory manually ?

shadrock



Upgrade procedure encrypted filesystem (6.4 -> 6.5)

2019-05-06 Thread shadrock uhuru
hi everyone
when upgrading my laptop which is encrypted with a keydisk
i assume that i boot the 6.5 kernel which will be on a usb stick with
the keydisk inserted,
will the hard drive still be decrypted and upgraded,
also will the encryption step need to be redone or will the keydisk
continue to unlock the 6.5 filesystem on subsequent reboots.
thanks
shadrock



missing sdl header and lib files

2019-02-08 Thread shadrock uhuru
hi everyone

i have added the following packages

sdl
sdl-mixer
sdl_image
sdl_net
sdl_ttf
sdl2
sdl2-mixer
sdl2_image
sdl2_net
sdl2_ttf

the lib and header files are missing

are there additional packages to add for these.

shadrock



pycharm updates ?

2019-01-30 Thread shadrock uhuru
hi everyone

just a quick question about pycharm updates
do i allow pycharm to update its IDE and Plugins or
only update it with pkg_add -u ?

shadrock



howto set terminus font in .Xresources for xterm

2018-12-31 Thread shadrock uhuru
hi everyone

what is the correct command to put in .Xresources for the terminus font,
the following is my Xresources file,
i've tried a few variations but all i get when i start xterm is cannot
load font,
font loading is new to me so i have only tried examples off the web
---


XTerm*utf8: 1
! XTerm*font: -*-terminus-medium-*-*-*-18-*-*-*-*-*-iso10646-1
XTerm*font: terminus-12
XTerm*italicFont: terminus-12
XTerm*selectToClipboard: true


!    ! Use a nice truetype font and size by default...
!    xterm*faceName: DejaVu Sans Mono Book
!    xterm*faceSize: 11

xterm*loginshell: true

xterm*savelines: 16384

! double-click to select whole URLs :D
xterm*charClass: 33:48,36-47:48,58-59:48,61:48,63-64:48,95:48,126:48
XTerm*on3Clicks: regex
([[:alpha:]]+://)?([[:alnum:]!#+,./=?@_~-]|(%[[:xdigit:]][[:xdigit:]]))+
*VT100*translations: #override Shift :
exec-formatted("google-chrome '%t'", PRIMARY)

! DOS-box colours...
!    xterm*foreground: rgb:a8/a8/a8
    xterm*foreground: rgb:ff/ff/00
    xterm*background: rgb:00/00/00
    xterm*color0: rgb:00/00/00
    xterm*color1: rgb:a8/00/00
    xterm*color2: rgb:00/a8/00
    xterm*color3: rgb:a8/54/00
    xterm*color4: rgb:00/00/a8
    xterm*color5: rgb:a8/00/a8
    xterm*color6: rgb:00/a8/a8
    xterm*color7: rgb:a8/a8/a8
    xterm*color8: rgb:54/54/54
    xterm*color9: rgb:fc/54/54
    xterm*color10: rgb:54/fc/54
    xterm*color11: rgb:fc/fc/54
    xterm*color12: rgb:54/54/fc
    xterm*color13: rgb:fc/54/fc
    xterm*color14: rgb:54/fc/fc
    xterm*color15: rgb:fc/fc/fc

! right hand side scrollbar...
    xterm*rightScrollBar: true
    xterm*ScrollBar: true

! stop output to terminal from jumping down to bottom of scroll again
    xterm*scrollTtyOutput: false

---

thanks shadrock



Re: ports/devel/pygame make install error

2018-12-28 Thread shadrock uhuru


On 12/27/18 3:35 PM, Edgar Pettijohn wrote:
>>>> i have openbsd 6.4 release installed
>>>> how do i fix this ?
> Don't mix release with current ports.
>
> Either install a current snapshot or ...
>
>> doas cvs -d anon...@anoncvs1.ca.openbsd.org:/cvs -q up -Pd -A
>>
> rm -rf /usr/ports
> And checkout a release ports tree.
>
> See the FAQ for instructions.
>
>> shadrock
>>
carried out instructions as above
and successfully installed pygame
i didn't notice i had used the wrong cvs update command

many thanks

shadrock



Re: ports/devel/pygame make install error

2018-12-27 Thread shadrock uhuru


On 12/27/18 3:48 AM, Anthony J. Bentley wrote:
> shadrock uhuru writes:
>> hi everyone
>>
>> i have openbsd 6.4 release installed
>>
>> when i try to make install  ports/devel/pygame i get an error stating
>>
>> create /usr/ports/packages/amd64/all/py-game-1.9.3.tgz
>> error: Libraries in packing-list in the port tree
>> and libraries from installed packages don't match
>>
>> how do i fix this ?
> As the error message says, the library versions you have installed
> don't match the library versions in your checked out ports tree.
> So update your ports tree and packages to -current.
>
> The remainder of the output (that you cut out) shows which exact
> libraries are out of sync on your system.


i have updated the packages with doas pkg_add -u
but when updating the port tree with the following command

doas cvs -d anon...@anoncvs1.ca.openbsd.org:/cvs -q up -Pd -A

i was continually getting  - packet_write_wait: Connection to
129.128.197.20 port 22: broken pipe but changed repository and managed to
complete the update but i still get the following error

Create /usr/ports/packages/amd64/all/py-game-1.9.3.tgz
Error: Libraries in packing-lists in the ports tree
   and libraries from installed packages don't match
--- /tmp/dep_cache.riRhLvqpZ/portstree-py-game-1.9.3    Thu Dec 27
14:58:48 2018
+++ /tmp/dep_cache.riRhLvqpZ/inst-py-game-1.9.3 Thu Dec 27 14:58:48 2018
@@ -3,7 +3,7 @@
 -W SDL_mixer.5.0
 -W SDL_ttf.8.1
 -W X11.16.1
--W jpeg.70.0
+-W jpeg.69.0
 -W png.17.5
 -W pthread.25.1
 -W freetype.29.0
*** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:3248
'wantlib-args')
*** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2014
'/usr/ports/packages/amd64/all/py-game-1.9.3.tgz')
*** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2475
'_internal-package')
*** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2454 'package')
*** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2027
'/var/db/pkg/py-game-1.9.3/+CONTENTS')
*** Error 1 in /usr/ports/devel/pygame
(/usr/ports/infrastructure/mk/bsd.port.mk:2454 'install')

shadrock



ports/devel/pygame make install error

2018-12-26 Thread shadrock uhuru
hi everyone

i have openbsd 6.4 release installed

when i try to make install  ports/devel/pygame i get an error stating

create /usr/ports/packages/amd64/all/py-game-1.9.3.tgz
error: Libraries in packing-list in the port tree
and libraries from installed packages don't match

how do i fix this ?

shadrock



keydisk not found when unhibernating

2018-11-27 Thread shadrock uhuru
hi everyone

on powering up the laptop after closing the lid
the keydisk is not found
i shut down the laptop with the power button
then restart it again
this time the keydisk is found.
is this behaviour normal for resuming from hibernation with an encrypted
filesystem ?

shadrock



apmd: howto resume with screen locked

2018-11-27 Thread shadrock uhuru


On 11/26/18 9:26 AM, Peter Hessler wrote:
> On 2018 Nov 26 (Mon) at 01:18:59 + (+), shadrock uhuru wrote:
> :
> :also how do i resume from hibernate or suspend with the screen locked
> :
> :i use i3 and lock the screen with xautolock and i3lock in .i3/config
> :
> :i put i3lock in /etc/apm/resume
> :
> :when i  resume from ZZZ no lock screen appears, i am brought straight
> :to  my desktop
> :
> :shadrock
> :
>
> /etc/apm/resume is run as root, so you'll need that script to run i3lock
> as your user, or to trigger i3's screenlock mechanism
>
> I have a similar thing enabled on my laptop, but it's in /etc/apm/suspend:
> pkill -USR1 -x xidle
>
>
HI Peter

thanks for the reply


i have removed my resume file

and created a suspend file and linked hibernate to it with the following
in suspend:

#!/bin/sh
pkill -USR1 -x xidle


i also removed the xautolock and i3lock line in .i3/config

and added the following to .xinitrc:

xscreensaver -no-splash &
xidle -program '/usr/X11R6/bin/xlock -mode random' -timeout 300 &

the screen lock now works as expected when resuming the laptop.

thanks

shadrock





apmd: howto resume with screen locked

2018-11-25 Thread shadrock uhuru


also how do i resume from hibernate or suspend with the screen locked

i use i3 and lock the screen with xautolock and i3lock in .i3/config

i put i3lock in /etc/apm/resume

when i  resume from ZZZ no lock screen appears, i am brought straight
to  my desktop

shadrock



apmd: howto resume with screen locked

2018-11-25 Thread shadrock uhuru
Hi everyone

i have in my /etc/rc.conf.local

apmd "-A -Z8 -t120"

my laptop doesn't hibernate when the power falls below 8%

is there more that i need to configure ?

shadrock



Re: carp mixed states

2012-05-28 Thread shadrock

hi thanks to everyone who responded,
the problem was due to connectivity on the em0 interface between both 
firewalls being blocked by pf.conf



Hi

On Fri, 18 may 2012 at 02:38 CEST
shadrock  wrote:

>  still looking for an answer to the following question
>  >  hi all
>  >  have configured two firewalls with carp
>  >  i have connectivity to the internet and the firewalls failover properly.
>  >  when i check the carp states of each firewall the slave reports that its
>  >  wan connection is in the master state the same as the master firewall
>  >  while the slave carp lan connection is in the backup state.
>  >  is this normal or should both carps be in backup for the slave ?
>  >  shadrock
>  >
>  >
>  >  master firewall
>  >  /etc/hostname.carp1
>  >  inet 10.5.5.1 255.255.255.0 10.5.5.255 vhid 1 carpdev em1 pass pass1
>  >
>  >  /etc/hostname.carp2
>  >  inet 192.168.5.1 255.255.255.0 192.168.5.255 vhid 2 carpdev em0 pass pass2
>  >
>  >  /etc/hostname.em0
>  >  inet 192.168.5.2 255.255.255.0
>  >
>  >  /etc/hostname.em1
>  >  inet 10.5.5.2 255.255.255.0 NONE
>  >
>  >  /etc/hostname.bge0
>  >  inet 172.16.0.2 255.255.255.0 NONE
>  >
>  >  /etc/hostname.pfsync0
>  >  up syncdev bge0
>  >
>  >
>  >  ifconfig -a
>  >
>  >  lo0: flags=8049   mtu 33196
>  >priority: 0
>  >groups: lo
>  >inet6 ::1 prefixlen 128
>  >inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
>  >inet 127.0.0.1 netmask 0xff00
>  >  bge0: flags=8843   mtu 1500
>  >lladdr 00:18:8b:60:7b:06
>  >priority: 0
>  >media: Ethernet autoselect (1000baseT
>  >  full-duplex,master,rxpause,txpause)
>  >status: active
>  >inet 172.16.0.2 netmask 0xff00 broadcast 172.16.0.255
>  >inet6 fe80::218:8bff:fe60:7b06%bge0 prefixlen 64 scopeid 0x1
>  >  em0: flags=8b43
>  >  mtu 1500
>  >lladdr 00:04:23:df:6b:a4
>  >priority: 0
>  >groups: egress
>  >media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
>  >status: active
>  >inet 192.168.5.2 netmask 0xff00 broadcast 192.168.5.255
>  >inet6 fe80::204:23ff:fedf:6ba4%em0 prefixlen 64 scopeid 0x2
>  >  em1: flags=8b43
>  >  mtu 1500
>  >lladdr 00:04:23:df:6b:a5
>  >priority: 0
>  >media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
>  >status: active
>  >inet 10.5.5.2 netmask 0xff00 broadcast 10.5.5.255
>  >inet6 fe80::204:23ff:fedf:6ba5%em1 prefixlen 64 scopeid 0x3
>  >  enc0: flags=41
>  >priority: 0
>  >groups: enc
>  >status: active
>  >  pfsync0: flags=41   mtu 1500
>  >priority: 0
>  >pfsync: syncdev: bge0 maxupd: 128 defer: off
>  >groups: carp pfsync
>  >  pflog0: flags=141   mtu 33196
>  >priority: 0
>  >groups: pflog
>  >  carp1: flags=8843   mtu 1500
>  >lladdr 00:00:5e:00:01:01
>  >priority: 0
>  >carp: MASTER carpdev em1 vhid 1 advbase 1 advskew 0
>  >groups: carp
>  >status: master
>  >inet6 fe80::200:5eff:fe00:101%carp1 prefixlen 64 scopeid 0x6
>  >inet 10.5.5.1 netmask 0xff00 broadcast 10.5.5.255
>  >  carp2: flags=8843   mtu 1500
>  >lladdr 00:00:5e:00:01:02
>  >priority: 0
>  >carp: MASTER carpdev em0 vhid 2 advbase 1 advskew 0
>  >groups: carp
>  >status: master
>  >inet6 fe80::200:5eff:fe00:102%carp2 prefixlen 64 scopeid 0x7
>  >inet 192.168.5.1 netmask 0xff00 broadcast 192.168.5.255
>  >
>  >
>  >  slave firewall
>  >
>  >  /etc/hostname.carp1
>  >  inet 10.5.5.1 255.255.255.0 10.5.5.255 vhid 1 carpdev em1 advskew 100
>  >  pass pass1
>  >
>  >  /etc/hostname.carp2
>  >  inet 192.168.5.1 255.255.255.0 192.168.5.255 vhid 2 carpdev em0 advskew
>  >  100 pass pass2
>  >
>  >  /etc/hostname.em0
>  >  inet 192.168.5.3 255.255.255.0
>  >
>  >  /etc/hostname.em1
>  >  inet 10.5.5.3 255.255.255.0 NONE
>  >
>  >  /etc/hostname.bge0
>  >  inet 172.16.0.3 255.255.255.0 NONE
>  >
>  >  /etc/hostname.pfsync0
>  >  up syncdev 

carp mixed states

2012-05-17 Thread shadrock

hi
still looking for an answer to the following question

hi all
have configured two firewalls with carp
i have connectivity to the internet and the firewalls failover properly.
when i check the carp states of each firewall the slave reports that its
wan connection is in the master state the same as the master firewall
while the slave carp lan connection is in the backup state.
is this normal or should both carps be in backup for the slave ?
shadrock


master firewall
/etc/hostname.carp1
inet 10.5.5.1 255.255.255.0 10.5.5.255 vhid 1 carpdev em1 pass pass1

/etc/hostname.carp2
inet 192.168.5.1 255.255.255.0 192.168.5.255 vhid 2 carpdev em0 pass pass2

/etc/hostname.em0
inet 192.168.5.2 255.255.255.0

/etc/hostname.em1
inet 10.5.5.2 255.255.255.0 NONE

/etc/hostname.bge0
inet 172.16.0.2 255.255.255.0 NONE

/etc/hostname.pfsync0
up syncdev bge0


ifconfig -a

lo0: flags=8049  mtu 33196
  priority: 0
  groups: lo
  inet6 ::1 prefixlen 128
  inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
  inet 127.0.0.1 netmask 0xff00
bge0: flags=8843  mtu 1500
  lladdr 00:18:8b:60:7b:06
  priority: 0
  media: Ethernet autoselect (1000baseT
full-duplex,master,rxpause,txpause)
  status: active
  inet 172.16.0.2 netmask 0xff00 broadcast 172.16.0.255
  inet6 fe80::218:8bff:fe60:7b06%bge0 prefixlen 64 scopeid 0x1
em0: flags=8b43
mtu 1500
  lladdr 00:04:23:df:6b:a4
  priority: 0
  groups: egress
  media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
  status: active
  inet 192.168.5.2 netmask 0xff00 broadcast 192.168.5.255
  inet6 fe80::204:23ff:fedf:6ba4%em0 prefixlen 64 scopeid 0x2
em1: flags=8b43
mtu 1500
  lladdr 00:04:23:df:6b:a5
  priority: 0
  media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
  status: active
  inet 10.5.5.2 netmask 0xff00 broadcast 10.5.5.255
  inet6 fe80::204:23ff:fedf:6ba5%em1 prefixlen 64 scopeid 0x3
enc0: flags=41
  priority: 0
  groups: enc
  status: active
pfsync0: flags=41  mtu 1500
  priority: 0
  pfsync: syncdev: bge0 maxupd: 128 defer: off
  groups: carp pfsync
pflog0: flags=141  mtu 33196
  priority: 0
  groups: pflog
carp1: flags=8843  mtu 1500
  lladdr 00:00:5e:00:01:01
  priority: 0
  carp: MASTER carpdev em1 vhid 1 advbase 1 advskew 0
  groups: carp
  status: master
  inet6 fe80::200:5eff:fe00:101%carp1 prefixlen 64 scopeid 0x6
  inet 10.5.5.1 netmask 0xff00 broadcast 10.5.5.255
carp2: flags=8843  mtu 1500
  lladdr 00:00:5e:00:01:02
  priority: 0
  carp: MASTER carpdev em0 vhid 2 advbase 1 advskew 0
  groups: carp
  status: master
  inet6 fe80::200:5eff:fe00:102%carp2 prefixlen 64 scopeid 0x7
  inet 192.168.5.1 netmask 0xff00 broadcast 192.168.5.255


slave firewall

/etc/hostname.carp1
inet 10.5.5.1 255.255.255.0 10.5.5.255 vhid 1 carpdev em1 advskew 100
pass pass1

/etc/hostname.carp2
inet 192.168.5.1 255.255.255.0 192.168.5.255 vhid 2 carpdev em0 advskew
100 pass pass2

/etc/hostname.em0
inet 192.168.5.3 255.255.255.0

/etc/hostname.em1
inet 10.5.5.3 255.255.255.0 NONE

/etc/hostname.bge0
inet 172.16.0.3 255.255.255.0 NONE

/etc/hostname.pfsync0
up syncdev bge0


ifconfig -a

lo0: flags=8049  mtu 33196
  priority: 0
  groups: lo
  inet6 ::1 prefixlen 128
  inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
  inet 127.0.0.1 netmask 0xff00
bge0: flags=8843  mtu 1500
  lladdr 00:18:8b:6c:4e:85
  priority: 0
  media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
  status: active
  inet 172.16.0.3 netmask 0xff00 broadcast 172.16.0.255
  inet6 fe80::218:8bff:fe6c:4e85%bge0 prefixlen 64 scopeid 0x1
em0: flags=8b43
mtu 1500
  lladdr 00:04:23:e3:c7:92
  priority: 0
  groups: egress
  media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
  status: active
  inet 192.168.5.3 netmask 0xff00 broadcast 192.168.5.255
  inet6 fe80::204:23ff:fee3:c792%em0 prefixlen 64 scopeid 0x2
em1: flags=8b43
mtu 1500
  lladdr 00:04:23:e3:c7:93
  priority: 0
  media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
  status: active
  inet 10.5.5.3 netmask 0xff00 broadcast 10.5.5.255
  inet6 fe80::204:23ff:fee3:c793%em1 prefixlen 64 scopeid 0x3
enc0: flags=41
  priority: 0
  groups: enc
  status: active
pfsync0: flags=41  mtu 1500
  priority: 0
  pfsync: syncdev: bge0 maxupd: 128 defer: off
  groups: carp pfsync
pflog0: flags=141  mtu 33196
  priority: 0
  groups: pflog
carp1: flags=8843  mtu 1500

carp mixed states

2012-05-13 Thread shadrock

hi all
have configured two firewalls with carp
i have connectivity to the internet and the firewalls failover properly.
when i check the carp states of each firewall the slave reports that its 
wan connection is in the master state the same as the master firewall 
while the slave carp lan connection is in the backup state.

is this normal or should both carps be in backup for the slave ?
shadrock


master firewall
/etc/hostname.carp1
inet 10.5.5.1 255.255.255.0 10.5.5.255 vhid 1 carpdev em1 pass pass1

/etc/hostname.carp2
inet 192.168.5.1 255.255.255.0 192.168.5.255 vhid 2 carpdev em0 pass pass2

/etc/hostname.em0
inet 192.168.5.2 255.255.255.0

/etc/hostname.em1
inet 10.5.5.2 255.255.255.0 NONE

/etc/hostname.bge0
inet 172.16.0.2 255.255.255.0 NONE

/etc/hostname.pfsync0
up syncdev bge0


ifconfig -a

lo0: flags=8049 mtu 33196
priority: 0
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
inet 127.0.0.1 netmask 0xff00
bge0: flags=8843 mtu 1500
lladdr 00:18:8b:60:7b:06
priority: 0
media: Ethernet autoselect (1000baseT 
full-duplex,master,rxpause,txpause)

status: active
inet 172.16.0.2 netmask 0xff00 broadcast 172.16.0.255
inet6 fe80::218:8bff:fe60:7b06%bge0 prefixlen 64 scopeid 0x1
em0: flags=8b43 
mtu 1500

lladdr 00:04:23:df:6b:a4
priority: 0
groups: egress
media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
status: active
inet 192.168.5.2 netmask 0xff00 broadcast 192.168.5.255
inet6 fe80::204:23ff:fedf:6ba4%em0 prefixlen 64 scopeid 0x2
em1: flags=8b43 
mtu 1500

lladdr 00:04:23:df:6b:a5
priority: 0
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active
inet 10.5.5.2 netmask 0xff00 broadcast 10.5.5.255
inet6 fe80::204:23ff:fedf:6ba5%em1 prefixlen 64 scopeid 0x3
enc0: flags=41
priority: 0
groups: enc
status: active
pfsync0: flags=41 mtu 1500
priority: 0
pfsync: syncdev: bge0 maxupd: 128 defer: off
groups: carp pfsync
pflog0: flags=141 mtu 33196
priority: 0
groups: pflog
carp1: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:01
priority: 0
carp: MASTER carpdev em1 vhid 1 advbase 1 advskew 0
groups: carp
status: master
inet6 fe80::200:5eff:fe00:101%carp1 prefixlen 64 scopeid 0x6
inet 10.5.5.1 netmask 0xff00 broadcast 10.5.5.255
carp2: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:02
priority: 0
carp: MASTER carpdev em0 vhid 2 advbase 1 advskew 0
groups: carp
status: master
inet6 fe80::200:5eff:fe00:102%carp2 prefixlen 64 scopeid 0x7
inet 192.168.5.1 netmask 0xff00 broadcast 192.168.5.255


slave firewall

/etc/hostname.carp1
inet 10.5.5.1 255.255.255.0 10.5.5.255 vhid 1 carpdev em1 advskew 100 
pass pass1


/etc/hostname.carp2
inet 192.168.5.1 255.255.255.0 192.168.5.255 vhid 2 carpdev em0 advskew 
100 pass pass2


/etc/hostname.em0
inet 192.168.5.3 255.255.255.0

/etc/hostname.em1
inet 10.5.5.3 255.255.255.0 NONE

/etc/hostname.bge0
inet 172.16.0.3 255.255.255.0 NONE

/etc/hostname.pfsync0
up syncdev bge0


ifconfig -a

lo0: flags=8049 mtu 33196
priority: 0
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
inet 127.0.0.1 netmask 0xff00
bge0: flags=8843 mtu 1500
lladdr 00:18:8b:6c:4e:85
priority: 0
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active
inet 172.16.0.3 netmask 0xff00 broadcast 172.16.0.255
inet6 fe80::218:8bff:fe6c:4e85%bge0 prefixlen 64 scopeid 0x1
em0: flags=8b43 
mtu 1500

lladdr 00:04:23:e3:c7:92
priority: 0
groups: egress
media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
status: active
inet 192.168.5.3 netmask 0xff00 broadcast 192.168.5.255
inet6 fe80::204:23ff:fee3:c792%em0 prefixlen 64 scopeid 0x2
em1: flags=8b43 
mtu 1500

lladdr 00:04:23:e3:c7:93
priority: 0
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active
inet 10.5.5.3 netmask 0xff00 broadcast 10.5.5.255
inet6 fe80::204:23ff:fee3:c793%em1 prefixlen 64 scopeid 0x3
enc0: flags=41
priority: 0
groups: enc
status: active
pfsync0: flags=41 mtu 1500
priority: 0
pfsync: syncdev: bge0 maxupd: 128 defer: off
groups: carp pfsync
pflog0: flags=141 mtu 33196
priority: 0
groups: pflog
carp1: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:01
priority: 0
carp: BACKUP carpdev em1 vhid 1 advbase 1 advskew 100
groups: carp
status: backup
inet6 fe80::200:5eff:fe00:101%carp1 prefixlen 64 scopeid

Re: ipsec.conf ,routers and endpoints - third try

2012-05-09 Thread shadrock

>  firewall dual homed
>  network facing static nic address = 5.5.5.4 (rfc1918/rfc6598)
>  virgin media router facing static nic address = 3.3.3.2
>  (rfc1918/rfc6598)
>  virgin media router static address = 3.3.3.3 (rfc1918/rfc6598)
>  virgin media dynamic wan address = 1.1.1.1 (internet-routable)
>  firewall default route = 3.3.3.3
>  network_a default route = 5.5.5.4

your local_gw address would be the router-facing rfc1918 address
and remote_gw would be the dynamic internet-routable address of the
other gateway.




>  hi stuart
>  thanks for your answer and advice,
>  i am working on a modified ddns update script to signal a restart of
>  isakmpd when the dynamic ip changes, will implement isakmpd else will
>  follow your suggestion and use openvpn for my net to net link, i had
>  already planned to use openvpn for my roadwarriors.
>  shadrock
>
>

The problem is that when the address of one side changes, it's the *other*
side that you need to restart. so you might want a regularly-run script to
do a lookup to work out when this needs doing, although in practice I don't
think VM change addresses all that often so it might be good enough to have
the update script email/text you to tell you to update the other side...

hi stuart
having reread your first post on the subject,
i now realize when the address of one side changes
it's the *other* side that needs to update remote_gw in ipsec.conf and 
restart.
i was considering each end running a script which used ping to check 
connectivity to the remote gateway like openvpn's method,
if ping timed out then a dns hostname lookup would be used to resolve 
the ip,
ipsec.conf would then be updated and restarted and an email sent to the 
manager of the network informing of the remote address change.

this would be all scripted so there would be no need for me to get involved.

shadrock
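
The watchdog described in the post above, sketched as a shell script; this is an added example, not code from the thread. The DDNS name peer.example.org, the ADMIN recipient, and the use of host(1), mail(1) and `ipsecctl -f` to reload are assumptions. The address returned by DNS is validated before it is written into ipsec.conf, and the file is replaced atomically with its private mode kept.

```shell
#!/bin/sh
# Added example: watchdog for an IPsec peer with a dynamic address.
# CONF, PEER_NAME and ADMIN are assumed values; override them in the environment.
CONF="${CONF:-/etc/ipsec.conf}"
PEER_NAME="${PEER_NAME:-peer.example.org}"   # hypothetical DDNS name of the remote gateway
ADMIN="${ADMIN:-root}"                       # who gets the change notice

# Accept only a dotted-quad IPv4 address with every octet in 0..255.
# Anything else (quotes, spaces, hostnames) must never reach ipsec.conf.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the value of the remote_gw macro from an ipsec.conf-style file.
get_remote_gw() {
    sed -n 's/^remote_gw[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Rewrite only the remote_gw macro. The new file is built next to the old one
# and renamed over it, so a reader never sees a half-written config, and it is
# kept at mode 0600 because ipsec.conf can hold pre-shared keys.
set_remote_gw() {
    conf=$1 new_ip=$2
    is_ipv4 "$new_ip" || return 1
    tmp=$(mktemp "${conf}.XXXXXX") || return 1
    sed "s/^\(remote_gw[[:space:]]*=[[:space:]]*\)\"[^\"]*\"/\1\"${new_ip}\"/" \
        "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp" && mv "$tmp" "$conf"
}

# Resolve the peer's DDNS name to a single IPv4 address.
resolve_peer() {
    host -t A "$1" 2>/dev/null | awk '/ has address /{print $NF; exit}'
}

# One watchdog pass: ping, and only on failure look up, rewrite, reload, notify.
check_peer() {
    current=$(get_remote_gw "$CONF")
    # Remote gateway still answers on the configured address: nothing to do.
    ping -c 3 -w 5 "$current" >/dev/null 2>&1 && return 0

    new_ip=$(resolve_peer "$PEER_NAME")
    is_ipv4 "$new_ip" || { echo "lookup of $PEER_NAME failed" >&2; return 1; }
    # Same address as before: the peer is down, not renumbered.
    [ "$new_ip" = "$current" ] && return 0

    cp -p "$CONF" "$CONF.prev"
    set_remote_gw "$CONF" "$new_ip" || return 1
    # Parse the new file without loading it; roll back if it does not parse.
    if ! ipsecctl -n -f "$CONF"; then
        mv "$CONF.prev" "$CONF"
        return 1
    fi
    ipsecctl -f "$CONF"
    echo "remote_gw changed from $current to $new_ip" |
        mail -s "ipsec peer address changed" "$ADMIN"
}

# Run from cron as: watchdog.sh check
if [ "${1:-}" = "check" ]; then
    check_peer
fi
```

The ping test assumes the remote router answers ICMP on its WAN address; where it does not, the lookup runs on every pass and the address comparison decides whether anything changes.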



Re: ipsec.conf ,routers and endpoints - third try

2012-05-07 Thread shadrock

hi stuart
thanks for your answer and advice,
i am working on a modified ddns update script to signal a restart of 
isakmpd when the dynamic ip changes, will implement isakmpd else will 
follow your suggestion and use openvpn for my net to net link, i had 
already planned to use openvpn for my roadwarriors.

shadrock



ipsec.conf ,routers and endpoints - third try

2012-05-04 Thread shadrock

my apologies for my first post

network topology

  home network                              remote network

  3.3.3.3      1.1.1.1        2.2.2.2      4.4.4.4
 -- router_a ---- internet ---- router_b --
|                                          |
|                                          |
|                                          |
|                                          |
| 3.3.3.2                          4.4.4.2 |
 firewall_a                      firewall_b
| 5.5.5.4                          7.7.7.4 |
|                                          |
|                                          |
|                                          |
 network_a                        network_b
 5.5.5.0/24                      7.7.7.0/24


---
network_a

home network = 5.5.5.0/24
firewall dual homed
network facing static nic address = 5.5.5.4 (rfc1918/rfc6598)
virgin media router facing static nic address = 3.3.3.2 (rfc1918/rfc6598)

virgin media router static address = 3.3.3.3 (rfc1918/rfc6598)
virgin media dynamic wan address = 1.1.1.1 (internet-routable)
firewall default route = 3.3.3.3
network_a default route = 5.5.5.4

network_b

home network = 7.7.7.0/24
firewall dual homed
network facing static nic address = 7.7.7.4 (rfc1918/rfc6598)
virgin media router facing static nic address = 4.4.4.2 (rfc1918/rfc6598)

virgin media router static address = 4.4.4.4 (rfc1918/rfc6598)
virgin media dynamic wan address = 2.2.2.2 (internet-routable)
firewall default route = 4.4.4.4
network_a default route = 7.7.7.4

both firewalls run ipsec
both firewalls run NAT
both will have ddns for the internet-routable address
both routers configured for vpn passthrough

network_a connects to firewall_a via a switch
firewall_a connects to router_a via a switch
router_a connects to virgin media cable

--

network_a ipsec.conf

# Macros
local_gw    = "local_addr"  # External interface
local_net   = "5.5.5.0/24"  # Local private network
remote_gw   = "remote_addr" # Remote IPsec gateway
remote_nets = "7.7.7.0/24"  # Remote private networks

# Set up the VPN between the gateway machines
ike esp from $local_gw to $remote_gw
# Between local gateway and remote networks
ike esp from $local_gw to $remote_nets peer $remote_gw
# Between the networks
ike esp from $local_net to $remote_nets peer $remote_gw

---

Q1: for my local_gw is local_addr 3.3.3.2 or 3.3.3.3 or 1.1.1.1
Q2: for my remote_gw is remote_addr 2.2.2.2 or 4.4.4.4 or 4.4.4.2



ipsec.conf ,routers and endpoints -- corrected

2012-05-03 Thread shadrock

my apologies for my first post

network topology

  home network                              remote network

  3.3.3.3      1.1.1.1        2.2.2.2      4.4.4.4
 -- router_a ---- internet ---- router_b --
|                                          |
|                                          |
|                                          |
|                                          |
| 3.3.3.2                          4.4.4.2 |
 firewall_a                      firewall_b
| 5.5.5.4                          7.7.7.4 |
|                                          |
|                                          |
|                                          |
 network_a                        network_b
 5.5.5.0/24                      7.7.7.0/24




---
network_a

home network = 5.5.5.0/24
firewall dual homed
network facing static nic address = 5.5.5.4 (rfc1918/rfc6598)
virgin media router facing static nic address = 3.3.3.2 (rfc1918/rfc6598)

virgin media router static address = 3.3.3.3 (rfc1918/rfc6598)
virgin media dynamic wan address = 1.1.1.1 (internet-routable)
firewall default route = 3.3.3.3
network_a default route = 5.5.5.4

network_b

home network = 7.7.7.0/24
firewall dual homed
network facing static nic address = 7.7.7.4 (rfc1918/rfc6598)
virgin media router facing static nic address = 4.4.4.2 (rfc1918/rfc6598)

virgin media router static address = 4.4.4.4 (rfc1918/rfc6598)
virgin media dynamic wan address = 2.2.2.2 (internet-routable)
firewall default route = 4.4.4.4
network_a default route = 7.7.7.4

both firewalls run ipsec
both firewalls run NAT
both will have ddns for the internet-routable address
both routers configured for vpn passthrough

network_a connects to firewall_a via a switch
firewall_a connects to router_a via a switch
router_a connects to virgin media cable

--

network_a ipsec.conf

# Macros
local_gw    = "local_addr"  # External interface
local_net   = "5.5.5.0/24"  # Local private network
remote_gw   = "remote_addr" # Remote IPsec gateway
remote_nets = "7.7.7.0/24"  # Remote private networks

# Set up the VPN between the gateway machines
ike esp from $local_gw to $remote_gw
# Between local gateway and remote networks
ike esp from $local_gw to $remote_nets peer $remote_gw
# Between the networks
ike esp from $local_net to $remote_nets peer $remote_gw

---

Q1: for my local_gw is local_addr 3.3.3.2 or 3.3.3.3 or 1.1.1.1
Q2: for my remote_gw is remote_addr 2.2.2.2 or 4.4.4.4 or 4.4.4.2




openvpn bridge ip/netmask

2006-05-31 Thread shadrock
I have a lan interface 
A tun0 interface
Both are bridged with bridge0
Bridge0 is configured by brconfig 
I have setup openvpn in bridge mode 
But only broadcasts and arp requests pass tun0

How do I add an address/ip to bridge0 ?

shadrock





openbsd 3.7 pkg_add error

2005-09-02 Thread shadrock
hi
i am having trouble installing a few of the packages from 3.7
postgresql, aide, syslog-ng all pkg_add fine
but
LPRng, gawk, tcpcat all return with errors
when i pkg_add LPRng it returns the following:

pkg_add ftp://ftp.openbsd.org/pub/OpenBSD/3.7/packages/i386/LPRng-3.8.21p0.tgz
Can't find ftp://ftp.openbsd.org/pub/OpenBSD/3.7/packages/i386/LPRng-3.8.21p0.tgz
/usr/sbin/pkg_add: ftp://ftp.openbsd.org/pub/OpenBSD/3.7/packages/i386/LPRng-3.8.21p0.tgz:Fatal error

has anyone come across this problem and what's the solution?

Shadrock
