Re: VLAN-tagging - follow-up

2024-06-07 Thread Loff


On Fri, Jun 07, 2024 at 03:04:54AM +, Martin wrote:
> Are you supposed to "bridge" the vlan with the physical interface?

No

> I have:
> 
> $ cat /etc/hostname.em0
> up
> 
> $ cat /etc/hostname.vlan101
> vnetid 101 parent em0
> inet autoconf
> up

OK

> In /etc/pf.conf I have replaced em0 with vlan101 for ext_if.

OK

> I get "No route to host" if I try to ping something, etc.
> 
> But if add:
> 
> $ cat /etc/hostname.bridge0
> add vlan101
> add em0
> up
> 
> Then it works.

When not bridged, what does ifconfig em0 and ifconfig vlan101 say?
And when the bridge is up, what does ifconfig bridge0 say?

What type of upstream device is em0 connected to?  Is it a simple modem
(e.g. an ONT) or a router of some sort?

> Was the bridge part missed in the previous emails about how to use
> VLAN-tagging or am I missing something?

No, there is no need to bridge them.  I gave you an example with veb
(layer 2) bridge, which is what I use to make a "passthrough" for a
specific VLAN, across two physical interfaces.


Going a bit deeper, to explain my questions above:
802.1Q VLANs are basically a tag that gets attached to a packet's
header.  And it is perfectly possible for both types of packets to
coexist in the same "wire".  Some of them might be tagged, some of them
might not.

When you create a VLAN interface with a physical interface as its parent
(like your vlan101 on em0) you are telling the kernel "pick up all
packets that arrive on this interface and that have this specific tag,
and bring them to me", for incoming traffic, and "take any packet I am
sending out of this interface and attach this VLAN tag to it".

Sidenote: this can be replicated many times, so you can have multiple
VLANs being handled by different interfaces, with different IPs on
different subnets, etc, all sharing the same wire, while being
segregated (hence the name "virtual LANs").

As I said above, tagged and untagged traffic can coexist, and all
untagged packets will still be routed through the physical interface
(em0).

Routers and some switches can add/remove tags from packets (e.g. you can
tell a switch to do something like "Get all vlan101 traffic from port 1,
strip the tag, and send it out on port 8, untagged.  Also, get all
incoming untagged traffic from port 8, and tag it with vlan101", etc).


Try bringing both interfaces down, removing their IP addresses (ifconfig
em0 -inet), and running:

tcpdump -ti em0 port \(66 or 67\)

on a terminal and then bring both interfaces up on a different terminal
and see what comes up.

As I said above, tagged and untagged traffic coexist on the physical
interface, so VLAN tagged traffic (i.e. packets that you will get on the
vlan101 interface) will show up in lines starting with

802.1Q vid 101 pri 1 ...

and untagged traffic (i.e. packets that will show up on em0) won't have
that.


*If* you are getting an IP on em0, then my guess is that one of two
things might be happening:

- there is a DHCP server upstream that is OK with getting untagged
  traffic, and so your em0 is getting configured through it

- your upstream device is getting tagged traffic from your ISP,
  stripping its tags and sending it to em0 untagged (and the other way
  round, for your outgoing traffic).


-- 
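The following is an added worked example, not part of the thread and not OpenBSD code: a small Python model of what the reply above describes.  It builds an Ethernet frame, inserts and strips an 802.1Q tag at the place where the kernel (on egress of vlan101) and a switch (when told to send a VLAN out untagged) would, and sorts a mix of tagged and untagged frames arriving on the same wire between the parent interface and a vlan(4) child, as the text explains.  The frames and MAC addresses are constructed, the names em0/vlan101 are taken from the thread, and unknown VIDs are simply counted as dropped by this model rather than being a statement about what the kernel does with them.

```python
"""Model of 802.1Q tagging as a host sees it: parse, tag, untag, demux.

Added example, not code from the thread.  All frames below are constructed.
"""
import struct

ETHERTYPE_VLAN = 0x8100   # TPID that marks a tagged frame
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes) -> dict:
    """Return header fields; vid/pri are None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_VLAN:
        return {"dst": dst, "src": src, "vid": None, "pri": None,
                "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    # TCI: 3 bits PCP (priority), 1 bit DEI, 12 bits VID
    return {"dst": dst, "src": src, "vid": tci & 0x0FFF, "pri": tci >> 13,
            "ethertype": inner, "payload": frame[18:]}


def tag(frame: bytes, vid: int, pri: int = 0) -> bytes:
    """Egress on vlan101: insert a 4-byte tag right after the two MACs."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    if not 0 <= pri <= 7:
        raise ValueError("PCP is a 3-bit field")
    if parse_frame(frame)["vid"] is not None:
        raise ValueError("frame already carries a tag")
    tci = (pri << 13) | vid
    return frame[:12] + struct.pack("!HH", ETHERTYPE_VLAN, tci) + frame[12:]


def untag(frame: bytes) -> bytes:
    """What a switch does when told to send a VLAN out of a port untagged."""
    if parse_frame(frame)["vid"] is None:
        raise ValueError("frame is not tagged")
    return frame[:12] + frame[16:]


def demux(frames, parent: str, vlan_ifaces: dict):
    """Ingress on the physical interface: a tagged frame whose VID has a
    vlan(4) child goes to that child, an untagged frame stays on the parent.
    Frames for VIDs without a child are counted as dropped in this model."""
    queues = {parent: []}
    queues.update({name: [] for name in vlan_ifaces.values()})
    dropped = 0
    for fr in frames:
        vid = parse_frame(fr)["vid"]
        if vid is None:
            queues[parent].append(fr)
        elif vid in vlan_ifaces:
            queues[vlan_ifaces[vid]].append(fr)
        else:
            dropped += 1
    return queues, dropped


def describe(frame: bytes) -> str:
    """tcpdump-style prefix, e.g. '802.1Q vid 101 pri 1 ethertype 0x0800'."""
    f = parse_frame(frame)
    if f["vid"] is None:
        return "ethertype 0x%04x" % f["ethertype"]
    return "802.1Q vid %d pri %d ethertype 0x%04x" % (f["vid"], f["pri"], f["ethertype"])


# Constructed sample: one untagged IPv4 frame with a dummy 20-byte payload.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("665544332211")
UNTAGGED = DST + SRC + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 19
TAGGED_101 = tag(UNTAGGED, 101, pri=1)

if __name__ == "__main__":
    wire = [UNTAGGED, TAGGED_101, tag(UNTAGGED, 100), tag(UNTAGGED, 999)]
    for fr in wire:
        print(describe(fr))
    queues, dropped = demux(wire, "em0", {101: "vlan101"})
    print({k: len(v) for k, v in queues.items()}, "dropped:", dropped)
```

Running it prints one line per frame in the same shape as the tcpdump output quoted above, then shows that of four frames on the wire one lands on em0, one on vlan101 and two (VIDs 100 and 999, no child interface) are not delivered anywhere in this model.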
 



Re: No mails since 2 days

2024-06-06 Thread Loff


On Thu, Jun 06, 2024 at 09:18:46PM +0300, Mihai Popescu wrote:
> > I haven't got no mails in the last two days.
> > Can you tell me something about the issue?
> 
> I was very unfortunate in the last 10 years.
> Can you fix this? Or help me to debug.
> 
> tx
> 

There's a chance he won't get the joke.  Nor the email.


-- 
 



Re: VLAN-tagging, how?

2024-05-31 Thread Loff
On Thu, May 30, 2024 at 10:12:12PM +, Martin wrote:
> I am currently using a home made router with OpenBSD which is connected
> directly to my ISP's fiber router. The OpenBSD router is setup with a
> fixed IP on the WAN port and I do internal NAT etc.
> 
> In about a month a new ISP is going to provide internet via the fiber
> and they are changing the equipment.
> 
> What they have told me is that in order to use my own router, the
> router has to support VLAN tagging.
> 
> The statement I got was:
> 
> "We send traffic out on VLAN 100 so your router needs to be tagged to
> 100. Then all it has to do is to get an IP via DHCP."
> 
> I have not done any VLAN stuff before and I am unsure exactly how to do
> this.
> 
> Is this possible and how exactly is that done?
> 
> Thanks.
> 

Keeping it simple (change re1 to whatever is relevant in your case):

# cat /etc/hostname.re1
up

# cat /etc/hostname.vlan100
vnetid 100 parent re1
inet autoconf
up

So, in summary, (1) make sure the physical interface comes up and (2)
create a VLAN interface, with 100 as the VLAN number, the physical
interface as its parent.  The rest is the same as for any other
interface (inet autoconf and up).



Incidentally, I am running this with an ISP that also provides VoIP over
VLAN 101, which I don't want to filter, rather sending it straight to
the VoIP phone they provided (which gets configured via DHCP).  I
achieved this by 

(1) creating an interface on VLAN 101, with the external physical
interface as the parent:

# cat /etc/hostname.vlan1010  <- the extra 0 at the end is not a typo
vnetid 101 parent re1
up

(2) creating another interface on the same VLAN, but with an internal
interface as the parent:

# cat /etc/hostname.vlan1011  <- note the extra 1 at the end
vnetid 101 parent re2
up

(3) bridging them together

# cat /etc/hostname.veb101
add vlan1010
add vlan1011
up





Re: ifconfig autoconf stopped working - how to debug?

2024-05-27 Thread Loff
On Mon, May 27, 2024 at 01:51:25PM +0100, Chris Narkiewicz wrote:
> I have a netcup VPS and it crashed recently. After service restoration
> and fsck, the system cannot obtain IPv4 using autoconf.
> 
> I'm wondering how I can debug DHCP autoconfiguration.  dhclient -v -d
> doesn't show anything, as the functionality has been moved to
> ifconfig.

dhcpleased now handles this.  You can run it with -d and with one or
more "-v"s.  You can also use dhcpleasectl to request a new lease.

> 
> ifconfig vio0 debug doesn't print anything.
> 
> Best regards,
> Chris Narkiewicz
> 

-- 
 



Re: Q: Problems forwarding traffic using pf ...

2024-05-24 Thread Loff
On Fri, May 24, 2024 at 06:04:25PM +0200, Peter N. M. Hansteen wrote:
> On Thu, May 23, 2024 at 11:14:20AM +0200, Why 42? The lists account. wrote:
> > pfctl reports:
> > # pfctl -vvs rules | grep @
> > @0 block return log all
> > @1 pass in log on em0 inet proto udp from 192.168.178.166 to any tag UDP
> > @2 pass out log on ure0 all flags S/SA tagged UDP

Why set "flags S/SA" on a rule meant for UDP packets?

> > 
> > I see that rule 1 is matched, but never rule 2. E.g.
> > ...
> > May 23 10:32:06.602759 rule 0/(match) block in on em0: 192.168.178.179.5353 
> > > 224.0.0.251.5353: 46[|domain] (DF)
> > May 23 10:32:06.603963 rule 0/(match) block in on em0: 
> > fe80::4434:8bff:fecd:b116.5353 > ff02::fb.5353: 46[|domain] [flowlabel 
> > 0xbaff9]
> > May 23 10:32:09.700212 rule 0/(match) block in on em0: 192.168.178.254 > 
> > 224.0.0.1: igmp query [len 12] (DF) [tos 0xc0] [ttl 1]
> > May 23 10:32:13.267374 rule 1/(match) pass in on em0: 192.168.178.166.56334 
> > > 192.168.178.11.54321: udp 7
> 
> So this last one never leaves, right?
> 
> what does the gateway's routing table say about how to reach the destination 
> network?
> 
> also relevant, what is the configuration of the interfaces involved?
> 
> I'm thinking this could be down to using RFC1918 addresses and not being 
> extra careful
> about netmasks and routes, but we need more info on the actual configuration 
> to be sure.
> 
> - Peter
> 
> -- 
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
> 

-- 
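Added example, not code from the thread: a Python script that does the rule-number bookkeeping these replies rely on, reading "pfctl -vvs rules | grep @" on one side and "tcpdump -neti pflog0" on the other, so that a "rule 1/(match) pass in" line can be read next to the rule text instead of counting rules by hand.  It also lists packets that were passed in but never logged as passed out, which is the symptom reported above, and it serves the 2024-04-12 reply further down, which describes the same tcpdump/pfctl procedure.  The sample inputs are the pfctl and tcpdump lines quoted in this thread, re-joined onto single lines (the mail client had wrapped them), plus the igc1 line quoted in the 2024-04-14 reply; everything else is constructed.

```python
"""Correlate 'tcpdump -neti pflog0' lines with 'pfctl -vvs rules' numbering.

Added example, not code from the thread.  Sample text below is taken from
the thread and re-joined onto single lines.
"""
import ipaddress
import re
from typing import Optional, Tuple

PFCTL_RULES = """\
@0 block return log all
@1 pass in log on em0 inet proto udp from 192.168.178.166 to any tag UDP
@2 pass out log on ure0 all flags S/SA tagged UDP
"""

PFLOG_LINES = """\
May 23 10:32:06.602759 rule 0/(match) block in on em0: 192.168.178.179.5353 > 224.0.0.251.5353: 46[|domain] (DF)
May 23 10:32:06.603963 rule 0/(match) block in on em0: fe80::4434:8bff:fecd:b116.5353 > ff02::fb.5353: 46[|domain] [flowlabel 0xbaff9]
May 23 10:32:09.700212 rule 0/(match) block in on em0: 192.168.178.254 > 224.0.0.1: igmp query [len 12] (DF) [tos 0xc0] [ttl 1]
May 23 10:32:13.267374 rule 1/(match) pass in on em0: 192.168.178.166.56334 > 192.168.178.11.54321: udp 7
rule 4/(match) pass in on igc1: 192.168.2.252 > 17.253.53.207: icmp: echo request
"""

RULE_RE = re.compile(r"^@(\d+)\s+(.*)$")
PFLOG_RE = re.compile(
    r"^(?:(?P<ts>\S+ +\d+ [\d:.]+) )?"                 # timestamp; absent with -t
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]+)\) "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>[\w.]+): "
    r"(?P<src>\S+) > (?P<dst>\S+):\s*(?P<rest>.*)$")


def parse_rules(text: str) -> dict:
    """'@N rule text' -> {N: 'rule text'}."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules[int(m.group(1))] = m.group(2).strip()
    return rules


def split_hostport(s: str) -> Tuple[str, Optional[int]]:
    """tcpdump prints host.port; ICMP and IGMP carry no port.  The split is
    validated by parsing the host part as an address, which handles IPv6
    (no dots) and bare IPv4 (the last octet is not a port)."""
    host, dot, port = s.rpartition(".")
    if dot and port.isdigit():
        try:
            ipaddress.ip_address(host)
            return host, int(port)
        except ValueError:
            pass
    return s, None


def parse_pflog(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["rule"] = int(e["rule"])
        e["src_host"], e["src_port"] = split_hostport(e.pop("src"))
        e["dst_host"], e["dst_port"] = split_hostport(e.pop("dst"))
        events.append(e)
    return events


def correlate(rules: dict, events: list) -> list:
    """Attach the rule text to each logged packet."""
    return [dict(e, rule_text=rules.get(e["rule"], "<unknown rule>")) for e in events]


def rule_hits(events: list) -> dict:
    counts = {}
    for e in events:
        counts[e["rule"]] = counts.get(e["rule"], 0) + 1
    return counts


def pass_in_without_pass_out(events: list) -> list:
    """Packets passed in for which no 'pass out' with the same endpoints was
    logged: the 'rule 1 matched, rule 2 never' symptom."""
    outs = {(e["src_host"], e["dst_host"]) for e in events
            if e["action"] == "pass" and e["dir"] == "out"}
    return [e for e in events
            if e["action"] == "pass" and e["dir"] == "in"
            and (e["src_host"], e["dst_host"]) not in outs]


if __name__ == "__main__":
    rules = parse_rules(PFCTL_RULES)
    events = parse_pflog(PFLOG_LINES)
    for e in correlate(rules, events):
        print(f'rule {e["rule"]:>2} {e["action"]:5} {e["dir"]:3} {e["iface"]}: '
              f'{e["src_host"]} > {e["dst_host"]}  [{e["rule_text"]}]')
    print("hits:", rule_hits(events))
    print("stuck:", [(e["src_host"], e["dst_host"]) for e in pass_in_without_pass_out(events)])
```

In practice you would feed it the two command outputs through pipes or files; note that the rule numbers only line up if the ruleset was not reloaded between the pfctl listing and the tcpdump capture, which is why the listing should be taken immediately after loading the rules.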
 



Re: Q: Problems forwarding traffic using pf ...

2024-05-23 Thread Loff
On Thu, May 23, 2024 at 08:24:03PM +0300, Kapetanakis Giannis wrote:
> On 23/05/2024 20:18, Peter N. M. Hansteen wrote:
> > On Thu, May 23, 2024 at 11:14:20AM +0200, Why 42? The lists account. wrote:
> > > I need to quickly create a solution for forwarding multicast traffic
> > > between two systems, so I though perhaps I could use pf to do just that
> > > by writing some rules along the lines of:
> > > 
> > >  1. pass in on iface A proto UDP ... tag mcast
> > >  2. pass out on iface B tagged mcast
> > > 
> > >  And another pair of rules for the reverse direction B -> A.
> > > 
> > > (Obviously I'd add more options to filter specific addresses, etc.)
> > Possibly stupid question, but did you set the sysctl(s) to enable 
> > forwarding?
> > 
> > $ sysctl net.inet.ip.forwarding
> > 
> > and
> > 
> > $ sysctl net.inet6.ip6.forwarding
> > 
> > will provide the answer (as in, if those values are not 1, forwarding
> > between interfaces is not enabled)
> > 
> > 
> And there is also mforwarding
> 
> net.inet.ip.forwarding
> net.inet.ip.mforwarding
> net.inet6.ip6.forwarding
> net.inet6.ip6.mforwarding
> 
> G
> 

And multicast=YES in rc.conf.local
-- 
 



Re: Hardware recommendation for small form factor, noiseless, server

2024-05-06 Thread Loff


On Mon, May 06, 2024 at 09:03:17PM +0100, James Johnson wrote:
> Hi all,
> 
> can anyone please advise on what computer I can purchase with the following 
> requirements:
> 
> - fully supports OpenBSD
> - no noise
> - good quality wifi
> - small form factor preferably
> - processor does not need to be fast (no highly intensive compute load)
> - low RAM need
> - needs 1 TB of hard drive at least
> - will be used only remotely, for basic and low-intensity server-type 
> applications (no desktop use)
> - under $500
> 
> Thanks!
> James

You can get a Fujitsu Futro S920 with a quad-core AMD GX-424GC @2.4GHz,
up to 8GB RAM, for around €75.  Models with a GX-222GC (dual-core
@2.1GHz) or a GX-415GA (quad-core @1.5GHz) go for even less.  Stick a
wifi card and a 2.5" disk in it, and Bob's your uncle.

I have one as (very) low traffic web + mail server, and another as a
development machine running a VM with Alpine Linux hosting docker
containers (which works better than I anticipated, honestly).

dmesg for a model with a GX-222GC dual-core @2.2GHz (no wifi, though):

OpenBSD 7.5 (GENERIC.MP) #82: Wed Mar 20 15:48:40 MDT 2024 
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8213266432 (7832MB)
avail mem = 7943299072 (7575MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xacfdc018 (55 entries)
bios0: vendor FUJITSU // American Megatrends Inc. version "V4.6.5.4 R1.16.0 for 
D3313-G1x" date 08/13/2018
bios0: FUJITSU FUTRO S920
acpi0 at bios0: ACPI 5.0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT TCPA MCFG HPET SSDT SSDT SSDT SSDT SSDT
acpi0: wakeup devices LAN1(S4) LAN2(S4) LAN3(S4) SBAZ(S4) EHC1(S4) EHC2(S4) 
EHC3(S4) XHC0(S4) GFX_(S3)
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD GX-222GC SOC with Radeon(TM) R5E Graphics, 2196.02 MHz, 16-30-01, 
patch 07030106
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,DBKP,PERFTSC,PCTRL3,HWPSTATE,ITSC,BMI1,IBPB,XSAVEOPT
cpu0: 32KB 64b/line 8-way D-cache, 32KB 64b/line 2-way I-cache, 1MB 64b/line 
16-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD GX-222GC SOC with Radeon(TM) R5E Graphics, 2196.05 MHz, 16-30-01, 
patch 07030106
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,DBKP,PERFTSC,PCTRL3,HWPSTATE,ITSC,BMI1,IBPB,XSAVEOPT
cpu1: 32KB 64b/line 8-way D-cache, 32KB 64b/line 2-way I-cache, 1MB 64b/line 
16-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 3 pa 0xfec0, version 21, 24 pins
ioapic1 at mainbus0: apid 4 pa 0xfec01000, version 21, 32 pins
acpimcfg0 at acpi0
acpimcfg0: addr 0xe000, bus 0-255
acpihpet0 at acpi0: 14318180 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (GPP0)
acpiprt2 at acpi0: bus -1 (GPP1)
acpiprt3 at acpi0: bus -1 (GPP2)
acpiprt4 at acpi0: bus -1 (GPP3)
acpiprt5 at acpi0: bus -1 (GFX_)
acpipci0 at acpi0 PCI0: 0x 0x0011 0x0001
com0 at acpi0 UAR0 addr 0x3f8/0x8 irq 4: ns16550a, 16 byte fifo
com0: console
acpicmos0 at acpi0
com1 at acpi0 UAR1 addr 0x2f8/0x8 irq 3: ns16550a, 16 byte fifo
"FUJ02E3" at acpi0 not configured
acpibtn0 at acpi0: PWRB
tpm0 at acpi0 TPM_ 1.2 (TIS) addr 0xfed4/0x5000, device 0x001a15d1 rev 0x10
acpicpu0 at acpi0: C2(0@400 io@0x414), C1(@1 halt!), PSS
acpicpu1 at acpi0: C2(0@400 io@0x414), C1(@1 halt!), PSS
acpivideo0 at acpi0: VGA_
acpivout0 at acpivideo0: LCD_
acpivideo1 at acpi0: VGA_
cpu0: 2196 MHz: speeds: 2200 2000 1800 1600 1400 1200 1000 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "AMD 16h Root Complex" rev 0x00
radeondrm0 at pci0 dev 1 function 0 "ATI Mullins" rev 0x06
drm0 at radeondrm0
radeondrm0: msi
azalia0 at pci0 dev 1 function 1 "ATI Radeon HD Audio" rev 0x00: msi
azalia0: no supported codecs
pchb1 at pci0 dev 2 function 0 "AMD 16h Host" rev 0x00
ppb0 at pci0 dev 2 function 2 "AMD 16h PCIE" rev 0x00: msi
pci1 at ppb0 bus 1
re0 at pci1 dev 0 function 0 "Realtek 8168" rev 0x0c: RTL8168G/8111G (0x4c00), 
msi, address 4c:52:62:11:13:ef
rgephy0 at re0 phy 7: RTL8251 PHY, rev. 0
ccp0 at pci0 dev 8 function 0 "AMD 16h Crypto" rev 0x00
ahci0 at pci0 dev 17 function 0 "AMD Hudson-2 SATA" rev 0x40: msi, AHCI 1.3
ahci0: port 0: 

Re: Relayd forward to multiple ports on one target host?

2024-05-02 Thread Loff


On Thu, May 02, 2024 at 06:34:51AM -0700, Paul Pace wrote:
> Hello!
> 
> I have an OpenBSD server that hosts multiple services listening on various
> ports (some projects have their own web server, some projects require a
> reverse proxy, some projects just use httpd, etc.). This server receives
> requests via relayd on a different server. I was hoping to not insert relayd
> between every request to the host, but it's not the end of the world if this
> is the only viable solution while using relayd.
> 
> The requests to relayd go to domains (e.g., www.example.com,
> serviceone.example.com, servicetwo.example.com, etc.) for web services
> (ports 80 and 443), but I cannot figure out a way to specify a port on the
> target server to forward requests to when there are multiple ports (e.g.,
> www is on port 80, serviceone is on port 8080, servicetwo is on port 3,
> etc.). Running relayd -n does not report syntax errors when there are
> multiple forward to rules for the same target server with different ports in
> the relay block, but I can't find a way to specify which request should go
> to which port.
> 
> Thank you,
> 
> Paul
> 

Not sure if this is what you are looking for but, I use something like
this on my relayd.conf:

table <www> { 10.17.16.10 }
table <serviceone> { 10.17.16.10 }
table <servicetwo> { 10.17.16.10 }

http protocol "http_revproxy" {
  match request header "Host" value "www.example.com" forward to <www>
  match request header "Host" value "serviceone.example.com" forward to <serviceone>

}
https protocol "https_revproxy" {
  tls keypair "servicetwo.example.com"
  match request header "Host" value "servicetwo.example.com" forward to <servicetwo>

}

relay "http_relay" {
  listen on re0 port 80
  protocol "http_revproxy"

  forward to <www> port 80 check tcp
  forward to <serviceone> port 8080 check tcp
}
relay "https_relay" {
  listen on re0 port 443
  protocol "https_revproxy"

  forward to <servicetwo> port  check tcp
}


Three notes:
- servicetwo is internally served over simple HTTP (i.e. no TLS) on port
  . So you get HTTPS between the client and relayd, and HTTP between
  relayd and the service itself

- change re0 to the appropriate interface on the "listen" lines

- I find it preferable to have everything going through relayd,
  especially since it makes it easier for me to centralise the whole TLS
  certificates dance.

-- 



Re: Usb tethering

2024-04-27 Thread Loff
On Sat, Apr 27, 2024 at 07:48:29AM +0400, Pascal wrote:
> Internet on phone is ok with -70dBm 4G

Even if it is connected to a cellular network, that doesn't mean that
it is configured for packet switching, your contract with your operator
might not allow for mobile data services, etc.  That's why it's important
to know if the phone _itself_ can access the internet.  Another way to
be sure would be to tether a machine running some other OS, and see if
things change, but that may not be necessary.

> No results when ping to google.com

Does google.com get resolved to an IP address? The first line of ping's
output should be something like

PING google.com (142.250.200.78) [...]

If it doesn't get resolved, you'll get something like

ping: no address associated with name


If your OpenBSD box is unable to resolve hostnames, even after getting
urndis0 properly configured via DHCP, then I strongly suspect the problem
is that your phone isn't configured for internet access.

> No pf here
> 
> 26 Apr. 2024 19:25:32 Zé Loff:
> 
> > On Fri, Apr 26, 2024 at 06:53:33PM +0400, Pascal wrote:
> >> https://qsl.net/fr5dh/route.jpg
> >> https://qsl.net/fr5dh/ifconfig.jpg
> >> 
> >> Sorry for the format...
> >> 
> >> 26 Apr. 2024 15:37:36 Zé Loff:
> >> 
> >>> On Fri, Apr 26, 2024 at 03:19:58PM +0400, Pascal wrote:
> >>>> GM/GA
> >>>> 
> >>>> Would like connect to internet with usb tethering on openbsd 7.4  and 
> >>>> Phone SM-A426B.
> >>>> 
> >>>> After: # ifconfig urndis0 up autoconf
> >>>> I can't : fw_update & syspatch
> >>>> Failed timeout
> >>>> 
> >>>> Any idea please?
> >>>> 
> >>>> -- 
> >>>> Pascal
> >>>> 
> >>>> 
> >>> 
> >>> What's the output of "ifconfig urndis0" and "route -n show"?
> >>> 
> >>> -- 
> >>>  
> >> 
> >> -- 
> >> Pascal
> >> 
> >> 
> > 
> > So you get an IP from your phone, and it is your default gateway.
> > Everything seems normal, there.  Does your phone have internet access
> > itself?
> > 
> > And on the OpenBSD box:
> > - Can you resolve hostnames?
> > - Can you access other websites?
> > - Are you running pf to do some sort of filtering?
> > 
> > -- 
> >  
> 
> -- 
> Pascal
> 
> 

-- 
 



Re: Usb tethering

2024-04-26 Thread Loff
On Fri, Apr 26, 2024 at 06:53:33PM +0400, Pascal wrote:
> https://qsl.net/fr5dh/route.jpg
> https://qsl.net/fr5dh/ifconfig.jpg
> 
> Sorry for the format...
> 
> 26 Apr. 2024 15:37:36 Zé Loff:
> 
> > On Fri, Apr 26, 2024 at 03:19:58PM +0400, Pascal wrote:
> >> GM/GA
> >> 
> >> Would like connect to internet with usb tethering on openbsd 7.4  and 
> >> Phone SM-A426B.
> >> 
> >> After: # ifconfig urndis0 up autoconf
> >> I can't : fw_update & syspatch
> >> Failed timeout
> >> 
> >> Any idea please?
> >> 
> >> -- 
> >> Pascal
> >> 
> >> 
> > 
> > What's the output of "ifconfig urndis0" and "route -n show"?
> > 
> > -- 
> >  
> 
> -- 
> Pascal
> 
> 

So you get an IP from your phone, and it is your default gateway.
Everything seems normal, there.  Does your phone have internet access
itself?

And on the OpenBSD box:
- Can you resolve hostnames?
- Can you access other websites?
- Are you running pf to do some sort of filtering?

-- 
 



Re: Usb tethering

2024-04-26 Thread Loff
On Fri, Apr 26, 2024 at 03:19:58PM +0400, Pascal wrote:
> GM/GA
> 
> Would like connect to internet with usb tethering on openbsd 7.4  and Phone 
> SM-A426B.
> 
> After: # ifconfig urndis0 up autoconf
> I can't : fw_update & syspatch
> Failed timeout
> 
> Any idea please?
> 
> -- 
> Pascal
> 
> 

What's the output of "ifconfig urndis0" and "route -n show"?

-- 
 



Re: Firewall setup

2024-04-16 Thread Loff


On Tue, Apr 16, 2024 at 12:01:38AM +0200, Karel Lucas wrote:
> 
> Op 15-04-2024 om 22:20 schreef Peter N. M. Hansteen:
> > On Mon, Apr 15, 2024 at 10:09:31PM +0200, Karel Lucas wrote:
> > > This gives the following error messages when booting:
> > > no IP address found for igc1:network
> > > /etc/pf.conf:41: could not parse host specification
> > > no IP address found for igc2:network
> > > /etc/pf.conf:42: could not parse host specification
> > This sounds to me like those interfaces either do not exist or
> > have not been correctly configured.
> > 
> > Are those interfaces configured, as in do they have IP addresses?
> > 
> > the output of ifconfig igc1 and ifconfig igc2 will show you.
> > 
> Output from ifconfig igc0:
> igc0: flags=8b43
> mtu 1500
>         lladdr 7c:2b:e1:13:dd:f4
>         index 1 priority 0 llprio 3
>         media: Ethernet autoselect (1000baseT full-duplex)
>         status: active
> 
> Output from ifconfig igc1:
> igc1: flags=8b43
> mtu 1500
>         lladdr 7c:2b:e1:13:dd:f5
>         index 2 priority 0 llprio 3
>         media: Ethernet autoselect (1000baseT full-duplex)
>         status: active
> 
> Output from ifconfig igc2:
> igc2: flags=8b43
> mtu 1500
>         lladdr 7c:2b:e1:13:dd:f6
>         index 3 priority 0 llprio 3
>         media: Ethernet autoselect (none)
>         status: no carrier
> 
> /etc/hostname.bridge0:
> add igc0 add igc1 add igc2 blocknonip igc0 blocknonip igc1 blocknonip igc2
> up
> 
> /etc/hostname.igc0:
> up
> 
> /etc/hostname.igc1:
> up
> 
> /etc/hostname.igc2:
> up
> 

Either Stuart is right, and you are trying to put up some weird
firewall, or Diana is right, and you are way out of your depth and need
to learn some of the basics of IPv4 networking.  Or they are both right.
Either way, Peter is also right: you have been giving us information
piecemeal, and not only does this not help you solve your problems, it
can also be frustrating for the rest of us, because you've (involuntarily)
been wasting our time, chasing the wrong problem.  Your issues seem to
be broader than just configuring PF.

Incidentally, this is also an example of why copying/pasting stuff into
your machine is often a bad idea.  You need to understand what you are
putting in there, bit by bit.  Otherwise either it will fail immediately
(as in your case) or it will fail later, the first time you try to
tweak it.  And with a firewall being key in network security, you'll
really want to get it right.

There is no harm in not knowing things, no one is born knowing what a
routing table is, we've all had to start somewhere (I hope you don't
find this patronizing, that's really not the point).  And, as you've
just seen, despite this mailing list having a reputation of being
unfriendly, you've got plenty of people willing to help.  There are just
a few steps you need to take _on your own_ first.

Peter's book is great for PF, as is the PF user's guide [1].  For the
networking bits you can also take a look at the respective chapters on
Michael W. Lucas' "Absolute OpenBSD" [2].  Palmer and Nazario's "Secure
architectures with OpenBSD" also helped me a lot with system
administration in general, back in the day.  Others might have other
suggestions, I'm sure there's a ton of stuff out there.

[1] https://www.openbsd.org/faq/pf/index.html
[2] https://www.michaelwlucas.com/os/ao2e


-- 
 



Re: Firewall setup

2024-04-14 Thread Loff
On Sun, Apr 14, 2024 at 05:09:01PM +0200, Karel Lucas wrote:
> Hi all,
> 
> Everything about PF is all very confusing to me at the moment, so any help
> is appreciated. So let's start simple and then proceed step by step. I want
> to continue with ping so that I can test the connection to the internet.
> This works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10
> www.apple.com. As others have stated, I have a problem with using DNS
> servers on the internet. The PF ruleset needs to be adjusted for this, but
> it is still not clear to me how to do that. What else do I need to get ping
> to work correctly?

You are blocking everything by default, with the "block log all" on top
of your ruleset.  This means that _everything_ needs to be explicitly
allowed in and out of your firewall.

If you want to resolve hostnames, you need to allow DNS requests (i.e.
traffic _to_ UDP port 53) to enter and leave the firewall.  So if a
machine on your LAN needs to make a DNS request, you need something like

pass in on $int_if proto udp to port 53

You have a $nameservers macro, which suggests you want to allow traffic
to only those two, so you could rewrite the above rule as 

pass in on $int_if proto udp to $nameservers port 53

But then you need to make sure every machine on your LAN uses those IPs
as resolvers, otherwise they'll try to query other DNS servers and fail.

As I said on a reply to your other thread, you will probably need to use
NAT on your egress traffic.

I personally prefer to keep the most general rules at the top, and then
to the specifics, so I would move "pass out all" next to "block log
all", but it's a matter of taste. 

> To get started simply, I created a new pf.conf file, see
> below.
> 
> 
> /etc/pf.conf:
> 
> ext_if = igc0                              # The interface to the outside
> world
> int_if = "{ igc1, igc2 }"                # The interfaces to the private
> hosts
> localnet = "192.168.2.0/24"      # Hosts on the screened LAN
> 
> tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> udp_services = "{ domain, ntp }"
> email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> icmp_types = "{ echoreq, unreach }"
> icmp6_types = "{ echoreq, unreach }"
> nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
>                       446, cvspserver, 2628, 5999, 8000, 8080 }"
> martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>                     10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
>                     0.0.0.0/8, 240.0.0.0/4 }"
> 
> # Options:
> set block-policy return
> 
> set skip on lo
> 
> block log all                # block stateless traffic
> 
> # Normalize packets:
> match in all scrub ( no-df max-mss 1440 )
> 
> block in quick on $ext_if from $martians to any
> block out quick on $ext_if from any to $martians
> 
> # Letting ping through:
> pass log on inet proto icmp icmp-type $icmp_types
> pass log on inet6 proto icmp6 icmp6-type $icmp6_types
> 
> pass out all
> 
> 

-- 
 



Re: No internet connection (firewall block)

2024-04-14 Thread Loff


On Sun, Apr 14, 2024 at 04:33:58PM +0200, Karel Lucas wrote:
> Output from "tcpdump -neti pflog0":
> tcpdump: WARNING: snaplen raised from 116 to 160
> tcpdump: listening on pflog0, link-type PFLOG
> ...
> rule 4/(match) pass in on igc1: 192.168.2.252 > 17.253.53.207: icmp: echo
> request
> ...
> 
> output from "pfctl -sr -R 4":
> pass log inet proto icmp all icmp-type echoreq

CAVEAT: I assume that 17.253.53.207 is NOT the address of igc0, and that
you are trying to ping a host on the internet.  If this is not true
(i.e. if you are pinging the internet-facing IP of your firewall), some
of what I write below won't apply.


So you sent an ICMP ping (an 'Echo request', or echoreq, for short) to
17.253.53.207, which was allowed to enter via igc1.  It matched rule 4,
which allows ICMP echoreqs on any interface (regardless of source or
destination).

Now there are three questions:
1.  Did the firewall forward the echoreq to 17.253.53.207, via igc0?
2.  Did 17.253.53.207 send an "echo reply" (or "echorep") in response to
your request?
3.  Did the firewall let that reply enter igc0, and did it forward it
to 192.168.2.252, via igc1?

You don't show any logs for it, but I think we can stop at question 1,
and the answer to that is: no.  You are not NATing your outgoing traffic
for the internet.  Without NAT, the packet that leaves via igc0 will have
192.168.2.252 as its source address (you should see something like
"pass out on igc0: 192.168.2.252 > 17.253.53.207 ..." on tcpdump).  Even
if it's not filtered along the way, the host at 17.253.53.207 will want
to send the "echo reply" to 192.168.2.252.  But since this is an address
reserved for private use, it won't be routed across the internet and
back to your network (of which only the IPv4 address on igc0 will be
'visible').

So, in short, you need to add a "nat-to rule".  You can find examples of
this on the pf.conf man page.  But I would advise you to pick up Peter
Hansteen's The Book of pf and give it a good read (at least the first
few chapters).


Now note that even with NATting, you still might not get a reply, since
the remote host might choose to ignore it (question 2, above) and,
crucially, even if it does, you don't have "echorep" on your $icmp_types
macro.  Which means you allow for ICMP echo requests, but not for the
echo replies to them (question 3, above).


To better debug this, you might want to add two more tcpdumps, to see
what goes out and comes in at each interface:  

tcpdump -nti igc0 icmp
tcpdump -nti igc1 icmp

It then becomes easier to see where along the way the traffic is being
dropped.

> 
> Op 12-04-2024 om 19:46 schreef Zé Loff:
> > On Fri, Apr 12, 2024 at 07:04:16PM +0200, Karel Lucas wrote:
> > > Hi all,
> > > 
> > > Traceroute still won't work. I'm playing around with the rules and 
> > > wondering
> > > what's right and what's wrong with the traceroute rules. Can anyone give 
> > > me
> > > some starting points here?
> > > 
> > > 
> > > /etc/pf.conf:
> > > 
> > > ext_if = igc0 # Extern interface
> > > int_if = "{ igc1, igc2 }" # Intern interfaces
> > > localnet = "192.168.2.0/24"
> > > tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> > > udp_services = "{ domain, ntp }"
> > > email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> > > icmp_types = "{ echoreq, unreach }"
> > > icmp6_types = "{ echoreq, unreach }"
> > > nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> > > client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
> > >                        446, cvspserver, 2628, 5999, 8000, 8080 }"
> > > Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
> > >                      10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
> > >                      0.0.0.0/8, 240.0.0.0/4 }"
> > > 
> > > set skip on lo
> > > # By default, do not permit remote connections to X11
> > > block return in on ! lo0 proto tcp to port 6000:6010
> > > 
> > > block log all                # block stateless traffic
> > > 
> > > block in quick on $ext_if from $martians to any
> > > block out quick on $ext_if from any to $martians
> > > 
> > > # Letting ping through:
> > > pass log on inet proto icmp icmp-type $icmp_types
> > > pass log on inet6 proto icmp6 icmp6-type $icmp6_types
> > > 
> > > # Allow out the default range for traceroute(*):
> > > # "base+nhops*nqueries-1&qu
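Added example, not code from the thread: a small Python model of the path laid out in questions 1 to 3 of the reply above, run once without and once with nat-to.  It implements a minimal stateful source NAT for ICMP echo, keyed on the echo identifier (the field a NAT uses in place of a port), and the routability check that decides whether the reply can ever come back.  The addresses are the ones from the reply; the external address of igc0 is never shown in the thread, so 203.0.113.7 (a documentation prefix) stands in for it, and the echo identifier is made up.

```python
"""Why the echo reply never comes back without nat-to.

Added example, not code from the thread: a minimal stateful source NAT for
ICMP echo plus a routability check.  203.0.113.7 is a stand-in for the
real igc0 address, which the thread does not show.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Ranges an ISP will not carry back to you (RFC 1918, loopback, link-local).
NOT_ROUTED = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    kind: str      # "echoreq" or "echorep"
    ident: int     # echo identifier; NAT state is keyed on it


def routable_on_internet(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return not any(a in n for n in NOT_ROUTED)


class SourceNat:
    """nat-to on the external interface: rewrite the source on the way out,
    remember the mapping, undo it for the matching reply."""

    def __init__(self, ext_ip: str):
        self.ext_ip = ext_ip
        self.state = {}   # ident -> original source address

    def outbound(self, p: Icmp) -> Icmp:
        self.state[p.ident] = p.src
        return replace(p, src=self.ext_ip)

    def inbound(self, p: Icmp) -> Optional[Icmp]:
        if p.dst != self.ext_ip or p.ident not in self.state:
            return None       # no matching state: nothing to translate back to
        return replace(p, dst=self.state[p.ident])


def ping_round_trip(req: Icmp, nat: Optional[SourceNat], remote_answers: bool = True):
    """Follow the reply's three questions.  Returns (trace, delivered reply or None)."""
    trace = []
    out = nat.outbound(req) if nat else req
    trace.append(f"pass out on igc0: {out.src} > {out.dst}: echoreq")      # question 1
    if not remote_answers:                                                   # question 2
        trace.append(f"{out.dst} ignores the request")
        return trace, None
    reply = Icmp(out.dst, out.src, "echorep", out.ident)
    if not routable_on_internet(reply.dst):
        trace.append(f"reply to {reply.dst} is not routable across the internet; lost")
        return trace, None
    trace.append(f"pass in on igc0: {reply.src} > {reply.dst}: echorep")    # question 3
    delivered = nat.inbound(reply) if nat else reply
    if delivered:
        trace.append(f"pass out on igc1: {delivered.src} > {delivered.dst}: echorep")
    return trace, delivered


# Constructed request: the LAN host and target from the reply, made-up identifier.
REQUEST = Icmp("192.168.2.252", "17.253.53.207", "echoreq", ident=0x1234)

if __name__ == "__main__":
    for nat in (None, SourceNat("203.0.113.7")):
        trace, got = ping_round_trip(REQUEST, nat)
        print("with nat-to:" if nat else "without nat-to:", got)
        for line in trace:
            print("  " + line)
```

The trace lines are shaped like the pflog output discussed above, so the model's "pass out on igc0" line is exactly the one the reply says you should be able to see on tcpdump, and the difference between the two runs is only the source address it carries.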

Re: No internet connection (firewall block)

2024-04-12 Thread Loff
On Fri, Apr 12, 2024 at 07:04:16PM +0200, Karel Lucas wrote:
> Hi all,
> 
> Traceroute still won't work. I'm playing around with the rules and wondering
> what's right and what's wrong with the traceroute rules. Can anyone give me
> some starting points here?
> 
> 
> /etc/pf.conf:
> 
> ext_if = igc0 # Extern interface
> int_if = "{ igc1, igc2 }" # Intern interfaces
> localnet = "192.168.2.0/24"
> tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> udp_services = "{ domain, ntp }"
> email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> icmp_types = "{ echoreq, unreach }"
> icmp6_types = "{ echoreq, unreach }"
> nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
>                       446, cvspserver, 2628, 5999, 8000, 8080 }"
> Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>                     10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
>                     0.0.0.0/8, 240.0.0.0/4 }"
> 
> set skip on lo
> # By default, do not permit remote connections to X11
> block return in on ! lo0 proto tcp to port 6000:6010
> 
> block log all                # block stateless traffic
> 
> block in quick on $ext_if from $martians to any
> block out quick on $ext_if from any to $martians
> 
> # Letting ping through:
> pass log on inet proto icmp icmp-type $icmp_types
> pass log on inet6 proto icmp6 icmp6-type $icmp6_types
> 
> # Allow out the default range for traceroute(*):
> # "base+nhops*nqueries-1" (3434+64*3-1)
> pass in  on $ext_if inet proto udp to port 33433:33626   # for IPv4
> pass log out on $ext_if inet proto udp to port 33433:33626   # for IPv4
> pass in on $ext_if inet6 proto udp to port 33433:33626   # for IPv6
> pass log out on $ext_if inet6 proto udp to port 33433:33626  # for IPv6
> 

Your final four rules (for traceroute) only apply to the $ext_if, so I
am assuming you are trying to traceroute _from_ the firewall itself to
some machine on the internet.  If you want to start traceroute from
your local network, and to a machine on the internet, you'll need to
add $int_if to those rules (and perhaps NAT, but let's not get ahead of
ourselves).

Again, assuming you are trying to traceroute from the firewall to the
internet, I would use tcpdump to check if that traffic is being blocked,
and, if so, which rule is blocking it:

tcpdump -neti pflog0

(-n and -t are optional, but help to keep things simpler in this case)

Then on another terminal try to traceroute an easily identifiable IP,
such as 1.1.1.1, and see what comes up on the tcpdump.  It'll be
something like "rule 2/(match) block ..." or "rule 2/(match) pass ...",
and if you don't want to count the rules by hand, you can use pfctl to
tell you which:

pfctl -sr -R <n>

where <n> is the rule number.

Then, assuming it is being blocked, it's time to figure out why the
"pass" rules aren't being matched.


-- 
 

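The tcpdump-on-pflog0 procedure above, as an added example that is not part of the thread: a small script that summarises pflog output per rule so the rule number can be fed to "pfctl -sr -R". The pflog line layout it parses and the sample lines are assumptions (constructed, not captured from the poster's firewall).

```shell
#!/bin/sh
# Added example, not from the thread: summarise "tcpdump -neti pflog0"
# output by pf rule, so the rule blocking (or passing) the traceroute
# probes can be spotted and then looked up with "pfctl -sr -R <n>".
# Assumes the pflog line prefix "rule N/(match) ACTION DIR on IFACE:"
# followed by tcpdump's usual "src.port > dst.port:" IP line.

# Constructed sample, standing in for live pflog output: two blocked
# traceroute probes (rule 2) and one passed probe (rule 5).
SAMPLE_PFLOG='rule 2/(match) block out on igc0: 203.0.113.5.41234 > 1.1.1.1.33434: udp 32
rule 2/(match) block out on igc0: 203.0.113.5.41235 > 1.1.1.1.33435: udp 32
rule 5/(match) pass out on igc0: 203.0.113.5.41236 > 1.1.1.1.33436: udp 32'

# Reads pflog lines on stdin; prints one line per (rule, action,
# direction, interface) with the packet count and the destination
# port of the last packet seen, sorted by rule number.
pflog_summary() {
    awk '
    $1 == "rule" {
        split($2, r, "/")            # "2/(match)" -> rule number "2"
        rule = r[1]; action = $3; dir = $4; ifname = $6
        sub(/:$/, "", ifname)
        # find the "src > dst" pair; dst carries a trailing colon
        dst = ""
        for (i = 7; i <= NF; i++)
            if ($i == ">") { dst = $(i + 1); break }
        sub(/:$/, "", dst)
        n = split(dst, p, ".")       # last dotted field is the port
        key = rule " " action " " dir " " ifname
        count[key]++
        lastport[key] = p[n]
    }
    END {
        for (k in count)
            printf "%s packets=%d last_dst_port=%s\n", k, count[k], lastport[k]
    }' | sort -n
}

# Show the text of one rule from the loaded ruleset.  Needs pf and root,
# so it is not exercised offline.
pflog_rule_text() {
    # $1 = rule number as printed by pflog_summary
    pfctl -sr -R "$1"
}

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_PFLOG" | pflog_summary
fi
```

Run it as "tcpdump -neti pflog0 | sh -c '. ./pflog_summary.sh; pflog_summary'" or with "demo" to see the constructed sample summarised.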


Re: Universal screen mirroring from mobile devices

2024-04-12 Thread Loff
On Fri, Apr 12, 2024 at 01:06:10PM +0200, Dan wrote:
> Hello,
> 
> Intriguing this subject from my daughter watching mum doing
> lessons at the computer using her mobile. It came out that from
> her sparkling mind mum needs to connect her mobile to the laptop
> (an old 2011 mac) to watch her student.
> 
> Do you think remote the possibility to have some screen mirroring
> functionalities embedded in our favorite desktop environment under
> OpenBSD?
> 
> I imagine a more *flexible* desk environment where sort of universal
> screen mirroring is allowed among devices exactly how today we can
> do in our livingroom on Samsung or other brand TVs..
> 
> -Dan
> 

You can use ffmpeg to capture the screen and then multicast the
video/audio stream.  You can choose to stream only a specific window by
using `xwininfo` to pick which one first, e.g.:

  #!/bin/sh

  IP=239.255.0.1
  PORT=9000

  # Click on the window to capture: xwininfo prints its geometry, which
  # is turned into shell variables here.
  eval `xwininfo | awk '
  /Absolute upper-left X:/ { print "XOFFSET=" $4 }
  /Absolute upper-left Y:/ { print "YOFFSET=" $4 }
  /Width:/  { print "WIDTH=" $2 }
  /Height:/ { print "HEIGHT=" $2 }'`

  # x11grab takes the capture offset as part of the input name (:0.0+X,Y);
  # the stream is sent as MPEG-TS over UDP to the multicast group above.
  ffmpeg -f x11grab -video_size ${WIDTH}x${HEIGHT} -framerate 10 \
      -i ":0.0+${XOFFSET},${YOFFSET}" \
      -vcodec libx264 -x264-params nal-hrd=cbr:force-cfr=1:keyint=250 \
      -preset medium -profile:v high -pix_fmt yuv420p -tune zerolatency \
      -b:v 2000K -minrate 2000K -maxrate 2000K -bufsize 4000k \
      -f mpegts "udp://${IP}:${PORT}?ttl=12&pkt_size=1316"


Note: you have to enable multicasting, and consider this as untested.
It's been a long time since I wrote and used it.  You can adapt it
easily to capture the whole screen.  I also have a different version
that uses Xephyr to simulate an entirely new desktop on a smaller
window.

There are a lot of variants for this out there, much more polished than
this.  Just search for "ffmpeg screencast", and you're bound to find a
few.


-- 
 



Re: No internet connection (firewall block)

2024-04-11 Thread Loff


On Thu, Apr 11, 2024 at 07:45:18PM +0200, Karel Lucas wrote:
> The typos have been fixed, and PF's ruleset will be put under a magnifying
> glass.

This is a bit of a personal preference, but (assuming you trust any
traffic generated on the firewall itself), I find it helpful to 
start the ruleset with a simple:

block log in
pass out

and then do the filtering on what comes _in_ (either via $ext_if or
$int_ifs), by adding "pass in ... on ... " rules.

> Op 11-04-2024 om 10:34 schreef Zé Loff:
> > On Wed, Apr 10, 2024 at 11:53:47PM +0200, Karel Lucas wrote:
> > > Hi all,
> > > 
> > > With the new firewall I am setting up I cannot connect to the internet. That
> > > starts with traceroute, so let's start there. Ping works fine. Below I have
> > > listed my pf.conf file.
> > > 
> > > 
> > > 
> > > /etc/pf.conf:
> > > 
> > > ext_if = igc0 # Extern interface
> > > int_if = "{ igc1, igc2 }" # Intern interfaces
> > > localnet = "192.168.2.0/24"
> > > tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> > > udp_services = "{ domain, ntp }"
> > > email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> > > icmp_types = "{ echoreq, unreach }"
> > > icmp6_types = "{ echoreq, unreach }"
> > > nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> > > client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
> > >                        446, cvspserver, 2628, 5999, 8000, 8080 }"
> > > Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
> > >                      10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
> > >                      0.0.0.0/8, 240.0.0.0/4 }"
> > > 
> > > set skip on lo
> > > # By default, do not permit remote connections to X11
> > > block return in on ! lo0 proto tcp to port 6000:6010
> > > 
> > > block log all                # block stateless traffic
> > > 
> > > block in quick on $ext_if from $martians to any
> > > block out quick on $ext_if from any to $martians
> > > 
> > > # Letting ping through:
> > > pass log on inet proto icmp icmp-type $icmp_types
> > > pass log on inet6 proto icmp6 icmp6-type $icmp6_types
> > > 
> > > # Allow out the default range for traceroute(*):
> > > # "base+nhops*nqueries-1" (3434+64*3-1)
> > > pass log out on egress inet proto udp to port 33433:33626 # for IPv4
> > > pass log out on egress inet6 proto udp to port 33433:33626 # for IPv6
> > > 
> > > pass log quick on $ext_if inet proto {tcp, udp} from $localnet \
> > >          to port $udp_services
> > > pass log on $ext_if inet proto icmp all icmp-type $icmp_types
> > > pass log on $ext_if inet proto tcp from $localnet to port $client_out
> > > pass log out proto tcp to port $tcp_services   # establish keep-stat
> > > pass log log proto udp to port $udp_services   # Establish keep-state
> > If I read this correctly, you are not allowing any "in" traffic, except
> > for the two "Letting ping through lines", which are just for ICMP, and
> > on the first two rules on the last part ("...$icmp_types"  and
> > "...$client_out").  I am assuming "log log" on the last rule is a typo,
> > and it is actually "log out".
> 

-- 
 



Re: No internet connection (firewall block)

2024-04-11 Thread Loff
On Wed, Apr 10, 2024 at 11:53:47PM +0200, Karel Lucas wrote:
> Hi all,
> 
> With the new firewall I am setting up I cannot connect to the internet. That
> starts with traceroute, so let's start there. Ping works fine. Below I have
> listed my pf.conf file.
> 
> 
> 
> /etc/pf.conf:
> 
> ext_if = igc0 # Extern interface
> int_if = "{ igc1, igc2 }" # Intern interfaces
> localnet = "192.168.2.0/24"
> tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> udp_services = "{ domain, ntp }"
> email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> icmp_types = "{ echoreq, unreach }"
> icmp6_types = "{ echoreq, unreach }"
> nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
>                       446, cvspserver, 2628, 5999, 8000, 8080 }"
> Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>                     10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
>                     0.0.0.0/8, 240.0.0.0/4 }"
> 
> set skip on lo
> # By default, do not permit remote connections to X11
> block return in on ! lo0 proto tcp to port 6000:6010
> 
> block log all                # block stateless traffic
> 
> block in quick on $ext_if from $martians to any
> block out quick on $ext_if from any to $martians
> 
> # Letting ping through:
> pass log on inet proto icmp icmp-type $icmp_types
> pass log on inet6 proto icmp6 icmp6-type $icmp6_types
> 
> # Allow out the default range for traceroute(*):
> # "base+nhops*nqueries-1" (3434+64*3-1)
> pass log out on egress inet proto udp to port 33433:33626 # for IPv4
> pass log out on egress inet6 proto udp to port 33433:33626 # for IPv6
> 
> pass log quick on $ext_if inet proto {tcp, udp} from $localnet \
>         to port $udp_services
> pass log on $ext_if inet proto icmp all icmp-type $icmp_types
> pass log on $ext_if inet proto tcp from $localnet to port $client_out
> pass log out proto tcp to port $tcp_services   # establish keep-stat
> pass log log proto udp to port $udp_services   # Establish keep-state
   
If I read this correctly, you are not allowing any "in" traffic, except
for the two "Letting ping through lines", which are just for ICMP, and
on the first two rules on the last part ("...$icmp_types"  and
"...$client_out").  I am assuming "log log" on the last rule is a typo,
and it is actually "log out".



Re: Bridging firewall with online update/upgrade

2024-04-03 Thread Loff
On Wed, Apr 03, 2024 at 06:19:29PM +0200, Karel Lucas wrote:
> Hi all,
> 
> I am creating a bridging firewall with OpenBSD and the following hardware:
> https://www.amazon.nl/dp/B0B6J89MXJ?ref=ppx_pop_dt_b_asin_image=1.
> OpenBSD is already installed. I want to use ETH1 for the input from my ADSL
> modem, ETH2 and ETH3 for the output to my network. Furthermore, I would like
> to use ETH4 for the update/upgrade of the firewall. Remove the connection
> from ETH1, plug it into ETH4, and update/upgrade. Then the connection
> returns to ETH1. ETH4 therefore receives an IP address and ETH1,ETH2 and
> ETH3 not. But now the problem: as long as the network connection of the ADSL
> modem is in ETH4, my network, including the firewall, is no longer secured,
> and attackers can take advantage. I therefore wonder whether it is possible
> to let the data flow via ETH1 and ETH4 first pass through PF before an
> update/upgrade is done via ETH4. This means that the bridging firewall will
> have two entrances, one without and one with an IP address. I would like to
> know if that is possible, or if there is another option.
> 

I'd just run sysupgrade -n, unplug ETH1, reboot into the installer and
upgrade, reboot, and finally plug ETH1 back in.

-- 
 



Re: UKC> disable "smth"

2024-03-16 Thread Loff
On Sat, Mar 16, 2024 at 05:52:22PM +0500, ofthecentury wrote:
> I boot with 'boot -c' and then
> enter 'disable mei' and then
> 'quit'.
> Pcidump still shows Intel MEI,
> just as it does when booting
> with default config. I don't
> think anything changed.
> But UKC doesn't complain
> when I disable mei, so I know
> it knows 'mei' and disables it.
> But how would I know it
> does disable it?
> 
> Also, 'boot -c' accumulates what
> changes I do. How does one
> reset changes to go back to
> vanilla kernel?
> 

Just because it is detected it does not mean a driver is attached to it.

E.g. on my machine:

# pcidump | grep -i mei
 0:22:0: Intel 200 Series MEI

# dmesg | grep -i mei
"Intel 200 Series MEI" rev 0x00 at pci0 dev 22 function 0 not configured

The "not configured" is the relevant part, here.

Plus, more knowledgeable people will correct me if I'm wrong, but I
don't think a "mei" driver exists.

If for some reason you want to "disable" it further than this you'll
have to do it in BIOS or find a way to power it off, but good luck with
that.

Cheers
Zé
-- 
 



Re: Confusion about hw.cpuspeed

2024-03-15 Thread Loff via misc


On Fri, Mar 15, 2024 at 01:07:22PM +0100, Christer Solskogen via misc wrote:
> On Fri, Mar 15, 2024 at 11:43 AM Zé Loff via misc  wrote:
> 
> > Your cpu*.frequency lines show you that it does.
> 
> In that case, what does hw.cpuspeed mean?
> 

Jonathan Gray already told you that:

> > hw.cpuspeed is only updated when a set speed is selected by the kernel.
> > With turbo mode the hardware continually changes the speed without
> > notifying the kernel.

You have

cpu0: Enhanced SpeedStep 2693 MHz: speeds: 1701, 1700, 1600, 1500, 1400, 
1300, 1200, 1100, 1000, 900, 800 MHz

on your dmesg, so you have a CPU that is meant to run at (up to)
1700MHz, but can go to 2700MHz in turbo mode.

The 1701 MHz speed ("normal max" + 1) is the speed that the kernel needs
to set to get it into turbo mode.  So, when 

hw.cpuspeed=1701

it means your CPU is running in turbo mode.  If you or the kernel wants
to throttle it down to save power, hw.cpuspeed will change to something
lower.

As Jonathan said, when in turbo mode, the CPU won't tell the kernel
about speed changes, but you can always get them from the
hw.sensors.cpu*.frequency readings.  Which, incidentally, might not even
be the same for each CPU core, as they are throttled differently:

   $ sysctl hw.sensors | grep frequency0
   hw.sensors.cpu0.frequency0=245000.00 Hz
   hw.sensors.cpu1.frequency0=27.00 Hz
   hw.sensors.cpu2.frequency0=285000.00 Hz
   hw.sensors.cpu3.frequency0=235000.00 Hz

Hope this clears things up.

Cheers
Zé

P.S.: I'm by no means whatsoever an authority on this matter.  I'm
replying because you asked me directly.  

-- 



Re: Confusion about hw.cpuspeed

2024-03-15 Thread Loff via misc
On Fri, Mar 15, 2024 at 10:09:37AM +0100, Christer Solskogen via misc wrote:
> On Fri, Mar 15, 2024 at 10:00 AM Jonathan Gray  wrote:
> >
> > On Fri, Mar 15, 2024 at 08:49:14AM +0100, Christer Solskogen via misc wrote:
> > > On Fri, Mar 15, 2024 at 1:15 AM Jonathan Gray  wrote:
> > > >
> > >
> > > > The 1MHz higher is the turbo setting.  When speedstep speeds are shown
> > > > in dmesg it is the highest.
> > > >
> > > > The sensors use cpu_hz_update_sensor().
> > > >
> > >
> > > I don't understand. dmesg says this:
> > > cpu0: Intel(R) N95, 2693.79 MHz, 06-be-00, patch 0015
> > >
> > > But hw.cpuspeed stays the same no matter what happens.
> >
> > your dmesg will have a "Enhanced SpeedStep" line, for example:
> > cpu0: Enhanced SpeedStep 2494 MHz: speeds: 2601, 2600, 2500, 2300, 2100, 
> > 2000, 1800, 1700, 1500, 1400, 1200, 1100, 900, 800, 600, 500 MHz
> >
> > hw.cpuspeed is only updated when a set speed is selected by the kernel.
> > With turbo mode the hardware continually changes the speed without
> > notifying the kernel.
> >
> > to force the lowest non-turbo mode
> >
> > sysctl hw.perfpolicy=manual
> > sysctl hw.setperf=0
> >
> 
> Ah, yes.
> cpu0: Enhanced SpeedStep 2693 MHz: speeds: 1701, 1700, 1600, 1500,
> 1400, 1300, 1200, 1100, 1000, 900, 800 MHz
> 
> I wonder why it never reaches 2,6GHz.
> 

Your cpu*.frequency lines show you that it does.

-- 
 



Re: Is this a security issue?

2024-03-13 Thread Loff
On Wed, Mar 13, 2024 at 05:01:57PM +0500, ofthecentury wrote:
> Just saw this in my /var/log/messages:
> 
> '/bsd: drm:pid1338:intel_pipe_update_start *ERROR*
> [drm] *ERROR* Potential atomic update failure on pipe B'
> 
> Intel_pipe_update???
> 

No, it isn't a security issue, it's an underrun on the graphics driver.


A quick search would have told you so.  This is a mailing list, with
people that actually have to take some of their time to reply, not a
search engine.



-- 
 



Re:

2024-03-10 Thread Loff


On Sun, Mar 10, 2024 at 02:43:02PM +, Hari wrote:
> Here is the requested output:
> 
> lo0: flags=2008049 mtu 32768
>     index 2 priority 0 llprio 3
>     groups: lo
>     inet6 ::1 prefixlen 128
>     inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
>     inet 127.0.0.1 netmask 0xff00
> enc0: flags=0<>
>     index 1 priority 0 llprio 3
>     groups: enc
>     status: active
> mtw0:
> flags=a48843
> mtu 1500
>     lladdr 00:e0:2d:4c:73:7f
>     index 4 priority 4 llprio 3
>     groups: wlan
>     media: IEEE802.11 autoselect (DS1 mode 11g)
>     status: active
>     ieee80211: nwid net chan 2 bssid 2e:d1:fa:8e:62:51 -27dBm wpakey
> wpaprotos wpa2 wpaakms psk wpaciphers ccmp wpagroupcipher ccmp
>     inet6 fe80::2e0:2dff:fe4c:737f%mtw0 prefixlen 64 scopeid 0x4
> pflog0: flags=141 mtu 33136
>     index 5 priority 0 llprio 3
>     groups: pflog
> nwid net
> wpakey connect2net
> inet autoconf
> inet6 autoconf
> Routing tables
> 
> Internet:
> Destination    Gateway    Flags   Refs  Use   Mtu  Prio Iface
> 224/4  127.0.0.1  URS    0    0 32768 8 lo0
> 127/8  127.0.0.1  UGRS   0    0 32768 8 lo0
> 127.0.0.1  127.0.0.1  UHhl   1    2 32768 1 lo0
> 
> Internet6:
> Destination
> Gateway Flags   Refs  Use   Mtu  Prio 
> Iface
> ::/96  
> ::1 UGRS   0    0 32768 8 lo0
> ::1
> ::1 UHhl  10  100 32768 1 lo0
> :::0.0.0.0/96  
> ::1 UGRS   0    0 32768 8 lo0
> 2002::/24  
> ::1 UGRS   0    0 32768 8 lo0
> 2002:7f00::/24 
> ::1 UGRS   0    0 32768 8 lo0
> 2002:e000::/20 
> ::1 UGRS   0    0 32768 8 lo0
> 2002:ff00::/24 
> ::1 UGRS   0    0 32768 8 lo0
> fe80::/10  
> ::1 UGRS   0    2 32768 8 lo0
> fec0::/10  
> ::1 UGRS   0    0 32768 8 lo0
> fe80::1%lo0
> fe80::1%lo0 UHl    0    0 32768 1 lo0
> fe80::%mtw0/64 
> fe80::2e0:2dff:fe4c:737f%mtw0   UCn    0    0 - 8 mtw0
> fe80::2e0:2dff:fe4c:737f%mtw0  
> 00:e0:2d:4c:73:7f   UHLl   0    0 - 1 mtw0
> ff01::/16  
> ::1 UGRS   0   12 32768 8 lo0
> ff01::%lo0/32  
> fe80::1%lo0 Um 0    1 32768 4 lo0
> ff01::%mtw0/32 
> fe80::2e0:2dff:fe4c:737f%mtw0   Um 0    0 - 4 mtw0
> ff02::/16  
> ::1 UGRS   0   12 32768 8 lo0
> ff02::%lo0/32  
> fe80::1%lo0 Um 0    1 32768 4 lo0
> ff02::%mtw0/32 
> fe80::2e0:2dff:fe4c:737f%mtw0   Um 0    1 - 4 mtw0
> 
> 
> 
> 
> 
> 
> 
> 
> Sorry for delayed reply

Your mtw0 interface is connected to the access point ("status: active")
but has no IP address.  Since it's set for autoconf, this means it's not
getting an address from a DHCP server.

Are you sure you have one listening on the wifi network?  Are you able
to connect other hosts to it (e.g. a mobile phone, or another machine)?
If so, does the access point or the host running the DHCP server have
any kind of MAC filtering?

-- 
 



Re: No internet while using wifi

2024-03-10 Thread Loff
On Sun, Mar 10, 2024 at 10:00:23AM +, Hari wrote:
> Hello,
> 
> I wanted to connect my openbsd system to wifi. So I downloaded and installed the
> necessary wifi firmware using a wired connection. As stated in the openbsd wireless
> networking faq I edited the /etc/hostname.mtw0 file and added the necessary
> details according to the format. Then I started the /etc/netstart and ifconfig
> showed the status to be active. But I had no internet connection. I tried using
> dhcp via ifconfig mtw0 inet autoconf and tried dhclient but none worked, there
> was no ip in netstat -rn.

This is way WAY too little info for anyone to figure out what is wrong.
Please send the contents of your /etc/hostname.mtw0 (mask out the nwid
and the wpakey bits), as well as the output of ifconfig and route -n
show.  A full dmesg wouldn't hurt either.

Cheers
Zé



-- 
 



Re: Huawei K5161h 4G dongle

2024-01-23 Thread Loff


On Tue, Jan 23, 2024 at 11:52:01AM +, Alex Frolkin wrote:
> Hi all,
> 
> Has anyone had any success with getting a Huawei (Vodafone-branded)
> K5161h 4G dongle working on OpenBSD?
> 
> It looks like it should work with the umb(4) driver, but the problem is
> getting it into the right mode.  When I plug it in, it appears as a USB
> CD drive, and there are magic commands you can send to it to make it
> appear either as an Ethernet interface (where it does NAT and DHCP for
> you, should be supported by the cdce(4) driver) or as an MBIM device
> plus three USB serial ports (which should be supported by umb(4) and
> hopefully ucom(4)).
> 
> On FreeBSD and Linux, the mode switching is done by usb_modeswitch,
> which supports switching it to either mode.  usb_modeswitch compiles
> fine on OpenBSD, but fails to actually send the magic command, and the
> error code (from the usb_bulk_io function in libusb) says "unsupported
> on this platform".
> 
> The other approach is to find a magic AT command that would switch it to
> MBIM mode permanently, but I've failed to find anything online for this
> model, and AT commands that I've found for other models don't work on
> this one.
> 

This may sound silly, but does ejecting it (e.g. "eject /dev/cd0") make
a difference?  I seem to recall some devices that (temporarily) switched
mode after being ejected.

-- 
 



Re: mountd

2024-01-09 Thread Loff
On Tue, Jan 09, 2024 at 10:13:56AM +0300, 4 wrote:
> >> i'm quoting the man page for mountd:
> >>  The -n flag historically allowed clients to use non-reserved ports 
> >> when
> >>  communicating with mountd.  In OpenBSD, a reserved port is always 
> >> used.
> >> "reserved port". "always".. however the port is different each time. how 
> >> to deal with this?
> >> 
> 
> > reserved means that the port number is below 1024. The RPC system,
> > (which is used to implement NFS) uses portmapper to determine which
> > service runs on which port. What problem are you trying to solve?
> 
> > -Otto
> i'm trying to solve the problem of which port need to open on the pf.
> the variant of processing rpcinfo output with script and then putting
> a rules into an anchor is not very pretty. especially considering that
> this is not enough, and i still need to repeat this action by cron.
> this variant works, but it's not even close to how it should work %\
> why i should solve such the task at a time when humanity is flying to
> conquer Mars?
> 

No need to be so dramatic, the ports only change when the service is
restarted, so there is no need for constant monitoring and/or script
running.  Either you run the script (a one-liner, by the way, see below)
on the server upon starting the daemon, or run it on the firewall via
cron at appropriate intervals (I'm assuming you don't reboot your server
every 10 minutes, so it can be run at large intervals).

You may not find it "very pretty", but hey, it works fine.  NFS over
firewalls decidedly isn't great, but it's the smallest of my NFS woes.

OT, they got to the moon with the computing power of a pocket
calculator, and the physics of going to Mars are pretty much the same,
so I find your argument moot.  Also, it's literally a one line script.
Not exactly rocket science.

# a.b.c.d is the NFS server; $a names the sub-anchor the rules land in
# (the main ruleset needs an anchor "portmap/*" line for them to apply).
# rpcinfo -p columns: program vers proto port service; NR>1 skips the header.
rpcinfo -p a.b.c.d | awk 'NR>1 { print "pass inet proto " $3 " to port " $4 " flags any" }' \
    | pfctl -a "portmap/$a" -f -

-- 
 

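The rpcinfo-to-anchor one-liner above, carried a bit further as an added example that is not part of the thread: it keeps only the RPC programs an NFS client needs, emits each proto/port once, and restricts the source network. The server address, client network, anchor name and the sample rpcinfo output are all constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: turn "rpcinfo -p <server>" output
# into pf rules for the RPC services an NFS client actually needs,
# de-duplicated and limited to a client network, then load them into an
# anchor.  Server, client network and port numbers are constructed.

# Constructed "rpcinfo -p" output (columns: program vers proto port service).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    841  mountd
    100005    1   tcp    975  mountd
    100005    3   udp    841  mountd
    100005    3   tcp    975  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp    728  nlockmgr
    100024    1   udp    901  status'

# rpc_to_pf_rules SERVER CLIENTS: reads rpcinfo -p output on stdin and
# prints one pass rule per distinct proto/port for the well-known RPC
# program numbers NFS uses (100000 portmapper, 100003 nfs, 100005 mountd,
# 100021 nlockmgr, 100024 status).  A (proto, port) pair is emitted once
# even if several program versions share it.
rpc_to_pf_rules() {
    awk -v server="$1" -v clients="$2" '
    NR == 1 { next }                                  # header line
    $1 ~ /^(100000|100003|100005|100021|100024)$/ {
        key = $3 ":" $4
        if (key in seen) next
        seen[key] = 1
        # tcp rules keep pf default flags S/SA: state is created on the
        # initial SYN only, so no "flags any" here
        printf "pass inet proto %s from %s to %s port %s # %s\n", $3, clients, server, $4, $5
    }'
}

# load_rpc_anchor SERVER CLIENTS NAME: query the live server and load the
# rules into the anchor "portmap/NAME".  The main ruleset must reference
# it, e.g. with the line:  anchor "portmap/*"
# Needs rpcinfo and root for pfctl, so it is not exercised offline.
load_rpc_anchor() {
    rpcinfo -p "$1" | rpc_to_pf_rules "$1" "$2" | pfctl -a "portmap/$3" -f -
}

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_RPCINFO" | rpc_to_pf_rules 10.0.0.5 192.168.2.0/24
fi
```

Re-run load_rpc_anchor whenever the NFS daemons restart (from rc.local on the server, or from cron on the firewall), since that is the only time the mountd/nlockmgr ports move.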


Re: Any tool in base which allows to get all IPs in prefix?

2023-12-19 Thread Loff
On Tue, Dec 19, 2023 at 04:27:14PM +0300, Maksim Rodin wrote:
> Hello
> Is there any tool in base which allows to get something like this?
> $ nmap -sL -n IP_PREFIX
> ...
> a long list of ip addresses
> ...
> 
> -- 
> Maksim
> 

Not in base (I know, sorry), but ipcalc, in ports, is a 12k binary that
pulls no dependencies other than libc.

-- 
 



Re: Two parent NICs for VLAN

2023-12-19 Thread Loff


On Tue, Dec 19, 2023 at 02:25:01PM +0100, Lars Bonnesen wrote:
> That is exactly what I want.
> 
> Ah, veb... although I cannot make it work. I see a lot of arp'ing not
> getting any replies. So devices that were working before try to arp for the
> gateway and not getting any replies, even though they are on the same layer2
> net:
> 
> 12:28:54.101968 arp who-has 172.18.14.1 tell 172.18.14.201
> 12:28:54.573677 arp who-has 172.18.14.1 tell 172.18.14.101
> 12:28:55.101913 arp who-has 172.18.14.1 tell 172.18.14.201
> 12:28:55.597716 arp who-has 172.18.14.1 tell 172.18.14.101
> 12:28:56.101910 arp who-has 172.18.14.1 tell 172.18.14.201

Apologies, there was a missing detail on my suggestion: it is meant to
completely bypass the router, which plays no part in that vlan's
traffic (more details below, if needed).

If you want the router/gateway to be connected to that VLAN, you need to
create a vport interface and add it to the veb, as noted on veb's man
page.


Unnecessary details:
I get three VLANs from my ISP on the same wire: internet, VoIP and IPTV.
I need to manage the internet connection, but not the rest, so I used
the veb to simply forward all traffic (DHCP, etc) on the VoIP VLAN
directly to the VoIP phone.  This means that the firewall/gateway plays
no part in it, other than blindly forwarding at L2.  I could do this
simply by putting the managed switch before the firewall, but the idea of
having a managed switch directly connected to the internet, makes me
itchy.

> 
> 
> On Tue, Dec 19, 2023 at 10:09 AM Zé Loff  wrote:
> 
> > On Tue, Dec 19, 2023 at 09:33:18AM +0100, Lars Bonnesen wrote:
> > > I have a physical switch with a number of VLANs and a NIC connected to a
> > > wireless setup. I want to have those two separated except for one
> > > particular VLAN that I want on the physical switch as well as on the APs.
> > >
> > > So I have vmx1 connected to the APs and vmx3 to the switch.
> > >
> > > Then some vlans that each has one of these as parents.
> > >
> > > But then for VLAN 860, I want both vmx1 and vmx3 as parent... Can't they
> > > have joint custody?
> > >
> > > I could of course bridge vmx1 and vmx3 - but I only want vmx1 and vmx3
> > > bridged for vlan 860. Does it make sense?
> > >
> > > How to achieve this? Something similar to:
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > *vlan860: flags=8943 mtu 1500
> > >         lladdr 00:0c:29:e0:88:9c
> > >         description: IoT
> > >         index 27 priority 0 llprio 3
> > >         encap: vnetid 860 parent vmx3 AND VMX1 txprio packet rxprio outer
> > >         groups: vlan
> > >         media: Ethernet autoselect (10GbaseT)
> > >         status: active*
> > >
> > > ... which of coarse does not work.
> > >
> > > Regards, Lars.
> >
> > I'm not entirely sure if this is what you are asking, but I achieved
> > something like this by
> >
> > - Creating one vlan interface on each physical interface *with the same
> >   vnetid, but with different names (obviously):
> > - veb-ing the two vlan interfaces:
> >
> > I.e.:
> >
> > $ cat /etc/hostname.vlan1010
> > description "VoIP WAN"
> > vnetid 101 parent re1
> > -inet6
> > up
> >
> > $ cat /etc/hostname.vlan1011
> > description "VoIP DMZ"
> > vnetid 101 parent re2
> > -inet6
> > up
> >
> > $ cat /etc/hostname.veb1
> > add vlan1010
> > add vlan1011
> > up
> >
> > Hope this helps
> >
> > --
> >
> >

-- 
 



Re: Two parent NICs for VLAN

2023-12-19 Thread Loff
On Tue, Dec 19, 2023 at 09:33:18AM +0100, Lars Bonnesen wrote:
> I have a physical switch with a number of VLANs and a NIC connected to a
> wireless setup. I want to have those two separated except for one
> particular VLAN that I want on the physical switch as well as on the APs.
> 
> So I have vmx1 connected to the APs and vmx3 to the switch.
> 
> Then some vlans that each has one of these as parents.
> 
> But then for VLAN 860, I want both vmx1 and vmx3 as parent... Can't they
> have joint custody?
> 
> I could of course bridge vmx1 and vmx3 - but I only want vmx1 and vmx3
> bridged for vlan 860. Does it make sense?
> 
> How to achieve this? Something similar to:
> 
> 
> 
> 
> 
> 
> 
> 
> *vlan860: flags=8943 mtu 1500
>         lladdr 00:0c:29:e0:88:9c
>         description: IoT
>         index 27 priority 0 llprio 3
>         encap: vnetid 860 parent vmx3 AND VMX1 txprio packet rxprio outer
>         groups: vlan
>         media: Ethernet autoselect (10GbaseT)
>         status: active*
> 
> ... which of coarse does not work.
> 
> Regards, Lars.

I'm not entirely sure if this is what you are asking, but I achieved
something like this by

- Creating one vlan interface on each physical interface *with the same
  vnetid, but with different names (obviously):
- veb-ing the two vlan interfaces:

I.e.:

$ cat /etc/hostname.vlan1010
description "VoIP WAN"
vnetid 101 parent re1
-inet6
up

$ cat /etc/hostname.vlan1011
description "VoIP DMZ"
vnetid 101 parent re2
-inet6
up

$ cat /etc/hostname.veb1
add vlan1010
add vlan1011
up

Hope this helps

-- 
 



Re: NFS Server performance

2023-12-05 Thread Loff


On Tue, Dec 05, 2023 at 02:06:44PM +, Steven Surdock wrote:
> Using an OBSD 7.4 VM on VMware as an NFS server on HOST02.   It is primarily 
> used to store VMWare VM backups from HOST01, so VMWare is the NFS client.  
> I'm seeing transfers of about 1.2 MB/s.  
> 
> SCP from HOST01 to OBSD VM (same filesystem) copies at 110 MB/s.  
> Iperf3 from a VM on HOST01 to OBSD on HOST02 gives me 900+ mbps.  
> OBSD is a stock install running -stable.
> NFS is using v3 (according to VMWare) and using TCP
> During the NFS transfer the RECV-Q on the OBSD interface runs either 64000+ 
> or 0.
> I tried both em and vmx interface types.
> 
> /etc/rc.conf.local:
> mountd_flags="" # for normal use: ""
> nfsd_flags="-tun 4" # Crank the 4 for a busy NFS fileserver
> ntpd_flags=""   # enabled during install
> portmap_flags=""# for normal use: ""
> 
> Any clues on where to look to (greatly) improve NFS performance would be 
> appreciated.

Increasing write size, read size and the read-ahead count on the client has 
helped me.

E.g., on the client's fstab:

  10.17.18.10:/shared/stuff  /nfs/stuff  nfs  rw,nodev,nosuid,intr,tcp,bg,noatime,-a=4,-r=32768,-w=32768 0 0

Cheers
Zé

> 
> -Steve S.
> 

-- 
 



Re: Scanning (documents) no longer works: scanner not found?

2023-12-04 Thread Loff


On Mon, Dec 04, 2023 at 05:48:55PM +0100, Why 42? The lists account. wrote:
> 
> Hi All,
> 
> I just noticed that "simple-scan" no longer works, it cannot find my
> scanner. This used to work just fine.
> 
> I'm running the latest (installed today) snapshot, but I don't know when
> this stopped working - I try not to do much scanning :-)
> 
> The scanner is a Canon Pixma "Multi Function" device, connected via
> Ethernet. (I never ever got it to print.)

How did simple-scan find the scanner?  Is the IP address hardcoded
somewhere in its config?  Maybe the printer/scanner got a different IP
from the DHCP server.  (BTW, this is a very good reason for NOT putting
network printers with dynamic IPs.  I've seen one instance of Windows
having 7 or 8 different "copies" of the same printer, all automatically
setup each time the printer got a different address, and the user then
had to go round-robin trying to figure out which was the IP-of-the-day.)

> 
> Running simple-scan in debug mode doesn't show me much, I see:
> > simple-scan -d
> > [+0.00s] DEBUG: simple-scan.vala:2015: Starting simple-scan 44.0, PID=91216
> > [+0.01s] DEBUG: unsetenv() is not thread-safe and should not be used after 
> > threads are created
> > [+0.04s] DEBUG: _g_io_module_get_default: Found default implementation gvfs 
> > (GDaemonVfs) for ‘gio-vfs’
> > [+0.18s] DEBUG: Portal not found: 
> > GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name 
> > org.freedesktop.portal.Desktop was not provided by any .service files
> > [+0.18s] DEBUG: Portal not found: 
> > GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name 
> > org.freedesktop.portal.Desktop was not provided by any .service files
> > [+0.18s] DEBUG: Portal not found: 
> > GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name 
> > org.freedesktop.portal.Desktop was not provided by any .service files
> > [+0.18s] DEBUG: _g_io_module_get_default: Found default implementation 
> > dconf (DConfSettingsBackend) for ‘gsettings-backend’
> > [+0.18s] WARNING: Using GtkSettings:gtk-application-prefer-dark-theme 
> > together with HdyStyleManager is unsupported. Please use 
> > HdyStyleManager:color-scheme instead.
> > [+0.66s] DEBUG: app-window.vala:2002: Loading state from 
> > /home/robb/.config/simple-scan/state
> > [+0.66s] DEBUG: app-window.vala:1981: Restoring window to 1002x1235 pixels
> > [+0.72s] DEBUG: scanner.vala:1619: sane_init () -> SANE_STATUS_GOOD
> > [+0.72s] DEBUG: scanner.vala:1625: SANE version 1.2.1
> > [+0.72s] DEBUG: scanner.vala:1686: Requesting redetection of scan devices
> > [+0.72s] DEBUG: scanner.vala:863: Processing request
> > [+0.86s] DEBUG: app-window.vala:2078: Saving state to 
> > /home/robb/.config/simple-scan/state
> > [+2.67s] DEBUG: scanner.vala:348: sane_get_devices () -> SANE_STATUS_GOOD
> > [+2.67s] DEBUG: platform does not do hotplug, using polling
> > ...
> 
> I have the saned daemon running, it seems to run OK. No matter what I
> tried I have been unable to trick it into logging any debug output e.g.
> even with "-d 32" I just see this logged:
> > mjoelnir:log 4.12 17:10:14 # grep sane *   
> > messages:Dec  4 10:02:07 mjoelnir pkg_add: Added 
> > sane-backends-1.2.1p0->1.2.1p0
> > messages:Dec  4 16:58:31 mjoelnir pkg_add: Added xsane-0.999p7

saned is for sharing a local scanner over the network (i.e. as a
server, not as a client).  I don't think you need it.

> (The second message is me adding xsane, but it also fails to find the
> scanner.)
> 
> The README "sane-backends" ends with this cryptic (to me) advice, but
> I don't know what a "scanner device node" is for a thing with an IP
> address:
> > ...
> > NETWORK
> > ===
> > By default, the saned(8) daemon runs as _saned, so you need to allow the
> > _saned user access to the scanner device node.

Yes, this is for local (scsi/parallel/usb/etc) devices.

> What am I missing? Any tips for me?

According to the SANE project's webpage, your device is probably
supported by the pixma backend (you don't specify the model, so I can't
be sure).  This means that, in theory, all you need is to enable it in
/etc/sane.d/dll.conf, by making sure it is uncommented.  You can comment
everything else in there.

/etc/sane.d/pixma.conf configures the backend itself.  Defaults should
be enough for most cases but, as the comments in the file state, network
detection is done via broadcast, so both the scanner and your machine
must be on the same subnet.  Otherwise you need to specify the scanner's
address.

"scanimage -L" should find it.  Otherwise, I've had success in the past
with a networked epson multifunction device by using xsane like this:

xsane epson2:net:10.17.18.40

where 10.17.18.40 is the IP address of the scanner.
Best of luck.

Cheers
Zé

> (Oh, I also tried "pfctl -d" to disable the local firewall, didn't seem
> to make any difference.)
> 
> Cheers,
> Robb.
> 
> mjoelnir:/etc 4.12 17:14:41 # uname -a
> OpenBSD mjoelnir.fritz.box 7.4 GENERIC.MP#1471 amd64

Re: mkdir

2023-11-23 Thread Loff
On Thu, Nov 23, 2023 at 12:38:50PM +, Pascal Deveaux wrote:
> simple command to create a directories return:
> 
> $ mkdir test
> ksh: mkdir: not found
> 
> I don't understand...
> 
> OpenBSD 7.4 - fresh install
> 
> Pascal

Is /bin in your PATH, and if so, does /bin/mkdir exist? On an amd64
install /bin should have 41 files.

-- 
 



Re: Logging daemon message in a specific file

2023-11-12 Thread Loff
On Sun, Nov 12, 2023 at 02:37:08AM +, Mik J wrote:
> Hello,
> I would like to log isakmpd and unbound messages in a specific file but I 
> don't want them to be logged in messages or daemon.
> 1) With this first method, the messages are logged in their files but also in 
> messages and I don't want them to be logged in messages: I find many queries 
> and isakmpd logs in messages
> 
> !isakmpd
> daemon.*    /var/log/isakmpd.log
> 
> !unbound
> daemon.*    
> /var/unbound/var/queries.log
> *.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
> kern.debug;syslog,user.info /var/log/messages
> 
> 
> 
> 2) With this second method, the messages are logged in their files but not in 
> messages. So I'm happy the way it behaves for isakmpd and unbound because 
> it's logged in their files and not in messages.The problem is that any other 
> message are not logged in messages. No more syslogs are added to messages.
> 
> !!isakmpd
> daemon.*    /var/log/isakmpd.log
> 
> !!unbound
> daemon.*    
> /var/unbound/var/queries.log
> *.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
> kern.debug;syslog,user.info /var/log/messages
> How can I first filter syslogs so they can be logged in a specific log and 
> everything that doesn't match would end in messages.That second solution 
> should have done that but it doesn't.
> Regards

From syslog.conf(5):

!!prog causes the subsequent block to abort evaluation when a message
matches, ensuring that only a single set of actions is taken.  !*
can be used to ensure that any ensuing blocks are further evaluated
(i.e.  cancelling the effect of a !prog or !!prog).

So after your isakmpd and unbound-specific blocks, you need to add a !*
line to ensure that all further rules are applied to all other
processes. E.g.:

!!isakmpd
daemon.*    /var/log/isakmpd.log

!!unbound
daemon.*    /var/unbound/var/queries.log

!*
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
kern.debug;syslog,user.info /var/log/messages


Since matching stops the evaluation of further rules, this makes sure
that isakmpd and unbound logs don't end up matched by the "all other
stuff" rules.

Cheers

-- 
 
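The difference between !!prog followed by !* and !!prog alone is easier to see by running messages through a model of the block rules. The script below is an added example, not part of the mail above: it implements a toy version of syslog.conf(5) program blocks (!prog, !!prog, !*) and facility.level selectors, feeds it the poster's rules with and without the !* line, and reports where a message from isakmpd, unbound or an unrelated daemon (ntpd, a constructed example) would be written. Host filters, pipes and the rest of syslogd are deliberately left out.

```python
"""Toy model of OpenBSD syslog.conf(5) program blocks: !prog, !!prog and !*.

Added example, not from the original mail.  SYSLOG_CONF is the poster's
rules with the !* line from the reply inserted; SYSLOG_CONF_NO_RESET is
the same without it (the poster's second attempt).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SYSLOG_CONF = """\
!!isakmpd
daemon.*    /var/log/isakmpd.log

!!unbound
daemon.*    /var/unbound/var/queries.log

!*
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
kern.debug;syslog,user.info /var/log/messages
"""

SYSLOG_CONF_NO_RESET = SYSLOG_CONF.replace("!*\n", "")

LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
NONE = -1  # facility.none: never match this facility


@dataclass
class Rule:
    program: Optional[str]   # None: applies to messages from every program
    quick: bool              # True when the block was opened with !!prog
    facs: Dict[str, int]     # facility -> minimum level index, NONE to exclude
    action: str


def parse_selector(sel: str) -> Dict[str, int]:
    """'*.notice;auth,kern.none' -> {'*': 2, 'auth': NONE, 'kern': NONE}."""
    facs: Dict[str, int] = {}
    for part in sel.split(";"):
        fac_list, level = part.rsplit(".", 1)
        if level == "none":
            idx = NONE
        elif level == "*":
            idx = 0
        else:
            idx = LEVELS.index(level)
        for fac in fac_list.split(","):
            facs[fac] = idx            # later entries override earlier ones
    return facs


def parse_conf(text: str) -> List[Rule]:
    rules: List[Rule] = []
    program: Optional[str] = None
    quick = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):
            # A marker line sets the program filter for the rules that follow;
            # !* clears it (and the quick flag) again.
            quick = line.startswith("!!")
            name = line.lstrip("!")
            program = None if name == "*" else name
            continue
        selector, action = line.split(None, 1)
        rules.append(Rule(program, quick, parse_selector(selector), action))
    return rules


def selector_matches(facs: Dict[str, int], facility: str, level: str) -> bool:
    lvl = LEVELS.index(level)
    if facility in facs:                # an explicit facility entry wins over '*'
        return facs[facility] != NONE and lvl >= facs[facility]
    return "*" in facs and lvl >= facs["*"]


def route(rules: List[Rule], program: str, facility: str, level: str) -> List[str]:
    """Actions a message from `program` at facility.level is delivered to."""
    actions: List[str] = []
    for rule in rules:
        if rule.program is not None and rule.program != program:
            continue
        if not selector_matches(rule.facs, facility, level):
            continue
        actions.append(rule.action)
        if rule.quick:                  # !!prog: stop once a rule in the block matched
            break
    return actions


if __name__ == "__main__":
    samples = (("isakmpd", "daemon", "info"), ("unbound", "daemon", "info"),
               ("ntpd", "daemon", "notice"))
    for name, conf in (("with !*", SYSLOG_CONF), ("without !*", SYSLOG_CONF_NO_RESET)):
        rules = parse_conf(conf)
        for prog, fac, lvl in samples:
            print(f"{name:11} {prog:8} {fac}.{lvl:7} -> {route(rules, prog, fac, lvl)}")
```

With the !* line, isakmpd and unbound messages land only in their own files and everything else at notice or above reaches /var/log/messages; without it, the two messages rules are still scoped to unbound, so a message from any other daemon matches nothing at all, which is exactly the silence the poster saw.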



Re: pf logging in ascii and send to remote syslog

2023-11-11 Thread Loff
On Sat, Nov 11, 2023 at 06:32:26PM +0100, Daniele B. wrote:
> 
> "Peter N. M. Hansteen" wrote:
> 
> > something like the good old
> > https://home.nuug.no/~peter/pf/newest/log2syslog.html should still
> > work, I think.
> > 
> > - Peter
> 
> 
> To disable pflogd completely what to you consider best:
> 
> ifconfig pflog0 down
> 
> or 
> 
> pflogd_flags="-f /dev/null"
> 
> 
> = Daniele Bonini
> 

rcctl disable pflogd ?

-- 
 



Re: Jumbo frame, just a little late..

2023-11-07 Thread Loff


On Tue, Nov 07, 2023 at 11:33:04AM +0100, Daniele B. wrote:
> 
> Sorry Claudio, my fault.
> 
> wiz# ifconfig reX hwfeatures
> hwfeatures= [*] hardmtu 9194
> 
> by hostname.reX: 
> 
>   wiz# nano /etc/hostname.reX:
>   inet 192.168.XXX.XXX 0xff00 mtu 9018

From man hostname.if:

Regular IPv4 network setup:
inet [alias] addr netmask broadcast_addr options

The third argument after "inet" is the broadcast address.  You have
"mtu", which isn't one, hence the error.  Try adding "NONE" before
"mtu":

inet 192.168.XXX.XXX 0xff00 NONE mtu 9018


>   ctrl+S; ctrl+X
> 
>   wiz# sh /etc/netstart
> 
>   ifconfig: mtu: bad value
> 
>   (same eventually at boot time)
> 
> by shell or rc.local:
> 
>   wiz# ifconfig reX mtu 9018
>(accepted)
>   wiz# ifconfig reX
> 
>   reX: flags=8843 mtu 9018
>  lladdr XX:XX:XX:XX:XX:XX
>  index 1 priority 0 llprio 3
>  groups: egress
>  media: Ethernet autoselect (1000baseT
>   full-duplex,master,rxpause,txpause) status: active inet
>   192.168.XXX.XXX netmask 0xff00 broadcast 192.168.XXX.XXX
> 
> 
> == Daniele Bonini
> 
> 
> Claudio Jeker  wrote:
> 
> > Sorry this bug report lacks all important information.
> > 
> > a) what is your hostame.mynicdevice contents
> > b) where does the error pop up? neither netstart nor ifconfig contain
> > the word "wrong"
> > c) what interface are you playing with?
> > 
> > So we can't help you.
> 

-- 
 



Re: Default Revival of a ten years old computer : how would you do it?

2023-11-07 Thread Loff
On Mon, Nov 06, 2023 at 11:29:22AM +0100, h...@mailo.com wrote:
> 
> 
> since few months I'm discovering openbsd ; as linux has been often
> recommended for windows's users with a very slow system, i guess that
> it's not that unadvised to use openbsd with a GUI for web browsing and
> little software (eg LO, gimp..)
> 
> i have tested "recent" openbsd releases, since 2022, and almost all of
> them are a bit slow with xfce/firefox etc.
> 
> i was wondering, for laptops range of 2013/16 years old, what would
> you recommend them for a common web browsing using openbsd?
> 
> I thank you vm 
> 

My two cents, just to balance some of the "you must be out of your mind"
answers you've been getting.

You are talking about 10 year-old laptops, which are likely to be
memory-limited, and in some cases have weaker CPUs and GPUs.  Ten years
ago, Firefox 25 recommended 512MB of RAM, a reasonably good digital
camera took 12Mp images and recorded 1080p 60fps videos.  Nowadays, it
all increased fourfold: Firefox recommends 2GB RAM, and a smartphone
will get you 48Mp images and 4K video at 60fps.  A ten year old laptop
probably will only have USB 2, now you'll get (you guessed it) four
times the bandwidth with USB 3.2, etc.

None of this has anything to do with whether you use OpenBSD.  I'm just
stating that it is not reasonable to expect that running OpenBSD (or
Linux, or whatever) will suddenly botox your aging hardware to make it
look 5 years younger.  Will it run faster than on Windows?  Almost
certainly.  Will it be capable of running Firefox with eight tabs open?
Probably, but it sure won't be "snappy" and "responsive".

In summary, manage your/the end user's expectations.  I've thought of
repurposing an old laptop for my 10yo kid, but I know that within a
week or two I'd be hearing complaints about the videos on the n-th
firefox tab not playing properly, or how nothing happens when you click
on some link.  I'd be able to live with that machine, my kid probably
wouldn't.

You can probably guess from what I wrote above that, in *my* experience,
the main frustrations with running older machines -- and by older I mean
at least 10 years old -- is web browsing (most browsers are bloated
memory-hogs, and the sites have followed suit), manipulating my own
photos and videos (and I mean just moving them around, not editing)
because of file size, and transfer rates to/from USB devices.  That
being said, I've used a ThinkPad X201 for many many happy years, after
getting as much RAM as possible into it.  But admittedly, I work mostly
on the terminal, with a lightweight WM (dwm, but there are many more
options), mutt for email, vim for work (statistical programming with R +
LaTeX), the occasional inkscape-ing and minor gimp-ing, and some usage
of LibreOffice.  It was certainly faster than Windows, and I don't think
it was much slower than Linux, if at all.

OpenBSD doesn't target speed (even if it runs pretty lean, compared to
most Linux distros I've come across), it targets security and
consistency.  If speed is all you're after, maybe other OSs will better
suit your needs.  Otherwise it's a trade-off, and only you will know if
it's worth it or not.

I am using OpenBSD like I said above for about 15 years now, the machine
I'm writing this on is about five years old, and I've been doing fine.
You'll probably do too.  Just stay clear of NVIDIA hardware, which can't
be properly supported.  Oh, and forget about bluetooth.

In the end, the proof is in the pudding.  If you have a spare HDD around
just install OpenBSD (not onto a USB device if the machine only has
USB2!), which is pleasantly quick, pkg_add firefox and browse about a
bit.  It won't take you long, and you'll get a good feel of how the
machine will behave.  Then, you can do some customizing
(https://www.openbsd.org/faq/faq11.html), add LibreOffice and Gimp, move
around a bit more, and then decide whether you find it worth it or not.

It all depends on the kind of usage you are planning, it depends on the
hardware, it depends on your (or the machine's final user's)
expectations, and on how much you value security, stability and
consistency over "performance" (however *you* define it).

Cheers
Zé

-- 
 



Re: PineView not using the whole screen

2023-10-26 Thread Loff
On Thu, Oct 26, 2023 at 01:18:13PM +0200, Daniele B. wrote:
> Crystal Kolipe :
> 
> >> Then, if you are asking tips on how to attack my working station by 
> >> injection of keystrocks on a
> >> pseudo keyboard device I have no clue but is it important indeed?
> > 
> > If you are concerned about that possibility then you can disable the ucc 
> > driver.
> 
> How to do that, please?
> Is it something easy that doesn't impact my OpenBSD 7.3 stable buddy ?
> 
> -- Daniele Bonini
> 

man config
man boot_config
man bsd.re-config

-- 
 



Re: Connecting a wireless keyboard via Bluetooth

2023-10-25 Thread Loff


On Wed, Oct 25, 2023 at 03:24:27PM +0200, Karel Lucas wrote:
> Hi all,
> 
> I have a computer with openBSD V7.4 without X11, to which I want to connect
> a wireless keyboard via Bluetooth. The keyboard is connected via a separate
> USB Bluetooth receiver. What software do I need for this, and how do I
> configure it? I hope someone responds to this.

I've read tales of some legendary (literally, not in the "awesome" sense
of the word) bluetooth adapters that could be switched into "HID proxy
mode", and present themselves as uhid(4) devices, which would then be
picked up by the OS as HIDs.  Supposedly those devices would remember
the pairings with keyboards/mice, and that would stick across boots.
Apparently, they're very hard to find, and even harder to get to work
properly.

If you are really desperate, apparently you can use a whole computer
with a full OS just for the task: https://github.com/mikerr/pihidproxy


-- 
 



Re: Bridging em and vlan

2023-10-01 Thread Loff
On Sat, Sep 30, 2023 at 11:39:36AM -0400, David Higgs wrote:
> All of my devices until now have been behind my OpenBSD NAT router, but I
> recently acquired a Internet of Trash device that I would like to be
> accessible to the internet (yes, I know).
> 
> My home configuration uses a Unifi AP to translate my various SSIDs into
> VLANs which plug into one of my APU em(4) ports.  The IoT thing already has
> its own dedicated SSID/VLAN, but doesn't enjoy living behind my NAT.

Define "doesn't enjoy".  It absolutely requires a public IP?  It needs
some ports to be forwarded?  Has some sort of network connection
detection that fails because some ports are blocked for outgoing
traffic?

> Is there a way for me to bridge just one of the vlan(4) logical interfaces
> with my other em(4) uplink, so that my IoT item can speak DHCP directly
> with my internet provider?

Assuming your WAN connection also gets its IP address by DHCP, will your
ISP assign you multiple IP addresses, one for your uplink, one for the
IoT device?
 
> Can this be done with veb/vport or bridge, or will I need to use something
> more exotic to strip the 802.1q tags before they are sent to my ISP?

If you absolutely need the IoT device to have unfiltered connection to
the internet, you can just create a DMZ of sorts for that VLAN, let all
traffic pass out, forward the necessary ports for incoming traffic, and,
assuming you don't trust the device at all, block all traffic from that
VLAN to the rest of the network (or be very selective about it), and
maybe also from other VLANs to that VLAN.  Putting it in a different
rdomain altogether might also be a good idea.
 
> Thanks in advance,
> 
> --david

-- 
 
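A pf.conf sketch of the DMZ-style setup suggested in the reply above, added here as an example rather than taken from the post. Every name and address in it is an assumption: em0 is the uplink (DHCP from the ISP), vlan20 is the IoT SSID's VLAN, 192.168.10.0/24 and 192.168.30.0/24 are the other internal VLANs, 192.168.20.1 is this router's address on the IoT VLAN, and 192.168.20.10 is the device with one service on TCP 8443 that has to be reachable from outside. DHCP for the VLAN is left out of the sketch.

```pf
# Added example, not from the original post.  All interface names,
# addresses and the forwarded port are assumptions (see the lead-in).
ext_if  = "em0"
iot_if  = "vlan20"
iot_net = "192.168.20.0/24"
iot_dev = "192.168.20.10"        # the device, with a static lease
table <internal> const { 192.168.10.0/24, 192.168.30.0/24, 192.168.20.1 }

set skip on lo

# The IoT VLAN is NATed out of the uplink like everything else.
match out on $ext_if inet from $iot_net nat-to ($ext_if)

block log all
pass out quick inet              # the router itself may talk out

# The device may use this router for DNS, and nothing else on our side:
pass in quick on $iot_if inet proto { tcp udp } from $iot_net to ($iot_if) port 53
block in quick on $iot_if inet from $iot_net to <internal>
# ... but anything bound for the internet is let through unfiltered.
pass in on $iot_if inet from $iot_net

# The rest of the house may not initiate connections to the IoT VLAN.
block in quick inet from <internal> to $iot_net

# Only this one port is exposed, redirected to the device.
pass in on $ext_if inet proto tcp to ($ext_if) port 8443 rdr-to $iot_dev
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it; the "block log all" default means anything not listed (including the router's own DHCP exchange on vlan20, if it serves that VLAN) shows up on pflog0 and needs a rule of its own. Moving the IoT VLAN into its own rdomain, as the reply also suggests, would add a routing-table boundary on top of these filter rules.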



Re: Update from 6.5 to 7.3

2023-09-08 Thread Loff
On Fri, Sep 08, 2023 at 10:01:45AM +0200, Alessandro Baggi wrote:
> Hi list,
> I've a problem. I need to upgrade OpenBSD from 6.5 to 7.3 on an APU2D. This
> is a firewall.
> The problem is that I cannot find older ISO of OpenBSD. Can someone point me
> in the right direction?
> 
> Thank you in advance.
> 

Considering this is a firewall I'm assuming it doesn't differ
significantly from a base install (network config, pf.conf, perhaps some
ssh keys, a couple of packages).  If this is the case I'd much rather do
a fresh install and redo the changes.  Unless you have a very complex
setup, it's much quicker to start from scratch than do eight upgrades in
a row.

-- 
 



Re: Some harddisks can't be recognized

2023-08-08 Thread Loff
On Tue, Aug 08, 2023 at 04:25:31PM +0800, Yue Wu wrote:
> Hi list,
> 
> I have a mainboard which has 12 SATA ports, but only 8 ports could
> be recognized by openbsd, other 4 ports can't, dmesg has messages
> something like this:
> 
> ahci2.1: port is unplugged
> ahci2.1: unable to probe PMP port; portreset failed
> ahci2.3: port is unplugged
> ahci2.3: unable to probe PMP port; portreset failed
> 
> What should I do?

You should send a full dmesg.  There is a lot of crucial information
missing, here, not least about the ahci controller.

> btw, debian and FreeBSD work well, all disks could be recognized.
> 
> -- 
> 吴悦
> Yue Wu
> 

-- 
 



Re: Mounting an SD-card and an USB-stick

2023-07-25 Thread Loff
On Tue, Jul 25, 2023 at 06:08:00PM +0200, Karel Lucas wrote:
> 
> Dear all,
> 
> For a fresh install of openBSD, I want to mount an SD card or a USB stick on
> an existing openBSD install, but don't know which device name to use. Maybe
> someone can help me out?
> 

You can check the device name to which they are attached by checking the
dmesg or /var/log/messages.  This is from attaching a card reader with
multiple slots, but only one of them holding a card (sd4):

$ dmesg
...
umass0 at uhub0 port 12 configuration 1 interface 0 "Generic USB Storage" 
rev 2.10/12.09 addr 9
umass0: using SCSI over Bulk-Only
scsibus5 at umass0: 2 targets, initiator 0
sd2 at scsibus5 targ 1 lun 0:  removable
sd3 at scsibus5 targ 1 lun 1:  removable
sd4 at scsibus5 targ 1 lun 2:  removable
sd4: 30608MB, 512 bytes/sector, 62685184 sectors
sd5 at scsibus5 targ 1 lun 3:  removable

If in doubt, you can then check which partitions that disk holds using 
disklabel:

$ disklabel sd4
...
#size   offset  fstype [fsize bsize   cpg]
  c: 626851840  unused
  i: 62676992 8192   MSDOS

In this case, a single MSDOS partition (i) that you can then mount:

# mount /dev/sd4i /mnt

Cheers
Zé

-- 
 



Re: NFS mounted but shows nothing even df -h has it

2023-05-31 Thread Loff
On Wed, May 31, 2023 at 05:25:07PM +0800, Jazzi Hong wrote:
> You made the point, thank you Maksim.
> I checked /mnt/hdd and nothing there.
> > # cat /etc/fstab
> 1593ab2ee369c420.b none swap sw
> 1593ab2ee369c420.a / ffs rw 1 1
> 1593ab2ee369c420.e /var ffs rw,nodev,nosuid 1 2
> 2b6c2b5b929f9a55.i /mnt/hdd ffs rw,noexec,nosuid,nodev 0 0
> > # doas sysctl hw.disknames
> hw.disknames=sd0:2b6c2b5b929f9a55,sd1:1593ab2ee369c420
> > # doas fdisk sd0
> Disk: sd0 geometry: 121601/255/63 [1953525168 Sectors]
> Offset: 0 Signature: 0xAA55
> Starting Ending LBA Info:
>  #: id  C   H   S -  C   H   S [   start:size ]
> ---
>  0: 00  0   0   0 -  0   0   0 [   0:   0 ] unused
>  1: 00  0   0   0 -  0   0   0 [   0:   0 ] unused
>  2: 00  0   0   0 -  0   0   0 [   0:   0 ] unused
> *3: A6  0   1   2 - 121601  80  63 [  64:  1953525104 ] OpenBSD
> 
> So /dev/sd0 is my NFS share hard disk, and when I tried to mount it manually:
> > # doas mount /mnt/hdd
> mount_ffs: 2b6c2b5b929f9a55.i on /mnt/hdd: Invalid argument
> +++
> The error message mentioned about "Invalid argument" of mount, anything wrong?
> So the problem now is why can not mount the drive even it's detected?

It can detect the drive, but it doesn't find the i partition.  What does
disklabel sd0 say?


-- 
 



Can't assign rules to anchors using wildcards

2023-04-17 Thread Loff


This is probably a case of misplaced expectations, but I can't assign
the same rules to a group of pf anchors, using something like "foo/*".
Rules get attached to the parent anchor.

Minimal working example:

/tmp/pf.conf:

anchor "foo" {
  anchor "lan"  from 192.168.0.1
  anchor "wlan" from 192.168.1.1
}


# pfctl -f /tmp/pf.conf
# pfctl -a '*' -sr
anchor "foo" all {
  anchor "lan" inet from 192.168.0.1 to any {
  }
  anchor "wlan" inet from 192.168.1.1 to any {
  }
}


# echo "pass inet proto tcp to port 80" | pfctl -a 'foo/*' -f -
# pfctl -a '*' -sr
anchor "foo" all {
  pass inet proto tcp from any to any port = 80 flags S/SA
}


Of course things work fine if you assign them individually:

# pfctl -f /tmp/pf.conf
# echo "pass inet proto tcp to port 80" | pfctl -a 'foo/lan' -f -
# echo "pass inet proto tcp to port 80" | pfctl -a 'foo/wlan' -f -
# pfctl -a '*' -sr
anchor "foo" all {
  anchor "lan" inet from 192.168.0.1 to any {
pass inet proto tcp from any to any port = 80 flags S/SA
  }
  anchor "wlan" inet from 192.168.1.1 to any {
pass inet proto tcp from any to any port = 80 flags S/SA
  }
}


Is this the expected behaviour?  From reading pf.conf(5) I'd expect the
"foo/*" syntax to work in the same manner for getting ("-sr") or
setting ("-f -") rules, but maybe I'm getting it wrong.  Just wondering
if I stepped on a bug.

All the best
Zé

-- 
 



Re: Securing ttys

2023-04-03 Thread Loff


On Mon, Apr 03, 2023 at 06:11:25AM +0200, Daniele Bonini wrote:
> 
> Hello,
> 
> After the last patches, thanks gosh it is arrived the last
> *trendy*, *new* as *much acclaimed* keystrokes attack.. So I turned from
> the road to work this night -> to try to fix my ttys. 
> Indeed, I'm here asking your help to avoid ways to remain locked out or
> to just not remain more dirty in this "pond", possibly.
> 
> My constraints are the followings:
> 1) I would like to avoid root password request on single-user shell
>(that it permits me to solve risky quiz while troubleshooting the system in
>bad conditions)
> 2) I would like as less as possible active ttys for a dev workstation
>and indeed I would like all ttys locally bound. 
> 3) I would like to disable - if possible - the CTRL + ALT + FN
>keystrokes combinations to recall each single TTY
> 
> Doing this I wonder a couple of more details:
> a) what is the cleanest as safest syntax to not jump start getty on
>the network (including the zero possibility to eventually trigger
>it..)
> b) where to specify correctly the flag "local" (eg. in console and
>ttyC0 ?)
> c) I can safely disable all CN apart C0 or you consider this move
>hazardous in the optic to rescue the system or so forth?
> 
> Thnks, appreciated! :D
> 
> 
> -- Daniele Bonini
> 

Sometimes it *really* looks like you use this mailing list as a search
engine...

The answer for question 2 can be easily found on man ttys.  The fact
that you didn't find it strongly suggests you didn't even *try* to find
it.


-- 
 



Re: Mail Etiquette: Reply above or below

2023-03-07 Thread Loff



On Tue, Mar 07, 2023 at 09:36:10AM +, Johannes Thyssen Tishman wrote:
> Hi,
> 
> When I reply to an email I do so above the senders message, however I
> see many people in the mailing lists replying below it. Is this the
> preferred way or just preference? Thanks.
> 
> Kind regards,
> Johannes

For OpenBSD's mailing lists, the netiquette rules are clearly presented
here https://www.openbsd.org/mail.html.

Another unwritten rule (and not exclusive to these lists, I'd say) is
that if someone replies off-list you *don't* reply back through the list
(i.e.  you don't "pull" the reply back in to the list), at least not
without asking first.  There's probably a reason for someone not wanting
their reply made public (otherwise they wouldn't have gone off-list) and
it's rude to publish a private exchange.

Cheers
Zé

-- 
 



Re: Unbound prisoner :D

2023-02-20 Thread Loff
On Sun, Feb 19, 2023 at 07:33:54AM +0100, Daniele Bonini wrote:
> 
> Hello,
> 
> I'm currently using Unbound in my own setup with a very basic
> and incomplete configuration that should serve myself mainly the local
> dns caching mechanism factor.
> 
> Problem arising are two:
> 1) I'm not able to stop (or refresh) unbound via my own unload script as
> unbound-control is disabled. This save my boat from a security
> prospective, if it's not real the following..
> 2) Caching forbid me often to deal the actual nameservers of this or the
> other of even my own websites. I change nameservers of the website I'm
> currently working on and I'm stuck, I can't rich it anymore.
> 
> Any tip, tweak or hack ? Eheh.. 

Use a local socket for unbound's remote control:

remote-control:
control-enable: yes
control-interface: /var/run/unbound.sock

or use unwind to force some domains to be resolved elsewhere, bypassing
your caching resolver.

> 
> 
> Daniele Bonini
> 
> -- Damn, and the security of everthing!?
> 

-- 
 



Re: No

2022-12-12 Thread Loff
On Sun, Dec 11, 2022 at 04:20:53PM -0800, Randall Gellens wrote:
> I have a Protectli box that is the router for my home network. The home
> network uses U-Verse to connect to the outside, and has separate Ethernet
> networks for servers, wired clients, and Wi-Fi IoT clients. U-Verse supplies
> their own box (a "Residential Gateway" or RG) that sits at the connection
> points. The RG throws a tantrum if it detects an internal router or
> multi-homed devices, so the OpenBSD box is set up as a transparent filtering
> bridge so the RG thinks all the devices are connected directly to it. The
> OpenBSD box has Ethernet ports for the U-Verse RG and one for the three
> internal networks, with pf filtering the packets. The /etc/hostname.if files
> provide an IP address for the interface for the server network and one for
> the Wi-Fi interface (these are on different networks). The /etc/hostname.if
> files for the U-Verse and wired client Ethernet ports have just a
> description.
> 
> The Protectli was running (I think) OpenBSD 6.2, but suffered a disk failure
> and I couldn't find my backup, so I installed a fresh OpenBSD 7.2 on it and
> added the users and config files (I had current versions of those). The
> config files are pretty minimal: /etc/hostname.if files for the four
> Ethernet ports and the bridge, /etc/sysctl.conf to set
> net.inet.ip.forwarding=1, pf.conf for the rules. There aren't any other
> services running on the box (other boxes are used for DHCP, DNS, etc.).
> 
> Initially, the server and Wi-Fi Ethernet ports had traffic and packets were
> routed between them, but there was no traffic on the wired clients nor
> U-Verse Ethernet ports, and no packets got between them. A client on Wi-Fi
> could ping a server and vice versa, and other servers could reach the
> OpenBSD box. But clients couldn't reach servers, and nothing could get
> outside. All interfaces looked right when viewed using ifconfig, and the
> bridge looked right (it was up and had the four interfaces). There were no
> errors during startup, nor when running netstart.
> 
> Changing the /etc/hostname.if files for the U-Verse and client ports to add
> an 'inet' line with a dummy IP address made it all start working. Before,
> they just had a line with "description" and text.
> 
> Questions:
> 
> (1) I'd like to understand the interfaces worked without having IP addresses
> in OpenBSD 6 but not in OpenBSD 7. They showed as up and as part of the
> bridge, but no traffic.

Without *at least* the applicable /etc/hostname.* files it's hard to help
you with this.  FWIW, I have a 7.1 box with a similar setup that
forwards packets adequately (bridging two vlan interfaces, with no IP
addresses on the parent interfaces, the vlan interfaces or the bridge).

> (2) Also, I have several old machines that can no longer SSH into the
> OpenBSD 7 box. They get an error "no hostkey alg". Is there an easy way to
> get the OpenBSD box to accept connections from older clients? Presumably I
> need to enable older key algorithms, but after hunting through the OpenSSH
> manual I can't see what I need to do. The packet rules block access to the
> OpenBSD box from outside.

RSA was deprecated some time ago.  Add

HostKeyAlgorithms=+ssh-rsa
PubkeyAcceptedAlgorithms=+ssh-rsa

to /etc/ssh/sshd_config, or, better yet, change the clients' config to
bring them up to speed (I understand it might not be feasible).

 
> Thank you for any help,
> 
> --Randall
> 

-- 
 



Re: Syncthing permissions question

2022-10-27 Thread Loff
On Wed, Oct 26, 2022 at 10:38:04PM -0400, Jag Talon wrote:
> Hello,
> 
> I'm new to OpenBSD and I'm unfamiliar with permissions in general so I'm a
> little lost. I installed syncthing, and it creates the default folder in
> /var/syncthing/Sync which is owned by _syncthing and has the group
> _syncthing.
> 
> I'm able to read the contents of the directory, but I'm unable to write into
> them. I tried adding myself to the _syncthing group by doing:
> 
> usermod -G jag _syncthing

This must be the other way round: usermod -G <group> <user>
Don't forget that you'll need a new login to notice the effects of this.

> But it seems that I'm still unable to write to the directory. I know I can
> change the ownership of the files by using chmod -R, but new files will
> still have the same _syncthing user and group and it seems off to keep
> changing permissions of the files.
> 
> How do I enable the user `jag` to read and write to things owned by the
> daemon `_syncthing`?
> 
> Thank you so much!
> 

-- 
 



Re: Broken softraid0

2022-09-07 Thread Loff


On Wed, Sep 07, 2022 at 07:24:49PM +0200, Danny Koenig wrote:
(trimmed)
> > > > root@core-fs:~ => disklabel -p g /dev/sd5c 
> > > > # /dev/sd5c:
> > > > type: SCSI
> > > > disk: SCSI disk
> > > > label: SR RAID 1
  ^^
(trimmed)
> 
> 
> Yes, that's the output:
> 
> # /dev/rsd5c:
> type: SCSI
> disk: SCSI disk
> label: SR RAID 1C
^^^

Are you sure you reassembled things correctly?  Your backup disklabel
seems to indicate an encrypted volume (a RAID1 encrypted volume, to be
precise), but your "new" disklabel (the one you got when things stopped
working) indicates only RAID1.


-- 
 



Re: Broken softraid0

2022-09-07 Thread Loff


On Wed, Sep 07, 2022 at 06:14:59PM +0100, Zé Loff wrote:
> On Wed, Sep 07, 2022 at 06:42:54PM +0200, Danny König wrote:
> > Hi,
> >  
> > first time I need your support regarding a broken softraid0. After a
> > normal reboot the softraid0 (RAID 1, two disks sd0 and sd1, softraid0
> > as sd5) was broken what means no mounts, no nothing.
> > 
> >  
> > root@core-fs:~ => disklabel -p g /dev/sd0c 
> > # /dev/sd0c: 
> > type: SCSI 
> > disk: SCSI disk 
> > label: ST16000NM003G-2K 
> > duid: b1c256d6dc122fa7 
> > flags: 
> > bytes/sector: 512 
> > sectors/track: 63 
> > tracks/cylinder: 255 
> > sectors/cylinder: 16065 
> > cylinders: 1945332 
> > total sectors: 31251759104 # total bytes: 14902.0G 
> > boundstart: 0 
> > boundend: 31251759104 
> > drivedata: 0
> > 16 partitions: 
> > # size offset fstype [fsize bsize cpg] 
> > a: 14902.0G 0 RAID 
> > c: 14902.0G 0 unused
> > 
> > 
> > 
> > root@core-fs:~ => disklabel -p g /dev/sd1c 
> > # /dev/sd1c: 
> > type: SCSI 
> > disk: SCSI disk 
> > label: ST16000NM003G-2K 
> > duid: acedcb2d1684fb18 
> > flags: 
> > bytes/sector: 512 
> > sectors/track: 63 
> > tracks/cylinder: 255 
> > sectors/cylinder: 16065 
> > cylinders: 1945332 
> > total sectors: 31251759104 # total bytes: 14902.0G 
> > boundstart: 0 
> > boundend: 31251759104 
> > drivedata: 0
> > 16 partitions: 
> > # size offset fstype [fsize bsize cpg] 
> > a: 14902.0G 0 RAID 
> > c: 14902.0G 0 unused 
> > 
> > 
> > 
> > root@core-fs:~ => disklabel -p g /dev/sd5c 
> > # /dev/sd5c:
> > type: SCSI
> > disk: SCSI disk
> > label: SR RAID 1
> > duid: 
> > flags:
> > bytes/sector: 512
> > sectors/track: 255
> > tracks/cylinder: 511
> > sectors/cylinder: 130305
> > cylinders: 239835
> > total sectors: 31251758576 # total bytes: 14902.0G
> > boundstart: 0
> > boundend: 31251758576
> > drivedata: 0 
> > 
> > 16 partitions:
> > #size   offset  fstype [fsize bsize   cpg]
> >   c: 14902.0G0  unused
> > 
> > 
> > 
> >  
> > root@core-fs:~ => bioctl softraid0 
> > Volume Status Size Device 
> > softraid0 0 Online 16000900390912 sd5 RAID1 
> > 0 Online 16000900390912 0:0.0 noencl  
> > 1 Online 16000900390912 0:1.0 noencl 
> > 
> > 
> >  
> > Thats what we got, but no mounts are possible.
> >  
> > Any ideas how to become the data back available?
> >  
> > Thank you very much.
> >  
> > Regards,
> > Danny
> > 
> 
> sd5's disklabel looks pretty empty (duid included), but you already know
> that...
> Do you have a backup disklabel, e.g., in /var/backups?

Actually, I'll just quote scan_ffs's manpage:

 1. Panic.  You usually do so anyways, so you might as well get it over
    with.  Just don't do anything stupid.  Panic away from your
    machine.  Then relax, and see if the steps below won't help you
    out.

 2. Try to find your old disklabel by any other means possible.  This
    includes printouts, backups (look in /var/backups/), screendumps,
    and whatever other method you can think of.  The more information
    you have, the better your chances are in recovering the disklabel
    of the disk.

 3. Create a disklabel on the affected disk, which covers the whole
    disk, and has at least one partition which covers the whole disk.
    As the “c” partition usually covers the whole disk anyways, this
    sounds like a good place to start.

 4. Run scan_ffs over this partition.  If you have any information
    about the disklabel which used to exist on the disk, keep that in
    mind while scan_ffs spews out its things.

 5. Use disklabel(8) to reconstruct the disklabel on the affected disk,
    using all the information you gathered from scan_ffs and other
    sources.

(Make sure to read the rest of it, though)

> 
> -- 
>  
> 

-- 
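A quick check for the "empty disklabel" symptom discussed in this thread, as an added example (not from the thread or from the scan_ffs man page): it reads the text of `disklabel -p g <disk>` on stdin and succeeds when the label has no duid and no partition besides the whole-disk "c" slice, which is the state sd5 was in above and the cue to look in /var/backups before touching scan_ffs. The two sample labels are constructed (sizes in sectors), modelled on the sd0 and sd5 output posted in the thread.

```shell
#!/bin/sh
# Added example, not part of the thread.  Tells an intact disklabel (duid set,
# at least one real partition) from a wiped one (no duid, only c:).

label_is_empty() {
    # exit 0 when the label on stdin carries neither a duid nor any a:..p:
    # partition other than c:, which is what the broken sd5 label looked like
    awk '
        $1 == "duid:" && $2 != ""  { have_duid = 1 }
        /^ *[abd-p]:/              { have_part = 1 }
        END { if (have_duid || have_part) exit 1; exit 0 }
    '
}

label_is_empty_str() {
    # convenience wrapper so a label held in a shell variable can be tested
    printf '%s\n' "$1" | label_is_empty
}

list_label_backups() {
    # daily(8) keeps a copy of every disk's label under /var/backups; that is
    # the first place step 2 of the scan_ffs man page tells you to look
    ls /var/backups/disklabel.* 2>/dev/null
}

# Constructed sample: a RAID member whose label is intact.
SAMPLE_MEMBER='# /dev/sd0c:
type: SCSI
disk: SCSI disk
label: ST16000NM003G-2K
duid: b1c256d6dc122fa7
flags:
total sectors: 31251759104
16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:      31251759104                0    RAID
  c:      31251759104                0  unused'

# Constructed sample: the assembled softraid volume with a wiped label.
SAMPLE_VOLUME='# /dev/sd5c:
type: SCSI
disk: SCSI disk
label: SR RAID 1
duid: 
flags:
total sectors: 31251758576
16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  c:      31251758576                0  unused'

if label_is_empty_str "$SAMPLE_VOLUME"; then
    echo "sd5: label looks empty; check /var/backups before running scan_ffs"
    list_label_backups
fi
```

On a live system, `disklabel -p g sd5 | label_is_empty` does the same test against the real label; the member disks should fail the test (they carry a duid and an a: RAID partition) while the volume is the one that passes.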
 



Re: Broken softraid0

2022-09-07 Thread Loff
On Wed, Sep 07, 2022 at 06:42:54PM +0200, Danny König wrote:
> Hi,
>  
> first time I need your support regarding a broken softraid0. After a
> normal reboot the softraid0 (RAID 1, two disks sd0 and sd1, softraid0
> as sd5) was broken what means no mounts, no nothing.
> 
>  
> root@core-fs:~ => disklabel -p g /dev/sd0c 
> # /dev/sd0c: 
> type: SCSI 
> disk: SCSI disk 
> label: ST16000NM003G-2K 
> duid: b1c256d6dc122fa7 
> flags: 
> bytes/sector: 512 
> sectors/track: 63 
> tracks/cylinder: 255 
> sectors/cylinder: 16065 
> cylinders: 1945332 
> total sectors: 31251759104 # total bytes: 14902.0G 
> boundstart: 0 
> boundend: 31251759104 
> drivedata: 0
> 16 partitions: 
> # size offset fstype [fsize bsize cpg] 
> a: 14902.0G 0 RAID 
> c: 14902.0G 0 unused
> 
> 
> 
> root@core-fs:~ => disklabel -p g /dev/sd1c 
> # /dev/sd1c: 
> type: SCSI 
> disk: SCSI disk 
> label: ST16000NM003G-2K 
> duid: acedcb2d1684fb18 
> flags: 
> bytes/sector: 512 
> sectors/track: 63 
> tracks/cylinder: 255 
> sectors/cylinder: 16065 
> cylinders: 1945332 
> total sectors: 31251759104 # total bytes: 14902.0G 
> boundstart: 0 
> boundend: 31251759104 
> drivedata: 0
> 16 partitions: 
> # size offset fstype [fsize bsize cpg] 
> a: 14902.0G 0 RAID 
> c: 14902.0G 0 unused 
> 
> 
> 
> root@core-fs:~ => disklabel -p g /dev/sd5c 
> # /dev/sd5c:
> type: SCSI
> disk: SCSI disk
> label: SR RAID 1
> duid: 
> flags:
> bytes/sector: 512
> sectors/track: 255
> tracks/cylinder: 511
> sectors/cylinder: 130305
> cylinders: 239835
> total sectors: 31251758576 # total bytes: 14902.0G
> boundstart: 0
> boundend: 31251758576
> drivedata: 0 
> 
> 16 partitions:
> #                size           offset  fstype [fsize bsize   cpg]
>   c:         14902.0G                0  unused
> 
> 
> 
>  
> root@core-fs:~ => bioctl softraid0 
> Volume Status Size Device 
> softraid0 0 Online 16000900390912 sd5 RAID1 
> 0 Online 16000900390912 0:0.0 noencl  
> 1 Online 16000900390912 0:1.0 noencl 
> 
> 
>  
> That's what we got, but no mounts are possible.
>  
> Any ideas how to make the data available again?
>  
> Thank you very much.
>  
> Regards,
> Danny
> 

sd5's disklabel looks pretty empty (duid included), but you already know
that...
Do you have a backup disklabel, e.g., in /var/backups?

-- 
 



Re: httpd multiple site same address and port TLS issue

2022-08-29 Thread Loff
On Sun, Aug 28, 2022 at 09:45:00PM -0400, George wrote:
> Hi guys,
> I wish to run multiple sites from the same IP and use different TLS certs
> for each.
> Example:
> server "example01.com" {
>   listen on 1.2.3.4 port 80
>   listen on 1.2.3.4 tls port 443
>   tls {
>     certificate "example01.com.fullchain.pem"
>     key "example01.com.key"
>   }
> }
> server "example02.com" {
>   listen on 1.2.3.4 port 80
>   listen on 1.2.3.4 tls port 443
>   tls {
>     certificate "example02.com.fullchain.pem"
>     key "example02.com.key"
>   }
> }
> Problem is I get the certificate for the first declared
> server each time unless I change the IP or port.
> Is it possible to have a configuration to serve different
> servers on the same address and port with different
> TLS certs?
> Thanks in advance,
> George

Have you considered using relayd?


table  { 1.2.3.4 }

http protocol "http" {
return error

match request header "Host" value "example01.com" forward to 

match request header "Host" value "example02.com" forward to 

}

https protocol "https" {
tls keypair "example01.com"
tls keypair "example02.com"

match header set "X-Forwarded-For" value "$REMOTE_ADDR"
match header set "X-Forwarded-For-By" value "$REMOTE_ADDR:$SERVER_PORT"

match query hash "sessid"

match request header "Host" value "example01.com" forward to 

match request header "Host" value "example02.com" forward to 

}

relay "http_relay" {
listen on 1.2.3.4 port 80
protocol "http"

forward to  port 80 check tcp
}

relay "https_relay" {
listen on 1.2.3.4 port 443 tls
protocol "https"

forward with tls to  port 443 check tcp
}



DISCLAIMER: this is adapted from one of my setups and, obviously, hasn't
been properly tested.  I hope it's enough to point you in the right
direction.  See relayd's man page for the details about the certificates
and the "tls keypair" parts of the config.

Cheers
Zé

-- 
 



Re: Freeze on OpenBSD 7.1

2022-07-20 Thread Loff
On Wed, Jul 20, 2022 at 07:20:15AM -, Stuart Henderson wrote:
> On 2022-07-20, Stuart Henderson  wrote:
> > On 2022-07-19, Zé Loff  wrote:
> >> You have a single core machine with 2Gb RAM, and the data you sent seems
> >> to indicate that there is no free RAM left.
> >
> > Where are you seeing that? systat vm shows ~850MB free. No apparent mbuf 
> > leak.
> > No pool allocation failures.

You are absolutely right, my apologies.  I read it all too fast and
misinterpreted the "Free 83K" on netstat -m, and didn't do the math to
see that the "In use 20334K" actually aren't close to 2Gb.

> Also it is a dual core machine but currently running a single-processor kernel
> (GENERIC not GENERIC.MP) - see the "cpu: not configured"

Also missed that, although in practice it acts as a single core machine,
so it will be less responsive when overworked, which was what I was
thinking about.  Again, reading the load average would have saved me
from the embarrassment.

Sorry for the noise, and thanks for setting me straight.

> 
> 
> -- 
> Please keep replies on the mailing list.
> 

-- 
 



Re: Freeze on OpenBSD 7.1

2022-07-19 Thread Loff


On Tue, Jul 19, 2022 at 03:27:53PM +0200, Nicolas wrote:
> Hello Stuart,
> 
> I haven't seen your messages immediately, it was incorrectly filtered by my
> email client.
> 
> Here are the results of the commands. I hope my email client won't render it
> useless !
> 
> For the moment, I try to cool the AC adapter and plan to plug in a monitor
> if another freeze occurs.
> 
> Thank you, Stuart !
> 
> Nicolas, Paris.

In the past, I managed to "freeze" my laptop by exhausting RAM and
starting to swap.  Actually, it wasn't really frozen, just very very
VERY slow in responding, to the point that it was equivalent to a
freeze (e.g. even the Wi-Fi firmware would start freaking out with
timeouts).  The only option was to hard reset the machine.

You have a single core machine with 2Gb RAM, and the data you sent seems
to indicate that there is no free RAM left.  Would a similar scenario be
plausible (i.e., RAM usage keeps adding up, until a tipping point)?

Cheers
Zé

-- 
 



Re: Browser access to file system on new install OpenBSD missing.

2022-07-14 Thread Loff
On Thu, Jul 14, 2022 at 09:44:20AM +0200, Brian Durant wrote:
> The browser issue has returned. An open dialog window to upload a file or to
> open a file cannot find the downloads directory and it is impossible to
> access by using "recents" or "computer" in the open dialog window. Not sure
> what is going on, but it sure is irritating.
> 

Add /tmp and/or other unveil'ed folders to your GTK3 bookmarks.  That
way there is always an accessible folder on the sidebar on which to
click:

echo "file:///tmp" >> ~/.config/gtk-3.0/bookmarks

-- 
 



Re: Mutt cannot sent mail in OpenBsd

2022-07-08 Thread Loff
On Fri, Jul 08, 2022 at 07:22:51PM +0200, Wim wrote:
> The strange thing is that the client machine and server are the same...

The client's not necessarily the same.  Linux might be using OpenSSL,
OpenBSD is almost certainly using LibreSSL, there might be differences
on the root certificates accepted by each OS, etc.

Compare the output of

openssl s_client -showcerts -servername mail.thinkerwim.org -connect 
mail.thinkerwim.org:587 -starttls smtp

and check for differences. 

> Maybe Mutt looks in the wrong place. I installed mutt from the openbsd 
> package and am using openbsd 7.1
> 
> Thanks for the help.
> Kind regards
> Wim
> 
> Philipp Buehler  schreef op 8 
> juli 2022 16:31:31 CEST:
> >Am 08.07.2022 15:49 schrieb Dave Voutila:
> >
> >> $ openssl s_client -showcerts -servername mail.thinkerwim.org -connect
> >> mail.thinkerwim.org:587
> >
> >`-starttls smtp` helps a lot. The cert is there (also on :25 ftm) and signed 
> >by LE.
> >
> >The rub is that the mutt client machine does not know that issuer,
> >See openssl documentation how to do this.
> >
> >HTH
> >-- 
> >pb
> >

-- 
 



Re: PF table issue on 7.1-Current

2022-06-07 Thread Loff
On Tue, Jun 07, 2022 at 04:26:11PM +0300, Barbaros Bilek wrote:
> Hello Misc,
> 
> I think there is an issue with PF tables on -current.
> Here is my working PF config sample from before 7.1-Current.
> block log quick inet from 
> pfctl -f /etc/pf.conf
> Another software fills this Malicious table with this command:
> # pfctl -t Malicious -T add 1.2.3.4
>  1 table created.
>  1/1 addresses added.
> # pfctl -t Malicious -T show 1.2.3.4
>  1.2.3.4
> 
> But with my newly upgraded OpenBSD version it doesn't.
> OpenBSD 7.1-current (GENERIC.MP) #575: Mon Jun 6 10:11:31 MDT 2022
> #pfctl -t Malicious -T add 1.2.3.4
> 1 table created.
> pfctl: Table does not exist
> 
> #pfctl -t Malicious -T show
> pfctl: Table does not exist
> 
> 
> Thanks for your time.
> 
> --
> Barbaros

You now need to explicitly create the table with

table 

on your pf.conf.  This was not enforced in 7.1, so you got away with it,
but it is now.



-- 
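The check a feeder script should make before it runs `pfctl -T add`, as an added example (not from the thread): confirm that pf.conf actually declares the table, since, as the reply above says, -current now rejects adds to an undeclared table with "Table does not exist". The table name Malicious is the one from the thread; the pf.conf excerpts are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread.  Verifies that pf.conf declares a table
# before an external script tries to populate it with pfctl -T add.

table_declared() {
    # usage: table_declared <pf.conf> <table>; exit 0 if a "table <name>"
    # statement is present (comments and leading whitespace are tolerated)
    sed 's/#.*//' "$1" | grep -Eq "^[[:space:]]*table[[:space:]]+<$2>([[:space:]]|$)"
}

add_to_table() {
    # usage: add_to_table <pf.conf> <table> <address>...
    conf=$1; tbl=$2; shift 2
    table_declared "$conf" "$tbl" || {
        echo "table <$tbl> is not declared in $conf; add 'table <$tbl> persist'" >&2
        return 2
    }
    pfctl -t "$tbl" -T add "$@"
}

# Constructed pf.conf excerpt with the declaration the thread ended up
# needing.  "persist" keeps the table in the kernel even while no rule
# references it, so an external feeder can populate it at any time.
SAMPLE_GOOD='# constructed pf.conf
table <Malicious> persist
block log quick inet from <Malicious>
pass out'

# Constructed excerpt that only references the table, which is what worked
# on 7.1 and now fails.
SAMPLE_MISSING='# constructed pf.conf
block log quick inet from <Malicious>
pass out'

write_sample() {
    # usage: write_sample <text>; prints the path of a temp file holding it
    f=$(mktemp) || return 1
    printf '%s\n' "$1" > "$f"
    printf '%s\n' "$f"
}

good=$(write_sample "$SAMPLE_GOOD")
if table_declared "$good" Malicious; then
    echo "Malicious is declared; pfctl -t Malicious -T add would be accepted"
fi
rm -f "$good"
```

`pfctl -nf /etc/pf.conf` remains the authoritative syntax check for the file itself; the grep above only answers the one question the feeder needs answered before it calls pfctl.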
 



Re: Telegraf returns an error in OpenBSD 7.1

2022-05-12 Thread Loff


On Thu, May 12, 2022 at 03:40:36PM +0200, Carlos López Martínez wrote:
> Hi all,
> 
> Does the telegraf package work under OpenBSD 7.1? I have installed it from the
> package binaries and it returns the following error:
> 
> + daemon=/usr/local/bin/telegraf
> + daemon_logger=daemon.info
> + daemon_user=_telegraf
> + . /etc/rc.d/rc.subr
> + _rc_actions=start stop restart reload check
> + readonly _rc_actions
> + [ -n  ]
> + _name=telegraf
> + _rc_check_name telegraf
> + [ -n @(#)PD KSH v5.2.14 99/07/13.2 ]
> + [ -n /usr/local/bin/telegraf ]
> + unset _RC_DEBUG _RC_FORCE
> + getopts df c
> + shift 0
> + _RC_RUNDIR=/var/run/rc.d
> + _RC_RUNFILE=/var/run/rc.d/telegraf
> + _rc_do _rc_parse_conf
> + rc_reload_signal=HUP
> + rc_stop_signal=TERM
> + eval _rcflags=${telegraf_flags}
> + _rcflags=
> + eval _rclogger=${telegraf_logger}
> + _rclogger=
> + eval _rcrtable=${telegraf_rtable}
> + _rcrtable=
> + eval _rctimeout=${telegraf_timeout}
> + _rctimeout=
> + eval _rcuser=${telegraf_user}
> + _rcuser=
> + getcap -f /etc/login.conf.d/telegraf:/etc/login.conf telegraf
> + > /dev/null
> + 2>&1
> + daemon_class=telegraf
> + [ -z  ]
> + daemon_rtable=0
> + [ -z  ]
> + daemon_timeout=30
> + [ -z _telegraf ]
> + [ -n  -o start != start ]
> + [ -n  ]
> + [ -n  ]
> + [ -n  ]
> + [ -n  ]
> + [ -n  ]
> + [ -n  ]
> + readonly daemon_class
> + unset _rcflags _rclogger _rcrtable _rctimeout _rcuser
> + eval echo /usr/local/bin/telegraf
> + echo /usr/local/bin/telegraf
> + pexp=/usr/local/bin/telegraf
> + rcexec=su -fl -c telegraf -s /bin/sh _telegraf -c
> + id -R
> + [ 0 -eq 0 ]
> + rc_bg=YES
> + rc_reload=NO
> + rc_cmd start
> telegraf(failed)
> 
>  Trying to execute as root from shell:
> 
> root@obsdnode01:/etc/login.conf.d# telegraf -h
> 2022/05/12 13:39:49 mmap: cannot allocate memory
> 
>  Any idea?
> -- 
> Best regards,
> C. L. Martinez
> 

I'm running telegraf on several amd64 7.1 (both -stable and recent-ish
-current) machines.  I also get the mmap error when running by hand,
but it works fine with the default rc script:

$ cat /etc/rc.d/telegraf
#!/bin/ksh

daemon="/usr/local/bin/telegraf"
daemon_logger="daemon.info"
daemon_user="_telegraf"

. /etc/rc.d/rc.subr

rc_bg=YES
rc_reload=NO

rc_cmd $1

Cheers
Zé

-- 
 



Re: Telegraf returns an error in OpenBSD 7.1

2022-05-12 Thread Loff
On Thu, May 12, 2022 at 05:51:34PM +0200, Carlos López Martínez wrote:
> 
> 
> On 12/05/2022 17:40, Zé Loff wrote:
> > 
> > On Thu, May 12, 2022 at 03:40:36PM +0200, Carlos López Martínez wrote:
> > > Hi all,
> > > 
> > > Does the telegraf package work under OpenBSD 7.1? I have installed it from 
> > > the package
> > > binaries and it returns the following error:
> > > 
> > > + daemon=/usr/local/bin/telegraf
> > > + daemon_logger=daemon.info
> > > + daemon_user=_telegraf
> > > + . /etc/rc.d/rc.subr
> > > + _rc_actions=start stop restart reload check
> > > + readonly _rc_actions
> > > + [ -n  ]
> > > + _name=telegraf
> > > + _rc_check_name telegraf
> > > + [ -n @(#)PD KSH v5.2.14 99/07/13.2 ]
> > > + [ -n /usr/local/bin/telegraf ]
> > > + unset _RC_DEBUG _RC_FORCE
> > > + getopts df c
> > > + shift 0
> > > + _RC_RUNDIR=/var/run/rc.d
> > > + _RC_RUNFILE=/var/run/rc.d/telegraf
> > > + _rc_do _rc_parse_conf
> > > + rc_reload_signal=HUP
> > > + rc_stop_signal=TERM
> > > + eval _rcflags=${telegraf_flags}
> > > + _rcflags=
> > > + eval _rclogger=${telegraf_logger}
> > > + _rclogger=
> > > + eval _rcrtable=${telegraf_rtable}
> > > + _rcrtable=
> > > + eval _rctimeout=${telegraf_timeout}
> > > + _rctimeout=
> > > + eval _rcuser=${telegraf_user}
> > > + _rcuser=
> > > + getcap -f /etc/login.conf.d/telegraf:/etc/login.conf telegraf
> > > + > /dev/null
> > > + 2>&1
> > > + daemon_class=telegraf
> > > + [ -z  ]
> > > + daemon_rtable=0
> > > + [ -z  ]
> > > + daemon_timeout=30
> > > + [ -z _telegraf ]
> > > + [ -n  -o start != start ]
> > > + [ -n  ]
> > > + [ -n  ]
> > > + [ -n  ]
> > > + [ -n  ]
> > > + [ -n  ]
> > > + [ -n  ]
> > > + readonly daemon_class
> > > + unset _rcflags _rclogger _rcrtable _rctimeout _rcuser
> > > + eval echo /usr/local/bin/telegraf
> > > + echo /usr/local/bin/telegraf
> > > + pexp=/usr/local/bin/telegraf
> > > + rcexec=su -fl -c telegraf -s /bin/sh _telegraf -c
> > > + id -R
> > > + [ 0 -eq 0 ]
> > > + rc_bg=YES
> > > + rc_reload=NO
> > > + rc_cmd start
> > > telegraf(failed)
> > > 
> > >   Trying to execute as root from shell:
> > > 
> > > root@obsdnode01:/etc/login.conf.d# telegraf -h
> > > 2022/05/12 13:39:49 mmap: cannot allocate memory
> > > 
> > >   Any idea?
> > > -- 
> > > Best regards,
> > > C. L. Martinez
> > > 
> > 
> > I'm running telegraf on several amd64 7.1 (both -stable and recent-ish
> > -current) machines.  I also get the mmap error when running by hand,
> > but it works fine with the default rc script:
> > 
> >  $ cat /etc/rc.d/telegraf
> >  #!/bin/ksh
> > 
> >  daemon="/usr/local/bin/telegraf"
> >  daemon_logger="daemon.info"
> >  daemon_user="_telegraf"
> > 
> >  . /etc/rc.d/rc.subr
> > 
> >  rc_bg=YES
> >  rc_reload=NO
> > 
> >  rc_cmd $1
> > 
> > Cheers
> > Zé
> > 
> Uhmm ... In my case, it fails using rc script also ... and it is the same as
> yours ...

/etc/login.conf.d/telegraf sets the datasize at 8G.  You might not have
as much.

In my case, it fails as a regular user -- because they aren't allowed to
allocate that much -- but works using the rc script because in that case
the daemon is run as _telegraf, which has its own login class, with the
appropriate values.


> 
> -- 
> Best regards,
> C. L. Martinez
> 

-- 
 



Re: Question how to delete somewhat encrypted partitions / softraid?

2022-03-25 Thread Loff
On Fri, Mar 25, 2022 at 10:28:55AM +0100, soko.tica wrote:
> Hello list,
> 
> I have tried to encrypt disk before the installation of OpenBSD 7.0
> according to the instructions here
> https://www.openbsd.org/faq/faq14.html#softraid and managed to mess it.


First of all, if this is a fresh install onto an otherwise clean disk, I
see no reason not to restart everything from scratch.

> 
> I have performed
> 
> # cd /dev && sh MAKEDEV sd0
> # fdisk -iy -g -b 960 sd0
> # disklabel -E sd0
> Label editor (enter '?' for help at any prompt)
> sd0> a a
> offset: [64]
> size: [39825135] *
> FS type: [4.2BSD] RAID
> sd0*> w
> sd0> q
> No label changes.
> # bioctl -c C -l sd0a softraid0
> 
> But I have failed to proceed before the installation with
> 
> # cd /dev && sh MAKEDEV sd1
> # dd if=/dev/zero of=/dev/rsd1c bs=1m count=1
> 
> So I ended up with an unbootable install.

There is some missing information here.  How did the installation
proceed?  Did it go all the way to the end?  Did the installer create a
disklabel?  And if so, on which disk?

If you boot the RAMDISK, exit to a shell, build the crypto volume
(bioctl), create the dev node (MAKEDEV sd1) and check its disklabel
(disklabel sd1) does it show anything?  If there are partitions on the
sd1 disklabel, can they be mounted and do they have anything in them?

Again, if the disk was empty to begin with (and the information below
seems to indicate so), there is nothing that needs to be salvaged, just
restart the whole process.

> The disk is shown
> 
> # disklabel sd0
> # /dev/rsd0c:
> type: SCSI
> disk: SCSI disk
> label: HGST HTS725050A7
> duid: f62d9ae29f67d326
> flags:
> bytes/sector: 512
> sectors/track: 63
> tracks/cylinder: 255
> sectors/cylinder: 16065
> cylinders: 60801
> total sectors: 976773168
> boundstart: 1024
> boundend: 976773135
> drivedata: 0
> 
> 16 partitions:
> #                size           offset  fstype [fsize bsize   cpg]
>   a:        976772111             1024    RAID
>   c:        976773168                0  unused
>   i:              960               64   MSDOS
> 
> #fdisk sd0
> Disk: sd0   Usable LBA: 34 to 976773134 [976773168 Sectors]
>#: type [   start: size ]
> 
>0: EFI Sys  [  64:  960 ]
>1: OpenBSD  [1024:976772111 ]
> 
> 
> Is it safe to delete all somewhat encrypted partitions by
> # fdisk -iy sd0
> ?
> 
> Should I perhaps first delete somewhat encrypted partitions by
> 
> # disklabel -E sd0
> 
> d a
> d i
> 
> ?
> 
> Thank you in advance for your answers.

-- 
 



Identifying a network

2022-03-23 Thread Loff


Hi all

I have a laptop in which I use ifstated to determine whether it is "at
home" or whether it is "roaming", and bring up the VPN -- used to be
iked, now it's wg -- for unwind and some NFS shares, if it is.

My question is: how would you detect if the machine is "at home"? 

My present setup is a combination of checking the BSSID of the AP if it
is connected to one, and some MAC addresses of other machines on the
network.  I can think of a couple other ways (SSH host keys, external IP
-- though it might change --, DHCP-assigned domain, etc).  Is there an
easier way I'm not thinking of?  How would you do it?

Note that this isn't 100% fail-proof, nor am I worried about
covering absolutely all corner cases, or paranoid about someone spoofing
my network's BSSID, MAC addresses, etc, etc, just to prevent me from
setting up a VPN.  This is just for convenience.

Cheers and TIA
Zé

-- 
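The heuristic described in the post, "known BSSID plus known MAC addresses of other machines on the network", as an added example that is not part of the post: shell functions that work on the text of `ifconfig <wifi-if>` and `arp -an`, so they can be exercised on the constructed samples below. Every address, interface and network name here is made up. As the post itself notes, both signals are spoofable, so this only decides a convenience (whether to bring the VPN up); the VPN's own authentication is what protects the shares.

```shell
#!/bin/sh
# Added example, not from the post.  "At home" = joined AP has the home BSSID
# and at least one known LAN neighbour is present in the ARP table.

HOME_BSSID="00:11:22:33:44:55"                    # constructed
HOME_MACS="aa:bb:cc:dd:ee:01 aa:bb:cc:dd:ee:02"   # constructed: router, NAS

joined_bssid() {
    # print the bssid on ifconfig's "ieee80211:" status line (stdin), if any
    awk '$1 == "ieee80211:" { for (i = 1; i < NF; i++) if ($i == "bssid") print $(i + 1) }'
}

known_macs_seen() {
    # print how many distinct HOME_MACS appear in arp -an output (stdin)
    awk -v macs="$HOME_MACS" '
        BEGIN { n = split(macs, want, " "); for (i = 1; i <= n; i++) known[tolower(want[i])] = 1 }
        { for (i = 1; i <= NF; i++) { m = tolower($i); if (m in known) seen[m] = 1 } }
        END { c = 0; for (m in seen) c++; print c }'
}

at_home() {
    # usage: at_home <ifconfig text> <arp text>; exit 0 when the joined AP is
    # the home BSSID and at least one known neighbour answers ARP
    bssid=$(printf '%s\n' "$1" | joined_bssid)
    seen=$(printf '%s\n' "$2" | known_macs_seen)
    [ "$bssid" = "$HOME_BSSID" ] && [ "$seen" -ge 1 ]
}

# Constructed ifconfig excerpts; only the status line matters.
IFCONFIG_HOME='iwm0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ieee80211: join homenet chan 36 bssid 00:11:22:33:44:55 -58dBm wpakey wpaprotos wpa2
        inet 192.168.1.23 netmask 0xffffff00 broadcast 192.168.1.255'
IFCONFIG_ROAM='iwm0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ieee80211: join cafe chan 6 bssid 66:77:88:99:aa:bb -70dBm wpakey wpaprotos wpa2
        inet 10.20.30.40 netmask 0xffffff00 broadcast 10.20.30.255'

# Constructed arp -an excerpts.
ARP_HOME='Host                                 Ethernet Address   Netif Expire     Flags
192.168.1.1                          aa:bb:cc:dd:ee:01  iwm0  19m50s
192.168.1.5                          aa:bb:cc:dd:ee:02  iwm0  18m12s'
ARP_ROAM='Host                                 Ethernet Address   Netif Expire     Flags
10.20.30.1                           11:22:33:44:55:66  iwm0  19m59s'

if at_home "$IFCONFIG_HOME" "$ARP_HOME"; then
    echo "at home"
else
    echo "roaming"
fi
```

In an ifstated.conf this would be wrapped as `at_home "$(ifconfig iwm0)" "$(arp -an)"` inside a state's test command; requiring both signals means a coffee shop that happens to reuse a MAC, or a neighbour's AP with a copied BSSID, is not enough on its own to flip the state.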
 



Re: install the sets, install70.img

2022-02-13 Thread Loff
On Sun, Feb 13, 2022 at 12:25:45PM -0500, Raul Miller wrote:
> On Sun, Feb 13, 2022 at 10:25 AM Maurice McCarthy  wrote:
> > Wow, cannot even see your usb drive. Now I am right out of my depth.
> > The sdhc0 and sdmmc0 are to do with the SD card slot.
> 
> I am also out of my depth.
> 
> That said, here is dmesg | grep -n ^ (hand typed to another machine,
> and then proofread).

Not quite sure what is going on exactly, but something odd is going on
with your USB internal hub:

> 190:xhci0 at pci0 dev 21 function 0 "Intel Apollo Lake xHCI" rev 0x0b: msi, 
> xHCI 1.0
> 191:usb0 at xhci0: USB revision 3.0
> 192:uhub0 at usb0 configuration 1 interface 0 "Intel xHCI root hub" rev 
> 3.00/1.00 addr 1
...
> 232:uhub0: port 2, set config 0 at addr 2 failed
> 233:uhub0: device problem, disabling port 2
> 234:"Quectel EC25-AF" rev 2.00/3.18 addr 2 at uhub0 port 3 not configured
> 235:"Generic USB2.0-CRW" rev 2.00/39.60 addr 3 at uhub port 4 not configured
> 236:"Realtek 802.11n WLAN Adapter" rev 2.00/2.00 addr 4 at uhub0 port 7 not 
> configured
> 237:"vendor 0x090c YinZhiJie  Y220A" rev 2.0/8.00 addr 5 at uhub0 port 8 not 
> configured
 
Which explains why you are not seeing your USB disk anywhere.
-- 
 



Re: Limit dir write by its storage size

2022-01-11 Thread Loff
On Wed, Jan 12, 2022 at 02:06:39AM +0800, Yamadaえりな wrote:
> For a BSD based system, how can I setup that, if a dir has total storage
> size reached to the max, it won’t be writable anymore?
> 
> Thank you very much!
> Yamada

Create a separate partition for it.

-- 
 



Re: Some Thoughts on resolv.conf.tail Deprecation

2021-11-11 Thread Loff


On Thu, Nov 11, 2021 at 05:36:07PM +, beebeet...@posteo.de wrote:
> Hi all,
> 
> I was reading the manual page of resolv.conf(5) today and realized that
> paragraph on resolv.conf.tail has disappeared since the upgrade to 7.0, so I
> assume that resolv.conf.tail has been deprecated in response to resolvd
> being enabled by default.
> 
> Previously, my backup strategy was to back up the customized system
> configuration files, which involves backing up resolv.conf.tail, but
> not resolv.conf. With the new behaviour in 7.0, it appears that my best
> shot is to back up resolv.conf, which constantly gets edited by
> resolvd(8). This seems less than ideal.

I am not sure about what problem you are trying to solve.  Won't the
lines added by resolvd be overwritten anyway the first time you use the
backed up file?

> I gave it some thoughts, and came up with an alternative solution to
> handling resolv.conf:
> 
>  - If resolvd is enabled, then resolv.conf is overidden entirely by
>resolvd, no more blending of user-edited and auto-configured
>information is involved. A new resolvd.conf needs to be introduced to
>instruct resolvd to add static defaults and stuff;
> 
>  - If resolvd is not enabled, then the contents of resolv.conf.tail gets
>copied to resolv.conf at system start.
> 
> To me it seems that this is cleaner than the current solution to
> resolv.conf in that static and dynamic configurations is clearly
> separated instead of being blended into a one file.
> 
> What are your thought on this? Thanks!
> 

-- 
 



Re: lpr woes printing a broken pdf

2021-11-02 Thread Loff
On Tue, Nov 02, 2021 at 04:10:44PM +0100, Jan Stary wrote:
> This is current/amd64 on a PC, using lpr with this /etc/printcap:
> lp::lp=:rm=pr.stare.cz:rp=lp:sd=/var/spool/output/lpd:lf=/var/log/lpd-errs:sh:
> which is a Brother DCP9055CDN via ethernet.
> 
> Now, I have this pdf file (attached), broken in a way that puzzles me.
> When viewed with mupdf or gv, it shows one thing, when printed with lpr,
> it shows something else.
> 
> I don't mean a missing glyph when an exotic language is used; it is
> in Czech, but it's not the rendering of Czech letters that's strange:
> it has 11 printed instead of 10 (line 1), 22 instead of 29 (line 2),
> 7000 instead of 7084 and 5222 instead of 5268 (line 4),
> 3 h 33 mm instead of 3 h 30 min (line 5.1), etc.
> 
> Agonizing moments have been spent looking at the page,
> making sure it is actually the file.
> 
> Vaguely speaking, in these examples, some chars/glyphs
> seem to be repeated in the print, instead of the next one
> that should have been printed:
> 
>   11 not 10 (repeating the 1)
>   22 not 29 (repeating the 2)
>   7000 not 7084 (repeating the 0)
>   33 mm not 30 min (repeating the 3 and the m)
> 
> Is that an indication of some particular kind
> of breakage in a pdf file?
> 
> Inside the pdf, I see
> 
>  /CreationDate(D:20150306075816)
>   /ModDate(D:20150306075816)
>   /Title(klic_5_tridy.xlsx)
>   /Creator(PScript5.dll Version 5.2.2
> 
> so I suppose the file was produced as a pdf export of
> a xlsx file by some awful office package or another,
> probably on windows (dll).
> 
> When printed from gv, it prints what gv and mupdf show.
> When printed at a corporate myq print system, it prints the same;
> but when printed with lpr, it prints these strange alterations.
> 
> I don't think it's lpr's fault, so this might not even be the list,
> for lpr just sends what it gets (except wrapping it in the cf, df files
> of the lpr protocol, right?), but I would still like to know:
> is it that gv can somehow interpret the broken pdf in the right way,
> sending the right bits to the printer to print, but the Brother printer
> (i.e., the printer's pdf interpreter?) can not?
> Please excuse my pdf/ps ignorance.
> 
> gv also says
> 
>   Warning: Missing charsets in String to FontSet conversion
> 
> when viewing the file, but not with LC_CTYPE=C;
> normally my env has LC_CTYPE=en_US.UTF-8.
> There are some Czech letters printed wrong,
> but surely every FontSet (whatever that is)
> has glyphs for the digits.
> 
>   Thank you
> 
>   Jan
> 

Hi Jan

FWIW, I cannot reproduce this on my Brother HL-L3270CDW with lpr, file
prints fine.  This is on a -current (well, current-ish, October 5) amd64
machine, without cups, foomatic or anything like that.

/etc/printcap:

  lp:\
:lp=:rm=10.17.19.134:\
:sh:\
:lf=/var/log/lpd-errs:


-- 
 



Re: Please recommend wifi 6 card which supports OpenBSD

2021-10-30 Thread Loff
On Sat, Oct 30, 2021 at 11:17:31AM +, Vilnius wrote:
> Dear OpenBSD Community,
> 
> 
> I hope you are all doing well.
> 
> I'm thinking about building OBSD based home router with wifi access
> point, but I'm not sure which card I should pickup which would provide
> best compatibility with OBSD. I'm looking with dual band support which
> most importantly supports both 2.4/5ghz and also has support for AP
> and has no issues with OBSD itself.
> 
> Does this thing exist or doing wifi AP on OBSD is not really
> recommended like some google searches suggest ? This is home based
> setup.
> 
> Thanks
> 

As has been said before on more than one occasion, you'd be much better
off using a separate non-OpenBSD access point.  You get better WiFi
performance, more recent 802.11* protocols (AFAICT there is no support
for 802.11ax yet), sometimes the router's location isn't the most
appropriate for the AP, etc.

I tried using an OpenBSD box as a wifi router, but performance was poor,
and it was hard to know whether it was the antennas, the box's
location, the card's tx power, etc.  I then repurposed my ISP's wifi
router as an AP using a separate vlan, added some block rules on the
router's pf.conf to keep it from "calling home" and never looked back.

-- 
 



Re: Dhcp client configuration in 7.0

2021-10-29 Thread Loff
On Fri, Oct 29, 2021 at 09:57:26PM +0300, Samarul Meu wrote:
> On Fri, Oct 29, 2021 at 8:30 PM Zé Loff  wrote:
> 
> > This works for me:
> >
> >
> > /etc/hostname.em0:
> >
> > inet autoconf
> >
> >
> > /etc/resolv.conf:
> >
> > nameserver 127.0.0.1
> >
> >
> > /etc/dhcpleased.conf:
> >
> > interface em0 {
> > ignore dns
> > }
> >
> >
> My dhcpleased.conf is similar (interface urtwn0 ignore dns), but it does
> not seem to work. resolvd just overwrites the resolv.conf with the ISP DNS.
> If I disable resolvd and I leave only nameserver 127.0.0.1 the unbound
> works as expected.
> 
> Now, my question is when ignore dns from dhcpleased.conf is considered? The
> man page states "Ignore nameservers from leases on this interface" but
> maybe I am not reading it correctly?

Is that the exact contents of your dhcpleased.conf?  Reading the man
page, it seems that the curly brackets are mandatory, and if I change my
config to "interface em0 ignore dns" dhcpleased warns about the syntax
error (and doesn't start).

-- 
 



Re: Dhcp client configuration in 7.0

2021-10-29 Thread Loff
On Fri, Oct 29, 2021 at 03:37:56PM +0300, Samarul Meu wrote:
> Hello to you all!
> 
> Prior to 7.0 I was using this line in /etc/dhclient.conf
> supersede domain-name-servers 127.0.0.1;
> so that I do not get the DNS from the ISP provider.
> 
> I am using unbound to resolve my queries. With the new changes I can not
> get the same functionality.
> 
> I tried to add this in /etc/dhcpleased.conf
> interface urtwn0 ignore dns
> where urtwn0 is my interface or disable resolvd.
> 
> If resolvd is on I get my ISP DNS server, if not when unbound starts
> resolvd  adds the ISP DNS server to resolv.conf.
> 
> Can you please tell me what am I doing wrong and how can I have only
> 127.0.0.1 on the resolv.conf file?
> 
> Thank you!

This works for me:


/etc/hostname.em0:

inet autoconf


/etc/resolv.conf:

nameserver 127.0.0.1


/etc/dhcpleased.conf:

interface em0 {
ignore dns
}


-- 
 



Re: use pfctl to reread /etc/mail/spamd-white table

2021-10-28 Thread Loff


On Thu, Oct 28, 2021 at 11:55:33AM +0200, Harald Dunkel wrote:
> Hi folks,
> 
> my pf.conf contains
> 
>   table  persist file "/etc/mail/spamd-white"
> 
> I understand that I can add and delete hosts from the table manually
> later, but on very large tables this is pretty painful. There is a high
> risk that the table has just been flushed and is not up-to-date yet,
> while the next EMail comes in.
> 
> Would it be possible to add some magic to pfctl -T to reread the whole
> table from file and hand it off to pf in an atomic operation?

From the man page:

For the add, delete, replace, and test commands, the list of
addresses can be specified either directly on the command
line and/or in an unformatted text file, using the -f flag.

So:

pfctl -t spamd-white -T add -f /etc/mail/spamd-white
 
should do it.

> 
> Regards
> Harri
> 

-- 
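The same man page passage quoted above lists "replace" next to add, delete and test, so the whole-table reload from the file that Harri asked for is `pfctl -t spamd-white -T replace -f /etc/mail/spamd-white`, one pfctl invocation that replaces the table's contents with the file rather than a flush followed by adds. As an added example (not from the thread), the script below puts a sanity check in front of that call and refuses to reload from a file that is empty or contains a line that is not an address or network, since an empty or truncated whitelist is the failure the question is worried about. The file contents are constructed.

```shell
#!/bin/sh
# Added example, not from the thread.  Reloads a pf table from its file with
# "-T replace" only after the file passes a basic sanity check.

valid_table_file() {
    # usage: valid_table_file <path>; exit 0 when every non-comment line is an
    # IPv4/IPv6 address or CIDR (optionally negated with !) and there is at
    # least one entry.  Hostnames are rejected on purpose: spamd writes
    # addresses, and a name here would make the reload depend on DNS.
    vt_entries=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1")
    [ -n "$vt_entries" ] || { echo "$1: no entries" >&2; return 1; }
    vt_bad=$(printf '%s\n' "$vt_entries" |
        grep -Ev '^!?([0-9]{1,3}(\.[0-9]{1,3}){3}|[0-9a-fA-F:]+)(/[0-9]{1,3})?$') || true
    [ -z "$vt_bad" ] || { echo "$1: malformed entries:" "$vt_bad" >&2; return 1; }
}

reload_table() {
    # usage: reload_table <table> <file>; replace the table contents in one
    # pfctl call, but only after the file passed the check above
    valid_table_file "$2" || return 2
    pfctl -t "$1" -T replace -f "$2"
}

write_sample() {
    # usage: write_sample <text>; prints the path of a temp file holding it
    f=$(mktemp) || return 1
    printf '%s\n' "$1" > "$f"
    printf '%s\n' "$f"
}

# Constructed whitelist contents (RFC 5737 / 3849 documentation ranges).
SAMPLE_OK='# constructed spamd-white
192.0.2.10
198.51.100.0/24
2001:db8::1
!192.0.2.99'
SAMPLE_BAD='192.0.2.10
mail.example.net   # a hostname, not something spamd writes'
SAMPLE_EMPTY='# nothing but comments
'

okf=$(write_sample "$SAMPLE_OK")
if valid_table_file "$okf"; then
    echo "$okf passes; would run: pfctl -t spamd-white -T replace -f $okf"
fi
rm -f "$okf"
```

The regex is deliberately loose (it accepts any run of hex digits and colons as IPv6); pfctl itself rejects anything it cannot parse, so the check is there to catch a truncated or wrongly generated file, not to replace pf's parser.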
 



Re: DHCP leases not being renewed

2021-10-19 Thread Loff
On Tue, Oct 19, 2021 at 03:26:20PM +1000, Ryan Vitelli wrote:
> Hello,
> 
> After upgrading to 7.0 I noticed DHCP leases from my ISP were
> not being renewed.
> 
> After researching I ended up modifying my /etc/hostname.em0 file
> by replacing 'dhcp' with '!dhclient \$if' and this "appears"
> to resolve the issue.
> 
> The FAQ and the dhclient/hostname.if manpages infer that this
> shouldn't be necessary and a simple 'dhcp' should be sufficient.
> Obviously I'm missing something because our application is very basic.
> 
> With the above "fix" in place, the other thing I've noticed is that
> on bootup I now get this
> em0: no linkgot link
> em0: no lease.got lease
> em0: my.wan.ip.addr lease accepted from nnn.nnn.nnn.nnn (u:v:w:x:y:z)
> This does not appear with hostname.em0 containing 'dhcp', however
> it did previously when on 6.9
> 
> Any help on this would be great. Thanks.
> 
> Notes:
> No related messages in daemon or messages logs
> OS: openbsd 7.0 /amd64
> hardware is PC Engines APU2e4 with BIOS version v4.13.0.2
> em0 at pci1 dev 0 function 0 "Intel I210" rev 0x03: msi, address a:b:c:d:e:f
> 

dhcpleased(8) is now preferred, instead of dhclient:
http://www.openbsd.org/faq/faq6.html#DHCP

Changing "dhcp" to "inet autoconf" should suffice.

(does this warrant an entry on faq/upgrade70.html ?)

You might want to also take a look at some of the new(-ish) man pages
for dhcpleased, dhcpleased.conf and maybe resolvd.

Cheers
Zé


-- 
 



Re: Accessing LAN behind gateway from Road Warrior on wg(4) based tunnel

2021-08-27 Thread Loff


On Fri, Aug 27, 2021 at 03:03:36PM +0200, Erling Westenvik wrote:
> Hello all,
> I have successfully set up a wg(4) based VPN tunnel from my laptop
> (current) to my home/office gateway (6.9) but have problems
> understanding how to access the LAN behind the gateway.
> 
> [Laptop]
> - wg0 (10.0.0.42)
> - egress (trunk0 {em0 iwn0} dhcp)
> [Internet]
> [Gateway]
> - egress (em0 dhcp)
> - wg0 (10.0.0.1)
> - bridge0 {em1, (vether0 192.168.3.1 dhcpd)}
> [LAN]
> - various 192.168.3.0/24
> 
> I can ping/ssh between wg(4) endpoints (10.0.0.1 to 10.0.0.42 and vice
> versa) and also from LAN clients (192.168.3.0/24) to gateway wg(4)
> endpoint (10.0.0.1), but the laptop (10.0.0.42) can only reach the
> gateway (10.0.0.1).
> 
> Is it as easy as defining some routes? If so, where? There's a ton of
> more or less relevant and/or updated howto's out there but I have not
> found anyone dealing with a similar scenario. Any hints are appreciated.

I added something like

!route add 192.168.3.0/24 10.0.0.1

to /etc/hostname.wg0.

Of course this _might_ be messy if by any chance your laptop's local
network is also 192.168.3.0/24 or a subset of this range.

> 
> (My wg(4) setup is based on:
> https://www.tumfatig.net/20201202/a-mesh-vpn-using-openbsd-and-wireguard/)
> 
> Best regards,
> 
> Erling
> 

-- 
 



Re: PF annoying messages

2021-07-09 Thread Loff


On Fri, Jul 09, 2021 at 10:39:25AM +0200, Pierre Dupond wrote:
> Le Fri, 9 Jul 2021 07:39:26 - (UTC),
> Stuart Henderson  a écrit :
> 
> > On 2021-07-07, Pierre Dupond <76nem...@gmx.ch> wrote:
> > > HI All,
> > >  I am setting up a firewall with PF. The strategy used is quite
> > > common: set block-policy return
> > >set loginterface none
> > >set skip on lo0
> > >match in all scrub (random-id reassemble tcp)
> > >block log
> > >
> > > Then some rules are used to pass the authorized packets.
> > >
> > > One of the rule is
> > >   pass from  to 
> > >   pass from  to 
> > >
> > > where the table "multicast" contains all the multicast address and
> > > the table "TV_nets" the networks used for IT TV.
> > >
> > > In the log  regularly the following message is produced:
> > > Jul 07 10:44:40.049159 rule 26/(match) pass in on vlan120:
> > > 192.168.88.1 > 224.0.0.1: igmp query [tos 0xc0] [ttl 1]
> > >
> > > where vlan120 is part of an OpenBSD bridge used in egress part of
> > > the firewall.
> > >
> > > A lot of similar rules  (many vlan are used) and  some other
> > > pass rules are defined but only this one (26) produces a message.  
> > 
> > What is rule 26? (pfctl -sr -R 26)
> > 
> > It may relate to IP options, you can try allow-opts.
> > 
> > A more detailed packet dump might give clues, e.g. from
> > tcpdump -neipflog0 -vvXs1500
> > 
> > 
> Thanks for the answer and the clue about how to get exactly a rule with
> a specific number. I have looked for a long time how to do it without
> really finding a good solution (pfctl -s | head -26 is not as precise).
> 
> I will be able now to give more precise information.
> 

Apologies for intruding mid-thread.

TL,DR: adding allow-opts to the pf rule fixes things (explanation below)

I've been watching the same behaviour on my network for a long time:
some igmp queries are always logged, even if the matching rule has no
"log" in it, but never cared too much about it:

# tcpdump -neti pflog0 -vv
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
rule 229/(match) [uid 0, pid 66873] pass in on vlan20: 10.17.18.4 > 224.0.0.1: igmp query [len 12] (DF) [tos 0x88] [ttl 1] (id 25795, len 36, optlen=4 IPOPT-148{4})

# pfctl -sr -R 229
pass in on vlan20 inet proto igmp from 10.17.18.4 to any

(just a bit of context: 10.17.18.4 is an ISP-provided wifi router for
"triple play service" (a Thomson/Technicolor TG784n v3), which has been
repurposed as a wifi AP on vlan 20)


By reading pf.conf(5)'s section about the "allow-opts" -- which I
hadn't, thanks for the pointer, Stuart -- it is very clear that packets
with options are blocked by default, and the logged packets do have the
"router alert" option set (IPOPT-148), as can be seen above, on
tcpdump's output.  This means that the packet is in fact being blocked,
even though a pass rule is being matched and logged (I find this a bit
counterintuitive, TBH, but that's on me).   Adding "allow-opts" to the
rule makes the packet pass and the logging stop.


-- 
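An added example, not part of this thread: a small Python script that builds a packet mirroring the tcpdump line above (constructed, carrying the Router Alert option IPOPT-148), parses the IPv4 header, and applies the pf.conf(5) behaviour just described, where a matching pass rule still blocks a packet with IP options unless it has allow-opts. The rule matcher is a toy model written for the example, not pf's.

```python
"""Added example, not from the thread: why a matching 'pass' rule can still
drop an IGMP query.  A constructed IPv4/IGMP packet mirrors the tcpdump line
(10.17.18.4 > 224.0.0.1, ttl 1, tos 0x88, id 25795, optlen=4,
IPOPT-148 = Router Alert); we parse the header and apply the pf.conf(5)
behaviour the reply describes: packets with IP options are blocked unless the
matching rule carries allow-opts.  pf_verdict() is a toy model, not pf."""
import struct
import ipaddress

IPOPT_EOL, IPOPT_NOP, IPOPT_ROUTER_ALERT = 0, 1, 148   # 148 == 0x94


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_igmp_query(src: str, dst: str, router_alert: bool = True) -> bytes:
    """Constructed IGMPv3 general query (12 bytes) in an IPv4 header, optionally
    carrying the 4-byte Router Alert option (RFC 2113), as multicast routers send."""
    options = bytes([IPOPT_ROUTER_ALERT, 4, 0, 0]) if router_alert else b""
    ihl_words = 5 + len(options) // 4
    igmp = bytes([0x11, 0x64, 0, 0]) + bytes(8)      # type 0x11 query, max resp 100
    igmp = igmp[:2] + struct.pack("!H", inet_checksum(igmp)) + igmp[4:]
    total_len = ihl_words * 4 + len(igmp)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | ihl_words, 0x88, total_len, 25795,
                      0x4000,            # DF set, fragment offset 0
                      1, 2, 0,           # ttl 1, proto 2 (IGMP), checksum placeholder
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed) + options
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + igmp


def parse_options(raw: bytes) -> list:
    """Walk the IPv4 option TLVs and return [(type, length)], which is what
    tcpdump prints as IPOPT-148{4}.  EOL and NOP are single-byte options."""
    opts, i = [], 0
    while i < len(raw):
        t = raw[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:
            opts.append((t, 1))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed IP option at offset %d" % i)
        opts.append((t, raw[i + 1]))
        i += raw[i + 1]
    return opts


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed header plus options; rejects bad IHL, length or checksum."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, tlen, ident, ff, ttl, proto, _cksum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    hlen = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or hlen < 20 or hlen > len(pkt) or tlen != len(pkt):
        raise ValueError("bad version/IHL/total length")
    if inet_checksum(pkt[:hlen]) != 0:
        raise ValueError("bad header checksum")
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "tos": tos, "id": ident, "len": tlen,
            "df": bool(ff & 0x4000), "optlen": hlen - 20,
            "options": parse_options(pkt[20:hlen])}


def pf_verdict(rule: dict, pkt: dict) -> str:
    """Toy model of the documented behaviour: even when the pass rule matches
    (and gets logged), a packet with IP options is blocked unless allow-opts."""
    matched = (rule.get("proto") in (None, pkt["proto"])
               and rule.get("from") in (None, pkt["src"]))
    if not matched:
        return "no match"
    if pkt["optlen"] and not rule.get("allow_opts", False):
        return "block (IP options present, no allow-opts)"
    return "pass"


if __name__ == "__main__":
    pkt = parse_ipv4(build_igmp_query("10.17.18.4", "224.0.0.1"))
    print(pkt["options"], pkt["len"])            # [(148, 4)] 36
    rule = {"proto": 2, "from": "10.17.18.4"}    # pass in ... proto igmp from 10.17.18.4
    print(pf_verdict(rule, pkt))
    print(pf_verdict(dict(rule, allow_opts=True), pkt))
```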
 



Re: Go programs only using one CPU core

2021-03-26 Thread Loff
On Fri, Mar 26, 2021 at 08:54:23PM -, Stuart Henderson wrote:
> On 2021-03-26, Richard Ulmer  wrote:
> > Hi,
> > it seems to me like Go (from the lang/go port) does not utilize more
> > than one CPU core on OpenBSD. Let's take this program, which may be run
> > with `go run main.go`:
> >
> > package main
> > func main() {
> > go work()
> > work()
> > }
> > func work() {
> > for i := 1; ; {
> > i *= 1
> > }
> > }
> >
> > The `go` directive starts a new goroutine, which I would expect to be
> > put into it's own process here. However, using htop(1) I can see, that
> > only one of my two cores gets load. Running the same program on Linux,
> > two cores are utilized.
> >
> > Can someone explain to me why this is happening? Is there any way to
> > make the program use both cores of my CPU?
> >
> > Best Regards,
> > Richard Ulmer
> >
> >
> 
> It works for me (checked using top and pressing H to show threads).
> 
> Is your system actually dual-core or is it single core with hyperthreading?
> (it's always worth including dmesg when asking a question, that would have
> shown this)
> 
> 

FWIW, I also get two threads on two of my four CPUs (i7), running March
23rd's snapshot (amd64) with a never-before-installed go-1.16.2.

-- 
 



Re: What determines source IP of traffic from OpenBSD box ?

2021-02-26 Thread Loff
On Fri, Feb 26, 2021 at 11:53:40AM +0100, Rachel Roch wrote:
> Hi
> 
> Let's say I'm running "pkg_add -u" on a OpenBSD-based router with
> multiple interfaces.
> 
> What determines the source IP ?

I'd say the routing table.
 
> Building on that, there is no "source interface" flag for pkg_add like
> there is for ping and certain others.  Is there a way for me to
> configure a default interface for utilities such as pkg_add to use ?

See pkg_add(1) and ftp(1):

env FETCH_CMD="ftp -s " pkg_add ...

> 
> Thanks !
> 
> Rachel
> 

-- 
 



Re: pf filtering on bridge totally blown my mind

2020-11-27 Thread Loff
On Fri, Nov 27, 2020 at 12:05:49PM +0300, kasak wrote:
> My configuration requires using a bridge:
> 
> I have files:
> 
> cat /etc/hostname.bridge0
> add vether0
> add em1
> add tap1
> up
> 
> files hostname.em1 and tap1 just contain "up"
> 
> and file hostname.vether0 contain:
> 
> inet 172.16.0.1 255.240.0.0 NONE description "LAN Link"
> 
> this is ifconfig:
> 
> em1: flags=8b43 mtu 1500
>     lladdr 68:05:ca:22:d8:d3
>     index 3 priority 0 llprio 3
>     media: Ethernet autoselect (1000baseT full-duplex)
>     status: active
> bridge0: flags=41
>     index 6 llprio 3
>     groups: bridge
>     priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
>     tap1 flags=3
>         port 7 ifpriority 0 ifcost 0
>     em1 flags=3
>         port 3 ifpriority 0 ifcost 0
>     vether0 flags=3
>         port 8 ifpriority 0 ifcost 0
> tap1: flags=8943 mtu 1500
>     lladdr fe:e1:ba:d0:c5:d9
>     index 7 priority 0 llprio 3
>     groups: tap
>     status: active
> vether0: flags=8943 mtu 1500
>     lladdr fe:e1:ba:d1:e5:18
>     description: LAN Link
>     index 8 priority 0 llprio 3
>     groups: vether
>     media: Ethernet autoselect
>     status: active
>     inet 172.16.0.1 netmask 0xfff0 broadcast 172.31.255.255
> 
> The only option i wanted is to redirect ntp packets to router local
> interface:
> 
> gater:~$ doas pfctl -sr
> block return all
> pass all flags S/SA
> block drop in on em0 all
> pass out on em0 inet from 172.16.0.0/12 to any flags S/SA nat-to
> 212.233.112.10
> pass in log on bridge0 inet proto tcp from ! 172.16.0.5 to any port = 123
> flags S/SA rdr-to 127.0.0.1
> pass in log on bridge0 inet proto udp from ! 172.16.0.5 to any port = 123
> rdr-to 127.0.0.1
> 
> But this rule is just not working, and I cannot fix it.
> I've tried to change "bridge0" to "em0", it doesn't change anything. pflog
> doesn't log anything either.
> 
> This is from the client:
> 
> [kasak@kasakoff ~]$ ntpdate -q pool.ntp.org
> server 195.3.254.2, stratum 2, offset +0.004216, delay 0.03334
> server 192.36.143.130, stratum 1, offset +0.88, delay 0.04488
> server 193.192.36.3, stratum 3, offset -0.07, delay 0.04155
> server 80.240.216.155, stratum 2, offset +0.000807, delay 0.02821
> 27 Nov 12:04:17 ntpdate[155506]: adjust time server 192.36.143.130 offset
> +0.88 sec
> [kasak@kasakoff ~]$ ntpdate -q 172.16.0.1
> server 172.16.0.1, stratum 4, offset -0.000107, delay 0.02589
> 27 Nov 12:04:19 ntpdate[155511]: adjust time server 172.16.0.1 offset
> -0.000107 sec
> 
> Is there some secret I've failed to find in man?
> 

Are you sure you mean em0 and not em1 in your pf rules?

-- 
 



Re: samba macos epic fail

2020-11-23 Thread Loff


On Sun, Nov 22, 2020 at 01:45:13PM -0800, Lyndon Nerenberg wrote:
> Somebody please tell me what the hell I am doing wrong here.
> 
> OpenBSD 6.8, samba 4.9.18 via pkg_add, MacOS 10.15.7 fully patched.
> 
> My main goal is to get Time Machine backups running, but I keep getting
> all sorts of inscrutable errors about file permissions.  The backup manages
> to create a few directories before it blows up:

Is SMB a strict necessity?  I've done this via NFS in the past; it's
trivial to get NFS shares automounted in macOS.

> 
>   : root@broken:/dump/tm; find . -ls
>   27641856   32 drwxr-xr-x3 lyndon   wheel 512 Nov 22 13:27 .
>   276418570 -rwxr--r--1 lyndon   wheel   0 Nov 22 13:27 
> ./.com.apple.timemachine.supported-d865743e-fb2-4a68-b0e7-10857c459e5c
>   276418580 -rwxr--r--1 lyndon   wheel   0 Nov 22 13:27 
> ./.com.apple.timemachine.supported-64bebc6e-ed10-4c41-9f21-301de558be49
>   27641859   32 drwx--3 lyndon   wheel 512 Nov 22 13:27 
> ./30228818-9C9E-5DBF-8F9B-36F186FA68BF.sparsebundle
>   27641860   32 -rw-r--r--1 lyndon   wheel 502 Nov 22 13:27 
> ./30228818-9C9E-5DBF-8F9B-36F186FA68BF.sparsebundle/Info.plist
>   27641861   32 -rw-r--r--1 lyndon   wheel 502 Nov 22 13:27 
> ./30228818-9C9E-5DBF-8F9B-36F186FA68BF.sparsebundle/Info.bckup
>   27641862   32 drwx--2 lyndon   wheel 512 Nov 22 13:27 
> ./30228818-9C9E-5DBF-8F9B-36F186FA68BF.sparsebundle/bands
>   276418630 -rwx--1 lyndon   wheel   0 Nov 22 13:27 
> ./30228818-9C9E-5DBF-8F9B-36F186FA68BF.sparsebundle/token
>   : root@broken:/dump/tm; ls -ld
>   drwxr-xr-x  3 lyndon  wheel  512 Nov 22 13:27 .
>   : root@broken:/dump/tm; 
> 
> There's nothing magic about the /dump mount:
>   
>   fd71e51011d0eabf.c /dump ffs rw,softdep,nodev,nosuid 0 2
> 
> Below is my smbd.conf in full.  I'm hoping somebody can point out the
> stupidly obvious mistake I'm making :-P  Note that by now I have tried
> every sample smbd.conf that exists on the web, so I'd really like to
> hear from somebody who *actually has this working*.
> 
> --lyndon
> 
> ---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---
> 
> [global]
>   min protocol =  SMB2
>   ea support = yes
>   inherit acls = yes
>   #create mask = 0640
>   #directory mask = 0750
>   workgroup = BITSEA
>   server role = standalone server
>   log file = /var/log/samba/smbd.%m
>   max log size = 200
> 
> # Shares
> [homes]
>comment = Home Directories
>browseable = no
>writable = yes
> 
> [public]
>comment = Public Stuff
>path = /pub
>public = yes
>writable = no
>printable = no
> 
> # Time Machine
> [timemachine]
>   comment = Time Machine Backups
>   path = /dump/tm
>   browseable = yes
>   writeable = yes
>   vfs objects = catia fruit streams_xattr
>   fruit:aapl = yes
>   fruit:time machine = yes
>   fruit:metadata = stream
>   fruit:model = MacSamba
>   fruit:posix_rename = yes 
>   fruit:veto_appledouble = no
>   fruit:advertise_fullsync = true
> 

-- 
 



Re: Bluetooth adapter that works with OpenBSD

2020-09-22 Thread Loff
On Tue, Sep 22, 2020 at 07:07:42AM -, Stuart Henderson wrote:
> On 2020-09-22, Tito Mari Francis Escaño  wrote:
> > Hi misc,
> > I'm building an OpenBSD desktop PC and would like to use my Royal Kludge
> > RK71 mechanical keyboard with it via USB Bluetooth dongle.
> > Can somebody please point me to USB Bluetooth dongles tested working with
> > OpenBSD?
> 
> The only way to do bluetooth on OpenBSD is with an adapter that runs
> the bluetooth stack internally and presents as a standard USB device.
> 
> There are several that do this for audio, Creative BT-W2 definitely
> works but there are others that may work too.
> 
> Some bluetooth devices can theoretically do this for human-interface devices 
> (mice/keyboards) too - it's how Apple has bluetooth working pre-boot -
> but I'm not aware of anyone having got them to work with OpenBSD.
> 
> https://www.businesswire.com/news/home/20030811005013/en/CSR-Saves-Stranded-Mice-HID-Proxy-Firmware
> https://www.0xf8.org/2014/02/the-crux-of-finding-a-hid-proxy-capable-usb-bluetooth-adapter/
> 

I found a Belkin adapter (model F8T016) that presents itself as a uhid
device (among other things):

I've read about other adapters that can switch between "OS managed"
(i.e. that show up as ugen) and "HID proxy" modes, but never got one.

In theory, my Belkin should be able to be paired to a bluetooth keyboard
and stay that way even across reboots.  The problem is that that
requires a keyboard that pairs without using a PIN, and my Logitech K380
doesn't, so I've never been able to get it to work as I wanted, nor test
if that is entirely true.  Even if I booted linux and paired the
keyboard with it, it won't stick across reboots, not even warm ones.
The keyboard was never available before the linux kernel and BT daemons
were loaded.

Sep 22 16:14:30 prionace /bsd: uhub8 at uhub0 port 13 configuration 1 interface 0 "Broadcom BCM2046B1" rev 2.00/1.00 addr 7
Sep 22 16:14:31 prionace /bsd: uhidev4 at uhub8 port 1 configuration 1 interface 0 "Broadcom product 0x4502" rev 2.00/1.00 addr 8
Sep 22 16:14:31 prionace /bsd: uhidev4: iclass 3/1, 1 report id
Sep 22 16:14:31 prionace /bsd: ukbd1 at uhidev4 reportid 1: 8 variable keys, 6 key codes
Sep 22 16:14:32 prionace /bsd: wskbd2 at ukbd1 mux 1
Sep 22 16:14:32 prionace /bsd: wskbd2: connecting to wsdisplay0
Sep 22 16:14:32 prionace /bsd: uhidev5 at uhub8 port 2 configuration 1 interface 0 "Broadcom product 0x4503" rev 2.00/1.00 addr 9
Sep 22 16:14:32 prionace /bsd: uhidev5: iclass 3/1, 125 report ids
Sep 22 16:14:32 prionace /bsd: ums1 at uhidev5 reportid 2: 3 buttons
Sep 22 16:14:32 prionace /bsd: wsmouse1 at ums1 mux 0
Sep 22 16:14:32 prionace /bsd: uhid5 at uhidev5 reportid 125: input=2, output=0, feature=0
Sep 22 16:14:33 prionace /bsd: ugen0 at uhub8 port 3 "Broadcom Corp BLUETOOTH USB +EDR ADAPTER v2.1 UHE" rev 2.00/3.88 addr 10

In summary: not only is it hard to find a device that works, you'd also
have to find a keyboard that pairs without a PIN and keep your fingers
firmly crossed.

-- 
 



Re: FAQ file sets missing cmdbox

2020-08-25 Thread Loff
On Tue, Aug 25, 2020 at 01:25:36AM -0700, Greg Thomas wrote:
> Interesting.  I used my phone a bunch to check the FAQ when I got back to
> OpenBSD a couple of months ago, and I'm checking on my phone now
> (Android/Chrome), and it still looks fine.

A bit like the OP, I wasn't specific enough, apologies.  On my desktop
(-current-ish, iridium-2020.04.81p2) everything's fine even with very
narrow windows.  However, if I use Developer Mode to simulate a mobile
device the indentation gets messed up, even at large page widths: each
 inside the  gets rendered further and further right and starts
pushing the s as well.

FWIW firefox (79.0) renders everything correctly at any width, including
on "device simulation" mode.  I have an old Android (5.1) device around
with a 480x854 screen and Chrome 79 also displays everything properly.

Maybe the problem is on Chrome's "device simulation" renderer, and if
that is the case, apologies for the noise.  As the OP wasn't entirely
clear, I was guessing what the problem could be and stumbled upon that.

> On Tue, Aug 25, 2020 at 1:04 AM Zé Loff  wrote:
> 
> >
> > On Tue, Aug 25, 2020 at 12:04:57AM -0700, Greg Thomas wrote:
> > > I'm getting pretty old and struggle with stuff like this more and more
> > > these days but I don't see what is "very difficult to follow" about the
> > > current layout, and  I'm not sure what's weird about it either?
> >
> > Indentation gets messed up on a narrow screen/window, I think that's
> > what the OP meant.
> >
> > > On Mon, Aug 24, 2020 at 10:09 PM Jungle Boogie 
> > > wrote:
> > >
> > > > Hi,
> > > >
> > > > I don't think it's intended for the file sets section of the FAQ to be
> > > > formatted so weird. If the current layout is correct, it's very
> > > > difficult to follow.
> > > >
> > > > https://www.openbsd.org/faq/faq4.html#FilesNeeded
> > > >
> > > > I think the section needs to go into the cmdbox class, such as the
> > > > simple install section above the file sets.
> > > >
> > > > Thanks,
> > > > j.b.
> > > >
> > > >
> >
> > --
> >
> >

-- 
 



Re: FAQ file sets missing cmdbox

2020-08-25 Thread Loff


On Tue, Aug 25, 2020 at 12:04:57AM -0700, Greg Thomas wrote:
> I'm getting pretty old and struggle with stuff like this more and more
> these days but I don't see what is "very difficult to follow" about the
> current layout, and  I'm not sure what's weird about it either?

Indentation gets messed up on a narrow screen/window, I think that's
what the OP meant.

> On Mon, Aug 24, 2020 at 10:09 PM Jungle Boogie 
> wrote:
> 
> > Hi,
> >
> > I don't think it's intended for the file sets section of the FAQ to be
> > formatted so weird. If the current layout is correct, it's very
> > difficult to follow.
> >
> > https://www.openbsd.org/faq/faq4.html#FilesNeeded
> >
> > I think the section needs to go into the cmdbox class, such as the
> > simple install section above the file sets.
> >
> > Thanks,
> > j.b.
> >
> >

-- 
 



Re: DHCPD issue

2020-07-20 Thread Loff



On Mon, Jul 20, 2020 at 02:06:37AM -0500, Charlie Burnett wrote:
> Hi,
> I've set up a good deal of openbsd firewalls in a professional environment
> before with little to no issue. I'm trying to set one up for me personally
> though, and am having some bizarre issues, with no clue where to begin
> trying to fix them. This is on an APU unit from PC Engines. I've managed to
> figure out a couple things when trying to debug this:
> 1. I cannot connect to the internet properly unless only em0 (which is the
> ethernet port I have connected to the external network) has a hostname
> file- I have to either add back the hostname files after boot and run
> /etc/netsetup or manually set up the internal network ports through
> ifconfig.
> 2. Even once the box is connected properly to the network, it's seemingly
> unable to assign leases to other clients, attempting to connect to it
> through another OpenBSD machine results in it timing out while getting a
> lease.
> 3. Using the same exact config, I ran it behind a standard proprietary
> router (linksys) that connects fine externally. Using that, the box
> functions as expected.
> 4. Using an openwrt router I get similar errors.
> 5. I'm using both config that I've used on external networks as well as
> subnetworks on a corporate network that worked, and the default config from
> the setting up a router page for a sanity check.
> 6. I assumed it was DHCP, but nonetheless as a sanity check I had pf pass
> through anything and everything, worked internally as well as externally.
> I'm at a complete loss- seeing as it occurs on openwrt I assume that it's
> probably because of however the hell my landlord set up the network, but
> anyone remotely have an idea how to begin debugging this? I don't like
> particularly having a proprietary router running especially without a
> firewall I trust.
> Best,
> Charlie

As has been posted, without config files nor ifconfig outputs it's hard
to figure out what might be going wrong.  Are you by any chance serving
DHCP internally on the same network segment (e.g. 192.168.0.0/24) that
you get from your landlord?

-- 
 



Re: Cleaning system's old ibraries/files after update to next -release or -current

2020-07-14 Thread Loff


On Tue, Jul 14, 2020 at 11:11:34AM +, Martin wrote:
> After system update I found lots of 'old' libraries versions and
> possibly binaries from previous releases.
> 
> Does anybody know an automated method to remove it after update? For
> instance previous libs before update to -current.
> 
> Martin

$ pkg_info sysclean
Information for inst:sysclean-2.8

Comment:
list obsolete files between OpenBSD upgrades

Description:
sysclean is a script designed to help remove obsolete files between OpenBSD
upgrades.

sysclean compares a reference root directory against the currently installed
files, taking files from both the base system and packages into account.

sysclean does not remove any files on the system. It only reports obsolete
filenames or packages using out-of-date libraries.

Maintainer: Sebastien Marie 

WWW: https://github.com/semarie/sysclean/
-- 
 



Re: dmesg memory not match spdmem and bios

2020-06-10 Thread Loff



Wrong architecture.  You should be running amd64, not i386.

On Wed, Jun 10, 2020 at 02:02:32PM +, man Chan wrote:
> Hello,
> I just got a second Gaga-H97N-wifi motherboard and installed
> openbsd6.6 Stable. The  dmesg shows real and avail memory does not 
> match with the spdmem.  Anyone know how to solve this problem ? 
> Please help.
> Thanks
> Clarence
> OpenBSD 6.6-stable (GENERIC.MP) #1: Sun Jun  7 14:00:04 HKT 2020
>     r...@dell.my.domain:/usr/src/sys/arch/i386/compile/GENERIC.MP


-- 
 



Re: Potential awk bug?

2020-06-06 Thread Loff
On Sat, Jun 06, 2020 at 03:51:58PM -0700, Jordan Geoghegan wrote:
> Hello,
> 
> I was hoping the fine folks here could give me a quick sanity check, I'm by
> no means an awk guru, so I'm likely missing something obvious. I wanted to
> ask here quickly before I started flapping my gums on bugs@.
> 
> I'm working on a simple awk snippet to convert the IP range data listed in
> the Extended Delegation Statistics data from ARIN [1] and convert it into
> CIDR blocks. I have a snippet that works perfectly fine on mawk and gawk,
> but not on the base system awk. I'm 99% sure I'm not using any GNUisms, as
> when I break the command up into two parts, it works perfectly.
> 
> The snippet below does not work with base awk, but does work with gawk and
> mawk: (Running on 6.6 -stable system)
> 
>   awk -F '|' '{ if ( $3 == "ipv4" && $2 == "US") printf("%s/%d\n", $4,
> 32-log($5)/log(2))}' delegated-arin-extended-latest.txt
> 
> 
> The command does output data, but it also throws errors for certain lines:
> 
>   awk: log result out of range
>   input record number 94027, file delegated-arin-extended-latest.txt
>   source line number 1
> 
> Most CIDR blocks are calculated correctly, but about 10% of them have errors
> (ie something that should calculated to be a /24 is instead calculated to be
> a /30).
> 
> However, when I break it up into two parts, it produces the expected output:
> 
>   awk -F '|' '{ if ( $3 == "ipv4" && $2 == "US") print($4, $5)}'
> delegated-arin-extended-latest.txt | awk  '{printf("%s/%d\n", $1,
> 32-log($2)/log(2)) }'
> 
> As you can see, the same number of lines are printed, but the hashes are
> different.
> 
>   luna$ gawk -F '|' '{ if ( $3 == "ipv4" && $2 == "US") printf("%s/%d\n",
> $4, 32-log($5)/log(2))}' delegated-*-latest.txt | wc -l
>      56446
>   luna$ mawk -F '|' '{ if ( $3 == "ipv4" && $2 == "US") printf("%s/%d\n",
> $4, 32-log($5)/log(2))}' delegated-*-latest.txt | wc -l
>      56446
>   luna$ awk -F '|' '{ if ( $3 == "ipv4" && $2 == "US") printf("%s/%d\n", $4,
> 32-log($5)/log(2))}' delegated-*-latest.txt 2>/dev/null | wc -l
>      56446
> 
>   luna$ awk -F '|' '{ if ( $3 == "ipv4" && $2 == "US") printf("%s/%d\n", $4,
> 32-log($5)/log(2))}' delegated-arin-extended-latest.txt 2>/dev/null | md5
>     6f549bbc0799bc202c12695f8530d1df
>   luna$ gawk -F '|' '{ if ( $3 == "ipv4" && $2 == "US") printf("%s/%d\n",
> $4, 32-log($5)/log(2))}' delegated-arin-extended-latest.txt 2>/dev/null |
> md5
>     40c28b8ebfd2796e1ae15d9f6401c0c1
>   luna$ mawk -F '|' '{ if ( $3 == "ipv4" && $2 == "US") printf("%s/%d\n",
> $4, 32-log($5)/log(2))}' delegated-arin-extended-latest.txt 2>/dev/null |
> md5
>     40c28b8ebfd2796e1ae15d9f6401c0c1
> 
> 
> Example of the differences:
> 
> --- mawk.txt    Sat Jun  6 18:43:30 2020
> +++ awk.txt Sat Jun  6 18:43:38 2020
> @@ -29,7 +29,7 @@
>  9.64.0.0/10
>  9.128.0.0/9
>  11.0.0.0/8
> -12.0.0.0/8
> +12.0.0.0/30
>  13.0.0.0/11
>  13.32.0.0/12
>  13.48.0.0/14
> @@ -415,7 +415,7 @@
>  23.90.64.0/20
>  23.90.80.0/21
>  23.90.88.0/22
> -23.90.92.0/22
> +23.90.92.0/30
>  23.90.96.0/19
>  23.91.0.0/19
>  23.91.32.0/19
> @@ -545,8 +545,8 @@
>  23.133.224.0/24
>  23.133.240.0/24
>  23.134.0.0/24
> -23.134.16.0/24
> -23.134.17.0/24
> +23.134.16.0/30
> +23.134.17.0/30
> 
> 
> Any insight or advice would be much appreciated.
> 
> Regards,
> 
> Jordan
> 
> [1] https://ftp.arin.net/pub/stats/arin/delegated-arin-extended-latest
> 
> 

I have no idea about what is going on, but FWIW I can reproduce this on
i386 6.7-stable and amd64 6.7-current (well, current-ish, #232).
Truncating the file to a single offending line produces the same result:
log($5) is out of range.

It appears to have something to do with the last field.  Removing it or
changing some of its characters seems to work, e.g.:

arin|US|ipv4|216.250.144.0|4096|20050503|allocated|5e58386636aa775c2106140445cf2c30
arin|US|ipv4|216.250.144.0|4096|20050503|allocated|5a58386636aa775c2106140445cf2c30
                                                    ^
Fails on the first line but works on the second.

-- 
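An added example, not from the thread: the same delegated-stats to CIDR conversion as the awk one-liner, written in Python. It parses the count field as a strict decimal integer (nothing else in the record is ever treated as a number) and goes beyond the one-liner by splitting counts that are not powers of two, which 32-log2(count) cannot express, into the minimal list of aligned CIDR blocks. The first two input lines are the ones quoted in the reply; the remaining lines, including their opaque-id field, are constructed.

```python
"""Added example, not part of the thread: ARIN delegated-stats records to CIDR
blocks.  Mirrors the awk filter ($3 == "ipv4" && $2 == "US") and the
32-log2(count) formula, but validates the count as a plain decimal integer and
splits non-power-of-two counts into several aligned CIDR blocks."""
import ipaddress
import re

# The first two records are the ones quoted in the reply (they differ only in
# the first letter of the last field); the other lines are constructed here,
# including a fake header line and fake opaque-id values.
SAMPLE = """\
2|arin|20200606|5|19700101|20200606|-0500
arin|US|ipv4|216.250.144.0|4096|20050503|allocated|5e58386636aa775c2106140445cf2c30
arin|US|ipv4|216.250.144.0|4096|20050503|allocated|5a58386636aa775c2106140445cf2c30
arin|US|ipv4|23.134.16.0|256|20200101|assigned|constructed-opaque-id
arin|US|ipv4|23.90.92.0|1280|20200101|allocated|constructed-opaque-id
arin|CA|ipv4|24.0.0.0|4096|20200101|allocated|constructed-opaque-id
arin|US|ipv6|2600::|24|20200101|allocated|constructed-opaque-id
"""

DECIMAL = re.compile(r"^[0-9]+$")


def parse_delegated(text: str, cc: str = "US"):
    """Yield (start, count) for the ipv4 records of country code cc.  Header and
    summary lines are skipped; a count that is not a plain decimal integer
    (e.g. anything that only looks numeric to a float parser) is an error."""
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("|")
        if len(fields) < 5 or fields[2] != "ipv4" or fields[1] != cc:
            continue
        if not DECIMAL.match(fields[4]):
            raise ValueError(f"line {lineno}: count {fields[4]!r} is not a decimal integer")
        yield fields[3], int(fields[4])


def range_to_cidrs(start: str, count: int) -> list:
    """Cover [start, start + count) with the fewest CIDR blocks.  Each block is
    the largest power of two that fits the remaining count and is aligned at
    the current address; its prefix length is 32 - log2(size), computed in
    integers as 33 - size.bit_length()."""
    if count <= 0:
        raise ValueError("count must be positive")
    first = int(ipaddress.IPv4Address(start))
    if first + count > 1 << 32:
        raise ValueError("range runs past the end of the IPv4 address space")
    blocks = []
    while count:
        size = 1
        while size * 2 <= count and first % (size * 2) == 0:
            size *= 2
        blocks.append(f"{ipaddress.IPv4Address(first)}/{33 - size.bit_length()}")
        first += size
        count -= size
    return blocks


def to_cidr_lines(text: str, cc: str = "US") -> list:
    """The one-liner's output: one 'start/prefix' string per block."""
    out = []
    for start, count in parse_delegated(text, cc):
        out.extend(range_to_cidrs(start, count))
    return out


if __name__ == "__main__":
    for cidr in to_cidr_lines(SAMPLE):
        print(cidr)
```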
 



Re: openssl / did something change?

2020-01-06 Thread Loff
On Mon, Jan 06, 2020 at 02:17:20PM +, Roderick wrote:
> 
> I cannot decrypt files with
> 
> openssl aes-256-cbc -d -a -salt < encrypted-file.encrypted
> 
> That I encrypted with
> 
> openssl aes-256-cbc -e -a -salt < file > file.encrypted
> 
> I get the error:
> 
> bad decrypt
> 616640944:error:06FFF064:digital envelope routines:CRYPTO_internal:bad decrypt:/usr/src/lib/libcrypto/evp/evp_enc.c:527:
> 
> And it is very improbable that I forgot the password.
> 
> What I do not remember is the version of openssl and if I used
> OpenBSD or FreeBSD for encrypting. At the moment I do not have access
> to the FreeBSD machine. I tried with a modern slax-linux (in USB Stick)
> and it failed also.
> 
> I thank you for any hint.
> 
> Rodrigo
> 

Someone had the same issue some weeks ago.  See:
https://marc.info/?l=openbsd-misc&m=157548338310097&w=2
and the following discussion.  Solution: add -md md5

-- 
 



Re: Hardware for Access Point on OpenBSD

2020-01-01 Thread Loff


On Wed, Jan 01, 2020 at 08:54:46AM -0700, List wrote:
> Hi *, 
> I am currently building a home router based upon OpenBSD. 
> I therefore need some kind of WIFI Hardware. This piece of hardware
> needs to be connected over usb. 
> Do you have any suggestions or recommendations ? As far as I can see
> it's pretty hard to find an antenna which is connected via USB and runs
> on a supported chipset. It is  easy to get your hands on a
> realtek-chipset driven device. But urtw(4) doesn't support  Host AP
> mode. Only ones that do are: athn(4),  ral(4), ath(4). 
> Finding those is hard. 
> 
> Maybe you guys know things I couldn't find ? 
> 
> g, 
> Stephan
> 

In all honesty, and I've tried what you are aiming for a couple of times
in the past, it's just easier to get a dedicated AP (or a cheap wifi
router with a cable on the ethernet switch, which is usually bridged
with the wifi interface) and connect to an OpenBSD router which will
do all the necessary packet filtering (including keeping the AP/router's
firmware from reaching the internet, if need be).  IMHO this will be
stabler and faster than trying to find an adequate wifi board.  And
these days you're bound to get nice perks like multiple SSIDs and
802.11ac speeds (or whatever the latest 802.11* protocol is), which
AFAIK aren't available on OpenBSD yet.  Also, note that (if I am not
mistaken) ural(4) are the only USB Wi-Fi interfaces that can handle Host
AP mode, and they only do 802.11b/g which is kind of slow by today's
standards.

-- 
 



Re: Router with WAN subnet - dedicated IP per Host

2019-11-25 Thread Loff
On Mon, Nov 25, 2019 at 04:31:45PM +0100, Henry Jensen wrote:
> Hi,
> 
> my ISP provides me with a /29 subnet, including 5 usable public IPv4
> addresses.
> 
> Until now my router uses only one of this public IPs (11.22.33.40),
> with port forwarding of port 443 to an host in a DMZ(192.168.1.0/24)
> like this:
> 
>  pass in on egress proto tcp from any to any port 443 rdr-to 192.168.1.2
> 
> Now I plan to have a second host in the DMZ which should use another
> public IP from the subnet the ISP gave me.
> 
> In other words, I want to do the following
> 
> 192.168.1.2  < rdr-to/nat-to > 11.22.33.40
> 192.168.1.3  < rdr-to/nat-to > 11.22.33.41
> 
> I plan to give the outgoing interface the second public IP
> (11.22.33.41) as an alias, so the egress interface holds both public IP
> addresses. Question is, how do I do the routing so that DMZ host
> 192.168.1.3 uses public IP 11.22.33.41 exclusively?
> 
> Do I have to use rtables and rdomains or is there a simpler approach?
> 
> Thanks in advance,
> 
> Henry
> 
> 
> 
> 
> 
> 

I have something similar: a fixed IP address which I use for all
internet-facing services (http, mail, etc) and a DHCP-assigned address
which is used for all outgoing stuff.  Fortunately enough the
DHCP-address is pretty much static, which makes things easier, and very
similar to your use case.  Relevant pf excerpts:


  ext_if = ""
  ext_nat = ""
  ext_dmz = ""
  dmz = 
  lan = 
  (...)
  pass out quick on $ext_if inet from { 127.0.0.1, $dmz } to any nat-to $ext_dmz
  pass out quick on $ext_if inet from $lan to any nat-to $ext_nat

  pass in log on $ext_if inet proto tcp to $ext_dmz port $webports rdr-to 
$websvr
  pass in log on $ext_if inet proto tcp to $ext_dmz port $mailports rdr-to 
$mailsvr
  (etc)

 
-- 
 



Changes to VLAN and promiscuous mode in 6.6

2019-10-29 Thread Loff


Hi all

Some changes in VLAN-related code went into 6.6 and I think some of them
changed the way the parent interface gets into promiscuous mode.  Let me
try to explain...

Our ISP provides internet and VoIP over two separate VLANs (100 and 101,
respectively).  Our external firewall has two physical interfaces re0,
and re1, and also does the filtering and NATing for internet, but VoIP
traffic is transparently forwarded to the VoIP phone.  So it's something
like this:

GPON -> re0 -+--> vlan100  -> (PF/NAT) -> vlan90   -+-> re1 -> A switch
             \-> vlan1010 -> bridge1  -> vlan1011 -/

The VoIP phone is connected to the switch, which does all the appropriate
tagging and untagging.  re0 and re1 have no IP addresses, and neither do
the vlan1010, vlan1011 and bridge1 virtual interfaces.  The VoIP phone
gets configured by DHCP, and gets its address (etc.) from the ISP.  All
interfaces are up, and correctly configured (ifconfigs below).  This
worked fine up until the 6.6 upgrade.

Now, if things are left alone, the phone fails to get DHCP replies.
This can be checked by running "tcpdump -i re1 vlan 101", which clearly
shows the DHCP requests coming from the phone, but getting no replies.
Exactly the same is seen on vlan1011 and vlan1010 (i.e. on both sides of
the bridge1): DHCP requests but no replies.  If tcpdump is run on re0
("tcpdump -i re0 vlan 101") then the interface goes into promiscuous
mode and the DHCP replies start flowing from the ISP and the phone
finally gets configured.  Crucially, if the "-p" flag is added to
tcpdump (i.e. not putting the if in promiscuous mode), DHCP fails.

Is this behaviour intended and, if so, can re0 be configured to stay in
promiscuous mode without having to do something silly as tcpdump'ing
into /dev/null?

Thanks in advance
Zé

-- 

# ifconfig -A
lo0: flags=8049 mtu 32768
index 5 priority 0 llprio 3
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
inet 127.0.0.1 netmask 0xff00
re0: flags=8b43 mtu 
1500
lladdr 00:0d:b9:3c:b0:e8
index 1 priority 0 llprio 3
media: Ethernet autoselect (1000baseT full-duplex,master)
status: active
re1: flags=8843 mtu 9100
lladdr 00:0d:b9:3c:b0:e9
index 2 priority 0 llprio 3
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active
re2: flags=8802 mtu 1500
lladdr 00:0d:b9:3c:b0:ea
index 3 priority 0 llprio 3
media: Ethernet autoselect (10baseT half-duplex)
status: no carrier
enc0: flags=0<>
index 4 priority 0 llprio 3
groups: enc
status: active
bridge1: flags=41
index 6 llprio 3
groups: bridge
priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
vlan1011 flags=3
port 11 ifpriority 0 ifcost 0
vlan1010 flags=3
port 10 ifpriority 0 ifcost 0
Addresses (max cache: 100, timeout: 240):
00:00:5e:00:01:c9 vlan1010 1 flags=0<>
80:5e:c0:12:3f:80 vlan1011 1 flags=0<>
vlan100: flags=808843 mtu 1500
lladdr 00:0d:b9:3c:b0:e8
description: WAN
index 9 priority 0 llprio 3
encap: vnetid 100 parent re0 txprio packet rxprio outer
groups: vlan egress
media: Ethernet autoselect (1000baseT full-duplex,master)
status: active
inet 148.69.164.57 netmask 0xfc00 broadcast 148.69.167.255
inet 148.69.143.1 netmask 0xfffc broadcast 148.69.143.3
vlan1010: flags=8943 mtu 1500
lladdr 00:0d:b9:3c:b0:e8
description: VoIP WAN
index 10 priority 0 llprio 3
encap: vnetid 101 parent re0 txprio packet rxprio outer
groups: vlan
media: Ethernet autoselect (1000baseT full-duplex,master)
status: active
vlan1011: flags=8943 mtu 1500
lladdr 00:0d:b9:3c:b0:e9
description: VoIP DMZ
index 11 priority 0 llprio 3
encap: vnetid 101 parent re1 txprio packet rxprio outer
groups: vlan
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active
vlan90: flags=8843 mtu 9000
lladdr 00:0d:b9:3c:b0:e9
description: DMZ
index 14 priority 0 llprio 3
encap: vnetid 90 parent re1 txprio packet rxprio outer
groups: vlan
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active
inet 10.17.16.1 netmask 0xfe00 broadcast 10.17.17.255
pflog0: flags=141 mtu 33136
index 15 priority 0 llprio 3
groups: pflog


# dmesg

OpenBSD 6.6 (GENERIC.MP) #372: Sat Oct 12 10:56:27 MDT 2019
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2098511872 (2001MB)
avail mem = 2022256640 (1928MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0x7e16d820 (6 entries)
bios0: vendor 
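
As an added example (not from the original post), the following decodes the hex flags words in the ifconfig -A output above and reports, for every vlan(4) member of a bridge, which physical interface is its parent and whether that parent currently has IFF_PROMISC set (the bit tcpdump sets unless run with -p). The flag bit values are those of OpenBSD's <net/if.h>; the sample is a trimmed copy of the output quoted in the post, on which re0 shows PROMISC set and re1 does not.

```python
"""Decode ifconfig flags and check the promiscuous state of the parents
of bridged vlan(4) interfaces.  Bit values come from OpenBSD <net/if.h>."""
import re

# Subset of IFF_* bits from <net/if.h>, enough to read the flags= words above.
IFF_BITS = {
    0x0001: "UP", 0x0002: "BROADCAST", 0x0008: "LOOPBACK", 0x0040: "RUNNING",
    0x0080: "NOARP", 0x0100: "PROMISC", 0x0200: "ALLMULTI", 0x0800: "SIMPLEX",
    0x8000: "MULTICAST",
}
IFF_PROMISC = 0x0100

# Trimmed copy of the ifconfig -A output in the post (sample input).
SAMPLE = """\
re0: flags=8b43 mtu 1500
lladdr 00:0d:b9:3c:b0:e8
index 1 priority 0 llprio 3
re1: flags=8843 mtu 9100
lladdr 00:0d:b9:3c:b0:e9
index 2 priority 0 llprio 3
bridge1: flags=41
index 6 llprio 3
groups: bridge
priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
vlan1011 flags=3
port 11 ifpriority 0 ifcost 0
vlan1010 flags=3
port 10 ifpriority 0 ifcost 0
Addresses (max cache: 100, timeout: 240):
00:00:5e:00:01:c9 vlan1010 1 flags=0<>
vlan1010: flags=8943 mtu 1500
lladdr 00:0d:b9:3c:b0:e8
encap: vnetid 101 parent re0 txprio packet rxprio outer
groups: vlan
vlan1011: flags=8943 mtu 1500
lladdr 00:0d:b9:3c:b0:e9
encap: vnetid 101 parent re1 txprio packet rxprio outer
groups: vlan
"""

HEADER = re.compile(r"^([A-Za-z]+\d+): flags=([0-9a-fA-F]+)")
ENCAP = re.compile(r"^encap: vnetid (\d+) parent (\S+)")
MEMBER = re.compile(r"^([A-Za-z]+\d+) flags=[0-9a-fA-F]+$")


def flag_names(flags):
    """Expand a numeric flags word into the IFF_* names it contains."""
    return [name for bit, name in sorted(IFF_BITS.items()) if flags & bit]


def parse_ifconfig(text):
    """Return {ifname: {flags, parent, vnetid, members}} from ifconfig -A text."""
    ifaces, cur, in_bridge = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = m.group(1)
            ifaces[cur] = {"flags": int(m.group(2), 16), "parent": None,
                           "vnetid": None, "members": []}
            in_bridge = False
            continue
        if cur is None:
            continue
        if line.startswith("groups:"):
            in_bridge = "bridge" in line.split()[1:]
            continue
        m = ENCAP.match(line)
        if m:
            ifaces[cur]["vnetid"] = int(m.group(1))
            ifaces[cur]["parent"] = m.group(2)
            continue
        m = MEMBER.match(line)
        if m and in_bridge:  # member lines only appear under a bridge(4)
            ifaces[cur]["members"].append(m.group(1))
    return ifaces


def bridged_parents(ifaces):
    """For each bridge member that is a vlan(4): (parent, parent_is_promisc)."""
    report = {}
    for info in ifaces.values():
        for member in info["members"]:
            parent = ifaces.get(member, {}).get("parent")
            if parent is None or parent not in ifaces:
                continue
            report[member] = (parent, bool(ifaces[parent]["flags"] & IFF_PROMISC))
    return report


if __name__ == "__main__":
    for member, (parent, promisc) in bridged_parents(parse_ifconfig(SAMPLE)).items():
        print(f"{member}: parent {parent} PROMISC={'yes' if promisc else 'no'}")
```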

/usr/X11R6/bin/xset linked to missing libXfontcache.so.5.0

2018-05-26 Thread Loff

On a vanilla amd64-current fresh install, /usr/X11R6/bin/xset seems to
be linked to libXfontcache.so.5.0, which I believe was recently dropped
from the install sets.  This (obviously) makes xset fail on start.


pagurus# xset
ld.so: xset: can't load library 'libXfontcache.so.5.0'
Killed
pagurus# ls /usr/X11R6/lib/libXfontcache.so.5.0
ls: /usr/X11R6/lib/libXfontcache.so.5.0: No such file or directory


OpenBSD 6.3-current (GENERIC) #44: Thu May 24 19:18:04 MDT 2018 
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 520093696 (496MB)
avail mem = 496361472 (473MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0
acpi at bios0 not configured
cpu0 at mainbus0: (uniprocessor)
cpu0: Intel(R) Core(TM) i7-7700K CPU @ 4.20GHz, 159.86 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,PCLMUL,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,LONG,LAHF,ABM,3DNOWP,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,RDSEED,ADX,SMAP,CLFLUSHOPT,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
pvbus0 at mainbus0: OpenBSD
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "OpenBSD VMM Host" rev 0x00
virtio0 at pci0 dev 1 function 0 "Qumranet Virtio RNG" rev 0x00
viornd0 at virtio0
virtio0: irq 3
virtio1 at pci0 dev 2 function 0 "Qumranet Virtio Storage" rev 0x00
vioblk0 at virtio1
scsibus1 at vioblk0: 2 targets
sd0 at scsibus1 targ 0 lun 0:  SCSI3 0/direct fixed
sd0: 4096MB, 512 bytes/sector, 8388608 sectors
virtio1: irq 5
virtio2 at pci0 dev 3 function 0 "Qumranet Virtio Storage" rev 0x00
vioblk1 at virtio2
scsibus2 at vioblk1: 2 targets
sd1 at scsibus2 targ 0 lun 0:  SCSI3 0/direct fixed
sd1: 360MB, 512 bytes/sector, 738240 sectors
virtio2: irq 6
virtio3 at pci0 dev 4 function 0 "Qumranet Virtio Network" rev 0x00
vio0 at virtio3: address 0a:00:10:17:18:92
virtio3: irq 7
virtio4 at pci0 dev 5 function 0 "OpenBSD VMM Control" rev 0x00
vmmci0 at virtio4
virtio4: irq 9
isa0 at mainbus0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16450, no fifo
com0: console
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
root on sd0a (281a39d09c7575bc.a) swap on sd0b dump on sd0b


-- 
 



Re: Can't boot from encrypted disk after attaching/detaching from another machine

2017-10-04 Thread Loff
On Wed, Oct 04, 2017 at 12:18:20PM +0200, Stefan Sperling wrote:
> On Wed, Oct 04, 2017 at 10:57:28AM +0100, Zé Loff wrote:
> > On Wed, Oct 04, 2017 at 10:41:56AM +0100, Zé Loff wrote:
> > > 
> > > Hi all
> > > 
> > > I connected my laptop's encrypted HDD to my desktop machine to copy some
> > > stuff and when I put it back on the laptop the boot loader no longer
> > > asks for the passphrase and thus I can't boot from it.  Any clues?  Some
> > > notes:
> > > 
> > > - Both machines are amd64 running snapshots, 6.2 #115 (Sep 27) on the
> > >   laptop, 6.1 #125 (Oct 1) on the desktop (I had to disable pcppi on the
> > >   desktop, so not exactly vanilla).
> > > 
> > > - The softraid volume was and still is correctly attached/detached on
> > >   the desktop and on a i386 machine running 6.1-release+mtier
> > > 
> > > - The metadata changed when connecting to the desktop, roaming from sd1
> > >   to sd3.  I attached/detached it on the i386 machine to make it roam
> > >   back to sd1, just in case, but it expectedly made no difference.
> > > 
> > > - I ran installboot on the softraid volume, to no avail.
> > > 
> > > - Tried booting bsd.rd from a USB stick, starting an upgrade, dropping
> > >   to shell, MAKEDEV sd0 sd1 sd2, attaching the crypto volume and
> > >   selecting it as the root disk.  The installer complains that it is not
> > >   a valid root disk even though all tests mention here[1] pass:
> > >
> > > 
> > > [1] https://marc.info/?l=openbsd-bugs=150170071321416=2
> > 
> > Strike that last one.  Forgot to umount /mnt before going back to the
> > installer, so the "mount test" failed in the installer.  Just managed to
> > do the upgrade and it's all back to normal now.
> > 
> > > Anyway, I took a bit of a scare there.  Can anyone shed some light on
> > > what happened?  Is a CAVEAT in order?  I can try to write something up,
> > > but I'd need to understand it first...
> 
> Sounds like the BIOC_SCBOOTABLE flag in softraid meta data got cleared
> when the meta data was rewritten by your desktop machine.
> 
> If you compile kernels on both machines with 'option SR_DEBUG' and repeat
> the process, you should be able to confirm this. The kernel will now print
> softraid meta data to dmesg while rewriting it. Among several lines there
> will be a line 'ssd_vol_flags 0x...'. The volume is bootable only if flag
> bit 0x80 is set.
> 
> The only way to set the 'bootable' bit is via installboot(8). You said you
> were running installboot (how exactly?) but it seems this somehow didn't
> succeed and only the installer eventually succeeded with this when you
> did an upgrade?

On the desktop machine (which incidentally also has FDE, I forgot to
mention that), I attached the HDD (sd2), attached the crypto volume with
bioctl (which became sd3) and ran

# installboot -v sd3
Using / as root
installing bootstrap on /dev/rsd3c
using first-stage /usr/mdec/biosboot, second-stage /usr/mdec/boot
sd3: softraid volume with 1 disk(s)
sd3: installing boot loader on softraid volume
/usr/mdec/boot is 6 blocks x 16384 bytes
sd2a: installing boot blocks on /dev/rsd2c, part offset 144
master boot record (MBR) at sector 0
partition 3: type 0xA6 offset 64 size 625136336
/usr/mdec/biosboot will be written at sector 64

(hooray for tmux's scrollback)

> So far, I cannot tell if this is a bug or intended behaviour.
> 

-- 
 



Re: Can't boot from encrypted disk after attaching/detaching from another machine

2017-10-04 Thread Loff
On Wed, Oct 04, 2017 at 10:41:56AM +0100, Zé Loff wrote:
> 
> Hi all
> 
> I connected my laptop's encrypted HDD to my desktop machine to copy some
> stuff and when I put it back on the laptop the boot loader no longer
> asks for the passphrase and thus I can't boot from it.  Any clues?  Some
> notes:
> 
> - Both machines are amd64 running snapshots, 6.2 #115 (Sep 27) on the
>   laptop, 6.1 #125 (Oct 1) on the desktop (I had to disable pcppi on the
>   desktop, so not exactly vanilla).
> 
> - The softraid volume was and still is correctly attached/detached on
>   the desktop and on a i386 machine running 6.1-release+mtier
> 
> - The metadata changed when connecting to the desktop, roaming from sd1
>   to sd3.  I attached/detached it on the i386 machine to make it roam
>   back to sd1, just in case, but it expectedly made no difference.
> 
> - I ran installboot on the softraid volume, to no avail.
> 
> - Tried booting bsd.rd from a USB stick, starting an upgrade, dropping
>   to shell, MAKEDEV sd0 sd1 sd2, attaching the crypto volume and
>   selecting it as the root disk.  The installer complains that it is not
>   a valid root disk even though all tests mention here[1] pass:
>
> 
> [1] https://marc.info/?l=openbsd-bugs=150170071321416=2

Strike that last one.  Forgot to umount /mnt before going back to the
installer, so the "mount test" failed in the installer.  Just managed to
do the upgrade and it's all back to normal now.

Anyway, I took a bit of a scare there.  Can anyone shed some light on
what happened?  Is a CAVEAT in order?  I can try to write something up,
but I'd need to understand it first...

> Any hints?  Thanks in advance
> Zé
> 
> -- 
>  
> 

-- 
 



Can't boot from encrypted disk after attaching/detaching from another machine

2017-10-04 Thread Loff

Hi all

I connected my laptop's encrypted HDD to my desktop machine to copy some
stuff and when I put it back on the laptop the boot loader no longer
asks for the passphrase and thus I can't boot from it.  Any clues?  Some
notes:

- Both machines are amd64 running snapshots, 6.2 #115 (Sep 27) on the
  laptop, 6.1 #125 (Oct 1) on the desktop (I had to disable pcppi on the
  desktop, so not exactly vanilla).

- The softraid volume was and still is correctly attached/detached on
  the desktop and on a i386 machine running 6.1-release+mtier

- The metadata changed when connecting to the desktop, roaming from sd1
  to sd3.  I attached/detached it on the i386 machine to make it roam
  back to sd1, just in case, but it expectedly made no difference.

- I ran installboot on the softraid volume, to no avail.

- Tried booting bsd.rd from a USB stick, starting an upgrade, dropping
  to shell, MAKEDEV sd0 sd1 sd2, attaching the crypto volume and
  selecting it as the root disk.  The installer complains that it is not
  a valid root disk even though all tests mention here[1] pass:

[1] https://marc.info/?l=openbsd-bugs=150170071321416=2

Any hints?  Thanks in advance
Zé

-- 
 



Re: Useless firmware in /etc/firmware/ for unsupported device

2017-09-12 Thread Loff
On Tue, Sep 12, 2017 at 09:44:15AM -0400, Puffymon wrote:
> Hi.
> When I ran OpenBSD first time at my AMD PC,
> it didn't try to fetch radeondrm(4) firmware.
> So I had to run "fw_update radeondrm"
> 
> Then after reboot it didn't try to load radeondrm(4) for my Kaveri APU
> That is a big pain, I don't have 2D and 3D accelerations.
> Xorg's log file tells me that modesetting is not supported.
> My question is:
> If kernel doesn't support radeon kaveri,
> why would I need useless /etc/firmware/radeon_kaveri_* files?

You should know, you are the one who decided to fetch them...

> The second question is:
> Are there any plans to support kaveri and other radeon graphics cards?

-- 
 



Re: Why is my USB showing as multiple disks (sd1/sd2/sd3) during installation? - OpenBSD 6.1 Release + Updates

2017-08-04 Thread Loff
On Thu, Aug 03, 2017 at 05:44:42PM -0400, tec...@protonmail.com wrote:
> Hello,
> I'm so confused about this - I'm trying to install OBSD 6.1 to another
> USB from a USB.. This all goes well up until the point of selecting
> the disk to install to.. instead of it showing as I'd expect it to:
> sd1: Generic Storage Device
> it shows as:
> sd1: sd2: sd3: Generic Storage Device
> This same issue has happened with 2 different target USB's and 2
> different target MicroSD cards (which my system can boot from). Can't
> for the life of me figure out what's going on. All of these devices
> have been wiped fully using gparted on my linux system.
> If anyone can point me in the right direction that'd be great, I've
> been scouring search engine for the past couple of hours on this one.
> Thanks

At least show us a dmesg!  How are you attaching the card?  I have a
multi-card reader that attaches 4 different sd* devices:

sd2 at scsibus4 targ 1 lun 0:  SCSI0 0/direct removable
sd3 at scsibus4 targ 1 lun 1:  SCSI0 0/direct removable
sd4 at scsibus4 targ 1 lun 2:  SCSI0 0/direct removable
sd5 at scsibus4 targ 1 lun 3:  SCSI0 0/direct removable

Cheers
Zé

P.S.: you might want to search the archives for recent messages
regarding protonmail's bad habit of turning plain text messages into
base64

-- 



Re: another iked issue

2017-06-06 Thread Loff
On Mon, Jun 05, 2017 at 07:50:01PM -0400, Igor V. Gubenko wrote:
> Hello all,
> 
> I am continuing my assault on iked :)
> 
> Here is a perfectly working configuration that uses PSK's:
> 
> ###
> 
> local_ip = "A.B.1.153"
> local_net = "172.16.0.0/20"
> 
> ikev2 "KBweb" \
> passive ipcomp esp \
> from $local_net to 10.33.33.0/27 \
> local $local_ip \
> peer C.D.65.236 \
> ikesa auth hmac-sha2-256 enc aes-192 group modp2048 \
> childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
> srcid $local_ip \
> dstid web01.domain.org \
> psk thepsk
> 
> 
> ikev2 "KBDB" \
> passive ipcomp esp \
> from $local_net to 10.34.34.0/27 \
> local $local_ip \
> peer C.D.65.237 \
> ikesa auth hmac-sha2-256 enc aes-192 group modp2048 \
> childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
> srcid $local_ip \
> dstid db01.domain.org \
> psk thepsk
> 
> ###
> 
> Now, I am adding a third connection, using certificates (presumably):
> 
> ##
> 
> user "igor" "thepassword"
> 
> ikev2 "roaming" \
> passive esp \
> from $local_net to 192.168.200.0/26 \
> local $local_ip \
> peer any \
> eap "mschap-v2" \
> config address 192.168.200.1 \
> tag "$name-$id"
> 
> ##
> 
> 
> This results in the first 2 connections never working anymore:
> 
> ikev2_msg_auth: responder auth data length 525
> ikev2_msg_auth: initiator auth data length 488
> ikev2_msg_authverify: method SHARED_KEY_MIC keylen 32 type NONE
> ikev2_msg_authverify: authentication successful
> sa_state: AUTH_REQUEST -> AUTH_SUCCESS
> sa_stateflags: 0x0028 -> 0x0038 auth,authvalid,sa (required 0x0079
> cert,auth,authvalid,sa,eapvalid)
> ikev2_sa_negotiate: score 4
> sa_stateflags: 0x0038 -> 0x0038 auth,authvalid,sa (required 0x0079
> cert,auth,authvalid,sa,eapvalid)
> sa_stateok: VALID flags 0x0038, require 0x0079
> cert,auth,authvalid,sa,eapvalid
> sa_state: cannot switch: AUTH_SUCCESS -> VALID
> ikev2_ike_auth: no CERTREQ, using default
> ikev2_policy2id: srcid IPV4/A.B.1.153 length 8
> sa_stateflags: 0x0038 -> 0x003c certreq,auth,authvalid,sa (required
> 0x0079 cert,auth,authvalid,sa,eapvalid)
> config_free_proposals: free 0x23ee58d3f80
> ca_getreq: found CA /C=US/ST=New Jersey/O=Gubenko/OU=IT/CN=cainter.dom.com
> ca_x509_subjectaltname: unsupported subjectAltName type 34
> ca_getreq: found CA /C=US/ST=New
> Jersey/L=Livingston/O=Gubenko/OU=IT/CN=caroot.dom.com
> ca_getreq: no valid local certificate found
> ikev2_getimsgdata: imsg 19 rspi 0xbd166184c4d2d33b ispi
> 0xd7fc1a37a3acdec4 initiator 0 sa valid type 0 data length 0
> ikev2_dispatch_cert: cert type NONE length 0, ignored
> 
> 
> As a side note, the certificate does contain several subjectAltName's:
> 
>  X509v3 Subject Alternative Name:
> DNS:ip6.dom.com, DNS:www.dom.com, DNS:www.ip6.dom.com,
> DNS:mail.dom.com, DNS:imap.dom.com, DNS:smtp.dom.com, DNS:proxy.dom.com,
> DNS:vpn.dom.com, DNS:pbx.dom.com
> 
> 
> As soon as the third section is commented out, and iked restarted, the
> first two connections come back up.
> 
> 
> Please help.

RTFM

From iked.conf(5):


 For incoming connections from remote peers, the policies are evaluated
 in sequential order, from first to last.  The last matching policy
 decides what action is taken; if no policy matches the connection, the
 default action is to ignore the connection attempt or to use the
 default policy, if set.  Please also see the EXAMPLES section for a
 detailed example of the policy evaluation.

 (...)

 EXAMPLES

 (...)

 The following example illustrates the last matching policy evaluation
 for incoming connections on an IKEv2 gateway.  The peer 192.168.1.34
 will always match the first policy because of the quick keyword;
 connections from the peers 192.168.1.3 and 192.168.1.2 will be matched
 by one of the last two policies; any other connections from
 192.168.1.0/24 will be matched by the ‘subnet’ policy; and any other
 connection will be matched by the ‘catch all’ policy.

 ikev2 quick esp from 10.10.10.0/24 to 10.20.20.0/24 \
         peer 192.168.1.34
 ikev2 "catch all" esp from 10.0.1.0/24 to 10.0.2.0/24 \
         peer any
 ikev2 "subnet" esp from 10.0.3.0/24 to 10.0.4.0/24 \
         peer 192.168.1.0/24
 ikev2 esp from 10.0.5.0/30 to 10.0.5.4/30 peer 192.168.1.2
 ikev2 esp from 10.0.5.8/30 to 10.0.5.12/30 peer 192.168.1.3


In summary, you have a "last matching policy" and a "peer any" on the
last rule.  Does it work if you move it upwards or add "quick" to the
other rules?

> 
> Many thanks,
> 
> - Igor
> 
> 
> 

-- 
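
As an added example, not part of the thread and not iked's own code: a small Python model of the "last matching policy" rule quoted from iked.conf(5), run first over the man page's own example and then over Igor's three policies. Only the peer selector is modelled (real iked also matches the from/to flows, ids and proposals), and the masked addresses C.D.65.236 and C.D.65.237 are replaced by the documentation-range stand-ins 203.0.113.236 and 203.0.113.237.

```python
"""Model of iked(8) policy selection for incoming IKEv2 connections:
policies are walked first to last, the last match wins, and a matching
policy marked 'quick' stops the evaluation immediately."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Policy:
    name: str           # the name after "ikev2", e.g. "KBweb"
    peer: str           # "any", a host address or a CIDR subnet
    quick: bool = False


def peer_matches(policy, addr):
    """True if the policy's peer selector covers the remote address."""
    if policy.peer == "any":
        return True
    net = ipaddress.ip_network(policy.peer, strict=False)  # host -> /32
    return ipaddress.ip_address(addr) in net


def select_policy(policies, addr):
    """Return the policy iked would apply to an incoming peer at addr."""
    chosen = None
    for pol in policies:
        if peer_matches(pol, addr):
            chosen = pol          # later matches overwrite earlier ones
            if pol.quick:
                break             # 'quick' ends the search at once
    return chosen


# The example from iked.conf(5) quoted above.
MANPAGE = [
    Policy("quick", "192.168.1.34", quick=True),
    Policy("catch all", "any"),
    Policy("subnet", "192.168.1.0/24"),
    Policy("host .2", "192.168.1.2"),
    Policy("host .3", "192.168.1.3"),
]

# Igor's configuration, peers C.D.65.236/237 replaced by stand-in addresses.
IGOR = [
    Policy("KBweb", "203.0.113.236"),
    Policy("KBDB", "203.0.113.237"),
    Policy("roaming", "any"),   # the third block added at the end
]


def move_any_first(policies):
    """Fix 1 from the reply: put 'peer any' policies first so they lose."""
    return ([p for p in policies if p.peer == "any"]
            + [p for p in policies if p.peer != "any"])


def mark_specific_quick(policies):
    """Fix 2 from the reply: add 'quick' to every policy with a specific peer."""
    return [replace(p, quick=True) if p.peer != "any" else p for p in policies]


if __name__ == "__main__":
    for addr in ("192.168.1.34", "192.168.1.3", "192.168.1.77", "10.9.9.9"):
        print(f"man page: {addr} -> {select_policy(MANPAGE, addr).name}")
    web = "203.0.113.236"
    print("as posted:     ", select_policy(IGOR, web).name)
    print("any moved up:  ", select_policy(move_any_first(IGOR), web).name)
    print("quick added:   ", select_policy(mark_specific_quick(IGOR), web).name)
```

With the policies as posted, both fixed peers fall through to "roaming", which is the "no valid local certificate found" path in the log; either reordering or adding quick makes them land on their PSK policies again.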



Re: A mix: mounting ext3 usb, FF & js, audio

2017-05-19 Thread Loff
On Thu, May 18, 2017 at 05:59:16PM -0700, system_halted wrote:
> Hi,
> I am new to BSD world, yet enjoying very much OpenBSD 6.1 that I have
> installed recently. As a newcomer I have some questions, sorry for having a
> mix of everything.
> 
> 1. I have a pendrive with ext3fs
> 
> fdisk output on Debian:
> Disk /dev/sdc: 29.8 GiB, 32027705344 bytes, 62554112 sectors
> Units: sectors of 1 * 512 = 512 bytes
> Sector size (logical/physical): 512 bytes / 512 bytes
> I/O size (minimum/optimal): 512 bytes / 512 bytes
> Disklabel type: dos
> Disk identifier: 0xbb378728
> 
> Device Boot Start  End  Sectors  Size Id Type
> /dev/sdc12048 62554111 62552064 29.8G 83 Linux
> 
> disklabel:
> # /dev/rsd2c:
> type: SCSI
> disk: Debian testing a
> label: md64 1
> duid: 
> flags:
> bytes/sector: 512
> sectors/track: 32
> tracks/cylinder: 64
> sectors/cylinder: 2048
> cylinders: 30544
> total sectors: 62554112
> boundstart: 0
> boundend: 62554112
> drivedata: 0
> 
> 16 partitions:
> #size   offset  fstype [fsize bsize   cpg]
>   a: 625541120 ISO9660
>   c: 625541120 ISO9660
> 
> 
> What is that I am missing? To my understanding OpenBSD does handle ext3, is
> this some kind of a problem with partition table on the drive? I did put
> ISO image of Debian testing on that drive with cp before, but then deleted
> all partitions created new and formatted the drive. After mounting sd2a
> I can see directory tree of ISO image that originally was on that drive,
> content of the files is obviously all messed up. sd2c cannot be mounted
> "Device not configured".

Adding to Stuart Henderson's reply, note that you can't mount /dev/sd2c.
From disklabel(8):

  disklabel supports 15 configurable partitions, ‘a’ through ‘p’,
  excluding ‘c’.  The ‘c’ partition describes the entire physical disk, is
  automatically created by the kernel, and cannot be modified or deleted
  by disklabel. 

OpenBSD's fdisk output might also be helpful.
 
> 2. Firefox
> Seem to have problems with certain sites with js - cannot get through to
> log in into protonmail.com, Epiphany handles it without any problems. This
> is not associated with any addons that I have on FF, tried in on fresh
> vanilla FF and result is the same. Did anyone observe similar issue?
> Resolving suggestions?
> 
> 3. Audio
> With headphones in there is a slight white noise that can be heard. I do
> not have that effect while on Debian. This effect does not go away when
> playing sound or reducing volume to 0 (xfce4-mixer). Any suggestions?

The only case in which I've seen something more or less similar is on a
MacBook, on which the OS powers off the audio card when it's not being
used, which is very noticeable when on headphones, since they stop
humming.  The background hum you refer to is almost certainly hardware related
-- look up "ground loop" on wikipedia or the like --  so the software is
not (directly) at fault here.  I'm guessing that the APM in Debian is
powering off the audio card, which doesn't happen on OpenBSD, but maybe
someone else more knowledgeable wants to chime in on that.

Cheers
Zé
>
> Thanks,
> ic1
> 

-- 



Re: Speed tests on 11n / 11g and on different channels with the latest 6.1 snapshot from yesterday. Patterns can be observed.

2017-03-05 Thread Loff
On Sun, Mar 05, 2017 at 04:04:00PM -0500, tec...@protonmail.com wrote:
> Why does it make no sense? It's a real world test on actual
> performance noticed by a client. It absolutely makes sense. Yes there
> are other tests which could be performed on top of that testing,
> obviously.

Because if you are comparing the results of different test runs you are
assuming that the bandwidth from your gateway to the speedtest.net
server is constant.  And it might not be for a lot of reasons.  Maybe it
is constant, and in that case all's good, but you can't be sure, can
you?  So no, it doesn't make sense.  If you want to test bandwidth from
machine A to machine B, you measure it from A to B, not from A to Z and
assume B to Z is constant.


>  Original Message 
> Subject: Re: Speed tests on 11n / 11g and on different channels with the 
> latest 6.1 snapshot from yesterday. Patterns can be observed.
> Local Time: 5 March 2017 9:29 PM
> UTC Time: 5 March 2017 20:29
> From: paol...@gmail.com
> To: misc@openbsd.org
> 
> In order to measure the performance of a wireless 802.11 connection,
> speedtest.net makes no sense.
> 
> U'd better use iperf on your lan.
> 
> On 05/mar/2017 07:45 PM,  wrote:
> 
> > Forgot to mention that the speed tests were performed using
> > https://speedtest.net from a mobile client connected to the AP.
> >
> > But yeah, the uploads can be pretty damn good on channels with less
> > interference.
> >
> > Thanks for letting me know about the key issue in my logs. Luckily, it was
> > just a temporary password/key for testing purposes.
> >
> > I will try the patch later and do a quick test and provide just the best
> > result!
> >
> >
> >
> >
> >
> >
> >
> > On Sat, Mar 04, 2017 at 11:16:28PM -0500, tec...@protonmail.com wrote:
> > > Hi,
> > >
> > > I have performed some speed tests with my AP (AR9287) using both 11g and
> > 11n.
> > > I am on the latest 6.1 snapshot from yesterday.
> >
> > Thanks for taking the time to test!
> >
> > > For comparison sake, I have included tests on different channels.
> >
> > Reporting just the best results is good enough for me.
> >
> > Channels are occupied differently everywhere and occupation patterns change
> > constantly. So this comparison is mostly useful for yourself, since it
> > tells
> > you which channel is working best at your location (until some AP in your
> > area decides that this channel is so good that it is going to use it, too).
> >
> > > I have approx 70mbps download speed on my ethernet connection, and an
> > upload of under 20mbps.
> > >
> > > A pattern can be observed in these results.
> > >
> > > Upload speed is way above the download speed, in fact in many of the
> > > results the upload speed is hitting the same speeds as my ethernet
> > > connection.
> >
> > What is down, and what is up?
> > Is traffic going from the client to the AP what you call "upstream"?
> >
> > There is a known issue where an A won't transmit reliably at higher data
> > rates with our athn(4) driver. I have no idea yet what is causing this
> > problem.
> >
> > > Generally 11n upload speed is better, but on one of the channels - 5 -
> > > both down and upload were pretty dire. Not sure if it is interference,
> > > or whether the card is handling that particularly well.
> >
> > Most likely there is another busy network on channel 5.
> >
> > > Upper channels seem to provide the best performance.
> > >
> > > Hope these tests help in some way.
> >
> > Your numbers are in the ranges as the ones I get. This patch (not
> > committed yet, and not in snaps) might make things a bit faster:
> > https://marc.info/?l=openbsd-tech=148866151017854=raw
> 

-- 



Re: PCI Express wireless adapter supported under OpenBSD

2016-11-30 Thread Loff
On Wed, Nov 30, 2016 at 08:09:24AM +, C. L. Martinez wrote:
> Hi all,
> 
>  I would like to install OpenBSD on a HP Microserver Gen8 to act as a
>  firewall and hostap. I am searching what components I need and I have
>  a doubt about what wireless interface I need to buy to use it as a
>  hostap under OpenBSD.
> 
>  I have found only these:
> 
>  - Asus PCE-AC88 Wireless 5GHz PCI-E AC3100
>  - Asus PCE-AC68 PCI-E WiFi Dual-Band AC1900
> 
>  Searching in ASUS's web, I didn't find any info about what chip use
>  these adapters. Are they supported under OpenBSD? Do you recommend
 any other wireless adapter (PCI-e)?? Throughput needs to be 300 Mbps,
>  at least.

From (at least) iwn(4) and iwm(4): 

  802.11n operation is currently limited to data rates MCS 0 to MCS 7

Which means you'll get at most 150Mbps with a 40 MHz channel under
perfect conditions.  If you want that kind of bandwidth (actually, even
if you don't) I'd advise getting a dedicated access point or a wi-fi
router that you can configure as such.

Cheers
Zé

> 
> Thanks.
> 
> -- 
> Greetings,
> C. L. Martinez
> 

-- 



Re: iked(8) OpenBSD road warrior setup anybody?

2016-10-04 Thread Loff
> On 04/10/2016, at 18:48, Pavel Korovin <p...@tristero.se> wrote:
>
> On 10/04, Zé Loff wrote:
>>> On 04/10/2016, at 11:58, Pavel Korovin <p...@tristero.se> wrote:
>>>
>>>> On 10/04, Zé Loff wrote:
>>>> On "the wanderer" iked.conf:
>>>>
>>>> ikev2 home active esp \
>>>>   from egress to 192.168.99.0/24 \
>>>>   local egress peer vpn.example.com \
>>>>   srcid dion.example.com dstid vpn.example.com
>>>>
>>>> On the "wanderer" pf.conf:
>>>>
>>>> match out on enc0 from any to 192.168.99.0/22 nat-to 192.168.100.3
>> static-port
>>>
>>> Zé, do you have an interface with the address 192.168.100.3 on your
>>> wanderer?
>>
>> No
>
> Then how does your pf rewrite the address to 192.168.100.3? I believe there
> must be an interface with the address specified in the rewrite rules.
> Otherwise, pf rule won't do anything.
> Did you check "tcpdump -i enc0" output?

Hey, like I said, it works for me. I don't know enough to give you a proper
answer to that, I just know that it works like this. I could speculate, but it
would probably amount to noise, so I won't.

Also, like I indicated, adding srcnat to the roaming machine's iked.conf
breaks the setup for me, as the tunnel is established but nothing goes
through.

> --
> With best regards,
> Pavel Korovin


