Re: Apache 2.2 doesn't deliver files until killed

2005-12-09 Thread misc

Hello Joachim

Joachim Schipper wrote:

> You did complete the request, I presume?
Yes. Double return, http/1.0 and http/1.1. The httpd shipped with obsd
works just fine on the same box.
[...]
> Apache has multiple processes and threads. You are looking at some
> synchronization, IIRC.
There was a lot of activity on that process before those lines, and out
of the 5 running processes, only this one showed activity. I will try to
trace it more carefully.

thx /markus



Virus Warning

2006-07-05 Thread misc
**
A virus was detected in the sent mail.

Date/time: 07/05/06 22:18:44
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Virus name: W32/MyDoom-O
Action: deleted

**
A virus was detected in the received mail.

DATE: 07/05/06 22:18:44
From: misc@openbsd.org
To: [EMAIL PROTECTED]
Virus: W32/MyDoom-O

**
You may receive this mail because of sender spoofing; if you do not recognize it, please delete it.



We have gathered a lot of information

2007-11-08 Thread misc
RCWars.NET - http://www.rcwars.net


Technologies around RC Models and thus RC Warbirds have greatly evolved in the 
past years. 
While we still share the excitement of constructing, flying and tuning RC 
Warbirds, we have also looked beyond this and found something very, very 
exciting!
A new product called RC:Gun has revolutionized our hobby. It allows us to 
actually engage in real Air2Air combat by shooting our opponents down. But 
no worry - the wonderful Warbirds take no real harm.
The trick is an ultrasound technology that allows combat without any physical 
interaction.
More in http://www.rcwars.net



Re: delete deleted data

2008-01-04 Thread misc
On Thu, 3 Jan 2008 20:21:27 -0500, Harpalus a Como
[EMAIL PROTECTED] said:
> Myth? Why are you so upset about this? It's not myth.
>
> The techniques involved in recovering data in the manner Marco and the
> NSA, DoD, and many others describe aren't a matter of running a simple
> software tool. It's a long, slow, annoying process that is also costly.
> But it is possible.

Hearsay.

> Not every company or person in the forensics industry is a master
> at their job. If they say it's not possible, perhaps it's just not
> something their software package does for them? (I'm not trying to be
> derogatory, but I do know a guy who does computer forensics work, and the
> software/hardware he uses is about all he knows. He just goes through the
> motions. Doesn't know all that much about filesystems or disks.)
>
> Why are you so hellbent on proving everybody wrong, to the point of
> actually shipping your drive off?

Because myths and misinformation should always be dispelled.

> It's by no means a myth. If it is, there are a
> number of companies and government institutions interested in how they
> recover data in this fashion if it's not possible.

Hearsay.

> I'm having a hard time believing
>
> On Jan 3, 2008 7:54 PM, new_guy [EMAIL PROTECTED] wrote:
>
> > Marco S Hyman wrote:
> >
> > > Brad Tilley writes:
> > > > performed from the OpenBSD 4.2 install CD. I'll send it to the one
> > > > 'ISO Certified' company that agreed to examine it. If they cannot
> > >
> > > You keep throwing around the 'ISO Certified' tag as if it had some
> > > special meaning. Certified to what standard?
> >
> > I'm just parroting the *one* data recovery company's marketing hype that
> > agreed to take the drive. They make this claim:
> >
> > ISO 9001 - 2000 certified
> >
> > I'm working on putting a website up now where I'll fully disclose the
> > details. Lots of pictures and details. I will attribute the dd used to
> > OpenBSD (the best OS on the planet bar none... although the dd on the
> > install CD did not support the conv option... I would have liked to have
> > done conv=noerror,sync). I plan to ship the drive off tomorrow. I plan to
> > put this myth to rest... where it belongs.
> > --
> > View this message in context:
> > http://www.nabble.com/delete-deleted-data-tp14560809p14608861.html
> > Sent from the openbsd user - misc mailing list archive at Nabble.com.



We will compile for you, from the Internet, a database of potential clients for your business

2012-07-16 Thread misc
We will compile for you, from the Internet, a database of potential clients
for your business
All contacts
More details
Email:proda...@mixmail.com
Tel:+79IЗ79З6ЗЧ2
Skype:s8
ICQ:6288862

To unsubscribe from the mailing list, send "delete"



Re: Question regarding queueing in pf.conf(5) and WireGuard

2021-06-14 Thread misc
You should apply the queue on the interface attached to the network you want
to limit bandwidth from. For example, if your home network is attached to a
1GB em1 and you want to limit web traffic for certain IP addresses, perhaps
something like this will work

...
table  { ip addrs list }

queue lanq on em1 bandwidth 950M
queue landefq parent lanq bandwidth 950M qlimit 1024 default
queue slowweb parent lanq bandwidth 32K max 64K

match in on em1 proto tcp from  to port { www https } set queue slowweb
match out on egress inet from !(egress:network) to any nat-to (egress:0)
...

Some examples on Solene's page: 
https://dataswamp.org/~solene/2021-02-07-limit.html

And also there is a Book of PF written by Peter N. M. Hansteen


On Mon, Jun 14, 2021 at 11:59:59AM -0600, Ashlen wrote:
> Hello. I have an APU4D4 running OpenBSD and acting as a router for my
> home network. It connects to the Internet via pppoe(4), which uses em(4)
> as the physical interface.
> 
> The router has a /etc/hostname.wg0 file that connects it as a client to
> my VPN provider on boot. Then, /etc/pf.conf has a nat-to rule for
> WireGuard, for IP masquerading. Here's said rule:
> 
> match out on wg inet from !(wg:network) to any nat-to (wg:0)
> 
> In pf.conf(5), there's mention of this simple configuration
> for bandwidth control:
> 
> queue outq on em0 bandwidth 9M max 9M flows 1024 qlimit 1024 \
>     default
> 
> I want to employ this rule. My question is, which interface is
> appropriate to choose for queueing? pppoe0, em0, or wg0? I'd think wg0,
> as I'm unsure how pf(4) would classify traffic otherwise. However, I'm
> not confident in that conclusion, so I decided to ask.
> 
> If additional details are needed, I'm happy to provide them.
> 
> --
> https://amissing.link
> 



Re: LLDB step over command

2021-05-14 Thread misc
Just set up a recent snapshot in parallel to the release. The "next" function
works properly in this version. Thank you. 

On Fri, May 14, 2021 at 05:02:28PM +0900, Masato Asou wrote:
> From: misc@abrakadabra.systems
> Subject: LLDB step over command
> Date: Wed, 12 May 2021 21:58:31 +0300
> 
> > Hello
> > 
> > I'm on 6.9 release amd64. Switched to clang and lldb since gcc and gdb are
> > not in base anymore. My problem is that during debugging, for some
> > functions, the command "next/step-over" behaves like "step/step-in".
> > 
> > example code (just for illustration purpose): 
> > #include <stdlib.h>   /* malloc */
> > #include <string.h>   /* memcpy */
> > 
> > int main()
> > {
> >     int a = 5, b;
> >     void *p = malloc(sizeof(int));        /* line 7 in the lldb listing below */
> >     memcpy(p, (void *)&a, sizeof(int));   /* copy a into the heap buffer */
> >     b = *(int *)p;
> >     return b;
> > }
> > 
> > compiled with: 
> > cc -g -Weverything -ansi -pedantic -O0 -o moveint moveint.c  
> > 
> > below is the snippet from session where lldb goes into malloc instead of
> > step over it.
> > ...
> > -> 7    void *p = malloc(sizeof(int));
> >         ^
> >    8    memcpy(p, (void *)&a, sizeof(int));
> >    9    b = *(int *)p;
> >    10   return b;
> > (lldb) next
> > Process 18050 stopped
> > * thread #1, stop reason = step over failed (Could not create return address breakpoint. Return address (0x43eae9c89bd) permissions not found.)
> > frame #0: 0x043eae9c8ad0 moveint`malloc
> > moveint`malloc:
> > ->  0x43eae9c8ad0 <+0>:  movq   0x11c9(%rip), %r11
> >     0x43eae9c8ad7 <+7>:  callq  0x43eae9c8a40
> >     0x43eae9c8adc <+12>: jmp    0x43eae9c8a32
> >     0x43eae9c8ae1 <+17>: pushq  $0x4
> > ...
> > 
> > How should I deal with this? 
> 
> I have the same problem on my OpenBSD 6.9 release amd64 box. However, the
> next command of lldb is working fine on my OpenBSD 6.9 current amd64 box.
> 
> The lldb has been updated to 11.1.0 on OpenBSD current. Can you update
> your OpenBSD box to current from
> https://cdn.openbsd.org/pub/OpenBSD/snapshots/amd64/?
> 
> > Thanks,
> > Serge.
> > 
> --
> ASOU Masato



LLDB step over command

2021-05-12 Thread misc
Hello

I'm on 6.9 release amd64. Switched to clang and lldb since gcc and gdb are not
in base anymore. My problem is that during debugging, for some functions, the
command "next/step-over" behaves like "step/step-in".

example code (just for illustration purpose): 
#include <stdlib.h>   /* malloc */
#include <string.h>   /* memcpy */

int main()
{
    int a = 5, b;
    void *p = malloc(sizeof(int));        /* line 7 in the lldb listing below */
    memcpy(p, (void *)&a, sizeof(int));   /* copy a into the heap buffer */
    b = *(int *)p;
    return b;
}

compiled with: 
cc -g -Weverything -ansi -pedantic -O0 -o moveint moveint.c  

below is the snippet from session where lldb goes into malloc instead of
step over it.
...
-> 7    void *p = malloc(sizeof(int));
        ^
   8    memcpy(p, (void *)&a, sizeof(int));
   9    b = *(int *)p;
   10   return b;
(lldb) next
Process 18050 stopped
* thread #1, stop reason = step over failed (Could not create return address breakpoint. Return address (0x43eae9c89bd) permissions not found.)
frame #0: 0x043eae9c8ad0 moveint`malloc
moveint`malloc:
->  0x43eae9c8ad0 <+0>:  movq   0x11c9(%rip), %r11
    0x43eae9c8ad7 <+7>:  callq  0x43eae9c8a40
    0x43eae9c8adc <+12>: jmp    0x43eae9c8a32
    0x43eae9c8ae1 <+17>: pushq  $0x4
...

How should I deal with this? 

Thanks,
Serge.



Re: OpenSMTPd: Ignoring /etc/hosts file?

2021-09-13 Thread misc
Do you have a "lookup file bind" record in your /etc/resolv.conf file?

On Mon, Sep 13, 2021 at 10:20:30AM +0200, Simon Hoffmann wrote:
> 
> 
> > Has been reported previously -
> > https://github.com/OpenSMTPD/OpenSMTPD/issues/1115
> 
> Thanks for the link, this did not come up in my searches.
> 
> However, 
> 
> > The link also contains a workaround which may be useful for you.
> 
> the only "workaround" I could find was to specify the internal IP instead of
> the hostname. I've tried this before and I've tried this just now, in both
> cases it does not work, because, as I said, the private IP is not part of
> the certificate and OpenSMTPd checks the certificate.
> 
> Is there a way to disable cert checking?
> 
> Log output: 
> 
> Sep 13 10:04:54 mx01 smtpd[25157]: 10ba299cf5ba5905 mta connecting address=smtp+tls://192.168.158.1:25 host=uhura.hoffmann.computer
> Sep 13 10:04:54 mx01 smtpd[25157]: 10ba299cf5ba5905 mta connected
> Sep 13 10:04:54 mx01 smtpd[25157]: 10ba299cf5ba5905 mta tls ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
> Sep 13 10:04:54 mx01 smtpd[25157]: 10ba299cf5ba5905 mta ssl_check_name: no match for '192.168.158.1' in cert
> Sep 13 10:04:54 mx01 smtpd[25157]: 10ba299cf5ba5905 mta error reason=SSL certificate check failed
> Sep 13 10:04:54 mx01 smtpd[25157]: smtp-out: Disabling route [] <-> 192.168.158.1 (uhura.hoffmann.computer) for 15s
> Sep 13 10:04:56 mx01 smtpd[25157]: smtp-out: No valid route for [connector:[]->[relay:192.168.158.1,port=25,smtp+tls,mx,heloname=mx01.klm.hoffbox.net],0x0]
> 
> 
> Thanks, 
> 
> Simon
> 
> > 
> > Best,
> > Aisha
> > 
> > On 9/12/21 5:28 PM, Simon Hoffmann wrote:
> > > Hey y'all,
> > > 
> > > in my smtpd.conf file I have "relay smtps://host.domain.tld"
> > > 
> > > host.domain.tld does resolve to a public IP, and this needs to be a
> > > public IP on public DNS.
> > > However, OpenSMTPd needs to relay to the local IP address of the
> > > smarthost.
> > > Since I have no DNS server running on that network, and I don't want to
> > > set up a DNS server only for OpenSMTPd, I added an entry to /etc/hosts,
> > > assigning the local IP to the FQDN.
> > > When I ping the FQDN it correctly resolves to the internal IP of the
> > > smarthost.
> > > However, OpenSMTPd ignores the entry in /etc/hosts and still tries to
> > > connect to the public IP of the host.
> > > 
> > > Is it known that OpenSMTPd ignores /etc/hosts? Or is this a problem on
> > > Debian?
> > > Is there a workaround? Specifying "relay smtps://192.168.158.1" will not
> > > work, as the private IP is not part of the cert.
> > > Can I force OpenSMTPd to use the internal IP? Can I disable cert checking
> > > for the smarthost?
> > > 
> > > Thanks!
> > > 
> > > System details:
> > > 
> > > root@mx01:~# lsb_release -a
> > > No LSB modules are available.
> > > Distributor ID: Debian
> > > Description:Debian GNU/Linux 11 (bullseye)
> > > Release:11
> > > Codename:   bullseye
> > > root@mx01:~# smtpd -h
> > > version: OpenSMTPD 6.8.0p2
> > > usage: smtpd [-dFhnv] [-D macro=value] [-f file] [-P system] [-T trace]
> > > 
> > > root@mx01:~# cat /etc/network/interfaces
> > > # This file describes the network interfaces available on your system
> > > # and how to activate them. For more information, see interfaces(5).
> > > 
> > > source /etc/network/interfaces.d/*
> > > 
> > > # The loopback network interface
> > > auto lo
> > > iface lo inet loopback
> > > 
> > > # The primary network interface
> > > allow-hotplug ens192
> > > iface ens192 inet dhcp
> > > 
> > > 
> > > Any info else you need?
> > > 
> > > Cheers,
> > > 
> > > Simon
> > 
> 




Re: Why is tmpfs not working on OpenBSD?

2021-09-05 Thread misc
just put the line 
swap /ramfs mfs rw,nodev,nosuid,-s=300m 0 0
into /etc/fstab (-s means size) 
and run 
# mount /ramfs

On Sun, Sep 05, 2021 at 07:59:26AM +, iio7 wrote:
> # mount -t tmpfs tmpfs /home/foo/tmp/
> mount_tmpfs: tmpfs on /home/foo/tmp: Operation not supported
> 
> Sent with [ProtonMail](https://protonmail.com/) Secure Email.



cron sh script fork

2021-11-15 Thread misc
I have one script (sleeploop.sh) running in the background and a second
(check.sh) to test if sleeploop is running and, if not, start it. 


[/opt/bin]$ cat sleeploop.sh
#!/bin/sh
while true
do
sleep 5
done

[/opt/bin]$ cat check.sh
#!/bin/sh

# PIDs of any running sleeploop.sh (grep -v drops the grep process itself)
_ret=$(ps aux | grep sleeploop.sh | grep -v grep | awk '{print $2}')
# quote the expansion: with several PIDs an unquoted test gets extra arguments
test -z "${_ret}" && /opt/bin/sleeploop.sh &


When I start check.sh from the shell it works fine; if there is no PID, check.sh 
starts sleeploop.sh, otherwise it gets the PID and exits.
If I put check.sh in cron it spawns another sleeploop.sh process every time
it is triggered.


dmesg:
OpenBSD 7.0 (GENERIC.MP) #1: Fri Oct 29 12:04:07 MDT 2021

r...@syspatch-70-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 1810530304 (1726MB)
avail mem = 1739616256 (1659MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xeb6b0 (91 entries)
bios0: vendor American Megatrends Inc. version "0608" date 08/10/2012
bios0: ASUSTeK COMPUTER INC. P8H61-M LX3 R2.0
acpi0 at bios0: ACPI 5.0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT MCFG HPET SSDT SSDT SSDT
acpi0: wakeup devices P0P1(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) 
PXSX(S4) RP04(S4) PXSX(S4) RP05(S4) PXSX(S4) RP06(S4) PXSX(S4) PEG0(S4) 
PEGP(S4) PEG1(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Pentium(R) CPU G2020 @ 2.90GHz, 2900.44 MHz, 06-3a-09
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,DEADLINE,XSAVE,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 100MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Pentium(R) CPU G2020 @ 2.90GHz, 2900.04 MHz, 06-3a-09
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,DEADLINE,XSAVE,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
acpimcfg0 at acpi0
acpimcfg0: addr 0xf800, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (P0P1)
acpiprt2 at acpi0: bus 2 (RP01)
acpiprt3 at acpi0: bus -1 (RP02)
acpiprt4 at acpi0: bus -1 (RP03)
acpiprt5 at acpi0: bus -1 (RP04)
acpiprt6 at acpi0: bus -1 (RP05)
acpiprt7 at acpi0: bus 3 (RP06)
acpiprt8 at acpi0: bus 1 (PEG0)
acpiprt9 at acpi0: bus -1 (PEG1)
acpiprt10 at acpi0: bus -1 (PEG2)
acpiprt11 at acpi0: bus -1 (PEG3)
acpiec0 at acpi0: not present
acpipci0 at acpi0 PCI0: 0x0010 0x0011 0x
acpicmos0 at acpi0
acpibtn0 at acpi0: PWRB
"PNP0C0B" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
"PNP0C14" at acpi0 not configured
acpicpu0 at acpi0: C3(350@80 mwait.1@0x20), C2(500@59 mwait.1@0x10), C1(1000@1 
mwait.1), PSS
acpicpu1 at acpi0: C3(350@80 mwait.1@0x20), C2(500@59 mwait.1@0x10), C1(1000@1 
mwait.1), PSS
acpipwrres0 at acpi0: FN00, resource for FAN0
acpipwrres1 at acpi0: FN01, resource for FAN1
acpipwrres2 at acpi0: FN02, resource for FAN2
acpipwrres3 at acpi0: FN03, resource for FAN3
acpipwrres4 at acpi0: FN04, resource for FAN4
acpitz0 at acpi0: critical temperature is 106 degC
acpitz1 at acpi0: critical temperature is 106 degC
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD02
cpu0: using VERW MDS workaround (except on vmm entry)
cpu0: Enhanced SpeedStep 2900 MHz: speeds: 2900, 2800, 2700, 2600, 2500, 2400, 
2300, 2200, 2100, 2000, 1900, 1800, 1700, 1600 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Core 3G Host" rev 0x09
ppb0 at pci0 dev 1 function 0 "Intel Core 3G PCIE" rev 0x09: msi
pci1 at ppb0 bus 1
inteldrm0 at pci0 dev 2 function 0 "Intel HD Graphics 2500" rev 0x09
drm0 at inteldrm0
inteldrm0: msi, IVYBRIDGE, gen 7
"Intel 6 Series MEI" rev 0x04 at pci0 dev 22 function 0 not configured
ehci0 at pci0 dev 26 function 0 "Intel 6 Series USB" rev 0x05: apic 2 int 23
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 
addr 1
ppb1 at pci0 dev 28 function 0 "Intel 6 
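One way to make the check.sh guard above independent of ps output parsing, as an added example that is not the poster's script: record the daemon's PID in a pidfile and test it with kill -0. The pidfile path, the DAEMON variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's check.sh: guard sleeploop.sh with a pidfile
# rather than grepping ps. PIDFILE and DAEMON defaults are assumed locations.
PIDFILE="${PIDFILE:-/var/run/sleeploop.pid}"
DAEMON="${DAEMON:-/opt/bin/sleeploop.sh}"

# is_running: return 0 when the pidfile names a live process, 1 otherwise.
# A missing, empty, non-numeric or stale pidfile all count as "not running".
is_running() {
    [ -r "$PIDFILE" ] || return 1
    _pid=$(cat "$PIDFILE")
    # Accept only a plain number so a corrupted pidfile never reaches kill(1).
    case "$_pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    # kill -0 sends no signal; it only checks that the PID exists and is ours.
    # Caveat: a recycled PID belonging to an unrelated process also passes.
    kill -0 "$_pid" 2>/dev/null
}

# ensure_running: start the daemon when it is not running and record its PID.
# Returns 0 if the daemon is (now) running, 1 if the pidfile could not be written.
ensure_running() {
    if is_running; then
        return 0
    fi
    rm -f "$PIDFILE"            # drop a stale pidfile before rewriting it
    # Detach stdio so cron's output capture is not held open by the child.
    "$DAEMON" </dev/null >/dev/null 2>&1 &
    echo "$!" > "$PIDFILE" || return 1
    return 0
}
```

Run ensure_running from the cron entry in place of check.sh; a second invocation while the first daemon is alive starts nothing.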

KVM vlan-per-user guest

2021-11-02 Thread misc
Hello

My VPS provider uses KVM with vlan-per-user network environment.
They officially don't support OpenBSD but they allow booting from a custom ISO.
I'm trying to install 7.0 release.
Network interface name appears as vio0.
To set up networking they suggest to do the following:

# ifconfig if_name ${public_ip}/32
# route add -host 10.0.0.1 -interface if_name
# route add default 10.0.0.1

I tried
# route add 10.0.0.1 -iface vio0
route: vio0: bad address

I tried
# route add -host 10.0.0.1 -iface ${public_ip}
route was added with console message

arp_rtrequest: bad gateway value: vio0

and after
# route add default 10.0.0.1
default route was added with console messages (~1 per second)

arpresolve: 10.0.0.1: route contains no arp information

can't ping anything after that

how can I set up a route to 10.0.0.1 ?



Re: Correct donation page

2023-09-11 Thread misc



On 9/11/23 07:40, Stuart Henderson wrote:

That page probably just needs updating. Used to be done via
bitpay, but not any more.


I see coingate being used by a few companies, and some sites say it is 
good for companies/organizations outside the USA. Transaction fee is 1% 
and supports 70+ coins. Meanwhile, ppl from 
https://www.openbsdfoundation.org/donations.html can simply open a 
wallet and post the address in the donations.html page (binance, 
blockchain.com/wallet, others..)


Correct donation page

2023-09-08 Thread misc

Hi misc,

Trying to donate some BTC. In the donation page 
"https://www.openbsd.org/donations.html"


There is a mention to cryptocurrencies being accepted.

The OpenBSD Foundation collects donations by Cheque, Bank Draft, PayPal, 
PayPal recurring, or Bitcoin. 
<https://www.openbsdfoundation.org/donations.html>


Following "https://www.openbsdfoundation.org/donations.html" lacks an 
address to receive the funds.


Cheers


mail.openbsd.org behaviour

2023-10-16 Thread misc

Hi misc,

Recently I am receiving these lines from mail.openbsd.org:

2023-10-16 16:34:06 no MAIL in SMTP connection from (mail.openbsd.org) [199.185.178.25] D=11s X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no C=EHLO,STARTTLS,EHLO,QUIT


Is that normal? Any misconfiguration from my side?

Regards,

Fabio



OpenBSD FDE: Protect with keydisk + passphrase

2023-11-05 Thread misc

Hi misc,

In the past, I used to mount a secondary drive into /mnt/, the keydisk 
protected by a password.


Now I use FDE with a keydisk, but would like to protect the bootable 
system with a keydisk + passphrase (something you have + something you know).


Any chance doing this directly using bioctl ?

-fm



Re: OpenBSD FDE: Protect with keydisk + passphrase

2023-11-06 Thread misc

On 11/6/23 17:01, tetrosalame wrote:

On 05/11/2023 12:16, m...@phosphorus.com.br wrote:
[...]
Now I use FDE with a keydisk, but would like to protect the bootable 
system with a keydisk + passphrase (something you have + something you 
know).


Any chance doing this directly using bioctl ?


I don't think so: softraid's on-disk volume key can be encrypted with 
a keydisk or with a passphrase. Not both of them.
See this recent explanation written by Stefan Sperling: 
https://marc.info/?l=openbsd-misc=168500028802972=2 


@https://marc.info/?l=openbsd-misc=168500028802972=2

It is not yet possible to encrypt a key disk with a passphrase, which would
provide two-factor authentication. There is no technical reason which would
prevent this from being implemented, it just hasn't been done.


Thanks. Will take a look in the code.



Re: OpenBSD FUD with Contributing

2023-09-24 Thread misc



On 9/24/23 15:56, Christoff Humphries wrote:

...
(Theo still has some of the best quotes on the Internet.)



Used this one, for quite some time, as my email signature a few years ago:

“You've been smoking something really mind altering, and I think you 
should share it.” (Theo de Raadt)





keepassxc-2.7 + Hardware Key

2023-09-30 Thread misc
Hi, is anyone using keepassxc-2.7.4p2 with a hardware dongle - preferably 
opensource or DIY type - successfully in OpenBSD?



--

Fabio



Re: keepassxc-2.7 + Hardware Key

2023-10-02 Thread misc

ping

On 9/30/23 07:39, m...@phosphorus.com.br wrote:
Hi, is anyone using keepassxc-2.7.4p2 with a hardware dongle - preferably 
opensource or DIY type - successfully in OpenBSD?



--

Fabio





Re: Panic during 7.3 installation on VM

2023-09-26 Thread misc
Also got a lot of these trying to install 7.3 in VirtualBox, under 
Linux. Then installed in tmpfs (memory) and later moved the virtual disk 
(.vdi) to the SATA disk, then it booted properly. The SATA disk isn't 
corrupted; it must be something related to disk access / read / write 
speed while under virtualization.


On 9/26/23 09:08, Alessandro Baggi wrote:

Hi list,
I'm trying to install OpenBSD 7.3 on a VM (Linux KVM) but when it 
starts to install sets I get a panic and "syncing disk... 8 8 8 8 ..." 
until it reboots automatically.


This is a simple installation, no disk encryption, default OpenBSD 
layout...


The VM has VNC Server as "graphic" instead of spice, disk is SATA and 
it has fixed allocation.


Can someone put me in the right direction?

Thank you in advance.





Re: openFPGAloader successfully built, but can't flash with ftdi error

2023-10-05 Thread misc
This subject interests me a lot. Can you tell us which model of FPGA 
you have bought / are using?


On 10/5/23 21:01, S V wrote:

Good Day, List!

This mail is call for help, advice and to stir interest.

While playing with open source workflow for FPGA chips
I found with pleasure that not only are GoWin FPGAs supported by open
source tools, but also all the needed tools are easily built on OpenBSD
(working on ports now). yosys, project apycula, nextpnr-gowin and
openFPGAloader all build successfully.

But I can't flash the "compiled" bitstream to the hardware device with
openFPGAloader.

Here is description of problem:

After building software and attaching HW I can successfully scan usb

found 10 USB device
Bus device vid:pid probe type manufacturer serial product
000 001 0x:0x xvc-client Generic none xHCI root hub
001 001 0x:0x xvc-client Generic none xHCI root hub
001 005 0x0403:0x6010 FTDI2232 SIPEED FactoryAIOT Pro JTAG Debugger

but can't detect or flash the bitstream, with the following error

doas openFPGALoader -b tangnano9k pack.fs --verbose-level=3
try to open 403 6010 0 0
iProduct : JTAG Debugger
8
b
8
b
fail to read data usb bulk read failed
JTAG init failed with: low level FTDI init failed


here is the dmesg

 uftdi0 at uhub3 port 3 configuration 1 interface 0 "SIPEED JTAG
Debugger" rev 2.00/5.00 addr 5 ucom0 at uftdi0 portno 1
 uftdi1 at uhub3 port 3 configuration 1 interface 1 "SIPEED JTAG
Debugger" rev 2.00/5.00 addr 5 ucom1 at uftdi1 portno 2

and also the usbdevs output

 addr 05: 0403:6010 SIPEED, JTAG Debugger
 full speed, power 90 mA, config 1, rev 5.00, iSerial FactoryAIOT Pro
 driver: uftdi0
 driver: uftdi1


I also posted an issue on the original GitHub
https://github.com/trabucayre/openFPGALoader/issues/382

Any tips and tricks on how to debug it? Any interest in helping?





Re: OpenBSD 7.4 released -- Oct 16, 2023

2023-10-18 Thread misc

Same. Preparing to upgrade.

On 10/16/23 10:42, Claudio Miranda wrote:

Congratulations to Theo and everyone involved in making OpenBSD 7.4 a
reality and for this awesome project altogether! I also love the
artwork (big thanks also to the artist that created it). So I'll be
getting some 7.4 merch soon!

Claudio Miranda

On Mon, Oct 16, 2023 at 9:37 AM pela0  wrote:

Upgrading...

;)




--- Original Message ---
On Monday, October 16th, 2023 at 09:53, Theo de Raadt  
wrote:






- OpenBSD 7.4 RELEASED -

October 16, 2023.

We are pleased to announce the official release of OpenBSD 7.4.
This is our 55th release. We remain proud of OpenBSD's record of more
than twenty years with only two remote holes in the default install.

As in our previous releases, 7.4 provides significant improvements,
including new features, in nearly all areas of the system:

- Various kernel improvements:
o On arm64, show BTI and SBSS features in dmesg(8).
o New kqueue1(2) system call supporting the O_CLOEXEC flag.
o Map device tree read/write to unbreak root on softraid(4).
o Correctly recognize umass(4) floppy disk devices as floppy disks.
o In wscons(4), catch up with box drawing characters which have been
standardized in unicode after the original wscons code was written
and chose placeholder values.
o In wscons(4), make sure we do not increase the escape sequence
argument count beyond usable bounds.
o Implement dt(4) utrace(2) support on amd64 and i386.
o Correct undefined behavior when using MS-DOS filesystems, fixes
imported from FreeBSD.
o Make the softdep mount(8) option a no-op. Softdep was a
significant impediment to improving the vfs layer.
o Allow unveil(2)ed programs to dump core(5) into the current
working directory.
o Address incomplete validation of ELF program headers in execve(2).
o On arm64, use the deep idle state available on Apple M1/M2 cores
in the idle loop and for suspend, resulting in power savings.
o Update AMD CPU microcode if a newer patch is available.
o Enable a workaround for the 'Zenbleed' AMD CPU bug.
o Report speculation control bits in dmesg(8) CPU lines.
o To give the primary CPU an opportunity to perform clock interrupt
preparation in a machine-independent manner we need to separate
the "initialization" parts of cpu_initclocks() from the "start the
clock interrupt" parts. Separate cpu_initclocks() from
cpu_startclock().
o Fix a problem where CPU time accounting and RLIMIT_CPU was
unreliable on idle systems.
o Improve the output of the "show proc" command of the kernel
debugger ddb(4) and show both the PID and TID of the proc.

- SMP Improvements
o Rewrite pfsync(4), in particular to improve locking and to help
with unlocking more of pf(4) and with parallelisation of the
network stack in the future. The protocol remains compatible with
the older version.
o Remove kernel locks from the ARP input path.
o Pull MP-safe arprequest() out of kernel lock.
o Remove the kernel lock from IPv6 neighbor discovery.
o Unlock more parts of ioctl(2) and the routing code in the network
stack.

- Direct Rendering Manager and graphics drivers
o Update drm(4) to Linux 6.1.55.
o Don't change end marker in sg_set_page(). Caused bad memory
accesses when using page flipping on Alder Lake and Raptor Lake.

- VMM/VMD improvements
o Allowed vmm(4) guests to enable and use supervisor IBT.
o Suppressed AMD hardware p-state visibility to vmm(4) guests.
o Avoid use of uninitialised memory in vmd(8).
o Migrate vmd_vm.vm_ttyname to char array allowing a vmd_vm object
to be transmitted over an ipc channel.
o Cleaned up file descriptor closing in vmd(8) vmm process.
o Fixed vm send/receive, restoring device virtqueue addresses on
receive.
o Introduced execvp(3) after fork for child vm processes.
o No longer generate an error in vmd(8) if vm.conf(5) is absent.
o Split vmm(4) into MI/MD parts.
o Introduced multi-process model for vmd(8) virtio block and network
devices.
o Allowed vm owners to override boot kernel when using vmctl(8) to
start a vm.
o Changed staggered start of vms to number of online CPUs.
o Fixed a segfault on vm creation.
o Switched to anonymous shared memory mappings for vmd(8) vm
processes, introducing a new vmm(4) ioctl(2).
o Relaxed absolute path requirements for vmd(8) configtest mode
(-n).
o Adjusted shutdown logic by vm id to function similarly as by name.
o Moved validation of local network prefixes for the internal vmd(8)
DHCP service into the config parser.
o Fixed QCOW2 base images when used with the vmd(8) multi-process
device model.
o Fixed setting verbose logging in child processes.
o Fixed a race condition related to the emulated i8259 interrupt
controller by ignoring interrupt masks on assert.
o Inlined pending interrupts in the vmm(4) ioctl(2) for running the
vcpu, reducing vm latency.
o Added zero-copy, vectored io to the vmd(8) virtio block device.
o Changed to logging 

AR9485 on Lenovo G505 not configured.

2023-08-17 Thread misc
v 2.00/1.00 
addr 1
ohci1 at pci0 dev 19 function 0 "AMD Hudson-2 USB" rev 0x39: apic 4 int 18, 
version 1.0, legacy support
ehci1 at pci0 dev 19 function 2 "AMD Hudson-2 USB2" rev 0x39: apic 4 int 17
usb2 at ehci1: USB revision 2.0
uhub2 at usb2 configuration 1 interface 0 "AMD EHCI root hub" rev 2.00/1.00 
addr 1
piixpm0 at pci0 dev 20 function 0 "AMD Hudson-2 SMBus" rev 0x3a: SMBus disabled
azalia1 at pci0 dev 20 function 2 "AMD Hudson-2 HD Audio" rev 0x02: apic 4 int 
16
azalia1: codecs: Conexant/0x5115
audio0 at azalia1
pcib0 at pci0 dev 20 function 3 "AMD Hudson-2 LPC" rev 0x11
pchb2 at pci0 dev 24 function 0 "AMD 16h Link Cfg" rev 0x00
pchb3 at pci0 dev 24 function 1 "AMD 16h Address Map" rev 0x00
pchb4 at pci0 dev 24 function 2 "AMD 16h DRAM Cfg" rev 0x00
km0 at pci0 dev 24 function 3 "AMD 16h Misc Cfg" rev 0x00
pchb5 at pci0 dev 24 function 4 "AMD 16h CPU Power" rev 0x00
pchb6 at pci0 dev 24 function 5 vendor "AMD", unknown product 0x1535 rev 0x00
usb3 at ohci0: USB revision 1.0
uhub3 at usb3 configuration 1 interface 0 "AMD OHCI root hub" rev 1.00/1.00 
addr 1
usb4 at ohci1: USB revision 1.0
uhub4 at usb4 configuration 1 interface 0 "AMD OHCI root hub" rev 1.00/1.00 
addr 1
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pms0: Synaptics touchpad, firmware 7.5, 0x1e0b1 0x24 0x189f0c 0xd00073 0xa0400
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
vmm0 at mainbus0: SVM/RVI
efifb at mainbus0 not configured
uvideo0 at uhub1 port 4 configuration 1 interface 0 "CGCD8N0ZB Lenovo EasyCamera" rev 2.00/0.10 addr 2
video0 at uvideo0
ugen0 at uhub2 port 1 "Generic USB2.0-CRW" rev 2.00/39.60 addr 2
ugen1 at uhub4 port 2 "Atheros Communications Bluetooth USB Host Controller" rev 1.10/0.01 addr 2
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on sd0a (f00f087230c26ec6.a) swap on sd0b dump on sd0b
radeondrm0: KABINI
radeondrm0: 1366x768, 32bpp
wsdisplay0 at radeondrm0 mux 1: console (std, vt100 emulation), using wskbd0
wsdisplay0: screen 1-5 added (std, vt100 emulation)


2:0:0: Atheros AR9485
0x: Vendor ID: 168c, Product ID: 0032
0x0004: Command: 0003, Status: 0010
0x0008: Class: 02 Network, Subclass: 80 Miscellaneous,
Interface: 00, Revision: 01
0x000c: BIST: 00, Header Type: 00, Latency Timer: 00,
Cache Line Size: 10
0x0010: BAR mem 64bit addr: 0xf080/0x0008
0x0018: BAR empty ()
0x001c: BAR empty ()
0x0020: BAR empty ()
0x0024: BAR empty ()
0x0028: Cardbus CIS: 
0x002c: Subsystem Vendor ID: 17aa Product ID: 3218
0x0030: Expansion ROM Base Address: 
0x0038: 
0x003c: Interrupt Pin: 01 Line: 03 Min Gnt: 00 Max Lat: 00
0x0040: Capability 0x01: Power Management
State: D0
0x0050: Capability 0x05: Message Signalled Interrupts (MSI)
Enabled: no
0x0070: Capability 0x10: PCI Express
Max Payload Size: 128 / 128 bytes
Max Read Request Size: 512 bytes
Link Speed: 2.5 / 2.5 GT/s
Link Width: x1 / x1
0x0100: Enhanced Capability 0x01: Advanced Error Reporting
0x0140: Enhanced Capability 0x02: Virtual Channel Capability
0x0160: Enhanced Capability 0x03: Device Serial Number
Serial Number: 



Re: acme-client fails to renew certificate

2023-04-12 Thread misc



I do not know about acme-client, but certbot works pretty well:

mwavetorture# rcctl stop httpd ; certbot certonly --agree-tos --standalone -d web.XXX.com.br



On 2023-04-12 10:36, rea...@catastrophe.net wrote:
I started having some problems with cert renewal using acme-client after
upgrading to 7.3 (not really sure 7.3 has anything to do with the following,
however). I've verified that nothing has changed and that httpd is listening
correctly, etc.

When I run acme-client and watch for any changes to
/var/www/htdocs/example.org/.well-known/acme-client I never see any files
being written to that directory (which is likely leading to the 404). Is
the client supposed to write a temporary file for remote validation?

Does anyone see any issues with the configurations that follow the output
which may have any errors?

Thanks in advance.


# acme-client -v www.example.com
acme-client: /etc/ssl/certs/www.example.com.chain.pem: certificate renewable: 29 days left
acme-client: https://acme-v02.api.letsencrypt.org/directory: directories
acme-client: acme-v02.api.letsencrypt.org: DNS: 172.65.32.248
acme-client: acme-v02.api.letsencrypt.org: DNS: 2606:4700:60:0:f53d:5624:85c7:3a2c
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728127
acme-client: challenge, token: 2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728127/CSJfMg, status: 0
acme-client: /var/www/acme/2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk: created
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728137
acme-client: challenge, token: 8WJnGzDwxV_tKSJaV4fsavxB5maBIkaDhozevCWPwH8, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728137/sCRFpw, status: 0
acme-client: /var/www/acme/8WJnGzDwxV_tKSJaV4fsavxB5maBIkaDhozevCWPwH8: created
acme-client: https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728127/CSJfMg: challenge
acme-client: https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728137/sCRFpw: challenge
acme-client: order.status 0
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728127
acme-client: challenge, token: 2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728127/CSJfMg, status: -1
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728137
acme-client: challenge, token: 8WJnGzDwxV_tKSJaV4fsavxB5maBIkaDhozevCWPwH8, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/218823728137/sCRFpw, status: -1
acme-client: order.status -1
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728127
acme-client: 2600:fee:bee::e:8:0: Invalid response from https://www.example.com/.well-known/acme-challenge/2b9DyMVkYZGU3RNgxaywEc0uHLFp2E8RtOrQotGXugk: 404
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/218823728137
acme-client: 2600:fee:bee::e:8:0: Invalid response from https://www.example.com/.well-known/acme-challenge/8WJnGzDwxV_tKSJaV4fsavxB5maBIkaDhozevCWPwH8: 404
acme-client: bad exit: netproc(16493): 1


### The www directory for the acme-challenge exists:

# ls -ld /var/www/htdocs/example.com/.well-known/acme-challenge/
drwxr-xr-x  2 username  staff  512 Apr 12 08:08 /var/www/htdocs/example.com/.well-known/acme-challenge/



### Relevant portions of my httpd.conf

www_v4="x.y.10.10"
www_v6_a="2600:fee:bee::e:8:0"

server "www.example.com" {
  listen on $www_v4 tls port 443
  listen on $www_v6_a tls port 443
  tls {
certificate "/etc/ssl/certs/www.example.com.chain.pem"
key "/etc/ssl/private/www.example.com.key.pem"
protocols "TLSv1.2,TLSv1.3"
  }
  hsts {
max-age 31536000
preload
subdomains
  }
  log style combined
log { access "access.log", error "error.log" }
  root "/htdocs/example.com"
  directory auto index
}

server "example.com" {
  listen on $www_v4 tls port 443
  listen on $www_v6_a tls port 443
  tls {
certificate "/etc/ssl/certs/www.example.com.chain.pem"
key "/etc/ssl/private/www.example.com.key.pem"
protocols "TLSv1.2,TLSv1.3"
  }
  hsts {
max-age 31536000
preload
subdomains
  }
  log style combined
log { access "access.log", error "error.log" }
  root "/htdocs/example.com"
  directory auto index
}

server "www.example.com" {
  listen on $www_v4   port 80
  listen on $www_v6_a port 80
  location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
  }
  block return 301 "https://www.example.com$REQUEST_URI"
}

server "example.com" {
  listen on $www_v4   port 80
  listen on $www_v6_a port 80
  location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
  }
  block return 301 "https://www.example.com$REQUEST_URI"
}


### ACME client config

# acme-client.conf
authority letsencrypt {
api url "https://acme-v02.api.letsencrypt.org/directory"
account key 
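
As an added example (not part of the post above), a self-check for the path the log is complaining about: it writes a constructed token under /var/www/acme, then requests it over plain http on IPv4 and IPv6 without following redirects, so that a 301 from the port-80 "block return" shows up as such instead of being masked by whatever the https server answers (the log above ends with the CA at the https URL getting a 404). It assumes the poster's port-80 location block (root "/acme", request strip 2), httpd's /var/www chroot and curl(1); the host name argument and the token are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight check that httpd
# actually serves the HTTP-01 challenge path before acme-client is run.
# Assumes the poster's port-80 server blocks: location
# "/.well-known/acme-challenge/*" with root "/acme" and "request strip 2",
# httpd chrooted in /var/www, and curl(1) installed. The host name is $1;
# the token written below is constructed for this check only.
set -u

WEBROOT=/var/www/acme              # root "/acme" inside the /var/www chroot
PREFIX=/.well-known/acme-challenge

# Mirror httpd's "request strip N": drop the first N path components of the
# request path before looking it up under the location's root.
#   strip_path 2 /.well-known/acme-challenge/TOKEN  ->  /TOKEN
strip_path() {
    n=$1 p=$2
    while [ "$n" -gt 0 ]; do
        p=${p#/}
        case $p in
            */*) p=/${p#*/} ;;
            *)   p=/ ;;                # fewer components than N: nothing left
        esac
        n=$((n - 1))
    done
    printf '%s\n' "$p"
}

# Filesystem path httpd opens for a challenge request under the config above.
challenge_file_for() {
    printf '%s%s\n' "$WEBROOT" "$(strip_path 2 "$1")"
}

# Request one URL over one address family (4 or 6): plain http, no redirect
# following, so a redirect is reported as its own status code.
# Prints "<http_code> <body>".
fetch_challenge() {
    fam=$1 url=$2
    tmp=$(mktemp) || return 1
    code=$(curl -sS "-$fam" --max-time 10 -o "$tmp" -w '%{http_code}' "$url") \
        || { rm -f "$tmp"; return 1; }
    printf '%s %s\n' "$code" "$(cat "$tmp")"
    rm -f "$tmp"
}

# Live check: write a throwaway token, fetch it over IPv4 and IPv6, compare,
# then clean up. Returns 0 only if both families served the exact body.
check_challenge() {
    host=$1
    token=selfcheck-$(date +%s)-$$                 # constructed test token
    expected="$token.constructed-key-authorization"
    file=$(challenge_file_for "$PREFIX/$token")
    printf '%s' "$expected" > "$file" || { echo "cannot write $file"; return 1; }
    rc=0
    for fam in 4 6; do
        out=$(fetch_challenge "$fam" "http://$host$PREFIX/$token") \
            || { echo "IPv$fam: request failed"; rc=1; continue; }
        code=${out%% *}
        body=${out#* }
        case $code in
        200) if [ "$body" = "$expected" ]; then echo "IPv$fam: OK"
             else echo "IPv$fam: 200 but body differs (wrong root?)"; rc=1; fi ;;
        301|302)
             echo "IPv$fam: $code redirect: the block return is catching the" \
                  "challenge path, the location block is not serving it"; rc=1 ;;
        *)   echo "IPv$fam: HTTP $code, expected 200"; rc=1 ;;
        esac
    done
    rm -f "$file"
    return $rc
}

# Usage: sh acme-selfcheck.sh www.example.com   (run as root on the web host)
case ${1:-} in
"") ;;                        # no host given: only define the functions
*)  check_challenge "$1" ;;
esac
```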

Re: Encrypted softraid - Operational question

2023-05-01 Thread misc

Thanks man. Will use it.

On 2023-05-01 11:39, Thomas Bohl wrote:

Hi

In a server with an encrypted root - server boots with key in USB 
stick, not passphrase.


Can I remove the USB stick with the key, after the server is up and 
running?


Yes



Will I have any problems doing that?


No. Though not at the moment, I used such a setup for years. Only 
inserting the stick for reboots.




Encrypted softraid - Operational question

2023-05-01 Thread misc

Hi misc,

In a server with an encrypted root - server boots with key in USB stick, 
not passphrase.


Can I remove the USB stick with the key, after the server is up and 
running? Will I have any problems doing that?


I know that in the case of a reboot, it will be necessary to go and 
re-insert the USB stick holding the encryption key. I plan to use a good 
UPS/batteries to avoid that.


Thanks in advance.



Cannot connect to iked, authenticate fails

2023-04-04 Thread misc

Hi misc,

Cannot get the iphone to connect to an iked server with ikev2 using 
certificate exported by ikectl. Logs below.


I imported p6.local.pfx cert from the zip generated by:

#ikectl ca VPN certificate p6.local export

into the iPhone profile. But iked fails with:

spi=0xe71692de490589ab: ca_getreq: found cert with matching ID but 
without matching key.


Local ID is p6.local
Remote ID is the server IP address.

Any ideas?



certs were generated / exported this way:


certs generation was done this way:

ikectl ca VPN create
ikectl ca VPN install
ikectl ca VPN certificate 33.33.33.33 create server
ikectl ca VPN certificate 33.33.33.33 install
ikectl ca VPN certificate p6.local create client
ikectl ca VPN certificate p6.local install

ikectl ca VPN certificate p6.local export

Then imported p6.local.pfx from p6.local.zip into the iphone



/etc/pf.conf

#   $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

set skip on lo

table  persist
block quick on em0 from  to any

block return# block stateless traffic
pass# establish keep-state

# NAT
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
pass quick proto udp from any to self port {isakmp, ipsec-nat-t} keep 
state

pass on enc0 from any to self keep state (if-bound)

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild



/etc/iked.conf

ikev2 "vpn" passive esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
from ::0/0 to ::0/0 \
local egress peer any \
ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
srcid 33.33.33.33 \
dstid p6.local \
config address 172.24.24.0/24 \
config address 2001:470:203a:a0::/64 \
config name-server 172.24.24.1 \
config name-server 2001:470:203a:a0::1 \





host9# iked -d -v
ikev2 "vpn" passive tunnel esp inet from 0.0.0.0/0 to 0.0.0.0/0 from 
::/0 to ::/0 local 33.33.33.33 peer any ikesa enc aes-256 prf 
hmac-sha2-256 auth hmac-sha2-256 group modp2048 childsa enc aes-256 auth 
hmac-sha2-256 group modp2048 esn noesn srcid 33.33.33.33 dstid p6.local 
lifetime 10800 bytes 4294967296 signature config address 172.24.24.0 
config address 2001:470:203a:a0:: config name-server 172.24.24.1 config 
name-server 2001:470:203a:a0::1



spi=0xe461b2e822193627: recv IKE_SA_INIT req 0 peer 44.55.66.77:11461 local 33.33.33.33:500, 604 bytes, policy 'vpn'
spi=0xe461b2e822193627: send IKE_SA_INIT res 0 peer 44.55.66.77:11461 local 33.33.33.33:500, 473 bytes
spi=0xe461b2e822193627: recv IKE_AUTH req 1 peer 44.55.66.77:11460 local 33.33.33.33:4500, 496 bytes, policy 'vpn'
spi=0xe461b2e822193627: ikev2_send_auth_failed: authentication failed for FQDN/p6.local
spi=0xe461b2e822193627: send IKE_AUTH res 1 peer 44.55.66.77:11460 local 33.33.33.33:4500, 80 bytes, NAT-T
spi=0xe461b2e822193627: sa_free: authentication failed
spi=0xe461b2e822193627: ca_getreq: found cert with matching ID but without matching key.
spi=0xe71692de490589ab: recv IKE_SA_INIT req 0 peer 44.55.66.77:11461 local 33.33.33.33:500, 604 bytes, policy 'vpn'
spi=0xe71692de490589ab: send IKE_SA_INIT res 0 peer 44.55.66.77:11461 local 33.33.33.33:500, 473 bytes
spi=0xe71692de490589ab: recv IKE_AUTH req 1 peer 44.55.66.77:11460 local 33.33.33.33:4500, 496 bytes, policy 'vpn'
spi=0xe71692de490589ab: ikev2_send_auth_failed: authentication failed for FQDN/p6.local
spi=0xe71692de490589ab: send IKE_AUTH res 1 peer 44.55.66.77:11460 local 33.33.33.33:4500, 80 bytes, NAT-T
spi=0xe71692de490589ab: sa_free: authentication failed
spi=0xe71692de490589ab: ca_getreq: found cert with matching ID but without matching key.


^Cikev2 exiting, pid 93228
ca exiting, pid 55488
control exiting, pid 6213
parent terminating






host9# iked -d -vv

create_ike: using signature for peer p6.local
ikev2 "vpn" passive tunnel esp inet from 0.0.0.0/0 to 0.0.0.0/0 from 
::/0 to ::/0 local 33.33.33.33 peer any ikesa enc aes-256 prf 
hmac-sha2-256 auth hmac-sha2-256 group modp2048 childsa enc aes-256 auth 
hmac-sha2-256 group modp2048 esn noesn srcid 33.33.33.33 dstid p6.local 
lifetime 10800 bytes 4294967296 signature config address 172.24.24.0 
config address 2001:470:203a:a0:: config name-server 172.24.24.1 config 
name-server 2001:470:203a:a0::1

/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type RSA_KEY length 1193
ca_pubkey_serialize: type RSA_KEY length 270
ca_privkey_to_method: type RSA_KEY method RSA_SIG
config_getpolicy: received policy
ca_getkey: received private key type RSA_KEY length 1193
config_getpfkey: received pfkey fd 3
ca_getkey: received public key type RSA_KEY

Re: Cannot connect to iked, authenticate fails

2023-04-07 Thread misc



Hi,

Thanks for replying. answer below.

On 2023-04-07 16:45, Thomas Bohl wrote:

Hello,


ikev2 "vpn" passive esp \
     from dynamic to 185.21.22.23/32 \
     local egress peer any \
     ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
     childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
     srcid 185.21.22.23 \
     dstid p7.local \
     config address 172.24.24.0/24 \
     config name-server 172.24.24.1 \




Any ideas / working config for a dynamic client hosting an iked on a VPS?


When using certificates I always use ASN1_DN for srcid and dstid. It 
should look something like this:


srcid "/C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=185.21.22.23/emailAddress=r...@openbsd.org " \
dstid "/C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=p7.local/emailAddress=r...@openbsd.org" \


(I have never used "ikectl ca", so I'm not sure what the files are
called. But with something like this you should be able to get the
srcid/dstid lines:

openssl x509 -subject -noout -in 185.21.22.23.crt
openssl x509 -subject -noout -in p7.local.crt)






Hi,

I could successfully get the name from the certificate, as suggested:

myhost# openssl x509 -subject -noout -in /etc/iked/certs/185.21.22.23.crt
subject= /C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=185.21.22.23/emailAddress=r...@openbsd.org

myhost#
myhost#





... and updated /etc/iked.conf accordingly:

ikev2 "vpn" passive esp \
from dynamic to 185.21.22.23/32 \
local egress peer any \
ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
srcid "/C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=185.21.22.23/emailAddress=r...@openbsd.org " \
dstid "/C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=p7.local/emailAddress=r...@openbsd.org" \
config address 172.24.24.0/24 \
config name-server 172.24.24.1 \





myhost# iked -d -v
ikev2 "vpn" passive tunnel esp inet from 0.0.0.0 to 185.21.22.23/32 
local 185.21.22.23 peer any ikesa enc aes-256 prf hmac-sha2-256 auth 
hmac-sha2-256 group modp2048 childsa enc aes-256 auth hmac-sha2-256 
group modp2048 esn noesn srcid /C=DE/ST=Lower 
Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=185.21.22.23/emailAddress=r...@openbsd.org 
 dstid /C=DE/ST=Lower 
Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=p7.local/emailAddress=r...@openbsd.org 
lifetime 10800 bytes 4294967296 signature config address 172.24.24.0 
config name-server 172.24.24.1



spi=0x5e92324a01d56a7b: recv IKE_SA_INIT req 0 peer 189.11.12.13:8389 local 185.21.22.23:500, 604 bytes, policy 'vpn'
spi=0x5e92324a01d56a7b: send IKE_SA_INIT res 0 peer 189.11.12.13:8389 local 185.21.22.23:500, 473 bytes
spi=0x5e92324a01d56a7b: recv IKE_AUTH req 1 peer 189.11.12.13:8390 local 185.21.22.23:4500, 496 bytes, policy 'vpn'
spi=0x5e92324a01d56a7b: ikev2_ike_auth_recv: no compatible policy found
spi=0x5e92324a01d56a7b: ikev2_send_auth_failed: authentication failed for
spi=0x5e92324a01d56a7b: send IKE_AUTH res 1 peer 189.11.12.13:8390 local 185.21.22.23:4500, 80 bytes, NAT-T
spi=0x5e92324a01d56a7b: sa_free: authentication failed
spi=0xa5460ef7687cbbc8: recv IKE_SA_INIT req 0 peer 189.11.12.13:8389 local 185.21.22.23:500, 604 bytes, policy 'vpn'
spi=0xa5460ef7687cbbc8: send IKE_SA_INIT res 0 peer 189.11.12.13:8389 local 185.21.22.23:500, 473 bytes
spi=0xa5460ef7687cbbc8: recv IKE_AUTH req 1 peer 189.11.12.13:8390 local 185.21.22.23:4500, 496 bytes, policy 'vpn'
spi=0xa5460ef7687cbbc8: ikev2_ike_auth_recv: no compatible policy found
spi=0xa5460ef7687cbbc8: ikev2_send_auth_failed: authentication failed for
spi=0xa5460ef7687cbbc8: send IKE_AUTH res 1 peer 189.11.12.13:8390 local 185.21.22.23:4500, 80 bytes, NAT-T
spi=0xa5460ef7687cbbc8: sa_free: authentication failed
^Cikev2 exiting, pid 73990
control exiting, pid 75201
ca exiting, pid 38355
parent terminating
myhost#



If anyone has a working setup for an iPhone via 4G (dynamic) connecting to
a VPS (fixed IP), it would be much appreciated.




Re: Cannot connect to iked, authenticate fails

2023-04-07 Thread misc

answer inline

On 2023-04-04 20:35, Stuart Henderson wrote:

On 2023-04-04, m...@phosphorus.com.br  wrote:

ikectl ca VPN create
ikectl ca VPN install
ikectl ca VPN certificate 33.33.33.33 create server
ikectl ca VPN certificate 33.33.33.33 install
ikectl ca VPN certificate p6.local create client
ikectl ca VPN certificate p6.local install


here you installed the client's cert onto the server, you don't want that,
it should only go on the client. that's probably what you run into now.





ok, I cleaned up all certs first:

rm -rf /etc/ssl/VPN/* /etc/iked/*

then generated new ones and stopped short of installing the client
certificate, as advised:


myhost# history -50 | egrep ikectl
326 ikectl ca VPN create
327  ikectl ca VPN install
329 ikectl ca VPN certificate 185.21.22.23 create server
330 ikectl ca VPN certificate 185.21.22.23 install
331 ikectl ca VPN certificate p7.local create client
336 ikectl ca VPN certificate p7.local export





ikectl ca VPN certificate p6.local export

Then imported p6.local.pfx from p6.local.zip into the iphone





ikev2 "vpn" passive esp \
 from 0.0.0.0/0 to 0.0.0.0/0 \
 from ::0/0 to ::0/0 \




you normally want "to dynamic" with "config address"





tried with this conf:

(also used "from 185.21.22.23/32 to dynamic \" but that didn't work either)

ikev2 "vpn" passive esp \
from dynamic to 185.21.22.23/32 \
local egress peer any \
ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
srcid 185.21.22.23 \
dstid p7.local \
config address 172.24.24.0/24 \
config name-server 172.24.24.1 \




 local egress peer any \
 ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group
modp2048 \
 childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
 srcid 33.33.33.33 \
 dstid p6.local \
 config address 172.24.24.0/24 \
 config address 2001:470:203a:a0::/64 \




i'm not sure if it works to list both v4 and v6 "config address" blocks,
try with just one or the other if it seems like you have address-related
problems



Ok, Removed the IPv6 section


Test:

myhost# iked -d -v

ikev2 "vpn" passive tunnel esp inet from 0.0.0.0 to 185.21.22.23/32 local 185.21.22.23 peer any ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 childsa enc aes-256 auth hmac-sha2-256 group modp2048 esn noesn srcid 185.21.22.23 dstid p7.local lifetime 10800 bytes 4294967296 signature config address 172.24.24.0 config name-server 172.24.24.1


spi=0x6b22863051e616a0: recv IKE_SA_INIT req 0 peer 177.11.12.13:63712 local 185.21.22.23:500, 604 bytes, policy 'vpn'
spi=0x6b22863051e616a0: send IKE_SA_INIT res 0 peer 177.11.12.13:63712 local 185.21.22.23:500, 473 bytes
spi=0x6b22863051e616a0: recv IKE_AUTH req 1 peer 177.11.12.13:63726 local 185.21.22.23:4500, 496 bytes, policy 'vpn'
spi=0x6b22863051e616a0: ikev2_send_auth_failed: authentication failed for FQDN/p7.local
spi=0x6b22863051e616a0: send IKE_AUTH res 1 peer 177.11.12.13:63726 local 185.21.22.23:4500, 80 bytes, NAT-T
spi=0x6b22863051e616a0: sa_free: authentication failed
spi=0x936e6ee7184d1923: recv IKE_SA_INIT req 0 peer 177.11.12.13:63712 local 185.21.22.23:500, 604 bytes, policy 'vpn'
spi=0x936e6ee7184d1923: send IKE_SA_INIT res 0 peer 177.11.12.13:63712 local 185.21.22.23:500, 473 bytes
spi=0x936e6ee7184d1923: recv IKE_AUTH req 1 peer 177.11.12.13:63726 local 185.21.22.23:4500, 496 bytes, policy 'vpn'
spi=0x936e6ee7184d1923: ikev2_send_auth_failed: authentication failed for FQDN/p7.local
spi=0x936e6ee7184d1923: send IKE_AUTH res 1 peer 177.11.12.13:63726 local 185.21.22.23:4500, 80 bytes, NAT-T
spi=0x936e6ee7184d1923: sa_free: authentication failed
^Cikev2 exiting, pid 91539
ca exiting, pid 6137
control exiting, pid 22078
parent terminating


Any ideas / working config for a dynamic client hosting an iked on a VPS?


Thanks in advance,







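An added example, not from the thread: a small audit of /etc/iked that reports which certificates in certs/ actually belong to private/local.key, which is the mismatch behind "ca_getreq: found cert with matching ID but without matching key" and shows directly whether a peer's certificate has ended up on the server. It assumes iked's default file layout and openssl(1); the directory is taken from the first argument.

```shell
#!/bin/sh
# Added example, not from the thread: audit an iked(8) certificate directory
# for the situation behind "ca_getreq: found cert with matching ID but
# without matching key". Assumes iked's default layout (this host's private
# key in DIR/private/local.key, certificates as DIR/certs/*.crt) and
# openssl(1). A certificate whose public key does not belong to local.key
# cannot authenticate this host; a peer's certificate in particular belongs
# on the peer, as the thread concluded.
set -u

IKED_DIR=${IKED_DIR:-/etc/iked}

# SubjectPublicKeyInfo (PEM) of a certificate, and of a private key, so the
# two can be compared as text.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey; }
pubkey_of_key()  { openssl pkey -in "$1" -pubout; }

# 0 if CERT was issued for KEY, 1 if not or if either file is unreadable.
cert_key_match() {
    cert_pub=$(pubkey_of_cert "$1" 2>/dev/null) || return 1
    key_pub=$(pubkey_of_key "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Report every cert under DIR/certs against DIR/private/local.key.
# Returns 0 when at least one certificate matches the local key.
audit_iked_certs() {
    dir=${1:-$IKED_DIR}
    key=$dir/private/local.key
    [ -r "$key" ] || { echo "no readable private key at $key"; return 1; }
    matches=0
    for cert in "$dir"/certs/*.crt; do
        [ -e "$cert" ] || continue               # empty glob
        if cert_key_match "$cert" "$key"; then
            echo "match:  $cert (usable as this host's certificate)"
            matches=$((matches + 1))
        else
            echo "no key: $cert (a peer's cert, or issued for another key)"
        fi
    done
    [ "$matches" -gt 0 ]
}

# Usage: sh iked-certcheck.sh /etc/iked
case ${1:-} in
"") ;;                                   # no directory given: define only
*)  audit_iked_certs "$1" ;;
esac
```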
Re: Cannot connect to iked, authenticate fails

2023-04-08 Thread misc



inline

On 2023-04-08 04:33, Stuart Henderson wrote:

On 2023-04-07, m...@phosphorus.com.br  wrote:

ikev2 "vpn" passive esp \
 from dynamic to 185.21.22.23/32 \


that should definitely be "from ... to dynamic", though that's not the
problem you're running into yet.

(that /32 you have will only setup a tunnel to the machine itself,
if you want all traffic to go via vpn then use 0.0.0.0/0).

If anyone has a working setup for an iPhone via 4G (dynamic) connecting to
a VPS (fixed IP), it would be much appreciated.


maybe try with user/password auth and get that working first before
moving on to client certificates? something like this:

---
user  ""

ikev2 "ikevpn" passive esp from 0.0.0.0/0 to dynamic \
  local  peer any \
  srcid "" \
  eap "mschap-v2" \
  config address 172.28.15.128/25 \
  config name-server 172.28.15.2 \
  tag "$name-$id"
---


Good point, will try it simple first. What should be used for localid
and remoteid on the phone client?
Also, is there a need to generate a certificate matching the server's
name?





Re: xenodm + Xvfb + x11vnc = virtual display for vmm(4) OpenBSD guests

2023-07-18 Thread misc



Thanks, will test. Will be useful.

On 7/18/23 20:09, Morgan Aldridge wrote:

I'm maintaining an OpenBSD X11 window manager (WM) port, but try to
keep my primary workstation on -stable, so do most of my development
there and test in Xephyr. I test & submit patches from an OpenBSD
-current VM running under vmm(4), but since vmm(4) doesn't emulate
video hardware, I haven't been run-testing there.

I'm already comfortable with x11vnc under OpenBSD, plus Xephyr, but
they both use an existing X display. After studying xenodm(1),
Xvfb(1), x11vnc(1), and a bunch of other X(1)-related manual pages,
plus tons of experimenting, the solution was actually quite simple.

TL;DR

I couldn't find much on the Internet, list archives, etc., regarding this
specific situation, so here's my solution for a [slow] X11 virtual
display on a vmm(4) OpenBSD guest, accessible via VNC over an SSH
tunnel:

   doas rcctl enable xenodm
   doas rcctl set xenodm flags \
 "-server ':0 local /usr/X11R6/bin/Xvfb :0 -screen 1024x768x24 -shmem'"
   doas rcctl start xenodm
   doas pkg_add x11vnc
   doas rcctl enable x11vnc
   doas rcctl start x11vnc

Hope someone else finds this useful down the road,

Morgan





certbot in cron - best way?

2024-02-20 Thread misc

Hi misc,

Usually am updating certificates manually this way:

rcctl stop httpd ; certbot certonly --standalone -d DOMAIN.org -m notifyc...@domain.org ; rcctl start httpd


but recently saw newer certificates being deployed as 0001,0002,0003 etc, like:


/etc/letsencrypt/live/DOMAIN.org-0002/fullchain.pem

Which setup are you using to automatically update certs with certbot, in cron, and keeping /etc/httpd.conf updated accordingly?


Cheers,

--fm

--
Att.

(+5521) 97914-8106 (Signal)
PHOSPHORUS NETWORKS | HNO3 SYSTEMS
https://www.linkedin.com/in/fabio1337br/



Re: certbot in cron - best way?

2024-02-20 Thread misc

Thanks. Worked like a charm.

Cheers,

--fm

On 2/20/24 12:54, Odhiambo Washington wrote:

On Tue, Feb 20, 2024 at 6:47 PM  wrote:


Hi misc,

Usually am updating certificates manually this way:

rcctl stop httpd ; certbot certonly --standalone -d DOMAIN.org -m
notifyc...@domain.org ; rcctl start httpd

but recently saw newer certificates being deployed as 0001,0002,0003
etc, like:

/etc/letsencrypt/live/DOMAIN.org-0002/fullchain.pem

Which setup are you using to automatically update certs with certbot, in
cron, and keeping /etc/httpd.conf updated accordingly?


This should work:

0 0,12 * * * /bin/sleep 1552 &&  rcctl stop httpd  && certbot renew && rcctl start httpd


--



Re: certbot in cron - best way?

2024-02-21 Thread misc



On 2/21/24 10:07, Stuart Henderson wrote:

You might like to investigate ~ in crontab(5), e.g. "~ 0,12" and lose
the "sleep".

Wouldn't it be better to have certbot write files into a directory
served by httpd so you don't need the "rcctl stop" though?


Yes, it would be better. Today had a problem in which rcctl stop worked, but rcctl start didn't.
Seems like --webroot from certbot can do the trick. Will test in a few days with an expiring certificate.

--fm


Re: OT: SSH3 proposal

2024-02-05 Thread misc
I liked the ability to forward UDP packets as well, but that can be implemented in SSH itself, instead of adding another unnecessary layer.


On 2/5/24 04:26, Carlos Lopez wrote:

Hi all,

https://blog.apnic.net/2024/02/02/towards-ssh3-how-http-3-improves-secure-shells/

Uhmm ... ssh over http/3? What do you think about it?

Best regards,
C. L. Martinez


--
fm



How to print using Samsung ML-1670

2023-11-15 Thread misc
I want to print using my Samsung ML-1670.

Started up cupsd and set it up using Samsung_ML-1670_Series.ppd.

It doesn't print, status complains about "rastertospl" which I think is a linux(R) binary, and the linux emulation is gone now right?

Cups status message:

 Idle - "File "/usr/local/libexec/cups/filter/rastertospl" not available: No such file or directory"

I've tried choosing Samsung ML-1640 from the list instead, in which case printing fails claiming 'filter failed':

 stopped "Filter failed"
 
Any ideas?

Samsung_ML-1670_Series.ppd:

*PPD-Adobe: "4.3"
*% ===
*% PPD for Samsung ML-1670 Series CUPS
*% For Linux Only
*% === 
*FormatVersion: "4.3"
*FileVersion: "0.9"
*LanguageVersion: English
*LanguageEncoding: ISOLatin1
*PCFileName:"ML1670.ppd"
*Manufacturer: "SAMSUNG"
*Product:   "(LaserPrinter)"
*cupsVersion: 1.0
*cupsManualCopies: False
*% *cupsModelNumber is used as the indicator of variable bandwidth and QPDL version number field.
*% MSB 1st bit is index of variable bandwidth.
*% LSB 4bits - 1 is used as QPDL version number.
*% 1011 : variable bandwidth = True, QPDL version number = 3 - 1 = 2.
*cupsModelNumber:  134
*cupsFilter:  "application/vnd.cups-raster 0 rastertospl"
*% Emulators: Number Of Packet Size in KB + "_" + Compression Type + "_" + Emulation Name
*% FBB do not need this field. Newly introduced from CLP-600.
*Emulators: "Banded_JBIG_SPL-C_scms"
*ModelName: "Samsung ML-1670 Series"
*ShortNickName: "ML-1670"
*linuxLanguage: "SPL-C"
*linuxPriority: "1"
*linuxURL:"http://www.samsungprinter.com/"
*linuxIdentify: "ML-1670"
*NickName:  "Samsung ML-1670 Series"
*PSVersion: "(3010.000) 550"
*LanguageLevel: "3"
*ColorDevice:   False
*DefaultColorSpace: Gray
*FileSystem:  False
*Throughput:"21"

*%
*%LandscapeOrientation: Plus90
*%VariablePaperSize: False
*%TTRasterizer: Type42
*% Base options group 
*%

*OpenGroup: General/General
*% =
*%  Color & Gray Option
*% =
*OpenUI *ColorModel/Color Mode: PickOne
*OrderDependency: 10 AnySetup *ColorModel
*DefaultColorModel: Gray
*ColorModel Gray/Grayscale: "<>setpagedevice"
*CloseUI: *ColorModel

*secPJLColorModel Gray/Grayscale: "@PJL SET COLORMODE = MONO<0A>"

*% =
*%  Media Type
*% =
*JCLOpenUI *MediaType/Paper Type: PickOne
*OrderDependency: 10 JCLSetup *MediaType
*DefaultMediaType: None
*MediaType None/Printer Default: "@PJL SET PAPERTYPE = OFF<0A>"
*MediaType Plain/Plain: "@PJL SET PAPERTYPE = NORMAL<0A>"
*MediaType Thick/Thick: "@PJL SET PAPERTYPE = THICK<0A>"
*MediaType Thin/Thin: "@PJL SET PAPERTYPE = THIN<0A>"
*MediaType OHP/Transparency: "@PJL SET PAPERTYPE = OHP<0A>"
*MediaType Bond/Bond: "@PJL SET PAPERTYPE = BOND<0A>"
*MediaType Color/Color: "@PJL SET PAPERTYPE = COLOR<0A>"
*MediaType Card/CardStock: "@PJL SET PAPERTYPE = CARD<0A>"
*MediaType Labels/Labels: "@PJL SET PAPERTYPE = LABEL<0A>"
*MediaType Preprinted/Preprinted: "@PJL SET PAPERTYPE = USED<0A>"   
*MediaType Cotton/Cotton: "@PJL SET PAPERTYPE = COTTON<0A>" 
*MediaType Archive/Archive: "@PJL SET PAPERTYPE = ARCHIVE<0A>" 
*MediaType Recycled/Recycled: "@PJL SET PAPERTYPE = RECYCLED<0A>" 
*MediaType Envelope/Envelope: "@PJL SET PAPERTYPE = ENV<0A>" 
*JCLCloseUI: *MediaType

*% =
*%  Quality
*% =
*OpenUI *Quality/Quality: PickOne
*OrderDependency: 10 AnySetup *Quality
*DefaultQuality: 600x600_Draft
*Quality 600x600_Best/1200 dpi(Best) : "<>setpagedevice"
*Quality 600x600_Draft/600 dpi(Normal): "<>setpagedevice"
*CloseUI: *Quality

*DefaultResolution: 600dpi

*% =
*%  Paper Source
*% =
*OpenUI *InputSlot/Paper Source: PickOne
*OrderDependency: 25 AnySetup *InputSlot
*DefaultInputSlot: Auto
*InputSlot Auto/Auto Selection: ""
*InputSlot Manual/Manual Feeder: ""
*%InputSlot Upper/Tray 1: ""
*CloseUI: *InputSlot


*% =
*%  Paper Handling
*% =
*% Use these entries to set paper size unless there is a specific
*% reason to use PageRegion, such as when using manual Feeder.
*OpenUI *PageSize/Page Size: PickOne
*OrderDependency: 30 AnySetup *PageSize
*DefaultPageSize: Letter
*PageSize Letter/Letter: "<> /PageSize [612 792] /ImagingBBox null>> setpagedevice"
*PageSize Legal/Legal: "<> /PageSize [612 1008] /ImagingBBox null>> setpagedevice"
*PageSize A4/A4: "<> /PageSize [595 842] /ImagingBBox 
null>> 

Re: Upgrading from 7.3 to 7.4 with sysupgrade

2023-11-18 Thread misc
On Sat, Nov 18, 2023, at 11:57, Mark wrote:
> "> That will never happen."
> 
> And some serious reason?
> 
> It was a great idea indeed. :/

They don't go out of their way to assist with foot shooting.

The files under /usr take up about 8 GB and I've installed gnome
and what not.

Just get a bigger SD-card?  

puffy$ df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a      986M    128M    809M    14%    /
/dev/sd0l      131G    1.9G    123G     2%    /home
/dev/sd0d      3.9G   49.9M    3.6G     2%    /tmp
/dev/sd0f     23.5G    2.0G   20.3G    10%    /usr
/dev/sd0g      986M    290M    647M    31%    /usr/X11R6
/dev/sd0h     19.4G    4.9G   13.5G    27%    /usr/local
/dev/sd0k      5.8G   86.0K    5.5G     1%    /usr/obj
/dev/sd0j      2.9G    2.0K    2.8G     1%    /usr/src
/dev/sd0e     28.7G   79.5M   27.2G     1%    /var



Re: looking for reliable USB printer

2005-10-02 Thread Adriaan Misc
On 10/1/05, Marc Espie [EMAIL PROTECTED] wrote:

 Just wanted to know what people currently use for an usb printer under
 OpenBSD. I'm looking for rather cheap hardware that's currently sold
 in europe as brand new, and guaranteed to work (through experience)
 by people...


Last year I bought an HP Deskjet 3820, but I don't think it is really a
current model anymore. It has USB as well as a parallel port. Because I don't
use color I take advantage of the PCL support of the printer and simply
configure it as a Laserjet. I use apsfilter.
With hpijs it also prints color.

=Adriaan=



hardware problem?! strangely ssh error

2007-07-18 Thread misc(at)openbsd.org
Hello,

I have a system with OpenBSD 4.1 installed. Everything works fine (lynx
/ ping / ...) but I'm not able to connect to another system via ssh. I'm
not able to connect to the system either.
The error I get:

2: Bad packet length integer

I googled a bit, but I wasn't able to find out what exactly is wrong.
Here is the information from dmesg about the NICs:

sis0 at pci0 dev 8 function 0 NS DP83815 10/100 rev 0x00, DP83816A:
irq 11, address 00:02:b6:33:50:dd

Btw, I'm talking about a fresh 4.1 installation, completely untouched.

Does anyone have an idea for me? Driver problem? Unsupported hardware? The
hardware was checked twice by the producer (and I don't have the problems
using Linux), so I don't think that it is a hardware defect.

Thanks.

Regards
  Hagen Volpers



Re: hardware problem?! strangely ssh error

2007-07-18 Thread openbsd misc


 Have you tried:

 ssh -vvv host.to.connect.to

 That might give some clues.

 HTH
 Fred
 --
 http://www.crowsons.com/puters/x41.htm

Hello,

here are the last lines:

debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent

followed by the error mentioned in my first mail.

Does that help? Do you need more information?

Regards
  Hagen Volpers



Re: hardware problem?! strangely ssh error

2007-07-19 Thread openbsd misc

 Try to determine where the error occurs. For example: is this a network
 driver issue? To find out, put another type of network card into the
 machine and try to use ssh over it.

 Another test would be to connect to another machine (running a
 different version of sshd?), to test if this is an ssh protocol problem
 on the local or remote side.

 Can you ssh INTO the machine?

 Make notes of what works and what not, etc.  Try to be smart and rule
 out possible causes; this enables you to zoom in on the real problem.


   -Otto

Hello,

unfortunately I'm not able to test another NIC, the system doesn't have
a PCI slot (we are talking about an all-in-one board - e.g.
http://www.visionsystems.de/1_2_5_4.html). I already did all the other
tests you mentioned, except changing the ssh protocol - lynx / ping
work, ssh from the machine to different machines doesn't work (I can
connect from other systems without any problem), ssh to the machine
doesn't work either.

Any other ideas?

Regards
  Hagen Volpers



Re: hardware problem?! strangely ssh error

2007-07-19 Thread openbsd misc
Hello,

putting that one back to the list, it's not silly ;-)

I tried ssh [EMAIL PROTECTED] - same result.

So the NIC isn't the problem ... I looked into dmesg again, the BIOS is
mentioned as AT/286+ there?! Is that normal?

Btw, the IP address is unique ;-)

Are there known bugs on VIA CPUs? What information do I need to provide?
(dmesg is hard, I have to write it up, but if that helps, let me know and I'll
do it).

Regards
  Hagen Volpers

-Original Message-
From: Maxim Belooussov [mailto:[EMAIL PROTECTED]
Sent: Thursday, 19 July 2007 21:38
To: openbsd misc
Subject: Re: hardware problem?! strangely ssh error

Hi Hagen,

Doing this off the list in case I sound too silly.

For starters, have you tried to ssh [EMAIL PROTECTED]? This would give a
clue where the problem could be.

Further, make sure that there is no machine with the same IP on your
net - I've seen before that some connections were 'dying' all of a
sudden when another (Linux) box with the same IP was closing 'illegal'
connections.

Hope it helps,

Maxim





Re: hardware problem?! strangely ssh error

2007-07-19 Thread openbsd misc
 HID v1.00 Mouse [USBPS2] on usb-:00:07.2-2
usbcore: registered new interface driver usbhid
drivers/usb/input/hid-core.c: v2.6:USB HID core driver
sl811: driver sl811-hcd, 19 May 2005
ieee1394: Initialized config rom entry `ip1394'
ieee1394: sbp2: Driver forced to serialize I/O (serialize_io=1)
ieee1394: sbp2: Try serialize_io=0 for better performance
libata version 2.00 loaded.
device-mapper: ioctl: 4.10.0-ioctl (2006-09-14) initialised:
[EMAIL PROTECTED]
md: raid0 personality registered for level 0
md: raid1 personality registered for level 1
md: raid10 personality registered for level 10
JFS: nTxBlock = 3966, nTxLock = 31734
Intel(R) PRO/1000 Network Driver - version 7.2.9-k4
Copyright (c) 1999-2006 Intel Corporation.
scsi 0:0:0:0: CD-ROMIOMEGA   CDRW86522EXT3-B  QOP3 PQ: 0 ANSI: 0
sr0: scsi3-mmc drive: 40x/40x writer cd/rw xa/form2 cdda tray
Uniform CD-ROM driver Revision: 3.20
sr 0:0:0:0: Attached scsi CD-ROM sr0
usb-storage: device scan complete
ISO 9660 Extensions: Microsoft Joliet Level 3
Unable to load NLS charset iso8859-1
Unable to load NLS charset iso8859-1
ISO 9660 Extensions: RRIP_1991A
Real Time Clock Driver v1.12ac
natsemi dp8381x driver, version 2.1, Sept 11, 2006
  originally by Donald Becker [EMAIL PROTECTED]
  http://www.scyld.com/network/natsemi.html
  2.4.x kernel port by Jeff Garzik, Tjeerd Mulder
PCI: setting IRQ 11 as level-triggered
PCI: Found IRQ 11 for device :00:08.0
natsemi eth0: NatSemi DP8381[56] at 0xd000 (:00:08.0),
00:02:b6:33:50:dd, IRQ 11, port TP.
PCI: setting IRQ 12 as level-triggered
PCI: Found IRQ 12 for device :00:09.0
natsemi eth1: NatSemi DP8381[56] at 0xdfffe000 (:00:09.0),
00:02:b6:33:50:de, IRQ 12, port TP.
PCI: setting IRQ 9 as level-triggered
PCI: Found IRQ 9 for device :00:0a.0
natsemi eth2: NatSemi DP8381[56] at 0xdfffd000 (:00:0a.0),
00:02:b6:33:50:df, IRQ 9, port TP.
PCI: Found IRQ 10 for device :00:0b.0
PCI: Sharing IRQ 10 with :00:07.2
natsemi eth3: NatSemi DP8381[56] at 0xdfffc000 (:00:0b.0),
00:02:b6:33:50:e0, IRQ 10, port TP.
natsemi dp8381x driver, version 2.1, Sept 11, 2006
  originally by Donald Becker [EMAIL PROTECTED]
  http://www.scyld.com/network/natsemi.html
  2.4.x kernel port by Jeff Garzik, Tjeerd Mulder
natsemi eth0: NatSemi DP8381[56] at 0xd000 (:00:08.0),
00:02:b6:33:50:dd, IRQ 11, port TP.
natsemi eth1: NatSemi DP8381[56] at 0xdfffe000 (:00:09.0),
00:02:b6:33:50:de, IRQ 12, port TP.
natsemi eth2: NatSemi DP8381[56] at 0xdfffd000 (:00:0a.0),
00:02:b6:33:50:df, IRQ 9, port TP.
natsemi eth3: NatSemi DP8381[56] at 0xdfffc000 (:00:0b.0),
00:02:b6:33:50:e0, IRQ 10, port TP.
sr 0:0:0:0: Attached scsi generic sg0 type 5
eth1: DSPCFG accepted after 0 usec.
eth3: DSPCFG accepted after 0 usec.
eth2: DSPCFG accepted after 0 usec.
eth0: DSPCFG accepted after 0 usec.
eth0: link up.
eth0: Setting full-duplex based on negotiated link capability.
eth3: remaining active for wake-on-lan
eth1: remaining active for wake-on-lan
eth0: remaining active for wake-on-lan
fbsplash: console 0 using theme 'livecd-2006.1'
eth2: remaining active for wake-on-lan
fbsplash: switched splash state to 'on' on console 0
eth2: DSPCFG accepted after 0 usec.
eth0: DSPCFG accepted after 0 usec.
eth0: link up.
eth0: Setting full-duplex based on negotiated link capability.
eth3: DSPCFG accepted after 0 usec.
eth1: DSPCFG accepted after 0 usec.

Regards
  Hagen Volpers



Re: hardware problem?! strangely ssh error

2007-07-19 Thread openbsd misc
 openbsd misc wrote:
 Hello again,

 I tested the gentoo live cd. I was able to ssh to another machine, so I was
 able to get a complete (linux) dmesg output. Hope that helps:

 [...]

 Regards
   Hagen Volpers



 Can you ftp the dmesg out?

 My answer to all dodgy hardware at the moment is enable acpi via boot -c

 HTH
 --
 http://www.crowsons.com/puters/x41.htm


Hello,

acpi0 was disabled, but enabling it doesn't make any difference. Here is
the OpenBSD dmesg output (after enabling acpi using config - forgot the
good old apache, easier than setting up an ftp server on another machine
;-)):

OpenBSD 4.1 (GENERIC) #1435: Sat Mar 10 19:07:45 MST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: VIA Nehemiah (CentaurHauls 686-class) 1 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,CX8,SEP,MTRR,PGE,CMOV,PAT,MMX,FXSR,SSE
cpu0: RNG AES
real mem  = 528052224 (515676K)
avail mem = 474099712 (462988K)
using 4278 buffers containing 26525696 bytes (25904K) of memory
User Kernel Config
UKC find acpi0
386 acpi0 at mainbus0 bus -1 flags 0x0
UKC quit
Continuing...
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 11/27/03, BIOS32 rev. 0 @ 0xfdb30,
SMBIOS rev. 2.3 @ 0xf0630 (24 entries)
bios0: American Megatrends Inc. Uknown
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf8920/192 (10 entries)
pcibios0: PCI Interrupt Router at 000:07:0 (VIA VT82C686 ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xc000 0xcc000/0x1000 0xcd000/0x1000
0xce000/0x1000 0xcf000/0x1000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 VIA VT8601 PCI rev 0x05
ppb0 at pci0 dev 1 function 0 VIA VT82C601 AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 Trident CyberBlade i1 rev 0x6a
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 VIA VT82C686 ISA rev 0x40
pciide0 at pci0 dev 7 function 1 VIA VT82C571 IDE rev 0x06: ATA100,
channel 0 configured to compatibility, channel 1 configured to
compatibility
wd0 at pciide0 channel 0 drive 0: Maxtor 6E040L0
wd0: 16-sector PIO, LBA, 39205MB, 80293248 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
pciide0: channel 1 disabled (no drives)
uhci0 at pci0 dev 7 function 2 VIA VT83C572 USB rev 0x1a: irq 10
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
viaenv0 at pci0 dev 7 function 4 VIA VT82C686 SMBus rev 0x40
sis0 at pci0 dev 8 function 0 NS DP83815 10/100 rev 0x00, DP83816A:
irq 11, address 00:02:b6:33:50:dd
nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
sis1 at pci0 dev 9 function 0 NS DP83815 10/100 rev 0x00, DP83816A:
irq 12, address 00:02:b6:33:50:de
nsphyter1 at sis1 phy 0: DP83815 10/100 PHY, rev. 1
sis2 at pci0 dev 10 function 0 NS DP83815 10/100 rev 0x00, DP83816A:
irq 9, address 00:02:b6:33:50:df
nsphyter2 at sis2 phy 0: DP83815 10/100 PHY, rev. 1
sis3 at pci0 dev 11 function 0 NS DP83815 10/100 rev 0x00, DP83816A:
irq 10, address 00:02:b6:33:50:e0
nsphyter3 at sis3 phy 0: DP83815 10/100 PHY, rev. 1
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
biomask e5e5 netmask ffe5 ttymask ffe7
pctr: user-level cycle counter enabled
uhidev0 at uhub0 port 2 configuration 1 interface 0
uhidev0: Tangtop USBPS2, rev 1.10/0.01, addr 2, iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub0 port 2 configuration 1 interface 1
uhidev1: Tangtop USBPS2, rev 1.10/0.01, addr 2, iclass 3/1
uhidev1: 3 report ids
ums0 at uhidev1 reportid 1: 5 buttons and Z dir.
wsmouse0 at ums0 mux 0
uhid0 at uhidev1 reportid 2: input=2, output=0, feature=0
uhid1 at uhidev1 reportid 3: input=1, output=0, feature=0

Re: hardware problem?! strangely ssh error - SOLVED

2007-07-20 Thread openbsd misc
 -Original Message-
 From: Stuart Henderson [mailto:[EMAIL PROTECTED]
 Sent: Friday, 20 July 2007 01:22
 To: openbsd misc
 Subject: Re: hardware problem?! strangely ssh error

 On 2007/07/20 00:02, Stuart Henderson wrote:
  If there might be crypto hardware onboard, try sysctl kern.usercrypto=0

 The chip is detected as supporting AES, which gets used for
 ssh with default ciphers. Definitely try this sysctl (takes effect
 straight away) and if it helps please report back on misc@, if
 AES is detected incorrectly it would be useful to work out a
 way to identify and disable it.



Thanks a lot, that solved the problem.

Regards
  Hagen Volpers



Re: pf.conf(5) buglet wrt logging

2005-12-10 Thread Adriaan Misc
On 12/10/05, Tamas TEVESZ [EMAIL PROTECTED] wrote:

[snip]
 ..., what's the correct syntax
 for logging in a nat(/binat/rdr) rule? nat on pcn0 from
 192.168.1.0/24 to any -> (pcn0) works fine, nat log on pcn... gives
 a syntax error).

 if the diff below is correct, how can one log nats/rdrs/binats as they
 happen?

[snip]
I interpret it as: you need a pass before the log ;)

--- man pf.conf of 3.8-current ---
  rdr-rule   = [ no ] rdr [ pass [ log [ ( logopts ) ] ] ]
  [ on ifspec ] [ af ]

--- end ---

With the pass it gives no syntax errors.

EXT_NIC = fxp0

rdr pass log on $EXT_NIC inet proto tcp from ! self to $EXT_NIC port
 tag IN_OK -> $EXT_NIC port ssh

pfctl -s nat

rdr pass log on fxp0 inet proto tcp from ! 127.0.0.1 to 192.168.222.69
port =  tag IN_OK -> 192.168.222.69 port 22
rdr pass log on fxp0 inet proto tcp from ! 192.168.222.69 to
192.168.222.69 port =  tag IN_OK -> 192.168.222.69 port 22

=Adriaan=



Re: sshd.config and AllowUsers

2007-03-26 Thread openbsd misc
Hello,

everything is commented because these are the default settings. If you want to
change a setting you'll have to uncomment and change it.


Regards
  Hagen Volpers

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of
Jerome Santos
Sent: Monday, 26 March 2007 19:33
To: misc@openbsd.org
Subject: sshd.config and AllowUsers

I have a few separate users on my server, one user for which I want to
disallow ssh login. Now I've read the man page for sshd and I've read a lot
of the documentation on this, but I'm still not clear on one point. By
default, /etc/ssh/sshd.config shows all entries are commented out. I want to
add something like this:

AllowUsers user1, user2, user3

I added that in but also with a # in front like all the other entries. Now
I find that I can still ssh to the box with a user acct that I didn't
include in the entry. Should it be in there without the #? And if so, do I
also then have to uncomment all the other entries??

Thanks
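
The point of the reply above (a commented-out line is only the shipped default and has no effect until it is uncommented) as an added Python example, not code from the thread: it parses an sshd_config fragment, reports user filters that are commented out or comma-separated (sshd_config(5) separates AllowUsers patterns with spaces), and evaluates whether a given user passes the DenyUsers/AllowUsers check. Match blocks and the group directives are not modelled, and the sample configs are constructed.

```python
# Added example (not from the thread): audit the AllowUsers/DenyUsers lines
# of an sshd_config. A line starting with '#' is a comment, so a commented
# directive is not in effect, and sshd_config(5) separates AllowUsers
# patterns with spaces, not commas. Match blocks are not modelled.
import re

USER_FILTER = re.compile(r"(allowusers|denyusers)\b", re.IGNORECASE)


def parse_sshd_config(text):
    """Return (active, warnings).

    active   -- (keyword, value) for every uncommented directive; keyword is
                lower-cased because sshd keywords are case-insensitive
    warnings -- problems an auditor would want to see
    """
    active, warnings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Commented out: sshd ignores it entirely (the shipped file shows
            # the defaults this way). Flag it if it names a user filter.
            m = USER_FILTER.match(line.lstrip("#").strip())
            if m:
                warnings.append(
                    f"line {lineno}: {m.group(1)} is commented out and has no effect")
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if keyword in ("allowusers", "denyusers") and "," in value:
            # 'user1,' is a pattern that never matches the user 'user1'
            warnings.append(
                f"line {lineno}: {parts[0]} patterns are separated by spaces, "
                "not commas; a trailing comma becomes part of the pattern")
        active.append((keyword, value))
    return active, warnings


def _match(pattern, user):
    """sshd-style pattern match with '*' and '?' wildcards only.

    A pattern may be USER@HOST; only the USER part is checked here."""
    user_pat = pattern.split("@", 1)[0]
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in user_pat)
    return re.fullmatch(regex, user) is not None


def user_allowed(active, user):
    """Apply sshd's order for these two directives: DenyUsers is checked
    first; if any AllowUsers line is present, only matching users pass."""
    deny = [p for k, v in active if k == "denyusers" for p in v.split()]
    allow = [p for k, v in active if k == "allowusers" for p in v.split()]
    if any(_match(p, user) for p in deny):
        return False
    if allow:
        return any(_match(p, user) for p in allow)
    return True


# Constructed sample configs: the poster's attempt and two variants.
AS_POSTED = "#AllowUsers user1, user2, user3\n#PermitRootLogin yes\n"
UNCOMMENTED_WITH_COMMAS = "AllowUsers user1, user2, user3\n"
CORRECTED = "AllowUsers user1 user2 user3\nDenyUsers user3\n"

if __name__ == "__main__":
    for name, cfg in [("as posted", AS_POSTED),
                      ("uncommented, commas", UNCOMMENTED_WITH_COMMAS),
                      ("corrected", CORRECTED)]:
        active, warnings = parse_sshd_config(cfg)
        print(name, {u: user_allowed(active, u)
                     for u in ("user1", "user3", "user4")})
        for w in warnings:
            print("  !", w)
```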



Re: Problem using flashboot (openBSD based), can't get it to boot

2007-05-29 Thread openbsd misc
Hello,

I'm not a guru, but I've been working with OpenBSD and WRAP systems for a
year ... ;-)

 The ; at the end here means that the WRAP BIOS said it could not do
 LBA reads, so biosboot fell back to CHS reads.


 No O/S


 And since you installed on a different machine, the geometry was
 almost certainly different, so the operating system wouldn't be at
 the same place (cylinder/head/sector), hence it's not found.

 No idea how you can fix it, though.

 Tom


 Thanks anyway, it's a clue at least.
 Maybe some of the gurus here know it?

You can set the BIOS to LBA mode (press s during the memory test to access the
BIOS). Btw, OpenBSD is the only OS having that problem ... LBA mode on
WRAP systems means fixed geometry (C/H/S x/32/63 - while the cylinder
count defines the size), so you can use fdisk with the geometry
parameters to configure your CF correctly.

I have another problem with OpenBSD 4.1 and WRAP systems. I create an
image using flashdist and the wrapper script (incl. some modification,
but that should make any difference). For OpenBSD 4.0 everything works
fine, but it doesn't for OpenBSD 4.1. I think the problem is related to the
geometry problem described above. To create an image I defined C/H/S as
118/32/63 (none of the systems I have has less than 128MB) for fdisk and
disklabel. The first time I created an image file that worked fine until
vnconfig -u. After attaching the image again (vnconfig -c) I wasn't able
to mount the partitions. The geometry was completely different. So I
added the -i option to fdisk and the -r option to disklabel. Afterwards I
was able to mount everything again after detaching/attaching the image
file.
After writing the image to a CF card everything works fine on OpenBSD
4.1.

Now here is the problem: The boot loader is not able to access the cf:

disk: hd0*
>> OpenBSD/i386 BOOT 2.13
open(hd0a:/etc/boot.conf): Invalid argument
boot> ls
stat(hd0a:/.): Invalid argument
boot> machine diskinfo
Disk  BIOS#  Type   Cyls  Heads  Secs  Flags  Checksum
hd0   0x80   label  126   32     63    0x0    0xd8c3c6b3

I think that fdisk is the problem. disklabel runs after fdisk, but
disklabel defines the geometry (geometry options are set for fdisk but
it looks like they are ignored?!) - remember the -r option - I don't
know what fdisk exactly does (perhaps telling the boot loader something
about the geometry during setup?!).

I hope someone has an answer or can give hints. The behavior shows a
difference between OpenBSD 4.0-release and OpenBSD 4.1-stable, but I
wasn't able to find anything in the changelog that could explain the
behavior and, more important, how to fix it.

I hope my English isn't too bad, please let me know if something isn't
clear ...

Regards
  Hagen Volpers



Re: Problem using flashboot (openBSD based), can't get it to boot

2007-05-30 Thread openbsd misc
Hello,

 Boudewijn Ector wrote:
 Boudewijn Ector wrote:
 The ; at the end here means that the WRAP BIOS said it could not
do
 LBA reads, so biosboot fell back to CHS reads.


 No O/S


 And since you installed on a different machine, the geometry was
 almost certainly different, so the operating system wouldn't be at
 the same place (cylinder/head/sector), hence it's not found.

 No idea how you can fix it, though.

 Tom


 Thanks anyway, it's a clue at least.
 Maybe some of the gurus here know it?

 Okay, I assume I need to set LBA in the BIOS, and change the CHS settings of
 the microdrive.
 This can be done using fdisk, but how to determine the correct values?

 Secondly, someone pointed out to me that I'm creating the image
 using a USB-based card reader (thus SCSI-like) and running it as an IDE
 device (at Linux, hda) on my board.
 A different kind of boot sector? Can someone confirm this?

 google for WRAP, flashboot, and PXE.

 the 'easiest' way to install is to use the WRAP's own bios & a bsd.rd to
 get enough stuff up & running to download the .gz image over FTP & write
 directly onto the card.

 i've done this on a soekris easily, wrap should be similar.

 i'll look for some link-rotted urls later & if i can find them, email
 offlist

 a+
 scorch

it's not easy because of a BIOS bug. You first have to update the BIOS.
I wrote a small howto in a forum thread:

http://www.bsdforen.de/archive/index.php/t-15259.html

It's in German, let me know if you need an English translation.

For the geometry question: did you miss the reply I wrote yesterday?

Regards
  Hagen Volpers



Re: Embedded system - which ?

2007-06-01 Thread openbsd misc
Hello,

have a look at www.visionsystems.de

I bought some systems there and everything is working fine. It's a German
company, but I don't think that this is a problem, only shipping might be
expensive.

Regards
  Hagen Volpers


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Uwe
Dippel
Sent: Friday, 1 June 2007 16:56
To: misc@openbsd.org
Subject: Embedded system - which ?

2 questions:

First, we are looking for an embedded system (that is, inclusive of casing),
that works with OpenBSD.
Low power, fanless, booting from CF (4GB).
It needs to have a 'full' COM port (RTS, CTS, DSR, DTR) aside from the serial
console, a full PCI slot, USB, 1 NIC.
Soekris doesn't fit; neither do the current Infotek offers (though we will
try a sample of the latter).
Any recommendations?

Secondly, we contacted quite a lot of manufacturers. One promising brand:
Devon. But their answer was quite horrible:
"Our units should run OpenBSD but we do not have any experience using it.
Also, the warranty would be invalid if you install the other OS."
Does anyone have a nice template to write to them, and tell them that it
would be to their advantage if they worked with us, instead of threatening
me? If I write one myself, I am afraid I might come across as rude and
arrogant.
Anyone with diplomatic abilities? Their gear sounds interesting: actually,
something like the NTA 6030A
is slightly below Soekris, price-wise, for us. 1GHz Eden; could be more than
enough for a great OpenBSD server/workstation.

Uwe



openldap-client / cyrus-sasl-2.1.21p3-ldap problem

2007-06-07 Thread misc(at)openbsd.org
Hello,

I have a strange problem:

--8<--

# pkg_add -i cyrus-sasl-2.1.21p3-ldap
Error from
http://ftp-stud.fht-esslingen.de/pub/OpenBSD/4.1/packages/i386/:
ftp: Writing -: Broken pipe
Can't install cyrus-sasl-2.1.21p3-ldap: can't resolve
openldap-client-2.3.33
Can't install openldap-client-2.3.33: can't resolve
cyrus-sasl-2.1.21p3-ldap
Error from
http://ftp-stud.fht-esslingen.de/pub/OpenBSD/4.1/packages/i386/:
ftp: Writing -: Broken pipe
Can't install cyrus-sasl-2.1.21p3-ldap: can't resolve
openldap-client-2.3.33
# pkg_add -i openldap-client-2.3.33
Error from
http://ftp-stud.fht-esslingen.de/pub/OpenBSD/4.1/packages/i386/:
ftp: Writing -: Broken pipe
Ambiguous: choose dependency for openldap-client-2.3.33:
 0: cyrus-sasl-2.1.21p3
 1: cyrus-sasl-2.1.21p3-db4
 2: cyrus-sasl-2.1.21p3-ldap
 3: cyrus-sasl-2.1.21p3-mysql
Your choice: 2
Can't install openldap-client-2.3.33: can't resolve
cyrus-sasl-2.1.21p3-ldap
Can't install cyrus-sasl-2.1.21p3-ldap: can't resolve
openldap-client-2.3.33
Error from
http://ftp-stud.fht-esslingen.de/pub/OpenBSD/4.1/packages/i386/:
ftp: Writing -: Broken pipe
Can't install openldap-client-2.3.33: can't resolve
cyrus-sasl-2.1.21p3-ldap

--8<--

Looks like openldap depends on cyrus-sasl and vice versa.

I found others with the same problem:

http://archives.neohapsis.com/archives/openbsd/2007-05/0454.html

Quote:
I've found a relatively dirty workaround for this.

i) install cyrus-sasl-2.1.21p3
ii) install openldap-client-2.3.33
iii) pkg_add -r cyrus-sasl-2.1.21p3-ldap

This brings me another question. Replace parameter '-r' to pkg_add
gracefully replaces an unflavored package with another flavored one. Is
this an expected behaviour?

Can somebody answer that question? I'll use the workaround, but it looks like
a package problem to me.


Regards
  Hagen Volpers



Re: WRAP stalling at kernel entry point via pxeboot/tftp

2007-06-07 Thread openbsd misc
Hello,

your boot.conf should look like this:

set tty com0
stty com0 38400
set timeout 5

Last time I booted wrap via pxe was 3.9, but this should work.


Regards
  Hagen Volpers

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of
mgb
Sent: Thursday, 7 June 2007 12:51
To: misc@openbsd.org
Subject: WRAP stalling at kernel entry point via pxeboot/tftp

List,

I am attempting to get pxeboot working on a WRAP board with OpenBSD 4.1
GENERIC; however, the loading of either kernel, bsd or bsd.rd, is stalling.

I've searched around the archives and have taken the steps mentioned here:

http://marc.info/?l=openbsd-misc&m=117978591113386&w=2

I have updated the BIOS on the WRAP board with a PXE.BIN downloaded from
rom-o-matic.net which uses etherboot 5.4.3 and the NIC type natsemi:dp83815.

below is the output from the WRAP board:

PC Engines WRAP.2B/2C v1.11
640 KB Base Memory
130048 KB Extended Memory

01F0 - no drive found !
ROM segment 0xe000 length 0x8000 reloc 0x
Etherboot 5.4.3 (GPL) http://etherboot.org
Drivers: NATSEMI   Images: NBI ELF Multiboot a.out PXE   Exports: PXE
Protocols: DHCP TFTP
Relocating _text from: [0008bb80,0009fd90) to [07eebdf0,07f0)
Boot from (N)etwork (D)isk or (Q)uit? N

Probing pci nic...
[dp83815]
natsemi_probe: MAC addr 00:0D:B9:04:47:F8 at ioaddr 0X1000
natsemi_probe: Vendor:0X100B Device:0X0020
dp83815: Transceiver default autoneg. enabled, advertise 100 full duplex.
dp83815: Transceiver status 7869 advertising 05E1
dp83815: Setting full-duplex based on negotiated link capability.
Searching for server (DHCP).
Me: 192.168.1.200, DHCP: 192.168.1.1, TFTP: 192.168.1.1, Gateway 192.168.1.1
Loading 192.168.1.1:pxeboot ...(PXE)done
probing: pc0 com0 pci pxe![2.1] mem[640K 125M a20=on]
disk:
net: mac 00:0d:b9:04:47:f8, ip 192.168.1.200, server 192.168.1.1
>> OpenBSD/i386 PXEBOOT 1.11
boot> bsd1.rd
booting tftp:bsd.rd: 4679892+742564 [52+169536+154918]=0x57b288
dp83815: Setting full-duplex based on negotiated link capability.
entry point at 0x200120

the loading stalls at this point, tcpdump shows the following:

11:48:27.321421 IP 192.168.1.1.32831 > 192.168.1.200.2905: UDP, length 222
11:48:28.319634 IP 192.168.1.1.32831 > 192.168.1.200.2905: UDP, length 222
11:48:30.319653 IP 192.168.1.1.32831 > 192.168.1.200.2905: UDP, length 222
11:48:34.319901 IP 192.168.1.1.32831 > 192.168.1.200.2905: UDP, length 222
11:48:42.320416 IP 192.168.1.1.32831 > 192.168.1.200.2905: UDP, length 222
11:48:47.320663 arp who-has 192.168.1.200 tell 192.168.1.1
11:48:48.320728 arp who-has 192.168.1.200 tell 192.168.1.1
11:48:49.320787 arp who-has 192.168.1.200 tell 192.168.1.1
11:48:58.325352 arp who-has 192.168.1.200 tell 192.168.1.1
11:48:59.325417 arp who-has 192.168.1.200 tell 192.168.1.1
11:49:00.325480 arp who-has 192.168.1.200 tell 192.168.1.1

I have used a boot.conf which contains this:

set tty pc0

I have tried com0 and the output freezes whilst I type bsd.rd

Many thanks for your time



Re: pxeboot hanging on WRAP board

2007-06-22 Thread openbsd misc
 On 2007/06/22 12:15, Heinrich Rebehn wrote:
 Stuart Henderson wrote:
 On 2007/06/22 09:59, Heinrich Rebehn wrote:
 i am trying to get my new WRAP board to boot via pxe. pxeboot loads
fine
 but seems to stall at the point where memory should be probed.
 enable the serial console in $TFTPROOT/etc/boot.conf.

 I tried that, but the WRAP does not even try to access etc/boot.conf
at this
 time (according to tcpdump(1) on the server). Also, pxeboot hangs in
the
 middle of the probing:... line.

 Try a new etherboot from rom-o-matic.net then, you'll need to piece
 it together with the files from wbios11.zip on pcengines.ch and xmodem
 it across. You'll need to use the options detailed in README.TXT in
 rom-o-matic (they're in a different order to listed now, the console
 ones are at the bottom of the web page).

 I have successfully booted pxeboot from 4.1 on a WRAP.1E with
 Etherboot 5.4.3

Correct, check this thread, it should answer all questions (I think
German isn't a problem, right ;-)):

http://www.bsdforen.de/archive/index.php/t-15259.html

Regards
  Hagen Volpers



Re: What is our ultimate goal??

2008-02-18 Thread openbsd misc
 -Original Message-
 From: David Higgs [mailto:[EMAIL PROTECTED]
 Sent: Sunday, 17 February 2008 16:54
 To: openbsd misc
 Cc: OpenBSD-Misc
 Subject: Re: What is our ultimate goal??

 On Feb 17, 2008 7:36 AM, openbsd misc
 [EMAIL PROTECTED] wrote:
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
   On behalf of Tony Abernethy
   Sent: Sunday, 17 February 2008 13:20
   To: 'Mayuresh Kathe'; 'OpenBSD-Misc'
   Subject: Re: What is our ultimate goal??
 
  
   Mayuresh Kathe wrote:
   
OpenBSD is an OS with amazing security and stability,
 but it has too
few modern features.
   
   H   related?
  
  
 
  E.g. wpa[2] is one of the features I miss because I want to
 use OpenBSD as
  Firewall / Access Point (SOHO customers)... VPN is not an
 option, because
  windowsclients need network at startup.

 If WPA2 is considered secure and widespread, it will likely be added
 to OpenBSD at some point.  Even more likely if it's been added to a
 relatively unmodified portion of NetBSD or FreeBSD.

 Is IPSEC an option for your SOHO customers?

 VPN could be an option, though it's definitely not as simple.  OpenVPN
 clients are available for both Windows and OS X.  You could distribute
 binaries and keys via USB drive or a local SSL-enabled webserver.
 There's been other discussions on-list about reducing your exposure to
 wireless sniffers.

 --david


Hello,

this is not an option to me. My customers don't have administration rights -
AFAIK you can't use openvpn without admin rights, the only solution is to run
openvpn as service. Therefore I need to configure openvpn to poll all possible
locations - I don't think that's the way it should go.
My POV is: there are two standards (I know that wpa isn't a real standard,
but AFAIK wpa2 is) to secure wireless lan. It's the easiest configuration
because even a non-administrative user can configure it. I accept that there
are better or more secure ways, but I need a handy solution, too. Some
customers use the AP for their private PCs, too - I don't want to administer
every private device using wireless lan and my customers don't want 20 boxes
@home.
I'm not a developer so I'm not able to do the task on my own - I asked if I
can help with hardware or something like that so the development will start
(or go on?) but it looks like none of the developers (currently) needs
wpa[1/2] :(

Regards
  Hagen Volpers



Re: Regarding MTU values on 802.1q trunked physical interfaces (and more)

2008-03-06 Thread openbsd misc
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On behalf of George Paschos
 Sent: Thursday, 6 March 2008 11:47
 To: misc@openbsd.org
 Subject: Regarding MTU values on 802.1q trunked physical
 interfaces (and more)

 Hello all,

 I am a bit confused regarding the MTU value of the physical ethernet
 interfaces when there are vlan child interfaces configured,
 in regard to
 avoid unneeded fragmentation:

 ifconfig shows an MTU of 1500 for both the parent and the vlan
 interface. Should I increase by hand the mtu of the physical parent
 interface to accommodate the extra bytes for the vlan tags or this is
 taken care from the operating system someway when you define
 a physical
 interface as parent to a vlan one?

 Also as an extension to the previous question:
 When using IPSEC tunnels under openbsd, is there a need to
 increase the
 physical interface's MTU to accommodate ipsec overhead? And
 if yes, what
 would be that magic value from your experience?
 enc0 reports an MTU of 1536 which sounds logical, but that wouldn't
 prevent fragmentation if the interface that the ipsec traffic
 originates/terminates is at 1500.
 Ofc regarding the above, the rest of networking equipment between the
 ipsec endpoints (switches, routers, etc) has been configured to handle
 correctly the bigger mtu values.

 Thanks in advance on any insight

 Regards,
 George



Hello,

AFAIK the VLAN overhead should be handled by your nic (driver) - the mtu set
to 1500 is the packet size without (jumbo frame) extensions - my understanding
is, that it is the same for ipsec - as long as the frame that should go
through the tunnel has a size <= 1500 fragmentation will not take place, the
ipsec interface itself needs the overhead (1536 - 1500) for the ipsec tunnel.
You see the difference because it's software, not nic/driver ...

Correct me, if I'm wrong ... ;)

Regards
  Hagen Volpers

P.S.: Sorry for my bad english ...
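George's question about IPsec overhead is a size calculation; the example below works it through for the 1500-byte path in the thread. It is added here, not code from the thread, and assumes ESP in tunnel mode with AES-128-CBC and HMAC-SHA1-96, which the thread does not specify.

```python
"""Worked MTU check for the VLAN and IPsec questions in the thread.

Added example, not from the thread. Cipher suite (AES-128-CBC with
HMAC-SHA1-96) is an assumption; the thread names none.
"""
from dataclasses import dataclass

ETHERNET_MTU = 1500   # MTU of the physical interface in the question
VLAN_TAG_LEN = 4      # 802.1Q tag sits in the Ethernet header, outside the IP MTU
IPV4_HEADER_LEN = 20  # outer header added in tunnel mode (no options)


@dataclass(frozen=True)
class EspParams:
    """Sizes that decide ESP overhead; defaults are the assumed cipher suite."""
    spi_seq_len: int = 8      # SPI (4) + sequence number (4)
    iv_len: int = 16          # AES-CBC IV
    block_len: int = 16       # AES block size, governs padding
    trailer_len: int = 2      # pad length (1) + next header (1)
    icv_len: int = 12         # HMAC-SHA1-96 truncated MAC


def esp_padding(payload_len: int, p: EspParams) -> int:
    """Padding so that payload + pad + trailer is a multiple of the cipher block."""
    return (-(payload_len + p.trailer_len)) % p.block_len


def esp_tunnel_packet_len(inner_len: int, p: EspParams = EspParams()) -> int:
    """On-the-wire size of an inner IPv4 packet after ESP tunnel encapsulation."""
    pad = esp_padding(inner_len, p)
    return (IPV4_HEADER_LEN + p.spi_seq_len + p.iv_len
            + inner_len + pad + p.trailer_len + p.icv_len)


def max_inner_len_without_fragmentation(mtu: int = ETHERNET_MTU,
                                        p: EspParams = EspParams()) -> int:
    """Largest inner packet whose encapsulated form still fits in mtu."""
    budget = mtu - IPV4_HEADER_LEN - p.spi_seq_len - p.iv_len - p.icv_len
    # payload + pad + trailer must be a whole number of cipher blocks <= budget
    encrypted = budget - budget % p.block_len
    return encrypted - p.trailer_len


def will_fragment(inner_len: int, mtu: int = ETHERNET_MTU,
                  p: EspParams = EspParams()) -> bool:
    """True when the encapsulated packet exceeds the path MTU."""
    return esp_tunnel_packet_len(inner_len, p) > mtu


def vlan_frame_len(ip_len: int) -> int:
    """Ethernet frame carrying ip_len bytes on a vlan(4) child (no FCS counted).

    The tag lengthens the frame, not the IP packet, which is why the parent
    MTU stays 1500 and the NIC/driver, not the IP layer, absorbs it.
    """
    return 14 + VLAN_TAG_LEN + ip_len
```

With these parameters a full 1500-byte inner packet grows to 1560 bytes, so anything above 1438 bytes fragments on a 1500-byte path regardless of what enc0 reports.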



Re: Limit ssh bandwidth

2008-03-10 Thread openbsd misc
Hello,

perhaps this helps:

man scp:

 -l limit
 Limits the used bandwidth, specified in Kbit/s.

Regards
  Hagen Volpers

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On behalf of Marc Rene Arns
 Sent: Monday, 10 March 2008 19:30
 To: misc@openbsd.org
 Subject: Limit ssh bandwidth

 Hi,

 for my client I have set up an mini sftp-Server (on Windows
 in their Intranet)
 and on my webserver (FreeBSD) there is a cronjob looking for
 new files to
 load them via sftp/ssh to the webserver.

 Now we need to limit the bandwidth of the sftp-uploads (ADSL).

 For several reasons it would be better, if I could limit the
 traffic on the
 webserver side. I thought, I would configure pf with altq to
 limit the
 bandwidth of the ssh-client.


 
 Intranet   |   | Webserver
 sftpd   == ssh-client (cron)
 limited|   |  pf / altq
 upload bw   |   |
 |  | 

 Now the idea was to force the sftpd to use less bandwidth by
 limiting the
 bandwidth of the ssh-client (via pf).

 As I read on http://www.openbsd.org/faq/pf/queueing.html altq
 limits by
 dropping packets. So I am not sure if this would cause the
 sftpd to send less
 packets. I would even expect that the sftpd would send more
 packets to
 compensate the lost ones and therefore use even more bandwidth.

 Or is it part of the ssh protocol to agree on a lower
 bandwidth based on the
 number of lost packets?

 Perhaps there is a way for the ssh-client to tell the sftpd
 how much bandwidth
 to use?

 Is there a way to solve this without QoS on the sftpd side?

 Regards,
 Benny



Re: What is WPA status in OpenBSD

2008-03-12 Thread openbsd misc
Hello,

Is there a way to support as a non-developer ... Unfortunately I'm not a developer
so I can't help code, but if I can do something else let me know.

Regards
  Hagen Volpers


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On behalf of Damien Bergamini
 Sent: Wednesday, 12 March 2008 19:49
 To: Dominik Zalewski
 Cc: misc@openbsd.org
 Subject: Re: What is WPA status in OpenBSD

 I still have plans to continue the WPA work in the near future.
 No estimated time of arrival though, especially as I tend to
 become lazy
 as I get older.

 Damien


 | Dear All,
 |
 | I would love to use OpenBSD on my laptop but the problems
 is that most of
 | my work places use WPA encrypted wireless networks
 |
 | So what is a status of WPA support in OpenBSD? I know that
 a lot of people
 | ask about this.
 |
 | Last cvs commit I found with some work done with WPA is
 from 2007/08/22
 |
 | http://marc.info/?l=openbsd-cvsm=118781535213730w=2
 |
 | No active work with WPA  in OpenBSD 4.3 or -current?
 |
 | P.S. I'm not waiting for a kind of reply like: WPA is bad - use VPN
 | tunnels ;)
 |
 | Thank you,
 |
 | -
 | Dominik Zalewski | System Administrator
 | OpenCraft
 | t- +2 02 3336 0003
 | w- http://www.open-craft.com



Re: soekris/pcengines and RO mounting

2008-03-25 Thread openbsd misc
Hello,

I use flashdist:

http://www.nmedia.net/flashdist/

It's easy to use and easy to customize.

Regards
  Hagen Volpers


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On behalf of Martin Marcher
 Sent: Sunday, 23 March 2008 15:18
 To: misc@openbsd.org
 Subject: soekris/pcengines and RO mounting

 Hello,

 being relatively new to obsd I have the problem of finding
 the right doc parts.

 What I'm looking for are starting points to read about what to do when
 RO mounting the root fs (and all other parts) especially on CF-media.

 So my ultimate target would be to:

  * mount as much as possible RO
  * still have system logging available (nfs mounting, logserver,
 whatever suits best - any pointers welcome)
  * main concern is exhaustion of write cycles on CF media

 usage of the box will be a home router in the first place and probably
 expanding to a file server and pxe boot server with usb drives
 attached to it for storage.

 I am familiar with general (linux) process of RO mounting partitions
 but I don't have any experience with CF cards and read that it's
 probably best to RO mount CF-media. Forgive me the missing/wrong
 terminology but I found just too much infos/howtos with differing tips
 on whether to care about write cycles or not, or special needs to take
 care of with CF media.

 Hope it makes sense what I ask for

 thanks
 martin

 --
 http://tumblr.marcher.name
 https://twitter.com/MartinMarcher
 http://www.xing.com/profile/Martin_Marcher
 http://www.linkedin.com/in/martinmarcher

 You are not free to read this message,
 by doing so, you have violated my licence
 and are required to urinate publicly. Thank you.



Re: Redirect traffic based on sub-domain?

2008-04-27 Thread openbsd misc
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On behalf of Markus Bergkvist
 Sent: Sunday, 27 April 2008 23:45
 To: OpenBSD Misc
 Subject: Redirect traffic based on sub-domain?

 Hi,

 Is it possible to have PF redirecting traffic based on
 sub-domains? I.e.
 I want traffic to a.mydomain.nu to be redirected to machine 'a and
 traffic to b.mydomain.nu to be redirected to machine 'b'.'

 /Markus



Hi,

that's not possible because the dns-name is not transmitted. It's only used
for ip-lookup (http is IMHO the only exception).

Regards
  Hagen Volpers
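Hagen's point is that the sub-domain exists only inside the HTTP request, so a reverse proxy can dispatch on it where PF cannot. This added example (not from the thread) shows that Host-header dispatch; the backend table and the sample requests are constructed.

```python
"""Why PF cannot redirect by sub-domain, but an HTTP proxy can.

Added example, not from the thread. Backend table, hostnames and sample
requests are constructed for illustration.
"""
from typing import Optional, Tuple

# Constructed mapping. The name "a.mydomain.nu" is only present in the HTTP
# Host header, i.e. in application data that PF does not look at.
BACKENDS = {
    "a.mydomain.nu": ("192.0.2.10", 80),   # machine 'a' (documentation address)
    "b.mydomain.nu": ("192.0.2.11", 80),   # machine 'b'
}


def parse_host_header(request: bytes) -> Optional[str]:
    """Return the normalised Host value of an HTTP/1.x request head, or None.

    Only the header block up to the first blank line is examined. A missing
    or duplicated Host header yields None; both are treated as invalid rather
    than guessed at, since the client fully controls this field.
    """
    head, _, _ = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")[1:]                 # skip the request line
    hosts = [l.split(b":", 1)[1] for l in lines if l.lower().startswith(b"host:")]
    if len(hosts) != 1:
        return None
    host = hosts[0].strip().decode("ascii", "replace").lower()
    if host.startswith("["):                        # IPv6 literal: keep brackets, drop :port
        host = host.split("]")[0] + "]"
    elif ":" in host:                               # drop an optional :port
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".") or None


def select_backend(request: bytes) -> Optional[Tuple[str, int]]:
    """Pick the backend for a request.

    Unknown or missing hosts get None, never a default backend: dispatching
    only to names explicitly listed keeps a forged Host header from steering
    traffic somewhere unexpected.
    """
    host = parse_host_header(request)
    if host is None:
        return None
    return BACKENDS.get(host)


# Constructed sample requests.
REQ_A = b"GET /index.html HTTP/1.1\r\nHost: A.mydomain.nu:80\r\nUser-Agent: x\r\n\r\n"
REQ_B = b"GET / HTTP/1.1\r\nHost: b.mydomain.nu\r\n\r\n"
REQ_UNKNOWN = b"GET / HTTP/1.1\r\nHost: other.example\r\n\r\n"
REQ_NO_HOST = b"GET / HTTP/1.0\r\n\r\n"
REQ_DUP_HOST = b"GET / HTTP/1.1\r\nHost: a.mydomain.nu\r\nHost: b.mydomain.nu\r\n\r\n"
```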



PAE and Non-PAE current snapshots

2006-04-24 Thread Adriaan Misc
For those who haven't noticed ;)

From ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/i386/

man39.tgz   7360 KB 04/24/0616:16:00
misc39.tgz  2228 KB 04/24/0616:16:00
non-pae 04/24/0617:54:00
pxeboot 50 KB   04/24/0616:16:00
xbase39.tgz 10318 KB04/24/0612:29:00

==Adriaan==



Re: REPOST: console on 3.9-current question

2006-04-25 Thread Adriaan Misc
On 4/25/06, J.D. Bronson [EMAIL PROTECTED] wrote:
 I was surprised that no one replied on this list about this
 issue...so I wanted to repost it ONE time. Someone out there must
 also be seeing this and if its normal..I would like to know...(and if
 its normal..why)

 REPOST:

 After further testing, its not only the console, but also over SSH.
 (on the same LAN segment) - so that would eliminate a few possibilities.

 I noticed this awhile back on 3.9-current and it is still there in
 the latest snapshot I tried (4/22)...I am hoping someone has seen this..

 I installed from the snapshot and didnt customize a thing. When the
 machine is done loading (IBM rack server)...I simply logged in (as
 root at the moment).

 I am not running serial or headless. I have a normal monitor/keyboard
 (PS2) plugged in.

 When I type at the console to begin to setup the machine, the
 characters do not follow me in real time as I type. Its like I am on
 an overseas long distance 300 baud dialup line.

 There is quite a delay and sometimes I can type several words and
 then a few seconds later - they show up.

 This does not happen on the same machine if I install 3.8.

 I have (4) identical machines (make/model/ram/cpu/hard drives) and
 they all work fine with 3.8 - it is only past 3.8 that I noticed this.

 Any thoughts?

 -JD

From http://openbsd.unixtech.be/report.html:
[quote]

Current version problem reports

If your problem is with the current source tree rather than a release
or stable tree,

   1. Test the problem at least twice, with source updated a few days apart.

[endquote]
Or try a new current snapshot.. You now even have the choice between
non-PAE and very-close-to-PAE ones ;)

==Adriaan==



Re: WPA support / creating a cf image

2006-08-03 Thread openbsd misc
Hello,

that's exactly what I'm doing at the moment... :-) But that doesn't create an
image. The problem is in short: C/H/S. But it looks like I already answered my
question within the question ;-). m0n0wall is using physdiskwrite (which was
written to be able to flash cf cards under windows):

*   FreeBSD:
gzcat net45xx-xxx.img | dd of=/dev/rad[n] bs=16k
where n = the ad device number of your CF card (check dmesg); use
net48xx-xxx.img for net4801 and wrap-xxx.img for WRAP instead
(ignore the warning about trailing garbage - it's because of the digital
signature)
*   Linux:
gunzip -c net45xx-xxx.img | dd of=/dev/hdX bs=16k
where X = the IDE device name of your CF card (check with hdparm -i /dev/hdX)
- some adapters, particularly USB, may show up under SCSI emulation as
/dev/sdX
(ignore the warning about trailing garbage - it's because of the digital
signature)
*   Windows:
physdiskwrite net45xx-xxx.img

I'll try to create an image using flashdist (some modifications needed, but I
hope that's not too hard ;-)), gzip it and then I'll try to write it to a cf
card using windows.

Regards
 Hagen Volpers




From: Ryan Corder [mailto:[EMAIL PROTECTED]
Sent: Thu 03.08.2006 14:41
To: openbsd misc
Cc: misc@openbsd.org
Subject: Re: WPA support / creating a cf image



On Wed, 2006-08-02 at 23:23 +0200, openbsd misc wrote:
 My question is, if there is a way to create such an image. For
 me it looks like an openbsd specific problem as it is
 possible with freebsd (www.m0n0.ch/wall). Perhaps here is
 someone who has an idea.

quite possible and easy to do, check out flashdist:
http://www.nmedia.net/~chris/soekris

[...]



FW: WPA support / creating a cf image

2006-08-03 Thread openbsd misc
Sorry, wrong recipient. ;-) see below...



From: openbsd misc
Sent: Thu 03.08.2006 16:15
To: Shane J Pearson
Subject: Re: WPA support / creating a cf image


Hello,

my problem is, that I need the vpn at boot time. I cannot build a vpn from
client to server, only from openbsd to headoffice. I'm not a fan of wireless
lan, but my customers want it... The only way is to put an access point next
to the wrap system, but I want an all-in-one solution, because it has to be
customer-friendly.
Are there any reasons why wpa is not implemented for now?



From: [EMAIL PROTECTED] on behalf of Shane J Pearson
Sent: Thu 03.08.2006 15:27
To: misc Misc
Subject: Re: WPA support / creating a cf image



On 2006.08.03, at 10:41 PM, Ryan Corder wrote:

 First, get past the notion of secure wireless...it doesn't
 exist.  The best solution for a more secure wireless network
 is for you to implement a WEP-encrypted environment and establish
 a VPN over it.

What about an open wireless network, which does not allow anything to
be routed out of the OpenBSD WAP unless it is authpf authorised. Then
only VPN traffic.

This couldn't be considered secure enough?


Shane



Re: WPA support / creating a cf image

2006-08-03 Thread openbsd misc
Ok, that didn't work. You can create an image. But image will only work on 
identical
cf-cards (same C/H/S). Is that an openbsd specific problem (bootloader) or how 
can
I get rid of that?
I need an image that works on every cf-card. Any idea? I don't want to switch to
freebsd...

Regards
  Hagen Volpers


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of openbsd misc
Sent: Thursday, 3 August 2006 16:13
To: [EMAIL PROTECTED]
Cc: misc@openbsd.org
Subject: Re: WPA support / creating a cf image

Hello,

that's exactly what I'm doing at the moment... :-) But that doesn't create an
image. The problem is in short: C/H/S. But it looks like I already answered my
question within the question ;-). m0n0wall is using physdiskwrite (which was
written to be able to flash cf cards under windows):

*   FreeBSD:
gzcat net45xx-xxx.img | dd of=/dev/rad[n] bs=16k
where n = the ad device number of your CF card (check dmesg); use
net48xx-xxx.img for net4801 and wrap-xxx.img for WRAP instead
(ignore the warning about trailing garbage - it's because of the digital
signature)
*   Linux:
gunzip -c net45xx-xxx.img | dd of=/dev/hdX bs=16k
where X = the IDE device name of your CF card (check with hdparm -i /dev/hdX)
- some adapters, particularly USB, may show up under SCSI emulation as
/dev/sdX
(ignore the warning about trailing garbage - it's because of the digital
signature)
*   Windows:
physdiskwrite net45xx-xxx.img

I'll try to create an image using flashdist (some modifications needed, but I
hope that's not too hard ;-)), gzip it and then I'll try to write it to a cf
card using windows.

Regards
 Hagen Volpers




From: Ryan Corder [mailto:[EMAIL PROTECTED]
Sent: Thu 03.08.2006 14:41
To: openbsd misc
Cc: misc@openbsd.org
Subject: Re: WPA support / creating a cf image



On Wed, 2006-08-02 at 23:23 +0200, openbsd misc wrote:
 My question is, if there is a way to create such an image. For
 me it looks like an openbsd specific problem as it is
 possible with freebsd (www.m0n0.ch/wall). Perhaps here is
 someone who has an idea.

quite possible and easy to do, check out flashdist:
http://www.nmedia.net/~chris/soekris

[...]



Re: WPA support / creating a cf image

2006-08-03 Thread openbsd misc
My plan is to build a default flashdist. Afterwards I want to build
tgz to install additional files. But that all doesn't make sense as
long as you aren't able to create a simple image that can be written
to every CF card running on every system (as long as the kernel
supports the hardware).
I found this comment in flashdist.sh:

# This script contains a stupid method which occasionally works to make this
# media bootable on a destination which uses a different c/h/s translation
# than the host system.  Of course, this is really just a hack.  This
# hack is no longer necessary with OpenBSD's newer LBA MBR, but left in place
# because it does no harm.

At the moment I try to figure out how to change the image MBR to LBA.
I hope that's the correct way.

Regards
  Hagen Volpers


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Ryan Corder
Sent: Thursday, 3 August 2006 21:08
To: Jeff Quast
Cc: misc@openbsd.org
Subject: Re: WPA support / creating a cf image

On Thu, 2006-08-03 at 14:47 -0400, Jeff Quast wrote:
 I understand this is a problem of target systems translating C/H/S
 values differently. There is no problem in dynamically using OpenBSD's
 idea of C/H/S values at build time. However, OpenBSD on two different
 machines can provide completely different C/H/S values on the exact
 same card. Correct me if I'm wrong.

 I don't think rolling your own would help in this way.

 I've heavily modified flashdist.sh to work in a different manner... I
 don't like the idea of building a complete system thats a mangled
 version of OpenBSD that needs to be maintained and provided for you.
 This is the common 'giving the people what they want' distribution
 format, and making those of us who want to modify it even the
 slightest bit work that much harder.

 I've changed the format of flashdist to accept an overlay/
 directory, containing any /etc/, /bsd, /usr/local, etc. additions or
 changes to overlay over the target CF card after a default install
 (extracting basesets).

that's exactly where I was going with it.  I too have heavily modified
flashdist.sh for my own needs and my stuff sounds similar to yours...an
overlay type of setup.

the problem that the original poster is facing is that the script he is
using does everything for him...including setting up and partitioning
the CF.  What would be nice is for similar script or program that just
gathered everything up that is required for the system to run and create
an image out of that.  Let the user handle setting up the individual CF
cards and just provide an image of the hard drive contents to be
flashed over via dd.

--
Ryan Corder [EMAIL PROTECTED]
Systems Engineer, NovaSys Health LLC.
501-219- ext. 646




Re: WPA support / creating a cf image

2006-08-04 Thread openbsd misc
Thanks for that tip. I wrote a bootsector to my cf card and booted. But it 
looks like biosboot isn't able to use lba (; instead of .), even if I change 
wrap bios setting to lba. I wasn't able to figure out why. At the moment I'm 
playing around with grub and lilo to find out if these have the same problem 
with the wrap system.
I'll ask on the m0n0wall mailinglist how they solved that issue, perhaps I can 
find a solution there... :/

Regards
  Hagen Volpers

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Stuart Henderson
Sent: Thursday, 3 August 2006 22:00
To: misc@openbsd.org
Subject: Re: WPA support / creating a cf image

On 2006/08/03 14:47, Jeff Quast wrote:
 values differently. There is no problem in dynamically using OpenBSD's
 idea of C/H/S values at build time. However, OpenBSD on two different
 machines can provide completely different C/H/S values on the exact

yes, this was a bit of a pain for this type of thing until
biosboot(8) got changed to use LBA a couple of years ago.



Re: WPA support / creating a cf image

2006-08-04 Thread openbsd misc
Hello Jeff,

 Misc,

first of all: my name is Hagen... :-) I have one account for every
mailing list and I cannot change display name
(exchange disadvantage)... ;-)

 Please make sure to update the firmware on your wrap, as you hadn't
 mentioned it. pcengines.ch walks through this. It is quite simple. The
 tinybios revision is usually (..always) out of date. Some features
 listed in the tinybios that come on the wrap don't always work, or
 work correctly.

Thanks for your tip, but I have tinyBios 1.11 installed (the last
one mentioned on pcengines site). I created a new etherboot image
because of an pxeboot bug. So everything should be up to date. I
created mbr several times on two cf cards - fdisk / installboot.
I wasn't able to change to lba mode. I don't know why (I changed
wrap bios settings also). There is always the ;... :/
I don't know where I made a mistake (if there is one). I haven't found
a site where someone was able to boot a wrap system without using
C/H/S. Looks like openbsds bootloader isn't able to boot a wrap
system in lba mode. I'm only wondering why freebsd / linux seems
to be able to.
I'll go ahead building my system (basing on flashdist), perhaps
I'll try to get rid of the C/H/S problem afterwards.

 Good luck, let us know how it works out?

I think I'll need that... ;-) Let me know if you have further
tips / ideas. I'll let you know if I found a solution.

 Jeffrey Quast

Regards
  Hagen Volpers



Re: WPA support / creating a cf image

2006-08-04 Thread openbsd misc
 I understand this is a problem of target systems translating C/H/S
 values differently. There is no problem in dynamically using OpenBSD's
 idea of C/H/S values at build time. However, OpenBSD on two different
 machines can provide completely different C/H/S values on the exact
 same card. Correct me if I'm wrong.

 [...]
 
 Just because flashdist asks for C/H/S doesn't mean that the image be
applied
 to a card with that exact C/H/S.  This was the case before OpenBSD
switched
 to the LBA based MBR.  Now, as long as the CF image fits on the card,
it should
 boot.

It should boot, but it doesn't.  I'm using a WRAP system and:

[...]
Using drive 0, partition 3;
Loading;.
[...]

For some reason I cannot use LBA (even if I switch in WRAP bios). I
wasn't able to figure out how. If I use your script everything is
working...
What I don't understand is, why other systems work (m0n0wall for
example).
Any idea?

Regards
  Hagen Volpers



Re: WPA support / creating a cf image (SOLVED)

2006-08-04 Thread openbsd misc
I got it working now. Looks like the wrap system simulates some kind
of C/H/S in lba mode. OpenBSD is still telling me that I'm in C/H/S
mode:

Using drive 0, partition 3;
Loading;.

But more important is that:

01F0 Master 848A SAMSUNG CF/ATA
Phys C/H/S 1010/16/63 Log C/H/S 505/32/63

The log values seems to be identical on every CF card (except Cylinder).
My two CF cards are totally different:

128MB - C/H/S 498/16/32
512MB - C/H/S 1010/16/63

I'm able to boot both cards with the same image (created with the
flashdist
wrapper script - gzip image - written with physdiskwrite under windows).

I set cylinders to 60 to get an 60MB image and everything is working
fine now.

Btw, why do I not need to change the bios setting for the m0n0wall
image?
Any idea?

Regards
  Hagen Volpers

 I understand this is a problem of target systems translating C/H/S
 values differently. There is no problem in dynamically using OpenBSD's
 idea of C/H/S values at build time. However, OpenBSD on two different
 machines can provide completely different C/H/S values on the exact
 same card. Correct me if I'm wrong.

 [...]
 
 Just because flashdist asks for C/H/S doesn't mean that the image be
applied
 to a card with that exact C/H/S.  This was the case before OpenBSD
switched
 to the LBA based MBR.  Now, as long as the CF image fits on the card,
it should
 boot.

It should boot, but it doesn't.  I'm using a WRAP system and:

[...]
Using drive 0, partition 3;
Loading;.
[...]

For some reason I cannot use LBA (even if I switch in WRAP bios). I
wasn't able to figure out how. If I use your script everything is
working...
What I don't understand is, why other systems work (m0n0wall for
example).
Any idea?

Regards
  Hagen Volpers
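The geometry arithmetic behind the observations in this thread, as an added example (not code from the thread or from flashdist): sector counts for the BIOS-reported geometries, the C/H/S to LBA translation, and the packed C/H/S field of an MBR partition entry. The partition entries are constructed.

```python
"""Geometry arithmetic behind the C/H/S vs LBA observations in the thread.

Added example, not from the thread. The geometries are the ones the WRAP
BIOS printed; the partition entry bytes are constructed here.
"""
from typing import Tuple

CHS = Tuple[int, int, int]   # (cylinder, head, sector); sectors count from 1

PHYS_512MB = (1010, 16, 63)  # Phys C/H/S of the 512MB card
LOG_512MB = (505, 32, 63)    # Log C/H/S the BIOS presents for the same card
CHS_128MB = (498, 16, 32)    # the 128MB card


def total_sectors(geom: CHS) -> int:
    c, h, s = geom
    return c * h * s


def chs_to_lba(chs: CHS, heads: int, spt: int) -> int:
    """Classic translation: LBA = (C * heads + H) * spt + (S - 1)."""
    c, h, s = chs
    if not (0 <= h < heads and 1 <= s <= spt):
        raise ValueError("CHS value outside the given geometry")
    return (c * heads + h) * spt + (s - 1)


def lba_to_chs(lba: int, heads: int, spt: int) -> CHS:
    c, rem = divmod(lba, heads * spt)
    h, s0 = divmod(rem, spt)
    return (c, h, s0 + 1)


def decode_mbr_chs(raw: bytes) -> CHS:
    """Unpack the 3-byte CHS field of an MBR partition entry.

    byte0 = head; byte1 bits 0-5 = sector, bits 6-7 = cylinder bits 8-9;
    byte2 = cylinder bits 0-7. Cylinders therefore saturate at 1023.
    """
    head = raw[0]
    sector = raw[1] & 0x3F
    cyl = ((raw[1] & 0xC0) << 2) | raw[2]
    return (cyl, head, sector)


def encode_mbr_chs(chs: CHS) -> bytes:
    c, h, s = chs
    if not (0 <= c <= 1023 and 0 <= h <= 255 and 1 <= s <= 63):
        raise ValueError("value does not fit the packed MBR CHS field")
    return bytes([h, ((c >> 2) & 0xC0) | s, c & 0xFF])


def entry_chs_matches_lba(entry: bytes, heads: int, spt: int) -> bool:
    """Does the packed start CHS of a 16-byte entry agree with its LBA start
    under the given translation? A CHS-only loader implicitly relies on this;
    a geometry mismatch sends it to the wrong sector, an LBA loader ignores it."""
    start_chs = decode_mbr_chs(entry[1:4])
    start_lba = int.from_bytes(entry[8:12], "little")
    return chs_to_lba(start_chs, heads, spt) == start_lba


def make_entry(start_lba: int, size: int, heads: int, spt: int,
               ptype: int = 0xA6) -> bytes:
    """Constructed 16-byte MBR entry (0xA6 = OpenBSD) with CHS fields
    computed for one geometry and the LBA fields geometry-independent."""
    end_lba = start_lba + size - 1
    return (bytes([0x80]) + encode_mbr_chs(lba_to_chs(start_lba, heads, spt))
            + bytes([ptype]) + encode_mbr_chs(lba_to_chs(end_lba, heads, spt))
            + start_lba.to_bytes(4, "little") + size.to_bytes(4, "little"))
```

Both 512MB geometries describe the same 1018080 sectors, which is why the card works once the loader reads the LBA fields; the CHS fields only stay valid on a system that translates the same way.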



Re: Smallest OpenBSD box

2006-08-08 Thread openbsd misc
Hello,

 Hi,
 
 I would like to know that is the smallest box ( in terms of size )
 that can be used to Install OpenBSD and used as a firewall. It should
 have a hard disk also, and at least 2 NIC Interfaces.

The smallest box I know is a WRAP system (www.pcengines.ch). It's
15x15cm,
up to 3 nics, one or two mini-pci slots, and one serial port.

 Thank you so much

no problem... ;-)

 Kind Regards
 
 Siju 

Regards
  Hagen Volpers



Re: Apache proxy settings not working

2006-08-08 Thread openbsd misc
Hello,

 No it's reverse. I want all incoming requests from the Internet to a 
 certain virtual host (in this case webmail.sendmail.tv) to be
redirected 
 to an internal host running the webmail app server (on 10.10.33.3 port

 81). For some reason, the proxy in OpenBSD's httpd doesn't take the 
 10.10.33.3 portion and replaces it with 0.0.0.0. So this request 
 fails...I saw another poster post a similar bug (on the same arch -
SPARC).

Did you try it with a dns name? I'm using /var/www/etc/hosts (httpd is
chrooted per default) for that.

 Warm regards,

Regards
  Hagen Volpers



Re: broadcast IPs in a public /29 block

2006-08-08 Thread openbsd misc
Hello,

 while mucking around with reverse DNS for a /29 public netblock i use,
i noticed
 that my ISP, SBC, had only aliased 6 of the 8 IPs in the /29 block for
use with
 rDNS. after seeing this, i did a bit of homework and found graham
toal's
 explanation of the missing IPs ( http://www.gtoal.com/subnet.html )
which
 presents this issue quite clearly. this did leave me with some
additional
 questions though.

it's very important to understand how ip subnetting and routing is
working. Many people didn't understand (like dns). That's why even
companies like microsoft have problems in their networks / dns. Read it
carefully and think about it. Having a deeper look into the RFCs is also
a good idea.

 i have been hosting websites on these reserved boundary IPs in the /29
block
 with no trouble using binat. should i not be doing this since these
are reserved
 IPs for broadcast? i have moved one domain from the boundary already
since it
 needed rDNS setup. how regularly are these reserved broadcast
addresses at the
 beginning and end of the netblock used and for what sorts of services?

These reserved ip-addresses are needed so it's very regular. Using binat
is a way to avoid losing ip-addresses but it's unusual. There is no
problem in using them (like you did) but it's also normal that you cannot
set rdns entries for those. Normally you route a net and do not binat
them, therefore the two reserved ip-addresses are needed.
Talk to your isp and ask him if he can set your rdns entries manually.

 cheers,
 jake

Regards
  Hagen Volpers



Re: Apache proxy settings not working

2006-08-08 Thread openbsd misc
 openbsd misc wrote:
 
  Did you try it with a dns name? I'm using /var/www/etc/hosts (httpd
is
  chrooted per default) for that.
 
 Bingo!

;-)

 # mkdir /var/www/etc/
 # cp /etc/hosts /var/www/etc/hosts
 # chown -R www:www /var/www/etc/hosts

Your chown is not a good idea. Should be:

chown root:wheel /var/www/etc/hosts
chmod 644 /var/www/etc/hosts

Never give write rights to a webserver... ;-)

 It works!! Thank you

No problem... ;-)

Regards
  Hagen Volpers
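A check for the advice above, added here and not from the thread: walk a directory such as /var/www and report anything the web server's user could modify. The directory and the service user name (www) are parameters.

```python
"""Permission audit for files copied into httpd's chroot (/var/www on OpenBSD).

Added example, not from the thread. Walks a directory and reports files the
web server's user could alter; the path and user name are whatever you pass.
"""
import os
import pwd
import stat
from typing import Dict, List, Optional


def _uid_of(user: str) -> Optional[int]:
    try:
        return pwd.getpwnam(user).pw_uid
    except KeyError:
        return None   # user unknown on this host; only the mode checks apply


def writable_by_service(path: str, service_user: str = "www",
                        service_uid: Optional[int] = None) -> List[str]:
    """Reasons why the service user could alter path; empty means it is fine.

    Flagged: owned by the service user (it could chmod the file anyway),
    group- or world-writable, or a symlink (its target can be swapped by
    whoever controls the link's directory). service_uid overrides the name
    lookup, which keeps the check usable where the user does not exist.
    """
    st = os.lstat(path)
    reasons: List[str] = []
    if stat.S_ISLNK(st.st_mode):
        reasons.append("symlink")
    uid = service_uid if service_uid is not None else _uid_of(service_user)
    if uid is not None and st.st_uid == uid:
        reasons.append("owned by service user")
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_chroot(root: str, service_user: str = "www",
                 service_uid: Optional[int] = None) -> Dict[str, List[str]]:
    """Map every offending path below root to its list of reasons."""
    findings: Dict[str, List[str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            reasons = writable_by_service(p, service_user, service_uid)
            if reasons:
                findings[p] = reasons
    return findings


if __name__ == "__main__":
    import sys
    for path, why in sorted(audit_chroot(sys.argv[1] if len(sys.argv) > 1
                                         else "/var/www").items()):
        print(path, ", ".join(why))
```

The file from the thread, owned root:wheel with mode 644, produces no finding; the same file owned by www or left group-writable is reported.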



Re: Smallest OpenBSD box

2006-08-08 Thread openbsd misc
That's true. He didn't write his requirements. I'm handling everything
on ramdisks (dnscache from djbdns, squid, log-files) and it's working
fine (for a small environment). Soekris are more expensive, but they
have advantages... :-)
Openbrick could also be an option. I bought some machines here: 
http://www.visionsystems.de/ (Embedded Systems)
It's a German company but I think they ship to other countries, too.

Regards
  Hagen Volpers

 The wrap does not support HDD's, CF only. You'll be better off with a
soekris:
 
 http://www.soekris.com/
 
 Cheers z0mbix
 
 On 08/08/06, openbsd misc [EMAIL PROTECTED] wrote:
  Hello,
 
   Hi,
  
   I would like to know that is the smallest box ( in terms of size )
   that can be used to Install OpenBSD and used as a firewall. It
should
   have a hard disk also, and at least 2 NIC Interfaces.
 
  The smallest box I know is a WRAP system (www.pcengines.ch). It's
  15x15cm,
  up to 3 nics, one or two mini-pci slots, and one serial port.
 
   Thank you so much
 
  no problem... ;-)
 
   Kind Regards
  
   Siju
 
  Regards
Hagen Volpers



smtp proxy

2006-08-09 Thread openbsd misc
Hello,

I'm looking for an smtp proxy. The idea is that the proxy checks the
smtp session (if everything is valid) and forwards the information to an
exchange-server. The forwarding should happen step-by-step (the smtp
proxy should be able to drop the session to deny a recipient). The mail
itself should be streamed (because the proxy should run in memory only).
Does someone know such a solution?

Regards
  Hagen Volpers



Re: smtp proxy

2006-08-09 Thread openbsd misc
  openbsd misc wrote:
  Hello,
 
  I'm looking for a smtp proxy. The idea is, that the proxy checks the
  smtp session (if everything is valid and forward the information to
an
  exchange-server). The forwards should happen step-by-step (the smtp
  proxy should be able to drop to be able to deny the recipient). The
mail
  itself should be streamed (because the proxy should run in memory
only).
  Does someone know such a solution?
 
  Regards
Hagen Volpers
 
 
 
 Hi,
 
 use a standard smtp daemon (sendmail, postfix or whatever) and put the
 spooling directory in a ramdisk  :-)
 
 
 guido

Hi,

the problem is that the smtp proxy should not be allowed to queue a
message, else the size of the ramdisk would set the maximum message
size. To avoid that, I need a solution that streams the mail after
checking the envelope (smtp session) information. It should also drop
the connection if the exchange server is down.
Without that problem I would take qmail.

Regards
  Hagen Volpers



Re: smtp proxy

2006-08-09 Thread openbsd misc
 Hi,
 
 use a standard smtp daemon (sendmail, postfix or whatever) and put
the
 spooling directory in a ramdisk  :-)
 
 
   Don't bother with the ramdisk. disk is cheap and fast compared
 to smtp.
 
 
   OpenBSD spamd in front of a cluster of sendmail/postfix running
 boxes which have the valid list of recipients, and where the mail ends
 up (i.e. which exchange server[s]). Not hard to do, and scales almost
 infinitely.  spamd box does greylisting and then round robins the smtp
 connections to a cluster of receive/process boxes. Those boxes have 
 the list of valid users, and if you want can do some sort of mail
 filtering/processing (i.e. spamassassin, clamav, etc. etc.) whatever
 gets through that is forwarded on to MmmSexChange.
 
   Fooling around with ramdisk/passthrough stuff is more trouble
 than it is worth.

The only thing I can use is a ramdisk. I want it to run on a wrap
system. Writing to the cf card is not an option, and all I have
is 128MB RAM. There are only two options:

- forward 25 -> exchange (not a good one... I think you know why ;-))
- check envelope information -> forward to exchange, stream the
  message

I hope that makes it clearer (my mistake in my first mails ;-))

   -Bob
Regards
  Hagen Volpers



pf - strange behavior

2006-08-10 Thread openbsd misc
Hello,

I have a problem I have no explanation for. Here's the situation: I have
a Windows XP client pinging (ping -t) an internet host (nat through my
obsd testsystem). That's my pf.conf:

# cat /etc/pf.conf
ext_if=pppoe0
int_if=sis1
set block-policy return
set skip on lo
scrub in
nat on $ext_if from !($ext_if) -> ($ext_if:0)
block in
pass out keep state
antispoof quick for { lo $int_if }
pass in on $ext_if inet proto tcp from any to ($ext_if) port { 22 } flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick proto { tcp, udp } from { 192.168.122.0/24 } to 192.168.122.2 port { 53 }
pass quick on $int_if

After rebooting my obsd system (while ping is running), ping
cannot get through when the system comes up again. The obsd system
sends out icmp packets without nat. The source ip address is
192.168.122.128, but it should be the public ip-address of the
obsd system (first line):


# pfctl -ss
all icmp 192.168.122.128:512 -> 193.99.144.85   0:0
all udp 84.60.163.18:3790 -> 194.88.212.200:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:33159 -> 131.174.122.206:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:40242 -> 83.229.141.2:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:31316 -> 83.67.64.230:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:9757 -> 82.165.43.21:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:17612 -> 72.1.138.113:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:24708 -> 69.182.190.97:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:42679 -> 69.59.178.92:123   MULTIPLE:MULTIPLE
all icmp 192.168.122.16:512 -> 84.60.163.18:34545 -> 193.99.144.85   0:0
all tcp 84.60.163.18:22 <- 212.46.125.234:2840   ESTABLISHED:ESTABLISHED
all tcp 192.168.122.16:52556 -> 84.60.163.18:55884 -> 212.227.15.161:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52557 -> 84.60.163.18:54733 -> 212.227.15.161:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52558 -> 84.60.163.18:53237 -> 151.189.21.113:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52559 -> 84.60.163.18:55113 -> 212.227.85.5:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52562 -> 84.60.163.18:58754 -> 212.227.85.5:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52563 -> 84.60.163.18:54019 -> 212.227.85.5:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52569 -> 84.60.163.18:62152 -> 212.227.85.5:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52570 -> 84.60.163.18:61073 -> 212.227.85.5:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52574 -> 84.60.163.18:51917 -> 212.227.15.161:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52575 -> 84.60.163.18:53399 -> 212.227.15.161:110   FIN_WAIT_2:FIN_WAIT_2


The really strange thing is the windows server 2003 (192.168.122.16).
It's also running the ping all the time. Its packets get caught by the
nat rule correctly.
If I stop the ping on the windows xp system, wait 10sec (icmp.error
value) and ping again, everything is working fine:

after 10sec:
all icmp 192.168.122.128:512 -> 84.60.163.18:5939 -> 193.99.144.85   0:0


And here's my question: WHY? =) As you can see the windows server
created several connections. I think that the icmp packets get
caught by nat because it creates other connections, too.

Btw, I'm using kernel based pppoe (using spppcontrol) to get a
connection to my isp.

Before you ask, here is some more information =):

# pfctl -sa
TRANSLATION RULES:
nat on pppoe0 from ! (pppoe0) to any -> (pppoe0:0)

FILTER RULES:
scrub in all fragment reassemble
block return in all
pass out all keep state
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on ! sis1 inet from 192.168.122.0/24 to any
block drop in quick inet from 192.168.122.2 to any
block drop in quick on sis1 inet6 from fe80::20d:b9ff:fe04:5ea5 to any
pass in on pppoe0 inet proto tcp from any to (pppoe0) port = ssh flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick inet proto tcp from 192.168.122.0/24 to 192.168.122.2 port = domain
pass in quick inet proto udp from 192.168.122.0/24 to 192.168.122.2 port = domain
pass quick on sis1 all
No queue in use

STATES:
all udp 84.60.163.18:3790 -> 194.88.212.200:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:33159 -> 131.174.122.206:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:40242 -> 83.229.141.2:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:31316 -> 83.67.64.230:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:9757 -> 82.165.43.21:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:17612 -> 72.1.138.113:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:24708 -> 69.182.190.97:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:42679 -> 69.59.178.92:123   MULTIPLE:MULTIPLE
all icmp 192.168.122.16:512 -> 84.60.163.18:34545 -> 193.99.144.85   0:0
all tcp 84.60.163.18:22 <- 212.46.125.234:2840   ESTABLISHED:ESTABLISHED
all tcp 

WG: pf - strange behavior

2006-08-19 Thread openbsd misc
Hello,

nobody has an answer for that? :/ Or was my explanation not English enough? =) 
Please let me know if something is ambiguous.

Regards
  Hagen Volpers

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of openbsd misc
Sent: Thursday, 10 August 2006 23:31
To: OpenBSD Misc
Subject: pf - strange behavior


Re: pf - strange behavior

2006-08-19 Thread openbsd misc
 On 8/19/06, openbsd misc [EMAIL PROTECTED] wrote:
 Hello,

 nobody has an answer for that? :/ Or was my explanation not english
enough? =) Please let me know if something is ambiguous.

 Regards
   Hagen Volpers


 Hi,
Hello,

 I do not know about pf, but maybe I can help anyway. Did you
 investigate why these two states look different?
 all icmp 192.168.122.128:512 -> 193.99.144.85   0:0
 all icmp 192.168.122.16:512 -> 84.60.163.18:34545 -> 193.99.144.85 0:0

That's exactly my question. ;-) These states should not be different,
but they are...

 Also, have you tried looking at the state table _after_ restarting the
 pings? Does it look the same or different?

Yes. It looks different (like the other line) if you wait for 10 seconds
(udp timeout) before starting the ping again.

I think this behavior is not correct (or my pf.conf isn't). I wasn't
able to figure out why this happens.

I had these problems on a WRAP system (i386).

 -Nick

Regards
  Hagen Volpers



Re: pf - strange behavior

2006-08-20 Thread openbsd misc
On 8/19/06, openbsd misc [EMAIL PROTECTED] wrote:
   On 8/19/06, openbsd misc [EMAIL PROTECTED] wrote:
   Hello,
  
   nobody has an answer for that? :/ Or was my explanation not
english
  enough? =) Please let me know if something is ambiguous.
  
   Regards
 Hagen Volpers
  
  
   Hi,
  Hello,
 
    I do not know about pf, but maybe I can help anyway. Did you
    investigate why these two states look different?
    all icmp 192.168.122.128:512 -> 193.99.144.85   0:0
    all icmp 192.168.122.16:512 -> 84.60.163.18:34545 -> 193.99.144.85 0:0
  
   That's exactly my question. ;-) These states should not be different,
   but they are...
 
   Also, have you tried looking at the state table _after_ restarting
the
   pings? Does it look the same or different?
 
  Yes. It looks different (like the other line) if you wait for 10
seconds
  (udp timeout) before starting the ping again.
 
 Okay, so clearly the answer is here.
 
 The one that works is being set up to redirect through 84.60.163.18 (I
 assume this is your router?). The one that doesn't is sending directly
 to the outside world.
 
 
Hello,

as you can see both should be kept by the same rules:

# cat /etc/pf.conf
ext_if=pppoe0
int_if=sis1
set block-policy return
set skip on lo
scrub in
nat on $ext_if from !($ext_if) -> ($ext_if:0)
block in
pass out keep state
antispoof quick for { lo $int_if }
pass in on $ext_if inet proto tcp from any to ($ext_if) port { 22 } flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick proto { tcp, udp } from { 192.168.122.0/24 } to 192.168.122.2 port { 53 }
pass quick on $int_if

The public ip address you mentioned is the one on the pppoe interface.
There are no other entries that could make any changes (I wrote the rc
script on my own =)).

 
 I don't know what that printout means! It's not documented in the
 manpage. Probably have to check the source to see what it is... Here
 that source is, from /sbin/pfctl/pf_print_state.c:
 void
 print_state(struct pf_state *s, int opts)
 {
   struct pf_state_peer *src, *dst;
   struct protoent *p;
   int min, sec;
 
   if (s->direction == PF_OUT) {
     src = &s->src;
     dst = &s->dst;
   } else {
     src = &s->dst;
     dst = &s->src;
   }
   printf("%s ", s->u.ifname);
   if ((p = getprotobynumber(s->proto)) != NULL)
     printf("%s ", p->p_name);
   else
     printf("%u ", s->proto);
   if (PF_ANEQ(&s->lan.addr, &s->gwy.addr, s->af) ||
       (s->lan.port != s->gwy.port)) {
     print_host(&s->lan, s->af, opts);
     if (s->direction == PF_OUT)
       printf(" -> ");
     else
       printf(" <- ");
   }
   print_host(&s->gwy, s->af, opts);
   if (s->direction == PF_OUT)
     printf(" -> ");
   else
     printf(" <- ");
   print_host(&s->ext, s->af, opts);
 
   printf("   ");
   if (s->proto != IPPROTO_ICMP && src->state < PFOTHERS_NSTATES &&
       dst->state < PFOTHERS_NSTATES) {
     /* XXX ICMP doesn't really have state levels */
     const char *states[] = PFOTHERS_NAMES;
 
     printf("   %s:%s\n", states[src->state],
         states[dst->state]);
   }
 
 
 It would seem that, for some reason, on the one that doesn't work,
 PF_ANEQ(&s->lan.addr, &s->gwy.addr, s->af) fails (and presumably the
 other test in that if fails because ICMP lacks ports). Yeah. Um, still
 confused. Too bad PF_ANEQ is a macro, so not in the manpages. Perhaps
 grep the tree for it?

Unfortunately I'm not a developer... :(


 -Nick

Regards
  Hagen Volpers
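
As an added example (not code from the thread or from pfctl), the Python below reads `pfctl -ss` lines in the shape print_state() produces, as quoted in this reply: a state where the lan and gwy addresses differ is printed with three hosts (lan -> gwy -> ext), a state without translation with two (gwy -> ext), and inbound states use `<-`. It then flags the symptom Hagen reports, an outbound state whose visible source is a private address with no NAT hop. The sample lines are constructed from the thread's listing, and the check assumes IPv4.

```python
"""Parse pfctl -ss state lines and flag private sources that left without
translation. Added example, not code from the thread or from pfctl.

Line shapes follow print_state(): with NAT applied, three hosts appear
(lan -> gwy -> ext); without it only two (gwy -> ext). Outbound states are
joined by "->", inbound states by "<-". IPv4 only."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, shaped like the poster's pfctl -ss listing.
SAMPLE_STATES = """\
all icmp 192.168.122.128:512 -> 193.99.144.85   0:0
all udp 84.60.163.18:3790 -> 194.88.212.200:123   MULTIPLE:MULTIPLE
all icmp 192.168.122.16:512 -> 84.60.163.18:34545 -> 193.99.144.85   0:0
all tcp 192.168.122.16:52556 -> 84.60.163.18:55884 -> 212.227.15.161:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 84.60.163.18:22 <- 212.46.125.234:2840   ESTABLISHED:ESTABLISHED
"""

ARROWS = ("->", "<-")


@dataclass
class Host:
    addr: str
    port: Optional[int]


@dataclass
class PfState:
    iface: str
    proto: str
    direction: str        # "out" or "in"
    hosts: List[Host]     # [gwy, ext] without NAT, [lan, gwy, ext] with NAT
    peer_states: str      # e.g. "ESTABLISHED:ESTABLISHED"

    @property
    def translated(self) -> bool:
        """True when pfctl printed the extra lan host, i.e. a NAT applied."""
        return len(self.hosts) == 3


def parse_host(token: str) -> Host:
    """'addr:port' or a bare address (the ICMP ext host has no port)."""
    if token.count(":") == 1:
        addr, port = token.split(":")
        return Host(addr, int(port))
    return Host(token, None)


def parse_state_line(line: str) -> Optional[PfState]:
    parts = line.split()
    if len(parts) < 5:
        return None
    body = parts[2:-1]                       # everything between proto and peer states
    hosts = [parse_host(t) for t in body if t not in ARROWS]
    arrows = [t for t in body if t in ARROWS]
    if not arrows or len(hosts) not in (2, 3):
        return None
    direction = "out" if arrows[0] == "->" else "in"
    return PfState(parts[0], parts[1], direction, hosts, parts[-1])


def parse_states(text: str) -> List[PfState]:
    states = []
    for line in text.splitlines():
        st = parse_state_line(line)
        if st is not None:
            states.append(st)
    return states


def untranslated_private(states: List[PfState]) -> List[PfState]:
    """Outbound states whose visible source is RFC 1918 and whose destination
    is a global address, with no lan -> gwy hop: the thread's symptom."""
    flagged = []
    for st in states:
        if st.direction != "out" or st.translated:
            continue
        src = ipaddress.ip_address(st.hosts[0].addr)
        dst = ipaddress.ip_address(st.hosts[-1].addr)
        if src.is_private and dst.is_global:
            flagged.append(st)
    return flagged


if __name__ == "__main__":
    for st in untranslated_private(parse_states(SAMPLE_STATES)):
        print(f"untranslated: {st.proto} {st.hosts[0].addr} -> {st.hosts[-1].addr}")
```

Fed the live output (`pfctl -ss | python3 check.py` with `sys.stdin.read()` in place of the sample), it is the kind of post-reboot check that would have caught the stale ICMP state without reading the table by eye.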



Re: pf - strange behavior

2006-08-20 Thread openbsd misc
 On 8/20/06, openbsd misc [EMAIL PROTECTED] wrote:
  On 8/19/06, openbsd misc [EMAIL PROTECTED] wrote:
 On 8/19/06, openbsd misc [EMAIL PROTECTED] wrote:
 Hello,

 nobody has an answer for that? :/ Or was my explanation not
  english
enough? =) Please let me know if something is ambiguous.

 Regards
   Hagen Volpers


 Hi,
Hello,
   
 I do not know about pf, but maybe I can help anyway. Did you
 investigate why these two states look different?
  all icmp 192.168.122.128:512 -> 193.99.144.85   0:0
  all icmp 192.168.122.16:512 -> 84.60.163.18:34545 -> 193.99.144.85   0:0
    
 That's exactly my question. ;-) These states should not be
 different, but they are...
   
 Also, have you tried looking at the state table _after_
restarting
  the
 pings? Does it look the same or different?
   
Yes. It looks different (like the other line) if you wait for 10
  seconds
(udp timeout) before starting the ping again.
  
   Okay, so clearly the answer is here.
  
   The one that works is being set up to redirect through
84.60.163.18 (I
   assume this is your router?). The one that doesn't is sending
directly
   to the outside world.
  
  
  Hello,
 
  as you can see both should be kept by the same rules:
 
 This is the router machine?

Yes, it is.

  # cat /etc/pf.conf
  ext_if=pppoe0
  int_if=sis1
  set block-policy return
  set skip on lo
  scrub in
  nat on $ext_if from !($ext_if) -> ($ext_if:0)
  block in
  pass out keep state
  antispoof quick for { lo $int_if }
  pass in on $ext_if inet proto tcp from any to ($ext_if) port { 22 }
  flags S/SA keep state
  pass in inet proto icmp all icmp-type echoreq keep state
  pass in quick proto { tcp, udp } from { 192.168.122.0/24 } to
  192.168.122.2 port { 53 }
  pass quick on $int_if
 
  The public ip address you mentioned is the one on pppoe interface.
There
  are no other entries that could make any changes (I wrote the rc
script
  on my own =)).
 
 misc@ might yell at you for this. I think it's neat, and I like how
 OpenBSD is so simple and clean that I understand I could do that
 completely. However, rc does a lot of stuff, and it's best not to
 tamper with it. It also invokes side scripts like netstart. Use rc.local
 and rc.local.conf instead.

I thought that I had a problem in my rc script, too. The installation
is based on flashdist. That's why I'm not able to put back the old rc
script (too many commands are missing). The point is that two
machines are treated differently. I don't think that this problem can
be found in my rc script. I copied the stuff from netstart and the
pf start is identical to the rc script.
I think there can be only two reasons for this:
- a bug
- a misconfiguration in my pf.conf

 Try putting the old rc back and see if it fixes things. If it does,
 great. If you still have some time maybe go through and diff it to
 your version and figure out what changed.
 
 
 
 The key point I found in the source was this:
 
 if (PF_ANEQ(&s->lan.addr, &s->gwy.addr, s->af) ||
     (s->lan.port != s->gwy.port)) {
   print_host(&s->lan, s->af, opts);
   if (s->direction == PF_OUT)
     printf(" -> ");
   else
     printf(" <- ");
 }
 
 Because it is that which causes the intermediate host to be printed
 for the state which works.
 
   It would seem that, for some reason, on the one that doesn't work,
   PF_ANEQ(&s->lan.addr, &s->gwy.addr, s->af) fails (and presumably
   the other test in that if fails because ICMP lacks ports). Yeah. Um,
   still confused. Too bad PF_ANEQ is a macro, so not in the manpages.
   Perhaps grep the tree for it?
 
  Unfortunately I'm not a developer... :(
 
 
 Neither am I. I found this by going to http://www.openbsd.org,
 clicking Getting Source-Web and finding the code for pfctl. I
 don't have a working OpenBSD system right now to check out the source
 on, and I was hoping you could. See
 http://www.openbsd.org/anoncvs.html
 
 Or do you mean I don't know C?

Yes, I do... =)

 -Nick

Regards
  Hagen Volpers



Volume manager

2006-08-24 Thread openbsd misc
Hello,

I'm looking for a volume manager comparable to LVM. Is there
a well-tended solution for openbsd? I want to be able to
create / resize partitions at runtime, raid functionality
is not needed.

Regards
  Hagen Volpers



Re: ssh auth

2006-08-26 Thread openbsd misc
Hiho,

 i have a small problem with a ssh authentication, hope i
 misunderstood it, but.
 
 i try to copy a file with scp from one server to another and scp doesn't
 ask me for a password. problem, i don't setup any key on this box ...
 
 here the details:
 
 soekris4801:touche$ ls ~/.ssh
 authorized_keys   known_hosts
 soekris4801:touche$ touch test
 soekris4801:touche$ scp test [EMAIL PROTECTED]:/tmp/
 test   100%0
  0.0KB/s   00:00
 
 if debug:
 debug1: kex: server->client aes128-cbc hmac-md5 none
 debug1: kex: client->server aes128-cbc hmac-md5 none
 debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
 debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
 debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
 debug1: Host 'file' is known and matches the RSA host key.
 debug1: Found key in /home/touche/.ssh/known_hosts:1
 debug1: ssh_rsa_verify: signature correct
 debug1: SSH2_MSG_NEWKEYS sent
 debug1: expecting SSH2_MSG_NEWKEYS
 debug1: SSH2_MSG_NEWKEYS received
 debug1: SSH2_MSG_SERVICE_REQUEST sent
 debug1: SSH2_MSG_SERVICE_ACCEPT received
 debug1: Authentications that can continue:
 publickey,password,keyboard-interactive
 debug1: Next authentication method: publickey
 debug1: Offering public key: rsa-key-xxx
 debug1: Server accepts key: pkalg ssh-rsa blen 148
 debug1: Authentication succeeded (publickey).
 
 the key (rsa-key-xxx) exists but, as seen before, not on soekris4801 (no
 id_(dsa|rsa))
 public key is not in authorized_keys (that's another)
 known_hosts is for host keys so ...
 
 how can it offer this public key ???

I think you connected to your soekris by using a private key. SSH can
forward that key to authorize to another host (your soekris box provided
the key you used to authorize to your soekris box).


 thanks
 Regards
 
   Julien

Regards
  Hagen Volpers
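
The answer above is agent forwarding: the soekris offered a key it does not hold because the client forwarded its agent, and any host that receives a forwarded agent can use the keys in it for as long as the session lasts. The defensive setting is ForwardAgent, which should be on only for hosts you trust with that. As an added example (not code from the thread or from OpenSSH), the Python below resolves which ForwardAgent value an ssh_config gives a host, following the first-obtained-value rule and the Host pattern matching of ssh_config(5); the config text is constructed, and Match blocks are not handled.

```python
"""Resolve the ForwardAgent setting an ssh_config applies to a host.
Added example, not from the thread or from OpenSSH. It implements the
"first obtained value wins" rule of ssh_config(5), Host patterns with
fnmatch-style wildcards and '!' negation; Match blocks are not handled.
The config text is constructed."""
import fnmatch
import re
from typing import Dict

SAMPLE_CONFIG = """\
# constructed sample ~/.ssh/config
Host soekris4801
    ForwardAgent yes

Host *.lab.example !bastion.lab.example
    ForwardAgent yes

Host *
    ForwardAgent no
    ServerAliveInterval 30
"""


def host_matches(patterns: str, host: str) -> bool:
    """A negated pattern that matches excludes the host outright (even if a
    positive pattern on the same line matched); otherwise any positive
    pattern that matches selects it."""
    matched = False
    for pat in patterns.split():
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
            continue
        if fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def effective_options(config_text: str, host: str) -> Dict[str, str]:
    """Keywords (lower-cased) mapped to the first value obtained for each,
    walking the file top to bottom and skipping Host blocks that do not
    match. Options before any Host line apply to every host."""
    opts: Dict[str, str] = {}
    active = True
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (re.split(r"[ \t=]+", line, maxsplit=1) + [""])[:2]
        key = key.lower()
        if key == "host":
            active = host_matches(value, host)
        elif active and key not in opts:
            opts[key] = value
    return opts


def agent_forwarding_enabled(config_text: str, host: str) -> bool:
    """ForwardAgent defaults to no when no matching block sets it."""
    value = effective_options(config_text, host).get("forwardagent", "no")
    return value.lower() == "yes"


if __name__ == "__main__":
    for h in ("soekris4801", "file.lab.example", "bastion.lab.example", "other"):
        print(f"{h:24s} ForwardAgent={agent_forwarding_enabled(SAMPLE_CONFIG, h)}")
```

Running it over your real `~/.ssh/config` and `/etc/ssh/ssh_config` (the latter is consulted after the former, so concatenate them in that order) lists exactly the hosts that can borrow your agent; `ssh-add -l` on the remote side shows what such a host sees.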



Re: Apache-problem

2006-09-03 Thread openbsd misc
 Hello!
Hello,

 I have just enabled and tested some stuff with the 3.9-apache server.
The
 predefined It Worked!-page works as expected. I have added one more
 directory by adding
 
 <Directory /var/www/htdocs/my_test>
 Options MultiViews
 AllowOverride None
 Order allow,deny
 Allow from all
 </Directory>
 
 to my httpd.conf

This option is only needed to change directory settings (e.g. security).
In this case it is not needed, because the directory belongs to your
document root.

 the directory my_test is a mount point where I mount my www-drive

Why not mount it at /var/www/htdocs?

 Accessing this directory from internet works as expected, but if I
 access it from the internal (192.168.1.*) network the returned address
 is my hostname (which can not be looked up in any DNS). I would like the
 server's local IP-address to be returned instead (just as when i access
 the It Worked!-page).

That doesn't make sense (and can't be) as long as you haven't added a
virtual host. Please add your changes to httpd.conf...

 Since the It Worked!-page works without tricks with virtual hosts i
 expect to solve this without using them. How can this be done?

What do you need the virtual host for? I did not understand what you
want to do.

 --
 
 Jon Sjvstedt
 
 d00jon()dtek,chalmers!se jonsjostedt[]hotmail:com
 

Regards
  Hagen Volpers



Re: Apache-problem

2006-09-03 Thread openbsd misc
  it from the internal (192.168.1.*) network the returned address is
my
  hostname (which can not be looked up in any DNS).
 
 Set ServerName to the IP address, or fix your DNS.
 

Depends on his setup and what he wants to do. I think he wants to use
different names to access the same page (internet and intranet). In this
case it makes more sense to set UseCanonicalName Off (and use
ServerAlias if you want a virtual host to react on two names).

Regards
  Hagen Volpers



Re: OpenBSD Wireless Router

2006-09-07 Thread openbsd misc
 On Fri, Sep 08, 2006 at 05:00:16AM +1000, John Tate wrote:
  I am constantly disappointed with the lack of freedom out-of-the-box
  wireless routers provide. I am interested in a solution on OpenBSD,
because
 
 I haven't used any Soekris device yet but you may be interested in
 this:
 
 http://www.soekris.com/net4511.htm
 

A WRAP system could also be an option www.pcengines.ch

I haven't tried wireless lan with openbsd because it does not support
WPA.

Regards
  Hagen Volpers



XEN

2006-09-08 Thread openbsd misc
Hi all,

I wasn't able to figure out if it is possible to run openbsd
as xen guest system. Does anyone know?

Regards
  Hagen Volpers



Re: WPA in -current

2008-05-10 Thread openbsd misc
http://www.openbsd.org/plus.html

Enter wpa-psk(8), a tool to generate WPA-PSK keys from the ssid and
passphrase.

http://www.openbsd.org/cgi-bin/man.cgi?query=wpa-pskapropos=0sektion=0manp
ath=OpenBSD+Currentarch=i386format=html


Regards
  Hagen Volpers


 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On Behalf Of Jonathan
 Sent: Sunday, 11 May 2008 06:04
 To: misc@openbsd.org
 Subject: WPA in -current

 OpenBSD 4.3-current (GENERIC) #853: Fri May  2 04:37:23 MDT 2008
 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

 Hardware Info:

 ral0 at pci0 dev 9 function 0 Ralink RT2561S rev 0x00: irq 5,
 address 00:0e:2e:xx:xx:xx
 ral0: MAC/BBP RT2561C, RF RT2527

 # ifconfig ral0
 ral0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 lladdr 00:0e:2e:xx:xx:xx
 groups: wlan egress
 media: IEEE802.11 autoselect hostap (autoselect mode
 11b hostap)
 status: active
 ieee80211: nwid obsd_wpa chan 8 bssid 00:0e:2e:xx:xx:xx wpapsk
 not displayed wpaprotos wpa1,wpa2 wpaakms psk,802.1x wpaciphers
 tkip,ccmp wpagroupcipher tkip 100dBm
 inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255

 /etc/hostname.ral0
 inet 192.168.1.1 255.255.255.0 NONE media autoselect \
 mediaopt hostap nwid obsd_wpa chan 8\
 wpa wpapsk not displayed

 I have tried to connect from a Mac running Leopard, but it is always
 saying Connection Timeout after input of the pass-phrase. I have
 tried to connect from a Windows XP box manually selecting WPA-PSK and
 tried both (TKIP and AES), but was still unable to connect. It does
 seem like it is getting connected, since it is saying acquiring
 network address, but it just cycles through acquiring network and not
 connected. I tried to look at the tcpdump but the packets it prints
 are all in hexadecimal.

 Jonathan
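
wpa-psk(8), pointed to above, turns an ssid and passphrase into the 256-bit pairwise master key. As an added example (not OpenBSD's code), the Python below performs the same derivation as defined in IEEE 802.11i: PBKDF2-HMAC-SHA1 with the ssid as salt, 4096 iterations, 32 bytes of output. It also shows why the ssid is part of the input: the same passphrase yields a different key on every network, so a key computed for one nwid is useless on another. The ssid and passphrase values in the demo are constructed.

```python
"""Derive a WPA-PSK from ssid and passphrase, the computation wpa-psk(8)
performs: PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)
per IEEE 802.11i. Added example, not OpenBSD's code."""
import hashlib


def wpa_psk(ssid: str, passphrase: str) -> bytes:
    """Raw 32-byte PSK. 802.11i restricts the passphrase to 8..63 characters;
    the ssid (up to 32 bytes) is the salt, so the key is network-specific."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("ssid must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid_bytes, 4096, dklen=32)


def wpa_psk_hex(ssid: str, passphrase: str) -> str:
    """64 hex digits, the form of a static key (wpa-psk(8) prints the hex)."""
    return wpa_psk(ssid, passphrase).hex()


def same_passphrase_different_networks(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the derived keys differ, which they do whenever the ssids do."""
    return wpa_psk(ssid_a, passphrase) != wpa_psk(ssid_b, passphrase)


if __name__ == "__main__":
    # IEEE 802.11i test vector: ssid "IEEE", passphrase "password"
    print(wpa_psk_hex("IEEE", "password"))
    # constructed values, shaped like the poster's nwid
    print(same_passphrase_different_networks("correct horse battery", "obsd_wpa", "obsd_wpa2"))
```

The derivation is deliberately slow (4096 HMAC rounds) but still cheap enough that a short or dictionary passphrase is the weak point; the ssid salt only stops one precomputed table from covering every network, it does not strengthen the passphrase itself.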



in-kernel pppoe problems

2008-06-13 Thread misc(at)openbsd.org
Hello,

it looks like the in-kernel pppoe causes systems to hang up sometimes. I
tested with two systems (completely different hardware) and two different
dsl-modems (I'm from Germany - standard tcom modems).
Did someone else notice such problems?

Here is my hostname.pppoe0:
#cat /etc/hostname.pppoe0
inet 0.0.0.0 255.255.255.255 NONE \
pppoedev bge1 authproto pap \
authname 'USERNAME' authkey 'PASSWORD' up
dest 0.0.0.1
!/sbin/route add default 0.0.0.1

# cat /etc/hostname.bge1
up

Here is the output from the kernel panic:

cached lines from terminal server:
ddb{0} start of buffer
13/6/2008 11:49:39pppoe0: LCP keepalive timeout
13/6/2008 11:49:39kernel: page fault trap, code=0
13/6/2008 11:49:41Stopped at  softclock+0x2d: movl
%edx,0x4(%eax)
13/6/2008 11:49:41ddb{0}
13/6/2008 18:29:27ddb{0}
end of buffer

output from ddb commands:
ddb{0} trace
softclock(58,de8a0010,10,de8a0010,de8ae000) at softclock+0x2d
Bad frame pointer: 0xde8aff20

ddb{0} ps
   PID   PPID   PGRP  UID  S      FLAGS  WAIT         COMMAND
 26917  24357  32309  220  3  0x2004080  select       qmail-smtpd
 19628  22976  22976    0  3      0x282  netio        tcpdump
 22976   3048  22976   76  3  0x2004182  bpf          tcpdump
 28819  15851  28819    0  3  0x2004082  ttyin        ksh
 15851  13411  15851    0  3  0x2004180  select       sshd
  3048   1164   3048    0  3  0x2004082  pause        ksh
  1164  13411   1164    0  3  0x2004080  select       sshd
 26129  27247  32309  200  3  0x2004080  piperd       multilog
 10965  19992  32309  201  3  0x2004180  poll         dnscache
  1687  11010  10844    0  3  0x2800082  netio        tcpdump
 11010  10844  10844   76  3  0x2804182  bpf          tcpdump
 10844      1  10844    0  3  0x2805082  pause        sh
 12506  22056  12506  515  3  0x2004080  piperd       unlinkd
 22056  15607  15607  515  3  0x2004180  kqread       squid
  6061  24437  32309  225  3  0x2004080  piperd       qmail-clean
 12394  24437  32309  226  3  0x2004080  select       qmail-rspawn
 23031  24437  32309    0  3  0x2004080  select       qmail-lspawn
 24357  12238  32309  220  3  0x2004180  netcon       tcpserver
 14976  11484  32309  222  3  0x2004080  piperd       multilog
 24437  30067  32309  227  3  0x2004080  select       qmail-send
 20754  31587  32309  222  3  0x2004080  piperd       multilog
 27247  17401  32309    0  3  0x2004080  poll         supervise
 19992  17401  32309    0  3  0x2004080  poll         supervise
 11484  17401  32309    0  3  0x2004080  poll         supervise
 12238  17401  32309    0  3  0x2004080  poll         supervise
 31587  17401  32309    0  3  0x2004080  poll         supervise
 30067  17401  32309    0  3  0x2004080  poll         supervise
 22921  32309  32309    0  3  0x2004080  piperd       readproctitle
 17401  32309  32309    0  3  0x2004080  nanosleep    svscan
  5641      1   5641    0  3  0x2004082  ttyin        getty
  9200      1   9200    0  3  0x2004082  ttyin        getty
 11008      1  11008    0  3  0x2004082  ttyin        getty
 30618      1  30618    0  3  0x2004082  ttyin        getty
 32099      1  32099    0  3  0x2004082  ttyin        getty
 12115      1  12115    0  3  0x2004082  ttyin        getty
  8185      1   8185    0  3      0x280  select       cron
 32309      1  32309    0  3  0x2004082  pause        sh
 15607      1  15607    0  3      0x280  wait         squid
 13411      1  13411    0  3      0x280  select       sshd
  5549      1   5549    0  3  0x2000180  select       inetd
 14162   2559   2559   83  3  0x2000180  poll         ntpd
  2559      1   2559    0  3      0x280  poll         ntpd
 22633   3798   3798   68  3  0x2000180  select       isakmpd
  3798      1   3798    0  3      0x280  netio        isakmpd
  6099   5809   5809   74  3  0x2000180  bpf          pflogd
  5809      1   5809    0  3      0x280  netio        pflogd
 30348  17649  17649   73  3  0x2000180  poll         syslogd
 17649      1  17649    0  3      0x288  netio        syslogd
    17      0      0    0  3  0x2100200  crypto_wait  crypto
    16      0      0    0  3  0x2100200  aiodoned     aiodoned
    15      0      0    0  3  0x2100200  syncer       update
    14      0      0    0  3  0x2100200  cleaner      cleaner
    13      0      0    0  3   0x100200  reaper       reaper
    12      0      0    0  3  0x2100200  pgdaemon     pagedaemon
    11      0      0    0  3  0x2100200  pftm         pfpurge
    10      0      0    0  3  0x2100200  usbevt       usb3
     9      0      0    0  3  0x2100200  usbevt       usb2
     8      0      0    0  3  0x2100200  usbevt       usb1
     7      0      0    0  3  0x2100200  usbtsk       usbtask
     6      0      0    0  3  0x2100200  usbevt       usb0
     5      0 

Re: in-kernel pppoe problems

2008-06-14 Thread openbsd misc
Hello,

sorry, version 4.1 and 4.2. Thanks for your reply, I'll check that.

Regards
  Hagen Volpers

 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On Behalf Of Pierre Riteau
 Sent: Saturday, 14 June 2008 00:28
 To: misc(at)openbsd.org
 Cc: misc@openbsd.org
 Subject: Re: in-kernel pppoe problems

 On Fri, Jun 13, 2008 at 11:24:32PM +0200, misc(at)openbsd.org wrote:
  Hello,
 
  it looks like the in-kernel pppoe causes systems to hang up sometimes. I
  tested with two systems (completely different hardware) and two different
  dsl-modems (I'm from Germany - standard tcom modems).
  Did someone else notice such problems?
 
  Here is my hostname.pppoe0:
  #cat /etc/hostname.pppoe0
  inet 0.0.0.0 255.255.255.255 NONE \
  pppoedev bge1 authproto pap \
  authname 'USERNAME' authkey 'PASSWORD' up
  dest 0.0.0.1
  !/sbin/route add default 0.0.0.1
 
  # cat /etc/hostname.bge1
  up
 
  Here is the output from the kernel panic:
 
  cached lines from terminal server:
  ddb{0} start of buffer
  13/6/2008 11:49:39  pppoe0: LCP keepalive timeout
  13/6/2008 11:49:39  kernel: page fault trap, code=0
  13/6/2008 11:49:41  Stopped at  softclock+0x2d: movl  %edx,0x4(%eax)
  13/6/2008 11:49:41  ddb{0}
  13/6/2008 18:29:27  ddb{0}
  end of buffer

 You don't provide information about which version of OpenBSD you are
 running. Anyway, this seems identical to PR 5794 which was fixed in
 -current on May 17.



carp / routing question (multiple lines)

2008-06-25 Thread openbsd misc
Hello,

I hope I can avoid trial and error this way ;-) I have two firewall systems
with carp enabled (running obsd 4.3). These gateways have two internet
connections (dsl 6000 and symmetric 4000 provided by a router with a
/29 transport net).
The symmetric line should be used for vpn and for mail and http(s) if
the dsl line is not available.
I tried to google about this topic, but I didn't find much that was helpful.
Someone mentioned http://marc.info/?l=openbsd-misc&m=120665186412690&w=2
yesterday. Looks like a good starting point because the pf.conf manpage
doesn't say much about route-to and reply-to syntax.

Every connection should find its way back the same way (same route, using
the ip-address the SYN came to).

Does someone have a link for me on how to set the correct routes and
pf-rules? The symmetric line should be set as default route with a
higher metric but the source ip should be the carp ip if used. I think
my biggest problem is carp, because I don't know how to set up pf
correctly with carp in use. As you know pf uses the physical interface,
not the virtual interface, so I think I have to define the source ip,
too?

I hope someone understands my english ;-) and can give me some links /
documentation / examples ...

Thanks and regards
  Hagen Volpers



Re: carp / routing question (multiple lines)

2008-06-25 Thread openbsd misc
Hello,

I totally agree, that's why I wrote to the mailing list and did not copy the
example ;-) It's not the first time I'm working with pf, but the first time
with two external connections. Thanks for the link, I missed that because of
the topic (I'm not looking for load balancing).
But I didn't find out how to set this up correctly:
- normally the chosen link is rule (pf) based
- the other line should be used if one is down (how to do that with pf?)
- how must I read the route-to / reply-to syntax?
for example:
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

Till now I wasn't able to get into that, still looking for the
click-aha-effect ;-)

Thanks for your help.

Regards
  Hagen Volpers

 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On Behalf Of Stuart Henderson
 Sent: Thursday, 26 June 2008 01:47
 To: misc@openbsd.org
 Subject: Re: carp / routing question (multiple lines)

 On 2008-06-25, openbsd misc [EMAIL PROTECTED] wrote:
  I hope I can avoid trial and error this way ;-) I have two firewall systems
  with carp enabled (running obsd 4.3). These gateways have two internet
  connections (dsl 6000 and symmetric 4000 provided by a router with a
  /29 transport net).
  The symmetric line should be used for vpn and for mail and http(s) if
  the dsl line is not available.
  I tried to google about this topic, but I didn't find much that was helpful.
  Someone mentioned http://marc.info/?l=openbsd-misc&m=120665186412690&w=2
  yesterday. Looks like a good starting point because the pf.conf manpage
  doesn't say much about route-to and reply-to syntax.

 Try http://www.openbsd.org/faq/pf/pools.html#outgoing for an
 introduction, the syntax of route-to and reply-to is given in the
 BNF section at the bottom of pf.conf(5) - everyone writing PF
 configuration files should learn how to read this section.
 Everyone copying-and-pasting PF configs from samples really
 should too...

 You should also get acquainted with running tcpdump on different
 interfaces, including pflog0 (with the relevant log in PF rules),
 it's very useful when you need to debug PF and in particular any
 complicated NAT/route-to configuration.

  Does someone have a link for me how to set the correct routes and
  pf-rules? The symmetric line should be set as default route with a
  higher metric but the source ip should be the carp ip if used.

 You set the source address of outgoing packets with NAT rules.
 You direct packets out the relevant interface with route-to.
 And you direct return packets for an *incoming* connection
 with reply-to.

 Forget metrics/route priority for now, that won't help you direct
 packets out of one or other connection based on port number, you
 need PF rules to classify traffic if you want that.

  I think
  my biggest problem is carp, because I don't know how to set up pf
  correctly with carp in use. As you know pf uses the physical interface,
  not the virtual interface, so I think I have to define the source ip,
  too?

 Where you have to define an interface, use the physical interface
 (vlan/trunk count as physical interface for this purpose).

 Where you have to specify an address, use whichever is correct for
 what you're trying to do, carp/physical/both.
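A worked pf.conf for the setup in this thread, added here as an example; it is not from the thread, the OpenBSD FAQ or pf.conf(5). All interface names, the LAN prefix and the addresses (documentation prefixes 192.0.2.0/24 and 203.0.113.0/24) are assumptions, as is the premise that both uplinks are handed off by a router on a small subnet so that each can carry a CARP address. It uses the pf syntax of OpenBSD 4.3 (separate nat rules; from 4.7 on the translation is written as match ... nat-to) and shows the three mechanisms Stuart names, NAT for the source address, route-to for the outgoing line and reply-to for answers to incoming connections, with interfaces written as the physical interface and addresses as the carp address, which is the point of his last reply. Automatic switch-over when one line drops is not part of it; the thread leaves that open.

```pf
# Added example (OpenBSD 4.3 pf syntax): two uplinks on a CARP firewall pair.
# Every interface name, prefix and address below is a placeholder.
ext_if1   = "bge1"           # DSL line, carries the default route
ext_gw1   = "203.0.113.1"    # DSL router (placeholder)
ext_if2   = "vlan32"         # symmetric line, /29 transport net
ext_gw2   = "192.0.2.1"      # provider router on the /29 (placeholder)
carp_ip1  = "203.0.113.10"   # CARP address shared by both nodes on the DSL side
carp_ip2  = "192.0.2.2"      # CARP address shared by both nodes on the /29
int_if    = "bge0"
lan_net   = "10.0.0.0/24"
pfsync_if = "bge2"           # dedicated link for pfsync between the two nodes

set skip on lo0
block log all

# CARP advertisements and pfsync must pass on the physical interfaces,
# otherwise the backup never hears the master.
pass quick on { $ext_if1 $ext_if2 } proto carp keep state
pass quick on $pfsync_if proto pfsync keep state

# 1. Source address: translate to the CARP address of the line the packet
#    leaves by, so replies reach whichever node is master at that moment.
nat on $ext_if1 from $lan_net to any -> $carp_ip1
nat on $ext_if2 from $lan_net to any -> $carp_ip2

# 2. Outgoing line: classify on the inside interface. pf takes the LAST
#    matching rule, so the general rule comes first and the route-to rule
#    for mail and HTTPS after it; everything else follows the default route.
pass in on $int_if from $lan_net to any keep state
pass in on $int_if route-to ($ext_if2 $ext_gw2) proto tcp \
    from $lan_net to any port { smtp, https } keep state
pass out on { $ext_if1 $ext_if2 } keep state

# Packets generated on the firewall itself (isakmpd, for instance) that carry
# one line's CARP address but were sent towards the default route are pushed
# back out the line that address belongs to.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $carp_ip2 to any keep state
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $carp_ip1 to any keep state

# 3. Incoming connections: reply-to sends the answer back out the line the
#    SYN arrived on instead of the default route. VPN (IKE, NAT-T, ESP) and
#    mail on the symmetric line, HTTPS on the DSL line.
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto udp \
    from any to $carp_ip2 port { 500, 4500 } keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto esp \
    from any to $carp_ip2 keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp \
    from any to $carp_ip2 port smtp keep state
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp \
    from any to $carp_ip1 port https keep state
```

Check it with pfctl -nf /etc/pf.conf before loading, and, as Stuart says, watch pflog0 with tcpdump while testing: a connection that answers on the wrong line shows up there as a state mismatch long before users notice it.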



Re: Actual BIND error - Patching OpenBSD 4.3 named ?

2008-07-09 Thread openbsd misc
http://cr.yp.to/djbdns/run-cache.html
http://www.ro.kde.org/djbdns/mywork/jumbo/index.html

I never understood the mix of authoritative server and resolver ... Use dnscache
as resolver and you're (AFAIK) safe.

Regards
  Hagen Volpers


 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On Behalf Of Ted Unangst
 Sent: Wednesday, 9 July 2008 20:10
 To: Steve Tornio
 Cc: misc
 Subject: Re: Actual BIND error - Patching OpenBSD 4.3 named ?

 On 7/9/08, Steve Tornio [EMAIL PROTECTED] wrote:

   I don't think this actually accomplishes much.  It still
 lets poisoned
   replies back in on the previous port number.
  
  
 
   But does it allow a poisoned reply from the spoofed address?

 oh, right.  I think I forgot even UDP packets have IP addresses. :(



Re: pfctl

2008-07-25 Thread openbsd misc
Hi,

interesting point. How about dumping it to a file or something so you are
able to check what was loaded last time (e.g. a file with 400 under
/var/whatever)?

Regards
  Hagen Volpers


 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On Behalf Of Stuart Henderson
 Sent: Friday, 25 July 2008 17:15
 To: Charlie Clark
 Cc: misc@openbsd.org
 Subject: Re: pfctl

 On 2008/07/25 14:53, Charlie Clark wrote:
  Stuart Henderson wrote:
  On 2008-07-25, Charlie Clark [EMAIL PROTECTED] wrote:
 
  Hi,
 
  I have noticed that you are unable to view the currently loaded
  options for pf using pfctl, even 'pfctl -sa' doesn't show the
  options eg. set skip on tun0.
  Is this going to be implemented soon or is it there and
 I'm missing
  something?
 
  Regards,
 
 
 
  Someone asked about this recently.
  http://marc.info/?l=openbsd-misc&w=2&r=1&s=set+skip+pfctl&q=b
 
 
 
  Yes sorry I posted this by accident, I still haven't got a valid
  solution for this though.

 set XX options are a mix of directives to pf and to pfctl,
 the pfctl directives don't get stored anywhere so you can't
 retrieve them later. The ones affecting pf are available but
 in a different format.



Re: pfctl

2008-07-25 Thread openbsd misc
Hehe, I knew I'd get this reply. ;-) The question was which configuration is
active, not what will be activated by pfctl -f /etc/pf.conf; that's the
difference.
I think that could help some people in multi-admin environments ;-)

Regards
  Hagen Volpers


 -----Original Message-----
 From: Paul de Weerd [mailto:[EMAIL PROTECTED]
 Sent: Friday, 25 July 2008 22:37
 To: openbsd misc
 Cc: misc@openbsd.org
 Subject: Re: pfctl

 On Fri, Jul 25, 2008 at 10:16:21PM +0200, openbsd misc wrote:
 | Hi,
 |
 | interesting point. How about dumping it to a file or
 something so you are
 | able to check what was loaded last time (e.g. a file with 400 under
 | /var/whatever)?

 GREAT IDEA !

 How about /etc/pf.conf ?

 Cheers !

 Paul 'WEiRD' de Weerd

 | Regards
 |   Hagen Volpers
 |
 |
 |  -----Original Message-----
 |  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 |  On Behalf Of Stuart Henderson
 |  Sent: Friday, 25 July 2008 17:15
 |  To: Charlie Clark
 |  Cc: misc@openbsd.org
 |  Subject: Re: pfctl
 | 
 |  On 2008/07/25 14:53, Charlie Clark wrote:
 |   Stuart Henderson wrote:
 |   On 2008-07-25, Charlie Clark [EMAIL PROTECTED] wrote:
 |  
 |   Hi,
 |  
 |   I have noticed that you are unable to view the
 currently loaded
 |   options for pf using pfctl, even 'pfctl -sa' doesn't show the
 |   options eg. set skip on tun0.
 |   Is this going to be implemented soon or is it there and
 |  I'm missing
 |   something?
 |  
 |   Regards,
 |  
 |  
 |  
 |   Someone asked about this recently.
 |   http://marc.info/?l=openbsd-misc&w=2&r=1&s=set+skip+pfctl&q=b
 |  
 |  
 |  
 |   Yes sorry I posted this by accident, I still haven't got a valid
 |   solution for this though.
 | 
 |  set XX options are a mix of directives to pf and to pfctl,
 |  the pfctl directives don't get stored anywhere so you can't
 |  retrieve them later. The ones affecting pf are available but
 |  in a different format.
 |

 --
 [++-]+++.+++[---].+++[+
 +++-].++[-]+.--.[-]
  http://www.weirdnet.nl/



Re: pfctl

2008-07-25 Thread openbsd misc
It was only an idea regarding the question. Sorry for sharing thoughts ... I'm
already using such a script because of that; it would be great to have that job
done by pfctl, because then everyone would have this feature and you could not
bypass it with pfctl -f ...
As I said, this is only an idea. We should stop this discussion :)

Regards
  Hagen Volpers

 -----Original Message-----
 From: Paul de Weerd [mailto:[EMAIL PROTECTED]
 Sent: Saturday, 26 July 2008 00:00
 To: openbsd misc
 Cc: misc@openbsd.org
 Subject: Re: pfctl

 On Fri, Jul 25, 2008 at 11:38:40PM +0200, openbsd misc wrote:
 | Hehe, I knew I'll get this reply. ;-) The question was
 which configuration is
 | active, not what will be activated by pfctl -f
 /etc/pf.conf, that's the
 | difference.
 | I think that could help some people in multi-admin environments ;-)

 If you can't organize a proper way to keep loaded rules and rulefile
 in sync, you may want to have a talk with the other admins.

 Given that, you may want to create a script that does exactly what you
 want. It's OpenBSD. It's open source, the tools are there, you can see
 how this stuff works, you know what you want - create what you need by
 yourself. A simple script that copies your pf.conf to
 /var/whatever/last.loaded is just a few keystrokes away.

 Cheers,

 Paul 'WEiRD' de Weerd

 | Regards
 |   Hagen Volpers
 |
 |
 |  -----Original Message-----
 |  From: Paul de Weerd [mailto:[EMAIL PROTECTED]
 |  Sent: Friday, 25 July 2008 22:37
 |  To: openbsd misc
 |  Cc: misc@openbsd.org
 |  Subject: Re: pfctl
 | 
 |  On Fri, Jul 25, 2008 at 10:16:21PM +0200, openbsd misc wrote:
 |  | Hi,
 |  |
 |  | interesting point. How about dumping it to a file or
 |  something so you are
 |  | able to check what was loaded last time (e.g. a file
 with 400 under
 |  | /var/whatever)?
 | 
 |  GREAT IDEA !
 | 
 |  How about /etc/pf.conf ?
 | 
 |  Cheers !
 | 
 |  Paul 'WEiRD' de Weerd
 | 
 |  | Regards
 |  |   Hagen Volpers
 |  |
 |  |
 |  |  -----Original Message-----
 |  |  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 |  |  On Behalf Of Stuart Henderson
 |  |  Sent: Friday, 25 July 2008 17:15
 |  |  To: Charlie Clark
 |  |  Cc: misc@openbsd.org
 |  |  Subject: Re: pfctl
 |  | 
 |  |  On 2008/07/25 14:53, Charlie Clark wrote:
 |  |   Stuart Henderson wrote:
 |  |   On 2008-07-25, Charlie Clark
 [EMAIL PROTECTED] wrote:
 |  |  
 |  |   Hi,
 |  |  
 |  |   I have noticed that you are unable to view the
 |  currently loaded
 |  |   options for pf using pfctl, even 'pfctl -sa'
 doesn't show the
 |  |   options eg. set skip on tun0.
 |  |   Is this going to be implemented soon or is it there and
 |  |  I'm missing
 |  |   something?
 |  |  
 |  |   Regards,
 |  |  
 |  |  
 |  |  
 |  |   Someone asked about this recently.
 |  |  
 http://marc.info/?l=openbsd-misc&w=2&r=1&s=set+skip+pfctl&q=b
 |  |  
 |  |  
 |  |  
 |  |   Yes sorry I posted this by accident, I still
 haven't got a valid
 |  |   solution for this though.
 |  | 
 |  |  set XX options are a mix of directives to pf and to pfctl,
 |  |  the pfctl directives don't get stored anywhere so you can't
 |  |  retrieve them later. The ones affecting pf are available but
 |  |  in a different format.
 |  |
 | 
 |  --
 |  [++-]+++.+++[---].+++[+
 |  +++-].++[-]+.--.[-]
 |   http://www.weirdnet.nl/
 |

 --
 [++-]+++.+++[---].+++[+
 +++-].++[-]+.--.[-]
  http://www.weirdnet.nl/



Re: Rails https?

2008-07-25 Thread openbsd misc
Hi,

you didn't define a protocol. Change your configuration to

ProxyPass / http://127.0.0.1:3000
ProxyPassReverse / http://127.0.0.1:3000

You should also set
NoCache *

(for more information on favicon: http://en.wikipedia.org/wiki/Favicon - some
browsers request the icon even if it's not defined)

Regards
  Hagen Volpers


 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On Behalf Of DrGadget
 Sent: Friday, 25 July 2008 23:50
 To: misc@openbsd.org
 Subject: Rails  https?

 Been testing redmine [OBSD 4.3 + Rails 2.0.2] for project tracking, but I'm
 running into an issue creating an https proxy for it to run behind. Figured
 out the proxy config:

 LoadModule proxy_module /usr/lib/apache/modules/libproxy.so

  ProxyPass / 127.0.0.1:3000
  ProxyPassReverse / 127.0.0.1:3000

 however this doesn't seem to work:

 [Fri Jul 25 16:14:10 2008] [warn] [client 206.197.251.1] proxy: No protocol
 handler was valid for the URL /favicon.ico. If you are using a DSO version
 of mod_proxy, make sure the proxy submodules are included in the
 configuration using LoadModule.

 Did I miss something on the proxy config, or is there a different way to do it?

   TIA,

   Lee



sasyncd / pfsync / carp question

2008-07-31 Thread openbsd misc
Hi,

I'm running two obsd 4.4-current boxes as firewall / vpn-endpoints
hot-standby (no balancing). I configured carp like this:

Master:
carp3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5e:00:01:01
carp: MASTER carpdev vlan32 vhid 1 advbase 1 advskew 9
groups: carp
inet6 fe80::200:5eff:fe00:101%carp3 prefixlen 64 scopeid 0xc
inet XX.XX.XX.XX netmask 0xfff8 broadcast XX.XX.XX.XX

Slave:
carp3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5e:00:01:01
carp: BACKUP carpdev vlan32 vhid 1 advbase 1 advskew 100
groups: carp
inet6 fe80::200:5eff:fe00:101%carp3 prefixlen 64 scopeid 0xc
inet XX.XX.XX.XX netmask 0xfff8 broadcast XX.XX.XX.XX

I'm running pfsync and it's working fine (did several tcp / ping tests,
switching several times). But if the master boots it will become master
before sasyncd is able to sync status and all ipsec connections get
dropped (ATM I have three monowall www.m0n0.ch/wall endpoints).

The question is how I have to handle this setup. Do I have to play with
advbase? I don't think it's a good idea to trust delays, hoping that
sasyncd will do its job before the first machine becomes master again.
Is there a way to wait for sasyncd or something like that?

Here's the exact version:

# sysctl kern.version
kern.version=OpenBSD 4.4-beta (GENERIC) #987: Wed Jul 23 15:39:48 MDT
2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

Please let me know if you need further information.

Regards
  Hagen Volpers


