Re: Documentation on rc.conf.local lacks important warning
On Wed, Feb 12, 2014 at 10:48 AM, Ingo Schwarze schwa...@usta.de wrote:
> Even though the misunderstanding does not seem to occur often, it does seem somewhat unsurprising because a lot of other software encourages the (imho questionable) practice of copying example configuration files.

I think the documentation is quite clear, and the practice of copying a sample file is ...well, ugly, but up to now it never confused me. When copying a sample file you have to point to a src file like /somewhere/example/file.conf or /somewhere/file.conf.sample and both make it quite clear that they are samples. In the case of rc.conf it is pretty much clear that it is NOT a sample file.

I believe that to make it even more clear, instead of writing it in the documentation, the system should be deployed with all the .local files in place (empty of course), so that there will be no misunderstanding of what to edit. I don't like this approach since the system would potentially be filled with files some users do not use, and it will cause some annoying behaviour of shell completion. So I vote for the documentation first, but it sounds to me quite clear as it is.

As a final thought, the local-file approach is used even by other platforms, and therefore we are in a sample-like scenario: users should be used to editing them properly.

Luca
Re: Interface/IP limit on isakmpd, no listen-on in ipsec.conf, IPSec failover enhancement, IPSec tunnel rebuild enhancement
andy(a...@brandwatch.com) on 2014.02.12 12:22:57 +:
> Hi,
>
> I think this is a fairly simple one. Our firewalls are growing in complexity and the number of interfaces and IPs as time goes on, and we recently hit an isakmpd limit. When isakmpd starts it tries to bind to *every* single IP on the system. We have a LOT of IPs and isakmpd now fails to initialise;
>
> 2014-02-12T10:40:29.386318+00:00 brfw1 isakmpd[404]: udp_encap_make: socket (2, 2, 17): Too many open files
> 2014-02-12T10:40:29.386352+00:00 brfw1 isakmpd[404]: virtual_bind_if: failed to create a socket on 10.2.8.254
> 2014-02-12T10:40:29.386657+00:00 brfw1 isakmpd[404]: virtual_init: could not bind the ISAKMP port(s) on all interfaces: Too many open files
>
> More log at bottom..
>
> We only want isakmpd to listen on the CARP IP address on the external interface (and probably the physical IPs on the external interface), not *all* IPs.
>
> The workaround for now was to add '-4' to the isakmpd daemon to restrict it to our v4 addresses. However, we will very soon have even too many v4 addresses for isakmpd to cope with and so need a way to instruct isakmpd to only bind the necessary IPs.
>
> This would also provide a security enhancement??
>
> Others have reported this limitation before;
> http://www.monkey.org/openbsd/archive2/misc/200502/msg00686.html

maybe this works for you:

# cat /etc/isakmpd/isakmpd.conf
[General]
Listen-on = em0
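An added helper script (not from the thread) for the situation above: it derives an isakmpd.conf Listen-on line from the IPv4 addresses on the interfaces you name, and counts how many addresses isakmpd would bind with no filter so you can compare that with the open-files limit. isakmpd.conf(5) describes Listen-on as a list of addresses that filters the locally configured ones, so the script emits addresses rather than interface names; the ifconfig output embedded below is constructed, and inet_addrs, listen_on_stanza and needed_sockets are names chosen here.

```shell
#!/bin/sh
# Added example, not from the thread: build an isakmpd.conf Listen-on line from
# the IPv4 addresses on chosen interfaces, and count how many addresses isakmpd
# would otherwise bind (one socket each) against the open-files limit.
# isakmpd.conf(5) describes Listen-on as a list of addresses that filters the
# locally configured ones, so addresses are emitted rather than interface names.

# Constructed ifconfig(8)-style output standing in for a live firewall;
# on a real host replace it with the output of: ifconfig
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 203.0.113.2 netmask 0xffffff00 broadcast 203.0.113.255
        inet6 fe80::1%em0 prefixlen 64 scopeid 0x1
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 203.0.113.1 netmask 0xffffff00 broadcast 203.0.113.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.2.8.254 netmask 0xffffff00 broadcast 10.2.8.255
        inet 10.2.9.254 netmask 0xffffff00 broadcast 10.2.9.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        inet 127.0.0.1 netmask 0xff000000'

# inet_addrs TEXT [IFACE...]: print the IPv4 addresses configured on the named
# interfaces (every interface when none is named), one per line.
inet_addrs() {
        text=$1; shift
        printf '%s\n' "$text" | awk -v want="$*" '
                BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) sel[w[i]] = 1 }
                /^[^ \t]/    { iface = $1; sub(":$", "", iface) }
                $1 == "inet" { if (n == 0 || (iface in sel)) print $2 }'
}

# listen_on_stanza TEXT IFACE...: emit a [General] stanza that restricts isakmpd
# to the addresses on the given interfaces (comma-separated list).
listen_on_stanza() {
        addrs=$(inet_addrs "$@" | awk '{ printf "%s%s", (NR > 1 ? ", " : ""), $0 }')
        printf '[General]\nListen-on=\t%s\n' "$addrs"
}

# needed_sockets TEXT: number of IPv4 addresses isakmpd binds with no filter.
needed_sockets() {
        inet_addrs "$1" | wc -l | tr -d ' '
}

listen_on_stanza "$SAMPLE_IFCONFIG" carp0 em0
echo "unfiltered: $(needed_sockets "$SAMPLE_IFCONFIG") sockets; open-files limit: $(ulimit -n)"
```

Only the CARP and external physical addresses end up in the stanza, which is also the smaller attack surface the original poster asked about: IKE is no longer accepted on every internal address.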
Re: Sluggish text cursor on tmux
hmm, on Thu, Feb 13, 2014 at 06:53:31PM +0100, Buschini Edouard said that
> The issue was only reproducible on xterm; other terms worked.

no, it is also there in rxvt-unicode. it is very visible in midnight commander in every single operation.

glad it is fixed, it was a mind-bender :)

-f
--
monday: in christian countries, the day after the football.
Re: opensmtpd relay via verify
Hi,

On Fri, Feb 14, 2014 at 07:24:32PM -0500, Ted Unangst wrote:
> I would try using a full path.
>
> pki example ca /etc/ssl/myca.pem

I already tried it with a full path. But I got it working now by specifying certificate and key, too:

pki example certificate /etc/ssl/relay.crt
pki example key /etc/ssl/private/relay.key
pki example ca /etc/ssl/ca.crt

and later on:

accept from any for domain example.tld relay via tls://relay.example.tld pki example verify

But I am still wondering if I am doing it right. Because normally it should be enough to have the signing certificate and it shouldn't be necessary to provide the peer's cert and key, or am I wrong here?

Trying to test my thesis I created two empty files, foo.pem and foo.key, and used them in my pki statement with some astonishing result:

# smtpd -nf /etc/mail/smtpd.conf
Segmentation fault (core dumped)

While the test is more or less stupid I wasn't expecting a segfault ;-)

Kind regards,
Frank.
Re: opensmtpd relay via verify
On Sat, Feb 15, 2014 at 09:26:35PM +0100, Frank Brodbeck wrote:
> Hi,
>
> On Fri, Feb 14, 2014 at 07:24:32PM -0500, Ted Unangst wrote:
> > I would try using a full path.
> >
> > pki example ca /etc/ssl/myca.pem
>
> I already tried it with a full path. But I got it working now by specifying certificate and key, too:
>
> pki example certificate /etc/ssl/relay.crt
> pki example key /etc/ssl/private/relay.key
> pki example ca /etc/ssl/ca.crt
>
> and later on:
>
> accept from any for domain example.tld relay via tls://relay.example.tld pki example verify
>
> But I am still wondering if I am doing it right. Because normally it should be enough to have the signing certificate and it shouldn't be necessary to provide the peer's cert and key, or am I wrong here?
>
> Trying to test my thesis I created two empty files, foo.pem and foo.key, and used them in my pki statement with some astonishing result:
>
> # smtpd -nf /etc/mail/smtpd.conf
> Segmentation fault (core dumped)
>
> While the test is more or less stupid I wasn't expecting a segfault ;-)

me neither, I'll fix this tomorrow, I'm currently away from home

--
Gilles Chehade
https://www.poolp.org @poolpOrg
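An added preflight check (not from the thread, and not OpenSMTPD's own code) for the files named in a "pki" stanza like the one in Frank's two messages above: it refuses empty or unreadable files, the case that crashed smtpd -n here, and, when openssl(1) is installed, also checks that each file parses, that the key belongs to the certificate, and that the certificate verifies against the CA. It does not settle whether a relay needs the certificate and key at all; it only makes sure that whatever the stanza names is usable. pki_file_ok and pki_stanza_ok are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread: preflight check for the three files named
# in an smtpd.conf "pki" stanza before running smtpd -n. The crash above came
# from empty files, so the first check is that each file exists and is non-empty;
# when openssl(1) is available it also checks that each parses, that the key
# matches the certificate, and that the certificate verifies against the CA.

# pki_file_ok KIND PATH: KIND is certificate, key or ca.
pki_file_ok() {
        kind=$1 path=$2
        [ -f "$path" ] || { echo "$kind: $path: missing" >&2; return 1; }
        [ -s "$path" ] || { echo "$kind: $path: empty file" >&2; return 1; }
        command -v openssl >/dev/null 2>&1 || return 0
        case $kind in
        certificate|ca) openssl x509 -noout -in "$path" >/dev/null 2>&1 ;;
        key)            openssl pkey -noout -in "$path" >/dev/null 2>&1 ;;
        *) echo "unknown kind: $kind" >&2; return 1 ;;
        esac || { echo "$kind: $path: does not parse as a PEM $kind" >&2; return 1; }
}

# pki_stanza_ok CERT KEY CA: all three files pass pki_file_ok, the key belongs to
# the certificate, and the certificate chains to the CA (openssl checks only).
pki_stanza_ok() {
        cert=$1 key=$2 ca=$3 rc=0
        pki_file_ok certificate "$cert" || rc=1
        pki_file_ok key "$key" || rc=1
        pki_file_ok ca "$ca" || rc=1
        [ "$rc" -eq 0 ] || return 1
        command -v openssl >/dev/null 2>&1 || return 0
        cert_pub=$(openssl x509 -noout -pubkey -in "$cert")
        key_pub=$(openssl pkey -pubout -in "$key")
        [ "$cert_pub" = "$key_pub" ] ||
                { echo "key $key does not match certificate $cert" >&2; return 1; }
        openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
                { echo "certificate $cert does not verify against CA $ca" >&2; return 1; }
}

# Usage with the paths from the thread:
#   sh pki-check.sh /etc/ssl/relay.crt /etc/ssl/private/relay.key /etc/ssl/ca.crt
if [ $# -eq 3 ]; then
        pki_stanza_ok "$1" "$2" "$3" && echo "pki files look usable; now run: smtpd -nf /etc/mail/smtpd.conf"
else
        echo "usage: $0 certificate key ca" >&2
fi
```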
FAQ 11.1.2 outdated? (framebuffer support)
Hello,

> 11.1.2 - Can I have any kind of graphics without X?
>
> Assuming you won't accept ASCII graphics, that requires some kind of framebuffer console driver. Some operating systems provide this, but there is not currently one for OpenBSD, nor is there much interest among developers for one.

Except doesn't drm(4) enable console framebuffer stuff now? Maybe we can't do vesa/fbdev or whatever like linux can, but I'm not sure this answer is still correct.

Thoughts?

- Jean-Philippe
vpn question
Does not regard openbsd at all, but this channel sounds like the proper place to take advice from, since I consider people on it safety-aware enough.

I plan to get an android phone and go through some channel, with a home vpn server not an option. I see that the play store handles openvpn clients and would like to know if someone uses a free and secure public vpn server? A lot of services are available (like strongvpn, hidemyass...). I see no way to make a choice reading their sites. Forums are sometimes contradictory.

I hope the subject offends no-one, since I trust not a single review about this. If the list thinks the security on the phone is not possible, I'd take a second look and revise the plan.

Best regards
Zoran