Re: TLS now supported on openbsd.org?
> >It's great to see OpenBSD Project supporting Let's Encrypt.
>
> I am absolutely not supporting Let's Encrypt. The client scares the
> shit out of me, and shows me how low the bar has become.

"client effectively containing millions of lines of code, connects to server on the internet to get a cert"

Oh, but you can trust those guys at the other end... Yeah, I can trust that if their client code is of this quality, their server code is... probably a lot like it?
Re: ftp/www.openbsd.org will be down for an upgrade today.
it has been back for quite some time

On Mon, May 9, 2016 at 1:02 PM, Markus Rosjat wrote:
> Hi there,
>
> just a short question about the site coming up again.
> Since our spamd-setup tries to get some blacklists from the site I was
> wondering if there is any info about the time schedule for the
> maintenance?
>
> Regards
>
> Markus
>
> On 08.05.2016 at 23:44, Stefan Wollny wrote:
>>
>> On 05/08/16 at 20:03, Bob Beck wrote:
>>>
>>> There will be an extended downtime of the main ftp and www sites for
>>> an upgrade today starting in approximately one hour's time from now.
>>>
>>> The mirror sites should be unaffected - so use a mirror if you
>>> discover the main site is unavailable today.
>>>
>> Anyone know of an up2date mirror of 'current.html'?
>> (Google just found one with the latest entries from 2005...)
>> :-(
>>
>> TIA.
>>
>> STEFAN
>>
>
> --
> Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
>
> G+H Webservice GbR Gorzolla, Herrmann
> Königsbrücker Str. 70, 01099 Dresden
>
> http://www.ghweb.de
> fon: +49 351 8107220 fax: +49 351 8107227
>
> Please check whether this mail really needs to be printed! Before you
> print it, think about your responsibility and commitment to the ENVIRONMENT
Re: TLS now supported on openbsd.org?
>It's great to see OpenBSD Project supporting Let's Encrypt.

I am absolutely not supporting Let's Encrypt. The client scares the shit out of me, and shows me how low the bar has become.

Considering all I need is put something on a web site that I can convince a DNS server is the one they'll check, well, that's pretty darn bad - you'd all probably be a lot better off pinning self-signed certs.

> It is really nice to finally see TLS on openbsd.org. How about redirecting
> http to https?

And statements like this - and people that think this is a good idea, are why I spoof DNS answers in bars and coffee shops, and why I don't read misc@. This is never a good idea, unless you want the connections intercepted and MITM'ed.
Remove translated versions of donations.html in the robots.txt file.
These are the lines from the robots.txt [1] file.

Disallow: /cs/donations.html
Disallow: /de/donations.html
Disallow: /es/donations.html
Disallow: /fr/donations.html
Disallow: /hu/donations.html
Disallow: /ja/donations.html
Disallow: /lt/donations.html
Disallow: /nl/donations.html
Disallow: /pt/donations.html
Disallow: /ro/donations.html

The translated pages were removed back in April 2014. For the sake of it, viewing the deleted pages results in a 404 error.

[1] http://www.openbsd.org/robots.txt
Re: apache-httpd-openbsd?
On 5/9/16 4:26 PM, Daniel Jakots wrote:
> On Mon, 9 May 2016 15:03:30 -0600, Jeff Ross wrote:
>> Trying to install apache-httpd-openbsd in -current
>
> https://marc.info/?l=openbsd-ports-cvs=146186762111571=2

Hmm--I went through all of the ports@ messages looking for a removal announcement but didn't find one.

Thank you, Daniel!

Jeff
Re: apache-httpd-openbsd?
On 5/9/16 4:25 PM, Fred wrote:
> On 05/09/16 22:58, Jeff Ross wrote:
>> On 5/9/16 3:21 PM, arrowscr...@mail.com wrote:
>>> try pkg_add http://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/amd64/apache-httpd-2.4.20p1.tgz
>>
>> That's apache 2.4, I want the 1.3.9 version that is, as my subject line says, apache-httpd-openbsd.
>>
>> Jeff
>
> It was removed 11 days ago:
>
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/www/apache-httpd-openbsd/Attic/Makefile
>
> You'll need a cvs version before 28 Apr 16 if you want to build it yourself.
>
> Cheers
>
> Fred

Thanks, Fred! That explains the missing package!

Jeff
Re: apache-httpd-openbsd?
On 5/9/16 4:30 PM, Stuart Henderson wrote:
> On 2016-05-09, Jeff Ross wrote:
>> Trying to install apache-httpd-openbsd in -current and it seems the
>> package is no longer available.
>
> Correct. Options:
>
> - (preferred) migrate your configuration to a maintained http server
>   version.

I need mod_rewrite so I guess I'm headed for apache2.

> - install 5.9 release.
>
> - checkout an old version of the port (mkdir -p /usr/ports/mystuff/www;
>   cd /usr/ports/mystuff/www; cvs get -D \
>   2016/04/01 -d apache-httpd-openbsd ports/www/apache-httpd-openbsd) and
>   build it yourself; things will break again at some point though.
>
>> I cvs uped my src and ports and built the system from source but when
>> I try to install apache-httpd-openbsd from ports I'm getting the
>> "reading plist|Error: unknown fragment SHARED at
>> /usr/libdata/perl5/OpenBSD/Subst.pm line 109, <$fh> line 2." error.
>
> that's not unexpected; the PFRAG.shared complexity has been removed
> from ports now that vax is no longer a supported arch.

Okay--I think this must be above my pay grade because I can't see how vax is related, nor do I think I need to know ;-)

Thank you, Stuart, as always!

Jeff
Re: apache-httpd-openbsd?
On 2016-05-09, Jeff Ross wrote:
> Trying to install apache-httpd-openbsd in -current and it seems the
> package is no longer available.

Correct. Options:

- (preferred) migrate your configuration to a maintained http server version.

- install 5.9 release.

- checkout an old version of the port (mkdir -p /usr/ports/mystuff/www;
  cd /usr/ports/mystuff/www; cvs get -D \
  2016/04/01 -d apache-httpd-openbsd ports/www/apache-httpd-openbsd) and
  build it yourself; things will break again at some point though.

> I cvs uped my src and ports and built
> the system from source but when I try to install apache-httpd-openbsd
> from ports I'm getting the "reading plist|Error: unknown fragment SHARED
> at /usr/libdata/perl5/OpenBSD/Subst.pm line 109, <$fh> line 2." error.

that's not unexpected; the PFRAG.shared complexity has been removed from ports now that vax is no longer a supported arch.
Re: apache-httpd-openbsd?
On 05/09/16 22:58, Jeff Ross wrote:
> On 5/9/16 3:21 PM, arrowscr...@mail.com wrote:
>> try pkg_add http://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/amd64/apache-httpd-2.4.20p1.tgz
>
> That's apache 2.4, I want the 1.3.9 version that is, as my subject line says, apache-httpd-openbsd.
>
> Jeff

It was removed 11 days ago:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/www/apache-httpd-openbsd/Attic/Makefile

You'll need a cvs version before 28 Apr 16 if you want to build it yourself.

Cheers

Fred
Re: apache-httpd-openbsd?
On Mon, 9 May 2016 15:03:30 -0600, Jeff Ross wrote:
> Trying to install apache-httpd-openbsd in -current

https://marc.info/?l=openbsd-ports-cvs=146186762111571=2
Re: apache-httpd-openbsd?
On 5/9/16 3:21 PM, arrowscr...@mail.com wrote:
> try pkg_add http://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/amd64/apache-httpd-2.4.20p1.tgz

That's apache 2.4, I want the 1.3.9 version that is, as my subject line says, apache-httpd-openbsd.

Jeff
Re: TLS now supported on openbsd.org?
On Mon, May 09, 2016 at 08:42:32PM +, Stuart Henderson wrote:
> On 2016-05-09, arrowscr...@mail.com wrote:
> > - Do you plan to support ftp.openbsd.org? Would be great to
> > download packages with more security
>
> https is meant to provide privacy from eavesdroppers on the network
> path between the endpoints. security is a different matter (packages
> have been signed for several releases now which gives far greater
> benefit than https).
>
> (also with often 500-1000 short connections for a package update,
> https is going to suck with the current implementation, there is
> no pipelining or session caching).

Admittedly, I have an http 1.1 implementation somewhere in pkg_add.

But the http servers have been lacking. Losing the connection for no reason and not knowing about it for a while is much worse than the current flurry of small connections.

I don't fancy reimplementing some RTT estimate in the http client code to know when the connection goes dead... :-/
Re: TLS now supported on openbsd.org?
> Giancarlo Razzolini wrote:
> > It is really nice to finally see TLS on openbsd.org. How about redirecting
> > http to https?
>
> I dislike the idea.

Let me be more clear, both of you.

Those decisions will be made by the people (Bob et al) who maintain the back end. They don't need your opinions.

Go take your opinions and give them to your BANKS INSTEAD.
Re: TLS now supported on openbsd.org?
> Giancarlo Razzolini wrote:
> > It is really nice to finally see TLS on openbsd.org. How about redirecting
> > http to https?
>
> I dislike the idea.

And no one cares what you like or dislike. It is not your site.
Re: TLS now supported on openbsd.org?
Giancarlo Razzolini wrote:
> It is really nice to finally see TLS on openbsd.org. How about redirecting
> http to https?

I dislike the idea.

An http->https redirect does not prevent a MITM by itself. It also prevents the easy use of caching or proper proxies with the site.

Purely informative sites are ok without https for the most part. If the user feels that TLS is somehow required, he can enable it by different means.

http->https redirection does not add much in terms of security unless the user takes additional steps, but if the user is going to take additional steps he does not really require the redirection.

--
OpenPGP Key Fingerprint: BB5A C2A2 2CAD ACB7 D50D C081 1DB9 6FC4 5AB7 92FA
Re: watchdog issues ?
On Sun, May 08, 2016 at 11:46:11AM +0200, Sjöholm Per-Olov wrote:
> > On 08 May 2016, at 00:39, Sjöholm Per-Olov wrote:
> >
> > Hi
> >
> > I have skipped all major releases of OpenBSD after 5.4 for one firewall due to
> > watchdog timeout resets on the em driver. Earlier today I fired up a 5.9
> > release and patched it up to 5.9 stable and let it take over from the old one.
> > It seems to go very well. But I do have one question.
> >
> > The system seems to work as it should.
> >
> > But what does this mean?
> > Is it bad?
> >
> > root@xanadu:~#grep -i watchdog /var/log/messages
> > May 8 00:12:15 xanadu /bsd: em1: watchdog: head 118 tail 182 TDH 118 TDT 118
> > May 8 00:25:33 xanadu /bsd: em1: watchdog: head 181 tail 246 TDH 181 TDT 181
> > May 8 00:26:35 xanadu /bsd: em1: watchdog: head 137 tail 202 TDH 137 TDT 137
> > root@xanadu:~#

Hey,

At the very least, you'll want to fire up the 5.9 install and provide a full dmesg output, or better yet ``sendbug -P''.

Cheers!

> > Thanks in advance
> >
> > Regards
> > Peo
> > --
> > GPG keyID: 9429C093
> > GPG fingerprint: 5F37 4298 A07F C614 647B 458C A756 5C4E 9429 C093
>
> Well??? It was not good. I once again had to go back to the old 5.4 as the
> network traffic was not stable.
>
> I have two nics (PCI pass through in KVM).
> em0 at pci0 dev 3 function 0 "Intel 82576" rev 0x01: irq 11, address 00:1b:21:cc:51:7c
> em1 at pci0 dev 4 function 0 "Intel 82576" rev 0x01: irq 10, address 00:1b:21:cc:51:7d
>
> I use a couple of VLANs and also IPv6 on top on em0. em1 on the other hand is
> just an interface with an IP and an IP alias on it, no VLANs or so.
>
> Any clues of how to track this down? I can fire the machine up again and to
> some test...
>
> Thanks
> Peo
Re: kernel logs "v_type 1" and "f_type 1"
Hi Ville,

> On 09.05.2016 at 18:04, Ville Valkonen wrote:
>
> On 9 May 2016 at 16:03, Axel Rau wrote:
>> A firewall box (dual Atom N270, 2GB, 5 nics, running 5.8-current (GENERIC.MP)
>> #1219)
>> suddenly started logging
>>    v_type 1
>>    f_type 1
>> (up to 40 times/sec) and stopped routing.
>>
>> The effect went away after disconnecting all but one nic.
>>
>> Any help appreciated,
> Hi,
>
> you forgot to attach:
> - dmesg
> - routes
> - netstat
>
> and probably something else.

Thanks for answering. I attach:

dmesg with above error logs (startup protocol did not fit)
. . .
f_type 1
v_type 1
f_type 1
v_type 1
f_type 1
v_type 1
f_type 1
v_type 1
f_type 1
v_type 4
bad fd type
syslogd(6521): syscall 27
.

Historical dmesg, showing hardware
Re: TLS now supported on openbsd.org?
Giancarlo Razzolini wrote:
> It is really nice to finally see TLS on openbsd.org. How about redirecting
> http to https?

I dislike the idea.

For one, it does not stop a MITM by itself. In addition, enforced encryption makes it hard to cache and/or use proper http proxies with the site.

Purely informative sites don't need TLS. The user can opt to use TLS if he thinks the content he needs to read is somehow sensitive, or configure his browser not to use the regular http version if he feels like doing that.

A pure simple redirect does not add much to security unless the user takes extra steps - but if the user takes extra steps he does not need a redirect at all.

--
OpenPGP Key Fingerprint: BB5A C2A2 2CAD ACB7 D50D C081 1DB9 6FC4 5AB7 92FA
apache-httpd-openbsd?
try pkg_add http://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/amd64/apache-httpd-2.4.20p1.tgz
apache-httpd-openbsd?
Hi all,

Trying to install apache-httpd-openbsd in -current and it seems the package is no longer available. I cvs uped my src and ports and built the system from source but when I try to install apache-httpd-openbsd from ports I'm getting the "reading plist|Error: unknown fragment SHARED at /usr/libdata/perl5/OpenBSD/Subst.pm line 109, <$fh> line 2." error.

As I saw suggested in a recent message to ports@ (1) I rebuilt pkg_add from /usr/src/usr.sbin/pkg_add/ but that made no difference.

dmesg below

Thanks,

Jeff Ross

(1) http://marc.info/?l=openbsd-ports=146213655323699=2
Re: TLS now supported on openbsd.org?
On 2016-05-09, arrowscr...@mail.com wrote:
> - Do you plan to support ftp.openbsd.org? Would be great to
> download packages with more security

https is meant to provide privacy from eavesdroppers on the network path between the endpoints. security is a different matter (packages have been signed for several releases now which gives far greater benefit than https).

(also with often 500-1000 short connections for a package update, https is going to suck with the current implementation, there is no pipelining or session caching).
Re: TLS now supported on openbsd.org?
On Mon, May 09, 2016 at 06:23:51PM +, Giancarlo Razzolini wrote:
> > Let's Encrypt uses 4096.
> >
> > I think lets encrypt uses by default 2048, not 4096.

You're right. The default is 2048.

> Also, 4096 might indeed cause trouble with some old software. I recall
> issues with mono and older java versions.
>
> It is really nice to finally see TLS on openbsd.org. How about redirecting
> http to https? Also, it seems STS isn't being used. I don't know if this is a
> testing phase, but it would be nice to have those nevertheless.
>
> Cheers,
> Giancarlo Razzolini

--
Juan Francisco Cantero Hurtado http://juanfra.info
kernel: protection fault trap, code=0
Hi,

I got a "kernel: protection fault trap, code=0" on OpenBSD 5.9-current (GENERIC.MP) #2008: Sat May 7 08:16:29 MDT 2016 snapshot.

It seems that this is not a kernel panic:

ddb{2}> show panic
the kernel did not panic

If you need more info just ask.

kernel: protection fault trap, code=0
Stopped at rtisvalid+0x59: testb $0x2,mptramp_gdt32_desc+0x3a(%rdx)
ddb{0}> ps
Re: TLS now supported on openbsd.org?
On 2016-05-09, arrowscr...@mail.com wrote:
> - The RSA is 4096 bits. If I remember correctly, reyk@ said once
> that 4096 is overkill. Any specific reason to use 4096 instead of
> 2048?

That was then, this is now.

--
Christian "naddy" Weisgerber na...@mips.inka.de
IKED Host to Host VPN
I have a couple questions regarding IKED use that I couldn’t find in the docs:

Is it capable of use for host-to-host tunnels or just net-to-net?

In my case I’m trying to do a simple tunnel between hosts for spamd synching and a few other misc things. Running OpenBSD 5.9.

PF rules:

set skip on enc0
pass in on egress proto udp from $ipsec_peer to any port {500, 4500}

Host A /etc/iked.conf:

remote_gw = "x.x.x.x"
ikev2 active esp from any to any \
	local y.y.y.y peer $remote_gw \
	srcid y.y.y.y

Host B /etc/iked.conf

remote_gw = "y.y.y.y"
ikev2 esp from any to any \
	local x.x.x.x peer $remote_gw \
	srcid x.x.x.x

I’ve tried a few variations and never get any flows in the ipsecctl -sa output. What am I missing?

Thanks!

Scott
generic.mp #2018 amd64 install and packages.
Hi misc@,

Just a user experience for your consideration.

I picked up a new bsd.rd from snapshots in toronto. Checked the sha256 and signify to make sure it's good. Moved it to / and rebooted with:

boot> hd0a:/bsd.rd
selected Install with standard options.
clean download from the mirror followed by reboot.
--
logged in as root
--
# pkg_info
quirks-2.232
rtwn-formware-1.0
#
--
# pkg_add nano
Can't installl libiconv-1.14p3 because of libraries
|library.c.86.0 not found
| /usr/lib/libc.so.87.0 (system) bad major
Can't install gettext-0.19.7: can't resolve libiconv-1.14p3
Can't install nano-25.3: can't resolve gettext-0.19.7
--
Just looked at the toronto mirror ../snapshots/packages/amd64 and libiconv-1.14p3 is in the directory from May 8.
--
Switched /etc/pkg.conf from "%c" to "snapshots"
--
Same error as above

As always I want to express my gratitude to Theo and all the past and present devs --- have a great week ahead !!
Re: TLS now supported on openbsd.org?
On Mon, May 9, 2016 12:57 pm, arrowscr...@mail.com wrote:
>
> - I don't know in modern browsers, but Links 2.12 say that the
> certificate is not valid. It's just old browsers, or firefox also
> have this same problem?

Make sure you go to www.openbsd.org as it seems the cert is not valid for openbsd.org without the www.

Tim.
Re: generic.mp #2018 amd64 install and packages.
> Just a user experience for your consideration.
>
> I picked up a new bsd.rd from snapshots in toronto. Checked the sha256
> and signify to make sure it's good. Moved it to / and rebooted with:
>
> boot> hd0a:/bsd.rd
> selected Install with standard options.
> clean download from the mirror followed by reboot.
> --
> logged in as root
> --
> # pkg_info
> quirks-2.232
> rtwn-formware-1.0
> #
> --
> # pkg_add nano
> Can't installl libiconv-1.14p3 because of libraries
> |library.c.86.0 not found
> | /usr/lib/libc.so.87.0 (system) bad major
> Can't install gettext-0.19.7: can't resolve libiconv-1.14p3
> Can't install nano-25.3: can't resolve gettext-0.19.7
> --
> Just looked at the toronto mirror ../snapshots/packages/amd64 and
> libiconv-1.14p3 is in the directory from May 8.
> --
> Switched /etc/pkg.conf from "%c" to "snapshots"
> --
> Same error as above
>
> As always I want to express my gratitude to Theo and all the past and
> present devs --- have a great week ahead !!
>

Andrew, you are using snapshots. Those are at the head of active development.

When we make big changes, there is a lag until all the parts fit together. This is well documented all over the place.

Between 6-month releases, you can expect snapshots to experience this approximately 2-10 times.

Because ... it isn't a problem, it is how active development works in a system that changes binary interfaces to make advancements.
Re: ftp/www.openbsd.org will be down for an upgrade today.
Hi there,

just a short question about the site coming up again. Since our spamd-setup tries to get some blacklists from the site I was wondering if there is any info about the time schedule for the maintenance?

Regards

Markus

On 08.05.2016 at 23:44, Stefan Wollny wrote:
> On 05/08/16 at 20:03, Bob Beck wrote:
>> There will be an extended downtime of the main ftp and www sites for
>> an upgrade today starting in approximately one hour's time from now.
>>
>> The mirror sites should be unaffected - so use a mirror if you
>> discover the main site is unavailable today.
>
> Anyone know of an up2date mirror of 'current.html'?
> (Google just found one with the latest entries from 2005...)
> :-(
>
> TIA.
>
> STEFAN

--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220 fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before you print it, think about your responsibility and commitment to the ENVIRONMENT
Re: TLS now supported on openbsd.org?
> Let's Encrypt uses 4096. I think Let's Encrypt uses 2048 by default, not 4096. Also, 4096 might indeed cause trouble with some old software. I recall issues with Mono and older Java versions. It is really nice to finally see TLS on openbsd.org. How about redirecting http to https? Also, it seems STS isn't being used. I don't know if this is a testing phase, but it would be nice to have those nevertheless. Cheers, Giancarlo Razzolini
Re: TLS now supported on openbsd.org?
2016-05-09 18:57 GMT+02:00: > - I don't know in modern browsers, but Links 2.12 says that the > certificate is not valid. Is it just old browsers, or does Firefox also > have this same problem? All's good. See https://www.ssllabs.com/ssltest/analyze.html?viaform=on=www.openbsd.org
Re: TLS now supported on openbsd.org?
On Mon, May 09, 2016 at 06:57:52PM +0200, arrowscr...@mail.com wrote: > It's great to see OpenBSD Project supporting Let's Encrypt. I don't > know if you folks are still configuring it, but there are some points > that I noticed: > - I don't know in modern browsers, but Links 2.12 says that the > certificate is not valid. Is it just old browsers, or does Firefox also > have this same problem? Works for me with Lynx on -current and 5.8. > - The RSA is 4096 bits. If I remember correctly, reyk@ said once > that 4096 is overkill. Any specific reason to use 4096 instead of > 2048? Let's Encrypt uses 4096. > - Do you plan to support ftp.openbsd.org? Would be great to > download packages with more security You only need to check the signify keys using https (https://www.openbsd.org/59.html). I don't see how TLS is going to add "more security" to the download sites. -- Juan Francisco Cantero Hurtado http://juanfra.info
TLS now supported on openbsd.org?
It's great to see OpenBSD Project supporting Let's Encrypt. I don't know if you folks are still configuring it, but there are some points that I noticed: - I don't know in modern browsers, but Links 2.12 says that the certificate is not valid. Is it just old browsers, or does Firefox also have this same problem? - The RSA is 4096 bits. If I remember correctly, reyk@ said once that 4096 is overkill. Any specific reason to use 4096 instead of 2048? - Do you plan to support ftp.openbsd.org? Would be great to download packages with more security
Re: Claws-mail without Dbus
m...@pmars.jp writes: > Hi, > Thanks a lot for all the really nice job you're doing here. > > I'm trying to install Claws-mail without Dbus but that seems not > possible. The ports tree tries to provide packages usable by most. What if another user wants claws-mail linked against dbus, but not against xz? > Is there a way to do that via pkg_add or pkg_delete? > > I saw something on the man with the -D option and 'libdepends' value, > stating the lib might not be fulfilled; > would it be the way Once you start to use this kind of option, you're on your own. > (I doubt as Dbus is not a lib) ? dbus is also a lib. > I tried to ftp only the claws package and nulled $PKG_PATH, > that didn't work. > Pkg_add told me it needs claws' dependencies; > i.e. dbus and its lib (and a wrapper named enchant). Obviously dbus is needed, since by default claws-mail links against it. Even if you untarred the package and installed claws manually, you wouldn't be able to run it. > Below is info about the system I'm using, > if you need more, please tell me Looks like you have packages that depend on dbus, but dbus doesn't appear in the list you provide. That kind of custom setup isn't supported. You'd better reconsider the reasons why you do not want dbus installed in the first place. -- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
Re: ftp/www.openbsd.org will be down for an upgrade today.
On 2016-05-08, Stefan Wollny wrote: > On 05/08/16 at 20:03, Bob Beck wrote: >> There will be an extended downtime of the main ftp and www sites for >> an upgrade today starting in approximately one hour's time from now. >> >> The mirror sites should be unaffected - so use a mirror if you >> discover the main site is unavailable today. >> > Anyone know of an up2date mirror of 'current.html'? > (Google just found one with the latest entries from 2005...) >:-( > > TIA. Any anoncvs server, in the www repository.
Re: kernel logs "v_type 1" and "f_type 1"
On 9 May 2016 at 16:03, Axel Rau wrote: > A firewall box (dual Atom N270, 2GB, 5 nics, running 5.8-current (GENERIC.MP) > #1219) > suddenly started logging > v_type 1 > f_type 1 > (up to 40 times/sec) and stopped routing. > > The effect went away after disconnecting all but one nic. > > Any help appreciated, > Axel > --- > PGP-Key:29E99DD6 ☀ computing @ chaos claudius Hi, you forgot to attach: - dmesg - routes - netstat and probably something else. -- Regards, Ville
Claws-mail without Dbus
Hi, Thanks a lot for all the really nice job you're doing here. I'm trying to install Claws-mail without Dbus but that seems not possible. Is there a way to do that via pkg_add or pkg_delete? I saw something on the man with the -D option and 'libdepends' value, stating the lib might not be fulfilled; would it be the way (I doubt as Dbus is not a lib) ? I tried to ftp only the claws package and nulled $PKG_PATH, that didn't work. Pkg_add told me it needs claws' dependencies; i.e. dbus and its lib (and a wrapper named enchant). Below is info about the system I'm using, if you need more, please tell me TALIA! OpenBSD ecs.tamerr 5.9 GENERIC.MP#1616 i386 totally fresh install with only fluxbox as GUI (except installing/deinstalling claws-mail)

mett:/home/mett/downloads:12$ pkg_info -A [15/554]
aspell-0.60.6.1p2 spell checker designed to eventually replace Ispell
atk-2.18.0 accessibility toolkit used by gtk+
bzip2-1.0.6p7 block-sorting file compressor, unencumbered
cairo-1.14.6 vector graphics library
curl-7.47.0 get files from FTP, Gopher, HTTP or HTTPS servers
cyrus-sasl-2.1.26p15 RFC SASL (Simple Authentication and Security Layer)
desktop-file-utils-0.22p0 utilities for dot.desktop entries
fluxbox-1.3.7p0 window manager based on the original Blackbox code
fribidi-0.19.7 library implementing the Unicode Bidirectional Algorithm
gdk-pixbuf-2.32.3 graphic library for gtk+2
gettext-0.19.7 GNU gettext runtime libraries and programs
giflib-5.1.2 tools and library routines for working with GIF images
glib2-2.46.2p0 general-purpose utility library
gmp-5.0.2p3 library for arbitrary precision arithmetic
gnome-icon-theme-3.12.0p3 base icon theme for GNOME
gnome-icon-theme-symbolic-3.12.0p2 base icon theme extension for special UI contexts
gnupg-1.4.19p0 GNU privacy guard - a free PGP replacement
gnutls-3.3.21 GNU Transport Layer Security library
gpgme-1.5.1p1 GnuPG Made Easy
graphite2-1.3.5 rendering for complex writing systems
gtk+2-2.24.29 multi-platform graphical toolkit
gtk-update-icon-cache-3.18.7 gtk+ icon theme caching utility
harfbuzz-1.1.3 text shaping library
hicolor-icon-theme-0.15 fallback theme of the icon theme specification
imlib2-1.4.7 image manipulation library
jasper-1.900.1p4 reference implementation of JPEG-2000
jpeg-9a IJG's JPEG compression utilities
libarchive-3.1.2p0 multi-format archive and compression library
libassuan-2.1.1 IPC library used by GnuPG and gpgme
libcanberra-0.30p2 implementation of the Freedesktop sound theme spec.
libcanberra-gtk-0.30p3 gtk+2 helper for libcanberra
libcroco-0.6.11 generic CSS parsing library for GNOME project
libelf-0.8.13p3 read, modify, create ELF files on any arch
libetpan-1.6p0 mail purpose library
libexecinfo-0.2p5v0 clone of backtrace facility found in the GNU libc
libffi-3.2.1p0 Foreign Function Interface
libgpg-error-1.21 error codes for GnuPG related software
libiconv-1.14p3 character set conversion library
libid3tag-0.15.1bp4 library for reading ID3 tags
libidn-1.32 internationalized string handling
libltdl-2.4.2p1 GNU libtool system independent dlopen wrapper
libnettle-3.2 cryptographic library
libnotify-0.7.6p0 send desktop notifications to a notification daemon
libogg-1.3.2p0 Ogg bitstream library
librsvg-2.40.13 SAX-based render library for SVG files
libtasn1-4.7 Abstract Syntax Notation One structure parser library
libvorbis-1.3.5 audio compression codec library
libxml-2.9.3 XML parsing library
lzo2-2.09 portable speedy lossless data compression library
nghttp2-1.6.0 library for HTTP/2
p11-kit-0.22.1p1 library for loading and enumurating of PKCS#11 modules
pango-1.38.1 library for layout and rendering of text
pcre-8.38 perl-compatible regular expression library
png-1.6.20 library for manipulating PNG images
python-2.7.11 interpreted object-oriented programming language
quirks-2.197 exceptions to pkg_add rules
shared-mime-info-1.5 shared mime database for desktops
sound-theme-freedesktop-0.8p0 XDG sound theme
startup-notification-0.12p4 library for tracking application startup
tiff-4.0.6p0 tools and library routines for working with TIFF images
xz-5.2.2p0 LZMA compression and decompression tools

mett:/home/mett/downloads:11$ dmesg [79/484]
OpenBSD 5.9 (GENERIC.MP) #1616: Fri Feb 26 01:28:13 MST 2016
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz ("GenuineIntel" 686-class) 2.40 GHz
cpu0:
kernel logs "v_type 1" and "f_type 1"
A firewall box (dual Atom N270, 2GB, 5 nics, running 5.8-current (GENERIC.MP) #1219) suddenly started logging v_type 1 f_type 1 (up to 40 times/sec) and stopped routing. The effect went away after disconnecting all but one nic. Any help appreciated, Axel --- PGP-Key:29E99DD6 ☀ computing @ chaos claudius
Re: ftp/www.openbsd.org will be down for an upgrade today.
Hello, on 08.05.2016 23:44, Stefan Wollny wrote: Anyone know of an up2date mirror of 'current.html'? (Google just found one with the latest entries from 2005...) :-( In case of doubt, http://web.archive.org/web/20160401125246/http://www.openbsd.org/faq/current.html isn't far too "way back", either. (Cheap pun intended.) Christoph -- open...@aixplosive.net
Re: NFS over IPSec (NAT-T)
On Fri, Jun 12, 2015 at 10:46:48AM +0100, Zé Loff wrote: > Hi all > > I have an IKEv1 setup that allows my roaming laptop (amd64 -current) to > connect to the office LAN (i386 patched 5.6) using outgoing NAT. Everything* > works fine, I can ssh machines, browse internal websites, the works. > > The office LAN has a machine (amd64 patched 5.4, I know, I know) with > some NFS shares. Any machine inside the LAN -- this includes my laptop > when "at home" -- can mount those shares and all works fine. > > However, when I'm roaming NFS mounts fail with mountd stating "Refused > mount RPC from host". As far as I can tell, this happens because for > some reason the request issued by the laptop comes from a not reserved > port (tcpdump confirms this) when the connection is made through the > tunnel. All requests made "at home" come from <2048 ports and everything > works fine there. > > Any ideas as to why the requests come from high ports when on the tunnel > and reserved ports when "at home" and, more importantly? Cluebats and > flamethrowers welcome. > > Thanks in advance > Zé > > > * Actually there's something weird going on with getent and DNS queries > through the tunnel, but I'll save that for some other time > > -- > Just for the archives, I'm answering my own question (almost a year later): Cause: pf rewriting the source port when NATing, bumping it to >2048 Solution: add "static-port" to the match rule Cheers Zé
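The fix from the message above as a pf.conf fragment. This is an added example, not the poster's actual ruleset; the interface, network and server macros are constructed placeholders.

```pf
# Constructed example; ext_if, roam_net and nfs_srv are placeholder macros,
# not values from the thread.
ext_if   = "em0"
roam_net = "192.0.2.0/24"      # clients whose traffic gets NATed
nfs_srv  = "198.51.100.10"     # NFS server that runs mountd

# Before: nat-to picks a new source port, so the mount request no longer
# comes from a reserved port and mountd logs "Refused mount RPC from host".
# match out on $ext_if inet from $roam_net to any nat-to ($ext_if)

# After: static-port keeps the client's original source port. It is scoped
# to the NFS server because pf can then no longer change the port to keep
# apart two clients that picked the same source port.
match out on $ext_if inet from $roam_net to $nfs_srv nat-to ($ext_if) static-port

# All other traffic keeps the default port rewriting. This rule does not
# re-match the NFS traffic: after the rule above, later rules see the
# already translated source address.
match out on $ext_if inet from $roam_net to any nat-to ($ext_if)
```

A syntax check with `pfctl -nf /etc/pf.conf` before loading, and `tcpdump` on the server side as in the original report, confirm whether the source port now survives translation.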
Re: ftp/www.openbsd.org will be down for an upgrade today.
On 08/05/16 18:44, Stefan Wollny wrote: On 05/08/16 at 20:03, Bob Beck wrote: There will be an extended downtime of the main ftp and www sites for an upgrade today starting in approximately one hour's time from now. The mirror sites should be unaffected - so use a mirror if you discover the main site is unavailable today. Anyone know of an up2date mirror of 'current.html'? (Google just found one with the latest entries from 2005...) :-( TIA. STEFAN It's up now, but for next time: http://openbsd.md5.com.ar/faq/current.html
Re: rdomain and dhcrelay
> On 05/09/16 at 08:20, Holger Glaess wrote: >> hi >> >> is there a possibility to forward dhcp request from >> an rdomain X to the running dhcp server in rdomain 0 ? >> >> >> if i start the dhcrelay -i em1 192.168.131.250, >> >> i see that it forwards the request but it never reaches the server. >> >> the clients in rdomain 0 work with the dhcp server. >> >> or is it necessary to modify the dhcrelay with an option , >> >> route -n -T 2 exec dhcrelay -i em1 -V 0 192.168.131.250 >> >> ? >> em1 is part of rdomain 2. >> 192.168.131.xxx is part of rdomain 0 >> >> holger >> > > You can shove the packets to the correct rdomain with pf or pair(4) > may be of help: > > "Add pair(4), a vether-based virtual Ethernet driver to interconnect > rdomains and bridges on the local system." > > http://www.openbsd.org/plus59.html > > > HTH, > Marc > > Hi, i know pair because it breaks the isolation of the rdomain. and forward a forward req. from dhcrelay with pf it's ugly. ok i will try. thanks holger
Re: rdomain and dhcrelay
On 05/09/16 at 08:20, Holger Glaess wrote: > hi > > is there a possibility to forward dhcp request from > an rdomain X to the running dhcp server in rdomain 0 ? > > > if i start the dhcrelay -i em1 192.168.131.250, > > i see that it forwards the request but it never reaches the server. > > the clients in rdomain 0 work with the dhcp server. > > or is it necessary to modify the dhcrelay with an option , > > route -n -T 2 exec dhcrelay -i em1 -V 0 192.168.131.250 > > ? > em1 is part of rdomain 2. > 192.168.131.xxx is part of rdomain 0 > > holger > You can shove the packets to the correct rdomain with pf or pair(4) may be of help: "Add pair(4), a vether-based virtual Ethernet driver to interconnect rdomains and bridges on the local system." http://www.openbsd.org/plus59.html HTH, Marc
rdomain and dhcrelay
hi is there a possibility to forward dhcp request from an rdomain X to the running dhcp server in rdomain 0 ? if i start the dhcrelay -i em1 192.168.131.250, i see that it forwards the request but it never reaches the server. the clients in rdomain 0 work with the dhcp server. or is it necessary to modify the dhcrelay with an option , route -n -T 2 exec dhcrelay -i em1 -V 0 192.168.131.250 ? em1 is part of rdomain 2. 192.168.131.xxx is part of rdomain 0 holger