Re: Kindly support this initiative for a public git repository of OpenBSD source code located at Germany!

2018-01-07 Thread Bobby Foster
Reminds me of this article:
https://blogs.msdn.microsoft.com/bharry/2017/05/24/the-largest-git-repo-on-the-planet/

"As a refresher, the Windows code base is approximately 3.5M files and,
when checked in to a Git repo, results in a repo of about 300GB...  Before
the move to Git, in Source Depot, it was spread across 40+ depots and we
had a tool to manage operations that spanned them."

On Sun, Jan 7, 2018 at 4:13 PM, Stuart Henderson wrote:

> On 2018-01-06, Lari Rasku wrote:
> > On 01/02/18 14:03, Stuart Henderson wrote:
> >> Hosting a large git repository is not trivial, it uses far more server
> >> resources (memory and cpu time) than an anoncvs/cvsync/rsync mirror, and
> >> OpenBSD src/ (or even just ports/) is *huge* for a git repo. It works
> >> better on Linux where things are more separated. Even *just the kernel*
> >> is split across multiple repos.
> >
> > The Linux kernel repo is multiple times the size of OpenBSD-src [1],
> > so I don't see how things being more separated helps them re: hosting.
> > Perhaps kernel.org just has more hardware to throw at the problem?
> >
> > And in case anyone else was confused, the Linux kernel itself isn't split
> > across multiple repos: you can build a fully functional one from a single
> > checkout.  It is the kernel *development* that is split across multiple
> > repos, with occasional merges to mainline.
> >
> > [1]: Naive estimate based on comparing object counts when cloning from
> >  GitHub:
> >  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ -
> >  5,779,337 objects,
>
> Ah thanks, I didn't manage to track that down with the 850 others :)
>
> >  https://github.com/openbsd/src - 1,741,047 objects.
>
> When I've tried converting in the past I've had things like it taking
> about a minute to do a git log, even after the git repack that people
> familiar with git suggested I try.
>
> >> Anyway, has anyone fetched your openbsd-src0-test repo from github while
> >> crossing crypto export boundaries? That has the exact same issue,
> >> except that now as it's your repo, it may well be considered that it's
> >> *you* that is responsible for exporting it.
> >
> > Surely the responsibility for exporting lies with the one doing the
> > checkout?  Otherwise I don't see how operators of OpenBSD CVS mirrors
> > in the US aren't in the same position.
> >
> > Or is there some technical distinction between "mirroring" and "checking out"
> > a repository?  (I ask because the warning against fetching sources from USA
> > when located outside North America only appears on
> > https://www.openbsd.org/cvsync.html, not https://www.openbsd.org/anoncvs.html
> > or https://www.openbsd.org/ftp.html.)
>
> I don't know all the details. But the github page about it at
> https://help.github.com/articles/github-and-export-controls/
> makes it sound like it's the repo owner's responsibility to me.


Re: Community-driven OpenBSD tutorials wiki?

2018-01-07 Thread Duncan Patton a Campbell

Just my two bits here.. some open, running, example systems might
add more than just a wiki; a documented installation with a visible
config..?

Dhu

On Thu, 04 Jan 2018 14:17:51, Andreas Thulin wrote:

> Hi all!
> 
> Thought I'd create an OpenBSD wiki somewhere, where anyone (especially
> non-developers like myself) could create and edit tutorials for stuff
> non-developers like myself would find useful. I find that sometimes
> existing tutorials become outdated, and was thinking that a wiki would make
> updates easier.
> 
> Before I go and create anything - is there already a place similar to what
> I'm describing, where I could get myself involved? (I'm too junior to start
> suggesting changes and updates to the docs on OpenBSD.org, and I'm not sure
> they should be used for what I want to achieve.)
> 
> I know this comes out as yet another "let's start another project no one is
> asking for", but please be gentle with flaming me - I honestly want to
> contribute to the community to the extent of my abilities.
> 
> Cheers,
> Andreas
> 


-- 
 I am Canadian. That is neither French nor English.  
 It is a kind of savage: ne obliviscaris, vix ea nostra voco;-) 

http://babayaga.neotext.ca/PublicKeys/Duncan_Patton_a_Campbell_pubkey.txt



Re: iked with Windows 10 MS-ChapV2

2018-01-07 Thread Michael Lam
Yes, Windows 10 as road warrior, with ms-chapv2 authentication.

That means that on the server side I have a certificate and the client side
uses a username and password.

My config works with my iPhone as road warrior, but not Windows 10. I will
try to post the logs for both as soon as I can.

Kinda strange. I think it has something to do with how Windows offers the
proposal or peerid.

On Mon, 8 Jan 2018 at 6:13 AM, Patrick Wildt wrote:

> On Wed, Jan 03, 2018 at 03:11:01AM, Michael Lam wrote:
> > Hi all,
> >
> > Does anyone have experience with using iked with a Windows 10 and EAP
> > mschap-v2 authentication in a road warrior setup?
>
> You mean Windows 10 connecting as a road warrior to iked?
>
> > I tried but it doesn't work. It always returns an error saying no local
> > certificate found. On a side note - Windows seems to report its IP address
> > as peerid.
>
> Make sure you load the complete certificate chain for your _local_ iked
> certificate to /etc/iked/ca/.  This is, so far, required.  I have some
> upcoming diff that removes the requirement to trust all CAs of your
> local certificate.
>
> Patrick
>
> > On the OpenBSD side, I am using the latest iked from cvs and a valid
> > letsencrypt certificate. The resulting server does not have issues with the
> > iOS configuration but never got past Windows 10.
> >
> > The same certificate works properly with strongswan in a freebsd ikev2
> > setup, hence a server certificate issue can be eliminated.
> >
> > Will post logs and config once I am back home.
> > --
> >
> > Rgds, Michael
>
-- 

Rgds, Michael


Re: suckless st on OpenBSD62

2018-01-07 Thread Julien Steinhauser
Frederic Fichter wrote:

> Hello all,
> 

Hello

> My $HOME/.profile has only one line in it:
> export ENV=$HOME/.kshrc
> 
> And I set some variables in my $HOME/.kshrc 
> 
> Now, everything's cool in xterm (i.e. variables are set) - but that's not the 
> case in st, when I launch st from dmenu. 
> If I launch st from xterm, variables are set as well.
> 
> Where should I look for an explanation?

I don't know your setup; here, using xenodm autologin,
I can reproduce that only if I don't source ~/.profile in ~/.xsession.

Regards,
Julien



Re: iked with Windows 10 MS-ChapV2

2018-01-07 Thread Patrick Wildt
On Wed, Jan 03, 2018 at 03:11:01AM, Michael Lam wrote:
> Hi all,
> 
> Does anyone have experience with using iked with a Windows 10 and EAP
> mschap-v2 authentication in a road warrior setup?

You mean Windows 10 connecting as a road warrior to iked?

> I tried but it doesn't work. It always returns an error saying no local
> certificate found. On a side note - Windows seems to report its IP address
> as peerid.

Make sure you load the complete certificate chain for your _local_ iked
certificate to /etc/iked/ca/.  This is, so far, required.  I have some
upcoming diff that removes the requirement to trust all CAs of your
local certificate.

Patrick

> On the OpenBSD side, I am using the latest iked from cvs and a valid
> letsencrypt certificate. The resulting server does not have issues with the iOS
> configuration but never got past Windows 10.
> 
> The same certificate works properly with strongswan in a freebsd ikev2
> setup, hence a server certificate issue can be eliminated.
> 
> Will post logs and config once I am back home.
> -- 
> 
> Rgds, Michael



Re: Kindly support this initiative for a public git repository of OpenBSD source code located at Germany!

2018-01-07 Thread Stuart Henderson
On 2018-01-06, Lari Rasku wrote:
> On 01/02/18 14:03, Stuart Henderson wrote:
>> Hosting a large git repository is not trivial, it uses far more server
>> resources (memory and cpu time) than an anoncvs/cvsync/rsync mirror, and
>> OpenBSD src/ (or even just ports/) is *huge* for a git repo. It works
>> better on Linux where things are more separated. Even *just the kernel*
>> is split across multiple repos.
>
> The Linux kernel repo is multiple times the size of OpenBSD-src [1],
> so I don't see how things being more separated helps them re: hosting.
> Perhaps kernel.org just has more hardware to throw at the problem?
>
> And in case anyone else was confused, the Linux kernel itself isn't split
> across multiple repos: you can build a fully functional one from a single
> checkout.  It is the kernel *development* that is split across multiple
> repos, with occasional merges to mainline.
>
> [1]: Naive estimate based on comparing object counts when cloning from
>  GitHub:
>  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ - 
> 5,779,337 objects,

Ah thanks, I didn't manage to track that down with the 850 others :)

>  https://github.com/openbsd/src - 1,741,047 objects.

When I've tried converting in the past I've had things like it taking 
about a minute to do a git log, even after the git repack that people
familiar with git suggested I try.

>> Anyway, has anyone fetched your openbsd-src0-test repo from github while
>> crossing crypto export boundaries? That has the exact same issue,
>> except that now as it's your repo, it may well be considered that it's
>> *you* that is responsible for exporting it.
>
> Surely the responsibility for exporting lies with the one doing the
> checkout?  Otherwise I don't see how operators of OpenBSD CVS mirrors
> in the US aren't in the same position.
>
> Or is there some technical distinction between "mirroring" and "checking out"
> a repository?  (I ask because the warning against fetching sources from USA
> when located outside North America only appears on
> https://www.openbsd.org/cvsync.html, not https://www.openbsd.org/anoncvs.html
> or https://www.openbsd.org/ftp.html.)

I don't know all the details. But the github page about it at
https://help.github.com/articles/github-and-export-controls/
makes it sound like it's the repo owner's responsibility to me.




Re: suckless st on OpenBSD62

2018-01-07 Thread Ve Telko
I use only .profile file, I have ENV set to $HOME/.kshrc but it is empty. 
I run st -e ksh -l without any problems.

07.01.2018, 17:15, "Frederic Fichter":
> Hello all,
>
> I recently switched one of my machines from Debian to OpenBSD. Still a few 
> things left to fix (otherwise it would be no fun) and it looks promising.
>
> I'm running suckless software, I've installed these packages:
> dwm-6.1p0   dynamic window manager
> st-0.7p1    simple X terminal
>
> My $HOME/.profile has only one line in it:
> export ENV=$HOME/.kshrc
>
> And I set some variables in my $HOME/.kshrc
>
> Now, everything's cool in xterm (i.e. variables are set) - but that's not the 
> case in st, when I launch st from dmenu.
> If I launch st from xterm, variables are set as well.
>
> Where should I look for an explanation?
>
> Thanks much for your help with this.
>
> Best,
>
> Fred



OpenVPN Help

2018-01-07 Thread leroy jordan
Hi, All

I am using the OpenBSD 6.2 release as a production server. My network is
split with VLANs into int_ and ext_. However, I'm not sure which way to
run the VPN: in a virtual machine, or configured on the int_ or ext_ side, so
that all the traffic from the int_ side goes through an encrypted tun when it hits HTTPS
or TLS. I'm also using a desktop environment; this is the reason for the
needed outgoing traffic under the VPN.

Thanks LeRoy Jordan


Re: Simplifying pf-rules

2018-01-07 Thread Kenneth Gober
On Thu, Jan 4, 2018 at 8:09 AM, Jon S wrote:
> This led to my first experiences with pf. After some work I came up with
> what's below. It works as I want it to work, but I wonder if there is a way
> to create a rule where incoming traffic to the internal NIC (re0) is
> passed if it is targeted for em0 (external, internet NIC)? The current
> solution would require an update of the "pass in on re0 to
> !re0:network" rule if another NIC is added (let's say a DMZ).
>
> [ruleset omitted]

For years I used a vaguely similar ruleset on my own router; similar
in the sense that it used "pass out all" and relied only on filtering
inbound traffic.

But over time I've decided that it's better to block both inbound and
outbound by default, then explicitly allow traffic in 3 categories:
1. traffic to this router as the final destination (for services
running on the router)
2. traffic to be forwarded (with NAT if needed)
3. traffic that originates from this router

#3 is especially important if the router is also running other
services which may make announcements on the network.  If you are
running Samba for example you probably don't want to send
announcements to the Internet.  Yes, this means you need to know
explicitly what your services are doing so you know what to enable.
On the plus side it means nothing gets sent to the Internet simply
because you didn't know you needed to turn it off.

To differentiate between #1 and #2 I use tags to mark packets as
ACCEPT or FORWARD.  Only the packets tagged FORWARD are allowed to
pass out.  Inbound packets start with a TBD tag that basically means
"not yet tagged" and ensures that once a rule sets an ACCEPT or
FORWARD tag, other rules don't then try to re-tag it.

Also, I try to avoid using ! anywhere.  It is too easy to make
mistakes with it, and configuration mistakes are the #1 reason
unwanted traffic will get through your firewall.

A very stripped down subset of my ruleset follows, showing the
essentials.  em0 is my internal interface, em1 is my 'guest' interface
(that friends can use for their WiFi when they visit) and em2 connects
to my Internet cable modem (I don't use variable name substitutions
for unrelated reasons, but you may want to do so anyway).  I have
included em1 because it's very similar to a DMZ network.  I am running
several services on my router so I've also included the DNS and
ftp-proxy rules because they are good examples.  Note that I make
extensive use of "quick" to give "first matching rule wins" behavior.
I think this is easier to understand.

# pf.conf - PF configuration file

# tables
# (the table name was lost when this message was archived; <private> is
# assumed here and in the two rules below that reference it)
table <private> const { 10/8, 172.16/12, 192.168/16 }

# by default, block all traffic not explicitly allowed
block in log all tag TBD
block out log all

# ACCEPT - traffic that should be accepted by this router (not forwarded)

# accept ping requests
pass in log quick on em0 inet proto icmp from em0:network to (self) icmp-type echoreq tagged TBD tag ACCEPT
pass in log quick on em1 inet proto icmp from em1:network to em1 icmp-type echoreq tagged TBD tag ACCEPT

# accept DNS requests
pass in log quick on em0 inet proto { udp tcp } to (self) port domain tagged TBD tag ACCEPT
pass in log quick on em1 inet proto { udp tcp } from em1:network to em1 port domain tagged TBD tag ACCEPT

# accept SSH connections
pass in log quick on em0 inet proto tcp from em0:network to (self) port ssh tagged TBD tag ACCEPT
pass in log quick on em1 inet proto tcp from em1:network to em1 port ssh tagged TBD tag ACCEPT

# FORWARD / Inbound - traffic that should be forwarded by this router

# block non-Internet traffic from public (guest) network
block in log quick on em1 to <private> tagged TBD

# pass internal FTP traffic
pass in log quick on em0 inet proto tcp from em0:network to 192.168/18 port ftp tagged TBD tag FORWARD

# proxy external FTP traffic
pass in log quick on em0 inet proto tcp from em0:network to port ftp divert-to 127.0.0.1 port 8021 tagged TBD tag ACCEPT
pass in log quick on em1 inet proto tcp from em1:network to port ftp divert-to 127.0.0.1 port 8021 tagged TBD tag ACCEPT
anchor "ftp-proxy/*"

# default forwarding rules for traffic from private network
pass in log quick on em0 from em0:network to 192.168/18 tagged TBD tag FORWARD
pass in log quick on em0 from em0:network modulate state tagged TBD tag FORWARD

# default forwarding rules for traffic from public (guest) network
pass in log quick on em1 from em1:network to em1:network tagged TBD tag FORWARD
pass in log quick on em1 from em1:network modulate state tagged TBD tag FORWARD

# game server
pass in log quick on em2 inet proto udp to (em2) port 27016 rdr-to 192.168.24.50 tagged TBD tag FORWARD

# FORWARD / Outbound

# forward internal traffic
pass out log quick on em0 tagged FORWARD
pass out log quick on em1 tagged FORWARD

# block unroutable external traffic
block out log quick on em2 to <private> tagged FORWARD

# forward external traffic
pass out log quick on em2 nat-to (em2) tagged FORWARD

# Outbound - traffic that 
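Jon's original question (forwarding LAN traffic bound for the Internet without a "to !re0:network" rule, so that adding a DMZ does not mean editing it) answered with the same TBD/ACCEPT/FORWARD tagging, as an added example that is not part of Jon's or Kenneth's posts. Interface names follow Jon's message (re0 internal, em0 external); the DMZ interface em1, its subnet 192.168.100.0/24, the published host 192.168.100.10 and the table name <rfc1918> are assumptions made for the illustration.

```pf
# Added example, not from the original posts. Interfaces follow Jon's
# message: re0 = internal LAN, em0 = external/Internet. The DMZ
# interface em1, its subnet 192.168.100.0/24, the published host
# 192.168.100.10 and the table name <rfc1918> are assumptions.

table <rfc1918> const { 10/8, 172.16/12, 192.168/16 }

# The rule from the question, for comparison. Every new local interface
# means editing it, and a negation is easy to get wrong:
#   pass in on re0 from re0:network to !re0:network

# Default deny both ways. Every inbound packet starts tagged TBD; tags
# are sticky, so the first quick pass rule that sets ACCEPT or FORWARD
# is the only one that can.
block in log all tag TBD
block out log all

# ACCEPT: traffic for the router itself, one rule per service and
# interface. Nothing matched here is forwarded.
pass in log quick on re0 inet proto tcp from re0:network to (self) port ssh tagged TBD tag ACCEPT
pass in log quick on re0 inet proto { udp tcp } from re0:network to (self) port domain tagged TBD tag ACCEPT

# FORWARD from the LAN: name the local destinations first, then let the
# rest through. No "!" is needed. LAN packets for a private address that
# is not the DMZ are still forwarded in, but are dropped by the em0
# block-out rule below instead of leaking to the ISP.
pass in log quick on re0 inet from re0:network to em1:network tagged TBD tag FORWARD
pass in log quick on re0 inet from re0:network tagged TBD tag FORWARD

# FORWARD from the DMZ: Internet only. The block line stops new flows
# from the DMZ toward any private address (the LAN included); replies to
# LAN-initiated connections still flow, because they match state, not
# this rule. Any ACCEPT rule for DMZ hosts talking to the router itself
# must sit above this line.
block in log quick on em1 inet to <rfc1918> tagged TBD
pass in log quick on em1 inet from em1:network tagged TBD tag FORWARD

# Published DMZ service: HTTPS from the Internet to one DMZ host.
pass in log quick on em0 inet proto tcp to (em0) port https rdr-to 192.168.100.10 tagged TBD tag FORWARD

# FORWARD / outbound. Only FORWARD-tagged packets leave, and nothing
# with a private destination is sent toward the Internet.
pass out log quick on re0 tagged FORWARD
pass out log quick on em1 tagged FORWARD
block out log quick on em0 to <rfc1918> tagged FORWARD
pass out log quick on em0 inet nat-to (em0) tagged FORWARD
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Because every rule logs, `tcpdump -n -e -ttt -i pflog0` shows the rule number that matched each logged packet, which is the quickest way to confirm that a newly added interface's traffic takes the intended rule rather than the generic one. A second DMZ is then its own block of rules for the new interface; the re0 and em0 rules are left untouched.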

Re: suckless st on OpenBSD62

2018-01-07 Thread Frederic Fichter
Agreed, this was not an OpenBSD question. Solved by a "st -e ksh -l" that I'll 
run from a wrapper script, as suggested (I use such a script anyway to set the 
font in st).

Thanks again !

Fred 



Re: suckless st on OpenBSD62

2018-01-07 Thread Stuart Henderson
On 2018-01-07, Frederic Fichter wrote:
> Hello all,
>
> I recently switched one of my machines from Debian to OpenBSD. Still a few 
> things left to fix (otherwise it would be no fun) and it looks promising.
>
> I'm running suckless software, I've installed these packages:
> dwm-6.1p0   dynamic window manager
> st-0.7p1    simple X terminal
>
> My $HOME/.profile has only one line in it:
> export ENV=$HOME/.kshrc
>
> And I set some variables in my $HOME/.kshrc 
>
> Now, everything's cool in xterm (i.e. variables are set) - but that's not the 
> case in st, when I launch st from dmenu. 
> If I launch st from xterm, variables are set as well.
>
> Where should I look for an explanation?
>
> Thanks much for your help with this.
>
> Best,
>
> Fred
>
>

st isn't spawning the shell as a login shell. Normal terminals have an X
resource to tell them you want a login shell, but st doesn't believe in
runtime-settable configuration options.

Doesn't look like it can be passed directly via the SHELL environment
variable either, looks like it just wants a filename without any command
line option.

You could do "st -e ksh -l" but that would be an annoying way to do it..
Maybe a wrapper script?



Re: suckless st on OpenBSD62

2018-01-07 Thread Daniel Wilkins
On Sun, Jan 07, 2018 at 05:14:54PM +0100, Frederic Fichter wrote:
> Hello all,
> 
> I recently switched one of my machines from Debian to OpenBSD. Still a few 
> things left to fix (otherwise it would be no fun) and it looks promising.
> 
> I'm running suckless software, I've installed these packages:
> dwm-6.1p0   dynamic window manager
> st-0.7p1    simple X terminal
> 
> My $HOME/.profile has only one line in it:
> export ENV=$HOME/.kshrc
> 
> And I set some variables in my $HOME/.kshrc 
> 
> Now, everything's cool in xterm (i.e. variables are set) - but that's not the 
> case in st, when I launch st from dmenu. 
> If I launch st from xterm, variables are set as well.
> 
> Where should I look for an explanation?
> 
> Thanks much for your help with this.
> 
> Best,
> 
> Fred
> 

Have you restarted X since you set those variables? dmenu inherits dwm's 
environment which inherits X's environment which inherits the environment
that you logged in with.



suckless st on OpenBSD62

2018-01-07 Thread Frederic Fichter
Hello all,

I recently switched one of my machines from Debian to OpenBSD. Still a few 
things left to fix (otherwise it would be no fun) and it looks promising.

I'm running suckless software, I've installed these packages:
dwm-6.1p0   dynamic window manager
st-0.7p1    simple X terminal

My $HOME/.profile has only one line in it:
export ENV=$HOME/.kshrc

And I set some variables in my $HOME/.kshrc 

Now, everything's cool in xterm (i.e. variables are set) - but that's not the 
case in st, when I launch st from dmenu. 
If I launch st from xterm, variables are set as well.

Where should I look for an explanation?

Thanks much for your help with this.

Best,

Fred



Re: Kernel memory leaking on Intel CPUs?

2018-01-07 Thread Lampshade
There are some claims about Raspberry Pi:

Here you go:
We do not believe any generation of Raspberry Pi hardware
is susceptible to either the Spectre or Meltdown vulnerabilities.
https://twitter.com/EbenUpton/status/948999181309530116


Why Raspberry Pi isn’t vulnerable to Spectre or Meltdown

https://www.raspberrypi.org/blog/why-raspberry-pi-isnt-vulnerable-to-spectre-or-meltdown/