Re: Kindly support this initiative for a public git repository of OpenBSD source code located at Germany!
Reminds me of this article: https://blogs.msdn.microsoft.com/bharry/2017/05/24/the-largest-git-repo-on-the-planet/

"As a refresher, the Windows code base is approximately 3.5M files and, when checked in to a Git repo, results in a repo of about 300GB... Before the move to Git, in Source Depot, it was spread across 40+ depots and we had a tool to manage operations that spanned them."

On Sun, Jan 7, 2018 at 4:13 PM, Stuart Henderson wrote:
> On 2018-01-06, Lari Rasku wrote:
> > On 01/02/18 14:03, Stuart Henderson wrote:
> >> Hosting a large git repository is not trivial, it uses far more server
> >> resources (memory and cpu time) than an anoncvs/cvsync/rsync mirror, and
> >> OpenBSD src/ (or even just ports/) is *huge* for a git repo. It works
> >> better on Linux where things are more separated. Even *just the kernel*
> >> is split across multiple repos.
> >
> > The Linux kernel repo is multiple times the size of OpenBSD-src [1],
> > so I don't see how things being more separated helps them re: hosting.
> > Perhaps kernel.org just has more hardware to throw at the problem?
> >
> > And in case anyone else was confused, the Linux kernel itself isn't split
> > across multiple repos: you can build a fully functional one from a single
> > checkout. It is the kernel *development* that is split across multiple
> > repos, with occasional merges to mainline.
> >
> > [1]: Naive estimate based on comparing object counts when cloning from
> > GitHub:
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ - 5,779,337 objects,
>
> Ah thanks, I didn't manage to track that down with the 850 others :)
>
> > https://github.com/openbsd/src - 1,741,047 objects.
>
> When I've tried converting in the past I've had things like it taking
> about a minute to do a git log, even after the git repack that people
> familiar with git suggested I try.
>
> >> Anyway, has anyone fetched your openbsd-src0-test repo from github while
> >> crossing crypto export boundaries? That has the exact same issue,
> >> except that now as it's your repo, it may well be considered that it's
> >> *you* that is responsible for exporting it.
> >
> > Surely the responsibility for exporting lies with the one doing the
> > checkout? Otherwise I don't see how operators of OpenBSD CVS mirrors
> > in the US aren't in the same position.
> >
> > Or is there some technical distinction between "mirroring" and "checking out"
> > a repository? (I ask because the warning against fetching sources from USA
> > when located outside North America only appears on
> > https://www.openbsd.org/cvsync.html, not https://www.openbsd.org/anoncvs.html
> > or https://www.openbsd.org/ftp.html.)
>
> I don't know all the details. But the github page about it at
> https://help.github.com/articles/github-and-export-controls/
> makes it sound like it's the repo owner's responsibility to me.
Re: Community-driven OpenBSD tutorials wiki?
Just my two bits here.. some open, running, example systems might add more than just a wiki; a documented installation with a visible config..?

Dhu

On Thu, 04 Jan 2018 14:17:51 +, Andreas Thulin wrote:
> Hi all!
>
> Thought I'd create an OpenBSD wiki somewhere, where anyone (especially
> non-developers like myself) could create and edit tutorials for stuff
> non-developers like myself would find useful. I find that sometimes
> existing tutorials become outdated, and was thinking that a wiki would make
> updates easier.
>
> Before I go and create anything - are there already a place similar to what
> I'm describing, where I could get myself involved? (I'm too junior to start
> suggesting changes and updates to the docs on OpenBSD.org, and I'm not sure
> they should be used for what I want to achieve.)
>
> I know this comes out as yet another "let's start another project no one is
> asking for", but please be gentle with flaming me - I honestly want to
> contribute to the community to the extent of my abilities.
>
> Cheers,
> Andreas
>

--
I am Canadian. It is not French or English. It is a kind of savage: ne obliviscaris, vix ea nostra voco ;-)
http://babayaga.neotext.ca/PublicKeys/Duncan_Patton_a_Campbell_pubkey.txt
Re: iked with Windows 10 MS-ChapV2
Yes, Windows 10 as road warrior, with ms-chapv2 authentication. That means server side I have a certificate and client side using username and password. My config works with my iPhone as road warrior, but not windows 10. I will try to post the logs for both as soon as I can. Kinda strange, I think it has something to do with how Windows offers the proposal or peerid.

On Mon, 8 Jan 2018 at 6:13 AM, Patrick Wildt wrote:
> On Wed, Jan 03, 2018 at 03:11:01AM +, Michael Lam wrote:
> > Hi all,
> >
> > Does anyone have experience with using iked with a Windows 10 and EAP
> > mschap-v2 authentication in a road warrior setup?
>
> You mean Windows 10 connecting as a road warrior to iked?
>
> > I tried but it doesn't work. It always returns an error saying no local
> > certificate found. On a side note - Windows seems to report its IP address
> > as peerid.
>
> Make sure you load the complete certificate chain for your _local_ iked
> certificate to /etc/iked/ca/. This is, so far, required. I have some
> upcoming diff that removes the requirement to trust all CAs of your
> local certificate.
>
> Patrick
>
> > On the OpenBSD side, I am using the latest iked from cvs and a valid
> > letsencrypt certificate. The resulting server does not have issue with iOS
> > configuration but never got past Windows 10.
> >
> > The same certificate works properly with strongswan in a freebsd ikev2
> > setup hence server certificate issue can be eliminated.
> >
> > Will post logs and config once I am back home.
> > --
> >
> > Rgds, Michael
>

--
Rgds, Michael
Re: suckless st on OpenBSD62
Frederic Fichter wrote:
> Hello all,

Hello

> My $HOME/.profile has only one line in it:
> export ENV=$HOME/.kshrc
>
> And I set some variables in my $HOME/.kshrc
>
> Now, everything's cool in xterm (i.e. variables are set) - but that's not the
> case in st, when I launch st from dmenu.
> If I launch st from xterm, variables are set as well.
>
> Where should I look for an explanation?

I don't know your setup; here, using Xenodm autologin, I can reproduce that only if I don't source ~/.profile in ~/.xsession.

Regards,
Julien
Re: iked with Windows 10 MS-ChapV2
On Wed, Jan 03, 2018 at 03:11:01AM +, Michael Lam wrote:
> Hi all,
>
> Does anyone have experience with using iked with a Windows 10 and EAP
> mschap-v2 authentication in a road warrior setup?

You mean Windows 10 connecting as a road warrior to iked?

> I tried but it doesn't work. It always returns an error saying no local
> certificate found. On a side note - Windows seems to report its IP address
> as peerid.

Make sure you load the complete certificate chain for your _local_ iked
certificate to /etc/iked/ca/. This is, so far, required. I have some
upcoming diff that removes the requirement to trust all CAs of your
local certificate.

Patrick

> On the OpenBSD side, I am using the latest iked from cvs and a valid
> letsencrypt certificate. The resulting server does not have issue with iOS
> configuration but never got past Windows 10.
>
> The same certificate works properly with strongswan in a freebsd ikev2
> setup hence server certificate issue can be eliminated.
>
> Will post logs and config once I am back home.
> --
>
> Rgds, Michael
Re: Kindly support this initiative for a public git repository of OpenBSD source code located at Germany!
On 2018-01-06, Lari Rasku wrote:
> On 01/02/18 14:03, Stuart Henderson wrote:
>> Hosting a large git repository is not trivial, it uses far more server
>> resources (memory and cpu time) than an anoncvs/cvsync/rsync mirror, and
>> OpenBSD src/ (or even just ports/) is *huge* for a git repo. It works
>> better on Linux where things are more separated. Even *just the kernel*
>> is split across multiple repos.
>
> The Linux kernel repo is multiple times the size of OpenBSD-src [1],
> so I don't see how things being more separated helps them re: hosting.
> Perhaps kernel.org just has more hardware to throw at the problem?
>
> And in case anyone else was confused, the Linux kernel itself isn't split
> across multiple repos: you can build a fully functional one from a single
> checkout. It is the kernel *development* that is split across multiple
> repos, with occasional merges to mainline.
>
> [1]: Naive estimate based on comparing object counts when cloning from
> GitHub:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ -
> 5,779,337 objects,

Ah thanks, I didn't manage to track that down with the 850 others :)

> https://github.com/openbsd/src - 1,741,047 objects.

When I've tried converting in the past I've had things like it taking
about a minute to do a git log, even after the git repack that people
familiar with git suggested I try.

>> Anyway, has anyone fetched your openbsd-src0-test repo from github while
>> crossing crypto export boundaries? That has the exact same issue,
>> except that now as it's your repo, it may well be considered that it's
>> *you* that is responsible for exporting it.
>
> Surely the responsibility for exporting lies with the one doing the
> checkout? Otherwise I don't see how operators of OpenBSD CVS mirrors
> in the US aren't in the same position.
>
> Or is there some technical distinction between "mirroring" and "checking out"
> a repository? (I ask because the warning against fetching sources from USA
> when located outside North America only appears on
> https://www.openbsd.org/cvsync.html, not https://www.openbsd.org/anoncvs.html
> or https://www.openbsd.org/ftp.html.)

I don't know all the details. But the github page about it at
https://help.github.com/articles/github-and-export-controls/
makes it sound like it's the repo owner's responsibility to me.
Re: suckless st on OpenBSD62
I use only the .profile file; I have ENV set to $HOME/.kshrc but it is empty. I run st -e ksh -l without any problems.

07.01.2018, 17:15, "Frederic Fichter":
> Hello all,
>
> I recently switched one of my machines from Debian to OpenBSD, Still a few
> things left to fix (otherwise it would be no fun) and it looks promising.
>
> I'm running suckless software, I've installed these packages:
> dwm-6.1p0 dynamic window manager
> st-0.7p1 simple X terminal
>
> My $HOME/.profile has only one line in it:
> export ENV=$HOME/.kshrc
>
> And I set some variables in my $HOME/.kshrc
>
> Now, everything's cool in xterm (i.e. variables are set) - but that's not the
> case in st, when I launch st from dmenu.
> If I launch st from xterm, variables are set as well.
>
> Where should I look for an explanation?
>
> Thanks much for your help with this.
>
> Best,
>
> Fred
OpenVPN Help
Hi, All

I am using openbsd 6.2 release, as a production server. My network is split with vlan into int_ and ext_ . However, I'm not sure which way to run the VPN: in a virtual machine, or configured on the int_ or ext_ side, so that all the traffic from the int_ side is encrypted in the tun when it hits HTTPS or TLS. I'm also using a desktop environment; this is the reason for the needed outgoing traffic under VPN.

Thanks
LeRoy Jordan
Re: Simplifying pf-rules
On Thu, Jan 4, 2018 at 8:09 AM, Jon S wrote:
> This led to my first experiences with pf. After some work I came up with
> what's below. It works as I want it to work, but I wonder if there is a way
> to create a rule where incoming traffic to the internal NIC (re0) is
> passed if it is targeted for em0 (external, internet NIC)? The current
> solution would require an update of the "pass in on re0 to
> !re0:network"-rule if another NIC is added (let's say a DMZ).
>
> [ruleset omitted]

For years I used a vaguely similar ruleset on my own router; similar in the sense that it used "pass out all" and relied only on filtering inbound traffic. But over time I've decided that it's better to block both inbound and outbound by default, then explicitly allow traffic in 3 categories:

1. traffic to this router as the final destination (for services running on the router)
2. traffic to be forwarded (with NAT if needed)
3. traffic that originates from this router

#3 is especially important if the router is also running other services which may make announcements on the network. If you are running Samba for example you probably don't want to send announcements to the Internet. Yes, this means you need to know explicitly what your services are doing so you know what to enable. On the plus side it means nothing gets sent to the Internet simply because you didn't know you needed to turn it off.

To differentiate between #1 and #2 I use tags to mark packets as ACCEPT or FORWARD. Only the packets tagged FORWARD are allowed to pass out. Inbound packets start with a TBD tag that basically means "not yet tagged" and ensures that once a rule sets an ACCEPT or FORWARD tag, other rules don't then try to re-tag it.

Also, I try to avoid using ! anywhere. It is too easy to make mistakes with it, and configuration mistakes are the #1 reason unwanted traffic will get through your firewall.

A very stripped down subset of my ruleset follows, showing the essentials. em0 is my internal interface, em1 is my 'guest' interface (that friends can use for their WiFi when they visit) and em2 connects to my Internet cable modem (I don't use variable name substitutions for unrelated reasons, but you may want to do so anyway). I have included em1 because it's very similar to a DMZ network. I am running several services on my router so I've also included the DNS and ftp-proxy rules because they are good examples. Note that I make extensive use of "quick" to give "first matching rule wins" behavior. I think this is easier to understand.

# pf.conf - PF configuration file

# tables
table const { 10/8, 172.16/12, 192.168/16 }

# by default, block all traffic not explicitly allowed
block in log all tag TBD
block out log all

# ACCEPT - traffic that should be accepted by this router (not forwarded)

# accept ping requests
pass in log quick on em0 inet proto icmp from em0:network to (self) icmp-type echoreq tagged TBD tag ACCEPT
pass in log quick on em1 inet proto icmp from em1:network to em1 icmp-type echoreq tagged TBD tag ACCEPT

# accept DNS requests
pass in log quick on em0 inet proto { udp tcp } to (self) port domain tagged TBD tag ACCEPT
pass in log quick on em1 inet proto { udp tcp } from em1:network to em1 port domain tagged TBD tag ACCEPT

# accept SSH connections
pass in log quick on em0 inet proto tcp from em0:network to (self) port ssh tagged TBD tag ACCEPT
pass in log quick on em1 inet proto tcp from em1:network to em1 port ssh tagged TBD tag ACCEPT

# FORWARD / Inbound - traffic that should be forwarded by this router

# block non-Internet traffic from public (guest) network
block in log quick on em1 to tagged TBD

# pass internal FTP traffic
pass in log quick on em0 inet proto tcp from em0:network to 192.168/18 port ftp tagged TBD tag FORWARD

# proxy external FTP traffic
pass in log quick on em0 inet proto tcp from em0:network to port ftp divert-to 127.0.0.1 port 8021 tagged TBD tag ACCEPT
pass in log quick on em1 inet proto tcp from em1:network to port ftp divert-to 127.0.0.1 port 8021 tagged TBD tag ACCEPT
anchor "ftp-proxy/*"

# default forwarding rules for traffic from private network
pass in log quick on em0 from em0:network to 192.168/18 tagged TBD tag FORWARD
pass in log quick on em0 from em0:network modulate state tagged TBD tag FORWARD

# default forwarding rules for traffic from public (guest) network
pass in log quick on em1 from em1:network to em1:network tagged TBD tag FORWARD
pass in log quick on em1 from em1:network modulate state tagged TBD tag FORWARD

# game server
pass in log quick on em2 inet proto udp to (em2) port 27016 rdr-to 192.168.24.50 tagged TBD tag FORWARD

# FORWARD / Outbound

# forward internal traffic
pass out log quick on em0 tagged FORWARD
pass out log quick on em1 tagged FORWARD

# block unroutable external traffic
block out log quick on em2 to tagged FORWARD

# forward external traffic
pass out log quick on em2 nat-to (em2) tagged FORWARD

# Outbound - traffic that
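A small lint script for the TBD/ACCEPT/FORWARD tag discipline described in the reply above, added here as an example; it is not part of the original post and not a pf tool. It assumes the conventions the reply lays out (default block in/out, every pass-in rule matches "tagged TBD" and sets ACCEPT or FORWARD, pass-out rules require "tagged FORWARD", no "!") and, as an added assumption for the third category, treats pass-out rules with "from (self)" as router-originated traffic; the sample ruleset is constructed.

```python
import re

def _strip(raw):
    """Drop a trailing '#' comment and surrounding whitespace."""
    return raw.split("#", 1)[0].strip()

def lint_pf(text):
    """Return [(lineno, message), ...]; empty means the ruleset follows the
    convention. Line 0 marks whole-file findings (missing default blocks)."""
    rules = [(n, _strip(raw)) for n, raw in enumerate(text.splitlines(), 1)]
    rules = [(n, r) for n, r in rules if r]
    bodies = [r for _, r in rules]
    findings = []
    # Default-deny: inbound packets must start out tagged TBD, outbound blocked.
    if not any(re.match(r"block\s+in\b.*\ball\b.*\btag\s+TBD\b", r) for r in bodies):
        findings.append((0, "no default 'block in ... all tag TBD' rule"))
    if not any(re.match(r"block\s+out\b.*\ball\b", r) for r in bodies):
        findings.append((0, "no default 'block out ... all' rule"))
    for n, r in rules:
        if "!" in r:
            findings.append((n, "negation '!' used"))
        if re.match(r"pass\s+in\b", r):
            # Every pass-in rule consumes a TBD packet and retags it exactly once.
            if not re.search(r"\btagged\s+TBD\b", r):
                findings.append((n, "pass in rule lacks 'tagged TBD'"))
            if not re.search(r"\btag\s+(ACCEPT|FORWARD)\b", r):
                findings.append((n, "pass in rule sets no ACCEPT/FORWARD tag"))
        elif re.match(r"pass\s+out\b", r):
            # Only FORWARD-tagged packets leave; 'from (self)' is the assumed
            # marker for the post's third category (router-originated traffic).
            local = re.search(r"\bfrom\s+\(?self\)?", r)
            if not (re.search(r"\btagged\s+FORWARD\b", r) or local):
                findings.append((n, "pass out rule lacks 'tagged FORWARD'"))
    return findings

# Constructed sample: lines 5 and 8 deliberately break the convention.
SAMPLE = """\
block in log all tag TBD
block out log all
pass in log quick on em0 inet proto tcp from em0:network to (self) port ssh tagged TBD tag ACCEPT
pass in log quick on em0 from em0:network modulate state tagged TBD tag FORWARD
pass in quick on re0 to !re0:network
pass out log quick on em2 nat-to (em2) tagged FORWARD
pass out quick on em2 proto udp from (self) to any port ntp
pass out quick on em1
"""

if __name__ == "__main__":
    for lineno, msg in lint_pf(SAMPLE):
        print(f"line {lineno}: {msg}")
```

Run it against a real pf.conf with `python3 lint.py < /etc/pf.conf` after swapping SAMPLE for `sys.stdin.read()`; it is line-based and does not follow backslash continuations or macros.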
Re: suckless st on OpenBSD62
Agreed, this was not an OpenBSD question. Solved by a "st -e ksh -l" that I'll run from a wrapper script, as suggested (I use such a script anyway to set the font in st).

Thanks again!

Fred
Re: suckless st on OpenBSD62
On 2018-01-07, Frederic Fichter wrote:
> Hello all,
>
> I recently switched one of my machines from Debian to OpenBSD, Still a few
> things left to fix (otherwise it would be no fun) and it looks promising.
>
> I'm running suckless software, I've installed these packages:
> dwm-6.1p0 dynamic window manager
> st-0.7p1 simple X terminal
>
> My $HOME/.profile has only one line in it:
> export ENV=$HOME/.kshrc
>
> And I set some variables in my $HOME/.kshrc
>
> Now, everything's cool in xterm (i.e. variables are set) - but that's not the
> case in st, when I launch st from dmenu.
> If I launch st from xterm, variables are set as well.
>
> Where should I look for an explanation?
>
> Thanks much for your help with this.
>
> Best,
>
> Fred
>

st isn't spawning the shell as a login shell. Normal terminals have an X resource to tell it you want a login shell, but st doesn't believe in runtime-settable configuration options. Doesn't look like it can be passed directly via the SHELL environment variable either; looks like it just wants a filename without any command line option. You could do "st -e ksh -l" but that would be an annoying way to do it.. Maybe a wrapper script?
Re: suckless st on OpenBSD62
On Sun, Jan 07, 2018 at 05:14:54PM +0100, Frederic Fichter wrote:
> Hello all,
>
> I recently switched one of my machines from Debian to OpenBSD, Still a few
> things left to fix (otherwise it would be no fun) and it looks promising.
>
> I'm running suckless software, I've installed these packages:
> dwm-6.1p0 dynamic window manager
> st-0.7p1 simple X terminal
>
> My $HOME/.profile has only one line in it:
> export ENV=$HOME/.kshrc
>
> And I set some variables in my $HOME/.kshrc
>
> Now, everything's cool in xterm (i.e. variables are set) - but that's not the
> case in st, when I launch st from dmenu.
> If I launch st from xterm, variables are set as well.
>
> Where should I look for an explanation?
>
> Thanks much for your help with this.
>
> Best,
>
> Fred
>

Have you restarted X since you set those variables? dmenu inherits dwm's environment, which inherits X's environment, which inherits the environment that you logged in with.
suckless st on OpenBSD62
Hello all,

I recently switched one of my machines from Debian to OpenBSD, Still a few things left to fix (otherwise it would be no fun) and it looks promising.

I'm running suckless software, I've installed these packages:
dwm-6.1p0 dynamic window manager
st-0.7p1 simple X terminal

My $HOME/.profile has only one line in it:
export ENV=$HOME/.kshrc

And I set some variables in my $HOME/.kshrc

Now, everything's cool in xterm (i.e. variables are set) - but that's not the case in st, when I launch st from dmenu.
If I launch st from xterm, variables are set as well.

Where should I look for an explanation?

Thanks much for your help with this.

Best,

Fred
Re: Kernel memory leaking on Intel CPUs?
There are some claims about Raspberry Pi:

Here you go:

"We do not believe any generation of Raspberry Pi hardware is susceptible to either the Spectre or Meltdown vulnerabilities."
https://twitter.com/EbenUpton/status/948999181309530116

Why Raspberry Pi isn't vulnerable to Spectre or Meltdown
https://www.raspberrypi.org/blog/why-raspberry-pi-isnt-vulnerable-to-spectre-or-meltdown/