is pfsync losing data on reboot?
Hi folks,

I have a question about pfsync protocol in a master-backup firewall configuration (OpenBSD 6.3 and 6.4): If I reboot (let's say) the backup host, will it receive the whole set of state information again, when it gets back online?

Hopefully I am not too blind to see, but pfsync(4) doesn't tell.

Every helpful comment is highly appreciated.

Harri
Re: Use xenodm like startx?
Thu, 31 Jan 2019 17:33:01 +0100 Freddy Fisker
> Hi
>
> I am using the Xfce desktop, and the only thing I am doing is making the
> file with:
>
> $ echo xfce4-session > ~/.xinitrc
>

Hi Freddy,

Alright, I was running startx pretty happily with an .xinitrc to set up programs started, terminal positions & everything, then along comes the notorious fix and now, it's renamed to .xsession, and xenodm starts it.

But now I have to log twice to the console and then again log in to the X display manager, which I totally don't like having to do, a nuisance.

The console is used ironically to setup & add ssh agent keys, before X. So that the agent could persist and be used regardless of the X server.

With the help of the tips from this thread, now it's back to manual log at the console and running the x alias to start the session. All good.

https://man.openbsd.org/xenodm#RESOURCES
DisplayManager.*.autoLogin
DisplayManager.*.terminateServer

The only issue is, these sets of complexities called xenodm, needlessly just because people want to log in a Windows graphical display manager.

I just have no use for this login manager stuff, and never had any use, of desktop environments complex dysfunctional distro style all mixed up graphical 'experience'. Plain cwm, simplest X setup and it just works.

It would be nicer if we could run X with a session file WITHOUT xenodm.

Not sure your suggested xinit is not a fall through of the setuid bug..

2018-10-26 setuid bit removed from /usr/X11R6/bin/Xorg
The Xorg binary is no longer installed setuid. So startx(1) can no longer be used by non-root users. The xenodm(1) display manager has to be used.

Kind regards,
Anton Lazarov

> And then starting the Xfce desktop with the command:
>
> $ xinit
>
> Best regards
> Freddy Fisker
>
> On Thursday, 31 January 2019 16:55:20 CET, li...@wrant.com wrote:
> > Thu, 31 Jan 2019 12:23:08 +0100 Freddy Fisker
> >> Hi
> >>
> >> I have never used the startx command. I use the xinit command together with
> >> the ~/.xinitrc file.
> >
> > Hi Freddy,
> >
> > Are you referring to a recent OpenBSD, or some other customised variant?
> > If that's a bypass of the recent security fixes don't bother responding.
> > I'm only interested how it solves or improves on-demand X session model.
> >
> > Kind regards,
> > Anton Lazarov
> >
> >> Best regards
> >> Freddy Fisker
> >>
> >> On Thursday, 31 January 2019 11:57:12 CET, John Ankarström wrote: ...
Re: [SOLVED] Re: apu2 em0/dhclient problems
Edgar Pettijohn [ed...@pettijohn-web.com] wrote:
>
> Don't know why it works, but em1 works. I guess I'll rewrite my config files.
>

This shouldn't be an acceptable solution to you. Unless the port is physically damaged, you should figure out what's going on. Tcpdump is a great start.

Chris
Re: Getting traffic from rdomain X to talk to a daemon in default rdomain 0
Jiri B(jiri...@gmail.com) on 2019.01.31 22:23:34 +0100:
> Hello,
>
> I'm trying to isolate an app running on OpenBSD on network level and thus I
> have started the app in a specific rdomain.
>
> I can successfully make traffic from the rdomain to reach Internet:
>
> pass out quick on rdomain 1 to any nat-to (egress) rtable 0

that rule is only evaluated when the packets pass through a network interface.

> But I cannot figure out how to make the app in this rdomain 1 to communicate
> with daemons in default rdomain (0).
>
> With above rule I would see something like this on lo0 (rdomain0):
>
> Jan 31 16:04:22.285915 199.195.x.x.60666 > 199.195.x.x.53: 14874+ NS? .(17)
>
> Tested with route -T 1 exec dig @199.195.x.x www.openbsd.org.
> It seems it does not know how to send back replies ?

yes, because rdomain 0 does not have a route to what network you have in rdomain 1.

Btw. it's hard to talk about this without you giving the actual networks and IPs used.

> Without 'nat-to (egress)' the replies would be just sent via default gw in
> rdomain 0:
>
> mx1# tcpdump -i vio0 -n -e -ttt icmp
> tcpdump: listening on vio0, link-type EN10MB
> Jan 31 16:08:27.053592 00:16:a1:5d:50:b6 00:12:f2:f2:1a:00 0800 98:
> 199.195.x.x > 172.16.1.2: icmp: echo reply
>
> (172.16.1.2 was the IP in rdomain 1)
>
> Any idea what would be PF rule to make this working - ie. make an app in
> rdomain X talk to daemons in rdomain 0.
>
> I also tried to use pair interfaces but I failed too.
Try this:

# set up two connected pair interfaces:

ifconfig pair8 inet 192.168.2.8/24 rdomain 8
ifconfig pair1 inet 192.168.2.1/24 rdomain 0
ifconfig pair1 patch pair8

# they now can ping each other:

ping 192.168.2.8
route -T 8 exec ping 192.168.2.1

# my em0 interface in rdomain 0 has the IP 192.168.1.52:

em0: flags=208847 mtu 1500
        lladdr 44:c6:86:5a:c2:f7
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect
        status: active
        inet 192.168.1.52 netmask 0xff00 broadcast 192.168.1.255

# add a route to 192.168.1.52 to rdomain 8:

route -T 8 add 192.168.1.52 192.168.2.1
route -T 8 exec ping 192.168.1.52

# the traffic back from rdomain 0 to rdomain 8 works now, because packets
# are sent with source ip 192.168.2.8, and rdomain 0 has a route to that IP
# through pair1.

Now run your service on 192.168.1.52.

/Benno
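The routing argument in the reply above (replies to 172.16.1.2 only match the default route in rdomain 0, while 192.168.2.8 is reachable through pair1) as a small per-rdomain routing model. This is an added example, not code from the thread or from OpenBSD; it ignores pf, NAT and forwarding, and the /24 on em0, the 203.0.113.0/24 stand-in for the elided 199.195.x.x addresses and the interface name if1 are assumptions.

```python
import ipaddress

class RDomain:
    """One routing domain: its own addresses and its own routing table."""
    def __init__(self, rid):
        self.rid, self.local, self.routes = rid, {}, []

    def addr(self, ifname, cidr):
        ifc = ipaddress.ip_interface(cidr)
        self.local[ifc.ip] = ifname
        self.routes.append((ifc.network, ifname))        # connected route

    def route(self, dest, gateway):                      # gateway must be on-link
        out = self.lookup(ipaddress.ip_address(gateway))
        self.routes.append((ipaddress.ip_network(dest), out))

    def lookup(self, dst):
        """Longest-prefix match; returns the outgoing interface or None."""
        hits = [(net.prefixlen, ifname) for net, ifname in self.routes if dst in net]
        return max(hits, key=lambda h: h[0])[1] if hits else None

def send(domains, patches, src_rd, dst):
    """Trace one packet from rdomain src_rd to dst: (verdict, interfaces crossed)."""
    dst = ipaddress.ip_address(dst)
    if dst in domains[src_rd].local:
        return "delivered", []
    out = domains[src_rd].lookup(dst)
    if out is None:
        return "no route", []
    if out not in patches:                   # ordinary NIC: the packet leaves the box
        return "leaves host", [out]
    peer_if, peer_rd = patches[out]          # pair(4): shows up on the patched peer
    verdict = "delivered" if dst in domains[peer_rd].local else "not local"
    return verdict, [out, peer_if]

def pair_setup():
    """Layout from the reply: pair1 (rdomain 0) patched to pair8 (rdomain 8)."""
    rd0, rd8 = RDomain(0), RDomain(8)
    rd0.addr("em0", "192.168.1.52/24")       # /24 assumed from the broadcast address
    rd0.addr("pair1", "192.168.2.1/24")
    rd8.addr("pair8", "192.168.2.8/24")
    rd8.route("192.168.1.52/32", "192.168.2.1")
    return {0: rd0, 8: rd8}, {"pair1": ("pair8", 8), "pair8": ("pair1", 0)}

def nat_free_setup():
    """Layout from the question without nat-to (constructed addresses)."""
    rd0, rd1 = RDomain(0), RDomain(1)
    rd0.addr("vio0", "203.0.113.10/24")      # stand-in for 199.195.x.x
    rd0.route("0.0.0.0/0", "203.0.113.1")
    rd1.addr("if1", "172.16.1.2/24")         # hypothetical interface name
    return {0: rd0, 1: rd1}, {}

if __name__ == "__main__":
    print(send(*pair_setup(), 8, "192.168.1.52"), send(*pair_setup(), 0, "192.168.2.8"))
    print(send(*nat_free_setup(), 0, "172.16.1.2"))
```

In the model, rdomain 8 has no route to anything except the pair network and 192.168.1.52, which is the isolation property the original question was after.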
Re: Questions about Carp / PF / PFSync
Charles Amstutz(charl...@binary.net) on 2019.01.30 23:16:17 +:
> Hello
>
> We are running into an issue with a lot of dropped packets where states are
> failing to be created. We have noticed that it coincides with a fair amount
> of congestion, around 10-15/s according to 'pfctl -si'.
>
> We finally tried disabling our Carp Interfaces (we are using carp for
> failover) and the problem seems to completely go away. We have 53 carp
> interfaces on these two boxes and are just looking for some input on what
> might be causing an issue like this, where having carp interfaces enabled is
> causing such high congestion.
>
> We are running OpenBSD 6.4.
>
> Thanks,

Set sysctl net.inet.carp.log=7 (and activate carp again). What does it show (in /var/log/messages)?

Also, what's the output of

sysctl net.inet.ip.ifq.drops
sysctl net.inet6.ip6.ifq.drops
netstat -m
pfctl -vsi

?
Getting traffic from rdomain X to talk to a daemon in default rdomain 0
Hello,

I'm trying to isolate an app running on OpenBSD on network level and thus I have started the app in a specific rdomain.

I can successfully make traffic from the rdomain to reach Internet:

pass out quick on rdomain 1 to any nat-to (egress) rtable 0

But I cannot figure out how to make the app in this rdomain 1 to communicate with daemons in default rdomain (0).

With above rule I would see something like this on lo0 (rdomain0):

Jan 31 16:04:22.285915 199.195.x.x.60666 > 199.195.x.x.53: 14874+ NS? .(17)

Tested with route -T 1 exec dig @199.195.x.x www.openbsd.org. It seems it does not know how to send back replies ?

Without 'nat-to (egress)' the replies would be just sent via default gw in rdomain 0:

mx1# tcpdump -i vio0 -n -e -ttt icmp
tcpdump: listening on vio0, link-type EN10MB
Jan 31 16:08:27.053592 00:16:a1:5d:50:b6 00:12:f2:f2:1a:00 0800 98: 199.195.x.x > 172.16.1.2: icmp: echo reply

(172.16.1.2 was the IP in rdomain 1)

Any idea what would be PF rule to make this working - ie. make an app in rdomain X talk to daemons in rdomain 0.

I also tried to use pair interfaces but I failed too.

Jiri
Re: Use xenodm like startx?
My .xsession looks like this:

userresources=$HOME/.Xresources

if [ -f "$userresources" ]; then
    /usr/X11R6/bin/xrdb -merge "$userresources"
fi

export ENV='$HOME/.kshrc'

# See /usr/local/share/doc/pkg-readmes/dbus
# if dbus is installed, start its daemon
if [ -x /usr/local/bin/dbus-launch -a -z "${DBUS_SESSION_BUS_ADDRESS}" ]; then
    eval `dbus-launch --sh-syntax --exit-with-x11`
fi

# I like my cursor bigger, needs adwaita-icon-theme port
export XCURSOR_PATH="/usr/local/share/icons"
export XCURSOR_THEME=Adwaita
export XCURSOR_SIZE=32

numlockx on &

exec icewm-session

On 1/31/19 10:36 AM, trondd wrote:
> On Thu, January 31, 2019 5:57 am, John Ankarström wrote:
>>> Only thing I never figured out is how to make X and xenodm shutdown when I
>>> exit my window manager.
>>
>> This too makes me feel like xenodm is far too complex for what I want.
>
> It's not an issue of complexity. It's a different tool that does a
> different thing. Bending it to work like something it's not will
> inherently have caveats.
>
> The thing is, what we had before was a trivial privilege escalation.
> Sometimes you just have to adapt a little and you can benefit greatly from
> improvements.
>
> Tim.
Re: Use xenodm like startx?
Hi

I am using the Xfce desktop, and the only thing I am doing is making the file with:

$ echo xfce4-session > ~/.xinitrc

And then starting the Xfce desktop with the command:

$ xinit

Best regards
Freddy Fisker

On Thursday, 31 January 2019 16:55:20 CET, li...@wrant.com wrote:
> Thu, 31 Jan 2019 12:23:08 +0100 Freddy Fisker
>> Hi
>>
>> I have never used the startx command. I use the xinit command together with
>> the ~/.xinitrc file.
>
> Hi Freddy,
>
> Are you referring to a recent OpenBSD, or some other customised variant?
> If that's a bypass of the recent security fixes don't bother responding.
> I'm only interested how it solves or improves on-demand X session model.
>
> Kind regards,
> Anton Lazarov
>
>> Best regards
>> Freddy Fisker
>>
>> On Thursday, 31 January 2019 11:57:12 CET, John Ankarström wrote: ...
Re: Use xenodm like startx?
Thu, 31 Jan 2019 12:23:08 +0100 Freddy Fisker
> Hi
>
> I have never used the startx command. I use the xinit command together with
> the ~/.xinitrc file.

Hi Freddy,

Are you referring to a recent OpenBSD, or some other customised variant?
If that's a bypass of the recent security fixes don't bother responding.
I'm only interested how it solves or improves on-demand X session model.

Kind regards,
Anton Lazarov

> Best regards
> Freddy Fisker
>
> On Thursday, 31 January 2019 11:57:12 CET, John Ankarström wrote:
> > trondd wrote:
> >> It's not really that complicated. The bare minimum is to copy your
> >> .xinitrc to .xsession and then just run xenodm on demand with doas. All
> >> the configs already exist in /etc/X11/xenodm. Nothing requires you to run
> >> it at startup.
> >>
> >> Here's what I've done: ...
> >
> > Hm. Thank you. This works, except the environment in which I
> > run xenodm is lost. For example, I have ENV=~/.kshrc in my
> > ~/.profile, but this isn't inherited to X11 ... I guess I should
> > add these things to my .xsession, but then I'll have it in two
> > places instead of once.
> >
> >> Only thing I never figured out is how to make X and xenodm shutdown when I
> >> exit my window manager.
> >
> > This too makes me feel like xenodm is far too complex for what I want.
Re: Use xenodm like startx?
On Thu, January 31, 2019 5:57 am, John Ankarström wrote:
>
>> Only thing I never figured out is how to make X and xenodm shutdown when I
>> exit my window manager.
>
> This too makes me feel like xenodm is far too complex for what I want.
>

It's not an issue of complexity. It's a different tool that does a different thing. Bending it to work like something it's not will inherently have caveats.

The thing is, what we had before was a trivial privilege escalation. Sometimes you just have to adapt a little and you can benefit greatly from improvements.

Tim.
Re: Use xenodm like startx?
On Thu, January 31, 2019 7:35 am, Bruno Flueckiger wrote:
>
> Add the following line to /etc/X11/xenodm/xenodm-config:
>
> DisplayManager.*.terminateServer: true
>
> Cheers,
> Bruno
>

That doesn't work how you think it does. It does shut down the X server after quitting a window manager but then xenodm will restart X and log you right back in.

That option is there to prevent resource leaks between X sessions.

Tim.
Questions about Carp / PF / PFSync
Hello

We are running into an issue with a lot of dropped packets where states are failing to be created. We have noticed that it coincides with a fair amount of congestion, around 10-15/s according to 'pfctl -si'.

We finally tried disabling our Carp Interfaces (we are using carp for failover) and the problem seems to completely go away. We have 53 carp interfaces on these two boxes and are just looking for some input on what might be causing an issue like this, where having carp interfaces enabled is causing such high congestion.

We are running OpenBSD 6.4.

Thanks,
Re: boot problems, nvme?
31.01.2019 15:18, Kapetanakis Giannis wrote:
> Hi,
>
> I've just installed current as well as 6.4 on a new pc and I have problems
> booting it.
>
> Although I can boot bsd.rd and install system fine I cannot boot the
> normal kernel.
> Boot hangs after
> wskbd0 at pckbd0: console keyboard, using wsdisplay1
>
> In bsd.rd next line is
> softraid0 at root
>
> I couldn't transfer the dmesg from bsd.rd so I took pictures of it.
> Maybe someone can have a look?
> https://nefeli.cc.uoc.gr/index.php/s/ce6hAZzTWPcNOLu
>
> thanks
>
> G

I can advise you to try to disable pcppi driver.

boot -c
disable pcppi
quit

What motherboard do you own?
Re: Use xenodm like startx?
Hi

I have never used the startx command. I use the xinit command together with the ~/.xinitrc file.

Best regards
Freddy Fisker

On Thursday, 31 January 2019 11:57:12 CET, John Ankarström wrote:
> trondd wrote:
>> It's not really that complicated. The bare minimum is to copy your
>> .xinitrc to .xsession and then just run xenodm on demand with doas. All
>> the configs already exist in /etc/X11/xenodm. Nothing requires you to run
>> it at startup.
>>
>> Here's what I've done: ...
>
> Hm. Thank you. This works, except the environment in which I run xenodm is
> lost. For example, I have ENV=~/.kshrc in my ~/.profile, but this isn't
> inherited to X11 ... I guess I should add these things to my .xsession, but
> then I'll have it in two places instead of once.
>
>> Only thing I never figured out is how to make X and xenodm shutdown when I
>> exit my window manager.
>
> This too makes me feel like xenodm is far too complex for what I want.
Re: boot problems, nvme?
I think I saw something similar on a box, until I disabled X-APIC in BIOS setup. If you have that option, do try disabling it.

On Thu, 31 Jan 2019 at 14:37, Kapetanakis Giannis <bil...@edu.physics.uoc.gr> wrote:
> Hi,
>
> I've just installed current as well as 6.4 on a new pc and I have problems
> booting it.
>
> Although I can boot bsd.rd and install system fine I cannot boot the
> normal kernel.
> Boot hangs after
> wskbd0 at pckbd0: console keyboard, using wsdisplay1
>
> In bsd.rd next line is
> softraid0 at root
>
> I couldn't transfer the dmesg from bsd.rd so I took pictures of it.
> Maybe someone can have a look?
> https://nefeli.cc.uoc.gr/index.php/s/ce6hAZzTWPcNOLu
>
> thanks
>
> G

--
May the most significant bit of your life be positive.
boot problems, nvme?
Hi,

I've just installed current as well as 6.4 on a new pc and I have problems booting it.

Although I can boot bsd.rd and install system fine I cannot boot the normal kernel.
Boot hangs after
wskbd0 at pckbd0: console keyboard, using wsdisplay1

In bsd.rd next line is
softraid0 at root

I couldn't transfer the dmesg from bsd.rd so I took pictures of it.
Maybe someone can have a look?
https://nefeli.cc.uoc.gr/index.php/s/ce6hAZzTWPcNOLu

thanks

G
Re: Use xenodm like startx?
On 31.01.19 11:57, John Ankarström wrote:
> trondd wrote:
> > It's not really that complicated. The bare minimum is to copy your
> > .xinitrc to .xsession and then just run xenodm on demand with doas. All
> > the configs already exist in /etc/X11/xenodm. Nothing requires you to run
> > it at startup.
> >
> > Here's what I've done:
> > Copy your .xinitrc to .xsession
> >
> > Copy (or modify in place) /etc/X11/xenodm/xenodm-config to $HOME
> >
> > Edit xenodm-config and add
> > DisplayManager*autoLogin: yourusername
> >
> > Comment out the call to Xsetup so you don't get the xconsole window
> > !DisplayManager._0.setup: /etc/X11/xenodm/Xsetup_0
> >
> > Then you can alias it to run it on demand. Alias to startx if you want.
> > alias xenodm='doas xenodm -config /home/myusername/xenodm-config'
>
> Hm. Thank you. This works, except the environment in which I run xenodm is
> lost. For example, I have ENV=~/.kshrc in my ~/.profile, but this isn't
> inherited to X11 ... I guess I should add these things to my .xsession, but
> then I'll have it in two places instead of once.

You could source either file in your ~/.xsession by adding a line like this to it:

. ~/.kshrc

Depending on the settings you have in ~/.profile and/or ~/.kshrc this might cause unwanted side effects. You have been warned.

> > Only thing I never figured out is how to make X and xenodm shutdown when I
> > exit my window manager.
>
> This too makes me feel like xenodm is far too complex for what I want.
>

Add the following line to /etc/X11/xenodm/xenodm-config:

DisplayManager.*.terminateServer: true

Cheers,
Bruno
Re: Use xenodm like startx?
trondd wrote:
> It's not really that complicated. The bare minimum is to copy your
> .xinitrc to .xsession and then just run xenodm on demand with doas. All
> the configs already exist in /etc/X11/xenodm. Nothing requires you to run
> it at startup.
>
> Here's what I've done:
> Copy your .xinitrc to .xsession
>
> Copy (or modify in place) /etc/X11/xenodm/xenodm-config to $HOME
>
> Edit xenodm-config and add
> DisplayManager*autoLogin: yourusername
>
> Comment out the call to Xsetup so you don't get the xconsole window
> !DisplayManager._0.setup: /etc/X11/xenodm/Xsetup_0
>
> Then you can alias it to run it on demand. Alias to startx if you want.
> alias xenodm='doas xenodm -config /home/myusername/xenodm-config'

Hm. Thank you. This works, except the environment in which I run xenodm is lost. For example, I have ENV=~/.kshrc in my ~/.profile, but this isn't inherited to X11 ... I guess I should add these things to my .xsession, but then I'll have it in two places instead of once.

> Only thing I never figured out is how to make X and xenodm shutdown when I
> exit my window manager.

This too makes me feel like xenodm is far too complex for what I want.
Re: procmail and new grammar in smtpd.conf
On 1211 1636, schwack wrote:
> On Wed, Dec 05, 2018 at 10:07:34AM -0500, Daniel Corbe wrote:
> > at 6:22 AM, Eda Sky wrote:
> > >
> > > > Executive summary: delete the procmail port; the code is not safe and
> > > > should not be used as a basis for any further work.
> >
> > Is maildrop a recommended alternative?
>
> In my opinion: yes. It works well for me for long years.