is pfsync losing data on reboot?

2019-01-31 Thread Harald Dunkel
Hi folks,

I have a question about pfsync protocol in a master-backup firewall
configuration (OpenBSD 6.3 and 6.4):

If I reboot (let's say) the backup host, will it receive the whole
set of state information again, when it gets back online?

Hopefully I am not too blind to see, but pfsync(4) doesn't tell.


Every helpful comment is highly appreciated.
Harri



Re: Use xenodm like startx?

2019-01-31 Thread lists
Thu, 31 Jan 2019 17:33:01 +0100 Freddy Fisker 
> Hi
> 
> I am using the Xfce desktop, and the only thing I am doing is making the 
> 
> file with:
> 
> $ echo xfce4-session > ~/.xinitrc
> 

Hi Freddy,

Alright, I was running startx pretty happily with an .xinitrc to set up
programs started, terminal positions & everything, then along comes the
notorious fix and now, it's renamed to .xsession, and xenodm starts it.

But now I have to log in twice: at the console and then again at the
X display manager, which I totally don't like having to do, a nuisance.

The console is used, ironically, to set up & add ssh agent keys before X,
so that the agent can persist and be used regardless of the X server.

With the help of the tips from this thread, now it's back to manual log
at the console and running the x alias to start the session.  All good.

https://man.openbsd.org/xenodm#RESOURCES

  DisplayManager.*.autoLogin
  DisplayManager.*.terminateServer

The only issue is these sets of complexities called xenodm, needlessly,
just because people want to log in to a Windows-style graphical display manager.

I just have no use for this login manager stuff, and never had any use for
desktop environments' complex, dysfunctional, distro-style, all-mixed-up
graphical 'experience'.  Plain cwm, simplest X setup and it just works.

It would be nicer if we could run X with a session file WITHOUT xenodm.
Not sure your suggested xinit is not a fall through of the setuid bug..

  2018-10-26 setuid bit removed from /usr/X11R6/bin/Xorg
  The Xorg binary is no longer installed setuid.
  So startx(1) can no longer be used by non-root users.
  The xenodm(1) display manager has to be used.

Kind regards,
Anton Lazarov

> 
> And then starting the Xfce desktop with the command:
> 
> $ xinit
> 
> 
> Best regards
> Freddy Fisker
> 
> 
> On Thursday, 31 January 2019 16:55:20 CET, li...@wrant.com wrote:
> > Thu, 31 Jan 2019 12:23:08 +0100 Freddy Fisker   
> >> Hi
> >> 
> >> I have never used the startx command. I use the xinit command 
> >> together with 
> >> the ~/.xinitrc file.  
> >
> > Hi Freddy,
> >
> > Are you referring to a recent OpenBSD, or some other customised variant?
> > If that's a bypass of the recent security fixes don't bother responding.
> > I'm only interested how it solves or improves on-demand X session model.
> >
> > Kind regards,
> > Anton Lazarov
> >  
> >> Best regards
> >> Freddy Fisker
> >> 
> >> 
> >> On Thursday, 31 January 2019 11:57:12 CET, John Ankarström wrote: ...  
> >
> >
> >  
> 



Re: [SOLVED] Re: apu2 em0/dhclient problems

2019-01-31 Thread Chris Cappuccio
Edgar Pettijohn [ed...@pettijohn-web.com] wrote:
> 
> Don't know why it works, but em1 works. I guess I'll rewrite my config files.
> 

This shouldn't be an acceptable solution to you. Unless the port is physically
damaged, you should figure out what's going on. Tcpdump is a great start. 

Chris



Re: Getting traffic from rdomain X to talk to a daemon in default rdomain 0

2019-01-31 Thread Sebastian Benoit
Jiri B(jiri...@gmail.com) on 2019.01.31 22:23:34 +0100:
> Hello,
> 
> I'm trying to isolate an app running on OpenBSD on network level and thus I
> have started
> the app in a specific rdomain.
> 
> I can successfully make traffic from the rdomain to reach Internet:
> 
> pass out quick on rdomain 1 to any nat-to (egress) rtable 0

That rule is only evaluated when the packets pass through a network
interface.

> But I cannot figure out how to make the app in this rdomain 1 communicate
> with daemons in the default rdomain (0).
> 
> With above rule I would see something like this on lo0 (rdomain0):
> 
> Jan 31 16:04:22.285915 199.195.x.x.60666 > 199.195.x.x.53: 14874+ NS? .(17)
> 
> Tested with route -T 1 exec dig @199.195.x.x  www.openbsd.org.
> It seems it does not know how to send back replies?

Yes, because rdomain 0 does not have a route to the network you have in
rdomain 1.

Btw, it's hard to talk about this without you giving the actual networks and
IPs used.
 
> Without 'nat-to (egress)' the replies would just be sent via the default gw in
> rdomain 0:
> 
> mx1# tcpdump -i vio0 -n -e -ttt icmp
> tcpdump: listening on vio0, link-type EN10MB
> Jan 31 16:08:27.053592 00:16:a1:5d:50:b6 00:12:f2:f2:1a:00 0800 98:
> 199.195.x.x > 172.16.1.2: icmp: echo reply
> 
> (172.16.1.2 was the IP in rdomain 1)
> 
> Any idea what the PF rule would be to make this work, i.e. make an app in
> rdomain X talk to daemons in rdomain 0?
> 
> I also tried to use pair interfaces but I failed too.

Try this:

# set up two connected pair interfaces:
ifconfig pair8 inet 192.168.2.8/24 rdomain 8
ifconfig pair1 inet 192.168.2.1/24 rdomain 0
ifconfig pair1 patch pair8

# they now can ping each other:
ping 192.168.2.8
route -T 8 exec ping 192.168.2.1

# my em0 interface in rdomain 0 has the IP 192.168.1.52:
em0: flags=208847 mtu 1500
lladdr 44:c6:86:5a:c2:f7
index 1 priority 0 llprio 3
groups: egress
media: Ethernet autoselect
status: active
inet 192.168.1.52 netmask 0xff00 broadcast 192.168.1.255

# add a route to 192.168.1.52 to rdomain 8:
route -T 8 add 192.168.1.52 192.168.2.1
route -T 8 exec ping 192.168.1.52

# the traffic back from rdomain 0 to rdomain 8 works now, because packets
# are sent with source ip 192.168.2.8, and rdomain 0 has a route to that IP
# through pair1.

Now run your service on 192.168.1.52.

/Benno
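The pair(4) recipe above, as an added example that is not part of Benno's post: the same steps as a parameterised script with a verification step. It assumes interface names of its own (pair<RDOM> in the isolated rdomain, pair<RDOM+100> in rdomain 0, so the two never clash; the thread used pair8 and pair1) and fixed host parts .2 and .1 inside the given /24 prefix. DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the thread. Usage (as root on OpenBSD):
#   sh rdomain_pair.sh RDOM NETPREFIX SERVICE_IP
#   e.g. sh rdomain_pair.sh 8 192.168.2 192.168.1.52   (the thread's values)
# DRY_RUN=1 prints the commands instead of running them (no root needed).

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@" || { echo "failed: $*" >&2; return 1; }
    fi
}

# Wire rdomain RDOM to rdomain 0 over a pair and give RDOM a host route
# to SERVICE_IP via the rdomain-0 end of the pair.
rdomain_pair_setup() {
    rdom=$1; net=$2; svc=$3
    case $rdom in
        ''|*[!0-9]*) echo "rdomain must be numeric" >&2; return 1 ;;
    esac
    [ "$rdom" -ge 1 ] && [ "$rdom" -le 255 ] ||
        { echo "rdomain must be 1..255" >&2; return 1; }
    iso="pair$rdom"; hub="pair$((rdom + 100))"   # assumed naming scheme
    run ifconfig "$iso" inet "$net.2/24" rdomain "$rdom" || return 1
    run ifconfig "$hub" inet "$net.1/24" rdomain 0 || return 1
    run ifconfig "$hub" patch "$iso" || return 1
    # Replies from rdomain 0 need no extra rule: the source address $net.2
    # is on-link for rdomain 0 through $hub.
    run route -T "$rdom" add "$svc" "$net.1"
}

# Confirm both directions: rdomain 0 reaches the isolated end, and the
# isolated rdomain reaches the service address.
rdomain_pair_verify() {
    rdom=$1; net=$2; svc=$3
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    ping -c 1 -w 2 "$net.2" >/dev/null ||
        { echo "rdomain 0 cannot reach $net.2" >&2; return 1; }
    route -T "$rdom" exec ping -c 1 -w 2 "$svc" >/dev/null ||
        { echo "rdomain $rdom cannot reach $svc" >&2; return 1; }
}

if [ $# -eq 3 ]; then
    rdomain_pair_setup "$@" && rdomain_pair_verify "$@" &&
        echo "rdomain $1 can now talk to services bound on $3"
fi
```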



Re: Questions about Carp / PF / PFSync

2019-01-31 Thread Sebastian Benoit
Charles Amstutz(charl...@binary.net) on 2019.01.30 23:16:17 +:
> Hello
> 
> We are running into an issue with a lot of dropped packets where states are 
> failing to be created. We have noticed that it coincides with a fair amount 
> of congestion, around 10-15/s according to 'pfctl -si'.
> 
> We finally tried disabling our Carp Interfaces (we are using carp for 
> failover) and the problem seems to completely go away. We have 53 carp 
> interfaces on these two boxes and are just looking for some input on what 
> might be causing an issue like this, where having carp interfaces enabled is 
> causing such high congestion.
> 
> We are running OpenBSD 6.4.
> 
> Thanks,

Set sysctl net.inet.carp.log=7 (and activate carp again).
What does it show (in /var/log/messages)?

Also, what's the output of

sysctl net.inet.ip.ifq.drops
sysctl net.inet6.ip6.ifq.drops
netstat -m
pfctl -vsi

?
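An added example that is not part of Benno's reply: the Rate column of `pfctl -si` is averaged over the whole time pf has been enabled, so a steady 10-15/s there can hide short bursts. This script samples the counters listed above twice, a few seconds apart, and prints their growth per second; the `pfctl -si` sample text is constructed for the self-test, and the script name and `live` argument are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Run as root on OpenBSD:
#   sh pf_drop_rate.sh live [INTERVAL]      (INTERVAL defaults to 5 seconds)

# Print the Total column of one named counter from `pfctl -si` text on stdin.
pf_counter() {
    awk -v name="$1" '$1 == name && $2 ~ /^[0-9]+$/ { print $2; exit }'
}

# Integer growth per second between two samples taken $3 seconds apart.
rate_per_sec() {
    echo $(( ($2 - $1) / $3 ))
}

# Constructed sample in the shape of `pfctl -si` output, used by the self-test.
SAMPLE_SI='Status: Enabled for 2 days 04:00:00           Debug: err

State Table                          Total             Rate
  current entries                    54321
  searches                       123456789          659.5/s
Counters
  match                           98765432          527.6/s
  memory                                 0            0.0/s
  congestion                       2764800           14.8/s
  state-insert                         120            0.0/s
'

# One sample: congestion, state-insert, then the two ifq drop counters.
sample_all() {
    si=$(pfctl -si)
    printf '%s\n' "$si" | pf_counter congestion
    printf '%s\n' "$si" | pf_counter state-insert
    sysctl -n net.inet.ip.ifq.drops
    sysctl -n net.inet6.ip6.ifq.drops
}

if [ "${1:-}" = live ]; then
    interval=${2:-5}
    set -- $(sample_all); c1=$1; s1=$2; d4=$3; d6=$4
    sleep "$interval"
    set -- $(sample_all)
    printf '%-22s %s/s\n' congestion    "$(rate_per_sec "$c1" "$1" "$interval")"
    printf '%-22s %s/s\n' state-insert  "$(rate_per_sec "$s1" "$2" "$interval")"
    printf '%-22s %s/s\n' ip.ifq.drops  "$(rate_per_sec "$d4" "$3" "$interval")"
    printf '%-22s %s/s\n' ip6.ifq.drops "$(rate_per_sec "$d6" "$4" "$interval")"
fi
```

In the constructed sample, 2764800 congestion drops over 2 days 4 hours is exactly the 14.8/s lifetime average shown, which says nothing about whether those drops happened evenly or in bursts; the live deltas do.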



Getting traffic from rdomain X to talk to a daemon in default rdomain 0

2019-01-31 Thread Jiri B
Hello,

I'm trying to isolate an app running on OpenBSD on network level and thus I
have started
the app in a specific rdomain.

I can successfully make traffic from the rdomain to reach Internet:

pass out quick on rdomain 1 to any nat-to (egress) rtable 0

But I cannot figure out how to make the app in this rdomain 1 communicate
with daemons in the default rdomain (0).

With above rule I would see something like this on lo0 (rdomain0):

Jan 31 16:04:22.285915 199.195.x.x.60666 > 199.195.x.x.53: 14874+ NS? .(17)

Tested with route -T 1 exec dig @199.195.x.x  www.openbsd.org.
It seems it does not know how to send back replies?

Without 'nat-to (egress)' the replies would just be sent via the default gw in
rdomain 0:

mx1# tcpdump -i vio0 -n -e -ttt icmp
tcpdump: listening on vio0, link-type EN10MB
Jan 31 16:08:27.053592 00:16:a1:5d:50:b6 00:12:f2:f2:1a:00 0800 98:
199.195.x.x > 172.16.1.2: icmp: echo reply

(172.16.1.2 was the IP in rdomain 1)

Any idea what the PF rule would be to make this work, i.e. make an app in
rdomain X talk to daemons in rdomain 0?

I also tried to use pair interfaces but I failed too.

Jiri


Re: Use xenodm like startx?

2019-01-31 Thread Greg

My .xsession looks like this:

userresources=$HOME/.Xresources

if [ -f "$userresources" ]; then
    /usr/X11R6/bin/xrdb -merge "$userresources"
fi

export ENV='$HOME/.kshrc'

# See /usr/local/share/doc/pkg-readmes/dbus

# if dbus is installed, start its daemon
if [ -x /usr/local/bin/dbus-launch -a -z "${DBUS_SESSION_BUS_ADDRESS}" ]; then

    eval `dbus-launch --sh-syntax --exit-with-x11`
fi

# I like my cursor bigger, needs adwaita-icon-theme port

export XCURSOR_PATH="/usr/local/share/icons"
export XCURSOR_THEME=Adwaita
export XCURSOR_SIZE=32

numlockx on &

exec icewm-session


On 1/31/19 10:36 AM, trondd wrote:
> On Thu, January 31, 2019 5:57 am, John Ankarström wrote:
>>> Only thing I never figured out is how to make X and xenodm shutdown when
>>> I
>>> exit my window manager.
>>
>> This too makes me feel like xenodm is far too complex for what I want.
>
> It's not an issue of complexity.  It's a different tool that does a
> different thing.  Bending it to work like something it's not will
> inherently have caveats.
>
> The thing is, what we had before was a trivial privilege escalation.
> Sometimes you just have to adapt a little and you can benefit greatly from
> improvements.
>
> Tim.


Re: Use xenodm like startx?

2019-01-31 Thread Freddy Fisker

Hi

I am using the Xfce desktop, and the only thing I am doing is making the 


file with:

$ echo xfce4-session > ~/.xinitrc


And then starting the Xfce desktop with the command:

$ xinit


Best regards
Freddy Fisker


On Thursday, 31 January 2019 16:55:20 CET, li...@wrant.com wrote:
> Thu, 31 Jan 2019 12:23:08 +0100 Freddy Fisker
>> Hi
>>
>> I have never used the startx command. I use the xinit command
>> together with
>> the ~/.xinitrc file.
>
> Hi Freddy,
>
> Are you referring to a recent OpenBSD, or some other customised variant?
> If that's a bypass of the recent security fixes don't bother responding.
> I'm only interested how it solves or improves on-demand X session model.
>
> Kind regards,
> Anton Lazarov
>
>> Best regards
>> Freddy Fisker
>>
>>
>> On Thursday, 31 January 2019 11:57:12 CET, John Ankarström wrote: ...


Re: Use xenodm like startx?

2019-01-31 Thread lists
Thu, 31 Jan 2019 12:23:08 +0100 Freddy Fisker 
> Hi
> 
> I have never used the startx command. I use the xinit command together with 
> the ~/.xinitrc file.

Hi Freddy,

Are you referring to a recent OpenBSD, or some other customised variant?
If that's a bypass of the recent security fixes don't bother responding.
I'm only interested how it solves or improves on-demand X session model.

Kind regards,
Anton Lazarov

> Best regards
> Freddy Fisker
> 
> 
> On Thursday, 31 January 2019 11:57:12 CET, John Ankarström wrote:
> > trondd  wrote:  
> >> It's not really that complicated.  The bare minimum is to copy your
> >> .xinitrc to .xsession and then just run xenodm on demand with doas.  All
> >> the configs already exist in /etc/X11/xenodm.  Nothing requires you to run
> >> it at startup.
> >> 
> >> Here's what I've done: ...  
> >
> > Hm.  Thank you.  This works, except the environment in which I 
> > run xenodm is lost.  For example, I have ENV=~/.kshrc in my 
> > ~/.profile, but this isn't inherited to X11 ... I guess I should 
> > add these things to my .xsession, but then I'll have it in two 
> > places instead of once.
> >  
> >> Only thing I never figured out is how to make X and xenodm shutdown when I
> >> exit my window manager.  
> >
> > This too makes me feel like xenodm is far too complex for what I want.
> >
> >
> >  
> 



Re: Use xenodm like startx?

2019-01-31 Thread trondd
On Thu, January 31, 2019 5:57 am, John Ankarström wrote:
>
>> Only thing I never figured out is how to make X and xenodm shutdown when
>> I
>> exit my window manager.
>
> This too makes me feel like xenodm is far too complex for what I want.
>

It's not an issue of complexity.  It's a different tool that does a
different thing.  Bending it to work like something it's not will
inherently have caveats.

The thing is, what we had before was a trivial privilege escalation. 
Sometimes you just have to adapt a little and you can benefit greatly from
improvements.

Tim.



Re: Use xenodm like startx?

2019-01-31 Thread trondd
On Thu, January 31, 2019 7:35 am, Bruno Flueckiger wrote:
>
> Add the following line to /etc/X11/xenodm/xenodm-config:
>
> DisplayManager.*.terminateServer: true
>
> Cheers,
> Bruno
>

That doesn't work how you think it does.  It does shut down the X server
after quitting a window manager but then xenodm will restart X and log you
right back in.  That option is there is prevent resource leaks between X
sessions.

Tim.



Questions about Carp / PF / PFSync

2019-01-31 Thread Charles Amstutz
Hello

We are running into an issue with a lot of dropped packets where states are 
failing to be created. We have noticed that it coincides with a fair amount of 
congestion, around 10-15/s according to 'pfctl -si'.

We finally tried disabling our Carp Interfaces (we are using carp for failover) 
and the problem seems to completely go away. We have 53 carp interfaces on 
these two boxes and are just looking for some input on what might be causing an 
issue like this, where having carp interfaces enabled is causing such high 
congestion.

We are running OpenBSD 6.4.

Thanks,


Re: boot problems, nvme?

2019-01-31 Thread kasak

On 31.01.2019 15:18, Kapetanakis Giannis wrote:
> Hi,
>
> I've just installed current as well 6.4 on a new pc and I have problems booting
> it.
>
> Although I can boot bsd.rd and install system fine I cannot boot the normal
> kernel.
> Boot hangs after
> wskbd0 at pckbd0: console keyboard, using wsdisplay1
>
> In bsd.rd next line is
> softraid0 at root
>
> I couldn't transfer the dmesg from bsd.rd so I took pictures of it.
> Maybe someone can have a look?
> https://nefeli.cc.uoc.gr/index.php/s/ce6hAZzTWPcNOLu
>
> thanks
>
> G


I can advise you to try disabling the pcppi driver:

boot -c

disable pcppi

quit

What motherboard do you own?



Re: Use xenodm like startx?

2019-01-31 Thread Freddy Fisker

Hi

I have never used the startx command. I use the xinit command together with 
the ~/.xinitrc file.


Best regards
Freddy Fisker


On Thursday, 31 January 2019 11:57:12 CET, John Ankarström wrote:
> trondd  wrote:
>> It's not really that complicated.  The bare minimum is to copy your
>> .xinitrc to .xsession and then just run xenodm on demand with doas.  All
>> the configs already exist in /etc/X11/xenodm.  Nothing requires you to run
>> it at startup.
>>
>> Here's what I've done: ...
>
> Hm.  Thank you.  This works, except the environment in which I
> run xenodm is lost.  For example, I have ENV=~/.kshrc in my
> ~/.profile, but this isn't inherited to X11 ... I guess I should
> add these things to my .xsession, but then I'll have it in two
> places instead of once.
>
>> Only thing I never figured out is how to make X and xenodm shutdown when I
>> exit my window manager.
>
> This too makes me feel like xenodm is far too complex for what I want.


Re: boot problems, nvme?

2019-01-31 Thread Janne Johansson
I think I saw something similar on a box, until I disabled X-APIC in BIOS
setup.
If you have that option, do try disabling it.


On Thu 31 Jan 2019 at 14:37, Kapetanakis Giannis <
bil...@edu.physics.uoc.gr> wrote:

> Hi,
>
> I've just installed current as well 6.4 on a new pc and I have problems
> booting it.
>
> Although I can boot bsd.rd and install system fine I cannot boot the
> normal kernel.
> Boot hangs after
> wskbd0 at pckbd0: console keyboard, using wsdisplay1
>
> In bsd.rd next line is
> softraid0 at root
>
> I couldn't transfer the dmesg from bsd.rd so I took pictures of it.
> Maybe someone can have a look?
> https://nefeli.cc.uoc.gr/index.php/s/ce6hAZzTWPcNOLu
>
> thanks
>
> G
>
>

-- 
May the most significant bit of your life be positive.


boot problems, nvme?

2019-01-31 Thread Kapetanakis Giannis
Hi,

I've just installed current as well 6.4 on a new pc and I have problems booting 
it.

Although I can boot bsd.rd and install system fine I cannot boot the normal 
kernel.
Boot hangs after
wskbd0 at pckbd0: console keyboard, using wsdisplay1

In bsd.rd next line is
softraid0 at root

I couldn't transfer the dmesg from bsd.rd so I took pictures of it.
Maybe someone can have a look?
https://nefeli.cc.uoc.gr/index.php/s/ce6hAZzTWPcNOLu

thanks

G



Re: Use xenodm like startx?

2019-01-31 Thread Bruno Flueckiger
On 31.01.19 11:57, John Ankarström wrote:
> trondd  wrote:
> > It's not really that complicated.  The bare minimum is to copy your
> > .xinitrc to .xsession and then just run xenodm on demand with doas.  All
> > the configs already exist in /etc/X11/xenodm.  Nothing requires you to run
> > it at startup.
> > 
> > Here's what I've done:
> > Copy your .xinitrc to .xsession
> > 
> > Copy (or modify in place) /etc/X11/xenodm/xenodm-config to $HOME
> > 
> > Edit xenodm-config and add
> > DisplayManager*autoLogin:  yourusername
> > 
> > Comment out the call to Xsetup so you don't get the xconsole window
> > !DisplayManager._0.setup: /etc/X11/xenodm/Xsetup_0
> > 
> > Then you can alias it to run it on demand.  Alias to startx if you want.
> > alias xenodm='doas xenodm -config /home/myusername/xenodm-config'
> 
> Hm.  Thank you.  This works, except the environment in which I run xenodm is
> lost.  For example, I have ENV=~/.kshrc in my ~/.profile, but this isn't
> inherited to X11 ... I guess I should add these things to my .xsession, but
> then I'll have it in two places instead of once.

You could source either file in your ~/.xsession by adding a line like
this to it:

. ~/.kshrc

Depending on the settings you have in ~/.profile and/or ~/.kshrc this
might cause unwanted side effects. You have been warned.

> 
> > Only thing I never figured out is how to make X and xenodm shutdown when I
> > exit my window manager.
> 
> This too makes me feel like xenodm is far too complex for what I want.
> 

Add the following line to /etc/X11/xenodm/xenodm-config:

DisplayManager.*.terminateServer:   true

Cheers,
Bruno



Re: Use xenodm like startx?

2019-01-31 Thread John Ankarström
trondd  wrote:
> It's not really that complicated.  The bare minimum is to copy your
> .xinitrc to .xsession and then just run xenodm on demand with doas.  All
> the configs already exist in /etc/X11/xenodm.  Nothing requires you to run
> it at startup.
> 
> Here's what I've done:
> Copy your .xinitrc to .xsession
> 
> Copy (or modify in place) /etc/X11/xenodm/xenodm-config to $HOME
> 
> Edit xenodm-config and add
> DisplayManager*autoLogin:  yourusername
> 
> Comment out the call to Xsetup so you don't get the xconsole window
> !DisplayManager._0.setup: /etc/X11/xenodm/Xsetup_0
> 
> Then you can alias it to run it on demand.  Alias to startx if you want.
> alias xenodm='doas xenodm -config /home/myusername/xenodm-config'

Hm.  Thank you.  This works, except the environment in which I run xenodm is 
lost.  For example, I have ENV=~/.kshrc in my ~/.profile, but this isn't 
inherited to X11 ... I guess I should add these things to my .xsession, but 
then I'll have it in two places instead of once.

> Only thing I never figured out is how to make X and xenodm shutdown when I
> exit my window manager.

This too makes me feel like xenodm is far too complex for what I want.



Re: procmail and new grammar in smtpd.conf

2019-01-31 Thread butresin
On 1211 1636, schwack wrote:
> On Wed, Dec 05, 2018 at 10:07:34AM -0500, Daniel Corbe wrote:
> > at 6:22 AM, Eda Sky  wrote:
> > 
> > 
> > > Executive summary: delete the procmail port; the code is not safe and
> > > should not be used as a basis for any further work.
> > 
> 
> Is maildrop a recommended alternative? 
> 

In my opinion: yes.
It has worked well for me for many years.