Re: dmesg for Riverbed Steelhead 250/550

[Aaron Mason]

Here's a quick rundown on how I got it installed - you will need an
existing OpenBSD installation.

1. Download the FS install image.
2. Mount it in your existing OpenBSD system and edit etc/boot.conf to
set the tty to com0.
3. Write the resulting image to a USB stick.
4. Plug in your USB stick, then plug in the power.
5. When it says to press any key, do so.  When the GRUB menu appears, hit 'c'.
6. Set the root device (which will likely be hd2): root (hd2)
7. Fire up the chainloader: chainloader +1
8. Boot: boot
9. ???
10. Profit!

On Tue, Nov 19, 2019 at 1:31 PM Aaron Mason  wrote:
>
> All
>
> Fired up OpenBSD 6.6 on a Riverbed Steelhead 250 and a 550, purchased
> from fleabay for about $30 ea (plus shipping) - the 250 runs a single
> core Celeron M @ 1.66GHz and 1GB DDR2, the 550 runs a low power
> dual-core Xeon at the same speed and 2GB DDR2 - both x86 only.  Both
> have a 2GB USB DOM and a separate laptop HDD (120GB for the 250 and
> 320GB for the 550) likely for caching (these being WAN accelerators).
>
> The primary and AUX NICs work, the LAN0/0 and WAN0/0 ports do not,
> likely because there's some GPIO magic required to switch back the
> relays.  The Xeon-powered 550 definitely seems to have a bit more
> oompf than the 250's hamster whee-- err, Celeron M CPU.
>
> The output for dmesg for each is attached.
>
> --
> Aaron Mason - Programmer, open source addict
> I've taken my software vows - for beta or for worse



-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse

dmesg for Riverbed Steelhead 250/550

[Aaron Mason]

All

Fired up OpenBSD 6.6 on a Riverbed Steelhead 250 and a 550, purchased
from fleabay for about $30 ea (plus shipping) - the 250 runs a single
core Celeron M @ 1.66GHz and 1GB DDR2, the 550 runs a low power
dual-core Xeon at the same speed and 2GB DDR2 - both x86 only.  Both
have a 2GB USB DOM and a separate laptop HDD (120GB for the 250 and
320GB for the 550) likely for caching (these being WAN accelerators).

The primary and AUX NICs work, the LAN0/0 and WAN0/0 ports do not,
likely because there's some GPIO magic required to switch back the
relays.  The Xeon-powered 550 definitely seems to have a bit more
oompf than the 250's hamster whee-- err, Celeron M CPU.

The output for dmesg for each is attached.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
OpenBSD 6.6 (GENERIC) #298: Sat Oct 12 11:06:10 MDT 2019
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
real mem  = 1073037312 (1023MB)
avail mem = 1037803520 (989MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 10/22/13, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.5 @ 
0x9f800 (40 entries)
bios0: vendor American Megatrends Inc. version "MINOW035" date 10/22/2013
bios0: Riverbed Technology, Inc. DTABA
acpi0 at bios0: ACPI 3.0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC MCFG OEMB HPET
acpi0: wakeup devices P0P1(S4) SLPB(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) M CPU @ 1.66GHz ("GenuineIntel" 686-class) 1.67 GHz, 
06-0e-0c
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,PBE,SSE3,MWAIT,TM2,xTPR,PDCM,NXE,PERF,SENSOR,MELTDOWN
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 166MHz
cpu0: mwait min=64, max=64, C-substates=0.2, IBE
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins, remapped
acpimcfg0 at acpi0
acpimcfg0: addr 0xe000, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 7 (EPA0)
acpiprt2 at acpi0: bus 6 (EPA1)
acpiprt3 at acpi0: bus 5 (P0P4)
acpiprt4 at acpi0: bus 4 (P0P5)
acpiprt5 at acpi0: bus 3 (P0P6)
acpicpu0 at acpi0: C1(@1 halt!)
acpitz0 at acpi0: critical temperature is 99 degC
acpipwrres0 at acpi0: GFAN, resource for SBRG, FN00
"PNP0A08" at acpi0 not configured
acpicmos0 at acpi0
acpibtn0 at acpi0: SLPB
acpibtn1 at acpi0: PWRB
"PNP0C0B" at acpi0 not configured
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 3100 Host" rev 0x00
"Intel 3100 Error Reporting" rev 0x00 at pci0 dev 0 function 1 not configured
vendor "Intel", unknown product 0x35b5 (class system subclass miscellaneous, 
rev 0x00) at pci0 dev 1 function 0 not configured
ppb0 at pci0 dev 2 function 0 "Intel 3100 EDMA" rev 0x00
pci1 at ppb0 bus 7
ppb1 at pci0 dev 3 function 0 "Intel 3100 PCIE" rev 0x00
pci2 at ppb1 bus 6
em0 at pci2 dev 0 function 0 "Intel 82571EB" rev 0x06: apic 1 int 16, address 
00:0e:b6:95:dc:0e
em1 at pci2 dev 0 function 1 "Intel 82571EB" rev 0x06: apic 1 int 17, address 
00:0e:b6:95:dc:0f
ppb2 at pci0 dev 28 function 0 "Intel 6321ESB PCIE" rev 0x01
pci3 at ppb2 bus 5
em2 at pci3 dev 0 function 0 "Intel 82574L" rev 0x00: msi, address 
00:0e:b6:3e:23:08
ppb3 at pci0 dev 28 function 1 "Intel 6321ESB PCIE" rev 0x01
pci4 at ppb3 bus 4
em3 at pci4 dev 0 function 0 "Intel 82574L" rev 0x00: msi, address 
00:0e:b6:3e:23:09
ppb4 at pci0 dev 28 function 2 "Intel 6321ESB PCIE" rev 0x01: apic 1 int 18
pci5 at ppb4 bus 3
ppb5 at pci0 dev 28 function 3 "Intel 6321ESB PCIE" rev 0x01
pci6 at ppb5 bus 2
uhci0 at pci0 dev 29 function 0 "Intel 6321ESB USB" rev 0x01: apic 1 int 23
uhci1 at pci0 dev 29 function 1 "Intel 6321ESB USB" rev 0x01: apic 1 int 19
ehci0 at pci0 dev 29 function 7 "Intel 6321ESB USB" rev 0x01: apic 1 int 23
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 
addr 1
ppb6 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xc9
pci7 at ppb6 bus 1
ichpcib0 at pci0 dev 31 function 0 "Intel 6321ESB LPC" rev 0x01: PM disabled
ahci0 at pci0 dev 31 function 2 "Intel 6321ESB AHCI" rev 0x01: apic 1 int 19, 
AHCI 1.1
ahci0: port 0: 1.5Gb/s
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0:  naa.50e0448be8ca
sd0: 114473MB, 512 bytes/sector, 234441648 sectors
ichiic0 at pci0 dev 31 function 3 "Intel 6321ESB SMBus" rev 0x01: apic 1 int 19
iic0 at ichiic0
ichiic0: abort failed, status 0x41
iic0: addr 0x24 a1=ff a2=ff a3=ff a4=ff a5=ff a6=ff a7=ff e1=02 e3=02 words 
00=01aa 01=01aa 02=01aa 03=01aa 04=01aa 05=01aa 06=01aa 07=01aa
adt0 at iic0 addr 0x2e: sch5017 rev 0x8a
iic0: addr 0x48 00=22 02=4b 03=50 04=22 06=4b 07=50 08=22 0a=4b 0b=50 0c=22 
0e=4b 0f=50 10=22 12=4b 13=50 14=22 16=4b 17=50 18=22 1a=4b 1b=50 1c=22 1e=4b 
1f=50 20=22 22=4b 23=50 

Re: Iked/unbound ~ more info.

[Dale C.]

I don't know how unbound will be aware of iked couple/decouple, so I
wonder how I'd specify "as appropriate" in this case short of a DNS
failover from the remote side using forward-zones in unbound. I'll
take a look at unwind...


On 11/18/19, Dale C.  wrote:
> "I'd go for a local unbound or local unwind instance, listening for
> queries on localhost, configured to use a forwarder as appropriate, plus
> the bypass rule suggested in faq17."
>
> Right.
>
> Thanks again,
>
> Dale
>
> On 11/18/19, Dale C.  wrote:
>> Stuart,
>>
>> Hmmm, thanks for taking the time to write. I'll consider these things.
>>
>> My server has a static IP, and I'd also like to start looking at DNS
>> over TLS. My client has a dynamic (shared even - cellular gateway) IP
>> address.
>>
>> There are some implications there I'll also need to consider. Routing
>> DNS through to the server which can do DoT would be difficult without
>> accepting DNS config from the responder, no?
>>
>> Thank you,
>>
>> Dale
>>
>

Re: Iked/unbound ~ more info.

[Dale C.]

"I'd go for a local unbound or local unwind instance, listening for
queries on localhost, configured to use a forwarder as appropriate, plus
the bypass rule suggested in faq17."

Right.

Thanks again,

Dale

On 11/18/19, Dale C.  wrote:
> Stuart,
>
> Hmmm, thanks for taking the time to write. I'll consider these things.
>
> My server has a static IP, and I'd also like to start looking at DNS
> over TLS. My client has a dynamic (shared even - cellular gateway) IP
> address.
>
> There are some implications there I'll also need to consider. Routing
> DNS through to the server which can do DoT would be difficult without
> accepting DNS config from the responder, no?
>
> Thank you,
>
> Dale
>

Re: Iked/unbound ~ more info.

[Antonino Sidoti]

Hi Dale,

I had unbound working with iked for a short time. I actually configured the 
interface enc0 like so;

** Server hostname.enc0
inet 10.0.5.1 255.255.255.0 10.0.5.255

---
** Server iked.conf
ikev2 “roaming" passive esp \
  from 0.0.0.0/0 to 0.0.0.0/0 \
  local egress peer any \
  psk "---" \
  config protected-subnet 0.0.0.0/0 \
  config address 10.0.5.0/24 \
  config name-server 10.0.5.1 \
  tag "IKED"

As you can see I then added the IP of the enc0 interface in iked.conf "config 
name-server 10.0.5.1”.
I then added the subnet 10.0.5.0/24 as an “allow “ in the unbound.conf

access-control: 10.0.5.0/24 allow

Though I too am not sure if this is a good way of using iked and unbound. 
In fact I actually stopped using this and just added a Public DNS server like 
1.1.1.1. 
>From all my reading, I think it is not required to configure the enc0 
>interface. 

Further testing using an OpenBSD iked client, I had very little success is 
making that work. 
For my scenario I have iPhones and MacBooks using the native ikev2 Apple client 
and they work fine.
All the clients get the Public IP of the iked Server when they connect.

Nino

> On 19 Nov 2019, at 7:46 am, Dale C.  wrote:
> 
> I'm thinking you're correct Chuck, I can't route traffic for localhost
> through iked...
> 
> So... "It might be necessary to exclude this traffic from the
> flows to ensure connections to services running locally (such as a
> local resolver)
> 
> ^ Then I'd have local dns while connected to my VPN?
> 
> OH... queries to external nameservers will still go through the VPN
> though? So it should be alright?
> 
> I'd much rather be doing DNS on the responder localhost though...
> isn't that the correct way here?
> 
> So, I'll try that, but any better solution for openbsd -> openbsd iked
> when both are using unbound localhost DNS would be appreciated :)
> 
> It works.
> 
> Thanks Chuck ;)
> 
> On 11/18/19, Dale C. mailto:maatk...@gmail.com>> wrote:
>> Chuck,
>> 
>> Hey thanks for the information. Yeah I've tried having unbound listen
>> on 10.0.1.2 (the VPN support net), that didn't work. I have not tried
>> putting unbound on an external interface, and would like to avoid
>> that.
>> 
>> I've actually taken unbound out of the equation on both sides.
>> Disabled unbound, commented supercede directive from dhclient and used
>> public name servers on both ends - that didn't work.
>> 
>> Today, I'll try some things again with the simplified pf confs. I'll
>> get some output from pflog. I'll try putting unbound on the public IP.
>> 
>> In the faq there are a few lines:
>> 
>> "Since all traffic goes through the VPN, including traffic targeted at
>> localhost, it might be necessary to exclude this traffic from the
>> flows to ensure connections to services running locally (such as a
>> local resolver) reach the right target. This can be achieved by adding
>> a single line to /etc/ipsec.conf on the initiator: flow from
>> 127.0.0.1/32 to 127.0.0.1/32 type bypass"
>> 
>> ^ I'm confused by this, i excluded this ipsec bypass and the rdr-to
>> rule in the responder pf conf. I would've expected that to work with
>> DNS targeting localhost? I'm also not clear how `match out log on enc0
>> inet all nat-to 10.0.5.2' behaves, is it akin to a "quick" directive?
>> Packets do not evaluate further rules because there are no more inet
>> packets after this? Does the position of this line in my initiator
>> pf.conf seem reasonable? I think perhaps it should go up...
>> 
>> Also this: "One caveat with using an OpenBSD client is that it doesn't
>> send configuration requests to the responder to configure its IP, so
>> the initiator needs to manually NAT its outgoing packets on the enc0
>> interface so that packets appear on the responder with an IP on the
>> VPN subnet."
>> 
>> I tried a config name-server directive on the initiator iked.conf, but
>> because it wants to verify the host at load-time, I get iked start
>> errors with it. *I think this is the reason anyway, I'll take a closer
>> look today*... So, I'm kind of wondering if a seamless way to switch
>> in and out of the VPN exists for openbsd clients? I should be able to
>> `ikectl couple/decouple' and just have it work right, so I'm looking
>> for a way to configure name-server in the iked.conf initiator ideally?
>> 
>> I'll go through your post a few more times and try your suggestions,
>> thank you very much!
>> 
>> Dale
>> 
>>> Chuck Wrote
>>> I am not sure if you noticed but 127.0.0.1 is always local to the machine
>>> using it.  If you try routing with it the packets will never leave the
>>> system.  If they do somehow leave then the system getting them will
>>> reject
>>> it as the packet did not come from itself.  I mention this as I see in
>>> both resolve.conf files the nameserver is listed as 127.0.0.1
>>> 
>>> You might try instead to have the unbound listen on the inside (or even
>>> the outside) address.  

Re: Iked/unbound ~ more info.

[Dale C.]

Stuart,

Hmmm, thanks for taking the time to write. I'll consider these things.

My server has a static IP, and I'd also like to start looking at DNS
over TLS. My client has a dynamic (shared even - cellular gateway) IP
address.

There are some implications there I'll also need to consider. Routing
DNS through to the server which can do DoT would be difficult without
accepting DNS config from the responder, no?

Thank you,

Dale

Re: Iked/unbound ~ more info.

[Stuart Henderson]

On 2019-11-18, Dale C.  wrote:
> "Since all traffic goes through the VPN, including traffic targeted at
> localhost, it might be necessary to exclude this traffic from the
> flows to ensure connections to services running locally (such as a
> local resolver) reach the right target. This can be achieved by adding
> a single line to /etc/ipsec.conf on the initiator: flow from
> 127.0.0.1/32 to 127.0.0.1/32 type bypass"
>
> ^ I'm confused by this, i excluded this ipsec bypass and the rdr-to
> rule in the responder pf conf.

On OpenBSD (and many other systems) IPsec works with "flows" which, for
want of a better word, "steal" traffic so that it doesn't follow the
routing table but instead matching traffic is diverted over the VPN.
(This is the traditional way of handling IPsec; some systems also
do "route based" IPsec which is a bit more straightforward for people
who understand IP routing but that's not possible with OpenBSD without
an additional tunnel interface).

> I would've expected that to work with
> DNS targeting localhost? I'm also not clear how `match out log on enc0
> inet all nat-to 10.0.5.2' behaves, is it akin to a "quick" directive?
> Packets do not evaluate further rules because there are no more inet
> packets after this? Does the position of this line in my initiator
> pf.conf seem reasonable? I think perhaps it should go up...

NAT rules take place *after* traffic has been selected by flows.
(This is why there's a special "srcnat" config in iked.conf/ipsec.conf
to handle this).

For this simple case with 0.0.0.0/0 I don't think you'll need to touch that,
just the "flow from 127.0.0.1/32 to 127.0.0.1/32 type bypass" in ipsec.conf
should do the trick. (Yes, ipsec.conf, even though you're using iked!
iked doesn't have a way to handle setting up bypass flows itself other
than the built-in very annoying "block IPv6 by default" mode that is
enabled by default, so you need to defer to ipsec.conf + ipsecctl for this).

> I tried a config name-server directive on the initiator iked.conf, but

"config name-server" is something that would go on the responder side,
but it's pointless if the only clients are iked.

>   I should be able to
> `ikectl couple/decouple' and just have it work right, so I'm looking
> for a way to configure name-server in the iked.conf initiator ideally?

I'd go for a local unbound or local unwind instance, listening for
queries on localhost, configured to use a forwarder as appropriate, plus
the bypass rule suggested in faq17.

Re: Tape drive

[Pietro Paolini]

Hi,

Thanks for the answer, yes it is indeed second hand - even though they
guaranteed what it is working. I've updated and I am still getting the
same result, I will try cleaning it first... and fingers crossed.

Thanks,
P.

On Mon, Nov 18, 2019 at 2:02 PM Kenneth Gober  wrote:
>
> On Sun, Nov 17, 2019 at 6:00 PM Pietro Paolini 
>  wrote:
>>
>> On a x86-64 Dell, the tape drive is an HP StorageWorks Ultrium 960.
>>
>> # tar cf /dev/rst0 ./test.txt
>> # mt -f  /dev/nrst0 rewind
>> # tar xf /dev/rst0 .out
>> tar: Failed read on archive volume 1: Input/output error
>> tar: Unable to recover from an archive read failure.
>> tar: Sorry, unable to determine archive format.
>>
>> What can I do to diagnose the problem ? Using other utilities such as
>> pax did not make any difference.
>
>
> That model is an LTO3 tape drive, which at this point is very old.  Did you 
> purchase
> it used, by chance?  It's possible that the hardware is simply defective.  
> I've bought
> several used tape drives and while most of them worked fine, some did not.  I 
> think
> I had one that didn't work until I ran a cycle with a cleaning cartridge.
>
> It's also possible that your tapes are defective.  I've bought tapes on eBay 
> where it
> turned out that 2 out of 3 tapes in the box were bad.
>
> I use LTO2/4 drives routinely with dump/restore, and very occasionally with 
> tar, and
> there is nothing special you have to do to make it work.  SCSI and SAS drives 
> work
> equally well (I have both).  The only thing special about LTO is that you 
> have to match
> the tape and drive.  An LTO3 tape drive will read LTO1, LTO2 and LTO3 tapes, 
> but it
> will not write LTO1 (only 2 and 3).
>
> So your diagnostic steps should include:
> 1. run a cleaning cartridge cycle
> 2. try a different tape (from a different batch or manufacturer)
> 3. try another drive
>
> -ken

Re: 'machine/cdefs.h' file not found when installing nokogiri gem

[Stuart Henderson]

On 2019-11-16, mabi  wrote:
> ‐‐‐ Original Message ‐‐‐
> On Saturday, November 16, 2019 2:38 PM, Stuart Henderson 
>  wrote:
>
>> For native extensions, it's really best to install from packages.
>>
>> pkg_add ruby25-nokogiri
>
> Thanks for the tip, I didn't think about that alternative. What puzzles me is 
> that I managed to install that nokogiri gem on OpenBSD 6.4 using 'gem 
> install' in the past. Will have to check with 6.6.
>
>

For the actual problem: I suspect you may have done an install at some
point without the comp*.tgz set and so didn't get the machine -> amd64
symlink correctly installed in /usr/include. Fix for this would be to
rm -r /usr/include/* then boot the "bsd.rd" install kernel and tell it
to do an upgrade to the version you're currently using, and install
all sets, then re-run syspatch when you've rebooted.

But using packages means that you'll automatically get updates from
pkg_add -u when you update the OS, as these may be needed to cope with
updates to Ruby/libc/kernel versions. So that's why I'd suggest them.

Re: Iked/unbound ~ more info.

[Dale C.]

I'm thinking you're correct Chuck, I can't route traffic for localhost
through iked...

So... "It might be necessary to exclude this traffic from the
flows to ensure connections to services running locally (such as a
local resolver)

^ Then I'd have local dns while connected to my VPN?

OH... queries to external nameservers will still go through the VPN
though? So it should be alright?

I'd much rather be doing DNS on the responder localhost though...
isn't that the correct way here?

So, I'll try that, but any better solution for openbsd -> openbsd iked
when both are using unbound localhost DNS would be appreciated :)

It works.

Thanks Chuck ;)

On 11/18/19, Dale C.  wrote:
> Chuck,
>
> Hey thanks for the information. Yeah I've tried having unbound listen
> on 10.0.1.2 (the VPN support net), that didn't work. I have not tried
> putting unbound on an external interface, and would like to avoid
> that.
>
> I've actually taken unbound out of the equation on both sides.
> Disabled unbound, commented supercede directive from dhclient and used
> public name servers on both ends - that didn't work.
>
> Today, I'll try some things again with the simplified pf confs. I'll
> get some output from pflog. I'll try putting unbound on the public IP.
>
> In the faq there are a few lines:
>
> "Since all traffic goes through the VPN, including traffic targeted at
> localhost, it might be necessary to exclude this traffic from the
> flows to ensure connections to services running locally (such as a
> local resolver) reach the right target. This can be achieved by adding
> a single line to /etc/ipsec.conf on the initiator: flow from
> 127.0.0.1/32 to 127.0.0.1/32 type bypass"
>
> ^ I'm confused by this, i excluded this ipsec bypass and the rdr-to
> rule in the responder pf conf. I would've expected that to work with
> DNS targeting localhost? I'm also not clear how `match out log on enc0
> inet all nat-to 10.0.5.2' behaves, is it akin to a "quick" directive?
> Packets do not evaluate further rules because there are no more inet
> packets after this? Does the position of this line in my initiator
> pf.conf seem reasonable? I think perhaps it should go up...
>
> Also this: "One caveat with using an OpenBSD client is that it doesn't
> send configuration requests to the responder to configure its IP, so
> the initiator needs to manually NAT its outgoing packets on the enc0
> interface so that packets appear on the responder with an IP on the
> VPN subnet."
>
> I tried a config name-server directive on the initiator iked.conf, but
> because it wants to verify the host at load-time, I get iked start
> errors with it. *I think this is the reason anyway, I'll take a closer
> look today*... So, I'm kind of wondering if a seamless way to switch
> in and out of the VPN exists for openbsd clients? I should be able to
> `ikectl couple/decouple' and just have it work right, so I'm looking
> for a way to configure name-server in the iked.conf initiator ideally?
>
> I'll go through your post a few more times and try your suggestions,
> thank you very much!
>
> Dale
>
>> Chuck Wrote
>> I am not sure if you noticed but 127.0.0.1 is always local to the machine
>> using it.  If you try routing with it the packets will never leave the
>> system.  If they do somehow leave then the system getting them will
>> reject
>> it as the packet did not come from itself.  I mention this as I see in
>> both resolve.conf files the nameserver is listed as 127.0.0.1
>>
>> You might try instead to have the unbound listen on the inside (or even
>> the outside) address.  After that only allow access to it from the IKE
>> networks.
>>
>> I would also mention that rdr-to is not NAT.  It does reroute the packets
>> but the return packets can take a different route.  If the unbound is
>> listening on 127.0.0.1 then that is where the packets will be coming
>> from.
>>  You would need to NAT the outgoing DNS packets to the correct interface.
>>
>> No idea if any of this will help you.
>>
>>
>> I did see a request on pflog, here is a really brief run down on how it
>> is
>> used.
>>
>> 1. Add 'log' to one of the rules.  Ex rule from your pf rules:
>> #name servers
>> pass out log on $ext proto udp from $ext to any port $udp_services
>>
>> 2. View the pflog after some of the packets have been captured.  Ex:
>> /usr/sbin/tcpdump -n -e -ttt -s1500 -r /var/log/pflog
>>
>> This will display the packets in tcpdump format.  The -e option is to
>> give
>> you the rule number that captured the packet, in case you have multiple
>> logging rules.  You can get the rule number from your pf.conf file by
>> doing: /usr/sbin/pf -nvvvf /etc/pf.conf
>>
>> The -n is so the rules do not reload.  The rule is @#
>>
>>
>> Have Fun!
>> Chuck Hall
>>
>>
>>> Update:
>>>
>>> Spent a lot of time trying different things, still no DNS.
>>>
>>> Simplified and cleaned up all my confs as much as possible.
>>>
>>> Everything works, but DNS.
>>>
>>> 

ahci cd/dvd failure key_sense

[Heppler, J. Scott]

On amd64 6.6release/stable and -current my TSSTcorp CDDVDW SH-223DB has
failed to function.  It does not key_sense and backends
cdio/xorriso-tcltk seem to write a lead-in track and nothing else.

The system dual boots with Debian 10 the same drive is recognized and
works without issue.

# xorriso -as cdrecord dev=/dev/rcd0c crux-3.5-updated.iso  
xorriso 1.5.2 : RockRidge filesystem manipulator, libburnia project.


Drive current: -outdev '/dev/rcd0c' Media current: CD-R
Media status : is blank
Media summary: 0 sessions, 0 data blocks, 0 data,  703m free
Beginning to write data track.
libburn : FATAL : SCSI error on write(-22,16): See MMC specs:
Sense Key 2 "Drive not ready", ASC 00 ASCQ 00.
libburn : FATAL : CDB= WRITE(10) : 2a 00 ff ff ff ea 00 00 10 00  :
dxfer_len= 32768
libburn : FAILURE : Failed to synchronize drive cache. SCSI error : See
MMC specs: Sense Key 2 "Drive not ready", ASC 00 ASCQ 00.  xorriso :
FATAL : -abort_on 'FAILURE' encountered 'FATAL' during image writing
xorriso : NOTE : libburn has now been urged to cancel its operation
libburn : FATAL : Burn run failed
xorriso : FAILURE : libburn indicates failure with writing.
xorriso : NOTE : Gave up -outdev ''
xorriso : FAILURE : -as cdrecord: Job could not be performed properly.
xorriso : aborting : -abort_on 'FAILURE' encountered 'FATAL'

If found this which seems to fit the issue I am having.

https://marc.info/?l=openbsd-misc=147411010102451=2

There were no F/U's to this post.  It appears this is device dependent.
Can anyone recommend a make/model of SATA drive that can be used in
OpenBSD.  The recommended to use "xorriso -as cdrecord" in OpenBSD?
Lastly, are any developer interested in addressing key sense in the ahci
driver?  I'm willing to test on the hardware I have.



--
J. Scott Heppler

Re: Iked/unbound ~ more info.

[Dale C.]

Chuck,

Hey thanks for the information. Yeah I've tried having unbound listen
on 10.0.1.2 (the VPN support net), that didn't work. I have not tried
putting unbound on an external interface, and would like to avoid
that.

I've actually taken unbound out of the equation on both sides.
Disabled unbound, commented supercede directive from dhclient and used
public name servers on both ends - that didn't work.

Today, I'll try some things again with the simplified pf confs. I'll
get some output from pflog. I'll try putting unbound on the public IP.

In the faq there are a few lines:

"Since all traffic goes through the VPN, including traffic targeted at
localhost, it might be necessary to exclude this traffic from the
flows to ensure connections to services running locally (such as a
local resolver) reach the right target. This can be achieved by adding
a single line to /etc/ipsec.conf on the initiator: flow from
127.0.0.1/32 to 127.0.0.1/32 type bypass"

^ I'm confused by this, i excluded this ipsec bypass and the rdr-to
rule in the responder pf conf. I would've expected that to work with
DNS targeting localhost? I'm also not clear how `match out log on enc0
inet all nat-to 10.0.5.2' behaves, is it akin to a "quick" directive?
Packets do not evaluate further rules because there are no more inet
packets after this? Does the position of this line in my initiator
pf.conf seem reasonable? I think perhaps it should go up...

Also this: "One caveat with using an OpenBSD client is that it doesn't
send configuration requests to the responder to configure its IP, so
the initiator needs to manually NAT its outgoing packets on the enc0
interface so that packets appear on the responder with an IP on the
VPN subnet."

I tried a config name-server directive on the initiator iked.conf, but
because it wants to verify the host at load-time, I get iked start
errors with it. *I think this is the reason anyway, I'll take a closer
look today*... So, I'm kind of wondering if a seamless way to switch
in and out of the VPN exists for openbsd clients? I should be able to
`ikectl couple/decouple' and just have it work right, so I'm looking
for a way to configure name-server in the iked.conf initiator ideally?

I'll go through your post a few more times and try your suggestions,
thank you very much!

Dale

On 11/18/19, ch...@qatland.com  wrote:
> I am not sure if you noticed but 127.0.0.1 is always local to the machine
> using it.  If you try routing with it the packets will never leave the
> system.  If they do somehow leave then the system getting them will reject
> it as the packet did not come from itself.  I mention this as I see in
> both resolve.conf files the nameserver is listed as 127.0.0.1
>
> You might try instead to have the unbound listen on the inside (or even
> the outside) address.  After that only allow access to it from the IKE
> networks.
>
> I would also mention that rdr-to is not NAT.  It does reroute the packets
> but the return packets can take a different route.  If the unbound is
> listening on 127.0.0.1 then that is where the packets will be coming from.
>  You would need to NAT the outgoing DNS packets to the correct interface.
>
> No idea if any of this will help you.
>
>
> I did see a request on pflog, here is a really brief run down on how it is
> used.
>
> 1. Add 'log' to one of the rules.  Ex rule from your pf rules:
> #name servers
> pass out log on $ext proto udp from $ext to any port $udp_services
>
> 2. View the pflog after some of the packets have been captured.  Ex:
> /usr/sbin/tcpdump -n -e -ttt -s1500 -r /var/log/pflog
>
> This will display the packets in tcpdump format.  The -e option is to give
> you the rule number that captured the packet, in case you have multiple
> logging rules.  You can get the rule number from your pf.conf file by
> doing: /usr/sbin/pf -nvvvf /etc/pf.conf
>
> The -n is so the rules do not reload.  The rule is @#
>
>
> Have Fun!
> Chuck Hall
>
>
>> Update:
>>
>> Spent a lot of time trying different things, still no DNS.
>>
>> Simplified and cleaned up all my confs as much as possible.
>>
>> Everything works, but DNS.
>>
>> ##initiator pf.conf
>> #declare variables
>> tcp_services = " { ssh, https, http } "
>> udp_services = " { domain } "
>> ext = " iwn0  "
>>
>> #tables
>> table  persist { 155.138.139.17 }
>>
>> set skip on lo0
>>
>> block drop
>>
>> #sshserver
>> pass in log on $ext proto tcp from any to port 22 synproxy state
>>
>> #name servers
>> pass out log on $ext proto udp from $ext to any port $udp_services
>>
>> #Serving dns on lan
>> pass in on $ext proto udp from 192.168.0.0/24 to any port $udp_services
>>
>> #State
>> pass out keep state
>>
>> #roadwarrior
>> match out log on enc0 inet all nat-to 10.0.1.2
>>
>> ##initiator iked.conf
>>
>> ikev2 'roadwarrior' active esp \
>> from 0.0.0.0/0 to 0.0.0.0/0 \
>> peer 155.138.139.17 \
>> srcid roadwarrior 

Re: Best Practices for growing disk partitions on a server

[Theo de Raadt]

Stuart Henderson  wrote:

> On 2019-11-17, Lev Lazinskiy  wrote:
> > Hi folks, 
> >
> > I am new to openBSD, so forgive me if I am missing something obvious. 
> >
> > I recently installed openBSD on a server using the auto-partition layout
> > during installation and am quickly starting to run out of disk space. 
> >
> > I have read the section in the FAQ [1] regarding how to grow a disk
> > partition, but I am confused on the best way to actually do this. 
> >
> > Specifically, I am trying to grow /usr and /home but they are "busy"
> > when I try to follow these steps on a running server. 
> >
> > Is the assumption that you are supposed to reboot the server with the 
> > ISO attached and pop into a shell to complete these steps?
> >
> > [1] https://www.openbsd.org/faq/faq14.html#GrowPartition
> >
> 
> This faq entry tells you to use growfs, which won't work for /usr
> from a standard auto-defaults install because it requires empty space
> immediately following the partition to grow into.
> 
> On a larger disk it often will work for /home because auto-defaults
> place it at the end of the disk, size it at max 300G, and leave the space
> following it empty.
> 
> Sometimes you can shunt things around - if you have free space at the end
> of the disk you can move files from the filesystem immediately following
> /usr there, and growfs into the now-vacated space - sometimes you have
> another partition that is A) larger than /usr and B) that is larger than
> you need, in which case you copy files so you can swap them around.
> Or again if you have free space at the end of the disk, after what you'd
> want to grow /home into, you can make a new partition there, copy the
> files, and leave the former /usr partition empty. But it's quite delicate
> work and is often easier to reinstall.
> 
> Interested what you are bumping into on /usr, on a recently installed
> system the default size is usually ok for most uses unless it's a small
> disk or unless you are building ports and don't have a separate /usr/ports
> partition. (If you *are* using ports and have free space at the end -
> as above - you could create a new partition to hold /usr/ports in there
> and move *those* files across - that's a much easier proposition than
> moving the whole of /usr.

Which is to say, there are all sorts of complexities, and you'll have to
work through them.

On the other hand learning how to save all your files, and then do a
fresh install, is like gaining a superpower.

Re: Best Practices for growing disk partitions on a server

[Stuart Henderson]

On 2019-11-17, Lev Lazinskiy  wrote:
> Hi folks, 
>
> I am new to openBSD, so forgive me if I am missing something obvious. 
>
> I recently installed openBSD on a server using the auto-partition layout
> during installation and am quickly starting to run out of disk space. 
>
> I have read the section in the FAQ [1] regarding how to grow a disk
> partition, but I am confused on the best way to actually do this. 
>
> Specifically, I am trying to grow /usr and /home but they are "busy"
> when I try to follow these steps on a running server. 
>
> Is the assumption that you are supposed to reboot the server with the 
> ISO attached and pop into a shell to complete these steps?
>
> [1] https://www.openbsd.org/faq/faq14.html#GrowPartition
>

This faq entry tells you to use growfs, which won't work for /usr
from a standard auto-defaults install because it requires empty space
immediately following the partition to grow into.

On a larger disk it often will work for /home because auto-defaults
place it at the end of the disk, size it at max 300G, and leave the space
following it empty.

Sometimes you can shunt things around - if you have free space at the end
of the disk you can move files from the filesystem immediately following
/usr there, and growfs into the now-vacated space - sometimes you have
another partition that is A) larger than /usr and B) that is larger than
you need, in which case you copy files so you can swap them around.
Or again if you have free space at the end of the disk, after what you'd
want to grow /home into, you can make a new partition there, copy the
files, and leave the former /usr partition empty. But it's quite delicate
work and is often easier to reinstall.

Interested what you are bumping into on /usr, on a recently installed
system the default size is usually ok for most uses unless it's a small
disk or unless you are building ports and don't have a separate /usr/ports
partition. (If you *are* using ports and have free space at the end -
as above - you could create a new partition to hold /usr/ports in there
and move *those* files across - that's a much easier proposition than
moving the whole of /usr.

Re: Home NAS

[Roderick]

What can be newer or not existent yesterday, but has the same filename?
Something that one changed with an editor? Would not be better to use
a version contro system?

Rod.

On Mon, 18 Nov 2019, Nick Holland wrote:


On 2019-11-17 11:39, Jean-François Simon wrote:

Hi,

I found it, there exist glastree which is available from ports.

Nice small "poor man's" backup as the author qualifies,
though makes incremental backup through hard links:

# if yesterday does not exist or today is newer, copy the file
# else hard link the file to yesterday


rsync --link-dest -- it's been in rsync for well over 10 years at this
point.  Little wrapper shell script and away you go...

Re: Tape drive

[Kenneth Gober]

On Sun, Nov 17, 2019 at 6:00 PM Pietro Paolini <
pietro.paol...@cognitivecredit.com> wrote:

> On a x86-64 Dell, the tape drive is an HP StorageWorks Ultrium 960.
>
> # tar cf /dev/rst0 ./test.txt
> # mt -f  /dev/nrst0 rewind
> # tar xf /dev/rst0 .out
> tar: Failed read on archive volume 1: Input/output error
> tar: Unable to recover from an archive read failure.
> tar: Sorry, unable to determine archive format.
>
> What can I do to diagnose the problem ? Using other utilities such as
> pax did not make any difference.
>

That model is an LTO3 tape drive, which at this point is very old.  Did you
purchase
it used, by chance?  It's possible that the hardware is simply defective.
I've bought
several used tape drives and while most of them worked fine, some did not.
I think
I had one that didn't work until I ran a cycle with a cleaning cartridge.

It's also possible that your tapes are defective.  I've bought tapes on
eBay where it
turned out that 2 out of 3 tapes in the box were bad.

I use LTO2/4 drives routinely with dump/restore, and very occasionally with
tar, and
there is nothing special you have to do to make it work.  SCSI and SAS
drives work
equally well (I have both).  The only thing special about LTO is that you
have to match
the tape and drive.  An LTO3 tape drive will read LTO1, LTO2 and LTO3
tapes, but it
will not write LTO1 (only 2 and 3).

So your diagnostic steps should include:
1. run a cleaning cartridge cycle
2. try a different tape (from a different batch or manufacturer)
3. try another drive

-ken

Re: Home NAS

[Nick Holland]

On 2019-11-17 11:39, Jean-François Simon wrote:
> Hi,
> 
> I found it, there exist glastree which is available from ports.
> 
> Nice small "poor man's" backup as the author qualifies,
> though makes incremental backup through hard links:
> 
>   # if yesterday does not exist or today is newer, copy the file
>   # else hard link the file to yesterday

rsync --link-dest -- it's been in rsync for well over 10 years at this
point.  Little wrapper shell script and away you go...

Nick.

Re: pkg_info -Q bug?

[Antonio Bibiano]

Hello,
I just wanted to add to this thread that I incurred in the same
issue on a fresh 6.6 installation.
I also tried with a different mirror in /etc/installurl and receive
the same partial response from pkg_info -Q.
What makes it even more odd is that pkg_add finds the correct package.


Cheers,
Antonio Bibiano

On Fri, Nov 08, 2019 at 09:34:06PM GMT, Dumitru Moldovan wrote:
>On Fri, Nov 08, 2019 at 08:04:45PM +, Raf Czlonka wrote:
>>On Fri, Nov 08, 2019 at 05:45:23PM GMT, Dumitru Moldovan wrote:
>>>
>>> Hi misc,
>>>
>>> I see pkg_info's man page says:
>>>
>>>-Q query
>>>Show all packages in $PKG_PATH which match the given query.
>>>
>>> Trying in 6.6 to find the Python module "mysqlclient", I get the
>>> following puzzling results:
>>>
>>> $ pkg_info -Q mysql
>>> php-mysqli-7.2.24
>>> php-mysqli-7.3.11
>>> php-pdo_mysql-7.2.24
>>> php-pdo_mysql-7.3.11
>>>
>>> $ pkg_info -Q py-mysql
>>> py-mysql-1.2.5p6
>>> py-mysqlclient-1.4.2p0
>>>
>>> Am I doing something wrong?  Why is "py-mysqlclient" not matched for
>>> the first query?
>>>
>>
>>Hi Dumitru,
>>
>>Not only isn't "py-mysqlclient" matched, but also over 40 other
>>packages with "mysql" string.
>>
>>How does your $PKG_PATH look like?
>
>Thanks for looking into it!
>
>$PKG_PATH is empty here, should have checked it first.  I get the
>expected results with:
>
>PKG_PATH=`cat /etc/installurl`/`uname -r`/packages/`uname -m`/ pkg_info -Q 
>mysql
>
>But now I don't understand why I got any results at all with an empty
>$PKG_PATH...  Maybe I would have read that one line in the man page
>more carefully if there was no result at all to begin with.  :-]
>

Re: Best Practices for growing disk partitions on a server

[Joseph A Borg]

you have to boot in single user mode:

https://www.openbsd.org/faq/faq8.html


> On 18 Nov 2019, at 00:12, Lev Lazinskiy  wrote:
> 
> Hi Edgar, 
> 
> Thanks for the response. 
> On Sun, Nov 17, 2019 at 04:06:18PM -0600, Edgar Pettijohn wrote:
>> 
>> On Nov 17, 2019 2:35 PM, Lev Lazinskiy  wrote:
>>> 
>>> Hi folks, 
>>> 
>>> I am new to openBSD, so forgive me if I am missing something obvious. 
>>> 
>>> I recently installed openBSD on a server using the auto-partition layout
>>> during installation and am quickly starting to run out of disk space. 
>>> 
>>> I have read the section in the FAQ [1] regarding how to grow a disk
>>> partition, but I am confused on the best way to actually do this. 
>>> 
>>> Specifically, I am trying to grow /usr and /home but they are "busy"
>>> when I try to follow these steps on a running server. 
>>> 
>> 
>> You must umount them first.
> 
> Right, the issue is that I am unable to unmount them because they are
> actively being used. 
>> 
>> 
>>> Is the assumption that you are supposed to reboot the server with the 
>>> ISO attached and pop into a shell to complete these steps?
>>> 
>>> [1] https://www.openbsd.org/faq/faq14.html#GrowPartition
>>> 
>>> -- 
>>> Lev Lazinskiy
>>> 
>> 
>> If it's a fresh install probably be easier to just reinstall and size 
>> partitions how you need them.
> 
> This makes sense, but I was curious what the recommended approach is for
> a server that you cannot simply reinstall. 
> 
> Someone else suggested using single user mode on boot and that approach
> seems to work very well. 
> 
>> 
>> Edgar
> 

httpd redirect based on query parameters

[Thomas]

Hi,

I have another question regarding redirects with httpd.

I need to redirect a given URL to another server based on its query 
parameters.


Example:

http://company.website/products/?id=1

redirect to:  "http://newcompany.website/products;

http://company.website/products/?id=2

redirect to: "http://newcompany.website/contact;


I think the problem is that everything after the "?" is not taking into 
account by the httpd redirect logic (because by definition it's not part 
of the path?). But is there a way to achieve this with httpd?


Thanks a lot,
Thomas