Re: dhcpleased losing route

2023-05-09 Thread Stuart Henderson
On 2023-05-10, David Diggles  wrote:
> My ISP provides connection via DHCP.
>
> Every 5 minutes or so when dhcpleased is renewing the lease,
> my default route disappears for a few seconds.

That isn't supposed to happen. I just checked on a machine which has
10 minute leases and I don't see that problem or those log messages.

I'd run dhcpleased in the foreground with debug logging and collect a
couple of cycles' worth to see if that gives any clues. Saving a
packet capture might be useful too ("tcpdump -i cnmac2 -s1500 -w
/tmp/dhcp.pcap port 67 or 68").

> Definitely I'll be looking at requesting a longer lease by
> putting a setting in /etc/dhclient.conf but is there any way
> I can stop the default route disappearing with each renew event?

dhcpleased doesn't support this yet though it would certainly be a
feature that's useful to have.




Re: dhcpleased losing route

2023-05-09 Thread Otto Moerbeek
On Wed, May 10, 2023 at 01:17:05PM +1000, David Diggles wrote:

> 
> Just to update, I've added the following to dhclient.conf but
> it's still renewing every 5 minutes (approximately) and the
> default route is disappearing for a couple of seconds. :(
> 
> send dhcp-lease-time 86400;

dhcpleased does not use dhclient.conf; it uses dhcpleased.conf, which
does not have a way to influence the lease time requested (if that is a
thing).

-Otto
> 
> On Wed, May 10, 2023 at 01:00:00PM +1000, David Diggles wrote:
> > My ISP provides connection via DHCP.
> > 
> > Every 5 minutes or so when dhcpleased is renewing the lease,
> > my default route disappears for a few seconds.
> > 
> > Definitely I'll be looking at requesting a longer lease by
> > putting a setting in /etc/dhclient.conf but is there any way
> > I can stop the default route disappearing with each renew event?
> > 
> > The route didn't disappear when I tested with NetBSD and Linux.
> > 
> > This seems like I'm missing a setting in dhclient.conf to make
> > the default route sticky? I can't see any obvious answers in
> > the man page for dhclient.conf unfortunately.
> > 
> > (IP fudged log snippet below)
> > 
> > May 10 12:23:21 openbsd-gateway dhcpleased[77979]: deleting nameservers x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
> > May 10 12:23:21 openbsd-gateway dhcpleased[77979]: deleting x.x.x.30 from cnmac2 (lease from x.x.x.1)
> > May 10 12:23:23 openbsd-gateway dhcpleased[77979]: adding x.x.x.30 to cnmac2 (lease from x.x.x.1)
> > May 10 12:23:23 openbsd-gateway dhcpleased[77979]: adding nameservers x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
> > May 10 12:28:23 openbsd-gateway dhcpleased[77979]: deleting nameservers x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
> > May 10 12:28:23 openbsd-gateway dhcpleased[77979]: deleting x.x.x.30 from cnmac2 (lease from x.x.x.1)
> > May 10 12:28:25 openbsd-gateway dhcpleased[77979]: adding  x.x.x.30 to cnmac2 (lease from x.x.x.1)
> > May 10 12:28:25 openbsd-gateway dhcpleased[77979]: adding nameservers x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
> > May 10 12:33:26 openbsd-gateway dhcpleased[77979]: deleting nameservers x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
> > May 10 12:33:26 openbsd-gateway dhcpleased[77979]: deleting x.x.x.30 from cnmac2 (lease from x.x.x.1)
> > May 10 12:33:28 openbsd-gateway dhcpleased[77979]: adding x.x.x.30 to cnmac2 (lease from x.x.x.1)
> > May 10 12:33:28 openbsd-gateway dhcpleased[77979]: adding nameservers x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
> > May 10 12:38:28 openbsd-gateway dhcpleased[77979]: deleting nameservers x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
> > May 10 12:38:28 openbsd-gateway dhcpleased[77979]: deleting  x.x.x.30 from cnmac2 (lease from x.x.x.1)
> > May 10 12:38:30 openbsd-gateway dhcpleased[77979]: adding  x.x.x.30 to cnmac2 (lease from x.x.x.1)
> > May 10 12:38:30 openbsd-gateway dhcpleased[77979]: adding nameservers x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
> > 
> 



Re: Asymmetric file encryption… use gnupg from ports or is there something else?

2023-05-09 Thread Stuart Longland
On Tue, 9 May 2023 13:36:07 -0600
Zack Newman  wrote:

> Personally, I don't think this makes all that much sense. E-mail is not
> very secure. If you can't guarantee communication is E2EE, then this seems
> like false security/privacy to me. Not only does the other recipient
> likely use a service like Gmail which means your communication is in
> Google's hands; but unless you strictly enforce encryption in transit
> (most MTAs only use _opportunistic_ encryption), every device your e-mail
> traversed possibly has access to the content as well. This is why
> applications like Signal are gaining popularity especially in the
> crypto/infosec crowd.

Well, this is true… for the ultimate guarantee, you use end-to-end encryption 
tools like S/MIME and OpenPGP.

This is a more "can it be done" exercise.  If it proves to "not be that
secure", then so be it.  It's a case of nothing ventured, nothing
gained.

> Last, if you are worried about the "remote server"; then why not just
> host the MTA at your house along with your "home mail server"?

If you check the MX records of my present email domain, you'll see
that's exactly what I'm doing.

The email is hosted at my house (on a Linux VM) behind an OpenBSD
router/firewall which is directly connected to this country's glorious
NBN.  Now, those who know anything about Australia's NBN will know that
it is utterly useless in a power outage and can have bouts of
unreliability.  (I run HFC NBN.  NTD is on back-up 12V power, but the
infrastructure in the street is not, so in a black-out, the NTD sits
there blinking useless asking: "where's my network?!?!")

If the NBN goes down, or I'm doing maintenance… MX is down and out.  If
I'm away from home when it goes down, it might be days before I can get
back there to fix it.  I'd like my emails to just safely sit somewhere
under my control until they can be collected.

I could just store them on the server clear-text and use UUCP for
delivery.  I've certainly coaxed Taylor UUCP to work over SSH in the
past, and it does work just fine.  Not sure if OpenBSD has a built-in
UUCP, but that is an option.  It'd solve my immediate problem… but I
figure if they're going to sit there any length of time, I might as
well protect them from prying eyes if possible.

The aim here is not to defend against every possible attack, it's to
defend against the most probable ones and keep people honest.

Regards,
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.



Re: dhcpleased losing route

2023-05-09 Thread David Diggles


Just to update, I've added the following to dhclient.conf but
it's still renewing every 5 minutes (approximately) and the
default route is disappearing for a couple of seconds. :(

send dhcp-lease-time 86400;

On Wed, May 10, 2023 at 01:00:00PM +1000, David Diggles wrote:
> My ISP provides connection via DHCP.
> 
> Every 5 minutes or so when dhcpleased is renewing the lease,
> my default route disappears for a few seconds.
> 
> Definitely I'll be looking at requesting a longer lease by
> putting a setting in /etc/dhclient.conf but is there any way
> I can stop the default route disappearing with each renew event?
> 
> The route didn't disappear when I tested with NetBSD and Linux.
> 
> This seems like I'm missing a setting in dhclient.conf to make
> the default route sticky? I can't see any obvious answers in
> the man page for dhclient.conf unfortunately.
> 
> (IP fudged log snippet below)
> 
> May 10 12:23:21 openbsd-gateway dhcpleased[77979]: deleting nameservers x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
> May 10 12:23:21 openbsd-gateway dhcpleased[77979]: deleting x.x.x.30 from cnmac2 (lease from x.x.x.1)
> May 10 12:23:23 openbsd-gateway dhcpleased[77979]: adding x.x.x.30 to cnmac2 (lease from x.x.x.1)
> May 10 12:23:23 openbsd-gateway dhcpleased[77979]: adding nameservers x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
> May 10 12:28:23 openbsd-gateway dhcpleased[77979]: deleting nameservers x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
> May 10 12:28:23 openbsd-gateway dhcpleased[77979]: deleting x.x.x.30 from cnmac2 (lease from x.x.x.1)
> May 10 12:28:25 openbsd-gateway dhcpleased[77979]: adding  x.x.x.30 to cnmac2 (lease from x.x.x.1)
> May 10 12:28:25 openbsd-gateway dhcpleased[77979]: adding nameservers x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
> May 10 12:33:26 openbsd-gateway dhcpleased[77979]: deleting nameservers x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
> May 10 12:33:26 openbsd-gateway dhcpleased[77979]: deleting x.x.x.30 from cnmac2 (lease from x.x.x.1)
> May 10 12:33:28 openbsd-gateway dhcpleased[77979]: adding x.x.x.30 to cnmac2 (lease from x.x.x.1)
> May 10 12:33:28 openbsd-gateway dhcpleased[77979]: adding nameservers x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
> May 10 12:38:28 openbsd-gateway dhcpleased[77979]: deleting nameservers x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
> May 10 12:38:28 openbsd-gateway dhcpleased[77979]: deleting  x.x.x.30 from cnmac2 (lease from x.x.x.1)
> May 10 12:38:30 openbsd-gateway dhcpleased[77979]: adding  x.x.x.30 to cnmac2 (lease from x.x.x.1)
> May 10 12:38:30 openbsd-gateway dhcpleased[77979]: adding nameservers x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
> 



dhcpleased losing route

2023-05-09 Thread David Diggles
My ISP provides connection via DHCP.

Every 5 minutes or so when dhcpleased is renewing the lease,
my default route disappears for a few seconds.

Definitely I'll be looking at requesting a longer lease by
putting a setting in /etc/dhclient.conf but is there any way
I can stop the default route disappearing with each renew event?

The route didn't disappear when I tested with NetBSD and Linux.

This seems like I'm missing a setting in dhclient.conf to make
the default route sticky? I can't see any obvious answers in
the man page for dhclient.conf unfortunately.

(IP fudged log snippet below)

May 10 12:23:21 openbsd-gateway dhcpleased[77979]: deleting nameservers x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
May 10 12:23:21 openbsd-gateway dhcpleased[77979]: deleting x.x.x.30 from cnmac2 (lease from x.x.x.1)
May 10 12:23:23 openbsd-gateway dhcpleased[77979]: adding x.x.x.30 to cnmac2 (lease from x.x.x.1)
May 10 12:23:23 openbsd-gateway dhcpleased[77979]: adding nameservers x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
May 10 12:28:23 openbsd-gateway dhcpleased[77979]: deleting nameservers x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
May 10 12:28:23 openbsd-gateway dhcpleased[77979]: deleting x.x.x.30 from cnmac2 (lease from x.x.x.1)
May 10 12:28:25 openbsd-gateway dhcpleased[77979]: adding  x.x.x.30 to cnmac2 (lease from x.x.x.1)
May 10 12:28:25 openbsd-gateway dhcpleased[77979]: adding nameservers x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
May 10 12:33:26 openbsd-gateway dhcpleased[77979]: deleting nameservers x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
May 10 12:33:26 openbsd-gateway dhcpleased[77979]: deleting x.x.x.30 from cnmac2 (lease from x.x.x.1)
May 10 12:33:28 openbsd-gateway dhcpleased[77979]: adding x.x.x.30 to cnmac2 (lease from x.x.x.1)
May 10 12:33:28 openbsd-gateway dhcpleased[77979]: adding nameservers x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
May 10 12:38:28 openbsd-gateway dhcpleased[77979]: deleting nameservers x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
May 10 12:38:28 openbsd-gateway dhcpleased[77979]: deleting  x.x.x.30 from cnmac2 (lease from x.x.x.1)
May 10 12:38:30 openbsd-gateway dhcpleased[77979]: adding  x.x.x.30 to cnmac2 (lease from x.x.x.1)
May 10 12:38:30 openbsd-gateway dhcpleased[77979]: adding nameservers x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
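As an added example (not from the thread), a small Python script that reads dhcpleased syslog lines like the ones above, pairs each address removal with the matching re-add on the same interface, and reports how long the address was absent (which bounds the window in which the default route was gone) and how far apart the renewals were. The sample log is the thread's own IP-fudged lines; the year is an assumption, since syslog omits it.

```python
import re
from datetime import datetime

# Constructed sample: the (IP-fudged) dhcpleased lines quoted in the thread,
# joined back onto single lines. Nameserver lines are present; the parser skips them.
SAMPLE_LOG = """\
May 10 12:23:21 openbsd-gateway dhcpleased[77979]: deleting nameservers x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
May 10 12:23:21 openbsd-gateway dhcpleased[77979]: deleting x.x.x.30 from cnmac2 (lease from x.x.x.1)
May 10 12:23:23 openbsd-gateway dhcpleased[77979]: adding x.x.x.30 to cnmac2 (lease from x.x.x.1)
May 10 12:23:23 openbsd-gateway dhcpleased[77979]: adding nameservers x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
May 10 12:28:23 openbsd-gateway dhcpleased[77979]: deleting x.x.x.30 from cnmac2 (lease from x.x.x.1)
May 10 12:28:25 openbsd-gateway dhcpleased[77979]: adding  x.x.x.30 to cnmac2 (lease from x.x.x.1)
May 10 12:33:26 openbsd-gateway dhcpleased[77979]: deleting x.x.x.30 from cnmac2 (lease from x.x.x.1)
May 10 12:33:28 openbsd-gateway dhcpleased[77979]: adding x.x.x.30 to cnmac2 (lease from x.x.x.1)
May 10 12:38:28 openbsd-gateway dhcpleased[77979]: deleting  x.x.x.30 from cnmac2 (lease from x.x.x.1)
May 10 12:38:30 openbsd-gateway dhcpleased[77979]: adding  x.x.x.30 to cnmac2 (lease from x.x.x.1)
"""

# syslog timestamps carry no year; assumed from the thread's date.
LOG_YEAR = 2023

# Matches only the address add/remove lines, not the nameserver ones.
ADDR_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+dhcpleased\[\d+\]:\s+"
    r"(?P<action>deleting|adding)\s+(?P<addr>\S+)\s+(?:from|to)\s+(?P<ifname>\S+)\s+"
    r"\(lease from (?P<server>\S+)\)\s*$"
)

def parse_events(log_text):
    """Return [(timestamp, action, addr, ifname)] for each address event."""
    events = []
    for line in log_text.splitlines():
        m = ADDR_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        events.append((ts, m["action"], m["addr"], m["ifname"]))
    return events

def address_outages(events):
    """Pair each 'deleting' with the next 'adding' of the same address on the
    same interface. Returns (outages, still_missing): outages is a list of
    (ifname, addr, removed_at, seconds_absent); still_missing maps addresses
    that were removed but never re-added within the log to their removal time."""
    pending, outages = {}, []
    for ts, action, addr, ifname in events:
        key = (ifname, addr)
        if action == "deleting":
            pending[key] = ts
        elif key in pending:
            removed_at = pending.pop(key)
            outages.append((ifname, addr, removed_at, (ts - removed_at).total_seconds()))
    return outages, pending

def renewal_intervals(outages):
    """Seconds between consecutive removals, i.e. the observed renewal cadence."""
    starts = sorted(o[2] for o in outages)
    return [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]

if __name__ == "__main__":
    outages, missing = address_outages(parse_events(SAMPLE_LOG))
    for ifname, addr, removed_at, gap in outages:
        print(f"{removed_at:%H:%M:%S} {addr} absent from {ifname} for {gap:.0f}s")
    print("renewal intervals (s):", renewal_intervals(outages))
    print("still missing:", missing)
```

On the thread's log this reports four two-second windows roughly 302 seconds apart, matching the "every 5 minutes" and "a few seconds" described above; feed it `/var/log/daemon` lines instead of the sample to check your own box.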



Re: Asymmetric file encryption… use gnupg from ports or is there something else?

2023-05-09 Thread Zack Newman

On 2023-05-09, Stuart Henderson  wrote:

> Ed25519 is used for signing not encrypting. But Ed25519 keys can be
> converted and used for encryption; "age" has convenience support
> for doing this with Ed25519 ssh keys, and might generally be something
> that works for your use case. It's not in base though.
>
> https://words.filippo.io/using-ed25519-keys-for-encryption/
>
> Another possibility is libsodium's crypto_box API but it will need more
> self-assembly as afaik there's no standard CLI tool using this.


That doesn't meet their requirements. They want to avoid storing any
private key material on the "remote server", and Diffie-Hellman (which is what 
X25519 is based on) requires access to the private key.

Personally, I don't think this makes all that much sense. E-mail is not
very secure. If you can't guarantee communication is E2EE, then this seems
like false security/privacy to me. Not only does the other recipient
likely use a service like Gmail which means your communication is in
Google's hands; but unless you strictly enforce encryption in transit
(most MTAs only use _opportunistic_ encryption), every device your e-mail
traversed possibly has access to the content as well. This is why
applications like Signal are gaining popularity especially in the
crypto/infosec crowd.

Last, if you are worried about the "remote server"; then why not just
host the MTA at your house along with your "home mail server"? Simply
configure the "remote server" to be a router that routes traffic through
a WireGuard tunnel to your house. Then your e-mails will be "at rest" at
your house. As an added benefit, you can route local traffic destined to
your MTA to be routed directly to your server and avoid the traffic from
ever leaving your house.

Zack



Re: Problem to set a printer with cups and foo2zjs documentation not up to date for foo2zjs

2023-05-09 Thread Jon Fineman
I have a HP Office Jet 6970 (ink jet) and all I did was install cups
and hplip (which is in ports).

To get lpr to work without cups is a little more adventurous. The
three scripts below should get you started. They depend on unix2dos (I
forget which tools bundle this is from) and gs (which is in
ghostscript). Printing just PS is pretty straightforward. However, you
should be aware that firefox and friends are hard coded to use a cups
defined printer. At least I haven't figured out how to fool their
print dialog box. Follow the man pages for setting up lpd.


You need to create an /etc/printcap entry similar to:
lp|hp_prt:\
:lp=9100@hp_prt:\
:sh:\
:mx#0:\
:sd=/var/spool/lpd/hp_prt:\
:if=/usr/local/libexec/f_smart:\
:lf=/var/log/lpd-errs:

And f_smart is:
#!/bin/sh
#
#  f_smart - Print PDF or PostScript or plain text on a PCL printer
#  (lpd input filter; see the :if= entry in /etc/printcap above)
#
# Read the first line of the job and keep its first two characters.
IFS="" read -r first_line
first_two_chars=`expr "$first_line" : '\(..\)'`

# A literal ESC byte. "\033" is not an escape inside a case pattern (it
# would match the text "033"), so build the character with printf instead.
esc=`printf '\033'`

case "$first_two_chars" in
"%!"|"$esc%"|"%P")
	# %! or ESC% or %P : PostScript or ? or PDF job, convert it to PCL.
	( echo "$first_line" ; cat ) | /usr/local/libexec/f_ps2pcl && exit 0
	exit 2
	;;
*)
	# otherwise just print it as text (LF -> CR+LF) followed by a form
	# feed to eject the page
	( echo "$first_line" ; cat ) | \
		/usr/local/bin/unix2dos && printf "\f" && exit 0
	exit 2
	;;
esac

And f_ps2pcl:
#!/bin/sh
# Render PostScript (or PDF) from stdin to PCL for an HP LaserJet 4-class
# printer on stdout. -dSAFER restricts what the job may do with the
# filesystem; -dBATCH -dNOPAUSE make gs exit once the input is consumed.
exec /usr/local/bin/gs -dSAFER -dBATCH -dNOPAUSE -q -sDEVICE=ljet4 -sOutputFile=- -




BESSOT Jean-Michel  writes:

> Hello
>
> I have a hp P1005 (I know, hp) and I try to install it on OpenBSD. So I
> installed cups and foo2zjs, but foo2zjs downloads an img file and I don't
> know what to do with it. There is no mention of the img file in the INSTALL
> file.
>
> What do I need to do to make the printer work with the OpenBSD lpr or cups?
>
> Bye



Re: alias issue with snapshot #1175

2023-05-09 Thread Sonic
On Tue, May 9, 2023 at 2:24 AM Stuart Henderson  wrote:
> The only strange thing in there that I'm seeing is
>
> inet 10.68.73.1 255.255.255.248
> ...
> !route add -inet /24 10.68.73.1
> !route add -inet /24 10.68.73.1
>
> i.e. adding a route pointing at the local machine for those various
> networks, but that's not relating to the address where you mentioned
> having the problem.

I guess it might be better to point the route to the peer. Works either way.

> Perhaps diffing ifconfig -A (or maybe netstat -rn) between the working
> and non-working state will give a clue.

I just eyeballed it and they look the same but I'll run a diff to make sure.

Was able to test another system with a /29 and had no issues leaving
out an alias and having all the other addresses work fine, but in this
case there was no 3rd party device connected to the cable modem
utilizing that unused address. Hopefully by this weekend I can do some
testing by unplugging the 3rd party device and see what transpires.
Thanks!
Chris



Re: alias issue with snapshot #1175

2023-05-09 Thread Sonic
On Tue, May 9, 2023 at 12:35 AM Navan Carson  wrote:
> Do you have names that depend on DNS in pf.conf?

No.



Problem to set a printer with cups and foo2zjs documentation not up to date for foo2zjs

2023-05-09 Thread BESSOT Jean-Michel

Hello

I have a hp P1005 (I know, hp) and I try to install it on OpenBSD. So I
installed cups and foo2zjs, but foo2zjs downloads an img file and I don't
know what to do with it. There is no mention of the img file in the INSTALL
file.

What do I need to do to make the printer work with the OpenBSD lpr or cups?

Bye



Re: 'bgpctl show rib in neighbor $peer' no longer shows unfiltered received routes

2023-05-09 Thread Claudio Jeker
On Tue, May 09, 2023 at 09:49:18AM +0200, Rogier Krieger wrote:
> Thanks for the rapid response and proposal.
> I'd wanted to test yesterday but had to postpone.
> 
> On Mon, May 8, 2023 at 12:18 PM Claudio Jeker  
> wrote:
> > Here is a possible solution where a perfect match aborts the detection
> > loop. Now this only works if the labels are in the right order ("in"
> > before "invalid").
> 
> This is similar to what I had in mind, but shorter than what I'd thought of.
> I'll test on -current first and report back. Afterwards, I'll adapt it for
> -release (i.e. the equivalent of r1.124 for parser.c [1]).
> 
> 
> > I wonder if changing "invalid" to "notvalid" or "noteligible" would be a
> > better fix for now...
> 
> Personally, I like the flexibility of keyword freedom, given the small
> one-time price to pay of sorting.
> Sorting may make maintenance a little easier too; at least I've seen
> several recent commits elsewhere to that end.

Right now I favour renaming the keyword since it is simpler. The idea is
to use "disqualified" as keyword. This has some additional benefits since
invalid is rather overloaded (ovs, avs use invalid and then there is error
which is a different kind of invalid).
The routes 'bgpctl show rib invalid' displays are Loc-RIB entries which
can not be selected in the decision process because of various reasons.

-- 
:wq Claudio



Re: 'bgpctl show rib in neighbor $peer' no longer shows unfiltered received routes

2023-05-09 Thread Rogier Krieger
Thanks for the rapid response and proposal.
I'd wanted to test yesterday but had to postpone.

On Mon, May 8, 2023 at 12:18 PM Claudio Jeker  wrote:
> Here is a possible solution where a perfect match aborts the detection
> loop. Now this only works if the labels are in the right order ("in"
> before "invalid").

This is similar to what I had in mind, but shorter than what I'd thought of.
I'll test on -current first and report back. Afterwards, I'll adapt it for
-release (i.e. the equivalent of r1.124 for parser.c [1]).


> I wonder if changing "invalid" to "notvalid" or "noteligible" would be a
> better fix for now...

Personally, I like the flexibility of keyword freedom, given the small
one-time price to pay of sorting.
Sorting may make maintenance a little easier too; at least I've seen
several recent commits elsewhere to that end.

Best regards,

Rogier



Re: Asymmetric file encryption… use gnupg from ports or is there something else?

2023-05-09 Thread Stuart Henderson
On 2023-05-08, Stuart Longland  wrote:
> Silly question… is there a tool for encrypting files with asymmetric
> keys on OpenBSD?  I'm aware of GnuPG in ports, and I'm fine with using
> that, however I'm curious to know what other options there are out
> there, especially options that are part of the base system.
>
> I know OpenSSL (and likely LibreSSL) can do RSA for this purpose,
> although its CLI is more of a debugging tool than an actual encryption
> tool.

to be fair, gpg's CLI seems more like a debugging tool too ;)

> I'd also like to use ECC keys (ideally ED25519) for future
> proofing, since RSA is getting quite long in the tooth now.

Ed25519 is used for signing not encrypting. But Ed25519 keys can be
converted and used for encryption; "age" has convenience support
for doing this with Ed25519 ssh keys, and might generally be something
that works for your use case. It's not in base though.

https://words.filippo.io/using-ed25519-keys-for-encryption/

Another possibility is libsodium's crypto_box API but it will need more
self-assembly as afaik there's no standard CLI tool using this.




Re: alias issue with snapshot #1175

2023-05-09 Thread Stuart Henderson
On 2023/05/08 10:48, Sonic wrote:
> On Mon, May 8, 2023 at 9:24 AM Stuart Henderson
>  wrote:
> > There's not enough information really. /etc/hostname.* and maybe results
> > of ifconfig -A and netstat -rn might give more clues.
> 
> Here's that info - hopefully not munged beyond use.
> Note that this is after the interface has been restarted (so the .45
> is working) but everything appeared normal before (ifconfig, etc.)
> although I won't be able to verify until late tonight when I can
> reboot the system.

The only strange thing in there that I'm seeing is

inet 10.68.73.1 255.255.255.248
...
!route add -inet /24 10.68.73.1
!route add -inet /24 10.68.73.1

i.e. adding a route pointing at the local machine for those various
networks, but that's not relating to the address where you mentioned
having the problem.

Perhaps diffing ifconfig -A (or maybe netstat -rn) between the working
and non-working state will give a clue.