Re: 7.5 /var/log/messages - vfprintf %s NULL in "%.*s"

2024-04-09 Thread Alexis

"Why 42? The lists account."  writes:

Tumbler is something to do with D-Bus and is also a required 
package by/for XFCE.


Yeah, Tumbler / tumblerd is a service, accessible via D-Bus, that 
generates thumbnails for files, e.g. in ~/.cache/thumbnails or 
equivalent.


(But I'm not an XFCE user myself.)


Alexis.



RAID5 softraid inside VMM unable to read disklabel

2024-04-09 Thread jrmu
I am practicing setting up RAID5 inside a virtual machine running
OpenBSD 7.5 in VMM on OpenBSD 7.4.

I created 3 disks sd0, sd1, sd2, and sd3, and 4 disk devices (the fourth to 
represent the RAID array itself):

Welcome to the OpenBSD/amd64 7.5 installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell? s
# cd /dev/
# sh MAKEDEV sd0 sd1 sd2 sd3
# fdisk -iy sd0
Writing MBR at offset 0.
# fdisk -iy sd1 
Writing MBR at offset 0.
# fdisk -iy sd2 
Writing MBR at offset 0.
# disklabel -E sd0
Label editor (enter '?' for help at any prompt)
sd0> a a
offset: [64] 
size: [41942976] *
FS type: [4.2BSD] RAID
sd0*> w
sd0> q
No label changes.
# disklabel sd0 > layout
# disklabel -R sd1 layout
# disklabel -R sd2 layout 
# rm layout 
# bioctl -c 5 -l sd0a,sd1a,sd2a softraid0
sd3 at scsibus4 targ 1 lun 0: 
sd3: 40959MB, 512 bytes/sector, 83884800 sectors
softraid0: RAID 5 volume attached as sd3
# dd if=/dev/zero of=/dev/rsd3c bs=1m count=1 
1+0 records in
1+0 records out
1048576 bytes transferred in 0.028 secs (37044791 bytes/sec)

And I verified the RAID5 array is online:

# bioctl sd3
Volume  Status   Size Device  
softraid0 0 Online 42949017600 sd3 RAID5 
  0 Online 21474533376 0:0.0   noencl 
  1 Online 21474533376 0:1.0   noencl 
  2 Online 21474533376 0:2.0   noencl 

The rest of the OpenBSD installation proceeds as usual using sd3 as the 
installation disk, but upon reboot, I run into this error:

>> OpenBSD/amd64 BOOT 3.65
open(sr0a:/etc/boot.conf): can't read disk label
boot> 
cannot open sr0a:/etc/random.seed: can't read disk label
booting sr0a:/bsd: open sr0a:/bsd: can't read disk label
 failed(100). will try /bsd

RAID1 worked fine, it's just RAID5 throwing this error at me.

-- 
jrmu
IRCNow (https://ircnow.org)



Re: RAID5 softraid inside VMM unable to read disklabel

2024-04-09 Thread jrmu
Please ignore, sibiria on IRC clarified to me that boot support is
limited to only RAID1, crypto, and RAID1c disciplines.

-- 
jrmu
IRCNow (https://ircnow.org)

On Tue, Apr 09, 2024 at 03:50:19PM -0700, jrmu wrote:
> I am practicing setting up RAID5 inside a virtual machine running
> OpenBSD 7.5 in VMM on OpenBSD 7.4.
> 
> I created 3 disks sd0, sd1, sd2, and sd3, and 4 disk devices (the fourth to 
> represent the RAID array itself):
> 
> Welcome to the OpenBSD/amd64 7.5 installation program.
> (I)nstall, (U)pgrade, (A)utoinstall or (S)hell? s
> # cd /dev/
> # sh MAKEDEV sd0 sd1 sd2 sd3
> # fdisk -iy sd0
> Writing MBR at offset 0.
> # fdisk -iy sd1 
> Writing MBR at offset 0.
> # fdisk -iy sd2 
> Writing MBR at offset 0.
> # disklabel -E sd0
> Label editor (enter '?' for help at any prompt)
> sd0> a a
> offset: [64] 
> size: [41942976] *
> FS type: [4.2BSD] RAID
> sd0*> w
> sd0> q
> No label changes.
> # disklabel sd0 > layout
> # disklabel -R sd1 layout
> # disklabel -R sd2 layout 
> # rm layout 
> # bioctl -c 5 -l sd0a,sd1a,sd2a softraid0
> sd3 at scsibus4 targ 1 lun 0: 
> sd3: 40959MB, 512 bytes/sector, 83884800 sectors
> softraid0: RAID 5 volume attached as sd3
> # dd if=/dev/zero of=/dev/rsd3c bs=1m count=1 
> 1+0 records in
> 1+0 records out
> 1048576 bytes transferred in 0.028 secs (37044791 bytes/sec)
> 
> And I verified the RAID5 array is online:
> 
> # bioctl sd3
> Volume  Status   Size Device  
> softraid0 0 Online 42949017600 sd3 RAID5 
>   0 Online 21474533376 0:0.0   noencl 
>   1 Online 21474533376 0:1.0   noencl 
>   2 Online 21474533376 0:2.0   noencl 
> 
> The rest of the OpenBSD installation proceeds as usual using sd3 as the 
> installation disk, but upon reboot, I run into this error:
> 
> >> OpenBSD/amd64 BOOT 3.65
> open(sr0a:/etc/boot.conf): can't read disk label
> boot> 
> cannot open sr0a:/etc/random.seed: can't read disk label
> booting sr0a:/bsd: open sr0a:/bsd: can't read disk label
>  failed(100). will try /bsd
> 
> RAID1 worked fine, it's just RAID5 throwing this error at me.
> 
> -- 
> jrmu
> IRCNow (https://ircnow.org)



Re: Wireless network with bfwm sometimes works and sometimes doesn't

2024-04-09 Thread Stanislav Syekirin

 Stefan Sperling  wrote:

Do you have any of iwn/iwm/iwx or another device which could capture
raw 802.11 frames of failed association attempts in monitor mode?


I have a neglected device with Intel Wireless 3160, which is listed on 
the iwm man page. Assuming OpenBSD will run on that device, what do I 
have to do?


Regards
Stanislav Syekirin



ncurses in 7.5

2024-04-09 Thread fro
Hello,
 
https://www.openbsd.org/plus75.html says:

Updated ncurses and associated libraries (form, panel, menu) to 6.4-20230826.
 
but https://www.openbsd.org/75.html says: 

Ncurses 5.7 
 
Is this an oversight or am I overlooking something?
 
 



newfs fast, but newfs_msdos and newfs_ext2fs very slow

2024-04-09 Thread Stanislav Syekirin

Hi,

I'm trying to figure out the best way to format a USB stick as FAT32. 
This is what I've tried:


$ time doas newfs_msdos /dev/rsd1c
/dev/rsd1c: 60007944 sectors in 7500993 FAT32 clusters (4096 bytes/cluster)
bps=512 spc=8 res=32 nft=2 mid=0xf0 spt=63 hds=255 hid=0 bsec=60125184 bspf=58602 rdcl=2 infs=1 bkbs=2

20m08.34s real  0m00.35s user   0m12.81s system

As you can see, it takes many minutes, and the elapsed time is much 
larger than the CPU time. Looking at top while the command runs shows 
that newfs_msdos has PRI -5, its CPU usage fluctuates around 0.5%, 
STATE is mostly "sleep" with WAIT being "physio".


The same happens if I call newfs_ext2fs -I.

For comparison, `newfs /dev/rsd1c` is almost instantaneous: 0m00.88s 
real 0m00.06s user 0m00.16s system. It doesn't work if the disk is 
already formatted as FAT32, though: I have to call `fdisk -e sd1`, and 
reinit, otherwise I get a "can't rewrite disk label" error; I'm not 
sure why newfs cares and newfs_msdos doesn't, maybe I'm doing it wrong 
somehow.


How can I speed the creation of a FAT32 or Ext2 file system up?

Best regards
Stanislav Syekirin



Re: Minimum viable HW for OpenBSD

2024-04-09 Thread Gabor Nagy
Nice :)

but rather thanks to j...@carnat.net

Peter J. Philipp wrote (on Mon, Apr 8, 2024, 19:05):

> Hi,
>
> I lost the thread in my mutt, so I'm hoping marc.info will adjust it in
> there,
> the thread is here:
> https://marc.info/?l=openbsd-misc=171059471410619=2
>
> Thank you Gabor Nagy!  Here is my RPI zero 2W(H) with working wifi in
> hostap
> mode, and hopefully working GPIO's I'm going to be studying those closer in
> the future when I have some time.
>
> https://mainrechner.de/P4080036.JPG  <-- on my tarot table
>
> Best Regards,
> -pjp
>
> --
> my associated domains:  callpeter.tel|centroid.eu|dtschland.eu|
> mainrechner.de
>
>


Re: Wireless network with bfwm sometimes works and sometimes doesn't

2024-04-09 Thread Stefan Sperling
On Tue, Apr 09, 2024 at 08:31:50PM +0200, Stanislav Syekirin wrote:
> Yes, it does. I'm not sure whether it's always the case, but this time it
> works. Dmesg output:
> 
> bwfm0: SCAN -> AUTH
> bwfm0: AUTH -> ASSOC
> bwfm0: ASSOC -> RUN
> bwfm0: associated with f0:af:85:9a:e4:22 ssid "Vodafone-7D3A" channel 6
> start 6Mb long preamble long slot time
> bwfm0: missed beacon threshold set to 30 beacons, beacon interval is 100 TU
> bwfm0: received msg 1/4 of the 4-way handshake from f0:af:85:9a:e4:22
> bwfm0: sending msg 2/4 of the 4-way handshake to f0:af:85:9a:e4:22
> bwfm0: received msg 3/4 of the 4-way handshake from f0:af:85:9a:e4:22
> bwfm0: sending msg 4/4 of the 4-way handshake to f0:af:85:9a:e4:22

That looks fine.

No idea why 5 GHz doesn't work. It's difficult to diagnose issues
on this device without additional hardware because the firmware
doesn't expose details about management frames to the driver.
Do you have any of iwn/iwm/iwx or another device which could capture
raw 802.11 frames of failed association attempts in monitor mode?



Re: Wireless network with bfwm sometimes works and sometimes doesn't

2024-04-09 Thread Stanislav Syekirin
Yes, it does. I'm not sure whether it's always the case, but this time 
it works. Dmesg output:


bwfm0: SCAN -> AUTH
bwfm0: AUTH -> ASSOC
bwfm0: ASSOC -> RUN
bwfm0: associated with f0:af:85:9a:e4:22 ssid "Vodafone-7D3A" channel 6 start 6Mb long preamble long slot time
bwfm0: missed beacon threshold set to 30 beacons, beacon interval is 100 TU
bwfm0: received msg 1/4 of the 4-way handshake from f0:af:85:9a:e4:22
bwfm0: sending msg 2/4 of the 4-way handshake to f0:af:85:9a:e4:22
bwfm0: received msg 3/4 of the 4-way handshake from f0:af:85:9a:e4:22
bwfm0: sending msg 4/4 of the 4-way handshake to f0:af:85:9a:e4:22

Regards
Stanislav Syekirin

On Tue, 9 Apr 2024 19:47:36 +0200
Stefan Sperling wrote:

On Tue, Apr 09, 2024 at 07:15:55PM +0200, Stanislav Syekirin wrote:
Thank you so much for the hint, now I understand what the debug option does.
I have actually tried it, but, because `man ifconfig` says "this turns on
extra console error logging", I incorrectly assumed that it would output to
stdout or stderr, not to the system message buffer. Then, calling ifconfig
from xterm, I couldn't see any debug output and wondered why the option does
nothing.

Anyway, here is the result of `dmesg | grep bwfm0`. Vodafone-7D3A_5G is the
one I try to connect to, Vodafone-7D3A is same router but different
frequency

The AP on channel 112 is not responding to the initial AUTH frame.
Given that other devices work fine the AP probably does not receive
the frame, but it is unclear why.

Does bwfm manage to connect to the 7D3A AP on channel 6?




Re: Wireless network with bfwm sometimes works and sometimes doesn't

2024-04-09 Thread Stefan Sperling
On Tue, Apr 09, 2024 at 07:15:55PM +0200, Stanislav Syekirin wrote:
> Thank you so much for the hint, now I understand what the debug option does.
> I have actually tried it, but, because `man ifconfig` says "this turns on
> extra console error logging", I incorrectly assumed that it would output to
> stdout or stderr, not to the system message buffer. Then, calling ifconfig
> from xterm, I couldn't see any debug output and wondered why the option does
> nothing.
> 
> Anyway, here is the result of `dmesg | grep bwfm0`. Vodafone-7D3A_5G is the
> one I try to connect to, Vodafone-7D3A is same router but different
> frequency

The AP on channel 112 is not responding to the initial AUTH frame.
Given that other devices work fine the AP probably does not receive
the frame, but it is unclear why.

Does bwfm manage to connect to the 7D3A AP on channel 6?



Re: Wireless network with bfwm sometimes works and sometimes doesn't

2024-04-09 Thread Stanislav Syekirin
Thank you so much for the hint, now I understand what the debug option 
does. I have actually tried it, but, because `man ifconfig` says "this 
turns on extra console error logging", I incorrectly assumed that it 
would output to stdout or stderr, not to the system message buffer. 
Then, calling ifconfig from xterm, I couldn't see any debug output and 
wondered why the option does nothing.


Anyway, here is the result of `dmesg | grep bwfm0`. Vodafone-7D3A_5G 
is the one I try to connect to, Vodafone-7D3A is same router but 
different frequency, as for the others, I assume that they belong to 
my neighbours:


bwfm0 at sdmmc0 function 1
bwfm0: address e4:5f:01:4d:c2:2c
bwfm0: begin active scan
bwfm0: INIT -> SCAN
bwfm0: end active scan
bwfm0: best AP f0:af:85:9a:e4:23 "Vodafone-7D3A_5G" score 77
bwfm0: switching to network "Vodafone-7D3A_5G"
bwfm0: - 4c:09:d4:8b:a1:9d   11  +179 54M   ess  privacy   rsn  "WLAN-721313"!
bwfm0: - d4:e2:cb:14:d6:a0   11  +180 54M   ess  privacy   rsn  "Vodafone-D69C"!
bwfm0: - d8:07:b6:ab:34:f2    4  +182 54M   ess  privacy   rsn  "TP-LINK_34F2"!
bwfm0: - f0:af:85:9a:e4:22    6  +195 54M   ess  privacy   rsn  "Vodafone-7D3A"!
bwfm0: + f0:af:85:9a:e4:23  112  +191 54M   ess  privacy   rsn  "Vodafone-7D3A_5G"
bwfm0: - f2:af:85:9a:e4:12    6  +197 54M   ess   no!  rsn!  "Vodafone Hotspot"!
bwfm0: - f2:af:85:9a:e4:32    6  +195 54M   ess   no!  rsn!  "Vodafone Homespot"!
bwfm0: SCAN -> AUTH
bwfm0: begin active scan
bwfm0: AUTH -> SCAN
bwfm0: end active scan
bwfm0: + f0:af:85:9a:e4:23  112  +190 54M   ess  privacy   rsn  "Vodafone-7D3A_5G"
bwfm0: SCAN -> AUTH
bwfm0: begin active scan
bwfm0: AUTH -> SCAN
bwfm0: end active scan
bwfm0: + f0:af:85:9a:e4:23  112  +189 54M   ess  privacy   rsn  "Vodafone-7D3A_5G"
bwfm0: SCAN -> AUTH
bwfm0: begin active scan
bwfm0: AUTH -> SCAN
bwfm0: end active scan
bwfm0: + f0:af:85:9a:e4:23  112  +192 54M   ess  privacy   rsn  "Vodafone-7D3A_5G"
bwfm0: SCAN -> AUTH
bwfm0: begin active scan
bwfm0: AUTH -> SCAN
bwfm0: end active scan
bwfm0: + f0:af:85:9a:e4:23  112  +193 54M   ess  privacy   rsn  "Vodafone-7D3A_5G"
bwfm0: SCAN -> AUTH
bwfm0: AUTH -> ASSOC
bwfm0: begin active scan
bwfm0: ASSOC -> SCAN
bwfm0: end active scan
bwfm0: SCAN -> SCAN
bwfm0: end active scan
bwfm0: + f0:af:85:9a:e4:23  112  +192 54M   ess  privacy   rsn  "Vodafone-7D3A_5G"
bwfm0: SCAN -> AUTH
bwfm0: begin active scan
bwfm0: AUTH -> SCAN
bwfm0: end active scan
bwfm0: + f0:af:85:9a:e4:23  112  +191 54M   ess  privacy   rsn  "Vodafone-7D3A_5G"
bwfm0: SCAN -> AUTH
bwfm0: begin active scan
bwfm0: AUTH -> SCAN
bwfm0: end active scan
bwfm0: + f0:af:85:9a:e4:23  112  +190 54M   ess  privacy   rsn  "Vodafone-7D3A_5G"
bwfm0: SCAN -> AUTH
bwfm0: begin active scan
bwfm0: AUTH -> SCAN
bwfm0: end active scan
bwfm0: + f0:af:85:9a:e4:23  112  +191 54M   ess  privacy   rsn  "Vodafone-7D3A_5G"
bwfm0: SCAN -> AUTH
bwfm0: begin active scan
bwfm0: AUTH -> SCAN
bwfm0: end active scan
bwfm0: + f0:af:85:9a:e4:23  112  +191 54M   ess  privacy   rsn  "Vodafone-7D3A_5G"
bwfm0: SCAN -> AUTH
bwfm0: begin active scan
bwfm0: AUTH -> SCAN
bwfm0: end active scan
bwfm0: + f0:af:85:9a:e4:23  112  +190 54M   ess  privacy   rsn  "Vodafone-7D3A_5G"
bwfm0: SCAN -> AUTH
bwfm0: begin active scan
bwfm0: AUTH -> SCAN
bwfm0: end active scan
bwfm0: + f0:af:85:9a:e4:23  112  +191 54M   ess  privacy   rsn  "Vodafone-7D3A_5G"
bwfm0: SCAN -> AUTH
bwfm0: begin active scan
bwfm0: AUTH -> SCAN
bwfm0: end active scan
bwfm0: + f0:af:85:9a:e4:23  112  +190 54M   ess  privacy   rsn  "Vodafone-7D3A_5G"
bwfm0: SCAN -> AUTH
bwfm0: begin active scan
bwfm0: AUTH -> SCAN
bwfm0: end active scan
bwfm0: + f0:af:85:9a:e4:23  112  +191 54M   ess  privacy   rsn  "Vodafone-7D3A_5G"
bwfm0: SCAN -> AUTH
bwfm0: begin active scan
bwfm0: AUTH -> SCAN
bwfm0: end active scan
bwfm0: + f0:af:85:9a:e4:23  112  +191 54M   ess  privacy   rsn  "Vodafone-7D3A_5G"
bwfm0: SCAN -> AUTH
bwfm0: begin active scan
bwfm0: AUTH -> SCAN
bwfm0: end active scan
bwfm0: + f0:af:85:9a:e4:23  112  +191 54M   ess  privacy   rsn  "Vodafone-7D3A_5G"
bwfm0: SCAN -> AUTH
bwfm0: begin active scan
bwfm0: AUTH -> SCAN
bwfm0: end active scan
bwfm0: + f0:af:85:9a:e4:23  112  +191 54M   ess  privacy   rsn  "Vodafone-7D3A_5G"
bwfm0: SCAN -> AUTH
bwfm0: begin active scan
bwfm0: AUTH -> SCAN
bwfm0: end active scan
bwfm0: + f0:af:85:9a:e4:23  112  +191 54M   ess  privacy   rsn  "Vodafone-7D3A_5G"
bwfm0: SCAN -> AUTH
bwfm0: begin active scan
bwfm0: AUTH -> SCAN
bwfm0: end active scan
bwfm0: + f0:af:85:9a:e4:23  112  +191 54M   ess  privacy   rsn  "Vodafone-7D3A_5G"
bwfm0: SCAN -> AUTH
bwfm0: begin active scan
bwfm0: AUTH -> SCAN
bwfm0: end active scan
bwfm0: + f0:af:85:9a:e4:23  112  +191 54M   ess  privacy   rsn  "Vodafone-7D3A_5G"
bwfm0: SCAN -> AUTH
bwfm0: begin active scan
bwfm0: AUTH -> SCAN
bwfm0: end active scan
bwfm0: + f0:af:85:9a:e4:23  112  +191 54M   ess  privacy   rsn  "Vodafone-7D3A_5G"
bwfm0: SCAN -> AUTH
bwfm0: begin active scan
bwfm0: AUTH -> 

Re: Upgrade 7.5 /usr full

2024-04-09 Thread Dan


If you are by usb sticks you can find maybe useful one of old thread:

https://marc.info/?l=openbsd-misc=169896854913334=2

Please remember to update /etc/fstab according to the new layout of the final
system before rebooting.

-Dan

Apr 9, 2024 18:37:39 Stuart Henderson :

> Some options:
> 
> - backup, reinstall with adjusted partition sizes, and restore



Re: Ping blocked by firewall

2024-04-09 Thread list
Still don't know what's happening because we don't know what those line errors
mean.

When you changed the macros to tables, did you also update the rules to
match?

On April 9, 2024 9:32:06 AM UTC, Karel Lucas  wrote:
>I moved the lines with the martians between the 'block log all' line and the 
>ping lines. Furthermore, I changed the macro 'martians' to a table: table 
> persist file "etc/martians".
>
>Messages during booting:
>/etc/pf.conf:29: syntax error
>/etc/pf.conf:29: macro 'martians' not defined
>/etc/pf.conf:30: macro 'martians' not defined
>/etc/pf.conf:38: syntax error
>/etc/pf.conf:39: syntax error
>/etc/pf.conf:46: syntax error
>
>On 09-04-2024 at 11:13, Otto Moerbeek wrote:
>> On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:
>> 
>>> I defined the table as stated in your book (3rd edition, page 42). However,
>>> that gives an error message. In the lines with that table: macro 'martians'
>>> not defined. Moreover, I now also have a Syntax error in lines 38, 39 and
>>> 46, causing the pf lines not to be loaded.
>> How about showing what you did, showing the actual error messages so
>> people here can actually help you? Just saying "it does not work" does
>> not get you anywhere.
>> 
>>  -Otto
>>> On 09-04-2024 at 08:53, Peter N. M. Hansteen wrote:
>>>> On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas wrote:
>>>>> Hi all,
>>>>>
>>>>> For the first time I tested my new firewall with ping, and it is blocked. I
>>>>> don't know what the reason is, you can find the information below. I have a
>>>>> network with only regular clients, so no servers. I'm still using OpenBSD
>>>>> V7.4, and will upgrade once the firewall is up and running so I can test the
>>>>> upgrade process.
>>>> Upgrading to 7.5 will not affect this particular problem I think.
>>>>
>>>> Still low on caffeine I spot two likely factors - your $localnet range overlaps
>>>> with one of the ranges in $martians (which I anyway would recommend converting
>>>> into a table), and your block referencing $martians comes after the pass rules
>>>> that would have let icmp through. With no previous matching quick, last match
>>>> applies.
>>>>
>>>> - Peter


Re: Upgrade 7.5 /usr full

2024-04-09 Thread Stuart Henderson
On 2024-04-09, Ben Jahmine  wrote:
> Dear all.
>
> I just did my unattended upgrade to 7.5. I previously checked the
> available disk space in /usr, as suggested by the upgrade guide. My /usr
> size is 2 GB, as created by the installer. As this is above 1.1 GB I
> started the unattended upgrade using sysupgrade.
>
> The upgrade failed during the extraction of the sets, but managed to
> boot into 7.5. Now /usr is at 105% capacity due to df.
>
> I assume, this is not supposed to happen? Is this an issue specific to my
> setup? Or should /usr simply have more space?

Nothing in sysupgrade or the installer checks to make sure that enough
space is available and it can fail quite nastily if you run out of
space.

> Looking forward for some help.

That size estimate in the upgrade guide hasn't been updated since
OpenBSD 6.6 and is rather optimistic. After extracting a new install
(assuming that you have a drive large enough that auto defaults
created separate /usr and /usr/X11R6 partitions) you'll have ~1GB 
of files, so an upgrade from an older version with a drive with
1.1GB total is very likely to fail.

2GB for /usr is a bit tight anyway really - newer versions of the
installer auto defaults have taken the other extreme and made it a bit
larger than I'd usually want - though as of 7.5 it should be enough as
long as old files are cleared out.

Some options:

- backup, reinstall with adjusted partition sizes, and restore

- if there's an empty or unwanted partition immediately after /usr on
disk (check disklabel) you could backup, boot an install kernel, drop
to the shell, remove the extra partition, adjust size of /usr to take on
the extra space, and growfs (hopefully you won't need to restore, but it
is best to take precautions)

- you could remove old unneeded files from /usr; the sysclean package
can help identify these - in particular you're likely to find some old
libraries in /usr/lib that are no longer needed and they'll likely be
taking up a reasonable amount of space - sysclean will only list
libraries if no package depends on them. options include rm or
moving them to another filesystem.

if you've gone through a few updates, the list will probably be quite
long - you'll probably want to redirect to a file and view in an editor.



-- 
Please keep replies on the mailing list.



Re: Ping blocked by firewall

2024-04-09 Thread Karel Lucas
The errors were caused by the word 'log' in lines where it apparently 
did not belong. Those errors have now been resolved. In Peter Hansteen's 
book, the rules are clearly stated on page 91, and there is no 'match' 
in them.


On 09-04-2024 at 17:12, l...@trungnguyen.me wrote:
Still don't know what's happening because we don't know what those line
errors mean.

When you changed the macros to tables, did you also update the rules
to match?



On April 9, 2024 9:32:06 AM UTC, Karel Lucas  wrote:

I moved the lines with the martians between the 'block log all'
line and the ping lines. Furthermore, I changed the macro
'martians' to a table: table  persist file
"etc/martians".

Messages during booting:
/etc/pf.conf:29: syntax error
/etc/pf.conf:29: macro 'martians' not defined
/etc/pf.conf:30: macro 'martians' not defined
/etc/pf.conf:38: syntax error
/etc/pf.conf:39: syntax error
/etc/pf.conf:46: syntax error

On 09-04-2024 at 11:13, Otto Moerbeek wrote:

On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:

I defined the table as stated in your book (3rd edition,
page 42). However, that gives an error message. In the
lines with that table: macro 'martians' not defined.
Moreover, I now also have a Syntax error in lines 38, 39
and 46, causing the pf lines not to be loaded. 


How about showing what you did, showing the actual error
messages so people here can actually help you? Just saying "it
does not work" does not get you anywhere. -Otto

On 09-04-2024 at 08:53, Peter N. M. Hansteen wrote:

On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas
wrote:

Hi all, For the first time I tested my new
firewall with ping, and it is blocked. I don't
know what the reason is, you can find the
information below. I have a network with only
regular clients, so no servers. I'm still using
OpenBSD V7.4, and will upgrade once the firewall
is up and running so I can test the upgrade process. 


Upgrading to 7.5 will not affect this particular
problem I think. Still low on caffeine I spot two
likely factors - your $localnet range overlaps with
one of the ranges in $martians (which I anyway would
recommend converting into a table), and your block
referencing $martians comes after the pass rules that
would have let icmp through. With no previous matching
quick, last match applies. - Peter 



Re: Ping blocked by firewall

2024-04-09 Thread Karel Lucas

In /etc/pf.conf:
table  persist file "/etc/martians"

In /etc/martians:
127.0.0.0/8
192.168.0.0/16
172.16.0.0/12
10.0.0.0/8
169.254.0.0/16
192.0.2.0/24
0.0.0.0/8
240.0.0.0/4

On 09-04-2024 at 16:06, Peter N. M. Hansteen wrote:

On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:

I defined the table as stated in your book (3rd edition, page 42). However,
that gives an error message. In the lines with that table: macro 'martians'
not defined. Moreover, I now also have a Syntax error in lines 38, 39 and
46, causing the pf lines not to be loaded.

The martians example only appears on page 91, and if you had read that book
or other PF references, you would have known full well that the syntax for
defining and referencing macros differs from how you define and reference 
tables.

Please actually read the advice offered by contributors to this thread.





Re: 7.5 /var/log/messages - vfprintf %s NULL in "%.*s"

2024-04-09 Thread Stuart Henderson
On 2024-04-09, Eivind Eide  wrote:
>>The log message no longer appears after running
>>
>>cp /usr/share/terminfo/x/xterm-256color ~/.terminfo/x/
>
> Indeed! After
>   mkdir -p ~/.terminfo/t/
>   cp /usr/share/terminfo/t/tmux-256color ~/.terminfo/t/
> (and the same for other termcaps used)
> those messages are gone from /var/log/messages.

That shouldn't be necessary.

Given 'if I do "env -i TERM=tmux-256color mutt" mutt opens WITHOUT
triggering the message', that implies that one of the other variables
set would be triggering it, can you either figure out which one or
show the list so someone else can try to replicate it please?


-- 
Please keep replies on the mailing list.



Re: Ping blocked by firewall

2024-04-09 Thread Karel Lucas
The example I'm referring to is how to define a table (page 42), and I 
applied that to the martians example (page 91).


On 09-04-2024 at 16:06, Peter N. M. Hansteen wrote:

On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:

I defined the table as stated in your book (3rd edition, page 42). However,
that gives an error message. In the lines with that table: macro 'martians'
not defined. Moreover, I now also have a Syntax error in lines 38, 39 and
46, causing the pf lines not to be loaded.

The martians example only appears on page 91, and if you had read that book
or other PF references, you would have known full well that the syntax for
defining and referencing macros differs from how you define and reference 
tables.

Please actually read the advice offered by contributors to this thread.





Re: Ping blocked by firewall

2024-04-09 Thread Jacqueline Jolicoeur
On Apr 09 08:39, Karel Lucas wrote:
> For the first time I tested my new firewall with ping, and it is blocked. I
> don't know what the reason is, you can find the information below. I have a
> network with only regular clients, so no servers. I'm still using OpenBSD
> V7.4, and will upgrade once the firewall is up and running so I can test the
> upgrade process.

I upgraded from OpenBSD 7.4 to OpenBSD 7.5 with zero issues using this
example https://www.openbsd.org/faq/pf/example1.html

Have you considered using that as a baseline?



Re: Ping blocked by firewall

2024-04-09 Thread Peter N. M. Hansteen
On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:
> I defined the table as stated in your book (3rd edition, page 42). However,
> that gives an error message. In the lines with that table: macro 'martians'
> not defined. Moreover, I now also have a Syntax error in lines 38, 39 and
> 46, causing the pf lines not to be loaded.

The martians example only appears on page 91, and if you had read that book
or other PF references, you would have known full well that the syntax for
defining and referencing macros differs from how you define and reference 
tables. 

Please actually read the advice offered by contributors to this thread.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: 7.5 /var/log/messages - vfprintf %s NULL in "%.*s"

2024-04-09 Thread Why 42? The lists account.


On Sat, Apr 06, 2024 at 02:42:25PM +0200, Eivind Eide wrote:
> After upgrading to 7.5 amd64 -stable  (and all ports updated) I get
> these messages in /var/log/messages. This is with bash from ports
> inside tmux over SSH:
> 
> tmux: vfprintf %s NULL in "%.*s"
> bash: vfprintf %s NULL in "%.*s"
> multitail: vfprintf %s NULL in "%.*s"
> vim: vfprintf %s NULL in "%.*s"

FYI, I grepped my messages and saw something similar:
mjoelnir:~ 9.04 14:10:46 % grep printf /var/log/messages
Apr  4 18:22:26 mjoelnir tumblerd: vfprintf %s NULL in "Unable to find part 
with type='%s' for '%s'"
Apr  4 18:22:26 mjoelnir tumblerd: vfprintf %s NULL in "Unable to find part 
with type='%s' for '%s'"
Apr  8 13:57:02 mjoelnir wrapper-2.0: vfprintf %s NULL in "day=%s, sun={%s, %s, 
%s, %s}, moon={%s, %s, %s, %s, %s} "
Apr  8 13:57:02 mjoelnir wrapper-2.0: vfprintf %s NULL in "day=%s, sun={%s, %s, 
%s, %s}, moon={%s, %s, %s, %s, %s} "
Apr  9 13:57:06 mjoelnir wrapper-2.0: vfprintf %s NULL in "day=%s, sun={%s, %s, 
%s, %s}, moon={%s, %s, %s, %s, %s} "
Apr  9 13:57:06 mjoelnir wrapper-2.0: vfprintf %s NULL in "day=%s, sun={%s, %s, 
%s, %s}, moon={%s, %s, %s, %s, %s} "

The "wrapper-2.0" program is, I think, part of XFCE, I see that name in
the desktop panel configuration. Tumbler is something to do with D-Bus and
is also a required package by/for XFCE.

Cheers,
Robb.


mjoelnir:~ 9.04 14:11:01 % uname -a
OpenBSD mjoelnir.fritz.box 7.5 GENERIC.MP#18 amd64

mjoelnir:~ 9.04 14:10:54 % echo $TERM
rxvt-unicode-256color

mjoelnir:~ 9.04 14:10:50 % locale
LANG=
LC_COLLATE=C
LC_CTYPE=en_US.UTF-8
LC_MONETARY="C"
LC_NUMERIC="C"
LC_TIME="C"
LC_MESSAGES="C"
LC_ALL=

mjoelnir:~ 9.04 14:11:04 % egrep -v '^(#|$)' .xsession
NO_AT_BRIDGE=1 ; export NO_AT_BRIDGE
LC_CTYPE="en_US.UTF-8"; export LC_CTYPE
LC_COLLATE=C; export LC_COLLATE
xrandr --dpi 109
xset +fp /usr/local/share/fonts/Hack
xset +fp /usr/local/share/fonts/terminus
xset +fp /usr/local/share/fonts/victor-mono
/usr/local/bin/startxfce4



Re: Upgrade 7.5 /usr full

2024-04-09 Thread prx
Check if you have /usr/ports or /usr/src.

On 9 April 2024 15:16:17 GMT+02:00, Ben Jahmine wrote:
>Dear all.
>
>I just did my unattended upgrade to 7.5. I previously checked the
>available disk space in /usr, as suggested by the upgrade guide. My /usr
>size is 2 GB, as created by the installer. As this is above 1.1 GB I
>started the unattended upgrade using sysupgrade.
>
>The upgrade failed during the extraction of the sets, but managed to
>boot into 7.5. Now /usr is at 105% capacity due to df.
>
>I assume, this is not supposed to happen? Is this an issue specific to my
>setup? Or should /usr simply have more space?
>
>Looking forward for some help.
>
>Cheers
>
>Ben
>



Upgrade 7.5 /usr full

2024-04-09 Thread Ben Jahmine

Dear all.

I just did my unattended upgrade to 7.5. I previously checked the
available disk space in /usr, as suggested by the upgrade guide. My /usr
size is 2 GB, as created by the installer. As this is above 1.1 GB I
started the unattended upgrade using sysupgrade.

The upgrade failed during the extraction of the sets, but managed to
boot into 7.5. Now /usr is at 105% capacity due to df.

I assume, this is not supposed to happen? Is this an issue specific to my
setup? Or should /usr simply have more space?

Looking forward for some help.

Cheers

Ben



Re: Ping blocked by firewall

2024-04-09 Thread Karel Lucas
I can assure you that I did not use capital letters in the macro names, 
and used the '<' and '>'.


On 09-04-2024 at 11:58, Peter N. M. Hansteen wrote:

On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:

I defined the table as stated in your book (3rd edition, page 42). However,
that gives an error message. In the lines with that table: macro 'martians'
not defined. Moreover, I now also have a Syntax error in lines 38, 39 and
46, causing the pf lines not to be loaded.

macro names are case sensitive, to wit

peter@kapet:~$ cat martians
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
   10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
   0.0.0.0/8, 240.0.0.0/4 }"

block from $martians
peter@skapet:~$ doas pfctl -vnf martians
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12,   10.0.0.0/8, 
169.254, 0.0/16, 192.0.2.0/24,   0.0.0.0/8, 240.0.0.0/4 }"
martians:5: macro 'martians' not defined
martians:5: syntax error

for conversion to tables, keep in mind that references need the
surrounding '<' and '>'.





Re: Ping blocked by firewall

2024-04-09 Thread Karel Lucas
I managed to get ping through. The error was the "log" words in the 
lines. But this is just the beginning. Now I have another problem with 
traceroute, as well as with all the normal internet traffic that has to 
go through it. In the traceroute rules I replaced "$ext_if" with 
"egress", but that makes very little difference. Creating a table for 
the martians doesn't work either. I have restored the old situation, so 
that it does not cause an error message.




Re: OpenBSD 7.5 bsd.upgrade hangs after sysupgrade

2024-04-09 Thread Страхиња Радић
On 24/04/08 06:56PM, Nick Holland wrote:
> My 100% guess is that you have a machine that's very dependent upon
> ACPI, and the install kernel's ACPI support is very minimal, or
> has a funny UEFI system.  Or a funny BIOS.  Some machines work better
> as UEFI, some work better running BIOS.  A firmware upgrade may
> change that (which could suck).
> 
> There are other ways, though...
> 
> First, I would verify that the 7.5 kernel boots -- copy it to /bsd75,
> for example, then "boot bsd75 -s" (the -s is so it doesn't try to go
> multi-user with a mixed new kernel/old userland/packages).  If that
> seems happy, just do a "remote upgrade", using the "Manual Upgrade
> (without the install kernel)" process in
> https://www.openbsd.org/faq/upgrade75.html.

Hi Nick, just to report that I managed to upgrade to 7.5, although the process 
was definitely not straightforward.

The laptop in question is dual-booted (using rEFInd) with Windows 10, which 
supports the built-in Qualcomm Atheros QCA6174 WiFi card, not supported by 
OpenBSD. In order for OpenBSD 7.4 to have network access, I had to use Realtek 
802.11n USB WiFi adapter. I recalled what happened when I rebooted into Windows 
while leaving the USB WiFi adapter in the USB slot: the similar thing as in 
bsd.upgrade or the installation kernel - keyboard and mouse were completely 
unresponsive, and I had to power off by holding the power button.

Someone more knowledgeable in the internals of OpenBSD and relevant hardware 
can probably offer a better explanation; I can only theorize that this doesn't 
happen in installed OpenBSD because the Atheros card is switched off in some 
way or at least rendered inactive, so it doesn't interfere with the USB WiFi 
adapter. OpenBSD kernel from the install media seems to behave more similar to 
Windows 10 in this regard - the device(s) report errors, and the system hangs.

So, my successful idea was to:

1. dd install75.img to a USB flash disk from the working 7.4.

2. doas ifconfig urtwn0 down, then physically unplug the USB WiFi adapter and 
   the USB flash with install75.img from OpenBSD 7.5.

3. **This is a necessary step (tested)!**

   Reboot into Windows 10, then insert the USB flash installation medium and 
   reboot again from Windows 10.

   Theory: it is likely that Windows 10 drivers somehow interact with/reset the 
   built-in Atheros card, enabling the boot loader from the installation medium 
   to boot, and not hang.

4. Boot from the installation medium. The familiar "(I)nstall, (U)pgrade..." 
   prompt appears. However, what's really weird is that the installer seems to 
   be stuck in some kind of infinite loop trying to write to / (which is the 
   installation filesystem, so it fails -- some kind of autoinstall script?), 
   writing that error message and **then writing the prompt again.** Typing 
   half-blindly "u"  etc, I managed to upgrade to OpenBSD 7.5 (the 
   infinite loop stopped once the installer started unpacking sets).

* * *

EPILOGUE: if there was ever a fund or a crowdfunding made specifically to 
create Qualcomm Atheros WiFi drivers for OpenBSD, I would gladly donate to it.



Re: Libressl verify failure with 3.9.0

2024-04-09 Thread Ted Wynnychenko



Thanks for the suggestion.
The workaround does work, and creates (essentially) the same certificate,
but one that does not fail verification with the new libressl.
I did notice the option of not having the leading "20" for dates before 2050,
but I did not know enough to try doing that.
 
Ted
 
 
> -Original Message-
> > From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On
> Behalf
> > Of Theo Buehler
> > Sent: Monday, April 08, 2024 6:45 AM
> > To: Ted Wynnychenko
> > Cc: 'OpenBSD misc'; b...@openbsd.org; js...@openbsd.org
> > Subject: Re: Libressl verify failure with 3.9.0
> >
> > On Sun, Apr 07, 2024 at 04:57:24PM -0500, Ted Wynnychenko wrote:
> > > Hello,
> > >
> > > I recently updated to -current (about a week ago).
> > >
> > > I see that Libressl is at 3.9.1 just now, but I hope that won't be
> an
> > issue
> > > (I did not see anything in the release notes that would impact my
> > question).
> > > ---
> > > $ openssl version
> > > LibreSSL 3.9.0
> > > ---
> > >
> > > Over the years, I have made certificates for personal
> > servers/resources on
> > > my home network.  This is just for me, so I do some things that
> would
> > be
> > > frowned on (although, technically, there is nothing "wrong" with
> > them).
> > >
> > > In this case, since I have Apple iOS devices that I want to connect
> > to
> > > https, I backdate any certificates I create to 1/2/2019.  Apple has
> > imposed
> > > a 300 or 800 day time limit on the validity for certificates
> created
> > after
> > > (about) 7/1/2019.  Since I don't want to constantly make new
> > certificates
> > > for my personal/home network, I have just been setting the
> > certificates'
> > > "not before" date to early 2019.
> > >
> > > Anyway, this had worked fine.
> > > In fact, earlier this year (Jan 2024), I created a new certificate,
> > and all
> > > is good.
> > >
> > > A few weeks ago, I added a new thing to the network - a raspberry
> pi
> > (I got
> > > as a gift about 2013 and installed a linux image from 2019 on it)
> > that is
> > > connected to the home alarm system.
> > >
> > > Since I was annoyed that my browser was constantly giving me self-
> > signed
> > > certificate warnings, I decided to make a certificate for the nginx
> > running
> > > on this appliance.
> > >
> > > I created a key, made a csr, and then signed it with:
> > > openssl ca -startdate 2019010200Z -in pi.csr -out pi.pem -config /etc/ssl/openssl.cnf
> >
> > As a workaround, try using '-startdate 19010200Z' instead. I
> think
> > this is fallout from this commit:
> >
> >
> > https://github.com/openbsd/src/commit/3feee4c53fbd67a4a480080d8ef5ae835d3fbf82
> >
> > ASN1_TIME_set_string_X509() is documented as
> >
> >  In LibreSSL, ASN1_TIME_set_string() and
> > ASN1_TIME_set_string_X509()
> >  behave identically and always set the time object to a valid
> value
> > to use
> >  in an X.509 certificate.
> >
> > It seems to me that this is just wrong (it is true that both behave
> > identically because RFC5280 is defined to 0), but they do not set the
> > time object to "a valid value to use in an X.509 certificate".
> >
> > Confusingly, ASN1_TIME_adj_internal() actually honours its RFC5280
> > parameter by behaving the expected way whereas its meaning in
> > ASN1_TIME_set_string_internal() is different.
> >
> > I am unsure if the bug is in my commit above or in our version of
> > ASN1_TIME_set_string_X509() (or both).
> >
> > >
> > > This all works fine, and a certificate is created
> > >
> > > When I check with:
> > > openssl x509 -text -noout -in pi.pem
> > >
> > > everything seems as expected, including the not before/after dates:
> > >
> > > Validity
> > > Not Before: Jan  2 00:00:00 2019 GMT
> > > Not After : Apr  7 15:39:59 2054 GMT
> > >
> > > (yes, it is valid for 35 years - as I said before, if someone
> breaks
> > into my
> > > house to secretly do things, I have way bigger problems)
> > >
> > > But, if I try to verify this on the openbsd system, I get:
> > >
> > > # openssl verify pi.pem
> > > C = US, ST = Illinois, L = ***, O = ***, OU = ***, CN = ***
> > > error 20 at 0 depth lookup:unable to get local issuer certificate
> > > pi.pem: verification failed: 20 (unable to get local issuer
> > certificate)
> > > ---
> > >
> > > But, if I install this on the raspberry pi, which has a much older
> > version
> > > of openssl on it:
> > > $ openssl version
> > > OpenSSL 1.1.1c  28 May 2019
> > >
> > > The certificate verifies without an issue:
> > > $ openssl verify pi.pem
> > > pi.pem: OK
> > >
> > > The last time I created a certificate was in January of this year
> > > (1/22/2024).
> > > I am thinking the openbsd system was using Libressl 3.8.2 at that
> > point.
> > >
> > > I created that certificate in the exact same way, backdating the
> > start date:
> > > openssl ca -startdate 2019010200Z -in 54.csr -out 54.pem -config /etc/ssl/openssl.cnf
> > >
> > > This previously created 
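
RFC 5280 requires certificate validity dates through 2049 to be encoded as UTCTime (two-digit year) and dates from 2050 on as GeneralizedTime, which is the distinction behind the `-startdate` workaround discussed in this message. The following Python check of a DER `Validity` structure is an added example, not code from the thread or from LibreSSL; the byte strings are constructed to match the validity dates shown in the quoted `openssl x509 -text` output, and all function names are hypothetical.

```python
from datetime import datetime, timezone

# ASN.1 universal tags used by the X.509 Validity structure.
SEQUENCE, UTCTIME, GENERALIZEDTIME = 0x30, 0x17, 0x18
TAG_NAMES = {UTCTIME: "UTCTime", GENERALIZEDTIME: "GeneralizedTime"}


def der_tlv(tag, value):
    """Encode a DER TLV with a short-form length (enough for this example)."""
    if len(value) > 127:
        raise ValueError("long-form lengths are not handled here")
    return bytes([tag, len(value)]) + value


def read_tlv(buf, offset):
    """Return (tag, value, next_offset) for the TLV starting at offset."""
    if offset + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[offset], buf[offset + 1]
    if length & 0x80:
        raise ValueError("long-form lengths are not handled here")
    end = offset + 2 + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[offset + 2:end], end


def parse_time(tag, value):
    """Decode a UTCTime or GeneralizedTime in the 'Z' form X.509 uses."""
    if tag not in TAG_NAMES:
        raise ValueError("not an ASN.1 Time: tag 0x%02x" % tag)
    text = value.decode("ascii")
    year_digits = 2 if tag == UTCTIME else 4
    if len(text) != year_digits + 11 or text[-1] != "Z" or not text[:-1].isdigit():
        raise ValueError("unexpected time format: %r" % text)
    year = int(text[:year_digits])
    if tag == UTCTIME:
        # RFC 5280: YY >= 50 means 19YY, otherwise 20YY.
        year += 1900 if year >= 50 else 2000
    month, day, hour, minute, second = (
        int(text[i:i + 2]) for i in range(year_digits, year_digits + 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def check_validity(der):
    """Check each Time in a DER Validity against the RFC 5280 encoding rule.

    Returns a list of (field, datetime, encoding_name, conforms) tuples.
    """
    tag, body, end = read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("expected exactly one Validity SEQUENCE")
    results, offset = [], 0
    for field in ("notBefore", "notAfter"):
        tag, value, offset = read_tlv(body, offset)
        when = parse_time(tag, value)
        # 1950 through 2049: UTCTime. Anything else: GeneralizedTime.
        required = UTCTIME if 1950 <= when.year <= 2049 else GENERALIZEDTIME
        results.append((field, when, TAG_NAMES[tag], tag == required))
    if offset != len(body):
        raise ValueError("trailing data after notAfter")
    return results


# Constructed samples using the validity dates shown in the message.
NOT_AFTER = der_tlv(GENERALIZEDTIME, b"20540407153959Z")
FOUR_DIGIT_START = der_tlv(
    SEQUENCE, der_tlv(GENERALIZEDTIME, b"20190102000000Z") + NOT_AFTER)
TWO_DIGIT_START = der_tlv(
    SEQUENCE, der_tlv(UTCTIME, b"190102000000Z") + NOT_AFTER)

if __name__ == "__main__":
    samples = (("four-digit year", FOUR_DIGIT_START),
               ("two-digit year", TWO_DIGIT_START))
    for label, der in samples:
        for field, when, encoding, ok in check_validity(der):
            verdict = "conforms" if ok else "does not conform"
            print(f"{label}: {field} {when:%Y-%m-%d %H:%M:%S} as {encoding}: {verdict}")
```

Both encodings decode to the same instant; only the ASN.1 type of `notBefore` differs between the two samples.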

Re: Ping blocked by firewall

2024-04-09 Thread Peter N. M. Hansteen
On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:
> I defined the table as stated in your book (3rd edition, page 42). However,
> that gives an error message. In the lines with that table: macro 'martians'
> not defined. Moreover, I now also have a Syntax error in lines 38, 39 and
> 46, causing the pf lines not to be loaded.

macro names are case sensitive, to wit

peter@kapet:~$ cat martians
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
  10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
  0.0.0.0/8, 240.0.0.0/4 }"

block from $martians
peter@skapet:~$ doas pfctl -vnf martians
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12,   
10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24,   0.0.0.0/8, 240.0.0.0/4 
}"
martians:5: macro 'martians' not defined
martians:5: syntax error

for conversion to tables, keep in mind that references need the
surrounding '<' and '>'.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Packages upgrade failure after upgrading to 7.5

2024-04-09 Thread Ioan Samarul
On Mon, Apr 8, 2024 at 2:38 PM Stuart Henderson wrote:
>
> On 2024-04-08, Ioan Samarul  wrote:
> > Hello to you all!
> >
> > I upgraded without problem to 7.5, everything went smooth as always,
> > except when I tried to upgrade the packages.
> >
> > These are the errors of `doas pkg_add -uV` (there is no version of
> > firefox installed, if that helps)
> >
> > No pkgname in packing-list for .libs1-firefox-esr-91.13.0
> > No pkgname in packing-list for .libs1-firefox-esr-102.13.0
> > No pkgname in packing-list for .libs-firefox-esr-91.13.0
> > Warning: couldn't read packing-list from installed package firefox-119.0
> > File /var/db/pkg/firefox-119.0/+CONTENTS does not exist
> > Error: firefox-119.0 missing from installation
>
> You have some corruption in /var/db/pkg. I would try pkg_check and allow
> it to fix things.

Thank you so much! Everything went smooth after the check. Never knew
about pkg_check.


Re: Ping blocked by firewall

2024-04-09 Thread Karel Lucas
I moved the lines with the martians between the 'block log all' line and 
the ping lines. Furthermore, I changed the macro 'martians' to a table: 
table  persist file "etc/martians".


Messages during booting:
/etc/pf.conf:29: syntax error
/etc/pf.conf:29: macro 'martians' not defined
/etc/pf.conf:30: macro 'martians' not defined
/etc/pf.conf:38: syntax error
/etc/pf.conf:39: syntax error
/etc/pf.conf:46: syntax error

On 09-04-2024 at 11:13, Otto Moerbeek wrote:

> On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:
>
> > I defined the table as stated in your book (3rd edition, page 42). However,
> > that gives an error message. In the lines with that table: macro 'martians'
> > not defined. Moreover, I now also have a Syntax error in lines 38, 39 and
> > 46, causing the pf lines not to be loaded.
>
> How about showing what you did, showing the actual error messages so
> people here can actually help you? Just saying "it does not work" does
> not get you anywhere.
>
> -Otto
>
> > On 09-04-2024 at 08:53, Peter N. M. Hansteen wrote:
> >
> > > On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas wrote:
> > >
> > > > Hi all,
> > > >
> > > > For the first time I tested my new firewall with ping, and it is blocked. I
> > > > don't know what the reason is, you can find the information below. I have a
> > > > network with only regular clients, so no servers. I'm still using OpenBSD
> > > > V7.4, and will upgrade once the firewall is up and running so I can test the
> > > > upgrade process.
> > >
> > > Upgrading to 7.5 will not affect this particular problem I think.
> > >
> > > Still low on caffeine I spot two likely factors - your $localnet range overlaps
> > > with one of the ranges in $martians (which I anyway would recommend converting
> > > into a table), and your block referencing $martians comes after the pass rules
> > > that would have let icmp through. With no previous matching quick, last match
> > > applies.
> > >
> > > - Peter





Re: Ping blocked by firewall

2024-04-09 Thread Otto Moerbeek
On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:

> I defined the table as stated in your book (3rd edition, page 42). However,
> that gives an error message. In the lines with that table: macro 'martians'
> not defined. Moreover, I now also have a Syntax error in lines 38, 39 and
> 46, causing the pf lines not to be loaded.

How about showing what you did, showing the actual error messages so
people here can actually help you? Just saying "it does not work" does
not get you anywhere.

-Otto
> 
> On 09-04-2024 at 08:53, Peter N. M. Hansteen wrote:
> > On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas wrote:
> > > Hi all,
> > > 
> > > For the first time I tested my new firewall with ping, and it is blocked. I
> > > don't know what the reason is, you can find the information below. I have a
> > > network with only regular clients, so no servers. I'm still using OpenBSD
> > > V7.4, and will upgrade once the firewall is up and running so I can test the
> > > upgrade process.
> > Upgrading to 7.5 will not affect this particular problem I think.
> > 
> > Still low on caffeine I spot two likely factors - your $localnet range overlaps
> > with one of the ranges in $martians (which I anyway would recommend converting
> > into a table), and your block referencing $martians comes after the pass rules
> > that would have let icmp through. With no previous matching quick, last match
> > applies.
> > 
> > - Peter
> > 
> 



Re: Ping blocked by firewall

2024-04-09 Thread Karel Lucas
I defined the table as stated in your book (3rd edition, page 42). 
However, that gives an error message. In the lines with that table: 
macro 'martians' not defined. Moreover, I now also have a Syntax error 
in lines 38, 39 and 46, causing the pf lines not to be loaded.


On 09-04-2024 at 08:53, Peter N. M. Hansteen wrote:

> On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas wrote:
>
> > Hi all,
> >
> > For the first time I tested my new firewall with ping, and it is blocked. I
> > don't know what the reason is, you can find the information below. I have a
> > network with only regular clients, so no servers. I'm still using OpenBSD
> > V7.4, and will upgrade once the firewall is up and running so I can test the
> > upgrade process.
>
> Upgrading to 7.5 will not affect this particular problem I think.
>
> Still low on caffeine I spot two likely factors - your $localnet range overlaps
> with one of the ranges in $martians (which I anyway would recommend converting
> into a table), and your block referencing $martians comes after the pass rules
> that would have let icmp through. With no previous matching quick, last match
> applies.
>
> - Peter





Re: 7.5: Fatal errors from eigrpd

2024-04-09 Thread Claudio Jeker
This is most probably fallout from the imsg / ibuf API changes done
in 7.5. I need to setup a test system to see if I can figure out what goes
wrong.

On Mon, Apr 08, 2024 at 08:15:52PM +0200, Mark Leonard wrote:
> (Gah!  Here's the post again in plaintext.  Apologies.)
> 
> Hello all,
> 
> I'm running eigrpd in a VMWare environment and after upgrading to 7.5 from
> 7.4 I'm noticing eigrpd is failing with a couple different errors.  In 7.4
> and prior I never had any problems.
> 
> I tried to include everything that I thought might be relevant but if
> there's any other information I can provide please let me know.
> 
> Has anyone else come across anything similar?
> 
> Thanks,
> Mark
> 
> 
> 
> examples:
> 
> test1# eigrpd -dv
> startup
> eigrp_if_start: lo1 as 1 family ipv4
> eigrp_if_start: em0 as 1 family ipv4
> if_join_ipv4_group: interface em0 addr 224.0.0.10
> rt_new: prefix aa.bb.cc.1/32
> route_new: prefix aa.bb.cc.1/32 via connected distance (28160/0)
> rt_new: prefix 198.18.101.0/24
> route_new: prefix 198.18.101.0/24 via connected distance (28160/0)
> fatal in eigrpe: send_packet: get hdr failed
> rt_del: prefix aa.bb.cc.1/32
> route_del: prefix aa.bb.cc.1/32 via connected
> rt_del: prefix 198.18.101.0/24
> route_del: prefix 198.18.101.0/24 via connected
> route decision engine exiting
> kernel routing table decoupled
> waiting for children to terminate
> terminating
> 
> and
> 
> RouterTest# eigrpd -dv
> startup
> eigrp_if_start: em1 as 1 family ipv4
> if_join_ipv4_group: interface em1 addr 224.0.0.10
> rt_new: prefix 198.18.101.0/24
> route_new: prefix 198.18.101.0/24 via connected distance (28160/0)
> rt_del: prefix 198.18.101.0/24
> route_del: prefix 198.18.101.0/24 via connected
> route decision engine exiting
> kernel routing table decoupled
> waiting for children to terminate
> eigrp engine terminated; signal 11
> terminating
> 
> 
> This is happening on two of two upgraded VMs.
> 
> SHA256 (/usr/sbin/eigrpd) =
> 3b85d7ac155afe4edd355f8b1d8c81f77c6254d96410af8b22f4018b756282a6
> (just in case)
> 
> I've tried with net.inet.tcp.tso=0 and net.inet.tcp.tso=1.  Same result.
> 
> test1# uname -a
> OpenBSD test1.local 7.5 GENERIC.MP#82 amd64
> 
> The configs I'm running are pretty basic:
> 
> RouterTest# eigrpd -n
> configuration OK
> RouterTest# eigrpd -nv
> 
> 
> router-id 198.18.101.1
> fib-update yes
> rdomain 0
> fib-priority-internal 28
> fib-priority-external 28
> fib-priority-summary 28
> 
> 
> address-family ipv4 {
> autonomous-system 1 {
> k-values 1 0 1 0 0 0
> active-timeout 3
> maximum-hops 100
> maximum-paths 4
> variance 8
> default-metric 10 10 255 1 1500
> 
> 
> interface em1 {
> hello-interval 5
> holdtime 15
> delay 10
> bandwidth 10
> split-horizon yes
> }
> }
> }
> 
> 
> address-family ipv6 {
> 
> }

-- 
:wq Claudio



Re: Ping blocked by firewall

2024-04-09 Thread Peter J. Philipp
On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas wrote:
> Hi all,
> 
> For the first time I tested my new firewall with ping, and it is blocked. I
> don't know what the reason is, you can find the information below. I have a
> network with only regular clients, so no servers. I'm still using OpenBSD
> V7.4, and will upgrade once the firewall is up and running so I can test the
> upgrade process.
> 
> /etc/pf.conf:
> ext_if = igc0 # Extern interface
> int_if = "{ igc1, igc2 }" # Intern interfaces
> localnet = "192.168.2.0/24"
> tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> udp_services = "{ domain, ntp }"
> email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> icmp_types = "{ echoreq, unreach }"
> icmp6_types = "{ echoreq, unreach }"
> nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
>                 446, cvspserver, 2628, 5999, 8000, 8080 }"
> Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>             10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
>             0.0.0.0/8, 240.0.0.0/4 }"
> set skip on lo
> # By default, do not permit remote connections to X11
> block return in on ! lo0 proto tcp to port 6000:6010
> block log all                # block stateless traffic
> # Letting ping through:
> pass log on inet proto icmp icmp-type $icmp_types
> pass log on inet6 proto icmp6 icmp6-type $icmp6_types
> # Allow out the default range for traceroute(*):
> # "base+nhops*nqueries-1" (3434+64*3-1)
> pass log out on ext_if inet proto udp to port 33433:33626 # for IPv4
> pass log out on ext_if inet6 proto udp to port 33433:33626 # for IPv6
> pass log quick on $ext_if inet proto {tcp, udp} from $localnet \
>         to port $udp_services
> pass log on $ext_if inet proto icmp all icmp-type $icmp_types
> pass log on $ext_if inet proto tcp from $localnet to port $client_out
> block log in quick on $ext_if from $martians to any
> block log out quick on $ext_if from any to $martians
> pass log out proto tcp to port $tcp_services # establish keep-stat
> pass log log proto udp to port $udp_services # Establish keep-state
> 
> /var/log/pflog:
> tcpdump: WARNING: snaplen raised from 116 to 160
> Apr 09 08:16:45.009497 :: > ff02::16: HBH multicast listener report v2, 2
> group record(S) [hlim 1]
> apr 09 08:16:45.009500 :: > ff02::16: HBH multicast listener report v2, 2
> group record(S) [hlim 1]

Hi Karel,

Hope you're well!  Here is what you should add to your IPv6 icmp_types:

pass log on $ext_if inet6 proto ipv6-icmp all icmp6-type neighbrsol
pass log on $ext_if inet6 proto ipv6-icmp all icmp6-type neighbradv

This allows the NDP protocol to converse (it's similar to the IPv4 ARP).

I didn't see you had the problem with only IPv6, but the way I tested it, the
IPv4 worked fine.  It was IPv6 that had the missing neighbour solicitation
and advertising.

Best Regards,
-pjp

-- 
my associated domains:  callpeter.tel|centroid.eu|dtschland.eu|mainrechner.de



Re: 7.5 /var/log/messages - vfprintf %s NULL in "%.*s"

2024-04-09 Thread Eivind Eide
>The log message no longer appears after running
>
>cp /usr/share/terminfo/x/xterm-256color ~/.terminfo/x/

Indeed! After
  mkdir -p ~/.terminfo/t/
  cp /usr/share/terminfo/t/tmux-256color ~/.terminfo/t/
(and the same for other termcaps used)
those messages are gone from /var/log/messages.


-- 



Eivind Eide

"ONLY THOSE WHO ATTEMPT THE IMPOSSIBLE WILL ACHIEVE THE ABSURD"
- Oceania Association of Autonomous Astronauts



Re: Wireless network with bfwm sometimes works and sometimes doesn't

2024-04-09 Thread Stefan Sperling
On Mon, Apr 08, 2024 at 11:30:07PM +0200, Stanislav Syekirin wrote:
> This is my /etc/hostname.bwfm0:

Please add a line saying 'debug' at the top of hostname.bwfm0:

  debug
> join NETWORK_IN_QUESTION_5G wpakey PASSWORD
> inet6 autoconf
> inet autoconf
> 
> I would appreciate any suggestions.

Show us what is printed in dmesg with debug enabled when it fails to connect.

Among other info it shows scan results. Does your AP appear in the list?



Re: Ping blocked by firewall

2024-04-09 Thread Peter N. M. Hansteen
On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas wrote:
> Hi all,
> 
> For the first time I tested my new firewall with ping, and it is blocked. I
> don't know what the reason is, you can find the information below. I have a
> network with only regular clients, so no servers. I'm still using OpenBSD
> V7.4, and will upgrade once the firewall is up and running so I can test the
> upgrade process.

Upgrading to 7.5 will not affect this particular problem I think.

Still low on caffeine I spot two likely factors - your $localnet range overlaps 
with one of the ranges in $martians (which I anyway would recommend converting 
into a table), and your block referencing $martians comes after the pass rules
that would have let icmp through. With no previous matching quick, last match
applies. 

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
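
Two points from Peter's replies in this thread, the case-sensitive macro name and the `$localnet` range that falls inside one of the martians ranges, can be checked mechanically before a ruleset is loaded. The Python lint below is an added example, not part of the thread or of pf; its sample input is constructed from the macro lines and block rules of the posted pf.conf, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: macro lines and block rules copied from the posted pf.conf.
SAMPLE_PF_CONF = '''\
ext_if = igc0 # Extern interface
localnet = "192.168.2.0/24"
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \\
            10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \\
            0.0.0.0/8, 240.0.0.0/4 }"
block log in quick on $ext_if from $martians to any
block log out quick on $ext_if from any to $martians
'''

MACRO_DEF = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
MACRO_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def logical_lines(text):
    """Yield (first_line_number, text) with backslash continuations joined."""
    parts, start = [], None
    for number, line in enumerate(text.splitlines(), 1):
        if start is None:
            start = number
        stripped = line.rstrip()
        if stripped.endswith("\\"):
            parts.append(stripped[:-1])
            continue
        parts.append(line)
        yield start, " ".join(parts)
        parts, start = [], None
    if parts:
        yield start, " ".join(parts)


def undefined_macro_refs(text):
    """Return (macros, problems); problems are (line, name, case_variant)."""
    macros, problems = {}, []
    for number, line in logical_lines(text):
        line = line.split("#", 1)[0]          # drop trailing comment
        definition = MACRO_DEF.match(line)
        body = definition.group(2) if definition else line
        for name in MACRO_REF.findall(body):
            if name not in macros:            # pf macro names are case sensitive
                variant = next(
                    (m for m in macros if m.lower() == name.lower()), None)
                problems.append((number, name, variant))
        if definition:
            macros[definition.group(1)] = body.strip().strip('"')
    return macros, problems


def overlapping_entries(macros, net_macro, list_macro):
    """Return (entries of list_macro overlapping net_macro, entries not parsed)."""
    net = ipaddress.ip_network(macros[net_macro])
    overlapping, unparsed = [], []
    for entry in re.split(r"[\s,{}]+", macros[list_macro]):
        if not entry:
            continue
        try:
            other = ipaddress.ip_network(entry)
        except ValueError:
            unparsed.append(entry)            # not a full CIDR network as written
            continue
        if other.version == net.version and other.overlaps(net):
            overlapping.append(entry)
    return overlapping, unparsed


if __name__ == "__main__":
    macros, problems = undefined_macro_refs(SAMPLE_PF_CONF)
    for number, name, variant in problems:
        hint = f" (defined as '{variant}')" if variant else ""
        print(f"line {number}: macro '{name}' not defined{hint}")
    overlapping, unparsed = overlapping_entries(macros, "localnet", "Martians")
    print("overlaps $localnet:", overlapping)
    print("not parsed as CIDR:", unparsed)
```

Entries reported as not parsed are only those Python's `ipaddress` module cannot read as a network; how pf itself treats them is not checked here.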



Ping blocked by firewall

2024-04-09 Thread Karel Lucas

Hi all,

For the first time I tested my new firewall with ping, and it is 
blocked. I don't know what the reason is, you can find the information 
below. I have a network with only regular clients, so no servers. I'm 
still using OpenBSD V7.4, and will upgrade once the firewall is up and 
running so I can test the upgrade process.


/etc/pf.conf:
ext_if = igc0 # Extern interface
int_if = "{ igc1, igc2 }" # Intern interfaces
localnet = "192.168.2.0/24"
tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
udp_services = "{ domain, ntp }"
email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
icmp_types = "{ echoreq, unreach }"
icmp6_types = "{ echoreq, unreach }"
nameservers = "{ 195.121.1.34, 195.121.1.66 }"
client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
                446, cvspserver, 2628, 5999, 8000, 8080 }"
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
            10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
            0.0.0.0/8, 240.0.0.0/4 }"
set skip on lo
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
block log all                # block stateless traffic
# Letting ping through:
pass log on inet proto icmp icmp-type $icmp_types
pass log on inet6 proto icmp6 icmp6-type $icmp6_types
# Allow out the default range for traceroute(*):
# "base+nhops*nqueries-1" (3434+64*3-1)
pass log out on ext_if inet proto udp to port 33433:33626 # for IPv4
pass log out on ext_if inet6 proto udp to port 33433:33626 # for IPv6
pass log quick on $ext_if inet proto {tcp, udp} from $localnet \
        to port $udp_services
pass log on $ext_if inet proto icmp all icmp-type $icmp_types
pass log on $ext_if inet proto tcp from $localnet to port $client_out
block log in quick on $ext_if from $martians to any
block log out quick on $ext_if from any to $martians
pass log out proto tcp to port $tcp_services   # establish keep-stat
pass log log proto udp to port $udp_services   # Establish keep-state

/var/log/pflog:
tcpdump: WARNING: snaplen raised from 116 to 160
Apr 09 08:16:45.009497 :: > ff02::16: HBH multicast listener report v2, 
2 group record(S) [hlim 1]
apr 09 08:16:45.009500 :: > ff02::16: HBH multicast listener report v2, 
2 group record(S) [hlim 1]