Re: Upgrade old 6.2 but 6.3 SHA256.sig on mirror different

2020-07-22 Thread Johan Mellberg



> On 22 July 2020 at 17:29, Christian Weisgerber wrote:
> 
> "Theo de Raadt":
> 
>> Johan Mellberg wrote:
> 
>>> and https://ftp.openbsd.org/pub/OpenBSD/6.3/amd64/SHA256.sig
>>> (Canada, as I like to take them from different sources). I then ran:
>> 
>> The format of the .sig files was changed in a very small way, intentionally,
>> way back then.  You are hitting that issue. 
> 
> Sorry, no, the file is corrupted.  I just downloaded
> https://ftp.openbsd.org/pub/OpenBSD/6.3/amd64/SHA256.sig
> and it contains only nul bytes.
> 
> 

Aha. I thought it looked suspicious! Thanks for confirming. I assume other 
files on https://ftp.openbsd.org/ could also be corrupted then. 

/Johan






Upgrade old 6.2 but 6.3 SHA256.sig on mirror different

2020-07-22 Thread Johan Mellberg
Hi,

before my question, note that I have already decided to make a clean
install, not actually upgrade. Will be more efficient, but wanted to pose
the question anyway.

So, I was initially planning on upgrading a VM step by step from 6.2 up to
6.7. Downloaded https://ftp.eu.openbsd.org/pub/OpenBSD/6.3/amd64/bsd.rd
(Norway mirror) and https://ftp.openbsd.org/pub/OpenBSD/6.3/amd64/SHA256.sig
(Canada, as I like to take them from different sources). I then ran:

signify -C -p /etc/signify/openbsd-63-base.pub -x SHA256.sig bsd.rd

which failed with "signify: invalid comment in SHA256.sig; must start with
'untrusted comment: '".

If I download https://ftp.eu.openbsd.org/pub/OpenBSD/6.3/amd64/SHA256.sig,
signify is happy (also tried the version over at the heanet.ie mirror).

Is anyone aware of this? Is it perhaps a case of bit rot on the Canadian
server?

Thanks,
Johan
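As an added example (mine, not from this thread and not OpenBSD's signify code), here is a small Python check that catches both failures seen here before signify is run: the "invalid comment" rejection, and the corrupted mirror copy that Christian Weisgerber found to consist only of NUL bytes. It checks the file's structure against the signify(1) format (an "untrusted comment: " line, a base64 line decoding to a 2-byte "Ed" tag, an 8-byte key number and a 64-byte signature, then the SHA256 list that -C embeds). It does not verify the Ed25519 signature itself; that remains signify's job. The sample files are constructed inline and are not real OpenBSD signatures.

```python
import base64
import binascii
import re

# signify(1) signature layout: 2-byte algorithm tag "Ed", 8-byte key number,
# 64-byte Ed25519 signature, base64-encoded on the second line of the file.
SIG_LEN = 2 + 8 + 64
COMMENT_PREFIX = "untrusted comment: "
SHA256_LINE = re.compile(r"SHA256 \((.+)\) = ([0-9a-f]{64})")


def inspect_sigfile(data: bytes) -> dict:
    """Structural sanity check of a signify signature file such as SHA256.sig.

    Returns a dict whose 'status' is one of: 'empty', 'nul-bytes',
    'bad-comment', 'bad-signature', 'bad-checksum-line' or 'ok'.
    This does not verify the Ed25519 signature; run signify(1) for that.
    """
    if not data:
        return {"status": "empty"}
    # The corruption seen on the mirror: a file made up entirely of NUL bytes.
    if all(b == 0 for b in data):
        return {"status": "nul-bytes", "size": len(data)}
    lines = data.decode("ascii", errors="replace").split("\n")
    # signify itself rejects any file whose first line lacks this prefix.
    if not lines[0].startswith(COMMENT_PREFIX):
        return {"status": "bad-comment", "first_line": lines[0][:40]}
    if len(lines) < 2:
        return {"status": "bad-signature"}
    try:
        raw = base64.b64decode(lines[1], validate=True)
    except binascii.Error:
        return {"status": "bad-signature"}
    if len(raw) != SIG_LEN or raw[:2] != b"Ed":
        return {"status": "bad-signature"}
    # With -C the signed message (the SHA256 list) follows the signature line.
    sums = {}
    for line in lines[2:]:
        if not line:
            continue
        m = SHA256_LINE.fullmatch(line)
        if not m:
            return {"status": "bad-checksum-line", "line": line[:40]}
        sums[m.group(1)] = m.group(2)
    return {"status": "ok", "keynum": raw[2:10].hex(), "files": sums}


# Constructed sample files (not real OpenBSD signatures).
GOOD_SIG = (
    b"untrusted comment: verify with openbsd-63-base.pub\n"
    + base64.b64encode(b"Ed" + bytes(range(8)) + bytes(64)) + b"\n"
    + b"SHA256 (bsd.rd) = " + b"0" * 64 + b"\n"
)
NUL_SIG = bytes(4096)            # what the corrupted mirror copy looked like
TRUNCATED_SIG = b"untrusted comment: verify with openbsd-63-base.pub\n"


if __name__ == "__main__":
    for name, blob in (("good", GOOD_SIG), ("nul", NUL_SIG),
                       ("truncated", TRUNCATED_SIG)):
        print(name, inspect_sigfile(blob)["status"])
```

Running this over a SHA256.sig fetched from two mirrors, and comparing the two "keynum" values and SHA256 lists, is a cheap way to tell a mirror problem from a format change before trusting either copy.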


Re: Advice on Security Cameras

2019-01-01 Thread Johan Mellberg



> On 1 Jan 2019 at 18:46, Elias M. Mariani wrote:
> 
> Hi list,
> I'm thinking of installing some cameras in my private home. I have
> been looking for solutions; my concern is that I wish to be able to
> look at the videos from outside the house and I'm a little paranoid about
> the quality of the software that the different vendors use. I have
> seen clusters of cameras that only work over ActiveX...
> I know that is a little off-topic but maybe someone knows about a good
> brand of cameras.
> Of course one can always set up a VPN tunnel through OpenBSD for the
> security matter; OpenVPN works on Android so it is easy to access from a
> smartphone. But I would prefer to have a single secure service running
> than adding a layer of complexity with the VPN.
> 
> I'm looking for:
> - Not overpriced cameras.
> - They don't need to be "external cameras", they will be covered under a roof.
> - I need to set at least 4, so I need them to be accessible from a
> single platform.
> - Android / Browser friendly (not only IE plz...)
> - WiFi is not needed, I have a 12v supply and Ethernet connections for
> each camera.
> - Good video quality but I'm not looking for anything super great...
> - the ability to centralize recording and access to view the cameras is a 
> must.
> 
> Again, sorry for the off-topic but where would I find a better place to
> ask about surveillance and security ? :D
> 
> Cheers and happy new year.
> Elias.
> 

Hi,

I don't know much about available options but I personally like the Netatmo 
Presence cameras although those are WiFi-only and might not be suitable for 
your requirements (as far as I know you HAVE to use their smartphone app for 
example, and set up an account to control your camera). I’d otherwise suggest 
having a look at Zoneminder if you want centralised recording. They seem to 
support lots of cameras and I think they have some recommendations on supported 
hardware. Haven’t had time to dig in myself though. 

/Johan



Re: SSH server immediately closes connection

2018-12-14 Thread Johan Mellberg


> On 14 Dec 2018 at 14:14, Nick Holland wrote:
> 
>> On 12/14/18 00:27, Максим wrote:
>> Hello,
>> I've got a PC running OpenBSD current.
>> After the latest upgrade I cannot ssh to it.
>> 
>> When I run "ssh 10.26.5.70"
>> I get this:
>> "Connection to 10.26.5.70 closed by remote host.
>> Connection to 10.26.5.70 closed."
>> As an SSH client I use another OpenBSD box and a Linux machine
>> with the same result.
>> When I run "ssh -vvv 10.26.5.70"
>> the last messages are:
>> 
>> "debug3: receive packet: type 52
>> debug1: Authentication succeeded (publickey).
>> Authenticated to 10.26.5.70 ([10.26.5.70]:22).
>> debug1: channel 0: new [client-session]
>> debug3: ssh_session2_open: channel_new: 0
>> debug2: channel 0: send open
>> debug3: send packet: type 90
>> debug1: Requesting no-more-sessi...@openssh.com
>> debug3: send packet: type 80
>> debug1: Entering interactive session.
>> debug1: pledge: network
>> debug3: send packet: type 1
>> debug1: channel 0: free: client-session, nchannels 1
>> debug3: channel 0: status: The following connections are open:
>>  #0 client-session (t3 nr0 i0/0 o0/0 e[write]/0 fd 4/5/6 sock -1 cc -1)
>> 
>> debug3: fd 1 is not O_NONBLOCK
>> Connection to 10.26.5.70 closed by remote host.
>> Connection to 10.26.5.70 closed.
>> Transferred: sent 2644, received 1932 bytes, in 0.0 seconds
>> Bytes per second: sent 1085498.2, received 793185.5
>> debug1: Exit status -1"
>> 
>> 
>> No errors in /var/log/daemon
>> No errors in /var/log/authlog
>> 
>> The result doesn't depend on the user which I use to login.
> 
> I just happened to have upgraded a system last night to the most recent
> snapshot, I am NOT having any such problem.
> OpenBSD 6.4-current (GENERIC.MP) #510: Thu Dec 13 06:20:42 MST 2018
>dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> 
> So ... Doesn't appear to be a systemic problem, most likely either a
> knob you twisted before the upgrade or something about your upgrade process.
> 
> You need to provide more details about what you did...both before and
> during the upgrade...and some indication of what platform you are
> running and the snapshot you upgraded to.
> 
> Nick.
> 
Do you have a modified sshd_config with a reduced set of algorithms?



Re: Pkg_add

2018-09-17 Thread Johan Mellberg
On Sun 16 Sep 2018 at 09:40, Solène Rapenne wrote:
>
> On 2018-09-16 03:33, Michael Ayres wrote:
> > Thanks to everyone who has replied in helping me. I have read up on
> > the man pages and I understand what I need; it is:
> >
> > 1) I want to install some packages on OpenBSD 6.0 which I have
> > operational on a Parallels VM on my precious MacBookPro High Sierra.
>
> are you using 6.0? If so, it's no longer supported and packages are not
> available anymore.

Sure they are, but it can depend on the mirror. See for example
http://ftp.eu.openbsd.org/pub/OpenBSD/6.0/packages/i386/.

>
> > 2) I want to set a environmental variable PKG_PATH to the ftp site to
> > get packages.
> >   2.a) I am trying to set it to
> > https://ftp.openbsd.org/pub/OpenBSD/6.3/packages/i386/, which has an
> > index of packages I might want to get. I will later put that
> > PKG_PATH in the start up file so it is always set each time I boot up
> > OpenBSD.

Why are you trying to set the PKG_PATH to use 6.3 packages when you
are according to the above using 6.0? To install 6.3 packages you
first need to upgrade the system to 6.3, one step at a time; 6.0-6.1,
6.1-6.2, 6.2-6.3. Start here:
http://www.openbsd.org/faq/upgrade61.html

Or just reinstall.

>
> > 3) My PKG_PATH string
> > [ https://ftp.openbsd.org/pub/OpenBSD/6.3/packages/i386/ ] does not
> > seem to work. An example I refer to includes some wild cards, “%”,
> > which I can’t seem to get right. The example I am working from is at:
> > https://linux-audit.com/updating-all-openbsd-packages-with-pkg_add/
> > 
> > and one example it uses is passing a variable for name and arch -s,
> > which I have not set.
>
> http://man.openbsd.org/installurl
>
> https://ftp.openbsd.org/pub/OpenBSD is a right content for the file

But that was not introduced until 6.1 and there seems to be some
confusion on which release he is using. If he is using 6.0 installurl
is not available.

>
> >
> >
> > 4) What is a correct string i should use to set my PKG_PATH variable
> > to get packages from location at 2a above?
> >
>
> use /etc/installurl instead of PKG_PATH
>

The PKG_PATH environment variable could for example be set in root's
.profile, which is read when logging in as root (or doing su -) as in
the instructions you pasted earlier:
export PKG_PATH="http://ftp.eu.openbsd.org/pub/OpenBSD/$(uname -r)/packages/$(arch -s)/"

The $(uname -r) and the $(arch -s) could be replaced with your literal
version and architecture respectively, in your case 6.0 and i386 (if
that is what you are using, please verify, by logging in and issuing
the two commands one after the other, i.e. uname -r and arch -s).
Verify that you are installing the same version of packages as your
installed system. Test it on the command line first, works with or
without the quotation marks.

On a fresh install of 6.3 (6.1 or later), /etc/installurl will be
automatically populated during installation. If you are upgrading you
will need to create the file. Note that at some release the url should
be changed to use https, see the upgrade instructions if you go down
that route.

/Johan



Re: New laptop recommendations

2018-06-20 Thread Johan Mellberg
Hmm. I have that one and there’s something fishy with the graphics, when I boot 
the installer (6.3) I just get “static” on the built in screen. No problem with 
any other OS. I just tried booting OpenBSD as a test so have not investigated 
further, but consider it a potential issue, it might be just my specimen but 
then again, maybe not. 

Best regards, Johan
—
Smartphone. Yes... exactly.

> On 20 June 2018 at 21:36, Patrick Harper wrote:
> 
> HP EliteBook 745 G2?
> 
> -- 
>  Patrick Harper
>  paia...@fastmail.com
> 
>> On Wed, 20 Jun 2018, at 09:01, Thomas Frohwein wrote:
>> No AMD laptop recommendations in this day and age? Also buying used or
>> refurbished laptops on eBay is a security risk from the outset - ask
>> yourself how well you would be at spotting if someone had tampered e.g.
>> with the webcam or the firmware? With new hardware, you have at least a
>> reasonable expectation that the package hasn't been opened between
>> manufacturer and you...
>> 
> 



Re: Pf syntax, need help understanding an example

2018-06-07 Thread Johan Mellberg
2018-06-06 13:55 GMT+02:00 Stuart Henderson:
> On 2018-06-06, Johan Mellberg wrote:
>
> with ext_if="re0", $ext_if expands to re0.
>
> If this if used in place of an address in a PF rule, re0's address is
> looked up when pfctl is run and that is used.
>
> If "(re0)" is used instead, that lookup is done when the firewall state
> is created rather than during rule load. So if you have an address which
> does *not* change, using () is unnecessary overhead at runtime for every
> new state which has to evaluate this.
>
Got it, thanks. I guessed something like that, just did not get the
further expansion from interface name to IP address.


>
> () is only for places which take an address. "set skip" takes an "ifspec"
> instead. The interface name itself is valid but "set skip on (em0)" is not.
Ah! Thank you! That clears it up for me.

>
> I realise this is just testing but will mention just in case: you don't
> usually want to set skip on the external *or* internal interface.
>
>
Heh, yes. That was why I was just testing the syntax, I never actually
loaded the file. I could have used another file to play with, but I
was lazy - and the test lines have been removed. Also, it's being
tested in a VM running on a laptop that is usually connected to known
and sort of trusted networks so it's not terribly exposed. And it will
probably be deleted when I'm done practising.

Many thanks (to all who replied),
/Johan



Pf syntax, need help understanding an example

2018-06-06 Thread Johan Mellberg
Hi,

I am working my way through "The Book of Pf" and got hung up on the
example on page 31 of edition 3 (I am reading edition 2 but the
example seems to be identical in edition 3):

ext_if = "re0" # macro for external interface - use tun0 or pppoe0 for PPPoE
int_if = "re1" # macro for internal interface
localnet = $int_if:network
# ext_if IPv4 address could be dynamic, hence ($ext_if)
match out on $ext_if inet from $localnet nat-to ($ext_if) # NAT, match IPv4 only
block all
pass from { self, $localnet }

So, what it does is not a problem, I understand that, but that set of
parentheses around $ext_if confuses me. The explanation states that
the IPv4 address could be dynamic (which is clear...) but I look at
that example and as far as I understand, $ext_if should expand to
"re0", not an IP address - right?

Just to test I tried a simple line in my own pf.conf (on OpenBSD 6.3):

ext_if = "em0"
set skip on $ext_if

and tested with pfctl -nvf /etc/pf.conf

That worked so then I put parentheses around $ext_if:

set skip on ($ext_if)

and tested again. This time I got a syntax error!

So could someone please explain this to me? I don't think this is an
error in the book because there is a small paragraph apart from the
comment in the example specifically pointing out the value of these
parentheses - but I can't wrap my head around it. Any help
appreciated!

Sincerely, Johan



Re: Trying to use OpenBSD as webserver, inside home network (ADSL internet connection)

2018-01-19 Thread Johan Mellberg


> On 19 Jan 2018 at 17:29, Oliver Marugg wrote:
> 
> hi
> 
> check: which device does NAT for you. On that device configure port forwarding 
> from external to internal, e.g. external ip:port to your internal host:port. 
> test it from outside.
> 
> ip forwarding on your OpenBSD laptop isn't necessary here, your laptop doesn't 
> act as a router in your home setup.
> 
> -om
> 

And, check if your ISP is providing you with a public IP address. If your 
router’s external address is in one of the RFC1918-defined ranges you will not 
be able to reach it from the general internet. 

> 
>> On 19 Jan 2018, at 15:55, Michel von Behr wrote:
>> 
>> Hi - rookie question: I have ADSL internet at home, distributed to local
>> hosts via a cheap modem/router provided by the ISP. And connected as one of
>> the network nodes is an old laptop running OpenBSD. I want to use that
>> laptop as a webserver, ftp server, etc. I can connect to the laptop
>> internally, from within the local network (192.168.15.11) via http, ssh,
>> ftp, etc, but I can't see it from external hosts. I already tried different
>> configurations in the router/modem related to port forwarding, NAT, but
>> without success, so I'm starting to think that it might be something I'm
>> missing on OpenBSD network config (PF maybe?).
>> 
>> I tried enabling ip forwarding in sysctl but I still can't see it from
>> outside hosts.
>> 
>> Specifically, my question would be this: if I can see my laptop from within
>> the local network, would that be enough to guarantee that I should be able
>> to detect it externally? If not, what configuration should I be looking to
>> adjust?
>> 
>> httpd.conf is accepting connections from any IP address, as far as I
>> understand this:
>> 
>> # $OpenBSD: httpd.conf,v 1.17 2017/04/16 08:50:49 ajacoutot Exp $
>> 
>> #
>> # Macros
>> #
>> ext_addr="*"
>> 
>> #
>> # Global Options
>> #
>> # prefork 3
>> 
>> 
>> #
>> # Servers
>> #
>> 
>> # A minimal default server
>> server "default" {
>>     listen on $ext_addr port 80
>>     listen on $ext_addr port 8080
>>     listen on $ext_addr port 50080
>>     root "/htdocs/"
>>     directory {
>>         no index
>>     }
>> 
>>     location "*.php" {
>>         fastcgi socket "/run/php-fpm.sock"
>>     }
>> }
>> 
>> As for ssh_config the only change I made to the default config file was to
>> include port 50022 (trying to avoid any blocking to port 22 that my ISP
>> might be enforcing).
>> 
>> Any pointing to the right direction would be appreciated...
>> 
>> Kind regards,
>> 
>> Michel
> 



Re: Can I use OpenBSD as a desktop system?

2017-06-09 Thread Johan Mellberg
Yes.

2017-06-09 21:39 GMT+02:00 SOUL_OF_ROOT 55 :

> Can I use OpenBSD as a desktop system?
>


Re: 5.8 EOL

2016-12-01 Thread Johan Mellberg
Sent from my "device" :-)
> On 1 Dec 2016 at 15:59, Alessandro Baggi wrote:
>
> Hi list,
> Some years ago I installed OpenBSD 5.8 on an apu with 3 nics.
> I've tried to search but no luck. What is the EOL for OpenBSD 5.8?
>
> Thanks in advance.
>

Not sure that "end of life" is the way to put it, but OpenBSD developers
support the current and the previous releases (see picture on
http://www.openbsd.org/faq/faq5.html).  So 5.8 was "EOL:ed" when 6.0 was
released.
/Johan



Re: Failure to get unbound to talk to nsd on the same server (Solved)

2016-10-18 Thread Johan Mellberg
Hi all,

thanks for all the suggestions. However it turned out that all I needed to do 
was to add

domain-insecure: "my.domain"

to unbound.conf so that unbound would ignore the lack of DNSSEC of my internal 
domain. I have not paid much attention to DNSSEC until now, but it seems I may 
need to.

So, problem solved, onto the next one! ;-)

/Johan

On Wed, Oct 12, 2016 at 04:18:39PM +0300, Kapetanakis Giannis wrote:
> Hi, 
> 
> Haven't followed the whole thread and by just looking at the topic,
> I have a similar setup (carped as well) for caching DNS.
> 2 servers, 2 carped IPs.
> 
> This is how it works:
> 
> unbound.conf:
> interface: 127.0.0.1
> port: 53
> outgoing-interface: ext_ip
> access-control: local_networks
> do-not-query-localhost: no
> include: "/var/unbound/etc/stub_zones_insecure"
> include: "/var/unbound/etc/stub_zones"
> 
> stub_zones:
> stub-zone:
> name: "foo.example.com."
> stub-addr: 127.0.0.1@5678
> 
> stub_zones_insecure:
> domain-insecure: "foo.example.com."
> 
> insecure is for when you have network problems, to be able to resolve;
> otherwise it hangs at DNSSEC (if you have it enabled). This is for local 
> zones only.
> 
> resolv.conf:
> nameserver 127.0.0.1
> 
> nsd.conf:
> ip-address: 127.0.0.1@5678
> zone:
>     name: foo.example.com
>     zonefile: /var/nsd/zones/slave/%s
>     request-xfr: master_DNS_IP NOKEY
>     allow-notify: master_DNS_IP NOKEY
> 
> pf.conf:
> # requests from local dns server (unbound)
> pass out quick on $dns1_if proto {tcp, udp} to $dns1_if:network port 53 
> modulate state (if-bound, no-sync) nat-to ($dns1_if)
> pass out quick on $dns1_if proto {tcp, udp} to any port 53 modulate state 
> (if-bound, no-sync) route-to ($dns1_if $dns1_gw) nat-to ($dns1_if)
> pass out quick on $dns2_if proto {tcp, udp} to $dns2_if:network port 53 
> modulate state (if-bound, no-sync) nat-to ($dns2_if)
> pass out quick on $dns2_if proto {tcp, udp} to any port 53 modulate state 
> (if-bound, no-sync) route-to ($dns2_if $dns2_gw) nat-to ($dns2_if)
> 
> # requests from clients (unbound)
> pass in quick on $dns1_if proto {tcp,udp} from $dns1_if:network to 
> ($dns1_carp) port 53 keep state rdr-to 127.0.0.1 reply-to $dns1_if
> pass in quick on $dns2_if proto {tcp,udp} from $dns2_if:network to 
> ($dns2_carp) port 53 keep state rdr-to 127.0.0.1 reply-to $dns2_if
> pass in quick on $dns1_if proto {tcp,udp} from  to ($dns1_carp) 
> port 53 keep state rdr-to 127.0.0.1 reply-to ($dns1_if $dns1_gw)
> pass in quick on $dns2_if proto {tcp,udp} from  to ($dns2_carp) 
> port 53 keep state rdr-to 127.0.0.1 reply-to ($dns2_if $dns2_gw)
> pass out quick on $dns1_if proto udp from 127.0.0.1 port 53 nat-to 
> ($dns1_carp)
> pass out quick on $dns2_if proto udp from 127.0.0.1 port 53 nat-to 
> ($dns2_carp)
> 
> # nsd 
> pass in quick on $dns1_if proto udp from $master_DNS to ($dns1_if) port 5678 
> keep state rdr-to 127.0.0.1 reply-to $dns1_if
> 
> hope these help. For me they have worked for the last 2 years. The only problem I 
> haven't solved so far, which requires a different setup, is when you make a 
> change on the master and the unbound has the previous entry in the cache... 
> the cache has to expire.
> 
> 
> G



Re: Failure to get unbound to talk to nsd on the same server

2016-10-11 Thread Johan Mellberg
So as to how it flies, here's my line of thought:

Unbound should serve my network including the dns server machine
itself with DNS, hence the external IP address in resolv.conf. dig and
nslookup run on the dns server itself both use this with no problem
and the rest of my network seems happy as well. It should also respond
to queries for my internal zone by querying NSD on a local address. To
me it then looks like there is no need for Unbound to bind to
127.0.0.1.

NSD should only serve Unbound's queries for my.domain. Thus it does
not as I understand it need to bind to any address except
localhost/127.0.0.1. And, since NSD is non-recursive this also means
that having the nameserver 127.0.0.1 line in /etc/resolv.conf would
cause all queries to fail except the ones for which it is
authoritative.

Now, I don't mind the other scenario, where NSD binds to
127.0.0.1@5300 (or 42 or whatever), and Unbound binds to 192.168.x.91
and 127.0.0.1, in which case I could put nameserver 127.0.0.1 in
/etc/resolv.conf - but I don't see why it would be necessary?

And using tcpdump I could see Unbound sending a query, which was
immediately answered - but Unbound just said SERVFAIL...

There is something weird here that I don't quite see/understand so I
very much appreciate the input so far. Experimenting with the various
settings proposed, good stuff.

/Johan

2016-10-11 9:41 GMT+02:00 Paul de Weerd <we...@weirdnet.nl>:
> I run a similar setup, NSD serving my local zones (on ::1@54) and
> unbound querying those local zones there.  Comparing your config with
> mine, I didn't spot an obvious explanation for why it wouldn't work
> for you, but I do note that your unbound isn't configured to listen on
> 127.0.0.1, whilst your NSD *is* set to listen there.  Not sure how
> that flies with your resolv.conf setup.
>
> With the below config, unbound listens on localhost (v4 and v6) and my
> local interface (v4 and v6).  NSD only listens on the ::1 and at an
> alternative port (54).
>
> Hope that helps.
>
> Cheers,
>
> Paul 'WEiRD' de Weerd
>
> --- nsd configuration 
> server:
> hide-version: yes
> ip-address: ::1@54
> verbosity: 1
> database: "" # disable database
>
> remote-control:
> control-enable: yes
>
> zone:
> name: "168.192.in-addr.arpa"
> zonefile: "168.192.in-addr.arpa"
>
> zone:
> name: "domain.tld"
> zonefile: "domain.tld"
> server:
> interface: 127.0.0.1
> interface: ::1
> interface: 192.168.34.1
> interface: 2001:xxx:3af::1
>
> access-control: 0.0.0.0/0 refuse
> access-control: 127.0.0.0/8 allow
> access-control: 192.168.34.0/23 allow
> access-control: 192.168.36.0/24 allow
> access-control: ::0/0 refuse
> access-control: ::1 allow
> access-control: 2001:xxx:3af::/64 allow
> access-control: 2001:xxx:3af:20::/64 allow
>
> hide-identity: yes
> hide-version: yes
>
> do-not-query-localhost: no
>
> local-zone: "168.192.in-addr.arpa." nodefault
>
> stub-zone:
> name: domain.tld
> stub-addr: ::1@54
>
> stub-zone:
> name: 34.168.192.in-addr.arpa
> stub-addr: ::1@54
> --
>
> On Mon, Oct 10, 2016 at 11:42:16PM +0200, Johan Mellberg wrote:
> | Hi all,
> |
> | I am setting up a fresh OpenBSD 6.0 server in a KVM VM to serve my
> | home network with DNS. I have a custom zone (only for LAN use) set up
> | and previously used BIND successfully (but that VM crashed and its
> | disk was hosed...) both as authoritative and caching/resolving.
> |
> | So now I am trying to learn to set up NSD to be authoritative for my
> | small zone and Unbound to serve the LAN with all other queries. But
> | there is a problem:
> |
> | 1. Unbound successfully responds to queries and provides lookup to the
> | LAN machines for "the internet".
> | 2. NSD successfully responds to queries for the custom zone.
> | 3. But I cannot get Unbound to get a reply from NSD...
> |
> | I have tried multiple combinations of ports and interface bindings and
> | I suspect that I am missing something simple here. Currently I have
> | set NSD to listen on 127.0.0.1 and Unbound listens on 192.168.x.91 -
> | so there should not be a conflict. In fact it works fine if I use dig
> | @localhost  and dig @192.168.x.91 
> | respectively, but the second version only provides an answer-less
> | response if asked for a LAN hostname.
> |
> | Unbound is

Re: Failure to get unbound to talk to nsd on the same server

2016-10-11 Thread Johan Mellberg
(Resending to list)
Yes, I thought of and tried that too with similar lack of success. But
as I could see from the tcpdump (see reply to Raimo's mail) NSD
responds so it's probably an Unbound issue. The forward-zone directive
can be used but it expects the forward-addr to be able to provide
recursion so it should not be used in my case (although it should work
since recursion is not needed).

2016-10-11 8:51 GMT+02:00 mxb <m...@alumni.chalmers.se>:
>
> Try to use forward-zone instead of stub-zone in unbound.conf
>
> forward-zone:
> name: "abc.com"
> forward-addr: 127.0.0.1
>
>
>> On 10 Oct 2016, at 23:42, Johan Mellberg <johan.mellb...@gmail.com> wrote:
>>
>> Hi all,
>>
>> I am setting up a fresh OpenBSD 6.0 server in a KVM VM to serve my
>> home network with DNS. I have a custom zone (only for LAN use) set up
>> and previously used BIND successfully (but that VM crashed and its
>> disk was hosed...) both as authoritative and caching/resolving.
>>
>> So now I am trying to learn to set up NSD to be authoritative for my
>> small zone and Unbound to serve the LAN with all other queries. But
>> there is a problem:
>>
>> 1. Unbound successfully responds to queries and provides lookup to the
>> LAN machines for "the internet".
>> 2. NSD successfully responds to queries for the custom zone.
>> 3. But I cannot get Unbound to get a reply from NSD...
>>
>> I have tried multiple combinations of ports and interface bindings and
>> I suspect that I am missing something simple here. Currently I have
>> set NSD to listen on 127.0.0.1 and Unbound listens on 192.168.x.91 -
>> so there should not be a conflict. In fact it works fine if I use dig
>> @localhost  and dig @192.168.x.91 
>> respectively, but the second version only provides an answer-less
>> response if asked for a LAN hostname.
>>
>> Unbound is set to ask localhost for the stub zones, forward and reverse.
>>
>> And, yes, I could of course use Unbound to serve my local zone and
>> drop NSD - but that would be giving up... It's supposed to work from
>> all I read! :-)
>>
>> I have also tried having NSD listen on 127.0.0.1@5353, and telling
>> unbound to use that as the stub-address, while then having Unbound
>> listen on 127.0.0.1 as well as 192.168.x.91 to be able to set
>> 127.0.0.1 as the nameserver in /etc/resolv.conf. Same result except I
>> can't test NSD with dig as it can't use an alternative port.
>>
>> A possibly related question: I can't seem to be able to use
>> shortnames. The domain part should be picked up from the host name as
>> given in /etc/myname, but that does not seem to work as I expect, I
>> always have to provide the FQDN. Again something I have missed
>> perhaps?
>>
>> Anyway, I am staring blindly at the config files now and really need
>> help figuring it out. I have removed all that is commented, otherwise
>> it's the default except for changes of course.
>>
>> Thanks for any clue bats coming my way...
>> /Johan
>>
>> * resolv.conf
>> lookup file bind
>> nameserver 192.168.x.91
>>
>> # cat /etc/myname
>> dns03.my.domain
>>
>> # cat /etc/hosts
>> 127.0.0.1   localhost
>> ::1 localhost
>> 192.168.x.91   dns03.my.domain dns03
>>
>> # cat /var/unbound/etc/unbound.conf
>> # $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $
>>
>> server:
>>     interface: 192.168.x.91
>>     interface: ::1
>>     do-not-query-localhost: no
>>
>>     access-control: 192.168.x.64/24 allow
>>     access-control: 127.0.0.0/8 allow
>>     access-control: 0.0.0.0/0 refuse
>>     access-control: ::0/0 refuse
>>     access-control: ::1 allow
>>
>>     hide-identity: yes
>>     hide-version: yes
>>
>>     # Uncomment to enable DNSSEC validation.
>>     #
>>     auto-trust-anchor-file: "/var/unbound/db/root.key"
>>
>>     root-hints: /var/unbound/etc/root.hints
>>
>> remote-control:
>>     control-enable: yes
>>     control-use-cert: no
>>     control-interface: /var/run/unbound.sock
>>
>> stub-zone:
>>     name: "my.domain"
>>     stub-addr: 127.0.0.1
>> stub-zone:
>>     name: "x.168.192.in-addr.arpa"
>>     stub-addr: 127.0.0.1
>>
>> # cat /var/nsd/etc/nsd.conf
>> # $OpenBSD: nsd.conf,v 1.11 2015/04/12 11:49:39 sthen Exp $
>>
>> server:
>>     hide-version: yes
>>     verbosity: 1
>>     database: "" # disable database
>>
>> ## bind to a specific address/port
>>     ip-address: 127.0.0.1
>>
>> remote-control:
>>     control-enable: yes
>>
>> zone:
>>     name: "my.domain"
>>     zonefile: "master/my.domain"
>> zone:
>>     name: "x.168.192.in-addr.arpa"
>>     zonefile: "master/192.168.x.rev"



Re: Failure to get unbound to talk to nsd on the same server

2016-10-11 Thread Johan Mellberg
Thanks.

Here's the output of the various dig commands and the tcpdump where
relevant. pf is unchanged and there is no difference whether disabled
with pfctl -d or not. The tcpdump is interesting since apparently the
query reached NSD and it replies - but Unbound does not see/accept it
(?). Could it be that it refuses replies on the port it used to send
the query?

The first dig command is run on another host in the lan (chief), the
others are run on the dns server itself (dns03). Note that the
successful replies refer to another dns server, but at the moment it
does not exist. No machines are configured to use that, it's only in
the zone files for now.

### Run on chief (192.168.x.95) ###

[johan@chief ~]$ dig @192.168.x.91 ericsson.com

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> @192.168.x.91 ericsson.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32640
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ericsson.com.  IN  A

;; ANSWER SECTION:
ericsson.com.   28800   IN  A   193.180.16.203

;; Query time: 51 msec
;; SERVER: 192.168.x.91#53(192.168.x.91)
;; WHEN: tis okt 11 13:40:10 CEST 2016
;; MSG SIZE  rcvd: 57

### Run on dns03 (192.168.x.91) ###
$ dig aftonbladet.se

; <<>> DiG 9.4.2-P2 <<>> aftonbladet.se
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5621
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;aftonbladet.se.IN  A

;; ANSWER SECTION:
aftonbladet.se. 300 IN  A   52.50.97.124
aftonbladet.se. 300 IN  A   52.30.21.46
aftonbladet.se. 300 IN  A   52.50.100.254

;; Query time: 66 msec
;; SERVER: 192.168.x.91#53(192.168.x.91)
;; WHEN: Tue Oct 11 13:42:40 2016
;; MSG SIZE  rcvd: 80

$ dig chief.my.domain

; <<>> DiG 9.4.2-P2 <<>> chief.my.domain
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3456
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;chief.my.domain.  IN  A

;; Query time: 442 msec
;; SERVER: 192.168.x.91#53(192.168.x.91)
;; WHEN: Tue Oct 11 13:43:45 2016
;; MSG SIZE  rcvd: 38

While running the above query the following tcpdump was captured:

#  tcpdump -i lo0 net 127 and port 53
tcpdump: listening on lo0, link-type LOOP
13:59:57.145012 localhost.39240 > localhost.domain: 10949% [1au] A?
chief.my.domain. (49)
13:59:57.145478 localhost.domain > localhost.39240: 10949*- 1/2/3 A
192.168.x.95 (137)

$ dig @localhost chief.my.domain

; <<>> DiG 9.4.2-P2 <<>> @localhost chief.my.domain
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36657
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;chief.my.domain.  IN  A

;; ANSWER SECTION:
chief.my.domain.   86400   IN  A   192.168.x.95

;; AUTHORITY SECTION:
my.domain. 86400   IN  NS  dns03.my.domain.
my.domain. 86400   IN  NS  dns04.my.domain.

;; ADDITIONAL SECTION:
dns03.my.domain.   86400   IN  A   192.168.x.91
dns04.my.domain.   86400   IN  A   192.168.x.92

;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Oct 11 13:44:10 2016
;; MSG SIZE  rcvd: 126

And here's the tcpdump of that query:

#  tcpdump -i lo0 net 127 and port 53
tcpdump: listening on lo0, link-type LOOP
14:01:28.099979 localhost.30023 > localhost.domain: 51528+ A? chief.my.domain. (38)
14:01:28.100456 localhost.domain > localhost.30023: 51528*- 1/2/2 A 192.168.x.95 (126)


$ dig @localhost chief

; <<>> DiG 9.4.2-P2 <<>> @localhost chief
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 64595
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;chief. IN  A

;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Oct 11 13:47:55 2016
;; MSG SIZE  rcvd: 23

2016-10-11 8:29 GMT+02:00 Raimo Niskanen <raimo+open...@erix.ericsson.se>:
> Please give more details on which dig commands you used on which machine(s)
> and paste their exact results.  Otherwise hard to tell since your setup
> seems about right.  Does pf get in your way?
>
> And -l Port to dig selects a non-default port.
>
> Anything interesting in your system logs on the DNS server?
>
>

Failure to get unbound to talk to nsd on the same server

2016-10-10 Thread Johan Mellberg
Hi all,

I am setting up a fresh OpenBSD 6.0 server in a KVM VM to serve my
home network with DNS. I have a custom zone (only for LAN use) set up
and previously used BIND successfully (but that VM crashed and its
disk was hosed...) both as authoritative and caching/resolving.

So now I am trying to learn to set up NSD to be authoritative for my
small zone and Unbound to serve the LAN with all other queries. But
there is a problem:

1. Unbound successfully responds to queries and provides lookup to the
LAN machines for "the internet".
2. NSD successfully responds to queries for the custom zone.
3. But I cannot get Unbound to get a reply from NSD...

I have tried multiple combinations of ports and interface bindings and
I suspect that I am missing something simple here. Currently I have
set NSD to listen on 127.0.0.1 and Unbound listens on 192.168.x.91 -
so there should not be a conflict. In fact it works fine if I use dig
@localhost  and dig @192.168.x.91 
respectively, but the second version only provides an answer-less
response if asked for a LAN hostname.

Unbound is set to ask localhost for the stub zones, forward and reverse.

And, yes, I could of course use Unbound to serve my local zone and
drop NSD - but that would be giving up... It's supposed to work from
all I read! :-)

I have also tried having NSD listen on 127.0.0.1@5353, and telling
unbound to use that as the stub-address, while then having Unbound
listen on 127.0.0.1 as well as 192.168.x.91 to be able to set
127.0.0.1 as the nameserver in /etc/resolv.conf. Same result except I
can't test NSD with dig as it can't use an alternative port.

A possibly related question: I can't seem to be able to use
shortnames. The domain part should be picked up from the host name as
given in /etc/myname, but that does not seem to work as I expect, I
always have to provide the FQDN. Again something I have missed
perhaps?

Anyway, I am staring blindly at the config files now and really need
help figuring it out. I have removed all that is commented, otherwise
it's the default except for changes of course.

Thanks for any clue bats coming my way...
/Johan

* resolv.conf
lookup file bind
nameserver 192.168.x.91

# cat /etc/myname
dns03.my.domain

# cat /etc/hosts
127.0.0.1   localhost
::1 localhost
192.168.x.91   dns03.my.domain dns03

# cat /var/unbound/etc/unbound.conf
# $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $

server:
interface: 192.168.x.91
interface: ::1
do-not-query-localhost: no

access-control: 192.168.x.64/24 allow
access-control: 127.0.0.0/8 allow
access-control: 0.0.0.0/0 refuse
access-control: ::0/0 refuse
access-control: ::1 allow

hide-identity: yes
hide-version: yes

# Uncomment to enable DNSSEC validation.
#
auto-trust-anchor-file: "/var/unbound/db/root.key"

root-hints: /var/unbound/etc/root.hints

remote-control:
control-enable: yes
control-use-cert: no
control-interface: /var/run/unbound.sock

stub-zone:
name: "my.domain"
stub-addr: 127.0.0.1
stub-zone:
name: "x.168.192.in-addr.arpa"
stub-addr: 127.0.0.1

# cat /var/nsd/etc/nsd.conf
# $OpenBSD: nsd.conf,v 1.11 2015/04/12 11:49:39 sthen Exp $

server:
hide-version: yes
verbosity: 1
database: "" # disable database

## bind to a specific address/port
ip-address: 127.0.0.1

remote-control:
control-enable: yes

zone:
name: "my.domain"
zonefile: "master/my.domain"
zone:
name: "x.168.192.in-addr.arpa"
zonefile: "master/192.168.x.rev"



Re: home keys in tmux

2015-12-02 Thread Johan Mellberg
We'll see if this gets to the list, sending from a phone.

Anyway, screen steals C-a so to jump to the start of a line, hit C-a, then a
again.

Might work for you.


> On 2 Dec 2015, at 18:43, Jack J. Woehr wrote:
>
> Ax0n wrote:
>> Do you have anything in your .tmux.conf?
>>
> Ha, I have a funny problem in tmux that thwarts me. I changed the prefix key
> to C-a but the sequence C-a C-a doesn't work like C-b C-b,
> the C-a doesn't ever seem to get sent to the shell. Which means I can't jump
> to head-of-line Emacs-style like I'm used to. Maybe I could
> figure this out with an hour of study but maybe somebody on the list knows
> ;)
>
> --
> Jack J. Woehr # Science is more than a body of knowledge. It's a way of
> www.well.com/~jax # thinking, a way of skeptically interrogating the
> universe
> www.softwoehr.com # with a fine understanding of human fallibility. - Carl
> Sagan
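Johan describes the GNU screen convention: press the prefix, then the same key again, and the program in the terminal gets the literal key. tmux does the same with a single binding. The following ~/.tmux.conf is an added example, not something posted in the thread:

```conf
# ~/.tmux.conf
# Use C-a as the prefix, as GNU screen does, and free C-b.
set -g prefix C-a
unbind C-b

# Make a second C-a pass a literal C-a through to the program in the pane,
# so Emacs-style beginning-of-line keeps working inside the shell.
bind-key C-a send-prefix

# Alternative that matches screen exactly: C-a followed by a plain "a".
# bind-key a send-prefix
```

Reload with `tmux source-file ~/.tmux.conf`. `send-prefix` sends the current prefix key to the pane, so after this C-a C-a reaches the shell as one C-a.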



Re: mediatomb , limits folda to be seen

2015-08-06 Thread Johan Mellberg
I used to use mediatomb but I no longer do, so I don't remember the details,
but I remember that that is an issue of the web management UI: it exposes
the whole file system so that you can decide what to share, theoretically with
no limitations (although the mediatomb user may not have read access to
everything). IIRC however the database view is what will be shown to UPnP
endpoints; you should just have to configure that. Check the mediatomb web
site as the documentation is fairly complete: http://mediatomb.cc.

2015-08-06 3:09 GMT+02:00 Tuyosi Takesima nakajin.fu...@gmail.com:

 Hi all.
 I installed mediatomb and sqlite with pkg_add.
 It works well.

 But all folders are seen by the filesystem of mediatomb.

 I want only /MOVIES to be seen by the filesystem of mediatomb.
 What should I do?

 ---
 tuyosi



Following -stable, sources downloaded from mirror

2015-04-11 Thread Johan Mellberg
Hi,

I want to start following -stable so I have read
http://www.openbsd.org/anoncvs.html and
http://www.openbsd.org/faq/faq5.html#BldGetSrc as well as looking through
the mailing list archives for cvs from preloaded source.

I thought that I'd preload the sources so downloaded all of sys, src, ports
and xenocara and put them in /usr as per instructions.

No problem, but I am left with one unclear issue (complete cvs noob). On
http://www.openbsd.org/anoncvs.html it says

NOTE: If you are updating a source tree that you initially fetched from a
different server, or from a CD, you must add the -d [cvsroot] option to cvs.

# cd /usr/src
# cvs -d anon...@anoncvs.ca.openbsd.org:/cvs -q up -Pd

I do not understand what version I then end up with, because on
http://www.openbsd.org/faq/faq5.html#BldGetSrc and above the quoted section it
says to add -rOPENBSD_5_6 to get -stable (for 5.6) when checking out from
scratch. But I am not sure since this is the only example for updating
preloaded files. If I run that there is updating of course, but there's no Tag
that tells me if it is HEAD or whatever. If I add -rOPENBSD_5_6 I get the Tag
file of course but what version do I get without it?!? And how should I update
the next time?

Thanks/Johan



Following -stable, preloaded src

2015-04-11 Thread Johan Mellberg
Hi,

I want to start following -stable so I have read
http://www.openbsd.org/anoncvs.html and
http://www.openbsd.org/faq/faq5.html#BldGetSrc as well as looking
through the mailing list archives for cvs from preloaded source.

I thought that I'd preload the sources so downloaded all of sys, src,
ports and xenocara and put them in /usr as per instructions.

No problem, but I am left with one unclear issue (I am a complete cvs
noob). On http://www.openbsd.org/anoncvs.html it says.

NOTE: If you are updating a source tree that you initially fetched from
a different server, or from a CD, you must add the -d [cvsroot] option
to cvs.

# cd /usr/src
# cvs -d anon...@anoncvs.ca.openbsd.org:/cvs -q up -Pd

I do not understand what version I then end up with, because on
http://www.openbsd.org/faq/faq5.html#BldGetSrc and above the quoted
section it says to add -rOPENBSD_5_6 to get -stable (for 5.6) when
checking out from scratch. But I am not sure since this is the only
example for updating preloaded files. If I run that there is updating of
course, but there's no Tag that tells me if it is HEAD or whatever. If
I add -rOPENBSD_5_6 I get the Tag file of course but what version do I
get without it?!? And how should I update the next time?

Thanks/Johan



Re: Following -stable, sources downloaded from mirror

2015-04-11 Thread Johan Mellberg
dan mclaughlin wrote on 2015-04-11 10:55:
 On Sat, 11 Apr 2015 10:27:19 +0200 Johan Mellberg johan.mellb...@gmail.com 
 wrote:
 Hi,

 I want to start following -stable so I have read
 http://www.openbsd.org/anoncvs.html and
 http://www.openbsd.org/faq/faq5.html#BldGetSrc as well as looking through
 the mailing list archives for cvs from preloaded source.

 I thought that I'd preload the sources so downloaded all of sys, src, ports
 and xenocara and put them in /usr as per instructions.

 No problem, but I am left with one unclear issue (complete cvs noob). On
 http://www.openbsd.org/anoncvs.html it says

 NOTE: If you are updating a source tree that you initially fetched from a
 different server, or from a CD, you must add the -d [cvsroot] option to cvs.

 # cd /usr/src
 # cvs -d anon...@anoncvs.ca.openbsd.org:/cvs -q up -Pd

 I do not understand what version I then end up with, because on
 http://www.openbsd.org/faq/faq5.html#BldGetSrc and above the quoted section it
 says to add -rOPENBSD_5_6 to get -stable (for 5.6) when checking out from
 scratch. But I am not sure since this is the only example for updating
 preloaded files. If I run that there is updating of course, but there's no Tag
 that tells me if it is HEAD or whatever. If I add -rOPENBSD_5_6 I get the Tag
 file of course but what version do I get without it?!? And how should I update
 the next time?

 Thanks/Johan

 
 the version you get without any tag is -current, the latest version, lagging
 by only a few hours at most from what the devs commit, depending on the
 server.
 
Ah, thanks! I suspected that, but as I said was not sure. I'll add the
-rversion from now on. Would it perhaps be something to add to the web
page then, in the interest of absolute clarity?

Also, if I have updated to  -current as per above what is the result if
I rerun the update, but with the tag? I have tried it and while I do get
the Tag file (saying TOPENBSD_5_6) I again do not quite understand
what I should expect in that case.



Re: Following -stable, sources downloaded from mirror

2015-04-11 Thread Johan Mellberg
dan mclaughlin wrote on 2015-04-11 12:16:
 On Sat, 11 Apr 2015 11:59:14 +0200 Johan Mellberg johan.mellb...@gmail.com 
 wrote:
 dan mclaughlin wrote on 2015-04-11 10:55:
 On Sat, 11 Apr 2015 10:27:19 +0200 Johan Mellberg 
 johan.mellb...@gmail.com wrote:
 Hi,

 I want to start following -stable so I have read
 http://www.openbsd.org/anoncvs.html and
 http://www.openbsd.org/faq/faq5.html#BldGetSrc as well as looking through
 the mailing list archives for cvs from preloaded source.

 I thought that I'd preload the sources so downloaded all of sys, src, ports
 and xenocara and put them in /usr as per instructions.

 No problem, but I am left with one unclear issue (complete cvs noob). On
 http://www.openbsd.org/anoncvs.html it says

 NOTE: If you are updating a source tree that you initially fetched from a
 different server, or from a CD, you must add the -d [cvsroot] option to 
 cvs.

 # cd /usr/src
 # cvs -d anon...@anoncvs.ca.openbsd.org:/cvs -q up -Pd

 I do not understand what version I then end up with, because on
 http://www.openbsd.org/faq/faq5.html#BldGetSrc and above the quoted section it
 says to add -rOPENBSD_5_6 to get -stable (for 5.6) when checking out from
 scratch. But I am not sure since this is the only example for updating
 preloaded files. If I run that there is updating of course, but there's no Tag
 that tells me if it is HEAD or whatever. If I add -rOPENBSD_5_6 I get the Tag
 file of course but what version do I get without it?!? And how should I update
 the next time?

 Thanks/Johan


 the version you get without any tag is -current, the latest version, lagging
 by only a few hours at most from what the devs commit, depending on the
 server.

 Ah, thanks! I suspected that, but as I said was not sure. I'll add the
 -rversion from now on. Would it perhaps be something to add to the web
 page then, in the interest of absolute clarity?

 Also, if I have updated to  -current as per above what is the result if
 I rerun the update, but with the tag? I have tried it and while I do get
 the Tag file (saying TOPENBSD_5_6) I again do not quite understand
 what I should expect in that case.

 
 really not sure what would happen, never used the tags myself (i just run
 -current). to be on the safe side though, you could just grab the src.tar.gz
 for 5.6 as a starting point and run the update again with the stable tag.
 
Yup, that is what I'll do, I was just curious. Thanks!
/Johan



Re: Gnome and OpenBSD 5.4

2014-04-01 Thread Johan Mellberg
My emails do not often get to the list for some reason, so that is why you get
this reply to your own address as well.

Anyway, why don't you try using ports, which should be better than trying to 
adapt information valid for a three-year-old, unsupported version? There is an 
effort ongoing to try to get gnome working better:

http://undeadly.org/cgi?action=article&sid=20140219085851

/Johan

Sent from a smartphone of some sort. Damn you autocorrect.

 On 2 Apr 2014, at 05:53, Nex6|Bill n6gh...@yahoo.com wrote:
 
 I am trying to get Gnome to work, and it's giving me fits. I tried to follow
 this link:
 Tutorial: Install Gnome Desktop and Gnome Display Manager on
 OpenBSD 4.8 - GabSoftware
 
 for the most part, but now instead of booting to gdm or xdm it boots to the
 console, and when I startx it says file /root/.serverauth does not exist.
 
 any ideas? on what i missed?
 
 -Nex6



Re: reach a remote LAN through IPSEC from the router

2014-02-10 Thread Johan Mellberg
 On 10 Feb 2014, at 16:10, Aurelien Martin 01aurel...@gmail.com wrote:
 
 Hi Mitja,
 
 When I add the route manually it's working like a charm.
 
 But after that, all machines on my LAN ping with the following form
 (Redirect Host). What does it mean? For me the router rewrites the
 destination, which creates an overhead.
 
 
 $ ping 192.168.10.1
 PING 192.168.10.1 (192.168.10.1): 56 data bytes
 36 bytes from 192.168.20.254: Redirect Host(New addr: 192.168.20.254)
 Vr HL TOS  Len   ID Flg  off TTL Pro  cks  Src  Dst
 4  5  00 0054 85ff   0   40  01 4b56 192.168.30.2 192.168.10.1

I had a similar problem and it turned out that I had to allow redirects on my 
OpenBSD and Linux servers. I did this on OpenBSD by modifying /etc/sysctl.conf:

net.inet.icmp.rediraccept=1 # 1=Accept ICMP redirects

I believe there are smarter ways, but this was the easy way for me. 

 
 
 Cheers,Aurelien
 
 
 On 02/10/2014 04:03 PM, Mitja Muženič wrote:
 A simple trick is to add a manual route for the remote LAN to the internal
 interface of your router.
 
 
 -Original Message-
 From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf
 Of Aurelien Martin
 Sent: Monday, February 10, 2014 3:59 PM
 To: misc@openbsd.org
 Subject: reach a remote LAN through IPSEC from the router
 
 Dear all,
 
 I'm linked to another LAN through IPsec. Everything is working except
 if I try to reach the remote LAN from my OpenBSD router.
 
 In this case, the router uses the default interface (wan) instead of the
 IPsec tunneling.
 
 I would like to be able to reach the remote LAN due to a service on the
 router that needs to reach it.
 
 Please follow the log in attachment (schema-and-logs.txt +
 ipsec-pf-route.txt)
 
 Any idea ?
 
 I already tried to add a dirty route; that's working, but it creates overhead.
 
 $ ping 192.168.10.1
 PING 192.168.10.1 (192.168.10.1): 56 data bytes
 36 bytes from 192.168.20.254: Redirect Host(New addr:
 192.168.20.254)
 Vr HL TOS  Len   ID Flg  off TTL Pro  cks  Src  Dst
   4  5  00 0054 85ff   0   40  01 4b56 192.168.20.2
 192.168.10.1
 
 
 
 Have a good day
 Cheers,Aurelien
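Johan's sysctl is the client-side way out; the router-side alternative is to stop generating the redirects at all. The following /etc/sysctl.conf fragments for OpenBSD are an added example, not from the thread, with the trade-off a security reviewer would raise:

```conf
# /etc/sysctl.conf on each LAN host (the approach taken in the message above).
# Accepting redirects lets any machine on the same segment rewrite this
# host's next hop for arbitrary destinations just by sending ICMP, so it
# widens the attack surface of every host it is applied to.
net.inet.icmp.rediraccept=1     # 1=Accept ICMP redirects

# /etc/sysctl.conf on the OpenBSD router instead: leave the hosts as they are
# and do not emit redirects. The redirects in the ping output above name the
# router itself as the new gateway, so they carry no routing information the
# hosts need; they are a side effect of the manual route suggested earlier,
# which sends the packets back out the interface they arrived on.
net.inet.ip.redirect=0          # 0=Do not send ICMP redirects
```

Either setting takes effect at boot from sysctl.conf, or immediately with `sysctl net.inet.ip.redirect=0` on the router. Disabling redirects on the router is the smaller change in security terms because nothing on the hosts is loosened.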



Re: cvsync, rsync

2013-09-20 Thread Johan Mellberg
 On 20 Sep 2013, at 14:51, hru...@gmail.com wrote:
 
 and developers of OpenBSD have here a strange standpoint that they
 defend without sound argumentation, including asking the one who
 expresses the criticism to go away.

But have you understood why?

You claim that what most people here know about hashes is wrong. 

You do not provide sound arguments for this (except for fluffy statements that 
maybe could be taken from a set theory text book). 

You persist in ignoring arguments that refute your claim. 

Don't you at least wonder a bit why a large group of seemingly smart and 
logical people do not agree with you at all? That maybe you are wrong? That 
maybe your argumentative skills could be improved?

If you can prove your theory in the domain of application we'll listen. But you 
can't or you would already have done so. 

Your error in thinking is that if we have an extremely large set of strings, a 
very large set is mapped to each hash value. Therefore you reason that a 
collision is very likely. But if you are comparing two specific strings, the 
likelihood of them hashing to the same value is EXTREMELY small (other people 
replying have provided the numbers). Thus, if hash(A)=hash(B), A=B quite a bit 
more often than not. 

You are right in that many possible strings have the same hash, but there are 
many, many, many more that have a different one.  

 
 If you read rsync(1) and other documentation, you do not find any mention 
 of the last check and backtracking, but you read:
 
 Rsync is widely used for backups and mirroring and as an improved copy 
 command for everyday use.
 
 This is like the first answer I got, from Kenneth R Westerback:
 
 People use cvsync or rsync to create/maintain a local copy or copies
 of the repository. I use cvsync to sync one repository with an
 external source and then run cvsyncd on that box if I want repositories
 on other local machines. 
 
 Or also like:
 
 Coca Cola is healthy, most people in the World drink Coca Cola.  

No, that last one is nothing like the first two. 

 
 Rodrigo.
 
/Johan



Re: cvsync, rsync

2013-09-20 Thread Johan Mellberg
Rodrigo,

 On 20 Sep 2013, at 14:51, hru...@gmail.com wrote:
 
 and developers of OpenBSD have here a strange standpoint that they
 defend without sound argumentation, including asking the one who
 expresses the criticism to go away.

But have you understood why?

You claim that what most people here know about hashes is wrong. 

You do not provide sound arguments for this (except for fluffy statements that 
maybe could be taken from a set theory text book). 

You persist in ignoring arguments that refute your claim. 

Don't you at least wonder a bit why a large group of seemingly smart and 
logical people do not agree with you at all? That maybe you are wrong? That 
maybe your argumentative skills could be improved?

If you can prove your theory in the domain of application we'll listen. But you 
can't or you would already have done so. 

Your error in thinking is that if we have an extremely large set of strings, a 
very large set is mapped to each hash value. Therefore you reason that a 
collision is very likely. But if you are comparing two specific strings, the 
likelihood of them hashing to the same value is EXTREMELY small (other people 
replying have provided the numbers). Thus, if hash(A)=hash(B), A=B quite a bit 
more often than not. 

You are right in that many possible strings have the same hash, but there are 
many, many, many more that have a different one.  

/Johan
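Johan's argument in the two messages above, put as a short derivation. This is added here and is not part of the thread; the model of an ideal $n$-bit hash is an assumption, and since the thread never says which hash is at stake, the $n = 128$ figure is only an illustration.

For an ideal $n$-bit hash $h$ (every digest equally likely and independent across distinct inputs) and two fixed inputs $A \neq B$,

$$\Pr[h(A) = h(B)] = 2^{-n}.$$

For a set of $N$ distinct inputs the expected number of colliding pairs is

$$\binom{N}{2}\,2^{-n} \approx \frac{N^{2}}{2^{n+1}},$$

which reaches $1$ only near $N \approx 2^{n/2}$, the birthday bound.

The pigeonhole observation that each of the $2^{n}$ digests is shared by infinitely many strings is true, but it describes the size of the preimage sets; it says nothing about the first probability, which is the one that matters when two given files are compared. With $n = 128$, $2^{-128} \approx 2.9 \times 10^{-39}$, and a birthday collision needs on the order of $2^{64}$ inputs.

Caveat outside the thread's random-input argument: these figures assume inputs not chosen by an adversary. For MD4 and MD5, the hashes rsync has used for its strong checksum (an aside, not stated in the thread), collisions can be constructed deliberately, so a comparison that must hold up against a hostile peer needs a collision-resistant hash or a final byte-for-byte check.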



Re: More detailed information about last commands executed than lastcomm

2013-09-16 Thread Johan Mellberg
On 16 Sep 2013, at 11:38, Wiesław Kielas wieslaw.kie...@bluemedia.pl wrote:

 Dear misc@,
 
 Is there any way to get information about last commands executed on a
 OpenBSD machine? I'm interested in getting the command name along with
 arguments passed to it.
 
 From what I gathered so far, lastcomm can't show command arguments - is
 there any way/other tool which can do that?

history 

Might do the trick? But maybe you want a system-wide audit log / recording?
There are (super-expensive) things like Cyber-Ark that do ssh session
recording; maybe it could be made to work with local log-in as well.

 
 -- 
 regards, 
 
 Wiesław Kielas



Re: AuthenticationMethods skey, passwd: howto syntax?

2013-09-03 Thread Johan Mellberg
2013/9/3 Didier Wiroth didier.wir...@mesr.etat.lu

 Yes I did.
 Skey and password currently work (as standalone authentication) with sshd
 and of course on the console (via username:skey syntax).
 But if I try to use skey and password authentication together (via the
 AuthenticationMethods) in sshd it doesn't work.


Ok.

 Hello,

  (I'm running  5.4-current)
  I would like to use multiple authentication in sshd :
  1) skey
  2) and passwd (as further authentication)
 
  I tried many different settings but I can't find the correct syntax
  for the AuthenticationMethod parameter.
 


It is hard to know what to suggest that you have not already tried...

But (without having tried so no guarantees) here is what I would try:

AuthenticationMethods   keyboard-interactive:skey password

Note the space, the comma signifies alternatives, space means a new list,
one method from each list is required. New since OpenSSH 6.2 I think?

This is if I read the sshd_config man page correctly.

/Johan



Re: AuthenticationMethods skey, passwd: howto syntax?

2013-09-02 Thread Johan Mellberg
On 2 Sep 2013, at 22:53, Didier Wiroth didier.wir...@mesr.etat.lu wrote:

 Hello,
 (I'm running  5.4-current)
 I would like to use multiple authentication in sshd :
 1) skey
 2) and passwd (as further authentication)

 I tried many different settings but I can't find the correct syntax
 for the AuthenticationMethod parameter.

 How does AuthenticationMethod have to be configured in sshd_config to
 authenticate a user with skey and passwd (as further authentication)?
 (f.ex: obviously this doesn't work: AuthenticationMethods skey,password)
 The following message is logged in authlog: error: Unknown authentication
method skey in list

 Many thanks!!!
 Didier

Did you even try to read the FAQ? http://www.openbsd.org/faq/faq8.html#SKey

Good luck.



Re: www.openbsd.org down?

2013-06-25 Thread Johan Mellberg
Weird. Works from here (Sweden).

==

On 25 Jun 2013, at 11:43, Alan Cheng bsdp...@gmail.com wrote:

 I can't access www.openbsd.org right now.
 http://www.downforeveryoneorjustme.com/www.openbsd.org shows it's down.



Re: www.openbsd.org down?

2013-06-25 Thread Johan Mellberg
On 25 Jun 2013, at 12:53, Nenhum_de_Nos math...@eternamente.info wrote:

 On Tue, June 25, 2013 06:56, Yusof Khalid - FreeBSD / OpenBSD wrote:
 Yeah can't access from here (Kuala Lumpur, MY)
 
 Can't access from Brazil.
 
 matheus
 
 -- 
 
Ok, now it's down from Sweden too.