Re: Need advice on “tcp proxy”

2024-03-02 Thread Kasak



> On 3 March 2024 at 00:46, Joel Wirāmu Pauling wrote:
> 
> ssh can work in tap VPN mode (ssh -w) and will tunnel udp fine; I'm not
> sure what you are trying to achieve but perhaps ssh tunnels might be an
> option for your use case. You are probably better off setting up something
> like wireguard, but in a pinch if the target and host already have ssh.
> 
> https://wiki.archlinux.org/title/VPN_over_SSH
> 
No, ssh tunnels are a no-go for me. Remote hosts are Windows, and they are mostly 
“wild” hosts. 
> 
> 
>> On Sun, 3 Mar 2024 at 07:26, Kasak  wrote:
>> 
>> 
>> 
>>> On 2 March 2024 at 21:05, Stuart Henderson wrote:
>>> 
>>> On 2024-03-02, Kasak  wrote:
>>>> Hello misc! There is a good manual on OpenBSD faq about redirection and
>> reflection, here it is: https://www.openbsd.org/faq/pf/rdr.html#tcpproxy
>>>> 
>>>> I’m using nginx as tcp and udp proxy, but maybe there is another
>> software, more suitable for this task?
>>>> I need to redirect and reflect near 15 tcp ports and couple of udp.
>>>> I know I can do this with only pf, but I switched to nginx
>> intentionally, because this amount of ports made my pf config hard to read.
>>> 
>>> As far as TCP goes, haproxy is possibly a bit better suited. It
>>> doesn't do UDP though (and unlikely to in a generic way, see
>>> https://github.com/haproxy/haproxy/issues/62).
>>> 
>>> Depending on which UDP protocols are used there might be better
>>> alternatives though - for example if it's DNS then look at dnsdist.
>>> UDP proxying in most cases needs to be protocol-aware.
>>> 
>>> 
>> I’m afraid this is not DNS; this is Rustdesk software, an antivirus agent,
>> and other things like that.
>> Thank you anyway. I see there are not many options for me.
>> 
>> 



Re: Need advice on “tcp proxy”

2024-03-02 Thread Kasak



> On 2 March 2024 at 21:05, Stuart Henderson wrote:
> 
> On 2024-03-02, Kasak  wrote:
>> Hello misc! There is a good manual on OpenBSD faq about redirection and 
>> reflection, here it is: https://www.openbsd.org/faq/pf/rdr.html#tcpproxy
>> 
>> I’m using nginx as tcp and udp proxy, but maybe there is another software, 
>> more suitable for this task?
>> I need to redirect and reflect near 15 tcp ports and couple of udp.
>> I know I can do this with only pf, but I switched to nginx intentionally, 
>> because this amount of ports made my pf config hard to read.
> 
> As far as TCP goes, haproxy is possibly a bit better suited. It
> doesn't do UDP though (and unlikely to in a generic way, see
> https://github.com/haproxy/haproxy/issues/62).
> 
> Depending on which UDP protocols are used there might be better
> alternatives though - for example if it's DNS then look at dnsdist.
> UDP proxying in most cases needs to be protocol-aware.
> 
> 
I’m afraid this is not DNS; this is Rustdesk software, an antivirus agent, and 
other things like that. 
Thank you anyway. I see there are not many options for me.



Re: Need advice on “tcp proxy”

2024-03-02 Thread Kasak



> On 2 March 2024 at 19:17, Kapetanakis Giannis wrote:
> 
> On 02/03/2024 16:50, Kasak wrote:
>> 
>>>> On 2 March 2024 at 15:21, Kapetanakis Giannis wrote:
>>> 
>>> On 02/03/2024 12:46, Kasak wrote:
>>>> Hello misc! There is a good manual on OpenBSD faq about redirection and 
>>>> reflection, here it is: https://www.openbsd.org/faq/pf/rdr.html#tcpproxy
>>>> 
>>>> I’m using nginx as tcp and udp proxy, but maybe there is another software, 
>>>> more suitable for this task?
>>>> I need to redirect and reflect near 15 tcp ports and couple of udp.
>>>> I know I can do this with only pf, but I switched to nginx intentionally, 
>>>> because this amount of ports made my pf config hard to read.
>>>> Thank you in advance!
>>>> 
>>>> 
>>> You probably need relayd
>>> 
>>> G
>>> 
>> That was my first idea, but unfortunately relayd does not support udp. Or 
>> am I wrong?
> 
> I'm load balancing DNS UDP and TCP traffic quite fine with relayd redirects.
> 
> Under the hood, relayd redirects do pf rdr-to but you also have checks for 
> backend servers.
> 
> I'm not using relays which is full proxy, where the load balancer opens a new 
> connection to the backend server.
> 
> G
> 
Can I ask one last question before I ruin my setup? :) Do redirects do reflection? 
I mean, can local network hosts (LAN hosts) use the external address? 




Need advice on “tcp proxy”

2024-03-02 Thread Kasak
Hello misc! There is a good manual on OpenBSD faq about redirection and 
reflection, here it is: https://www.openbsd.org/faq/pf/rdr.html#tcpproxy

I’m using nginx as tcp and udp proxy, but maybe there is another software, more 
suitable for this task? 
I need to redirect and reflect near 15 tcp ports and couple of udp. 
I know I can do this with only pf, but I switched to nginx intentionally, 
because this amount of ports made my pf config hard to read. 
Thank you in advance! 
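As an added example (not part of the original post, and not the FAQ's own text), here is how the FAQ's redirection-and-reflection pattern scales to a dozen-plus ports while staying readable: the port inventory lives in two lists, so each rule is written once and adding a port is a one-line change. Interface names, the internal server address and every port number below are assumed values for illustration.

```pf
# /etc/pf.conf fragment (added example). Interfaces, the internal server and
# all port numbers are assumptions, not taken from the thread.
ext_if = "em0"
int_if = "em1"
server = "192.168.1.10"

# One inventory of forwarded ports; every rule below refers to these lists.
tcp_ports = "{ 21115 21116 21117 21118 21119 3389 5900 8080 8443 9001 9002 9003 9004 9005 9006 }"
udp_ports = "{ 21116 21118 }"

# Redirection: traffic arriving from the internet on the external address.
pass in on $ext_if inet proto tcp to ($ext_if) port $tcp_ports rdr-to $server
pass in on $ext_if inet proto udp to ($ext_if) port $udp_ports rdr-to $server

# Reflection: LAN hosts that connect to the external address instead of
# $server directly. The rdr-to sends them to $server; the nat-to on the way
# out replaces the LAN client's address with the firewall's own LAN address,
# so $server replies through the firewall and not straight back to the
# client (a direct reply would never match the state and the connection
# would hang).
pass in on $int_if inet proto tcp from $int_if:network to ($ext_if) port $tcp_ports rdr-to $server
pass in on $int_if inet proto udp from $int_if:network to ($ext_if) port $udp_ports rdr-to $server
match out on $int_if inet proto tcp to $server port $tcp_ports received-on $int_if nat-to ($int_if)
match out on $int_if inet proto udp to $server port $udp_ports received-on $int_if nat-to ($int_if)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and `pfctl -sr` shows the lists already expanded into one rule per port, which is the part that made the hand-written version unreadable. Note that every port in the lists is opened to the whole internet by the `pass in on $ext_if` rules; if some of them are only for the LAN, keep them in a separate list that only the reflection rules use.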


smtpd and honeypot (rspamd)

2023-10-23 Thread kasak

Hello misc!
I'm trying to make a honeypot with smtpd and rspamd.

Here is an excerpt from my smtpd.conf:

table honeypot file:/etc/mail/traps
action "trap" mda "/usr/local/bin/rspamc -f 1 -w 10 fuzzy_add"
match !from src  for rcpt-to  action "trap"

The table contains some spoiled addresses from my domain,

and in my action I try to feed the mails directly to rspamc, but it looks 
like there is a problem here :(


Oct 23 06:38:06 gater smtpd[71376]: 09ca23ebba479031 smtp failed-command 
command="RCPT TO: " result="550 Invalid recipient: 
"


Some experiments showed me that "normal" delivery methods (for example 
maildir) work fine, and the problem is probably in my "action" rule.


Maybe someone has ideas about it?
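One thing to check, as an added example that is not from the post: an mda action runs its command as a local user, and a plain list table gives smtpd no user to resolve the trap recipients to, which is consistent with the "550 Invalid recipient" in the log. A mapping table used with `virtual` supplies that user. The trap addresses, the trusted network and the user name are assumptions; the cause itself is a guess from the symptom, not something the post confirms.

```smtpd
# smtpd.conf fragment (added example). Addresses, network and user are assumed.
table aliases file:/etc/mail/aliases
table trusted { 192.0.2.0/24 }

# Map every trap address to the unprivileged user that should run the mda
# command. Without a user to resolve to, RCPT TO for these addresses is
# rejected before the action is ever reached.
table traps { "old-sales@example.org" = "_rspamd", "webmaster-2009@example.org" = "_rspamd" }

# rspamc reads the message from stdin and adds it to the fuzzy storage
action "trap" mda "/usr/local/bin/rspamc -f 1 -w 10 fuzzy_add" virtual <traps>
action "local_mail" maildir alias <aliases>

# Traps only catch mail that did not originate from our own network
match !from src <trusted> for rcpt-to <traps> action "trap"
match from any for local action "local_mail"
```

`smtpd -n` checks the file before a restart. Two caveats: `rspamc fuzzy_add` talks to rspamd's controller worker, so running it as `_rspamd` needs either a controller password (`rspamc -P`) or localhost listed in the controller's `secure_ip`; and because the action runs as `_rspamd`, that user must be able to execute `/usr/local/bin/rspamc` and reach the controller socket.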



Re: sed and tab

2023-08-22 Thread kasak



On 22.08.2023 15:34, Stuart Henderson wrote:

On 2023-08-22, kasak  wrote:

Hello misc!

I'm in trouble with sed!

I need to insert tab in some places, but no luck :(

In Linux it works:

[kasak@kasakoff ~]$ echo 'one two three' | sed s/two/\\ttwo/
one     two three

In OpenBSD it just adds a t:

kasak@OpenBSD:~$ echo 'one two three' | sed s/two/\\ttwo/
one ttwo three

\t in the replacement string is not portable, it's an extension in GNU
sed (https://www.gnu.org/software/sed/manual/html_node/Escapes.html).

alternatives:

echo 'one two three' | sed -e "s/two/`printf '\t'`two/"
echo 'one two three' | perl -p -e s/two/\\ttwo/

or you can use a literal tab character, typed in many shells with ^V tab:

echo 'one two three' | sed 's/two/  two/'


Oh, thanks! I didn't know about that ctrl+v tab feature!



sed and tab

2023-08-22 Thread kasak

Hello misc!

I'm in trouble with sed!

I need to insert tab in some places, but no luck :(

In Linux it works:

[kasak@kasakoff ~]$ echo 'one two three' | sed s/two/\\ttwo/
one     two three

In OpenBSD it just adds a t:

kasak@OpenBSD:~$ echo 'one two three' | sed s/two/\\ttwo/
one ttwo three




Universal Media Server on OpenBSD

2023-02-10 Thread kasak

Hello misc!

If somebody is interested, I've successfully launched UMS on OpenBSD 7.2.

Here it is:


pkg_add mediainfo mplayer ffmpeg jdk%17

useradd -L daemon -s /sbin/nologin -d /var/ums -m -k /var/empty _ums   # -k /var/empty: empty skeleton dir, no dotfiles copied

ftp https://github.com/UniversalMediaServer/UniversalMediaServer/releases/download/13.2.0/UMS-13.2.0-x86_64.tgz


doas tar -xzvf UMS-13.2.0-x86_64.tgz -C /usr/local -s /-13.2.0//

After that, create an rc file for headless mode:

/etc/rc.d/ums:

-

#!/bin/ksh

JAVA_HOME="/usr/local/jdk-17"
JAVA="$JAVA_HOME/bin/java"
UMS_MAX_MEMORY=1280M
PMS_JARS="update.jar:ums.jar"
PMS_HOME=/usr/local/ums

# "console" starts UMS headless; the JVM is started from $PMS_HOME
# (daemon_execdir) so the relative jar names in the classpath resolve
daemon="$JAVA -Xmx$UMS_MAX_MEMORY -Xss2048k -Dfile.encoding=UTF-8 \
	-Djava.net.preferIPv4Stack=true -Djna.nosys=true -classpath $PMS_JARS \
	net.pms.PMS console"

daemon_user="_ums"
daemon_execdir="$PMS_HOME"

. /etc/rc.d/rc.subr

rc_bg="YES"
rc_reload="NO"
rc_cmd $1

-


It seems to work just fine.

Do we need a port for it? I wanted to create a port, but it is pretty 
difficult for me. Maybe if it is needed, I should dig into it?




Re: do i need to move to veb?

2023-01-23 Thread kasak



On 23.01.2023 18:52, Hrvoje Popovski wrote:

On 23.1.2023. 16:24, kasak wrote:

On 22.01.2023 14:49, David Gwynne wrote:

On Sat, Jan 21, 2023 at 03:41:56PM +0300, kasak wrote:

Hello misc!

I'm using bridge for integrating remote clients to my network with this
simple config:

$ cat /etc/hostname.bridge0
add vether0
add em1
add tap1
up

I see in this commit that veb is supposed to replace bridge
https://marc.info/?l=openbsd-cvs=161405102019493=2

Does it make sense to move to veb for me, or not?
There is approximately 150 clients on the "em1" side and 10 on "tap1"

unless you're using pf to filter on em1 and tap1, then moving from
bridge and vether to veb and vport is simple. veb can be a lot faster
than bridge, so maybe that's a reason to try moving?

dlg


I've followed your advice and failed :(

I moved hostname.bridge0 to hostname.veb0, moved hostname.vether0 to
hostname.vport0

and edited hostname.veb0, replacing "add vether0" with "add vport0"

after reboot I cannot reach the veb0 network :( ping answers "the network is
down"



Did you put "up" at the end of hostname.veb0 and maybe at the end of
hostname.vport0 ?



Ah! There it was!

I forgot to add "up" to vport!
Now we know that it does not work without it :)

Thanks for help!
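For reference, the two hostname.if files as they end up after the fix, as an added example rather than files quoted in the thread; the interface names are the ones from the thread, the address and netmask on vport0 are assumptions.

```conf
# /etc/hostname.vport0 (replaces hostname.vether0): the layer-3 side of the
# switch. Address and mask are assumed. The "up" is what was missing.
inet 192.168.1.1 255.255.255.0
up

# /etc/hostname.veb0 (replaces hostname.bridge0): the switch itself, with the
# vether0 member replaced by vport0.
add vport0
add em1
add tap1
up
```

Apply without a reboot with `sh /etc/netstart vport0 veb0` (vport0 first, so it exists when veb0 tries to add it) and confirm with `ifconfig veb0` that all three ports are listed. em1 and tap1 keep their own hostname.if files bringing them `up`, exactly as they did under bridge(4); nothing about them changes in the move.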




Re: do i need to move to veb?

2023-01-23 Thread kasak



On 22.01.2023 14:49, David Gwynne wrote:

On Sat, Jan 21, 2023 at 03:41:56PM +0300, kasak wrote:

Hello misc!

I'm using bridge for integrating remote clients to my network with this
simple config:

$ cat /etc/hostname.bridge0
add vether0
add em1
add tap1
up

I see in this commit that veb is supposed to replace bridge
https://marc.info/?l=openbsd-cvs=161405102019493=2

Does it make sense to move to veb for me, or not?
There is approximately 150 clients on the "em1" side and 10 on "tap1"

unless you're using pf to filter on em1 and tap1, then moving from
bridge and vether to veb and vport is simple. veb can be a lot faster
than bridge, so maybe that's a reason to try moving?

dlg


I've followed your advice and failed :(

I moved hostname.bridge0 to hostname.veb0, moved hostname.vether0 to 
hostname.vport0


and edited hostname.veb0, replacing "add vether0" with "add vport0"

after reboot I cannot reach the veb0 network :( ping answers "the network is 
down"





do i need to move to veb?

2023-01-21 Thread kasak

Hello misc!

I'm using bridge for integrating remote clients to my network with this 
simple config:


$ cat /etc/hostname.bridge0
add vether0
add em1
add tap1
up

I see in this commit that veb is supposed to replace bridge 
https://marc.info/?l=openbsd-cvs=161405102019493=2


Does it make sense to move to veb for me, or not?
There is approximately 150 clients on the "em1" side and 10 on "tap1"



samba maps nobody as a home share

2022-10-26 Thread kasak

hello misc!

Just want to share some interesting samba behavior after the update to 7.2.

Samba now creates a share named "nobody" when it should not!

The config is very simple:

[global]
    map to guest = Bad User
    server min protocol = NT1

[homes]
    comment = Home Directories
    browseable = No
    read only = No

[share]
    path = /mnt/HDD/share
    read only = No
    guest ok = Yes
    guest only = Yes


I suspect that samba improperly binds "nobody" as a "homes" share for the 
guest user.


I've tried same conf on the fedora machine, with the same version of 
samba (4.16.5) and there is no "nobody" share on it.


So I think this is OpenBSD specific.



Thanks all devs for 7.2!

2022-10-21 Thread kasak

Thank you all for great work! OpenBSD is the best as it was!

I have some advice for those who will be updating this time.

During pkg_add -u there were some problems with samba.

It conflicts with ldb, which is also installed. If you experience a 
conflict with this port, just delete ldb and install samba.


Also, I had some problems with php81.

It was crashing because libssl.so.52.0 was not found. I don't know why, but 
reinstalling all php packages solved the problem.


There is an easy way to reinstall php on OpenBSD. Just do

pkg_info -mz | grep -e "php" -e "pecl" > php.install
pkg_delete php
pkg_add -l php.install

also you can reinstall all pkg with
pkg_info -mz > all.install
pkg_delete -X
pkg_add -l all.install



Re: kernel fault after 7.1

2022-05-17 Thread kasak



On 18.05.2022 02:28, Stuart Henderson wrote:

On 2022/05/18 01:40, Vitaliy Makkoveev wrote:

On 18 May 2022, at 01:18, Stuart Henderson  wrote:

On 2022-05-17, kasak  wrote:

Can I somehow revert the kernel to 7.1-release, to make syspatch work?

Boot bsd.rd and do an 'upgrade' install to 7.1 again. (You can also do
this with sysupgrade if you modify the script).




Or just download bsd.mp kernel from [1], check it with signify(1) and
reboot.

1. https://ftp.openbsd.org/pub/OpenBSD/7.1/amd64/

Doing an 'upgrade' also cleans out any syspatches that were applied
before updating the kernel to -stable and gets things into more of
a known state (that's why I suggested doing it, even though it's a
bit more awkward)


Worked like a charm! Thanks!



Re: kernel fault after 7.1

2022-05-17 Thread kasak



On 23.04.2022 15:47, Stuart Henderson wrote:

On 2022-04-23, kasak  wrote:

Hello everybody. After upgrading to 7.1 my router started to panic very
often :(( about twice a day.

Please report to b...@openbsd.org, with the information from your mail,
plus dmesg, and an outline of how the machine is configured (what types
of network interface/pseudointerface are involved, a bit about ipsec
config and what software is running, is it iked or isakmpd or static,
is sasyncd running, etc)



This is the information from the screen:

kernel: protection fault trap, code=0

Stopped at    ipsp_ids_gc+0xb4    cmpl $0,0x64(%r14)

ddb{0}> show panic

the kernel did not panic
ddb{0}> trace

ipsp_ids_gc(0) at ipsp_ids_gc+0xb4

softclock_thread(800022baf260) at softclock_thread+0x13b

and trace frame: 0x0, count: -2

ddb{0}> machine ddbcpu 1

Stopped at    x86_ipi_db+0x12:    leave

ddb{1}> trace

x86_ipi_db(800022909ff0) at x86_ipi_db+0x12

x86_ipi_handler() at x86_ipi_handler+0x80

Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23

acpicpu_idle() at acpicpu_idle+0x203

sched_idle(800022909ff0) at sched_idle+0x280

end trace frame: 0x0, count -5





I'm so happy that this bug was fixed so quickly; thanks to all 
involved people!


Now I'm using my self-compiled 7.1-stable with patches for ipsec, with 
no issues for 20 days.


Can I somehow revert the kernel to 7.1-release, to make syspatch work?



Re: SAMBA 4.15 share and compatibility with older Macs

2022-05-03 Thread Kasak



> On 3 May 2022 at 18:39, Riccardo Mottola wrote:
> 
> Hi,
> 
> I have a samba share which is accessible to both windows (7, 10) and
> Mac, including old Macs (10.5-10.7) which use samba.
> Unix accesses through NFS.
> 
> MacOS uses an old version of Samba, I always had issues. I added this
> section to have everything working on samba 4.14 on OpenBSD 7.0
> 
> # Support older clients
>   server min protocol = NT1
>   ntlm auth = yes
>   lanman auth = yes
> 
> This, from what I understand, makes it about as Windows NT / XP. I wonder
> why I need "server min protocol" since there is autonegotiation, but if I
> remove it, login fails with 4.14.
> 
> Now OpenBSD 7.1 comes with 4.15.  "server min protocol" has been
> removed, according to release notes.
It has not been removed; they only removed obsolete parts of the SMB1 protocol. 
I think the problem is somewhere else.
Honestly, I can test only on High Sierra. I see no issues here. But I don't have 
older Macs.
> 
> If I try to connect now to 4.15 on OpenBSD I can authenticate from Mac,
> I see the shares, but cannot see any files, listing fails.
> If I do the same from windows 10, it works - so i guess it is a
> retro-compatibility issue.
> 
> Any ideas?
> 
> Riccardo
> 



Re: rspamd and pyzor

2022-05-03 Thread kasak



On 03.05.2022 16:48, Stuart Henderson wrote:

On 2022-05-03, kasak  wrote:

The rspamd manual assumes that we should use this construction:

ExecStart=/bin/sh -c '/usr/bin/razor-check && /usr/bin/echo -n "spam" || /usr/bin/echo -n "ham"'

The razor-check manual confirms this: "razor-check" terminates with exit
value 0 if the signature for the mail is catalogued on the server (spam)
or 1 if the mail is not catalogued by the server (not a spam).

I don't like this construction, and can't even imagine that we can do
the same with inetd.
Maybe I should put all this into some script and call it from inetd, but
I'm not sure if this is a good idea or not.

it may work direct in inetd.conf, but yes that would be neater.
I don't think there's any disadvantage to running it in a shell script
rather than as a "sh -c" construct.

btw keep an eye on how it performs, I haven't used pyzor/razor in a
fairly long time but have used dcc more recently, I found it fairly easy
for some bulk/automated non-spam to get caught up by the checks.
I stopped using it because of this, the biggest problem was mail where
there were a couple of other spam signs (but not enough to trigger
detection by themselves). at least, you really don't want to learn
symbols for Bayesian detection or feed neural network detection from
those mails.


Thanks for the warning, I'll monitor it!
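The script Stuart suggests, written out as an added example (it is not from the thread or from the rspamd documentation). It does under inetd what the `sh -c 'razor-check && echo -n spam || echo -n ham'` line does under a systemd socket: inetd hands the connection to the script as stdin/stdout, so the message arrives on stdin and the one-word verdict goes back on stdout. The razor-check path, the home directory and the installed script name are assumptions.

```sh
#!/bin/sh
# razor-inetd.sh: inetd wrapper around razor-check for rspamd's
# external_services module (added example, not from the thread or rspamd).
# Under inetd the socket is stdin/stdout: the message comes in on stdin and
# the verdict is written to stdout. Binary path and home directory are
# assumptions; the home must be writable by the user inetd runs this as.

RAZOR_CHECK="${RAZOR_CHECK:-/usr/local/bin/razor-check}"
RAZOR_HOME="${RAZOR_HOME:-/var/rspamd/razor}"

# razor_verdict CMD [ARGS...]: run CMD with the message on stdin and print
# "spam" if it exits 0 (signature catalogued on the server) or "ham" if it
# exits 1 (not catalogued). Any other status means razor itself failed
# (no network, unwritable home): still answer "ham" so the scan does not
# block delivery, but log it so a broken razor does not silently look like
# a stream of clean mail. No trailing newline, like the echo -n in the docs.
razor_verdict() {
    if "$@" >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    case $rc in
        0) printf 'spam' ;;
        1) printf 'ham' ;;
        *) logger -t razor-inetd "razor-check exited with status $rc" 2>/dev/null || :
           printf 'ham' ;;
    esac
    return 0
}

# Only talk to stdin/stdout when started under the installed name (as inetd
# does); sourcing the file elsewhere just defines the function.
case "$0" in
    */razor-inetd.sh|razor-inetd.sh)
        razor_verdict "$RAZOR_CHECK" -home="$RAZOR_HOME"
        ;;
esac
```

The matching inetd.conf line, with the port an assumption, follows the pyzor one from this thread: `127.0.0.1:11342 stream tcp nowait _rspamd /usr/local/libexec/razor-inetd.sh razor-inetd.sh`, and rspamd's external_services entry for razor then points at `127.0.0.1:11342`. Test it without rspamd with `nc 127.0.0.1 11342 < some.eml`; the reply is the bare word.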



Re: rspamd and pyzor

2022-05-03 Thread kasak



On 03.05.2022 11:38, Stuart Henderson wrote:

On 2022-05-02, kasak  wrote:

Hello misc!

I have some information for rspamd users, and one question.

As you may know, rspamd does not use pyzor by directly calling the pyzor binary.

Instead, they say, you need to create a special systemd socket and call
pyzor through it.

It is described on rspamd manuals:
https://rspamd.com/doc/modules/external_services.html#pyzor-specific-details

OpenBSD does not have systemd, but it has inetd.

This is a simple way to create a socket similar to systemd's:

127.0.0.1:5953    stream    tcp    nowait    root    /usr/local/bin/pyzor    pyzor check

It actually works, but you may notice that I'm using "root" here.

I've tried to use the _rspamd user, but for some reason it drops an error

rspamd[90054]: <9ef568>; lua; pyzor.lua:134: error parsing response:
ERROR [Errno 13] Permission denied: '/root/.pyzor'.\\0a

Can somebody explain to me what is happening here? Why does the socket, run
as _rspamd, try to access root's home instead of _rspamd's home?

I bet inetd is not resetting HOME in the environment and just passes through
the environment it was running under itself.

Simplest / most efficient fix is probably to just use pyzor's --homedir flag.


Thanks for clarification! As always, you are absolutely right!

here is working config:

127.0.0.1:5953    stream    tcp    nowait    _rspamd    /usr/local/bin/pyzor    pyzor --homedir=/var/rspamd/pyzor check





And of course, maybe someone have an idea how to implement the same for
the razor-agents?

Same but with -home?


The rspamd manual assumes that we should use this construction:

ExecStart=/bin/sh -c '/usr/bin/razor-check && /usr/bin/echo -n "spam" || /usr/bin/echo -n "ham"'


The razor-check manual confirms this: "razor-check" terminates with exit 
value 0 if the signature for the mail is catalogued on the server (spam) 
or 1 if the mail is not catalogued by the server (not a spam).


I don't like this construction, and can't even imagine that we can do 
the same with inetd.


Maybe I should put all this into some script and call it from inetd, but 
I'm not sure if this is a good idea or not.




Re: rspamd and pyzor

2022-05-03 Thread Kasak



> On 3 May 2022 at 09:08, Michael Hekeler wrote:
> 
> Am 02.05.22 19:06 schrieb kasak:
>> Hello misc!
>> 
>> I have some information for rspamd users, and one question.
>> 
>> As you may know, rspamd does not use pyzor by directly calling the pyzor binary.
>> 
>> Instead, they say, you need to create a special systemd socket and call pyzor
>> through it.
>> 
>> It is described on rspamd manuals:
>> https://rspamd.com/doc/modules/external_services.html#pyzor-specific-details
>> 
>> OpenBSD does not have systemd, but it has inetd.
>> 
>> This is a simple way to create a socket similar to systemd's:
>> 
>> 127.0.0.1:5953    stream    tcp    nowait    root    /usr/local/bin/pyzor    pyzor check
>> 
>> It actually works, but you may notice that I'm using "root" here.
>> 
>> I've tried to use the _rspamd user, but for some reason it drops an error
>> 
>> rspamd[90054]: <9ef568>; lua; pyzor.lua:134: error parsing response: ERROR
>> [Errno 13] Permission denied: '/root/.pyzor'.\\0a
>> 
>> Can somebody explain to me what is happening here? Why does the socket, run as
>> _rspamd, try to access root's home instead of _rspamd's home?
> 
> I don't know what this pyzor is, so I became curious and took a look...
> Their docs say clearly that the default homedir is ~/.pyzor
> So if your instance of pyzor tries to access /root/.pyzor then it is a
> strong indication that you are running pyzor as root, no?

Exactly! But it should work as _rspamd. That is what I’m trying to explore.
> 
> To debug this I would suggest to start pyzor manually with the user you
> want it to run (see su(1)).

With su, it works as expected, calling /var/rspamd/.pyzor in my case.
> It's been ages since I used inetd; that's why I can't help with that.
> But are you sure that you need it for pyzor?!?!?!?
> 
I need it to connect pyzor to rspamd.



rspamd and pyzor

2022-05-02 Thread kasak

Hello misc!

I have some information for rspamd users, and one question.

As you may know, rspamd does not use pyzor by directly calling the pyzor binary.

Instead, they say, you need to create a special systemd socket and call 
pyzor through it.


It is described on rspamd manuals: 
https://rspamd.com/doc/modules/external_services.html#pyzor-specific-details


OpenBSD does not have systemd, but it has inetd.

This is a simple way to create a socket similar to systemd's:

127.0.0.1:5953    stream    tcp    nowait    root    /usr/local/bin/pyzor    pyzor check


It actually works, but you may notice that I'm using "root" here.

I've tried to use the _rspamd user, but for some reason it drops an error

rspamd[90054]: <9ef568>; lua; pyzor.lua:134: error parsing response: 
ERROR [Errno 13] Permission denied: '/root/.pyzor'.\\0a


Can somebody explain to me what is happening here? Why does the socket, run 
as _rspamd, try to access root's home instead of _rspamd's home?


And of course, maybe someone has an idea how to implement the same for 
the razor-agents?




kernel fault after 7.1

2022-04-22 Thread kasak
Hello everybody. After upgrading to 7.1 my router started to panic very 
often :(( about twice a day.


This is the information from the screen:

kernel: protection fault trap, code=0

Stopped at    ipsp_ids_gc+0xb4    cmpl $0,0x64(%r14)

ddb{0}> show panic

the kernel did not panic
ddb{0}> trace

ipsp_ids_gc(0) at ipsp_ids_gc+0xb4

softclock_thread(800022baf260) at softclock_thread+0x13b

and trace frame: 0x0, count: -2

ddb{0}> machine ddbcpu 1

Stopped at    x86_ipi_db+0x12:    leave

ddb{1}> trace

x86_ipi_db(800022909ff0) at x86_ipi_db+0x12

x86_ipi_handler() at x86_ipi_handler+0x80

Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23

acpicpu_idle() at acpicpu_idle+0x203

sched_idle(800022909ff0) at sched_idle+0x280

end trace frame: 0x0, count -5




Re: sysupgrade fails due to "CHECK AND RESET DATE" ?

2022-04-07 Thread Kasak



> On 7 April 2022 at 17:13, Jan Stary wrote:
> 
> 
>> 
>> It seems that the problem is not having any display device during the sysupgrade
>> process.
> 
> I don't think sysupgrade has any requirements regarding a display device:
> headless machines get sysupgraded regularly
Yes. I have some other headless machines, but this PC does not update without a 
display.
And some guys on Reddit also had this issue.



Re: sysupgrade fails due to "CHECK AND RESET DATE" ?

2022-04-05 Thread kasak



On 19.10.2021 10:14, kasak wrote:


On 18.10.2021 23:18, kasak wrote:

Hello everyone!

I have one mini router, made from a Gigabyte GB-SBCAP4200 barebone.

It has nothing special. Just base openbsd, without any additional 
packages and modifications.


For some reason, sysupgrade does not upgrade this system.
It successfully boots the new kernel, but does not process the upgrade; it 
just loads 6.9 back.


This is dmesg from loading 7.0 and further:

OpenBSD 7.0 (RAMDISK_CD) #219: Thu Sep 30 14:32:42 MDT 2021
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
real mem = 8415617024 (8025MB)
avail mem = 8156545024 (7778MB)
random: good seed from bootblocks
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x79db7000 (50 entries)
bios0: vendor American Megatrends Inc. version "F1" date 06/11/2018
bios0: Gigabyte Technology Co., Ltd. Default string
acpi0 at bios0: ACPI 6.0
acpi0: tables DSDT FACP FPDT FIDT MCFG DBG2 DBGP HPET LPIT APIC NPKT 
PRAM WSMT SSDT SSDT SSDT SSDT SSDT SSDT SSDT UEFI TPM2 WDAT

acpihpet0 at acpi0: 1920 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Pentium(R) CPU N4200 @ 1.10GHz, 1097.47 MHz, 06-5c-09
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,MPX,RDSEED,SMAP,CLFLUSHOPT,PT,SHA,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN

cpu0: 1MB 64b/line 16-way L2 cache
cpu0: apic clock running at 19MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.2.4.2.1.1, IBE
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 120 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (RP01)
acpiprt2 at acpi0: bus -1 (RP02)
acpiprt3 at acpi0: bus 1 (RP03)
acpiprt4 at acpi0: bus 2 (RP04)
acpiprt5 at acpi0: bus 3 (RP05)
acpiprt6 at acpi0: bus 4 (RP06)
acpiec0 at acpi0: not present
acpipci0 at acpi0 PCI0: 0x 0x0011 0x0001
acpicmos0 at acpi0
"PNP0C0C" at acpi0 not configured
aplgpio0 at acpi0 GPO0 uid 1 addr 0xd0c5/0x76c irq 14, 78 pins
aplgpio1 at acpi0 GPO1 uid 2 addr 0xd0c4/0x764 irq 14, 77 pins
aplgpio2 at acpi0 GPO2 uid 3 addr 0xd0c7/0x674 irq 14, 47 pins
aplgpio3 at acpi0 GPO3 uid 4 addr 0xd0c0/0x654 irq 14, 43 pins
"INT33A1" at acpi0 not configured
"MSFT0101" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
acpicpu at acpi0 not configured
acpipwrres at acpi0 not configured
acpitz at acpi0 not configured
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Apollo Lake Host" rev 0x0b
"Intel HD Graphics 505" rev 0x0b at pci0 dev 2 function 0 not configured
"Intel Apollo Lake HD Audio" rev 0x0b at pci0 dev 14 function 0 not 
configured
"Intel Apollo Lake TXE" rev 0x0b at pci0 dev 15 function 0 not 
configured
ahci0 at pci0 dev 18 function 0 "Intel Apollo Lake AHCI" rev 0x0b: 
msi, AHCI 1.3.1

ahci0: PHY offline on port 0
ahci0: port 1: 6.0Gb/s
scsibus0 at ahci0: 32 targets
sd0 at scsibus0 targ 1 lun 0:  
naa.50026b7783a249ed

sd0: 228936MB, 512 bytes/sector, 468862128 sectors, thin
ppb0 at pci0 dev 19 function 0 "Intel Apollo Lake PCIE" rev 0xfb: msi
pci1 at ppb0 bus 1
ppb1 at pci0 dev 19 function 1 "Intel Apollo Lake PCIE" rev 0xfb: msi
pci2 at ppb1 bus 2
ppb2 at pci0 dev 19 function 2 "Intel Apollo Lake PCIE" rev 0xfb: msi
pci3 at ppb2 bus 3
re0 at pci3 dev 0 function 0 "Realtek 8168" rev 0x0c: RTL8168G/8111G 
(0x4c00), msi, address e0:d5:5e:e7:50:4f

rgephy0 at re0 phy 7: RTL8251 PHY, rev. 0
ppb3 at pci0 dev 19 function 3 "Intel Apollo Lake PCIE" rev 0xfb: msi
pci4 at ppb3 bus 4
re1 at pci4 dev 0 function 0 "Realtek 8168" rev 0x0c: RTL8168G/8111G 
(0x4c00), msi, address e0:d5:5e:e7:50:51

rgephy1 at re1 phy 7: RTL8251 PHY, rev. 0
xhci0 at pci0 dev 21 function 0 "Intel Apollo Lake xHCI" rev 0x0b: 
msi, xHCI 1.0

usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 1 interface 0 "Intel xHCI root hub" rev 
3.00/1.00 addr 1
"Intel Apollo Lake LPC" rev 0x0b at pci0 dev 31 function 0 not 
configured
"Intel Apollo Lake SMBus" rev 0x0b at pci0 dev 31 function 1 not 
configured

isa0 at mainbus0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
efifb at mainbus0 not configured
softraid0 at root
scsibus1 at softraid0: 256 targets
root on rd0a swap on rd0b dump on rd0b
WARNING: CHECK AND RESET THE DATE!
OpenBSD 6.9 (GENERIC.MP) #4: Tue Aug 10 08:12:23 MDT 2021
r...@syspatch-69-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP 


real mem = 8415617024 (8025MB)
avail mem = 8145182720 (7767MB)
random: g

Re: rspamd and empty "mail from" header

2022-02-18 Thread kasak



On 18.02.2022 14:26, Claus Assmann wrote:

On Fri, Feb 18, 2022, kasak wrote:


But, is this correct behavior of "mail from" header? Maybe the header

What is a ``"mail from" header''?
Do you mean the mail header
From:
or are you referring to the SMTP MAIL command
MAIL From:


should have "<>" in it?

You can check the fine RFCs (e.g., 5322 for headers, 5321 for SMTP)
-- AFAICT an empty address is not valid for the "From:" header
and certainly not for the MAIL command.


I am referring to the SMTP "mail from" command.

As I see in RFC 5321:

A MAIL command with a null
   reverse-path appears as follows:

  MAIL FROM:<>

And Vsevolod, the developer of rspamd, mentioned that mails coming to rspamd 
from opensmtpd appear to have no "<>".

Honestly, I'm far from development and I can't understand where the 
brackets went. I just want to help solve a problem that maybe 
some other users can face.



rspamd and empty "mail from" header

2022-02-18 Thread kasak
Hello misc! I mailed this message to m...@opensmtpd.org at first, 
but nobody answered; maybe someone can help here?


I have a question about opensmtpd and rspamd.
I'm using opensmtpd and rspamd as a relay server with spam checking.
The spam check is done with help of opensmtpd-filter-rspamd.
The os is OpenBSD 7.0

I have noticed that all DSN messages coming to or from the internal mail
server are marked as spam, because rspamd adds BROKEN HEADERS for
these messages.
First of all, I tried to research this issue but with no luck; I've
created this issue on the rspamd GitHub repo
https://github.com/rspamd/rspamd/issues/3983
And we found that messages with "broken headers" have an empty "mail
from" header, where rspamd expects it as "<>".

The patch to workaround this was added to rspamd side.
But is this correct behavior of the "mail from" header? Maybe the header
should have "<>" in it?



Need help for fixing ruby gem for diaspora

2021-12-08 Thread kasak

Hello misc! I'm now trying to deploy diaspora on OpenBSD.

I was almost successful; the only problem is:

I can't build the 'eye' gem, which requires the 'kostya-sigar' gem, and 
'kostya-sigar' is failing to build.


At first I created an issue on GitHub 
https://github.com/kostya/sigar/issues/12 but the owner of the repo could not 
help me.


Maybe some of openbsd devs can.

Without any edits, the gem does not build because of the lack of "sys/dkstat.h":

compiling darwin_sigar.c
darwin_sigar.c:55:10: fatal error: 'sys/dkstat.h' file not found
#include 
 ^~

I've tried to replace sys/dkstat.h with sys/sched.h

and now build fails with this errors:

compiling darwin_sigar.c
darwin_sigar.c:1080:21: error: no member named 'kp_eproc' in 'struct 
kinfo_proc'

    if (proc[i].KI_FLAG & P_SYSTEM) {
    ~~~ ^
darwin_sigar.c:227:17: note: expanded from macro 'KI_FLAG'
#define KI_FLAG kp_eproc.e_flag
    ^
darwin_sigar.c:1080:31: error: use of undeclared identifier 'P_SYSTEM'
    if (proc[i].KI_FLAG & P_SYSTEM) {
  ^
darwin_sigar.c:1083:21: error: no member named 'kp_proc' in 'struct 
kinfo_proc'

    if (proc[i].KI_PID == 0) {
    ~~~ ^
darwin_sigar.c:212:17: note: expanded from macro 'KI_PID'
#define KI_PID  kp_proc.p_pid
    ^
darwin_sigar.c:1087:54: error: no member named 'kp_proc' in 'struct 
kinfo_proc'

    proclist->data[proclist->number++] = proc[i].KI_PID;
 ~~~ ^
darwin_sigar.c:212:17: note: expanded from macro 'KI_PID'
#define KI_PID  kp_proc.p_pid
    ^
darwin_sigar.c:1118:29: error: use of undeclared identifier 'KERN_PROC2'
    int mib[] = { CTL_KERN, KERN_PROC2, KERN_PROC_PID, 0, 
sizeof(*sigar->pinfo), 1 };

    ^
darwin_sigar.c:1118:65: error: invalid application of 'sizeof' to an 
incomplete type 'bsd_pinfo_t' (aka 'struct kinfo_proc2')
    int mib[] = { CTL_KERN, KERN_PROC2, KERN_PROC_PID, 0, 
sizeof(*sigar->pinfo), 1 };

^~~
../../src/os/darwin/sigar_os.h:49:16: note: forward declaration of 
'struct kinfo_proc2'

typedef struct kinfo_proc2 bsd_pinfo_t;
   ^
darwin_sigar.c:1122:24: error: invalid application of 'sizeof' to an 
incomplete type 'bsd_pinfo_t' (aka 'struct kinfo_proc2')

    size_t len = sizeof(*sigar->pinfo);
   ^~~
../../src/os/darwin/sigar_os.h:49:16: note: forward declaration of 
'struct kinfo_proc2'

typedef struct kinfo_proc2 bsd_pinfo_t;
   ^
darwin_sigar.c:1139:21: error: invalid application of 'sizeof' to an 
incomplete type 'int []'

    if (sysctl(mib, NMIB(mib), sigar->pinfo, , NULL, 0) < 0) {
    ^
darwin_sigar.c:115:26: note: expanded from macro 'NMIB'
#define NMIB(mib) (sizeof(mib)/sizeof(mib[0]))
 ^
darwin_sigar.c:1299:15: error: incomplete definition of type 'struct 
kinfo_proc2'
    (pinfo->p_vm_tsize + pinfo->p_vm_dsize + pinfo->p_vm_ssize) * 
sigar->pagesize;

 ~^
../../src/os/darwin/sigar_os.h:49:16: note: forward declaration of 
'struct kinfo_proc2'

typedef struct kinfo_proc2 bsd_pinfo_t;
   ^
darwin_sigar.c:1299:35: error: incomplete definition of type 'struct 
kinfo_proc2'
    (pinfo->p_vm_tsize + pinfo->p_vm_dsize + pinfo->p_vm_ssize) * 
sigar->pagesize;

 ~^
../../src/os/darwin/sigar_os.h:49:16: note: forward declaration of 
'struct kinfo_proc2'

typedef struct kinfo_proc2 bsd_pinfo_t;
   ^
darwin_sigar.c:1299:55: error: incomplete definition of type 'struct 
kinfo_proc2'
    (pinfo->p_vm_tsize + pinfo->p_vm_dsize + pinfo->p_vm_ssize) * 
sigar->pagesize;

 ~^
../../src/os/darwin/sigar_os.h:49:16: note: forward declaration of 
'struct kinfo_proc2'

typedef struct kinfo_proc2 bsd_pinfo_t;
   ^
darwin_sigar.c:1301:30: error: incomplete definition of type 'struct 
kinfo_proc2'

    procmem->resident = pinfo->p_vm_rssize * sigar->pagesize;
    ~^
../../src/os/darwin/sigar_os.h:49:16: note: forward declaration of 
'struct kinfo_proc2'

typedef struct kinfo_proc2 bsd_pinfo_t;
   ^
darwin_sigar.c:1305:34: error: incomplete definition of type 'struct 
kinfo_proc2'

    procmem->minor_faults = pinfo->p_uru_minflt;
    ~^
../../src/os/darwin/sigar_os.h:49:16: note: forward declaration of 
'struct kinfo_proc2'

typedef struct kinfo_proc2 bsd_pinfo_t;
   ^
darwin_sigar.c:1306:34: error: incomplete definition of type 'struct 
kinfo_proc2'

    procmem->major_faults = pinfo->p_uru_majflt;
    ~^
../../src/os/darwin/sigar_os.h:49:16: note: forward declaration of 
'struct kinfo_proc2'

typedef struct kinfo_proc2 bsd_pinfo_t;
   ^
darwin_sigar.c:1330:27: error: incomplete definition of type 'struct 
kinfo_proc2'

    proccred->uid  = 

Re: proper way to grow softraid partition

2021-10-31 Thread kasak



29.10.2021 15:33, Nick Holland wrote:

On 10/27/21 1:11 PM, kasak wrote:

Hello misc!

I want to replace my two 2 TB HDDs, joined in RAID 1.

I have two 4 TB drives, and I want to replace the smaller drives with them.

It wouldn't be a problem if I had some spare SATA ports, but in my PC I
have only one left.

So I can attach only one of these 4 TB drives at a time.


I think maybe I can attach a new 4 TB drive to the old RAID as a third
volume, wait for it to "repair",


Unfortunately, unless something changed when I wasn't looking, you can't
change the number of drives in a softraid RAID1 after creation.  I really
wish you could.


and then remove the 2 TB drives, add one more 4 TB and "repair" the RAID again.

I don't know whether this operation will actually grow my partition, or whether
it is a bad idea from the beginning.


nope, you would end up with a 2T RAID partition on a 4G drive. Which is
fine, except you didn't achieve your goal.


Alternatively, can I create a RAID 1 volume from just one drive, rsync files
between RAIDs and add another disk afterwards?


Again, you can't change the number of drives in a softraid RAID1 set after
creation.  And you can't change the size of a softraid partition.

What I would (and have) done is this, assuming this is your only computer
available:
* extract both your 2T drives.
* insert both 4T drives, build a RAID1 set.
* Insert ONE of the old 2T drives and ONE of the 4T drives into your system.
On boot, you end up with two degraded arrays...but that will work for your
purposes!
* Copy the data from the old disks to the new disks
* Change fstab
* Remove the old 2T disk, and replace with the 4T disk left over, rebuild
the degraded array onto the 4T disk.
* DONE!

Now...since you have ONE spare port still, I'd actually cheat and remove
one 2T disk, and put both new disks in place, build the array, and copy
over. Fix fstab, remove the old 2T disk, done.


Thank you very much for the detailed explanation!
I will go this way!

HOWEVER, something else to consider -- from later messages, sounds like you
have a non-RAID boot drive and RAID data drives.  I SUSPECT you could build
out your new 4T array as a bootable softraid and move your boot drive data
AND the 2T of old data all to the one 4T array and still have a lot of new
space (a basic OpenBSD install is barely noticeable in a 4T disk!).  Now
you have redundancy in both boot and data, and one less disk, which will be
a small power reduction, and one less point of failure.

Nick.






Re: proper way to grow softraid partition

2021-10-27 Thread kasak



27.10.2021 20:41, cho...@jtan.com wrote:

It's easier by far not to muck about trying to resize partitions.

If you can mount each drive (old and new) in an operating system
that isn't using them then that's your best bet and that's not so
hard to arrange. Mount the old partition structure in /old, create
new larger partitions on the new drive mounted on /new and rsync
-a /old/ /new/ (note the trailing /). After that you will need to
install the boot code if the drive is used for booting which it
probably is. I can't remember how to do that but it's no doubt
performed in https://cvsweb.openbsd.org/src/distrib/miniroot/install.sub
or its machine-dependent counterpart install.md (location varies).

It's also in the manpages. installboot(8) looks promising. Sorry
but I'm not going to provide instructions to do something I don't
remember how to do and haven't tested.

If you want to set up RAID or don't want to figure out how to install
the boot blocks, install anew on the new larger possibly-RAIDed
drives, install the same set of packages and copy /home and a few
files from /etc to get a practically-identical installation.

Matthew


The RAID is not used for booting.

And the main goal is that the RAID must stay.

I think I have a third option: remove one old drive,
make a RAID from the two new drives and rsync the data from the old drive.

Is this what you suggest I should do?



proper way to grow softraid partition

2021-10-27 Thread kasak

Hello misc!

I want to replace my two 2 TB HDDs, joined in RAID 1.

I have two 4 TB drives, and I want to replace the smaller drives with them.

It wouldn't be a problem if I had some spare SATA ports, but in my PC I
have only one left.


So I can attach only one of these 4 TB drives at a time.


I think maybe I can attach a new 4 TB drive to the old RAID as a third
volume, wait for it to "repair",


and then remove the 2 TB drives, add one more 4 TB and "repair" the RAID again.

I don't know whether this operation will actually grow my partition, or whether
it is a bad idea from the beginning.



Alternatively, can I create a RAID 1 volume from just one drive, rsync files
between RAIDs and add another disk afterwards?



Re: sysupgrade fails due to "CHECK AND RESET DATE" ?

2021-10-19 Thread kasak



18.10.2021 23:18, kasak wrote:

Hello everyone!

I have one mini router, made from a Gigabyte GB-SBCAP4200 barebone.

It has nothing special. Just base OpenBSD, without any additional
packages or modifications.


For some reason, sysupgrade does not upgrade this system.
It successfully boots the new kernel, but does not proceed with the upgrade;
it just loads 6.9 back.


This is the dmesg from loading 7.0 and further:

OpenBSD 7.0 (RAMDISK_CD) #219: Thu Sep 30 14:32:42 MDT 2021
deraadt@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
real mem = 8415617024 (8025MB)
avail mem = 8156545024 (7778MB)
random: good seed from bootblocks
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x79db7000 (50 entries)
bios0: vendor American Megatrends Inc. version "F1" date 06/11/2018
bios0: Gigabyte Technology Co., Ltd. Default string
acpi0 at bios0: ACPI 6.0
acpi0: tables DSDT FACP FPDT FIDT MCFG DBG2 DBGP HPET LPIT APIC NPKT PRAM WSMT SSDT SSDT SSDT SSDT SSDT SSDT SSDT UEFI TPM2 WDAT
acpihpet0 at acpi0: 1920 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Pentium(R) CPU N4200 @ 1.10GHz, 1097.47 MHz, 06-5c-09
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,MPX,RDSEED,SMAP,CLFLUSHOPT,PT,SHA,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: apic clock running at 19MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.2.4.2.1.1, IBE
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 120 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (RP01)
acpiprt2 at acpi0: bus -1 (RP02)
acpiprt3 at acpi0: bus 1 (RP03)
acpiprt4 at acpi0: bus 2 (RP04)
acpiprt5 at acpi0: bus 3 (RP05)
acpiprt6 at acpi0: bus 4 (RP06)
acpiec0 at acpi0: not present
acpipci0 at acpi0 PCI0: 0x 0x0011 0x0001
acpicmos0 at acpi0
"PNP0C0C" at acpi0 not configured
aplgpio0 at acpi0 GPO0 uid 1 addr 0xd0c5/0x76c irq 14, 78 pins
aplgpio1 at acpi0 GPO1 uid 2 addr 0xd0c4/0x764 irq 14, 77 pins
aplgpio2 at acpi0 GPO2 uid 3 addr 0xd0c7/0x674 irq 14, 47 pins
aplgpio3 at acpi0 GPO3 uid 4 addr 0xd0c0/0x654 irq 14, 43 pins
"INT33A1" at acpi0 not configured
"MSFT0101" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
acpicpu at acpi0 not configured
acpipwrres at acpi0 not configured
acpitz at acpi0 not configured
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Apollo Lake Host" rev 0x0b
"Intel HD Graphics 505" rev 0x0b at pci0 dev 2 function 0 not configured
"Intel Apollo Lake HD Audio" rev 0x0b at pci0 dev 14 function 0 not configured
"Intel Apollo Lake TXE" rev 0x0b at pci0 dev 15 function 0 not configured
ahci0 at pci0 dev 18 function 0 "Intel Apollo Lake AHCI" rev 0x0b: msi, AHCI 1.3.1
ahci0: PHY offline on port 0
ahci0: port 1: 6.0Gb/s
scsibus0 at ahci0: 32 targets
sd0 at scsibus0 targ 1 lun 0:  naa.50026b7783a249ed
sd0: 228936MB, 512 bytes/sector, 468862128 sectors, thin
ppb0 at pci0 dev 19 function 0 "Intel Apollo Lake PCIE" rev 0xfb: msi
pci1 at ppb0 bus 1
ppb1 at pci0 dev 19 function 1 "Intel Apollo Lake PCIE" rev 0xfb: msi
pci2 at ppb1 bus 2
ppb2 at pci0 dev 19 function 2 "Intel Apollo Lake PCIE" rev 0xfb: msi
pci3 at ppb2 bus 3
re0 at pci3 dev 0 function 0 "Realtek 8168" rev 0x0c: RTL8168G/8111G (0x4c00), msi, address e0:d5:5e:e7:50:4f
rgephy0 at re0 phy 7: RTL8251 PHY, rev. 0
ppb3 at pci0 dev 19 function 3 "Intel Apollo Lake PCIE" rev 0xfb: msi
pci4 at ppb3 bus 4
re1 at pci4 dev 0 function 0 "Realtek 8168" rev 0x0c: RTL8168G/8111G (0x4c00), msi, address e0:d5:5e:e7:50:51
rgephy1 at re1 phy 7: RTL8251 PHY, rev. 0
xhci0 at pci0 dev 21 function 0 "Intel Apollo Lake xHCI" rev 0x0b: msi, xHCI 1.0
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 1 interface 0 "Intel xHCI root hub" rev 3.00/1.00 addr 1
"Intel Apollo Lake LPC" rev 0x0b at pci0 dev 31 function 0 not configured
"Intel Apollo Lake SMBus" rev 0x0b at pci0 dev 31 function 1 not configured
isa0 at mainbus0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
efifb at mainbus0 not configured
softraid0 at root
scsibus1 at softraid0: 256 targets
root on rd0a swap on rd0b dump on rd0b
WARNING: CHECK AND RESET THE DATE!
OpenBSD 6.9 (GENERIC.MP) #4: Tue Aug 10 08:12:23 MDT 2021
root@syspatch-69-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP


real mem = 8415617024 (8025MB)
avail mem = 8145182720 (7767MB)
random: good seed from bootblocks
mpath0 a

Re: sysupgrade fails due to "CHECK AND RESET DATE" ?

2021-10-19 Thread kasak



19.10.2021 09:41, Otto Moerbeek wrote:

On Tue, Oct 19, 2021 at 09:30:47AM +0300, kasak wrote:


19.10.2021 08:45, Otto Moerbeek wrote:

On Mon, Oct 18, 2021 at 11:18:20PM +0300, kasak wrote:


Hello everyone!

I have one mini router, made from a Gigabyte GB-SBCAP4200 barebone.

It has nothing special. Just base OpenBSD, without any additional packages
or modifications.

For some reason, sysupgrade does not upgrade this system.
It successfully boots the new kernel, but does not proceed with the upgrade;
it just loads 6.9 back.


Re: sysupgrade fails due to "CHECK AND RESET DATE" ?

2021-10-19 Thread kasak



19.10.2021 08:45, Otto Moerbeek wrote:

On Mon, Oct 18, 2021 at 11:18:20PM +0300, kasak wrote:


Hello everyone!

I have one mini router, made from a Gigabyte GB-SBCAP4200 barebone.

It has nothing special. Just base OpenBSD, without any additional packages
or modifications.

For some reason, sysupgrade does not upgrade this system.
It successfully boots the new kernel, but does not proceed with the upgrade;
it just loads 6.9 back.


sysupgrade fails due to "CHECK AND RESET DATE" ?

2021-10-18 Thread kasak

Hello everyone!

I have one mini router, made from a Gigabyte GB-SBCAP4200 barebone.

It has nothing special. Just base OpenBSD, without any additional
packages or modifications.


For some reason, sysupgrade does not upgrade this system.
It successfully boots the new kernel, but does not proceed with the upgrade;
it just loads 6.9 back.


This is the dmesg from loading 7.0 and further:

OpenBSD 7.0 (RAMDISK_CD) #219: Thu Sep 30 14:32:42 MDT 2021
deraadt@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
real mem = 8415617024 (8025MB)
avail mem = 8156545024 (7778MB)
random: good seed from bootblocks
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x79db7000 (50 entries)
bios0: vendor American Megatrends Inc. version "F1" date 06/11/2018
bios0: Gigabyte Technology Co., Ltd. Default string
acpi0 at bios0: ACPI 6.0
acpi0: tables DSDT FACP FPDT FIDT MCFG DBG2 DBGP HPET LPIT APIC NPKT PRAM WSMT SSDT SSDT SSDT SSDT SSDT SSDT SSDT UEFI TPM2 WDAT
acpihpet0 at acpi0: 1920 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Pentium(R) CPU N4200 @ 1.10GHz, 1097.47 MHz, 06-5c-09
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,MPX,RDSEED,SMAP,CLFLUSHOPT,PT,SHA,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: apic clock running at 19MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.2.4.2.1.1, IBE
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 120 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (RP01)
acpiprt2 at acpi0: bus -1 (RP02)
acpiprt3 at acpi0: bus 1 (RP03)
acpiprt4 at acpi0: bus 2 (RP04)
acpiprt5 at acpi0: bus 3 (RP05)
acpiprt6 at acpi0: bus 4 (RP06)
acpiec0 at acpi0: not present
acpipci0 at acpi0 PCI0: 0x 0x0011 0x0001
acpicmos0 at acpi0
"PNP0C0C" at acpi0 not configured
aplgpio0 at acpi0 GPO0 uid 1 addr 0xd0c5/0x76c irq 14, 78 pins
aplgpio1 at acpi0 GPO1 uid 2 addr 0xd0c4/0x764 irq 14, 77 pins
aplgpio2 at acpi0 GPO2 uid 3 addr 0xd0c7/0x674 irq 14, 47 pins
aplgpio3 at acpi0 GPO3 uid 4 addr 0xd0c0/0x654 irq 14, 43 pins
"INT33A1" at acpi0 not configured
"MSFT0101" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
acpicpu at acpi0 not configured
acpipwrres at acpi0 not configured
acpitz at acpi0 not configured
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Apollo Lake Host" rev 0x0b
"Intel HD Graphics 505" rev 0x0b at pci0 dev 2 function 0 not configured
"Intel Apollo Lake HD Audio" rev 0x0b at pci0 dev 14 function 0 not configured
"Intel Apollo Lake TXE" rev 0x0b at pci0 dev 15 function 0 not configured
ahci0 at pci0 dev 18 function 0 "Intel Apollo Lake AHCI" rev 0x0b: msi, AHCI 1.3.1
ahci0: PHY offline on port 0
ahci0: port 1: 6.0Gb/s
scsibus0 at ahci0: 32 targets
sd0 at scsibus0 targ 1 lun 0:  naa.50026b7783a249ed
sd0: 228936MB, 512 bytes/sector, 468862128 sectors, thin
ppb0 at pci0 dev 19 function 0 "Intel Apollo Lake PCIE" rev 0xfb: msi
pci1 at ppb0 bus 1
ppb1 at pci0 dev 19 function 1 "Intel Apollo Lake PCIE" rev 0xfb: msi
pci2 at ppb1 bus 2
ppb2 at pci0 dev 19 function 2 "Intel Apollo Lake PCIE" rev 0xfb: msi
pci3 at ppb2 bus 3
re0 at pci3 dev 0 function 0 "Realtek 8168" rev 0x0c: RTL8168G/8111G (0x4c00), msi, address e0:d5:5e:e7:50:4f
rgephy0 at re0 phy 7: RTL8251 PHY, rev. 0
ppb3 at pci0 dev 19 function 3 "Intel Apollo Lake PCIE" rev 0xfb: msi
pci4 at ppb3 bus 4
re1 at pci4 dev 0 function 0 "Realtek 8168" rev 0x0c: RTL8168G/8111G (0x4c00), msi, address e0:d5:5e:e7:50:51
rgephy1 at re1 phy 7: RTL8251 PHY, rev. 0
xhci0 at pci0 dev 21 function 0 "Intel Apollo Lake xHCI" rev 0x0b: msi, xHCI 1.0
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 1 interface 0 "Intel xHCI root hub" rev 3.00/1.00 addr 1
"Intel Apollo Lake LPC" rev 0x0b at pci0 dev 31 function 0 not configured
"Intel Apollo Lake SMBus" rev 0x0b at pci0 dev 31 function 1 not configured
isa0 at mainbus0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
efifb at mainbus0 not configured
softraid0 at root
scsibus1 at softraid0: 256 targets
root on rd0a swap on rd0b dump on rd0b
WARNING: CHECK AND RESET THE DATE!
OpenBSD 6.9 (GENERIC.MP) #4: Tue Aug 10 08:12:23 MDT 2021
root@syspatch-69-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8415617024 (8025MB)
avail mem = 8145182720 (7767MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x79db7000 (50 entries)
bios0: vendor American Megatrends Inc. version "F1" date 06/11/2018
bios0: Gigabyte Technology Co., Ltd. Default string
acpi0 

Re: ssh with keyboard-interactive failing

2021-10-18 Thread kasak



17.10.2021 15:07, Stuart Henderson wrote:

On 2021-10-17, kasak  wrote:

17.10.2021 13:48, Stuart Henderson wrote:

On 2021-10-17, kasak  wrote:

Hello everybody! I somehow broke authorization with a password in 7.0.

All this started after the update to 7.0.

I installed the default /etc/ssh/sshd_config with sysmerge.

After this, I just wanted to disable password auth, to use
keyboard-interactive.

ahh What are you expecting keyboard-interactive to do?

It isn't normally used on OpenBSD.
Honestly, I thought that keyboard-interactive is the same as password,
but with bells and whistles.

The only thing I changed in the conf is this line:

PasswordAuthentication no

After the restart I cannot connect to this host for some reason. It just
doesn't ask for any password and quits.

Here is log:

$ ssh -v host

That's the client-side, but what is logged on the server?

I'm afraid I cannot find out :) The server is not near.

Just after I sent my first mail, I remembered that I maybe also set
MaxAuthTries to 3.
Maybe this did the trick? If so, is there any way to force the client to
use keyboard-interactive first, and not to try absent pubkeys?


OpenSSH_8.8, LibreSSL 3.4.1
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to host [xxx.xxx.xxx.xxx] port 22.
debug1: Connection established.

Oh, you have no keys, these would show a type other than -1 if you did:


debug1: identity file /home/kasak/.ssh/id_rsa type -1
debug1: identity file /home/kasak/.ssh/id_rsa-cert type -1
debug1: identity file /home/kasak/.ssh/id_dsa type -1
debug1: identity file /home/kasak/.ssh/id_dsa-cert type -1
debug1: identity file /home/kasak/.ssh/id_ecdsa type -1
debug1: identity file /home/kasak/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/kasak/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/kasak/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/kasak/.ssh/id_ed25519 type -1
debug1: identity file /home/kasak/.ssh/id_ed25519-cert type -1
debug1: identity file /home/kasak/.ssh/id_ed25519_sk type -1
debug1: identity file /home/kasak/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/kasak/.ssh/id_xmss type -1
debug1: identity file /home/kasak/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.8
debug1: compat_banner: match: OpenSSH_8.8 pat OpenSSH* compat 0x0400
debug1: Authenticating to host:22 as 'kasak'
debug1: load_hostkeys: fopen /home/kasak/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:CcikFZvpvKUQM1NqPBCkEVGwhkQVszJMb8NVxG1pX9Q
debug1: load_hostkeys: fopen /home/kasak/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'host' is known and matches the ED25519 host key.
debug1: Found key in /home/kasak/.ssh/known_hosts:30
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/kasak/.ssh/id_rsa
debug1: Will attempt key: /home/kasak/.ssh/id_dsa
debug1: Will attempt key: /home/kasak/.ssh/id_ecdsa
debug1: Will attempt key: /home/kasak/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/kasak/.ssh/id_ed25519
debug1: Will attempt key: /home/kasak/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/kasak/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info:
server-sig-algs=
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/kasak/.ssh/id_rsa
debug1: Trying private key: /home/kasak/.ssh/id_dsa
debug1: Trying private key: /home/kasak/.ssh/id_ecdsa
debug1: Trying private key: /home/kasak/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/kasak/.ssh/id_ed25519
debug1: Trying private key: /home/kasak/.ssh/id_ed25519_sk
debug1: Trying private key: /home/kasak/.ssh/id_xmss

And these would show the key fingerprint if keys were present.
So you don't have keys to offer anyway, so they aren't tried, so I don't
think this has anything to do with MaxAuthTries.


debug1: Next authentication method: keyboard-interactive

Re: ssh with keyboard-interactive failing

2021-10-17 Thread kasak



17.10.2021 13:48, Stuart Henderson writes:

On 2021-10-17, kasak  wrote:

Hello everybody! I somehow broke authorization with password in 7.0

All this started after update to 7.0.

I have installed default /etc/ssh/sshd_config with sysmerge.

After this, I just wanted to disable password auth, to use
keyboard-interactive.

The only thing I changed in the conf is this line:

PasswordAuthentication no

After the restart I cannot connect to this host for some reason. It just
doesn't ask for any password and quits.

Here is the log:

$ ssh -v host

That's the client-side, but what is logged on the server?


I'm afraid I cannot find out :) The server is not near.

When I had just sent my first mail, I remembered that I may also have set 
MaxAuthTries to 3.
Maybe this did the trick? If so, is there any way to force the client to 
use keyboard-interactive first, and not to try absent pubkeys?



OpenSSH_8.8, LibreSSL 3.4.1
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to host [xxx.xxx.xxx.xxx] port 22.
debug1: Connection established.
debug1: identity file /home/kasak/.ssh/id_rsa type -1
debug1: identity file /home/kasak/.ssh/id_rsa-cert type -1
debug1: identity file /home/kasak/.ssh/id_dsa type -1
debug1: identity file /home/kasak/.ssh/id_dsa-cert type -1
debug1: identity file /home/kasak/.ssh/id_ecdsa type -1
debug1: identity file /home/kasak/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/kasak/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/kasak/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/kasak/.ssh/id_ed25519 type -1
debug1: identity file /home/kasak/.ssh/id_ed25519-cert type -1
debug1: identity file /home/kasak/.ssh/id_ed25519_sk type -1
debug1: identity file /home/kasak/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/kasak/.ssh/id_xmss type -1
debug1: identity file /home/kasak/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.8
debug1: compat_banner: match: OpenSSH_8.8 pat OpenSSH* compat 0x0400
debug1: Authenticating to host:22 as 'kasak'
debug1: load_hostkeys: fopen /home/kasak/.ssh/known_hosts2: No such file
or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or
directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or
directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1...@openssh.com MAC:
 compression: none
debug1: kex: client->server cipher: chacha20-poly1...@openssh.com MAC:
 compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519
SHA256:CcikFZvpvKUQM1NqPBCkEVGwhkQVszJMb8NVxG1pX9Q
debug1: load_hostkeys: fopen /home/kasak/.ssh/known_hosts2: No such file
or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or
directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or
directory
debug1: Host 'host' is known and matches the ED25519 host key.
debug1: Found key in /home/kasak/.ssh/known_hosts:30
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/kasak/.ssh/id_rsa
debug1: Will attempt key: /home/kasak/.ssh/id_dsa
debug1: Will attempt key: /home/kasak/.ssh/id_ecdsa
debug1: Will attempt key: /home/kasak/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/kasak/.ssh/id_ed25519
debug1: Will attempt key: /home/kasak/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/kasak/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info:
server-sig-algs=
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/kasak/.ssh/id_rsa
debug1: Trying private key: /home/kasak/.ssh/id_dsa
debug1: Trying private key: /home/kasak/.ssh/id_ecdsa
debug1: Trying private key: /home/kasak/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/kasak/.ssh/id_ed25519
debug1: Trying private key: /home/kasak/.ssh/id_ed25519_sk
debug1: Trying private key: /home/kasak/.ssh/id_xmss
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
kasak@host: Permission denied (publickey,keyboard-interactive).








ssh with keyboard-interactive failing

2021-10-17 Thread kasak

Hello everybody! I somehow broke authorization with password in 7.0

All this started after update to 7.0.

I have installed default /etc/ssh/sshd_config with sysmerge.

After this, I just wanted to disable password auth, to use 
keyboard-interactive.


The only thing I changed in the conf is this line:

PasswordAuthentication no

After the restart I cannot connect to this host for some reason. It just 
doesn't ask for any password and quits.


Here is the log:

$ ssh -v host

OpenSSH_8.8, LibreSSL 3.4.1
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to host [xxx.xxx.xxx.xxx] port 22.
debug1: Connection established.
debug1: identity file /home/kasak/.ssh/id_rsa type -1
debug1: identity file /home/kasak/.ssh/id_rsa-cert type -1
debug1: identity file /home/kasak/.ssh/id_dsa type -1
debug1: identity file /home/kasak/.ssh/id_dsa-cert type -1
debug1: identity file /home/kasak/.ssh/id_ecdsa type -1
debug1: identity file /home/kasak/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/kasak/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/kasak/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/kasak/.ssh/id_ed25519 type -1
debug1: identity file /home/kasak/.ssh/id_ed25519-cert type -1
debug1: identity file /home/kasak/.ssh/id_ed25519_sk type -1
debug1: identity file /home/kasak/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/kasak/.ssh/id_xmss type -1
debug1: identity file /home/kasak/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.8
debug1: compat_banner: match: OpenSSH_8.8 pat OpenSSH* compat 0x0400
debug1: Authenticating to host:22 as 'kasak'
debug1: load_hostkeys: fopen /home/kasak/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1...@openssh.com MAC: compression: none
debug1: kex: client->server cipher: chacha20-poly1...@openssh.com MAC: compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:CcikFZvpvKUQM1NqPBCkEVGwhkQVszJMb8NVxG1pX9Q
debug1: load_hostkeys: fopen /home/kasak/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'host' is known and matches the ED25519 host key.
debug1: Found key in /home/kasak/.ssh/known_hosts:30
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/kasak/.ssh/id_rsa
debug1: Will attempt key: /home/kasak/.ssh/id_dsa
debug1: Will attempt key: /home/kasak/.ssh/id_ecdsa
debug1: Will attempt key: /home/kasak/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/kasak/.ssh/id_ed25519
debug1: Will attempt key: /home/kasak/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/kasak/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/kasak/.ssh/id_rsa
debug1: Trying private key: /home/kasak/.ssh/id_dsa
debug1: Trying private key: /home/kasak/.ssh/id_ecdsa
debug1: Trying private key: /home/kasak/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/kasak/.ssh/id_ed25519
debug1: Trying private key: /home/kasak/.ssh/id_ed25519_sk
debug1: Trying private key: /home/kasak/.ssh/id_xmss
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
kasak@host: Permission denied (publickey,keyboard-interactive).
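The server-side log was never posted, so the thread does not say what broke keyboard-interactive after the 7.0 upgrade. What the client log does settle is the MaxAuthTries question, along the lines of Stuart Henderson's remark earlier on this page: an identity file that was reported `type -1` produces a `Trying private key` line and nothing is sent, whereas a key that is really offered shows up as `Offering public key ... SHA256:...`, and sshd counts every rejected offer against MaxAuthTries. The following parser is an added example, not code from the thread or from OpenSSH. Both transcripts embedded in it are constructed: the first is trimmed from the `ssh -v` output posted above, the second is an invented agent-with-several-keys run against a made-up host 203.0.113.5 whose sshd has MaxAuthTries 3.

```python
"""Classify public-key activity in an `ssh -v` transcript (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

IDENT_MISSING = re.compile(r"identity file (\S+) type -1")
SERVER_METHODS = re.compile(r"Authentications that can continue: (\S+)")
NEXT_METHOD = re.compile(r"Next authentication method: (\S+)")
TRYING = re.compile(r"Trying private key: (\S+)")
OFFERING = re.compile(r"Offering public key: (\S+) (\S+) (SHA256:\S+)")
ACCEPTED = re.compile(r"Server accepts key: (\S+)")
DENIED = re.compile(r"Permission denied \((\S+)\)")
TOO_MANY = re.compile(r"Too many authentication failures")


@dataclass
class AuthReport:
    server_methods: List[str] = field(default_factory=list)
    methods_tried: List[str] = field(default_factory=list)
    keys_skipped: List[str] = field(default_factory=list)       # file absent, nothing sent
    keys_offered: List[Tuple[str, Optional[str]]] = field(default_factory=list)  # (path, fingerprint)
    key_accepted: Optional[str] = None
    denied_with: Optional[str] = None
    too_many_failures: bool = False


def parse_ssh_debug(text: str) -> AuthReport:
    rep = AuthReport()
    missing = set()
    for line in text.splitlines():
        if m := IDENT_MISSING.search(line):
            missing.add(m.group(1))
        elif m := SERVER_METHODS.search(line):
            if not rep.server_methods:                 # keep the server's initial list
                rep.server_methods = m.group(1).split(",")
        elif m := NEXT_METHOD.search(line):
            rep.methods_tried.append(m.group(1))
        elif m := TRYING.search(line):
            path = m.group(1)
            if path in missing:
                rep.keys_skipped.append(path)          # ssh loaded nothing and sent nothing
            else:
                rep.keys_offered.append((path, None))  # private key loaded at auth time and signed
        elif m := OFFERING.search(line):
            rep.keys_offered.append((m.group(1), m.group(3)))
        elif m := ACCEPTED.search(line):
            rep.key_accepted = m.group(1)
        elif m := DENIED.search(line):
            rep.denied_with = m.group(1)
        elif TOO_MANY.search(line):
            rep.too_many_failures = True
    return rep


def explain(rep: AuthReport, max_auth_tries: int = 6) -> str:
    """Relate the transcript to sshd's MaxAuthTries (default 6)."""
    if rep.key_accepted:
        return f"publickey succeeded with {rep.key_accepted}"
    rejected = len(rep.keys_offered)
    if rejected == 0 and rep.keys_skipped:
        return (f"no key was sent: all {len(rep.keys_skipped)} identity files are absent, "
                f"so publickey consumed none of MaxAuthTries; the final "
                f"'Permission denied ({rep.denied_with})' is not a MaxAuthTries disconnect")
    if rep.too_many_failures or rejected >= max_auth_tries:
        return (f"{rejected} rejected key offers reached MaxAuthTries={max_auth_tries}; "
                "use IdentitiesOnly=yes or PreferredAuthentications to stop offering them")
    return f"{rejected} rejected key offers counted against MaxAuthTries={max_auth_tries}"


# Constructed sample 1: trimmed from the transcript posted in this thread.
SAMPLE_NO_KEYS = """\
debug1: identity file /home/kasak/.ssh/id_rsa type -1
debug1: identity file /home/kasak/.ssh/id_ecdsa type -1
debug1: identity file /home/kasak/.ssh/id_ed25519 type -1
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/kasak/.ssh/id_rsa
debug1: Trying private key: /home/kasak/.ssh/id_ecdsa
debug1: Trying private key: /home/kasak/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
kasak@host: Permission denied (publickey,keyboard-interactive).
"""

# Constructed sample 2: invented agent run, three rejected keys against MaxAuthTries 3.
SAMPLE_AGENT = """\
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/user/.ssh/id_ecdsa ECDSA SHA256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/user/.ssh/id_ed25519 ED25519 SHA256:ccccccccccccccccccccccccccccccccccccccccccc agent
Received disconnect from 203.0.113.5 port 22:2: Too many authentication failures
"""

if __name__ == "__main__":
    print(explain(parse_ssh_debug(SAMPLE_NO_KEYS)))
    print(explain(parse_ssh_debug(SAMPLE_AGENT), max_auth_tries=3))
```

Run it on a saved `ssh -v host 2> ssh.log` transcript to see which of the two situations applies. The client-side answer to the question asked above is `ssh -o PreferredAuthentications=keyboard-interactive -o PubkeyAuthentication=no host`; on the server, `sshd -T | grep -iE 'maxauthtries|kbdinteractive|passwordauth'` prints the effective values without a restart.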



Re: Bridging OpenVPN and LAN

2021-09-05 Thread Kasak



> On 5 Sep 2021, at 21:53, Andrei wrote:
> 
> 
>> On 05.09.2021., at 15:58, kasak  wrote:
>> I should correct myself from my last message. You actually may try to proxy 
>> DHCP answers to the VPN, adding the option
>> 
>> server-bridge
>> 
>> to the server config without a pool definition. Please respond if it works. I'm 
>> really curious about it.
>> 
>> I use a similar configuration, but with a manual pool definition in server-bridge
>> 
> 
> This results in the same behaviour - the client gets no IP. When I do however 
> make it say:
> 
> server-bridge 10.70.0.1 255.225.255.0 10.70.0.100 10.70.0.110
> 
I made a typo. The mask should be 255.255.255.0
I highly recommend not just copying what I say but correcting it to match your 
configuration
> as you said this works but the DHCP is not issuing that IP (+ I'm having some 
> weird errors saying
> 
> 2021-09-05 20:44:45 /sbin/ifconfig tap0 10.70.0.100 netmask 255.225.255.0 mtu 
> 1500
> ifconfig: 255.225.255.0: non-contiguous mask
> 
> but that's another topic :).



Re: Bridging OpenVPN and LAN

2021-09-05 Thread kasak

05.09.2021 16:31, Andrei writes:

Hello,

I am trying to setup an OpenVPN server on OpenBSD 6.9 that's bridged to my LAN.
The topology looks like this: 10.70.0.1 (gateway) - 10.70.0.118 (server, on 
em1).

I've set up the em1 interface as DHCP and it gets the expected address. Next 
up I
created a tap0 and bridge0 devices like this:

ifconfig tap0 create
ifconfig bridge0 create
ifconfig bridge0 add em1
ifconfig bridge0 add tap0

The ifconfig output looks like this now:

lo0: flags=8049 mtu 32768
 index 4 priority 0 llprio 3
 groups: lo
 inet6 ::1 prefixlen 128
 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
 inet 127.0.0.1 netmask 0xff00
em0: flags=8843 mtu 1500
 lladdr 00:0c:29:0f:74:62
 index 1 priority 0 llprio 3
 groups: egress
 media: Ethernet autoselect (1000baseT full-duplex,master)
 status: active
 inet 10.20.0.108 netmask 0xff00 broadcast 10.20.0.255
em1: flags=8b43 mtu 1500
 lladdr 00:0c:29:0f:74:6c
 index 2 priority 0 llprio 3
 media: Ethernet autoselect (1000baseT full-duplex,master)
 status: active
 inet 10.70.0.118 netmask 0xff00 broadcast 10.70.0.255
enc0: flags=0<>
 index 3 priority 0 llprio 3
 groups: enc
 status: active
pflog0: flags=141 mtu 33136
 index 5 priority 0 llprio 3
 groups: pflog
tap0: flags=8902 mtu 1500
 lladdr fe:e1:ba:d0:6a:1c
 index 6 priority 0 llprio 3
 groups: tap
 status: no carrier
bridge0: flags=0<>
 index 7 llprio 3
 groups: bridge
 priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
 em1 flags=3
 port 2 ifpriority 0 ifcost 0
 tap0 flags=3
 port 6 ifpriority 0 ifcost 0

In my OpenVPN config I have:

port 1194
proto udp
dev tap0
dev-type tap
ca /etc/openvpn/ca.crt
cert /etc/openvpn/vpnserver.crt
key /etc/openvpn/vpnserver.key
dh /etc/openvpn/dh.pem
tls-server
tls-auth /etc/openvpn/vpn-ta.key 0
push "route 10.70.0.0 255.255.255.0 10.70.0.1"
cipher AES-256-CBC
comp-lzo
ping-timer-rem
keepalive 10 60
user _openvpn
group _openvpn
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1


You should add an IP pool for the bridge in the server config,

like this:

server-bridge 10.70.0.1 255.225.255.0 10.70.0.100 10.70.0.110

Your dhcpd will not hand out IPs to the VPN even though it is on the bridge



And the client has:

client
dev tap
proto udp
remote example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3

The client connects OK, but it never gets a DHCP address from the router that's 
in
charge for 10.70.0.0/24 and running the DHCP server.

Is the issue in my OpenBSD configuration, OpenVPN, or on my router? I'm having
trouble debugging this...

Thank you,
Andrei





Re: Bridging OpenVPN and LAN

2021-09-05 Thread kasak



05.09.2021 16:31, Andrei writes:

Hello,

I am trying to setup an OpenVPN server on OpenBSD 6.9 that's bridged to my LAN.
The topology looks like this: 10.70.0.1 (gateway) - 10.70.0.118 (server, on 
em1).

I've set up the em1 interface as DHCP and it gets the expected address. Next 
up I
created a tap0 and bridge0 devices like this:

ifconfig tap0 create
ifconfig bridge0 create
ifconfig bridge0 add em1
ifconfig bridge0 add tap0

The ifconfig output looks like this now:

lo0: flags=8049 mtu 32768
 index 4 priority 0 llprio 3
 groups: lo
 inet6 ::1 prefixlen 128
 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
 inet 127.0.0.1 netmask 0xff00
em0: flags=8843 mtu 1500
 lladdr 00:0c:29:0f:74:62
 index 1 priority 0 llprio 3
 groups: egress
 media: Ethernet autoselect (1000baseT full-duplex,master)
 status: active
 inet 10.20.0.108 netmask 0xff00 broadcast 10.20.0.255
em1: flags=8b43 mtu 1500
 lladdr 00:0c:29:0f:74:6c
 index 2 priority 0 llprio 3
 media: Ethernet autoselect (1000baseT full-duplex,master)
 status: active
 inet 10.70.0.118 netmask 0xff00 broadcast 10.70.0.255
enc0: flags=0<>
 index 3 priority 0 llprio 3
 groups: enc
 status: active
pflog0: flags=141 mtu 33136
 index 5 priority 0 llprio 3
 groups: pflog
tap0: flags=8902 mtu 1500
 lladdr fe:e1:ba:d0:6a:1c
 index 6 priority 0 llprio 3
 groups: tap
 status: no carrier
bridge0: flags=0<>
 index 7 llprio 3
 groups: bridge
 priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
 em1 flags=3
 port 2 ifpriority 0 ifcost 0
 tap0 flags=3
 port 6 ifpriority 0 ifcost 0

In my OpenVPN config I have:

port 1194
proto udp
dev tap0
dev-type tap
ca /etc/openvpn/ca.crt
cert /etc/openvpn/vpnserver.crt
key /etc/openvpn/vpnserver.key
dh /etc/openvpn/dh.pem
tls-server
tls-auth /etc/openvpn/vpn-ta.key 0
push "route 10.70.0.0 255.255.255.0 10.70.0.1"
cipher AES-256-CBC
comp-lzo
ping-timer-rem
keepalive 10 60
user _openvpn
group _openvpn
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1

And the client has:

client
dev tap
proto udp
remote example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3

The client connects OK, but it never gets a DHCP address from the router that's 
in
charge for 10.70.0.0/24 and running the DHCP server.

Is the issue in my OpenBSD configuration, OpenVPN, or on my router? I'm having
trouble debugging this...

Thank you,
Andrei



I should correct myself from my last message. You actually may try to 
proxy DHCP answers to the VPN, adding the option


server-bridge

to the server config without a pool definition. Please respond if it works. 
I'm really curious about it.


I use a similar configuration, but with a manual pool definition in 
server-bridge
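Both forms of `server-bridge` that this thread tries fail quietly when they are wrong, and the netmask typo above was only caught by ifconfig(8) at runtime. The following validator is an added example, my own and not code from the thread or from OpenVPN: it parses a `server-bridge` line, distinguishes the bare DHCP-proxy form from the pool form, rejects a non-contiguous netmask with the same test ifconfig applies, and checks that the pool sits inside the subnet and does not contain the gateway. The optional `lan_dhcp_range` argument is an assumption of mine, there to catch the pool overlapping the LAN dhcpd's own range once tap0 is bridged onto the LAN; the sample lines in `main` are the ones from the thread plus constructed variants.

```python
"""Validate an OpenVPN `server-bridge` line before bridging tap0 into the LAN (added example)."""
import ipaddress
from typing import Dict, List, Optional, Tuple


def is_contiguous_mask(mask: str) -> bool:
    """A netmask must be ones followed by zeros; 255.225.255.0 is not (ifconfig: non-contiguous mask)."""
    bits = int(ipaddress.IPv4Address(mask))
    inverted = (~bits) & 0xFFFFFFFF          # host part, should be 0...01...1
    return inverted & (inverted + 1) == 0    # x & (x+1) == 0  <=>  x == 2**n - 1


def validate_server_bridge(line: str,
                           lan_dhcp_range: Optional[Tuple[str, str]] = None) -> Dict:
    """Return {'mode', 'problems', ...}; an empty problems list means the line is usable."""
    parts = line.split()
    if not parts or parts[0] != "server-bridge":
        raise ValueError("not a server-bridge directive")
    if len(parts) == 1:
        # DHCP-proxy mode: OpenVPN assigns nothing; the client relies on LAN DHCP over the bridge
        return {"mode": "dhcp-proxy", "problems": []}
    if len(parts) != 5:
        raise ValueError("expected: server-bridge gateway netmask pool-start pool-end")
    gw_s, mask, start_s, end_s = parts[1:]
    problems: List[str] = []
    if not is_contiguous_mask(mask):
        problems.append(f"non-contiguous netmask {mask}")
        return {"mode": "pool", "problems": problems}
    net = ipaddress.IPv4Network((gw_s, mask), strict=False)
    gw, start, end = (ipaddress.IPv4Address(x) for x in (gw_s, start_s, end_s))
    if start > end:
        problems.append("pool start is after pool end")
    for name, addr in (("gateway", gw), ("pool start", start), ("pool end", end)):
        if addr not in net:
            problems.append(f"{name} {addr} is outside {net}")
    if start <= gw <= end:
        problems.append(f"gateway {gw} lies inside the pool")
    if start == net.network_address or end == net.broadcast_address:
        problems.append("pool includes the network or broadcast address")
    if lan_dhcp_range:                      # assumed knowledge of the LAN dhcpd range
        lo, hi = (ipaddress.IPv4Address(x) for x in lan_dhcp_range)
        if start <= hi and lo <= end:       # closed-interval overlap
            problems.append(f"pool overlaps LAN DHCP range {lo}-{hi}")
    return {"mode": "pool", "network": str(net),
            "pool_size": int(end) - int(start) + 1 if start <= end else 0,
            "problems": problems}


if __name__ == "__main__":
    for candidate in (
        "server-bridge",                                                      # DHCP-proxy form
        "server-bridge 10.70.0.1 255.225.255.0 10.70.0.100 10.70.0.110",      # the typo from the thread
        "server-bridge 10.70.0.1 255.255.255.0 10.70.0.100 10.70.0.110",      # corrected
        "server-bridge 10.70.0.1 255.255.255.0 10.70.0.1 10.70.1.10",         # constructed: bad pool
    ):
        print(candidate, "->", validate_server_bridge(candidate))
```

Feed it the line from the server config before restarting OpenVPN; the "dhcp-proxy" result is not an error, but it means every tap client depends on the LAN DHCP server answering through the bridge, which the thread shows did not happen here.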




cannot perform sysupgrade "CHECK AND RESET THE DATE"

2021-05-03 Thread kasak

Hello all. I have one mini PC, a Gigabyte GA-SBCAP4200.

It has no special configuration or packages. It runs nearly default 
OpenBSD 6.8, and strangely, I cannot perform sysupgrade to 6.9


The only log I see in messages is this: WARNING: CHECK AND RESET THE DATE!

I cannot try a manual upgrade because it is a remote PC.

Here is messages log of sysupgrade started and failed:

May  3 19:08:47 panki sysupgrade: installed new /bsd.upgrade. Old kernel version: OpenBSD 6.8 (GENERIC.MP) #5: Mon Feb 22 04:36:10 MST 2021 r...@syspatch-68-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
May  3 19:08:47 panki reboot: rebooted by kasak
May  3 19:08:48 panki syslogd[80591]: exiting on signal 15
May  3 19:10:04 panki syslogd[16012]: start
May  3 19:10:04 panki /bsd: syncing disks... done
May  3 19:10:04 panki /bsd: rebooting...
May  3 19:10:04 panki /bsd: OpenBSD 6.9 (RAMDISK_CD) #456: Mon Apr 19 10:47:37 MDT 2021
May  3 19:10:04 panki /bsd: dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
May  3 19:10:04 panki /bsd: real mem = 8411521024 (8021MB)
May  3 19:10:04 panki /bsd: avail mem = 8152571904 (7774MB)
May  3 19:10:04 panki /bsd: random: good seed from bootblocks
May  3 19:10:04 panki /bsd: mainbus0 at root
May  3 19:10:04 panki /bsd: bios0 at mainbus0: SMBIOS rev. 3.0 @ 0xec6a0 (50 entries)
May  3 19:10:04 panki /bsd: bios0: vendor American Megatrends Inc. version F1 date 06/11/2018
May  3 19:10:04 panki /bsd: bios0: Gigabyte Technology Co., Ltd. Default string
May  3 19:10:04 panki /bsd: acpi0 at bios0: ACPI 6.0
May  3 19:10:04 panki /bsd: acpi0: tables DSDT FACP FPDT FIDT MCFG DBG2 DBGP HPET LPIT APIC NPKT PRAM WSMT SSDT SSDT SSDT SSDT SSDT SSDT SSDT UEFI TPM2 WDAT
May  3 19:10:04 panki /bsd: acpihpet0 at acpi0: 1920 Hz
May  3 19:10:04 panki /bsd: acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
May  3 19:10:04 panki /bsd: cpu0 at mainbus0: apid 0 (boot processor)
May  3 19:10:04 panki /bsd: cpu0: Intel(R) Pentium(R) CPU N4200 @ 1.10GHz, 1097.86 MHz, 06-5c-09
May  3 19:10:04 panki /bsd: cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,MPX,RDSEED,SMAP,CLFLUSHOPT,PT,SHA,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
May  3 19:10:04 panki /bsd: cpu0: 1MB 64b/line 16-way L2 cache
May  3 19:10:04 panki /bsd: cpu0: apic clock running at 19MHz
May  3 19:10:04 panki /bsd: cpu0: mwait min=64, max=64, C-substates=0.2.0.2.4.2.1.1, IBE
May  3 19:10:04 panki /bsd: cpu at mainbus0: not configured
May  3 19:10:04 panki last message repeated 2 times
May  3 19:10:04 panki /bsd: ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 120 pins
May  3 19:10:04 panki /bsd: acpiprt0 at acpi0: bus 0 (PCI0)
May  3 19:10:04 panki /bsd: acpiprt1 at acpi0: bus -1 (RP01)
May  3 19:10:04 panki /bsd: acpiprt2 at acpi0: bus -1 (RP02)
May  3 19:10:04 panki /bsd: acpiprt3 at acpi0: bus 1 (RP03)
May  3 19:10:04 panki /bsd: acpiprt4 at acpi0: bus 2 (RP04)
May  3 19:10:04 panki /bsd: acpiprt5 at acpi0: bus 3 (RP05)
May  3 19:10:04 panki /bsd: acpiprt6 at acpi0: bus 4 (RP06)
May  3 19:10:04 panki /bsd: acpiec0 at acpi0: not present
May  3 19:10:04 panki /bsd: acpipci0 at acpi0 PCI0: 0x 0x0011 0x0001
May  3 19:10:04 panki /bsd: acpicmos0 at acpi0
May  3 19:10:04 panki /bsd: PNP0C0C at acpi0 not configured
May  3 19:10:04 panki /bsd: aplgpio0 at acpi0 GPO0 uid 1 addr 0xd0c5/0x76c irq 14, 78 pins
May  3 19:10:04 panki /bsd: aplgpio1 at acpi0 GPO1 uid 2 addr 0xd0c4/0x764 irq 14, 77 pins
May  3 19:10:04 panki /bsd: aplgpio2 at acpi0 GPO2 uid 3 addr 0xd0c7/0x674 irq 14, 47 pins
May  3 19:10:04 panki /bsd: aplgpio3 at acpi0 GPO3 uid 4 addr 0xd0c0/0x654 irq 14, 43 pins
May  3 19:10:04 panki /bsd: INT33A1 at acpi0 not configured
May  3 19:10:04 panki /bsd: MSFT0101 at acpi0 not configured
May  3 19:10:04 panki /bsd: PNP0C0B at acpi0 not configured
May  3 19:10:04 panki /bsd: acpicpu at acpi0 not configured
May  3 19:10:04 panki /bsd: acpipwrres at acpi0 not configured
May  3 19:10:04 panki /bsd: acpitz at acpi0 not configured
May  3 19:10:04 panki /bsd: pci0 at mainbus0 bus 0
May  3 19:10:04 panki /bsd: pchb0 at pci0 dev 0 function 0 Intel Apollo Lake Host rev 0x0b
May  3 19:10:04 panki /bsd: Intel HD Graphics 505 rev 0x0b at pci0 dev 2 function 0 not configured
May  3 19:10:04 panki /bsd: Intel Apollo Lake HD Audio rev 0x0b at pci0 dev 14 function 0 not configured
May  3 19:10:04 panki /bsd: Intel Apollo Lake TXE rev 0x0b at pci0 dev 15 function 0 not configured
May  3 19:10:04 panki /bsd: vendor Intel, unknown product 0x5a9c (class communications subclass miscellaneous, rev 0x0b) at pci0 dev 15 function 1 not configured
May  3 19:10:04 panki /bsd: vendor Intel, unknown product

Re: Samba server issue with Windows file properties

2021-04-07 Thread kasak

hello.

You should look at the option "store dos attributes".

quote: When this parameter is set it will override the parameters map 
hidden, map system, map archive and map readonly and they will behave as 
if they were set to off.


This option is by default ENABLED in samba 4.9. And when it is enabled, 
samba will try to store dos attributes in extended attributes of the 
filesystem.

OpenBSD FFS does not have support for extended attributes.

And your "map" options do not work, because "store dos attributes" is 
set.


Try to add "store dos attributes = no" to the share definition.

07.04.2021 11:39, jeanfrancois writes:

Good day,


Sorry to bother with this issue, if someone has a few minutes to check 
for hint that'd be very helpful.


Thank you.


After trying everything I could think of, samba still doesn't seem to 
properly work with Windows special properties:


map archive
map ...

From Windows's properties, the Unix properties don't map the archive, 
... states, nor can we change them.


Changing for example a file or folder to "hidden" from Windows results 
in the error "request not supported".


Changing the Unix property in the OpenBSD file system doesn't result in 
showing the proper states in Windows.



Do you have hints? Does enabling the samba map need something else to be 
set up in the samba configuration, or something specific to OpenBSD?



I note the "Archive" should be on by default but doesn't work; I think 
the issue may not be in the samba configuration.



Here are few configuration files:


fstab


/dev/wd1a /home/pub/ ffs rw 1 2


smb.conf


[global]

workgroup = WORKGROUP
server string = %h server

socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192


log file = /var/log/samba/smbd.%m
max log size = 1024
syslog = 1
log level = 3

dns proxy = no

domain master = yes
netbios name = sambaserver
local master = yes

map to guest = Bad User
invalid users = root
unix password sync = yes
domain logons = no
usershare allow guests = yes

#== Share Definitions 

[localshare]
    browseable = yes
    path = /home/pub
    writeable = yes
    guest ok = yes
    valid users = localshare
    create mask = 0755
    directory mask = 0755

    map readonly = yes
    map archive = yes
    map hidden = yes
    map system = yes


Le 24/03/2021 à 17:00, Kenneth Gober a écrit :
On Mon, Mar 22, 2021 at 9:11 AM jeanfrancois wrote:


    It has sometimes error messages when copy which I tracked to being
    from
    Windows network to the Samba server where source files or folders's
    properties are not supported (like archiving option).

    Has someone a fix for this, or can point out what I may have 
missed ?



Consult the smb.conf man page ("man smb.conf") and read about the
"map readonly", "map archive", "map hidden" and "map system" options.
These may help you.

-ken
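The override kasak describes above is easy to check mechanically rather than by reading four man page entries. The following is an added example, mine and not code from the thread or from Samba: it reads an smb.conf, resolves `store dos attributes` per share with the [global] section and then the Samba 4.9 default of yes as fallbacks, and lists the `map ...` options that are consequently inert. The embedded configuration is a trimmed copy of the one posted in this thread, used here as constructed sample input, once as posted and once with the suggested `store dos attributes = no` added to the share.

```python
"""Find smb.conf shares whose `map ...` options are overridden by `store dos attributes` (added example)."""
from typing import Dict, List

MAP_OPTIONS = ("map readonly", "map archive", "map hidden", "map system")
TRUE_VALUES = {"yes", "true", "1", "on"}
STORE_DOS_DEFAULT = "yes"        # Samba's compiled-in default since 4.9


def norm(key: str) -> str:
    """Samba matches parameter names case-insensitively and ignores whitespace."""
    return "".join(key.split()).lower()


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: [section] headers, key = value, full-line # or ; comments."""
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")   # split on the first '=' only
        conf[section][norm(key)] = value.strip()
    return conf


def effective(conf: Dict[str, Dict[str, str]], share: str, key: str, default: str) -> str:
    """Share value, else [global] value, else the compiled-in default."""
    k = norm(key)
    return conf.get(share, {}).get(k, conf.get("global", {}).get(k, default))


def audit_dos_attributes(conf: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each share to the map options that an effective `store dos attributes = yes` makes inert."""
    findings: Dict[str, List[str]] = {}
    for share in conf:
        if share == "global":
            continue
        store = effective(conf, share, "store dos attributes", STORE_DOS_DEFAULT).lower()
        if store not in TRUE_VALUES:
            continue
        ignored = [opt for opt in MAP_OPTIONS
                   if norm(opt) in conf[share] or norm(opt) in conf.get("global", {})]
        if ignored:
            findings[share] = ignored
    return findings


# Constructed sample: trimmed from the smb.conf posted in this thread.
SAMPLE_SMB_CONF = """\
[global]
workgroup = WORKGROUP
server string = %h server
map to guest = Bad User
invalid users = root

#== Share Definitions
[localshare]
    browseable = yes
    path = /home/pub
    writeable = yes
    guest ok = yes
    valid users = localshare
    create mask = 0755
    directory mask = 0755

    map readonly = yes
    map archive = yes
    map hidden = yes
    map system = yes
"""

# The same share with the fix suggested above appended to it.
FIXED_SMB_CONF = SAMPLE_SMB_CONF + "    store dos attributes = no\n"

if __name__ == "__main__":
    print("as posted:", audit_dos_attributes(parse_smb_conf(SAMPLE_SMB_CONF)))
    print("with fix: ", audit_dos_attributes(parse_smb_conf(FIXED_SMB_CONF)))
```

Point it at `/etc/samba/smb.conf` after `testparm -s` has normalised the file if you want includes and `config file` redirections resolved first; an empty result means every `map ...` line on the server can actually take effect on FFS.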




Re: pf filtering on bridge totally blown my mind

2020-11-27 Thread kasak



27.11.2020 13:04, kasak writes:


27.11.2020 12:58, Zé Loff writes:

On Fri, Nov 27, 2020 at 12:05:49PM +0300, kasak wrote:

My configuration requires the use of a bridge:

I have files:

cat /etc/hostname.bridge0
add vether0
add em1
add tap1
up

files hostname.em1 and tap1 just contain "up"

and the file hostname.vether0 contains:

inet 172.16.0.1 255.240.0.0 NONE description "LAN Link"

this is ifconfig:

em1: flags=8b43 mtu 1500
    lladdr 68:05:ca:22:d8:d3
    index 3 priority 0 llprio 3
    media: Ethernet autoselect (1000baseT full-duplex)
    status: active
bridge0: flags=41
    index 6 llprio 3
    groups: bridge
    priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
    tap1 flags=3
        port 7 ifpriority 0 ifcost 0
    em1 flags=3
        port 3 ifpriority 0 ifcost 0
    vether0 flags=3
        port 8 ifpriority 0 ifcost 0
tap1: flags=8943 mtu 1500
    lladdr fe:e1:ba:d0:c5:d9
    index 7 priority 0 llprio 3
    groups: tap
    status: active
vether0: flags=8943 mtu 1500
    lladdr fe:e1:ba:d1:e5:18
    description: LAN Link
    index 8 priority 0 llprio 3
    groups: vether
    media: Ethernet autoselect
    status: active
    inet 172.16.0.1 netmask 0xfff0 broadcast 172.31.255.255

The only thing I wanted is to redirect NTP packets to the router's local
interface:

gater:~$ doas pfctl -sr
block return all
pass all flags S/SA
block drop in on em0 all
pass out on em0 inet from 172.16.0.0/12 to any flags S/SA nat-to 212.233.112.10
pass in log on bridge0 inet proto tcp from ! 172.16.0.5 to any port = 123 flags S/SA rdr-to 127.0.0.1
pass in log on bridge0 inet proto udp from ! 172.16.0.5 to any port = 123 rdr-to 127.0.0.1

But this rule is just not working, and I cannot fix it.
I've tried to change "bridge0" to "em0"; it doesn't change anything. 
pflog doesn't log anything either.

This is from the client:

[kasak@kasakoff ~]$ ntpdate -q pool.ntp.org
server 195.3.254.2, stratum 2, offset +0.004216, delay 0.03334
server 192.36.143.130, stratum 1, offset +0.88, delay 0.04488
server 193.192.36.3, stratum 3, offset -0.07, delay 0.04155
server 80.240.216.155, stratum 2, offset +0.000807, delay 0.02821
27 Nov 12:04:17 ntpdate[155506]: adjust time server 192.36.143.130 offset +0.88 sec
[kasak@kasakoff ~]$ ntpdate -q 172.16.0.1
server 172.16.0.1, stratum 4, offset -0.000107, delay 0.02589
27 Nov 12:04:19 ntpdate[155511]: adjust time server 172.16.0.1 offset -0.000107 sec

Is there some secret I've failed to find in man?


Are you sure you mean em0 and not em1 in your pf rules?


em0 is my external interface, em1 is the LAN interface.

I see a typo in my message.

I've tried to change "bridge0" to "em1"; it doesn't change anything.

Also I forgot to mention, 172.16.0.5 is not the client address, it is 
another server.


Anyway, I tried from any to any too; it does not help either :(



I finally got it working!

I've changed bridge0 to vether0!

pass in on vether0 inet proto {tcp,udp} from any to any port ntp rdr-to lo

and now this what i have from client:

[kasak@kasakoff ~]$ ntpdate -q pool.ntp.org
server 89.110.32.178, stratum 4, offset +0.000171, delay 0.02608
27 Nov 15:18:43 ntpdate[159576]: adjust time server 89.110.32.178 offset 
+0.000171 sec

[kasak@kasakoff ~]$ ntpdate -q 172.16.0.1
server 172.16.0.1, stratum 4, offset +0.92, delay 0.02614
27 Nov 15:18:46 ntpdate[159581]: adjust time server 172.16.0.1 offset 
+0.92 sec


perfect!
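Spelled out as an added configuration example of my own, not something posted in the thread: pf evaluates rules on the interfaces a packet actually enters and leaves, which on a bridged LAN are the bridge members, and a packet addressed to an outside NTP server is only handed to the router's own IP stack on vether0, the member that carries 172.16.0.1. That is why the rules written on bridge0 above never logged anything and the vether0 rule worked. The exemption for 172.16.0.5 is carried over from the original rule set; the ntpd.conf lines are an assumption about the router's OpenNTPD, which answers only on addresses it is told to listen on, and the redirect delivers the clients' queries to 127.0.0.1.

```conf
# --- /etc/pf.conf (fragment) ---
lan_if     = "vether0"       # bridge0 member holding 172.16.0.1/12
ntp_exempt = "172.16.0.5"    # server allowed to reach upstream NTP itself

# A rule "on bridge0" never matches; pf sees the packet on vether0.
# Every other LAN host asking any NTP server gets the router's ntpd instead.
pass in log on $lan_if inet proto { tcp udp } from ! $ntp_exempt \
    to any port ntp rdr-to 127.0.0.1

# --- /etc/ntpd.conf (assumed OpenNTPD on the router) ---
listen on 127.0.0.1          # redirected queries arrive here
listen on 172.16.0.1         # hosts that query the router directly
servers pool.ntp.org
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; because the rule is logged, `tcpdump -n -e -ttt -i pflog0 port 123` on the router shows each redirected query, and `ntpdate -q pool.ntp.org` from a LAN host should report the router's stratum rather than the upstream server's, as it did at the end of this thread.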



Re: pf filtering on bridge totally blown my mind

2020-11-27 Thread kasak



27.11.2020 12:58, Zé Loff writes:

On Fri, Nov 27, 2020 at 12:05:49PM +0300, kasak wrote:

My configuration requires the use of a bridge:

I have files:

cat /etc/hostname.bridge0
add vether0
add em1
add tap1
up

files hostname.em1 and tap1 just contain "up"

and the file hostname.vether0 contains:

inet 172.16.0.1 255.240.0.0 NONE description "LAN Link"

this is ifconfig:

em1: flags=8b43 mtu 1500
     lladdr 68:05:ca:22:d8:d3
     index 3 priority 0 llprio 3
     media: Ethernet autoselect (1000baseT full-duplex)
     status: active
bridge0: flags=41
     index 6 llprio 3
     groups: bridge
     priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
     tap1 flags=3
         port 7 ifpriority 0 ifcost 0
     em1 flags=3
         port 3 ifpriority 0 ifcost 0
     vether0 flags=3
         port 8 ifpriority 0 ifcost 0
tap1: flags=8943 mtu 1500
     lladdr fe:e1:ba:d0:c5:d9
     index 7 priority 0 llprio 3
     groups: tap
     status: active
vether0: flags=8943 mtu 1500
     lladdr fe:e1:ba:d1:e5:18
     description: LAN Link
     index 8 priority 0 llprio 3
     groups: vether
     media: Ethernet autoselect
     status: active
     inet 172.16.0.1 netmask 0xfff0 broadcast 172.31.255.255

The only thing I wanted is to redirect NTP packets to the router's local
interface:

gater:~$ doas pfctl -sr
block return all
pass all flags S/SA
block drop in on em0 all
pass out on em0 inet from 172.16.0.0/12 to any flags S/SA nat-to
212.233.112.10
pass in log on bridge0 inet proto tcp from ! 172.16.0.5 to any port = 123
flags S/SA rdr-to 127.0.0.1
pass in log on bridge0 inet proto udp from ! 172.16.0.5 to any port = 123
rdr-to 127.0.0.1

But this rule is just not working, and I cannot fix it.
I've tried to change "bridge0" to "em0"; it doesn't change anything. pflog
doesn't log anything either.

This is from the client:

[kasak@kasakoff ~]$ ntpdate -q pool.ntp.org
server 195.3.254.2, stratum 2, offset +0.004216, delay 0.03334
server 192.36.143.130, stratum 1, offset +0.88, delay 0.04488
server 193.192.36.3, stratum 3, offset -0.07, delay 0.04155
server 80.240.216.155, stratum 2, offset +0.000807, delay 0.02821
27 Nov 12:04:17 ntpdate[155506]: adjust time server 192.36.143.130 offset
+0.88 sec
[kasak@kasakoff ~]$ ntpdate -q 172.16.0.1
server 172.16.0.1, stratum 4, offset -0.000107, delay 0.02589
27 Nov 12:04:19 ntpdate[155511]: adjust time server 172.16.0.1 offset
-0.000107 sec

Is there some secret I've failed to find in man?


Are you sure you mean em0 and not em1 in your pf rules?


em0 is my external interface, em1 is the LAN interface.

I see a typo in my message.

I've tried to change "bridge0" to "em1"; it doesn't change anything.

Also I forgot to mention, 172.16.0.5 is not the client address, it is 
another server.


Anyway, I tried from any to any too; it does not help either :(



pf filtering on bridge totally blown my mind

2020-11-27 Thread kasak

My configuration requires the use of a bridge:

I have files:

cat /etc/hostname.bridge0
add vether0
add em1
add tap1
up

files hostname.em1 and tap1 just contain "up"

and the file hostname.vether0 contains:

inet 172.16.0.1 255.240.0.0 NONE description "LAN Link"

this is ifconfig:

em1: flags=8b43 mtu 1500
    lladdr 68:05:ca:22:d8:d3
    index 3 priority 0 llprio 3
    media: Ethernet autoselect (1000baseT full-duplex)
    status: active
bridge0: flags=41
    index 6 llprio 3
    groups: bridge
    priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
    tap1 flags=3
        port 7 ifpriority 0 ifcost 0
    em1 flags=3
        port 3 ifpriority 0 ifcost 0
    vether0 flags=3
        port 8 ifpriority 0 ifcost 0
tap1: flags=8943 mtu 1500
    lladdr fe:e1:ba:d0:c5:d9
    index 7 priority 0 llprio 3
    groups: tap
    status: active
vether0: flags=8943 mtu 1500
    lladdr fe:e1:ba:d1:e5:18
    description: LAN Link
    index 8 priority 0 llprio 3
    groups: vether
    media: Ethernet autoselect
    status: active
    inet 172.16.0.1 netmask 0xfff0 broadcast 172.31.255.255

The only thing I wanted is to redirect NTP packets to the router's local 
interface:


gater:~$ doas pfctl -sr
block return all
pass all flags S/SA
block drop in on em0 all
pass out on em0 inet from 172.16.0.0/12 to any flags S/SA nat-to 
212.233.112.10
pass in log on bridge0 inet proto tcp from ! 172.16.0.5 to any port = 
123 flags S/SA rdr-to 127.0.0.1
pass in log on bridge0 inet proto udp from ! 172.16.0.5 to any port = 
123 rdr-to 127.0.0.1


But this rule is just not working, and I cannot fix it.
I've tried to change "bridge0" to "em0"; it doesn't change anything. 
pflog doesn't log anything either.


This is from the client:

[kasak@kasakoff ~]$ ntpdate -q pool.ntp.org
server 195.3.254.2, stratum 2, offset +0.004216, delay 0.03334
server 192.36.143.130, stratum 1, offset +0.88, delay 0.04488
server 193.192.36.3, stratum 3, offset -0.07, delay 0.04155
server 80.240.216.155, stratum 2, offset +0.000807, delay 0.02821
27 Nov 12:04:17 ntpdate[155506]: adjust time server 192.36.143.130 offset +0.88 sec

[kasak@kasakoff ~]$ ntpdate -q 172.16.0.1
server 172.16.0.1, stratum 4, offset -0.000107, delay 0.02589
27 Nov 12:04:19 ntpdate[155511]: adjust time server 172.16.0.1 offset -0.000107 sec


Is there some secret I've failed to find in the man page?



Re: samba macos epic fail

2020-11-23 Thread kasak



23.11.2020 00:45, Lyndon Nerenberg writes:

Somebody please tell me what the hell I am doing wrong here.

OpenBSD 6.8, samba 4.9.18 via pkg_add, MacOS 10.15.7 fully patched.

My main goal is to get Time Machine backups running, but I keep getting
all sorts of inscrutable errors about file permissions.  The backup manages
to create a few directories before it blows up:

   : root@broken:/dump/tm; find . -ls
   27641856   32 drwxr-xr-x  3 lyndon  wheel  512 Nov 22 13:27 .
   27641857    0 -rwxr--r--  1 lyndon  wheel    0 Nov 22 13:27 ./.com.apple.timemachine.supported-d865743e-fb2-4a68-b0e7-10857c459e5c
   27641858    0 -rwxr--r--  1 lyndon  wheel    0 Nov 22 13:27 ./.com.apple.timemachine.supported-64bebc6e-ed10-4c41-9f21-301de558be49
   27641859   32 drwx------  3 lyndon  wheel  512 Nov 22 13:27 ./30228818-9C9E-5DBF-8F9B-36F186FA68BF.sparsebundle
   27641860   32 -rw-r--r--  1 lyndon  wheel  502 Nov 22 13:27 ./30228818-9C9E-5DBF-8F9B-36F186FA68BF.sparsebundle/Info.plist
   27641861   32 -rw-r--r--  1 lyndon  wheel  502 Nov 22 13:27 ./30228818-9C9E-5DBF-8F9B-36F186FA68BF.sparsebundle/Info.bckup
   27641862   32 drwx------  2 lyndon  wheel  512 Nov 22 13:27 ./30228818-9C9E-5DBF-8F9B-36F186FA68BF.sparsebundle/bands
   27641863    0 -rwx------  1 lyndon  wheel    0 Nov 22 13:27 ./30228818-9C9E-5DBF-8F9B-36F186FA68BF.sparsebundle/token
   : root@broken:/dump/tm; ls -ld
   drwxr-xr-x  3 lyndon  wheel  512 Nov 22 13:27 .
   : root@broken:/dump/tm;

There's nothing magic about the /dump mount:
   
   fd71e51011d0eabf.c /dump ffs rw,softdep,nodev,nosuid 0 2


Below is my smbd.conf in full.  I'm hoping somebody can point out the
stupidly obvious mistake I'm making :-P  Note that by now I have tried
every sample smbd.conf that exists on the web, so I'd really like to
hear from somebody who *actually has this working*.

--lyndon

---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---

[global]
   min protocol =  SMB2
   ea support = yes
   inherit acls = yes
   #create mask = 0640
   #directory mask = 0750
   workgroup = BITSEA
   server role = standalone server
   log file = /var/log/samba/smbd.%m
   max log size = 200

# Shares
[homes]
comment = Home Directories
browseable = no
writable = yes

[public]
comment = Public Stuff
path = /pub
public = yes
writable = no
printable = no

# Time Machine
[timemachine]
   comment = Time Machine Backups
   path = /dump/tm
   browseable = yes
   writeable = yes
   vfs objects = catia fruit streams_xattr
   fruit:aapl = yes
   fruit:time machine = yes
   fruit:metadata = stream
   fruit:model = MacSamba
   fruit:posix_rename = yes
   fruit:veto_appledouble = no
   fruit:advertise_fullsync = true

The one thing you should know about is the fact that OpenBSD doesn't
support extended attributes.


So, basically, you cannot use the streams_xattr module.

Anyway, I tried to use streams_depot instead, but it doesn't work either.

So, I am using netatalk for myself. It just works. But you must use
AppleDouble to store extended attributes.




Re: A new race condition in OpenVPN and Unbound services

2020-11-21 Thread Kasak



> On Nov 21, 2020, at 07:24, Predrag Punosevac wrote:
> 
> 
> Hi Misc,
> 
> Has anybody else noticed a new race condition causing Unbound to fail
> due to the fact that OpenVPN interface is not available. 
> 
> Since a few releases ago I have this in my rc.conf.local to start
> openvpn server and unbound
> 
> openvpn_flags=--config /etc/openvpn/server.conf
> pkg_scripts=sshguard collectd smartd openvpn
> sensorsd_flags=
> snmpd_flags=
> syslogd_flags="-h"
> unbound_flags=
> 
> Previously I was starting OpenVPN server via 
> /etc/hostname.tun0 
> 
> file
> 
> up link0
> !/usr/local/sbin/openvpn --daemon --config /etc/openvpn/server.conf
> 
> I noticed this morning after upgrading 2 of my OpenVPN servers that
> unbound is failing to start because tun0 is not available on time. If I
> go back to start OpenVPN server from /etc/hostname.tun0 file everything
> works as expected.
> 
> Cheers,
> Predrag
> 
I can advise you not to bind unbound to the tun (tap) interface. You can bind it to
a physical NIC or virtual NIC, and just allow recursion for the VPN network. Of
course you should turn on net.inet.ip.forwarding in sysctl.



Re: help me to create hostname.wg

2020-10-30 Thread kasak



30.10.2020 19:18, Josh Grosse writes:

On Fri, Oct 30, 2020 at 07:05:51PM +0300, kasak wrote:

Hello misc. I'm trying to create a wg interface, but have no luck.

Here is my /etc/hostname.wg0:

$ cat /etc/hostname.wg0
inet 10.0.0.1/24
wgkey 
wgpeer  wgaip 10.0.0.2

After running doas sh /etc/netstart wg0 I have:

$ ifconfig wg0

wg0: flags=80c3 mtu 1420
    index 6 priority 0 llprio 3
    wgport 9022
    groups: wg
    inet 10.0.0.1 netmask 0xff00 broadcast 10.0.0.255

and:

$ wg showconf wg0
[Interface]
ListenPort = 9022

Why are the keys not configured?

The keys only show in ifconfig(8) output when you run it as the superuser.

Brilliant! It works! Thank you :)



help me to create hostname.wg

2020-10-30 Thread kasak

Hello misc. I'm trying to create a wg interface, but have no luck.

Here is my /etc/hostname.wg0:

$ cat /etc/hostname.wg0
inet 10.0.0.1/24
wgkey 
wgpeer  wgaip 10.0.0.2

After running doas sh /etc/netstart wg0 I have:

$ ifconfig wg0

wg0: flags=80c3 mtu 1420
    index 6 priority 0 llprio 3
    wgport 9022
    groups: wg
    inet 10.0.0.1 netmask 0xff00 broadcast 10.0.0.255

and:

$ wg showconf wg0
[Interface]
ListenPort = 9022

Why are the keys not configured?



Re: l2ip + ipsec question

2020-07-21 Thread kasak



21.07.2020 11:43, Stuart Henderson writes:


most endpoints cope with slightly less terrible crypto, you can try
something like

ike passive esp transport \
 proto udp from my.external.ip to any port 1701 \
 main auth "hmac-sha1" enc "aes-256" group modp2048 \
 quick auth "hmac-sha2-256" enc "aes-256" \
 psk "0s5jTDcMziOVw3DXZqaGOVlEZyoe8I9c"

(psk generated randomly from "openssl rand -base64 (length)", use
something complex if you can copy-and-paste to the other devices)


Yep, mod2048 works, thanks!

2) The ipsec.conf man page says that "esp" is the default. But if I omit this
option, it stops working with an error like: PAYLOAD_MALFORMED.

3) And the most difficult for me to understand: why do all howtos use
this fragment:

proto udp from my.ga.te.ip to any port 1701 ??

The ipsec.conf man page says: from src [port sport] [(srcnat)] to dst [port
dport]

So, this line declares a tunnel where our gate uses any port, and our
expected remote client uses port 1701?? Why does this even work?

Thank you in advance for help!




It relies on the fact that l2tp uses a fixed source port, iirc you can
use "from my.gate.ip port 1701 to any port 1701" if you want.

btw I strongly recommend avoiding l2tp+ipsec if you have another choice.
Plain ipsec (ikev1 or ikev2) or other protocols like wireguard/openvpn
cope better if you end up on a natted network.


I'm sorry but I still do not understand. I have fired up tcpdump on enc0

and this is what I see there:

12:20:01.791795 (authentic,confidential): SPI 0x0e3e51b6: 212.233.112.12.l2tp > mx.kasakoff.net.59516: l2tp:[LS](14/9936)Ns=13,Nr=65535[hdlc|][|l2tp]
12:20:01.894911 (authentic,confidential): SPI 0x0e3e51b6: 212.233.112.12.l2tp > mx.kasakoff.net.59516: l2tp:[LS](14/9936)Ns=14,Nr=65535[hdlc|][|l2tp]
12:20:05.066256 (authentic,confidential): SPI 0xd5815d86: mx.kasakoff.net.59516 > 212.233.112.12.l2tp: l2tp:[L](83/7415)[hdlc|][|l2tp]
12:20:06.073233 (authentic,confidential): SPI 0xd5815d86: mx.kasakoff.net.59516 > 212.233.112.12.l2tp: l2tp:[L](83/7415)[hdlc|][|l2tp]


Here, 212.233.112.12 is my gateway ip, and mx.kasakoff.net is the client.

As I can see, the client side does not use port 1701.

But either

"from 212.233.112.12 port l2tp to any"

or

"from 212.233.112.12 to any port l2tp" works!

I can't fully understand why.



l2ip + ipsec question

2020-07-20 Thread kasak

Hello misc.
Recently, I needed to set up l2tp-ipsec for some IP phones to reach my
network.


So, the l2tp part is no trouble at all with npppd, but the ipsec part
is harder to understand.


After reading the ipsec and ipsec.conf man pages,

I tried to add just one line:

ike passive from my.ga.te.ip to any psk "mykey"

but this didn't work.

After some googling, I found this line:

ike passive esp transport \
proto udp from 1.2.3.4 to any port 1701 \
main auth "hmac-sha1" enc "3des" group modp1024 \
quick auth "hmac-sha1" enc "aes" \
psk "password"

it was found on undeadly.org

I need help to understand how it even works.

1) Why does somebody use "transport" here and somebody else use "tunnel"? I
myself tried "transport" and it works. Then, what is the difference for
l2tp?


2) The ipsec.conf man page says that "esp" is the default. But if I omit this
option, it stops working with an error like: PAYLOAD_MALFORMED.


3) And the most difficult for me to understand: why do all howtos use
this fragment:


proto udp from my.ga.te.ip to any port 1701 ??

The ipsec.conf man page says: from src [port sport] [(srcnat)] to dst [port
dport]


So, this line declares a tunnel where our gate uses any port, and our
expected remote client uses port 1701?? Why does this even work?


Thank you in advance for help!




Re: dynamic dns updates for clients in my home network?

2020-04-25 Thread kasak

OpenBSD's dhcpd and unbound do not support dynamic DNS.
The easiest way is to install isc-dhcp-server and isc-bind from
packages. There are plenty of howtos for this setup.


25.04.2020 22:00, bofh writes:

Hi,
I searched through the archives and saw a couple of discussions about using
Dnsmasq from a long time ago.

Is that the best way to let the stuff in my home to have valid dns entries
in my home network?

How difficult is it to get the OpenBSD provided dhcpd and unbound to do
this?

Thanks.




Re: Samba on obsd

2020-03-25 Thread kasak



25.03.2020 02:06, Lars Bonnesen writes:

Hi. I am having a project on setting up Samba to work as a replacement for
MS AD.

I would prefer to do it on OpenBSD, but how is the implementation of Samba
on OpenBSD? Is it enhanced in a way that will cause any known problems that
would not be on say... CentOS?

Regards, Lars.


Samba AD is not working on OpenBSD because FFS has no EA support.

CentOS is a bad choice too, because of its permanently outdated version of samba.

You should try Arch Linux or FreeBSD for this project; both of them have a
nearly latest version of samba.



Re: SSL_ERROR_DECODE_ERROR_ALERT in Fedora 30 Firefox when connecting to some OpenBSD servers

2019-06-06 Thread kasak

Stuart Henderson wrote on 2019-06-05 17:10:

On 2019-06-05, Frank Groeneveld  wrote:

On Wed, Jun 5, 2019, at 08:07, Frank Groeneveld wrote:

After updating to Firefox 67.0 on Fedora 30 it seems some OpenBSD
servers cannot be reached over HTTPS anymore. The error produced is
SSL_ERROR_DECODE_ERROR_ALERT. I get this with some of my own servers,
but also with https://cvsweb.openbsd.org/
Anybody know what is going on? Chromium and openssl s_client on the
same system works fine and the same Firefox version in Ubuntu, Mac OS
and Windows don't have this problem.

Thanks in advance.


Sorry for the noise, apparently there is a bug in the Fedora side when 
connecting with newer versions of LibreSSL. Related bug report: 
https://bugzilla.redhat.com/show_bug.cgi?id=1713777


The bug is server-side not client, looks like it would have been introduced
around January, and fixed in lib/libssl/ssl_tlsext.c r1.49


revision 1.49
date: 2019/05/29 17:28:37;  author: jsing;  state: Exp;  lines: +2 -5;
 commitid: DLpHk0vyoFEK0Baa;
Relax parsing of TLS key share extensions on the server.

The RFC does not require X25519 and it also allows clients to send an empty
key share when they want the server to select a group. The current behaviour
results in handshake failures where the client supports TLS 1.3 and sends a
TLS key share extension that does not contain X25519.

Issue reported by Hubert Kario via github.

ok tb@



Excuse me, can this issue also break dovecot and latest thunderbird?
With the latest thunderbird 60.7.0 (on fedora) my dovecot (and 
opensmtpd) suddenly refuse to log me in.

Dovecot shows something like this in logs:

TLS handshaking: SSL_accept() failed: error:140270E3:SSL routines:ACCEPT_SR_CLNT_HELLO_C:parse tlsext


I found a workaround for this, by switching from "STARTTLS" to SSL/TLS for
imap. But OpenSMTPD is still not working.
As I said, this behavior appeared in the latest thunderbird 60.7.0. Older
versions of thunderbird work.
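The key share handling the quoted commit message describes, as an added example that is not LibreSSL's code or anything from this thread: a minimal encoder and parser for the TLS 1.3 key_share extension (RFC 8446), with a strict server that insists on an X25519 share beside the relaxed selection the fix calls for. The group code points are the RFC's; the key material is constructed placeholder bytes, and the module-level names are this example's own.

```python
import struct

# NamedGroup code points from RFC 8446 section 4.2.7
X25519 = 0x001D
SECP256R1 = 0x0017
SECP384R1 = 0x0018

# Constructed, non-secret placeholder public values of the right length:
# 32 bytes for x25519, a 65-byte uncompressed point for secp256r1.
FAKE_X25519_PUB = bytes(range(32))
FAKE_P256_PUB = b"\x04" + bytes(64)


class DecodeError(Exception):
    """Stands in for the decode_error alert the client reports as
    SSL_ERROR_DECODE_ERROR_ALERT."""


def encode_key_share(entries):
    """Build KeyShareClientHello: u16 vector length, then per share
    u16 group | u16 key_exchange length | key_exchange bytes.
    An empty list produces the legal empty client_shares vector."""
    body = b"".join(struct.pack("!HH", g, len(k)) + k for g, k in entries)
    return struct.pack("!H", len(body)) + body


def decode_key_share(data):
    """Parse KeyShareClientHello into [(group, key_exchange), ...]."""
    if len(data) < 2:
        raise DecodeError("missing client_shares length")
    (total,) = struct.unpack("!H", data[:2])
    if total != len(data) - 2:
        raise DecodeError("client_shares length mismatch")
    shares, pos = [], 2
    while pos < len(data):
        if pos + 4 > len(data):
            raise DecodeError("truncated KeyShareEntry")
        group, key_len = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if key_len == 0 or pos + key_len > len(data):
            raise DecodeError("bad key_exchange length")
        shares.append((group, data[pos:pos + key_len]))
        pos += key_len
    return shares


def server_outcome(data, strict, server_groups=(X25519, SECP256R1)):
    """Decide what the server does with the client's key_share.

    strict=True is the pre-fix behaviour the commit message describes: the
    server insists on an X25519 share and otherwise fails the handshake.
    strict=False is what RFC 8446 asks for: use the first share in a group
    the server supports, or send HelloRetryRequest naming a group when no
    share fits, which also covers an empty client_shares vector.
    Returns ("use", group), ("hello_retry_request", group) or
    ("decode_error", reason)."""
    try:
        shares = decode_key_share(data)
    except DecodeError as e:
        return ("decode_error", str(e))
    if strict:
        if any(g == X25519 for g, _ in shares):
            return ("use", X25519)
        return ("decode_error", "no X25519 key share")
    for g, _ in shares:
        if g in server_groups:
            return ("use", g)
    return ("hello_retry_request", server_groups[0])


if __name__ == "__main__":
    # A client offering only secp256r1 (no X25519, as in the report), one
    # sending an empty share list, and one offering x25519.
    clients = [
        ("p256 only", encode_key_share([(SECP256R1, FAKE_P256_PUB)])),
        ("empty", encode_key_share([])),
        ("x25519", encode_key_share([(X25519, FAKE_X25519_PUB)])),
    ]
    for label, hello in clients:
        for strict in (True, False):
            print(f"{label:10} strict={strict!s:5} -> {server_outcome(hello, strict)}")
```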




Re: Software caused connection abort (53) squid 4.6 on OpenBSD 6.5

2019-05-23 Thread Kasak
Have you seen this https://github.com/squid-cache/squid/pull/404 ?

> On May 23, 2019, at 18:12, Marcus MERIGHI wrote:
> 
> Hello, 
> 
> same here.
> 
> I guess bugs@ or ports@ would be better.
> 
> w...@wootsie.com (w...@wootsie.com), 2019.05.23 (Thu) 14:36 (CEST):
>> I have been running into a repeatable error reported by squid 4.6 from
>> packages once the system has been under a steady load for ~12 hours.
> 
> I would not call it repeatable because I can't repeat it at will.
> I did not notice the 12 hours interval. But I have by far less users
> behind squid.
> 
>> Example squid cache.log entry:
>> 2019/05/22 15:03:41 kid1| oldAccept  FD 18, 0.0.0.0 [ job2]: (53) Software
>> caused connection abort
> 
> 2019/05/23 11:51:43 kid1| oldAccept  FD 18, 0.0.0.0 [ job4]: (53)
>  Software caused connection abort
> 
> I see this on one machine with windows clients (max. 4) behind it. 
> I do not see this on another machine with an OpenBSD client (just 1)
> behind it. 
> 
> Both are pcengines APUs, but different versions. dmesgs below. 
> 
> Both setups are up for years, the problem on one of the machines showed
> right after upgrading last week. 
> 
> Marcus
> 
> the machine that does *not* show the symptom:
> 

Re: need docs about udp buffer size

2019-05-16 Thread kasak

16.05.2019 16:51, Claudio Jeker writes:

On Thu, May 16, 2019 at 12:18:53PM +0300, kasak wrote:

Hello! I have a little problem with my unbound:

unbound: notice: sendto failed: No buffer space available

I think I should increase net.inet.udp.sendspace, but I don't really
understand what size I need.

Is there any information about calculating needed buffer space?

It is probably not net.inet.udp.sendspace since that value only affects
how big a packet you can send per UDP. The send buffer is only used to
move the packet to the kernel and is empty after every send.
Please check a) if there are any failures to allocate mbufs (netstat -m
and vmstat -m) and b) interface errors (netstat -i)


I don't really know what all these numbers mean,

netstat -m:

749 mbufs in use:
    571 mbufs allocated to data
    97 mbufs allocated to packet headers
    81 mbufs allocated to socket names and addresses
20/2232 mbuf 2048 byte clusters in use (current/peak)
485/2565 mbuf 2112 byte clusters in use (current/peak)
0/1080 mbuf 4096 byte clusters in use (current/peak)
0/432 mbuf 8192 byte clusters in use (current/peak)
0/112 mbuf 9216 byte clusters in use (current/peak)
0/90 mbuf 12288 byte clusters in use (current/peak)
0/64 mbuf 16384 byte clusters in use (current/peak)
0/80 mbuf 65536 byte clusters in use (current/peak)
9708/27000/524288 Kbytes allocated to network (current/peak/max)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

vmstat -m is pretty long. The one string that has a "fail" counter is pfstate:

pfstate 328 78561518 90858 11156 92096 90849 1247 4167 0 8 0


and here is netstat:

em1 1500 68:05:ca:22:d8:d3 1671803452 128 2136354673 21 0

em1 1500 172.16/12 gater 1671803452 128 2136354673 21 0

I have unbound bound to em1

Does this mean something?
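The check Claudio describes (allocation failures first, then interface errors), as an added example that is not from the thread: a small Python parser for the netstat -m and netstat -i output quoted above that flags mbuf pressure and non-zero interface error counters. The sample text is the thread's own output; the netstat -i header row is constructed, and the function names are this example's own.

```python
import re

# Output copied from the thread above; the netstat -i header row is added
# here for readability (it is not in the quoted mail).
NETSTAT_M = """\
749 mbufs in use:
    571 mbufs allocated to data
    97 mbufs allocated to packet headers
    81 mbufs allocated to socket names and addresses
20/2232 mbuf 2048 byte clusters in use (current/peak)
485/2565 mbuf 2112 byte clusters in use (current/peak)
0/1080 mbuf 4096 byte clusters in use (current/peak)
9708/27000/524288 Kbytes allocated to network (current/peak/max)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
"""

NETSTAT_I = """\
Name  Mtu   Network     Address           Ipkts      Ierrs Opkts      Oerrs Colls
em1   1500  68:05:ca:22:d8:d3 1671803452 128 2136354673 21 0
em1   1500  172.16/12   gater 1671803452 128 2136354673 21 0
"""

# Counters that show the mbuf allocator itself is short of memory.
COUNTERS = {
    "denied": re.compile(r"^(\d+) requests for memory denied"),
    "delayed": re.compile(r"^(\d+) requests for memory delayed"),
    "drain": re.compile(r"^(\d+) calls to protocol drain routines"),
}
NET_KB = re.compile(r"^(\d+)/(\d+)/(\d+) Kbytes allocated to network")
CLUSTER = re.compile(r"^(\d+)/(\d+) mbuf (\d+) byte clusters in use")


def parse_netstat_m(text):
    """Pull failure counters, the network-memory line and per-size cluster
    usage out of OpenBSD `netstat -m` output."""
    stats = {"clusters": {}}
    for line in text.splitlines():
        line = line.strip()
        for key, pat in COUNTERS.items():
            m = pat.match(line)
            if m:
                stats[key] = int(m.group(1))
        m = NET_KB.match(line)
        if m:
            stats["net_kb"] = tuple(int(x) for x in m.groups())
        m = CLUSTER.match(line)
        if m:
            cur, peak, size = (int(x) for x in m.groups())
            stats["clusters"][size] = (cur, peak)
    return stats


def parse_netstat_i(text):
    """Collect per-interface counters from `netstat -i`: the last five columns
    are Ipkts Ierrs Opkts Oerrs Colls.  An interface appears once per address,
    so the first row seen for each name is kept."""
    ifaces = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not all(f.isdigit() for f in fields[-5:]):
            continue
        ipkts, ierrs, opkts, oerrs, colls = (int(f) for f in fields[-5:])
        ifaces.setdefault(fields[0], dict(ipkts=ipkts, ierrs=ierrs,
                                          opkts=opkts, oerrs=oerrs, colls=colls))
    return ifaces


def assess(mstats, ifaces):
    """Apply the reply's check: allocator failures first, then interface
    errors.  Returns a list of (severity, message) in that order."""
    findings = []
    pressure = {k: mstats.get(k, 0) for k in ("denied", "delayed", "drain")}
    if any(pressure.values()):
        detail = ", ".join(f"{k}={v}" for k, v in pressure.items())
        findings.append(("warn", "mbuf allocator under pressure: " + detail))
    else:
        findings.append(("ok", "mbuf pool healthy: no denied or delayed requests, no drain calls"))
    if "net_kb" in mstats:
        cur, peak, limit = mstats["net_kb"]
        findings.append(("ok" if peak * 2 < limit else "warn",
                         f"network memory peak {peak} of {limit} KB ({100 * peak // limit}%)"))
    for name, c in ifaces.items():
        if c["ierrs"] or c["oerrs"] or c["colls"]:
            findings.append(("warn", f"{name}: ierrs={c['ierrs']} oerrs={c['oerrs']} "
                                     f"colls={c['colls']} over {c['ipkts']} in / {c['opkts']} out packets"))
    return findings


if __name__ == "__main__":
    for severity, msg in assess(parse_netstat_m(NETSTAT_M), parse_netstat_i(NETSTAT_I)):
        print(f"[{severity}] {msg}")
```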



need docs about udp buffer size

2019-05-16 Thread kasak

Hello! I have a little problem with my unbound:

unbound: notice: sendto failed: No buffer space available

I think I should increase net.inet.udp.sendspace, but I don't really
understand what size I need.


Is there any information about calculating needed buffer space?



Re: ulpt vs kernel relinking

2019-05-11 Thread kasak

10.05.2019 8:37, Thuban writes:

Hi,
I have a printer that requires ulpt to be disabled
as mentioned in /usr/local/share/doc/pkg-readmes/cups. And it works.

# config -fe /bsd
disable ulpt
quit

After a reboot, I notice:

reorder_kernel: kernel relinking failed; see /usr/share/relink/kernel/GENERIC.MP/relink.log

Ok, so I run, as mentioned in the above file :

sha256 -h /var/db/kernel.SHA256 /bsd

However, at next reboot, ulpt is reenabled.

How can I still have KARL and use my printer?


My machine doesn't boot with pcppi enabled, so to use a patched kernel I do

config -e -o /bsd.nopcppi /bsd

and create /etc/boot.conf with this:

boot bsd.nopcppi





Re: boot problems, nvme?

2019-02-01 Thread kasak

01.02.2019 14:00, Kapetanakis Giannis writes:

On 31/01/2019 15:57, kasak wrote:

31.01.2019 15:18, Kapetanakis Giannis writes:

Hi,

I've just installed current as well as 6.4 on a new pc and I have problems booting it.

Although I can boot bsd.rd and install the system fine I cannot boot the normal kernel.
Boot hangs after
wskbd0 at pckbd0: console keyboard, using wsdisplay1

In bsd.rd next line is
softraid0 at root

I couldn't transfer the dmesg from bsd.rd so I took pictures of it.
Maybe someone can have a look?
https://nefeli.cc.uoc.gr/index.php/s/ce6hAZzTWPcNOLu

thanks

G

I can advise you to try to disable the pcppi driver.

boot -c

disable pcppi

quit

What motherboard do you own?


Thanks that worked.
hw.vendor=Gigabyte Technology Co., Ltd.
hw.product=Z370 HD3P

is this a bug?

G


Maybe. I have an Asus Z170-K with a similar problem.

Also, here is another post:
http://openbsd-archive.7691.n7.nabble.com/pcppi-hangs-td338060.html





Re: boot problems, nvme?

2019-01-31 Thread kasak

31.01.2019 15:18, Kapetanakis Giannis writes:

Hi,

I've just installed current as well as 6.4 on a new pc and I have problems booting it.

Although I can boot bsd.rd and install the system fine I cannot boot the normal kernel.
Boot hangs after
wskbd0 at pckbd0: console keyboard, using wsdisplay1

In bsd.rd next line is
softraid0 at root

I couldn't transfer the dmesg from bsd.rd so I took pictures of it.
Maybe someone can have a look?
https://nefeli.cc.uoc.gr/index.php/s/ce6hAZzTWPcNOLu

thanks

G


I can advise you to try to disable the pcppi driver.

boot -c

disable pcppi

quit

What motherboard do you own?



Re: pcppi boot hang

2018-10-29 Thread kasak

No, I don't have speaker connected.

Do you think, connecting speaker can solve the problem?


29.10.2018 11:28, Katherine Rohl writes:

I have that same motherboard and I don’t have any problems with pcppi...

Do you have a PC speaker hooked up? I’d just disable the driver completely if not.


On Oct 29, 2018, at 3:47 AM, kasak  wrote:

hello everybody!

I have an ASUS Z170-K board with an i7-6700 CPU.

It has a problem: it hangs on boot when probing pcppi0.

Every time I have to reboot I enter UKC and disable pcppi; only after that
can I boot.

Is there any workaround to this ?





pcppi boot hang

2018-10-29 Thread kasak

hello everybody!

I have an ASUS Z170-K board with an i7-6700 CPU.

It has a problem: it hangs on boot when probing pcppi0.

Every time I have to reboot I enter UKC and disable pcppi; only after that
can I boot.


Is there any workaround to this ?



please, help me on new smtpd.conf

2018-10-19 Thread kasak
Hello. I have just updated to 6.4 and I'm afraid of making mistakes on my mail
server. Please look at my conf:


pki kasakoff.net cert "/etc/ssl/kasakoff.net.fullchain.pem"
pki kasakoff.net key "/etc/ssl/private/kasakoff.net.key"


listen on lo0
listen on lo port 10028 tag DKIM

listen on egress inet4 tls pki kasakoff.net auth-optional
listen on egress inet4 port submission tls pki kasakoff.net auth

table aliases file:/etc/mail/aliases

table domains { kasakoff.net, koskina.ru }

action "mbox" mbox alias 
action "mda" mda "/usr/local/bin/procmail" alias 
action "relay" relay
action "relay_dkim" relay host smtp://127.0.0.1:10027

match for local action "mbox"
match from any for domain  action "mda"
match tag DKIM for any action "relay"
match auth from any for any action "relay_dkim"

smtp max-message-size 100M

This is my logic:

1) I need to put messages from local system to local user mboxes.

2) Next I want all mails to kasakoff.net and koskina.ru to be delivered to
procmail.


3) The last two matches are for DKIM. I want to sign unsigned mails before
they are sent to external servers.


My questions are:

I noticed that "from any" in the second match is required? Without it smtpd
answers "invalid recipient".


Again, in the 4th match, "from any" is required too; without it I can't send
mail anywhere.


But as I can see, in the third match "from any" is not required; DKIM-signed
messages are relayed successfully.


Also, "from any" is not required in the first match rule?

Why is that so?

Second, how can I limit the mta to use only IPv4? In 6.3 there was the line
"limit mta inet4".


And third. Is my config composed correctly?

Maybe it is more secure to change the 4th match to

"match auth from domain  for any action "relay_dkim""?

For example, if a user is compromised, this will prevent a spammer from sending
mails from a random sender, am I right? Will this work?



P.S.

Thank you in advance for your response! Also thanks to all developers
for the job you are doing! OpenBSD is the best system ever created!




Re: Not able to boot from softraid :(

2018-07-24 Thread kasak




24.07.2018 15:58, Zé Loff writes:

This is a more or less well known issue.  At the bootloader prompt issue
boot -c and then

   UKC> disable pcppi
   UKC> exit

And it'll (hopefully) boot properly.  I have the same problem with an
ASUS H270-PRO mainboard + Intel i7-7700K


On Tue, Jul 24, 2018 at 03:13:10PM +0300, kasak wrote:


24.07.2018 14:30, kasak writes:


24.07.2018 14:18, Otto Moerbeek writes:

On Tue, Jul 24, 2018 at 02:07:15PM +0300, kasak wrote:


24.07.2018 10:24, kasak writes:

Hello everybody.

I'm trying to install OpenBSD 6.3 on softraid.

My configuration is simple:

Asus z170-k motherboard, with i7-6700 cpu, and 16 gb ram. No external
vga or other cards, just this.

I have 2 similar 750 gb disks.

I have successfully booted bsd.rd in uefi mode, then in the shell I did:

cd /dev

sh MAKEDEV sd1 sd2

fdisk -iy -g -b 960 sd0

fdisk -iy -g -b 960 sd1

Then with disklabel -E sd0 I created a layout with one RAID
type partition.

Then cloned this layout to the second drive.

After that I created

bioctl -c 1 -l sd0a,sd1a softraid0

sd2 was created successfully.

I then typed "exit" and installed OpenBSD on the sd2 disk, using GPT.

The installed system boots, but the last line I see is:

wskbd0 at pckbd0: console keyboard, using wsdisplay0

That's all. My keyboard is not working and the boot process stops.

I have tried to boot without inteldrm but nothing changed except
resolution.

Have I done something wrong?


I have tried to install in CSM mode, with an MBR partition table
and get the
same result, so it looks like it is not a UEFI problem

What makes you think it is softraid related? Did you try a single sd
disk install as a test?

 -Otto


You were right! I just tried to install on a single disk and the result is
the same!


I've tried to boot in verbose mode and it looks like the system hangs when
probing for pcppi0.


Yep, it works!



Re: Not able to boot from softraid :(

2018-07-24 Thread kasak




24.07.2018 14:30, kasak writes:



24.07.2018 14:18, Otto Moerbeek writes:

On Tue, Jul 24, 2018 at 02:07:15PM +0300, kasak wrote:



24.07.2018 10:24, kasak writes:

Hello everybody.

I'm trying to install OpenBSD 6.3 on softraid.

My configuration is simple:

Asus z170-k motherboard, with i7-6700 cpu, and 16 gb ram. No external
vga or other cards, just this.

I have 2 similar 750 gb disks.

I have successfully booted bsd.rd in uefi mode, then in the shell I did:

cd /dev

sh MAKEDEV sd1 sd2

fdisk -iy -g -b 960 sd0

fdisk -iy -g -b 960 sd1

Then with disklabel -E sd0 I created a layout with one RAID type
partition.


Then cloned this layout to the second drive.

After that I created

bioctl -c 1 -l sd0a,sd1a softraid0

sd2 was created successfully.

I then typed "exit" and installed OpenBSD on the sd2 disk, using GPT.

The installed system boots, but the last line I see is:

wskbd0 at pckbd0: console keyboard, using wsdisplay0

That's all. My keyboard is not working and the boot process stops.

I have tried to boot without inteldrm but nothing changed except
resolution.

Have I done something wrong?

I have tried to install in CSM mode, with an MBR partition table and
get the

same result, so it looks like it is not a UEFI problem

What makes you think it is softraid related? Did you try a single sd
disk install as a test?

-Otto

You were right! I just tried to install on a single disk and the result
is the same!


I've tried to boot in verbose mode and it looks like the system hangs
when probing for pcppi0.




Re: Not able to boot from softraid :(

2018-07-24 Thread kasak




24.07.2018 14:18, Otto Moerbeek writes:

On Tue, Jul 24, 2018 at 02:07:15PM +0300, kasak wrote:



24.07.2018 10:24, kasak writes:

Hello everybody.

I'm trying to install OpenBSD 6.3 on softraid.

My configuration is simple:

Asus z170-k motherboard, with i7-6700 cpu, and 16 gb ram. No external
vga or other cards, just this.

I have 2 similar 750 gb disks.

I have successfully booted bsd.rd in uefi mode, then in the shell I did:

cd /dev

sh MAKEDEV sd1 sd2

fdisk -iy -g -b 960 sd0

fdisk -iy -g -b 960 sd1

Then with disklabel -E sd0 I created a layout with one RAID type partition.

Then cloned this layout to the second drive.

After that I created

bioctl -c 1 -l sd0a,sd1a softraid0

sd2 was created successfully.

I then typed "exit" and installed OpenBSD on the sd2 disk, using GPT.

The installed system boots, but the last line I see is:

wskbd0 at pckbd0: console keyboard, using wsdisplay0

That's all. My keyboard is not working and the boot process stops.

I have tried to boot without inteldrm but nothing changed except
resolution.

Have I done something wrong?


I have tried to install in CSM mode, with an MBR partition table and get the
same result, so it looks like it is not a UEFI problem

What makes you think it is softraid related? Did you try a single sd
disk install as a test?

-Otto

You were right! I just tried to install on a single disk and the result is
the same!




Re: Not able to boot from softraid :(

2018-07-24 Thread kasak




24.07.2018 10:24, kasak writes:

Hello everybody.

I'm trying to install OpenBSD 6.3 on softraid.

My configuration is simple:

Asus z170-k motherboard, with i7-6700 cpu, and 16 gb ram. No external
vga or other cards, just this.


I have 2 similar 750 gb disks.

I have successfully booted bsd.rd in uefi mode, then in the shell I did:

cd /dev

sh MAKEDEV sd1 sd2

fdisk -iy -g -b 960 sd0

fdisk -iy -g -b 960 sd1

Then with disklabel -E sd0 I created a layout with one RAID type partition.

Then cloned this layout to the second drive.

After that I created

bioctl -c 1 -l sd0a,sd1a softraid0

sd2 was created successfully.

I then typed "exit" and installed OpenBSD on the sd2 disk, using GPT.

The installed system boots, but the last line I see is:

wskbd0 at pckbd0: console keyboard, using wsdisplay0

That's all. My keyboard is not working and the boot process stops.

I have tried to boot without inteldrm but nothing changed except
resolution.


Have I done something wrong?



I have tried to install in CSM mode, with an MBR partition table and get
the same result, so it looks like it is not a UEFI problem




Re: Not able to boot from softraid :(

2018-07-24 Thread kasak

24.07.2018 10:32, Indunil Jayasooriya writes:

This may help you.

http://www.bsdnow.tv/tutorials/raid




On Tue, Jul 24, 2018 at 12:54 PM, kasak  wrote:


Hello everybody.

I'm trying to install OpenBSD 6.3 on softraid.

My configuration is simple:

Asus z170-k motherboard, with i7-6700 cpu, and 16 gb ram. no external vga
or other cards, just this.

I have 2 similar 750 gb disks.

I have successfully booted bsd.rd in uefi mode, then with shell i did:

cd /dev

sh MAKEDEV sd1 sd2

fdisk -iy -g -b 960 sd0

fdisk -iy -g -b 960 sd1

then with disklabel -E sd0 i created layout with one RAID type partition.

then cloned this layout to second drive.

After that i have created

bioctl -c 1 -l sd0a,sd1a softraid0

sd2 was created successfully.

i then type "exit" and installed openbsd on sd2 disk, using gpt.

The installed system boots, but the last line i see is:

wskbd0 at pckbd0: console keyboard, using wsdisplay0

that's all. my keyboard not working and boot process stops.

I have tried to boot without inteldrm but nothing changed except
resolution.

Have I done something wrong?






Nope, this manual explains how to install with MBR, and my install uses 
UEFI boot.
I have followed native documentation: 
http://www.openbsd.org/faq/faq14.html#softraid




Not able to boot from softraid :(

2018-07-24 Thread kasak

Hello everybody.

I'm trying to install OpenBSD 6.3 on softraid.

My configuration is simple:

Asus z170-k motherboard, with i7-6700 cpu, and 16 gb ram. no external 
vga or other cards, just this.


I have 2 similar 750 gb disks.

I have successfully booted bsd.rd in uefi mode, then with shell i did:

cd /dev

sh MAKEDEV sd1 sd2

fdisk -iy -g -b 960 sd0

fdisk -iy -g -b 960 sd1

then with disklabel -E sd0 i created layout with one RAID type partition.

then cloned this layout to second drive.

After that i have created

bioctl -c 1 -l sd0a,sd1a softraid0

sd2 was created successfully.

i then type "exit" and installed openbsd on sd2 disk, using gpt.

The installed system boots, but the last line i see is:

wskbd0 at pckbd0: console keyboard, using wsdisplay0

that's all. my keyboard not working and boot process stops.

I have tried to boot without inteldrm but nothing changed except 
resolution.


Have I done something wrong?



Re: samba at snapshots

2018-07-11 Thread kasak




11.07.2018 18:04, Tuyosi T writes:

hi all .

it is surprising openbsd snapshots runs samba .
and
windows 10 accesses "OpenSamba" .

but this may contain some errors .
then please point them .

1)/etc/samba/smb.conf

[global]
workgroup = WORKGROUP
server string = SAMBA SERVER Version %v
netbios name = OpenSamba
security = user
passdb backend = tdbsam
dos charset = CP932
unix charset = UTF-8
wins support = yes
load printers = no
disable spoolss = yes
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[Share]
comment = Share Folder for All Users
path = /home/share/
browsable = yes
writable = yes
read only = no

2)
/etc/rc.d/samba restart
nmbd(ok)
smbd(ok)
smbd(ok)
nmbd(ok)

3) testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (128) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[Share]"
Loaded services file OK.
Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions

Global parameters
[global]
disable spoolss = Yes
dos charset = CP932
load printers = No
netbios name = OPENSAMBA
security = USER
server string = SAMBA SERVER Version %v
wins support = Yes
idmap config * : backend = tdb

[homes]
browseable = No
comment = Home Directories
inherit acls = Yes
read only = No
valid users = %S %D%w%S

[Share]
comment = Share Folder for All Users
path = /home/share/
read only = No

---
regards



Please explain your problem more clearly. There's nothing wrong with the config.
Little remark: you have

writable = yes
read only = no

In your "Share" definition. These are inverted synonyms of each other. You can 
delete one of them.
Also I guess that you are probably trying to write with a guest user to directory 
/home/share.
For doing so you need to add the option
Map to guest = Bad user to the "global" section and do in shell:
chown -R nobody:nogroup /home/share
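The remark above (read only / writable being inverted synonyms) and the map-to-guest advice can both be checked mechanically. This is an added example, not code from the thread or from Samba: a small smb.conf linter that normalises the four synonyms Samba accepts, flags redundant or contradictory settings, and warns when "map to guest" is combined with a guest-accessible writable share (the sample config is constructed from the [Share] section in the post, with a "guest ok" line added for illustration).

```python
import re
from typing import Dict, List

# Samba treats these four parameters as one boolean; the ones marked True are
# inverted relative to "read only" ("writable = yes" means "read only = no").
SYNONYMS = {"read only": False, "writable": True, "writeable": True, "write ok": True}


def to_bool(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}}; keys are lower-cased and whitespace-normalised."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def effective_read_only(params: Dict[str, str]) -> bool:
    """Samba's default for a share is read only = yes; any synonym present overrides it."""
    ro = True
    for key, inverted in SYNONYMS.items():
        if key in params:
            ro = to_bool(params[key]) ^ inverted
    return ro


def lint_smb_conf(text: str) -> List[str]:
    sections = parse_smb_conf(text)
    glob = sections.get("global", {})
    findings: List[str] = []
    for name, params in sections.items():
        if name == "global":
            continue
        present = [k for k in SYNONYMS if k in params]
        if len(present) > 1:
            values = {to_bool(params[k]) ^ SYNONYMS[k] for k in present}
            what = "say the same thing; keep one" if len(values) == 1 else "contradict each other"
            findings.append(f"[{name}] {', '.join(present)} {what}")
        # Caveat for the "map to guest = Bad User" advice: together with a
        # guest-accessible writable share it gives anonymous clients write access.
        if (glob.get("map to guest", "never").lower() != "never"
                and to_bool(params.get("guest ok", "no"))
                and not effective_read_only(params)):
            findings.append(f"[{name}] is writable by guests (map to guest = {glob['map to guest']})")
    return findings


# Constructed sample: the [Share] section from the post plus the suggested guest mapping.
SAMPLE = """
[global]
workgroup = WORKGROUP
map to guest = Bad User
[Share]
comment = Share Folder for All Users
path = /home/share/
guest ok = yes
writable = yes
read only = no
"""

if __name__ == "__main__":
    for finding in lint_smb_conf(SAMPLE):
        print(finding)
```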



Re: 6.3 amd64 in VirtualBox - keyboard

2018-04-05 Thread kasak



05.04.2018 01:55, Will Backman writes:
Anyone else seeing an unresponsive keyboard with 6.3 release amd64 
when running in VirtualBox?
bsd.rd installer works. After install, cannot log in because keyboard 
won't accept input.

6.2 works fine.
Installed current (as of 4/4) and keyboard works.

I had unresponsive keyboard in bsd.rd, when i was updating to 6.3 with 
asus ikvm. Luckily, the soft keyboard worked.




Re: IPMI still requires Java! I'm screwed.

2017-12-21 Thread kasak

> 21 Dec 2017 at 12:16, Maxim Bourmistrov <m...@alumni.chalmers.se> 
> wrote:
> 
> 
> Even X10 can be upgraded to get in html5.
> 
>> 21 Dec 2017 at 06:50, kasak <ka...@kasakoff.net> wrote:
>> 
>> 
>>> 21 Dec 2017 at 0:03, Chris Bennett <webmas...@bennettconstruction.us> 
>>> wrote:
>>> 
>>> I found a new server that uses IPMI and offers using it
>>> to setup your own custom OS. So I bought in.
>>> 
>>> Damn thing requires Java.
>>> They offered me some pretty worthless advice on using
>>> Java.
>>> 
>>> I'm screwed into having to use Windows 7.
>>> I've tried the Firefox ESR 32bit that supports Java.
>>> Nope.
>>> Opera. Nope
>>> Edge. Nope
>>> Chrome. Nope, including trying to use IEtab
>>> 
>>> Is it actually possible to get any web browser to 
>>> open a Java applet?
>>> 
>>> I'm using a friends laptop and it can't stay on while
>>> in the BIOS or after booting OpenBSD just to the point
>>> of running memtest.
>>> 
>>> I'm a bit confused about what to do.
>>> They offer IPMI that won't work without Java.
>>> 
>>> Is this even anything more than a scam??
>>> I don't know squat about windows other than it sucks.
>>> 
>>> 
>>> Serious question:
>>> Is it acceptable practice to offer remote access that
>>> cannot be used?
>>> 
>>> 
>>> 
>> Look at the newest servers with aspeed ast2500, such as supermicro x11 
>> platforms, they are manageable through html5. If you still need to manage 
>> your server try jdk-1.8.0.144v0.tgz package from ports
>> 
> 
Just by updating firmware?  What a pity, Asus hasn’t upgraded firmwares to 
support html5, I have some of them in usage with p10 platforms


Re: IPMI still requires Java! I'm screwed.

2017-12-20 Thread kasak

> 21 Dec 2017 at 0:03, Chris Bennett  
> wrote:
> 
> I found a new server that uses IPMI and offers using it
> to setup your own custom OS. So I bought in.
> 
> Damn thing requires Java.
> They offered me some pretty worthless advice on using
> Java.
> 
> I'm screwed into having to use Windows 7.
> I've tried the Firefox ESR 32bit that supports Java.
> Nope.
> Opera. Nope
> Edge. Nope
> Chrome. Nope, including trying to use IEtab
> 
> Is it actually possible to get any web browser to 
> open a Java applet?
> 
> I'm using a friends laptop and it can't stay on while
> in the BIOS or after booting OpenBSD just to the point
> of running memtest.
> 
> I'm a bit confused about what to do.
> They offer IPMI that won't work without Java.
> 
> Is this even anything more than a scam??
> I don't know squat about windows other than it sucks.
> 
> 
> Serious question:
> Is it acceptable practice to offer remote access that
> cannot be used?
> 
> 
> 
Look at the newest servers with aspeed ast2500, such as supermicro x11 
platforms, they are manageable through html5. If you still need to manage your 
server try jdk-1.8.0.144v0.tgz package from ports



something wrong with softraid

2017-12-20 Thread kasak

please help, I just noticed this strange thing:

$ df -h
Filesystem Size    Used   Avail Capacity  Mounted on
/dev/sd0a 1005M   1004M  -49.6M   105%    /
/dev/sd0k 26.0G    2.3G   22.4G 9%    /home
/dev/sd0d  3.9G    138K    3.7G 0%    /tmp
/dev/sd0f  2.0G    795M    1.1G    42%    /usr
/dev/sd0g 1005M    215M    740M    23%    /usr/X11R6
/dev/sd0h  6.8G    799M    5.7G    12%    /usr/local
/dev/sd0j  2.0G    2.0K    1.9G 0%    /usr/obj
/dev/sd0i  1.9G    2.0K    1.8G 0%    /usr/src
/dev/sd0e  6.3G    1.1G    4.9G    18%    /var
/dev/sd4a  1.8T    1.3T    375G    79%    /bigdisk

look at /dev/sd0a

i've done some inspection and found this:

$ ls -alh /dev/rsd4
-rw-r--r--  1 root  wheel   913M Nov 14 20:58 /dev/rsd4

sd4 is my raid, bioctl shows nothing strange:

$ doas bioctl sd4
Volume  Status   Size Device
softraid0 0 Online  2000396018176 sd4 RAID1
  0 Online  2000396018176 0:0.0   noencl 
  1 Online  2000396018176 0:1.0   noencl 

How this can be?

just in case here is my fstab:

$ cat /etc/fstab
98afe66b05b9c528.b none swap sw
98afe66b05b9c528.a / ffs rw 1 1
98afe66b05b9c528.k /home ffs rw,nodev,nosuid 1 2
98afe66b05b9c528.d /tmp ffs rw,nodev,nosuid 1 2
98afe66b05b9c528.f /usr ffs rw,nodev 1 2
98afe66b05b9c528.g /usr/X11R6 ffs rw,nodev 1 2
98afe66b05b9c528.h /usr/local ffs rw,nodev,wxallowed 1 2
98afe66b05b9c528.j /usr/obj ffs rw,nodev,nosuid 1 2
98afe66b05b9c528.i /usr/src ffs rw,nodev,nosuid 1 2
98afe66b05b9c528.e /var ffs rw,nodev,nosuid 1 2
e642bdec5dc6a630.a /bigdisk ffs rw,nodev,nosuid,softdep 1 2
52dba8d6fdf64014.a /altroot ffs xx 0 0



Re: Hot Spare in Softraid?

2017-08-13 Thread kasak



12.08.2017 22:02, Federico Giannici writes:

On 08/12/17 20:48, noah pugsley wrote:

On Sat, Aug 12, 2017 at 10:55 AM, Federico Giannici
 wrote:

Is it possible to set a "Hot Spare" chunk for a RAID1 Softraid?
From the "bioctl" man page seems that this functionality is 
available for

"RAID controllers" only.
Is it correct?

Thanks.



I don't know about that, but from softraid(4) I know that:

"RAID 1
A mirroring discipline. It copies data across more than one chunk to
provide for data loss. Read performance is increased, though at the
cost of write speed. Unlike traditional RAID 1, softraid supports the
use of more than two chunks in a RAID 1 setup."

So, why not a 3 disk mirror?


Good point, but now I have two more questions:

1) What about the "cost of write speed"? Will writing times increase 
further with another disk? Is it negligible?


2) What happens when one of the three disk goes bad? Is it signaled in 
any way? The softraid goes "degraded" or remains "Online" (I suppose 
the latter)?


Thanks




From bioctl(8):

"Configure softraid0 with 4 special devices (/dev/sd2e, /dev/sd3e,
/dev/sd4e, /dev/sd5e) and a RAID level of 1:

# bioctl -c 1 -l /dev/sd2e,/dev/sd3e,/dev/sd4e,/dev/sd5e softraid0"

-N




You can use sensorsd to monitor raid status. Like this:

/etc/sensorsd.conf:
hw.sensors.softraid0.drive0:command=echo "Raid state: %t %2" | mail -s 
"Sensor %t changed" -r nore...@kasakoff.net ka...@kasakoff.net


sysctl hw.sensors output:
hw.sensors.softraid0.drive0=online (sd4), OK
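The sensorsd entry above fires on a state change and mails the raw sensor text. As an added example (not from the thread or from OpenBSD), here is the same detection logic in Python: it parses the softraid drive lines out of `sysctl hw.sensors` output, flags any volume that is not online/OK, and reports transitions between two polls. The healthy line is the one from the post; the degraded line is a constructed sample, since the exact state words come from the running kernel.

```python
import re
from typing import Dict, List, NamedTuple


class DriveSensor(NamedTuple):
    sensor: str   # e.g. hw.sensors.softraid0.drive0
    state: str    # online, degraded, rebuild, offline, failed, ...
    device: str   # e.g. sd4
    status: str   # OK, WARNING, CRITICAL, UNKNOWN


# "hw.sensors.softraid0.drive0=online (sd4), OK"
LINE_RE = re.compile(r"^(hw\.sensors\.softraid\d+\.drive\d+)=(\S+) \((\w+)\), (\w+)$")


def parse_sensors(output: str) -> List[DriveSensor]:
    """Pull the softraid volume sensors out of full `sysctl hw.sensors` output."""
    found: List[DriveSensor] = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(DriveSensor(*m.groups()))
    return found


def needs_attention(s: DriveSensor) -> bool:
    # Anything other than an online volume with status OK means a chunk is
    # missing, failed, or being rebuilt.
    return s.state != "online" or s.status != "OK"


def alerts(output: str) -> List[str]:
    """One message per volume that is not online/OK (what sensorsd would mail)."""
    return [f"Raid state: {s.sensor} {s.state} ({s.device}) {s.status}"
            for s in parse_sensors(output) if needs_attention(s)]


def transitions(before: str, after: str) -> List[str]:
    """Report volumes whose state or status changed between two polls."""
    prev: Dict[str, DriveSensor] = {s.sensor: s for s in parse_sensors(before)}
    msgs: List[str] = []
    for s in parse_sensors(after):
        old = prev.get(s.sensor)
        if old is None or (old.state, old.status) != (s.state, s.status):
            was = f"{old.state}/{old.status}" if old else "unknown"
            msgs.append(f"{s.sensor} ({s.device}): {was} -> {s.state}/{s.status}")
    return msgs


# Constructed samples: a healthy poll (line from the post) and a later degraded one.
HEALTHY = """hw.sensors.cpu0.temp0=45.00 degC
hw.sensors.softraid0.drive0=online (sd4), OK
"""
DEGRADED = """hw.sensors.cpu0.temp0=46.00 degC
hw.sensors.softraid0.drive0=degraded (sd4), WARNING
"""

if __name__ == "__main__":
    for msg in transitions(HEALTHY, DEGRADED):
        print(msg)
```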



is it possible to speed up network to 1 Gb ?

2017-03-01 Thread kasak

Hello everybody.

I know that speed does not matter this days, and security matter.

But i want an advice, i have xeon computer with fresh disks, they work 
pretty fast,


and also i have 1 gbit switch and 1gbit intel nic on both side, here is 
iperf test:


$ doas iperf -s

Server listening on TCP port 5001
TCP window size: 16.0 KByte (default)

[  4] local 192.168.0.1 port 5001 connected with 192.168.0.77 port 57972
[ ID] Interval   Transfer Bandwidth
[  4]  0.0-10.0 sec  1.04 GBytes   893 Mbits/sec

but when i try to upload something via samba or ftp speed is slower :(

the fastest speed i have is between linux and openbsd ftp server, speed 
reaches 85 MBytes/sec


samba between linux and openbsd is 45 Mbytes/sec

I also have old imac with core2duo, and network performance between linux 
and mac is faster, i can achieve speeds of 110-115 mbytes/sec.


I have not tried to tweak speed somehow, so this is default system 
performance.


Is there any chance to speed up my networking?

Thanks!



Re: can't make to work rdr-to rule

2017-02-20 Thread kasak
> On 2017-02-20, kasak<ka...@kasakoff.net>  wrote:
> > hello everybody!
> >
> > Recently i saw this trick on
> >http://www.tedunangst.com/flak/post/turn-your-network-inside-out-with-one-pfconf-trick
> >
> > I decided it was a great idea, and tried to add this rule to my
> > firewall, but it doesn't work.
> >
> > Look, I placed this line immediately after nat-to rule
> >
> > #Enable NAT
> > pass out on $ext_if inet from $lan_net to any nat-to $ext_if keep state
> > (pflow)
> >
> > #ntp and domain redirection
> > pass in on $int_if proto {tcp,udp} from !192.168.2.65 to any port
> > {domain,ntp} rdr-to lo
> >
> > So it expand to this rules:
> >
> > pass in on em1 inet proto tcp from ! 192.168.2.65 to any port = 53 flags
> > S/SA rdr-to 127.0.0.1
> > pass in on em1 inet proto tcp from ! 192.168.2.65 to any port = 123
> > flags S/SA rdr-to 127.0.0.1
> > pass in on em1 inet proto udp from ! 192.168.2.65 to any port = 53
> > rdr-to 127.0.0.1
> > pass in on em1 inet proto udp from ! 192.168.2.65 to any port = 123
> > rdr-to 127.0.0.1
> >
> > 192.168.2.65 is my local domain and ntp server, it must be able to
> > access world to work properly.
> >
> > em1 is my LAN interface
> >
> > Anyway this rule doesn't work and i don't know why :(
> >
> > $ doas tcpdump -i em1 port ntp
> > tcpdump: listening on em1, link-type EN10MB
> > 11:07:35.594706 192.168.3.119.4662 > clock.via.net.ntp: v1 client strat
> > 0 poll 0 prec 0
> > 11:07:35.594804 clock.via.net.ntp > 192.168.3.119.4662: v1 server strat
> > 2 poll 0 prec -6 [tos 0x10]
> > 11:07:40.131132 192.168.2.75.45003 > mail.sonur.ru.ntp: v4 client strat
> > 0 poll 0 prec 0 (DF)
> > 11:07:40.136985 mail.sonur.ru.ntp > 192.168.2.75.45003: v4 server strat
> > 2 poll 0 prec -6 [tos 0x10]
>
> This tcpdump trace doesn't directly show whether or not it works - the
> packet source address of return packets is rewritten due to the PF rdr-to
> rule.
>
> However if I query mail.sonur.ru myself it reports that it is stratum 1,
> and since you see stratum 2, and identical return values from the 2 servers,
> I suspect the redirect probably *is* working. For extra confirmation use
> tcpdump -v and look at the ttl and extra fields. Compare these with and
> without this rule in place.
>
> Regarding the DNS side of this - careful with this if you want to do
> authoritative DNS lookups from machines on your network - it isn't
> always appropriate to forward to a recursive resolver in this way.
> Really, you only want to redirect queries with the RR flag (which you
> can't do from PF), and even then this will mess you up if you're trying
> to debug certain problems.
Oh, thank you! Now I see, that all answers from all ntp servers have 
stratum of my server.
And about dns, i have to do this because of some hard infected windows 
clients.
I don't really think that i need to do recursive lookups from clients, 
but it can help to solve problems with windows clients, where viruses 
replace "dhcp offered" dns servers with bad "hacker offered".

I have tried to lookup my own server from 192.168.2.65 and from client 
and that's what I have:
 From 2.65:

$ nslookup kasakoff.net 91.210.228.4
Server: 91.210.228.4
Address:91.210.228.4#53

Name:   kasakoff.net
Address: 91.210.228.4

 From client:

kasak@mint ~ $ nslookup kasakoff.net 91.210.228.4
Server:91.210.228.4
Address:91.210.228.4#53

Non-authoritative answer:
Name:kasakoff.net
Address: 91.210.228.4

So it proves that redirect works! Thank you very much for explanations!



can't make to work rdr-to rule

2017-02-20 Thread kasak

hello everybody!

Recently i saw this trick on 
http://www.tedunangst.com/flak/post/turn-your-network-inside-out-with-one-pfconf-trick


I decided it was a great idea, and tried to add this rule to my 
firewall, but it doesn't work.


Look, I placed this line immediately after nat-to rule

#Enable NAT
pass out on $ext_if inet from $lan_net to any nat-to $ext_if keep state 
(pflow)


#ntp and domain redirection
pass in on $int_if proto {tcp,udp} from !192.168.2.65 to any port 
{domain,ntp} rdr-to lo


So it expand to this rules:

pass in on em1 inet proto tcp from ! 192.168.2.65 to any port = 53 flags 
S/SA rdr-to 127.0.0.1
pass in on em1 inet proto tcp from ! 192.168.2.65 to any port = 123 
flags S/SA rdr-to 127.0.0.1
pass in on em1 inet proto udp from ! 192.168.2.65 to any port = 53 
rdr-to 127.0.0.1
pass in on em1 inet proto udp from ! 192.168.2.65 to any port = 123 
rdr-to 127.0.0.1


192.168.2.65 is my local domain and ntp server, it must be able to 
access world to work properly.


em1 is my LAN interface

Anyway this rule doesn't work and i don't know why :(

$ doas tcpdump -i em1 port ntp
tcpdump: listening on em1, link-type EN10MB
11:07:35.594706 192.168.3.119.4662 > clock.via.net.ntp: v1 client strat 
0 poll 0 prec 0
11:07:35.594804 clock.via.net.ntp > 192.168.3.119.4662: v1 server strat 
2 poll 0 prec -6 [tos 0x10]
11:07:40.131132 192.168.2.75.45003 > mail.sonur.ru.ntp: v4 client strat 
0 poll 0 prec 0 (DF)
11:07:40.136985 mail.sonur.ru.ntp > 192.168.2.75.45003: v4 server strat 
2 poll 0 prec -6 [tos 0x10]
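Stuart's reply in this thread points out that the tcpdump output cannot prove the rdr-to rule works, but the NTP payload can: when every reply, whichever upstream the client asked, carries the same stratum and reference id, they all came from the one redirected-to server. As an added example (not code from the thread), here is a decoder for the fixed NTP header and that check; the sample replies are constructed with a documentation-range reference id.

```python
import struct
from typing import Dict, List

# RFC 5905 header: flags, stratum, poll, precision, root delay, root dispersion,
# reference id, then four 64-bit timestamps (48 bytes in total).
NTP_HEADER = struct.Struct("!BBBbII4sQQQQ")


def parse_ntp(pkt: bytes) -> Dict[str, object]:
    """Decode the header fields useful for checking where a reply really came from."""
    if len(pkt) < NTP_HEADER.size:
        raise ValueError("short NTP packet")
    flags, stratum, poll, precision, _rdelay, _rdisp, refid, *_ = NTP_HEADER.unpack_from(pkt)
    if stratum <= 1:
        # Stratum 0/1: the reference id is a 4-character ASCII clock code.
        ref = refid.rstrip(b"\0").decode("ascii", "replace")
    else:
        # Stratum 2+: the IPv4 address of the server's own upstream.
        ref = ".".join(str(b) for b in refid)
    return {
        "version": (flags >> 3) & 0x7,
        "mode": flags & 0x7,          # 3 = client, 4 = server
        "stratum": stratum,
        "poll": poll,
        "precision": precision,       # signed, e.g. -6 as in the tcpdump above
        "refid": ref,
    }


def build_response(stratum: int, refid: bytes, precision: int = -6) -> bytes:
    """Constructed server reply (LI=0, VN=4, mode=4) with the given stratum/refid."""
    flags = (4 << 3) | 4
    return NTP_HEADER.pack(flags, stratum, 0, precision, 0, 0, refid, 0, 0, 0, 0)


def all_from_same_server(responses: List[bytes]) -> bool:
    """True when replies to queries for different upstreams all share one
    stratum and reference id: the signature of pf rewriting them to one local server."""
    seen = {(r["stratum"], r["refid"]) for r in map(parse_ntp, responses)}
    return len(seen) == 1


# Constructed: what two clients asking two different public servers would get
# back if both queries were redirected to a local stratum-2 server whose
# upstream is 203.0.113.1 (documentation address, not from the thread).
LOCAL_UPSTREAM = bytes([203, 0, 113, 1])
REDIRECTED = [build_response(2, LOCAL_UPSTREAM), build_response(2, LOCAL_UPSTREAM)]
NOT_REDIRECTED = [build_response(2, LOCAL_UPSTREAM), build_response(1, b"GPS\0")]

if __name__ == "__main__":
    print(parse_ntp(REDIRECTED[0]))
    print("redirect in effect:", all_from_same_server(REDIRECTED))
```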




Re: need help with ipv6

2016-07-30 Thread kasak
> On 2016-07-29, kasak <ka...@kasakoff.net> wrote:
> > Hello everybody. I have a strange issue with ipv6 on my router. I have a
> > HE.net tunnel on gif0:
> >
> > here is my hostname.gif0:
> >
> > $ cat /etc/hostname.gif0
> > tunnel 91.210.228.4 216.66.86.114
> > inet6 alias 2001:470:6c:12d::2 128
> > dest 2001:470:6c:12d::1
> > !route -n add -inet6 default 2001:470:6c:12d::1
> >
> > my routable net is  2001:470:6d:12d::
> >
> > I have added address  2001:470:6d:12d::e1 on my em1 (lan) interface and
> > can successfully ping it from lan network
> >
> > but if I add  2001:470:6d:12d::e0 to em0 interface none of my lan
> > computers can ping it. disabling of pf doesn't solve issue.
> >
> > I have rtadvd enabled on em1. here is hostname.em1:
> >
> > inet 192.168.0.1 255.255.255.0
> > inet6 2001:470:6d:12d::e1 64
> >
> > Does somebody know what I am doing wrong?
> >
> >
>
> You need more subnets. What you are doing now is like having
> 10.0.0.1/24 on one interface and 10.0.0.2/24 on another separate
> interface. Machines on a network attached to one interface can't
> resolve the address by ARP (in the case of IPv4) or NDP (in the
> case of IPv6) for the address on the other interface.
>
> I'm not too familiar with he.net's setup any more, but it's
> fairly common for a tunnel broker to give you a /48 which you
> can divide up yourself.
Thank you very much! It was so simple!



need help with ipv6

2016-07-29 Thread kasak
Hello everybody. I have a strange issue with ipv6 on my router. I have a 
HE.net tunnel on gif0:


here is my hostname.gif0:

$ cat /etc/hostname.gif0
tunnel 91.210.228.4 216.66.86.114
inet6 alias 2001:470:6c:12d::2 128
dest 2001:470:6c:12d::1
!route -n add -inet6 default 2001:470:6c:12d::1

my routable net is  2001:470:6d:12d::

I have added address  2001:470:6d:12d::e1 on my em1 (lan) interface and 
can successfully ping it from lan network


but if I add  2001:470:6d:12d::e0 to em0 interface none of my lan 
computers can ping it. disabling of pf doesn't solve issue.


I have rtadvd enabled on em1. here is hostname.em1:

inet 192.168.0.1 255.255.255.0
inet6 2001:470:6d:12d::e1 64

Does somebody know what I am doing wrong?
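The answer in this thread is that the same /64 was configured on both em0 and em1, so hosts on one segment cannot resolve the other interface's address by NDP. As an added example (not from the thread), this Python check finds such overlapping on-link prefixes across interfaces, IPv4 or IPv6, and carves a larger routed block into per-interface subnets; the interface table is constructed from the hostname.* files in the post and the /48 is a documentation prefix.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed from the post: the gif0 tunnel alias and the same
# 2001:470:6d:12d::/64 configured on both em0 and em1 (the mistake).
INTERFACES: Dict[str, List[str]] = {
    "gif0": ["2001:470:6c:12d::2/128"],
    "em0": ["2001:470:6d:12d::e0/64"],
    "em1": ["192.168.0.1/24", "2001:470:6d:12d::e1/64"],
}


def overlapping_prefixes(ifaces: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Return (ifA, netA, ifB, netB) for each pair of *different* interfaces whose
    on-link prefixes overlap; ARP/NDP only reaches neighbours on the same link."""
    nets = []
    for name, addrs in ifaces.items():
        for a in addrs:
            nets.append((name, ipaddress.ip_interface(a).network))
    clashes = []
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if name_a != name_b and net_a.version == net_b.version and net_a.overlaps(net_b):
                clashes.append((name_a, str(net_a), name_b, str(net_b)))
    return clashes


def suggest_split(prefix: str, new_prefixlen: int, count: int) -> List[str]:
    """Carve a routed block (e.g. a /48 from a tunnel broker) into the first
    `count` subnets of `new_prefixlen`, one per interface."""
    net = ipaddress.ip_network(prefix)
    return [str(s) for s, _ in zip(net.subnets(new_prefix=new_prefixlen), range(count))]


if __name__ == "__main__":
    for a, na, b, nb in overlapping_prefixes(INTERFACES):
        print(f"{a} ({na}) overlaps {b} ({nb}): use separate subnets")
    # Documentation prefix as the stand-in for a broker-assigned /48.
    print(suggest_split("2001:db8::/48", 64, 2))
```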



Re: Cannot understand iked

2016-05-04 Thread kasak

04.05.2016 10:25, Andreas Karlsson writes:

On 05/03/2016 10:23 PM, kasak wrote:

Hello everybody. I hope somebody can help me with iked.

I have 2 gates, both can ping each other. One has this iked.conf:

ikev2 from 212.233.112.10 to 192.168.1.0/24 \
from 192.168.2.0/23 to 192.168.1.0/24 \
local 212.233.112.10 srcid 212.233.112.10

Another has:

ikev2 active \
from 77.220.137.168 to 192.168.2.0/23 \
from 192.168.1.0/24 to 192.168.2.0/23 \
peer 212.233.112.10 srcid 77.220.137.168

And the problem is: local lan clients can reach remote lan, but local 
gate itself cannot reach. Look:


$ ping -c 2 -I 192.168.2.10 192.168.1.240
PING 192.168.1.240 (192.168.1.240): 56 data bytes
64 bytes from 192.168.1.240: icmp_seq=0 ttl=63 time=2.987 ms
64 bytes from 192.168.1.240: icmp_seq=1 ttl=63 time=2.243 ms
--- 192.168.1.240 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss

but

$  ping -c 2  192.168.1.240
PING 192.168.1.240 (192.168.1.240): 56 data bytes
--- 192.168.1.240 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
Please check with tcpdump on the enc0 interface what kind of traffic 
is sent when doing the ping.

# tcpdump -nvi enc0 icmp
(authentic,confidential): SPI 0xcc1509c7: 212.233.112.10 > 
77.220.137.168: 212.233.112.10 > 192.168.1.240: icmp: echo request 
(id:7a30 seq:5) [icmp cksum ok] (ttl 255, id 62517, len 84) (ttl 64, id 
21070, len 104, bad ip cksum 0! -> bcc)




Both ping commands sent from same gate.

Here is ipsecctl -sa from one of gates:

FLOWS:
flow esp in from 192.168.1.0/24 to 212.233.112.10 peer 77.220.137.168 
srcid IPV4/212.233.112.10 dstid IPV4/77.220.137.168 type use
flow esp out from 212.233.112.10 to 192.168.1.0/24 peer 
77.220.137.168 srcid IPV4/212.233.112.10 dstid IPV4/77.220.137.168 
type require
flow esp in from 192.168.1.0/24 to 192.168.2.0/23 peer 77.220.137.168 
srcid IPV4/212.233.112.10 dstid IPV4/77.220.137.168 type use
flow esp out from 192.168.2.0/23 to 192.168.1.0/24 peer 
77.220.137.168 srcid IPV4/212.233.112.10 dstid IPV4/77.220.137.168 
type require

flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 212.233.112.10 to 77.220.137.168 spi 0x22dd1b34 auth 
hmac-sha2-256 enc aes-256
esp tunnel from 77.220.137.168 to 212.233.112.10 spi 0xd1abf711 auth 
hmac-sha2-256 enc aes-256


I have the same issue on my boxes that has to contact remote networks. 
I've solved this by translating my outgoing
traffic from my gateway over ipsec to the remote network to a internal 
interface. See example below.


/etc/pf.conf:
...
match out log on enc0 from (egress) to 10.10.0.0/24 nat-to (em2) # 
where em2 is my LAN interface

...

I have discovered with tcpdump that on remote gateway the echo request 
is still on enc0 interface, but echo reply is on em0 (egress)

here is cut from tcpdump of em0 on remote gateway:
21:11:28.593541 192.168.1.240 > 212.233.112.10: icmp: echo reply

But I can't catch any icmp reply on my pinging gate, nothing on enc0 and 
em0. So I think that packet going to 212.233.112.10 must go to the enc0 
but it comes to em0 from em1.

Here is the cut from tcpdump em1 on remote gate:
21:12:08.293106 212.233.112.10 > 192.168.1.240: icmp: echo request
21:12:08.293453 192.168.1.240 > 212.233.112.10: icmp: echo reply

Packet that must go to enc0 but goes to em0. Maybe this is some routing 
issue? Both enc0 and em0 have ability to reach 212.233.112.10 and gate 
choose em0 instead of enc0 ?




Cannot understand iked

2016-05-04 Thread kasak

Hello everybody. I hope somebody can help me with iked.

I have 2 gates, both can ping each other. One has this iked.conf:

ikev2 from 212.233.112.10 to 192.168.1.0/24 \
from 192.168.2.0/23 to 192.168.1.0/24 \
local 212.233.112.10 srcid 212.233.112.10

Another has:

ikev2 active \
from 77.220.137.168 to 192.168.2.0/23 \
from 192.168.1.0/24 to 192.168.2.0/23 \
peer 212.233.112.10 srcid 77.220.137.168

And the problem is: local lan clients can reach remote lan, but local 
gate itself cannot reach. Look:


$ ping -c 2 -I 192.168.2.10 192.168.1.240
PING 192.168.1.240 (192.168.1.240): 56 data bytes
64 bytes from 192.168.1.240: icmp_seq=0 ttl=63 time=2.987 ms
64 bytes from 192.168.1.240: icmp_seq=1 ttl=63 time=2.243 ms
--- 192.168.1.240 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss

but

$  ping -c 2  192.168.1.240
PING 192.168.1.240 (192.168.1.240): 56 data bytes
--- 192.168.1.240 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

Both ping commands sent from same gate.

Here is ipsecctl -sa from one of gates:

FLOWS:
flow esp in from 192.168.1.0/24 to 212.233.112.10 peer 77.220.137.168 
srcid IPV4/212.233.112.10 dstid IPV4/77.220.137.168 type use
flow esp out from 212.233.112.10 to 192.168.1.0/24 peer 77.220.137.168 
srcid IPV4/212.233.112.10 dstid IPV4/77.220.137.168 type require
flow esp in from 192.168.1.0/24 to 192.168.2.0/23 peer 77.220.137.168 
srcid IPV4/212.233.112.10 dstid IPV4/77.220.137.168 type use
flow esp out from 192.168.2.0/23 to 192.168.1.0/24 peer 77.220.137.168 
srcid IPV4/212.233.112.10 dstid IPV4/77.220.137.168 type require

flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 212.233.112.10 to 77.220.137.168 spi 0x22dd1b34 auth 
hmac-sha2-256 enc aes-256
esp tunnel from 77.220.137.168 to 212.233.112.10 spi 0xd1abf711 auth 
hmac-sha2-256 enc aes-256