Re: protonmail.com broken on OpenBSD 6.2-Stable with Firefox
Thanks for sharing a much better fix for this issue. I wonder what consequences this option change will have on future web services that make use of asm.js.

Original Message
On Nov 2, 2017, 4:32 PM, Andy Lowton wrote:

>> From: r...@protonmail.com
>>
>> Try this...
>>
>> javascript.options.asmjs: true
>>
>> Sent from ProtonMail Mobile
>
> Changing the value from true to false resolved the issue for me.
>
> Thank you for that.
Re: protonmail.com broken on OpenBSD 6.2-Stable with Firefox
I always kept stable with mtier, although I don't know if it updated to full releases of FF or security patches only.

My MacOS/Win7/Debian systems have never had an issue with protonmail and new Firefox versions so I can be quite confident in saying this seems to affect just OpenBSD. In fact tell a lie, noScript add-on broke it recently but that was fixed pretty quick.

I did read the pkg-readme for Firefox when I first encountered this 2 weeks ago, but it didn't prove fruitful as I tried the 'create a new profile' recommendation but never solved the issue. I didn't try the '--safe-mode' as the pkg-readme only suggested using that if FF was not opening at all.

Och, who knows. I'm sure the issue will crop up for the maintainers at some point when it affects some web service they use so will eventually be rooted out I'm sure. In the meantime, suppose I can just use my other systems for logging on to email. It's not like OpenBSD is absolutely necessary to get on to my email or anything.

Thanks for the help/input, mate.

Regards.

Original Message
On Nov 1, 2017, 7:12 PM, Allan Streib wrote:

> "tec...@protonmail.com" writes:
>
>> Do you happen to know what the issue with Firefox is with this website
>> on OpenBSD? I mean my guess is that it has to do with JavaScript in
>> some way but why now? It wasn't like this on 6.1, so what changed?
>
> Firefox version went from 52 -> 56 in 6.1 -> 6.2.
>
> You might peruse the release notes for those firefox releases.
>
> Allan
Re: Cheap 2x NIC OpenBSD device
Interesting, just found this on it: https://www.tedunangst.com/flak/post/OpenBSD-on-ERL

Original Message
On Nov 1, 2017, 6:50 PM, Peter Faiman wrote:

> Do you mean it runs OpenBSD by default, or you can install OpenBSD? I have a
> Ubiquiti UniFi and it runs Linux.
>
> The Edgerouter Lite looks like a cool little piece of hardware, good tip!
>
>> On Nov 1, 2017, at 11:36 AM, Sean Murphy wrote:
>>
>> Check out the Ubiquiti Edgerouter Lite. Sub $100 (US), three NICs,
>> and runs OpenBSD.
>>
>> I've used it as a router, firewall, dhcp server, you name it. Versatile
>> device.
>>
>> On Wed, Nov 1, 2017 at 10:27 AM, Alex Waite wrote:
>>> I'm deploying a server to a different data center and I don't want to expose
>>> the IPMI interface of the machine to their semi-trusted management network.
>>> So, I'm planning on putting a simple OpenBSD device in front of it, logging
>>> and filtering.
>>>
>>> Can someone here recommend a relatively cheap (< ~100 EUR) device that runs
>>> OpenBSD and has 2 NICs?
>>>
>>> ---Alex
Re: protonmail.com broken on OpenBSD 6.2-Stable with Firefox
Hmm.. Yeah it works thanks. Well, it takes me to log in page. Once I enter my login information it took an age to actually get in to my account.. So much so that an alert box popped up within Firefox asking me if I want to wait or halt the page due to it taking a long time to load. I have never seen that Firefox alert in my puff before and I have been using since '04.

Do you happen to know what the issue with Firefox is with this website on OpenBSD? I mean my guess is that it has to do with JavaScript in some way but why now? It wasn't like this on 6.1, so what changed?

Thanks for the temp fix though, much appreciated!

Original Message
On Nov 1, 2017, 6:22 PM, vincent delft wrote:

> Hello,
>
> Can you try with the safe mode: firefox --safe-mode.
>
> This should work fine.
>
> rgds
>
> On Wed, Nov 1, 2017 at 5:32 PM, tec...@protonmail.com <tec...@protonmail.com>
> wrote:
>
>>> Hello,
>>>
>>> Can't get to the login page on FF, just see a never ending loop of 'Loading
>>> Protonmail...'
>>>
>>> Damn frustrating. I can confirm this has happened with 3 different
>>> installs.
>>>
>>> Having to use chromium, definitely not a good solution for a Google-hater.
>>>
>>> Thanks
protonmail.com broken on OpenBSD 6.2-Stable with Firefox
> Hello,
>
> Can't get to the login page on FF, just see a never ending loop of 'Loading
> Protonmail...'
>
> Damn frustrating. I can confirm this has happened with 3 different installs.
>
> Having to use chromium, definitely not a good solution for a Google-hater.
>
> Thanks
Re: MATE Desktop Environment 1.18.0
Hi,

apmd -A

I didn't try the other one you mentioned though and it's too late for me to try unfortunately.

> On Sat, Oct 28, 2017 at 06:12:33PM -0400, tec...@protonmail.com wrote:
>
>> A little off topic.. but..
>> I haven't tried MATE, but I have the same laptop (T430) and can report that
>> XFCE works very well without major issue ..although I did find that some
>> problems with over-heating and constant fan use resulting in faster battery
>> drain.
>>
>> Are you running the laptop with "sysctl hw.perfpolicy=auto" or "apm -A"?
>>
>> Gnome3 didn't perform well on my T430 - had to remove it after just a couple
>> of hours. The performance difference between Gnome3 on OpenBSD and Gnome3 on
>> Debian is like night and day.
>> Anyway, just thought I'd share some stuff I've noticed with having the same
>> machine.
>>
>>> Original Message
>>> Subject: MATE Desktop Environment 1.18.0
>>> Local Time: October 28, 2017 9:33 PM
>>> UTC Time: October 28, 2017 8:33 PM
>>> From: oregn...@riseup.net
>>> To: misc@openbsd.org
>>> Hi,
>>> I'm currently using MATE Desktop with OpenBSD / amd64 6.2 -stable on a
>>> Lenovo ThinkPad T430.
>>> I want to report some errors encountered during its use.
>>> Have you ever encountered these errors and possibly found a solution?
>>> gnome-keyring-daemon[31733]: couldn't access control socket:
>>> /var/run/user/1000/keyring/control: No such file or directory
>>> gnome-keyring-daemon[31733]: The PKCS#11 component was already initialized
>>> gnome-keyring-daemon[31733]: The Secret Service was already initialized
>>> console-kit-daemon[49025]: WARNING: Error waiting for native console 1
>>> activation: Permission denied
>>> console-kit-daemon[49025]: WARNING: Error waiting for native console 2
>>> activation: Permission denied
>>> console-kit-daemon[49025]: WARNING: Error waiting for native console 3
>>> activation: Permission denied
>>> console-kit-daemon[49025]: WARNING: Error waiting for native console 4
>>> activation: Permission denied
>>> mate-session[53962]: WARNING: Unable to find provider '' of required
>>> component 'dock'
>>> ** (mate-settings-daemon:59867): WARNING **: Error opening directory
>>> /etc/xrdb: No such file or directory
>>> [system] Activating service
>>> name='org.mate.SettingsDaemon.DateTimeMechanism' (using servicehelper)
>>> [system] Activated service 'org.mate.SettingsDaemon.DateTimeMechanism'
>>> failed: Launch helper exited with unknown return code 1
>>> pulseaudio[87536]: [(null)] authkey.c: Failed to open cookie file
>>> '/home/loginname/.config/pulse/cookie': No such file or directory
>>> pulseaudio[87536]: [(null)] authkey.c: Failed to load authentication key
>>> '/home/loginname/.config/pulse/cookie': No such file or directory
>>> pulseaudio[87536]: [(null)] authkey.c: Failed to open cookie file
>>> /home/loginname/.pulse-cookie': No such file or directory
>>> pulseaudio[87356]: [(null)] authkey.c: Failed to load authentication key
>>> '/home/loginname/.pulse-cookie': No such or directory
>>> pulseaudio[87536]: [(null)] core-util.c: Failed to create secure directory
>>> (/var/run/user/1000/pulse): No such file or directory
>>> DEBUG (42951): glibtop_open_p ()
>>> LibGTop-Server(c=42951): [ERROR] kvm_open: Operation not permitted
>>> glibtop(c=57092/s=42951): [ERROR] read 8 bytes: Resource temporarily
>>> unavailable
>>> (marco:5367): Gdk-ERROR **: The program 'marco' received an X Window
>>> System error.
>>> This probably reflets a bug in the program.
>>> The error was 'BadRegion (invalid Region parameter)'.
>>> (Details: serial 116413 error_code 140 request_code 138 (XFIXES)
>>> minor_code 10)
>>> Thank you for your help.
>>>
>>> - Olivier Regnier
>>>
>>> --
>>> Juan Francisco Cantero Hurtado http://juanfra.info
Re: MATE Desktop Environment 1.18.0
A little off topic.. but..

I haven't tried MATE, but I have the same laptop (T430) and can report that XFCE works very well without major issue ..although I did find that some problems with over-heating and constant fan use resulting in faster battery drain.

Gnome3 didn't perform well on my T430 - had to remove it after just a couple of hours. The performance difference between Gnome3 on OpenBSD and Gnome3 on Debian is like night and day.

Anyway, just thought I'd share some stuff I've noticed with having the same machine.

> Original Message
> Subject: MATE Desktop Environment 1.18.0
> Local Time: October 28, 2017 9:33 PM
> UTC Time: October 28, 2017 8:33 PM
> From: oregn...@riseup.net
> To: misc@openbsd.org
>
> Hi,
>
> I'm currently using MATE Desktop with OpenBSD / amd64 6.2 -stable on a
> Lenovo ThinkPad T430.
> I want to report some errors encountered during its use.
> Have you ever encountered these errors and possibly found a solution?
>
> gnome-keyring-daemon[31733]: couldn't access control socket:
> /var/run/user/1000/keyring/control: No such file or directory
> gnome-keyring-daemon[31733]: The PKCS#11 component was already initialized
> gnome-keyring-daemon[31733]: The Secret Service was already initialized
>
> console-kit-daemon[49025]: WARNING: Error waiting for native console 1
> activation: Permission denied
> console-kit-daemon[49025]: WARNING: Error waiting for native console 2
> activation: Permission denied
> console-kit-daemon[49025]: WARNING: Error waiting for native console 3
> activation: Permission denied
> console-kit-daemon[49025]: WARNING: Error waiting for native console 4
> activation: Permission denied
>
> mate-session[53962]: WARNING: Unable to find provider '' of required
> component 'dock'
>
> ** (mate-settings-daemon:59867): WARNING **: Error opening directory
> /etc/xrdb: No such file or directory
>
> [system] Activating service
> name='org.mate.SettingsDaemon.DateTimeMechanism' (using servicehelper)
> [system] Activated service 'org.mate.SettingsDaemon.DateTimeMechanism'
> failed: Launch helper exited with unknown return code 1
>
> pulseaudio[87536]: [(null)] authkey.c: Failed to open cookie file
> '/home/loginname/.config/pulse/cookie': No such file or directory
> pulseaudio[87536]: [(null)] authkey.c: Failed to load authentication key
> '/home/loginname/.config/pulse/cookie': No such file or directory
> pulseaudio[87536]: [(null)] authkey.c: Failed to open cookie file
> /home/loginname/.pulse-cookie': No such file or directory
> pulseaudio[87356]: [(null)] authkey.c: Failed to load authentication key
> '/home/loginname/.pulse-cookie': No such or directory
>
> pulseaudio[87536]: [(null)] core-util.c: Failed to create secure directory
> (/var/run/user/1000/pulse): No such file or directory
>
> DEBUG (42951): glibtop_open_p ()
> LibGTop-Server(c=42951): [ERROR] kvm_open: Operation not permitted
> glibtop(c=57092/s=42951): [ERROR] read 8 bytes: Resource temporarily
> unavailable
>
> (marco:5367): Gdk-ERROR **: The program 'marco' received an X Window
> System error.
> This probably reflets a bug in the program.
> The error was 'BadRegion (invalid Region parameter)'.
> (Details: serial 116413 error_code 140 request_code 138 (XFIXES)
> minor_code 10)
>
> Thank you for your help.
>
> - Olivier Regnier
Re: Running OpenVPN as a client breaks SSH access into same box? Is it a problem with default route being changed?
I will have a look into this tonight and see if I can figure it out with that.

Thank you

> Original Message
> Subject: Re: Running OpenVPN as a client breaks SSH access into same box? Is
> it a problem with default route being changed?
> Local Time: 24 October 2017 10:28 PM
> UTC Time: 24 October 2017 20:28
> From: danj+o...@chown.me
> To: misc@openbsd.org
>
> On Tue, 24 Oct 2017 16:25:08 -0400,
> "tec...@protonmail.com"
> tec...@protonmail.com wrote:
>
>> It's currently a bit tricky for me getting into the box physically.
>> If only I had SSH access ha!
>> I'm almost 100% certain that returning packets are being routed over
>> the tun0 (new default route) interface instead of em0.
>>
>> http://man.openbsd.org/pf.conf#reply-to should help you
>>
>>> Original Message
>>> Subject: Re: Running OpenVPN as a client breaks SSH access into
>>> same box? Is it a problem with default route being changed? Local
>>> Time: 24 October 2017 10:13 PM UTC Time: 24 October 2017 20:13
>>> From: kgo...@gmail.com
>>> To: tec...@protonmail.com tec...@protonmail.com
>>> you are more likely to receive help if you post the output of
>>> "ifconfig -a" and "netstat -nr" commands.
>>> On Tue, Oct 24, 2017 at 4:06 PM, tec...@protonmail.com
>>> tec...@protonmail.com wrote:
>>>
>>>> Hi,
>>>> I have a very very basic setup. Not using any other pf rules other
>>>> than what comes default with 6.2-Release and almost every other
>>>> release. Running OpenVPN works without a problem - able to connect
>>>> as a client to a remote OpenVPN server. Everything is properly
>>>> routing, verified by checking my IP. Problem is that as soon as
>>>> OpenVPN is running, I cannot SSH in to my OpenBSD machine from any
>>>> other machine on the Lan. Now, I'm guessing this has something to
>>>> do with the default route being changed automatically by OpenVPN
>>>> but I am still a total newbie with routing and pf so I have not a
>>>> clue how to fix this, especially in any sort of manner which I can
>>>> safely assume it to be the correct way. Can someone tell me how to
>>>> resolve this? Thank
Re: Running OpenVPN as a client breaks SSH access into same box? Is it a problem with default route being changed?
It's currently a bit tricky for me getting into the box physically. If only I had SSH access ha!

I'm almost 100% certain that returning packets are being routed over the tun0 (new default route) interface instead of em0.

Thanks

> Original Message
> Subject: Re: Running OpenVPN as a client breaks SSH access into same box? Is
> it a problem with default route being changed?
> Local Time: 24 October 2017 10:13 PM
> UTC Time: 24 October 2017 20:13
> From: kgo...@gmail.com
> To: tec...@protonmail.com <tec...@protonmail.com>
>
> you are more likely to receive help if you post the output of
> "ifconfig -a" and "netstat -nr" commands.
>
> On Tue, Oct 24, 2017 at 4:06 PM, tec...@protonmail.com
> tec...@protonmail.com wrote:
>
>> Hi,
>> I have a very very basic setup. Not using any other pf rules other than what
>> comes default with 6.2-Release and almost every other release. Running
>> OpenVPN works without a problem - able to connect as a client to a remote
>> OpenVPN server. Everything is properly routing, verified by checking my IP.
>> Problem is that as soon as OpenVPN is running, I cannot SSH in to my OpenBSD
>> machine from any other machine on the Lan. Now, I'm guessing this has
>> something to do with the default route being changed automatically by
>> OpenVPN but I am still a total newbie with routing and pf so I have not a
>> clue how to fix this, especially in any sort of manner which I can safely
>> assume it to be the correct way.
>> Can someone tell me how to resolve this? Thanks
Running OpenVPN as a client breaks SSH access into same box? Is it a problem with default route being changed?
Hi, I have a very very basic setup. Not using any other pf rules other than what comes default with 6.2-Release and almost every other release. Running OpenVPN works without a problem - able to connect as a client to a remote OpenVPN server. Everything is properly routing, verified by checking my IP. Problem is that as soon as OpenVPN is running, I cannot SSH in to my OpenBSD machine from any other machine on the Lan. Now, I'm guessing this has something to do with the default route being changed automatically by OpenVPN but I am still a total newbie with routing and pf so I have not a clue how to fix this, especially in any sort of manner which I can safely assume it to be the correct way. Can someone tell me how to resolve this? Thanks
6.2-Release - Firefox and Codeblocks Issues
Hi,

### Firefox / Firefox-ESR

I can not access my protonmail.com email account on both of these versions as I can't get to the login screen (it hangs on the loading screen) - this is evident by going to https://mail.protonmail.com/login. I have experienced this same issue on two different installs, so I believe anyone trying to access this site or some others will face the same issue. My guess is that it is due to the JavaScript functions it is running on this page. Chromium works without issue and shows the login form. Problem is, I really despise Chromium and actively try to stay away from all Google services.

### Codeblocks

This crashes as soon as I open it. I can briefly see the codeblocks graphic before it does so.

$ codeblocks
Starting Code::Blocks Release 16.01 rev 10692 Oct 2 2017, 19:06:03 - wx2.8.12 (OpenBSD, unicode) - 64 bit
Initialize EditColourSet .
Initialize EditColourSet: done.
Abort trap (core dumped)
$ gdb
(gdb) core codeblocks.core
Core was generated by `codeblocks'.
Program terminated with signal 6, Aborted.
#0 0x0f1d99cdb2da in ?? ()
Anyone else running 6.2 on a T430 - Experiencing issues with overheating and battery drain / fan noise?
Hi,

To see if this would help my laptop - but nope. I'm not sure what exactly is going on here but fan is running at full pelt, and it's uncomfortably hot. The strange thing is my laptop is mostly sitting pretty idle:

A very average / typical output of top:

CPU0 states: 1.2% user, 0.0% nice, 1.0% system, 1.0% interrupt, 96.8% idle
CPU1 states: 5.2% user, 0.0% nice, 1.2% system, 0.0% interrupt, 93.6% idle
CPU2 states: 4.0% user, 0.0% nice, 1.4% system, 0.0% interrupt, 94.6% idle
CPU3 states: 1.8% user, 0.0% nice, 2.2% system, 0.0% interrupt, 96.0% idle

I have tried enabling apmd to see if it will sort this out for me:

apmd_flags="-A"

But it doesn't, or at least if it does it is not noticeable to me.

I haven't really been using OpenBSD other than on my desktop - so installing on this Thinkpad is pretty new. I am used to Debian on this, and maybe I'm comparing or something but this doesn't really seem right. I am reluctant to think this is a hardware issue just due to the timing of just switching from Debian. I have an SSD in this Thinkpad - putting a regular spinner HDD in Debian would make it go like this, fans / heat / quicker battery drain.

I just don't want to take OpenBSD off of this cause I have a nice setup with XFCE (Gnome is my ultimate favourite with Debian - but the performance of it on this machine with OpenBSD is nowhere near as snappy or responsive as I am used to)

If anyone has any experience with this issue and can maybe help in some way, I'll be very appreciative.

Here's my dmesg:

OpenBSD 6.2 (GENERIC.MP) #0: Thu Oct 12 19:53:18 CEST 2017
r...@syspatch-62-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8256528384 (7874MB)
avail mem = 7999270912 (7628MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xdae9c000 (68 entries)
bios0: vendor LENOVO version "G1ETB2WW (2.72 )" date 01/31/2017
bios0: LENOVO 23493A4
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SLIC TCPA SSDT SSDT SSDT HPET APIC MCFG ECDT FPDT ASF! UEFI UEFI POAT SSDT SSDT DMAR UEFI DBG2
acpi0: wakeup devices LID_(S4) SLPB(S3) IGBE(S4) EXP3(S4) XHCI(S3) EHC1(S3) EHC2(S3) HDEF(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz, 2594.58 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: TSC frequency 2594582720 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.1.2, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz, 2594.11 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 1, core 0, package 0
cpu2 at mainbus0: apid 2 (application processor)
cpu2: Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz, 2594.11 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,SENSOR,ARAT
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 1, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz, 2594.11 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,SENSOR,ARAT
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 1, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xf800, bus 0-63
acpiec0 at acpi0
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (PEG_)
acpiprt2 at acpi0: bus 2 (EXP1)
acpiprt3 at acpi0: bus 3 (EXP2)
acpiprt4 at acpi0: bus 4 (EXP3)
acpicpu0 at acpi0: C2(350@80 mwait.1@0x20), C1(1000@1 mwait.1), PSS
acpicpu1 at acpi0: C2(350@80 mwait.1@0x20), C1(1000@1 mwait.1), PSS
acpicpu2 at acpi0:
I'm stuck with pf - can someone with some experience check my rules please? Thanks
I have been reading through the Book of PF (3rd edition) and other resources on the web (FAQ), so far so good but I'm hitting some roadblocks.

This router I have built is also acting as a client to an external VPN server, it works and my client is getting a connection just fine. The problem is that whenever OpenVPN is active I cannot SSH in from a specific subnet - my pf rules aren't right.

Is there some obvious issue with my rules standing out to you? I appreciate you looking, thanks.

Topology:

[pfSense Router: 192.168.1.1] (wifi lan subnet 192.168.2.0/24 / ethernet lan subnet 192.168.1.0/24) -- Unmanaged Switch -- [OpenBSD router : 192.168.1.100] (ethernet lan subnet 10.0.0.0/24)

What doesn't work:

pfSense clients on the wifi lan subnet SSH'ing in to the OpenBSD router (when OpenVPN is active on the OpenBSD router)

My pf.conf:

# Macros for interfaces
wan_interface = "re0"
lan_interface = "em0"
vpn_interface = "tun0"

# Macros for subnets
wan_subnet = "re0:network"
lan_subnet = "em0:network"
wifi_subnet = "192.168.2.0/24"

# Macros for outgoing
tcp_services_out = "{ ssh, smtp, domain, www, pop3, auth, https, pop3s }"
udp_services_out = "{ domain }"

# Macros for management
management_services = "{ ssh }"

# Macros for incoming
tcp_services_in = "{ ssh }"
udp_services_in = "{ domain }"

###

set skip on lo
block log all
set block-policy drop
set loginterface egress
match in all scrub (no-df max-mss 1440 random-id reassemble tcp)

# NAT
match out on $vpn_interface from $lan_subnet nat-to ($vpn_interface:0)

# Stop Non-VPN Access from lan subnet
block out quick log on egress from $lan_subnet to any

# Rules for egress network (re0)
# Diagnostics
pass out on egress inet proto udp to port 33433:33626
pass inet proto icmp from $wan_subnet keep state
# Management
pass quick proto tcp from $wan_subnet to $wan_interface port $management_services keep state
# Regular
pass quick inet proto tcp from $wan_interface to port $tcp_services_out keep state
pass quick inet proto udp from $wan_interface to port $udp_services_out keep state

##
# Rules for VPN network (tun0)
# Regular
pass quick inet proto tcp from ($vpn_interface:network) to port $tcp_services_out keep state
pass quick inet proto udp from ($vpn_interface:network) to port $udp_services_out keep state

#
# Rules for LAN network (em0)
# Diagnostics
pass inet proto icmp from $lan_subnet keep state
# Management
pass quick proto tcp from $lan_subnet to $wan_interface port $management_services keep state
# Regular
pass proto tcp from $lan_subnet to any port $tcp_services_out keep state
pass proto udp from $lan_subnet to any port $udp_services_out keep state

###
# Rules for WIFI subnet
# Diagnostics
pass quick inet proto icmp from $wifi_subnet keep state
# Management
pass quick proto tcp from $wifi_subnet to $wan_interface port $management_services keep state
Just starting out with pf (building a router / VPN) - issues connecting to SSH whilst VPN is active - cannot figure it out
Hello people,

I have been reading through the 3rd edition of pf and other resources on the web, so far so good but I'm hitting some roadblocks.

This router I have built is acting as a client to an external VPN server, it works and my client is getting a connection just fine. The problem is that whenever OpenVPN is active I cannot SSH in from a specific subnet - my pf rules aren't right.

Can someone do me a massive favour and check this out - see what stupid thing I'm doing is? Thank you so much in advance!

p.s. Running latest snapshot and pf rules included!

Topology:

[pfSense Router: 192.168.1.1] (wifi lan subnet 192.168.2.0/24 / ethernet lan subnet 192.168.1.0/24) --> Unmanaged Switch --> [OpenBSD router : 192.168.1.100] (ethernet lan subnet 10.0.0.0/24)

What works:

pfSense clients on ethernet lan subnet SSH'ing in to the OpenBSD router (whether OpenVPN is active or not on the OpenBSD router)

pfSense clients on the wifi lan subnet SSH'ing in to the OpenBSD router (when OpenVPN is NOT active on the OpenBSD router)

What doesn't work:

pfSense clients on the wifi lan subnet SSH'ing in to the OpenBSD router (when OpenVPN is active on the OpenBSD router)

My rules:

# Macros for interfaces
wan_interface = "re0"
lan_interface = "em0"
vpn_interface = "tun0"

# Macros for subnets
wan_subnet = "re0:network"
lan_subnet = "em0:network"
wifi_subnet = "192.168.2.0/24"

# Macros for outgoing
tcp_services_out = "{ ssh, smtp, domain, www, pop3, auth, https, pop3s }"
udp_services_out = "{ domain }"

# Macros for management
management_services = "{ ssh }"

# Macros for incoming
tcp_services_in = "{ ssh }"
udp_services_in = "{ domain }"

###

set skip on lo
block log all
set block-policy drop
set loginterface egress
match in all scrub (no-df max-mss 1440 random-id reassemble tcp)

# NAT
match out on $vpn_interface from $lan_subnet nat-to ($vpn_interface:0)

# Stop Non-VPN Access from lan subnet
block out quick log on egress from $lan_subnet to any

# Rules for egress network (re0)
# Diagnostics
pass out on egress inet proto udp to port 33433:33626
pass inet proto icmp from $wan_subnet keep state
# Management
pass quick proto tcp from $wan_subnet to $wan_interface port $management_services keep state
# Regular
pass quick inet proto tcp from $wan_interface to port $tcp_services_out keep state
pass quick inet proto udp from $wan_interface to port $udp_services_out keep state

##
# Rules for VPN network (tun0)
# Regular
pass quick inet proto tcp from ($vpn_interface:network) to port $tcp_services_out keep state
pass quick inet proto udp from ($vpn_interface:network) to port $udp_services_out keep state

#
# Rules for LAN network (em0)
# Diagnostics
pass inet proto icmp from $lan_subnet keep state
# Management
pass quick proto tcp from $lan_subnet to $wan_interface port $management_services keep state
# Regular
pass proto tcp from $lan_subnet to any port $tcp_services_out keep state
pass proto udp from $lan_subnet to any port $udp_services_out keep state

###
# Rules for WIFI subnet
# Diagnostics
pass quick inet proto icmp from $wifi_subnet keep state
# Management
pass quick proto tcp from $wifi_subnet to $wan_interface port $management_services keep state
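
Added example, not part of the original post: a longest-prefix-match model of the router's route lookup, showing why SSH from 192.168.2.0/24 fails only while the VPN is up, while SSH from the directly connected 192.168.1.0/24 keeps working. The tunnel peer 10.8.0.1, the two /1 routes (OpenVPN's `redirect-gateway def1` behaviour) and the client addresses ending in .50 are assumptions made for illustration.

```python
"""Model of the OpenBSD router's route lookup for SSH replies (added example).

192.168.1.100, 192.168.1.1, 192.168.2.0/24 and 10.0.0.0/24 come from the
post. The tunnel peer 10.8.0.1, the two /1 routes and the .50 client
addresses are assumptions, not values from the thread.
"""
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    dest: ipaddress.IPv4Network
    gateway: Optional[str]   # None means directly connected
    iface: str


def route(dest, gateway, iface):
    return Route(ipaddress.ip_network(dest), gateway, iface)


# Routing table before OpenVPN starts.
BASE = [
    route("0.0.0.0/0", "192.168.1.1", "re0"),   # default route via pfSense
    route("192.168.1.0/24", None, "re0"),       # connected: ethernet LAN
    route("10.0.0.0/24", None, "em0"),          # connected: router's own LAN
]

# Assumed routes installed by the VPN client (redirect-gateway def1 style):
# two /1 routes that together cover everything and beat the /0 default.
VPN = [
    route("0.0.0.0/1", "10.8.0.1", "tun0"),
    route("128.0.0.0/1", "10.8.0.1", "tun0"),
]

# One routing-level fix: a specific route back to the wifi subnet.
# pf's reply-to, suggested in the thread, instead pins replies to the
# interface and gateway the connection arrived on.
FIXED = BASE + VPN + [route("192.168.2.0/24", "192.168.1.1", "re0")]

# Constructed client addresses, one per subnet named in the post.
CLIENTS = {"ethernet": "192.168.1.50", "wifi": "192.168.2.50"}


def lookup(table, dst):
    """Return the most specific route covering dst (longest-prefix match)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.dest]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: r.dest.prefixlen)


def reply_is_symmetric(table, client, arrival_iface="re0"):
    """True if the reply to `client` leaves on the interface the SYN came in on."""
    return lookup(table, client).iface == arrival_iface


def diagnose(table):
    """Map each sample client to whether its SSH reply path is symmetric."""
    return {name: reply_is_symmetric(table, ip) for name, ip in CLIENTS.items()}


if __name__ == "__main__":
    for label, table in (("vpn down", BASE),
                         ("vpn up", BASE + VPN),
                         ("vpn up + static route", FIXED)):
        print(f"{label:22} {diagnose(table)}")
```
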
Re: Excited for 6.2 - C'mon and release this bad boy!
Thanks for the link, looks like my suspicions were right. Good stuff.

> Original Message
> Subject: Re: Excited for 6.2 - C'mon and release this bad boy!
> Local Time: 6 October 2017 3:22 PM
> UTC Time: 6 October 2017 15:22
> From: gp...@mailbox.org
> To: tec...@protonmail.com <tec...@protonmail.com>, misc@openbsd.org
> <misc@openbsd.org>
>
> I think you should wait at least a couple of days.
>
> https://www.openbsd.org/62.html
>
> On 10/06/2017 06:12 PM, tec...@protonmail.com wrote:
>> This month marks 6 months since 6.1 released, and I have a sneaky feeling
>> 6.2 could be coming out any day now.. well, I hope so.
>>
>> Looking forward to this!
>>
Excited for 6.2 - C'mon and release this bad boy!
This month marks 6 months since 6.1 released, and I have a sneaky feeling 6.2 could be coming out any day now.. well, I hope so. Looking forward to this!
Re: OpenBSD's HTTPD troubles AGAIN - Can't find any man page that explains how to properly set up directory authentication.
Yeah, I'm not great at explaining stuff sometimes - but you're spot on.

Regards

> Michael Hekeler writes:
>
>> What's wrong with the manpage?
>>
>> [no] authenticate [realm] with htpasswd
>> Authenticate a remote user for realm by checking the
>> credentials against the user authentication file htpasswd.
>> The file name is relative to the chroot and must be
>> readable by the www user. Use the no authenticate directive
>> to disable authentication in a location.
>>
>>> I read it totally differently, that the htpasswd is a location to a
>>> file and not just a declaration to look for a file in the current dir
>>> named htpasswd etc.
>>
>> The htpasswd IS a file:
>> location "/*" { authenticate with "/htpasswd" }
>>
>> In this example the passwordfile is named "htpasswd" and is in /var/www
>> (Note that httpd(8) is chrooted by default)
>
> I think he meant possible confusion over whether "htpasswd" is the
> literal/only name of the file, or a stand-in name for "any file name I
> choose" e.g. if my password file was named "foo" then the directive
> would be
>
> authenticate [realm] with foo.
>
> I could see it being interpreted that way, anyway.
>
> Allan
Re: OpenBSD's HTTPD troubles AGAIN - Can't find any man page that explains how to properly set up directory authentication.
Thanks for the reply.

This issue was worked out already thanks to another user on the misc board. I appreciate the info on the RFC, I never looked that up - I never even thought to tbh as was just trying to do it from the man page.

Well, who knows - I just read that section of the man page quite differently - a rewritten version from another guy made me understand it properly. Some man pages are just confusing and some are clear and simple, with excellent examples to explain something.

Anyway, that is some good info on the realm stuff - I'll look into that.

Regards.

> On Sat, 16 Sep 2017 08:35:59 -0400
> "tec...@protonmail.com" <tec...@protonmail.com> wrote:
>
>> You are a legend. Got it working with that!
>>
>> Thank you so much, saved me a bigger headache!
>>
>> p.s. Still, looking at the man page that really is not obvious where
>> it mentions [realm] and [htpasswd].
>
> What's wrong with the manpage?
>
>     [no] authenticate [realm] with htpasswd
>         Authenticate a remote user for realm by checking the
>         credentials against the user authentication file htpasswd.
>         The file name is relative to the chroot and must be
>         readable by the www user. Use the no authenticate directive
>         to disable authentication in a location.
>
>> I read it totally differently, that the htpasswd is a location to a
>> file and not just a declaration to look for a file in the current dir
>> named htpasswd etc.
>
> The htpasswd IS a file:
>     location "/*" { authenticate with "/htpasswd" }
>
> In this example the passwordfile is named "htpasswd" and is in /var/www
> (Note that httpd(8) is chrooted by default)
>
>> I wonder where did "Secure Area" come from too,
>> "realm" is mentioned but I had not a clue what it even was. I still
>> don't.
>
> From RFC 1945 (HTTP/1.0) and RFC 2617 (HTTP Authentication referenced
> by HTTP/1.1):
> The realm attribute (case-insensitive) is required for all
> authentication schemes which issue a challenge. The realm value
> (case-sensitive), in combination with the canonical root URL of the
> server being accessed, defines the protection space. These realms allow
> the protected resources on a server to be partitioned into a set of
> protection spaces, each with its own authentication scheme and/or
> authorization database. The realm value is a string, generally assigned
> by the origin server, which may have additional semantics specific to
> the authentication scheme.
>
> In short, pages in the same realm should share credentials. If your
> credentials work for a page with the realm "My Realm", it should be
> assumed that the same username and password combination should work for
> another page with the same realm.
>
>> I cannot stand the man page for httpd.conf - so much
>> frustration for me.
>
> If you have concrete questions then ask.
> My experience is that someone on the list will try to help.
> But by now: ... what is your question?
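The reply above explains that the name after "with" is a credentials file resolved relative to the chroot. As an added example (not from the thread or from the OpenBSD project), this script resolves that path and flags a file that holds Apache directives instead of login:hash lines, or that sits under the document root. The function names, sample paths and sample hash are constructed, and it assumes entries are login:bcrypt-hash lines as written by htpasswd(1).

```shell
#!/bin/sh
# Added example: lint the file named in httpd.conf's "authenticate ... with".
# Function names, sample paths and the sample hash are constructed for illustration.

# httpd(8) reads the file name relative to its chroot, so "/htpasswd" with
# chroot /var/www is /var/www/htpasswd on disk.
resolve_htpasswd() {    # usage: resolve_htpasswd CHROOT NAME_FROM_CONFIG
    printf '%s/%s\n' "${1%/}" "${2#/}"
}

# Prints one finding per line; returns 0 when the file is clean, 1 otherwise.
lint_htpasswd() {       # usage: lint_htpasswd FILE DOCROOT
    file=$1 docroot=${2%/} bad=0 n=0
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    case $file in
        "$docroot"/*) echo "file is inside the document root"; bad=1 ;;
    esac
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            '') ;;
            ?*:'$2'[aby]'$'?*) ;;    # login:bcrypt-hash (assumed htpasswd(1) format)
            AuthType*|AuthName*|AuthUserFile*|Require*)
                echo "line $n: Apache directive, not a login:hash entry"; bad=1 ;;
            *)  echo "line $n: not a login:bcrypt-hash entry"; bad=1 ;;
        esac
    done < "$file"
    return "$bad"
}

# Constructed sample: an Apache-style file like the one in the original post,
# placed under the document root, and a login:hash file outside it.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/htdocs/download"
    printf '%s\n' 'AuthType Basic' 'AuthName "Restricted Access"' \
        'AuthUserFile /var/www/htpasswd' 'Require user admin' \
        > "$d/htdocs/download/htpasswd"
    printf '%s\n' 'admin:$2b$10$ConstructedSampleHashNotARealOne' > "$d/htpasswd"
    for name in /htdocs/download/htpasswd /htpasswd; do
        f=$(resolve_htpasswd "$d" "$name")
        echo "== $name"
        lint_htpasswd "$f" "$d/htdocs" || true
    done
    rm -rf "$d"
}
demo
```

The script only checks the shape and location of the file; whether the www user can read it still has to be checked with the file's owner and mode on the server.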
Re: OpenBSD's HTTPD troubles AGAIN - Can't find any man page that explains how to properly set up directory authentication.
You are a legend. Got it working with that!

Thank you so much, saved me a bigger headache!

p.s. Still, looking at the man page that really is not obvious where it mentions [realm] and [htpasswd]. I read it totally differently, that the htpasswd is a location to a file and not just a declaration to look for a file in the current dir named htpasswd etc. I wonder where did "Secure Area" come from too, 'realm' is mentioned but I had not a clue what it even was. I still don't. I cannot stand the man page for httpd.conf - so much frustration for me.

> Original Message
>
> You may find this helpful:
> https://marc.info/?l=openbsd-arm=149507490119056=2
>
> On 9/16/17, tec...@protonmail.com <tec...@protonmail.com> wrote:
>> Hello,
>>
>> Can someone with knowledge of OpenBSD's HTTPD please tell me how to properly
>> set up a password protected directory and where you found ALL of the
>> information to do so. I am really struggling to find enough information
>> within the man pages to even make it work correctly. I want to love the man
>> pages, I really do, but.. Yeah, you get the drift - frustration.
>>
>> Thanks and regards.
>>
>
> [snip]
OpenBSD's HTTPD troubles AGAIN - Can't find any man page that explains how to properly set up directory authentication.
Hello,

Can someone with knowledge of OpenBSD's HTTPD please tell me how to properly set up a password protected directory and where you found ALL of the information to do so. I am really struggling to find enough information within the man pages to even make it work correctly. I want to love the man pages, I really do, but.. Yeah, you get the drift - frustration.

Thanks and regards.

p.s. Here is everything I've tried so far which doesn't work...

# I found this authentication stuff a year ago some place, no idea where the person got these instructions from but I'm sure they said it was meant for the new httpd in OpenBSD. Looks like Apache stuff to me? That right? Anyway, it works kinda, except a never ending loop of putting user/password in through the browser and no access - GARBAGE.

$ cat /var/www/htdocs/download/htpasswd
AuthType Basic
AuthName "Restricted Access"
# This is relative to the chroot but my chroot is disabled so place absolute path
AuthUserFile /var/www/htpasswd
Require user admin

$ chown www /var/www/htdocs/download/htpasswd
$ chmod 640 /var/www/htdocs/download/htpasswd

# Create the username:hashed pass:
$ htpasswd /var/www/htpasswd admin
$ chmod 640 /var/www/htpasswd

# This is placed within my httpd.conf :
authenticate with htpasswd

# Reload all changed to httpd.conf
rcctl reload httpd.conf

# Test access -> Never ending authentication screen, password and/or user is always wrong
Re: httpd.conf - access denied error whilst trying to auto index a location
Ok, I got it to work.

Strangely, it required closing my browser down and starting it again. I can't think why that would have caused an 'Access Denied' error but it's gone now. Who knows.

> On September 15, 2017 4:06:37 AM GMT+02:00, "tec...@protonmail.com"
> <tec...@protonmail.com> wrote:
>>Hello,
>>
>>I'm using 6.1 + all updates (system and packages)
>>
>>I am trying to list a particular directory exactly as shown within the
>>https://www.jp.openbsd.org/papers/httpd-slides-asiabsdcon2015.pdf
>>presentation:
>>
>>location "/download/*" {
>>    directory auto index
>>    log style combined
>>}
>>
>>This just results in an error from the browser - "Access Denied". I
>>have checked the permissions of the "download" directory, even given
>>them permissions of 777 just to see if I can get this to work but nope.
>
> 1. I'm not convinced this will Target the directory itself
> 2. Did you check the permissions on all intermediate directories?
>
> /Alexander
>
>> Same error.
>>
>>My http.conf file:
>>
>>ext_addr="192.168.1.2"
>>
>>types { include "/usr/share/misc/mime.types" }
>>
>>chroot "/"
>>logdir "/var/www/logs"
>>
>>server "default" {
>>
>>    listen on $ext_addr port 80
>>
>>    location "*.php" {
>>        fastcgi socket "/var/www/run/php-fpm.sock"
>>    }
>>
>>    location "/phpMyAdmin*" {
>>        root { "/var/www/htdocs/phpMyAdmin", strip 1 }
>>    }
>>
>>    location "/download/*" {
>>        directory auto index
>>        log style combined
>>    }
>>
>>    root "/var/www/htdocs/"
>>
>>    directory index "index.php"
>>
>>    location "*/db_structure.xml" { block }
>>    location "*/.ht*" { block }
>>    location "*/README" { block }
>>    location "*/data*" { block }
>>    location "*/config*" { block }
>>    location "*/*.php.*" { block }
>>
>>}
>>
>># ls -alht /var/www/htdocs/download
>>total 12
>>drwxr-xr-x 5 root daemon 512B Sep 15 03:49 ..
>>drwxrwxrwx 2 root daemon 512B Sep 15 03:07 .
>>-rwxr-xr-x 1 root daemon 8B Sep 15 03:07 notes.txt
>>
>># cat /var/www/logs
>>default 192.168.1.3 - - [15/Sep/2017:03:51:21 +0200] "GET /download/
>>HTTP/1.1" 403 0
>>
>>Everything else runs smoothly on my server, but I cannot get a listing
>>of the files for some reason when I go to 192.168.1.2/download. I can
>>access the notes.txt file though through the browser at
>>http://192.168.1.2/download/notes.txt
>>
>>I just can't figure it out, restarted the server so many times and now
>>I've given up and looking to see if anyone knows what the problem could
>>be. More than likely I'm doing something silly here. Before someone
>>points out that I have disabled the chroot, yes I know.. and I have
>>done this for a very specific reason so please don't even bother asking
>>me reasons why I have done this, okay? Okay.
>>
>>Any help will be massively appreciated, thanks for reading!
Re: httpd.conf - access denied error whilst trying to auto index a location
The permissions on directories are fine.

I have achieved this before with no problems, but it was on 5.7 / 5.8 / 5.9. Is this a bug introduced by changing the chroot? I mean I'm following the creator's own slides on this, except for the fact I have disabled the chroot in mines.

Thanks for reading.

> On September 15, 2017 4:06:37 AM GMT+02:00, "tec...@protonmail.com"
> <tec...@protonmail.com> wrote:
>>Hello,
>>
>>I'm using 6.1 + all updates (system and packages)
>>
>>I am trying to list a particular directory exactly as shown within the
>>https://www.jp.openbsd.org/papers/httpd-slides-asiabsdcon2015.pdf
>>presentation:
>>
>>location "/download/*" {
>>    directory auto index
>>    log style combined
>>}
>>
>>This just results in an error from the browser - "Access Denied". I
>>have checked the permissions of the "download" directory, even given
>>them permissions of 777 just to see if I can get this to work but nope.
>
> 1. I'm not convinced this will Target the directory itself
> 2. Did you check the permissions on all intermediate directories?
>
> /Alexander
>
>> Same error.
>>
>>My http.conf file:
>>
>>ext_addr="192.168.1.2"
>>
>>types { include "/usr/share/misc/mime.types" }
>>
>>chroot "/"
>>logdir "/var/www/logs"
>>
>>server "default" {
>>
>>    listen on $ext_addr port 80
>>
>>    location "*.php" {
>>        fastcgi socket "/var/www/run/php-fpm.sock"
>>    }
>>
>>    location "/phpMyAdmin*" {
>>        root { "/var/www/htdocs/phpMyAdmin", strip 1 }
>>    }
>>
>>    location "/download/*" {
>>        directory auto index
>>        log style combined
>>    }
>>
>>    root "/var/www/htdocs/"
>>
>>    directory index "index.php"
>>
>>    location "*/db_structure.xml" { block }
>>    location "*/.ht*" { block }
>>    location "*/README" { block }
>>    location "*/data*" { block }
>>    location "*/config*" { block }
>>    location "*/*.php.*" { block }
>>
>>}
>>
>># ls -alht /var/www/htdocs/download
>>total 12
>>drwxr-xr-x 5 root daemon 512B Sep 15 03:49 ..
>>drwxrwxrwx 2 root daemon 512B Sep 15 03:07 .
>>-rwxr-xr-x 1 root daemon 8B Sep 15 03:07 notes.txt
>>
>># cat /var/www/logs
>>default 192.168.1.3 - - [15/Sep/2017:03:51:21 +0200] "GET /download/
>>HTTP/1.1" 403 0
>>
>>Everything else runs smoothly on my server, but I cannot get a listing
>>of the files for some reason when I go to 192.168.1.2/download. I can
>>access the notes.txt file though through the browser at
>>http://192.168.1.2/download/notes.txt
>>
>>I just can't figure it out, restarted the server so many times and now
>>I've given up and looking to see if anyone knows what the problem could
>>be. More than likely I'm doing something silly here. Before someone
>>points out that I have disabled the chroot, yes I know.. and I have
>>done this for a very specific reason so please don't even bother asking
>>me reasons why I have done this, okay? Okay.
>>
>>Any help will be massively appreciated, thanks for reading!
httpd.conf - access denied error whilst trying to auto index a location
Hello,

I'm using 6.1 + all updates (system and packages)

I am trying to list a particular directory exactly as shown within the https://www.jp.openbsd.org/papers/httpd-slides-asiabsdcon2015.pdf presentation:

location "/download/*" {
    directory auto index
    log style combined
}

This just results in an error from the browser - 'Access Denied'. I have checked the permissions of the 'download' directory, even given them permissions of 777 just to see if I can get this to work but nope. Same error.

My http.conf file:

ext_addr="192.168.1.2"

types { include "/usr/share/misc/mime.types" }

chroot "/"
logdir "/var/www/logs"

server "default" {

    listen on $ext_addr port 80

    location "*.php" {
        fastcgi socket "/var/www/run/php-fpm.sock"
    }

    location "/phpMyAdmin*" {
        root { "/var/www/htdocs/phpMyAdmin", strip 1 }
    }

    location "/download/*" {
        directory auto index
        log style combined
    }

    root "/var/www/htdocs/"

    directory index "index.php"

    location "*/db_structure.xml" { block }
    location "*/.ht*" { block }
    location "*/README" { block }
    location "*/data*" { block }
    location "*/config*" { block }
    location "*/*.php.*" { block }

}

# ls -alht /var/www/htdocs/download
total 12
drwxr-xr-x 5 root daemon 512B Sep 15 03:49 ..
drwxrwxrwx 2 root daemon 512B Sep 15 03:07 .
-rwxr-xr-x 1 root daemon 8B Sep 15 03:07 notes.txt

# cat /var/www/logs
default 192.168.1.3 - - [15/Sep/2017:03:51:21 +0200] "GET /download/ HTTP/1.1" 403 0

Everything else runs smoothly on my server, but I cannot get a listing of the files for some reason when I go to 192.168.1.2/download. I can access the notes.txt file though through the browser at http://192.168.1.2/download/notes.txt

I just can't figure it out, restarted the server so many times and now I've given up and looking to see if anyone knows what the problem could be. More than likely I'm doing something silly here. Before someone points out that I have disabled the chroot, yes I know.. and I have done this for a very specific reason so please don't even bother asking me reasons why I have done this, okay? Okay.

Any help will be massively appreciated, thanks for reading!