Re: Issues with TP-Link UE300
Sorry, still connected to USB. I looked it up before replying. It looks more like a hardware design issue of the device it is connected to, plus many other issues related to the "Dongle" itself.

T

From: Joel Carnat
Sent: 28 September 2020 00:21
To: Torsten
Cc: misc@openbsd.org
Subject: Re: Issues with TP-Link UE300

Well, this is no wifi device. This is an ethernet dongle. That particular one: https://www.tp-link.com/en/home-networking/computer-accessory/ue300/

Sent from my iPad

On 28 Sept 2020 at 00:55, Torsten <tors...@cnc-london.net> wrote:

HI

As far as I can tell, WiFi is nominal speed, not designated speed. Other dominating factors for that would be USB connection type, hardware bus connections, motherboard design, direct processor lanes to where Wifi is what it is, never as good as hard wired 100mb/1000mb or even 10gb connections.

Best
T

-----Original Message-----
From: owner-m...@openbsd.org <mailto:owner-m...@openbsd.org> On Behalf Of Joel Carnat
Sent: 27 September 2020 22:43
To: misc@openbsd.org <mailto:misc@openbsd.org>
Subject: Issues with TP-Link UE300

Hi,

I have plugged a TP-Link UE300 into my ThinkPad X260 running OpenBSD -snapshot and it seems I can't get more than 100Mbps. The dongle attaches and gets an IP address. But the speed seems limited. Same behaviour when attached to the USB3 port of my APU4D4 (running 6.7). When plugged into a MacBook Pro (running macos), it gets Gbps speed.

I have noticed that it gets attached to cdce0; I thought the RTL8153 chipset would give me an ure0 device. Is this expected? Is there something I can do to get Gbps out of this device?

Thanks for help,
Jo

--
OpenBSD 6.8 (GENERIC.MP) #85: Sun Sep 27 13:39:51 MDT 2020
cdce0 at uhub0 port 15 configuration 2 interface 0 "TP-LINK USB 10/100/1000 LAN" rev 3.00/30.00 addr 4

# doas usbdevs -v
Controller /dev/usb0:
addr 01: 8086: Intel, xHCI root hub
         super speed, self powered, config 1, rev 1.00
         driver: uhub0
addr 02: 8087:0a2b Intel, Bluetooth
         full speed, self powered, config 1, rev 0.01
         driver: ugen0
addr 03: 5986:0706 SunplusIT Inc, Integrated Camera
         high speed, power 500 mA, config 1, rev 0.12
         driver: uvideo0
addr 04: 2357:0601 TP-LINK, USB 10/100/1000 LAN
         super speed, power 64 mA, config 2, rev 30.00, iSerial 0100
         driver: cdce0
Re: Issues with TP-Link UE300
HI

As far as I can tell, WiFi is nominal speed, not designated speed. Other dominating factors for that would be USB connection type, hardware bus connections, motherboard design, direct processor lanes to where Wifi is what it is, never as good as hard wired 100mb/1000mb or even 10gb connections.

Best
T

-----Original Message-----
From: owner-m...@openbsd.org On Behalf Of Joel Carnat
Sent: 27 September 2020 22:43
To: misc@openbsd.org
Subject: Issues with TP-Link UE300

Hi,

I have plugged a TP-Link UE300 into my ThinkPad X260 running OpenBSD -snapshot and it seems I can't get more than 100Mbps. The dongle attaches and gets an IP address. But the speed seems limited. Same behaviour when attached to the USB3 port of my APU4D4 (running 6.7). When plugged into a MacBook Pro (running macos), it gets Gbps speed.

I have noticed that it gets attached to cdce0; I thought the RTL8153 chipset would give me an ure0 device. Is this expected? Is there something I can do to get Gbps out of this device?

Thanks for help,
Jo

--
OpenBSD 6.8 (GENERIC.MP) #85: Sun Sep 27 13:39:51 MDT 2020
cdce0 at uhub0 port 15 configuration 2 interface 0 "TP-LINK USB 10/100/1000 LAN" rev 3.00/30.00 addr 4

# doas usbdevs -v
Controller /dev/usb0:
addr 01: 8086: Intel, xHCI root hub
         super speed, self powered, config 1, rev 1.00
         driver: uhub0
addr 02: 8087:0a2b Intel, Bluetooth
         full speed, self powered, config 1, rev 0.01
         driver: ugen0
addr 03: 5986:0706 SunplusIT Inc, Integrated Camera
         high speed, power 500 mA, config 1, rev 0.12
         driver: uvideo0
addr 04: 2357:0601 TP-LINK, USB 10/100/1000 LAN
         super speed, power 64 mA, config 2, rev 30.00, iSerial 0100
         driver: cdce0
Re: ideas needed for password management
Hi

You need an smtpd server which is native to BSD and supports auth backends. Have a look here: https://www.fehcom.de/sqmail/sqmail.html

I use it with dovecot with mysql auth backend; sqmail basically calls a dovadmin socket to authenticate, so no need for mysql as long as you can login to dovecot pop3 or imap.

T

-----Original Message-----
From: owner-m...@openbsd.org On Behalf Of Roderick
Sent: 24 September 2020 14:33
To: Hakan E. Duran
Cc: misc@openbsd.org
Subject: Re: ideas needed for password management

(1) I would separate login to Email (smtp+imap authentication) from any other login (to machine) as many people told you here.

(2) Perhaps write a cgi script? But that needs a lot of care due to security.

(3) offer a web mailer that has this service? Prayer webmail has this, but it looks very primitive, just calls a program as I remember, and seems not to be maintained. Perhaps other webmail has it?

Rod.

On Wed, 23 Sep 2020, Hakan E. Duran wrote:

> Dear all,
>
> I set up a simple mail server on OpenBSD on a VPS, based on OpenSMTP and Dovecot. The users will be the Unix users on the VPS for simplicity. However, I now have the problem of allowing users setting and modifying their own passwords (perhaps even their usernames) without giving them ssh access to the host. I don't have technical background and training for this type of work; however, I love doing this, please be gentle with me. The mail server is a hobby that is intended for family and a few friends, and is not mission critical.
>
> I thought something like Webmin could work for this purpose, but without root access of course. However, I am not sure if such a tool exists. Any other ideas are welcome.
>
> Thank you so much in advance for your suggestions.
>
> Hakan
Re: TCP wrapper alternative?
HI

A much simpler option is D.J. Bernstein's tcpserver in combination with daemontools. I use it for all sorts of things including IP blacklisting into pf's tables. The packages are in the ports system.

T

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Thomas Smith
Sent: 09 July 2019 19:04
To: misc@openbsd.org
Subject: TCP wrapper alternative?

Hi,

I'm considering an option to evaluate connecting IPs before they're evaluated by `pf` in order to make some decisions about the "reputation" of a connecting IP. Then if that reputation is low enough, some action could either be taken: in `pf` to protect the associated application (say by blocking the connection); or in the app responsible for the listening port.

`pf`, unfortunately, isn't able to make routing decisions based on external factors (insofar as I understand)--I'm hoping to add some additional (very simple) intelligence to that. Just another metric or two for determining if a connection is legitimate.

I've been looking into TCP wrappers for OpenBSD but it seems that this functionality was removed in version 5. Is my understanding of that correct? If so, is there an alternate way to achieve what I mentioned?

I know I can use something like sshguard or fail2ban, but I'm looking for a much simpler option and one that preferably doesn't rely on tailing log files (if there aren't viable alternatives, I may consider these, however).

~ Tom
Re: packet loss when > 1000 clients connect
> Check with pfctl -si if you reach a limit

Thanks, will do. Marc Peters also suggested to check pf state limit, upon digging into that I found https://serverascode.com/2011/09/12/openbsd-pf-set-limit-states.html and therefore added set limit states 20 to pf.conf.
packet loss when > 1000 clients connect
Hi!

Problem description:
In a customer's network more than 2k clients connect to a server and perform https requests. When in the morning more and more clients become active, the number of connections rises until more and more clients fail to connect to the server. The reason appears to be packet losses.

Question:
Are we hitting system limits or resource exhaustion that we should have configured higher? Any other idea what to look for?

Thanks in advance!
T.

Findings:
Debugging on the production server is not trivial, so we've done some tests on the client side first and those showed that when there's an error, the client sends a tcp SYN but does not receive back a SYN-ACK.

Setup, OS:
We're using Bernstein's daemontools to start a go (golang) based https server in a chroot running as user www on OpenBSD 6.3.

hardware:
The server runs as VM on VMWare Esxi 6.5. The above mentioned client ran on the same ESXi server, so there's only one virtual 10GB switch between the client and the server. The issue has been reproduced when the server was running on a different virtualisation host.

Network:
To redirect port 443 to the high port that the userspace golang code can open, we're using pf:

port 443 -> pf -> 8443 -> go-httpd -> 127.0.0.1(Database)

pf.conf:
#[...]
block all
#[...]
pass in proto tcp from any to any port 443 rdr-to 127.0.0.1 port 8443 keep state

Limits:
User www is member of login-class daemon. The ulimits for daemon in /etc/login.conf were set to

daemon:\
        :ignorenologin:\
        :datasize=infinity:\
        :maxproc=infinity:\
        :openfiles-max=8192:\
        :openfiles-cur=1024:\
        :stacksize-cur=8M:\
        :localcipher=blowfish,a:\
        :tc=default:
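The reply in this thread points at `pfctl -si` and `set limit states`. As an added example (not code from the thread), here is a small check that parses the text `pfctl -si` and `pfctl -sm` print and tells you whether the state table is at its hard limit and whether pf has already dropped packets for lack of state slots (the `state-limit` counter). The two sample outputs are constructed to resemble real pfctl output; the function names and the `warn_ratio` threshold are my own choices.

```python
"""Check whether pf's state table is near or at its hard limit.

Added example, not from the mailing-list thread. It parses what
`pfctl -si` (status/counters) and `pfctl -sm` (hard limits) print and
compares "current entries" with the `states` hard limit configured by
`set limit states` in pf.conf. The samples below are constructed.
"""
import re

# Constructed sample of `pfctl -si` output (abridged) from a host that has
# hit the state limit: current entries sit at the limit and the
# `state-limit` counter (packets dropped for lack of a state slot) is non-zero.
SAMPLE_PFCTL_SI = """\
Status: Enabled for 0 days 06:12:31           Debug: err

State Table                          Total             Rate
  current entries                    10000
  searches                        48113204         2154.3/s
  inserts                          1932211           86.5/s
  removals                         1922211           86.1/s
Counters
  match                            1933451           86.6/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                        12            0.0/s
  state-insert                           0            0.0/s
  state-limit                         1240            0.1/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
"""

# Constructed sample of `pfctl -sm` output: the configured hard limits.
SAMPLE_PFCTL_SM = """\
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     1024
tables        hard limit     1000
table-entries hard limit   200000
"""

# Indented "name  total  [rate/s]" rows; names may contain a hyphen or one space.
SI_ROW = re.compile(r"^\s+([a-z][a-z-]*(?: [a-z]+)?)\s+(\d+)(?:\s+[\d.]+/s)?\s*$")
SM_ROW = re.compile(r"^(\S+)\s+hard limit\s+(\d+)\s*$")


def parse_si(text):
    """Return {'current entries': int, 'state-limit': int, ...} from pfctl -si."""
    stats = {}
    for line in text.splitlines():
        m = SI_ROW.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def parse_sm(text):
    """Return {'states': int, 'src-nodes': int, ...} from pfctl -sm."""
    limits = {}
    for line in text.splitlines():
        m = SM_ROW.match(line)
        if m:
            limits[m.group(1)] = int(m.group(2))
    return limits


def check_state_table(si_text, sm_text, warn_ratio=0.8):
    """Compare current state entries against the hard limit.

    Returns usage ratio, the number of packets pf dropped because the table
    was full (state-limit counter), and a one-line verdict.
    """
    stats = parse_si(si_text)
    limits = parse_sm(sm_text)
    current = stats.get("current entries", 0)
    limit = limits.get("states", 0)
    dropped = stats.get("state-limit", 0)
    ratio = current / limit if limit else 0.0
    if dropped > 0 or ratio >= 1.0:
        verdict = "state table exhausted: raise 'set limit states' in pf.conf"
    elif ratio >= warn_ratio:
        verdict = "state table near limit"
    else:
        verdict = "ok"
    return {"current": current, "limit": limit, "ratio": ratio,
            "dropped": dropped, "verdict": verdict}


if __name__ == "__main__":
    # On a real host: check_state_table(run("pfctl -si"), run("pfctl -sm"))
    print(check_state_table(SAMPLE_PFCTL_SI, SAMPLE_PFCTL_SM))
```

A non-zero `state-limit` counter is the direct symptom of the thread's "SYN sent, no SYN-ACK" observation: pf could not create a state, so the packet was dropped before the daemon ever saw it.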
Re: blocking openvpn port scanners
Hi Steve

Try to add below to your pf.conf

table persist
pass in on $ext_if inet proto tcp from any to $ext_if port 1194 \
        (max-src-conn 10, max-src-conn-rate 30/5, \
        overload flush global)

T

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Steve Fairhead
Sent: 19 December 2018 21:27
To: misc@openbsd.org
Subject: blocking openvpn port scanners

I'm probably missing something obvious. Cluebats invited.

A few OpenBSD servers I look after have OpenVPN server installed (for homeworkers' access), which means port 1194 is open. Recently they seem to have appeared on some scumbag's "hack this" list, as they're constantly deluged with brute-force hack attacks. A snippet from openvpn.log:

>>
Wed Dec 19 18:28:53 2018 185.81.153.117:55881 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Dec 19 18:28:53 2018 185.81.153.117:55881 TLS Error: TLS handshake failed
Wed Dec 19 18:28:53 2018 185.81.153.117:64379 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Dec 19 18:28:53 2018 185.81.153.117:64379 TLS Error: TLS handshake failed
Wed Dec 19 18:28:53 2018 185.81.153.117:27493 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Dec 19 18:28:53 2018 185.81.153.117:27493 TLS Error: TLS handshake failed
<<

(IP addresses obscured to protect the sinner - no, wait...) (and logfile filtered by "failed".)

For now, I manually log the above IPs and add them to a badhosts file - no more access of any kind for you, mwahaha. But it's a lot of work, and my logfile is just noise...

I already use pf.conf to protect my ssh port against such attacks (rate-limiting). Can I do anything similar with pf for the openvpn port? Don't want to block real users if they screw up once or twice... although they are few enough that I can be super-aggressive in denying access, and sort it out by phone...

Maybe I shouldn't even worry about it, but I'd really like to hit back. (See above re "mwahaha".)

Steve
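The pf rule above makes its decision on connection rate (`max-src-conn-rate 30/5`). As an added example, not code from the thread, here is the same rate test applied to openvpn.log lines of the form the post shows, so you can see which sources the rule would have caught before rolling it out, and confirm that a user who fumbles twice stays well under it. The log lines are constructed (TEST-NET addresses); `offenders`, `parse_line` and `constructed_log` are my names.

```python
"""Flag sources that fail OpenVPN TLS handshakes faster than a rate limit.

Added example, not from the thread. Reads openvpn.log lines like
  Wed Dec 19 18:28:53 2018 203.0.113.7:40000 TLS Error: TLS handshake failed
and reports every source address that exceeds `max_conn` failures inside
any `window` seconds, the same shape as pf's `max-src-conn-rate 30/5`.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "<weekday> <month> <day> <HH:MM:SS> <year> <ip>:<port> TLS Error: TLS handshake failed"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ TLS Error: TLS handshake failed$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"


def parse_line(line):
    """Return (timestamp, source_ip) for a failed-handshake line, else None.

    The companion "TLS key negotiation failed to occur within 60 seconds"
    line is deliberately ignored so that each failed attempt counts once.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("ip")


def offenders(lines, max_conn=30, window=5):
    """Return {ip: peak} for sources with more than max_conn failures in any
    `window` seconds; peak is the largest count seen in one window.
    Lines are assumed to be in the order OpenVPN wrote them."""
    recent = defaultdict(deque)   # per-source sliding window of timestamps
    peak = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # drop entries older than the window
            q.popleft()
        if len(q) > max_conn:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


def constructed_log():
    """Constructed sample: one scanner firing 40 attempts in 4 seconds and
    one legitimate user who fumbled twice, a minute apart."""
    base = datetime(2018, 12, 19, 18, 28, 53)
    lines = []
    for i in range(40):
        t = base + timedelta(seconds=i // 10)
        lines.append(f"{t.strftime(TS_FMT)} 203.0.113.7:{40000 + i} TLS Error: "
                     "TLS key negotiation failed to occur within 60 seconds "
                     "(check your network connectivity)")
        lines.append(f"{t.strftime(TS_FMT)} 203.0.113.7:{40000 + i} TLS Error: "
                     "TLS handshake failed")
    for i in range(2):
        t = base + timedelta(minutes=i)
        lines.append(f"{t.strftime(TS_FMT)} 198.51.100.20:{51000 + i} TLS Error: "
                     "TLS handshake failed")
    return lines


if __name__ == "__main__":
    for ip, count in offenders(constructed_log()).items():
        print(f"{ip}: {count} failed handshakes within 5 s")
```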
Re: Cheaper alternatives for APC UPS
Hi Radek

I had a lot of problems such as overheating, and much shorter lifespan of batteries with cheaper brands. I'm not a fan of branded overprices but I need my server to run 24/7. We had some cyberpower for workstations and 2 started leaking battery acid after 8 months.

R

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Radek
Sent: 17 December 2018 20:47
To: misc@openbsd.org
Subject: Cheaper alternatives for APC UPS

Hello,

could you recommend me any UPS brands *cheaper* than APC that are fully supported in OpenBSD? I always use APC, managing them via USB and apcupsd (both servers and clients) and PowerChute (windows clients). It works like a charm. APC is quite expensive brand so I am looking for any cheaper alternatives.

Thanks!
--
radek
Re: VMWare tools - VM does not shut down
For the archives I'm answering my own question:

https://man.openbsd.org/vmt.4:
> vmt handles shutdown and reboot requests from the host by signalling
> init(8) with SIGUSR2 and SIGINT respectively.

We made our own init listen to SIGUSR2 and SIGINT and that solved our problem.

> On 25 September 2018 18:22:57 GMT+02:00, Torsten wrote:
>> Hi!
>>
>> I'm working on a project with a large number of highly customized OpenBSD 6.3 based appliances.
>>
>> On each of these machines VMWare reports VMWare tools to be "installed and ready". However, when I try to actually do something like shutdown, reboot or sleep, there simply is no reaction. The machine remains up and running.
>>
>> When I run a standard OpenBSD 6.3 machine on the same hypervisor, everything works fine, so in general everything seems to be functional. But we must have missed something when building these individual appliances. I just cannot figure out what that could be. I read "man vmt" but I couldn't figure if vmt would require some service that's normally started by rc, which in our appliances is not being started. In fact, the appliances do not use the OpenBSD init system at all but replace them with some custom init.
>>
>> What are we missing?
>>
>> Thanks in advance!
>> T.
>
> I just read your message as "we run modified openbsd and it doesn't work, but official openbsd work"
>
> It's hard to help you.
VMWare tools - VM does not shut down
Hi!

I'm working on a project with a large number of highly customized OpenBSD 6.3 based appliances.

On each of these machines VMWare reports VMWare tools to be "installed and ready". However, when I try to actually do something like shutdown, reboot or sleep, there simply is no reaction. The machine remains up and running.

When I run a standard OpenBSD 6.3 machine on the same hypervisor, everything works fine, so in general everything seems to be functional. But we must have missed something when building these individual appliances. I just cannot figure out what that could be. I read "man vmt" but I couldn't figure if vmt would require some service that's normally started by rc, which in our appliances is not being started. In fact, the appliances do not use the OpenBSD init system at all but replace them with some custom init.

What are we missing?

Thanks in advance!
T.
Re: Google abruptly accessed photos on memory card and MUCH more without permission
Sadly you are not in the EU or that would cost google 500K

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Michael Ayres
Sent: 19 September 2018 14:48
To: Chris Bennett
Cc: misc@openbsd.org
Subject: Re: Google abruptly accessed photos on memory card and MUCH more without permission

Chrome is banned at my workplace shop, as are pretty much all of Google products. We use DuckDuckGo, or other one-off for search and Firefox or Safari for browsers.

Michael Ayres
Michael Ayres, MS, CISSP, CSEP, CSM, PMI-ACP, PMP | www.mace-associates.com
San Francisco, CA. | 415.999.2049
https://www.linkedin.com/in/michaelmaceayres
michael.ay...@yahoo.com

> On Sep 19, 2018, at 5:43 AM, Chris Bennett wrote:
>
> I travel frequently. Often outside of the US. I decided when in Mexico that I could possibly lose the tiny notepad so I took photos of my passwords on it. I did this on a Mexican phone and I have often used these photos when I couldn't remember rarely used passwords and my notepad wasn't with me. Seemed like a good idea at the time.
>
> I also use Google photos and drive since I download a lot of photos of different beards and moustaches since this is the one thing I can change to look different (hey it's fun).
>
> Suddenly, I discovered yesterday, basically by accident, that Google, on its own, without asking permission, just decided that it should backup folders including my photos.
>
> Now Google has all of my usernames and account numbers and passwords that are in those photos.
>
> So today, I have to change every single password and username in those photos.
> Which means I have to drop every single forum, app info, etc. And sign up again.
>
> NOTE WELL:
> I also discovered that Google is not just storing passwords in Chrome, but is also monitoring ALL my app activities, passwords AND passing (selling most likely) my profile info and reviews to companies. Their wording is deliberately obscure as to what exactly is being stored and disclosed to others.
>
> I use JuiceSSH on my Android phone. I like it.
> Guess what. Now I can't use it or definitely I may or am getting my usernames and passwords stolen!
> I also do not want my actual activities showing up. You know, like database passwords, etc.
>
> I would really appreciate any advice on how to deal with this.
> Not being able to use SSH on my phone is a problem.
> Yet I see that this is no longer an option.
>
> Google is now very clearly out of control and violating, against our will, any level of privacy and not asking permission.
> Yet, they also offer some very alluring services such as YouTubeTV, which I both use and like. It's basically cheap cable that's portable and has DVR also included.
>
> I'm going to start another thread right now that is probably a better place to answer this in, instead of spread over two threads.
>
> Fahrenheit 451,
> Chris Bennett
Re: Running your own mail server
I definitely agree to qmail. It was a learning curve for me in the late 90's to get it going on Redhat, after that Mandrake and Slackware with finally settling down on FreeBSD and OpenBSD.

Sadly, there are some concerns about the aging code with various patches available to compensate, but I have not found a viable replacement ever since getting fond of qmail's/tcpserver's flexibility with patches and pain to adopt to new encoders and ssl/tls versions.

Be aware, qmail is not an off the shelf usable software but once you get into it - you may never leave. I did not and do not intend until it can't be maintained.

--
if you demand performance, FreeBSD + Qmail-ldap is THE way to go.

my 1 cent.

On Sat, Sep 8, 2018 at 12:26 PM Ken M wrote:
> Just curious how many of you use openbsd to run your own personal email server?
> Do you find it a hassle to manage in any way?
>
> I know openbsd is perfectly fine for a mail server, don't get me wrong the question is more about is it worth it to do yourself. Specifically I will probably be doing it through a guest on vultr.
>
> Back story my family all has email addresses through the domain I have. Which basically will forward to a gmail account. The kids accounts don't really forward anywhere, they are place holders I guess. But they are getting old enough to use their own accounts for things and not just through the school which sets them up with google accounts to use through their chromebook.
>
> So my wife really doesn't like the idea of setting them loose on their own email accounts, and I don't necessarily disagree with her, but I disagree on the way to do it. In a gmail point of view all I can think of is shared passwords for the kids. I don't like that because first of all they could change it, second of all monitoring their email means literally reading their email.
>
> My wife and I have different views on privacy as well.
>
> I was thinking I could run my own email server to give them accounts there, and at the same time instead of reading their email be able to more specifically block certain senders, but also to scan the email for troubling words. In my mind that is things like suicide, kill, etc.
>
> So I guess the end question, is for protecting the email of minors is running my own email server, when I have never done it before on any OS, worth it over some other solution. And yes I am very open to other suggestions for a solution, even if it is something I have to pay for, to avoid sharing passwords or grotesque privacy infringement of literally reading all their emails.
>
> Welcome to differences of opinion as well. Thank you.
>
> Ken
Re: using installboot to create a custom OpenBSD install on sd1
I spent another three hours on this and now I've come to a point where at least my kernel boots.

> Hi!
>
> In short:
> I am trying to use installboot to make a new harddrive bootable that should contain a custom OpenBSD installation, however, when trying to boot from that new hd I always get "No O/S".
>
> Detailed:
> I successfully set up a standard OpenBSD 6.3 (machine A) on sd0 using install.iso. Using custom scripts, I would like to create custom installations on sd1 to create individual installations (machine B, C and so on), each on a separate HD that I would swap for sd1 each time.
>
> On (A) I did:
>
> fdisk -iy sd1
> echo "a a\n\n2g\n\na b\n\n\n\n\nw\nq\n"|disklabel -E sd1
> newfs /dev/rsd1a
>
> mount /dev/sd1a /mnt
>
> cp -R /altroot /mnt/altroot
> cp -R /bin /mnt/bin
> cp -R /dev /mnt/dev
> cp -R /etc /mnt/etc
> cp -R /home /mnt/home
> cp -R /root /mnt/root
> cp -R /sbin /mnt/sbin
> cp -R /tmp /mnt/tmp
> cp -R /usr /mnt/usr
> cp -R /var /mnt/var
> cp /bsd* /mnt/
>
> cd /mnt/dev
> ./MAKEDEV std
>
> installboot -v sd1 /usr/mdec/biosboot /usr/mdec/boot
>
> (also tried
> installboot -v -r /mnt/ sd1 /usr/mdec/biosboot /usr/mdec/boot
> without success)
>
> Hints and help will be appreciated!
>
> Regards,
> T.
using installboot to create a custom OpenBSD install on sd1
Hi!

In short:
I am trying to use installboot to make a new harddrive bootable that should contain a custom OpenBSD installation, however, when trying to boot from that new hd I always get "No O/S".

Detailed:
I successfully set up a standard OpenBSD 6.3 (machine A) on sd0 using install.iso. Using custom scripts, I would like to create custom installations on sd1 to create individual installations (machine B, C and so on), each on a separate HD that I would swap for sd1 each time.

On (A) I did:

fdisk -iy sd1
echo "a a\n\n2g\n\na b\n\n\n\n\nw\nq\n"|disklabel -E sd1
newfs /dev/rsd1a

mount /dev/sd1a /mnt

cp -R /altroot /mnt/altroot
cp -R /bin /mnt/bin
cp -R /dev /mnt/dev
cp -R /etc /mnt/etc
cp -R /home /mnt/home
cp -R /root /mnt/root
cp -R /sbin /mnt/sbin
cp -R /tmp /mnt/tmp
cp -R /usr /mnt/usr
cp -R /var /mnt/var
cp /bsd* /mnt/

cd /mnt/dev
./MAKEDEV std

installboot -v sd1 /usr/mdec/biosboot /usr/mdec/boot

(also tried
installboot -v -r /mnt/ sd1 /usr/mdec/biosboot /usr/mdec/boot
without success)

Hints and help will be appreciated!

Regards,
T.
Re: stop syslogd from opening port 514 UDP
> it is your test methodology that is broken

Well, I said "I want the machine to be invisible", so I don't think there is anything wrong with me testing which ports are open and checking what I can do (besides pf) to close them.

Anyway, thanks for your help!

Cheers!
Re: stop syslogd from opening port 514 UDP
>> On my OpenBSD 6.2 syslogd is listening to port 514
>> [...]
>> prevent syslogd from opening that port in the first place?
> If [...] no logging rules exist to send to a remote
> host the socket is closed per default since 6.2. Perhaps you are logging
> to a remote host?

Thank you for your answer, indeed I am logging to a remote host. However, I don't understand why logging to a remote host opens port 514 incoming. Anyway, I understand you're saying that this is intended behaviour and cannot be circumvented other than using pf, right?
stop syslogd from opening port 514 UDP
Hi!

On my OpenBSD 6.2 syslogd is listening to port 514, even though it is not started with "-r" (to receive remote syslog messages). It does not actually seem to log anything if I send something to port 514 UDP, however, I want the machine to be invisible when someone is probing for open ports. I know I could use PF as a workaround, but can't I prevent syslogd from opening that port in the first place?

Thanks,
T.
Re: Kernel memory leaking on Intel CPUs?
Ps

security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=$(jot -r 1 )
security.bsd.stack_guard_page=1

> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of torsten
> Sent: 05 January 2018 00:59
> To: 'Rupert Gallagher'; 'Daniel Wilkins'; 'Allan Streib'
> Cc: 'Alceu R. de Freitas Jr.'; misc@openbsd.org
> Subject: Re: Kernel memory leaking on Intel CPUs?
>
> I wonder how it is in reality for most *BSD users due to
> 1. hide processes run by other users
> 2. disable reading kernel messaging buffers...
> 3. disable kernel messaging debugging by unprivileged users
>
> And some other tweaks
>
> What surprises me is the "panic" publication of this because of already known and in *BSDs addressed concerns about hyperthreading and shared memory well back since 1994
>
> > -----Original Message-----
> > From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Rupert Gallagher
> > Sent: 04 January 2018 22:22
> > To: Daniel Wilkins; Allan Streib
> > Cc: Alceu R. de Freitas Jr.; misc@openbsd.org
> > Subject: Re: Kernel memory leaking on Intel CPUs?
> >
> > https://mobile.twitter.com/misc0110/status/948706387491786752
> >
> > On Thu, Jan 4, 2018 at 16:49, Daniel Wilkins <t...@parlementum.net> wrote:
> >
> > > Intel's said that it affects every processor in the last 20+ years and that it's "not a big deal for most users" because it's only a kernel memory *read*.
Re: Kernel memory leaking on Intel CPUs?
I wonder how it is in reality for most *BSD users due to
1. hide processes run by other users
2. disable reading kernel messaging buffers...
3. disable kernel messaging debugging by unprivileged users

And some other tweaks

What surprises me is the "panic" publication of this because of already known and in *BSDs addressed concerns about hyperthreading and shared memory well back since 1994

> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Rupert Gallagher
> Sent: 04 January 2018 22:22
> To: Daniel Wilkins; Allan Streib
> Cc: Alceu R. de Freitas Jr.; misc@openbsd.org
> Subject: Re: Kernel memory leaking on Intel CPUs?
>
> https://mobile.twitter.com/misc0110/status/948706387491786752
>
> On Thu, Jan 4, 2018 at 16:49, Daniel Wilkins wrote:
>
> > Intel's said that it affects every processor in the last 20+ years and that it's "not a big deal for most users" because it's only a kernel memory *read*.
Re: IPMI still requires Java! I'm screwed.
No, just download IPMIView from SM and use the built-in viewer and all is OK. The power can still be managed with the web site. The IPMI viewer requires java.exe on your PC but runs independently of any browser.

T

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Chris Bennett
Sent: 20 December 2017 21:04
To: misc@openbsd.org
Subject: IPMI still requires Java! I'm screwed.

I found a new server that uses IPMI and offers using it to set up your own custom OS. So I bought in. Damn thing requires Java. They offered me some pretty worthless advice on using Java. I'm screwed into having to use Windows 7.

I've tried the Firefox ESR 32bit that supports Java. Nope.
Opera. Nope
Edge. Nope
Chrome. Nope, including trying to use IEtab

Is it actually possible to get any web browser to open a Java applet?

I'm using a friend's laptop and it can't stay on while in the BIOS or after booting OpenBSD just to the point of running memtest. I'm a bit confused about what to do. They offer IPMI that won't work without Java. Is this even anything more than a scam?? I don't know squat about windows other than it sucks.

Serious question: Is it acceptable practice to offer remote access that cannot be used?
Re: Suppressing logging of arp movement messages
> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of OpenBSD
> Sent: 08 November 2017 15:44
> To: misc@openbsd.org
> Subject: Suppressing logging of arp movement messages
>
> hello all,
>
> I have finally built an internet gateway with OpenBSD 6.2 (AMD64), including pf and IPSec. Great stuff.
> Now I am seeing a lot of arp movement, that I know are caused by Apple's Bonjour Sleep Proxy.
>
> Nov 8 00:00:27 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
> Nov 8 00:00:58 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
> Nov 8 00:01:57 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
> Nov 8 00:02:04 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
> Nov 8 00:02:35 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
> Nov 8 00:03:28 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
> Nov 8 00:03:42 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 00:46:ab:ba:19:87 on vmx0
> Nov 8 00:04:27 gatekeeper /bsd: arp info overwritten for 192.168.20.99 by 9c:ab:3b:ca:fe:99 on vmx0
>
> These messages are repeating every 15-30 seconds for Apple devices like laptops that are in standby (sleep mode).
>
> On pfSense and FreeBSD you have a sysctl:
> net.link.ether.inet.log_arp_movements
> when set to zero it will no longer log the messages.
>
> Discussions can be found on internet dating back to 2010, but no solution has been provided for what I could find.
> I have not yet found any sysctl in OpenBSD to do the same. Did I miss something or does OpenBSD have any trick to not log these messages.
> Currently these messages are filling up the logs /var/run/dmesg.boot and /var/log/messages.
>
> Marco PC

Hi Marco

In freebsd it is usually done with sysctl net.link.ether.inet.log_arp_movements=0 and I guess this applies to openbsd too.

T
OpenBSD 6.1: httpd.conf macro usage and string concatenation
Hi!

I thought I could copy the same static server definition block and only change a unique macro definition at the top of each server. But this is not working:

##
# from httpd.conf
##
# [...]
# macro definition
certroot="/etc/ssl/httpd"
docroot="/htdocs"
domain="domain.tld"

server $domain{
        listen on * tls port 443
        tls certificate $certroot/$domain/$domain.pem
        tls key $certroot/$domain/$domain.key
        root $docroot/$domain
}

domain="anotherdomain.tld"
server $domain{
        listen on * tls port 443
        tls certificate $certroot/$domain/$domain.pem
        tls key $certroot/$domain/$domain.key
        root $docroot/$domain
}
# [...]
##

The idea was if you have a lot of server definitions you could keep static the parts that are the same and just change the macro for each server in the line above the server block.

Because the httpd.conf man page says "Macros are not expanded inside quotes." I cannot use 'root "$docroot/$domain"'. But 'root $docroot/$domain' isn't accepted either.

Does that mean I cannot use Macros for parts of the config file that reference files or folders, because Macros are not expanded inside quotes but keywords with file or folder options require enclosing quotes? If that's the case I don't understand what Macros are good for.

Thanks in advance!
T.
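One way around the quoting restriction, as an added example that is neither from the thread nor part of httpd, is to stop relying on macros for the repeated part and generate the server blocks from a list of domains, writing the quoted paths out literally. Because the domain name ends up inside quoted configuration values, it is validated as a plain hostname first so a stray quote or space cannot reach the generated file. `render_servers` and `valid_domain` are my names; the paths are the ones from the post.

```python
"""Generate repeated httpd.conf server blocks from a list of domains.

Added example, not from the thread. Instead of re-assigning a `domain`
macro before each block (macros are not expanded inside quotes), emit
each block with the quoted paths already filled in. Domain names are
validated so that nothing but a hostname lands inside the quotes.
"""
import re

# RFC 1123-style hostname: dot-separated labels of letters, digits and
# inner hyphens, ending in an alphabetic top-level label, 253 chars max.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

# Same layout as the block in the post, with literal quoted paths.
SERVER_BLOCK = """\
server "{domain}" {{
\tlisten on * tls port 443
\ttls certificate "{certroot}/{domain}/{domain}.pem"
\ttls key "{certroot}/{domain}/{domain}.key"
\troot "{docroot}/{domain}"
}}
"""


def valid_domain(domain):
    """True if `domain` is a plain lowercase hostname safe to quote."""
    return bool(HOSTNAME_RE.match(domain))


def render_servers(domains, certroot="/etc/ssl/httpd", docroot="/htdocs"):
    """Return the concatenated server blocks for `domains`.

    Raises ValueError rather than emitting a block for anything that is not
    a hostname, so configuration text can never be injected via the list.
    """
    blocks = []
    for d in domains:
        if not valid_domain(d):
            raise ValueError(f"refusing to render invalid domain name: {d!r}")
        blocks.append(SERVER_BLOCK.format(domain=d, certroot=certroot, docroot=docroot))
    return "\n".join(blocks)


if __name__ == "__main__":
    # Write the result to a file and `include` it from httpd.conf, or paste it in.
    print(render_servers(["domain.tld", "anotherdomain.tld"]))
```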
Re: META: Does this list have no moderators?
Freedom of speech and expression is the cause. How could we at the open source community start policing any other than abusive, commercial, racist or political spam. That would make us no better than what we are opposing. I don't want to offend anyone but this is the point, or better, the sole reason of existence, of what we are doing.

Regards
Torsten

> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Gareth Nelson
> Sent: 04 June 2016 22:27
> To: OpenBSD general usage list
> Subject: META: Does this list have no moderators?
>
> I'm sure we're all aware of the individual I'm thinking of when I say their posts are both inappropriate and annoying.
>
> The individual in question should be referred privately to mental health services, but they should also be prohibited from posting further to this list.
>
> Thoughts?
Re: META: Does this list have no moderators?
HI

I guess I put it clear, now comments are coming through which are excessive or simply not necessary.

A Yea or Nay will do, sometimes silence is a virtue.

T

> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf
> Of ludovic coues
> Sent: 04 June 2016 23:18
> To: Gareth Nelson
> Cc: OpenBSD general usage list
> Subject: Re: META: Does this list have no moderators?
>
> 2016-06-04 23:26 GMT+02:00 Gareth Nelson:
> > I'm sure we're all aware of the individual I'm thinking of when I say
> > their posts are both inappropriate and annoying.
> >
> > The individual in question should be referred privately to mental
> > health services, but they should also be prohibited from posting
> > further to this list.
> >
> > Thoughts?
> >
>
> Asking to exclude someone for their supposed mental health is plain
> wrong.
> If we are thinking of the same person, you can call out their abuse of
> cross-list.
>
> Or as some great people on this list would say, ignore the problem and
> watch if it goes away.
>
> --
>
> Cordialement, Coues Ludovic
> +336 148 743 42
Re: Small FW boxes for CORP use (was: T40E APU?)
> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Josh
> Grosse
> Sent: 12 March 2016 13:22
> To: misc@openbsd.org
> Subject: Re: Small FW boxes for CORP use (was: T40E APU?)
>
> On Sat, Mar 12, 2016 at 10:34:16AM +, Kapfhammer, Stefan wrote:
> > But how would you feed the CAT female jack out of the original
> > pcengines enclosure? There are no further mounting holes in it.
>
> I was thinking of the Alix, where enclosures are not included.

I like standard 1U low power equipment and prefer Supermicro for its Linux/BSD support. This is no advertising for eBay but I usually get stuff like this
http://www.ebay.co.uk/itm/Supermicro-1U-Server-Xeon-X3430-2-4Ghz-Quad-Core-8GB-RAM-Low-Power-R210-DL120-/291687112072?hash=item43e9e81d88:g:034AAOSwcwhVON9U
then add a dual port NIC, usually HP Intel, and off I go.

The benefit is the KVM, integrated HDDs and flexibility. My gateways are proxies, VPN and HTTP servers with port forwarding to internal workstations and servers after authentication for VNC, SQL and other.
Re: Supermicro AOC-SG-I2 (two ports Intel 82575EB) hwfeatures
> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
> Atanas Vladimirov
> Sent: 04 March 2016 19:33
> To: misc@openbsd.org
> Subject: Re: Supermicro AOC-SG-I2 (two ports Intel 82575EB) hwfeatures
>
> On 04.03.2016 19:55, torsten wrote:
> > Hi Atanas,
> > It looks like a link speed negotiation error.
> > Can you set the link speed to 100MB/s and see what happens. I don't
> > think it is a driver or server hardware issue but more a switch
> > issue.
> > Have you tried another switch or hub
> > I use the same board in Servers and Gateways with FreeBSD and OpenBSD
> > without any issues.
>
> Hi Torsten,
> Yes, I tried with three switches.
> I'm not sure that the problem is link negotiation because on-board Intel NICs
> are OK.
> Can you send me the output of `ifconfig em hwfeatures` from a server which is
> running OpenBSD and has AOC-SG-I2?
> Thanks,
> Atanas

Here is the output in 5.8
This is a multipath gateway setup - very stable - and connected to DELL 1xxx managed switches

Dec 20 12:50:20 gate01 /bsd: em0 at pci2 dev 0 function 0 "Intel 82571EB" rev 0x06: apic 2 int 17, address 00:15:17:48:7b:22
Dec 20 12:50:20 gate01 /bsd: em1 at pci2 dev 0 function 1 "Intel 82571EB" rev 0x06: apic 2 int 18, address 00:15:17:48:7b:23
Dec 20 12:50:20 gate01 /bsd: em2 at pci0 dev 25 function 0 "Intel 82579LM" rev 0x05: msi, address 00:25:90:d0:17:11
Dec 20 12:50:20 gate01 /bsd: em3 at pci4 dev 0 function 0 "Intel 82574L" rev 0x00: msi, address 00:25:90:d0:17:10

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	hwfeatures=36<CSUM_TCPv4,CSUM_UDPv4,VLAN_MTU,VLAN_HWTAGGING> hardmtu 9216
	lladdr 00:15:17:48:7b:22
	priority: 0
	groups: egress
	media: Ethernet autoselect (1000baseT full-duplex)
	status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	hwfeatures=36<CSUM_TCPv4,CSUM_UDPv4,VLAN_MTU,VLAN_HWTAGGING> hardmtu 9216
	lladdr 00:15:17:48:7b:23
	priority: 0
	groups: egress
	media: Ethernet autoselect (1000baseT full-duplex)
	status: active
em2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
	hwfeatures=36<CSUM_TCPv4,CSUM_UDPv4,VLAN_MTU,VLAN_HWTAGGING> hardmtu 9216
	lladdr 00:25:90:d0:17:11
	priority: 0
	media: Ethernet autoselect (none)
	status: no carrier
em3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	hwfeatures=36<CSUM_TCPv4,CSUM_UDPv4,VLAN_MTU,VLAN_HWTAGGING> hardmtu 9216
	lladdr 00:25:90:d0:17:10
	priority: 0
	media: Ethernet autoselect (1000baseT full-duplex)
	status: active
	inet 192.168.0.238 netmask 0xfc00 broadcast 192.168.3.255
Re: Supermicro AOC-SG-I2 (two ports Intel 82575EB) hwfeatures
Hi Atanas,

It looks like a link speed negotiation error. Can you set the link speed to 100MB/s and see what happens. I don't think it is a driver or server hardware issue but more a switch issue. Have you tried another switch or hub?

I use the same board in Servers and Gateways with FreeBSD and OpenBSD without any issues.

> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
> Atanas Vladimirov
> Sent: 04 March 2016 17:04
> To: misc@openbsd.org
> Subject: Re: Supermicro AOC-SG-I2 (two ports Intel 82575EB) hwfeatures
>
> On 27.02.2016 11:42, Atanas Vladimirov wrote:
> > Hi,
> > I'm running -current on Supermicro X9SCL-F with two on-board Gigabit
> > Intel (82579LM and 82574L) and one PCI-e 4x Supermicro AOC-SG-I2 [0]
> > (two ports Intel 82575EB).
> > The question is why 82575EB doesn't support hwfeatures
> > (CSUM_TCPv4,CSUM_UDPv4 and VLAN_HWTAGGING) as 82579LM and 82574L.
> > Thanks.
> > ..
> > [0] http://www.supermicro.com/products/accessories/addon/AOC-SG-I2.cfm
>
> Hi,
> Before my previous email I had a strange issue but back then I didn't know
> that it was related to the NIC.
> I have a basic ifstated config [1] to monitor my WAN connection (first port on
> AOC-SG-I2 was my uplink to my ISP).
> At some time ifstated sent me two emails - the link was DOWN and after 9
> (nine) seconds was back ON-Line.
> I had a few phone calls with my ISP and they checked the switch a few times.
> I started to wonder if the problem was on my side. I plugged the second port
> of AOC-SG-I2 to a tp-link wdr4900 which I use as 5 port gigabit switch for my
> home LAN and began to observe two ports with a `while` loop:
>
> [ns]~$ while true; do date; ifconfig emp[1-0] | grep -e "media:" -e "status:"; sleep 1; done > mon_if_em[1-0]
>
> Both ports had 2-3 seconds disconnects at the same time (two different
> switches).
> Here's the question - Could this be a hardware related problem or is it a
> driver issue?
> Is anyone out there also using Intel 82575EB?
>
> That's why I asked for hwfeatures in the first email because that's the only
> difference I saw.
> Now I moved the NIC to another (test) server (dmesg and pcidump at the end [2])
> to test the same way.
>
> em(4) says:
> "The em driver supports IPv4 receive IP/TCP/UDP checksum offload and
> transmit TCP/UDP checksum offload on all but 82542-based adapters, VLAN
> tag insertion and stripping, and jumbo frames on all but 82562V,
> 82566DC/82566DM and 82573E/82573L/82573V-based adapters."
>
> ..
> Tue Mar 1 15:52:43 EET 2016
>         media: Ethernet autoselect (1000baseT full-duplex,master,rxpause,txpause)
>         status: active
> Tue Mar 1 15:52:44 EET 2016
>         media: Ethernet autoselect (none)
>         status: no carrier
> Tue Mar 1 15:52:45 EET 2016
>         media: Ethernet autoselect (none)
>         status: no carrier
> Tue Mar 1 15:52:46 EET 2016
>         media: Ethernet autoselect (1000baseT full-duplex,master,rxpause,txpause)
>         status: active
> ..
> Wed Mar 2 08:03:17 EET 2016
>         media: Ethernet autoselect (1000baseT full-duplex,master,rxpause,txpause)
>         status: active
> Wed Mar 2 08:03:18 EET 2016
>         media: Ethernet autoselect (none)
>         status: no carrier
> Wed Mar 2 08:03:19 EET 2016
>         media: Ethernet autoselect (none)
>         status: no carrier
> Wed Mar 2 08:03:21 EET 2016
>         media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
>         status: active
> ..
>
> [1]
>
> [ns]~$ cat /etc/ifstated.conf
> # $OpenBSD: ifstated.conf,v 1.6 2005/02/07 06:08:10 david Exp $
> # This is a sample config for a pair of firewalls with two interfaces
> #
> init-state auto
>
> peer_up = '( "ping -q -c 4 -i 3 -w 4 XX.87.YY.ZZ > /dev/null" every 20 )'
> em0_up = "em0.link.up"
> em0_down = "em0.link.down"
>
> state auto {
> 	if $em0_up {
> 		set-state extif_up
> 	}
> 	if $em0_up && $peer_up {
> 		set-state extif_online
> 	}
> 	if $em0_down {
> 		set-state extif_down
> 	}
> }
>
> state extif_up {
> 	init {
> 		run "echo External interface UP @ `date +%H:%M:%S` | mail -s 'External Interface UP' vl...@bsdbg.net"
> 	}
> 	if $em0_down {
> 		set-state extif_down
> 	}
> 	if $em0_up && $peer_up {
> 		set-state extif_online
> 	}
> }
>
> state extif_online {
> 	init {
> 		run "echo External interface ON-line @ `date +%H:%M:%S` | mail -s 'External Interface ON-line' vl...@bsdbg.net"
> 	}
> 	if $em0_up && ! $peer_up {
> 		set-state extif_up
> 	}
> 	if $em0_down {
> 		set-state extif_down
> 	}
> }
>
> state extif_down {
> 	init {
> 		run "echo External interface DOWN @ `date +%H:%M:%S` | mail -s 'External Interface
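The `while true; do date; ifconfig ...` loop quoted above leaves you with a long file of timestamped media/status lines and no summary. The script below is an added example, not something from this thread: it reads that loop output and reports how many carrier outages it contains and the longest one in seconds, which is the number you want when comparing ports, switches or drivers. The sample input is constructed in the shape of the quoted output; it assumes the default date(1) format (the clock is the fourth field) and that no single outage lasts longer than a day.

```shell
#!/bin/sh
# Added example: summarise carrier flaps from the output of
#   while true; do date; ifconfig em0 | grep -e "media:" -e "status:"; sleep 1; done
# Reads that output on stdin and prints "<outages> <longest_outage_seconds>".
# Assumes date(1)'s default "Tue Mar  1 15:52:43 EET 2016" format (clock in
# field 4) and that no outage spans more than 24 hours.
carrier_flaps() {
    awk '
    BEGIN { prev = -1; down_at = -1; outages = 0; longest = 0 }
    function secs(t,  p) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
    # a date(1) line: the following media/status lines belong to this time
    /^[A-Z][a-z][a-z] [A-Z][a-z][a-z] +[0-9]+ [0-9:]+ / { now = secs($4); next }
    /status:/ {
        up = ($0 ~ /active/) ? 1 : 0
        if (prev == 1 && up == 0)                     # carrier lost: outage starts
            down_at = now
        if (prev == 0 && up == 1 && down_at >= 0) {   # carrier back: close it
            d = now - down_at
            if (d < 0) d += 86400                     # outage crossed midnight
            outages++
            if (d > longest) longest = d
            down_at = -1
        }
        prev = up
    }
    END { printf "%d %d\n", outages, longest }
    '
}

# Constructed sample in the shape of the thread output: outages of 2 s, 4 s
# (across midnight) and 3 s.
SAMPLE='Tue Mar  1 15:52:43 EET 2016
        media: Ethernet autoselect (1000baseT full-duplex,master,rxpause,txpause)
        status: active
Tue Mar  1 15:52:44 EET 2016
        media: Ethernet autoselect (none)
        status: no carrier
Tue Mar  1 15:52:45 EET 2016
        media: Ethernet autoselect (none)
        status: no carrier
Tue Mar  1 15:52:46 EET 2016
        media: Ethernet autoselect (1000baseT full-duplex,master,rxpause,txpause)
        status: active
Tue Mar  1 23:59:58 EET 2016
        media: Ethernet autoselect (1000baseT full-duplex,master,rxpause,txpause)
        status: active
Tue Mar  1 23:59:59 EET 2016
        media: Ethernet autoselect (none)
        status: no carrier
Wed Mar  2 00:00:03 EET 2016
        media: Ethernet autoselect (1000baseT full-duplex,master,rxpause,txpause)
        status: active
Wed Mar  2 08:03:17 EET 2016
        media: Ethernet autoselect (1000baseT full-duplex,master,rxpause,txpause)
        status: active
Wed Mar  2 08:03:18 EET 2016
        media: Ethernet autoselect (none)
        status: no carrier
Wed Mar  2 08:03:21 EET 2016
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active'

flaps_in_sample() {
    printf '%s\n' "$SAMPLE" | carrier_flaps
}

flaps_in_sample   # prints "3 4"
```

To use it on the real capture, run `carrier_flaps < mon_if_em0`; with a one-second poll interval the reported durations are only accurate to about a second, so treat a run of "1 1" as noise and a run of 2 s or more at the same moment on two ports (as in the thread) as a real event.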
Re: Newbie question: Proxy for appearing in Sweden for on demand streaming?
Hi all!

My mom lives in Sweden but spends loads of time in Spain. She likes the public service online TV streaming service, which cannot be watched abroad for various reasons. I thought I'd try to set up a proxy of some sort that she could point her iPad to, and appear as if in Sweden while in fact in Spain. I live in Sweden and have a 5.8-stable box handy.

How would I do that? Can relayd help here? What do I need in terms of network setup etc? Any pointers would be appreciated (except flames).

Happy new year!

Andreas

Hi Andreas

I have the same problem while going abroad a lot for work and sometimes with the kids who are hooked on CBBC, and I've set up dynDNS and PPTP/sslVPN. It's easy to use from iPads and windoze/other Mac clients. I found PPTP gives the least problems and CPU overheads on both ends while ignoring the flaws in encryption.

Regards
Torsten
Re: build an openbsd router/modem
A quick question, how do these boards with Intel Atom CPUs cope with gigabit traffic and sslVPN? I love the look of them. I use the Supermicro Intel i3/E3 midi boards with add-on NICs at the moment.

> oh thank u very much, I think it's exactly what I am looking for.

2015-12-22 20:05 GMT+00:00 Joost Runsink:
> Some modem (Draytek comes to mind) allow you to set the modem in
> bridge mode. At that point it is an atm to ethernet converter. Have a
> look at Soekris and Alixboard, used a lot for this exact task.
>
> On Tue, Dec 22, 2015 at 07:32:57PM +, Frank White wrote:
>> Hi,
>> Yes I am sorry, I want to build a small embedded system with openbsd to
>> connect a lan to an adsl line. I want all the devices with openbsd,
>> included the adsl modem. So the embedded system must have one or more
>> ethernet nic and a modem.
>>
>>
>>
>>
>> 2015-12-22 19:08 GMT+00:00 Tati Chevron :
>> > On Tue, Dec 22, 2015 at 06:45:04PM +, Frank White wrote:
>> >>
>> >> I want to build a router/modem with openbsd. My problem is that I don't want
>> >> any kind of linux code around. I don't have any problems to build a
>> >> router, my problem is to have a modem without any linux firmware.
>> >> Anyone know if there are any pure modem to use it ?
>> >> Or any chip I can connect on any "itx or what u want" motherboard ?
>> >
>> >
>> > Can you be more specific about what you are trying to do?
>> >
>> > Are you trying to build a small embedded system using OpenBSD, or
>> > do you want to configure a normal desktop machine to route data
>> > from a, (3g? DSL? Cable internet?), source to other machines on
>> > the LAN?
>> >
>> > --
>> > Tati Chevron
>> > Perl and FORTRAN specialist.
>> > SWABSIT development and migration department.
>> > http://www.swabsit.com
Re: npppd pppx0 VPN Client can access wan but cannot access lan
> I'm running OpenBSD 5.8, npppd, mpath and have tried the same on 5.7 and 5.3.
> npppd works fine and clients can connect using the windows pptp client.
> The Client has the pptp connection set as default gateway and can
> access the internet through the vpn gateway but cannot access the LAN network.
> Traffic arrives on the pppx0 interface but never gets forwarded to the
> LAN ip address.

Can you see the traffic for the LAN on $int_if or the other physical interfaces?

> ## vpn
> pass quick log on pppx
> match out log on $ext1_if from $vpn_net nat-to ($ext1_if)
> match out log on $ext2_if from $vpn_net nat-to ($ext2_if)
> match out log on $int_if from $vpn_net nat-to ($int_if)

First line, "pass quick", becomes the last rule for traffic in/out on the pppx interface since it is "quick". So subsequent rules (including nat) are not applied.

--yasuoka

I'm used to pf on FreeBSD; the problem was not the quick rule. It looks like pf or the kernel on OpenBSD sets a "block all" on any interface not defined in the pf.conf using skip or pass rules, which is a good thing because this closes unintended security holes.

Thanks for your help. The pf.conf below does the trick:

### NAT
## int_net
match out log on $ext1_if from $int_net nat-to ($ext1_if)
match out log on $ext2_if from $int_net nat-to ($ext2_if)
## vpn
match out log on $ext1_if from $vpn_net nat-to ($ext1_if)
match out log on $ext2_if from $vpn_net nat-to ($ext2_if)
match out log on $int_if from $vpn_net nat-to ($int_if)

### FILTER RULES
block drop quick inet6
block log all
pass out log
## allow ping, traceroute and echo
pass in log inet proto icmp all icmp-type $icmp_types
## internal network
pass in log on $int_if
## pass connections to vpn server
pass in log on pppx
pass log proto { gre } from any to any keep state
pass in log on $ext1_if proto tcp from any to $ext1_if port 1723
pass in log on $ext2_if proto tcp from any to $ext2_if port 1723
Re: npppd pppx0 VPN Client can access wan but cannot access lan
Hi

Is there anyone who can help to resolve the problem I have with pppx, tun and tap using npppd and OpenVPN not forwarding traffic to ingress, while egress works fine.

It was my first post to the list and if there is any info or further details required just ask, I would appreciate any help or hints. I know I'm missing something in my config but can't find it.

Thanks
torsten

-Original Message-
From: torsten [mailto:tors...@cnc-london.net]
Sent: 16 December 2015 23:21
To: 'misc@openbsd.org'
Subject: npppd pppx0 VPN Client can access wan but cannot access lan

Hi

I'm running OpenBSD 5.8, npppd, mpath and have tried the same on 5.7 and 5.3. npppd works fine and clients can connect using the windows pptp client. The Client has the pptp connection set as default gateway and can access the internet through the vpn gateway but cannot access the LAN network. Traffic arrives on the pppx0 interface but never gets forwarded to the LAN ip address.

I have been looking and trying for over 2 weeks now and can't figure that one out. Setting everything to pass in pf.conf and only enabling nat - still no result.

Setup:
OpenBSD 5.8 with npppd using pppx0 or tun0 and pf
2 WAN interfaces equal cost routing (net.inet.ip.multipath=1), 1 LAN interface

sysctl.conf
net.inet.ip.forwarding=1
net.inet.ip.multipath=1
net.inet.gre.allow=1
net.pipex.enable=1

npppd.conf:
set max-session 20
set user-max-session 5

authentication LOCAL type local {
	users-file "/etc/npppd/npppd-users"
}

tunnel VPN protocol pptp {
	listen on 0.0.0.0
}

ipcp IPCP {
	pool-address 10.219.219.2-10.219.219.100
	dns-servers 192.168.0.189 192.168.0.19
	nbns-servers 192.168.0.189 192.168.0.19
}

interface pppx0 address 10.219.219.1 ipcp IPCP
bind tunnel from VPN authenticated by LOCAL to pppx0

pf.conf
### NAT
match out log on $ext1_if from $int_net nat-to ($ext1_if)
match out log on $ext2_if from $int_net nat-to ($ext2_if)
## vpn
pass quick log on pppx
match out log on $ext1_if from $vpn_net nat-to ($ext1_if)
match out log on $ext2_if from $vpn_net nat-to ($ext2_if)
match out log on $int_if from $vpn_net nat-to ($int_if)

### FILTER RULES
block log quick inet6
block in log on $ext1_if
block in log on $ext2_if
## allow ping, traceroute and echo
pass in log inet proto icmp all icmp-type $icmp_types
## pass connections to vpn server
pass log proto { gre } from any to any keep state
pass in log on $ext1_if proto tcp from any to $ext1_if port 1723
pass in log on $ext2_if proto tcp from any to $ext2_if port 1723
pass in on enc0 from $vpn_net to $int_net keep state (if-bound)
pass out on enc0 from $int_net to $vpn_net keep state (if-bound)
pass in on pppx from $vpn_net to $int_net keep state (if-bound)
pass out on pppx from $int_net to $vpn_net keep state (if-bound)

netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            a.a.a.113          UGSP       0  1073494     -     8 em0
default            b.b.b.97           UGSP      410294        -     8 em1
10.219.219.1       10.219.219.1       UHl        0        0     -     1 lo0
10.219.219.14      10.219.219.1       UH         0      679     -     8 pppx0
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UHl        1        4 32768     1 lo0
b.b.b.96/28        b.b.b.110          UC         1        0     -     8 em1
b.b.b.97           bc:16:65:34:33:81  UHLc       1        0     -     8 em1
b.b.b.110          00:15:17:48:7b:23  HLl        0        0     -     1 lo0
b.b.b.111          b.b.b.110          UHb        0        0     -     1 em1
192.168.0/22       192.168.0.238      UC         9        0     -     8 em3
192.168.0.4        00:25:90:7c:40:cf  UHLc       0        4     -     8 em3
192.168.0.5        00:30:48:7d:7c:64  UHLc       0        1     -     8 em3
192.168.0.6        00:25:90:3c:30:67  UHLc       0        2     -     8 em3
192.168.0.10       f4:6d:04:29:ea:f7  UHLc       0        4     -     8 em3
192.168.0.19       00:25:90:72:89:1a  UHLc       0     8388     -     8 em3
192.168.0.189      00:30:48:d8:f0:0b  UHLc       0     9661     -     8 em3
192.168.0.238      00:25:90:d0:17:10  HLl        0        0     -     1 lo0
192.168.0.253      00:25:90:af:5d:0a  UHLc       0      154     -     8 em3
192.168.2.167      50:e5:49:e6:c3:3c  UHLc       0     2048     -     8 em3
192.168.3.202      00:25:90:af:5d:0a  UHLc       1     9329     -   L 8 em3
192.168.3.255      192.168.0.238      UHb        0        0     -     1 em3
a.a.a.112/28       a.a.a.126          UC         2        0     -     8 em0
a.a.a.113          00:00:5e:00:01:0c  UHLc       1        0     -     8 em0
a.a.a.116          00:25:90:af:5d:0b  UHLc      234417        -   L 8 em0
a.a.a.126          00:15:17:48:7b:22  HLl        0        0     -     1 lo0
a.a.a.127          a.a.a.126          UH
Re: npppd pppx0 VPN Client can access wan but cannot access lan
On Sat, 19 Dec 2015 01:11:40 - "torsten" <tors...@cnc-london.net> wrote:
> I'm running OpenBSD 5.8, npppd, mpath and have tried the same on 5.7 and 5.3.
> npppd works fine and clients can connect using the windows pptp client.
> The Client has the pptp connection set as default gateway and can
> access the internet through the vpn gateway but cannot access the LAN network.
> Traffic arrives on the pppx0 interface but never gets forwarded to the
> LAN ip address.

Can you see the traffic for the LAN on $int_if or the other physical interfaces?

> ## vpn
> pass quick log on pppx
> match out log on $ext1_if from $vpn_net nat-to ($ext1_if)
> match out log on $ext2_if from $vpn_net nat-to ($ext2_if)
> match out log on $int_if from $vpn_net nat-to ($int_if)

First line, "pass quick", becomes the last rule for traffic in/out on the pppx interface since it is "quick". So subsequent rules (including nat) are not applied.

--yasuoka

I will trace it in the morning, looks promising though.

Thank you for your reply
npppd pppx0 VPN Client can access wan but cannot access lan
Hi

I'm running OpenBSD 5.8, npppd, mpath and have tried the same on 5.7 and 5.3. npppd works fine and clients can connect using the windows pptp client. The Client has the pptp connection set as default gateway and can access the internet through the vpn gateway but cannot access the LAN network. Traffic arrives on the pppx0 interface but never gets forwarded to the LAN ip address.

I have been looking and trying for over 2 weeks now and can't figure that one out. Setting everything to pass in pf.conf and only enabling nat - still no result.

Setup:
OpenBSD 5.8 with npppd using pppx0 or tun0 and pf
2 WAN interfaces equal cost routing (net.inet.ip.multipath=1), 1 LAN interface

sysctl.conf
net.inet.ip.forwarding=1
net.inet.ip.multipath=1
net.inet.gre.allow=1
net.pipex.enable=1

npppd.conf:
set max-session 20
set user-max-session 5

authentication LOCAL type local {
	users-file "/etc/npppd/npppd-users"
}

tunnel VPN protocol pptp {
	listen on 0.0.0.0
}

ipcp IPCP {
	pool-address 10.219.219.2-10.219.219.100
	dns-servers 192.168.0.189 192.168.0.19
	nbns-servers 192.168.0.189 192.168.0.19
}

interface pppx0 address 10.219.219.1 ipcp IPCP
bind tunnel from VPN authenticated by LOCAL to pppx0

pf.conf
### NAT
match out log on $ext1_if from $int_net nat-to ($ext1_if)
match out log on $ext2_if from $int_net nat-to ($ext2_if)
## vpn
pass quick log on pppx
match out log on $ext1_if from $vpn_net nat-to ($ext1_if)
match out log on $ext2_if from $vpn_net nat-to ($ext2_if)
match out log on $int_if from $vpn_net nat-to ($int_if)

### FILTER RULES
block log quick inet6
block in log on $ext1_if
block in log on $ext2_if
## allow ping, traceroute and echo
pass in log inet proto icmp all icmp-type $icmp_types
## pass connections to vpn server
pass log proto { gre } from any to any keep state
pass in log on $ext1_if proto tcp from any to $ext1_if port 1723
pass in log on $ext2_if proto tcp from any to $ext2_if port 1723
pass in on enc0 from $vpn_net to $int_net keep state (if-bound)
pass out on enc0 from $int_net to $vpn_net keep state (if-bound)
pass in on pppx from $vpn_net to $int_net keep state (if-bound)
pass out on pppx from $int_net to $vpn_net keep state (if-bound)

netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            a.a.a.113          UGSP       0  1073494     -     8 em0
default            b.b.b.97           UGSP      410294        -     8 em1
10.219.219.1       10.219.219.1       UHl        0        0     -     1 lo0
10.219.219.14      10.219.219.1       UH         0      679     -     8 pppx0
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UHl        1        4 32768     1 lo0
b.b.b.96/28        b.b.b.110          UC         1        0     -     8 em1
b.b.b.97           bc:16:65:34:33:81  UHLc       1        0     -     8 em1
b.b.b.110          00:15:17:48:7b:23  HLl        0        0     -     1 lo0
b.b.b.111          b.b.b.110          UHb        0        0     -     1 em1
192.168.0/22       192.168.0.238      UC         9        0     -     8 em3
192.168.0.4        00:25:90:7c:40:cf  UHLc       0        4     -     8 em3
192.168.0.5        00:30:48:7d:7c:64  UHLc       0        1     -     8 em3
192.168.0.6        00:25:90:3c:30:67  UHLc       0        2     -     8 em3
192.168.0.10       f4:6d:04:29:ea:f7  UHLc       0        4     -     8 em3
192.168.0.19       00:25:90:72:89:1a  UHLc       0     8388     -     8 em3
192.168.0.189      00:30:48:d8:f0:0b  UHLc       0     9661     -     8 em3
192.168.0.238      00:25:90:d0:17:10  HLl        0        0     -     1 lo0
192.168.0.253      00:25:90:af:5d:0a  UHLc       0      154     -     8 em3
192.168.2.167      50:e5:49:e6:c3:3c  UHLc       0     2048     -     8 em3
192.168.3.202      00:25:90:af:5d:0a  UHLc       1     9329     -   L 8 em3
192.168.3.255      192.168.0.238      UHb        0        0     -     1 em3
a.a.a.112/28       a.a.a.126          UC         2        0     -     8 em0
a.a.a.113          00:00:5e:00:01:0c  UHLc       1        0     -     8 em0
a.a.a.116          00:25:90:af:5d:0b  UHLc      234417        -   L 8 em0
a.a.a.126          00:15:17:48:7b:22  HLl        0        0     -     1 lo0
a.a.a.127          a.a.a.126          UHb        0        0     -     1 em0
224/4              127.0.0.1          URS        0        0 32768     8 lo0
multiple certificates in httpd
Hi!

man httpd.conf says:

[tls option] "Set the TLS configuration for the server."

I assumed that "the server" would mean that every (virtual) server can have its own tls options (and certificates). Otherwise it would have said "Set the TLS configuration for httpd and all virtual servers." Is that wrong? Can I only have ONE key and ONE cert and the cert must be a multi domain certificate?

I tried this:

ext_addr="*"
prefork 3

server "domaina.com" {
	alias "www.domaina.com"
	listen on $ext_addr tls port 443
	tls dhe "auto"
	root "/htdocs/domaina"
}

server "domainb.com" {
	alias "www.domainb.com"
	listen on $ext_addr tls port 443
	tls dhe "auto"
	tls certificate "/etc/ssl/domainb.crt"
	tls key "/etc/ssl/private/domainb.key"
	root "/htdocs/domainb"
}

You see in domaina.com there is no certificate specification. According to the documentation the default values should be used. And they are. On OpenBSD 5.7 I get the cert from the default files when I try to access https://www.domaina.com

On OpenBSD 5.7 I also get the certificate for domaina when I access domainb.com, which results in a certificate error.

On OpenBSD 5.8 it's the other way round: when accessing domainb the browser reports the correct certificate. When accessing domaina I get the certificate of domainb (and the corresponding cert error).

I started httpd -d on OpenBSD 5.7 to check the output and found that the messages

server_tls_load_keypair: using certificate /etc/ssl/cert.pem
server_tls_load_keypair: using private key /etc/ssl/private/server.key

only appear for those two files. So httpd obviously does not read the other certificates.

T.
Re: httpd, SlowCGI, POST_MAX and 413 Payload Too Large
Check the httpd.conf(5) man page for max request body, which defaults to 1M.

Thx, got it.
Re: httpd client certificate authentication in OpenBSD5.8
| Will httpd in OpenBSD 5.8 support client certificates

At least not until LibreSSL's libtls supports it. See https://github.com/reyk/httpd/issues/23

Thanks for the hint! For my purpose Client Cert authentication is mandatory and therefore I'm desperate. But now I have hope!

Reyk wrote:

Once libtls supports things like SNI or client certificates with an easy-to-use interface, we can review such features.

On 21 August 2015, so just a couple of days ago, markokr submitted a patch to libressl-portable which added this feature: https://github.com/libressl-portable/openbsd/pull/41

So there is hope that this will become available in the (near?) future. However, probably not in OpenBSD 5.8

T.
httpd client certificate authentication in OpenBSD5.8
Hi!

Will httpd in OpenBSD 5.8 support client certificates for authentication? It was announced (see http://www.openbsd.org/papers/httpd-slides-asiabsdcon2015.pdf) but http://www.openbsd.org/58.html does not mention it.

T.
httpd, SlowCGI, POST_MAX and 413 Payload Too Large
Hi!

OpenBSD 5.7, httpd, slowcgi

upload.pl CGI:
# [...]
$CGI::POST_MAX = 1024 * 1024 * 20; #20MB
# [...]

But when I try to upload a file I get 413 Payload Too Large if the file is larger than 1MB.

Help will be appreciated!

T.
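Added here as an illustration, not code from the thread: the httpd.conf(5) setting the follow-up in this thread refers to. httpd enforces its own request-body limit before the request is ever handed to slowcgi, so a larger $CGI::POST_MAX in the script cannot raise it; only the server side can. The server name, paths and the 20 MB value are constructed for the example.

```conf
server "www.domain.tld" {
	listen on * tls port 443

	# httpd's own cap on the request body, in bytes (default 1048576, i.e. 1M).
	# A POST larger than this is answered with 413 Payload Too Large before
	# slowcgi is involved, whatever $CGI::POST_MAX says.
	# 20971520 = 20 * 1024 * 1024 (constructed value matching the script above).
	connection max request body 20971520

	location "/cgi-bin/*" {
		fastcgi
		root "/"
	}
	root "/htdocs/www.domain.tld"
}
```

The 1M default is a useful resource limit, so raise it only on the server that actually accepts uploads and keep the default everywhere else; `httpd -n` checks the file before you reload.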
Re: fastcgi (without slowcgi)
Paul, thank you so much for taking the time to write such a detailed answer.

> script needs to be able to create a file in its /run directory

Thanks to your hints I might have been able to narrow it down a bit, but I'm still not there.

The fastcgi directive from httpd.conf defaults to /run/slowcgi.sock (http://www.openbsd.org/papers/httpd-asiabsdcon2015.pdf). So I removed the socket file which might be there from previous starts of slowcgi:

# rm /var/run/slowcgi.sock

I tried this to tell perl which socket to use:

# cat cgi-bin/fcgi.fcgi
##
#!/usr/bin/perl
use FCGI;

my $socket = FCGI::OpenSocket( "/run/slowcgi.sock", 5 );
my $request = FCGI::Request( \*STDIN, \*STDOUT, \*STDERR, \%ENV, $socket );
my $count;
while( $request->Accept() >= 0 ) {
	print "Content-type: text/html\r\n\r\n";
	print ++$count;
}
FCGI::CloseSocket( $socket );
##

# rcctl start httpd
httpd(ok)

I still get 500 Internal Server Error but:

# ls -ld /var/www/run/slowcgi.sock
ls: /var/www/run/slowcgi.sock: No such file or directory

So the socket file is not being created when the script was started from httpd.

Now I try to start the very same script without any change, but instead of letting httpd start the script, I will start it manually, using the (presumably) same credentials:

# chroot -g www -u www /var/www /cgi-bin/fcgi.fcgi

The script does not return, which is probably because of the while loop waiting for a new connection. However, in a second shell I can see that this time the socket was created:

# ls -ld /var/www/run/slowcgi.sock
srwxr-xr-x 1 www www 0 May 24 13:46 /var/www/run/slowcgi.sock

Can anyone explain this to me? How is httpd starting the script in a different way than I do with that chroot command?

Help will be appreciated!

Regards,
T.
Re: fastcgi (without slowcgi)
Paul, thanks a lot again!

I got something working but I don't have the time today to do further tests. Just wanted you to know that thanks to your help (and the help of another friend of mine who brought me OpenBSD 13 years ago) I think I know what my mistake was and what needed to be done.

I'll post a brief description of what I did to get it working in the next days to get this into the archives.

Regards,
T.
fastcgi (without slowcgi)
Hi!

I am trying to use fastcgi in OpenBSD 5.7 httpd but keep getting 500 Internal Server Error.

httpd.conf:
##
ext_addr="*"

server "www.domain.com" {
	listen on $ext_addr tls port 443
	tls dhe "auto"
	connection { max requests 500, timeout 3600 }
	location "/cgi-bin/*" {
		fastcgi socket "/run/fcgi.socket"
		root "/"
	}
	root "/htdocs/www.domain.com"
}
##

/var/www/cgi-bin/fcgi-test.cgi:
##
#!/usr/bin/perl
use CGI::Fast;

$ENV{FCGI_SOCKET_PATH} = "/run/fcgi.socket";
$ENV{FCGI_LISTEN_QUEUE} = 100;

my $cnt = 0;
while (my $q = new CGI::Fast) {
	print "Content-type: text/html\r\n\r\n";
	print "<head>\n<title>FastCGI Demo Page (perl)</title>\n</head>\n";
	print "<h1>FastCGI Demo Page (perl)</h1>\n";
	print "This is coming from a FastCGI server.\n<BR>\n";
	$cnt++;
	print "This is connection number $cnt\n";
}
##

I was able to start a simple cgi (print "hello world\n";) by using slowcgi so I believe my perl environment in chroot is more or less OK. Also the script itself seems to be OK:

# chroot /var/www /usr/bin/perl -c /cgi-bin/fcgi2.cgi
/cgi-bin/fcgi2.cgi syntax OK

Things that might be part of the problem:

- No socket file /run/fcgi.socket is being created when I start httpd.
- Nothing was ever written to /var/www/logs/error.log, not even when I tried to start httpd with a bogus httpd.conf. However, /var/www/logs/access.log has logs from access to static html.

Any hints about where to find out more about the 500 Internal Server Error? I have no more hints to follow and I could not find one single example of a working httpd.conf along with a perl fastcgi example on the web. All discussions seem to explain how to use cgi with slowcgi instead. But that's not what I'm looking for.

Thanks in advance!

T.
pf: multiple reply-to rules; could it be done more simple?
Dear List,

my network is connected to the internet by three different DSL connections. At connection my ISP always provides the same IP addresses, so that they are effectively configured with a fixed IP address each. These connections are managed by my external firewall. Outbound traffic is load balanced via round robin on the three mpath default routes.

Since I run several services on my system (e.g. openvpn, which is actually served by my internal firewall), I have to ensure that inbound traffic will be returned to exactly that connection the request came from. This is done by the following pf rules (openvpn handling as an example among others):

#---
ext_if0 = tun0
ext_if1 = tun1
ext_if2 = tun2
int_fw = # my internal firewall's address
...
pass in quick on $ext_if0 proto udp from any to any port 1194 \
	rdr-to $int_fw port 1194 reply-to ( $ext_if0 $ext_if0:peer )
pass in quick on $ext_if1 proto udp from any to any port 1194 \
	rdr-to $int_fw port 1194 reply-to ( $ext_if1 $ext_if1:peer )
pass in quick on $ext_if2 proto udp from any to any port 1194 \
	rdr-to $int_fw port 1194 reply-to ( $ext_if2 $ext_if2:peer )
#---

May there be any trick that avoids this rule definition for each connection? I am trying to get the rules simpler and am also looking for a rule that is independent of the actual connection state (if one of the connections is broken, pfctl complains about an unreachable peer of course). Has anyone tried something like this using pf anchors?

Thank you for advice and thanks to the openbsd Team for their great work!

Torsten

--
Dr.-Ing. Torsten Finke
torsten.fi...@igh-essen.com
Tel.: +49 201 / 36014-17

Ingenieurgemeinschaft IgH
Gesellschaft für Ingenieurleistungen mbH
Heinz-Bäcker-Str. 34
D-45356 Essen

Amtsgericht Essen HRB 11500
USt-Id.-Nr.: DE 174 626 722
Geschäftsführung:
- Dr.-Ing. T. Finke,
- Dr.-Ing. W. Hagemeister
Tel.: +49 201 / 360-14-0
http://www.igh-essen.com
GnuPG-Key: 1024D/8F2300D8
Fingerprint: B929 7FA5 4D2E E9B6 C55C 8A0B 7DF4 86E9 8F23 00D8
Defining two vpn's in ipsec.conf wich different crypto
hi,

I've set up a roadwarrior ipsec/l2tp (undeadly guide) that worked fine until I made some new rules in ipsec.conf in order to get a vpn-connection to a FreeBSD machine to work. My ipsec.conf looks like this. When connecting from a roadwarrior IP it still goes to the crypto that is supposed to be for the obsd-fbsd connection. Is it possible to have two different crypto definitions like this?

# cat /etc/ipsec.conf
# macros
#
ext_if = em0
local_net = 10.11.12.0/24
remote_gw = 85.23.19.11
remote_nets = 192.168.1.0/24

#win7 android etc.
ike passive esp transport \
	proto udp from 98.10.x.x to any port 1701 \
	main auth hmac-sha1 enc 3des group modp2048 \
	quick auth hmac-sha1 enc aes \
	psk lamas

#obsd-freebsd
ike esp from $local_net to $remote_nets peer $remote_gw \
	main auth hmac-sha1 enc aes-256 group modp2048 \
	quick auth hmac-sha2-256 enc aes-256 group modp2048

best regards
remotely provide entropy
Hi!

I have a couple of machines that run as VMs and are lacking good entropy data. I was wondering if there is a way of feeding the local random number pool of a VM with entropy that was generated on a hardware random number generator on a physical machine. I thought the hardware random number generator could constantly fill up its own pool and whenever a VM needs entropy, it could connect to the hardware, retrieve some randomness (fill up its own random number pool). I can set up the hardware random number generator but I don't know how to fill OpenBSD's own entropy data stack. It's not as easy as "cat randomnumbersfile > /dev/random", is it?

Thanks in advance!
T.
Re: Multiple ISP-connections/Routing/Packet filtering
Dear Ken,

On Thu, Jan 12, 2012 at 01:05:10PM -0500, Kenneth Gober wrote:
> On Tue, Jan 10, 2012 at 1:41 PM, Dr.-Ing. Torsten Finke torsten.fi...@igh-essen.com wrote:
>> On my firewall I have TWO different internet connections. It is simple to forward - for instance ssh - from both connections to an internal machine. Now this machine answers and the firewall sends the reply back. How can I force the firewall to send the reply over exactly that interface the request came in? The problem is that the client anywhere on the internet expects the answer from the very address it had contacted. If now the reply comes from another address, it will get lost.
>
> I am doing this using OpenBSD 4.6, without any apparent problems, using the following syntax:
>
>   pass in log quick on $pri inet proto tcp to ($pri) port 1194
>   pass in log quick on $sec reply-to $sec inet proto tcp to ($sec) port 1194

great! I thought it to be this simple. May I ask about your routing? For this to work I consider you should have multipath routing. You call your interfaces $pri and $sec. Are they configured differently? The pf.conf(5) man page says that reply-to is useful only in rules that create state. Do you manage state by some other rule before?

> Unfortunately, the pf.conf syntax has changed since v4.6 and while I do plan to upgrade my own firewall to v5.0 (I've bought the CD already) I haven't yet had time to perform the upgrade. As a result, I haven't worked out what the equivalent 'modern' syntax would be, but you might be able to get some hints from what I'm using in v4.6.

Yes! Concerning syntax I did some tests. The following rule is syntactically correct (in the sense that it is accepted by pf, at least on 4.8):

  pass in on $vpn_if inet proto udp from any to any port 1194 \
      keep state reply-to ( $vpn_if $vpn_if:peer )

I think this can be done simpler. Thanks a lot for your advice

Torsten

> -ken

--
Dr.-Ing. Torsten Finke torsten.fi...@igh-essen.com
Tel.: +49 201 / 36014-17
Ingenieurgemeinschaft IgH Gesellschaft für Ingenieurleistungen mbH
Heinz-Bäcker-Str. 34
D-45356 Essen
Amtsgericht Essen HRB 11500
USt-Id.-Nr.: DE 174 626 722
Geschäftsführung:
- Dr.-Ing. S. Rotthäuser,
- Dr.-Ing. T. Finke,
- Dr.-Ing. W. Hagemeister
Tel.: +49 201 / 360-14-0
http://www.igh-essen.com
Re: Multiple ISP-connections/Routing/Packet filtering
Hello Russell,

On Wed, Jan 11, 2012 at 07:46:59AM -0500, Russell Garrison wrote:
> Have you considered routing domains?

no I have not. According to your hint I started to study their concept, but have not found a description that would meet my situation.

Thanks for your idea and best regards
Torsten

> On Tue, Jan 10, 2012 at 1:41 PM, Dr.-Ing. Torsten Finke torsten.fi...@igh-essen.com wrote:
>> Hello Jorge,
>>
>>> I read again your mail and now i'm lost ! You Wrote:
>>>> How can I force my Extl. FW to reply on exactly the same interface it had been requested on? For example I am running OpenVPN(1194/UDP) between my HomeOffice (Z=Client) and the Intl. FW(=Server). Alike I would appreciate SSH-portforwarding from Internet to the Intl. FW.
>>> SSH port forwarding from internet to Internal server is something like :
>>>
>>>   ext_if=vr0
>>>   ext_ip=1.2.3.4
>>>   Spvt= 4.5.6.7
>>>   match in on $ext_if proto tcp from any to $ext_ip port 22 rdr-to $Spvt
>>>   pass in on $ext_if proto tcp from any to $Spvt port 22
>>>   pass out on $int_if proto tcp from any to $Spvt port 22
>>>
>>> The above line redirects all traffic coming from any place in internet to my external IP ( 1.2.3.4) to the server 4.5.6.7 which is located in my internal lan, in other words the packet comes in on external interface , goes out on internal interface .. This works on OpenBSD 4.8 or newer ! Is this what you need ?
>>
>> no. Obviously I have not explained clearly what my problem is. On my firewall I have TWO different internet connections. It is simple to forward - for instance ssh - from both connections to an internal machine. Now this machine answers and the firewall sends the reply back. How can I force the firewall to send the reply over exactly that interface the request came in? The problem is that the client anywhere on the internet expects the answer from the very address it had contacted. If now the reply comes from another address, it will get lost.
>>
>> Best regards
>> Torsten
>>
>>> On Tue, Jan 10, 2012 at 10:46 AM, Dr.-Ing. Torsten Finke torsten.fi...@igh-essen.com wrote:
>>>> Hello Jorge,
>>>>
>>>>> If i understood you well, the answer to your question is here !
>>>>> http://www.openbsd.org/faq/pf/pools.html
>>>>> Under the section Load Balancing outgoing traffic, or take a look at:
>>>>> http://www.openbsd.org/faq/faq6.html#Multipath
>>>>> There are good examples there ! I hope this can help !
>>>>
>>>> thank you for this. The FAQ on pools has nice examples but none of them really faces my problem. It discusses load balancing of incoming traffic to several servers as well as load balancing of outgoing traffic. I cannot figure out how to dispatch replies to incoming requests over different connections. The FAQ on multipath has helped me very well to set up multiple default routes - this works very well.
>>>>
>>>> Best regards
>>>> Torsten
>>>>
>>>>>> Dear List,
>>>>>>
>>>>>> Here I show my network topology. Maybe it seems quite typical. My internal network is located behind an Intl/Extl Firewall which is connected to the Internet(IN) via pppoe/ppp(8). On the other side I run different systems, for instance a home office network, a mobile laptop, and several customers.
>>>>>>
>>>>>> [ASCII diagram, garbled in the archive: PCs A and B on the internal LAN (LAN/int) behind the Intl FW; a DMZ between the Intl FW and the Extl FW (OpenBSD 4.8); the Extl FW reaches the Internet (IN) through two DSL modems on rl0/tun0 and rl1/tun1, each via pppoe/ppp(8); on the far side a GW with PC Z (HomeOffice), a Customer network and a Mobile host.]
>>>>>>
>>>>>> My question is about the setup of routing and packet filtering on the External Firewall: How can I force my Extl. FW to reply on exactly the same interface it had been requested on? For example I am running OpenVPN(1194/UDP) between my HomeOffice (Z=Client) and the Intl. FW(=Server). Alike I would appreciate SSH-portforwarding from Internet to the Intl. FW.
>>>>>>
>>>>>> I tried using route-to and reply-to, but that did not work - PF.CONF(5
Multiple ISP-connections/Routing/Packet filtering
Dear List,

Here I show my network topology. Maybe it seems quite typical. My internal network is located behind an Intl/Extl Firewall which is connected to the Internet(IN) via pppoe/ppp(8). On the other side I run different systems, for instance a home office network, a mobile laptop, and several customers.

  [ASCII diagram, garbled in the archive: PCs A and B on the internal LAN (LAN/int) behind the Intl FW; a DMZ between the Intl FW and the Extl FW (OpenBSD 4.8); the Extl FW reaches the Internet (IN) through two DSL modems on rl0/tun0 and rl1/tun1, each via pppoe/ppp(8); on the far side a GW with PC Z (HomeOffice), a Customer network and a Mobile host.]

My question is about the setup of routing and packet filtering on the External Firewall: How can I force my Extl. FW to reply on exactly the same interface it had been requested on? For example I am running OpenVPN(1194/UDP) between my HomeOffice (Z=Client) and the Intl. FW(=Server). Alike I would appreciate SSH-portforwarding from Internet to the Intl. FW.

I tried using route-to and reply-to, but that did not work - PF.CONF(5) says this should do, but I could not figure out how. I did not understand how route-to and reply-to actually work (could not find any explanation, though I have tried hard to search for one). Everything else (NAT, outbound load balancing, filtering) works just fine.

My routing is:

  default   XXX.X.XX.XXX   UGSP   2   101853   -   8   tun0
  default   XXX.X.XX.XXX   UGSP   0      988   -   8   tun1

I manage my multipath routes (net.inet.ip.multipath=1) via

  - ppp.linkup:
      MYADDR:
        shell route add -mpath default HISADDR
  - ppp.linkdown:
      MYADDR:
        shell route delete -mpath default HISADDR

What I tried in pf.conf is:

  pass in on tun0 all keep state reply-to ( tun0 tun0:peer )
  pass in on tun1 all keep state reply-to ( tun1 tun1:peer )

Asking PF statistics (pfctl -v -s rules) shows that no packet has been handled by those reply-to rules.

Since I consider PF a brilliant concept I would really appreciate any hint that would help. Thanks to all OpenBSD developers for their great work and thanks for any advice.

Best regards
Torsten
--
Torsten Finke f...@igh-essen.com
Re: Multiple ISP-connections/Routing/Packet filtering
Hello Jorge,

> If i understood you well, the answer to your question is here !
> http://www.openbsd.org/faq/pf/pools.html
> Under the section Load Balancing outgoing traffic, or take a look at:
> http://www.openbsd.org/faq/faq6.html#Multipath
> There are good examples there ! I hope this can help !

thank you for this. The FAQ on pools has nice examples but none of them really faces my problem. It discusses load balancing of incoming traffic to several servers as well as load balancing of outgoing traffic. I cannot figure out how to dispatch replies to incoming requests over different connections. The FAQ on multipath has helped me very well to set up multiple default routes - this works very well.

Best regards
Torsten

>> Dear List,
>> Here I show my network topology. [...]
>> Best regards
>> Torsten
>> --
>> Torsten Finke f...@igh-essen.com
>
> --
> Cordialmente,
> 00110111 00111011

--
Torsten Finke f...@igh-essen.com
Re: Multiple ISP-connections/Routing/Packet filtering
Hello Jorge,

> I read again your mail and now i'm lost ! You Wrote:
>> How can I force my Extl. FW to reply on exactly the same interface it had been requested on? For example I am running OpenVPN(1194/UDP) between my HomeOffice (Z=Client) and the Intl. FW(=Server). Alike I would appreciate SSH-portforwarding from Internet to the Intl. FW.
> SSH port forwarding from internet to Internal server is something like :
>
>   ext_if=vr0
>   ext_ip=1.2.3.4
>   Spvt= 4.5.6.7
>   match in on $ext_if proto tcp from any to $ext_ip port 22 rdr-to $Spvt
>   pass in on $ext_if proto tcp from any to $Spvt port 22
>   pass out on $int_if proto tcp from any to $Spvt port 22
>
> The above line redirects all traffic coming from any place in internet to my external IP ( 1.2.3.4) to the server 4.5.6.7 which is located in my internal lan, in other words the packet comes in on external interface , goes out on internal interface .. This works on OpenBSD 4.8 or newer ! Is this what you need ?

no. Obviously I have not explained clearly what my problem is. On my firewall I have TWO different internet connections. It is simple to forward - for instance ssh - from both connections to an internal machine. Now this machine answers and the firewall sends the reply back. How can I force the firewall to send the reply over exactly that interface the request came in? The problem is that the client anywhere on the internet expects the answer from the very address it had contacted. If now the reply comes from another address, it will get lost.

Best regards
Torsten

> On Tue, Jan 10, 2012 at 10:46 AM, Dr.-Ing. Torsten Finke torsten.fi...@igh-essen.com wrote:
>> Hello Jorge,
>> [...]
>> Best regards
>> Torsten
>>
>>>> Dear List,
>>>> Here I show my network topology. [...]
Re: how to find dependencies when building a new kernel
> dmesg is the lazy way to get this info, the same info is written to /var/log/messages during boot. Are you saying your system is so stripped down you don't even log anything?

Yep. And because the only persistent memory is Flash (32MB, which quickly dies if you permanently write to it), the whole system runs inside a RAMDISK only. And there is no terminal or ssh. Modifying the system means setting up a new system with a modified /sbin/init each time.

Hard to believe, I know, but what people do with OpenBSD is sometimes quite different from what you know from usual systems. I said it's embedded stuff. I said hardware cannot be changed. I said I cannot easily provide this info. There certainly is a way, but it's not worth the effort.

I can provide a dmesg from a virtual machine that we use for testing purposes, but obviously that's not the same as the system that the kernel is going to be running on later in the production environment. But, hey, yet, I haven't been able to compile the kernel on this testing machine, either.

I explain this so elaborately because I know I'd otherwise get replies like: "What did you tell us about having little memory and such, this is a usual virtual machine and therefore you've got no need to use a custom kernel..." ;-) You know what I mean...

My goal is to have kernel config files that will do on both the virtual machine for testing and the production environment. Being able to compile a custom kernel on this VM would be a good first step. From there on I could add the drivers I need on the production machine and that way get closer to a final solution... I'm very curious how dmesg will help...
Re: how to find dependencies when building a new kernel
> Would you be able to use TFTP to try booting test kernels off a remote machine?

Nope. I try every attempt with a hardware flash drive which I generate for that test machine. But I've got to get the kernel basically running on my test VM, then another not that damn small hardware. Once this is working, I just need to add one more network driver or so and that should be it. At least it worked for me in the past.
Re: how to find dependencies when building a new kernel
> welcome to the ignore list of many developers. You aren't even following directions on how to hurt yourself properly without wasting people's time.

I always found that people waste my time when they write explanations and tons of bla bla that does not have to do with the issue itself, instead of just writing about what the problem really is. Because of the permanent repeating of "USE THE GENERIC KERNEL" instead of answering any questions that have to do with my problem:

Total available disk space on the target system: 32MB. The GENERIC Kernel of OpenBSD 5.0 is 8MB. I really do a lot to save every bit I can. I delete all programs that are not constantly needed from disk and compress seldom used programs and have wrappers that unzip these compressed in case they are needed. And so on. I don't want to bore you with details, but just take this: I need it and ... I probably have a lesser machine in production. I'd go for that bet! And pllleeaeee don't come up now with "use different hardware"!!! There are hundreds of things to think about when it comes to the hardware you'd be using for a certain purpose. And please don't make me explain why exactly this hardware is needed for this purpose.

I've got all that running perfectly since OpenBSD 3.5. I've used custom kernels with success ever since, but always spending a lot of time fiddling with which driver to use and which to get rid of. Now I'd like to find a more convenient way to generally solve this issue. If you guys say that there is no convenient way of solving this problem but to really dig into this and completely understand the architecture - then I still believe that I'll find a working config by fiddling around and trying this and that until I succeed. I just hoped I'd get a hint how to ease this process.

T.
Which drivers are required for proper system functioning? (was: how to find dependencies when building a new kernel)
> So why don't you show us the dmesg of the most recent kernel that worked for you?

Because I don't see what that has to do with the issue. I'm not looking for that one line that's missing in my current config files. I'm not hoping for someone to tell me that I should include line #5 and then it will work. Instead I was hoping to learn a way how to find out myself which lines must be included (and which in my case don't need to). Quite what Andres Perera explained in his first reply. Just that Andres' explanation obviously cannot be the complete answer or at least I didn't fully understand it.

To really get a minimal kernel, I'm going bottom up, not top down. I'm not deleting lines from GENERIC but I'm copying lines from GENERIC to an empty file. So there is no "go back one step to where it worked the last time". Though it might be a lot of work, there must be a solution to this issue.

> The npx driver is required for proper system functioning regardless of whether or not an NPX is present. so there's no 1:1 mapping between the devices you have and the ones you may need included in the kernel config. could potentially apply to other drivers, so why waste time figuring out which ones fall under this category and which ones don't?

To me it seems like this is the real question that I'm facing: To which drivers does this apply?

Anyway, thanks to you all for your patience and attempts to help. Also please understand that it will not help if I explained why there is no way to use GENERIC and why the hardware cannot be changed. That would be a long story which in the end would lead to nothing... except wasting time.
Re: Thanks Jacek Artymiak: Book PDF's
Mark Smith wrote:
> On Thu, Apr 15, 2010 at 5:10 PM, Bill Dunshie gho...@suddenlink.net wrote:
>> A huge Thanks to Jacek Artymiak for the PDF's of "Building Firewalls with OpenBSD and PF, 3rd ed." and "The OpenBSD Command-Line Companion". The wait was worth it !!!
> Link or didn't happen.

@mark: sorry for the pm

http://www.devguide.net/books/bfwoap3

but there is no contact with jacek artymiak, i've paid for the pdf and didn't get the book. thanks paypal, i've got my money back while jacek or devguide.net (it's jacek, too) didn't reply to my mails. so i will not buy this record, because it's scratched.

german (translated): "ATTENTION: Contact with the publisher is currently completely broken off. Therefore we unfortunately cannot currently determine whether and when this book is to be published." http://www.lob.de/cgi-bin/work/framesetneu?flag=newframe=yesid=4bd15dfd6b119
Re: Hardware recommendation for firewalls (more than 4 NICs)
On Fri, Jul 11, 2008 at 11:47 PM, Martín Coco [EMAIL PROTECTED] wrote:
> Hi misc,
>
> I'm currently looking for hardware alternatives for firewalls that should have more than four NICs. Currently we are buying R200s from Dell, but we have the 4 NIC limitation. We could tell Dell to install a quad port NIC (in addition to the two-port onboard card), but I haven't read good things about the way they work. I've also looked into soekris, but they don't seem to have enough CPU for what we want (this is pure speculation) as we also have intense IPSec traffic on some of these firewalls (I've seen that some of them could have encryption boards added to increase performance, but I don't know if it works for any kind of protocol, or at what rate).
>
> In any case, what I would like to have is firewalls with multiple NICs (at least 6 NICs) *and* sufficient CPU to let IPSec work alright at least at ~50Mbps (internal backbone firewalls). The multiple NICs are to use trunk, pfsync, real network interfaces, etc.
>
> Thanks,
> Martín.

We run a pair of dell 1950s and have been generally happy with them. We run one dual port intel card and the two built-in ports, no problem pushing about 400mbit. The intel cards have worked ok for us for years now in various versions. You can configure the box with two dual nics or two quad nics on the dell web.
Re: Hardware recommendation for firewalls (more than 4 NICs)
Never done the quad in my machines. I haven't heard anyone getting fired over it either though. A quick check on dells web indicates you have two pci-e slots in those r200s, why not get two dual nics.

On Mon, Jul 14, 2008 at 8:28 PM, Martín Coco [EMAIL PROTECTED] wrote:
> Thanks! Have you tried the quad nics on those Dells? We do have a couple of R200s, 860s and 850s running with 2 dual port cards no problem, but we have never tried the quad ports.
>
> Torsten Frost wrote:
>> On Fri, Jul 11, 2008 at 11:47 PM, Martín Coco [EMAIL PROTECTED] wrote:
>>> Hi misc, [...]
>> We run a pair of dell 1950s and have been generally happy with them. [...]
Re: scsi disk i/o hanging 4.3 system
I have a few machines with the same behavior. The boxes run fine unless you tax them with things like unpacking ports, du on a large tree or dd'ing some /dev/zero to disk. The 1950 can route 400mbit ethernet with no problems for weeks if you don't mess with the disks, so I guess the hardware is reasonably unbroken. Broken hardware or some driver/chipset issue?

Dell 1950 with a PERC5 raid1 SATA 160gb mirror. 4.2-RELEASE
A 300mb dd write makes an unkillable process. Outputs a few "sd0: not queued, error 5" lines. Recently flashed the card to the latest firmware. Behaves somewhat better. Happens with a single drive too. Needs rebooting to be able to write to the drive after it has started to behave.

Takes forever to unpack ports.tar.gz, I aborted the unpacking after 20 minutes and about 100mb unpacked. Is at least stable, doesn't die, just writes to the disk really slow. Like previous poster, unkillable processes and weird behaviour. Needs rebooting to be able to write to the drive after it has started to behave.
-
Dell 1750 scsi
Our two 1750 scsi boxes work well though. Doesn't seem to crash from dd.
-
Re: scsi disk i/o hanging 4.3 system
I guess the previous message got garbled somehow.

Dell 1950 with a PERC5 raid1 SATA 160gb mirror. 4.2-RELEASE
A 300mb dd write makes an unkillable process. Outputs a few "sd0: not queued, error 5" lines. Recently flashed the card to the latest firmware. Behaves somewhat better. Happens with a single drive too. Needs rebooting to be able to write to the drive after it has started to behave.

Takes forever to unpack ports.tar.gz, I aborted the unpacking after 20 minutes and about 100mb unpacked. Is at least stable, doesn't die, just writes to the disk really slow. Like previous poster, unkillable processes and weird behaviour. Needs rebooting to be able to write to the drive after it has started to behave.
-
Dell 1750 scsi
Our two 1750 scsi boxes work well though. Doesn't seem to crash from dd.
-
Solved: cron - setusercontext failed for root
>> The system is VERY much stripped down to the absolute necessary files only.
> Then it's no longer OpenBSD

It can be discussed if an OS where I delete certain files cannot be called by its original name anymore. Anyway, I found that cron needs /etc/login.conf though that file is not mentioned in any documentation.
Re: Solved: cron - setusercontext failed for root
> Are you serious? You break things by removing an essential, documented file and then complain?

It's obvious that I must be dumb. I wasn't smart enough to find out that running a program by schedule (which cron does) _must_ have something to do with the _login_ process, which login.conf is obviously related to!!! As if that wasn't obvious!!! ;-) Stupid as I am I thought that documentation of cron would point to the files that cron relies upon. Or at least, if it finds a file missing, it would tell me which one it is. Stupid me! ;-)

> Please stop wasting our time.

And after not finding a solution by reading documentation and trying all sorts of debugging options, I was so stupid to ask this ML if someone has an idea which files cron would need. I'm so sorry to have wasted your precious time! Again: stupid me! I apologize.

Anyway, I'm glad Stuart Henson was kind enough to point an obvious idiot like me also to setusercontext(3), which finally led me to find cron is missing login.conf. @Stu: Thx a lot!
Re: Solved: cron - setusercontext failed for root
If you start breaking stuff by removing files without the knowledge how things work, you should expect harsh treatment from this list. What's next, somebody complaining he cannot login because he removed the passwd file? Without any irony: I'm sorry if I didn't make things clear enough! The problem here is that you understood I'd be complaining, which I really wasn't! I was just asking! And I still think I asked questions that are somewhat valid, though I must admit, not in normal situations. My project is an embedded system which has certain requirements that are not met in a normal setup. So, yes, there may come up very special requirements where I could even imagine that /etc/passwd must be removed (not that I'm about to do that). I don't see why it shouldn't be valid to ask which files a certain program relies upon. Anyway: I got you.
Re: Solved: cron - setusercontext failed for root
Yes, it is *totally* obvious if you actually know what you're doing. Well, I didn't say I know exactly what I'm doing. If everybody always knew exactly what they're doing, this ML would be obsolete, wouldn't it? Thanks a lot for your explanations (no irony! I've learned from it!)!!! That helps me ask less stupid questions in the future. You don't have to know about it, but if you start deleting Well I didn't tell yet, the idea is the other way round. I build up this embedded system from scratch by putting the files that I need together, not by deleting files from a full install. So I didn't delete anything, I just didn't copy enough files together. That's not stupid at all, it's a design question. The design is as minimalistic as can be, it says that the resulting system should not have _any_ obsolete files at all. So that's why I set it up this way. I know it's not common and I know it's not pure OpenBSD anymore, but there's nothing non-OpenBSD in it. And yes: It's my lack of knowledge and I didn't mean to hide that at any time. If you don't know what you're doing, don't do it. The world would be better if everybody would admit to this. But wouldn't this be boring? ;-) cron also relies on the dynamic linker and its related files. You didn't delete those, did you? No, when I first tried to use a program that missed a lib, it told me so and I could go and copy that file to my target system. It's easy when a program tells you why it is in trouble. What should we do with the next guy that deletes this stuff thinking he doesn't need it and neglects to tell us when he comes here asking for help? Try to help him. What else? Why would you read this ML if not to help others that don't get along with whatever they do with OpenBSD? You guys helped me, too: Stuart's hint indirectly pointed me to login.conf. If you don't want to help, then just don't do it. So I don't see any problem here. You didn't know the importance of login.conf and you burn your fingers deleting it.
Don't blame others for it, I didn't intend to blame anybody. I'm pretty aware that what I do is not the usual way. But I still think it's a valid way to do things. and don't play the hey, I got mistreated-card either. Nah, come on, how could I react to don't waste my time! if not by a little irony? ;-) I'd be a lamer if I took everything too seriously! It just makes you look lame. I'm sorry that's what you think about me. Anyway, at my age, it's not so important anymore if a few people think you're lame. Maybe I am. Who cares? But let's not abuse this ML for personal discussions. I think I got you and I'm willing to do my best to provide the correct, complete information that is related to my problem, next time I bother you here on this ML. OK?
cron - setusercontext failed for root
I'm setting up an embedded system from scratch with OpenBSD. The system is VERY much stripped down to the absolute necessary files only. I have troubles using cron: in /etc/crontab I have:
---
SHELL=/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin
HOME=/tmp/log
*/1 * * * * root /bin/sh -c echo DEBUGMARKER/tmp/console
---
I have an entry for root in /etc/passwd (and master.passwd respectively). Nevertheless, when cron starts, I get this:
---
# /usr/sbin/cron -n -x sch
debug flags enabled: sch
[9538] cron started
[9538] GMToff=7200
[9538] Target time=1209315180, sec-to-wait=28
[9538] tick(53,16,26,3,0)
user [root:0:0:...] cmd=/bin/sh -c echo DEBUGMARKER/tmp/console
[9538] Target time=1209315240, sec-to-wait=60
log_it: (root 14005) CMD (/bin/sh -c echo DEBUGMARKER/tmp/console)
setusercontext failed for root
log_it: (root 20135) MAIL (mailed 31 bytes of output but got status 0x0001)
[9538] Target time=1209315240, sec-to-wait=59
---
The problem seems to be: setusercontext failed for root. Why is this so and what can I do to solve this? A little more explanation: I'm not using the std init-procedure, the kernel loads a custom init-script which does the things the system is designed to do. One task in the init-script is to start crond which is just there to do some cleanups regularly. Help will be appreciated! T.
Re: chroot issues with accessing /dev/ entries
I am setting up an embedded system that's supposed to run from RAMDISK only. You really should not do this. The RAMDISK kernel uses the SMALL_KERNEL option, and this can have all sorts of unknown effects. I appreciate your comment, but it seems I'm missing something or there's a misunderstanding. I don't see the connection between using mount_mfs and the ramdisk kernel. I don't think I'm using a ramdisk kernel. I'm using a self-compiled standard kernel, only I am creating a ramdisk with mount_mfs in my init-script, copy my stuff into that ramdisk and chroot to it. I don't see there's anything wrong with this?
Solved: Re: chroot issues with accessing /dev/ entries
OK, thank you, that got me onto the right track, now I think I know what the problem is: mount_mfs.
/sbin/mount_mfs -s 9 swap /mnt
Is there a way to have devices under that mountpoint?
Of course, just mknod(8) them (each time after creating the mfs),
Thanks everybody for your help. For whatever reason it did not work (for me) to just copy (pax) the /dev/* files from / to my ramdisk-mountpoint (/mnt). The files were there but always caused a "failed to open" error when used from within the chrooted environment. It also did not work to first chroot and then (within the chroot environment) create the files with mknod. What worked was first creating the files with mknod and then chroot. I don't know why this is so, but I'm happy with it.
chroot issues with accessing /dev/ entries
I am setting up an embedded system that's supposed to run from RAMDISK only. Therefore I create a ramdisk, copy everything into it and then chroot. I encounter problems when accessing pcap-libs (or devices in /dev generally) as soon as I actually chroot:
# ls -l /dev/bpf0
crw---  1 root  wheel  23, 0 Sep 27 2006 /dev/bpf0
# ls -l /tmp/chroot/dev/bpf0
crw---  1 root  wheel  23, 0 Sep 28 2006 /tmp/chroot/dev/bpf0
# tcpdump
tcpdump: listening on fxp0, link-type EN10MB
[...]
60 packets received by filter
0 packets dropped by kernel
# chroot /tmp/chroot/
/bin/ksh: No controlling tty (open /dev/tty: Device not configured)
/bin/ksh: warning: won't have full job control
# tcpdump
tcpdump: Failed to open bpf device for fxp0: Device not configured
tcpdump is just an example. Other programs access bpf0 (exactly) correctly when in the native system and fail to access bpf0 when in the chrooted environment. What am I missing? And why is there this tty warning message? The tty device entry is in the chrooted /dev just like it is in the source system. Help will be appreciated! T.
Re: chroot issues with accessing /dev/ entries
# tcpdump
tcpdump: Failed to open bpf device for fxp0: Device not configured
Is /tmp mounted nodev?
OK, thank you, that got me onto the right track, now I think I know what the problem is: mount_mfs. This is how I set up the ramdisk:
/sbin/mount_mfs -s 9 swap /mnt
Is there a way to have devices under that mountpoint?
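Added example (not from the thread) for the two questions in this exchange: it checks whether the filesystem holding a path is mounted nodev, the condition the reply asks about, and recreates device nodes inside a chroot with mknod(8) before chrooting, the order the poster reports as working. The mount(8) lines are constructed; copy_devnode assumes OpenBSD stat(1) format letters and root privileges.

```shell
#!/bin/sh
# Constructed sample in the style of OpenBSD mount(8) output; the mfs line is
# a ramdisk like the one in the thread, mounted nodev.
SAMPLE_MOUNTS='/dev/sd0a on / type ffs (local)
/dev/sd0d on /tmp type ffs (local, nodev, nosuid)
mfs:4711 on /mnt type mfs (asynchronous, local, nodev, nosuid, size=18432-sectors)'

# fs_dev_status MOUNT_OUTPUT PATH: prints "nodev" or "dev" for the filesystem
# containing PATH (the longest mount point that is a prefix of PATH wins).
fs_dev_status() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $2 == "on" {
            mp = $3
            if (p == mp || mp == "/" || index(p, mp "/") == 1)
                if (length(mp) > length(best)) { best = mp; line = $0 }
        }
        END {
            if (best == "") { print "unknown"; exit 1 }
            print ((line ~ /[(, ]nodev[,)]/) ? "nodev" : "dev")
        }'
}

# copy_devnode SRCDEV DSTROOT NAME: recreate SRCDEV/NAME as DSTROOT/dev/NAME
# with the same type, major and minor as the live node, so it can be made
# before chroot(8). Assumed OpenBSD stat(1) letters: %Sp permission string,
# %Hr major, %Lr minor. Needs root; not run by the sample below.
copy_devnode() {
    src="$1/$3"; dstdir="$2/dev"; name="$3"
    set -- $(stat -f '%Sp %Hr %Lr' "$src")    # e.g. "crw------- 23 0"
    case "$1" in
        c*) t=c ;;
        b*) t=b ;;
        *)  echo "$src: not a device node" >&2; return 1 ;;
    esac
    mkdir -p "$dstdir" && mknod "$dstdir/$name" "$t" "$2" "$3"
}

# Sample run on the constructed mount table: /dev/bpf0 lives on the root
# filesystem (dev), /mnt/dev/bpf0 on the nodev mfs.
for p in /dev/bpf0 /mnt/dev/bpf0; do
    echo "$p: $(fs_dev_status "$SAMPLE_MOUNTS" "$p")"
done
```

On a live system, run fs_dev_status "$(mount)" /mnt/dev/bpf0 before chrooting; if it prints nodev, no device node under that mount point will open regardless of how it was created.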
MP kernel doesn't update kernel.cp_time on interrupt load
I'm running some throughput testing using OpenBSD as the router OS. Running the GENERIC.MP kernel I'm not seeing any system load despite the NICs generating about 40 000 interrupts in vmstat. Running the same test on a GENERIC kernel results in 80% system utilization. Checking with sysctl confirms that a pure interrupt-based load from the NICs doesn't update kern.cp_time. A userspace load like compiling the src tree however does show the expected behaviour and updates kern.cp_time. I'm seeing this on both of my Dell machines. Dell 1750 with 4.0 MP kernel. Single core xeon. Runs MP to get APIC. Dell 1950 with -CURRENT as of yesterday. Dual core xeon.