Incoming connection via VLAN
Hello all,

My home internet connection (Internode Australia) has recently been "upgraded" and is now delivered via vlan ID 2. Previously had the following configuration which worked without issue:

# cat /etc/hostname.em0
up

# cat /etc/hostname.pppoe0
inet 0.0.0.0 255.255.255.255 NONE \
        pppoedev em0 authproto pap \
        authname 'x...@internode.on.net' \
        authkey '' up
dest 0.0.0.1
inet6 eui64
!/sbin/route add default -ifp pppoe0 0.0.0.1
!/sbin/route add -inet6 default -ifp pppoe0 fe80::%pppoe0
!/etc/rc.d/dhcp6c restart
!/sbin/pfctl -ef /etc/pf.conf

After working out the vlan stuff I now have the following:

# cat /etc/hostname.em0
up

# cat /etc/hostname.vlan2
vnetid 2 parent em0 txprio 1 up

# cat /etc/hostname.pppoe0
inet 0.0.0.0 255.255.255.255 NONE \
        llprio 1 mtu 1440 \
        pppoedev vlan2 authproto pap \
        authname 'x...@internode.on.net' \
        authkey '' up
dest 0.0.0.1
inet6 eui64
!/sbin/route add default -ifp pppoe0 0.0.0.1
!/sbin/route add -inet6 default -ifp pppoe0 fe80::%pppoe0
!/etc/rc.d/dhcp6c restart
!/sbin/pfctl -ef /etc/pf.conf

I am able to access the internet fine. My problem is incoming connections are unable to access the OBSD router but are able to be redirected to internal hosts just fine. There were no problems with this prior to the vlan stuff.

My stripped down pf.conf is:

# cat /etc/pf.conf
egress = "pppoe0"
zappa = "10.0.1.2"

set skip on lo
set skip on vlan2
set block-policy drop
set loginterface $egress

queue outq on $egress bandwidth 13M max 13M flows 1024 qlimit 1024 default

match in inet all scrub (no-df random-id)
match on $egress inet scrub (max-mss 1440)

# NAT all outbound IPv4 traffic from the rest of our network
match out on $egress inet from !($egress:network) to any nat-to ($egress:0)

antispoof quick for lo

pass in on $egress proto { tcp udp } from any to ($egress) port { ssh http https }
pass in on $egress proto tcp from any to ($egress) port 51022 rdr-to $zappa port ssh

Running tcpdump on pppoe0 shows ICMP packets but never any SSH (or other TCP) packets coming in on egress. I am confused that rdr-to works but connections to the router do not.

Any help would be greatly appreciated.

-felix
Singaporean Mr. Teo En Ming's Refugee Seeking Attempts
Subject: Singaporean Mr. Teo En Ming's Refugee Seeking Attempts In reverse chronological order: [1] Petition to the Government of Taiwan for Refugee Status, 5th August 2019 Monday Photo #1: At the building of the National Immigration Agency, Ministry of the Interior, Taipei, Taiwan, 5th August 2019 Photo #2: Queue ticket at the National Immigration Agency, Ministry of the Interior, Taipei, Taiwan, 5th August 2019 Photo #3: Submission of documents/petition to the National Immigration Agency, Ministry of the Interior, Taipei, Taiwan, 5th August 2019 Photos #4 and #5: Acknowledgement of Receipt for the submission of documents/petition from the National Immigration Agency, Ministry of the Interior, Taipei, Taiwan, 5th August 2019 References: (a) Petition to the Government of Taiwan for Refugee Status, 5th August 2019 Monday (Blogspot) Link: https://tdtemcerts.blogspot.sg/2019/08/petition-to-government-of-taiwan-for.html (b) Petition to the Government of Taiwan for Refugee Status, 5th August 2019 Monday (Wordpress) Link: https://tdtemcerts.wordpress.com/2019/08/23/petition-to-the-government-of-taiwan-for-refugee-status/ [2] Application for Refugee Status at the United Nations Refugee Agency, Bangkok, Thailand, 21st March 2017 Tuesday References: (a) [YOUTUBE] Vlog: The Road to Application for Refugee Status at UNHCR Bangkok Link: https://www.youtube.com/watch?v=utpuAa1eUNI YouTube video Published on March 22nd, 2017 -BEGIN EMAIL SIGNATURE- The Gospel for all Targeted Individuals (TIs): [The New York Times] Microwave Weapons Are Prime Suspect in Ills of U.S. Embassy Workers Link: https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html Singaporean Mr. Turritopsis Dohrnii Teo En Ming's Academic Qualifications as at 14 Feb 2019 [1] https://tdtemcerts.wordpress.com/ [2] https://tdtemcerts.blogspot.sg/ [3] https://www.scribd.com/user/270125049/Teo-En-Ming -END EMAIL SIGNATURE-
Re: VM CPU usage with TSC timecounter
On Thu, Aug 29, 2019 at 10:29:40PM +0100, Oriol Demaria wrote:
> I have been following the patching of the TSC. So I don't have problems on
> the Ryzen now using TSC with the mouse and so on, but I have a problem with
> the vms. The CPU maxes out on the Ryzen 5 (on Intel is fine) when I run a vm
> (debian).
>
> But when I change the timecounter back to acpihpet0 and restart vmd, the CPU
> usage is normal again. Does anyone else has this problem?
>
> Regards.
>
> --
> Oriol Demaria
> 2FFED630C16E4FF8
>

40400 _vmd 100 8195M 505M idle fsleep1:35 1.46% vmd

Not here. That's an ubuntu19 vm on Ryzen 7.

Does this happen all the time or is it random? We do have a longstanding well known bug where a VM can get stuck and spin to 100%, that's unrelated to TSC though.

-ml
VM CPU usage with TSC timecounter
I have been following the patching of the TSC. So I don't have problems on the Ryzen now using TSC with the mouse and so on, but I have a problem with the vms. The CPU maxes out on the Ryzen 5 (on Intel is fine) when I run a vm (debian).

But when I change the timecounter back to acpihpet0 and restart vmd, the CPU usage is normal again. Does anyone else has this problem?

Regards.

--
Oriol Demaria
2FFED630C16E4FF8
Re: dhcrelay
hiya
thanks for the reply

> hi everyone
> if i have a dhcp server in subnet A connected to interface em0 (lan) and
> subnet B connected to interface iwn0 (wireless zone) on the router
> with dhcrelay -i em0 running on the router should the wireless subnet be
> able to get its dhcp address from the dhcp server on the lan ?
> No, you would need to run
>
>dhcrelay -i iwn0
>
> to do that.

finally got that sorted, but led me to another question

i have two dhcp servers on samba domain controllers, can a second server-ip address be added like this to dhcrelay

dhcrelay -i iwn0

i haven't seen any examples like this on the net

shadrock
missing PD Prefix 's
hi everyone

how do i check if rad is working correctly
i have a PD Prefix address on my routers wan interface but not on its lan interface or anywhere on the lan

rad is configured with the following

cat /etc/rad.conf
interface em0
interface em1
interface tun0

i also have dhcpcd configured

cat << EOF > /etc/dhcpcd.conf
ipv6only
noipv6rs
duid
persistent
option rapid_commit
require dhcp_server_identifier
slaac private
nohook resolv.conf, lookup-hostname
allowinterfaces bge0 em0 em1 tun0
script ""
interface bge0
ia_na 1
ia_pd 2 em0/0
ia_pd 3 em1/1
ia_pd 4 tun0/2
Re: support new
On Thu, 29 Aug 2019 11:43:40 +0200, Ingo Schwarze wrote:

> It would no doubt be nice to have a support.html entry for Turkey,
> but i'm not convinced i want to add a person who is not even able
> to send properly formatted email.

The original message was html and got reformatted to text. That doesn't always produce the nicest results. If they were to re-send as plain text that would probably help.

- todd
Problems configuring Unbound?
I'm using OpenBSD 6.5 and trying to configure "views" in Unbound. This is the configuration file:

===
server:
    interface: 0.0.0.0
    access-control: 192.168.0.0/24 allow
    access-control-view: 192.168.0.0/24 firstview
    local-zone: "local." static
    local-data: "cups.local. IN A 192.168.1.1"

view:
    name: "firstview"
    local-zone: "local." static
    local-data: "gateway.local. IN A 192.168.0.1"
    view-first: yes

forward-zone:
    name: "."
    forward-addr: 8.8.8.8
===

The problem is that Unbound will not use the global local-zone tree after no match is found in a view, even though view-first is set to yes.

This is output from a client in 192.168.0.0/24 when running Unbound with the above configuration file:

===
client:~$ host -t cups.local
Host cups.local not found: 3(NXDOMAIN)
client:~$ host -t gateway.local
gateway.local has address 192.168.0.1
===

If I remove "access-control-view: 192.168.0.0/24 firstview" and try again from the same client:

===
client:~$ host -t cups.local
cups.local has address 192.168.1.1
client:~$ host -t gateway.local
Host gateway.local not found: 3(NXDOMAIN)
===

What could I be doing wrong?

Thanks.

Mogens Jensen
Re: What is you motivational to use OpenBSD
I decided to move away from Windows and I needed to setup a web and email server. Trying many different versions of Linux left me unsatisfied. Then I accidentally ran into OpenBSD website. That was exactly what I wanted. As a totally inexperienced guy, I found a server company that could pre-install it. I never looked back and learned almost everything remotely. I dual booted at home for a while and I use OpenBSD only for a long time now.

I have found two interesting things about the mailing lists.

1. Here is what you need to know, how else can I help.
2. RTFM and read the source code yourself.

I found read the source code a little frustrating at first. But I have realized that the OpenBSD community is NOT about holding your hand. There is an expectation that you need to put out the effort necessary to at least try to figure it out yourself. If that means learning some C or Perl or other languages, then you will have to do that.

I now heartily agree with this. Why should a developer waste time when there are truly more important things that constantly change as the world moves forward.

I have never been concerned about missing a few months without checking up on a server. Problems are very very rare! And fixed really really fast!

Thanks for giving me a fantastic system and the chance to laugh at the other OS's that think security and bug fixing is an optional concern!

Chris Bennett
Re: relayd: "listen on egress" only listens to IPv4 and not IPv6
On Thu, August 29, 2019 8:55 am, Muhammad Kaisar Arkhan wrote:
> Hi Tom,
>
>> listen on 2a03:6000:9106::50f7:f07a:d1cc port 443 tls
>
> I've tried this before, it just results in this:
>
> /etc/relayd.conf:33: cannot load certificates for relay https2:443
>
> I'm not sure why it does this despite the fact I have clearly
> indicated which TLS certificates to use in relayd.conf with the
> new "tls keypair" feature.
>
> % cat /etc/relayd.conf
>
> log connection
>
> table { 127.0.0.1 }
> table { 127.0.0.1 }
> table { 127.0.0.1 }
>
> http protocol "reverse_proxy" {
>     return error
>
>     match header set "X-Forwarded-For" value "$REMOTE_ADDR"
>     match header set "X-Forwarded-By" value
>         "$SERVER_ADDR:$SERVER_PORT"
>
>     match request header "Host" value "znc.yukiisbo.red" \
>         forward to
>
>     tls keypair "yukiisbo.red"
>     tls keypair "arkhan.io"
>     tls keypair "znc.yukiisbo.red"
> }
>

Are the certificate and key files named correctly and placed in the appropriate locations as specified in the manpage?
Re: relayd: "listen on egress" only listens to IPv4 and not IPv6
Hi Tom,

> listen on 2a03:6000:9106::50f7:f07a:d1cc port 443 tls

I've tried this before, it just results in this:

/etc/relayd.conf:33: cannot load certificates for relay https2:443

I'm not sure why it does this despite the fact I have clearly indicated which TLS certificates to use in relayd.conf with the new "tls keypair" feature.

% cat /etc/relayd.conf

log connection

table { 127.0.0.1 }
table { 127.0.0.1 }
table { 127.0.0.1 }

http protocol "reverse_proxy" {
    return error

    match header set "X-Forwarded-For" value "$REMOTE_ADDR"
    match header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"

    match request header "Host" value "znc.yukiisbo.red" \
        forward to

    tls keypair "yukiisbo.red"
    tls keypair "arkhan.io"
    tls keypair "znc.yukiisbo.red"
}

relay "https" {
    listen on vio0 port 443 tls
    listen on 2a03:6000:9106::50f7:f07a:d1cc port 443 tls

    protocol "reverse_proxy"

    forward to port 80
    forward to port
}

protocol "znc" {
    tls keypair "znc.yukiisbo.red"
}

relay "irc" {
    listen on vio0 port 6697 tls
    listen on 2a03:6000:9106::50f7:f07a:d1cc port 6697 tls

    protocol "znc"

    forward to port
}
Re: relayd: "listen on egress" only listens to IPv4 and not IPv6
try

listen on 2a03:6000:9106::50f7:f07a:d1cc port 443 tls

and see if that works

On Thu, 29 Aug 2019 at 13:37, Muhammad Kaisar Arkhan wrote:

> > can you run
> > ifconfig interfacename
> > route -n show
>
> % ifconfig vio0
>
> vio0: flags=408b43 mtu 1500
>         lladdr xx:xx:xx:xx:xx:xx
>         index 1 priority 0 llprio 3
>         groups: egress
>         media: Ethernet autoselect
>         status: active
>         inet 46.23.92.126 netmask 0xff00 broadcast 46.23.92.255
>         inet6 fe80::fce1:bbff:fed3:5b04%vio0 prefixlen 64 scopeid 0x1
>         inet6 2a03:6000:9106::50f7:f07a:d1cc prefixlen 64
>
> % route -n show
>
> Routing tables
>
> Internet:
> Destination  Gateway            Flags  Refs  Use       Mtu  Prio  Iface
> default      46.23.92.1         UGS    23    66128822  -    8     vio0
> ...
>
> Internet6:
> Destination  Gateway            Flags  Refs  Use       Mtu  Prio  Iface
> default      2a03:6000:9106::1  UGS    0     21655     -    8     vio0
> ...
>
>
> Thanks.
>

--
Kindest regards,
Tom Smyth.
Re: relayd: "listen on egress" only listens to IPv4 and not IPv6
> can you run
> ifconfig interfacename
> route -n show

% ifconfig vio0

vio0: flags=408b43 mtu 1500
        lladdr xx:xx:xx:xx:xx:xx
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect
        status: active
        inet 46.23.92.126 netmask 0xff00 broadcast 46.23.92.255
        inet6 fe80::fce1:bbff:fed3:5b04%vio0 prefixlen 64 scopeid 0x1
        inet6 2a03:6000:9106::50f7:f07a:d1cc prefixlen 64

% route -n show

Routing tables

Internet:
Destination  Gateway            Flags  Refs  Use       Mtu  Prio  Iface
default      46.23.92.1         UGS    23    66128822  -    8     vio0
...

Internet6:
Destination  Gateway            Flags  Refs  Use       Mtu  Prio  Iface
default      2a03:6000:9106::1  UGS    0     21655     -    8     vio0
...

Thanks.
Re: OpenBSD 6.6 snapshot #262 - no USB mouse
Kernel #262 is known to be broken. Compile your own from -current sources or wait for the next snapshot.
Re: pppoe only connects if tcpdump is running?!
Hello,

problem solved: I tried with another Gbit PCI card! it worked instantly.

about the BAD PCI Gbit card, where pppoe only works when tcpdump is running:

on the chip:
Pulse H5007NL 1842 CHINA

on the board of the NIC:
94V-0 SR-01 E258603 DW-RTL8111-17 VER A

> Sent: Sunday, August 25, 2019 at 3:24 PM
> From: "Mara Toni"
> To: misc@openbsd.org
> Subject: pppoe only connects if tcpdump is running?!
>
> Hello!
>
> I got myself a new PCI ethernet card instead of an old USB3 to ethernet in a
> "router" named desktop machine.
>
> in short:
> But pppoe doesn't connect via the new PCI card. Only if I start a tcpdump on
> it!?
>
>
> longer:
> #
> # THE CONFIG
>
> router# cat /etc/hostname.re1
> up lladdr xx:xx:xx:xx:xx:xx
> router#
> router# cat /etc/hostname.pppoe0
> inet 0.0.0.0 255.255.255.255 NONE pppoedev re1 authproto pap debug authname
> 'censored' authkey 'censored' up
> dest 0.0.0.1
> !/sbin/route add default -ifp pppoe0 0.0.0.1
> router#
>
> OpenBSD 6.5 amd64
>
> #
> # THE STATE
>
> router# ifconfig re1
> re1: flags=8843 mtu 1500
>         lladdr xx:xx:xx:xx:xx:xx
>         index 2 priority 0 llprio 3
>         media: Ethernet 100baseTX full-duplex
>         status: active
> router#
> router# ifconfig pppoe0
> pppoe0: flags=8855 mtu 1492
>         index 5 priority 0 llprio 3
>         dev: re1 state: PADI sent
>         sid: 0x0 PADI retries: 5 PADR retries: 0
>         sppp: phase establish authproto pap authname "censored"
>         groups: pppoe egress
>         status: no carrier
>         inet 0.0.0.0 --> 0.0.0.1 netmask 0x
> router#
>
> router# dmesg|grep re1
> re1 at pci3 dev 0 function 0 "Realtek 8168" rev 0x07: RTL8168E/8111E-VL
> (0x2c80), msi, address xx:xx:xx:xx:xx:xx
> rgephy1 at re1 phy 7: RTL8169S/8110S/8211 PHY, rev. 5
> router#
>
> #
> # I TRIED:
>
> - rebooting, waiting for many minutes
> - pap or chap
> - mac filtering is OK, that is the MAC, what is in the hostname.re1
> - doing: ifconfig re1 media "10baseT" - thinking of cable issue
> - tried to plug in to the pci eth card via a Gbit switch, still no pppoe
> - "ifconfig pppoe0 down" and "up" gives only these debug messages:
>
> down:
> Aug 24 15:15:06 router /bsd: pppoe0: lcp close(starting)
> Aug 24 15:15:06 router /bsd: pppoe0: lcp starting->initial
> Aug 24 15:15:06 router /bsd: pppoe0: phase dead
>
> up:
> Aug 24 15:15:11 router /bsd: pppoe0: lcp close(initial)
> Aug 24 15:15:11 router /bsd: pppoe0: lcp open(initial)
> Aug 24 15:15:11 router /bsd: pppoe0: lcp initial->starting
> Aug 24 15:15:11 router /bsd: pppoe0: phase establish
> Aug 24 15:15:11 router /bsd: pppoe0 (8863) state=1, session=0x0 output ->
> ff:ff:ff:ff:ff:ff, len=18
>
> #
> # INTERESTING THING:
>
> if I plug back my old USB3 to ethernet, it works instantly (via the usb3 eth):
>
> router# mv /etc/hostname.re1 /etc/hostname.cdce0
> router# sed -i 's/re1/cdce0/g' /etc/hostname.pppoe0
> +putting the ISP cable to cdce0.
> then "reboot"
> it works... gets IP:
>
> router# ifconfig cdce0
> cdce0: flags=8843 mtu 1500
>         lladdr xx:xx:xx:xx:xx:xx
>         index 5 priority 0 llprio 3
> router#
> router# ifconfig pppoe0
> pppoe0: flags=8855 mtu 1492
>         index 6 priority 0 llprio 3
>         dev: cdce0 state: session
>         sid: 0x5eb PADI retries: 0 PADR retries: 0 time: 00:00:20
>         sppp: phase network authproto pap authname "censored"
>         groups: pppoe egress
>         status: active
>         inet yy.yy.yyy.yyy --> 10.0.0.1 netmask 0x
> router#
>
> #
>
> a funny thing happened. I wanted to do a tcpdump on the pci ethernet re1, and
> during tcpdump, pppoe connected:
>
> router# tcpdump -i re1
> ...
> pppoe0: flags=8855 mtu 1492
>         index 6 priority 0 llprio 3
>         dev: re1 state: session
>         sid: 0x16f4 PADI retries: 9 PADR retries: 0 time: 00:01:24
>         sppp: phase network authproto pap authname "censored"
>         groups: pppoe egress
>         status: active
>         inet yy.yy.yy.yyy --> 10.0.0.1 netmask 0x
>
> So it ONLY successfully connects via pppoe if tcpdump is running for re1! Why?
>
> I can 100% reproduce it. If I stop the tcpdump, the public IP stays, but
> there is no internet connection to the world.
>
> is this a bug? or a flag is set by tcpdump for the nic?
>
> #
>
> What am I missing? Why can't I connect via pppoe with the PCI ethernet card
> without running tcpdump on it?
>
> Thanks.
>
>
Re: relayd: "listen on egress" only listens to IPv4 and not IPv6
can you run

ifconfig interfacename
route -n show

On Thu, 29 Aug 2019 at 12:03, Muhammad Kaisar Arkhan wrote:

> Hi Tom,
>
> > In any case... just specify the interface manually, on the config line
> >
> > --listen on egress port 443 tls
> >
> > ++listen on vio0 port 443 tls
> >
> > replace vio0 with your actual "egress" interface name
>
> I tried it. Sadly it doesn't work, it still only listens to IPv4.
>
> % cat /etc/relayd.conf
>
> ...
> relay "https" {
>     listen on vio0 port 443 tls
>     ...
> }
>
> % netstat -nat | grep LISTEN | grep '.443'
> tcp 0 0 46.23.92.126.443 *.* LISTEN
>
> Thanks.
>

--
Kindest regards,
Tom Smyth.
Re: relayd: "listen on egress" only listens to IPv4 and not IPv6
Hi Tom,

> In any case... just specify the interface manually, on the config line
>
> --listen on egress port 443 tls
>
> ++listen on vio0 port 443 tls
>
> replace vio0 with your actual "egress" interface name

I tried it. Sadly it doesn't work, it still only listens to IPv4.

% cat /etc/relayd.conf

...
relay "https" {
    listen on vio0 port 443 tls
    ...
}

% netstat -nat | grep LISTEN | grep '.443'
tcp 0 0 46.23.92.126.443 *.* LISTEN

Thanks.
Re: Package -stable updates
On Thu, Aug 29, 2019 at 09:50:48AM +0200, Andre Stoebe wrote:
> On 29.08.2019 01:59, Steven Shockley wrote:
> > So, many thanks to everyone who put together the new -stable updates for
> > packages. Is there a command I can put in the crontab that will only
> > output if there are updates? Similar to what syspatch or openup does.
> > I tried pkg_add -unx, but that still tells me to delete old files and
> > prints the quirks line even if there are no updates.
>
> Hi Steven,
>
> here's what I came up with in my /etc/daily.local file...
>
> (pkg_add -suv | sed -En 's/^Adding (.+)\(pretending\)/\1/p') 2>&1 \
> | grep -v ': Requesting'
>
> Initially I didn't use the verbose option and a simpler sed expression,
> but I eventually found that pkg_add's output differs whether a terminal
> is attached or not. So that's what works for me.
>
> Regards
> Andre

You could also do as sysupgrade(8) does and download the SHA256 file, compare it to a locally stored copy of it. If it is different, there are new packages and you can try running "pkg_add -u" when you have the inclination to do so (or immediately from the same script). Then update the locally stored copy of the SHA256 file with the version just downloaded.

This is my script (note: I'm following snapshots rather than -stable, so some slight tweaking will be necessary). I'm running it with my unprivileged user from the command line to upgrade everything (the first "doas sysupgrade" is not commented out in my version):

#!/bin/sh -eux

# doas sysupgrade # to also make sure that the system is up-to-date

tmpfile=$(mktemp)
stamp=$HOME/.sha256.ports

trap 'rm -f "$tmpfile"' EXIT

read installurl
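The SHA256-comparison approach described in the message above, as an added example that is not part of the original post or its truncated script. The function names, the stamp handling and the sample data are assumptions; the download step is left to the caller, and the digests are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are assumptions.
# The caller fetches the mirror's package SHA256 file first (for instance
# with ftp -o "$new" "$url", where $url is a placeholder for that file's
# location on the mirror in use).

# packages_changed NEW STAMP
#   0: NEW differs from STAMP, or there is no STAMP yet
#   1: identical, nothing to do
#   2: NEW is missing or empty (failed download), never read as "no updates"
packages_changed() {
    [ -s "$1" ] || return 2
    if [ -f "$2" ] && cmp -s "$1" "$2"; then
        return 1
    fi
    return 0
}

# changed_entries NEW STAMP
#   Print the file names whose "SHA256 (name) = digest" line is new in NEW.
changed_entries() {
    _old=$2
    [ -f "$_old" ] || _old=/dev/null
    _a=$(mktemp) || return 1
    _b=$(mktemp) || { rm -f "$_a"; return 1; }
    LC_ALL=C sort "$_old" >"$_a"
    LC_ALL=C sort "$1" >"$_b"
    LC_ALL=C comm -13 "$_a" "$_b" | sed -n 's/^SHA256 (\(.*\)) = .*$/\1/p'
    rm -f "$_a" "$_b"
}

# commit_stamp NEW STAMP
#   Record NEW as the last-seen state via rename, so an interrupted run
#   cannot leave a half-written stamp. Call it only after pkg_add -u
#   succeeded, otherwise a failed upgrade would never be retried.
commit_stamp() {
    _tmp=$(mktemp "$2.XXXXXX") || return 1
    cat "$1" >"$_tmp" && mv -f "$_tmp" "$2"
}

# check_updates NEW STAMP
#   Cron entry point: prints changed package files, and nothing at all
#   when the two files match. Returns the status of packages_changed.
check_updates() {
    packages_changed "$1" "$2" && _rc=0 || _rc=$?
    case $_rc in
        0) changed_entries "$1" "$2" ;;
        1) : ;;
        *) echo "SHA256 file missing or empty: $1" >&2 ;;
    esac
    return "$_rc"
}

# Demo on constructed data (package names and digests are placeholders).
demo=$(mktemp -d)
cat >"$demo/stamp" <<'EOF'
SHA256 (examplepkg-1.0.tgz) = constructed-digest-1
SHA256 (otherpkg-2.3.tgz) = constructed-digest-2
EOF
cat >"$demo/new" <<'EOF'
SHA256 (examplepkg-1.0p0.tgz) = constructed-digest-3
SHA256 (otherpkg-2.3.tgz) = constructed-digest-2
EOF
if check_updates "$demo/new" "$demo/stamp"; then
    commit_stamp "$demo/new" "$demo/stamp"   # after a successful upgrade
fi
check_updates "$demo/new" "$demo/stamp" || true   # second run: silent
rm -rf "$demo"
```

Treating an empty or missing download as an error (status 2) rather than as "unchanged" keeps a broken mirror or network failure from silently suppressing update notices.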
Re: relayd: "listen on egress" only listens to IPv4 and not IPv6
Hi Muhammad,

Check your Ipv6 routing table is there a default route on your V6 Routing Table...

If I understand egress correctly (it is the external interface) which at a guess is chosen by the interface that the default route in your routing table would use.

In any case... just specify the interface manually, on the config line

--listen on egress port 443 tls
++listen on vio0 port 443 tls

replace vio0 with your actual "egress" interface name

On Thu, 29 Aug 2019 at 10:58, Muhammad Kaisar Arkhan wrote:

> Hi misc@,
>
> I have relayd running on my -current machine which does reverse proxies along
> with TLS relays for various programs and it seems when using "listen on egress",
> it only listens to IPv4 and doesn't listen to IPv6.
>
> In httpd, this is not the case, when using "listen on egress" it listens to both
> IPv4 and IPv6.
>
> Since I require SNI, I'm using the new "tls keypair" feature and it seems if I
> have multiple listens it results in the following error:
>
> /etc/relayd.conf:33: cannot load certificates for relay https2:443
>
> Even though there's "tls keypair" clearly indicating which certificates to use.
>
> My -current system is dated 25-08-2019.
>
> Here's some more relevant information:
>
> % dmesg | head
>
> OpenBSD 6.6-beta (GENERIC) #236: Sun Aug 25 13:46:21 MDT 2019
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
>
> % cat /etc/relayd.conf
>
> ...
> relay "https" {
>    listen on egress port 443 tls
>
>    protocol "reverse_proxy"
>
>    forward to port 80
> ...
> }
> ...
>
> % netstat -nat | grep LISTEN
>
> ...
> tcp 0 0 xx.xx.xx.xx.443 *.* LISTEN
> ...
>
> Thanks.
>

--
Kindest regards,
Tom Smyth.
Re: What is you motivational to use OpenBSD
On 8/28/19 4:32 PM, Mohamed salah wrote:
> I wanna put something in discussion, what's your motivational to use OPENBSD what not other bsd's what not gnu/Linux, if something doesn't work fine on openbsd and you love this os so much what will do?

I enjoy using it because of its clean design. It's a fairly simple system, with sane default configuration and it "just works" on most laptops that I've used it on.

I use a lot of Linux at work and in other environments as well, and the application support is naturally better. But the things I really care about work on OpenBSD, and as such, I tend to come back to it when using computers in my free time.
relayd: "listen on egress" only listens to IPv4 and not IPv6
Hi misc@,

I have relayd running on my -current machine which does reverse proxies along with TLS relays for various programs and it seems when using "listen on egress", it only listens to IPv4 and doesn't listen to IPv6.

In httpd, this is not the case, when using "listen on egress" it listens to both IPv4 and IPv6.

Since I require SNI, I'm using the new "tls keypair" feature and it seems if I have multiple listens it results in the following error:

/etc/relayd.conf:33: cannot load certificates for relay https2:443

Even though there's "tls keypair" clearly indicating which certificates to use.

My -current system is dated 25-08-2019.

Here's some more relevant information:

% dmesg | head

OpenBSD 6.6-beta (GENERIC) #236: Sun Aug 25 13:46:21 MDT 2019
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC

% cat /etc/relayd.conf

...
relay "https" {
    listen on egress port 443 tls

    protocol "reverse_proxy"

    forward to port 80
...
}
...

% netstat -nat | grep LISTEN

...
tcp 0 0 xx.xx.xx.xx.443 *.* LISTEN
...

Thanks.
Re: support new
Hello Ibrahim,

Ibrahim Topbasi wrote on Thu, Aug 29, 2019 at 12:04:39PM +0300:

> 0C TURKEYP AnkaraT CankayaZ 06510A 2139. Street 2/11O Rakort Information
> TechnologiesI Ibrahim TopbasiM open...@rakort.comu http://www.rakort.comB
> 90-850-460-10-58X 90-850-460-10-58N More than 5 years, OpenBSD
> setup/installation/remote administration. Network engineering, software
> development(C/Python/PHP/PostgreSQL/MySQL). Also experienced with Solaris
> and Linux.We specialize in providing solid open source solutions for
> businesses using OpenBSD, ? and Linux. MCSE, CCNA, RHCE certifications,
> VPNs, firewalls, wireless, DNS, squidGuard, mail - even training with
> OpenBSD.

It would no doubt be nice to have a support.html entry for Turkey, but i'm not convinced i want to add a person who is not even able to send properly formatted email.

Then, i consider using "OpenBSD OpenBSD" as the comment in the From: Header of outgoing email pretentious, maybe even offensive. A serious business would put the real name of a real person in that place and additionally use the Reply-To: header.

Besides, while i guess it is OK that the website is in Turkish language only, it doesn't appear to even mention OpenBSD, so i think this request ought to be disregarded.

Yours,
Ingo

--
Ingo Schwarze http://www.openbsd.org/ http://mandoc.bsd.lv/
support new
0C TURKEYP AnkaraT CankayaZ 06510A 2139. Street 2/11O Rakort Information TechnologiesI Ibrahim TopbasiM open...@rakort.comu http://www.rakort.comB 90-850-460-10-58X 90-850-460-10-58N More than 5 years, OpenBSD setup/installation/remote administration. Network engineering, software development(C/Python/PHP/PostgreSQL/MySQL). Also experienced with Solaris and Linux.We specialize in providing solid open source solutions for businesses using OpenBSD, � and Linux. MCSE, CCNA, RHCE certifications, VPNs, firewalls, wireless, DNS, squidGuard, mail - even training with OpenBSD.
Re: Package -stable updates
On 29.08.2019 01:59, Steven Shockley wrote:
> So, many thanks to everyone who put together the new -stable updates for
> packages. Is there a command I can put in the crontab that will only
> output if there are updates? Similar to what syspatch or openup does.
> I tried pkg_add -unx, but that still tells me to delete old files and
> prints the quirks line even if there are no updates.

Hi Steven,

here's what I came up with in my /etc/daily.local file...

(pkg_add -suv | sed -En 's/^Adding (.+)\(pretending\)/\1/p') 2>&1 \
    | grep -v ': Requesting'

Initially I didn't use the verbose option and a simpler sed expression, but I eventually found that pkg_add's output differs whether a terminal is attached or not. So that's what works for me.

Regards
Andre
Re: Package -stable updates
On 29.08.19 01:59, Steven Shockley wrote:
> Is there a command I can put in the crontab that will only
> output if there are updates?

I've come up with:

pkg_add -u -n -I -v 2>&1 | grep 'Adding' | sort -u | sed -e 's/.*Adding \(.*\)(pretending.*/\1/'

this will print

- ->

Suggestions for something simpler/better that gives above information is highly appreciated.

Best,
Michael
Re: Package -stable updates
On 09:29 Thu 29 Aug, Florian Obser wrote:
> On Thu, Aug 29, 2019 at 09:39:40AM +0300, Consus wrote:
> > On 19:59 Wed 28 Aug, Steven Shockley wrote:
> > > So, many thanks to everyone who put together the new -stable updates for
> > > packages. Is there a command I can put in the crontab that will only
> > > output if there are updates? Similar to what syspatch or openup does.
> > > I tried pkg_add -unx, but that still tells me to delete old files and
> > > prints the quirks line even if there are no updates.
> >
> > I use
> >
> > 0 7 * * * pkg_add -un | grep -v 'signed on'
> >
> > and it works okay, no warnings about deleting old files.
> >
> > Though removing quirks line would be nice.
> >
>
> I thought you had moved on since stable packages are one or two
> decades too late?

Eh?
Re: Package -stable updates
On Thu, Aug 29, 2019 at 09:39:40AM +0300, Consus wrote:
> On 19:59 Wed 28 Aug, Steven Shockley wrote:
> > So, many thanks to everyone who put together the new -stable updates for
> > packages. Is there a command I can put in the crontab that will only
> > output if there are updates? Similar to what syspatch or openup does.
> > I tried pkg_add -unx, but that still tells me to delete old files and
> > prints the quirks line even if there are no updates.
>
> I use
>
> 0 7 * * * pkg_add -un | grep -v 'signed on'
>
> and it works okay, no warnings about deleting old files.
>
> Though removing quirks line would be nice.
>

I thought you had moved on since stable packages are one or two decades too late?

--
I'm not entirely sure you are real.