Re: OpenBSD alternatives to Pi-Hole

2020-06-15 Thread George



On 2020-06-15 11:52 a.m., Jon Tabor wrote:
> On Fri, Jun 12, 2020 at 04:33:08PM -0700, Jordan Geoghegan wrote:
>>
>> On 2020-06-12 14:01, George wrote:
>>> On 2020-06-12 3:41 p.m., Maurice McCarthy wrote:
>>>> You could have a look at
>>>> https://www.geoghegan.ca/unbound-adblock.html and
>>>> https://www.geoghegan.ca/pfbadhost.html
>>>
>>> Simply great! Will definitely try these out.
>>>
>>> Merci!
>>>
>>> George
>>
>> Hey there,
>>
>> I'm the author of those scripts. In response to concerns about
>> heaviness/memory use of DNS blocklists: unbound-adblock is pretty light on
>> memory (~30MB of RAM usage) as we serve NXDOMAIN responses instead of
>> redirecting to 0.0.0.0 etc. By doing this we save a massive amount of memory
>> that would otherwise be spent mapping each domain to a black hole address. I
>> run unbound-adblock on many Edgerouter Lites and haven't had any issues.
>>
>> Regards,
>>
>> Jordan Geoghegan
>
> I'm using these scripts (or a version of them; I've had them in for a
> while), and it's using NXDOMAIN which loads way faster and uses a lot
> less memory. I also slightly tweaked the script I have to include a
> whitelist file, as my wife keeps finding sites that simply won't work
> properly. It simply calls sed to remove lines from the
> unbound-adhosts.conf file.
>
> Works great. I also set up pf to redirect all DNS queries to my local
> instance of unbound, so you can't easily bypass it (unless you use DNS
> over HTTPS).
>
> Jon Tabor
> tab...@obsolete.site


Thanks for sharing, this is good to know!



Re: IKEv2 difference with 6.7

2020-06-15 Thread Daniel Ouellet
> Probably related to the following change documented in
> https://www.openbsd.org/faq/upgrade67.html:
>
> iked(8)/isakmpd(8). The type of incoming ipsec(4) flows installed by iked(8)
> or isakmpd(8) was changed from "use" to "require". This means unencrypted
> traffic matching the flows will no longer be accepted. Flows of type "use"
> can still be set up manually in ipsec.conf(5).

I have what appears to be a similar problem. I used iked from 5.6 all the
way to 6.6 with no problem, well, some, but I worked it out. All in the archive.

But going from 6.6 to 6.7 I can't get it to work anymore. Nothing
changed, same configuration, just a sysupgrade and that's it.

I read this and I can understand the words, but maybe I am thick, but I
don't understand what to do with it.

I see the require type modifier in the ipsec.conf man page, not in the
iked.conf man page.

Do you mean whatever rules we had in iked.conf need to be in
ipsec.conf now?

I am really sorry if I don't follow the meaning of what you tried to
say, but how can this be fixed, or changed?

My guess is that it is simple and I don't think about it properly, but I
am hitting a road block trying to figure it out.

I am a bit at a loss and any clue stick would be greatly appreciated.

Thanks

Daniel



Re: IKEv2 difference with 6.7

2020-06-15 Thread Daniel Ouellet
On 6/15/20 8:04 PM, Daniel Ouellet wrote:
>> Probably related to the following change documented in
>> https://www.openbsd.org/faq/upgrade67.html:
>>
>> iked(8)/isakmpd(8). The type of incoming ipsec(4) flows installed by iked(8)
>> or isakmpd(8) was changed from "use" to "require". This means unencrypted
>> traffic matching the flows will no longer be accepted. Flows of type "use"
>> can still be set up manually in ipsec.conf(5).
> 
> I have what appears to be a similar problem. I used iked from 5.6 all the
> way to 6.6 with no problem, well, some, but I worked it out. All in the archive.
> 
> But going from 6.6 to 6.7 I can't get it to work anymore. Nothing
> changed, same configuration, just a sysupgrade and that's it.
> 
> I read this and I can understand the words, but maybe I am thick, but I
> don't understand what to do with it.
> 
> I see the require type modifier in the ipsec.conf man page, not in the
> iked.conf man page.
> 
> Do you mean whatever rules we had in iked.conf need to be in
> ipsec.conf now?
> 
> I am really sorry if I don't follow the meaning of what you tried to
> say, but how can this be fixed, or changed?
> 
> My guess is that it is simple and I don't think about it properly, but I
> am hitting a road block trying to figure it out.
> 
> I am a bit at a loss and any clue stick would be greatly appreciated.
> 
> Thanks
> 
> Daniel

Just for the record, I just took a copy of iked version 6.6 and used
that instead of 6.7 and all is good. I saved the 6.7 version.

gateway# ls -al /sbin/iked*
-r-xr-xr-x  1 root  bin  436584 Jun 15 20:42 /sbin/iked
-r-xr-xr-x  1 root  bin  448744 May  7 12:52 /sbin/iked.original

So it's definitely nothing else that is stopping it from working.

Just a new requirement for iked to use this new way, and so far I am
coming up short as to how to get this done right.
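
The upgrade67 note quoted above says the flows iked(8) installs are now type "require", so traffic that matches a flow but arrives unencrypted is refused instead of accepted. The first thing to check after a sysupgrade is therefore what flow types are actually in the kernel. The script below is an added example, not from this thread or from iked(8): it summarises the output of "ipsecctl -s flow" by direction, selectors and type, and counts flows per type. The sample lines are constructed and assume that command's one-flow-per-line format; the addresses and IDs are placeholders.

```shell
#!/bin/sh
# Added example: list the type of each IPsec flow in the kernel so you can
# see which ones are "require" (cleartext matching them is refused) and
# which are still "use". Not from the thread or from iked(8); it parses the
# output of "ipsecctl -s flow", and the sample below is constructed on the
# assumption that it follows that command's one-flow-per-line format.

# Constructed sample (assumed ipsecctl -s flow format, not a real capture).
SAMPLE_FLOWS='flow esp in from 10.1.0.0/24 to 10.2.0.0/24 peer 203.0.113.1 srcid FQDN/peer dstid FQDN/gw type require
flow esp out from 10.2.0.0/24 to 10.1.0.0/24 peer 203.0.113.1 srcid FQDN/gw dstid FQDN/peer type require
flow esp in from 10.3.0.0/24 to 10.2.0.0/24 peer 203.0.113.2 type use'

# Reduce each flow line on stdin to "direction src dst type".
# Keywords are looked up by name rather than by position so that optional
# fields (peer, srcid, dstid) do not shift the parse.
flow_summary() {
    awk '$1 == "flow" {
        dir = $3; src = "?"; dst = "?"; type = "?"
        for (i = 4; i < NF; i++) {
            if ($i == "from")      src = $(i + 1)
            else if ($i == "to")   dst = $(i + 1)
            else if ($i == "type") type = $(i + 1)
        }
        print dir, src, dst, type
    }'
}

# Count flows of a given type ("require", "use", ...) on stdin.
count_flows_of_type() {
    flow_summary | awk -v t="$1" '$4 == t { n++ } END { print n + 0 }'
}

# Stand-alone demo on the constructed sample. On a gateway, replace the
# printf with:  ipsecctl -s flow | flow_summary
printf '%s\n' "$SAMPLE_FLOWS" | flow_summary
printf 'require flows: %s\n' "$(printf '%s\n' "$SAMPLE_FLOWS" | count_flows_of_type require)"
printf 'use flows: %s\n' "$(printf '%s\n' "$SAMPLE_FLOWS" | count_flows_of_type use)"
```

If every incoming flow shows "require" and the tunnel carried cleartext fallback before, that is the behaviour change the FAQ describes; ipsec.conf(5) documents the "type use" flow keyword for flows that are set up by hand.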



How enable TouchScreen on Laptop Hp Envy x360

2020-06-15 Thread T
Dear OpenBSD community,
I'm unable to get the touchscreen of my laptop working; can someone please
point me in the right direction? I saw something about
"Touchscreen  Yes  HID-over-I2C, supported by ims"
from https://jcs.org/2020/05/15/surface_go2 but
it doesn't make any sense. Thank you so much!!
Yours Sincerely - an OpenBSD newbie
Tony

-- 
Best regards,

Tony



Re: mpd: failed to open default sndio device

2020-06-15 Thread James

Did you find a solution to this? Copying ~/.sndio/cookie into _mpd's
home directory did not fix this error for me.

On Fri, Oct 18, 2019 at 02:34:48PM +0300, Кирилл wrote:

Hello.
After installing mpd:
$ mpc play
Antimatter - Over Your Shoulder
[paused]  #1/7   0:00/4:41 (0%)
volume:100%   repeat: off   random: off   single: off   consume: off
ERROR: Failed to open "sndio output" (sndio); Failed to open default sndio
device

dmesg:
https://pastebin.com/y5A81Cqh




Re: OpenBSD alternatives to Pi-Hole

2020-06-15 Thread Jon Tabor
On Fri, Jun 12, 2020 at 04:33:08PM -0700, Jordan Geoghegan wrote:
> 
> 
> On 2020-06-12 14:01, George wrote:
> > 
> > On 2020-06-12 3:41 p.m., Maurice McCarthy wrote:
> > > You could have a look at
> > > https://www.geoghegan.ca/unbound-adblock.html and
> > > https://www.geoghegan.ca/pfbadhost.html
> > 
> > Simply great! Will definitely try these out.
> > 
> > Merci!
> > 
> > George
> > 
> 
> Hey there,
> 
> I'm the author of those scripts. In response to concerns about
> heaviness/memory use of DNS blocklists: unbound-adblock is pretty light on
> memory (~30MB of RAM usage) as we serve NXDOMAIN responses instead of
> redirecting to 0.0.0.0 etc. By doing this we save a massive amount of memory
> that would otherwise be spent mapping each domain to a black hole address. I
> run unbound-adblock on many Edgerouter Lites and haven't had any issues.
> 
> Regards,
> 
> Jordan Geoghegan

I'm using these scripts (or a version of them; I've had them in for a
while), and it's using NXDOMAIN which loads way faster and uses a lot
less memory. I also slightly tweaked the script I have to include a
whitelist file, as my wife keeps finding sites that simply won't work
properly. It simply calls sed to remove lines from the
unbound-adhosts.conf file.

Works great. I also set up pf to redirect all DNS queries to my local
instance of unbound, so you can't easily bypass it (unless you use DNS
over HTTPS).

Jon Tabor
tab...@obsolete.site
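
The two things Jordan and Jon describe above, answering blocked names with NXDOMAIN instead of a 0.0.0.0 record, and pruning an unbound-adhosts.conf with sed from a whitelist, fit in a few shell functions. The block below is an added example written for this page; it is not the unbound-adblock script or Jon's modification of it. The blocklist and whitelist contents, the file names and the output path are constructed for the demo.

```shell
#!/bin/sh
# Added example: turn a hosts-format blocklist into unbound(8)
# "always_nxdomain" local-zones and strip whitelisted names with sed.
# Illustrative code, not the unbound-adblock script itself; file names
# and the sample data below are constructed for the demo.

# Write a small constructed blocklist and whitelist into directory $1.
make_samples() {
    dir=$1
    cat > "$dir/blocklist.txt" <<'EOF'
# hosts-format blocklist (constructed sample, not real data)
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net   # trailing comment
127.0.0.1 localhost
0.0.0.0 needed.example.org
0.0.0.0 ADS.EXAMPLE.COM
EOF
    cat > "$dir/whitelist.txt" <<'EOF'
# names that must keep resolving (constructed sample)
needed.example.org
EOF
}

# Emit one 'local-zone: "<name>" always_nxdomain' line per unique hostname.
# The address column is ignored: every listed name is answered NXDOMAIN,
# which is what keeps the memory footprint low compared with A records.
hosts_to_nxdomain() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            sub(/#.*/, "")              # drop trailing comments; re-splits $0
            name = tolower($2)
            if (name == "" || name == "localhost") next
            if (!seen[name]++)
                printf "local-zone: \"%s\" always_nxdomain\n", name
        }' "$1"
}

# Delete the zone line of every whitelisted name. Dots are escaped so that
# "a.example.org" cannot accidentally match "aXexample.org".
apply_whitelist() {
    conf=$1; wl=$2
    if [ ! -s "$wl" ]; then cat "$conf"; return; fi
    script=$(grep -v '^[[:space:]]*#' "$wl" | grep -v '^[[:space:]]*$' \
        | sed -e 's/[.]/\\./g' -e 's|.*|/^local-zone: "&" /d|')
    sed -e "$script" "$conf"
}

# Build $dir/unbound-adhosts.conf from the two input files.
build_adblock_conf() {
    dir=$1
    hosts_to_nxdomain "$dir/blocklist.txt" > "$dir/unbound-adhosts.conf.tmp"
    apply_whitelist "$dir/unbound-adhosts.conf.tmp" "$dir/whitelist.txt" \
        > "$dir/unbound-adhosts.conf"
    rm -f "$dir/unbound-adhosts.conf.tmp"
    # On a real gateway, run unbound-checkconf before reloading unbound.
}

# Number of zones in a generated file (a quick sanity metric).
count_zones() {
    grep -c '^local-zone: ' "$1"
}

# Stand-alone demo on the constructed sample.
d=$(mktemp -d)
make_samples "$d"
build_adblock_conf "$d"
cat "$d/unbound-adhosts.conf"
echo "zones: $(count_zones "$d/unbound-adhosts.conf")"
rm -rf "$d"
```

The generated file is meant to be pulled into the server section of unbound.conf with an include: line (the path is whatever you choose; the demo writes to a temporary directory). Whitelist matches are anchored on the whole zone name, so removing "example.org" does not also remove "ads.example.org"; add each name you want to unblock explicitly.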



Re: www unreachable

2020-06-15 Thread Henrik Krysteli Semark
It's not working in DK either.

Med Venlig Hilsen / Best Regards
Henrik Krysteli Semark
Mobil: +45 2633 1701

On 15/06/2020 13.01, Chris Bennett wrote:
> On Mon, Jun 15, 2020 at 12:19:09PM +0200, Anders Andersson wrote:
>> Are you saying it's working for you? Maybe you have a different route
>> to the website because it seems to be down on the Canadian side. I
>> presume you're in the US based on your domain name. :)
> No, it's not working for me either.
> I'm in Austin, TX and not working from my server in Chicago either.
>
> Chris Bennett
>
>



Re: OpenBSD Readonly File System

2020-06-15 Thread Nick Holland
On 2020-06-13 12:56, Todd C. Miller wrote:
> On Sat, 13 Jun 2020 12:12:05 -0400, Nick Holland wrote:
> 
>> On 2020-06-11 12:07, Strahil Nikolov wrote:
>> > I always thought that 'sync' mount option  is enough  to avoid
>> > corruption of the FS. Am I just "fooling" myself  ?
>>
>> As "sync" is the default...yes, I think you are.
> 
> Actually, by default only metadata is written synchronously.  The
> "sync" mount option causes data to be written synchronously too.
> Of course, the disk *itself* has a cache so even with synchronous
> writes you can't be sure the data has actually made it to the platter.
> 
> So yes, I agree that sync mounts are not really enough to help here.
> You are probably correct that softdep is better for this kind of
> thing since it does a better job of keeping the filesystem in a
> consistent state, at the cost of missing data when there is an
> unclean shutdown.  In theory, the on-device cache can still cause
> issues when you lose power though.

Thanks for the correction!  The really embarrassing thing is I even
checked the man page, but started from the incorrect assumption that
"async" and "sync" were the only two choices and read what I expected,
not what is actually on the page. 

Nick.



Re: www unreachable

2020-06-15 Thread Chris Bennett
On Mon, Jun 15, 2020 at 12:19:09PM +0200, Anders Andersson wrote:
> 
> Are you saying it's working for you? Maybe you have a different route
> to the website because it seems to be down on the Canadian side. I
> presume you're in the US based on your domain name. :)

No, it's not working for me either.
I'm in Austin, TX and not working from my server in Chicago either.

Chris Bennett




Re: www unreachable

2020-06-15 Thread Rasmus Liland
On 2020-06-15 10:53 +0100, Tom Smyth wrote:
> 
> It is not accessible from virgin media in Ireland either,
> not connecting on 80 or 443 TCP ... via telnet...
> dns is resolving

Not from Oslo, Norway either ...

traceroute to openbsd.org (129.128.5.194), 30 hops max, 60 byte packets
 8  nix-ix.core1.osl1.he.net (185.1.55.90)  1.117 ms  1.082 ms  1.117 ms
 9  100ge8-1.core1.sto1.he.net (184.105.64.229)  7.741 ms  7.704 ms  7.706 ms
10  100ge8-2.core1.ams1.he.net (184.105.65.125)  26.893 ms  27.931 ms  27.855 ms
11  100ge16-1.core1.lon2.he.net (72.52.92.213)  39.193 ms  32.692 ms  32.658 ms
12  * * 100ge13-2.core1.nyc4.he.net (72.52.92.166)  101.286 ms
13  100ge14-1.core1.tor1.he.net (184.105.80.10)  111.240 ms  110.175 ms  110.727 ms
14  100ge6-1.core1.ywg1.he.net (184.105.64.102)  131.352 ms  130.307 ms  129.769 ms
15  100ge5-2.core1.yxe1.he.net (184.104.192.70)  140.816 ms  138.105 ms  141.801 ms
16  100ge11-2.core1.yeg1.he.net (72.52.92.61)  145.821 ms  145.975 ms  145.742 ms
17  * university-of-alberta-sms.10gigabitethernet2-2.core1.yeg1.he.net (184.105.18.50)  149.379 ms  147.342 ms
18  cabcore-esqgw.corenet.ualberta.ca (129.128.255.35)  146.425 ms katzcore-esqgw.corenet.ualberta.ca (129.128.255.41)  147.156 ms  148.021 ms
19  * * *
20  * * *
21  * * *
22  obsd3.srv.ualberta.ca (129.128.5.194)  858.107 ms  743.906 ms  743.194 ms




Re: www unreachable

2020-06-15 Thread Anders Andersson
On Mon, Jun 15, 2020 at 11:45 AM Chris Bennett wrote:
>
> On Mon, Jun 15, 2020 at 09:43:03AM +0200, Thomas de Grivel wrote:
> > Hello,
> >
> > http://www.openbsd.org is unreachable.
> >
> > I wanted to know what's new in the current snapshots ?
> >
>
> I'm not sure about the website. You might have local DNS problems.
> Use dig to get the IP address (from a big nameserver like 8.8.8.8)
> and skip that problem.
>
> If you mean the current -release, yes the website is simplest in
> general terms only.
>
> If you mean -current, then the mailing lists and CVS are the right
> places to look. misc@ isn't very helpful, but tech@, etc. are excellent.
>
>
> DNS has problems in some places in the world. Usually just for hours.
> Annoying, but sites like OpenBSD have stable IP's and knowing that
> solves the problem quickly.
> If the site has a problem, someone else can clarify that.
>
> Chris Bennett

Are you saying it's working for you? Maybe you have a different route
to the website because it seems to be down on the Canadian side. I
presume you're in the US based on your domain name. :)



Re: www unreachable

2020-06-15 Thread Paco Esteban
On Mon, 15 Jun 2020, Chris Bennett wrote:

> On Mon, Jun 15, 2020 at 09:43:03AM +0200, Thomas de Grivel wrote:
> > Hello,
> > 
> > http://www.openbsd.org is unreachable.
> > 
> > I wanted to know what's new in the current snapshots ?
> > 
> 
> I'm not sure about the website. You might have local DNS problems.
> Use dig to get the IP address (from a big nameserver like 8.8.8.8)
> and skip that problem.
> 
> If you mean the current -release, yes the website is simplest in
> general terms only.
> 
> If you mean -current, then the mailing lists and CVS are the right
> places to look. misc@ isn't very helpful, but tech@, etc. are excellent.
> 
> 
> DNS has problems in some places in the world. Usually just for hours.
> Annoying, but sites like OpenBSD have stable IP's and knowing that
> solves the problem quickly.
> If the site has a problem, someone else can clarify that.
> 
> Chris Bennett

It seems to be non-reachable indeed.  As far as I can see it is not a DNS
issue.  And most likely whoever needs to know already knows.

If you need to access the website you have 2 easy options:

* clone the www cvs source repository and serve it locally (via local
  httpd or just a simple `python3 -m http.server`).  Best option in my
  opinion.

* use a mirror.  Recently solene@ built one for circumstances like this:
https://perso.pw/www.openbsd.org/
  And here's another one managed by clematis:
https://openbsd.clemat.is/

Keep in mind that those mirrors are not official and may be out of sync.

Cheers,

-- 
Paco Esteban.
0x5818130B8A6DBC03



Re: www unreachable

2020-06-15 Thread Tom Smyth
It is not accessible from virgin media in Ireland either,
not connecting on 80 or 443 TCP ... via telnet...
dns is resolving
Tracing route to openbsd.org [129.128.5.194]
over a maximum of 30 hops:
  4     8 ms     5 ms     7 ms  109.255.249.254
  5    28 ms    23 ms    22 ms  84.116.239.10
  6    17 ms    17 ms    16 ms  84.116.238.62
  7     *        *        *     Request timed out.
  8    16 ms    17 ms    18 ms  84.116.135.46
  9    23 ms    21 ms    20 ms  84.116.135.69
 10    19 ms    19 ms    34 ms  216.66.80.117
 11    85 ms    85 ms    82 ms  72.52.92.166
 12    95 ms    95 ms    97 ms  184.105.80.10
 13   115 ms   117 ms   115 ms  184.105.64.102
 14   122 ms   122 ms   123 ms  184.104.192.70
 15   133 ms   134 ms   131 ms  72.52.92.61
 16   130 ms   130 ms   130 ms  184.105.18.50
 17   135 ms   128 ms   129 ms  129.128.255.41
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21   133 ms   189 ms   741 ms  129.128.5.194

On Mon, 15 Jun 2020 at 10:50, Chris Bennett wrote:

> On Mon, Jun 15, 2020 at 09:43:03AM +0200, Thomas de Grivel wrote:
> > Hello,
> >
> > http://www.openbsd.org is unreachable.
> >
> > I wanted to know what's new in the current snapshots ?
> >
>
> I'm not sure about the website. You might have local DNS problems.
> Use dig to get the IP address (from a big nameserver like 8.8.8.8)
> and skip that problem.
>
> If you mean the current -release, yes the website is simplest in
> general terms only.
>
> If you mean -current, then the mailing lists and CVS are the right
> places to look. misc@ isn't very helpful, but tech@, etc. are excellent.
>
>
> DNS has problems in some places in the world. Usually just for hours.
> Annoying, but sites like OpenBSD have stable IP's and knowing that
> solves the problem quickly.
> If the site has a problem, someone else can clarify that.
>
> Chris Bennett
>
>
>

-- 
Kindest regards,
Tom Smyth.


Re: www unreachable

2020-06-15 Thread Chris Bennett
On Mon, Jun 15, 2020 at 09:43:03AM +0200, Thomas de Grivel wrote:
> Hello,
> 
> http://www.openbsd.org is unreachable.
> 
> I wanted to know what's new in the current snapshots ?
> 

I'm not sure about the website. You might have local DNS problems.
Use dig to get the IP address (from a big nameserver like 8.8.8.8)
and skip that problem.

If you mean the current -release, yes the website is simplest in
general terms only.

If you mean -current, then the mailing lists and CVS are the right
places to look. misc@ isn't very helpful, but tech@, etc. are excellent.


DNS has problems in some places in the world. Usually just for hours.
Annoying, but sites like OpenBSD have stable IP's and knowing that
solves the problem quickly.
If the site has a problem, someone else can clarify that.

Chris Bennett




Re: Thoughts or links on optimally secure defaults for pf.conf and fstab, whilst aiming to minimise support issues.

2020-06-15 Thread Stuart Henderson
On 2020-06-14, Kevin Chadwick  wrote:
> We are basing the server part of our products on OpenBSD.
>
> We care more about reducing support issues than say performance.
>
> We will have batteries but I hope to deploy some kind of root partition
> redundancy, for upgrades.

You'll need to cope with /usr for upgrades too, OpenBSD breaks binary
compatibility fairly often (mostly system call changes - at a guess roughly
every 2-3 releases - and some other things like the arm and aarch64 abi change
last autumn). You can't expect an old kernel to work with new userland and
vice-versa.

> However, Is sync or softdep a better default for the best chance of avoiding
> manual fsck/support issues?

Probably softdep, but it brings its own issues. Transient storage io
faults (disk slow to respond) which might correct themselves without
softdep often cause the machine to crash with softdep, and it has to
store the filesystem changes in memory before it writes them out, which
can be a problem if memory is already tight.

> Turns out the issue that I had on pkg_add/ftp, that seemed to be eliminated by
> switching to 3g was somehow, a short lived reprieve and was more to do with
> re-assembly settings that had worked for me flawlessly, for years on a
> landline.
>
> I believe scrub had no-df before and I am now using without issue, so far.
>
> set reassemble yes no-df
> match scrub (random-id max-mss 1389)
>
> Should I drop the no-df from set reassemble? Any other recommendations
> welcome?

If you have mixed MTUs (e.g. forwarding packets from an ethernet interface over
some ppp/vpn/encapsulated links which can't handle 1500 byte packets) then for
some traffic (connecting to sites with broken firewalls that block all ICMP)
you may need no-df on the scrub rule.

From the description in pf.conf(5), no-df on "set reassemble" is something else;
can't say I've ever needed to use that.

> Any thoughts or links on the most secure pf.conf that remains being compatible
> with any network?

"block" :)




www unreachable

2020-06-15 Thread Thomas de Grivel
Hello,

http://www.openbsd.org is unreachable.

I wanted to know what's new in the current snapshots ?

-- 
 Thomas de Grivel
 kmx.io