Re: [SPAM] Re: re-create certs server/laptop both OpenBSD 7.3

2023-08-14 Thread latincom
> On 2023-08-14, latin...@vcn.bc.ca  wrote:
>> Something magic had happened after reboot! ikev2 is working
>
> iked/isakmpd keys are created at boot if they don't exist.
>
>> BTW at the
>> client i can not use Web Browser?, the ssh connection did not stop
>> working.
>
> 

Hello Stuart

The situation is that, while connected with ikev2 to my server, ssh is not
disconnected as with Wireguard, but it is supposed that all traffic should
go by ikev2!

I am looking at pf.conf, but I cannot imagine how to send lo1/enc0 by ikev2.

>
> If you're able to fetch small pages over http (*not* https), such as
> http://www.openbsd.org/grp-tmpl.txt, then you probably have an
> MTU (packet size) problem, if so then you could try something
> like this near the top of pf.conf to cap the size of TCP packets
> as a workaround (make sure you don't use "set skip on enc0" for
> this to be used)
>
> match on enc0 scrub (max-mss 1300 no-df)
>
> --
> Please keep replies on the mailing list.
>

No, everything goes by normal IP, not by ikev2.

thanks.





Re: Assistance Needed with Wireguard VPN Configuration and pf Rules on OpenBSD 7.3

2023-08-14 Thread Matthew Ernisse

On Mon, Aug 14, 2023 at 05:54:55PM +0530, SOUBHEEK NATH said:


> 2. Please have a look at the configuration I have implemented.
>
> pass in quick on wg0 proto tcp from 10.0.8.3/32 to any port {22 80}
> block in on wg0 proto tcp from any to any port {22 80}
> block in quick on bwfm0 proto tcp from any to any port {22 80}

[ snip ]

>   I. I use the word "quick" in the first line to prevent the "block"
>   rules in the second line from taking precedence over it.


In general I prefer in my pf ruleset to block first and then explicitly 
allow things through.  I find this causes far fewer mistakes.  The very
first rule in my ruleset is:


``block log all label "Default block"''

I try to avoid ``quick'' rules unless there is a really good reason to 
use them.  They can introduce some unintended side-effects if you aren't 
careful and if you find yourself using many of them you probably should 
re-think your rules.  For example, directly after the default block I also 
block bogon IP addresses from my WAN interface and I do it with quick so I
don't accidentally unblock them later:


``block drop in quick log on egress inet from  to any''

(I have a table populated with bogon addresses)

You may wish to review the PF handbook, the filter section seems a good 
place to start.


https://www.openbsd.org/faq/pf/filter.html

--
Please direct replies to the list.



Re: My /usr cleaning campaign..

2023-08-14 Thread Daniele B.


Here again,

I took a spare stick, I did a copy of the system and I did the moving
thing as suggested.

The biggest available partition was 3gb. I moved /usr there and I left
/usr/local on the original 10gb partition.

Tested: the system runs fine.

My concerns are now on the new /usr partition

Size    Used   Avail Capacity  Mounted on
3.0G    2.6G    270M    91%    /usr

I think with this disk layout I'm no longer able to do a sysupgrade, or
am I wrong? /usr must have almost 1.1gb available, by memory?

If this is confirmed, I think it is better to stay with all my /usr on the
10gb partition as per my original layout?


--Daniele Bonini


Jan Stary  wrote:

> On Aug 13 04:37:25, my2...@has.im wrote:
> > - /usr/local/share/gtk-doc (=131MB), html doc completed of some vary
> >   .png files..  I guess this could be not only an endemic problem
> > of my stick as gtk-doc is not installed here: I'm not in the need
> > of GTK C code documentation
> > - /usr/local/share/doc (=118MB)  
> 
> So you have /usr/local under the /usr filesystem.
> Make /usr/local separate. Chances are that's what's
> filling your /usr, which by itself is pretty small.
> 
> > - what about /usr/local/share/gir-1.0 (70M) ?  
> 
> If you worry about 70MB dirs, you are wasting your time,
> and everyone else's.  Just reinstall /usr/local on a separate
> 10GB partition and be done with it. It costs almost nothing.
> 
> > I'd like almost to delete ./gtk-doc and move ./doc to eg. /home/
> > (with sensibly more space) with a link to among the toppings.. ;D  
> 
> Stop wasting time.
> 



Re: Mouse not working via KVM switch

2023-08-14 Thread Daniele B.
The ghost driver for the mouse receiver of your Aten KVM is not supported by
OpenBSD; if you want to keep the switch you have to go for a wired mouse.

-- Daniele Bonini

Aug 14, 2023 19:39:52 Karel Lucas :

> HI all,
> On a recent install of openBSD I can't get the mouse to work through my KVM 
> switch. I work with various computers via a KVM switch on 1 monitor with a 
> keyboard/mouse combination. Only on the PC with openBSD the mouse does not 
> work, the keyboard on the other hand works fine. Both are connected to the 
> KVM switch via USB, and the switch via USB to the computers. The brand of the 
> mouse is Logitech. Does anyone know why the mouse doesn't work, but the 
> keyboard does?



Re: Shotwell

2023-08-14 Thread Raymond, David
Rafael,

Thanks for replying about this.  I have already set the permissions
and uploading pictures to shotwell (which apparently uses libgphoto)
used to work.

However, I discovered a workaround.  On the phone when setting up the
usb connection, first click "no file transfer" then click "file
transfer" and shotwell then loads the pictures. This may be a
peculiarity of Pixel phones or Android 13 which libgphoto doesn't
understand -- some initialization issue.

Dave Raymond

On 8/7/23, Rafael Sadowski  wrote:
> On Sun Jul 30, 2023 at 03:06:26PM -0600, Raymond, David wrote:
>> Hello,
>>
>> I am trying to import photos using Shotwell over a usb connection with
>> the file transfer option. When I connect my phone to the usb port with
>> Shotwell running and select this option, Shotwell recognizes the phone
>> but says that there are no photos to transfer.  The transfer works on
>> Arch Linux.
>>
>> Am I missing something?  Some kind of permissions?  The phone is a
>> Pixel 7 and I am running openbsd 7.3 stable.  I had the problem with
>> 7.2 as well, but things worked before (I think with an earlier pixel
>> phone).
>>
>> --
>> David J. Raymond
>> david.raym...@nmt.edu
>> http://kestrel.nmt.edu/~raymond
>>
>
> I'm not a Shotwell user but it works with libgphoto. You may wish to
> read /usr/local/share/doc/pkg-readmes/libgphoto
>
> Rafael
>


-- 
David J. Raymond
david.raym...@nmt.edu
http://kestrel.nmt.edu/~raymond



Re: Unable to add packages

2023-08-14 Thread Gabor LENCSE

Hi,

On 8/14/2023 7:21 PM, Karel Lucas wrote:

> Hi all,
> Entered on a fresh install of openBSD : pkg_add bash. I got the
> following error: ftp: ftp.nluug.nl/pub/OpenBSD: no address associated
> with name.


Does your Internet access (including DNS resolution) work correctly?

Did you try another mirror?

Best regards,

Gábor




Mouse not working via KVM switch

2023-08-14 Thread Karel Lucas

HI all,
On a recent install of openBSD I can't get the mouse to work through my 
KVM switch. I work with various computers via a KVM switch on 1 monitor 
with a keyboard/mouse combination. Only on the PC with openBSD the mouse 
does not work, the keyboard on the other hand works fine. Both are 
connected to the KVM switch via USB, and the switch via USB to the 
computers. The brand of the mouse is Logitech. Does anyone know why the 
mouse doesn't work, but the keyboard does?




Unable to add packages

2023-08-14 Thread Karel Lucas

Hi all,
Entered on a fresh install of openBSD : pkg_add bash. I got the 
following error: ftp: ftp.nluug.nl/pub/OpenBSD: no address associated 
with name. Not too long ago I did this on another machine and it worked. 
The correct site is listed in /etc/installurl: 
https://ftp.nluug.nl/pub/OpenBSD. Can someone give me a tip on how to 
solve this?




Re: My /usr cleaning campaign..

2023-08-14 Thread Jan Stary
On Aug 13 04:37:25, my2...@has.im wrote:
> - /usr/local/share/gtk-doc (=131MB), html doc completed of some vary
>   .png files..  I guess this could be not only an endemic problem of my
>   stick as gtk-doc is not installed here: I'm not in the need of GTK C
>   code documentation
> - /usr/local/share/doc (=118MB)

So you have /usr/local under the /usr filesystem.
Make /usr/local separate. Chances are that's what's
filling your /usr, which by itself is pretty small.

> - what about /usr/local/share/gir-1.0 (70M) ?

If you worry about 70MB dirs, you are wasting your time,
and everyone else's.  Just reinstall /usr/local on a separate
10GB partition and be done with it. It costs almost nothing.

> I'd like almost to delete ./gtk-doc and move ./doc to eg. /home/ (with
> sensibly more space) with a link to among the toppings.. ;D

Stop wasting time.



Re: Assistance Needed with Wireguard VPN Configuration and pf Rules on OpenBSD 7.3

2023-08-14 Thread SOUBHEEK NATH
Hello,

The solution you both provided, worked well.

1. I do not use nano! I use the vi editor for my tasks.

2. Please have a look at the configuration I have implemented.

 pass in quick on wg0 proto tcp from 10.0.8.3/32 to any port {22 80}
 block in on wg0 proto tcp from any to any port {22 80}
 block in quick on bwfm0 proto tcp from any to any port {22 80}

   This configuration is functioning well and your suggestions have
   greatly assisted me in achieving it.

   I would like to discuss my insights on this configuration and would
   appreciate your feedback on it.

   I. I use the word "quick" in the first line to prevent the "block"
   rules in the second line from taking precedence over it.
   II. The second line effectively prevents any devices in the wireguard
   network from accessing ports 22 and 80. However, because the 'quick'
   command is used in the first line, the rule in the first line takes
   precedence and allows access to ports 22 and 80 for the machine with
   IP address 10.0.8.3.
   III. The third line is used to prevent any devices outside of the
   wireguard network from accessing ports 22 and 80.

I appreciate the time and effort you dedicated to this. Thank you so
much.
--
Soubheek Nath
Fifth Estate
Kolkata, India
soubheekn...@gmail.com

On Mon, Aug 14, 2023 at 7:35 AM lain.  wrote:
>
> On 2023-08-13 12:17, Stuart Henderson wrote:
> > >https://www.vultr.com/docs/install-wireguard-vpn-server-on-openbsd-7-0/
> >
> > what a mess of things from the base OS and unneeded third-party tools.
> >
> List of tools:
> wireguard-tools (required), nano (vim would have been enough), and the
> rest is everything OpenBSD ships with.
> Oh the horror, that's far too much, the sky is falling!
>
> > > On Sun, Aug 13, 2023 at 7:04 AM lain.  wrote:
> > >>
> > >> I failed to come up with reasons for using a preshared key, so I've let
> > >> ChatGPT generate reasons for me:
> >
> > oh $deitt please do not.
> >
> What matters is not who or what answered, what matters is the answer,
> and the answer it provided is good, but I guess autists gonna autist.
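
The `quick` and last-match behaviour discussed in this thread (the block-first advice and the three-rule explanation above), as an added Python model that is not pf itself and not code from any poster. It covers inbound TCP only and evaluates the three posted rules on their own, without the rest of anyone's pf.conf; the names `Rule`, `verdict`, `NO_QUICK` and `BLOCK_FIRST` and every address other than 10.0.8.3 are constructed for illustration.

```python
# Toy model of pf filter evaluation for inbound TCP: the last matching rule
# wins, unless a matching rule is marked `quick`, which ends evaluation.
# Added illustration only; not pf and not code from the thread.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    iface: Optional[str] = None      # None matches any interface
    src: str = "0.0.0.0/0"           # source network ("any" by default)
    ports: frozenset = frozenset()   # empty set matches any port
    quick: bool = False

    def matches(self, iface: str, src: str, port: int) -> bool:
        return ((self.iface is None or self.iface == iface)
                and ip_address(src) in ip_network(self.src)
                and (not self.ports or port in self.ports))

def verdict(rules, iface, src, port):
    result = "pass"                  # pf passes a packet that matches no rule
    for rule in rules:
        if rule.matches(iface, src, port):
            result = rule.action
            if rule.quick:
                break
    return result

P = frozenset({22, 80})
# The three rules posted in the thread.
THREAD_RULES = [
    Rule("pass", "wg0", "10.0.8.3/32", P, quick=True),
    Rule("block", "wg0", ports=P),
    Rule("block", "bwfm0", ports=P, quick=True),
]
# Same rules with `quick` dropped from the first: the later block wins.
NO_QUICK = [Rule("pass", "wg0", "10.0.8.3/32", P)] + THREAD_RULES[1:]
# Block-first style: default block, then one explicit pass, no `quick`.
BLOCK_FIRST = [Rule("block"), Rule("pass", "wg0", "10.0.8.3/32", P)]

if __name__ == "__main__":
    # Constructed sample packets: (interface, source address, port).
    for pkt in [("wg0", "10.0.8.3", 22), ("wg0", "10.0.8.7", 22),
                ("bwfm0", "203.0.113.5", 80), ("bwfm0", "203.0.113.5", 443)]:
        print(pkt, verdict(THREAD_RULES, *pkt), verdict(NO_QUICK, *pkt),
              verdict(BLOCK_FIRST, *pkt))
```

With only the three posted rules, a connection to port 443 on bwfm0 matches nothing and falls through to the implicit pass, while the block-first ruleset denies it.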



Re: [SPAM] Re: re-create certs server/laptop both OpenBSD 7.3

2023-08-14 Thread Stuart Henderson
On 2023-08-14, latin...@vcn.bc.ca  wrote:
> Something magic had happened after reboot! ikev2 is working

iked/isakmpd keys are created at boot if they don't exist.

> BTW at the
> client i can not use Web Browser?, the ssh connection did not stop
> working.



If you're able to fetch small pages over http (*not* https), such as
http://www.openbsd.org/grp-tmpl.txt, then you probably have an
MTU (packet size) problem, if so then you could try something
like this near the top of pf.conf to cap the size of TCP packets
as a workaround (make sure you don't use "set skip on enc0" for
this to be used)

match on enc0 scrub (max-mss 1300 no-df)

-- 
Please keep replies on the mailing list.