ipsec.conf parsing

2014-03-19 Thread Zé Loff
As far as I can tell, if a commented line on ipsec.conf ends with \
then the following line will also be considered a comment (if the next
line also ends with \ the commenting is propagated). For example

  #ike esp from A.A.A.A to C.C.C.C \
  ike esp from A.A.A.A to B.B.B.B \
srcid foo.example.com dstid bar.example.com

is treated as a commented block, instead of setting up a tunnel from
A.A.A.A to B.B.B.B. I find this a bit surprising...

What should be fixed: the parser, ipsec.conf.5 or my expectations?

All the best
Zé

-- 



Re: ipsec.conf parsing

2014-03-19 Thread mathieu . blanc
On Wed, Mar 19, 2014 at 10:22:43AM +, Zé Loff wrote:
 As far as I can tell, if a commented line on ipsec.conf ends with \
 then the following line will also be considered a comment (if the next
 line also ends with \ the commenting is propagated). For example
 
   #ike esp from A.A.A.A to C.C.C.C \
   ike esp from A.A.A.A to B.B.B.B \
 srcid foo.example.com dstid bar.example.com
 
 is treated as a commented block, instead of setting up a tunnel from
 A.A.A.A to B.B.B.B. I find this a bit surprising...
 
 What should be fixed: the parser, ipsec.conf.5 or my expectations?
 

Don't know what should be fixed, but it's exactly the same thing in pf.conf

--
mabla



Re: A small package browser

2014-03-19 Thread Thomas Adam
On 19 March 2014 01:56, marst mario@videotron.ca wrote:
 Really, nothing out of the ordinary...

 Been working lately on a simple OpenBSD package browser.  No extensive
 graphics, works from the terminal with navigation similar to vim.  I do this
 for fun.  I find it convenient for exploring existing packages.

 Small description and screenshot available here.
 http://mariostg.blogspot.ca/2014/03/openbsd-sqlport-browser.html

Interesting.  There's also pkg_mgr:  http://dawn.rhaalovely.net/pkg_mgr/

-- Thomas Adam



Re: OpenBSD email provider

2014-03-19 Thread Stuart Henderson
On 2014-03-18, Giancarlo Razzolini grazzol...@gmail.com wrote:
But, with a very small ttl on
 the dns record (I use 60 seconds), this risk can be reduced.

you have more trust in ISP DNS servers honouring TTLs than I do.

if you can only get a dynamic IP at home and would like to host mail
there yourself, in a machine which only you have physical access to,
etc. (i.e. do *not* want to keep your email archive on a VPS), you
could rent a VPS and use it as a tunnel endpoint instead.



Re: ipsec.conf parsing

2014-03-19 Thread Stuart Henderson
On 2014-03-19, Zé Loff zel...@zeloff.org wrote:
 As far as I can tell, if a commented line on ipsec.conf ends with \
 then the following line will also be considered a comment (if the next
 line also ends with \ the commenting is propagated). For example

   #ike esp from A.A.A.A to C.C.C.C \
   ike esp from A.A.A.A to B.B.B.B \
 srcid foo.example.com dstid bar.example.com

 is treated as a commented block, instead of setting up a tunnel from
 A.A.A.A to B.B.B.B. I find this a bit surprising...

 What should be fixed: the parser, ipsec.conf.5 or my expectations?

Manpages for all the programs using parse.y were supposed to have unified
text about multiline comment handling, but I missed ipsec.conf(5) when
I changed the others (back in 2011). ipsec.conf(5) is now fixed, thanks.



Re: obsd pf

2014-03-19 Thread Stuart Henderson
On 2014-03-18, Marko Cupać marko.cu...@mimar.rs wrote:
 On Tue, 18 Mar 2014 01:15:16 + (UTC)
 Stuart Henderson s...@spacehopper.org wrote:

 The ruleset is now traversed in order, changes made in match rules
 are sticky and affect rules lower down in the ruleset. More
 predictable, no more oh this 'nat pass' rule which you included
 halfway down the ruleset actually takes effect before the
 'block quick' rule right at the top... so besides allowing for
 cleaner rulesets, you could say it's a security fix too.

 I am using new syntax for years now, and although there are a lot of
 improvements, there is also downside.

 I have /24 public network, where I need to have one catch all NAT
 rule, but also exceptions (smtp servers translate to other public IPs,
 vpn clients to their own public IPs etc).

 If I have a lot of subnets behind NAT firewall, I need to specify them
 all for catch all NAT rule, listing exceptions (this is of course
 shortened, actually I need to declare 100 or so networks and dozens of
 exceptions):

 table catchallnat { 10.20.69.0/24 10.43.26.0/22 \
   !10.20.69.15 !10.43.26.29 }
 smtp = { 10.20.69.15 }
 vpn  = { 10.43.26.29 }
 ...
 match out on $ext_if inet from catchallnat to any nat-to $catchallnat
 match out on $ext_if inet from $smtp to any nat-to $smtp-nat
 match out on $ext_if inet from $vpn  to any nat-to $vpn-nat

 I don't know if there would be negative consequences for other pf
 aspects, but for me it would be better if more specific match rules
 overrided more general match rules. This way I would not have to
 maintain catchallnat table with list of subnets and exceptions.

Just put your catchall rule *after* the others.

|   Subsequent rules will see packets as they look
|   after any addresses and ports have been translated. 
^



Re: ipsec.conf parsing

2014-03-19 Thread Jean-Philippe Ouellet
On 3/19/14 6:22 AM, Zé Loff wrote:
 As far as I can tell, if a commented line on ipsec.conf ends with \
 then the following line will also be considered a comment (if the next
 line also ends with \ the commenting is propagated). For example
 
   #ike esp from A.A.A.A to C.C.C.C \
   ike esp from A.A.A.A to B.B.B.B \
 srcid foo.example.com dstid bar.example.com
 
 is treated as a commented block, instead of setting up a tunnel from
 A.A.A.A to B.B.B.B. I find this a bit surprising...
 
 What should be fixed: the parser, ipsec.conf.5 or my expectations?
 
 All the best
 Zé
 

In my totally-not-in-depth analysis (I don't have much time before
I need to run to class), it seems to be because lgetc
(src/sbin/pfctl/parse.y line 5556) pastes \\\n together, which
happens before lines are evaluated for comments in yylex on
line 5655, which calls the not-comment-aware lgetc which just blindly
joins lines ending with \ making it appear to the comment-evaluating
code that the whole thing is indeed one line that begins with a comment.

I'm not sure if that's the desired behavior. fparseln(3) behaves in
the way you probably expected, so I'm inclined to say that it isn't.
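
Added example (not part of the original posts, and not code from parse.y): a small Python model of the two orderings discussed in this thread, plus a check that reports live-looking lines swallowed by a commented line ending in `\`. It is a simplification that treats any `#` as a comment start and ignores quoting; the function names and the D.D.D.D rule are made up for the illustration.

```python
"""Model of '#' comments vs. trailing-backslash continuation (added example)."""

# Constructed sample: the three lines from the post plus one hypothetical rule.
SAMPLE = (
    "#ike esp from A.A.A.A to C.C.C.C \\\n"
    "ike esp from A.A.A.A to B.B.B.B \\\n"
    "\tsrcid foo.example.com dstid bar.example.com\n"
    "ike esp from A.A.A.A to D.D.D.D\n"
)


def join_then_strip(text):
    """Ordering described in the thread: backslash-newline pairs are removed
    first, then a '#' comment runs to the end of the joined line."""
    rules = []
    for logical in text.replace("\\\n", "").split("\n"):
        stmt = " ".join(logical.split("#", 1)[0].split())
        if stmt:
            rules.append(stmt)
    return rules


def strip_then_join(text):
    """Ordering the poster expected: a comment ends at the end of its own
    physical line, and only what is left can be continued by a backslash."""
    rules, pending = [], ""
    for physical in text.split("\n"):
        body = physical.split("#", 1)[0]
        if body.endswith("\\"):
            pending += body[:-1]          # keep collecting the statement
            continue
        stmt = " ".join((pending + body).split())
        pending = ""
        if stmt:
            rules.append(stmt)
    if pending.strip():                   # file ended in a continuation
        rules.append(" ".join(pending.split()))
    return rules


def find_swallowed(text):
    """Report (comment_line, swallowed_line, content) for every line that a
    comment ending in a backslash pulls into the comment. Swallowed lines
    that are themselves comments are not reported: nothing is lost there."""
    findings = []
    in_comment, origin = False, None
    for number, line in enumerate(text.split("\n"), 1):
        continued = line.endswith("\\")
        if in_comment:
            content = line.rstrip("\\").strip()
            if content and not content.startswith("#"):
                findings.append((origin, number, content))
            in_comment = continued        # the comment may keep propagating
        elif "#" in line and continued:
            in_comment, origin = True, number
    return findings


if __name__ == "__main__":
    print("join first :", join_then_strip(SAMPLE))
    print("strip first:", strip_then_join(SAMPLE))
    for origin, number, content in find_swallowed(SAMPLE):
        print(f"line {number} is commented out by line {origin}: {content}")
```

Since pf.conf behaves the same way according to the earlier reply, the same check applies there, where a swallowed line could be a filter rule rather than a tunnel definition.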



Setup a RAID

2014-03-19 Thread Matias Moreno Meringer
Hi!

Have a 5.4 currently installed in sd0 and want to build a softraid1 to use
the disk in conjunction with a secondary sd1.

I know a way to build the raid at installation point, but not sure how to
do it after the installation without reinstalling. Is it possible?

Thanks,
Matias.-



Re: Setup a RAID

2014-03-19 Thread Nick Holland
On 03/19/14 09:30, Matias Moreno Meringer wrote:
 Hi!
 
 Have a 5.4 currently installed in sd0 and want to build a softraid1 to use
 the disk in conjunction with a secondary sd1.
 
 I know a way to build the raid at installation point, but not sure how to
 do it after the installation without reinstalling. Is possible?
 
 Thanks,
 Matias.-
 

depends...if you left unallocated disk space sufficient to build a new
RAID partition and copy your data over, sure.

Otherwise, it is rebuild from scratch.

Nick.



Re: Setup a RAID

2014-03-19 Thread Josh Grosse

On 2014-03-19 09:31, Matias Moreno Meringer wrote:

Hi!

Have a 5.4 currently installed in sd0 and want to build a softraid1 to use
the disk in conjunction with a secondary sd1.

I know a way to build the raid at installation point, but not sure how to
do it after the installation without reinstalling. Is possible?


You cannot convert an existing FFS filesystem into a softraid(4) array 
without backup and restore steps, because the array stores its metadata 
in the leading sectors.  The FFS filesystem within a RAID virtual sd(4) 
device has a different LBA starting sector on the backing storage.




Re: Setup a RAID

2014-03-19 Thread Matias Moreno Meringer
On Wed, Mar 19, 2014 at 10:48 AM, Josh Grosse j...@jggimi.homeip.net wrote:

 On 2014-03-19 09:31, Matias Moreno Meringer wrote:

 Hi!

 Have a 5.4 currently installed in sd0 and want to build a softraid1 to use
 the disk in conjunction with a secondary sd1.

 I know a way to build the raid at installation point, but not sure how to
 do it after the installation without reinstalling. Is possible?


 You cannot convert an existing FFS filesystem into a softraid(4) array
 without backup and restore steps, because the array stores its metadata in
 the leading sectors.  The FFS filesystem within a RAID virtual sd(4) device
 has a different LBA starting sector on the backing storage.


Get it. Thanks.-



Trouble with connect to www.aeroflot.ru

2014-03-19 Thread Leonov Aleksey

Hi folks,

I can't connect to www.aeroflot.ru from lynx on openbsd 5.4. I can connect
from gentoo, windows. Can anybody connect to wwe.aeroflot.ru from openbsd 5.4?

-- Aleksey Leonov



Re: Trouble with connect to www.aeroflot.ru

2014-03-19 Thread Marcus MERIGHI
gimliandcomp...@gmail.com (Leonov Aleksey), 2014.03.19 (Wed) 15:07 (CET):
 I can`t  connect to www.aeroflot.ru from lynx on openbsd 5.4. I can
 connect from gentoo, windows. Anybody can connect to wwe.aeroflot.ru
 from openbsd 5.4?

OpenBSD 5.5-beta (GENERIC.MP) #284: Mon Feb  3 07:57:32 MST 2014

ftp -o aeroflot.html www.aeroflot.ru 
Trying 195.8.62.76...
Connected to www.aeroflot.ru.
421 Service not available, remote server has closed connection.

Bye, Marcus



Re: Trouble with connect to www.aeroflot.ru

2014-03-19 Thread Leonov Aleksey

On 19.03.2014 20:32, Marcus MERIGHI wrote:

gimliandcomp...@gmail.com (Leonov Aleksey), 2014.03.19 (Wed) 15:07 (CET):

I can`t  connect to www.aeroflot.ru from lynx on openbsd 5.4. I can
connect from gentoo, windows. Anybody can connect to wwe.aeroflot.ru
from openbsd 5.4?

OpenBSD 5.5-beta (GENERIC.MP) #284: Mon Feb  3 07:57:32 MST 2014

ftp -o aeroflot.html www.aeroflot.ru
Trying 195.8.62.76...
Connected to www.aeroflot.ru.
421 Service not available, remote server has closed connection.

Bye, Marcus



Thank you Marcus!
I try http, not ftp. The http connect from openbsd to aeroflot.ru ends with a
timeout. In tcpdump I see sync, but do not get an ack from aeroflot.ru. From
windows I can get aeroflot.ru.


--  Aleksey Leonov



softraid(4)/bioctl(8) vs. non-512-byte sectors disks

2014-03-19 Thread Marcus MERIGHI
Reference:
``Softraid 3TB Problems''
http://marc.info/?l=openbsd-misc&m=136225193931620

Difference: 
My HDDs show up as 4096 bytes/sector in dmesg.

Short:
Are there any options for disks that come with 4096 bytes/sector to use
with softraid(4)/bioctl(8)?

Long:

So I got these lovely large disks:

DMESG (full one at the end):

umass4 at uhub5 port 4 configuration 1 interface 0 Intenso USB 3.0
  Device rev 2.10/1.00 addr 9
umass4: using SCSI over Bulk-Only
scsibus5 at umass4: 2 targets, initiator 0
sd5 at scsibus5 targ 1 lun 0: Intenso, USB 3.0 Device, 0 SCSI4
  0/direct fixed serial.174c55aa22DF
sd5: 2861588MB, 4096 bytes/sector, 732566646 sectors

I suppose right above is my problem?

FDISK:

Disk: sd5   geometry: 45600/255/63 [732566646 4096-byte Sectors]
Offset: 0   Signature: 0xAA55
Starting Ending LBA Info:
 #: id  C   H   S -  C   H   S [   start:size ]
---
 0: 00  0   0   0 -  0   0   0 [   0:   0 ]
  unused  
 1: 00  0   0   0 -  0   0   0 [   0:   0 ]
  unused  
 2: 00  0   0   0 -  0   0   0 [   0:   0 ]
  unused  
*3: A6  0   1   2 -  45599 254  63 [  64:   732563936 ]
  OpenBSD 

DISKLABEL:

# /dev/rsd5c:
type: SCSI
disk: SCSI disk
label: whoknows
duid: 470974d3647801b8
flags:
bytes/sector: 4096
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 45600
total sectors: 732566646
boundstart: 64
boundend: 732564000
drivedata: 0 

16 partitions:
#                size           offset  fstype [fsize bsize  cpg]
  a:        732563936               64    RAID
  c:        732566646                0  unused

BIOCTL output

$ sudo bioctl -h -v -c C -l /dev/sd3a softraid0
softraid0: sd3a has unsupported sector size (4096)
softraid0: invalid metadata format

Thanks in advance, Marcus

DMESG FULL:
This is -current with a patch from brad@ to get the NICs (re) working.


Re: Trouble with connect to www.aeroflot.ru

2014-03-19 Thread Shawn K. Quinn
On Wed, Mar 19, 2014, at 09:07 AM, Leonov Aleksey wrote:
 Hi folks,
 
 I can`t  connect to www.aeroflot.ru from lynx on openbsd 5.4. I can
 connect from gentoo, windows. Anybody can connect to wwe.aeroflot.ru from
 openbsd 5.4?

Right now according to http://isup.me/aeroflot.ru it's down for
everyone.

-- 
  Shawn K. Quinn
  skqu...@rushpost.com



Re: Trouble with connect to www.aeroflot.ru

2014-03-19 Thread Marcus MERIGHI
gimliandcomp...@gmail.com (Leonov Aleksey), 2014.03.19 (Wed) 16:18 (CET):
 On 19.03.2014 20:32, Marcus MERIGHI wrote:
 gimliandcomp...@gmail.com (Leonov Aleksey), 2014.03.19 (Wed) 15:07 (CET):
 I can`t  connect to www.aeroflot.ru from lynx on openbsd 5.4. I can
 connect from gentoo, windows. Anybody can connect to wwe.aeroflot.ru
 from openbsd 5.4?
 OpenBSD 5.5-beta (GENERIC.MP) #284: Mon Feb  3 07:57:32 MST 2014
 
 ftp -o aeroflot.html www.aeroflot.ru
 Trying 195.8.62.76...
 Connected to www.aeroflot.ru.
 421 Service not available, remote server has closed connection.
 
  I try http, not ftp. http connect from openbsd to aeroflot.ru end

Ooops on my side. I did not mean to test ftp but just use a different
client (OpenBSD's ftp(1) handles http as well) and forgot the http://:

ftp -o aeroflot.html http://www.aeroflot.ru
Trying 195.8.62.75...
Trying 195.8.62.76...
ftp: connect: connection timed out

There was a thread recently on that problem that I cannot find anymore.
But it boiled down to the user agent your client reports. Try to change
that...

Bye, Marcus



Re: Trouble with connect to www.aeroflot.ru

2014-03-19 Thread Kent Fritz
Odd.  Just tried it. Works on Linux, doesn't on OpenBSD.

Not related to user agent; it seems to not respond to SYN.  Perhaps
they're running PF and filtering us!



Re: Trouble with connect to www.aeroflot.ru

2014-03-19 Thread Leonov Aleksey

On 19.03.2014 21:52, Marcus MERIGHI wrote:

gimliandcomp...@gmail.com (Leonov Aleksey), 2014.03.19 (Wed) 16:18 (CET):

On 19.03.2014 20:32, Marcus MERIGHI wrote:

gimliandcomp...@gmail.com (Leonov Aleksey), 2014.03.19 (Wed) 15:07 (CET):

I can`t  connect to www.aeroflot.ru from lynx on openbsd 5.4. I can
connect from gentoo, windows. Anybody can connect to wwe.aeroflot.ru

from openbsd 5.4?
OpenBSD 5.5-beta (GENERIC.MP) #284: Mon Feb  3 07:57:32 MST 2014

ftp -o aeroflot.html www.aeroflot.ru
Trying 195.8.62.76...
Connected to www.aeroflot.ru.
421 Service not available, remote server has closed connection.

  I try http, not ftp. http connect from openbsd to aeroflot.ru end

Ooops on my side. I did not mean to test ftp but just use a different
client (OpenBSD's ftp(1) handles http as well) and forgot the http://:

ftp -o aeroflot.html http://www.aeroflot.ru
Trying 195.8.62.75...
Trying 195.8.62.76...
ftp: connect: connection timed out

There was a thread recently on that problem that I cannot find anymore.
But it boiled down to the user agent your client reports. Try to change
that...

Bye, Marcus


I can open it with lynx from gentoo: lynx aeroflot.ru
Your browser does not support JavaScript
   Proceed to Standard version
   Proceed to Mobile version

When I  try lynx aeroflot.ru in openbsd i see this in tcpdump:
11:53:09.245726 188.73.161.89.6418  195.8.62.75.80: S [tcp sum ok] 3096898439:3096898439(0) win 16384 mss 1460,nop,nop,sackOK (DF) (ttl 64, id 55000, len 48)
11:53:15.252624 188.73.161.89.6418  195.8.62.75.80: S [tcp sum ok] 3096898439:3096898439(0) win 16384 mss 1460,nop,nop,sackOK (DF) (ttl 64, id 962, len 48)
11:53:27.280919 188.73.161.89.6418  195.8.62.75.80: S [tcp sum ok] 3096898439:3096898439(0) win 16384 mss 1460,nop,nop,sackOK (DF) (ttl 64, id 7153, len 48)
11:53:51.339320 188.73.161.89.6418  195.8.62.75.80: S [tcp sum ok] 3096898439:3096898439(0) win 16384 mss 1460,nop,nop,sackOK (DF) (ttl 64, id 56148, len 48)
11:54:09.195767 188.73.161.89.15154  195.8.62.76.80: S [tcp sum ok] 3396116582:3396116582(0) win 16384 mss 1460,nop,nop,sackOK (DF) (ttl 64, id 62, len 48)
11:54:15.211455 188.73.161.89.15154  195.8.62.76.80: S [tcp sum ok] 3396116582:3396116582(0) win 16384 mss 1460,nop,nop,sackOK (DF) (ttl 64, id 52599, len 48)
11:54:27.244335 188.73.161.89.15154  195.8.62.76.80: S [tcp sum ok] 3396116582:3396116582(0) win 16384 mss 1460,nop,nop,sackOK (DF) (ttl 64, id 21934, len 48)
11:54:51.305478 188.73.161.89.15154  195.8.62.76.80: S [tcp sum ok] 3396116582:3396116582(0) win 16384 mss 1460,nop,nop,sackOK (DF) (ttl 64, id 52307, len 48)

and
Unable to connect to remote host.
I think that they filtered traffic from non windows or linux machine.

-- Aleksey Leonov



Re: Trouble with connect to www.aeroflot.ru

2014-03-19 Thread Mikkel C. Simonsen

Marcus MERIGHI wrote:

gimliandcomp...@gmail.com (Leonov Aleksey), 2014.03.19 (Wed) 16:18 (CET):

On 19.03.2014 20:32, Marcus MERIGHI wrote:

gimliandcomp...@gmail.com (Leonov Aleksey), 2014.03.19 (Wed) 15:07 (CET):

I can`t  connect to www.aeroflot.ru from lynx on openbsd 5.4. I can
connect from gentoo, windows. Anybody can connect to wwe.aeroflot.ru

from openbsd 5.4?
OpenBSD 5.5-beta (GENERIC.MP) #284: Mon Feb  3 07:57:32 MST 2014

ftp -o aeroflot.html www.aeroflot.ru
Trying 195.8.62.76...
Connected to www.aeroflot.ru.
421 Service not available, remote server has closed connection.

 I try http, not ftp. http connect from openbsd to aeroflot.ru end


Ooops on my side. I did not mean to test ftp but just use a different
client (OpenBSD's ftp(1) handles http as well) and forgot the http://:

ftp -o aeroflot.html http://www.aeroflot.ru
Trying 195.8.62.75...
Trying 195.8.62.76...
ftp: connect: connection timed out


It's not an OpenBSD/Lynx specific problem. I just tried connecting with 
SeaMonkey (on /2), and I get a time-out also.


Best regards,

Mikkel C. Simonsen



Re: OpenBSD email provider

2014-03-19 Thread Giancarlo Razzolini
On 19-03-2014 09:41, Stuart Henderson wrote:
 you have more trust in ISP DNS servers honouring TTLs than I do. if
 you can only get a dynamic IP at home and would like to host mail
 there yourself, in a machine which only you have physical access to,
 etc. (i.e. do *not* want to keep your email archive on a VPS), you
 could rent a VPS and use it as a tunnel endpoint instead. 

I don't. I do not use any of my ISP's dns servers. Also, in this case, I
have to trust the other mta's dns servers honoring TTL's, not mine. This
approach of using a VPS with a VPN is a possibility. But until we
develop a new email system, you'll have to rely on a flawed network to
deliver your mail.

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC



Re: softraid(4)/bioctl(8) vs. non-512-byte sectors disks

2014-03-19 Thread Kenneth Westerback
Alas, softraid only supports 512 byte block devices at the moment.

 Ken
On Mar 19, 2014 11:36 AM, Marcus MERIGHI mcmer-open...@tor.at wrote:

 Reference:
 ``Softraid 3TB Problems''
 http://marc.info/?l=openbsd-misc&m=136225193931620

 Difference:
 My HDDs show up as 4096 bytes/sector in dmesg.

 Short:
 Are there any options for disks that come with 4096 bytes/sector to use
 with softraid(4)/bioctl(8)?

 Long:

 So I got these lovely large disks:

 DMESG (full one at the end):

 umass4 at uhub5 port 4 configuration 1 interface 0 Intenso USB 3.0
   Device rev 2.10/1.00 addr 9
 umass4: using SCSI over Bulk-Only
 scsibus5 at umass4: 2 targets, initiator 0
 sd5 at scsibus5 targ 1 lun 0: Intenso, USB 3.0 Device, 0 SCSI4
   0/direct fixed serial.174c55aa22DF
 sd5: 2861588MB, 4096 bytes/sector, 732566646 sectors
 
 I suppose right above is my problem?

 FDISK:

 Disk: sd5   geometry: 45600/255/63 [732566646 4096-byte Sectors]
 Offset: 0   Signature: 0xAA55
 Starting Ending LBA Info:
  #: id  C   H   S -  C   H   S [   start:size ]


-
--
  0: 00  0   0   0 -  0   0   0 [   0:   0 ]
   unused
  1: 00  0   0   0 -  0   0   0 [   0:   0 ]
   unused
  2: 00  0   0   0 -  0   0   0 [   0:   0 ]
   unused
 *3: A6  0   1   2 -  45599 254  63 [  64:   732563936 ]
   OpenBSD

 DISKLABEL:

 # /dev/rsd5c:
 type: SCSI
 disk: SCSI disk
 label: whoknows
 duid: 470974d3647801b8
 flags:
 bytes/sector: 4096
 sectors/track: 63
 tracks/cylinder: 255
 sectors/cylinder: 16065
 cylinders: 45600
 total sectors: 732566646
 boundstart: 64
 boundend: 732564000
 drivedata: 0

 16 partitions:
 #size   offset  fstype [fsize bsize  cpg]
   a:732563936   64RAID
   c:7325666460  unused

 BIOCTL output

 $ sudo bioctl -h -v -c C -l /dev/sd3a softraid0
 softraid0: sd3a has unsupported sector size (4096)
 softraid0: invalid metadata format

 Thanks in advance, Marcus

 DMESG FULL:
 This is -current with a patch from brad@ to get the NICs (re) working.


Re: file system and memory limitation

2014-03-19 Thread Shane Holding
On 16/03/2014 4:24 AM, Friedrich Locke wrote:
 Hi folks,
 
 i wonder what are the limitations on main memory and file system sizes !
 
 Thanks a lot.
 
 gustavo.
 

How long is a piece of string?



npppd can't open /dev/pppx1

2014-03-19 Thread Paul B. Henson
I set up an L2TP VPN with npppd recently using pppx, and other than some
routing issues with ospfd it works great. I'm trying to add a second VPN
connection, but that doesn't seem to work using pppx.

With this config:

interface pppx0 address 10.128.120.1 ipcp IPCP_admin
interface pppx1 address 10.128.120.129 ipcp IPCP

bind tunnel from L2TP_ipv4 authenticated by LOCAL_admin to pppx0
bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx1

npppd won't start:

# npppd -d
2014-03-19 14:08:27:NOTICE: Starting npppd pid=28792 version=5.0.0
2014-03-19 14:08:27:WARNING: pptpd GRE protocol not allowed
2014-03-19 14:08:27:NOTICE: Load configuration
from='/etc/npppd/npppd.conf' successfully.
2014-03-19 14:08:27:INFO: pppx0 Started pppx
2014-03-19 14:08:27:ERR: pppx1 open(/dev/pppx1) failed: No such file or 
directory

If I switch to tun instead of pppx:

interface tun0 address 10.128.120.1 ipcp IPCP_admin
interface tun1 address 10.128.120.129 ipcp IPCP
bind tunnel from L2TP_ipv4 authenticated by LOCAL_admin to tun0
bind tunnel from L2TP_ipv4 authenticated by LOCAL to tun1

it works fine:

# npppd -d
2014-03-19 14:14:28:NOTICE: Starting npppd pid=3355 version=5.0.0
2014-03-19 14:14:28:WARNING: pptpd GRE protocol not allowed
2014-03-19 14:14:28:NOTICE: Load configuration
from='/etc/npppd/npppd.conf' successfully.
2014-03-19 14:14:28:INFO: tun0 Started ip4addr=10.128.120.1
2014-03-19 14:14:28:INFO: tun1 Started ip4addr=10.128.120.129

Is there any way to make two VPN connections work with pppx, or are you
stuck with tun for that scenario?

Thanks...



ciss driver status

2014-03-19 Thread Boris Goldberg
Hello guys,

  It says in the man ciss:

CAVEATS
 For purposes of status monitoring, the current code only supports one
 logical volume per controller.


  Is this still true? If I make more than one array with one controller and
type bioctl ciss0 - what will it show me?

-- 
Best regards,
 Boris  mailto:bo...@twopoint.com



Re: npppd can't open /dev/pppx1

2014-03-19 Thread Paul B. Henson
D'oh, I finally realized I needed to go to /dev and MAKEDEV pppx1 8-/.

Now it's working fine. I had thought pppx was one of those magic
clonable devices that you didn't need to explicitly create, I guess I
was mistaken. When I was testing the vpn, there were pppx1 and pppx2
interfaces that showed up in ifconfig for the clients, which I guess led
me to believe I didn't have to do anything special to use pppx1 in the
npppd config.

Thanks, and sorry for the noise.


On Wed, Mar 19, 2014 at 02:29:35PM -0700, Paul B. Henson wrote:
 I set up an L2TP VPN with npppd recently using pppx, and other than some
 routing issues with ospfd it works great. I'm trying to add a second VPN
 connection, but that doesn't seem to work using pppx.
 
 With this config:
 
 interface pppx0 address 10.128.120.1 ipcp IPCP_admin
 interface pppx1 address 10.128.120.129 ipcp IPCP
 
 bind tunnel from L2TP_ipv4 authenticated by LOCAL_admin to pppx0
 bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx1
 
 npppd won't start:
 
 # npppd -d
 2014-03-19 14:08:27:NOTICE: Starting npppd pid=28792 version=5.0.0
 2014-03-19 14:08:27:WARNING: pptpd GRE protocol not allowed
 2014-03-19 14:08:27:NOTICE: Load configuration
 from='/etc/npppd/npppd.conf' successfully.
 2014-03-19 14:08:27:INFO: pppx0 Started pppx
 2014-03-19 14:08:27:ERR: pppx1 open(/dev/pppx1) failed: No such file or 
 directory
 
 If I switch to tun instead of pppx:
 
 interface tun0 address 10.128.120.1 ipcp IPCP_admin
 interface tun1 address 10.128.120.129 ipcp IPCP
 bind tunnel from L2TP_ipv4 authenticated by LOCAL_admin to tun0
 bind tunnel from L2TP_ipv4 authenticated by LOCAL to tun1
 
 it works fine:
 
 # npppd -d
 2014-03-19 14:14:28:NOTICE: Starting npppd pid=3355 version=5.0.0
 2014-03-19 14:14:28:WARNING: pptpd GRE protocol not allowed
 2014-03-19 14:14:28:NOTICE: Load configuration
 from='/etc/npppd/npppd.conf' successfully.
 2014-03-19 14:14:28:INFO: tun0 Started ip4addr=10.128.120.1
 2014-03-19 14:14:28:INFO: tun1 Started ip4addr=10.128.120.129
 
 Is there any way to make two VPN connections work with pppx, or are you
 stuck with tun for that scenario?
 
 Thanks...



Unbound in base, yes, what about ldns?

2014-03-19 Thread Chris Smith
Great to see Unbound in base, thanks.

But what about ldns? I still have that installed as a package -
removed the unbound package as per the -current instructions, but
shouldn't the ldns package be removed as well as I believe
unbound requires it and therefore it would have to be built by base as
well. Or am I off-base?

Thanks,

Chris



Re: Unbound in base, yes, what about ldns?

2014-03-19 Thread Kenneth Westerback
On 19 March 2014 18:09, Chris Smith obsd_m...@chrissmith.org wrote:
 Great to see Unbound in base, thanks.

 But what about ldns? I still have that installed as a package -
 removed the unbound package as per the -current instructions, but
 shouldn't the ldns package be removed as well as I believe
 unbound requires it and therefore it would have to be built by base as
 well. Or am I off-base?

 Thanks,

 Chris


The unbound in base has its own cut down version of ldns. No need for
the package.

... Ken



PPTP after removing of userland ppp(8)

2014-03-19 Thread Атанас Владимиров
Hi,
I was running PPTP client pptp-1.7.2p4 with userland ppp(8). It was a basic
setup from pptp(8) manual page and specifically PPTP on a router example.
What are my alternatives to run PPTP to connect to Microsoft VPN server?
May I use ppp(4) and pppd(8) and if so can you point me to the right
direction.
Thanks for your time.
Atanas



Re: Unbound in base, yes, what about ldns?

2014-03-19 Thread Chris Smith
On Wed, Mar 19, 2014 at 6:12 PM, Kenneth Westerback
kwesterb...@gmail.com wrote:
 The unbound in base has its own cut down version of ldns. No need for
 the package.

Can I just uninstall the package after the fact or do some files need
to be replaced?

Thanks,

Chris



Re: Unbound in base, yes, what about ldns?

2014-03-19 Thread Атанас Владимиров
Hi,
Sorry for Off-topic, but when you enable DNSSEC validation and fetch a root
key with unbound-anchor(8) (needs root) the following error shows up in
/var/log/messages:

unbound: [0:0] error: could not open autotrust file for writing,
/etc/root.key.29136-0: Permission denied

Maybe this is because _unbound user has no rights to write to
/var/unbound/etc/ after chroot.
Am I correct? Any solutions?

Best regards,
Atanas



Re: PPTP after removing of userland ppp(8)

2014-03-19 Thread Stefan Sperling
On Thu, Mar 20, 2014 at 12:39:50AM +0200, Атанас Владимиров wrote:
 Hi,
 I was running PPTP client pptp-1.7.2p4 with userland ppp(8). It was a basic
 setup from pptp(8) manual page and specifically PPTP on a router example.
 What are my alternatives to run PPTP to connect to Microsoft VPN server?
 May I use ppp(4) and pppd(8) and if so can you point me to the right
 direction.
 Thanks for your time.
 Atanas

ppp(8) used net/pptp as a pseudo-device via pipes to a pptp process.

With pppd(8) I don't think there is support for using a pipe to
a separate process as a device. Perhaps there is another way
to make pptp work with pppd. I don't know.

npppd supports PPTP but I believe it's currently server-side only.
One possible path forward would be PPTP-client support in npppd.
I don't know if there are any plans for this and I don't have any
such plans myself.

Even though I'm still listed as maintainer of net/pptp I haven't used
it in a long time. If net/pptp goes away I won't miss it.



Re: Unbound in base, yes, what about ldns?

2014-03-19 Thread Chris Smith
See the thread "unbound dnssec revisited" I started on 12/30/2013 for
some hints. Looks like creating a new directory with the proper
permissions is the best way to go.


On Wed, Mar 19, 2014 at 7:01 PM, Атанас Владимиров don.na...@gmail.com wrote:
 Hi,
 Sorry for Off-topic, but when you enable DNSSEC validation and fetch a root
 key with unbound-anchor(8) (needs root) the following error shows up in
 /var/log/messages:

 unbound: [0:0] error: could not open autotrust file for writing,
 /etc/root.key.29136-0: Permission denied

 Maybe this is because _unbound user has no rights to write to
 /var/unbound/etc/ after chroot.
 Am I correct? Any solutions?

 Best regards,
 Atanas
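
The permission problem discussed in this thread, as an added example (not code from the thread or from Unbound): the log line shows unbound creating a temporary file beside the anchor (`/etc/root.key.29136-0`, a path inside the chroot), so the unprivileged user needs write and search permission on the directory, not only on `root.key`. The `db` directory name, the uid/gid values and the modes are constructed for the demonstration, and only plain mode bits are checked (no ACLs).

```python
import os
import stat
import tempfile


def host_path(chroot, path_in_chroot):
    """Map a path as the chrooted daemon sees it to the path on the host."""
    return os.path.join(chroot, path_in_chroot.lstrip("/"))


def can_create_in(directory, uid, gids):
    """Unix mode-bit check: creating a file needs w+x on the directory."""
    st = os.stat(directory)
    if uid == 0:
        return True
    if st.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (st.st_mode & need) == need


def check_anchor(chroot, anchor_in_chroot, uid, gids):
    """Return (ok, detail) for one auto-trust-anchor-file candidate."""
    parent = os.path.dirname(host_path(chroot, anchor_in_chroot))
    if not os.path.isdir(parent):
        return False, "missing directory " + parent
    if not can_create_in(parent, uid, gids):
        return False, "uid %d cannot create files in %s" % (uid, parent)
    return True, parent


def demo():
    """Constructed chroot: etc/ is 0755, db/ is 0775 for the daemon's group."""
    chroot = tempfile.mkdtemp()
    for name, mode in (("etc", 0o755), ("db", 0o775)):
        os.mkdir(os.path.join(chroot, name))
        os.chmod(os.path.join(chroot, name), mode)
    st = os.stat(os.path.join(chroot, "db"))
    daemon_uid = st.st_uid + 1000   # made-up uid that owns neither directory
    daemon_gids = {st.st_gid}       # stand-in for the daemon's group
    return {name: check_anchor(chroot, "/%s/root.key" % name,
                               daemon_uid, daemon_gids)
            for name in ("etc", "db")}


if __name__ == "__main__":
    for name, (ok, detail) in demo().items():
        print(name, "OK" if ok else "FAIL", detail)
```

On a real system, pass `/var/unbound` as the chroot and the uid and group ids of `_unbound` to `check_anchor`.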



npppd with two pppx interfaces causes kernel panic

2014-03-19 Thread Paul B. Henson
After successfully setting up an L2TP VPN with npppd and pppx, I tried
to add a second VPN subnet with a different authentication base. I was
working remotely, and after starting npppd in debug mode:

bash-4.2# npppd -d
2014-03-19 14:41:50:NOTICE: Starting npppd pid=32407 version=5.0.0
2014-03-19 14:41:50:WARNING: pptpd GRE protocol not allowed
2014-03-19 14:41:51:NOTICE: Load configuration
from='/etc/npppd/npppd.conf' successfully.
2014-03-19 14:41:51:INFO: pppx0 Started pppx
2014-03-19 14:41:51:INFO: pppx1 Started pppx
2014-03-19 14:41:51:INFO: Listening /var/run/npppd_ctl (npppd_ctl)
2014-03-19 14:41:51:INFO: ipcp=IPCP_admin pool
dyn_pool=[10.128.120.0/25] pool=[10.128.120.0/25]
2014-03-19 14:41:51:INFO: ipcp=IPCP pool dyn_pool=[10.128.120.128/25]
pool=[10.128.120.128/25]
2014-03-19 14:41:51:INFO: Loading pool config successfully.

the box stopped responding :(. When I got on site, it was frozen and
nonresponsive. I rebooted, and on the way back up it panic'd when
starting npppd:

starting early daemons: syslogd pflogd named ntpd isakmpd npppd.
uvm_fault(0xfe812f620e00, 0x30, 0, 1) - e
fatal page fault in supervisor mode
trap type 6 code 0 rip 81385b40 cs 8 rflags 10257 cr2  30 cpl 0
rsp 8000221fdd38
panic: trap type 6, code=0, pc=81385b40
Starting stack trace...
panic() at panic+0xf5
trap() at trap+0x7f1
--- trap (number 6) ---
mtx_enter() at mtx_enter
VOP_KQFILTER() at VOP_KQFILTER+0x2b
kqueue_register() at kqueue_register+0x332
sys_kevent() at sys_kevent+0x115
syscall() at syscall+0x249
--- syscall (number 270) ---
end of kernel
end trace frame: 0x11be0a5e, count: 250
0x11be006eca6a:

It then said "Syncing disks" and sat there for 30 minutes, at which
point I gave up, booted in single user, and disabled npppd.
Unfortunately I don't have a serial console logger at the moment, so
while I assume it did the same panic when I was working remotely I don't
have logs for it. This is a 5.4 box with a generic kernel, other than
using config -e to enable ipmi and change the irq for com2.

Any thoughts on this? Here is the npppd config that causes it to blow
up:

authentication LOCAL_admin type local {
users-file /etc/npppd/npppd-users
username-suffix @admin
}
authentication LOCAL type local {
users-file /etc/npppd/npppd-users
}

tunnel L2TP_ipv4 protocol l2tp {
listen on 96.251.22.154
# l2tp-require-ipsec yes # buggy, doesn't work currently
}

ipcp IPCP_admin {
pool-address 10.128.120.0/25
dns-servers 10.128.0.4
allow-user-selected-address no
}
ipcp IPCP {
pool-address 10.128.120.128/25
dns-servers 10.128.0.4
allow-user-selected-address no
}

interface pppx0 address 10.128.120.1 ipcp IPCP_admin
interface pppx1 address 10.128.120.129 ipcp IPCP

bind tunnel from L2TP_ipv4 authenticated by LOCAL_admin to pppx0
bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx1



Re: Trouble with connect to www.aeroflot.ru

2014-03-19 Thread Steve Shockley

On 3/19/2014 12:22 PM, Leonov Aleksey wrote:
 I think that they filtered traffic from non-Windows or Linux machines.

I think this is the case.  I'm behind a transparent http proxy (Squid)
on OpenBSD, and from Windows http://www.aeroflot.ru times out, and
https://www.aeroflot.ru (which bypasses the proxy) works.




Re: PPTP after removing of userland ppp(8)

2014-03-19 Thread YASUOKA Masahiko
On Thu, 20 Mar 2014 00:39:50 +0200
Атанас Владимиров don.na...@gmail.com wrote:
 I was running PPTP client pptp-1.7.2p4 with userland ppp(8). It was a basic
 setup from pptp(8) manual page and specifically PPTP on a router example.
 What are my alternatives to run PPTP to connect to Microsoft VPN server?
 May I use ppp(4) and pppd(8) and if so can you point me to the right
 direction.

I think having a good ppp client implementation and an l2tp client in
base is the good direction.  I myself will try to do my best for that
direction.

--yasuoka



Re: npppd with two pppx interfaces causes kernel panic

2014-03-19 Thread YASUOKA Masahiko
On Wed, 19 Mar 2014 16:45:46 -0700
Paul B. Henson hen...@acm.org wrote:
 After successfully setting up an L2TP VPN with npppd and pppx, I tried
 to add a second VPN subnet with a different authentication base. I was
 working remotely, and after starting npppd in debug mode:

pppx will be fixed.

You can use tun(4) instead if you want to use multiple interfaces for
that purpose.

--yasuoka



Re: Trouble with connect to www.aeroflot.ru

2014-03-19 Thread Mikkel C. Simonsen

Claus Assmann wrote:
 On Wed, Mar 19, 2014, Steve Shockley wrote:
 On 3/19/2014 12:22 PM, Leonov Aleksey wrote:
 I think that they filtered traffic from non-Windows or Linux machines.

 I think this is the case.  I'm behind a transparent http proxy (Squid) on

 Just for the fun of it: it works from FreeBSD 8.x and SunOS 5.10 too,
 so maybe it's more like only OpenBSD can't connect?

If you read my previous reply, you'll see that /2 is blocked also :)

Best regards,

Mikkel C. Simonsen




Re: npppd with two pppx interfaces causes kernel panic

2014-03-19 Thread Paul B. Henson
On Thu, Mar 20, 2014 at 10:22:51AM +0900, YASUOKA Masahiko wrote:

 pppx will be fixed.

Great :). This is a known bug then? Should I just keep an eye on the
changelog for mention of pppx changes to tell when it's safe to try
again?

 You can use tun(4) instead if you want to use multiple interfaces for
 that purpose.

Yes, I switched to tun for now pending the ability to have multiple pppx
interfaces defined. It was a rather big surprise for the box to
disappear on me while I was working with it, I don't have any out of
band access to it so it was offline until I got to it sigh.

Thanks...



Re: npppd with two pppx interfaces causes kernel panic

2014-03-19 Thread YASUOKA Masahiko
On Wed, 19 Mar 2014 21:05:35 -0700
Paul B. Henson hen...@acm.org wrote:
 On Thu, Mar 20, 2014 at 10:22:51AM +0900, YASUOKA Masahiko wrote:
 pppx will be fixed.
 
 Great :). This is a known bug then?

It's new for me.  I had not even tried MAKEDEV pppx1 yet.

 Should I just keep an eye on the changelog for mention of pppx
 changes to tell when it's safe to try again?

Sorry I cannot understand the point of this question.

 You can use tun(4) instead if you want to use multiple interfaces for
 that purpose.
 
 Yes, I switched to tun for now pending the ability to have multiple pppx
 interfaces defined. It was a rather big surprise for the box to
 disappear on me while I was working with it, I don't have any out of
 band access to it so it was offline until I got to it sigh.

Sorry too.  I cannot see the problem you entered.

--yasuoka