Re: rsync -a doesnt keep owner and permissions
Am 19.08.2014 17:14, schrieb Joseph Borg: Wouldn't something like duplicity work better for you in this case? Regards Sent from my iPad well as far as I understand its just another abstraction layer added to rsync and I don't want to install something that is basically using something I already have. But thanks for the sugession On 19 Aug 2014, at 16:53, Markus Rosjat ros...@ghweb.de wrote: Am 19.08.2014 16:40, schrieb Erling Westenvik: On Tue, Aug 19, 2014 at 04:27:11PM +0200, Markus Rosjat wrote: Is there any other thing I miss with the sudo approach? Check out --usermap, --groupmap and --chown in the man page. Haven't tried them myself but AFAIK these options were added to rsync(1) late in 2013 or early in 2014. this may work on a one file or user directory base but if I want to sync a location like /var/www/htdocs this will be a bit overkill and no I don't want to write a script for this if I can avoid it. -- Vennlig hilsen/Kind regards Erling Westenvik -- Markus Rosjatfon: +49 351 8107223mail: ros...@ghweb.de G+H Webservice GbR Gorzolla, Herrmann Königsbrücker Str. 70, 01099 Dresden http://www.ghweb.de fon: +49 351 8107220 fax: +49 351 8107227 Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss! Before you print it, think about your responsibility and commitment to the ENVIRONMENT -- Markus Rosjatfon: +49 351 8107223mail: ros...@ghweb.de G+H Webservice GbR Gorzolla, Herrmann Königsbrücker Str. 70, 01099 Dresden http://www.ghweb.de fon: +49 351 8107220 fax: +49 351 8107227 Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss! Before you print it, think about your responsibility and commitment to the ENVIRONMENT
Re: pkg_mgr error: Fatal error: Ustar ... Eror while reading header
On Mon, Aug 18, 2014 at 6:08 PM, Daniel Villarreal yclwebmas...@gmail.com wrote: Sorry. This happens for lots of different programs... just tried to use pkg_mgr to install gif2png --- errors -- Fatal error: Ustar [ http://ftp.openbsd.org/pub/OpenBSD/5.5/packages/amd64/gif2png-2.5.2p1.tgz][share/doc/gif2png/README]: Error while reading header Huh. Off hand, I don't see anything weird in that file that should make the perl Ustar.pm choke. I'm afraid further analysis will have to await espie's return... Philip Guenther
Re: ifconfig command for IPv6 tunnel
Also, do note that this just means that this particular box has ipv6 connectivity. If you want to have clients at home behind this one, you should get another v6 network to use behind this gateway. And I agree with Adam, you got most of it correct. I would add the route command to hostname.gif0 with the ! before so it is used only when gif0 is taken up. 2014-08-20 6:38 GMT+02:00 Adam Thompson athom...@athompso.net: On 14-08-19 10:40 PM, Charles Musser wrote: I'm experimenting with using IPv6 via a tunnel broker provided by an ISP. The tunnel works, but I want to confirm my understanding of the commands they gave me to set it up. These are the commands: ifconfig gif0 tunnel 50.1.94.112 72.52.104.74 ifconfig gif0 inet6 alias 2001:470:1f04:204::2 2001:470:1f04:204::1 prefixlen 128 route -n add -inet6 default 2001:470:1f04:204::1 [...] IIRC from my experimentation, you've got it exactly right. Some tunnel brokers give you subnet masks that certain versions of OpenBSD don't like - that turns out to not actually matter, just use whatever ifconfig(8) want. Point in case: HE recommends using /64 for PtP links, but OpenBSD 5.x requires /128. Since HE allocates an entire /64 per tunnel, there is no danger in configuring it more narrowly on the client end. The hostname.if(5) syntax that finally worked for me on 5.4-RELEASE was (slightly anonymized) description HE_TUNNEL_FREMONT tunnel 184.70.48.XXX dest 64.71.128.83 inet6 2001:470::X::2 dest 2001:470::X::1 prefixlen 128 which perhaps adds some clarity, or perhaps confuses, depending on your point of view. I can't remember whether (in the non-BGP case) I added the route command as !route -n add -inet6 default 2001:470:1f04:204::1 to the hostname.gif0 file, or if I added it to /etc/mygate - one or the other should work, anyway. -- -Adam Thompson athom...@athompso.net -- May the most significant bit of your life be positive.
Re: openbgpd ipv6 nexthop
* Mickael Torres cont...@mtorres.fr [2014-08-19 20:16]: I'm using openbgpd on a pair of carped firewall (openbsd 5.5-stable) to announce IPv4 routes to a cisco 7600. send a few extra prefixes, these bad switches from 1999 that marketing painted differently to call it router really like that. trying to do the same for IPv6, the set nexthop statement in the bgpd.conf has no effect. The cisco receives the prefixes with the non-carp IP of each firewall as nexthop. that smells like a bug. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/
acpi error running openbsd snapshot 20140820 (amd64)
Hi, Running the install56.fs from an usb key give me the following error : http://pbrd.co/1rWT1Us So i disabled acpi using UKC to be able to install : http://pbrd.co/1rWUqL0 OpenBSD is installed now, but running it with acpi support give me a kernel panic : http://pbrd.co/1rWTCFX trace : http://pbrd.co/1rWTKVS http://pbrd.co/1rWTUws and ps : http://pbrd.co/1rWU1bl Below, dmesg without acpi support : OpenBSD 5.6-current (GENERIC.MP) #336: Tue Aug 19 20:39:19 MDT 2014 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP real mem = 1996161024 (1903MB) avail mem = 1934336000 (1844MB) User Kernel Config UKC disable acpi 358 acpi0 disabled UKC quit Continuing... mpath0 at root scsibus0 at mpath0: 256 targets mainbus0 at root bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xfced0 (28 entries) bios0: vendor American Megatrends Inc. version P1.60 date 06/12/2007 acpi at bios0 not configured mpbios0 at bios0: Intel MP Specification 1.4 cpu0 at mainbus0: apid 0 (boot processor) cpu0: AMD Athlon(tm) 64 X2 Dual Core Processor 4800+, 2411.13 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,3DNOWP cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges cpu0: apic clock running at 200MHz cpu1 at mainbus0: apid 1 (application processor) cpu1: AMD Athlon(tm) 64 X2 Dual Core Processor 4800+, 2410.78 MHz cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,3DNOWP cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache cpu1: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative cpu1: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative mpbios0: bus 0 is type PCI mpbios0: bus 1 is type PCI mpbios0: bus 2 is type PCI mpbios0: bus 3 is type PCI mpbios0: bus 4 is type PCI mpbios0: bus 5 is type ISA ioapic0 at mainbus0: apid 2 pa 0xfec0, version 11, 24 pins cpu0: PowerNow! K8 2411 MHz: speeds: 2500 2400 2200 2000 1800 1000 MHz pci0 at mainbus0 bus 0 NVIDIA MCP61 Memory rev 0xa1 at pci0 dev 0 function 0 not configured pcib0 at pci0 dev 1 function 0 NVIDIA MCP61 ISA rev 0xa2 nviic0 at pci0 dev 1 function 1 NVIDIA MCP61 SMBus rev 0xa2 iic0 at nviic0 iic0: addr 0x4c 00=28 01=2f 02=80 03=01 04=06 05=46 06=00 07=46 08=00 10=60 11=00 12=00 13=00 14=00 19=6e 20=55 21=0a bf=06 e0=bb e1=c0 e2=82 e3=bb e4=c0 e5=2f e6=29 e7=68 e8=82 eb=4f ec=02 f1=20 f2=00 f3=10 f4=80 f5=00 f7=00 f8=00 f9=02 fa=00 fb=4c fc=4f fd=37 fe=5c ff=01 words 00=29ff 01=2fff 02=80ff 03=01ff 04=06ff 05=46ff 06=00ff 07=46ff spdmem0 at iic0 addr 0x51: 2GB DDR2 SDRAM non-parity PC2-6400CL5 iic1 at nviic0 NVIDIA MCP61 Memory rev 0xa2 at pci0 dev 1 function 2 not configured ohci0 at pci0 dev 2 function 0 NVIDIA MCP61 USB rev 0xa2: apic 2 int 5, version 1.0, legacy support ehci0 at pci0 dev 2 function 1 NVIDIA MCP61 USB rev 0xa2: apic 2 int 10 usb0 at ehci0: USB revision 2.0 uhub0 at usb0 NVIDIA EHCI root hub rev 2.00/1.00 addr 1 ppb0 at pci0 dev 4 function 0 NVIDIA MCP61 rev 0xa1 pci1 at ppb0 bus 1 rl0 at pci1 dev 8 function 0 Realtek 8139 rev 0x10: apic 2 int 11, address 00:50:fc:47:20:a0 rlphy0 at rl0 phy 0: RTL internal PHY rl1 at pci1 dev 10 function 0 Realtek 8139 rev 0x10: apic 2 int 5, address 00:50:bf:93:3f:78 rlphy1 at rl1 phy 0: RTL internal PHY azalia0 at pci0 dev 5 function 0 NVIDIA MCP61 HD Audio rev 0xa2: apic 2 int 11 azalia0: codecs: Realtek ALC888 audio0 at azalia0 pciide0 at pci0 dev 6 function 0 NVIDIA MCP61 IDE rev 0xa2: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility pciide0: channel 0 disabled (no drives) pciide0: channel 1 ignored (disabled) nfe0 at pci0 dev 7 function 0 NVIDIA MCP61 LAN rev 0xa2: apic 2 int 10, address 00:19:66:3a:de:a4 rlphy2 at nfe0 phy 1: RTL8201L 10/100 PHY, rev. 1 pciide1 at pci0 dev 8 function 0 NVIDIA MCP61 SATA rev 0xa2: DMA pciide1: using apic 2 int 10 for native-PCI interrupt wd0 at pciide1 channel 0 drive 0: ST3808110AS wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 6 atapiscsi0 at pciide1 channel 1 drive 0 scsibus1 at atapiscsi0: 2 targets cd0 at scsibus1 targ 0 lun 0: HL-DT-ST, DVD-ROM GDRH20N, 0L02 ATAPI 5/cdrom removable cd0(pciide1:1:0): using PIO mode 4, Ultra-DMA mode 5 pciide2 at pci0 dev 8 function 1 NVIDIA MCP61 SATA rev 0xa2: DMA pciide2: using apic 2 int 10 for native-PCI interrupt ppb1 at pci0 dev 9 function 0 NVIDIA MCP61 PCIE rev 0xa2 pci2 at ppb1 bus 2 ppb2 at pci0 dev 11 function 0
Re: openbgpd ipv6 nexthop
Am Mittwoch, den 20.08.2014, 08:25 +0200 schrieb Henning Brauer: trying to do the same for IPv6, the set nexthop statement in the bgpd.conf has no effect. The cisco receives the prefixes with the non-carp IP of each firewall as nexthop. that smells like a bug. I can confirm that I've seen this behaviour also. Yet I thought the reason would be more of the kind that I did evil things[tm] to bgpd. And maybe stuff like :::10.0.0.1 would somehow not be regarded as a valid next_hop address for IPv6. Mickael, can you confirm that a route towards 2a02:d48:2f:1c::1:4 is in your rtable 0 FIB? -dd -- David Dahlberg Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845 Fraunhoferstr. 20, 53343 Wachtberg, Germany| Fax: +49-228-856277
Strip private AS# from AS-PATH with OpenBGPd
Hi,
While reviewing my BGP filters, i realized I don't filter private AS# in
the AS-PATH.
According to OpenBGPd's man page, it is possible to use:
deny from any AS { 64512 64513 65535 }
It would however be quite unmaintainable and not really clean.
Would it be possible to please implement AS ranges ?
Like:
deny from any { AS { 64512 to 65535 }, AS { 42 to 4294967294 } }
Hope I didn't miss an obvious way.
Cheers,
Laurent
Re: troubleshooting carp [solved]
the reason why the second one works, is because the order does matter. you need to configure the device's interesting bits, before you start assigning an IP address to it. On 2014 Aug 19 (Tue) at 19:31:36 -0400 (-0400), Stefan Olsson wrote: :I've pinpointed the issue with my carp setup. Finally! : :It seems like the order of things in hostname.carp0 matters more than :I thought it did.? : :This doesn't work so well: :# cat /etc/hostname.carp0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? :inet 192.168.16.1/24?? :vhid 100 pass blahblah advbase 5 advskew 0 : : :This works however: :# cat /etc/hostname.carp0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? :vhid 100 pass blahblah advbase 5 advskew 0 :inet 192.168.16.1/24 ?? : : : :Both result in exactly this: :# ifconfig carp0 :carp0: flags=28843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6 mtu 1500 :? ? ? ? lladdr 00:00:5e:00:01:64 :? ? ? ? priority: 0 :? ? ? ? carp: MASTER carpdev em0 vhid 100 advbase 5 advskew 0 :? ? ? ? groups: carp :? ? ? ? status: master :? ? ? ??inet 192.168.16.1 netmask 0xff00 broadcast 192.168.16.255 : : : :-The difference is that with the latter order, carp becomes muted. Although ip-traffic? :and arp passes through fine, there is no sign of carp when I do tcpdump on em0. If :the vhid is added before the ip-address however, carp works as expected and tcpdump can capture :the carp-advertisements going out on em0.? : :-It would be nice if someone with more insight could explain in detail why the second :order in hostname.carp0 doesn't work.? :-I am aware that I could have had it all in one line, but because of readability etc :I chose to split it into two lines.? : -- The sooner all the animals are dead, the sooner we'll find their money. -- Ed Bluestone, The National Lampoon
Re: ifconfig command for IPv6 tunnel
On Tue, 19 Aug 2014, Charles Musser wrote: Hi, I'm experimenting with using IPv6 via a tunnel broker provided by an ISP. The tunnel works, but I want to confirm my understanding of the commands they gave me to set it up. These are the commands: ifconfig gif0 tunnel 50.1.94.112 72.52.104.74 ifconfig gif0 inet6 alias 2001:470:1f04:204::2 2001:470:1f04:204::1 prefixlen 128 route -n add -inet6 default 2001:470:1f04:204::1 The first and third commands make sense to me; they set up an IPv4 tunnel interface and a default route for IPv6. After reading the ifconfig(8) man page) I think I sort of understand what the second one does. Side note: the two IPv6 addresses provided by the tunnel broker are defined, in their terminology, as follows: prefix::1 is the server IPv6 address and prefix::2 is the client IPv6 address. Given that, I think the following is true: - prefix::1 is the local address of the interface on the IPv6 network. No, *::2 is local. - The alias parameter is superfluous in this case. I tried it without that and got the same result: an operating tunnel. If it works, ifconfig is being smart, but why not make your intent explicit? The tunnel is across the ip4 addresses; this command adds aliases, or close enough. - Because gif0 is a point-to-point interface, prefix::2 (the server IP) is interpreted as the dest_address parameter mentioned in the ifconfig(8) man page. It's ambiguous when you write the server IP because the remote end of the tunnel is a server, and if you're configuring a router rather than a host then that's a server too. Addr *:2 is local in that it's an address of your gif(4) interface. The ifconfig(8) synopsis is simpler than gif configuration, but yes *::2 is like dest_address. Addr *::1 is remote. Try 'netstat -nvrf inet6 | grep 2001:' and find that *::1 has the G (gateway) flag, and host *::2 has a route to *::1. Also look at something using the interface, maybe ntpd. Look at the address with 'netstat -nvf inet6 | grep 123' (no -r there), and see that *::2 is local. HE likely provided you a /64 prefix for your use, or maybe you have to request it (I have an HE tunnel but don't remember all details; their website is helpful). Those addrs would be in a different /48 than the tunnel addrs. If you're setting up a router your assigned /64 prefix can be assigned to an internal interface with alias like 'inet6 alias /64 net prefix 64'. Then point rtadvd at that interface. -Ed
Re: openbgpd ipv6 nexthop
On 2014-08-20 11:21, David Dahlberg wrote: Am Mittwoch, den 20.08.2014, 08:25 +0200 schrieb Henning Brauer: trying to do the same for IPv6, the set nexthop statement in the bgpd.conf has no effect. The cisco receives the prefixes with the non-carp IP of each firewall as nexthop. that smells like a bug. I can confirm that I've seen this behaviour also. Yet I thought the reason would be more of the kind that I did evil things[tm] to bgpd. And maybe stuff like :::10.0.0.1 would somehow not be regarded as a valid next_hop address for IPv6. Mickael, can you confirm that a route towards 2a02:d48:2f:1c::1:4 is in your rtable 0 FIB? -dd Yes, the output is the same for both firewalls: # netstat -nr -f inet6 | grep 2a02:d48:2f:1c::1:4 2a02:d48:2f:1c::1:400:00:5e:00:01:01 HL 00 - 4 lo0 # and # bgpctl show fib| grep 2a02:d48:2f:1c::1:0 *CN 0 2a02:d48:2f:1c::1:0/125 link#5 # Best regards, Mickael
iked troubles, SA not installed
Hi folks, I am trying to set up an IPSec VPN between my OpenBSD-current laptop and my OpenBSD-current gateway at home. The gateway is connected with plain old ADSL + PPPoE, and the laptop uses my smartphone tethering functions. laptop has a vether(4) with 192.168.55.220/24 configured and up, and gateway has a vether(4) with 192.168.56.1/24 configured and up. Yeah I could do without, but I've mainly seen examples where the tunnel outgoing interface was different from the routed range interface, and wanted to make sure it was not due to some weird address overlap. What goes on is, when I start both iked, negociation completes, but: 1) only the gateway installs the SA and SP, laptop does not 2) I am not able to go beyond the TCP three-way-handshake when connecting from laptop to gateway. I tcpdump'd the traffic on outgoing interfaces: every packet that is sent by one side is received by the other. I can observe traffic on gateway's enc0, but nothing on laptop's enc0 (which makes sense as SA and SP are not installed). both are running a fairly recent -current (no more than 10 days old). Any clues on what might be going ? Cheers, -- Vincent / dermiste ## gateway /etc/iked.conf: ikev2 esp proto icmp \ from 192.168.56.1 to 192.168.55.220 peer 37.160.239.206 \ psk redacted ## laptop /etc/iked.conf: ikev2 active esp proto icmp \ from 192.168.55.220 to 192.168.56.1 peer 79.143.250.153 \ psk redacted ## initial sa state on both machines: $ sudo ipsecctl -sa FLOWS: No flows SAD: No entries ## On gateway: $ sudo tcpdump -ni pppoe0 udp port 500 or 4500 or tcp port 222 tcpdump: listening on pppoe0, link-type PPP_ETHER tcpdump: WARNING: compensating for unaligned libpcap packets 14:57:16.480895 37.160.239.206.20603 79.143.250.153.4500:udpencap: isakmp v2.0 exchange IKE_SA_INIT cookie: 143d03ddc5809c39- msgid: len: 520 14:57:16.531113 79.143.250.153.4500 37.160.239.206.20603:udpencap: isakmp v2.0 exchange IKE_SA_INIT cookie: 143d03ddc5809c39-383ed0522188ecdc msgid: len: 432 14:57:17.226835 37.160.239.206.20603 79.143.250.153.4500:udpencap: isakmp v2.0 exchange IKE_AUTH cookie: 143d03ddc5809c39-383ed0522188ecdc msgid: 0001 len: 272 14:57:17.228337 79.143.250.153.4500 37.160.239.206.20603:udpencap: isakmp v2.0 exchange IKE_AUTH cookie: 143d03ddc5809c39-383ed0522188ecdc msgid: 0001 len: 224 14:57:17.229556 79.143.250.153.4500 37.160.239.206.20603:udpencap: esp 79.143.250.153 37.160.239.206 spi 0xba588fdd seq 2 len 376 (DF) [tos 0x10] 14:57:17.229799 79.143.250.153.4500 37.160.239.206.20603:udpencap: esp 79.143.250.153 37.160.239.206 spi 0xba588fdd seq 3 len 136 (DF) [tos 0x10] 14:57:18.059200 79.143.250.153.4500 37.160.239.206.20603:udpencap: esp 79.143.250.153 37.160.239.206 spi 0xba588fdd seq 4 len 824 (DF) [tos 0x10] 14:57:18.059587 79.143.250.153.4500 37.160.239.206.20603:udpencap: esp 79.143.250.153 37.160.239.206 spi 0xba588fdd seq 5 len 136 (DF) [tos 0x10] 14:57:18.266023 79.143.250.153.4500 37.160.239.206.20603:udpencap: esp 79.143.250.153 37.160.239.206 spi 0xba588fdd seq 6 len 1192 (DF) [tos 0x10] 14:57:19.726565 37.160.239.206.20606 79.143.250.153.222: S 4201433516:4201433516(0) win 16384 mss 1300,sackOK,nop,nop,nop,wscale 3 (DF) 14:57:19.726641 79.143.250.153.222 37.160.239.206.20606: S 918752052:918752052(0) ack 4201433517 win 16384 mss 1452,nop,nop,sackOK,nop,wscale 3 (DF) 14:57:19.826467 37.160.239.206.20606 79.143.250.153.222: . ack 1 win 2048 (DF) 14:57:19.852144 79.143.250.153.4500 37.160.239.206.20603:udpencap: esp 79.143.250.153 37.160.239.206 spi 0xba588fdd seq 7 len 104 (DF) 14:57:19.866853 37.160.239.206.20606 79.143.250.153.222: P 1:22(21) ack 1 win 8000 (DF) 14:57:20.066284 79.143.250.153.4500 37.160.239.206.20603:udpencap: esp 79.143.250.153 37.160.239.206 spi 0xba588fdd seq 8 len 1048 (DF) 14:57:20.266288 79.143.250.153.4500 37.160.239.206.20603:udpencap: esp 79.143.250.153 37.160.239.206 spi 0xba588fdd seq 9 len 1384 (DF) [tos 0x10] 14:57:20.868080 37.160.239.206.20606 79.143.250.153.222: P 1:22(21) ack 1 win 8000 (DF) 14:57:20.868190 79.143.250.153.4500 37.160.239.206.20603:udpencap: esp 79.143.250.153 37.160.239.206 spi 0xba588fdd seq 10 len 88 (DF) 14:57:22.868423 37.160.239.206.20606 79.143.250.153.222: P 1:22(21) ack 1 win 8000 (DF) 14:57:22.868615 79.143.250.153.4500 37.160.239.206.20603:udpencap: esp 79.143.250.153 37.160.239.206 spi 0xba588fdd seq 11 len 88 (DF) 14:57:24.266858 79.143.250.153.4500 37.160.239.206.20603:udpencap: esp 79.143.250.153 37.160.239.206 spi 0xba588fdd seq 12 len 1384 [tos 0x10] 14:57:25.847062 79.143.250.153.4500 37.160.239.206.20603:udpencap: esp 79.143.250.153 37.160.239.206 spi 0xba588fdd seq 13 len 1064 (DF) 14:57:26.869638 37.160.239.206.20606 79.143.250.153.222: P 1:22(21) ack 1 win 8000 (DF) 14:57:26.869732 79.143.250.153.4500 37.160.239.206.20603:udpencap: esp 79.143.250.153 37.160.239.206
Re: troubleshooting carp [solved]
This is very interesting. I have the faulty config in 5.5 but it seems to work. But we have it all on 1 line if that matters and we also specify carpdev ---snip--- This doesn't work so well: # cat /etc/hostname.carp0 inet 192.168.16.1/24 vhid 100 pass blahblah advbase 5 advskew 0 This works however: # cat /etc/hostname.carp0 vhid 100 pass blahblah advbase 5 advskew 0 inet 192.168.16.1/24
Re: ifconfig command for IPv6 tunnel
On Aug 19, 2014, at 9:38 PM, Adam Thompson athom...@athompso.net wrote: IIRC from my experimentation, you've got it exactly right. Some tunnel brokers give you subnet masks that certain versions of OpenBSD don't like - that turns out to not actually matter, just use whatever ifconfig(8) want. Point in case: HE recommends using /64 for PtP links, but OpenBSD 5.x requires /128. Since HE allocates an entire /64 per tunnel, there is no danger in configuring it more narrowly on the client end. Thanks for the info. As it happens, I am also using a tunnel provided by HE. The hostname.if(5) syntax that finally worked for me on 5.4-RELEASE was (slightly anonymized) description HE_TUNNEL_FREMONT tunnel 184.70.48.XXX dest 64.71.128.83 inet6 2001:470::X::2 dest 2001:470::X::1 prefixlen 128 which perhaps adds some clarity, or perhaps confuses, depending on your point of view. I can't remember whether (in the non-BGP case) I added the route command as !route -n add -inet6 default 2001:470:1f04:204::1 to the hostname.gif0 file, or if I added it to /etc/mygate - one or the other should work, anyway. I haven't gotten to the point of making this configuration permanent, but the example above makes sense. My initial effort is toward a larger goal of getting a small network of pure IPv6 hosts connected. My current thinking on how to do this is (in admittedly vague and incomplete terms) is: use a machine connected to the tunnel broker as a bridge. Other machines would connect to it and perform address auto configuration, using the prefix of the HE provided network. To accomplish this, the bridge machine would run the daemon that hands out these prefixes, which I think is called rtadvd Comments on this approach (or alternatives) are welcome. Finally, is this the place to discuss these kinds of network setup puzzles? I happen to be using OpenBSD, but this kind of task really is at the intersection of operating system specifics and the more general practice of network design. Chuck
Re: pkg_mgr error: Fatal error: Ustar ... Eror while reading header
I shall wait, ill keep trying different things I have defined PKG_CACHE in my regular user home dir, I'll try unsetting that and other things, and let you know if I get different results ... thanks. Daniel On Wed, Aug 20, 2014 at 2:14 AM, Philip Guenther guent...@gmail.com wrote: On Mon, Aug 18, 2014 at 6:08 PM, Daniel Villarreal yclwebmas...@gmail.com wrote: Sorry. This happens for lots of different programs... just tried to use pkg_mgr to install gif2png --- errors -- Fatal error: Ustar [ http://ftp.openbsd.org/pub/OpenBSD/5.5/packages/amd64/gif2png-2.5.2p1.tgz][share/doc/gif2png/README]: Error while reading header Huh. Off hand, I don't see anything weird in that file that should make the perl Ustar.pm choke. I'm afraid further analysis will have to await espie's return... Philip Guenther
Re: ifconfig command for IPv6 tunnel
On 14-08-20 09:12 AM, Charles Musser wrote: Thanks for the info. As it happens, I am also using a tunnel provided by HE. I know - I could tell by the addresses you provided :-). My current thinking on how to do this is (in admittedly vague and incomplete terms) is: use a machine connected to the tunnel broker as a bridge. Other machines would connect to it and perform address auto configuration, using the prefix of the HE provided network. To accomplish this, the bridge machine would run the daemon that hands out these prefixes, which I think is called rtadvd Comments on this approach (or alternatives) are welcome. Basically, yes. Although you have a router (does things with IP packets), not a bridge (does things with Ethernet frames) - that's a huge difference. I don't think I've ever relied on address autoconfig - it looks very nice in theory but has some limitations in practice. I would test everything using static IPs and static routes first, and then move on to rtadvd. HE assigns two blocks of addresses with every tunnel - the point-to-point tunnel addresses and the Routed IPv6 Prefixes. You want to use the IPv6 Tunnel Endpoints on the gif0 tunnel, which is presumably built on top of $external_if , and you want to use the Routed IPv6 Prefixes on $internal_if. Note that is perfectly valid to have public IPv6 addresses running on the same subnet as private (RFC1918) IPv4 addresses - IPv4 traffic gets NAT'd, IPv6 traffic merely gets routed. Do beware that your pf ruleset must pass IPv6 traffic without NAT'ing it... I think this is the default now, not sure. If you're like 99% of the IPv6-using population today, your router will probably become 2001:470::::1/64 (on $internal_if), and clients on the internal network will then become 2001:470::::2/64 to 2001:470::::254/64. There may well be better ways, but that naive approach will work. Oh, you'll have to enable net.inet6.ip6.forwarding on the router, I think it's off by default. Finally, is this the place to discuss these kinds of network setup puzzles? I happen to be using OpenBSD, but this kind of task really is at the intersection of operating system specifics and the more general practice of network design. Someone will tell you to go away, don't worry... The fact that you understand this makes answering you a lot more pleasant than the usual run-of-the-mill I deal with (elsewhere) where impossibly-bad network design somehow translates into the firewall must be broken when things don't work. I suggest you try google - the second hit for openbsd ipv6, at least for me, is a SANS Institute guide to setting up an IPv6 firewall using OpenBSD v3.0(!) which appears to mostly still be applicable. The docs for SixS aren't bad as long as you ignore the bits about their ~proprietary client software. Beware following guides that are too old - I see some old material referencing transition mechanisms (like FAITH - did anyone ever actually use that?), which probably aren't what you want to be looking at now. -- -Adam Thompson athom...@athompso.net
Re: acpi error running openbsd snapshot 20140820 (amd64)
On Wed, Aug 20, 2014 at 12:34:24PM +0400, Wesley MOUEDINE ASSABY wrote: Hi, Running the install56.fs from an usb key give me the following error : http://pbrd.co/1rWT1Us So i disabled acpi using UKC to be able to install : http://pbrd.co/1rWUqL0 OpenBSD is installed now, but running it with acpi support give me a kernel panic : http://pbrd.co/1rWTCFX trace : http://pbrd.co/1rWTKVS http://pbrd.co/1rWTUws and ps : http://pbrd.co/1rWU1bl So you expect us to help you when: 1. You've been randomly disabling code in the kernel. 2. You're claiming the bug is somehow related to acpi and yet you've provided us with no acpidump. What would your mechanic say if you took your car to the garage and said My engine is making a strange sound, but I'm not going to tell you what sound it's making. By the way, I've unplugged some random wires somewhere in the engine compartment. -ml Below, dmesg without acpi support : OpenBSD 5.6-current (GENERIC.MP) #336: Tue Aug 19 20:39:19 MDT 2014 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP real mem = 1996161024 (1903MB) avail mem = 1934336000 (1844MB) User Kernel Config UKC disable acpi 358 acpi0 disabled UKC quit Continuing... mpath0 at root scsibus0 at mpath0: 256 targets mainbus0 at root bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xfced0 (28 entries) bios0: vendor American Megatrends Inc. version P1.60 date 06/12/2007 acpi at bios0 not configured mpbios0 at bios0: Intel MP Specification 1.4 cpu0 at mainbus0: apid 0 (boot processor) cpu0: AMD Athlon(tm) 64 X2 Dual Core Processor 4800+, 2411.13 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,3DNOWP cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges cpu0: apic clock running at 200MHz cpu1 at mainbus0: apid 1 (application processor) cpu1: AMD Athlon(tm) 64 X2 Dual Core Processor 4800+, 2410.78 MHz cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,3DNOWP cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache cpu1: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative cpu1: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative mpbios0: bus 0 is type PCI mpbios0: bus 1 is type PCI mpbios0: bus 2 is type PCI mpbios0: bus 3 is type PCI mpbios0: bus 4 is type PCI mpbios0: bus 5 is type ISA ioapic0 at mainbus0: apid 2 pa 0xfec0, version 11, 24 pins cpu0: PowerNow! K8 2411 MHz: speeds: 2500 2400 2200 2000 1800 1000 MHz pci0 at mainbus0 bus 0 NVIDIA MCP61 Memory rev 0xa1 at pci0 dev 0 function 0 not configured pcib0 at pci0 dev 1 function 0 NVIDIA MCP61 ISA rev 0xa2 nviic0 at pci0 dev 1 function 1 NVIDIA MCP61 SMBus rev 0xa2 iic0 at nviic0 iic0: addr 0x4c 00=28 01=2f 02=80 03=01 04=06 05=46 06=00 07=46 08=00 10=60 11=00 12=00 13=00 14=00 19=6e 20=55 21=0a bf=06 e0=bb e1=c0 e2=82 e3=bb e4=c0 e5=2f e6=29 e7=68 e8=82 eb=4f ec=02 f1=20 f2=00 f3=10 f4=80 f5=00 f7=00 f8=00 f9=02 fa=00 fb=4c fc=4f fd=37 fe=5c ff=01 words 00=29ff 01=2fff 02=80ff 03=01ff 04=06ff 05=46ff 06=00ff 07=46ff spdmem0 at iic0 addr 0x51: 2GB DDR2 SDRAM non-parity PC2-6400CL5 iic1 at nviic0 NVIDIA MCP61 Memory rev 0xa2 at pci0 dev 1 function 2 not configured ohci0 at pci0 dev 2 function 0 NVIDIA MCP61 USB rev 0xa2: apic 2 int 5, version 1.0, legacy support ehci0 at pci0 dev 2 function 1 NVIDIA MCP61 USB rev 0xa2: apic 2 int 10 usb0 at ehci0: USB revision 2.0 uhub0 at usb0 NVIDIA EHCI root hub rev 2.00/1.00 addr 1 ppb0 at pci0 dev 4 function 0 NVIDIA MCP61 rev 0xa1 pci1 at ppb0 bus 1 rl0 at pci1 dev 8 function 0 Realtek 8139 rev 0x10: apic 2 int 11, address 00:50:fc:47:20:a0 rlphy0 at rl0 phy 0: RTL internal PHY rl1 at pci1 dev 10 function 0 Realtek 8139 rev 0x10: apic 2 int 5, address 00:50:bf:93:3f:78 rlphy1 at rl1 phy 0: RTL internal PHY azalia0 at pci0 dev 5 function 0 NVIDIA MCP61 HD Audio rev 0xa2: apic 2 int 11 azalia0: codecs: Realtek ALC888 audio0 at azalia0 pciide0 at pci0 dev 6 function 0 NVIDIA MCP61 IDE rev 0xa2: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility pciide0: channel 0 disabled (no drives) pciide0: channel 1 ignored (disabled) nfe0 at pci0 dev 7 function 0 NVIDIA MCP61 LAN rev 0xa2: apic 2 int 10, address 00:19:66:3a:de:a4 rlphy2 at nfe0 phy 1: RTL8201L 10/100 PHY, rev. 1 pciide1 at pci0 dev 8 function 0 NVIDIA MCP61 SATA rev 0xa2: DMA pciide1: using apic 2 int 10 for native-PCI interrupt wd0
Re: acpi error running openbsd snapshot 20140820 (amd64)
On 20.08.2014 19:27, Mike Larkin wrote: On Wed, Aug 20, 2014 at 12:34:24PM +0400, Wesley MOUEDINE ASSABY wrote: Hi, Running the install56.fs from an usb key give me the following error : http://pbrd.co/1rWT1Us So i disabled acpi using UKC to be able to install : http://pbrd.co/1rWUqL0 OpenBSD is installed now, but running it with acpi support give me a kernel panic : http://pbrd.co/1rWTCFX trace : http://pbrd.co/1rWTKVS http://pbrd.co/1rWTUws and ps : http://pbrd.co/1rWU1bl So you expect us to help you when: 1. You've been randomly disabling code in the kernel. I can't install it with acpi support as i mentioned. The error with acpi at install process : Running the install56.fs from an usb key give me the following error : http://pbrd.co/1rWT1Us 2. You're claiming the bug is somehow related to acpi and yet you've provided us with no acpidump. If you look the error message : http://pbrd.co/1rWT1Us How can i get the acpidump if there 's no ddb prompt ? :) What would your mechanic say if you took your car to the garage and said My engine is making a strange sound, but I'm not going to tell you what sound it's making. By the way, I've unplugged some random wires somewhere in the engine compartment. Criticism is easy :) ==wma
Re: acpi error running openbsd snapshot 20140820 (amd64)
On 2014 Aug 20 (Wed) at 19:47:57 +0400 (+0400), Wesley MOUEDINE ASSABY wrote: :On 20.08.2014 19:27, Mike Larkin wrote: :On Wed, Aug 20, 2014 at 12:34:24PM +0400, Wesley MOUEDINE ASSABY wrote: :Hi, : :Running the install56.fs from an usb key give me the following error : :http://pbrd.co/1rWT1Us : :So i disabled acpi using UKC to be able to install : :http://pbrd.co/1rWUqL0 : :OpenBSD is installed now, but running it with acpi support give me a :kernel panic : :http://pbrd.co/1rWTCFX : :trace : :http://pbrd.co/1rWTKVS :http://pbrd.co/1rWTUws : :and ps : :http://pbrd.co/1rWU1bl : :So you expect us to help you when: : :1. You've been randomly disabling code in the kernel. : :I can't install it with acpi support as i mentioned. :The error with acpi at install process : : :Running the install56.fs from an usb key give me the following error : :http://pbrd.co/1rWT1Us : :2. You're claiming the bug is somehow related to acpi :and yet you've provided us with no acpidump. : :If you look the error message : :http://pbrd.co/1rWT1Us : :How can i get the acpidump if there 's no ddb prompt ? :) : you run the command. :What would your mechanic say if you took your car to the garage and said :My engine is making a strange sound, but I'm not going to tell you what :sound it's making. By the way, I've unplugged some random wires somewhere :in the engine compartment. : :Criticism is easy :) : I applaud you for insulting the guy that could actually fix acpi bugs. Good job. :==wma : -- Expense Accounts, n.: Corporate food stamps.
Re: acpi error running openbsd snapshot 20140820 (amd64)
On Wed, Aug 20, 2014 at 07:47:57PM +0400, Wesley MOUEDINE ASSABY wrote: On 20.08.2014 19:27, Mike Larkin wrote: On Wed, Aug 20, 2014 at 12:34:24PM +0400, Wesley MOUEDINE ASSABY wrote: Hi, Running the install56.fs from an usb key give me the following error : http://pbrd.co/1rWT1Us So i disabled acpi using UKC to be able to install : http://pbrd.co/1rWUqL0 OpenBSD is installed now, but running it with acpi support give me a kernel panic : http://pbrd.co/1rWTCFX trace : http://pbrd.co/1rWTKVS http://pbrd.co/1rWTUws and ps : http://pbrd.co/1rWU1bl So you expect us to help you when: 1. You've been randomly disabling code in the kernel. I can't install it with acpi support as i mentioned. The error with acpi at install process : Running the install56.fs from an usb key give me the following error : http://pbrd.co/1rWT1Us 2. You're claiming the bug is somehow related to acpi and yet you've provided us with no acpidump. If you look the error message : http://pbrd.co/1rWT1Us How can i get the acpidump if there 's no ddb prompt ? :) man acpidump What would your mechanic say if you took your car to the garage and said My engine is making a strange sound, but I'm not going to tell you what sound it's making. By the way, I've unplugged some random wires somewhere in the engine compartment. Criticism is easy :) Asking for help and providing a substandard bug report is easier.
OpenBSD 5.5-STABLE: Full Disk Encryption (bioctl) and Smard Cards
Hello everbody, I'm from FreeBSD and I wanted to give OpenBSD a (new) try. I would like to have a full disk encryption (as I've seen it's possible now with OpenBSD 5.5) and use a smart card to decrypt the volumes at boot, instead of having to type a password, which seems less secure. I read a lot of articles to see how it works using bioctl but none are talking about using a smart card as a keydisk, only USB drive. If I understood correctly, when using bioctl -k /path/of/RAID/keydisk, the key is created automatically and the encrypted RAID volume is associated to that USB RAID partition keydisk. So the system can now boot only if the BIOS/UEFI finds that particular USB RAID partition. My questions are: 1) How to do the same thing using a Smart Card instead of a USB drive? 2) Is it possible to copy the image of the USB key disk to a Smart Card (or inversely) to be able to boot using either the USB or the Smart Card? 3) If the Smart card is used as a key disk to boot the system. Is it possible to configure that same smart card to access my home computer using SSH? (As if it was ONLY possible to SSH to my computer using that smartcard). Thank you very much for your help, I'm pretty new with those kind of things. Julien M
Re: acpi error running openbsd snapshot 20140820 (amd64)
How can i get the acpidump if there 's no ddb prompt ? :) man acpidump Reading FAQ, there's no acpidump informations...the same for acpi(4) I will post the dump. Thank you very much. What would your mechanic say if you took your car to the garage and said My engine is making a strange sound, but I'm not going to tell you what sound it's making. By the way, I've unplugged some random wires somewhere in the engine compartment. Criticism is easy :) Asking for help and providing a substandard bug report is easier. +1 :)
Re: ifconfig command for IPv6 tunnel
On Aug 20, 2014, at 7:43 AM, Adam Thompson athom...@athompso.net wrote: I know - I could tell by the addresses you provided :-). So much for *my* anonymity... ;-) Basically, yes. Although you have a router (does things with IP packets), not a bridge (does things with Ethernet frames) - that's a huge difference. I don't think I've ever relied on address autoconfig - it looks very nice in theory but has some limitations in practice. I would test everything using static IPs and static routes first, and then move on to rtadvd. HE assigns two blocks of addresses with every tunnel - the point-to-point tunnel addresses and the Routed IPv6 Prefixes. You want to use the IPv6 Tunnel Endpoints on the gif0 tunnel, which is presumably built on top of $external_if , and you want to use the Routed IPv6 Prefixes on $internal_if. Note that is perfectly valid to have public IPv6 addresses running on the same subnet as private (RFC1918) IPv4 addresses - IPv4 traffic gets NAT'd, IPv6 traffic merely gets routed. rtadvd: Yes, one thing at a time. Static IPs first. router vs. bridge: good point. Because I those routed IPv6 Prefixes are available, there are two networks in play, so it's routing and not bridging. I was initially operating under the assumption that there was one network for both the tunnel endpoint and the other hosts, so I thought bridge!. But that isn't the case. Do beware that your pf ruleset must pass IPv6 traffic without NAT'ing it... I think this is the default now, not sure. This, I will have to dig into. I wasn't aware that PF was enabled. But I suspect you can't get very far in these setups without it. Another responder provided some PF rules to try, so I can study those.
Re: ifconfig command for IPv6 tunnel
On Aug 20, 2014, at 4:15 AM, Ed Hynan eh_l...@optonline.net wrote: On Tue, 19 Aug 2014, Charles Musser wrote: - prefix::1 is the local address of the interface on the IPv6 network. No, *::2 is local. Ah, yes. Despite my best efforts at copyediting, I had the meanings of *::1 and *::2 reversed. - The alias parameter is superfluous in this case. I tried it without that and got the same result: an operating tunnel. If it works, ifconfig is being smart, but why not make your intent explicit? The tunnel is across the ip4 addresses; this command adds aliases, or close enough. Stated another way: the alias keyword doesn't do any harm here, but using it makes things harder to understand because this isn't actually an alias; it's a local address and a remote address and this pair comprises the endpoints of a point-to-point link. It's ambiguous when you write the server IP because the remote end of the tunnel is a server, and if you're configuring a router rather than a host then that's a server too. Addr *:2 is local in that it's an address of your gif(4) interface. The ifconfig(8) synopsis is simpler than gif configuration, but yes *::2 is like dest_address. Just to clarify, this setup is currently a host, not a router. Given all that, ::2 is the local address and ::1 is remote. Doesn't that make ::1 the dest_address? Note: possible beating of dead horse here. Feel free to say: stop obsessing over the syntax of this command, dummy. Addr *::1 is remote. Try 'netstat -nvrf inet6 | grep 2001:' and find that *::1 has the G (gateway) flag, and host *::2 has a route to *::1. Output of that is: default2001:470:1f04:204::1 UGS6 146 - 8 gif0 2001:470:1f04:204::1 2001:470:1f04:204::2 UH 1 0 - 4 gif0 2001:470:1f04:204::2 link#6 UHL0 0 - 4 lo0 This is different than what you describe, but it makes sense. I think. Also look at something using the interface, maybe ntpd. Look at the address with 'netstat -nvf inet6 | grep 123' (no -r there), and see that *::2 is local. Output is: Active Internet connections Proto Recv-Q Send-Q Local Address Foreign Address(state) tcp6 0 0 2001:470:1f04:204::2.32069 2001:200:dff:fff1:216:3eff:feb1:44d7.80 ESTABLISHED tcp6 0 0 2001:470:1f04:204::2.7 2001:200:dff:fff1:216:3eff:feb1:44d7.80 ESTABLISHED tcp6 0 0 2001:470:1f04:204::2.30221 2001:200:dff:fff1:216:3eff:feb1:44d7.80 ESTABLISHED tcp6 0 0 2001:470:1f04:204::2.3173 2001:200:dff:fff1:216:3eff:feb1:44d7.80 ESTABLISHED tcp6 0 0 2001:470:1f04:204::2.27980 2001:200:dff:fff1:216:3eff:feb1:44d7.80 ESTABLISHED tcp6 0 0 2001:470:1f04:204::2.48945 2001:200:dff:fff1:216:3eff:feb1:44d7.80 ESTABLISHED This seems to confirm what you said. The local endpoint is indeed *::2.
Re: OpenBSD 5.5-STABLE: Full Disk Encryption (bioctl) and Smard Cards
On Wed, Aug 20, 2014 at 18:11, Julien Meister wrote: Hello everbody, I'm from FreeBSD and I wanted to give OpenBSD a (new) try. I would like to have a full disk encryption (as I've seen it's possible now with OpenBSD 5.5) and use a smart card to decrypt the volumes at boot, instead of having to type a password, which seems less secure. I read a lot of articles to see how it works using bioctl but none are talking about using a smart card as a keydisk, only USB drive. If I understood correctly, when using bioctl -k /path/of/RAID/keydisk, the key is created automatically and the encrypted RAID volume is associated to that USB RAID partition keydisk. So the system can now boot only if the BIOS/UEFI finds that particular USB RAID partition. My questions are: 1) How to do the same thing using a Smart Card instead of a USB drive? 2) Is it possible to copy the image of the USB key disk to a Smart Card (or inversely) to be able to boot using either the USB or the Smart Card? 3) If the Smart card is used as a key disk to boot the system. Is it possible to configure that same smart card to access my home computer using SSH? (As if it was ONLY possible to SSH to my computer using that smartcard). This would depend a lot on your smart card. Does it show up as a disk, like sd1 or sd2, like USB drives do? If so, then you do exactly what you'd do with a USB drive. If not, then it's not supported.
Re: pkg_mgr error: Fatal error: Ustar ... Eror while reading header
Hello Daniel, please see my answers inline. On 19 August 2014 04:08, Daniel Villarreal yclwebmas...@gmail.com wrote: Sorry. This happens for lots of different programs... just tried to use pkg_mgr to install gif2png --- errors -- Fatal error: Ustar [ http://ftp.openbsd.org/pub/OpenBSD/5.5/packages/amd64/gif2png-2.5.2p1.tgz][share/doc/gif2png/README]: Error while reading header in root's .profile... *PKG_PATH=http://ftp.openbsd.org/pub/OpenBSD/$(uname http://ftp.openbsd.org/pub/OpenBSD/$(uname -r)/packages/$(uname -m)/* Afaik. * shouldn't be the last char. # cat /etc/pkg.conf installpath=http://ftp.openbsd.org/pub/OpenBSD/5.5/packages/amd64 Missing '/' char from the end. Thanks, Daniel -- Cheers, Ville
carp preempt
Hi Misc, Now I seem to have issues with carp preemption. If I have net.inet.carp.preempt=1 and take down carp0 on the Master with ifconfig carp0 down, isn't the idea for carp7 on the same firewall to have carpdemote set to 128 or similar? -According to tcpdump it doesn't change carpdemote at all. I have two firewalls, Right and Left (pf not currently enabled since I am testing carp) em0 + carp0 is on internal network on both firewalls em7 + carp7 is on external network on both firewalls Right # sysctl net.inet.carp net.inet.carp.allow=1 net.inet.carp.preempt=1 net.inet.carp.log=7 Left # sysctl net.inet.carp net.inet.carp.allow=1 net.inet.carp.preempt=1 net.inet.carp.log=7
named does not start?
OpenBSD 5.6-current (GENERIC.MP) #336: Tue Aug 19 20:39:19 MDT 2014 starting network daemons: sshd dhcpd(failed) smtpd nginx ftpproxy tftpd sndiod. But in /etc/rc.conf.local I have: named_flags= A bug perhaps?
Re: named does not start?
On Wed, Aug 20, 2014 at 3:08 PM, Christer Solskogen christer.solsko...@gmail.com wrote: named_flags= Try named_flags= I had the same issue with httpd in 5.5. It seems that ntpd lets you have blank afer =, but not httpd Not running named on this system so dunno : ntpd_flags= # enabled during install httpd_flags= # for normal use: -- Don't eat anything you've ever seen advertised on TV - Michael Pollan, author of In Defense of Food
Re: pkg_mgr error: Fatal error: Ustar ... Eror while reading header
Ville, I will do those corrections shortly. I really appreciate your help. FYI, the `installpath=http://ftp.openbsd.org/pub/OpenBSD/5.5/packages/amd64` part I got directly from the CD-set liner notes. I still need to listen to the songs on discs 1 and 2. kind regards, Daniel Villarreal .. [stuff deleted] in root's .profile... *PKG_PATH=http://ftp.openbsd.org/pub/OpenBSD/$(uname http://ftp.openbsd.org/pub/OpenBSD/$(uname -r)/packages/$(uname -m)/* Afaik. * shouldn't be the last char. # cat /etc/pkg.conf installpath=http://ftp.openbsd.org/pub/OpenBSD/5.5/packages/amd64 Missing '/' char from the end. ...
Re: named does not start?
On Wed, Aug 20, 2014 at 9:23 PM, Alan McKay alan.mc...@gmail.com wrote: On Wed, Aug 20, 2014 at 3:08 PM, Christer Solskogen christer.solsko...@gmail.com wrote: named_flags= Try named_flags= I had the same issue with httpd in 5.5. It seems that ntpd lets you have blank afer =, but not httpd Not running named on this system so dunno : ntpd_flags= # enabled during install httpd_flags= # for normal use: It might also have something do with that named is not in base anymore (I figured that out now) -- chs
Re: ifconfig command for IPv6 tunnel
On Wed, 20 Aug 2014, Charles Musser wrote:
On Aug 20, 2014, at 4:15 AM, Ed Hynan eh_l...@optonline.net wrote:
On Tue, 19 Aug 2014, Charles Musser wrote:
- prefix::1 is the local address of the interface on the IPv6
network.
No, *::2 is local.
Ah, yes. Despite my best efforts at copyediting, I had the meanings of *::1 and
*::2 reversed.
- The alias parameter is superfluous in this case. I tried it without
that and got the same result: an operating tunnel.
If it works, ifconfig is being smart, but why not make your intent
explicit? The tunnel is across the ip4 addresses; this command adds
aliases, or close enough.
Stated another way: the alias keyword doesn't do any harm here, but
using it makes things harder to understand because this isn't actually an
alias; it's a local address and a remote address and this pair comprises
the endpoints of a point-to-point link.
Although this is a little more complex on gif than e.g. an ethernet interface,
alias is at least similar. On a more straightforward type interface, alias
is used adding additional addresses (BTW, not OpenBSD specific, the alias
keyword is similar for {Net,Free}BSD; and, apparently dissimilar on Linux).
Think of the IPv6 addrs as 'additional' after IPv4 tunnel addrs for
conceptual satisfaction.
It's ambiguous when you write the server IP because the remote end
of the tunnel is a server, and if you're configuring a router rather
than a host then that's a server too. Addr *:2 is local in that it's
an address of your gif(4) interface. The ifconfig(8) synopsis is
simpler than gif configuration, but yes *::2 is like dest_address.
Just to clarify, this setup is currently a host, not a router. Given all that,
::2 is the local address and ::1 is remote. Doesn't that make ::1 the
dest_address?
Note: possible beating of dead horse here. Feel free to say: stop
obsessing over the syntax of this command, dummy.
grin Yes, *::1 is like dest_address; I miswrote and should have said
*::2 is like address in the synopsis (had just woke up). IAC *::2
is local, software on the machine may have that as source address,
not *::1.
Addr *::1 is remote. Try 'netstat -nvrf inet6 | grep 2001:' and find
that *::1 has the G (gateway) flag, and host *::2 has a route to *::1.
Output of that is:
default2001:470:1f04:204::1 UGS6
146 - 8 gif0
2001:470:1f04:204::1 2001:470:1f04:204::2 UH 1
0 - 4 gif0
2001:470:1f04:204::2 link#6 UHL0
0 - 4 lo0
This is different than what you describe, but it makes sense. I think.
Is it different? Your output shows what I intended to describe.
Line 1 with G flag shows that 'gateway' addr *::1 is default route
and line 2 with H flag shows 'host' addr *::2 has/is a route to *::1
(didn't I suggest that clearly on my 1st coffee? I think I did).
Also look at something using the interface, maybe ntpd. Look at the
address with 'netstat -nvf inet6 | grep 123' (no -r there), and
see that *::2 is local.
Output is:
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address(state)
tcp6 0 0 2001:470:1f04:204::2.32069
2001:200:dff:fff1:216:3eff:feb1:44d7.80 ESTABLISHED
tcp6 0 0 2001:470:1f04:204::2.7
2001:200:dff:fff1:216:3eff:feb1:44d7.80 ESTABLISHED
tcp6 0 0 2001:470:1f04:204::2.30221
2001:200:dff:fff1:216:3eff:feb1:44d7.80 ESTABLISHED
tcp6 0 0 2001:470:1f04:204::2.3173
2001:200:dff:fff1:216:3eff:feb1:44d7.80 ESTABLISHED
tcp6 0 0 2001:470:1f04:204::2.27980
2001:200:dff:fff1:216:3eff:feb1:44d7.80 ESTABLISHED
tcp6 0 0 2001:470:1f04:204::2.48945
2001:200:dff:fff1:216:3eff:feb1:44d7.80 ESTABLISHED
This seems to confirm what you said. The local endpoint is indeed *::2.
Looks good. Since this is a host never mind rtadvd (I had mentioned
that). You'll want to handle IPv6 in pf generally. Since you
didn't mention it I suppose you're not strictly firewalling; you
would have mentioned allowing proto 41 for the ip4 remote endpoint
or maybe you've got that all set.
-Ed
--
Today's weirdness is tomorrow's reason why.
-- Hunter S. Thompson
Re: Strip private AS# from AS-PATH with OpenBGPd
On 2014-08-20, Laurent CARON lca...@unix-scripts.info wrote:
While reviewing my BGP filters, i realized I don't filter private AS# in
the AS-PATH.
According to OpenBGPd's man page, it is possible to use:
deny from any AS { 64512 64513 65535 }
It would however be quite unmaintainable and not really clean.
That would deny (reject) routes, it would not strip private ASN from the
AS-path, openbgp doesn't have a way to do that.
If you actually mean rejecting the routes (not modifying the path on
routes which you want to permit), and if it's customers (or possibly
peers) that you're talking about, explicitly permit what you expect to
see, deny all others. it's the only sane way. (Obviously make use of IRR
or other automated means to setup filters, if appropriate).
Re: ifconfig command for IPv6 tunnel
Forgot to reply-all yesterday (only sent to Charles) to keep the
thread in-sync with the rest of the conversation (don't nuke me for
stating the obvious + added the rtadvd/route6d)
On 20 August 2014 13:40, Charles Musser cmus...@sonic.net wrote:
ifconfig gif0 tunnel 50.1.94.112 72.52.104.74
ifconfig gif0 inet6 alias 2001:470:1f04:204::2 2001:470:1f04:204::1 prefixlen
128
route -n add -inet6 default 2001:470:1f04:204::1
Spot on there Chuck. That is how I have mine set up.
Don't forget to change in your /etc/sysctl.conf file:
net.inet6.icmp6.rediraccept=1 # 1=Accept IPv6 ICMP redirects (for hosts)
net.inet6.ip6.forwarding=1 # 1=Permit forwarding (routing) of IPv6 packets
(note the removal of the comment #)
You will also need to tweek your /etc/pf.conf rule set. Here is a
rough guide, mileage may vary:
icmp6_types={ unreach, timex, paramprob, echoreq, routeradv,
routersol, neighbradv, neighbrsol } # Only want these ICMP6 types
block return# default that probably exists in your environment -
nothing to come in unless explicitly defined below (IPv4 and IPv6)
pass out on gif0 inet6# Allow for all ICMP6 traffic
out - you may not want to do this but whatever works for you
pass inet6 proto icmp6 icmp6-type $icmp6_types # Allow
ICMP6 of types defined above to move in and out freely
pass on vmx0 inet6# Allowing traffic in and out of internal network.
Then you'll need to setup the rtadvd daemon to hand out your /64 to
your internal clients (/etc/rtadvd.conf):
default:\
:rdnss=ipv6 of your internal DNS server or server
that you use:\
:dnssl=search domain:
vmx0:\ # This is my internal interface, yours may be different
:addr=your /64 subnet prefix:::prefixlen#64:tc=default:
Now enable all that to serve your internal clients (/etc/rc.conf.local):
rtadvd_flags=vmx0
route6d_flags=
That should be about it.
--
Roads? Where we're going, we don't need roads - Emmett Doc Brown
Re: APU.1C
On 2014-08-19, Stan Gammons sg063...@gmail.com wrote: Anyway. Did you have to sign a NDA to get the datasheet? I see on the RealTek website where they say it supports jumbo frames to 9K. Wonder if RealTek would answer some questions about the register config for jumbo frames? I just found it on google, didn't take long and it's easier now you have the strings from my previous mail to search for :) It's probably not too horrible to find in another OS's driver if there's one known to support it (as opposed to the vendor's own driver which was a right mess last time I looked). Probably easier than finding a vendor contact willing and able to give out information.
Xrdp network times out
I am running snapshot from 8th of August (amd64 and i386 versions). I need to work on a remote location. The access to remote center is provided via combination of OpenVPN and Xrdp. 1. OpenVPN tunnel via tap interface. 2. Connecting to Xrdp server which appears to use VNC as a back end as it runs on a clone of Red Hat. However documentation requires RDP client and network traffic is happening on TCP/UDP 3389 which indicates RDP backends so I am confused. OpenVPN tunnel appears to be rock stable. Only tricky part was editing configuration file with dev tun0 dev-type tap to use tap interface. However connecting to Xrdp server is a mixed bag. I tried Remmina but it dumps core both on amd64 and i386 when trying to use RDP protocol (as suggested by their documentation and the fact that I nailed network traffic to TCP/UDP port 3389). rdesktop works well on amd64 but on i386 I get reproducible freezes which are due to rdesktop (after little bit of trouble shooting). Rdesktop post freeze message (after I kill it) reveals network times out. I have ZERO experience connecting to Xrdp servers. My first hunch was that rdesktop was running out of memory so I monkey little bit with /etc/login.conf increasing the following default options :datasize-max=512M:\ :datasize-cur=512M:\ :maxproc-max=256:\ :maxproc-cur=128:\ :openfiles-cur=512:\ It didn't help. Is there an alternative client for Xrdp which I can try. Does this indicate poorly configured Xrdp server? What else could cause such a big difference between amd64 and i386 experience. Most Kind Regards, Predrag
Re: [Bulk] Re: Access Point Section of the faq
On 2014-08-19, Kevin Chadwick ma1l1i...@yahoo.co.uk wrote: So sthen unless you need 802.11n perhaps it's worth a look at OpenBSD again. I know I am far happier with an OpenBSD access point than a Linux one and the time to set it up is amasingly quick when it works especially compared to a Linux Install rather than router. For wlan, I need boxes that I can buy, strap up outdoors, and have them connect with a reasonable range with a wide variety of devices. I also need WDS in some cases (for multi device client bridge) and multi SSID (bridged to multi vlans) in some cases. Even if I could do this with OpenBSD, compatible hardware is about 10x the size and weight of what I often use (and about 4x the price). Yes I'd be happier if I could run OpenBSD on these but since I can't make that happen myself I go with what works.
Re: APU.1C
On 08/20/14 17:24, Stuart Henderson wrote: On 2014-08-19, Stan Gammons sg063...@gmail.com wrote: Anyway. Did you have to sign a NDA to get the datasheet? I see on the RealTek website where they say it supports jumbo frames to 9K. Wonder if RealTek would answer some questions about the register config for jumbo frames? I just found it on google, didn't take long and it's easier now you have the strings from my previous mail to search for :) It's probably not too horrible to find in another OS's driver if there's one known to support it (as opposed to the vendor's own driver which was a right mess last time I looked). Probably easier than finding a vendor contact willing and able to give out information. Ok. I have another APU.1C that I can experiment with now. Guess I could try one of the other BSDs to see about jumbo frames and the link LED issue. Stan
Re: ifconfig command for IPv6 tunnel
On Aug 20, 2014, at 2:25 PM, Ed Hynan eh_l...@optonline.net wrote:
Although this is a little more complex on gif than e.g. an ethernet interface,
alias is at least similar. On a more straightforward type interface, alias
is used adding additional addresses (BTW, not OpenBSD specific, the alias
keyword is similar for {Net,Free}BSD; and, apparently dissimilar on Linux).
Think of the IPv6 addrs as 'additional' after IPv4 tunnel addrs for
conceptual satisfaction.
OK, got it. I am at peace.
Output of that is:
default2001:470:1f04:204::1 UGS
6 146 - 8 gif0
2001:470:1f04:204::1 2001:470:1f04:204::2 UH
10 - 4 gif0
2001:470:1f04:204::2 link#6 UHL
00 - 4 lo0
This is different than what you describe, but it makes sense. I think.
Is it different? Your output shows what I intended to describe.
Line 1 with G flag shows that 'gateway' addr *::1 is default route
and line 2 with H flag shows 'host' addr *::2 has/is a route to *::1
(didn't I suggest that clearly on my 1st coffee? I think I did).
Upon reflection, it does match what you said. My coffee consumption, or
lack thereof, influenced my comprehension here.
Looks good. Since this is a host never mind rtadvd (I had mentioned
that). You'll want to handle IPv6 in pf generally. Since you
didn't mention it I suppose you're not strictly firewalling; you
would have mentioned allowing proto 41 for the ip4 remote endpoint
or maybe you've got that all set.
I don't now, but that's the goal. At this point, I need to forage for some
hardware to try building a router. I had a perfectly good beige box with
numerous interfaces that I threw out recently. Party foul. Once I get
that, then I probably will have PF-specific questions.
Re: foomatic-rip 'f' exited =?US-ASCII?Q?(retcode=3D9)?=
On Tue, Aug 19, 2014 at 11:25 PM, Predrag Punosevac simple printcap file for printing using lpd and foomatic-rip for about seven years now but since past release it stop working predrag@oko$ uname -a OpenBSD oko.bagdala2.net 5.6 GENERIC.MP#333 amd64 lp|HP|HP Photosmart 5250:\ :lp=/dev/ulpt0:\ :af=/etc/foomatic/HP-PhotoSmart_C5200.ppd:\ :if=/usr/local/bin/foomatic-rip:\ l sent to user predrag about job by daemon with permission 664. Spooling directory has correct permission. This is the only thing I see in log files Aug 19 23:10:16 oko lpd[15224]: lp: filter 'f' exited (retcode=9) Aug 19 23:10:16 oko lpd[15224]: m/etc/foomatic/lpd/lp.ppd:\ :sd=/var/spo stdin on printer lp ((null)) Aug 19 23:10:16 oko lpd[15224]: lp: job could not be printed (cfA002oko.bagdala2.net) However /tmp/foomatic-rip-mF6GXB.log is a bit more punoseva...@gmail.com wrote: I 1.0.54 running... :sh:sd=/var/spool/output:\ :lf=/var/log/lpd-errs: I am of course in the daemon group and /etc/ulpt0 is own so long time ago. The above is obviously caused by options passed to foomatic-rip. I also dislike the fact that one of the paths involve CUPS. Can somebody point to me what am I doing wrong here. I noticed that /etc/foomatic is no longer created automatically. Also filter.conf file is no longer needed? Thanks! Predrag It appears that I can print spool-lessly with foomatic-rip -P HP-PhotoSmart_C5200 --ppd HP-PhotoSmart_C5200.ppd /dev/ulpt0 so it seems that problem is that somehow I have to pass printer Id=HP-PhotoSmart_C5200 to cups filter via printcap which coincide with log outpu. Predrag
report(boot openbsd by puppy's grub4dos)
i make little progress , so report it . I install openbsd first in HDD. then I install puppy linux . 1) use puppy' fdisk ,then # fdisk /dev/sda Device Boot Start End Blocks Id System /dev/sda1 *204810487807 5242880 83 Linux -puppy /dev/sda2104878085583052722671360 83 Linux -ext2 /dev/sda3558305287814015911154816 a6 OpenBSD i will want to use this ext2 from puppy and openbsd . 2)puppy's grub4dos controls ' boot proess openbsd or puppy ' menu.lst in sda1 is next. title OpenBSD chainloader (hd0,2)+1 rootnoverify (hd0,2) boot 3)in openbsd disklabel wd0 is next #size offset fstype [fsize bsize cpg] a: 19426368 56886176 4.2BSD 2048 163841 # / b: 1055637 55830528swap # none c: 781401600 unused namely , ext2 is not shown . because i make ext2 after i install openbsd . therefore i must 'disklabel -e' details is next. good Material is in openbsd's 'fdisk wd0' #fdisk wd0 Disk: wd0 geometry: 4864/255/63 [78140160 Sectors] Offset: 0 Signature: 0xAA55 Starting Ending LBA Info: #: id C H S - C H S [ start:size ] --- *0: 83 0 32 33 -652 213 9 [2048:10485760 # # # ] # # Linux files* 1: 83652 213 10 - 3475 73 54 [10487808:45342720 # ] Linux files* 2: A6 3475 73 55 - 4863 254 63 [55830528:22309632 # ] OpenBSD 3: 00 0 0 0 - 0 0 0 [ 0: 0 ] unused # # # # i remember 10487808 45342720 then command disklabel -e wd0 and then vi editor come up . following openbsd FAQ , i add 'o: line' . see below #size offset fstype [fsize bsize cpg] a: 19426368 56886176 4.2BSD 2048 163841 # / b: 1055637 55830528swap # none c: 781401600 unused o: 45342720 10487808 ext2fs and at last mount_ext2fs /dev/wd0o /EXT2 but this same method 'disklabel -e' donot go well in USB memory . so i boot openbsd and puppy on USB by openbsd's grub . see http://openbsd-akita.blogspot.jp/2014/06/openbsad-runs-on-usb-memory-no-need-hdd.html mis - tuyosi
