Re: OpenBGPD not installing routes that happen to originate from the same ASN in another location into the RIB

2014-09-13 Thread Henning Brauer
* Gregory Edigarov ediga...@qarea.com [2014-09-12 20:28]:
 On 09/12/14 19:07, Henning Brauer wrote:
 * Paul S. cont...@winterei.se [2014-08-28 11:19]:
 Earlier today, however, I discovered that routes that I'm announcing under
 the same ASN (in another location) are being received and put into the RIB
 -- but never into the kernel's FIB.
 that's correct behaviour, routes from the same AS aren't supposed to be
 distributed via BGP but your IGP.
 IGP is correct solution in most cases, but it doesn't cover the situation
 when you need to accept a route originated from your remote location or a
 customer connected to your remote location.
 and your remote location is a few AS hops away from you.

That's not how BGP works.

 that's where 'allow-as in' come into play.
 although i would agree that it is a hack.

indeed.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual  Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: pfsync and trunk

2014-09-13 Thread Henning Brauer
* Tony Sarendal t...@polarcap.org [2014-09-03 06:48]:
 The initial request disappearing and the firewalls staying demoted
 forever are independent issues.

sure about that? the demotion counter for the interface group pfsyncX
is part of (usually carp) is kept raised until the bulk transfer
finishes. 

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual  Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: low power device

2014-09-13 Thread Liviu Daia
On 12 September 2014, Zé Loff zel...@zeloff.org wrote:
 On Fri, Sep 12, 2014 at 05:31:01PM +0200, Martijn van Duren wrote:
  On Fri, 2014-09-12 at 16:22 +0100, Zé Loff wrote:
   On Fri, Sep 12, 2014 at 04:28:46PM +0200, Lars wrote:
On 12.09.2014 15:27, Martijn van Duren wrote:
Hello misc@,
   
Hi,
   
Currently I have an old desktop PC running
as a home server/media center, which runs
OpenBSD. Most of the time it's idling, but does run
(open)ssh/(open)smtp/imap(dovecot)/http(nginx/apache
+subversion)/minidnla, which I want to keep available.

Is there any board/device known which can support these
requirements and is fully (within the requirements) supported
by OpenBSD?

   
As a personal preference I would avoid using ARM boards and
would try to go with x86/amd64 boards instead. I don't know
how well those ARM devices are supported on OpenBSD (I have
only a little experince with running Linux on those), but the
performance was pretty disappointing(with Linux). *I* would
decide for the APU from pcengines. http://pcengines.ch/apu.htm
  
   My first thought too, but it has no video, which is probably
   required by the OP.
 
  Video is not an requirement, since I primarily use it for streaming
  via DLNA, so network and storage are sufficient.

 Oh, in that case, I agree with Lars. I have a APU (the 2Gb) model
 running a bunch of light services for my small lan (pf, dhcpd,
 unbound, nsd, ntpd, wifi AP), and apart from heating a lot (passive
 cooling through the enclosure) it runs fine.
[...]

+1 for APU.1C, it's a nice machine, much faster than ARM boards.
I'd also buy a small mSATA disk for system (pretty much any model would
do, except the Chinese thing sold by PC Engines), and an external 3.5
USB disk with an external power brick for DLNA.  Don't try to mount a
2.5 SATA disk inside the case; it would overheat, and it would need
more power than the power brick that comes with APU.1C can provide.  For
similar reasons, you should probably avoid external disks powered over
USB (that is, most 2.5 external disks these days).  Also make sure to
upgrade to the latest firmware if you want to run OpenBSD.

Regards,

Liviu Daia



Re: PF Tagging

2014-09-13 Thread Henning Brauer
* andy a...@brandwatch.com [2014-09-02 21:12]:
 Hoping this is a pretty dumb question and someone can just shoot me down
 with an instant answer but is there any reason why I can't compare against
 multiple tags?

because list expansion for that case is not implemented in the parser.

not hard to do at all...

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual  Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: TCP checksum problems with NAT (maybe vlans/tun)

2014-09-13 Thread Henning Brauer
* Matt Hamilton ma...@netsight.co.uk [2014-09-06 14:11]:
 Based on the info above it would seem that the routing table thinks
 the packet should be routed to bnx0 based on the IP address. bnx0
 supports HW tcp checksums, so the OS does not create the checksum
 itself.
 
 But the packet never goes out bnx0, it is picked up by the bridge and
 sent down tun0 instead. tun interfaces do no recompute the tcp
 checksum and so by the time the packet gets to my laptop the checksum
 has never been correctly calculated and my laptop ignores the packet.

 So what do we need to do to fix this? Is getting the tun interface to
 calculate the checksums the way to go?

seems like you manage to hit a case where the %*#^(*@!^(_! bridge
confuzzles interfaces. AGAIN.

did I mention the bridge has to die?

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual  Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: pf: reassemble tcp

2014-09-13 Thread Henning Brauer
* Sonic sonicsm...@gmail.com [2014-09-05 17:12]:
 On Fri, Sep 5, 2014 at 4:42 AM, Kapetanakis Giannis
 bil...@edu.physics.uoc.gr wrote:
  yeah, don't use reassemble tcp. it's not perfect.
 Isn't that default behavior?

hell, no.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual  Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: pf: reassemble tcp

2014-09-13 Thread Henning Brauer
* Kapetanakis Giannis bil...@edu.physics.uoc.gr [2014-09-06 00:50]:
 I'm asking about reassemble tcp.
 
 According to some 2010's threads in misc@ it used to cause problems to some
 users.
 I'm wondering what's the status now.

unchanged.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual  Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: How to disable the mouse cursor in FVWM?

2014-09-13 Thread Thomas Adam
On 12 September 2014 19:18,  somelooser3...@hushmail.com wrote:
 Hello,

 we are using OpenBSD 5.5 with FVWM.

 How can we disable the mouse cursor?

 So we shouldn't see the mouse cursor if we push the mouse a little.

 Is the solution somewhere here? :

Not via FVWM directly.  You might be able to use unclutter to always
hide the pointer though.

-- Thomas Adam



Re: How to disable keyboard+mouse input in FVWM?

2014-09-13 Thread Thomas Adam
On 12 September 2014 19:22,  somelooser3...@hushmail.com wrote:
 Still didn't found a way to disable the mouse and keyboard.

 Any hints please?

I asked you before what you meant by this, and suggested:

Style * NeverFocus

Is that not what you're after?  It's a pretty odd request.  Are you
trying to build some kind of kiosk?  I've written about such things in
the past.

-- Thomas Adam



Re: pf: reassemble tcp

2014-09-13 Thread Kapetanakis Giannis

On 13/09/14 11:55, Henning Brauer wrote:

* Kapetanakis Giannis bil...@edu.physics.uoc.gr [2014-09-06 00:50]:

I'm asking about reassemble tcp.

According to some 2010's threads in misc@ it used to cause problems to some
users.
I'm wondering what's the status now.

unchanged.



Thanks for the reply

G



Re: Has anyone gotten qemu to install a Linux vm on OpenBSD5.5, 64bit?

2014-09-13 Thread Brett Mahar
On Fri, 12 Sep 2014 21:15:59 -0400
Steve Litt sl...@troubleshooters.com wrote:

| Hi all,
| 
| Has anyone gotten qemu to install a Linux vm on OpenBSD5.5, 64bit?

Hi Steve,

There's a readme that is installed when you install the qemu package, you 
should check that out. I had opensuse running a while ago (lots of the other 
linux distributions would not work). What I did was:

After creating .img file:

$ ulimit -d 200

$ qemu -m 1300 -no-acpi -monitor stdio -no-fd-bootchk -hda virtual.img -cdrom 
openSUSE-11.4-GNOME-LiveCD-i686.iso -boot d

Then when you get to the installer screen, select f4[kernel version]safe mode; 
F3[graphics]vesa

Once installed and virtual disk compressed, normal booting works with:

$ qemu -m 1300 -no-acpi -no-fd-bootchk -hda virtual.img

then selecting failsafe mode to boot into a console (no x11) desktop. If you 
want a graphical desktop
environment, choose failsafe mode and then delete nomodeset x11 failsafe from 
the boot arguments.

This would need to be adjusted for newer qemu, command line options I used 
recently with pcbsd were:

$ qemu-system-x86_64 -m 256 -cdrom 
PCBSD10.0.2-RELEASE-06-20-2014-x64-DVD-USB.iso pcbsd-qemu.img 

launch:
$ qemu-system-x86_64 -m 1200 -display gtk -vga std -sdl -hda pcbsd-qemu.img

Brett.

PS whatever you run it will be slow.



Re: pf block return sends rst through wrong interface

2014-09-13 Thread Sebastian Benoit
Hi Thomas,

A possible solution to your problem might be to put ext_if1 into its own
rdomain with its default route out through ext_if1.

/Benno

Henning Brauer(hb-open...@ml.bsws.de) on 2014.09.12 18:10:26 +0200:
 * Thomas Pfaff tpf...@tp76.info [2014-08-28 13:51]:
  I have a router with two external interfaces, ext_if1 and ext_if2,
  where everything gets routed through ext_if2 by default (gateway)
  except for a few daemons on ext_if1.
  
 pass in on $ext_if1 inet proto tcp from any to $ext_if1 \
port ssh reply-to ($ext_if1 $ext_gw1)
  
  This seems to work as expected, sending return traffic through
  ext_if1 rather than the default gateway.
  
  The problem is when a connection attempt is made on $ext_if1 to
  a blocked port (set block-policy return).  RST is sent through
  ext_if2 rather than ext_if1, thus showing up at the destination
  with the wrong source address.
  
  I'm unable to find a rule that will get the router to send RST
  through the correct interface, so other than using block-policy
  drop to not send RST, is there a way to make it send through
  the correct interface (ext_if1 in this case)?
 
 pf-generated packets like these RSTs bypass the ruleset, thus never
 hit your reply-to.
 
 I'm not aware of a solution.
 
 (route-to and reply-to are stupid to begin with. Avoid at all cost.)
 
 -- 
 Henning Brauer, h...@bsws.de, henn...@openbsd.org
 BS Web Services GmbH, http://bsws.de, Full-Service ISP
 Secure Hosting, Mail and DNS. Virtual  Dedicated Servers, Root to Fully 
 Managed
 Henning Brauer Consulting, http://henningbrauer.com/
 

-- 



LibreSSL Post-Quantum World, NTRU

2014-09-13 Thread why not
hello

Besides NTRU is having a GPL licence, what are the obstacles that need to be 
overcome to have it in LibreSSL?

https://github.com/NTRUOpenSourceProject/ntru-crypto

https://www.youtube.com/results?search_query=NTRU+crypto

https://crypto.stackexchange.com/questions/11629/public-key-cryptosystems-without-poly-time-quantum-attacks

https://www.youtube.com/results?search_query=Quantum%20Computing%20Cryptography

It would survive in a Post-Quantum computing era (10-20 years?), while other 
PKI systems would fail. 

have a great day,



Re: Has anyone gotten qemu to install a Linux vm on OpenBSD5.5, 64bit?

2014-09-13 Thread Stefan Berger
On Sat, Sep 13, 2014 at 10:18:31PM +1000, Brett Mahar wrote:
 On Fri, 12 Sep 2014 21:15:59 -0400
 Steve Litt sl...@troubleshooters.com wrote:
 
 | Hi all,
 | 
 | Has anyone gotten qemu to install a Linux vm on OpenBSD5.5, 64bit?
 
 Hi Steve,
 
 There's a readme that is installed when you install the qemu package, you 
 should check that out. I had opensuse running a while ago (lots of the other 
 linux distributions would not work). What I did was:
 
 After creating .img file:
 
 $ ulimit -d 200
 
 $ qemu -m 1300 -no-acpi -monitor stdio -no-fd-bootchk -hda virtual.img -cdrom 
 openSUSE-11.4-GNOME-LiveCD-i686.iso -boot d
 
 Then when you get to the installer screen, select f4[kernel version]safe 
 mode; F3[graphics]vesa
 
 Once installed and virtual disk compressed, normal booting works with:
 
 $ qemu -m 1300 -no-acpi -no-fd-bootchk -hda virtual.img
 
 then selecting failsafe mode to boot into a console (no x11) desktop. If you 
 want a graphical desktop
 environment, choose failsafe mode and then delete nomodeset x11 failsafe 
 from the boot arguments.
 
 This would need to be adjusted for newer qemu, command line options I used 
 recently with pcbsd were:
 
 $ qemu-system-x86_64 -m 256 -cdrom 
 PCBSD10.0.2-RELEASE-06-20-2014-x64-DVD-USB.iso pcbsd-qemu.img 
 
 launch:
 $ qemu-system-x86_64 -m 1200 -display gtk -vga std -sdl -hda pcbsd-qemu.img
 
 Brett.

Thanks a lot.  I will try that too because I had problems with 
Linux distributions too.  Maybe, this 'Damn Small Linux' thing might be 
usable... .  Gentoo booted, too (the install iso), but I don't want to 
waste my entire life compiling linux stuff inside qemu. 

However, I got MINIX up and running within qemu (the system compiles 
inside the qemu box without any problems) and of course, OpenBSD runs 
inside qemu, too.  



Re: pfsync and trunk

2014-09-13 Thread Tony Sarendal
On Sat, Sep 13, 2014 at 10:17 AM, Henning Brauer hb-open...@ml.bsws.de
wrote:

 * Tony Sarendal t...@polarcap.org [2014-09-03 06:48]:
  The initial request disappearing and the firewalls staying demoted
  forever are independent issues.

 sure about that? the demotion counter for the interface group pfsyncX
 is part of (usually carp) is kept raised until the bulk transfer
 finishes.


Looks like separate issues.

I have done more testing since, using 5.5. In all cases the demote
counter restores after the bulk transfer completes, or after pfsync
gives up after 12 retries. I have a few 5.4 where I can't explain the
33 demote counter, but I can't replicate it when testing.

I could replicate the problem with the initial request disappearing when
using trunk.
The sleep solves it, I can live with that.

On our heavier firewalls bulk transfer never completes, but carp restores
after
the 12 retries, close to 29h after reboot.

/T



Re: LibreSSL Post-Quantum World, NTRU

2014-09-13 Thread Daniel Cegiełka
2014-09-13 19:27 GMT+02:00 why not whynot1...@safe-mail.net:
 hello

 Besides NTRU is having a GPL licence,

https://github.com/NTRUOpenSourceProject/ntru-crypto/issues/4
https://github.com/tbuktu/libntru

but:

http://blog.cr.yp.to/20140213-ideal.html

Daniel



OpenBSD 5.5: ICMP port unreachable to DHCP relay agent...

2014-09-13 Thread Andrew Lester
Hi All,

Previously I sent out a very long e-mail about this and I didn't get any 
responses,
so this is my second attempt which will be much shorter. Basically, I am having 
a problem
with the included version of dhcpd in OpenBSD 5.5 stable, and I'm not sure if 
it's an
issue with OpenBSD, or my configuration. I suspect the latter.

I have OpenBSD acting as the DHCP server for my private LAN. I have two subnets
declared in dhcpd.conf. The first subnet is for a network directly served by 
the OpenBSD
server (clients and OpenBSD server in same L3 broadcast domain). The subnet has 
fixed
assignments for all the clients based on their MAC address, and this is no 
problem.

The second subnet is for a network that is not directly connected to the OpenBSD
box, instead there is a static route to reach it. Routing between the two 
networks works
perfectly, and in fact the OpenBSD box is the DNS server for the clients in 
this remote
network. I cannot, however, get DHCP working for those clients. Only when I 
give a client
a static IP address does it work. The L3 switch which serves the clients (it is 
their
default gateway) is configured to act as a DHCP relay, and forwards the DHCP 
traffic
from the clients to the OpenBSD box.

Here's the failure:

1. Client broadcasts DHCP Discover
2. L3 switch relays the DHCP discover to the OpenBSD box as a unicast to UDP 
port 67.
3. OpenBSD box receives the relayed unicast DHCP Discover, and responds with an 
ICMP
unreachable message for UDP port 67, which is received by the L3 switch.


It's as if port 67 is not listening on the OpenBSD system. I have verified 
dhcpd is set
to listen on all interfaces. I found that netstat never displays an open socket 
for
port 67, but I have since come to learn dhcpd does not use sockets, but BPF 
which
apparently there is no way I can find to see open connections. This is not a 
firewall
issue, I have tried with pf totally disabled, and in fact I also learned pf 
can't
restrict traffic from a BPF connection to begin with.

But port 67 is clearly open. The clients in the same broadcast domain which 
send their
UDP DHCP Discovers to 255.255.255.255 port 67 work perfectly.

Does anybody know why the OpenBSD system would be sending ICMP port unreachable
messages to the DHCP relay agent in response to its relayed DHCP discovers? The 
DNS
queries from these clients to the OpenBSD system (same IP as the dhcp server) 
on port 53
all work perfectly. Unlike dhcpd, I can verify with netstat that BIND is 
listening on port 53
for DNS queries.


Warm regards,

Andrew



no zlib from zlib.net

2014-09-13 Thread Tito Mari Francis Escaño
Good day,
I'm planning to experiment modifying FirefoxOS to be based on OpenBSD
instead of the default Linux kernel, and it seems we don't have the
corresponding zlib from www.zlib.net. I checked on Ubuntu and they use
zlib 1.2.8, this is the latest version as per zlib homepage. Can
somebody please advise me on this?
Thanks.



Re: no zlib from zlib.net

2014-09-13 Thread Josh Grosse
On Sun, Sep 14, 2014 at 10:13:42AM +0800, Tito Mari Francis Esca??o wrote:
 Good day,
 I'm planning to experiment modifying FirefoxOS to be based on OpenBSD
 instead of the default Linux kernel, and it seems we don't have the
 corresponding zlib from www.zlib.net. I checked on Ubuntu and they use
 zlib 1.2.8, this is the latest version as per zlib homepage. Can
 somebody please advise me on this?
 Thanks.
 
OpenBSD's zlib is 1.2.3, the associated ChangeLog in src/lib/libz 
states this version wa released in 2005.

The Makefile's CVS log shows sustaining engineering to OpenBSD's 
libz, with the last commit in 2012.



Re: npppd Ipsec L2TP mtu issues.

2014-09-13 Thread YASUOKA Masahiko
Hi,

On Sun, 7 Sep 2014 21:00:31 +0200
Jens Hansen jensh...@gmail.com wrote:
 I can successfully connect to my opensbsd 5.5. isakmpd / npppd IPSEC L2TP
 vpn setup.
 But (not knowing too much about netwoking) i think i'm having a mtu
 problem. I can do low volume traffic fine, but transmitting larger files
 stalls. I've tried as per suggested by others around the  web the
 following.
 Added scrub on enc0 with an max mss of the pppx0 mtu.

scrub should be used for the VPN tunnel internal packets.  They pass
through on pppx0, pppx1,...pppxN.  (pppx creates a new clone for each
VPN session.)  pppx interface group should be used.

  match on pppx scrub ( max-mss 1410 )

 Tried with and without tcp-mss-adjust set to yes in npppd.conf.

At first, I think you should set mru not to fragment L2TP/IPsec
packets on your network and it also is used to fragment properly for
the packets inside the VPN links.  Also tcp-mss-adjust yes may be
useful if you want to avoid the PMTU-D blackhole problem.

--yasuoka



dwb questions

2014-09-13 Thread Zoran Kolic
I was quite happy, seeing dwb browser included in packages
for lattest current. Since I found no name of porter, I'd
like to ask few questions to the list.

When the process starts, it issues an error message:

dwb:/usr/local/lib/libestdc++.so.16.0: /usr/lib/libstdc++.so.57.0 : WARNING: 
symbol(_ZN11__gnu_debug17_S_debug_messagesE) size mismatch, relink your program

Nothing to be worry about, dwb works even with it.
I added extensions: adblock_subscriptions and cookies. Now, in top,
I see new processes, that do not go away, when I close dwb:

at-spi-bus-launc
at-spi2-registry

Somebody knows what they are?

Also, if anyone could point me to the info about adding
noscript/flashblock extension, it would be even better.
I am aware that it must be possible to disable js and
to block cookies, but cannot find the way.

Best regards

Zoran