Re: OpenBSD <> Commercial VPNs

2015-10-11 Thread Jiri B
On Sat, Oct 10, 2015 at 03:35:02PM -0700, Joel Wirāmu Pauling wrote:
> You could try using Linux Binary emulation layer to connect using the cisco
> vpnc client. For the old proprietary Cisco IPSec implementation:
> 
> http://www.openbsd.org/papers/slack2k11-on_compat_linux.pdf
> 
> I've recently been using softether for my personal VPN's it's on Github I
> haven't tried to compile it for openBSD - but it's not going to help
> connect to random vendor Firewalls.
> 
> I am unsure if Fortinet have a linux client, I imagine they must.
> 
> OpenVPN works just fine under openbsd.

compat_linux works on i386 only and Cisco's AnyConnect SSL VPN and
Juniper SSL VPN which is now known as Pulse Connect Secure is supported
by openconnect which is in ports.

j.



Re: OpenBSD <> Commercial VPNs

2015-10-11 Thread Pedro Tender
They also have a Linux client.
On Oct 11, 2015 12:59 AM, "Jack J. Woehr"  wrote:

> Joel Wirāmu Pauling wrote:
> > I am unsure if Fortinet have a linux client, I imagine they must.
>
> I think just Windows and Mac, thanks.
>
> --
> Jack J. Woehr # Science is more than a body of knowledge. It's a way of
> www.well.com/~jax # thinking, a way of skeptically interrogating the
> universe
> www.softwoehr.com # with a fine understanding of human fallibility. - Carl
> Sagan



who(XXXXX): syscall 54 in the last few snapshots

2015-10-11 Thread Atanas Vladimirov

Hi,
I got *who(X): syscall 54* in the last few snapshots.
If you need more info just ask.

~$ ktrace -i who
~$ kdump
 
 16759 who  RET   read 2819/0xb03
 16759 who  CALL  close(4)
 16759 who  RET   close 0
 16759 who  CALL  kbind(0x7f7dcd58,0x18,0x962191a9ce60cd08)
 16759 who  RET   kbind 0
 16759 who  CALL  kbind(0x7f7dccc8,0x18,0x962191a9ce60cd08)
 16759 who  RET   kbind 0
 16759 who  CALL  write(1,0x1d987d241000,0x2f)
 16759 who  GIO   fd 1 wrote 47 bytes
   "vladottyp0Oct 11 11:37   (192.168.1.2)
   "
 16759 who  RET   write 47/0x2f
 16759 who  CALL  read(3,0x1d98baae1000,0x4000)
 16759 who  RET   read 0
 16759 who  CALL  kbind(0x7f7dce28,0x18,0x962191a9ce60cd08)
 16759 who  RET   kbind 0
 16759 who  CALL  kbind(0x7f7dce08,0x18,0x962191a9ce60cd08)
 16759 who  RET   kbind 0
 16759 who  CALL  mprotect(0x1d98aa7a1000,0x1000,0x3)
 16759 who  RET   mprotect 0
 16759 who  CALL  mprotect(0x1d98aa7a1000,0x1000,0x1)
 16759 who  RET   mprotect 0
 16759 who  CALL  mprotect(0x1d98aa7a1000,0x1000,0x3)
 16759 who  RET   mprotect 0
 16759 who  CALL  mprotect(0x1d98aa7a1000,0x1000,0x1)
 16759 who  RET   mprotect 0
 16759 who  CALL  mprotect(0x1d98aa7a1000,0x1000,0x3)
 16759 who  RET   mprotect 0
 16759 who  CALL  mprotect(0x1d98aa7a1000,0x1000,0x1)
 16759 who  RET   mprotect 0
 16759 who  CALL  munmap(0x1d98aa7a1000,0x1000)
 16759 who  RET   munmap 0
 16759 who  CALL  exit(0)

~$ dmesg
OpenBSD 5.8-current (GENERIC.MP) #1456: Sat Oct 10 21:51:05 MDT 2015
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

Re: Using a Wacom (CTH-480) graphic tablet with OpenBSD ?

2015-10-11 Thread nawi
Hello Stuart !

Thanks for your answer.

> I haven't tried it recently, but it might be worth having a play with
> the config from http://permalink.gmane.org/gmane.os.openbsd.misc/185297
> and see if you get anywhere.

As far as I can remember, I tried to connect the tablet on a 5.7 installation and
it reported only /dev/uhid0 as a device. At the moment, I have no machine to
try 5.7 again, so I tried a -current #1417, which reports in dmesg the
following devices (if a full dmesg is needed, let me know, but it is very
long).

Part of dmesg:

uhidev2 at uhub2 port 1 configuration 1 interface 0 "Microsoft Microsoft\M-. Comfort Mouse 4500" rev 2.00/0.83 addr 8
uhidev2: iclass 3/1, 28 report ids
ums0 at uhidev2 reportid 16: 5 buttons, Z dir
wsmouse0 at ums0 mux 0
uhid1 at uhidev2 reportid 18: input=0, output=0, feature=1
uhid2 at uhidev2 reportid 19: input=1, output=0, feature=0
uhid3 at uhidev2 reportid 22: input=4, output=0, feature=0
uhid4 at uhidev2 reportid 23: input=0, output=0, feature=1
uhid5 at uhidev2 reportid 24: input=0, output=0, feature=1
uhid6 at uhidev2 reportid 28: input=1, output=0, feature=0
uhidev3 at uhub0 port 3 configuration 1 interface 0 "Wacom Co.,Ltd. Intuos PTS" rev 2.00/1.00 addr 9
uhidev3: iclass 3/0, 192 report ids
uhid7 at uhidev3 reportid 2: input=9, output=0, feature=1
uhid8 at uhidev3 reportid 3: input=0, output=0, feature=1
uhid9 at uhidev3 reportid 4: input=0, output=0, feature=1
uhid10 at uhidev3 reportid 5: input=0, output=0, feature=1
uhid11 at uhidev3 reportid 7: input=0, output=0, feature=9
uhid12 at uhidev3 reportid 16: input=0, output=0, feature=2
uhid13 at uhidev3 reportid 17: input=0, output=0, feature=16
uhid14 at uhidev3 reportid 19: input=0, output=0, feature=1
uhid15 at uhidev3 reportid 20: input=0, output=0, feature=31
uhid16 at uhidev3 reportid 32: input=0, output=0, feature=5
uhid17 at uhidev3 reportid 33: input=0, output=0, feature=1
uhid18 at uhidev3 reportid 34: input=0, output=0, feature=1
uhid19 at uhidev3 reportid 35: input=0, output=0, feature=14
uhid20 at uhidev3 reportid 36: input=0, output=0, feature=31
uhid21 at uhidev3 reportid 37: input=0, output=0, feature=4
uhid22 at uhidev3 reportid 48: input=0, output=0, feature=2
uhid23 at uhidev3 reportid 49: input=0, output=0, feature=255
uhid24 at uhidev3 reportid 50: input=0, output=0, feature=255
uhid25 at uhidev3 reportid 51: input=0, output=0, feature=1
uhid26 at uhidev3 reportid 192: input=9, output=0, feature=0
uhidev4 at uhub0 port 3 configuration 1 interface 1 "Wacom Co.,Ltd. Intuos PTS" rev 2.00/1.00 addr 9
uhidev4: iclass 3/0, 3 report ids
uhid27 at uhidev4 reportid 2: input=63, output=0, feature=0
uhid28 at uhidev4 reportid 3: input=63, output=0, feature=0
uhidev5 at uhub0 port 3 configuration 1 interface 2 "Wacom Co.,Ltd. Intuos PTS" rev 2.00/1.00 addr 9
uhidev5: iclass 3/1, 1 report id
ums1 at uhidev5 reportid 1: 5 buttons
wsmouse1 at ums1 mux 0

If I unplug it, not all devices are detached, but enough to verify that
it is the tablet (I hope). There is a second block for the real mouse,
which is identified as Microsoft something mouse.

The xorg.conf:

Generated using X and changed the driver as suggested in a blogpost about
UEFI only machines - otherwise X doesn't work on this machine. I used the
device from your link, to see what will happen.

Section "ServerLayout"
Identifier "X.org Configured"
Screen  0  "Screen0" 0 0
InputDevice"Keyboard0" "CoreKeyboard"
InputDevice"w_stylus" "SendCoreEvents"
InputDevice"w_eraser" "SendCoreEvents"
EndSection

Section "ServerFlags"
Option "AllowMouseOpenFail" "True"
Option "DontZap" "True"
EndSection

Section "Files"
ModulePath   "/usr/X11R6/lib/modules"
FontPath "/usr/X11R6/lib/X11/fonts/misc/"
FontPath "/usr/X11R6/lib/X11/fonts/TTF/"
FontPath "/usr/X11R6/lib/X11/fonts/OTF/"
FontPath "/usr/X11R6/lib/X11/fonts/Type1/"
FontPath "/usr/X11R6/lib/X11/fonts/100dpi/"
FontPath "/usr/X11R6/lib/X11/fonts/75dpi/"
EndSection

Section "Module"
Load  "glx"
EndSection

Section "InputDevice"
Identifier  "Keyboard0"
Driver  "kbd"
EndSection

Section "InputDevice"
Identifier  "Mouse0"
Driver  "mouse"
Option  "Protocol" "wsmouse"
Option  "Device" "/dev/wsmouse"
Option  "ZAxisMapping" "4 5 6 7"
EndSection

Section "InputDevice"
Identifier "w_stylus"
Driver "usbtablet"
Option "Type" "stylus"
Option "Device" "/dev/uhid0"
Option "Mode" "Absolute"
Option "Threshold" "10"
EndSection

Section "InputDevice"
Identifier "w_eraser"
Driver "usbtablet"
Option "Type" "eraser"
Option "Device" "/dev/uhid0"
Option "Mode" "Absolute"
EndSection

Section "Monitor"
Identifier   "Monitor0"
VendorName   "Monitor Vendor"
ModelName"Monitor Model"

Re: OpenBSD <> Commercial VPNs

2015-10-11 Thread Pedro Tender
In the fortinet firmware (yes, firmware...)  downloads iirc.
On Oct 11, 2015 3:55 PM, "Jack J. Woehr"  wrote:

> Pedro Tender wrote:
>
>>
>> They also have a Linux client.
>>
>>
>>
> I've looked for it, any tips where it might be found?
>
>
> --
> Jack J. Woehr # Science is more than a body of knowledge. It's a way of
> www.well.com/~jax # thinking, a way of skeptically interrogating the
> universe
> www.softwoehr.com # with a fine understanding of human fallibility. -
> Carl Sagan



Re: OpenBSD <> Commercial VPNs

2015-10-11 Thread Jack J. Woehr

Pedro Tender wrote:

> They also have a Linux client.

I've looked for it, any tips where it might be found?


--
Jack J. Woehr # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan



Re: who(XXXXX): syscall 54 in the last few snapshots

2015-10-11 Thread Sebastien Marie
On Sun, Oct 11, 2015 at 11:53:10AM +0300, Atanas Vladimirov wrote:
> Hi,
> I got *who(X): syscall 54* in the last few snapshots.
> If you need more info just ask.

syscall 54 is for ioctl syscall.

> ~$ ktrace -i who
> ~$ kdump
>  
>  16759 who  RET   read 2819/0xb03
>  16759 who  CALL  close(4)
>  16759 who  RET   close 0
>  16759 who  CALL  kbind(0x7f7dcd58,0x18,0x962191a9ce60cd08)
>  16759 who  RET   kbind 0
>  16759 who  CALL  kbind(0x7f7dccc8,0x18,0x962191a9ce60cd08)
>  16759 who  RET   kbind 0
>  16759 who  CALL  write(1,0x1d987d241000,0x2f)
>  16759 who  GIO   fd 1 wrote 47 bytes
>"vladottyp0Oct 11 11:37   (192.168.1.2)
>"
>  16759 who  RET   write 47/0x2f
>  16759 who  CALL  read(3,0x1d98baae1000,0x4000)
>  16759 who  RET   read 0
>  16759 who  CALL  kbind(0x7f7dce28,0x18,0x962191a9ce60cd08)
>  16759 who  RET   kbind 0
>  16759 who  CALL  kbind(0x7f7dce08,0x18,0x962191a9ce60cd08)
>  16759 who  RET   kbind 0
>  16759 who  CALL  mprotect(0x1d98aa7a1000,0x1000,0x3)
>  16759 who  RET   mprotect 0
>  16759 who  CALL  mprotect(0x1d98aa7a1000,0x1000,0x1)
>  16759 who  RET   mprotect 0
>  16759 who  CALL  mprotect(0x1d98aa7a1000,0x1000,0x3)
>  16759 who  RET   mprotect 0
>  16759 who  CALL  mprotect(0x1d98aa7a1000,0x1000,0x1)
>  16759 who  RET   mprotect 0
>  16759 who  CALL  mprotect(0x1d98aa7a1000,0x1000,0x3)
>  16759 who  RET   mprotect 0
>  16759 who  CALL  mprotect(0x1d98aa7a1000,0x1000,0x1)
>  16759 who  RET   mprotect 0
>  16759 who  CALL  munmap(0x1d98aa7a1000,0x1000)
>  16759 who  RET   munmap 0
>  16759 who  CALL  exit(0)

This ktrace showed a process that exit(0). This process wasn't killed
by pledge(2).

> ~$ dmesg
> OpenBSD 5.8-current (GENERIC.MP) #1456: Sat Oct 10 21:51:05 MDT 2015
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

Could you try to rebuild who(1)? You will need to add `abort' in all
pledge calls in order to generate a coredump, and obtain a
full backtrace.

$ grep -FRn 'pledge(' /usr/src/usr.bin/who/
/usr/src/usr.bin/who/who.c:77:  if (pledge("stdio rpath getpw tty", NULL) == -1)
/usr/src/usr.bin/who/who.c:293: if (pledge("stdio rpath getpw", NULL) == -1)
/usr/src/usr.bin/who/who.c:296: if (pledge("stdio getpw", NULL) == -1)

For example, line 77: if (pledge("stdio rpath getpw tty abort", NULL) == -1)

When you get a who.core, you can use gdb to extract the backtrace:
$ gdb who who.core 
(gdb) bt

Thanks.
-- 
Sebastien Marie



Re: match rules and priorities

2015-10-11 Thread Christer Solskogen
On Thu, Oct 8, 2015 at 4:34 PM, Giancarlo Razzolini
 wrote:

> You are mixing things. First of all, ftp goes through OpenBSD's
> ftp-proxy. So you should prioritize packets leaving it, not coming from
> the machines. Fortunately, ftp-proxy can apply a tag to its packets, so
> it should be easy to set a priority on them. Port 3129 is some proxy,
> I'm betting on squid, right? Same issue as the ftp-proxy, you should
> prioritize the packets leaving it. Perhaps by using the user directive
> of pf?
>

Hm, good catch. I'll take a look at it.
Thanks!

-- 
chs



Re: who(XXXXX): syscall 54 in the last few snapshots

2015-10-11 Thread Atanas Vladimirov

On 11.10.2015 18:54, Sebastien Marie wrote:

> On Sun, Oct 11, 2015 at 11:53:10AM +0300, Atanas Vladimirov wrote:
> > Hi,
> > I got *who(X): syscall 54* in the last few snapshots.
> > If you need more info just ask.
> 
> syscall 54 is for ioctl syscall.
> 
> > ~$ ktrace -i who
> > ~$ kdump
> >  16759 who  RET   read 2819/0xb03
> >  16759 who  CALL  close(4)
> >  16759 who  RET   close 0
> >  16759 who  CALL  kbind(0x7f7dcd58,0x18,0x962191a9ce60cd08)
> >  16759 who  RET   kbind 0
> >  16759 who  CALL  kbind(0x7f7dccc8,0x18,0x962191a9ce60cd08)
> >  16759 who  RET   kbind 0
> >  16759 who  CALL  write(1,0x1d987d241000,0x2f)
> >  16759 who  GIO   fd 1 wrote 47 bytes
> >    "vladottyp0Oct 11 11:37   (192.168.1.2)
> >    "
> >  16759 who  RET   write 47/0x2f
> >  16759 who  CALL  read(3,0x1d98baae1000,0x4000)
> >  16759 who  RET   read 0
> >  16759 who  CALL  kbind(0x7f7dce28,0x18,0x962191a9ce60cd08)
> >  16759 who  RET   kbind 0
> >  16759 who  CALL  kbind(0x7f7dce08,0x18,0x962191a9ce60cd08)
> >  16759 who  RET   kbind 0
> >  16759 who  CALL  mprotect(0x1d98aa7a1000,0x1000,0x3)
> >  16759 who  RET   mprotect 0
> >  16759 who  CALL  mprotect(0x1d98aa7a1000,0x1000,0x1)
> >  16759 who  RET   mprotect 0
> >  16759 who  CALL  mprotect(0x1d98aa7a1000,0x1000,0x3)
> >  16759 who  RET   mprotect 0
> >  16759 who  CALL  mprotect(0x1d98aa7a1000,0x1000,0x1)
> >  16759 who  RET   mprotect 0
> >  16759 who  CALL  mprotect(0x1d98aa7a1000,0x1000,0x3)
> >  16759 who  RET   mprotect 0
> >  16759 who  CALL  mprotect(0x1d98aa7a1000,0x1000,0x1)
> >  16759 who  RET   mprotect 0
> >  16759 who  CALL  munmap(0x1d98aa7a1000,0x1000)
> >  16759 who  RET   munmap 0
> >  16759 who  CALL  exit(0)
> 
> This ktrace showed a process that exit(0). This process wasn't killed
> by pledge(2).
> 
> > ~$ dmesg
> > OpenBSD 5.8-current (GENERIC.MP) #1456: Sat Oct 10 21:51:05 MDT 2015
> > dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> 
> Could you try to rebuild who(1)? You will need to add `abort' in all
> pledge calls in order to generate a coredump, and obtain a
> full backtrace.
> 
> $ grep -FRn 'pledge(' /usr/src/usr.bin/who/
> /usr/src/usr.bin/who/who.c:77:  if (pledge("stdio rpath getpw tty", NULL) == -1)
> /usr/src/usr.bin/who/who.c:293: if (pledge("stdio rpath getpw", NULL) == -1)
> /usr/src/usr.bin/who/who.c:296: if (pledge("stdio getpw", NULL) == -1)
> 
> For example, line 77: if (pledge("stdio rpath getpw tty abort", NULL) == -1)
> 
> When you get a who.core, you can use gdb to extract the backtrace:
> $ gdb who who.core
> (gdb) bt
> 
> Thanks.


I rebuilt who(1) with DEBUG and added 'abort' in all pledge calls.
Also I changed kern.nosuidcoredump=3 and made /var/crash/who but I can't 
find who.core.
Meanwhile I got syscall 54 every 5 min. Is it possible that another 
process/daemon generates these errors?

How can I find it?

~$ tail /var/log/messages
Oct 11 19:54:37 ns /bsd: who(5929): syscall 54
Oct 11 19:59:37 ns /bsd: who(6769): syscall 54
Oct 11 20:04:37 ns /bsd: who(13907): syscall 54
Oct 11 20:09:37 ns /bsd: who(27822): syscall 54
Oct 11 20:14:37 ns /bsd: who(25574): syscall 54
Oct 11 20:19:37 ns /bsd: who(8480): syscall 54
Oct 11 20:24:37 ns /bsd: who(28849): syscall 54
Oct 11 20:29:37 ns /bsd: who(11423): syscall 54
Oct 11 20:34:37 ns /bsd: who(20946): syscall 54



Re: who(XXXXX): syscall 54 in the last few snapshots

2015-10-11 Thread Theo de Raadt
> I rebuilt who(1) with DEBUG and added 'abort' in all pledge calls.
> Also I changed kern.nosuidcoredump=3 and made /var/crash/who but I can't 
> find who.core.
> Meanwhile I got syscall 54 every 5 min. Is it possible that another 
> process/daemon generates these errors?
> How can I find it?
> 
> ~$ tail /var/log/messages
> Oct 11 19:54:37 ns /bsd: who(5929): syscall 54
> Oct 11 19:59:37 ns /bsd: who(6769): syscall 54
> Oct 11 20:04:37 ns /bsd: who(13907): syscall 54
> Oct 11 20:09:37 ns /bsd: who(27822): syscall 54
> Oct 11 20:14:37 ns /bsd: who(25574): syscall 54
> Oct 11 20:19:37 ns /bsd: who(8480): syscall 54
> Oct 11 20:24:37 ns /bsd: who(28849): syscall 54
> Oct 11 20:29:37 ns /bsd: who(11423): syscall 54
> Oct 11 20:34:37 ns /bsd: who(20946): syscall 54

I have no explanation for this.  You'll have to keep digging to find
it.



Re: OpenBSD <> Commercial VPNs

2015-10-11 Thread Theo de Raadt
> Has anyone successfully created a VPN with OpenBSD v5.7 or 5.8?

Yes, people do it all the time.

Please -- what KIND of VPN are you asking about.

Is conversational precision that difficult?  There are more than two
handfuls of technologies that create something which is considered "a VPN".

As a result, this conversation about VPN's is super low quality;
there is no point implying OpenBSD is weak at doing these things,
it is the inexact people walking around acting lost...



Re: OpenBSD <> Commercial VPNs

2015-10-11 Thread Jack J. Woehr

Dimitris Papastamos wrote:

> I use vpnc regularly on -current without any special configuration and it
> works fine with my network.
> 
> My config is as follows:
> 
> IPSec gateway vpn.example.net
> IPSec ID FOO
> IPSec obfuscated secret BAR
> Xauth username BAZ
> DPD idle timeout (our side) 0

Yeah, that's mine too. Seems to work. But no traffic goes through.

--
Jack J. Woehr # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan



Re: OpenBSD <> Commercial VPNs

2015-10-11 Thread Gregor Best
On Sun, Oct 11, 2015 at 12:08:00PM -0700, Danny Nguyen wrote:
> Has anyone successfully created a VPN with OpenBSD v5.7 or 5.8?
> [...]

Yes. As of right now, I have

$ ps aux | grep openvpn | wc -l
8
$ ipsecctl -sa | wc -l
8

and a tinc tunnel. Tinc is not in ports, but there's a WIP port I sent
to ports@ a year or two ago.

It really depends on what you mean by "a vpn" because there's a lot of
technologies to do that. In my experience, openvpn is the easiest choice
if you want everything to work automagically on almost every platform
there is. Tinc is nice if you don't want a central node as a single
point of failure and IPsec is awesome on OpenBSD because it's extremely
easy to set up and in base.

> There are very few options on the market for that unfortunately.
> [...]

See above. There's also PPTP and what not.

-- 
Gregor



Re: OpenBSD <> Commercial VPNs

2015-10-11 Thread Jack J. Woehr

Jiri B wrote:

> c Cisco's AnyConnect SSL VPN and Juniper SSL VPN which is now known as
> Pulse Connect Secure is supported by openconnect which is in ports.


I found vpnc in ports/net and that almost works.

It connects and shows it is adding the correct routes that I would expect.

And then no traffic comes through. 'route show' looks correct but nothing seems 
to be going back and forth.

--
Jack J. Woehr # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan



Re: OpenBSD <> Commercial VPNs

2015-10-11 Thread Dimitris Papastamos
On Sun, Oct 11, 2015 at 12:47:42PM -0600, Jack J. Woehr wrote:
> Jiri B wrote:
> >c Cisco's AnyConnect SSL VPN and Juniper SSL VPN which is now known as
> >Pulse Connect Secure is supported by openconnect which is in ports.
> 
> I found vpnc in ports/net and that almost works.
> 
> It connects and shows it is adding the correct routes that I would expect.
> 
> And then no traffic comes through. 'route show' looks correct but nothing 
> seems to be going back and forth.

I use vpnc regularly on -current without any special configuration and it
works fine with my network.

My config is as follows:

IPSec gateway vpn.example.net
IPSec ID FOO
IPSec obfuscated secret BAR
Xauth username BAZ
DPD idle timeout (our side) 0



Re: OpenBSD <> Commercial VPNs

2015-10-11 Thread Danny Nguyen
Has anyone successfully created a VPN with OpenBSD v5.7 or 5.8? That is the
next step in my architecture to create a "more" secure environment. There
are very few options on the market for that unfortunately.

On Sun, Oct 11, 2015 at 11:47 AM, Jack J. Woehr  wrote:

> Jiri B wrote:
>
>> c Cisco's AnyConnect SSL VPN and Juniper SSL VPN which is now known as
>> Pulse Connect Secure is supported by openconnect which is in ports.
>>
>
> I found vpnc in ports/net and that almost works.
>
> It connects and shows it is adding the correct routes that I would expect.
>
> And then no traffic comes through. 'route show' looks correct but nothing
> seems to be going back and forth.
>
>
> --
> Jack J. Woehr # Science is more than a body of knowledge. It's a way of
> www.well.com/~jax # thinking, a way of skeptically interrogating the
> universe
> www.softwoehr.com # with a fine understanding of human fallibility. -
> Carl Sagan
>
>


-- 
danny nguyen
linkedIn 



Re: OpenBSD <> Commercial VPNs

2015-10-11 Thread Jack J. Woehr

Dimitris Papastamos wrote:

> On Sun, Oct 11, 2015 at 01:06:58PM -0600, Jack J. Woehr wrote:
> I am not sure what's wrong. I guess you see traffic leaving your external
> interface but not getting any replies?

I've got it, thanks! I forgot to do the sysctls necessary to let the packets 
thru:

sysctl net.inet.esp.enable=0
sysctl net.inet.esp.udpencap=0

Thanks for your help, and to everyone who tried to help this confused soul :)

--
Jack J. Woehr # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan



Re: who(XXXXX): syscall 54 in the last few snapshots

2015-10-11 Thread Atanas Vladimirov

On 11.10.2015 21:18, Theo de Raadt wrote:

> > I rebuilt who(1) with DEBUG and added 'abort' in all pledge calls.
> > Also I changed kern.nosuidcoredump=3 and made /var/crash/who but I can't
> > find who.core.
> > Meanwhile I got syscall 54 every 5 min. Is it possible that another
> > process/daemon generates these errors?
> > How can I find it?
> > 
> > ~$ tail /var/log/messages
> > Oct 11 19:54:37 ns /bsd: who(5929): syscall 54
> > Oct 11 19:59:37 ns /bsd: who(6769): syscall 54
> > Oct 11 20:04:37 ns /bsd: who(13907): syscall 54
> > Oct 11 20:09:37 ns /bsd: who(27822): syscall 54
> > Oct 11 20:14:37 ns /bsd: who(25574): syscall 54
> > Oct 11 20:19:37 ns /bsd: who(8480): syscall 54
> > Oct 11 20:24:37 ns /bsd: who(28849): syscall 54
> > Oct 11 20:29:37 ns /bsd: who(11423): syscall 54
> > Oct 11 20:34:37 ns /bsd: who(20946): syscall 54
> 
> I have no explanation for this.  You'll have to keep digging to find
> it.

I think that I found it - Nagios. Now the question is how to debug it
further?




Re: Private cloud hosting recommendations

2015-10-11 Thread Etienne

On 2015-10-09 16:04, Martín Ferco wrote:

> I'm looking for alternatives to host our OpenBSD web frontends
> off-site. Up
> [...]
> vcloud air, but haven't heard from him yet, and was starting to take a look
> at virtustream -- they seem to offer ESXi hypervisors as well as VMware
> vloud air.

My two cents: http://buyvm.net

I have seen a few issues with their network in Europe, and they consider 
you crazy for running any BSD, but they provide you with OpenBSD images, 
and they're cheap.


--
Étienne



Re: who(XXXXX): syscall 54 in the last few snapshots

2015-10-11 Thread Jack J. Woehr

Atanas Vladimirov wrote:

> I think that I found it - Nagios. Now the question is how to debug it further?

lsof?

--
Jack J. Woehr # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan



PF tables -- anchors and scope

2015-10-11 Thread Jacob L. Leifman
Can anyone confirm whether it is possible to modify a global table 
within an anchor? If so, what is the proper syntax for referencing it?

I have a dynamic table of addresses to block declared and updated in 
the main body of pf.conf. I would like to update the same table using 
the 'overload' operator within an anchor; however, I get a "namespace 
collision" warning message and a distinctly separate table is created when 
I try that. Interestingly, I can use global tables as the source or 
destination address in any rule inside an anchor, i.e. it does work in 
read-only mode (unless an anchor-local table is created per above).

This firewall is currently running 5.6 with upgrade to 5.8 being 
planned for the near future.

Thank you,
-Jacob.



Re: OpenBSD <> Commercial VPNs

2015-10-11 Thread Danny Nguyen
What are the different kinds of VPNs?

I have no idea what computers do so I'm the dumbest guy in this city and
definitely this mailing list. VPN stands for virtual private network but
when I think about what that is I think of a VPN as essentially a local
network that allows incoming connections but has certain protocols ( not
sure which) that allows it to be more secure than ssh maybe? I'd like to be able
to monitor traffic and users with logging functionality and passwords so
when I'm developing an application I can't ensure with a reasonable level
of certainty that my infrastructure and software is somewhat protected from
malicious or curious authors.

I'm not implying OpenBSD is weak. I've arrived to this community because
the group is so obsessive about security (aslr, randomness, checksums,
etc). I ruled out everyone else including Linux/Ubuntu, Google cloud,
Amazon, and even co-location because of how these businesses operate and
how they treat users data. I've even looked into freeBSD but it has come up
short in its vision for my purposes with privacy and security.

I barely know what a VPN is and I have only installed openbsd and started
on port forwarding but smart people have mentioned that I should look into
a VPN. I want my whole data center infrastructure to be run
off Openbsd because it's what I think is the most responsible operating
system to date (even considering SEL4 by General Dynamics that is only a
kernel at this point).

On Sun, Oct 11, 2015 at 12:14 PM, Theo de Raadt 
wrote:

> > Has anyone successfully created a VPN with OpenBSD v5.7 or 5.8?
>
> Yes, people do it all the time.
>
> Please -- what KIND of VPN are you asking about.
>
> Is conversational precision that difficult?  There are more than two
> handfuls of technologies that create something which is considered "a VPN".
>
> As a result, this conversation about VPN's is super low quality;
> there is no point implying OpenBSD is weak at doing these things,
> it is the inexact people walking around acting lost...
>
>


-- 
danny nguyen
linkedIn 



Re: OpenBSD <> Commercial VPNs

2015-10-11 Thread Theo de Raadt
> What are the different kinds of VPNs?

https://www.google.ca/search?q=diferent+types+of+vpn

Sorry Danny, not going to read the rest of the blah blah blah from
someone who can't take the first step.

You barely know what a VPN is, you only started running openbsd, and
you are talking about SEL4.  You look like a troll.



Re: OpenBSD <> Commercial VPNs

2015-10-11 Thread Danny Nguyen
Thank you for the constructive feedback. Working on getting through
Absolute OpenBSD by Michael Lucas. Hopefully, I'll be able to ask
meaningful questions in the near future.

On Sun, Oct 11, 2015 at 6:36 PM, Theo de Raadt 
wrote:

> > What are the different kinds of VPNs?
>
> https://www.google.ca/search?q=diferent+types+of+vpn
>
> Sorry Danny, not going to read the rest of the blah blah blah from
> someone who can't take the first step.
>
> You barely know what a VPN is, you only started running openbsd, and
> you are talking about SEL4.  You look like a troll.
>
>
>
>


-- 
danny nguyen
linkedIn 



Re: who(XXXXX): syscall 54 in the last few snapshots

2015-10-11 Thread Sebastien Marie
On Mon, Oct 12, 2015 at 12:44:08AM +0300, Atanas Vladimirov wrote:
> On 11.10.2015 21:18, Theo de Raadt wrote:
> >>I rebuilt who(1) with DEBUG and added 'abort' in all pledge calls.
> >>Also I changed kern.nosuidcoredump=3 and made /var/crash/who but I can't
> >>find who.core.
> >>Meanwhile I got syscall 54 every 5 min. Is it possible that another
> >>process/daemon generates these errors?
> >>How can I find it?
> >>
> >>~$ tail /var/log/messages
> >>Oct 11 19:54:37 ns /bsd: who(5929): syscall 54
> >>Oct 11 19:59:37 ns /bsd: who(6769): syscall 54
> >>Oct 11 20:04:37 ns /bsd: who(13907): syscall 54
> >>Oct 11 20:09:37 ns /bsd: who(27822): syscall 54
> >>Oct 11 20:14:37 ns /bsd: who(25574): syscall 54
> >>Oct 11 20:19:37 ns /bsd: who(8480): syscall 54
> >>Oct 11 20:24:37 ns /bsd: who(28849): syscall 54
> >>Oct 11 20:29:37 ns /bsd: who(11423): syscall 54
> >>Oct 11 20:34:37 ns /bsd: who(20946): syscall 54
> >
> >I have no explanation for this.  You'll have to keep digging to find
> >it.
> I think that I found it - Nagios. Now the question is how to debug it
> further?
> 

deraadt@ has committed two fixes:
  - kernel: src/sys/kern/sys_generic.c (rev 1.107)
  - userland: src/usr.bin/who/who.c (rev 1.25)

Could you check that it corrects the problem on your side?

thanks.
-- 
Sebastien Marie



Re: who(XXXXX): syscall 54 in the last few snapshots

2015-10-11 Thread Liviu Daia
On 12 October 2015, Atanas Vladimirov  wrote:
> On 11.10.2015 21:18, Theo de Raadt wrote:
> >> I rebuilt who(1) with DEBUG and added 'abort' in all pledge calls.
> >> Also I changed kern.nosuidcoredump=3 and made /var/crash/who but I 
> >> can't
> >> find who.core.
> >> Meanwhile I got syscall 54 every 5 min. Is it possible that another
> >> process/daemon generates these errors?
> >> How can I find it?
> >> 
> >> ~$ tail /var/log/messages
> >> Oct 11 19:54:37 ns /bsd: who(5929): syscall 54
> >> Oct 11 19:59:37 ns /bsd: who(6769): syscall 54
> >> Oct 11 20:04:37 ns /bsd: who(13907): syscall 54
> >> Oct 11 20:09:37 ns /bsd: who(27822): syscall 54
> >> Oct 11 20:14:37 ns /bsd: who(25574): syscall 54
> >> Oct 11 20:19:37 ns /bsd: who(8480): syscall 54
> >> Oct 11 20:24:37 ns /bsd: who(28849): syscall 54
> >> Oct 11 20:29:37 ns /bsd: who(11423): syscall 54
> >> Oct 11 20:34:37 ns /bsd: who(20946): syscall 54
> > 
> > I have no explanation for this.  You'll have to keep digging to find
> > it.
> I think that I found it - Nagios. Now the question is how to debug it 
> further?

I get something similar without nagios:

$ grep syscall /var/log/messages
Oct 10 07:50:26 router /bsd: tty(2446): syscall 54
Oct 10 07:50:33 router /bsd: tty(29826): syscall 54
Oct 10 07:54:15 router /bsd: tty(10733): syscall 54
Oct 10 07:54:15 router /bsd: tty(19344): syscall 54
Oct 10 07:58:59 router /bsd: tty(5574): syscall 54
Oct 10 07:59:05 router /bsd: tty(14634): syscall 54
Oct 10 08:02:47 router /bsd: tty(12313): syscall 54
Oct 10 08:02:47 router /bsd: tty(5281): syscall 54
Oct 10 08:06:23 router /bsd: tty(9186): syscall 54
Oct 10 08:06:23 router /bsd: tty(9710): syscall 54
Oct 11 01:30:01 router /bsd: tty(6080): syscall 54
Oct 12 01:30:01 router /bsd: tty(15518): syscall 54

$ uname -a
OpenBSD router.lcd047.linkpc.net 5.8 GENERIC.MP#1449 amd64


I'd tentatively correlate most of them with login(1) run in a serial
console.  But the last two entries seem to be triggered by /etc/daily.

Regards,

Liviu Daia
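Atanas asked above how to tell which process is behind the recurring "syscall 54" messages, and Liviu greps /var/log/messages for them; the sh script below, an added example and not code from the thread, summarizes such kernel log lines per program and resolves the syscall number to a name (from /usr/include/sys/syscall.h where that header lists numeric SYS_ defines, as on OpenBSD, otherwise from a small constructed table that carries the thread's 54 = ioctl). The sample log lines are constructed here in the format the thread shows, with an unrelated sshd line included to confirm it is ignored.

```sh
#!/bin/sh
# Triage helper for OpenBSD pledge(2) violation messages of the form
#   "Oct 11 19:54:37 ns /bsd: who(5929): syscall 54"
# Added example; not part of the thread. Sample lines are constructed here.

# Constructed sample: the thread's format, plus a made-up daemon with another
# syscall number and one sshd line that must not be counted.
SAMPLE_LOG='Oct 11 19:54:37 ns /bsd: who(5929): syscall 54
Oct 11 19:59:37 ns /bsd: who(6769): syscall 54
Oct 10 07:50:26 router /bsd: tty(2446): syscall 54
Oct 11 12:00:00 ns /bsd: exampled(123): syscall 5
Oct 11 12:00:01 ns sshd[4321]: Accepted publickey for someone from 192.0.2.10'

# syscall_name NUMBER [HEADER]
# Resolve a syscall number to its name. OpenBSD's header carries lines such as
# "#define SYS_ioctl 54"; when the header lacks numeric SYS_ defines (Linux)
# or the number is not listed, a small constructed fallback table is used.
# The only value taken from the thread is 54 = ioctl.
syscall_name() {
  num=$1
  hdr=${2:-/usr/include/sys/syscall.h}
  name=
  if [ -r "$hdr" ]; then
    name=$(awk -v n="$num" \
      '$1 == "#define" && $2 ~ /^SYS_/ && $3 == n { sub(/^SYS_/, "", $2); print $2; exit }' \
      "$hdr")
  fi
  if [ -z "$name" ]; then
    case $num in
      1) name=exit ;;  2) name=fork ;;  3) name=read ;;  4) name=write ;;
      5) name=open ;;  6) name=close ;; 54) name=ioctl ;;
      *) name="unknown($num)" ;;
    esac
  fi
  printf '%s\n' "$name"
}

# summarize_pledge_violations [HEADER] < syslog
# Print "<count> <program> <syscall number> <syscall name>", most frequent
# first, so the process behind a recurring message stands out. Lines that are
# not kernel "prog(pid): syscall N" messages are dropped.
summarize_pledge_violations() {
  hdr=${1:-/usr/include/sys/syscall.h}
  sed -n 's/^.* \/bsd: \([^ (]*\)(\([0-9][0-9]*\)): syscall \([0-9][0-9]*\)$/\1 \3/p' |
    sort | uniq -c |
    while read -r count prog num; do
      printf '%s %s %s %s\n' "$count" "$prog" "$num" "$(syscall_name "$num" "$hdr")"
    done | sort -rn
}

# Stand-alone run over the constructed sample. On a real system feed it
# /var/log/messages instead; ktrace/kdump on the named program, as done in
# the thread, is still needed to see which call site trips the violation.
printf '%s\n' "$SAMPLE_LOG" | summarize_pledge_violations
```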