Re: broadcast relay

2015-11-10 Thread Einfach Jemand
On Sat, Nov 07, 2015 at 03:33:04PM +, Sébastien Morand wrote:
> > Hi,
> >
> > I'm trying to relay a broadcast message.
> >
> > I've tried the following in pf :
> >
> > pass in quick proto udp from any to vlan1:broadcast port 3121 rdr-to
> > vlan3:broadcast port 3121
> > pass out quick on vlan3 from any to vlan3:broadcast nat-to vlan3
> >
> > with no success any chance to do it with pf?
> >
> > other tools?
> >
> 
> Hi,
> 
> Complementary: can pf rdr to unicast a broadcast packet?
> 
> Thanks by advance,
> Sebastien
> 

Hi,

maybe you could adapt dhcrelay(8) from base
to your needs?
See /usr/src/usr.sbin/dhcrelay

HTH
rru
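
As an added example (not code from the thread, and not OpenBSD's dhcrelay(8), which rru points to), here is the userland equivalent of what the pf rules in the question try to do: a small relay that receives UDP datagrams for port 3121 on the vlan1 subnet and re-emits them as a broadcast on the vlan3 subnet from its own vlan3 address. The subnet layout and addresses are assumptions. It adds the two guards a practitioner wants, because the relay's own sockets will see the relayed copy as well: only datagrams from the source subnet are relayed, and anything sent from one of the relay's own addresses is dropped so the relay cannot feed its output back into itself.

```python
"""UDP broadcast relay between two subnets, in userland.

Added example, not code from the thread or from OpenBSD's dhcrelay(8).
pf's rdr-to cannot turn a broadcast on vlan1 into a broadcast on vlan3,
so this process does it instead: it receives datagrams for the port on
every interface, accepts only those from the vlan1 subnet, and re-sends
them as a broadcast from its own vlan3 address. Subnets and addresses
are assumptions for illustration.
"""
import ipaddress
import socket

PORT = 3121  # UDP port from the original question


class BroadcastRelay:
    def __init__(self, src_net, out_addr, out_broadcast, own_addrs, port=PORT):
        self.src_net = ipaddress.ip_network(src_net)
        self.out_addr = out_addr            # this host's address on the far subnet
        self.out_broadcast = out_broadcast  # broadcast address of the far subnet
        self.port = port
        # Every address this host owns: a datagram from one of them is our
        # own relayed copy coming back in and must never be relayed again.
        self.own_addrs = {ipaddress.ip_address(a) for a in own_addrs}

    def should_relay(self, src_ip):
        """Relay only datagrams from the source subnet that we did not send."""
        ip = ipaddress.ip_address(src_ip)
        if ip in self.own_addrs:
            return False
        return ip in self.src_net

    def open_sockets(self):
        rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        rx.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        rx.bind(("", self.port))  # receives unicast and broadcast to the port
        tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        tx.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        tx.bind((self.out_addr, 0))  # source address as seen on the far subnet
        return rx, tx

    def relay_one(self, rx, tx):
        data, (src_ip, _src_port) = rx.recvfrom(65535)
        if not self.should_relay(src_ip):
            return None
        tx.sendto(data, (self.out_broadcast, self.port))
        return src_ip, len(data)

    def serve(self):
        rx, tx = self.open_sockets()
        while True:
            self.relay_one(rx, tx)


if __name__ == "__main__":
    # Assumed layout: vlan1 is 10.0.1.0/24 (relay is 10.0.1.1),
    # vlan3 is 10.0.3.0/24 (relay is 10.0.3.1).
    BroadcastRelay("10.0.1.0/24", "10.0.3.1", "10.0.3.255",
                   ["10.0.1.1", "10.0.3.1"]).serve()
```

With this running, the pf side only needs pass rules for udp port 3121 on vlan1 and vlan3; no rdr-to or nat-to is involved. It does not by itself answer Sebastien's follow-up about rewriting a broadcast to a unicast destination, but setting out_broadcast to a unicast address (and dropping SO_BROADCAST) gives exactly that.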



Re: Making IPv6 NAT prefer privacy address

2015-11-10 Thread Giancarlo Razzolini
On 22-09-2015 15:06, Daniel Gillen wrote:
> Hi
>
> I currently have the following rule to nat traffic out to the internet:
>
> match out on $if_ext inet6 from $if_int:network to any nat-to ($if_ext)
>
> But this chooses from one of the configures addresses (using round-robin).
>
> Is there a way I can configure pf to prefer the privacy address (the one
> without my MAC in it)?
>
> Thx in advance
>
> Daniel
>
Daniel,

I've managed to accomplish this by using dhcpcd with the slaac
private option. You first need to activate the interface with the inet6
-autoconf option, so you'll get only the link-local address. When you
run dhcpcd it will configure only a private address on the interface,
thus solving your issue. You don't need to make pf prefer the privacy
address, because there will only be one address on the interface.

Cheers,
Giancarlo Razzolini



pfctl -f /etc/pf.conf fails on boot when DNS-resolved symbolic names are used

2015-11-10 Thread Kent Watsen
Precondition: /etc/pf.conf contains src_addr/dst_addr set to FQDNs

On boot, the console shows an error about not being able to load pf.conf
because it can't resolve the symbolic names.

http://www.openbsd.org/faq/faq6.html#Setup.activate says:

    "... if you had specified a DNS-resolved symbolic name in any of
     the files, you would probably find it worked as expected after
     reconfigure, but on initial boot, your external resolver may
     not be available, so the configuration will fail."

but I thought that the statement might be limited to `netstart`, and
/etc/rc runs `netstart` before loading the firewall rules.  So I'm not
sure why it's not working...

Anybody run into this before?  - is the fix to add all the symbolic
names to /etc/hosts?

Thanks,
Kent



Re: USB mouse often not detected

2015-11-10 Thread Maurice Janssen
On Tue, Nov 10, 2015 at 10:47:24AM +0100, Stefan Sperling wrote:
>We need a dmesg from both of you.

OpenBSD 5.8 (GENERIC.MP) #1: Wed Oct 14 19:38:08 CEST 2015

jas...@stable-58-amd64.mtier.org:/binpatchng/work-binpatch58-amd64/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4160245760 (3967MB)
avail mem = 4030267392 (3843MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xeb450 (75 entries)
bios0: vendor American Megatrends Inc. version "F22" date 11/14/2013
bios0: Gigabyte Technology Co., Ltd. Z77-D3H
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC MCFG HPET SSDT SSDT SSDT DMAR
acpi0: wakeup devices PS2K(S3) PS2M(S3) P0P1(S4) USB1(S3) USB2(S3) USB3(S3) 
USB4(S3) USB5(S3) USB6(S3) USB7(S3) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) 
PXSX(S4) RP03(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5-3570 CPU @ 3.40GHz, 3403.85 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 100MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i5-3570 CPU @ 3.40GHz, 3403.36 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Core(TM) i5-3570 CPU @ 3.40GHz, 3403.36 MHz
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,SENSOR,ARAT
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Core(TM) i5-3570 CPU @ 3.40GHz, 3403.36 MHz
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,SENSOR,ARAT
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 0, core 3, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xf800, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (P0P1)
acpiprt2 at acpi0: bus 1 (RP01)
acpiprt3 at acpi0: bus -1 (RP02)
acpiprt4 at acpi0: bus -1 (RP03)
acpiprt5 at acpi0: bus -1 (RP04)
acpiprt6 at acpi0: bus -1 (RP05)
acpiprt7 at acpi0: bus 2 (RP06)
acpiprt8 at acpi0: bus 4 (RP07)
acpiprt9 at acpi0: bus 5 (RP08)
acpiprt10 at acpi0: bus -1 (PEG0)
acpiprt11 at acpi0: bus -1 (PEG1)
acpiprt12 at acpi0: bus -1 (PEG2)
acpiprt13 at acpi0: bus -1 (PEG3)
acpiec0 at acpi0: not present
acpicpu0 at acpi0: C3(350@80 mwait.1@0x20), C1(1000@1 mwait.1), PSS
acpicpu1 at acpi0: C3(350@80 mwait.1@0x20), C1(1000@1 mwait.1), PSS
acpicpu2 at acpi0: C3(350@80 mwait.1@0x20), C1(1000@1 mwait.1), PSS
acpicpu3 at acpi0: C3(350@80 mwait.1@0x20), C1(1000@1 mwait.1), PSS
acpipwrres0 at acpi0: FN00, resource for FAN0
acpipwrres1 at acpi0: FN01, resource for FAN1
acpipwrres2 at acpi0: FN02, resource for FAN2
acpipwrres3 at acpi0: FN03, resource for FAN3
acpipwrres4 at acpi0: FN04, resource for FAN4
acpitz0 at acpi0: critical temperature is 106 degC
acpitz1 at acpi0: critical temperature is 106 degC
acpibat0 at acpi0: BAT0 not present
acpibat1 at acpi0: BAT1 not present
acpibat2 at acpi0: BAT2 not present
acpibtn0 at acpi0: PWRB
acpibtn1 at acpi0: LID0
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD02
cpu0: Enhanced SpeedStep 3403 MHz: speeds: 3801, 3800, 3600, 3500, 3300, 3200, 
3000, 2900, 2700, 2500, 2400, 2200, 2100, 1900, 1800, 1600 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Core 3G Host" rev 0x09
vga1 at pci0 dev 2 function 0 "Intel HD Graphics 2500" rev 0x09
intagp at vga1 not configured
inteldrm0 at vga1
drm0 at inteldrm0
inteldrm0: 1280x1024
wsdisplay0 at vga1 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)

Re: pfctl -f /etc/pf.conf fails on boot when DNS-resolved symbolic names are used

2015-11-10 Thread Giancarlo Razzolini
On 10-11-2015 13:58, Kent Watsen wrote:
> Precondition: /etc/pf.conf contains src_addr/dst_addr set to FQDNs
>
> On boot, the console shows an error about not being able to load pf.conf
> because it can't resolve the symbolic names.

If your resolver can't be accessed, this will happen.

>
> http://www.openbsd.org/faq/faq6.html#Setup.activate says:
>
>     "... if you had specified a DNS-resolved symbolic name in any of
>      the files, you would probably find it worked as expected after
>      reconfigure, but on initial boot, your external resolver may
>      not be available, so the configuration will fail."
>
> but I thought that the statement might be limited to `netstart`, and
> /etc/rc runs `netstart` before loading the firewall rules.  So I'm not
> sure why it's not working...

As a general rule you should avoid using dns names on anything that
might cause the boot process to fail. Even more, you should really avoid
using names on hostname.if files.

>
> Anybody run into this before?  - is the fix to add all the symbolic
> names to /etc/hosts?

Well, if the hosts have fixed addresses, you'd be better off using macros on
pf.conf that translate to their IP address. This way you won't run into
boot issues (or reload issues, in case your resolver is down). This has
the added inconvenience that you need to update your pf.conf file
manually every time one address changes.

Now, if you really, really need to use fqdn's on pf.conf, my suggestion
is that you use ifstated to detect if your link is up and your
resolver working, and then load the rules into an anchor afterwards.
Also, you can update the anchor to reflect any uplink unavailability. Or
you can use unbound with local-zones or an unbound + nsd combo, if you
also need authoritative. I think you'll need to hack your /etc/rc file
to load them before your pf.conf is loaded.

Cheers,
Giancarlo Razzolini



Re: pfctl -f /etc/pf.conf fails on boot when DNS-resolved symbolic names are used

2015-11-10 Thread Adam Thompson

On 15-11-10 01:45 PM, Giancarlo Razzolini wrote:
> As a general rule you should avoid using dns names on anything that
> might cause the boot process to fail. Even more, you should really
> avoid using names on hostname.if files.
>
> > Anybody run into this before?  - is the fix to add all the symbolic
> > names to /etc/hosts?
>
> Well, if the hosts have fixed addresses, you'd be better off using macros on
> pf.conf that translate to their IP address. This way you won't run into
> boot issues (or reload issues, in case your resolver is down). This has
> the added inconvenience that you need to update your pf.conf file
> manually every time one address changes.
>
> Now, if you really, really need to use fqdn's on pf.conf, my suggestion
> is that you use ifstated to detect if your link is up and your
> resolver working, and then load the rules into an anchor afterwards.
> Also, you can update the anchor to reflect any uplink unavailability. Or
> you can use unbound with local-zones or an unbound + nsd combo, if you
> also need authoritative. I think you'll need to hack your /etc/rc file
> to load them before your pf.conf is loaded.



FWIW, yes, putting the entries into /etc/hosts *will* work, and it 
avoids the need to use pf.conf macros, ifstated, etc.


However, it now means that you have to ensure /etc/hosts remains 100% 
accurate... although I shudder to think of using ifstated and anchors to 
do this, it does avoid the /etc/hosts maintenance problem.  And make no 
mistake: you *will* eventually forget to update /etc/hosts.  Absolutely, 
100% guaranteed.


-Adam



Re: USB mouse often not detected

2015-11-10 Thread Paco Willers
Hi,


I reinstalled OpenBSD 5.8 and updated to stable again, so I now have a
clean install. The only thing I configured manually is: I added
'apmd_flags="-A"' in /etc/rc.conf.local to do CPU frequency scaling while
I'm not sure my system supports it.

It seems a randomly occurring problem. My mouse: "vendor 0x USB OPTICAL
MOUSE". It's wholesale cheap stuff. Other OSes don't show the problem, and
that makes me believe the mouse is doing alright. I happen to have two of
them, so to be certain I'll swap it and test this new configuration in a
few days. I'll keep you informed. I wouldn't be surprised if this cheap
piece of hardware would have some minor incompatibility that only a correct
OS's (OpenBSD) driver would crash upon. :-) (That doesn't explain Maurice's
identical problem using a Logitech mouse. Also, to my knowledge a crashed
driver would raise an error message which I didn't see.)

Here are my dmesg outputs that might help. Of course if you want to see
more files, I'd be happy to provide them. Also if you come up with some
ideas I could test, let me know. (I won't be available for a few days
however.)

My dmesg detecting the mouse:

OpenBSD 5.8-stable (GENERIC.MP) #0: Tue Nov 10 19:15:31 CET 2015
r...@test.example.com:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Pentium(R) 4 CPU 3.00GHz ("GenuineIntel" 686-class) 3 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,CNXT-ID,xTPR,PERF
real mem  = 2675343360 (2551MB)
avail mem = 2609262592 (2488MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 06/16/04, BIOS32 rev. 0 @ 0xeb560, SMBIOS rev. 2.3
@ 0xeeae0 (63 entries)
bios0: vendor Hewlett-Packard version "786C1 v01.05" date 06/16/2004
bios0: Hewlett-Packard HP Compaq dc7100 SFF(DX878AV)
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S3 S4 S5
acpi0: tables DSDT FACP SSDT APIC ASF! MCFG
acpi0: wakeup devices PCI0(S4) PEG1(S4) PCX1(S4) PCX2(S4) PCX4(S4) HUB_(S4)
COM1(S4) COM2(S4) USB1(S3) USB2(S3) USB3(S3) USB4(S3) EUSB(S3) PBTN(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 199MHz
cpu0: mwait min=64, max=64
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Pentium(R) 4 CPU 3.00GHz ("GenuineIntel" 686-class) 3 GHz
cpu1:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,CNXT-ID,xTPR,PERF
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 1
acpimcfg0 at acpi0 addr 0xd000, bus 0-255
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 32 (PCX1)
acpiprt2 at acpi0: bus 64 (PCX2)
acpiprt3 at acpi0: bus -1 (PCX4)
acpiprt4 at acpi0: bus 5 (HUB_)
acpicpu0 at acpi0: C1(@1 halt!)
acpicpu1 at acpi0: C1(@1 halt!)
acpibtn0 at acpi0: PBTN
bios0: ROM list: 0xc/0xa800! 0xca800/0x1000 0xcb800/0x2000
0xe9c00/0x6400!
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82915G Host" rev 0x04
vga1 at pci0 dev 2 function 0 "Intel 82915G Video" rev 0x04
intagp0 at vga1
agp0 at intagp0: aperture at 0xe000, size 0x1000
inteldrm0 at vga1
drm0 at inteldrm0
inteldrm0: 1024x768
wsdisplay0 at vga1 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
"Intel 82915G Video" rev 0x04 at pci0 dev 2 function 1 not configured
ppb0 at pci0 dev 28 function 0 "Intel 82801FB PCIE" rev 0x03
pci1 at ppb0 bus 32
ppb1 at pci0 dev 28 function 1 "Intel 82801FB PCIE" rev 0x03: apic 1 int 17
pci2 at ppb1 bus 64
bge0 at pci2 dev 0 function 0 "Broadcom BCM5751" rev 0x01, BCM5750 A1
(0x4001): apic 1 int 17, address 00:12:79:67:d1:01
brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
uhci0 at pci0 dev 29 function 0 "Intel 82801FB USB" rev 0x03: apic 1 int 20
uhci1 at pci0 dev 29 function 1 "Intel 82801FB USB" rev 0x03: apic 1 int 18
uhci2 at pci0 dev 29 function 2 "Intel 82801FB USB" rev 0x03: apic 1 int 21
uhci3 at pci0 dev 29 function 3 "Intel 82801FB USB" rev 0x03: apic 1 int 22
ehci0 at pci0 dev 29 function 7 "Intel 82801FB USB" rev 0x03: apic 1 int 20
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb2 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xd3
pci3 at ppb2 bus 5
auich0 at pci0 dev 30 function 2 "Intel 82801FB AC97" rev 0x03: apic 1 int
21, ICH6 AC97
ac97: codec id 0x41445374 (Analog Devices AD1981B)
ac97: codec features headphone, 20 bit DAC, No 3D Stereo
audio0 at auich0
ichpcib0 at pci0 dev 31 function 0 "Intel 82801FB LPC" rev 0x03: PM disabled
pciide0 at pci0 dev 31 function 1 "Intel 82801FB IDE" rev 0x03: DMA,
channel 0 configured to compatibility, channel 1 configured to 

Re: USB mouse often not detected

2015-11-10 Thread Maurice Janssen

Paco Willers wrote on 2015-11-10 07:53:

> Hi,
>
> When using a PS/2 mouse everything worked fine. I swapped it for a USB
> mouse, but this mouse isn't always detected while booting my (386-based)
> OpenBSD 5.8-stable system. Replugging the mouse when the system is running
> usually solves the problem: the mouse is detected and works fine. Sometimes
> this replugging needs to be done several times on different USB ports for
> it to have effect.
>
> Before sending this message I checked whether the mouse itself is the
> problem because it's a cheap one, so I tried other OSes (Debian Linux 8.2,
> NetBSD 7.0 and FreeBSD 10.2) and the problem was gone, so my mouse looks
> OK. Possibly the problem is in the combination of my hardware with OpenBSD.
>
> However I would like to use OpenBSD. :)
>
> Is this a known problem? I saw some people on this mailing list having
> trouble with USB mouses periodically reconnecting, but that's not my
> problem: most of the time it isn't detected at all.


I have the same issue, but much less frequent.  I guess it happens one 
out of 20 or 30 times I start the machine and replugging it once (in the 
same port) always makes it work.  And once it works, it keeps working 
without any further issues.
I run 5.8-stable/amd64, but this also happened on 5.7-stable (and I 
think also on older versions).


Maurice



Re: USB mouse often not detected

2015-11-10 Thread Paco Willers
Sure, I'll post it when I'm at home. :)


2015-11-10 10:47 GMT+01:00 Stefan Sperling :

>
> We need a dmesg from both of you.



Re: USB mouse often not detected

2015-11-10 Thread Stefan Sperling
On Tue, Nov 10, 2015 at 08:28:24AM +0100, Maurice Janssen wrote:
> Paco Willers wrote on 2015-11-10 07:53:
> >Hi,
> >
> >
> >When using a PS/2 mouse everything worked fine. I swapped it for a USB
> >mouse, but this mouse isn't always detected while booting my (386-based)
> >OpenBSD 5.8-stable system. Replugging the mouse when the system is running
> >usually solves the problem: the mouse is detected and works fine.
> >Sometimes
> >this replugging needs to be done several times on different USB ports for
> >it to have effect.
> >
> >Before sending this message I checked whether the mouse itself is the
> >problem because it's a cheap one, so I tried other OSes (Debian Linux 8.2,
> >NetBSD 7.0 and FreeBSD 10.2) and the problem was gone, so my mouse looks
> >OK. Possibly the problem is in the combination of my hardware with
> >OpenBSD.
> >However I would like to use OpenBSD. :)
> >
> >Is this a known problem? I saw some people on this mailing list having
> >trouble with USB mouses periodically reconnecting, but that's not my
> >problem: most of the time it isn't detected at all.
> 
> I have the same issue, but much less frequent.  I guess it happens one out
> of 20 or 30 times I start the machine and replugging it once (in the same
> port) always makes it work.  And once it works, it keeps working without any
> further issues.
> I run 5.8-stable/amd64, but this also happened on 5.7-stable (and I think
> also on older versions).
> 
> Maurice

We need a dmesg from both of you.



Re: pfctl -f /etc/pf.conf fails on boot when DNS-resolved symbolic names are used

2015-11-10 Thread Craig Skinner
Hi Kent,

On 2015-11-10 Tue 10:58 AM |, Kent Watsen wrote:
> 
> Anybody run into this before??  - is the fix to add all the symbolic
> names to /etc/hosts?
> 

Yes, use /etc/hosts.

Same for hostnames in /etc/syslog.conf if using localhost unbound as the
only nameserver in /etc/resolv.conf.

Then also:

1) have a daily script that updates /etc/hosts' IP addresses.
   But you must remember to add/remove the names manually.

2) reload pf's rules in /etc/rc.local - for when /etc/hosts is wrong...

Cheers.
-- 
The reason computer chips are so small is computers don't eat much.



Ipsec tunnel not starting after update to recent snapshot

2015-11-10 Thread Theodore Wynnychenko
(( I have been trying to send this message all day - this is my third attempt --
I am sorry if it appears multiple times suddenly, but not sure why it is not
posting to the list... ))

Hello

I recently updated to the 11-9 amd64 snapshot.
I had started following current, and, in general, seem to be doing fine.

But, after this last update, an IPSEC tunnel that I have been using for
months/years all of a sudden is not coming up with a system reboot.

I have not changed the ipsec.conf files in a really long time.  So, I did not
include them, but can if necessary.  The important point (I think) is that I am
using some FQDNs with dynamic IPs.

What I have noticed is that the "dynamic" side of the tunnel seems to be trying
to connect, but the "passive" side refuses to accept the connection.

On the passive side, I get this:
...
Nov 10 10:21:46 xxx isakmpd[12622]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Nov 10 10:21:46 xxx isakmpd[12622]: message_negotiate_sa: no compatible proposal found
Nov 10 10:21:46 xxx isakmpd[12622]: dropped message from a.b.c.d port 500 due to notification type NO_PROPOSAL_CHOSEN
...
So, I understand this is because isakmpd is "falling back" to a default 3DES
setting, and the AES proposal from the dynamic side of the tunnel is being
rejected.

This led me to the dmesg on the passive host:
...
starting early daemons: syslogd pflogd ntpd isakmpd.
no IP address found for ipsec1.FQDN.com /etc/ipsec.conf: 40: could not parse host specification
no IP address found for ipsec1.FQDN.com /etc/ipsec.conf: 41: could not parse host specification
no IP address found for ipsec2.FQDN.com /etc/ipsec.conf: 42: could not parse host specification
no IP address found for ipsec2.FQDN.com /etc/ipsec.conf: 43: could not parse host specification
ipsecctl: Syntax error in config file: ipsec rules not loaded
...

So, I reload the ipsec.conf file manually - "ipsecctl -f /etc/ipsec.conf" - and
the tunnel goes up.

Now, on the dynamic host, there is no issue loading ipsec at boot - dmesg for
the dynamic host:
...
starting early daemons: syslogd pflogd ntpd isakmpd.
starting RPC daemons:.
...

As I said, no changes to ipsec.conf, and it was working last week before the
current snapshot.
I don't see anything in 'following current' about changes to ipsec
configuration.

Also, both ends of the tunnel point to the same resolver (openDNS) during the
boot up process.  If it was an issue with the resolver, I would have expected a
problem on both ends of the tunnel.

The confusing thing to me is why a line like: "ike passive esp from $local_ip to
$remote_gw srcid $local_id dstid $remote_id"
is failing during boot with "could not parse host specification."

But, a line like: "ike dynamic esp from $local_ip to $remote_gw srcid $local_id
dstid $remote_id"
works without an issue.

So, am I missing something, or is this a bug?  And, if so, what should I do?

Thanks
Ted W.




Re: Firewall rules and features

2015-11-10 Thread Stuart Henderson
On 2015-11-10, sven falempin  wrote:
> Ok, I agree, and thank you for the accurate answer.
>
>
> OTOH the server was rejecting all the other requests (I do not think it
> was badly configured)
> and it ended up rejecting the good one also (after a long time of use).
> I first looked in the nsd manpages to see if I could figure out why and found nothing
> (a log like "I reject packet because ...").
> I tried verbosity: 2, ratelimit: 1024 (but nsd wasn't up to date - NSD
> version 3.2.5).
> I wanted to have a workaround; of course there is another authoritative to
> answer,
> therefore I ended up filtering content.
>

Sounds like you should first update, then if the problem persists work on
tracking down the problem you see with NSD. Or outsource it (maybe run your
server as a "hidden master" and use a DNS provider that will secondary from
you, http://efball.com/dns/ lists free-of-charge ones).

> If I run an authoritative server, can I filter to answer only certain IP
> addresses?
> Like a list of public/root DNS?

You are missing some knowledge of how DNS works. The root servers don't
send queries, they answer them. There is no such list of addresses (and it
wouldn't help anyway - lots of queries from different places for various
"random".whatever.com will still give you problems).

> My next step was to look at dnssec, which would be nice to have anyway.

That is not going to make this any better.

> On Mon, Nov 9, 2015 at 10:34 PM, Nick Holland 
> wrote:
>
>> > with iptables i was able to add
>> > <-m string --hex-string whatever|03|com>
>> > in the  rules.
>> >
>> > So i only accept DNS request that matters to me.

L7 filtering to remove DNS attack traffic can be useful, but mostly
where it's done it is to carefully remove specific packets (e.g. if you
have a bunch of spoofed queries trying to use you as a bouncer/amplifier
and you can identify them from certain bits in the query)

>> > Is there a way ? (something simpler than diverting to a
>> > sort of grep -v ).
>>
>> I'd call that a wrong way to do it, definitely.
>>
>> If your name server is configured properly, it should be ignoring domain
>> requests it isn't authoritative for.  Not a problem.

It should be returning REFUSED rather than just ignoring so it is still
sending out packets (possibly to an unwitting victim). It can be a problem
on the dns server or firewall too, e.g. if it fills PF state table.
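
As an added example (not nsd code, and not from the thread), here is what the iptables hex-string match sven used looks like when done on a parsed query rather than on raw bytes, with the two behaviours Stuart describes: names outside the served zones get a REFUSED reply rather than silence, and that reply carries no records, so it is never larger than the query a spoofed source sent. The zone and the queries are constructed for the example; the ANY-query heuristic is a common one and an assumption of mine, not something the thread states.

```python
"""Parse a DNS query's question and decide whether to answer or REFUSE it.

Added example, not code from nsd or from the thread. A byte-string match
such as iptables' |03|com also fires on any name that merely contains
those bytes (xwhatever.com contains whatever|03|com); matching on the
parsed, lower-cased name avoids that. Out-of-zone queries get a minimal
REFUSED reply: header plus the echoed question, so the reply is no larger
than the query and cannot amplify. Zones and queries are constructed.
"""
import struct
from collections import namedtuple

QTYPE_ANY = 255
RCODE_REFUSED = 5

DnsQuery = namedtuple("DnsQuery", "txid flags qname qtype qclass question")


def parse_name(buf, off):
    """Read an uncompressed wire-format name; return (name, next offset)."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        n = buf[off]
        off += 1
        if n == 0:
            return "".join(l + "." for l in labels) or ".", off
        if n & 0xC0:
            raise ValueError("compression pointer in question section")
        label = buf[off:off + n]
        if len(label) != n:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii").lower())
        off += n


def parse_query(pkt):
    if len(pkt) < 12:
        raise ValueError("short header")
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, off = parse_name(pkt, 12)
    if off + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return DnsQuery(txid, flags, qname, qtype, qclass, pkt[12:off + 4])


def in_zone(qname, zone):
    """True if qname is the zone apex or a name below it (label-aligned)."""
    zone = zone.lower().rstrip(".") + "."
    if zone == ".":
        return True
    return qname == zone or qname.endswith("." + zone)


def decide(q, zones):
    """'answer' for names inside a served zone, otherwise 'refuse'."""
    return "answer" if any(in_zone(q.qname, z) for z in zones) else "refuse"


def looks_like_reflection(q):
    """Assumed heuristic, not from the thread: ANY is the classic
    amplification request and is worth rate-limiting separately."""
    return q.qtype == QTYPE_ANY


def build_refused(q):
    """Header + echoed question, no records: RCODE 5, same size as query."""
    flags = 0x8000 | (q.flags & 0x7900) | RCODE_REFUSED  # QR set; opcode, RD kept
    return struct.pack("!HHHHHH", q.txid, flags, 1, 0, 0, 0) + q.question


def build_query(txid, name, qtype=1):
    """Constructed input: a standard recursive query for name, class IN."""
    out = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00" + struct.pack("!HH", qtype, 1)
```

pf alone cannot look into the question section, so this logic belongs in front of or inside the name server; the point of doing it on the parsed name is that `whatever|03|com` as a substring match also accepts `xwhatever.com`, while the label-aligned check above does not.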



Re: pfctl -f /etc/pf.conf fails on boot when DNS-resolved symbolic names are used

2015-11-10 Thread Nick Holland
On 11/10/15 10:57, Kent Watsen wrote:
> Precondition: /etc/pf.conf contains src_addr/dst_addr set to FQDNs
> 
> On boot, the console shows an error about not being able to load pf.conf
> because it can't resolve the symbolic names.
> 
> http://www.openbsd.org/faq/faq6.html#Setup.activate says:
> 
>     "... if you had specified a DNS-resolved symbolic name in any of
>      the files, you would probably find it worked as expected after
>      reconfigure, but on initial boot, your external resolver may
>      not be available, so the configuration will fail."
> 
> but I thought that the statement might be limited to `netstart`, and
> /etc/rc runs `netstart` before loading the firewall rules.  So I'm not
> sure why it's not working...
> 
> Anybody run into this before?  - is the fix to add all the symbolic
> names to /etc/hosts?

adding yet another voice, though somewhat different answer: don't use
symbolic names.

Here's the thing: PF works on IP addresses.  NOT DNS names.  While you
might argue DNS names resolve to IP addresses, they do NOT do a 1:1
correlation.  You will end up with problems someday that might take a
bit of investigation to figure out.

Long long ago, a company I used to work for had a firewall that Wasn't
My Problem.  Or so I thought.  It would block various sites management
didn't want people going to; the user would just end up at a friendly
site saying, "we don't want you to go here".

Management decided that webmail was not something they wanted people
going to, so they blocked most of the known major webmail services.  But
every once in a while, when someone would go to Google, they would get
the "Blocked!" message.  It was rare, but definitely happening, and it
could happen all over the company.  And half an hour later...problem is
gone...only to appear later on someone else's computer.

Maybe you are ahead of me.  If so, congratulate yourself, I puzzled over
this for a few weeks.  Turned out the way this firewall blocked SITES
was by resolving the name, and adding redirections for those addresses.
 Someone entered "gmail.google.com" into that table, and it quickly got
lost among all the other entries.  On boot, the firewall would resolve
gmail.google.com, and put the one or five or whatever entries in the
block/redirect table, and forget about it.

Well...you see, google uses a massive front-end infrastructure for most
or all of their  services, and the requested name would dictate the
route through the load balancers.  So...this firewall was blocking
probably one or five of the HUNDREDS or THOUSANDS of IP addresses Google
would return for ANY of its services.  So once in a while,
gmail.google.com was blocked, but sometimes so was www.google.com.

The point is...if you put in a DNS name, odds are you are going to end
up thinking you are blocking/passing/redirecting a DNS name..when in
reality, you are whatevering JUST the IP address that it resolves to at
the time the firewall rules were loaded.  You may have missed a lot, or
it may move.

IF you are really in a situation where the only things you are trying to
manage with DNS names are simple 1:1 name:ip mappings, an easy solution
would be to have your pf.conf file a "stub" with enough to let the
system come up, then a post boot and periodic (re)load of the "real"
rules in a separate file.

Nick.
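
Pulling the three suggestions together (Giancarlo's anchor loaded once the resolver is reachable, Craig's daily refresh, Nick's stub pf.conf plus a post-boot and periodic reload of the real rules), here is an added example, not code from any of the posters: a script that keeps a pf table in sync with DNS names so that pf.conf itself never contains a name. Table name, host names and cache path are assumptions. On a resolver failure it keeps the last known addresses for that name from a small cache instead of emptying the table, which is the failure mode the thread is about.

```python
"""Refresh a pf table from DNS names instead of putting names in pf.conf.

Added example, not code from any poster. pf.conf keeps only IP literals
plus a table, assumed to look like
    table <remote_hosts> persist
    pass in proto tcp from <remote_hosts> to any port 22
and this script, run from cron and once from /etc/rc.local, resolves the
names and replaces the table with "pfctl -t <table> -T replace addr...".
A name that fails to resolve keeps its last known addresses from a cache
file, so a resolver outage never empties the table. Table name, host
names and cache path are assumptions for illustration.
"""
import ipaddress
import json
import socket
import subprocess

TABLE = "remote_hosts"
NAMES = ["vpn-peer.example.org", "backup.example.org"]
CACHE = "/var/db/pf-table-remote_hosts.json"


def default_resolver(name):
    """All A and AAAA answers for name, as strings."""
    infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def resolve_all(names, resolver=default_resolver):
    """{name: sorted addresses}, or None for a name that did not resolve."""
    out = {}
    for name in names:
        try:
            out[name] = sorted(set(resolver(name)))
        except OSError:  # socket.gaierror is a subclass of OSError
            out[name] = None
    return out


def merge_with_cache(resolved, cached):
    """Fresh answers win; a failed lookup falls back to the cached answer."""
    return {name: (addrs if addrs is not None else cached.get(name, []))
            for name, addrs in resolved.items()}


def table_entries(merged):
    """Deduplicated, validated addresses in a stable order (IPv4 first)."""
    ips = {ipaddress.ip_address(a) for addrs in merged.values() for a in addrs}
    return [str(ip) for ip in sorted(ips, key=lambda ip: (ip.version, int(ip)))]


def plan_update(names, cached, resolver=default_resolver):
    """Return (table entries, merged name->addresses map to cache)."""
    merged = merge_with_cache(resolve_all(names, resolver), cached)
    return table_entries(merged), merged


def apply_update(entries, table=TABLE, run=subprocess.run):
    """Replace the table in one pfctl call; never replace it with nothing."""
    if not entries:
        raise RuntimeError("no addresses for <%s>; table left unchanged" % table)
    argv = ["pfctl", "-t", table, "-T", "replace"] + entries
    run(argv, check=True)
    return argv


def main():
    try:
        with open(CACHE) as f:
            cached = json.load(f)
    except (OSError, ValueError):
        cached = {}
    entries, merged = plan_update(NAMES, cached)
    apply_update(entries)
    with open(CACHE, "w") as f:
        json.dump(merged, f)


if __name__ == "__main__":
    main()
```

With the table declared `persist`, `pfctl -f /etc/pf.conf` at boot succeeds with no resolver at all, and the table fills in as soon as names resolve. Nick's caveat still applies: a name that resolves to many rotating addresses is not a 1:1 mapping, and the table only ever holds what the last lookup returned.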



Re: Rspamd with smtpd

2015-11-10 Thread Joerg Jung
> On 11.11.2015 at 05:44, Daniel Ouellet wrote:
> 
> Does anyone use this port yet, Rspamd?
> 
> I saw Stuart + a few helpers making a port of Rspamd. Only on current
> now, so I installed current on a server and tried to run it.
> 
> But does anyone have any clue stick to provide on how to actually plug it
> into smtpd?

I do not use it, but I guess you can use it in LDA mode 
with "... deliver to mda rspamc..."  in smtpd.conf,
as described here https://rspamd.com/doc/integration.html

> Looks like Rspamd accepts input only via standard HTTP.
> 
> I have to say Google provides me with more questions than answers.
> 
> I thought that maybe relaying to the rspamd port 11333 where it is
> listening would work, but well, it's not coming back on port 11334,
> which appears to definitely be listening for HTTP requests.
> 
> In any case, neither port does it.
> 
> It appears to be a nice port to use and fast, but well, I can't figure out
> how to use it yet...
> 
> # telnet 127.0.0.1 11333
> Trying 127.0.0.1...
> Connected to 127.0.0.1.
> Escape character is '^]'.
> EHLO home.ouellet.biz
> Connection closed by foreign host.
> 
> # telnet 127.0.0.1 11334
> Trying 127.0.0.1...
> Connected to 127.0.0.1.
> Escape character is '^]'.
> EHLO home.ouellet.biz
> HTTP/1.1 14 (NULL)
> Connection: close
> Server: rspamd/1.0.9
> Date: Wed, 11 Nov 2015 04:43:20 GMT
> Content-Length: 38
> Content-Type: text/plain
> 
> HTTP parser error: invalid HTTP methodConnection closed by foreign host.
> 
> So, how one can or would use this if I would like to try it?



Rspamd with smtpd

2015-11-10 Thread Daniel Ouellet
Does anyone use this port yet, Rspamd?

I saw Stuart + a few helpers making a port of Rspamd. Only on current
now, so I installed current on a server and tried to run it.

But does anyone have any clue stick to provide on how to actually plug it
into smtpd?

Looks like Rspamd accepts input only via standard HTTP.

I have to say Google provides me with more questions than answers.

I thought that maybe relaying to the rspamd port 11333 where it is
listening would work, but well, it's not coming back on port 11334,
which appears to definitely be listening for HTTP requests.

In any case, neither port does it.

It appears to be a nice port to use and fast, but well, I can't figure out
how to use it yet...

# telnet 127.0.0.1 11333
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
EHLO home.ouellet.biz
Connection closed by foreign host.

# telnet 127.0.0.1 11334
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
EHLO home.ouellet.biz
HTTP/1.1 14 (NULL)
Connection: close
Server: rspamd/1.0.9
Date: Wed, 11 Nov 2015 04:43:20 GMT
Content-Length: 38
Content-Type: text/plain

HTTP parser error: invalid HTTP methodConnection closed by foreign host.

So, how can or would one use this if I would like to try it?
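The two telnet sessions above show the crux of the question: rspamd's workers answer HTTP, so an SMTP EHLO sent to them is met with "invalid HTTP method". As an added example, not taken from this thread nor from the rspamd or OpenSMTPD projects, here is a small Python client that builds the kind of HTTP request a glue script sitting between smtpd and rspamd would send, and turns the JSON verdict into an accept/tempfail/reject decision. The endpoint (`POST /checkv2`), the `From`/`Rcpt`/`IP`/`Helo` request headers and the reply fields (`score`, `required_score`, `action`) are assumptions taken from rspamd's documented worker protocol, not from the post; the sample reply is constructed, and the host, port and addresses are placeholders. How smtpd itself hands a message to such a script is outside this example.

```python
"""Added example (not from the thread): feeding a message to rspamd over HTTP.

Assumptions, from rspamd's documented worker protocol rather than the thread:
POST /checkv2 with the raw message as the body, envelope data in the
From / Rcpt / IP / Helo request headers, and a JSON reply carrying
"score", "required_score" and "action".
"""
import json
import socket

RSPAMD_HOST = "127.0.0.1"   # placeholder; the post used the loopback address
RSPAMD_PORT = 11333         # normal worker port mentioned in the thread


def build_check_request(message, mail_from, rcpt_to, client_ip, helo,
                        host=RSPAMD_HOST):
    """Return the raw HTTP/1.1 request bytes for scanning one message."""
    lines = [
        "POST /checkv2 HTTP/1.1",
        f"Host: {host}",
        "Content-Type: application/octet-stream",
        f"Content-Length: {len(message)}",
        f"From: {mail_from}",
        f"IP: {client_ip}",
        f"Helo: {helo}",
    ]
    lines.extend(f"Rcpt: {rcpt}" for rcpt in rcpt_to)  # one header per recipient
    lines.append("Connection: close")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + message


def parse_check_response(raw):
    """Split an HTTP reply and pull the verdict fields out of its JSON body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP response")
    status_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or parts[1] != "200":
        # e.g. the "HTTP/1.1 14 (NULL)" seen in the post when SMTP was sent
        raise RuntimeError(f"rspamd returned: {status_line}")
    verdict = json.loads(body)
    return {
        "score": float(verdict["score"]),
        "required_score": float(verdict["required_score"]),
        "action": verdict["action"],
    }


def decide(verdict):
    """Map rspamd's action string to what the MTA should do with the message."""
    action = verdict["action"]
    if action == "reject":
        return "reject"
    if action in ("soft reject", "greylist"):
        return "tempfail"
    # "no action", "add header", "rewrite subject": deliver, possibly tagged
    return "accept"


def check_message(message, mail_from, rcpt_to, client_ip, helo,
                  host=RSPAMD_HOST, port=RSPAMD_PORT, timeout=10.0):
    """Send one message to a running rspamd worker and return its verdict."""
    request = build_check_request(message, mail_from, rcpt_to, client_ip, helo, host)
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:  # we asked for Connection: close, so read until EOF
            chunk = sock.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_check_response(b"".join(chunks))


# Constructed sample reply shaped like an rspamd verdict, for offline use.
SAMPLE_SPAM_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: rspamd/1.0.9\r\n"
    b"Connection: close\r\n"
    b"Content-Type: application/json\r\n"
    b"\r\n"
    + json.dumps({"score": 17.5, "required_score": 15.0, "action": "reject",
                  "symbols": {"GTUBE": {"score": 17.5}}}).encode("ascii")
)


if __name__ == "__main__":
    req = build_check_request(b"Subject: test\r\n\r\nhello\r\n", "a@example.com",
                              ["b@example.com"], "192.0.2.10", "mail.example.com")
    print(req.decode("ascii"))
    verdict = parse_check_response(SAMPLE_SPAM_RESPONSE)
    print(verdict, "->", decide(verdict))
```

The rspamd/1.0.9 seen in the post predates the `/checkv2` endpoint; older releases answer on `/check` and may wrap the verdict differently, so match the path and reply layout to the protocol documentation of the version actually installed before wiring this into a delivery path.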



Fwd: USB mouse often not detected

2015-11-10 Thread Notofsoundmind .
-- Forwarded message --
From: Notofsoundmind . 
Date: Tue, Nov 10, 2015 at 5:47 PM
Subject: Re: USB mouse often not detected
To: Paco Willers 


Hello everyone,
I am having a similar problem with USB.  At times I can attach a
device (mouse, keyboard, external HDD) and the machine will
recognize it immediately.  Other times this is not the case, and I
have to unplug and replug multiple times for it to work.  Also these
devices will randomly disconnect, and I get the message
"ehci_sync_hc: tsleep() = 35".  After much thought I assumed the
problem may be related to the nVidia hardware on the motherboard
so I ordered another motherboard without nVidia components.

My dmesg is as follows:

OpenBSD 5.8 (GENERIC) #1170: Sun Aug 16 02:26:00 MDT 2015
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 1056636928 (1007MB)
avail mem = 1020821504 (973MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xf906f (4 entries)
bios0: vendor American Megatrends Inc. version "P2.40" date 07/16/2007
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC OEMB
acpi0: wakeup devices PS2K(S4) PS2M(S4) UAR1(S4) USB0(S4) MAC_(S5) AC97(S4)
USB1(S4) USB2(S4) P0P1(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Athlon(tm) 64 Processor 3000+, 2010.03 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW,LAHF
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB
64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: AMD erratum 89 present, BIOS upgrade may be required
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 200MHz
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 11, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 1
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 2 (P0P1)
acpicpu0 at acpi0: C1(@1 halt!), PSS
acpipwrres0 at acpi0: ISAV, resource for IDE0
acpibtn0 at acpi0: PWRB
cpu0: Cool'n'Quiet K8 2010 MHz: speeds: 2000 1800 1000 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "NVIDIA nForce3 250 PCI Host" rev 0xa1
agp at pchb0 not configured
pcib0 at pci0 dev 1 function 0 "NVIDIA nForce3 250 ISA" rev 0xa2
nviic0 at pci0 dev 1 function 1 "NVIDIA nForce3 250 SMBus" rev 0xa1
iic0 at nviic0
spdmem0 at iic0 addr 0x50: 1GB DDR SDRAM non-parity PC3200CL3.0
iic1 at nviic0
ohci0 at pci0 dev 2 function 0 "NVIDIA nForce3 250 USB" rev 0xa1: apic 1
int 9, version 1.0, legacy support
ohci1 at pci0 dev 2 function 1 "NVIDIA nForce3 250 USB" rev 0xa1: apic 1
int 5, version 1.0, legacy support
ehci0 at pci0 dev 2 function 2 "NVIDIA nForce3 250 USB" rev 0xa2: apic 1
int 3
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "NVIDIA EHCI root hub" rev 2.00/1.00 addr 1
nfe0 at pci0 dev 5 function 0 "NVIDIA nForce3 LAN" rev 0xa2: apic 1 int 9,
address 00:19:66:54:59:33
rlphy0 at nfe0 phy 1: RTL8201L 10/100 PHY, rev. 1
auich0 at pci0 dev 6 function 0 "NVIDIA nForce3 250 AC97" rev 0xa1: apic 1
int 9, nForce3 AC97
ac97: codec id 0x414c4790 (Avance Logic ALC850 rev 0)
audio0 at auich0
pciide0 at pci0 dev 8 function 0 "NVIDIA nForce3 250 IDE" rev 0xa2: DMA,
channel 0 configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
atapiscsi0 at pciide0 channel 1 drive 1
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0:  ATAPI
5/cdrom removable
cd0(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 2
pciide1 at pci0 dev 10 function 0 "NVIDIA nForce3 250 SATA" rev 0xa2: DMA
pciide1: using apic 1 int 10 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: 
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
ppb0 at pci0 dev 11 function 0 "NVIDIA nForce3 250 AGP" rev 0xa2
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "NVIDIA GeForce FX 5500" rev 0xa1
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb1 at pci0 dev 14 function 0 "NVIDIA nForce3 250" rev 0xa2
pci2 at ppb1 bus 2
rl0 at pci2 dev 5 function 0 "Realtek 8139" rev 0x10: apic 1 int 9, address
00:e0:52:9d:a1:08
rlphy1 at rl0 phy 0: RTL internal PHY
pchb1 at pci0 dev 24 function 0 "AMD AMD64 0Fh HyperTransport" rev 0x00
pchb2 at pci0 dev 24 function 1 "AMD AMD64 0Fh Address Map" rev 0x00
pchb3 at pci0 dev 24 function 2 "AMD AMD64 0Fh DRAM Cfg" rev 0x00
kate0 at pci0 dev 24 function 3 "AMD AMD64 0Fh Misc Cfg" rev 0x00
isa0 at pcib0
isadma0 at isa0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head,