How to test radius server

2015-11-24 Thread freeunix

I read /etc/npppd/npppd.conf.
It's OK, except for RADIUS :)

"man npppd.conf" says:

authentication RADIUS type radius {
    username-suffix "@example.com"

    authentication-server {
        address 192.168.0.1 secret "hogehoge"
    }

}

Then, I couldn't find /etc/radiusd.conf.
I checked "man -k radius".
"man radiusd.conf" says:

client 192.168.0.0/24 {
    secret "secret"
    msgauth-required yes
}
module set radius "secret" "testing123"


Wow, I must change npppd.conf and radiusd.conf.

1.
npppd.conf:
    authentication-server {
        address 192.168.0.1 secret "hogehoge"
    }

radiusd.conf:
    client 192.168.0.0/24 {
        secret "secret"
        msgauth-required yes
    }
    module set radius "secret" "hogehoge"


2.
npppd.conf:
    authentication-server {
        address 192.168.0.1 secret "hogehoge"
    }

radiusd.conf:
    client 192.168.0.0/24 {
        secret "secret"
        msgauth-required yes
    }
    module set radius "hogehoge" "testing123"

Where is the username...?
It isn't easy to understand from "man npppd.conf" and "man radiusd.conf".

These examples aren't reciprocal.

A good manual is "see it once, and you can do it!"
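One way to exercise the shared-secret side of this setup without npppd in the loop, added here as an example and not part of the original post or of OpenBSD's radiusd: the script below builds a PAP Access-Request the way a NAS would (RFC 2865 User-Password hiding plus the RFC 2869 Message-Authenticator, which is the attribute radiusd checks when msgauth-required is set) and then verifies it the way the server would. A secret mismatch between the two config files therefore shows up as a failed Message-Authenticator before any password is looked at. The secret "hogehoge", the NAS address 192.168.0.1, the user name and the port 1812 are assumptions taken from the snippets above; the send helper is optional and only matters against a real server.

```python
"""Build and verify a RADIUS PAP Access-Request offline (RFC 2865, RFC 2869).

Added example for checking the secret shared by a NAS such as npppd and
radiusd; not code from the original post or from OpenBSD.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80

# Assumed values, taken from the config snippets in the post.
SECRET = b"hogehoge"
NAS_IP = bytes([192, 168, 0, 1])


def _attr(atype, value):
    """Encode one Type-Length-Value attribute; the length includes the 2-byte header."""
    return struct.pack("BB", atype, len(value) + 2) + value


def encrypt_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decrypt_password(cipher, secret, authenticator):
    """Inverse of encrypt_password; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        block = cipher[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, nas_ip=NAS_IP, authenticator=None):
    """Assemble the request; Message-Authenticator = HMAC-MD5 over the packet with its value zeroed."""
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, encrypt_password(password, secret, authenticator))
    attrs += _attr(ATTR_NAS_IP_ADDRESS, nas_ip)
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # placeholder, filled in below
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def parse_attributes(packet):
    """Walk the TLVs after the 20-byte header; reject lengths that would loop or overrun."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, pos, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def verify_message_authenticator(packet, secret):
    """The check behind msgauth-required: recompute the HMAC with the attribute zeroed."""
    for atype, pos, value in parse_attributes(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # attribute missing: a msgauth-required server drops the request


def check_as_server(packet, secret):
    """What the server recovers from the request, or None if the secret does not match."""
    if not verify_message_authenticator(packet, secret):
        return None
    fields = {atype: value for atype, _, value in parse_attributes(packet)}
    return {
        "user": fields[ATTR_USER_NAME],
        "password": decrypt_password(fields[ATTR_USER_PASSWORD], secret, packet[4:20]),
    }


def build_response(code, request, secret, attrs=b""):
    """Reply as a server would: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response, request, secret):
    """Client-side check of the reply; a forged or wrong-secret reply fails here."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def send_and_receive(packet, host, port=1812, timeout=3.0):
    """Optional: send the request to a real server (not used offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (host, port))
        return s.recv(4096)


if __name__ == "__main__":
    req = build_access_request(1, SECRET, b"alice@example.com", b"pa55w0rd")
    print("server using the client-block secret:", check_as_server(req, SECRET))
    print("server using 'testing123' instead:   ", check_as_server(req, b"testing123"))
```

Run check_as_server() with the secret from the radiusd client block: a None result means the packet was rejected for the same reason radiusd rejects it with msgauth-required yes, namely that the two sides do not share the secret. verify_response() applies the matching rule to the Access-Accept or Access-Reject that a real server sends back through send_and_receive().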



Re: lidsuspend does not work anymore on 5.8 snapshot, garbles screen, zzz suspend works fine (longer)

2015-11-24 Thread Aaron Miller
On Mon, Aug 31, 2015 at 08:59:15PM -0400, Michael McConville wrote:
> Michael McConville wrote:
> > I'm having a similar issue on today's AMD64 snapshot on a ThinkPad
> > X210.
> > 
> > When I opened it the screen stayed black and there were no signs of
> > life other than the battery indicator. Pressing keys did nothing. I
> > had to power cycle.
> > 
> > The only relevant syslog entry was:
> > 
> > > Jul 29 13:29:22 thinkpad apmd: system suspending
> 
> For what it's worth, I've had this happen once or twice in the past
> couple days. I'm running new snapshots.
> 

I also noticed the black screen, but with the 11/15 snapshot. I tried
tapping caps lock, which toggled the caps lock LED in the normal manner.
I watched for the hard disk LED but did not see activity after watching
for a few minutes. I had to power cycle as well.

--Aaron



Re: pf change destination port for outgoing traffic

2015-11-24 Thread Stuart Henderson
On 2015-11-24, Lampshade  wrote:
> Has anything changed during these years?
> I would like to do the same thing the author of the topic wanted.

I don't remember the exact syntax but IIRC this can be done with a rule
involving "rdr-to", "bitmask", and "0.0.0.0/0".



option DEBUG in sparc64 kernel

2015-11-24 Thread Fred

Hi Misc@

I'm trying to build a debug kernel for sparc64 but keep getting the 
following errors in iommu.c:


cc  -Werror -Wall -Wimplicit-function-declaration  -Wno-main 
-Wno-uninitialized  -Wframe-larger-than=2047 -Wa,-Av9b, -mno-fpu 
-fno-builtin-printf -fno-builtin-snprintf  -fno-builtin-vsnprintf 
-fno-builtin-log  -fno-builtin-log2 -fno-builtin-malloc -fno-pie -O2 
-pipe -nostdinc -I../../../.. -I. -I../../../../arch -DDDB -DDIAGNOSTIC 
-DKTRACE -DACCOUNTING -DKMEMSTATS -DPTRACE -DPOOL_DEBUG -DCRYPTO 
-DSYSVMSG -DSYSVSEM -DSYSVSHM -DUVM_SWAP_ENCRYPT -DFFS -DFFS2 
-DFFS_SOFTUPDATES -DUFS_DIRHASH -DQUOTA -DEXT2FS -DMFS -DNFSCLIENT 
-DNFSSERVER -DCD9660 -DUDF -DMSDOSFS -DFIFO -DTMPFS -DFUSE 
-DSOCKET_SPLICE -DTCP_SACK -DTCP_ECN -DTCP_SIGNATURE -DINET6 -DIPSEC 
-DPPP_BSDCOMP -DPPP_DEFLATE -DPIPEX -DMROUTING -DMPLS -DBOOT_CONFIG 
-DSUN4US -DSUN4V -DPCIVERBOSE -DUSER_PCICONF -DAPERTURE -DUSBVERBOSE 
-DWSEMUL_SUN -DWSEMUL_NO_VT100 -DWSEMUL_DUMB -DWSDISPLAY_COMPAT_RAWKBD 
-DDEBUG -DONEWIREVERBOSE -DMAXUSERS=64 -D_KERNEL -MD -MP  -c 
../../../../arch/sparc64/dev/iommu.c

cc1: warnings being treated as errors
../../../../arch/sparc64/dev/iommu.c: In function 'iommu_strbuf_flush_done':
../../../../arch/sparc64/dev/iommu.c:569: warning: format '%lx' expects 
type 'long unsigned int', but argument 4 has type 'time_t'
../../../../arch/sparc64/dev/iommu.c:569: warning: format '%lx' expects 
type 'long unsigned int', but argument 6 has type 'time_t'

../../../../arch/sparc64/dev/iommu.c: In function 'iommu_dvmamap_load_raw':
../../../../arch/sparc64/dev/iommu.c:1020: warning: format '%ld' expects 
type 'long int', but argument 5 has type 'int'
../../../../arch/sparc64/dev/iommu.c:1020: warning: format '%lx' expects 
type 'long unsigned int', but argument 6 has type 'int'
../../../../arch/sparc64/dev/iommu.c:1020: warning: format '%ld' expects 
type 'long int', but argument 7 has type 'int'
../../../../arch/sparc64/dev/iommu.c: In function 
'iommu_dvmamap_validate_map':
../../../../arch/sparc64/dev/iommu.c:1347: warning: format '%llx' 
expects type 'long long unsigned int', but argument 2 has type 'bus_addr_t'
../../../../arch/sparc64/dev/iommu.c:1352: warning: format '%llx' 
expects type 'long long unsigned int', but argument 2 has type 'bus_size_t'
../../../../arch/sparc64/dev/iommu.c:1360: warning: format '%llx' 
expects type 'long long unsigned int', but argument 2 has type 'bus_addr_t'
../../../../arch/sparc64/dev/iommu.c:1360: warning: format '%llx' 
expects type 'long long unsigned int', but argument 3 has type 'bus_size_t'
../../../../arch/sparc64/dev/iommu.c:1371: warning: format '%llx' 
expects type 'long long unsigned int', but argument 3 has type 'bus_addr_t'
../../../../arch/sparc64/dev/iommu.c:1371: warning: format '%llx' 
expects type 'long long unsigned int', but argument 4 has type 'bus_size_t'
../../../../arch/sparc64/dev/iommu.c:1371: warning: format '%llx' 
expects type 'long long unsigned int', but argument 5 has type 'bus_addr_t'
../../../../arch/sparc64/dev/iommu.c:1371: warning: format '%llx' 
expects type 'long long unsigned int', but argument 6 has type 'bus_size_t'
../../../../arch/sparc64/dev/iommu.c:1382: warning: format '%llx' 
expects type 'long long unsigned int', but argument 3 has type 'bus_addr_t'
../../../../arch/sparc64/dev/iommu.c:1382: warning: format '%llx' 
expects type 'long long unsigned int', but argument 4 has type 'bus_size_t'
../../../../arch/sparc64/dev/iommu.c:1382: warning: format '%llx' 
expects type 'long long unsigned int', but argument 5 has type 'bus_addr_t'
../../../../arch/sparc64/dev/iommu.c:1382: warning: format '%llx' 
expects type 'long long unsigned int', but argument 6 has type 'bus_size_t'
*** Error 1 in /usr/src/sys/arch/sparc64/compile/psycho (Makefile:837 
'iommu.o'


What's the best approach for dealing with these warnings, in order to
build a debug kernel?


thanks

Fred



Re: Daily digest, Issue 3641 (37 messages)

2015-11-24 Thread Adam Van Ymeren
On Tue, Nov 24, 2015 at 1:42 PM, Alan Corey  wrote:
> re: bootable cylinder limit?
>
> All manner of things seem to have broken when I went from a 500 gig
> drive to 1 TB, or maybe it's because I added Linux.  For years I've
> been using the method that used to be in the OpenBSD FAQ of using dd
> to write out the first sector of the partition you want to boot to a
> file, copying that into the Windows partition, then setting it up in
> Windows boot.ini.  It worked this time for a week or so, and only
> Linux broke, OpenBSD and Windows still work.
>
> I used lilo because it was willing to install into the Linux
> partition, not the MBR.  That might be possible with grub, I'm now
> reading http://www.gnu.org/software/grub/manual/grub.html.  Seems like
> I might need to chain load grub from the Windows bootloader.  I wanted
> each OS self-contained so as a last resort if I flagged that partition
> bootable the OS installed there would boot, or I could link a copied
> bootsector from boot.ini.
>
> I've used lilo (and loadlin) before, not grub.  Grub seemingly won't
> boot Windows, it has to be the other way around. I did get lilo up by

GRUB should be able to boot windows.  I've had grub installed to the
MBR and used the chainloader command to load the windows bootloader.

> putting the Debian install CD back in and it seems limited to LBA32,
> not LBA48 as dmesg shows my drive using.  Yes, the problem with LBA,
> not CHS, is that you need really big (unsigned) integers.
>
> I hate it when you want to return to a simpler way of life and find it
> doesn't work anymore.  I have a bootable floppy image from Windows 95
> so I just tried to set that up as the bootable part of a CD (worked
> before) so I could run Norton Utilities to look at the MBR.  Comes up
> not finding command.com.  Same thing happens with a Dell Diagnostics
> CD I made in 2008.  All this fancy crap...
>
> --
> Credit is the root of all evil.  - AB1JX



Re: MacbookPro 11,1

2015-11-24 Thread Bryan Vyhmeister
On Tue, Nov 24, 2015 at 05:17:56PM -0500, Bryan C. Everly wrote:
> The rsu driver I'm using as an external USB network adapter appears to be a
> bit flaky on this hardware (dropping packets and connections entirely
> sometimes) so that's been a barrier as well necessitating multiple retries
> of pkg_add.

I have had excellent success with urtwn(4). I have an Edimax EW-7811Un
and also now a TP-Link TL-WN725N v2 that work great. I believe jcs@ uses
a urtwn(4) as well. As a bonus, the urtwn(4) devices I have are pretty
compact sticking out of the USB port.

> The HiDPI support in Gnome 3.18 worked flawlessly and everything looks
> "normal".

That's good to hear. I'm using spectrwm on my machine. I haven't tried
GNOME yet on either of these MacBook Airs. It sounds like acceleration
is working well for you in X or GNOME would not run well at all.

> tldr; looks pretty promising - thanks to everyone who put in the massive
> hard work to get us to this point!

Likewise! Thanks to everyone for all the hard work!

Bryan



Re: vmm uvm_fault in vmware player/workstation when Intel VT/AMD-v not enabled

2015-11-24 Thread Mike Larkin
On Tue, Nov 24, 2015 at 11:02:30PM +0100, Erwin van Maanen wrote:
> Hello Misc, 
> 
> I was playing around with the new vmm in the bsd snapshot of Nov 23 under 
> VMWare Workstation. 
> And when enabling it, i forget to enabled "Virtualize Intel VT-x/EPT or 
> AMD-V/RVI" option in VMWare workstation an i get an uvm_fault: 
> 
> uvm_fault(0xff007f549f00, 0x60, 0, 1) -> e
> kernel: page fault trap, code=0
> Stopped at   vmmioctl+0x18:  movl   0x60(%rcx),%r8d
> ddb{3}>
> 
> After enabling "Virtualize Intel VT-x/EPT or AMD-V/RVI" all works fine afaik.
> It would be nice to get a little error saying, Intel VT/AMD-V not available 
> or something like that instead of the above.
> 
> Erwin

Known issue. I'll be fixing this shortly.

-ml

> 
> -- dmesg --
> OpenBSD 5.8-current (GENERIC.MP) #1652: Mon Nov 23 11:46:59 MST 2015
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 2130640896 (2031MB)
> avail mem = 2061979648 (1966MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xe0010 (556 entries)
> bios0: vendor Phoenix Technologies LTD version "6.00" date 05/20/2014
> bios0: VMware, Inc. VMware Virtual Platform
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S1 S4 S5
> acpi0: tables DSDT FACP BOOT APIC MCFG SRAT HPET WAET
> acpi0: wakeup devices PCI0(S3) USB_(S1) P2P0(S3) S1F0(S3) S2F0(S3) S3F0(S3) 
> S4F0(S3) S5F0(S3) S6F0(S3) S7F0(S3) S8F0(S3) S9F0(S3) S10F(S3) S11F(S3) 
> S12F(S3) S13F(S3) [...]
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Core(TM) i5-4670K CPU @ 3.40GHz, 3391.99 MHz
> cpu0: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
> cpu0: 256KB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> cpu0: apic clock running at 65MHz
> cpu1 at mainbus0: apid 1 (application processor)
> cpu1: Intel(R) Core(TM) i5-4670K CPU @ 3.40GHz, 3391.55 MHz
> cpu1: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
> cpu1: 256KB 64b/line 8-way L2 cache
> cpu1: smt 0, core 1, package 0
> cpu2 at mainbus0: apid 2 (application processor)
> cpu2: Intel(R) Core(TM) i5-4670K CPU @ 3.40GHz, 3391.50 MHz
> cpu2: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
> cpu2: 256KB 64b/line 8-way L2 cache
> cpu2: smt 0, core 2, package 0
> cpu3 at mainbus0: apid 3 (application processor)
> cpu3: Intel(R) Core(TM) i5-4670K CPU @ 3.40GHz, 3391.45 MHz
> cpu3: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
> cpu3: 256KB 64b/line 8-way L2 cache
> cpu3: smt 0, core 3, package 0
> ioapic0 at mainbus0: apid 4 pa 0xfec0, version 11, 24 pins
> acpimcfg0 at acpi0 addr 0xf000, bus 0-127
> acpihpet0 at acpi0: 14318179 Hz
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpicpu0 at acpi0: C1(@1 halt!)
> acpicpu1 at acpi0: C1(@1 halt!)
> acpicpu2 at acpi0: C1(@1 halt!)
> acpicpu3 at acpi0: C1(@1 halt!)
> acpibat0 at acpi0: BAT1 not present
> acpibat1 at acpi0: BAT2 not present
> acpiac0 at acpi0: AC unit online
> acpibtn0 at acpi0: SLPB
> acpibtn1 at acpi0: LID_
> pvbus0 at mainbus0: VMware
> vmt0 at pvbus0
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x01
> ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x01
> pci1 at ppb0 bus 1
> pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x08
> pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 
> configured to compatibility, channel 1 configured to compatibility
> wd0 at pciide0 channel 0 drive 0: 
> wd0: 64-sector PIO, LBA, 12288MB, 25165824 sectors
> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
> atapiscsi0 at pciide0 channel 1 drive 0
> scsibus1 at atapiscsi0: 2 targets
> cd0 at scsibus1 targ 0 lun 0:  ATAPI 
> 5/cdrom removable
> cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
> piixpm0 at pci0 dev 7 function 3 "Intel 82371AB Po

Re: MacbookPro 11,1

2015-11-24 Thread Bryan C. Everly
So I got a usable Gnome3 desktop on this machine!

Trying to install gnome was a bit of a pain due to a library version
mismatch with the snapshot I grabbed.  However, after building
/usr/ports/devel/harfbuzz and /usr/ports/graphics/exiv2 from source
(amazing how fast that build went on this hardware), I managed to get
everything installed.

The rsu driver I'm using as an external USB network adapter appears to be a
bit flaky on this hardware (dropping packets and connections entirely
sometimes) so that's been a barrier as well necessitating multiple retries
of pkg_add.

The HiDPI support in Gnome 3.18 worked flawlessly and everything looks
"normal".

The acid test for me will be to reformat the drive, get OSX installed again
and document each step along the way so I can be certain that I can
reproduce the end state.

tldr; looks pretty promising - thanks to everyone who put in the massive
hard work to get us to this point!



Thanks,
Bryan

On Mon, Nov 23, 2015 at 6:39 PM, Bryan Vyhmeister 
wrote:

> On Mon, Nov 23, 2015 at 06:28:04PM -0500, Bryan Everly wrote:
> > I only had to bless my thumb drive so the keyboard worked. Everything
> > else is native when booting from the hard drive afaik.
>
> Very good. I didn't think about "blessing" the thumb drive. Good idea.
>
> Bryan



vmm uvm_fault in vmware player/workstation when Intel VT/AMD-v not enabled

2015-11-24 Thread Erwin van Maanen
Hello Misc, 

I was playing around with the new vmm in the bsd snapshot of Nov 23 under 
VMWare Workstation. 
And when enabling it, i forget to enabled "Virtualize Intel VT-x/EPT or 
AMD-V/RVI" option in VMWare workstation an i get an uvm_fault: 

uvm_fault(0xff007f549f00, 0x60, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at   vmmioctl+0x18:  movl   0x60(%rcx),%r8d
ddb{3}>

After enabling "Virtualize Intel VT-x/EPT or AMD-V/RVI" all works fine afaik.
It would be nice to get a little error saying, Intel VT/AMD-V not available or 
something like that instead of the above.

Erwin

-- dmesg --
OpenBSD 5.8-current (GENERIC.MP) #1652: Mon Nov 23 11:46:59 MST 2015
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2130640896 (2031MB)
avail mem = 2061979648 (1966MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xe0010 (556 entries)
bios0: vendor Phoenix Technologies LTD version "6.00" date 05/20/2014
bios0: VMware, Inc. VMware Virtual Platform
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP BOOT APIC MCFG SRAT HPET WAET
acpi0: wakeup devices PCI0(S3) USB_(S1) P2P0(S3) S1F0(S3) S2F0(S3) S3F0(S3) 
S4F0(S3) S5F0(S3) S6F0(S3) S7F0(S3) S8F0(S3) S9F0(S3) S10F(S3) S11F(S3) 
S12F(S3) S13F(S3) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5-4670K CPU @ 3.40GHz, 3391.99 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 65MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM) i5-4670K CPU @ 3.40GHz, 3391.55 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 2 (application processor)
cpu2: Intel(R) Core(TM) i5-4670K CPU @ 3.40GHz, 3391.50 MHz
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Core(TM) i5-4670K CPU @ 3.40GHz, 3391.45 MHz
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 0, core 3, package 0
ioapic0 at mainbus0: apid 4 pa 0xfec0, version 11, 24 pins
acpimcfg0 at acpi0 addr 0xf000, bus 0-127
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C1(@1 halt!)
acpicpu1 at acpi0: C1(@1 halt!)
acpicpu2 at acpi0: C1(@1 halt!)
acpicpu3 at acpi0: C1(@1 halt!)
acpibat0 at acpi0: BAT1 not present
acpibat1 at acpi0: BAT2 not present
acpiac0 at acpi0: AC unit online
acpibtn0 at acpi0: SLPB
acpibtn1 at acpi0: LID_
pvbus0 at mainbus0: VMware
vmt0 at pvbus0
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x01
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x01
pci1 at ppb0 bus 1
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x08
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 64-sector PIO, LBA, 12288MB, 25165824 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0:  ATAPI 5/cdrom 
removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
piixpm0 at pci0 dev 7 function 3 "Intel 82371AB Power" rev 0x08: SMBus disabled
"VMware VMCI" rev 0x10 at pci0 dev 7 function 7 not configured
vga1 at pci0 dev 15 function 0 "VMware SVGA II" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
mpi0 at pci0 dev 16 function 0 "Symbios 

Re: pf change destination port for outgoing traffic

2015-11-24 Thread Lampshade
Has anything changed during these years?
I would like to do the same thing the author of the topic wanted.
I want it because I am playing with relayd, privoxy and pf.
I have done the chain Firefox -> relayd1 -> privoxy -> relayd2, but
relayd2 seems to try to establish a TLS connection to port 80 rather
than 443 after the line "forward with tls to destination",
if I am debugging the problem correctly.
This topic about the chain is connected with "Re: TLS intercepting proxy [MitM]".



Re: WLAN Card AP feature

2015-11-24 Thread Bryan Vyhmeister
On Tue, Nov 24, 2015 at 12:20:31PM -0700, bluesun08 wrote:
> In FreeBSD there is the command "ifconfig  list caps". This displays
> the adaptor's capabilities, including the operating modes supported.
> 
> 1) Is there a similar command in OpenBSD?

See "ifconfig  media" for some of that information.

> 2) Is there a WLAN-USB-Stick which can act as access point?

"apropos wireless" is your friend here. A quick perusal shows that
rum(4) and ural(4) are USB and provide Host AP modes. I have personally
used rum(4) as an access point briefly but wireless is limited to
802.11g for now in general and rum(4) and ural(4) are 802.11a/b/g and
802.11b/g respectively. Work is ongoing to add 802.11n support to
OpenBSD starting with iwm(4).

Bryan



WLAN Card AP feature

2015-11-24 Thread bluesun08
In FreeBSD there is the command "ifconfig  list caps". This displays
the adaptor's capabilities, including the operating modes supported.

1) Is there a similar command in OpenBSD?
2) Is there a WLAN-USB-Stick which can act as access point?

Regards

Alex



--
View this message in context: 
http://openbsd-archive.7691.n7.nabble.com/WLAN-Card-AP-feature-tp283685.html
Sent from the openbsd user - misc mailing list archive at Nabble.com.



Re: diff man page typo

2015-11-24 Thread Jason McIntyre
On Tue, Nov 24, 2015 at 09:47:20AM -0500, Donald Allen wrote:
> In the 'Output Style' section, the diff man page says
> 
> "XXdYYAt line XX delete the line.  The value YY tells to which
>   line the change would bring file1 in line with file1."
> 
> I think what is meant is
> 
> "XXdYYAt line XX delete the line.  The value YY tells to which
>   line the change would bring file1 in line with file2."
> 

fixed, thanks.
jmc



Re: Hitting the bootable cylinder limit?

2015-11-24 Thread Peter Kay
You are making life unnecessarily difficult for yourself, even apart from
running multi boot (mind, I have multi boot here on various legacy systems,
but not for anything serious).

Install Windows first, although I would note a 32GB boot partition is not
large enough to properly maintain any recent version without being careful.

From Windows, add a new, small partition of no more than a GB or so - this
will be your Linux root partition.

Then add two further partitions, encompassing the size of your OpenBSD
install. The first of the two partitions will be the size of your root
partition.

Beyond the OpenBSD partitions, add partition entries for Linux swap and any
other Linux or Windows partitions you need.

When in the OpenBSD installation program, note the positions of the
partitions to be dedicated to OpenBSD. Expand the sectors used by the
disklabel to contain both partitions. Ideally allocate the sectors used by
/ to the sectors used by the first partition dedicated to OpenBSD.

Don't write OpenBSD's boot code to the MBR. Use BCDEdit/EasyBCD in Windows
to add the OpenBSD partition.

Install Linux, again using Windows as partition manager. You could use
Lilo/Grub, but if Windows is installed I prefer to use it.

You can now safely update both OpenBSD and Linux, without worrying that the
boot files will move beyond the bootable limit.

As to how to know the limit - I use a different, very specific method : my
pentium 2 multiboot system is for retro gaming and uses DOS, OS/2, Linux
(mostly for Flashrom) and OpenBSD (just because, nethack etc.). OS/2 uses
its own boot manager partition when installed, its limits are based on the
BIOS. In the OS/2 installation program, use fdisk to add partitions and
note where it refuses to set a partition as 'installable'. The point where
a partition extended over a certain length stops being installable is your
BIOS limit. Partition based on that.

Any system with a limit is legacy at this point. My Core 2 systems are now
getting on somewhat, but they have no problem booting well beyond the 128GB
limit the earlier PCs and Powermacs have, and other BIOS limits before then.

On 23 November 2015 at 16:52, Alan Corey  wrote:

> It seems like there should be a better way to detect this other than
> trial and error.  I put a new 1 TB drive in my laptop (Seagate
> ST1000LM024) about a month ago.  Being aware there was such a limit I
> made small boot partitions at the beginning of the drive (I thought):
> 32 GB Windows, 64 GB OpenBSD, 32 GB Linux.  As predicted everything
> worked at first, then installing MeTV keys made my Linux unbootable
> with an error from Lilo about the key file being corrupt and I suspect
> it's related to this limit.  The original position of the file was
> probably OK, the new file got made in an unreachable position.
>
> So I've probably got some storage-only partitions that won't boot, but
> I want to avoid the same thing happening when I put a 1 TB drive
> (Seagate
> ST31000340AS) in my laptop machine (Dell Optiplex GX270) because I
> really would like Linux working somewhere since I want to play with
> Android stuff.  I need to be able to build kernels for my phones and
> use Android Studio.
>
> So on the laptop:
> Disk: wd0       geometry: 121601/255/63 [1953525168 Sectors]
> Offset: 0       Signature: 0xAA55
>             Starting         Ending         LBA Info:
>  #: id      C   H   S -      C   H   S [       start:        size ]
> -------------------------------------------------------------------------------
> *0: 0C      0   1   1 -   4079 254  63 [          63:    65545137 ] Win95 FAT32L
>  1: A6   4080   0   1 -  12365 254  63 [    65545200:   133114590 ] OpenBSD
>  2: 83  12366   0   1 -  16444 254  63 [   198659790:    65529135 ] Linux files*
>  3: 05  16445   0  62 - 121600 254  63 [   264188986:  1689331079 ] Extended DOS
> Offset: 264188986       Signature: 0xAA55
>             Starting         Ending         LBA Info:
>  #: id      C   H   S -      C   H   S [       start:        size ]
> -------------------------------------------------------------------------------
>  0: 0B  16445   1   1 -  20524 254  63 [   264188988:    65545137 ] Win95 FAT-32
>  1: 05  20525   0   1 -  24604 254  63 [   329734125:    65545200 ] Extended DOS
>  2: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
>  3: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
> Offset: 329734125       Signature: 0xAA55
>             Starting         Ending         LBA Info:
>  #: id      C   H   S -      C   H   S [       start:        size ]
> -------------------------------------------------------------------------------
>  0: 0B  20525   1   1 -  24604 254  63 [   329734188:    65545137 ] Win95 FAT-32
>  1: 05  24605   0   1 -  25114 254  63 [   395279325:     8193150 ] Extended DOS
>  2: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
>  3: 00      0   0   0 -      0   0   0 [

Re: NSD/Unbound clarifications

2015-11-24 Thread Christopher Sean Hilton
On Mon, Nov 23, 2015 at 12:24:53PM +0100, Alessandro Baggi wrote:
> Hi list,
> I've switched from Obsd 5.3 to Pfsense to try it. Now I want to come back to
> Obsd. I prefer it.
>

Great choice.

[snip]

> Now today I've nsd and unbound that I can use on my firewall.
> I don't need an authoritative server, and I should use unbound.
> nsd and unbound have similar syntax and, reading from the web, I can resolve
> dns with each of them.
>
> Now I'm confused...which to use? Correct me if I'm wrong:
>
> 1) I must use only nsd for an authoritative server (internet exposed) for my
> hypothetical zone (can I use it in my lan as a dns resolver?).
>
> 2) I can use only unbound for lan dns resolving/caching/validating with
> zones if an authoritative domain is not needed.
>
> 3) I can use nsd for an authoritative server (internet exposed) and for lan
> use unbound as recursive/cache dns with the authoritative server.
>
> 4) I can use unbound as an authoritative server and for recursing and other.
>
>
> 5) NSD is the best for authoritative and unbound for other things.

As others have said:

unbound is a recursive resolver that can forward dns queries
upstream. It can perform in a limited role as an authoritative server
using local-zone but the configuration there is cumbersome if you have
more than a handful of hosts.

nsd is an authoritative server that's flexible enough to easily
replace bind as your authoritative server if that's what you need.

You can combine the forwarding capabilities of unbound with the
authoritative capabilities of nsd to do everything that bind did. I'm
assuming the advantage of this setup is that the combination of
unbound and nsd has a smaller footprint or is more secure, or more than
likely not both. The configuration isn't that difficult but there are
some gotchas.

In my example I needed to be authoritative for a domain so I
configured nsd to serve the domain. The man pages for nsd explained
this well and it's quite simple. The trick is to have nsd serve the
domain on localhost only and not on port 53.

Then I configured unbound to be a recursive resolver that forwarded
requests for "example.com" to the local nsd. Here's the configuration
snippet. In my example the network is running at 192.168.10.0 so I
forwarded two zones:

##

server:
    ...

    ## This setting is critical. Without it unbound won't forward
    ## requests to nsd running on localhost.

    do-not-query-localhost: no

    ...

forward-zone:
    name: "example.com."
    forward-addr: 127.0.0.1@5300

forward-zone:
    name: "168.192.in-addr.arpa."
    forward-addr: 127.0.0.1@5300

## forward-zone:
##     name: "."   # use for ALL queries
##     forward-addr: 8.8.8.8
##     forward-addr: 8.8.4.4

##

If you can set up bind then you shouldn't have problems setting up and
testing nsd to serve forward and reverse for a domain. Configuring nsd
on an alternate port is pretty simple. The config snippet above
redirects unbound to the local nsd.

That probably answers more than you wanted. But I could see this
combination of nsd and unbound being popular among people looking for
a lighter weight alternative to bind.

--
Chris

  __o  "All I was trying to do was get home from work."
_`\<,_   -Rosa Parks
___(*)/_(*).___o..___..o...ooO..._
Christopher Sean Hilton[chris/at/vindaloo/dot/com]

[demime 1.01d removed an attachment of type application/pgp-signature]



Re: Daily digest, Issue 3641 (37 messages)

2015-11-24 Thread Alan Corey
re: bootable cylinder limit?

All manner of things seem to have broken when I went from a 500 gig
drive to 1 TB, or maybe it's because I added Linux.  For years I've
been using the method that used to be in the OpenBSD FAQ of using dd
to write out the first sector of the partition you want to boot to a
file, copying that into the Windows partition, then setting it up in
Windows boot.ini.  It worked this time for a week or so, and only
Linux broke, OpenBSD and Windows still work.

I used lilo because it was willing to install into the Linux
partition, not the MBR.  That might be possible with grub, I'm now
reading http://www.gnu.org/software/grub/manual/grub.html.  Seems like
I might need to chain load grub from the Windows bootloader.  I wanted
each OS self-contained so as a last resort if I flagged that partition
bootable the OS installed there would boot, or I could link a copied
bootsector from boot.ini.

I've used lilo (and loadlin) before, not grub.  Grub seemingly won't
boot Windows, it has to be the other way around. I did get lilo up by
putting the Debian install CD back in and it seems limited to LBA32,
not LBA48 as dmesg shows my drive using.  Yes, the problem with LBA,
not CHS, is that you need really big (unsigned) integers.

I hate it when you want to return to a simpler way of life and find it
doesn't work anymore.  I have a bootable floppy image from Windows 95
so I just tried to set that up as the bootable part of a CD (worked
before) so I could run Norton Utilities to look at the MBR.  Comes up
not finding command.com.  Same thing happens with a Dell Diagnostics
CD I made in 2008.  All this fancy crap...

--
Credit is the root of all evil.  - AB1JX



Re: Recognizing USB plug-ins

2015-11-24 Thread Mark Carroll
On 23 Nov 2015, Mihai Popescu wrote:

>> OpenBSD 5.8 (GENERIC.MP) #1236: Sun Aug 16 02:31:04 MDT 2015
>
> First suggestion is to try the latest snapshot - development is going
> on.

Unfortunately latest is a hard thing to come back from. I can try
current again though!

> For the ignorant one, you can always see the OpenBSD FAQ, it is an
> evolving part, too and it explains in details many common tasks in
> OpenBSD.
> http://www.openbsd.org/faq/index.html

Thanks! Yes, it's from this that I originally found out some of the
USB-related stuff, unfortunately nothing bearing on my actual question
here. Still, if it is indeed unexpected that a USB drive plugged in
after boot would not appear among devices listed by usbdevs, sysctl
hw.disknames, etc. then that is already useful information, thank you: I
had worried that I simply just didn't realize the OpenBSD way of doing
these things.

-- Mark



Re: opensmtpd

2015-11-24 Thread Krzysztof Strzeszewski
Yes,
I don't want auth for other mail servers, I want authorization only
for sending mail from my mail server.


On 24.11.2015 17:19, Jason Barbier wrote:
> read the man page a bit more carefully around how the auth keyword works.
> you probably don't want auth on that line.



Re: opensmtpd

2015-11-24 Thread Gianluca D.Muscelli
This is my config file…with Maildir /var/mail/ and DKIMproxy

$ cat /etc/mail/smtpd.conf
queue compression
queue encryption key xxx ->(your_key_numbers)

table aliases db:/etc/mail/aliases.db
table domains file:/etc/mail/domains
table users file:/etc/mail/users
table blacklist-recipients file:/etc/mail/blacklist-recipients

pki mail.gianlucamuscelli.it key "/etc/ssl/private/mail.example.it.key"
pki mail.gianlucamuscelli.it certificate "/etc/ssl/mail.example.it.crt"

max-message-size 50M

listen on egress pki mail.example.it tls-require hostname example.it
listen on egress pki mail.example.it smtps auth hostname example.it

accept from any \
recipient ! <blacklist-recipients> \
for domain <domains> \
virtual <users> \
deliver to maildir "/var/mail/%{user.username}/Inbox"
accept \
recipient ! <blacklist-recipients> \
for local alias <aliases> \
deliver to maildir "/var/mail/%{user.username}/Inbox"

listen on lo0 hostname example.it
listen on lo0 port 10028 tag DKIM hostname example.it

accept tagged DKIM \
for any \
relay \
hostname example.it
accept from local \
for any \
relay via smtp://127.0.0.1:10027


Gianluca D.Muscelli
i...@gianlucamuscelli.it

On 24 Nov 2015, at 17:13, Krzysztof Strzeszewski wrote:

> Hello,
>
> when I use in smtpd.conf:
> .
> ..
> ...
> listen on egress secure pki nroot.pl auth 
> ...
> ..
> .
>
> mail sent to me can't reach me:
>
> smtp-in: Failed command on session 14529d46237222d5: "MAIL
> FROM: SIZE=1599" =>530 5.5.1 Invalid command: Must issue
> an AUTH command first
>
>
> when I use in smtpd.conf
>
> .
> ..
> ...
> listen on egress secure pki nroot.pl
> ...
> ..
> .
>
>
> it's OK, mail from the world can reach me, but then the smtpd server is open
> for anyone to send mail.
> How to use auth for only sending mail from my client?
>
>
> Regards,
> Krzych
>
>
> my smtpd.conf:
>
#

> listen on lo0
>
> table aliases db:/etc/mail/aliases.db
> table secrets db:/etc/mail/secrets.db
> pki exaple.com certificate "/etc/ssl/mail.crt"
> pki exaple.com key "/etc/ssl/private/mail.key"
>
> listen on egress secure pki exaple.com auth 
> accept from any for domain "exaple.com" alias <aliases> deliver to maildir
>
> accept for local alias  userbase  deliver to maildir
> accept from local for any relay
> accept from any for any relay
>
#




Re: opensmtpd

2015-11-24 Thread Jason Barbier
read the man page a bit more carefully around how the auth keyword works.
you probably don't want auth on that line.

-- 
Jason Barbier | E: jab...@serversave.us
GPG Key-ID: B5F75B47(http://kusuriya.devio.us/pubkey.asc)

On Tue, Nov 24, 2015, at 08:13 AM, Krzysztof Strzeszewski wrote:
> Hello,
> 
> when I use in smtpd.conf:
> .
> ..
> ...
> listen on egress secure pki nroot.pl auth 
> ...
> ..
> .
> 
> mail sent to me can't reach me:
> 
> smtp-in: Failed command on session 14529d46237222d5: "MAIL
> FROM: SIZE=1599" =>530 5.5.1 Invalid command: Must issue
> an AUTH command first
> 
> 
> when I use in smtpd.conf
> 
> .
> ..
> ...
> listen on egress secure pki nroot.pl
> ...
> ..
> .
> 
> 
> it's OK, mail from the world can reach me, but then the smtpd server is open
> for anyone to send mail.
> How to use auth for only sending mail from my client?
> 
> 
> Regards,
> Krzych
> 
> 
> my smtpd.conf:
> #
> listen on lo0
> 
> table aliases db:/etc/mail/aliases.db
> table secrets db:/etc/mail/secrets.db
> pki exaple.com certificate "/etc/ssl/mail.crt"
> pki exaple.com key "/etc/ssl/private/mail.key"
> 
> listen on egress secure pki exaple.com auth 
> accept from any for domain "exaple.com" alias <aliases> deliver to
> maildir
> 
> accept for local alias  userbase  deliver to maildir
> accept from local for any relay
> accept from any for any relay
> #



opensmtpd

2015-11-24 Thread Krzysztof Strzeszewski
Hello,

when I use in smtpd.conf:
.
..
...
listen on egress secure pki nroot.pl auth 
...
..
.

mail sent to me can't reach me:

smtp-in: Failed command on session 14529d46237222d5: "MAIL
FROM: SIZE=1599" =>530 5.5.1 Invalid command: Must issue
an AUTH command first


when I use in smtpd.conf

.
..
...
listen on egress secure pki nroot.pl
...
..
.


it's OK, mail from the world can reach me, but then the smtpd server is open
for anyone to send mail.
How to use auth for only sending mail from my client?


Regards,
Krzych


my smtpd.conf:
#
listen on lo0

table aliases db:/etc/mail/aliases.db
table secrets db:/etc/mail/secrets.db
pki exaple.com certificate "/etc/ssl/mail.crt"
pki exaple.com key "/etc/ssl/private/mail.key"

listen on egress secure pki exaple.com auth 
accept from any for domain "exaple.com" alias <aliases> deliver to maildir

accept for local alias  userbase  deliver to maildir
accept from local for any relay
accept from any for any relay
#

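As an added example, not taken from any of the posts above or from OpenSMTPD, a small check over smtpd.conf statements in the pre-6.4 grammar used in this thread. It flags the two outcomes Krzysztof describes: an "auth" listener on port 25 (remote MTAs never send AUTH, hence the "530 5.5.1 Must issue an AUTH command first" rejection) and an "accept from any for any relay" rule reachable through a listener that does not require authentication (an open relay). The three configurations are constructed: one after Krzysztof's config, the same with "auth" dropped, and one using the listener split Gianluca's config shows, a plain TLS listener for inbound MX mail plus a separate submission listener with "auth <secrets>", with the relay rules kept as posted. The tokenizer is a hypothetical minimal one and ignores keywords it does not need.

```python
"""Spot two smtpd.conf mistakes from the thread (pre-6.4 grammar as posted):
'auth' on the port-25 listener that receives inbound MX mail, and an
'accept from any for any relay' rule reachable without authentication.
Added example; this is not OpenSMTPD's parser."""
import shlex

# Constructed after Krzysztof's posted configuration.
BAD_CONF = """
listen on lo0
table aliases db:/etc/mail/aliases.db
table secrets db:/etc/mail/secrets.db
pki exaple.com certificate "/etc/ssl/mail.crt"
pki exaple.com key "/etc/ssl/private/mail.key"
listen on egress secure pki exaple.com auth <secrets>
accept from any for domain "exaple.com" alias <aliases> deliver to maildir
accept for local alias <aliases> deliver to maildir
accept from local for any relay
accept from any for any relay
"""

# His second attempt: the same, with auth removed from the listener.
BAD_CONF_NOAUTH = BAD_CONF.replace(" auth <secrets>", "")

# Constructed: the listener split Gianluca's config uses (plain TLS for
# inbound MX traffic, a separate authenticated submission listener); the
# relay rule is kept as in the posted configs.
GOOD_CONF = """
listen on lo0
table aliases db:/etc/mail/aliases.db
table secrets db:/etc/mail/secrets.db
pki exaple.com certificate "/etc/ssl/mail.crt"
pki exaple.com key "/etc/ssl/private/mail.key"
listen on egress tls pki exaple.com
listen on egress port submission tls-require pki exaple.com auth <secrets>
accept from any for domain "exaple.com" alias <aliases> deliver to maildir
accept for local alias <aliases> deliver to maildir
accept from local for any relay
"""

PORT_NAMES = {"smtp": 25, "submission": 587, "smtps": 465}


def statements(text):
    """Join backslash continuations, drop comments, tokenise each statement."""
    out = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.append(shlex.split(line))
    return out


def listeners(stmts):
    """Yield (interface, port, requires_auth) for each 'listen on' statement."""
    for t in stmts:
        if len(t) < 3 or t[:2] != ["listen", "on"]:
            continue
        port = 465 if "smtps" in t else 25          # smtps implies 465
        if "port" in t:                              # explicit port wins
            p = t[t.index("port") + 1]
            port = PORT_NAMES.get(p) or int(p)
        yield t[2], port, "auth" in t


def is_local_iface(iface):
    return iface in ("lo0", "localhost") or iface.startswith("127.") or iface == "::1"


def check_smtpd(text):
    stmts = statements(text)
    findings = []
    unauth_public = False
    for iface, port, auth in listeners(stmts):
        if is_local_iface(iface):
            continue
        if auth and port == 25:
            findings.append(f"listen on {iface}: auth required on port 25, remote "
                            "MTAs never AUTH and will get 530 5.5.1")
        if not auth:
            unauth_public = True
    for t in stmts:
        if t[:5] == ["accept", "from", "any", "for", "any"] and "relay" in t and unauth_public:
            findings.append("accept from any for any relay: open relay, reachable "
                            "from an unauthenticated listener")
    return findings


if __name__ == "__main__":
    for label, conf in (("auth on MX", BAD_CONF), ("no auth", BAD_CONF_NOAUTH), ("split", GOOD_CONF)):
        print(label, check_smtpd(conf) or "ok")
```

The two findings are the two horns of the question: with auth on the only public listener inbound mail dies with 530, without it the "from any for any relay" rule is wide open; the split configuration raises neither.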


Re: TLS intercepting proxy [MitM]

2015-11-24 Thread Lampshade
Thanks Uwe Werler!

I have not yet established the chain described in the first message, but that is
due to lack of time; I haven't tried.
Firefox runs as firefox user. 
I have actually MitM on relayd *using divert* with this pf-magic:

cat /etc/pf_kop.conf

ext_if="bge0"
int_if="lo0"

set state-policy floating
pass out quick log on $ext_if inet proto tcp to any port 443 user firefox route-to lo0
pass in quick log on lo0 inet proto tcp to any port 443 divert-to 127.0.0.1 port 8443
pass in
pass out

Thanks for all, especially Uwe Werler!

I am going to try make chain described in first message in day or two.



diff man page typo

2015-11-24 Thread Donald Allen
In the 'Output Style' section, the diff man page says

"XXdYY
    At line XX delete the line.  The value YY tells to which
    line the change would bring file1 in line with file1."

I think what is meant is

"XXdYY
    At line XX delete the line.  The value YY tells to which
    line the change would bring file1 in line with file2."



Re: Logging removal of dependent packages - disregard please

2015-11-24 Thread lists
On Tue, 24 Nov 2015 01:01:59 +0200 Mihai Popescu 
wrote:

> Too bad, pkg_* suite is using perl, if i remember ...

Woenderful guest art awe ditto.  Mass the Reading compression now your
will.  Not heart that must bee.



relayd ssl interception and certificate subject

2015-11-24 Thread Uwe Werler
Hello,

I'm just testing ssl interception and noticed the following problem. Sometimes 
the Subject/Subject Alternative Name of the cert is altered with a different 
name than the one the original cert has:

The faked cert:

#

X.509 Certificate Information:
Version: 3
Serial Number (hex): 051f332aed0c96
Issuer: 
C=DE,ST=Saxony,L=Dresden,O=Retiolum,OU=WEB,CN=SUB_CA,EMAIL=uwe.wer...@retiolum.eu
Validity:
Not Before: Wed Jan 28 03:58:40 UTC 2015
Not After: Fri Jan 29 14:31:49 UTC 2016
Subject: C=DE,CN=blog.b1-systems.de,EMAIL=postmas...@b1-systems.de
Subject Public Key Algorithm: RSA
Algorithm Security Level: High (4096 bits)

...

Extensions:
Basic Constraints (not critical):
Certificate Authority (CA): FALSE
Key Usage (not critical):
Digital signature.
Key encipherment.
Key agreement.
Key Purpose (not critical):
TLS WWW Server.
Subject Key Identifier (not critical):
47c3adafb6c9b8d26507975d444b07c30a85f020
Authority Key Identifier (not critical):
eb4234d098b0ab9ff41b6b08f7cc642eef0e2c45
Subject Alternative Name (not critical):
--> DNSname: blog.b1-systems.de
--> DNSname: b1-systems.de
Certificate Policies (not critical):
2.23.140.1.2.1
1.3.6.1.4.1.23223.1.2.3
URI: http://www.startssl.com/policy.pdf
Note: This certificate was issued according to the Class 1 
Validation requirements of the StartCom CA policy, reliance only for the 
intended purpose in compliance of the relying party obligations.
CRL Distribution points (not critical):
URI: http://crl.startssl.com/crt1-crl.crl
Authority Information Access (not critical):
Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
Access Location URI: http://ocsp.startssl.com/sub/class1/server/ca
Access Method: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
Access Location URI: 
http://aia.startssl.com/certs/sub.class1.server.ca.crt
Issuer Alternative Name (not critical):
URI: http://www.startssl.com/
Signature Algorithm: RSA-SHA1
#

The original cert:

X.509 Certificate Information:
Version: 3
Serial Number (hex): 0813002129d4f6
Issuer: C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate 
Signing,CN=StartCom Class 2 Primary Intermediate Server CA
Validity:
Not Before: Thu Sep 24 15:20:33 UTC 2015
Not After: Sun Sep 24 23:00:39 UTC 2017
Subject: C=DE,ST=Bayern,L=Vohburg,O=B1 Systems 
GmbH,CN=www.b1-systems.de,EMAIL=postmas...@b1-systems.de
Subject Public Key Algorithm: RSA
Algorithm Security Level: High (4096 bits)
Modulus (bits 4096):

...

Extensions:
Basic Constraints (not critical):
Certificate Authority (CA): FALSE
Key Usage (not critical):
Digital signature.
Key encipherment.
Key agreement.
Key Purpose (not critical):
TLS WWW Client.
TLS WWW Server.
Subject Key Identifier (not critical):
2c6fafda29839f35c51c0ccde681e036168b10a9
Authority Key Identifier (not critical):
11db2345fd54cc6a716f848a03d7bef7012f2686
Subject Alternative Name (not critical):
--> DNSname: www.b1-systems.de
--> DNSname: b1-systems.de
Certificate Policies (not critical):
2.23.140.1.2.2
1.3.6.1.4.1.23223.1.2.3
URI: http://www.startssl.com/policy.pdf
Note: This certificate was issued according to the Class 2 
Validation requirements of the StartCom CA policy, reliance only for the 
intended purpose in compliance of the relying party obligations.
CRL Distribution points (not critical):
URI: http://crl.startssl.com/crt2-crl.crl
Authority Information Access (not critical):
Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
Access Location URI: http://ocsp.startssl.com/sub/class2/server/ca
Access Method: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
Access Location URI: 
http://aia.startssl.com/certs/sub.class2.server.ca.crt
Issuer Alternative Name (not critical):
URI: http://www.startssl.com/
Signature Algorithm: RSA-SHA256
#

In this case the DNS name www.b1-systems.de is removed from the cert, which leads
to an error message in the web browser.

apu01$ dig @8.8.8.8 +short www.b1-systems.de
b1-systems.de.
84.200.69.202
apu01$ dig @8.8.8.8 +short blog.b1-systems.de
spacelords.systems.b1-systems.de.
84.200.69.202
apu01$ dig @8.8.8.

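A worked illustration of what Uwe's two certificate dumps show, added here as an example and not part of the post or of relayd: the forged certificate carries blog.b1-systems.de and b1-systems.de as dNSNames, so a browser that asked for www.b1-systems.de finds no matching name and errors out. The dig output shows both hostnames resolving to 84.200.69.202; the code below models a forging proxy whose forged-certificate cache is keyed either by destination address alone or by address plus the name the client asked for (its SNI), and checks every presented certificate against the requested host with RFC 6125-style dNSName matching (case-insensitive, one wildcard allowed only as the whole leftmost label). Whether relayd keys its cache by address is not established on this page; the cache, the fetch stub and the name tables are constructed from the two dumps and the dig output only.

```python
"""Model a TLS-intercepting proxy's forged-certificate cache and show why a
cache keyed by destination IP hands www.b1-systems.de the certificate that
was forged for blog.b1-systems.de.  Added example; hypothetical proxy."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject_cn: str
    san_dns: tuple   # dNSName entries of the Subject Alternative Name


# Name fields only, taken from the two dumps in the post (constructed table).
UPSTREAM = {
    "blog.b1-systems.de": Cert("blog.b1-systems.de", ("blog.b1-systems.de", "b1-systems.de")),
    "www.b1-systems.de": Cert("www.b1-systems.de", ("www.b1-systems.de", "b1-systems.de")),
}
# From the dig output: both names share one address.
RESOLVES_TO = {"blog.b1-systems.de": "84.200.69.202", "www.b1-systems.de": "84.200.69.202"}


def dnsname_matches(pattern, host):
    """RFC 6125 style: case-insensitive; '*' only as the entire leftmost label,
    matching exactly one label, and never for a pattern with fewer than 3 labels."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert, host):
    """Browsers check the dNSName SANs; the CN is a fallback only when none exist."""
    names = cert.san_dns or (cert.subject_cn,)
    return any(dnsname_matches(n, host) for n in names)


def fetch_upstream(host):
    """Stand-in for connecting to the real server and reading its certificate."""
    return UPSTREAM[host]


def forge(upstream):
    """A MitM proxy copies subject and SAN names into a cert signed by its own CA."""
    return Cert(upstream.subject_cn, upstream.san_dns)


class ForgeCache:
    def __init__(self, key_on_sni):
        self.key_on_sni = key_on_sni
        self.cache = {}

    def cert_for(self, addr, sni):
        key = (addr, sni) if self.key_on_sni else addr
        if key not in self.cache:
            self.cache[key] = forge(fetch_upstream(sni))
        return self.cache[key]


def simulate(key_on_sni, visits):
    """Return [(requested host, CN of the cert presented, name matches?)]."""
    cache = ForgeCache(key_on_sni)
    out = []
    for host in visits:
        cert = cache.cert_for(RESOLVES_TO[host], host)
        out.append((host, cert.subject_cn, cert_matches_host(cert, host)))
    return out


if __name__ == "__main__":
    visits = ["blog.b1-systems.de", "www.b1-systems.de"]
    print("keyed by address:     ", simulate(False, visits))
    print("keyed by address+SNI: ", simulate(True, visits))
```

The address-keyed run reproduces the dumps: the second visit is handed the blog.b1-systems.de certificate, and the hostname check fails exactly as the browser's did.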
Re: TLS intercepting proxy [MitM]

2015-11-24 Thread Uwe Werler
On 24.11.2015 14:52:58, Jiri B wrote:
> > With a little bit pf-magic this works like this:
> > pass out log on $ext_if proto tcp to any port 443 route-to lo0
> > pass out log on $ext_if proto tcp to any port 443 user _relayd
> > pass in log on lo0 proto tcp to any port 443 divert-to 127.0.0.1 port 8443
>
> Have you actually tested this? The traffic source is the
> box itself, don't forget, thus not forwarding between two
> ifaces.
>

Yep. 'cause I tested relayd from within my box itself.



Re: TLS intercepting proxy [MitM]

2015-11-24 Thread Jiri B
> With a little bit pf-magic this works like this:
> pass out log on $ext_if proto tcp to any port 443 route-to lo0
> pass out log on $ext_if proto tcp to any port 443 user _relayd
> pass in log on lo0 proto tcp to any port 443 divert-to 127.0.0.1 port 8443

Have you actually tested this? The traffic source is the
box itself, don't forget, thus not forwarding between two
ifaces.

j.



Re: TLS intercepting proxy [MitM]

2015-11-24 Thread Giancarlo Razzolini
On 24-11-2015 11:17, Lampshade wrote:
> I know that relayd can decrypt traffic, then log, then encrypt.

You know that this ain't the only thing it can do, right?

>  The thing is that I want to
> send decrypted traffic to another process (privoxy), and then re-encrypt it.

Now this, I don't think is possible. At least not without hacking
privoxy itself. But hey, if you are gonna hack privoxy, why not hack it
to work with divert and do the mitm itself?

> I have also problem with  Reyk's config because I can not divert outgoing 
> traffic using pf.
> I have tried with rdr-to and nat-to, but it removes destination IP address in 
> packets.
> I want to intercept and alter traffic on the same box that I run Firefox.
> Is this possible using pf and relayd or I must use something else?

How are you writing the rules? I think it can be done using the self
keyword. You can also have success using the user directive.

Cheers,
Giancarlo Razzolini



Re: TLS intercepting proxy [MitM]

2015-11-24 Thread Uwe Werler
On 24.11.2015 14:17:41, Lampshade wrote:
> Ok, I know that relayd can decrypt traffic, then log, then encrypt. The thing is that I want to
> send decrypted traffic to another process (privoxy), and then re-encrypt it.
> I have also problem with Reyk's config because I can not divert outgoing
> traffic using pf.
> I have tried with rdr-to and nat-to, but it removes destination IP address in packets.
> I want to intercept and alter traffic on the same box that I run Firefox.
> Is this possible using pf and relayd or I must use something else?
>

With a little bit pf-magic this works like this:
pass out log on $ext_if proto tcp to any port 443 route-to lo0
pass out log on $ext_if proto tcp to any port 443 user _relayd
pass in log on lo0 proto tcp to any port 443 divert-to 127.0.0.1 port 8443



Re: TLS intercepting proxy [MitM]

2015-11-24 Thread Lampshade
Ok, I know that relayd can decrypt traffic, then log, then encrypt. The thing 
is that I want to
send decrypted traffic to another process (privoxy), and then re-encrypt it.
I have also problem with  Reyk's config because I can not divert outgoing 
traffic using pf.
I have tried with rdr-to and nat-to, but it removes destination IP address in 
packets.
I want to intercept and alter traffic on the same box that I run Firefox.
Is this possible using pf and relayd or I must use something else?



Re: TLS intercepting proxy [MitM]

2015-11-24 Thread Jiri B
On Tue, Nov 24, 2015 at 02:17:41PM +0100, Lampshade wrote:
> I want to intercept and alter traffic on the same box that I run Firefox.
> Is this possible using pf and relayd or I must use something else?

IIRC this is not possible.

j.



Re: list Hackfest 2015 videos in events.html

2015-11-24 Thread Theo Buehler
Committed, thanks!

On Tue, Nov 24, 2015 at 10:05:47AM +0100, Daniel Jakots wrote:
> Hi,
> 
> Hackfest videos of mlarkin@ and deraadt@ were published yesterday.
> 
> Cheers,
> Daniel
> 
> Index: events.html
> ===
> RCS file: /cvs/www/events.html,v
> retrieving revision 1.1014
> diff -u -p -r1.1014 events.html
> --- events.html   20 Nov 2015 09:32:13 -  1.1014
> +++ events.html   24 Nov 2015 09:01:31 -
> @@ -62,8 +62,10 @@ A https://ripe71.ripe.net/archi
>  
>  http://hackfest.ca";>Hackfest 2015,
>  Nov 6-7, 2015, Quebec City, Canada.
> -Mike Larkin presented  href="http://www.openbsd.org/papers/hackfest2015-w-xor-x.pdf";>Kernel W^X 
> Improvements In OpenBSD.
> +Mike Larkin presented  href="http://www.openbsd.org/papers/hackfest2015-w-xor-x.pdf";>Kernel W^X 
> Improvements In OpenBSD.
> +A https://www.youtube.com/watch?v=A7vtAAeW6zo";>video is 
> available.
>  Theo de Raadt presented pledge() - a 
> new mitigation mechanism.
> +A https://www.youtube.com/watch?v=F_7S1eqKsFk";>video is 
> available.
>  
>  
>  
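Review bot: the removed and re-added "Mike Larkin presented ... Kernel W^X Improvements In OpenBSD." lines are identical as shown here, so that pair looks like a whitespace-only change; if it is, drop it so the hunk adds only the two "A video is available." lines and the diff stays minimal. Nothing else to flag in the additions themselves.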



Re: NSD/Unbound clarifications

2015-11-24 Thread Craig Skinner
On 2015-11-23 Mon 12:24 PM |, Alessandro Baggi wrote:
> 
> In my last valid OBSD config, I used named for my lan (not exposed on
> internet) only for lan dns serving, not exposed, with recursion and
> forwarder.
> 

unbound can fill this role for you, Alessandro.

Search for 'local-zone' in unbound.conf(5).

You probably want the _static_ .

For recursion, you can choose to forward to your ISP's resolvers (could
fail on a roaming laptop), public resolvers, or the root servers.

See 'Forward Zone Options' in the man page.



Re: TLS intercepting proxy [MitM]

2015-11-24 Thread Reyk Floeter
On Tue, Nov 24, 2015 at 01:05:34AM +0100, Stefan Wollny wrote:
> On 11/23/15 at 23:41, Lampshade wrote:
> >Hello,
> >I would like to use privoxy to scrub/delete
> >some informations in application layer (HTTP) going out from my PC.
> >Problem is that a lot of connections are secured with TLS, so privoxy can 
> >not filter them.
> >Is there any way to do something like that:
> >Firefox -> decrypt [MitM] -> privoxy -> encrypt securely  -(NIC)-> Internet?
> >It is my PC, so I can install new certificate or something like that,
> >but neverthless I don't know how to achieve that result.
> >Is this possible using relayd?
> >Is it possible with other tool in ports or something that I can compile from 
> >source?
> >
> It is about 2 years old but should give you a starting point:
> http://www.reykfloeter.com/post/41814177050/relayd-ssl-interception
> 

"There are some known limitations:" ... I didn't know about vendors
and their own CAs with pre-installed private keys at this point.
This makes it usable for everyone!

When superfish was found, I published the following gist:

https://gist.github.com/reyk/4b42858d1eab3825f9bc

Something similar should work with #eDellRoot as well.

Reyk