Re: IPsec IKEv1 accepts non-matching phase 2 parameters
On 2015-12-31, Julian Hsiao wrote:
> Hi,
>
> I've set up two hosts to experiment with IPsec, obsd1 (192.168.0.1) and
> obsd2 (192.168.0.2).
>
> ipsec.conf on obsd1:
>
> ike passive esp transport \
> from 192.168.0.1 to any \
> main auth hmac-sha2-256 enc aes-128 group modp8192 \
> quick auth hmac-sha2-256 enc aes-128 group modp8192 \
> psk puffy
>
> ipsec.conf on obsd2:
>
> ike active esp transport \
> from 192.168.0.2 to 192.168.0.1 \
> main auth hmac-sha2-256 enc aes-128 group modp8192 \
> quick auth hmac-md5 enc blowfish group modp768 \
> psk puffy
>
> If the phase 1 parameters don't match, then negotiation fails, which is
> what I expect. However, isakmpd seems to accept the phase 2 parameters
> from the initiating end (obsd2) unconditionally. With the above
> config, ipsecctl -s sa prints:
>
> esp transport from 192.168.0.1 to 192.168.0.2 spi 0x32345f6f auth hmac-md5 enc blowfish
> esp transport from 192.168.0.2 to 192.168.0.1 spi 0x6cf20561 auth hmac-md5 enc blowfish
>
> How do I configure isakmpd such that phase 2 parameters must also match
> on both ends in order to establish security associations?

See isakmpd.policy(5). It's an utter pain but it's necessary in order
to secure things with isakmpd.

The other "fun" thing a client can do if it's not restricted by keynote
policy is to set "their" side of the tunnel to something which diverts
the wrong traffic - 0.0.0.0/0 is an obvious example but rather unsubtle.
Re: ddclient won't auto run on OpenBSD 5.8
On 2015-12-31, Jay Hart wrote:
> Recently updated a router from 5.2 to 5.8. I had a working ddclient
> process connected to and fully working with DynDNS. Trying to use same
> config, may have to tweak just a bit.
>
> My main issue right now is trying to get the ddclient process to run
> upon booting. In 5.2, I had the following script in rc.local
>
> if [ -x /usr/local/sbin/ddclient ] ; then
>     echo -n ' ddclient'
>     /usr/local/sbin/ddclient -file /etc/ddclient/ddclient.conf
> fi
>
> This ran ddclient upon startup.
>
> I've tried the same thing in rc.conf.local with no joy, it won't start.
> I also commented that out and tried
>
> ddclient = ""
>
> and also
>
> ddclient = "-file /etc/ddclient/ddclient.conf"
>
> Upon every reboot ddclient is not running per a 'ps aux |grep dd'
> command. Nor is there a pid file in /var/run
>
> ddclient will start manually.
>
> Looking for some guidance on getting this running please.

Either keep the old rc.local fragment or use the new rc.d(8) method
by adding this to rc.conf.local:

pkg_scripts=ddclient

To set flags you can do:

ddclient_flags=-file /etc/ddclient/ddclient.conf
Re: bandwidth usage limits with pf, etc.
On 2015-12-31, Mark Carroll wrote:
> I was wondering recently what the biggest bandwidth hogs were on my home
> network at a certain moment. On Linux I use iftop on the router for
> this, but I wonder in OpenBSD if, rather than install the iftop package,
> there's something different -- more OpenBSD-ish -- I should be doing
> with clients to pflow or whatever to achieve this same near-instantaneous
> view of machines' Internet usage across the router (which NATs them from
> their LAN).

Others have mentioned systat for an instantaneous view. Or there are
things like darkstat in ports. pflow (in combination with a netflow
receiver program) is one way to get historical stats of traffic flows.

> Lately I've been reading about CARP and discovering that the packet
> filter code has all kinds of cool stuff built in for transparent
> load-balancing and failover. And, I like the keep-state stuff that lets
> me do things like rate-limit ssh connections. So, I'm thinking that PF
> may offer me all manner of wonders. So, I got to thinking today:
>
> I wondered about my kids' use of YouTube and suchlike, and I wondered if
> there's a good way of using PF on the router to give them a weekly
> download limit, perhaps cumulative over their devices, after which it
> gets limited to a slow crawl or even cut off. Is this (or some variant
> thereof) something that PF makes easy (any pointers?), or is tricky but
> clearly described in the latest Book of PF, or just not worth the effort
> of attempting -- any thoughts? I may have just picked the wrong web
> search terms, or maybe this just isn't yet at all easy.

The 'counters' flag for PF tables is probably the simplest way to get
the data. You may want to cope with it being reset if rules are reloaded
or the machine is restarted. You could throttle/block by adding the
relevant addresses to a table which is referenced in a suitable rule.
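Added example, not part of the message above: one way to keep a running per-address byte total from a table declared with the 'counters' flag, including the reset case the reply warns about. The table names kids and throttled, the state-file layout and the sample listings are assumptions constructed for this sketch.

```shell
#!/bin/sh
# Accumulate per-address usage from `pfctl -t kids -vT show` output and
# list addresses over a quota. <kids> is assumed to be declared in pf.conf
# as: table <kids> counters { 192.168.1.10, 192.168.1.11 }

# entry ADDR IN_PASS_BYTES OUT_PASS_BYTES
# Emits one constructed table entry in the verbose listing layout.
entry() {
    printf '   %s\n\tCleared:     Sat Jan  2 10:00:00 2016\n' "$1"
    printf '\tIn/Block:    [ Packets: 3   Bytes: 180  ]\n'
    printf '\tIn/Pass:     [ Packets: 12  Bytes: %s  ]\n' "$2"
    printf '\tOut/Block:   [ Packets: 0   Bytes: 0    ]\n'
    printf '\tOut/Pass:    [ Packets: 9   Bytes: %s  ]\n' "$3"
}
# Two constructed polls; 192.168.1.10 had its counters reset in between.
sample_first_poll()  { entry 192.168.1.10 1000 500; entry 192.168.1.11 4000 1000; }
sample_second_poll() { entry 192.168.1.10 200 100;  entry 192.168.1.11 6000 2000; }

# account_usage STATEFILE   (verbose table listing on stdin)
# State file lines: ADDR LAST_COUNTER RUNNING_TOTAL
account_usage() {
    awk -v statefile="$1" '
    BEGIN {
        while ((getline line < statefile) > 0) {
            split(line, f, " ")
            last[f[1]] = f[2] + 0; total[f[1]] = f[3] + 0
        }
        close(statefile)
    }
    NF == 1 { addr = $1; cur[addr] = 0; next }      # address line
    /(In|Out)\/Pass:/ {                             # passed traffic only
        for (i = 1; i < NF; i++) if ($i == "Bytes:") cur[addr] += $(i + 1)
    }
    END {
        for (a in cur) {
            # A counter lower than last time was reset: count it whole.
            if ((a in last) && cur[a] >= last[a]) delta = cur[a] - last[a]
            else delta = cur[a]
            total[a] += delta; last[a] = cur[a]
        }
        for (a in total) printf "%s %.0f %.0f\n", a, last[a], total[a]
    }
    ' > "$1.new" && mv "$1.new" "$1"
}

# over_quota STATEFILE LIMIT_BYTES: addresses whose running total exceeds it
over_quota() {
    awk -v limit="$2" '$3 + 0 > limit + 0 { print $1 }' "$1" | sort
}

# Demo on the constructed polls.
state=$(mktemp)
sample_first_poll  | account_usage "$state"
sample_second_poll | account_usage "$state"
over_quota "$state" 2000
# On a live router each address printed would go to: pfctl -t throttled -T add ADDR
rm -f "$state"
```

Run from cron against the real listing, the state file keeps the total across rule reloads and reboots; clearing it starts a new accounting period.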
Error loading pf rules: Device busy
Hi all,

I have a strange problem. Every time that I try to reload my pf rules I
see the following error message: pfctl: DIOCADDRULE: Device busy.

I am using OpenBSD 5.8 amd64 fully patched.

Any idea??
Re: Connect to OpenVPN from OpenBSD
On Sat, Jan 02, 2016 at 08:55:35PM +0500, ? ??? wrote:
> Is it possible to connect to OpenVPN (riseup.net) from OpenBSD without
> installing openvpn client to OpenBSD?

No, you need OpenVPN package as it uses its own homemade SSL-VPN protocol.

> I don't understand all these vpn-technologies very well, but know that
> OpenBSD has built-in vpn-services/clients, so I don't want to install
> openvpn-client if it is possible to use software distributed/developed
> with/by OpenBSD.

OpenBSD supports IPSec etc...

j.
Connect to OpenVPN from OpenBSD
Is it possible to connect to OpenVPN (riseup.net) from OpenBSD without
installing openvpn client to OpenBSD?

I don't understand all these vpn-technologies very well, but know that
OpenBSD has built-in vpn-services/clients, so I don't want to install
openvpn-client if it is possible to use software distributed/developed
with/by OpenBSD.

I've tried googling but all results are OpenVPN-client to OpenVPN-server.

Thanks.
Re: Connect to OpenVPN from OpenBSD
On Sat, Jan 02, 2016 at 08:55:35PM +0500, art.istom wrote:
> Is it possible to connect to OpenVPN (riseup.net) from OpenBSD without
> installing openvpn client to OpenBSD?

No. OpenVPN servers require OpenVPN clients.

> I don't understand all these vpn-technologies very well, but know that
> OpenBSD has built-in vpn-services/clients, so I don't want to install
> openvpn-client if it is possible to use software distributed/developed
> with/by OpenBSD.

The "built-in" VPN technology is IPSec, which is not used by OpenVPN.

> I've tried googling but all results are OpenVPN-client to OpenVPN-server.
>
> Thanks.
Re: Error loading pf rules: Device busy
On 01/02/2016 08:33 AM, C. L. Martinez wrote:
> Hi all,
>
> I have a strange problem. Every time that I try to reload my pf rules I
> see the following error message: pfctl: DIOCADDRULE: Device busy.
>
> I am using OpenBSD 5.8 amd64 fully patched.
>
> Any idea??

Sorry for the noise. There was an error in a customized anchor's rules.

Thanks.
Re: Add Bay Trail EHCI controller to pcidevs
> acpi0 at bios2: rev 2, ACPI control unavailable The diff below should fix that issue and get rid of the can't map interrupt issues. Index: acpi.c === RCS file: /cvs/src/sys/dev/acpi/acpi.c,v retrieving revision 1.297 diff -u -p -r1.297 acpi.c --- acpi.c 23 Nov 2015 00:10:53 - 1.297 +++ acpi.c 2 Jan 2016 17:53:09 - @@ -852,6 +852,7 @@ acpi_attach(struct device *parent, struc struct device *dev; #endif /* SMALL_KERNEL */ paddr_t facspa; + uint16_t pm1; int s; sc->sc_iot = ba->ba_iot; @@ -912,8 +913,9 @@ acpi_attach(struct device *parent, struc /* * Check if we are able to enable ACPI control */ - if (sc->sc_fadt->smi_cmd && - (!sc->sc_fadt->acpi_enable && !sc->sc_fadt->acpi_disable)) { + pm1 = acpi_read_pmreg(sc, ACPIREG_PM1_CNT, 0); + if ((pm1 & ACPI_PM1_SCI_EN) == 0 && + (sc->sc_fadt->smi_cmd == 0 || sc->sc_fadt->acpi_enable == 0)) { printf(", ACPI control unavailable\n"); return; } @@ -997,7 +999,7 @@ acpi_attach(struct device *parent, struc * This may prevent thermal control on some systems where * that actually does work */ - if (sc->sc_fadt->smi_cmd) { + if ((pm1 & ACPI_PM1_SCI_EN) == 0) { if (acpi_enable(sc)) { printf(", can't enable ACPI\n"); return;
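Review bot: In the second hunk (@@ -912,8 +913,9 @@), the comment "Check if we are able to enable ACPI control" no longer describes the test. The new condition only gives up when SCI_EN is clear in PM1_CNT and either smi_cmd or acpi_enable is zero, so a machine whose firmware has already set SCI_EN now attaches even without an SMI command port. Please extend the comment to say so, and note in the commit message that acpi_disable is no longer consulted: the old test checked it and the new one drops it without explanation.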
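Review bot: In the third hunk (@@ -997,7 +999,7 @@), the test "(pm1 & ACPI_PM1_SCI_EN) == 0" reuses the value read in the second hunk, roughly 85 lines earlier in acpi_attach(). If anything between the two points can write PM1_CNT, the decision to call acpi_enable() is made on stale state; either re-read the register here or add a one-line comment stating that nothing in between touches it. The existing comment just above ("This may prevent thermal control on some systems where that actually does work") was written for the old smi_cmd condition and should be re-checked against the new one.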
Question about urndis_decap invalid buffer len 1 < minimum header 44
Hello !

Could someone tell me please, where I could find more informations
about the following message in /var/log/messages ?

Jan 3 00:48:38 thinkpad-w541 /bsd: urndis0: urndis_decap invalid buffer len 1 < minimum header 44
Jan 3 00:49:13 thinkpad-w541 last message repeated 8 times

The ThinkPad is connected over USB with a TP-Link M7350 LTE modem.
Internet is configured using /etc/hostname.urndis0 which contains only
the line dhcp. /etc/pf.conf is unmodified and, kept as after installing
5.8 -release.

Thanks for answers.
Re: wle200nx WiFi card on apu2b4 - athn0: Device timeout
Hello,

first of all I want to wish everyone on the list a happy new year and
best wishes.

I have now checked hardware: card has contact and ground, removed sma
cabling, checked for defective contacts on sma and antennas.
Everything seems ok.

Installed fresh 5.9-current (2015-12-28)
Installed cat6 network cable from homerouter to APU2 at em0
Left network config off

10.3.12.45 homerouter as default gw and nameserver
10.3.12.70 APU2 em0 fixed IP
10.10.10.1 APU2 athn0 wifi hostap IP

Did

echo "pf=\"NO\"" > /etc/rc.conf.local
pfctl -d
ifconfig em0 inet 10.3.12.70 netmask 255.255.255.0 up
route add default 10.3.12.45
echo nameserver 10.3.12.45 > /etc/resolv.conf

ping 10.3.12.45 works
traceroute google.de works

Did

ifconfig athn0 inet 10.10.10.1 netmask 255.255.255.0 \
    media autoselect mediaopt hostap nwid APU2TestNet \
    wpakey my-Socks!are-GREY chan 1 up

Result:
athn0: Device timeout

ifconfig athn0 switches between chan 1 (status: active) and chan 36
(status: no network)

ifconfig athn0 debug shows

athn0: creating ibss
athn0: synchronized with 04:f0:21:14:ca:c0 ssid "APU2TestNet" channel 1 start 1Mb short preamble long slot time

Is the card, sma cabling or the antennas defective? Driver problem?
Anyone else with this problem?

Friendly regards,
Stefan

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Kapfhammer, Stefan
Sent: Wednesday, 30 December 2015 21:22
To: Mihai Popescu; misc@openbsd.org
Subject: Re: wle200nx WiFi card on apu2b4 - athn0: Device timeout

Hello Mihai,

I installed the current snapshot 2015-12-28 and the corresponding
athn-firmware for 5.9.

Here is the output from dmesg and the debug output from
'ifconfig athn0 debug'

'ifconfig athn0 scan' got result 'none' but I am connected with my
BlackBerry Classic and my notebook (Toshiba Portege Z930-12J).
The scan with my NB shows 7 active AP's.

I got the same error 'athn0: Device timeout' with -current.

Here are the outputs.
Friendly regards,
Stefan
Intel S5000PSL with recent OpenBSD
Hello,

I have 2 servers with an Intel S5000PSL motherboard and dual Intel Xeon
L5420 CPU. When I boot a "recent" OpenBSD (>4.4) it hangs on "wskbd0 at
pckbd0: console keyboard, using wsdisplay1". I tried to disable xhci and
acpi without luck. I have the latest BIOS.

Anything I could try ?

Thank you in advance,
Denis

dmesg from 4.4 :
Re: Question about urndis_decap invalid buffer len 1 < minimum header 44
On 01/02/16 18:03, Christoph R. Murauer wrote:
> Hello !
>
> Could someone tell me please, where I could find more informations
> about the following message in /var/log/messages ?
>
> Jan 3 00:48:38 thinkpad-w541 /bsd: urndis0: urndis_decap invalid buffer len 1 < minimum header 44

I think its due to an ethernet header not being of the correct size.

> Jan 3 00:49:13 thinkpad-w541 last message repeated 8 times
>
> The ThinkPad is connected over USB with a TP-Link M7350 LTE modem.
> Internet is configured using /etc/hostname.urndis0 which contains only
> the line dhcp. /etc/pf.conf is unmodified and, kept as after installing
> 5.8 -release.
>
> Thanks for answers.
filter-spamassassin
I finally got around to trying out filter-spamassassin. It appears to
work correctly. However, I was trying to change the default action from
accept to reject. I've tried everything I can think of but continue to
get syntax errors. I assumed something like this would work:

filter spam spamassassin -s reject
listen on egress filter spam

But it didn't. Any help is appreciated.

Edgar Pettijohn
Re: IPsec IKEv1 accepts non-matching phase 2 parameters
On 2016-01-02 13:18:15 +, Stuart Henderson said:

> See isakmpd.policy(5). It's an utter pain but it's necessary in order
> to secure things with isakmpd.

Right, I eventually figured that out by having isakmpd dump out the
isakmpd.conf(5) equivalent config. Turns out "ike passive [...]" is
transformed into "Passive-connections", and in isakmpd.conf(5):

    Passive-connections
        A list of IPsec "connection" names we recognize and accept
        initiations for. [...] Currently only the Local-ID and
        Remote-ID tags are looked at in those sections, as they are
        matched against the IDs given by the initiator.

Meaning that the Configuration parameter, which links to the remaining
phase 2 options, is totally ignored!

FWIW, I worked out that the following policy will (mostly) enforce the
phase 2 parameters I wanted:

Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
            esp_auth_alg == "hmac-sha2-256" &&
            esp_enc_alg == "aes" &&
            esp_group_desc == "18" &&
            pfs == "yes" -> "true";

This is a pretty serious gotcha with using ipsecctl(8) / ipsec.conf(5)
IMO, especially since the latter suggests you run isakmpd with -K
option.

> The other "fun" thing a client can do if it's not restricted by keynote
> policy is to set "their" side of the tunnel to something which diverts
> the wrong traffic - 0.0.0.0/0 is an obvious example but rather unsubtle.

I'm not sure I completely follow. Do you mean that the client has "from
any to $SERVER_IP" instead of "from $CLIENT_IP to $SERVER_IP", resulting
in the client routing all its traffic to the server?

Incidentally, do you know if iked(8) (IKEv2) suffers from similar
gotchas?

Thanks.

Julian Hsiao