L2TP/IPSec via npppd won't work with Android 6.0.1

2016-03-28 Thread Sly Midnight
Hello,

I don't mean to bring up an old thread, but I was wondering if anyone
else was experiencing issues with OpenBSD 5.8 and Android 6.0.1
(preferably the version on the Nexus line of devices) connecting to
ipsec/l2tp.

I had this working late last year some time and hadn't used it in a few
months.  When I went to use it again a few days ago it didn't work at
all.  After rebooting my phone and even trying it on my tablet that
coincidentally runs the exact same version of stock Android 6.0.1, it
too didn't work there.

I have confirmed some interesting behavior.

First if I tweak the ipsec.conf stanza to something like:

> ike passive esp transport \
> proto udp from X.X.X.X to any port 1701 \
> main auth "hmac-sha2-256" enc "aes-256" group "modp1024" \
> quick auth "hmac-sha2-256" enc "aes-256" group "modp1024" \
> psk "redacted"

It creates an IPSEC SA and flow as shown by ipsecctl -s all, but npppd
never sees a connection attempt and tcpdumping enc0 shows no traffic and
ultimately the connection fails.

If I modify it to hmac-md5, aes, modp2048 I can get my Chromebook with
latest updates to connect successfully.
If I modify it to hmac-sha2-256, aes-256, modp2048 I can get an iPhone
with iOS 9.3 to connect successfully.
If I modify it to hmac-sha, aes, modp2048 I can get a Windows 10 box to
connect successfully.

If I restore it to hmac-sha1, aes, modp1024 I can get an older Android
tablet (one of my kid's) to connect successfully.

What else can I do to troubleshoot this?  Because I signed up to a free
1 day trial of some Internet based VPN provider and successfully was
able to connect to their IPSEC/L2TP VPN using my Android phone so I know
it works.  It must just be a recent change in Android (or during the
OpenBSD 5.7->5.8 update) that is causing this incompatibility that makes
it almost work.  Any help would be greatly appreciated.

Sly



Re: Supermicro X11SSL-F freezes probing USB 3

2016-03-28 Thread Paul B. Henson
On Mon, Mar 28, 2016 at 03:06:39PM -0400, Sonic wrote:

> If I wait long enough the install will finally finish booting but the
> keyboard (no ps2 ports) doesn't work.

Could I trouble you to be more specific as to the duration of "long
enough" :)? I think my patience ran out after about 15-20 minutes. So it
eventually boots without disabling xhci, but the USB doesn't work in the
end anyway? I'm installing via an IPMI virtual serial port so the lack
of keyboard isn't really an issue for me, I can live without USB but as
the box won't be going live for a few weeks I thought I'd see if any
devs wanted me to try anything on it before I just moved forward without
USB support. I've got -current set up and ready to patch and compile to
test stuff on it if I can. It would be nice to get it working for
situations like yours where it's needed.

I booted a FreeBSD 10.2 livecd on it, and that initialized the xhci
chipset fine and usb devices seem to work ok. I tried to compare the
drivers, they share a bit in common but they're also quite different and
it doesn't help that I'm not really a low level driver guy 8-/. I'm sure
the new Skylake stuff just needs some minor tweak to make it happy.

Thanks...



forwarding sound as well as video

2016-03-28 Thread Ed Ahlsen-Girard
I sometimes remote to my snapshot desktop from a Windows laptop and it
would be interesting if sound could come along (I use Putty).

Does anybody do this?

-- 

Edward Ahlsen-Girard
Ft Walton Beach, FL



Re: WAPBL?

2016-03-28 Thread Predrag Punosevac
Walter Neto wrote:

> 
> Hi,
> 
> I haven't been working on it for a while. Sadly I have no time, but I'm
> trying to escape to return. :(
> 

This is most regrettable. I was following your work on porting WAPBL and
the correspondence on tech@openbsd with great interest. Do you think
that a help from OpenBSD foundation could enable you to resume the work
on porting WAPBL? 


Predrag


> 2016-03-26 16:27 GMT-03:00 Martijn Rijkeboer :
> > Hi,
> >
> > Just out of curiosity, what has happened with WAPBL? There were some
> > patches floating around on tech@ in the last months of 2015, but then
> > it became quiet. I'm not complaining just curious.
> >
> > Kind regards,
> >
> >
> > Martijn Rijkeboer



Re: Ipsec from OpenBSD to StrongSwan/Linux

2016-03-28 Thread Predrag Punosevac
Adam Smith wrote:

>
>> I'm trying to set up a VPN connection between two machines, one running
>> StrongSwan on Linux, and the other OpenBSD 5.8. OpenBSD is set to start
>> the vpn connection.
>>
>> Am I doing something wrong? Or is there any thing I missed?
>> Any help would be really appreciated.
>
>For questions about OpenVPN setups, imho, the best place to ask for help
>is the openvpn-users' mailing list. Subscribe to it and you can ask your
>questions there. The main URL is:
>
>https://sourceforge.net/p/openvpn/mailman/
>
>Regards.
>
>Adam

English is not my native tongue so maybe I am missing something in your
message Adam, but the OP seems to be interested in an IPSec connection from an
OpenBSD box to the StrongSwan/Linux implementation of IPSec. Why are you
pointing him to the OpenVPN mailing list? OpenVPN is an unrelated VPN
technology based on OpenSSL.

Predrag



Re: Ipsec from OpenBSD to StrongSwan/Linux

2016-03-28 Thread Victor Medina
Hi Adam!

I'm using ipsec, not openvpn my friend.
On Mar 28, 2016 8:40 PM, "Adam Smith"  wrote:

> >--- victor.med...@cloudvoice.io wrote:
> >
> >From: Victor E Medina M 
> >To: misc@openbsd.org
> >Subject: Ipsec from OpenBSD to StrongSwan/Linux
> >Date: Mon, 28 Mar 2016 17:35:02 -0430
> >
> >
> >First of all thanks for such a nice OS!
> >It's my first post, I'm from Venezuela.
>
> Welcome to our mailing list.
>
> Yes, OpenBSD has been recommended by the EU as one of the FOSS to use.
>
> >I'm trying to set up a VPN connection between two machines, one running
> >StrongSwan on Linux, and the other OpenBSD 5.8. OpenBSD is set to start
> >the vpn connection.
> >
> >Am I doing something wrong? Or is there any thing I missed?
> >Any help would be really appreciated.
>
> For questions about OpenVPN setups, imho, the best place to ask for help
> is the openvpn-users' mailing list. Subscribe to it and you can ask your
> questions there. The main URL is:
>
> https://sourceforge.net/p/openvpn/mailman/
>
> Regards.
>
> Adam
> http://www.DCpages.com



Re: Octeon - Rhino Labs SDNA

2016-03-28 Thread Chris Cappuccio
Chris Jones [cjo...@autonomic.ca] wrote:
> Good evening,
> 
> Just wondering if any of the OpenBSD devs on the list could provide any
> feedback about these network appliances based on the Octeon III 7xxx
> processors. Are these devices something that may be supported with the
> current Octeon port?
> 
> http://www.rhinolabsinc.com/category/network-appliances/
> 

I don't think Octeon II systems are fully supported yet; ethernet isn't
finished yet. It's likely that Octeon III will have similar issues.



Re: OS is leaking DNS

2016-03-28 Thread Adam Smith
>--- chr...@openbsd.org wrote:
>
>From: Christopher Zimmermann 
>To: "Adam Smith" 
>Subject: Re: OS is leaking DNS
>Date: Mon, 28 Mar 2016 21:58:09 +0200
>
>Hi Adam,

Good day, Christoph

>I am Christopher from Tübingen, Germany.

Tübingen? Wow... it used to be the place where most avant-garde theologians of 
the (Christian) Bible hail from and whose views the Vatican and 
ultra-conservative Protestants have consistently labeled as heresies.

I wonder if the Tübingen of the 21st century still produces eminent theologians?

>What you need to fix the "DNS
>leakage" to your ISP is a line like this in dhclient.conf:
>
>supersede domain-name-servers 8.8.4.4, 85.214.20.141, 213.73.91.35;

Thank you very much for your help.

>But note that DNS traffic is usually not encrypted; so if you mistrust
>your ISP, you'll need a proxy. Since you list openvpn, you are probably
>using it to connect to a proxy?

I don't know the differences between a proxy and a VPN gateway/server. Some use 
the two terms interchangeably.

I bought a subscription from a commercial VPN vendor. A comparative chart of 
the various VPN vendors can be found at 
https://docs.google.com/spreadsheets/d/1FJTvWT5RHFSYuEoFVpAeQjuQPU4BVzbOigT0xebxTOw/htmlview?pref=2&pli=1&sle=true#gid=0

The contributor's username on Reddit is ThatOnePrivacyGuy

Regards,

Adam
http://www.DCpages.com



Re: Ipsec from OpenBSD to StrongSwan/Linux

2016-03-28 Thread Adam Smith
>--- victor.med...@cloudvoice.io wrote:
>
>From: Victor E Medina M 
>To: misc@openbsd.org
>Subject: Ipsec from OpenBSD to StrongSwan/Linux
>Date: Mon, 28 Mar 2016 17:35:02 -0430
>
>
>First of all thanks for such a nice OS!
>It's my first post, I'm from Venezuela.

Welcome to our mailing list.

Yes, OpenBSD has been recommended by the EU as one of the FOSS to use.

>I'm trying to set up a VPN connection between two machines, one running 
>StrongSwan on Linux, and the other OpenBSD 5.8. OpenBSD is set to start 
>the vpn connection.
>
>Am I doing something wrong? Or is there any thing I missed?
>Any help would be really appreciated.

For questions about OpenVPN setups, imho, the best place to ask for help is the 
openvpn-users' mailing list. Subscribe to it and you can ask your questions 
there. The main URL is:

https://sourceforge.net/p/openvpn/mailman/

Regards.

Adam
http://www.DCpages.com



ThinkPad X260 or other Skylake Laptop

2016-03-28 Thread Bryan Vyhmeister
I am considering purchasing a ThinkPad X260 for OpenBSD use. I am aware
that inteldrm(4) does not yet support Skylake chips (Broadwell support
is not perfect yet either). I presume wsfb(4) should work decently at
least but I am wondering if anyone currently has an X260 and is using it
for OpenBSD. Is there a way screen brightness can still be adjusted in
some form even with wsfb(4)? I know my X230 has hardware methods for
adjusting brightness but lots has changed with the X240, X250, and X260.
I am also aware that the Intel 8260 wireless chipset does not yet work
(perhaps support could be added to iwm(4) or maybe I can replace the
8260 with a 7260) but I am more concerned about the reports of problems
with xhci(4) with Skylake systems. Has anyone had any experience with a
Skylake laptop and OpenBSD? Thank you.

Bryan



Ipsec from OpenBSD to StrongSwan/Linux

2016-03-28 Thread Victor E Medina M

Hi guys!

First of all thanks for such a nice OS!
It's my first post, I'm from Venezuela.

I'm trying to set up a VPN connection between two machines, one running 
StrongSwan on Linux, and the other OpenBSD 5.8. OpenBSD is set to start 
the vpn connection.


This is the setup:


OpenBSD            |--->|  LINUX/StrongSwan 5
10.0.1.240         |    |  10.0.1.220   NET/INTER: 192.168.100.0/29

I'm seeing the connection established but I can't ping to a machine 
behind Linux network.


My ipsec.conf

ike esp from 10.0.1.240/32 to 192.168.100.0/29 peer 10.0.1.220 \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des group modp1024 \
psk "zRmzouKsYEBMYrKMX16bkwazXV21cV8zFIA6LHzt"

My pf.conf

set skip on lo

block return    # block stateless traffic
pass            # establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

pass on enc0


Output from "ipsecctl -s all"
FLOWS:
flow esp in from 192.168.100.0/29 to 10.0.1.240 peer 10.0.1.220 srcid 
10.0.1.240/32 dstid 10.0.1.220/32 type use
flow esp out from 10.0.1.240 to 192.168.100.0/29 peer 10.0.1.220 srcid 
10.0.1.240/32 dstid 10.0.1.220/32 type require


SAD:
esp tunnel from 10.0.1.220 to 10.0.1.240 spi 0x99442db4 auth hmac-sha1 
enc 3des-cbc
esp tunnel from 10.0.1.240 to 10.0.1.220 spi 0xc15117e3 auth hmac-sha1 
enc 3des-cbc


My ipsec.conf (linux side just in case)

conn openbsd-test
left=10.0.1.220
leftsubnet=192.168.100.0/29
leftid=10.0.1.220
leftfirewall=yes
right=10.0.1.240
rightid=10.0.1.240
ike=3des-sha-modp1024!
esp=3des-sha-modp1024!
auto=add


Am I doing something wrong? Or is there any thing I missed?
Any help would be really appreciated.

Victor Medina.



Re: Supermicro X11SSL-F freezes probing USB 3

2016-03-28 Thread Sonic
On Mon, Mar 28, 2016 at 2:36 PM, Sonic  wrote:
> Exact same problem here with a Dell PowerEdge R230 and snapshot
> downloaded today.

If I wait long enough the install will finally finish booting but the
keyboard (no ps2 ports) doesn't work.

Disabling xhci via UKC on boot also kills the keyboard.

Chris



Re: Supermicro X11SSL-F freezes probing USB 3

2016-03-28 Thread Sonic
On Mon, Mar 7, 2016 at 12:48 AM, Paul B. Henson  wrote:
> xhci probe won
> xhci0 at pci0 dev 20 function 0 "Intel 100 Series xHCI" rev 0x31: msi
> probing for usb*
> usb probe returned 1
> usb probe won
> usb0 at xhci0: USB revision 3.0
> probing for uhub*
> uhub probe returned 10
> uhub probe won
> uhub0 at usb0 "Intel xHCI root hub" rev 3.00/1.00 addr 1
> [system freezes here]

Exact same problem here with a Dell PowerEdge R230 and snapshot
downloaded today.

Chris



Re: OS is leaking DNS

2016-03-28 Thread Adam Smith
>From: Sebastien Marie
>To: Adam Smith
>Cc: misc@openbsd.org
>Subject: Re: OS is leaking DNS
>

Hi Sebastien,

>without seeing any configuration files it is a bit complex to be sure...

Did you mean the configuration file of *.ovpn? Well, the contents of my *.ovpn 
file are as follows:

start of config file--
remote 50.149.115.121 1194 tcp-client
client
tls-client
dev tun
auth-user-pass auth.txt
resolv-retry infinite
mute-replay-warnings
nobind
persist-key
persist-tun
ns-cert-type server
verb 1
remote-cert-tls server
setenv CLIENT_CERT 0

-BEGIN CERTIFICATE-
{{{suppressed on request by VPN vendor}}}
-END CERTIFICATE-


end of config file--

>with my magic hat, my interpretation is:
> - you don't configure specific options in dhclient.conf, so when your
>   ISP send to you the DNS list, dhclient(8) adds it to /etc/resolv.conf

Thanks for telling me that. I know it now.

> - you added your preferred public DNS servers in resolv.conf.tail, so
>   these addresses will be *at bottom*

I see

>  - your /etc/resolv.conf should look like:
>
>nameserver ISP-DNS-address
>nameserver preferred-public-DNS-address

According to your above example, my ISP will handle DNS resolutions and if it 
is unable to do it, then my preferred DNS resolvers will take over the job, is 
that correct?

>I think what you want is to override the DNS addresses provided by your
>ISP. It could be done using dhclient.conf, with the following line for
>example:
>
>  supersede domain-name-servers 8.8.8.8;

My question: if I override/supersede my ISP's DNS servers, how will I be able 
to surf or ping websites the very first time I try to connect to the internet? 
You know, as in, for example, like after booting up OpenBSD, I launch the Firefox 
browser and try to surf to www.unhcr.org

>Take a look at dhclient.conf(5) man page for more information.
>
> supersede option option-value;
>   Use option-value for the given option, regardless of the value
>   supplied by the server.

I did read that man page at least three times and am still clueless. I wish to 
let you know that I don't have formal training in IT and English is not my 
native language.

Regards.

Adam
http://www.DCpages.com



Re: OS is leaking DNS

2016-03-28 Thread Adam Smith
Thanks for your explanation, Michael.

Regards.

Adam

--- mm...@mykolab.com wrote:

From: Michael McConville 
To: Adam Smith 
Cc: misc@openbsd.org
Subject: Re: OS is leaking DNS
Date: Mon, 28 Mar 2016 03:02:12 -0400

Adam Smith wrote:
> Relevant info:
> 
> 1. OpenBSD-amd64 snapshot (install59.iso) with sha256sum of
>5e8020ce150e0fba17b1eef7acc8c27d10845288b9d8c82315bd6826dc94669d and
>dated March 27, 2016
>(installed OpenBSD as desktop OS)
> 2. openvpn-2.3.10
> 3. firefox
> 4. enabled DHCP during installation of OS
> 5. edit /etc/resolv.conf.tail to include my preferred public DNS servers
> 6. computer connects directly to cable modem supplied by ISP, meaning
>my machine receives dynamic IP addresses from my ISP
> 7. computer is standalone, not part of network
> 
> After my computer is connected to VPN tunnel, I start Firefox and surf
> to https://www.dns-oarc.net/oarc/services/dnsentropy where I click on
> the button that says "Test My DNS".
> 
> The IP address of my ISP appears in the results. It means that OpenBSD
> operating system leaks DNS.
> 
> How to fix the problem, please?

See resolv.conf.tail(5). Its contents are *appended* to
/etc/resolv.conf, so if your DHCP lease suggests a DNS server, your
system will try that one before those listed in /etc/resolv.conf.tail.
http://www.DCpages.com



Re: OS is leaking DNS

2016-03-28 Thread Adam Smith
>From: Adam Thompson
>To: ken...@dcemail.com
>Subject: Re: OS is leaking DNS
>
>dhclient(8) is writing the ISP-supplied nameservers into resolv.conf 
>*before* your local options in resolv.conf.tail.

Thanks for your explanation. I did consult the man page on dhclient.conf and 
owing to my lack of IT knowledge and English not being my native language, I 
have difficulty in understanding what it states.

>You can override this behaviour in dhclient.conf(5).  See the example in 
>the manpage for a way to prepend or override "domain-name-servers" 
>instead of using resolv.conf.tail.

I read the man page on dhclient.conf (URL: 
http://man.openbsd.org/OpenBSD-current/man5/dhclient.conf.5) and I am still 
clueless.

Based on the example given on that webpage, I adapted it into two samples which 
are the following:

Sample #1

backoff-cutoff 2;
initial-interval 1;
link-timeout 10;
reboot 0;
retry 10;
select-timeout 0;
timeout 30;

interface "em0"
 {
  prepend domain-name-servers 127.0.0.1;
  request subnet-mask,
  broadcast-address,
  routers,
  domain-name,
  domain-name-servers,
  host-name;
  require routers,
  subnet-mask,
  domain-name-servers;
 }


Sample #2

backoff-cutoff 2;
initial-interval 1;
link-timeout 10;
reboot 0;
retry 10;
select-timeout 0;
timeout 30;

interface "em0"
 {
  prepend domain-name-servers 50.116.40.226 107.170.95.180;
  request subnet-mask,
  broadcast-address,
  routers,
  domain-name,
  domain-name-servers,
  host-name;
  require routers,
  subnet-mask,
  domain-name-servers;
 }


My questions:

(A) Sample #1 is essentially the same as resolving DNS requests via DHCP, isn't 
it? For a standalone computer, 127.0.0.1 resolves via the DNS resolver of my 
ISP, yes?

(B) In Sample #2, how is my computer able to connect to 50.116.40.226 without 
first going through my ISP's DNS resolver? I am sorry if my question is 
somewhat noobish. I have very limited knowledge of networking and DNS 
resolution.

>I don't know what the OpenVPN client does to resolv.conf, but likely 
>something similar.

The source code for OpenVPN client (Community Edition) is available for 
inspection. The URL to download it is 
https://swupdate.openvpn.org/community/releases/openvpn-2.3.10.zip

>But I know its config files let you override DNS 
>server settings, too, because I've had to do so myself.

Please show me how you do it. Thanks in advance.

>Override instead of appending to get the 
>desired behaviour.  (Netflix, I assume?  )

Wrong assumption. From time to time my job requires me to work for a few weeks 
in an authoritarian regime where even a cursory visit to a website can get me 
in trouble with their laws, the penalty for which is jail time or deportation.

>Any two machines 
>connected to each other (e.g. your PC and your cable modem) constitute 
>"a network".

See what I mean? You yourself have shown that I am null where IT knowledge is 
concerned.

>Given the complexities you are causing yourself, I would suggest running 
>something like dnsmasq (in ports, IIRC) as your local recursing 
>nameserver, then having all three of the above components merely point 
>to 127.0.0.1.  Then configure dnsmasq correctly.  If you have dbus (also 
>in ports, *sigh*) installed and dnsmasq built with dbus control option, 
>you can dynamically change its behaviour on the fly (e.g. what upstream 
>nameserver to forward queries to). Or you could just restart it manually 
>each time.

Terms like "local recursing nameserver" are technical jargon to me. Even if I 
understood what it meant, I wouldn't know how to configure the three components 
to point to 127.0.0.1

By the way, which three components were you referring to? I saw only two: 
dhclient, nameservers

Would you be so kind as to show me how to do the stuff you described above, 
viz.:

- run dnsmasq as my local recursing nameserver
- three components point to 127.0.0.1
- configure dnsmasq correctly
- how to tell if my dnsmasq is built with dbus control option
- how to dynamically change its behaviour on the fly

Thanks in advance.

Adam
http://www.DCpages.com



Re: WAPBL?

2016-03-28 Thread Walter Neto
Hi,

I haven't been working on it for a while. Sadly I have no time, but I'm
trying to escape to return. :(

2016-03-26 16:27 GMT-03:00 Martijn Rijkeboer :
> Hi,
>
> Just out of curiosity, what has happened with WAPBL? There were some patches
> floating around on tech@ in the last months of 2015, but then it became
> quiet. I'm not complaining just curious.
>
> Kind regards,
>
>
> Martijn Rijkeboer



Re: patch: fix usage of mkstemp() in rdistd

2016-03-28 Thread Todd C. Miller
On Mon, 28 Mar 2016 10:19:12 +0200, Paul Kelly wrote:

> On 03/28/16 04:05, Todd C. Miller wrote:
>  > I think it's best to just check the parent directories first and
>  > then create the temp name.
>  >
>  >   - todd
> 
> This works for me and avoids my hacking around with new. I added a few 
> extra destination directories and it seems to hold up OK. Thanks!

Another option is to just open the file directly after creating the
intermediate directories.  This is effectively what used to happen
before mkstemp(3) was changed to return an error when no Xs are
found in the format.  That way you still save a stat call when the
directories already exist (the common case).

 - todd

Index: server.c
===
RCS file: /cvs/src/usr.bin/rdistd/server.c,v
retrieving revision 1.40
diff -u -p -u -r1.40 server.c
--- server.c22 Dec 2015 08:48:39 -  1.40
+++ server.c28 Mar 2016 12:35:53 -
@@ -752,7 +752,7 @@ recvfile(char *new, opt_t opts, int mode
 */
if ((f = mkstemp(new)) < 0) {
if (errno != ENOENT || chkparent(new, opts) < 0 ||
-   (f = mkstemp(new)) < 0) {
+   (f = open(new, O_CREAT|O_EXCL|O_RDWR, S_IRUSR|S_IWUSR)) < 
0) {
error("%s: create failed: %s", new, SYSERR);
return;
}
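Review bot: the open(2) on the `+` line creates whatever name the first, failed mkstemp(new) left in `new`; that works because mkstemp(3) substitutes the XXXXXX before it tries to open, but a one-line comment above the `if` saying the template has already been consumed would stop a later reader from putting a second mkstemp() back here. O_CREAT|O_EXCL with S_IRUSR|S_IWUSR gives the same 0600 file mkstemp() would have created, so the mode is consistent.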
@@ -1163,7 +1163,7 @@ recvlink(char *new, opt_t opts, int mode
 */
if (mktemp(new) == NULL || symlink(dbuf, new) < 0) {
if (errno != ENOENT || chkparent(new, opts) < 0 ||
-   mktemp(new) == NULL || symlink(dbuf, new) < 0) {
+   symlink(dbuf, new) < 0) {
error("%s -> %s: symlink failed: %s", new, dbuf,
SYSERR);
return;
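Review bot: consistent with the recvfile hunk, the retry now calls symlink(dbuf, new) with the name the first mktemp(new) generated instead of generating a new one; it is worth noting in the commit message that the window between mktemp(3) and symlink(2) was already present before this diff, since there is no mkstemp()-style atomic create for symlinks.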

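The failure discussed in this thread (the second mkstemp() call hitting a template whose Xs were consumed by the first, failed call) and the fix of creating the parent directories first, as an added stand-alone C example that is not rdistd's own code; the scratch directory, the `staging/etc/rdistXXXXXX` path and the helper names (`mkparents`, `recv_buggy`, `recv_fixed`, `try_create`) are constructed for the demo.

```c
/*
 * Added example, not rdistd's own code: reproduces the "create failed:
 * Invalid argument" from this thread and shows the fix.  mkstemp(3) overwrites
 * the XXXXXX in its buffer before it tries to open the file, so once it has
 * failed with ENOENT (parent directory missing) the buffer no longer holds a
 * template and a second mkstemp() on it fails with EINVAL.
 */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#define PATHBUF 4096

/* Create every missing directory component of path (a simplified stand-in
 * for rdistd's chkparent()).  Returns 0 on success, -1 with errno set. */
static int
mkparents(const char *path)
{
	char buf[PATHBUF], *p;
	if (strlen(path) >= sizeof(buf)) {
		errno = ENAMETOOLONG;
		return -1;
	}
	strcpy(buf, path);
	for (p = buf + 1; *p != '\0'; p++) {
		if (*p != '/')
			continue;
		*p = '\0';	/* temporarily cut the path at this slash */
		if (mkdir(buf, S_IRWXU) < 0 && errno != EEXIST)
			return -1;
		*p = '/';
	}
	return 0;
}

/* Pre-fix rdistd pattern: after creating the parents, retry mkstemp() on
 * the same buffer, whose Xs are already gone.  Returns an fd or -1/errno. */
int
recv_buggy(char *new)
{
	int f;
	if ((f = mkstemp(new)) < 0) {
		if (errno != ENOENT || mkparents(new) < 0 ||
		    (f = mkstemp(new)) < 0)
			return -1;
	}
	return f;
}

/* The fix: create the parents first, then call mkstemp() exactly once on
 * an untouched template. */
int
recv_fixed(char *new)
{
	return mkparents(new) < 0 ? -1 : mkstemp(new);
}

/* Try to create base/staging/etc/rdistXXXXXX with fn.  Returns 1 if a file
 * was created (and unlinked again), 0 on failure; *err receives errno. */
int
try_create(const char *base, int (*fn)(char *), int *err)
{
	char path[PATHBUF];
	int f;
	snprintf(path, sizeof(path), "%s/staging/etc/rdistXXXXXX", base);
	f = fn(path);
	*err = errno;
	if (f < 0)
		return 0;
	close(f);
	unlink(path);
	return 1;
}

/* Fresh, empty scratch directory under $TMPDIR (or /tmp), or NULL on
 * failure; release it with remove_scratch(). */
char *
make_scratch(void)
{
	char tmpl[PATHBUF];
	const char *dir = getenv("TMPDIR");
	snprintf(tmpl, sizeof(tmpl), "%s/rdistdemo.XXXXXX", dir ? dir : "/tmp");
	return mkdtemp(tmpl) == NULL ? NULL : strdup(tmpl);
}

/* Remove the staging/etc tree try_create() may have made, then base. */
void
remove_scratch(char *base)
{
	char path[PATHBUF];
	snprintf(path, sizeof(path), "%s/staging/etc", base);
	rmdir(path);
	snprintf(path, sizeof(path), "%s/staging", base);
	rmdir(path);
	rmdir(base);
	free(base);
}
```

On a fresh tree `recv_buggy` fails with EINVAL but leaves `staging/etc` behind, so a second run succeeds, which is exactly the first-pass/second-pass behaviour reported in this thread.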


Re: Tcpdump on pflow0 failed, understanding (or not) the pflow0 pseudo device

2016-03-28 Thread Eike Lantzsch
On Saturday 26 March 2016 18:54:25 Kapetanakis Giannis wrote:
> On 26/03/16 17:02, Eike Lantzsch wrote:
> > Hi:
> > 
> > For learning purposes I want to set up collecting NetFlow data from my
> > small office router (5.8 release on a PC-Engines Alix 2D13 device).
> > I'm trying to follow
> > http://bsdly.blogspot.ca/2014/02/yes-you-too-can-be-evil-network.html
> > and I have Peter N. M. Hansteen's fine Book of PF (3) at hand - chapter 9
> > "Collecting NetFlow Data with pflow(4)".
> > However I seem to have a hard time to understand some details.
> > 
> > I set up
> > /etc/pf.conf
> > # options:
> > set state-defaults pflow
> > 
> > and
> > /etc/hostname.pflow0
> > 
> > and get this:
> > 
> > # ifconfig pflow0
> > pflow0: flags=41 mtu 1448
> > 
> >  priority: 0
> >  pflow: sender: 192.168.12.1 receiver: 192.168.12.31:9995 version:
> >  10
> >  groups: pflow
> > 
> > 192.168.12 is my internal small network. I plan to set up a collector on
> > 192.168.12.31, which is an OpenBSD-vm on my work station.
> > (Did I get this right? Or should I use the address which I get from my ISP
> > as a source address?)
> > 
> > However
> > # tcpdump -nettti pflow0
> > tcpdump: Failed to open bpf device for pflow0: Device not configured
> > 
> > In /dev/ I got bpf0 up to bpf9
> > 
> > I did not set up a collector right now - just wanted to see if I get any
> > NetFlow data.
> > 
> > What did I miss setting up the pflow pseudo-device?
> 
> Try
> tcpdump -i vr0 host 192.168.12.31 and port 9995
> if vr0 is the interface to 192.168.1.31
> 
> G
Thank you Giannis!
That interface would be vether0, vr0 is facing my ISP. No, there are no UDP 
packets for 192.168.12.31:9995.
Does pflow have a problem with virtual ethernet interfaces?
I bridged vr1, athn0 and vether0
I will try to use vr2 for pflow, using another network just for that purpose.
There is another NIC available in the computer with the VM with the collector 
so that I will be able to catch the data later on - if I ever get the sensor 
to work ...

Eike



Re: libc issues on last snapshot

2016-03-28 Thread arrowscript
Solved for me on build 1459134312. Thanks.



Re: patch: fix usage of mkstemp() in rdistd

2016-03-28 Thread Paul Kelly

On 03/28/16 04:05, Todd C. Miller wrote:
> I think it's best to just check the parent directories first and
> then create the temp name.
>
>   - todd

This works for me and avoids my hacking around with new. I added a few 
extra destination directories and it seems to hold up OK. Thanks!


paul@tiger:~/workspace/push/cm: /usr/bin/rdist -L syslog=all -d 
HOST=aspireone

aspireone: updating host aspireone
aspireone: ./scripts: installing
aspireone: scripts: mkdir
aspireone: ./scripts/util: installing
aspireone: ./scripts/install: installing
aspireone: ./scripts/files: installing
aspireone: ./hosts/aspireone/etc/doas.conf: installing
aspireone: staging: mkdir
aspireone: staging/etc: mkdir
aspireone: staging/etc/one: mkdir
aspireone: staging/etc/one/two: mkdir
aspireone: staging/etc/one/two/three: mkdir
aspireone: ./hosts/aspireone/etc/rc.conf.local: installing
aspireone: cmdspecial "./scripts/install"




> Index: server.c
> ===
> RCS file: /cvs/src/usr.bin/rdistd/server.c,v
> retrieving revision 1.40
> diff -u -p -u -r1.40 server.c
> --- server.c   22 Dec 2015 08:48:39 -  1.40
> +++ server.c   28 Mar 2016 02:01:32 -
> @@ -750,12 +750,9 @@ recvfile(char *new, opt_t opts, int mode
>/*
> * Create temporary file
> */
> -  if ((f = mkstemp(new)) < 0) {
> -  if (errno != ENOENT || chkparent(new, opts) < 0 ||
> -  (f = mkstemp(new)) < 0) {
> -  error("%s: create failed: %s", new, SYSERR);
> -  return;
> -  }
> +  if (chkparent(new, opts) < 0 || (f = mkstemp(new)) < 0) {
> +  error("%s: create failed: %s", new, SYSERR);
> +  return;
>}
>
>/*
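Review bot: calling chkparent(new, opts) before every mkstemp() moves the parent-directory check from the ENOENT error path into the common path, so each received file now pays chkparent's stat(2) calls even when the directories already exist; if that cost matters, keep the check on the error path and, after chkparent succeeds, create the file by the name mkstemp() already substituted instead of calling mkstemp() again on a template with no Xs left.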
> @@ -1161,13 +1158,10 @@ recvlink(char *new, opt_t opts, int mode
>/*
> * Make new symlink using a temporary name
> */
> -  if (mktemp(new) == NULL || symlink(dbuf, new) < 0) {
> -  if (errno != ENOENT || chkparent(new, opts) < 0 ||
> -  mktemp(new) == NULL || symlink(dbuf, new) < 0) {
> -  error("%s -> %s: symlink failed: %s", new, dbuf,
> -  SYSERR);
> -  return;
> -  }
> +  if (chkparent(new, opts) < 0 || mktemp(new) == NULL ||
> +  symlink(dbuf, new) < 0) {
> +  error("%s -> %s: symlink failed: %s", new, dbuf, SYSERR);
> +  return;
>}
>
>/*
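Review bot: same trade-off as the recvfile hunk: chkparent() now runs ahead of every mktemp()/symlink() pair instead of only after an ENOENT, and the errno test that distinguished a missing parent from other failures is gone; the simplification reads correctly, but the extra stat(2) calls on existing trees should be called out in the commit message.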



Re: patch: fix usage of mkstemp() in rdistd

2016-03-28 Thread Paul Kelly
I had a request for more information about how to replicate this. Here's 
a stripped back example that demonstrates the problem.


paul@tiger:~/workspace/push/cm: cat ./distfile
./hosts/aspireone/etc/doas.conf -> ${HOST}
install staging/etc ;


paul@tiger:~/workspace/push/cm: cat ./hosts/aspireone/etc/doas.conf
# This is a dummy file.


First attempt fails to create a file if two new directories have been 
created:


paul@tiger:~/workspace/push/cm: /usr/bin/rdist -L syslog=all -d 
HOST=aspireone

aspireone: updating host aspireone
aspireone: ./hosts/aspireone/etc/doas.conf: installing
aspireone: staging: mkdir
aspireone: staging/etc: mkdir
aspireone: REMOTE ERROR: staging/etc/rdist9lu2tvqg: create failed: 
Invalid argument

aspireone: updating of aspireone finished


Second pass succeeds:

paul@tiger:~/workspace/push/cm: /usr/bin/rdist -L syslog=all -d 
HOST=aspireone

aspireone: updating host aspireone
aspireone: ./hosts/aspireone/etc/doas.conf: installing
aspireone: updating of aspireone finished



dmesg from the remote machine:


About STABLE ports

2016-03-28 Thread danilo.walterino
Hello, I would submit to you the problem I encounter when compiling
firefox-ESR.
I'm running OpenBSD 5.8-stable (GENERIC.MP) #1, and my ports tree is in sync with
STABLE.
I would add that before compiling firefox-esr, all other software was
installed in binary form (pkg_add).
I tried 2 times to compile, unsuccessfully, with the same error message.
Here is an extract of my log file:

Do I first have to reinstall all my software from ports?

Thanks for your help!
 
Building package for cmake-3.2.3p1 
Create /usr/ports/packages/amd64/all/cmake-3.2.3p1.tgz 
Error: Libraries in packing-lists in the ports tree and libraries from 
installed packages don't match 
 
Error 1 in /usr/ports/devel/cmake 
(/usr/ports/infrastructure/mk/bsd.port.mk:3244 'wantlib-args') 
*** Error 1 in /usr/ports/devel/cmake 
(/usr/ports/infrastructure/mk/bsd.port.mk:1956 
'/usr/ports/packages/amd64/all/cmake-3.2.3p1.tgz') 
*** Error 1 in /usr/ports/devel/cmake 
(/usr/ports/infrastructure/mk/bsd.port.mk:2508 '_internal-package') 
*** Error 1 in /usr/ports/devel/cmake 
(/usr/ports/infrastructure/mk/bsd.port.mk:2488 'package') 
*** Error 1 in /usr/ports/devel/cmake 
(/usr/ports/infrastructure/mk/bsd.port.mk:1969 
'/var/db/pkg/cmake-3.2.3p1/+CONTENTS') 
*** Error 1 in /usr/ports/devel/cmake 
(/usr/ports/infrastructure/mk/bsd.port.mk:2488 'install') 
*** Error 1 in /usr/ports/devel/llvm 
(/usr/ports/infrastructure/mk/bsd.port.mk:2112 
'/usr/ports/pobj/llvm-3.5.20140228/.dep-STEM-ge-3.2.3p1-devel-cmake') 
*** Error 1 in /usr/ports/devel/llvm 
(/usr/ports/infrastructure/mk/bsd.port.mk:2575 
'/usr/ports/pobj/llvm-3.5.20140228/.extract_done') 
*** Error 1 in /usr/ports/devel/llvm 
(/usr/ports/infrastructure/mk/bsd.port.mk:1952 
'/usr/ports/packages/amd64/all/llvm-3.5.20140228p34.tgz') 
*** Error 1 in /usr/ports/devel/llvm 
(/usr/ports/infrastructure/mk/bsd.port.mk:2508 '_internal-package') 
*** Error 1 in /usr/ports/devel/llvm 
(/usr/ports/infrastructure/mk/bsd.port.mk:2488 'package') 
*** Error 1 in /usr/ports/devel/llvm 
(/usr/ports/infrastructure/mk/bsd.port.mk:1969 
'/var/db/pkg/llvm-3.5.20140228p34/+CONTENTS') 
*** Error 1 in /usr/ports/devel/llvm 
(/usr/ports/infrastructure/mk/bsd.port.mk:2488 'install') 
*** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2112 
'/usr/ports/pobj/firefox-esr-38.7.1/.dep-STEM-ge-3.5.20140228p27-devel-llvm') 
*** Error 1 in /usr/ports/www/firefox-esr 
(/usr/ports/infrastructure/mk/bsd.port.mk:2488 'all') 



Re: OS is leaking DNS

2016-03-28 Thread Sebastien Marie
On Sun, Mar 27, 2016 at 11:12:38PM -0700, Adam Smith wrote:
> Hi,
> 
> Relevant info:
> 
> 1. OpenBSD-amd64 snapshot (install59.iso) with sha256sum of 
> 5e8020ce150e0fba17b1eef7acc8c27d10845288b9d8c82315bd6826dc94669d and dated 
> March 27, 2016
> (installed OpenBSD as desktop OS)
> 2. openvpn-2.3.10
> 3. firefox
> 4. enabled DHCP during installation of OS
> 5. edit /etc/resolv.conf.tail to include my preferred public DNS servers
> 6. computer connects directly to cable modem supplied by ISP, meaning my 
> machine receives dynamic IP addresses from my ISP
> 7. computer is standalone, not part of network
> 
> After my computer is connected to VPN tunnel, I start Firefox and surf to 
> https://www.dns-oarc.net/oarc/services/dnsentropy where I click on the button 
> that says "Test My DNS".
> 
> The IP address of my ISP appears in the results. It means that the OpenBSD 
> operating system leaks DNS.

I tend to say that OpenBSD does what you ask for :)

> How to fix the problem, please?

Without seeing any configuration files it is a bit complex to be sure...

With my magic hat, my interpretation is:
  - you don't configure specific options in dhclient.conf, so when your
ISP sends you the DNS list, dhclient(8) adds it to /etc/resolv.conf

  - you added your preferred public DNS servers in resolv.conf.tail, so
these addresses will be *at the bottom*

  - your /etc/resolv.conf should look like:

nameserver ISP-DNS-address
nameserver preferred-public-DNS-address

  - so when a program asks to resolve an address, libc works as
documented in resolv.conf:

"If there are multiple servers, the resolver library queries them in
the order listed".

As resolv.conf.tail is at the bottom, these DNS addresses are used when
the first (ISP DNS) addresses fail.


I think what you want is to override the DNS addresses provided by your
ISP. It could be done using dhclient.conf, with the following line for
example:

   supersede domain-name-servers 8.8.8.8;

Take a look at dhclient.conf(5) man page for more information.

  supersede option option-value;
Use option-value for the given option, regardless of the value
supplied by the server.

I hope it helps.
-- 
Sebastien Marie



Re: OS is leaking DNS

2016-03-28 Thread Michael McConville
Adam Smith wrote:
> Relevant info:
> 
> 1. OpenBSD-amd64 snapshot (install59.iso) with sha256sum of
>5e8020ce150e0fba17b1eef7acc8c27d10845288b9d8c82315bd6826dc94669d and
>dated March 27, 2016
>(installed OpenBSD as desktop OS)
> 2. openvpn-2.3.10
> 3. firefox
> 4. enabled DHCP during installation of OS
> 5. edit /etc/resolv.conf.tail to include my preferred public DNS servers
> 6. computer connects directly to cable modem supplied by ISP, meaning
>my machine receives dynamic IP addresses from my ISP
> 7. computer is standalone, not part of network
> 
> After my computer is connected to VPN tunnel, I start Firefox and surf
> to https://www.dns-oarc.net/oarc/services/dnsentropy where I click on
> the button that says "Test My DNS".
> 
> The IP address of my ISP appears in the results. It means that the OpenBSD
> operating system leaks DNS.
> 
> How to fix the problem, please?

See resolv.conf.tail(5). Its contents are *appended* to
/etc/resolv.conf, so if your DHCP lease suggests a DNS server, your
system will try that one before those listed in /etc/resolv.conf.tail.
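As an added illustration of the ordering both replies describe (this is not code from the thread or from OpenBSD): a small POSIX sh model of how lease-supplied servers, a "supersede domain-name-servers" line and resolv.conf.tail end up ordered in /etc/resolv.conf, with a check of which server the resolver tries first. The ISP address 198.51.100.53 is a constructed sample value; 8.8.8.8 is the server from Sebastien's example.

```shell
#!/bin/sh
# Added example, not from the thread: model how dhclient(8) assembles
# /etc/resolv.conf (lease servers first, resolv.conf.tail appended last,
# a supersede line replacing the lease value) and check the first server.

# build_resolv_conf LEASE_SERVERS SUPERSEDE_SERVERS TAIL_TEXT
build_resolv_conf() {
    lease=$1 supersede=$2 tail_text=$3
    if [ -n "$supersede" ]; then
        servers=$supersede   # dhclient.conf "supersede domain-name-servers ..."
    else
        servers=$lease       # option as sent by the ISP's DHCP server
    fi
    for s in $servers; do
        printf 'nameserver %s\n' "$s"
    done
    # resolv.conf.tail(5) is appended verbatim, so it always lands last
    [ -n "$tail_text" ] && printf '%s\n' "$tail_text"
    return 0
}

# first_nameserver RESOLV_TEXT: the resolver queries servers in the order
# listed, so the first "nameserver" line is the one that gets every query.
first_nameserver() {
    printf '%s\n' "$1" | while read -r key val rest; do
        [ "$key" = "nameserver" ] && { printf '%s\n' "$val"; break; }
    done
}

# check_no_leak RESOLV_TEXT PREFERRED_SERVERS: succeed only if the first
# nameserver is one of the preferred servers, i.e. the ISP's is not tried first.
check_no_leak() {
    first=$(first_nameserver "$1")
    for p in $2; do
        [ "$first" = "$p" ] && return 0
    done
    return 1
}

# Constructed scenario: the ISP lease hands out 198.51.100.53 (sample
# address); resolv.conf.tail carries the user's preferred public servers.
ISP_DNS="198.51.100.53"
PREFERRED="8.8.8.8 8.8.4.4"
TAIL_TEXT="nameserver 8.8.8.8
nameserver 8.8.4.4"

leaky=$(build_resolv_conf "$ISP_DNS" "" "$TAIL_TEXT")        # no supersede
fixed=$(build_resolv_conf "$ISP_DNS" "8.8.8.8" "$TAIL_TEXT") # with supersede
```

With the supersede line the preferred server appears twice (once from dhclient.conf, once from the tail), which is harmless; without it the ISP resolver is listed first and receives every query.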