Re: OpenBSD 5.2 AutoFSCK at boot

2016-11-24 Thread Nick Holland
On 11/24/16 08:48, Markus Hennecke wrote:
> On 24.11.2016 at 14:31, Luescher Claude wrote:
>> I have couple of OpenBSD 5.2 vms where I could use automatic file system
>> repair at start. In most other OS'es I have running virtualized
>> (windows, linux) it's not a problem, they automatically repair
>> filesystem inconsistencies and start up but not OpenBSD.
> 
> Is the VM hypervisor a VMWare ESX and you got the paravirtualized SCSI 
> controller set up? If that is the case, switch the controller to the 
> lsilogic parallel and the file systems will be repaired during fsck.
> 
> The problem seems to be that the first write on the paravirtualized 
> controller does not end up on the virtual disk. This is the case for 
> OpenBSD 6.0 and later, don't know about 5.2.

It's been a problem for a long time.

And a cool thing: the change won't break anything, either.  Just works.

Yes, lousy problem report, but I'll bet this is it.

Nick.



Re: Recommendation for firewall appliance running of and OpenBSD

2016-11-24 Thread Joe Crivello
> As far as I know, Halon cuts the number of IPSec tunnels on free version.


You're paying for ease of use and polish. Software developers aren't free.



Re: IPSec

2016-11-24 Thread mxb
You should be able to.
As far as I understand, ipsec.conf gets “translated” to isakmpd.conf.

I use both.
What I have in isakmpd.conf is:

[General]
DPD-check-interval = 60

Works fine.

//mxb

> On 24 nov. 2016, at 22:58, Damian McGuckin  wrote:
>
> Can you mix the use of 'isakmpd.conf' and 'ipsec.conf'?
>
> I currently use the former for port 500 stuff. We use both predefined
> network-to-networks IPSec links with PreShared Secrets and also dynamic, i.e.
> negotiated, network-to-network links. The thought of figuring out how to do
> both with IPSec, especially the latter which does not seem to be documented
> with examples, fills me with dread.
>
> I have just figured out to allow L2TP/IPSec connections which demands the
> use of the latter.
>
> I would love to use both concurrently if I can?
>
> Has anybody got any experience with both working well together?
>
> Thanks - Damian
>
> Pacific Engineering Systems International, 277-279 Broadway, Glebe NSW 2037
> Ph:+61-2-8571-0847 .. Fx:+61-2-9692-9623 | unsolicited email not wanted here
> Views & opinions here are mine and not those of any past or present employer



Re: Recommendation for firewall appliance running of and OpenBSD

2016-11-24 Thread mxb
As far as I know, Halon cuts the number of IPSec tunnels on free version.


> On 24 nov. 2016, at 21:21, Joe Crivello  wrote:
> 
>> Can somebody please recommend me a firewall appliance that can run OpenBSD
>> and pf, and can be upgradeable to the latest version? It would be a great plus
>> if the appliance can also be configured as part of CARP firewall group.
> 
> 
> http://securityrouter.org/
> 
> Great product.



IPSec

2016-11-24 Thread Damian McGuckin

Can you mix the use of 'isakmpd.conf' and 'ipsec.conf'?

I currently use the former for port 500 stuff. We use both predefined 
network-to-networks IPSec links with PreShared Secrets and also dynamic, 
i.e. negotiated, network-to-network links. The thought of figuring out how 
to do both with IPSec, especially the latter which does not seem to be 
documented with examples, fills me with dread.


I have just figured out to allow L2TP/IPSec connections which demands the 
use of the latter.


I would love to use both concurrently if I can?

Has anybody got any experience with both working well together?

Thanks - Damian

Pacific Engineering Systems International, 277-279 Broadway, Glebe NSW 2037
Ph:+61-2-8571-0847 .. Fx:+61-2-9692-9623 | unsolicited email not wanted here
Views & opinions here are mine and not those of any past or present employer



Re: Recommendation for firewall appliance running of and OpenBSD

2016-11-24 Thread Stefan Sperling
On Fri, Nov 25, 2016 at 04:15:23AM +0800, Tito Mari Francis H. Escaño wrote:
> Hi everyone,
> Can somebody please recommend me a firewall appliance that can run OpenBSD and
> pf, and can be upgradeable to the latest version? It would be a great plus if
> the appliance can also be configured as part of CARP firewall group. pfSense
> with FreeBSD doesn't cut it :)
> 

I'd recommend: Ditch appliances, invest your time into learning OpenBSD
and pf, and be happy forever after (including any future upgrades).



Re: Making sense of ktrace

2016-11-24 Thread Jeff Ross

On 11/23/16 8:25 PM, Jeremie Courreges-Anglas wrote:
> "Andy Bradford" writes:
>> Thus said Jeff Ross on Wed, 23 Nov 2016 15:42:08 -0700:
>>> The stack may indeed be too damaged--I get the following but it
>>> doesn't look very helpful:
>>
>> More likely the symbols were stripped.
>>
>> Assuming this was installed from sources, edit conf-cc and add -g, then
>> edit conf-ld and remove the -s:
>>
>> $ head -1 conf-cc
>> cc -O2 -g
>> $ head -1 conf-ld
>> cc
>
> Better add -g here too.
>
>> $
>>
>> Then recompile and try again (e.g. get a new core file and run gdb
>> again).
>>
>> Andy




I made the change to conf-cc and conf-ld and indeed, I got a core file 
that showed the source and the point of failure.


Thanks Andy and Jeremie!

Jeff



Re: Recommendation for firewall appliance running of and OpenBSD

2016-11-24 Thread ilyes aiouaz - gmail
https://www.esdenera.com/

By our friend reyk floeter

On 24/11/2016 at 21:15, Tito Mari Francis H. Escaño wrote:
> Hi everyone,
> Can somebody please recommend me a firewall appliance that can run OpenBSD and
> pf, and can be upgradeable to the latest version? It would be a great plus if
> the appliance can also be configured as part of CARP firewall group. pfSense
> with FreeBSD doesn't cut it :)



Re: Recommendation for firewall appliance running of and OpenBSD

2016-11-24 Thread Joe Crivello
> Can somebody please recommend me a firewall appliance that can run OpenBSD
> and pf, and can be upgradeable to the latest version? It would be a great plus
> if the appliance can also be configured as part of CARP firewall group.


http://securityrouter.org/

Great product.



Recommendation for firewall appliance running of and OpenBSD

2016-11-24 Thread Tito Mari Francis H . Escaño
Hi everyone,
Can somebody please recommend me a firewall appliance that can run OpenBSD and
pf, and can be upgradeable to the latest version? It would be a great plus if
the appliance can also be configured as part of CARP firewall group. pfSense
with FreeBSD doesn't cut it :)



Re: Disable Laptops Keyboard in OpenBSD

2016-11-24 Thread Boudewijn Dijkstra
On Tue, 22 Nov 2016 10:24:16 +0100, pasta wrote:
> Hi, I can't figure out how to disable my laptop's keyboard so I can only
> use my USB one.
>
> xinput doesn't list each keyboard as in Linux I believe.
> I could write a xorg.conf but what if I don't have my keyboard with
> myself then?
>
> wsconsctl can't disable a keyboard, can it?

Have you tried wsconscfg(8)?


--
Made with Opera's e-mail program: http://www.opera.com/mail/



Re: OpenBSD 5.2 AutoFSCK at boot

2016-11-24 Thread Peter N. M. Hansteen
On 11/24/16 14:31, Luescher Claude wrote:
> I have couple of OpenBSD 5.2 vms where I could use automatic file system
> repair at start. In most other OS'es I have running virtualized
> (windows, linux) it's not a problem, they automatically repair
> filesystem inconsistencies and start up but not OpenBSD.
> 
> With this the boot either completely stucks or it mounts up the fs to
> read-only mode and I always have to connect to the VM console reboot it
> to single user mode with boot -s then fsck -y all partitions then boot
> it back.
> 
> Did anyone come up with a solution for this?
> Is this feature added to the new versions?

You're not giving us a lot to work with here (exactly which
virtualization technology, which version and so on would be extremely
useful for meaningful feedback), but anyway -

As far as I can remember, OpenBSD does indeed run a file system check at
boot if there are indications that the system did not shut down cleanly.
I don't think the system has changed very much in that respect at all
for a very long time.

But then OpenBSD 5.2 has been out of support for years already. I'd try
with a supported release (5.9 or 6.0) with similar application load and
see if your problem persists.

Next, look into what caused those file systems to go bad in the first
place. The problem doesn't have to be an OpenBSD one - back in the day
IIRC virtualbox had bugs that showed up as memory corruption in guests,
that for some reason bit OpenBSD guests more frequently than others. But
again, we don't have sufficient information to help you diagnose.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: OpenBSD 5.2 AutoFSCK at boot

2016-11-24 Thread Markus Hennecke

On 24.11.2016 at 14:31, Luescher Claude wrote:
> I have couple of OpenBSD 5.2 vms where I could use automatic file system
> repair at start. In most other OS'es I have running virtualized
> (windows, linux) it's not a problem, they automatically repair
> filesystem inconsistencies and start up but not OpenBSD.


Is the VM hypervisor a VMWare ESX and you got the paravirtualized SCSI 
controller set up? If that is the case, switch the controller to the 
lsilogic parallel and the file systems will be repaired during fsck.


The problem seems to be that the first write on the paravirtualized 
controller does not end up on the virtual disk. This is the case for 
OpenBSD 6.0 and later, don't know about 5.2.


VMWare Workstation wasn't affected AFAIR.

Kind regards
Markus



Re: OpenBSD 5.2 AutoFSCK at boot

2016-11-24 Thread Otto Moerbeek
On Thu, Nov 24, 2016 at 02:31:24PM +0100, Luescher Claude wrote:

> Hello List,
> 
> I have couple of OpenBSD 5.2 vms where I could use automatic file system
> repair at start. In most other OS'es I have running virtualized (windows,
> linux) it's not a problem, they automatically repair filesystem
> inconsistencies and start up but not OpenBSD.
> 
> With this the boot either completely stucks or it mounts up the fs to
> read-only mode and I always have to connect to the VM console reboot it to
> single user mode with boot -s then fsck -y all partitions then boot it back.
> 
> Did anyone come up with a solution for this?
> Is this feature added to the new versions?
> 
> Thx

OpenBSD does repair filesystems at the start. But for some reason in
your setup it doesn't succeed. Try to find out why. But first upgrade
to a supported system (6.0).

-Otto



OpenBSD 5.2 AutoFSCK at boot

2016-11-24 Thread Luescher Claude

Hello List,

I have couple of OpenBSD 5.2 vms where I could use automatic file system 
repair at start. In most other OS'es I have running virtualized 
(windows, linux) it's not a problem, they automatically repair 
filesystem inconsistencies and start up but not OpenBSD.


With this the boot either completely stucks or it mounts up the fs to 
read-only mode and I always have to connect to the VM console reboot it 
to single user mode with boot -s then fsck -y all partitions then boot 
it back.


Did anyone come up with a solution for this?
Is this feature added to the new versions?

Thx



Re: jdk-1.7.0 and jdk-1.8.0 Abort trap (core dumped) GDB core trace provided

2016-11-24 Thread Denis Lapshin

Now works great. Thanks.


On 24.11.2016 11:40, David Coppa wrote:
> On Thu, Nov 24, 2016 at 9:32 AM, Denis Lapshin wrote:
>> Hello All,
>>
>> There is a problem with starting jdk from packages on AMD64 platform. It
>> doesn't matter what versions of jdk installed: jdk-1.7.0 or jdk-1.8.0. The
>> same issue is present on both.
>>
>> # java
>> Abort trap (core dumped)
>>
>> # gdb /usr/local/jdk-1.7.0/bin/java java.core
>> GNU gdb 6.3
>> Copyright 2004 Free Software Foundation, Inc.
>> GDB is free software, covered by the GNU General Public License, and you are
>> welcome to change it and/or distribute copies of it under certain
>> conditions.
>> Type "show copying" to see the conditions.
>> There is absolutely no warranty for GDB.  Type "show warranty" for details.
>> This GDB was configured as "amd64-unknown-openbsd6.0"...(no debugging
>> symbols found)
>>
>> Core was generated by `java'.
>> Program terminated with signal 6, Aborted.
>> Reading symbols from /usr/lib/libpthread.so.22.0...done.
>> Loaded symbols for /usr/lib/libpthread.so.22.0
>> Loaded symbols for /usr/local/jdk-1.7.0/bin/java
>> Reading symbols from /usr/lib/libz.so.5.0...done.
>> Loaded symbols for /usr/lib/libz.so.5.0
>> Symbols already loaded for /usr/lib/libpthread.so.22.0
>> Reading symbols from /usr/lib/libc.so.88.0...done.
>> Loaded symbols for /usr/lib/libc.so.88.0
>> Reading symbols from /usr/libexec/ld.so...done.
>> Loaded symbols for /usr/libexec/ld.so
>> Reading symbols from
>> /usr/local/jdk-1.7.0/jre/lib/amd64/server/libjvm.so...done.
>> Loaded symbols for /usr/local/jdk-1.7.0/jre/lib/amd64/server/libjvm.so
>> Reading symbols from /usr/lib/libstdc++.so.57.0...done.
>> Loaded symbols for /usr/lib/libstdc++.so.57.0
>> Reading symbols from /usr/lib/libm.so.9.0...done.
>> Loaded symbols for /usr/lib/libm.so.9.0
>> Reading symbols from /usr/local/jdk-1.7.0/jre/lib/amd64/libverify.so...done.
>> Loaded symbols for /usr/local/jdk-1.7.0/jre/lib/amd64/libverify.so
>> Reading symbols from /usr/local/jdk-1.7.0/jre/lib/amd64/libjava.so...done.
>> Loaded symbols for /usr/local/jdk-1.7.0/jre/lib/amd64/libjava.so
>> Reading symbols from /usr/local/jdk-1.7.0/jre/lib/amd64/libzip.so...done.
>> Loaded symbols for /usr/local/jdk-1.7.0/jre/lib/amd64/libzip.so
>> #0  0x12b62e14c0ca in mprotect () at :2
>> 2   : No such file or directory.
>> in
>> (gdb) where
>> #0  0x12b62e14c0ca in mprotect () at :2
>> #1  0x12b65861b5c8 in os::pd_commit_memory () from
>
> Your '/usr/local' filesystem does not have the "wxallowed" mount option.
>
> Read the mount(8) manual page.
>
> Ciao!
> David


--
Denis Lapshin
mailto: den...@mindall.org



ntpd.conf: how to do IPv6 in a carp setup?

2016-11-24 Thread Harald Dunkel
Hi folks,

I am running a carp environment on my gateway. Due to lack
of routable IPv4 addresses the em0 interface provides IPv6
only, the carp0 interface defines both IPv4 and IPv6 addresses.
The internal interfaces em1 and carp1 provide both IPv4 and
IPv6.

ntpd works fine on the master, but on the backup host ntpd
complains " peer not valid " and "sendto: Network is
unreachable". "ntpctl -s peers" shows *no* IPv6 addresses
(on master and backup), even though there seems to be some
IPv6 support in the code.

The workaround is clear, but I wonder how comes?

ntpd.conf:

# grep -v ^\# /etc/ntpd.conf

listen on 10.100.0.1
listen on 10.100.0.3
listen on 2001:db8:30:fff0::1
listen on 2001:db8:30:fff0::3

servers pool.ntp.org
servers ntp.eu.sixxs.net

The packet filter allows ntp as well:

pass out log quick proto udp from (self) to any port ntp keep state (no-sync)

There is no nat-to for (self).


Every helpful comment is highly appreciated.
Harri



Re: jdk-1.7.0 and jdk-1.8.0 Abort trap (core dumped) GDB core trace provided

2016-11-24 Thread Stuart Henderson
On 2016-11-24, Denis Lapshin  wrote:
> Hello All,
>
> There is a problem with starting jdk from packages on AMD64 platform. It 
> doesn't matter what versions of jdk installed: jdk-1.7.0 or jdk-1.8.0. 
> The same issue is present on both.

You forgot to include dmesg which would make things more clear. But
most likely you upgraded to 6.0 and need to follow the first step in
"Configuration and syntax changes".



Re: jdk-1.7.0 and jdk-1.8.0 Abort trap (core dumped) GDB core trace provided

2016-11-24 Thread David Coppa
On Thu, Nov 24, 2016 at 9:32 AM, Denis Lapshin  wrote:
> Hello All,
>
> There is a problem with starting jdk from packages on AMD64 platform. It
> doesn't matter what versions of jdk installed: jdk-1.7.0 or jdk-1.8.0. The
> same issue is present on both.
>
> # java
> Abort trap (core dumped)
>
> # gdb /usr/local/jdk-1.7.0/bin/java java.core
> GNU gdb 6.3
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "amd64-unknown-openbsd6.0"...(no debugging
> symbols found)
>
> Core was generated by `java'.
> Program terminated with signal 6, Aborted.
> Reading symbols from /usr/lib/libpthread.so.22.0...done.
> Loaded symbols for /usr/lib/libpthread.so.22.0
> Loaded symbols for /usr/local/jdk-1.7.0/bin/java
> Reading symbols from /usr/lib/libz.so.5.0...done.
> Loaded symbols for /usr/lib/libz.so.5.0
> Symbols already loaded for /usr/lib/libpthread.so.22.0
> Reading symbols from /usr/lib/libc.so.88.0...done.
> Loaded symbols for /usr/lib/libc.so.88.0
> Reading symbols from /usr/libexec/ld.so...done.
> Loaded symbols for /usr/libexec/ld.so
> Reading symbols from
> /usr/local/jdk-1.7.0/jre/lib/amd64/server/libjvm.so...done.
> Loaded symbols for /usr/local/jdk-1.7.0/jre/lib/amd64/server/libjvm.so
> Reading symbols from /usr/lib/libstdc++.so.57.0...done.
> Loaded symbols for /usr/lib/libstdc++.so.57.0
> Reading symbols from /usr/lib/libm.so.9.0...done.
> Loaded symbols for /usr/lib/libm.so.9.0
> Reading symbols from /usr/local/jdk-1.7.0/jre/lib/amd64/libverify.so...done.
> Loaded symbols for /usr/local/jdk-1.7.0/jre/lib/amd64/libverify.so
> Reading symbols from /usr/local/jdk-1.7.0/jre/lib/amd64/libjava.so...done.
> Loaded symbols for /usr/local/jdk-1.7.0/jre/lib/amd64/libjava.so
> Reading symbols from /usr/local/jdk-1.7.0/jre/lib/amd64/libzip.so...done.
> Loaded symbols for /usr/local/jdk-1.7.0/jre/lib/amd64/libzip.so
> #0  0x12b62e14c0ca in mprotect () at :2
> 2   : No such file or directory.
> in 
> (gdb) where
> #0  0x12b62e14c0ca in mprotect () at :2
> #1  0x12b65861b5c8 in os::pd_commit_memory () from

Your '/usr/local' filesystem does not have the "wxallowed" mount option.

Read the mount(8) manual page.

Ciao!
David
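
Added example, not part of the thread: a shell check for the condition David describes, reporting whether the filesystem that holds a path is mounted with `wxallowed`. The helper name `wx_status` and the sample `mount` tables (device names, option sets) are constructed for illustration; on a live system pass `"$(mount)"` as the first argument.

```shell
#!/bin/sh
# Added example: does the filesystem holding PATH carry "wxallowed"?
# Parses text in the layout mount(8) prints on OpenBSD:
#   <device> on <mountpoint> type <fstype> (<opt>, <opt>, ...)

# Constructed sample: device names and option sets are made up.
SAMPLE_MOUNTS='/dev/sd0a on / type ffs (local)
/dev/sd0d on /usr type ffs (local, nodev)
/dev/sd0e on /usr/local type ffs (local, nodev)
/dev/sd0f on /home type ffs (local, nodev, nosuid)'

# The same table after adding wxallowed to /usr/local (also constructed).
SAMPLE_FIXED=$(printf '%s\n' "$SAMPLE_MOUNTS" |
    sed '/ on \/usr\/local /s/)$/, wxallowed)/')

# wx_status MOUNT_OUTPUT PATH   (hypothetical helper name)
# Prints "<mountpoint> wxallowed" or "<mountpoint> no-wxallowed" for the
# longest mount point containing PATH. Exit status: 0 wxallowed set,
# 1 not set, 2 no mount point matched. Mount points with spaces are not
# handled.
wx_status() {
    printf '%s\n' "$1" | awk -v path="$2" '
        $2 == "on" {
            mp = $3
            # /usr must match /usr and /usr/x but not /usrdata.
            if (mp != "/" && path != mp && index(path, mp "/") != 1)
                next
            if (length(mp) <= length(best))
                next
            best = mp
            opts = $0
            sub(/^[^(]*\(/, "", opts)   # drop everything up to "("
            sub(/\).*$/, "", opts)      # drop ")" and anything after
            wx = 0
            n = split(opts, o, /, */)
            for (i = 1; i <= n; i++)
                if (o[i] == "wxallowed") wx = 1
        }
        END {
            if (best == "") exit 2
            print best, (wx ? "wxallowed" : "no-wxallowed")
            exit (wx ? 0 : 1)
        }'
}

# Demo on the constructed tables; on a live system use "$(mount)".
for table in "$SAMPLE_MOUNTS" "$SAMPLE_FIXED"; do
    wx_status "$table" /usr/local/jdk-1.7.0/bin/java || :
done
```

The longest-prefix match matters here: a JDK under `/usr/local` is governed by the options on `/usr/local`, not by those on `/usr` or `/`.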



jdk-1.7.0 and jdk-1.8.0 Abort trap (core dumped) GDB core trace provided

2016-11-24 Thread Denis Lapshin

Hello All,

There is a problem with starting jdk from packages on AMD64 platform. It 
doesn't matter what versions of jdk installed: jdk-1.7.0 or jdk-1.8.0. 
The same issue is present on both.


# java
Abort trap (core dumped)

# gdb /usr/local/jdk-1.7.0/bin/java java.core
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain 
conditions.

Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-unknown-openbsd6.0"...(no debugging 
symbols found)


Core was generated by `java'.
Program terminated with signal 6, Aborted.
Reading symbols from /usr/lib/libpthread.so.22.0...done.
Loaded symbols for /usr/lib/libpthread.so.22.0
Loaded symbols for /usr/local/jdk-1.7.0/bin/java
Reading symbols from /usr/lib/libz.so.5.0...done.
Loaded symbols for /usr/lib/libz.so.5.0
Symbols already loaded for /usr/lib/libpthread.so.22.0
Reading symbols from /usr/lib/libc.so.88.0...done.
Loaded symbols for /usr/lib/libc.so.88.0
Reading symbols from /usr/libexec/ld.so...done.
Loaded symbols for /usr/libexec/ld.so
Reading symbols from /usr/local/jdk-1.7.0/jre/lib/amd64/server/libjvm.so...done.
Loaded symbols for /usr/local/jdk-1.7.0/jre/lib/amd64/server/libjvm.so
Reading symbols from /usr/lib/libstdc++.so.57.0...done.
Loaded symbols for /usr/lib/libstdc++.so.57.0
Reading symbols from /usr/lib/libm.so.9.0...done.
Loaded symbols for /usr/lib/libm.so.9.0
Reading symbols from /usr/local/jdk-1.7.0/jre/lib/amd64/libverify.so...done.
Loaded symbols for /usr/local/jdk-1.7.0/jre/lib/amd64/libverify.so
Reading symbols from /usr/local/jdk-1.7.0/jre/lib/amd64/libjava.so...done.
Loaded symbols for /usr/local/jdk-1.7.0/jre/lib/amd64/libjava.so
Reading symbols from /usr/local/jdk-1.7.0/jre/lib/amd64/libzip.so...done.
Loaded symbols for /usr/local/jdk-1.7.0/jre/lib/amd64/libzip.so
#0  0x12b62e14c0ca in mprotect () at :2
2   : No such file or directory.
in 
(gdb) where
#0  0x12b62e14c0ca in mprotect () at :2
#1  0x12b65861b5c8 in os::pd_commit_memory () from /usr/local/jdk-1.7.0/jre/lib/amd64/server/libjvm.so
#2  0x12b65861b5f0 in os::pd_commit_memory () from /usr/local/jdk-1.7.0/jre/lib/amd64/server/libjvm.so
#3  0x12b658619cf7 in os::commit_memory () from /usr/local/jdk-1.7.0/jre/lib/amd64/server/libjvm.so
#4  0x12b6587a3236 in VirtualSpace::expand_by () from /usr/local/jdk-1.7.0/jre/lib/amd64/server/libjvm.so
#5  0x12b6587a34d8 in VirtualSpace::initialize () from /usr/local/jdk-1.7.0/jre/lib/amd64/server/libjvm.so
#6  0x12b658366cab in CodeHeap::reserve () from /usr/local/jdk-1.7.0/jre/lib/amd64/server/libjvm.so
#7  0x12b658214726 in CodeCache::initialize () from /usr/local/jdk-1.7.0/jre/lib/amd64/server/libjvm.so
#8  0x12b6583829fa in init_globals () from /usr/local/jdk-1.7.0/jre/lib/amd64/server/libjvm.so
#9  0x12b658750afd in Threads::create_vm () from /usr/local/jdk-1.7.0/jre/lib/amd64/server/libjvm.so
#10 0x12b6583f04ce in JNI_CreateJavaVM () from /usr/local/jdk-1.7.0/jre/lib/amd64/server/libjvm.so
#11 0x12b397d0303c in JavaMain () from /usr/local/jdk-1.7.0/bin/java
#12 0x12b643b6031e in _rthread_start (v=Variable "v" is not available.
) at /usr/src/lib/librthread/rthread.c:115
#13 0x12b62e141a2b in __tfork_thread () at /usr/src/lib/libc/arch/amd64/sys/tfork_thread.S:75
#14 0x in ?? ()
Current language:  auto; currently asm
(gdb)

Please let me know what I can do to make it in working order.

Thanks