Re: OpenBSD/octeon and "OpenBSD/patches/6.0/common/002_perl.patch.sig"

2017-05-04 Thread Theo de Raadt
>In patch "OpenBSD/patches/6.0/common/002_perl.patch.sig" I've found 
>references to two paths that appear to not exist in OpenBSD/octeon:
>
>* /usr/libdata/perl5/octeon-openbsd/5.20.3/IO
>* /usr/libdata/perl5/octeon-openbsd/5.20.3/IO/Socket
>
>Instead, there are:
>
>* /usr/libdata/perl5/mips64-openbsd/5.20.3/IO
>* /usr/libdata/perl5/mips64-openbsd/5.20.3/IO/Socket
>
>The following change seems to resolve this issue, at least on octeon and 
>i386:
>
>-/usr/libdata/perl5/`machine`-openbsd/5.20.3/IO
>+/usr/libdata/perl5/`arch -s`-openbsd/5.20.3/IO
>
>-/usr/libdata/perl5/`machine`-openbsd/5.20.3/IO/Socket
>+/usr/libdata/perl5/`arch -s`-openbsd/5.20.3/IO/Socket

Strange noone else noticed this for so many months.

Anyways, it is not that important.  I won't reroll a 6.0 errata for
something so minor.

We'll keep an eye out for next time.
 



OpenBSD/octeon and "OpenBSD/patches/6.0/common/002_perl.patch.sig"

2017-05-04 Thread Doggie

Hello,

In patch "OpenBSD/patches/6.0/common/002_perl.patch.sig" I've found 
references to two paths that appear to not exist in OpenBSD/octeon:


* /usr/libdata/perl5/octeon-openbsd/5.20.3/IO
* /usr/libdata/perl5/octeon-openbsd/5.20.3/IO/Socket

Instead, there are:

* /usr/libdata/perl5/mips64-openbsd/5.20.3/IO
* /usr/libdata/perl5/mips64-openbsd/5.20.3/IO/Socket

The following change seems to resolve this issue, at least on octeon and 
i386:


-/usr/libdata/perl5/`machine`-openbsd/5.20.3/IO
+/usr/libdata/perl5/`arch -s`-openbsd/5.20.3/IO

-/usr/libdata/perl5/`machine`-openbsd/5.20.3/IO/Socket
+/usr/libdata/perl5/`arch -s`-openbsd/5.20.3/IO/Socket

--
Cheers,
Pawel Waga



iked, AES-GCM and certificates

2017-05-04 Thread Jose Marinez
Hi Guys,

While I personally haven't used OpenBSD for almost 20 years, I'm glad it's 
still around and strong when I need it most. Thank you.

Ok, so I have about 45 students and teachers that I would like to create a VPN 
for. I've looked at the alternatives and iked it is.

Our environment is mainly macOS/iOS. 

I'm not by any means an expert in VPNs or crypto for that matter, but I'm a 
software engineer so I think I can figure this out.  With that in mind, I've 
created an etc/iked.conf file that looks like this:

ikev2 "school" passive esp from 0.0.0.0/0 to 192.168.1.0/24 \
 local 7.7.7.7 peer any \
 ikesa enc aes-128-gcm auth hmac-sha2-256 group ecp256 \
 childsa enc aes-128-gcm auth hmac-sha2-256 group ecp256 \
 ecdsa256 config address 192.168.1.0/24 \
 config name-server 192.168.1.1 config access-server 192.168.1.1


Here are my questions:
strongSwan has the concept of virtual IPs to deal with "road warriors." Would 
the range as I have set it up in my iked.conf deal with road warriors using, say, 
iPhones with IPs that I can't possibly hardcode?
In other words, will an IP from that range be assigned to the devices 
connecting?

My second question is dealing with certificates and ikectl:
In the ikectl man pages there's an example:
To create the certificate authority:
# ikectl ca vpn create

To create the certificates for the peers:
# ikectl ca vpn certificate 10.1.2.3 create
# ikectl ca vpn certificate 10.1.2.4 create
# ikectl ca vpn certificate 10.1.2.5 create  

Add the host as a VPN peer:
# ikectl ca vpn install
# ikectl ca vpn certificate 10.1.2.3 install

Export the certificate and CAs for the peers:
# ikectl ca vpn certificate 10.2.3.4 export
# ikectl ca vpn certificate 10.3.4.5 export

Create the tarballs and extract them to /etc/iked/ 
10.2.3.4# tar -C /etc/iked -xzpf 10.2.3.4.tgz 
10.3.4.5# tar -C /etc/iked -xzpf 10.3.4.5.tgz

Questions:
When I create a certificate as in:
# ikectl ca vpn certificate 10.1.2.4 create
Is 10.1.2.4 hypothetically one of the IPs in the range that was used in 
iked.conf?
Last but not least, if I were to change the name of the certificate(s) from, say, 
10.1.2.4.pem to one more descriptive, say... janesmith.pem, will it still match 
the IKEv2 identity when the device tries to connect?

Thanks in advance guys,
Jose

Re: syspatch dhcpd

2017-05-04 Thread unk
2017-05-03 17:52 GMT+03:00 Christer Solskogen:

> On May 3, 2017 15:34, "Renaud Allard" wrote:
>
> Hello,
>
> Since I installed all the new patches with syspatch I get this in the logs:
> May  3 15:30:22 isildur dhcpd[79314]: pf pipe closed
> May  3 15:30:22 isildur dhcpd[79314]: pf pipe error: Broken pipe
> May  3 15:30:22 isildur dhcpd[11508]: pf pipe error: Broken pipe
> May  3 15:30:22 isildur dhcpd[79314]: pf pipe error: Broken pipe
> May  3 15:30:22 isildur last message repeated 2 times
>
> This happens many times per second and of course fills the logs partition.
> I don't see anything obvious in the patch code which would cause this
> though.
>

I got the same problem here. 2Gb of /var/log/ was filled in a few seconds.

From /src/usr.sbin/dhcpd/pfutils.c:

    for (;;) {
        pfd[0].fd = pfpipe[0];
        pfd[0].events = POLLIN;
        if ((nfds = poll(pfd, 1, -1)) == -1)
            if (errno != EINTR)
                log_warn("poll"); /* Maybe we should break from infinite loop??? */

        if (nfds > 0 && (pfd[0].revents & POLLHUP))
            log_warnx("pf pipe closed");

        if (nfds > 0 && (pfd[0].revents & POLLIN)) {
            /* cmd is the struct pf_cmd declared earlier in the same function */
            memset(&cmd, 0, l);
            r = atomicio(read, pfpipe[0], &cmd, l);

            if (r != l)
                log_warn("pf pipe error");


-- 
/unk
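As an added example (not dhcpd's code) of why the loop quoted above floods the log: once the pipe's writer is gone, poll() on the read end returns immediately with POLLHUP (or a zero-length read, which OpenBSD's atomicio reports as EPIPE, hence "Broken pipe"), and a loop that only logs comes straight back to poll() again. The block reproduces this on a constructed pipe whose write end has been closed, bounded so it terminates, next to the same loop with the exit conditions a long-running handler needs; dead_pf_pipe, spin_rounds and rounds_until_exit are names chosen here.

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <unistd.h>

/*
 * Constructed stand-in for dhcpd's pf pipe: a pipe whose write end is
 * closed right away, as if the process feeding pf commands had gone.
 * Returns the read end, or -1 on error.
 */
static int
dead_pf_pipe(void)
{
	int fds[2];

	if (pipe(fds) == -1)
		return -1;
	close(fds[1]);			/* the only writer goes away */
	return fds[0];
}

/*
 * The loop shape quoted from pfutils.c, bounded to max_iter rounds so
 * that it terminates here.  Every round in which poll() reports the
 * pipe as gone (POLLHUP, or POLLIN followed by a zero-length read) is
 * counted.  Because the loop only logs and goes straight back to
 * poll(), which returns at once again, the count equals max_iter: one
 * log line per round, as fast as the CPU allows, is the flood seen in
 * /var/log.
 */
static int
spin_rounds(int max_iter)
{
	struct pollfd pfd[1];
	char buf[64];
	int fd, i, nfds, wakeups = 0;

	if ((fd = dead_pf_pipe()) == -1)
		return -1;
	for (i = 0; i < max_iter; i++) {
		pfd[0].fd = fd;
		pfd[0].events = POLLIN;
		if ((nfds = poll(pfd, 1, -1)) == -1) {
			if (errno != EINTR)
				break;		/* a genuine poll() failure */
			continue;
		}
		if (nfds > 0 && (pfd[0].revents & POLLHUP))
			wakeups++;		/* "pf pipe closed", then loop again */
		else if (nfds > 0 && (pfd[0].revents & POLLIN) &&
		    read(fd, buf, sizeof(buf)) <= 0)
			wakeups++;		/* "pf pipe error", then loop again */
	}
	close(fd);
	return wakeups;
}

/*
 * The same loop with the exit conditions a long-running handler needs:
 * leave when the peer hangs up or the read comes up short, instead of
 * logging and retrying at full speed.  Returns the number of rounds run
 * before leaving; for a pipe whose writer is already gone that is 1.
 */
static int
rounds_until_exit(void)
{
	struct pollfd pfd[1];
	char buf[64];
	int fd, rounds = 0;

	if ((fd = dead_pf_pipe()) == -1)
		return -1;
	for (;;) {
		rounds++;
		pfd[0].fd = fd;
		pfd[0].events = POLLIN;
		if (poll(pfd, 1, -1) == -1) {
			if (errno == EINTR)
				continue;
			break;			/* genuine failure: give up */
		}
		if (pfd[0].revents & (POLLHUP | POLLERR | POLLNVAL))
			break;			/* peer is gone: leave, do not loop on it */
		if ((pfd[0].revents & POLLIN) &&
		    read(fd, buf, sizeof(buf)) <= 0)
			break;			/* EOF or read error: same */
		/* a complete command would be handled here */
	}
	close(fd);
	return rounds;
}

int
main(void)
{
	printf("log-only loop: %d immediate wakeups in 1000 rounds\n",
	    spin_rounds(1000));
	printf("loop with exit conditions: left after %d round(s)\n",
	    rounds_until_exit());
	return 0;
}
```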


Re: DHCP in vmm guest

2017-05-04 Thread Reyk Floeter

> On 04.05.2017, at 16:13, Jiri B wrote:
> 
> On Thu, May 04, 2017 at 03:49:27PM +0200, Reyk Floeter wrote:
>> So you have the VM interface and the host interface on a bridge:
>> dhclient on the host "steals" all DHCP packets via BPF.
>> 
>> Try to pkill dhclient on the host and the VM should be able to get DHCP.
>> 
>> There is currently no solution for that, it is the way our dhclient works,
>> you can try to run the VM on a NAT'ed bridge or use "-L" local interfaces.
>> 
>> Reyk
> 
> What about using vether with bridge and having host's dhclient using
> vether?
> 
> What about having dhcrelay and relaying VM's dhcp to upstream dhcp server?
> 
> j.



You should also try "local interface" or "-L" with -current.

It doesn't need bridge or vether or dhcpd, just forwarding and pf on the host.

Reyk



Re: DHCP in vmm guest

2017-05-04 Thread Ax0n
This is why I love misc@.

And Francois: If I had known a few days ago what Reyk just said, I would
have noted it. I should probably go back and edit my blog post. I spent 4
or 5 hours myself trying unsuccessfully to bridge it. I had it working once in
-CURRENT in October, but never could figure it out once I upgraded to 6.1.
I must've manually assigned an address back then, whereas I was using
dhclient on bge0 last week.

On Thu, May 4, 2017 at 8:49 AM, Reyk Floeter wrote:


> dhclient on the host "steals" all DHCP packets via BPF.
>
>


Re: DHCP in vmm guest

2017-05-04 Thread Anders Andersson
On Thu, May 4, 2017 at 4:13 PM, Jiri B wrote:
> On Thu, May 04, 2017 at 03:49:27PM +0200, Reyk Floeter wrote:
>> So you have the VM interface and the host interface on a bridge:
>> dhclient on the host "steals" all DHCP packets via BPF.
>>
>> Try to pkill dhclient on the host and the VM should be able to get DHCP.
>>
>> There is currently no solution for that, it is the way our dhclient works,
>> you can try to run the VM on a NAT'ed bridge or use "-L" local interfaces.
>
> What about using vether with bridge and having host's dhclient using
> vether?

That is my solution to the same problem. Essentially I've had to make
my "primary" interface into a vether. Without this bug, I could have
used em2 (in this case) directly. Now I use vether and em2 in a
bridge.
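The arrangement Anders describes, written out as hostname.if(5) files. This is an added example, not from the thread; em2 stands for the physical NIC as in Anders' setup, vether0 and bridge0 are assumed names, and with the bridge members declared here the vm.conf switch quoted earlier needs only "interface bridge0" (vmd adds the guests' tap interfaces when it starts).

```text
# /etc/hostname.em2 -- the physical NIC is brought up with no address,
# so no dhclient runs on it and nothing there captures the guests' DHCP
up

# /etc/hostname.vether0 -- the host's own address now lives on vether0,
# and the host's dhclient runs here instead of on em2
dhcp

# /etc/hostname.bridge0 -- em2 and vether0 share one bridge; the guests'
# tap interfaces join it when vmd starts
add em2
add vether0
up
```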



Re: DHCP in vmm guest

2017-05-04 Thread Jiri B
On Thu, May 04, 2017 at 03:49:27PM +0200, Reyk Floeter wrote:
> So you have the VM interface and the host interface on a bridge:
> dhclient on the host "steals" all DHCP packets via BPF.
> 
> Try to pkill dhclient on the host and the VM should be able to get DHCP.
> 
> There is currently no solution for that, it is the way our dhclient works,
> you can try to run the VM on a NAT'ed bridge or use "-L" local interfaces.
> 
> Reyk

What about using vether with bridge and having host's dhclient using
vether?

What about having dhcrelay and relaying VM's dhcp to upstream dhcp server?

j.



Re: DHCP in vmm guest

2017-05-04 Thread Reyk Floeter
So you have the VM interface and the host interface on a bridge:
dhclient on the host "steals" all DHCP packets via BPF.

Try to pkill dhclient on the host and the VM should be able to get DHCP.

There is currently no solution for that, it is the way our dhclient works,
you can try to run the VM on a NAT'ed bridge or use "-L" local interfaces.

Reyk

> On 04.05.2017, at 14:51, Francois Stephany wrote:
> 
> Hi,
> 
> I'm new to OpenBSD and I'm trying a simple setup where a VMM guest has
> access to the network via tap and bridge. The host uses a wired connection
> and gets its network address with DHCP.
> 
> Here's my /etc/vm.conf:
> 
> switch "vms_switch" {
>interface bridge0
>add bge0
> }
> 
> vm "vm.test" {
>memory 1G
>boot /home/fstephany/bsd.rd
>disk /var/vms/fstephany/vmtest-disk.img
>owner fstephany
>interface tap {
>switch "vms_switch"
>}
>disable
> }
> 
> 
> I've stopped vmd with #rcctl stop vmd
> and started it manually:
> 
> # vmd -dvv
> startup
> /etc/vm.conf:4: switch "vms_switch" registered
> /etc/vm.conf:15: vm "vm.test" registered (disabled)
> vm_priv_brconfig: interface bridge0 description switch1-vms_switch
> vm_priv_brconfig: interface bridge0 add bge0
> vmd_configure: not creating vm vm.test (disabled)
> vm_opentty: vm vm.test tty /dev/ttyp1 uid 0 gid 4 mode 620
> vm_priv_ifconfig: interface tap0 description vm1-if0-vm.test
> vm_priv_ifconfig: interface bridge0 add tap0
> vm.test: started vm 1 successfully, tty /dev/ttyp1
> loadfile_elf: loaded ELF kernel
> run_vm: initializing hardware for vm vm.test
> virtio_init: vm "vm.test" vio0 lladdr fe:e1:bb:d1:6d:23
> run_vm: starting vcpu threads for vm vm.test
> vcpu_reset: resetting vcpu 0 for vm 5
> run_vm: waiting on events for VM vm.test
> i8259_write_datareg: master pic, reset IRQ vector to 0x20
> i8259_write_datareg: slave pic, reset IRQ vector to 0x28
> vcpu_exit_i8253: channel 0 reset, mode=7, start=11932
> virtio_blk_io: device reset
> virtio_net_io: device reset
> vionet queue notify - no space, dropping packet
> vionet queue notify - no space, dropping packet
> vionet queue notify - no space, dropping packet
> vionet queue notify - no space, dropping packet
> vionet queue notify - no space, dropping packet
> virtio_net_io: device reset
> 
> 
> Here's what happens when the installer tries to get a network address:
> 
> # vmctl status
>    ID   PID VCPUS  MAXMEM  CURMEM     TTY        OWNER NAME
>     1     -     1    1.0G       -       -    fstephany vm.test
> # vmctl start vm.test -c
> Connected to /dev/ttyp1 (speed 9600)
> 
> Copyright (c) 1982, 1986, 1989, 1991, 1993
>The Regents of the University of California.  All rights reserved.
> Copyright (c) 1995-2017 OpenBSD. All rights reserved.
> https://www.OpenBSD.org
> 
> OpenBSD 6.1-current (RAMDISK_CD) #41: Tue May  2 21:13:30 MDT 2017
>dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
> real mem = 1056964608 (1008MB)
> avail mem = 1021235200 (973MB)
> mainbus0 at root
> bios0 at mainbus0
> acpi at bios0 not configured
> cpu0 at mainbus0: (uniprocessor)
> cpu0: Intel(R) Celeron(R) CPU G1610T @ 2.30GHz, 2295.33 MHz
> cpu0:
> FPU,VME,DE,PSE,MSR,PAE,MCE,CX8,SEP,PGE,MCA,CMOV,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,XSAVE,HV,NXE,LONG,LAHF,FSGSBASE,SMEP,ERMS
> cpu0: 256KB 64b/line 8-way L2 cache
> pvbus0 at mainbus0: OpenBSD
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "OpenBSD VMM Host" rev 0x00
> virtio0 at pci0 dev 1 function 0 "Qumranet Virtio RNG" rev 0x00
> viornd0 at virtio0
> virtio0: irq 3
> virtio1 at pci0 dev 2 function 0 "Qumranet Virtio Storage" rev 0x00
> vioblk0 at virtio1
> scsibus0 at vioblk0: 2 targets
> sd0 at scsibus0 targ 0 lun 0:  SCSI3 0/direct fixed
> sd0: 4096MB, 512 bytes/sector, 8388608 sectors
> virtio1: irq 5
> virtio2 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
> vio0 at virtio2: address fe:e1:bb:d1:6d:23
> virtio2: irq 7
> virtio3 at pci0 dev 4 function 0 "OpenBSD VMM Control" rev 0x00
> virtio3: no matching child driver; not configured
> isa0 at mainbus0
> com0 at isa0 port 0x3f8/8 irq 4: ns8250, no fifo
> com0: console
> softraid0 at root
> scsibus1 at softraid0: 256 targets
> root on rd0a swap on rd0b dump on rd0b
> 
> erase ^?, werase ^W, kill ^U, intr ^C, status ^T
> 
> Welcome to the OpenBSD/amd64 6.1 installation program.
> (I)nstall, (U)pgrade, (A)utoinstall or (S)hell? I
> At any prompt except password prompts you can escape to a shell by
> typing '!'. Default answers are shown in []'s and are selected by
> pressing RETURN.  You can exit this program at any time by pressing
> Control-C, but this can leave your system in an inconsistent state.
> 
> Terminal type? [vt220]
> System hostname? (short form, e.g. 'foo') vmtest
> 
> Available network interfaces are: vio0 vlan0.
> Which network interface do you wish to configure? (or 

Re: DHCP in vmm guest

2017-05-04 Thread Francois Stephany
That was it. Thanks!

I've set a fixed IP address on bge0 in the host:

# ifconfig bge0 192.168.0.9 255.255.255.0

Now the guest can DHCP:

# vmctl start vm.test -c
Connected to /dev/ttyp1 (speed 9600)

Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2017 OpenBSD. All rights reserved.
https://www.OpenBSD.org

OpenBSD 6.1-current (RAMDISK_CD) #41: Tue May  2 21:13:30 MDT 2017
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
real mem = 1056964608 (1008MB)
avail mem = 1021235200 (973MB)
mainbus0 at root
bios0 at mainbus0
acpi at bios0 not configured
cpu0 at mainbus0: (uniprocessor)
cpu0: Intel(R) Celeron(R) CPU G1610T @ 2.30GHz, 2295.37 MHz
cpu0:
FPU,VME,DE,PSE,MSR,PAE,MCE,CX8,SEP,PGE,MCA,CMOV,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,XSAVE,HV,NXE,LONG,LAHF,FSGSBASE,SMEP,ERMS
cpu0: 256KB 64b/line 8-way L2 cache
pvbus0 at mainbus0: OpenBSD
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "OpenBSD VMM Host" rev 0x00
virtio0 at pci0 dev 1 function 0 "Qumranet Virtio RNG" rev 0x00
viornd0 at virtio0
virtio0: irq 3
virtio1 at pci0 dev 2 function 0 "Qumranet Virtio Storage" rev 0x00
vioblk0 at virtio1
scsibus0 at vioblk0: 2 targets
sd0 at scsibus0 targ 0 lun 0:  SCSI3 0/direct fixed
sd0: 4096MB, 512 bytes/sector, 8388608 sectors
virtio1: irq 5
virtio2 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
vio0 at virtio2: address fe:e1:bb:d1:44:af
virtio2: irq 7
virtio3 at pci0 dev 4 function 0 "OpenBSD VMM Control" rev 0x00
virtio3: no matching child driver; not configured
isa0 at mainbus0
com0 at isa0 port 0x3f8/8 irq 4: ns8250, no fifo
com0: console
softraid0 at root
scsibus1 at softraid0: 256 targets
root on rd0a swap on rd0b dump on rd0b

erase ^?, werase ^W, kill ^U, intr ^C, status ^T

Welcome to the OpenBSD/amd64 6.1 installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell? I
At any prompt except password prompts you can escape to a shell by
typing '!'. Default answers are shown in []'s and are selected by
pressing RETURN.  You can exit this program at any time by pressing
Control-C, but this can leave your system in an inconsistent state.

Terminal type? [vt220]
System hostname? (short form, e.g. 'foo') vmtest

Available network interfaces are: vio0 vlan0.
Which network interface do you wish to configure? (or 'done') [vio0]
IPv4 address for vio0? (or 'dhcp' or 'none') [dhcp]
DHCPDISCOVER on vio0 - interval 1
DHCPOFFER from 192.168.0.1 (6c:b0:ce:3f:2e:b7)
DHCPREQUEST on vio0 to 255.255.255.255
DHCPACK from 192.168.0.1 (6c:b0:ce:3f:2e:b7)
bound to 192.168.0.13 -- renewal in 1800 seconds.
IPv6 address for vio0? (or 'autoconf' or 'none') [none]


Do you have any idea how to avoid this issue?



On Thu, May 4, 2017 at 3:27 PM, trondd wrote:

> On Thu, May 4, 2017 8:51 am, Francois Stephany wrote:
> > Hi,
> >
> > I'm new to OpenBSD and I'm trying a simple setup where a VMM guest has
> > access to the network via tap and bridge. The host uses a wired
> connection
> > and gets its network address with DHCP.
> >
> > Here's my /etc/vm.conf:
> >
> > switch "vms_switch" {
> > interface bridge0
> > add bge0
> > }
> >
> > vm "vm.test" {
> > memory 1G
> > boot /home/fstephany/bsd.rd
> > disk /var/vms/fstephany/vmtest-disk.img
> > owner fstephany
> > interface tap {
> > switch "vms_switch"
> > }
> > disable
> > }
> >
> >
> > I've stopped vmd with #rcctl stop vmd
> > and started it manually:
> >
> > # vmd -dvv
> > startup
> > /etc/vm.conf:4: switch "vms_switch" registered
> > /etc/vm.conf:15: vm "vm.test" registered (disabled)
> > vm_priv_brconfig: interface bridge0 description switch1-vms_switch
> > vm_priv_brconfig: interface bridge0 add bge0
> > vmd_configure: not creating vm vm.test (disabled)
> > vm_opentty: vm vm.test tty /dev/ttyp1 uid 0 gid 4 mode 620
> > vm_priv_ifconfig: interface tap0 description vm1-if0-vm.test
> > vm_priv_ifconfig: interface bridge0 add tap0
> > vm.test: started vm 1 successfully, tty /dev/ttyp1
> > loadfile_elf: loaded ELF kernel
> > run_vm: initializing hardware for vm vm.test
> > virtio_init: vm "vm.test" vio0 lladdr fe:e1:bb:d1:6d:23
> > run_vm: starting vcpu threads for vm vm.test
> > vcpu_reset: resetting vcpu 0 for vm 5
> > run_vm: waiting on events for VM vm.test
> > i8259_write_datareg: master pic, reset IRQ vector to 0x20
> > i8259_write_datareg: slave pic, reset IRQ vector to 0x28
> > vcpu_exit_i8253: channel 0 reset, mode=7, start=11932
> > virtio_blk_io: device reset
> > virtio_net_io: device reset
> > vionet queue notify - no space, dropping packet
> > vionet queue notify - no space, dropping packet
> > vionet queue notify - no space, dropping packet
> > vionet queue notify - no space, dropping packet
> > vionet queue notify - no space, dropping packet
> > virtio_net_io: device reset

Incorrect file destination when logging with syslogd

2017-05-04 Thread Paolo Aglialoro
Hi all,

I have an internal LAN syslogd server (recently upgraded to 6.1) since a
couple of years. It was successfully logging an old 2611XM cisco router,
now logs a dell switch and the new 2851 cisco router which swapped the old
one.

PROBLEM: while the dell switch correctly logs in the designated file, the
new cisco router logs on /var/log/messages instead of writing in its
designated file.

Relevant config on C2851:
logging trap debugging
logging facility local1
logging 10.0.0.234

Relevant config in /etc/rc.conf.local:
# rcctl get syslogd
syslogd_class=daemon
syslogd_flags=-u -a /var/spool/postfix/dev/log
syslogd_rtable=0
syslogd_timeout=30
syslogd_user=root

Relevant config in /etc/syslog.conf
#local0.debug   /var/log/c2611xm.log
local1.debug    /var/log/c2851.log
local2.debug    /var/log/switch.log

Output of /etc/pf.conf:
set skip on lo
pass in quick inet proto udp from {10.0.0.100, 10.0.0.101} to any port 514
# syslog
pass in quick inet from any to any port 123
pass
block return in on ! lo0 proto tcp to port 6000:6010


What could the problem with local1.debug be?
Thanks


Re: DHCP in vmm guest

2017-05-04 Thread Francois Stephany
DHCP is running on the modem/router provided by my ISP.
That makes me think that I've set up a rule in its web interface so the
OpenBSD host always gets the same IP address.

On Thu, May 4, 2017 at 3:27 PM, Jiri B wrote:

> > I'm new to OpenBSD and I'm trying a simple setup where a VMM guest has
> > access to the network via tap and bridge. The host uses a wired
> connection
> > and gets its network address with DHCP.
>
> where is dhcpd running? on the host? have you tried tcpdump to see if dhcp
> discover traffic is visible there?
>
> j.
>


Re: DHCP in vmm guest

2017-05-04 Thread Jiri B
> I'm new to OpenBSD and I'm trying a simple setup where a VMM guest has
> access to the network via tap and bridge. The host uses a wired connection
> and gets its network address with DHCP.

where is dhcpd running? on the host? have you tried tcpdump to see if dhcp
discover traffic is visible there?

j.



Re: DHCP in vmm guest

2017-05-04 Thread trondd
On Thu, May 4, 2017 8:51 am, Francois Stephany wrote:
> Hi,
>
> I'm new to OpenBSD and I'm trying a simple setup where a VMM guest has
> access to the network via tap and bridge. The host uses a wired connection
> and gets its network address with DHCP.
>
> Here's my /etc/vm.conf:
>
> switch "vms_switch" {
> interface bridge0
> add bge0
> }
>
> vm "vm.test" {
> memory 1G
> boot /home/fstephany/bsd.rd
> disk /var/vms/fstephany/vmtest-disk.img
> owner fstephany
> interface tap {
> switch "vms_switch"
> }
> disable
> }
>
>
> I've stopped vmd with #rcctl stop vmd
> and started it manually:
>
> # vmd -dvv
> startup
> /etc/vm.conf:4: switch "vms_switch" registered
> /etc/vm.conf:15: vm "vm.test" registered (disabled)
> vm_priv_brconfig: interface bridge0 description switch1-vms_switch
> vm_priv_brconfig: interface bridge0 add bge0
> vmd_configure: not creating vm vm.test (disabled)
> vm_opentty: vm vm.test tty /dev/ttyp1 uid 0 gid 4 mode 620
> vm_priv_ifconfig: interface tap0 description vm1-if0-vm.test
> vm_priv_ifconfig: interface bridge0 add tap0
> vm.test: started vm 1 successfully, tty /dev/ttyp1
> loadfile_elf: loaded ELF kernel
> run_vm: initializing hardware for vm vm.test
> virtio_init: vm "vm.test" vio0 lladdr fe:e1:bb:d1:6d:23
> run_vm: starting vcpu threads for vm vm.test
> vcpu_reset: resetting vcpu 0 for vm 5
> run_vm: waiting on events for VM vm.test
> i8259_write_datareg: master pic, reset IRQ vector to 0x20
> i8259_write_datareg: slave pic, reset IRQ vector to 0x28
> vcpu_exit_i8253: channel 0 reset, mode=7, start=11932
> virtio_blk_io: device reset
> virtio_net_io: device reset
> vionet queue notify - no space, dropping packet
> vionet queue notify - no space, dropping packet
> vionet queue notify - no space, dropping packet
> vionet queue notify - no space, dropping packet
> vionet queue notify - no space, dropping packet
> virtio_net_io: device reset
>
>
> Here's what happens when the installer tries to get a network address:
>
> # vmctl status
>    ID   PID VCPUS  MAXMEM  CURMEM     TTY        OWNER NAME
>     1     -     1    1.0G       -       -    fstephany vm.test
> # vmctl start vm.test -c
> Connected to /dev/ttyp1 (speed 9600)
>
> Copyright (c) 1982, 1986, 1989, 1991, 1993
> The Regents of the University of California.  All rights reserved.
> Copyright (c) 1995-2017 OpenBSD. All rights reserved.
> https://www.OpenBSD.org
>
> OpenBSD 6.1-current (RAMDISK_CD) #41: Tue May  2 21:13:30 MDT 2017
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
> real mem = 1056964608 (1008MB)
> avail mem = 1021235200 (973MB)
> mainbus0 at root
> bios0 at mainbus0
> acpi at bios0 not configured
> cpu0 at mainbus0: (uniprocessor)
> cpu0: Intel(R) Celeron(R) CPU G1610T @ 2.30GHz, 2295.33 MHz
> cpu0:
> FPU,VME,DE,PSE,MSR,PAE,MCE,CX8,SEP,PGE,MCA,CMOV,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,XSAVE,HV,NXE,LONG,LAHF,FSGSBASE,SMEP,ERMS
> cpu0: 256KB 64b/line 8-way L2 cache
> pvbus0 at mainbus0: OpenBSD
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "OpenBSD VMM Host" rev 0x00
> virtio0 at pci0 dev 1 function 0 "Qumranet Virtio RNG" rev 0x00
> viornd0 at virtio0
> virtio0: irq 3
> virtio1 at pci0 dev 2 function 0 "Qumranet Virtio Storage" rev 0x00
> vioblk0 at virtio1
> scsibus0 at vioblk0: 2 targets
> sd0 at scsibus0 targ 0 lun 0:  SCSI3 0/direct
> fixed
> sd0: 4096MB, 512 bytes/sector, 8388608 sectors
> virtio1: irq 5
> virtio2 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
> vio0 at virtio2: address fe:e1:bb:d1:6d:23
> virtio2: irq 7
> virtio3 at pci0 dev 4 function 0 "OpenBSD VMM Control" rev 0x00
> virtio3: no matching child driver; not configured
> isa0 at mainbus0
> com0 at isa0 port 0x3f8/8 irq 4: ns8250, no fifo
> com0: console
> softraid0 at root
> scsibus1 at softraid0: 256 targets
> root on rd0a swap on rd0b dump on rd0b
>
> erase ^?, werase ^W, kill ^U, intr ^C, status ^T
>
> Welcome to the OpenBSD/amd64 6.1 installation program.
> (I)nstall, (U)pgrade, (A)utoinstall or (S)hell? I
> At any prompt except password prompts you can escape to a shell by
> typing '!'. Default answers are shown in []'s and are selected by
> pressing RETURN.  You can exit this program at any time by pressing
> Control-C, but this can leave your system in an inconsistent state.
>
> Terminal type? [vt220]
> System hostname? (short form, e.g. 'foo') vmtest
>
> Available network interfaces are: vio0 vlan0.
> Which network interface do you wish to configure? (or 'done') [vio0]
> IPv4 address for vio0? (or 'dhcp' or 'none') [dhcp]
> DHCPDISCOVER on vio0 - interval 1
> DHCPDISCOVER on vio0 - interval 2
> DHCPDISCOVER on vio0 - interval 2
> DHCPDISCOVER on vio0 - interval 2
> DHCPDISCOVER on vio0 - interval 2
> DHCPDISCOVER on vio0 - interval 2
> No acceptable DHCPOFFERS received.
> No working leases in persistent database - sleeping.
> 

problem with external disk on 6.1

2017-05-04 Thread Kirill
Hello!
There is a problem with my WD external disk on 6.1; on 6.0 there are no
problems.

dmesg:
nightlord@work:[~]% dmesg
OpenBSD 6.1 (GENERIC.MP) #5: Thu Apr 13 11:26:43 MSK 2017
r...@work.nightbbs.ru:/usr/obj/sys/arch/amd64/compile/GENERIC.MP
real mem = 2056990720 (1961MB)
avail mem = 1990025216 (1897MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xe9f80 (85 entries)
bios0: vendor Hewlett-Packard version "786G1 v01.08" date 08/25/2008
bios0: Hewlett-Packard HP Compaq dc7900 Small Form Factor
acpi0 at bios0: rev 0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC ASF! MCFG TCPA SLIC HPET DMAR
acpi0: wakeup devices COM1(S4) PCI0(S4) PEG1(S4) PEG2(S4) IGBE(S4)
PCX1(S4) PCX2(S4) PCX5(S4) PCX6(S4) HUB_(S4) USB1(S3) USB2(S3) USB3(S3)
USB4(S3) USB5(S3) USB6(S3) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM)2 Duo CPU E8500 @ 3.16GHz, 3159.08 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,NXE,LONG,LAHF,PERF,SENSOR
cpu0: 6MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 332MHz
cpu0: mwait min=64, max=64, C-substates=0.2.2.2.2, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM)2 Duo CPU E8500 @ 3.16GHz, 3158.73 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,NXE,LONG,LAHF,PERF,SENSOR
cpu1: 6MB 64b/line 16-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xf400, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (PEG1)
acpiprt2 at acpi0: bus -1 (PEG2)
acpiprt3 at acpi0: bus 32 (PCX1)
acpiprt4 at acpi0: bus -1 (PCX2)
acpiprt5 at acpi0: bus 48 (PCX5)
acpiprt6 at acpi0: bus -1 (PCX6)
acpiprt7 at acpi0: bus 7 (HUB_)
acpicpu0 at acpi0: !C2(500@17 mwait.3@0x10), C1(1000@1 mwait.1)
acpicpu1 at acpi0: !C2(500@17 mwait.3@0x10), C1(1000@1 mwait.1)
"PNP0F13" at acpi0 not configured
"PNP0303" at acpi0 not configured
"PNP0501" at acpi0 not configured
"PNP0700" at acpi0 not configured
"PNP0003" at acpi0 not configured
acpibtn0 at acpi0: PBTN
"PNP0C14" at acpi0 not configured
cpu0: unknown Enhanced SpeedStep CPU, msr 0x0616492206004922
cpu0: using only highest and lowest power states
cpu0: Enhanced SpeedStep 3159 MHz: speeds: 24333, 2000 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Q45 Host" rev 0x03
inteldrm0 at pci0 dev 2 function 0 "Intel Q45 Video" rev 0x03
drm0 at inteldrm0
intagp0 at inteldrm0
agp0 at intagp0: aperture at 0xe000, size 0x1000
inteldrm0: msi
inteldrm0: 1280x1024, 32bpp
wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
"Intel Q45 Video" rev 0x03 at pci0 dev 2 function 1 not configured
"Intel Q45 HECI" rev 0x03 at pci0 dev 3 function 0 not configured
pciide0 at pci0 dev 3 function 2 "Intel Q45 PT IDER" rev 0x03: DMA
(unsupported), channel 0 wired to native-PCI, channel 1 wired to native-PCI
pciide0: using apic 1 int 18 for native-PCI interrupt
pciide0: channel 0 ignored (not responding; disabled or no drives?)
pciide0: channel 1 ignored (not responding; disabled or no drives?)
puc0 at pci0 dev 3 function 3 "Intel Q45 KT" rev 0x03: ports: 1 com
com4 at puc0 port 0 apic 1 int 17: ns16550a, 16 byte fifo
com4: probed fifo depth: 15 bytes
em0 at pci0 dev 25 function 0 "Intel ICH10 D BM LM" rev 0x02: msi,
address 00:23:7d:4e:a2:5c
uhci0 at pci0 dev 26 function 0 "Intel 82801JD USB" rev 0x02: apic 1 int 20
uhci1 at pci0 dev 26 function 1 "Intel 82801JD USB" rev 0x02: apic 1 int 21
uhci2 at pci0 dev 26 function 2 "Intel 82801JD USB" rev 0x02: apic 1 int 22
ehci0 at pci0 dev 26 function 7 "Intel 82801JD USB" rev 0x02: apic 1 int 22
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev
2.00/1.00 addr 1
azalia0 at pci0 dev 27 function 0 "Intel 82801JD HD Audio" rev 0x02: msi
azalia0: codecs: Analog Devices AD1884A
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 "Intel 82801JD PCIE" rev 0x02: msi
pci1 at ppb0 bus 32
ppb1 at pci0 dev 28 function 4 "Intel 82801JD PCIE" rev 0x02: msi
pci2 at ppb1 bus 48
uhci3 at pci0 dev 29 function 0 "Intel 82801JD USB" rev 0x02: apic 1 int 20
uhci4 at pci0 dev 29 function 1 "Intel 82801JD USB" rev 0x02: apic 1 int 21
uhci5 at pci0 dev 29 function 2 "Intel 82801JD USB" rev 0x02: apic 1 int 22
ehci1 at pci0 dev 29 function 7 "Intel 82801JD USB" rev 0x02: apic 1 int 20
usb1 at ehci1: USB revision 2.0
uhub1 at 

Re: syspatch on diskless fails (stat -qf %Sd / issue)

2017-05-04 Thread Andreas Kusalananda Kähäri
On Wed, May 03, 2017 at 07:37:11PM +0200, Andreas Kusalananda Kähäri wrote:
> On Wed, May 03, 2017 at 11:54:13AM +0200, Antoine Jacoutot wrote:
> > On Wed, May 03, 2017 at 11:39:48AM +0200, Andreas Kusalananda Kähäri wrote:
> > > Hi,
> > > 
> > > syspatch seems to work fine for keeping my ordinary server and router on
> > > -stable, thanks!
> > > 
> > > However, on my diskless workstation it doesn't work so well:
> > > 
> > > Get/Verify syspatch61-001_dhcpd.tgz 100% |*| 71733   
> > > 00:00
> > > Installing patch 001_dhcpd
> > > /usr/sbin/syspatch: ??=1147776: not found
> > 
> > The error message could be improved but syspatch does the right thing here.
> > It properly aborts because it's not designed to work on a diskless system.
> > 
> [cut]
> > > How may I apply the binary patch on the diskless system, alternatively,
> > > how do I apply it to the diskless system's files on its file server?
> 
> Ok, so that is fine.
> 
> I then tried to run syspatch in a chroot on the diskless client's
> fileserver, which is a complete 6.1-release installation.
> 
> This resulted in syspatch exiting without an error, but also without
> doing anything.
> 
> After a bit of investigation, I found that it was because the unpriv
> shell function generated an error upon invoking su:
> 
> su: approval failure: Undefined error: 0

It turned out this was because of not properly re-mounting the partition
with the "suid" mount option.

Kudos to Antoine Jacoutot for spending time to reproduce this and
getting back to me.  Sorry for my confusion about this, I should have
spotted my mistake.  All sorted now.

Regards,
Kusalananda



DHCP in vmm guest

2017-05-04 Thread Francois Stephany
Hi,

I'm new to OpenBSD and I'm trying a simple setup where a VMM guest has
access to the network via tap and bridge. The host uses a wired connection
and gets its network address with DHCP.

Here's my /etc/vm.conf:

switch "vms_switch" {
	interface bridge0
	add bge0
}

vm "vm.test" {
	memory 1G
	boot /home/fstephany/bsd.rd
	disk /var/vms/fstephany/vmtest-disk.img
	owner fstephany
	interface tap {
		switch "vms_switch"
	}
	disable
}


I've stopped vmd with "# rcctl stop vmd"
and started it manually:

# vmd -dvv
startup
/etc/vm.conf:4: switch "vms_switch" registered
/etc/vm.conf:15: vm "vm.test" registered (disabled)
vm_priv_brconfig: interface bridge0 description switch1-vms_switch
vm_priv_brconfig: interface bridge0 add bge0
vmd_configure: not creating vm vm.test (disabled)
vm_opentty: vm vm.test tty /dev/ttyp1 uid 0 gid 4 mode 620
vm_priv_ifconfig: interface tap0 description vm1-if0-vm.test
vm_priv_ifconfig: interface bridge0 add tap0
vm.test: started vm 1 successfully, tty /dev/ttyp1
loadfile_elf: loaded ELF kernel
run_vm: initializing hardware for vm vm.test
virtio_init: vm "vm.test" vio0 lladdr fe:e1:bb:d1:6d:23
run_vm: starting vcpu threads for vm vm.test
vcpu_reset: resetting vcpu 0 for vm 5
run_vm: waiting on events for VM vm.test
i8259_write_datareg: master pic, reset IRQ vector to 0x20
i8259_write_datareg: slave pic, reset IRQ vector to 0x28
vcpu_exit_i8253: channel 0 reset, mode=7, start=11932
virtio_blk_io: device reset
virtio_net_io: device reset
vionet queue notify - no space, dropping packet
vionet queue notify - no space, dropping packet
vionet queue notify - no space, dropping packet
vionet queue notify - no space, dropping packet
vionet queue notify - no space, dropping packet
virtio_net_io: device reset


Here's what happens when the installer tries to get a network address:

# vmctl status
   ID   PID VCPUS  MAXMEM  CURMEM     TTY        OWNER NAME
    1     -     1    1.0G       -       -    fstephany vm.test
# vmctl start vm.test -c
Connected to /dev/ttyp1 (speed 9600)

Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2017 OpenBSD. All rights reserved.
https://www.OpenBSD.org

OpenBSD 6.1-current (RAMDISK_CD) #41: Tue May  2 21:13:30 MDT 2017
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
real mem = 1056964608 (1008MB)
avail mem = 1021235200 (973MB)
mainbus0 at root
bios0 at mainbus0
acpi at bios0 not configured
cpu0 at mainbus0: (uniprocessor)
cpu0: Intel(R) Celeron(R) CPU G1610T @ 2.30GHz, 2295.33 MHz
cpu0: FPU,VME,DE,PSE,MSR,PAE,MCE,CX8,SEP,PGE,MCA,CMOV,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,XSAVE,HV,NXE,LONG,LAHF,FSGSBASE,SMEP,ERMS
cpu0: 256KB 64b/line 8-way L2 cache
pvbus0 at mainbus0: OpenBSD
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "OpenBSD VMM Host" rev 0x00
virtio0 at pci0 dev 1 function 0 "Qumranet Virtio RNG" rev 0x00
viornd0 at virtio0
virtio0: irq 3
virtio1 at pci0 dev 2 function 0 "Qumranet Virtio Storage" rev 0x00
vioblk0 at virtio1
scsibus0 at vioblk0: 2 targets
sd0 at scsibus0 targ 0 lun 0:  SCSI3 0/direct fixed
sd0: 4096MB, 512 bytes/sector, 8388608 sectors
virtio1: irq 5
virtio2 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
vio0 at virtio2: address fe:e1:bb:d1:6d:23
virtio2: irq 7
virtio3 at pci0 dev 4 function 0 "OpenBSD VMM Control" rev 0x00
virtio3: no matching child driver; not configured
isa0 at mainbus0
com0 at isa0 port 0x3f8/8 irq 4: ns8250, no fifo
com0: console
softraid0 at root
scsibus1 at softraid0: 256 targets
root on rd0a swap on rd0b dump on rd0b

erase ^?, werase ^W, kill ^U, intr ^C, status ^T

Welcome to the OpenBSD/amd64 6.1 installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell? I
At any prompt except password prompts you can escape to a shell by
typing '!'. Default answers are shown in []'s and are selected by
pressing RETURN.  You can exit this program at any time by pressing
Control-C, but this can leave your system in an inconsistent state.

Terminal type? [vt220]
System hostname? (short form, e.g. 'foo') vmtest

Available network interfaces are: vio0 vlan0.
Which network interface do you wish to configure? (or 'done') [vio0]
IPv4 address for vio0? (or 'dhcp' or 'none') [dhcp]
DHCPDISCOVER on vio0 - interval 1
DHCPDISCOVER on vio0 - interval 2
DHCPDISCOVER on vio0 - interval 2
DHCPDISCOVER on vio0 - interval 2
DHCPDISCOVER on vio0 - interval 2
DHCPDISCOVER on vio0 - interval 2
No acceptable DHCPOFFERS received.
No working leases in persistent database - sleeping.
IPv6 address for vio0? (or 'autoconf' or 'none') [none]


Here's ifconfig when the VM is running. The bridge is there with bge0 and
tap0:

# ifconfig
lo0: flags=8049 mtu 32768
index 4 priority 0 llprio 3
groups: lo
inet6 ::1 prefixlen 128

Re: After applying patches, kernel version is slower?

2017-05-04 Thread C. L. Martinez
On Thu, May 04, 2017 at 07:49:04AM +, Stuart Henderson wrote:
> On 2017-05-04, C. L. Martinez  wrote:
> > Hi all,
> >
> >  I have applied the recent patches for OpenBSD 6.1 in two hosts and I see a 
> > strange behavior. In a non-patched OpenBSD 6.1 host, uname -a returns:
> >
> > OpenBSD tnobsd02.mydom.org 6.1 GENERIC#19 amd64
> >
> >  .. and in an OpenBSD 6.1 host with patches applied:
> >
> > OpenBSD extobsd01.mydom.org 6.1 GENERIC#4 amd64
> >
> >  Any idea why??
> >
> 
> They're built on a different machine. (The number after GENERIC# shows
> how many builds were done in that directory since it was cleaned.)
> 
> Check the date in "sysctl kern.version".
> 

Ahh ... Ok, many thanks for the info Stuart.

-- 
Greetings,
C. L. Martinez



Relayd: session timeout

2017-05-04 Thread Maxim Bourmistrov
Hey list,

I have the following relay configured on a two-node setup. Each node acts as MASTER
for one IP and BACKUP for another, and the opposite on the second node.


tcp protocol tcp_proto {
	tcp { nodelay, sack, socket buffer 65536, backlog 128 }
}

relay rabbitmq {
	listen on $VIP1 port 5672
	listen on $VIP2 port 5672
	protocol tcp_proto
#	session timeout 10800
	forward to  port 5672 mode roundrobin check tcp
	forward to  port 5672 mode roundrobin check tcp
}

Default timeout is 600s (10 min).

In my test I have a client requesting data from a machine (web1) sitting behind
this relay (node1).
web1 has its default gateway pointed to node1, i.e. it is NATed.
node1, obviously, has EXT and INT interfaces, VIP1 and VIP2 being the external ones.

What I see in tcpdump running on both EXT and INT interfaces is a TCP stream between
client and web1 via node1 (PUSH ACK). At some point (600s) node1 cuts the
connection (FIN seen in tcpdump).

Question: is this expected behavior?
As states in PF are updated due to the continuous TCP stream, the session shouldn't be
cut, right?
Any clues?

node1 runs 6.0-stable

Br
mxb




Re: After applying patches, kernel version is slower?

2017-05-04 Thread Stuart Henderson
On 2017-05-04, C. L. Martinez  wrote:
> Hi all,
>
>  I have applied the recent patches for OpenBSD 6.1 in two hosts and I see a 
> strange behavior. In a non-patched OpenBSD 6.1 host, uname -a returns:
>
> OpenBSD tnobsd02.mydom.org 6.1 GENERIC#19 amd64
>
>  .. and in an OpenBSD 6.1 host with patches applied:
>
> OpenBSD extobsd01.mydom.org 6.1 GENERIC#4 amd64
>
>  Any idea why??
>

They're built on a different machine. (The number after GENERIC# shows
how many builds were done in that directory since it was cleaned.)

Check the date in "sysctl kern.version".
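
Since the "#N" counter is per build directory and says nothing about which kernel is newer, a fleet check should compare the build timestamp instead. The script below is an added example, not from the thread: it pulls the build number and the build date out of a kern.version string (the format shown in the dmesg earlier on this page) and turns the date into a sortable key. The two version strings are constructed for the example; real ones come from "sysctl -n kern.version".

```sh
#!/bin/sh
# Added example (not from the thread): extract the build counter and build date
# from a kern.version string and compare two kernels by build time rather than
# by the "#N" counter, which only counts builds in one machine's compile
# directory. The version strings below are constructed; on a real host use
# `sysctl -n kern.version`.

# Build counter: the digits after "#" on the first line.
kern_build_number() {
    printf '%s\n' "$1" | sed -n '1s/^.*#\([0-9][0-9]*\):.*$/\1/p'
}

# Build date as YYYYMMDDHHMMSS, from e.g. "Sat Apr  1 13:45:56 MDT 2017".
kern_build_key() {
    _stamp=$(printf '%s\n' "$1" | sed -n '1s/^.*#[0-9]*: //p')
    # Split on whitespace; "set --" absorbs the doubled space before
    # single-digit days.
    set -- $_stamp
    _mon=$2; _day=$3; _time=$4; _year=$6
    case "$_mon" in
        Jan) _m=01 ;; Feb) _m=02 ;; Mar) _m=03 ;; Apr) _m=04 ;;
        May) _m=05 ;; Jun) _m=06 ;; Jul) _m=07 ;; Aug) _m=08 ;;
        Sep) _m=09 ;; Oct) _m=10 ;; Nov) _m=11 ;; Dec) _m=12 ;;
        *) return 1 ;;
    esac
    printf '%s%s%02d%s\n' "$_year" "$_m" "$_day" "$(printf '%s' "$_time" | tr -d :)"
}

# Print "newer", "older" or "same" for kernel $1 relative to kernel $2.
kern_compare() {
    _a=$(kern_build_key "$1"); _b=$(kern_build_key "$2")
    if [ "$_a" -gt "$_b" ]; then echo newer
    elif [ "$_a" -lt "$_b" ]; then echo older
    else echo same; fi
}

# Constructed kern.version values for the two hosts in the thread; the
# dates and build hosts are made up for the example.
VER_UNPATCHED='OpenBSD 6.1 (GENERIC) #19: Sat Apr  1 13:45:56 MDT 2017
    builder@example.org:/usr/src/sys/arch/amd64/compile/GENERIC'
VER_PATCHED='OpenBSD 6.1 (GENERIC) #4: Tue May  2 10:12:03 MDT 2017
    builder@example.org:/usr/src/sys/arch/amd64/compile/GENERIC'

echo "unpatched: build #$(kern_build_number "$VER_UNPATCHED"), key $(kern_build_key "$VER_UNPATCHED")"
echo "patched:   build #$(kern_build_number "$VER_PATCHED"), key $(kern_build_key "$VER_PATCHED")"
echo "patched kernel is $(kern_compare "$VER_PATCHED" "$VER_UNPATCHED") than the unpatched one"
```

The point the output makes is the one in the reply: #4 can be the newer kernel. Comparing the key, not the counter, is what belongs in a script that checks hosts after syspatch.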




Re: Pf with secondary DNS resolution

2017-05-04 Thread Janne Johansson
2017-05-04 1:56 GMT+02:00 Luke Small :

> Four words Peter..."dynamic IP address". I'm sure that there are folks that
> ssh into machines that are on a dynamic IP address that don't have a modem
> on a power backup, or even possibly on an ISP that may be down, possibly when
> they are out of town. I don't know if it is possible or already done, but
> you could have a computer check into a target machine that often changes
> the ip address or system while the firewall is locked down to only send
> messages to that remote machine and if it is compromised, can't send it
> anywhere else. Or you ssh into the machine and it only accepts incoming
> port 22 requests from a machine that has a dynamic url and listed in your
> pf.conf. maybe you could even signify in the pf.conf that the url will
> often have a different ip address and it could request that ip address
> every time it gets a hit on that rule or a maximum upperbound.
>

Also, if the problem really is "I need to log in from a remote machine on
an unknown ip and strict rules on not letting others in" then you have more
or less described a roadwarrior ipsec setup, so get some kind of VPN going
there with certs and secrets and you can travel around the world and know
that only your machine with the correct magic can connect to the stationary
resource(s).
That problem was solved a long time ago.

-- 
May the most significant bit of your life be positive.


Re: Pf with secondary DNS resolution

2017-05-04 Thread Peter N. M. Hansteen
The main problem you need to solve or work around is the situation where the
name you want to resolve doesn't resolve at *ruleset load* and you end up with an
invalid ruleset. In sane setups, the system would then run with either the default
rules (check /etc/rc) or the previous version of your ruleset.

The easiest way to compensate for IP addresses that may change and avoid reloading
the rules is to stick the possibly-changing addresses into tables that your rules
reference, and run a script that resolves the names you're interested in and
updates (replaces) table contents with the result of that script at whatever
intervals you need (this is what cron was made for). That script could even
put the results into files that you can then use as source for the initial
values for table contents.

Basically I think your scenario is easily solved with a reasonably structured
set of PF rules and some fairly straightforward scripting involving host and
pfctl commands.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
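
The cron-driven refresh described above, written out as an added example (not code from the thread or from PF): resolve the names, keep only the address answers, write them to the file pf.conf loads as the table's initial contents, and replace the live table with pfctl(8). The table name "remote_admins", the file path and the host(1) output are all constructed or hypothetical; the one failure mode handled is a resolver outage, which must not turn into an empty table.

```sh
#!/bin/sh
# Added example, not code from the thread: the cron-driven table refresh Peter
# describes. Resolve the names you care about, write the addresses to a file
# that pf.conf can load as the table's initial contents, and replace the live
# table with pfctl(8). The host(1) output below is constructed so the script
# runs without DNS; on the firewall, resolve_names runs host(1) itself.

TABLE=${TABLE:-remote_admins}                # hypothetical table name
TABLE_FILE=${TABLE_FILE:-/etc/pf.$TABLE.txt} # hypothetical path used in pf.conf

# Run host(1) for every name given and concatenate the output. Not called in
# the demo below because it needs a resolver.
resolve_names() {
    for _name in "$@"; do
        host "$_name" 2>&1
    done
}

# Keep only A and AAAA answers from host(1)-style output; aliases, NXDOMAIN
# and SERVFAIL lines are dropped. Output is one address per line, deduplicated.
addrs_from_host_output() {
    printf '%s\n' "$1" | awk '
        $2 == "has" && $3 == "address"                  { print $4 }
        $2 == "has" && $3 == "IPv6" && $4 == "address"  { print $5 }
    ' | sort -u
}

# Write the address list to the table file. An empty result (resolver down,
# typo in the name list) must not be written out: replacing the table with
# nothing would make every rule referencing it match nothing, so keep the
# previous file instead. The write goes through a temp file and mv(1) so a
# concurrent pf.conf load never sees a half-written file.
write_table_file() {   # $1 = addresses, one per line; $2 = destination path
    if [ -z "$1" ]; then
        echo "no addresses resolved, leaving $2 untouched" >&2
        return 1
    fi
    _tmp=$(mktemp "$2.XXXXXX") || return 1
    printf '%s\n' "$1" > "$_tmp" && mv "$_tmp" "$2"
}

# Swap the live table contents for the file's in one pfctl call (needs root).
# The matching pf.conf line would be:
#   table <remote_admins> persist file "/etc/pf.remote_admins.txt"
load_table() {   # $1 = table name, $2 = file
    pfctl -t "$1" -T replace -f "$2"
}

# Constructed host(1) output: two names that resolve (one with IPv4 and IPv6)
# and one that does not.
HOST_OUT='home.example.org has address 203.0.113.7
home.example.org has IPv6 address 2001:db8::7
office.example.org has address 198.51.100.20
Host nosuch.example.org not found: 3(NXDOMAIN)'

# Demo run against a temporary file. On the firewall, from cron, use:
#   ADDRS=$(addrs_from_host_output "$(resolve_names home.example.org office.example.org)")
#   write_table_file "$ADDRS" "$TABLE_FILE" && load_table "$TABLE" "$TABLE_FILE"
DEMO_FILE=$(mktemp)
ADDRS=$(addrs_from_host_output "$HOST_OUT")
write_table_file "$ADDRS" "$DEMO_FILE" && cat "$DEMO_FILE"
```

Two things worth keeping when adapting it: the "replace" form of pfctl -T swaps the whole table in one operation, so there is no window with a partially updated table, and the refusal to write an empty list is what keeps a DNS outage from locking you out. As Janne notes, the whole scheme still trusts the answers the resolver returns.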



After applying patches, kernel version is slower?

2017-05-04 Thread C. L. Martinez
Hi all,

 I have applied the recent patches for OpenBSD 6.1 in two hosts and I see a 
strange behavior. In a non-patched OpenBSD 6.1 host, uname -a returns:

OpenBSD tnobsd02.mydom.org 6.1 GENERIC#19 amd64

 .. and in an OpenBSD 6.1 host with patches applied:

OpenBSD extobsd01.mydom.org 6.1 GENERIC#4 amd64

 Any idea why??

-- 
Greetings,
C. L. Martinez



Re: Pf with secondary DNS resolution

2017-05-04 Thread Florian Ermisch


On 4 May 2017 08:39:51 CEST, Janne Johansson wrote:
>I would make those rules have a table, and a cronjob to feed the table
>with
>the current ips that these hostnames resolve to.

Same here.

>But of course, that implies you trust the replies you get all the time
>from
>that cronjob.
>
Is there no DNSSEC enabled dynamic DNS service? ;)
When you can't trust your (upstream) DNS server a whole new world of ugly
hacks will open up.
How about sharing signed files via SyncThing? ^^

Regards, Florian 
>
>2017-05-03 22:16 GMT+02:00 Luke Small :
>
>> Is it worthwhile to set up a hook for pf to load rules that have URLs
>after
>> the network services that can resolve them come into effect?
>>



Re: Pf with secondary DNS resolution

2017-05-04 Thread Janne Johansson
I would make those rules have a table, and a cronjob to feed the table with
the current ips that these hostnames resolve to.
But of course, that implies you trust the replies you get all the time from
that cronjob.


2017-05-03 22:16 GMT+02:00 Luke Small :

> Is it worthwhile to set up a hook for pf to load rules that have URLs after
> the network services that can resolve them come into effect?
>



-- 
May the most significant bit of your life be positive.