Wallpaper artwork created for OpenBSD
Dear OpenBSD users, developers, contributors,

My name is Mingjing, a *BSD user and lover from China. My friend and I made some wallpapers for OpenBSD and other open-source projects in our free time. For now they are designed only for smartphones. The pictures are 1920*1080. I put them on GitHub (https://github.com/opensourcecn/wallpapers) and we've packaged them into Android APKs on Google Play (http://bit.ly/2JPetLy and http://bit.ly/2qxX8xU). All the wallpapers are released under the BSD license, so you can do whatever you want with them. Feel free to use them and give me suggestions if you have any.

Thanks
Mingjing
mail doesn't read mail from /var/mail/root
Hello,

I must be missing something obvious, but since installing 6.4-current (on a few versions in a row), I can't get mail to read /var/mail/root. After logging in, I see:

>---<
OpenBSD 6.4-current (GENERIC.MP) #425: Sun Nov 4
[... skipped ...]
You have mail.
thor# mail
No mail for root
thor# mail -f /var/mail/root
Mail version 8.1.2 01/15/2001. Type ? for help.
"/var/mail/root": 0 messages
thor# ls -l /var/mail/root
-rw--- 1 root wheel 3.9K Oct 20 00:37 /var/mail/root
thor# head /var/mail/root
>From dera...@do-not-reply.openbsd.org Sun Nov 1 06:30:00 MDT 2018
Return-Path: root
Date: Nov 1 06:30:00 MDT 2018
From: dera...@do-not-reply.openbsd.org (Theo de Raadt)
To: root
Subject: Welcome to OpenBSD 6.4!

This message attempts to describe the most basic initial questions that a system administrator of an OpenBSD box might have. You are urged to save this message for later reference.
>--<

I also remember that I had this problem since the first time I installed 6.4-current on my new laptop. I do receive local mail (e.g., from crontab) for a non-privileged user created during setup.

Any ideas of what might be going on?

Best,
ivpgbe
Re: Severe clock problems with OpenBSD VM on OpenBSD Host
Hi,

I recently built a new vmm with 6.4 and noticed this morning that it had a clock problem too; however, all my other vmm's didn't.

kern.timecounter.tick=1
kern.timecounter.timestepwarnings=0
kern.timecounter.hardware=tsc
kern.timecounter.choice=i8254(0) tsc(-1000) dummy(-100)

These are sysctl settings, and on my 6.4 vmm i8254 was set; all the others had tsc set and didn't have this problem. I set it now to tsc, and it seems to be more accurate. I don't expect any more tunings. I'm sorry if this is bad advice but it worked for me.

Regards,
-peter

On 11/7/18 7:40 PM, Gareth Ansell wrote:
> Hi,
> I can confirm that this is also happening on my VM, also hosted at openbsd.amsterdam.
> Gareth
Re: performance of intel multithreading
On 11/07/18 11:34, Kihaguru Gathura wrote:
> Hi,
>
> On Wednesday, November 7, 2018, Nick Holland wrote:
>> On 11/05/18 23:51, Kihaguru Gathura wrote:
>>> Hi,
>>>
>>> From a security standpoint,
>>> which platform will offer better performance
>>
>> huh? What's your priority, security or performance?
>
> Security is the Priority.
>
>> If you have one and no budget to buy something ...um... modern, use it.
>
> I have the PrimePower 250
>
>> UltraSPARC will probably give them a bigger surprise.
>
> Please explain further if possible.

Most attackers are what we call script kiddies -- they don't know what they are doing, but they have a script, they throw it at a target and it either works and they move in or it doesn't, and they move on to the next target (or often, their magic cracking kit does it for them). For these people, "computers" are all IBM PC descended and all powered by Intel processors. Something not running Windows or Linux and not running on an Intel chip will be a huge deterrent IF they get into your system and try to run their binary tool kits.

Now, someone who knows their mouse from their keyboard...no. And a state sponsored attacker that's after YOU personally? No. But they will have to hand you over to the next tier guys. :)

The analogy I've used often is that much of computer security logic, if applied to your household security, would involve putting the door to your house on a different side than your neighbors' doors, putting the door knob on the opposite side and maybe painting the door purple. And sure enough, the guy wandering down the street with instructions saying "Door on front of house, color brown, handle on left side" will totally miss the door of your house, and your house will be "secure" even if the door is unlocked. And fortunately, 99.9% of the attackers out there are going to be stopped by your oddly placed backwards purple door.

The problem is...there are tens of thousands of attackers, so quite a few aren't going to be confused by this.

> But if you are
>> running web services, you are probably running apps written by someone
>> without any idea what they are doing in an interpreted language like
>> PHP, and the exact same exploits will take out either platform, because
>> the exploits will be at a much higher level than the processor.
>
> Self written services in C language.

Now, who do you think is a better programmer, the people who put together OpenBSD or you? Not to show you any disrespect, but honestly, I'm putting my money on the OpenBSD devs. Most likely, OpenBSD won't be the entry point for your attacker. A lot of the brilliant work that the OpenBSD devs have done may HELP your system survive a flaw in your program, but your program is still more likely to be the entry point (or data exfiltration point) than the OS is, so your Plat X vs. Plat Y decision is probably not the big thing to worry about.

Nick.
Re: Severe clock problems with OpenBSD VM on OpenBSD Host
Hi, I can confirm that this is also happening on my VM, also hosted at openbsd.amsterdam. Gareth
Re: 6.4 - Unable to boot after successfully installed
On Wed, Nov 7, 2018 at 9:29 AM Luthing wrote:
> I am partitioning my disk manually like :
> ~80% for /root partition
> ~20% for swap

Try installing again using the default disklabel slice layout. If that works, that means your root file system is too big. I rarely make my root partition any larger than 512MB (128MB-256MB is typical for me). If the default slice sizes aren't large enough for you, adjust them as needed. If you need a file system with a ton of space in it, use /home for that, or make an extra slice and mount it where it makes sense (e.g. /var/mariadb if you need a big space for a database). At a minimum, you should have separate partitions for / (root), /usr, /usr/local, /var and /home. In rare circumstances I've made root file systems as large as 16GB. But a 200GB+ root is really too much.

-ken
Re: performance of intel multithreading
On Wed, Nov 07, 2018 at 07:34:57PM +0300, Kihaguru Gathura wrote:
> Hi,
>
> On Wednesday, November 7, 2018, Nick Holland wrote:
> > On 11/05/18 23:51, Kihaguru Gathura wrote:
> >> Hi,
> >>
> >> From a security standpoint,
> >> which platform will offer better performance
> >
> > huh? What's your priority, security or performance?
>
> Security is the Priority.
>
> > If you have one and no budget to buy something ...um... modern, use it.
>
> I have the PrimePower 250
>
> > UltraSPARC will probably give them a bigger surprise.
>
> Please explain further if possible.
>
> > But if you are
> > running web services, you are probably running apps written by someone
> > without any idea what they are doing in an interpreted language like
> > PHP, and the exact same exploits will take out either platform, because
> > the exploits will be at a much higher level than the processor.
>
> Self written services in C language.

SPARC64 has, thanks to StackGhost, a good defence against ROP attacks. It is big-endian and strictly aligned. The IOMMU also gives some protection against driver bugs. SUN4U would be able to do execute-only pages, but SUN4V no longer supports that. In general OpenBSD/sparc64 is a good arch when it comes to being secure. The problem is that there is less and less good hardware around which is beefy enough, and so more and more packages fail to build -- there is generally less interest in the HW (esp. outside OpenBSD).

Now OpenBSD/amd64 is also not bad either; fairly important changes were made to make attacks less successful (e.g. Todd Mortimer's LLVM ret-protector). The big benefit of amd64 is that this is the common arch every developer has access to.

In the end, running OpenBSD gives you more security features turned on by default than anywhere else.

--
:wq Claudio
Re: 6.4 - Unable to boot after successfully installed
Luthing writes:
> Hey,
> I am partitioning my disk manually like :
> ~80% for /root partition
> ~20% for swap
>
> That's all
> Any idea?

https://www.openbsd.org/faq/faq4.html#Partitioning

Allan
xfce4-terminal crash in openbsd 6.4
This happens in OpenBSD 6.4 but I'm fairly confident it didn't happen in 6.3 (it definitely didn't happen at some point in the recent past; I don't recall if I tried this while I was using snapshots between 6.3 and 6.4):

If I start xfce4-terminal (either from xterm or the xfce4 "Run Program" dialog), and if I try to access the menus (either by clicking or an alt-__ key combination like alt-e), then xfce4-terminal exits. In the xterm window, I can see that xfce4-terminal has reported this error before exiting:

Gtk:ERROR:gtkiconhelper.c:494:ensure_surface_for_gicon: assertion failed (error == NULL): Failed to load /usr/local/share/icons/Adwaita/16x16/status/image-missing.png: Unrecognized image file format (gdk-pixbuf-error-quark, 3)

(Alternatively, if there is a way to do a text search across the scrollback buffer in xterm, that would let me stop my intermittent use of xfce4-terminal, but I haven't found that. I know konsole has that search feature but it has many more binary dependencies that get installed with it.)

Ending with my dmesg which includes content farther down indicating the upgrade to 6.4. Thanks much!
Re: performance of intel multithreading
Hi,

On Wednesday, November 7, 2018, Nick Holland wrote:
> On 11/05/18 23:51, Kihaguru Gathura wrote:
>> Hi,
>>
>> From a security standpoint,
>> which platform will offer better performance
>
> huh? What's your priority, security or performance?

Security is the Priority.

> If you have one and no budget to buy something ...um... modern, use it.

I have the PrimePower 250

> UltraSPARC will probably give them a bigger surprise.

Please explain further if possible.

> But if you are
> running web services, you are probably running apps written by someone
> without any idea what they are doing in an interpreted language like
> PHP, and the exact same exploits will take out either platform, because
> the exploits will be at a much higher level than the processor.

Self written services in C language.

Thanks,
Kihaguru.
Re: 6.4 - Unable to boot after successfully installed
Read https://www.openbsd.org/faq/faq14.html about disks and partitions. I use one fdisk disk partition for OpenBSD that disklabel splits into several file system partitions.

Regards

On 11/7/18 4:03 AM, Luthing wrote:
> Hey,
> I am partitioning my disk manually like :
> ~80% for /root partition
> ~20% for swap
>
> That's all
> Any idea?
Re: 6.4 - Unable to boot after successfully installed
Hey,
I am partitioning my disk manually like :
~80% for /root partition
~20% for swap

That's all
Any idea?
GAMIN question again
Hi all,

so as far as I understand now, gam_server should be started if a user logs in (like over IMAP), but it seems not to work. The docs mentioned in the /etc/garmin/garminrc file are also not helpful because they only tell you to look at the fam docs or API refs, but I don't want to use the API; I want to configure gamin to start gam_server when a user logs in.

So in the rc file you see something like

fsset ffs none

so I thought okay, I might change that to

fsset ffs notify

but no changes; also

fsset ffs poll 1

doesn't seem to have an effect. So to all out there who are using gamin, enlighten me how to configure it please.

regards

--
Markus Rosjat
fon: +49 351 8107224
mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden
http://www.ghweb.de
fon: +49 351 8107220
fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before you print it, think about your responsibility and commitment to the ENVIRONMENT
Re: Reduced network performance since installing 6.4
On 2018-11-05, Tony Sarendal wrote:
> Hola,
>
> Unrelated to wifi, I have seen a dramatic drop in forwarding performance in
> 6.4 and later.
> I run some basic performance tests to verify the releases before we deploy
> them.
> For the same test on the same hardware I have this:
>
> Release, pps
> snapshot, 340k
> 6.4, 340k
> 6.3, 450k
> 6.2, 430k
> 6.1, 420k
> 6.0, 425k
> 5.9, 420k
> 5.8, 450k
>
> In this case the OpenBSD boxes are deployed as firewall clusters, 4x IX in
> a LACP trunk, with VLAN interfaces.
> 6.3 is faster than it looks, in tests like sessions/second it was a lot
> faster than 6.2.

Also noted here.
https://marc.info/?l=openbsd-misc=153862560407151=2
Re: ikev2 and road warriors setup
Yesterday I tried this scenario:

Win7_warrior - 192.168.x.x, NAT, GW: 1.2.3.119
VPN_L2TP (Mikrotik) - A.B.C.75/23, not NATed
VPN_IKEv2 - A.B.C.77/23, not NATed

I connected Win7_warrior to VPN_L2TP and then to VPN_IKEv2. I had two active VPN connections at the same time. Next, I disconnected VPN_L2TP. VPN_IKEv2 was still active and was working fine. When I disconnected VPN_IKEv2 and was trying to connect VPN_IKEv2 omitting VPN_L2TP, I got 809.

Removing home_router, which is between Win7_warrior and 1.2.3.119, does not change anything.

Another thing: I install the VPN_IKEv2 OS via PXE boot and get a private IP from the DHCP server. Then I move to public A.B.C.77/23 by editing /etc/hostname, mygate, resolv.conf. Maybe I missed something in the network conf that is important for OpenIKED?

Any idea?

On Tue, 6 Nov 2018 11:21:52 +0100
Radek wrote:
> Hello Kim,
>
> > My question was concerning the VPN_server, is the server NATed?
> A.B.C.0/23 is not NATed, it is a public pool. VPN_server is not NATed.
>
> > How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall ...
> I only have switches in my building.
> All routers/firewalls of my network are in another building, I do not know
> the whole network structure, devices, security policies... but I have never
> noticed that any ports were blocked.
>
> I can set up an IKEV2 site-to-site VPN A.B.C.D/23 <--> !A.B.C.0/23 and it works
> like a charm.
> https://community.riocities.com/openike_openbsd.html
> But I cannot set up a VPN_server for road warriors.
>
> I have just set up a VPN_L2TP_serv on Mikrotik (A.B.C.75/23). I can connect
> my Win7_warrior from !A.B.C.0/23 (currently testing on GSM network).
> L2TP and IKEV2 use ports 500, 4500. If L2TP works fine, I conclude that it
> is not any Router/FW problem.
>
> On Tue, 6 Nov 2018 07:48:37 +0100
> Kim Zeitler wrote:
>
> > Good morning Radek,
> >
> > I have a suspicion ...
> >
> > > For (1), (2) and (3) VPN is working just fine with Win7_warrior and
> > > puffy_warrior if they are connecting from A.B.C.0/23 (it does not matter
> > > if warrior has public IP or it is behind NAT). The rest of the world
> > > fails to connect the VPN_server.
> > My question was concerning the VPN_server, is the server NATed?
> > How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall ...
> >
> > Cheers,
> > Kim
> >
>
> --
> radek

--
radek
Re: ldap search fails with Let's Encrypt certificate
On 2018-11-06, Joel Carnat wrote:
> Looks like I'll have to wait until Synology upgrades OpenSSL.
> I don't fancy modifying ldap(1) to lower security. I'll just use it to
> search on local slapd.

Since there's a valid need to perform ldap queries against all sorts of machines, including ones with quite old TLS implementations, having options similar to the TLS-related ones in nc(1)'s -T would seem useful.
Re: [OpenIKED] Is it impossible to differentiate the policies by dstid?
On Tue, Nov 06, 2018 at 05:42:08PM -0500, Daniel Ouellet wrote:
> The source ID does default yes, but I have a tunnel gateway for multiple
> VPN and I HAD to specify the dstid on the passive side as well or ONLY
> the last rule was picked up for the 0.0.0.0/0 of some of them as an
> example for all the traffic flowing via the VPN.
>
> Any overlapping routes were not going as one might think if no dstid was
> specified.
>
> example:
>
> ikev2 "test1-flow" passive from 0.0.0.0/0 to 1.2.3.4/28 peer any dstid
> test1.example.com
>
> ikev2 "test2-flow" passive from 0.0.0.0/0 to 1.3.3.4/28 peer any dstid
> test2.example.com
>
> ikev2 "test3-flow" passive from 0.0.0.0/0 to 1.4.3.4/28 peer any dstid
> test3.example.com
>
> ..etc
>
> If no dstid was specified, then you didn't have all 3 above as an
> example working.
>
> Maybe it is supposed to, that I can't say for sure as the idea of it,
> but it sure wasn't and isn't if I remove the dstid with everything else
> staying the same.
>
> So what he suggested to you was valid and true.
>
> But it is your setup and you sure can do as you see fit.

This only works if the rules are the same. The problem is that part of the lookups during the handshake are done without dstid, and so at the start the last rule will match and is used, but later on the real rule (with the correct dstid) matches. In general you cannot mix different auth types because the mismatch happens during the auth exchange. Fixing this is not trivial and maybe not even possible.

> On 11/6/18 3:16 PM, 雷致强 wrote:
> > Thanks for the input, however, I think srcid defaults to the hostname when
> > it's omitted. Explicitly setting it didn't give me any luck.
> >
> >> On Nov 7, 2018, at 2:33 AM, J Evans <3...@startmail.com> wrote:
> >>
> >> I am by no means an expert, but for my setup, in order to get multiple
> >> policies working, I had to specify both srcid and dstid for each policy on
> >> the passive peer. And then I set srcid and dstid for the policies on the
> >> active peers.
> >>
> >

--
:wq Claudio
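The matching order Claudio describes, modelled as an added example (constructed Python, not iked's code and not the configuration from this thread): policies are evaluated in order with the last match winning, the first lookup cannot see dstid, and a second lookup once the peer's ID is known selects the real policy, which is harmless when all policies share an auth method and breaks when they do not. Policy names and networks are taken from the quoted rules; the auth methods are assumed.

```python
"""Simplified model of ordered IKEv2 policy matching during a handshake.
Constructed for illustration; this is not iked's code. Assumptions: policies
are evaluated in config order with last match winning; the first lookup
happens before the peer's ID is known, so a dstid constraint cannot be
checked then; once the peer has sent its ID the lookup is repeated."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    dst_net: str            # the "to" network of the flow
    dstid: Optional[str]    # None when dstid is omitted in the config
    auth: str               # authentication method (assumed, e.g. "rsa")


def lookup(policies: List[Policy], peer_id: Optional[str]) -> Optional[Policy]:
    """Return the last policy matching what is known about the peer.
    peer_id=None models the early lookup: dstid cannot be evaluated, so every
    "peer any" policy matches and the last one wins."""
    chosen = None
    for p in policies:
        if peer_id is None or p.dstid is None or p.dstid == peer_id:
            chosen = p  # last match wins
    return chosen


def handshake(policies: List[Policy],
              peer_id: str) -> Tuple[Optional[str], Optional[str], bool]:
    """Run both lookups and report (initial, final, auth_consistent). When the
    two disagree on the auth method, the exchange already started with the
    wrong method before the real policy was selected."""
    initial = lookup(policies, None)
    final = lookup(policies, peer_id)
    ok = (initial is not None and final is not None
          and initial.auth == final.auth)
    return (initial.name if initial else None,
            final.name if final else None, ok)


# Constructed policies mirroring the three passive rules quoted above.
WITH_DSTID = [
    Policy("test1-flow", "1.2.3.4/28", "test1.example.com", "rsa"),
    Policy("test2-flow", "1.3.3.4/28", "test2.example.com", "rsa"),
    Policy("test3-flow", "1.4.3.4/28", "test3.example.com", "rsa"),
]
# Same flows with dstid omitted: every lookup falls through to the last rule.
WITHOUT_DSTID = [Policy(p.name, p.dst_net, None, p.auth) for p in WITH_DSTID]
# Same dstids, but the first peer authenticates differently (constructed).
MIXED_AUTH = [Policy("test1-flow", "1.2.3.4/28", "test1.example.com", "psk")]
MIXED_AUTH += WITH_DSTID[1:]

if __name__ == "__main__":
    for label, pols in (("dstid", WITH_DSTID), ("no dstid", WITHOUT_DSTID),
                        ("mixed auth", MIXED_AUTH)):
        print(label, handshake(pols, "test1.example.com"))
```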