Re: IPv6 on AWS fails after 30 seconds

2019-03-15 Thread Jordan Geoghegan

I just realized I forgot to include my dhcpcd log info. Please see below.

Any insight or advice would be much appreciated.

Jordan


Mar 13 18:46:18 ip-172-31-6-187 dhcpcd[96180]: main: pidfile_lock: Permission denied
Mar 13 18:46:23 ip-172-31-6-187 dhcpcd[83900]: DUID 00:04:2a:fe:2b:ec:35:48:74:74:11:0b:1a:22:a4:5d:90:db
Mar 13 18:46:23 ip-172-31-6-187 dhcpcd[83900]: xnf0: IAID 63:26:e3:9c
Mar 13 18:46:23 ip-172-31-6-187 dhcpcd[83900]: xnf0: soliciting an IPv6 router
Mar 13 18:46:35 ip-172-31-6-187 dhcpcd[83900]: xnf0: no IPv6 Routers available
Mar 13 18:46:45 ip-172-31-6-187 dhcpcd[83900]: received SIGINT, stopping
Mar 13 18:46:45 ip-172-31-6-187 dhcpcd[83900]: xnf0: removing interface
Mar 13 18:46:45 ip-172-31-6-187 dhcpcd[83900]: dhcpcd exited
Mar 13 20:56:03 ip-172-31-6-187 dhcpcd[22976]: DUID 00:04:2a:fe:2b:ec:35:48:74:74:11:0b:1a:22:a4:5d:90:db
Mar 13 20:56:03 ip-172-31-6-187 dhcpcd[22976]: xnf0: IAID 63:26:e3:9c
Mar 13 20:56:04 ip-172-31-6-187 dhcpcd[22976]: xnf0: soliciting an IPv6 router
Mar 13 20:56:05 ip-172-31-6-187 dhcpcd[22976]: xnf0: Router Advertisement from fe80::478:22ff:fe9e:1c56
Mar 13 20:56:05 ip-172-31-6-187 dhcpcd[22976]: xnf0: adding route to 2600:1f11:2f7:c100::/64
Mar 13 20:56:05 ip-172-31-6-187 dhcpcd[22976]: xnf0: adding default route via fe80::478:22ff:fe9e:1c56
Mar 13 20:56:05 ip-172-31-6-187 dhcpcd[22976]: xnf0: soliciting a DHCPv6 lease
Mar 13 20:56:05 ip-172-31-6-187 dhcpcd[22976]: xnf0: ADV 2600:1f11:2f7:c100:89b:330e:88b3:603/128 from fe80::478:22ff:fe9e:1c56
Mar 13 20:56:05 ip-172-31-6-187 dhcpcd[22976]: xnf0: REPLY6 received from fe80::478:22ff:fe9e:1c56
Mar 13 20:56:05 ip-172-31-6-187 dhcpcd[22976]: xnf0: adding address 2600:1f11:2f7:c100:89b:330e:88b3:603/128
Mar 13 20:56:05 ip-172-31-6-187 dhcpcd[22976]: xnf0: renew in 75, rebind in 120, expire in 450 seconds
Mar 13 20:56:06 ip-172-31-6-187 dhcpcd[22976]: forked to background, child pid 31031
Mar 13 21:05:59 ip-172-31-6-187 dhcpcd[57086]: DUID 00:04:2a:fe:2b:ec:35:48:74:74:11:0b:1a:22:a4:5d:90:db
Mar 13 21:05:59 ip-172-31-6-187 dhcpcd[57086]: xnf0: IAID 63:26:e3:9c
Mar 13 21:05:59 ip-172-31-6-187 dhcpcd[57086]: xnf0: soliciting an IPv6 router
Mar 13 21:06:06 ip-172-31-6-187 dhcpcd[57086]: xnf0: Router Advertisement from fe80::478:22ff:fe9e:1c56
Mar 13 21:06:06 ip-172-31-6-187 dhcpcd[57086]: xnf0: adding route to 2600:1f11:2f7:c100::/64
Mar 13 21:06:06 ip-172-31-6-187 dhcpcd[57086]: xnf0: adding default route via fe80::478:22ff:fe9e:1c56
Mar 13 21:06:06 ip-172-31-6-187 dhcpcd[57086]: xnf0: confirming prior DHCPv6 lease
Mar 13 21:06:06 ip-172-31-6-187 dhcpcd[57086]: xnf0: REPLY6 received from fe80::478:22ff:fe9e:1c56
Mar 13 21:06:06 ip-172-31-6-187 dhcpcd[57086]: xnf0: adding address 2600:1f11:2f7:c100:89b:330e:88b3:603/128
Mar 13 21:06:06 ip-172-31-6-187 dhcpcd[57086]: xnf0: renew in 75, rebind in 120, expire in 450 seconds
Mar 13 21:06:07 ip-172-31-6-187 dhcpcd[57086]: forked to background, child pid 30274
Mar 13 21:19:52 ip-172-31-6-187 dhcpcd[2325]: sending commands to master dhcpcd process
Mar 13 21:19:52 ip-172-31-6-187 dhcpcd[30274]: control command: dhcpcd -6
Mar 13 21:20:08 ip-172-31-6-187 dhcpcd[30274]: received SIGTERM, stopping
Mar 13 21:20:08 ip-172-31-6-187 dhcpcd[30274]: xnf0: removing interface
Mar 13 21:20:09 ip-172-31-6-187 dhcpcd[48104]: DUID 00:04:2a:fe:2b:ec:35:48:74:74:11:0b:1a:22:a4:5d:90:db
Mar 13 21:20:09 ip-172-31-6-187 dhcpcd[48104]: xnf0: IAID 63:26:e3:9c
Mar 13 21:20:09 ip-172-31-6-187 dhcpcd[48104]: xnf0: soliciting a DHCP lease
Mar 13 21:20:09 ip-172-31-6-187 dhcpcd[48104]: xnf0: offered 172.31.6.187 from 172.31.0.1
Mar 13 21:20:09 ip-172-31-6-187 dhcpcd[48104]: xnf0: leased 172.31.6.187 for 3600 seconds
Mar 13 21:20:09 ip-172-31-6-187 dhcpcd[48104]: xnf0: adding route to 172.31.0.0/20
Mar 13 21:20:09 ip-172-31-6-187 dhcpcd[48104]: xnf0: adding default route via 172.31.0.1
Mar 13 21:20:09 ip-172-31-6-187 dhcpcd[48104]: forked to background, child pid 7891
Mar 13 21:20:09 ip-172-31-6-187 dhcpcd[7891]: xnf0: soliciting an IPv6 router
Mar 13 21:20:16 ip-172-31-6-187 dhcpcd[7891]: xnf0: Router Advertisement from fe80::478:22ff:fe9e:1c56
Mar 13 21:20:16 ip-172-31-6-187 dhcpcd[7891]: xnf0: adding route to 2600:1f11:2f7:c100::/64
Mar 13 21:20:16 ip-172-31-6-187 dhcpcd[7891]: xnf0: adding default route via fe80::478:22ff:fe9e:1c56
Mar 13 21:20:16 ip-172-31-6-187 dhcpcd[7891]: xnf0: confirming prior DHCPv6 lease
Mar 13 21:20:17 ip-172-31-6-187 dhcpcd[7891]: xnf0: REPLY6 received from fe80::478:22ff:fe9e:1c56
Mar 13 21:20:17 ip-172-31-6-187 dhcpcd[7891]: xnf0: adding address 2600:1f11:2f7:c100:89b:330e:88b3:603/128
Mar 13 21:20:17 ip-172-31-6-187 dhcpcd[7891]: xnf0: renew in 75, rebind in 120, expire in 450 seconds
Mar 13 21:21:55 ip-172-31-6-187 dhcpcd[7891]: received SIGTERM, stopping
Mar 13 21:21:55 ip-172-31-6-187 dhcpcd[7891]: xnf0: removing interface
Mar 13 21:21:55 ip-172-31-6-187 dhcpcd[7891]: dhcpcd exited
Mar 13 21:23:18 ip-172-31-6-187 dhcpcd[47479]: 

Re: How to monitor class usage/limits?

2019-03-15 Thread Joel Carnat
On Fri 15/03 15:47, Stuart Henderson wrote:
> On 2019-03-14, Joel Carnat  wrote:
> > Hi,
> >
> > The Internet is full of "OpenBSD desktop works better when rising
> > datasize/maxproc/openfiles/stacksize in login.conf". One thing I can't
> > manage to find is how you can monitor those values?
> >
> > I'm Ok to set arbitrary recommended values depending on system
> > configuration and general usecases (like using Firefox/Chrome etc). But
> > I would like to check for my current used values. Like looking at top
> > or vmstat to know how much resources I'm actually using. And how often
> > the system raises the 75% threshold.
> >
> > Is there a way to monitor these usage numbers to set adequate limits?
> >
> > TIA,
> >  Jo
> >
> >
> 
> It doesn't show you everything, but you can check memory in 'maximum
> resident set size':
> 
> $ \time -l chrome
> 
Thanks Stuart. This is needed for each command I run and want to be
monitored, right?

Reading the manpage for ps(1) once again, I ended up wondering if that wasn't
the answer to my initial question...

# ps -ax -o pid,lim,rsz,dsiz,ssiz,tsiz,vsz,command | sed '2,/firefox/d'
  PID     LIM    RSZ   DSIZ SSIZ TSIZ    VSZ COMMAND
69866 5875588   7072   3352   16   32   3400 /usr/local/libexec/gvfsd
74573 5875588 104524 188200   80  196 188476 /usr/local/lib/firefox/firefox (...)
67248 5875588 199444 263132  140  196 263468 /usr/local/lib/firefox/firefox (...)
 5430 5875588 215532 291920  164  196 292280 /usr/local/lib/firefox/firefox (...)
59826 5875588 116908 190948  128  196 191272 /usr/local/lib/firefox/firefox (...)

Does this indicate the values I'm looking for?

Thanks.
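As an added example for the monitoring question in this thread (it is not code from the thread or from OpenBSD), the script below parses the ps(1) column layout Joel posted and compares the per-process numbers against class limits, reporting anything at or above a threshold (75% by default). It treats the LIM column as the per-process memory-use limit in KiB, which is an assumption about that column's meaning (check ps(1) on your system), compares RSZ against it, and compares DSIZ and SSIZ against datasize and stacksize values given in login.conf(5) syntax. The sample ps output and the 350M/4M limits are constructed for the demonstration.

```python
"""Check ps(1) resource columns against login.conf class limits.

Added example for the thread's monitoring question; not code from the thread or
from OpenBSD. LIM is taken to be the memory-use limit (assumption); datasize and
stacksize are supplied separately because ps(1) does not print them.
"""
from dataclasses import dataclass

# Constructed sample in the posted column layout; numbers are KiB as ps(1) prints them.
# The command tail is elided with "(...)" as in the post.
SAMPLE_PS = """\
  PID     LIM    RSZ   DSIZ SSIZ TSIZ    VSZ COMMAND
69866 5875588   7072   3352   16   32   3400 /usr/local/libexec/gvfsd
74573 5875588 104524 188200   80  196 188476 /usr/local/lib/firefox/firefox (...)
67248 5875588 199444 263132  140  196 263468 /usr/local/lib/firefox/firefox (...)
 5430 5875588 215532 291920  164  196 292280 /usr/local/lib/firefox/firefox (...)
59826 5875588 116908 190948  128  196 191272 /usr/local/lib/firefox/firefox (...)
"""


@dataclass
class ProcRow:
    pid: int
    lim: int      # memory-use limit, KiB (assumed meaning of the LIM column)
    rsz: int      # resident set size, KiB
    dsiz: int     # data segment size, KiB (what login.conf datasize caps)
    ssiz: int     # stack size, KiB (what login.conf stacksize caps)
    command: str


def parse_ps(text):
    """Parse `ps -o pid,lim,rsz,dsiz,ssiz,tsiz,vsz,command` output into rows."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        parts = line.split(None, 7)              # the command may contain spaces
        if len(parts) < 8:
            continue
        pid, lim, rsz, dsiz, ssiz, _tsiz, _vsz, command = parts
        rows.append(ProcRow(int(pid), int(lim), int(rsz), int(dsiz), int(ssiz), command))
    return rows


# login.conf(5) size multipliers: b = 512-byte blocks, k/m/g/t = powers of 1024.
_MULT = {"b": 512, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3, "t": 1024 ** 4}


def login_conf_kib(value):
    """Convert a login.conf size ('768M', '1g', '4194304' = bytes, 'infinity') to KiB.

    Returns None for 'infinity', which means there is nothing to compare against.
    """
    v = value.strip().lower()
    if v == "infinity":
        return None
    if v[-1] in _MULT:
        return int(v[:-1]) * _MULT[v[-1]] // 1024
    return int(v) // 1024


def over_threshold(rows, datasize_kib, stacksize_kib=None, threshold=0.75):
    """Return (pid, check, percent) for every process at or above the threshold."""
    hits = []
    for r in rows:
        checks = (("rsz/memoryuse", r.rsz, r.lim),
                  ("dsiz/datasize", r.dsiz, datasize_kib),
                  ("ssiz/stacksize", r.ssiz, stacksize_kib))
        for name, used, limit in checks:
            if not limit:            # None (infinity) or 0: skip the comparison
                continue
            pct = used / limit
            if pct >= threshold:
                hits.append((r.pid, name, round(pct * 100, 1)))
    return hits


if __name__ == "__main__":
    # Constructed class limits for the demonstration: datasize-cur=350M, stacksize-cur=4M.
    rows = parse_ps(SAMPLE_PS)
    for pid, check, pct in over_threshold(rows, login_conf_kib("350M"), login_conf_kib("4M")):
        print(f"pid {pid}: {check} at {pct}% of limit")
```

Run it periodically (or feed it `ps -ax -o pid,lim,rsz,dsiz,ssiz,tsiz,vsz,command` output from cron) and raise the class limit in login.conf when the same processes keep crossing the threshold; with the constructed 350M datasize, one firefox process is reported at about 81%.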



Re: How to monitor class usage/limits?

2019-03-15 Thread Stuart Henderson
On 2019-03-14, Joel Carnat  wrote:
> Hi,
>
> The Internet is full of "OpenBSD desktop works better when rising
> datasize/maxproc/openfiles/stacksize in login.conf". One thing I can't
> manage to find is how you can monitor those values?
>
> I'm Ok to set arbitrary recommended values depending on system
> configuration and general usecases (like using Firefox/Chrome etc). But
> I would like to check for my current used values. Like looking at top
> or vmstat to know how much resources I'm actually using. And how often
> the system raises the 75% threshold.
>
> Is there a way to monitor these usage numbers to set adequate limits?
>
> TIA,
>  Jo
>
>

It doesn't show you everything, but you can check memory in 'maximum
resident set size':

$ \time -l chrome




Re: OpenBSD on Macbook 12" 2017?

2019-03-15 Thread joshua stein
On Fri, 15 Mar 2019 at 09:18:02 +0100, Harald Dunkel wrote:
> Hi folks,
> 
> does it work, OpenBSD on a 12" Macbook 2017? I tried Linux once,
> but keyboard and trackpad were not working, so I kept MacOS.

The keyboard and touchpad are connected over SPI now, so they 
require a new Intel SPI controller driver and then two custom 
drivers for the keyboard and touchpad.

So no, the device does not work on OpenBSD unless you use a USB 
keyboard/mouse.



Re: OpenBSD on Macbook 12" 2017?

2019-03-15 Thread jcmdln



> does it work, OpenBSD on a 12" Macbook 2017? I tried Linux once,
> but keyboard and trackpad were not working, so I kept MacOS.

I'm running a snapshot of OpenBSD on an 8th gen Intel laptop (not a
mac) without issue. I would suggest using dmesg to examine your
hardware requirements and read over the FAQ, especially the networking
section.

https://www.openbsd.org/faq/index.html



Re: XSS vuln in cvsweb

2019-03-15 Thread Marc Espie
On Fri, Mar 15, 2019 at 12:16:06PM -, Stuart Henderson wrote:
> On 2019-03-15, Peter J. Philipp  wrote:
> > Hi all,
> >
> > I have been notified by a wonderful security researcher that my site was
> > vulnerable to XSS attacks.  The first one was on software I wrote, and the
> > second one was on software I got from OpenBSD ports.  Not sure if I should
> > be writing this to the ports mailing list though.
> > 
> > I have written Marc Espie with a patch that I produced for cvsweb, but
> > haven't heard from him in 11 hours so I want to get this out to everyone.
> 
> Yes, it should go to the ports mailing list. Check the "maintainer" line
> in "pkg_info cvsweb". I don't know why you would send it to espie@.
> 

Last person to have touched the Makefile.

You know, last time I did an infrastructure sweep...



Re: XSS vuln in cvsweb

2019-03-15 Thread Stuart Henderson
On 2019-03-15, Peter J. Philipp  wrote:
> Hi all,
>
> I have been notified by a wonderful security researcher that my site was
> vulnerable to XSS attacks.  The first one was on software I wrote, and the
> second one was on software I got from OpenBSD ports.  Not sure if I should
> be writing this to the ports mailing list though.
> 
> I have written Marc Espie with a patch that I produced for cvsweb, but
> haven't heard from him in 11 hours so I want to get this out to everyone.

Yes, it should go to the ports mailing list. Check the "maintainer" line
in "pkg_info cvsweb". I don't know why you would send it to espie@.




OpenBSD on Macbook 12" 2017?

2019-03-15 Thread Harald Dunkel

Hi folks,

does it work, OpenBSD on a 12" Macbook 2017? I tried Linux once,
but keyboard and trackpad were not working, so I kept MacOS.

Looking on Google I found just Macbook Airs and Pros. Hopefully
I wasn't too blind to see.


Every helpful comment is highly appreciated
Harri



Re: TLS suddenly not working over IKED site-to-site - SOLVED?

2019-03-15 Thread Janne Johansson
Den tors 14 mars 2019 kl 21:51 skrev Zhi-Qiang Lei :

> Mine is resolved by applying a smaller max-mss in pf and disabling ipcomp.
> Only disabling ipcomp didn’t work.
>
> > On Thu, Dec 20, 2018 at 6:54 PM Theodore Wynnychenko 
> wrote:
> >> Then, I took the advice above, and disable ipcomp on the tunnel, and,
> BAHM, https (and imaps) were working without an issue from openbsd, Windows
> 7, and Macs!
>

I ran into something similar a while ago, and even if "fixing" https/imaps
works with mss clamping, it will still cause
issues with fragmented UDP and large icmp, since those will not care about
mss, only TCP does.

The problem is still there, it's just a tcp-only workaround to lower mss
in-flight for a problem that is mostly visible
when doing *s services since they ship long lists of preferred algorithms
which causes large packets to be sent,
whereas simple ldap lookups or ntp/dns/http get by with less info sent and
hence send smaller packets.

Still, large non-tcp ip will see unexpected drops in such scenarios where
you only lower mss and not the MTU
on some in-between L3 interface so it correctly fragments when needed.

-- 
May the most significant bit of your life be positive.


Call for Talk and Presentation Proposals for EuroBSDCon 2019 is open

2019-03-15 Thread Peter Nicolai Mathias Hansteen
EuroBSDcon 2019: Lillehammer, Norway

The Call for Talk and presentation proposals for EuroBSDCon 2019 is now open.

EuroBSDcon is the European technical conference for users and developers of 
BSD-based systems. The conference will take place September 19-22 2019 in 
Lillehammer, Norway. The tutorials will be held on Thursday and Friday to 
registered participants and the talks are presented to conference attendees on 
Saturday and Sunday.

The Call for Talk and Presentation proposals period will close on May 26th, 
2019.  Prospective speakers will be notified of acceptance or otherwise by 
June 3rd, 2019.


Call for Talk and Presentation Proposals (CFP)

The EuroBSDcon program committee is inviting BSD developers and users to submit 
innovative and original talk proposals not previously presented at other 
European conferences. Topics of interest to the conference include, but are not 
limited to applications, architecture, implementation, performance and security 
of BSD-based operating systems, as well as topics concerning the economic or 
organizational aspects of BSD use. Presentations are expected to be 45 minutes 
and are to be delivered in English.


Call for Tutorial Proposals

The EuroBSDcon program committee is also inviting qualified practitioners in 
their field to submit proposals for half or full day tutorials on topics 
relevant to development, implementation and use of BSD-based systems.

Half-day tutorials are expected to be 2.5 to 3 hours and full-day tutorials 5 
to 6 hours. The tutorials and talks are to be held in English.

Submissions

Proposals should be sent through the registration system at 
https://registration.eurobsdcon.org.

They should contain a short and concise text description in about 100 words as 
well as a short speaker bio. Speakers who will be applying for travel funding 
should also submit an estimate of expected travel expenses.

Please also note that due to visa issues in the past, we would like to know as 
early as possible of any visa requirements for speakers. Please check the 
Norwegian Directorate of Immigration (UDI) web site 
https://www.udi.no/en/want-to-apply/visit-and-holiday/ for guidance.

While Osem offers the option of adding a commercial and/or avatar to your 
proposal this is not expected (or supported at the moment).


—
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.








Re: cannot install iozone

2019-03-15 Thread Antoine Jacoutot
On Fri, Mar 15, 2019 at 09:17:32AM +0300, Максим wrote:
> Hello.
> I cannot install iozone though it is shown using command pkglocate
> $ pkglocate iozone
> iozone-3.465:benchmarks/iozone:/usr/local/bin/iozone
> iozone-3.465:benchmarks/iozone:/usr/local/man/man1/iozone.1
> 
> $ pkg_info -Q iozone
> shows nothing
> 
> $ doas pkg_add -i iozone
> quirks-3.107 signed on 2019-03-14T12:02:09Z
> Can't find iozone
> 
> I don't understand what wrong with that package is.
> OpenBSD 6.5 GENERIC.MP#758 amd64

$ cd /usr/ports/benchmarks/iozone/ && make show=PERMIT_PACKAGE_FTP
incomplete/bad license

-- 
Antoine



cannot install iozone

2019-03-15 Thread Максим
Hello.
I cannot install iozone though it is shown using command pkglocate
$ pkglocate iozone
iozone-3.465:benchmarks/iozone:/usr/local/bin/iozone
iozone-3.465:benchmarks/iozone:/usr/local/man/man1/iozone.1

$ pkg_info -Q iozone
shows nothing

$ doas pkg_add -i iozone
quirks-3.107 signed on 2019-03-14T12:02:09Z
Can't find iozone

I don't understand what wrong with that package is.
OpenBSD 6.5 GENERIC.MP#758 amd64

-- 
Best Regards
Maksim Rodin



XSS vuln in cvsweb

2019-03-15 Thread Peter J. Philipp
Hi all,

I have been notified by a wonderful security researcher that my site was
vulnerable to XSS attacks.  The first one was on software I wrote, and the
second one was on software I got from OpenBSD ports.  Not sure if I should
be writing this to the ports mailing list though.

I have written Marc Espie with a patch that I produced for cvsweb, but
haven't heard from him in 11 hours so I want to get this out to everyone.
The vuln was noticeable with this http string (but it's patched now):

https://centroid.eu/cgi-bin/cvsweb/aim64/pci/vgafb.c?f=%22%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E

Similarly I have picked an arbitrary location on OpenBSD's source tree and put
the same string on it, you'll get an XSS vuln block in chrome for this:

https://cvsweb.openbsd.org/src/sbin/clri/clri.c?f=%22%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E

Now for the patch I have written, it took me about 2 hours yesterday to get any
decent results, as I don't usually use perl and have written little in it.  But
here it is.  I have applied this directly on the cvsweb cgi, but really it
should be in the port's patches section.  I'm hoping someone can help me with
that when there is consensus that this patch is right.

->

--- cvsweb.orig Thu Mar 14 18:30:06 2019
+++ cvsweb  Thu Mar 14 20:15:56 2019
@@ -2612,7 +2612,7 @@
sprintf(
'%s/%s?annotate=%s%s', $scriptname,
urlencode($where), $_,
-   $barequery
+   htmlquote($barequery)
)
);
}
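Review bot: HTML-quoting `$barequery` at this sprintf() call site is the right context for an href attribute, but it is applied per call site, and `$barequery` is the same raw string that the next hunk quotes separately; any sprintf() that builds a link from it and is not in this patch keeps the bug. Consider quoting (or, better, URL-encoding the parameter values) once where `$barequery` is assembled and leaving the call sites as they were.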
@@ -2625,7 +2625,7 @@
'[select for diffs]',
sprintf(
'%s?r1=%s%s', $scriptwhere,
-   $_,   $barequery
+   $_,   
htmlquote($barequery)
)
);
} else {
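Review bot: the `+` line of this hunk is wrapped by the mailer: `+   $_,   ` and `htmlquote($barequery)` arrive as two lines, the second without a `+` prefix, so the `7,7` line counts in the `@@` header no longer match and patch(1) will reject the hunk. Resend the diff as an attachment, or as the single line `+   $_,   htmlquote($barequery)`.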
@@ -2828,7 +2828,7 @@
 
foreach (@stickyvars) {
printf('', $_,
-   $input{$_})
+   htmlquote($input{$_}))
if (defined($input{$_})
&& ((!defined($DEFAULTVALUE{$_})
|| $input{$_} ne $DEFAULTVALUE{$_}) && $input{$_} ne ""));
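Review bot: the printf format string reads as an empty `''` in the posted copy, so the hidden-input markup this value is being quoted into cannot be checked here; please repost with the markup intact. Quoting `$input{$_}` is the right change for an attribute value. The `$_` name argument stays raw, which is fine as long as it only ever comes from the fixed `@stickyvars` list the loop iterates over; a comment saying so would help the next reader.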
@@ -3267,7 +3267,7 @@
join ('', $scriptname,
urlencode($wherepath),
(!$last || $lastslash ? '/' : ''),
-   $query,
+   htmlquote($query),
(!$last || $lastslash ? "#dirlist" : "")
));
} else {# do not make a link to the current dir
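Review bot: `htmlquote($query)` is correct here, and the `&amp;` it produces is the right form for an `&` inside an href. Note that the line above already applies `urlencode` to `$wherepath` but nothing URL-encodes the values inside `$query`; encoding those at the point `$query` is built would make the HTML quoting a second layer rather than the only defense.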
@@ -3508,6 +3508,7 @@
# Special Characters; RFC 1866
s/&//g;
s/\"//g;
+   s/%22//g;
s///g;
 
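Review bot: `s/%22//g;` is a blocklist on one percent-encoding of one character and does not belong in a quoting routine: it silently deletes legitimate `%22` sequences from anything passed through here (a percent-encoded URL containing a quote loses characters), while `%3C`, `%3E` and the mixed-case `%3c` pass straight through, and the reporter's own test URL uses `%3C`/`%3E`. Drop this line; the output quoting in the hunks above, together with decoding query parameters exactly once on input, is the fix. Separately, the surrounding `s/&//g;` and `s/\"//g;` lines show without their replacement text in the posted copy, so the routine as pasted cannot be reviewed either.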

<-

Best Regards,
-peter
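The following is an added example for the defect class in this report; it is not cvsweb's code and not Peter's patch. It mirrors the shape of the sprintf() calls the patch touches (script name, path, revision and a query string joined into an href) and contrasts splicing the raw query string into the attribute with encoding for each context in turn: percent-encode parameter values into the URL, then HTML-escape the finished URL for the attribute. It also shows why deleting the literal text `%22`, as the patch's last hunk does, is not a fix. The function names, the `/cgi-bin/cvsweb` script path and the file path are illustrative; the input is the `f` parameter from the reported URL, URL-decoded on the assumption that the CGI decodes it before use.

```python
"""Context-correct encoding for a CGI-built hyperlink.

Added example for the cvsweb report; not cvsweb's code and not the posted patch.
Names, paths and the decoding assumption are illustrative.
"""
import html
from urllib.parse import quote, unquote, urlencode

# Constructed input: the 'f' parameter from the reported URL, decoded as a CGI
# would decode it before building output (assumption about the CGI).
REPORTED_F = unquote("%22%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E")


def annotate_link_unsafe(scriptname, where, rev, barequery):
    """'Before' shape: the decoded query string is spliced raw into the attribute."""
    return '<a href="%s/%s?annotate=%s%s">%s</a>' % (
        scriptname, quote(where), rev, barequery, rev)


def annotate_link_fixed(scriptname, where, rev, params):
    """Encode per context: percent-encode values into the URL, then HTML-escape the attribute."""
    url = "%s/%s?annotate=%s" % (scriptname, quote(where), quote(rev))
    if params:
        url += "&" + urlencode(params)          # '"' -> %22, '<' -> %3C, '/' -> %2F, ...
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True), html.escape(rev))


def href_value(fragment):
    """The attribute value an HTML parser would take: text up to the next double quote."""
    return fragment.split('href="', 1)[1].split('"', 1)[0]


def tag_is_intact(fragment):
    """True when the only tag after the href's closing quote is the </a> we wrote."""
    after = fragment.split('href="', 1)[1].split('"', 1)[1]
    return after.startswith(">") and after.count("<") == 1


def strip_percent22(s):
    """The blocklist from the patch's last hunk: removes the text '%22' and nothing else."""
    return s.replace("%22", "")


if __name__ == "__main__":
    unsafe = annotate_link_unsafe("/cgi-bin/cvsweb", "aim64/pci/vgafb.c", "1.1",
                                  "&f=" + REPORTED_F)
    fixed = annotate_link_fixed("/cgi-bin/cvsweb", "aim64/pci/vgafb.c", "1.1",
                                {"f": REPORTED_F})
    print("unsafe href:", href_value(unsafe), "| tag intact:", tag_is_intact(unsafe))
    print("fixed  href:", href_value(fixed), "| tag intact:", tag_is_intact(fixed))
    print("after %22 strip:", strip_percent22("%22%3E%3Cscript%3E"))
```

In the unsafe form the parser's href ends at `&f=` and the rest of the input becomes markup; in the fixed form the whole value survives inside the attribute as `%22%3E%3C...`, and `&` is written as `&amp;`, which is what the patch's `htmlquote` produces at its call sites. The `strip_percent22` call shows the encoded `<` and `>` surviving untouched, which is why that hunk should go.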