Incoming connection via VLAN

2019-08-29 Thread Felix Hanley
Hello all,

My home internet connection (Internode Australia) has recently been
"upgraded" and is now delivered via VLAN ID 2. Previously I had the
following configuration, which worked without issue:

# cat /etc/hostname.em0
up

# cat /etc/hostname.pppoe0
inet 0.0.0.0 255.255.255.255 NONE \
pppoedev em0 authproto pap \
authname 'x...@internode.on.net' \
authkey '' up
dest 0.0.0.1
inet6 eui64
!/sbin/route add default -ifp pppoe0 0.0.0.1
!/sbin/route add -inet6 default -ifp pppoe0 fe80::%pppoe0
!/etc/rc.d/dhcp6c restart
!/sbin/pfctl -ef /etc/pf.conf

After working out the vlan stuff I now have the following:

# cat /etc/hostname.em0
up

# cat /etc/hostname.vlan2
vnetid 2 parent em0 txprio 1
up

# cat /etc/hostname.pppoe0
inet 0.0.0.0 255.255.255.255 NONE \
llprio 1 mtu 1440 \
pppoedev vlan2 authproto pap \
authname 'x...@internode.on.net' \
authkey '' up
dest 0.0.0.1
inet6 eui64
!/sbin/route add default -ifp pppoe0 0.0.0.1
!/sbin/route add -inet6 default -ifp pppoe0 fe80::%pppoe0
!/etc/rc.d/dhcp6c restart
!/sbin/pfctl -ef /etc/pf.conf

I am able to access the internet fine. My problem is that incoming
connections are unable to access the OBSD router itself but are able to be
redirected to internal hosts just fine. There were no problems with this
prior to the vlan stuff. My stripped-down pf.conf is:

# cat /etc/pf.conf
egress = "pppoe0"
zappa = "10.0.1.2"

set skip on lo
set skip on vlan2
set block-policy drop
set loginterface $egress

queue outq on $egress bandwidth 13M max 13M flows 1024 qlimit 1024 default

match in inet all scrub (no-df random-id)
match on $egress inet scrub (max-mss 1440)
# NAT all outbound IPv4 traffic from the rest of our network
match out on $egress inet from !($egress:network) to any nat-to ($egress:0)

antispoof quick for lo

pass in on $egress proto { tcp udp } from any to ($egress) port { ssh http https }
pass in on $egress proto tcp from any to ($egress) port 51022 rdr-to $zappa port ssh

Running tcpdump on pppoe0 shows ICMP packets but never any SSH (or other
TCP) packets coming in on egress. I am confused that rdr-to works but
connections to the router itself do not.

Any help would be greatly appreciated.

-felix



Singaporean Mr. Teo En Ming's Refugee Seeking Attempts

2019-08-29 Thread Turritopsis Dohrnii Teo En Ming
Subject: Singaporean Mr. Teo En Ming's Refugee Seeking Attempts

In reverse chronological order:

[1] Petition to the Government of Taiwan for Refugee Status, 5th August 2019 
Monday

Photo #1: At the building of the National Immigration Agency, Ministry of the 
Interior, Taipei, Taiwan, 5th August 2019

Photo #2: Queue ticket at the National Immigration Agency, Ministry of the 
Interior, Taipei, Taiwan, 5th August 2019

Photo #3: Submission of documents/petition to the National Immigration Agency, 
Ministry of the Interior, Taipei, Taiwan, 5th August 2019

Photos #4 and #5: Acknowledgement of Receipt for the submission of 
documents/petition from the National Immigration Agency, Ministry of the 
Interior, Taipei, Taiwan, 5th August 2019

References:

(a) Petition to the Government of Taiwan for Refugee Status, 5th August 2019 
Monday (Blogspot)

Link: 
https://tdtemcerts.blogspot.sg/2019/08/petition-to-government-of-taiwan-for.html

(b) Petition to the Government of Taiwan for Refugee Status, 5th August 2019 
Monday (Wordpress)

Link: 
https://tdtemcerts.wordpress.com/2019/08/23/petition-to-the-government-of-taiwan-for-refugee-status/

[2] Application for Refugee Status at the United Nations Refugee Agency, 
Bangkok, Thailand, 21st March 2017 Tuesday

References:

(a) [YOUTUBE] Vlog: The Road to Application for Refugee Status at UNHCR Bangkok

Link: https://www.youtube.com/watch?v=utpuAa1eUNI

YouTube video Published on March 22nd, 2017





-BEGIN EMAIL SIGNATURE-

The Gospel for all Targeted Individuals (TIs):

[The New York Times] Microwave Weapons Are Prime Suspect in Ills of
U.S. Embassy Workers

Link: 
https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html



Singaporean Mr. Turritopsis Dohrnii Teo En Ming's Academic
Qualifications as at 14 Feb 2019

[1] https://tdtemcerts.wordpress.com/

[2] https://tdtemcerts.blogspot.sg/

[3] https://www.scribd.com/user/270125049/Teo-En-Ming

-END EMAIL SIGNATURE-



Re: VM CPU usage with TSC timecounter

2019-08-29 Thread Mike Larkin
On Thu, Aug 29, 2019 at 10:29:40PM +0100, Oriol Demaria wrote:
> I have been following the patching of the TSC. So I don't have problems on
> the Ryzen now using TSC with the mouse and so on, but I have a problem with
> the vms. The CPU maxes out on the Ryzen 5 (on Intel is fine) when I run a vm
> (debian).
> 
> But when I change the timecounter back to acpihpet0 and restart vmd, the CPU
> usage is normal again. Does anyone else have this problem?
> 
> Regards.
> 
> -- 
> Oriol Demaria
> 2FFED630C16E4FF8
> 

40400 _vmd  100 8195M  505M idle  fsleep  1:35  1.46% vmd

Not here. That's an ubuntu19 vm on Ryzen 7.

Does this happen all the time or is it random? We do have a longstanding
well known bug where a VM can get stuck and spin to 100%, that's unrelated
to TSC though.

-ml



VM CPU usage with TSC timecounter

2019-08-29 Thread Oriol Demaria
I have been following the patching of the TSC. So I don't have problems 
on the Ryzen now using TSC with the mouse and so on, but I have a 
problem with the vms. The CPU maxes out on the Ryzen 5 (on Intel is 
fine) when I run a vm (debian).


But when I change the timecounter back to acpihpet0 and restart vmd, the 
CPU usage is normal again. Does anyone else have this problem?


Regards.

--
Oriol Demaria
2FFED630C16E4FF8



Re: dhcrelay

2019-08-29 Thread shadrock uhuru
hiya
thanks for the reply
> hi everyone
> if i have a dhcp server in subnet A connected to interface em0 (lan) and
> subnet B connected to interface iwn0 (wireless zone) on the router
> with dhcrelay -i em0 running on the router should the wireless subnet be
> able to get its dhcp address from the dhcp server on the lan ?
> No, you would need to run 
>
>dhcrelay -i iwn0 
>
> to do that.
finally got that sorted,
but led me to another question
i have two dhcp servers on samba domain controllers,
can a second server-ip address be added like this to dhcrelay

dhcrelay -i iwn0  

i haven't seen any examples like this on the net
shadrock



missing PD Prefix 's

2019-08-29 Thread shadrock uhuru
hi everyone

how do i check if rad is working correctly
i have a PD Prefix address on my routers wan interface
but not on its lan interface or anywhere on the lan
rad is configured with the following
cat /etc/rad.conf
interface em0
interface em1
interface tun0

i also have dhcpcd configured
cat << EOF > /etc/dhcpcd.conf
ipv6only
noipv6rs
duid
persistent
option rapid_commit
require dhcp_server_identifier
slaac private
nohook resolv.conf, lookup-hostname
allowinterfaces bge0 em0 em1 tun0
script ""

interface bge0
  ia_na 1
  ia_pd 2 em0/0
  ia_pd 3 em1/1
  ia_pd 4 tun0/2
 



Re: support new

2019-08-29 Thread Todd C . Miller
On Thu, 29 Aug 2019 11:43:40 +0200, Ingo Schwarze wrote:

> It would no doubt be nice to have a support.html entry for Turkey,
> but i'm not convinced i want to add a person who is not even able
> to send properly formatted email.

The original message was html and got reformatted to text.  That
doesn't always produce the nicest results.

If they were to re-send as plain text that would probably help.

 - todd



Problems configuring Unbound?

2019-08-29 Thread Mogens Jensen
I'm using OpenBSD 6.5 and trying to configure "views" in Unbound.

This is the configuration file:

===
server:
    interface: 0.0.0.0

    access-control: 192.168.0.0/24 allow
    access-control-view: 192.168.0.0/24 firstview

    local-zone: "local." static
    local-data: "cups.local. IN A 192.168.1.1"

view:
    name: "firstview"
    local-zone: "local." static
    local-data: "gateway.local. IN A 192.168.0.1"
    view-first: yes

forward-zone:
    name: "."
    forward-addr: 8.8.8.8
===

The problem is that Unbound will not use the global local-zone tree
after no match is found in a view, even though view-first is set to
yes.

This is output from a client in 192.168.0.0/24 when running Unbound
with the above configuration file:

===
client:~$ host -t cups.local
Host cups.local not found: 3(NXDOMAIN)
client:~$ host -t gateway.local
gateway.local has address 192.168.0.1
===

If I remove "access-control-view: 192.168.0.0/24 firstview" and try
again from the same client:

===
client:~$ host -t cups.local
cups.local has address 192.168.1.1
client:~$ host -t gateway.local
Host gateway.local not found: 3(NXDOMAIN)
===

What could I be doing wrong?

Thanks.

Mogens Jensen


Re: What is you motivational to use OpenBSD

2019-08-29 Thread Chris Bennett
I decided to move away from Windows and I needed to set up a web and
email server. Trying many different versions of Linux left me
unsatisfied. Then I accidentally ran into the OpenBSD website.
That was exactly what I wanted.
As a totally inexperienced guy, I found a server company that could
pre-install it. I never looked back and learned almost everything
remotely. I dual-booted at home for a while, and I have used OpenBSD only
for a long time now.

I have found two interesting things about the mailing lists.
1. Here is what you need to know, how else can I help.
2. RTFM and read the source code yourself.

I found reading the source code a little frustrating at first.
But I have realized that the OpenBSD community is NOT about holding your
hand. There is an expectation that you need to put out the effort
necessary to at least try to figure it out yourself. If that means
learning some C or Perl or other languages, then you will have to do
that.
I now heartily agree with this. Why should a developer waste time when
there are truly more important things that constantly change as the
world moves forward? I have never been concerned about missing a few
months without checking up on a server. Problems are very very rare!
And fixed really really fast!

Thanks for giving me a fantastic system and the chance to laugh at the
other OS's that think security and bug fixing is an optional concern!

Chris Bennett




Re: relayd: "listen on egress" only listens to IPv4 and not IPv6

2019-08-29 Thread trondd
On Thu, August 29, 2019 8:55 am, Muhammad Kaisar Arkhan wrote:
> Hi Tom,
>
>> listen  on 2a03:6000:9106::50f7:f07a:d1cc port 443 tls
>
> I've tried this before, it just results in this:
>
> /etc/relayd.conf:33: cannot load certificates for relay https2:443
>
> I'm not sure why it does this despite the fact I have clearly
> indicated which TLS certificates to use in relayd.conf with the
> new "tls keypair" feature.
>
> % cat /etc/relayd.conf
>
> log connection
>
> table  { 127.0.0.1 }
> table  { 127.0.0.1 }
> table  { 127.0.0.1 }
>
> http protocol "reverse_proxy" {
> return error
>
> match header set "X-Forwarded-For" value "$REMOTE_ADDR"
> match header set "X-Forwarded-By" value
> "$SERVER_ADDR:$SERVER_PORT"
>
> match request header "Host" value "znc.yukiisbo.red" \
> forward to 
>
> tls keypair "yukiisbo.red"
> tls keypair "arkhan.io"
> tls keypair "znc.yukiisbo.red"
> }
>

Are the certificate and key files named correctly and placed in the
appropriate locations as specified in the manpage?




Re: relayd: "listen on egress" only listens to IPv4 and not IPv6

2019-08-29 Thread Muhammad Kaisar Arkhan
Hi Tom,

> listen  on 2a03:6000:9106::50f7:f07a:d1cc port 443 tls

I've tried this before, it just results in this:

/etc/relayd.conf:33: cannot load certificates for relay https2:443

I'm not sure why it does this despite the fact I have clearly 
indicated which TLS certificates to use in relayd.conf with the
new "tls keypair" feature.

% cat /etc/relayd.conf

log connection

table  { 127.0.0.1 }
table  { 127.0.0.1 }
table  { 127.0.0.1 }

http protocol "reverse_proxy" {
return error

match header set "X-Forwarded-For" value "$REMOTE_ADDR"
match header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"

match request header "Host" value "znc.yukiisbo.red" \
forward to 

tls keypair "yukiisbo.red"
tls keypair "arkhan.io"
tls keypair "znc.yukiisbo.red"
}

relay "https" {
listen on vio0 port 443 tls
listen on 2a03:6000:9106::50f7:f07a:d1cc port 443 tls

protocol "reverse_proxy"

forward to  port 80
forward to  port 
}

protocol "znc" {
tls keypair "znc.yukiisbo.red"
}

relay "irc" {
listen on vio0 port 6697 tls
listen on 2a03:6000:9106::50f7:f07a:d1cc port 6697 tls

protocol "znc"
forward to  port 
}



Re: relayd: "listen on egress" only listens to IPv4 and not IPv6

2019-08-29 Thread Tom Smyth
try

listen  on 2a03:6000:9106::50f7:f07a:d1cc port 443 tls

and see if that works

On Thu, 29 Aug 2019 at 13:37, Muhammad Kaisar Arkhan 
wrote:

> > can  you run
> > ifconfig interfacename
> > route -n show
>
> % ifconfig vio0
>
> vio0:
> flags=408b43
> mtu 1500
> lladdr xx:xx:xx:xx:xx:xx
> index 1 priority 0 llprio 3
> groups: egress
> media: Ethernet autoselect
> status: active
> inet 46.23.92.126 netmask 0xff00 broadcast 46.23.92.255
> inet6 fe80::fce1:bbff:fed3:5b04%vio0 prefixlen 64 scopeid 0x1
> inet6 2a03:6000:9106::50f7:f07a:d1cc prefixlen 64
>
> % route -n show
>
> Routing tables
>
> Internet:
> Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> default            46.23.92.1         UGS       23 66128822     -     8 vio0
> ...
>
> Internet6:
> Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> default            2a03:6000:9106::1  UGS        0    21655     -     8 vio0
> ...
>
>
> Thanks.
>


-- 
Kindest regards,
Tom Smyth.


Re: relayd: "listen on egress" only listens to IPv4 and not IPv6

2019-08-29 Thread Muhammad Kaisar Arkhan
> can  you run
> ifconfig interfacename
> route -n show

% ifconfig vio0

vio0: 
flags=408b43
 mtu 1500
lladdr xx:xx:xx:xx:xx:xx
index 1 priority 0 llprio 3
groups: egress
media: Ethernet autoselect
status: active
inet 46.23.92.126 netmask 0xff00 broadcast 46.23.92.255
inet6 fe80::fce1:bbff:fed3:5b04%vio0 prefixlen 64 scopeid 0x1
inet6 2a03:6000:9106::50f7:f07a:d1cc prefixlen 64

% route -n show

Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            46.23.92.1         UGS       23 66128822     -     8 vio0
...

Internet6:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            2a03:6000:9106::1  UGS        0    21655     -     8 vio0
...


Thanks.



Re: OpenBSD 6.6 snapshot #262 - no USB mouse

2019-08-29 Thread Stefan Sperling
Kernel #262 is known to be broken.
Compile your own from -current sources or wait for the next snapshot.



Re: pppoe only connects if tcpdump is running?!

2019-08-29 Thread Mara Toni
Hello,

problem solved: I tried with another Gbit PCI card! it worked instantly.

about the BAD PCI Gbit card, where pppoe only works when tcpdump is running:


on the chip:

Pulse
H5007NL
1842 CHINA

on the board of the NIC:

94V-0 SR-01
E258603
DW-RTL8111-17 VER A




> Sent: Sunday, August 25, 2019 at 3:24 PM
> From: "Mara Toni" 
> To: misc@openbsd.org
> Subject: pppoe only connects if tcpdump is running?!
>
> Hello!
>
> I got myself a new PCI ethernet card instead of an old USB3 to ethernet in a 
> "router" named desktop machine.
>
> in short:
> But pppoe doesn't connects via the new PCI card. Only if I start a tcpdump on 
> it!?
>
>
> longer:
> #
> # THE CONFIG
>
> router# cat /etc/hostname.re1
> up lladdr xx:xx:xx:xx:xx:xx
> router#
> router# cat /etc/hostname.pppoe0
> inet 0.0.0.0 255.255.255.255 NONE pppoedev re1 authproto pap debug authname 
> 'censored' authkey 'censored' up
> dest 0.0.0.1
> !/sbin/route add default -ifp pppoe0 0.0.0.1
> router#
>
> OpenBSD 6.5 amd64
>
> #
> # THE STATE
>
> router# ifconfig re1
> re1: flags=8843 mtu 1500
> lladdr xx:xx:xx:xx:xx:xx
> index 2 priority 0 llprio 3
> media: Ethernet 100baseTX full-duplex
> status: active
> router#
> router# ifconfig pppoe0
> pppoe0: flags=8855 mtu 1492
> index 5 priority 0 llprio 3
> dev: re1 state: PADI sent
> sid: 0x0 PADI retries: 5 PADR retries: 0
> sppp: phase establish authproto pap authname "censored"
> groups: pppoe egress
> status: no carrier
> inet 0.0.0.0 --> 0.0.0.1 netmask 0x
> router#
>
> router# dmesg|grep re1
> re1 at pci3 dev 0 function 0 "Realtek 8168" rev 0x07: RTL8168E/8111E-VL 
> (0x2c80), msi, address xx:xx:xx:xx:xx:xx
> rgephy1 at re1 phy 7: RTL8169S/8110S/8211 PHY, rev. 5
> router#
>
> #
> # I TRIED:
>
> - rebooting, waiting for many minutes
> - pap or chap
> - mac filtering is OK, that is the MAC, what is in the hostname.re1
> - doing: ifconfig re1 media "10baseT" - thinking of cable issue
> - tried to plug in to the pci eth card via a Gbit switch, still no pppoe
> - "ifconfig pppoe0 down" and "up" gives only these debug messages:
>
> down:
> Aug 24 15:15:06 router /bsd: pppoe0: lcp close(starting)
> Aug 24 15:15:06 router /bsd: pppoe0: lcp starting->initial
> Aug 24 15:15:06 router /bsd: pppoe0: phase dead
>
> up:
> Aug 24 15:15:11 router /bsd: pppoe0: lcp close(initial)
> Aug 24 15:15:11 router /bsd: pppoe0: lcp open(initial)
> Aug 24 15:15:11 router /bsd: pppoe0: lcp initial->starting
> Aug 24 15:15:11 router /bsd: pppoe0: phase establish
> Aug 24 15:15:11 router /bsd: pppoe0 (8863) state=1, session=0x0 output -> 
> ff:ff:ff:ff:ff:ff, len=18
>
> #
> # INTERESTING THING:
>
> if I plug back my old USB3 to ethernet, it works instantly (via the usb3 eth):
>
> router# mv /etc/hostname.re1 /etc/hostname.cdce0
> router# sed -i 's/re1/cdce0/g' /etc/hostname.pppoe0
> +puting the ISP cable to cdce0.
> then "reboot"
> it works... gets IP:
>
> router# ifconfig cdce0
> cdce0: flags=8843 mtu 1500
> lladdr xx:xx:xx:xx:xx:xx
> index 5 priority 0 llprio 3
> router#
> router# ifconfig pppoe0
> pppoe0: flags=8855 mtu 1492
> index 6 priority 0 llprio 3
> dev: cdce0 state: session
> sid: 0x5eb PADI retries: 0 PADR retries: 0 time: 00:00:20
> sppp: phase network authproto pap authname "censored"
> groups: pppoe egress
> status: active
> inet yy.yy.yyy.yyy --> 10.0.0.1 netmask 0x
> router#
>
> #
>
> a funny thing happened. I wanted to do a tcpdump on the pci ethernet re1, and 
> during tcpdump, pppoe connected:
>
> router# tcpdump -i re1
> ...
> pppoe0: flags=8855 mtu 1492
> index 6 priority 0 llprio 3
> dev: re1 state: session
> sid: 0x16f4 PADI retries: 9 PADR retries: 0 time: 00:01:24
> sppp: phase network authproto pap authname "censored"
> groups: pppoe egress
> status: active
> inet yy.yy.yy.yyy --> 10.0.0.1 netmask 0x
>
> So it ONLY successfully connects via pppoe if tcpdump is running for re1! Why?
>
> I can 100% reproduce it. If I stop the tcpdump, the public IP stays, but 
> there is no internet connection to the world.
>
> is this a bug? or a flag is set by tcpdump for the nic?
>
> #
>
> What am I missing? Why can't I connect via pppoe with the PCI ethernet card 
> without running tcpdump on it?
>
> Thanks.
>
>



Re: relayd: "listen on egress" only listens to IPv4 and not IPv6

2019-08-29 Thread Tom Smyth
can  you run
ifconfig interfacename
route -n show

On Thu, 29 Aug 2019 at 12:03, Muhammad Kaisar Arkhan 
wrote:

> Hi Tom,
>
> > In any case... just specify the interface manually, on the config line
> >
> > --listen on egress port 443 tls
> >
> > ++listen on vio0 port 443 tls
> >
> > replace vio0  with your actual  "egress" interface name
>
> I tried it. Sadly it doesn't work, it still only listens to IPv4.
>
> % cat /etc/relayd.conf
>
> ...
> relay "https" {
>  listen on vio0 port 443 tls
> ...
> }
>
> % netstat -nat | grep LISTEN | grep '.443'
> tcp  0  0  46.23.92.126.443   *.*LISTEN
>
> Thanks.
>


-- 
Kindest regards,
Tom Smyth.


Re: relayd: "listen on egress" only listens to IPv4 and not IPv6

2019-08-29 Thread Muhammad Kaisar Arkhan
Hi Tom,

> In any case... just specify the interface manually, on the config line
> 
> --listen on egress port 443 tls
> 
> ++listen on vio0 port 443 tls
> 
> replace vio0  with your actual  "egress" interface name

I tried it. Sadly it doesn't work, it still only listens to IPv4.

% cat /etc/relayd.conf

...
relay "https" {
 listen on vio0 port 443 tls
...
}

% netstat -nat | grep LISTEN | grep '.443'
tcp  0  0  46.23.92.126.443   *.*LISTEN

Thanks.



Re: Package -stable updates

2019-08-29 Thread Andreas Kusalananda Kähäri
On Thu, Aug 29, 2019 at 09:50:48AM +0200, Andre Stoebe wrote:
> On 29.08.2019 01:59, Steven Shockley wrote:
> > So, many thanks to everyone who put together the new -stable updates for
> > packages.  Is there a command I can put in the crontab that will only
> > output if there are updates?  Similar to what syspatch or openup does.
> > I tried pkg_add -unx, but that still tells me to delete old files and
> > prints the quirks line even if there are no updates.
> 
> Hi Steven,
> 
> here's what I came up with in my /etc/daily.local file...
> 
> (pkg_add -suv | sed -En 's/^Adding (.+)\(pretending\)/\1/p') 2>&1 \
> | grep -v ': Requesting'
> 
> Initially I didn't use the verbose option and a simpler sed expression,
> but I eventually found that pkg_add's output differs whether a terminal
> is attached or not. So that's what works for me.
> 
> Regards
> Andre

You could also do as sysupgrade(8) does and download the SHA256 file,
compare it to a locally stored copy of it. If it is different, there
are new packages and you can try running "pkg_add -u" when you have
the inclination to do so (or immediately from the same script). Then
update the locally stored copy of the SHA256 file with the version just
downloaded.

This is my script (note: I'm following snapshots rather than -stable, so
some slight tweaking will be necessary).  I'm running it with my
unprivileged user from the command line to upgrade everything (the
first "doas sysupgrade" is not commented out in my version):

#!/bin/sh -eux

# doas sysupgrade  # to also make sure that the system is up-to-date

tmpfile=$(mktemp)
stamp=$HOME/.sha256.ports

trap 'rm -f "$tmpfile"' EXIT

read installurl 
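The stamp-file approach described above, written out as an added example (this is not Andreas's script, which is cut off in the archive, and not an OpenBSD tool): fetch the mirror's SHA256 index for the packages directory, print only the package files whose index line is new or changed compared with the locally stored copy, then remember the new index. It assumes /etc/installurl holds the mirror base URL, the standard mirror layout of release/packages-stable/arch/SHA256 (snapshot followers would point PKGCHECK_DIR at snapshots/packages instead), a stamp file under $HOME, and OpenBSD's ftp(1) for the download. The helper names, the environment variables and the sample index files in the demo are all constructed for this example.

```shell
#!/bin/sh
# Added example: report new -stable packages by comparing the mirror's
# SHA256 index with a locally stored copy (the approach described above).
#
# Assumptions (adjust to your setup):
#   - /etc/installurl holds the mirror base URL
#     (e.g. https://cdn.openbsd.org/pub/OpenBSD)
#   - the index lives at <installurl>/<release>/packages-stable/<arch>/SHA256
#   - the last seen index (the "stamp") is kept in $HOME/.sha256.ports
set -eu

stamp=${PKGCHECK_STAMP:-${HOME:-/var/tmp}/.sha256.ports}
pkgdir=${PKGCHECK_DIR:-packages-stable}

# URL of the SHA256 index for this release and architecture (hypothetical helper).
packages_sha256_url() {
    installurl=$(sed -n 1p /etc/installurl)
    printf '%s/%s/%s/%s/SHA256\n' "$installurl" "$(uname -r)" "$pkgdir" "$(uname -p)"
}

# Print the package file names whose index line is present in $1 (new index)
# but absent from $2 (previous index): added or re-hashed packages.
# A missing or empty previous index means every package counts as new.
changed_packages() {
    new=$1
    old=$2
    if [ -s "$old" ]; then
        # Whole-line fixed-string comparison; grep exits 1 when nothing is
        # new, which is not an error here.
        grep -vxF -f "$old" "$new" || :
    else
        cat "$new"
    fi | sed -n 's/^SHA256 (\(.*\)) = .*/\1/p'
}

# Fetch the current index, print changes (if any) and remember the index.
# Returns 0 when something changed, 1 when the mirror is unchanged.
check_for_updates() {
    tmpfile=$(mktemp)
    trap 'rm -f "$tmpfile"' EXIT
    ftp -o "$tmpfile" "$(packages_sha256_url)"
    changed=$(changed_packages "$tmpfile" "$stamp")
    if [ -n "$changed" ]; then
        echo "Packages changed on the mirror since the last check:"
        echo "$changed"
        # Remember what we have seen; run "pkg_add -u" when convenient.
        cp "$tmpfile" "$stamp"
        return 0
    fi
    return 1
}

# Offline demonstration on a constructed pair of index files (fake hashes,
# fake versions): curl got a -stable bump, quirks is unchanged.
demo_constructed() {
    dir=$(mktemp -d)
    cat > "$dir/old" <<'EOF'
SHA256 (curl-7.65.3.tgz) = 0000000000000000000000000000000000000000000000000000000000000001
SHA256 (quirks-3.139.tgz) = 0000000000000000000000000000000000000000000000000000000000000002
EOF
    cat > "$dir/new" <<'EOF'
SHA256 (curl-7.65.3p0.tgz) = 0000000000000000000000000000000000000000000000000000000000000003
SHA256 (quirks-3.139.tgz) = 0000000000000000000000000000000000000000000000000000000000000002
EOF
    changed_packages "$dir/new" "$dir/old"   # prints: curl-7.65.3p0.tgz
    rm -rf "$dir"
}

case ${1:-} in
    check) check_for_updates ;;
    demo)  demo_constructed ;;
esac
```

Run it as `sh pkgcheck.sh check` from a cron entry or /etc/daily.local; it stays silent while the index matches the stamp, which is the "only output if there are updates" behaviour asked for at the top of the thread. `sh pkgcheck.sh demo` exercises the comparison on the constructed files without touching the network. Note that the index comparison is only a change detector: authenticity of what you then install is still established by pkg_add's signature verification of the packages themselves, so the stamp file needs no special protection beyond keeping it out of other users' reach.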

Re: relayd: "listen on egress" only listens to IPv4 and not IPv6

2019-08-29 Thread Tom Smyth
Hi Muhammad,

Check your IPv6 routing table: is there a default route in your v6 routing
table?
If I understand egress correctly, it is the external interface, which at a
guess is chosen as the interface that the default route in your routing
table would use.

In any case... just specify the interface manually, on the config line

--listen on egress port 443 tls

++listen on vio0 port 443 tls

replace vio0  with your actual  "egress" interface name

On Thu, 29 Aug 2019 at 10:58, Muhammad Kaisar Arkhan 
wrote:

> Hi misc@,
>
> I have relayd running on my -current machine which does reverse proxies
> along with TLS relays for various programs and it seems when using
> "listen on egress", it only listens to IPv4 and doesn't listen to IPv6.
>
> In httpd, this is not the case, when using "listen on egress" it listens
> to both IPv4 and IPv6.
>
> Since I require SNI, I'm using the new "tls keypair" feature and it
> seems if I have multiple listens it results in the following error:
>
> /etc/relayd.conf:33: cannot load certificates for relay https2:443
>
> Even though there's "tls keypair" clearly indicating which certificates
> to use.
>
> My -current system is dated 25-08-2019.
>
> Here's some more relevant information:
>
> % dmesg | head
>
> OpenBSD 6.6-beta (GENERIC) #236: Sun Aug 25 13:46:21 MDT 2019
>  dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
>
> % cat /etc/relayd.conf
>
> ...
> relay "https" {
>listen on egress port 443 tls
>
>protocol "reverse_proxy"
>
>forward to  port 80
> ...
> }
> ...
>
> % netstat -nat | grep LISTEN
>
> ...
> tcp 0 0 xx.xx.xx.xx.443 *.* LISTEN
> ...
>
> Thanks.
>
>

-- 
Kindest regards,
Tom Smyth.


Re: What is you motivational to use OpenBSD

2019-08-29 Thread Magnus Wild

On 8/28/19 4:32 PM, Mohamed salah wrote:

I want to put something up for discussion: what's your motivation to use
OpenBSD rather than other BSDs or GNU/Linux? If something doesn't work
fine on OpenBSD and you love this OS so much, what will you do?



I enjoy using it because of its clean design. It's a fairly simple 
system, with sane default configuration and it "just works" on most 
laptops that I've used it on.


I use a lot of Linux at work and in other environments as well, and the 
application support is naturally better. But the things I really care 
about work on OpenBSD, and as such, I tend to come back to it when 
using computers in my free time.




relayd: "listen on egress" only listens to IPv4 and not IPv6

2019-08-29 Thread Muhammad Kaisar Arkhan

Hi misc@,

I have relayd running on my -current machine which does reverse proxies
along with TLS relays for various programs and it seems when using
"listen on egress", it only listens to IPv4 and doesn't listen to IPv6.

In httpd, this is not the case, when using "listen on egress" it listens
to both IPv4 and IPv6.

Since I require SNI, I'm using the new "tls keypair" feature and it
seems if I have multiple listens it results in the following error:

/etc/relayd.conf:33: cannot load certificates for relay https2:443

Even though there's "tls keypair" clearly indicating which certificates
to use.


My -current system is dated 25-08-2019.

Here's some more relevant information:

% dmesg | head

OpenBSD 6.6-beta (GENERIC) #236: Sun Aug 25 13:46:21 MDT 2019
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC

% cat /etc/relayd.conf

...
relay "https" {
  listen on egress port 443 tls

  protocol "reverse_proxy"

  forward to  port 80
...
}
...

% netstat -nat | grep LISTEN

...
tcp 0 0 xx.xx.xx.xx.443 *.* LISTEN
...

Thanks.



Re: support new

2019-08-29 Thread Ingo Schwarze
Hello Ibrahim,

Ibrahim Topbasi wrote on Thu, Aug 29, 2019 at 12:04:39PM +0300:

> 0C TURKEYP AnkaraT CankayaZ 06510A 2139. Street 2/11O Rakort Information
> TechnologiesI Ibrahim TopbasiM open...@rakort.comu http://www.rakort.comB
> 90-850-460-10-58X 90-850-460-10-58N More than 5 years, OpenBSD
> setup/installation/remote administration. Network engineering, software
> development(C/Python/PHP/PostgreSQL/MySQL). Also experienced with Solaris
> and Linux.We specialize in providing solid open source solutions for
> businesses using OpenBSD, ? and Linux. MCSE, CCNA, RHCE certifications,
> VPNs, firewalls, wireless, DNS, squidGuard, mail - even training with
> OpenBSD.

It would no doubt be nice to have a support.html entry for Turkey,
but i'm not convinced i want to add a person who is not even able
to send properly formatted email.

Then, i consider using "OpenBSD OpenBSD" as the comment in the From:
Header of outgoing email pretentious, maybe even offensive.
A serious business would put the real name of a real person in that
place and additionally use the Reply-To: header.

Besides, while i guess it is OK that the website is in Turkish
language only, it doesn't appear to even mention OpenBSD, so i think
this request ought to be disregarded.

Yours,
  Ingo

-- 
Ingo Schwarze 
http://www.openbsd.org/   
http://mandoc.bsd.lv/ 



support new

2019-08-29 Thread OpenBSD OpenBSD
0C TURKEYP AnkaraT CankayaZ 06510A 2139. Street 2/11O Rakort Information
TechnologiesI Ibrahim TopbasiM open...@rakort.comu http://www.rakort.comB
90-850-460-10-58X 90-850-460-10-58N More than 5 years, OpenBSD
setup/installation/remote administration. Network engineering, software
development(C/Python/PHP/PostgreSQL/MySQL). Also experienced with Solaris
and Linux.We specialize in providing solid open source solutions for
businesses using OpenBSD, � and Linux. MCSE, CCNA, RHCE certifications,
VPNs, firewalls, wireless, DNS, squidGuard, mail - even training with
OpenBSD.


Re: Package -stable updates

2019-08-29 Thread Andre Stoebe
On 29.08.2019 01:59, Steven Shockley wrote:
> So, many thanks to everyone who put together the new -stable updates for
> packages.  Is there a command I can put in the crontab that will only
> output if there are updates?  Similar to what syspatch or openup does.
> I tried pkg_add -unx, but that still tells me to delete old files and
> prints the quirks line even if there are no updates.

Hi Steven,

here's what I came up with in my /etc/daily.local file...

(pkg_add -suv | sed -En 's/^Adding (.+)\(pretending\)/\1/p') 2>&1 \
| grep -v ': Requesting'

Initially I didn't use the verbose option and a simpler sed expression,
but I eventually found that pkg_add's output differs whether a terminal
is attached or not. So that's what works for me.

Regards
Andre



Re: Package -stable updates

2019-08-29 Thread Michael Hoertnagl
On 29.08.19 01:59, Steven Shockley wrote:
> Is there a command I can put in the crontab that will only
> output if there are updates?

I've come up with:

pkg_add -u -n -I -v 2>&1 | grep 'Adding' | sort -u | sed -e 's/.*Adding \(.*\)(pretending.*/\1/'

this will print
 -  -> 

Suggestions for something simpler/better that gives the above information are
highly appreciated.

Best,
Michael



Re: Package -stable updates

2019-08-29 Thread Consus
On 09:29 Thu 29 Aug, Florian Obser wrote:
> On Thu, Aug 29, 2019 at 09:39:40AM +0300, Consus wrote:
> > On 19:59 Wed 28 Aug, Steven Shockley wrote:
> > > So, many thanks to everyone who put together the new -stable updates for
> > > packages.  Is there a command I can put in the crontab that will only
> > > output if there are updates?  Similar to what syspatch or openup does.
> > > I tried pkg_add -unx, but that still tells me to delete old files and
> > > prints the quirks line even if there are no updates.
> > 
> > I use
> > 
> > 0 7 * * * pkg_add -un | grep -v 'signed on'
> > 
> > and it works okay, no warnings about deleting old files.
> > 
> > Though removing quirks line would be nice.
> > 
> 
> I thought you had moved on since stable packages are one or two
> decades too late?

Eh?



Re: Package -stable updates

2019-08-29 Thread Florian Obser
On Thu, Aug 29, 2019 at 09:39:40AM +0300, Consus wrote:
> On 19:59 Wed 28 Aug, Steven Shockley wrote:
> > So, many thanks to everyone who put together the new -stable updates for
> > packages.  Is there a command I can put in the crontab that will only
> > output if there are updates?  Similar to what syspatch or openup does.
> > I tried pkg_add -unx, but that still tells me to delete old files and
> > prints the quirks line even if there are no updates.
> 
> I use
> 
>   0 7 * * * pkg_add -un | grep -v 'signed on'
> 
> and it works okay, no warnings about deleting old files.
> 
> Though removing quirks line would be nice.
> 

I thought you had moved on since stable packages are one or two
decades too late?

-- 
I'm not entirely sure you are real.



Re: Package -stable updates

2019-08-29 Thread Consus
On 19:59 Wed 28 Aug, Steven Shockley wrote:
> So, many thanks to everyone who put together the new -stable updates for
> packages.  Is there a command I can put in the crontab that will only
> output if there are updates?  Similar to what syspatch or openup does.
> I tried pkg_add -unx, but that still tells me to delete old files and
> prints the quirks line even if there are no updates.

I use

0 7 * * * pkg_add -un | grep -v 'signed on'

and it works okay, no warnings about deleting old files.

Though removing quirks line would be nice.