Re: bind dhcpd to IP address

[Ralf Horstmann]

Hi Valdrin,

that setup works fine. You would use "ip helper-address" on the Ciscos to
forward the DHCP requests to your OpenBSD box. The forwarded requests use the
specified helper address as unicast destination. No need to have the VLANs
present on your OpenBSD box.

I'm running dhcpd without -u for that. dhcpd will pickup all packets with
destination port 67 on the specified interface via bpf. No need to bind to a
specific IP.

I understand your last question as: Can dhcpd provide leases for subnets when
the dhcpd box has no IP addresses within the range? The answer is yes. You will
need subnet declarations for all pools in dhcpd.conf though.

Regards,
Ralf

* Valdrin MUJA  [2021-06-09 23:45]:
> Hi misc,
> 
> 
> I have 5 vlans terminated in Cisco switch as Layer 3.
> 
> So the users' gateway is Cisco switch.
> 
> The default gateway of Cisco switch is OpenBSD 6.9, which works as an office 
> firewall.
> 
> The switch also works as a dhcp server. However, I want OpenBSD office 
> firewall to also act as a dhcp server.
> 
> Is this possible while OpenBSD has no vlans on it? Only static routes for 
> these ip networks are installed.
> 
> 
> I would set dhcp relay on the Cisco switch side, but when I looked at 
> dhcpd(8), I was not entirely sure.
> 
> I see that dhcpd can listen on an ip address with the -u[bind_address] 
> parameter, but these lines confused me:
> 
> ''With this option, dhcpd can answer DHCPINFORM from clients on non Ethernet 
> interfaces such as tun(4) or pppx(4)’’
> 
> What I understand from above is; if I configure -u for a physical (em0) 
> interface’s ip address it will not bind to em0’s IP address.
> 
> It will use 255.255.255.255 instead of this. So it will not work; right?
> 
> 
> One last and probably related question:
> 
> Can OpenBSD be configured to distribute ip pools which it doesn’t have?
> 
> Thanks for reading…​
> 

web server security

[Gustavo Rios]

Hi folks!

I am planning a web serve using openbsd as the os and using php. My
question is: how to avoid any given user from implement an php script that
will read some else file, since everything will run as the web server user
and group ?

thanks a lot.

-- 
The lion and the tiger may be more powerful, but the wolves do not perform
in the circus

bind dhcpd to IP address

[Valdrin MUJA]

Hi misc,


I have 5 vlans terminated in Cisco switch as Layer 3.

So the users' gateway is Cisco switch.

The default gateway of Cisco switch is OpenBSD 6.9, which works as an office 
firewall.

The switch also works as a dhcp server. However, I want OpenBSD office firewall 
to also act as a dhcp server.

Is this possible while OpenBSD has no vlans on it? Only static routes for these 
ip networks are installed.


I would set dhcp relay on the Cisco switch side, but when I looked at dhcpd(8), 
I was not entirely sure.

I see that dhcpd can listen on an ip address with the -u[bind_address] 
parameter, but these lines confused me:

''With this option, dhcpd can answer DHCPINFORM from clients on non Ethernet 
interfaces such as tun(4) or pppx(4)’’

What I understand from above is; if I configure -u for a physical (em0) 
interface’s ip address it will not bind to em0’s IP address.

It will use 255.255.255.255 instead of this. So it will not work; right?


One last and probably related question:

Can OpenBSD be configured to distribute ip pools which it doesn’t have?

Thanks for reading…​

Re: disklabel partition auto allocation problem

[ITwrx]

On 6/9/21 11:40 AM, electronmuontau neutrino wrote:
> disklabel in OpenBSD 6.9 doesn't seem to be allocating partition sizes
> correctly according to the actual size of my OpenBSD partition.  
maybe this will help you: http://daemonforums.org/showthread.php?t=11748

Re: disklabel partition auto allocation problem

[electronmuontau neutrino]

I forgot to include my physical memory size:
# sysctl hw.physmem
hw.physmem=16897085440

On Wed, Jun 9, 2021 at 12:40 PM electronmuontau neutrino <
emtneutr...@gmail.com> wrote:

> disklabel in OpenBSD 6.9 doesn't seem to be allocating partition sizes
> correctly according to the actual size of my OpenBSD partition.  I dual
> booted my ThinkPad X1 Carbon 5th gen laptop with Windows 10 and OpenBSD.  I
> allocated about half the disk space to OpenBSD.  When I installed OpenBSD,
> it allocated partitions as if my disk size was > 2.5 GB instead of >= 10 GB
> as shown in the disklabel man page.  It allocated 2GB to /, 256M to swap,
> 3G to /usr, 2G to /home and apparently did not allocate the rest of the
> free space.  I've included the output of disklabel, fdisk and dmesg below.
> I haven't tried installing OpenBSD 6.8 to see if it does the same thing.  I
> believe auto allocation worked fine in OpenBSD 6.7.  If I'm not including
> any info that might help diagnose this problem, if it really is a problem,
> please let me know.
>
> 
> # disklabel sd0
>
> # /dev/rsd0c:
> type: SCSI
> disk: SCSI disk
> label: SAMSUNG MZVLB1T0
> duid: 9a51a841a90239b3
> flags:
> bytes/sector: 512
> sectors/track: 63
> tracks/cylinder: 255
> sectors/cylinder: 16065
> cylinders: 124519
> total sectors: 2000409264
> boundstart: 1002668032
> boundend: 1998360576
> drivedata: 0
>
> 16 partitions:
> #size   offset  fstype [fsize bsize   cpg]
>   a:  4194304   1002668032  4.2BSD   2048 16384 12960 # /
>   b:   524288   1006862336swap# none
>   c:   20004092640  unused
>   d:  6291456   1007386624  4.2BSD   2048 16384 12960 # /usr
>   e:  4194304   1013678080  4.2BSD   2048 16384 12960 # /home
>   i:   532480 2048   MSDOS
>   j:32768   534528 unknown
>   k:   1002100736   567296   MSDOS
>   l:  2048000   1998360576 unknown
>
>
> 
> # fdisk sd0
>
> Disk: sd0   Usable LBA: 34 to 2000409230 [2000409264 Sectors]
>#: type [   start: size ]
> 
>0: EFI Sys  [2048:   532480 ]
>1: e3c9e316-0b5c-4db8-817d-f92df00215ae [  534528:32768 ]
>2: FAT12[  567296:   1002100736 ]
>3: OpenBSD  [  1002668032:995692544 ]
>4: Win Recovery [  1998360576:  2048000 ]
>
>
> 
> # dmesg
>
> OpenBSD 6.9 (GENERIC.MP) #3: Mon Jun  7 08:21:26 MDT 2021
> r...@syspatch-69-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/
> GENERIC.MP
> real mem = 16897085440 (16114MB)
> avail mem = 16369602560 (15611MB)
> random: good seed from bootblocks
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x9f0e1000 (62 entries)
> bios0: vendor LENOVO version "N1MET65W (1.50 )" date 04/19/2021
> bios0: LENOVO 20HRCTO1WW
> acpi0 at bios0: ACPI 5.0
> acpi0: sleep states S0 S3 S4 S5
> acpi0: tables DSDT FACP SSDT TPM2 UEFI SSDT SSDT HPET APIC MCFG ECDT SSDT
> BOOT BATB SLIC SSDT SSDT SSDT WSMT SSDT SSDT DBGP DBG2 MSDM ASF! FPDT UEFI
> acpi0: wakeup devices GLAN(S4) XHC_(S3) XDCI(S4) HDAS(S4) RP01(S4)
> RP02(S4) RP04(S4) RP05(S4) RP06(S4) RP07(S4) RP08(S4) RP09(S4) RP10(S4)
> RP11(S4) RP12(S4) RP13(S4) [...]
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpihpet0 at acpi0: 2399 Hz
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Core(TM) i7-7600U CPU @ 2.80GHz, 2692.98 MHz, 06-8e-09
> cpu0:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SRBDS_CTRL,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
> cpu0: 256KB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
> cpu0: apic clock running at 24MHz
> cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1.1.1, IBE
> cpu1 at mainbus0: apid 2 (application processor)
> cpu1: Intel(R) Core(TM) i7-7600U CPU @ 2.80GHz, 2692.85 MHz, 06-8e-09
> cpu1:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC

disklabel partition auto allocation problem

[electronmuontau neutrino]

disklabel in OpenBSD 6.9 doesn't seem to be allocating partition sizes
correctly according to the actual size of my OpenBSD partition.  I dual
booted my ThinkPad X1 Carbon 5th gen laptop with Windows 10 and OpenBSD.  I
allocated about half the disk space to OpenBSD.  When I installed OpenBSD,
it allocated partitions as if my disk size was > 2.5 GB instead of >= 10 GB
as shown in the disklabel man page.  It allocated 2GB to /, 256M to swap,
3G to /usr, 2G to /home and apparently did not allocate the rest of the
free space.  I've included the output of disklabel, fdisk and dmesg below.
I haven't tried installing OpenBSD 6.8 to see if it does the same thing.  I
believe auto allocation worked fine in OpenBSD 6.7.  If I'm not including
any info that might help diagnose this problem, if it really is a problem,
please let me know.


# disklabel sd0

# /dev/rsd0c:
type: SCSI
disk: SCSI disk
label: SAMSUNG MZVLB1T0
duid: 9a51a841a90239b3
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 124519
total sectors: 2000409264
boundstart: 1002668032
boundend: 1998360576
drivedata: 0

16 partitions:
#size   offset  fstype [fsize bsize   cpg]
  a:  4194304   1002668032  4.2BSD   2048 16384 12960 # /
  b:   524288   1006862336swap# none
  c:   20004092640  unused
  d:  6291456   1007386624  4.2BSD   2048 16384 12960 # /usr
  e:  4194304   1013678080  4.2BSD   2048 16384 12960 # /home
  i:   532480 2048   MSDOS
  j:32768   534528 unknown
  k:   1002100736   567296   MSDOS
  l:  2048000   1998360576 unknown



# fdisk sd0

Disk: sd0   Usable LBA: 34 to 2000409230 [2000409264 Sectors]
   #: type [   start: size ]

   0: EFI Sys  [2048:   532480 ]
   1: e3c9e316-0b5c-4db8-817d-f92df00215ae [  534528:32768 ]
   2: FAT12[  567296:   1002100736 ]
   3: OpenBSD  [  1002668032:995692544 ]
   4: Win Recovery [  1998360576:  2048000 ]



# dmesg

OpenBSD 6.9 (GENERIC.MP) #3: Mon Jun  7 08:21:26 MDT 2021
r...@syspatch-69-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/
GENERIC.MP
real mem = 16897085440 (16114MB)
avail mem = 16369602560 (15611MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x9f0e1000 (62 entries)
bios0: vendor LENOVO version "N1MET65W (1.50 )" date 04/19/2021
bios0: LENOVO 20HRCTO1WW
acpi0 at bios0: ACPI 5.0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SSDT TPM2 UEFI SSDT SSDT HPET APIC MCFG ECDT SSDT
BOOT BATB SLIC SSDT SSDT SSDT WSMT SSDT SSDT DBGP DBG2 MSDM ASF! FPDT UEFI
acpi0: wakeup devices GLAN(S4) XHC_(S3) XDCI(S4) HDAS(S4) RP01(S4) RP02(S4)
RP04(S4) RP05(S4) RP06(S4) RP07(S4) RP08(S4) RP09(S4) RP10(S4) RP11(S4)
RP12(S4) RP13(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 2399 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i7-7600U CPU @ 2.80GHz, 2692.98 MHz, 06-8e-09
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SRBDS_CTRL,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 24MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1.1.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i7-7600U CPU @ 2.80GHz, 2692.85 MHz, 06-8e-09
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SRBDS_CTRL,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, pac

Re: use tablet interface under vm running linux / pressure on wacom

[Rudolf Sykora]

Dear list,


Stuart Henderson  writes:

> On 2018-12-04, rsyk...@disroot.org  wrote:
>> I am running OpenBSD desktop, but I need to use my usb-connected
>> tablet wacom Intuos3, which, under OpenBSD, cannot be used together
>> with pressure sensitivity.
>>
>> Thus, I thought I could install, say, Alpine linux under vm, and
>> use the tablet via linux. I have Alpine running in vm now. But
>> I don't know how to make the tablet accessible to the linux, so that
>> the requested functionality would be available (i.e., probably use
>> drivers from linux for the tablet).
>>
>
> You would need some kind of device passthrough for this approach
> to work, but vmd doesn't support that, and adding that is probably
> much trickier than improving usbtablet(4).

I just want to check if, perhaps, there is something new about the
possibility of the mentioned 'device passthrough' in vmd.

Regarding the option to improve usbtablet(4), I asked Frank Groeneveld,
the author of wacom drivers on OpenBSD, about that in 2017:

> Dear Frank,
>
> I noticed you are the author of wacom drivers
> for openbsd. I also noticed, in the caveats part
> of the related man page, that no pressure sensitivity
> is implemented. Do you plan to add it at some point?
> Would it be difficult?
>
> (I have an Intuos3 tablet, and the lack of pressure
> sensitivity on openbsd is one reason I still have
> to use linux.)

and he answered:

> Yes, I wrote the driver to use the tablet as mouse replacement. Reading
> the sensitivity is not difficult in the kernel driver, however, I
> believe that the X mouse driver doesn't support sensitivity eithet,.
> That means we would also need to write a new X driver or extend an
> existing one. I have no experience doing that.

Is he right about the X mouse driver, or not? Ie., in the end, would it
be necessary to modify sth. else apart from usbtablet(4), or the
improvement in the latter would suffice to bring pressure sensitivity
(then I would perhaps try to modify it).



Thanks for any comments!

Ruda

Re: use tablet interface under vm running linux / pressure on wacom

[Dave Voutila]

Rudolf Sykora  writes:

> I just want to check if, perhaps, there is something new about the
> possibility of the mentioned 'device passthrough' in vmd.

Nope. I recommend either finding a device that works as required with
OpenBSD or improving the existing driver to make your device work.

-dv

Re: reposync:host key verification failed

[Avon Robertson]

On Tue, Jun 08, 2021 at 11:11:15AM +1200, Avon Robertson wrote:
> On Mon, Jun 07, 2021 at 08:21:24PM -, Stuart Henderson wrote:
> > On 2021-06-07, Avon Robertson  wrote:
> > > $ make obj
> > >===> ssh
> > > /usr/src/usr.bin/ssh/ssh/obj -> /usr/obj/usr.bin/ssh/ssh
> > > mkdir: /usr/obj/usr.bin: Permission denied
> > > *** Error 1 in ssh (:61 'obj': @cd /usr/src/usr.bin/ssh/ssh;
> > > umask 007;  here=`/bin/pwd`; bsdsrcdir=`cd /usr/src; /bin/pwd`;  s...)
> > > *** Error 2 in /usr/src/usr.bin/ssh (:48 'obj': @for
> > > entry in ssh sshd ssh-add ssh-keygen ssh-agent scp sftp-server
> > > ssh-keys...)
> > >
> > > Mmmm. So looked first at permission in and below /usr/src. Found
> > > permissions to be 700 with owner and group being aer:wsrc. As root,
> > > # chmod -R 775 /usr/src
> > > and tried 'make obj' again. The same error as above was output.
> > 
> > The "permission denied" is on /usr/obj.
> > 
> > > I do not rule out the possibility that my local /cvs repository has
> > > been inadvertently corrupted by me.
> > 
> > unlikely.
> > 
> > > Theo, I am willing to install (not update) a later snapshot and try to
> > > build a test kernel for you tomorrow; if you belief it likely my /cvs
> > > repo is ok. If you think it likely that my repo is corrupt, I will
> > > remove it and reinstall a local repo from scratch before trying to
> > > build a test kernel for you.
> > 
> > I think at this point the best thing to do is simply update to a newer
> > snapshot and try reposync again. (Update is fine, no need to reinstall).
> > No need to build a kernel.
> > 
> > If there is still a failure then adjust permissions or group membership
> > so you can write to /usr/obj (there are various methods that will work),
> > and confirm that it works with a build of ssh fresh from cvs. But if I got
> > my testing right then I think this is now working.
> > 
> > 
> Many thanks Stuart.
> Will do as you have suggested.
> 
> Regards Avon
> -- 
> 

Hello Stuart and misc@,
Installed new snaphot:
$ uname -prsv
OpenBSD 6.9 GENERIC.MP#58 amd64

My script failed again with error:
reposync: host key verification failed - see
/var/db/reposync/known_hosts

After executing
$ cd /usr/src/usr.bin/ssh
$ cvs up
$ make obj
$ make
$ doas make install
my script is working again without error.

Thank you all for your help.

Regards Avon

Re: openbgpd "depend on"

[Claudio Jeker]

On Wed, Jun 09, 2021 at 09:57:32AM +0200, open...@kene.nu wrote:
> Hello,
> 
> Just a question and maybe a suggestion. I am implementing a few DCs that
> use vxlan symmetric routing and hence, layer2 redundancy protocols like
> CARP (and VRRP/HSRP) do not work as intended due to evpn layer2 being the
> technology of choice to announce ARP entries.
> 
> This led me to try out the "depend on carp" functionality that is available
> on openbgpd. It does what I want, partially. It would be much more usable
> if you cold define what this functionality does in case of a CARP backup
> state. Currently it puts the bgp neighbor into Idle state. However, it
> would be better if one could define that it should as-path prepend and/or
> add a metric (MED) instead. This way, carp failovers would not rely on the
> tedious and relatively time consuming process of setting up a BGP session
> and announcing prefixes before it can truly be carp master.
> 
> WDYT?

The 'depend on' feature was added to use a CARP cluster as a BGP border
router (e.g. at an IXP that only gives one IP/port). In that case the
backup carp interface is not able to open a TCP session. The backup carp
interface is not reachable and the session would conflict with the master
session.

What you would like is to add depend on on announcements (network
10.0.0.0/24 depend on carp0) or probably as a filter (match to group
uplinks depend on carp set med 100). At least this is how I understand
your request.

-- 
:wq Claudio

openbgpd "depend on"

[openbsd]

Hello,

Just a question and maybe a suggestion. I am implementing a few DCs that
use vxlan symmetric routing and hence, layer2 redundancy protocols like
CARP (and VRRP/HSRP) do not work as intended due to evpn layer2 being the
technology of choice to announce ARP entries.

This led me to try out the "depend on carp" functionality that is available
on openbgpd. It does what I want, partially. It would be much more usable
if you cold define what this functionality does in case of a CARP backup
state. Currently it puts the bgp neighbor into Idle state. However, it
would be better if one could define that it should as-path prepend and/or
add a metric (MED) instead. This way, carp failovers would not rely on the
tedious and relatively time consuming process of setting up a BGP session
and announcing prefixes before it can truly be carp master.

WDYT?