isakmpd fills my log

2005-11-30 Thread martin
hi all, i use ipsec to replace wep for my wlan so the setup is pretty
simple and all and everything works. I used this page
http://www.dietlein.com/requisites/ipsec/ to get it to work and my
configs are the same as in the guide. The problem is since i switched
from 3.7 to 3.8 isakmpd fills my /var/log/messages with info that it
can't connect when my laptop is off.

Like below all around the clock.
How can i stop this the best way ? i start isakmpd in rc.conf with just 

best regards martin

Nov 30 15:15:46 fjuttsi isakmpd[3201]: sendmsg (7, 0xcfbcab20, 0): Host is down
Nov 30 15:15:55 fjuttsi isakmpd[3201]: sendmsg (7, 0xcfbcab20, 0): Host is down
Nov 30 15:16:19 fjuttsi isakmpd[3201]: transport_send_messages: giving up on exchange IPsec-ignition-soekris, no response from peer 10.10.10.9:500
Nov 30 15:18:19 fjuttsi isakmpd[3201]: transport_send_messages: giving up on exchange IPsec-ignition-soekris, no response from peer 10.10.10.9:500
Nov 30 15:19:46 fjuttsi isakmpd[3201]: sendmsg (7, 0xcfbcab20, 0): Host is down
Nov 30 15:19:55 fjuttsi isakmpd[3201]: sendmsg (7, 0xcfbcab20, 0): Host is down
Nov 30 15:20:19 fjuttsi isakmpd[3201]: transport_send_messages: giving up on exchange IPsec-ignition-soekris, no response from peer 10.10.10.9:500




Re: isakmpd fills my log

2005-11-30 Thread martin

Hans-Joerg Hoexer wrote:


please show us your config files.

On Wed, Nov 30, 2005 at 03:31:27PM +0100, martin wrote:
 

hi all, i use ipsec to replace wep for my wlan so the setup is pretty
simple and all and everything works. I used this page
http://www.dietlein.com/requisites/ipsec/ to get it to work and my
configs are the same as in the guide. The problem is since i switched
from 3.7 to 3.8 isakmpd fills my /var/log/messages with info that it
can't connect when my laptop is off.

Like below all around the clock.
How can i stop this the best way ? i start isakmpd in rc.conf with just 

best regards martin

Nov 30 15:15:46 fjuttsi isakmpd[3201]: sendmsg (7, 0xcfbcab20, 0): Host is down
Nov 30 15:15:55 fjuttsi isakmpd[3201]: sendmsg (7, 0xcfbcab20, 0): Host is down
Nov 30 15:16:19 fjuttsi isakmpd[3201]: transport_send_messages: giving up on exchange IPsec-ignition-soekris, no response from peer 10.10.10.9:500
Nov 30 15:18:19 fjuttsi isakmpd[3201]: transport_send_messages: giving up on exchange IPsec-ignition-soekris, no response from peer 10.10.10.9:500
Nov 30 15:19:46 fjuttsi isakmpd[3201]: sendmsg (7, 0xcfbcab20, 0): Host is down
Nov 30 15:19:55 fjuttsi isakmpd[3201]: sendmsg (7, 0xcfbcab20, 0): Host is down
Nov 30 15:20:19 fjuttsi isakmpd[3201]: transport_send_messages: giving up on exchange IPsec-ignition-soekris, no response from peer 10.10.10.9:500

mkay..

isakmpd.conf

[General]
Policy-file=/etc/isakmpd/isakmpd.policy
Retransmits=4
Listen-On=  10.10.10.10

[Phase 1]
10.10.10.9= ISAKMP-peer-ignition

[Phase 2]
Connections=IPsec-ignition-soekris

[ISAKMP-peer-ignition]
Phase=  1
Transport=  udp
Local-Address=  10.10.10.10
Address=10.10.10.9
Configuration=  Default-main-mode
Authentication= 2secret2btrue

[IPsec-ignition-soekris]
Phase=  2
ISAKMP-peer=ISAKMP-peer-ignition
Configuration=  Default-quick-mode
Local-ID=   Addr-fjuttsi
Remote-ID=  Addr-laptop

[Addr-laptop]
ID-type=IPV4_ADDR
Address=10.10.10.9

[Addr-fjuttsi]
ID-type=IPV4_ADDR
Address=10.10.10.10

[Default-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms= 3DES-SHA

[Default-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE


...isakmpd.policy...

KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
Authorizer: "POLICY"
Licensees: "passphrase:2secret2btrue"
Conditions: app_domain == "IPsec policy" &&
   esp_present == "yes" &&
   esp_enc_alg == "3des" &&
   esp_auth_alg == "hmac-sha" -> "true";
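A cross-check of the configuration pair posted above, added here as an example; it is not from the thread and not isakmpd's own parser. It reads the INI-style isakmpd.conf, verifies that every section named by a value actually exists, that the peer's Local-Address is one of the Listen-On addresses, and that the Phase 1 Authentication passphrase is a licensee in the KeyNote policy. Two things a practitioner would note from the files above: the pre-shared key sits in cleartext in both files (and is now public, since it was posted), so both files belong to root with mode 0600 and the key should be rotated; and a mismatch between the two files is one reason an otherwise correctly authenticated peer ends up with no SA. The file contents are re-typed from the post; which checks are worth running is an assumption of this example.

```python
"""Cross-check an isakmpd.conf against its isakmpd.policy. Added example, not
part of the thread; the sample files are the ones posted above, re-typed."""
import configparser
import re

ISAKMPD_CONF = """\
[General]
Policy-file=/etc/isakmpd/isakmpd.policy
Retransmits=4
Listen-On=10.10.10.10
[Phase 1]
10.10.10.9=ISAKMP-peer-ignition
[Phase 2]
Connections=IPsec-ignition-soekris
[ISAKMP-peer-ignition]
Phase=1
Transport=udp
Local-Address=10.10.10.10
Address=10.10.10.9
Configuration=Default-main-mode
Authentication=2secret2btrue
[IPsec-ignition-soekris]
Phase=2
ISAKMP-peer=ISAKMP-peer-ignition
Configuration=Default-quick-mode
Local-ID=Addr-fjuttsi
Remote-ID=Addr-laptop
[Addr-laptop]
ID-type=IPV4_ADDR
Address=10.10.10.9
[Addr-fjuttsi]
ID-type=IPV4_ADDR
Address=10.10.10.10
[Default-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=ID_PROT
Transforms=3DES-SHA
[Default-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=QUICK_MODE
Suites=QM-ESP-3DES-SHA-SUITE
"""
ISAKMPD_POLICY = """\
KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "passphrase:2secret2btrue"
Conditions: app_domain == "IPsec policy" && esp_present == "yes" &&
    esp_enc_alg == "3des" && esp_auth_alg == "hmac-sha" -> "true";
"""

def load_conf(text):
    # isakmpd.conf is INI-like: keep key case, disable '%' interpolation
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def policy_passphrases(text):
    # KeyNote licensees of the form "passphrase:<secret>"
    return set(re.findall(r'"passphrase:([^"]*)"', text))

def check(conf_text, policy_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    cp, problems = load_conf(conf_text), []

    def ref(section, where):
        # every section named by a value must exist
        if not cp.has_section(section):
            problems.append(f"{where} refers to missing section [{section}]")
            return False
        return True

    listen = [a.strip() for a in cp.get("General", "Listen-On", fallback="").split(",") if a.strip()]
    phrases = policy_passphrases(policy_text)
    peers = cp.items("Phase 1") if cp.has_section("Phase 1") else []
    for addr, peer in peers:
        if not ref(peer, f"[Phase 1] {addr}"):
            continue
        if cp.get(peer, "Phase", fallback="") != "1":
            problems.append(f"[{peer}] is not Phase=1")
        if cp.get(peer, "Address", fallback=addr) != addr:
            problems.append(f"[{peer}] Address does not match [Phase 1] key {addr}")
        local = cp.get(peer, "Local-Address", fallback=None)
        if listen and local and local not in listen:
            problems.append(f"[{peer}] Local-Address {local} is not in Listen-On")
        ref(cp.get(peer, "Configuration", fallback=""), f"[{peer}] Configuration")
        auth = cp.get(peer, "Authentication", fallback=None)
        if auth is not None and auth not in phrases:
            problems.append(f"[{peer}] Authentication passphrase is not a licensee in isakmpd.policy")
    conns = [c.strip() for c in cp.get("Phase 2", "Connections", fallback="").split(",") if c.strip()]
    for conn in conns:
        if not ref(conn, "[Phase 2] Connections"):
            continue
        if cp.get(conn, "Phase", fallback="") != "2":
            problems.append(f"[{conn}] is not Phase=2")
        for key in ("ISAKMP-peer", "Configuration", "Local-ID", "Remote-ID"):
            ref(cp.get(conn, key, fallback=""), f"[{conn}] {key}")
    return problems

if __name__ == "__main__":
    print("\n".join(check(ISAKMPD_CONF, ISAKMPD_POLICY) or ["no problems found"]))
```

Run it against the real files by reading them into the two strings; the posted pair comes back clean, while editing the passphrase in only one of the two files, or pointing Remote-ID at a section that does not exist, produces a one-line problem report.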



VIA fanless motherboard - NICS

2005-12-17 Thread martin
Hello.

I'm looking at a VIA motherboard with the following NICS.

3 x INTEL 82551QM  1x 82540EM (Gigabit)

Any issues with these ?

M



Re: VIA fanless motherboard - NICS

2005-12-17 Thread martin
--- Diana Eichert [EMAIL PROTECTED] wrote:

 On Sat, 17 Dec 2005, martin wrote:
 
  Hello.
 
  I'm looking at a VIA motherboard with the following NICS.
 
  3 x INTEL 82551QM  1x 82540EM (Gigabit)
 
  Any issues with these ?
 
  M
 
 Sounds like a Commell board?  Which VIA processor?

Commell LE-564 - Eden 533MHz



Unable to build Gateway route

2005-12-22 Thread martin
Hello.

I've been running other firewalls on this IP address with the same
settings in the past, but am having problems setting up the Gateway
with OpenBSD 3.8.  It comes back with "no route to host" and when I do
a netstat -rn, the Gateway is missing even though /etc/mygate exists.

IP - 209.216.76.1
Netmask - 255.255.255.252
GW - 209.216.77.6

Any clues to what is going on ?



Re: Unable to build Gateway route

2005-12-22 Thread martin
--- Jason Crawford [EMAIL PROTECTED] wrote:


  IP - 209.216.76.1
  Netmask - 255.255.255.252
  GW - 209.216.77.6
 
 Either a typo in your netmask, or a typo in your gateway, since your
 gateway IP does not belong to the current netmask you assigned to
 your
 external IP. I have a feeling it's a typo in the netmask as that's a
 very very small one.
 
 Jason


Jason.

The figures are correct (I wondered about the unusual GW when I first
rx'd it but they said it was correct).  The thing is, I've had this
connection for a couple of years and have run a  number of firewalls
with no issue with these ie. Linux Router Project, Freesco and others I
have tested.  It is running now with a commercial firewall with no
problems.

Can I force it to accept the gateway IP ?

Regards...Martin



multi-port NIC cards

2006-01-01 Thread martin
Hello.

Can anyone recommend a good multi-port NIC card e.g. 4-port, that works
OK on OpenBSD with a good source supplier.  

Regards...Martin



Re: multi-port NIC cards

2006-01-01 Thread martin
--- Daniel Ouellet [EMAIL PROTECTED] wrote:

  Can anyone recommend a good multi-port NIC card e.g. 4-port, that
 works
  OK on OpenBSD with a good source supplier.  
 
 
 This question was debated a few times in the archive already. So far
 there isn't one great card that works very well that is still available
 to purchase new these days. SK based were best, but not available
 anymore. Intel have the Pro 1000MT, but you need to run the bsd.mp to
 not get overwhelmed by interrupts even on a single processor server.
 That card works, but not as well as it should really! I would be just
 OK with bsd.mp, but not under very heavy load, but it will do what you
 want for a lower demanding setup as long as you DO run the bsd.mp kernel.

 So far I haven't found one that is still available to purchase new
 these days and will provide the same efficiency as older cards were
 able to do! (: Very sad but true!

 I sure hope this changes soon, but that's where we are now, at a
 minimum, that's where I am anyway.

 Daniel


Just found this.  

http://www.routerboard.com/rb44.html

Might just buy one and try it out. 

Regards...Martin



APIC

2006-01-03 Thread martin
Hello.

Does OpenBSD 3.8 use the APIC (Advanced Programmable Interrupt
Controller) ?

Some cards, e,g telephony and framegrabbers have issues with the
limited standard XT 16 IRQ's.

APIC motherboards give you 24 or more (I've seen as many as 101)
interrupts.

Besides doing a dmesg | grep irq, is there another way at seeing the
assigned interrupts.  e.g. For Linux  cat /proc/interrupts  reveals:-

Dell PowerEdge 2850 (dual Xeon)

cat /proc/interrupts
           CPU0       CPU1
  0:    6184515         72    IO-APIC-edge   timer
  1:          8          1    IO-APIC-edge   i8042
  9:          0          0    IO-APIC-level  acpi
 12:         65          1    IO-APIC-edge   i8042
 14:         11          2    IO-APIC-edge   ide0
 46:      19595          1    IO-APIC-level  megaraid
 64:      66366          1    IO-APIC-level  eth0
 65:      77045          1    IO-APIC-level  eth1
101:    6113521          1    IO-APIC-level  wctdm
NMI:          1          0
LOC:    6184694    6184698
ERR:          0
MIS:          0

Regards...Martin



Re: multi-port NIC cards

2006-01-03 Thread martin
--- martin [EMAIL PROTECTED] wrote:

Hi.

I just ordered both the Mikrotik Routerboard 44 ($89) and the Soekris
lan1641 ($95).  Both 4-port NIC boards.  I'll let you know how they
perform.

I'm also puzzled by the claims of performance issues and saturating the
PCI bus previously mentioned as the original PCI (33MHz) has
approx. 1 Gbit performance and these cards have 4x100 Mbit chips and
therefore will only use 400 Mbits maximum of the 1 Gbit bus.  Is someone
confusing bits and bytes ?

Regards...Martin



Re: Why Linus Torvalds won't donate to OpenSSH

2007-04-11 Thread Martin
On Wednesday 11 April 2007 03:06, Kernel Monkey wrote:
 On 4/10/07, Damien Miller djm@ wrote:
  Two points:
 
  1. Please don't post private email. (Apologies if you obtained his
permission to post).
 
  2. Who really cares? I'd much rather see contibutions from companies who
ship OpenSSH in their products and list SSH support as a feature on
their glossy brochures than shaking down other free software
  developers.
 
  -d

 No, not my email. I saw it posted on another site. Sorry.


Well stop lying (and trolling) then !!!

You said:-

I recently wrote Linus Torvalds asking why I don't see his name listed
on the OpenBSD donations page (http://www.openbsd.org/donations.html),
since I figured he uses OpenSSH.

This was the reply I got back:

 From: Linus Torvalds [EMAIL PROTECTED]
 Tue, 10 Apr 2007 14:29:56 -0700 (PDT)

 I suspect that OpenSSH would get more funding if it was directed directly
 to OpenSSH, and not OpenBSD, which almost nobody is interested in.

 As it is, how much of any money actually goes to OpenSSH development,
 rather than everything else?

Linus


I thought the reply was funny.



Re: Why Linus Torvalds won't donate to OpenSSH

2007-04-11 Thread Martin
Nice bounce...

Hi. This is the qmail-send program at chaossolutions.org.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

[EMAIL PROTECTED]:
64.233.167.27 does not like recipient.
Remote host said: 550 5.1.1 No such user f77si15306557pyh
Giving up on 64.233.167.27.

I suppose that says it all.



thin-client

2006-02-22 Thread martin
Hello.

What are the thin-client options with OpenBSD ?

Something similar to www.ltsp.org

If anyone is using openbsd as a thin-client server. i would be
interested in hearing their experiences.

Regards



Re: bad SK NICs ??

2006-05-30 Thread martin
I've also had those watchdog problems with sk(4) on 3.9. They did appear
on 3.8 but not as often. It doesn't seem to matter what i do to get
those, they are not coming when i use much traffic but they seem to just
appear at random.


My card is;
skc0 at pci0 dev 15 function 0 "3Com 3c940" rev 0x10, Marvell Yukon (0x1): irq 10

sk0 at skc0 port A, address 00:0a:5e:5c:58:ec



spamd question

2007-01-18 Thread Martin
Hello.

I'm using spamd but am noticing that some SPAM is still coming through

It's probably more dev but I don't like posting to the dev/tech lists.  If the 
ideas/info have merit, then perhaps it can be forwarded to that list.

Can (or does) spamd look at the From:, do a MX/A record dns lookup and
compare it to the sender IP to see if it's valid during the SMTP
transaction ?

(I note if you put in a spamtrap email address it will do a straight IP block)

e.g.

Return-Path: [EMAIL PROTECTED]
 Delivered-To: [EMAIL PROTECTED]
 Received: (qmail 11000 invoked from network); 17 Jan 2007 17:19:49 -
 Received: from host194.skytechinc.com (HELO mail.skytechinc.com) 
(63.111.223.194)
  by felix.chaossolutions.org with ESMTP; 17 Jan 2007 17:19:49 -
 Received: from User ([86.127.117.209]) by mail.skytechinc.com with Microsoft 
SMTPSVC(6.0.3790.1830);
 Tue, 16 Jan 2007 17:51:43 -0500
 Reply-To: [EMAIL PROTECTED]
 From: Town North Bank[EMAIL PROTECTED]
 Subject: Notification from North Town BANK !
 Date: Wed, 17 Jan 2007 00:51:46 +0200


dig mx tnnb.com

SNIP

;; ADDITIONAL SECTION:
mx1.tnnb.com.   3600IN  A   208.217.213.106

So obviously the IP 63.111.223.194 does not belong to a tnnb.com mail server 
and can be blacklisted/tarpitted.

Of course, you may want certain IP ranges whitelisted if they are important to 
you.

You might want to allow/whitelist a specific, or a number of email addresses 
from an IP but greylist/blacklist the rest depending on your requirements.

Can some of the above be discussed/implemented in spamd?

Sorry, I don't program, just do some light scripting, but if I can see obvious 
SPAM's from the headers and a dns MX/A lookup, I would hope that spamd could 
be extended with options to catch and tarpit these people/servers/viruses 
etc.

Regards...Martin



Re: spamd question

2007-01-18 Thread Martin
On Thursday 18 January 2007 11:48, you wrote:

 This turns out not to be the case. MX records tell you where to send
 mail TO that domain, and have nothing to do with mail FROM that domain.
 While the TO/FROM servers are often the same, they are also often not
 the same, especially for large providers.

 Some domains provide SPF records in dns, and you can incorporate spf
 checks into your MTA, SpamAssassin, etc.


Good points, but the several hundred I have manually checked over the last few 
months, I have easily been able to tell the difference.  
Aghh, but that's because I've only been checking SPAM's, not good emails as 
well.  I have also looked at the IP range assigned when the MX or A didn't 
match.  Yes, so it's more complicated.

The  'road warrior'  issue though could be a problem for some, but not for me 
as I don't use it yet.  I think I'm going to try and do some stuff at the 
tcpserver/rbl level after it passes spamd initially just logging and 
checking.
pop before send or smtp auth could be used for the road people in the future.

I need to spend more time doing scripting anyway...so it could be a good 
learning curve.  I never seem to have the time ordinarily.

Well thanks again for all the responses.  It's appreciated.  Asking questions 
and getting excellent answers is what this list is all about.

Regards...Martin
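The difference the reply above draws, between where a domain receives mail (its MX hosts) and where it is allowed to send from (its SPF record), as an added example that is not part of the thread and not spamd code. It puts the MX check Martin proposed beside a small SPF evaluator over constructed zone data: the tnnb.com MX address is the one quoted in the post, the other names and addresses are documentation ranges. The MX check wrongly rejects a legitimate sender for the constructed bigmail.example (its outbound relays are not its MX), while SPF distinguishes the two; the phishing sample fails both. Only the common SPF mechanisms (ip4, ip6, a, mx, include, all) are implemented, and the sender IP is taken as a parameter because in spamd it comes from the TCP connection, not from any header.

```python
"""MX lookup versus SPF for a sender IP (added example; not part of the thread).
DNS records below are constructed for illustration; no real lookups are made."""
import ipaddress

# Constructed zone data keyed by name (no trailing dot). The tnnb.com MX address
# is the one quoted in the post; the other names use RFC 5737/6761 ranges.
DNS = {
    "tnnb.com":           {"MX": ["mx1.tnnb.com"],
                           "TXT": ["v=spf1 ip4:208.217.213.0/24 -all"]},
    "mx1.tnnb.com":       {"A": ["208.217.213.106"]},
    "bigmail.example":    {"MX": ["mx.bigmail.example"],
                           "TXT": ["v=spf1 ip4:198.51.100.0/24 ~all"]},
    "mx.bigmail.example": {"A": ["203.0.113.10"]},
    "corp.example":       {"MX": ["mx.bigmail.example"],
                           "TXT": ["v=spf1 include:bigmail.example -all"]},
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def a_records(host):
    return DNS.get(host.rstrip("."), {}).get("A", [])


def mx_ips(domain):
    """Addresses of the hosts that receive mail for domain (inbound only)."""
    ips = []
    for mx in DNS.get(domain.rstrip("."), {}).get("MX", []):
        ips.extend(a_records(mx))
    return ips


def naive_mx_check(from_domain, sender_ip):
    """The check proposed in the post: sender IP must be one of the MX hosts."""
    return sender_ip in mx_ips(from_domain)


def spf_record(domain):
    for txt in DNS.get(domain.rstrip("."), {}).get("TXT", []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_spf(domain, sender_ip, depth=0):
    """Minimal SPF evaluation: ip4, ip6, a, mx, include and all mechanisms.
    Returns pass/fail/softfail/neutral, or none when no record exists."""
    record = spf_record(domain)
    if record is None or depth > 10:          # RFC 7208 bounds include nesting
        return "none"
    addr = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = sender_ip in a_records(arg or domain)
        elif mech == "mx":
            matched = sender_ip in mx_ips(arg or domain)
        elif mech == "include":
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        else:
            continue                          # unsupported mechanism: skip it
        if matched:
            return QUALIFIER[qual]
    return "neutral"                          # no mechanism matched


if __name__ == "__main__":
    for dom, ip in [("tnnb.com", "63.111.223.194"), ("bigmail.example", "198.51.100.7")]:
        print(dom, ip, "mx-check:", naive_mx_check(dom, ip), "spf:", check_spf(dom, ip))
```

Swapping the DNS dictionary for real lookups is the only change needed to try it on live mail; note that even SPF only says whether the envelope sender's domain authorised the connecting host, and a softfail or neutral result is not a reason to tarpit.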



Re: spamd question

2007-01-18 Thread Martin
On Thursday 18 January 2007 13:02, you wrote:


 I need to spend more time doing scripting anyway...so it could be a good
 learning curve.  I never seem to have the time ordinarily.


But there again, it looks like it's likely impossible without doing too much 
damage.

At least I understand the issue and pitfalls better than before.

Anyway, instructive.

Best wishes...Martin



Shaping and QOS with multiple IP's on a single NIC in bridge mode

2008-12-11 Thread martin
Hello.

Does the traffic shaping and QOS work well across multiple public IP's with 
only One network card in bridge mode ?

I haven't come across this issue before, but will very soon.

Anyone have experience with this ?

Thanks...Martin



Re: Unified BSD?

2012-11-12 Thread Martin
The reason was actually intellectual property based between AT&T and the
proprietary BSD/386 if you're talking BSD 4.4. That was the core reason why
FreeBSD and NetBSD started.
So really it isn't that crazy, more highly unlikely that you're going to get
the core developers of each project to abandon years of work to start again
on a unified BSD.

It is a cool thought, one i have thought about.

Which is why i reckon you're far more likely to get support for a new BSD
system that takes the foundation of one of the existing BSDs and creates a
project that aims for compatibility between the major BSD players.

At least then its not like restarting.

On Tue, Nov 13, 2012 at 8:36 AM, Justin Mayes jma...@careered.com wrote:

 Yes, your bat crap crazy :-)

 All of these variants inherit from the same unified BSD 4.4 base code as
 far
 as I know. So years ago  there were reasons that groups wanted to spilt off
 and focus on specific goals. Some of these goals are mutually exclusive.
 These BSD variants are not really competing with each other or Linux for
 that matter.


 Justin Mayes


 -Original Message-
 From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
 Robin Björklin
 Sent: Monday, November 12, 2012 2:38 PM
 To: us...@dragonflybsd.org; netbsd-us...@netbsd.org;
 freebsd-c...@freebsd.org; misc@openbsd.org
 Subject: Unified BSD?

 Hi!

 First and foremost I'd like to present myself, I'm a young and naive junior
 sys admin that think people should be able to compromise and see the bigger
 picture and the good of the cause.

 Now over to the reason for my post.

 As all of you probably know there's a lot of buzz around Gnu/Linux these
 days and I'm pretty sure you couldn't care less. What I'm wondering is why
 the BSD community which from what I can gather isn't as big as the Linux
 community have decided to split their resources into several different
 projects/forks/distributions. To me it seems *BSD would be in a more
 competitive shape if all developers would get in under one roof?

 Am I bat crap crazy for thinking it could be good to merge the four largest
 BSD variants out there, take the best bits and pieces out of each and
 create
 a Unified BSD?

 Kind Regards,
 Robin Bjorklin



Re: Unified BSD?

2012-11-13 Thread Martin
No offense Ignatios Souvatzis, but your reference to Minix being a 7th BSD
distro is like saying FreeBSD (or any of the other major BSDs) is another
Linux because of its inter-compatibility for certain user-land components
and various shared code. Minix has a minimal amount of NetBSD code, most
of it being userland tools and package management. The actual core of Minix
is totally different to NetBSD; MINIX is a microkernel and NetBSD is a
monolithic kernel, which is a major difference. Mac OS X I can understand, but
again the core of OS X is based off Mach 3, FreeBSD and OPENSTEP, with a lot
of modified code (more like BSD's 2nd or 3rd cousin).
Although with that I suppose it depends on how you are defining what
classifies as a BSD distribution. If you're going off whether they have used
any source from BSD then you're going to be hard-pressed to classify one that
isn't BSD. However, I was assuming you were going off the core of the system
(i.e. how much source, if any, is used in kernel space).

Which brings me back to what I was talking about in an earlier post. If you
want to make a "unified BSD", it would be easier to create a new BSD which
at the core (i.e. memory management, IPC, I/O, etc...) is based off, say,
NetBSD. I only chose NetBSD because it has what I believe is cleaner code
than the others, and is structured in a way that would make it easier to
modify and move components.
Sure it wouldn't be true to the roots of an actual "unified BSD" that is
based off 4.4BSD Lite and has a mesh core of OpenBSD, FreeBSD & NetBSD, but
my point isn't about 4.4BSD Lite or creating a true "unified BSD" down to
the core (where all BSD developers work on one project).
My point is about the possibility of creating a new BSD project (with
separate developers) that aims for 100% compatibility with at least
FreeBSD, NetBSD, OpenBSD and maybe DragonflyBSD.

Your suggestion I would think is possible, but only by being realistic
about it: using an already stable kernel and then modifying it where
necessary to make it compatible.

lol, that's just my 2 cents about it.

Hell, the idea is more possible with the BSDs than it is with Linux. I
wouldn't even consider trying to create a unified Linux. Linux is such a
jumbled mess that I wouldn't want to go anywhere near a project trying to
un-jumble it with a 10ft pole, as it would take about as long to un-jumble
it as it would to finish the same idea on BSD. I like Linux, but if you're
talking about a project/s being unified, BSD is leaps and bounds ahead of
Linux. So while Linux is doing better in terms of popularity, BSD has a far
greater potential for more than Linux, just because each project has made
such a strong base foundation and is so well organized. :D

On Tue, Nov 13, 2012 at 9:45 PM, Ignatios Souvatzis ignat...@cs.uni-bonn.de
 wrote:

 On Tue, Nov 13, 2012 at 10:08:08AM +0100, Joost van de Griek wrote:
  On 12 Nov 2012, at 21:37 , Robin  Björklin robin.bjork...@gmail.com
 wrote:
 
   Am I bat crap crazy for thinking it could be good to merge the four
 largest BSD variants out there, take the best bits and pieces out of each
 and create a Unified BSD?
 
 
  You'd end up creating a fifth.

 At least a sixth, IIRC. You left out MirBSD from your distribution list.
 Also, you could argue that Minix, with its NetBSD compatibility,
 is a seventh and MacOS-X, with its partially (Free-/Net-)BSD compatible
 userland, an eighth.

 -is



Re: how to , apache's ' AuthType Basic '

2014-12-15 Thread martin
Tuyosi Takesima nakajin.fu...@gmail.com wrote:

 hi ,all .
 
 in arch linux , apache's 'AuthType Basic' is easy .
 
 i follow
 http://www.atmarkit.co.jp/flinux/rensai/linuxtips/698apachebasic.html  as a
 whole.
 detail is a little different .  the following .
 
 # ls -l /srv/http/
 -rw-r--r-- 1 root root   28 12月 10 12:03 index.html
 drwxr-xr-x 2 root root 4096 12月 10 13:09 member
 
 
 # head /etc/httpd/conf/httpd.conf
 <Directory /srv/http/member>
 AuthType Basic
 AuthName "Secret Zone"
 AuthUserFile /etc/httpd/.htpasswd
 Require user secret
 </Directory>
 
 
 htpasswd  -c /etc/httpd/.htpasswd secret
 
 
 but openbsd's apache is different .
 this method is out .
 
 there is little information on the internet about openbsd's 'AuthType Basic' .
 what should i do ?
 
 the newest is not best . the best is best .

You have not adequately explained your problem, but I will try to
answer.

First I will note that you want to look for material in English. I
cannot verify this first-hand, because I do not understand Japanese
writings, but I feel that there is not going to be much on OpenBSD in
Japanese. There is no official Japanese documentation. The project
originates from an English-speaking part of the world, and there is
simply not enough manpower to keep international documentation up to
date.

The best documentation is the manuals that come with the system and the
FAQ on http://www.openbsd.org/faq/. This is the only official
documentation. It is always kept up to date, unlike the tutorials you
may find elsewhere.

As for the immediate question, OpenBSD base had a fork of Apache 1.x
prior to 5.6. This was removed in 5.6 and is no longer available. In 5.6
the Apache 1.x httpd was replaced with an OpenBSD-specific httpd. OpenBSD
base also contains nginx. It is also possible to install Apache 2.x on
OpenBSD from ports.

OpenBSD httpd does not support authentication. So that will not work
for you. Your options are to learn to configure nginx or to install
Apache 2.x and configure it.

If you install Apache 2.x it will work just like any other installation
of Apache.

-- Martin
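The nginx equivalent of the Apache <Directory> block quoted above, as an added example for the "learn to configure nginx" option; it is not from the thread or from OpenBSD. It assumes nginx with its standard auth_basic module, a password file at /etc/nginx/.htpasswd in the usual "user:hash" form (htpasswd(1) from the Apache port or "openssl passwd" can produce it), and the host name and certificate paths shown, all of which are placeholders. Basic authentication sends the password base64-encoded on every request, so the protected location is served over TLS only.

```nginx
# Added example: HTTP Basic authentication for /member/ in nginx.
# Host name, certificate paths and the password file location are assumptions.
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/ssl/server.crt;
    ssl_certificate_key /etc/ssl/private/server.key;
    root /var/www/htdocs;

    location /member/ {
        auth_basic           "Secret Zone";           # realm shown by the browser
        auth_basic_user_file /etc/nginx/.htpasswd;    # root-owned, mode 0640 for the nginx user
    }
}

# Plain HTTP only redirects, so credentials are never sent in the clear.
server {
    listen 80;
    server_name www.example.com;
    return 301 https://$host$request_uri;
}
```

Check the file with "nginx -t" before reloading; an unreadable password file fails every login with a 500 rather than a 401, which is the first thing to look at when the prompt appears but no password is accepted.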



Re: urtwn device timeout

2014-12-17 Thread martin
Marko Cupać marko.cu...@mimar.rs wrote:

 Hi,
 
 I have occasional device timeout from urtwn on my ThinkPad T440 with usb
 wifi dongle.
 
 All I get in dmesg is:
 urtwn0: device timeout
 
 
 ifconfig still shows it as associated:
 urtwn0: flags=28c43<UP,BROADCAST,RUNNING,OACTIVE,SIMPLEX,MULTICAST,NOINET6> mtu 1500
   lladdr 6c:19:8f:b3:98:02
   priority: 4
   groups: wlan egress
   media: IEEE802.11 autoselect (OFDM54 mode 11g)
   status: active
   ieee80211: nwid somessid chan 6 bssid 24:a4:3c:65:ca:f7 180dB wpakey 
 not displayed wpaprotos wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp 
 wpagroupcipher tkip
   inet 10.90.7.15 netmask 0xffffff80 broadcast 10.90.7.127
 
 I can ping local IP address, but nothing else.
 
 Little blue light on the adapter is on during times of outage.
 netstart restores the connection for a few seconds, after which it
 drops again.
 
 Re-inserting usb dongle followed by netstart re-estabilishes
 connection for a longer period. I noticed that dongle was quite
 hot when I removed it.
 
 I don't know if it is related, but I had similar problem with
 integrated wifi adapter on linux with iwlwifi driver. It would
 wander off to AP with worse signal, or just stop transmitting.
 I'd have to turn adapter off and on in order to restore the
 connection.
 
 Any good people out there to help me out with this?
 -- 
 Marko Cupać
 https://www.mimar.rs/

I have the same problem with 5.6 on a ThinkPad x120e but not with
-current on a MacBook. I thought it had gotten better and that was that,
but the other replies here indicate that xhci makes it worse.

-- Martin



Re: Openbsd broke my hard drive twice! Getting frustrated

2014-12-22 Thread martin
Henrique Lengler henriquel...@openmailbox.org wrote:

 On 2014-12-23 00:50, Edgar Pettijohn III wrote:
  Have you tried installing something other than OpenBSD since you ran
  into this issue?
 
 Since I ran into this issue I can't even access my bios with the HDD 
 sata connected.
 -- 
 Henrique Lengler

It would be exceedingly odd for OpenBSD to be able to break that.

Has anything ever been installed successfully on this machine? Perhaps
the motherboard or power supply causes damage after extended use.

-- Martin



Re: Openbsd broke my hard drive twice! Getting frustrated

2014-12-22 Thread martin
Henrique Lengler henriquel...@openmailbox.org wrote:

 On 2014-12-23 01:08, mar...@martinbrandenburg.com wrote:
  Has anything ever been installed successfully on this machine? Perhaps
  the motherboard or power supply causes damage after extended use.
  
  -- Martin
 
 Yes, my motherboard and power supply have 1 year of use, it every 
 worked, and still
 working good. The evidence is that after try to install OpenBSD by the 
 second time, I did
 a test, I reboot my system three times, accessed bios and everything 
 worked.
 -- 
 Henrique Lengler

Does the disk that you claim OpenBSD damaged still work in a different
computer?

I was being nice when I said exceedingly odd. It's more like impossible.
You come here with an impossible problem and no information. You haven't
even said what type of computer this is. I realize a dmesg is impossible
when it won't boot (though you could unplug the offending disk and get a
dmesg from the CD), but some information would be nice.

-- Martin



Re: Purpose of what(1)

2014-12-31 Thread martin
Adam Wolk adam.w...@koparo.com wrote:

 Hi misc@
 
 I have a question regarding the what(1) command. In one interview I saw
 Theo mentioning the what(1) utility:
 
  Two numbers exist for every component of OpenBSD. One number is the release 
  that the piece came in, ie. 2.8.
 
  The other number exists in each source file that was built. And that number 
  is also in each binary that was built 
  from those files. You can use the what(1) command to determine the 
  revisions of source files which make up 
  each binary.
 
 The way I understood this I could use the what utility on a binary file
 in the base OpenBSD system to see exactly which CVS revisions of
 specific files composed into the resulting binary.
 
 I tried using the tool on several base utilities like ssh, adventure, ls
 etc. None of them produced any output except the executable name itself.
 
 I took a look at the source and the manpage and saw that what this
 utility really does is stepping through the binary in search of the
 revision markup then printing out the stuff it found.
 
 I tried the utility on all the files in /usr/bin/*, /bin/* and
 /usr/lib/* and found that the only ones producing output (actual
 revision markers and source files) are plain text shell scripts.
 Additionally output is also produced for the kernel files (/bsd,
 /bsd.sp, /bsd.rd).
 
 From the manpage
 
  The what utility is compliant with the X/Open System Interfaces option of
  the IEEE Std 1003.1-2008 ("POSIX.1") specification.
 
 I understand that this is part of POSIX but my question is: Is standard
 compliance the sole purpose of the existence of this tool or was it
 actually able to produce output for regular system binaries back in the
 old days? In case of the latter - is there some kind of additional
 stripping or a build step change that causes the information no longer
 being embedded in the executables?
 
 I'm not saying that something is broken, but really interested to know
 what changed. Especially after seeing this URL
 http://prefetch.net/blog/index.php/2005/05/17/fix-for-solaris-ssh-client-hangs/
 showing the output of what(1) ran against OpenSSH on Solaris.
 
 In case this matters. I'm running a i386 snapshot from 27-Dec-2014.
 
 Regards,
 -- 
   Adam Wolk
   adam.w...@koparo.com

The tools work as you found, but there's nothing in the binaries to find
anymore.

They went through and removed the RCS/SCCS strings. See the commit
message here


http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/bin/cat/cat.c?rev=1.20&content-type=text/x-cvsweb-markup

Though CVS does still update the RCS string in the comment at the top of
the file.

I don't know what use what(1)/ident(1) still have in base other than
historically being there.

-- Martin
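What what(1) and ident(1) actually look for, as an added example that is not the OpenBSD implementation: the two marker patterns applied to arbitrary bytes. Run over a constructed blob that still carries a marker, a constructed shell script with an RCS keyword in a comment, and a marker-free blob, it reproduces what Adam observed: output only where an "@(#)" or "$Keyword: ... $" string survives in the file, nothing for a binary whose strings were removed at the source. The keyword name, file names and revisions in the samples are invented.

```python
"""Find the SCCS/RCS version markers that what(1) and ident(1) look for
(added example, not from the thread or OpenBSD). Sample inputs are constructed."""
import re
import sys

# what(1): text after "@(#)" up to the first ", >, \, newline or NUL byte.
SCCS_MARK = re.compile(rb'@\(#\)([^"\\>\n\x00]*)')
# ident(1): "$Keyword: value $" where the value contains no further '$'.
RCS_MARK = re.compile(rb"\$([A-Za-z]+): ([^$\n\x00]*) \$")

# Constructed samples: a fake ELF-looking blob that still carries a marker, a
# shell script whose header comment has an RCS keyword, and a blob with none.
BLOB_WITH_MARK = (b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8 +
                  b"@(#)$Sample: example.c,v 1.2 2014/12/31 12:00:00 nobody Exp $\x00"
                  b"\x90\x90\xcc")
SCRIPT = b"#!/bin/sh\n# $Sample: script.sh,v 1.1 2014/12/31 12:00:00 nobody Exp $\necho hi\n"
BLOB_NO_MARK = b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 32 + b"\x90\x90"


def what(data):
    """Return the strings what(1) would print for this byte string."""
    return [m.group(1).decode("latin-1").strip() for m in SCCS_MARK.finditer(data)]


def ident(data):
    """Return the (keyword, value) pairs ident(1) would print."""
    return [(m.group(1).decode("latin-1"), m.group(2).decode("latin-1"))
            for m in RCS_MARK.finditer(data)]


def scan_file(path):
    """Both scans over one file, read as bytes so stripped binaries work too."""
    with open(path, "rb") as f:
        data = f.read()
    return {"what": what(data), "ident": ident(data)}


if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, scan_file(path))
```

Pointed at /bin/ls or /bsd this prints the same things the base tools do, which makes it a quick way to see which files on a given release still embed revision strings.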



Re: integrity of commercial CD set

2015-01-14 Thread martin
Enos D'Andrea temp4282138...@edlabs.it wrote:

 On 14/01/2015 12:24, Stefan Sperling wrote:
 
  Bootstrapping trust is always going to be hard no matter what we do
  and how hard we try. [...] Now the answer has become buy a CD
  and cross-check it with signify and it's still not enough. [...]
 
 paranoia
 
 Buying a CD in my case includes a 5.000 mile trip through multiple
 five-eyes nations, whose overzealous three letter agencies officially
 intercept physical shipments to install backdoors and hardware implants.
 
 Cross-checking of OpenBSD commercial CD sets at present can only be
 partial, as no official full checksums seem to be provided. Even
 cross-checking *all* files referenced by the ISO filesystem would still
 allow a malicious boot sector to directly reference unallocated space.
 
 Let's call a spade a spade: the worst-case scenario is an APT
 intercepting the shipment of a commercial CD set, substitute one or more
 CDs and repackage it. Extremely unlikely for the average person,
 not-so-much for IT security consultants with important clients.
 
 /paranoia
 
 
 Regards
 
 -- 
 Enos D'Andrea

Where have you heard that? Intercepting physical mail secretly is really
hard, especially if you don't want the post office to know about it.
Think of everyone who would need to know. Anyone who doesn't know would
be trying to get the package correctly delivered. Best case you plant
somebody (multiple people; imagine if your plant was assigned to
something else on the critical day) in the destination post office.

It's extremely unlikely for anyone. Travel to Canada and receive it
there. Oh wait, Canada is really friendly with all the governments
you're scared of. Hopefully you don't live in one of these nations. Why
are you not scared of your own government? They pose the greatest threat
to your liberty.

And since this software is developed out of Canada, how do you know it
can be trusted to begin with? Why do you trust Theo exactly? He seems
like a nice guy, and he's done a very good job with OpenBSD, but you
don't know him. If he were a secret agent, that would be exactly what
he'd want you to think.

No, you trust Theo and OpenBSD because you have no better option. Don't
pretend you increase your security by proving the software came from a
source you can't prove is trustworthy.

You'd do better to audit the source.

Security is about pushing attacks out of your attackers' ability or
price range. If your attackers' ability and price range is greater than
what you're willing to expend on security, you're compromised. Are you
willing to go to the effort that defending against your outlined attack
requires? Probably not. Unless you're very very important, you eliminate
the possibility of a distribution attack by getting signify keys of CDs.

-- Martin



Re: integrity of commercial CD set

2015-01-14 Thread martin
Christian Weisgerber na...@mips.inka.de wrote:

 On 2015-01-14, mar...@martinbrandenburg.com mar...@martinbrandenburg.com 
 wrote:
 
  Buying a CD in my case includes a 5.000 mile trip through multiple
  five-eyes nations, whose overzealous three letter agencies officially
  intercept physical shipments to install backdoors and hardware implants.
 
  Where have you heard that?
 
 Part of the Snowden revelations.  Have you been living under a rock
 for the past 18 months?
 
 -- 
 Christian naddy Weisgerber  na...@mips.inka.de

They are not regularly intercepting CD shipments and replacing the CDs.
It would not be unusual for an intelligence agency to attempt to intercept
particular mails for particular people, but they can't do it at scale
secretly.

-- Martin



Re: resolv.conf.head

2015-01-09 Thread martin
Libertas liber...@mykolab.com wrote:

 I'm relatively new to OpenBSD, so please correct any mistakes below.
 
 As you may know, resolv.conf.tail is appended to resolv.conf. This is
 convenient because the last 'search' and 'domain' keywords listed are used.
 
 However, nameservers are queried in the order they are listed. This
 means (if I understand correctly) that if DHCP adds a nameserver to your
 resolv.conf, it will supersede anything you include in resolv.conf.tail.
 Wanting to specify the nameserver is common, because many of us are
 otherwise sending all of our DNS queries to lovely companies like
 Comcast and Verizon.
 
 Nameserver overrides can be done with dhclient.conf, but it seems clearer
 and more Unixy to just have a resolv.conf.head counterpart to
 resolv.conf.tail. It already exists in a certain other Unix-like
 operating system of great popularity.
 
 Is this a good idea? If so, I can try writing a patch.

The things you want to go at the top can go in dhclient.conf as prepend or
supersede options. Other settings like family in resolv.conf can go at the
bottom just fine.

And you realize that your ISP (like Comcast or Verizon) can see your DNS 
queries even if you point them at another nameserver. Granted I've met enough
ISP nameservers which return advertising instead of NXDOMAIN, and that is
annoying.

-- Martin



Re: Spanish discussion list

2015-01-03 Thread martin
agrquinonez agrquino...@agronomos.ca wrote:

 Hello
 
 Is there someone interested in having a discussion list in Spanish?
 
 I have an OBSD server running current (httpd, smtpd, ftp), and I would
 like to have a discussion list in Spanish; it could have blogs, a forum, or
 any other related things. For now i have it at home, but i might pay for
 a dedicated site on a OBSD housing. The main idea is to make it easier
 for Spanish speakers, keeping the friendly environment of OpenBSD list.
 
 Thanks for your attention.

I don't speak Spanish, but the mailing lists page on the website

http://www.openbsd.org/mail.html

says there is already a Spanish list.

-- Martin Brandenburg



Re: S-nail, ssh, and vi

2017-04-22 Thread martin
> From owner-misc+M164041=martin=martinbrandenburg@openbsd.org Sat Apr 22 
> 21:43:17 2017
> Date: Sat, 22 Apr 2017 21:42:55 -0400
> From: Predrag Punosevac <punoseva...@gmail.com>
> To: misc@openbsd.org
> Subject: S-nail, ssh, and vi
>
> Can anybody help me understand what I am seeing. Namely I am trying to
> send an e-mail using S-nail 14.8.12 (the last one which cleanly compiles
> on OpenBSD). Actual package is 14.8.9. Ever since I upgraded to 6.1 I
> noticed that if I try to use ~v in order to load my e-mail into vi from
> the base for editing I have normal behaviour if the existing message is
> empty but if I had started typing I see
>
>
> ~v [LogLevel VERBOSE]
> ~v [LogLevel DEBUG]

You never saw this before 6.1?  It's been this way for years.

It's coming from ssh.  If you type an escape sequence immediately after
a newline ssh might recognize it.  Type return followed by ~? in ssh for
more information.

~v/~V won't be of much use unless you're debugging ssh, but you'll wonder
how you ever lived without some of them.

~. will kill a stuck session.
~C will let you set up and tear down -L/-R/-D forwardings
~^Z will send ssh to the background
and ~~ will let you type ~ which is most useful for typing this list

In short, type ~~v for vi when running mail in ssh.

Martin



Re: protonmail on misc@openbsd.org

2017-08-10 Thread martin
> From r...@protonmail.com Wed Aug  9 12:56:08 2017
> Date: Wed, 09 Aug 2017 06:11:56 -0400
> To: "misc@openbsd.org" 
> From: Rupert Gallagher 
> Reply-To: Rupert Gallagher 
> Subject: protonmail on misc@openbsd.org
>
> QSBub3RlIHRvIHBvc3RtYXN0ZXIgb24gdGhlIHByb2JsZW0gb2YgZm9sZGVk
> IHF1b3RlZCB0ZXh0IGFuZCBjb2RlIGluIG1pbWUtYXR0YWNobWVudC4gSXQg
> dHVybnMgb3V0IHRoYXQgb3RoZXIgbWFpbGluZyBsaXN0cyBkbyBub3QgZm9s
> ZC4gVGhlIHByb2JsZW0gc2VtcyBsb2NhbCB0byB5b3VyIGxpc3QgbWFuYWdl
> bWVudCBzb2Z0d2FyZS4KClNlbnQgZnJvbSBQcm90b25NYWlsIE1vYmlsZQ==
>
>
>

A note to sender on the problem of crazy encodings.  It turns out that
other user agents do not send crazy encodings.  The problem seems to be
your mail user agent.

Sent from mail(1).



Re: Full disk encryption questions

2017-08-23 Thread martin
> From meun...@ccs.neu.edu Mon Aug 21 15:08:32 2017
> Date: Sat, 19 Aug 2017 15:42:27 -0400
> From: Philippe Meunier <meun...@ccs.neu.edu>
> To: Ted Unangst <t...@tedunangst.com>
> Subject: Re: Full disk encryption questions
>
> Ted Unangst wrote:
> >Philippe Meunier wrote:
> >> - is the panic intended (well, known to the developers and considered
> >> normal; I hesitate to call it a feature) or is it an oversight?
> >
> >no, nothing bioctl does should kill init like that.
>
> Well, it does, and it's reproducible.

I randomly stumbled upon this same issue when I ran bioctl -d on the
wrong disk last night.

> >> - I would have thought that, once the softraid volume has been created, its
> >> metadata wouldn't need to change (unless the passphrase is changed, or the
> >> volume is roaming, as seen above). Any idea why part of it gets trashed?
> >
> >that's true, but maybe a stray write killed it?
>
> It happens even in single-user mode when only / is mounted read-only and
> only init and a shell are running.

I am going to dump the first few hundred sectors of my disk before
attempting to fix this with installboot.  Hopefully I can see what
changes.

> I don't know whether the "cross-device install" message is supposed to be
> just informative or indicates an error...
> Anyway, upon rebooting the machine, I still get the same
> "open(hd0a:/etc/boot.conf): Invalid argument" error message.
>
> Philippe

Try boot sr0a:bsd.  That works for me.  It looks like something causes
it not to attempt booting sr0 first.

Martin



Re: Full disk encryption questions

2017-08-23 Thread martin
> From meun...@ccs.neu.edu Mon Aug 21 15:08:32 2017
> Date: Sat, 19 Aug 2017 15:42:27 -0400
> From: Philippe Meunier <meun...@ccs.neu.edu>
> To: Ted Unangst <t...@tedunangst.com>
> Subject: Re: Full disk encryption questions
>
> >> - is there a way to get the computer to boot again, short of wiping the
> >> disk with dd and starting from scratch again?
> >
> >you can run installboot. use the softraid disk name.
>
> I tried, from the install USB:
>
> # installboot wd0
> installboot: /usr/mdec/biosboot: No such file or directory
> # mount -t ffs /dev/sd0a /mnt
> # cd /
> # gzip -d -c /mnt/6.1/amd64/base61.tgz | tar xfv - ./usr/mdec/biosboot
> ./usr/mdec/biosboot
> # installboot wd0
> installboot: open /usr/mdec/boot: No such file or directory
> # gzip -d -c /mnt/6.1/amd64/base61.tgz | tar xfv - ./usr/mdec/boot
> ./usr/mdec/boot
> # installboot wd0
> installboot: cross-device install
> #
>

As semarie@ told me in IRC, this is wrong.  You need to use the
"decrypted" device such as

sd2 at scsibus4 targ 1 lun 0: <OPENBSD, SR CRYPTO, 006> SCSI2 0/direct fixed

I ran (after mounting /mnt and /mnt/usr) installboot -v -r /mnt sd2 and
can now boot.

Now here are the differences:

First the raw disk:

$ diff -u 0.sd0a.h 1.sd0a.h | more
--- 0.sd0a.hWed Aug 23 14:07:01 2017
+++ 1.sd0a.hWed Aug 23 14:07:43 2017
@@ -499,16 +499,16 @@
 1fd0  58 c6 2b c6 97 c1 70 21  ea 31 5d 6a 66 92 c1 cf  |X.+...p!.1]jf...|
 1fe0  c5 97 1b a8 e9 8f 7e f8  da 0e 4e b2 d4 f6 15 db  |..~...N.|
 1ff0  21 f0 c7 a0 83 f9 f7 55  8c b2 32 8f b3 47 ff 09  |!..U..2..G..|
-2000  6d 61 72 63 43 52 41 4d  06 00 00 00 04 00 00 00  |marcCRAM|
+2000  6d 61 72 63 43 52 41 4d  06 00 00 00 0c 00 00 00  |marcCRAM|
 2010  5b 20 d2 31 20 bc 4c f4  8b 4f d6 89 f2 3c 3c a9  |[ .1 .L..O...<<.|
 2020  01 00 00 00 00 00 00 00  02 00 00 00 00 02 00 00  ||
 2030  00 00 00 00 43 00 00 00  c0 d0 42 25 00 00 00 00  |C.B%|
 2040  4f 50 45 4e 42 53 44 00  53 52 20 43 52 59 50 54  |OPENBSD.SR CRYPT|
 2050  4f 00 00 00 00 00 00 00  30 30 36 00 00 00 00 00  |O...006.|
-2060  67 d6 66 ae 3f 30 4c ba  ee a7 7d df 40 1c af 13  |g.f.?0L...}.@...|
+2060  1a 0e e7 03 2a 5c ca bc  71 07 09 30 9f 3d b5 b7  |*\..q..0.=..|
 2070  73 64 32 00 00 00 00 00  00 00 00 00 00 00 00 00  |sd2.|
 2080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ||
-2090  01 00 00 00 10 02 00 00  f2 00 00 00 00 00 00 00  ||
+2090  01 00 00 00 10 02 00 00  f3 00 00 00 00 00 00 00  ||
 20a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ||
 20b0  73 64 30 61 00 00 00 00  00 00 00 00 00 00 00 00  |sd0a|
 20c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ||
@@ -15323,7 +15323,7 @@
 000562e0  e4 6b 63 69 35 80 29 26  56 1f ef 01 0e b1 57 85  |.kci5.)|
 000562f0  2b c2 3c 6a 72 67 47 1b  04 79 4e 90 77 0d c1 2f  |+...Y|

And the crypto disk:

$ diff -u 0.sd2a.h 1.sd2a.h | more 
--- 0.sd2a.hWed Aug 23 14:07:19 2017
+++ 1.sd2a.hWed Aug 23 14:08:01 2017
@@ -656,7 +656,7 @@
 c2e0  00 00 00 00 00 00 00 00  00 00 00 00 e8 1f 41 e7  |..A.|
 c2f0  23 00 00 00 23 00 00 00  00 00 00 00 00 00 00 00  |#...#...|
 c300  ed 41 2f 00 00 00 00 00  00 08 00 00 00 00 00 00  |.A/.|
-c310  fd c2 9d 59 f1 c5 6b 23  7d d7 9c 59 4e 2c d5 30  |...Y..k#}..YN,.0|
+c310  32 c3 9d 59 08 ba 65 26  7d d7 9c 59 4e 2c d5 30  |2..Y..e&}..YN,.0|
 c320  7d d7 9c 59 4e 2c d5 30  71 06 00 00 00 00 00 00  |}..YN,.0q...|
 c330  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ||
 *
@@ -3430,7 +3430,7 @@
 000185e0  00 00 00 00 00 00 00 00  60 06 00 00 94 2e 73 61  |`.sa|
 000185f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ||
 00018600  a4 81 01 00 00 00 00 00  ca 01 00 00 00 00 00 00  ||
-00018610  fd c2 9d 59 60 3d fa 29  42 52 4c 59 17 93 71 33  |...Y`=.)BRLY..q3|
+00018610  32 c3 9d 59 1c d5 91 2a  42 52 4c 59 17 93 71 33  |2..Y...*BRLY..q3|
 00018620  48 52 4c 59 a3 f1 dd 2f  11 4b 00 00 00 00 00 00  |HRLY.../.K..|
 00018630  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ||
 *

On sd0a:
marcCRAM is the softraid magic number

0x200c is ssd_vol_flags from struct sr_metadata
0x2060 is a MD5 checksum
0x2098 is ssd_ondisk

ssd_vol_flags 0x04 is BIOC_SCNOAUTOASSEMBLE
ssd_vol_flags 0x08 is BIOC_SCBOOTABLE whose absence is suspicious

But I don't have any theory on how it got that way to begin with.
BIOC_SCBOOTABLE is set right now while my system is on.

Martin
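To make the offsets in the post concrete, here is an added Python example (not from the post, not OpenBSD code) that parses the hexdump lines of the sd0a diff above, checks the marcCRAM magic and decodes the fields Martin names for both snapshots. The field widths (32-bit ssd_vol_flags, 64-bit ssd_ondisk), the 0xc0-byte window and the idea that only the two flag bits named in the post are decoded are assumptions of this example.

```python
"""Decode the softraid metadata fields discussed in the post from hexdump -C text."""
import struct

# Offsets from the start of the metadata block (0x2000 in the sd0a dump above),
# as identified in the post.  Field widths are assumed, not taken from the post.
SR_MAGIC = b"marcCRAM"
OFF_VOL_FLAGS = 0x0c   # ssd_vol_flags (assumed 32-bit little-endian)
OFF_CHECKSUM = 0x60    # MD5 checksum, 16 bytes
OFF_ONDISK = 0x98      # ssd_ondisk (assumed 64-bit little-endian)
META_LEN = 0xc0        # assumed window: what the dump above shows

# ssd_vol_flags bits named in the post; anything else is reported as unknown.
BIOC_SCNOAUTOASSEMBLE = 0x04
BIOC_SCBOOTABLE = 0x08
FLAG_NAMES = {
    BIOC_SCNOAUTOASSEMBLE: "BIOC_SCNOAUTOASSEMBLE",
    BIOC_SCBOOTABLE: "BIOC_SCBOOTABLE",
}

# "Before" state (0.sd0a.h), copied from the diff context and '-' lines above.
BEFORE_DUMP = """
2000  6d 61 72 63 43 52 41 4d  06 00 00 00 04 00 00 00  |marcCRAM........|
2010  5b 20 d2 31 20 bc 4c f4  8b 4f d6 89 f2 3c 3c a9  |[ .1 .L..O...<<.|
2020  01 00 00 00 00 00 00 00  02 00 00 00 00 02 00 00  |................|
2030  00 00 00 00 43 00 00 00  c0 d0 42 25 00 00 00 00  |....C.....B%....|
2040  4f 50 45 4e 42 53 44 00  53 52 20 43 52 59 50 54  |OPENBSD.SR CRYPT|
2050  4f 00 00 00 00 00 00 00  30 30 36 00 00 00 00 00  |O.......006.....|
2060  67 d6 66 ae 3f 30 4c ba  ee a7 7d df 40 1c af 13  |g.f.?0L...}.@...|
2070  73 64 32 00 00 00 00 00  00 00 00 00 00 00 00 00  |sd2.............|
2080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
2090  01 00 00 00 10 02 00 00  f2 00 00 00 00 00 00 00  |................|
20a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
20b0  73 64 30 61 00 00 00 00  00 00 00 00 00 00 00 00  |sd0a............|
"""

# "After" state (1.sd0a.h): only the '+' lines of the diff; the rest is unchanged.
AFTER_DELTA = """
2000  6d 61 72 63 43 52 41 4d  06 00 00 00 0c 00 00 00  |marcCRAM........|
2060  1a 0e e7 03 2a 5c ca bc  71 07 09 30 9f 3d b5 b7  |....*\\..q..0.=..|
2090  01 00 00 00 10 02 00 00  f3 00 00 00 00 00 00 00  |................|
"""


def parse_hexdump(text):
    """Parse 'hexdump -C' style lines into {offset: bytes}; the ASCII column is ignored."""
    chunks = {}
    for line in text.splitlines():
        fields = line.split("|", 1)[0].split()
        if len(fields) < 2:
            continue
        chunks[int(fields[0], 16)] = bytes(int(h, 16) for h in fields[1:])
    return chunks


def extract_block(chunks, base, length):
    """Assemble a contiguous byte string of `length` bytes starting at `base`."""
    buf = bytearray(length)
    for off, data in chunks.items():
        rel = off - base
        if 0 <= rel < length:
            end = min(rel + len(data), length)
            buf[rel:end] = data[:end - rel]
    return bytes(buf)


def decode_metadata(buf):
    """Decode the fields the post identifies; refuse blocks without the magic."""
    if buf[:len(SR_MAGIC)] != SR_MAGIC:
        raise ValueError("softraid magic 'marcCRAM' not found")
    (vol_flags,) = struct.unpack_from("<I", buf, OFF_VOL_FLAGS)
    (ondisk,) = struct.unpack_from("<Q", buf, OFF_ONDISK)
    known = sum(FLAG_NAMES)
    return {
        "vol_flags": vol_flags,
        "flags": [name for bit, name in FLAG_NAMES.items() if vol_flags & bit],
        "unknown_flag_bits": vol_flags & ~known,
        "bootable": bool(vol_flags & BIOC_SCBOOTABLE),
        "checksum": buf[OFF_CHECKSUM:OFF_CHECKSUM + 16].hex(),
        "ondisk": ondisk,
    }


def changed_fields(before, after):
    """Names of decoded fields that differ between two metadata snapshots."""
    return sorted(k for k in before if before[k] != after[k])


def analyze():
    """Decode both snapshots from the dump and report what installboot changed."""
    before = parse_hexdump(BEFORE_DUMP)
    after = {**before, **parse_hexdump(AFTER_DELTA)}
    b = decode_metadata(extract_block(before, 0x2000, META_LEN))
    a = decode_metadata(extract_block(after, 0x2000, META_LEN))
    return b, a, changed_fields(b, a)


if __name__ == "__main__":
    b, a, diff = analyze()
    print("before:", b)
    print("after: ", a)
    print("changed:", diff)
```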



Re: ksh ^R vs EDITOR=vi

2017-08-28 Thread martin
> From andreas.kah...@nbis.se Mon Aug 28 09:27:40 2017
> Date: Mon, 28 Aug 2017 10:53:45 +0200
> From: Andreas Kusalananda =?iso-8859-1?B?S+Ro5HJp?= <andreas.kah...@nbis.se>
> To: Jan Stary <h...@stare.cz>
> Subject: Re: ksh ^R vs EDITOR=vi
>
> ^R is for searching backwards in the command line history in Emacs mode
> while Vi mode uses / (just like in the Vi editor).

^R was for reprint as you see in stty -a.  Useful for remembering what
you've already typed when some background program clobbers your input.

I think it changed in 5.9 or 6.0.  Bash has done the history search
thing as long as I can remember.

I often type EDITOR=vi svn commit since svn defaults to an error message
instead of some fallback editor.  This has the unfortunate side effect
of breaking all the keybindings until I remember to type set -o emacs.

What works is to set EDITOR in your profile, then set -o emacs.  The other
order will result in the shell changing to vi mode.

Or we could all set EDITOR to ed, the STANDARD text editor.

Martin



Re: anoncvs instructions

2018-06-09 Thread martin
> The following instructions state to unpack the Xenocara sources in
> /usr, but should be done instead from the /usr/xenocara directory as
> the preceding directory for contents is ./ (whereas ports.tar.gz
> unpacks into ports/)?
>
> The following commands assume you have followed these instructions
> to give a non-root
> user write access to the src, ports and xenocara directories.
>
> $ cd /usr/src
> $ tar xzf /tmp/src.tar.gz
> $ tar xzf /tmp/sys.tar.gz
> $ cd /usr
> $ tar xzf /tmp/ports.tar.gz
> $ tar xzf /tmp/xenocara.tar.gz

Funny.  I've been running 6.3 since it was released and never noticed I
had extracted (by my script) right into /usr.  Guess I haven't needed to
look at X source since April...

Those instructions worked pre-6.3.

Martin

$ ftp http://ftp.usa.openbsd.org/pub/OpenBSD/6.3/xenocara.tar.gz
Trying 192.43.244.161...
Requesting http://ftp.usa.openbsd.org/pub/OpenBSD/6.3/xenocara.tar.gz
  0% |  |   896 KB07:05 
ETA^C
http fetch aborted.
$ tar tzf xenocara.tar.gz | head -3   
.
./CVS
./CVS/Root
gzip: stdin: Input/output error
tar: End of archive volume 1 reached
$ ftp http://ftp.usa.openbsd.org/pub/OpenBSD/6.2/xenocara.tar.gz 
Trying 192.43.244.161...
Requesting http://ftp.usa.openbsd.org/pub/OpenBSD/6.2/xenocara.tar.gz
  0% |  |  1152 KB05:32 
ETA^C
http fetch aborted.
$ tar tzf xenocara.tar.gz | head -3  
xenocara
xenocara/CVS
xenocara/CVS/Root
gzip: stdin: Input/output error
tar: End of archive volume 1 reached



Re: Removing FUSE would theoretically make a system more secure?

2018-01-27 Thread martin
> afaik if I would remove the lines that contains "FUSE" and "fuse" from 
> /sys/conf/GENERIC and re-compile the kernel, that would mean, there will be 
> no more FUSE support in my kernel after reboot.
>
> If so, would this step help to make my system more secure? Ex.: from a future 
> FUSE related security issue? 
>
> just asking theoretically, since I don't use FUSE related stuff, so thinking 
> of that is unneeded. 
>
> or it would just create an unsupported kernel which didn't have any tests 
> regarding the missing fuse and maybe cause bigger issues and security issues 
> vs. if I hadn't touched it? 

I daresay that removing FUSE support will make you invulnerable to any
kind of bug in FUSE.  jca has already given you an outline of the
reasons to believe such a bug, if it exists, is rather unlikely to be
exploitable.

You had better consider what you're giving up when you make this change.
You won't be able to use FUSE.  You won't be able to use syspatch.  I'm
not sure how it affects kernel relinking.  You'll have to build your
kernels yourself on all architectures you run for each release and every
kernel-related erratum.  You'll have to maintain your changes.  You
can't just say "I'm not sure" as I just did.  You'll have to take
responsibility for the possibility that running a non-standard
configuration may introduce bugs.

And what are you defending against?  Somebody has to get root or a way
to mount filesystems without root.  We'll assume he's got a way to mount
filesystems without root, because if he had a way to get root, he
wouldn't need to bother with anything else.  Then he's got to have his FUSE
exploit which gives him root.  Since he probably doesn't have an account
on your system, he's got to have a third exploit to start running code
to begin with.

Defense in depth is good, but this isn't worth the effort on your part.

Your security need only be good enough to require an attacker to spend more
than he's willing to spend.

Martin



Re: For a FFS on an SSD, which of "-o" nil, "sync" &/ "softdep" is more data-safe and fast?

2018-02-09 Thread martin
> From tom.sm...@wirelessconnect.eu Thu Feb  8 23:37:59 2018
> From: Tom Smyth <tom.sm...@wirelessconnect.eu>
> Date: Thu, 8 Feb 2018 19:40:23 +
> Subject: Re: For a FFS on an SSD, which of "-o" nil, "sync" &/ "softdep" is
>  more data-safe and fast?
> To: Tinker <t1...@protonmail.ch>
>
> Also use the noatime mount option so when reading files you are not updating
> access time

But then don't complain when your favorite software package either
doesn't work or does unexpected things.

Martin



Re: For a FFS on an SSD, which of "-o" nil, "sync" &/ "softdep" is more data-safe and fast?

2018-02-10 Thread martin
> From tom.sm...@wirelessconnect.eu Sat Feb 10 11:28:46 2018
> From: Tom Smyth <tom.sm...@wirelessconnect.eu>
> Date: Sat, 10 Feb 2018 09:10:30 +
> Subject: Re: For a FFS on an SSD, which of "-o" nil, "sync" &/ "softdep" is
>  more data-safe and fast?
> To: mar...@martinbrandenburg.com
>
> Hi Martin... can you give a specific case where you have experienced
> negative impacts from the mount options i suggested...
> It would be good to know...

Well I don't run noatime, so I can't give specific examples.

The point I was making is that noatime is a tradeoff.  You give up
adherence to POSIX and historical Unix behavior in exchange for
performance and less disk wear.

Now I will admit that programs that rely on atime updates are few and
far between.  It was always a bit niche.  Nowadays, most software is
written on Linux, and most Linux systems use relatime.

It might be an acceptable tradeoff.  To use the examples from the
manpage, if you know you're not going to run any programs that need it and
that you'll never leave your laptop up for seven days or if you know
your news server doesn't need it, go ahead and disable it.

Just don't forget to consider it as a potential problem if you run into
trouble.

Here are some lines from /etc/daily.  Without atime updates, it could
delete files.  (Some of these might get more frequent mtime or ctime
updates which would bump the atime under noatime.)

The second set might be uncommented on a big multiuser system to clear
out /tmp since users don't.  They might be a little irritated when the
file they've been reading for the last day gets deleted.

next_part "Removing scratch and junk files:"
if [ -d /tmp -a ! -L /tmp ]; then
        cd /tmp && {
                find -x . \
                    \( -path './ssh-*' -o -path ./.X11-unix -o -path ./.ICE-unix \
                    -o -path './tmux-*' \) \
                    -prune -o -type f -atime +7 -execdir rm -f -- {} \; 2>/dev/null
                find -x . -type d -mtime +1 ! -path ./vi.recover ! -path ./.X11-unix \
                    ! -path ./.ICE-unix ! -name . \
                    -execdir rmdir -- {} \; >/dev/null 2>&1; }
fi

# Additional junk directory cleanup would go like this:
#if [ -d /scratch -a ! -L /scratch ]; then
#       cd /scratch && {
#               find . ! -name . -atime +1 -execdir rm -f -- {} \;
#               find . ! -name . -type d -mtime +1 -execdir rmdir -- {} \; \
#                   >/dev/null 2>&1; }
#fi

Martin



Re: Bluetooth Support

2018-10-30 Thread martin
> From s...@spacehopper.org Tue Oct 30 19:32:56 2018
> To: misc@openbsd.org
> From: Stuart Henderson 
> Subject: Re: Bluetooth Support
> Date: Tue, 30 Oct 2018 23:24:04 + (UTC)
>
> On 2018-10-30, Marco Menne  wrote:
> > Hello there,
> >
> > I installed OpenBSD 6.4 on an old iMac from 2010 and nearly everything
> > works fine. The sound is cruel but this is a minor problem.
> > The Apple has a Bluetooth keyboard and I do not find a way to get it
> > working. I read in some forum that Bluetooth is not supported in OpenBSD.
> > Is this true?
> > I can use a USB keyboard, of course, but the Apple keyboard is fine and it
> > would be a little bit sad if I had to change to a USB one.
> >
> > Greetings, Marco
> > - - -
> > Marco Menne
> > marco.menn...@gmail.com
> > GnuPG-Public-Key:
> > https://keyserver.ubuntu.com/pks/lookup?op=get=0x96A01AB59F6F7ECF
> >
>
> AIUI the firmware on some Apples does actually present a Bluetooth
> keyboard as a standard keyboard, but I suspect this one will be too
> old for this and would need an OS that has its own Bluetooth support.
>
>

Way back in 2012, I ran OpenBSD on a 2008 MacBook Pro with a Bluetooth
keyboard and it presented as USB and worked fine.

I ran it for a while actually before I realized and had to ask myself
how in the world this even works.

Marco, you can test this easily without installing simply by checking to
see if you can type at the bootloader prompt.



Re: No traffic from/to road warrior's LAN hosts when IKEv2 VPN is connected

2020-02-10 Thread Martin
I can even ping any internet host from the road warrior's LAN interface when iked 
is connected:

$ ping -I 192.168.0.1 remote_host.com -> works as should be

But no traffic at all from the 192.168.0.10 host except successful DNS 
queries/responses from/to the Road Warrior's local DNS resolver.

$ telnet remote_host.com 80 -> from the 192.168.0.10 LAN host always fails. I can 
see ACKs from remote_host.com port 80 from IPsec virtual 10.0.1.2 to 
192.168.0.10:80, but no connection.

All traffic goes through the Road Warrior's global VPN NAT rule when the VPN is 
connected:

match out log on enc0 inet all nat-to 10.0.1.2

OR through egress when the VPN is disconnected:

match out log on egress from {lo0, 192.168.0.0/24} to any nat-to (egress:0)

# Outgoing www, https traffic
pass in on 192.168.0.1 inet proto tcp from 192.168.0.0/24 to any \
port {www, https} modulate state
pass out on enc0 inet proto tcp from 10.0.1.2 to any \
port {www, https} flags S/SA modulate state
pass out on (egress) inet proto tcp from (egress) to any \
port {www, https} flags S/SA modulate state

When the Road Warrior's VPN is disconnected, any LAN client can connect to any 
internet host as usual.

Please advise.

Martin

‐‐‐ Original Message ‐‐‐
On Monday, February 3, 2020 9:03 PM, Martin Got  
wrote:

> OpenIKED IKEv2 VPN setup consists of OpenBSD-6.6 based remote server and 6.6 
> based road warrior -
> client with dynamic IP. VPN works stably even using a link behind ISP NAT 
> with ping latency from
> ~750ms to ~1100ms. Hope latency about 1000ms can't be related to the issue 
> because all the tests
> with disconnected/connected VPN have been made on the same ISP channel.
>
> Any of the hosts from LAN (192.168.0.0/24) connected to the road warrior can 
> reach external Internet
> hosts with disconnected VPN only.
>
> If VPN is connected, no host from the road warrior's LAN can reach any 
> internet host.
> But any LAN host can connect to the road warrior's local services listening on 
> lo0 whether the VPN is
> connected or not.
>
> So I can't ping any Internet host from road warrior's LAN host if VPN is 
> connected, but I can ping
> outside Internet hosts from road warriors' localhost itself. In PF ICMP set 
> from any to any and ping
> works to any Internet host if VPN is disabled. I think it can't be bound to 
> firewall rules, maybe
> timeouts of PF connection states. I'm completely not sure about it.
>
> When VPN is connected, all roadwarrior's LAN traffic is disabled for some 
> reason, tcpdump shows
> requests and replies to the LAN host on enc0 but the initiator (192.168.0.5) doesn't 
> receive any replies. I
> don't know why.
>
> $ tcpdump -en -i pflog0
> 10:12:43.598785 rule 4/(match) match out on enc0: 10.0.1.2 > 8.8.8.8: icmp: 
> echo request
> 10:12.43.598814 rule 563/(match) pass out on enc0: 10.0.1.2 > 8.8.8.8: icmp: 
> echo request
> 10.12.44.277267 rule 4/(match) match out on enc0: 10.0.1.2 > 192.168.0.5: 
> icmp: echo reply
> 10.12.47.277848 rule 4/(match) match out on enc0: 10.0.1.2 > 192.168.0.5: 
> icmp: echo reply
>
> LAN clients can reach the road warrior's localhost-bound services like DNS and 
> proxy, and it doesn't matter
> if the VPN is enabled or not, but there is no outbound traffic at all with the VPN enabled.
>
> Road warrior client has one NAT in PF to transmit packets from its local IP 
> address when VPN is
> disabled, and second NAT rule to transmit packets when IKEv2 VPN is connected 
> like:
>
> $ pf.conf (client)
>
> ---NAT
>
> ===
>
> match out log on enc0 inet all nat-to 10.0.1.2
> match out log on rdomain 0 from {lo0, 192.168.0.0/24} to any nat-to (egress:0)
>
> ---ICMP
>
> 
>
> pass in log quick on 192.168.0.1 inet proto icmp all icmp-type \
> echoreq, timex, paramprob, unreach code needfrag keep state
> pass out log inet proto icmp all
>
> ---Web
>
> ===
>
> pass in on 192.168.0.1 inet proto tcp from 192.168.0.0/24 to any \
> port {www, https} modulate state
> pass out on enc0 inet proto tcp from 10.0.1.2 to any \
> port {www, https} flags S/SA modulate state
> pass out on (egress) inet proto tcp from (egress) to any \
> port {www, https} flags S/SA modulate state
>
> ---IPsec
>
> =
>
> pass in log on (egress) inet proto esp from any to (egress) port {isakmp, 
> ipsec-nat-t}
> pass out log on (egress) inet proto udp from (egress) to any port {isakmp, 
> ipsec-nat-t} keep state
>
> pass in log on enc0 inet proto ipencap from any to (egress) keep state 
> (if-bound)
> pass out log on enc0 inet proto ipencap from (egress) to any keep state 
> (if-bound)
>
> pass in log on enc0 inet from 0.0.0.0/0 to 0.0.0.0/0 keep state (if-bound)
> pass out log on enc0 inet from 0.0.0.0/0 to 0.0.0.0/0 keep state (if-bound)
>
> ---
>
> 

Re: OpenBSD 6.6-current shutter about one time every 1-3 seconds

2020-03-12 Thread Martin
I removed all the pkg_scripts from loading on 6.6-current and tried to test the 
system under full load (150Gb database reindexing) with apm -H. Stutters are 
present, but have the minimal possible visual effect on foreground programs. apm -A 
works as expected, raising the CPU frequency to a high value when the db is reindexed.

apm -L raises the stutter effect significantly.

In most cases of testing, it looks like some system process(es), possibly disk 
I/O procedures, cause bumbles.

The last test was dd urandom data directly to external USB3.0 disk. Stutters 
increase their visibility to console applications like ncurses based visualizer 
or simply USB keyboard symbols input.

I think ktrace will be a good tool to analyze it, or what other tool can be used?

Martin

‐‐‐ Original Message ‐‐‐
On Wednesday, March 11, 2020 6:25 PM, Peter J. Philipp  wrote:

> On Wed, Mar 11, 2020 at 06:12:44PM +0000, Martin wrote:
> 
>
> > Peter, can you share which software you started in /etc/rc.conf.local
> > by
> > pkg_scripts="imapd..."
> > I'll try to find some correlation.
> > Martin
>
> pkg_scripts="isc_named cyrus_imapd saslauthd"
>
> along with apmd -A, vmd, sndiod -f rsnd/0 -f rsnd/1, portmap, nfsd, mountd,
> unwind, rad, tftpd, xenodm, dhcpd
>
> It's just the workstation I power up every day when I'm home.
>
> Hope that helps,
> -peter




OpenBSD 6.6-current shutter about one time every 1-3 seconds

2020-03-11 Thread Martin
Hello list,

After upgrade from 6.5 to 6.6-current amd64 (all the latest patches installed) the 
system stutters. It affects all visible and background activity. For 
instance, when typing, the USB keyboard skips symbols, disk write operations bumble 
as well, and voip RTP traffic interrupts for less than a second.

What is the best way to determine the cause of this behavior? Currently looking 
for some ways to diagnose the reason for the problem.

Martin


Re: OpenBSD 6.6-current shutter about one time every 1-3 seconds

2020-03-11 Thread Martin
I use significantly slower hardware than yours, an AMD SOC with an ordinary 2.5" 
7200rpm HDD (bioctl encrypted). The same HDD was installed on the same 
platform when OpenBSD was 6.5-current with the same encryption level.

Cyrus imapd implementations aren't present in my setup. 
Dovecot+opensmtpd+PostgreSQL are working in production and I don't see any 
activity of theirs which can cause stutters.

I think it can be USB2/3 issues, but I don't know how to diagnose it.

Hope somebody can give advice on diagnosing this at the system level of 6.6 
itself and of 3rd party software behavior.

Peter, can you share which software you started in /etc/rc.conf.local
by
pkg_scripts="imapd..."

I'll try to find some correlation.

Martin

‐‐‐ Original Message ‐‐‐
On Wednesday, March 11, 2020 5:40 PM, Peter J. Philipp  wrote:

> On Wed, Mar 11, 2020 at 05:28:11PM +, Martin wrote:
>
> > Hello list,
> > After upgrade from 6.5 to 6.6-current amd64 (all the latest patches 
> > installed) system stutters. It affects on all visible and background 
> > activity. For instance, when typing USB keyboard skip symbols, disk write 
> > operations bumble as well, voip RTP traffic interrupts for less then a 
> > second.
> > What the best way to determine the cause of this behavior? Currently 
> > looking some ways to diagnose the problem reason.
> > Martin
>
> Hi Martin,
>
> I get that too, it started when I moved cyrus imapd to my local system a year
> or more ago. I've learned to live with it. To elaborate, something cyrus
> imapd does is when a mail comes in via fetchmail that mplayer which plays
> flac's or streams from an icecast starts stuttering. The combination of
> cyrus, thunderbird, and fetchmail may be to blame too, dunno. It may be
> disk related? I have a Samsung SSD. My workstation is a 2014 Xeon E3-1275
> with 32 GB RAM.
>
> Regards,
> -peter




Re: OpenBSD VPS hoster with unlimited/limited nonfiltered traffic

2020-04-10 Thread Martin
I know about vultr, but they are filtering 25, 465 for sure and some other 
ports. Especially, I need port 25 open for the mail server I'm going to implement.

I'm mostly interested in a small hoster with soft customer policies for long 
term OpenBSD VPS hosting. It can be any ISP based VPS hoster or any other.

Martin

‐‐‐ Original Message ‐‐‐
On Friday, April 10, 2020 10:59 AM, Dumitru Moldovan  wrote:

> On Fri, Apr 10, 2020 at 09:51:41AM +0000, Martin wrote:
>
> > I'm looking for relatively cheap VPS with OpenBSD installation support and 
> > with ~1Tb of unfiltered traffic. In any words all in/out VPS ports must be 
> > opened by default.
> > Any recommendations?
>
> Vultr is close to that. Last time I created a new VPS with them, I
> think they filtered port 25, but it was no big deal to get rid of that.
>
> Still running 2 production VMs on Vultr, they are cheap, have great
> support, and reasonable uptimes. Not OpenBSD-based unfortunately, even
> though they support it officially.




OpenBSD VPS hoster with unlimited/limited nonfiltered traffic

2020-04-10 Thread Martin
I'm looking for a relatively cheap VPS with OpenBSD installation support and with 
~1Tb of unfiltered traffic. In other words, all in/out VPS ports must be open by 
default.
Any recommendations?

Martin.


Re: OpenBSD VPS hoster with unlimited/limited nonfiltered traffic

2020-04-19 Thread Martin
Do you know any clock fix for Debian guest like kern.timecounter.hardware=tsc + 
NTPd for OBSD guests?

Martin

‐‐‐ Original Message ‐‐‐
On Sunday, April 19, 2020 4:15 PM, j3s  wrote:

> > Will I encounter the same issue with clock > synchronization on VMM based
>
> Unfortunately you will, the clock issues aren’t quite worked out yet.




Re: BGP spamd AS working addresses to have realtime list updates

2020-04-19 Thread Martin
Hello, Peter.

How can I help you to maintain the EU server in good shape? I think a spam related 
AS is a really good tool for all the people in the community who use the spamd engine.

Martin

‐‐‐ Original Message ‐‐‐
On Sunday, April 19, 2020 4:40 PM, Peter Hessler  wrote:

> Hi Martin
>
> The eu.bgp-spamd.net server is no longer available. I have not had any
> time for maintenance of these systems for several years, so do not
> expect many future updates.
>
> -peter
>
> On 2020 Apr 19 (Sun) at 14:39:08 + (+), Martin wrote:
> :I'm going to have spamdb updates from AS using BGP as configured.
> :But both AS rs.bgp-spamd.net eu.bgp-spamd.net point to the same IP address 
> according to ping:
> :
> :ping eu.bgp-spamd.net
> :217.31.80.170
> :ping rs.bgp-spamd.net
> :217.31.80.170
> :
> :Which system can be used for redundancy? Any other spamd-AS online?
> :
> :$ cat /etc/bgpd.conf
> :AS 65xxx
> :fib-update no
> :
> :group "spam" {
> : remote-as 65066
> : multihop 64
> : export none
> : neighbor 64.142.121.62 {
> : descr "rs.bgp-spamd.net"
> : }
> : neighbor 217.31.80.170 {
> : descr "eu.bgp-spamd.net"
> : }
> :}
> :...
> :
> :Martin
>
> ---
>
> Did you know ...
>
> That no-one ever reads these things?




Re: UNIX crash course

2020-04-19 Thread Martin
People recommended these books https://www.openbsd.org/books.html to me as a 
programming starting point. There is a list of admin-related books there too. Very 
comprehensive and useful books are listed.

Martin

‐‐‐ Original Message ‐‐‐
On Sunday, April 19, 2020 7:15 PM, Chris Zakelj  wrote:

> Looking to the list for suggestions on becoming at least a
> semi-competent admin.  Long-time members may remember my trial-by-fire
> 15+ years ago when the boss ordered a T1 and the carrier's tech
> "helpfully" pointed the dmz interface at the (already outdated) NT4 file
> server.  My current situation is nothing like that, but thanks to all
> the recent trolls, I discovered that following the IEEE's transition
> from their email service being little more than a .forward alias into a
> full-fledged GMail suite, that Google wasn't forwarding emails it deemed
> spammy and caused the partial loss of nearly seven months' worth of
> mail.  Since I don't trust Google or pretty much any "free" provider at
> this point, that means doing it myself.  Some steps (registering a
> domain, ordering business-class service or a static IP, etc) are
> self-evident.  But after that, there's a lot I really need to learn
> beyond what's in the man pages, and my copy of 'Absolute OpenBSD' is
> quite dated at this point.  I've also got that misbehaving ARC-1200B
> card, so if dlg@ or another team member in the US/Canada has interest in
> figuring out what's going sideways, I'll pay for shipping both ways.




BGP spamd AS working addresses to have realtime list updates

2020-04-19 Thread Martin
I'm going to have spamdb updates from AS using BGP as configured.
But both AS rs.bgp-spamd.net and eu.bgp-spamd.net point to the same IP address 
according to ping:

ping eu.bgp-spamd.net
217.31.80.170
ping rs.bgp-spamd.net
217.31.80.170

Which system can be used for redundancy? Any other spamd-AS online?

$ cat /etc/bgpd.conf
AS 65xxx
fib-update no

group "spam" {
    remote-as 65066
    multihop 64
    export none
    neighbor 64.142.121.62 {
        descr "rs.bgp-spamd.net"
    }
    neighbor 217.31.80.170 {
        descr "eu.bgp-spamd.net"
    }
}
...

Martin


Re: OpenBSD VPS hoster with unlimited/limited nonfiltered traffic

2020-04-19 Thread Martin
Thanks all of you guys for suggestions.

Just one question to OpenBSD VMM based VPS hosters. I use vmd with OBSD 6.6 and 
Debian guests locally just for testing and am stuck with a clock synchronization 
issue on both guests.

Will I encounter the same issue with clock synchronization on VMM based VPSes?

Martin


‐‐‐ Original Message ‐‐‐
On Saturday, April 18, 2020 12:20 AM, j3s  wrote:

> On 4/10/20 4:51 AM, Martin wrote:
>
> > I'm looking for relatively cheap VPS with OpenBSD installation support and 
> > with ~1Tb of unfiltered traffic. In other words, all in/out VPS ports must be 
> > opened by default.
> > Any recommendations?
>
> Ohai. Co-founder of Cyberia Computer Club here - we're a US-based
> nonprofit - part of our deal is providing good & open services.
>
> We host our own hardware in a US datacenter, and offer OpenBSD VMs for
> decent prices. You can see the whole shtick at https://capsul.org
>
> No filtering or snooping, you just get a box on a public IPv4 and that's it.
>
> Just wanted to toss my own hat in the ring!
>
> j3s




Keeping distfiles actual with port tree and cleaning old distfiles from storage automatically

2020-04-20 Thread Martin
I'm looking for a way to keep distfiles up-to-date locally and automatically remove 
'old' ones, in sync with the current ports tree.

Martin
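An added example, not from the thread, of the check a ports user would run before deleting anything: the distinfo file of every port names the distfiles that port actually needs (`SHA256 (name) = ...`, with a subdirectory prefix for ports that use DIST_SUBDIR), so a file in the distfiles directory that no distinfo in the current tree mentions is stale. The function below computes exactly that set with POSIX tools; the ports tree and distfiles directory paths are arguments, `/usr/ports` and `/usr/ports/distfiles` being the usual ones. Listing and deleting are deliberately two separate functions so the list can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the misc@ thread). Usage:
#   stale_distfiles /usr/ports /usr/ports/distfiles        # review
#   remove_stale_distfiles /usr/ports /usr/ports/distfiles # then delete

# Print every file under $2 that no distinfo below $1 references.
stale_distfiles() {
    ports=$1; distdir=$2
    tmp=$(mktemp -d) || return 1
    # "SHA256 (name) = digest" lines carry the file name exactly as it is
    # stored on disk, including any DIST_SUBDIR prefix such as "sub/name".
    find "$ports" -type f -name distinfo \
        -exec sed -n 's/^SHA256 (\(.*\)) = .*/\1/p' {} + \
        | LC_ALL=C sort -u > "$tmp/wanted"
    # Relative paths of what is actually present.
    (cd "$distdir" && find . -type f | sed 's|^\./||') \
        | LC_ALL=C sort -u > "$tmp/have"
    # Lines only in the second file: present but unreferenced.
    LC_ALL=C comm -13 "$tmp/wanted" "$tmp/have"
    rm -rf "$tmp"
}

# Delete the stale files, printing each name so the run leaves an audit trail.
remove_stale_distfiles() {
    distdir=$2
    stale_distfiles "$1" "$2" | while IFS= read -r f; do
        rm -v -- "$distdir/$f"
    done
}
```

After pruning, the files that remain are still only as trustworthy as their checksums; `make checksum` in a port's directory re-verifies its distfiles against distinfo, which is the check that matters for a locally mirrored supply chain.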


Adjust or set OpenIKED renegotiation timeout manually if remote ISP resets connections

2020-04-02 Thread Martin
The remote VPS hoster resets connections after some amount of data has been 
transferred to/from the remote VPS.

May I adjust the OpenIKED renegotiation timeout down to 1-2s in some way? Currently 
it takes ~3-4m to reconnect.
Right after each 'connection reset' issued by the VPS hoster I can restart iked 
manually with "rcctl restart iked" and iked renegotiates the link immediately 
after it.

The question is how to automate it to have minimal connection loss?

Martin
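An added example, not from the thread, of one way to automate the manual step described above: a watchdog that probes a host reachable only through the tunnel and runs the same `rcctl restart iked` once several consecutive probes have failed. The threshold matters because restarting iked tears down every SA, so reacting to a single lost packet would itself cause the outages it is meant to shorten. PROBE_HOST is a constructed placeholder; rcctl(8) and ping(8) are OpenBSD's, and the decision logic is kept side-effect free so it can be exercised without a tunnel.

```shell
#!/bin/sh
# Added example (not from the misc@ thread): restart iked(8) only after
# THRESHOLD consecutive failed probes through the tunnel.
#   sh iked-watchdog.sh run      # loop forever, as a cron @reboot job or rc script

PROBE_HOST="${PROBE_HOST:-10.100.0.1}"   # constructed: an address behind the tunnel
THRESHOLD="${THRESHOLD:-3}"              # consecutive failures before a restart
INTERVAL="${INTERVAL:-2}"                # seconds between probes

# Consecutive-failure counter: back to 0 on a good probe, +1 on a bad one.
next_failure_count() {
    count=$1; probe_status=$2
    if [ "$probe_status" -eq 0 ]; then echo 0; else echo $((count + 1)); fi
}

# Exit 0 (restart) once failures reach the threshold, 1 otherwise.
should_restart() {
    [ "$1" -ge "$2" ]
}

# One ICMP echo with a one-second wait; the exit status is the verdict.
probe() {
    ping -c 1 -w 1 "$PROBE_HOST" >/dev/null 2>&1
}

watchdog_loop() {
    fails=0
    while :; do
        if probe; then rc=0; else rc=1; fi
        fails=$(next_failure_count "$fails" "$rc")
        if should_restart "$fails" "$THRESHOLD"; then
            logger -t iked-watchdog "no reply from $PROBE_HOST, restarting iked"
            rcctl restart iked
            fails=0
        fi
        sleep "$INTERVAL"
    done
}

if [ "${1:-}" = "run" ]; then
    watchdog_loop
fi
```

With the defaults the worst-case detection time is about THRESHOLD x (INTERVAL + 1 s), well under the 3-4 minutes mentioned above, and every restart is logged so a hoster that resets the link on a data quota shows up as a regular pattern in the log rather than as unexplained SA churn.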


Any console SIP client from ports or packages?

2020-04-02 Thread Martin
I'm looking for lightweight console SIP client to perform calls right from 
OpenBSD console with asterisk.

Please suggest.

Martin


Re: Any console SIP client from ports or packages?

2020-04-03 Thread Martin
This one is exactly what I'm looking for.

Thanks

‐‐‐ Original Message ‐‐‐
On Thursday, April 2, 2020 9:31 PM, Mihai Popescu  wrote:

> pjsua
>
> It has audio only, no video part ported yet. I didn't use it with asterisk
> but was fine with iptel.org.




Re: nmea0 huge timedelta while system clock is in sync

2020-03-31 Thread Martin
Still can't find a solution. I suspect the backup battery.

‐‐‐ Original Message ‐‐‐
On Sunday, March 22, 2020 9:12 PM, Otto Moerbeek  wrote:

> On Sun, Mar 22, 2020 at 08:26:25PM +0000, Martin wrote:
>
> > Hello Otto,
> > I can't share any coordinates, but after analyzing NMEA messages from 
> > receiver I see the correct UTC time in first field of $GPGGA, $PQXFI 
> > (Qualcomm extended fix information), $GNSNS sentences. In repeating 
> > sentences time data changes every second as it should be. System's time is in 
> > sync with the NTP pool currently, so it has the minimum delta possible.
> > $GPGGA,194359.00,coordinates,.
> > $PQXFI,194359.00,coordinates,.
> > $GNSNS,194359.00,coordinates,.
> > ...
> > $GPRMC,194359.00,coordinates,.
> > ...
> > $GPGGA,194400.00,coordinates,.
> > $PQXFI,194400.00,coordinates,.
> > $GNSNS,194400.00,coordinates,.
> > ...
> > $GPRMC,194400.00,coordinates,.
>
> Double sigh. The datestamp in the $GPRMC message is important.
>
> But I give up, you are only making things difficult.
>
> -Otto
>
> > Any way to perform manual 'reset' timedelta to any 'default' value?
> > Martin
> > ‐‐‐ Original Message ‐‐‐
> > On Sunday, March 22, 2020 3:28 PM, Otto Moerbeek o...@drijf.net wrote:
> >
> > > On Sun, Mar 22, 2020 at 03:22:40PM +, Martin wrote:
> > >
> > > > The position is absolutely correct. I forgot to mention I changed 
> > > > Latitude and Longitude by different values.
> > > > The timedelta is incorrect and it's only the question why.
> > > > I missed a moment when huge time skew appeared. Just system clock was 
> > > > changed significantly to incorrect value. Now ntpd.conf set to NTP 
> > > > pool, but hope I can fix radioclocks.
> > > > Martin
> > > > ‐‐‐ Original Message ‐‐‐
> > > > On Sunday, March 22, 2020 12:54 PM, Otto Moerbeek o...@drijf.net wrote:
> > > >
> > > > > On Sun, Mar 22, 2020 at 12:19:39PM +, Martin wrote:
> > > > >
> > > > > > hw.sensors.nmea0.indicator0=On (Signal), OK
> > > > > > hw.sensors.nmea0.timedelta0=619313970.981246 secs (GPS autonomous), 
> > > > > > OK, Sun Mar 22 12:47:08.981
> > > > > > ^^
> > > > > > hw.sensors.nmea0.angle0=10.0 degrees (Latitude), OK
> > > > > > hw.sensors.nmea0.angle1=20.0 degrees (Longitude), OK
> > > > > > hw.sensors.nmea0.distance0=30.0 m (Altitude), OK
> > > > > > hw.sensors.nmea0.velocity0=0.000 m/s (Ground speed), OK
> > > > > > It works for about two years before like a charm, but now timedelta 
> > > > > > 619313970.981246 secs.
> > > > > > Tried to change GPS receiver, no effect.
> > > > > > Martin
> > > > >
> > > > > Your position is also suspect. Can you run cu on the port the GPS is
> > > > > attached to and get a snippet of the output?
> > > > > -Otto
> > >
> > > Sigh, you are making troubleshooting this harder than needed by
> > > editing output without saying so. Also, I asked for an NMEA output
> > > log.
> > > Uncomment your ldattach line in /etc/ttys
> > > kill -1 1
> > > cu -l ttyXX -s 4800
> > > (Change speed to match your device). Without log I cannot help.
> > > -Otto




Start system daemon after postgresql/mysql database from packages using rc.conf.local

2020-04-22 Thread Martin
I need to change the start order of a system daemon (smtpd) during system boot so 
that it connects to a database which is started from the package scripts in 
/etc/rc.conf.local.

Now /etc/rc.conf is untouched, and the database runs from /etc/rc.conf.local:
pkg_scripts="postgresql"
smtpd starts first from rc.conf and crashes because no database has been loaded 
yet by the rc.conf.local script to fetch users from.

Please suggest any workaround.

Martin


IPv4 traffic over IPv6 tunnel approach

2020-05-08 Thread Martin
I have an IPv6 unidirectional tunnel between two machines. One of them is the 
gateway, the other one is a client.
The goal is to route IPv4 packets over the IPv6 tunnel from the client to the 
gateway and NAT the IPv4 packets to egress on the gateway machine.

May I use gif(4) for it, or what is the best approach to carry IPv4 packets 
over an IPv6 tunnel?

Martin


Re: 'post quantum' encryption algorithm(s) in latest libressl and upcoming 6.7 to chose

2020-05-09 Thread Martin
Some time ago Google bought a 2000-qubit version from D-Wave and confirmed it is a 
quantum computer, bla bla bla... but the cluster consists of eight-qubit blocks to 
build the advertised capacity, if I understand Google's papers right.

My question was about decrypting currently generated and accumulated encrypted 
traffic five to ten years from now on quantum computers, if they are available by 
then. And which crypto algorithm I have to use right now to prevent decryption in 
the post-quantum computing era.

Martin

‐‐‐ Original Message ‐‐‐
On Saturday, May 9, 2020 2:34 PM,  wrote:

> D-waves has too uncoupled qubits if I understand it correctly, it is nothing 
> to do about qubits quantity as we used to think about it. Like a "cluster" of 
> completely isolated hosts (which is already not a cluster, of course).




nmea0 huge timedelta while system clock is in sync

2020-03-22 Thread Martin
hw.sensors.nmea0.indicator0=On (Signal), OK
hw.sensors.nmea0.timedelta0=619313970.981246 secs (GPS autonomous), OK, Sun Mar 
22 12:47:08.981
   ^^
hw.sensors.nmea0.angle0=10.0 degrees (Latitude), OK
hw.sensors.nmea0.angle1=20.0 degrees (Longitude), OK
hw.sensors.nmea0.distance0=30.0 m (Altitude), OK
hw.sensors.nmea0.velocity0=0.000 m/s (Ground speed), OK

It worked like a charm for about two years, but now timedelta is 
619313970.981246 secs.
Tried changing the GPS receiver, no effect.

Martin


Re: nmea0 huge timedelta while system clock is in sync

2020-03-22 Thread Martin
The position is absolutely correct. I forgot to mention I changed the Latitude and 
Longitude to different values.
The timedelta is *incorrect* and the only question is why.

I missed the moment when the huge time skew appeared. The system clock just changed 
significantly to an incorrect value. Now ntpd.conf is set to the NTP pool, but I hope 
I can fix the radio clocks.

Martin

‐‐‐ Original Message ‐‐‐
On Sunday, March 22, 2020 12:54 PM, Otto Moerbeek  wrote:

> On Sun, Mar 22, 2020 at 12:19:39PM +0000, Martin wrote:
>
> > hw.sensors.nmea0.indicator0=On (Signal), OK
> > hw.sensors.nmea0.timedelta0=619313970.981246 secs (GPS autonomous), OK, Sun 
> > Mar 22 12:47:08.981
> > ^^
> > hw.sensors.nmea0.angle0=10.0 degrees (Latitude), OK
> > hw.sensors.nmea0.angle1=20.0 degrees (Longitude), OK
> > hw.sensors.nmea0.distance0=30.0 m (Altitude), OK
> > hw.sensors.nmea0.velocity0=0.000 m/s (Ground speed), OK
> > It worked like a charm for about two years, but now timedelta is 
> > 619313970.981246 secs.
> > Tried to change GPS receiver, no effect.
> > Martin
>
> Your position is also suspect. Can you run cu on the port the GPS is
> attached to and get a snippet of the output?
>
> -Otto




Re: nmea0 huge timedelta while system clock is in sync

2020-03-22 Thread Martin
Hello Otto,

I can't share any coordinates, but after analyzing the NMEA messages from the 
receiver I see the correct UTC time in the first field of the $GPGGA, $PQXFI (Qualcomm 
extended fix information) and $GNSNS sentences. In the repeating sentences the time 
data changes every second as it should. The system's time is in sync with the NTP 
pool currently, so it has the minimum delta possible.

$GPGGA,194359.00,_coordinates_,.
$PQXFI,194359.00,_coordinates_,.
$GNSNS,194359.00,_coordinates_,.
...
$GPRMC,194359.00,_coordinates_,.
...
$GPGGA,194400.00,_coordinates_,.
$PQXFI,194400.00,_coordinates_,.
$GNSNS,194400.00,_coordinates_,.
...
$GPRMC,194400.00,_coordinates_,.

Is there any way to manually 'reset' timedelta to some 'default' value?

Martin

‐‐‐ Original Message ‐‐‐
On Sunday, March 22, 2020 3:28 PM, Otto Moerbeek  wrote:

> On Sun, Mar 22, 2020 at 03:22:40PM +0000, Martin wrote:
>
> > The position is absolutely correct. I forgot to mention I changed Latitude 
> > and Longitude by different values.
> > The timedelta is incorrect and it's only the question why.
> > I missed a moment when huge time skew appeared. Just system clock was 
> > changed significantly to incorrect value. Now ntpd.conf set to NTP pool, 
> > but hope I can fix radioclocks.
> > Martin
> > ‐‐‐ Original Message ‐‐‐
> > On Sunday, March 22, 2020 12:54 PM, Otto Moerbeek o...@drijf.net wrote:
> >
> > > On Sun, Mar 22, 2020 at 12:19:39PM +, Martin wrote:
> > >
> > > > hw.sensors.nmea0.indicator0=On (Signal), OK
> > > > hw.sensors.nmea0.timedelta0=619313970.981246 secs (GPS autonomous), OK, 
> > > > Sun Mar 22 12:47:08.981
> > > > ^^
> > > > hw.sensors.nmea0.angle0=10.0 degrees (Latitude), OK
> > > > hw.sensors.nmea0.angle1=20.0 degrees (Longitude), OK
> > > > hw.sensors.nmea0.distance0=30.0 m (Altitude), OK
> > > > hw.sensors.nmea0.velocity0=0.000 m/s (Ground speed), OK
> > > > It works for about two years before like a charm, but now timedelta 
> > > > 619313970.981246 secs.
> > > > Tried to change GPS receiver, no effect.
> > > > Martin
> > >
> > > Your position is also suspect. Can you run cu on the port the GPS is
> > > attached to and get a snippet of the output?
> > > -Otto
>
> Sigh, you are making troubleshooting this harder than needed by
> editing output without saying so. Also, I asked for an NMEA output
> log.
>
> Uncomment your ldattach line in /etc/ttys
> kill -1 1
> cu -l ttyXX -s 4800
>
> (Change speed to match your device). Without log I cannot help.
>
> -Otto




Re: nmea0 huge timedelta while system clock is in sync

2020-03-22 Thread Martin
But the NMEA datestamp is incorrect:

$GPGGA,194458.00,_coordinates_,..,..,060800,0.0,E,A*35
  ^^^
Martin


‐‐‐ Original Message ‐‐‐
On Sunday, March 22, 2020 3:28 PM, Otto Moerbeek  wrote:

> On Sun, Mar 22, 2020 at 03:22:40PM +0000, Martin wrote:
>
> > The position is absolutely correct. I forgot to mention I changed Latitude 
> > and Longitude by different values.
> > The timedelta is incorrect and it's only the question why.
> > I missed a moment when huge time skew appeared. Just system clock was 
> > changed significantly to incorrect value. Now ntpd.conf set to NTP pool, 
> > but hope I can fix radioclocks.
> > Martin
> > ‐‐‐ Original Message ‐‐‐
> > On Sunday, March 22, 2020 12:54 PM, Otto Moerbeek o...@drijf.net wrote:
> >
> > > On Sun, Mar 22, 2020 at 12:19:39PM +, Martin wrote:
> > >
> > > > hw.sensors.nmea0.indicator0=On (Signal), OK
> > > > hw.sensors.nmea0.timedelta0=619313970.981246 secs (GPS autonomous), OK, 
> > > > Sun Mar 22 12:47:08.981
> > > > ^^
> > > > hw.sensors.nmea0.angle0=10.0 degrees (Latitude), OK
> > > > hw.sensors.nmea0.angle1=20.0 degrees (Longitude), OK
> > > > hw.sensors.nmea0.distance0=30.0 m (Altitude), OK
> > > > hw.sensors.nmea0.velocity0=0.000 m/s (Ground speed), OK
> > > > It works for about two years before like a charm, but now timedelta 
> > > > 619313970.981246 secs.
> > > > Tried to change GPS receiver, no effect.
> > > > Martin
> > >
> > > Your position is also suspect. Can you run cu on the port the GPS is
> > > attached to and get a snippet of the output?
> > > -Otto
>
> Sigh, you are making troubleshooting this harder than needed by
> editing output without saying so. Also, I asked for an NMEA output
> log.
>
> Uncomment your ldattach line in /etc/ttys
> kill -1 1
> cu -l ttyXX -s 4800
>
> (Change speed to match your device). Without log I cannot help.
>
> -Otto
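An added example, not part of the thread, in Python. The numbers in the thread are worth a second look: 1024 weeks is 619,315,200 s, about twenty minutes more than the timedelta0 reported above, and the date field 060800 (6 August 2000) that Martin points at is exactly 1024 weeks before 22 March 2020. A receiver date that is off by precisely one wrap of the 10-bit GPS week counter is the well-known week-number rollover symptom; whether that is the fault here the thread does not settle. The code below does what Otto asks for, only programmatically: it takes a $GPRMC sentence (the one that carries a date), verifies its checksum, and classifies the gap against the system clock so that this failure mode is reported distinctly from ordinary clock drift. The sentence, coordinates and clock values are constructed for the example; the real sentences were redacted by their author.

```python
"""Added example (not from the misc@ thread): interpret an nmea(4)-style
timedelta by parsing the date and time carried in a $GPRMC sentence and
comparing them with the system clock.  Sentences and clock values below are
constructed; the sentences in the thread were redacted by their author."""
from datetime import datetime, timedelta, timezone
from functools import reduce

GPS_WEEK_EPOCH = timedelta(weeks=1024)   # 619,315,200 s: the 10-bit GPS week counter wraps here
TOLERANCE = timedelta(hours=1)           # slack for ordinary clock drift when classifying


def nmea_checksum(body: str) -> str:
    """XOR of every byte between '$' and '*', rendered as two upper-case hex digits."""
    return "%02X" % reduce(lambda acc, b: acc ^ b, body.encode("ascii"), 0)


def with_checksum(body: str) -> str:
    """Build a complete sentence from its body (used here to construct sample input)."""
    return "$%s*%s" % (body, nmea_checksum(body))


def verify_checksum(sentence: str) -> bool:
    """Accept only '$body*HH' whose HH matches the body."""
    if not sentence.startswith("$") or "*" not in sentence:
        return False
    body, _, given = sentence[1:].rpartition("*")
    return given.strip().upper() == nmea_checksum(body)


def rmc_datetime(sentence: str):
    """UTC datetime carried by a $..RMC sentence, or None if it cannot be trusted.
    Field layout: $GPRMC,hhmmss.ss,status,lat,N/S,lon,E/W,sog,cog,ddmmyy,..."""
    if not verify_checksum(sentence):
        return None
    fields = sentence[1:].rpartition("*")[0].split(",")
    if len(fields) < 10 or not fields[0].endswith("RMC"):
        return None
    hhmmss, ddmmyy = fields[1], fields[9]
    if len(ddmmyy) != 6 or len(hhmmss) < 6:
        return None
    # NMEA carries only a two-digit year; strptime maps 00-68 to 2000-2068.
    stamp = datetime.strptime(ddmmyy + hhmmss[:6], "%d%m%y%H%M%S")
    return stamp.replace(tzinfo=timezone.utc)


def diagnose(sentence: str, system_now: datetime) -> dict:
    """Classify the gap between the receiver's date/time and the system clock."""
    gps_time = rmc_datetime(sentence)
    if gps_time is None:
        return {"verdict": "unparsable", "delta_seconds": None}
    delta = system_now - gps_time
    if abs(delta) <= TOLERANCE:
        verdict = "in-sync"
    elif abs(abs(delta) - GPS_WEEK_EPOCH) <= TOLERANCE:
        verdict = "gps-week-rollover"      # receiver date is one 1024-week epoch off
    else:
        verdict = "clock-mismatch"
    return {"verdict": verdict, "delta_seconds": delta.total_seconds()}


# Constructed sample: the receiver reports 19:44:58 UTC on 06-08-00 (6 Aug 2000)
# while the NTP-disciplined system clock says the same time of day on 22 March 2020.
SAMPLE_RMC = with_checksum("GPRMC,194458.00,A,0000.0000,N,00000.0000,E,0.0,0.0,060800,0.0,E,A")
SAMPLE_NOW = datetime(2020, 3, 22, 19, 44, 58, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(diagnose(SAMPLE_RMC, SAMPLE_NOW))
```

The checksum check is not decoration: a serial line with a marginal cable or a wrong speed setting produces sentences that still look plausible, and a timestamp taken from a corrupted sentence is worse than no timestamp, which is also why the raw `cu` capture Otto asks for is the right first step.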




Re: IPv4 traffic over IPv6 tunnel approach

2020-05-08 Thread Martin
Thanks for confirmation.

I hope I understand gif(4) functionality right from its configuration. Can I set 
/etc/hostname.gif0 on the client's side only, like below:

/etc/hostname.gif0
tunnel 10.20.30.40 195.203.212.221
inet6 alias 2001:05a8::0001::::8542 128
dest 2001:05a8::0001::::8541

where
tunnel 10.20.30.40 is the client's address and 195.203.212.221 is the gateway 
machine's egress IPv4;
inet6 alias is the same IPv6 address as the client's local IPv6 interface, or an 
IPv6 address in the same subnet;
dest IPv6 is the destination IPv6 interface address of the gateway machine.

Do I need to set up gif0 on the gateway machine to have encapsulation working?

Martin

‐‐‐ Original Message ‐‐‐
On Friday, May 8, 2020 1:43 PM, Kristjan Komlosi  
wrote:

> gif(4) should work fine, as it's designed to do what you described. The
> best approach depends on the level of security you want to achieve. IPIP
> tunnels aren't encrypted...
>
> regards, kristjan
>
> On 5/8/20 3:32 PM, Martin wrote:
>
> > I have IPv6 unidirectional tunnel between two machines. One of them is 
> > gateway, another one is a client.
> > The goal is to route IPv4 packets over IPv6 tunnel from client to gateway 
> > and NAT IPv4 packet to egress on gateway machine.
> > May I use gif(4) for it or what is the best approach to traverse IPv4 
> > packets over IPv6 tun?
> > Martin




'post quantum' encryption algorithm(s) in latest libressl and upcoming 6.7 to chose

2020-05-08 Thread Martin
Which 'quantum' resistant algorithms can be used right now to prevent data 
decryption in future by 'quantum' computers (when they can do this) of 
currently collected data flows?

Martin


Re: OpenBSD VPS hoster with unlimited/limited nonfiltered traffic

2020-05-08 Thread Martin
Good choice. Do they provide IP addresses from the data-center's pool where the 
VPSes are located or from an ISP range?

Martin

‐‐‐ Original Message ‐‐‐
On Friday, May 8, 2020 5:51 PM, Rich Kulawiec  wrote:

> (This is a cut-and-paste of something I sent in response to a similar
> question about FreeBSD last month.)
>
> I've been a customer of Panix (panix.com) for years and they're terrific.
> Inexpensive, flexible, responsive support, VERY high clue level, and
> proactive about patches/fixes. (There have been multiple instances
> in which they've fixed something before I knew it was a problem.
> They're fast, but deliberate: I don't think I've observed any instances
> where they had to back out a change.)
>
> They're also good about supporting pretty much whatever distribution you
> ask for: if there's customer demand/requests for it, they'll make it happen.
>
> ---rsk




Re: IPv4 traffic over IPv6 tunnel approach

2020-05-08 Thread Martin
The last thing I have to understand about gif(4) and IPv6 tunneling.

Should I set the gif(4) 'inet6 alias' to the same IPv6 as the local end of the IPv6 
tunnel interface, or just set 'inet6 alias' for gif(4) to an address in the tunnel's 
IPv6 subnet?

Martin

‐‐‐ Original Message ‐‐‐
On Friday, May 8, 2020 4:41 PM, Tom Smyth  wrote:

> Hi Martin,
> If I understand your question correctly
>
> you need 2 endpoints to the tunnel...
>
> for gif(4) or any gre(4) based tunnel
> you need the interface setup on both the client and the server (gateway)
>
> if you have a gateway serving multiple clients... then you need one
> interface per client that you intend to connect
> Thanks
> Tom Smyth
>
> On Fri, 8 May 2020 at 17:38, Martin martin...@protonmail.com wrote:
>
> > Thanks for confirmation.
> > Hope I understand gif(4) functionality right from its configuration. Can I 
> > set /etc/hostname.gif0 from client's side only like below:
> > /etc/hostname.gif0
> > tunnel 10.20.30.40 195.203.212.221
> > inet6 alias 2001:05a8::0001::::8542 128
> > dest 2001:05a8::0001::::8541
> > where
> > tunnel 10.20.30.40 is client's address, 195.203.212.221 gateway machine 
> > egress IPv4
> > inet6 alias is the same IPv6 address of client's IPv6 local interface or an 
> > IPv6 address in the same subnet.
> > dest IPv6 is a destination IPv6 interface address of gateway machine.
> > Do I need to setup gif0 on gateway machine to have encapsulation working?
> > Martin
> > ‐‐‐ Original Message ‐‐‐
> > On Friday, May 8, 2020 1:43 PM, Kristjan Komlosi kristjan.koml...@gmail.com 
> > wrote:
> >
> > > gif(4) should work fine, as it's designed to do what you described. The
> > > best approach depends on the level of security you want to achieve. IPIP
> > > tunnels aren't encrypted...
> > > regards, kristjan
> > > On 5/8/20 3:32 PM, Martin wrote:
> > >
> > > > I have IPv6 unidirectional tunnel between two machines. One of them is 
> > > > gateway, another one is a client.
> > > > The goal is to route IPv4 packets over IPv6 tunnel from client to 
> > > > gateway and NAT IPv4 packet to egress on gateway machine.
> > > > May I use gif(4) for it or what is the best approach to traverse IPv4 
> > > > packets over IPv6 tun?
> > > > Martin
>
> --
>
> Kindest regards,
> Tom Smyth.




Re: IPv4 traffic over IPv6 tunnel approach

2020-05-08 Thread Martin
I have an IPv6 point-to-point connection. I'm going to transmit IPv4 inside the IPv6 
tunnel.

client has IPv6 ::::2
gateway has IPv6 ::::1

Martin

‐‐‐ Original Message ‐‐‐
On Friday, May 8, 2020 8:55 PM, Brian Brombacher  wrote:

> From your description, you want to pass IPv4 inside a tunnel that has an 
> outer protocol of IPv6. Your resulting hostname.gif0 looks like the exact 
> opposite of your description (IPv6 inside the tunnel with IPv4 outer).
>
> Clarify what you need please. Provide your existing hostname.if files for the 
> other interfaces if you need to.
>
> > On May 8, 2020, at 3:09 PM, Martin martin...@protonmail.com wrote:
> > Last thing I have to understand about gif(4) and IPv6 tunneling.
> > Should I set gif(4) 'inet6 alias' = the same IPv6 of the local end of IPv6 
> > tunnel interface or just set 'inet6 alias' for gif(4) in tunnel's IPv6 
> > subnet?
> > Martin
> > ‐‐‐ Original Message ‐‐‐
> >
> > > > On Friday, May 8, 2020 4:41 PM, Tom Smyth tom.sm...@wirelessconnect.eu 
> > > > wrote:
> > > > Hi Martin,
> > > > If I understand your question correctly
> > > > you need 2 endpoints to the tunnel...
> > > > for gif(4) or any gre(4) based tunnel
> > > > you need the interface setup on both the client and the server (gateway)
> > > > if you have a gateway serving multiple clients... then you need one
> > > > interface per client that you intend to connect
> > > > Thanks
> > > > Tom Smyth
> > > > On Fri, 8 May 2020 at 17:38, Martin martin...@protonmail.com wrote:
> > > > Thanks for confirmation.
> > > > Hope I understand gif(4) functionality right from its configuration. 
> > > > Can I set /etc/hostname.gif0 from client's side only like below:
> > > > /etc/hostname.gif0
> > > > tunnel 10.20.30.40 195.203.212.221
> > > > inet6 alias 2001:05a8::0001::::8542 128
> > > > dest 2001:05a8::0001::::8541
> > > > where
> > > > tunnel 10.20.30.40 is client's address, 195.203.212.221 gateway machine 
> > > > egress IPv4
> > > > inet6 alias is the same IPv6 address of client's IPv6 local interface 
> > > > or an IPv6 address in the same subnet.
> > > > dest IPv6 is a destination IPv6 interface address of gateway machine.
> > > > Do I need to setup gif0 on gateway machine to have encapsulation 
> > > > working?
> > > > Martin
> > > > ‐‐‐ Original Message ‐‐‐
> > > >
> > > > > On Friday, May 8, 2020 1:43 PM, Kristjan Komlosi 
> > > > > kristjan.koml...@gmail.com wrote:
> > > > > gif(4) should work fine, as it's designed to do what you described. 
> > > > > The
> > > > > best approach depends on the level of security you want to achieve. 
> > > > > IPIP
> > > > > tunnels aren't encrypted...
> > > > > regards, kristjan
> > > > > On 5/8/20 3:32 PM, Martin wrote:
> > > > >
> > > > > > I have IPv6 unidirectional tunnel between two machines. One of them 
> > > > > > is gateway, another one is a client.
> > > > > > The goal is to route IPv4 packets over IPv6 tunnel from client to 
> > > > > > gateway and NAT IPv4 packet to egress on gateway machine.
> > > > > > May I use gif(4) for it or what is the best approach to traverse 
> > > > > > IPv4 packets over IPv6 tun?
> > > > > > Martin
> > > > > > --
> > > > > > Kindest regards,
> > > > > > Tom Smyth.
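An added example, not from the thread, in Python, showing what the packets look like on the wire once the setup Brian describes is in place: gif(4) chooses the outer protocol from the address family of its tunnel endpoints, so for IPv4 inside IPv6 the endpoints are the two IPv6 addresses (::1 and ::2 in the description above) and the addresses on the gif interface itself are the IPv4 pair, the reverse of the first hostname.gif0 listing in this thread. The encapsulation is an outer IPv6 header with Next Header 4 followed by the IPv4 packet unchanged, which is also what a `tcpdump` filter of `ip6 proto 4` on the egress interface will show. Kristjan's caveat is visible in the code: nothing is encrypted or authenticated, and the decapsulating end can only check structure. All addresses are constructed from the documentation ranges.

```python
"""Added example (not from the misc@ thread): IPv4-in-IPv6 encapsulation as a
gif(4) tunnel with IPv6 endpoints carries it, i.e. an outer IPv6 header whose
Next Header is 4 followed by the untouched IPv4 packet.  Addresses are
constructed from the documentation ranges, not the thread's."""
import ipaddress
import struct

IPPROTO_IPV4 = 4    # Next Header / protocol number for IPv4-in-IPv6 encapsulation
IPPROTO_ICMP = 1
IPV6_HDR_LEN = 40
IPV4_HDR_LEN = 20


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791); 0 for a header whose
    checksum field is already correct."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, IPV4_HDR_LEN + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def encapsulate(inner: bytes, src6: str, dst6: str, hop_limit: int = 64) -> bytes:
    """What the client end does: prepend the outer IPv6 header. Nothing in the
    inner packet is changed or protected; it travels in the clear."""
    outer = struct.pack("!IHBB16s16s", 6 << 28, len(inner), IPPROTO_IPV4, hop_limit,
                        ipaddress.IPv6Address(src6).packed, ipaddress.IPv6Address(dst6).packed)
    return outer + inner


def decapsulate(packet: bytes) -> dict:
    """What the gateway end does before the inner packet reaches the IPv4 stack
    (and pf's nat-to rule): validate the outer header, then the inner one."""
    if len(packet) < IPV6_HDR_LEN or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    _, payload_len, next_hdr, _, src6, dst6 = struct.unpack("!IHBB16s16s", packet[:IPV6_HDR_LEN])
    if next_hdr != IPPROTO_IPV4:
        raise ValueError("outer next-header %d is not IPv4-in-IPv6" % next_hdr)
    inner = packet[IPV6_HDR_LEN:IPV6_HDR_LEN + payload_len]
    if len(inner) != payload_len or len(inner) < IPV4_HDR_LEN or inner[0] >> 4 != 4:
        raise ValueError("truncated or non-IPv4 inner packet")
    if ipv4_checksum(inner[:IPV4_HDR_LEN]) != 0:
        raise ValueError("inner IPv4 header checksum mismatch")
    return {
        "outer_src": str(ipaddress.IPv6Address(src6)),
        "outer_dst": str(ipaddress.IPv6Address(dst6)),
        "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
        "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "inner_proto": inner[9],
        "payload": inner[IPV4_HDR_LEN:],
    }


if __name__ == "__main__":
    # Constructed: client 10.200.0.2 pings 192.0.2.10 through the tunnel 2001:db8::2 -> 2001:db8::1
    pkt = encapsulate(build_ipv4("10.200.0.2", "192.0.2.10", IPPROTO_ICMP, b"\x08\x00\x00\x00ping"),
                      "2001:db8::2", "2001:db8::1")
    print(decapsulate(pkt))
```

The gateway side accepts any well-formed inner packet from anyone who can reach its IPv6 endpoint, which is why a pf rule that restricts `proto ipencap` on the outer interface to the expected peer address is the usual companion to a gif tunnel, and why anything confidential should ride inside the iked(8) tunnel the other threads here set up rather than a bare gif.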




Re: 'post quantum' encryption algorithm(s) in latest libressl and upcoming 6.7 to chose

2020-05-09 Thread Martin
This one 
https://www.tomshardware.com/news/d-wave-5000-qubit-first-sale,40470.html
is the most powerful quantum computer sold nowadays, at 5000 qubits.

Moreover, D-Wave opened an online service to access the 5000-qubit machine remotely 
for solving 'special' tasks which can be accelerated using the quantum architecture.

In 2016 Google tested an encryption sub-layer in the Chrome browser to try out a 
quantum-resistant encryption algorithm.

According to current online data collecting practices, after six years it will be 
possible to decrypt most of the 'old' algorithms directly from storage with 'modern' 
quantum computers.

Martin

‐‐‐ Original Message ‐‐‐
On Saturday, May 9, 2020 5:05 AM,  wrote:

> According to Damien Miller:
>
> > this is pretty much possible now, by enabling the experimental support
> > for the XMSS PQ signature algorithm
> > in the SSH




Re: Switching layout in vmm linux guest on OpenBSD host with english layout only

2020-10-06 Thread Martin
Hi,

The Linux guest has a virtual dummy video card to emulate video hardware. The Linux 
guest also has a TightVNC server running; it starts automatically on boot. The guest 
has two layouts.

The _same_ guest *.qcow2 image is running on both the Linux host and the OpenBSD vmm 
host.

1. When I connect from the Linux host by TightVNC with only the EN layout to the 
guest, I can switch the layout and I see the symbols when typing.
2. When I connect from the OpenBSD host by ssvnc with only the EN layout present, I 
can switch the layout in the guest but no symbols are input. Any pressed key shows 
nothing, as if the keyboard were absent entirely.

Any fresh idea would help.

Martin

‐‐‐ Original Message ‐‐‐
On Friday, October 2, 2020 7:34 AM, Stuart Henderson  
wrote:

> On 2020-09-30, Martin martin...@protonmail.com wrote:
>
> > Graphical mode of vmm
>
> vmm has no graphical mode ..
>
> > and qemu
>
> and has no interaction with qemu.
>
> If you're using qemu on OpenBSD then it's emulating a cpu in software,
> not managing a VM on your real cpu.
>
> > Layout switching works fine in qemu on Debian host even the host has single 
> > english layout.
> > But layout switching doesn't work in vmm and can't be changed in any way. 
> > OpenBSD host uses single english layout as Debian host.
> > Looking any solution on how to fix it. Please suggest.
>
> Which vnc client are you using? AFAIK you want one which supports the
> extension to use raw keycodes rather than keysyms for things to work
> properly, I believe tigervnc's version of vncviewer does this.




bioctl -cC -l /dev/sd1a softraid0 for encryption two disks RAID1 mirrored

2020-10-19 Thread Martin
Hi misc,

I'd like to have two encrypted 1TB disks in RAID 1 mirror mode (no hardware 
RAID installed). Is it possible to use bioctl for that purpose, or do I need to 
use HW RAID and encrypt the mirrored disks with bioctl -cC -l /dev/sd1a softraid0 ?

Please advise.

Martin



Re: Switching layout in vmm linux guest on OpenBSD host with english layout only

2020-10-19 Thread Martin
TightVNC is marked as Attic in the ports/net/tightvnc CVS source tree. May I update 
it and return it to the tree in order to have layout switching functionality?

Martin

‐‐‐ Original Message ‐‐‐
On Thursday, October 8, 2020 9:35 AM, Stuart Henderson  
wrote:

> On 2020/10/07 23:11, Mike Larkin wrote:
>
> > On Tue, Oct 06, 2020 at 02:28:54PM +, Martin wrote:
> >
> > > Hi,
> > > Linux Guest has virtual dummy video card to emulate video hardware. Linux 
> > > Guest has TightVNC server running also. It automatically starts on boot. 
> > > Guest has two layouts.
> > > The same Guest *.qcow2 image is running on both Linux host and OpenBSD 
> > > vmm host.
> > >
> > > 1.  When I connected from Linux host by TightVNC with EN layout only to 
> > > Guest, I can switch layout and I see symbols when input.
> > > 2.  When I connected from OpenBSD host by ssvnc with only EN layout 
> > > present, I can switch layout in Guest but no symbols input. Any pressed 
> > > key shows nothing, like keyboard is absent at all.
> > >
> > > Any fresh idea can help.
> > > Martin
> >
> > Whatever your issue is, it's not with vmm(4)/vmd(8) as we don't emulate a
> > keyboard at all. So it would sorta be hard to mess up the layout on a device
> > we don't even say we have.
>
> yep.
>
> > Go talk to the TightVNC or ssvnc people, the issue is in one of those two
> > products.
>
> ssvnc is old and doesn't have the keycodes extension.
>
> I suggest trying tigervnc's version of vncviewer first which I think
> supports it, otherwise try getting tightvnc built on OpenBSD.
>
> > > ‐‐‐ Original Message ‐‐‐
> > > On Friday, October 2, 2020 7:34 AM, Stuart Henderson s...@spacehopper.org 
> > > wrote:
> > >
> > > > On 2020-09-30, Martin martin...@protonmail.com wrote:
> > > >
> > > > > Graphical mode of vmm
> > > >
> > > > vmm has no graphical mode ..
> > > >
> > > > > and qemu
> > > >
> > > > and has no interaction with qemu.
> > > > If you're using qemu on OpenBSD then it's emulating a cpu in software,
> > > > not managing a VM on your real cpu.
> > > >
> > > > > Layout switching works fine in qemu on Debian host even the host has 
> > > > > single english layout.
> > > > > But layout switching doesn't work in vmm and can't be changed in any 
> > > > > way. OpenBSD host uses single english layout as Debian host.
> > > > > Looking any solution on how to fix it. Please suggest.
> > > >
> > > > Which vnc client are you using? AFAIK you want one which supports the
> > > > extension to use raw keycodes rather than keysyms for things to work
> > > > properly, I believe tigervnc's version of vncviewer does this.




Re: smtpd returns 'TempFail' and 'No route to destination' when using localhost as source behind NAT

2020-08-19 Thread Martin
As far as I know, the sources table is needed to bind smtpd to an interface while 
sending mail, but the helonames table is for the session IP=name mapping. sources != 
helonames in my particular configuration. So it doesn't work for me.

smtpd should bind to a local interface like localhost or another interface on the 
local system, but smtpd should expose its external address in the heloname of the 
remote system from which the mail is actually sent.

Any ideas?

Martin

‐‐‐ Original Message ‐‐‐
On Saturday, August 15, 2020 2:27 PM, Kastus Shchuka  wrote:

> On Sat, Aug 15, 2020 at 07:49:28AM +0000, Martin wrote:
>
> > It is worth mentioning that smtpd works absolutely fine for outgoing/incoming 
> > mail if the local machine has a static IP address when:
> > ...
> > table sources {1.2.3.4} equivalent to
> > table helonames {1.2.3.4 = smtp.domain.tld}
> > ...
> > And yes, I have exactly the same action in /etc/mail/smtpd.conf
> > ...
> > table sources {127.0.0.1}
> > table helonames {1.2.3.4 = smtp.domain.tld}
>
> Your helonames table does not have an entry for 127.0.0.1, that is why it 
> cannot find helo string for it.




Re: smtpd returns 'TempFail' and 'No route to destination' when using localhost as source behind NAT

2020-08-15 Thread Martin
It is worth mentioning that smtpd works absolutely fine for outgoing/incoming mail 
if the local machine has a static IP address when:
...
table sources {1.2.3.4} equivalent to
table helonames {1.2.3.4 = smtp.domain.tld}
...

And yes, I have exactly the same action in /etc/mail/smtpd.conf

...
table sources {127.0.0.1}
table helonames {1.2.3.4 = smtp.domain.tld}
...
action "outbound" relay src  helo-src 
...

It looks like a bug or misconfiguration.

Martin

‐‐‐ Original Message ‐‐‐
On Thursday, August 13, 2020 1:28 PM, Kastus  wrote:

> On Thu, Aug 13, 2020 at 10:35:32AM +, Martin wrote:
>
> > OpenSMTPd 6.7.0 OpenBSD 6.7-current on local machine. All machine's traffic 
> > redirected trough iked IPsec VPN to remote gateway machine and uses PF NAT 
> > rule first:
> > match out log on enc0 from 0.0.0.0/0 to 0.0.0.0/0 nat-to 10.100.0.2
> > where 10.100.0.2 is virtual IP to NAT all local machine's traffic right 
> > into IPsec VPN tunnel.
> > Other local machine's services successfully connect to their destinations 
> > using NAT from local machine's localhost by IPsec VPN.
> > Logically, smtpd should bind on 127.0.0.1 local machine and expose its 
> > external remote gateway machine's IP in heloname as configured:
> >
> > cat /etc/mail/smtpd.conf
> >
> > =
> >
> > ...
> > table sources {127.0.0.1}
> > table helonames {1.2.3.4 = smtp.domain.tld}
> > ...
>
> You don't show how you use these tables in action definitions in your config.
>
> You need to have something like
>
> action dxxx relay src  helo-src 




Encrypted notepad software suggestions

2020-09-28 Thread Martin
Hi there!

I'm looking for some notepad with encryption of the notes/files created. Simple 
text file encryption is suitable too, to hide some info from plain text files I 
have.

Please advise.

Martin



Switching layout in vmm linux guest on OpenBSD host with english layout only

2020-09-30 Thread Martin
I'm running a headless Debian guest with two keyboard layouts. The *.qcow2 qemu 
image has been imported from a Debian host.
Graphical mode of vmm and qemu with Debian guest access using vncviewer for 
both hosts. The guest itself has vncserver to share its screen in a headless setup.

Layout switching works fine in qemu on the Debian host even though the host has a 
single English layout.

But layout switching doesn't work in vmm and can't be changed in any way. The 
OpenBSD host uses a single English layout, as does the Debian host.

Looking for any solution on how to fix it. Please suggest.

Martin



Should I download 'distfiles/by_cipher' or 'rsync --exclude by_cipher'?

2020-10-27 Thread Martin
Do I need 'distfiles/by_cipher' in mirrored repo?

Or may I exclude it ('rsync --exclude by_cipher') while mirroring the repository 
without any possible negative effects?

Martin



Re: OpenBSD 6.7-current VM on vmd collectd timesync problem

2020-08-02 Thread Martin
Does anyone hit this on 6.7-current?

Martin

‐‐‐ Original Message ‐‐‐
On Thursday, July 30, 2020 11:18 PM, Martin  wrote:

> I tried kern.timecounter.hardware=tsc, no effect.
>
> ‐‐‐ Original Message ‐‐‐
> On Thursday, July 30, 2020 10:46 PM, Brian Brombacher br...@planetunix.net 
> wrote:
>
> > Are you using: kern.timercounter.hardware=tsc ?
> > I’m on 6.7 release and no issue with collectd.
> >
> > > On Jul 30, 2020, at 4:53 PM, Martin martin...@protonmail.com wrote:
> > > I can test it on 6.7-current only, and I haven't tested collectd on 6.6 - 
> > > 6.7 -stable. TSC looks synchronized, ntpd corrects small amount of time 
> > > skew ~1s or less.
> > > VM time looks stable, but not enough for time-series measurements.
> > > Do you know any command to check TSC is "synchronized"?
> > > Martin
> > > ‐‐‐ Original Message ‐‐‐‐‐‐‐
> > >
> > > > On Thursday, July 30, 2020 8:40 PM, Chris Cappuccio ch...@nmedia.net 
> > > > wrote:
> > > > Martin [martin...@protonmail.com] wrote:
> > > >
> > > > > VM using NTP protocol to fine tune clock from the OpenBSD 6.7-current 
> > > > > host, but collectd complain about clock skew in the past.
> > > > > Any ideas?
> > > >
> > > > Does this happen with 6.6 or 6.7 as well? 6.7-current uses the TSC 
> > > > directly
> > > > to gather timestamps, but it should only do this if the TSC are 
> > > > "synchronized".




smtpd returns 'TempFail' and 'No route to destination' when using localhost as source behind NAT

2020-08-13 Thread Martin
OpenSMTPd 6.7.0 on OpenBSD 6.7-current on the local machine. All the machine's 
traffic is redirected through an iked IPsec VPN to a remote gateway machine and 
uses this PF NAT rule first:

match out log on enc0 from 0.0.0.0/0 to 0.0.0.0/0 nat-to 10.100.0.2

where 10.100.0.2 is the virtual IP used to NAT all the local machine's traffic 
right into the IPsec VPN tunnel.

Other local machine's services successfully connect to their destinations using 
NAT from the local machine's localhost via the IPsec VPN.

Logically, smtpd should bind on 127.0.0.1 on the local machine and expose its 
external remote gateway machine's IP in the heloname as configured:

# cat /etc/mail/smtpd.conf
...
table sources {127.0.0.1}
table helonames {1.2.3.4 = smtp.domain.tld}
...

But any attempt to send mail returns the errors shown below and, as a result, no 
messages are sent to their destinations.

smtpd [95677]: smtp-out: Error on 127.0.0.1 <-> 199.185.178.25 
(mail.openbsd.org): Failed to retrieve helo string
smtpd [95677]: smtp-out: Disabling route 127.0.0.1 <-> 199.185.178.25 
(mail.openbsd.org) for 15s
smtpd [95677]:  mta delivery evpid=9f2a1cf3a8e83deb 
from= to= rcpt=<-> source"-" 
relay="openbsd.org" delay=6m42s result="TempFail" stat="No valid route to 
destionatin"
smtpd [95677]: smtp-out: Enabling route 127.0.0.1 <-> 199.185.178.25 
(mail.openbsd.org)

Telnet connects from local machine to 199.185.178.25 successfully.

# telnet 199.185.178.25 25
Trying 199.185.178.25...
Connected to 199.185.178.25
Escape character is '^]'.
220 mail.openbsd.org ESMTP mail.openbsd.org; Thu Aug 13 04:26:10 2020


Please advise what I did wrong in configuring smtpd?
Can smtpd send messages in any way while it stays behind IPsec VPN NAT?

Martin







Re: Alpine-virt vmd guest tsc directive

2020-06-29 Thread Martin
Dave,

After building the kernel+vmd+vmctl sources from -current I have an issue with 
installing a system from *.iso images.
The command below worked fine before the update, but not now:

$ doas vmctl start -m 1G -c -n vmlan -b /home/iso/install67.iso -d 
/home/vmm/guest.qcow2 guest

Martin

‐‐‐ Original Message ‐‐‐
On Monday, June 29, 2020 3:14 PM, Dave Voutila  wrote:

> On Mon, Jun 29, 2020 at 10:57 AM Martin martin...@protonmail.com wrote:
>
> > Hi Dave,
> > Alpine kernel 5.4.43-1-virt guest openbsd 6.7 stable host. Try to compile 
> > vmd from -current to improve linux guests stability.
>
> Are you also running a -current kernel? vmm(4) is in the OpenBSD
> kernel...vmd(8) is in base.
>
> > set clocksource=tsc in /etc/update-extlinux.conf
> > run update-extlinux to install boot loader.
> > Next boot getting this in dmesg:
> > ...
> > [Frimware Bug]: TSC doesn't count with P0 frequency!
> > tsc: Fast TSC calibration failed
> > tsc: Unable to calibrate against PIT
> > tsc: No referece (HPET/PMTIMER) available
> > tsc: Marking TSC unstable due to could not calculate TSC khz
> > ...
>
> Honestly, chasing Linux tsc issues will waste your time. If you're
> using a -current snapshot, build https://github.com/voutilad/vmm_clock
> and load it as a Linux kernel module and give up chasing tsc
> calibration issues for now unless you want to get intimately familiar
> with the Linux kernel.
>
> > Dave, I've never asked about qcow2 or raw disks in any of my previous email.
>
> Apologies...saw another Martin (mar...@sukany.cz) reply to the same
> subject and thought you were the same Martin :-)
>
> -Dave




Re: Alpine-virt vmd guest tsc directive

2020-06-29 Thread Martin
Setting up Debian as a vmm guest is not a trivial procedure and requires a Debian 
Linux host with KVM installed first, to install your guest with a screen connected.

Once you have your host ready with KVM, run a command to set the iso up:

qemu-img create -f qcow2 linux.qcow2 128G

kvm -enable-kvm -vnc 127.0.0.1:0 -k en-us -monitor pty -m 2048 -net nic -net 
user -soundhw all -cdrom debian-linux.iso -boot -d -name linux -hda linux.qcow2

Install it and run the machine with a VNC connection:

kvm -enable-kvm -vnc 127.0.0.1:0 -k en-us -nographic -monitor pty -m 2048 -net 
nic -net user -soundhw all -boot -d -name linux -hda linux.qcow

Once you do it please mail me back, I'll share the next steps somewhere.

Martin

‐‐‐ Original Message ‐‐‐
On Monday, June 29, 2020 7:53 PM, George  wrote:

> On 2020-06-29 12:54 p.m., Martin wrote:
>
> > George, thanks for your feedback!
> > I'd prefer OpenBSD in 99% of situations, but now I need to roll out Docker. 
> > Docker = linux. So I have to solve all the major issues, especially with 
> > clock, and run it for a project using OpenBSD host of course.
>
> Work is an imposed 'choice' ;) and yes that is where virtualization
> shines a little light in the tunnel.
>
> > I set vmd Debian desktop guest a year ago with 5.2.x kernel which boots 
> > headless on vmd. Virtual framebuffer used for VNC connection from the same 
> > OpenBSD host by vnc viewer. Works perfectly, except clock...
>
> I would be interested in any instructions you might have on setting that up.
>
> > Currently, rebuilt kernel and vmd from -current. Going to make 5.4.x 
> > related vmm_clock module for minimalist Alpine-virt Linux guest. I'll 
> > report about results once done.
>
> That would be great.
>
> Thanks.
>
> > Martin
> > ‐‐‐ Original Message ‐‐‐
> > On Monday, June 29, 2020 4:21 PM, George g.lis...@nodeunit.com wrote:
> >
> > > On 2020-06-29 8:51 a.m., Martin Sukany wrote:
> > >
> > > > Hi George,
> > > > did you solve the issue? I remember that I faced a similar thing when I 
> > > > installed headless ubuntu as a guest … My issue was related to the fact 
> > > > that I used ‚boot cdrom‘ directive inside my configuration (seems that 
> > > > there is a bit inconsistency between the man page and the real 
> > > > configuration).
> > > > This is a relevant piece of my config:
> > > > vm "ubuntu" {
> > > > memory 2G
> > > > cdrom /data/vms/_iso/mini-serial.iso
> > > > disk /data/vms/ubuntu.raw
> > > > interface tap { switch "uplink" }
> > > > disable
> > > > }
> > > > I had bad experience with usage of qcow2 disk format for Linux based 
> > > > guests — especially when you’re trying to do dozens of I/O operations — 
> > > > several disk containers crashed before I migrated them to raw format.
> > > > if you have more than 4 vms, don’t forget to create another /dev/tap 
> > > > device, otherwise you could expect the unexpectable behaviour :)
> > > > M>
> > > > Hello Martin,
> > >
> > > Thanks for the pointers. I abandoned my Linux efforts, too many issues
> > > and things to learn no time now. My goals could be satisfied by an
> > > OpenBSD VM and it is much better than most Linuxes ;). I have been
> > > swimming against the current (read using things/software/apis/os/tools
> > > etc. when people said it is not what is supposed to be done) but as of
> > > late I find it more relaxing going with it ;).
> > > Virtualization is such a ... mess which like everything else in our
> > > lives nowadays is designed to cover another mess ... I want to run Linux
> > > software on OpenBSD because I don't want to dedicate a machine to Linux
> > > and want to upgrade or run the version I want until I want ... I should
> > > be free to make that choice because of "I", sarcastic here, problem is
> > > CPU vendors and OS developers have to jump some hoops and add some
> > > features to make it happen ... and then things happen that the I does
> > > not like.
> > > Thanks for adding this info albeit to the wrong thread, I read it
> > > because I like Alpine and was thinking of it myself, but they don't have
> > > a ready console install version do they?
> > > Cheers,
> > > George
> > >
> > > > > > Hi guys,
> > > > > > I apologize if this maybe out of topic even though it is truly 
> > > > > > related
> > > > > > to VMM than Debian.
>

Re: Alpine-virt vmd guest tsc directive

2020-06-29 Thread Martin
About a year ago I set up Debian the difficult way from the official distribution, 
without modifying the official iso and with preconfigured console output.

As Mike wrote, it is significantly better to find an iso with the virtio driver.

Martin

‐‐‐ Original Message ‐‐‐
On Monday, June 29, 2020 9:53 PM, Mike Larkin  wrote:

> On Mon, Jun 29, 2020 at 08:25:19PM +0000, Martin wrote:
>
> > Setting up Debian as vmm guest is not a trivial procedure and require 
> > Debian Linux host with KVM installed first to install your guest with 
> > screen connected.
>
> Why do you believe this? Setting up debian in vmm is not any harder than 
> setting
> up any other distribution. You just need to make sure to use their install iso
> that includes virtio. I think I used the minimal install iso (can't recall the
> name, might have even been the netinst one).
>
> > Once you have your host ready with KVM run a command to set iso up:
> > qemu-img create -f qcow2 linux.qcow2 128G
> > kvm -enable-kvm -vnc 127.0.0.1:0 -k en-us -monitor pty -m 2048 -net nic 
> > -net user -soundhw all -cdrom debian-linux.iso -boot -d -name linux -hda 
> > linux.qcow2
> > Install it and run the machine with VNC connection
> > kvm -enable-kvm -vnc 127.0.0.1:0 -k en-us -nographic -monitor pty -m 2048 
> > -net nic -net user -soundhw all -boot -d -name linux -hda linux.qcow
>
> You don't need to do any of this.
>
> -ml
>
> > Once you do it please mail me back, I'll share the next steps somewhere.
> > Martin
> > ‐‐‐ Original Message ‐‐‐
> > On Monday, June 29, 2020 7:53 PM, George g.lis...@nodeunit.com wrote:
> >
> > > On 2020-06-29 12:54 p.m., Martin wrote:
> > >
> > > > George, thanks for your feedback!
> > > > I'd prefer OpenBSD in 99% of situations, but now I need to roll out 
> > > > Docker. Docker = linux. So I have to solve all the major issues, 
> > > > especially with clock, and run it for a project using OpenBSD host of 
> > > > course.
> > >
> > > Work is an imposed 'choice' ;) and yes that is where virtualization
> > > shines a little light in the tunnel.
> > >
> > > > I set vmd Debian desktop guest a year ago with 5.2.x kernel which boots 
> > > > headless on vmd. Virtual framebuffer used for VNC connection from the 
> > > > same OpenBSD host by vnc viewer. Works perfectly, except clock...
> > >
> > > I would be interested in any instructions you might have on setting that 
> > > up.
> > >
> > > > Currently, rebuilt kernel and vmd from -current. Going to make 5.4.x 
> > > > related vmm_clock module for minimalist Alpine-virt Linux guest. I'll 
> > > > report about results once done.
> > >
> > > That would be great.
> > > Thanks.
> > >
> > > > Martin
> > > > ‐‐‐ Original Message ‐‐‐
> > > > On Monday, June 29, 2020 4:21 PM, George g.lis...@nodeunit.com wrote:
> > > >
> > > > > On 2020-06-29 8:51 a.m., Martin Sukany wrote:
> > > > >
> > > > > > Hi George,
> > > > > > did you solve the issue? I remember that I faced a similar thing 
> > > > > > when I installed headless ubuntu as a guest … My issue was related 
> > > > > > to the fact that I used ‚boot cdrom‘ directive inside my 
> > > > > > configuration (seems that there is a bit inconsistency between the 
> > > > > > man page and the real configuration).
> > > > > > This is a relevant piece of my config:
> > > > > > vm "ubuntu" {
> > > > > > memory 2G
> > > > > > cdrom /data/vms/_iso/mini-serial.iso
> > > > > > disk /data/vms/ubuntu.raw
> > > > > > interface tap { switch "uplink" }
> > > > > > disable
> > > > > > }
> > > > > > I had bad experience with usage of qcow2 disk format for Linux 
> > > > > > based guests — especially when you’re trying to do dozens of I/O 
> > > > > > operations — several disk containers crashed before I migrated them 
> > > > > > to raw format.
> > > > > > if you have more than 4 vms, don’t forget to create another 
> > > > > > /dev/tap device, otherwise you could expect the unexpectable 
> > > > > > behaviour :)
> > > > > > M>
> > > > > > Hello Martin,
> > > > >
> > > > > Thanks for the pointers. I abandoned my Linux efforts,

Re: Alpine-virt vmd guest tsc directive

2020-06-29 Thread Martin
According to man vmctl for both -current and 6.7, -b should be used for base 
images. -b worked just before the kernel+vmm+vmctl -current update.

Please check https://man.openbsd.org/vmctl.8

Can it be a bug?

Martin

‐‐‐ Original Message ‐‐‐
On Monday, June 29, 2020 8:28 PM, Dave Voutila  wrote:

> On Mon, Jun 29, 2020 at 4:05 PM Martin martin...@protonmail.com wrote:
>
> > After build kernel+vmd+vmctl sources from -current I have an issue with 
> > installing a system from *.iso images.
> > The command below works fine before update, but not now
> > $ doas vmctl start -m 1G -c -n vmlan -b /home/iso/install67.iso -d 
> > /home/vmm/guest.qcow2 guest
>
> I don't believe that syntax was ever correct for vmctl(8). Check your use of 
> -b.




Re: Alpine-virt vmd guest tsc directive

2020-06-29 Thread Martin
Thanks, found mistake. Works like a charm!

‐‐‐ Original Message ‐‐‐
On Monday, June 29, 2020 8:51 PM, Dave Voutila  wrote:

> On Mon, Jun 29, 2020 at 4:46 PM Martin martin...@protonmail.com wrote:
>
> > According to man vmctl for both: -current and 6.7 -b should be used for 
> > base images. -b works just before kernel+vmm+vmctl -current update.
>
> Re-read it. You're mixing the `vmctl start` and `vmctl create`
> commands. They reuse options but the -b options have nothing to do
> with each other and even with `vmctl start` it's a flag for a kernel
> or custom bios...not an iso.
>
> > Please check https://man.openbsd.org/vmctl.8
> > Can it be a bug?
>
> No.
>
> -Dave




Re: Alpine-virt vmd guest tsc directive

2020-06-29 Thread Martin
Dave,

Alpine 3.12 works excellent with your kernel drivers. Absolutely amazing!

I've just built all of them and saved a ton of time without experimenting with 
tsc kernel options.

virtio_vmmci
virtio_pci_obsd
vmm_clock

I followed all of your recommendations except adding tsc options to 
/etc/update-extlinux.conf
tsc=reliable
tsc=noirqtime

From first view the clock works excellent without any tsc kernel options.
The 'vmctl stop linux' command shuts it down gracefully!

Thanks for your work. Great job!

Martin


‐‐‐ Original Message ‐‐‐
On Monday, June 29, 2020 8:51 PM, Dave Voutila  wrote:

> On Mon, Jun 29, 2020 at 4:46 PM Martin martin...@protonmail.com wrote:
>
> > According to man vmctl for both: -current and 6.7 -b should be used for 
> > base images. -b works just before kernel+vmm+vmctl -current update.
>
> Re-read it. You're mixing the `vmctl start` and `vmctl create`
> commands. They reuse options but the -b options have nothing to do
> with each other and even with `vmctl start` it's a flag for a kernel
> or custom bios...not an iso.
>
> > Please check https://man.openbsd.org/vmctl.8
> > Can it be a bug?
>
> No.
>
> -Dave




Cleaning system's old libraries/files after update to next -release or -current

2020-07-14 Thread Martin
After a system update I found lots of 'old' library versions and possibly 
binaries from previous releases.

Does anybody know an automated method to remove them after an update? For 
instance the previous libs before an update to -current.

Martin


Re: Alpine-virt vmd guest tsc directive

2020-06-29 Thread Martin
George, thanks for your feedback!

I'd prefer OpenBSD in 99% of situations, but now I need to roll out Docker. 
Docker = linux. So I have to solve all the major issues, especially with the 
clock, and run it for a project using an OpenBSD host of course.

I set up a vmd Debian desktop guest a year ago with a 5.2.x kernel which boots 
headless on vmd. A virtual framebuffer is used for the VNC connection from the 
same OpenBSD host by vnc viewer. Works perfectly, except the clock...


Currently, I have rebuilt the kernel and vmd from -current. Going to make a 5.4.x 
related vmm_clock module for the minimalist Alpine-virt Linux guest. I'll report 
the results once done.

Martin

‐‐‐ Original Message ‐‐‐
On Monday, June 29, 2020 4:21 PM, George  wrote:

> On 2020-06-29 8:51 a.m., Martin Sukany wrote:
>
> > Hi George,
> > did you solve the issue? I remember that I faced a similar thing when I 
> > installed headless ubuntu as a guest … My issue was related to the fact 
> > that I used ‚boot cdrom‘ directive inside my configuration (seems that 
> > there is a bit inconsistency between the man page and the real 
> > configuration).
> > This is a relevant piece of my config:
> > vm "ubuntu" {
> > memory 2G
> > cdrom /data/vms/_iso/mini-serial.iso
> > disk /data/vms/ubuntu.raw
> > interface tap { switch "uplink" }
> > disable
> > }
> > I had bad experience with usage of qcow2 disk format for Linux based guests 
> > — especially when you’re trying to do dozens of I/O operations — several 
> > disk containers crashed before I migrated them to raw format.
> > if you have more than 4 vms, don’t forget to create another /dev/tap 
> > device, otherwise you could expect the unexpectable behaviour :)
> > M>
>
> Hello Martin,
>
> Thanks for the pointers. I abandoned my Linux efforts, too many issues
> and things to learn no time now. My goals could be satisfied by an
> OpenBSD VM and it is much better than most Linuxes ;). I have been
> swimming against the current (read using things/software/apis/os/tools
> etc. when people said it is not what is supposed to be done) but as of
> late I find it more relaxing going with it ;).
>
> Virtualization is such a ... mess which like everything else in our
> lives nowadays is designed to cover another mess ... I want to run Linux
> software on OpenBSD because I don't want to dedicate a machine to Linux
> and want to upgrade or run the version I want until I want ... I should
> be free to make that choice because of "I", sarcastic here, problem is
> CPU vendors and OS developers have to jump some hoops and add some
> features to make it happen ... and then things happen that the I does
> not like.
>
> Thanks for adding this info albeit to the wrong thread, I read it
> because I like Alpine and was thinking of it myself, but they don't have
> a ready console install version do they?
>
> Cheers,
>
> George
>
> > > > Hi guys,
> > > > I apologize if this maybe out of topic even though it is truly related
> > > > to VMM than Debian.
> > > > I am trying to setup a VMM Debian based guest but I'm not able to get it
> > > > to work. I found some description on the web about which settings to
> > > > edit in grub.cfg to enable the serial console and created a VM with 10.3
> > > > in qcow2 disk format in KVM. Now I am trying to start the same on
> > > > OpenBSD 6.7 but keep getting the connected message and then just
> > > > "Rebooting " after I hit some keyboard keys seems like baud rate issue
> > > > but not sure.
> > > > After messing with it for a while now I am getting a new error:
> > > > vmctl: could not open disk image(s)
> > > > even though the disk is there and readable to the user I have setup in
> > > > vm.conf in fact I have another VM with the same configuration and disk
> > > > with the same permissions and in the same location that works (it is
> > > > OpenBSD based).
> > > > I would greatly appreciate it if someone has gone this path and can
> > > > share some config info with me.
> > > > Cheers and thanks in advance,
> > > > George




Re: Alpine-virt vmd guest tsc directive

2020-06-29 Thread Martin
Alpine has a minimalist console-ready install on a ~40Mb *.iso initially if you 
choose the -virt release. It can be installed out of the box for a headless 
environment. With some additional env. binaries and configs + docker it grew to 
780Mb in the *.qcow2 image. I suppose it will be a bit higher after the additional 
kernel module build...

Martin

‐‐‐ Original Message ‐‐‐
On Monday, June 29, 2020 4:21 PM, George  wrote:

> On 2020-06-29 8:51 a.m., Martin Sukany wrote:
>
> > Hi George,
> > did you solve the issue? I remember that I faced a similar thing when I 
> > installed headless ubuntu as a guest … My issue was related to the fact 
> > that I used ‚boot cdrom‘ directive inside my configuration (seems that 
> > there is a bit inconsistency between the man page and the real 
> > configuration).
> > This is a relevant piece of my config:
> > vm "ubuntu" {
> > memory 2G
> > cdrom /data/vms/_iso/mini-serial.iso
> > disk /data/vms/ubuntu.raw
> > interface tap { switch "uplink" }
> > disable
> > }
> > I had bad experience with usage of qcow2 disk format for Linux based guests 
> > — especially when you’re trying to do dozens of I/O operations — several 
> > disk containers crashed before I migrated them to raw format.
> > if you have more than 4 vms, don’t forget to create another /dev/tap 
> > device, otherwise you could expect the unexpectable behaviour :)
> > M>
>
> Hello Martin,
>
> Thanks for the pointers. I abandoned my Linux efforts, too many issues
> and things to learn no time now. My goals could be satisfied by an
> OpenBSD VM and it is much better than most Linuxes ;). I have been
> swimming against the current (read using things/software/apis/os/tools
> etc. when people said it is not what is supposed to be done) but as of
> late I find it more relaxing going with it ;).
>
> Virtualization is such a ... mess which like everything else in our
> lives nowadays is designed to cover another mess ... I want to run Linux
> software on OpenBSD because I don't want to dedicate a machine to Linux
> and want to upgrade or run the version I want until I want ... I should
> be free to make that choice because of "I", sarcastic here, problem is
> CPU vendors and OS developers have to jump some hoops and add some
> features to make it happen ... and then things happen that the I does
> not like.
>
> Thanks for adding this info albeit to the wrong thread, I read it
> because I like Alpine and was thinking of it myself, but they don't have
> a ready console install version do they?
>
> Cheers,
>
> George
>
> > > > Hi guys,
> > > > I apologize if this maybe out of topic even though it is truly related
> > > > to VMM than Debian.
> > > > I am trying to setup a VMM Debian based guest but I'm not able to get it
> > > > to work. I found some description on the web about which settings to
> > > > edit in grub.cfg to enable the serial console and created a VM with 10.3
> > > > in qcow2 disk format in KVM. Now I am trying to start the same on
> > > > OpenBSD 6.7 but keep getting the connected message and then just
> > > > "Rebooting " after I hit some keyboard keys seems like baud rate issue
> > > > but not sure.
> > > > After messing with it for a while now I am getting a new error:
> > > > vmctl: could not open disk image(s)
> > > > even though the disk is there and readable to the user I have setup in
> > > > vm.conf in fact I have another VM with the same configuration and disk
> > > > with the same permissions and in the same location that works (it is
> > > > OpenBSD based).
> > > > I would greatly appreciate it if someone has gone this path and can
> > > > share some config info with me.
> > > > Cheers and thanks in advance,
> > > > George




Alpine-virt vmd guest tsc directive

2020-06-29 Thread Martin
Hi list,

I'm using Alpine-virt linux (headless linux with a 40Mb initial *.iso size) which 
has tsc issues. Alpine uses the syslinux lightweight boot loader by default. In 
order to enable tsc I've added tsc=reliable tsc=noirqtime to 
/etc/update-extlinux.conf before console=ttyS0,115200 and updated it 
accordingly.

It seems there are no changes in tsc usage prior to /dev/rtc0, as the boot log shows:
...
* Setting system clock using the hardware clock [UTC] ...hwclock: select() to 
/dev/rtc0 to wait for clock tick timed out
* Failed to set the system clock
...

Does somebody know a way to set tsc as the default clock source in an Alpine 
5.4.43-1-virt guest?

Martin


‐‐‐ Original Message ‐‐‐
On Wednesday, June 10, 2020 6:36 PM, George  wrote:

> Hi guys,
>
> I apologize if this maybe out of topic even though it is truly related
> to VMM than Debian.
>
> I am trying to setup a VMM Debian based guest but I'm not able to get it
> to work. I found some description on the web about which settings to
> edit in grub.cfg to enable the serial console and created a VM with 10.3
> in qcow2 disk format in KVM. Now I am trying to start the same on
> OpenBSD 6.7 but keep getting the connected message and then just
> "Rebooting " after I hit some keyboard keys seems like baud rate issue
> but not sure.
>
> After messing with it for a while now I am getting a new error:
>
> vmctl: could not open disk image(s)
>
> even though the disk is there and readable to the user I have setup in
> vm.conf in fact I have another VM with the same configuration and disk
> with the same permissions and in the same location that works (it is
> OpenBSD based).
>
> I would greatly appreciate it if someone has gone this path and can
> share some config info with me.
>
> Cheers and thanks in advance,
>
> George




Re: Alpine-virt vmd guest tsc directive

2020-06-29 Thread Martin
Hi Dave,

Alpine kernel 5.4.43-1-virt guest, openbsd 6.7 stable host. Trying to compile vmd 
from -current to improve linux guest stability.

set clocksource=tsc in /etc/update-extlinux.conf
run update-extlinux to install the boot loader.

Next boot I get this in dmesg:

...
[Frimware Bug]: TSC doesn't count with P0 frequency!
tsc: Fast TSC calibration failed
tsc: Unable to calibrate against PIT
tsc: No referece (HPET/PMTIMER) available
tsc: Marking TSC unstable due to could not calculate TSC khz
...

Dave, I've never asked about qcow2 or raw disks in any of my previous email.

Martin


‐‐‐ Original Message ‐‐‐
On Monday, June 29, 2020 2:11 PM, Dave Voutila  wrote:

> On Mon, Jun 29, 2020 at 7:23 AM Martin martin...@protonmail.com wrote:
>
> > Hi list,
> > I'm using Alpine-virt linux (headless linux with 40Mb initial *.iso size) 
> > which has tsc issues. Alpine uses syslinux lightweight boot loader by 
> > default. In order to enable tsc I've added tsc=reliable tsc=noirqtime to 
> > /etc/update-extlinux.conf before console=ttyS0,115200 and updated it 
> > accordingly.
>
> You don't mention which Alpine and kernel version you're using. Also,
> you don't mention which OpenBSD version...-current or 6.7? Some major
> fixes just went into -current and look like they were in last night's
> amd64 snapshots.
>
> > It seems no changes in tsc usage prior to /dev/rtc0 as boot log shows:
> > ...
> >
> > -   Setting system clock using the hardware clock [UTC] ...hwclock: 
> > select() to /dev/rtc0 to wait for clock tick timed out
> > -   Failed to set the system clock
>
> /dev/rtc0 has nothing to do with the tsc or clocksource. This looks
> like a separate issue and your guest isn't properly using the emulated
> mc146818 device. I'm guessing there are bigger issues here.
>
> > ...
> > Does somebody know some way how set tsc as default clock source in Alpine 
> > 5.4.43-1-virt guest?
>
> Add the linux boot arg: clocksource=tsc
>
> But in all honesty, if you want better Linux guest stability, you'll
> need to use a -current snapshot.
>
> Regarding your comment about disks in your other email...what you saw
> with qcow2 vs raw probably has nothing to do with the emulated disks
> and everything to do with the stability improvements now in -current.
>
> -Dave




OpenSMTPd can't send mail behind IKEv2 NAT

2020-06-22 Thread Martin
I have a working smtp server on OBSD 6.6 which did its job successfully using the 
egress server's IP before the IPsec iked tunnel was implemented.

/etc/mail/smtpd.conf
...
# smtpd bound on server's egress interface (early setup with clearnet IP config 
without IPsec)
table sources {1.2.3.4}
table helonames {1.2.3.4 = smtp.domain.tld}
...

Now all the server's traffic goes through the IKEv2 gateway with NAT, and smtpd 
runs on the same server, but now behind IPsec NAT.

The goal is that smtpd should send/receive mail through the IPsec tunnel. smtpd 
receives mail successfully but can't send mail through the IPsec tunnel.

Once mail is sent by the mail agent, mailq reports "No valid route to destination". 
I tried to bind smtpd to localhost and to the IPsec server's local NAT interface in 
smtpd.conf, but unsuccessfully:
...
table sources {127.0.0.1}
table helonames {4.3.2.1 = smtp.another-domain.tld}
...

I suppose smtpd uses the system default routing table for delivering mail, instead 
of using the IPsec gateway, and binding smtpd to localhost or the IPsec NAT 
interface can't solve the problem.

Any suggestions on what could be missing or misconfigured?

Martin
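As an added example (not from these threads or from the OpenSMTPD project): a small Python checker for the mismatch Kastus diagnosed in the August thread above, and which this June post shows as well. Every address in the `src` table of a relay action needs a matching key in its `helo-src` table, because the helo name is looked up by the source address; otherwise smtpd logs "Failed to retrieve helo string" and disables the route. The table contents mirror the threads; the `action "outbound" relay src <sources> helo-src <helonames>` line and the corrected entry `127.0.0.1 = smtp.domain.tld` are assumptions of this example.

```python
"""Cross-check the src / helo-src tables of smtpd.conf relay actions.

Added example, not OpenSMTPD code: for each 'action NAME relay ... src <A>
helo-src <B>' line, every address listed in table A needs an
'address = heloname' entry in table B.
"""
import re
from typing import Dict, List, Tuple

# 'table name { entries }' on a single line, as in the thread's snippets.
TABLE_RE = re.compile(r"^\s*table\s+(\S+)\s*\{(.*)\}\s*$")
# 'action NAME relay ...' lines; the rest of the line carries the options.
ACTION_RE = re.compile(r'^\s*action\s+("[^"]*"|\S+)\s+relay\b(.*)$')
# Table references of the form src <name> / helo-src <name>.
REF_RE = re.compile(r"\b(helo-src|src)\s+<([^>]+)>")


def parse_tables(conf: str) -> Tuple[Dict[str, List[str]], Dict[str, Dict[str, str]]]:
    """Return (list tables, mapping tables) found in the config text."""
    lists: Dict[str, List[str]] = {}
    maps: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = TABLE_RE.match(line)
        if not m:
            continue
        name, body = m.group(1), m.group(2)
        entries = [e.strip() for e in body.split(",") if e.strip()]
        if any("=" in e for e in entries):
            mapping: Dict[str, str] = {}
            for e in entries:
                key, _, value = e.partition("=")
                mapping[key.strip()] = value.strip()
            maps[name] = mapping
        else:
            lists[name] = entries
    return lists, maps


def parse_relay_actions(conf: str) -> Dict[str, Dict[str, str]]:
    """Map each relay action name to its {'src': table, 'helo-src': table} refs."""
    actions: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = ACTION_RE.match(line)
        if not m:
            continue
        actions[m.group(1).strip('"')] = dict(REF_RE.findall(m.group(2)))
    return actions


def unmapped_sources(conf: str) -> Dict[str, List[str]]:
    """Return {action: [source addresses with no helo-src entry]}."""
    lists, maps = parse_tables(conf)
    problems: Dict[str, List[str]] = {}
    for action, refs in parse_relay_actions(conf).items():
        if "src" not in refs or "helo-src" not in refs:
            continue  # nothing to cross-check for this action
        helos = maps.get(refs["helo-src"], {})
        missing = [s for s in lists.get(refs["src"], []) if s not in helos]
        if missing:
            problems[action] = missing
    return problems


# Constructed config fragments mirroring the thread (the addresses are the
# thread's placeholders; the action line is an assumption of this example).
BROKEN_CONF = """\
table sources {127.0.0.1}
table helonames {1.2.3.4 = smtp.domain.tld}
action "outbound" relay src <sources> helo-src <helonames>
"""

# Keyed by the address smtpd actually binds to, as Kastus pointed out.
FIXED_CONF = """\
table sources {127.0.0.1}
table helonames {127.0.0.1 = smtp.domain.tld}
action "outbound" relay src <sources> helo-src <helonames>
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, unmapped_sources(conf) or "ok")
```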


Re: Fixed IP address for vmd dedicated VMs from dhcpd every boot/reboot

2020-07-25 Thread Martin
Thanks guys, this helps!

Martin

‐‐‐ Original Message ‐‐‐
On Saturday, July 25, 2020 8:41 AM, Kapetanakis Giannis 
 wrote:

> On 25/07/2020 11:28, Martin wrote:
>
> > Hi,
> > Sometimes dedicated VMs need a fixed (the same) IP address assigned by dhcpd 
> > every run. I don't know how to achieve this with dhcpd configuration. On every VM 
> > reboot it gets a different IP. OpenBSD guests change their IPs even without a 
> > reboot, right at runtime.
> > For instance I need dhcpd to assign these IP addresses to the dedicated VMs 
> > every run:
> > OpenBSD obsd0.qcow2 10.0.1.12
> > OpenBSD obsd1.qcow2 10.0.1.13
> > OpenBSD obsd2.qcow2 10.0.1.14
> > Linux lin0.qcow2 10.0.1.22
> > Linux lin1.qcow2 10.0.1.23
> > It looks like the MAC of the guests changes every boot, so dhcpd assigns a 
> > different IP address from the pool every boot/reboot.
> > Please advise any way to fix it.
> > Thank you in advance for your answer.
> > Martin
>
> Not familiar at all with VMM but vm.conf(5) says:
>
> [locked] lladdr [etheraddr]
> Change the link layer address (MAC address) of the
> interface on the VM guest side. If not specified, a
> randomized address will be assigned by vmd(8). If the
> locked keyword is specified, vmd(8) will drop packets
> from the VM with altered source addresses.
>
> dhcpd.conf(5) also has examples on how to assign same IP per host MAC
>
> G
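A check for the lladdr/dhcpd pairing discussed above, as an added example that is not part of the thread: both config files are constructed samples and the vm_mac_report function is hypothetical; it reports which VMs have a fixed (and locked) MAC in vm.conf and which of those MACs dhcpd.conf actually pins to an address.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check vm.conf lladdr entries
# against dhcpd.conf host entries. A guest with no "lladdr" gets a random
# MAC from vmd(8) every boot, so dhcpd cannot pin its address; "locked"
# also makes vmd drop frames with an altered source MAC. Both files are
# constructed samples.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/vm.conf" <<'EOF'
vm "obsd0" {
    interface { switch "local" locked lladdr fe:e1:ba:d0:00:12 }
}
vm "lin0" {
    interface { switch "local" lladdr fe:e1:ba:d0:00:22 }
}
vm "obsd9" {
    interface { switch "local" }
}
EOF
cat > "$tmp/dhcpd.conf" <<'EOF'
subnet 10.0.1.0 netmask 255.255.255.0 {
    range 10.0.1.100 10.0.1.200;
    host obsd0 {
        hardware ethernet fe:e1:ba:d0:00:12;
        fixed-address 10.0.1.12;
    }
}
EOF
# Usage: vm_mac_report vm.conf dhcpd.conf
# One line per VM: name, MAC mode (locked/unlocked/random), MAC or "-",
# and "pinned" if dhcpd.conf has a host entry for that MAC.
vm_mac_report() {
    awk '
    FNR == NR {                                   # first file: dhcpd.conf
        if ($1 == "hardware" && $2 == "ethernet") {
            sub(/;$/, "", $3); pinned[tolower($3)] = 1
        }
        next
    }
    $1 == "vm" { name = $2; gsub(/"/, "", name); mode = "random"; mac = "-" }
    /lladdr/ {
        for (i = 1; i < NF; i++) if ($i == "lladdr") mac = tolower($(i + 1))
        mode = ($0 ~ /locked lladdr/) ? "locked" : "unlocked"
    }
    /^}/ && name != "" {
        print name, mode, mac, ((mac in pinned) ? "pinned" : "unpinned")
    }
    ' "$2" "$1"
}
vm_mac_report "$tmp/vm.conf" "$tmp/dhcpd.conf"
```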




Fixed IP address for vmd dedicated VMs from dhcpd every boot/reboot

2020-07-25 Thread Martin
Hi,

Sometimes dedicated VMs need a fixed (the same) IP address assigned by dhcpd 
every run. I don't know how to achieve this with dhcpd configuration. On every VM 
reboot it gets a different IP. OpenBSD guests change their IPs even without a 
reboot, right at runtime.

For instance I need dhcpd to assign these IP addresses to the dedicated VMs every 
run:

OpenBSD obsd0.qcow2 10.0.1.12
OpenBSD obsd1.qcow2 10.0.1.13
OpenBSD obsd2.qcow2 10.0.1.14

Linux lin0.qcow2 10.0.1.22
Linux lin1.qcow2 10.0.1.23

It looks like the MAC of the guests changes every boot, so dhcpd assigns a different 
IP address from the pool every boot/reboot.

Please advise any way to fix it.

Thank you in advance for your answer.

Martin



Re: OpenBSD 6.7-current VM on vmd collectd timesync problem

2020-07-30 Thread Martin
I can test it on 6.7-current only, and I haven't tested collectd on 6.6 or 6.7 
-stable. TSC looks synchronized; ntpd corrects a small amount of time skew, ~1s or 
less.

VM time looks stable, but not enough for time-series measurements.

Do you know any command to check that the TSC is "synchronized"?

Martin

‐‐‐ Original Message ‐‐‐
On Thursday, July 30, 2020 8:40 PM, Chris Cappuccio  wrote:

> Martin [martin...@protonmail.com] wrote:
>
> > The VM uses the NTP protocol to fine-tune its clock from the OpenBSD 6.7-current 
> > host, but collectd complains about clock skew in the past.
> > Any ideas?
>
> Does this happen with 6.6 or 6.7 as well? 6.7-current uses the TSC directly
> to gather timestamps, but it should only do this if the TSC are 
> "synchronized".




Re: OpenBSD 6.7-current VM on vmd collectd timesync problem

2020-07-30 Thread Martin
I tried kern.timecounter.hardware=tsc, no effect.

‐‐‐ Original Message ‐‐‐
On Thursday, July 30, 2020 10:46 PM, Brian Brombacher  
wrote:

> Are you using: kern.timecounter.hardware=tsc ?
>
> I’m on 6.7 release and no issue with collectd.
>
> > On Jul 30, 2020, at 4:53 PM, Martin martin...@protonmail.com wrote:
> > I can test it on 6.7-current only, and I haven't tested collectd on 6.6 or 
> > 6.7 -stable. TSC looks synchronized; ntpd corrects a small amount of time 
> > skew, ~1s or less.
> > VM time looks stable, but not enough for time-series measurements.
> > Do you know any command to check that the TSC is "synchronized"?
> > Martin
> > ‐‐‐ Original Message ‐‐‐
> >
> > > On Thursday, July 30, 2020 8:40 PM, Chris Cappuccio ch...@nmedia.net 
> > > wrote:
> > > Martin [martin...@protonmail.com] wrote:
> > >
> > > > The VM uses the NTP protocol to fine-tune its clock from the OpenBSD 
> > > > 6.7-current host, but collectd complains about clock skew in the past.
> > > > Any ideas?
> > >
> > > Does this happen with 6.6 or 6.7 as well? 6.7-current uses the TSC 
> > > directly
> > > to gather timestamps, but it should only do this if the TSC are 
> > > "synchronized".




OpenBSD 6.7-current VM on vmd collectd timesync problem

2020-07-30 Thread Martin
Log messages from collectd installed on OpenBSD 6.7-current VM:

2020-07-30T12:42:08+00:00 192.168.20.15 collectd[75320]: Not sleeping because 
the next interval is 0.689 second in the past!
2020-07-30T12:42:25+00:00 192.168.20.15 collectd[75320]: Not sleeping because 
the next interval is 0.069 second in the past!

Setting 'Interval 5' or 10 in /etc/collectd.conf has no effect.

collectd sends UDP packets to syslog-ng on the host system anyway. And UDP 
packets arrive safely.

The VM uses the NTP protocol to fine-tune its clock from the OpenBSD 6.7-current 
host, but collectd complains about clock skew in the past.

Any ideas?

Martin



Re: relayd and stateless UDP traffic

2020-11-22 Thread Martin
TCP connections work excellently using relayd.

The final goal is to make OpenVPN UDP connection as below:

PC 10.0.20.3 -> relayd -> NAT to egress (IPsec) -> Internet

But the UDP redirection rule seems to work only for incoming UDP connections. I'm 
not sure about this.

I've tried:

redirect udp-pass {
  listen on 10.0.20.1 udp port 1:65535
  forward to nat lookup
}

# rcctl -d restart relayd
returns config error.

Any suggestions on how to redirect stateless UDP from a PC in the local network to 
the system-wide NAT to egress (IPsec)?

Martin

‐‐‐ Original Message ‐‐‐
On Sunday, November 22, 2020 2:54 PM, Stuart Henderson  
wrote:

> On 2020-11-22, Martin martin...@protonmail.com wrote:
>
> > I'm looking for a solution to handle stateless UDP traffic with relayd from 
> > various apps which use UDP. For now relayd is configured to forward TCP 
> > connections only.
> > The goal is to use an OpenVPN UDP connection through the relayd proxy.
> > Any suggestions/examples would help me find a solution.
> > Martin
>
> See relayd.conf(5), the second paragraph of the PROTOCOLS section.




relayd and stateless UDP traffic

2020-11-22 Thread Martin
I'm looking for a solution to handle stateless UDP traffic with relayd from 
various apps which use UDP. For now relayd is configured to forward TCP 
connections only.

The goal is to use an OpenVPN UDP connection through the relayd proxy.

Any suggestions/examples would help me find a solution.

Martin



go-1.16.2 out of memory when building Go written program

2021-06-23 Thread Martin
Hi list,

I am trying to build terraform-provider-aws and terraform-provider-google.

$ go build

produces an error "out of memory".

Might it be a malloc-related issue, or how can I fix it another way?

Thank you in advance for your answer.

Martin



Re: go-1.16.2 out of memory when building Go written program

2021-06-23 Thread Martin
I've set ulimit -d 400

All builds have been done fine once changed.

Martin


Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Wednesday, June 23, 2021 6:15 PM, Sven F.  wrote:

> On Wed, Jun 23, 2021 at 2:03 PM Martin martin...@protonmail.com wrote:
>
> > Hi list,
> > I am trying to build terraform-provider-aws and terraform-provider-google.
> > $ go build
> > produces an error "out of memory".
> > Might it be a malloc-related issue, or how can I fix it another way?
> > Thank you in advance for your answer.
> > Martin
>
> man login.conf
>
> -
>
> --
>
> ---
>
> Knowing is not enough; we must apply. Willing is not enough; we must do




Re: VMM 6.9amd64 host video acceleration

2021-05-13 Thread Martin
By the way,

While running Firefox on the OpenBSD host I repeatedly get console messages like 
the ones below:

###!!! [Parent][MessageChannel] Error: 
(msgtype=0x6A0008,name=PMessagePort::Msg___delete__) Channel closing: too late 
to send/recv, messages will be lost

###!!! [Parent][RunMessage] Error: Channel closing: too late to send/recv, 
messages will be lost

LibGl error: MESA-LOADER: failed to open radeonsi (search path 
/usr/X11R6/lib/modules/dri
LibGl error: failed to load driver: radeonsi
LibGl error: MESA-LOADER: failed to open swrast (search path 
/usr/X11R6/lib/modules/dri)
LibGl error: failed to load driver: swrast

Any advice on whether this is normal or not?

Martin

‐‐‐ Original Message ‐‐‐
On Wednesday, May 12, 2021 1:43 PM, Dave Voutila  wrote:

> Martin writes:
>
> > Hi list,
> > I just wonder how to enable video acceleration on the VMM guest's side (Debian), 
> > if it is possible. Maybe PCIe passthrough should be present for that purpose?
>
> There is nothing to accelerate: vmd(8) doesn't emulate a display or
> video device. vmm(4) doesn't support pass-through to host hardware
> either.
>
> -dv



