Re: softdep as well as noatime on each partition?

2024-09-17 Thread Peter N. M. Hansteen
On Tue, Sep 17, 2024 at 10:19:26AM -0300, Ronny Machado wrote:
> 
> I've seen that kind of statement on any laptop install tutorial...but I
> wonder (No benchmark done in any case). Is it really necesary on nvme
> disks? One of my laptops has an nvme and it seems faster than others I
> have with SSD...until I put softdep and noatime on fstab and
> remount, again, this is a "perception" thing, no benchmark to back it up...
> Could anyone advice on that issue? Are softdep and noatime necessary?

On a modern laptop with reasonable specs I would be surprised you would
be able to tell the difference with or without noatime.

For softdep, man mount has this to say:

   softdep  Mount an FFS file system using soft dependencies.
            This option is only supported for compatibility and
            has no effect on OpenBSD.

so that would be definitely skippable. I forget just when it was
made into a no-op on OpenBSD, but I think it's been like that for
at least a couple of releases.

Other followups from people with slightly less rapid-refresh memory
than myself may even provide the exact commit.

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Pf congestion troubleshooting

2024-09-13 Thread Peter N. M. Hansteen
Hi,

As Tom mentioned, one of the least resource consuming ways to identify sources
and volumes of the traffic seen on or in and out of your network is to set up
for pflow aka netflow sensors and collectors. 

Based on the data you collect you can then analyse and make decisions
that hopefully reflect the actual traffic patterns you are dealing with.

Several sources of useful information are available, Tom already mentioned
The Book of PF and the article about tracking down a source of disruption
based on netflow data.

It is possible that you could find something useful in the slides for the
latest "Network Management with the OpenBSD Packet Filter Toolset" tutorial,
to be found at https://nxdomain.no/~peter/pf_fullday.pdf (possibly to be
updated for the upcoming Dublin event).

I would of course be delighted if you do buy The Book of PF, and the
article Tom referred to can also be found *without G's trackers* at
https://nxdomain.no/~peter/yes_you_too_can_be_an_evil_network_verlord.html
(the liberated versions of other blogposts can be found, pre-prettification
at https://nxdomain.no/~peter/blogposts/)

- Peter




Re: OpenBSD on ASUS VivoBook

2024-09-11 Thread Peter N. M. Hansteen
On Wed, Sep 11, 2024 at 03:24:11PM -0600, nisp1953 wrote:
> Have any of you been able to run OpenBSD on an Asus Vivobook?
> I am thinking of getting one and thought I would ask.

For any newish laptop that comes with Windows, do yourself a favor
before you install anything else - use the option to create a recovery
boot medium, just in case you do not get it to work and need to return
the thing.

That said, OpenBSD tends to work rather well on newish hardware. There
may be some oddities, but help is usually at hand via bugs@ or here.

This writeup https://nxdomain.no/~peter/blog_wild_wild_world_of_windows.html
(or prettified with trackers 
https://bsdly.blogspot.com/2021/07/the-impending-doom-of-your-operating.html)
describes some fiddling with ASUS machines back in 2021, with pointers
on how to debug and get help if you need it.

Good luck! Please do report back on your experiences!

All the best,
Peter




Re: The relationship between pf and YubiKey (FIDO2) (About OpenSSH)

2024-09-10 Thread Peter N. M. Hansteen
On Tue, Sep 10, 2024 at 08:32:05PM +0900, WATANABE Takeo wrote:
> I found out that I can log in with normal public key
> cryptography authentication (ed25519) in the same pf.conf environment,
> and that I can log in with ed25519-sk key authentication if I stop pf.
> 
> It occurred to me again that the pf.conf I had written might be the problem.

It should not matter whether PF is enabled or not, as long as the loaded rules
allow your SSH traffic to pass. I would suspect the cause lies elsewhere.
Just to make sure: Is that at the end of your message the complete ruleset,
loaded in the normal way (and no scriptery that set network-relevant options
you are not showing here)? 

As Ze Loff said, tcpdump with appropriate options at both ends while trying
to authenticate will show the real story.

> tcp_services="{ http, https, domain, smtp, smtps, msa, imaps, 1522 }"

Are we safe to assume that your sshd listens on port 1522?

Once again, it is impossible to offer really useful input unless we have
the entire configuration, at least the complete pf.conf along with any
hostname.vio0 or at least the ifconfig output for the interface.

All the best,
Peter 




Re: You have installed OpenBSD. Now for the daily tasks (blog post)

2024-09-07 Thread Peter N. M. Hansteen
Hi Reese,

On Fri, Sep 06, 2024 at 08:28:40PM -0400, Reese Johnson wrote:
> Peter thanks much appreciated. Fan of your blog for many years. I have 
> learned a lot from it.

Thanks! I am happy to hear you found this and other writings of mine useful.

As you may have noticed, new blog posts go to both nxdomain.no and the blogspot
site, and I am in the process of liberating even older items and placing them in
https://nxdomain.no/~peter/blogposts/ for now, at a glacial pace in between other
things that I need to attend to. It is thinkable I go for some sort of prettification
at some point in the future, but don't hold your breath :)

All the best,
Peter




Re: Freeze

2024-09-06 Thread Peter N. M. Hansteen
On Fri, Sep 06, 2024 at 02:45:02AM -0400, openbsd_fr...@mail2tor.com wrote:
> Hibernation and suspended mode being set in xfce4 freezes my laptop.

The probability of finding an actual solution to that and any other problem
you encounter using OpenBSD would be infinitely improved if you could be
bothered to submit reports with enough information that other people could
actually start diagnosing.

Please read up on 

https://www.openbsd.org/faq/faq1.html#Bugs
https://www.openbsd.org/report.html

and of course man sendbug (also available as https://man.openbsd.org/sendbug
right there in your browser) is very useful.




Re: doas

2024-09-05 Thread Peter N. M. Hansteen
On Thu, Sep 05, 2024 at 01:59:49PM -0400, openbsd_fr...@mail2tor.com wrote:
> Gentlemen! How do I doas my regular user.

Please do not assume all contributors here are male. 

doas needs a valid doas.conf. See man doas and man doas.conf.




Re: hostname.if

2024-09-05 Thread Peter N. M. Hansteen
On Thu, Sep 05, 2024 at 02:39:38AM -0400, openbsd_fr...@mail2tor.com wrote:
> What should my hostname.if file look like.
> Is there a minimum amount of settings I need?
 
The absolute minimum would be something like

up

but more usefully, for a client system in a wired network, assuming dual stack:

inet autoconf
inet6 autoconf

I would recommend reading the Networking part of the FAQ 
(https://www.openbsd.org/faq/faq6.html)
and to check out at least some of the man pages it references.

(and of course I have written the odd piece about this and related things,
https://nxdomain.no/~peter/blogposts/recent-and-not-so-recent_changes_in_openbsd_that_make_life_better.html
-- or
http://bsdly.blogspot.com/2021/08/recent-and-not-so-recent-changes-in.html if
you fancy less basic formatting and are OK with Big G tracking your moves --
may be one of the more entertaining ones)




Re: I wrote this about packages and ports in 2023, hopefully still useful to some who come here

2024-09-03 Thread Peter N. M. Hansteen
On Tue, Sep 03, 2024 at 10:38:38AM +0300, Ville Valkonen wrote:
> Hello Peter,
> 
> how about replacing sudo usage with doas?

If I haven't already, that is an oversight I'll fix shortly. Thanks!

- Peter




Re: You have installed OpenBSD. Now for the daily tasks (blog post)

2024-09-02 Thread Peter N. M. Hansteen
On Mon, Sep 02, 2024 at 11:47:57PM +0200, Kirill Miazine wrote:
> > Comments and corrections welcome, as always.
> 
> add a link afterboot(8), perhaps? https://man.openbsd.org/afterboot

Yes! Added, thanks!

- Peter




You have installed OpenBSD. Now for the daily tasks (blog post)

2024-09-02 Thread Peter N. M. Hansteen
You Have Installed OpenBSD. Now For The Daily Tasks. 
https://nxdomain.no/~peter/openbsd_installed_now_for_the_daily_tasks.html 
(prettified, tracked: 
https://bsdly.blogspot.com/2024/09/you-have-installed-openbsd-now-for.html) 

- Consider this an update with additional explanation over the >10 years old
pieces I dug out recently.

Comments and corrections welcome, as always.

- Peter




Re: I wrote this about packages and ports in 2023, hopefully still useful to some who come here

2024-08-31 Thread Peter N. M. Hansteen
On Sat, Aug 31, 2024 at 03:01:22PM +0300, Mihai Popescu wrote:
> If your intention is/was to help a new OpenBSD user to install
> packages, then my feedback is a simple no. This article is far from
> helping a beginner to easily install packages.

After offering https://marc.info/?l=openbsd-misc&m=172503305621176&w=2, 

I remembered writing that slightly longer piece, which offers some explanation
of how things work in addition to copy-pasteable material.

There is room for both approaches.




I wrote this about packages and ports in 2023, hopefully still useful to some who come here

2024-08-31 Thread Peter N. M. Hansteen
After answering some too-basic questions about installing packages on
OpenBSD earlier here, I remembered that back in 2013 I wrote a
piece about ports and packages that looks like it is still mostly usable.

Now available untracked as
https://nxdomain.no/~peter/youve_installed_it_now_what_packages.html
or prettified and G-tracked as
https://bsdly.blogspot.com/2013/04/youve-installed-it-now-what-packages.html

Comments and corrections welcome, of course there may be parts where things could
have happened in the space of 11 years and some months.

All the best,
Peter




Re: E-mail address openly visible in the WWW

2024-08-30 Thread Peter N. M. Hansteen
On Fri, Aug 30, 2024 at 05:06:32PM +0200, rfab...@mhsmail.ch wrote:
> I have observed the e-mail addresses of the misc@ contributors are
> openly visible in the World Wide Web. I'm not sure whether this might
> be a privacy hazard.
> 
> Do you recommend using a separate, dedicated e-mail address for
> posting in the misc@ list?

I would not consider the openbsd-misc archives a higher risk than any other
mailing list archives.

There are ways to mask addresses in mailing list archives, but whether
the people in charge of the archives consider the effort required to set
up such a thing worth it is entirely up to them.

That said, if you have reason to believe that making your email address
available in searchable archives on the Internet, using an alternate 
address for posting to the list might be a workable option.





Re: OpenBSD Guide Installing XFCE

2024-08-30 Thread Peter N. M. Hansteen
On Fri, Aug 30, 2024 at 05:56:32AM -0400, openbsd_fr...@mail2tor.com wrote:
> Please ship OpenBSD with XFCE4 pre-built instead of with CWM or both.
 
After a successful install, running 

pkg_add xfce

and following the instructions at the end of the package install will get
you there. 

Also the FAQ about packages is worth reading 
(https://www.openbsd.org/faq/faq15.html).

Actually *all* parts of the faq are worth reading if you are responsible
for OpenBSD systems.

- P




Re: Alternative mailing lists

2024-08-29 Thread Peter N. M. Hansteen
On Thu, Aug 29, 2024 at 05:03:25PM +, Anon Loli wrote:
> Hello, OpenBSD friends!
> Is there an alternative mailing list, or we can To and CC a bunch of people at
> once, I believe.
> The problem is that I have been censored plenty of times on @misc, @bugs and
> probably also @tech, and although I despise that, it's someone else's servers
> so what can I really do about it and should I even, right? :)

"I have been censored plenty of times" is a very serious accusation, and one that
should not be made lightly.

Were messages of yours removed or suppressed? 

Keep in mind that having your messages ignored on mailing lists is just a normal
part of daily life. Perhaps your issue was not interesting to others or simply
poorly presented, or perhaps one that is more than adequately covered in the FAQ.

But sure, if you feel your needs would be better served by starting a mailing list
or other service of your own, there is nobody stopping you from doing just that.

I suspect that the effect of the message I am making the utterly poor choice of 
following up on will be that people who would likely be able to provide valuable
input on any OpenBSD relevant issue you might raise will choose to filter away
messages from "Anon Loli" so they will not waste any time reading those pieces 
of text.




Re: Installing from USB

2024-08-29 Thread Peter N. M. Hansteen
On Mon, Aug 26, 2024 at 10:10:13AM -0400, openbsd_fr...@mail2tor.com wrote:
> I cannot install OpenBSD using flash usb media. The installer stops at
> (disk, http, nfs etc). After partitioning. The install USB boots up and
> everything goes well until I reach the part with the data sets
 
If I remember correctly, choosing disk and if needed then choosing the
device name for the USB device you booted from is the way forward.




Re: Options to have relayd add IP to pf?

2024-08-23 Thread Peter N. M. Hansteen
On Fri, Aug 23, 2024 at 12:54:20PM +0200, Joel Carnat wrote:
> I have a server which gets flooded with unsolicited HTTP requests. So far, I 
> use relayd filters to identify those requests and block them, at relayd 
> level. It works as they never reach the web server but relayd is still 
> working to block them.
> 
> I thought of parsing relayd logs to get those IPs and add them to a pf block 
> table, using an automated script.

If the problem is that there are a lot of requests from the same hosts coming
in rapid-fire, it is possible that state tracking rules with overloading could
be the thing to try.

The other thing that comes to mind is to put together something that parses the
logs and adds offenders to a table of addresses that PF will block.

Something along the lines of what is described in 
https://nxdomain.no/~peter/forcing_the_password_gropers_through_a_smaller_hole.html
(also prettified but tracked at 
https://bsdly.blogspot.com/2017/04/forcing-password-gropers-through.html)
could be what you need (some assembly required, obviously).

- Peter

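The log-parsing approach sketched above, as an added example that is not from the post or from the linked article: a script that counts clients in constructed relayd-style log lines, emits pfctl commands for any address over a threshold, and prints the pf.conf fragment that consumes the table, including the state-tracking overload variant. The log line layout, the table name floodhosts and the threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the post or the linked article. Reads relayd log
# lines, counts requests per client address and feeds repeat offenders into a
# PF table; pf_fragment prints the rules that consume the table, including the
# "overload" form that needs no log parsing at all.
#
# Assumptions: log lines carry "<client address> -> <backend>" as in the
# constructed sample below. Real relayd output depends on the version and on
# the "log" options in relayd.conf, so check /var/log/daemon and adjust the
# pattern in offenders() before use. Table name and threshold are arbitrary.

# Constructed sample, syslog-style lines as relayd might write them to
# /var/log/daemon. Six sessions: four from 198.51.100.7, two from 203.0.113.4.
SAMPLE_LOG='Aug 23 12:40:01 gw relayd[1234]: relay www, session 17 (3 active), 0, 198.51.100.7 -> 10.0.0.10:80, done
Aug 23 12:40:01 gw relayd[1234]: relay www, session 18 (3 active), 0, 198.51.100.7 -> 10.0.0.10:80, done
Aug 23 12:40:02 gw relayd[1234]: relay www, session 19 (2 active), 0, 203.0.113.4 -> 10.0.0.10:80, done
Aug 23 12:40:02 gw relayd[1234]: relay www, session 20 (3 active), 0, 198.51.100.7 -> 10.0.0.10:80, done
Aug 23 12:40:03 gw relayd[1234]: relay www, session 21 (2 active), 0, 203.0.113.4 -> 10.0.0.10:80, done
Aug 23 12:40:03 gw relayd[1234]: relay www, session 22 (3 active), 0, 198.51.100.7 -> 10.0.0.10:80, done'

# offenders MIN: read log lines on stdin, print every client address seen at
# least MIN times, one per line, sorted. The address is the run of hex digits,
# dots and colons (so IPv6 works too) immediately before " -> ".
offenders() {
    awk -v min="$1" '
        match($0, /[0-9a-fA-F.:]+ -> /) {
            addr = substr($0, RSTART, RLENGTH - 4)   # drop the trailing " -> "
            seen[addr]++
        }
        END { for (a in seen) if (seen[a] >= min) print a }
    ' | sort
}

# block_offenders TABLE MIN: turn the offender list into pfctl table additions.
# With DRY_RUN=1 (the default) the commands are printed rather than executed,
# so the pipeline can be inspected, or run under a test, without root and
# without touching the live ruleset.
block_offenders() {
    table=$1
    min=$2
    offenders "$min" | while read -r addr; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "pfctl -t $table -T add $addr"
        else
            pfctl -t "$table" -T add "$addr"
        fi
    done
}

# pf_fragment: pf.conf pieces that use the table. "persist" keeps the table
# alive even when empty; the quick block must precede the pass rule. The
# max-src-conn-rate/overload option is the state-tracking alternative the post
# mentions: PF itself adds any source opening more than 15 connections in 5
# seconds to the table and flushes that source's existing states.
pf_fragment() {
    cat <<'EOF'
table <floodhosts> persist
block drop in quick on egress from <floodhosts>
pass in on egress proto tcp to port { http https } \
    keep state (max-src-conn-rate 15/5, overload <floodhosts> flush global)
EOF
}

# Usage from cron, for example every five minutes, with entries aged out after
# a day so a blocked address is not punished forever:
#   DRY_RUN=0 sh relayd_offenders.sh floodhosts 20 < /var/log/daemon
#   pfctl -t floodhosts -T expire 86400
if [ $# -eq 2 ]; then
    block_offenders "$1" "$2"
fi
```

Addresses added with pfctl -T add live only in memory, so pair the cron job with the expire call above or the table will grow until the next reboot.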



Re: OpenBSD equivalent to FreeBSD hw.uart.console boot setting

2024-08-16 Thread Peter N. M. Hansteen
On Fri, Aug 16, 2024 at 08:31:50AM +, Laura Smith wrote:
> Is there an OpenBSD equivalent to the below flag which is set in 
> /boot/loader.conf.local on FreeBSD ?
> 
> 
> hw.uart.console="mm:0xfedc9000,rs:2"
> 

In order to get useful responses it is always a good idea to give some context on
what it is you are trying to do.

For things to do with the OpenBSD console, I would recommend starting with the
"Keyboard and Display Controls" part of the FAQ, 
https://www.openbsd.org/faq/faq7.html,
and a simple web search on obvious keywords reveals a number of useful writeups 
such as Paul de Weerd's writeup on installing OpenBSD via a serial console
http://www.weirdnet.nl/openbsd/serial/.

For the details such as which flag or option corresponds to which in 
each of the systems, it is likely useful to follow the man page links in
the FAQ and Paul's writeup.




Re: WIFI

2024-07-02 Thread Peter N. M. Hansteen
On Wed, Jul 03, 2024 at 12:23:49AM -0400, openbsd_fr...@mail2tor.com wrote:
> Dear users!
> 
> How do I get wifi working for desktop use?

the general instructions in the FAQ, in particular 
https://www.openbsd.org/faq/faq6.html
and https://www.openbsd.org/faq/faq6.html#Wireless should be helpful

If you're new to OpenBSD, you will likely be returning to the FAQ and
the man pages a lot to find info.

- Peter




EuroBSDCon 2024 Dublin, Ireland September 19-22, Call for papers open until June 15

2024-06-09 Thread Peter N. M. Hansteen
EuroBSDCon 2024

Dublin, Ireland September 19-22, 2024
https://2024.eurobscon.org/ 

Call for Papers runs until June 15, 2024
https://2024.eurobsdcon.org/cfp/index.html

Submit at https://events.eurobsdcon.org/

#dublin #freebsd #openbsd #netbsd #development #devops #sysadmin #networking




Re: Open Source / BSD License Copyright infringements

2024-06-07 Thread Peter N. M. Hansteen
On Fri, Jun 07, 2024 at 07:48:45PM +1000, Stuart Longland wrote:
> 
> BSD means they don't have to share the changes they made, or even the
> original code.  The only thing they cannot legally do, is change the
> copyright on the code, which as some have pointed out, is a tough thing to
> prove.  Modifying code and keeping it secret is fair game.

I tend to summarize along the lines of "BSD licensed means you can do whatever
you damned well please with the code except claim that you wrote it all yourself"

as in, to legally change the copyright of a piece of work in most jurisdictions
(possibly all) requires that you have replaced the original content in its entirety.

Making changes to BSD licensed code and distributing binaries while keeping 
the changes to yourself is in fact allowed. Not an overly nice thing to do
and it might make maintaining the thing harder, but definitely legal.





Re: Q: Problems forwarding traffic using pf ...

2024-05-24 Thread Peter N. M. Hansteen
On Thu, May 23, 2024 at 11:14:20AM +0200, Why 42? The lists account. wrote:
> pfctl reports:
> # pfctl -vvs rules | grep @
> @0 block return log all
> @1 pass in log on em0 inet proto udp from 192.168.178.166 to any tag UDP
> @2 pass out log on ure0 all flags S/SA tagged UDP
> 
> I see that rule 1 is matched, but never rule 2. E.g.
> ...
> May 23 10:32:06.602759 rule 0/(match) block in on em0: 192.168.178.179.5353 > 
> 224.0.0.251.5353: 46[|domain] (DF)
> May 23 10:32:06.603963 rule 0/(match) block in on em0: 
> fe80::4434:8bff:fecd:b116.5353 > ff02::fb.5353: 46[|domain] [flowlabel 
> 0xbaff9]
> May 23 10:32:09.700212 rule 0/(match) block in on em0: 192.168.178.254 > 
> 224.0.0.1: igmp query [len 12] (DF) [tos 0xc0] [ttl 1]
> May 23 10:32:13.267374 rule 1/(match) pass in on em0: 192.168.178.166.56334 > 
> 192.168.178.11.54321: udp 7

So this last one never leaves, right?

what does the gateway's routing table say about how to reach the destination 
network?

also relevant, what is the configuration of the interfaces involved?

I'm thinking this could be down to using RFC1918 addresses and not being extra
careful about netmasks and routes, but we need more info on the actual
configuration to be sure.

- Peter




Re: Q: Problems forwarding traffic using pf ...

2024-05-23 Thread Peter N. M. Hansteen
On Thu, May 23, 2024 at 11:14:20AM +0200, Why 42? The lists account. wrote:
> I need to quickly create a solution for forwarding multicast traffic
> between two systems, so I thought perhaps I could use pf to do just that
> by writing some rules along the lines of:
> 
> 1. pass in on iface A proto UDP ... tag mcast
> 2. pass out on iface B tagged mcast
> 
> And another pair of rules for the reverse direction B -> A.
> 
> (Obviously I'd add more options to filter specific addresses, etc.)

Possibly stupid question, but did you set the sysctl(s) to enable forwarding?

$ sysctl net.inet.ip.forwarding

and

$ sysctl net.inet6.ip6.forwarding

will provide the answer (as in, if those values are not 1, forwarding
between interfaces is not enabled)





Re: My PC is crashing

2024-05-10 Thread Peter N. M. Hansteen
On Fri, May 10, 2024 at 08:48:56AM +0200, Anders Andersson wrote:
> Missing from the FAQ is IMO step 0: Run memtest over night to rule out
> hard to debug hardware problems. It won't catch everything of course,
> but it usually finds RAM issues which is its main job.

That is a very valid point. 

Bad RAM could very well be the cause of the problems described. And on
a side note, given that the memory allocation in OpenBSD is different than
what some other systems do, it is not unlikely that other systems never
or only rarely would hit the failing memory location while OpenBSD would,
more often.




Re: My PC is crashing

2024-05-09 Thread Peter N. M. Hansteen
Hi Daniel,

On Fri, May 10, 2024 at 07:57:31AM +0200, Daniel Hejduk wrote:
> Hello,
> I installed OBSD on my IdeaPad.
> Install went fine I installed offline using .iso file.
> But after rebooting it works for ~30 seconds and after that it shuts down,
> without any errors, kernel panics, nothing.
> 
> How can I debug it? I will send you more info if I find something.

The FAQ has a reasonable description of how to debug and report observed 
problems at https://www.openbsd.org/report.html

That said, I would start with looking at the output of dmesg and any 
traces of what happened immediately before the incidents in the log files 
such as /var/log/messages (and any other possibly relevant log files).




Re: obsd wifi

2024-05-04 Thread Peter N. M. Hansteen
On Sat, May 04, 2024 at 03:01:54PM -0300, Gustavo Rios wrote:
> I have just installed OpenBSD in my brand new notebook. It is a dell
> notebook that came with just a wifi NIC. How do I discover the name of my
> wifi nic?

ifconfig with no arguments should list all network interfaces the kernel has
recognized. 

There is a catch, though. For wifi interfaces it is likely that the interface 
can not be configured until the device's firmware is installed.

If that is the situation, a common workaround is to use some device that 
*is* configurable (most USB Ethernet dongles I have encountered Just Work),
configure that, then run fw_update. Once the firmware is in place, the rest
should be straightforward.

Good luck!

- Peter





Re: Desktop performance

2024-05-04 Thread Peter N. M. Hansteen
On Sat, May 04, 2024 at 03:41:28PM +0200, Manfred Koch wrote:
> These specifications originate from a website
> 
> I could use your judgments on these settings, so that I can use it.

It would be interesting to hear which website recommended those settings, just
for reference.

It's hard to come up with actually generally valid answers to this kind of question.
It really depends on what you want to do with your system. I remember some packages
(chrome comes to mind) that have instructions in the package readme file to tweak
some of the login.conf parameters. If the software you want to use comes with
instructions of that kind, it may be a good idea to follow those suggestions.

Otherwise I would as a general rule leave things at the defaults unless you find
a specific reason not to.

Hm. Back in the day I did some conference tutorials on "transition to the most
recent OpenBSD release", with some desktop/laptop oriented tweaks I had found
useful myself. Some of those tweaks may still apply, but some are likely to
be outdated or just plain wrong to start with. But perhaps an updated version
would be useful to somebody?




USB keyboard quirks may not be properly catered to in bsd.rd kernels (was: Re: bad first impression of OpenBSD at install time)

2024-04-25 Thread Peter N. M. Hansteen
On Fri, Apr 26, 2024 at 06:52:38AM +0200, Lourens wrote:
> I too experienced this issue during installation.
> I simply plugged in an old Logitech keyboard to complete the installation
> and after rebooting the previously 'problematic' keyboard was detected and
> fully usable.

Summing up, this sounds like the kernel configuration that was shoehorned into
amd64 installer images (and possibly other platforms?) lacks some of the code 
that caters to the quirks that show up in certain (newer) USB keyboards.

What is not clear to me is how common those keyboards are, as in is there
significant risk that new users would encounter this in the wild, with a
probability large enough that it would be useful to add a note about this to
say https://www.openbsd.org/faq/faq4.html#bsd.rd somewhere?




Re: bad first impression of OpenBSD at install time

2024-04-25 Thread Peter N. M. Hansteen
On Thu, Apr 25, 2024 at 05:46:04PM +0200, Harald Dunkel wrote:
> 
> I posted this before, without any response from the community:
> 
> At the boot> prompt of the installer image my USB keyboard still works,
> but at the install prompt the keyboard is ignored. I cannot press "i"
> to actually install OpenBSD.

I remember vaguely something that matches the description, and I think
the feedback then too was that more information about the hardware involved
would be needed in order to help. Preferably full sendbug output, but
a dmesg (preferably from OpenBSD but even from some other unixlike like
Linux will do).




Re: syntax error in httpd.conf file

2024-04-20 Thread Peter N. M. Hansteen
On Sat, Apr 20, 2024 at 08:47:23AM -0600, deich...@placebonol.com wrote:
> continuing with man page recommendations, when you read entirely to the end 
> of a man page you will see reference to related man pages.  At the end of 
> httpd man there are several references, including httpd.conf

this can not ever be over emphasised or over amplified.

On OpenBSD, you can expect man pages to be complete and informative and
to contain references to other useful resources.

Anyone learning OpenBSD or with OpenBSD should be using 'apropos' and 'man' 
quite intensively.

- Peter




Re: syntax error in httpd.conf file

2024-04-20 Thread Peter N. M. Hansteen
On Sat, Apr 20, 2024 at 12:58:34PM +1000, Alexis wrote:
> > and a bit surprinsigly - at least to me - chatgpt didn't get the syntax
> > right either, no matter how detailed my prompt was.
> 
> Not at all surprising to me, given that ChatGPT and other LLM-based 'AI'
> systems - essentially Markov chains / glorified autocorrect - are
> increasingly known for 'hallucinations' and confidently making false claims.

Here's the story of my asking it to write a PF.conf - 
https://nxdomain.no/~peter/chatgpt_writes_pf.conf.html
or with nicer formatting and trackers 
https://bsdly.blogspot.com/2023/06/i-asked-chatgpt-to-write-pfconf-to-spec.html

so in this context, near totally useless, likely due to insufficient volume of
actually useful configurations in the data it was trained on.

This other piece has it come up with some only tangentially related gibberish,
but the thing partially redeems itself by offering up that poem at the end -
https://nxdomain.no/~peter/chatgpt_on_ipv6_and_openbsd_poetry.html (or again
with nicer formatting but G's trackers 
https://bsdly.blogspot.com/2023/03/chatgpt-opines-on-ipv6-procastination.html)

- Peter




Re: Firewall setup

2024-04-15 Thread Peter N. M. Hansteen
I give up.

The obviously incomplete, hand edited ifconfig output shows three
interfaces that are (or appear to be, judging from the excerpts that
we are given) not configured with IP addresses, two of which
have a link, while the last does not.

For reasons unknown these three are joined in a three-way bridge.

From the tiny crumbs of information you have deigned to reveal to us,
it is not at all clear what it is you are trying to achieve.

That this configuration does not do anything useful is however no
surprise at all.

Once you can describe what it is your Rube Goldberg contraption
is supposed to do, competent people here might offer some advice
on how to make things work properly.

Until that happens, I for one will simply ignore anything from that
source.




Re: Firewall setup

2024-04-15 Thread Peter N. M. Hansteen
On Mon, Apr 15, 2024 at 10:09:31PM +0200, Karel Lucas wrote:
> This gives the following error messages when booting:
> no IP address found for igc1:network
> /etc/pf.conf:41: could not parse host specification
> no IP address found for igc2:network
> /etc/pf.conf:42: could not parse host specification

This sounds to me like those interfaces either do not exist or
have not been correctly configured.

Are those interfaces configured, as in do they have IP addresses?

the output of ifconfig igc1 and ifconfig igc2 will show you.




Re: Firewall setup

2024-04-15 Thread Peter N. M. Hansteen
On Mon, Apr 15, 2024 at 10:01:59PM +0200, Karel Lucas wrote:
> They both give a syntax error by booting.
> 
> On 14-04-2024 at 17:45, Zé Loff wrote:
> >  pass in on $int_if proto udp to port 53
> >  pass in on $int_if proto udp to $nameservers port 53

You're not giving us a lot to work with here.

Off the top of my head, seeing that your int_if macro is a list of 
two interfaces, that may well be your problem (or one of them).

The rule syntax is not really intended to deal with a list of interfaces
following 'on'. 

It is likely more useful to treat the two interfaces separately. 

The other option - if your network layout is such that it makes 
sense to treat them to the same rule criteria - would be to make an 
interface group with both interfaces as members, then use the 
interface group name in your rules.





Re: OpenBSD Installation Doesn't Detect NVMe SSD, but Detects My USB Drives

2024-04-15 Thread Peter N. M. Hansteen
On Mon, Apr 15, 2024 at 08:29:21AM +0200, aliyu...@tutanota.com wrote:
> 
> I'm currently trying to install OpenBSD on my laptop, and I'm coming
> across a problem. The installation only detects my installation drive
> and my other USB flash drive that I use for data storage, but not my
> NVMe SSD I want to do an installation on.
> 
> This same problem also occurs in NetBSD, but not FreeBSD. The UEFI
> setup acknowledges my drive as a Non-RAID disk, and Linux also shows
> it as nvme0n1, so there isn't any problems with the drive itself.

As Brian mentioned, it would generally be useful to have dmesg output
from a system where the drive works as well as from the OpenBSD config
where the drive is not recognized.

That said, I would recommend looking into the BIOS options to see whether
there is a setting for the storage controller mode. In an ASUS laptop
I bought a little while back, the options were somewhat non-intuitive:

"The option turned out to live in the BIOS' Advanced menu, labeled 
VMD setup menu, where you set the Enable VMD controller option 
to Disabled."

which made the drive visible to OpenBSD.

(the fuller story is at 
https://nxdomain.no/~peter/blog_wild_wild_world_of_windows.html
or with nicer formatting and trackers 
https://bsdly.blogspot.com/2021/07/the-impending-doom-of-your-operating.html)

In your case, the relevant option (if it exists) may be labeled 
something completely different. But it's likely worth checking for.




Re: Firewall setup

2024-04-14 Thread Peter N. M. Hansteen
On Sun, Apr 14, 2024 at 05:09:01PM +0200, Karel Lucas wrote:
> Hi all,
> 
> Everything about PF is all very confusing to me at the moment, so any help
> is appreciated. So let's start simple and then proceed step by step. I want
> to continue with ping so that I can test the connection to the internet.
> This works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10
> www.apple.com. As others have stated, I have a problem with using DNS
> servers on the internet. The PF ruleset needs to be adjusted for this, but
> it is still not clear to me how to do that. What else do I need to get ping
> to work correctly? To get started simply, I created a new pf.conf file, see
> below.

I'd put this somewhere after your block rules:

pass inet proto { tcp, udp } from igc1:network to port $client_out 
pass inet proto { tcp, udp } from igc2:network to port $client_out 

- that way you will actually use the macro. But the macro still references
the invalid service nportntp (you probably want ntp instead), and I would
think that the services "446, cvspserver, 2628, 5999, 8000, 8080" are unlikely
to be useful unless you *know* you need to pass traffic for those.




Re: Ping blocked by firewall

2024-04-13 Thread Peter N. M. Hansteen
On Sat, Apr 13, 2024 at 06:18:46AM +0200, Janne Johansson wrote:
> On Fri, 12 Apr 2024 at 19:41, Karel Lucas wrote:
> >
> > Hi all,
> >
> > Ping only works partially. For example, this works: ping -c 10
> > 195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. I suspect
> > this has to do with DNS servers, but I don't know where to start
> > troubleshooting. Can someone help me?
> 
> If the below pf.conf it your total firewall config, then you are only
> letting icmp through, and not DNS queries.
> Perhaps you meant to use the "client_out" macro for a pass rule and forgot it?

As Janne hints at here, your pass criteria are too narrow to be practical for
the needs you appear to have.

Not an uncommon problem while learning to write rulesets. And of course I
have written about that too -

https://home.nuug.no/~peter/pf/en/basicgw.html#GWPITFALLS

(That is in the piece that evolved into The Book of PF, and likely
something similar appears somewhere in the book too)





Re: No internet connection (firewall block)

2024-04-11 Thread Peter N. M. Hansteen
On Thu, Apr 11, 2024 at 09:34:15AM +0100, Zé Loff wrote:
> > pass log out on egress inet proto udp to port 33433:33626 # for IPv4
> > pass log out on egress inet6 proto udp to port 33433:33626 # for IPv6
> > 
> > pass log quick on $ext_if inet proto {tcp, udp} from $localnet \
> >         to port $udp_services
> > pass log on $ext_if inet proto icmp all icmp-type $icmp_types
> > pass log on $ext_if inet proto tcp from $localnet to port $client_out
> > pass log out proto tcp to port $tcp_services   # establish keep-stat
> > pass log log proto udp to port $udp_services   # Establish keep-state
>
> If I read this correctly, you are not allowing any "in" traffic, except
> for the two "Letting ping through lines", which are just for ICMP, and
> on the first two rules on the last part ("...$icmp_types"  and
> "...$client_out").  I am assuming "log log" on the last rule is a typo,
> and it is actually "log out".
 
Those are as far as I can tell correct observations. There appears to be
no rule allowing traffic other than the selected icmp types to pass from
anywhere but the local host.





Re: 7.5 /var/log/messages - vfprintf %s NULL in "%.*s"

2024-04-11 Thread Peter N. M. Hansteen
On Thu, Apr 11, 2024 at 09:41:47AM +0200, Eivind Eide wrote:
> 
> HOME="/home/eivind"
> 
> That's the environmental variable that triggers the message if an
> empty ~/.terminfo/ directory is present in my home.

It is possible that I have missed important context here, but with a
bare environment with only essentials like $HOME defined and no
~/.terminfo directory (as opposed to an empty one), do the odd messages
still appear?




Re: No internet connection (firewall block)

2024-04-11 Thread Peter N. M. Hansteen
On Wed, Apr 10, 2024 at 11:53:47PM +0200, Karel Lucas wrote:
> 
> With the new firewall I am setting up I cannot connect to the internet. That
> starts with traceroute, so let's start there. Ping works fine. Below I have
> listed my pf.conf file.

This sounds like you have a link to somewhere, at least.

The first question would be, when you say "I cannot connect to the internet",
where is this in relation to the host with the ruleset you quote?

Start with the basics - is the gateway set up to forward packets? The output of

$ sysctl net.inet | grep forward

will reveal the truth there.

And looking at the quoted ruleset, I find it rather unlikely that it will actually
load -- you will get a "macro 'martians' not defined" and "unknown port nportntp"
and likely a few "syntax error" messages as well.

I would advise to take a few steps back, start from the basics and add only the
things you know you need.





Re: Ping blocked by firewall

2024-04-10 Thread Peter N. M. Hansteen
On Wed, Apr 10, 2024 at 11:01:18PM +0200, Peter N. M. Hansteen wrote:
> Another gentle introduction can be found in the latest PF tutorial,
> the slides for the AsiaBSDCon 2024 version can be found as
> https://nxdomain.no/~peter/pf_asiabsdcon2024.pdf which in turn has
> references to various useful resources.

and I should add that the labs referenced there are almost certainly
not available at the moment. They tend to be turned on specifically
for the sessions and are generally only left running for a few days.

- P




Re: Ping blocked by firewall

2024-04-10 Thread Peter N. M. Hansteen
On Wed, Apr 10, 2024 at 04:41:58PM -0400, Steve Litt wrote:
> I found out where to buy your book, and will buy it once I have the
> "for dummies" level of knowledge. In the meantime, what other PF
> references do you recommend? I know just enough PF to be dangerous, but
> want to make my own BSD/PF firewall/router.

The Book of PF was meant to be accessible to people with only basic
networking knowledge, but anyway -

I'd start with the official PF user guide at 
https://www.openbsd.org/faq/pf/index.html
and look up the relevant man pages.

Another gentle introduction can be found in the latest PF tutorial,
the slides for the AsiaBSDCon 2024 version can be found as
https://nxdomain.no/~peter/pf_asiabsdcon2024.pdf which in turn has
references to various useful resources.

And of course, this mailing list tends to be receptive to reasonably
formulated questions.

All the best,
Peter





Re: Ping blocked by firewall

2024-04-09 Thread Peter N. M. Hansteen
On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:
> I defined the table as stated in your book (3rd edition, page 42). However,
> that gives an error message. In the lines with that table: macro 'martians'
> not defined. Moreover, I now also have a Syntax error in lines 38, 39 and
> 46, causing the pf lines not to be loaded.

The martians example only appears on page 91, and if you had read that book
or other PF references, you would have known full well that the syntax for
defining and referencing macros differs from how you define and reference 
tables. 

Please actually read the advice offered by contributors to this thread.




Re: Ping blocked by firewall

2024-04-09 Thread Peter N. M. Hansteen
On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:
> I defined the table as stated in your book (3rd edition, page 42). However,
> that gives an error message. In the lines with that table: macro 'martians'
> not defined. Moreover, I now also have a Syntax error in lines 38, 39 and
> 46, causing the pf lines not to be loaded.

macro names are case sensitive, to wit

peter@kapet:~$ cat martians
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
  10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
  0.0.0.0/8, 240.0.0.0/4 }"

block from $martians
peter@skapet:~$ doas pfctl -vnf martians
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12,   
10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24,   0.0.0.0/8, 240.0.0.0/4 
}"
martians:5: macro 'martians' not defined
martians:5: syntax error

for conversion to tables, keep in mind that references need the
surrounding '<' and '>'.

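A small static check for the two pitfalls in this thread (a $reference that does not match its macro definition letter for letter, and a table referenced without the surrounding angle brackets), as an added example that is not part of the original post and is not pfctl: it only reads the file text and does not replace `pfctl -nf`. The pf.conf fragments embedded in it are constructed for the example.

```python
"""Check a pf.conf fragment for two macro/table mistakes that pfctl reports
only tersely: a $reference that matches no definition exactly (macro names
are case sensitive) and a table referenced without the surrounding <...>.
This is a text-only check; it does not replace 'pfctl -nf'."""
import re

MACRO_DEF = re.compile(r'^([A-Za-z_]\w*)\s*=')        # name = "value"
TABLE_DEF = re.compile(r'^table\s*<(\w+)>')           # table <name> ...
MACRO_REF = re.compile(r'\$(\w+)')                    # $name
TABLE_REF = re.compile(r'<(\w+)>')                    # <name>
BARE_WORD = re.compile(r'(?<![$<\w])(\w+)(?![\w>])')  # name, but not $name or <name>


def logical_lines(text):
    """Return (first line number, text) pairs with comments stripped and
    backslash-continued lines joined, the way the macro above was wrapped."""
    out, buf, start = [], [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].rstrip()
        if start is None:
            start = n
        if line.endswith('\\'):
            buf.append(line[:-1])
            continue
        buf.append(line)
        joined = ' '.join(buf).strip()
        if joined:
            out.append((start, joined))
        buf, start = [], None
    return out


def lint_pf(text):
    """Return a list of 'line: problem' strings, empty if nothing was found.
    Definitions are collected in file order, since pf requires them before use."""
    macros, tables, problems = {}, {}, []
    for n, line in logical_lines(text):
        m = MACRO_DEF.match(line)
        t = TABLE_DEF.match(line)
        if m:
            macros[m.group(1)] = n
            rest = line[m.end():]          # the value may reference earlier macros
        elif t:
            tables[t.group(1)] = n
            rest = line[t.end():]
        else:
            rest = line
        for name in MACRO_REF.findall(rest):
            if name in macros:
                continue
            if name in tables:
                problems.append(f"{n}: '{name}' is a table; reference it as <{name}>")
                continue
            msg = f"{n}: macro '{name}' not defined"
            similar = [k for k in macros if k.lower() == name.lower()]
            if similar:
                msg += f" (macro names are case sensitive; did you mean '{similar[0]}'?)"
            problems.append(msg)
        for name in TABLE_REF.findall(rest):
            if name not in tables:
                problems.append(f"{n}: table <{name}> used before any 'table <{name}>' line")
        for name in BARE_WORD.findall(rest):
            if name in tables:
                problems.append(f"{n}: table '{name}' used as a bare word; write <{name}>")
    return problems


# Constructed samples: the case mismatch from the thread, a half-done table
# conversion, and a fragment that passes.
CASE_MISMATCH = r'''Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
  10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
  0.0.0.0/8, 240.0.0.0/4 }"

block from $martians
'''
HALF_CONVERTED = '''table <martians> const { 127.0.0.0/8, 10.0.0.0/8 }
block from martians
block from $martians
'''
CORRECT = '''ext_if = "em0"
table <martians> const { 127.0.0.0/8, 10.0.0.0/8 }
block in quick on $ext_if from <martians>
'''

if __name__ == "__main__":
    for label, sample in (("case", CASE_MISMATCH), ("half", HALF_CONVERTED), ("ok", CORRECT)):
        print(label, lint_pf(sample) or "no problems")
```

The check deliberately mirrors pfctl's own order-dependent behaviour: a macro is only known from the line that defines it onwards, which is why the last line of the first sample is reported as "not defined" rather than as a near miss of something later in the file.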



Re: Ping blocked by firewall

2024-04-08 Thread Peter N. M. Hansteen
On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas wrote:
> Hi all,
> 
> For the first time I tested my new firewall with ping, and it is blocked. I
> don't know what the reason is, you can find the information below. I have a
> network with only regular clients, so no servers. I'm still using OpenBSD
> V7.4, and will upgrade once the firewall is up and running so I can test the
> upgrade process.

Upgrading to 7.5 will not affect this particular problem I think.

Still low on caffeine I spot two likely factors - your $localnet range overlaps 
with one of the ranges in $martians (which I anyway would recommend converting 
into a table), and your block referencing $martians comes after the pass rules
that would have let icmp through. With no previous matching quick, last match
applies. 

- Peter

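An added example, not part of the original post, modelling the evaluation order Peter describes: every rule is tried in turn, the last match decides, and a matching `quick` rule ends evaluation on the spot. The martians list, the 192.168.1.0/24 local network, the interface names igc1 and egress, and both rule orderings are constructed for the example and are not taken from Karel's ruleset.

```python
"""Model of PF rule evaluation, enough to show why a trailing
'block from $martians' overrides an earlier pass for a LAN that
overlaps one of the martian ranges, and how reordering fixes it."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    action: str                                  # "pass" or "block"
    src: list = field(default_factory=list)      # source networks; empty = any
    proto: Optional[str] = None                  # "icmp", "udp", ...; None = any
    iface: Optional[str] = None                  # interface name; None = any
    quick: bool = False


@dataclass
class Packet:
    src: str
    proto: str
    iface: str


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.src and not any(ip_address(pkt.src) in net for net in rule.src):
        return False
    return True


def evaluate(ruleset, pkt):
    """Return (action, index of the deciding rule). PF semantics: rules are
    evaluated top to bottom, the last matching rule decides, and a matching
    'quick' rule stops evaluation immediately. No match at all means pass."""
    decision, winner = "pass", None
    for i, rule in enumerate(ruleset):
        if matches(rule, pkt):
            decision, winner = rule.action, i
            if rule.quick:
                break
    return decision, winner


# Constructed sample data: the usual martians list and a typical home LAN.
MARTIANS = [ip_network(n) for n in (
    "127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8",
    "169.254.0.0/16", "192.0.2.0/24", "0.0.0.0/8", "240.0.0.0/4")]
LOCALNET = ip_network("192.168.1.0/24")


def overlapping_martians(localnet=LOCALNET, martians=MARTIANS):
    """Which martian ranges would swallow the local network?"""
    return [str(n) for n in martians if localnet.overlaps(n)]


# Order as described in the thread: the martians block comes last, so for a
# 192.168.1.x ping it is the last match and overrides the earlier pass.
BROKEN_ORDER = [
    Rule("block"),
    Rule("pass", [LOCALNET], proto="icmp", iface="igc1"),
    Rule("block", MARTIANS),
]

# Martians block moved ahead of the pass rules and restricted to the external
# interface (constructed name "egress"): the last match for LAN icmp is the pass.
FIXED_ORDER = [
    Rule("block"),
    Rule("block", MARTIANS, iface="egress", quick=True),
    Rule("pass", [LOCALNET], proto="icmp", iface="igc1"),
]

LAN_PING = Packet(src="192.168.1.20", proto="icmp", iface="igc1")
SPOOFED_FROM_OUTSIDE = Packet(src="10.9.8.7", proto="icmp", iface="egress")

if __name__ == "__main__":
    print("overlap:", overlapping_martians())
    print("broken order, LAN ping:", evaluate(BROKEN_ORDER, LAN_PING))
    print("fixed order, LAN ping:", evaluate(FIXED_ORDER, LAN_PING))
    print("fixed order, martian on egress:", evaluate(FIXED_ORDER, SPOOFED_FROM_OUTSIDE))
```

Running it shows the two factors separately: `overlapping_martians()` reports that 192.168.0.0/16 contains the LAN, and the broken ordering blocks the LAN ping at the martians rule while the reordered set passes it and still drops a martian-sourced packet arriving on the outside interface.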



Re: 7.5 NO hard drive?

2024-04-07 Thread Peter N. M. Hansteen
On Sun, Apr 07, 2024 at 05:17:25PM +0200, Wolfgang Pfeiffer wrote:
> > 
> > The problem was with the BIOS, it needs IHCH or something like that to be
> > recognized!
> > But it is working now as a xfce Desktop!
> 
> Seems to be (not only) a DELL thing: Some time ago I tried an Openbsd
> installer on an Alienware computer, ~10 years old, which was sold by
> DELL: In UEFI, IIRC, I had to change sata mode from "raid" to "ahci"
> to let openbsd detect hard disks on that computer.
> 
> Seems to an older issue:
> https://daemonforums.org/showthread.php?t=10228
> https://www.mail-archive.com/misc@openbsd.org/msg153583.html

Adding to that list, my experience with an ASUS laptop where it would
be physically impossible to fit more than one storage device, but
the storage controller anyway was set to "Raid" mode by default. Fortunately
it was possible to choose the other options and have the device turn up
as a regular NVMe device: 

https://nxdomain.no/~peter/blog_wild_wild_world_of_windows.html (or with
incrementally nicer formatting at the cost of G's trackers, 
https://bsdly.blogspot.com/2021/07/the-impending-doom-of-your-operating.html)




Re: wifi hotspot workaround

2024-04-04 Thread Peter N. M. Hansteen
On Thu, Apr 04, 2024 at 07:22:01PM +0500, ofthecentury wrote:
> Okkk, device hangups still occur. But there's some
> statistics at least in FreeBSD, by running
> `sysctl dev.ath`...anything like that in OpenBSD?

netstat -I $devicename with your choice of options will reveal at least some
information.

- P




Re: need help to access my machine after upgrade -- system immediately logs me out

2024-04-01 Thread Peter N. M. Hansteen
On Tue, Apr 02, 2024 at 12:44:01AM +0530, Sandeep Gupta wrote:
> Hello,
> 
>  I need to access my desktop local machine after I did a sysupgrade -s (I
> had reasons to do so because some rust libraries were too old for some
> applications).
> Sysupgrade seems to have gone fine. Disk is healthy no issues reported.
> 
> However when i tried to log from the console -- the login message shows but
> the system logs me out immediately.
> On the desktop gui too, with only root I was able to login. But running
> xterm from the fvwm menu fails.

This sounds very much like a situation where the base system and packages
are seriously out of sync AND your user is set up with a default shell from
packages (I am guessing bash).

The solution would likely be to log in as root, run pkg_add -D snap -u
to get the latest snapshot packages, then try to log in as your regular user.





I DEMAND TO KNOW (re recent activity)

2024-03-31 Thread Peter N. M. Hansteen
Friends,

Some recent activity here (you will remember the threads) had me want to post
this earlier, but I was bowled over by a stomach bug and only found the
reference again now - 

https://mastodon.social/deck/@danielbowen/112173051434619556

which reads:

Daniel Bowen @danielbowen@mastodon.social

From a tweet of mine from 2011, but evergreen:

I DEMAND TO KNOW WHY YOUR GROUP OF OVERWORKED VOLUNTEERS, WHICH 
I AM NOT A MEMBER OF, IS NOT PURSUING MY PERSONAL GRIEVANCE.

Mar 28, 2024, 12:22 PM




Re: wifi hotspot workaround

2024-03-30 Thread Peter N. M. Hansteen
On Sat, Mar 30, 2024 at 08:59:49PM +0500, ofthecentury wrote:
> And now something else happened, which seems like a big
> bug.
> athn0 sent a reason 6 deauthentication to my wifi client
> after I cycled the athn0 wifi interface!
> Reason 6 death is class 2 frame received from a nonauthenticated
> station. Correct me if I'm wrong, but this sounds like a major
> bug in the driver. 

Or shitty hardware with a helping of possibly not-too-great firmware.

With a bit of luck, any errors from the card itself should be possible to glean
from dmesg output.

(on a side note, I am on the list, the Cc:s are not necessary and in fact
a bit annoying)





Re: wifi hotspot workaround

2024-03-30 Thread Peter N. M. Hansteen
On Sat, Mar 30, 2024 at 05:44:32PM +0500, ofthecentury wrote:
> On Sat, Mar 30, 2024 at 5:29 PM Peter N. M. Hansteen  wrote:
> >
> > why?
> 
> I got "disassoc"s events in the log.

disassociations can happen for a number of different reasons. The event
should log a reason code, which you can look up with a simple web search.

In order to debug properly it would likely help to have ifconfig debug
output from both sides (access point and client both).

I would suspect banal radio interference by such things as improperly
shielded equipment somewhere close by, but with no actual data it's
only guesswork from here.




Re: wifi hotspot workaround

2024-03-30 Thread Peter N. M. Hansteen
On Sat, Mar 30, 2024 at 04:19:31PM +0500, ofthecentury wrote:
> I have an athn0 wifi hotspot going.
> I think I get wifi dissassoc attacks.

why?

> I actually don't understand why cycling
> the interface gets my wifi device back
> online. Maybe it's actually a problem with
> the athn0? The logs sometimes say
> "athn0 device timeout" or mention
> something about going into IBSS mode
> WHILE ifconfig still shows it's in hostap
> mode. Is there a way to interrogate the
> interface's function to make sure it's
> in hostap mode and test it's performing
> that function? I'm just trying to
> troubleshoot. 

The option to make the driver output more information is

debug

Add that to whatever options the configuration for the interface
already contains, then restart the interface. That will produce
significantly more information in your system logs.

That said, it would have been a lot easier to help you out if
you had provided your actual configuration (with any secrets
shrouded as appropriate) and at least a dmesg.

Keep in mind that wireless connections are in fact quite brittle
in nature and subject to all sorts of radio interference that's 
essentially background noise.





lcamtuf on the recent xz debacle

2024-03-30 Thread Peter N. M. Hansteen
While this issue does not in fact affect OpenBSD, I think it will still be
of interest to OpenBSD users -- a lot of us deal with Linux in our dayjobs,
after all.

This is one of the best explanations of the matter I have seen so far: 
https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor

and it leads in with a quote to remember - 

"This dependency existed not because of a deliberate design decision 
by the developers of OpenSSH, but because of a kludge added by some 
Linux distributions to integrate the tool with the operating 
system’s newfangled orchestration service, systemd."

Enjoy!





Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

2024-03-28 Thread Peter N. M. Hansteen
On Thu, Mar 28, 2024 at 09:16:45PM +, Dan wrote:
> You didn't "Reply All", so I didn't get your reply in my inbox. (The person
> you're replying to should be in the To field, and the mailing list in the
> Cc field.)

OH PUH-LEEZE. 

No. 

You send to a mailing list, people are supposed to reply to the mailing list. 

A select few may have their mail clients configured so the author of the message
will receive a courtesy copy (aka Cc:).

If I seem unresponsive to any followups to this thread, a likely reason will be
that I will not see messages with your From: without putting in some extra effort.

- Peter




Re: CLI program to download OpenBSD ISO images

2024-03-24 Thread Peter N. M. Hansteen
On Sun, Mar 24, 2024 at 05:32:20PM -0300, Alceu Rodrigues de Freitas Junior wrote:
> 
> Is there any CLI program for OpenBSD that implements the steps described at
> https://www.openbsd.org/faq/faq4.html#Download to download and check the ISO
> images?
> 
> I wasn't able to find anything relevant after a quick check on DuckDuckGo.
> 
> I implemented a simple Perl script that implements those steps, but is
> basically forking wget and signify to really get the job done.

ftp(1) is in base and can do the fetching for you. sha256(1) and signify(1),
both in base, will do the integrity checking.

If you *want* to have a script that wraps both actions into one, that's fine.

But I would have wanted to make life easier by sticking to the tools that
are available in a default install.




Re: Personal Information Notice - Bright Data

2024-03-19 Thread Peter N. M. Hansteen
I assume those with the proper means to LART these jokers properly will do so.

The rest of us are better off ignoring the whole thing.

On a somewhat offtopic side note, total number of Mastodon accounts has 
just broken 15 million, which must be some kind of indicator of going 
mainstream since I was just notified that two different obvious pr0n 
spam sources followed my account.





Re: Unable to get ip6 address

2024-03-15 Thread Peter N. M. Hansteen
On Fri, Mar 15, 2024 at 06:38:14PM +0100, Peter N. M. Hansteen wrote:
> least the content of your configuration files -- /etc/hostmhame.* and the 
> output

that should of course have been /etc/hostname.* but would be obvious?





Re: Unable to get ip6 address

2024-03-15 Thread Peter N. M. Hansteen
Please keep this on the list unless you want me to start writing invoices.

On Fri, Mar 15, 2024 at 05:02:27PM +, Pencilgon wrote:
> Sorry for earlier email, I left you some details.
> 
> First of all I don't think ip6 work at all, well in theory inet6 autoconf 
> should
> work and grant me internet access but it doesn't, I don't get a ip6 address at
> all.
> 
> Second I am unable to get ip4 address even on wifi.

This sounds like your wifi interface is not in fact properly configured.

For this to produce anything even resembling useful results, we need to see at
least the content of your configuration files -- /etc/hostmhame.* and the output
of ifconfig for the relevant interfaces (if need be with stuff like IP addresses
and passwords masked).




Re: Unable to get ip6 address

2024-03-15 Thread Peter N. M. Hansteen
On Fri, Mar 15, 2024 at 03:32:48PM +, Pencilgon wrote:
> I recently installed openbsd got everything working wifi etc. The problem
> arises when I tried to connect ip6 network to it using wifi. I connected
> successfully but was unable to get ip6 address. My wifi worked fine with ip4
> address.

If your network offers IPv6 connectivity and you have IPv4 working, simply 
adding

inet6 autoconf

to the hostname.$if file for the interface and running /etc/netstart $if
*should* take care of things.

There are any number of other possible variations, but you do need some
'inet6' settings in there.

- Peter




Re: USB peripherals hang, nothing in messages

2024-03-13 Thread Peter N. M. Hansteen
Messages like this are worse than useless for actually diagnosing the issue.

Basically, we have no idea what hardware you are running on, or for that 
matter what software you are trying out. 

If there is a real issue, please learn how to use sendbug 
(https://man.openbsd.org/sendbug) or at least provide some actually
relevant information besides log messages that you fail to interpret.

On Wed, Mar 13, 2024 at 05:12:29PM +0500, ofthecentury wrote:
> My USB mouse and keyboard hang intermittently.
> 
> Very weird things happen, i.e. my mouse's red LED
> light begins to flicker in a very weird fashion, or my
> keyboard stops responding and my sound output
> is suddenly muted by itself (I don't even touch sound).
> 
> This was in the /var/log/messages regarding sound:
> wrapper-2.0: vfprintf %s NULL in "[xfce-mixer-plugin.
> c:374 xfce_mixer_plugin_set_property]: could not
> set sound-card to '%s', trying the default card instead"
> wrapper-2.0: vfprintf %s NULL in "%s: muted"
> 
> Nothing else to show up in /var/log/messages. Is there
> a more detailed log?
> 
> How do I gather info about this from the system?
> 




Re: Is this a security issue?

2024-03-13 Thread Peter N. M. Hansteen
On Wed, Mar 13, 2024 at 05:01:57PM +0500, ofthecentury wrote:
> Just saw this in my /var/log/messages:
> 
> '/bsd: drm:pid1338:intel_pipe_update_start *ERROR*
> [drm] *ERROR* Potential atomic update failure on pipe B'
> 
> Intel_pipe_update???
> 
A fairly simple web search would have provided potentially useful information
such as

https://marc.info/?l=openbsd-bugs&w=2&r=1&s=Potential+atomic+update+failure&q=b

Try fw_update (possibly after reading its man page) and see if it makes a 
difference.

Also, *complete* dmesg output would have told anyone trying to help diagnose
the issue a lot more.

As somebody (sorry, I forget who) posted earlier, https://idownvotedbecau.se/
is actually worth reading.




Re: files are going missing

2024-03-11 Thread Peter N. M. Hansteen
On Mon, Mar 11, 2024 at 05:24:43PM -, beecdadd...@danwin1210.de wrote:
> what system log files?

my first port of call would be /var/log/messages including any rotated older
ones (as in /var/log/messages.?.gz) but grep and zgrep for any device name
related to your storage in /var/log/ would be my next step.




Re: files are going missing

2024-03-11 Thread Peter N. M. Hansteen
On Mon, Mar 11, 2024 at 12:43:58PM -, beecdadd...@danwin1210.de wrote:
> I have a problem where files recently downloaded go missing and it
> happened over 3 times and on partition/s with enough available space
> I want to verify it 1 more time before knowing hdd is failing for sure

Did you perhaps download these files to somewhere under /tmp or /var/tmp
or somewhere else volatile like a memory file system and then reboot
before trying to access those downloads?

In general, files do not go missing unless someone explicitly deletes them,
but there is a possibility that you stumbled into one of the scenarios where
either a cleanup script or the volatile nature of the location you were playing
with did away with the data.

> so what gives?
> is hdd failing? but how do entire files go missing?
> maybe hdd metadata/header corruption of some kind?

If a drive is failing, more likely than not you would be seeing messages
in system log files or possibly even in dmesg output. Totally silent failures
are not very common.




Re: USB ethernet ure0 not working

2024-03-05 Thread Peter N. M. Hansteen
On Wed, Mar 06, 2024 at 12:43:28PM +0500, ofthecentury wrote:
> I'm stumped. Pls help.
> I plug a TPLink USB ethernet dongle in, it
> is identified by OpenBSD, and I get a ure0
> interface. It says ure0 is up and running. I
> give it the ip address, default route, but
> nothing happens, I don't get connectivity.
> I do everything the same for the USB dongle
> as for the inbuilt ethernet (which works fine).
> Dmesg says some additional interface rlphy0
> is added or something, but the only interface
> I see in ifconfig is ure0. `route show` gives
> nothing.

ENOACTUALINFO

The actual output of those commands (censored of any not-to-be-revealed
information if need be) would be crucial in helping diagnose the problem.

dmesg showing rlphy0 and possibly rgephy0 is to be expected, see man ure

Hopefully the actual problem is a trivial one, easy to spot for a separate set
of eyes.

- P




EuroBSDCon 2024 Call for Talk and Presentation proposals for EuroBSDCon 2024 is now open.

2024-02-29 Thread Peter N. M. Hansteen
EuroBSDCon 2024, Dublin, September 2024
The Call for Talk and Presentation proposals for EuroBSDCon 2024 is now open.

EuroBSDCon is the European technical conference for users and developers of 
BSD-based systems. The conference is scheduled to take place September 19-22 
2024 in Dublin, Ireland or as an all-online event if COVID-19 developments 
dictate. The tutorials will be held on Thursday and Friday to registered 
participants and the talks are presented to conference attendees on Saturday 
and Sunday.

The Call for Talk and Presentation proposals period will close on May 15th, 
2024. Prospective speakers will be notified of acceptance or otherwise by May 
22nd, 2024.

This document is available at https://2024.eurobsdcon.org/cfp/.

Call for Talk and Presentation Proposals (CfP)
The EuroBSDCon program committee is inviting BSD developers and users to submit 
innovative and original talk proposals not previously presented at other 
European conferences. Topics of interest to the conference include, but are not 
limited to applications, architecture, implementation, performance and security 
of BSD-based operating systems, as well as topics concerning the economic or 
organizational aspects of BSD use. Presentations are expected to be 45 minutes 
and are to be delivered in English.

Call for Tutorial Proposals
The EuroBSDCon program committee is also inviting qualified practitioners in 
their field to submit proposals for half or full day tutorials on topics 
relevant to development, implementation and use of BSD-based systems.

Half-day tutorials are expected to be 2.5 to 3 hours and full-day tutorials 5 
to 6 hours. The tutorials and talks are to be held in English.

Submissions
Proposals should be sent through the registration system at 
https://events.eurobsdcon.org.

Proposals should contain a short and concise text description in about 100 
words as well as a short speaker bio.

Accepted papers and presentations will be published on the conference web site 
as soon as feasible during or after the conference. We encourage the submitter 
to consider writing up a formal paper for this purpose in addition to making a 
presentation.

While we urge prospective speakers to seek funding from employers or other 
benevolent sources, the conference does have a budget for covering reasonable 
travel and accommodation expenses for speakers, with accommodation to the 
extent possible provided at the primary speaker hotel (see the Travel page on 
the conference website). Speakers who will be applying for travel funding 
should also submit an estimate of expected travel expenses. Please see the 
Speaker Reimbursement Policy for details.

Please also note that due to visa issues in the past, we would like to know as 
early as possible of any visa requirements for speakers. Please check the 
Ireland visa application requirements site at 
https://www.dfa.ie/travel/visas/visas-for-ireland/ for guidance.

NOTE: If conditions dictate that the conference move to an all-online format, 
further instructions on how to access the conference for both speakers and 
attendees will be forwarded by email and posted on the conference website. As 
such we are especially interested in proposals that would work well in a 
virtual format, such as panel discussions. Please also include your timezone 
and expected available times with your proposals. Due to known and unknown 
unknowns, the format of the conference has not yet been decided at this 
writing. If the format of the conference, on-site versus online has 
consequences for your ability to present, please let us know in the notes on 
your submission.

Contact
If you have any questions, please feel free to contact us by sending an email 
to p...@eurobscon.org



Re: SoGo for OpenBSD?

2024-02-16 Thread Peter N. M. Hansteen
On Fri, Feb 16, 2024 at 04:05:21PM +0300, Mark wrote:
> 
> Is there any hero here, to explain/forward me a working tutorial (never
> found one) for installation of SoGo (for its webmail) on an OpenBSD mail
> server?

I must admit I had never heard of the thing before reading your message,
but there appears to be a www/sogo port, so "doas pkg_add sogo" and proceed
to any configuration steps the docs specify should be a possible way forward.

- Peter




Re: Log files, OpenBSD and Zero click exploits

2024-02-13 Thread Peter N. M. Hansteen
On Tue, Feb 13, 2024 at 08:29:59AM +, jonathon575 wrote:
> Kindly find below log entries generated from tcpdump of the pflog. This is a
> fresh install & updated openbsd 7.4, with bare-minimum installation
> configured for a firewall. There are no x* programs installed.
> 
> Feb 11 18:09:41.682345 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
> wan-ip.60360: [wg] initiation from 0xdd6a56bc
> Feb 11 18:09:46.754493 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
> wan-ip.60360: [wg] initiation from 0x963acc89
> Feb 11 18:09:51.778525 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
> wan-ip.60360: [wg] initiation from 0x93d9508d
> Feb 11 18:09:56.835383 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
> wan-ip.60360: [wg] initiation from 0x112cf65b
> Feb 11 18:29:33.657009 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
> wan-ip.60360: [wg] initiation from 0x639ed21a
> Feb 11 18:29:33.657454 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
> wan-ip.60360: [wg] initiation from 0xb2fcd9b8
> Feb 11 18:29:33.658140 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
> wan-ip.60360: [wg] initiation from 0x8ae84cca
> Feb 11 18:29:33.658808 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
> wan-ip.60360: [wg] initiation from 0xcbb881b7
> Feb 11 18:29:33.659165 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
> wan-ip.60360: [wg] initiation from 0x612a28f8
> Feb 11 18:29:33.659416 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
> wan-ip.60360: [wg] initiation from 0x49f595ec
> 
> wan-ip is my wan static ip address.
> 
> What does [wg] mean? What does "initiation from 0xdd6a56bc"...etc. mean?

These log entries mean that your system blocked attempts from 69.166.225.73
to access whatever wan-ip is.

Your system recognized the traffic as attempts to initiate a WireGuard (a sort
of vpn, see https://man.openbsd.org/wg and links therein). The attempts were
blocked.

The rest of your questions can be answered relatively easily by familiarizing
yourself with the tools at hand, such as the tcpdump you have already
encountered. Do read up on how syslog classifies messages and how to report
which levels and so forth.

Some of the things you mention may require specialized tools, but please invest
some time in learning to properly interpret the output of the basic tools first.


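For triage of entries like the ones quoted, an added example (not from the thread) that counts blocked WireGuard handshake initiations per source address in pflog text output. The sample lines are constructed in the shape of the quoted log, with a second source and a pass line added; the field positions assume the "rule N/(match) block in on IF:" layout shown above.

```shell
#!/bin/sh
# Added example: summarise blocked WireGuard handshake initiations found
# in pflog text output of the shape quoted in the thread. Reads the log
# text on stdin and prints one line per source address:
#   <src> <count> <rule> <first seen> <last seen>
wg_initiations() {
    awk '
    /block in/ && /\[wg\] initiation/ {
        # $10 is the source as host.port; drop the trailing port.
        src = $10; sub(/\.[0-9]+$/, "", src)
        ts = $1 " " $2 " " $3
        if (!(src in n)) { first[src] = ts; rule[src] = $5 }
        n[src]++; last[src] = ts
    }
    END {
        for (s in n)
            printf "%s %d %s %s %s\n", s, n[s], rule[s], first[s], last[s]
    }'
}

# Print the count for source $1 in the log text $2 (empty if not seen).
count_for() {
    printf '%s\n' "$2" | wg_initiations | awk -v s="$1" '$1 == s { print $2 }'
}

# Constructed sample: three lines shaped like the quoted log, one from a
# second (documentation-range) source, and one passed packet that must
# not be counted.
SAMPLE_PFLOG='Feb 11 18:09:41.682345 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0xdd6a56bc
Feb 11 18:09:46.754493 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x963acc89
Feb 11 18:09:51.778525 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x93d9508d
Feb 11 18:12:03.101010 rule 14/(match) block in on re0: 203.0.113.9.51820 > wan-ip.60360: [wg] initiation from 0x0badc0de
Feb 11 18:12:09.202020 rule 3/(match) pass in on re0: 192.0.2.1.51820 > wan-ip.51820: [wg] initiation from 0x0c0ffee0'
```

Live use is `tcpdump -n -e -r /var/log/pflog | wg_initiations`, which reduces a burst of handshake attempts to one line per source with its rule number and time span.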


BSDCan 2024 submissions period runs until 2024-02-12

2024-01-25 Thread Peter N. M. Hansteen
BSDCan 2024 will be held 31 May - 1 June (Fri-Sat), 2024 in Ottawa,
at the University of Ottawa. It will be preceded by two
days of tutorials on 29-30 May (Wed-Thu).

Also: do not miss out on the Goat BOF on Tuesday 28 May.

For the safety of speakers and attendees, this conference will again
follow the mask policy outlined at https://bsdcan.org.

We are now accepting proposals for talks.

The talks should be designed for a technical audience, and may be
intended for a variety of experience levels.

Proposals of a business development or marketing nature are not
appropriate for this venue.

We have tended to group the sessions into the following categories
or tracks:

- Development
- System Administration
- Experiences
- Security
- Tutorials
- BOFs (Birds-of-a-Feather sessions)

and we may add further categories as needed, depending on the nature
of the submissions.

See http://www.bsdcan.org/2024/

If you are doing something interesting with a BSD operating system,
please submit a proposal. Whether you are developing a very complex
system using BSD as the foundation, or helping others and have a story
to tell about how BSD played a role, we want to hear about your
experience.  People using BSD as a platform for research are also
encouraged to submit a proposal. Possible topics include:

* How we manage a giant installation with respect to handling spam
* and/or sysadmin
* and/or networking
* Cool new stuff in BSD
* Tell us about your project which runs on BSD
* other topics (see next paragraph)

From the BSDCan website, the Archives section will allow you to review
the wide variety of past BSDCan presentations as further examples.

Both users and developers are encouraged to share their experiences.

The schedule is:

26 Dec 2023 Proposal acceptance begins
12 Feb 2024 Proposal acceptance ends
19 Feb 2024 Confirmation of accepted proposals

The conference will be primarily an in-person one. We are hoping to
offer other ways to participate, but the details have not been worked
out, so if you can only present remotely, please indicate this in your
submission notes.

See also http://www.bsdcan.org/2024/papers.php

Instructions for submitting a proposal to BSDCan 2024 are available
from: http://www.bsdcan.org/2024/submissions.php

The BSDCan Program Committee



Re: mountd

2024-01-09 Thread Peter N. M. Hansteen
On Tue, Jan 09, 2024 at 10:13:56AM +0300, 4 wrote:
> i'm trying to solve the problem of which port need to open on the pf. the 
> variant of processing rpcinfo output with script and then putting a rules 
> into an anchor is not very pretty. especially considering that this is not 
> enough, and i still need to repeat this action by cron. this variant works, 
> but it's not even close to how it should work %\ why i should solve such the 
> task at a time when humanity is flying to conquer Mars?

In my possibly very traditional thinking I would suggest that if you need
to mount file systems located on the other side of a firewall, it would be
useful to consider whether your network design is in fact fit for the purpose.




Re: ProtectLi w/ OpenBSD

2024-01-02 Thread Peter N. M. Hansteen
On Wed, Jan 03, 2024 at 06:21:03AM +, Kenneth Hendrickson wrote:
> Is there any newer information than this:
> https://OpenBsdMailBox.blogspot.com/2023/05/protectli-vp2420-with-dasharo.html
> 
> Looking for a newer faster firewall ...
> 
> Want headless, and obviously OpenBSD.
> 
> So is CoreBoot not an option?  Or is there a way to make it work?

That post is from May 2023. Since then we have had another release (7.4)
and significant work in most areas since then.

My main suggestion would be to try with 7.4 or if you are more adventurous,
a snapshot and if there are any problems use the mailing lists, including
bugs@ (see man sendbug) and follow up on any response from developers.

- Peter




Re: pf queues

2023-11-30 Thread Peter N. M. Hansteen
On Thu, Nov 30, 2023 at 03:55:49PM +0300, 4 wrote:
> 
> "cbq can entirely be expressed in it" ok. so how do i set priorities for 
> queues in hfsc for my local(not for a router above that knows nothing about 
> my existence. tos is an absolutely unviable concept in the real world) 
> pf-router? i don't see a word about it in man pf.conf
> 

In my reply to the initial message in this thread, I gave you the references
that spell this out fairly clearly.

And you're dead wrong about the pf.conf man page. Unless of course you
are trying to look this up on a system that still runs something that
is by now roughly a decade out of date.




Re: pf queues

2023-11-30 Thread Peter N. M. Hansteen
On Thu, Nov 30, 2023 at 02:57:23PM +0300, 4 wrote:
> so what happened to cbq? why such the powerful and useful thing was removed? 
> or Theo delete it precisely because it was too good for obsd? %D

Actually, the new queueing system was done by Henning, planned as far back
as (at least) 2012 (https://quigon.bsws.de/papers/2012/bsdcan/), finally 
available to the general public in OpenBSD 5.5 two years later. 

ALTQ support was removed from OpenBSD in time for the OpenBSD 5.6 release
(November 2014).

So, it's been a while and whatever you were running most certainly needed
an upgrade anyway. 




Re: pf queues

2023-11-28 Thread Peter N. M. Hansteen
On Wed, Nov 29, 2023 at 12:12:02AM +0300, 4 wrote:
> i haven't used queues for a long time, but now there is a need. previously, 
> queues had not only a hierarchy, but also a priority. now there is no 
> priority, only the hierarchy exists. i was surprised, but i thought that this 
> is quite in the way of Theo, and it is possible to simplify the queue 
> mechanism only to the hierarchy, meaning that if a queue standing higher in 
> the hierarchy, and he priority is higher. but in order for it to work this 
> way, it is necessary to allow assigning packets to any queue, and not just to 
> the last one, because when you assign only to the last queue in the 
> hierarchy, then in practice it means that you have no hierarchy and no 
> queues. and although the rule with the assignment to a queue above the last 
> one is not syntactically incorrect, but in practice the assignment is not 
> performed, and the packets fall into the default(last) queue. am i missing 
> something or is it really idiocy that humanity has not seen yet?
> 
How long ago is it that you did anything with queues?

The older ALTQ system was replaced by a whole new system back in OpenBSD 5.5
(or actually, altq lived on as oldqueue through 5.6), and the syntax is both
very different and in most things much simpler to deal with.

The most extensive treatment available is in The Book of PF, 3rd edition
(actually the introduction of the new queues was the reason for doing that
revision). If for some reason the book is out of reach, you can likely
glean most of the useful information from the relevant slides in the
PF tutorial https://home.nuug.no/~peter/pftutorial/ with the traffic
shaping part starting at https://home.nuug.no/~peter/pftutorial/#68





Re: bsd.re-config syntax

2023-11-23 Thread Peter N. M. Hansteen
On Fri, Nov 24, 2023 at 08:23:48AM +0100, Capitan Cloud wrote:
> Thnx Peter, please can you point me out the path of cvsweb where
> to find the resources that you are meaning?

the machine-independent GENERIC config is at 
https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/sys/conf/GENERIC?rev=1.291&content-type=text/plain,
while what I assume is the most common machine dependent one would be 
https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/arch/amd64/conf/GENERIC.MP?rev=1.16&content-type=text/x-cvsweb-markup

Lots more under src/sys/arch/$arch/conf where $arch is your architecture.





Re: bsd.re-config syntax

2023-11-23 Thread Peter N. M. Hansteen
On Fri, Nov 24, 2023 at 01:14:06AM +0100, Nowarez Market wrote:
> I'm in the need to know if /etc/bsd.re-config accepts
> comment starting with "#" as normally other file.conf do.

It's a kernel configuration file. There are numerous examples
in the source tree.




Re: GoCD on OpenBSD (?)

2023-11-22 Thread Peter N. M. Hansteen
On Wed, Nov 22, 2023 at 01:46:28AM +0100, Nowarez Market wrote:
> Just to drop the hint that GoCD at the moment (Nov 2023)
> among the Unix "wrappers" FreeBSD, AIX, HP-UX, Solaris
> miss the wrapper for OpenBSD and GoCD server immediately hangs
> pointing to the missing resources.

Did you actually want somebody to help you get the thing running?

If that was your intention, something at least resembling steps to
reproduce and actual output would help immensely.

https://gocd.org does not list OpenBSD as a supported platform, so
it is reasonable to expect some steps not already automated in the
package will be required.




Re: Firewall Problems

2023-11-18 Thread Peter N. M. Hansteen
Hi,

Please keep this on the list.

On Sat, Nov 18, 2023 at 06:35:35AM -0800, louise9...@gmail.com wrote:
> Hi thank you, I will try to change my rules accordingly. Also some questions:
> 1. I saw you talked about the block all rule. Does this cover traffic between 
> vlans/networks as I’m trying to isolate vlans/networks 6,10,20,30 as well as 
> my admin network which is em2 interface in this case.

Unless you have explicitly excluded interfaces from filtering (set skip on
$interface), "block drop log all" will drop packets that do not match any pass
rules following.

> 2. You also pointed out that ICMPv4 wasn’t getting through. In my case ICMPv6 
> won’t get out either from my internal networks. Literally nothing from 
> internal networks gets out except icmpv4 to gateway, icmp from internal lan 
> to internal lan, icmp from internal lan to firewall itself. Other than that 
> there’s no DNS, HTTP, etc getting out. Would I need additional rules for 
> those explicitly or would I just need a pass out all rule that done a certain 
> way could work?(I have also tried this and it still doesn’t work)?

Please take a look at the resources I pointed to. The tutorial slides will
clear up most of if not all of those questions.

And please keep any followups on the list.

All the best,
Peter

PS: The PF tutorial slides: https://home.nuug.no/~peter/pftutorial/ 




Re: Firewall Problems

2023-11-17 Thread Peter N. M. Hansteen
On Fri, Nov 17, 2023 at 08:52:19AM -0800, Lewis Ingraham wrote:
> Hello i am trying to configure OpenBSD as a firewall but I can't get it to
> ping outside the firewall and subsequently unable to reach the internet
> with devices behind the firewall. I tried changing my pf.conf to match the
> FAQ (as best as i could) and still cant get it to work. I am currently
> trying to get both IPV4 and IPV6 addresses to my devices. Can anyone tell
> me what I am doing wrong?

You have a number of "block quick" that seem to be already covered by the
seeming default

block drop log all  # block stateless traffic

but the only mention of ICMP (which is what ping uses) in your pf.conf is

pass in on egress inet6 proto icmp6 all icmp6-type { routeradv neighbrsol 
neighbradv }

so IPv4 icmp will not be let through at all.

This is covered somewhat extensively in that book I wrote
(https://nostarch.com/pf3) and you should be able to find the relevant
examples in the oft-repeated tutorial at https://home.nuug.no/~peter/pftutorial/

- Peter




Re: pf logging in ascii and send to remote syslog

2023-11-11 Thread Peter N. M. Hansteen
On Fri, Nov 10, 2023 at 08:23:54PM +0100, Hrvoje Popovski wrote:
> what would be best way to log pf logs in ascii and sent it to remote
> syslog ? I'm aware of pflow but I need ascii pf logs on remote syslog
> server.

something like the good old 
https://home.nuug.no/~peter/pf/newest/log2syslog.html
should still work, I think.

- Peter





Re: OpenBSD_one_site_web_hosting_software_recommendation

2023-11-09 Thread Peter N. M. Hansteen
On Thu, Nov 09, 2023 at 12:38:27PM +0100, soko.tica wrote:
> I have a task to launch from scratch one site web hosting google cloud
> instance.
> 
> I know OpenBSD does have httpd web server, but I couldn't have found
> neither wordpress nor joomla software neither in packages nor in ports (7.4
> -stable).
> 
> Is there a possibility to launch wordpress or joomla on such an instance on
> OpenBSD? Which manpages should I read?

You're probably right that those systems do not come pre-packaged for OpenBSD.

But simple web search on "wordpress on openbsd httpd" and "joomla on openbsd
httpd" yields enough seemingly relevant hits that I strongly suspect both are
doable.

I have not tried either myself, though.




Re: Jumbo frame, just a little late..

2023-11-07 Thread Peter N. M. Hansteen
On Tue, Nov 07, 2023 at 10:21:35AM +0100, Daniele B. wrote:
> About OpenBSD (7.3 stable) the only thing I need to ask explanation
> for is the reason of the error "wrong MTU value" popping up by setting
> jumbo frame directly via hostname.mynicdevice; when the setting goes
> smoothly up via ifconfig manually or by rc.local. Is the nic device
> initialization dependent on a sane 1500 MTU value, maybe?

try "ifconfig $device hwfeatures" and look for the "hardmtu" value.

On the systems I sampled randomly here, it looks like the em device
on this box has "hardmtu 9216" so it should handle jumbo frames just
fine. On the other hand the iwx in the laptop over there has "hardmtu 1500",
so setting the MTU to anything higher than that would simply fail.

It is possible that whatever mynicdevice is does not actually support jumbo frames.

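Added example, not part of the original post: a small POSIX shell check that pulls the "hardmtu" value out of ifconfig(8) hwfeatures output and compares it with the MTU you intend to put in hostname.if, so the "wrong MTU value" case is caught before the interface is configured. The ifconfig output lines below are constructed to resemble the em(4) and iwx(4) cases mentioned above, not captured from a real system.

```shell
# Constructed sample output, shaped like "ifconfig $device hwfeatures" on
# OpenBSD; the flags, addresses and hardmtu values are made up for the demo.
SAMPLE_EM='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	hwfeatures=37<CSUM_IPv4,CSUM_TCPv4,CSUM_UDPv4,VLAN_MTU,VLAN_HWTAGGING> hardmtu 9216
	lladdr 00:00:00:00:00:01'
SAMPLE_IWX='iwx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	hwfeatures=0<> hardmtu 1500
	lladdr 00:00:00:00:00:02'
# A device whose output carries no hardmtu at all (loopback, for instance).
SAMPLE_NONE='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
	index 3 priority 0 llprio 3'

# Print the hardmtu value found in the given ifconfig output, or nothing
# if the driver does not report one.
# Usage on a live system: hardmtu_of "$(ifconfig em0 hwfeatures)"
hardmtu_of() {
    printf '%s\n' "$1" | sed -n 's/.*hardmtu \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Return 0 when the requested MTU ($1) fits within the hardmtu reported in
# the ifconfig output ($2), 1 when it is too large, and 2 when the output
# does not report a hardmtu so nothing can be concluded.
mtu_fits() {
    want=$1
    have=$(hardmtu_of "$2")
    [ -n "$have" ] || return 2
    [ "$want" -le "$have" ]
}

# Walk the constructed samples and report what setting "mtu 9000" would do.
for dev_out in "$SAMPLE_EM" "$SAMPLE_IWX" "$SAMPLE_NONE"; do
    name=${dev_out%%:*}
    if mtu_fits 9000 "$dev_out"; then
        echo "$name: mtu 9000 is within hardmtu $(hardmtu_of "$dev_out")"
    elif [ -n "$(hardmtu_of "$dev_out")" ]; then
        echo "$name: mtu 9000 exceeds hardmtu $(hardmtu_of "$dev_out"), would fail"
    else
        echo "$name: no hardmtu reported, cannot tell"
    fi
done
```

On a real OpenBSD host, replace the sample strings with the output of `ifconfig $device hwfeatures` for the interface in question.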



Re: The Book of PF: Physical copies to be available again soon

2023-11-04 Thread Peter N. M. Hansteen
On Sat, Nov 04, 2023 at 10:52:01AM -0400, Jay Hart wrote:
> 
> Peter,
> 
> Any plans to update it?

Questions of the type

"Are you working on a new edition of your book about ?"

or the more general

"Are you working on a book about ?"

or even

"When is your next book coming out?"

are never going to be answered truthfully, or at all, by any writer or
publisher unless a definite publication date has been set and they are
confident that all the myriad factors that determine the outcome of
the project are firmly under control.

If the real question is,

"Would it be safe for me to start writing a PF book?"

My answer is no. There is no guarantee that the effort you put in will
give satisfactory-to-you returns in any form or fashion. Writing is a
time sink and publishers may or may not be interested.

On the other hand if you are asking,

"Should I start writing a book on PF or a related subject?",

my take is, please do, if you feel that it is a thing worth doing.

But again, keep in mind that writing a book and getting it published
will eat up several significantly more than bite-sized chunks of your
time, but if you feel that your book needs to be written, please go
ahead.

The reason The Book of PF exists is that I had a general idea of what
kind of PF book I would like to see existing, and a work in progress
manuscript existed that I showed to anyone interested. Fortunately
enough people relevant to getting the book actually published (and
revised twice so far) agreed that this book needed to happen.

When I get to the point that a new edition of The Book of PF or any
other book relevant to OpenBSD that I am able to write is certain to
be published at a specific time, this mailing list will be one of the
first public forums that will receive notification.

That much I will promise.

All the best,
Peter




Re: OpenBSD 7.4

2023-10-12 Thread Peter N. M. Hansteen
On Thu, Oct 12, 2023 at 07:54:04PM +0200, Karel Lucas wrote:
> Is it already known when openBSD 7.4 will be released? I would like to know
> that, because of a project I am working on.

The exact date will not be generally known until it happens if recent releases
are anything to go by. 

That said, you can be quite sure that the project has planned for
a specific date. 

Traditionally the release dates have been November 1st and May 1st, but 
several times the release has been earlier, up to a couple of weeks
in some cases. 

So my advice would be to plan for November 1st as a time that release
will be available. 

And anyway it will be useful to move any not yet upgraded systems to
7.3 ahead of that date, since 7.2 will join the ranks of no longer 
supported releases the moment 7.4 becomes generally available.

- Peter




Re: OpenBSD 7.3 latest snaphots

2023-10-10 Thread Peter N. M. Hansteen
On Tue, Oct 10, 2023 at 07:00:36AM +, jonathon575 wrote:
> 
> How to get the latest openbsd 7.3 snapshot?! On the website, the snapshots 
> are showing for 7.4 beta version.
> 
> Also would the security patches and bugs be integrated in the openbsd 7.3 
> latest snapshots.

This sounds like you are misunderstanding what the snapshots are about.

If you want the latest 7.3-stable, install 7.3 and run syspatch.

The snapshots were past 7.3 by some measure even at the time 7.3 was released,
and the latest 7.3-something tagged snapshots are in fact closer to 7.4-release
than to 7.3-stable.

The first couple of paragraphs of https://www.openbsd.org/faq/current.html explain
fairly well how this works.

- Peter




Re: syslogd in 7.4 no longer likes self signed certificates for TLS remote logging

2023-10-09 Thread Peter N. M. Hansteen
You are aware that OpenBSD 7.4 has not been released yet, right?

On Mon, Oct 09, 2023 at 06:42:02PM +0200, Noth wrote:
> 
>   This wasn't covered in http://www.openbsd.org/plus74.html . I have a setup
> where various OpenBSD instances log via TLS to a central logger, using self
> signed certificates I generated locally (10 year validity). Both the server
> and the clients verify each other using the -c & -s options for syslogd on
> the clients and -K for the server.
> 
>   I upgraded to 7.4 via CVS on my VMs but not my routers (yet). The 7.3
> routers are still able to connect via TLS but the 7.4 VMs can't as they
> don't like the self signed certs. It'd be nice if this was in the
> upgrade74.html with some explanation of why this changed.

Actually, if you built from source from a recent -current (HEAD) checkout,
what you got was just that: something that is close to what will be 7.4-release,
(a matter of weeks if not days), but not actually 7.4-release or -stable.

>   Is my path to getting all this working again the way it was to use Let's
> Encrypt certificates?

It's hard to tell the exact cause of your problem since you do not provide crucial
data such as any error messages that would appear in a log somewhere.

We also do not know much about your configuration or what requirements the setup
is supposed to fill. But sure, in quite a number of situations auto-renewing
Let's Encrypt certificates would be a serviceable solution.

- Peter




Re: Problems with HD

2023-10-04 Thread Peter N. M. Hansteen
On Thu, Oct 05, 2023 at 04:08:34AM +, Maria Morisot wrote:
> I have an Asus Vivobook (1400EA),
> and the hard drive is not recognized
> by OpenBSD. I have the same problem
> on some distros of Linux, but on others
> it shows up fine.

My Asus ZenBook had a similar issue, which was resolved
by diving into the BIOS "Advanced" section and setting the
storage controller to something other than the pseudo-RAID
mode. It may be worth checking whether there is such an option
available.

(as chronicled a little way down the page in
https://bsdly.blogspot.com/2021/07/the-impending-doom-of-your-operating.html
or trackerless with only the most basic formatting at 
https://nxdomain.no/~peter/blog_wild_wild_world_of_windows.html)

- Peter





Re: ROP Exploitation in openbsd-64 Programs After Removing ROP Gadgets

2023-09-21 Thread Peter N. M. Hansteen
On Fri, Sep 22, 2023 at 12:50:37PM +0800, Nan ZoE wrote:
> Because, as far as I understand, these ROP mitigation mechanisms seem to
> have been updated only in the three versions of OpenBSD, namely 6.3 to 6.5
> <https://www.openbsd.org/65.html>. Of course, I have also studied some
> programs under OpenBSD 6.5, and many of them still seem to have the
> potential to be bypassed.

I would not take the lack of explicit mention on the release page (or for
that matter lack of conference presentations or undeadly.org articles) on
a specific item as proof of absence of activity.

Improvements happen all the time, and changes that are not explicitly marked
as being ROP-related may very well have an effect on the phenomenon anyway.

By focusing on versions that have been unsupported for years you mainly ensure
that the people who could have addressed any issues you find will not bother.

If you actually want what you find to matter, for your own good please shift
your focus to -current or at least one or both of the still supported releases.

- Peter




Re: Update from 6.5 to 7.3

2023-09-08 Thread Peter N. M. Hansteen
On Fri, Sep 08, 2023 at 10:01:45AM +0200, Alessandro Baggi wrote:
> I've a problem. I need to upgrade OpenBSD from 6.5 to 7.3 on an APU2D. This
> is a firewall.
> The problem is that I cannot find older ISO of OpenBSD. Can someone point me
> in the right direction?

If you are planning to go the supported route and upgrade from release to release,
you have eight rounds of upgrading ahead.

If this is a firewall that does not do anything else, I would join a few of the
other posters here in recommending that you back up the tiny number of files
that could differ from a default install and do a fresh reinstall, only editing
in the things you need from your old /etc/ such as (likely most of) pf.conf.

- Peter




Re: heck of a long time

2023-08-23 Thread Peter N. M. Hansteen
On Wed, Aug 23, 2023 at 01:41:31PM +0200, Peter J. Philipp wrote:
> 
> If this is a sensitive topic I apologize ahead of time.
> 
> I'm wondering... can we have a change in the OpenBSD front page (to say):
> 
> "Only two remote holes in the default install, in more than 26 years!"

With a value that specific (26 years) there might be nagging for updates 
every two releases (once per year).

So a less maintenance intensive version might be

"Only two remote holes in the default install, in more than a quarter century!"

Then again, this is entirely up to those who maintain the website.

All the best,
Peter 




Re: Recognition Of Linux LVMs

2023-08-08 Thread Peter N. M. Hansteen
For the several wished-for things here to happen, primarily somebody
would need to write the code (or port existing code) to support those
features.

The reasons why this has not been done for each of those differ, but
generally boil down to (in no particular order)

* No developer has been motivated to spend sufficient effort on the
  problem -- for example, anything that has to do with multibooting
  seems to be not really a priority.

* a variation of previous, some features require a *lot* of work to go
  anywhere, so things that would be desirable in principle have not
  (yet) happened because getting them done would require more work
  than there are hands (and brains) available to get done to project
  quality standards.

* Legal issues. For the ZFS case, the first hurdle is the CDDL (see
  https://en.wikipedia.org/wiki/Common_Development_and_Distribution_License),
  and if those complications were not enough, the code is affected by
  if I remember correctly at least a couple of dozen patent claims
  that have been subject to lawsuits and a few sealed settlements.

And of course, some developer may well have started working on something
but life happens (including some licensing kerfuffles, including IIRC
one that led to the abandonment of at least one attempt at supporting
a certain class of BroadCom wifi parts).

Generally, searching on the obvious keywords such as the device name 
and operating system name will give some clues.

- Peter




Re: ksh bug or just normal behaviour?

2023-08-02 Thread Peter N. M. Hansteen
On Wed, Aug 02, 2023 at 11:35:39AM +, Ioan Samarul wrote:
> Can you please tell me if this is a bug or it is considered normal?
> 
> $ set -A test a b c d e f g h i
> $ echo ${test[07]}
> h
> $ echo ${test[08]}
> ksh: 08: bad number `08'
> $ echo ${test[8]}
> i

I strongly suspect you stumbled on to a case of the old convention "numerals with
leading zeroes are interpreted as octal notation" (but do check the underlying
code to make sure).

- Peter




Re: Installing openBSD

2023-07-31 Thread Peter N. M. Hansteen
On Mon, Jul 31, 2023 at 07:52:02AM -0400, Nick Holland wrote:
> 
> IF you want to multiboot, just don't until you can answer questions like
> this yourself.  Multibooting is very complicated, and requires a mastery
> of the boot process of ALL the OSs installed.  People often consider it
> a way to "learn" a new OS, I disagree, it is a good way to get massively
> frustrated and lose a lot of data.

I could not agree more. 

Unless you are specifically interested in learning how to develop bootloaders
and that is something that you consider essential to your career plan going
forward, please do not mess with multibooting. 

If your plan is to learn anything besides bootloader internals, please
do the sane thing and either run the one you are trying to learn on bare
hardware (the best you can afford) or if you are comfortable with a
virtualization platform, use that.

Multibooting will always be a painful distraction unless bootloaders
and their interactions with OSes and random hardware is what you want
to spend the bulk of your time on.

- Peter




Re: Routing multiple IPv4 blocks

2023-07-29 Thread Peter N. M. Hansteen
On Fri, Jul 28, 2023 at 10:09:31PM +0100, Polarian wrote:
> I do have one question, if anyone is willing to answer it, so I have on and
> off specified "keep state" depending on when I wrote the rule, but the
> following specifies it is the default:
> https://www.openbsd.org/faq/pf/filter.html
> 
> So why do a lot of examples I see specify keep state if it is the default,
> is there any benefit of specifying it which I am missing?

I would guess that some of the examples are based on something that was written
long enough ago that "keep state" was not the default. 

I personally only add "keep state" when I also need to add state options 
such as pflow or state tracking options.

If you do a "pfctl -vnf /etc/pf.conf" and compare the output to the
stored file, you will see that "keep state" and possibly other defaults
will be appended (and things like lists of ports generating several
rules and so on).

- Peter




Re: APCI on old Thinkpad

2023-07-03 Thread Peter N. M. Hansteen
On Mon, Jul 03, 2023 at 01:36:10PM +0200, Michael Hekeler wrote:
> oh dear I have forgotten the model number - Sorry!
> 
> It is Thinkpad 570

I had to look this up, since I had forgotten that Thinkpads used to come
with model numbers not prefixed and/or postfixed with letters.

I think one of several issues you will bump into is that the machine is
almost a quarter century old (released April 1999 if Wikipedia is to be trusted),
and you may be one of fairly few people who have kept one around this long.

This means in practice that in all likelihood, recent versions of any now-useful
software has been only lightly tested (if at all) on that vintage hardware. 

If you can get someone with the right skillset interested (as in, not me, by
any measure) it is conceivable that a fix is within reach. That said, however,
I suspect that improving support for more current hardware would tend to 
take priority when developers decide what to spend their time on.

All the best,
Peter 




Re: ftp.openbsd.org currently unreachable

2023-06-20 Thread Peter N. M. Hansteen
On Tue, Jun 20, 2023 at 05:30:20PM -0400, Alex Gaynor wrote:
> 
> I'm writing to provide a heads up that ftp.openbsd.org appears to
> currently be unreachable.

It looks to be back now, so it was likely a temporary problem somewhere
along the likely multi-hop way.

That said, unless you are running a mirror, the general recommendation
is to find a mirror reasonably close to you network-wise (which may
roughly correspond to geographical positions) and stick to those.

The sites listed at https://www.openbsd.org/ftp.html are synced often
enough that you probably won't miss out on much for long.

- Peter

PS cross-posting to several OpenBSD mailing lists is generally frowned upon.




EuroBSDCon 2023 open for Coimbra, Portugal 14-17 September 2023

2023-06-15 Thread Peter N. M. Hansteen
Registration for @eurobsdcon 2023 is open. 

Check out the program at https://2023.eurobsdcon.org/program/, then go to 
https://registration.eurobsdcon.org/ and register. 

Early bird rates apply before July 15th, 2023. 

Go register! 

See you in #Coimbra, #Portugal September 14-17, 2023! 

#eurobsdcon #bsd #openbsd #freebsd #netbsd #unix #development




Re: Setting up a Transparent Tor Proxy on OpenBSD 7.3 with pf(4)

2023-06-15 Thread Peter N. M. Hansteen
On Thu, Jun 15, 2023 at 07:17:45AM -, distantp...@danwin1210.de wrote:
> 
> Thats it, "rcctl start tor" works flawlessly, "sh /etc/netstart" too, and
> "pfctl -f /etc/pf.conf" does not spit out any warnings or errors either,

Yes, at first blush by visual inspection the file you present is a syntactically
valid ruleset.

> so I first assumed it would work just as flawlessly then, but apparently
> it doesnt, because I cant ping any domain or wget any webpage, when I
> start the webbrowser it says it cant resolve the domain. Because all of
> that I thought I might have set the DNSPort settings wrong, so I changed
> it to 5353, but it didnt work either. I couldnt find any working
> configuration for that matter and I would really appreciate it if somebody
> took the time and helped me.

I am not at all sure about what magic is needed for name resolution to work
in your environment, but your ruleset has no mention of icmp, which is likely
why ping does not work.

But then as JJ said already, instrument your rules with log or log(all) and
spend some time getting to know our friend tcpdump(8) as applied to PF logging.
For further reference, please see the pf.conf man page, the PF user Guide or 
even my own tutorials or the Book of PF for working examples.

All the best,
Peter N. M. Hansteen




ChatGPT writes a pf.conf by spec, earns an "F" grade

2023-06-07 Thread Peter N. M. Hansteen
Prompted by a followup on Mastodon, I was enticed to see what feeding a prose spec
for a pf.conf to ChatGPT would produce.

TL;DR: it failed miserably, but in a way that would have led the gullible to
try it out raw, leading them down a route that would lead to loads of misery
and frustration.

Recorded at https://nxdomain.no/~peter/chatgpt_writes_pf.conf.html for those
who would be interested.

All the best,
Peter



The EuroBSDCon 2023 Call for proposals ends this week (May 26th, 2023), get your submission in now!

2023-05-23 Thread Peter N. M. Hansteen
This year's EuroBSDCon conference is set in Coimbra, Portugal September 14-17, 2023.

The conference (or rather the conference program committee) will accept submissions for
consideration for inclusion in the program, talks, lightning talks or tutorials until
the end of day (in any time zone) May 26th, 2023.

The full Call for proposals can be found at 
https://2023.eurobsdcon.org/call-for-papers-is-now-open/,
where you will also find the link to the submissions system.

If you are mulling a submission, mull no more!

Get your submission in as soon as possible and at the latest May 26th.

We aim to finalize selection and to publish the initial version of the conference program on
or before June 1st, 2023.

Hoping to see you in Coimbra this September!

For the EuroBSDCon 2023 program committee,

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


