Re: help debug NFS
Hi, James
Thank you for the link. Since the problem really exists, the only option is to use periodic querying of the mount point like you recommend or like I did using a while-loop.

11.04.2021 21:11, James Stark writes:
> Hi Maxim,
>
> I ran into the problem with the nfs mounts on linux hanging a few months ago, when the Linux distro that I'm running (Void) on the NFS client dropped UDP NFS mounts. At the time I found this post that explains the situation:
>
> http://openbsd-archive.7691.n7.nabble.com/nfsd-hangs-Linux-tcp-clients-after-5-minutes-idle-td402844.html
>
> As a work around, I've set up a cron script that stat's the mount point every four minutes. That stops the mount from hanging.
>
> I hope that helps.
>
> James
>
> On Sun, Apr 11, 2021 at 2:04 AM Родин Максим wrote:
>> Hello
>> I have an NFS server on OpenBSD 6.8 stable which exports a folder with default settings.
>> I have a linux mint client which mounts a share from this NFS server with these settings:
>>
>> sudo mount -o wsize=8192,rsize=8192 192.168.1.65:/big /home/user/store
>>
>> which gives a decent speed at about 50-60MB/s both sides which seems ok for me.
>> The problem is: when the mount point is not used for a while (5 minutes and more) the share becomes unresponsive and the only way to unmount the share is to do
>>
>> sudo umount -lf /home/user/store
>>
>> After that I can mount the share once again.
>> When I imitate using the share on the client using
>>
>> while :; do ls /home/user/store/ && echo "OK" && sleep 3 ; done;
>>
>> the share remains responsive all the time and shows no problems.
>> What tweaks (settings) on the client (server) am I missing in my setup to keep the mount point responsive?
>>
>> --
>> Best regards
>> Maksim Rodin

--
Best regards, Родин Максим
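The keepalive cron job James describes, written out as an added example (not code from the thread): a plain `stat` in cron blocks for as long as a hung hard NFS mount does, so the probe below bounds how long it waits and reports a non-answering mount instead of piling up stuck cron processes. The mount point is the one from the thread; the 20-second budget and the script path in the crontab comment are assumptions.

```shell
#!/bin/sh
# nfs_keepalive MOUNT [BUDGET_SECONDS]
# Probe MOUNT with stat(1) from a background subshell that records stat's
# exit status in a temp file, then poll that file instead of waiting on the
# child: a hung NFS mount leaves stat blocked in the kernel, and the poll
# loop is what lets this script return anyway.
# Exit status: 0 = mount answered, 1 = stat failed or did not answer in time.
nfs_keepalive() {
    mount=$1
    budget=${2:-20}                     # assumed budget; tune to your RTT/timeo
    done_file=$(mktemp) || return 2     # empty until the probe writes to it

    ( stat "$mount" >/dev/null 2>&1; echo $? > "$done_file" ) &

    waited=0
    while [ ! -s "$done_file" ]; do     # -s: file exists and is non-empty
        if [ "$waited" -ge "$budget" ]; then
            logger -t nfs_keepalive "$mount did not answer within ${budget}s" 2>/dev/null || :
            rm -f "$done_file"
            return 1                    # the blocked stat is left to the kernel
        fi
        sleep 1
        waited=$((waited + 1))
    done

    status=$(cat "$done_file")
    rm -f "$done_file"
    wait 2>/dev/null                    # reap the finished subshell
    [ "$status" -eq 0 ]
}

# Cron entry matching the four-minute interval from the thread; the script
# path is an assumption:
#   */4 * * * * /usr/local/bin/nfs-keepalive.sh /home/user/store
if [ -n "$1" ]; then
    nfs_keepalive "$1" "${2:-20}"
fi
```

Run it by hand first (`sh nfs-keepalive.sh /home/user/store`) and check `$?`: a 1 while the share still answers `ls` means the budget is too tight, not that the mount hung.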
help debug NFS
Hello
I have an NFS server on OpenBSD 6.8 stable which exports a folder with default settings.
I have a linux mint client which mounts a share from this NFS server with these settings:

sudo mount -o wsize=8192,rsize=8192 192.168.1.65:/big /home/user/store

which gives a decent speed at about 50-60MB/s both sides which seems ok for me.
The problem is: when the mount point is not used for a while (5 minutes and more) the share becomes unresponsive and the only way to unmount the share is to do

sudo umount -lf /home/user/store

After that I can mount the share once again.
When I imitate using the share on the client using

while :; do ls /home/user/store/ && echo "OK" && sleep 3 ; done;

the share remains responsive all the time and shows no problems.
What tweaks (settings) on the client (server) am I missing in my setup to keep the mount point responsive?

--
Best regards
Maksim Rodin
Split-horizon dns
Hello, Is there a way to do split horizon dns using NSD? I did not find anything similar in man nsd.conf -- Best regards Maksim Rodin
Re: blacklistd analogue
Hello,
Why not just use a script that reads auth logs and adds abusive hosts to a pf table using some patterns? And you then decide what to do with addresses in that table and how long they should stay in that table.

user~$ pfctl -t bad_ips -T show | wc -l
   69079

24.03.2021 21:33, jeanpierre writes:
> Does there exist an OpenBSD analogue for FreeBSD's blacklistd daemon?
>
> For the sake of completeness: blacklistd is a daemon that, using pf anchors, blocks connections from abusive hosts to particular services (e.g. sshd) until they start behaving themselves again. I find it very useful for trimming down log files.
>
> Regards,
> Jean-Pierre

--
Best regards, Родин Максим
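The kind of script the reply above describes, as an added example (not Maksim's script and not part of the thread): it counts sshd failures per source address in authlog-style lines, skips the local network so a typo on the LAN cannot lock the admin out, and feeds the sources over a threshold into the `bad_ips` table. The log lines are constructed for this example; the allowlist prefix and the threshold are assumptions.

```shell
#!/bin/sh
# Constructed sample in OpenBSD /var/log/authlog style (not real traffic).
SAMPLE_AUTHLOG='Mar 24 21:33:01 gw sshd[10231]: Failed password for root from 203.0.113.5 port 41234 ssh2
Mar 24 21:33:04 gw sshd[10231]: Failed password for root from 203.0.113.5 port 41235 ssh2
Mar 24 21:33:09 gw sshd[10240]: Invalid user admin from 203.0.113.5 port 41240
Mar 24 21:33:12 gw sshd[10244]: Failed password for invalid user admin from 203.0.113.5 port 41240 ssh2
Mar 24 21:34:00 gw sshd[10250]: Invalid user test from 198.51.100.7 port 50001
Mar 24 21:34:20 gw sshd[10260]: Accepted publickey for maksim from 192.168.1.10 port 52000 ssh2: ED25519 SHA256:PLACEHOLDER
Mar 24 21:35:00 gw sshd[10270]: Failed password for maksim from 192.168.1.10 port 52010 ssh2'

# Assumed allowlist: the LAN used throughout the thread. Never counted.
ALLOW_RE='^192\.168\.1\.'

# Read log text on stdin; print "count ip" for every source that produced an
# sshd "Failed password" or "Invalid user" event. Successful logins do not count.
count_failures() {
    awk '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }
    '
}

# Read log text on stdin; print one address per line for sources with at
# least THRESHOLD failures, minus the allowlist, sorted for stable output.
offenders() {
    threshold=$1
    count_failures | awk -v t="$threshold" '$1 >= t { print $2 }' \
        | grep -Ev "$ALLOW_RE" | sort
}

# Load the offenders into the pf table. The table should be declared
# "persist" in pf.conf and referenced by a "block in quick" rule; without
# pfctl (e.g. when inspecting the script elsewhere) this only prints them.
block_offenders() {
    threshold=$1
    list=$(offenders "$threshold")
    [ -n "$list" ] || return 0
    if command -v pfctl >/dev/null 2>&1; then
        printf '%s\n' "$list" | pfctl -t bad_ips -T add -f -
    else
        printf 'would add to bad_ips:\n%s\n' "$list"
    fi
}

# Stand-alone run: threshold 3 over the sample (use "< /var/log/authlog"
# and a cron entry for the real thing).
printf '%s\n' "$SAMPLE_AUTHLOG" | block_offenders 3
```

Expiry is the other half of what the reply leaves to the operator: `pfctl -t bad_ips -T expire SECONDS` drops entries older than the given age, so the same cron job can add and expire in one pass.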
Aspeed AST2400 integrated video supported?
Hello Is that type of video chip on server motherboard (Supermicro X11SSL) supported? -- Maksim Rodin
Cisco AnyConnect Secure Mobility Client Alternatives with MFA?
Hello, Our employer decided that AnyConnect Secure Mobility Client with multifactor Azure authentication is the only secure option to connect to work. No alternatives, no discussions. There are packages for Windows and Linux only. Did anybody succeed in running vpn clients compatible with all that funny stuff? -- Best regards Maksim Rodin
Re: httpd fastcgi socket option not working as expected
Hello once again!
I figured it out. The right syntax is now:

fastcgi socket tcp 127.0.0.1 3031

Thank you Adriano!

21.12.2020 14:53, Adriano Barbosa writes:
> Hi,
> I'm not able to read the details of your email right now. Are you on 6.8? httpd(8) changed syntax for fastcgi socket.
>
> On Mon, 21 Dec 2020 at 06:48, Родин Максим <mailto:a23s4a2...@yandex.ru> wrote:
>> Hello.
>> I have a working Django project which can be run by its own http-server using "./manage.py runserver 0.0.0.0:8000"
>> One of the apps is available then on "http://192.168.1.102:8000/it"
>> The same project can be run using uwsgi's own http server by adding the option "http-socket = :8000" to the uwsgi.ini file. The whole file is:
>>
>> [uwsgi]
>> fastcgi-socket = 127.0.0.1:3031
>> http-socket = :8000
>> chdir = /home/someuser/DJANGO/main_site/
>> wsgi-file = main_site/wsgi.py
>> master = True
>> max-requests = 5000
>> processes = 2
>> threads = 2
>> stats = 127.0.0.1:9191
>> venv = /home/someuser/work_env
>> touch-reload = /home/someuser/DJANGO/main_site/reload
>> safe-pidfile2 = /home/someuser/DJANGO/main_site/uwsgi.pid
>> logto2 = /tmp/uwsgi.log
>> vacuum = True
>> # daemonize = yes
>>
>> I was able to set up OpenBSD httpd to serve Django applications two years ago. I lost the httpd.conf file which was working for me but it did not seem too complicated.
>> Now I try to reproduce my setup by using the simplest httpd.conf:
>>
>> server "192.168.1.102" {
>>         listen on * port 8000
>>         fastcgi socket ":3031"
>>         fastcgi socket tcp 127.0.0.1 3031
>> }
>>
>> Now I start uwsgi after commenting out the option "http-socket = :8000" and it is ready to serve on 127.0.0.1:3031:
>>
>> someuser$ uwsgi uwsgi.ini
>> [uWSGI] getting INI configuration from uwsgi.ini
>> *** Starting uWSGI 2.0.19.1 (64bit) on [Mon Dec 21 13:25:29 2020] ***
>> compiled with version: OpenBSD Clang 10.0.1 on 21 December 2020 07:54:16
>> os: OpenBSD-6.8 GENERIC#1
>> nodename: somewebserver
>> machine: amd64
>> clock source: unix
>> pcre jit disabled
>> detected number of CPU cores: 1
>> current working directory: /home/someuser/DJANGO/main_site
>> detected binary path: uwsgi
>>
>> and its log:
>>
>> chdir() to /home/someuser/DJANGO/main_site/
>> your processes number limit is 256
>> your memory page size is 4096 bytes
>> detected max file descriptor number: 512
>> lock engine: ipcsem
>> thunder lock: disabled (you can enable it with --thunder-lock)
>> uwsgi socket 0 bound to TCP address 127.0.0.1:3031 fd 3
>> Python version: 3.8.6 (default, Oct 13 2020, 09:04:17)  [Clang 10.0.1 ]
>> PEP 405 virtualenv detected: /home/someuser/work_env
>> Set PythonHome to /home/someuser/work_env
>> Python main interpreter initialized at 0xa81c55ec00
>> python threads support enabled
>> your server socket listen backlog is limited to 100 connections
>> your mercy for graceful operations on workers is 60 seconds
>> mapped 250080 bytes (244 KB) for 4 cores
>> *** Operational MODE: preforking+threaded ***
>> WSGI app 0 (mountpoint='') ready in 1 seconds on interpreter 0xa81c55ec00 pid: 89605 (default app)
>> *** uWSGI is running in multiple interpreter mode ***
>> spawned uWSGI master process (pid: 89605)
>> spawned uWSGI worker 1 (pid: 70095, cores: 2)
>> writing pidfile to /home/someuser/DJANGO/main_site/uwsgi.pid
>> spawned uWSGI worker 2 (pid: 17757, cores: 2)
>> writing pidfile to /home/someuser/DJANGO/main_site/uwsgi.pid
>> writing pidfile to /home/someuser/DJANGO/main_site/uwsgi.pid
>> *** Stats server enabled on 127.0.0.1:9191 fd: 11 ***
>>
>> And this is what httpd shows:
>>
>> user$ httpd -d
>> startup
>> socket_rlimit: max open files 1024
>> socket_rlimit: max open files 1024
>> socket_rlimit: max open files 1024
>> server_privinit: adding server 192.168.1.102
>> server_privinit: adding server 192.168.1.102
>> server_launch: configuring server 192.168.1.102
>> server_launch: configuring server 192.168.1.102
>> server_launch: running server 192.168.1.102
>> server_launch: configuring server 192.168.1.102
>> server_launch: running server 192.168.1.102
>> server_launch: running server 192.168.1.102
>> server_launch: configuring server 192.168.1.102
>> server_launch: running server 192.168.1.102
>> server_launch: configuring server 192.168.1.102
>> server_launch: running server 192.168.1.102
>> server_launch: configuring server 192.168.1.102
>> server_launch: running server 192.168.1.102
>>
>> Then I try to access http://192.168.1.102:8000/it/
>> And then httpd shows:
>>
>> 192.168.1.102 192.168.1.57 - - [21/Dec/2020:13:33:21 +0300] "GET /it/ HTTP/1.1"
httpd fastcgi socket option not working as expected
Hello.
I have a working Django project which can be run by its own http-server using "./manage.py runserver 0.0.0.0:8000"
One of the apps is available then on "http://192.168.1.102:8000/it"
The same project can be run using uwsgi's own http server by adding the option "http-socket = :8000" to the uwsgi.ini file. The whole file is:

[uwsgi]
fastcgi-socket = 127.0.0.1:3031
http-socket = :8000
chdir = /home/someuser/DJANGO/main_site/
wsgi-file = main_site/wsgi.py
master = True
max-requests = 5000
processes = 2
threads = 2
stats = 127.0.0.1:9191
venv = /home/someuser/work_env
touch-reload = /home/someuser/DJANGO/main_site/reload
safe-pidfile2 = /home/someuser/DJANGO/main_site/uwsgi.pid
logto2 = /tmp/uwsgi.log
vacuum = True
# daemonize = yes

I was able to set up OpenBSD httpd to serve Django applications two years ago. I lost the httpd.conf file which was working for me but it did not seem too complicated.
Now I try to reproduce my setup by using the simplest httpd.conf:

server "192.168.1.102" {
        listen on * port 8000
        fastcgi socket ":3031"
}

Now I start uwsgi after commenting out the option "http-socket = :8000" and it is ready to serve on 127.0.0.1:3031:

someuser$ uwsgi uwsgi.ini
[uWSGI] getting INI configuration from uwsgi.ini
*** Starting uWSGI 2.0.19.1 (64bit) on [Mon Dec 21 13:25:29 2020] ***
compiled with version: OpenBSD Clang 10.0.1 on 21 December 2020 07:54:16
os: OpenBSD-6.8 GENERIC#1
nodename: somewebserver
machine: amd64
clock source: unix
pcre jit disabled
detected number of CPU cores: 1
current working directory: /home/someuser/DJANGO/main_site
detected binary path: uwsgi

and its log:

chdir() to /home/someuser/DJANGO/main_site/
your processes number limit is 256
your memory page size is 4096 bytes
detected max file descriptor number: 512
lock engine: ipcsem
thunder lock: disabled (you can enable it with --thunder-lock)
uwsgi socket 0 bound to TCP address 127.0.0.1:3031 fd 3
Python version: 3.8.6 (default, Oct 13 2020, 09:04:17)  [Clang 10.0.1 ]
PEP 405 virtualenv detected: /home/someuser/work_env
Set PythonHome to /home/someuser/work_env
Python main interpreter initialized at 0xa81c55ec00
python threads support enabled
your server socket listen backlog is limited to 100 connections
your mercy for graceful operations on workers is 60 seconds
mapped 250080 bytes (244 KB) for 4 cores
*** Operational MODE: preforking+threaded ***
WSGI app 0 (mountpoint='') ready in 1 seconds on interpreter 0xa81c55ec00 pid: 89605 (default app)
*** uWSGI is running in multiple interpreter mode ***
spawned uWSGI master process (pid: 89605)
spawned uWSGI worker 1 (pid: 70095, cores: 2)
writing pidfile to /home/someuser/DJANGO/main_site/uwsgi.pid
spawned uWSGI worker 2 (pid: 17757, cores: 2)
writing pidfile to /home/someuser/DJANGO/main_site/uwsgi.pid
writing pidfile to /home/someuser/DJANGO/main_site/uwsgi.pid
*** Stats server enabled on 127.0.0.1:9191 fd: 11 ***

And this is what httpd shows:

user$ httpd -d
startup
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_privinit: adding server 192.168.1.102
server_privinit: adding server 192.168.1.102
server_launch: configuring server 192.168.1.102
server_launch: configuring server 192.168.1.102
server_launch: running server 192.168.1.102
server_launch: configuring server 192.168.1.102
server_launch: running server 192.168.1.102
server_launch: running server 192.168.1.102
server_launch: configuring server 192.168.1.102
server_launch: running server 192.168.1.102
server_launch: configuring server 192.168.1.102
server_launch: running server 192.168.1.102
server_launch: configuring server 192.168.1.102
server_launch: running server 192.168.1.102

Then I try to access http://192.168.1.102:8000/it/
And then httpd shows:

192.168.1.102 192.168.1.57 - - [21/Dec/2020:13:33:21 +0300] "GET /it/ HTTP/1.1" 500 0
server 192.168.1.102, client 1 (1 active), 192.168.1.57:34196 -> 192.168.1.102:8000, No such file or directory (500 Internal Server Error)

No change in uwsgi.log
No change on uwsgi stdout

netstat -naf inet
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  127.0.0.1.3031         *.*                    LISTEN
tcp          0      0  *.8000                 *.*                    LISTEN

httpd does not seem to use the fastcgi socket it is pointed to, or is it my annoying mistake?

--
Best regards
Maksim Rodin
Re: OpenSMTPD-extras manual
man table-socketmap is interesting but confusing:
__
"""
DESCRIPTION
     This manual page documents the file format of "socketmap" tables used by the smtpd(8) mail daemon.
     The format described here applies to tables as defined in smtpd.conf(5).

SOCKETMAP TABLE
     A "socketmap" table uses a simple protocol. The client sends a single-line request and the server sends a single-line reply.
     The table may be used for any kind of key-based lookup and replies are expected to follow the formats described in table(5).
"""
__
This table type could be just an experimental useless table type like ldap tables, or a universal key to any userdata (password) storage if one manages to make a middleware which is able to make requests to any userdata storage and return the needed value in the proper format to the smtpd server through socketmap. But again, no clear manual entry makes it useless. No hint in the manual how to configure this type of table access.

20.12.2020 01:34, Ingo Schwarze writes:
> Hi Maksim & Edgar,
>
> Edgar Pettijohn wrote on Sat, Dec 19, 2020 at 03:37:22PM -0600:
>> On Sat, Dec 19, 2020 at 08:02:19PM +0300, ?? wrote:
>>> Where can I find any manuals and examples regarding OpenSMTPD-extras?
>>
>> Try:
>> $ man -k ^table-
>> $ man table-passwd table-socketmap table-sqlite table-redis
>>
>>> Which table types are supported and do not have status "experimental" like ldap tables?
>>> E.g. what is opensmtpd-extras-python and how can I use it?
>>
>> Not sure about these questions. Your best bet is to git clone the repository and search for the tables, etc you are interested in.
>
> That would be unusual with OpenBSD; when possible, we try to include documentation in user-installable packages and not only in source distributions.
>
> Strangely, in this case, there are files
>   table-postgres.5
>   table-mysql.5
> in the source tarballs but not in the respective packing lists.
> Strangely, the tarball also contains three empty README files.
>
>> If there is a manual simply `mandoc file | less`.
>
> Not the best advice ever... :-/
>
> Manually piping mandoc(1) output to less(1) is never needed. If you have a manual page in the current directory - say, table-sqlite.5 - then just
>
>   $ man -l table-sqlite.5
>
> is sufficient, and if it's properly installed, as the opensmtpd-extras package does it, then just
>
>   $ man table-sqlite
>
> does the job without even needing to worry about the current directory.
>
>> Unfortunately there aren't manuals for all of the `extras`.
>
> Hmm, you may be right about that one, for example a table-python(5) manual page doesn't appear to exist.
>
> Yours,
>   Ingo

--
Best regards, Родин Максим
OpenSMTPD-extras manual
Hello. Where can I find any manuals and examples regarding OpenSMTPD-extras? Which table types are supported and do not have status "experimental" like ldap tables? E.g. what is opensmtpd-extras-python and how can I use it? -- Best regards Maksim Rodin
OpenSMTPD and ldap+tls
Hello
Is there a way to make opensmtpd work with ldap aliases over a secure connection? I do not know where to find working examples of this.
My current /etc/mail/ldap.conf looks like this:

url                     ldap://ldap1.mydomain.ru
basedn                  dc=mydomain,dc=ru
username                cn=service,dc=mydomain,dc=ru
password                passpasspass

domain_filter           (&(objectClass=domain)(dc=%s))
domain_attributes       dc

credentials_filter      (&(objectClass=posixAccount)(uid=%s))
credentials_attributes  uid,userPassword

userinfo_filter         (&(objectClass=posixAccount)(uid=%s))
userinfo_attributes     uid,uidNumber,gidNumber,homeDirectory

alias_filter            (&(objectClass=nisMailAlias)(cn=%s))
alias_attributes        rfc822MailMember

The ldapd daemon is set up on another host to work over tls and ssl and is working correctly.
If I change url to ldaps://ldap1.mydomain.ru or to ldap+tls://ldap1.mydomain.ru then smtpd -dv shows:
"""
_
vdomains[50952]: warn: ldap_parse_url fail
vdomains[50952]: warn: ldap_connect error
vdomains[50952]: fatal: failed to connect
"""
_

--
Best Regards
Maksim Rodin
Re: incorrect pf rule?
It turns out that my caring ISP really has a free firewall service which is enabled by default. I asked my ISP to disable it completely and now everything is OK.
Thank you!

29.11.2020 13:08, Stuart Henderson writes:
> On 2020-11-29, Родин Максим wrote:
>> The problem is that only port 80 seems to be open from the outside. I used several online port scanners to check this. All of them tell:
>> port 80 OPEN
>> port 443 CLOSED
>
> Could it be blocked by your ISP? Do you receive packets on your external interface at all when you test port 443?

--
Best regards, Родин Максим
Re: incorrect pf rule?
It turns out that my caring ISP really has a free firewall service which is enabled by default. I asked my ISP to disable it completely and now everything is OK.
Thank you!

29.11.2020 14:30, Stuart Henderson writes:
> On 2020-11-29, Stuart Henderson wrote:
>> On 2020-11-29, Родин Максим wrote:
>>> The problem is that only port 80 seems to be open from the outside. I used several online port scanners to check this. All of them tell:
>>> port 80 OPEN
>>> port 443 CLOSED
>>
>> Could it be blocked by your ISP? Do you receive packets on your external interface at all when you test port 443?
>
> Or...if this is behind nat, do you need to add a port-forwarding on your ISP router?

--
Best regards, Родин Максим
incorrect pf rule?
Hello
I have a small 5 year old home router (upgraded to OpenBSD 6.8 stable) with a static white IP from my internet provider (gotten by dhcp) and a simple http/https server (OpenBSD httpd) in my network using a VirtualBox VM (OpenBSD 6.8) which has a static IP 192.168.1.102.
The http server is available from the internal network on http and https ports when 192.168.1.102 is used.
To make the http server work from outside I'm trying to use the following PF rule on my router:

...
web_server = "192.168.1.102"
web_ports = "{ http https }"
...
...
# Web-server
pass in log on egress inet proto tcp \
        from ! to (egress) port $web_ports \
        rdr-to $web_server

The problem is that only port 80 seems to be open from the outside. I used several online port scanners to check this. All of them tell:
port 80 OPEN
port 443 CLOSED

The whole ruleset is below:
__
"""
router root ~ # grep -v '^#' /etc/pf.conf
int_if = "{ vether1 em1 em3 athn0 }"
beeline_tv = "{ em0 em2 }"
table { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
        172.16.0.0/12 192.0.2.0/24 \
        192.168.0.0/16 198.18.0.0/15 198.51.100.0/24\
        }
table persist file "/etc/pf/bad_ip"
asterisk_server = "192.168.1.101"
web_server = "192.168.1.102"
web_ports = "{ http https }"
block log all
set block-policy drop
set skip on lo
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from (vether1:network) to any nat-to (egress:0)
pass out quick inet
pass in on $int_if inet
pass on $beeline_tv allow-opts
pass in on egress inet proto tcp from ! \
        to (egress) port 22 keep state \
        (max-src-conn 2, max-src-conn-rate 2/300, \
        overload flush global)
pass in on egress inet proto udp from ! \
        to (egress) port 5060 keep state \
        (max-src-states 1) rdr-to $asterisk_server
pass in on $int_if inet proto udp from (vether1:network) \
        to (egress) port 5060 \
        rdr-to $asterisk_server
pass in on egress inet proto udp from ! \
        to (egress) port 1:2 keep state \
        (max-src-states 1) rdr-to $asterisk_server
pass in on $int_if inet proto udp from (vether1:network) \
        to (egress) port 1:2 \
        rdr-to $asterisk_server
pass in on egress inet proto { tcp udp } from ! \
        to (egress) port { 5 } rdr-to 192.168.1.65
pass in log on egress inet proto tcp from ! \
        to (egress) port $web_ports \
        rdr-to $web_server
"""

I added some log options to try to understand which rule can be blocking access to the https port from the outside but the log shows the following:
"""
router root ~ # tcpdump -n -e -ttt -i pflog0 port 80 or port 443
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
Nov 29 08:28:44.602109 rule 23/(match) pass in on vether0: 5.101.123.139.40470 > 89.179.243.222.80: S 2282440086:2282440086(0) win 29200 (DF) [tos 0x28]
"""

Access to port http is logged successfully but access to port https is nowhere.
There are other rdr-to rules in my ruleset and all of them work as expected, e.g.: port 5060 udp and port range 1:2 udp are redirected to the VirtualBox VM (Asterisk) as expected.

--
Best regards
Maksim Rodin
ldapd.conf certificate directive not working?
Hello
When I use the following directive in ldapd.conf:

1)
...
listen on em0 ldaps
...
or
...
listen on em0 tls
...

and the certificate (em0.crt) and key (em0.key) files are in /etc/ldap/certs, then "ldapd -n" shows OK.

When I use:

2)
...
listen on em0 ldaps certificate "/etc/ldap/certs/em0.crt"
or
listen on em0 ldaps certificate "/etc/ldap/certs/em0"
...
or
...
listen on em0 tls certificate "/etc/ldap/certs/em0.crt"
or
listen on em0 tls certificate "/etc/ldap/certs/em0"
...

then "ldapd -n" shows the following:

"/etc/ldapd.conf:10: cannot load certificate: /etc/ldap/certs/em0.crt
/etc/ldapd.conf:11: cannot load certificate: /etc/ldap/certs/em0.crt"
or
"/etc/ldapd.conf:10: cannot load certificate: /etc/ldap/certs/em0
/etc/ldapd.conf:11: cannot load certificate: /etc/ldap/certs/em0"

man ldapd.conf says:
"If no certificate name is specified, the /etc/ldap/certs directory is searched for a file named by joining the interface name with a .crt extension, e.g. /etc/ldap/certs/fxp0.crt."
This works OK.

But the following:
"If the certificate name is an absolute path, a .crt and .key extension are appended to form the certificate path and key path respectively."
This part does not seem to work at all. It neither tries to search for certificates using the absolute path nor tries to append the .crt or .key extension to the absolute path when no extension is used in the config.
Or am I doing it completely wrong?

--
Maksim Rodin
Re: Help debugging slow nfs (40kB/s); linux client
Hello,
Try these options:

sudo mount.nfs -o wsize=8192,rsize=8192 IPADDRESS:/shara /home/myuser/shara/

Play with wsize and rsize to achieve better speed. These are mine.

18.04.2020 02:31, Nathan Clement writes:
> Hello,
>
> I am trying to get an Intel atom mini itx board running as an OpenBSD 6.6 NAS. I've got the necessary daemons running on the mini itx board:
>
> doas rcctl ls started
> cron
> httpd
> mountd
> nfsd
> ntpd
> pflogd
> portmap
> slaacd
> smtpd
> sndiod
> sshd
> syslogd
>
> and exports is set up:
>
> cat /etc/exports
> /home/nathan/shared -alldirs -ro
>
> I am mounting this from my laptop which runs on arch linux at the moment. On the linux client machine, this is the relevant line from mount:
>
> 192.168.1.4:/home/nathan/shared on /home/nathan/mnt type nfs (rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=192.168.1.4,mountvers=3,mountport=997,mountproto=udp,local_lock=none,addr=192.168.1.4)
>
> I can copy small files over nfs, but anything large takes way too long. I've read rsync isn't necessarily the best way to gauge transfer speed, but rsync shows I'm getting about 38kB/s transfer speed.
>
> For comparison, I tried using sshfs to mount the same directory on the itx to the same location on the linux system and I get ~1.1MB/s, wow! Even that isn't great, but the laptop is on wifi and I figure I can get to more tuning later. It seems clear I'm not (just) dealing with hardware limitations in this nfs mount.
>
> What else can I do to debug this?
>
> Thanks,
> Nathan

--
Best regards, Родин Максим
Re: Does Intel driver supports Intel g31?
Clearly Russia is guilty of everything in this world. But Kazakhstan is not Russia. And your post shows that stupid people live not only in Kazakhstan.

11.04.2020 18:24, m brandenberg writes:
> On Sat, 11 Apr 2020, Nikita Stepanov wrote:
>> Does Intel driver supports Intel g31?
>
> Clearly, Russia's GRU has been tasked with killing Theo by aneurism.
>
> --
> Monty Brandenberg

--
Maksim Rodin
IPTV handling on OpenBSD soft router
Hello,
I am trying to set up an IPTV-box behind a soft router.
When my internet (iptv) provider installed the IPTV box he said that I need a switch before my soft router to let the IPTV stream successfully pass to the IPTV box.
I thought that a virtual bridge interface would be enough for this purpose.
I created a bridge0 interface and added three interfaces to it:

em0 - a physical one which delivers internet and iptv from my provider.
em2 - a physical one to which the IPTV-box is connected and which receives a mac-bound ip address from the local network of my provider (100.65.129.0/24).
vether0 - a virtual one which receives an external ip address from the dhcp server of my provider (it therefore belongs to the egress group) and through which my home computers access the internet using NAT ({ vether1 em1 em3 athn0 }).

When PF is disabled the IPTV-box is working.
When PF is enabled the IPTV box works for several seconds and then the picture freezes. When I change to another TV channel it works again for several seconds and then it freezes again.
My pf settings are listed below (I used some of the config in the PF user's guide).
I do no filtering on the ports needed (em0, em2).
When I do:

tcpdump -n -e -i pflog0 not ifname vether0

it shows no blocked packets.
What am I missing?

"""
router root ~ # cat /etc/pf.conf
#	$OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

int_if = "{ vether1 em1 em3 athn0 }"
table { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
        172.16.0.0/12 192.0.2.0/24 224.0.0.0/3 \
        192.168.0.0/16 198.18.0.0/15 198.51.100.0/24\
        203.0.113.0/24 }
table persist file "/etc/pf/bad_ip"
block log all
set block-policy drop
set loginterface egress
set skip on lo
match out on egress inet from (vether1:network) to any nat-to (egress:0)
block in quick on egress from to any
block return out quick on egress from any to
pass out quick inet
pass in on $int_if inet
# IPTV
pass on em2
pass on em0
#
pass in on egress inet proto tcp from ! to (egress) port 22
pass in on egress inet proto tcp from ! to (egress) port 80
pass in on egress inet proto { tcp udp } from any to (egress) port { 51413 22034 6890:6999 6881 } rdr-to 192.168.1.4
pass in on egress inet proto { tcp udp } from any to (egress) port { 5 } rdr-to 192.168.1.65

#block return	# block stateless traffic
#pass		# establish keep-state

# By default, do not permit remote connections to X11
#block return in on ! lo0 proto tcp to port 6000:6010
"""

--
Best regards
Maksim Rodin
Re: Django + httpd + relayd
Django + httpd is explained here:
https://uwsgi.readthedocs.io/en/latest/OpenBSDhttpd.html?highlight=openbsd

30.03.2019 17:22, Michael Joy writes:
> Apologies in advance for the noobish question. Does anyone have a tutorial or example of a working configuration for a Django app being served with httpd and relayd? Beating my head off the wall with it at this point.

--
Best regards, Родин Максим
Re: SSH server immediately closes connection
Hello,
That was my fault. I misconfigured my login.conf last time.

14.12.2018 16:14, Nick Holland writes:
> On 12/14/18 00:27, Максим wrote:
>> Hello,
>> I've got a PC running OpenBSD current. After the latest upgrade I cannot ssh to it.
>> When I run "ssh 10.26.5.70" I get this:
>> "Connection to 10.26.5.70 closed by remote host.
>> Connection to 10.26.5.70 closed."
>> As an SSH client I use another OpenBSD box and a Linux machine with the same result.
>> When I run "ssh -vvv 10.26.5.70" the last messages are:
>> "debug3: receive packet: type 52
>> debug1: Authentication succeeded (publickey).
>> Authenticated to 10.26.5.70 ([10.26.5.70]:22).
>> debug1: channel 0: new [client-session]
>> debug3: ssh_session2_open: channel_new: 0
>> debug2: channel 0: send open
>> debug3: send packet: type 90
>> debug1: Requesting no-more-sessi...@openssh.com
>> debug3: send packet: type 80
>> debug1: Entering interactive session.
>> debug1: pledge: network
>> debug3: send packet: type 1
>> debug1: channel 0: free: client-session, nchannels 1
>> debug3: channel 0: status: The following connections are open:
>>   #0 client-session (t3 nr0 i0/0 o0/0 e[write]/0 fd 4/5/6 sock -1 cc -1)
>> debug3: fd 1 is not O_NONBLOCK
>> Connection to 10.26.5.70 closed by remote host.
>> Connection to 10.26.5.70 closed.
>> Transferred: sent 2644, received 1932 bytes, in 0.0 seconds
>> Bytes per second: sent 1085498.2, received 793185.5
>> debug1: Exit status -1"
>> No errors in /var/log/daemon
>> No errors in /var/log/authlog
>> The result doesn't depend on the user which I use to login.
>
> I just happened to have upgraded a system last night to the most recent snapshot, I am NOT having any such problem.
>
> OpenBSD 6.4-current (GENERIC.MP) #510: Thu Dec 13 06:20:42 MST 2018
>     dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>
> So ... Doesn't appear to be a systemic problem, most likely either a knob you twisted before the upgrade or something about your upgrade process.
>
> You need to provide more details about what you did...both before and during the upgrade...and some indication of what platform you are running and the snapshot you upgraded to.
>
> Nick.

--
Best regards, Родин Максим
Re: How to make the cwm window manager reread new config
Thank you very much, it works.
I always thought this would restart my whole session and I would lose all my open windows.

15.09.2018 21:38, Antoine Jacoutot writes:
> On Sat, Sep 15, 2018 at 08:41:52PM +0300, Родин Максим wrote:
>> Hello,
>> Maybe a silly question, how can I make the cwm window manager reread its config file without losing my working session?
>
> From cwmrc(5):
>
> BIND FUNCTION LIST
>      restart     Restart the running cwm(1).
>
> And from cwm(1):
>
> cwm rereads its configuration file when it receives a hangup signal, SIGHUP, by executing itself with the name and arguments with which it was started. This is equivalent to the restart function.

--
Maksim
Re: Deploy Django app - strategy?
I deploy my django app using uwsgi and venv in my home dir.
uWSGI starts on its default port and the httpd server uses this port to handle my app requests.
Everything just like in the official manual of uwsgi.

26.08.2018 23:41, Chris Narkiewicz writes:
> On 26/08/2018 21:01, Paul de Weerd wrote:
>> Use python3 -m venv /path/to/venv to create a virtualenv using python3 and be done with it.
>
> Yeah, it did the trick. I'm going to deprecate use of virtualenv, since it's no longer needed with Python 3.6.
>
>> That will use a symlink to the actual python3 binary in /usr/local, so no issues with the lack of wxallowed on /var. However, you'll have to deal with the chroot implications there...
>
> I guess it's a non-starter with Django... I guess it'd be easier to simply run it in Docker.
>
>> What webserver are you using?
>
> It's pretty standard stack:
> * postgresql on localhost
> * uwsgi on localhost with http/fastcgi protocol
> * httpd on egress
>
> Best regards,
> Chris

--
Best regards, Родин Максим
How to make the cwm window manager reread new config
Hello,
Maybe a silly question, how can I make the cwm window manager reread its config file without losing my working session?

--
Maksim
Re: Different sound sources interfere with each other
Maybe the system becomes ... too busy to serve these actions simultaneously?
It seemed to me that any task which made decent use of computer resources was able to cause that behavior.

18.06.2018 18:22, Maxim Tarasov writes:
> Hi,
>
> I was able to find another trigger for this sound glitch:
>
> dd if=/dev/zero of=/tmp/test bs=1m count=256
> rm /tmp/test
>
> Sound sometimes interrupts in the middle of dd(1) call, and always interrupts at the time of rm(1) call on files larger than 200 Mb. It looks like in case of dd/rm not only sound is affected, but mouse cursor controlled by USB mouse also stops responding.
>
> unlink(2) call seem to take a long time:
>
> $ dd if=/dev/zero of=test bs=1m count=1024 && ktrace rm test && kdump -R | grep unlink
> 1024+0 records in
> 1024+0 records out
> 1073741824 bytes transferred in 2.265 secs (473858546 bytes/sec)
>  24666 rm       0.01 CALL  unlink(0x7f7bb91b)
>  24666 rm       0.431070 RET   unlink 0
>
> Can anybody provide any pointers on how to debug this further or suggestions on what the problem might be?

--
Best regards, Родин Максим
Re: 4-ports router under $150
https://ru.aliexpress.com/item/QOTOM-310G4-3215U-Barebone-mini-pc-Dual-core-4-nics-Mini-pc-Ubuntu-Industrial-desktop-Computer/32769767156.html

This is what I bought for similar purposes. It has 4 Intel Gigabit ports and their efficiency is 99%.

08.04.2018 00:59, Anatoli writes:
> Hi All!
>
> I'm looking for a modest 4-5 ports router under $150 that works well with OpenBSD. I don't need WiFi, USB or console port, and the throughput don't need to exceed 100Mbps.
>
> The ideal device would be EdgeRouter X (compact, 5 ports, $50) but I know it's not supported at this moment and probably never will be. EdgeRouter (ER) Lite only has 3 ports and the switch ports (eth2-4) of ERPOE-5 are not yet supported. ER-4 would be great, but the 4th port is SFP, I'd need to buy an SFP NIC for one of my devices and I'm not sure it's supported as the octeon page says ER PRO SFP ports are not supported yet. Also it's a bit expensive ($190).
>
> Banana Pi R2 would be great too, but I couldn't find if it's supported by OpenBSD (it has MediaTek MT7623N, Quad-core ARM Cortex-A7).
>
> Are there 4-5 port devices that are known to work well with OpenBSD?
>
> Thanks,
> Anatoli

--
Best regards, Родин Максим
webcam in browser not seen
Hello,
I have a laptop with OpenBSD 6.3 64bit installed.
There is a webcam on the laptop which is detected in dmesg as a uvideo0 device.
The problem is that the webcam is not seen in the browser.
I tried to set up a Google Meet session. Audio and mic seem to have been detected (after I installed gstreamer1-plugins-good and gstreamer1-plugins-libav).
The webcam section shows that there is no webcam in the system.

--
Best regards
Maxim Rodin