Re: OpenBSD as a pentester PC?

2015-11-26 Thread Chris Smith
On Thu, Nov 26, 2015, at 10:23 PM, Mohammad BadieZadegan wrote:
> Hi every OpenBSD user,
> I have had OpenBSD on my notebook for two years and I don't want to
> switch to another OS for my business pentest project.
> I need some pentest tools for my project like metasploit, fuzzers, etc.,
> but I could not find them in the OpenBSD package list!
> By default does OpenBSD support installing metasploit (or any attack
> tools), or does it leave them out for security purposes?
> I want to have one OS on my notebook for all purposes (business + home).
> Must I switch to another OS? (That I don't like at all!)
> Regards.
> 

To be honest, some security tools can be so poorly written, or perform
such unusual or dangerous operations in their daily usage, that they present
a difficult challenge to properly secure and port to other OSes. You
don't really want them on your "main" system.

As a pentester myself, I usually end up with some very basic tools on my
host system (e.g. nmap, nc, hping etc.) and segregate all of the
other rubbish into a Kali or Debian virtual machine, which can then be
wiped or rolled back between jobs to ensure both system integrity and
that jobs do not cross-pollinate data between them.

In my opinion, the best way to advance OpenBSD's use in this area is to
support, test and develop its virtualisation capabilities.

>  I want to have one OS on my note book for all purpose(business+home)

If you're doing this professionally, I really do not recommend this
without proper segregation, especially if you're handling your customers'
sensitive data or functionality (e.g. network connectivity).

Cheers,
Chris.



-current not building

2014-04-13 Thread Chris Smith
-current not currently building:
==
mandoc -Tlint -Wfatal /usr/src/usr.sbin/ldapd/ldapd.conf.5
cc   -o ldapd ber.o log.o control.o util.o ldapd.o ldape.o conn.o
attributes.o namespace.o btree.o filter.o search.o parse.o auth.o
modify.o index.o ssl.o ssl_privsep.o validate.o uuid.o schema.o
imsgev.o syntax.o matching.o -levent -lssl -lcrypto -lz -lutil
/usr/lib/libssl.so.22.0: undefined reference to `CRYPTO_memcmp'
collect2: ld returned 1 exit status
*** Error 1 in usr.sbin/ldapd (bsd.prog.mk:95 'ldapd')
*** Error 2 in usr.sbin (bsd.subdir.mk:48 'all')
*** Error 2 in . (bsd.subdir.mk:48 'all')
*** Error 2 in /usr/src (Makefile:89 'build')
==



Re: -current not building

2014-04-13 Thread Chris Smith
Guess I'm missing the point. Downloaded src from scratch and am now
getting a different error (on two separate systems) when trying to
build userland:

mandoc -Tlint -Wfatal /usr/src/usr.sbin/ntpd/ntpctl.8
=== usr.sbin/openssl
cc -O2 -pipe  -DMONOLITH -DTERMIOS -DANSI_SOURCE -DOPENSSL_NO_RC5
-DOPENSSL_NO_SSL2 -I/usr/src/usr.sbin/openssl/../../lib/libssl/src
-c /usr/src/usr.sbin/openssl/../../lib/libssl/src/apps/verify.c
/usr/src/usr.sbin/openssl/../../lib/libssl/src/apps/verify.c:72:
error: expected '=', ',', ';', 'asm' or '__attribute__' before 'cb'
/usr/src/usr.sbin/openssl/../../lib/libssl/src/apps/verify.c: In
function 'verify_main':
/usr/src/usr.sbin/openssl/../../lib/libssl/src/apps/verify.c:97:
error: 'cb' undeclared (first use in this function)
/usr/src/usr.sbin/openssl/../../lib/libssl/src/apps/verify.c:97:
error: (Each undeclared identifier is reported only once
/usr/src/usr.sbin/openssl/../../lib/libssl/src/apps/verify.c:97:
error: for each function it appears in.)
/usr/src/usr.sbin/openssl/../../lib/libssl/src/apps/verify.c: At top level:
/usr/src/usr.sbin/openssl/../../lib/libssl/src/apps/verify.c:311:
error: expected '=', ',', ';', 'asm' or '__attribute__' before 'cb'
*** Error 1 in usr.sbin/openssl (sys.mk:87 'verify.o')
*** Error 1 in usr.sbin (bsd.subdir.mk:48 'all')
*** Error 1 in . (bsd.subdir.mk:48 'all')
*** Error 1 in /usr/src (Makefile:89 'build')

These things built -current fine a week ago.

Chris

On Sun, Apr 13, 2014 at 4:12 PM, Theo de Raadt dera...@cvs.openbsd.org wrote:
> Get new code. A shared library was not cranked correctly.
>
>
>> -current not currently building:
>> ==
>> mandoc -Tlint -Wfatal /usr/src/usr.sbin/ldapd/ldapd.conf.5
>> cc   -o ldapd ber.o log.o control.o util.o ldapd.o ldape.o conn.o
>> attributes.o namespace.o btree.o filter.o search.o parse.o auth.o
>> modify.o index.o ssl.o ssl_privsep.o validate.o uuid.o schema.o
>> imsgev.o syntax.o matching.o -levent -lssl -lcrypto -lz -lutil
>> /usr/lib/libssl.so.22.0: undefined reference to `CRYPTO_memcmp'
>> collect2: ld returned 1 exit status
>> *** Error 1 in usr.sbin/ldapd (bsd.prog.mk:95 'ldapd')
>> *** Error 2 in usr.sbin (bsd.subdir.mk:48 'all')
>> *** Error 2 in . (bsd.subdir.mk:48 'all')
>> *** Error 2 in /usr/src (Makefile:89 'build')
>> ==



Re: -current not building

2014-04-13 Thread Chris Smith
OK, I'll try again. I do follow the source changes via gmane with a
newsreader but I think there's a bit of delay.

Thanks.

On Sun, Apr 13, 2014 at 11:27 PM, Ted Unangst t...@tedunangst.com wrote:
> On Sun, Apr 13, 2014 at 23:15, Chris Smith wrote:
>> Guess I'm missing the point. Downloaded src from scratch and am now
>> getting a different error (on two separate systems) when trying to
>> build userland:
>>
>> mandoc -Tlint -Wfatal /usr/src/usr.sbin/ntpd/ntpctl.8
>> === usr.sbin/openssl
>> cc -O2 -pipe  -DMONOLITH -DTERMIOS -DANSI_SOURCE -DOPENSSL_NO_RC5
>> -DOPENSSL_NO_SSL2 -I/usr/src/usr.sbin/openssl/../../lib/libssl/src
>> -c /usr/src/usr.sbin/openssl/../../lib/libssl/src/apps/verify.c
>> /usr/src/usr.sbin/openssl/../../lib/libssl/src/apps/verify.c:72:
>> error: expected '=', ',', ';', 'asm' or '__attribute__' before 'cb'
>>
>> These things built -current fine a week ago.
>
> If you're not subscribed to source-changes, you should be. And if you
> are, you should have seen a few dozen commits to libssl recently.
>
> Do you need to build current? Probably not. That's why we provide
> snapshots.
>
> Build errors that don't come with patches aren't very interesting
> because by the time you report it, somebody else will have found it
> and fixed it.



Re: upgrades no longer allow ftp for sets

2014-03-27 Thread Chris Smith
On Thu, Mar 27, 2014 at 1:37 PM, Diana Eichert deich...@wrench.com wrote:
> FWIW, Anyone who is responsible for border firewalls deplores FTP protocol.

And its cousin, FTPS, which, although encrypted, has the same dual-port
problem yet is not curable via a proxy.

Chris



Re: Unbound in base, yes, what about ldns?

2014-03-23 Thread Chris Smith
On Thu, Mar 20, 2014 at 7:39 PM, Stuart Henderson s...@spacehopper.org wrote:
> You can uninstall the package if you don't need it, or you can keep it
> if you do need it (for example, for drill or the ldns-* tools).

How about this line added to rc.conf.local when using the package:
 syslogd_flags="${syslogd_flags} -a /var/unbound/dev/log"

Is it still needed or should it be removed?

Thanks,

Chris



Re: Unbound in base, yes, what about ldns?

2014-03-21 Thread Chris Smith
On Wed, Mar 19, 2014 at 7:44 PM, Chris Smith obsd_m...@chrissmith.org wrote:
> See the thread unbound dnssec revisited I started on 12/30/2013 for
> some hints. Looks like creating a new directory with the proper
> permissions is the best way to go.

Now fixed in -current with a /var/unbound/db directory. Thanks Stuart!

Chris



Unbound in base, yes, what about ldns?

2014-03-19 Thread Chris Smith
Great to see Unbound in base, thanks.

But what about ldns? I still have that installed as a package; I
removed the unbound package as per the -current instructions, but
shouldn't the ldns package be removed as well, since I believe
unbound requires it and therefore it would have to be built by base as
well? Or am I off base?

Thanks,

Chris



Re: Unbound in base, yes, what about ldns?

2014-03-19 Thread Chris Smith
On Wed, Mar 19, 2014 at 6:12 PM, Kenneth Westerback
kwesterb...@gmail.com wrote:
> The unbound in base has its own cut down version of ldns. No need for
> the package.

Can I just uninstall the package after the fact or do some files need
to be replaced?

Thanks,

Chris



Re: Unbound in base, yes, what about ldns?

2014-03-19 Thread Chris Smith
See the thread unbound dnssec revisited I started on 12/30/2013 for
some hints. Looks like creating a new directory with the proper
permissions is the best way to go.


On Wed, Mar 19, 2014 at 7:01 PM, Атанас Владимиров don.na...@gmail.com wrote:
> Hi,
> Sorry for the off-topic, but when you enable DNSSEC validation and fetch a root
> key with unbound-anchor(8) (needs root) the following error shows up in
> /var/log/messages:
>
> unbound: [0:0] error: could not open autotrust file for writing,
> /etc/root.key.29136-0: Permission denied
>
> Maybe this is because the _unbound user has no rights to write to
> /var/unbound/etc/ after chroot.
> Am I correct? Any solutions?
>
> Best regards,
> Atanas



Re: unreliable connections

2014-03-17 Thread Chris Smith
I think the source of this reported problem has been found, and
happily fixed (the preliminary results are promising).

Basically I needed to find some way to get the backups to complete
reliably, so I started a 20-count ping job a minute before the rsync
job (actually an rsnapshot job which connected twice), which did allow
both backup connections to work (where previously just the second one
connected reliably). In checking the logs for the backup status, the
stats from the ping job were also there, and these logs showed some dup
ping packets on a fairly regular basis as well as some non-answers. As
I was then able to get the same inconsistent ping results from the
gateway itself (the inside address of the cable modem) I asked the ISP
(Comcast) to replace the cable modem. They were fine with that
suggestion and the replacement went in today, and I am so far not able
to reproduce the inconsistent ping results to any of the /29 addresses,
including the gateway. I'll know for sure once I stop the ping job and
the backups still run reliably.

Thanks to all,

Chris



Re: unreliable connections

2014-01-26 Thread Chris Smith
On Thu, Jan 16, 2014 at 8:26 PM, Stuart Henderson s...@spacehopper.org wrote:
> This could be an MTU or RWIN-related issue.

Could my issue have anything to do with the miscounting bug for inbound
with pf on, mentioned in the following commit?

CVSROOT:        /cvs
Module name:    src
Changes by:     henn...@cvs.openbsd.org 2014/01/23 16:51:29

Modified files:
        sys/net        : if_bridge.c pf.c
        sys/netinet    : ip_input.c ip_output.c ip_var.h tcp_input.c
                         tcp_var.h udp_usrreq.c udp_var.h
        sys/netinet6   : ip6_output.c

Log message:
since the cksum rewrite the counters for hardware checksummed packets
are a lie, since the software engine emulates hardware offloading
and that is later indistinguishable. so kill the hw cksummed counters.
introduce software checksummed packet counters instead.
tcp/udp handles ip & ipvshit, ip cksum covered, 6 has no ip layer cksum.
as before we still have a miscounting bug for inbound with pf on, to be
fixed in the next step.
found by, prodding & ok naddy


And if so was the next step taken and is this miscounting bug fixed?

Also, recently, in an attempt to keep a box at -current, there occurred a
kernel/userland mismatch that caused pf not to load on reboot after
installing the kernel (everything was fine after building userland).
I'm fairly certain trying to bring a box dated OpenBSD 5.4-current
(GENERIC.MP) #5: Wed Jan  1 14:21:45 EST 2014 will have the same
issue. If I attempt to do this remotely, will I still be able to shell
in, in order to update userland (even though with no pf there is no nat
and therefore access to/from the inside network will not be possible),
after rebooting into the new kernel? Or might it be safe to build
userland before rebooting into the new kernel?

Thank you,

Chris



Re: unreliable connections

2014-01-22 Thread Chris Smith
On Mon, Jan 20, 2014 at 11:31 AM, Chris Smith obsd_m...@chrissmith.org wrote:
> have moved the block all to the beginning of the ruleset to see if
> it will make any difference

Unfortunately no difference. The attempt to rsync the first directory
failed last night, second one worked fine.

Any other ideas?

Thanks,

Chris



Re: unreliable connections

2014-01-22 Thread Chris Smith
On Wed, Jan 22, 2014 at 12:56 PM, Charles RAPENNE char...@bsd.zplay.eu wrote:
> Do you rsync directly to an ip address or are you using a domain name?

Not DNS - directly to IP address.

Thanks,

Chris



Re: unreliable connections

2014-01-22 Thread Chris Smith
On Thu, Jan 16, 2014 at 8:26 PM, Stuart Henderson s...@spacehopper.org wrote:
> Posting the firewall ruleset may possibly help people diagnose this in more
> detail.

Here's some pertinent pf.conf info:
===
set skip on { lo enc0 }
set block-policy drop
set reassemble yes no-df
set limit { table-entries 50, tables 50, states 128000, src-nodes 3000, frags 4000 }
set loginterface none

block all
pass in quick on $ext_if inet proto tcp from any to $ext_if port ssh
===

Originally I had the 'pass in quick' before the 'block all' but
changed this around to test the theory.

Yes, the rdr rules for rsync and rdp are not shown, but the same problem
randomly occurs (and just did) with a direct ssh to the box itself (no
forwarding or nat needed). And on the other OpenBSD firewall/routers I
manage there are no issues, either with a direct shell in or with
redirects to inside boxes (but they are not as up-to-date as the one
that fails).

Chris



Re: unreliable connections

2014-01-20 Thread Chris Smith
On Thu, Jan 16, 2014 at 8:26 PM, Stuart Henderson s...@spacehopper.org wrote:
> This could be an MTU or RWIN-related issue. One common problem is if the
> firewall state is created from an already-established connection rather
> than a SYN packet, in this case the firewall can't keep track of the
> RWIN value which is set by many modern OS, and needed in order for a
> stateful firewall to track the connection

Makes sense, but there are no other connections between said devices
when the problem occurs. Connections only occur when I manually
attempt to connect to the firewall itself (ssh), or an inside system,
plus a cron job that runs at approx. 4am for an rsync backup. The
manual attempts are only bothersome because such random failures don't
happen with any other of my remote networks and I can easily re-try
(which so far has always worked). The backup is another story, as some
data doesn't get backed up when the random failure occurs. The rsync
cron job does attempt to back up two different directories and so
connects twice; it's only the first attempt that fails (no matter
which one I attempt to back up first) and so acts just like a failed
ssh attempt to the firewall itself - a new attempt immediately after
always works.

> To avoid the risk of this I usually start pf rulesets with block log

I do use a 'block all' very near the beginning of the ruleset,
although I generally put a 'pass in quick' for ssh before the 'block
all' to make sure I never make a change that prevents a remote shell
in. I can see that the leading 'pass in' isn't all that necessary and
have moved the 'block all' to the beginning of the ruleset to see if
it will make any difference.

Thank you,

Chris



Re: unreliable connections

2014-01-16 Thread Chris Smith
This issue is still with me. Sporadically the connection will fail,
and a connection attempt immediately after the failure will (so far)
always work. Again the problem is only with this one remote firewall;
all of the others are fine. The hardware is virtually identical,
similar versions of the Supermicro 5015A boxes. Also note that said
problem box was used in another location with an older version of
OpenBSD without said issues.

It's possible the ISP's cable modem might be to blame but I'd like to
have something to go on before I point that finger.

Could really use some ideas on how to troubleshoot this.

Chris

On Sun, Dec 29, 2013 at 9:56 PM, Chris Smith obsd_m...@chrissmith.org wrote:
> I'm having a problem connecting with (and through) one OpenBSD box.
> Both ends are running OpenBSD -current (-current as of last weekend)
> and I've had the issue through a couple of months of various builds of
> -current.
>
> The problem occurs whether I'm connecting directly to the remote
> OpenBSD box (firewall) or connecting through it via a redirect to an
> inside box.
>
> The connection attempts are all coming from a Linux box inside my
> network (and I'm running a recent -current as my firewall), and
> connections to and through several other remote OpenBSD boxes
> (although not running a recent -current) all work 100% of the time.
>
> With the problem box sometimes the connection never completes. After
> the failed connection attempt subsequent connection attempts work
> fine, it's only after some time that the problem may arise again.
>
> For example if I attempt to ssh to the problem box I'm greeted with a
> blank line:
>
> $ ssh problem_box
>
>
> And after some minutes, I'll finally receive this:
>
> ssh_exchange_identification: read: Connection timed out
>
> From another terminal I can then shell in (whether or not I kill the
> first attempt). The connection states reported are (all addresses have
> been munged):
> my local firewall:
>
> all tcp 51.213.211.197:22 <- 172.25.12.66:44291   ESTABLISHED:ESTABLISHED
> all tcp 76.112.133.216:54348 (172.25.12.66:44291) -> 51.213.211.197:22   ESTABLISHED:ESTABLISHED
> all tcp 51.213.211.197:22 <- 172.25.12.66:44292   ESTABLISHED:ESTABLISHED
> all tcp 76.112.133.216:58306 (172.25.12.66:44292) -> 51.213.211.197:22   ESTABLISHED:ESTABLISHED
>
> the remote firewall:
>
> all tcp 51.213.211.197:22 <- 76.112.133.216:54348   SYN_SENT:ESTABLISHED
> all tcp 51.213.211.197:22 <- 76.112.133.216:58306   ESTABLISHED:ESTABLISHED
>
> The hung connection is the SYN_SENT:ESTABLISHED one and it stays
> that way for some time, although my local firewall believes it to be
> established.
>
> I've seen the same issue with an RDP connection to an inside Windows
> box via a redirect. Sometimes the first attempt will not connect, if I
> kill it and try again, voila, it works.
>
> The critical part is that my rsync backup to an internal box fails
> about every third night due to this issue. As I rsync two different
> paths (one and then the other) on the remote daemon the first path
> will fail sporadically, the second path always completes. Have none of
> these issues with other accounts (but as mentioned the OpenBSD
> versions on those firewalls are a bit older).
>
> Any assistance on resolving this would be much appreciated.
>
> Thank you,
>
> Chris



ack! (not ack)

2014-01-12 Thread Chris Smith
hope they come looking for me next...

http://www.dailykos.com/story/2014/01/09/1267958/-Cartoon-Pufferfish-madness-in-Chagrin-nbsp-Falls?detail=hide



Re: unbound dnssec revisited

2013-12-31 Thread Chris Smith
Thinking about this further, where would root.key be put if unbound
were not running in a chroot? Probably /var/unbound, and since we
already have a /var/unbound/var then the root.key file (and any others
that the _unbound user may need access to) could (and maybe should) go
into /var/unbound/var/unbound (?). If so, this diff works for the
current rc file:
=
--- unbound.origMon Dec 30 11:03:51 2013
+++ unbound Tue Dec 31 09:26:18 2013
@@ -8,6 +8,17 @@
 . /etc/rc.d/rc.subr

 pexp=unbound${daemon_flags:+ ${daemon_flags}}
+
+autotrust() {
+   if ! [[ -d /var/unbound/var/unbound ]]; then
+   mkdir /var/unbound/var/unbound
+   chown _unbound:_unbound /var/unbound/var/unbound
+   chmod 775 /var/unbound/var/unbound
+   fi
+   sudo -u _unbound /usr/local/sbin/unbound-anchor -a
/var/unbound/var/unbound/root.key
+   wait
+}
+
 rc_reload=NO

 rc_pre() {
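Review bot: the `wait` after `sudo -u _unbound /usr/local/sbin/unbound-anchor -a ...` is a no-op that also hides the fetch result: sudo runs in the foreground, so with no background job `wait` returns immediately with status 0, and as the last command it makes autotrust() succeed even when nothing was written. If unbound sometimes starts before the key exists, `wait` is not what fixes it; test for the file instead, e.g. `[[ -s /var/unbound/var/unbound/root.key ]] || return 1` (unbound-anchor's own exit status is not a plain success flag, since unbound-anchor(8) documents exit code 1 for the case where it updated the anchor). The `mkdir`/`chown`/`chmod` trio should be chained with `&&` so that a failed mkdir does not fall through to the fetch, and with the directory owned by _unbound, mode 755 suffices; 775 grants group write that nothing needs.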
@@ -16,6 +27,7 @@
-f /var/unbound/etc/unbound_control.pem ]]; then
unbound-control-setup /dev/null 21
fi
+   autotrust
 }

 rc_start() {
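Review bot: `autotrust` is invoked unconditionally from rc_pre(), so every start of the script shells out through sudo and attempts a network fetch, including on hosts whose unbound.conf has no auto-trust-anchor-file line, and at boot this runs before unbound itself is up, so it relies on unbound-anchor working with no resolver and on the network already being configured at that point in rc. Guard the call on the configuration, which the thread already suggests testing (for example `grep -q '^auto-trust-anchor-file' /var/unbound/etc/unbound.conf && autotrust`), and make sure a failed fetch while an existing root.key is present does not keep unbound from starting.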
=

Also the unbound.conf file must be edited so that the autotrust line reads:
auto-trust-anchor-file: /var/unbound/var/unbound/root.key

Another way would be to keep the current rc file as is and use a
separate rc pkg script to handle grabbing the root key. The user would
place it in rc.conf.local before calling unbound:
pkg_scripts="unbound-anchor unbound"

Chris

On Mon, Dec 30, 2013 at 6:45 PM, Chris Smith obsd_m...@chrissmith.org wrote:
> On Mon, Dec 30, 2013 at 6:10 PM, Remi Locherer remi.loche...@relo.ch wrote:
>> Having the root.key in a separate directory works.
>
> Yes, it works. But /var/unbound/etc was the choice during configure
> which means a little more work:
> The autotrust path line in unbound.conf needs to be edited with the
> new root.key path.
> The new autotrust path must be specified when running unbound-anchor
> (or the compiled in default will be used).
> The new autotrust directory must be created with proper permissions.
>
> It's not a big deal, and it would maybe add a line or two to the
> proposed function addition to the rc file, but it would be better to
> just adjust the configure options when building the package if it's so
> dangerous to provide the daemon write access to its own configuration
> directory. I figured if the package creator compiled in those defaults
> they should be used instead of my original workaround (adding the
> directory, etc.).
>
> Chris



make obj failing for -current

2013-12-31 Thread Chris Smith
=== regress/gnu/egcs/gcc-builtins
/bin/sh: cd: /usr/src/regress/gnu/egcs/gcc-builtins - No such file or directory
*** Error 1 in regress/gnu/egcs (bsd.subdir.mk:48 'obj')
*** Error 1 in regress/gnu (bsd.subdir.mk:48 'obj')
*** Error 1 in regress (bsd.subdir.mk:48 'obj')
*** Error 1 in /usr/src (bsd.subdir.mk:48 'obj')



Re: make obj failing for -current

2013-12-31 Thread Chris Smith
On Tue, Dec 31, 2013 at 12:11 PM, Ingo Schwarze schwa...@usta.de wrote:
> cd /usr/src/regress/gnu/egcs/
> cvs up -dP
>
> As usual, don't forget the -d.

Ah... thanks. Guess I need to add that -d to my .cvsrc file.



Re: unbound dnssec revisited

2013-12-31 Thread Chris Smith
On Tue, Dec 31, 2013 at 2:40 PM, Dennis Davis
dennisdavis+openbsd-m...@fastmail.fm wrote:
> It's a while since I looked at this, so the exact details are hazy,
> but is all this necessary?
[snip]
> Doesn't seem to me that you need to run unbound-anchor as a part of
> /etc/rc.d/unbound.  You just need to run it once as part of setting
> up unbound.  After that a running unbound will periodically check
> the root key.

Good question - I've wondered if it was all necessary as well,
although I see it as probably useful. For one, it keeps the
user-involved housekeeping to a minimum. My other thought was that in
the case of a server that was retired for a time and brought back into
service, it would be proper for an updated root.key to be installed at
startup; without some automation the onus again falls on the user for
additional housekeeping.



unbound dnssec revisited

2013-12-30 Thread Chris Smith
I've been working on using dnssec with the unbound package and viewing
some of the threads here on the list regarding this.

Enabling autotrust and the validator module in unbound.conf and
running unbound-anchor before starting unbound will enable dnssec, but
eventually it will log errors of:

could not open autotrust file for writing

This is apparently because the _unbound user or group does not have
write privileges to the directory; running unbound-anchor with sudo
-u _unbound doesn't change the directory perms.

I'm using the following diff to make this all work (you can all
probably improve on it, and please do):

===
--- unbound.origMon Dec 30 11:03:51 2013
+++ unbound Mon Dec 30 11:38:19 2013
@@ -8,6 +8,14 @@
 . /etc/rc.d/rc.subr

 pexp=unbound${daemon_flags:+ ${daemon_flags}}
+
+autotrust() {
+   chgrp _unbound /var/unbound/etc
+   chmod 775 /var/unbound/etc
+   sudo -u _unbound /usr/local/sbin/unbound-anchor
+   wait
+}
+
 rc_reload=NO

 rc_pre() {
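Review bot: `chgrp _unbound /var/unbound/etc` followed by `chmod 775` makes the daemon's whole configuration directory writable for the account unbound runs as, so a compromised or misbehaving unbound could replace unbound.conf and the unbound_control.* key and certificate files that rc_pre() generates there (see the `unbound-control-setup` context in the next hunk); Ted makes the same point elsewhere in the thread. Only root.key needs to be writable: put it in a dedicated directory owned by _unbound and pass that path with `unbound-anchor -a`, leaving /var/unbound/etc at its original owner and mode. Independently, `wait` does nothing here (sudo runs in the foreground) and, as the last command, makes autotrust() return 0 whether or not the fetch succeeded.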
@@ -16,6 +24,7 @@
-f /var/unbound/etc/unbound_control.pem ]]; then
unbound-control-setup /dev/null 21
fi
+   autotrust
 }

 rc_start() {
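Review bot: because `autotrust` runs from rc_pre() on every start, the chgrp/chmod pair is re-applied at each boot and silently undoes any tightening an administrator later applies to /var/unbound/etc, and the sudo plus network fetch happens even when unbound.conf has no auto-trust-anchor-file line and even when a valid root.key is already present. Make the call conditional on the configuration (the thread mentions testing unbound.conf for this) and, when root.key already exists, let the running unbound refresh it, as Dennis notes it does periodically, rather than refetching at boot.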
===

If the autotrust function is run (it can be commented out if desired)
it retrieves the root.key and gives the _unbound group write
privileges to the /var/unbound/etc directory, thereby preventing the
above log errors.

I must admit that I'm not sure about the use of wait in the added
autotrust function, but if I don't use it unbound will not start the
first time (if there is no root.key file), but will on all subsequent
attempts (it seems unbound will try to start before the key is
retrieved).

Also discovered that unbound-anchor can retrieve the root.key without
added DNS support, which was a concern posted in an earlier thread. For
example on the box I've been working with, Unbound is the DNS provider
and resolv.conf points directly (127.0.0.1) and only to it, and yet
with unbound stopped and no DNS available unbound-anchor will retrieve
the key.

Whether or not to run the autotrust function could also be made more
automatic by testing the unbound.conf file (as was previously posted
in another thread).

And to strongly reiterate that it would be supper to have this product
in base as then it would properly start up before the dhcpd daemon so
that addresses could be assigned via hostnames instead of duplicating
the dotted quad work - if one uses hostname lookups in dhcpd then it
will not start if DNS is not up, workarounds notwithstanding.

Chris



Re: unbound dnssec revisited

2013-12-30 Thread Chris Smith
On Mon, Dec 30, 2013 at 12:10 PM, Chris Smith obsd_m...@chrissmith.org wrote:
> And to strongly reiterate that it would be supper to have this product
> in base

Er.. that it would be SUPER to have this product in base



Re: unbound dnssec revisited

2013-12-30 Thread Chris Smith
On Mon, Dec 30, 2013 at 3:22 PM, Ted Unangst t...@tedunangst.com wrote:
> More simply, can that file be moved to another location? Then we can
> enable write permissions to /var/unbound/etc/autotrust/files/... or
> something, without giving away the keys to the whole kingdom.

Actually that was close to my first solution, creating and using the
/var/unbound/etc/autotrust directory. But then I thought that it might
be a bit convoluted.



Re: unbound dnssec revisited

2013-12-30 Thread Chris Smith
On Mon, Dec 30, 2013 at 6:10 PM, Remi Locherer remi.loche...@relo.ch wrote:
> Having the root.key in a separate directory works.

Yes, it works. But /var/unbound/etc was the choice during configure
which means a little more work:
The autotrust path line in unbound.conf needs to be edited with the
new root.key path.
The new autotrust path must be specified when running unbound-anchor
(or the compiled in default will be used).
The new autotrust directory must be created with proper permissions.

It's not a big deal, and it would maybe add a line or two to the
proposed function addition to the rc file, but it would be better to
just adjust the configure options when building the package if it's so
dangerous to provide the daemon write access to its own configuration
directory. I figured if the package creator compiled in those defaults
they should be used instead of my original workaround (adding the
directory, etc.).

Chris
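The three steps above amount to one rule: the daemon's account may write root.key and nothing else under the chroot. What follows is an added example, not part of the thread and not unbound's or OpenBSD's code, that audits a layout against that rule using ownership and mode bits from os.stat: it reports when the configuration directory is writable by the unbound account, when the anchor directory is not, and when either is world-writable (anyone could then substitute the trust anchor). demo_layouts() builds both layouts discussed in the thread under a temporary directory, simulating the _unbound account with a uid that does not own the directories and with the directories' own group, so the group write bit is what decides access; on a real system the uid/gid would come from pwd.getpwnam("_unbound") and the paths would be the real ones under /var/unbound.

```python
"""Audit the directories of an unbound autotrust setup for least privilege:
the configuration directory must stay read-only for the daemon's account,
and only the directory holding root.key may be writable by it (and by
nobody else)."""
import os
import stat
import tempfile


def writable_by(st, uid, gid):
    """True if a process running as uid/gid could write to a path with this
    stat result. Root is deliberately not special-cased: the question is
    about the unprivileged daemon account."""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid == gid and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def audit_unbound_layout(etc_dir, anchor_dir, unbound_uid, unbound_gid):
    """Return a list of findings (empty means the layout follows the rule).
    etc_dir holds unbound.conf and the control key/certificate files;
    anchor_dir is where root.key is written and updated."""
    findings = []
    etc = os.stat(etc_dir)
    if writable_by(etc, unbound_uid, unbound_gid):
        findings.append("%s is writable by the unbound account, which holds "
                        "unbound.conf and the control keys" % etc_dir)
    try:
        anchor = os.stat(anchor_dir)
    except FileNotFoundError:
        findings.append("%s does not exist, so root.key cannot be created"
                        % anchor_dir)
        return findings
    if not stat.S_ISDIR(anchor.st_mode):
        findings.append("%s is not a directory" % anchor_dir)
        return findings
    if not writable_by(anchor, unbound_uid, unbound_gid):
        findings.append("%s is not writable by the unbound account, so "
                        "root.key updates will fail" % anchor_dir)
    if anchor.st_mode & stat.S_IWOTH:
        findings.append("%s is world-writable; any local user could replace "
                        "the trust anchor" % anchor_dir)
    key = os.path.join(anchor_dir, "root.key")
    if os.path.exists(key) and os.stat(key).st_mode & stat.S_IWOTH:
        findings.append("%s is world-writable" % key)
    return findings


def demo_layouts():
    """Build the two layouts from the thread under a constructed temporary
    root (not a real chroot) and audit both. The _unbound account is
    simulated as a uid that does not own the directories, sharing the
    directories' group, so group write bits decide access."""
    root = tempfile.mkdtemp(prefix="unbound-audit-")
    etc = os.path.join(root, "etc")
    os.mkdir(etc)
    unbound_uid = os.getuid() + 1        # simulated _unbound uid (not the owner)
    unbound_gid = os.stat(etc).st_gid    # simulated _unbound gid (owning group)

    # Layout 1: root.key lives in etc/ and etc/ is made group-writable,
    # the chgrp/chmod 775 approach of the first rc diff in the thread.
    os.chmod(etc, 0o775)
    shared = audit_unbound_layout(etc, etc, unbound_uid, unbound_gid)

    # Layout 2: etc/ stays 755 and a separate group-writable directory holds
    # root.key, the /var/unbound/var/unbound approach of the later diff.
    os.chmod(etc, 0o755)
    anchor = os.path.join(root, "var", "unbound")
    os.makedirs(anchor)
    os.chmod(anchor, 0o775)
    separate = audit_unbound_layout(etc, anchor, unbound_uid, unbound_gid)
    return {"shared-etc": shared, "separate-dir": separate}


if __name__ == "__main__":
    for name, findings in demo_layouts().items():
        print(name, "->", findings or ["OK"])
```

The shared-etc layout produces exactly one finding (the configuration directory is writable by the daemon) while the separate-directory layout is clean, which is the difference the thread settles on.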



unreliable connections

2013-12-29 Thread Chris Smith
I'm having a problem connecting with (and through) one OpenBSD box.
Both ends are running OpenBSD -current (-current as of last weekend)
and I've had the issue through a couple of months of various builds of
-current.

The problem occurs whether I'm connecting directly to the remote
OpenBSD box (firewall) or connecting through it via a redirect to an
inside box.

The connection attempts are all coming from a Linux box inside my
network (and I'm running a recent -current as my firewall), and
connections to and through several other remote OpenBSD boxes
(although not running a recent -current) all work 100% of the time.

With the problem box sometimes the connection never completes. After
the failed connection attempt subsequent connection attempts work
fine, it's only after some time that the problem may arise again.

For example if I attempt to ssh to the problem box I'm greeted with a
blank line:

$ ssh problem_box



And after some minutes, I'll finally receive this:

ssh_exchange_identification: read: Connection timed out


From another terminal I can then shell in (whether or not I kill the
first attempt). The connection states reported are (all addresses have
been munged):
my local firewall:

all tcp 51.213.211.197:22 <- 172.25.12.66:44291   ESTABLISHED:ESTABLISHED
all tcp 76.112.133.216:54348 (172.25.12.66:44291) -> 51.213.211.197:22   ESTABLISHED:ESTABLISHED
all tcp 51.213.211.197:22 <- 172.25.12.66:44292   ESTABLISHED:ESTABLISHED
all tcp 76.112.133.216:58306 (172.25.12.66:44292) -> 51.213.211.197:22   ESTABLISHED:ESTABLISHED


the remote firewall:

all tcp 51.213.211.197:22 <- 76.112.133.216:54348   SYN_SENT:ESTABLISHED
all tcp 51.213.211.197:22 <- 76.112.133.216:58306   ESTABLISHED:ESTABLISHED


The hung connection is the SYN_SENT:ESTABLISHED one and it stays
that way for some time, although my local firewall believes it to be
established.

I've seen the same issue with an RDP connection to an inside Windows
box via a redirect. Sometimes the first attempt will not connect, if I
kill it and try again, voila, it works.

The critical part is that my rsync backup to an internal box fails
about every third night due to this issue. As I rsync two different
paths (one and then the other) on the remote daemon the first path
will fail sporadically, the second path always completes. Have none of
these issues with other accounts (but as mentioned the OpenBSD
versions on those firewalls are a bit older).

Any assistance on resolving this would be much appreciated.

Thank you,

Chris
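The comparison the post does by eye, reading the two state tables side by side, can be automated. The following is an added example and not something from the thread: it parses `pfctl -ss` lines from both firewalls (IPv4 only, in the form pf prints for tcp and udp), normalises each state to the flow as seen on the wire by using the NAT'd address of an outbound state, and reports flows whose tracked peer states differ between the two hosts. The sample tables are constructed in the same munged style as the post, and half_open() flags the SYN_SENT:ESTABLISHED condition on a single table.

```python
"""Correlate `pfctl -ss` output from two pf firewalls and report TCP flows
whose handshake progress disagrees between the two hosts."""
import re

# Constructed sample tables in the format printed by `pfctl -ss` (addresses
# munged in the style of the post; these are not the poster's real tables).
LOCAL_STATES = """\
all tcp 51.213.211.197:22 <- 172.25.12.66:44291       ESTABLISHED:ESTABLISHED
all tcp 76.112.133.216:54348 (172.25.12.66:44291) -> 51.213.211.197:22       ESTABLISHED:ESTABLISHED
all tcp 51.213.211.197:22 <- 172.25.12.66:44292       ESTABLISHED:ESTABLISHED
all tcp 76.112.133.216:58306 (172.25.12.66:44292) -> 51.213.211.197:22       ESTABLISHED:ESTABLISHED
all udp 172.25.12.66:123 -> 10.9.8.7:123       MULTIPLE:MULTIPLE
"""
REMOTE_STATES = """\
all tcp 51.213.211.197:22 <- 76.112.133.216:54348       SYN_SENT:ESTABLISHED
all tcp 51.213.211.197:22 <- 76.112.133.216:58306       ESTABLISHED:ESTABLISHED
"""

HOST = r"[0-9.]+:[0-9]+"  # IPv4 addr:port as pf prints it (IPv6 not handled)
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<left>" + HOST + r")(?:\s+\((?P<left_orig>" + HOST + r")\))?\s+"
    r"(?P<arrow><-|->)\s+"
    r"(?P<right>" + HOST + r")(?:\s+\((?P<right_orig>" + HOST + r")\))?\s+"
    r"(?P<src_state>[A-Z_0-9]+):(?P<dst_state>[A-Z_0-9]+)\s*$"
)

# pf peer states that mean the TCP handshake has not completed for that peer
HANDSHAKE = {"SYN_SENT", "CLOSED"}


def parse_states(text):
    """Parse state lines into dicts. For an outbound state ("->") the left
    host is the (possibly translated) initiator; for an inbound state ("<-")
    pf prints the destination first, so the initiator is on the right. Lines
    that do not match (e.g. IPv6) are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m is None:
            continue
        left, right = m.group("left"), m.group("right")
        if m.group("arrow") == "->":
            initiator, responder = left, right
        else:
            initiator, responder = right, left
        states.append({
            "proto": m.group("proto"),
            "initiator": initiator,   # address:port as seen on the wire
            "responder": responder,
            "src_state": m.group("src_state"),
            "dst_state": m.group("dst_state"),
        })
    return states


def half_open(states):
    """TCP states whose two peers disagree while one is still in the handshake."""
    return [s for s in states
            if s["proto"] == "tcp"
            and s["src_state"] != s["dst_state"]
            and (s["src_state"] in HANDSHAKE or s["dst_state"] in HANDSHAKE)]


def correlate(local_text, remote_text):
    """Match states present on both hosts by (proto, initiator, responder) and
    return those whose tracked peer states differ between the two tables."""
    local = {(s["proto"], s["initiator"], s["responder"]): s
             for s in parse_states(local_text)}
    remote = {(s["proto"], s["initiator"], s["responder"]): s
              for s in parse_states(remote_text)}
    mismatches = []
    for key in sorted(local.keys() & remote.keys()):
        l, r = local[key], remote[key]
        if (l["src_state"], l["dst_state"]) != (r["src_state"], r["dst_state"]):
            mismatches.append({
                "flow": "%s %s -> %s" % key,
                "local": "%s:%s" % (l["src_state"], l["dst_state"]),
                "remote": "%s:%s" % (r["src_state"], r["dst_state"]),
            })
    return mismatches


if __name__ == "__main__":
    for m in correlate(LOCAL_STATES, REMOTE_STATES):
        print("%(flow)s  local=%(local)s  remote=%(remote)s" % m)
```

On the constructed tables this reports the single 54348 flow, established on the local firewall but SYN_SENT:ESTABLISHED on the remote one, which is the hung connection the post describes. The local firewall's inbound states on the inside interface carry pre-NAT addresses and therefore never match a remote key; that is intended, since only the translated outbound state is visible on the far side.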



Re: netstat segfault on -current

2013-12-25 Thread Chris Smith
On Mon, Dec 23, 2013 at 11:51 PM, Kenneth R Westerback
kwesterb...@gmail.com wrote:
> It is a real issue, due to errors I made replacing CIRCLEQ with TAILQ.
>
> A fix is being worked on, and a workaround probably sooner than that.

Looks like the recent updates have resolved the issue. Thanks!



Re: netstat segfault on -current

2013-12-24 Thread Chris Smith
On Mon, Dec 23, 2013 at 11:51 PM, Kenneth R Westerback
kwesterb...@gmail.com wrote:
> It is a real issue, due to errors I made replacing CIRCLEQ with TAILQ.
>
> A fix is being worked on, and a workaround probably sooner than that.

Thanks. I knew it wasn't a userland/kernel sync problem.



netstat segfault on -current

2013-12-23 Thread Chris Smith
Two systems running -current (x86_64) cannot run netstat:

OpenBSD 5.4-current (GENERIC.MP) #3: Sat Dec 21 17:05:25 EST 2013

# netstat
Segmentation fault



Re: netstat segfault on -current

2013-12-23 Thread Chris Smith
On Mon, Dec 23, 2013 at 5:10 PM, Alexey E. Suslikov
alexey.susli...@gmail.com wrote:
> blind guess - you have kernel and userland out of sync.

Not so.



Re: dhcpd: rejecting bogus offer

2013-12-11 Thread Chris Smith
Yes, that does help it all make sense.

Thanks to all.

On Tue, Dec 10, 2013 at 11:43 PM, Ted Unangst t...@tedunangst.com wrote:
> On Tue, Dec 10, 2013 at 22:16, Chris Smith wrote:
>> On Tue, Dec 10, 2013 at 8:04 PM, Chris Smith obsd_m...@chrissmith.org
>> wrote:
>>> Dec 10 16:19:46 firewall dhcpd[29710]: Many bogus options seen in offers.
>>
>> In particular the above line: "Many bogus options seen in offers."
>> Doesn't the server make the offer? If so, why would the OpenBSD
>> dhcpd server create bogus options? Or am I misreading the intent of
>> the log message?
>
> The option parsing code was at one time shared between dhclient and
> dhcpd. (ironically, our dhclient no longer contains that message.)
>
> It's worded strangely for a server warning message, but client
> requests are allowed to specify options to the server. Just replace
> the word offers with requests and it all makes sense.



Re: dhcpd: rejecting bogus offer

2013-12-10 Thread Chris Smith
On Mon, Dec 9, 2013 at 3:01 PM, Kenneth R Westerback
kwesterb...@rogers.com wrote:
> Malicious or confused. Or truncated packets. The log message
> means that the option length as given in the packet would run
> the option data outside the received packet. The confusion
> might have started in an earlier option, unless you are
> actually providing Novell Service Location Protocol info?

Nothing like that. Pretty ordinary setup. Got a really strange one today:

Dec 10 16:19:46 firewall dhcpd[29710]: option nds-context (97) larger
than buffer.
Dec 10 16:19:46 firewall dhcpd[29710]: Many bogus options seen in offers.
Dec 10 16:19:46 firewall dhcpd[29710]: Taking this offer in spite of bogus
Dec 10 16:19:46 firewall dhcpd[29710]: options - hope for the best!

??
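The bounds check Ken describes above, written out as an added example (this is not OpenBSD's dhcpd code, just an illustration of the same rule): each option's declared length is compared against the bytes actually left in the packet before the value is read, and an option whose length would run past the end of the buffer is reported the way the "larger than buffer" log lines do. The two packets at the bottom are constructed for the example; the option-name table is a small partial one, not dhcpd's tables.c.

```python
"""Bounds-checked DHCP option parser (added example, not OpenBSD's dhcpd).

Walks the code/length/value option field of a DHCP message the way a
server must: the declared length of every option is checked against the
bytes that remain in the packet before the value is read. An option
whose length runs past the end of the buffer is the condition behind
the "larger than buffer" log line; a naive parser would read past the
end of the packet instead.
"""
from dataclasses import dataclass, field

PAD, END = 0, 255
MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 option-field magic cookie

# Partial name table used only for log text (assumption: not dhcpd's tables.c).
NAMES = {50: "dhcp-requested-address", 53: "dhcp-message-type",
         61: "dhcp-client-identifier"}


def option_name(code):
    return NAMES.get(code, f"option-{code}")


@dataclass
class ParseResult:
    options: dict = field(default_factory=dict)   # code -> raw value bytes
    errors: list = field(default_factory=list)    # problems found, in order


def parse_options(buf):
    """Parse an option field that starts with the magic cookie."""
    res = ParseResult()
    if len(buf) < 4 or buf[:4] != MAGIC:
        res.errors.append("bad magic cookie")
        return res
    i = 4
    while i < len(buf):
        code = buf[i]
        i += 1
        if code == PAD:                   # single-byte options, no length
            continue
        if code == END:
            return res
        if i >= len(buf):                 # code present, length byte missing
            res.errors.append(f"option {option_name(code)} ({code}) missing length")
            return res
        length = buf[i]
        i += 1
        if i + length > len(buf):         # the "larger than buffer" case
            res.errors.append(f"option {option_name(code)} ({code}) larger than buffer")
            return res
        res.options[code] = buf[i:i + length]
        i += length
    res.errors.append("option field not terminated by END")
    return res


def verdict(buf):
    """Accept/reject decision a server could make from the parse result."""
    res = parse_options(buf)
    return "ok" if not res.errors else "rejecting bogus packet: " + res.errors[0]


# Constructed sample packets (option field only):
# a sane DHCPREQUEST: message-type 3, requested address 172.28.65.139, END
SAMPLE_OK = MAGIC + bytes([53, 1, 3, 50, 4, 172, 28, 65, 139, END])
# option 97 claims 40 bytes of value but only 5 bytes follow it
SAMPLE_BOGUS = MAGIC + bytes([53, 1, 3, 97, 40]) + b"\x00" * 5

if __name__ == "__main__":
    for name, pkt in (("ok", SAMPLE_OK), ("bogus", SAMPLE_BOGUS)):
        print(name, verdict(pkt))
```

Note that the parser stops at the first bad option, whereas the log excerpt shows dhcpd choosing to proceed "in spite of bogus options"; either policy is safe as long as the length check happens before the read.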



Re: dhcpd: rejecting bogus offer

2013-12-10 Thread Chris Smith
On Tue, Dec 10, 2013 at 8:04 PM, Chris Smith <obsd_m...@chrissmith.org> wrote:
> Dec 10 16:19:46 firewall dhcpd[29710]: Many bogus options seen in offers.

In particular the above line: "Many bogus options seen in offers."
Doesn't the server make the offer? If so, why would the OpenBSD
dhcpd server create bogus options? Or am I misreading the intent of
the log message?



dhcpd: rejecting bogus offer

2013-12-09 Thread Chris Smith
What might be the implications of the following messages in the log?


Dec  6 15:09:39 firewall dhcpd[29710]: option option-79 (119) larger
than buffer.
Dec  6 15:09:39 firewall dhcpd[29710]: rejecting bogus offer.

Dec  9 12:15:35 firewall dhcpd[29710]: option tftp-server-name (111)
larger than buffer.
Dec  9 12:15:35 firewall dhcpd[29710]: rejecting bogus offer.


Besides the bogus offer entries I'm seeing other things like:

Dec  5 16:02:11 firewall dhcpd[29710]: IP address 172.28.65.139
answers a ping after sending a release
Dec  5 16:02:11 firewall dhcpd[29710]: Possible release spoof - Not
releasing address 172.28.65.139
Dec  5 23:03:36 firewall dhcpd[29710]: Abandoning IP address
172.28.65.121 for 3600 seconds: pinged before offer
Dec  6 09:09:41 firewall dhcpd[29710]: Abandoning IP address
172.28.65.123 for 3600 seconds: pinged before offer


Possible network issues? Malicious client? Or?

Thank you,

Chris



Re: DNS problem

2013-12-08 Thread Chris Smith
Turns out the problem was with the Internet Guide service. If the IP
address from which the query was sent was on the subscriber list then
the incorrect info was sent. That's why it worked from one of my
networks but not the others.

Thanks to all.

Chris



DNS problem

2013-12-06 Thread Chris Smith
This falls under the category "When in doubt, ask the OpenBSD guys"
(and as all of my firewalls are running OpenBSD I hope this isn't too
off topic).

Basically, four of my networks are not getting an answer for a
specific mx query from dyn.com's DNS server. Yet every other DNS cache
I've queried works just fine (Google, Level3, Hurricane Electric,
Comcast, etc.) and dyn's support claims there is no problem on their
end and all of their tests return the proper answer just as one of my
networks does.

Results from the four non-working networks (two are on Comcast, one is ATT):
=
dig @216.146.35.35 lwtitle.com mx

; <<>> DiG 9.4.2-P2 <<>> @216.146.35.35 lwtitle.com mx
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5502
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;lwtitle.com.                   IN      MX

;; Query time: 29 msec
;; SERVER: 216.146.35.35#53(216.146.35.35)
;; WHEN: Fri Dec  6 11:18:05 2013
;; MSG SIZE  rcvd: 29
=
Consequently mail fails to get sent to the lwtitle.com domain.

I should note that if I dig with +trace the proper answer does show up:
=
dig @216.146.35.35 lwtitle.com mx +trace

; <<>> DiG 9.4.2-P2 <<>> @216.146.35.35 lwtitle.com mx +trace
; (1 server found)
;; global options:  printcmd
.                       518400  IN      NS      a.root-servers.net.
.                       518400  IN      NS      b.root-servers.net.
.                       518400  IN      NS      c.root-servers.net.
.                       518400  IN      NS      d.root-servers.net.
.                       518400  IN      NS      e.root-servers.net.
.                       518400  IN      NS      f.root-servers.net.
.                       518400  IN      NS      g.root-servers.net.
.                       518400  IN      NS      h.root-servers.net.
.                       518400  IN      NS      i.root-servers.net.
.                       518400  IN      NS      j.root-servers.net.
.                       518400  IN      NS      k.root-servers.net.
.                       518400  IN      NS      l.root-servers.net.
.                       518400  IN      NS      m.root-servers.net.
;; Received 228 bytes from 216.146.35.35#53(216.146.35.35) in 34 ms

com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
;; Received 489 bytes from 202.12.27.33#53(m.root-servers.net) in 116 ms

lwtitle.com.            172800  IN      NS      ns21.domaincontrol.com.
lwtitle.com.            172800  IN      NS      ns22.domaincontrol.com.
;; Received 113 bytes from 192.12.94.30#53(e.gtld-servers.net) in 115 ms

lwtitle.com.            3600    IN      MX      0 lwtitle-com.mail.protection.outlook.com.
lwtitle.com.            3600    IN      NS      ns22.domaincontrol.com.
lwtitle.com.            3600    IN      NS      ns21.domaincontrol.com.
;; Received 133 bytes from 208.109.255.11#53(ns22.domaincontrol.com) in 32 ms
=
Although this doesn't help normal resolution.

So I'm baffled. Any clues?

Thanks,

Chris



Re: DNS problem

2013-12-06 Thread Chris Smith
On Fri, Dec 6, 2013 at 11:54 AM, Peter N. M. Hansteen <pe...@bsdly.net> wrote:
> but, say
>
> $ dig @216.146.35.35 bsdly.net mx
>
> works?
>
> Or do you get no answer for any queries?

It's just that one particular query and the same domain's TXT record.
There may be others but this one was found because one of my clients
needed to email that company. All other queries seem to work - even
the A record for that domain. And yet from one of the 4 networks I do
work for the query works just fine.



Re: DNS problem

2013-12-06 Thread Chris Smith
On Fri, Dec 6, 2013 at 12:07 PM, Giancarlo Razzolini
<grazzol...@gmail.com> wrote:
> I do not know if it is the case, but many isp's today use dns
> transparent proxying.
>
> You can try using the site www.dnsleaktest.com to see if it is your
> case.

The lwtitle.com mx and lwtitle.com txt queries both fail for me here
and I run unbound as a resolver on my firewall and I pass the DNS leak
test.

The one network of the 4 that I do get a proper answer on has an older
version of OpenBSD on its firewall (4.9) while all the ones that are
failing for me run a fairly current (or even -current) version.

And if my ISP, and a couple of the others, were doing dns proxy and
that was messing up the results it would surely mess them up for all
of the DNS caches I tested.

=
dig @216.146.35.35 lwtitle.com mx +noall +answer

; <<>> DiG 9.4.2-P2 <<>> @216.146.35.35 lwtitle.com mx +noall +answer
; (1 server found)
;; global options:  printcmd
=
dig @8.8.8.8 lwtitle.com mx +noall +answer

; <<>> DiG 9.4.2-P2 <<>> @8.8.8.8 lwtitle.com mx +noall +answer
; (1 server found)
;; global options:  printcmd
lwtitle.com.            3600    IN      MX      0 lwtitle-com.mail.protection.outlook.com.
=
dig @209.244.0.3 lwtitle.com mx +noall +answer

; <<>> DiG 9.4.2-P2 <<>> @209.244.0.3 lwtitle.com mx +noall +answer
; (1 server found)
;; global options:  printcmd
lwtitle.com.            3600    IN      MX      0 lwtitle-com.mail.protection.outlook.com.
=
dig @198.153.192.40 lwtitle.com mx +noall +answer

; <<>> DiG 9.4.2-P2 <<>> @198.153.192.40 lwtitle.com mx +noall +answer
; (1 server found)
;; global options:  printcmd
lwtitle.com.            3600    IN      MX      0 lwtitle-com.mail.protection.outlook.com.
=
etc.

Only those specific queries from some places to dyn's internet guide fail.

From the network running 4.9:
=
dig @216.146.35.35 lwtitle.com mx +noall +answer

; <<>> DiG 9.4.2-P2 <<>> @216.146.35.35 lwtitle.com mx +noall +answer
; (1 server found)
;; global options:  printcmd
lwtitle.com.            2181    IN      MX      0 lwtitle-com.mail.protection.outlook.com.
=

-- 
Chris



Re: DNS problem

2013-12-06 Thread Chris Smith
On Fri, Dec 6, 2013 at 1:38 PM, Patrik Lundin
<patrik.lundin@gmail.com> wrote:
> Just out of curiosity: If you are running unbound on the firewall, why
> are you querying the troublesome resolver directly? Do you get the same
> result when querying the local unbound?

Same results from Unbound. That's why I started digging.

> Are you running dig from the firewall or a client behind the firewall?

Have done both. Same results with NLNet's drill utility as well.

> How about tcpdumping the traffic on all affected interfaces and comparing
> the results between the working location and a non-working one in order
> to see if anything funky is happening on the wire?

I did that also. I see nothing funky. One packet sent, one returned.



Re: DNS problem

2013-12-06 Thread Chris Smith
On Fri, Dec 6, 2013 at 2:35 PM, Patrik Lundin
<patrik.lundin@gmail.com> wrote:
> Sorry if I'm missing something, but what lead you to suspect the
> 216.146.35.35 machine in the first place?

Some of my clients use that service and for them Unbound doesn't act
as a validator, just an iterator that forwards non-local queries to
Dyn's Internet Guide service.

Chris



Re: smtpd config issue

2013-12-04 Thread Chris Smith
On Thu, Nov 28, 2013 at 7:53 PM, Ted Unangst <t...@tedunangst.com> wrote:
> I just needed to do the same (smtpd would elect to use ipv6, but i only
> have ipv4 spf records). The man page kind of says it's a table name, but
> it's not. Try this instead:
>
> accept from local for any relay source a.b.c.d

Thank you, but I already moved to Postfix for this box, was already
quite familiar with it.



Re: smtpd config issue

2013-11-27 Thread Chris Smith
On Tue, Nov 26, 2013 at 12:46 PM, Christopher Zimmermann
<christop...@gmerlin.de> wrote:
> what's $alias1 in your pf.conf? Can't you paste just your whole
> pf.conf? What do you mean by smtpip = $alias1.
> You seem to do a on $alias1. so $alias1 seems to be an interface?

It's just a macro for one of the alias addresses on the external interface.

> I notice several addresses with /32 netmasks on the same subnet as your
> primary address.
> I'd guess your default gateway is not reachable via any of the /32
> aliases, since it is not on their subnet. Then ping -I x.y.z.194
> 8.8.8.8 would fail with a similar error.

It's the standard setup for alias addresses in OpenBSD, AFAIK.
As mentioned pinging and shelling in via the alias addresses works fine.

> What are you actually trying to accomplish? Have you tried to give /29
> netmasks to your aliases?

I don't think that's proper.

The issue is solved via a workaround - I installed Postfix as the MTA.
Always liked it, never liked Sendmail. Was willing to give SMTPD a go,
but for now I needed a working box.

Chris



smtpd config issue

2013-11-25 Thread Chris Smith
Hello,

Trying to use smtpd on a particular interface alias (for sending only,
not for listening) and am not finding a way to do so. It seems to
default sending out via the :0 address.

Chris



Re: smtpd config issue

2013-11-25 Thread Chris Smith
On Mon, Nov 25, 2013 at 12:33 PM, Giancarlo Razzolini
<grazzol...@gmail.com> wrote:
> Taking a look on the smtpd.conf(5) man page, there is the source
> directive, which does what you are trying to accomplish.

Don't know what I'm doing wrong as I can't get it to work here.

Using these rules works fine for the :0  address:
pf: pass out quick on $ext_if proto tcp from self to any port smtp
smtpd: accept from local for any relay

Using these rules does not:
pf: pass out quick on $alias1 proto tcp from self to any port smtp
smtpd: table <smtpip> { w.x.y.z }
smtpd: accept from local for any relay source <smtpip>
(inline table defines smtpip as the same address as $alias1)

I get a No valid route to destination error.



Re: smtpd config issue

2013-11-25 Thread Chris Smith
On Mon, Nov 25, 2013 at 2:35 PM, Christopher Zimmermann
<christop...@gmerlin.de> wrote:
> Now I'd be looking at 'route -n show -inet', 'ifconfig $ext_if' and
> 'ifconfig $alias1'

ifconfig doesn't understand pf macros (as far as i can tell)

==
# route -n show -inet |head -n 14
Routing tables

Internet:
DestinationGatewayFlags   Refs  Use   Mtu  Prio Iface
defaultx.y.z.198 UGS  667 23969677 - 8 em1
x.y.z.192/29  link#2 UC 20 - 4 em1
x.y.z.193 00:25:90:08:4d:b5  UHLc   0   21 - 4 lo0
x.y.z.194/32  link#2 UC 00 - 4 em1
x.y.z.195/32  link#2 UC 00 - 4 em1
x.y.z.196/32  link#2 UC 00 - 4 em1
x.y.z.197/32  link#2 UC 00 - 4 em1
x.y.z.198 44:94:fc:cd:2d:14  UHLc   10 - 4 em1
127/8  127.0.0.1  UGRS   00 33144 8 lo0
127.0.0.1  127.0.0.1  UH 1 1088 33144 4 lo0

# ifconfig em1
em1: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        lladdr 00:25:90:08:4d:b5
        priority: 0
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet x.y.z.193 netmask 0xfffffff8 broadcast x.y.z.199
        inet x.y.z.194 netmask 0xffffffff
        inet x.y.z.195 netmask 0xffffffff
        inet x.y.z.196 netmask 0xffffffff
        inet x.y.z.197 netmask 0xffffffff
==

I can ping and remotely shell into all of the alias addresses.



mongodb

2013-11-22 Thread Chris Smith
Mentioned previously:

On Tue, Oct 22, 2013 at 12:29 PM, Stuart Henderson <s...@spacehopper.org> wrote:
> Note that the mongodb port is currently broken (and has been since 5.3-ish
> iirc).

Wondering if mongodb is operational with -current?

Thank you,

Chris



Re: Blocking facebook.com: PF or squid?

2013-10-31 Thread Chris Smith
On Fri, Oct 18, 2013 at 8:24 PM, Clint Pachl <pa...@ecentryx.com> wrote:
> Running your own DNS resolver is the best solution to deny the whole
> network facebook access. With Unbound this is simple:
>
> # This will block facebook.com and all subdomains.
> local-zone: "facebook.com" redirect
> local-data: "facebook.com A 127.0.0.1"

I use:
local-zone: "facebook.com." refuse
local-zone: "fb.me." refuse

Of course if the client system has secondary DNS servers configured
AND has access to them Unbound's refusal wont help much. But that is
simply stopped at the firewall (no outbound DNS except via the
server).

Using refuse vs redirect could also be useful if you want guests to be
able to access the refused domains - have the DHCP server assign the
guest pool a secondary public DNS and allow that pool to pass outbound
DNS to the secondary servers.

Chris



Occasionally connected mail access

2013-10-27 Thread Chris Smith
Hi,

I'm currently running a simple OpenSMTPD/procmail/mutt setup on the end
of a hosted machine on 5.3. To access mail, I'm SSH'ing into
the box and firing up mutt. However I need to get occasionally 
connected mail working on my laptop so I can read/respond to it there
and deliver back to the hosted machine. I'm using mbox as the mailbox
format at the moment. I may be offline for 2-3 days at a time.

I'm considering doing the following things:

* Move to maildir at both ends.
* Set up OpenSMTPD on the laptop and set it to pause mta while 
  disconnected. Also set it up to relay through the hosted machine
  via auth+TLS.
* Write a script that will (when I know I'm connected):
  1. unpause the MTA and flush the queues, then pause it again.
  2. rsync (over SSH) the maildir from the hosted machine.

Can anyone see any flaws in this plan or know of a better solution?

For ref, I really don't want to bother with a whole Cyrus/Fetchmail/
IMAP/dovecot stack of turtles. It's too much pain to keep running.

Any help appreciated!

--
Chris Smith



updating -current fail

2013-07-19 Thread Chris Smith
/usr/bin/Mail -> /usr/bin/mail
/usr/bin/mailx -> /usr/bin/mail
===> usr.bin/make
install -c -S -s  -o root -g bin  -m 555 make /usr/bin/make
install -c -o root -g bin -m 444  /usr/src/usr.bin/make/make.1
/usr/share/man/man1/make.1
===> usr.bin/man
make: unknown option -- P



Re: updating -current fail

2013-07-19 Thread Chris Smith
On Fri, Jul 19, 2013 at 3:51 PM, Marc Espie <es...@nerim.net> wrote:
> So, don't run make -P...

OK, thanks.



Re: setting ttl

2013-06-19 Thread Chris Smith
On Wed, Jun 19, 2013 at 6:43 AM, Henning Brauer <lists-open...@bsws.de> wrote:
> no

Thanks.

Any plans to implement this?



egress group no longer auto assigned after -current update

2013-06-08 Thread Chris Smith
Updated -current recently which left my internal network unusable. The
system was forwarding packets but not doing NAT. Turns out the problem
was that the external interface, which is a dhcp assigned (via the
ISP) interface was no longer being assigned to the egress group. And
my NAT rule is:


match out on egress inet from !(egress:network) to any nat-to (egress:0)


Which has worked for a very long time. It still works if I manually
assign the interface to the egress group, but it was always automatic
previously and there's no change in the docs to indicate this still
shouldn't be the case.

Chris



setting ttl

2013-04-23 Thread Chris Smith
Seems that pf can enforce a min-ttl but can it explicitly set the ttl
on packets leaving an interface?



match and nat-to

2013-04-13 Thread Chris Smith
Looking for a bit of clarification on match and nat-to. At one point
(and maybe still so?) nat rules were first matching as opposed to
the 'normal' case of last matching but match rules are sticky until
overridden.

With:
match out on $ext_if inet from !($ext_if) to any nat-to ($ext_if)
match out on $ext_if inet from $gamer to any nat-to ($ext_if) static-port

Followed by a pass rule:
pass in on $int_if inet proto { tcp, udp } from em0:network

Does the system $gamer (it is a system on the internal network) get
static-port natted? Or should those rules be reordered? Or should
something different be done?

What happens when $gamer wants to use a port that's already in use?

As a note the particular system in question is running an older version:
OpenBSD 5.1-current (GENERIC.MP) #1: Thu May 31 18:31:17 EDT 2012
in case the answer(s) might different.

Thanks,

Chris



Re: dhclient could not allocate memory

2013-02-28 Thread Chris Smith
On Thu, Feb 28, 2013 at 12:58 PM, Marc Peters <m...@mpeters.org> wrote:
> dhclient

I've noticed a lot of dhclient changes in cvs over the past few
weeks. You might try a newer snapshot.

Chris



Re: problem compiling userland in -current

2013-02-25 Thread Chris Smith
On Mon, Feb 25, 2013 at 1:03 AM, Mike Korbakov <mike-...@yandex.ru> wrote:
> May be, your host system too old, and in -current system header files has
> changed significantly.
> Compare files in /usr/include/sys and /usr/src/sys/sys (check other headers
> too)
> Or download and install -current as host for building.

It was a 5.2 snapshot when originally installed and I did a full build
to -current several times with the last one not even two weeks ago.



Re: problem compiling userland in -current

2013-02-25 Thread Chris Smith
On Mon, Feb 25, 2013 at 3:39 AM, Stuart Henderson <s...@spacehopper.org> wrote:
> Is /usr/obj clean? Also, if you're building outside of make build
> make sure you use make -f Makefile.bsd-wrapper. I built the nsd update
> successfully on amd64 i386 macppc and vax before I committed it and
> there have been various snapshots produced since then.

Yes, /usr/obj was clean (every time). Wasn't trying to build anything
outside of a normal system build, the unbound and ldns are package
installs. It does seem to be a problem with nsd but there are no
special instructions on http://www.openbsd.org/faq/current.html which
I also check when updating.



Re: problem compiling userland in -current

2013-02-25 Thread Chris Smith
On Mon, Feb 25, 2013 at 11:18 AM, Chris Smith <obsd_m...@chrissmith.org> wrote:
> I use a .cvsrc file with:
> =
> cvs -q -danon...@anoncvs3.usa.openbsd.org:/cvs
> diff -up
> update -Pd
> checkout -P
> =

I do not checkout the ports or xenocara trees as the system has no X
and I have no ports installed (just packages and I always pkg_add
-ui after a sysmerge). I assume this is OK??



problem compiling userland in -current

2013-02-24 Thread Chris Smith
make
echo "#include \"config.h\"" > zlexer.c
echo "#include \"configyyrename.h\"" > configlexer.c
/usr/bin/yacc -d -o configparser.c /usr/src/usr.sbin/nsd/configparser.y
flex -i -t /usr/src/usr.sbin/nsd/zlexer.lex >> zlexer.c
flex -i -t /usr/src/usr.sbin/nsd/configlexer.lex >> configlexer.c
/usr/bin/yacc -d -o zparser.c /usr/src/usr.sbin/nsd/zparser.y
cc -I. -I/usr/src/usr.sbin/nsd -O2 -pipe   -c
/usr/src/usr.sbin/nsd/compat/pselect.c -o pselect.o
cc -I. -I/usr/src/usr.sbin/nsd -O2 -pipe   -c /usr/src/usr.sbin/nsd/dns.c
cc -I. -I/usr/src/usr.sbin/nsd -O2 -pipe   -c zlexer.c
cc -I. -I/usr/src/usr.sbin/nsd -O2 -pipe   -c zparser.c
cc -I. -I/usr/src/usr.sbin/nsd -O2 -pipe   -c
/usr/src/usr.sbin/nsd/compat/b64_pton.c -o b64_pton.o
cc -I. -I/usr/src/usr.sbin/nsd -O2 -pipe   -c
/usr/src/usr.sbin/nsd/compat/b64_ntop.c -o b64_ntop.o
cc -I. -I/usr/src/usr.sbin/nsd -O2 -pipe   -c /usr/src/usr.sbin/nsd/zonec.c
cc -I. -I/usr/src/usr.sbin/nsd -O2 -pipe   -c /usr/src/usr.sbin/nsd/xfrd-tcp.c
cc -I. -I/usr/src/usr.sbin/nsd -O2 -pipe   -c
/usr/src/usr.sbin/nsd/xfrd-notify.c
cc -I. -I/usr/src/usr.sbin/nsd -O2 -pipe   -c /usr/src/usr.sbin/nsd/xfrd-disk.c
cc -I. -I/usr/src/usr.sbin/nsd -O2 -pipe   -c /usr/src/usr.sbin/nsd/xfrd.c
cc -I. -I/usr/src/usr.sbin/nsd -O2 -pipe   -c /usr/src/usr.sbin/nsd/util.c
cc -I. -I/usr/src/usr.sbin/nsd -O2 -pipe   -c
/usr/src/usr.sbin/nsd/tsig-openssl.c
cc -I. -I/usr/src/usr.sbin/nsd -O2 -pipe   -c /usr/src/usr.sbin/nsd/tsig.c
cc -I. -I/usr/src/usr.sbin/nsd -O2 -pipe   -c /usr/src/usr.sbin/nsd/server.c
cc -I. -I/usr/src/usr.sbin/nsd -O2 -pipe   -c /usr/src/usr.sbin/nsd/rrl.c
cc -I. -I/usr/src/usr.sbin/nsd -O2 -pipe   -c
/usr/src/usr.sbin/nsd/region-allocator.c
cc -I. -I/usr/src/usr.sbin/nsd -O2 -pipe   -c /usr/src/usr.sbin/nsd/rdata.c
cc -I. -I/usr/src/usr.sbin/nsd -O2 -pipe   -c /usr/src/usr.sbin/nsd/rbtree.c
cc -I. -I/usr/src/usr.sbin/nsd -O2 -pipe   -c /usr/src/usr.sbin/nsd/query.c
cc -I. -I/usr/src/usr.sbin/nsd -O2 -pipe   -c /usr/src/usr.sbin/nsd/packet.c
cc -I. -I/usr/src/usr.sbin/nsd -O2 -pipe   -c /usr/src/usr.sbin/nsd/options.c
cc -I. -I/usr/src/usr.sbin/nsd -O2 -pipe   -c /usr/src/usr.sbin/nsd/nsec3.c
cc -I. -I/usr/src/usr.sbin/nsd -O2 -pipe   -c /usr/src/usr.sbin/nsd/nsd-xfer.c
/usr/src/usr.sbin/nsd/nsd-xfer.c:175: error: static declaration of
'tsig_get_algorithm_by_id' follows non-static declaration
/usr/src/usr.sbin/nsd/tsig.h:161: error: previous declaration of
'tsig_get_algorithm_by_id' was here
*** Error 1 in target 'nsd-xfer.o'
*** Error 1 in usr.sbin/nsd/obj (Makefile:330 'nsd-xfer.o')
*** Error 2 in usr.sbin/nsd (Makefile.bsd-wrapper:39 'gnu')
*** Error 2 in usr.sbin (bsd.subdir.mk:48 'all')
*** Error 2 in . (bsd.subdir.mk:48 'all')
*** Error 2 in /usr/src (Makefile:85 'build')



Re: problem compiling userland in -current

2013-02-24 Thread Chris Smith
On Sun, Feb 24, 2013 at 4:10 PM, Stuart Henderson <s...@spacehopper.org> wrote:
> It seems your tree is not clean, the tsig_get_algorithm_by_id prototype
> which it's complaining about was removed in tsig.h r1.1.1.3.

I re-ran cvs up which was clean (no changes) and did a make build
(after the other steps) instead of make -j3 -B -P build in case that
would matter and still get:
===
cc -I. -I/usr/src/usr.sbin/nsd -O2 -pipe   -c /usr/src/usr.sbin/nsd/nsd-xfer.c
/usr/src/usr.sbin/nsd/nsd-xfer.c:175: error: static declaration of
'tsig_get_algorithm_by_id' follows non-static declaration
/usr/src/usr.sbin/nsd/tsig.h:161: error: previous declaration of
'tsig_get_algorithm_by_id' was here
*** Error 1 in usr.sbin/nsd/obj (Makefile:330 'nsd-xfer.o')
===

A week or so ago there was no problem with my -current upgrade.

I'm using the Boulder, CO anon cvs.



Re: problem compiling userland in -current

2013-02-24 Thread Chris Smith
On Sun, Feb 24, 2013 at 4:10 PM, Stuart Henderson <s...@spacehopper.org> wrote:
> It seems your tree is not clean, the tsig_get_algorithm_by_id prototype
> which it's complaining about was removed in tsig.h r1.1.1.3.

I have plenty of tsig.h files:
===
locate tsig.h
/usr/local/include/ldns/tsig.h
/usr/src/usr.sbin/bind/lib/dns/include/dns/tsig.h
/usr/src/usr.sbin/nsd/tsig.h
/usr/src/usr.sbin/unbound/ldns/ldns/tsig.h
===

Not sure whether or not the packaged unbound (AFAIK it isn't yet being
built in userland) with its corresponding ldns might be causing a
conflict.



Re: problem compiling userland in -current

2013-02-24 Thread Chris Smith
On Sun, Feb 24, 2013 at 6:04 PM, Alexander Hall <alexan...@beard.se> wrote:
> $ cvs up -dAP

That didn't help :-(



Re: dhcp and dns

2013-02-04 Thread Chris Smith
On Sat, Feb 2, 2013 at 11:56 PM, bofh <goodb...@gmail.com> wrote:
> I'm running 5.2.  And starting to have more and more things that need
> IP addresses pop in and out of the house.  Rather than hardcoding
> everything into dhcpd.conf, I thought I'd check with you guys to see
> what you use to have new devices register into DNS?

I'm just trying to figure out why the need for DNS entries for such
ad-hoc things that "pop in and out of the house". They get an IP
config from DHCP and they just work. What am I missing?

Chris



Re: dhcpd not starting

2013-01-01 Thread Chris Smith
On Tue, Jan 1, 2013 at 7:59 AM, MERIGHI Marcus <mcmer-open...@tor.at> wrote:
> I could not figure out which dhcp option(s) you are referring to. Please
> specify option number and RFC number.
>
> For options with names see:
> dhcp-options(5) (being reworked currently)
> /usr/src/usr.sbin/dhcpd/tables.c
>
> For options without names use e.g. ``option-252''
>
>> thereby keeping the created *_ip_tables more
>
> Do you mean pf.conf(5) tables here? Or dhcp leases table
> (/var/db/dhcpd.leases)?
>
>> up-to-date. Option space is also good for preventing some of the WPAD
>> nonsense and assisting in NetBIOS configurations.
>
> Could you be more specific, please?

Hopefully this commented section of dhcpd.conf I normally use will help:
=
#windoze
option space windoze;
option windoze.nbt      code 1 = unsigned integer 32;
option windoze.release  code 2 = unsigned integer 32;
option windoze.metric   code 3 = unsigned integer 32;
# 1 = enable NetBIOS over TCP
# 2 = disable NetBIOS over TCP
option windoze.nbt 1;
# 1 = send DHCPRELEASE on shutdown
option windoze.release 1;
# default route cost metric
option windoze.metric 1;
#/windoze
option wpad-url code 252 = text;
option wpad-url "\n\000";
#option wpad-url "http://192.168.99.123/proxy.pac\n";

if substring (option vendor-class-identifier, 0, 8) = "MSFT 5.0" {
    vendor-option-space windoze;
    option netbios-node-type 8;
}
=

Is any of this available in base dhcpd? Maybe I'm just missing it.

Thanks,

Chris
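What that dhcpd.conf fragment produces on the wire, as an added example (not ISC or OpenBSD dhcpd code): the three "windoze" sub-options are encapsulated inside DHCP option 43, vendor-specific information, as their own code/length/value list per RFC 2132 section 8.4; option 252 goes out as plain text; and the vendor space is only attached when the first 8 bytes of the client's vendor-class-identifier (option 60) read "MSFT 5.0". The client class strings below are constructed for the example.

```python
"""Wire encoding of a dhcpd vendor option space (added example, not dhcpd's code).

Mirrors the dhcpd.conf fragment: a "windoze" option space whose three
32-bit sub-options are encapsulated in option 43, a text option 252
(wpad-url) sent to everyone, and a netbios-node-type override that is
only added for clients whose option 60 starts with "MSFT 5.0".
"""
import struct

MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 option-field magic cookie
END = 255


def encapsulate(subopts):
    """Pack {sub-code: bytes} into an RFC 2132 8.4 encapsulated payload."""
    out = bytearray()
    for code, value in subopts.items():
        if not 1 <= code <= 254 or len(value) > 255:
            raise ValueError(f"bad sub-option {code}")
        out += bytes([code, len(value)]) + value
    out.append(END)   # an END tag inside option 43 is permitted by RFC 2132 8.4
    return bytes(out)


def windoze_space(nbt=1, release=1, metric=1):
    """The three 'unsigned integer 32' sub-options, network byte order."""
    return encapsulate({1: struct.pack("!I", nbt),        # windoze.nbt
                        2: struct.pack("!I", release),    # windoze.release
                        3: struct.pack("!I", metric)})    # windoze.metric


def options_for_client(vendor_class):
    """Option set the config fragment yields for a client with this option 60."""
    opts = {252: b"\n\x00"}                 # option wpad-url "\n\000"
    if vendor_class[:8] == b"MSFT 5.0":     # substring(option vendor-class-identifier, 0, 8)
        opts[43] = windoze_space()          # vendor-option-space windoze
        opts[46] = bytes([8])               # option netbios-node-type 8 (hybrid)
    return opts


def serialize(opts):
    """Render an option dict as a DHCP option field: cookie, TLVs, END."""
    out = bytearray(MAGIC)
    for code in sorted(opts):
        value = opts[code]
        if len(value) > 255:
            raise ValueError("option longer than 255 bytes needs splitting")
        out += bytes([code, len(value)]) + value
    out.append(END)
    return bytes(out)


if __name__ == "__main__":
    # constructed client class strings, not captured traffic
    for cls in (b"MSFT 5.0", b"udhcp 1.21.1"):
        print(cls, serialize(options_for_client(cls)).hex())
```

The sorted() in serialize() is only for a stable layout; DHCP does not require any option order, and a real server also has to split values longer than 255 bytes across repeated options, which this example refuses rather than implements.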



dhcpd not starting

2012-12-31 Thread Chris Smith
Maybe it's a problem due to Unbound being a package and not part of
the core system, but a normal configuration such as:

host hostname.example.com  {
  hardware ethernet 00:1a:80:f4:75:ad;
  fixed-address hostname.example.com;
  }

has to be rewritten as:

host hostname.example.com  {
  hardware ethernet 00:1a:30:64:75:bc;
  fixed-address 172.38.202.17;
  }

thereby duplicating efforts or dhcpd will not start on reboot since
pkg scripts start after everything else and Unbound has not yet been
started.

Also as nice as it is to have the core dhcpd create pf tables it has
otherwise very limited functionality, such as lack of support for
option space, which can be used to request a system release its
lease on shutdown thereby keeping the created *_ip_tables more
up-to-date. Option space is also good for preventing some of the WPAD
nonsense and assisting in NetBIOS configurations.

Using the packaged dhcpd would most likely eliminate the startup issue
and provide the missing dhcpd functionality but one would also lose
the tight pf integration.



Re: cvs up failing on -current

2012-12-30 Thread Chris Smith
That works fine. Thanks!

On Sat, Dec 29, 2012 at 7:47 PM, Philip Guenther <guent...@gmail.com> wrote:
> Whoops, the obj directory got added to cvs.  It'll cause problems for
> cvs up -d until we can verify that the mirrors won't be broken when
> we remove it.  For you, for now, the following steps should fix your
> check out:



cvs up failing on -current

2012-12-29 Thread Chris Smith
Trying to keep -current and am getting this message when doing a cvs up:

cvs [update aborted]: could not chdir to regress/misc/sse2/foo/obj/:
No such file or directory


It's there:

# ls regress/misc/sse2/foo/obj
regress/misc/sse2/foo/obj


But it is a symlink:

# ls -al regress/misc/sse2/foo/obj
lrwxr-xr-x  1 root  wsrc  30 Dec 24 13:47 regress/misc/sse2/foo/obj -> /usr/obj/regress/misc/sse2/foo

# ls -al regress/misc/sse2/foo/
total 20
drwxr-xr-x  3 root  wsrc  512 Dec 24 13:47 .
drwxr-xr-x  5 root  wsrc  512 Dec 24 12:58 ..
drwxr-xr-x  2 root  wsrc  512 Dec 24 13:25 CVS
-rw-r--r--  1 root  wsrc  315 Dec 24 12:58 Makefile
-rw-r--r--  1 root  wsrc  429 Dec 24 12:58 foo.c
lrwxr-xr-x  1 root  wsrc   30 Dec 24 13:47 obj -> /usr/obj/regress/misc/sse2/foo


How to solve?

Thanks,

Chris



Re: ftps?

2012-11-30 Thread Chris Smith
On Fri, Nov 30, 2012 at 7:47 AM, Stuart Henderson <s...@spacehopper.org> wrote:
> Not exactly, but you might be able to do something with this, *before*
> your ftp-proxy rule:
>
> pass out quick proto tcp to 0.0.0.0/0 port 8821 rdr-to 0.0.0.0/0 port 21
> bitmask
>
> Then if you tell your ftp client to connect to port 8821 it would get
> redirected to port 21 and skip ftp-proxy. You would still need rules to
> permit data connections as of course the commands in the control
> connection cannot be inspected (though changing active/passive may help
> there).

Creative! Unfortunately the client side runs some embedded script so
changing the outbound port is not possible. But I like the idea.

Thanks,

Chris



Re: ftps?

2012-11-29 Thread Chris Smith
On Wed, Nov 28, 2012 at 12:48 PM, Chris Smith <obsd_m...@chrissmith.org> wrote:
> Looks like skipping ftp-proxy for that target address works. Thanks!

Is there any way to make this work automagically for ftps?
Right now I'm doing this:

anchor ftp-proxy/*
pass in quick on $int_if inet proto tcp from int_net to !$ftps_srvr
port ftp rdr-to 127.0.0.1 port 8021

Which works around using ftp-proxy for that particular ftps server.
But is there a way to recognize an ftps attempt and skip ftp-proxy
dynamically? Then one would not need to know the ftps servers IP
address in advance.

Thanks,

Chris



Re: ftps?

2012-11-28 Thread Chris Smith
On Wed, Nov 28, 2012 at 7:29 AM, Stuart Henderson <s...@spacehopper.org> wrote:
> If the control connection is encrypted as with ftp+tls, then ftp-proxy
> *cannot* work, as it cannot read the commands. So, if this is with NAT,
> you can't rely on ftp-proxy to fix things up, you will need ftp+tls
> software where you can manually set the external address.

Yes, it's ftp+tls.
This works with a standard home router (don't know what they're doing
to allow it and ftp to work fine), but not with the OpenBSD firewall.
It is only one server that I have to deal with so if I skip ftp-proxy
for that one target address should it work OK then?

Thanks,

Chris



Re: ftps?

2012-11-28 Thread Chris Smith
On Wed, Nov 28, 2012 at 1:43 PM, Hugo Osvaldo Barrera
<h...@osvaldobarrera.com.ar> wrote:
> Since you say this works with a standard home router, have you checked
> if maybe the server software uses nat pmp or something similar for port
> redirection?

I tested it with an Asus RT-AC66U with its UPnP feature disabled and
it worked fine, as does standard ftp. But no outbound ports were being
blocked.

Bypassing ftp-proxy for the target server seems to work for the
OpenBSD box. Although I needed the extra ports open.



ftps?

2012-11-27 Thread Chris Smith
Having some issues with a client system attempting to use a product called
MoveItFreely to connect to server via FTPS (FTP with TLS). The firewall is
running a snapshot from April 3, 2011 of version 4.9.

I have added a pass rule for the additional (to port 21) requested ports of
989, 990, and 5:52000 but still having connection problems. Just
wondering if the ftp-proxy would be interfering this. Also wonder why
anyone in their right mind would use FTPS!?

Thanks,

Chris



Ubiquiti EdgeMax

2012-09-12 Thread Chris Smith
The Edge Router Lite looks to be a sweet box:

http://www.ubnt.com/edgemax

Dual-core MIPS64 processor with hardware acceleration for packet
processing and encryption/decryption.

Only 99 USD, wonder if OpenBSD can run on it and take advantage of the
hardware acceleration.



Re: OpenBSD is just an OS, not a firewall...

2012-06-10 Thread Chris Smith
On Sat, Jun 9, 2012 at 11:52 PM, Lars Hansson romaby...@gmail.com wrote:
 Hmm..I get "This post could not be found."

Apparently the original post has been deleted by its author. His
prerogative, but I think it's in bad taste to create such history
gaps.



Re: OpenBSD is just an OS, not a firewall...

2012-06-10 Thread Chris Smith
On Sun, Jun 10, 2012 at 1:58 PM, Ted Unangst t...@tedunangst.com wrote:
 The original post had nothing to do with OpenBSD, some nitwit hijacked
 the comment thread.  I don't think the author has any obligation to
 play host to a battleground.

The original post was about IPv6, someone commented that he couldn't
do IPv6 because of problems with his pfSense firewall. I suggested he
switch to OpenBSD to ameliorate the issue and that's when he shot off
that it isn't a firewall, blah, blah, blah. I saw the comment thread
as more of a segue than a hijack.



OpenBSD is just an OS, not a firewall...

2012-06-08 Thread Chris Smith
... if you really want a firewall you need pfSense.

Also if you walk into any security experts convention and claim that
raw OpenBSD is a firewall, you will get laughed out of the room for
lack of clue.

Guess I've been wrong all these years: see the comments to
https://plus.google.com/u/0/104027218792812194992/posts/K3NsGE2UrCe



Re: Unbound

2012-05-25 Thread Chris Smith
On Fri, May 25, 2012 at 2:37 PM, Geoff Steckel g...@oat.com wrote:
 Thanks very much! I think using NSD for the outward facing authoritative
 service makes sense. Retaining BIND is probably best for the internal
 service
 since I see no way to add the local domains, etc. to unbound/nsd while
 retaining recursive search of external servers. It may be possible.
 I just can't see how to do it without truly complex setup.

At least in the simple cases I use it's pretty straightforward.

NSD is pure authoritative. Unbound is a resolver/cache, plus it can serve
up local data, that is, data that we configure it to serve up; it does
not retrieve it from elsewhere. The local data has some limitations (I
don't believe it serves up all record types, for one) but it can be
sufficient in many cases. If one needs more complicated authoritative
data, with referrals, wildcards, CNAME/DNAME support, or DNSSEC
authoritative service, then use a stub-zone.

You can run NSD for the outside world, and Unbound can serve up the
local data or you can run another copy of NSD for your inside data if
your needs are greater than Unbound's local data (I don't serve
authoritative data to the outside world so I only use one copy of NSD
- could probably get away with Unbound only these days as its local
data serving has really improved).

Quick overview:

Unbound serves local data directly:
==
local-data: host10.myinternal.com. A 192.168.1.10
local-data: host11.myinternal.com. A 192.168.1.11
==

Unbound gets data from NSD:
==
private-domain: myinternal.com
(above necessary if you want to serve up RFC1918 address from the stub zone)
stub-zone:
   name: myinternal.com
   stub-addr: 127.0.0.1 (here NSD is running on localhost)
OR
   stub-addr: 192.168.1.1@5353 (here NSD is on alt port)
==

Unbound forwards requests to another cache for a specific domain:
==
forward-zone:
   name: zapster.example
   forward-addr: 172.34.78.1
==

Briefly (and a bit too simplistically), anything not in local-zone,
local-data, stub-zone or forward-zone will get resolved via root
servers.

If you use a DNS service such as OpenDNS, Google Public DNS, etc. you
can forward all queries not previously defined by:
==
forward-zone:
   name: .
   forward-addr: 8.8.8.8
   forward-addr: 8.8.4.4
==

Let's say you appreciate the domain blocking that something like
OpenDNS provides but you don't like the way it hijacks some domains,
such as google.com. Order your forward zones like so:
==
forward-zone:
   name: google.com
   forward-addr: 8.8.8.8
   forward-addr: 8.8.4.4

forward-zone:
   name: .
   forward-addr: 208.67.222.222
   forward-addr: 208.67.220.220
==

Using local-zone you can easily block domains as well:
==
local-zone: facebook.com. refuse
local-zone: fb.me. refuse
==
One way to keep facebook from tracking you :)

Use it to stop the isatap and wpad nonsense:
==
local-zone: isatap.myinternal.com. refuse
local-zone: wpad.myinternal.com. refuse
local-zone: wpad.com. refuse
local-zone: wpad. refuse
==
(working in a Windows wonderland)

Just trying to give you an idea how flexible it really is. Between
local-zones, local-data, stub-zones, forward-zones and resolving you
may find it fits in nicely.

Chris
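As an added illustration (my code, not part of Chris's post or of Unbound itself), the Python below models which of the mechanisms above answers a given name: exact local-data first, then a local-zone policy, then the closest enclosing stub/forward zone (so the google.com forward-zone wins over the "." catch-all), and finally ordinary recursion; it also models why the stub zone needs private-domain before it may return RFC1918 addresses. The config fragment is stitched together from the snippets in the post, and the private-address list is an assumption that the post does not show.

```python
import ipaddress
# Constructed unbound.conf fragment stitched from the post's snippets (not a file from the page);
# the private-address list further down is an assumption, the post shows none.
UNBOUND_FRAGMENT = """
private-domain: myinternal.com
local-data: "host10.myinternal.com. A 192.168.1.10"
local-zone: facebook.com. refuse
stub-zone:
   name: myinternal.com
   stub-addr: 127.0.0.1
forward-zone:
   name: google.com
   forward-addr: 8.8.8.8
forward-zone:
   name: .
   forward-addr: 208.67.222.222
"""
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def norm(name):
    """Lowercase and drop the trailing dot; the root zone becomes ''."""
    return name.lower().rstrip(".")

def parse(text):
    """Tiny parser for just the directives the post uses."""
    cfg = {"local_data": {}, "local_zone": {}, "zones": {}, "private_domain": set()}
    block = None  # the stub-zone / forward-zone clause currently being read
    for raw in text.splitlines():
        key, _, val = [s.strip() for s in raw.strip().partition(":")]
        if key in ("stub-zone", "forward-zone"):
            block = {"kind": key.split("-")[0], "addrs": []}
        elif block and key == "name":
            cfg["zones"][norm(val)] = (block["kind"], block["addrs"])  # list shared with addr lines
        elif block and key in ("stub-addr", "forward-addr"):
            block["addrs"].append(val)
        elif key == "local-data":
            owner, rtype, rdata = val.strip('"').split()
            cfg["local_data"][norm(owner)] = (rtype, rdata)
        elif key == "local-zone":
            zone, ztype = val.split()
            cfg["local_zone"][norm(zone)] = ztype
        elif key == "private-domain":
            cfg["private_domain"].add(norm(val))
    return cfg

def closest_zone(qname, zones):
    """Most specific name in `zones` enclosing qname ('' is the root), or None."""
    labels = norm(qname).split(".") if norm(qname) else []
    for i in range(len(labels) + 1):
        cand = ".".join(labels[i:])
        if cand in zones:
            return cand
    return None

def classify(cfg, qname):
    """Which mechanism answers qname: local-data, local-zone, closest stub/forward zone, else recursion."""
    q = norm(qname)
    if q in cfg["local_data"]:
        return ("local-data",) + cfg["local_data"][q]
    lz = closest_zone(q, cfg["local_zone"])
    if lz is not None:
        return ("local-zone", lz, cfg["local_zone"][lz])
    z = closest_zone(q, cfg["zones"])
    if z is not None:
        return (cfg["zones"][z][0], z, cfg["zones"][z][1])
    return ("recurse", "", [])

def answer_allowed(cfg, qname, ip):
    """private-address model: RFC1918 answers are dropped unless qname is under a private-domain."""
    private = any(ipaddress.ip_address(ip) in n for n in PRIVATE_NETS)
    return not private or closest_zone(qname, cfg["private_domain"]) is not None
```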



strange dmesg/log entries

2012-05-21 Thread Chris Smith
Running -current (updated 5/19/12) and saw these entries today:
=
pf: pfi_table_update: cannot set 1 new addresses into table fxp1:0: 12
pf: pfi_table_update: cannot set 1 new addresses into table fxp1:network: 12
pf: pfi_table_update: cannot set 1 new addresses into table fxp1: 12
=

fxp1 is my external interface, I get one dynamic IP address from my
cable provider (although it hasn't changed in months).

Any clues?

Thanks,

Chris



Re: Unbound

2012-05-21 Thread Chris Smith
On Mon, May 21, 2012 at 3:30 PM, Geoff Steckel g...@oat.com wrote:
 My site needs both split horizon and pretty complete authoritative support.
 Does anyone have suggestions about BIND replacement(s) for this scenario?

NSD for authoritative and Unbound (both from NLnet Labs of Amsterdam)
for caching resolver should do just fine. NSD is used on the RIPE root
nameserver so I'm guessing it can handle your environment. And Unbound
is its resolver/cache counterpart. Check out the NSD and Unbound
websites; they both have mailing lists as well.

The setup is (logically) not unlike djbdns if you're familiar with it,
where tinydns was the authoritative server and dnscache was the
resolver/cache.

NSD uses BIND style zonefiles which may ease the change.

Chris



Re: unbound

2012-05-20 Thread Chris Smith
On Sat, May 19, 2012 at 5:05 PM, Stuart Henderson s...@spacehopper.org wrote:
 I'll try and find time to properly review the diff to add it to
 the system infrastructure (/etc/rc and /etc/rc.d parts etc) in the
 next week or so. I am pretty confident in unbound itself but
 the system integration is less well-tested so it needs a more
 careful look.

Great. Thanks!



unbound

2012-05-19 Thread Chris Smith
As unbound is now in base but not yet built by default how is it built
in order to test it (is it a simple 'make install' or is more
involved)? How to add it to the list that gets built with a make
build of userland (or is this even safe)? Or is it simply best to use
packages or ports at this time?

Thank you,

Chris



VPN questions

2012-05-11 Thread Chris Smith
Would like to tunnel the net traffic from my (android) cell phone (and
tablet if I ever get one) through my soho OpenBSD firewall/router when
I'm connected to untrusted and/or open wifi. My outside/public IP is
not fixed (cable) but it rarely changes and I do have a ddns hostname.
Is this possible? Or do I need a second outside IP address? Any
tutorials if it is doable?

Thanks,

Chris



Static or dynamic code analysis software

2012-01-16 Thread Chris Smith
Hi,

Are there any dynamic or static C code analysis tools available for
OpenBSD? I've historically used valgrind on Linux and whilst I know it
is not compatible with OpenBSD, I'd still like to be able to check that
I've not made any hideous cock-ups in my code.

A few minutes of poking around the Internet returned nothing useful
unfortunately.

Best Regards,

Chris Smith



Re: OpenBSD/amd64 runs on computers equipped with AMD Athlon64

2011-12-13 Thread Chris Smith
On Tue, Dec 13, 2011 at 7:32 AM,  sc...@web.de wrote:
 It is no discovery, I continuously change the computer. Right now searching
 for an old one that does not consume much electricity. The best is a Siemens
 with a Celeron, 800MHz, the whole machine consumes 32W when idle, but goes
 to 42W or more when I do a little thing like starting the browser.

I've built up several of the Supermicro SYS-5015A-EHF boxes (1U rack,
dual core 1.66G Atom, dual Gb Intel LAN, IPMI) with 4GB and an SSD,
uses less than 25W at idle and less than 30W doing a -j3 userland build
(according to my cheap little wattage testing device).



Re: af-to error?

2011-12-06 Thread Chris Smith
On Tue, Dec 6, 2011 at 12:50 PM, Stuart Henderson s...@spacehopper.org wrote:
 in the meantime, adding inet to the line is likely to help.

Indeed, thank you.



af-to error?

2011-12-05 Thread Chris Smith
Having some issues with -current.

This line in pf.conf:
match out on $ext_if from my_net to any nat-to $ext_ad0

Generates the following error:
# pfctl -n -f /etc/pf.conf
/etc/pf.conf:41: af-to is not supported on match rules
/etc/pf.conf:41: skipping rule due to errors
/etc/pf.conf:41: rule expands to no valid combination

However in an earlier release (a not so current version of 4.9
-current) the syntax works fine.

And so far I have been unable to get:
match out on $ext_if from $my_if to any nat-to $ext_ad0
or
match out on $ext_if from $my_if:network to any nat-to $ext_ad0
to actually work although they parse properly.

man pf.conf has no entry for af-to



Re: USB mouse

2011-10-26 Thread Chris Smith
On Wed, Oct 26, 2011 at 7:22 PM, Zantgo zan...@gmail.com wrote:
 WTF? I use OpenBSD and hate the other operating systems

Don't listen to those posts - clearly you need the Windows 7 drivers
if you're running -current.



Re: Quad-Gigabit 1U mini-itx board recommendations?

2011-10-01 Thread Chris Smith
On Sat, Oct 1, 2011 at 11:18 AM, Joe S js.li...@gmail.com wrote:
 Since I don't actually need 4 NICs, I'm looking at the new Intel
 S1200KP (mini-itx 1155 board with dual intel nics). I can put a g620t
 and get the same power consumption rates as an atom d525, for the same
 prices as the Soekris. Plus I can always upgrade my processor down the
 line.

Looks pretty sweet. Ran across this while checking out those items:
http://www.xbitlabs.com/articles/cpu/display/core-i5-2500t-2390t-i3-2100t-pentium-g620t.html



Re: -current userland not building

2011-09-28 Thread Chris Smith
On Fri, Sep 23, 2011 at 11:34 AM, Amit Kulkarni amitk...@gmail.com wrote:
 Yes, it happens when you start out. Look Nick added this because of you :-)
 http://www.openbsd.org/faq/current.html#20110919

Thank you Nick :)

However, I just realized that:
http://www.openbsd.org/faq/current.html#20110919

is not the same as:
http://openbsd.org/faq/current.html#20110919

The site at http://openbsd.org is not in sync with http://www.openbsd.org/.

Chris



Re: -current userland not building

2011-09-28 Thread Chris Smith
On Wed, Sep 28, 2011 at 3:00 PM, Amit Kulkarni amitk...@gmail.com wrote:
 The site at http://openbsd.org is not in sync with http://www.openbsd.org/.

 Yes, they are different. It's addressed already in the archives multiple times.

Found a thread from 2007 where Theo states www.openbsd.org is a
mirror on a good network connection but is this still the case? Can
one have a mirror that is more up-to-date than the source?



Re: -current userland not building

2011-09-28 Thread Chris Smith
On Wed, Sep 28, 2011 at 3:59 PM, Nick Holland
n...@holland-consulting.net wrote:
 quit using the site without the www's. :)

Yes, I've made a mental note to that effect and already edited my bookmarks.

 nowww.openbsd.org is not the source and never was (at least in the ten
 years I've been on the project).

That 'splains it :)

Thanks.



Re: -current userland not building

2011-09-23 Thread Chris Smith
On Fri, Sep 23, 2011 at 3:56 AM, Tomas Bodzar tomas.bod...@gmail.com wrote:
 Mmmm are you on alpha or landisk that you follow those instructions?

No, but I think a landshark was knocking at the door at the time and
interrupted my train of thought :)

In reality, the instructions weren't labelled for any particular
architecture and I blindly followed them.

But I am thinking that something else is wrong as apparently userland
should build with gcc-3.x (yes?) and I see the same failure now, with
gcc-4.x, after installing the comp set from a snapshot.

Chris



Re: -current userland not building

2011-09-22 Thread Chris Smith
It seems I've followed the instructions labelled "2011/09/19 - thread
model posix enabled for gcc 3" at
http://openbsd.org/faq/current.html#20110919, and mistakenly so, which
is probably why userland won't build, as that process has replaced
gcc-4.x with gcc-3.x.

If indeed that is the case, the question is, how do I get gcc-4.x back ?

Thanks,

Chris

On Wed, Sep 21, 2011 at 12:01 PM, Chris Smith obsd_m...@chrissmith.org
wrote:
 Problems building -current userland:
 ==
 === libcurses
 cc -O2 -pipe -g -I. -I/usr/src/lib/libcurses -c codes.c -o codes.o
 cc -O2 -pipe -g -I. -I/usr/src/lib/libcurses -c comp_captab.c -o comp_captab.o
 cc -O2 -pipe -g -I. -I/usr/src/lib/libcurses -c expanded.c -o expanded.o
 cc -O2 -pipe -g -I. -I/usr/src/lib/libcurses -c fallback.c -o fallback.o
 cc -O2 -pipe -g -I. -I/usr/src/lib/libcurses -c lib_gen.c -o lib_gen.o
 lib_gen.c:27: error: conflicting types for `addchnstr'
 /usr/src/lib/libcurses/curses.h:531: error: previous declaration of
`addchnstr'
 lib_gen.c:34: error: conflicting types for `addchstr'
 /usr/src/lib/libcurses/curses.h:532: error: previous declaration of
`addchstr'
 lib_gen.c:41: error: conflicting types for `addnstr'
 /usr/src/lib/libcurses/curses.h:533: error: previous declaration of
`addnstr'
 lib_gen.c:48: error: conflicting types for `addstr'
 snip
 lib_gen.c:1522: error: conflicting types for `waddwstr'
 /usr/src/lib/libcurses/curses.h:1483: error: previous declaration of
`waddwstr'
 lib_gen.c:1558: error: conflicting types for `wins_wstr'
 /usr/src/lib/libcurses/curses.h:1499: error: previous declaration of
`wins_wstr'
 *** Error code 1

 Stop in /usr/src/lib/libcurses (line 92 of /usr/share/mk/sys.mk).
 *** Error code 1

 Stop in /usr/src/lib (line 48 of /usr/share/mk/bsd.subdir.mk).
 *** Error code 1

 Stop in /usr/src (line 80 of Makefile).
 ==

 Clues please.

 Chris



Re: -current userland not building

2011-09-22 Thread Chris Smith
On Thu, Sep 22, 2011 at 7:26 PM, Brynet bry...@gmail.com wrote:
 you may be able to extract the comp set

I did extract the comp set from the latest snapshot and gcc-4.x was returned.
However, once again the kernel compiled fine but I received the same
error with the userland.

Chris



-current userland not building

2011-09-21 Thread Chris Smith
Problems building -current userland:
==
=== libcurses
cc -O2 -pipe -g -I. -I/usr/src/lib/libcurses -c codes.c -o codes.o
cc -O2 -pipe -g -I. -I/usr/src/lib/libcurses -c comp_captab.c -o comp_captab.o
cc -O2 -pipe -g -I. -I/usr/src/lib/libcurses -c expanded.c -o expanded.o
cc -O2 -pipe -g -I. -I/usr/src/lib/libcurses -c fallback.c -o fallback.o
cc -O2 -pipe -g -I. -I/usr/src/lib/libcurses -c lib_gen.c -o lib_gen.o
lib_gen.c:27: error: conflicting types for `addchnstr'
/usr/src/lib/libcurses/curses.h:531: error: previous declaration of `addchnstr'
lib_gen.c:34: error: conflicting types for `addchstr'
/usr/src/lib/libcurses/curses.h:532: error: previous declaration of `addchstr'
lib_gen.c:41: error: conflicting types for `addnstr'
/usr/src/lib/libcurses/curses.h:533: error: previous declaration of `addnstr'
lib_gen.c:48: error: conflicting types for `addstr'
snip
lib_gen.c:1522: error: conflicting types for `waddwstr'
/usr/src/lib/libcurses/curses.h:1483: error: previous declaration of `waddwstr'
lib_gen.c:1558: error: conflicting types for `wins_wstr'
/usr/src/lib/libcurses/curses.h:1499: error: previous declaration of `wins_wstr'
*** Error code 1

Stop in /usr/src/lib/libcurses (line 92 of /usr/share/mk/sys.mk).
*** Error code 1

Stop in /usr/src/lib (line 48 of /usr/share/mk/bsd.subdir.mk).
*** Error code 1

Stop in /usr/src (line 80 of Makefile).
==

Clues please.

Chris



pf table creation query

2011-08-08 Thread Chris Smith
Searching for a method to create a table based on the contents of a file,
but slightly modified, without needing to modify the file itself.

Non-modified example is:
table fromfile persist file /mypath/assortedaddresses

Yet, attempts to modify do not work:
table fromfile persist { !x.x.x.x/y, file /mypath/assortedaddresses }
or:
table fromfile persist { file /mypath/assortedaddresses, !x.x.x.x/y }
generating:
/etc/pf.conf:25: syntax error

Also tried to create a new table by modifying the old one:
table modfromfile persist { fromfile, !x.x.x.x/y }
or:
table modfromfile persist { !x.x.x.x/y, fromfile }
and get:
/etc/pf.conf:25: tables cannot contain tables

Am I missing the proper syntax or is this not currently possible?

Thanks,

Chris



PCIe wireless cards

2011-07-22 Thread Chris Smith
Hello,

I'm not seeing any PCIe wireless devices listed under amd64 supported
hardware. Does anyone know of any g/n PCIe cards that work in host AP
mode?

Thank you,

Chris



Re: em0: watchdog timeout with -current

2011-07-04 Thread Chris Smith
Breakage happens with revision 1.258 (the MSI one), rev 1.257 and
earlier work fine. Thanks to all who helped.

Chris

On Sun, Jul 3, 2011 at 8:41 PM, Theo de Raadt dera...@cvs.openbsd.org
wrote:
 Between a working kernel and a non-working kernel these two commits to
 the em driver were made:

 Then tell us which it is. You've got the hardware.

 
 CVSROOT:      /cvs
 Module name:  src
 Changes by:   kette...@cvs.openbsd.org  2011/06/03 07:06:06

 Modified files:
        sys/dev/pci    : if_em.c

 Log message:
 Fix em_write_pci_cfg() and em_read_pci_cfg() to avoid unaligned access, and
 make em_write_pci_cfg() do a proper read/modify/write cycle, to avoid changing
 the neighbouring 16 bits. Also remove the comment in em_pci_set_mwi() and
 em_pci_clear_mwi(); writing 0 to the status bits in the command/status word
 is the right thing to do. Fixes a panic on sparc64 and other strict alignment
 architectures.

 ok deraadt@
 
 CVSROOT:      /cvs
 Module name:  src
 Changes by:   kette...@cvs.openbsd.org  2011/06/16 07:21:00

 Modified files:
        sys/dev/pci    : if_em.c

 Log message:
 Enable MSI on newish PCIe hardware, essentially everything handled by the Linux
 e1000e driver (which enables MSI as well), leaving everything handled by the
 old Linux e1000 driver (which doesn't enable MSI) use legacy interrupts.

 tested by many; ok jsg@
 

 Have no idea if it is a driver issue but if it is this info. might assist.

 Thanks,

 Chris

 On Sun, Jul 3, 2011 at 5:08 PM, Chris Smith obsd_m...@chrissmith.org
wrote:
  System is hanging and I'm getting these errors after upgrading to
-current:
  ==
  em0: watchdog timeout -- resetting
  em0: watchdog timeout -- resetting
  ==
 
  I can still boot and run with the old kernel but the new one is not
working.
 
  From dmesg:
  ==
  bios0 at mainbus0: AT/286+ BIOS, date 06/27/03, BIOS32 rev. 0 @
  0xf0010, SMBIOS rev. 2.3 @ 0xfc940 (62 entries)
  bios0: vendor Intel Corp. version LY84510A.86A.0043.P17.0306270645
  date 06/27/2003
  bios0: Intel Corporation D845GLAD
  acpi0 at bios0: rev 0
  acpi0: sleep states S0 S1 S4 S5
  acpi0: tables DSDT FACP APIC ASF!
  acpi0: wakeup devices P0P1(S4) UAR1(S4) USB0(S4) USB1(S4) USB2(S4)
  USB3(S4) AC97(S4) SLPB(S4)
  acpitimer0 at acpi0: 3579545 Hz, 24 bits
  acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
  cpu0 at mainbus0: apid 0 (boot processor)
  cpu0: apic clock running at 99MHz
  ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins
  acpiprt0 at acpi0: bus 0 (PCI0)
  acpiprt1 at acpi0: bus 1 (P0P1)
  acpicpu0 at acpi0
  acpipwrres0 at acpi0: URP1
  acpipwrres1 at acpi0: URP2
  acpipwrres2 at acpi0: FDDP
  acpipwrres3 at acpi0: LPTP
  acpibtn0 at acpi0: SLPB
  snip
  em0 at pci1 dev 2 function 0 Intel PRO/1000MT (82540EM) rev 0x02:
  apic 1 int 18, address 00:07:e9:01:67:1b
  ==



em0: watchdog timeout with -current

2011-07-03 Thread Chris Smith
System is hanging and I'm getting these errors after upgrading to -current:
==
em0: watchdog timeout -- resetting
em0: watchdog timeout -- resetting
==

I can still boot and run with the old kernel but the new one is not working.

From dmesg:
==
bios0 at mainbus0: AT/286+ BIOS, date 06/27/03, BIOS32 rev. 0 @
0xf0010, SMBIOS rev. 2.3 @ 0xfc940 (62 entries)
bios0: vendor Intel Corp. version LY84510A.86A.0043.P17.0306270645
date 06/27/2003
bios0: Intel Corporation D845GLAD
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC ASF!
acpi0: wakeup devices P0P1(S4) UAR1(S4) USB0(S4) USB1(S4) USB2(S4)
USB3(S4) AC97(S4) SLPB(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 99MHz
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (P0P1)
acpicpu0 at acpi0
acpipwrres0 at acpi0: URP1
acpipwrres1 at acpi0: URP2
acpipwrres2 at acpi0: FDDP
acpipwrres3 at acpi0: LPTP
acpibtn0 at acpi0: SLPB
snip
em0 at pci1 dev 2 function 0 Intel PRO/1000MT (82540EM) rev 0x02:
apic 1 int 18, address 00:07:e9:01:67:1b
==


