pf question: IPv6 prefix changed, how to tell pf?

2021-07-23 Thread Harald Dunkel
Hi folks, Deutsche Telekom gives me a new /56 prefix for my internal net and a new /64 prefix for the external connection on every reboot of my modem. The old internal prefix is not routed anymore. Question is, how can I tell pf to use the new prefix? There are a few constants in my pf.conf
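One way to handle the "constants in pf.conf" problem raised above, as an added example that is not part of the original post: derive the current /64 and /56 from the address on the interface and feed them to pfctl(8) as macro overrides with -D, so the file itself keeps placeholder values. The macro names ext6 and int6, the interface names and the sample addresses are assumptions for this example; it also assumes the address has its first four hextets written out (no "::" before the fourth group).

```shell
#!/bin/sh
# Added example, not from the thread: compute the current IPv6 prefixes
# and reload pf.conf with its prefix macros overridden on the command line.
# Assumed macro names: ext6 (the /64 on the uplink) and int6 (the /56
# delegated for the internal net). Assumed input form: an address whose
# first four hextets are explicit, e.g. 2001:db8:abcd:1234::1.

# pfx64 2001:db8:abcd:1234::1  ->  2001:db8:abcd:1234::/64
pfx64() {
    printf '%s::/64\n' "$(printf '%s' "$1" | cut -d: -f1-4)"
}

# pfx56 2001:db8:abcd:1234::1  ->  2001:db8:abcd:1200::/56
# Only the top 8 bits of the fourth hextet belong to the /56, so mask the rest.
pfx56() {
    h4=$(printf '%s' "$1" | cut -d: -f4)
    h4=$(( 0x$h4 & 0xff00 ))
    printf '%s:%x::/56\n' "$(printf '%s' "$1" | cut -d: -f1-3)" "$h4"
}

# First global (non link-local) inet6 address on an interface, from
# ifconfig(8) output: "inet6 <addr> prefixlen 64 ...".
iface_global6() {
    ifconfig "$1" inet6 | awk '$1 == "inet6" && $2 !~ /^fe80:/ { print $2; exit }'
}

# Re-apply pf.conf with the prefixes taken from the live interfaces.
# -D overrides a macro defined in the file. The -n dry run comes first so a
# malformed address never leaves the box without a ruleset.
# Usage: reload_pf pppoe0 em1   (interface names are assumptions)
reload_pf() {
    ext=$(pfx64 "$(iface_global6 "$1")")
    int=$(pfx56 "$(iface_global6 "$2")")
    pfctl -n -D "ext6=$ext" -D "int6=$int" -f /etc/pf.conf &&
    pfctl    -D "ext6=$ext" -D "int6=$int" -f /etc/pf.conf
}
```

Run reload_pf from the hook that fires when the PPPoE session or the prefix delegation comes up; because the override is per pfctl invocation, a plain `pfctl -f /etc/pf.conf` later would fall back to whatever the file says, so the hook must be the only way the ruleset is loaded.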

Re: 6.9 regression: opensmtpd complains "smtp cert-check result="no certificate presented""

2021-06-22 Thread Harald Dunkel
On 6/21/21 5:42 PM, naib+li...@xn--bimann-cta.de wrote: You wrote: since the upgrade to 6.9 at the weekend opensmtpd complains smtp cert-check result="no certificate presented" for incoming EMails. Again, this is just a notification from the server, that no client certificates were sent in

Re: 6.9 regression: opensmtpd complains "smtp cert-check result="no certificate presented""

2021-06-21 Thread Harald Dunkel
PS: The peer is very picky wrt TLS, that's why this is an important problem. The peer log file shows : Diagnostic-Code: X-Postfix; TLS is required, but was not offered by host mail.example.de[10.145.142.10] Return-Path: Received: from mout01.posteo.de

Re: 6.9 regression: opensmtpd complains "smtp cert-check result="no certificate presented""

2021-06-21 Thread Harald Dunkel
On 6/21/21 12:52 PM, n...@xn--bimann-cta.de wrote: since the upgrade to 6.9 at the weekend opensmtpd complains smtp cert-check result="no certificate presented" for incoming EMails. opensmtpd.conf and the certificate chain Hello. This is because clients are not providing a tls client

6.9 regression: opensmtpd complains "smtp cert-check result="no certificate presented""

2021-06-21 Thread Harald Dunkel
Hi folks, since the upgrade to 6.9 at the weekend opensmtpd complains smtp cert-check result="no certificate presented" for incoming EMails. opensmtpd.conf and the certificate chain hasn't changed. There is only a single MX defined in DNS (for both "example.com" and "example.de"),

Re: 6.9 + 001: uvm_fault

2021-05-26 Thread Harald Dunkel
On 5/17/21 12:27 AM, Antonino Sidoti wrote: Hi, I also have this issue on a fresh install of 6.9 amd64. I reported it as a bug last week to “bugs” mail list with all appropriate information. I can confirm that plugging in a monitor will allow my system to boot. I did not have the 001 patch

6.9 + 001: uvm_fault

2021-05-16 Thread Harald Dunkel
Hi folks, after installing syspatch 001 the reboot showed: : scsibus3 at softraid0: 256 targets root on sd0a (614daaae133f0ac5.a) swap on sd0b dump on sd0b uvm_fault(0x82186300, 0xb8, 0, 1) -> e kernel: page fault trap, code=0 Stopped at i915_ggtt_pin+0x29: movq

Re: 6.9 + 001: uvm_fault

2021-05-16 Thread Harald Dunkel
And another attempt, see attachment. Seems I have to power cycle to make it boot. Regards Harri OpenBSD/amd64 (redgatea.red.aixigo.de) (tty00) login: root Password: Last login: Sun May 16 11:45:27 on ttyp0 from 2a00:fe0:30:60::7a OpenBSD 6.8 (GENERIC.MP) #5: Mon Feb 22 04:36:10 MST 2021

Re: 6.9 + 001: uvm_fault

2021-05-16 Thread Harald Dunkel
PS: The next power cycle went fine, see attachment. Regards Harri boot> NOTE: random seed is being reused. booting hd0a:/bsd: 14415144+3220488+34+0+1171456 [1008375+128+1145856+866050]=0x1526a80 entry point at 0x81001000 [ using 3021440 bytes of bsd ELF symbol table ] Copyright

Re: 6.9 + 001: uvm_fault

2021-05-16 Thread Harald Dunkel
PPS: I got a similar panic on another host after installing syspatch 001, see attachment. Regards Harri Last login: Sat May 15 21:46:44 on ttyp0 from 2a00:fe0:30:60::7a OpenBSD 6.8 (GENERIC.MP) #5: Mon Feb 22 04:36:10 MST 2021 Welcome to OpenBSD: The proactively secure Unix-like operating

Re: ifconfig problem with >10 wireguard peers

2021-04-08 Thread Harald Dunkel
On 4/7/21 7:44 PM, Stuart Henderson wrote: On 2021-04-07, Harald Dunkel wrote: Do you think it would be possible to increase this limitation to (lets say) 253? I don't see that here: Sorry, my bad. Some lines in my hostname.wg0 were commented out. I didn't notice. We are evaluating

ifconfig problem with >10 wireguard peers

2021-04-07 Thread Harald Dunkel
Hi folks, apparently ifconfig (openbsd 6.8) shows only 10 wireguard peers for wg0, even if hostname.wg0 defines 12 peers. This is pretty painful. Do you think it would be possible to increase this limitation to (lets say) 253? Thank you very much in advance Harri

Re: pflogd write /var/run/mypflogdinstance.pid?

2020-12-13 Thread Harald Dunkel
On 12/13/20 8:32 PM, Theo de Raadt wrote: If a pflogd dies because of a bug, the pid listed in the file may be reused, and then your kill `cat pidfile` will kill the incorrect process. I understand your concern, but as written before, I am not asking to drop pkill support. How about adding

Re: pflogd write /var/run/mypflogdinstance.pid?

2020-12-13 Thread Harald Dunkel
On 12/13/20 7:10 PM, Theo de Raadt wrote: And I'm suggesting the arguments should look like this: pflogd: [priv] -s 160 -i pflog0 -f /var/log/pflog (pflogd) pflogd: [running] -s 160 -i pflog0 -f /var/log/pflog (pflogd) That might allow more accurate pkill targeting. Wouldn't you

Re: pflogd write /var/run/mypflogdinstance.pid?

2020-12-13 Thread Harald Dunkel
On 12/7/20 7:19 PM, Theo de Raadt wrote: Yep. It is possible we need a better strategy --- like placing *all* original argv in the [priv] title. If you change the pflogd command line in the process list, what is supposed to happen to the existing code using pkill or pgrep, expecting the

Re: pflogd write /var/run/mypflogdinstance.pid?

2020-12-07 Thread Harald Dunkel
On 12/7/20 7:43 AM, Theo de Raadt wrote: We've put some work into making programs not damage their argv. If you provide a strong set of arguments to the programs you start, you may be able to pkill with a more fullsize pattern, increasing the accuracy. AFAICS pflogd rewrites the command

pflogd write /var/run/mypflogdinstance.pid?

2020-12-06 Thread Harald Dunkel
Hi folks, I have to run several pflogd in parallel. To make pkill (i.e. newsyslog) work it seems to be necessary to create hard links pflogd1, pflogd2 etc., pointing to /sbin/pflogd. Soft links don't work, because they don't show up in the process table. This introduces new problems on the next
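The pflogd thread above turns on how to address one of several pflogd instances without hard links or per-instance pid files. As an added example (not code from the thread or from OpenBSD), the function below selects the [priv] parent of the instance logging a given pflog interface by matching the full argument list, in the title form Theo proposes in the thread; the ps lines are constructed for the demo, and pid values, paths and the rotate_signal helper are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: find the pid of one pflogd instance by
# its full argument list instead of by program name. The process titles
# follow the form proposed in the thread ("pflogd: [priv] ..." /
# "pflogd: [running] ..."); the ps output below is constructed, not captured.

# Constructed sample of `ps -axo pid,command` output.
PS_SAMPLE='  123 pflogd: [priv] -s 160 -i pflog0 -f /var/log/pflog (pflogd)
  124 pflogd: [running] -s 160 -i pflog0 -f /var/log/pflog (pflogd)
  231 pflogd: [priv] -s 160 -i pflog1 -f /var/log/pflog1 (pflogd)
  232 pflogd: [running] -s 160 -i pflog1 -f /var/log/pflog1 (pflogd)
  305 tail -f /var/log/pflog1'

# pflogd_priv_pid <ps output> <interface>
# Prints the pid of the [priv] parent logging on <interface>. The
# "-i <iface> " token is matched with its trailing space, so asking for
# pflog1 does not also match a hypothetical pflog10.
pflogd_priv_pid() {
    printf '%s\n' "$1" |
    awk -v want="-i $2 " \
        '$2 == "pflogd:" && $3 == "[priv]" && index($0, want) { print $1; exit }'
}

# rotate_signal <interface>: what a newsyslog(8) post-rotation command could
# do for one instance. pflogd(8) reopens its log on SIGHUP; sending it to the
# [priv] parent assumes the parent passes the signal on to the running child.
# Equivalent anchored pkill(1) pattern, for a newsyslog.conf line:
#   pkill -HUP -f '^pflogd: \[priv\] .* -i pflog1 '
rotate_signal() {
    pid=$(pflogd_priv_pid "$(ps -axo pid,command)" "$1")
    [ -n "$pid" ] && kill -HUP "$pid"
}
```

The point of anchoring on the interface token rather than on the binary name is the one Theo makes in the thread: a pattern that only matches "pflogd" picks whichever instance happens to sort first, and a pid file can point at a reused pid after a crash.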

Re: pflogd: Corrupted log file, move it away

2020-11-29 Thread Harald Dunkel
Hi folks, On 11/28/20 5:13 PM, Stuart Henderson wrote: It is easy enough to add the filename, but adding that to the log might suggest to users that things are setup to handle multiple pflogd processes and that is not the case. Various parts of the system would need changing in order to

pflogd: Corrupted log file, move it away

2020-11-27 Thread Harald Dunkel
Hi folks, I got a bazillion of error messages in /var/log/daemon : Nov 27 08:33:25 gate6a pflogd[26893]: Corrupted log file. Nov 27 08:33:25 gate6a pflogd[26893]: Invalid/incompatible log file, move it away Nov 27 08:33:25 gate6a pflogd[26893]: Logging suspended: open error Nov 27 08:33:32

address lists in iked.conf?

2020-11-15 Thread Harald Dunkel
Hi folks, would it be possible to support address lists in iked.conf(5), similar to ipsec.conf(5)? Regards Harri

Re: packet filter question

2020-11-13 Thread Harald Dunkel
On 11/13/20 2:06 PM, Harald Dunkel wrote: Hi folks, if it is allowed to ask a question about packet filter here? Found it, please ignore. Harri

packet filter question

2020-11-13 Thread Harald Dunkel
Hi folks, if it is allowed to ask a question about packet filter here? Please take a look at the attached pf.conf file. Problem is that incoming traffic from a host in (internal:network) to an external host port is passed in rule 86 (that's one of the debproxy lines) pass $log0 quick

Re: question about hostname.carp

2020-11-09 Thread Harald Dunkel
On 11/5/20 9:25 AM, Stuart Henderson wrote: but I prefer this multi-line vhid 41 pass secret advbase 1 advskew 0 carpdev em1 inet 10.0.1.1/24 That's much better. I was using this "one line for all" thing following some ancient examples. Thanx very much Harri

iked vs IPsec failover (carp & sasyncd)

2020-11-08 Thread Harald Dunkel
Hi folks, wrt IPsec failover via sasyncd and carp: sasyncd(8) and iked(8) don't seem to tell, but I would guess that all hosts on the carp interface have to share the private key to support renegotiation. How can I tell iked which private key to use, instead of local.key? Is there a similar

question about hostname.carp

2020-11-04 Thread Harald Dunkel
Hi folks, short question about hostname.carp1: Is it inet 10.0.1.1 0xff00 NONE vhid 41 pass secret carpdev em1 advbase 1 advskew 0 or inet 10.0.1.1 0xff00 vhid 41 pass secret carpdev em1 advbase 1 advskew 0 ? Using ifconfig I get % ifconfig carp1 -inet

6.8: page fault

2020-11-03 Thread Harald Dunkel
Hi folks, after applying the recent 4 syspatches for 6.8 one (of 5) openBSD host ran into the kernel debugger. I missed the error message, but on a reboot there was a page fault. On another reboot there was no problem any more. log is attached. I would be glad to help, but I need some advice

Re: suggestion for the installer

2020-10-30 Thread Harald Dunkel
On 10/29/20 3:38 PM, Nick Holland wrote: On 2020-10-29 08:00, Harald Dunkel wrote: Hi folks, do you think it would be possible for the installer to show an eye-catching warning, if "ifconfig" reports "no carrier" for the network port to configure? Just a suggestion, o

suggestion for the installer

2020-10-29 Thread Harald Dunkel
Hi folks, do you think it would be possible for the installer to show an eye-catching warning, if "ifconfig" reports "no carrier" for the network port to configure? Just a suggestion, of course Harri

Re: sysupgrade --download ?

2020-10-23 Thread Harald Dunkel
Hi Theo, sorry, I missed that. I have associated "-n" with dry-run mode. Thanx for the hint Harri

sysupgrade --download ?

2020-10-23 Thread Harald Dunkel
Hi folks, I stumbled over a bad mirror for sysupgrade. Would it be possible to add an option "-d" to sysupgrade, to just download and verify the required files? A subsequent call without "-d" should verify the signatures in the download directory again and proceed. I would like to make sure

Re: Inphi CS4223 for 4x 10GbE SFP+

2020-10-23 Thread Harald Dunkel
Hi folks, below you can find the summary of "openssl speed" on the network appliance. Speed is not amazing, but AFAIU "openssl speed" is single-threaded. The CPU has 8 cores (no hyperthreading). Assuming IPsec encryption/decryption is running in kernel space, I wonder if the OpenBSD kernel can

Re: Inphi CS4223 for 4x 10GbE SFP+

2020-10-21 Thread Harald Dunkel
On 10/19/20 4:40 PM, Stuart Henderson wrote: On 2020-10-19, Harald Dunkel wrote: Hi folks, I am about to order 2 network appliances, providing an "Inphi CS4223 for 4x 10GbE SFP+". dmesg would be of interest :) See attachment. Product web site: https://www.ibase.com.

Re: Inphi CS4223 for 4x 10GbE SFP+

2020-10-20 Thread Harald Dunkel
On 10/19/20 9:46 PM, Stuart Henderson wrote: On 2020-10-19, Harald Dunkel wrote: What would these bypass problems look like? Hopefully the bypass feature can be turned off/ignored. If there are problems then possibly 2 of the ports either won't work or will be connected directly to 2

Re: Inphi CS4223 for 4x 10GbE SFP+

2020-10-19 Thread Harald Dunkel
On 10/19/20 4:36 PM, Stuart Henderson wrote: On 2020-10-19, Tom Smyth wrote: Hi Harald, check the Atom processor and make sure that it is not one of those ones that fail after a while (some electrical issue) ... It isn't. Anyway, some more precise information about the affected models

Re: Inphi CS4223 for 4x 10GbE SFP+

2020-10-19 Thread Harald Dunkel
On 10/19/20 4:40 PM, Stuart Henderson wrote: I can't say for sure but I think there's a high chance that the 10G will work, and at least some of the 1G will work, but you might run into problems with the 1G "bypass" ports. dmesg would be of interest :) Of course. The host are already on

Inphi CS4223 for 4x 10GbE SFP+

2020-10-19 Thread Harald Dunkel
Hi folks, I am about to order 2 network appliances, providing an "Inphi CS4223 for 4x 10GbE SFP+". Does this ring a bell? Is this already supported by 6.8? Other technical specs can be found on https://www.ibase.com.tw/english/ProductDetail/NetworkAppliance/FWA8506 BTW, congratulations to the

Re: Router advertisements for dynamic IPv6 prefix

2020-10-15 Thread Harald Dunkel
On 10/14/20 10:18 AM, Stuart Henderson wrote: On 2020-10-11, Henrik Friedrichsen wrote: Hey, my ISP provides connectivity via PPPoE. An IPv6 prefix is handed out via DHCPv6 PD, which my OpenBSD gateway passes on to clients with the help of router advertisements using rad. This works fine

sasyncd questions about shared secret

2020-10-14 Thread Harald Dunkel
Hi folks, question about sasyncd, because the man page doesn't tell: (Please excuse if I am too blind to see.) Do all sasync daemons on all peers have to share the same secret, or is it just the sasync daemons on the same carp interface? Where would I have to look for error messages indicating

spamd vs IPv6

2020-07-01 Thread Harald Dunkel
Hi folks, spamd(8) still mentions 127.0.0.1, but no indication of IPv6 support. Looking on Google for "openbsd spamd ipv6" gives me some entries of 2015 and 2016, but no up-to-date information. Please excuse if I am too blind to see. I am a big fan of spamd, but I wonder is spamd in a dead-end

net.inet.ip6.forwarding=1 ?

2020-05-19 Thread Harald Dunkel
Hi folks, congrats to the new release. Question about https://www.openbsd.org/faq/upgrade67.html: Shouldn't it be net.inet.ip.forwarding=1 net.inet6.ip6.forwarding=1 That's what I found in my sysctl.conf (before upgrade). Regards Harri

Re: sysupgrade (Was: Re: Kernel crash in OpenBSD 6.5)

2019-08-01 Thread Harald Dunkel
On 8/1/19 2:33 PM, Maurice McCarthy wrote: In the past it was not uncommon for non-X programs in base to have dependencies in Xenocara. Are you certain that this is no longer so? Yup

sysupgrade (Was: Re: Kernel crash in OpenBSD 6.5)

2019-08-01 Thread Harald Dunkel
Hi folks, On 7/30/19 3:08 PM, Hrvoje Popovski wrote: try to update both boxes to latest snapshot at least because in snapshot you have excellent tool called sysupgrade ... you will love it :) with this tool you can upgrade os to latest snapshot without any problem over ssh :) This is cool.

6.5: rc.firsttime failed, how to restart?

2019-05-18 Thread Harald Dunkel
Hi folks, after the upgrade to 6.5 rc.firsttime was lucky to send me an EMail: Path to firmware: http://firmware.openbsd.org/firmware/6.5/ Installing: inteldrm-firmware intel-firmware vmm-firmware rtwn-firmware http://firmware.openbsd.org/firmware/6.5/: ftp: firmware.openbsd.org: no address

Re: 6.5 on EdgeRouter Lite: 1 CPU offline?

2019-04-25 Thread Harald Dunkel
Hi Tobias, On 4/25/19 7:45 PM, Tobias Ulmer wrote: > On Thu, Apr 25, 2019 at 06:14:04PM +0200, Harald Dunkel wrote: >> >> Next it seems that one CPU is offline somehow. ??? >> >> chester# sysctl -a | grep -i cpu >> kern.ccpu=1948 >>

6.5 on EdgeRouter Lite: 1 CPU offline?

2019-04-25 Thread Harald Dunkel
There is a suspicious message dev/ksyms: Symbol table not valid. Next it seems that one CPU is offline somehow. ??? chester# sysctl -a | grep -i cpu kern.ccpu=1948 hw.ncpu=1 hw.cpuspeed=500 hw.ncpufound=2 hw.ncpuonline=1 Regards Harri

OpenBSD on Macbook 12" 2017?

2019-03-15 Thread Harald Dunkel
Hi folks, does it work, OpenBSD on a 12" Macbook 2017? I tried Linux once, but keyboard and trackpad were not working, so I kept MacOS. Looking on Google I found just Macbook Airs and Pros. Hopefully I wasn't too blind to see. Every helpful comment is highly appreciated Harri

Re: is pfsync losing data on reboot?

2019-02-05 Thread Harald Dunkel
Hi folks, On 2/1/19 1:00 PM, Sebastian Benoit wrote: Janne Johansson(icepic...@gmail.com) on 2019.02.01 12:49:53 +0100: Yes, it will get a full dump since it has zero pre-existing knowledge of the current situation regarding states. I think carp will delay itself until the sync is done, so

is pfsync losing data on reboot?

2019-01-31 Thread Harald Dunkel
Hi folks, I have a question about pfsync protocol in a master-backup firewall configuration (OpenBSD 6.3 and 6.4): If I reboot (let's say) the backup host, will it receive the whole set of state information again, when it gets back online? Hopefully I am not too blind to see, but pfsync(4)

Re: 6.3 just died (not for the first time)

2018-05-22 Thread Harald Dunkel
Hi Peter, please check the threads on the b...@openbsd.org mailing list. The patch posted by Martin Pieuchot seems to help. It's running on my hosts for 5 days without any hiccup. Hope this helps Harri

6.3 just died (not for the first time)

2018-05-15 Thread Harald Dunkel
Hi folks, 6.3 just died. Last words: login: kernel: protection fault trap, code=0 Stopped at export_sa+0x5c: movl0(%rcx),%ecx ddb{0}> show panic the kernel did not panic ddb{0}> trace export_sa(10,800033445e70) at export_sa+0x5c pfkeyv2_expire(813d4c00,813d4c00) at

netstat: IPv6 addresses are cut off

2018-05-14 Thread Harald Dunkel
Hi folks, netstat cuts off the IPv6 addresses. Sample: # netstat -f inet6 -ln | cat Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address(state) tcp6 0 0 2001:db8:30:7e::.25*.*LISTEN tcp6 0

packet filter: table of tables ?

2018-05-13 Thread Harald Dunkel
Hi folks, how can I combine tables into large tables, instead of using inefficient variables? AFAIU I can modify tables using the pfctl command line, but something like this in pf.conf would be nice table const persist { 172.12.127.0/24 172.12.124.0/24 172.12.120.0/24

Re: What would you like to see in upcoming PF tutorials?

2017-12-18 Thread Harald Dunkel
Hi Peter, On 12/14/17 9:27 PM, Peter N. M. Hansteen wrote: If you have thoughts on what you would like to see in a tutorial session and would like to share them either with me or the list, we would love to hear from you. What are the risks of ICMP and ICMP6? Is it reasonable to filter these

6.1, opensmtpd: unable to verify the first certificate

2017-11-09 Thread Harald Dunkel
Hi folks, opensmtpd problem on openbsd 6.1: smtpd.conf says xname = "mail.example.de" pki $xname key "/etc/ssl/private/smtpd.key.pem" pki $xname certificate "/etc/ssl/public/mail.example.de.pem" ca $xname certificate "/etc/ssl/public/DigiCertCA.crt" limit mta inet4 listen on lo0 tls pki

newsyslog refused to work

2017-07-14 Thread Harald Dunkel
Hi folks, Apparently newsyslog refuses to rotate any file, if there is a single bad line in newsyslog.conf, e.g. newsyslog: /etc/newsyslog.conf:7: unknown user: uucp I would suggest to ignore the bad line, but rotate the other log files as usual. Regards Harri

Re: inet6 packet filter question: link local address vs antispoof

2017-06-20 Thread Harald Dunkel
Hi Martin, the host I had used for testing is off, so I had to switch. After disabling the packet filter I see: # tcpdump -i re0 -env icmp6 tcpdump: listening on re0, link-type EN10MB 20:58:08.865529 20:cf:30:e8:0d:58 52:54:00:2e:f3:25 86dd 118: fe80::22cf:30ff:fee8:d58 >

bug tracking system for OpenBSD

2017-06-19 Thread Harald Dunkel
Hi folks, would it be possible to establish a real bug tracking system for OpenBSD? Something with bug owner, severity, attachments, assignee, and (very important) some reliable response time and a database to search for known problems? Currently I have the impression that you have to be very

Re: openvpn multihome on OpenBSD?

2017-06-18 Thread Harald Dunkel
Hi Stuart, On 06/17/17 17:09, Stuart Henderson wrote: > > It's trying to use a single socket for v4 and v6. That is never going > to work on OpenBSD. > > Try "bind ipv6only" and see if that helps. > Currently I have 2 openvpn servers listening on either IPv4 or IPv6, each with its own address

openvpn multihome on OpenBSD?

2017-06-17 Thread Harald Dunkel
Hi folks, AFAICS the openvpn 2.4.2 man page recommends a "multihome" feature for dual stack setups, but I can't make it work on OpenBSD (the openvpn server) in this case. The logfile on the client shows Sat Jun 17 15:13:40 2017 OpenVPN 2.4.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4]

inet6 packet filter question: link local address vs antispoof

2017-06-11 Thread Harald Dunkel
Hi folks, pf.conf on my gateway (6.1) says bash-4.4# pfctl -sr | egrep -i icmp\|block block return log all : : pass quick inet proto icmp all keep state (if-bound) pass quick inet6 proto ipv6-icmp all keep state (if-bound) Problem is, a ping6 to the gateway's link local address is not answered.

Re: inet6 packet filter question: link local address vs antispoof

2017-06-11 Thread Harald Dunkel
PS #1: Outgoing traffic to a link-local address initiated by the gateway is not corrupted. PS #2: It seems that OpenBSD 6.0 doesn't show this problem. Regards Harri

net.inet.tcp.ecn=1 on a gateway?

2017-06-02 Thread Harald Dunkel
Hi folks, for dummies, what is the purpose of net.inet.tcp.ecn=0? Should I set it to 1 on a gateway? Is there some way to support ecn for ip level? I am running 6.1 stable (amd64) using the unmodified GENERIC.MP. Every helpful comment or recommendation is highly appreciated Harri

tinc on openBSD?

2017-04-26 Thread Harald Dunkel
Hi folks, AFAICS tinc is included in the packages for 6.1, but surely that doesn't mean it's safe to use without looking. Are there security concerns against running tinc on an OpenBSD gateway as an alternative to IPsec and openvpn in a +50 road warriors setup? What is your impression of this

Re: howto show IPv6 address lifetime?

2017-04-20 Thread Harald Dunkel
Hi Florian, On 04/20/17 12:45, Florian Ermisch wrote: > Hi Harri, > > until someone in the know replies you could take a look at the DHCPv6 traffic > to see if a lifetime is included in the replies (and maybe keep them handy > for a dev to look

Re: howto show IPv6 address lifetime?

2017-04-20 Thread Harald Dunkel
On 04/19/17 15:38, Dimitris Papastamos wrote: > > You don't seem to have any autoconfigured addresses. > Try ifconfig vether0 inet6 autoconf first. > Here is the output of ifconfig on my gateway: # ifconfig re1 re1: flags=8843 mtu 1500 lladdr

Re: howto show IPv6 address lifetime?

2017-04-19 Thread Harald Dunkel
> On Apr 19, 2017, at 10:43, Eric Huiban wrote: > > Hi, > > Give a try to ifconfig as regarde privacy policy lifetime : pltime & vltime > if i'm still right. You can also preset this two counters using the same > command. ??? Sorry, but I don't understand this first

Re: Adding default IPv6 route fails on 6.1

2017-04-19 Thread Harald Dunkel
On 04/18/17 17:05, Stuart Henderson wrote: > > Mine is in the pkg-readme. > > A pkg-readme? Is this included in the binary package? # find / -iname \*readme\* -print | grep -i dhcp # echo $? 1 Regards Harri

howto show IPv6 address lifetime?

2017-04-19 Thread Harald Dunkel
Hi folks, AFAIR IPv6 addresses have a lifetime and some other attributes. Is there some way to show? "sysctl -a", "ifconfig -a" and netstat don't. Probably I am just missing the right command. Every helpful hint is highly appreciated. Harri

Re: pf.conf: best practice for IP address lookup?

2017-04-16 Thread Harald Dunkel
Hi Florian, sorry to say, but you missed the point. The IP address of *another* host inside my LAN changes, e.g. a mail server, a http proxy, etc. The interface identifier of each host is surely stable. The prefix is not. Using the old prefix in

Re: 6.1: dnsmasq unresponsive?

2017-04-16 Thread Harald Dunkel
On 04/15/17 23:39, Stuart Henderson wrote: > > It's the same version of dnsmasq. The thing that changed is that we now have > IP_SENDSRCADDR. > > Needs fixing, but you can use -z on the dnsmasq command line as a workaround > for now. > Seems

pf.conf: best practice for IP address lookup?

2017-04-15 Thread Harald Dunkel
Hi folks, Since I don't get a static IPv6 prefix from Deutsche Telekom, but a different prefix on every new pppoe connection, I have to rely upon some lookup service for pf.conf. pf.conf(5) doesn't mention dynamic IP addresses at all (except for its own interfaces), so I wonder what is best

Re: building release without noperm?

2017-04-14 Thread Harald Dunkel
On 04/14/17 09:21, Theo de Raadt wrote: >> AFAICS there is no way to build a release without upgrading the base system >> first, i.e. you have to have root privileges. >> >> To keep things simple, I wonder if it would be possible to use these >>

building release without noperm?

2017-04-14 Thread Harald Dunkel
Hi folks, AFAICS there is no way to build a release without upgrading the base system first, i.e. you have to have root privileges. To keep things simple, I wonder if it would be possible to use these privileges to avoid the noperm partition? Regards Harri

6.1: dnsmasq unresponsive?

2017-04-13 Thread Harald Dunkel
Hi folks, is it just me, or is the new dnsmasq unresponsive? dig @127.0.0.1 heise.de A +short gets stuck. Moving back to the old dnsmasq provided for 6.0 there is no such problem. dnsmasq.conf: server=8.8.4.4 Every helpful

Re: Adding default IPv6 route fails on 6.1

2017-04-13 Thread Harald Dunkel
Hi Sterling, On 04/12/17 01:20, Sterling Archer wrote: > Hello everyone. > > After upgrading to 6.1 about an hour ago, I noticed that I didn't have an > IPv6 connection anymore. > > I use dhcpcd over a pppoe session, which worked fine in

IPv6 and netstat -r: larger columns, please?

2017-04-10 Thread Harald Dunkel
Hi folks, would it be possible to adjust the column size for the IPv6 output of "netstat -r", similar to "netstat -nr"? It's pretty much useless, if the interface identifier is cut off. The usual workaround "netstat -r | cat" doesn't work, either.

how is IPv6 over pppoe supposed to work?

2017-04-03 Thread Harald Dunkel
Hi folks, AFAICT adding 2 lines to hostname.pppoe0 (as shown in the man page) doesn't give you a full featured IPv6 subnet yet. Is there some support for IPV6CP (RFC 5072) in OpenBSD? Google mentioned some "dhcp6c", but it's not in 6.0, is it?

Re: pppoe takes 3 or 4 minutes to come up

2017-04-03 Thread Harald Dunkel
Hi Stuart, On 04/02/17 12:42, Stuart Henderson wrote: > > Problem is that the pppoedev ethernet interface comes down too soon and > the pppoe disconnect message can't be sent. A fix for this was being > discussed but late for 6.1. "ifconfig pppoe0 down" in rc.shutdown should > help that

Re: pppoe takes 3 or 4 minutes to come up

2017-04-03 Thread Harald Dunkel
Hi folks, On 04/02/17 11:48, Bryan Linton wrote: > On 2017-04-02 10:47:41, Konstantin Schukraft wrote: > > "man 4 pppoe" explains this better than I could. To wit: > > 8<--- > > KERNEL OPTIONS

Re: pppoe takes 3 or 4 minutes to come up

2017-04-03 Thread Harald Dunkel
On 04/02/17 11:46, Kapfhammer, Stefan wrote: > Harald, could you please post > the full output of 'ifconfig pppoe0'‎? > After successful established connection. > > Of course without credentials :) > Sure: # ifconfig pppoe0 pppoe0: flags=8851 mtu 1500

pppoe takes 3 or 4 minutes to come up

2017-04-02 Thread Harald Dunkel
Hi folks, I am using pppoe on OpenBSD 6.0 stable to setup a connection to Deutsche Telekom (VDSL). Problem: Usually it takes 3 or 4 minutes to establish the connection. Is this as expected? See below for the hostname.??? files. Using the default mtu doesn't make a difference. Any helpful

pf: warning on duplicate table?

2017-03-01 Thread Harald Dunkel
Hi folks, I spent way too much time on a table defined twice by accident in my pf.conf file. Do you think it would be possible to throw a warning if there are 2 table definitions with the same name? Probably table : : table const persist { 172.22.32.0/24
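The request above is for pfctl to warn about a table defined twice. Until it does, the check can live in front of the load. The following is an added example, not code from the post or from OpenBSD: a small lint that reports duplicate table names in a pf.conf and refuses to run pfctl when it finds any. The pf.conf text below is constructed for the demo, and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: report table names that pf.conf
# defines more than once, before handing the file to pfctl -f.
# The sample ruleset is constructed; it is not the poster's pf.conf.

PFCONF_SAMPLE='table <lan> const persist { 172.22.32.0/24 172.22.33.0/24 }
table <mgmt> { 10.0.0.0/24 }
# later in the file, by accident:
table <lan> { 172.22.40.0/24 }
pass in from <lan> to any'

# dup_tables <pf.conf text>
# Prints "<name> <count>" for every table defined two or more times, one per
# line; prints nothing when the file is clean. Comment lines are skipped, and
# only "table <name> ..." definitions count, not references inside rules.
dup_tables() {
    printf '%s\n' "$1" |
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "table" && match($2, /^<[^>]+>$/) {
            name = substr($2, 2, RLENGTH - 2)
            if (++seen[name] == 2) dups[++n] = name
        }
        END { for (i = 1; i <= n; i++) print dups[i], seen[dups[i]] }'
}

# lint_pfconf <file>
# Fails before pfctl ever sees the file when a table is defined twice;
# otherwise runs the normal syntax check (pfctl -n parses without loading).
lint_pfconf() {
    out=$(dup_tables "$(cat "$1")")
    if [ -n "$out" ]; then
        printf 'duplicate table definitions:\n%s\n' "$out" >&2
        return 1
    fi
    pfctl -nf "$1"
}
```

Wire lint_pfconf in wherever the ruleset is loaded (an rc script, a deployment hook) so that a silently shadowed table cannot reach the kernel unnoticed.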

Re: spamd: howto blacklist hosts in greylisting mode?

2017-01-16 Thread Harald Dunkel
On 01/16/17 13:58, Boudewijn Dijkstra wrote: > Op Mon, 16 Jan 2017 11:08:06 +0100 schreef Harald Dunkel > <harald.dun...@aixigo.de>: >> >> But spamd's blacklisting (without "-b") lacks proper documentation. spamd-setup(8) says that it sends blackli

spamd: howto blacklist hosts in greylisting mode?

2017-01-16 Thread Harald Dunkel
Hi folks, I am running spamd for greylisting on my MTA for several years. I also know how to use spamd for blacklist-only mode and how to configure pf.conf accordingly (even though I never tried). But spamd's blacklisting (without "-b") lacks proper documentation. spamd-setup(8) says that it

ports 6.0: zabbix-agent-3.0.3 appears to be broken

2016-11-27 Thread Harald Dunkel
Hi folks, zabbix_agent.conf in zabbix-agent-3.0.3 (amd64) appears to be broken: After the upgrade from 5.9 to 6.0 I found a shared object instead of a config file in /etc. # file /etc/zabbix/zabbix_agent.conf /etc/zabbix/zabbix_agent.conf: ELF

ntpd.conf: how to do IPv6 in a carp setup?

2016-11-24 Thread Harald Dunkel
Hi folks, I am running a carp environment on my gateway. Due to lack of routable IPv4 addresses the em0 interface provides IPv6 only, the carp0 interface defines both IPv4 and IPv6 addresses. The internal interfaces em1 and carp1 provide both IPv4 and IPv6. ntpd works fine on the master, but on

Re: tw_cli support

2016-10-31 Thread Harald Dunkel
On 10/29/16 22:00, Stuart Henderson wrote: > > No, you won't be able to. I don't think this card is supported at all > (and those 3ware cards which are supported, don't support management on > OpenBSD). > Since 3ware was bought by LSI, and LSI was bought by Avago I wonder if the newer Avago

Re: PPPoE (5.9 still): https gets stuck

2016-09-20 Thread Harald Dunkel
Hi Stuart, On 09/16/16 14:08, Stuart Henderson wrote: > On 2016-09-14, Harald Dunkel <ha...@afaics.de> wrote: >> >> AFAIU setting the max-mss affects TCP traffic only (e.g. HTTPS). It defines >> the maximum pa

Re: PPPoE (5.9 still): https gets stuck

2016-09-14 Thread Harald Dunkel
Hi folks, On 09/13/2016 02:58 PM, Stuart Henderson wrote: > > See "MTU/MSS ISSUES" in pppoe(4). > indeed, it's documented, but it's also a little bit misleading. Reading the man page I had the first impression that modifying the mtu and max-mss are

Re: PPPoE (5.9 still): https gets stuck

2016-09-13 Thread Harald Dunkel
Hi Markus, On 09/13/16 13:07, Harald Dunkel wrote: > Hi Markus, > > On 09/13/2016 12:42 PM, Markus Hennecke wrote: >> >> Damn. Of course without this line it won't work: >> >> match out on $ext_if all scr

Re: PPPoE (5.9 still): https gets stuck

2016-09-13 Thread Harald Dunkel
Hi Markus, On 09/13/2016 12:42 PM, Markus Hennecke wrote: >> >> I use the same VDSL modem with Deutsche Telekom and can reach >> https://telekom.de/ >> The only MTU related setting in pf.conf seems to be this: >> >> ext_if = pppoe0 >> match in on $ext_if all scrub (no-df max-mss 1440) >> >> It is

Re: PPPoE (5.9 still): https gets stuck

2016-09-13 Thread Harald Dunkel
Hi Daniel, On 09/13/2016 12:00 PM, Daniel Gillen wrote: > > I had a similar problem. In my case it had to do with Path MTU issues. > > This site f.ex.: http://test-ipv6.com/ will check for that. > > The solution for me was to switch to "jumbo" frames below the pppoe > device (1508 bytes if I

Re: PPPoE (5.9 still): https gets stuck

2016-09-13 Thread Harald Dunkel
Hi Peter, On 09/13/2016 12:13 PM, Peter J. Philipp wrote: > > can try this: > > T-Online uses vlan tag 7, IP-TV uses vlan tag 8. So it depends on your > plan I guess? I'd appreciate if someone told me if this information is > outdated but I'm probably going to have to ask in february again >

PPPoE (5.9 still): https gets stuck

2016-09-13 Thread Harald Dunkel
Hi folks, I am using an openbsd (5.9) box as gateway/firewall to the internet. ISP is Deutsche Telekom. In between is a Vigor 130 VDSL2 modem, configured to PPPoE passthrough. The PPPoE connection is initiated on the openbsd box. Problem: https via the tunnel gets stuck for some sites, e.g.

Re: Building OpenBSD 6.0 -stable - Error

2016-09-12 Thread Harald Dunkel
On 09/04/16 04:35, STeve Andre' wrote: > On 09/03/16 11:32, Harald Dunkel wrote: >> On 09/03/16 12:40, Ted Unangst wrote: >>> there's some repo surgery in progress. it should be fixed eventually. >>> >

Re: Building OpenBSD 6.0 -stable - Error

2016-09-03 Thread Harald Dunkel
On 09/03/16 12:40, Ted Unangst wrote: > Teno Deuter wrote: >> installed a fresh 6.0 AMD64 and tried to build 'stable' from source. >> >> Here is what I did as 'root' (as described in: >> http://www.openbsd.org/stable.html): >> >> export CVSROOT=anon...@anoncvs1.ca.openbsd.org:/cvs >> cd /usr; cvs

spamd with ipv6 support

2016-02-14 Thread Harald Dunkel
Hi folks, last information I have about spamd with IPv6 support is WIP. Is there any code I could try? Maybe I can help, at least in running tests? Please mail Harri

Re: ftp-proxy man page out of date?

2016-01-18 Thread Harald Dunkel
On 01/05/2016 04:35 PM, Sonic wrote: > > Divert-to is the proper way to send the packets to the proxy, but the > dynamic rules that the proxy creates use rdr-to which is why the man > page may appear a bit confusing at first reading. > I see, my mistake. Thanx very much for your support. Harri

ftp-proxy man page out of date?

2016-01-04 Thread Harald Dunkel
Hi folks, Would it be possible to update ftp-proxy(8) wrt "divert-to"? I had the impression that rdr-to is out of date in this context; see http://www.openbsd.org/faq/upgrade50.html. Thanx very much. Best season's greetings Harri

Re: 5.8 freezes on Shuttle DS87, anybody else?

2015-12-01 Thread Harald Dunkel
I migrated this openBSD setup to a 5 years old network appliance. It's running for more than a week without problems. This means I don't have a test setup to chase the problem anymore. Regards Harri
