Re: No internet connection (firewall block)
On Fri 12 Apr 2024 at 20:22 Karel Lucas wrote:
> Traceroute still won't work.
> Can anyone give me some starting points here?

Put "log" on all your block/pass rules, read the logs (man pflog for help) and see which rule the traceroute packets hit. Adapt and extend your pf.conf accordingly to allow the traffic you want to let through.

--
May the most significant bit of your life be positive.
Re: Ping blocked by firewall
On Fri 12 Apr 2024 at 19:41 Karel Lucas wrote:
> Hi all,
>
> Ping only works partially. For example, this works: ping -c 10 195.121.1.34.
> But this doesn't work: ping -c 10 www.apple.com. I suspect
> this has to do with DNS servers, but I don't know where to start
> troubleshooting. Can someone help me?

If the below pf.conf is your total firewall config, then you are only letting icmp through, and not DNS queries. Perhaps you meant to use the "client_out" macro for a pass rule and forgot it?

> /etc/pf.conf:
>
> ext_if = igc0 # Extern interface
> int_if = "{ igc1, igc2 }" # Intern interfaces
> localnet = "192.168.2.0/24"
> tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> udp_services = "{ domain, ntp }"
> email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> icmp_types = "{ echoreq, unreach }"
> icmp6_types = "{ echoreq, unreach }"
> nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
>                446, cvspserver, 2628, 5999, 8000, 8080 }"
> Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>               10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
>               0.0.0.0/8, 240.0.0.0/4 }"
>
> set skip on lo
> # By default, do not permit remote connections to X11
> block return in on ! lo0 proto tcp to port 6000:6010
>
> block log all# block stateless traffic
>
> # Letting ping through:
> pass log on inet proto icmp icmp-type $icmp_types
> pass log on inet6 proto icmp6 icmp6-type $icmp6_types

--
May the most significant bit of your life be positive.
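The advice in the two replies above (log every rule, then read pflog to see which rule a packet hit) can be turned into a per-rule tally. This is an added example, not part of the original posts: the function names and the sample log lines are constructed, and the rule numbers assume the quoted pf.conf loads with the X11 block as rule 0 and "block log all" as rule 1.

```shell
#!/bin/sh
# Added example: tally pflog entries per rule to see what a rule set drops.
# On the firewall the input would come from one of:
#   tcpdump -n -e -ttt -r /var/log/pflog | pflog_summary
#   tcpdump -n -e -ttt -i pflog0         | pflog_summary
# "pfctl -vvsr" lists the loaded rules with their @N numbers for comparison.

# Constructed sample lines (not captured traffic), IPv4 only.
sample_pflog() {
cat <<'EOF'
Apr 12 19:40:01.100001 rule 2/(match) pass in on igc1: 192.168.2.10 > 195.121.1.34: icmp: echo request
Apr 12 19:40:07.300250 rule 1/(match) block in on igc1: 192.168.2.10.40112 > 195.121.1.34.53: 4211+ A? www.apple.com. (31)
Apr 12 19:40:12.305114 rule 1/(match) block in on igc1: 192.168.2.10.40112 > 195.121.1.66.53: 4211+ A? www.apple.com. (31)
Apr 12 19:41:30.000731 rule 1/(match) block in on igc1: 192.168.2.10.51844 > 192.0.2.80.443: S 1:1(0) win 16384
EOF
}

# Reads pflog text on stdin, prints "count action rule N dir iface dport P",
# most frequent first. P is "-" when the destination has no port (ICMP).
pflog_summary() {
    awk '
    {
        r = 0
        for (i = 1; i <= NF; i++) if ($i == "rule") { r = i; break }
        if (r == 0 || NF < r + 8) next           # not a pflog line
        rule = $(r + 1); sub(/\/.*/, "", rule)   # "1/(match)" becomes "1"
        action = $(r + 2); dir = $(r + 3)
        iface = $(r + 5); sub(/:$/, "", iface)
        dst = $(r + 8); sub(/:$/, "", dst)
        n = split(dst, p, ".")
        port = (n == 5) ? p[5] : "-"             # a.b.c.d.port
        key = action " rule " rule " " dir " " iface " dport " port
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Destination ports that hit a block rule, one per line, ascending.
blocked_dports() {
    pflog_summary | awk '$2 == "block" && $NF != "-" { print $NF }' |
        LC_ALL=C sort -n -u
}

sample_pflog | pflog_summary
```

With the sample input the DNS queries to port 53 show up against the catch-all block rule while the echo request passes, which is the ping-by-address-works, ping-by-name-fails symptom from the question.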
Re: OpenBSD Errata: April 8, 2024 (xserver)
On Thu 4 Apr 2024 at 07:31 Mizsei Zoltán wrote:
> The webpage https://www.openbsd.org/errata74.html
> lists this like "016: SECURITY FIX: April 8, 2024"
> but according to my calendar today is 04.04.
> Also it lists 7.5 as affected, but it isn't even released yet, right?
> What's going on here?

The 7.5 files were built weeks ago to allow packages for 7.5 to be built in time for the release, and the 7.5 files contained this bug which now has a fix prepared for it, even before the release is made.

--
May the most significant bit of your life be positive.
Re: OPENVAS
> Hi ppl, I'm trying to find out how to install OPENVAS in OpenBSD 7.4, not
> to succeed yet...I've done it with no problems at all in FBSD...but I
> can't get it done in OpenBSD...has anyone successfully installed Openvas?
> If so...How? Is there any manual/howto?

Hint for asking for help:
1. What did you try?
2. What was the expected result?
3. What happened instead?

--
May the most significant bit of your life be positive.
Re: Disk encryption cipher
On Wed 6 Mar 2024 at 07:17 ofthecentury wrote:
> Hi. I cannot find what cipher is used for full
> disk encryption on OpenBSD. I saw a mention
> of salting too, but really no specifics on what
> the encryption algorithm is. Is there somewhere
> I can read about it? And really, what is the cipher
> used?

The presentation from 2010:

AsiaBSDCon 2010, Mar 11 - 14, 2010, Tokyo, Japan. Marco Peereboom gave talks about softraid -- OpenBSD's virtual HBA, with benefits (paper)

says it was AES-256 XTS then at least.

--
May the most significant bit of your life be positive.
Re: can't find PID
On Tue 5 Mar 2024 at 14:35 ofthecentury wrote:
> Hi, I'm on a fresh install of OpenBSD 7.4.
> I am watching output of tcpdump and
> seeing some drops that all reference
> UID 0, pid 6504. I cannot find that PID
> among running processes. Does anyone
> know what is that process and why it's
> not running but tcpdump references it?

OpenBSD has random pids, so unless you ask about pid 0 or 1, no one can divine what process had pid 6504 on your system at that time.

As for this report, it looks like you are tcpdumping pflog in order to see "drops" with pids, but since you didn't mention what you ran, it's hard to tell. Nor did you state how you looked for pids, perhaps not using all the possible options?

--
May the most significant bit of your life be positive.
Re: MCU recommendations to program on OpenBSD?
On Sun 3 Mar 2024 at 10:14 Sadeep Madurange wrote:
> Hello,
>
> I recently switched to OpenBSD and love every bit of it.
>
> Most of what I do on my workstation is programming MCUs like ESP8266 and
> ESP32. However, Espressif toolchain is not OpenBSD friendly. So, I'm
> planning to change the vendor. Any recommendations for MCUs with C
> language SDKs supported by OpenBSD?

Arduino (ie. AVR) works fine to compile from OpenBSD.
Re: mirror.bytemark.co.uk appears to have removed all OpenBSD content?
> > >> Just been to upgrade a rather old system I keep OpenBSD on for fun all
> > >> the way up from 6.9, and found bytemark no longer seem to be hosting
> > >> any OpenBSD content.
> > >
> > > That's why they have been removed from the mirrors list since 2022.
> >
> > Oh hmm, seems I readded them as they had started working again, I'll drop
> > them again.
>
> Since it has crossed my mind that scripting together some sort of "mirror
> health" tool would be a fairly easy (yet probably valuable) contribution to
> the community, is there currently anything akin to that in use by you or
> others when maintaining the mirrors list? A few searches of mine turned up
> empty, but it could equally well be that my search skills were lacking.

Stuart is already testing listed mirrors.

--
May the most significant bit of your life be positive.
Re: mirror.bytemark.co.uk appears to have removed all OpenBSD content?
On Tue 27 Feb 2024 at 17:42 Kirill A. Korinsky wrote:
> On Tue, 27 Feb 2024 14:59:32 +0100,
> Kenneth Gober wrote:
> >
> > Slightly off topic, but does anyone know of any archives that have
> > packages for 3.0, 3.1, 3.2, and/or 3.3? Especially 3.0 -- the only
> > site I've ever found with 3.0 packages may have been incomplete.
> >
>
> https://mirror.leaseweb.com/pub/OpenBSD
>
> which also has rsync mirror BTW

But not the packages for 3.0->3.3 which was what was asked for.

--
May the most significant bit of your life be positive.
Re: Single partition fs layout
On Tue 13 Feb 2024 at 13:40 Odhiambo Washington wrote:
> Is there a disadvantage to having this layout style where everything is on
> 1 partition?

A few. The partitioning scheme allows certain parts of the filesystem to have different permissions,

/dev/sd1a on / type ffs (local)
/dev/sd1e on /home type ffs (local, nodev, nosuid)
/dev/sd1d on /usr type ffs (local, nodev)
/dev/sd0a on /usr/local type ffs (local, nodev, wxallowed)

but also if something decides to log like crazy and fills up /var and you have /var ( or /var/log ) as a separate partition, the rest of the system is not affected by it going full and it might be lots easier to recover from it when the rest of the paths work as expected.

It's a tradeoff between having to know in advance where data will go or not, versus being able to prevent some nasty issues that could occur if you let someone else run code on your machine. For a throwaway VM that you can reproduce, it would not matter so much. For a box you really care about and is meant to run for years, it matters more.

--
May the most significant bit of your life be positive.
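To see what the per-partition flags in the reply above buy, the following added example (not part of the original post) resolves a path to the mount point that covers it and reports whether device nodes, setuid bits and W^X-violating binaries are honoured there. The function names, the sample path and the single-partition layout are constructed for illustration; mount points containing spaces are not handled.

```shell
#!/bin/sh
# Added example: which mount flags apply to a given path?
# On a live system: mount | flags_for_path /home/alice/bin/tool

# The four mount(8) lines quoted in the message above.
sample_mounts() {
cat <<'EOF'
/dev/sd1a on / type ffs (local)
/dev/sd1e on /home type ffs (local, nodev, nosuid)
/dev/sd1d on /usr type ffs (local, nodev)
/dev/sd0a on /usr/local type ffs (local, nodev, wxallowed)
EOF
}

# Constructed contrast case: everything on one partition.
single_partition() {
cat <<'EOF'
/dev/sd0a on / type ffs (local)
EOF
}

# One line per filesystem: "<mountpoint> dev=yes|no suid=yes|no wx=yes|no"
# where "yes" means the kernel honours that feature on the filesystem.
mount_flag_report() {
    awk '
    $2 == "on" && $4 == "type" {
        mp = $3
        opts = $0
        sub(/^[^(]*\(/, "", opts)     # drop everything up to "("
        sub(/\).*$/, "", opts)        # drop ")" and anything after it
        n = split(opts, o, /, */)
        nodev = nosuid = wx = 0
        for (i = 1; i <= n; i++) {
            if (o[i] == "nodev") nodev = 1
            if (o[i] == "nosuid") nosuid = 1
            if (o[i] == "wxallowed") wx = 1
        }
        printf "%s dev=%s suid=%s wx=%s\n", mp,
            (nodev ? "no" : "yes"), (nosuid ? "no" : "yes"), (wx ? "yes" : "no")
    }'
}

# Reads mount output on stdin; prints the report line of the longest mount
# point that is a whole-component prefix of the path given as $1.
flags_for_path() {
    mount_flag_report | awk -v path="$1" '
    {
        mp = $1
        if (mp == "/" || path == mp || index(path, mp "/") == 1)
            if (length(mp) > best) { best = length(mp); line = $0 }
    }
    END { print line }'
}

echo "split layout:     $(sample_mounts | flags_for_path /home/alice/bin/tool)"
echo "single partition: $(single_partition | flags_for_path /home/alice/bin/tool)"
```

On the split layout a setuid file dropped under /home is inert, while on the single-partition layout the same path inherits the root filesystem's flags and the bit is honoured.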
Re: Improve support of Go
> Good day,
>
> I'm updating go's syscall table to modern OpenBSD (7.4).
> For some architectures it was updated more than decade ago, and a lot of things
> had changed.
> To do it I need to run commands like:
>
> cd src
> ulimit -S -d $(ulimit -H -d)
> env CGO_ENABLED=1 CC=cc CXX=c++ ./make.bash
> cd syscall
> env GOOS=openbsd GOARCH=%ARCH% CC=cc CXX=c++ PATH=$(pwd)/../../bin:$PATH ./mkall.sh
>
> where %ARCH% is one of go's architectures:
> - 386
> - amd64
> - arm
> - arm64
> - mips64
> - ppc64
> - riscv64
>
> The part with amd64 and 386 was quite easy. But the next parts... well..
>
> I'm stuck with attempt to install OpenBSD into qemu. I can't figure out how to
> boot an installer :(
>
> To move forward I need some help.
>
> The first way if someone can share the way to boot / install OpenBSD into
> qemu.
>
> And an alternative and simpler way I guess, if someone can grant me shell to
> that machine or run commands above on OpenBSD with installed go inside source
> tree from this branch: https://github.com/catap/go/tree/opebsd-syscalls

I can run them on mips64 for you at least.

--
May the most significant bit of your life be positive.
Re: OT: SSH3 proposal
On Mon 5 Feb 2024 at 08:28 Carlos Lopez wrote:
> Hi all,
> https://blog.apnic.net/2024/02/02/towards-ssh3-how-http-3-improves-secure-shells/
>
> Uhmm ... ssh over http/3? What do you think about it?

The concept of using udp (like wireguard and mosh) to get mobility between networks seems nice, quic and tls1.3 also sounds ok in themselves, but there might be some issue with the whole of the internet services converging into "one ip and one usable port" even if a machine may have tens of different services.

There is some similarity there with how Microsoft would stick all services onto tcp/445 and then multiplex it on the server, and that makes it weird in terms of wanting to firewall off one service but allow other services to a wider range of clients.

I get that they are early in the process and all that, but it looks like there will be a ton of moving parts on the server end to accommodate this alongside with the web stuff, and this part is less nice.

--
May the most significant bit of your life be positive.
Re: X11 Configuration for AMD RX 6600
Perhaps it would be easier for someone to help you if you do as this page suggests: https://www.openbsd.org/report.html

On Mon 22 Jan 2024 at 15:24 wrote:
> Hi, I'm trying to get my RX 6600 to work under OpenBSD, and am failing
> miserably.
> No matter what I put into /etc/X11/xorg.conf, it always says "no devices
> found" and "no screens found"
> I don't see any GPU-related errors in dmesg, so am I just doing it wrong?

--
May the most significant bit of your life be positive.
Re: socket core
On Tue 16 Jan 2024 at 01:16 Gustavo Rios wrote:
> Hi folks.
> I have a simple question : How many cores does OBSD support ?

amd64 says

#define MAXCPUS 64 /* bitmask */

but different arches have different limits. i386 has 32, ppc64 has 48, sparc64 has 256, HP/PA has 4 and so on.

/sys/arch//include/cpu.h is where it is set.

For amd64, I believe the limit is set so that each cpu can have a bit in a uint64 in various structs used to keep track on the cores without using far larger and more cpu intensive lists or arrays.

--
May the most significant bit of your life be positive.
Re: Run VM with 16G or more?
On Mon 1 Jan 2024 at 21:44 Kirill A. Korinsky wrote:
> Greetings,
> How can I run a VM with more than 16G of memory?
> A naive approach fails with error:
>
> vmctl: start vm command failed: Cannot allocate memory
>
> Yes, the host machine has that memory and much more.

Check datasize in ulimits as set by the shell and login.conf for the user that the VM runs as.

--
May the most significant bit of your life be positive.
Re: Bridging firewall and ntpd
On Tue 19 Dec 2023 at 23:57 Karel Lucas wrote:
> Hi all,
>
> I am creating a bridging firewall, and am wondering if it is possible to
> use the ntp daemon to ensure that all log files are timed correctly. Is
> there a way to achieve that despite the fact that the network
> connections do not have an IP address?

I did some of that in the early 2000s, and it wasn't as good an idea as I had imagined it to be. We put an extra eth interface on the box, and had that one on the inside network range, so it could log and be administered via it, then had some rules that allowed certain outside ips to traverse the bridging fw to the inside, and then reach the inside of the fw.

But all in all, that was just a workaround for a bad network setup where we got a /24 from our ISP, but not a transport network for our outside of the fw. I would not do it like that again, I noticed how nice it actually is to be able to use layer-3 tools like ping and traceroute and so on, even if it felt secretive and hip to have an "invisible" fw.

I think most people that have tried L2 firewalling end up moving away from it if they can, just because of the poor visibility you get when you run firewalls on top of bridges.

--
May the most significant bit of your life be positive.
Re: gre over carp
On Wed 13 Dec 2023 at 04:15 All wrote:
> >I'd like to add sasyncd in the mix and a 2nd router for higher availability.
> Don't do it. sasyncd is known not to work properly in failover scenarios.

When I ran it it did work fine for the first fail-over, but seldom (or perhaps never?) on fail-back when the master returned, so it was ok for giving me nice redundancy if the current carp master died, then I could choose a suitable time after fixing this node when to take the hit of a new tunnel-setup as I flipped back.

Never knew why it would only work one-way for me, but we had certain issues with broadcom bnx(4) cards and multicast at the time, so it could have been related to that.

> >Will gre over carp work?
> I think you can just try out in a vm. Don't see the reason why it would not.
> But perhaps there are some features that CARP interface doesn't support for gre.

Do mind that carp on software-defined switch networks might need some settings in order to allow the virtual eth cards to send out frames with "bogus" mac-addresses, since some hypervisors keep good track of which macs they have given to a VM and drop ethernet frames sent with not-those mac-addresses as source.

But to add to the original reply, I would probably go for two gre's towards the non-carp ips, since you are using ospf anyhow, you might just tell ospfd that one gre has a slightly higher cost than the other, and let it deal with the new network map when one of them fails.

--
May the most significant bit of your life be positive.
Re: OBS-Studio 26.1.0 and later
On Wed 13 Dec 2023 at 03:17 hammer2_zfs wrote:
> >OBS-Studio has never been in the ports tree. You must have been using a
> >third party build or self-built binaries.
>
> Maybe, OpenBSD 7.1/snapshots packages have OBS-Studio 26.1.0.
> https://newreleases.io/project/github/obsproject/obs-studio/release/26.1.0

No, you can look for it at
https://ftp.eu.openbsd.org/pub/OpenBSD/7.1/packages/amd64/
https://ftp.eu.openbsd.org/pub/OpenBSD/7.1/packages/i386/
and see that it is not there. I'm also fairly certain that Stuart checked the ports cvs history and did not find it there, in order to claim "it was never in the ports tree". If it wasn't ever in the ports tree, then it was never available as a package, at least not made by the OpenBSD project. So there is no 'maybe'. If there was a precompiled binary for OpenBSD, it was made by someone else and not reachable via pkg_* tools.

> said "Added OpenBSD support [grayed]".
> https://undeadly.org/cgi?action=article;sid=20210113072623

Might be worth your time to read all of that rather short article.

> When I tried pkg_mgr and pkg_info -Q obs-studio, pkg_add obs-studio on
> 2021.
> recently. I tried these commands and get a "obs-studio is not found".

It is "not found" for the reasons you already have been told.

--
May the most significant bit of your life be positive.
Re: OpenBSD on M1 Mac using VMware Fusion 13
On Sun 26 Nov 2023 at 09:03 Tito Mari Francis Escaño wrote:
> Hi misc,
> I want to run OpenBSD on company issued M1 Mac through VMware Fusion 13,
> for experiments and development.
> I tried to use the ARM64 image but it does not seem to work, it's my first
> time to use non-X86 machine.

This part needs far more attention from your side, you can't just leave it at "doesn't work". Computers, emulators, operating systems can Not-Work in literally millions of ways. What hardware did VMWare emulate, what were the errors, at which point did it stop?

> Has anyone here been able to run OpenBSD on M1 Mac through VMware Fusion
> before?
> Much as I want to run it on the hardware, since this a company-issued
> laptop, I opted to use VMware instead.
> Hope somebody can point me in the right direction on this one.

Both UTM and qemu can run openbsd-aarch64 guests, even if you can't get VMWare to work.

https://nomnp.com/plaintext/utmopenbsd

or a little longer,

https://codeofconnor.com/running-an-arm64-openbsd-virtual-machine-on-apple-silicon-with-qemu/

might help you get an openbsd VM running on your M1 Mac.

--
May the most significant bit of your life be positive.
Re: shmmax
> As my system is still fast and running properly after this tweak I need
> to ask if you think that sysupgrade requires or will (I doubt) any
> special value for shmmax?

If it required a special setting, it would set that special setting.

--
May the most significant bit of your life be positive.
Re: shmmax
> I'm here asking what
> it is exactly the meaning for 'shared memory' here, and if implying
> that it is eventually the max memory allocable to the graphic card is
> correct.

No. This is not related to graphics card memory

--
May the most significant bit of your life be positive.
Re: How to break and smash things
On Thu 26 Oct 2023 at 07:51 Maria Morisot wrote:
> But I really want to help the project. I like the idea of trying to break
> things and get them to malfunction in order to expose bugs that have been
> overlooked.
>
> I have a pretty good understanding of randomness and know about the
> concept of fuzzing. I've done testing in my software courses and know a
> little about writing code for explicit bad cases. But my schooling was very
> lax and was easy to get A's so I didn't put much effort in.

https://undeadly.org/cgi?action=article;sid=20150121093259

--
May the most significant bit of your life be positive.
Re: What could cause high CPU load averages (no actual CPU usage)?
> > A process that is started every 5 seconds and exits after 10ms
> > computation can cause the load to go up by 1. It just matters if it runs
> > during the sampling time or not. This is why the load average is not
> > accurate, it is an indication and if the value is below the number of CPUs
> > you may well see quantization errors.
> >
> > So yes, maybe there is something going on but even top -s .1 -I will have a
> > hard time to show it to you. It may be too small of a blip to spot.
>
> Ah, interesting. Any idea on how to measure/catch something like that? How
> would one find such a process?

If you have such a process (and see "load 1.0" in top) you don't have a load problem on this computer, so "finding" it becomes irrational. This means that you are chasing a symptom but where you lack an actual problem. If your cpu is busy 10ms every 5 seconds it is basically idle, and the small percentage you see is totally within measurement error margins. But load is a very bad measurement tool as previously stated in this thread.

--
May the most significant bit of your life be positive.
Re: xfce
On Wed 25 Oct 2023 at 13:22 Maria Morisot wrote:
> I know for a fact that something is broken in either xenocara or the main
> system, I can reproduce a kernel panic by running xfce, I've encountered it
> many times. But I don't know how to trap it before it faults in order to
> see what is going on.

https://www.openbsd.org/report.html might give a few hints.

> My solution was just to ignore it and run cwm but I want to try to fix it.
> I don't know how though.

If no details in any report are visible, then the chances of the bug being fixed seem very low.

--
May the most significant bit of your life be positive.
Re: reorder_kernel: failed
On Tue 17 Oct 2023 at 16:49 Karel Lucas wrote:
> Hi all,
>
> After a new installation of openBSD 7.4 I received the following
> message: "reorder_kernel: failed -- see
> /usr/share/relink/kernel/GENERIC.MP/relink.log". That turns out to be a
> zlib compressed data file, and I don't know how to unpack or read it.
> Does anyone know how I can do that?

If it actually is a zlib compressed file, then "zcat" or "zless" should work fine.

--
May the most significant bit of your life be positive.
Re: groups new
On Thu 5 Oct 2023 at 09:43 Matti wrote:
> It's not official, and I am trying to gain visibility by having it on the
> openbsd site. I am the first member.

Perhaps try to help getting the HelBUG restarted again, there should be some people there who like BSD.

http://helbug.fi/
https://twitter.com/helbsdusergroup

--
May the most significant bit of your life be positive.
Re: OpenBSD 7.3 found a process with PID 0
> How could be that there is a process with PID 0 before init?
> Probably I'm missing something about OpenBSD core.

As for this small part of the mystery, even init starts out as a skeleton process created early by the kernel, which then does an exec() of /sbin/init so that whatever program lies there on disk replaces the skeleton and retains its pid. When you know that part, it would not be unimaginable to have the kernel create another process (the swapper in this case) even before that happens.

After init-from-disk runs, all other processes must in some way be a descendant of it, but that "rule" does not cover the first two pids at least, which you can later see are the only ones without randomized pids.

For the rest of your questions, others have chipped in already.

--
May the most significant bit of your life be positive.
Re: Speed: dump/restore vs rsync
On Fri 22 Sep 2023 at 20:17 vitmau...@gmail.com wrote:
> Hi,
>
> I used the command "cd /SRC && dump 0f - . | (cd /DST && restore -rf - )"
> as suggested by the "Disk Setup" section of the FAQ to transfer everything
> from one of my old hard disks to the one that should replace it. However,
> I'm stuck with something around 35 megabytes/s of speed transfer (measured
> using "systat -h io") following this path. If I use rsync, I get something
> around 70 megabytes/s (measured by both the "--progress" option and
> systat). Am I missing something? Is this to be expected?

While I can't comment on the actual numbers, one thing one could consider when restoring (from any medium/type) into a new empty file system is that you can mount the destination fs async during the restore in order to speed it up a bit. While running with async all the time is not a good idea, the reasoning here is that if you get a half-restore (from some error you can fix) you would want to restart the restore fully anyhow, so in that case async isn't a problem while restoring.

Then you need to remount or unmount the async so that you are really sure it flushes all writes before you start running on it, or rebooting.

--
May the most significant bit of your life be positive.
Re: OpenBSD Wireguard implementation not copying ToS from inner to outer WG header
On Sun 17 Sep 2023 at 09:19 Andrew Lemin wrote:
> Hi,
>
> I have been testing the Wireguard implementation on OpenBSD and noticed
> that the ToS field is not being copied from the inner unencrypted header to
> the outer Wireguard header, resulting in ALL packets going into the same PF
> Prio / Queue.

I think the original wireguard implementation defines it as a feature: You can see the lines at

https://github.com/WireGuard/wireguard-linux/blob/stable/drivers/net/wireguard/send.c#L373

they skip bringing it along to not leak that information to the outside.

--
May the most significant bit of your life be positive.
Re: desire for journaled filesystem
On Fri 8 Sep 2023 at 03:47 Steve Litt wrote:
> My main computer is Void Linux. If I had to restore from backup every
> time the disks became mildly messed up, all my time would be spent
> backing up and restoring.
>
> I remember back in the 90's and early 00's before journalling every
> system crash was grounds for an ulcer.

Then again, ext2-3-4 run in asynch mode for all operations, which is why e2fsck takes such a long time, the act of creating a new file needs at least four operations (allocating space for contents, adding filename entry to directory, creating inode for metadata and writing out the actual contents). If you run async file systems, these can happen in any random order, and if you have a crash while files are being created (and deleted) any of these may or may not have happened. BSD ffs does these mostly in order (where softdep can change/delay some of them) which means that fsck for ffs can know that if step 3 isn't done, step 4 will not have started either. For e2fsck, all possible combinations must be explored.

Adding to this, ext filesystems don't seem to have any kind of way to express "I found an unchecked error so I am in need of a detailed fsck", which is why dists using ext2 would have "magic" files like touching /autofsck and removing said file in order to indicate if last shutdown was good or bad. Even with this simplistic method, they would STILL force fsck every 100 days or 58 reboots, because well, you can't tell if there ever was an error during the last 100 days, since there is no method to mark the known-broken fs as needing fsck.

In the light of this, the need for a journal (even at the cost of slightly more IO at times) becomes obvious. The fine folks over at the penguin camp will rather write to a journal "I am about to create /tmp/tmp.FSGSGRg3", then send those four operations, then clear the journal entry again, just so the middle 4 ops can be async, than "suffer" some ordering in the file system operations.

Now, bsd can run softdep which speeds some writes up, at some cost and some added risk, and you can certainly mount async and have really large risks added, but for each of those two steps, I would make very sure that I had either useless data, or (as suggested) good backups in place.

As Nick wrote, bsd people tend to like the fact that when your IO subsystem says "the data is on the disk", it actually is there. Ext4 had a nice period* when "on the disk" meant "it will be on disk in 2 and a half minutes" even for atomic operations. You can imagine how many people managed to have issues or lose power in the span of 150 seconds. I think they shortened the time, but the amount of tears needed for the "go fast even if you go in the wrong direction" crowd to change their minds was quite large.

To me, it is like usb writing speeds. OpenBSD will have dog slow speed. But it will also allow you to unmount the device when the write is finished. Other common OSes will tell you "done!" in a few seconds, then the stick is still blinking, and you ask to unmount and then it still takes this long amount of time because it was just lying to you about the writes being finished. If I am to wait 30 seconds to write a large ISO to my stick, I'd rather have the computer show me it is working, instead of hoping I would write the file in "three" seconds and then read comics for 27 seconds before unmounting so I don't notice the discrepancy.

*) https://www.pointsoftware.ch/2014/02/05/linux-filesystems-part-4-ext4-vs-ext3-and-why-delayed-allocation-is-bad/

--
May the most significant bit of your life be positive.
Re: desire for journaled filesystem
On Tue 5 Sep 2023 at 20:53 John Holland wrote:
> I have a backup that is at least 2 days old offsite at a friend’s house. It
> would be a bit of a pain to go retrieve it, but I could do that.
>
> Short of that, I have 4000+ files in lost+found with names like #1094827.
> What can I do with those? I tried running “file” on the first 50 via xargs
> and they mostly at least purport to be some sort of intact file. How can I
> determine what they are? Please don’t suggest that I manually use “file” and
> then an appropriate program to examine each one in turn

Those "files" are fragments of files, named after the inode number, which you get when fsck finds a not-complete chain of directory-entry/filename -> inode -> linked list of file-contents. While fsck can't figure out the filename and where in the directory structure it is meant to belong, or possibly if it is only some part of a whole file, it will give you a chance to recover at least partial contents from the lost+found folder. Sometimes this might be awesome if you can dig out some key or pw needed for something super important, sometimes you get half of a database file and that is probably close to zero usefulness.

That said, if it was (as written later) browser cache and partial downloads, it is not very surprising that data files exist which are not yet linked during the download, or temp files unlinked for later deletion by the FS, had the computer not crashed. If you had something like zfs, those half-written or half-deleted files might just have been totally missing instead of ending up in lost+found, since they represent a point-in-time in which the FS is not in a consistent state, so the end result would mostly have been the same, this data is not visible under your home account after the crash.

Journaling has some great advantages, like write aggregation if your journal can be placed on a faster device and when it comes to quick checkups after crashes, an empty journal often means the fs was not in a broken state and probably needs less or no total checkup by fsck tools, which is nice. It will not fix a half-downloaded ISO or unlinked temp files that you for some reason want to look at afterwards, nor will the journal fix any kind of broken sectors, though checksumming file systems will of course help you find the errors before handing the bad sectors over to your applications.

--
May the most significant bit of your life be positive.
Re: Bind address for wireguard
On Tue 29 Aug 2023 at 17:10 Samuel Jayden wrote:
> Is it possible to bind source address on wireguard as the source address of
> the connection?
> Thanks.

There isn't such an option now, outgoing udp will choose the interface which currently is deemed "best" on which the destination IP can be reached. If you search with google, you will find similar questions on the wireguard mail list from many years ago, and similar answers.

--
May the most significant bit of your life be positive.
Re: Supporting the OpenBSD Project through a Registered Charity
On Tue 29 Aug 2023 at 13:45 Katherine Mcmillan wrote:
> I'm wondering if there are any registered charities (in Canada, or frankly,
> any country!) dedicated to promoting/supporting OpenBSD?

https://www.openbsdfoundation.org/

--
May the most significant bit of your life be positive.
Re: IPsec over PPPoE
> 5) There is note in FAQ, that Native WireGuard support is also
> available. As both IPsec and WireGuard are new to me, may wg(4) be an
> option?

Yes, it should be a good option for site2site tunnels.

--
May the most significant bit of your life be positive.
Re: support update
On Fri 16 Jun 2023 at 04:46 Duncan Hart wrote:
> M dun...@appliedopenbsd.com
> U https://www.appliedopenbsd.com/

www. doesn't resolve using many public resolvers (8.8.8.8, 1.1.1.1, 9.9.9.9) but it did resolve at 4.2.2.4 so there is something fishy going on there.

The bare domain appliedopenbsd.com does resolve to several A-records on all the public ones.

--
May the most significant bit of your life be positive.
Re: Setting up a Transparent Tor Proxy on OpenBSD 7.3 with pf(4)
> "pfctl -f /etc/pf.conf" does not spit out any warnings or errors either,
> so I first assumed it would work just as flawlessly then, but apparently
> it doesn't, because I can't ping any domain or wget any webpage, when I

If you add "log" rules to your pf.conf and then watch the pflog device (man pflogd and man pflog for examples) you can see which rule blocks your wget/ping/dns, which might help in solving this particular part of your problems.

--
May the most significant bit of your life be positive.
Re: tmux only possible as root and not as normal user in 7.3?
On Fri 9 Jun 2023 at 09:44, sa...@sarag.net wrote:
> Ah, sorry, forgot to mention that: no, neither root nor user have any
> config file, this is directly after fresh install, so system defaults
> should have been used…
>
> >> I have three new installed machines, that show the same strange
> behaviour: tmux is only startable as root, if I want to start it with
> command "tmux" as normal user (which is in wheel group, btw), I get the
> error "no sessions", if I try to start it with command "tmux start-server",
> the error is "no server running on /tmp/tmux-1000/default".

This looks a lot like it is running "tmux attach" and not "tmux" when that message appears. Are you sure you are not using some kind of shell alias that makes it go "tmux a" instead?

--
May the most significant bit of your life be positive.
Re: Wg description ifconfig change removed -wgpsk in head?
> > Seems like it, > http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sbin/ifconfig/ifconfig.c.diff?r1=1.464=1.465=h and this would add it back: Index: ifconfig.c === RCS file: /cvs/src/sbin/ifconfig/ifconfig.c,v retrieving revision 1.466 diff -u -p -u -r1.466 ifconfig.c --- ifconfig.c 7 Jun 2023 18:42:40 - 1.466 +++ ifconfig.c 9 Jun 2023 06:26:14 - @@ -631,6 +631,7 @@ const structcmd { { "wgkey", NEXTARG,A_WIREGUARD,setwgkey}, { "wgrtable", NEXTARG,A_WIREGUARD,setwgrtable}, { "-wgpeer",NEXTARG,A_WIREGUARD,unsetwgpeer}, + { "-wgpsk", 0, A_WIREGUARD,unsetwgpeerpsk}, { "-wgdescription", 0, A_WIREGUARD,unsetwgpeerdesc}, { "-wgdescr", 0, A_WIREGUARD,unsetwgpeerdesc}, { "-wgpeerall", 0, A_WIREGUARD,unsetwgpeerall}, -- May the most significant bit of your life be positive.
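Review bot: the restored row `{ "-wgpsk", 0, A_WIREGUARD, unsetwgpeerpsk}` (the only + line, in the cmd table right after "-wgpeer") depends on unsetwgpeerpsk() and its prototype still being present in ifconfig.c after r1.465, which this hunk does not show; confirm both survived before committing, otherwise the table entry will not link. It is also worth checking that ifconfig(8) still documents -wgpsk, and saying in the commit message that the entry was dropped by accident in r1.465 so the history explains why it reappears.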
Re: Wg description ifconfig change removed -wgpsk in head?
Seems like it,
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sbin/ifconfig/ifconfig.c.diff?r1=1.464=1.465=h

On Fri 9 Jun 2023 at 00:09, Bradley Latus wrote:
> Hi,
>
> Looks like recent diff adding wgdesc accidentally removed -wgpsk entry.
>
> Noticed while looking over recent commits
>
> Cheers

--
May the most significant bit of your life be positive.
Re: support of thinkpad arm
> Hello
>
> I wish to know if the last thinkpad arm will be supported by openbsd
> before buying one.
>
> here the computer:
> https://www.lenovo.com/fr/fr/p/laptops/thinkpad/thinkpadx/thinkpad--x13s-(13-inch-snapdragon)/len101t0019

The commit history contains quite a lot of things related to X13s,
https://marc.info/?l=openbsd-cvs=2=1=x13s=b
so it is being worked on. Can't say usability at this point, but I think one can say there is interest in that box.

The 7.2 release notes had:
Added support for Lenovo ThinkPad x13s and other machines using the Qualcomm Snapdragon 8cx Gen 3 (SC8280XP) SoC.

--
May the most significant bit of your life be positive.
Re: Problem with WireGuard on OpenBSD 7.3
On Thu 4 May 2023 at 15:08, Odd Martin Baanrud wrote:
> inet 10.0.6.1 0xfgffgf00 NONE up !/usrlocal/bin/wg setconf wg0
> /etc/wireguard/wg0.conf

While multiple slashes combine into one, having /usr... seems like a weird thing to put in the config.

Apart from that, you either use /usr/local/bin/wg(-quick) to set up your wireguard interface OR hostname.wg0, not calling one from the other.

If you go for hostname.wg0, read up on the "man ifconfig" section about wireguard tunnels and skip the wg0.conf. If you go for wg/wg-quick, you can call it from rc.local or something.

> According to hostname.if(5), !-commands must work in single-user mode, if
> they should be executed.
> If this is the case, why is ‘wg’ in /usr/local/bin?

..which solves this "mystery" too.

--
May the most significant bit of your life be positive.
Re: pf - traffic flow through 2 routers
> I’m stuck setting up this configuration - 2 OpenBSD 7.3 boxes
> connected via a private network 192.168.2.0/24.
> The clients connected to box 1 on 192.168.1.0/24 should be able to reach the
> server
> on 192.168.2.0/24 with ip 192.168.2.2 on port 1234 tcp
> The communication between clients and server needs to go through the
> 192.168.2.0/24 network
> Box 1 can communicate with the server but the clients can not reach the
> server.
> Any pointers?

Use tcpdump to figure out where those packets go and where they stop going, so you know on which machine to look for the issue. If you use PF, enable logging on rules (man pflog) and see which rule those packets hit.

--
May the most significant bit of your life be positive.
Re: Minimum install size
On Fri 28 Apr 2023 at 06:12, Yoshihiro Kawamata wrote:
> In the OpenBSD FAQ, in the Installation Guide section, it says
> "OpenBSD can be installed in as little as 512MB, but using a device
> that small is something for advanced users".
> https://www.openbsd.org/faq/faq4.html#Partitioning
>
> In fact, the installation of only the kernel and base73.tgz required
> 629MB for i386 and 1GB for amd64.
>
> For example, if I delete the files under /usr/share/relink, I can
> get within 512MB, but this is not a desirable installation method, is
> it?

Do not assume "desirable" and "possible" are always the same.

--
May the most significant bit of your life be positive.
Re: login string size
On Mon 17 Apr 2023 at 23:01, Gustavo Rios wrote:
> i meant not the time, but its length: strlen(login).

/usr/include/pwd.h will help here I guess.

--
May the most significant bit of your life be positive.
Re: OpenBSD Comparable Technologies
Written on Sun 9 Apr 2023 at 11:56:
> Hello, I am new to OpenBSD in terms of using it as a home router/firewall. I'm
> trying to implement the OpenBSD equivalent or similar way of doing things
> like I did on my Linux Router. Are there equivalent ways/programs for the
> following:
>
> 1. Reverse Path Filter (Like on Linux).

PF antispoof and urpf is available. "man pf.conf"

> 2. Protection against DHCP Starvation attacks.

Give the important machines static entries, if you are concerned that hundreds or thousands of boxes/macs will eat up all dynamic ranges. Or use ipv6. Or perhaps 802.1x "authentication" where the mac is the password for radius so that unknown/undesired entries get the "wrong" network, if your switches support 802.1x.

> 3. DHCP Snooping
>
> 4. Reply-Only ARP system with features like(automatically adding arps for
> leases) that keep people from setting a static ip on the network and
> bypassing the queueing done by pf.

You can have dhcpd add handed out entries to a list, for which PF later can block. "man dhcpd" for the various lists it populates.

> P.S.: If there are any ways of doing these options above can you point me to
> the right documentation as I have tried to research but couldn’t find any
> thing on these subjects listed above.

--
May the most significant bit of your life be positive.
Re: Creating a "multicast bridge"?
> On Thu, Apr 06, 2023 at 04:17:26PM +0200, Martin Schröder wrote:
> > > I'd like to create a "bridge" between two IP networks which will pass
> > > only multicast info. / traffic.
> The goal is to create a single "multicast domain" between the networks
> i.e. to allow multicast communication between applications running in
> each of the networks ...
>
> Does that make sense?

Well, the part where you don't allow unicast and only allow multicast sounds strange still.

--
May the most significant bit of your life be positive.
Re: OpenBSD 7.2 on Oracle Cloud
On Thu 6 Apr 2023 at 12:57, Fabio Martins wrote:
> Try to add an entry in grub like in this article:
>
> https://raby.sh/installing-openbsd-on-ovhs-vps-2016-kvm-machines.html

That is very much not the same issue. The arm64 instances on Oracle find the correct kernel and boot it, it just crashes at or after the scsi attachment.

--
May the most significant bit of your life be positive.
Re: Mtr prob request
On Mon 27 Feb 2023 at 12:18, Daniele B. wrote:
> I recently found the newbee of myself asked to install and
> probe my VPS installing and use MTR in both ways.
> Indeed we are all veterans (and probably indians too) but
> MTR is it all that secure stuff that merits to be included in
> OpenBSD?

It has been in ports/packages since 1999, it will stay there.

--
May the most significant bit of your life be positive.
Re: Yubikey detection by non-root user
> and saw that the latter couldn't access /dev/usb0 and /dev/ugen1.00
> I modified the permissions and I can now use the Yubikey.
>
> My question is:
> Is this way of solving the problem correct in terms of security
> or best practices? If not, do you have any recommendations as how
> to do this correctly?

Perhaps check "man fbtab"? While usb device numbering is slightly random, if you are not often inserting random usb sticks, this might be a decent option.

Perhaps a script for hotplugd(8) can recognize it better than just "first usb device" and then chown/chmod on demand for you?

--
May the most significant bit of your life be positive.
Re: hw.ncpuonline
On Wed 1 Feb 2023 at 03:08, Justin Muir wrote:
> I've got an AMD A10 with 4 cores and only 2 are online. I'm not sure how to
> enable the other 2.
>
> hw.ncpufound=4 btw
> Any ideas out there?

OpenBSD disables hyperthreading (or symmetric multithreading, smt), so if your "4-core" cpu is actually 2 real cores and 2 hyperthreads, then this sounds perfectly reasonable.

For example, this box of mine (not the same cpu, but still), it looks like this:

hw.ncpufound=8
hw.smt=0
hw.ncpuonline=4

so I get the 4 real cores running out of possibly 8.

--
May the most significant bit of your life be positive.
Re: Live stick / cd from official sources
On Tue 31 Jan 2023 at 08:03, Daniele B. wrote:
> Thank you for the courtesy, Janne.
> I KINDLY reply in three points that maybe you are missing:
>
> 1) I just paid 216€, by MY wallet, to a german shop for a minipc
> that was set "delivered" to me without being tested by an
> "official livecd" that doesn't exist.

Those money you spent went to...

> 2) Since 2015 I'm an unpaid worker like you, I'm really starving
> and I pray to make me a donation: http://5md.at/l/dona1

Still doesn't allow you to make demands of openbsd devs.

> 3) Since 2012 I'm classified as an OpenBSD user.

Still doesn't allow you to make demands of openbsd devs.

3 points on why life is tough for you, and 0 on why anyone else should do work for you.

--
May the most significant bit of your life be positive.
Re: Live stick / cd from official sources
On Mon 30 Jan 2023 at 21:21, my25mb wrote:
>Ok, I did read all your observations and I want to thank you for your
>time.Like an openbsd user I do not think particularly enthusiast of
>your
>opinion aboutnot having a "rentable" live image to test [openbsd-boot: ok]
>anyway I remain optimist you can change your mind by
>ie. a sudden
>lightning fingers crossedMeanwhile let's see if this reply is readable
>;-)

You seem to be totally missing the point.

The people that do all the unpaid work to produce OpenBSD have decided to not produce what you think you need. Some of them have offered alternate working solutions that are quick for you to run through, but you still ask for the unpaid workers to do more unpaid work for you.

You can hope all you want, but your chances of succeeding seem rather low by now, after some 50+ releases and no "live cd" having been made so far.

--
May the most significant bit of your life be positive.
Re: premature end of data for lang/go package (mips64)
On Sun 11 Dec 2022 at 17:42, void wrote:
> Alternatively, is it feasible to build an amd64 vm and cross-compile
> there, for mips64/octeon?

I think it is. I think I have tried it for simpler stuff but unless I am very mistaken you just set GOARCH and fire off the build, then move the binary over.

--
May the most significant bit of your life be positive.
Re: 2FA VPNs
Perhaps have authpf add clients to a PF table which allows them to vpn in? The ssh part could have all kinds of S/Key and certificate additions if need be.

Or have people wireguard into the bastion host first, then use authpf to be let further into the network, since wg is far more silent when it comes to port knockers and scans.

On Wed 2 Nov 2022 at 03:07, Stuart Henderson wrote:
> If anyone's got any good suggestions on how to do VPNs with 2FA
> on an OpenBSD gateway for non-technical users to access (iOS, Android,
> Windows clients) I'd love to hear them.
>
> I could bodge something together with openvpn and TOTP but it doesn't
> exactly spark joy.

--
May the most significant bit of your life be positive.
Re: Problems with LDAP authorization against OpenLDAP server
> Why is bash a bad idea on OpenBSD?

Not bash in itself, but having it in /bin. If you installed it from packages/ports it would end up under /usr/local/bin instead, so the user's shell would point to the wrong place.

--
May the most significant bit of your life be positive.
Re: inaccuracy in the faq regarding ntpd
Den mån 26 sep. 2022 kl 12:28 skrev Marc Beste : > > Dear Sir or Madam, > > when writing a script to check if my local NTP server is providing the > time to my network I have noticed a slight inaccuracy in the FAQ > regarding the status of ntpd in logs. > > https://www.openbsd.org/faq/faq10.html#OpenNTPD > > Where it says: > 'a "clock now synced" message will appear in /var/log/daemon' > > it should say: > 'a "clock is now synced" message will appear in /var/log/daemon' > > I have observed this on OpenBSD 7.1 amd64. > Thank you very much for your time and effort. > > Best regards, Marc > For convenience: Index: faq10.html === RCS file: /cvs/www/faq/faq10.html,v retrieving revision 1.298 diff -u -p -u -r1.298 faq10.html --- faq10.html 22 Dec 2021 17:14:13 - 1.298 +++ faq10.html 26 Sep 2022 10:30:26 - @@ -261,7 +261,7 @@ When you have https://man.openb other machines may not be able to synchronize their clocks right away. This is because time information won't be served until the local clock is synced with a reasonable level of stability. -Once this level is reached, a "clock now synced" message will appear in +Once this level is reached, a "clock is now synced" message will appear in /var/log/daemon. -- May the most significant bit of your life be positive.
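Review bot: on the one changed line, the quoted message is what readers will grep /var/log/daemon for, so "clock is now synced" should be verified against the literal log string in the ntpd source rather than only against the single observation on 7.1 amd64 cited in the report. It would also help to check whether the old wording "clock now synced" appears anywhere else in the FAQ so the pages stay consistent.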
Re: lddtree on OpenBSD?
> > Unless I misremember, OpenBSD requires you to add all needed libraries
> > while linking the main program, so there is no tree to be listed.
>
> Not any more, we no longer have static-only archs.

Ah, I see. Thanks for the clarification.

--
May the most significant bit of your life be positive.
Re: lddtree on OpenBSD?
Written on Thu 15 Sep 2022 at 09:10:
> Dear list,
> is there any tool that would help me to see hierarchical dependencies
> of (shared) libraries on OpenBSD?
>
> I have compiled a program and when I run it (or use ldd) it shows
> that it depends on, eg, several versions of libX11 (which it should
> not, as far as I understand). I would like to understand what brings
> in the various versions.

Unless I misremember, OpenBSD requires you to add all needed libraries while linking the main program, so there is no tree to be listed.

--
May the most significant bit of your life be positive.
Re: Swap on SSD's (with softraid 1+C)
> (Follow up question as for swap sizing: In the age of 32+ GB RAM, do
> you people really follow the recommendations on having swap at least
> twice the amount of RAM? I'm hoping for 72GB RAM and that would steal
> 144GB of my 525GB disks, something that seems ridiculous.)

That advice is ridiculous for such a machine, yes. Depending on if you want to have a full crash dump done to swap and/or hibernate to swap, you might be forced to have it at RAM-size plus some extra, but for the ordinary run of the machine it should not be needed to have a large swap at all, unless you run 40+G worth of applications all the time.

If you did have 72G swap and actually used half of it, waiting for a normal drive to un-swap that amount would be sad and boring.

--
May the most significant bit of your life be positive.
Re: Non-Disclosure Agreement
> My team in Dell Technologies are looking to use your software OpenSSH Client
> 9 and OpenSSH Server 8. To do this our Cyber Security department require that
> we sign a Non-Disclosure Agreement with you. Who would be the best person to
> reach out to regarding this request?

While you have already gotten a correct reply on this request, I am still curious as to which direction you intended this NDA to work? Is it so that you will not tell OpenSSH people about secrets or did you expect it to work the other way around?

If one department is putting pressure on another inside Dell, how do you think it would affect OpenSSH which is already being given away for any purpose to anyone? I would understand this to some degree if you were to try to dangle a ridiculous amount of money in front of someone in order to have them bind themselves legally to you (or your cyber team) but this suggestion above sounds like a weird and bad deal for the other party, apart from the slightly obvious "we do not understand open source" hints from your end.

Doing 3 minutes of research shows that Dell already uses openssh for iDrac which can be seen here:
https://opensource.dell.com/releases/idrac9/3.36.36.36/LICENSES.html
so go talk to those people internally on how to make it work without bothering the OpenSSH developers with silly requests.

--
May the most significant bit of your life be positive.
Re: Additional information required for cputime
> Is there any other information or examples about that parameter ?
>
> SO far if found : `cputime = pp->p_rtime_sec + ((pp->p_rtime_usec + 50)
> / 100);`
> implying this parameters is in seconds, and the kernel will send a SIGXCPU
> if the process is not finished after that time ?

This is consumed cpu time and not wall time. If you set this on gzip, those might get close to 1:1, but for a process that sleeps a lot, a cpu second may well take minutes, hours or days.

This is the TIME column in top, if you want to take a quick peek at how much time a process consumes, compared to wall time.

--
May the most significant bit of your life be positive.
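Added example, not part of the original message: a small C program that makes the CPU-time versus wall-time distinction above observable with the POSIX RLIMIT_CPU soft limit. The function and struct names are invented for this sketch, and it assumes the inherited hard limit is higher than the one-second soft limit it sets.

```c
/* Added example: RLIMIT_CPU counts consumed CPU time, not wall-clock time.
 * run_with_cpu_limit() and struct outcome are names invented for this sketch. */
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum workload { WORK_SLEEP, WORK_SPIN };

struct outcome {
    int killed_by_sigxcpu;   /* 1 if the child was terminated by SIGXCPU */
    int exited_normally;     /* 1 if the child called _exit(0) itself */
    double wall_seconds;     /* elapsed real time, fork to reap */
    double cpu_seconds;      /* user + system CPU time the child consumed */
};

static double tv_seconds(struct timeval tv)
{
    return (double)tv.tv_sec + (double)tv.tv_usec / 1e6;
}

/* CPU time of all children reaped so far; callers take a before/after delta. */
static double children_cpu_seconds(void)
{
    struct rusage ru;

    if (getrusage(RUSAGE_CHILDREN, &ru) == -1)
        return 0.0;
    return tv_seconds(ru.ru_utime) + tv_seconds(ru.ru_stime);
}

static void child_body(enum workload w, int cpu_limit, int sleep_seconds)
{
    struct rlimit rl;
    volatile unsigned long spin = 0;

    signal(SIGXCPU, SIG_DFL);            /* default action: terminate */
    if (getrlimit(RLIMIT_CPU, &rl) == -1)
        _exit(2);
    rl.rlim_cur = (rlim_t)cpu_limit;     /* soft limit only, hard limit kept */
    if (setrlimit(RLIMIT_CPU, &rl) == -1)
        _exit(2);

    if (w == WORK_SLEEP) {
        sleep((unsigned)sleep_seconds);  /* wall time passes, no CPU is used */
        _exit(0);
    }
    alarm(30);                           /* wall-clock safety net for the demo */
    for (;;)
        spin++;                          /* burns CPU until SIGXCPU arrives */
}

struct outcome run_with_cpu_limit(enum workload w, int cpu_limit,
                                  int sleep_seconds)
{
    struct outcome o = { 0, 0, 0.0, 0.0 };
    struct timeval start, end;
    double cpu_before = children_cpu_seconds();
    int status = 0;
    pid_t pid;

    gettimeofday(&start, NULL);
    pid = fork();
    if (pid == -1)
        return o;
    if (pid == 0)
        child_body(w, cpu_limit, sleep_seconds);   /* never returns */
    if (waitpid(pid, &status, 0) == -1)
        return o;
    gettimeofday(&end, NULL);

    o.wall_seconds = tv_seconds(end) - tv_seconds(start);
    o.cpu_seconds = children_cpu_seconds() - cpu_before;
    o.killed_by_sigxcpu = WIFSIGNALED(status) && WTERMSIG(status) == SIGXCPU;
    o.exited_normally = WIFEXITED(status) && WEXITSTATUS(status) == 0;
    return o;
}

int main(void)
{
    struct outcome spin = run_with_cpu_limit(WORK_SPIN, 1, 0);
    struct outcome nap = run_with_cpu_limit(WORK_SLEEP, 1, 2);

    printf("spin:  SIGXCPU=%d wall=%.2fs cpu=%.2fs\n",
           spin.killed_by_sigxcpu, spin.wall_seconds, spin.cpu_seconds);
    printf("sleep: SIGXCPU=%d wall=%.2fs cpu=%.2fs\n",
           nap.killed_by_sigxcpu, nap.wall_seconds, nap.cpu_seconds);
    return 0;
}
```

The sleeping child outlives its one-second limit in wall time and still exits cleanly, while the spinning child is signalled once it has consumed about one second of CPU.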
Re: Blocking ping scan
On Sat 18 Jun 2022 at 11:17, Cristian Danila wrote:
> Good day! Does anyone know if OpenBSD(7.1) has the capability to be hidden
> against a pingscan(nmap -sn xxx.xxx.xxx.xxx)?
> In PF I have only 2 rules to block everything:
> block in quick all
> block out quick all
>
> This is a fresh OpenBSD7.1 with no other configuration in place.
> The only thing set is the default interface vic0 to allow dhcp
>
> By running a test with nmap -sn 192.168.121.131 I see this:
> Starting Nmap 7.92(https://nmap.org)at 2022-06-18 11:52 GTB Daylight Time
> Nmap scan report for 192.168.121.131
> Host is up (0.00s latency).
> MAC Address: 00:0C:29:C3:D9:A7 (VMware)
> Nmap done: 1 IP address (1 host up) scanned in 0.46 seconds
>
> On scanned host I see this by running tcpdump -i vic0
> 09:51:40.913770 arp who-has 192.168.121.131 tell 192.168.121.1
> 09:51:40.913795 arp reply 192.168.121.131 is-at 00:0c:29:c3:d9:a7

arp is done "outside" of pf, that is why you see the arp exchange. nmap lists this as "I know things about the hosts" and while it calls it a "ping scan", it really hasn't got much in common with icmp pings, but rather does an arp request and says that all hosts that respond are "up". I'm sure a box can be all kinds of broken and still send out arp replies, so you have to adapt your expectations of what "up" means here. (first sentence on 'man nmap' on the part where it says what -sn does is informative I guess?)

So while you can see an ethernet device with a mac and an IP does exist on the local network, that is all you get. Then if you have "block in all" in PF no icmp, no tcp, no udp from any host will get to the target's ip stack.

The arp resolution is only visible for boxes on the same network, so if I was to nmap from remote (assuming your gateway/router/fw allowed the traffic) then the entity doing arp would be your gateway/router/fw and not my box. Hence, I would not learn anything at all about your machine except that it looks down from remote, but your gateway/router/firewall would "learn" the info shown above in the nmap output.

If you REALLY wanted to not be visible even on the local ethernet, then down the ethernet interface and do not put an ip on it. It would also not be usable, but this is more or less what your PF config is saying anyhow.

> I am thinking(please correct me if I am wrong) that not all the traffic
> passes through pf hence this is why is not blocked.

Sort of. arp is more like being on a lower level than the later ip traffic for which pf will block all.

> I would appreciate if someone could provide me a technical answer on this,
> even recommend me a book to read or docs regarding it.

https://en.wikipedia.org/wiki/Address_Resolution_Protocol

--
May the most significant bit of your life be positive.
Re: best place to put export variables
> > I want to export XDG_CACHE_HOME variable used by Xorg.
> > What is the best place (file or ?) to export this variable?
> > I remember i used some file to export a long time ago PS1 variable.
> > Should I use ~/.login file or is it a better way to export this xorg
> > variable?
> Everywhere online (Linux users mainly) were saying to put it in
> .profile, which did not work on OpenBSD. What ended up working for me
> is putting it in .xsession. So I assume that is a good place for any
> export command like this.

Well, .profile is a shell init file setting, so if you read advice from people who are running another shell than you are, then their solutions will not work. It is not (primarily) about what OS you are using, but which shell you have, and which files it will read and parse at startup.

.xsession will also work, in the graphical environments, and for QT that might be implied of course.

--
May the most significant bit of your life be positive.
Re: Historical Reasons For Default NAT Source Port Modification
On Mon 16 May 2022 at 10:35, Elias Carter wrote:
> OpenBSD/PF defaults to randomizing the source port whereas
> Linux/IPTables defaults to trying to keep the source port.
>
> I have found that preserving the source port if possible works better
> out of the box when hosting publicly accessible UDP applications
> within a private network. Randomizing the source port of UDP replies
> will most likely cause the reply to be blocked by the requestor's
> network. Of course you can create a PF rule for your UDP application
> with `static-port`, but it requires a more in depth understanding of
> how NAT and UDP applications interact to get it to work.
>
> One possible advantage of randomizing source ports is that it helps
> prevent fingerprinting of the devices behind the NAT? Are there any
> other reasons?

I don't know the original thought, but if the source UDP port has strict requirements, then you should really handle it strictly and not just "bet" on the first consumer to have it work, and the second, third and so on will fail.

Let's take old IKEv1 as an example, it wants to make the phase 1 negotiations to UDP destination port 500, while some IKE daemons implement a check that the source UDP port is also 500. In case the NAT tries to use the same port, the first client to ipsec against a remote host will succeed, but a second client running at the same time would get a source port from the "pool" of random UDP ports, and hence stop working.

I think this would cause even bigger issues than having both get random ports to begin with, so that you can act on it immediately (setting NAT-T or something else in this case) and not when the service starts to become used by more than your first test laptop.

While I can see the appeal of trying, it still means the service is not really made to work for more than one client from that same NAT pool. Might be fine if you aim for "bill and bob and jenny who works from home" coming in from separate home broadband connections or whatever, but it quickly breaks down for any larger cases than that.

It is rather uncommon for UDP services to make demands of the source port and for them to have expectations about the ports, so when this happens I think one needs to see and act on it right away, and that would not happen if it "sometimes work" based on luck or timing or "I was first into the office so I got today's slot at 08.01 to 08.02 before the udp session times out in the fw".

--
May the most significant bit of your life be positive.
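Added example, not part of the original message: a toy model of the argument above, with several clients behind one NAT address all sending from UDP source port 500 to a peer that only accepts source port 500. Every name here is invented for the sketch, and the "random" pool is a deterministic counter so the result is reproducible.

```c
/* Added example: port-preserving NAT versus always-rewrite NAT in front of a
 * peer that insists on UDP source port 500 (the IKEv1 case in the message).
 * All identifiers and the toy port pool are assumptions of this sketch. */
#include <stdio.h>

#define IKE_PORT     500
#define MAX_CLIENTS  8
#define POOL_START   50001   /* stand-in for a randomly chosen high port */

enum nat_policy {
    NAT_PRESERVE_IF_FREE,    /* keep the source port when nobody else has it */
    NAT_ALWAYS_FROM_POOL     /* always rewrite the source port */
};

struct nat {
    enum nat_policy policy;
    unsigned short in_use[MAX_CLIENTS];  /* outside ports already mapped */
    int n_in_use;
    unsigned short next_pool_port;
};

struct trial {
    int accepted;       /* clients whose negotiation the strict peer accepted */
    int first_failure;  /* 1-based number of the first rejected client, 0 if none */
};

static void nat_init(struct nat *n, enum nat_policy policy)
{
    n->policy = policy;
    n->n_in_use = 0;
    n->next_pool_port = POOL_START;
}

static int port_in_use(const struct nat *n, unsigned short port)
{
    int i;

    for (i = 0; i < n->n_in_use; i++)
        if (n->in_use[i] == port)
            return 1;
    return 0;
}

/* Map one new flow and return the source port the remote peer will see
 * (0 if the toy state table is full). */
unsigned short nat_map(struct nat *n, unsigned short inside_port)
{
    unsigned short outside;

    if (n->n_in_use >= MAX_CLIENTS)
        return 0;
    if (n->policy == NAT_PRESERVE_IF_FREE && !port_in_use(n, inside_port)) {
        outside = inside_port;
    } else {
        do {
            outside = n->next_pool_port++;
        } while (port_in_use(n, outside));
    }
    n->in_use[n->n_in_use++] = outside;
    return outside;
}

/* The strict daemon from the message: source port must also be 500. */
int strict_peer_accepts(unsigned short src_port)
{
    return src_port == IKE_PORT;
}

struct trial run_trial(enum nat_policy policy, int clients)
{
    struct nat n;
    struct trial t = { 0, 0 };
    int i;

    nat_init(&n, policy);
    for (i = 0; i < clients && i < MAX_CLIENTS; i++) {
        unsigned short seen = nat_map(&n, IKE_PORT);

        if (strict_peer_accepts(seen))
            t.accepted++;
        else if (t.first_failure == 0)
            t.first_failure = i + 1;
    }
    return t;
}

int main(void)
{
    struct trial keep = run_trial(NAT_PRESERVE_IF_FREE, 3);
    struct trial pool = run_trial(NAT_ALWAYS_FROM_POOL, 3);

    printf("preserve-if-free: %d of 3 accepted, first failure at client %d\n",
           keep.accepted, keep.first_failure);
    printf("always-from-pool: %d of 3 accepted, first failure at client %d\n",
           pool.accepted, pool.first_failure);
    return 0;
}
```

With port preservation a single test client sees no failure at all and the problem only appears at client 2; with rewriting, the very first test fails, which is the "see and act on it right away" outcome the message argues for.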
Re: OpenBSD and multitasking
On Tue 26 Apr 2022 at 22:50, Mihai Popescu wrote:
> $ time dd if=/dev/zero of=test10g.dat bs=1m count=10240 conv=fsync
> 10737418240 bytes transferred in 260.289 secs (41251827 bytes/sec)
> $ time dd if=/dev/zero of=test10g.dat bs=1m count=10240 conv=fsync
> 10737418240 bytes transferred in 24.006 secs (447266094 bytes/sec)
>
> The test is done using a mechanical disk and a ssd one. I think the
> dude telling that some entry level ssd have the same performance like
> mechanical disks is the same with the one telling ssd will wear very
> fast. My mistake to believe it without testing.

Even if the best-case transfer speeds were the same, the zero seek times of ssds will make a huge difference when dealing with all other kinds of IO than "super large linear writes", which is basically 99.9% of all IO you do when using the computer.

--
May the most significant bit of your life be positive.
Re: IKEV2 two devices can connect but only one can make traffic
On Tue 12 Apr 2022 at 15:30, Łukasz Moskała wrote:
> I remember talking with network engineer at one company I used to work at.
> We used fortigate firewalls, and I asked why are we using SSLVPN instead of
> ipsec-based vpn, as both were supported.
> He said something along the lines of "ipsec does not work when there are two
> devices connecting from the same IP so this would be issue for us when two
> admins were on the same public wifi, or lived together"
> I don't know if this is specific to fortinet's implementation, or if it's
> issue with ipsec itself, as I never used ipsec in anything else than
> site-to-site connection.

Some ipsec implementations require that IKE (v1?) negotiation comes with source udp port 500, and since two clients behind one NAT can't both map their outgoing packets (or even one of them) to this single port, it is not possible to have two nat'ed clients behind same external IP.

--
May the most significant bit of your life be positive.
Re: pf documentation
On Thu 7 Apr 2022 at 11:12, Steve Litt wrote:
> Hi all,
>
> I need some easy beginner's pf documentation as well as some
> intermediate pf documentation. I plan to make an OpenBSD/pf firewall. I
> haven't done this in ten years, and imagine pf and the process of
> turning OpenBSD into a firewall have changed in that time.

Might be worth looking around the OpenBSD webpage, perhaps it has a section with Frequently Asked Questions that contain PF information one might learn from?

--
May the most significant bit of your life be positive.
Re: BOGUS behavior on 6.9 Spark vs. 6.9 amd64
On Tue 5 Apr 2022 at 13:46, Duncan Patton a Campbell wrote:
> I have 6.9 installed on an amd64 and a sparc64. On the amd tar/gzip etc.
> work as
> always, producing .gz files that can be uncompressed with gunzip.
>
> But on the sparc64, things go sideways. Instead of calling the gzip it is
> invoking xz (which is a bogon of another era). Why is this? How can
> I return the sparc to normal behavior?

I suggest checking the PATH and "which gzip" to see if the sparc is calling out to a non-system binary when you run "gzip".

--
May the most significant bit of your life be positive.
Re: How to track system changes?
On Tue 5 Apr 2022 at 03:20, Eric Thomas wrote:
> Very valuable insights. That’s a great idea.
> The rsync script was ksh/bash or cron? Ideally I’d like to use Python to
> tackle something like this but I’m not against learning shell.

Sounds a lot like rsnapshot (available in ports), the end result should be the same on the remote, and there you can look for changed entries.

> > Something I came up with which worked out really well at my employer was
> > a backup system that used rsync and the --link-dest option to make a useful

--
May the most significant bit of your life be positive.
Re: openbsd, softraid recovery (I have password)
On Sun 3 Apr 2022 at 15:58, harold wrote:

For anyone else that wants to experiment with dual/triple-booting:

> I lost data due to misunderstanding
> I tell you more :
> a/ I had windows and linux mint 18 (gpt/efi)
> b/ I add openbsd to these double systems. Now three. Grub2 manages it.

[ skipping a bit in the middle ]

> password, recognize it. Slice looks empty. Df shows only few kb files.
> Data is gone. No backup.

If you are doing weird triple OS-on-same-harddrive experiments, either

1) do not stash important data at all on any of them and just use it to learn something

or

2) make very sure you have working backups of everything important to you

There is very little in between, apart from tears when people skip this advice. 8-(

No, I can't help get this data back, but I can at least hope to tell just one user more, that tested backups are very important, *especially* when doing experimental setups with the disk and partitions around it.

--
May the most significant bit of your life be positive.
Re: Cross-build ARM64 on AMD64. Any starting pointers?
On Fri 25 Mar 2022 at 09:23, Slava Voronzoff wrote:
> Hello, I want to build ARM64 on my OpenBSD/amd64 machine. Any suggestions
> on there to start with? I spent some time in qemu-aarch64, but while it is
> working it is obviously pretty slow.

http://www.openbsd.org/faq/faq5.html
search for "cross"

--
May the most significant bit of your life be positive.
Re: who is writing to a deleted file?
On Fri 18 Mar 2022 at 16:29, Harald Dunkel wrote:
> something on my gateway (7.0) is hiding disk space, AFAICS:
>
> # du -hs /
> 3.4G/
> # df -h /
> Filesystem SizeUsed Avail Capacity Mounted on
> /dev/sd0a 31.5G5.6G 24.3G19%/
>
> How can I find out which process is eating up disk space, without
> killing it, of course?

fstat(8) can help,

# fstat | sort -n -k 9

to get the largest open file at the bottom, third column is the PID.

--
May the most significant bit of your life be positive.
Re: Cannot pass the OpenBSD bridge.
On Fri 11 Mar 2022 at 10:23, T K wrote:
> Hi list
> Please forgive me my incompetence, but I have no further idea
> how to manage setup I try to arrange.
> I have fujitsu futro box with 2 ethernet cards, OpenBSD 7.0.
> I would like to set that box up as a filtering bridge.
> I guess it is quite common schema:
> Lan boxes(windows)
> network switch>>network
> switch>host1,host2,host3 etc.
> Config is made according to manuals, the book of pf and so on:
> /etc/hostname.bridge0: add re0 add bge0 blocknonip re0 blocknonip em0

em0 ?

--
May the most significant bit of your life be positive.
Re: boot and ddb
On Thu 10 Mar 2022 at 09:57, rtw0 dtw0 wrote:
> Hi,
> (reboot) after install opens dbb
> showing UID 0 as loading is halted.
>
> Where may I find info for debugging with ddb?

http://man.openbsd.org/crash and https://www.openbsd.org/ddb.html might be of some help to get started, http://man.openbsd.org/ddb.4 on how to manage ddb itself.

--
May the most significant bit of your life be positive.
Re: disk i/o test
On Sun 6 Mar 2022 at 16:41, Mihai Popescu wrote:
> Since this thread is moving slowly in another direction, let me

True

> reiterate my situation again: I am running a browser (mostly chromium)
> and the computer slows down on downloads. Since I've checked the
> downloads rates, I observed they are slow than my maximum 500Mbps for
> the line.
> I can reach 320Mbps maximum, but mostly it stays at 280Mbps and the
> Chromium has 30 seconds delays in everything i do.

I would make sure it is not some kind of DNS thing, 30 second delays sounds A LOT like trying a "dead" resolver 3 times with 10 secs in between, before moving to a "working" one.

--
May the most significant bit of your life be positive.
Re: disk i/o test
On Thu 3 Mar 2022 at 18:10, Mihai Popescu wrote:
>
> > https://openports.pl/path/benchmarks/fio
> > To test perf on many small IO (measuring iops basically) run:
> >
> > fio --name=random-write --rw=write --bs=4k --numjobs=2 --size=1g
> > --iodepth=16 --runtime=60 --time_based --end_fsync=1
>
> Run status group 0 (all jobs):
> WRITE: bw=12.5MiB/s (13.1MB/s), 6370KiB/s-6438KiB/s
> (6523kB/s-6592kB/s), io=754MiB (791MB), run=60305-60305msec
>
> > To test large-IO perf:
> >
> > fio --name=random-write --rw=write --bs=1M --numjobs=1 --size=1g
> > --iodepth=1 --runtime=60 --time_based --end_fsync=1
>
> WRITE: bw=18.9MiB/s (19.8MB/s), 18.9MiB/s-18.9MiB/s
> (19.8MB/s-19.8MB/s), io=1138MiB (1193MB), run=60364-60364msec
>
> > Look for the result in the post-run report,
> > for small IO it can be
> > write: IOPS=37.8k, BW=148MiB/s (155MB/s)
> > and for larger writes
> > write: IOPS=253, BW=253MiB/s (266MB/s)
>
> Not really like your report, did you run it on another OS or cited from
> memory?

No, ran it on an openbsd VM. Still, there would have been absolutely zero chance that my random setup would match yours exactly so it was not meant as a measuring stick on what is everyone's acceptable level, only how to interpret differences between large IO throughput and small IO latency/iops values.

> Besides this, are my values too low or just the expected ones?

It seems the throughput is bad. The small IO test showed good numbers for iops, but the second test (and I guess other people's suggestion to try dd from /dev/zero) will show that you seem to have a "thin wire" from the drive to the computer, it seeks fast but transfers data slowly.

You might want to test the large IO test again with iodepth 1 and only one thread just to see if it is caused by the drive jumping between serving data from different places, so asking for a single stream might give you the "optimal" transfer speed for a non-busy drive.

The numbers you did get were somewhat like when I bought an IDE->CompactFlash adapter for my firewalls. The CF disk had "zero" seek times which is good for cvs updates and so on, but still a low overall transfer speed since CFs were just not anything like modern ssd/nvme flash drives. Also, IDE being what it is puts limits on concurrency when it comes to IO.

--
May the most significant bit of your life be positive.
Re: disk i/o test
Den tors 3 mars 2022 kl 14:02 skrev Mihai Popescu :
> I am trying to test some disk i/o speeds and I am stumbled on two questions:
> 1. Does it matter if I set in BIOS Legacy or AHCI for the drive,
> regarding the read/write performance?

Probably yes. AHCI will be better if it works.

> 2. Can you suggest a sane disk I/O benchmark, writing from RAM to disk
> (i.e. cp /dev/null )?
>

https://openports.pl/path/benchmarks/fio

To test perf on many small IO (measuring iops basically) run:

fio --name=random-write --rw=write --bs=4k --numjobs=2 --size=1g --iodepth=16 --runtime=60 --time_based --end_fsync=1

To test large-IO perf:

fio --name=random-write --rw=write --bs=1M --numjobs=1 --size=1g --iodepth=1 --runtime=60 --time_based --end_fsync=1

Look for the result in the post-run report,
for small IO it can be
write: IOPS=37.8k, BW=148MiB/s (155MB/s)
and for larger writes
write: IOPS=253, BW=253MiB/s (266MB/s)

> I am on snapshots for amd64 and I think i have a really slow writing
> to disk on OpenBSD only.

Might be worth testing mount flags like softdep or (shudder) async if the data is backed up and not very important.

--
May the most significant bit of your life be positive.
Re: What happened to www/art on CVSWeb? Why is it empty?
Aren't they under images/ ?

Den tors 10 feb. 2022 17:53 Marc Espie skrev:
> On Thu, Feb 10, 2022 at 11:25:40AM -0500, Nick Holland wrote:
> > On 2/10/22 6:34 AM, Kacper Wilgus wrote:
> > > I tried to download some artwork from these pages:
> > >
> > > https://www.openbsd.org/art1.html
> > > https://www.openbsd.org/art2.html
> > > https://www.openbsd.org/art3.html
> > >
> > > But only the first one has an image, the rest of them give me 404
> > > errors and I swear they used to be there just a year ago. And the
> > > wayback machine proves this. Was it an error, or copyright issues?
> > > It seems weird it was just snapped out of existence without any warning.
> > >
> >
> > art[123].html hasn't been referenced from the main page since OpenBSD 5.8
> > (see the removal in version 1.686 of index.html, and they are not currently
> > referenced in any page on the website other than art[123].html so I think
> > it is safe to say it was not being maintained and deleted at some point.
> >
> > I have no other info than it looks like the "problem" is more the
> > continued existence of art[123].html more than the missing images.
> >
> > Nick.
> >
> >
> A quick look at the full cvs repository shows a few .jpg and QUITE a few
> .gif in the Attic.
>
> Just saying ;)
>
>
Re: Are there any OpenBSD Kernel/Architecture Books?
Den tis 21 dec. 2021 kl 02:14 skrev Thomas Windisch : > What resources would be a good primer on the OpenBSD kernel and general > architecture and give me a good understanding of the internals? > > FreeBSD has this: > > https://docs-legacy.freebsd.org/doc/13.0-RELEASE/usr/local/share/doc/freebsd/en_US.ISO8859-1/books/arch-handbook/book.html > > I understand that in OpenBSD there is the mantra that source code is > documentation. But as a beginner I'm afraid that I do need something > explicit that would allow me read the source code in an effective manner. For general kernel code, The Design and Implementation of the 4.4BSD Operating System, and for network/driver code, Stevens TCP/IP Illustrated Volume 2 is a really good choice. Even if it doesn't match 100%, when you "get" those books and how code is/was written, it will be far easier to get into the OpenBSD codebase. -- May the most significant bit of your life be positive.
Re: how to recover a corrupted disk
Den ons 1 dec. 2021 kl 11:09 skrev Sandeep Gupta : > @Peter, @Janne: Thanks for the infos. Newfs seemed promising but it > seems like the disk is beyond repair :(. > I did newfs -N and got quite a few location of superblocks: > Then I tried > fsck_ffs -b #blockid /dev/rsd1c You should *NOT* newfs or fsck against the "C" partition. -- May the most significant bit of your life be positive.
Re: how to recover a corrupted disk
Den ons 1 dec. 2021 kl 09:12 skrev Sandeep Gupta : > I am running OpenBSD 7.0 on RPi4. I accidentally removed the usb > cable connecting the sata ssd to the RPi4. > Well OpenBSD froze and upon reboot I got the very comforting > Synchronous Exception message. > Thankfully, I have another RPi4 running OpenBSD. I can mount the > corrupted disk ( did the necessary backups). I did fsck on all the > partitions. > All partitions except for /dev/rsd1c and /dev/rsd1i are clean. > For /dev/rsd1c , I get "BAD SUPER BLOCK: MAGIC NUMBER WRONG". The "c" partition is not meant to hold filesystems, it is the device used to talk to "the whole disk" for fdisk and such tools. > For /dev/rsd1i, I get "UNEXPECTED INCONSISTENCY". If you had any non-bsd filesystems (like a small MSDOS/FAT partition for booting/firmware/arm blob stuff), it will end up as sdXi (and j,k,l, and so on if you have more than one foreign fs), so if that is the case, then it is not unexpected to see FFS' fsck have issues with FAT filesystems. -- May the most significant bit of your life be positive.
Re: running a process under nologin user
Den mån 22 nov. 2021 kl 06:27 skrev Sandeep Gupta :
> The httpd server runs under user www. In my web deployment setup, the
> httpd server communicates over uWSGI/gunicorn server over unix domain
> sockets.
> I am not able to launch uwsgi (or gunicorn) server under www user.
> The command
> "doas -u www " gives error
> "operation not permitted". As root, trying to launch a shell "su www
> -l /bin/bash" returns "The account is currently not available".
> What's the recommended way to launch process under www?

machine# su -s /bin/sh www
machine$ id
uid=67(www) gid=67(www) groups=67(www)
machine$

--
May the most significant bit of your life be positive.
Re: How does bsd.upgrade work?
https://marc.info/?l=openbsd-tech=138829898720574=2 and https://marc.info/?l=openbsd-tech=139013674405106=2 might help. Den tors 21 okt. 2021 kl 14:26 skrev Raul Miller : > > A couple minutes of looking things up suggest > https://marc.info/?l=openbsd-tech=141807224826859 as a plausible > starting point for that kind of inquiry. > > Take care, > > -- > Raul > > On Thu, Oct 21, 2021 at 8:15 AM wrote: > > > > On Tue, Oct 19, 2021 at 09:32:21PM +0100, Stuart Henderson wrote: > > >> That's intentional. > > > > > >OK. Since you didn't realise this breaks sysupgrade you might also > > >not realise it weakens RNG initialisation, it is not recommended > > > > Where can I read more about this? > > > -- May the most significant bit of your life be positive.
Re: How does bsd.upgrade work?
> >For an unusual setup you may need to look into how the > >install/upgrade script works, see /usr/src/distrib/miniroot. > > /usr/src/ is empty on my machine. > http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/ helps with that, if you don't want to install sources but still need to see them. -- May the most significant bit of your life be positive.
Re: Question about cryptography software compatibility on OpenBSD
> > > 3) Providers of public digital signatures offer software (a > > > one-size-fits-all Java “blob”) that should add cryptography capabilities > > to > > > the operating system. > > > > This is important. Thank you. Let me rephrase my wild guess: > > 3.1) An OS (OpenBSD or other) may have cryptography capabilities included > in the kernel. Yes. > 3.2) An OS that doesn't have cryptography capabilities included in the > kernel may provide cryptography software, not being included in the kernel, > fit and apt for use on the specific OS. This is where you seem to be missing that LOTS AND LOTS of programs use crypto from external libraries. They call openssl, they use NSS/NSPR, programs link against gnutls, java code use java libs, go code use go crypto and so on. > 3.3) Forcing the blind use of proprietary > java-crypto-one_size_fits_all-blob is technically possible, but it is a bad > practice since: > 3.3.1) it may downgrade crypto functionality existing in an OS as described > under 3.1 and 3.2 > 3.3.2) it may compromise and expose to the attacks not only the digital > signature, but the operating system itself > 3.3.3) for a number of other reasons (updates, licensing issues, etc.) Those last subpoints work both ways. A brought-along crypto primitive can be controlled by the person installing the program in ways you can't with the OS, so it is, like so much else, a tradeoff. If you don't control the OS and what crypto primitives it has, bringing along your own might be "safer" than to trust some OS to have a stable interface forever and ever. -- May the most significant bit of your life be positive.
Re: Question about cryptography software compatibility on OpenBSD
Den fre 15 okt. 2021 kl 11:01 skrev soko.tica : > Hello list, > I have a question about cryptography software compatibility on OpenBSD. > I have a wild guess about the answer, but I need it to be more reliable. > The target audience are lawyers, since I want to launch a legal battle in Then you need lawyer-speak, not answers from technical people. Those two overlap very little. > My wild guess is as follows: > 1) OpenBSD includes cryptography capabilities/software in its kernel. yes, some. > 2) Most other operating systems had not included cryptography > capabilities/software in its kernel. Depends on when "had" is in time. Nowadays, they probably all do. > 3) Providers of public digital signatures offer software (a > one-size-fits-all Java “blob”) that should add cryptography capabilities to > the operating system. No, they don't add it to the OS, they expose crypto functionality to other programs. Big difference. I know of no OS that would reach out to java in order to get crypto inside the kernel, and if it's not in the kernel, then any other random program would not necessarily pick up that there is a bad/evil blob installed somewhere that gives you poor crypto unless it actively looks for it, so just by adding java-crypto-something in a folder it might not be used by anything else that doesn't specifically ask for exactly this. > 4) OpenBSD doesn’t allow such technically inferior software to meddle with > its superior cryptography capabilities included in kernel. Value added statement, and mostly irrelevant to court cases I guess. > 5) The proper technical solution would be that providers of public digital > signatures offer digital signatures adjusted to OpenBSD technical > solutions, including offering software not being under the minimal > cryptography standards of OpenBSD. (A side note, hash function of all > offered public digital signatures in Serbia are SHA-1.) > Am I somewhere wrong in my wild guess? Yes, you are assuming too much in the last part. 
It is not impossible for other OSes to have better, faster, more-formally-verified, more-legal-where-I-am-located crypto routines in their OSes which might be a preferred solution somewhere. While OpenBSD has the crypto it requires for its needs, those needs are not guaranteed to (always) overlap with all the other requirements that are set in different places around the world. One example could be Russian computers wanting certain algorithms like GOST in various forms, or US computers needing FIPS-140 validation even if that in certain cases lowers the overall security (hard to get fixes and patches into such a setup). -- May the most significant bit of your life be positive.
Re: Kernel dump and secure boot with KARL
Den tis 5 okt. 2021 kl 06:35 skrev Arka Sharma :
> Also suppose we have a crash and dump is generated, how does KARL impact
> gdb when the core file is opened ?

It would not affect this at all. It is exactly as hard or as easy to debug a core file from something compiled with

cc -o bsd obj1.o obj2.o obj3.o

as with something compiled with

cc -o bsd obj2.o obj3.o obj1.o

The relinking is done so that exploit code that knows how to find an address inside obj1 will not be able to jump into obj2 by taking the obj1 address and adding 83743 bytes to it and expect to land at a certain place in obj2. In the first case it would work, in the second it would not.

--
May the most significant bit of your life be positive.
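The link-order point in the message above, modelled as an added example (not code from the message or from OpenBSD's relinking tools). The object names come from the message; the sizes, symbol names, offsets and base address are constructed so that the 83743-byte distance appears in the first link order.

```python
from itertools import permutations

# Constructed objects: name -> (size in bytes, {symbol: offset inside the object}).
OBJECTS = {
    "obj1.o": (80000, {"func_a": 256}),
    "obj2.o": (40000, {"func_b": 3999}),
    "obj3.o": (25000, {"func_c": 512}),
}
BASE = 0x10000  # arbitrary load address for the model


def link(order):
    """Lay the objects out back to back in the given order; return {symbol: address}."""
    symtab, cursor = {}, BASE
    for name in order:
        size, symbols = OBJECTS[name]
        for sym, off in symbols.items():
            symtab[sym] = cursor + off
        cursor += size
    return symtab


def delta_holds(symtab, delta):
    """The assumption position-dependent code relies on: func_b == func_a + delta."""
    return symtab["func_a"] + delta == symtab["func_b"]


def orders_keeping_delta(delta):
    """Every link order in which the hard-coded distance is still valid."""
    return [o for o in permutations(OBJECTS) if delta_holds(link(o), delta)]


def resolve(symtab, address):
    """What a debugger does with the matching kernel: address -> symbol+offset."""
    below = [(addr, sym) for sym, addr in symtab.items() if addr <= address]
    if not below:
        return None
    addr, sym = max(below)
    return f"{sym}+0x{address - addr:x}"


if __name__ == "__main__":
    known = link(["obj1.o", "obj2.o", "obj3.o"])
    delta = known["func_b"] - known["func_a"]
    print("distance learned from the known build:", delta)

    relinked = link(["obj2.o", "obj3.o", "obj1.o"])
    print("distance still valid after relink:", delta_holds(relinked, delta))

    # Only orders where obj2 directly follows obj1 keep the distance; with n
    # objects in random order that is a 1-in-n chance for this single pair.
    print("orders keeping the distance:", orders_keeping_delta(delta))

    # Debugging is unaffected: the symbol table of the kernel that produced
    # the dump resolves addresses whatever the link order was.
    print(resolve(relinked, relinked["func_b"] + 0x10))
```
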
Re: amd and 2GB limit
Could be amd(8) and nfsv2 limits too.. Den lör 3 juli 2021 11:23Stuart Longland skrev: > On Sat, 3 Jul 2021 01:28:17 -0300 > Gustavo Rios wrote: > > > Is there this limit yet in amd ? > > … on AMD64? > … on RAM? > … on disk? > Maximum or minimum? > > I've got an AMD64 machine here that's got more than 2GB of both RAM and > disk… so no if there's a maximum limit, it's a lot bigger than that. > Limiting RAM or disk to 2GB in 2021 would be ludicrous, so I'm a bit > confused by your question. > > Please be less vague. > -- > Stuart Longland (aka Redhatter, VK4MSL) > > I haven't lost my mind... > ...it's backed up on a tape somewhere. > >
Re: OpenBSD 6.9 ports upgrade failures
Den ons 12 maj 2021 kl 11:29 skrev Артём Мазуров : > Hello. > I'm trying to upgrade ports after upgrading os to 6.9, but I get a lot > >|library ssl.48.2 not found > >| /usr/lib/libssl.so.48.1 (system): minor is too small > >| /usr/lib/libssl.so.49.0 (system): bad major This usually means the pkg_add URL is wrong, perhaps because you have something version-specific in PKG_PATH or /etc/installurl that points to the wrong place, compared to your OS version. -- May the most significant bit of your life be positive.
Re: Remote wipe software
Den tis 27 apr. 2021 kl 11:44 skrev Oliver Leaver-Smith : > Hello misc@ > I wonder if anyone could recommend remote wipe software for OpenBSD, should > someone want to start using it in an enterprise setting where such features > are a requirement? > Thanks in advance, Regardless of OS, the "easiest" setup is where you encrypt the drives and wipe by "forgetting" the keys. Then you can dd the disks if it makes someone else happy but having FDE and changing the key to something random that you don't store, and then doing a normal wipe in the simplest of terms would cover a lot of the practical attacks. For the ones concerned with theoretical and imaginary enemies, PXE-booting into a DBAN.iso or similar wiping solutions is probably the next step. Also OS-independent. -- May the most significant bit of your life be positive.
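A model of the "forget the keys" wipe described in the message above, as an added example that is not from the original message. The SHAKE-256 keystream stands in for a real disk cipher, and the Volume class, its key-slot layout and the passphrase are hypothetical.

```python
import hashlib
import hmac
import secrets


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(disk_key, sector_no, length):
    # Stand-in for a real disk cipher: SHAKE-256 over disk key + sector number.
    return hashlib.shake_256(disk_key + sector_no.to_bytes(8, "big")).digest(length)


class Volume:
    """Hypothetical encrypted volume: data under a random disk key,
    disk key stored only in wrapped form under a passphrase-derived key."""

    def __init__(self, passphrase):
        disk_key = secrets.token_bytes(32)
        self.salt = secrets.token_bytes(16)
        self.key_slot = _xor(disk_key, self._kek(passphrase))
        self.key_check = hmac.new(disk_key, b"key-check", "sha256").digest()
        self.sectors = {}  # sector number -> ciphertext

    def _kek(self, passphrase):
        return hashlib.pbkdf2_hmac("sha256", passphrase, self.salt, 100_000, dklen=32)

    def _disk_key(self, passphrase):
        candidate = _xor(self.key_slot, self._kek(passphrase))
        check = hmac.new(candidate, b"key-check", "sha256").digest()
        if not hmac.compare_digest(check, self.key_check):
            raise PermissionError("key slot does not unwrap to the disk key")
        return candidate

    def write(self, passphrase, sector_no, data):
        key = self._disk_key(passphrase)
        self.sectors[sector_no] = _xor(data, _keystream(key, sector_no, len(data)))

    def read(self, passphrase, sector_no):
        key = self._disk_key(passphrase)
        blob = self.sectors[sector_no]
        return _xor(blob, _keystream(key, sector_no, len(blob)))

    def export_header(self):
        return (self.salt, self.key_slot, self.key_check)

    def restore_header(self, header):
        self.salt, self.key_slot, self.key_check = header

    def crypto_erase(self):
        # Replace the wrapped key with random bytes nobody stores.
        # The ciphertext sectors are left exactly where they are.
        self.salt = secrets.token_bytes(16)
        self.key_slot = secrets.token_bytes(32)
        self.key_check = secrets.token_bytes(32)


def demo():
    pw = b"constructed passphrase"
    vol = Volume(pw)
    vol.write(pw, 0, b"customer database page")
    before = vol.read(pw, 0)
    stray_header = vol.export_header()  # e.g. a header backup kept elsewhere
    vol.crypto_erase()
    try:
        vol.read(pw, 0)
        readable_after_erase = True
    except PermissionError:
        readable_after_erase = False
    vol.restore_header(stray_header)    # a surviving key copy undoes the wipe
    return before, readable_after_erase, vol.read(pw, 0)


if __name__ == "__main__":
    print(demo())
```

The last step of `demo()` is the caveat to check for in practice: the wipe only holds if every copy of the wrapped key, backups included, is gone.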
Re: Technical Documentation - CARP
Den tis 13 apr. 2021 kl 10:29 skrev jannick Weiss : > Hello,my name is Jannick Weiss and i am currently in the process of taking > my education as a datatechnician. As part of my education i have to do a > presentation on a self-elected subject and i have chosen to talk about CARP. > > It is my understanding that it is you (OpenBSD) that have developed CARP. > I am having trouble finding information about CARP, such as the different > states the protocol goes through or how the election of the master node > works specifically. > If you can provide any documentation on CARP it would be greatly > appreciated. https://www.openbsd.org/events.html lists a few talks some 15 years ago which focused on PF and Carp, those might help. Googling "openbsd carp design" turned this PDF up, https://core.ac.uk/download/pdf/17210042.pdf from 2006 which perhaps dives a bit deeper. -- May the most significant bit of your life be positive.
Re: Default partitions allocate only 1GB to /
Den sön 28 feb. 2021 kl 14:51 skrev : > I deleted the file and `pkg_add libreoffice` worked as expected. > Post-install I still have 746MB free in /, according to `df -h`. > > This makes little sense to me. Why should deleting a 20MB file on a > filesystem with >700MB free space be sufficient for the install to go > through? Especially when the install obviously doesn't need that much > space on the filesystem in question? > > (space available in /usr/local went from 11.4G, pre-install, to 10.8G, > post-install... was `pkg_add` trying to stage files in /, even though > /tmp is a separate filesystem?) Is /var a filesystem of its own? Otherwise it could be /var/tmp or some other place under /var which is used for unpacking packages. -- May the most significant bit of your life be positive.
Re: Bootable USB stick using dd on OpenBSD
Den tis 26 jan. 2021 kl 14:11 skrev Ivan : > I wonder why I have to make of=... being equal to some partition instead of > the whole memstick? > Why does man page example tells to use of=/dev/rsd1c but not of=/dev/rsd1? > And why does it use exactly 'c' partition but not 'a', does that matter? http://www.openbsd.org/faq/faq14.html#intro -- May the most significant bit of your life be positive.
Re: www.openbsd.org unreachable for a few days
Den tis 15 dec. 2020 kl 13:00 skrev Ottavio Caruso < ottavio2006-usenet2...@yahoo.com>: > Hi, > I asked on Freenode#OpenBSD and apparently it's only me, but I haven't > been able to access www.openbsd.org for a few days. > > $ traceroute 129.128.5.194 > traceroute to 129.128.5.194 (129.128.5.194), 30 hops max, 60 byte packets > > ... > 11 40ge1-3.core1.lon2.he.net (195.66.224.21) 35.068 ms > 100ge4-1.core1.nyc4.he.net (72.52.92.166) 101.075 ms 86.105 ms I heard a similar complaint elsewhere and that was going over he.net also, whereas I could reach it in the mean time, going over shawn to ualbert.ca and onwards, so I guess he.net is presently bad at routing to the correct places. -- May the most significant bit of your life be positive.
Re: support new
Hint to Ingo, the "vpn" section. ;)

Den mån 14 dec. 2020 kl 15:15 skrev porte, su :
> 0
> C Brazil
> P Ceará
> T FORTALEZA
> Z 60410442
> O MDFSoftware
> I Oliveira Filho, D. A.
> A Av. Eduardo Girão 355
> M supo...@mdfsoftware.com.br
> U http://www.mdfsoftware.com.br/
> B +55-85-9-89739017
> X +55-85-9-96110010
> N Auditing, development, commercial support for FreeBSD and
> OpenBSD, Internet gateways, clustered firewalls, intrusion
> detection systems and VPNs.
>
>

--
May the most significant bit of your life be positive.
Re: support new
There is some, "We offer the server management service. We work on the deployment and management of servers with open source technologies such as CentOS, Debian, FreeBSD, OpenBSD and Ubuntu Server." Den ons 9 dec. 2020 kl 13:03 skrev Ingo Schwarze : > Hi, > > AMG Labs wrote on Tue, Dec 08, 2020 at 03:55:52PM -0300: > > > 0 > > C Brazil > > P RS > > T Santo Antonio da Patrulha > > Z 95500-000 > > O AMG Labs > > I Angelito Monteiro Goulart > > A Av. Cel Victor Villa Verde 126/301 > > M cont...@amglabs.net > > U https://www.amglabs.net/ > > B +55 51 92000 7613 > > X > > N We are a software development and server management company > > operating in the market since 2014. We work with the development of > > customized web systems and the deployment and management of servers > > based on open source technologies such as CentOS, Debian, FreeBSD, > > OpenBSD and Ubuntu Server. > > Unless i'm mistaken, there is no mention of OpenBSD on your website. > > The web hosting offers appear to be for Linux and Windows only, and > dedicated servers seem to be offered with Linux, Windows, and MacOS X. > > Yours, > Ingo > > -- May the most significant bit of your life be positive.
Re: PayPal pool for developer M1 Mac mini for OpenBSD port
Den tors 3 dec. 2020 kl 02:21 skrev Mihai Popescu : > I have only good wishes for the project, but I still don't get one thing: > why do some people start to behave oddly whenever Apple comes into > discussion. > It could also be that if it becomes operable, it is quite a useful machine, whereas sticking to Pine64 experiment boards and FruityPi clones does quite limit the usefulness even if they are all aarch64s. -- May the most significant bit of your life be positive.
Re: pf filtering on bridge totally blown my mind
Den fre 27 nov. 2020 kl 10:08 skrev kasak :
> My configuration requires to use a bridge:
> I have files:
>
> gater:~$ doas pfctl -sr
> block return all
> pass all flags S/SA
> block drop in on em0 all
> pass out on em0 inet from 172.16.0.0/12 to any flags S/SA nat-to
> 212.233.112.10
> pass in log on bridge0 inet proto tcp from ! 172.16.0.5 to any port =
> 123 flags S/SA rdr-to 127.0.0.1
> pass in log on bridge0 inet proto udp from ! 172.16.0.5 to any port =
> 123 rdr-to 127.0.0.1
>
> pflog doesn't log anything too
>
> Is there some secret, I've failed to find in man?
>
>

Put the "log" keyword on all pass and block rules, the missing packets will be hitting some rule, and perhaps not the one you did not expect.

--
May the most significant bit of your life be positive.
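One way to act on that advice once every rule carries "log", as an added example that is not part of the original message: tally which rule number each logged packet matched and list the rules that never matched. The rule text is taken from the quoted `pfctl -sr` output; the @N numbering, the log lines, the em1 interface and the peer addresses are constructed for the example.

```python
import re
from collections import Counter

# Rules from the quoted message, numbered in listing order (numbering assumed,
# in the style `pfctl -vvsr` uses to label rules).
RULESET = """\
@0 block return all
@1 pass all flags S/SA
@2 block drop in on em0 all
@3 pass out on em0 inet from 172.16.0.0/12 to any flags S/SA nat-to 212.233.112.10
@4 pass in log on bridge0 inet proto tcp from ! 172.16.0.5 to any port = 123 flags S/SA rdr-to 127.0.0.1
@5 pass in log on bridge0 inet proto udp from ! 172.16.0.5 to any port = 123 rdr-to 127.0.0.1
"""

# Constructed sample in the shape of `tcpdump -n -e -ttt -i pflog0` output.
PFLOG = """\
Nov 27 10:00:01.100000 rule 1/(match) pass in on em1: 172.16.0.20.40123 > 192.0.2.10.123: udp 48
Nov 27 10:00:01.100200 rule 3/(match) pass out on em0: 212.233.112.10.51000 > 192.0.2.10.123: udp 48
Nov 27 10:00:05.000000 rule 2/(match) block in on em0: 198.51.100.7.55555 > 212.233.112.10.22: S
Nov 27 10:00:06.300000 rule 1/(match) pass in on em1: 172.16.0.21.40999 > 192.0.2.10.123: udp 48
this line is not a pflog record and is skipped
"""

LOG_RE = re.compile(r"rule (\d+)/\((\S+?)\) (pass|block|match) (in|out) on (\S+):")


def parse_ruleset(text):
    """Map rule number -> rule text from '@N rule...' lines."""
    rules = {}
    for line in text.splitlines():
        m = re.match(r"@(\d+) (.+)", line.strip())
        if m:
            rules[int(m.group(1))] = m.group(2)
    return rules


def rule_hits(log_text):
    """Count packets per (rule number, action, direction, interface)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            hits[(int(m.group(1)), m.group(3), m.group(4), m.group(5))] += 1
    return hits


def report(log_text, ruleset_text):
    """Return (summary lines, rule numbers that no logged packet matched)."""
    rules = parse_ruleset(ruleset_text)
    hits = rule_hits(log_text)
    lines = [
        f"{count}x rule @{num} {action} {direction} on {iface}: {rules.get(num, '?')}"
        for (num, action, direction, iface), count in sorted(hits.items())
    ]
    never_hit = sorted(set(rules) - {key[0] for key in hits})
    return lines, never_hit


if __name__ == "__main__":
    summary, never_hit = report(PFLOG, RULESET)
    print("\n".join(summary))
    print("rules with no logged packets:", never_hit)
```
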
Re: gcc: error trying to exec 'cc1': execvp: no such file or directory
Den fre 20 nov. 2020 kl 15:09 skrev Roderick :
> > obsolete even on your 6.7 install.. i386 has been a default clang arch
> > since OpenBSD /6.2/.
>
> Clang was default, gcc may be obsolete, but /usr/bin/gcc is till now
> there, broken. In the upgrade instructions is not mentioned to delete
> it:
>

Regardless of when and how defaults changed, the OpenBSD system compiler is and was always "cc". Used to be gcc 2, then 3, then 4, then clang and no one had to change anything as long as you use cc and don't call gcc/clang directly. The system makes sure the correct stuff is called if you use cc at all times.

--
May the most significant bit of your life be positive.
Re: openssl s_client gives "called a function you should not call"
Den tors 12 nov. 2020 kl 22:15 skrev Paul de Weerd : > While trying to debug my smtpd setup, I got the error "called a > function you should not call" from openssl s_client: > > $ openssl s_client -starttls smtp -connect localhost:587 > > EHLO > > RCPT TO: > RENEGOTIATING > > Is this something openssl s_client doesn't support? I notice that > "RENEGOTIATING" only comes after sending the RCPT TO: command to the > server. Futzing around with other commands before sending RCPT TO: > didn't get to RENEGOTIATING. Am I doing something wrong? Should I be > using some other tool? > I think anything starting with capital R in that case (s_client) gets parsed as RENEGOTIATING. As for why openssl complains about it is unknown to me, but that gotcha is old at least. from 2012: https://serverfault.com/questions/336617/postfix-tls-over-smtp-rcpt-to-prompts-renegotiation-then-554-5-5-1-error-no-v -- May the most significant bit of your life be positive.