Re: An OpenBSD Consumer Gateway Launch

2021-06-14 Thread Tommy Nevtelen

On 14/06/2021 08.15, Stuart Longland wrote:

> Secondly, isn't it a bit late to tell me _now_ that your email is
> confidential _after_ I have read the body in full?  I don't know how
> people read emails in the European Union, but here in Australia, I
> start at the top and read to the bottom, not bottom to top (maybe that
> explains the business world's like for top-posting).

Maybe you were the intended recipient and he assumed you read emails
upside down. Being in Australia and all. :)

(I'm sorry about this email but I just had to :)

/T



Re: search contains unknown domain in resolv.conf

2020-10-27 Thread Tommy Nevtelen

On 27/10/2020 12.32, Andreas X wrote:

> Greetings. On OpenBSD 6.8, I have unbound enabled in my server, (server
> gets its IP via DHCP from my server provider)
> In resolv.conf I have a "search your-server.de" line and I don't know what
> hostname is that.
> My own hostname is something different.
>
> That seems the older hostname during setup (I forgot to set hostname during
> installation). I changed hostname, removed it from resolv.conf, rebooted,
> it's back again (DHCP - generated by re0 dhclient) How can I remove/change
> that line?
>
> P.S: I have unbound enabled, therefore I created dhclient.conf and added:
> supersede domain-name-servers 127.0.0.1, my.server.provider.IP;
>
> openbsdl# cat /etc/resolv.conf
> # Generated by re0 dhclient
> search your-server.de

This tells me you run on Hetzner, and their default domain name for VMs is
just that.
"search" is not your hostname; it is the search domain. This might be
something they push since you're in their environment.
But you probably need to log into the portal and change it there. Also don't
forget the PTR/Reverse DNS record. Or just configure your IP and hostname
statically.

Hope this helps.

> nameserver 127.0.0.1
> lookup file bind
>
> Thanks.


/T



Re: pf.conf parser/lint

2020-09-04 Thread Tommy Nevtelen

On 04/09/2020 18.07, Brian Brombacher wrote:

> Well, let’s say a Linter doesn’t exist and you can’t invest time to make one.
> Do you have a lower environment, mirror-exact ideally, to run tests on the
> pre-receive hook?
>
> It’s an interesting issue you’re trying to solve ;)

I didn't say I can't invest time. I just wondered if somebody else knew
of a solution before I would try to dabble with it.. I do have a lab env
where stuff could be run but it would be very inefficient.. also
OpenBSD's interface names are based on the drivers so I can't try stuff
out in virtual machines since the interface names would differ. I guess
I could do some macros for those and change them but this would be
overkill for what I want to achieve. Also I do have a lot of different
setups and setting up test machines for all of them would cost a ton of
money which is not worth it. And not what I was after.

We do have a simple script in place that checks for some keywords now,
which I would like to expand, that's all.


/T



Re: pf.conf parser/lint

2020-09-04 Thread Tommy Nevtelen

On 04/09/2020 17.40, Brian Brombacher wrote:

> On Sep 4, 2020, at 11:28 AM, Brian Brombacher wrote:
>
>> On Sep 4, 2020, at 10:51 AM, Tommy Nevtelen wrote:
>>
>>> Hi there misc!
>>>
>>> Is there an external pfctl linter? We have a bunch of pf firewalls for which we
>>> generate rules but also write some manual ones that get merged. Would be nice
>>> if we could lint the rules before committed to vcs.. (yes we test before they
>>> are applied on the machines as well but that is way too late in a sane pipeline
>>> imho)
>
> Sane pipeline... :)
>
> Developer machine: can that securely run pfctl -n?  Linter is great... but
> there’s a ton more involved.

Don't get too caught up on my wording :)

What is the ton that would be involved?

It would be to catch the most stupid typo/syntax issues, not to check if
the full config is valid on a specific machine.

My more exact use case would be a pre-receive hook or a check before
merging to the production branch.



/T




Re: pf.conf parser/lint

2020-09-04 Thread Tommy Nevtelen

On 04/09/2020 17.24, Brian Brombacher wrote:

> On Sep 4, 2020, at 10:51 AM, Tommy Nevtelen wrote:
>
>> Hi there misc!
>>
>> Is there an external pfctl linter? We have a bunch of pf firewalls for which we
>> generate rules but also write some manual ones that get merged. Would be nice
>> if we could lint the rules before committed to vcs.. (yes we test before they
>> are applied on the machines as well but that is way too late in a sane pipeline
>> imho)
>>
>> Problem is that pfctl expects that all interfaces and everything is correct
>> (which makes sense for pfctl before loading). BUT it is hard to run on a build
>> machine or my laptop to get a general idea on where I'm at (unless I'm missing
>> some tricks somewhere)
>
> Can the build machine securely request each server run pfctl -n -f temp_config ?
>
> That would verify it’ll load for sure on said server.

This would not be practical for many reasons and is exactly what I want
to avoid doing, hence the original question.


/T



pf.conf parser/lint

2020-09-04 Thread Tommy Nevtelen

Hi there misc!

Is there an external pfctl linter? We have a bunch of pf firewalls for which 
we generate rules but also write some manual ones that get merged. Would 
be nice if we could lint the rules before committed to vcs.. (yes we 
test before they are applied on the machines as well but that is way too 
late in a sane pipeline imho)


Problem is that pfctl expects that all interfaces and everything is 
correct (which makes sense for pfctl before loading). BUT it is hard to 
run on a build machine or my laptop to get a general idea on where I'm 
at (unless I'm missing some tricks somewhere)


So I've been looking into parse.y in pfctl. It's been a long time since 
I've messed around with very simple yacc stuff so kind of lost.


Has anyone done anything like this? Would be good to know before I sink 
more time into this (and probably fail) :)


/T
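An added example for this post, the "script that checks for some keywords" and the pre-receive hook mentioned in the replies above; it is not code from the thread or from OpenBSD's pfctl. It catches the typo class of mistakes (unknown leading keyword, macro or table used before it is defined, unbalanced braces) without knowing any interface names, so it can run on a build machine or laptop. The keyword set is an assumed subset of pf.conf(5) and the sample ruleset is constructed.

```python
import re

# Keywords that may start a pf.conf(5) statement; assumed subset, extend as needed.
LEAD_KEYWORDS = {"pass", "block", "match", "set", "table", "queue",
                 "anchor", "include", "load", "antispoof"}
MACRO_DEF = re.compile(r"^([A-Za-z_]\w*)\s*=\s*\S")   # name = value
MACRO_REF = re.compile(r"\$\{?([A-Za-z_]\w*)\}?")     # $name or ${name}
TABLE_DEF = re.compile(r"^table\s+<([\w.-]+)>")
TABLE_REF = re.compile(r"<([\w.-]+)>")


def strip_comment(line):
    """Drop '# ...' unless the '#' sits inside double quotes."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == "#" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def logical_lines(text):
    """Yield (first_line_no, statement), joining backslash continuations."""
    buf, start = [], 0
    for num, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw).rstrip()
        start = start if buf else num
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        stmt, buf = " ".join(buf + [line]).strip(), []
        if stmt:
            yield start, stmt


def lint_pf(text):
    """Return [(line, message), ...]; an empty list means the file passed."""
    problems, macros, tables, depth = [], set(), set(), 0
    for num, stmt in logical_lines(text):
        for name in MACRO_REF.findall(stmt):   # pf.conf(5): define before use
            if name not in macros:
                problems.append((num, f"macro ${name} used before definition"))
        if TABLE_DEF.match(stmt):
            tables.add(TABLE_DEF.match(stmt).group(1))
        for name in TABLE_REF.findall(stmt):   # drop if tables come from pfctl -t
            if name not in tables:
                problems.append((num, f"table <{name}> is not defined"))
        if MACRO_DEF.match(stmt):
            macros.add(MACRO_DEF.match(stmt).group(1))
        elif stmt != "}" and stmt.split()[0] not in LEAD_KEYWORDS:
            problems.append((num, f"unknown keyword {stmt.split()[0]!r}"))
        depth += stmt.count("{") - stmt.count("}")
    if depth:
        problems.append((0, "unbalanced braces"))
    return problems


# Constructed sample ruleset with two deliberate mistakes (undefined table, typo).
SAMPLE = """\
ext_if = "em0"
table <bogons> persist file "/etc/bogons"
pass in on $ext_if proto tcp to port { 22 80 } \\
    from <trusted>
pss in on $ext_if proto udp to port 53
"""
```

A pre-receive hook can run lint_pf() over each changed pf.conf and reject the push when the list is non-empty; the real load check with pfctl -n on the target machine still happens later in the pipeline.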



Re: Setting permanent neighbor entry

2020-05-26 Thread Tommy Nevtelen

On 26/05/2020 15.34, Kanto Andria wrote:

> Hello,
> man ndp is probably another solution

This is the correct way since it is v6 :)

/T



Re: Setting permanent neighbor entry

2020-05-26 Thread Tommy Nevtelen

On 26/05/2020 11.38, Demi M. Obenour wrote:

> What is the OpenBSD equivalent to this Linux command?
>
> ip neighbor add 2001:db8::1 dev xnf0 lladdr fe:ff:ff:ff:ff:ff router nud
> permanent
>
> It doesn’t need to be a single command.  If the existing userspace
> tooling does not support this, is it possible to do it via the
> kernel APIs?

man arp



Re: @OpenBSD_src Twitter 140char limit?

2020-05-11 Thread Tommy Nevtelen

On 11/05/2020 21.23, Stuart Henderson wrote:

> On 2020-05-11, Tommy Nevtelen wrote:
>
>> On 10/05/2020 23.30, Isak Holmström wrote:
>>
>>> I do believe it's using the "new" limit introduced 2017 :)
>>>
>>> my $default_maxlen = 280;
>>>
>>> I found this on GitHub. Though there's a reference in the code to 140.
>>
>> Yes.. I might not have counted the characters actually used and assumed
>> it was 140 since it says:
>
> It definitely uses 280, check the tweets.

Yes yes, that was what I meant. I did count them before I sent the last
mail, but not the first one :)
So only an update to the description would be needed, just to make it
correct.

--
TN




Re: @OpenBSD_src Twitter 140char limit?

2020-05-11 Thread Tommy Nevtelen

On 10/05/2020 23.30, Isak Holmström wrote:
> I do believe it's using the "new" limit introduced 2017 :)
>
> my $default_maxlen = 280;
>
> I found this on GitHub. Though there's a reference in the code to 140.

Yes.. I might not have counted the characters actually used and assumed 
it was 140 since it says:


    "OpenBSD Commit messages in 140 characters or less. Just commits to 
the src module.

    For more see @OpenBSD_src"

--
TN




@OpenBSD_CVS Twitter 140char limit?

2020-05-09 Thread Tommy Nevtelen
Hi there!

Does anybody on this list manage @OpenBSD_CVS? Would be nice to lift the 
message truncation from the old 140char limit to the new 280char limit. Super 
annoying when I can't read an interesting commit message that is just a little 
longer :)
-- 
TN


Re: What's up with bluhms perf tests?

2019-12-10 Thread Tommy Nevtelen

On 10/12/2019 01.12, Todd C. Miller wrote:

> That was probably the following commit:
> https://www.mail-archive.com/source-changes@openbsd.org/msg111985.html
>
> which has since been reverted:
> https://www.mail-archive.com/source-changes@openbsd.org/msg112279.html

Great! Thanks for the info, hope it shows up in the next run.

I'm following it for eventual performance increases for router usage.

Kind of hoping for some soon, otherwise OpenBSD might have to go in our 
networks );


/T



What's up with bluhms perf tests?

2019-12-09 Thread Tommy Nevtelen

Hi there misc

I can see that there is a big drop in the throughput graphs, is 
something wrong with the data or was there a change that set performance 
= false?


http://bluhm.genua.de/perform/results/perform.html

--
Tommy



Re: fw_update long timeout, how to specify mirror

2019-10-23 Thread Tommy Nevtelen

On 22/10/2019 18.01, Theo de Raadt wrote:

> The firmwares are intentionally kept out of the standard download zone.
>
> I'll talk to some people and see if there is a way we can shift things
> around, to make slight improvements.
>
> However, I don't see how anything we do would fix your problem.  Whatever
> new other storage location we select, it won't contain the files you need,
> because you would not have copied the entire pile of firmwares to that place.

I do have a mirror of firmware.openbsd.org and it works if I specify the 
location with fw_update -p http://mymirror.lol/openbsd/firmware/6.6/

This leads me to believe that if there was a question about the firmware mirror 
in the installer and an "/etc/firmwareurl" or some such, it would solve the 
problem with the sysupgrade as well.

Until then the DNS hack would be the ugly workaround, as Claus suggested.

/T



fw_update long timeout, how to specify mirror

2019-10-22 Thread Tommy Nevtelen

Hi!

I have some systems without access to the Internets and with internal 
mirrors for packages and fw_update packages. But when openbsd does a 
sysupgrade or a new install it runs fw_update against 
firmware.openbsd.org. The problem here is that it will hang until the 
timeout is reached.



# time fw_update
http://firmware.openbsd.org/firmware/6.6/: ftp: connect: No route to host
http://firmware.openbsd.org/firmware/6.6/: empty
Couldn't find updates for intel-firmware-20190514p0v0 vmm-firmware-1.11.0p1
    5m04.55s real 0m00.36s user 0m02.30s system

We are able to do "fw_update -p" but is there a way to change it in 
sysupgrade or at new installs (we do use siteXX.tgz). It's not using 
/etc/installurl :(


/T



Re: bgpd acting up, dropping connected/static network statements

2019-05-31 Thread Tommy Nevtelen

On 24/05/2019 12.25, open...@kene.nu wrote:

> Hello,
>
> I finally got to testing this and the bug seems to be fixed. What is
> the recommended way of implementing this fix into a critical
> production environment?
>
> Should we wait for a syspatch (will one be made available for this bug)?


It is possible to deploy it via hacks in automation tools but it would 
be nice to know if there was an "official" way of doing it or plans for one.


On Linux distros you can have additional repos that override the 
official packages if the ones in there are newer and trusted.


Is it possible to have multiple repos like that? Also not sure how it 
would work to update base since packages in there are not really 
distributed via the normal repo. Since everything is signed I don't see 
how we could do it in a nice way. Unless there is support to add 
additional trusted keys.


/T



Re: 40G ixl nics

2019-02-04 Thread Tommy Nevtelen

On 03/02/2019 19.09, Tony Sarendal wrote:

> Good evening,
>
> We inserted a 2x40G NIC into one of our old franken-pc's, and got this:
>
> ixl0 at pci2 dev 0 function 0 "Intel XL710 QSFP+" rev 0x02: port 0, FW
> 5.0.40043 API 1.5, msi, address 0c:c4:7a:5e:f9:c8
> ixl0: unable to query phy types
> ixl1 at pci2 dev 0 function 1 "Intel XL710 QSFP+" rev 0x02: port 1, FW
> 5.0.40043 API 1.5, msi, address 0c:c4:7a:5e:f9:c9
> ixl1: unable to query phy types
>
> NIC:
> https://www.supermicro.com/manuals/other/datasheet-AOC-S40G-i1Q_i2Q.pdf
>
> Any ideas ?


Sorry, nope.

But I don't think that there is support for any Intel NICs above 10G.

I would like to have some 25/40/50G action going too.

/T



Re: Redistributing between bgpd and ospfd

2018-10-16 Thread Tommy Nevtelen
On Tue, Oct 16, 2018 at 10:21:37AM +0200, Claudio Jeker wrote:
> On Tue, Oct 16, 2018 at 09:13:20AM +0200, open...@kene.nu wrote:
> > Hello,
> > 
> > Only relying on OSPF hellos effectively makes it mimic BGP with its
> > keepalives. I will ponder the value of transporting the underlay in
> > OSPF, effectively transporting loopback peering addresses for BGP in
> > OSPF. I am not sure that it will make my life easier but will consider
> > it.
> 
> OSPF is generally faster at converging after reroute and it is possible to
> set the router-dead-time to minimal which will give you a 1 second
> timeout. Also the default of 40sec is lower than the 90sec of BGP.
> Additionally OSPF may give you multipath routes so the failover for BGP
> may be not noticeable. Also GRE has a way to emulate link state but to be
> honest if I use OSPF on a GRE link I will not turn it on (unless
> requested).

I guess the brewing BFD support would speed this up for BGP when it arrives 
and make OSPF less useful if speed is the thing that needs to be solved.

Also I've been thinking about the following config in ospfd

rtlabel label external-tag number
 Map route labels to external route tags and vice versa.  The
 external route tag is a non-negative 32-bit number
 attached to AS-external OSPF LSAs.

What exactly does this mean? As I understand it is to map rtlabels to LSA
Type 5 tags. But what do you do with it then? Could this be used for what
this thread is talking about or is it totally off?

-- 
Tommy Nevtelen  



Re: Selling things through the mailing list allowed? I have compatible THIN CLIENTS for Firewall / Router appliance use Available

2018-09-01 Thread Tommy Nevtelen
On 2018-08-30 22:11, Jon Tabor wrote:

> 
>
> Yep, right there with ya.  So, ah...what's everyone using for mail
> filtering these days?  Spamassassin? ClamAV?  Something else entirely?
>

I tag my mail as spam with rspamd and then filter it with sieve in dovecot.

Additionally I use a sieve script which sorts mailing lists into their
own folders automagically based on different headers.
Could share it if there is any interest.

-- 
T



Re: isakmpd and iked on the same box

2018-08-31 Thread Tommy Nevtelen

On 2018-08-31 10:44, Daniel Polak wrote:

> Tommy Nevtelen wrote on 30-8-2018 23:13:
>
>> We use isakmpd to interconnect 30ish routers and I would like to switch
>> to iked, but since there is no support to run both at the same time it
>> makes it quite hard to migrate slowly. Will basically need to do it all
>> at the same time and that is not very good for SLAs which complicates
>> things. Or am I missing something?
>
> Would it work for you to add a separate VPN gateway with iked next to
> the VPN gateway running isakmpd?
> If you do that you can then set routes to direct traffic for networks
> that have migrated to ikev2 to the iked gateway.

Sure, there are many solutions.
But that is kind of a lot of work and investment in hardware compared to 
just running both at the same time, right?


--
Tommy



Re: isakmpd and iked on the same box

2018-08-30 Thread Tommy Nevtelen
On 2018-08-30 22:06, Daniel Polak wrote:
> On 30/08/2018 17:39, Philipp Buehler wrote:
>> I was not following development too closely, but I think that on the
>> kernel side
>> things have not changed. Which means iked and isakmpd will happily
>> "toe tap"
>> on each others SADB in the kernel (even if there is *some* PID
>> handling).
>>
>> Would like to hear if kernel side has "improved" lately, but the
>> overall standpoint
>> looks like: IKEv1 is dead (e.g. see the removal of IKEv1 stubs in
>> iked some "months ago").
> Why would IKEv1 be dead if the stubs were removed from iked? There is
> still isakmpd and that works pretty well.
>
> Also I see many companies that still use IKEv1 and it would be
> unpleasant if there was no way to connect to them with OpenBSD.

We use isakmpd to interconnect 30ish routers and I would like to switch
to iked, but since there is no support to run both at the same time it
makes it quite hard to migrate slowly. Will basically need to do it all
at the same time and that is not very good for SLAs which complicates
things. Or am I missing something?

-- 
Tommy



Re: Flow Tools

2018-03-14 Thread Tommy Nevtelen
On 03/14/2018 10:06 AM, Gregory Edigarov wrote:
> Sorry, if I hijack the thread, but what do you guys use for netflow
> analysis?

This looks quite interesting https://github.com/robcowart/elastiflow
I have not tried it but would like to when time allows.

-- 
Tommy Nevtelen



Re: Forum software

2017-10-24 Thread Tommy Nevtelen
On 2017-10-24 20:47, Jay Williams wrote:
> Discourse is a popular option used by a number of open source projects.
>
> https://www.discourse.org

That is probably a good choice but here is a list of different
alternatives that might be worth to look at:
https://github.com/Kickball/awesome-selfhosted/blob/master/README.md#social-networks-and-forums

It's a pretty nice repo with cool projects other than forums as well.

-- 
Tommy Nevtelen



Re: Any update on the current status of BFD?

2017-08-24 Thread Tommy Nevtelen
On 2017-08-24 10:44, Peter Hessler wrote:
> The update is that it was blocking efforts to unlock the network stack.
> We decided to disable BFD so everyone could benefit from the performance
> boosts.
>
> It looks like the blocking parts have been addressed and fixed.  I still
> need to fix a few bugs before we can consider enabling it.
>

Good to know. Thanks for the quick update Peter :)

-- 
Tommy Nevtelen



Any update on the current status of BFD?

2017-08-24 Thread Tommy Nevtelen
Hi!

Last year on EuroBSDcon I got my hopes up for BFD but unfortunately it
looks like some issues popped up.
Is there a lot of work left or does it just need more testing? Maybe
phessler@ just can't find the time to work on it?

Does anyone know the current status of it? Would be nice to get a small
update :)

-- 
Tommy Nevtelen



Re: Issue with pxebooting on HP DL360 G7

2017-06-14 Thread Tommy Nevtelen
On 2017-06-10 05:25, Edgar Pettijohn wrote:
>
>
> On 06/09/17 11:18, Tommy Nevtelen wrote:
>> On 2017-06-09 17:46, Tommy Nevtelen wrote:
>>
>>> Hello misc!
>>>
>>> I'm chain-loading pxeboot symlinked to auto_install from ipxe.
>> So I tried to remove ipxe and specify pxeboot directly in the dhcp
>> filename, that worked.
>> But with that said I still don't understand why it works on a VM but not
>> on my hardware.
>>
>> Could somebody clarify what that error means?
>>
> It is an issue with the reply packet from the DHCP server. It delves
> into assembly from there and I'd rather not purposefully give myself a
> headache, so thats the best I can do for you.
>
Thanks for looking!
It helped a little when I read the second forum post here
http://forum.ipxe.org/showthread.php?tid=6989

Quoting Sedorox for completeness:
- .pxe is an image designed to be chain loaded, unloading both the
underlying PXE and UNDI code sections
- .kpxe is a PXE image that keeps UNDI loaded and unloads PXE
- .kkpxe is a PXE image that keeps PXE+UNDI loaded and return to PXE
(instead of int 18h)

Most often, you will want either .pxe, .kkpxe (for when you are
using cached credentials, iirc), and .kkkpxe (usually the last two are
in combination with pxelinux).

I managed to make the error go away by using the undionly.kpxe.
But pxeboot still stops, just before it's supposed to get the
network up, at:

disk: fd0 fd1 hd0+

I will try undionly.kkpxe and that might help since it's used for
pxelinux there might be some similarities.

-- 
Tommy Nevtelen



Re: Issue with pxebooting on HP DL360 G7

2017-06-09 Thread Tommy Nevtelen
On 2017-06-09 17:46, Tommy Nevtelen wrote:

> Hello misc!
>
> I'm chain-loading pxeboot symlinked to auto_install from ipxe.

So I tried to remove ipxe and specify pxeboot directly in the dhcp
filename, that worked.
But with that said I still don't understand why it works on a VM but not
on my hardware.

Could somebody clarify what that error means?

-- 
Tommy Nevtelen



Issue with pxebooting on HP DL360 G7

2017-06-09 Thread Tommy Nevtelen
Hello misc!

I'm chain-loading pxeboot symlinked to auto_install from ipxe.
This works all fine and dandy in a kvm virtual machine.

But when I run a HP DL360 G7 against the same dhcp/tftp-server I get the
following:

Starting OpenBSD 6.1
tftp://boot1.example.com/openbsd/auto_install... ok
probing: px0 com0 pxe![2.1]
pxeinfo: PXENV_GET_CACHED_INFO failed: 0x60
 mem[578K 3444M 639M a20=on]
disk: fd0 fd1 hd0+

Then it hangs there until I reboot the machine.

HALP! );

-- 
Tommy Nevtelen