relayd DSR carp failover

2017-05-25 Thread Kapetanakis Giannis
Hi, I'm evaluating DSR with route to redirection on relayd on two carped boxes (kvm VMs) with current. Don't jump on me... The project is for a high volume download (http/ftp/rsync) server (mostly mirror/isos, including OpenBSD) and it would be nice if the streams are not get passed back throu

2017/06/29 - vlan(4)/svlan(4) ifconfig(8) changes

2017-06-30 Thread Kapetanakis Giannis
Following current on vlan change from vlan to vnetid, this is in quite some time now right? I see this https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_vlan.c?rev=1.161&content-type=text/x-cvsweb-markup which is Fri Apr 15 04:29:59 2016 Apparently the old configuration vlan N vlandev s

Kernel relink failed

2017-07-03 Thread Kapetanakis Giannis
Hi, I've got this today after applying Jul 2 snapshot sha256: cannot open /var/db/kernel.SHA256: No such file or directory sha256: /bsd does not exist in /var/db/kernel.SHA256 upgrade was "without the install kernel" https://www.openbsd.org/faq/upgrade61.html#NoInstKern G

Re: Kernel relink failed

2017-07-03 Thread Kapetanakis Giannis
On 03/07/17 12:45, Paul de Weerd wrote: > On Mon, Jul 03, 2017 at 11:52:09AM +0300, Kapetanakis Giannis wrote: > | Hi, > | > | I've got this today after applying Jul 2 snapshot > | > | sha256: cannot open /var/db/kernel.SHA256: No such file or directory > | sha256: /bsd

dhcrelay broken after Apr 5

2017-07-04 Thread Kapetanakis Giannis
Hi, Just upgraded a set of my firewalls that also do dhcrelay to -current. The program stopped working ok. Some dhcp requests were being forwarded some not. tcpdump was showing the request on internal interface but I couldn't see the request being forwarded on the external interface. For some

Re: dhcrelay broken after Apr 5

2017-07-05 Thread Kapetanakis Giannis
On 04/07/17 19:09, Reyk Floeter wrote: > First of all, please send a proper bug reports to bugs@, not misc. > "It used to work but now it doesn't" is not very helpful. > > Could you share your actual configuration or, even better, provide a > simplified way to reproduce your problem? rzalamena, m

Re: dhcrelay broken after Apr 5

2017-07-05 Thread Kapetanakis Giannis
On 04/07/17 19:09, Reyk Floeter wrote: > Could you try again with the attached diff? It doesn't change > behavior but it adds some chatty logging when a packet is rejected. > Maybe it helps to find the issue. > > Reyk I've sent the bug report as detailed as I could. In a few words, applying you

Re: dhcrelay broken after Apr 5

2017-07-05 Thread Kapetanakis Giannis
On 05/07/17 12:45, Reyk Floeter wrote: > >> On 05.07.2017, at 11:41, Kapetanakis Giannis >> wrote: >> >> On 04/07/17 19:09, Reyk Floeter wrote: >>> Could you try again with the attached diff? It doesn't change >>> behavior but it adds some chat

Re: Separate VLAN from untagged traffic.

2017-07-07 Thread Kapetanakis Giannis
On 07/07/17 15:35, Per-Olov Sjöholm wrote: > Hi > > I have config like this on an internal interface since 5 year back in time > that together with my VLAN enabled Cisco and Zyxel switches route traffic > around in my network. I run OpenBSD 6.0 AMD64 at the moment. > > cat /etc/hostname.em0 >

Re: WireGuard will make OpenIKED obsolete?

2017-07-14 Thread Kapetanakis Giannis
On 14/07/17 02:50, if...@airmail.cc wrote: > Hi, > I have recently read about WireGuard Protocol and it seems really > interesting. Here's a description (from wireguard.io): It's interesting indeed. In advance in their roadmap they say: "Eventually we'll work with OpenBSD to produce a component f

Re: Read sysctl from file

2017-07-20 Thread Kapetanakis Giannis
On 20/07/17 18:48, Consus wrote: On 07:08 Thu 20 Jul, Kai Wetlesen wrote: Because it's a nice way to apply configuration changes made to /etc/sysctl.conf without restarting the whole server? Systemctl doesn't offer hot reload unless the controlled daemon offers the capability in the first place

Re: Open /dev/mem file failed when running as a root priviledge

2017-09-12 Thread Kapetanakis Giannis
On 12/09/17 03:58, Nan Xiao wrote: > Hi all, > > Greetings from me! > > I want to run dmidecode (https://github.com/mirror/dmidecode) on OpenBSD > 6.1, but executing it will report following errors: I also need the output of dmidecode and I do the following in my boxes: /etc/rc.securelevel: if

ping -R causes panic

2017-09-20 Thread Kapetanakis Giannis
I got this panic today after ping -R I don't run pfsync # ping -R www.google.com panic: kernel diagnostic assertion "m0->m_flags & M_PKTHDR" failed: file "/usr/src/sys/kern/uipc_mbuf.c", line 1344splassert: pfsync_update_state: want 1 have 256 pStopped at db_enter+0x5: popq%rbp T

Re: ping -R causes panic

2017-09-20 Thread Kapetanakis Giannis
On 20/09/17 19:25, Visa Hankala wrote: On Wed, Sep 20, 2017 at 02:26:56PM +0300, Kapetanakis Giannis wrote: I got this panic today after ping -R I don't run pfsync # ping -R www.google.com panic: kernel diagnostic assertion "m0->m_flags & M_PKTHDR" failed: file "/u

WPA2 and KRACK

2017-10-17 Thread Kapetanakis Giannis
As it seems, WPA2 should be considered broken [1] https://www.krackattacks.com/ [2] https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt according to [1] OpenBSD has silently released a patch G

Re: WPA2 and KRACK

2017-10-17 Thread Kapetanakis Giannis
On 17/10/17 13:27, Christoph R. Murauer wrote: > See https://marc.info/?l=openbsd-misc&m=150814941311682&w=2 > > Use the search box for the mailing list - saves you time. thanks, didn't follow that. G

Re: Dell PowerEdge R430/R440 support

2018-04-25 Thread Kapetanakis Giannis
On 25/04/18 13:22, Jan Vlach wrote: > Hello misc, > > has anybody Dell PowerEdge R430 or E440 running with OpenBSD? Is the > hardware supported? > > I can't really get the exact chipsets from vendor to cross check with > drivers in OpenBSD and I can't find dmesg or mention anywhere. (Checked > d

Re: Syspatches 006 and 007 missing on ftp2.eu.openbsd.org

2018-05-09 Thread Kapetanakis Giannis
On 09/05/18 13:36, Stuart Henderson wrote: > On 2018/05/09 12:06, Jan Vlach wrote: >> Hello Mirrors discuss list, >> >> it seems that ftp2.eu.openbsd.org is missing syspatches 6 and 7 in >> https://ftp2.eu.openbsd.org/pub/OpenBSD/syspatch/6.3/amd64 >> >> Latest snapshot in /pub/OpenBSD/snapshots/a

Re: OpenBSD logo on my private hompage. It is allowed?

2018-06-08 Thread Kapetanakis Giannis
On 08/06/18 02:51, justina colmena wrote: > On June 7, 2018 3:27:30 PM AKDT, Johannes Krottmayer wrote: > " ... it is our intent that anyone be able to use these images to represent > OpenBSD in a positive light -- but do not make profit from them " > > The no-profit clause is new. Sounds l

Re: "Halted" firewall - is it a good idea as feature? or just a fun story

2018-06-08 Thread Kapetanakis Giannis
On 07/06/18 20:04, Kollar Arpad wrote: > Hello, > > http://www.drdobbs.com/halted-firewalls/199101324 > > What do you think of it? :) any similar feature in OpenBSD? :D you might be interested in securelevel(7) G

ospfd network look

2018-06-12 Thread Kapetanakis Giannis
Hi, I'm trying to evaluate a new setup with 4 routers. This test setup is on VMs with Jun/7 snapshot. |--- R2 --- R1 |--- R4 |--- R3 --- See here for better view: https://imgur.com/a/ddyEQPb R2, R3, R4 are on a shared network and do ospf R2, R3 have a static default route to R1 (-p

Re: OpenBSD in qemu freezes randomly

2018-06-19 Thread Kapetanakis Giannis
On 19/06/18 19:47, Stuart Henderson wrote: On 2018-06-19, Leo Unglaub wrote: i have searched the list archive and found some similar reports but none of them found a solution for the problem. (at least not the threads i have found) I run some OpenBSD 6.3 instances in a virtual environment. The

Re: OpenBSD in qemu freezes randomly

2018-06-20 Thread Kapetanakis Giannis
On 20/06/18 17:03, Leo Unglaub wrote: Hey, thank you very much for the link. I have forwarded it to the support staff at the datacenter. I hope they apply it very quickly. I let you know if this fixes the problem. Thanks and greetings Leo On 06/19/18 21:21, Kapetanakis Giannis wrote: They

ospfd feature request

2018-07-13 Thread Kapetanakis Giannis
Thanks for the latest changes on ospfd/ospf6d especially for 'depend on' for v6 While you're there can you please also see if you can add the following change. I've tried to make a diff but failed. bgpd provides fib-priority to set the routing priority which is useful. Would you please add it als

Re: DHCP on several VLANs

2018-09-13 Thread Kapetanakis Giannis
On 13/09/18 16:25, Allan Streib wrote: > I need to set up DHCP for several VLANs. The server has 1 physical > interface (bnx1) available for this. > > My naive thought is I create the vlans with bnx1 as the "parent", e.g. > > /etc/hostname.vlan101: > inet 172.16.101.253 255.255.255.0 NONE parent

Re: relayd and radius

2018-10-22 Thread Kapetanakis Giannis
On 19/10/18 21:01, Shawn Southern wrote: > So apparently this works... I was expecting relayd to listen on those ports, > but I'm guessing that since it hooks through pf, that's not necessary. > > -Original Message- > From: owner-m...@openbsd.org On Behalf Of Shawn > Southern > Sent: Oc

bind and error sending response: would block

2018-11-16 Thread Kapetanakis Giannis
Hi, after upgrading one of my bind (cache resolver) machines to 6.4 (release) I'm getting these errors quite often: Nov 16 15:55:14 server named[30616]: client: warning: client @0x6591da02440 xxx.xxx.xxx.xxx#39702 (a1928.d.akamai.net): error sending response: would block https://kb.isc.org/doc

Re: bind and error sending response: would block

2018-11-19 Thread Kapetanakis Giannis
On 19/11/2018 12:30, Stuart Henderson wrote: > On 2018-11-16, Kapetanakis Giannis wrote: >> Hi, >> >> after upgrading one of my bind (cache resolver) machines to 6.4 (release) >> I'm getting these errors quite often: >> >> Nov 16 15:55:14

Re: upgrade 6.6 -> 6.7

2020-05-20 Thread Kapetanakis Giannis
On 20/05/2020 11:23, Henrik Krysteli Semark wrote: > Did the same on my edge firewalls two days ago, with sysupgrade. > > It just works flawlessly! > +1 G

Re: Article OpenBSD: Not Free Not Fuctional and Definetly Not Secure and BSD, the truth blog

2020-05-29 Thread Kapetanakis Giannis
On 28/05/2020 07:16, Quantum Robin wrote: Hi, While surfing on the Google to learn more about OpenBSD, I encountered this one: "OpenBSD: Not Free Not Fuctional and Definetly Not Secure ( https://aboutthebsds.wordpress.com/2013/01/25/20/) Is the author telling the truth? Or just yet another anti

6.7 upgrade problem

2020-06-09 Thread Kapetanakis Giannis
Hi, I'm trying to update a Fujitsu RX200 S6 server from  6.6->6.7 and I'm having problems. via sysupgrade boot of upgrade kernel stops (no hung, no ddb) at com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo com0: console pckbc0 at isa0 port 0x60/5 irq 1 irq 12 pcppi0 at isa0 port 0x61 Wit

Re: 6.7 upgrade problem

2020-06-09 Thread Kapetanakis Giannis
iide1: using apic 0 int 17 for native-PCI interrupt atapiscsi0 at pciide1 channel 1 drive 0 scsibus3 at atapiscsi0: 2 targets cd0 at scsibus3 targ 0 lun 0: removable cd0(pciide1:1:0): using PIO mode 4, Ultra-DMA mode 5 usb2 at uhci0: USB revision 1.0 uhub2 at usb2 configuration 1 interface 0 "Int

Re: Disabling OpenBSD Login Prompt

2020-06-10 Thread Kapetanakis Giannis
On 10/06/2020 12:03, Valdrin MUJA wrote: > Hi Misc, > > I want to disable OpenBSD Login prompt at startup -and also after logging > out-. Because I want to run my external program instead of ksh. There is an > login prompt also in my program and I want to use it. > > I updated the /etc/ttys ; > >

Re: Ynt: Disabling OpenBSD Login Prompt

2020-06-10 Thread Kapetanakis Giannis
On 10/06/2020 12:52, Valdrin MUJA wrote: > Sorry for lack of information, > > Firstly, my program is a kind of interactive shell which has own login > prompt. What I want to do is run my program on startup and do not use OpenBSD > login prompt.  > > When I use "chsh", firstly OpenBSD Login Prompt

relayd multiple listen on same redirect

2020-07-03 Thread Kapetanakis Giannis
Hi, My setup in relayd is like this: redirect radius { listen on $radius_addr udp port radius interface $ext_if pftag RELAYD_radius sticky-address forward to mode least-states check icmp demote carp } redirect radacct { listen on $radius_addr udp port radacct interface $ext_if

Re: relayd multiple listen on same redirect

2020-07-04 Thread Kapetanakis Giannis
On 04/07/2020 14:59, Brian Brombacher wrote: On Jul 3, 2020, at 3:34 AM, Kapetanakis Giannis wrote: Hi, My setup in relayd is like this: redirect radius { listen on $radius_addr udp port radius interface $ext_if pftag RELAYD_radius sticky-address forward to mode least-states check

Re: Fixed IP address for vmd dedicated VMs from dhcpd every boot/reboot

2020-07-25 Thread Kapetanakis Giannis
On 25/07/2020 11:28, Martin wrote: Hi, Sometimes dedicated VMs need fixed (the same) IP address assigned by dhcpd every run. I don't know how to achieve this by dhcpd configured. Every VM reboot it gets different IP. OpenBSD guests changes their IPs even without reboot, right in runtime. For

Re: 6.7 upgrade problem

2020-07-30 Thread Kapetanakis Giannis
I've managed to track this a little bit further. Boot stop and waits until I connect to the server's java console on the iRMC. Upon connect, even with wrong username/password virtual keyboard is attached and boot continues. There seems to be some kind of infinite loop... I've checked various op

relayd feature request

2019-08-01 Thread Kapetanakis Giannis
Hi, Today I found out that I was able to disable/enable hosts by name instead of id :) It would be nice if it worked when a host is mentioned in multiple redirects/tables (ie different ports): Id  Type    Name    Avlblty Status 3   redirect    mx-smt

Re: LDAP tls: handshake failure

2019-10-23 Thread Kapetanakis Giannis
On 23/10/2019 19:14, Predrag Punosevac wrote: > Hi Misc, > > I just upgraded a LDAP server from 6.5 to 6.6 running authorization and > authentication services for a 100 some member university research group. > It appears TLS handshake is broken. This worked perfectly on 6.5 and > earlier. > > titan

Re: route an IPv4 /32 to a different interface

2019-12-15 Thread Kapetanakis Giannis
On 15/12/2019 21:57, Denis Fondras wrote: Hi, I have this setup : em3: flags=8843 mtu 1500 lladdr index 4 priority 0 llprio 3 media: Ethernet autoselect (1000baseSX full-duplex) status: active inet6 fe80::aa9:b803:8a7a:ca72%em3 prefixlen 64 scopeid 0

6.6 pflow IPFIX removed?

2020-03-04 Thread Kapetanakis Giannis
Hi, Is IPFIX removed  from pflow in 6.6? # ifconfig pflow0 pflowproto 10 ifconfig: SIOCSETPFLOW: Can't assign requested address pflow(4) still mentions it. regards, Giannis

Re: 6.6 pflow IPFIX removed?

2020-03-05 Thread Kapetanakis Giannis
On 04/03/2020 18:35, Florian Obser wrote: > The ifconfig option parser is... special. > You must set flowdst as well as pflowproto. my bad. the problem was the src IP which was changed and the change wasn't reflected in the hostname.pflow0 sorry for the noise G

Re: Captive portal with OpenBSD as a hostap

2015-10-05 Thread Kapetanakis Giannis
On 05/10/15 14:35, David Coppa wrote: On Mon, Oct 5, 2015 at 1:18 PM, C.L. Martinez wrote: Hi all, I have installed an openbsd vm to works as a hostap for tablets and smartphones (android and iOS). All it is working ok: pf, hostapd and dhcpd server. All tablets and smartphones that I have

Re: Captive portal with OpenBSD as a hostap

2015-10-05 Thread Kapetanakis Giannis
On 05/10/15 16:26, laudarch wrote: I made a custom implementation and a diff to authpf, will share that later just in case anyone wants it. I hope this helps you, it pretty simple http://bastienceriani.fr/?p=70 That's nice, but how do you log-out inactive users/IPs? There is no such option in

Re: Captive portal with OpenBSD as a hostap

2015-10-05 Thread Kapetanakis Giannis
On 06/10/15 01:04, Abel Abraham Camarillo Ojeda wrote: That's nice, but how do you log-out inactive users/IPs? There is no such option in pf a) expire after a certain amount of time and/or pfctl -t loggedusers -T expire 3600 # expire after one hour, regardless of activity you're right on this.

Re: Captive portal with OpenBSD as a hostap

2015-10-08 Thread Kapetanakis Giannis
On 08/10/15 23:17, Predrag Punosevac wrote: Somebody will correct me if I am wrong but the way that Authpf works (I have configured it in the past) is to load a new set of PF rules after successful ssh login. My understanding is that by default the traffic remains unencrypted unless we use more P

pf table counters

2015-10-09 Thread Kapetanakis Giannis
Hi, Is there a problem with table counters and NAT? I don't have any counters at all. I have a table which has counters enabled # pfctl -sT -v|grep nat_users --a-r-C nat_users I also have pf rules that reference this table. @100 pass out quick on vlan123 inet proto tcp from port > 1023 to

Re: serious watchdog timeout issues with em driver

2015-12-08 Thread Kapetanakis Giannis
On 20/11/15 15:12, Martin Pieuchot wrote: I just committed a revert to 1.305 keeping the API changes needed for the driver to build. This should bring your stability back, please let us know if that's not the case. I'm sorry for your troubles. Hi, I've upgraded yesterday to Dec 6 snapshot an

Re: serious watchdog timeout issues with em driver

2015-12-08 Thread Kapetanakis Giannis
On 08/12/15 19:39, Chris Cappuccio wrote: Kapetanakis Giannis [bil...@edu.physics.uoc.gr] wrote: On 20/11/15 15:12, Martin Pieuchot wrote: I just committed a revert to 1.305 keeping the API changes needed for the driver to build. This should bring your stability back, please let us know if

Re: serious watchdog timeout issues with em driver

2015-12-09 Thread Kapetanakis Giannis
On 08/12/15 21:47, Kapetanakis Giannis wrote: The event happened only once and it's network recovered after a few seconds. no reboot. G Well that didn't last long. Today I found the server hanged at ddb after a new watchdog timeout on em0. Keyboard was not working so I could n

Re: kerberos

2015-12-09 Thread Kapetanakis Giannis
On 09/12/15 15:13, Friedrich Locke wrote: What is/are the alternative(ies) for kerberos on openbsd ? (Since is was removed from the distribution). Thanks. Don't know if you can compile it, but the commit-remove msg is all time classic :) http://marc.info/?l=openbsd-cvs&m=139816103911227&w=2

Re: serious watchdog timeout issues with em driver

2015-12-14 Thread Kapetanakis Giannis
On 09/12/15 10:42, Kapetanakis Giannis wrote: On 08/12/15 21:47, Kapetanakis Giannis wrote: The event happened only once and it's network recovered after a few seconds. no reboot. G Well that didn't last long. Today I found the server hanged at ddb after a new watchdog timeo

Re: OpenBSD help

2015-12-15 Thread Kapetanakis Giannis
On 15/12/15 18:07, Alessandro Baggi wrote: Hi list, I've a firewall on an apu1D running OpenBSD. Today during a simple management, I've noticed that the system is up since 1 day and 23 hours. Running "cat authlog" I see that the last two logged session are: Dec 2 at 12 and today. Running "las

Re: serious watchdog timeout issues with em driver

2015-12-21 Thread Kapetanakis Giannis
Hi, Problem is still here with Dec 16 snapshot. Dec 17 13:08:20 server /bsd: OpenBSD 5.8-current (GENERIC.MP) #1494: Wed Dec 16 12:13:03 MST 2015 Dec 17 13:08:20 server /bsd: dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP Dec 17 13:08:20 server /bsd: cpu0: Intel(R) Pentium(

states by rule

2016-01-11 Thread Kapetanakis Giannis
Hi, Is there a quick way to find the exact states or state number created by a specific rule(s) without parsing the whole state table (pfctl -ss -vv)? I've tried loading the rules I'm concerned about in a separate anchor but that didn't work pfctl -a foo -ss thanks G

Re: states by rule

2016-01-11 Thread Kapetanakis Giannis
On 11/01/16 13:27, Stuart Henderson wrote: On 2016-01-11, Kapetanakis Giannis wrote: Hi, Is there a quick way to find the exact states or state number created by a specific rule(s) without parsing the whole state table (pfctl -ss -vv)? I've tried loading the rules I'm concerned

igmp option 148 (RA)

2016-01-21 Thread Kapetanakis Giannis
Hi, I'm constantly seeing this on my pf router. rule 61/(ip-option) pass in on $ext_if: $ext_gw > 224.0.0.1: igmp query [tos 0xc0] [ttl 1] Rule 61 is: @61 pass quick inet proto igmp from $ext_if:network to 224.0.0.1 keep state (no-sync) tcpdump on $ext_if shows: $ext_gw > 224.0.0.1: igmp qu

Re: igmp option 148 (RA)

2016-01-21 Thread Kapetanakis Giannis
On 21/01/16 12:40, Stefan Sperling wrote: On Thu, Jan 21, 2016 at 12:27:06PM +0200, Kapetanakis Giannis wrote: Hi, I'm constantly seeing this on my pf router. rule 61/(ip-option) pass in on $ext_if: $ext_gw > 224.0.0.1: igmp query [tos 0xc0] [ttl 1] Rule 61 is: @61 pass quick inet pr

Re: igmp option 148 (RA)

2016-01-21 Thread Kapetanakis Giannis
On 21/01/16 13:15, Stuart Henderson wrote: See pf.conf(5) "allow-opts". thanx Stuart :) that did the trick G

Re: vlan on trunk member not permitted

2016-02-10 Thread Kapetanakis Giannis
On 10/02/16 09:45, Marc Peters wrote: Hi list, for my laptop, i created a trunk(4) interface with em0 and iwn0 as members. IPv6 is provided on a separate vlan for now. Without trunking the interfaces, the vlan interface comes up and everything's working fine: ~ $ sudo /bin/sh /etc/netstart vla

dhcrelay: send_packet: No buffer space available

2016-02-12 Thread Kapetanakis Giannis
Hi, I have a carped firewall which is using dhcrelay to forward dhcp requests to another carped dhcp server. After upgrade to Feb 4 snapshot I'm seeing these in my logs: Feb 8 21:00:04 dhcrelay: send_packet: No buffer space available Feb 9 16:47:02 dhcrelay: send_packet: No buffer space a

Re: dhcrelay: send_packet: No buffer space available

2016-02-13 Thread Kapetanakis Giannis
On 12/02/16 18:56, Stuart Henderson wrote: On 2016-02-12, Kapetanakis Giannis wrote: Hi, I have a carped firewall which is using dhcrelay to forward dhcp requests to another carped dhcp server. After upgrade to Feb 4 snapshot I'm seeing these in my logs: What version were you running b

Re: dhcrelay: send_packet: No buffer space available

2016-02-18 Thread Kapetanakis Giannis
On 12/02/16 18:56, Stuart Henderson wrote: On 2016-02-12, Kapetanakis Giannis wrote: Hi, I have a carped firewall which is using dhcrelay to forward dhcp requests to another carped dhcp server. After upgrade to Feb 4 snapshot I'm seeing these in my logs: What version were you running b

Re: dhcrelay: send_packet: No buffer space available

2016-02-18 Thread Kapetanakis Giannis
On 18/02/16 13:22, Peter Hessler wrote: On 2016 Feb 18 (Thu) at 12:25:07 +0200 (+0200), Kapetanakis Giannis wrote: :On 12/02/16 18:56, Stuart Henderson wrote: :>On 2016-02-12, Kapetanakis Giannis wrote: :>>Hi, :>> :>>I have a carped firewall which is using dhcrelay to for

Re: dhcrelay: send_packet: No buffer space available

2016-02-19 Thread Kapetanakis Giannis
On 18/02/16 15:52, Kapetanakis Giannis wrote: On 18/02/16 13:22, Peter Hessler wrote: How many bpf devices do you have? You may need to create more. I have 20 bpf devices, 27 vlan interfaces, 27 carp interfaces, 17 dhcrelay processes. wasn't there a message when bpf devices were

Re: dhcrelay: send_packet: No buffer space available

2016-02-20 Thread Kapetanakis Giannis
On 20/02/16 13:52, Stuart Henderson wrote: Are the carp interfaces "up" (i.e. master) when you see these messages? Yes always. On both firewalls I have net.inet.carp.log=3 and I haven't logged any carp up/down - MASTER/BACKUP transition messages. On the other hand, on backup firewall I just

Re: Is there an option switch to lower minimum DH strength in SSH client?

2017-11-03 Thread Kapetanakis Giannis
On 03/11/17 15:27, Jacob Leifman wrote: >> KexAlgorithms +diffie-hellman-group1-sha1 >> Ciphers +aes128-cbc >> >> Regards >> > > Hi, > > Not quite, I have the converse problem -- using the modern ssh client and > being unable to connect to an older embedded ssh server. But your solution > indica

Re: bug tracking system for OpenBSD

2017-12-22 Thread Kapetanakis Giannis
On 22/12/17 17:36, Stuart Henderson wrote: > The important part is the data itself. > ... > IMHO if anything is going to happen with this it's going to come > from someone who just gets on and does it. Maybe someone who just > throws a spreadsheet or something together to keep track of > tech@/bug

Re: bug tracking system for OpenBSD

2017-12-23 Thread Kapetanakis Giannis
On 23/12/17 12:24, Stuart Henderson wrote: Forwarded? No way! Same for bugs@ as tech@. It needs manual work to triage, identify what is a bug, follow up with the reporter to make sure the report is accurate and has enough information to be useful. Same whatever the entry point is. If reporters ca

i7 vs Xeon forwarding performance

2018-01-09 Thread Kapetanakis Giannis
Hi, Has anyone tested newer i7 vs Xeon E5 performance comparison on forwarding? All tests I've seen (mainly by Hrvoje Popovski) are on Xeon cpus. I know that things are a moving target with UNLOCKing taking place but it would be interesting to share any results if there are available. regards,

Re: Bitmask for 224.0.0.0 in Martians PF table entry

2018-01-11 Thread Kapetanakis Giannis
On 10/01/18 20:55, Aham Brahmasmi wrote: > Hi, > > What is the correct bitmask for the 224.0.0.0 Martian table entry in > pf.conf? > > There are two bitmasks in two links on this page - > http://www.team-cymru.org/bogon-reference-http.html. /3 in the The Text > Bogon List, Aggregated and /4 in IP

nat-to (least-states / round-robin) problem

2018-01-23 Thread Kapetanakis Giannis
Hi, I've discovered something that looks like a bug in nat translation with least-states or round-robin Instead of using the nat-pool it uses wrong IPs # pfctl -sr -R0 pass out log quick on vlan123 inet from xx.xx.xx.xx to 188.113.88.193 flags S/SA tagged from_internal nat-to xx.xx.yy.24/29 le

Re: nat-to (least-states / round-robin) problem

2018-01-23 Thread Kapetanakis Giannis
On 23/01/18 11:08, Kapetanakis Giannis wrote: > Hi, > > I've discovered something that looks like a bug in nat translation with > least-states or round-robin > > Instead of using the nat-pool it uses wrong IPs > > # pfctl -sr -R0 > pass out log quick on

Re: nat-to (least-states / round-robin) problem

2018-01-26 Thread Kapetanakis Giannis
On 23/01/18 11:54, Kapetanakis Giannis wrote: > On 23/01/18 11:08, Kapetanakis Giannis wrote: >> Hi, >> >> I've discovered something that looks like a bug in nat translation with >> least-states or round-robin >> >> Instead of using the nat-pool it uses

Re: OpenBSD and IPMI

2018-03-09 Thread Kapetanakis Giannis
On 09/03/18 15:11, Denis wrote: > By reading this article > blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/ my hair > raised. > > How to OpenBSD security withstands against IPMI holed solution from top > hardware vendors? > > Best ways to prevent potential risks for OpenBSD over

relayd clients on same network with servers

2018-03-19 Thread Kapetanakis Giannis
Hi, I'm designing a new setup with relayd and multiple pools. I'm using redirects with forward. The problem I have is that all the real server as in the same VLAN. In advance the servers in one pool need to access the servers in another pool, through the load balancer, thus having a problem wit

Re: relayd clients on same network with servers

2018-03-19 Thread Kapetanakis Giannis
On 19/03/18 13:51, Mischa wrote: > Hi Giannis, > > From my experience dealing with a lot of load balancers in my time, and also > working for different vendors, the easiest is to use source-nat. > This is just configuration on the relayd itself without making "major" > changes in the rest of the

Re: OpenBSD vs Linux KVM Guest Performance and Stability

2018-04-16 Thread Kapetanakis Giannis
On 16/04/18 18:40, Claudio Jeker wrote: really depends on the KVM/linux version Don't forget to set "options kvm-intel preemption_timer=0" for modprobe on newer linux kernels. After that it seems to work nicely. This module option (according to lists) is about timing issues with kvm and o

Re: OpenBSD vs Linux KVM Guest Performance and Stability

2018-04-17 Thread Kapetanakis Giannis
On 17/04/18 10:28, Daniel Santos wrote: > On 2018-04-16 23:00, Claudio Jeker wrote: >> On Mon, Apr 16, 2018 at 11:10:46PM +0300, Kapetanakis Giannis wrote: >>> On 16/04/18 18:40, Claudio Jeker wrote: >>> > >>> >>really depends on the KVM/linux version

Re: carp ssh setup

2018-04-17 Thread Kapetanakis Giannis
On 17/04/18 02:06, jungle Boogie wrote: > Hi All, > > I have a very simple carp setup - basically I want ssh access if the > master goes offline. > In theory, this are functioning correctly. In practice, it seems the > backup is taking over way too often - the backup takes over way too > often, ev

upgrade 6.2 snapshots to 6.3 release

2018-04-19 Thread Kapetanakis Giannis
Hi, since more and more of my servers have been migrated to OpenBSD :) and I'm getting a bit lazy, I want to upgrade some of my 6.2 snapshots to 6.3 release and use syspatch for upgrading them in the future. What was the date of code lock/freeze so I can safely put 6.3 on top? Thanks, G

Re: upgrade 6.2 snapshots to 6.3 release

2018-04-19 Thread Kapetanakis Giannis
On 19/04/18 13:54, Sebastian Benoit wrote: > Kapetanakis Giannis(bil...@edu.physics.uoc.gr) on 2018.04.19 13:37:24 +0300: >> Hi, >> >> since more and more of my servers have been migrated to OpenBSD :) and I'm >> getting a bit lazy, I want to upgrade some of my 6.2

Re: upgrade 6.2 snapshots to 6.3 release

2018-04-20 Thread Kapetanakis Giannis
On 19/04/18 23:46, Sebastian Benoit wrote: > Correct. And between Mar 14 and Mar 24, there is i believe nothing (like rm > commands etc) in the upgrade63.html that you need to do, just do the update > and run sysmerge and syspatch and pkg_add -u. Thanks for the answers. Last question: What's the

6.8 openldap and SSL/TLS problem after upgrade

2020-12-22 Thread Kapetanakis Giannis
Hi, After upgrading to 6.8-release I can no longer connect to my ldap server with openldap and SSL/TLS. I'm using a self signed root CA to sign LDAP server's certificate. /etc/openldap/ldap.conf has: TLS_CACERTDIR /etc/openldap/cacerts TLS_REQCERT demand # /usr/local/bin/ldapsearch -d9 -x (open

Re: 6.8 openldap and SSL/TLS problem after upgrade

2020-12-22 Thread Kapetanakis Giannis
eeBSD. And yes, no additional setting seem to help this. With kindest regards, Kostya Berger On Tuesday, 22 December 2020, 17:52:48 GMT+3, Kapetanakis Giannis wrote: Hi, After upgrading to 6.8-release I can no longer connect to my ldap server with openldap and SSL/TLS. I'm using

Re: 6.8 openldap and SSL/TLS problem after upgrade

2020-12-23 Thread Kapetanakis Giannis
On 23/12/2020 03:53, Stuart Henderson wrote: On 2020-12-22, Kapetanakis Giannis wrote: Hi, After upgrading to 6.8-release I can no longer connect to my ldap server with openldap and SSL/TLS. I'm using a self signed root CA to sign LDAP server's certificate. /etc/openldap/lda

osp6d p2p send_ls_update

2020-12-29 Thread Kapetanakis Giannis
Hi, I've changed today my config from broadcast to p2p for both ipv4 and ipv6. In ospf6d I get this quite often: Dec 29 17:39:00 ospf6d[40695]: send_packet: error sending packet on interface vlanX: Network is unreachable Dec 29 17:39:00 ospf6d[40695]: send_ls_update: Network is unreachable deb

Re: compiling pmacct on obsd6.8

2021-01-12 Thread Kapetanakis Giannis
On 12/01/2021 10:25, Stuart Henderson wrote: > On 2021-01-12, Masato Asou wrote: >> Hi, >> >> From: Salvatore Cuzzilla >> Date: Mon, 11 Jan 2021 17:40:21 +0100 >> >>> I'm having some troubles with compiling the latest version of pmacct >>> (https://github.com/pmacct/pmacct) on obsd6.8 . >>> >>> I

disk boot delay and high cpu

2021-01-12 Thread Kapetanakis Giannis
Has anyone seen this before? I'm experiencing disk stalls while doing sysupgrade. OpenBSD 6.7 -> 6.8, which is a test VM running on KVM RHEL7/RHEL8. VM storage is LVM on top of 10Gbps iSCSI with multipath. Disk and network are on virtio. Installation is fine (iso image stored locally on node).

Re: CARP load balancing problems under KVM

2021-01-12 Thread Kapetanakis Giannis
Check that you have mac spoofing filter disabled on that interface. G On 12/01/2021 15:30, Carlos Lopez wrote: Hi David and misc@, Sorry to disturb with this.I have realized several tests this morning with two OpenBSD 6.8 carp'ed firewalls (fully patched) as kvm guests and result is the same

Re: CARP load balancing problems under KVM

2021-01-12 Thread Kapetanakis Giannis
On 12/01/2021 18:58, Carlos Lopez wrote: Thanks Gianni, but about what interface ? KVM bridges? In theory, MAC spoofing is avoided using this option: bridge.ageing-time: 300 On 12/1/21, 17:47, "owner-m...@openbsd.org on behalf of Kapetanakis Giannis" wrote:

Re: ospf on wg(4)

2021-01-30 Thread Kapetanakis Giannis
On 29/01/2021 23:32, Bastien Durel wrote: Le 29/01/2021 à 17:44, Olivier Cherrier a écrit : Hi, I'm trying to setup OSPF on a working Wireguard VPN using 6.8 amd64 machines. This is what I get: # ospfd -dvvv id = "172.26.1.1" startup kr_init: priority filter enabled orig_rtr_lsa: area 0.0.

Re: ospf on wg(4)

2021-01-30 Thread Kapetanakis Giannis
On 30/01/2021 10:50, Bastien Durel wrote: Hello, IFAIK, wgaip is not routing, using wgaip 0.0.0.0/0 does not add a default route on interface. Regards, Cool. At least on linux it adds routes by default, which is not always desirable. Although reading the manual now, there is an option to

Re: relayd + pfsync

2021-02-01 Thread Kapetanakis Giannis
On 02/02/2021 05:18, Jordan Geoghegan wrote: Hello, I had a question about using relayd with pfsync. I have a small gateway/load-balancer set up with relayd, carp and pfsync plus BGPd for IP failover, and everything is working great. I was pleasantly surprised at how easy it was to get pfsync

Re: blacklistd analogue

2021-03-25 Thread Kapetanakis Giannis
How about a distributed setup? Has anyone thought of a way getting IPs from various servers (say linux & fail2ban) to the central OpenBSD (pf) firewall? Ideally with history in order to punish more the frequent abusers. I had plans on looking to bgp to distribute the IPs around but maybe the

Re: PF rate limiting options valid for UDP?

2023-07-19 Thread Kapetanakis Giannis
On 18/07/2023 23:59, Stuart Henderson wrote: > PF's state-tracking options are only for TCP. (Blocking an IP > based on number of connections from easily spoofed UDP is a good > way to let third parties prevent your machine from communicating > with IPs that may well get in the way i.e. trigger a "

Re: PF rate limiting options valid for UDP?

2023-07-19 Thread Kapetanakis Giannis
On 19/07/2023 13:31, Stuart Henderson wrote: > On 2023-07-19, Kapetanakis Giannis wrote: >> Maybe even better, can it run under relayd (redirect) on top of carp? > That's just rdr-to behind the scenes, no problem with that, though if > you want to do per IP rate lim

Re: relayd ssl termination advice

2023-10-09 Thread Kapetanakis Giannis
On 08/10/2023 04:00, Courtney wrote: > Ultimately, I want to serve a handful of services on 80/443 that are > easily accessible internally and externally, and I don't want to have > unencrypted traffic between relayd and my server for the services that > are passing sessions and such. Then don't

Re: AAAA entry for openbsd.org

2023-10-23 Thread Kapetanakis Giannis
If you're looking for a mirror to install/update ftp.cc.uoc.gr runs on both IPv4/IPv6 and is listed in official mirrors. http://ftp.cc.uoc.gr/mirrors/OpenBSD/ G On 23/10/2023 08:58, Armin Jenewein wrote: > No idea what you perceive here as a "rant", my apologies if that seemed > like one to you
