Contributing to spamd
Hi devs and all, I have been using spamd for quite a while and have been loving it. I've seen that spamd currently only supports ipv4 and have been wondering if it was possible to extend it to ipv6. I know that workforce is always limited so I wanted to know if there is any way to contribute help towards this :) I admit I'm not the most knowledgeable about ipv6 so I was wondering if there is any small place to start to contribute to spamd and build up from there. Hoping for some positive response. Thanks a lot for your work and hope you are safe, Aisha
Re: Contributing to spamd
Thanks a lot Ingo. I'm currently looking through spamd.c and trying to learn. I'm way too far behind to send any patches yet, lol. I'll slowly work to it. Much appreciated, Aisha On 4/3/20 9:40 AM, Ingo Schwarze wrote: > Hi Aisha, > > Aisha Tammy wrote on Fri, Apr 03, 2020 at 08:54:22AM -0400: > >> I have been using spamd for quite a while and have been loving it. >> I've seen that spamd currently only supports ipv4 and have been >> wondering if it was possible to extend it to ipv6. I know that workforce >> is always limited so I wanted to know if there is anyway to contribute >> help towards this :) > > The way to contribute to OpenBSD is by sending patches - ideally > small, incremental patches that work and are well tested, but when > you get stuck, you can also send something like: "I hope to do > FOOBAR, and here is what i have so far; the FOO part already seems > to work in my preliminary testing, but i have doubts whether my > approach to the BAR part is ideal. Feedback is welcome." > >> I admit I'm not the most knowledgeable about ipv6 so I was wondering if >> there is any small place to start to contribute to spamd and build up >> from there. >> Hoping for some positive response. > > Being able to learn on your own is among the key qualifications > required to contribute to OpenBSD. Learning by doing is recommended: > First find an issue you would like to fix. Good judgement of your > own abilities is essential here: don't pick a task so much over > your head that you have no chance of ever getting it done. Picking > something *slightly* more difficult than what you have experience > with may be OK if you are willing to learn and can tolerate the > frustration that unavoidably comes with the first try likely not > being good enough for commit yet. 
Then again, getting used to > the processes of sending patches, receiving feedback, and improving > and re-sending the patches such that they get ready for commit may > also require some effort, so it is not a bad idea to start with > tasks you are absolutely sure you can easily manage, until you get > used to the processes, then progress to more difficult stuff in order > to learn and grow. > > When asking questions, be as specific as possible, ideally showing > specific patches or specific sequences of commands and asking > specific questions about them. > > Avoid questions similar to "what should i do" or "where should i > start" or "is there a todo list". That depends on what you are > interested in and what your abilities are, and you need to know > that yourself, no one else who doesn't know you personally can help > you with that. > > Sorry that i can't give you specifics about spamd(8), but your > question wasn't very specific anyway. In general, seamless IPv6 > support is welcome in OpenBSD, but i'm not sure about the requirements > of spamd(8) in particular since i never used it nor worked on it. > > Yours, > Ingo >
Re: Contributing to spamd
Oh that is really good to hear :) Thanks a lot phessler! Here is to hoping it can be included in the next release. Thanks a lot again, Aisha On 4/3/20 12:28 PM, Denis Fondras wrote: > On Fri, Apr 03, 2020 at 08:54:22AM -0400, Aisha Tammy wrote: >> Hi devs and all, >> I have been using spamd for quite a while and have been loving it. >> I've seen that spamd currently only supports ipv4 and have been >> wondering if it was possible to extend it to ipv6. I know that workforce >> is always limited so I wanted to know if there is anyway to contribute >> help towards this :) >> I admit I'm not the most knowledgeable about ipv6 so I was wondering if >> there is any small place to start to contribute to spamd and build up >> from there. >> Hoping for some positive response. >> >> Thanks a lot for your work and hope you are safe, >> Aisha >> > > phessler@ did almost all the work. There is still one issue so it did not get > in. >
Re: Wine for OpenBSD?
wooosh wine is not there on openbsd, it's not going to be there on openbsd, reasons are too long for me to write this early in the morning, plz google-fu them On 4/11/20 8:32 AM, Nikita Stepanov wrote: > I mean > https://en.m.wikipedia.org/wiki/Wine_(software) > 18:30, 11 April 2020, Peter Nicolai Mathias Hansteen > : > > > > On 11 Apr 2020 at 12:15, Nikita Stepanov wrote: > > Wine for OpenBSD? > > > > Oh, OpenBSD goes well with most kinds of wine, just don’t overdo > it. Same with beer, liquors as always. > > All the best, > > — > Peter N. M. Hansteen, member of the first RFC 1149 implementation > team > http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ > "Remember to set the evil bit on all malicious network traffic" > delilah spamd[29949]: 85.152.224.147: disconnected after 42673 > seconds. >
Comments in source code
Hey devs and all, I'm kind of new to OpenBSD, only working on ports so far so take what I say with chill. I've been reading the source code in GIT and felt a real lack of comments explaining what the code is doing. Is this something encouraged in obsd? I would really like to have something more than super condensed one line explanations like in style(9). Just wanted to express my frustration and also to ask if there is any better way to understand how the code is working? I feel like this would deter a lot of new contributors, me included. Hopefully I don't sound too negative. I'm willing to send patches which just add comments and explanations, if there is any interest from the devs. Best, Aisha
Re: Comments in source code
Thanks a lot for responding, I've had some food so am feeling a lot less frustrated :D > On 4/23/20 12:10 PM, Stuart Henderson wrote: > > It's often considered better if code is clear enough to stand by itself, > keeping comments for the less common cases which can't be figured out > from reading the code. And that way you aren't at risk of assuming But like, not all code is simple enough to understand by just reading it. Comments can do more than just explain api, they can help explain how the code itself is working. I have been reading diff, sdiff, diff3 and other string algorithms to understand how to make it as fast as their GNU counterparts and they are not the simplest to read, even when knowing the actual string algorithms pretty well. > something which is implied by the comment but isn't actually in the code > (either never was, or the code changed but the comment didn't keep up). > And about comments being left behind in code changing, I feel like that is easily changed by people making sure that they also read comments while coding. I don't think that is a good enough excuse about not commenting. > If you aren't already, you should be looking at commit messages from > where the relevant code was touched. That is often where you'll find the > explanations you seek. > I have been reading them; commit messages don't explain algorithms very clearly. I agree this is a very specific use case but definitely something that could be improved. Some of the things I've been considering useful (in this specific scenario for diff3): - explanation for merge function, what it does - in merge function, explain how the empty for loop is used, as this is a very big loop with a lot of cases. IMO, any function with a lot of cases should have a small explanation about what it is doing, so the code is a lot more lit. Cheers, Aisha
Porting Jitsi to OpenBSD
Hey all, I'm hoping to port jitsi and wanted to know if anyone else is already working on a port so that I don't do work that might be unnecessary. Cheers, Aisha
Re: Porting Jitsi to OpenBSD
based af will do On 4/24/20 8:36 AM, Daniel Jakots wrote: > On Fri, 24 Apr 2020 08:25:51 -0400, Aisha Tammy > wrote: > >> Hey all, >> I'm hoping to port jitsi and wanted to know if anyone else is already >> working on a port so that I don't do work that might be unnecessary. > > > This kind of email should go on ports@. > Since misc@ has a very low SNR [1] don't assume anyone seriously > working on OpenBSD is actually reading this particular mailing-list. > > [1]: https://en.wikipedia.org/wiki/Signal-to-noise_ratio > > Cheers, > Daniel >
Re: Sound is good on OpenBSD
On 4/28/20 9:22 AM, David Demelier wrote: > On 28/04/2020 at 14:01, Yury Grebenkin wrote: >> OpenBSD gives a better sound experience on my machine than several >> Linux distributions I have used and FreeBSD. Just want to say thank >> you to all the people involved and state the fact that OpenBSD does >> make a difference. > > The audio stack is definitely better as we have the clean and simple sndio > interface while Linux has to deal with ALSA, Jack, PulseAudio and maybe > pipewire at some point. jack is there on openbsd right. Does it provide considerably more benefits? > > That said, I personally have stuttering when playing music on OpenBSD and > doing some CPU “intensive” tasks like many firefox tabs opened. I'd be glad > to see if it works better for you and if you tweak the system to avoid that. >
Re: wireguard on i386
On 5/6/20 9:58 AM, infoomatic wrote: > Hi, > > I realized wireguard is not available as binary package for i386. Since > this is my only 32bit machine I would setup 32bit VM to build the > package. There are two packages, wireguard-tools and wireguard-go. Both have been recently updated to work on all platforms; if you are running -current you should have them available. I don't think they have been backported to 6.6. > Is it possible to compile it from ports for 32bit? (or is the > missing package a sign that it's not available for 32bit architecture?) > Yes, both of them can be compiled manually; take a look at the Makefile[1] to see what the build time dependencies are. > thanks, > > infoomatic > [1]https://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/net/wireguard-go/
Re: wireguard on i386
On 5/6/20 12:22 PM, Stuart Henderson wrote: > On 2020-05-06, infoomatic wrote: >> Hi, >> >> I realized wireguard is not available as binary package for i386. Since >> this is my only 32bit machine I would setup 32bit VM to build the >> package. Is it possible to compile it from ports for 32bit? (or is the >> missing package a sign that it's not available for 32bit architecture?) > > Use wiresep, wireguard-go does not build on i386 (but even on archs > where both are available, wiresep has several advantages). > > Ooof, seems like the change for removing ONLY_FOR_ARCHS had to be rolled back. Very unfortunate :(
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
On 5/7/20 11:11 AM, Kevin Chadwick wrote: > On 2020-05-07 14:10, Consus wrote: >> On Thu, May 07, 2020 at 04:00:15PM +0200, i...@aulix.com wrote: >>> Dear OpenBSD fans, >>> >>> Can you please comment negative appraisal from the following website: >>> >>> https://isopenbsdsecu.re/quotes/ >>> >>> I did not want to hurt anyone, just looking for a secure OS and >>> OpenBSD looked very nice to me before I have found this website. >> > > Perhaps you could cite which part as the parts I read should seem without > merit > to anybody? > >> The fun thing to do: offer $50k rewards for code execution >> vulnerabilities and wait for results. >> > > "Apple has lately been slapping proprietary mitigations around like there’s no > tomorrow. But thing is, mitigations are often delicate creatures, with rather > fragile assumptions. Having too many of them in one place can easily make them > break one another, as happened here with execute-only memory vs PAN." > > I am sure that examples of mitigations leveraging and protecting each other, > or > an exploit failing because of multiple mitigations is far more common than > them > hurting each other. > > "I put a lot more faith in privilege separation and reduction than in all the > mitigations. I’d be really impressed by a move to a safe language… most > everyone > is late to that party, so it’s a chance for someone to pull ahead if they > wanted > bragging rights" > > I wouldn't want to read an OS written in Rust and I would love to see secure > developments in C even if it hampers potential performance. Things like Go are > not suitable for an OS with many small programs. > Curious about why... though admittedly I have never written or read rust in great detail. Genuinely curious why, I thought it was supposed to be pretty nice with thread safety and all that jazz. > Also, OpenBSD is one of the pioneers of privilege separation and most Go > programs are not privilege separated at all. > > I quickly lost interest, sorry. 
IMO, the main thing that causes exploitations > is > carelessness. OpenBSD cares and is careful! > Aisha
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
On 5/7/20 7:02 PM, Aaron Mason wrote: > On Fri, May 8, 2020 at 2:30 AM jeanfrancois wrote: >> >> As long as there's no material published it's worth just any other word. >> > > To quote Douglas Adams on whether you can trust people on the > internet, "of course not, it's just people talking". > wait a minute. you are on the internet, I am on the internet. I CAN'T TRUST ANYONE. MY LIFE IS FALLING APART. but then I shouldn't trust what you said too. Ah, okok, i'll not trust what you said *promptly goes to the nearest zebra crossing to get killed* (sorry I just had to)
Re: 'post quantum' encryption algorithm(s) in latest libressl and upcoming 6.7 to chose
On 5/8/20 3:16 PM, Martin wrote: > Which 'quantum' resistant algorithms can be used right now to prevent data > decryption in future by 'quantum' computers (when they can do this) of > currently collected data flows? this is so dumb. worry about this when there are computers which can actually add two numbers quantoonly. aisha > > Martin >
Re: fde nightmare
On 5/15/20 5:00 AM, fossfo...@unixism.xyz wrote: > Well as it turns out, my key was intact :) > > As it turns out, my passphrase didn't actually change at all, and > every time I tried to enter it, I was in dvorak mode, where I typed > it in qwerty originally. This will doubtlessly be my embarrassment > of the year, but it does feel like a mountain has been lifted from > my shoulders. > > Phew. Fossforus > I'm really glad for you :) Aisha (epsilonKNOT)
LDAP database choice
Hi all, Is there any particular reason why ldapd has its own version of btree.c instead of using the db.h standard btree? Aisha
Re: Disabling OpenBSD Login Prompt
On 6/10/20 10:46 AM, Steve Williams wrote: > Hi, > > Do you have the proper ioctls to set baud rate, parity, start bits, stop bits > so that the serial port is configured correctly? > > What about flow control? rts/cts, xon/xoff. > > Dealing with a serial port is its own art. > Wow, this is really interesting. I'm curious, do the display managers like gdm/xdm, etc also have to handle this? I'm asking cuz I'm porting a display manager for linux (nothing to do with openbsd, but this discussion was very related). I'm in a very similar position where the simplest answer would be to disable a getty at one of the tty's and start the login prompt there (it's a visual prompt). Link to the display manager, if my writing wasn't clear: https://git.sr.ht/~kennylevinsen/greetd Aisha > Cheers, > Steve W. > > On 10/06/2020 3:03 a.m., Valdrin MUJA wrote: >> Hi Misc, >> >> I want to disable OpenBSD Login prompt at startup -and also after logging >> out-. Because I want to run my external program instead of ksh. There is a >> login prompt also in my program and I want to use it. 
>> >> I updated the /etc/ttys ; >> >> valdrin# cat /etc/ttys >> # >> # $OpenBSD: ttys,v 1.2 2008/01/09 17:39:42 miod Exp $ >> # >> # name getty type status comments >> # >> console "/usr/libexec/getty std.9600" vt220 off secure >> ttyC0 "/usr/libexec/getty std.9600" vt220 on secure >> ttyC1 "/usr/libexec/getty std.9600" vt220 on secure >> ttyC2 "/usr/libexec/getty std.9600" vt220 on secure >> ttyC3 "/usr/libexec/getty std.9600" vt220 on secure >> ttyC4 "/usr/libexec/getty std.9600" vt220 off secure >> ttyC5 "/usr/libexec/getty std.9600" vt220 on secure >> ttyC6 "/usr/libexec/getty std.9600" vt220 off secure >> ttyC7 "/usr/libexec/getty std.9600" vt220 off secure >> ttyC8 "/usr/libexec/getty std.9600" vt220 off secure >> ttyC9 "/usr/libexec/getty std.9600" vt220 off secure >> ttyCa "/usr/libexec/getty std.9600" vt220 off secure >> ttyCb "/usr/libexec/getty std.9600" vt220 off secure >> tty00 "/root/myprogram" vt220 on secure >> tty01 "/usr/libexec/getty std.9600" unknown off >> tty02 "/usr/libexec/getty std.9600" unknown off >> tty03 "/usr/libexec/getty std.9600" unknown off >> tty04 "/usr/libexec/getty std.9600" unknown off >> tty05 "/usr/libexec/getty std.9600" unknown off >> tty06 "/usr/libexec/getty std.9600" unknown off >> tty07 "/usr/libexec/getty std.9600" unknown off >> >> I'm connected to the device with the com0 port so I updated the tty00 to run my >> external program. However, the system gets stuck after the date appears on startup. >> >> >> starting network >> reordering libraries: done. >> starting early daemons: syslogd ntpd. >> starting RPC daemons:. >> savecore: no core dump >> checking quotas: done. >> clearing /tmp >> kern.securelevel: 0 -> 1 >> creating runtime link editor directory cache. >> preserving editor files. >> starting network daemons: sshd. >> starting local daemons: cron. >> Wed Jun 10 10:27:04 +03 2020 >> >> >> Also, I tried "chsh" and "chpass", but still OpenBSD login prompt appears.. >> How can I overcome this issue? >> >> Thanks.. >> >
Re: Disabling OpenBSD Login Prompt
On 6/10/20 1:10 PM, Steve Williams wrote: > On 10/06/2020 10:31 a.m., Aisha Tammy wrote: >> On 6/10/20 10:46 AM, Steve Williams wrote: >>> Hi, >>> >>> Do you have the proper ioctls to set baud rate, parity, start bits, stop >>> bits so that the serial port is configured correctly? >>> >>> What about flow control? rts/cts, xon/xoff. >>> >>> Dealing with a serial port is its own art. >>> >> Wow, this is really interesting. >> I'm curious, do the display managers like gdm/xdm, etc also have >> to handle this? >> I'm asking cuz I'm porting a display manager for linux (nothing to >> do with openbsd, but this discussion was very related). >> I'm in a very similar position where the simplest answer would be >> to disable a getty at one of the tty's and start the login prompt >> there (it's a visual prompt). >> >> link to display manager, if my writing wasn't clear >> https://git.sr.ht/~kennylevinsen/greetd >> >> Aisha > The baud rate, etc is only applicable to things running over serial RS-232 > (and 422) ports. The original poster specified it is running on "com0". > > A display manager would not (typically) be talking over a serial port > natively. In the old days, X might be talking over a serial port using SLIP > or some such technology, but that has all gone the way of the dodo bird. > Cool, got it. Thanks a lot! Aisha > Cheers, > Steve W. > > > >> >>> Cheers, >>> Steve W. >>> >>> On 10/06/2020 3:03 a.m., Valdrin MUJA wrote: >>>> Hi Misc, >>>> >>>> I want to disable OpenBSD Login prompt at startup -and also after logging >>>> out-. Because I want to run my external program instead of ksh. There is >>>> a login prompt also in my program and I want to use it. 
>>>> >>>> I updated the /etc/ttys ; >>>> >>>> valdrin# cat /etc/ttys >>>> # >>>> # $OpenBSD: ttys,v 1.2 2008/01/09 17:39:42 miod Exp $ >>>> # >>>> # name getty type status comments >>>> # >>>> console "/usr/libexec/getty std.9600" vt220 off secure >>>> ttyC0 "/usr/libexec/getty std.9600" vt220 on secure >>>> ttyC1 "/usr/libexec/getty std.9600" vt220 on secure >>>> ttyC2 "/usr/libexec/getty std.9600" vt220 on secure >>>> ttyC3 "/usr/libexec/getty std.9600" vt220 on secure >>>> ttyC4 "/usr/libexec/getty std.9600" vt220 off secure >>>> ttyC5 "/usr/libexec/getty std.9600" vt220 on secure >>>> ttyC6 "/usr/libexec/getty std.9600" vt220 off secure >>>> ttyC7 "/usr/libexec/getty std.9600" vt220 off secure >>>> ttyC8 "/usr/libexec/getty std.9600" vt220 off secure >>>> ttyC9 "/usr/libexec/getty std.9600" vt220 off secure >>>> ttyCa "/usr/libexec/getty std.9600" vt220 off secure >>>> ttyCb "/usr/libexec/getty std.9600" vt220 off secure >>>> tty00 "/root/myprogram" vt220 on secure >>>> tty01 "/usr/libexec/getty std.9600" unknown off >>>> tty02 "/usr/libexec/getty std.9600" unknown off >>>> tty03 "/usr/libexec/getty std.9600" unknown off >>>> tty04 "/usr/libexec/getty std.9600" unknown off >>>> tty05 "/usr/libexec/getty std.9600" unknown off >>>> tty06 "/usr/libexec/getty std.9600" unknown off >>>> tty07 "/usr/libexec/getty std.9600" unknown off >>>> >>>> I'm connected to the device with the com0 port so I updated the tty00 to run my >>>> external program. However, the system gets stuck after the date appears on >>>> startup. >>>> >>>> >>>> starting network >>>> reordering libraries: done. >>>> starting early daemons: syslogd ntpd. >>>> starting RPC daemons:. >>>> savecore: no core dump >>>> checking quotas: done. >>>> clearing /tmp >>>> kern.securelevel: 0 -> 1 >>>> creating runtime link editor directory cache. >>>> preserving editor files. >>>> starting network daemons: sshd. >>>> starting local daemons: cron. 
>>>> Wed Jun 10 10:27:04 +03 2020 >>>> >>>> >>>> Also, I tried "chsh" and "chpass" , but still OpenBSD login prompt >>>> appears.. How can I overcome this issue? >>>> >>>> Thanks.. >>>> >
SSL error with dovecot + roundcube
I'm trying to get roundcube set up on my server and every time I try to connect to dovecot, it gives a weird error on roundcube's side, in errors.log: [08-Jul-2020 21:34:18 +]: <6q9plqno> IMAP Error: Login failed for ai...@aisha.cc against imap.aisha.cc from 10.7.0.1(X-Forwarded-For: 98.109.25.191). Could not connect to ssl://imap.aisha.cc:993: Unknown reason in /roundcubemail/program/lib/Roundcube/rcube_imap.php on line 200 (POST /?_task=login&_action=login) On the interface I get: Connection to storage server failed On dovecot's side, I get: Jul 8 20:28:59 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=98.109.25.191, lip=108.61.81.40, TLS handshaking: SSL_accept() failed: error:14037418:SSL routines:ACCEPT_SR_KEY_EXCH:tlsv1 alert unknown ca: SSL alert number 48, session= I think this might be some error with either ssl lib things in php or something similar. (An unlikelier scenario is that I have some errors with my dovecot imap ssl, but every other client, thunderbird/fairmail/k-9 mail, is authenticating fine) Would love to get this fixed :( Thanks Aisha
Re: SSL error with dovecot + roundcube
OK I found the error; it is definitely something on our side of the port and not because of roundcube/dovecot. When I turn peer verification off, roundcube continues and establishes the connection. I think that the reason for this is that roundcube needs to access the CA cert files, which are not inside the chroot /var/www/. I fixed the issue by copying the /etc/ssl/cert.pem file into the chroot location and pointing the ca-cert config options to the proper place. I really think this should be added to the README of the port. I can send a diff later but hopefully the maintainer can just add a small note? Aisha On 7/8/20 8:57 PM, Aisha Tammy wrote: > I'm trying to get roundcube set up on my server and every time I try to connect > to dovecot, it gives a weird error on roundcube's side, in errors.log: > > [08-Jul-2020 21:34:18 +]: <6q9plqno> IMAP Error: Login failed for > ai...@aisha.cc against imap.aisha.cc from 10.7.0.1(X-Forwarded-For: > 98.109.25.191). Could > not connect to ssl://imap.aisha.cc:993: Unknown reason in > /roundcubemail/program/lib/Roundcube/rcube_imap.php on line 200 (POST > /?_task=login&_action=login) > > On the interface I get: > Connection to storage server failed > > On dovecot's side, I get: > Jul 8 20:28:59 mail dovecot: imap-login: Disconnected (no auth attempts in 0 > secs): user=<>, rip=98.109.25.191, lip=108.61.81.40, TLS handshaking: > SSL_accept() > failed: error:14037418:SSL routines:ACCEPT_SR_KEY_EXCH:tlsv1 alert unknown > ca: SSL alert number 48, session= > > I think this might be some error with either ssl lib things in php or > something similar. > (An unlikelier scenario is that I have some errors with my dovecot imap ssl, > but every other client, thunderbird/fairmail/k-9 mail, is authenticating fine) > > > Would love to get this fixed :( > > Thanks > Aisha >
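A pre-flight check for the chroot problem described in this post, written as an added example (not the port's or roundcube's own code). A process confined to the httpd/php-fpm chroot (/var/www on OpenBSD) resolves /etc/ssl/cert.pem as /var/www/etc/ssl/cert.pem, so the check reports whether that copy is missing or has drifted from the host bundle; the chroot, CA path and host root are parameters, and demo() builds a throwaway layout in a temporary directory so it runs anywhere.

```python
"""Added example, not the port's or roundcube's own code: check that a CA
bundle configured for a chrooted web app actually exists inside the chroot
and is identical to the host copy (a copy made once goes stale when the
host's /etc/ssl/cert.pem is later updated).
"""
import shutil
import tempfile
from pathlib import Path

DEFAULT_CHROOT = "/var/www"            # httpd/php-fpm chroot on OpenBSD
DEFAULT_CA_PATH = "/etc/ssl/cert.pem"  # path the IMAP TLS verification is pointed at


def chroot_view(chroot, path):
    """Host-side path that a process confined to `chroot` opens for absolute `path`."""
    return Path(chroot) / Path(path).relative_to("/")


def check_ca_in_chroot(chroot=DEFAULT_CHROOT, ca_path=DEFAULT_CA_PATH, host_root="/"):
    """Return 'missing', 'stale' or 'ok' for the CA bundle as seen from inside the chroot."""
    host_copy = Path(host_root) / Path(ca_path).relative_to("/")
    inside = chroot_view(chroot, ca_path)
    if not inside.is_file():
        # Peer verification cannot succeed: the right fix is to provide the
        # bundle inside the chroot, not to turn verification off.
        return "missing"
    if host_copy.is_file() and host_copy.read_bytes() != inside.read_bytes():
        return "stale"  # host bundle changed since the copy was made
    return "ok"


def sync_ca_into_chroot(chroot=DEFAULT_CHROOT, ca_path=DEFAULT_CA_PATH, host_root="/"):
    """Copy (or refresh) the host bundle into the chroot as a world-readable file."""
    host_copy = Path(host_root) / Path(ca_path).relative_to("/")
    inside = chroot_view(chroot, ca_path)
    inside.parent.mkdir(parents=True, exist_ok=True)
    if inside.exists():
        inside.chmod(0o644)  # allow overwriting a previous read-only copy
    shutil.copyfile(host_copy, inside)
    inside.chmod(0o444)
    return inside


def demo():
    """Walk through missing -> ok -> stale on a constructed temporary layout."""
    root = Path(tempfile.mkdtemp())
    host, www = root / "host", root / "www"   # stand-ins for / and /var/www
    bundle = host / "etc" / "ssl" / "cert.pem"
    bundle.parent.mkdir(parents=True)
    bundle.write_text("CONSTRUCTED-CA-BUNDLE-v1\n")  # constructed stand-in for cert.pem
    results = [check_ca_in_chroot(www, DEFAULT_CA_PATH, host)]
    sync_ca_into_chroot(www, DEFAULT_CA_PATH, host)
    results.append(check_ca_in_chroot(www, DEFAULT_CA_PATH, host))
    bundle.write_text("CONSTRUCTED-CA-BUNDLE-v2\n")  # host bundle updated later
    results.append(check_ca_in_chroot(www, DEFAULT_CA_PATH, host))
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    print(demo())  # ['missing', 'ok', 'stale']
```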
How do I expose wireguard peer with global static IPv6 without binat
The basic question is per the subject line; filling in the details here.
I have wireguard working with each peer having ipv4 and ipv6 addresses, and all of them are able to ping each other and also the WAN through the central peer. The central peer is a vultr VPS and has a /64 ipv6 prefix.
What I want to do:
- give each peer their own global ipv6/128 address
- use case: anyone on those peers can host their own simple services, e.g. nextcloud, syncthing, rubywarden, etc.
So currently my solution is to do a binat to each wireguard peer by using pf binat-to. Given that one of the best uses of ipv6 is to remove NAT, I'd like to know how to do this without using binat-to.
I'm attaching my pf and wireguard configuration files.

/etc/pf.conf - ##
open_tcp="{ 80, 443 }"
# 6942 is ssh port
flood_tcp="{ 6942, 42069 }"
open_udp="{ 161 }" # use 161 for wireguard
# stop bruteforce attackers that try to hug of death
table persist
table persist file "/etc/pf-badhost.txt"
# options for pf performance
set loginterface egress
set block-policy drop
set syncookies adaptive (start 25%, end 12%)
set skip on {lo, wg0}
block in quick on egress from
block out quick on egress from
block in quick on egress from
block out quick on egress to
block drop
pass in on wg0
pass proto icmp
pass proto icmp6
pass in on egress proto tcp from any to any port $flood_tcp \
 flags S/SA keep state \
 (max-src-conn-rate 1/3, \
 overload flush global)
pass in on egress proto tcp from any to any port $open_tcp
pass in on egress proto udp from any to any port $open_udp
pass out
pass out on egress inet from wg0:network to any nat-to vio0
# nat to wireguard peers
anchor "wireguard/nat"
load anchor "wireguard" from "/etc/pf.conf.anchor.wireguard"

pf.conf.anchor.wireguard - ##
anchor "nat" {
 pass on egress inet6 from fc00::6942:1 to any binat-to 2001:19f0:5:5cd5::1
 pass on egress inet6 from fc00::6942:2 to any binat-to 2001:19f0:5:5cd5::2
}

/etc/hostname.wg0 - ##
inet alias 10.7.0.17 255.255.255.0 10.7.0.255
inet6 alias fc00::6942:17 112
inet6 alias 2001:19f0:5:5cd5::4269 64
mtu 1420
up
!route -n add -inet6 fc00::6942:1/128 -iface fc00::6942:17
!route -n add -inet6 fc00::6942:2/128 -iface fc00::6942:17

/etc/hostname.vio0 - ##
dhcp
inet6 autoconf -autoconfprivacy -soii
inet6 alias 2001:19f0:5:5cd5::17 64
inet6 alias 2001:19f0:5:5cd5::1 64
inet6 alias 2001:19f0:5:5cd5::2 64

/etc/wireguard/bsdac-wg-central.conf (central peer file) - ##
[Interface]
PrivateKey = MCdzcLt9EZ8ej5vQTHq9Ig6UM4L3C38aXgLebLIxyGw=
#Address = 10.7.0.17/24,fc00::6942:17/112
ListenPort = 161
[Peer]
PublicKey =
PresharedKey =
AllowedIps = 10.7.0.1/32,fc00::6942:1/128
[Peer]
PublicKey =
PresharedKey =
AllowedIps = 10.7.0.2/32,fc00::6942:2/128

/etc/wireguard/bsdac-wg-peer.conf - ##
[Interface]
PrivateKey =
Address = 10.7.0.1/32,fc00::6942:1/128
ListenPort = 161
[Peer]
# WireGuard server public key
PublicKey =
PresharedKey =
Endpoint =
AllowedIPs = 10.7.0.0/24,fc00::6942:0/112
PersistentKeepalive = 25
routing ipv6 over wireguard
Hi all, I'm having some trouble getting wireguard to work nicely. Goal: Try to give public ipv6 addresses to my wireguard peers. How I've tried to tackle it is by giving the ip6 to the peer and then adding a route to the peer for the ipv6. My vps (peer A) has ipv6 subnet - 2001:19f0:5:5cd5::0/64 And I give peer A on wg0 the address - 2001:19f0:5:5cd5::6942:6/112 Peer B has been given ipv6 - 2001:19f0:5:5cd5::6942:6/128 I've used wg-quick for now, so when I try to get the route:
(peer A)$ route get 2001:19f0:5:5cd5::6942:6
   route to: 2001:19f0:5:5cd5::6942:6
destination: 2001:19f0:5:5cd5::6942:6
       mask: :::::::
  interface: wg0
 if address: 2001:19f0:5:5cd5::6942:17
   priority: 8 (static)
      flags:
     use       mtu    expire
      15         0         0
Everything seems fine for now, as I am also able to ping peer B from peer A! But when I ping from any computer from outside the wireguard network I don't get any pings back. When I try to do some debugging via tcpdump on vio0 (egress interface):
(peer A)$ tcpdump -inet6 -i vio0 icmp6
15:23:04.918459 fe80::fc00:2ff:feee:5248 > ff02::1:ff42:6: icmp6: neighbor sol: who has 2001:19f0:5:5cd5::6942:6
(a lot of such lines)
I am not sure what is happening here. Is adding a route to peer B on peer A not enough? Am unsure how to go about getting this to work >.< Any help would be nice. Thanks, Aisha
Re: routing ipv6 over wireguard
On 8/25/20 3:27 PM, Aisha Tammy wrote: > Hi all, > I'm having some trouble getting wireguard to work nicely. > > Goal: Try to give public ipv6 addresses to my wireguard peers. > > How I've tried to tackle it is by giving the ip6 to the peer and > then adding a route to the peer for the ipv6. > > My vps (peer A) has ipv6 subnet - 2001:19f0:5:5cd5::0/64 > > And I give peer A on wg0 the address - 2001:19f0:5:5cd5::6942:6/112 Small correction, peer A was given the address - 2001:19f0:5:5cd5::6942:17/112 > Peer B has been given ipv6 - 2001:19f0:5:5cd5::6942:6/128 > > I've used wg-quick for now so when I try to get the route > > (peer A)$ route get 2001:19f0:5:5cd5::6942:6 >route to: 2001:19f0:5:5cd5::6942:6 > destination: 2001:19f0:5:5cd5::6942:6 >mask: ::::::: > interface: wg0 > if address: 2001:19f0:5:5cd5::6942:17 >priority: 8 (static) > flags: > use mtu expire > 15 0 0 > > Everything seems fine for now, as I am also able to ping peer B from peer A! > > But when I ping from any computer from outside the wireguard network > I don't get any pings back. > > When I try to do some debugging via tcpdump on vio0 (egress interface) > > (peer A)$ tcpdump -inet6 -i vio0 icmp6 > 15:23:04.918459 fe80::fc00:2ff:feee:5248 > ff02::1:ff42:6: icmp6: neighbor > sol: who has 2001:19f0:5:5cd5::6942:6 > > (a lot of such lines) > > I am not sure what is happening here. > Is adding a route to peer B on peer A not enough? > Am unsure how to go about getting this to work >.< > Any help would be nice. > > Thanks, > Aisha >
Re: routing ipv6 over wireguard
On 8/27/20 7:07 AM, Simon Fryer wrote: > All, > > On Thu, 27 Aug 2020 at 08:17, Alarig Le Lay wrote: > >> Hi, >> >> On Tue 25 Aug 2020 15:27:27 GMT, Aisha Tammy wrote: >>> (peer A)$ tcpdump -inet6 -i vio0 icmp6 >>> 15:23:04.918459 fe80::fc00:2ff:feee:5248 > ff02::1:ff42:6: icmp6: >>> neighbor sol: who has 2001:19f0:5:5cd5::6942:6 >>> >>> (a lot of such lines) >> >> It seems that you have been provided a *connected* /64, so the router >> tried to do NDP for your peer, which isn’t possible because the peer >> isn’t on the same L2. >> >> You have to ask your provider to *route* you a range. Then, it will be your >> VM that will manage it. >> > > Thank you very much. I have been struggling with exactly the same problem > but with an Iked created IPSec tunnel. Off to raise a query with my > provider. > > Thanks again. > > Simon. > I found this out too when talking with ncon@ on irc. He has sent a patch which should allow us to use ndp with wg, am not sure if ndp works with (or is even designed to work with) ipsec ipv6. My knowledge of network layers is on demand wikipedia/google, which I assume is also most people attempting to set up tunnels XD So these behaviours put me in a twist. Should get solved soon though. Aisha.
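The diagnosis in this thread (a connected /64 makes the upstream router solicit the peer on vio0, where nobody owns the address) as an added example, not code from the thread: it parses the posted tcpdump line, checks that the solicitation really went to the target's solicited-node group, and classifies the target against the on-link prefix, this host's own addresses and the range routed over wg0 as described in the posts.

```python
"""Added example, not code from the thread: classify the IPv6 neighbor
solicitations seen on the egress interface to show why the upstream router
never gets an answer for a peer that is only reachable through wg0.
The sample tcpdump line and addresses are the ones posted; which prefix is
on-link on vio0 and which range is routed over wg0 follow the poster's setup.
"""
import ipaddress
import re

# Copy of the tcpdump line captured in the post (constructed sample input).
SAMPLE_LINE = ("15:23:04.918459 fe80::fc00:2ff:feee:5248 > ff02::1:ff42:6: "
               "icmp6: neighbor sol: who has 2001:19f0:5:5cd5::6942:6")

# The provider's /64 is *connected* on vio0: the upstream router expects
# every address in it to answer NDP on that link.
ONLINK_PREFIX = "2001:19f0:5:5cd5::/64"
# Addresses configured on this host (peer A); the kernel answers NS for these.
LOCAL_ADDRS = ["2001:19f0:5:5cd5::6942:17"]
# Ranges this host only knows as routes over the WireGuard tunnel.
TUNNEL_ROUTES = ["2001:19f0:5:5cd5::6942:0/112"]

NS_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): icmp6: "
                   r"neighbor sol: who has (?P<target>\S+)$")


def solicited_node(addr):
    """RFC 4291 solicited-node multicast group for addr: ff02::1:ffXX:XXXX,
    where XX:XXXX are the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def parse_ns(line):
    """Extract timestamp, source, destination and target from a tcpdump NS line."""
    m = NS_RE.match(line.strip())
    return None if m is None else {k: m[k] for k in ("ts", "src", "dst", "target")}


def classify_target(target, onlink_prefix=ONLINK_PREFIX,
                    local_addrs=LOCAL_ADDRS, tunnel_routes=TUNNEL_ROUTES):
    """Say how this host relates to the solicited address."""
    t = ipaddress.IPv6Address(target)
    onlink = ipaddress.IPv6Network(onlink_prefix, strict=False)
    if t in {ipaddress.IPv6Address(a) for a in local_addrs}:
        return "local"  # our own address: the kernel replies with an NA itself
    if any(t in ipaddress.IPv6Network(r, strict=False) for r in tunnel_routes):
        # We reach it via wg0, but the router still believes it is on-link
        # and solicits it on vio0, where no interface owns it.
        return "onlink-but-tunnelled" if t in onlink else "routed"
    return "onlink-unknown" if t in onlink else "offlink"


def diagnose(line, onlink_prefix=ONLINK_PREFIX,
             local_addrs=LOCAL_ADDRS, tunnel_routes=TUNNEL_ROUTES):
    """Return a dict describing one NS line, or None if the line is not an NS."""
    ns = parse_ns(line)
    if ns is None:
        return None
    verdict = classify_target(ns["target"], onlink_prefix, local_addrs, tunnel_routes)
    explanations = {
        "local": "this host owns the target and answers the NS itself",
        "onlink-but-tunnelled": ("target sits inside the connected prefix but is only "
                                 "routed over the tunnel; the NS on vio0 goes unanswered "
                                 "and outside traffic is dropped until the range is "
                                 "routed to this host instead of treated as on-link"),
        "routed": "target is routed here and the router does not expect it on-link",
        "onlink-unknown": "target is in the connected prefix but unknown to this host",
        "offlink": "target is outside the connected prefix; NS should not appear here",
    }
    return {
        "target": ns["target"],
        "verdict": verdict,
        # Sanity check: a genuine NS is sent to the target's solicited-node group.
        "dst_is_solicited_node":
            ipaddress.IPv6Address(ns["dst"]) == solicited_node(ns["target"]),
        "explanation": explanations[verdict],
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_LINE))
```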
Re: Any experience with 10Gbe?
On 10/15/20 5:52 AM, Stuart Henderson wrote: > On 2020-10-14, Rafael Possamai wrote: >>> I'm supporting a small business who needs more bandwidth due to the >>> work-from-home situation. They've asked me to help them do the upgrade to >>> 10Gbe. I'd prefer to keep them on an OpenBSD router, since I love how >>> little maintenance it needs, but I can't find any accounts of someone >>> actually managing to get close to line speed above 1 Gbe. >>> >>> I don't want to just buy expensive hardware and hope that it works. Has >>> anyone here been able to get close to 10 Gb/s networking with OpenBSD? I >>> don't need to be able to have more than a few pf-rules. >> >> There is a talk on YouTube about using a few OpenBSD boxes with 10gb, maybe >> this helps somewhat. https://www.youtube.com/watch?v=veqKM4bHesM > > 10Gb ports work fine, passing full 10Gb of traffic on those ports not so > much, and we're nowhere near passing 10Gb of small size packets. (the > limit is more to do with packets per second than speed). > > "do the upgrade to 10GbE" isn't specific enough as to what's needed to be > able to give much useful advice. > > > Is there anything non-technical that users can help with? I know donating hardware is one but I don't know if that's what is needed in this case? Aisha
OpenSMTP - Wrong user for Dovecot LMTP
Hi,

I just upgraded to 6.8 and the upgrade process has been super cool and simple :)

Unfortunately I seem to have hit some weird issue in OpenSMTPD where it has stopped delivering the mail using Dovecot's LMTP due to sending as the wrong user. osmtpd tries to send the mail as *_smtpd* even when configured to send as a different user *excision*.

Relevant parts of the error output from the command

    smtpd -dv -T stat -T lookup -T expand -T mproc -T rules

    debug: mda: got message fd 21 for session 27dfd8470fcf834f evpid 1140e2ecd415316b
    debug: mda: querying mda fd for session 27dfd8470fcf834f evpid 1140e2ecd415316b
    mproc: pony -> parent : 6168 IMSG_MDA_FORK
    debug: smtpd: forking mda for session 27dfd8470fcf834f: excision as _smtpd
    mproc: parent -> pony : 8 IMSG_MDA_FORK
    debug: mda: got mda fd 22 for session 27dfd8470fcf834f evpid 1140e2ecd415316b
    debug: smtpd: mda process done for session 27dfd8470fcf834f: exited abnormally
    debug: mda: io disconnected on session 27dfd8470fcf834f
    mproc: parent -> pony : 35 IMSG_MDA_DONE
    mproc: pony -> queue : 53 IMSG_MDA_DELIVERY_TEMPFAIL
    27dfd846f9575079 mda delivery evpid=1140e2ecd415316b from= to= rcpt= user=excision delay=2h10m40s result=TempFail stat=Error (temporary failure: "mail.lmtp: connect: Permission denied")
    debug: mda: session 27dfd8470fcf834f done
    mproc: pony -> control : 46 IMSG_STAT_DECREMENT
    debug: mda: user "excision" becomes runnable
    mproc: pony -> control : 45 IMSG_STAT_DECREMENT
    debug: mda: all done for user ":excision"
    mproc: pony -> control : 42 IMSG_STAT_DECREMENT
    mproc: queue -> control : 57 IMSG_STAT_INCREMENT
    ramstat: decrement: mda.envelope
    ramstat: mda.envelope (0xe29944762c1): 1 -> 0
    ramstat: decrement: mda.running
    ramstat: mda.running (0xe29d4a91c41): 1 -> 0
    ramstat: decrement: mda.user
    ramstat: mda.user (0xe298f729481): 1 -> 0
    mproc: queue -> control : 59 IMSG_STAT_INCREMENT
    mproc: queue -> scheduler : 441 IMSG_QUEUE_DELIVERY_TEMPFAIL
    ramstat: increment: queue.evpcache.load.hit
    mproc: scheduler -> control : 61 IMSG_STAT_INCREMENT
    ramstat: queue.evpcache.load.hit (0xe2a74f72f81): 111 -> 112
    mproc: scheduler -> control : 61 IMSG_STAT_DECREMENT
    ramstat: increment: queue.evpcache.update.hit
    ramstat: queue.evpcache.update.hit (0xe29d4a91c41): 52 -> 53
    ramstat: increment: scheduler.delivery.tempfail
    ramstat: scheduler.delivery.tempfail (0xe2a74f72981): 45 -> 46
    ramstat: decrement: scheduler.envelope.inflight
    ramstat: scheduler.envelope.inflight (0xe2a74f72281): 1 -> 0
    mproc: pony -> lka : 28 IMSG_GETNAMEINFO
    mproc: pony -> control : 46 IMSG_STAT_INCREMENT

This is happening as the lmtp socket only has minimal permissions

    srw-rw 1 excision excision 0B Oct 18 20:03 lmtp=

Relevant parts of my smtpd.conf

    ...
    action "dovecot-lmtp" \
        lmtp "/var/dovecot/lmtp" rcpt-to \
        virtual
    ...
    #
    # accept mail from outside sent to our
    # BUT not those who are coming for key-submission
    match from any \
        for domain \
        !rcpt-to \
        action "dovecot-lmtp"
    ...

Relevant parts of my virtuals table

    ai...@aisha.cc excision
    ...
    open...@aisha.cc ai...@aisha.cc
    ...

I've also attached the full files if needed and a larger log as well.
It's possible I've made some error, but then it was working until yesterday.

Current workaround: chmod 666 /var/dovecot/lmtp to allow the _smtpd user to also write to the socket. Very insecure, I know...
Hopefully, it is just me making a stupid error in the config :x

Thanks,
Aisha
Re: OpenSMTP - Wrong user for Dovecot LMTP
On 10/19/20 12:20 AM, Kastus Shchuka wrote:
> On Sun, Oct 18, 2020 at 08:55:16PM -0400, Aisha Tammy wrote:
>> Hi,
>> I just upgraded to 6.8 and the upgrade process has been super cool and simple :)
>> Unfortunately I seem to have hit some weird issue in OpenSMTPD where it has stopped delivering the mail using Dovecot's LMTP due to sending as the wrong user.
>> osmtpd tries to send the mail as *_smtpd* even when configured to send as a different user *excision*
>
> Could it be this change: https://marc.info/?t=15878902902&r=1&w=2 ?

Well damn... That would indeed cause this error.
I guess a simple fix would be to add _smtpd to the socket group or change the socket group to _smtpd.
Another fix would be to have the whole virtual user system also be done using _smtpd but I feel that keeping things with separate users is better.

Thanks a lot for the answer!
Aisha
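The group-based fix Aisha describes, written as a Dovecot master-service setting instead of a chmod on the live socket; this is an added example, not configuration from the thread or from Dovecot's shipped defaults. It assumes Dovecot 2.x with the OpenBSD socket path /var/dovecot/lmtp, the mailbox user `excision` and OpenSMTPD's delivery user/group `_smtpd` as named in the thread.

```conf
# Added example (not from the thread). Assumes Dovecot 2.x on OpenBSD,
# conf.d/10-master.conf, mailbox user "excision", OpenSMTPD mda user "_smtpd".

# Weak workaround from the thread: a world-writable socket.
#   chmod 666 /var/dovecot/lmtp
# Any local user or compromised service could then hand mail directly to
# LMTP, bypassing smtpd's rulesets and logging. It also does not survive
# a Dovecot restart, which recreates the socket with the configured mode.

# Corrected: keep the socket owned by the mailbox user, give the group to
# _smtpd (the user smtpd 6.8 forks the mda as), and allow owner and group
# only (0660, no "other" bits).
service lmtp {
  unix_listener lmtp {
    user  = excision
    group = _smtpd
    mode  = 0660
  }
}

# After reloading Dovecot, check with: ls -l /var/dovecot/lmtp
# The group should now be _smtpd and the mode should have no "other" bits.
```

The alternative Aisha mentions, adding _smtpd to the `excision` group, achieves the same access but widens what _smtpd can read elsewhere, so changing only the socket's group is the narrower grant.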
Re: OpenSMTP - Wrong user for Dovecot LMTP
On 10/19/20 1:18 PM, Chris Bennett wrote:
> On Mon, Oct 19, 2020 at 06:24:47AM -0400, Aisha Tammy wrote:
>> On 10/19/20 12:20 AM, Kastus Shchuka wrote:
>>> On Sun, Oct 18, 2020 at 08:55:16PM -0400, Aisha Tammy wrote:
>>>> Hi,
>>>> I just upgraded to 6.8 and the upgrade process has been super cool and simple :)
>>>> Unfortunately I seem to have hit some weird issue in OpenSMTPD where it has stopped delivering the mail using Dovecot's LMTP due to sending as the wrong user.
>>>> osmtpd tries to send the mail as *_smtpd* even when configured to send as a different user *excision*
>>>
>>> Could it be this change: https://marc.info/?t=15878902902&r=1&w=2 ?
>>
>> Well damn... That would indeed cause this error.
>> I guess a simple fix would be to add _smtpd to the socket group or change the socket group to _smtpd.
>> Another fix would be to have the whole virtual user system also be done using _smtpd but I feel that keeping things with separate users is better.
>>
>> Thanks a lot for the answer!
>> Aisha
>
> Are you using Maildir and IMAP from dovecot? I am.
> I've set up using vmail as the user for dovecot. Something similar to your virtual user files, except that I have three files: vdomains, vaddr and vusers.
> vusers has the table you are using, except moving to user vmail instead of excision, which doesn't matter.
> vdomains are the domains getting mail.
> vaddr are just the plain addresses used.
>
>     action a01 lmtp "/var/dovecot/lmtp" rcpt-to alias
>     action a02 lmtp "/var/dovecot/lmtp" rcpt-to virtual
>     match from any for local action a01
>     match from any for domain rcpt-to action a02
>
> This works really well. I'm also using PostgreSQL for the users, passwords and home folders for dovecot, which solves the upcoming removal of bsdauth in dovecot.
>
> However, unrelated, I'm having trouble setting up auth for sending. There are many conflicting examples which I can't sort out.
> I'll look over what you've posted to see if that can work for me. I have four mail domains on this server and I'm definitely missing some small piece of the puzzle.
>
> Regards,
> Chris Bennett

Yea, take a look at my config, it allows senders to send from any of their allowed aliases. Like no...@domain1.com has an alias anothern...@domain2.org. Then no...@domain1.com can both send and receive mails for anothernoob.
You have to create the virtuals table, and a reverse virtuals table, called in my config.
Though I don't use PostgreSQL or anything... I just cooked up a small homegrown scheme using openssh and passwd file format storage for users and passwords. Everyone supports that, don't think it's gonna be killed anytime soon :D

Aisha
List of files to remove for upgrade
Hi,

I'm wondering why the upgrade guide at https://www.openbsd.org/faq/upgrade68.html doesn't contain a longer list of files to remove.
Sysclean gives out a lot more names, but I haven't removed them yet cuz I trust the upgrade guide more as it is crosschecked by humans.
But was still curious why this is much smaller than 66->67.

Aisha
Re: panic "locking against myself"
On 11/29/20 7:09 PM, Ed Ahlsen-Girard wrote:
> I've had a couple of panics:
>
> mtx(something) (address)
> locking against myself
>
> in the last couple of days. The most recent address was 0x821c63c8
>
> How does this get tracked down? No core files from anything in the
> applicable time window. dmesg below signature.
>

Was fixed in the latest snapshot. During boot select bsd.rd and sysupgrade. Should be fine.
Re: OpenSMTPD and ldap+tls
On 12/1/20 1:31 AM, Martijn van Duren wrote:
> Hello,
>
> There is table_ldap in the opensmtpd-extras package, but I've never used
> it, it's undocumented and I've heard that the author sees it as a proof
> of concept only at this point. So no idea how far this will take you,
> but it's your best shot. :-)
>
> A quick look through the source shows me the following snippet of the
> config parser:
>
>         else if (!strcmp(key, "username"))
>                 read_value(&username, key, value);
>         else if (!strcmp(key, "password"))
>                 read_value(&password, key, value);
>         else if (!strcmp(key, "basedn"))
>                 read_value(&basedn, key, value);
>         else if (!strcmp(key, "alias_filter"))
>                 read_value(&queries[LDAP_ALIAS].filter, key, value);
>         else if (!strcmp(key, "alias_attributes")) {
>                 ldap_parse_attributes(&queries[LDAP_ALIAS],
>                     key, value, 1);
>         } else if (!strcmp(key, "credentials_filter"))
>                 read_value(&queries[LDAP_CREDENTIALS].filter, key,
>                     value);
>         else if (!strcmp(key, "credentials_attributes")) {
>                 ldap_parse_attributes(&queries[LDAP_CREDENTIALS],
>                     key, value, 2);
>         } else if (!strcmp(key, "domain_filter"))
>                 read_value(&queries[LDAP_DOMAIN].filter, key, value);
>         else if (!strcmp(key, "domain_attributes")) {
>                 ldap_parse_attributes(&queries[LDAP_DOMAIN],
>                     key, value, 1);
>         } else if (!strcmp(key, "userinfo_filter"))
>                 read_value(&queries[LDAP_USERINFO].filter, key,
>                     value);
>         else if (!strcmp(key, "userinfo_attributes")) {
>                 ldap_parse_attributes(&queries[LDAP_USERINFO],
>                     key, value, 3);
>         } else if (!strcmp(key, "mailaddr_filter"))
>                 read_value(&queries[LDAP_MAILADDR].filter, key,
>                     value);
>         else if (!strcmp(key, "mailaddr_attributes")) {
>
> Hope this works for you.
>
> martijn@
>
> On Tue, 2020-12-01 at 09:02 +0300, Родин Максим wrote:
>> Hello
>> Is there a way to make opensmtpd work
>> with ldap aliases over a secure connection?
>>
>> I do not know where to find working examples of this
>> My current /etc/mail/ldap.conf looks like this:
>>
>>     url                     ldap://ldap1.mydomain.ru
>>     basedn                  dc=mydomain,dc=ru
>>     username                cn=service,dc=mydomain,dc=ru
>>     password                passpasspass
>>
>>     domain_filter           (&(objectClass=domain)(dc=%s))
>>     domain_attributes       dc
>>
>>     credentials_filter      (&(objectClass=posixAccount)(uid=%s))
>>     credentials_attributes  uid,userPassword
>>
>>     userinfo_filter         (&(objectClass=posixAccount)(uid=%s))
>>     userinfo_attributes     uid,uidNumber,gidNumber,homeDirectory
>>
>>     alias_filter            (&(objectClass=nisMailAlias)(cn=%s))
>>     alias_attributes        rfc822MailMember
>>
>> ldapd daemon is set up on another host to work over tls and ssl and
>> working correctly.
>>
>> If I change url to ldaps://ldap1.mydomain.ru
>> or to ldap+tls://ldap1.mydomain.ru
>> then smtpd -dv shows:
>> """
>> vdomains[50952]: warn: ldap_parse_url fail
>> vdomains[50952]: warn: ldap_connect error
>> vdomains[50952]: fatal: failed to connect
>> """
>>

Is table-procexec a viable alternative? You can create shell wrappers to call ldap functions and then call the shell wrappers from procexec with the correct parameters.
This seems very possible, assuming table-procexec is usable. Last time I checked, procexec didn't have a lot of documentation.

Best,
Aisha
Making a portable version of imsg - where to find regression tests?
Hi,

I was trying to create a small standalone portable version of the imsg utilities for Linux and I managed to get it compiling (yea!!) and have put it on GitHub [1].
It is also working with trivial test cases that I manually generated.
For completeness, I was also trying to find regression tests for imsg but I couldn't find them in the source code (in fact, I couldn't find them for the whole of libutil; make regress just does nothing).
Could anyone point to where I should look for these regression tests (if they exist?)

Cheers,
Aisha

PS: thanks a lot to all of the creators of imsg :D

[1] https://github.com/bsd-ac/imsg-compat
Re: Making a portable version of imsg - where to find regression tests?
On 12/12/20 6:18 PM, Ingo Schwarze wrote:
> Hi Aisha,
>
> Aisha Tammy wrote on Sat, Dec 12, 2020 at 05:40:14PM -0500:
>
>> I was trying to create a small standalone portable version of the
>> imsg utilities for linux and I managed to get it compiling (yea!!)
>> and have put it on github [1].
>
> I freely admit i didn't look at that.
>
>> It is also working with trivial test cases that I manually generated.
>> For completeness, I was also trying to find regression tests for imsg
>> but I couldn't find them in the source code (in fact, couldn't find
>> them for whole of libutil, make regress just does nothing).
>
> OpenBSD never mixes regression tests into the main directories of the
> src tree. All regression tests are in /usr/src/regress/. In particular,
> those for libutil are in /usr/src/regress/lib/libutil/.
>
>> Could anyone point to where I should look for these regression tests
>
> If somebody wrote any regression tests for imsg, the place to put them
> would be /usr/src/regress/lib/libutil/imsg/.
>
>> (if they exist?)
>
> It doesn't appear there are any automated tests for imsg right now.
> Several parts of OpenBSD have regression tests, but not all have.
>
> Yours,
> Ingo
>

Awesome, thanks a lot Ingo :D That's very informative.

Cheers,
Aisha
Global IPv4 with ARP and wireguard peers
Hi all,

I'm trying to give my wireguard peer a global IPv4 and IPv6. The IPv6 is working fine, but the IPv4 doesn't work.

My VPS host (frantech) has provided me with two IPv4s, 198.98.53.194 (main IP through dhcp) and 198.98.61.217 which I can get on my vio0 interface with the configuration /etc/hostname.vio0:

    inet autoconf
    inet alias 198.98.61.217 255.255.255.0 198.98.61.1
    inet6 alias 2605:6400:10:c0::6942 48
    inet6 alias 2605:6400:819e::6942 48
    !route -n add -inet6 default 2605:6400:10::1

The above configuration works nicely if I want my VPS to get both the IPs. But I want the 198.98.61.217 to go to my wireguard peer. So I commented out the second line to get

    inet autoconf
    #inet alias 198.98.61.217 255.255.255.0 198.98.61.1
    inet6 alias 2605:6400:10:c0::6942 48
    inet6 alias 2605:6400:819e::6942 48
    !route -n add -inet6 default 2605:6400:10::1

and in my wireguard config I have /etc/hostname.wg0:

    inet 10.42.69.1 255.255.255.255 10.42.69.1
    inet6 alias 2605:6400:819e:4269:::4269 80
    mtu 1420
    wgkey
    wgport 6969
    wgpeer wgpsk wgaip 198.98.61.217/32 wgaip 2605:6400:819e:4269:::1/80
    up
    !route -n add -inet 198.98.61.217/32 -iface 10.42.69.1
    !route -n add -inet6 2605:6400:819e:4269:::/80 -iface 2605:6400:819e:4269:::4269

After starting both the interfaces and the wireguard interface on the peer, I am able to ping the peer's global IPv6 from a different VPS on vultr, but not the IPv4. I am able to ping the peer's IPv4 from the frantech VPS but I assume that is because I have a route set up.

So for this I tried adding an arp proxy entry, but that gives an error

    $ arp -n -s 198.98.61.217 $(ifconfig vio0 | grep lladdr | awk '{print $2; }') pub
    set: proxy entry exists for non 802 device

Now I tried to do weirder things, (1) I destroyed the wg0 interface, (2) added the arp entry, (3) deleted the arp entry, (4) started the wg0 interface - and now I can ping the IPv4 from outside!!! But this only stays for ~10-15 minutes and after which it again stops working??

    $ ifconfig wg0 destroy
    $ arp -n -s 198.98.61.217 $(ifconfig vio0 | grep lladdr | awk '{print $2; }') pub
    $ arp -n -d 198.98.61.217
    $ sh /etc/netstart wg0

Has anyone tried to get something like this to work? I don't get why it works for a while and then suddenly stops working!?
At least the fact that it is working for a while means it should be possible to do this but my networking knowledge falls short, maybe I'm missing something obvious, so I'd appreciate the help.

Thanks!
Aisha
Re: spamd IPv6 listener 6.9amd64
afaik spamd(8) does not support ipv6 (yet). I also do not know if there is any ongoing effort for ipv6 to be added.

On 5/12/21 9:24 AM, Martin wrote:
> Hi list,
>
> I can't find in spamd(8) how to enable IPv6 listener in addition to IPv4 one.
> Is it possible to set spamd(8) to listen on both IPv4 and IPv6?
>
> Martin
Re: Global IPv4 with ARP and wireguard peers
On 5/13/21 3:14 PM, Rafael Possamai wrote:
>> Has anyone tried to get something like this to work? I don't get why it works for a while and then suddenly stops working!?
>
> Not with hacky ARP entries. I'd see if Frantech can get you a routed /30 or /29 with your main v4 address as next hop.
> It's essentially the same thing with v6, they route a /48 to your v6 address after you set it to next hop in the routed subnet settings (and configure the VM with that v6 address).

Yes, that would've been nice. But turns out that the problem is on OpenBSD's end, as the same configuration works on Alpine.
Seems like openbsd.amsterdam has seen a similar issue - https://openbsd.amsterdam/known.html#Connectivity
Their solution to ping the gateway works for my case too, which is a better solution than adding/deleting ips/arp entries.
So it seems like this bug is still open.

Hope this helps some other person who comes looking :D

Aisha
Re: OpenSMTPd: Ignoring /etc/hosts file?
Has been reported previously - https://github.com/OpenSMTPD/OpenSMTPD/issues/1115
The link also contains a workaround which may be useful for you.

Best,
Aisha

On 9/12/21 5:28 PM, Simon Hoffmann wrote:
> Hey y'all,
>
> in my smtpd.conf file I have "relay smtps://host.domain.tld"
>
> host.domain.tld does resolve to a public IP, and this needs to be a public IP on public DNS.
> However, OpenSMTPd needs to relay to the local IP address of the smarthost.
> Since I have no DNS server running on that network, and I don't want to set up a DNS server only for OpenSMTPd, I added an entry to /etc/hosts, assigning the local IP to the FQDN.
> When I ping the FQDN it correctly resolves to the internal IP of the smarthost.
> However, OpenSMTPd ignores the entry in /etc/hosts and still tries to connect to the public IP of the host.
>
> Is this known that OpenSMTPd ignores /etc/hosts? Or is this a problem on Debian? Is there a workaround?
> Specifying "relay smtps://192.168.158.1" will not work, as the private IP is not part of the Cert.
> Can I force OpenSMTPd to use the internal IP? Can I disable Cert checking for the smarthost?
>
> Thanks!
>
> System details:
>
>     root@mx01:~# lsb_release -a
>     No LSB modules are available.
>     Distributor ID: Debian
>     Description:    Debian GNU/Linux 11 (bullseye)
>     Release:        11
>     Codename:       bullseye
>
>     root@mx01:~# smtpd -h
>     version: OpenSMTPD 6.8.0p2
>     usage: smtpd [-dFhnv] [-D macro=value] [-f file] [-P system] [-T trace]
>
>     root@mx01:~# cat /etc/network/interfaces
>     # This file describes the network interfaces available on your system
>     # and how to activate them. For more information, see interfaces(5).
>
>     source /etc/network/interfaces.d/*
>
>     # The loopback network interface
>     auto lo
>     iface lo inet loopback
>
>     # The primary network interface
>     allow-hotplug ens192
>     iface ens192 inet dhcp
>
> Any other info you need?
>
> Cheers,
> Simon