On Sat, 6 May 2017, Stuart Henderson wrote:
I've seen this once, but wasn't able to trigger it again.
Ditto, but under Gnome on Linux - CentOS 6.6.
Regards - Damian
Pacific Engineering Systems International, 277-279 Broadway, Glebe NSW 2037
Ph:+61-2-8571-0847 .. Fx:+61-2-9692-9623 | unsolici
STUB-ADDR (of unbound.conf): 127.0.0.1@PORT (fails)
---
I can run NSD on port 8053 on the interface 127.0.0.1 for a domain say
turkeys.com.au
I can then query that externally (with 'pf' doing an 'rdr' from some
external IP 'rdr'd to 'lo0'
Theo,
On Wed, 26 Jul 2017, Theo de Raadt wrote:
This is due to the socket pledge code, with SOCK_DNS. This area was
damaged during the transition to pledge, and hasn't been repaired.
I am not convinced it is. But I can always be proven wrong and often am.
I think my problem is purely an is
On Wed, 26 Jul 2017, Damian Haehlen wrote:
do-not-query-localhost: no
Damian - that fixed it.
Not that I have a clue what is going on there. The default interface is
127.0.0.1 so I am amazed that it gets into a list that you cannot query
by default.
Yet again - I was doing something wrong.
On Wed, 26 Jul 2017, Amelia A Lewis wrote:
do-not-query-localhost: no
That seems like one of those awkwardly-phrased directives.
The manual says that the default is to assume that
do-not-query-address: localhost
i.e. 'localhost' is added to the do-not-query-address list by default.
Hi,
For the first time ever, we have seen a crashing kernel. Having never
experienced this before on any OpenBSD release for over 20 years, I have
no debugging experience. We have simply reverted to 32bit to see if that
is the issue. The system works flawlessly with 6.3 in 32 bit mode but we
I have a L2TP NPPPD server machine with IP $L2TP sitting behind an OpenBSD
firewall, say FIRET. 'T' for temporary because it will move. $L2TP is an
externally routable IP. $Ext, the external interface of FIRET, allows
traffic into $L2TP. A snippet of pf.conf is
begin snippet-0
ipsecIN =
I changed /etc/ipsec.conf to have 'ike' reflect the external IP
ike passive esp transport \
proto udp from $L2TPX to any port 1701 \
main auth "hmac-sha1" enc "aes" group modp2048 \
quick auth "hmac-sha1" enc "aes" group modp2048 \
psk "MYSECRET"
and restarted i
On Mon, 14 Oct 2019, Stefan Sperling wrote:
On Mon, Oct 14, 2019 at 05:55:58PM +1100, Damian McGuckin wrote:
Because I had a working L2TP server setup on $L2TP, I was not going to
go into its pf.conf, ipsec.conf, or anything else. But here is npppd.conf
ike passive esp transport
On Wed, 16 Oct 2019, Stuart Henderson wrote:
I would strongly recommend switching to IKEv2 if you can, it is far
easier to come up with a config that still gives decent crypto with
mixed client platforms. (Internal client on Apple OS and non-ancient
Windows - strongswan on Android/Linux).
I d
Has anybody created rules such as this and if so, do you have an example?
Stay safe - Damian
Pacific Engineering Systems International, 277-279 Broadway, Glebe NSW 2037
Ph:+61-2-8571-0847 .. Fx:+61-2-9692-9623 | unsolicited email not wanted here
Views & opinions here are mine and not those of
What is required please?
I am trying to boot this bsd.rd (which is a file 4Mb big) on an old
NET5500 which has 512MBytes of RAM. On a running system,
From the
boot>
prompt, doing
boot> boot bsd.rd
it appears to load bsd.rd, but then drops straight back into the BIOS
a
Happy apu2 & apu4 user here.
Ditto.
Are there other OpenBSD friendly options?
Same question but qualifying that to add FANLESS and RACKMOUNT.
I am thinking of trying an Intel Ruggest NUC for some scenarios but at
best, they have dual RJ45 ethernets.
Thanks - Damian
On Thu, 4 May 2023, Maksim Rodin wrote:
Is there any problem with fanless x86_64 mini PCs with several NICs,
sold on aliexpress?
Maybe, or give up on the rackmount and buy the R86S, as in
https://www.aliexpress.com/i/1005004765507664.html
An alternative is to buy 3 APU4s now 3 to cov
On Thu, 4 May 2023, Stefan Sperling wrote:
The edgerouter 6p works with OpenBSD/octeon and has a rackmount bracket.
Wow. And it has a serial port with an RJ45 connector. Hopefully the RS232
pinouts are nicely documented somewhere. Cannot seem to find those details
right now.
I wonder whether
I will try and summarize the replies succinctly. As Stuart mentioned, by
wanting fanless AND rackmount, I was certainly limiting my choices.
Thanks - Damian
Is anybody using this configuration, i.e. not OpenSMTPD?
Regards - Damian
Can you mix the use of 'isakmpd.conf' and 'ipsec.conf'?
I currently use the former for port 500 stuff. We use both predefined
network-to-networks IPSec links with PreShared Secrets and also dynamic,
i.e. negotiated, network-to-network links. The thought of figuring out how
to do both with IPSe
Hi Stuart,
On Mon, 28 Nov 2016, Stuart Henderson wrote:
ipsec.conf isn't required for this (or anything that you can do with
ipsec.conf; though not all of it is documented in the isakmpd.conf
manual, i.e. NAT-ID).
With the kind help of 'mxb' with a Swedish email address, I learned that.
Min
Hi Stuart,
On Mon, 28 Nov 2016, Stuart Henderson wrote:
For completeness of description, for the latter I use
ike passive esp transport \
proto udp from egress to any port 1701 \
main auth "hmac-sha1" enc "3des" group modp1024 \
quick aut
Robert,
On Mon, 5 Dec 2016, Robert Szasz wrote:
I'm testing with the following setup
Win10 ->obsd5.9(firewall doing nat)->{}->obsd5.9(IPSEC)
Do you mean?
Win10 ->obsd5.9(firewall doing nat)->{INTERNET}->obsd5.9(IPSEC)
The connection process fails at stage 2 with the error message b
On Tue, 6 Dec 2016, Robert Szasz wrote:
I'll try it, but that would be a problem if I have to add the local
address for any machine that wants to connect. I assume there is a way
to work through NAT because picked up nat-t and works for phase 1. I was
hoping I had just missed a parameter in th
While everybody is talking about hardware, I noticed that some of you
have flicked your Soekris Net 5501 boards.
We are upgrading from 20Mbps links to 100Mbps links and as a result of
this discussion, I am wondering whether it would be a wise move on our part
to consider replacing them. Rock sol
I apologise if it has already been said but we have heaps of clients with
Office 365 where Microsoft do not control the DNS. The client does but you
need special TXT records. Then again, none are charities with that special
$1/month/user deal.
Regards - Damian
To answer some of my own questions, and after wise guidance from the list,
I have noticed that all our firewall hardware using 'vr' ethernet ports
hit a wall somewhere between 65Mbps->69Mbps. This is the case with the
Geodes in a net5501 and various VIA x86 CPUs in VIA embedded systems,
I am t
Not that I can help but I can confirm that problem.
On Tue, 10 Jan 2017, Steve Williams wrote:
The BIOS prompts work fine, I get the "boot>" prompt in OpenBSD, but right
after the "entry point" line prints out, the system reboots.
Yes. I have seen this 3 times on a fit-PC4 Eco which is an AMD
On Tue, 10 Jan 2017, Raf Czlonka wrote:
Anyway, the box is running live now so I cannot reboot for a while to get
the 'dmesg'. Sorry.
Try /var/run/dmesg.boot
You would think so. But:
No such file or directory
I am not getting senile - yet. That's next year's project.
Regards - Dam
With the advent of NSD which in normal operations would be configured to
not even use port 53, and a dilemma (noted below), I had a need to try and
query NSD directly on a port other than port 53.
I could not do such tests from an OpenBSD machine because in 6.0, the port
command on 'nslookup'
On Mon, 16 Jan 2017, Stuart Henderson wrote:
In normal operations NSD _does_ run on port 53.
Yes. But if you want both NSD and UNBOUND running on the same box, things
need to change.
Prior to the change to make -p an error, but after the dns pledge was
added, -p was allowed but ignored with
On Mon, 16 Jan 2017, Sebastien Marie wrote:
On my OpenBSD 5.1 system, '-p' was still allowed, and it had a pledge list
of "stdio dns". When 'rpath' was added to the pledge list, it was at this
time at which '-p' was effectively disabled.
The implementation of "dns" promise has been refined wit
On Mon, 16 Jan 2017, Theo de Raadt wrote:
There's a small piece some people have missed. pledge doesn't
block port 53. It is blocked unless you use SOCK_DNS. That was
a step taken to separate "hostname/dns lookup" pieces of code from
"internet speaking" pieces of code. That step allowed pledge
On Mon, 16 Jan 2017, Stuart Henderson wrote:
On 2017/01/16 15:37, Damian McGuckin wrote:
On Mon, 16 Jan 2017, Stuart Henderson wrote:
In normal operations NSD _does_ run on port 53.
Yes. But if you want both NSD and UNBOUND running on the same box, things
need to change.
Not necessarily
Sorry, lots of good ideas got thrown up while I was asleep.
On Mon, 16 Jan 2017, Stuart Henderson wrote:
In that case, unbound bound to an internal address, and NSD not bound to a
specific address, or bound to external and 127.0.0.1.
I did the last of these. Which still needs 'rdr-to' on the
On Mon, 16 Jan 2017, Nick Holland wrote:
So. You can run a recursive resolver, an authoritative server, and a few
(or a lot) selectively poisoned forwarding resolvers (for DNS
filtering), each on their own 127/8 address, and use PF or unbound to
select which one a particular user gets access t
What is the recommended most portable way to force memory alignment for a
datum of any type, assuming one has a pointer say
char *x
I currently use something like
char *xany = aligntonext(x, sizeof(long))
where I use my own function 'aligntonext' which is defined below and I
On Sat, 28 Jan 2017, Kyoung Jae Seo wrote:
Maybe posix_memalign(3) is API you are looking for.
No. This allocates memory.
I already have the buffer. I am trying to use space within it.
Regards - Damian
Theo, Stuart, +
On Mon, 20 Feb 2017, Theo de Raadt wrote:
It replaces optimised(?) .S versions of memcpy with the shared C
code that contains the test & syslog_r & abort.
There's got to be a performance cost, not using the .S versions.
What is the average size of the copy please?
Years
Maybe we need a list of recommended serial port add-on cards although the
thrust of others' arguments is to simply buy a good USB->serial adapter.
I just bought a little VIA box with serial ports which I hope will act as
a nice way to connect to the consoles of my ALIX boxes which will arrive in
t
On Tue, 7 Mar 2017, Ingo Schwarze wrote:
Regarding your task at hand:
If you want to run MS Word, your best bet is running MS Windows.
If you want to run binary-only Linux software, your best bet is
running Linux. Ideally, on dedicated hardware that is not
connected to the Internet.
We use O
On Tue, 7 Mar 2017, Stefan Wollny wrote:
Yes - I will (again) contact SoftMaker trying to persuade them to
provide an OpenBSD-version of their office suite. But they seem to have
none with some decent Unix/OpenBSD-knowledge, just Linux. Sigh...
I would buy SoftMaker on OpenBSD.
Regards - Dami
Has anybody achieved an installation of OpenBSD on this yet please?
Just curious whether it is worth the effort to try.
Regards - Damian
On Sun, 23 Apr 2017, Jonathan Gray wrote:
http://man.openbsd.org/printf.9
Is the use of '%b' an addressing-out-of-bounds bug waiting to happen or is
there some sort of inbuilt protection that I cannot see?
Regards - Damian
On Tue, 25 Apr 2017, Marc Espie wrote:
On Thu, Apr 20, 2017 at 11:14:24PM +0200, Heiko wrote:
Thank you for the info. So you expect a lower time in future.
If we eventually remove gcc 4.2.1, yes, the time will go down from
clang+gcc to clang without gcc :)
Apparently, it seems that lld might