Hi folks,
the upgrade guide claims
A detailed cleanup can be done with the aid of the sysclean package.
sysclean lists 4180 files and directories on my home server, including mail
directories, config files of various external packages, generated files, .git
directories, etc. A lot of st
On 2022-04-20 21:25:49, Ryan Kavanagh wrote:
On Wed, Apr 20, 2022 at 08:39:09PM +0200, Harald Dunkel wrote:
sysclean lists 4180 files and directories on my home server
Could you please elaborate how sysclean is going to help me to keep my
openbsd hosts clean? How is the usage model of this
Hi folks,
I think the main problem is pretty easy to describe: OpenBSD loses track
about what it had installed and cannot clean up its own files on a system
upgrade.
Regards
Harri
Hi folks,
would it be possible to add some kind of "fast reboot" to OpenBSD?
* shutdown all userspace
* run boot, using the old kernel to load a new one
* start init again
The "traditional" reboot gives me a downtime of 2 to 3 minutes on
some hosts, before the boot promp
Hi folks,
I've got >20 wgpeer entries in hostname.wg0 on my VPN gateway (OpenBSD
7.5), each for a road-warrior laptop running Linux, MacOS or Windows.
After removing 3 peers on the command line last Thursday (using
ifconfig wg0 -wgpeer 9AQR8zfadzA+fF5UsRCLNHd6Ljs=
for each) some
I would recommend to allocate up to 90% of your SSD in fdisk,
ignore the remaining 10% and don't worry about it again. The
10% should give the SSD firmware sufficient free space for
wear leveling.
Regards
Harri
Hi folks,
I've got a configuration issue with Raidframe: Our
gateway/firewall runs a raid1 for the system disk.
No swap partition.
Recently one of the raid disks (wd0) showed some
problem:
Aug 2 17:22:35 fw01 /bsd: wd0(pciide0:0:0): timeout
Aug 2 17:53:52 fw01 /bsd: type: ata
Aug 2 17:5
Ariane van der Steldt wrote:
Your best bet is to replace the disk. 30 minutes wait time seems a bit
odd though. I have a similar situation where one disk is having
problems, requiring the disk to restart, but that only takes approx. a
minute. You can mark the disk as bad and replace it before th
nothingness wrote:
Presumably this was after a reboot? If so, the trick is to move the
'raidctl -P all' line from /etc/rc to /etc/rc.local and add a '&' so it
runs as a background process.
There was no reboot involved. Before this event the machine was
running for weeks, and it is still runn
Ariane van der Steldt wrote:
On Thu, Aug 07, 2008 at 11:41:59AM +0200, Harald Dunkel wrote:
Ariane van der Steldt wrote:
Your best bet is to replace the disk. 30 minutes wait time seems a bit
odd though. I have a similar situation where one disk is having
problems, requiring the disk to
Stuart Henderson wrote:
With IDE (Integrated Drive Electronics), the controller is *on the
drive*. A failing drive/controller can do all sorts of nasty things
to the host system.
So you mean I should not use IDE disks (PATA or SATA), because
Raidframe cannot support a failsafe operation with
Hi Nick,
I highly appreciate your detailed report about your experiences
with RAID systems. That was cool. Surely I don't expect any
miracles from RAID anymore.
The current plan is to move to a ramdisk based system to get rid
of disk access afap, and to use carp to setup a fallback host.
Logging
Hi Ryan,
These links might help:
http://www.kernel-panic.it/openbsd/vpn/vpn3.html#vpn-3.4
http://www.openbsd.org/cgi-bin/man.cgi?query=enc
Good luck
Harri
Marco Fretz wrote:
Bridges are layer 2, carp is layer 3 (it shares IP addresses). So carp
can not handle this by its nature I think. Just place both bridges
in your LAN and you have your fail-over solution.
Packet Filter still does stateful inspection, even in bridging mode,
AFAIK. So bot
Check the pfsync man page about how pfsync and carp are related
in a failover scenario.
Henning Brauer wrote:
* Harald Dunkel <[EMAIL PROTECTED]> [2008-08-20 09:43]:
Marco Fretz wrote:
Bridges are layer 2, carp is layer 3 (it shares IP addresses). So carp
can not handle this by its na
Hi folks,
Question: How can I make sure that "em2" doesn't become "em0"
if my dual-port NIC dies? This would be fatal for my firewall
setup. At least the antispoof rules _must_ be bound to the
network devices.
Of course I could buy different hardware for the external and
internal network interfa
Hi Jared,
jared r r spiegel wrote:
On Fri, Aug 22, 2008 at 04:16:38PM +0200, Harald Dunkel wrote:
Hi folks,
Question: How can I make sure that "em2" doesn't become "em0"
if my dual-port NIC dies? This would be fatal for my firewall
setup. At least the antispoof rul
PS: Below is the code, if anybody is interested. Should be run
before /etc/netstart. To use it you should create a file
/etc/ifconfig.xx:xx:xx:xx:xx:xx
for each network device ("xx:xx:xx:xx:xx:xx" is the MAC
address). Each line is run with
ifconfig if $line
Here is a sample
Harri
===
Henning Brauer wrote:
* Harald Dunkel <[EMAIL PROTECTED]> [2008-08-22 16:33]:
Question: How can I make sure that "em2" doesn't become "em0"
if my dual-port NIC dies?
<[EMAIL PROTECTED]> $ dmesg | grep '^em0'
em0 at pci5 dev 0 function 0 "I
Hi folks,
Are the more recent 3ware raid controllers supported, e.g.
the 3Ware 9650SE series? It's not mentioned on the compatibility
list or in the current man page, but maybe (hopefully) it is out
of date?
Regards
Harri
Hi folks,
Short question: Is there some magic in /etc/boot.conf I could
use to reset the terminal before booting?
Here is the problem:
AFAICS the BIOS in my Supermicro board switches to black chars
on a black background before disabling console redirection and
handing off control to the OpenBSD
Hi folks,
Harald Dunkel wrote:
>
> Question: How can I make sure that "em2" doesn't become "em0"
> if my dual-port NIC dies? This would be fatal for my firewall
> setup. At least the antispoof rules _must_ be bound to the
> network devices.
>
S
Peter N. M. Hansteen wrote:
> Harald Dunkel <[EMAIL PROTECTED]> writes:
>
>> Sorry to wake this thread up again, but this problem is a severe
>> security risk. IMHO it is unacceptable that a hardware failure on
>> one NIC of a firewall can put the whole networ
Jussi Peltola wrote:
> I see no problem in setting interface groups based on mac address.
>
> You should be able to hack a suitable script to do that in a few
> minutes.
>
AFAICS brconfig does not support group names.
Regards
Harri
Hi Theo,
Theo de Raadt wrote:
>> This appears to be a fairly simple change. Does it sound reasonable to
>> people with more knowledge of OpenBSD networking?
>
> No, it is not reasonable. You are inventing problems at a very high
> level just because some very low level pci-related bug is making
Me too. I couldn't grab the screen output yet, but AFAICS the trace
looks the same as in Don's EMail. I could reproduce this on
2 machines. Both work fine with 4.2 (amd64).
Hardware is a Tyan Tomcat H1000S main board, Dual-Core Opteron
(1.8 GHz), 2 GByte RAM.
I could reproduce it with /bsd and /b
PS: Disabling ACPI in the bios didn't work for me. But if I disable
acpi in UKC, then the kernel boots fine (AFAICS).
Surely just a workaround.
Regards
Harri
Hi folks,
I haven't seen this mentioned on the mailing list, and
the man page doesn't tell, either, so hopefully it is
allowed to ask:
Does pciide support hot-swapping hard disks? (I've got a
ServerWorks HT-1000 SATA2 controller and the appropriate
disks.)
Regards
Harri
Maybe VirtualBox-OSE is an option? It explicitly mentions OpenBSD on the
list of supported guests: http://www.virtualbox.org/wiki/Guest_OSes .
Good luck
Harri
GVG GVG wrote:
Dear group,
I would like to assign more than 1 static IPs on the same NIC in order to
bind more than one services on port 443! Is that possible?
I used 'alias' for that but didn't work! Once I bind a service on port 443
for the first static IP then this port is also 'taken' for t
I know the man page for openssl is huge, but the man page for
isakmpd has some nice description about how to setup a local
CA. Maybe this helps as a starting point?
Good luck
Harri
Paul Irofti wrote:
Do the CLI SIP Phone! I wanted to code that for so long, but the SIP
protocol and its friends tend to go so far as time just wasn't enough.
But it would be pretty cool to have that.
http://www.pjsip.org/pjsua.htm ?
Regards
Harri
Hi folks,
I am trying to setup an IPsec connection between OpenBSD
and WindowsXP (NCP IPsec client). ipsec.conf is just a
single line:
ike passive esp from 192.168.5.1 to 192.168.1.249
(192.168.1.249 is the Windows PC.)
Phase I seems to work, but in Phase II isakmpd complains:
Jun 27
Hi Prabhu,
I do get a connection for
ike passive esp from 192.168.5.0/31 to 192.168.1.249
but not for
ike passive esp from 192.168.5.1 to 192.168.1.249
(192.168.1.249 is the remote Windows laptop running NCP IPsec client.)
So I doubt that this is a problem of aes vs 3des. AFA
Mitja Muženih wrote:
It is not a problem within isakmpd, it will accept IPV4_ADDR_SUBNET of size
/32.
As I already explained to you in a private mail, ipsecctl will export both
192.168.1.249 and 192.168.1.249/32 into IPV4_ADDR=192.168.1.249 while your
windows client is sending IPV4_ADDR_SUBNET
PS: If I don't define any remote networks in NCP client, then it tries
to send all ip traffic via esp to the OpenBSD gateway, but isakmpd
whoes:
responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id
c0a801f9: 192.168.1.249, responder id /: 0.0.0.0/0.0.0.0
Hi folks,
Tinyca allows to export a chain of CA certificates within
one file, but it took me quite some time to recognize that
isakmpd can't handle this. Or can it?
Regards
Harri
Hi folks,
I tried todays installer CD of 4.7. Installation went fine, except
for one problem: It failed to initialize the 1.4 TByte data partition,
and on the first reboot it complained about a file system problem and
entered single user mode.
Surely
On 03/11/10 21:18, Tomas Bodzar wrote:
> No one canceled RTFM and UTFG
>
> http://www.openbsd.org/faq/faq14.html#LargeDrive
>
I am not talking about the boot partition, but about a data partition
set up at install time.
Not to mention that OpenBSD
On 03/11/10 22:49, Stuart Henderson wrote:
> On 2010-03-11, Harald Dunkel wrote:
>>
>> I am not talking about the boot partition, but about a data partition
>> set up at install time.
>>
>> Not to mention that O
Hi folks,
my IP provider doesn't support IPv6 yet. What is the
recommended Packet Filter setup on an OpenBSD 4.8 gateway
for this scenario? How do I make sure in pf that this
"ICMPv6 Neighbor solicitation" thing works correctly?
Do I have to handle the "ipv6-where" and "ipv6-here"
icmp types (IPv4
Hi Paul,
On 02/10/11 11:22, Paul de Weerd wrote:
> Hi Harald,
>
>
> What are you trying to achieve ? You mention your provider doesn't
> support IPv6 yet but want to make sure neighbour solicitation works ?
> Why do you want to support neighbour discovery when your ISP doesn't
> do IPv6 ?
>
Hi folks,
what would be the correct way to define network aliases
on a carp interface? Currently I have the code below, but
I see some packet filter problems around route-to that
might be related to a misconfigured carp interface.
em1:
inet 172.12.96.5 255.255.252.0 NONE
inet alias 172.12.
Hi Henning,
On 02/17/11 17:37, Henning Brauer wrote:
>
> your way to configure aliases is correct, however, the masks are not.
> you are screwing up routing. you want an all-ones netmask on each and
> every IP address except one per subnet. alas you
On 02/17/11 23:13, Daniel Ouellet wrote:
>
> Think about it that way may be.
>
> You want an alias IP's, not an alias subnet, so how do you enter a single IP?
> With a /32 subnet.
>
Actually I _do_ want to have alias subnets, as written before:
>
Hi folks,
On 02/18/11 03:43, Dan Harnett wrote:
>
> IMHO, it would be better to use a new carp device for each alias. The
> routes will be created and destroyed properly with the status change of
> each carp device.
>
I tried this together with He
Hi folks,
How come all group names set in /etc/hostname.tun0 get lost
(except for "tun", as it seems), if using OpenVPN on this interface?
What would you suggest to keep the defined group names?
Any helpful comment would be highly appreciated.
Hi folks,
pf.conf(5) says
In the example below, packets bound for one specific server, as well as
those generated by the sysadmins are not proxied; all other connections
are.
match in on $int_if proto { tcp, udp } from any to any port 80 \
rdr-to 127.0.0.1
On 01/18/11 19:06, Henning Brauer wrote:
>> Harald Dunkel wrote on Tue, Jan 18, 2011 at 04:41:39PM +0100:
>>
>>> pf.conf(5) says
>>>
>>> In the example below, packets bound for one specific server, as well as
>>> those generated by the
Hi folks,
In the example for the rdr-to and nat-to combination in
the pf FAQs it seems that the http traffic is redirected
back through the incoming interface:
pass in on $int_if proto tcp from $int_net to $ext_if port 80 \
rdr-to $server
pass out on $int_if proto tcp to $server port 80 \
Hi folks,
are the rdr-to and nat-to options in "pass" rules as sticky
as for "match" rules?
Sample:
pass in on $ext_if from any to 1.2.3.0/24 port 80 tag MYTAG rdr-to $host_a
pass in on $ext_if from any to 1.2.3.42 port 80
AFAIU traffic to 1.2.3.42 port 80 would be tagged with "MYTAG".
Would i
On 01/20/11 12:39, Henning Brauer wrote:
> * Harald Dunkel [2011-01-20 11:55]:
>
>> Of course I checked the man page, but it didn't tell.
>
> blasphemia. of course it does.
>
> match
>The packet is matched. This mechanism is used to p
Hi Wes,
On 01/20/11 12:27, OpenBSD Geek wrote:
> Hi,
>
> I use OpenBSD 4.7, and so Sendmail MTA 8.14.3
> I enabled TLS using good manpages : starttls. It's ok.
> But now, i want to enable AUTH for smtp.
> How can i achieve that ?
> Thank you very much.
>
Maybe this helps:
http://www.dsrw.org/~
Hi folks,
Problem: For rotating pflog log files I need the PID
of the appropriate pflogd. For 4.3 I could rely
upon "pflogd -p pflogd4.pid", but for 4.8 the -p
is not allowed anymore :-(. The man page still points
to newsyslog, but that's all.
Of course this can be solved by messing around
with pg
On 01/27/11 14:01, Otto Moerbeek wrote:
>
> -p is prone to race conditions.
A race condition on writing a pid file in main()?
It would be very interesting to get more details
about this.
Regards
Harri
On 01/27/11 15:37, Otto Moerbeek wrote:
>
> in general, when things go wrong, a pid file might remain. That file
> does not reflect the pid of a pflogd daemon. You might be sending a
> HUP to the wrong process. A race condition occurs when pflogd is
> restarted, and in the meantime a process reads
Hi folks,
If I add "antispoof quick for self" to my pf.conf to enable
antispoofing on all interfaces, then I get these additional
rules:
block drop in quick on ! self inet from <__automatic_3df3184e_0> to any
block drop in quick on ! self inet6 from ::1 to any
block drop in quick inet6 from ::1 t
Hi folks,
from a previous thread on this list I learned that
"keep state (no-sync)" should be added to all rules
concerning either a local service or local client
running on the gateway itself.
Esp. when you do nat this becomes pretty error-prone.
It's easy to forget.
AFAICS something like
Hi folks,
is there some hidden feature to tell iked to show the proposals of both peers
in the log file, esp if phase 1 or 2 fails with "no proposal chosen"? That would
help a lot.
By now I have tried iked -d -v -v -v in vain.
Thank you very much
Harri
[58866]: spi=0x025c1289fdf74141: sa_free: no
proposal chosen (IKE SA)
For -v -v -v it gets more verbose, but only if you actually use these flags and
don't forget to restart iked. Sorry, my bad.
From: Tobias Heider
Sent: Monday, January 6, 2025 23:40