Re: OpenBGPD traps and triggers

2016-06-30 Thread Marco Prause
Hi Bill,

I don't know if you saw some lines in the logfile concerning this. But if you
did, maybe you can use logfmon or something like this for alerting?

Marco

On 30 June 2016 20:30:25 CEST, Bill Buhler wrote:
>Hi,
>
>I've been through the man pages a couple of times and am not seeing what I'm
>looking for. I have a couple of OpenBSD machines running BGP sessions with
>my ISPs. Yesterday one of the IPv6 sessions went down and I didn't notice
>for quite a while..
>
>This got me looking for some kind of trigger / trap that would automatically
>alert me if a BGP session went down, or was flapping. I couldn't see any
>provision in the man page to execute an external script, and no mention of
>SNMP. So is there such a feature I missed?
>
>In the short term I hacked together a cron job that parses the output of:
>bgpctl show status terse to send me email alerts, but I'd prefer to not be
>depending on polling if at all possible.
>
>Thanks,
>
>Bill Buhler



Re: Question about NTP server

2016-06-30 Thread Zé Loff
> On 30/06/2016, at 20:30, Martin Schröder  wrote:
>
> 2016-06-30 21:24 GMT+02:00 Leonardo Santagostini :
>> 1) Is there some calculus for making those ntp boxes efficient in terms of
>> not overstate (sorry, but English is not my mother tongue) or right size
>> the hardware.
>
> A Raspberry Pi would suffice (but it's not supported by OpenBSD).
> Any old server you have lying around will be more than enough.

Not too old, though. I've had problems with clocks in aging hardware (e.g. a
Pentium II machine about 5 years ago) starting to drift so bad that not even
NTP could keep them in sync. That being said, prices drop fast enough so that
you can find fairly recent machines at very low prices.

>
>> 2) I'm wondering also to set up these boxes virtualized using KVM. I know
>> that using RTC it's a real pain in the ass, but maybe you can give me some
>> advice for this config.
>
> Don't virtualize your ntp servers.
>
> Best
>   Martin



Re: DNS lookup utility with port

2016-06-30 Thread Kapetanakis Giannis

On 30/06/16 21:11, Alexander Hall wrote:

> I guess you could play some games with pf(4) for a single occasion:
>
> # ifconfig lo0 127.0.0.2 alias
>
> # in pf.conf:
> set skip on none
> pass on lo
> pass on lo0 from any to 127.0.0.2 port 53 rdr-to 127.0.0.2 port 5678
>
> (and maybe sth more I might be missing)
>
> /Alexander


You can also tell the server running on 127.0.0.1:5678 to also listen on
127.0.0.2:53 since it's free, but I don't want to go that path.
dig (drill) as well also missing other stuff as well so best option is
to install a more recent version of dig.


G



Re: Question about NTP server

2016-06-30 Thread Martin Schröder
2016-06-30 21:24 GMT+02:00 Leonardo Santagostini :
> 1) Is there some calculus for making those ntp boxes efficient in terms of
> not overstate (sorry, but English is not my mother tongue) or right size
> the hardware.

A Raspberry Pi would suffice (but it's not supported by OpenBSD).
Any old server you have lying around will be more than enough.

> 2) I'm wondering also to set up these boxes virtualized using KVM. I know
> that using RTC it's a real pain in the ass, but maybe you can give me some
> advice for this config.

Don't virtualize your ntp servers.

Best
   Martin



Question about NTP server

2016-06-30 Thread Leonardo Santagostini
Hi @misc, I am about to mount 4 ntp servers.

Main goal is to serve approximately 300 servers and 300 hundreds workstations

Servers are located at one datacenter and office in other place. I have a
couple of doubts for asking to you.

1) Is there some calculus for making those ntp boxes efficient in terms of
not overstate (sorry, but English is not my mother tongue) or right size
the hardware.
2) I'm wondering also to set up these boxes virtualized using KVM. I know
that using RTC it's a real pain in the ass, but maybe you can give me some
advice for this config.

Thank you all,

Best regards/Saludos.-
Leonardo Santagostini





Re: httpd. chroot, security and user homepage

2016-06-30 Thread Alexander Hall
On Thu, Jun 30, 2016 at 08:21:12PM +0200, Johan Tärnklint wrote:
> Ok thank you.
> 
> If I understood you right here is what I have done
> 
> From my user.
> 
> ls -all

(second 'l' is excessive)

> 
> lrwxr-xr-x  1 root   empty   27 Jun 30 20:11 domain1 -> /var/www/users/domain1
> lrwxr-xr-x  1 root   empty   24 Jun 30 20:11 domain2 -> /var/www/users/domain2
> 
> From root
> 
> #/var/www/users/
> # ls -all
> total 16
> drwxr-xr-x   4 root   daemon  512 Jun 30 20:09 .
> drwxr-xr-x  10 root   daemon  512 Jun 30 20:09 ..
> drwxr-x---   3 empty  www 512 Jun 30 20:12 domain1
> drwxr-x---   3 empty  www 512 Jun 30 20:09 domain2
> 
> There it is. Works just fine. Permissions are correct and secure(I hope)

Assuming your user is called 'empty' and the ownership and permissions
on files in the domain* directories follow the same pattern as the
directories, I'd say so.

> 
> Johan
> 
> 
> > On 30 June 2016 at 19:54, Alexander Hall wrote:
> >
> > On Wed, Jun 29, 2016 at 09:37:36PM +0200, Stefan Sperling wrote:
> >> On Wed, Jun 29, 2016 at 08:15:35PM +0200, Johan Tärnklint wrote:
> >>> Seeking advice / security tips.
> >>>
> >>> Is it safe to create /var/www/htdocs/user1 and symlink to their home
> >>> folder?
> >>>
> >>> Then set permissions to user1:www on /var/www/htdocs/user1 ?
> >>>
> >>> Does it break the chroot? Is it safe? Better solution?
> >>
> >> It won't work. httpd in chroot cannot read files outside of /var/www,
> >> so it cannot access /home/user1.
> >>
> >> Allowing web access to the full home directory of a user is not a good
> >> idea anyway. There are configuration files in there, some of which may
> >> contain sensitive information. Users may make errors while configuring
> >> permissions for sensitive files, accidentally exposing private
> >> information.
> >>
> >> Instead, you could do it the other way around: Create a symlink in the
> >> user's home dir which points to the user's dir in /var/www:
> >>
> >>  /home/user1/public_html -> /var/www/htdocs/user1
> >>
> >> Now users can place files they want to expose to the web into
> >> ~/public_html
> >> and the web server will be able to read them.
> >>
> >
> > I'm not entirely sure you guys are describing different things. :-)
> >
> > - Actual directory somewhere under /var/www, writable by $USER
> > - Symlink as whatever (public_html, www, ...) in $HOME/, pointing at
> >  above directory
> >
> > If the actual directory is within the chroot, it certainly won't break
> > no matter how many symlinks you point at it.
> >
> > /Alexander



OpenBGPD traps and triggers

2016-06-30 Thread Bill Buhler
Hi,

I've been through the man pages a couple of times and am not seeing what I'm
looking for. I have a couple of OpenBSD machines running BGP sessions with
my ISPs. Yesterday one of the IPv6 sessions went down and I didn't notice
for quite a while..

This got me looking for some kind of trigger / trap that would automatically
alert me if a BGP session went down, or was flapping. I couldn't see any
provision in the man page to execute an external script, and no mention of
SNMP. So is there such a feature I missed?

In the short term I hacked together a cron job that parses the output of:
bgpctl show status terse to send me email alerts, but I'd prefer to not be
depending on polling if at all possible.

Thanks,

Bill Buhler



Re: httpd. chroot, security and user homepage

2016-06-30 Thread Johan Tärnklint
Ok thank you.

If I understood you right here is what I have done

From my user.

ls -all

lrwxr-xr-x  1 root   empty   27 Jun 30 20:11 domain1 -> /var/www/users/domain1
lrwxr-xr-x  1 root   empty   24 Jun 30 20:11 domain2 -> /var/www/users/domain2

From root

#/var/www/users/
# ls -all
total 16
drwxr-xr-x   4 root   daemon  512 Jun 30 20:09 .
drwxr-xr-x  10 root   daemon  512 Jun 30 20:09 ..
drwxr-x---   3 empty  www 512 Jun 30 20:12 domain1
drwxr-x---   3 empty  www 512 Jun 30 20:09 domain2

There it is. Works just fine. Permissions are correct and secure(I hope)

Johan


> On 30 June 2016 at 19:54, Alexander Hall wrote:
>
> On Wed, Jun 29, 2016 at 09:37:36PM +0200, Stefan Sperling wrote:
>> On Wed, Jun 29, 2016 at 08:15:35PM +0200, Johan Tärnklint wrote:
>>> Seeking advice / security tips.
>>>
>>> Is it safe to create /var/www/htdocs/user1 and symlink to their home
>>> folder?
>>>
>>> Then set permissions to user1:www on /var/www/htdocs/user1 ?
>>>
>>> Does it break the chroot? Is it safe? Better solution?
>>
>> It won't work. httpd in chroot cannot read files outside of /var/www,
>> so it cannot access /home/user1.
>>
>> Allowing web access to the full home directory of a user is not a good
>> idea anyway. There are configuration files in there, some of which may
>> contain sensitive information. Users may make errors while configuring
>> permissions for sensitive files, accidentally exposing private
>> information.
>>
>> Instead, you could do it the other way around: Create a symlink in the
>> user's home dir which points to the user's dir in /var/www:
>>
>>  /home/user1/public_html -> /var/www/htdocs/user1
>>
>> Now users can place files they want to expose to the web into
>> ~/public_html
>> and the web server will be able to read them.
>>
>
> I'm not entirely sure you guys are describing different things. :-)
>
> - Actual directory somewhere under /var/www, writable by $USER
> - Symlink as whatever (public_html, www, ...) in $HOME/, pointing at
>  above directory
>
> If the actual directory is within the chroot, it certainly won't break
> no matter how many symlinks you point at it.
>
> /Alexander



Re: DNS lookup utility with port

2016-06-30 Thread Alexander Hall
On Thu, Jun 30, 2016 at 01:01:58PM +, Stuart Henderson wrote:
> On 2016-06-30, Kapetanakis Giannis  wrote:
> > Hi,
> >
> > a) I'm asking if there is any program in base for dns lookups that support 
> > port for name server.
> 
> Not in base, you will need packages.

I guess you could play some games with pf(4) for a single occasion:

# ifconfig lo0 127.0.0.2 alias

# in pf.conf:
set skip on none
pass on lo
pass on lo0 from any to 127.0.0.2 port 53 rdr-to 127.0.0.2 port 5678

(and maybe sth more I might be missing)

/Alexander

> 
> > b) would a patch for this in src/usr.sbin/bind/ be accepted or is
> > there a reason for this to be out (except for the ancient version)?
> 
> It was disabled so that tighter pledge(2) restrictions could be used.



Re: httpd. chroot, security and user homepage

2016-06-30 Thread Alexander Hall
On Wed, Jun 29, 2016 at 09:37:36PM +0200, Stefan Sperling wrote:
> On Wed, Jun 29, 2016 at 08:15:35PM +0200, Johan Tärnklint wrote:
> > Seeking advice / security tips.
> > 
> > Is it safe to create /var/www/htdocs/user1 and symlink to their home 
> > folder? 
> > 
> > Then set permissions to user1:www on /var/www/htdocs/user1 ?
> > 
> > Does it break the chroot? Is it safe? Better solution?
> 
> It won't work. httpd in chroot cannot read files outside of /var/www,
> so it cannot access /home/user1.
> 
> Allowing web access to the full home directory of a user is not a good
> idea anyway. There are configuration files in there, some of which may
> contain sensitive information. Users may make errors while configuring
> permissions for sensitive files, accidentally exposing private information.
> 
> Instead, you could do it the other way around: Create a symlink in the
> user's home dir which points to the user's dir in /var/www:
> 
>   /home/user1/public_html -> /var/www/htdocs/user1
> 
> Now users can place files they want to expose to the web into ~/public_html
> and the web server will be able to read them.
> 

I'm not entirely sure you guys are describing different things. :-)

- Actual directory somewhere under /var/www, writable by $USER
- Symlink as whatever (public_html, www, ...) in $HOME/, pointing at
  above directory

If the actual directory is within the chroot, it certainly won't break
no matter how many symlinks you point at it.

/Alexander
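
The layout this thread settles on (a real directory under /var/www owned by the user, group www, nothing for "other", and the only symlink living in $HOME) can be checked mechanically. The shell functions below are an added example, not part of any poster's message; the function names, finding labels and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Audits one per-user web directory that
# lives inside httpd's chroot (e.g. /var/www/users/domain1 in the listing).

# audit_webdir DIR OWNER GROUP
# Expected pattern, as in the listing: owner rwx, group (www) r-x, other ---.
# Prints one finding per line; returns 0 if clean, 1 if anything was found.
audit_webdir() {
    dir=$1 owner=$2 group=$3
    findings=$(
        {
            # Entries the user does not own.
            find "$dir" ! -user "$owner" -print | sed 's/^/wrong-owner /'
            # Entries in another group: httpd (group www) cannot read them.
            find "$dir" ! -type l ! -group "$group" -print |
                sed 's/^/wrong-group /'
            # httpd only needs to read: the group must not be able to write.
            find "$dir" ! -type l -perm -020 -print |
                sed 's/^/group-writable /'
            # Any permission bit for "other" exposes files to local users.
            find "$dir" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) \
                -print | sed 's/^/other-access /'
            # Symlinks are resolved inside the chroot, so absolute targets and
            # ".." components are flagged (conservatively) for manual review.
            find "$dir" -type l -print | while IFS= read -r link; do
                case $(readlink "$link") in
                    /*|..|../*|*/..|*/../*) echo "symlink-check $link" ;;
                esac
            done
        } | sort
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# build_sample_tree DIR
# Constructed sample data: modes 0750/0640 as in the listing, plus two
# deliberate mistakes for the audit to find.
build_sample_tree() {
    mkdir -p "$1/domain1/img"
    echo '<h1>hi</h1>' > "$1/domain1/index.html"
    echo 'secret' > "$1/domain1/notes.txt"
    chmod 750 "$1/domain1" "$1/domain1/img"
    chmod 640 "$1/domain1/index.html"
    chmod 644 "$1/domain1/notes.txt"                    # mistake: world-readable
    ln -s /home/user1/private "$1/domain1/img/private"  # mistake: leaves chroot
    ln -s index.html "$1/domain1/start.html"            # fine: relative, inside
}

# Usage: sh audit.sh /var/www/users/domain1 empty www
if [ "$#" -eq 3 ]; then
    audit_webdir "$1" "$2" "$3"
fi
```

File names containing newlines are not handled; the check is meant for a periodic review of user-writable web directories, not as an enforcement mechanism.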



Re: Killer board

2016-06-30 Thread Kevin Chadwick
> You are assuming people in this mailing list aren't capable of
> objective thinking.
> 

Sorry, perhaps I was a bit hasty.

> If you want Theo opinion on the ARM architecture, I'm pretty sure it's
> already somewhere in misc@. From memory, wimpy board, lacking mmu or
> something like that.
> 
> Also, the opposite discussion took place last week on misc@. Someone
> asked where is ARM support and the discussion quickly moved to x86 and
> AMD64 board able to do the same job.

>> OpenBSD is quite a bit ahead on amd64 vs. armv7. I'd choose amd64 every
>> time, right now. I suspect this situation will change a bit in the
>> coming years for armv7 (and possibly also armv8, which currently is
>> not supported.)

Ya, I figured as much but wondered if my understanding was still current
and if something like:

http://www.arm.com/products/processors/technologies/trustzone/

helped to tip the scales back etc.

-- 

KISSIS - Keep It Simple So It's Securable



Re: Killer board

2016-06-30 Thread Chris Cappuccio
Kevin Chadwick [m8il1i...@gmail.com] wrote:
> 
> Perfect is a strong word which got me thinking, assuming the ARM
> boards are stable enough now and considering the price margin between
> ARM and AMD64 is getting closer. It would be useful to understand how
> the processors compare in relation to current OpenBSD support: security
> wise (ignoring DDOS for the purpose of this discussion, (personally i
> tend to ignore the security triangle and put DDOS under integrity
> separate from security even if DDOS may reveal some insecurities or hide
> exploitation of insecurities))?
> 

OpenBSD is quite a bit ahead on amd64 vs. armv7. I'd choose amd64 every
time, right now. I suspect this situation will change a bit in the
coming years for armv7 (and possibly also armv8, which currently is
not supported.)

Chris



pf / queuing / multiple ISP

2016-06-30 Thread Dewey Hylton
hi all. queueing question here ...

what i have is an openbsd 5.9 firewall with one physical external interface
and one physical internal interface. i have two vlans on the external
interface, each connecting to a different ISP. each ISP provides different
bandwidth.

in an attempt to provide a bit of qos, i've created queues and am assigning
conversations to those queues based on their simple rules (eg. pass in
quick log proto tcp from  to any port ssh queue ssh). however,
the queues are created on the external physical interface, which means the
queue definitions apply to both ISP connections but only properly fit one of
them.

how would i go about correcting this?

if i create separate queues for each vlan interface to fit the different ISP
connections, it seems i would have to create multiple separate (and more
specific) rules for each allowed conversation. surely there is a smarter way ...

suggestions are welcomed.



Re: Issue with numbers of pty

2016-06-30 Thread Ted Unangst
Oriol Demaria wrote:
> Trying tmuxinator here I have noticed that I ran out of pty, according
> to man pty(4) there is a kernel parameter specifying the max
> number. I'm running a snapshot from last Friday, and I don't seem to
> have kern.tty.maxptys.
> 
> Is this a documentation error? Or that setting is not the one to look
> for?

The sysctl was removed. The maximum is 992 and does not change.



Issue with numbers of pty

2016-06-30 Thread Oriol Demaria
Trying tmuxinator here I have noticed that I ran out of pty, according
to man pty(4) there is a kernel parameter specifying the max
number. I'm running a snapshot from last Friday, and I don't seem to
have kern.tty.maxptys.

Is this a documentation error? Or that setting is not the one to look
for?

Thanks in advance.

-- 
Oriol Demaria
0x58415679



Re: bluetooth audio device

2016-06-30 Thread Thuban
* Lars Noodén wrote on [30-06-2016 16:56:01 +0300]:
> On 6/30/16, Thuban  wrote:
> > Hello,
> > I'm trying to connect an audio device via bluetooth, but can't find any
> > instructions to do so on OpenBSD.
> > Do you have any advices/links?
> >
> > Regards,
> >
> > --
> > /Thuban/
> >
>
> http://marc.info/?l=openbsd-cvs=140511572108715=2
>
> and
>
> http://www.openbsd.org/plus56.html
>
> Regards,
> Lars

ok, this answers my question.

Thanks

--
/Thuban/




Re: Clean OpenBSD's httpd logs

2016-06-30 Thread C. L. Martinez
On Thu 30.Jun'16 at 15:21:05 +0200, Thuban wrote:
> * C. L. Martinez wrote on [30-06-2016 12:50:36 +]:
> > Hi all,
> >
> >  Sorry if this question sounds stupid, but how can I avoid this type of
> > entry in OpenBSD's httpd access.log:
> >
> > 172.22.55.1:44710 -> 172.22.55.10, /favicon.ico (404 Not Found), [/] [/favicon.ico]
> >
> 
> Hi,
> in httpd.conf :
> 
> server "yourdomain.com" {
> ...
> no log
> }
> 
> 
> You might want to keep access log. Separate errors in another file :
> 
> 
> server "yourdomain.com" {
> ...
> log access "yourdomain.access.log"
> log error "yourdomain.errors.log"
> }
> 
> 
> see man httpd.conf for more :)
> 
> 
> --
> /Thuban/
> 

Thanks Thuban, but I want to log all requests to this web server :)

-- 
Greetings,
C. L. Martinez



uefi

2016-06-30 Thread Friedrich Locke
Hi folks,

I would like to know if there is anyone in this list that is running
Windows and OBSD 5.9 amd64 on the same machine with UEFI and doing,
naturally, multiboot.

Thanks a lot for your answer.

[]s fried.



Re: Clean OpenBSD's httpd logs

2016-06-30 Thread andrew fabbro
Create a favicon.ico file, or ignore the error.

httpd is just reporting that the user's browser is trying to fetch
/favicon.ico and apparently it doesn't exist.  Logging that as a 404 is
standard behavior.  You don't have one so httpd reports a 404.

There are ways of telling the browser to not expect a favicon.ico or
telling it that it exists somewhere else (that perhaps doesn't exist), but
httpd in this case is really doing nothing wrong.  The wisdom of favicons
is a different story but they are standard.

http://stackoverflow.com/questions/1321878/how-to-prevent-favicon-ico-requests

One could argue that perhaps the web server shouldn't log favicon-related
404s...but then there will be someone trying to figure out why his/her
favicons aren't showing up and will be looking at logs.



On Thu, Jun 30, 2016 at 8:50 AM, C. L. Martinez wrote:

> Hi all,
>
>  Sorry if this question sounds stupid, but how can I avoid this type of
> entry in OpenBSD's httpd access.log:
>
> 172.22.55.1:44710 -> 172.22.55.10, /favicon.ico (404 Not Found), [/]
> [/favicon.ico]
>
>  ??
>
>  Thanks.
> --
> Greetings,
> C. L. Martinez
>
>


-- 
andrew fabbro
and...@fabbro.org



Re: Clean OpenBSD's httpd logs

2016-06-30 Thread trondd
On Thu, June 30, 2016 8:50 am, C. L. Martinez wrote:
> Hi all,
>
>  Sorry if this question sounds stupid, but how can I avoid this type of
> entry in OpenBSD's httpd access.log:
>
> 172.22.55.1:44710 -> 172.22.55.10, /favicon.ico (404 Not Found), [/]
> [/favicon.ico]
>
>  ??
>

Put a favicon.ico there?

The web server has no idea if an attempt to get a missing file shouldn't
be logged in some cases and not others.  And all the major web browsers
automatically look for /favicon.ico so it's going to happen.

You might be able to redirect to an existing page but I think those might
get logged anyway.

Tim.



Re: DNS lookup utility with port

2016-06-30 Thread Kapetanakis Giannis
On 30/06/16 16:16, Kapetanakis Giannis wrote:

> understood and thanks for the reply.
> 
> Would you think to add libldns/drill in base or is it out of question?
> 
> G


forget that I asked. Even libldns seems abandoned and drill does not have what
I need (apart from -p)
dig from newer bind package seems the best solution.

G



bluetooth audio device

2016-06-30 Thread Thuban
Hello,
I'm trying to connect an audio device via bluetooth, but can't find any
instructions to do so on OpenBSD.
Do you have any advices/links?

Regards,

--
/Thuban/




Re: Clean OpenBSD's httpd logs

2016-06-30 Thread Thuban
* C. L. Martinez wrote on [30-06-2016 12:50:36 +]:
> Hi all,
>
>  Sorry if this question sounds stupid, but how can I avoid this type of
> entry in OpenBSD's httpd access.log:
>
> 172.22.55.1:44710 -> 172.22.55.10, /favicon.ico (404 Not Found), [/] [/favicon.ico]
>

Hi,
in httpd.conf :

server "yourdomain.com" {
...
no log
}


You might want to keep access log. Separate errors in another file :


server "yourdomain.com" {
...
log access "yourdomain.access.log"
log error "yourdomain.errors.log"
}


see man httpd.conf for more :)


--
/Thuban/




Re: DNS lookup utility with port

2016-06-30 Thread Kapetanakis Giannis
On 30/06/16 16:01, Stuart Henderson wrote:
> On 2016-06-30, Kapetanakis Giannis  wrote:
>> Hi,
>>
>> a) I'm asking if there is any program in base for dns lookups that support 
>> port for name server.
> 
> Not in base, you will need packages.
> 
>> b) would a patch for this in src/usr.sbin/bind/ be accepted or is
>> there a reason for this to be out (except for the ancient version)?
> 
> It was disabled so that tighter pledge(2) restrictions could be used.

understood and thanks for the reply.

Would you think to add libldns/drill in base or is it out of question?

G



Re: Killer board

2016-06-30 Thread Kevin Chadwick
>  Personally, I think a
> small ARM SBC would be perfect as a home router if it has 2 (or more)
> Ethernet ports

Perfect is a strong word which got me thinking, assuming the ARM
boards are stable enough now and considering the price margin between
ARM and AMD64 is getting closer. It would be useful to understand how
the processors compare in relation to current OpenBSD support: security
wise (ignoring DDOS for the purpose of this discussion, (personally i
tend to ignore the security triangle and put DDOS under integrity
separate from security even if DDOS may reveal some insecurities or hide
exploitation of insecurities))?

-- 

KISSIS - Keep It Simple So It's Securable



Re: mount cifs share on OpenBSD 5.9

2016-06-30 Thread Rashad Kanavath
On Wed, Jun 29, 2016 at 9:08 PM, Marcus MERIGHI wrote:

> mohammedrasha...@gmail.com (Rashad Kanavath), 2016.06.29 (Wed) 19:18 (CEST):
> > I tried to mount a network drive using shlight. But it is not working. Here
> > is the command with verbose output.
> > is the command with verbose output.
> >
> > using smbclient -L ... , I can list the drive. so this must be something
> > else.
>
> I haven't tested this lately, this is just what I could find quickly.
>
> Last time I tried I couldn't make it work, too. I turned to:
>
> sysutils/usmb
>
> mount SMB shares from userland via FUSE
>
> Description:
> usmb lets you mount SMB shares as unprivileged users via FUSE, in the
> vein of Windows' Map Network Drive facility. It differs from the other
> FUSE SMB filesystems (fusesmb, SMB for FUSE) in that it doesn't have
> Network Neighbourhood functionality: this means that you can mount
> shares that you can't see via NetBIOS browsing.
>
> (Note: unprivileged mounting requires both kern.usermount=1 and access
> to /dev/fuse0).
>
>
> The last sentence apparently did not work for me. I did not try too
> hard, though, iirc.
>
> My ~/.usmb.conf (with file permissions for root, since I was running
> this via doas):
>
> 
> 10.10.10.254
> WiFiDisk1_Volume1
> /mnt
> 
> 
>
> And in ~/.kshrc:
> alias wlandisk="doas usmb wd"
>

Thanks Marcus. It worked for me. However I miss the option allow_other to
have read and write without root privileges. I see there are some options
in the doc. But I didn't look at it properly. Will test this later and
report back if any issues.


> Bye, Marcus
>
>



-- 
Regards,
   Rashad



Re: DNS lookup utility with port

2016-06-30 Thread Stuart Henderson
On 2016-06-30, Kapetanakis Giannis  wrote:
> Hi,
>
> a) I'm asking if there is any program in base for dns lookups that support 
> port for name server.

Not in base, you will need packages.

> b) would a patch for this in src/usr.sbin/bind/ be accepted or is
> there a reason for this to be out (except for the ancient version)?

It was disabled so that tighter pledge(2) restrictions could be used.



DNS lookup utility with port

2016-06-30 Thread Kapetanakis Giannis
Hi,

a) I'm asking if there is any program in base for dns lookups that support port 
for name server.

# dig -p 5678 example.com @127.0.0.1
;; Error, only port 53 supported

# nslookup 
> set port=5678
The port command has been disabled.

host(1) never had anything similar

Is there any other tool I don't know or do I have to install drill/isc_bind 
from packages?

b) would a patch for this in src/usr.sbin/bind/ be accepted or is there a 
reason for this to be out (except for the ancient version)?

c) maybe adding libldns+drill in base would also be an option since both 
unbound/nsd are in now?

best,

Giannis



Clean OpenBSD's httpd logs

2016-06-30 Thread C. L. Martinez
Hi all,
 
 Sorry if this question sounds stupid, but how can I avoid this type of entry 
in OpenBSD's httpd access.log:

172.22.55.1:44710 -> 172.22.55.10, /favicon.ico (404 Not Found), [/] [/favicon.ico]

 ??

 Thanks.
-- 
Greetings,
C. L. Martinez