pf_query error
Hi, I'm using pfstat to generate pf statistics for my home firewall. But after upgrading to a -current snapshot this error started to appear. I did run sysmerge and pkg_add -uv after the upgrade. Any ideas how to resolve this issue? Thanks in advance.

[x220@OpenBSD.domain.local:~]$ doas pfstat -q -d /var/db/pfstat.db
doas (x220@OpenBSD.domain.local) password:
ioctl: DIOCGETSTATUS: Permission denied
pf_query: query_counters() failed
[x220@OpenBSD.domain.local:~]$

Here's the dmesg:

OpenBSD 6.1-current (GENERIC) #5: Tue Aug 15 19:29:42 MDT 2017
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC

Regards,
Glenn
Re: Question about httpd tls config
Ah. Thank you! :-)

Tue 15 Aug 2017 at 14:06, Ronan Viel wrote:
> Hi,
>
> SSL Labs don't like 3DES whose key length is considered 112 bits and not
> 168 bits because it may be subject to meet-in-the-middle attack.
> Remove it by adding the line below to your server definition:
> tls cipher "HIGH:!aNULL:!3DES"
>
> Ronan
>
>> On 15 Aug 2017 at 09:54, Andreas Thulin wrote:
>>
>> Hi!
>>
>> I run httpd on 6.1-stable (thanks to all of you who make that possible!),
>> with a pretty vanilla tls setup. When testing the server on ssllabs.com,
>> results say that
>>
>> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
>>
>> is considered weak. How should I interpret that information, as you see it?
>> And shouldn't default cipher strengths be >= 128? I have probably
>> misunderstood something, so any pointers in the right direction would be
>> lovely.
>>
>> Link to my test result:
>> https://www.ssllabs.com/ssltest/analyze.html?d=esoteric.andreasthulin.se
>>
>> My httpd.conf (which I'd like to keep very simple):
>> # www.andreasthulin.se - HTTP
>> server "www.andreasthulin.se" {
>>     alias "esoteric.andreasthulin.se"
>>     hsts subdomains
>>     listen on * port 80
>>     listen on * tls port 443
>>     tls certificate "/etc/ssl/esoteric.andreasthulin.se.fullchain.pem"
>>     tls key "/etc/ssl/private/esoteric.andreasthulin.se.key"
>>     root "/htdocs/andreasthulin.se"
>>     location "*.php" {
>>         fastcgi socket "/run/php-fpm.sock"
>>     }
>>     location "/.well-known/acme-challenge/*" {
>>         root "/acme"
>>         root strip 2
>>     }
>>     directory { index "index.php" }
>> }
>>
>> BR, Andreas
Re: lock X on suspend
Jeremie Courreges-Anglas writes:

Hello,

> On Tue, Aug 15 2017, Stuart Henderson wrote:
>> On 2017-08-15, Jeremie Courreges-Anglas wrote:
>>> On Tue, Aug 15 2017, tomr wrote:
>>>> I've figured out an effective workaround I think, which is to SIGUSR1 my
>>>> running xidle(1) process, which works.
>>>
>>> That's probably less hackish and better on multi-user machines.
>>
>> fwiw, I sometimes had problems with characters from my password going to
>> xterms when I used xidle. I don't know if it was something odd about my
>> setup, but something to watch out for if anyone's changing config as a
>> result of this thread.

I'm stepping in just to mention that I've observed the same behaviour, though I thought it was because of the locking program that I used (slock), not xidle. Since then, I've switched to i3lock and stopped using xidle (I'm locking manually) and haven't observed this behaviour. I'll give xidle a new try and report here if the problem occurs again.

Best.

> Duh, thanks for the heads-up. This is a bit scary.
>
>> I like the hackish way :)
>
> ;)
Re: lock X on suspend
On Tue, Aug 15 2017, Stuart Henderson wrote:

> On 2017-08-15, Jeremie Courreges-Anglas wrote:
>> On Tue, Aug 15 2017, tomr wrote:
>>
>>> I've figured out an effective workaround I think, which is to SIGUSR1 my
>>> running xidle(1) process, which works.
>>
>> That's probably less hackish and better on multi-user machines.
>
> fwiw, I sometimes had problems with characters from my password going to
> xterms when I used xidle. I don't know if it was something odd about my
> setup, but something to watch out for if anyone's changing config as a
> result of this thread.

Duh, thanks for the heads-up. This is a bit scary.

> I like the hackish way :)

;)

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
Re: Mastering opensmtpd rules
On Tue, Aug 15, 2017 at 05:10:00PM +0200, Gilles Chehade wrote:
> On Tue, Aug 15, 2017 at 01:29:16PM +0200, Walter Alejandro Iglesias wrote:
>>>> accept from any for any virtual [...]
>>>
>>
>> Besides, after modifying that rule in the file I also had to change the
>> order. Since rules below the "catch-all" one never get evaluated, it
>> has forcibly to be the last one:
>>
>>     [...]
>>     accept from local for local alias deliver to mbox
>>     accept from local sender for any relay
>>     accept from any for any virtual deliver to mbox
>>     # End of file
>>
>
> Not a truth written in stone but, usually, having the "from any for any"
> rule in a config file is a sign that the user failed to write a ruleset and is
> using this as a fallback.

The word "mastering" I used in the subject may lead to confusion. I should've written "starting with" instead. :-) My smtpd.conf is not a finished work. Step by step.

> The earlier the rules match the envelope, the
> better, as it indicates that the rule was written to match precisely.
>

My intention was to find the way to support the "postmaster" address, which the RFC requires to be supported even *with no domain specification.* I wasn't able to figure out how to solve this while the "domain" table was included in the rule. Without that table now I can add to the "valiases" file this:

postmaster myuser
s...@site1.com ...
s...@site2.com ...

To make available any of these addresses:

postmaster@[IP_ADDRESS]
postmas...@site1.com
postmas...@site2.com

> Most rulesets should finish with a relay (via?) rule from local for any.

That's the way I had it, but I couldn't send mail when preceded by the "from any to any" rule. I know my current solution is sloppy, I'll try to study a bit more and improve my configuration.

Thank you for your help.

> --
> Gilles Chehade
>
> https://www.poolp.org @poolpOrg
Re: lock X on suspend
I use this, with /etc/apm/hibernate as a symlink.

$ cat /etc/apm/suspend
#!/bin/sh
pkill -USR1 -x xidle
#EOF

and my .Xdefaults have:

XIdle.timeout: 300
XLock.grabmouse: on
XLock.mode: blank
XLock.mousemotion: on
XLock.usefirst: yes
XLock.lockdelay: 10
XLock.nice: 19
#EOF

On 2017 Aug 15 (Tue) at 09:57:39 +1000 (+1000), tomr wrote:
:I've been struggling to get X to lock by calling xlock(1) from
:/etc/apm/{hibernate,resume,standby,suspend}
:
:Haven't seen a lot of useful debug output from xlock...
:
:# xlock -verbose ; echo $?
:1
:# xlock -verbose -display :0.0 ; echo $?
:No protocol specified
:1
:#
:
:I've figured out an effective workaround I think, which is to SIGUSR1 my
:running xidle(1) process, which works. I'm just wondering if there's a
:better way to get apmd, running /etc/apm/* as root, to do the same. I
:tried calling xlock both as root and as the current X user, no
:noticeable difference in results.
:

--
Academic politics is the most vicious and bitter form of politics, because the stakes are so low.
-- Wallace Sayre
Re: Mastering opensmtpd rules
On Tue, Aug 15, 2017 at 01:29:16PM +0200, Walter Alejandro Iglesias wrote:
>>>> accept from any for any virtual [...]
>>>
>>
> Besides, after modifying that rule in the file I also had to change the
> order. Since rules below the "catch-all" one never get evaluated, it
> has forcibly to be the last one:
>
>     [...]
>     accept from local for local alias deliver to mbox
>     accept from local sender for any relay
>     accept from any for any virtual deliver to mbox
>     # End of file
>

Not a truth written in stone but, usually, having the "from any for any" rule in a config file is a sign that the user failed to write a ruleset and is using this as a fallback. The earlier the rules match the envelope, the better, as it indicates that the rule was written to match precisely.

Most rulesets should finish with a relay (via?) rule from local for any.

--
Gilles Chehade

https://www.poolp.org @poolpOrg
Re: doas /usr/bin/vi best practice
Hello Nam,

On Sun 13/08/2017 18:09, Nam Nguyen wrote:

If you are trying to avoid that message:

/home/just22/.exrc: not sourced: not owned by you

It could be that you are in your home directory and vi is trying to read the local .exrc script on startup. In vi(1):

exrc, ex [off]
Read the startup files in the local directory.

To turn off this feature, put "set noexrc" into your ~/.exrc

I was discussing this point privately with Martijn (in CC) and I ended up with exactly this conclusion.

I'm trying to sort things out a bit and summarize what happens, in the hope one of the developers has the chance to have a look:

- enable the exrc option ("set exrc") in ${HOME}/.exrc
- from $HOME run: "doas vi "
- the message "/home/just22/.exrc: not sourced: not owned by you" appears;
- despite the error message, the settings in $HOME/.exrc are present in vi's window, so it seems that it is sourced two times: in one case all goes well, in the other there is a permission problem.

Something weird is happening, but I really don't know where...

The key is to understand what configuration files vi looks for when starting up. This is mentioned toward the bottom of vi(1). It seems like the precedence goes (from least to most): /etc/vi.exrc, ~/.exrc, ./.exrc. (For clarity, I am not including ~/.nexrc and ./.nexrc.)

I used to have "set exrc" and would get the behavior you are describing, specifically while in my home directory. Disabling that feature with "set noexrc" removes ./.exrc from what vi scans for at startup.

This is the setup I currently have. I have /etc/vi.exrc as a system-wide default vi configuration. In $HOME/.exrc I have general vi macros, and in $HOME/.nexrc I have programming language specific macros. Normally, what I will do is update ~/.exrc if I want to add some new features, and copy that to /etc/vi.exrc to have it available system-wide.

Another observation I made was that because doas' default behavior is to reset the environment except for HOME, among others, executing `doas vi` gives me access to macros defined in both ~/.exrc and ~/.nexrc even though I am root. If I change to root with `su` and then open `vi`, I only get access to /etc/vi.exrc and lose access to macros defined in ~/.nexrc.

I have been annoyed by this problem, too, because I had to keep pressing enter to clear that error message, instead of the file instantaneously opening. I could not be bothered to investigate further until you had mentioned it.

--
Alessandro DE LAURENZIS
[mailto:jus...@atlantide.t28.net]
LinkedIn: http://it.linkedin.com/in/delaurenzis
mount_nfs(8) -b option
Dear misc@ readers,

From mount_nfs(8):

-b  If an initial attempt to contact the server fails, fork off a child to keep trying the mount in the background. Useful for fstab(5), where the file system mount is not critical to multiuser operation.

My understanding is that, in case the server is not reachable when the command is run (specifically, at boot, if there is a proper entry in fstab(5)), it will be forked and keep trying the mount operation until the server is back. I had a look at the code and, if I am not mistaken, the process sleeps for 60s, then retries and so on.

Now: this is my fstab:

# Blk dev            Mount point                FS type  Mnt opts                                   Dump freq  Pass no.
#/dev/sd0a
ff014e14e96d5c40.a   /                          ffs      rw,softdep,noatime                         2          1
#/dev/sd0b
ff014e14e96d5c40.b   none                       swap     sw
#/dev/sd0d
ff014e14e96d5c40.d   /tmp                       ffs      rw,softdep,noatime,nodev,nosuid            1          2
#/dev/sd0e
ff014e14e96d5c40.e   /var                       ffs      rw,softdep,noatime,nodev,nosuid            1          2
#/dev/sd0f
ff014e14e96d5c40.f   /usr                       ffs      rw,softdep,noatime,nodev                   1          2
#/dev/sd0g
ff014e14e96d5c40.g   /usr/local                 ffs      rw,softdep,noatime,nodev,wxallowed         1          2
#/dev/sd0h
ff014e14e96d5c40.h   /builds                    ffs      rw,softdep,noatime,nodev,nosuid,wxallowed  1          2
#/dev/sd0i
ff014e14e96d5c40.i   /home                      ffs      rw,softdep,noatime,nodev,nosuid,wxallowed  1          2
# Network file sharing
egeo:/vol/datavol01  /nfs/egeo/vol/datavol01    nfs      net,rw,-i,-b                               0          0
egeo:/vol/sys_backup /nfs/egeo/vol/sys_backup   nfs      net,rw,-i,-b                               0          0
egeo:/home/export    /nfs/egeo/home             nfs      net,rw,-i,-b                               0          0

I observe two unexpected behaviors:

1) when I switch on the machine in an environment without any network available, I see the messages "Cannot resolve egeo..." and the boot process goes on; but when the server comes back (I simply make a wifi network available and run "doas sh /etc/netstart" on the client), nothing happens (I was instead expecting that the shares would be mounted after a minute or so);

2) when I boot without any network available and with the "-b" option removed from the client's fstab, again I see the messages "Cannot resolve egeo...", and again the process continues without lagging...

I probably misunderstood the "-b" meaning. Could anyone give me some hints? My goal is to make the NFS shares available as soon as the server is reachable (without using amd(8) and possibly making the entire process as transparent for the user as possible).

All the best

--
Alessandro DE LAURENZIS
[mailto:jus...@atlantide.t28.net]
LinkedIn: http://it.linkedin.com/in/delaurenzis
Re: Pinebook (if anyones up for it)
On Mon, Aug 14, 2017 at 10:08:13PM +0300, valerij zaporogeci wrote:
> 2017-08-14 10:21 GMT+03:00, Alex Naumov:
>> Hello,
>>
>> there is one enthusiast, who wants to make it possible:
>> http://openbsd-archive.7691.n7.nabble.com/Working-on-support-for-Pinebook-td318562.html
>>
>> I don't know the current state, but I also have a Pinebook and would
>> like to run OpenBSD on it.
>>
>>
>> Some info you can find there: https://www.openbsd.org/arm64.html
>> ==
>> The Pine64 currently requires an image based on a non-redistributable
>> boot0 file from Allwinner to be installed on the system disk. This
>> will hopefully be resolved by a replacement in a future U-Boot
>> release. The install media does not include these boot images or a
>> Pine64 device tree. For similar reasons we do not provide install
>> media for the Firefly-RK3399 either.
>> ==

Correction: The problem of the boot0 file has been solved thanks to changes in u-boot. Work on install media for the Pine64 is now in progress, without unredistributable blobs.

>>
>> So, it seems that it's impossible yet.
>>
>>
>> Cheers,
>> Alex
>>
>
> this boot0 thing is a part of the firmware. why should its redistributability
> state influence OS support? are x86 BIOS parts all
> redistributable?
>
> Is it obtainable? This is that "security world" thing and it will be
> anywhere where the Security Extension is implemented. I have a Pine64+
> board and am planning to do my project on it, which is a UEFI
> implementation. x^D Will OpenBSD be happy if there were UEFI on it as
> a FW and that boot0 thing is a part of the UEFI installation?
>
Re: Question about httpd tls config
On 08/15/17 09:54, Andreas Thulin wrote:
> Hi!
>
> I run httpd on 6.1-stable (thanks to all of you who make that possible!),
> with a pretty vanilla tls setup. When testing the server on ssllabs.com,
> results say that
>
> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
>
> is considered weak. How should I interpret that information, as you see it?
> And shouldn't default cipher strengths be >= 128? I have probably
> misunderstood something, so any pointers in the right direction would be
> lovely.
>
> Link to my test result:
> https://www.ssllabs.com/ssltest/analyze.html?d=esoteric.andreasthulin.se

At least httpd on current doesn't include any 3DES cipher suites by default. I am also not aware of any TLS clients which are TLS 1.2-only and would prefer any 3DES cipher suite at the same time. In case your server is not required to be interoperable with some very old TLS 1.0-based legacy clients, you should simply exclude 3DES cipher suites.

From a security perspective, although probably still sufficient for the foreseeable future, the 112-bit security level of 3DES looks like the weakest link in your specific setup. However, the much bigger problem is 3DES's 64-bit block length which is inherently prone to collisions (so-called SWEET32 attack). In order to mitigate this problem, the upcoming recommendation from NIST is to frequently change the key (every 2^20 64-bit data blocks -- see http://csrc.nist.gov/publications/drafts/800-67r2/sp800-67r2-draft.pdf ).

In the context of libssl, BIO_set_ssl_renegotiate_bytes() (see BIO_f_ssl(3)) seems to be intended for this purpose. However, it doesn't seem to be called anywhere in OpenBSD's src repository. In case any developer is reading this -- does libssl/libtls/httpd somehow ensure that session keys will be refreshed after a cipher suite's maximum key lifetime (or, alternatively, the session gets terminated)?

Although the recommended limit on the number of TLS records, which could be handled with the same session key, is much higher for AES-GCM (i.e., 2^32 records), there still is a limit.

Best regards
Andreas
Re: Clarification on ksh(1) nohup mechanism
Anyone?

On Sat 12/08/2017 18:36, Alessandro DE LAURENZIS wrote:
Dear misc@ readers,

I'm lost with the subject... From the man page I see that, differently from standard ksh, the OpenBSD implementation by default does *not* send SIGHUP signals to child processes when a SIGHUP is received by the parent shell, and that this mechanism can be changed through:

set +o nohup

So far, so good; now:

[snip]
$ sleep 30 &
[1] 46318
$ pgrep -fl sleep
46318 sleep 30
$ pgrep -fl sleep
46318 sleep 30
[snip]

As expected, the sleep process is still there. But:

[snip]
set +o nohup
$ sleep 30 &
[1] 83071
$ pgrep -fl sleep
83071 sleep 30
$ pgrep -fl sleep
83071 sleep 30
[snip]

Even after having cleared the shell option, the process is not killed. Just in case, I also tried with:

set -o nohup

observing the same behavior.

Could you please give me some hints?

All the best

--
Alessandro DE LAURENZIS
[mailto:jus...@atlantide.t28.net]
LinkedIn: http://it.linkedin.com/in/delaurenzis
Re: lock X on suspend
On 2017-08-15, Jeremie Courreges-Anglas wrote:
> On Tue, Aug 15 2017, tomr wrote:
>
>> I've figured out an effective workaround I think, which is to SIGUSR1 my
>> running xidle(1) process, which works.
>
> That's probably less hackish and better on multi-user machines.

fwiw, I sometimes had problems with characters from my password going to xterms when I used xidle. I don't know if it was something odd about my setup, but something to watch out for if anyone's changing config as a result of this thread.

I like the hackish way :)
Re: x40 users?
On Fri, 11 Aug 2017 19:50:05 -0400, "Ted Unangst" wrote:

> anyone using an x40? what have you set machdep.apmhalt to?

Hi Ted,

I have several old ThinkPads running OpenBSD here. The X40 has the default setting:

root@x40:~# sysctl machdep.apmhalt
machdep.apmhalt=0

You probably want to know if "halt -p" is working. It works. Even

root@x40:~# sysctl machdep.apmhalt=1
machdep.apmhalt: 0 -> 1

works. APM power down code correction isn't necessary for my X40.

Michael

root@x40:~# dmesg
OpenBSD 6.1-current (GENERIC) #50: Fri Aug 11 21:37:40 MDT 2017
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) M processor 1.40GHz ("GenuineIntel" 686-class) 1.40 GHz
Re: DNSSEC solution
On Tue, Aug 15, 2017 at 09:03:26AM +0200, Thuban wrote:
> Hi
> since we have nsd and unbound included in base, I was wondering what
> tool you use to deal with DNSSEC and sign your zone ?
> I use zkt, but your advice would be nice.
>
> Regards
> --
> thuban

I use powerdns from ports as a hidden signer.

This also seems relevant: https://dnsreactions.tumblr.com/post/162546373232/adding-useless-cron-jobs-to-an-already-fine-signer

--
I'm not entirely sure you are real.
Re: DNSSEC solution
On Tue 15 Aug 09:03:26 2017, Thuban wrote:
> Hi
> since we have nsd and unbound included in base, I was wondering what
> tool you use to deal with DNSSEC and sign your zone ?
> I use zkt, but your advice would be nice.
>
> Regards
> --
> thuban

Hi,

You could use OpenDNSSEC. It's written by the same authors as nsd and unbound. I wrote an article about this (in French, sorry, but it seems that you speak it): https://www.swordarmor.fr/gestion-automatique-de-dnssec-avec-opendnssec-et-nsd.html

--
alarig
Re: Question about httpd tls config
Hi,

SSL Labs don't like 3DES whose key length is considered 112 bits and not 168 bits because it may be subject to meet-in-the-middle attack.

Remove it by adding the line below to your server definition:

tls cipher "HIGH:!aNULL:!3DES"

Ronan

> On 15 Aug 2017 at 09:54, Andreas Thulin wrote:
>
> Hi!
>
> I run httpd on 6.1-stable (thanks to all of you who make that possible!),
> with a pretty vanilla tls setup. When testing the server on ssllabs.com,
> results say that
>
> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
>
> is considered weak. How should I interpret that information, as you see it?
> And shouldn't default cipher strengths be >= 128? I have probably
> misunderstood something, so any pointers in the right direction would be
> lovely.
>
> Link to my test result:
> https://www.ssllabs.com/ssltest/analyze.html?d=esoteric.andreasthulin.se
>
> My httpd.conf (which I'd like to keep very simple):
> # www.andreasthulin.se - HTTP
> server "www.andreasthulin.se" {
>     alias "esoteric.andreasthulin.se"
>     hsts subdomains
>     listen on * port 80
>     listen on * tls port 443
>     tls certificate "/etc/ssl/esoteric.andreasthulin.se.fullchain.pem"
>     tls key "/etc/ssl/private/esoteric.andreasthulin.se.key"
>     root "/htdocs/andreasthulin.se"
>     location "*.php" {
>         fastcgi socket "/run/php-fpm.sock"
>     }
>     location "/.well-known/acme-challenge/*" {
>         root "/acme"
>         root strip 2
>     }
>     directory { index "index.php" }
> }
>
> BR, Andreas
Re: Mastering opensmtpd rules
>> accept from any for any virtual [...]
>

Besides, after modifying that rule in the file I also had to change the order. Since rules below the "catch-all" one never get evaluated, it has forcibly to be the last one:

    [...]
    accept from local for local alias deliver to mbox
    accept from local sender for any relay
    accept from any for any virtual deliver to mbox
    # End of file
Re: Mastering opensmtpd rules
Hi Gilles,

On Tue, Aug 15, 2017 at 11:15:32AM +0200, Gilles Chehade wrote:
> On Tue, Aug 15, 2017 at 09:22:41AM +0200, Walter Alejandro Iglesias wrote:
>> Hello everyone,
>>
>> I'd appreciate experienced opensmtpd users tell me if I'm understanding
>> well the mechanism in the following rule.
>>
>> Currently, in my smtpd.conf I have this line:
>>
>> accept from any for domain virtual deliver to mbox
>>
>> But since all keys in my "valiases" table are full email addresses, in
>> the form:
>>
>> u...@example.org user
>>
>> I'm thinking the use of "vdomains" table is redundant. I could safely
>> simplify the rule to:
>>
>> accept from any for any virtual deliver to mbox
>>
>>
>> Am I wrong in this assumption?
>>
>
> kind of, smtpd.conf being a first match ruleset it is impossible to make
> this kind of analysis without having your other rules too.

Sorry, I should've added it's the only "from any" rule I have:

# /etc/mail/smtpd.conf
egress_int="em0"
server="server.roquesor.com"

table aliases file:/etc/mail/aliases
table valiases file:/etc/mail/valiases
table vdomains file:/etc/mail/vdomains
table addresses file:/etc/mail/addresses
table users file:/etc/mail/users

pki $server certificate "/etc/ssl/server.crt"
pki $server key "/etc/ssl/private/server.key"

listen on lo0
listen on $egress_int port 25 tls pki $server
listen on $egress_int port 465 smtps pki $server auth \
    senders masquerade

accept from local for local alias deliver to mbox
accept from any for domain virtual deliver to mbox
accept from local sender for any relay
# End of file

>
> in this case, this may or may not give the desired behavior depending on
> rules following it because envelope matching happens _before_ virtual is
> even evaluated.
>
> with:
>
> accept from any for domain [...]
>
> you will only match envelopes for the domains in , it allows a
> different rule to match other domains:
>
> accept from any for domain [...]
> accept from any for domain foobar.org [...]
>
> with:
>
> accept from any for any [...]
>
> you will match all envelopes so you're essentially creating a catch-all.
>
>
> virtual happens AFTER a rule has been matched so if your recipient is not
> found the RCPT will be rejected, smtpd will not search for another rule.

If I'm understanding you well then it's what I want. My question was if the "virtual" entry in the rule is enough to reject non-matching recipients. For example, having this rule:

accept from any for any virtual [...]

and a "valiases" file containing only this line:

l...@foobar.org user

will messages sent to e.g. l...@foobar2.org or l...@foobar3.org be rejected?

>
>
> --
> Gilles Chehade
>
> https://www.poolp.org @poolpOrg
Re: Mastering opensmtpd rules
On Tue, Aug 15, 2017 at 09:22:41AM +0200, Walter Alejandro Iglesias wrote:
> Hello everyone,
>
> I'd appreciate experienced opensmtpd users tell me if I'm understanding
> well the mechanism in the following rule.
>
> Currently, in my smtpd.conf I have this line:
>
> accept from any for domain <vdomains> virtual <valiases> deliver to mbox
>
> But since all keys in my "valiases" table are full email addresses, in
> the form:
>
> u...@example.org user
>
> I'm thinking the use of "vdomains" table is redundant. I could safely
> simplify the rule to:
>
> accept from any for any virtual <valiases> deliver to mbox
>
>
> Am I wrong in this assumption?
>

kind of, smtpd.conf being a first match ruleset it is impossible to make
this kind of analysis without having your other rules too.

in this case, this may or may not give the desired behavior depending on
rules following it because envelope matching happens _before_ virtual is
even evaluated.

with:

accept from any for domain <vdomains> [...]

you will only match envelopes for the domains in <vdomains>, it allows a
different rule to match other domains:

accept from any for domain <vdomains> [...]
accept from any for domain foobar.org [...]

with:

accept from any for any [...]

you will match all envelopes so you're essentially creating a catch-all.

virtual happens AFTER a rule has been matched so if your recipient is not
found the RCPT will be rejected, smtpd will not search for another rule.

--
Gilles Chehade

https://www.poolp.org @poolpOrg
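To make the two-stage evaluation Gilles describes concrete, and to answer the follow-up about whether "virtual" alone rejects unknown recipients, here is a minimal smtpd.conf in the pre-6.4 accept/reject grammar this thread uses. It is an added example written for this page, not the poster's configuration and not from the OpenSMTPD project. The host name mx.example.org, the inline table contents and the three recipient addresses in the comments are constructed for the illustration. Rule A is the poster's original rule, the commented-out rule A' is the proposed "for any" variant, and rule B stands for any later rule meant to handle another domain.

```conf
# Added example, not the poster's file. Pre-6.4 accept/reject grammar.
# Host name, table contents and recipient addresses are constructed.

table vdomains { "foobar.org" }
table valiases { "list@foobar.org" = "user" }
table valiases2 { "list@foobar2.org" = "user2" }

pki mx.example.org certificate "/etc/ssl/mx.example.org.crt"
pki mx.example.org key "/etc/ssl/private/mx.example.org.key"

listen on egress port 25 tls pki mx.example.org

# Rule A: the envelope matches only if the recipient domain is in
# <vdomains>; only for a matched envelope is <valiases> consulted.
accept from any for domain <vdomains> virtual <valiases> deliver to mbox

# Rule A': the proposed replacement. It matches EVERY envelope, so the
# <valiases> lookup decides the fate of every recipient and rule B below
# is never reached. Enable it instead of A to see the difference.
#accept from any for any virtual <valiases> deliver to mbox

# Rule B: a later rule for a second virtual domain.
accept from any for domain "foobar2.org" virtual <valiases2> deliver to mbox

# Outcome at RCPT TO for three constructed recipients. First match wins
# on the envelope; the virtual lookup never falls through to a later rule.
#
#                     with rule A                with rule A'
#   list@foobar.org   A matches, key found:      A' matches, key found:
#                     accepted, mbox "user"      accepted, mbox "user"
#   other@foobar.org  A matches, key missing:    A' matches, key missing:
#                     rejected, B not tried      rejected, B not tried
#   list@foobar2.org  A does not match; B        A' matches, key missing:
#                     matches, key found:        rejected, B is shadowed
#                     accepted, mbox "user2"
```

So the answer to the follow-up is yes: with "for any virtual <valiases>" a recipient absent from the table is rejected at RCPT. The price is that the rule is a catch-all, so no rule placed after it can ever see a "from any" envelope. Keeping "for domain <vdomains>" is what leaves room for rule B; dropping it is safe only if this is truly the last rule that should match external senders, which is what the poster says of their ruleset.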
Question about httpd tls config
Hi!

I run httpd on 6.1-stable (thanks to all of you who make that possible!),
with a pretty vanilla tls setup. When testing the server on ssllabs.com,
results say that TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA is considered weak.
How should I interpret that information, as you see it? And shouldn't
default cipher strengths be >= 128?

I have probably misunderstood something, so any pointers in the right
direction would be lovely.

Link to my test result:
https://www.ssllabs.com/ssltest/analyze.html?d=esoteric.andreasthulin.se

My httpd.conf (which I'd like to keep very simple):

# www.andreasthulin.se - HTTP
server "www.andreasthulin.se" {
	alias "esoteric.andreasthulin.se"
	hsts subdomains
	listen on * port 80
	listen on * tls port 443
	tls certificate "/etc/ssl/esoteric.andreasthulin.se.fullchain.pem"
	tls key "/etc/ssl/private/esoteric.andreasthulin.se.key"
	root "/htdocs/andreasthulin.se"
	location "*.php" {
		fastcgi socket "/run/php-fpm.sock"
	}
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		root strip 2
	}
	directory {
		index "index.php"
	}
}

BR,
Andreas
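On the question itself: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA is rated weak because 3DES has an effective key strength of 112 bits and, more importantly, a 64-bit block size, which makes long-lived connections vulnerable to the Sweet32 birthday attack (CVE-2016-2183). The key exchange (ECDHE) is fine; it is the bulk cipher that ssllabs objects to. It is offered because the httpd.conf above sets no cipher string, so httpd uses a compatibility-oriented default that keeps 3DES for old clients. httpd.conf(5) lets the server block set `tls ciphers string`, which httpd hands to libtls. Below is the poster's server block with that one line added; this is an added example, not the poster's file. The group name "secure" assumes the libtls shipped with OpenBSD 6.0 or later (it expands to the TLS 1.2 ECDHE+AEAD suites); an explicit OpenSSL-style list that does the same on an older libtls is given in the comment.

```conf
# Added example: the poster's server block plus an explicit cipher list.
# Paths are the ones the poster listed; "secure" assumes libtls >= 6.0.
server "www.andreasthulin.se" {
	alias "esoteric.andreasthulin.se"
	hsts subdomains
	listen on * port 80
	listen on * tls port 443
	tls certificate "/etc/ssl/esoteric.andreasthulin.se.fullchain.pem"
	tls key "/etc/ssl/private/esoteric.andreasthulin.se.key"
	# "secure" = TLS 1.2 ECDHE/DHE suites with an AEAD cipher only.
	# No 3DES, no CBC, no RSA key transport. Equivalent explicit list
	# for an older libtls that has no named groups:
	#   "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
	tls ciphers "secure"
	root "/htdocs/andreasthulin.se"
	location "*.php" {
		fastcgi socket "/run/php-fpm.sock"
	}
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		root strip 2
	}
	directory {
		index "index.php"
	}
}
```

Check the file with `httpd -n` before restarting. After `rcctl restart httpd`, `openssl s_client -connect esoteric.andreasthulin.se:443 -cipher ECDHE-RSA-DES-CBC3-SHA </dev/null` must fail to negotiate, and a re-run of the ssllabs test should list only GCM and ChaCha20 suites. The cost is that clients without TLS 1.2 (Windows XP era browsers, some embedded devices) can no longer connect; for a personal site in 2017 that is the right trade.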
Mastering opensmtpd rules
Hello everyone,

I'd appreciate experienced opensmtpd users tell me if I'm understanding
well the mechanism in the following rule.

Currently, in my smtpd.conf I have this line:

accept from any for domain <vdomains> virtual <valiases> deliver to mbox

But since all keys in my "valiases" table are full email addresses, in
the form:

u...@example.org user

I'm thinking the use of "vdomains" table is redundant. I could safely
simplify the rule to:

accept from any for any virtual <valiases> deliver to mbox

Am I wrong in this assumption?
DNSSEC solution
Hi

since we have nsd and unbound included in base, I was wondering what tool
you use to deal with DNSSEC and sign your zone ?

I use zkt, but your advices would be nice.

Regards

--
thuban