Re: Community-driven OpenBSD tutorials wiki?

2018-04-11 Thread Vivek Vinod
Offtopic -

I installed cowsay and erroneously thought there was an error in the manpage. 
Looked up cowsay in ports and wrote an email to the maintainer. The email 
bounced back. 

Who would one email to in such a case?

Vivek

  Original Message  
From: simplersolut...@gmail.com
Sent: 12 April 2018 6:08 AM
To: pe...@bsdly.net
Cc: misc@openbsd.org
Subject: Re: Community-driven OpenBSD tutorials wiki?

On Fri, Jan 5, 2018 at 8:26 AM, Peter N. M. Hansteen  wrote:

>
> If you think you don't have the seniority to start submitting patches
> when you see a bug (even a typo in a man page or the faq), you're most
> likely wrong. Your first efforts will not be perfect of course, but if
> you put in the effort and are able to learn from constructive criticism,
> it's likely sooner or later you will be adding real value.
>

This.  I once submitted a patch to update THE PUBLIC WEBSITE (I
replaced some broken links with archived versions) and it was approved
without demur and on the website the next day.  If you have a change
to make and a patch to implement it, you can shape OpenBSD's future,
even if it's just to make sure the website has no broken links.
That's what keeps me coming back.



Re: Community-driven OpenBSD tutorials wiki?

2018-04-11 Thread Zeb Packard
Not a wiki, but if the mailing list is too busy, daemon forums
has a community-driven Guides and Howtos section.

http://daemonforums.org/forumdisplay.php?f=31


Re: pf: certain recursive macros causing syntax error

2018-04-11 Thread Theo de Raadt
Aham Brahmasmi  wrote:

> Hello misc,
> 
> Recursive macros which include macros containing certain specific
> characters cause syntax errors.
> 
> Steps
> $ cat pftemp.conf
> forwardslash = "100/10"
> #forwardslashrecursive = $forwardslash
> number = "100"
> numberrecursive = $number
> string = "keep"
> #stringrecursive = $string
> ip = "0.0.0.0"
> iprecursive = $ip
> interface = "em0"
> interfacerecursive = $interface
> 
> pass in on $interfacerecursive proto tcp from $iprecursive \
> $string state \
> (max-src-conn $numberrecursive, max-src-conn-rate $forwardslash)
> 
> $ pfctl -nf pftemp.conf
> 
> The above pf.conf is validated successfully by pfctl. However, removing
> the comments from the recursive versions of forwardslash and string
> macros cause syntax errors upon validation with pfctl.

You are failing to understand the problem.  Let me try to explain it.

In such a grammar, who consumes the "" marks?

Imagine this was the shell.  (I'm saying the shell, as one potential
grammar)

set forwardslash="100/10"
echo $forwardslash
"100/100"

No, what you get is
100/100

OK, if that is what happens, you would get

forwardslashrecursive = $forwardslash
converts to
forwardslashrecursive = 100/100

Which doesn't parse.

It is a question of who consumes the "".  Is it early, or is it late.
There are grammars which have a "string object" which retains the "" until
very late.  This isn't that grammar.

The domain-specific languages used in OpenBSD utilities don't work that
way, sorry.

We could change it 15 years after the fact, but any change we make
will break millions of configurations.

I should have done it differently back in 2001.
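
The early quote consumption described in the message above, as an added sketch that is not part of the original post and is not pfctl's parser: a toy lexer that drops the quotes when a macro is defined and re-lexes the bare value when the macro is expanded. The delimiter set `DELIMS` and the reserved words in `KEYWORDS` are assumptions chosen for illustration; the macro lines are the ones from the report with the comment markers removed.

```python
import re

# Assumptions for this toy model (not taken from pfctl's source):
DELIMS = set("/(){}<>!=#,")                   # characters that end a bare word
KEYWORDS = {"keep", "pass", "block", "state"}  # reserved words of the grammar


class MacroSyntaxError(Exception):
    pass


def tokenize(text):
    """Split text into (kind, value) tokens. Quotes are consumed here, early."""
    tokens, i = [], 0
    while i < len(text):
        c = text[i]
        if c.isspace():
            i += 1
        elif c == '"':
            end = text.find('"', i + 1)
            if end < 0:
                raise MacroSyntaxError("unterminated string")
            # Anything between quotes is one STRING; the quotes are gone after this.
            tokens.append(("STRING", text[i + 1:end]))
            i = end + 1
        elif c in DELIMS:
            tokens.append(("PUNCT", c))
            i += 1
        else:
            j = i
            while j < len(text) and not text[j].isspace() \
                    and text[j] not in DELIMS and text[j] != '"':
                j += 1
            word = text[i:j]
            if word in KEYWORDS:
                kind = "KEYWORD"
            elif word.isdigit():
                kind = "NUMBER"
            else:
                kind = "STRING"
            tokens.append((kind, word))
            i = j
    return tokens


def expand(text, macros):
    """Replace $name with the stored value, which no longer carries quotes."""
    def sub(match):
        name = match.group(1)
        if name not in macros:
            raise MacroSyntaxError(f"macro '{name}' not defined")
        return macros[name]
    return re.sub(r"\$(\w+)", sub, text)


def define(line, macros):
    """Handle `name = value`; the value must lex to STRING/NUMBER tokens only."""
    name, _, rhs = line.partition("=")
    name = name.strip()
    tokens = tokenize(expand(rhs, macros))
    if not tokens or any(kind not in ("STRING", "NUMBER") for kind, _ in tokens):
        raise MacroSyntaxError(f"syntax error defining {name}: {tokens}")
    macros[name] = " ".join(value for _, value in tokens)


# Macro lines from the report, with the two commented-out lines enabled.
SAMPLE = '''\
forwardslash = "100/10"
forwardslashrecursive = $forwardslash
number = "100"
numberrecursive = $number
string = "keep"
stringrecursive = $string
ip = "0.0.0.0"
iprecursive = $ip
interface = "em0"
interfacerecursive = $interface
'''


def load(text):
    """Return (accepted macros, names of rejected definitions)."""
    macros, rejected = {}, []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            define(line, macros)
        except MacroSyntaxError:
            rejected.append(line.split("=")[0].strip())
    return macros, rejected


if __name__ == "__main__":
    accepted, rejected = load(SAMPLE)
    print("accepted:", sorted(accepted))
    print("rejected:", rejected)
```

In this model the quoted definitions always succeed, while the re-lexed bare values `100/10` and `keep` no longer form a single string token, which matches the two definitions the report says fail.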



Re: Community-driven OpenBSD tutorials wiki?

2018-04-11 Thread Theo de Raadt
Aaron Mason  wrote:
> On Fri, Jan 5, 2018 at 8:26 AM, Peter N. M. Hansteen  wrote:
> 
> >
> > If you think you don't have the seniority to start submitting patches
> > when you see a bug (even a typo in a man page or the faq), you're most
> > likely wrong. Your first efforts will not be perfect of course, but if
> > you put in the effort and are able to learn from constructive criticism,
> > it's likely sooner or later you will be adding real value.
> >
> 
> This.  I once submitted a patch to update THE PUBLIC WEBSITE (I
> replaced some broken links with archived versions) and it was approved
> without demur and on the website the next day.  If you have a change
> to make and a patch to implement it, you can shape OpenBSD's future,
> even if it's just to make sure the website has no broken links.
> That's what keeps me coming back.

We rarely commit the proposed fixes that people didn't submit.
Good to keep in mind.

On the other hand, we do get flooded.  Keep that in mind also.



Re: Community-driven OpenBSD tutorials wiki?

2018-04-11 Thread Aaron Mason
On Fri, Jan 5, 2018 at 8:26 AM, Peter N. M. Hansteen  wrote:

>
> If you think you don't have the seniority to start submitting patches
> when you see a bug (even a typo in a man page or the faq), you're most
> likely wrong. Your first efforts will not be perfect of course, but if
> you put in the effort and are able to learn from constructive criticism,
> it's likely sooner or later you will be adding real value.
>

This.  I once submitted a patch to update THE PUBLIC WEBSITE (I
replaced some broken links with archived versions) and it was approved
without demur and on the website the next day.  If you have a change
to make and a patch to implement it, you can shape OpenBSD's future,
even if it's just to make sure the website has no broken links.
That's what keeps me coming back.



pf: certain recursive macros causing syntax error

2018-04-11 Thread Aham Brahmasmi
Hello misc,

Recursive macros which include macros containing certain specific
characters cause syntax errors.

Steps
$ cat pftemp.conf
forwardslash = "100/10"
#forwardslashrecursive = $forwardslash
number = "100"
numberrecursive = $number
string = "keep"
#stringrecursive = $string
ip = "0.0.0.0"
iprecursive = $ip
interface = "em0"
interfacerecursive = $interface

pass in on $interfacerecursive proto tcp from $iprecursive \
$string state \
(max-src-conn $numberrecursive, max-src-conn-rate $forwardslash)

$ pfctl -nf pftemp.conf

The above pf.conf is validated successfully by pfctl. However, removing
the comments from the recursive versions of forwardslash and string
macros cause syntax errors upon validation with pfctl.

Interestingly, not all macros containing number+character combinations
and strings get rejected by pfctl. In the above example, ip and
interface macros can be successfully used in a recursive macro.

Am I correct in drawing these conclusions? If yes, is there a listing
of these specific characters, which are allowed in recursive macros?

Regards,
ab
-|-|-|-|-|-|-|--



Fwd: httpd - serving index.html & index.php at the same time

2018-04-11 Thread Tom Smyth
Hi Mischa
 directory index "index.*"

To allow serving of index.php if it's in the directory or index.html if that
is in the directory.
When both are present in a directory I'm not sure what would happen though.

On Wed 11 Apr 2018, 21:55 Mischa,  wrote:

>
> > On 11 Apr 2018, at 22:53, Tom Smyth 
> wrote:
> >
> > Mischa
> > Hows it going ?
> > have you tried index.* for both html and php index support ?
> >
> > I have been bailed out by the * before on php apps with seo friendly urls
>
> Hey Tom!
> Doing well man... looking forward to see you again at EuroBSD!
>
> Not sure what you mean.
>
>
> >
> > On Wed 11 Apr 2018, 21:50 Mischa,  wrote:
> >
> >>
> >>> On 11 Apr 2018, at 22:40, Bryan Harris  wrote:
> >>>
> >>> I'll ask a dumb question. Why do you need extra root directives? Can't
> >> you
> >>> do this?
> >>>
> >>> location "^/phpapp/*" {
> >>> directory index "index.php"
> >>> }
> >>> location "*.php" {
> >>> fastcgi socket "/run/php-fmp.sock
> >>> }
> >>>
> >>> Bryan
> >>>
> >>
> >> Not a dumb question and good suggestion. When location is in the same
> root
> >> as defined you can indeed.
> >> When it's not you have to define an alternative root.
> >>
> >> Also when you want to "rewrite" certain URLs to index.php for example,
> you
> >> have to define it as well.
> >>
> >> Mischa
> >>
> >>> On Wed, Apr 11, 2018 at 10:32 AM, Mischa  wrote:
> >>>
> > On 11 Apr 2018, at 12:14, Gregory Edigarov 
> wrote:
> >
> > On 11.04.18 11:40, Mischa wrote
> >> Ok, good to know. It doesn't work as written. The only thing I see
> in
>  the error.log is the fact that the PHP script is not found.
> >>
> >> Access to the script '/htdocs/s/' has been denied (see
>  security.limit_extensions)
> >>
> >> Which tells me index.php is not requested.
> >>
> >> Browser tells me: File not found
> >>
> >> Running in debug mode it shows the following
> >>
> >> default 46.xx.xx.xx - - [11/Apr/2018:10:24:26 +0200] "GET /s/
> >> HTTP/1.1"
>  404 0 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0)
>  Gecko/20100101 Firefox/58.0"
> >> default 46.xx.xx.xx - - [11/Apr/2018:10:24:27 +0200] " "
> 408
> >> 0
>  "" ""
> >> server default, client 1 (1 active), 46.xx.xx.xx:4824 ->
> xx.xx.xx.xx,
>  timeout (408 Request Timeout)
> >> Primary script unknown
> >> default 46.xx.xx.xx - - [11/Apr/2018:10:24:27 +0200] "GET /s/
> >> HTTP/1.1"
>  404 0 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0)
>  Gecko/20100101 Firefox/58.0"
> >>
> >> Not sure what else to look at. :((
> > Did some tests.
> > here's how it works:
> >
> >   location "/test" {
> >   block return 301 "/test/"
> >   }
> >   location "/test/" {
> >   root strip 1
> >   root "/htdocs/phpapp"
> >   directory index "test.php"
> >   }
> >
> > note "root strip 1" directive.
> 
>  I had tried with strip 1 as well, it seems problem is with: fastcgi
> >> socket
>  "/run/php-fpm.sock"
>  The working end result is something like:
> 
>  server "default" {
>    listen on $ext_addr port 80
>    root "/htdocs/default"
>    location "^/phpapp/*" {
>    root { "/htdocs/phpapp", strip 1 }
>    directory index "index.php"
>    }
>    location match "^/phpapp/[%l%u%d]+$" {
>    root "/htdocs/phpapp/index.php"
>    fastcgi socket "/run/php-fpm.sock"
>    }
>    location "/*.php*" {
>    fastcgi socket "/run/php-fpm.sock"
>    }
>  }
> 
>  Thank you very much for your response and testing. Really appreciate
> it.
> 
>  Mischa
> 
> 
> >>>
> >>>
> >>> --
> >>> So the HP guy comes up to me and he says, 'If you say nasty things like
> >>> that to vendors you're not going to get anything'. I said 'no, in eight
> >>> years of saying nothing, we've got nothing, and I'm going to start
> saying
> >>> nasty things, in the hope that some of these vendors will start giving
> me
> >>> money so I'll shut up'.
> >>>
> >>> -Theo De Raadt
> >>
> >>
>
>


Re: httpd - serving index.html & index.php at the same time

2018-04-11 Thread Mischa

> On 11 Apr 2018, at 22:53, Tom Smyth  wrote:
> 
> Mischa
> Hows it going ?
> have you tried index.* for both html and php index support ?
> 
> I have been bailed out by the * before on php apps with seo friendly urls

Hey Tom!
Doing well man... looking forward to see you again at EuroBSD!

Not sure what you mean.


> 
> On Wed 11 Apr 2018, 21:50 Mischa,  wrote:
> 
>> 
>>> On 11 Apr 2018, at 22:40, Bryan Harris  wrote:
>>> 
>>> I'll ask a dumb question. Why do you need extra root directives? Can't
>> you
>>> do this?
>>> 
>>> location "^/phpapp/*" {
>>> directory index "index.php"
>>> }
>>> location "*.php" {
>>> fastcgi socket "/run/php-fmp.sock
>>> }
>>> 
>>> Bryan
>>> 
>> 
>> Not a dumb question and good suggestion. When location is in the same root
>> as defined you can indeed.
>> When it's not you have to define an alternative root.
>> 
>> Also when you want to "rewrite" certain URLs to index.php for example, you
>> have to define it as well.
>> 
>> Mischa
>> 
>>> On Wed, Apr 11, 2018 at 10:32 AM, Mischa  wrote:
>>> 
> On 11 Apr 2018, at 12:14, Gregory Edigarov  wrote:
> 
> On 11.04.18 11:40, Mischa wrote
>> Ok, good to know. It doesn't work as written. The only thing I see in
 the error.log is the fact that the PHP script is not found.
>> 
>> Access to the script '/htdocs/s/' has been denied (see
 security.limit_extensions)
>> 
>> Which tells me index.php is not requested.
>> 
>> Browser tells me: File not found
>> 
>> Running in debug mode it shows the following
>> 
>> default 46.xx.xx.xx - - [11/Apr/2018:10:24:26 +0200] "GET /s/
>> HTTP/1.1"
 404 0 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0)
 Gecko/20100101 Firefox/58.0"
>> default 46.xx.xx.xx - - [11/Apr/2018:10:24:27 +0200] " " 408
>> 0
 "" ""
>> server default, client 1 (1 active), 46.xx.xx.xx:4824 -> xx.xx.xx.xx,
 timeout (408 Request Timeout)
>> Primary script unknown
>> default 46.xx.xx.xx - - [11/Apr/2018:10:24:27 +0200] "GET /s/
>> HTTP/1.1"
 404 0 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0)
 Gecko/20100101 Firefox/58.0"
>> 
>> Not sure what else to look at. :((
> Did some tests.
> here's how it works:
> 
>   location "/test" {
>   block return 301 "/test/"
>   }
>   location "/test/" {
>   root strip 1
>   root "/htdocs/phpapp"
>   directory index "test.php"
>   }
> 
> note "root strip 1" directive.
 
 I had tried with strip 1 as well, it seems problem is with: fastcgi
>> socket
 "/run/php-fpm.sock"
 The working end result is something like:
 
 server "default" {
   listen on $ext_addr port 80
   root "/htdocs/default"
   location "^/phpapp/*" {
   root { "/htdocs/phpapp", strip 1 }
   directory index "index.php"
   }
   location match "^/phpapp/[%l%u%d]+$" {
   root "/htdocs/phpapp/index.php"
   fastcgi socket "/run/php-fpm.sock"
   }
   location "/*.php*" {
   fastcgi socket "/run/php-fpm.sock"
   }
 }
 
 Thank you very much for your response and testing. Really appreciate it.
 
 Mischa
 
 
>>> 
>>> 
>>> --
>>> So the HP guy comes up to me and he says, 'If you say nasty things like
>>> that to vendors you're not going to get anything'. I said 'no, in eight
>>> years of saying nothing, we've got nothing, and I'm going to start saying
>>> nasty things, in the hope that some of these vendors will start giving me
>>> money so I'll shut up'.
>>> 
>>> -Theo De Raadt
>> 
>> 



Re: httpd - serving index.html & index.php at the same time

2018-04-11 Thread Tom Smyth
Mischa
How's it going?
Have you tried index.* for both html and php index support?

I have been bailed out by the * before on php apps with seo friendly urls

On Wed 11 Apr 2018, 21:50 Mischa,  wrote:

>
> > On 11 Apr 2018, at 22:40, Bryan Harris  wrote:
> >
> > I'll ask a dumb question. Why do you need extra root directives? Can't
> you
> > do this?
> >
> > location "^/phpapp/*" {
> >  directory index "index.php"
> > }
> > location "*.php" {
> >  fastcgi socket "/run/php-fmp.sock
> > }
> >
> > Bryan
> >
>
> Not a dumb question and good suggestion. When location is in the same root
> as defined you can indeed.
> When it's not you have to define an alternative root.
>
> Also when you want to "rewrite" certain URLs to index.php for example, you
> have to define it as well.
>
> Mischa
>
> > On Wed, Apr 11, 2018 at 10:32 AM, Mischa  wrote:
> >
> >>> On 11 Apr 2018, at 12:14, Gregory Edigarov  wrote:
> >>>
> >>> On 11.04.18 11:40, Mischa wrote
>  Ok, good to know. It doesn't work as written. The only thing I see in
> >> the error.log is the fact that the PHP script is not found.
> 
>  Access to the script '/htdocs/s/' has been denied (see
> >> security.limit_extensions)
> 
>  Which tells me index.php is not requested.
> 
>  Browser tells me: File not found
> 
>  Running in debug mode it shows the following
> 
>  default 46.xx.xx.xx - - [11/Apr/2018:10:24:26 +0200] "GET /s/
> HTTP/1.1"
> >> 404 0 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0)
> >> Gecko/20100101 Firefox/58.0"
>  default 46.xx.xx.xx - - [11/Apr/2018:10:24:27 +0200] " " 408
> 0
> >> "" ""
>  server default, client 1 (1 active), 46.xx.xx.xx:4824 -> xx.xx.xx.xx,
> >> timeout (408 Request Timeout)
>  Primary script unknown
>  default 46.xx.xx.xx - - [11/Apr/2018:10:24:27 +0200] "GET /s/
> HTTP/1.1"
> >> 404 0 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0)
> >> Gecko/20100101 Firefox/58.0"
> 
>  Not sure what else to look at. :((
> >>> Did some tests.
> >>> here's how it works:
> >>>
> >>>location "/test" {
> >>>block return 301 "/test/"
> >>>}
> >>>location "/test/" {
> >>>root strip 1
> >>>root "/htdocs/phpapp"
> >>>directory index "test.php"
> >>>}
> >>>
> >>> note "root strip 1" directive.
> >>
> >> I had tried with strip 1 as well, it seems problem is with: fastcgi
> socket
> >> "/run/php-fpm.sock"
> >> The working end result is something like:
> >>
> >> server "default" {
> >>listen on $ext_addr port 80
> >>root "/htdocs/default"
> >>location "^/phpapp/*" {
> >>root { "/htdocs/phpapp", strip 1 }
> >>directory index "index.php"
> >>}
> >>location match "^/phpapp/[%l%u%d]+$" {
> >>root "/htdocs/phpapp/index.php"
> >>fastcgi socket "/run/php-fpm.sock"
> >>}
> >>location "/*.php*" {
> >>fastcgi socket "/run/php-fpm.sock"
> >>}
> >> }
> >>
> >> Thank you very much for your response and testing. Really appreciate it.
> >>
> >> Mischa
> >>
> >>
> >
> >
> > --
> > So the HP guy comes up to me and he says, 'If you say nasty things like
> > that to vendors you're not going to get anything'. I said 'no, in eight
> > years of saying nothing, we've got nothing, and I'm going to start saying
> > nasty things, in the hope that some of these vendors will start giving me
> > money so I'll shut up'.
> >
> > -Theo De Raadt
>
>


Re: httpd - serving index.html & index.php at the same time

2018-04-11 Thread Mischa

> On 11 Apr 2018, at 22:40, Bryan Harris  wrote:
> 
> I'll ask a dumb question. Why do you need extra root directives? Can't you
> do this?
> 
> location "^/phpapp/*" {
>  directory index "index.php"
> }
> location "*.php" {
>  fastcgi socket "/run/php-fmp.sock
> }
> 
> Bryan
> 

Not a dumb question and good suggestion. When location is in the same root as 
defined you can indeed.
When it's not you have to define an alternative root.

Also when you want to "rewrite" certain URLs to index.php for example, you have 
to define it as well.

Mischa

> On Wed, Apr 11, 2018 at 10:32 AM, Mischa  wrote:
> 
>>> On 11 Apr 2018, at 12:14, Gregory Edigarov  wrote:
>>> 
>>> On 11.04.18 11:40, Mischa wrote
 Ok, good to know. It doesn't work as written. The only thing I see in
>> the error.log is the fact that the PHP script is not found.
 
 Access to the script '/htdocs/s/' has been denied (see
>> security.limit_extensions)
 
 Which tells me index.php is not requested.
 
 Browser tells me: File not found
 
 Running in debug mode it shows the following
 
 default 46.xx.xx.xx - - [11/Apr/2018:10:24:26 +0200] "GET /s/ HTTP/1.1"
>> 404 0 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0)
>> Gecko/20100101 Firefox/58.0"
 default 46.xx.xx.xx - - [11/Apr/2018:10:24:27 +0200] " " 408 0
>> "" ""
 server default, client 1 (1 active), 46.xx.xx.xx:4824 -> xx.xx.xx.xx,
>> timeout (408 Request Timeout)
 Primary script unknown
 default 46.xx.xx.xx - - [11/Apr/2018:10:24:27 +0200] "GET /s/ HTTP/1.1"
>> 404 0 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0)
>> Gecko/20100101 Firefox/58.0"
 
 Not sure what else to look at. :((
>>> Did some tests.
>>> here's how it works:
>>> 
>>>location "/test" {
>>>block return 301 "/test/"
>>>}
>>>location "/test/" {
>>>root strip 1
>>>root "/htdocs/phpapp"
>>>directory index "test.php"
>>>}
>>> 
>>> note "root strip 1" directive.
>> 
>> I had tried with strip 1 as well, it seems problem is with: fastcgi socket
>> "/run/php-fpm.sock"
>> The working end result is something like:
>> 
>> server "default" {
>>listen on $ext_addr port 80
>>root "/htdocs/default"
>>location "^/phpapp/*" {
>>root { "/htdocs/phpapp", strip 1 }
>>directory index "index.php"
>>}
>>location match "^/phpapp/[%l%u%d]+$" {
>>root "/htdocs/phpapp/index.php"
>>fastcgi socket "/run/php-fpm.sock"
>>}
>>location "/*.php*" {
>>fastcgi socket "/run/php-fpm.sock"
>>}
>> }
>> 
>> Thank you very much for your response and testing. Really appreciate it.
>> 
>> Mischa
>> 
>> 
> 
> 
> -- 
> So the HP guy comes up to me and he says, 'If you say nasty things like
> that to vendors you're not going to get anything'. I said 'no, in eight
> years of saying nothing, we've got nothing, and I'm going to start saying
> nasty things, in the hope that some of these vendors will start giving me
> money so I'll shut up'.
> 
> -Theo De Raadt



Re: signify and ftp.eu.openbsd.org

2018-04-11 Thread Peter J. Philipp
On Wed, Apr 11, 2018 at 10:20:37PM +0200, Paul de Weerd wrote:
> ftp doesn't do this itself, but the error detection in tcp and ssl
> (ok, so that's linked into the ftp binary) do.
> 
> The file is unlikely to have been changed in flight.

OK, odd. What I find odd is that the SHA256.sig file I got (which was
downloaded after the .iso) differs from the very first time I made contact
with ftp.eu today with the SHA256.sig that I downloaded to verify.  Could
this be an atomicity thing with the FTP mirror?



> | 4. Is it possible that there was an attack on the OpenBSD network 
> infrastructure?
> 
> Unlikely.  Probably, the bytes you got match 1:1 with the file I got,
> minus those last 4096 bytes.  There's probably nothing all that
> interesting in those last 4K of the ISO, so my guess would be that
> everything would still be fine.  You can verify that by checking the
> contents of the mounted file system against the SHA256 file.
> 
> | 5. Or mine?
> 
> Also unlikely.  Could the download have been interrupted at the last
> moment?

Not by me with any signals, I let the download finish.  Theo does want me to
investigate this box because it has problems waking/sleeping, and I was going
to do that tonight but now it's too late, this signature anomaly wasted my
time for tonight.  It's entirely possible the drive is dying on it.  After
swapping SATA cables I think I'll put an SSD in it.

Thanks Paul (and everyone else in this thread).

-peter

> Cheers,
> 
> Paul



Re: httpd - serving index.html & index.php at the same time

2018-04-11 Thread Bryan Harris
I'll ask a dumb question. Why do you need extra root directives? Can't you
do this?

location "^/phpapp/*" {
  directory index "index.php"
}
location "*.php" {
  fastcgi socket "/run/php-fpm.sock"
}

Bryan

On Wed, Apr 11, 2018 at 10:32 AM, Mischa  wrote:

> > On 11 Apr 2018, at 12:14, Gregory Edigarov  wrote:
> >
> > On 11.04.18 11:40, Mischa wrote
> >> Ok, good to know. It doesn't work as written. The only thing I see in
> the error.log is the fact that the PHP script is not found.
> >>
> >> Access to the script '/htdocs/s/' has been denied (see
> security.limit_extensions)
> >>
> >> Which tells me index.php is not requested.
> >>
> >> Browser tells me: File not found
> >>
> >> Running in debug mode it shows the following
> >>
> >> default 46.xx.xx.xx - - [11/Apr/2018:10:24:26 +0200] "GET /s/ HTTP/1.1"
> 404 0 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0)
> Gecko/20100101 Firefox/58.0"
> >> default 46.xx.xx.xx - - [11/Apr/2018:10:24:27 +0200] " " 408 0
> "" ""
> >> server default, client 1 (1 active), 46.xx.xx.xx:4824 -> xx.xx.xx.xx,
> timeout (408 Request Timeout)
> >> Primary script unknown
> >> default 46.xx.xx.xx - - [11/Apr/2018:10:24:27 +0200] "GET /s/ HTTP/1.1"
> 404 0 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0)
> Gecko/20100101 Firefox/58.0"
> >>
> >> Not sure what else to look at. :((
> > Did some tests.
> > here's how it works:
> >
> > location "/test" {
> > block return 301 "/test/"
> > }
> > location "/test/" {
> > root strip 1
> > root "/htdocs/phpapp"
> > directory index "test.php"
> > }
> >
> > note "root strip 1" directive.
>
> I had tried with strip 1 as well, it seems problem is with: fastcgi socket
> "/run/php-fpm.sock"
> The working end result is something like:
>
> server "default" {
> listen on $ext_addr port 80
> root "/htdocs/default"
> location "^/phpapp/*" {
> root { "/htdocs/phpapp", strip 1 }
> directory index "index.php"
> }
> location match "^/phpapp/[%l%u%d]+$" {
> root "/htdocs/phpapp/index.php"
> fastcgi socket "/run/php-fpm.sock"
> }
> location "/*.php*" {
> fastcgi socket "/run/php-fpm.sock"
> }
> }
>
> Thank you very much for your response and testing. Really appreciate it.
>
> Mischa
>
>


-- 
So the HP guy comes up to me and he says, 'If you say nasty things like
that to vendors you're not going to get anything'. I said 'no, in eight
years of saying nothing, we've got nothing, and I'm going to start saying
nasty things, in the hope that some of these vendors will start giving me
money so I'll shut up'.

 -Theo De Raadt


Re: signify and ftp.eu.openbsd.org

2018-04-11 Thread Paul de Weerd
On Wed, Apr 11, 2018 at 09:52:41PM +0200, Peter J. Philipp wrote:
| So I re-downloaded this file on another machine.  It turned out to have your
| checksum (sha256 -b) and upon downloading another SHA256.sig it signify'ed 
| correctly.  But this leads me to ask questions:
| 
| 1. doesn't the https mode ftp use some sort of authentication/integrity 
| checking while it's downloading?  It's encrypted and anyone with a bit of
| knowledge knows that if encryption is changed in-flight it will flip bits,
| but with a MAC/HMAC/GMAC it should detect any anomalies.  Does ftp not check
| for this?

ftp doesn't do this itself, but the error detection in tcp and ssl
(ok, so that's linked into the ftp binary) do.

The file is unlikely to have been changed in flight.

| 2. I use quite recently a new unencrypted wifi network but I have IPSEC enabled
| which uses aes-256 and auth hmac-sha2-256:
| 
| SAD:
| esp tunnel from fd43:5602:29bd:16:0:dead:beef:16 to fd43:5602:29bd:16:0:dead:beef:1 spi 0x6ab04db8 auth hmac-sha2-256 enc aes-256
| esp tunnel from fd43:5602:29bd:16:0:dead:beef:1 to fd43:5602:29bd:16:0:dead:beef:16 spi 0x780a14d0 auth hmac-sha2-256 enc aes-256
| 
| It is entirely possible that my IPSEC was off minutely and the gif tunnel
| inside it was not protected, but there was still the https...

This is probably also not relevant to the result you got.

| 3. The argument that this may have been modified by ftpmirror (or similar
| software) is good but I stat'ed the file and it's larger than what was
| downloaded by us on the second try.  A cmp -l shows a lot of differences...
| here is the stat:
| theta$ touch test
| theta$ date
| Wed Apr 11 21:45:16 CEST 2018
| theta$ stat test
| 1034 8616981 -rw-r--r-- 1 pjp pjp 0 0 "Apr 11 21:45:15 2018" "Apr 11 21:45:15 2018" "Apr 11 21:45:15 2018" 32768 0 0 test
| theta$ stat install63.iso
| 1034 8616961 -rw-r--r-- 1 pjp pjp 34424768 355905536 "Apr 11 20:59:23 2018" "Apr 11 19:33:47 2018" "Apr 11 19:33:47 2018" 32768 695360 0 install63.iso

That's actually *smaller* than what I have here.  The install63.iso I
got is 355909632 bytes in size.  Your file is missing 4096 bytes.

| I did mount this iso with vnconfig is it possible that it was modified then?  
| (and grew?).

No, vnd's don't grow in size during mount.  Their atime may change,
but I don't think much else will (not in the case of ISOs, which are
read-only by nature).

| 4. Is it possible that there was an attack on the OpenBSD network
| infrastructure?

Unlikely.  Probably, the bytes you got match 1:1 with the file I got,
minus those last 4096 bytes.  There's probably nothing all that
interesting in those last 4K of the ISO, so my guess would be that
everything would still be fine.  You can verify that by checking the
contents of the mounted file system against the SHA256 file.

| 5. Or mine?

Also unlikely.  Could the download have been interrupted at the last
moment?

Cheers,

Paul

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
 http://www.weirdnet.nl/ 
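
A way to test the two hypotheses raised in this thread (a download cut short by 4096 bytes versus files from two different snapshots), as an added example that is not part of the original message: compare the copy that failed verification with a re-download that verified OK, and report whether it is a pure truncation or whether the content diverges. The function names and the small sample files are constructed for illustration; no real ISO is involved.

```python
import base64
import hashlib
import os
import tempfile


def sha256_b64(path, chunk=1 << 20):
    """Base64-encoded SHA-256 of a file, the form `sha256 -b` prints."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return base64.b64encode(digest.digest()).decode()


def compare_copies(suspect, reference, chunk=1 << 20):
    """Classify how `suspect` differs from a copy that verified OK.

    verdict is one of:
      identical  same size, same bytes
      truncated  suspect is a strict prefix of reference (download cut short)
      extended   reference is a strict prefix of suspect
      diverged   bytes differ inside the common length (e.g. another snapshot)
    """
    s_size = os.path.getsize(suspect)
    r_size = os.path.getsize(reference)
    first_diff, offset = None, 0
    with open(suspect, "rb") as s, open(reference, "rb") as r:
        while first_diff is None:
            a, b = s.read(chunk), r.read(chunk)
            n = min(len(a), len(b))
            if n == 0:          # one of the files is exhausted
                break
            if a[:n] != b[:n]:
                first_diff = offset + next(i for i in range(n) if a[i] != b[i])
            offset += n
    if first_diff is not None:
        verdict = "diverged"
    elif s_size == r_size:
        verdict = "identical"
    elif s_size < r_size:
        verdict = "truncated"
    else:
        verdict = "extended"
    return {"verdict": verdict,
            "size_delta": s_size - r_size,
            "first_diff": first_diff}


def demo():
    """Classify constructed sample files standing in for the two downloads."""
    with tempfile.TemporaryDirectory() as tmp:
        good = bytes(range(256)) * 48            # 12288 constructed bytes
        samples = {
            "identical": good,
            "truncated": good[:-4096],           # last 4096 bytes missing
            "diverged": good[:5000] + b"\xff" + good[5001:],
        }
        reference = os.path.join(tmp, "reference.iso")
        with open(reference, "wb") as f:
            f.write(good)
        results = {}
        for name, data in samples.items():
            path = os.path.join(tmp, name + ".iso")
            with open(path, "wb") as f:
                f.write(data)
            result = compare_copies(path, reference, chunk=4096)
            result["sha256_matches"] = sha256_b64(path) == sha256_b64(reference)
            results[name] = result
        return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A `truncated` verdict with `size_delta` of -4096 would fit an interrupted transfer or failing storage; `diverged` would fit a mirror that changed snapshots between the two fetches. Either way, the signify check against SHA256.sig remains the authority on which copy is good.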



Re: signify and ftp.eu.openbsd.org

2018-04-11 Thread Peter J. Philipp
On Wed, Apr 11, 2018 at 08:45:40PM +0200, Paul de Weerd wrote:
> Hi Peter,

Hello Paul,

> I downloaded those exact two files from the same IP addresses and the
> signature verified OK for me:
> 
> [weerd@pom] $ ftp -4 https://ftp.eu.openbsd.org/pub/OpenBSD/snapshots/amd64/i 
> >
> Trying 193.156.26.18...
> Requesting 
> https://ftp.eu.openbsd.org/pub/OpenBSD/snapshots/amd64/install63.iso
> 100% |**|   339 MB 01:41
> 355909632 bytes received in 101.67 seconds (3.34 MB/s)
> [weerd@pom] $ nBSD/snapshots/amd64/SHA256.sig 
> <
> Trying 193.156.26.18...
> Requesting
> https://ftp.eu.openbsd.org/pub/OpenBSD/snapshots/amd64/SHA256.sig
> 100% |**|  2152 00:00
> 2152 bytes received in 0.00 seconds (1.02 MB/s)
> [weerd@pom] $ sd-63-base.pub -x SHA256.sig install63.iso  
> <
> Signature Verified
> install63.iso: OK
> 
> (Note that I forced IPv4 as IPv6 was rather slow for me, but both
> addresses match what your dig gave you).
> 
> So, some options:
> 
> Maybe you caught the mirror mid-update.  Perhaps a bit fell over due
> to cosmic radiation hitting your machine at the wrong moment,
> affecting a bit of RAM.  Maybe your storage medium is dying.
> 
> Could be various reasons why it failed; can you try again and see if
> it still fails?  Try also on another machine, if you have one around.
> I got WxAW3clMg3BLs/NBq58q9lMGlWFQLAOW5ToeltQlSyU= as a sha256 hash.
> 
> Cheers,
> 
> Paul 'WEiRD' de Weerd

So I re-downloaded this file on another machine.  It turned out to have your
checksum (sha256 -b) and upon downloading another SHA256.sig it signify'ed 
correctly.  But this leads me to ask questions:

1. doesn't the https mode ftp use some sort of authentication/integrity 
checking while it's downloading?  It's encrypted and anyone with a bit of
knowledge knows that if encryption is changed in-flight it will flip bits,
but with a MAC/HMAC/GMAC it should detect any anomalies.  Does ftp not check
for this?

2. I use quite recently a new unencrypted wifi network but I have IPSEC enabled
which uses aes-256 and auth hmac-sha2-256:

SAD:
esp tunnel from fd43:5602:29bd:16:0:dead:beef:16 to fd43:5602:29bd:16:0:dead:beef:1 spi 0x6ab04db8 auth hmac-sha2-256 enc aes-256
esp tunnel from fd43:5602:29bd:16:0:dead:beef:1 to fd43:5602:29bd:16:0:dead:beef:16 spi 0x780a14d0 auth hmac-sha2-256 enc aes-256

It is entirely possible that my IPSEC was off minutely and the gif tunnel
inside it was not protected, but there was still the https...

3. The argument that this may have been modified by ftpmirror (or similar
software) is good but I stat'ed the file and it's larger than what was
downloaded by us on the second try.  A cmp -l shows a lot of differences...
here is the stat:
theta$ touch test
theta$ date
Wed Apr 11 21:45:16 CEST 2018
theta$ stat test
1034 8616981 -rw-r--r-- 1 pjp pjp 0 0 "Apr 11 21:45:15 2018" "Apr 11 21:45:15 2018" "Apr 11 21:45:15 2018" 32768 0 0 test
theta$ stat install63.iso
1034 8616961 -rw-r--r-- 1 pjp pjp 34424768 355905536 "Apr 11 20:59:23 2018" "Apr 11 19:33:47 2018" "Apr 11 19:33:47 2018" 32768 695360 0 install63.iso

I did mount this iso with vnconfig is it possible that it was modified then?  
(and grew?).

4. Is it possible that there was an attack on the OpenBSD network 
infrastructure?

5. Or mine?

Best regards,
-peter



Re: signify and ftp.eu.openbsd.org

2018-04-11 Thread Stuart Henderson
On 2018-04-11, Peter J. Philipp  wrote:
> Sorry to be writing this twice.  Not my day.
>
> The complete path where I downloaded this from was
> https://ftp.eu.openbsd.org/pub/OpenBSD/snapshots/amd64/install63.iso
>
> including the SHA256.sig which I check against.
>
> Also:
>
> beta$ dig ftp.eu.openbsd.org +short
> 193.156.26.18
> beta$ dig ftp.eu.openbsd.org +short 
> 2001:700:3:4017::100
>
> that is in my DNS cache is this all correct?
>
> Best Regards,
>
> -peter
>
>
> On 04/11/18 19:54, Peter J. Philipp wrote:
>> Hi,
>>
>> I just downloaded this install63.iso from https://ftp.eu.openbsd.org:
>>
>> beta$  signify -C -p /etc/signify/openbsd-63-base.pub \   
>>> -x SHA256.sig bsd
>> Signature Verified
>> bsd: OK
>> beta$  signify -C -p /etc/signify/openbsd-63-base.pub \ 
>>> -x SHA256.sig install63.iso
>> Signature Verified
>> install63.iso: FAIL
>> beta$ sha256 -C SHA256 install63.iso 
>>   
>> (SHA256) install63.iso: FAILED
>>
>> What's going on ?  Why has the checksum failed?
>>
>> Regards,
>> -peter
>
>

A new snapshot may have been produced while the files were transferring,
so SHA256.sig is from one snapshot and install63.iso from another.

If you try another mirror at the same time and get the same error and
file contents from both, it's quite likely that is what happened.




IPsec on enc0: icmp echo requests not decrypted?

2018-04-11 Thread Johan Hattne
Dear all;

I’m trying to set up IPSec between two hosts; for now I’m not worrying about 
any networks these hosts might be gatewaying.  The OpenBSD 6.2 host at a.a.a.a 
runs on an old SGI machine and has /etc/ipsec.conf:

  ike esp tunnel from a.a.a.a to b.b.b.b local a.a.a.a peer b.b.b.b psk my_secret

The other end is a Linux host running racoon.  The tunnel is established, and 
when pinging from b.b.b.b to a.a.a.a, I can see the packets with tcpdump:

  $ tcpdump -nlp -i fxp0 -s 1500 | grep b.b.b.b  
  tcpdump: listening on fxp0, link-type EN10MB
  00:21:58.808868 esp b.b.b.b > a.a.a.a spi 0x01256dc7 seq 280 len 132 (DF) [tos 0x28]
  ...

I can also decrypt the packets.  However, nothing shows up on enc0 ("tcpdump 
-nlp -i enc0 -s 1500" is silent) and consequently, there is no reply to the 
echo request. pf is involved, but it has

  set skip on enc0
  ...
  pass in  on fxp0 proto udp from b.b.b.b to a.a.a.a port {500, 4500}
  pass out on fxp0 proto udp from a.a.a.a to b.b.b.b port {500, 4500}

  pass in  on fxp0 proto esp from b.b.b.b to a.a.a.a
  pass out on fxp0 proto esp from a.a.a.a to b.b.b.b

  pass in  on enc0 proto ipencap from b.b.b.b to a.a.a.a keep state (if-bound)
  pass out on enc0 proto ipencap from a.a.a.a to b.b.b.b keep state (if-bound)

I don’t know where to look next.  Hints?

// Best wishes; Johan



Re: signify and ftp.eu.openbsd.org

2018-04-11 Thread Paul de Weerd
Hi Peter,

On Wed, Apr 11, 2018 at 07:58:56PM +0200, Peter J. Philipp wrote:
| Sorry to be writing this twice.  Not my day.
| 
| The complete path where I downloaded this from was
| https://ftp.eu.openbsd.org/pub/OpenBSD/snapshots/amd64/install63.iso
| 
| including the SHA256.sig which I check against.
| 
| Also:
| 
| beta$ dig ftp.eu.openbsd.org +short
| 193.156.26.18
| beta$ dig ftp.eu.openbsd.org +short 
| 2001:700:3:4017::100

I downloaded those exact two files from the same IP addresses and the
signature verified OK for me:

[weerd@pom] $ ftp -4 https://ftp.eu.openbsd.org/pub/OpenBSD/snapshots/amd64/i >
Trying 193.156.26.18...
Requesting https://ftp.eu.openbsd.org/pub/OpenBSD/snapshots/amd64/install63.iso
100% |**|   339 MB 01:41
355909632 bytes received in 101.67 seconds (3.34 MB/s)
[weerd@pom] $ nBSD/snapshots/amd64/SHA256.sig <
Trying 193.156.26.18...
Requesting
https://ftp.eu.openbsd.org/pub/OpenBSD/snapshots/amd64/SHA256.sig
100% |**|  2152 00:00
2152 bytes received in 0.00 seconds (1.02 MB/s)
[weerd@pom] $ sd-63-base.pub -x SHA256.sig install63.iso  <
Signature Verified
install63.iso: OK

(Note that I forced IPv4 as IPv6 was rather slow for me, but both
addresses match what your dig gave you).

So, some options:

Maybe you caught the mirror mid-update.  Perhaps a bit fell over due
to cosmic radiation hitting your machine at the wrong moment,
affecting a bit of RAM.  Maybe your storage medium is dying.

Could be various reasons why it failed; can you try again and see if
it still fails?  Try also on another machine, if you have one around.
I got WxAW3clMg3BLs/NBq58q9lMGlWFQLAOW5ToeltQlSyU= as a sha256 hash.

Cheers,

Paul 'WEiRD' de Weerd

| That is in my DNS cache; is this all correct?
| 
| Best Regards,
| 
| -peter
| 
| 
| On 04/11/18 19:54, Peter J. Philipp wrote:
| > Hi,
| >
| > I just downloaded this install63.iso from https://ftp.eu.openbsd.org:
| >
| > beta$  signify -C -p /etc/signify/openbsd-63-base.pub \   
| >> -x SHA256.sig bsd
| > Signature Verified
| > bsd: OK
| > beta$  signify -C -p /etc/signify/openbsd-63-base.pub \ 
| >> -x SHA256.sig install63.iso
| > Signature Verified
| > install63.iso: FAIL
| > beta$ sha256 -C SHA256 install63.iso
   
| > (SHA256) install63.iso: FAILED
| >
| > What's going on ?  Why has the checksum failed?
| >
| > Regards,
| > -peter
| 

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
 http://www.weirdnet.nl/ 
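
The mixed-snapshot case suggested in the replies above, as an added example that is not part of the original messages: a Python sketch of the comparison that `sha256 -C` performs against the checksum list, accepting both the hex form and the base64 form of a digest (the form of the hash quoted above). The file contents and the signature line are constructed placeholders, the helper names are made up for this example, and it does not verify the signify signature, which has to pass before the list is trusted.

```python
import base64
import hashlib
import os
import re
import tempfile

# BSD-style checksum line as found in SHA256 and in the body of SHA256.sig.
CHECKSUM_RE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>\S+)$")


def decode_digest(text):
    """Accept the hex form (64 chars) or the base64 form of a SHA-256 digest."""
    if len(text) == 64:
        raw = bytes.fromhex(text)
    else:
        raw = base64.b64decode(text, validate=True)
    if len(raw) != 32:
        raise ValueError("not a SHA-256 digest: %r" % text)
    return raw


def parse_checksum_list(text):
    """Return {filename: digest bytes}; non-checksum lines (the two signify
    header lines at the top of SHA256.sig) do not match and are skipped."""
    entries = {}
    for line in text.splitlines():
        m = CHECKSUM_RE.match(line.strip())
        if m:
            entries[m.group("name")] = decode_digest(m.group("digest"))
    return entries


def sha256_file(path):
    """Hash a file in chunks; return (digest bytes, size in bytes)."""
    h, size = hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
            size += len(chunk)
    return h.digest(), size


def check(list_text, directory, names):
    """Compare each named file with the list; report status, size, both encodings."""
    expected = parse_checksum_list(list_text)
    report = {}
    for name in names:
        path = os.path.join(directory, name)
        if name not in expected:
            report[name] = {"status": "NOT LISTED"}
        elif not os.path.exists(path):
            report[name] = {"status": "MISSING"}
        else:
            digest, size = sha256_file(path)
            report[name] = {
                "status": "OK" if digest == expected[name] else "FAIL",
                "size": size,
                "hex": digest.hex(),
                "base64": base64.b64encode(digest).decode(),
            }
    return report


def make_checksum_list(files):
    """Constructed stand-in for SHA256.sig; the signature line is a placeholder."""
    lines = ["untrusted comment: constructed example", "PLACEHOLDER-SIGNATURE"]
    for name, data in files.items():
        lines.append("SHA256 (%s) = %s" % (name, hashlib.sha256(data).hexdigest()))
    return "\n".join(lines) + "\n"


def write(directory, name, data):
    with open(os.path.join(directory, name), "wb") as fh:
        fh.write(data)


def mixed_snapshot_demo():
    """List and bsd come from snapshot A, install63.iso from snapshot B."""
    snap_a = {"bsd": b"kernel, build A", "install63.iso": b"iso, build A"}
    snap_b = {"bsd": b"kernel, build B", "install63.iso": b"iso, build B (larger)"}
    names = ["bsd", "install63.iso"]
    with tempfile.TemporaryDirectory() as d:
        write(d, "bsd", snap_a["bsd"])
        write(d, "install63.iso", snap_b["install63.iso"])
        mixed = check(make_checksum_list(snap_a), d, names)
        # Fetching list and files again, all from the same snapshot, clears it.
        write(d, "bsd", snap_b["bsd"])
        refetched = check(make_checksum_list(snap_b), d, names)
    return mixed, refetched


if __name__ == "__main__":
    for label, report in zip(("mixed", "refetched"), mixed_snapshot_demo()):
        for name, r in report.items():
            print(label, name, r["status"], r.get("size"), r.get("base64"))
```

Comparing the reported size and digest across two machines or two mirrors separates a list/file mismatch from local corruption: identical bytes everywhere that still fail point at the list being from a different snapshot.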



Re: signify and ftp.eu.openbsd.org

2018-04-11 Thread Peter J. Philipp
Sorry to be writing this twice.  Not my day.

The complete path where I downloaded this from was
https://ftp.eu.openbsd.org/pub/OpenBSD/snapshots/amd64/install63.iso

including the SHA256.sig which I check against.

Also:

beta$ dig ftp.eu.openbsd.org +short
193.156.26.18
beta$ dig ftp.eu.openbsd.org +short 
2001:700:3:4017::100

That is in my DNS cache; is this all correct?

Best Regards,

-peter


On 04/11/18 19:54, Peter J. Philipp wrote:
> Hi,
>
> I just downloaded this install63.iso from https://ftp.eu.openbsd.org:
>
> beta$  signify -C -p /etc/signify/openbsd-63-base.pub \   
>> -x SHA256.sig bsd
> Signature Verified
> bsd: OK
> beta$  signify -C -p /etc/signify/openbsd-63-base.pub \ 
>> -x SHA256.sig install63.iso
> Signature Verified
> install63.iso: FAIL
> beta$ sha256 -C SHA256 install63.iso  
>  
> (SHA256) install63.iso: FAILED
>
> What's going on ?  Why has the checksum failed?
>
> Regards,
> -peter



signify and ftp.eu.openbsd.org

2018-04-11 Thread Peter J. Philipp
Hi,

I just downloaded this install63.iso from https://ftp.eu.openbsd.org:

beta$  signify -C -p /etc/signify/openbsd-63-base.pub \   
> -x SHA256.sig bsd
Signature Verified
bsd: OK
beta$  signify -C -p /etc/signify/openbsd-63-base.pub \ 
> -x SHA256.sig install63.iso
Signature Verified
install63.iso: FAIL
beta$ sha256 -C SHA256 install63.iso   
(SHA256) install63.iso: FAILED

What's going on ?  Why has the checksum failed?

Regards,
-peter



Re: 4-ports router under $150

2018-04-11 Thread Todd C. Miller
On Wed, 11 Apr 2018 10:49:54 +0300, lilit-aibolit wrote:

> Hi, I've been looking for more than one year to get something similar 
> until I found this:
>
> https://pt.aliexpress.com/item/Celeron-J1900-Mini-pc-free-shipping-micro-sd-two-usb-and-four-lan-laptop-overwatch-Computer/32794678352.html?spm
>
> I already got and tested it and it works fine.

Can you access the BIOS from the serial port or only via VGA?

 - todd



Re: httpd - serving index.html & index.php at the same time

2018-04-11 Thread Mischa
> On 11 Apr 2018, at 12:14, Gregory Edigarov  wrote:
> 
> On 11.04.18 11:40, Mischa wrote
>> Ok, good to know. It doesn't work as written. The only thing I see in the 
>> error.log is the fact that the PHP script is not found.
>> 
>> Access to the script '/htdocs/s/' has been denied (see 
>> security.limit_extensions)
>> 
>> Which tells me index.php is not requested.
>> 
>> Browser tells me: File not found
>> 
>> Running in debug mode it shows the following
>> 
>> default 46.xx.xx.xx - - [11/Apr/2018:10:24:26 +0200] "GET /s/ HTTP/1.1" 404 
>> 0 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0) Gecko/20100101 
>> Firefox/58.0"
>> default 46.xx.xx.xx - - [11/Apr/2018:10:24:27 +0200] " " 408 0 "" ""
>> server default, client 1 (1 active), 46.xx.xx.xx:4824 -> xx.xx.xx.xx, 
>> timeout (408 Request Timeout)
>> Primary script unknown
>> default 46.xx.xx.xx - - [11/Apr/2018:10:24:27 +0200] "GET /s/ HTTP/1.1" 404 
>> 0 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0) Gecko/20100101 
>> Firefox/58.0"
>> 
>> Not sure what else to look at. :((
> Did some tests.
> here's how it works:
> 
> location "/test" {
> block return 301 "/test/"
> }
> location "/test/" {
> root strip 1
> root "/htdocs/phpapp"
> directory index "test.php"
> }
> 
> note "root strip 1" directive.

I had tried with strip 1 as well; it seems the problem is with: fastcgi socket 
"/run/php-fpm.sock"
The working end result is something like:

server "default" {
    listen on $ext_addr port 80
    root "/htdocs/default"
    location "^/phpapp/*" {
        root { "/htdocs/phpapp", strip 1 }
        directory index "index.php"
    }
    location match "^/phpapp/[%l%u%d]+$" {
        root "/htdocs/phpapp/index.php"
        fastcgi socket "/run/php-fpm.sock"
    }
    location "/*.php*" {
        fastcgi socket "/run/php-fpm.sock"
    }
}

Thank you very much for your response and testing. Really appreciate it.

Mischa



Re: kernel (6.2 amd-64 mp) relinking failed on cloned disk

2018-04-11 Thread Benjamin Baier
On Tue, 10 Apr 2018 22:16:14 -0500
Z Ero  wrote:
> Does this mean that a machine specific hash / checksum required to
> validate / execute the kernel relink is not working or what?

It compares /bsd with checksum in /var/db/kernel.SHA256
if it does not match kernel relinking is disabled because it
assumes you are a kernel developer and know what you are doing.

> Also, how to correct the error, if possible?

$ doas sha256 -h /var/db/kernel.SHA256 /bsd



Re: Cannot access internet with virtual switch

2018-04-11 Thread Aham Brahmasmi
> Sent: Wednesday, April 11, 2018 at 10:18 AM
> From: "Ayaka Koshibe" 
> To: misc@openbsd.org
> Subject: Re: Cannot access internet with virtual switch
>
> > This informs us that for a PACKET_OUT with action OUTPUT, it cannot
> > have its port as ANY. Now, I do not know why for a PACKET_OUT message,
> > an action OUTPUT cannot have port as ANY. More importantly, I do not
> > know why the controller seems to be sending the PACKET_OUT with action
> > OUTPUT and port ANY.
> 
> A PACKET_OUT is usually a response to some message e.g. a PACKET_IN,
> so it would probably help to see which message (if any) the switch
> sent to the controller to receive that PACKET_OUT.

Thank you Koshibe-san for your reply.

From what I understand, the PACKET_IN for that PACKET_OUT seems to be
the following:

ofrelay_input_done: connection 1.1: 179 bytes from switch 1
/dev/switch0 > any: version 1_3 type PACKET_IN length 179 xid 81972
buffer NO_BUFFER length 129 reason REASON_NO_MATCH table <0> cookie 
0x
match type OXM length 24 (padded to 26)
ox match class OPENFLOW_BASIC type IN_PORT hasmask no length 4
1
ox match class OPENFLOW_BASIC type META hasmask no length 8
0
switch_learn: updated mac ac:1f:6b:2e:22:ce on switch 1 port 1
packet_input: ac:1f:6b:2e:22:ce -> 00:c8:8b:e2:d6:87, port 1 -> 1

I have also attached the complete output of "doas switchd -d". This
is because I do not know whether the above message is the correct
PACKET_OUT message corresponding to the PACKET_IN message.

Regards,
ab
-|-|-|-|-|-|-|--
listen on 0.0.0.0:6633
ofrelay_attach: new connection 1.1
ofp_open: new connection 1.1 from switch 0
any > /dev/switch0: version 1_3 type HELLO length 16 xid 0
	version bitmap:
		version 1_0
		version 1_3
0408 00014025
ofrelay_input_done: connection 1.1: 8 bytes from switch 0
0408 00014025
/dev/switch0 > any: version 1_3 type HELLO length 8 xid 81957
any > /dev/switch0: version 1_3 type FEATURES_REQUEST length 8 xid 1
04060020 0001
55330647 2d30f2ae  fe00 000f 
ofrelay_input_done: connection 1.1: 32 bytes from switch 1
04060020 0001 55330647 2d30f2ae  fe00 000f 
/dev/switch0 > any: version 1_3 type FEATURES_REPLY length 32 xid 1
	datapath_id 0x553306472d30f2ae nbuffers 0 ntables 254 aux_id 0 capabilities 0x0f
any > /dev/switch0: version 1_3 type MULTIPART_REQUEST length 16 xid 2
	type TABLE_FEATURES flags 
	empty table properties request
any > /dev/switch0: version 1_3 type SET_CONFIG length 12 xid 3
	flags  miss_send_len NO_BUFFER

Re: Cold / warm spare for OpenBSD server

2018-04-11 Thread Gregory Edigarov

I would solve the problem of config sync vice versa.
instead of syncing the files from one host to another you could just 
create the same files using any software configuration management system 
like ansible.


of course, you will still need to sync the data, and rsync is your best 
friend here.



On 11.04.18 16:08, Jeff Zimmerman wrote:

Hello!


I administer multiple OpenBSD machines which have been backing up via tar and sftp. I do 
have one server that is mission critical that I'd like to move to a more "warm" 
backup, perhaps using rsync. I already have a second server with the same hardware and 
OpenBSD version that is in a cold state but currently it would take some time to rebuild 
from the backup tars if something happened to the main server.


I see this project as having two different stages. Because I've installed a lot 
of ports and packages outside of the base install, stage one would involve 
installing the same rev of OpenBSD on the redundant machine and having rsync 
sync everything (binaries, config, etc.) from production to the redundant 
machine. Then stage two would pare down the rsync config to only sync the 
dynamic data, like /var/mail, /etc configuration files and that kind of thing.


My questions:

Stage 1: sync the two machines so they are initially identical.


When syncing everything from existing to redundant machine in stage 1, what 
directories wouldn't need to be / shouldn't be synced?


I suspect that /dev and /mnt probably shouldn't be synced and probably don't 
need to be synced if the server hardware and OS version is the same between 
machines. Likewise kernel files like /boot and /bsd probably don't need to be 
synced either unless upgrading the kernel for security patches. Are there other 
directories that shouldn't be or don't need to be synced?


Stage 2: sync mail, /etc/passwd, etc. on a regular basis between the machines


I need to mirror /etc, /var/mail, and any other directories with dynamically 
changing data. I'm not so concerned about logs so I probably won't sync all of 
/var. Similar to my question above, are there other directories that would have 
commonly changed data that I should be backing up on a semi-regular basis?


Is rsync the best way to keep two OpenBSD servers in close sync with each other? Is rsync a 
reasonable way to initially mirror the installed ports and packages and configuration data from one 
machine to another? And is there a better way to go about having 2 servers in sync, one 
"hot" and one "warm"?


Thanks!


Jeff




Cold / warm spare for OpenBSD server

2018-04-11 Thread Jeff Zimmerman
Hello!


I administer multiple OpenBSD machines which have been backing up via tar and 
sftp. I do have one server that is mission critical that I'd like to move to a 
more "warm" backup, perhaps using rsync. I already have a second server with 
the same hardware and OpenBSD version that is in a cold state but currently it 
would take some time to rebuild from the backup tars if something happened to 
the main server.


I see this project as having two different stages. Because I've installed a lot 
of ports and packages outside of the base install, stage one would involve 
installing the same rev of OpenBSD on the redundant machine and having rsync 
sync everything (binaries, config, etc.) from production to the redundant 
machine. Then stage two would pare down the rsync config to only sync the 
dynamic data, like /var/mail, /etc configuration files and that kind of thing.


My questions:

Stage 1: sync the two machines so they are initially identical.


When syncing everything from existing to redundant machine in stage 1, what 
directories wouldn't need to be / shouldn't be synced?


I suspect that /dev and /mnt probably shouldn't be synced and probably don't 
need to be synced if the server hardware and OS version is the same between 
machines. Likewise kernel files like /boot and /bsd probably don't need to be 
synced either unless upgrading the kernel for security patches. Are there other 
directories that shouldn't be or don't need to be synced?


Stage 2: sync mail, /etc/passwd, etc. on a regular basis between the machines


I need to mirror /etc, /var/mail, and any other directories with dynamically 
changing data. I'm not so concerned about logs so I probably won't sync all of 
/var. Similar to my question above, are there other directories that would have 
commonly changed data that I should be backing up on a semi-regular basis?


Is rsync the best way to keep two OpenBSD servers in close sync with each 
other? Is rsync a reasonable way to initially mirror the installed ports and 
packages and configuration data from one machine to another? And is there a 
better way to go about having 2 servers in sync, one "hot" and one "warm"?


Thanks!


Jeff


Re: using installboot to create a custom OpenBSD install on sd1

2018-04-11 Thread Chris Milham
It looks to me that you're trying to find a way to quickly set up new
machines which share a similar OpenBSD configuration? Can I suggest an
alternative approach to help achieve this...

Read through: man autoinstall. You can use this approach to set up machines
quickly across a LAN. To get it going you'll also need to refer to man
pxeboot (using pxe shouldn't be a problem as looks like you're on amd64).
You'll have to get dhcpd, tftpd and (optionally) httpd going too. Also be
aware of how to customise the install for your needs with a custom install
set: https://www.openbsd.org/faq/faq4.html#site

I've found autoinstall an excellent approach to setting up new machines. It
does take a bit of setup, but once done it's easy to maintain and get ready
when new OpenBSD releases are made. I download all the install files and
packages for each release, which are served locally by httpd, so it's nice
and quick to install and upgrade. For new installs I have a small VLAN on
my switch, connected to the "install" interface on my file server, which I
then just plug a new machine into, boot via pxe, and then leave it alone to
do the autoinstall. In a few mins OpenBSD is installed and ready to run on
it. Very nice!

Cheers

Chris



On 9 April 2018 at 23:54, Torsten  wrote:

> I spent another three hours on this and now I've come to a point where
> at least my kernel boots.
>
>
>
> > Hi!
> >
> > In short:
> > I am trying to use installboot to make a new harddrive bootable that
> > should contain a custom OpenBSD installation, however, when trying to
> > boot from that new hd I always get "No O/S".
> >
> >
> > Detailed:
> > I successfully set up a standard OpenBSD6.3 (machine A) on sd0 using
> > install.iso. Using custom scripts, I would like to create custom
> > installations on sd1 to create individual installations (machine B, C
> > and so on), each on a separate HD that I would swap for sd1 each time.
> >
> > On (A) I did:
> >
> > fdisk -iy sd1
> > echo "a a\n\n2g\n\na b\n\n\n\n\nw\nq\n"|disklabel -E sd1
> > newfs /dev/rsd1a
> >
> > mount /dev/sd1a /mnt
> >
> > cp -R /altroot  /mnt/altroot
> > cp -R /bin  /mnt/bin
> > cp -R /dev  /mnt/dev
> > cp -R /etc  /mnt/etc
> > cp -R /home /mnt/home
> > cp -R /root /mnt/root
> > cp -R /sbin /mnt/sbin
> > cp -R /tmp  /mnt/tmp
> > cp -R /usr  /mnt/usr
> > cp -R /var  /mnt/var
> > cp /bsd* /mnt/
> >
> > cd /mnt/dev
> > ./MAKEDEV std
> >
> > installboot -v sd1 /usr/mdec/biosboot /usr/mdec/boot
> >
> > (also tried
> > installboot -v -r /mnt/ sd1 /usr/mdec/biosboot /usr/mdec/boot
> > without success)
> >
> >
> > Hints and help will be appreciated!
> >
> > Regards,
> > T.
> >
>
>


Re: httpd - serving index.html & index.php at the same time

2018-04-11 Thread Gregory Edigarov



On 11.04.18 11:40, Mischa wrote

Ok, good to know. It doesn't work as written. The only thing I see in the 
error.log is the fact that the PHP script is not found.

Access to the script '/htdocs/s/' has been denied (see 
security.limit_extensions)

Which tells me index.php is not requested.

Browser tells me: File not found

Running in debug mode it shows the following

default 46.xx.xx.xx - - [11/Apr/2018:10:24:26 +0200] "GET /s/ HTTP/1.1" 404 0 "" 
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0) Gecko/20100101 Firefox/58.0"
default 46.xx.xx.xx - - [11/Apr/2018:10:24:27 +0200] " " 408 0 "" ""
server default, client 1 (1 active), 46.xx.xx.xx:4824 -> xx.xx.xx.xx, timeout 
(408 Request Timeout)
Primary script unknown
default 46.xx.xx.xx - - [11/Apr/2018:10:24:27 +0200] "GET /s/ HTTP/1.1" 404 0 "" 
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0) Gecko/20100101 Firefox/58.0"

Not sure what else to look at. :((

Did some tests.
here's how it works:

    location "/test" {
    block return 301 "/test/"
    }
    location "/test/" {
    root strip 1
    root "/htdocs/phpapp"
    directory index "test.php"
    }

note "root strip 1" directive.



Re: Virtualbox vs latest snapshot

2018-04-11 Thread Stuart Henderson
On 2018-04-11, Richard Toohey  wrote:
> On 04/11/18 10:50, Stuart Henderson wrote:
>> On 2018-04-10, csszep  wrote:
>>> Hi!
>>>
>>> I installed the latest 04.10 snapshot, the install procedure went fine, but
>>> after reboot the VM stucks at endless boot loop .
>>>
>>> It prints only the "booting hda0:/bsd" line.. before reboot
>>>
>>> The 04.03 snapshot works fine.
>>>
>>> There is a similar experience for someone with Virtualbox 5.2.8?
>>>
>> There's a recent bootloader problem, possibly following the update
>> to clang 6, that affects some machines. I suspect this might be
>> involved here.
> Ah, that might (?) explain what was happening to me with a Lenovo 
> Thinkpad X1 Carbon?
>
> Not a VM.
>
> Stuck in an endless boot loop, with a flash of a "heap full" message 
> before the next reboot.
>
> Tried the same snapshot on an older Thinkpad and no issues.
>
> Looked like it was a possible SSD problem (from what I could find in the 
> archives), so I tried the 6.3 installer and that was fine.
>
> Repeated the snapshot install and got back into the endless rebooting.

"heap full" is the known failure mode but I suspect that Virtualbox
might have a slightly different failure but due to the same issue.




Fwd: [EdLUG] FLOSSUK Conference later this month

2018-04-11 Thread Craig Skinner
Hi folks,


"FLOSSUK is the UK's primary support organisation for Free/Libre Open
Source Systems (FLOSS) supporting Free and Open Technology.

Our Spring Conference is the UK's longest running event supporting
systems and network administrators. But as FLOSSUK has evolved to
support open networks, software, hardware and data, so our primary
conference now also covers these areas.

This year we are visiting Edinburgh,
Scotland’s historic, beautiful capital city."





Begin forwarded message:

Date: Wed, 11 Apr 2018 08:43:55 +0100
To: Edinburgh Linux Users Group 


Hi,

The FLOSSUK (formerly UKUUG) annual conference is taking place in
Edinburgh later this month:




...

Heavily discounted tickets are available for students and those in
financial hardship e.g. unemployed.


Mark
-- 
/

Mark Cairney
ITI Enterprise Services
Information Services
University of Edinburgh

Tel: 0131 650 6565
Email: mark.cair...@ed.ac.uk
PGP: 0x435A9621

***/

The University of Edinburgh is a charitable body,
registered in Scotland, with registration number SC005336.

-- 
EdLUG mailing list
ed...@lists.edlug.org.uk
https://lists.edlug.org.uk/mailman/listinfo/edlug



Re: httpd - serving index.html & index.php at the same time

2018-04-11 Thread Mischa
> On 11 Apr 2018, at 10:00, Gregory Edigarov  wrote:
> 
> On 10.04.18 22:24, Mischa wrote:
>> Hi All,
>> 
>> Is there a way to serve both static and dynamic content, eg. index.html and 
>> index.php within the same server { } definition?
>> I am looking for something like:
>> 
>> server "default" {
>>listen on $ext_addr port 80
>>root "/htdocs"
>>directory index "index.html" # not needed as it's the default
>>location "/files/*" {
>>root "/htdocs/files"
>>directory auto index
>>}
>>location "^/phpapp/*" {
>>root "/htdocs/phpapp"
>>directory index "index.php"
>>fastcgi socket "/run/php-fpm.sock"
>>}
>> }
>> 
>> Is it possible at all or do I need split static and dynamic content based on 
>> server { }?
>> 
> Seems like it should work exactly as you have written.
> If not, you should show more than you've shown.

Ok, good to know. It doesn't work as written. The only thing I see in the 
error.log is the fact that the PHP script is not found.

Access to the script '/htdocs/s/' has been denied (see 
security.limit_extensions)

Which tells me index.php is not requested.

Browser tells me: File not found

Running in debug mode it shows the following

default 46.xx.xx.xx - - [11/Apr/2018:10:24:26 +0200] "GET /s/ HTTP/1.1" 404 0 
"" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0) Gecko/20100101 
Firefox/58.0"
default 46.xx.xx.xx - - [11/Apr/2018:10:24:27 +0200] " " 408 0 "" ""
server default, client 1 (1 active), 46.xx.xx.xx:4824 -> xx.xx.xx.xx, timeout 
(408 Request Timeout)
Primary script unknown
default 46.xx.xx.xx - - [11/Apr/2018:10:24:27 +0200] "GET /s/ HTTP/1.1" 404 0 
"" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0) Gecko/20100101 
Firefox/58.0"

Not sure what else to look at. :((

Mischa




Re: Cannot access internet with virtual switch

2018-04-11 Thread Ayaka Koshibe
> This informs us that for a PACKET_OUT with action OUTPUT, it cannot
> have its port as ANY. Now, I do not know why for a PACKET_OUT message,
> an action OUTPUT cannot have port as ANY. More importantly, I do not
> know why the controller seems to be sending the PACKET_OUT with action
> OUTPUT and port ANY.

A PACKET_OUT is usually a response to some message e.g. a PACKET_IN,
so it would probably help to see which message (if any) the switch
sent to the controller to receive that PACKET_OUT.



Re: httpd - serving index.html & index.php at the same time

2018-04-11 Thread Gregory Edigarov

On 10.04.18 22:24, Mischa wrote:

Hi All,

Is there a way to serve both static and dynamic content, eg. index.html and 
index.php within the same server { } definition?
I am looking for something like:

server "default" {
 listen on $ext_addr port 80
 root "/htdocs"
 directory index "index.html" # not needed as it's the default
 location "/files/*" {
 root "/htdocs/files"
 directory auto index
 }
 location "^/phpapp/*" {
 root "/htdocs/phpapp"
 directory index "index.php"
 fastcgi socket "/run/php-fpm.sock"
 }
}

Is it possible at all or do I need split static and dynamic content based on 
server { }?


Seems like it should work exactly as you have written.
If not, you should show more than you've shown.



Re: 4-ports router under $150

2018-04-11 Thread lilit-aibolit
Hi, I've been looking for more than one year to get something similar 
until I found this:


https://pt.aliexpress.com/item/Celeron-J1900-Mini-pc-free-shipping-micro-sd-two-usb-and-four-lan-laptop-overwatch-Computer/32794678352.html?spm

I already got and tested it and it works fine.


On 08/04/18 00:59, Anatoli wrote:

Hi All!

I'm looking for a modest 4-5 ports router under $150 that works well 
with OpenBSD. I don't need WiFi, USB or console port, and the 
throughput doesn't need to exceed 100Mbps. The ideal device would be 
EdgeRouter X (compact, 5 ports, $50) but I know it's not supported at 
this moment and probably never will be.


EdgeRouter (ER) Lite only has 3 ports and the switch ports (eth2-4) of 
ERPOE-5 are not yet supported.


ER-4 would be great, but the 4th port is SFP, I'd need to buy an SFP 
NIC for one of my devices and I'm not sure it's supported as the 
octeon page says ER PRO SFP ports are not supported yet. Also it's a 
bit expensive ($190).


Banana Pi R2 would be great too, but I couldn't find if it's supported 
by OpenBSD (it has MediaTek MT7623N, Quad-core ARM Cortex-A7).


Are there 4-5 port devices that are known to work well with OpenBSD?

Thanks,
Anatoli






Re: Virtualbox vs latest snapshot

2018-04-11 Thread faisal saadatmand
Thank you, Stuart, for the instructions. I have been suffering from
the same issue as well since April 6: all subsequent snapshots failed
to boot on virtualbox.  I also was able to reproduce the problem in
qemu.  Interestingly, like Richard, I, too, am using a Thinkpad X1
Carbon; however, openbsd is running in a vm.  In any case, I reported
the issue to bugs@

best,
cdude