Lightweight Web browser

2022-12-25 Thread Rodrigo Readi
Can someone recommend a lightweight browser that supports JavaScript?
In which I can use gmail?

Otter browser hangs and even dumps core with gmail.
Also with chromium I get core dumps sometimes.
There is no port for elinks to test it.

I need such a thing till I get alpine 2.26 working in OpenBSD.
It does not compile with libssl, it compiles with openssl, but cert
verification fails.



Re: iridium/chromium webcam access

2022-12-25 Thread Stefan Hagen
Hi,

Try to start chrome with:
--enable-features=RunVideoCaptureServiceInBrowserProcess

Best Regards,
Stefan


Sent from my iPhone

> On 24. Dec 2022, at 14:38, Robert Alessi wrote:
> 
> Hi,
> 
> It being understood that web services such as jitsi and bigbluebutton
> require WASM to be enabled,[1] I am experiencing issues with access to
> the webcam by iridium or chromium.
> 
> For the record, I used the BBB testing instance,[2] and Webcam
> Test.[3]
> 
> I followed the instructions given in the FAQ,[4] including those found
> at the bottom of the page, and modified /etc/iridium/unveil.main and
> /etc/iridium/unveil.utility_video as follows:
> 
> =
> --- unveil.main.origMon Nov 21 16:54:24 2022
> +++ unveil.mainSat Dec 24 13:50:22 2022
> @@ -1,5 +1,6 @@
> # needed for video(4)
> /dev/video rw
> +/dev/video0 rw
> 
> # needed for FIDO authentication
> /dev/fido rw
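Review bot: The added `/dev/video0 rw` line in unveil.main widens what the browser's main process may open read-write without a demonstrated need: the same message reports that the failure also occurs with both files left untouched, so this entry is not what unblocks the camera. Suggest keeping unveil.main as shipped until the `uvideo0: could not SET probe request: STALLED` error is understood or, if the entry stays, adding a comment line above it that says why the numbered node is needed in addition to `/dev/video`.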
> 
> --- unveil.utility_video.origMon Nov 21 16:54:24 2022
> +++ unveil.utility_videoSat Dec 24 13:55:42 2022
> @@ -6,3 +6,4 @@
> 
> # needed for video(4)
> /dev/video rw
> +/dev/video0 rw
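Review bot: The new last line of unveil.utility_video hard-codes unit 0, which matches `video0 at uvideo0` in the log below only for this one machine and camera. If the entry is kept as a test, mark it with a comment such as `# local test, remove again` and revert it once the test is done, so the unveil list goes back to the shipped minimum.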
> =
> 
> Even so, iridium fails to access the webcam.  BBB says that the device
> may be used by another application and /var/log/messages reads as
> follows:
> 
> Dec 24 13:59:03  /bsd: uvideo0 at uhub0 port 2 configuration 1 interface 0 " 4K Document Camera" rev 2.00/1.33 addr 2
> Dec 24 13:59:03  /bsd: video0 at uvideo0
> Dec 24 13:59:03  /bsd: uaudio0 at uhub0 port 2 configuration 1 interface 3 " 4K Document Camera" rev 2.00/1.33 addr 2
> Dec 24 13:59:03  /bsd: uaudio0: class v1, high-speed, sync, channels: 0 play, 2 rec, 2 ctls
> Dec 24 13:59:03  /bsd: audio1 at uaudio0
> Dec 24 13:59:22  /bsd: uvideo0: could not SET probe request: STALLED
> 
> The last message is repeated each time I attempt to share the webcam.
> 
> I think it is worth mentioning that this happens even if unveil.main
> and unveil.utility_video are left untouched.
> 
> This does not happen with firefox. (It can't be tested with BBB as
> it is unable to enter the testing room, but can be tested with
> webcamtests[3] or jitsi.[5])
> 
> Any help would be much appreciated.
> 
> -- Robert
> 
> Footnotes:
> [1]  See https://marc.info/?l=openbsd-misc=167181801710114=2 and
> the link to openbsd-ports
> 
> [2]  https://test.bigbluebutton.org
> 
> [3]  https://webcamtests.com/
> 
> [4]  https://www.openbsd.org/faq/faq13.html#webcam
> 
> [5]  https://meet.jit.si
> 



Re: Use daily(8), weekly(8), or monthly(8) but read less mail

2022-12-25 Thread Jason McIntyre
On Sun, Dec 25, 2022 at 09:56:03AM +, Ibsen S Ripsbusker wrote:
> I want to use the altroot facility, but I don't want to read the mails
> about the backup succeeding and nothing else failing.
> 
> Reading the scripts and the manual pages, I see no support for sending
> the daily, weekly, or monthly mails only on failure. I also see
> no support for running ROOTBACKUP outside of the daily script.
> Of course I could change the scripts, but I would rather not.
> Also, once I receive the mail, I don't see an easy way to classify
> it as having a failure or not.
> 
> What do you do if you want to use the altroot facility (or some
> other part of the periodic system maintenance scripts) and want
> to read reports only when something failed?
> 
> With great humility,
> 
> Ibsen S. Ripsbusker
> 

so these scripts used to be very chatty. then there was a decision
to cut the chatter unless it was asked for (via VERBOSESTATUS).
then finally to not output anything if there was nothing to report
(and VERBOSESTATUS was removed, as far as i can see).

so to try to answer your question: i don't think you will get any
reports of anything succeeding, and you should only get reports
about actions the scripts think necessary. if you did get any
"we've done it!" messages, i suppose you'd be entitled to complain.
do you?

the issue for me now is that i think that somewhere we should say
this.  i missed VERBOSESTATUS disappearing, but i think we might
want to say it. the commit message was:


revision 1.29
date: 2020/10/20 22:42:29;  author: danj;  state: Exp;  lines: +2 -19;  
commitid: EFsAssont5N9pxsI;
Remove calls for df(1), netstat(1), and the verbose dump(1)

With this change, daily(8) only sends email when something looks
dubious.
Consequently VERBOSESTATUS is now a no-op and may be unset.

The code is trivial and riddled with choices that look like personal
preferences. The old behavior can be achieved through
/etc/daily.local.

With schwarze@, tweak kn@, sthen@
OK schwarze@, kn@, jung@


although it's maybe true that the old behaviour can be achieved via a
*.local file, there's nothing that says how. i suppose the meaning was,
if you want more info, add it yourself.

still i think it makes sense to say not to expect mails if everything
looks ok. sth like this:

Index: daily.8
===
RCS file: /cvs/src/share/man/man8/daily.8,v
retrieving revision 1.29
diff -u -p -r1.29 daily.8
--- daily.8 20 Oct 2020 22:42:29 -  1.29
+++ daily.8 25 Dec 2022 21:25:48 -
@@ -29,7 +29,8 @@ and
 are shell scripts run on a periodic basis by the clock daemon,
 .Xr cron 8 .
 They take care of some basic administrative tasks.
-Their output, if any, is mailed to root.
+If anything looks amiss,
+a report is mailed to root.
 .Pp
 .Sy Note :
 The scripts are all run as part of root's
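Review bot: The replacement sentence "If anything looks amiss, a report is mailed to root." no longer covers the case the quoted commit message keeps open, output produced through /etc/daily.local, which is not necessarily a sign that something is amiss. Suggest wording that covers both, for example "Their output is mailed to root; when nothing looks amiss and no local script prints anything, no mail is sent." It would also help to say in one sentence what counts as "amiss", since the commit message's "something looks dubious" is equally undefined.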



Re: how to get per-IP traffic statistics?

2022-12-25 Thread Peter N. M. Hansteen
On Sat, Dec 24, 2022 at 07:53:09PM -0800, Jonathan Thornburg wrote:
> I have a number of clients (2 OpenBSD systems, 3 Windows 10 systems,
> an Android phone or two, and a VoIP phone) all connected to the internet
> through an OpenBSD firewall (currently 7.1/amd64, will be 7.2 soon).
> I'm trying to track down which client(s) is/are responsible for a 5-fold
> increase in my overall data usage last month (and, I suspect, a similar
> ongoing data usage).
> 
> So, I'd like to modify the firewall to somehow record the per-IP-address
> number of bytes passed by the firewall (I can then match up the IP addresses
> with the dhcpd logs to find the offending client(s)).  This StackExchange
> question-and-answer
>   
> https://serverfault.com/questions/303931/getting-per-ip-traffic-stats-from-pf
> gives a possible solution
> > export netflow data for all your traffic, grab it with Flow-Tools,
> > and feed it to something like JKFlow to parse (and graph/report on).
> but that was as of 2011.

I would go for a netflow based solution. I did just that for a somewhat
similar scenario some years back, as described in this 2014 blog post:
https://bsdly.blogspot.com/2014/02/yes-you-too-can-be-evil-network.html.

That post has some of the basics for setting up with pflow(4) and the
rather minor changes you need in your ruleset to export the traffic metadata.

You also need to set up a collector. At the time I did this, nfsen was what
looked like the most straightforward one, but that may have changed in the
meantime. I would anyway recommend reading Michael Lucas' book which is
referenced in the article.

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



tap vm network interfaces are not added to bridge/veb host interface

2022-12-25 Thread Maksim Rodin
Hello.
Recently I tried to change my vmm network to using veb instead of
bridge.
I tried to do it as simple as possible and just renamed hostname.bridge0
to hostname.veb0, renamed hostname.vether0 to hostname.vport0, and
changed hostname.veb0 to include vport0 interface:
Here is the current network configuration on the host machine:
$ tail -n3 /etc/hostname.*
==> /etc/hostname.alc0 <==
inet autoconf

==> /etc/hostname.veb0 <==
add vport0
up

==> /etc/hostname.vport0 <==
inet 172.25.0.1 255.255.255.0
up

And here is the vmm configuration:
$ cat /etc/vm.conf
switch "vmm_switch" {
interface veb0
}

vm "addc" {
memory 4G
disk "/DISK1/vmm/addc/disk0.img"
interface { switch "vm_switch"
lladdr fe:e1:ba:d3:57:48
}
owner vmowner
disable
}

The only change in pf.conf is this:
# match out on egress from vether0:network to any nat-to (egress)
match out on egress from vport0:network to any nat-to (egress)

After that I could not access my vm by its network address anymore
though it was alive and accessible through the console.

After some investigation I found out that when I start the vm as vm
owner its tap0 interface is not automatically added to veb0 interface
as a child interface.

When I manually added tap0 interface to veb0 as a child, network connectivity
was back.

I tried to revert all the changes back to working with bridge, but since then
the tap interface of the vm still needs manual addition to the bridge
interface as well.
After every change like this I rebooted the host machine to make sure
nothing from the previous configuration is left behind but nothing has
changed in this behaviour.

Here is the ifconfig output when the vm is not started:
veb0: flags=8843
description: switch1-vmm_switch
index 4 llprio 3
groups: veb
vport0 flags=3
port 5 ifpriority 0 ifcost 0
vport0: flags=8943 mtu 1500
lladdr fe:e1:ba:d0:aa:a8
index 5 priority 0 llprio 3
groups: vport
inet 172.25.0.1 netmask 0xff00 broadcast 172.25.0.255

Here is the ifconfig output when the vm is running (no network access to
the vm):
veb0: flags=8843
description: switch1-vmm_switch
index 4 llprio 3
groups: veb
vport0 flags=3
port 5 ifpriority 0 ifcost 0
vport0: flags=8943 mtu 1500
lladdr fe:e1:ba:d0:aa:a8
index 5 priority 0 llprio 3
groups: vport
inet 172.25.0.1 netmask 0xff00 broadcast 172.25.0.255
tap0: flags=8843 mtu 1500
lladdr fe:e1:ba:d3:3e:d8
description: vm1-if0-addc
index 9 priority 0 llprio 3
groups: tap
status: active

Here is the ifconfig output when I add tap0 to veb0 (network access to the
vm is ok):
veb0: flags=8843
description: switch1-vmm_switch
index 4 llprio 3
groups: veb
vport0 flags=3
port 5 ifpriority 0 ifcost 0
tap0 flags=3
port 9 ifpriority 0 ifcost 0
vport0: flags=8943 mtu 1500
lladdr fe:e1:ba:d0:aa:a8
index 5 priority 0 llprio 3
groups: vport
inet 172.25.0.1 netmask 0xff00 broadcast 172.25.0.255
tap0: flags=8943 mtu 1500
lladdr fe:e1:ba:d3:3e:d8
description: vm1-if0-addc
index 9 priority 0 llprio 3
groups: tap
status: active

My vmd host is OpenBSD 7.2 amd64 (which is used as a workstation as well if
that matters).

Is there something I missed during changing network configuration from
bridge to veb and back again?

-- 
Maksim Rodin



Re: Use daily(8), weekly(8), or monthly(8) but read less mail

2022-12-25 Thread Claus Assmann
On Sun, Dec 25, 2022, Ibsen S Ripsbusker wrote:

> ... want
> to read reports only when something failed?

Use a mail filter.

#!/bin/sh
# filter (in)security mails:
# if it's only this: return 1 which causes the mail to be discarded
egrep -v '^(Running security|Checking the /etc/master.passwd file)' "$@"

-- 
Address is valid for this mailing list only, please do not reply
to it directly, but to the list.



Re: how to get per-IP traffic statistics?

2022-12-25 Thread Stuart Henderson
On 2022-12-25, Jonathan Thornburg wrote:
> I have a number of clients (2 OpenBSD systems, 3 Windows 10 systems,
> an Android phone or two, and a VoIP phone) all connected to the internet
> through an OpenBSD firewall (currently 7.1/amd64, will be 7.2 soon).
> I'm trying to track down which client(s) is/are responsible for a 5-fold
> increase in my overall data usage last month (and, I suspect, a similar
> ongoing data usage).
>
> So, I'd like to modify the firewall to somehow record the per-IP-address
> number of bytes passed by the firewall (I can then match up the IP addresses
> with the dhcpd logs to find the offending client(s)).  This StackExchange
> question-and-answer
>   
> https://serverfault.com/questions/303931/getting-per-ip-traffic-stats-from-pf
> gives a possible solution
>> export netflow data for all your traffic, grab it with Flow-Tools,
>> and feed it to something like JKFlow to parse (and graph/report on).
> but that was as of 2011.
>
> Is this still the most straightforward way to get per-IP traffic stats?
> If so, can anyone point me to any reasonably up-to-date "big picture"
> tutorials/documentation?  The closest I've come so far is this discussion
>   https://www.pantz.org/software/flowtools/configflowtoolspfflow.html
> but it's from 2006.
>
> Thanks,

netflow is good if you want to see what the actual traffic is over a
longer period of time. There is also ntopng which shows a lot more info
(looks at flows and does a bit of dpi) but it's quite heavy on cpu use.
Netflow is good as part of a more custom toolkit, ntopng if you want to
run something quickly with a nice ui.

Both are probably overkill if you just want per-IP statistics. For that,
you can either just use pf labels + statistics (though watch out for
ruleset reloads clearing them), or darkstat (in packages) is easy to
use and perfect for this.

-- 
Please keep replies on the mailing list.



Re: Use daily(8), weekly(8), or monthly(8) but read less mail

2022-12-25 Thread Stuart Henderson
On 2022-12-25, Ibsen S Ripsbusker wrote:
> I want to use the altroot facility, but I don't want to read the mails
> about the backup succeeding and nothing else failing.
>
> Reading the scripts and the manual pages, I see no support for sending
> the daily, weekly, or monthly mails only on failure. I also see
> no support for running ROOTBACKUP outside of the daily script.
> Of course I could change the scripts, but I would rather not.
> Also, once I receive the mail, I don't see an easy way to classify
> it as having a failure or not.
>
> What do you do if you want to use the altroot facility (or some
> other part of the periodic system maintenance scripts) and want
> to read reports only when something failed?

Seems like it would be a useful change to make. Someone will need to
change the script in order to do this, why not give it a go and send a
diff if you don't want to carry a local change?


-- 
Please keep replies on the mailing list.



Re: how to get per-IP traffic statistics?

2022-12-25 Thread Crystal Kolipe
On Sat, Dec 24, 2022 at 07:53:09PM -0800, Jonathan Thornburg wrote:
> So, I'd like to modify the firewall to somehow record the per-IP-address
> number of bytes passed by the firewall

Add match rules to pf.conf for the IPs you're interested in and give them
named labels.

Then you can view statistics for the packets that matched each label using
pfctl -s labels.
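
The label approach from this reply, combined with the caveat in Stuart Henderson's reply that ruleset reloads clear the counters, worked through as an added example (not code from either poster): it compares two saved `pfctl -s labels` snapshots and reports per-label byte deltas, treating a counter that went backwards as a reset. The label names, the address in the sample rule and all counter values are constructed.

```sh
# Per-label byte deltas between two saved `pfctl -s labels` snapshots.
# Columns per pfctl(8): label, evaluations, packets total, bytes total,
# packets in, bytes in, packets out, bytes out, state creations.
# Assumed rules (constructed): match from 192.168.1.10 to any label "laptop"
# Labels are assumed to contain no whitespace.
# label_deltas PREV CUR -> "label total_bytes bytes_in bytes_out status",
# largest total first. Pass /dev/null as PREV on the first run.
label_deltas() {
    awk -v prev="$1" '
        BEGIN {   # load the earlier snapshot, summing rules that share a label
            while ((getline line < prev) > 0) {
                split(line, f, " ")
                pev[f[1]] += f[2]; pin[f[1]] += f[6]; pout[f[1]] += f[8]
            }
        }
        NF >= 9 { ev[$1] += $2; bin[$1] += $6; bout[$1] += $8 }
        END {
            for (l in ev) {
                din = bin[l] - pin[l]; dout = bout[l] - pout[l]; st = "ok"
                # A counter going backwards means the ruleset was reloaded and
                # the label restarted at zero: count what is there now.
                if (ev[l] < pev[l] || din < 0 || dout < 0) {
                    din = bin[l]; dout = bout[l]; st = "reset"
                }
                # %.0f because large byte counts overflow %d in some awks
                printf "%s %.0f %.0f %.0f %s\n", l, din + dout, din, dout, st
            }
        }
    ' "$2" | sort -k2,2nr -k1,1
}
# Constructed snapshots: snap2 is a later poll, snap3 follows a ruleset reload.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/snap1" <<'EOF'
laptop 1200 900 700000 400 100000 500 600000 12
voip 1200 300 45000 150 20000 150 25000 3
win10-a 1200 5000 6000000 2000 1000000 3000 5000000 40
EOF
cat > "$tmp/snap2" <<'EOF'
laptop 1500 1000 760000 450 110000 550 650000 14
voip 1500 320 48000 160 21000 160 27000 3
win10-a 1500 9000 96000000 3000 10000000 6000 86000000 55
EOF
cat > "$tmp/snap3" <<'EOF'
laptop 40 30 9000 10 2000 20 7000 1
voip 40 4 600 2 300 2 300 1
win10-a 40 700 5000000 200 500000 500 4500000 6
EOF
label_deltas "$tmp/snap1" "$tmp/snap2"; label_deltas "$tmp/snap2" "$tmp/snap3"
```

A reset is only detected when a counter is lower than in the previous snapshot, so snapshots need to be taken often enough that a reloaded counter has not already passed its old value.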



Use daily(8), weekly(8), or monthly(8) but read less mail

2022-12-25 Thread Ibsen S Ripsbusker
I want to use the altroot facility, but I don't want to read the mails
about the backup succeeding and nothing else failing.

Reading the scripts and the manual pages, I see no support for sending
the daily, weekly, or monthly mails only on failure. I also see
no support for running ROOTBACKUP outside of the daily script.
Of course I could change the scripts, but I would rather not.
Also, once I receive the mail, I don't see an easy way to classify
it as having a failure or not.

What do you do if you want to use the altroot facility (or some
other part of the periodic system maintenance scripts) and want
to read reports only when something failed?

With great humility,

Ibsen S. Ripsbusker