Re: ntpd: "DNS lookup tempfail" when running on an IPv6-only node

2024-02-13 Thread Willy Manga

On 14/02/2024 09:31, Theo de Raadt wrote:

Willy Manga  wrote:


Is it possible the default ntpd.conf file uses something like

"servers openbsd.pool.ntp.org" and of course have openbsd.pool.ntp.org
looking for IPv6 nodes?


Not going to happen.


Fine. Can we at least have a workaround from the start?

Replace "#servers pool.ntp.org" with another pool of servers reachable over 
IPv6? Ideally, I agree, it must be fixed upstream. That's why I filed an 
issue on github.


At the moment, I don't know how the OpenBSD ecosystem prefers to deal 
with that kind of issue: wait for a fix from upstream, or fix the user 
experience at its own level.


I'm happy to learn :)



--
Willy Manga



Re: KeyTrap DNS vulnerability

2024-02-13 Thread Otto Moerbeek
On Wed, Feb 14, 2024 at 04:55:20AM +0100, b...@fea.st wrote:

> “A single packet can exhaust the processing 
> capacity of a vulnerable DNS server, effectively
> disabling the machine, by exploiting a 
> 20-plus-year-old design flaw in the DNSSEC
> specification.
> 
> https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/

To be clear, this does not mean DNSSEC is cryptographically broken.

The RFCs specifying the DNSSEC validation algorithm do not take into
account potential resource usage validating many potential signatures
so the implementations following the RFCs suffered from the same.

By constraining the amount of work (limiting the potential signatures
considered) while validating these issues are worked around.

-Otto



Re: ntpd: "DNS lookup tempfail" when running on an IPv6-only node

2024-02-13 Thread Theo de Raadt
Willy Manga  wrote:

> Is it possible the default ntpd.conf file uses something like
> 
> "servers openbsd.pool.ntp.org" and of course have openbsd.pool.ntp.org
> looking for IPv6 nodes?

Not going to happen.



ntpd: "DNS lookup tempfail" when running on an IPv6-only node

2024-02-13 Thread Willy Manga

Hello.


I'm running ntp-4.2.8pl10p6 on OpenBSD 7.4. I saw messages like this one:

"ntpd[26862]: DNS lookup tempfail"

This node is running with IPv6-only.

Since I did not have IPv4, I initially only commented out the constraint 
with IPv4. But it was not enough.



Then I realised that pool.ntp.org doesn't include a  record. I ended 
up commenting out the servers line and added several servers close enough.


I posted my question on github [1] and someone advised me to rely on 
"2.openbsd.pool.ntp.org"


Is it possible the default ntpd.conf file uses something like

"servers openbsd.pool.ntp.org" and of course have openbsd.pool.ntp.org 
looking for IPv6 nodes?


Thanks.


1. https://github.com/abh/ntppool/issues/231

--
Willy Manga



Re: KeyTrap DNS vulnerability

2024-02-13 Thread Peter J. Philipp



On 2/14/24 04:55, b...@fea.st wrote:

“A single packet can exhaust the processing
capacity of a vulnerable DNS server, effectively
disabling the machine, by exploiting a
20-plus-year-old design flaw in the DNSSEC
specification.

https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/


Thank you for sharing this, it's good to talk about this, as it affects 
any cryptographic keying system.  I was aware of this for a few years 
without giving it more thought because sending random garble instead of 
DNSSEC keys was mentioned on chat channels such as #dns before.


In my opinion, the defenses are not to turn off DNSSEC but rather to 
do some sanitizing of the cryptographic data with a lower-cost 
algorithm, such as length checks or heuristic collection identifying an 
algorithm before using the main decryption algorithm on it *.


To be honest I looked at the patches but wasn't any the wiser whether this 
was really done.  Another approach is to flag abusers of DNSSEC keys and 
block them for some time penalty, and if repeated abuse happens then to 
block the entire site.


* I'm not a cryptographer, mathematician nor do I program DNS on the 
recursive end.  I program on the authoritative server end, where you 
can't do anything about something like a MITM anyhow. Donald Knuth and 
other books using algorithmic approaches may be good reading for this.


Best Regards,

-peter
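Otto's point (the RFC validation algorithm is unbounded in the number of signature checks it may perform, and the fix is to cap that work) and Peter's suggestion of cheap checks before the expensive cryptography can both be seen in a small model. The following is an added example for this thread, not code from any resolver or from either poster: records are plain Python objects, `toy_verify()` stands in for the public-key operation, and the only thing measured is how many verifications the validation loop performs with and without a budget. The key-tag value, algorithm number and record counts are constructed.

```python
"""Toy model of DNSSEC signature validation with a work budget.

Constructed example for this thread; it is not code from any resolver.
The records are plain Python objects and toy_verify() stands in for the
expensive public-key operation, so the only thing measured is how many
verifications the validation loop performs.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class DNSKEY:
    key_tag: int        # 16-bit tag; several keys in a zone may share one
    algorithm: int
    key_id: str         # toy stand-in for the public key material


@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    algorithm: int
    signer_key_id: str  # toy: id of the key that really made it; "" if forged


def toy_verify(sig: RRSIG, key: DNSKEY) -> bool:
    """Stand-in for the costly cryptographic verification step."""
    return sig.signer_key_id == key.key_id


def candidate_pairs(sigs: List[RRSIG], keys: List[DNSKEY]):
    """RFC 4035 section 5.3 candidate selection: every (RRSIG, DNSKEY)
    pair whose key tag and algorithm agree has to be considered."""
    for sig in sigs:
        for key in keys:
            if key.key_tag == sig.key_tag and key.algorithm == sig.algorithm:
                yield sig, key


def validate_unbounded(sigs, keys, verify: Callable = toy_verify) -> Tuple[str, int]:
    """The literal algorithm: keep verifying until one pair succeeds.
    With colliding key tags the work is len(sigs) * len(keys)."""
    attempts = 0
    for sig, key in candidate_pairs(sigs, keys):
        attempts += 1
        if verify(sig, key):
            return "secure", attempts
    return "bogus", attempts


def validate_bounded(sigs, keys, max_attempts: int,
                     verify: Callable = toy_verify) -> Tuple[str, int]:
    """Same loop with a hard cap on verifications. Hitting the cap yields a
    bogus (failed) answer instead of unbounded CPU time; a legitimate zone
    with a handful of keys never gets near the cap."""
    attempts = 0
    for sig, key in candidate_pairs(sigs, keys):
        if attempts >= max_attempts:
            return "bogus", attempts
        attempts += 1
        if verify(sig, key):
            return "secure", attempts
    return "bogus", attempts


def colliding_rrset(n_keys: int, n_sigs: int, tag: int = 4242):
    """Constructed worst case: n_keys DNSKEYs sharing one tag and n_sigs
    RRSIGs referencing that tag, none of which verifies."""
    keys = [DNSKEY(tag, 13, f"key{i}") for i in range(n_keys)]
    sigs = [RRSIG(tag, 13, "") for _ in range(n_sigs)]
    return sigs, keys


def legitimate_rrset():
    """Constructed normal case: one key, one matching signature."""
    key = DNSKEY(1001, 13, "zsk")
    return [RRSIG(1001, 13, "zsk")], [key]


if __name__ == "__main__":
    sigs, keys = colliding_rrset(10, 10)
    print("unbounded:", validate_unbounded(sigs, keys))    # ('bogus', 100)
    print("bounded:  ", validate_bounded(sigs, keys, 16))  # ('bogus', 16)
    sigs, keys = legitimate_rrset()
    print("normal:   ", validate_bounded(sigs, keys, 16))  # ('secure', 1)
```

The budget does not change which answers are cryptographically valid: a zone that validates today still validates in one or two attempts. What changes is the failure mode when a zone presents many keys with the same tag and many signatures over one RRset, which is exactly the resource-usage case the RFC text leaves open.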



KeyTrap DNS vulnerability

2024-02-13 Thread bsd
“A single packet can exhaust the processing 
capacity of a vulnerable DNS server, effectively
disabling the machine, by exploiting a 
20-plus-year-old design flaw in the DNSSEC
specification.

https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/


Re: CARP and VRRP compliance

2024-02-13 Thread Philipp Buehler

On 13.02.2024 19:07 Samuel Jayden wrote:

Also I've another question:
Is it feasible to achieve CARP and VRRP interoperability through a
user-space application?


One step back.. you're looking at using one Cisco router and one
OpenBSD box as a redundant pair? I've no idea, and in over 20y I did
not consider doing this.

If you think about how an OpenBSD pair (failover/load between themselves)
and "on the other side" a Cisco pair using VRRP (acting between themselves),
I can tell that this works w/o having a stamped letter with some crayon 
on it.



--
pb



Re: Single partition fs layout

2024-02-13 Thread Brian Conway
On Tue, Feb 13, 2024, at 6:37 AM, Odhiambo Washington wrote:
> Is there a disadvantage to having this layout style where everything is on
> 1 partition?

Beyond the plethora of responses you've already received, the Installation 
section of the FAQ covers this thoroughly:

https://www.openbsd.org/faq/faq4.html#Partitioning

Brian Conway
Owner
RCE Software, LLC



Re: CARP and VRRP compliance

2024-02-13 Thread Samuel Jayden
Hello Marcus,

Thank you for your response.

From the information provided in the link, it appears that CARP and VRRP
protocols aren't inherently interoperable.
While Cisco may have attempted to address this by introducing a command
like "disable-loop-detection carp" in its Nexus 1000V virtual router
product, this solution unfortunately doesn't extend to standard router
hardware, rendering it ineffective in many scenarios.

Also I've another question:
Is it feasible to achieve CARP and VRRP interoperability through a
user-space application?
I am curious if there are any existing solutions or approaches that
leverage user-space applications to bridge the interoperability gap between
CARP and VRRP.
If anyone has insights or experiences in this area, I would greatly
appreciate hearing about them.

Thank you for considering my inquiries.

Best regards
Sam

On Tue, Feb 13, 2024 at 8:26 PM Marcus MERIGHI  wrote:

> Hello Samuel,
>
> samueljaydan1...@gmail.com (Samuel Jayden), 2024.02.13 (Tue) 17:35 (CET):
> > I am reaching out to seek guidance on creating redundancy between a Cisco
> > Router and OpenBSD. After conducting extensive research on the subject, I
> > find myself in need of clarification on a specific point.
>
> This has some background info for you:
>
> https://mwl.io/archives/1866
>
> Marcus
>


Re: CARP and VRRP compliance

2024-02-13 Thread Marcus MERIGHI
Hello Samuel, 

samueljaydan1...@gmail.com (Samuel Jayden), 2024.02.13 (Tue) 17:35 (CET):
> I am reaching out to seek guidance on creating redundancy between a Cisco
> Router and OpenBSD. After conducting extensive research on the subject, I
> find myself in need of clarification on a specific point.

This has some background info for you:

https://mwl.io/archives/1866

Marcus



Re: Screenshotting using PrtScr in cwm?

2024-02-13 Thread bsd
Here's someone who apparently had the same or similar 
problem on Arch Linux, and managed to solve it:

https://unix.stackexchange.com/questions/669853/printscreen-key-not-registering-in-arch-linux

Just changing the SysRq keycode doesn't work for me tho.



Re: Single partition fs layout

2024-02-13 Thread Odhiambo Washington
On Tue, Feb 13, 2024 at 6:00 PM Frank Habicht  wrote:

> On 13/02/2024 16:52, Odhiambo Washington wrote:
> > Thanks a million for such a nice explanation.
> > Let me now ask Google about those flags.
>   ^^
> you misspelled "the man pages"
>
> Frank
>

Heheee... it's just today I have opted to be reading the man pages via a
browser :)


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
 In an Internet failure case, the #1 suspect is a constant: DNS.
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
[How to ask smart questions:
http://www.catb.org/~esr/faqs/smart-questions.html]


CARP and VRRP compliance

2024-02-13 Thread Samuel Jayden
Hello OpenBSD,

I am reaching out to seek guidance on creating redundancy between a Cisco
Router and OpenBSD. After conducting extensive research on the subject, I
find myself in need of clarification on a specific point.

My intention is to employ the use of the CARP protocol in OpenBSD and VRRP
on the Cisco Router. However, I am uncertain about the compatibility
between OpenBSD's CARP and Cisco's VRRP protocols.

If any of you have practical experience or insights into using these two
protocols simultaneously within the same broadcast domain, I would greatly
appreciate hearing about your experiences.

Thank you in advance for your time and assistance.

Best regards
Sam


Re: DDB Crash Report About if_ether.c and arpinit() Gelen Kutusu

2024-02-13 Thread Samuel Jayden
Hello again,

The patch you suggested definitely worked; OpenBSD no longer crashes. Thank
you very much.

On Wed, Jan 31, 2024 at 2:40 PM Samuel Jayden 
wrote:

> Hello Valdrin,
>
> Thanks, I'll check it out and write here soon.
>
> On Wed, Jan 31, 2024 at 12:40 PM Valdrin MUJA 
> wrote:
>
>> Hello Samuel,
>>
>> I think you should give a chance to this commit:
>>
>>
>> https://github.com/openbsd/src/commit/73fb5aae645f3bc12746fd705a937dfc9f9abc01
>>
>> I hope it works for you.
>>
>> --
>> Valdrin
>> --
>> *From:* owner-m...@openbsd.org  on behalf of
>> Samuel Jayden 
>> *Sent:* Wednesday, January 31, 2024 10:29
>> *To:* misc@openbsd.org 
>> *Subject:* Re: DDB Crash Report About if_ether.c and arpinit() Gelen
>> Kutusu
>>
>> Hello again,
>>
>> My device continues to crash almost every single day.
>> Unfortunately, due to the system freeze, I'm unable to generate a crash
>> report. These crashes typically result in the following errors:
>>
>> kernel : protection fault trap, code=0
>> Stopped at arptimer+0x45: movq 0x10(%r15),%rdi
>> ddb{0}>
>>
>> Is there a solution to this issue? What steps should I take?
>> Thanks.
>>
>>
>> On Sat, Jan 27, 2024 at 10:51 AM Samuel Jayden <
>> samueljaydan1...@gmail.com>
>> wrote:
>>
>> > Hello Misc,
>> >
>> > My OpenBSD 7.4 crash with this error messages;
>> >
>> > panic: kernel diagnostic assertion "ifp != NULL" failed: file
>> > "/usr/src/sys/net/inet/if_ether.c", line 758
>> >
>> > Stopped at db_enter+0x14: popq %rbp
>> >TID  PID UID   PRFLAGS   PFLAGS   CPUCOMMAND
>> >  399412   7311877   0x112 0   10dhcpleased
>> >  360364   39155   115   0x112 0   11slaacd
>> >  155433   90182 00x14000  0x2002softnet0
>> >  162438   45442 00x14000  0x2004systq
>> > * 37835   96688 00x14000 0x42000softclock
>> > db_enter() at db_enter+0x14
>> > panic(820a8599) at panic+0xc3
>> > __assert(821232bc,8209baea,2f6,820712c0) at
>> > __assert+0x29
>> > arpinit() at arpinit
>> > arptimer(825a38e8) at arptimer+0x5f
>> > softclock_thread(800021c1fd48) at softclock_thread+0x12b
>> > end trace frame: 0x0, count: 9
>> > https://www.openbsd.org/ddb.html describes the minimum info required in
>> > bug reports. Insufficient info makes it difficult to find and fix bugs.
>> > ddb{0}>
>> >
>> > Dmesg output of my device is in the attachment.
>> >
>> > Thank you in advance for your interest.
>> >
>>
>


Re: Improve support of Go

2024-02-13 Thread Theo de Raadt
Stuart Henderson  wrote:

> On 2024/02/13 07:36, Theo de Raadt wrote:
> > Stuart Henderson  wrote:
> > 
> > > On 2024-02-13, Kirill A  Korinsky  wrote:
> > > > Good day,
> > > >
> > > > I'm updating go's syscall table to modern OpenBSD (7.4).
> > > 
> > > Save your time. Post-7.4 you cannot call syscall() any more.
> > 
> > The result seems to have nothing to do with syscalls.
> > 
> > It is the same as the build process for kdump: It is finding cpp definitions
> > most of which are argument flags, but also a few structs in /usr/include, 
> > and
> > making them available at some level inside the go ecosystem. So if in go you
> > call a system call via the regular stub API, you may need those flags.  you 
> > may
> > also need them for some other higher-level function call?  go doesn't pull
> > from /usr/include otherwise, does it?
> > 
> > 
> 
> Oh, yes those are still needed then, I'd forgotten they were part of the
> same thing from last time I tried to get them updated ...

there probably needs to be a formal process to update at least once a year,
or just before a release, and also upstream.



Re: Improve support of Go

2024-02-13 Thread Stuart Henderson
On 2024/02/13 07:36, Theo de Raadt wrote:
> Stuart Henderson  wrote:
> 
> > On 2024-02-13, Kirill A  Korinsky  wrote:
> > > Good day,
> > >
> > > I'm updating go's syscall table to modern OpenBSD (7.4).
> > 
> > Save your time. Post-7.4 you cannot call syscall() any more.
> 
> The result seems to have nothing to do with syscalls.
> 
> It is the same as the build process for kdump: It is finding cpp definitions
> most of which are argument flags, but also a few structs in /usr/include, and
> making them available at some level inside the go ecosystem. So if in go you
> call a system call via the regular stub API, you may need those flags.  you 
> may
> also need them for some other higher-level function call?  go doesn't pull
> from /usr/include otherwise, does it?
> 
> 

Oh, yes those are still needed then, I'd forgotten they were part of the
same thing from last time I tried to get them updated ...



Re: Single partition fs layout

2024-02-13 Thread Frank Habicht

On 13/02/2024 16:52, Odhiambo Washington wrote:

Thanks a million for such a nice explanation.
Let me now ask Google about those flags.

 ^^
you misspelled "the man pages"

Frank




Re: Single partition fs layout

2024-02-13 Thread Odhiambo Washington
On Tue, Feb 13, 2024 at 5:21 PM Andreas Kähäri 
wrote:

> On Tue, Feb 13, 2024 at 04:52:08PM +0300, Odhiambo Washington wrote:
> > On Tue, Feb 13, 2024 at 4:12 PM Janne Johansson 
> wrote:
> >
> > > On Tue 13 Feb 2024 at 13:40 Odhiambo Washington <
> > > odhia...@gmail.com>:
> > > >
> > > > Is there a disadvantage to having this layout style where everything
> is
> > > on
> > > > 1 partition?
> > >
> > > A few. The partitioning scheme allows certain parts of the filesystem
> > > to have different permissions,
> > >
> > > /dev/sd1a on / type ffs (local)
> > > /dev/sd1e on /home type ffs (local, nodev, nosuid)
> > > /dev/sd1d on /usr type ffs (local, nodev)
> > > /dev/sd0a on /usr/local type ffs (local, nodev, wxallowed)
> > >
> > > but also if something decides to log like crazy and fills up /var and
> > > you have /var ( or /var/log ) as a separate partition, the rest of the
> > > system is not affected by it going full and it might be lots easier to
> > > recover from it when the rest of the paths work as expected.
> > >
> > > It's a tradeoff between having to know in advance where data will go
> > > or not, versus being able to prevent some nasty issues that could
> > > occur if you let someone else run code on your machine.
> > >
> > > For a throwaway VM that you can reproduce, it would not matter so
> > > much. For a box you really care about and is meant to run for years,
> > > it matters more.
> > >
> > > --
> > > May the most significant bit of your life be positive.
> > >
> >
> > Hello Janne,
> >
> > Thanks a million for such a nice explanation.
> > Let me now ask Google about those flags.
>
> It would be better to read the mount(8) manual page, as it explains
> what the mount options mean in the context of OpenBSD.
>
> See "man mount" or, if you have to use a web browser, the online manual
> at http://man.openbsd.org/mount.8
>
>
> --
> Andreas (Kusalananda) Kähäri
> Uppsala, Sweden
>

Thank you.
Greetings from Kenya.


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
 In an Internet failure case, the #1 suspect is a constant: DNS.
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
[How to ask smart questions:
http://www.catb.org/~esr/faqs/smart-questions.html]


Re: Improve support of Go

2024-02-13 Thread Theo de Raadt
Stuart Henderson  wrote:

> On 2024-02-13, Kirill A  Korinsky  wrote:
> > Good day,
> >
> > I'm updating go's syscall table to modern OpenBSD (7.4).
> 
> Save your time. Post-7.4 you cannot call syscall() any more.

The result seems to have nothing to do with syscalls.

It is the same as the build process for kdump: It is finding cpp definitions
most of which are argument flags, but also a few structs in /usr/include, and
making them available at some level inside the go ecosystem. So if in go you
call a system call via the regular stub API, you may need those flags.  you may
also need them for some other higher-level function call?  go doesn't pull
from /usr/include otherwise, does it?




Re: Improve support of Go

2024-02-13 Thread Stuart Henderson
On 2024-02-13, Kirill A  Korinsky  wrote:
> Good day,
>
> I'm updating go's syscall table to modern OpenBSD (7.4).

Save your time. Post-7.4 you cannot call syscall() any more.

-- 
Please keep replies on the mailing list.



Re: Single partition fs layout

2024-02-13 Thread Andreas Kähäri
On Tue, Feb 13, 2024 at 04:52:08PM +0300, Odhiambo Washington wrote:
> On Tue, Feb 13, 2024 at 4:12 PM Janne Johansson  wrote:
> 
> > On Tue 13 Feb 2024 at 13:40 Odhiambo Washington <
> > odhia...@gmail.com>:
> > >
> > > Is there a disadvantage to having this layout style where everything is
> > on
> > > 1 partition?
> >
> > A few. The partitioning scheme allows certain parts of the filesystem
> > to have different permissions,
> >
> > /dev/sd1a on / type ffs (local)
> > /dev/sd1e on /home type ffs (local, nodev, nosuid)
> > /dev/sd1d on /usr type ffs (local, nodev)
> > /dev/sd0a on /usr/local type ffs (local, nodev, wxallowed)
> >
> > but also if something decides to log like crazy and fills up /var and
> > you have /var ( or /var/log ) as a separate partition, the rest of the
> > system is not affected by it going full and it might be lots easier to
> > recover from it when the rest of the paths work as expected.
> >
> > It's a tradeoff between having to know in advance where data will go
> > or not, versus being able to prevent some nasty issues that could
> > occur if you let someone else run code on your machine.
> >
> > For a throwaway VM that you can reproduce, it would not matter so
> > much. For a box you really care about and is meant to run for years,
> > it matters more.
> >
> > --
> > May the most significant bit of your life be positive.
> >
> 
> Hello Janne,
> 
> Thanks a million for such a nice explanation.
> Let me now ask Google about those flags.

It would be better to read the mount(8) manual page, as it explains
what the mount options mean in the context of OpenBSD.

See "man mount" or, if you have to use a web browser, the online manual
at http://man.openbsd.org/mount.8


-- 
Andreas (Kusalananda) Kähäri
Uppsala, Sweden




Re: Single partition fs layout

2024-02-13 Thread Odhiambo Washington
On Tue, Feb 13, 2024 at 4:12 PM Janne Johansson  wrote:

> On Tue 13 Feb 2024 at 13:40 Odhiambo Washington <
> odhia...@gmail.com>:
> >
> > Is there a disadvantage to having this layout style where everything is
> on
> > 1 partition?
>
> A few. The partitioning scheme allows certain parts of the filesystem
> to have different permissions,
>
> /dev/sd1a on / type ffs (local)
> /dev/sd1e on /home type ffs (local, nodev, nosuid)
> /dev/sd1d on /usr type ffs (local, nodev)
> /dev/sd0a on /usr/local type ffs (local, nodev, wxallowed)
>
> but also if something decides to log like crazy and fills up /var and
> you have /var ( or /var/log ) as a separate partition, the rest of the
> system is not affected by it going full and it might be lots easier to
> recover from it when the rest of the paths work as expected.
>
> It's a tradeoff between having to know in advance where data will go
> or not, versus being able to prevent some nasty issues that could
> occur if you let someone else run code on your machine.
>
> For a throwaway VM that you can reproduce, it would not matter so
> much. For a box you really care about and is meant to run for years,
> it matters more.
>
> --
> May the most significant bit of your life be positive.
>

Hello Janne,

Thanks a million for such a nice explanation.
Let me now ask Google about those flags.


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
 In an Internet failure case, the #1 suspect is a constant: DNS.
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
[How to ask smart questions:
http://www.catb.org/~esr/faqs/smart-questions.html]


Re: Single partition fs layout

2024-02-13 Thread Maja Reberc
A very nice explanation, Janne, thank you!

On Tue, 13 Feb 2024 14:12:10 +0100
Janne Johansson  wrote:

> A few. The partitioning scheme allows certain parts of the filesystem
> to have different permissions,
> 
> /dev/sd1a on / type ffs (local)
> /dev/sd1e on /home type ffs (local, nodev, nosuid)
> /dev/sd1d on /usr type ffs (local, nodev)
> /dev/sd0a on /usr/local type ffs (local, nodev, wxallowed)
> 
> but also if something decides to log like crazy and fills up /var and
> you have /var ( or /var/log ) as a separate partition, the rest of the
> system is not affected by it going full and it might be lots easier to
> recover from it when the rest of the paths work as expected.
> 
> It's a tradeoff between having to know in advance where data will go
> or not, versus being able to prevent some nasty issues that could
> occur if you let someone else run code on your machine.
> 
> For a throwaway VM that you can reproduce, it would not matter so
> much. For a box you really care about and is meant to run for years,
> it matters more.


Re: Single partition fs layout

2024-02-13 Thread Janne Johansson
On Tue 13 Feb 2024 at 13:40 Odhiambo Washington wrote:
>
> Is there a disadvantage to having this layout style where everything is on
> 1 partition?

A few. The partitioning scheme allows certain parts of the filesystem
to have different permissions,

/dev/sd1a on / type ffs (local)
/dev/sd1e on /home type ffs (local, nodev, nosuid)
/dev/sd1d on /usr type ffs (local, nodev)
/dev/sd0a on /usr/local type ffs (local, nodev, wxallowed)

but also if something decides to log like crazy and fills up /var and
you have /var ( or /var/log ) as a separate partition, the rest of the
system is not affected by it going full and it might be lots easier to
recover from it when the rest of the paths work as expected.

It's a tradeoff between having to know in advance where data will go
or not, versus being able to prevent some nasty issues that could
occur if you let someone else run code on your machine.

For a throwaway VM that you can reproduce, it would not matter so
much. For a box you really care about and is meant to run for years,
it matters more.

-- 
May the most significant bit of your life be positive.
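Janne's mount lines show the practical side of the tradeoff: an option such as nosuid or nodev can only be applied to a directory that is its own partition, and a single-partition box cannot express that policy at all. The following is an added example for this thread (not OpenBSD code and not from anyone on the list) that parses mount(8)-style lines and reports, for each directory in a small policy, whether it is a separate partition and whether it carries the expected options. The policy table is the example's own assumption, built from the four lines quoted above plus /tmp and /var; both sample layouts are constructed.

```python
"""Audit mount(8) output for per-partition hardening options.

Constructed example for this thread; not OpenBSD code. parse_mount()
reads lines in the form mount(8) prints them, and audit() compares the
mounts against a small policy of which directories should be separate
partitions and which options they should carry. The policy is this
example's own assumption.
"""
import re
from typing import Dict, List, Set

MOUNT_LINE_RE = re.compile(
    r"^(?P<dev>\S+) on (?P<mnt>\S+) type (?P<fs>\S+) \((?P<opts>[^)]*)\)$"
)

# Constructed sample 1: the split layout quoted in the thread.
SPLIT_LAYOUT = """\
/dev/sd1a on / type ffs (local)
/dev/sd1e on /home type ffs (local, nodev, nosuid)
/dev/sd1d on /usr type ffs (local, nodev)
/dev/sd0a on /usr/local type ffs (local, nodev, wxallowed)
"""

# Constructed sample 2: everything on one partition, as in the original question.
SINGLE_LAYOUT = "/dev/sd0a on / type ffs (local)\n"

# Assumed policy: directory -> options expected on the partition holding it.
POLICY: Dict[str, Set[str]] = {
    "/home": {"nodev", "nosuid"},
    "/tmp": {"nodev", "nosuid"},
    "/var": {"nodev", "nosuid"},
    "/usr": {"nodev"},
    "/usr/local": {"nodev", "wxallowed"},
}


def parse_mount(text: str) -> Dict[str, Set[str]]:
    """Map each mount point to the set of options mount(8) reports for it."""
    mounts: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        m = MOUNT_LINE_RE.match(line.strip())
        if m:
            mounts[m["mnt"]] = {o.strip() for o in m["opts"].split(",") if o.strip()}
    return mounts


def covering_mount(path: str, mounts: Dict[str, Set[str]]) -> str:
    """The mount point whose subtree contains path (longest prefix wins)."""
    best = "/"
    for mnt in mounts:
        prefix = mnt.rstrip("/") + "/"
        if path == mnt or (path + "/").startswith(prefix):
            if len(mnt) > len(best):
                best = mnt
    return best


def audit(text: str, policy: Dict[str, Set[str]] = POLICY) -> List[str]:
    """Return one finding per policy entry that is not satisfied."""
    mounts = parse_mount(text)
    findings: List[str] = []
    for path, wanted in sorted(policy.items()):
        mnt = covering_mount(path, mounts)
        if mnt != path:
            # The directory shares a filesystem with its parent, so the
            # options cannot be set for it without affecting everything else.
            findings.append(f"{path}: not a separate partition (lives on {mnt}); "
                            f"cannot set {','.join(sorted(wanted))} independently")
            continue
        missing = wanted - mounts[mnt]
        if missing:
            findings.append(f"{path}: missing {','.join(sorted(missing))}")
    return findings


if __name__ == "__main__":
    for name, layout in (("split", SPLIT_LAYOUT), ("single", SINGLE_LAYOUT)):
        print(f"[{name}]")
        for finding in audit(layout) or ["no findings"]:
            print("  " + finding)
```

On a real box the input is simply the output of `mount` fed to `audit()`; the meaning of each option is in mount(8), as Andreas notes elsewhere in the thread.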



Re: Improve support of Go

2024-02-13 Thread Kirill A . Korinsky
On Tue, 13 Feb 2024 13:10:44 +0100,
Janne Johansson wrote:
> 
> I can run them on mips64 for you at least.
> 

I'll appreciate this. After that I only need
 - arm
 - arm64
 - ppc64
 - riscv64

Can you run something like this?

  doas pkg_add bash git go
  git clone -b opebsd-syscalls https://github.com/catap/go.git
  cd go/src
  ulimit -S -d $(ulimit -H -d)
  env CGO_ENABLED=1 CC=cc CXX=c++ ./make.bash
  cd syscall
  env GOOS=openbsd GOARCH=%ARCH% CC=cc CXX=c++ PATH=$(pwd)/../../bin:$PATH ./mkall.sh
  git diff > /tmp/go-mips64.diff

and send me back /tmp/go-mips64.diff?

But it requires some time to bootstrap go and everything. Inside full
virtualization for i386 it takes nearly an hour on a not-that-fast host.

I assume that on real mips64 it might be something like this.

-- 
wbr, Kirill



Single partition fs layout

2024-02-13 Thread Odhiambo Washington
Is there a disadvantage to having this layout style where everything is on
1 partition?

```
openbsd$ uname -a
OpenBSD openbsd.vmbridge.local 7.4 GENERIC.MP#1397 amd64
openbsd$ df -h
Filesystem SizeUsed   Avail Capacity  Mounted on
/dev/sd0a 43.3G1.7G   39.5G 5%/
openbsd$ ls -al /
total 158208
drwxr-xr-x  13 root  wheel   512 Feb 13 14:54 .
drwxr-xr-x  13 root  wheel   512 Feb 13 14:54 ..
-rw-r--r--   1 root  wheel   578 Oct 10 17:41 .cshrc
-rw-r--r--   1 root  wheel   468 Oct 10 17:41 .profile
drwxr-xr-x   2 root  wheel   512 Oct 10 17:41 altroot
drwxr-xr-x   2 root  wheel  1024 Oct 10 17:41 bin
-rwx--   1 root  wheel  25441732 Feb 13 14:54 bsd
-rwx--   1 root  wheel  25417620 Feb 13 14:36 bsd.booted
-rw---   1 root  wheel   4659966 Feb 13 14:35 bsd.rd
-rw---   1 root  wheel  25344566 Feb 13 14:35 bsd.sp
drwxr-xr-x   6 root  wheel 19456 Feb 13 14:39 dev
drwxr-xr-x  24 root  wheel  1536 Feb 13 14:53 etc
drwxr-xr-x   3 root  wheel   512 Feb 13 14:36 home
drwxr-xr-x   2 root  wheel   512 Oct 10 17:41 mnt
drwx--   3 root  wheel   512 Feb 13 14:36 root
drwxr-xr-x   2 root  wheel  1536 Oct 10 17:41 sbin
lrwxrwx---   1 root  wheel11 Oct 10 17:41 sys -> usr/src/sys
drwxrwxrwt   6 root  wheel   512 Feb 13 14:54 tmp
drwxr-xr-x  16 root  wheel   512 Feb 13 14:36 usr
drwxr-xr-x  24 root  wheel   512 Oct  8 18:42 var
```

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
 In an Internet failure case, the #1 suspect is a constant: DNS.
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
[How to ask smart questions:
http://www.catb.org/~esr/faqs/smart-questions.html]


Re: Improve support of Go

2024-02-13 Thread Janne Johansson
> Good day,
>
> I'm updating go's syscall table to modern OpenBSD (7.4).
> For some architectures it was updated more than a decade ago, and a lot of
> things had changed.
> To do it I need to run commands like:
>
>   cd src
>   ulimit -S -d $(ulimit -H -d)
>   env CGO_ENABLED=1 CC=cc CXX=c++ ./make.bash
>   cd syscall
>   env GOOS=openbsd GOARCH=%ARCH% CC=cc CXX=c++ PATH=$(pwd)/../../bin:$PATH ./mkall.sh
>
> where %ARCH% is one of go's architectures:
>  - 386
>  - amd64
>  - arm
>  - arm64
>  - mips64
>  - ppc64
>  - riscv64
>
> The part with amd64 and 386 was quite easy. But the next parts... well..
>
> I got stuck trying to install OpenBSD into qemu. I can't figure out how to
> boot an installer :(
>
> To move forward I need some help.
>
> The first way if someone can share the way to boot / install OpenBSD into 
> qemu.
>
> And an alternative and simpler way, I guess: if someone can grant me a shell to
> that machine or run the commands above on OpenBSD with go installed inside the source
> tree from this branch: https://github.com/catap/go/tree/opebsd-syscalls

I can run them on mips64 for you at least.

-- 
May the most significant bit of your life be positive.



Improve support of Go

2024-02-13 Thread Kirill A . Korinsky
Good day,

I'm updating go's syscall table to modern OpenBSD (7.4).

For some architectures it was updated more than a decade ago, and a lot of things
had changed.

To do it I need to run commands like:

  cd src
  ulimit -S -d $(ulimit -H -d)
  env CGO_ENABLED=1 CC=cc CXX=c++ ./make.bash
  cd syscall
  env GOOS=openbsd GOARCH=%ARCH% CC=cc CXX=c++ PATH=$(pwd)/../../bin:$PATH ./mkall.sh

where %ARCH% is one of go's architectures:
 - 386
 - amd64
 - arm
 - arm64
 - mips64
 - ppc64
 - riscv64

The part with amd64 and 386 was quite easy. But the next parts... well..

I got stuck trying to install OpenBSD into qemu. I can't figure out how to
boot an installer :(

To move forward I need some help.

The first way if someone can share the way to boot / install OpenBSD into qemu.

And an alternative and simpler way, I guess: if someone can grant me a shell to
that machine or run the commands above on OpenBSD with go installed inside the source
tree from this branch: https://github.com/catap/go/tree/opebsd-syscalls

Thanks.

--
wbr, Kirill



Re: Log files, OpenBSD and Zero click exploits

2024-02-13 Thread Stuart Henderson
On 2024-02-13, Peter N. M. Hansteen  wrote:
> On Tue, Feb 13, 2024 at 08:29:59AM +, jonathon575 wrote:
>> Kindly find below log entries generated from tcpdump of the pflog. This is a 
>> fresh install & updated openbsd 7.4, with bare-minimum installation 
>> configured for a firewall. There are no x* programs installed.
>> 
>> Feb 11 18:09:41.682345 rule 14/(match) block in on re0: 69.166.225.73.51820 
>> > wan-ip.60360: [wg] initiation from 0xdd6a56bc
>> Feb 11 18:09:46.754493 rule 14/(match) block in on re0: 69.166.225.73.51820 
>> > wan-ip.60360: [wg] initiation from 0x963acc89
>> Feb 11 18:09:51.778525 rule 14/(match) block in on re0: 69.166.225.73.51820 
>> > wan-ip.60360: [wg] initiation from 0x93d9508d
>> Feb 11 18:09:56.835383 rule 14/(match) block in on re0: 69.166.225.73.51820 
>> > wan-ip.60360: [wg] initiation from 0x112cf65b
>> Feb 11 18:29:33.657009 rule 14/(match) block in on re0: 69.166.225.73.51820 
>> > wan-ip.60360: [wg] initiation from 0x639ed21a
>> Feb 11 18:29:33.657454 rule 14/(match) block in on re0: 69.166.225.73.51820 
>> > wan-ip.60360: [wg] initiation from 0xb2fcd9b8
>> Feb 11 18:29:33.658140 rule 14/(match) block in on re0: 69.166.225.73.51820 
>> > wan-ip.60360: [wg] initiation from 0x8ae84cca
>> Feb 11 18:29:33.658808 rule 14/(match) block in on re0: 69.166.225.73.51820 
>> > wan-ip.60360: [wg] initiation from 0xcbb881b7
>> Feb 11 18:29:33.659165 rule 14/(match) block in on re0: 69.166.225.73.51820 
>> > wan-ip.60360: [wg] initiation from 0x612a28f8
>> Feb 11 18:29:33.659416 rule 14/(match) block in on re0: 69.166.225.73.51820 
>> > wan-ip.60360: [wg] initiation from 0x49f595ec
>> 
>> wan-ip is my wan static ip address.
>> 
>> What does [wg] mean? What does "initiation from 0xdd6a56bc" etc. mean? 
>
> These log entries mean that your system blocked attempts from 69.166.225.73 
> to access whatever wan-ip is. 
>
> Your system recognized the traffic as attempts to initiate a WireGuard (a 
> sort of vpn, see https://man.openbsd.org/wg 
> and links therein). The attempts were blocked.

Sending wireguard packets at you doesn't seem very likely to be
malicious, more likely wan-ip was previously used by someone for their
wireguard connections and it was reassigned to you.

> Some of the things you mention may require specialized tools, but please 
> invest some time in learning to
> properly interpret the output of the basic tools first.

accton(8) and the manpages referenced in accton's "SEE ALSO" might be
one place to start reading to log what's been run on a system.

aide (in packages) might be useful for detecting changed files.


-- 
Please keep replies on the mailing list.
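Peter's and Stuart's reading of the pflog lines (blocked WireGuard handshake initiations, most likely aimed at a previous holder of the address) is the kind of conclusion that is easier to reach with the lines parsed than by eye. The following is an added example for this thread, not code from OpenBSD or from either poster: it parses the quoted tcpdump-of-pflog output into fields and summarises, per source address, how many initiations were seen, how many were blocked, and the largest burst inside a one-second window. The sample is the thread's own lines rejoined onto single lines with `wan-ip` kept as written; the year is assumed to be 2024 because syslog-style timestamps carry none.

```python
"""Parse tcpdump pflog lines with WireGuard decoding and summarise per source.

Constructed example for this thread, not code from OpenBSD or from anyone
on the list. SAMPLE_PFLOG is the quoted output rejoined onto single lines;
'wan-ip' is kept exactly as the poster wrote it.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

SAMPLE_PFLOG = """\
Feb 11 18:09:41.682345 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0xdd6a56bc
Feb 11 18:09:46.754493 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x963acc89
Feb 11 18:09:51.778525 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x93d9508d
Feb 11 18:09:56.835383 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x112cf65b
Feb 11 18:29:33.657009 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x639ed21a
Feb 11 18:29:33.657454 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0xb2fcd9b8
Feb 11 18:29:33.658140 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x8ae84cca
Feb 11 18:29:33.658808 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0xcbb881b7
Feb 11 18:29:33.659165 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x612a28f8
Feb 11 18:29:33.659416 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x49f595ec
"""

# One pflog line as tcpdump prints it: timestamp, pf rule number and reason,
# action, direction, interface, source host.port, destination host.port,
# then the WireGuard decoder's "[wg] initiation from <sender index>".
PFLOG_WG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+) "
    r"rule (?P<rule>\d+)/\((?P<reason>[a-z]+)\) "
    r"(?P<action>block|pass) (?P<direction>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): \[wg\] initiation from (?P<sender>0x[0-9a-f]+)$"
)


def split_host_port(endpoint: str):
    """tcpdump prints host.port; the port is whatever follows the last dot."""
    host, _, port = endpoint.rpartition(".")
    return host, int(port)


def parse_pflog(text: str, year: int = 2024) -> List[dict]:
    """Turn matching lines into dicts; non-matching lines are skipped.
    The timestamps carry no year, so one is supplied (assumed 2024 here)."""
    events = []
    for line in text.splitlines():
        m = PFLOG_WG_RE.match(line.strip())
        if not m:
            continue
        src_ip, src_port = split_host_port(m["src"])
        dst_ip, dst_port = split_host_port(m["dst"])
        events.append({
            "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f"),
            "rule": int(m["rule"]), "action": m["action"], "ifname": m["ifname"],
            "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port, "sender": m["sender"],
        })
    return events


def summarize(events: List[dict], window_s: float = 1.0) -> Dict[str, dict]:
    """Per source address: total initiations, how many pf blocked, the source
    ports used, and the largest count inside any window_s-second span."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src_ip"]].append(e)
    out = {}
    for ip, evs in by_src.items():
        stamps = sorted(e["ts"] for e in evs)
        biggest, j = 0, 0
        for i, t in enumerate(stamps):        # sliding window over sorted times
            while (t - stamps[j]).total_seconds() > window_s:
                j += 1
            biggest = max(biggest, i - j + 1)
        out[ip] = {
            "initiations": len(evs),
            "blocked": sum(e["action"] == "block" for e in evs),
            "max_in_window": biggest,
            "src_ports": sorted({e["src_port"] for e in evs}),
        }
    return out


if __name__ == "__main__":
    for ip, info in summarize(parse_pflog(SAMPLE_PFLOG)).items():
        print(ip, info)
```

For the quoted lines this gives one source, ten initiations, all blocked, all from source port 51820 (WireGuard's conventional port), with six arriving inside two milliseconds. A single peer retrying a handshake it cannot complete looks exactly like this, which is consistent with Stuart's explanation; the summary is what you would look at to decide whether the traffic deserves a dedicated pf rule or is just noise to leave blocked.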



Re: relayd fallback when using tag/tagged

2024-02-13 Thread Joel Carnat

On 13/02/2024 at 10:07, Manuel Giraud wrote:

Joel Carnat  writes:


Hello,

I'm trying to configure relayd(8) to use tags, to allow legit host
names only and modify HTTP headers, and fallback. But I can't have it
working properly.

Using such a configuration:
#-8<---
table   { 192.0.2.4 }
table  { 192.0.2.7}
http protocol www {
   block
   match request header "Host" value "www.example" tag "example"
   pass request tagged "example" forward to 
}


I've not tested it but maybe you're missing this last rule in the
previous block:

 pass request forward to 


That doesn't work either.

If I add it, with or without a tagged directive, it becomes the only 
effective rule (last matching rule?) and it never reaches the primary 
server.




Re: relayd fallback when using tag/tagged

2024-02-13 Thread Manuel Giraud
Joel Carnat  writes:

> Hello,
>
> I'm trying to configure relayd(8) to use tags, to allow legit host
> names only and modify HTTP headers, and fallback. But I can't have it
> working properly.
>
> Using such a configuration:
> #-8<---
> table   { 192.0.2.4 }
> table  { 192.0.2.7}
> http protocol www {
>   block
>   match request header "Host" value "www.example" tag "example"
>   pass request tagged "example" forward to 
> }

I've not tested it but maybe you're missing this last rule in the
previous block:

pass request forward to 
-- 
Manuel Giraud



Re: Log files, OpenBSD and Zero click exploits

2024-02-13 Thread Peter N. M. Hansteen
On Tue, Feb 13, 2024 at 08:29:59AM +, jonathon575 wrote:
> Kindly find below log entries generated from tcpdump of the pflog. This is a 
> fresh install & updated openbsd 7.4, with bare-minimum installation 
> configured for a firewall. There are no x* programs installed.
> 
> Feb 11 18:09:41.682345 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
> wan-ip.60360: [wg] initiation from 0xdd6a56bc
> Feb 11 18:09:46.754493 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
> wan-ip.60360: [wg] initiation from 0x963acc89
> Feb 11 18:09:51.778525 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
> wan-ip.60360: [wg] initiation from 0x93d9508d
> Feb 11 18:09:56.835383 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
> wan-ip.60360: [wg] initiation from 0x112cf65b
> Feb 11 18:29:33.657009 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
> wan-ip.60360: [wg] initiation from 0x639ed21a
> Feb 11 18:29:33.657454 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
> wan-ip.60360: [wg] initiation from 0xb2fcd9b8
> Feb 11 18:29:33.658140 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
> wan-ip.60360: [wg] initiation from 0x8ae84cca
> Feb 11 18:29:33.658808 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
> wan-ip.60360: [wg] initiation from 0xcbb881b7
> Feb 11 18:29:33.659165 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
> wan-ip.60360: [wg] initiation from 0x612a28f8
> Feb 11 18:29:33.659416 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
> wan-ip.60360: [wg] initiation from 0x49f595ec
> 
> wan-ip is my wan static ip address.
> 
> What does [wg] mean? What does "initiation from 0xdd6a56bc"...etc. mean? 

These log entries mean that your system blocked attempts from 69.166.225.73 
to access whatever wan-ip is. 

Your system recognized the traffic as attempts to initiate a WireGuard (a sort 
of vpn, see https://man.openbsd.org/wg 
and links therein). The attempts were blocked.

The rest of your questions can be answered relatively easily by familiarizing 
yourself with the tools at hand, such as the tcpdump you have already 
encountered. Do read up on how syslog classifies messages and how to report 
which levels and so forth. 

Some of the things you mention may require specialized tools, but please invest 
some time in learning to properly interpret the output of the basic tools first.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
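As an added example, not part of any post in this thread: a small Python parser for the pflog lines quoted above. The hex value tcpdump prints after `[wg] initiation from` is the 32-bit sender index carried in the WireGuard handshake initiation packet, chosen fresh by the initiator for every handshake attempt; it is not an address in the receiving host's memory. The summary therefore counts blocked initiations per source and destination and checks that the indexes are all distinct, which is what repeated handshake retries from one peer still pointed at the old holder of wan-ip look like. The sample lines are constructed from the quoted log plus one unrelated TCP line.

```python
import re
from collections import defaultdict

# Constructed sample: four lines reproduced from the quoted pflog output,
# plus one non-WireGuard line (TCP SYN to port 22) to show it is ignored.
SAMPLE_PFLOG = """\
Feb 11 18:09:41.682345 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0xdd6a56bc
Feb 11 18:09:46.754493 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x963acc89
Feb 11 18:29:33.657009 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x639ed21a
Feb 11 18:29:33.657454 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0xb2fcd9b8
Feb 11 18:30:01.000000 rule 14/(match) block in on re0: 198.51.100.9.44123 > wan-ip.22: S 1:1(0) win 64240
"""

# One tcpdump-on-pflog line: timestamp, pf rule, action/direction/interface,
# src.port > dst.port, then the protocol-specific text.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/\(match\) "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<payload>.*)$"
)
# The hex value is the initiator's 32-bit sender index from the handshake.
WG_INIT_RE = re.compile(r"\[wg\] initiation from 0x(?P<sender>[0-9a-fA-F]{8})")


def parse_pflog_line(line):
    """Return a dict of fields for one line, or None if it is not pflog output."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    wg = WG_INIT_RE.search(rec["payload"])
    rec["wg_sender_index"] = wg.group("sender").lower() if wg else None
    return rec


def summarize_wg_initiations(text):
    """Blocked WireGuard initiations per (src, dst, dst port); distinct_indexes
    equal to blocked means each attempt was a fresh handshake, not one packet
    repeated."""
    blocked = defaultdict(int)
    indexes = defaultdict(set)
    for line in text.splitlines():
        rec = parse_pflog_line(line)
        if not rec or rec["action"] != "block" or not rec["wg_sender_index"]:
            continue
        key = (rec["src"], rec["dst"], rec["dport"])
        blocked[key] += 1
        indexes[key].add(rec["wg_sender_index"])
    return {k: {"blocked": n, "distinct_indexes": len(indexes[k])}
            for k, n in blocked.items()}
```

Feed it the output of `tcpdump -n -e -ttt -r /var/log/pflog` (or the live pflog0 interface) to get the same per-source view over a real log.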



Re: relayd fallback when using tag/tagged

2024-02-13 Thread Joel Carnat

The proposed rules don't seem to change relayd(8)'s behaviour.
It keeps sending HTTP traffic to the primary server and fail when it is 
down. The secondary / fallback server is never used.


Starting status:
relayd[26195]: host 192.0.2.7, check http code (14ms,http code ok), 
state unknown -> up, availability 100.00%
relayd[26195]: host 192.0.2.4, check http code (44ms,http code ok), 
state unknown -> up, availability 100.00%


Stopping the backend server:
relayd[21988]: host 192.0.2.4, check http code (3ms,http code 
malformed), state up -> down, availability 95.65%
relayd[54506]: host 192.0.2.4, check http code (1ms,tcp connect failed), 
state up -> down, availability 99.44%


HTTP request while primary host is down:
relayd[63036]: relay www4tls, session 6 (1 active), example, 1.2.3.4 -> 
:0, session failed, [ww.example/] [Host: www.example] [User-Agent: 
curl/7.81.0] GET


On 13/02/2024 at 04:29, l...@trungnguyen.me wrote:

Hi

On February 13, 2024 12:20:26 AM UTC, Joel Carnat  wrote:

Hello,

I'm trying to configure relayd(8) to use tags, to allow legit host names only 
and modify HTTP headers, and fallback. But I can't have it working properly.

Using such a configuration:
#-8<---
table   { 192.0.2.4 }
table  { 192.0.2.7}
http protocol www {
  block
  match request header "Host" value "www.example" tag "example"
  pass request tagged "example" forward to 

Try:
match request header "Host" value "www.example" tag example
pass forward to  tagged example

}
relay www {
  listen on 192.0.2.30 port 80
  protocol www
  forward to   port 80 check http "/" code 200
  forward to  port 80
}
#-8<---
forwards all tagged HTTP traffic to the primary server. But if it is turned 
off, relayd(8) only replies with error rather than sending the traffic to the 
fallback server.


What errors are you having?

Removing tags and using a simple "pass" directive in protocol (as described in 
the man page) does work as expected regarding the fallback server.

Is there a way to use both tags and fallback with relayd(8) to mimic Apache's Failover[1] 
configuration with "ProxyPass" and "BalancerMember (...) status=+H" ?

Thank you,
Joel C.

[1] https://httpd.apache.org/docs/trunk/howto/reverse_proxy.html#failover


https://man.openbsd.org/relayd.conf.5#tag





Log files, OpenBSD and Zero click exploits

2024-02-13 Thread jonathon575
Subject: Log files and Zero click exploits

Greetings,

Kindly find below log entries generated from tcpdump of the pflog. This is a 
fresh install & updated openbsd 7.4, with bare-minimum installation configured 
for a firewall. There are no x* programs installed.

Feb 11 18:09:41.682345 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
wan-ip.60360: [wg] initiation from 0xdd6a56bc
Feb 11 18:09:46.754493 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
wan-ip.60360: [wg] initiation from 0x963acc89
Feb 11 18:09:51.778525 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
wan-ip.60360: [wg] initiation from 0x93d9508d
Feb 11 18:09:56.835383 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
wan-ip.60360: [wg] initiation from 0x112cf65b
Feb 11 18:29:33.657009 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
wan-ip.60360: [wg] initiation from 0x639ed21a
Feb 11 18:29:33.657454 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
wan-ip.60360: [wg] initiation from 0xb2fcd9b8
Feb 11 18:29:33.658140 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
wan-ip.60360: [wg] initiation from 0x8ae84cca
Feb 11 18:29:33.658808 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
wan-ip.60360: [wg] initiation from 0xcbb881b7
Feb 11 18:29:33.659165 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
wan-ip.60360: [wg] initiation from 0x612a28f8
Feb 11 18:29:33.659416 rule 14/(match) block in on re0: 69.166.225.73.51820 > 
wan-ip.60360: [wg] initiation from 0x49f595ec

wan-ip is my wan static ip address.

What does [wg] mean? What does "initiation from 0xdd6a56bc"...etc. mean? Does 
that mean there is a malicious file/app located at those memory addresses in my 
system trying to initiate a connection to this specific 69.166.225.73.51820 
address/port? This IP address is malicious, and there are others as well that we 
get every single time we connect to the internet. Those malicious IP addresses 
could also be spoofed. Other log files are not indicating anything. We always 
get those attacks every time when connecting to the internet, and it usually 
happens at the initial connections.

How to configure the log files to record all the activities happening on the 
system and especially to locate malicious activities/files including zero-click 
exploits...etc?

I created a basic bin malware for testing purposes and copied it to the bsd 
system using usb. The only activity that was logged under messages was the usb 
attach/detach. However, the malicious file itself and its execution were not 
recorded at all in any of the log files. Also, for Intrusion Detection, I used 
mtree before and after the malware copy to the system, mtree was able to detect 
the file and record it under extra:, however, when I deleted the file and 
covered the track using dd if=/dev/zero of=/bin_location bs=1024k count=12, 
mtree could not detect it. That means as an IDS, mtree is defenseless against 
malicious files that delete and cover their tracks.

When examining citizen lab's zero-click exploits reports, almost all the 
malicious directories and files are stored under folders that would not be 
immutable such as /usr/ library directories and files. As an example, under 
openbsd, the folders /bin, /sbin, /usr/bin, /usr/sbin, and /etc, could be schg 
immutable, however, if other folders or files are configured to be schg 
immutable, the openbsd system would break, and when restarted, it would not load. 
Also, the zero-click exploits for the most part do not attempt to change the 
files in the mentioned bin/sbin folders, rather, the exploit would copy the 
malware to a location that is not immutable and use those files to its 
malicious purposes.

The zero-click exploit attacks for smartphones may be slightly different than a 
fixed standalone device system, as smartphones such as ios, android...etc 
are mobile, so the malware may have to be persistent, however, for a 
standalone system such as a firewall, since it would be in a fixed location 
with static wan IP address, and especially if the device was under the telecom 
umbrella of a corrupted adversary, as long as they know what platform you are 
using, the zero-click exploit could happen almost instantly and does not have 
to be persistent as they would get in at every internet connection, then 
delete, cover tracks, and reinstating the system to an undetectable status at 
every internet disconnect.

How to activate the log files to be able to detect such activities, How to 
protect openbsd from such exploits, what tools could be used in openbsd to help 
detect such malicious intrusion, any kernel/firewall tweaks to protect against 
such attacks?

The rules "block all, pass out" are insufficient, and you do not have to click 
on any link for the attack to take place.

Appreciate your kind support.

John

On Sunday, April 30th, 2023 at 5:23 AM, jonathon575 
 wrote:

> Thank you Stuart.
>
> --- Original Message ---
> On Saturday, April 29th, 2023 at 

Re: Installing shellinabox on OpenBSD

2024-02-13 Thread Stuart Henderson
On 2024-02-12, Daniel Ouellet  wrote:
> Anyway in 2024 still not have a decent native ssh client on Windows

Except it does, a port of openssh.