Re: ntpd: "DNS lookup tempfail" when running on an IPv6-only node
On 14/02/2024 09:31, Theo de Raadt wrote:
> Willy Manga wrote:
> > Is it possible the default ntpd.conf file use something like
> > "servers openbsd.pool.ntp.org" and of course have openbsd.pool.ntp.org
> > looking for IPv6 nodes?
>
> Not going to happen.

Fine. Can we at least have a workaround from the start? Change "#servers pool.ntp.org" to another pool of servers available over IPv6?

Ideally I agree it must be fixed upstream. That's why I filed an issue on GitHub. At the moment, I don't know how the OpenBSD ecosystem prefers to deal with that kind of issue: wait for a fix from upstream, or solve the user experience at its own level. I'm happy to learn :)

-- 
Willy Manga
Re: KeyTrap DNS vulnerability
On Wed, Feb 14, 2024 at 04:55:20AM +0100, b...@fea.st wrote:
> "A single packet can exhaust the processing capacity of a vulnerable DNS
> server, effectively disabling the machine, by exploiting a 20-plus-year-old
> design flaw in the DNSSEC specification."
>
> https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/

To be clear, this does not mean DNSSEC is cryptographically broken. The RFCs specifying the DNSSEC validation algorithm do not take into account the potential resource usage of validating many potential signatures, so the implementations following the RFCs suffered from the same. By constraining the amount of work (limiting the potential signatures considered) while validating, these issues are worked around.

-Otto
Re: ntpd: "DNS lookup tempfail" when running on an IPv6-only node
Willy Manga wrote:
> Is it possible the default ntpd.conf file use something like
>
> "servers openbsd.pool.ntp.org" and of course have openbsd.pool.ntp.org
> looking for IPv6 nodes?

Not going to happen.
ntpd: "DNS lookup tempfail" when running on an IPv6-only node
Hello.

I'm running ntp-4.2.8pl10p6 on OpenBSD 7.4. I saw messages like this one:

    ntpd[26862]: DNS lookup tempfail

This node is running IPv6-only. Since I do not have IPv4, I initially only commented out the constraint with IPv4. But it was not enough. Then I realised that pool.ntp.org doesn't include an IPv6 address record. I ended up commenting out the servers line and adding several servers close enough.

I posted my question on GitHub [1] and someone advised me to rely on "2.openbsd.pool.ntp.org".

Is it possible the default ntpd.conf file use something like "servers openbsd.pool.ntp.org" and of course have openbsd.pool.ntp.org looking for IPv6 nodes?

Thanks.

1. https://github.com/abh/ntppool/issues/231

-- 
Willy Manga
Re: KeyTrap DNS vulnerability
On 2/14/24 04:55, b...@fea.st wrote:
> "A single packet can exhaust the processing capacity of a vulnerable DNS
> server, effectively disabling the machine, by exploiting a 20-plus-year-old
> design flaw in the DNSSEC specification."
>
> https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/

Thank you for sharing this; it's good to talk about this, as it affects any cryptographic keying system. I was aware of this for a few years without giving it more thought, because sending random garble instead of DNSSEC keys was mentioned on chat channels such as #dns before.

In my opinion, the defenses are not to turn off DNSSEC, but rather to do some sanitizing of the cryptographic data with a lesser-cost algorithm, such as length checks, or heuristic collection identifying an algorithm before using the main decryption algorithm on it *. To be honest I looked at the patches but wasn't any wiser whether this was really done.

Another approach is to flag abusers of DNSSEC keys and block them for some time penalty, and if repeated abuse happens then to block the entire site.

* I'm not a cryptographer or mathematician, nor do I program DNS on the recursive end. I program on the authoritative server end, where you can't do anything about something like a MITM anyhow. Donald Knuth and other books using algorithmic approaches may be good reading for this.

Best Regards,
-peter
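To make Otto's point (bound the work a validator will do) and Peter's suggestion (cheap checks before the costly operation) concrete, here is an added toy model; it is not code from either post nor from any real resolver. The "signature" is an HMAC stand-in for the public-key verification a real validator pays for, and the algorithm number 99, the key tag, the zone data and the budget of 8 attempts are all constructed for the example.

```python
"""KeyTrap-style work bound for a DNSSEC validator (toy model, added example).

Stand-in cryptography: the "signature" is HMAC-SHA256 over the RRset data, so
each verify step is cheap here; a real validator spends an RSA or ECDSA
verification per attempt, which is the cost a KeyTrap response multiplies.
"""
import hashlib
import hmac
from dataclasses import dataclass

ALG_HMAC256 = 99                 # constructed algorithm number (private-use range)
SIG_LEN = {ALG_HMAC256: 32}      # expected signature length per algorithm


@dataclass(frozen=True)
class DNSKEY:
    key_tag: int
    algorithm: int
    public_key: bytes            # the HMAC secret in this model


@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    algorithm: int
    signature: bytes


@dataclass(frozen=True)
class Result:
    status: str                  # "secure" or "bogus"
    attempts: int                # costly verifications actually performed
    skipped: int = 0             # RRSIGs rejected by cheap checks, no crypto spent


def expensive_verify(key, sig, data):
    """Stand-in for the public-key signature check."""
    mac = hmac.new(key.public_key, data, hashlib.sha256).digest()
    return hmac.compare_digest(mac, sig.signature)


def naive_validate(data, rrsigs, dnskeys):
    """RFC-style: try every RRSIG against every DNSKEY sharing its tag and
    algorithm until one verifies. Work grows as (#RRSIG x #DNSKEY)."""
    attempts = 0
    for sig in rrsigs:
        for key in dnskeys:
            if (key.key_tag, key.algorithm) != (sig.key_tag, sig.algorithm):
                continue
            attempts += 1
            if expensive_verify(key, sig, data):
                return Result("secure", attempts)
    return Result("bogus", attempts)


def bounded_validate(data, rrsigs, dnskeys, budget=8):
    """Same logic with two defences: a cheap length check before any crypto,
    and a hard cap on verification attempts per RRset (the budget of 8 is
    illustrative). Exceeding the cap is treated as a validation failure."""
    attempts = skipped = 0
    for sig in rrsigs:
        if len(sig.signature) != SIG_LEN.get(sig.algorithm, -1):
            skipped += 1                     # malformed or unknown: discard cheaply
            continue
        for key in dnskeys:
            if (key.key_tag, key.algorithm) != (sig.key_tag, sig.algorithm):
                continue
            if attempts >= budget:
                return Result("bogus", attempts, skipped)
            attempts += 1
            if expensive_verify(key, sig, data):
                return Result("secure", attempts, skipped)
    return Result("bogus", attempts, skipped)


def keytrap_response(n_junk_keys, n_junk_sigs, tag=12345):
    """Constructed response: one valid key and signature, padded with junk keys
    that share the key tag and junk signatures of the right length, so the
    naive validator must try every pairing before it reaches the real one."""
    data = b"www.example. IN A 192.0.2.1"
    real = DNSKEY(tag, ALG_HMAC256, b"constructed-zone-secret")
    good = RRSIG(tag, ALG_HMAC256,
                 hmac.new(real.public_key, data, hashlib.sha256).digest())
    keys = [DNSKEY(tag, ALG_HMAC256, b"junk-key-%d" % i)
            for i in range(n_junk_keys)] + [real]
    sigs = [RRSIG(tag, ALG_HMAC256, hashlib.sha256(b"junk-sig-%d" % i).digest())
            for i in range(n_junk_sigs)] + [good]
    return data, sigs, keys


if __name__ == "__main__":
    data, sigs, keys = keytrap_response(10, 10)
    print("naive:  ", naive_validate(data, sigs, keys))     # secure after 121 attempts
    print("bounded:", bounded_validate(data, sigs, keys))   # bogus, stops after 8
```

The bounded validator marks the padded response bogus rather than spending 121 verifications on it, while an ordinary one-key, one-signature response still validates in a single attempt.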
KeyTrap DNS vulnerability
"A single packet can exhaust the processing capacity of a vulnerable DNS server, effectively disabling the machine, by exploiting a 20-plus-year-old design flaw in the DNSSEC specification."

https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/
Re: CARP and VRRP compliance
On 13.02.2024 19:07, Samuel Jayden wrote:
> Also I've another question: Is it feasible to achieve CARP and VRRP
> interoperability through a user-space application?

One step back: you're looking at using one Cisco router and one OpenBSD box as a redundant pair? I've no idea, and in over 20 years I did not consider doing this.

If you think about an OpenBSD pair (failover/load between themselves) and "on the other side" a Cisco pair using VRRP (acting between themselves), I can tell that this works w/o having a stamped letter with some crayon on it.

-- 
pb
Re: Single partition fs layout
On Tue, Feb 13, 2024, at 6:37 AM, Odhiambo Washington wrote:
> Is there a disadvantage to having this layout style where everything is on
> 1 partition?

Beyond the plethora of responses you've already received, the Installation section of the FAQ covers this thoroughly: https://www.openbsd.org/faq/faq4.html#Partitioning

Brian Conway
Owner
RCE Software, LLC
Re: CARP and VRRP compliance
Hello Marcus,

Thank you for your response.

From the information provided in the link, it appears that the CARP and VRRP protocols aren't inherently interoperable. While Cisco may have attempted to address this by introducing a command like "disable-loop-detection carp" in its Nexus 1000V virtual router product, this solution unfortunately doesn't extend to standard router hardware, rendering it ineffective in many scenarios.

Also I've another question: Is it feasible to achieve CARP and VRRP interoperability through a user-space application? I am curious if there are any existing solutions or approaches that leverage user-space applications to bridge the interoperability gap between CARP and VRRP. If anyone has insights or experiences in this area, I would greatly appreciate hearing about them.

Thank you for considering my inquiries.

Best regards
Sam

On Tue, Feb 13, 2024 at 8:26 PM Marcus MERIGHI wrote:
> Hello Samuel,
>
> samueljaydan1...@gmail.com (Samuel Jayden), 2024.02.13 (Tue) 17:35 (CET):
> > I am reaching out to seek guidance on creating redundancy between a Cisco
> > Router and OpenBSD. After conducting extensive research on the subject, I
> > find myself in need of clarification on a specific point.
>
> This has some background info for you:
>
> https://mwl.io/archives/1866
>
> Marcus
Re: CARP and VRRP compliance
Hello Samuel,

samueljaydan1...@gmail.com (Samuel Jayden), 2024.02.13 (Tue) 17:35 (CET):
> I am reaching out to seek guidance on creating redundancy between a Cisco
> Router and OpenBSD. After conducting extensive research on the subject, I
> find myself in need of clarification on a specific point.

This has some background info for you:

https://mwl.io/archives/1866

Marcus
Re: Screenshotting using PrtScr in cwm?
Here's someone who apparently had the same or a similar problem on Arch Linux, and managed to solve it: https://unix.stackexchange.com/questions/669853/printscreen-key-not-registering-in-arch-linux

Just changing the SysRq keycode doesn't work for me though.
Re: Single partition fs layout
On Tue, Feb 13, 2024 at 6:00 PM Frank Habicht wrote:
> On 13/02/2024 16:52, Odhiambo Washington wrote:
> > Thanks a million for such a nice explanation.
> > Let me now ask Google about those flags.
>                      ^^
> you misspelled "the man pages"
>
> Frank

Heheee... it's just today I have opted to be reading the man pages via a browser :)

-- 
Best regards,
Odhiambo WASHINGTON, Nairobi, KE
+254 7 3200 0004/+254 7 2274 3223
In an Internet failure case, the #1 suspect is a constant: DNS.
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
[How to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html]
CARP and VRRP compliance
Hello OpenBSD,

I am reaching out to seek guidance on creating redundancy between a Cisco Router and OpenBSD. After conducting extensive research on the subject, I find myself in need of clarification on a specific point.

My intention is to employ the CARP protocol in OpenBSD and VRRP on the Cisco Router. However, I am uncertain about the compatibility between OpenBSD's CARP and Cisco's VRRP protocols.

If any of you have practical experience or insights into using these two protocols simultaneously within the same broadcast domain, I would greatly appreciate hearing about your experiences.

Thank you in advance for your time and assistance.

Best regards
Sam
Re: DDB Crash Report About if_ether.c and arpinit() Gelen Kutusu
Hello again,

The patch you suggested definitely worked; OpenBSD no longer crashes. Thank you very much.

On Wed, Jan 31, 2024 at 2:40 PM Samuel Jayden wrote:
> Hello Valdrin,
>
> Thanks, I'll check it out and write here soon.
>
> On Wed, Jan 31, 2024 at 12:40 PM Valdrin MUJA wrote:
> > Hello Samuel,
> >
> > I think you should give a chance to this commit:
> >
> > https://github.com/openbsd/src/commit/73fb5aae645f3bc12746fd705a937dfc9f9abc01
> >
> > I hope it works for you.
> >
> > --
> > Valdrin
> > --
> > From: owner-m...@openbsd.org on behalf of Samuel Jayden
> > Sent: Wednesday, January 31, 2024 10:29
> > To: misc@openbsd.org
> > Subject: Re: DDB Crash Report About if_ether.c and arpinit() Gelen Kutusu
> >
> > Hello again,
> >
> > My device continues to crash almost every single day. Unfortunately, due to
> > the system freeze, I'm unable to generate a crash report. These crashes
> > typically result in the following errors:
> >
> >     kernel: protection fault trap, code=0
> >     Stopped at arptimer+0x45: movq 0x10(%r15),%rdi
> >     ddb{0}>
> >
> > Is there a solution to this issue? What steps should I take?
> > Thanks.
> >
> > On Sat, Jan 27, 2024 at 10:51 AM Samuel Jayden <samueljaydan1...@gmail.com> wrote:
> > > Hello Misc,
> > >
> > > My OpenBSD 7.4 crashes with these error messages:
> > >
> > >     panic: kernel diagnostic assertion "ifp != NULL" failed: file "/usr/src/sys/net/inet/if_ether.c", line 758
> > >     Stopped at db_enter+0x14: popq %rbp
> > >         TID    PID    UID  PRFLAGS  PFLAGS  CPU  COMMAND
> > >      399412  73118    77    0x112       0   10  dhcpleased
> > >      360364  39155   115    0x112       0   11  slaacd
> > >      155433  90182     0  0x14000   0x200    2  softnet0
> > >      162438  45442     0  0x14000   0x200    4  systq
> > >     * 37835  96688     0  0x14000  0x4200    0  softclock
> > >     db_enter() at db_enter+0x14
> > >     panic(820a8599) at panic+0xc3
> > >     __assert(821232bc,8209baea,2f6,820712c0) at __assert+0x29
> > >     arpinit() at arpinit
> > >     arptimer(825a38e8) at arptimer+0x5f
> > >     softclock_thread(800021c1fd48) at softclock_thread+0x12b
> > >     end trace frame: 0x0, count: 9
> > >     https://www.openbsd.org/ddb.html describes the minimum info required in
> > >     bug reports. Insufficient info makes it difficult to find and fix bugs.
> > >     ddb{0}>
> > >
> > > Dmesg output of my device is in the attachment.
> > >
> > > Thank you in advance for your interest.
Re: Improve support of Go
Stuart Henderson wrote:
> On 2024/02/13 07:36, Theo de Raadt wrote:
> > Stuart Henderson wrote:
> > > On 2024-02-13, Kirill A Korinsky wrote:
> > > > Good day,
> > > >
> > > > I'm updating go's syscall table to modern OpenBSD (7.4).
> > >
> > > Save your time. Post-7.4 you cannot call syscall() any more.
> >
> > The result seems to have nothing to do with syscalls.
> >
> > It is the same as the build process for kdump: it is finding cpp definitions,
> > most of which are argument flags, but also a few structs in /usr/include, and
> > making them available at some level inside the go ecosystem. So if in go you
> > call a system call via the regular stub API, you may need those flags. You may
> > also need them for some other higher-level function call? go doesn't pull
> > from /usr/include otherwise, does it?
>
> Oh, yes those are still needed then, I'd forgotten they were part of the
> same thing from last time I tried to get them updated ...

There probably needs to be a formal process to update at least once a year, or just before a release, and also upstream.
Re: Improve support of Go
On 2024/02/13 07:36, Theo de Raadt wrote:
> Stuart Henderson wrote:
> > On 2024-02-13, Kirill A Korinsky wrote:
> > > Good day,
> > >
> > > I'm updating go's syscall table to modern OpenBSD (7.4).
> >
> > Save your time. Post-7.4 you cannot call syscall() any more.
>
> The result seems to have nothing to do with syscalls.
>
> It is the same as the build process for kdump: it is finding cpp definitions,
> most of which are argument flags, but also a few structs in /usr/include, and
> making them available at some level inside the go ecosystem. So if in go you
> call a system call via the regular stub API, you may need those flags. You may
> also need them for some other higher-level function call? go doesn't pull
> from /usr/include otherwise, does it?

Oh, yes those are still needed then, I'd forgotten they were part of the same thing from last time I tried to get them updated ...
Re: Single partition fs layout
On 13/02/2024 16:52, Odhiambo Washington wrote:
> Thanks a million for such a nice explanation.
> Let me now ask Google about those flags.
                     ^^
you misspelled "the man pages"

Frank
Re: Single partition fs layout
On Tue, Feb 13, 2024 at 5:21 PM Andreas Kähäri wrote:
> On Tue, Feb 13, 2024 at 04:52:08PM +0300, Odhiambo Washington wrote:
> > On Tue, Feb 13, 2024 at 4:12 PM Janne Johansson wrote:
> > > On Tue 13 Feb 2024 at 13:40, Odhiambo Washington <odhia...@gmail.com> wrote:
> > > >
> > > > Is there a disadvantage to having this layout style where everything
> > > > is on 1 partition?
> > >
> > > A few. The partitioning scheme allows certain parts of the filesystem
> > > to have different permissions,
> > >
> > > /dev/sd1a on / type ffs (local)
> > > /dev/sd1e on /home type ffs (local, nodev, nosuid)
> > > /dev/sd1d on /usr type ffs (local, nodev)
> > > /dev/sd0a on /usr/local type ffs (local, nodev, wxallowed)
> > >
> > > but also if something decides to log like crazy and fills up /var and
> > > you have /var (or /var/log) as a separate partition, the rest of the
> > > system is not affected by it going full and it might be lots easier to
> > > recover from it when the rest of the paths work as expected.
> > >
> > > It's a tradeoff between having to know in advance where data will go
> > > or not, versus being able to prevent some nasty issues that could
> > > occur if you let someone else run code on your machine.
> > >
> > > For a throwaway VM that you can reproduce, it would not matter so
> > > much. For a box you really care about and is meant to run for years,
> > > it matters more.
> > >
> > > -- 
> > > May the most significant bit of your life be positive.
> >
> > Hello Janne,
> >
> > Thanks a million for such a nice explanation.
> > Let me now ask Google about those flags.
>
> It would be better to read the mount(8) manual page, as it explains
> what the mount options mean in the context of OpenBSD.
>
> See "man mount" or, if you have to use a web browser, the online manual
> at http://man.openbsd.org/mount.8
>
> -- 
> Andreas (Kusalananda) Kähäri
> Uppsala, Sweden

Thank you. Greetings from Kenya.

-- 
Best regards,
Odhiambo WASHINGTON, Nairobi, KE
Re: Improve support of Go
Stuart Henderson wrote:
> On 2024-02-13, Kirill A Korinsky wrote:
> > Good day,
> >
> > I'm updating go's syscall table to modern OpenBSD (7.4).
>
> Save your time. Post-7.4 you cannot call syscall() any more.

The result seems to have nothing to do with syscalls.

It is the same as the build process for kdump: it is finding cpp definitions, most of which are argument flags, but also a few structs in /usr/include, and making them available at some level inside the go ecosystem. So if in go you call a system call via the regular stub API, you may need those flags. You may also need them for some other higher-level function call? go doesn't pull from /usr/include otherwise, does it?
Re: Improve support of Go
On 2024-02-13, Kirill A Korinsky wrote:
> Good day,
>
> I'm updating go's syscall table to modern OpenBSD (7.4).

Save your time. Post-7.4 you cannot call syscall() any more.

-- 
Please keep replies on the mailing list.
Re: Single partition fs layout
On Tue, Feb 13, 2024 at 04:52:08PM +0300, Odhiambo Washington wrote:
> On Tue, Feb 13, 2024 at 4:12 PM Janne Johansson wrote:
> > On Tue 13 Feb 2024 at 13:40, Odhiambo Washington <odhia...@gmail.com> wrote:
> > >
> > > Is there a disadvantage to having this layout style where everything is
> > > on 1 partition?
> >
> > A few. The partitioning scheme allows certain parts of the filesystem
> > to have different permissions,
> >
> > /dev/sd1a on / type ffs (local)
> > /dev/sd1e on /home type ffs (local, nodev, nosuid)
> > /dev/sd1d on /usr type ffs (local, nodev)
> > /dev/sd0a on /usr/local type ffs (local, nodev, wxallowed)
> >
> > but also if something decides to log like crazy and fills up /var and
> > you have /var (or /var/log) as a separate partition, the rest of the
> > system is not affected by it going full and it might be lots easier to
> > recover from it when the rest of the paths work as expected.
> >
> > It's a tradeoff between having to know in advance where data will go
> > or not, versus being able to prevent some nasty issues that could
> > occur if you let someone else run code on your machine.
> >
> > For a throwaway VM that you can reproduce, it would not matter so
> > much. For a box you really care about and is meant to run for years,
> > it matters more.
> >
> > -- 
> > May the most significant bit of your life be positive.
>
> Hello Janne,
>
> Thanks a million for such a nice explanation.
> Let me now ask Google about those flags.

It would be better to read the mount(8) manual page, as it explains what the mount options mean in the context of OpenBSD.

See "man mount" or, if you have to use a web browser, the online manual at http://man.openbsd.org/mount.8

-- 
Andreas (Kusalananda) Kähäri
Uppsala, Sweden
Re: Single partition fs layout
On Tue, Feb 13, 2024 at 4:12 PM Janne Johansson wrote:
> On Tue 13 Feb 2024 at 13:40, Odhiambo Washington <odhia...@gmail.com> wrote:
> >
> > Is there a disadvantage to having this layout style where everything is
> > on 1 partition?
>
> A few. The partitioning scheme allows certain parts of the filesystem
> to have different permissions,
>
> /dev/sd1a on / type ffs (local)
> /dev/sd1e on /home type ffs (local, nodev, nosuid)
> /dev/sd1d on /usr type ffs (local, nodev)
> /dev/sd0a on /usr/local type ffs (local, nodev, wxallowed)
>
> but also if something decides to log like crazy and fills up /var and
> you have /var (or /var/log) as a separate partition, the rest of the
> system is not affected by it going full and it might be lots easier to
> recover from it when the rest of the paths work as expected.
>
> It's a tradeoff between having to know in advance where data will go
> or not, versus being able to prevent some nasty issues that could
> occur if you let someone else run code on your machine.
>
> For a throwaway VM that you can reproduce, it would not matter so
> much. For a box you really care about and is meant to run for years,
> it matters more.
>
> -- 
> May the most significant bit of your life be positive.

Hello Janne,

Thanks a million for such a nice explanation.
Let me now ask Google about those flags.

-- 
Best regards,
Odhiambo WASHINGTON, Nairobi, KE
Re: Single partition fs layout
A very nice explanation, Janne, thank you!

On Tue, 13 Feb 2024 14:12:10 +0100 Janne Johansson wrote:
> A few. The partitioning scheme allows certain parts of the filesystem
> to have different permissions,
>
> /dev/sd1a on / type ffs (local)
> /dev/sd1e on /home type ffs (local, nodev, nosuid)
> /dev/sd1d on /usr type ffs (local, nodev)
> /dev/sd0a on /usr/local type ffs (local, nodev, wxallowed)
>
> but also if something decides to log like crazy and fills up /var and
> you have /var (or /var/log) as a separate partition, the rest of the
> system is not affected by it going full and it might be lots easier to
> recover from it when the rest of the paths work as expected.
>
> It's a tradeoff between having to know in advance where data will go
> or not, versus being able to prevent some nasty issues that could
> occur if you let someone else run code on your machine.
>
> For a throwaway VM that you can reproduce, it would not matter so
> much. For a box you really care about and is meant to run for years,
> it matters more.
Re: Single partition fs layout
On Tue 13 Feb 2024 at 13:40, Odhiambo Washington wrote:
>
> Is there a disadvantage to having this layout style where everything is on
> 1 partition?

A few. The partitioning scheme allows certain parts of the filesystem to have different permissions,

    /dev/sd1a on / type ffs (local)
    /dev/sd1e on /home type ffs (local, nodev, nosuid)
    /dev/sd1d on /usr type ffs (local, nodev)
    /dev/sd0a on /usr/local type ffs (local, nodev, wxallowed)

but also if something decides to log like crazy and fills up /var and you have /var (or /var/log) as a separate partition, the rest of the system is not affected by it going full and it might be lots easier to recover from it when the rest of the paths work as expected.

It's a tradeoff between having to know in advance where data will go or not, versus being able to prevent some nasty issues that could occur if you let someone else run code on your machine.

For a throwaway VM that you can reproduce, it would not matter so much. For a box you really care about and is meant to run for years, it matters more.

-- 
May the most significant bit of your life be positive.
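As an added illustration of the split-layout reasoning above (not Janne's code nor anything shipped with OpenBSD), this parses mount(8)-style lines and reports where a layout falls short of it. The policy table is drawn from the four lines in the post; the /var line in the split layout and the mount line for the single-partition box from the opening post are constructed for the example.

```python
"""Audit mount(8) output against the split-layout reasoning in the thread (added example)."""
import re
from dataclasses import dataclass

# Shape of a mount(8) line, as quoted in the thread:
#   /dev/sd1e on /home type ffs (local, nodev, nosuid)
MOUNT_RE = re.compile(
    r"^(?P<dev>\S+) on (?P<path>\S+) type (?P<fs>\S+) \((?P<opts>[^)]*)\)$")


@dataclass(frozen=True)
class Mount:
    device: str
    path: str
    fstype: str
    options: frozenset


def parse_mounts(text):
    mounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MOUNT_RE.match(line)
        if m is None:
            raise ValueError("unrecognised mount line: %r" % line)
        opts = frozenset(o.strip() for o in m.group("opts").split(","))
        mounts.append(Mount(m.group("dev"), m.group("path"), m.group("fs"), opts))
    return mounts


# Policy derived from Janne's example layout (illustrative, not an OpenBSD default).
WANT_OPTIONS = {"/home": {"nodev", "nosuid"}, "/usr": {"nodev"}}
WXALLOWED_OK = {"/usr/local"}            # the one place the post mounts wxallowed
SEPARATE_ONE_OF = ("/var", "/var/log")   # at least one must be its own filesystem


def mount_for(mounts, path):
    """Longest-prefix match: the filesystem that actually holds `path`.
    On a single-partition box every path resolves to /."""
    best = None
    for m in mounts:
        prefix = m.path.rstrip("/") + "/"
        if path == m.path or path.startswith(prefix):
            if best is None or len(m.path) > len(best.path):
                best = m
    return best


def audit(mounts):
    """Return a list of findings; an empty list means the layout meets the policy."""
    findings = []
    paths = {m.path for m in mounts}
    for path, wanted in WANT_OPTIONS.items():
        holder = mount_for(mounts, path)
        if holder is None:
            findings.append("%s: no filesystem found" % path)
            continue
        missing = wanted - holder.options
        if missing:
            findings.append("%s lives on %s (%s) without %s" % (
                path, holder.path, holder.device, ",".join(sorted(missing))))
    for m in mounts:
        if "wxallowed" in m.options and m.path not in WXALLOWED_OK:
            findings.append("%s is mounted wxallowed" % m.path)
    if not any(p in paths for p in SEPARATE_ONE_OF):
        findings.append("/var is not its own filesystem: a log flood fills /")
    return findings


# Janne's four lines plus a constructed /var line (the post says /var should be separate).
SPLIT_LAYOUT = """
/dev/sd1a on / type ffs (local)
/dev/sd1e on /home type ffs (local, nodev, nosuid)
/dev/sd1d on /usr type ffs (local, nodev)
/dev/sd0a on /usr/local type ffs (local, nodev, wxallowed)
/dev/sd1f on /var type ffs (local, nodev, nosuid)
"""
# Constructed mount line for the single-partition layout from the opening post.
SINGLE_LAYOUT = "/dev/sd0a on / type ffs (local)\n"

if __name__ == "__main__":
    for name, text in (("split", SPLIT_LAYOUT), ("single", SINGLE_LAYOUT)):
        print(name, audit(parse_mounts(text)) or ["ok"])
```

On a live system the input would be the output of `mount` itself; the single-partition layout yields three findings, the split one none.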
Re: Improve support of Go
On Tue, 13 Feb 2024 13:10:44 +0100, Janne Johansson wrote:
>
> I can run them on mips64 for you at least.

I'll appreciate this. After that I only need
- arm
- arm64
- ppc64
- riscv64

Can you run something like this?

    doas pkg_add bash git go
    git clone -b opebsd-syscalls https://github.com/catap/go.git
    cd go/src
    ulimit -S -d $(ulimit -H -d)
    env CGO_ENABLED=1 CC=cc CXX=c++ ./make.bash
    cd syscall
    env GOOS=openbsd GOARCH=%ARCH% CC=cc CXX=c++ PATH=$(pwd)/../../bin:$PATH ./mkall.sh
    git diff > /tmp/go-mips64.diff

and send me back /tmp/go-mips64.diff?

But it requires some time to bootstrap go and everything. Inside full virtualization for i386 it runs for nearly an hour on a not-that-fast host. I assume that on real mips64 it might be something like this.

-- 
wbr, Kirill
Single partition fs layout
Is there a disadvantage to having this layout style where everything is on 1 partition?

```
openbsd$ uname -a
OpenBSD openbsd.vmbridge.local 7.4 GENERIC.MP#1397 amd64
openbsd$ df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a     43.3G    1.7G   39.5G     5%    /
openbsd$ ls -al /
total 158208
drwxr-xr-x  13 root  wheel       512 Feb 13 14:54 .
drwxr-xr-x  13 root  wheel       512 Feb 13 14:54 ..
-rw-r--r--   1 root  wheel       578 Oct 10 17:41 .cshrc
-rw-r--r--   1 root  wheel       468 Oct 10 17:41 .profile
drwxr-xr-x   2 root  wheel       512 Oct 10 17:41 altroot
drwxr-xr-x   2 root  wheel      1024 Oct 10 17:41 bin
-rwx------   1 root  wheel  25441732 Feb 13 14:54 bsd
-rwx------   1 root  wheel  25417620 Feb 13 14:36 bsd.booted
-rw-------   1 root  wheel   4659966 Feb 13 14:35 bsd.rd
-rw-------   1 root  wheel  25344566 Feb 13 14:35 bsd.sp
drwxr-xr-x   6 root  wheel     19456 Feb 13 14:39 dev
drwxr-xr-x  24 root  wheel      1536 Feb 13 14:53 etc
drwxr-xr-x   3 root  wheel       512 Feb 13 14:36 home
drwxr-xr-x   2 root  wheel       512 Oct 10 17:41 mnt
drwx------   3 root  wheel       512 Feb 13 14:36 root
drwxr-xr-x   2 root  wheel      1536 Oct 10 17:41 sbin
lrwxrwx---   1 root  wheel        11 Oct 10 17:41 sys -> usr/src/sys
drwxrwxrwt   6 root  wheel       512 Feb 13 14:54 tmp
drwxr-xr-x  16 root  wheel       512 Feb 13 14:36 usr
drwxr-xr-x  24 root  wheel       512 Oct  8 18:42 var
```

-- 
Best regards,
Odhiambo WASHINGTON, Nairobi, KE
Re: Improve support of Go
> Good day,
>
> I'm updating go's syscall table to modern OpenBSD (7.4).
> For some architectures it was updated more than a decade ago, and a lot of
> things had changed.
> To do it I need to run commands like:
>
>     cd src
>     ulimit -S -d $(ulimit -H -d)
>     env CGO_ENABLED=1 CC=cc CXX=c++ ./make.bash
>     cd syscall
>     env GOOS=openbsd GOARCH=%ARCH% CC=cc CXX=c++ PATH=$(pwd)/../../bin:$PATH ./mkall.sh
>
> where %ARCH% is one of go's architectures:
> - 386
> - amd64
> - arm
> - arm64
> - mips64
> - ppc64
> - riscv64
>
> The part with amd64 and 386 was quite easy. But the next parts... well..
>
> I'm stuck with an attempt to install OpenBSD into qemu. I can't figure out
> how to boot an installer :(
>
> To move forward I need some help.
>
> The first way: if someone can share the way to boot / install OpenBSD into
> qemu.
>
> And an alternative and simpler way I guess, if someone can grant me shell to
> that machine or run the commands above on OpenBSD with installed go inside
> the source tree from this branch: https://github.com/catap/go/tree/opebsd-syscalls

I can run them on mips64 for you at least.

-- 
May the most significant bit of your life be positive.
Improve support of Go
Good day,

I'm updating go's syscall table to modern OpenBSD (7.4). For some architectures it was updated more than a decade ago, and a lot of things had changed. To do it I need to run commands like:

    cd src
    ulimit -S -d $(ulimit -H -d)
    env CGO_ENABLED=1 CC=cc CXX=c++ ./make.bash
    cd syscall
    env GOOS=openbsd GOARCH=%ARCH% CC=cc CXX=c++ PATH=$(pwd)/../../bin:$PATH ./mkall.sh

where %ARCH% is one of go's architectures:
- 386
- amd64
- arm
- arm64
- mips64
- ppc64
- riscv64

The part with amd64 and 386 was quite easy. But the next parts... well..

I'm stuck with an attempt to install OpenBSD into qemu. I can't figure out how to boot an installer :(

To move forward I need some help.

The first way: if someone can share the way to boot / install OpenBSD into qemu.

And an alternative and simpler way I guess, if someone can grant me shell to that machine or run the commands above on OpenBSD with installed go inside the source tree from this branch: https://github.com/catap/go/tree/opebsd-syscalls

Thanks.

-- 
wbr, Kirill
Re: Log files, OpenBSD and Zero click exploits
On 2024-02-13, Peter N. M. Hansteen wrote:
> On Tue, Feb 13, 2024 at 08:29:59AM +, jonathon575 wrote:
> > Kindly find below log entries generated from tcpdump of the pflog. This is a
> > fresh install & updated OpenBSD 7.4, with bare-minimum installation
> > configured for a firewall. There are no x* programs installed.
> >
> > Feb 11 18:09:41.682345 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0xdd6a56bc
> > Feb 11 18:09:46.754493 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x963acc89
> > Feb 11 18:09:51.778525 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x93d9508d
> > Feb 11 18:09:56.835383 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x112cf65b
> > Feb 11 18:29:33.657009 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x639ed21a
> > Feb 11 18:29:33.657454 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0xb2fcd9b8
> > Feb 11 18:29:33.658140 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x8ae84cca
> > Feb 11 18:29:33.658808 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0xcbb881b7
> > Feb 11 18:29:33.659165 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x612a28f8
> > Feb 11 18:29:33.659416 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x49f595ec
> >
> > wan-ip is my wan static ip address.
> >
> > What does [wg] mean? What does "initiation from 0xdd6a56bc" etc. mean?
>
> These log entries mean that your system blocked attempts from 69.166.225.73
> to access whatever wan-ip is.
>
> Your system recognized the traffic as attempts to initiate a WireGuard (a
> sort of VPN, see https://man.openbsd.org/wg and links therein). The attempts
> were blocked.

Sending wireguard packets at you doesn't seem very likely to be malicious; more likely wan-ip was previously used by someone for their wireguard connections and it was reassigned to you.

> Some of the things you mention may require specialized tools, but please
> invest some time in learning to properly interpret the output of the basic
> tools first.

accton(8) and the manpages referenced in accton's "SEE ALSO" might be one place to start reading to log what's been run on a system. aide (in packages) might be useful for detecting changed files.

-- 
Please keep replies on the mailing list.
Re: relayd fallback when using tag/tagged
On 13/02/2024 at 10:07, Manuel Giraud wrote:
> Joel Carnat writes:
> > Hello,
> >
> > I'm trying to configure relayd(8) to use tags, to allow legit host
> > names only and modify HTTP headers, and fallback. But I can't have it
> > working properly.
> >
> > Using such a configuration:
> > #-8<---
> > table { 192.0.2.4 }
> > table { 192.0.2.7 }
> > http protocol www {
> >     block
> >     match request header "Host" value "www.example" tag "example"
> >     pass request tagged "example" forward to
> > }
>
> I've not tested it but maybe you're missing this last rule in the previous
> block:
>
>     pass request forward to

That doesn't work either. If I add it, with or without a tagged directive, it becomes the only effective rule (last matching rule?) and it never reaches the primary server.
Re: relayd fallback when using tag/tagged
Joel Carnat writes:
> Hello,
>
> I'm trying to configure relayd(8) to use tags, to allow legit host
> names only and modify HTTP headers, and fallback. But I can't have it
> working properly.
>
> Using such a configuration:
> #-8<---
> table { 192.0.2.4 }
> table { 192.0.2.7 }
> http protocol www {
>     block
>     match request header "Host" value "www.example" tag "example"
>     pass request tagged "example" forward to
> }

I've not tested it but maybe you're missing this last rule in the previous block:

    pass request forward to

-- 
Manuel Giraud
Re: Log files, OpenBSD and Zero click exploits
On Tue, Feb 13, 2024 at 08:29:59AM +, jonathon575 wrote:
> Kindly find below log entries generated from tcpdump of the pflog. This is a
> fresh install & updated OpenBSD 7.4, with bare-minimum installation
> configured for a firewall. There are no x* programs installed.
>
> Feb 11 18:09:41.682345 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0xdd6a56bc
> Feb 11 18:09:46.754493 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x963acc89
> Feb 11 18:09:51.778525 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x93d9508d
> Feb 11 18:09:56.835383 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x112cf65b
> Feb 11 18:29:33.657009 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x639ed21a
> Feb 11 18:29:33.657454 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0xb2fcd9b8
> Feb 11 18:29:33.658140 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x8ae84cca
> Feb 11 18:29:33.658808 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0xcbb881b7
> Feb 11 18:29:33.659165 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x612a28f8
> Feb 11 18:29:33.659416 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x49f595ec
>
> wan-ip is my wan static ip address.
>
> What does [wg] mean? What does "initiation from 0xdd6a56bc" etc. mean?

These log entries mean that your system blocked attempts from 69.166.225.73 to access whatever wan-ip is.

Your system recognized the traffic as attempts to initiate a WireGuard (a sort of VPN, see https://man.openbsd.org/wg and links therein). The attempts were blocked.

The rest of your questions can be answered relatively easily by familiarizing yourself with the tools at hand, such as the tcpdump you have already encountered. Do read up on how syslog classifies messages and how to report which levels and so forth.

Some of the things you mention may require specialized tools, but please invest some time in learning to properly interpret the output of the basic tools first.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: relayd fallback when using tag/tagged
The proposed rules don't seem to change relayd(8)'s behaviour. It keeps
sending HTTP traffic to the primary server and fails when it is down. The
secondary / fallback server is never used.

Starting status:

relayd[26195]: host 192.0.2.7, check http code (14ms,http code ok), state unknown -> up, availability 100.00%
relayd[26195]: host 192.0.2.4, check http code (44ms,http code ok), state unknown -> up, availability 100.00%

Stopping the backend server:

relayd[21988]: host 192.0.2.4, check http code (3ms,http code malformed), state up -> down, availability 95.65%
relayd[54506]: host 192.0.2.4, check http code (1ms,tcp connect failed), state up -> down, availability 99.44%

HTTP request while primary host is down:

relayd[63036]: relay www4tls, session 6 (1 active), example, 1.2.3.4 -> :0, session failed, [ww.example/] [Host: www.example] [User-Agent: curl/7.81.0] GET

On 13/02/2024 at 04:29, l...@trungnguyen.me wrote:
> Hi
>
> On February 13, 2024 12:20:26 AM UTC, Joel Carnat wrote:
>> Hello,
>>
>> I'm trying to configure relayd(8) to use tags, to allow legit host
>> names only and modify HTTP headers, and fallback. But I can't have it
>> working properly.
>>
>> Using such a configuration:
>> #-8<---
>> table { 192.0.2.4 }
>> table { 192.0.2.7}
>> http protocol www {
>>         block
>>         match request header "Host" value "www.example" tag "example"
>>         pass request tagged "example" forward to
>
> Try:
>
>         match request header "Host" value "www.example" tag example
>         pass forward to tagged example
>
>> }
>> relay www {
>>         listen on 192.0.2.30 port 80 protocol www
>>         forward to port 80 check http "/" code 200
>>         forward to port 80
>> }
>> #-8<---
>> forwards all tagged HTTP traffic to the primary server. But if it is
>> turned off, relayd(8) only replies with error rather than sending the
>> traffic to the fallback server.
>
> What errors are you having?
>
>> Removing tags and using a simple "pass" directive in protocol (as
>> described in the man page) does work as expected regarding the fallback
>> server.
>>
>> Is there a way to use both tags and fallback with relayd(8) to mimic
>> Apache's Failover[1] configuration with "ProxyPass" and "BalancerMember
>> (...) status=+H" ?
>>
>> Thank you,
>> Joel C.
>>
>> [1] https://httpd.apache.org/docs/trunk/howto/reverse_proxy.html#failover
>>
>> https://man.openbsd.org/relayd.conf.5#tag
Log files, OpenBSD and Zero click exploits
Subject: Log files and Zero click exploits

Greetings,

Kindly find below log entries generated from tcpdump of the pflog. This is a
fresh install & updated openbsd 7.4, with bare-minimum installation
configured for a firewall. There are no x* programs installed.

Feb 11 18:09:41.682345 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0xdd6a56bc
Feb 11 18:09:46.754493 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x963acc89
Feb 11 18:09:51.778525 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x93d9508d
Feb 11 18:09:56.835383 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x112cf65b
Feb 11 18:29:33.657009 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x639ed21a
Feb 11 18:29:33.657454 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0xb2fcd9b8
Feb 11 18:29:33.658140 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x8ae84cca
Feb 11 18:29:33.658808 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0xcbb881b7
Feb 11 18:29:33.659165 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x612a28f8
Feb 11 18:29:33.659416 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x49f595ec

wan-ip is my wan static ip address.

What does [wg] mean? What does "initiation from 0xdd6a56bc"...etc. mean?
Does that mean there is a malicious file/app located at those memory
addresses in my system trying to initiate connection to this specific
69.166.225.73.51820 address/port? This IP address is malicious and there are
others as well we get every single time we connect to the internet. Those
malicious IP addresses could also be spoofed. Other log files are not
indicating anything.

We always get those attacks every time when connecting to the internet, and
it usually happens at the initial connections. How to configure the log files
to record all the activities happening on the system and especially to locate
malicious activities/files including zero-click exploits...etc?

I created a basic bin malware for testing purposes and copied it to the bsd
system using usb. The only activity that was logged under messages was the
usb attach/detach. However, the malicious file itself and its execution were
not recorded at all in any of the log files.

Also, for Intrusion Detection, I used mtree before and after the malware copy
to the system. mtree was able to detect the file and record it under extra:,
however, when I deleted the file and covered the track using
dd if=/dev/zero of=/bin_location bs=1024k count=12, mtree could not detect
it. That means as an IDS, mtree is defenseless against malicious files that
delete and cover their tracks.

When examining citizen lab's zero-click exploits reports, almost all the
malicious directories and files are stored under folders that would not be
immutable such as /usr/ library directories and files. As an example, under
openbsd, the folders /bin, /sbin, /usr/bin, /usr/sbin, and /etc, could be
schg immutable, however, if the other folders or files are configured to be
schg immutable, the openbsd system would break, and when restarted, it would
not load. Also, the zero-click exploits for the most part do not attempt to
change the files in the mentioned bin/sbin folders, rather, the exploit would
copy the malware to a location that is not immutable and use those files for
its malicious purposes.

The zero-click exploit attacks for smartphones may be slightly different than
a fixed standalone device system, as the smartphones such as iOS,
Android...etc are mobile, so the malware may have to be persistent, however,
for a standalone system such as a firewall, since it would be in a fixed
location with static wan IP address, and especially if the device was under
the telecom umbrella of a corrupted adversary, as long as they know what
platform you are using, the zero-click exploit could happen almost instantly
and does not have to be persistent as they would get in at every internet
connection, then delete, cover tracks, and reinstate the system to an
undetectable status at every internet disconnect.

How to activate the log files to be able to detect such activities, how to
protect openbsd from such exploits, what tools could be used in openbsd to
help detect such malicious intrusion, any kernel/firewall tweaks to protect
against such attacks? The rules "block all, pass out" are insufficient, and
you do not have to click on any link for the attack to take place.

Appreciate your kind support.

John

On Sunday, April 30th, 2023 at 5:23 AM, jonathon575 wrote:
> Thank you Stuart.
>
> --- Original Message ---
> On Saturday, April 29th, 2023 at
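As an added example (not part of this thread or of any poster's own tooling), the following Python parses the tcpdump-on-pflog lines quoted above into fields and summarises the blocked WireGuard handshake initiations per source, including how tightly they are clustered in time; the four sample lines are copied from the post's own log, and the function names are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: four of the pflog lines from the post, verbatim.
SAMPLE_LOG = """\
Feb 11 18:09:41.682345 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0xdd6a56bc
Feb 11 18:09:46.754493 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x963acc89
Feb 11 18:29:33.657009 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0x639ed21a
Feb 11 18:29:33.657454 rule 14/(match) block in on re0: 69.166.225.73.51820 > wan-ip.60360: [wg] initiation from 0xb2fcd9b8
"""

# "[wg]" is tcpdump's decode of a WireGuard packet; the hex value after "from"
# is the sender index carried in the handshake initiation message on the wire,
# not an address inside the firewall's memory.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{6}) "
    r"rule (?P<rule>\d+)/\((?P<reason>\w+)\) (?P<action>block|pass) (?P<dir>in|out) "
    r"on (?P<ifname>\S+): (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"\[wg\] (?P<msg>\w+)(?: from (?P<sender>0x[0-9a-f]+))?"
)

def parse_pflog_line(line):
    """Split one pflog line carrying a [wg] decode into fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # pflog timestamps carry no year; strptime fills in 1900, fine for time deltas.
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S.%f")
    for k in ("rule", "sport", "dport"):
        rec[k] = int(rec[k])
    return rec

def summarise_wg_initiations(lines):
    """Group blocked [wg] initiations by (src, dst, dport): count, first/last seen,
    and the largest number that fell inside any one-second window (burst size)."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_pflog_line(line)
        if rec and rec["action"] == "block" and rec["msg"] == "initiation":
            groups[(rec["src"], rec["dst"], rec["dport"])].append(rec["ts"])
    summary = {}
    for key, stamps in groups.items():
        stamps.sort()
        burst, j = 0, 0
        for i, t in enumerate(stamps):          # sliding one-second window
            while (t - stamps[j]).total_seconds() > 1.0:
                j += 1
            burst = max(burst, i - j + 1)
        summary[key] = {"count": len(stamps), "first": stamps[0],
                        "last": stamps[-1], "max_per_second": burst}
    return summary

if __name__ == "__main__":
    for key, info in summarise_wg_initiations(SAMPLE_LOG.splitlines()).items():
        print(key, info)
```

Run against the full /var/log/pflog output (tcpdump -n -e -ttt -r /var/log/pflog), the per-source burst size separates a peer retrying a handshake every few seconds from a tight flood, which is the distinction worth watching in the firewall log.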
Re: Installing shellinabox on OpenBSD
On 2024-02-12, Daniel Ouellet wrote:

> Anyway in 2024 still not have a decent native ssh client on Windows

Except it does, a port of openssh.