OpenBSD Errata: April 8, 2024 (xserver)

2024-04-03 Thread Mizsei Zoltán
The webpage https://www.openbsd.org/errata74.html
lists this like "016: SECURITY FIX: April 8, 2024" but according to my
calendar today is 04.04.

Also it lists 7.5 as affected, but it isn't even released yet, right?

What's going on here?

Regards,
--ext


Re: lcamtuf on the recent xz debacle

2024-04-03 Thread Aaron Mason
On Sat, Mar 30, 2024 at 9:32 PM Peter N. M. Hansteen  wrote:
>
> "This dependency existed not because of a deliberate design decision
> by the developers of OpenSSH, but because of a kludge added by some
> Linux distributions to integrate the tool with the operating
> system’s newfangled orchestration service, systemd."
>

As if I needed another reason to intensely dislike systemd...

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Bridging firewall with online update/upgrade

2024-04-03 Thread Markus Wernig

On 4/3/24 18:19, Karel Lucas wrote:

> I want to use ETH1 for the input from my
> ADSL modem, ETH2 and ETH3 for the output to my network. Furthermore, I
> would like to use ETH4 for the update/upgrade of the firewall. Remove
> the connection from ETH1, plug it into ETH4, and update/upgrade. Then
> the connection returns to ETH1. ETH4 therefore receives an IP address
> and ETH1,ETH2 and ETH3 not. But now the problem: as long as the network
> connection of the ADSL modem is in ETH4, my network, including the
> firewall, is no longer secured, and attackers can take advantage. I
> therefore wonder whether it is possible to let the data flow via ETH1
> and ETH4 first pass through PF before an update/upgrade is done via
> ETH4. This means that the bridging firewall will have two entrances, one
> without and one with an IP address. I would like to know if that is
> possible, or if there is another option.

I'm not entirely sure about how bridging works on OpenBSD and PF, but 
the answer, from a network point of view, would be "Don't make ETH4 part 
of the same bridge as ETH1-3, and apply a basic, restrictive ruleset to 
ETH4, allowing only for the update traffic to/from $self".

(I hope I'm not missing something basic here)
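The advice above, written out as a pf.conf fragment (an added example, not posted in the thread). It assumes the ETH1-3 ports are em0, em1 and em2 and are members of bridge0, that ETH4 is em3, and that the mirror is reached by name, so DNS is needed alongside HTTP/HTTPS.

```pf
# /etc/pf.conf sketch for the setup discussed above (added example, not from the thread).
# Assumed interface names: ETH1-3 = em0 em1 em2 (members of bridge0), ETH4 = em3.
bridge_ports = "{ em0 em1 em2 }"
mgmt_if = "em3"

set skip on lo

# Default deny everywhere, logged, so anything unexpected on em3 shows up
# on pflog0 (tcpdump -n -e -ttt -i pflog0).
block log all

# Bridged traffic is filtered on the member interfaces, not on bridge0;
# the real transit policy for ETH1-3 belongs here in place of this pass.
pass on $bridge_ports

# ETH4 carries only traffic the firewall itself originates for an upgrade:
# DNS to resolve the mirror, then HTTP/HTTPS for sysupgrade(8) and pkg_add(1).
# Nothing is passed in; replies are matched by the state the "pass out" creates.
pass out on $mgmt_if inet proto udp from ($mgmt_if) to any port 53
pass out on $mgmt_if inet proto tcp from ($mgmt_if) to any port { 80 443 }
```

Because em3 is not a bridge member, nothing arriving on it is forwarded to ETH2/ETH3, and the default block covers every inbound connection attempt to the firewall's own address while the modem is plugged into that port.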



Re: Bridging firewall with online update/upgrade

2024-04-03 Thread Nick Holland

On 4/3/24 12:19, Karel Lucas wrote:

> Hi all,
>
> I am creating a bridging firewall with OpenBSD and the following
> hardware:
> https://www.amazon.nl/dp/B0B6J89MXJ?ref=ppx_pop_dt_b_asin_image&th=1.
> OpenBSD is already installed. I want to use ETH1 for the input from my
> ADSL modem, ETH2 and ETH3 for the output to my network. Furthermore, I
> would like to use ETH4 for the update/upgrade of the firewall. Remove
> the connection from ETH1, plug it into ETH4, and update/upgrade. Then
> the connection returns to ETH1. ETH4 therefore receives an IP address
> and ETH1,ETH2 and ETH3 not. But now the problem: as long as the network
> connection of the ADSL modem is in ETH4, my network, including the
> firewall, is no longer secured, and attackers can take advantage. I
> therefore wonder whether it is possible to let the data flow via ETH1
> and ETH4 first pass through PF before an update/upgrade is done via
> ETH4. This means that the bridging firewall will have two entrances, one
> without and one with an IP address. I would like to know if that is
> possible, or if there is another option.



There are lots of options, but I'm not seeing the point of the bridging
firewall here.  Sounds like you are making things complicated and I'm
suspicious you won't be getting much benefit from it.  I think you would
do much better with NAT.

But...pretending for the moment this is the right solution for you, if
you are already planning on physically moving to the box to do upgrades,
just download the installXX.img file on another machine, drop it on a
thumb drive, walk over to your bridge and reboot from the thumb drive
and upgrade, don't bother fiddling with cables.

I'm also pretty sure you can put an internal IP on one of the ports
other than the bridge, and copy the files and install from there.  That
would have the benefit of remote administration, too.

Nick.



Re: Bridging firewall with online update/upgrade

2024-04-03 Thread Zé Loff
On Wed, Apr 03, 2024 at 06:19:29PM +0200, Karel Lucas wrote:
> Hi all,
> 
> I am creating a bridging firewall with OpenBSD and the following hardware:
> https://www.amazon.nl/dp/B0B6J89MXJ?ref=ppx_pop_dt_b_asin_image&th=1.
> OpenBSD is already installed. I want to use ETH1 for the input from my ADSL
> modem, ETH2 and ETH3 for the output to my network. Furthermore, I would like
> to use ETH4 for the update/upgrade of the firewall. Remove the connection
> from ETH1, plug it into ETH4, and update/upgrade. Then the connection
> returns to ETH1. ETH4 therefore receives an IP address and ETH1,ETH2 and
> ETH3 not. But now the problem: as long as the network connection of the ADSL
> modem is in ETH4, my network, including the firewall, is no longer secured,
> and attackers can take advantage. I therefore wonder whether it is possible
> to let the data flow via ETH1 and ETH4 first pass through PF before an
> update/upgrade is done via ETH4. This means that the bridging firewall will
> have two entrances, one without and one with an IP address. I would like to
> know if that is possible, or if there is another option.
> 

I'd just run sysupgrade -n, unplug ETH1, reboot into the installer and
upgrade, reboot, and finally plug ETH1 back in.




Bridging firewall with online update/upgrade

2024-04-03 Thread Karel Lucas

Hi all,

I am creating a bridging firewall with OpenBSD and the following 
hardware: 
https://www.amazon.nl/dp/B0B6J89MXJ?ref=ppx_pop_dt_b_asin_image&th=1. 
OpenBSD is already installed. I want to use ETH1 for the input from my 
ADSL modem, ETH2 and ETH3 for the output to my network. Furthermore, I 
would like to use ETH4 for the update/upgrade of the firewall. Remove 
the connection from ETH1, plug it into ETH4, and update/upgrade. Then 
the connection returns to ETH1. ETH4 therefore receives an IP address 
and ETH1,ETH2 and ETH3 not. But now the problem: as long as the network 
connection of the ADSL modem is in ETH4, my network, including the 
firewall, is no longer secured, and attackers can take advantage. I 
therefore wonder whether it is possible to let the data flow via ETH1 
and ETH4 first pass through PF before an update/upgrade is done via 
ETH4. This means that the bridging firewall will have two entrances, one 
without and one with an IP address. I would like to know if that is 
possible, or if there is another option.




Re: Bash instead of ksh

2024-04-03 Thread jslee
On Wed, 3 Apr 2024, at 14:08, Nick Holland wrote:
> Why do you think that's an "excellent idea" -- something you would
> encourage people to do?  What is it that you see bash doing so much
> better than stock pdksh?

presumably those tens of thousands of lines of completely unvetted custom tab 
completion machinery ain't gonna work in ksh

John



Re: need help to access my machine after upgrade -- system immediately logs me out

2024-04-03 Thread Sandeep Gupta
Cool. That worked. Also my system is back up and running. Turns out the i3
libraries installed had become incompatible with the rest of the system.
Simply deleted those and glib2 packages and reinstalled everything. Works
well now. Thanks for all the help :).
Cheers
Sandeep


On Wed, Apr 3, 2024 at 12:51 AM Otto Moerbeek  wrote:

> On Wed, Apr 03, 2024 at 12:45:33AM +0530, Sandeep Gupta wrote:
>
> > Thank you for all the inputs. This is so useful. I am able to at least
> > access the file system and rescue the data.
> > However, I'm not able to restore the system yet.  The command "pkg_add
> -u"
> > runs into "out of memory error".
> > ulimit -a shows decent memory:
> > memory(kbytes) 11872836.
>
> you want to increase the data limit, ulimit -d
>
> -Otto
>
> >
> > On Tue, Apr 2, 2024 at 5:04 PM Stuart Henderson <
> stu.li...@spacehopper.org>
> > wrote:
> >
> > > On 2024-04-01, Sandeep Gupta  wrote:
> > > >
> > > > However when i tried to log from the console -- the login message
> shows
> > > but
> > > > the system logs me out immediately.
> > > > On the desktop gui too, with only root I was able to login. But
> running
> > > > xterm from the fvwm menu fails.
> > > > I am a bit clueless as to how to gain access to the system.
> > >
> > > Try this:
> > >
> > > Boot into single-user mode ("boot -s" at the boot loader prompt)
> > > fsck -p
> > > mount -a -t nonfs
> > >
> > > Hopefully that will get you access to the system. You can try looking
> at
> > > system logs to see if that gives any clues about the problem. TERM
> won't
> > > be set so you may want to use e.g. "TERM=xterm less /var/log/messages"
> > > etc. $HOME/.xsession-errors might give some clues too.
> > >
> > > If you think that updating packages might help then 'sh /etc/netstart'
> > > to get working net and proceed with pkg_add -u as usual.
> > >
> > >
> > >
>