Re: pf.conf: identifying a specific user from dhcpd-table

2018-10-10 Thread Bogdan Kulbida
Edgar,

Sounds like you need to build an adaptive firewall. I would suggest starting
with The Book of PF by Peter Hansteen. An excellent resource. That might be a
good starting point for you as well. It has a good portion of information on
adaptive firewalls.

P.S. Thank you, Peter for such a great book.

-bogdan

> On Oct 10, 2018, at 8:17 AM, Edgar Pettijohn wrote:
> 
> 
> On Oct 10, 2018 7:58 AM, "Peter N. M. Hansteen" wrote:
>> 
>> On Wed, Oct 10, 2018 at 02:48:24PM +0200, Stefan Wollny wrote:
>>> 
>>> I'd like to set up PF to forward this port (25565) without a pre-defined
>>> IP as macro as the dhcpd.conf has a line defining tables for abandoned
>>> ("-A"), changed ("-C") and present leases ("-L"). According to man
>>> dhcpd(8) those tables may be used with PF. But how??? I couldn't find
>>> examples.
>>> 
>>> Do I have to tell PF about these tables in pf.conf? Or don't I need
>>> these tables at all?
>> 
>> You do need to include the tables in your pf.conf. I'm a bit surprised
>> the example at https://home.nuug.no/~peter/pftutorial/#33 did not show up
>> in your search.
>> 
>> - P
>> 
>> -- 
>> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
>> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
>> "Remember to set the evil bit on all malicious network traffic"
>> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>> 
> 
> When looking for pf info I generally just Google Peter Hansteen.
> 
> Edgar
> 



syslogd restarts randomly

2018-09-30 Thread Bogdan Kulbida
Hi Everyone,

I'm having a hard time understanding what is going on with the syslogd
on some of my servers. It restarts on a regular basis and that just
looks suspicious to me. I'm using OpenBSD 6.3 (GENERIC.MP).

Here is an output of the syslogd:

Sep 26 07:00:01  syslogd: restart
Sep 26 10:00:07  syslogd: dropped 9 messages during initialization
Sep 26 10:00:07  syslogd: restart
Sep 26 16:38:44  syslogd: dropped 5 messages during initialization
Sep 26 16:38:44  syslogd: restart
Sep 27 14:00:01  syslogd: dropped 9 messages during initialization
Sep 27 14:00:01  syslogd: restart
Sep 27 16:31:34  syslogd: dropped 5 messages during initialization
Sep 27 16:31:34  syslogd: restart
Sep 28 04:00:01  syslogd: dropped 9 messages during initialization
Sep 28 04:00:01  syslogd: restart
Sep 28 10:01:47  syslogd: dropped 9 messages during initialization
Sep 28 10:01:47  syslogd: start
Sep 28 11:25:54  syslogd: dropped 5 messages during initialization
Sep 28 11:25:54  syslogd: restart
Sep 28 16:24:24  syslogd: dropped 5 messages during initialization
Sep 28 16:24:24  syslogd: restart
Sep 28 17:00:02  syslogd: dropped 9 messages during initialization
Sep 28 17:00:02  syslogd: restart
Sep 28 19:00:01  syslogd: dropped 9 messages during initialization
Sep 28 19:00:01  syslogd: restart
Sep 28 23:22:18  syslogd: dropped 5 messages during initialization
Sep 28 23:22:18  syslogd: restart
Sep 29 10:00:01  syslogd: dropped 9 messages during initialization
Sep 29 10:00:01  syslogd: restart
Sep 29 16:17:14  syslogd: dropped 5 messages during initialization
Sep 29 16:17:14  syslogd: restart
Sep 29 19:00:01  syslogd: dropped 9 messages during initialization
Sep 29 19:00:01  syslogd: restart
Sep 30 10:11:52  syslogd: dropped 5 messages during initialization
Sep 30 10:11:52  syslogd: restart
Sep 30 16:10:05  syslogd: dropped 5 messages during initialization
Sep 30 16:10:05  syslogd: restart
Sep 30 17:00:02  syslogd: dropped 9 messages during initialization
Sep 30 17:00:02  syslogd: restart

Any ideas on how I can start investigating this issue? Also what would
be your thinking on what is going on?

Thank you a lot

-- 
---
Best regards,
Bogdan
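
One way to start on the question above, as an added example that is not part of the original post: split the restarts into those that land at the top of an hour and the rest, then look at how the rest are spaced. The function names, the 30-second window and the year are assumptions; the sample lines are a subset of the log quoted in the post.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the lines quoted in the post
# (the hostname field is already blank there).
SAMPLE = """\
Sep 26 07:00:01  syslogd: restart
Sep 26 10:00:07  syslogd: dropped 9 messages during initialization
Sep 26 10:00:07  syslogd: restart
Sep 26 16:38:44  syslogd: dropped 5 messages during initialization
Sep 26 16:38:44  syslogd: restart
Sep 27 16:31:34  syslogd: dropped 5 messages during initialization
Sep 27 16:31:34  syslogd: restart
Sep 28 10:01:47  syslogd: dropped 9 messages during initialization
Sep 28 10:01:47  syslogd: start
Sep 28 16:24:24  syslogd: dropped 5 messages during initialization
Sep 28 16:24:24  syslogd: restart
"""

# Hypothesis the "on the hour" bucket tests (assumption: stock root crontab):
# newsyslog(8) runs at minute 0 of each hour and signals syslogd after a rotation.
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)\s+(?:\S+\s+)?syslogd(?:\[\d+\])?: (.+)$")
DROPPED = re.compile(r"dropped (\d+) messages? during initialization")
SLACK = 30  # assumed window, in seconds after hh:00:00, that counts as "on the hour"

def parse_events(text, year=2018):
    """Return one dict per syslogd start/restart, with the drop count logged just before it."""
    events, dropped = [], 0
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        d = DROPPED.match(m.group(2))
        if d:
            dropped = int(d.group(1))
        elif m.group(2) in ("start", "restart"):
            on_hour = when.minute == 0 and when.second <= SLACK
            events.append({"when": when, "kind": m.group(2),
                           "dropped": dropped, "on_hour": on_hour})
            dropped = 0
    return events

def summarize(events):
    """Bucket restarts by schedule and measure the spacing of the off-hour ones."""
    restarts = [e for e in events if e["kind"] == "restart"]
    hourly = [e for e in restarts if e["on_hour"]]
    other = [e for e in restarts if not e["on_hour"]]
    gaps = [int((b["when"] - a["when"]).total_seconds())
            for a, b in zip(other, other[1:])]
    return {
        "starts": [e["when"] for e in events if e["kind"] == "start"],
        "hourly": len(hourly),
        "off_hour": len(other),
        "off_hour_gaps_s": gaps,
        "dropped_hourly": sorted({e["dropped"] for e in hourly}),
        "dropped_off_hour": sorted({e["dropped"] for e in other}),
    }

if __name__ == "__main__":
    for key, value in summarize(parse_events(SAMPLE)).items():
        print(f"{key}: {value}")
```

A constant gap between the off-hour restarts points to something periodic on the host, and a lone `start` marks a fresh syslogd process rather than a reload; both are leads to confirm against cron and the host's uptime, not conclusions.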



Re: USB Ethernet adapter

2018-09-27 Thread Bogdan Kulbida
This is a great suggestion. Thanks Stuart. Much appreciated

-b.

On Thu, Sep 27, 2018 at 14:57 Stuart Longland wrote:

> On 25/09/18 10:00, Bogdan Kulbida wrote:
> > Please don’t judge that hard, but I’m trying to see if I can set-up a
> > network gateway with one of the old’ish servers I have here. It was running
> > OBSD just fine for a looong time but has only one network interface.
> >
> > It does have few extra USB ports, ta-da...
> > Anyway, what USB network interface would you recommend that would run
> > smoothly with the OBSD 6.3?
>
> Another possibility is if you don't need the full link speed, you can
> use a managed switch and set up 802.1Q.
>
> Make the ports at both ends trunk ports and multiplex as many Ethernet
> segments as you like.
>
> I use this approach with a TS-7670 industrial PC which has only one
> 100Mbps Ethernet interface to have it route between a DMZ and a
> management network, and of course, indirectly two of my OpenBSD-based
> virtual machines do this (with the Linux host doing the 802.1Q stuff).
> --
> Stuart Longland (aka Redhatter, VK4MSL)
>
> I haven't lost my mind...
>   ...it's backed up on a tape somewhere.
>
> --
---
Best regards,
Bogdan Kulbida
Founder and CEO, Konstankino LLC <http://konstankino.com>
+1.802.793.8295


Re: USB Ethernet adapter

2018-09-25 Thread Bogdan Kulbida
Thank you for your help. Much appreciated.

On Tue, Sep 25, 2018 at 03:35 Stephane HUC "PengouinBSD" <
b...@stephane-huc.net> wrote:

> Hi, Bogdan
>
> I'm using every day, the Wii USB Lan Ethernet Adapter RVL-015; it's
> managed by axe driver:
>
> $ dmesg | grep axe
>
> axe0 at uhub0 port 1 configuration 1 interface 0 "ASIX Electronics AX88772" rev 2.00/0.01 addr 2
> axe0: AX88772, address 00:**:**:**:**:**
> ukphy0 at axe0 phy 16: Generic IEEE 802.3u media interface, rev. 1: OUI 0x000ec6, model 0x0001
>
> see https://man.openbsd.org/OpenBSD-current/man4/axe.4
>
> I maintain a web page with information about USB-Ethernet adapters (in French),
> here: https://wiki.obsd4a.net/hardware:network:usb_eth ;)
>
>
> On 09/25/18 at 02:00, Bogdan Kulbida wrote:
> (...)
> > Anyway, what USB network interface would you recommend that would run
> > smoothly with the OBSD 6.3?
> > (...)
> --
> ~ " Fully Basic System Distinguish Life! " ~ " Libre as a BSD " +=<<<
> 
> Stephane HUC as PengouinBSD or CIOTBSD
> b...@stephane-huc.net
>
> --
---
Best regards,
Bogdan Kulbida
Founder and CEO, Konstankino LLC <http://konstankino.com>
+1.802.793.8295


USB Ethernet adapter

2018-09-24 Thread Bogdan Kulbida
Dear Community,

Please don’t judge that hard, but I’m trying to see if I can set-up a
network gateway with one of the old’ish servers I have here. It was running
OBSD just fine for a looong time but has only one network interface.

It does have few extra USB ports, ta-da...
Anyway, what USB network interface would you recommend that would run
smoothly with the OBSD 6.3?

Much appreciated all your efforts.

Thank you.
-- 
---
Best regards,
Bogdan Kulbida
Founder and CEO, Konstankino LLC <http://konstankino.com>
+1.802.793.8295


Re: Deploy Django app - strategy?

2018-09-16 Thread Bogdan Kulbida
Hi Ken,

Can you please be more specific on Nginx talking via sockets? Any URLs on
that topic will be appreciated. Thank you.

On Sun, Sep 16, 2018 at 09:46 Ken M wrote:

> On Sun, Sep 16, 2018 at 09:05:33AM +0300, ?? wrote:
> > I deploy my django app using uwsgi and venv in my home dir
> > uWSGi starts on its default port and httpd server uses this port
> > to handle my app requests. Everything just like in the official manual of
> > uwsgi.
> >
>
> Don't know if this is helpful for Django apps, or if httpd in openbsd can use
> unix sockets. Anyway with a couple of falcon APIs I set up with Gunicorn I
> actually used unix sockets instead of creating ports. If my proxy is on the same
> server as the APIs I found that a little easier to manage. Granted in this case
> it was on centos and I was using nginx. Also in the process of figuring out how
> to do that I found a lot of the documentation on nginx syntax talking to a unix
> socket was wrong. But that is another story.
>
> Ken
>
> --
---
Best regards,
Bogdan Kulbida
Founder and CEO, Konstankino LLC <http://konstankino.com>
+1.802.793.8295


Re: NodeJS apps on Httpd?

2018-09-06 Thread Bogdan Kulbida
That is correct. I wanted to say relayd.

-Bogdan

On Thu, Sep 6, 2018 at 01:55 Solene Rapenne wrote:

> Bogdan Kulbida wrote:
> > Hi Mike,
> >
> > Why don’t you run a “usual” nodejs server (probably multiple processes) and
> > proxy requests into it via httpd?
> >
> > Question: Any objections or security concerns?
>
> httpd doesn't have proxy feature, only fastcgi
>
-- 
---
Best regards,
Bogdan Kulbida
Founder and CEO, Konstankino LLC <http://konstankino.com>
+1.802.793.8295


Re: NodeJS apps on Httpd?

2018-09-05 Thread Bogdan Kulbida
Hi Mike,

Why don’t you run a “usual” nodejs server (probably multiple processes) and
proxy requests into it via httpd?

Question: Any objections or security concerns?

-Bogdan

On Wed, Sep 5, 2018 at 13:01 Chris Cappuccio wrote:

> Michael Joy [mich...@michaeljoy.eu] wrote:
> > Does anyone have any experience of getting node apps running through httpd?
> > Any opinions, instructions or warnings are welcome.
>
> I think generally node apps will be run behind relayd, not httpd.
>
> --
---
Best regards,
Bogdan Kulbida
Founder and CEO, Konstankino LLC <http://konstankino.com>
+1.802.793.8295


Re: Equipment for OBSD based firewall

2018-09-03 Thread Bogdan Kulbida
Ingo,
I so much enjoyed reading your answer. Thanks a lot for sharing.

-Bogdan

On Mon, Sep 3, 2018 at 20:04 Ingo Schwarze wrote:

> Hi Bogdan,
>
> Bogdan Kulbida wrote on Mon, Sep 03, 2018 at 04:17:51PM -0700:
>
> > I need to build a pf OBSD firewall for a small office. What minimally
> > feasible equipment would you recommend in order to achieve this goal?
>
> I seriously doubt that you can find anything in the trash that isn't
> seriously oversized.
>
> In 2001, i ran an OpenBSD 2.7 firewall with ipf(4) on an
> Intel 486-SX25 (25 MHz) with 24 MB (not GB!) RAM, a system
> disk of 100 MB (not GB!) and a /var/ disk of another 100 MB.
> The about ten concurrent users were happy with it for years.
>
> OK, that would no longer work because the SX25 had no numerical
> coprocessor which is now required to run OpenBSD, and it required
> some fiddling to fit the system installation into 100 MB.  But it
> always routed the traffic fast enough.
>
> Currently, one of my office firewalls runs on:
>
>  - CPU: AMD-K6 234 MHz (yes, a quarter of a GHz)
>  - RAM: 128 MB (yes, an eighth of a GB)
>  - HD: ATA (not SATA!) UDMA-2, 3 GB (not 300 GB!)
>
> The only reason the machine is *THAT* large is that at the time it
> was selected, we no longer had any smaller dismantled desktop
> machines in the trash.  I don't have the slightest doubt that a
> much smaller machine would also be fine - certainly with half of
> everything, like 100 MHz, 64 MB RAM, 1 GB disk.
>
> And since then, i'm too lazy to pull something newer from the trash
> to replace it - because it just works.
>
> As a matter of fact, i'm sending this email over it...
>
> Yours,
>   Ingo
>
-- 
---
Best regards,
Bogdan Kulbida
Founder and CEO, Konstankino LLC <http://konstankino.com>
+1.802.793.8295


Re: Equipment for OBSD based firewall

2018-09-03 Thread Bogdan Kulbida
Thank you. Much appreciated.

On Mon, Sep 3, 2018 at 17:03 Tracey Emery wrote:

> https://pcengines.ch
>
>
>
>
> On September 3, 2018 5:17:51 PM MDT, Bogdan Kulbida wrote:
>>
>> Ladies and gentlemen,
>>
>> I need to build a pf OBSD firewall for a small office. What minimally
>> feasible equipment would you recommend in order to achieve this goal?
>>
>> Thank you!
>>
>>
> --
> Tracey
>
-- 
---
Best regards,
Bogdan Kulbida
Founder and CEO, Konstankino LLC <http://konstankino.com>
+1.802.793.8295


Equipment for OBSD based firewall

2018-09-03 Thread Bogdan Kulbida
Ladies and gentlemen,

I need to build a pf OBSD firewall for a small office. What minimally
feasible equipment would you recommend in order to achieve this goal?

Thank you!
-- 
---
Best regards,
Bogdan Kulbida
Founder and CEO, Konstankino LLC <http://konstankino.com>
+1.802.793.8295


Re: Selling things through the mailing list allowed? I have compatible THIN CLIENTS for Firewall / Router appliance use Available

2018-08-30 Thread Bogdan Kulbida
I would like to apologize for the previous email. The joke was
unprofessional and very rude.
I’m sorry if it was offensive to someone in this list.

-Bogdan

On Wed, Aug 29, 2018 at 22:40 Bogdan Kulbida wrote:

> I love it! Damn f.. asshole! Get him out of here!
>
> On Wed, Aug 29, 2018 at 21:09 Theo de Raadt wrote:
>
>> Jacqueline Jolicoeur wrote:
>>
>> > > Finally, whether intended or not, your intention to try to SELL
>> > > something on this list is extraordinarily rude. Move on and go learn
>> > > about this on your own. The Internet is filled with useful information.
>> > > The mailing list archives also have a tremendous amount of useful info.
>> >
>> > Asking permission, while at the same time, performing the act.
>> >
>> > "Wrote a song about it. Like to hear it? Here it goes." - Calhoun Tubbs
>>
>> May I call people trying to sell things on misc assholes?  The guy
>> trying to sell stuff on misc is an asshole. Oh sorry, I'm sorry I called
>> an asshole an asshole.
>>
>> Right?
>>
>> --
> --
>
> --
---
Best regards,
Bogdan Kulbida
Founder and CEO, Konstankino LLC <http://konstankino.com>
+1.802.793.8295


Re: Selling things through the mailing list allowed? I have compatible THIN CLIENTS for Firewall / Router appliance use Available

2018-08-29 Thread Bogdan Kulbida
I love it! Damn f.. asshole! Get him out of here!

On Wed, Aug 29, 2018 at 21:09 Theo de Raadt wrote:

> Jacqueline Jolicoeur wrote:
>
> > > Finally, whether intended or not, your intention to try to SELL
> > > something on this list is extraordinarily rude. Move on and go learn
> > > about this on your own. The Internet is filled with useful information.
> > > The mailing list archives also have a tremendous amount of useful info.
> >
> > Asking permission, while at the same time, performing the act.
> >
> > "Wrote a song about it. Like to hear it? Here it goes." - Calhoun Tubbs
>
> May I call people trying to sell things on misc assholes?  The guy
> trying to sell stuff on misc is an asshole. Oh sorry, I'm sorry I called
> an asshole an asshole.
>
> Right?
>
> --
---
Best regards,
Bogdan Kulbida
Founder and CEO, Konstankino LLC <http://konstankino.com>
+1.802.793.8295


Re: CVE-2018-8897

2018-05-11 Thread Bogdan Kulbida
I guess this is the main reason why we all love OpenBSD and an idea and a 
philosophy (and people) behind this great OS!

- Bogdan

> On May 11, 2018, at 6:49 AM, andrew fabbro wrote:
> 
> "A statement...was mishandled in the development of some or all
> operating-system kernels..."
> 
> I think it's really "some" and the reason it's "some" and not "all" is
> OpenBSD.
> 
> On Thu, May 10, 2018 at 9:51 PM, John Long wrote:
> 
>> On Thu, 2018-05-10 at 18:54 -0600, Theo de Raadt wrote:
>>>> Dare I ask what led to OpenBSD not being affected.
>>>> 
>>>> Sorry if it is a dumb question but since this hit FreeBSD as well I am
>>>> wondering what OpenBSD did differently.
>>>> 
>>>> Was this caught in an audit?
>>>> 
>>>> I am just curious about causality that kept OpenBSD in the clear of this
>>>> one that made such headlines yesterday.
>>> 
>>> 
>>> We didn't chase the fad of using every Intel cpu feature.
>> 
>> This goes into the archive! Thank you for the slice of sanity in an
>> insane world.
>> 
>> /jl
>> 
>> 
> 
> 
> -- 
> andrew fabbro
> and...@fabbro.org



Re: Unpriviliged wkhtmltopdf binary invocation fails with core dump

2018-04-23 Thread Bogdan Kulbida
Andrew,

The ‘-n’ flag did help and resolved the issue.
You have no idea how much I appreciate your help!

I’m interested to know why it failed w/ js enabled. Would you mind sharing
that, or pointing me in the direction where to find the answer?

Best,
Bogdan

On Mon, Apr 23, 2018 at 14:53 Andrew <and...@quickstick.net> wrote:

> On 04/23/18 15:50, Bogdan Kulbida wrote:
> >Hi Everyone,
> >
> >I'm trying to use wkhtmltopdf to generate PDF from my HTML files. I
> >was googling like crazy but did not find any valuable information so
> >far.
> >When I run (as root)
> >
> ># /usr/local/bin/wkhtmltopdf http://google.com /tmp/out.pdf
> >
> >It does generate pdf just fine. But when I run the same command as
> >unprivileged user I got
> >Trace/BPT trap (core dumped) ] 10%
>
> Bogdan,
>
> See if this helps. As an unprivileged user, try the -n switch to disable
> javascript -- e.g. wkhtmltopdf -n [args].
>
> -A
>
> PS: A related package is htmldoc -- but I haven't tried it out yet.
>
> --

---
Best regards,
Bogdan Kulbida
CEO/CTO, Konstankino LLC <http://konstankino.com>
+1.802.793.8295


Unpriviliged wkhtmltopdf binary invocation fails with core dump

2018-04-23 Thread Bogdan Kulbida
Hi Everyone,

I'm trying to use wkhtmltopdf to generate PDF from my HTML files. I
was googling like crazy but did not find any valuable information so
far.
When I run (as root)

# /usr/local/bin/wkhtmltopdf http://google.com /tmp/out.pdf

It does generate pdf just fine. But when I run the same command as
unprivileged user I got
Trace/BPT trap (core dumped) ] 10%

This is what the `ldd` output looks like:

web$ ldd /usr/local/bin/wkhtmltopdf
/usr/local/bin/wkhtmltopdf:
Start        End          Type  Open Ref GrpRef Name
0ab734d0     0ab737ef7000 exe   2    0   0      /usr/local/bin/wkhtmltopdf
0ab99bee9000 0ab99c15e000 rlib  0    1   0      /usr/local/lib/libjpeg.so.68.1
0ab97f467000 0ab97f6a1000 rlib  0    1   0      /usr/local/lib/libpng.so.17.5
0ab966451000 0ab96665b000 rlib  0    1   0      /usr/X11R6/lib/libXrender.so.6.0
0ab9c1255000 0ab9c149d000 rlib  0    1   0      /usr/X11R6/lib/libfontconfig.so.11.0
0ab9db822000 0ab9dbae5000 rlib  0    2   0      /usr/X11R6/lib/libfreetype.so.28.2
0ab9db221000 0ab9db433000 rlib  0    1   0      /usr/X11R6/lib/libXext.so.13.0
0ab99d159000 0ab99d49c000 rlib  0    3   0      /usr/X11R6/lib/libX11.so.16.1
0aba030a5000 0aba032bc000 rlib  0    3   0      /usr/lib/libz.so.5.0
0aba0643c000 0aba06664000 rlib  0    2   0      /usr/lib/libm.so.10.1
0ab9b1757000 0ab9b1a54000 rlib  0    1   0      /usr/local/lib/libiconv.so.6.0
0ab9a240e000 0ab9a26ce000 rlib  0    1   0      /usr/lib/libc++.so.1.0
0ab94b1bb000 0ab94b41b000 rlib  0    1   0      /usr/lib/libc++abi.so.0.0
0aba1dffc000 0aba1e205000 rlib  0    1   0      /usr/lib/libpthread.so.25.1
0ab9bf67a000 0ab9bf95a000 rlib  0    1   0      /usr/lib/libc.so.92.3
0ab9a2bce000 0ab9a2df9000 rlib  0    3   0      /usr/X11R6/lib/libxcb.so.4.0
0ab9af568000 0ab9af793000 rlib  0    1   0      /usr/lib/libexpat.so.12.0
0ab9b26d     0ab9b28d4000 rlib  0    1   0      /usr/X11R6/lib/libXau.so.10.0
0ab9d8f45000 0ab9d914b000 rlib  0    1   0      /usr/X11R6/lib/libXdmcp.so.11.0
0ab997e0     0ab997e0     ld.so 0    1   0      /usr/libexec/ld.so

The file dump is ~10Mb I did not want to include it unless you ask for it...

Please help. Thank you.

---
Best,
Bogdan



Re: thank you for 6.3

2018-04-19 Thread Bogdan Kulbida
I use block storage device with encryption just to keep my /home encrypted
and mount it manually every time I boot...

On Thu, Apr 19, 2018 at 04:50 flipchan <flipc...@riseup.net> wrote:

> Running 6.3 on x200 here as well but with libreboot, except for libreboot
> not allowing me to have full disk encryption it works like a charm
>
> On April 18, 2018 5:10:26 PM UTC, Scott Bonds <sc...@ggr.com> wrote:
> >Under 6.2 my laptop would hang a few hours after waking from sleep, and
> >it was my own damn fault for running an unsupported config (Lenovo x200
> >+ coreboot + SeaBIOS). But after upgrading to 6.3 I haven't been able to
> >get it to hang and I find myself back in 'it just works' land which is
> >so, so nice. So nice.
> >
> >I don't know who to thank, and maybe the dev that fixed my issue
> >wouldn't know *they* fixed it, but...thank you.
>
> --
> Take Care Sincerely flipchan layerprox dev
>
-- 

---
Best regards,
Bogdan Kulbida
CEO/CTO, Konstankino LLC <http://konstankino.com>
+1.802.793.8295


Block device encryption

2018-04-13 Thread Bogdan Kulbida
Dear OpenBSD awesome community,

I tried to find some information on block device encryption topic,
specifically about best practices in using it and did find some. But there
is not much I could find about what happens when my actual device contents
start to consume more space than initially allocated. I know you can
resize a volume but what if for some reason that was not done what are the
ramifications of continuing using block device and adding even more data
onto it?

Thank you for all the hard work all and each of you have done to make it
such a great world class operating system.

Regards,
Bogdan
-- 

---
Best regards,
Bogdan Kulbida
CEO/CTO, Konstankino LLC <http://konstankino.com>
+1.802.793.8295


Re: Migrating nginx config to OpenBSD's httpd

2018-04-13 Thread Bogdan Kulbida
Hi Carlos,

HAproxy project exists and serves much better as load balancer and reverse
proxy server. It is more efficient than engine X. Any concerns using it?

- Bogdan

On Fri, Apr 13, 2018 at 04:47 Pavel Korovin <p...@tristero.se> wrote:

> Hi Carlos,
>
> There's no analog of proxy_pass in httpd(8). relayd(8) is your friend.
>
> On 04/13, C. L. Martinez wrote:
> >  I am trying to migrate nginx configuration to OpenBSD's httpd. All it is
> > working ok, except for some proxy reverse config that I use with nginx's
> > config, like for example:
> >
> > server {
> >     listen 80;
> >     server_name internal.w01.domain.org;
> >
> >     location / {
> >         proxy_pass http://192.168.30.4;
> >     }
> > }
> >
> >  I don't see what is the option to use with httpd.conf or is it best
> > option to use relayd.conf for this type of configs?
>
> --
> With best regards,
> Pavel Korovin
>
> --

---
Best regards,
Bogdan Kulbida
CEO/CTO, Konstankino LLC <http://konstankino.com>
+1.802.793.8295