Re: ulpt vs kernel relinking

2019-05-10 Thread Thuban



* Antoine Jacoutot on [10-05-2019 14:41:08 +0200]:
> On Thu, May 09, 2019 at 11:41:17PM -0600, Theo de Raadt wrote:
> > config -e is incompatible with the KARL relinking sequence.
> > 
> > For now, we consider KARL more valuable than config -e usage
> > patterns.
> > 
> > We've thought about this but for now we don't have a clever
> > solution to solve this.
> 

Thanks for the enlightenment.

> Usual disclaimer, you're on your own etc...
> You can probably do something like this in /etc/rc.shutdown:
> 
> printf 'disable ulpt\nq\n' | config -ef /bsd
> sha256 /bsd >/var/db/kernel.SHA256

Indeed, this removes the warnings. Thank you.



ulpt vs kernel relinking

2019-05-09 Thread Thuban
Hi,
I have a printer that requires ulpt to be disabled,
as mentioned in /usr/local/share/doc/pkg-readmes/cups. And it works.

# config -fe /bsd
disable ulpt
quit

After a reboot, I notice:

reorder_kernel: kernel relinking failed; see 
/usr/share/relink/kernel/GENERIC.MP/relink.log

OK, so I run, as mentioned in the above file:

sha256 -h /var/db/kernel.SHA256 /bsd

However, at the next reboot, ulpt is re-enabled.

How can I still have KARL and use my printer?


-- 
thuban



Re: How to synchronise 2 spamd instances

2019-04-22 Thread Thuban
* Otto Moerbeek on [21-04-2019 12:49:07 +0200]:
> On Sun, Apr 21, 2019 at 09:53:52AM +, Mik J wrote:
> 
> > Hello,
> > I read the man but it's not so clear to me
> > https://man.openbsd.org/spamd#SYNCHRONISATION
> > a) I chose unicast synchronisation but I don't know which port should I 
> > open on the firewall ?
> > Is it going to use the spamd-cfg service ?
> 
> It will use spamd-sync (udp port 8025)

Good to know, I was blocking this traffic. It might be interesting to
add a word about this in the manpage, what do you think?
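
The two settings behind Otto's answer, shown as an added illustration rather than something from the thread: the pf rule each host needs for spamd-sync, and the rc.conf.local flags. The addresses are placeholders; host B gets the mirror image. The pass rule is limited to the peer, and the shared key in /etc/mail/spamd.key (identical on every synchronising host) makes spamd verify an HMAC on each update, so that a stranger who can reach UDP 8025 cannot feed entries into the greylist database.

```conf
# /etc/rc.conf.local on host A (added example, placeholder addresses)
# -y: address to listen on for sync messages
# -Y: peer to send updates to (repeat -Y for more than one peer)
spamd_flags="-v -y 192.0.2.1 -Y 192.0.2.2"

# /etc/pf.conf on host A: only the peer may talk to spamd-sync (udp 8025);
# the usual spamd redirect rules stay as they are
pass in on egress proto udp from 192.0.2.2 to (egress) port 8025

# Shared secret, same file on every host, so that unsigned or forged
# updates are dropped. One way to create it (root only):
#   openssl rand -base64 32 > /etc/mail/spamd.key
#   chmod 600 /etc/mail/spamd.key
```

Without the key file, spamd accepts any well-formed sync message on that port, so the pf rule is the only thing standing between a spoofed UDP packet and your whitelist.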



[bug?] cwm mouse can't leave dialog window

2019-04-16 Thread Thuban
Hi,
I'm not sure where to post this as I'm not sure it's a bug related to
cwm.
The mouse pointer can't leave some windows.

How to reproduce:
1. Open libreoffice
2. Try to open a new document
3. The mouse pointer can't move out of the dialog window.

Attached is a screencast of what's happening to me.

Am I the only one?
Any suggestion to solve this?
-- 
thuban



spamd and low priority MX

2019-03-02 Thread Thuban
Hello,
I ran into the spamd "-M" flag in the manpage, and I'm not sure I understand
it correctly.

On the server with the highest priority (lower MX value), must I set "-M nn.nn.nn.nn"
where nn.nn.nn.nn is the IP of a lower priority MX?
If there is more than one backup MX (lower priority), can the -M flag be
given more than once?

Am I wrong?

Regards.

thuban



re0 issue : system freeze

2018-12-14 Thread thuban
Hi,
I have an issue on my server: after a while, it seems to go down and freeze. I have
no SSH access because it's offline; I can only reboot it.
Looking in /var/log/messages, I see "/bsd: re0: watchdog timeout".
Instead of replacing the network card, what can I do to solve this issue?

More information below:

* OpenBSD 6.4 -stable amd64

* Last lines of /var/log/daemon before the crash:
Dec 13 23:44:46 ledzep spamd[40106]: 198.71.246.20: disconnected after 433 
seconds. lists: spamd-greytrap
Dec 13 23:45:47 ledzep spamd[40106]: 64.90.177.115: connected (1/0)
Dec 13 23:46:00 ledzep spamd[40106]: (GREY) 64.90.177.115: 
 -> 
Dec 13 23:46:00 ledzep spamd[40106]: 64.90.177.115: disconnected after 13 
seconds.
Dec 13 23:47:30 ledzep spamd[40106]: 198.71.246.20: connected (1/1), lists: 
spamd-greytrap
Dec 13 23:47:38 ledzep spamd[40106]: 37.252.72.189: connected (2/2), lists: 
nixspam
Dec 13 23:47:41 ledzep spamd[40106]: 86.125.112.183: connected (3/3), lists: 
nixspam
Dec 13 23:47:42 ledzep spamd[40106]: 37.252.72.189: disconnected after 4 
seconds. lists: nixspam
Dec 13 23:47:45 ledzep spamd[40106]: 86.125.112.183: disconnected after 4 
seconds. lists: nixspam
Dec 13 23:51:41 ledzep spamd[40106]: (BLACK) 198.71.246.20: 

 -> 
Dec 13 23:53:36 ledzep spamd[40106]: 198.71.246.20: From: Matomo Analytics 

Dec 13 23:53:36 ledzep spamd[40106]: 198.71.246.20: To: maxime...@3hg.fr
Dec 13 23:53:36 ledzep spamd[40106]: 198.71.246.20: Subject: Matomo Tag Manager 
now available on Matomo 3.7.0 for free
Dec 13 23:54:48 ledzep spamd[40106]: 198.71.246.20: disconnected after 438 
seconds. lists: spamd-greytrap

* Part of /var/log/messages around crash time:
Dec 11 23:22:30 ledzep /bsd: re0: watchdog timeout
Dec 11 23:22:31 ledzep bgpd[70451]: neighbor 217.31.80.170: sending 
notification: HoldTimer expired
Dec 11 23:22:31 ledzep bgpd[70451]: neighbor 64.142.121.62: sending 
notification: HoldTimer expired
Dec 11 23:30:34 ledzep /bsd: re0: watchdog timeout
Dec 11 23:31:44 ledzep /bsd: re0: watchdog timeout
Dec 11 23:31:44 ledzep bgpd[70451]: neighbor 217.31.80.170: sending 
notification: HoldTimer expired
Dec 11 23:31:44 ledzep bgpd[70451]: neighbor 64.142.121.62: sending 
notification: HoldTimer expired
Dec 11 23:36:49 ledzep bgpd[70451]: neighbor 2a00:15a8:0:100:0:d91f:50aa:1: 
session_connect socket: No buffer space available
Dec 11 23:38:53 ledzep bgpd[70451]: neighbor 2a00:15a8:0:100:0:d91f:50aa:1: 
session_connect socket: No buffer space available
Dec 11 23:40:57 ledzep bgpd[70451]: neighbor 2a00:15a8:0:100:0:d91f:50aa:1: 
session_connect socket: No buffer space available
Dec 11 23:45:00 ledzep last message repeated 2 times
Dec 11 23:50:26 ledzep /bsd: re0: watchdog timeout
Dec 11 23:51:03 ledzep bgpd[70451]: neighbor 217.31.80.170: sending 
notification: HoldTimer expired
Dec 11 23:51:04 ledzep bgpd[70451]: neighbor 64.142.121.62: sending 
notification: HoldTimer expired
Dec 11 23:51:41 ledzep /bsd: re0: watchdog timeout
Dec 11 23:53:48 ledzep /bsd: re0: watchdog timeout
Dec 11 23:55:05 ledzep bgpd[70451]: neighbor 217.31.80.170: connect: No route 
to host
Dec 11 23:55:05 ledzep bgpd[70451]: neighbor 64.142.121.62: connect: No route 
to host
Dec 11 23:57:37 ledzep /bsd: re0: watchdog timeout
Dec 11 23:59:13 ledzep /bsd: re0: watchdog timeout
Dec 12 00:00:38 ledzep last message repeated 2 times
Dec 12 00:01:13 ledzep nsd[87909]: sendto 80.67.169.40 failed: No route to host
Dec 12 00:01:14 ledzep last message repeated 5 times
Dec 12 00:01:35 ledzep bgpd[70451]: neighbor 217.31.80.170: received 
notification: HoldTimer expired
Dec 12 00:01:36 ledzep bgpd[70451]: neighbor 64.142.121.62: received 
notification: HoldTimer expired
Dec 12 00:03:16 ledzep /bsd: re0: watchdog timeout
Dec 12 00:05:12 ledzep /bsd: re0: watchdog timeout
Dec 12 00:06:19 ledzep /bsd: re0: watchdog timeout
Dec 12 00:17:32 ledzep last message repeated 7 times
Dec 12 00:21:59 ledzep last message repeated 4 times

* dmesg:
OpenBSD 6.4 (GENERIC.MP) #1: Mon Nov 26 10:18:14 CET 2018

r...@syspatch-64-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2019500032 (1925MB)
avail mem = 1949073408 (1858MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xebf00 (51 entries)
bios0: vendor American Megatrends Inc. version "F4" date 07/15/2014
bios0: GIGABYTE GB-BXBT-2807
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT MCFG LPIT HPET SSDT SSDT SSDT UEFI
acpi0: wakeup devices XHC1(S4) PXSX(S4) PXSX(S4) PXSX(S4) PXSX(S4) PWRB(S0) 
BRCM(S0)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) CPU N2807 @ 1.58GHz, 1583.70 MHz, 06-37-08
cpu0: 
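
Before replacing hardware it helps to know how often the card actually stalls and whether the bgpd HoldTimer expiries simply follow the stalls. The script below is an added example, not something from the thread: a sh/awk counter over /var/log/messages that also folds syslog's "last message repeated N times" lines into the watchdog event they repeat, which the excerpt above contains several times. The sample lines are constructed from that excerpt; "re0: watchdog timeout" is the re(4) driver reporting that a transmit did not complete in time.

```sh
#!/bin/sh
# Added example, not from the thread: count "watchdog timeout" events per
# interface in an OpenBSD /var/log/messages extract, folding syslog's
# "last message repeated N times" lines into the timeout they repeat.
# Portable sh + awk, no OpenBSD-specific tools needed.

# Constructed sample, modelled on the excerpt in the message above.
SAMPLE_LOG='Dec 11 23:22:30 ledzep /bsd: re0: watchdog timeout
Dec 11 23:22:31 ledzep bgpd[70451]: neighbor 217.31.80.170: sending notification: HoldTimer expired
Dec 11 23:45:00 ledzep last message repeated 2 times
Dec 11 23:59:13 ledzep /bsd: re0: watchdog timeout
Dec 12 00:00:38 ledzep last message repeated 2 times
Dec 12 00:01:13 ledzep nsd[87909]: sendto 80.67.169.40 failed: No route to host
Dec 12 00:06:19 ledzep /bsd: re0: watchdog timeout
Dec 12 00:17:32 ledzep last message repeated 7 times
Dec 12 00:21:59 ledzep last message repeated 4 times'

# watchdog_counts: syslog lines on stdin -> "<ifname> <count>" per interface.
# A "repeated N times" line only counts when the message right before it was
# a watchdog timeout; after any other message (bgpd, nsd, ...) it is ignored.
watchdog_counts() {
    awk '
        / \/bsd: [a-z]+[0-9]+: watchdog timeout/ {
            iface = $(NF-2); sub(/:$/, "", iface)
            n[iface]++
            next
        }
        / last message repeated [0-9]+ times/ {
            if (iface != "") n[iface] += $(NF-1)
            next
        }
        { iface = "" }
        END { for (i in n) printf "%s %d\n", i, n[i] }
    ' | sort
}

# watchdog_alarm LIMIT: exit 1 when any interface exceeded LIMIT timeouts,
# so a cron job can decide whether to reset the interface or page someone.
watchdog_alarm() {
    watchdog_counts | awk -v limit="$1" '$2 > limit { over = 1 } END { exit over ? 1 : 0 }'
}
```

Run it as `watchdog_counts < /var/log/messages`; a cron entry such as `watchdog_alarm 5 < /var/log/messages || logger -p daemon.err "re0 stalled"` turns the count into an alert. Cycling the interface (`ifconfig re0 down; ifconfig re0 up`) from that hook is a stopgap, not a fix, and the counts over a few days tell you whether the problem is getting worse.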

Re: iked : pf.conf rule for outgoing traffic

2018-12-12 Thread Thuban
* Stuart Henderson on [10-12-2018 18:19:41 +]:
> On 2018-12-07, Thuban  wrote:
> >> * Stuart Henderson on [06-12-2018 13:44:50 +]:
> >> On 2018-12-06, Thuban  wrote:
> >> > * Thuban on [02-12-2018 19:16:09 +0100]:
> >> >> Hi,
> >> >> I need help to write a correct rule in pf.conf.
> >> >> 
> >> >> I want:
> >> >> 
> >> >> A ->  B --> web
> >> >> 
> >> >> A's IP as seen on the web should be B's.
> >> >> 
> >> >> I managed to configure iked on A and B using default pubkeys according
> >> >> to Stuart Henderson's advice.
> >> >> 
> >> >> iked.conf on A : 
> >> >> 
> >> >> ikev2 active ipcomp esp \
> >> >> from 192.168.100.0/16 to 0.0.0.0/0 \
> >> >> peer "xx.xx.xx.xx" \
> >> >> srcid "m...@moria.lan" \
> >> >> dstid "B-hostname.tld" \
> >> >> tag IKED
> >> >> 
> >> >> iked.conf on B : 
> >> >> 
> >> >> ikev2 "warrior" passive esp \
> >> >> from 0.0.0.0/0 to 0.0.0.0/0 \
> >> >> local xx.xx.xx.xx peer any \
> >> >> srcid "B-hostname.tld" \
> >> >> tag IKED
> >> >> 
> >> >> Auth works as expected : 
> >> >> 
> >> >> # iked -vvd
> >> >> ..
> >> >> sa_state: VALID -> ESTABLISHED from xx.xx.xx.xx:4500 to 
> >> >> 192.168.100.122:4500 policy 'policy1'
> >> >> ..
> >> >> 
> >> >> 
> >> >> But I can't reach internet from A through B.
> >> >> 
> >> >> Here is the pf.conf on B (at least a small part of it)
> >> >> 
> >> >> pass out on egress \
> >> >> from any to any tagged IKED \
> >> >> nat-to (egress)
> >> >> 
> >> >> 
> >> >
> >> > I'm still stuck at the same point.
> >> > Can someone give me an example of a working configuration natting to
> >> > the Internet?
> >> 
> >> I used this,
> >> 
> >> pass in on enc0 inet from $some_net
> >> pass out quick on egress inet received-on enc0 nat-to $some_address
> >> 
> >> Also I don't remember what you've already said you checked, but
> >> make sure you have sysctl net.inet.ip.forwarding=1.
> >> 
> >
> > Thank you.
> > Yes, I do have ip.forwarding=1.
> >
> > I'm confused how to replace "$some_address". Isn't it "(egress)" ?
> >
> > Regards.
> >
> >
> 
> It depends on what you want - I was just giving you the working example
> you asked for :-)
> 
> in my case I want to nat to a specific address, and not track the
> address/es on any egress interfaces.
> 
> 

Okay, got it, it works as expected.
Thank you :)
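
A fuller pf.conf fragment for B, built on the two rules Stuart gives above. It is added here as an illustration and is not taken from the thread. The IKE/ESP pass rules are assumptions (B must already allow them somewhere, since the SA comes up); `$vpn_net` has to match the network A's iked.conf actually negotiates (note that a /16 on 192.168.100.0 covers all of 192.168.0.0/16), and `$nat_addr` is whichever address B should present, `(egress)` if pf should follow the egress interface's address.

```conf
# /etc/pf.conf on B (added example, not from the thread)
vpn_net  = "192.168.100.0/24"   # assumed: what A's iked.conf flow covers
nat_addr = "(egress)"           # or a fixed public address, as Stuart uses

set skip on lo

# IKE, NAT-T and ESP from A to B's public address (assumed already present)
pass in on egress proto udp from any to (egress) port { 500 4500 }
pass in on egress proto esp from any to (egress)

# Decrypted traffic from the tunnel shows up on enc0; only accept the
# negotiated source network there
pass in on enc0 inet from $vpn_net

# Forward it to the Internet with B's address. received-on enc0 limits the
# NAT to packets that came out of the tunnel, so neither B's own traffic nor
# anything from other interfaces is rewritten by accident.
pass out quick on egress inet received-on enc0 nat-to $nat_addr
```

The `tagged IKED` rule from the original post never matched because the tag in iked.conf is applied to the IPsec flows, not to the decrypted packets leaving egress; `received-on enc0` selects exactly those packets. Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and confirm `net.inet.ip.forwarding=1` as Stuart reminds above.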



Re: iked : pf.conf rule for outgoing traffic

2018-12-07 Thread Thuban
* Stuart Henderson on [06-12-2018 13:44:50 +]:
> On 2018-12-06, Thuban  wrote:
> > * Thuban on [02-12-2018 19:16:09 +0100]:
> >> Hi,
> >> I need help to write a correct rule in pf.conf.
> >> 
> >> I want:
> >> 
> >> A ->  B --> web
> >> 
> >> A's IP as seen on the web should be B's.
> >> 
> >> I managed to configure iked on A and B using default pubkeys according
> >> to Stuart Henderson's advice.
> >> 
> >> iked.conf on A : 
> >> 
> >>ikev2 active ipcomp esp \
> >>from 192.168.100.0/16 to 0.0.0.0/0 \
> >>peer "xx.xx.xx.xx" \
> >>srcid "m...@moria.lan" \
> >>dstid "B-hostname.tld" \
> >>tag IKED
> >> 
> >> iked.conf on B : 
> >> 
> >>ikev2 "warrior" passive esp \
> >>from 0.0.0.0/0 to 0.0.0.0/0 \
> >>local xx.xx.xx.xx peer any \
> >>srcid "B-hostname.tld" \
> >>tag IKED
> >> 
> >> Auth works as expected : 
> >> 
> >> # iked -vvd
> >> ..
> >> sa_state: VALID -> ESTABLISHED from xx.xx.xx.xx:4500 to 
> >> 192.168.100.122:4500 policy 'policy1'
> >> ..
> >> 
> >> 
> >> But I can't reach internet from A through B.
> >> 
> >> Here is the pf.conf on B (at least a small part of it)
> >> 
> >> pass out on egress \
> >> from any to any tagged IKED \
> >> nat-to (egress)
> >> 
> >> 
> >
> > I'm still stuck at the same point.
> > Can someone give me an example of a working configuration natting to
> > the Internet?
> 
> I used this,
> 
> pass in on enc0 inet from $some_net
> pass out quick on egress inet received-on enc0 nat-to $some_address
> 
> Also I don't remember what you've already said you checked, but
> make sure you have sysctl net.inet.ip.forwarding=1.
> 

Thank you.
Yes, I do have ip.forwarding=1.

I'm confused how to replace "$some_address". Isn't it "(egress)" ?

Regards.



Re: iked : pf.conf rule for outgoing traffic

2018-12-06 Thread Thuban
* Thuban on [02-12-2018 19:16:09 +0100]:
> Hi,
> I need help to write a correct rule in pf.conf.
> 
> I want:
> 
> A ->  B --> web
> 
> A's IP as seen on the web should be B's.
> 
> I managed to configure iked on A and B using default pubkeys according
> to Stuart Henderson's advice.
> 
> iked.conf on A : 
> 
>   ikev2 active ipcomp esp \
>   from 192.168.100.0/16 to 0.0.0.0/0 \
>   peer "xx.xx.xx.xx" \
>   srcid "m...@moria.lan" \
>   dstid "B-hostname.tld" \
>   tag IKED
> 
> iked.conf on B : 
> 
>   ikev2 "warrior" passive esp \
>   from 0.0.0.0/0 to 0.0.0.0/0 \
>   local xx.xx.xx.xx peer any \
>   srcid "B-hostname.tld" \
>   tag IKED
> 
> Auth works as expected : 
> 
> # iked -vvd
> ..
> sa_state: VALID -> ESTABLISHED from xx.xx.xx.xx:4500 to 192.168.100.122:4500 
> policy 'policy1'
> ..
> 
> 
> But I can't reach internet from A through B.
> 
> Here is the pf.conf on B (at least a small part of it)
> 
> pass out on egress \
> from any to any tagged IKED \
> nat-to (egress)
> 
> 

I'm still stuck at the same point.
Can someone give me an example of a working configuration natting to
the Internet?

Regards.



iked : pf.conf rule for outgoing traffic

2018-12-02 Thread Thuban
Hi,
I need help to write a correct rule in pf.conf.

I want:

A ->  B --> web

A's IP as seen on the web should be B's.

I managed to configure iked on A and B using default pubkeys according
to Stuart Henderson's advice.

iked.conf on A : 

ikev2 active ipcomp esp \
from 192.168.100.0/16 to 0.0.0.0/0 \
peer "xx.xx.xx.xx" \
srcid "m...@moria.lan" \
dstid "B-hostname.tld" \
tag IKED

iked.conf on B : 

ikev2 "warrior" passive esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
local xx.xx.xx.xx peer any \
srcid "B-hostname.tld" \
tag IKED

Auth works as expected : 

# iked -vvd
...
sa_state: VALID -> ESTABLISHED from xx.xx.xx.xx:4500 to 192.168.100.122:4500 
policy 'policy1'
...


But I can't reach internet from A through B.

Here is the pf.conf on B (at least a small part of it)

pass out on egress \
from any to any tagged IKED \
nat-to (egress)


I guess the issue is in my pf.conf.
What do you think?
Any advice?

Regards.

-- 
thuban



iked for travelling clients

2018-11-26 Thread Thuban
  ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 
length 64
ikev2_pld_ts: count 2 length 56
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 
endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_pld_ts: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 
endport 65535
ikev2_pld_ts: start :: end :::::::
ikev2_pld_payloads: decrypted payload TSr nextpayload NOTIFY critical 
0x00 length 64
ikev2_pld_ts: count 2 length 56
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 
endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_pld_ts: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 
endport 65535
ikev2_pld_ts: start :: end :::::::
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY 
critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY 
critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type NO_ADDITIONAL_ADDRESSES
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY 
critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type EAP_ONLY_AUTHENTICATION
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 
0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type 
IKEV2_MESSAGE_ID_SYNC_SUPPORTED
sa_stateok: SA_INIT flags 0x, require 0x 
policy_lookup: peerid 'test'
ikev2_msg_auth: responder auth data length 515
ca_setauth: auth length 515
ikev2_sa_negotiate: score 0
ikev2_sa_negotiate: score 4
sa_stateflags: 0x0024 -> 0x0024 certreq,sa (required 0x )
config_free_proposals: free 0x1709115c1a00
config_free_proposals: free 0x17094e007000
ca_getreq: no valid local certificate found
ca_setauth: auth length 256
ikev2_getimsgdata: imsg 20 rspi 0x72e7d26735a1b6e8 ispi 
0x515201836a3a178d initiator 0 sa valid type 0 data length 0
ikev2_dispatch_cert: cert type NONE length 0, ignored
ikev2_getimsgdata: imsg 25 rspi 0x72e7d26735a1b6e8 ispi 
0x515201836a3a178d initiator 0 sa valid type 1 data length 256
ikev2_dispatch_cert: AUTH type 1 len 256
sa_stateflags: 0x0024 -> 0x002c certreq,auth,sa (required 0x )
ikev2_recv: IKE_AUTH request from initiator 176.180.81.105:19761 to 
46.23.92.147:4500 policy 'warrior' id 1, 3536 bytes
ikev2_recv: ispi 0x515201836a3a178d rspi 0x72e7d26735a1b6e8


Any advice, please?



-- 
thuban



Re: smtpd.conf and junk

2018-11-25 Thread Thuban
* Gilles Chehade on [25-11-2018 15:30:20 +0100]:
> On Wed, Nov 21, 2018 at 09:21:46PM +0100, Thuban wrote:
> > * Gilles Chehade on [21-11-2018 21:06:39 +0100]:
> > > On Wed, Nov 21, 2018 at 06:38:43PM +0100, Thuban wrote:
> > > > * Edgar Pettijohn on [21-11-2018 11:32:43 -0600]:
> > > > > 
> > > > > On Nov 21, 2018 8:22 AM, Thuban  wrote:
> > > > > >
> > > > > > Hi,
> > > > > > I can't figure out how to make this "junk" argument work as 
> > > > > > mentioned in the smtpd.conf manpage:
> > > > > >
> > > > > > If the junk argument is provided, the message will be
> > > > > > moved to the Junk folder if it contains a positive X-Spam
> > > > > > header.
> > > > > >
> > > > > >
> > > > > > Spam detected by spamassassin has multiple X-Spam-* headers, but 
> > > > > > isn't placed
> > > > > > into the Junk folder.
> > > > > >
> > > > > > Any advice?
> > > > > >
> > > > > >
> > > > > >
> > > > > > -- 
> > > > > > ?? thuban
> > > > > >
> > > > > It looks for a header matching:
> > > > > 
> > > > > X-Spam: Yes
> > > > > 
> > > > > You may need to configure spamassassin to write it that way. I 
> > > > > believe that the default is different, but I can't check right now.
> > > > > 
> > > > 
> > > > I tried to add this in spamassassin.conf [0] :
> > > > 
> > > > add_header spam X-Spam
> > > > 
> > > > But if you read the link [0] closely, it can't work because 
> > > > spamassassin adds
> > > > headers "X-Spam-something", never "X-Spam": 
> > > > 
> > > > All headers begin with X-Spam- (so a header_name Foo will 
> > > > generate a header called X-Spam-Foo)
> > > > 
> > > > I guess the "junk" keyword in smtpd.conf was written to be handy, so I'm 
> > > > missing
> > > > something. Where?
> > > > 
> > > 
> > > You didn't miss anything, the maildir agent only supports X-Spam headers
> > > as of today so this will need a diff to support SpamAssassin if it can't
> > > generate a X-Spam header.
> > > 
> > 
> > Okay, thanks, I had doubts since English is not my main language.
> > 
> > > SpamAssassin wasn't a target when I wrote that feature but it's just one
> > > diff away ;-)
> > > 
> > 
> > Just need to check "X-Spam-Flag: YES" or "X-Spam-Status: Yes,.*" then.
> > 
> > Just curious, what was the target of that 'junk' feature? rspamd? Another?
> > 
> > Regards.
> > 
> 
> in -current, maildir junk now recognizes X-Spam-Flag: YES

Thank you, I'll give it a try.
For now, I use dovecot + lmtp and sieve for this (a bit too much...)
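
What the maildir "junk" scan does, reduced to a shell function so a configuration can be tried against a real message before relying on it. This is an added example, not OpenSMTPD code: like mail.maildir it only looks at the header block (up to the first empty line) and compares whole lines exactly, which is why "X-Spam-Flag: YES" from SpamAssassin did not match the original "X-Spam: yes" and why a differently cased value will not match either. The two messages are constructed. One caveat the thread does not spell out: the agent trusts the header wherever it came from, so mail that reaches the maildir without passing through spamassassin (the authenticated OUTGOING path in the config above, for instance) carries whatever X-Spam-* headers the sender chose to put there.

```sh
#!/bin/sh
# Added example (not OpenSMTPD code): reproduce the maildir "junk" header
# scan from the thread so a config can be checked against a real message.
# Only the header block is scanned (up to the first empty line) and lines
# are compared whole, exactly as strcmp() does in the diff discussed here.

# Constructed messages: SpamAssassin's marker in the header, and the same
# text only in the body, which must not count.
MSG_SPAM='Return-Path: <sender@example.net>
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mx.example.org
X-Spam-Flag: YES
X-Spam-Level: ***
Subject: test

body'

MSG_BODY_ONLY='Return-Path: <sender@example.net>
Subject: test

X-Spam-Flag: YES
quoted in the body, not a header'

# is_junk HEADERLINE: message on stdin; exit 0 if HEADERLINE occurs verbatim
# in the header block, 1 otherwise. Exact and case-sensitive.
is_junk() {
    awk -v want="$1" '
        /^$/       { exit }
        $0 == want { found = 1; exit }
        END        { exit found ? 0 : 1 }
    '
}

# is_junk_relaxed NAME VALUE: what a more forgiving agent would do. The
# header name is compared case-insensitively (as mail headers are), the
# value after trimming blanks, also case-insensitively. Still header-only.
is_junk_relaxed() {
    awk -v name="$1" -v value="$2" '
        BEGIN { name = tolower(name); value = tolower(value) }
        /^$/  { exit }
        {
            i = index($0, ":")
            if (i == 0) next
            n = tolower(substr($0, 1, i - 1))
            v = tolower(substr($0, i + 1)); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (n == name && v == value) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    '
}
```

Try it with `is_junk "X-Spam-Flag: YES" < /path/to/message; echo $?`. Neither variant handles folded (continued) header lines, and neither does the C code in the diff; a filter that wraps long headers will defeat both.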



Re: mail.maildir junk patches

2018-11-24 Thread thuban
Nice to see such a feature (no need for dovecot).
For now, it's still possible with dovecot, LMTP delivery and a sieve filter [1].

[1] https://wiki.dovecot.org/Pigeonhole/Sieve/Extensions/SpamtestVirustest

On 24 November 2018 at 18:02, "Edgar Pettijohn III" wrote:

> make the junk header customizable like so:
> 
> action "local" maildir junk "X-Spam-Flag: YES"
> 
> Index: mail.maildir.8
> ===
> RCS file: /cvs/src/usr.sbin/smtpd/mail.maildir.8,v
> retrieving revision 1.5
> diff -u -p -u -r1.5 mail.maildir.8
> --- mail.maildir.830 May 2018 12:37:57 -1.5
> +++ mail.maildir.824 Nov 2018 16:58:03 -
> @@ -22,7 +22,7 @@
> .Nd store mail in a maildir
> .Sh SYNOPSIS
> .Nm mail.maildir
> -.Op Fl j
> +.Op Fl j header
> .Op Ar pathname
> .Sh DESCRIPTION
> .Nm
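Review bot: in the SYNOPSIS hunk the new option argument should be marked up as an argument, `.Op Fl j Ar header`, not the bare word `header`; as written mandoc renders it as literal text rather than as a placeholder, unlike `.Op Ar pathname` on the next line.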
> @@ -36,7 +36,9 @@ located in the user's home directory.
> The options are as follows:
> .Bl -tag -width Ds
> .It Fl j
> -Scan message for X-Spam and move to Junk folder if result is positive.
> +Scan message for
> +.Ar header
> +and move to Junk folder if result is positive.
> .El
> .Sh EXIT STATUS
> .Ex -std mail.maildir
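Review bot: the DESCRIPTION hunk rewrites the prose but leaves the tag as `.It Fl j`; now that the option takes a value it should read `.It Fl j Ar header`, and "if result is positive" no longer says anything since the user supplies the whole line: state that the match is an exact comparison of a complete `Name: value` header line, which is what the code does.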
> Index: mail.maildir.c
> ===
> RCS file: /cvs/src/usr.sbin/smtpd/mail.maildir.c,v
> retrieving revision 1.7
> diff -u -p -u -r1.7 mail.maildir.c
> --- mail.maildir.c24 Oct 2018 19:26:23 -1.7
> +++ mail.maildir.c24 Nov 2018 16:58:03 -
> @@ -37,23 +37,25 @@
> 
> static intmaildir_subdir(const char *, char *, size_t);
> static voidmaildir_mkdirs(const char *);
> -static voidmaildir_engine(const char *, int);
> +static voidmaildir_engine(const char *, int, const char *);
> static intmkdirs_component(const char *, mode_t);
> static intmkdirs(const char *, mode_t);
> 
> int
> main(int argc, char *argv[])
> {
> -intch;
> -intjunk = 0;
> +int ch;
> +int junk = 0;
> +char*header = NULL;
> 
> if (! geteuid())
> errx(1, "mail.maildir: may not be executed as root");
> 
> -while ((ch = getopt(argc, argv, "j")) != -1) {
> +while ((ch = getopt(argc, argv, "j:")) != -1) {
> switch (ch) {
> case 'j':
> junk = 1;
> +header = optarg;
> break;
> default:
> break;
> @@ -65,7 +67,7 @@ main(int argc, char *argv[])
> if (argc > 1)
> errx(1, "mail.maildir: only one maildir is allowed");
> 
> -maildir_engine(argv[0], junk);
> +maildir_engine(argv[0], junk, header);
> 
> return (0);
> }
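Review bot: in the getopt hunk `junk` is now redundant with `header != NULL`, and an empty argument (`-j ""`) is accepted silently and can never match; drop `junk` and test `header`, and reject an empty optarg with errx so a broken smtpd.conf shows up at delivery time instead of mail quietly never reaching Junk.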
> @@ -107,7 +109,7 @@ maildir_mkdirs(const char *dirname)
> }
> 
> static void
> -maildir_engine(const char *dirname, int junk)
> +maildir_engine(const char *dirname, int junk, const char *header)
> {
> charrootpath[PATH_MAX];
> charjunkpath[PATH_MAX];
> @@ -182,7 +184,7 @@ maildir_engine(const char *dirname, int
> line[strcspn(line, "\n")] = '\0';
> if (line[0] == '\0')
> in_hdr = 0;
> -if (junk && in_hdr && strcmp(line, "X-Spam: yes") == 0)
> +if (junk && in_hdr && strcmp(line, header) == 0)
> is_junk = 1;
> fprintf(fp, "%s\n", line);
> }
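Review bot: `strcmp(line, header) == 0` is an exact, case-sensitive comparison of the whole line, so `X-Spam-Flag: yes` or extra whitespace after the colon will not match, although header names are case-insensitive in mail; compare the name with strcasecmp up to the colon and trim the value, and note that folded continuation lines are not handled. Worth a sentence in the man page too: the header is trusted wherever it came from, so unless inbound X-Spam* headers are stripped or set by your own filter, a remote sender can add one and have the mail filed as Junk.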
> Index: smtpd.conf.5
> ===
> RCS file: /cvs/src/usr.sbin/smtpd/smtpd.conf.5,v
> retrieving revision 1.206
> diff -u -p -u -r1.206 smtpd.conf.5
> --- smtpd.conf.58 Oct 2018 06:10:17 -1.206
> +++ smtpd.conf.524 Nov 2018 16:58:03 -
> @@ -128,7 +128,7 @@ Optionally,
> might be specified to use the
> recipient email address (after expansion) instead of the
> local user in the LMTP session as RCPT TO.
> -.It Cm maildir Op Ar pathname Op Cm junk
> +.It Cm maildir Op Ar pathname Op Cm junk header
> Deliver the message to the maildir in
> .Ar pathname
> if specified, or by default to
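Review bot: `.Op Cm junk header` should mark the value as an argument, `.Op Cm junk Ar header`, so the rendered synopsis separates the keyword from the user-supplied string the same way `pathname` is marked on that line.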
> @@ -142,7 +142,8 @@ may contain format specifiers that are e
> If the
> .Cm junk
> argument is provided, the message will be moved to the Junk
> -folder if it contains a positive X-Spam header.
> +folder if it contains a positive match for the provided
> +.Ar header .
> .It Cm mbox
> Deliver the message to the user's mbox with
> .Xr mail.local 8 .
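Review bot: "a positive match for the provided header" undersells the semantics; say that the whole header line is compared exactly and case-sensitively and give an example such as `junk "X-Spam-Flag: YES"`, otherwise readers will supply only the header name. Since parse.y in this diff no longer accepts a bare `junk`, the text should also say the argument is mandatory, or document a default.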
> Index: parse.y
> ===
> RCS file: /cvs/src/usr.sbin/smtpd/parse.y,v
> retrieving revision 1.230
> diff -u -p -u -r1.230 parse.y
> --- parse.y8 Nov 2018 13:24:22 -1.230
> +++ parse.y24 Nov 2018 16:58:04 -
> @@ -662,8 +662,8 @@ MBOX {
> | MAILDIR {
> asprintf(>u.local.command, "/usr/libexec/mail.maildir");
> } dispatcher_local_options
> -| MAILDIR JUNK {
> -asprintf(>u.local.command, "/usr/libexec/mail.maildir -j");
> +| MAILDIR JUNK STRING {
> +asprintf(>u.local.command, "/usr/libexec/mail.maildir -j 
> \"%s\"", $3);
> } dispatcher_local_options
> | MAILDIR STRING {
> if (strncmp($2, "~/", 2) == 0)
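Review bot: replacing `MAILDIR JUNK` with `MAILDIR JUNK STRING` removes the argument-less form, so existing configurations such as the `maildir "..." junk` used earlier in this thread stop parsing after an upgrade; keep the old rule with the previous `X-Spam: yes` default. The header string is interpolated into the command line with only surrounding double quotes (`-j \"%s\"`), so a value containing `"` or `\` breaks the quoting; validate or escape `$3` before the asprintf. The asprintf return value is unchecked, as in the rules around it.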
> @@ -673,13 +673,13 @@ MBOX {
> asprintf(>u.local.command,
> "/usr/libexec/mail.maildir \"%s\"", $2);
> } dispatcher_local_options
> -| MAILDIR STRING JUNK {
> +| MAILDIR STRING JUNK STRING{
> if 

Re: smtpd.conf and junk

2018-11-21 Thread Thuban
* Gilles Chehade on [21-11-2018 21:06:39 +0100]:
> On Wed, Nov 21, 2018 at 06:38:43PM +0100, Thuban wrote:
> > * Edgar Pettijohn on [21-11-2018 11:32:43 -0600]:
> > > 
> > > On Nov 21, 2018 8:22 AM, Thuban  wrote:
> > > >
> > > > Hi,
> > > > I can't figure out how to make this "junk" argument work as 
> > > > mentioned in the smtpd.conf manpage:
> > > >
> > > > If the junk argument is provided, the message will be
> > > > moved to the Junk folder if it contains a positive X-Spam
> > > > header.
> > > >
> > > >
> > > > Spam detected by spamassassin has multiple X-Spam-* headers, but 
> > > > isn't placed
> > > > into the Junk folder.
> > > >
> > > > Any advice?
> > > >
> > > >
> > > >
> > > > -- 
> > > > ?? thuban
> > > >
> > > It looks for a header matching:
> > > 
> > > X-Spam: Yes
> > > 
> > > You may need to configure spamassassin to write it that way. I believe 
> > > that the default is different, but I can't check right now.
> > > 
> > 
> > I tried to add this in spamassassin.conf [0] :
> > 
> > add_header spam X-Spam
> > 
> > But if you read the link [0] closely, it can't work because spamassassin adds
> > headers "X-Spam-something", never "X-Spam": 
> > 
> > All headers begin with X-Spam- (so a header_name Foo will generate a 
> > header called X-Spam-Foo)
> > 
> > I guess the "junk" keyword in smtpd.conf was written to be handy, so I'm missing
> > something. Where?
> > 
> 
> You didn't miss anything, the maildir agent only supports X-Spam headers
> as of today so this will need a diff to support SpamAssassin if it can't
> generate a X-Spam header.
> 

Okay, thanks, I had doubts since English is not my main language.

> SpamAssassin wasn't a target when I wrote that feature but it's just one
> diff away ;-)
> 

Just need to check "X-Spam-Flag: YES" or "X-Spam-Status: Yes,.*" then.

Just curious, what was the target of that 'junk' feature? rspamd? Another?

Regards.

-- 
thuban



Re: smtpd.conf and junk

2018-11-21 Thread Thuban
* Edgar Pettijohn on [21-11-2018 11:32:43 -0600]:
> 
> On Nov 21, 2018 8:22 AM, Thuban  wrote:
> >
> > Hi,
> > I can't figure out how to make this "junk" argument work as 
> > mentioned in the smtpd.conf manpage:
> >
> > If the junk argument is provided, the message will be
> > moved to the Junk folder if it contains a positive X-Spam
> > header.
> >
> >
> > Spam detected by spamassassin has multiple X-Spam-* headers, but isn't 
> > placed
> > into the Junk folder.
> >
> > Any advice?
> >
> >
> >
> > -- 
> >     thuban
> >
> It looks for a header matching:
> 
> X-Spam: Yes
> 
> You may need to configure spamassassin to write it that way. I believe that 
> the default is different, but I can't check right now.
> 

I tried to add this in spamassassin.conf [0]:

add_header spam X-Spam

But if you read the link [0] closely, it can't work because spamassassin adds
headers "X-Spam-something", never "X-Spam": 

All headers begin with X-Spam- (so a header_name Foo will generate a 
header called X-Spam-Foo)

I guess the "junk" keyword in smtpd.conf was written to be handy, so I'm missing
something. Where?

Regards.

[0] 
https://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html#basic_message_tagging_options




Re: smtpd.conf and junk

2018-11-21 Thread Thuban
* Gilles Chehade on [21-11-2018 16:31:31 +0100]:
> On Wed, Nov 21, 2018 at 03:22:45PM +0100, Thuban wrote:
> > Hi,
> > I can't figure out how to make this "junk" argument work as 
> > mentioned in the smtpd.conf manpage:
> > 
> > If the junk argument is provided, the message will be
> > moved to the Junk folder if it contains a positive X-Spam
> > header.
> > 
> > 
> > Spam detected by spamassassin has multiple X-Spam-* headers, but isn't 
> > placed
> > into the Junk folder.
> > 
> > Any advice?
> > 
> 
> without seeing examples of these headers and your config, it's hard to
> understand what's incorrect ;-)
> 

Sorry, I thought this was quite common.

A spam has these headers when detected by spamassassin:

X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
ledzep.yeuxdelibad.net
X-Spam-Flag: YES
X-Spam-Level: ***
X-Spam-Status: Yes, score=19.0 required=5.0 tests=BAYES_99,BAYES_999,


Here is my smtpd.conf; incoming mail is analysed by spamassassin
(default configuration).

table aliases file:/etc/mail/aliases
table domains file:/etc/mail/domains
table passwd passwd:/etc/mail/passwd
table virtuals file:/etc/mail/virtuals

pki acmecert key "/etc/ssl/acme/private/yeuxdelibad.net.key"
pki acmecert cert "/etc/ssl/acme/yeuxdelibad.net-fullchain.pem"

## LISTEN ##
# envelopes signed by dkimproxy
listen on lo0 port 10028 tag DKIM
# envelopes checked by spamassassin
listen on lo0 port 10026 tag NOSPAM
# local
listen on lo0
# incoming
listen on egress tls pki acmecert tag INCOMING
# sending
listen on egress port submission tls-require pki acmecert auth <passwd> tag OUTGOING

## ACTIONS ##
action "relay" relay
action dkimproxy relay host smtp://127.0.0.1:10027
action spamassassin relay host smtp://127.0.0.1:10025

action "local_mbox" mbox alias <aliases>
action virtual_maildir maildir "/var/_vmail/%{dest.domain}/%{dest.user}/Maildir" junk virtual <virtuals>

## MATCH ##
match for local action local_mbox

match tag NOSPAM from any for domain <domains> action virtual_maildir
match from any for domain <domains> action spamassassin

match tag DKIM for any action "relay"
match auth tag DKIM from any for any action "relay"

match auth from any for any action dkimproxy
match for any action dkimproxy



smtpd.conf and junk

2018-11-21 Thread Thuban
Hi,
I can't figure out how to make this "junk" argument work as 
mentioned in the smtpd.conf manpage:

If the junk argument is provided, the message will be
moved to the Junk folder if it contains a positive X-Spam
header.


Spam detected by spamassassin has multiple X-Spam-* headers, but isn't placed
into the Junk folder.

Any advice?



-- 
thuban



Re: Permission on virtual user password file [dovecot+smtpd]

2018-11-13 Thread Thuban
Self-answer after some digging [1]. Not sure why I have to specify this. I mean,
what is the group used by dovecot by default?

To make /etc/mail/passwd unreadable by regular users, I did this:


groupadd _maildaemons
usermod -G _maildaemons _smtpd
usermod -G _maildaemons _dovecot

chown root:_maildaemons /etc/mail/passwd
chmod 640 /etc/mail/passwd

In /etc/dovecot/local.conf:

service auth {
user = $default_internal_user
group = _maildaemons
}


Comments?


[1] : https://wiki.dovecot.org/UserIds
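
Two checks worth keeping next to that change, as an added example rather than anything from the thread: that "other" really has no permission bits on the password file, and that the _maildaemons group holds nothing but the two daemon accounts, since every member of that group can read every hash in the file. Both are plain sh/awk so they run on OpenBSD and elsewhere; the `group_members` function takes the group file as an argument so it can be run against the constructed extract below as well as against /etc/group.

```sh
#!/bin/sh
# Added example, not from the thread: audit a shared secret file such as
# /etc/mail/passwd after moving it to root:_maildaemons 0640.

# is_private FILE: true when "other" has no permission bits at all.
# ls -l mode strings look the same on BSD and GNU, unlike stat(1) options.
is_private() {
    mode=$(ls -ld -- "$1" | cut -c1-10) || return 1
    case $mode in
        ???????---) return 0 ;;
        *)          return 1 ;;
    esac
}

# group_members GROUPFILE GROUP: print the group's members, one per line.
group_members() {
    awk -F: -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }
    ' "$1"
}

# unexpected_members GROUPFILE GROUP ALLOWED...: print members that are not
# in ALLOWED. Empty output means only the expected daemons can read the file.
unexpected_members() {
    file=$1; group=$2; shift 2
    allowed=" $* "
    group_members "$file" "$group" | while IFS= read -r m; do
        case $allowed in
            *" $m "*) ;;
            *) printf '%s\n' "$m" ;;
        esac
    done
}

# Constructed /etc/group extract: a stray interactive user slipped into the group.
GROUP_SAMPLE='wheel:*:0:root
_maildaemons:*:1001:_smtpd,_dovecot,thuban
_dovecot:*:518:'
```

On the live system: `is_private /etc/mail/passwd || echo "passwd is readable by others"` and `unexpected_members /etc/group _maildaemons _smtpd _dovecot`, both of which should stay silent. A daily(8) or weekly(8) hook is a reasonable place for them, since a later package update or a hasty `chmod` is the usual way such a file becomes world-readable again.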



Permission on virtual user password file [dovecot+smtpd]

2018-11-13 Thread Thuban
Hi,
I use dovecot and smtpd on my personal mail server.
They both share the same password file.

It works very well, but I'm concerned about permissions on this file:

-rw-r--r--  1 root  wheel passwd

It's world readable. I would like only dovecot and smtpd to be able to read this
file, and no one else.


I tried to set up a _maildaemons group and put the _smtpd and _dovecot users in it,
then:

-rw-r-----  1 root  _maildaemons passwd


Sadly, dovecot can't read the passwd file with this configuration, and I can't
figure out why.

Any advice?


# part of dovecot config 
passdb {
args = scheme=blf-crypt /etc/mail/passwd
driver = passwd-file
}

-- 
thuban



Re: spamd and google smtp ips

2018-10-31 Thread Thuban
* Stuart Henderson on [30-10-2018 23:39:23 +]:
> On 2018-10-30, Chris Narkiewicz  wrote:
> > Hi,
> >
> > I'm configuring spamd and I noticed that when I send an e-mail from 
> > GMail, each time the e-mail is submitted by a different IP address.
> >
> > Here is spamdb output after sending a test email to myself:
> >
> > GREY|209.85.219.182|mail-yb1-f182.google.com|...
> > GREY|209.85.219.177|mail-yb1-f177.google.com|...
> > GREY|209.85.219.176|mail-yb1-f176.google.com|...
> > GREY|209.85.219.172|mail-yb1-f172.google.com|...
> > GREY|209.85.219.180|mail-yb1-f180.google.com|...
> > GREY|209.85.219.175|mail-yb1-f175.google.com|...
> > GREY|209.85.219.173|mail-yb1-f173.google.com|...
> > GREY|209.85.219.179|mail-yb1-f179.google.com|...
> > GREY|209.85.208.46|mail-ed1-f46.google.com|...
> > GREY|209.85.161.52|mail-yw1-f52.google.com|...
> > ... snip ...
> >
> > Of course they are not whitelisted, as each submission
> > attempt is done by a different node and I guess google has A LOT of
> > them. I see 2 issues with that:
> >
> > 1) e-mail delivery takes a lot of time (as google uses exponential 
> > backoff and stops frequent retries after few failures)
> >
> > 2) whitelisted IPs are more likely being expired, as my server is
> > not getting a lot of gmail traffic
> >
> > I suppose different big e-mail providers will
> > have similar issues.
> >
> > I'm also running BGP server to download a whitelist,
> > but it does not contain google servers.
> >
> > Are there any solutions get around this problem? Ideally I'd like
> > to just whitelist reputable mail providers as I see little chance
> > that any spammer will outsmart Google/Yahoo/Microsoft/etc.


To solve this problem, I use two methods : 

## whitelist from bsdly.net (thanks again Peter :)

In /etc/pf.conf

table  persist file "/etc/mail/nospamd"
pass in on egress proto tcp from  to any port smtp

In /etc/weekly.local : 

echo "update nospamd file"
ftp -o /etc/mail/nospamd http://www.bsdly.net/~peter/nospamd


## whitelist from spf walk : 

In /etc/mail/spamd.conf : 


all:\
:nixspam:bgp-spamd:bsdlyblack:whitelist:

...

whitelist:\
:white:\
:method=file:\
:file=/etc/mail/whitelist.txt


In /etc/weekly.local : 

/usr/local/bin/domain-white-spamd

In /usr/local/bin/domain-white-spamd, adjust with the domains you need :

#!/bin/sh
TMP=$(mktemp)

WHITELIST=/etc/mail/whitelist.txt

DOMAINS='outlook.com
gmail.com
google.com
hotmail.com
yahoo.com
yahoo.fr
live.fr
mail-out.ovh.net
mxb.ovh.net
gandi.net
laposte.net
github.com
protonmail.com
'

# smtpctl spf walk prints the address ranges each domain's SPF record allows
for d in $DOMAINS; do
    echo "$d" | smtpctl spf walk >> "$TMP"
done
mv "$TMP" "$WHITELIST"
exit 0




-- 
thuban
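A hardened version of the weekly script above, as an added example that is not the post's script: it walks the same domains, but keeps the existing whitelist when any lookup fails or the result is empty, since the posted script runs `mv "$TMP" "$WHITELIST"` unconditionally and a DNS problem during weekly(8) would publish an empty list and send every mail from those providers back through greylisting. The function name `build_whitelist` and the `WALK` variable are assumptions of this example; `smtpctl spf walk` is the real command from the post, and the test below constructs a fake walker so the logic runs offline.

```shell
#!/bin/sh
# Added example, not the script from the post: rebuild a spamd whitelist from
# SPF walks, but never replace a working list with an empty or partial one.
#
# WALK turns domains on stdin into addresses, one per line: "smtpctl spf walk"
# on OpenBSD. It is a variable so the function can be run against a fake
# walker for testing.
WALK=${WALK:-"smtpctl spf walk"}

# build_whitelist OUTFILE DOMAIN...
#   returns 0 and replaces OUTFILE with the sorted, de-duplicated union of all
#   walks; returns 1 and leaves OUTFILE untouched if any walk failed or the
#   union is empty.
build_whitelist() {
    out=$1
    shift
    tmp=$(mktemp) || return 1
    failed=0
    for d in "$@"; do
        # a failed walk must not silently shrink the list
        if ! printf '%s\n' "$d" | $WALK >> "$tmp"; then
            echo "spf walk failed for $d" >&2
            failed=1
        fi
    done
    if [ "$failed" -ne 0 ] || [ ! -s "$tmp" ]; then
        echo "keeping existing $out" >&2
        rm -f "$tmp"
        return 1
    fi
    # sort -u drops ranges that several providers share (e.g. google.com and gmail.com)
    if ! sort -u "$tmp" > "$tmp.new"; then
        rm -f "$tmp" "$tmp.new"
        return 1
    fi
    mv "$tmp.new" "$out" || { rm -f "$tmp" "$tmp.new"; return 1; }
    rm -f "$tmp"
    # mktemp(1) creates files 0600; the list is not secret, so use the usual 0644
    chmod 644 "$out"
    return 0
}

# usage from /etc/weekly.local (real walker):
#   build_whitelist /etc/mail/whitelist.txt outlook.com gmail.com google.com
```

On failure the function exits non-zero, so the calling line in weekly.local shows up in the daily/weekly report mail instead of the list silently going empty.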



Re: [relayd] set response header for tagged connexion

2018-10-17 Thread Thuban
* tomr  le [17-10-2018 15:37:42 +1100]:
> 
> 
> On 10/17/18 4:14 AM, Thuban wrote:
> > Hi,
> > I want to set a header according to the requested path. The goal is to 
> > increase
> > the cache-control according to file extension.
> > 
> > For now, I have in relayd.conf something like : 
> > 
> > match request path "/*.css" tag "CSS"
> > match tagged "CSS" response header set "Cache-Control" value 
> > "max-age=1814400"
> 
> I think you might want to try moving 'response' left, so the line begins
> 'match response tagged '
> 
> t
> 

That's it, thanks.

Now I have this configuration, if anyone is interested in increasing the cache
on their website : 

match request path "/*.html" tag "HTML"
match request path "/*.css" tag "CACHE"
match request path "/*.js" tag "CACHE"
match request path "/*.atom" tag "CACHE"
match request path "/*.rss" tag "CACHE"
match request path "/*.jpg" tag "CACHE"
match request path "/*.png" tag "CACHE"
match request path "/*.svg" tag "CACHE"
match request path "/*.gif" tag "CACHE"
match request path "/*.ico" tag "CACHE"

match response tagged "CACHE" header set "Cache-Control" value "max-age=1814400"

match response tagged "HTML" header set "Content-Type" value "text/html; charset=UTF-8"


-- 
thuban



[relayd] set response header for tagged connexion

2018-10-16 Thread Thuban
Hi,
I want to set a header according to the requested path. The goal is to increase
the cache-control according to file extension.

For now, I have in relayd.conf something like : 

match request path "/*.css" tag "CSS"
match tagged "CSS" response header set "Cache-Control" value "max-age=1814400"

Of course, there is a syntax error.

Any advice ?


-- 
thuban



[relayd] transparent don't work

2018-09-21 Thread Thuban
I found a partial solution to my problem.
With the following configuration, the source client IP is correctly printed by a
php script (getip.php), but not in httpd logs.

Does anyone have an example with "transparent forward" please ?

relayd.conf : 

http protocol "http" {
tcp { nodelay, sack, socket buffer 65536, backlog 100 }
include "/etc/relayd.proxy.conf"
pass
}

http protocol "https" {
tcp { nodelay, sack, socket buffer 65536, backlog 100 }
include "/etc/relayd.proxy.conf"
tls { \
cipher-server-preference,\
no tlsv1.0\
}
pass

}
relay "www" {
listen on 127.0.0.1 port 8080
protocol "http"
forward to destination
}

relay "wwwtls" {
listen on 127.0.0.1 port 8443 tls
protocol "https"
forward with tls to destination
}

/etc/relayd.proxy.conf: 

return error
match header set "X-Forwarded-For" value "$REMOTE_ADDR"
match header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
match header set "Keep-Alive" value "$TIMEOUT"
match query hash "sessid"

match request header remove "Proxy"
match response header set "Cache-Control" value "max-age=1814400"
match response header set "X-Xss-Protection" value "1; mode=block"
match response header set "Frame-Options" value "SAMEORIGIN"
match response header set "X-Frame-Options" value "SAMEORIGIN"
match response header set "X-Robots-Tag" value "index,nofollow"
match response header set "X-Powered-By" value "Powered with electricity on OpenBSD"
match response header set "X-Permitted-Cross-Domain-Policies" value "none"
match response header set "X-Download-Options" value "noopen"
match response header set "X-Content-Type-Options" value "nosniff"

/etc/pf.conf: 

...
pass in quick on $ext_if proto tcp to port www divert-to 127.0.0.1 port 8080 flags S/SA modulate state
pass in quick on $ext_if proto tcp to port https divert-to 127.0.0.1 port 8443 flags S/SA modulate state

# everything allowed outbound
pass out on $ext_if proto { tcp udp icmp ipv6-icmp } all modulate state 



/etc/httpd.conf: 

listen on * port 80
listen on * tls port 443
hsts preload
tls {
certificate "/etc/ssl/acme/yeuxdelibad.net-fullchain.pem"
key "/etc/ssl/acme/private/yeuxdelibad.net-privkey.pem"
ticket lifetime default
}
...

getip.php:



Re: relayd as transparent proxy

2018-09-21 Thread Thuban
* Stuart Henderson  le [21-09-2018 10:10:03 +]:
> On 2018-09-20, Thuban  wrote:
> > By the way, I'm confused about the "transparent forward" directive in
> > relayd.conf. It doesn't seems to work at all and setting a transparent 
> > proxy is
> > not using this keyword.
> 
> "transparent proxy" used to be common for web proxies meaning "you
> don't need to tell the client to use a proxy" but this is a confusing
> term. squid has got rid of this in favour of the more descriptive
> "interception proxy" now.
> 
> if you want to originate packets using the client's original source
> address you will need to figure out what's wrong with your setup using
> "transparent forward" as that is exactly what you need to use. I've had
> it working before but it *is* awkward.

That's exactly where I'm confused with the man page of relayd.

It is mentioned : 

    forward to destination options ...
        When redirecting connections with a divert-to rule in pf.conf(5)
        to a relay listening on localhost, this directive will look up
        the real destination address of the intended target host,
        allowing the relay to be run as a **transparent proxy.**

That's what I did, but the original source address isn't kept.

The "transparent" directive just doesn't work : 
[transparent] forward [with tls] to address [port port] options ...

I tried relayd listening on port 80 and set up httpd to listen on port 8080. In
relayd.conf : 

transparent forward to 127.0.0.1 port 8080

No success.

Either I misunderstand the manpage, or it is missing some details.

Regards.

thuban



Re: relayd as transparent proxy

2018-09-20 Thread Thuban
my bad, I still don't have the real source IP in my logs (just the local ip
address of my server).

Any advice for a **real** transparent proxy ?



Re: relayd as transparent proxy

2018-09-20 Thread Thuban
I think I found something working, I leave it here for others.
Any advice is still welcome.

By the way, I'm confused about the "transparent forward" directive in
relayd.conf. It doesn't seem to work at all, and setting up a transparent proxy
does not use this keyword.

/etc/relayd.conf : 

http protocol "http" {
tcp { nodelay, sack, socket buffer 65536, backlog 100 }
include "/etc/relayd.proxy.conf"
pass
}

http protocol "https" {
tcp { nodelay, sack, socket buffer 65536, backlog 100 }
include "/etc/relayd.proxy.conf"
tls { \
cipher-server-preference,\
no tlsv1.0\
}
pass

}
relay "www" {
listen on 127.0.0.1 port 8080
protocol "http"
forward to destination
}

relay "wwwtls" {
listen on 127.0.0.1 port 8443 tls
protocol "https"
forward with tls to destination
}

For tls, you need /etc/ssl/127.0.0.1.crt and /etc/ssl/private/127.0.0.1.key
files. Use ln -s to link with your certificate if necessary.

In /etc/httpd.conf, leave this : 

listen on * port 80
listen on * tls port 443
hsts preload
tls {
certificate ...
key ...
}

And finally, in /etc/pf.conf : 

pass in on egress proto tcp to port www divert-to 127.0.0.1 port 8080 \
flags S/SA modulate state
pass in on egress proto tcp to port https divert-to 127.0.0.1 port 8443 \
flags S/SA modulate state

pass out on egress proto tcp all modulate state divert-reply


This way, relayd is a transparent proxy: you can change headers and keep the
original source IP (useful for logs).


regards.



relayd as transparent proxy

2018-09-19 Thread Thuban
Hi,
I'm struggling to configure relayd as a transparent proxy. I can't figure out how to
do so; the manpage only describes a MITM configuration for TLS acceleration.

I thought this tutorial [1] would help, but even following it step by step, I
can't get it to work.

Does anyone have a working example please ?

Thanks.

[1] http://nohair.net/transparent_reverse_proxy.html
-- 
thuban



Re: Cloud-Storage & OpenBSD

2018-09-02 Thread Thuban
* Predrag Punosevac  le [02-09-2018 15:38:40 -0400]:
> > On Sep 2, 2018, at 10:43 AM, Kurtis  wrote:
> > 
> > Hey all,
> > 
> > I'm just wondering if anyone has any suggestions with any Online File
> > Backup Synchronization services?
> > 
> > I used Dropbox for a long time but decided to drop it in favor of
> > pCloud. It's about time to do another annual subscription so I'm
> > looking at options.
> > 
> > I use the same service for backing up photos from my phone, backing up
> > documents from computers, and syncing files between multiple machines
> > (Mac, Windows, and Linux, Android).
> > 
> > Specifically, I'm looking for a service that is compatible with the
> > major operating systems but also has a good client for OpenBSD.
> > 
> > Bonus feature would be the ability to share the service with my family
> > using different accounts.
> > 
> > The ability to generate credentials that can only access certain folders
> > would be  _really_ cool. For example, my machines could generate
> > reports and store them in my sync'd service so I could simplify
> > viewing them from any machine.
> > 
> > Thanks!


net/syncthing

-- 
thuban



Re: nvi and unicode

2018-07-13 Thread Thuban
Thanks for the enlightenment.

* Predrag Punosevac  le [13-07-2018 10:06:19 -0400]:
> On July 13 2018 Thuban wrote:
> > 
> > Default vi (nvi) in OpenBSD doesn't handle correctly most of UTF-8
> > signs such as "é", "à" or so. One needs to install
> > nvi package to do so.
> > Is it planned to replace the vi binary in the future?
> > Is there any reason I can't think to keep this vi version?
> > 
> > Regards.
> > -- 
> > thuban
> 
> If you read
> 
> https://en.wikipedia.org/wiki/Nvi
> 
> you should have noticed the following paragraph
> 
> "BSD projects continue to use nvi version 1.79 due to licensing
> differences between Berkeley Database 1.85 and the later versions by
> Sleepycat Software."
> 
> So the answer is no. nvi in the base of OpenBSD is further cleaned from
> bugs beyond once upon a time common code. bcallah@ could shed more light
> on the work on nvi from the base. Obviously if you need UTF-8 support
> you have a choice of using package or two switching to DragonFly BSD
> which has nvi2 in its base.
> 
> Cheers,
> Predrag 
> 

-- 
thuban



nvi and unicode

2018-07-13 Thread Thuban
Default vi (nvi) in OpenBSD doesn't handle correctly most of UTF-8
signs such as "é", "à" or so. One needs to install the nvi package to do so.
Is it planned to replace the vi binary in the future?
Is there any reason I can't think to keep this vi version?

Regards.
-- 
thuban



USB power management

2018-06-12 Thread Thuban
Hi,
this might look as a stupid question, but I'm stuck and don't know where
to look at this point.
How would you disable a USB port?
I would like to power off a USB drive (flashing blue LED at night) but
keep it plugged, and power on when I need it.

Any advice?

Regards.
-- 
thuban



dovecot confusing default ssl configuration

2018-06-07 Thread Thuban
I think this is since 6.3.
When installing the dovecot package, a few files are created.
The problem is that /etc/dovecot/conf.d/10-ssl.conf contains : 

ssl_cert = 

httpd match pattern issue

2018-05-24 Thread Thuban
Hello,
I need to redirect some URLS with httpd. As example : 

/test/?d=2018/05/02/13/14/50-some-title

Must be redirected to /2018/05/02/some-title

My problem is that "?" is never matched.

Here is the pattern I use : 

location match "^/test/%?d=(%d%d%d%d/%d%d/%d%d)/%d%d/%d%d/%d%d%-(%g+)$" {
block return 301 "/%1/%2"
}


Any advice?
After many tests, it seems that the only problem is the "?"

thanks.

-- 
thuban



Re: Custom bsd.rd to include auto_install.conf

2018-02-23 Thread Thuban
Great, everything is in. Thank you.
For the record, the relevant function is :

uo_addfile() {
    local dest=${1}
    local src=${2}
    local vnd_n=0

    [ -r "${WRKDIR}/bsd.rd" ] || uo_err 2 "uo_addfile: no bsd.rd in WRKDIR"
    [ -r "${src}" ] || uo_err 1 "file not found: ${src}"

    uo_verbose "adding response file: ${dest}: ${src}"

    # extract ramdisk from bsd.rd
    elfrdsetroot -x "${WRKDIR}/bsd.rd" "${WRKDIR}/ramdisk"

    # create mountpoint
    mkdir "${WRKDIR}/ramdisk.d"

    # prepare ramdisk for mounting: take the first free vnd(4) device
    while ! uo_priv vnconfig "vnd${vnd_n}" "${WRKDIR}/ramdisk"; do
        vnd_n=$(( vnd_n + 1 ))

        [[ ${vnd_n} -gt 4 ]] && \
            uo_err 1 "no more vnd device available"
    done

    # mount ramdisk
    if ! uo_priv mount -o noperm "/dev/vnd${vnd_n}a" "${WRKDIR}/ramdisk.d"; then
        uo_priv vnconfig -u "vnd${vnd_n}" || true

        uo_err 1 "unable to mount: /dev/vnd${vnd_n}a"
    fi

    # copy the file
    if ! uo_priv install -m 644 -o root -g wheel -- \
        "${src}" "${WRKDIR}/ramdisk.d/${dest}"; then

        uo_priv umount "/dev/vnd${vnd_n}a" || true
        uo_priv vnconfig -u "vnd${vnd_n}" || true

        uo_err 1 "unable to copy: ${src}: ramdisk.d/${dest}"
    fi

    # umount vndX
    if ! uo_priv umount "/dev/vnd${vnd_n}a" ; then
        uo_priv vnconfig -u "vnd${vnd_n}" || true

        uo_err 1 "unable to umount: /dev/vnd${vnd_n}a"
    fi

    # unconfigure vndX
    if ! uo_priv vnconfig -u "vnd${vnd_n}" ; then
        uo_err 1 "unable to unconfigure: vnd${vnd_n}"
    fi

    # mountpoint cleanup (ensure it is empty)
    rmdir "${WRKDIR}/ramdisk.d"

    # put ramdisk back in bsd.rd
    elfrdsetroot "${WRKDIR}/bsd.rd" "${WRKDIR}/ramdisk"
}


* Wesley MOUEDINE ASSABY <wes...@e-solutions.re> le [23-02-2018 17:05:11 +0400]:
> Try 'upobsd' tool
> (http://ports.su/sysutils/upobsd)
> (https://maly.io/@semarie)
> 
> /Wesley
> 
> 
> Le 2018-02-23 17:01, Thuban a écrit :
> > As mentioned in autoinstall(8),
> > """
> > If either /auto_install.conf or /auto_upgrade.conf is found on bsd.rd's
> > built-in RAM disk, autoinstall behaves as if the machine is netbooted,
> > but uses the local response file.
> > """
> > 
> > I would like to build a custom bsd.rd to include auto_install.conf file.
> > 
> > Do you have any advice for this ?
> > I found some tutorials for 5.7 [1], so quite outdated, and can't go
> > through
> > the entire process.
> > 
> > Regards.
> > 
> > [1] : http://mouedine.net/reinstall57/

-- 
thuban


signature.asc
Description: PGP signature


Custom bsd.rd to include auto_install.conf

2018-02-23 Thread Thuban
As mentioned in autoinstall(8), 
"""
If either /auto_install.conf or /auto_upgrade.conf is found on bsd.rd's
built-in RAM disk, autoinstall behaves as if the machine is netbooted,
but uses the local response file.
"""

I would like to build a custom bsd.rd to include auto_install.conf file.

Do you have any advice for this ?
I found some tutorials for 5.7 [1], so quite outdated, and can't go through
the entire process.

Regards.

[1] : http://mouedine.net/reinstall57/

-- 
thuban


signature.asc
Description: PGP signature


Re: Flask app with chrooted httpd

2018-02-12 Thread Thuban
I forgot the link, my bad:

[1] : http://www.hydrus.org.uk/journal/openbsd-httpd.html


signature.asc
Description: PGP signature


Flask app with chrooted httpd

2018-02-12 Thread Thuban
Hi,
Did anyone use httpd to serve a flask app (python)?
I found this [1], but it's a little outdated (python < 3) and makes me
wonder about safety, because of all those dependencies copied in the chroot.

Any advice ?

Regards

-- 
    thuban



Re: roundcube and enigma [PGP]

2018-02-03 Thread Thuban
* Thuban <thu...@yeuxdelibad.net> le [03-02-2018 18:38:27 +0100]:
> * jul <jul@localhost> le [03-02-2018 12:47:19 +0100]:
> > Thuban <thu...@yeuxdelibad.net> wrote:
> > 
> > > I can't figure exactly how to configure it with httpd chroot, even after
> > > copying gpg binaries in chroot.
> > 
> > Hello Thuban
> > 
> > To know what to copy in the chroot, ldd(1) is your friend.
> 
> thanks, it works as expected now.
> 
> For the record : 
> 
>   cd /var/www
>   mkdir -p usr/local/lib
>   mkdir -p usr/local/bin
>   mkdir -p usr/lib
>   mkdir -p usr/libexec
>   mkdir dev
> 
>   # create /dev/null
>   mknod dev/null c 1 3
>   chmod 666 dev/null
>   chown -R www:daemon dev/
> 
>   # copy files
>   for i in $(ldd /usr/local/bin/gpg2 | awk '{if(NR>2)print $7}'); do cp $i $(echo $i | cut -d'/' -f2); done
>   for i in $(ldd /usr/local/bin/gpg-agent | awk '{if(NR>2)print $7}'); do cp $i $(echo $i | cut -d'/' -f2); done
>   # pinentry if required
>   cp /usr/local/bin/pinentry usr/local/bin/
> 
>   cd plugins/enigma
>   cp config.inc.php.dist config.inc.php
>   #comment location of gpg binary


well, it almost works.

GPG complains that it can't access any entropy : 

GPG: ERROR: gpg: Fatal: no entropy gathering module detected

Any idea ?

Creating dev/urandom doesn't help.

-- 
thuban


signature.asc
Description: PGP signature
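The "for the record" recipe in this thread copies each object ldd(1) lists into the chroot, and the Flask question above raises the same worry about what ends up copied. The following is an added example, not code from the thread: `ldd_paths` parses ldd output and `install_into_chroot` copies each object to the same directory under the chroot root, so ld.so finds `/usr/lib/libc.so.92.3` at `/var/www/usr/lib/libc.so.92.3` rather than flattened into `/var/www/usr/` as `cut -d'/' -f2` in the posted loop would do. The function names and the `SAMPLE_LDD` text (constructed in OpenBSD's ldd format, with made-up addresses and library versions) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: copy a binary and the shared
# objects ldd(1) reports into a chroot while keeping their directories.
#
# SAMPLE_LDD is constructed ldd(1) output in OpenBSD's format (addresses and
# versions are made up) so the parser can be exercised without running ldd.
SAMPLE_LDD='/usr/local/bin/gpg2:
        Start            End              Type  Open Ref GrpRef Name
        00000a1b2c3d0000 00000a1b2c3d7000 exe   2    0   0      /usr/local/bin/gpg2
        00000a1c00000000 00000a1c00100000 rlib  0    1   0      /usr/local/lib/libgcrypt.so.21.0
        00000a1d00000000 00000a1d00200000 rlib  0    1   0      /usr/lib/libc.so.92.3
        00000a1e00000000 00000a1e00010000 ld.so 0    1   0      /usr/libexec/ld.so'

# ldd_paths: reads ldd output on stdin, prints one absolute object path per
# line (the binary itself included), skipping the two header lines.
ldd_paths() {
    awk 'NR > 2 && NF >= 7 { print $7 }'
}

# install_into_chroot ROOT PATH...: copies each absolute PATH to ROOT/PATH,
# creating the directory first. Relative paths are refused, since they would
# land somewhere ld.so never looks.
install_into_chroot() {
    root=$1
    shift
    for p in "$@"; do
        case $p in
            /*) ;;
            *) echo "not an absolute path: $p" >&2; return 1 ;;
        esac
        mkdir -p "$root$(dirname "$p")" || return 1
        cp -p "$p" "$root$p" || return 1
    done
    return 0
}

# chroot_install_deps ROOT BINARY: the two pieces above glued to ldd(1),
# e.g. chroot_install_deps /var/www /usr/local/bin/gpg2
# (exit inside the loop ends the pipeline's subshell with status 1)
chroot_install_deps() {
    ldd "$2" | ldd_paths | while read -r p; do
        install_into_chroot "$1" "$p" || exit 1
    done
}
```

Running `chroot_install_deps /var/www /usr/local/bin/gpg2` and the same for gpg-agent replaces the two `for` loops in the post; the `mknod dev/null` and pinentry steps are unchanged. What this copies is exactly the list ldd prints, which is also the list to review when deciding whether that many objects belong inside the web server's chroot.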


Re: roundcube and enigma [PGP]

2018-02-03 Thread Thuban
* jul <jul@localhost> le [03-02-2018 12:47:19 +0100]:
> Thuban <thu...@yeuxdelibad.net> wrote:
> 
> > I can't figure exactly how to configure it with httpd chroot, even after
> > copying gpg binaries in chroot.
> 
> Hello Thuban
> 
> To know what to copy in the chroot, ldd(1) is your friend.

thanks, it works as expected now.

For the record : 

cd /var/www
mkdir -p usr/local/lib
mkdir -p usr/local/bin
mkdir -p usr/lib
mkdir -p usr/libexec
mkdir dev

# create /dev/null
mknod dev/null c 1 3
chmod 666 dev/null
chown -R www:daemon dev/

# copy files: skip ldd's two header lines, $7 is the object path;
# keep each object's directory under the chroot (/usr/lib/libc.so -> usr/lib/libc.so)
for i in $(ldd /usr/local/bin/gpg2 | awk '{if(NR>2)print $7}'); do
    mkdir -p "$(dirname "${i#/}")" && cp "$i" "${i#/}"
done
for i in $(ldd /usr/local/bin/gpg-agent | awk '{if(NR>2)print $7}'); do
    mkdir -p "$(dirname "${i#/}")" && cp "$i" "${i#/}"
done
# pinentry if required
cp /usr/local/bin/pinentry usr/local/bin/

cd plugins/enigma
cp config.inc.php.dist config.inc.php
# comment location of gpg binary



roundcube and enigma [PGP]

2018-02-03 Thread Thuban
Hi,
Did anyone use enigma plugin with roundcube hosted on OpenBSD to deal
with GPG?
I can't figure exactly how to configure it with httpd chroot, even after
copying gpg binaries in chroot.

Regards
-- 
thuban



Re: gzip compression and httpd/relayd

2018-01-29 Thread Thuban
* Stuart Henderson <s...@spacehopper.org> le [29-01-2018 08:14:03 +]:
> On 2018-01-28, Thuban <thu...@yeuxdelibad.net> wrote:
> >  
> >> Yes it's possible. Make sure to set the appropriate HTTP headers as well
> >> with relayd: read "Accept-Encoding" and if it's acceptable set
> >> "Content-Encoding".
> >
> > Indeed, it works.
> >
> > relayd.conf : 
> >
> > match response header "Accept-Encoding" value "gzip"
> > match response header set "Content-Encoding" value "gzip"
> >
> > Then : 
> >
> > cd /var/www/htdocs/site
> > gzip style.css && mv style.css.gz style.css
> >
> > Now, open URL pointing to style.css, and here you go.
> >
> > However, all your files must be gzipped, or the browser is unhappy.
> >
> > Thanks a lot.
> >
> >
> 
> Fun hack, but it's going to break for a browser that doesn't support gzip.
> Also it's a nice trap for the next admin that comes along (which may be your
> future self :)

The fun part comes when you trap script kiddies with gzip bomb: 

- Create a bomb : `dd if=/dev/zero bs=1M count=10240 | gzip > surprise.html`
(yeah, this is not html, but bots don't care)
- In html code, put something like: Do NOT follow this link or you will have problems!

- In relayd.conf : 

match request header "Accept-Encoding" value "gzip"
match request path "/surprise.html"
match response header set "Content-Encoding" value "gzip"

A bot fetching "surprise.html" will see CPU usage increasing, too bad...

Regards.


signature.asc
Description: PGP signature


Re: gzip compression and httpd/relayd

2018-01-28 Thread Thuban
 
> Yes it's possible. Make sure to set the appriopriate HTTP headers aswell
> with relayd: read "Accept-Encoding" and if it's acceptable set
> "Content-Encoding".

Indeed, it works.

relayd.conf : 

match response header "Accept-Encoding" value "gzip"
match response header set "Content-Encoding" value "gzip"

Then : 

cd /var/www/htdocs/site
gzip style.css && mv style.css.gz style.css

Now, open URL pointing to style.css, and here you go.

However, all your files must be gzipped, or the browser is unhappy.

Thanks a lot.



Re: gzip compression and httpd/relayd

2018-01-27 Thread Thuban
Thank you for all answers, very interesting.
I'll try to compress some files on my own, we'll see.

Regards
-- 
thuban


signature.asc
Description: PGP signature


gzip compression and httpd/relayd

2018-01-25 Thread Thuban
I'm very happy with relayd + httpd.
Relayd deals with headers and httpd serve files.

I know httpd doesn't have gzip compression.

1. Do you know if it's planned in the future?
2. Does anyone has a workaround to advise?

regards

-- 
thuban



Re: Re-compute bsd checksum

2018-01-16 Thread Thuban
* Sterling Archer <deb...@gmail.com> le [16-01-2018 21:35:56 +0100]:
> On Tue, Jan 16, 2018 at 9:08 PM, Thuban <thu...@yeuxdelibad.net> wrote:
> > I disabled `ulpt` in the kernel using `config` to use an USB-printer.
> >
> > Now, at reboot, I see "kernel relinking failed" message.
> > How to recreate the new checksum? I can't figure out where to find this
> > information.
> >
> > Any advice?
> >
> > Regards.
> >
> > --
> > thuban
> 
> sha256 /bsd > /var/db/kernel.SHA256
> 

thanks!


signature.asc
Description: PGP signature


Re-compute bsd checksum

2018-01-16 Thread Thuban
I disabled `ulpt` in the kernel using `config` to use an USB-printer.

Now, at reboot, I see "kernel relinking failed" message.
How to recreate the new checksum? I can't figure out where to find this
information.

Any advice?

Regards.

-- 
thuban


signature.asc
Description: PGP signature


Re: Community-driven OpenBSD tutorials wiki?

2018-01-04 Thread Thuban
> Before I go and create anything - are there already a place similar to what
> I'm describing, where I could get myself involved? (I'm too junior to start
> suggesting changes and updates to the docs on OpenBSD.org, and I'm not sure
> they should be used for what I want to achieve.)

yes, see here : https://wiki.obsd4a.net/doku.php

It's mainly in french, but I don't know what is your favourite language.

regards
-- 
thuban


signature.asc
Description: PGP signature


Re: PATCH: cwm move window to {top,bottom}{left,right} corners

2017-11-30 Thread Thuban
t; +  */
> + xine = screen_area(sc,
> + cc->geom.x + cc->geom.w / 2,
> + cc->geom.y + cc->geom.h / 2, CWM_GAP);
> +
> + flags = cargs->flag;
> +
> + switch (flags) {
> + case CWM_TOP_LEFT:
> +  cc->geom.x = xine.x;
> +  cc->geom.y = xine.y;
> +  client_move(cc);
> +  break;
> + case CWM_BOTTOM_LEFT:
> +  cc->geom.x = xine.x;
> +  cc->geom.y = xine.y + xine.h - cc->geom.h - cc->bwidth * 2;
> +  client_move(cc);
> +  break;
> + case CWM_TOP_RIGHT:
> +  cc->geom.x = xine.x + xine.w - cc->geom.w - cc->bwidth * 2;
> +  cc->geom.y = xine.y;
> +  client_move(cc);
> +  break;
> + case CWM_BOTTOM_RIGHT:
> +  cc->geom.x = xine.x + xine.w - cc->geom.w - cc->bwidth * 2;
> +  cc->geom.y = xine.y + xine.h - cc->geom.h - cc->bwidth * 2;
> +  client_move(cc);
> +  break;
> + default:
> +  warnx("invalid flags passed to kbfunc_client_move_edge");
>   }
>  }
>  
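Review bot: every case of the switch ends with the same `client_move(cc); break;`, so the hunk would be shorter and harder to get wrong if the cases only set `cc->geom.x` and `cc->geom.y` and a single `client_move(cc);` followed the switch, with the `default:` branch returning right after its `warnx` so an invalid flag never moves the window. The right and bottom offsets, `xine.x + xine.w - cc->geom.w - cc->bwidth * 2` and `xine.y + xine.h - cc->geom.h - cc->bwidth * 2`, are each written twice as well and could be computed once before the switch.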

-- 
thuban


signature.asc
Description: PGP signature


[rspamd and smtpd] (was: the whole greylisting, spam filtering thing)

2017-10-01 Thread Thuban
By the way, does anyone has some instructions to use rspamd with the
default smtpd ?

Regards.

-- 
thuban



relayd transparent don't work

2017-09-20 Thread Thuban
Hi,
I'm using relayd to check headers before serving my website with httpd.

I need to keep in httpd's logs the client IP address. So I try to use
the "transparent" keyword in relayd.conf, but in this case, relayd
doesn't work and I can't reach httpd.

Here is the **not working** relayd relevant configuration : 

relay "tlsforward" {
listen on $ext_ip port 443 tls
protocol "https"
transparent forward to  port 8443 check tcp
}


here is the **working without transparent** relayd.conf : 

table  { 127.0.0.1 }
ext_ip = 192.168.1.66

http protocol "http" {
tcp { nodelay, sack, socket buffer 65536, backlog 100 }
match response header set "Cache-Control" value "max-age=1814400"
match request header remove "Proxy"
match response header set "X-Xss-Protection" value "1; mode=block"
match response header set "Frame-Options" value "SAMEORIGIN"
match response header set "X-Frame-Options" value "SAMEORIGIN"
return error
}
relay "www" {
listen on $ext_ip port 80
protocol "http"
forward to 127.0.0.1 port 8080
}

http protocol "https" {
tcp { nodelay, sack, socket buffer 65536, backlog 100 }
match response header set "Cache-Control" value "max-age=1814400"
match request header remove "Proxy"
match response header set "X-Xss-Protection" value "1; mode=block"
match header append "X-Forwarded-For" \
value "$REMOTE_ADDR"
match header append "X-Forwarded-By" \
value "$SERVER_ADDR:$SERVER_PORT"
return error
pass
tls { no client-renegotiation, cipher-server-preference }
}

relay "tlsforward" {
listen on $ext_ip port 443 tls
protocol "https"
forward to  port 8443 check tcp
}


Any advice?

Regards



httpd and gzip

2017-08-30 Thread Thuban
Hi,
since this thread [1] is now older than two years, is there any plan to have
gzip compression in httpd ? 

[1] https://marc.info/?l=openbsd-misc=142402749002617=2

regards.
-- 
thuban


signature.asc
Description: PGP signature


DNSSEC solution

2017-08-15 Thread Thuban
Hi
since we have nsd and unbound included in base, I was wondering what
tool you use to deal with DNSSEC and sign your zone ?
I use zkt, but your advices would be nice.

Regards
-- 
thuban


signature.asc
Description: PGP signature


Re: Libreoffice calc crash

2017-08-09 Thread Thuban
> I'm running -current snapshot dated Thu Aug  3 12:12:07 MDT 2017 with
> libreoffice-5.2.7.2p5v0 and have been doing some heavy work in Calc for the
> last hour without any issues.
> 

Good to know it seems ok on the next snapshot. (I'm on -stable on this
machine).

> What exactly you mean by "write changes" and "validate"; just typing values
> in a cell and pressing Enter to finish your entry? Does it happen on a
> blank spreadsheet?

Just typing values in a cell and finishing the entry, yes.

It doesn't happen in blank spreadsheet, only when I modify a cell.

> Do you have the user account set to the "staff" class, or somehow assigning
> it a high datasize limit in login.conf?

Yes, I run libreoffice with this user.

-- 
thuban


signature.asc
Description: PGP signature


Libreoffice calc crash

2017-08-08 Thread Thuban
, 1200, 1000, 800 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Core 2G Host" rev 0x09
inteldrm0 at pci0 dev 2 function 0 "Intel HD Graphics 3000" rev 0x09
drm0 at inteldrm0
inteldrm0: msi
inteldrm0: 1600x900, 32bpp
wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
"Intel 6 Series MEI" rev 0x04 at pci0 dev 22 function 0 not configured
puc0 at pci0 dev 22 function 3 "Intel 6 Series KT" rev 0x04: ports: 1 
com
com4 at puc0 port 0 apic 2 int 19: ns16550a, 16 byte fifo
com4: probed fifo depth: 0 bytes
em0 at pci0 dev 25 function 0 "Intel 82579LM" rev 0x04: msi, address 
f0:de:f1:76:50:7b
ehci0 at pci0 dev 26 function 0 "Intel 6 Series USB" rev 0x04: apic 2 
int 16
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev 
2.00/1.00 addr 1
azalia0 at pci0 dev 27 function 0 "Intel 6 Series HD Audio" rev 0x04: 
msi
azalia0: codecs: Conexant CX20590, Intel/0x2805, using Conexant CX20590
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 "Intel 6 Series PCIE" rev 0xb4: msi
pci1 at ppb0 bus 2
ppb1 at pci0 dev 28 function 1 "Intel 6 Series PCIE" rev 0xb4: msi
pci2 at ppb1 bus 3
iwn0 at pci2 dev 0 function 0 "Intel Centrino Advanced-N 6205" rev 
0x34: msi, MIMO 2T2R, MoW, address a0:88:b4:c2:47:10
ppb2 at pci0 dev 28 function 3 "Intel 6 Series PCIE" rev 0xb4: msi
pci3 at ppb2 bus 5
ppb3 at pci0 dev 28 function 4 "Intel 6 Series PCIE" rev 0xb4: msi
pci4 at ppb3 bus 13
xhci0 at pci4 dev 0 function 0 "NEC xHCI" rev 0x04: msi
usb1 at xhci0: USB revision 3.0
uhub1 at usb1 configuration 1 interface 0 "NEC xHCI root hub" rev 
3.00/1.00 addr 1
ehci1 at pci0 dev 29 function 0 "Intel 6 Series USB" rev 0x04: apic 2 
int 23
usb2 at ehci1: USB revision 2.0
uhub2 at usb2 configuration 1 interface 0 "Intel EHCI root hub" rev 
2.00/1.00 addr 1
pcib0 at pci0 dev 31 function 0 "Intel QM67 LPC" rev 0x04
ahci0 at pci0 dev 31 function 2 "Intel 6 Series AHCI" rev 0x04: msi, 
AHCI 1.3
ahci0: port 0: 6.0Gb/s
ahci0: port 1: 1.5Gb/s
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0: <ATA, Samsung SSD 850, EMT0> SCSI3 
0/direct fixed naa.5002538d41e6d54d
sd0: 238475MB, 512 bytes/sector, 488397168 sectors, thin
cd0 at scsibus1 targ 1 lun 0: <Optiarc, DVD RW AD-7930H, 1.D1> ATAPI 
5/cdrom removable
ichiic0 at pci0 dev 31 function 3 "Intel 6 Series SMBus" rev 0x04: apic 
2 int 18
iic0 at ichiic0
spdmem0 at iic0 addr 0x50: 4GB DDR3 SDRAM PC3-10600 SO-DIMM
spdmem1 at iic0 addr 0x51: 4GB DDR3 SDRAM PC3-10600 SO-DIMM
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
wsmouse1 at pms0 mux 0
pms0: Synaptics touchpad, firmware 7.2
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
aps0 at isa0 port 0x1600/31
vmm0 at mainbus0: VMX/EPT
uhub3 at uhub0 port 1 configuration 1 interface 0 "Intel Rate Matching 
Hub" rev 2.00/0.00 addr 2
umass0 at uhub3 port 2 configuration 1 interface 0 "Norelsys NS1068" 
rev 2.10/1.00 addr 3
umass0: using SCSI over Bulk-Only
scsibus2 at umass0: 2 targets, initiator 0
sd1 at scsibus2 targ 1 lun 0: <ATA, HITACHI HTS72323, B70B> SCSI4 
0/direct fixed serial.253710683456789ABCDE
sd1: 305245MB, 512 bytes/sector, 625142448 sectors
ugen0 at uhub3 port 4 "Broadcom Corp Broadcom Bluetooth Device" rev 
2.00/7.48 addr 4
uvideo0 at uhub3 port 6 configuration 1 interface 0 "Chicony 
Electronics Co., Ltd. Integrated Camera" rev 2.00/7.52 addr 5
video0 at uvideo0
uhidev0 at uhub1 port 3 configuration 1 interface 0 "Genesys Logic USB 
Mouse" rev 1.10/1.00 addr 2
uhidev0: iclass 3/1
ums0 at uhidev0: 3 buttons, Z dir
wsmouse2 at ums0 mux 0
uhub4 at uhub2 port 1 configuration 1 interface 0 "Intel Rate Matching 
Hub" rev 2.00/0.00 addr 2
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
sd2 at scsibus4 targ 1 lun 0: <OPENBSD, SR CRYPTO, 006> SCSI2 0/direct 
fixed
sd2: 238472MB, 512 bytes/sector, 488391473 sectors
root on sd2a (4764b1057435753d.a) swap on sd2b dump on sd2b


-- 
thuban



Re: Can I use OpenBSD in a virtual machine, for example, VirtualBox?

2017-06-26 Thread Thuban
* SOUL_OF_ROOT 55  le [26-06-2017 18:18:41 -0300]:
> Can I use OpenBSD in a virtual machine, for example, VirtualBox?

yes


signature.asc
Description: PGP signature


spamassassin filtering problem

2017-05-13 Thread Thuban
Hello,
I was using spamassassin+smtpd for a while and everything worked as
expected. Now I added support for more than one domain and incoming mails
are locked into a loop; I can't figure out why.

Here is my /etc/mail/smtpd.conf 


table aliases file:/etc/mail/aliases
table virtuals file:/etc/mail/virtuals
table domains file:/etc/mail/domains

pki certsssl key "/etc/ssl/acme/private/mydomain.net-privkey.pem"
pki certsssl certificate "/etc/ssl/acme/mydomain.net-fullchain.pem"
ca certsssl certificate "/etc/ssl/acme/mydomain.net-fullchain.pem"


listen on lo0 port 10028 tag DKIM   
listen on lo0 port 10026 tag NOSPAM
listen on lo0

listen on re0 port smtp tls pki certsssl
listen on re0 port submission tls-require pki certsssl auth 

accept from local for local alias  deliver to maildir 
"~/Maildir"

accept tagged NOSPAM for domain  virtual  deliver to 
maildir "/mnt/bigstorage/vmail/%{dest.domain}/%{dest.user}/Maildir"
accept from any for domain  relay via smtp://127.0.0.1:10025

accept tagged DKIM for any relay
accept from local for any relay via smtp://127.0.0.1:10027


table virtuals contains : 
us...@mydomain.net user1
us...@otherdomain.net user2

and table domains contains : 

mydomain.net
otherdomain.net


In logs, I can see such messages

May 13 08:10:39 master smtpd[22622]: 9d2709d2fddd9a03 smtp 
event=message address=127.0.0.1 host=localhost msgid=f23a6ab6 
from= to= size=4665 ndest=1 proto=ESMTP
May 13 08:10:39 master smtpd[22622]: 9d2709d115477347 mta 
event=delivery evpid=2fc2606678f20fd0 from= 
to= rcpt=<-> source="127.0.0.1" relay="127.0.0.1 
(localhost)" delay=1s result="Ok" stat="250 2.0.0: f23a6ab6 Message accepted 
for delivery"
May 13 08:10:39 master spampd[11644]: processing message 
<20170513054818.gg33...@openbsd.my.domain> for  
ORCPT=rfc822;t...@yeuxdelibad.net 
May 13 08:10:40 master spampd[11644]: clean message 
<20170513054818.gg33...@openbsd.my.domain> (1.19/5.00) from  
for  ORCPT=rfc822;t...@yeuxdelibad.net in 0.68s, 4764 
bytes. 
May 13 08:10:40 master smtpd[22622]: 9d2709d2fddd9a03 smtp 
event=message address=127.0.0.1 host=localhost msgid=cb35fe0a 
from= to= size=4828 ndest=1 proto=ESMTP
May 13 08:10:40 master smtpd[22622]: 9d2709d115477347 mta 
event=delivery evpid=f23a6ab6dbaeb160 from= 
to= rcpt=<-> source="127.0.0.1" relay="127.0.0.1 
(localhost)" delay=1s result="Ok" stat="250 2.0.0: cb35fe0a Message accepted 
for delivery"
May 13 08:10:40 master spampd[11644]: processing message 
<20170513054818.gg33...@openbsd.my.domain> for  
ORCPT=rfc822;t...@yeuxdelibad.net 
May 13 08:10:41 master spampd[11644]: clean message 
<20170513054818.gg33...@openbsd.my.domain> (1.19/5.00) from  
for  ORCPT=rfc822;t...@yeuxdelibad.net in 0.67s, 4931 
bytes. 
May 13 08:10:41 master smtpd[22622]: 9d2709d2fddd9a03 smtp 
event=message address=127.0.0.1 host=localhost msgid=994ab936 
from= to= size=4991 ndest=1 proto=ESMTP



Please, any advice is welcome.

Regards.

-- 


Mail server with many users

2017-05-06 Thread Thuban
Hello,
according to recent discussion on the list, I was wondering how you set
up a mail server with smtpd with a lot of users.

Regards.
-- 


Re: torrent downloads

2017-04-27 Thread Thuban
> yes, but unlike those distros the openbsd installers aren't measured in
> gigabytes.
> 

Of course, the point doesn't apply to miniroot* but to installxx.xx.
It doesn't remove the problem of long downloads for some, and possible
server bandwidth issues.
Using miniroot* still requires downloading files from a mirror, and
using its bandwidth.
The torrent "idea" here is only relevant for big files, and doesn't
remove the need to check SHA256 as usual.

> The site mentioned by OP (http://openbsd.somedomain.net) is up to date,
> and has the torrents mentioned.
> 

Indeed it is. 
I've been fooled as the first entry is for OpenBSD **6.0 alpha**...
Moreover, as it's not listed in official mirrors, it's harder to trust.



torrent downloads

2017-04-27 Thread Thuban
Hello,
I was wondering if there is any particular reason explaining why there
is no torrent file to retrieve OpenBSD *.fs and *.iso. 

I've been looking on the list and only found this site that doesn't
seem up to date [1].

If the reason is a lack of human resources, I think I can handle it.

Regards.

[1] : http://openbsd.somedomain.net/
-- 


Re: [relayd] keep origin IP in logs

2017-04-09 Thread Thuban
* Hiltjo Posthuma <hil...@codemadness.org> le [09-04-2017 14:06:48 +0200]:
> On Sun, Apr 09, 2017 at 11:30:37AM +, Stuart Henderson wrote:
> > On 2017-04-09, Thuban <thu...@yeuxdelibad.net> wrote:
> > > * Hiltjo Posthuma <hil...@codemadness.org> le [09-04-2017 11:42:23 +0200]:
> > >> On Sat, Apr 08, 2017 at 08:48:43PM +0200, Thuban wrote:
> > >> > Hello,
> > >> > I use relayd to deal with HTTP headers as suggested here [1].
> > >> > My problem is that in httpd logs, the origin IP is 127.0.0.1 and that's
> > >> > not very handy to track bruteforce attacks (in example).
> > >> > 
> > >> > Do you have any advice to keep the visitor IP in logs ?
> > >> > 
> > >> > [1] : 
> > >> > https://github.com/reyk/httpd/wiki/Using-relayd-to-add-Cache-Control-headers-to-httpd-traffic
> > >> > -- 
> > >> > :thuban:
> > >> > 
> > >> 
> > >> It's commonly done by adding a X-Forwarded-For header with the origin IP.
> > >> 
> > >> From the relayd.conf(5) man page:
> > >> 
> > >>http protocol "https" {
> > >>match header append "X-Forwarded-For" \
> > >>value "$REMOTE_ADDR"
> > >>match header append "X-Forwarded-By" \
> > >>value "$SERVER_ADDR:$SERVER_PORT"
> > 
> > "append" isn't good here, you don't want to trust whatever the client
> > sends in headers.
> > 
> 
> Good point! I've send a relayd.conf(5) patch for this to tech@.
 
That's right indeed. The man page may have an alert on this.

So, transparent relay is what I need. Does anyone have a working
example ? 
Just adding the "transparent" keyword doesn't work for me, the client
never accesses httpd.

Regards

-- 
:thuban:



Re: [relayd] keep origin IP in logs

2017-04-09 Thread Thuban
* Hiltjo Posthuma <hil...@codemadness.org> le [09-04-2017 11:42:23 +0200]:
> On Sat, Apr 08, 2017 at 08:48:43PM +0200, Thuban wrote:
> > Hello,
> > I use relayd to deal with HTTP headers as suggested here [1].
> > My problem is that in httpd logs, the origin IP is 127.0.0.1 and that's
> > not very handy to track bruteforce attacks (in example).
> > 
> > Do you have any advice to keep the visitor IP in logs ?
> > 
> > [1] : 
> > https://github.com/reyk/httpd/wiki/Using-relayd-to-add-Cache-Control-headers-to-httpd-traffic
> > -- 
> > :thuban:
> > 
> 
> Hey,
> 
> It's commonly done by adding a X-Forwarded-For header with the origin IP.
> 
> From the relayd.conf(5) man page:
> 
>http protocol "https" {
>match header append "X-Forwarded-For" \
>value "$REMOTE_ADDR"
>match header append "X-Forwarded-By" \
>value "$SERVER_ADDR:$SERVER_PORT"
> 
>... snip snip ...
>}
> 

That's exactly what I use, but it doesn't seem to work :

# snip from httpd logs
test.yeuxdelibad.net 127.0.0.1 - - [09/Apr/2017:11:47:54 +0200] "GET / HTTP/1.0" 200 0



Here is my full relayd.conf.


I tried to use the "transparent" keyword but the relay fails in this case.


# cat /etc/relayd.conf
table  { 127.0.0.1 }
ext_ip = 192.168.1.2

http protocol "http" {
    tcp { nodelay, sack, socket buffer 65536, backlog 100 }
    match response header set "Cache-Control" value "max-age=1814400"
    match request header remove "Proxy"
    match response header set "X-Xss-Protection" value "1; mode=block"
    match response header set "Frame-Options" value "SAMEORIGIN"
    match response header set "X-Frame-Options" value "SAMEORIGIN"
    match header append "X-Forwarded-For" \
        value "$REMOTE_ADDR"
    match header append "X-Forwarded-By" \
        value "$SERVER_ADDR:$SERVER_PORT"
    return error
}
relay "www" {
    listen on $ext_ip port 80
    protocol "http"
    forward to  port 8080 check tcp
}


Regards.

-- 
:thuban:
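Stuart's objection earlier in this thread and the `match header append "X-Forwarded-For"` lines in the relayd.conf posted just above come down to the same point: with `append`, a client that sends its own X-Forwarded-For header keeps that value, and relayd only tacks `$REMOTE_ADDR` on after it, so anything that reads the first address in the header is trusting client input. The fragment below is an added example, not part of the thread or of relayd's own documentation; it rewrites only the header rules of the posted protocol and assumes the same layout (httpd on 127.0.0.1 port 8080, reachable only through relayd):

```conf
# Added example, not from the thread: the header rules of the posted
# "http" protocol with "append" replaced by "set".  Assumes httpd listens
# on 127.0.0.1 port 8080 behind this relay, as in the posted config.

http protocol "http" {
    tcp { nodelay, sack, socket buffer 65536, backlog 100 }

    # Weak (as posted): "append" keeps any X-Forwarded-For the client
    # supplied and only adds $REMOTE_ADDR after it, so the first address
    # in the header is whatever the client chose to send.
    #match header append "X-Forwarded-For" value "$REMOTE_ADDR"

    # Corrected: "set" replaces the header whether or not it arrived with
    # the request, so it always carries the address relayd accepted the
    # TCP connection from.  "request" limits the rule to client headers.
    match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header set "X-Forwarded-By" \
        value "$SERVER_ADDR:$SERVER_PORT"

    # Client-supplied proxy headers are never passed through unchanged.
    match request header remove "Proxy"

    return error
}

relay "www" {
    listen on $ext_ip port 80
    protocol "http"
    forward to 127.0.0.1 port 8080 check tcp
}
```

Because `set` overwrites the header, the address httpd sees is always the peer relayd accepted. That is only trustworthy while httpd cannot be reached directly from outside, which the posted setup guarantees by binding it to 127.0.0.1. Newer httpd releases can log that header with `log style forwarded` in httpd.conf; that keyword is assumed here and is not mentioned in the thread.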



[relayd] keep origin IP in logs

2017-04-08 Thread Thuban
Hello,
I use relayd to deal with HTTP headers as suggested here [1].
My problem is that in httpd logs, the origin IP is 127.0.0.1 and that's
not very handy to track bruteforce attacks (in example).

Do you have any advice to keep the visitor IP in logs ?

[1] : 
https://github.com/reyk/httpd/wiki/Using-relayd-to-add-Cache-Control-headers-to-httpd-traffic
-- 
:thuban:



Re: Install fail on Latitude E64460 : disk not recognised

2017-04-04 Thread Thuban
* lawgi...@nym.hush.com <lawgi...@nym.hush.com> le [03-04-2017 13:52:20 -0700]:
> On 4/3/2017 at 1:31 PM, "Thuban" <thu...@yeuxdelibad.net> wrote:
> >I try to help a friend installing OpenBSD on a Dell Latitude E6440.
> >It seems the disk (SSD) isn't recognised, only the USB stick is 
> >found by
> >the installer, even with the last snapshot.
> 
> Is your situation perhaps similar to the one here?
> 
> https://marc.info/?l=openbsd-misc=149083706402019=2
> 

That was exactly the issue.
compatibility/AHCI/RAID is disabled and everything works as expected.

Thank you very much.
-- 
:thuban:



Install fail on Latitude E64460 : disk not recognised

2017-04-03 Thread Thuban
Hello,
I'm trying to help a friend install OpenBSD on a Dell Latitude E6440.
It seems the disk (SSD) isn't recognised, only the USB stick is found by
the installer, even with the last snapshot.
You can see the dmesg and installer output as screenshots below. (yes,
it's not ideal but that is the best I could ask via mail).

https://clbin.com/lRWaSs.jpeg
https://clbin.com/bsJGm7.jpeg
https://clbin.com/ddgY4d.jpeg
https://clbin.com/BkaCiG.jpeg
https://clbin.com/ji8jtn.jpeg
https://clbin.com/DGBVtl.jpeg
https://clbin.com/OR6ZBu.jpeg

Do you have any advice?

Regards.
--
:thuban:

[demime 1.01d removed an attachment of type application/pgp-signature which had 
a name of signature.asc]



build libtorrent fail

2017-02-13 Thread Thuban
Hello,
I try again to build libtorrent [1].
I can't get ./configure to find the boost-python library.

The .configure file has been modified like this :

- CXXFLAGS="$CXXFLAGS -ftemplate-depth=120"
+ CXXFLAGS="$CXXFLAGS"

Then, I try to build like this :

export LDFLAGS="-L /usr/lib -L/usr/local/lib"
export CXXFLAGS="-I /usr/include -I/usr/local/include"

./configure \
--with-boost=/usr/local/ \
--with-boost-system=boost_system-mt \
--enable-python-binding \
--with-boost-python=boost_python-mt \
--disable-static \
--enable-dht \
--enable-pool-allocators \
--with-libiconv \
--disable-debug

Here is the error message :

checking for Python include path... -I/usr/local/include/python3.6m
checking for Python library path... -L/usr/local/lib -lpython3.6m
checking for Python site-packages path...
/usr/local/lib/python3.6/site-packages
checking python extra libraries... -lintl -lpthread  -lutil -lm
checking python extra linking flags... -Wl,--export-dynamic
checking consistency of all components of python development
environment... yes
checking whether the Boost::Python library is available... no
configure: error: Boost.Python library not found. Try using
--with-boost-python=lib.

You may find the full ./configure log here : http://pastebin.com/Ac4SkrEG


Any advice ?

Regards.

[1] : http://libtorrent.org/

--
/Thuban/




Re: relayd and letsencrypt certificates

2017-02-11 Thread Thuban
* trondd <tro...@kagu-tsuchi.com> le [10-02-2017 12:32:36 -0500]:
> On Fri, February 10, 2017 11:48 am, Thuban wrote:
> > Hello,
> > I can't figure out how to use letsencrypt certificates with relayd. I keep
> > getting this error :
> >
> > # relayd -vvv -n
> > /etc/relayd.conf:33: cannot load certificates for relay tlsforward
> >
> >
> > My relayd.conf :
> >
> > # cat /etc/relayd.conf
> > table  { 127.0.0.1 }
> > ext_ip = 192.168.1.66
> >
> > http protocol "https" {
> > tcp { nodelay, sack, socket buffer 65536, backlog 100 }
> > match response header set "Cache-Control" value "max-age=1814400"
> > return error
> > pass
> > tls { no client-renegotiation, cipher-server-preference }
> > tls ca key "/etc/letsencrypt/certificates/privkey.pem" password ""
> > tls ca cert "/etc/letsencrypt/certificates/cert.pem"
> > }
> >
> >
> > relay "tlsforward" {
> > listen on $ext_ip port 443 tls
> > protocol "https"
> > forward to  port 8443 mode loadbalance check tcp
> > }
> >
> >
> >
> > Do you see any error or have any advice?
> >
> > Regards.
> >
> > thuban
> >
>
> 'ca key' and 'ca cert' is for MITM roll your own certs on the fly.
>
> For server certs, like a web server would have, you don't specify them.
> relayd looks for address:port.key and address:port.crt as per the 'listen
> on' description in relayd.conf(5)

Ok, it works as expected now. I created symlinks to
/etc/ssl/private/address.key
and for address.crt.

Thank you.




relayd and letsencrypt certificates

2017-02-10 Thread Thuban
Hello,
I can't figure out how to use letsencrypt certificates with relayd. I keep
getting this error : 

# relayd -vvv -n
/etc/relayd.conf:33: cannot load certificates for relay tlsforward


My relayd.conf : 

# cat /etc/relayd.conf
table  { 127.0.0.1 }
ext_ip = 192.168.1.66

http protocol "https" {
tcp { nodelay, sack, socket buffer 65536, backlog 100 }
match response header set "Cache-Control" value "max-age=1814400"
return error
pass
tls { no client-renegotiation, cipher-server-preference }
tls ca key "/etc/letsencrypt/certificates/privkey.pem" password ""
tls ca cert "/etc/letsencrypt/certificates/cert.pem"
}


relay "tlsforward" {
listen on $ext_ip port 443 tls
protocol "https"
forward to  port 8443 mode loadbalance check tcp
}



Do you see any error or have any advice?

Regards.

thuban



Re: installXX.fs build

2017-01-29 Thread Thuban
* Jiri B <ji...@devio.us> le [27-01-2017 17:01:17 -0500]:
> On Fri, Jan 27, 2017 at 08:29:08PM +0100, Thuban wrote:
> > Hi,
> >
> > Just by curiosity, I was wondering how the installXX.fs file is built?
>
> https://github.com/openbsd/src/blob/master/distrib/amd64/iso/Makefile#L9
>
> j.

Thanks.




installXX.fs build

2017-01-27 Thread Thuban
Hi,

Just by curiosity, I was wondering how the installXX.fs file is built?

Regards.
--
/Thuban/




Re: Custom installation iso

2017-01-03 Thread Thuban
* Stuart Henderson <s...@spacehopper.org> le [31-12-2016 21:08:13 +]:
> On 2016-12-31, Thuban <thu...@yeuxdelibad.net> wrote:
> > Hello,
> > I currently use customized install60.iso images with site60.tgz set. It
> > works quite well, but I need to include in site60.tgz set some packages.
> >
> > For now, I used pkg_add in a rc.firsttime script, but it requires an
> > internet access at first boot, and it's not handy.
> >
> > Do you have any advice to include packages with dependencies in an
> > install cd ?
>
> You can use siteXX.tgz to create a directory containing the tgz files
> for the packages you need (include the "quirks" package too). You probably
> still want to do the installation from rc.firsttime, you can do something
> like "PKG_PATH=/path/to/pkgs/ pkg_add [...]".
>

This last solution is great. I just had to write a script to find all
the dependencies of each package, but once it's done, everything works as
expected.

Thanks.

Regards

--
/Thuban/




Custom installation iso

2016-12-31 Thread Thuban
Hello,
I currently use customized install60.iso images with site60.tgz set. It
works quite well, but I need to include in site60.tgz set some packages.

For now, I used pkg_add in a rc.firsttime script, but it requires an
internet access at first boot, and it's not handy.

Do you have any advice to include packages with dependencies in an
install cd ?

regards.

thuban




Re: Slow wifi

2016-11-10 Thread Thuban
* George Pediaditis <g.pediaditis1...@gmail.com> le [10-11-2016 23:43:20 +0200]:
> thanks for the reply. I will try it next week when i have more time.
> If that doesnt work im thinking if its possible to go from current
> back to stable. If i try current and i have problems. It looks
> possible but it isnt in FAQ
> https://www.openbsd.org/faq/faq5.html#Flavors
> im wondering if im missing something.

No, I don't think that's possible. It's safer to do a clean install of
-release .

--
/Thuban/




Re: pf rule for openvpn

2016-10-25 Thread Thuban
* Thuban <thu...@yeuxdelibad.net> le [25-10-2016 10:41:27 +0200]:
> > # tcpdump -e -ttt -ni pflog0 action block
> >
> > You will be able to see what exactly is being blocked :)
> >

Okay, I'm just too stupid. I can access the wwweb through my VPN. I just
can't ping, which is not a problem and seems logical according to my
pf.conf.

Sorry for the noise.

Regards.
--
/Thuban/




Re: pf rule for openvpn

2016-10-25 Thread Thuban
> # tcpdump -e -ttt -ni pflog0 action block
>
> You will be able to see what exactly is being blocked :)
>
That's my problem, nothing seems blocked; tcpdump returns nothing about
my requests to reach the outside web.
I'm stuck.

Please find below my full pf.conf in case I missed something :

ext_if = "re0"                       # interface
tun_if = "tun0"                      # vpn
ssh_port = ""                        # ssh port
http_ports = "{ www https }"         # http(s) ports
mail_ports = "{ submission imaps }"  # mail ports
tcp_pass = "{ gopher ipp 8000 }"     # open tcp ports
udp_pass = "{ 1194 }"                # open udp ports
set block-policy drop                # block silently
set skip on lo                       # no filtering on loopback
set limit table-entries 40

## tables for the nasty bruteforcers
table  persist
table  persist
table  persist

# antispam with greylisting
table  persist
table  persist file "/etc/mail/nospamd"
table  persist

## Packet processing ##
match in all scrub (no-df)  # partial packets
block in quick from urpf-failed

## Firewall rules ##
# block everything by default
block log all

# block blacklisted IPs
block in log quick proto tcp from  to any port $http_ports
block in log quick proto tcp from  to any port $ssh_port

# antispam
pass in on $ext_if proto tcp from any to any port smtp \
    divert-to 127.0.0.1 port spamd
pass in on $ext_if proto tcp from  to any port smtp
pass in on $ext_if proto tcp from  to any port smtp
pass in quick on $ext_if proto tcp from  to any port smtp

# If more than 3 connections every 60 seconds on the ssh port,
# add the IP to block it.
pass in on $ext_if proto tcp to any port $ssh_port flags S/SA keep state \
    (max-src-conn-rate 5/60, overload  flush global)

# If more than 50 connections every 5 seconds on the http(s) ports,
# or if it tries to connect more than 100 times,
# add the IP to block it.
pass in on $ext_if proto tcp to any port $http_ports flags S/SA keep state \
    (max-src-conn-rate 50/5, overload  flush)

# bruteforce protection for mail
pass in on $ext_if proto tcp to any port $mail_ports flags S/SA keep state \
    (max-src-conn-rate 10/60, overload  flush global)

# allow ping
pass quick inet6 proto ipv6-icmp all icmp6-type { echoreq, unreach }
pass quick inet proto icmp all icmp-type { echoreq, unreach }

# open the other ports
pass in quick on $ext_if proto tcp to any port $tcp_pass keep state
pass in quick on $ext_if proto udp to any port $udp_pass keep state

# vpn
pass in quick on $tun_if keep state
pass out on $ext_if from 10.8.0.0/24 to any nat-to ($ext_if)

# everything open outbound
pass out on $ext_if proto { tcp udp icmp } all modulate state


Regards


--
/Thuban/




Re: pf rule for openvpn

2016-10-24 Thread Thuban
* Predrag Punosevac <punoseva...@gmail.com> le [23-10-2016 20:18:27 -0400]:
> Op 23-10-2016 om 17:01 schreef Thuban:
> > Hi,
> > I have an openvpn server running and working, but can't
> > go "outside" the server to access the web.
> >
> > To configure the server, I followed this :
> > http://2f30.org/guides/openvpn.html
> >
> > So ip forwarding is active, vpn port is open, clients can connect to
> the
> > vpn. But they can't access wwweb.
> >
> > I guess the problem comes from this pf rule :
> >
> > pass out on $ext_if from 10.8.0.0/24 to any nat-to ($ext_if)
> >
> > I've been on this issue for too many hours to have a clear mind on
> this.
> > Any advice to find why I'm stuck on the server?
> >
> > Regards.
> >
> >
>
> Hi,
>
> I saw your e-mail this morning but I had no idea what to make out of it
> as I am confused about your network topology. I was also not impressed
> that you were following some howto from the internet. Both PF and
> OpenVPN are well documented. Grab the books and read it.
>

The link to the howto was to avoid long explanations. Anyway, here is
some more information. I'm pretty sure I'm wrong to redirect packets.

What I want is this :

 VPN
Clients -> Server -> Web

simply.

openvpn configuration :

dev tun0
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 80.67.169.12"
push "redirect-gateway def1"

ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/private/server.key
dh /etc/openvpn/dh.pem
crl-verify /etc/openvpn/crl.pem

daemon openvpn
group _openvpn
user _openvpn
keepalive 10 120
management 127.0.0.1 1195 /etc/openvpn/private/mgmt.pwd
max-clients 100
persist-key
persist-tun
port 1194
proto udp
comp-lzo

client-cert-not-required
username-as-common-name
script-security 3 system
auth-user-pass-verify /usr/local/libexec/openvpn_bsdauth via-env
auth-nocache

log-append  /var/log/openvpn/openvpn.log
status /var/log/openvpn/openvpn-status.log
verb 3


/etc/pf.conf :

ext_if = "re0"                       # interface
ssh_port = ""                        # ssh port
http_ports = "{ www https }"         # http(s) ports
mail_ports = "{ submission imaps }"  # mail ports
tcp_pass = "{ gopher ipp 8000 }"     # open tcp ports
udp_pass = "{ 1194 }"                # open udp ports
set block-policy drop                # block silently
set skip on lo                       # no filtering on loopback
set limit table-entries 40

## tables for the nasty bruteforcers
table  persist
table  persist
table  persist

# antispam with greylisting
table  persist
table  persist file "/etc/mail/nospamd"
table  persist

## Packet processing ##
match in all scrub (no-df)  # partial packets
block in quick from urpf-failed

## Firewall rules ##
# block everything by default
block log all

# block blacklisted IPs
block in log quick proto tcp from  to any port $http_ports
block in log quick proto tcp from  to any port $ssh_port

# antispam
pass in on $ext_if proto tcp from any to any port smtp \
    divert-to 127.0.0.1 port spamd
pass in on $ext_if proto tcp from  to any port smtp
pass in on $ext_if proto tcp from  to any port smtp
pass in quick on $ext_if proto tcp from  to any port smtp

# If more than 3 connections every 60 seconds on the ssh port,
# add the IP to block it.
pass in on $ext_if proto tcp to any port $ssh_port flags S/SA keep state \
    (max-src-conn-rate 5/60, overload  flush global)

# If more than 50 connections every 5 seconds on the http(s) ports,
# or if it tries to connect more than 100 times,
# add the IP to block it.
pass in on $ext_if proto tcp to any port $http_ports flags S/SA keep state \
    (max-src-conn-rate 50/5, overload  flush)

# bruteforce protection for mail
pass in on $ext_if proto tcp to any port $mail_ports flags S/SA keep state \
    (max-src-conn-rate 10/60, overload  flush global)

# allow ping
pass quick inet6 proto ipv6-icmp all icmp6-type { echoreq, unreach }
pass quick inet proto icmp all icmp-type { echoreq, unreach }

# open the other ports
pass in quick on $ext_if proto tcp to any port $tcp_pass keep state
pass in quick on $ext_if proto udp to any port $udp_pas

Re: pf rule for openvpn

2016-10-23 Thread Thuban
* obsd <o...@vanwesten.net> le [23-10-2016 21:13:19 +0200]:
> Op 23-10-2016 om 17:01 schreef Thuban:
> > Hi,
> > I have an openvpn server running and working, but can't
> > go "outside" the server to access the web.
> >
> > To configure the server, I followed this :
> > http://2f30.org/guides/openvpn.html
> >
> > So ip forwarding is active, vpn port is open, clients can connect to the
> > vpn. But they can't access wwweb.
> >
> > I guess the problem comes from this pf rule :
> >
> > pass out on $ext_if from 10.8.0.0/24 to any nat-to ($ext_if)
> >
> > I've been on this issue for too many hours to have a clear mind on this.
> > Any advice to find why I'm stuck on the server?
> >
> > Regards.
> >
> >
> How about a rule that permits tunnel traffic to go out? How about a rule
> that permits the traffic to come in on the tunnel?
>

Here are the relevant parts of my pf.conf :

ext_if = "re0"
tcp_pass = "{ gopher ipp 8000 }"
udp_pass = "{ 1194 }"

pass in quick on $ext_if proto tcp to any port $tcp_pass keep state
pass in quick on $ext_if proto udp to any port $udp_pass keep state

pass out on $ext_if from 10.8.0.0/24 to any nat-to $ext_if

pass out on $ext_if proto { tcp udp icmp } all modulate state


Traffic comes in $ext_if on port 1194. There, it goes in the tunnel.
The nat-to directive forwards the traffic to $ext_if, which is supposed
to go out.

I feel I miss something here... :/

--
/Thuban/




pf rule for openvpn

2016-10-23 Thread Thuban
Hi,
I have an openvpn server running and working, but can't
go "outside" the server to access the web.

To configure the server, I followed this :
http://2f30.org/guides/openvpn.html

So ip forwarding is active, vpn port is open, clients can connect to the
vpn. But they can't access wwweb.

I guess the problem comes from this pf rule :

pass out on $ext_if from 10.8.0.0/24 to any nat-to ($ext_if)

I've been on this issue for too many hours to have a clear mind on this.
Any advice to find why I'm stuck on the server?

Regards.




php and W^X

2016-09-02 Thread Thuban
Hello,
It seems that php-7.0 requires wxallowed.
I don't like the idea to "wxallow" the whole /usr/local.

Do you have any advice?

Regards
--
/Thuban/




Security updates and packages

2016-08-19 Thread Thuban
Hello,
I was wondering if packages for -release would be fixed if a security
issue is found in one of these third party programs, which could be
updated with pkg_add -u.

Or does someone have to stay up to date and use ports to upgrade each
single package on his system to follow -stable? (with the risk of missing
the latest news about a tiny library...). This is what the FAQ makes me
wonder, but just to be sure.

Regards.

--
/Thuban/




Re: php7.0 fail on stable

2016-08-18 Thread Thuban
* Frank Groeneveld <frank+openbsd-m...@frankgroeneveld.nl> le [18-08-2016 22:07:07 +0200]:
> On Thu, Aug 18, 2016 at 09:09:38PM +0200, Thuban wrote:
> > Hello,
> > I was trying to build php7.0 with ports, but it fails (see configure
> > failure below).
> >
> > I'm running on 5.9 with stable patches (for both ports and src of
> > course).
> >
> > It seems that configure doesn't recognise the "--with-apxs" option.
>
> It's missing a dependency, see this thread:
> http://marc.info/?t=14605309296=1=2
>
> This should be fixed in 6.0, but for 5.9 you can work around it by
> installing apache-httpd before compiling php.
>
> Frank


Thanks!




php7.0 fail on stable

2016-08-18 Thread Thuban
Hello,
I was trying to build php7.0 with ports, but it fails (see configure
failure below).

I'm running on 5.9 with stable patches (for both ports and src of
course).

It seems that configure doesn't recognise the "--with-apxs" option.



===>  Configuring for php-7.0.2
Using /usr/ports/pobj/php-7.0.2/config.site (generated)
/usr/bin/perl /usr/ports/infrastructure/bin/pkg_subst
-DMODPHP_CONFIG_PATH=/var/www/conf -DSV=70 -DPV=7.0 -D^MODULE_NAME=
-DMACHINE_ARCH=amd64 -DARCH=amd64 -DHOMEPAGE=http://www.php.net/
-D^PREFIX=/usr/local -D^SYSCONFDIR=/etc -DFLAVOR_EXT= -DFULLPKGNAME=php-7.0.2
-DMAINTAINER=Robert\ Nagy\ \<rob...@openbsd.org\> -D^BASE_PKGPATH=lang/php/7.0
-D^LOCALBASE=/usr/local -D^X11BASE=/usr/X11R6 -D^TRUEPREFIX=/usr/local
-D^RCDIR=/etc/rc.d -D^LOCALSTATEDIR=/var -i -B /usr/ports/pobj/php-7.0.2
/usr/ports/pobj/php-7.0.2/php-7.0.2/main/php_ini.c
configure: WARNING: unrecognized options: --enable-sqlite-utf8,
--with-apxs, --enable-zend-multibyte, --enable-fastcgi, --with-t1lib,
--enable-ucd-snmp-hack, --disable-silent-rules, --disable-gtk-doc
configure: loading site script /usr/ports/pobj/php-7.0.2/config.site
checking for grep that handles long lines and -e... (cached)
/usr/bin/grep
checking for egrep... (cached) /usr/bin/egrep
checking for a sed that does not truncate output... (cached) /usr/bin/sed
checking build system type... x86_64-unknown-openbsd5.9
checking host system type... x86_64-unknown-openbsd5.9
checking target system type... x86_64-unknown-openbsd5.9
shtool:echo:Warning: unable to determine terminal sequence for bold mode
shtool:echo:Warning: unable to determine terminal sequence for bold mode
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... (cached) o
checking whether we are using the GNU C compiler... (cached) yes
checking whether cc accepts -g... (cached) yes
checking for cc option to accept ISO C89... none needed
checking how to run the C preprocessor... cc -E
checking for icc... no
checking for suncc... no
checking whether cc understands -c and -o together... yes
checking how to run the C preprocessor... cc -E
checking for ANSI C header files... (cached) yes
checking for sys/types.h... (cached) yes
checking for sys/stat.h... (cached) yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking for memory.h... (cached) yes
checking for strings.h... (cached) yes
checking for inttypes.h... (cached) yes
checking for stdint.h... (cached) yes
checking for unistd.h... (cached) yes
checking minix/config.h usability... no
checking minix/config.h presence... no
checking for minix/config.h... no
checking whether it is safe to define __EXTENSIONS__... yes
checking whether ln -s works... yes
checking for system library directory... lib
checking whether to enable runpaths... no
checking if compiler supports -R... yes
checking for gawk... (cached) awk
checking if awk is broken... no
checking for bison... yacc
checking for bison version... invalid
configure: WARNING: This bison version is not supported for regeneration
of the Zend/PHP parsers (found: none, min: 204, excluded: ).
checking for re2c... re2c
checking for re2c version... 0.15.3 (ok)
checking whether to enable computed goto gcc extension with re2c... no
checking whether to force non-PIC code in shared modules... no
checking whether /dev/urandom exists... yes
checking whether /dev/arandom exists... yes
checking for global register variables support... no
checking for pthreads_cflags...
checking for pthreads_lib...

Configuring SAPI modules
checking for Apache 2.0 handler-module support via DSO through APXS...

Sorry, I cannot run apxs.  Possible reasons follow:

1. Perl is not installed
2. apxs was not found. Try to pass the path using
--with-apxs2=/path/to/apxs
3. Apache was not built using --enable-so (the apxs usage page is
displayed)

The output of /usr/local/sbin/apxs2 follows:
./configure[6900]: /usr/local/sbin/apxs2: not found
configure: error: Aborting
*** Error 127 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2750
'/usr/ports/pobj/php-7.0.2/.configure_done': @for d in
/usr/ports/pobj/php...)
*** Error 1 in /usr/ports/lang/php/7.0
(/usr/ports/infrastructure/mk/bsd.port.mk:2495 'all')


--
/Thuban/

[demime 1.01d removed an attachment of type application/pgp-signature which had 
a name of signature.asc]



Re: bluetooth audio device

2016-06-30 Thread Thuban
* Lars Noodén <lars.noo...@gmail.com> le [30-06-2016 16:56:01 +0300]:
> On 6/30/16, Thuban <thu...@yeuxdelibad.net> wrote:
> > Hello,
> > I'm trying to connect an audio device via bluetooth, but can't find any
> > instructions to do so on OpenBSD.
> > Do you have any advice/links?
> >
> > Regards,
> >
> > --
> > /Thuban/
> >
>
> http://marc.info/?l=openbsd-cvs=140511572108715=2
>
> and
>
> http://www.openbsd.org/plus56.html
>
> Regards,
> Lars

ok, this answers my question.

Thanks

--
/Thuban/




bluetooth audio device

2016-06-30 Thread Thuban
Hello,
I'm trying to connect an audio device via bluetooth, but can't find any
instructions to do so on OpenBSD.
Do you have any advice/links?

Regards,

--
/Thuban/




Re: Clean OpenBSD's httpd logs

2016-06-30 Thread Thuban
* C. L. Martinez <carlopm...@gmail.com> le [30-06-2016 12:50:36 +]:
> Hi all,
>
>  Sorry if this question sounds stupid, but how can I avoid this type of
entry in OpenBSD's httpd access.log:
>
> 172.22.55.1:44710 -> 172.22.55.10, /favicon.ico (404 Not Found), [/]
[/favicon.ico]
>

Hi,
in httpd.conf :

server "yourdomain.com" {
...
no log
}


You might want to keep the access log. Separate errors into another file :


server "yourdomain.com" {
...
log access "yourdomain.access.log"
log error "yourdomain.errors.log"
}


see man httpd.conf for more :)


--
/Thuban/




Re: libtorrent build fail

2016-05-27 Thread Thuban
* David Coppa <dco...@gmail.com> le [27-05-2016 15:39:00 +0200]:
> On Fri, May 27, 2016 at 3:02 PM, Thuban <thu...@yeuxdelibad.net> wrote:
> > That was too beautiful, now it's ``make`` that gives me errors I can't
> > understand :
> >
> >
> > In file included from ../include/libtorrent/parse_url.hpp:40,
> > from web_connection_base.cpp:53:
> > ../include/libtorrent/aux_/disable_warnings_pop.hpp:42: warning:
expected
> > [error|warning|ignored] after '#pragma GCC diagnostic'
> > *** Error 1 in src (Makefile:972 'web_connection_base.lo': @echo "
CXX
> > " web_connection_base.lo;depbase=`echo web_connection_base.lo | ...)
> > *** Error 1 in
/home/xavier/geek/libtorrent/libtorrent-rasterbar-1.1.0
> > (Makefile:645 'all-recursive')
> >
> > See full warnings here : https://clbin.com/uPgvb
> >
> > Do you have any advice on this?
>
> Please give me some time...
> I'm trying to cook a proper port, but there's a lot of stuff that
> needs to be fixed.

woah, thank you very much!
I stop filling the list with my useless messages then.
good luck.

Regards,

--
/Thuban/




Re: libtorrent build fail

2016-05-27 Thread Thuban
That was too beautiful, now it's ``make`` that gives me errors I can't
understand :


In file included from ../include/libtorrent/parse_url.hpp:40,
from web_connection_base.cpp:53:
../include/libtorrent/aux_/disable_warnings_pop.hpp:42: warning: expected
[error|warning|ignored] after '#pragma GCC diagnostic'
*** Error 1 in src (Makefile:972 'web_connection_base.lo': @echo "  CXX
" web_connection_base.lo;depbase=`echo web_connection_base.lo | ...)
*** Error 1 in /home/xavier/geek/libtorrent/libtorrent-rasterbar-1.1.0
(Makefile:645 'all-recursive')

See full warnings here : https://clbin.com/uPgvb

Do you have any advice on this?

Thanks.



Re: libtorrent build fail

2016-05-26 Thread Thuban
* Josh Grosse <j...@jggimi.homeip.net> le [26-05-2016 12:30:40 -0400]:
> On 2016-05-26 11:50, Thuban wrote:
> >Hi,
> >I'm trying to build libtorrent [1], but can't figure out how to have
> >./configure detect boost library.
>
> Have you tried installing the libtorrent package? :)
>

Yes, of course. This is not the same libtorrent. The package in OpenBSD
is the old one. One is "rasterbar", the other is still maintained
and has various bindings.


--
/Thuban/




libtorrent build fail

2016-05-26 Thread Thuban
Hi,
I'm trying to build libtorrent [1], but can't figure out how to have
./configure detect boost library.

So, I always have such output :

configure: We could not detect the boost libraries (version 1.47 or
higher). If you have a staged boost library (still not installed) please
specify $BOOST_ROOT in your environment and do not give a PATH to --with-boost
option.  If you are sure you have boost installed, then check your version
number looking in . See http://randspringer.de/boost for
more documentation.
checking whether the Boost::System library is available... no


(yes, boost is installed)


I have these environment variables :

export LDFLAGS="-L /usr/lib -L/usr/local/lib"
export CXXFLAGS="-I /usr/include -I/usr/local/include"

I even tried to find any clue in FreeBSD without luck.


Do you have any advice?

Regards


[1] : http://libtorrent.org/building.html
[2] : https://svnweb.freebsd.org/ports/head/net-p2p/libtorrent-rasterbar/Makefile?view=markup

--
/Thuban/




Re: light browsers

2016-05-12 Thread Thuban
> Firefox used to be nice, but I don't like the way it goes with
> embedded crap such as Hello or even worse, the Pocket thing.
>
Indeed, but it's maybe the last web browser caring about its users,
without selling them or asking them to pay.

w3m has already been mentioned on the list. With some time, it becomes
very handy.

But what about netsurf?

http://www.netsurf-browser.org/

Regards,
--
/Thuban/




Installing py3-libtorrent

2016-04-28 Thread Thuban
Hello,
I need to install the python3 bindings for libtorrent. It doesn't seem to
be packaged, nor present in ports.

Because I need to install it on several machines, I wanted to ask if I
didn't miss it somewhere, before compiling it by hand again and again.

Thanks.

--
/Thuban/




Re: Fwd: Creating a blog using OpenBSD: technology choices and security considerations

2016-04-26 Thread Thuban
The thing you should ask yourself is "what do I really need?" before
installing a huge and useless CMS.

+1 for a static site generator. I use swx [1] on my own, it's just a
markdown converter with some script to add rss feed, sitemap and so. But
there are so many.

There are also many small blog utilities, like Kriss blog [2].

Anyway, if you want to add comments to a static site, you can host it
yourself instead of using Disqus. See hashover : [3]

regards,

[1] : http://yeuxdelibad.net/Programmation/swx_en.html fork of
  https://github.com/jroimartin/sw
[2] : https://github.com/tontof/kriss_blog
[3] : http://tildehash.com/?page=hashover
--
/Thuban/




Re: Can't use sshfs as user

2016-04-25 Thread Thuban
* Sebastien Marie <sema...@openbsd.org> le [24-04-2016 10:17:58 +0200]:
> On Fri, Apr 22, 2016 at 04:51:39PM +0200, Thuban wrote:
> > Hi,
> > I try to mount a directory with sshfs as non-root, but I get the
> > following error :
> >
> > fuse_mount: Permission denied
> >
> > I don't get it. I have "kern.usermount=1" in /etc/sysctl.conf, but
> > according to [1] I need to use some option about uid. But which ones?
> >
>
> - read/write permissions on /dev/fuse0
> - mount point owned by the user
>

Oh, that was it.
It works after a
# chmod 666 /dev/fuse0

Not sure it's really secure though.

Thanks.

--
/Thuban/




Re: Can't use sshfs as user

2016-04-24 Thread Thuban
* Thuban <thu...@yeuxdelibad.net> le [22-04-2016 16:51:39 +0200]:
> Hi,
> I try to mount a directory with sshfs as non-root, but I get the
> following error :
>
> fuse_mount: Permission denied
>
> I don't get it. I have "kern.usermount=1" in /etc/sysctl.conf, but
> according to [1] I need to use some option about uid. But which ones?
>
> Regards.
>
> [1] :
>
> http://openbsd-archive.7691.n7.nabble.com/sshfs-as-non-root-fuse-mount-Permission-denied-td253224.html

I tried to add -o uid=1000 -o gid=1000 to sshfs, but it doesn't seem to
understand these options despite what the man page says.

Where am I wrong?




Can't use sshfs as user

2016-04-22 Thread Thuban
Hi,
I try to mount a directory with sshfs as non-root, but I get the
following error :

fuse_mount: Permission denied

I don't get it. I have "kern.usermount=1" in /etc/sysctl.conf, but
according to [1] I need to use some option about uid. But which ones?

Regards.

[1] : http://openbsd-archive.7691.n7.nabble.com/sshfs-as-non-root-fuse-mount-Permission-denied-td253224.html
--
/Thuban/




Re: Touchpad generate random input

2016-02-09 Thread Thuban
Thomas Bohl gave me a solution :
during boot, use the touchpad AND the keyboard. Then, everything works
as expected.

Here is the new dmesg :

Regards


Touchpad generate random input

2016-02-08 Thread Thuban

--
/Thuban/




Re: ugen0 instead of urtwn0

2015-09-23 Thread Thuban
> Those instructions are for 5.8 or possible 5.7, they aren't needed for
> -current snapshots which already include this change.
>
Of course, I read the files.

--
Thuban
PubKey : http://yeuxdelibad.net/Divers/thuban.pub




rookie questions about flavors

2015-09-23 Thread Thuban
Hello,
I'm not sure I understand some points correctly :
1. A snapshot is a build made at one time of the development, more
recent than the *-stable* flavor.
It is not *-current*. Can we consider a snapshot as an unreleased *5.8*
at this time, or is it above *5.8*?
2. In order to build the system, one can choose :
- to follow *-current* with `cvs -d$CVSROOT checkout -P src`
- to follow *-stable* with `cvs -d$CVSROOT checkout -rOPENBSD_5_7 -P src`

Is it possible to upgrade from 5.7 to 5.8 using this flag :
cvs -d$CVSROOT checkout -rOPENBSD_5_8 -P src

3. If one uses a 5.8 snapshot (i.e [1] ), is it possible to apply updates
for 5.8 *-stable* later? And if so, what PKG_PATH should be used to stay
on 5.8?

PKG_PATH=http://ftp.eu.openbsd.org/pub/OpenBSD/snapshots/packages/`uname -m`/

then switch to

PKG_PATH=http://ftp.eu.openbsd.org/pub/OpenBSD/5.8/packages/`uname -m`/

when 5.8 is released?
The missing packages must be replaced with ports built until the 19 Oct?

Sorry for the long message. I know the best  is to use *-current* or a
*-stable* flavor, but I wish to understand these points in order to keep
things clean.

Regards

[1] : http://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/install58.iso
--
Thuban




Re: rookie questions about flavors

2015-09-23 Thread Thuban
Thanks a lot for this answer.

> > 3. If one use a 5.8 snapshot (i.e [1] ), is it possible to apply updates
> > for 5.8 *-stable* later?
>
> No. As I said earlier (and would be clear from a careful reading of the
FAQ),
> snapshots track -current, not -stable.
Finding an install58.iso in a snapshot directory gave me some doubts
about what i understood in the FAQ (as english is not my first
language).

--
Thuban
PubKey : http://yeuxdelibad.net/Divers/thuban.pub




Re: ugen0 instead of urtwn0

2015-09-23 Thread Thuban
* Stefan Sperling <s...@stsp.name> le [22-09-2015 11:33:28 +0200]:
> On Mon, Sep 21, 2015 at 11:14:22AM +0200, Thuban wrote:
> > Hi,
> > I have a usb wifi dongle supposed to work with urtwn firmware.
> > usbdevs returns WNA 1000Mv2 Netgear listed here [0]
> >
> > But the device is detected as ugen.
> >
> > How can I fix this?
>
> This device was added to -current after 5.8.
> It will work out of the box in OpenBSD 5.9.
>
> The easiest way to get support for it is to use snapshots (i.e. -current).
> See the "Snapshots" section in http://www.openbsd.org/faq/faq5.html#Flavors
>
> You can try to get it to work with 5.7 but this might not work.
> Getting this device to work on 5.8 (to be released on Oct 18) should be
> possible using the steps below.
>
> Starting with pristine OpenBSD 5.8 kernel source (or 5.7, if you want to
> try your luck), add the line
>
> product NETGEAR WNA1000Mv2   0x9043  WNA1000Mv2
>
> somewhere in the file /usr/src/sys/dev/usb/usbdevs
>
> as shown here:
>
> ===
> RCS file: /cvs/src/sys/dev/usb/usbdevs,v
> retrieving revision 1.654
> retrieving revision 1.655
> diff -u -r1.654 -r1.655
> --- src/sys/dev/usb/usbdevs   2015/07/15 13:25:49 1.654
> +++ src/sys/dev/usb/usbdevs   2015/08/22 15:10:19 1.655
> @@ -3135,6 +3135,7 @@
>  product NETGEAR WNA1100  0x9030  WNA1100
>  product NETGEAR WNA1000  0x9040  WNA1000
>  product NETGEAR WNA1000M 0x9041  WNA1000M
> +product NETGEAR WNA1000Mv2   0x9043  WNA1000Mv2
>
>  /* Netgear(2) products */
>  product NETGEAR2 MA101   0x4100  MA101
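Review bot: this entry by itself does not define USB_PRODUCT_NETGEAR_WNA1000Mv2; the constant the if_urtwn.c hunk relies on only exists once usbdevs.h and usbdevs_data.h are regenerated by the `make` in sys/dev/usb described next, so a kernel build attempted before that step fails on an undeclared identifier. The placement is fine: 0x9043 follows WNA1000M at 0x9041, keeping the table in ID order.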
>
>
> Now run
>
>   $ cd /usr/src/sys/dev/usb/
>   $ make
>
> to re-create the USB device list header files usbdevs.h and usbdevs_data.h.
>
> Next, add the line
>
>   { USB_VENDOR_NETGEAR,   USB_PRODUCT_NETGEAR_WNA1000Mv2 },
>
> to /usr/src/sys/dev/usb/if_urtwn.c somewhere in the driver's ID table,
> as shown here:
>
> ===
> RCS file: /cvs/src/sys/dev/usb/if_urtwn.c,v
> retrieving revision 1.48
> retrieving revision 1.49
> diff -u -r1.48 -r1.49
> --- src/sys/dev/usb/if_urtwn.c2015/06/12 15:47:31 1.48
> +++ src/sys/dev/usb/if_urtwn.c2015/08/22 15:19:33 1.49
> @@ -110,6 +110,7 @@
>   { USB_VENDOR_IODATA,USB_PRODUCT_IODATA_WNG150UM },
>   { USB_VENDOR_IODATA,USB_PRODUCT_IODATA_RTL8192CU },
>   { USB_VENDOR_NETGEAR,   USB_PRODUCT_NETGEAR_WNA1000M },
> + { USB_VENDOR_NETGEAR,   USB_PRODUCT_NETGEAR_WNA1000Mv2 },
>   { USB_VENDOR_NETGEAR,   USB_PRODUCT_NETGEAR_RTL8192CU },
>   { USB_VENDOR_NETGEAR4,  USB_PRODUCT_NETGEAR4_RTL8188CU },
>   { USB_VENDOR_NETWEEN,   USB_PRODUCT_NETWEEN_RTL8192CU },
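Review bot: the new match-table line is sorted with the other NETGEAR IDs, but nothing in the hunk records that the WNA1000Mv2 carries a chipset urtwn drives (its neighbours are RTL8192CU/RTL8188CU parts); a one-line note that the dongle was tested, or a pointer to its usbdevs/dmesg output, would make the change reviewable. The line also depends on USB_PRODUCT_NETGEAR_WNA1000Mv2 from the regenerated usbdevs headers, so the two hunks must be applied together.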
>
> Now compile a new kernel and install it.
>
> For more information on the steps involved in compiling the kernel,
> see http://www.openbsd.org/faq/faq5.html#Bld and in particular this
> section: http://www.openbsd.org/faq/faq5.html#BldKernel

Thank you for these very complete explanations.

Currently, I can't build the kernel without any error with the last
snapshot, even without modifying anything.
Same with current.
I'll wait some time and see.

Regards

--
Thuban
PubKey : http://yeuxdelibad.net/Divers/thuban.pub



