protected domain for tap for vmm vms

2018-08-17 Thread jirib
Hello,

I was checking bridge's protected domains and I'm curious
how to add a VMM VM's tap into a VMM switch/bridge protected domain.

It seems it's not implemented yet.

I wanted to achieve this:

- multiple VMM VMs in same switch/bridge
- VMs cannot talk to each other inside the bridge
  hence protected domain
- VMs can access uplink via bridge's vether

Jiri



Re: asm avr

2011-09-22 Thread jirib
On Thu, 22 Sep 2011 23:20:19 +0800
igor denisov saufe...@gmail.com wrote:

 Hello there,
 
 I installed avr-binutils and tried to use it on some code and
 something strange happened. When I tried to compile code it appeared
 that the m16def.inc had bad syntax; the file is from the ATMEL site.
 
 What did I do wrong?

You posted to the wrong list. OMG, we will again be spammed with your
silly mails :(

jirib



Re: BSD Day 2011

2011-09-09 Thread jirib
On Fri, 9 Sep 2011 11:13:43 +0200
Henning Brauer lists-open...@bsws.de wrote:

 * Tomas Bodzar tomas.bod...@gmail.com [2011-09-08 18:33]:
  Are some of the devs attending or no one invited?
  http://www.bsdday.eu/2011
 
 first time I personally hear about this at all.

Lua and FreeBSD and neologism, lol.

jirib



Re: essential reading for beginning OpenBSD users

2011-09-06 Thread jirib
On Tue, 6 Sep 2011 10:27:22 -0400
Daniel Villarreal yclwebmas...@gmail.com wrote:

 I consider the following to be essential reading for beginning OpenBSD
 users...
 
 Absolute FreeBSD, 2nd Edition information by Michael W. Lucas...
 http://www.nostarch.com/abs_bsd2.htm
 
 Don't forget the Book of PF, 2nd Edition by Peter N.M. Hansteen ...
 http://nostarch.com/pf2.htm
 
 Over the years I've spent a lot of money on O'Reilly GNU/Linux books,
 but the 1st ed. versions of the above books astound me with their
 clarity in explaining very technical concepts in an
 easy-to-understand manner. I never before considered technical
 computer writing to be elegantly handled, but combined with the man
 pages, the documentation is simply superb. Usually I wouldn't even
 consider buying a newer version of a computer book I already have,
 but I will be buying the second editions of said books when I can.
 
 Thanks for your efforts!
 Daniel Villarreal
 
 On Tue, Sep 6, 2011 at 7:12 AM, Amit Kulkarni amitk...@gmail.com
 wrote:
 
  Lucas is bringing out a 2nd edition of absolute openbsd, which i am
  gonna buy

I consider the best:

man afterboot
man hier

:DD

jirib



Re: Most secure Operating-System?

2011-09-05 Thread jirib
On Mon, 5 Sep 2011 23:55:52 +1000
Alec Taylor alec.tayl...@gmail.com wrote:

 Good evening,

 What's the most secure operating system?

 /me is thinking OpenBSD

 Features required:
  TCP/IP Suite with IPv4 and IPv6 (yeah, I know, big security loss by
 incorporating Internet access!)
  GUI
  Web-server (with HTTPS capabilities)
  LDAP+-Kerberos server for User auth
  CAS or similar for SSO
  Radius or (preferably) Diameter support
  Java support
  WINE compatible
  Multithreaded
  Multi-processor capable
  Wide architecture support (x86, x64, mainframes)

 If my project proposal is successful, I will be implementing this
 system to replace a Windows environment at one of the largest banks in
 the country.


Do NOT smoke that sh1t too much, or if you wanted to be funny you are
not.

jirib



Re: dump/restore - individual file

2011-08-24 Thread jirib
On Sun, 21 Aug 2011 18:22:15 -0500
Stefan Johnson tigerphoenixdra...@gmail.com wrote:

  # restore -xf root.dump './etc/pf.conf'
  restore: ./etc: File exists
  You have not read any tapes yet.
  Unless you know which volume your file(s) are on you should start
  with the last volume and work towards the first.
  Specify next volume #:
 
  And here I'm failing, why volume?
 
  Thank you for tips.
 
  jirib
 
 
 I believe restore with -x flag always asks for which volume, even if
 it is just a dump to a file.  Just tell it to use volume 1 (type 1
 then hit enter.)
 
 Also, I notice in your dump example, you dumped the raw device.
 You can just tell it to use / instead, and it will dump just fine
 as well.

Hi,

it would be nice if `restore' knew whether it is restoring from a file
or from a tape. Even `-s 1' doesn't suppress prompting for the volume number.

This is from AIX man page:

-s SeekBackup   Specifies the backup to seek and restore on a
multiple-backup tape archive. The -s flag is only applicable when the
archive is written to a tape device. To use the -s flag properly, a
no-rewind-on-close and no-retension-on-open tape device, such
as /dev/rmt0.1 or /dev/rmt0.5, must be specified. If the -s flag is
specified with a rewind tape device, the restore command displays an
error message and exits with a nonzero return code. If a no-rewind tape
device is used and the -s flag is not specified, a default value of -s
1 is used. The value of the SeekBackup parameter must be in the range
of 1 to 100 inclusive. It is necessary to use a no-rewind-on-close,
no-retension-on-open tape device because of the behavior of the -s
flag. The value specified with -s is relative to the position of the
tapes read/write head and not to an archives position on the tape. For
example, to restore the first, second, and fourth backups from a
multiple-backup tape archive, the respective values for the -s flag
would be -s 1, -s 1, and -s 2.

I cannot do C so I cannot send a diff :(

jirib



dump/restore - individual file

2011-08-21 Thread jirib
Hello,

I use the `restore' command quite often to restore individual
files, but on AIX rather than OpenBSD.

I'm trying to do the same on OpenBSD but I'm failing; how do I
do that on OpenBSD?

Imagine you `dump' a FS and then you need to recover some files.

# df -h /
Filesystem SizeUsed   Avail Capacity  Mounted on
/dev/sd0a 96.4M   69.9M   21.7M76%/
# dump -0af /tmp/root.dump /dev/rsd0a 
  DUMP: Date of this level 0 dump: Sun Aug 21 22:13:45 2011
  DUMP: Date of last level 0 dump: the epoch
  DUMP: Dumping /dev/rsd0a to /tmp/root.dump
  DUMP: mapping (Pass I) [regular files]
  DUMP: mapping (Pass II) [directories]
  DUMP: estimated 72646 tape blocks.
  DUMP: Volume 1 started at: Sun Aug 21 22:13:45 2011
  DUMP: dumping (Pass III) [directories]
  DUMP: dumping (Pass IV) [regular files]
  DUMP: 73963 tape blocks on 1 volume
  DUMP: Date of this level 0 dump: Sun Aug 21 22:13:45 2011
  DUMP: Volume 1 completed at: Sun Aug 21 22:13:59 2011
  DUMP: Volume 1 took 0:00:14
  DUMP: Volume 1 transfer rate: 5283 KB/s
  DUMP: Date this dump completed:  Sun Aug 21 22:13:59 2011
  DUMP: Average transfer rate: 5283 KB/s
  DUMP: Closing /tmp/root.dump
  DUMP: DUMP IS DONE
# restore -tf root.dump | egrep \./etc/pf\.conf$
Level 0 dump of an unlisted file system on t400.example.com:/dev/rsd0a
Label: none
  3789  ./etc/pf.conf
# restore -xf root.dump './etc/pf.conf'
restore: ./etc: File exists
You have not read any tapes yet.
Unless you know which volume your file(s) are on you should start
with the last volume and work towards the first.
Specify next volume #:

And here I'm failing, why volume?

Thank you for tips.

jirib



eSATA, SATA port multiplier, storage chassis and OpenBSD

2011-08-13 Thread jirib
Hello all,

I was googling for an external storage chassis as a cheap alternative to
expensive SANs -
http://www.addonics.com/products/raid_system/rack_overview.asp

What is the support status of eSATA/SATA port multipliers? I have never
used this technology, but as I understand it, it means that with one
cable you can see multiple disks...

Addonics even offer RAID, but it looks like fake/soft RAID.

Do you use any external storage chassis which are dumb - meaning no SAN
software and that fancy expensive stuff?

jirib



Re: Debugging an app running in compat_linux

2011-07-27 Thread jirib
On Tue, 26 Jul 2011 19:41:24 -0400
Ted Unangst t...@tedunangst.com wrote:

 On Tue, Jul 26, 2011, jirib wrote:
  I'm trying to get ATTclient running (basically it is some programs
  for authentication; the network [vpn] setup is similar to vpnc).
  
  After I start one of its daemons the system is completely blocked -
  stuck. No error, no kernel panic, nothing happens after pressing
  any key.
  
  Any tips how could I do some debugging?
 
 The first thing to try would be another version.  You don't mention
 which version you're running now, so all I can suggest is not that
 one.

Hello,

using latest -current snapshot of course ;)

And the ugly app is
ftp://ftp.attglobal.net/pub/custom/ibm_linux/agnclient-1.0-2.0.1.3003.i386.rpm

I will try some ooold version then.

jirib



Debugging an app running in compat_linux

2011-07-26 Thread jirib
Hello,

I'm trying to get ATTclient running (basically it is some programs for
authentication; the network [vpn] setup is similar to vpnc).

After I start one of its daemons the system is completely blocked -
stuck. No error, no kernel panic, nothing happens after pressing any
key.

Any tips how could I do some debugging?

Thank you.

jirib



Re: openbsd 4.9 based UTM

2011-07-19 Thread jirib
On Tue, 19 Jul 2011 12:41:40 +0200
Otto Moerbeek o...@drijf.net wrote:

 On Tue, Jul 19, 2011 at 11:34:48AM +0100, citoyen citoyen wrote:
 
  Hi,
   I'm about to start a project of building my own highly secure UTM
   based on the last openbsd flower 4.9,
   I can do all system and network configs needed by myself, but I'm
   wondering what language to use in order to get
   my UTM configurable from a web browser.
   Any pointers or help are welcome.
  
  Thanks in advance.
 
 What IS an UTM?

Marketing :) First start with a good design; see for example the series
about tunneling from a corporate network on undeadly.org

jirib



Re: How does OpenBSD compare to Ubuntu Server?

2011-07-07 Thread jirib
On Thu, 7 Jul 2011 09:02:08 -0400
Juan Miscaro jmisc...@gmail.com wrote:

 Was wondering what advantages OpenBSD has over a progressive Linux
 distribution such as Ubuntu (Server edition).

Are you kidding? Ubuntu? Where installed daemons are running by default,
where there is no command to disable shitty upstart daemons?

I once installed mysql on Ubuntu, just to check something; I disabled
those ugly symlinks in rcX.d via update-rc.d and after a reboot it was
still running -- well, bloody hell, it also has an upstart script, OMFG!

jirib



Re: Anyone know of an smtp-proxy (or other mechanism) for routing mail to different IMAP servers depending recipient address?

2011-07-07 Thread jirib
On Thu, 7 Jul 2011 13:42:00 -0400
IT Guy it...@barrett.com wrote:

 Hi all,
 
 I'm in the process of migrating our company from a certain
 proprietary mail system to a new OpenBSD mailserver (IMAP + Postfix).
 
 I'd like to be able to migrate our users one at a time rather than do
 the whole company in one fell swoop.
 
 Does anyone know of a good/easy way to conditionally route incoming
 mail based on the envelope recipient address? (Basically I want
 migrated users to start getting their mail from the new box, while
 the other users continue to connect to the old server)
 
 I looked in the ports tree and didn't see an smtp proxy per se. Also
 the relayd manpage seemed relevant but I've never used that daemon
 before and thus am not sure.
 
 I'm a newbie in this area, so any suggestions/guidance would be
 greatly appreciated.
 
 Thanks in advance.
 
 :-)
 
 Dre

Never tried myself but...

http://anfi.homeunix.org/sendmail/smarttab.html

jirib



Re: DUID's and fstab

2011-04-12 Thread jirib
On Tue, 12 Apr 2011 02:06:51 +0400
Alexander Polakov polac...@gmail.com wrote:

 I am probably misunderstanding something, but are DUID's supposed to
 be used in place of device filenames in fstab? I suppose they are,
 so this looks strange to me:
 
 % sudo mount f777cc5bbeded528.a
 mount: can't find fstab entry for f777cc5bbeded528.a.

I always believed that one has to specify the mountpoint for `mount'
without specifying the device, like `mount /foo'.

Eh?

jirib



Re: Citrix ICAclient hangs whole PC with latest i386 PC

2011-04-12 Thread jirib
On Tue, 12 Apr 2011 05:36:50 +0200
Tomas Bodzar tomas.bod...@gmail.com wrote:

 Hi,
 
 will try ktrace and log output of Citrix too. Yesterday when I saw
 that crash word in output of last I thought that maybe I can enter
 ddb. Will test that today and you can expect outputs. Anyway no need
 to worry about it right now, you have holidays and I have workaround

- use the java version, it works quite OK, example:

java -cp ./JICAEngN.jar com.citrix.JICA -httpbrowseraddress:x.x.250.111
-initialprogram:#WIN2KAPPS -username:x -address:WIN2KAPPS
-launcher:Custom -desiredvres:768 -desiredhres:1024 -password:x
-end:terminate

jirib



Re: place xenocara compile output into /scratch

2011-04-09 Thread jirib
On Sat, 09 Apr 2011 02:58:47 -0400
STeve Andre' and...@msu.edu wrote:

 On 04/08/11 23:57, Amit Kulkarni wrote:
  hi,
 
  how do i redirect a compile of xenocara to say /scratch? i can do
  that easily for userland using
 
  cd /usr/src/etc && env DESTDIR=/scratch make distrib-dirs
 
  i don't want to fiddle too much like changing X11BASE X11ETC just a
  simple way to do it.
 
  thanks
 Why don't you use script(1) to capture things?  That way you never
 have to tweak anything.
 
 --STeve Andre'

Or tmux and pipe-pane ;) very nice.

jirib



Re: mysql problem

2011-04-08 Thread jirib
On Fri, 8 Apr 2011 09:52:15 +0200
Gianluca D'Auri Muscelli g...@email.it wrote:

 Hi,
 I've installed postfix-mysql + mysql-server + courier-imap and
 imap-ssl + courier-pop and pop-ssl on OpenBSD 4.8-Stable
 
 But now I have a problem with vmail and mysql; I've created the
 database for postfix users
 Pastebin link of database:   http://pastebin.com/70qd43AZ
 
 And I inserted my account into database mail with:
 
 mysql> INSERT INTO users (login, name, password, maildir)
 -> VALUES ('gdrm@my_domain.org', 'Gianluca', ENCRYPT('my_password'),
 -> '/my_site.org/gdrm/');
 
 
 When I connect with mutt:   mutt -f
 imaps://my_u...@example.com@localhost the password does not match!
 Or when I try:  sudo -u vmail mutt
 -f /var/vmail/mydomain.org/user_name
 
 I don't know where the problem is, can you help me??
 Tks vvm

This is postfix related, not OpenBSD. You are on the wrong list.

jirib



Re: sftp-server logging with chroot in OpenBSD?

2011-03-27 Thread jirib
On Sun, 27 Mar 2011 21:38:58 +0800
Marcus f5b...@gmail.com wrote:

 sftp-server logging with chroot in OpenBSD?
 
 I want to log upload/download information in sftp server

I don't know where your problem is, but this is how it works for me ;)

jirib

Match User 
ChrootDirectory /data/share
PasswordAuthentication yes
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp -R -l INFO -f LOCAL0

Match User 
ChrootDirectory /data/share
PasswordAuthentication yes
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp -l INFO -f LOCAL


$ ls -l /data/share/dev/log
srw-rw-rw-  1 root  wheel  0 Mar 26 09:21 /data/share/dev/log=

$ sftp @localhost
Connected to localhost.
sftp> ls
drupal   ebooks   movies   music    openbsd  upload   video
sftp> quit



$ tail /var/log/
Dec 22 02:30:39 t400 internal-sftp[24742]: closedir /disk/0/openbsd
Dec 22 02:30:41 t400 internal-sftp[24742]: opendir /disk/1/openbsd/cvs
Dec 22 02:30:41 t400 internal-sftp[24742]: closedir /disk/1/openbsd/cvs
Dec 22 02:30:45 t400 internal-sftp[24742]: opendir /disk/1/openbsd/cvs/ports
Dec 22 02:30:45 t400 internal-sftp[24742]: closedir /disk/1/openbsd/cvs/ports
Dec 22 02:30:50 t400 internal-sftp[24742]: session closed for local user  from [127.0.0.1]
Mar 27 18:52:09 t400 internal-sftp[892]: session opened for local user  from [127.0.0.1]
Mar 27 18:52:10 t400 internal-sftp[892]: opendir /pub
Mar 27 18:52:10 t400 internal-sftp[892]: closedir /pub
Mar 27 18:52:12 t400 internal-sftp[892]: session closed for local user  from [127.0.0.1]
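The question above was how to log upload/download activity; the configuration in the reply produces per-operation syslog lines but no summary. Below is an added example, not code from the post or from OpenSSH, that parses such internal-sftp INFO lines into a per-session transfer report. The session opened/closed and opendir/closedir shapes follow the excerpt above; the `open <path> flags <FLAGS> mode <octal>` and `close <path> bytes read N written M` shapes are assumed from sftp-server's INFO logging (both quoted and unquoted paths are accepted), and the sample log lines, hosts and users are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines in the style of the syslog excerpt in the post.
# The open/close message shapes are an assumption about sftp-server's INFO
# logging, not text copied from the original thread.  The second session
# reuses pid 892 and is never closed, which is what a truncated log or a
# still-running client looks like.
SAMPLE_LOG = """\
Mar 27 18:52:09 t400 internal-sftp[892]: session opened for local user jirib from [127.0.0.1]
Mar 27 18:52:10 t400 internal-sftp[892]: opendir /pub
Mar 27 18:52:10 t400 internal-sftp[892]: closedir /pub
Mar 27 18:52:11 t400 internal-sftp[892]: open /pub/notes.txt flags READ mode 0666
Mar 27 18:52:11 t400 internal-sftp[892]: close /pub/notes.txt bytes read 2048 written 0
Mar 27 18:52:12 t400 internal-sftp[892]: open "/upload/report.pdf" flags WRITE,CREATE,TRUNCATE mode 0644
Mar 27 18:52:13 t400 internal-sftp[892]: close "/upload/report.pdf" bytes read 0 written 73120
Mar 27 18:52:14 t400 internal-sftp[892]: session closed for local user jirib from [127.0.0.1]
Mar 27 18:53:00 t400 sshd[901]: Accepted password for jirib from 127.0.0.1 port 40122 ssh2
Mar 27 18:53:01 t400 internal-sftp[892]: session opened for local user bob from [10.0.0.5]
Mar 27 18:53:02 t400 internal-sftp[892]: open /upload/x.bin flags WRITE,CREATE mode 0644
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"internal-sftp\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SESSION_RE = re.compile(r"^session (?P<state>opened|closed) for local user "
                        r"(?P<user>\S+) from \[(?P<src>[^\]]+)\]$")
OPEN_RE = re.compile(r'^open "?(?P<path>.+?)"? flags (?P<flags>\S+) mode (?P<mode>[0-7]+)$')
CLOSE_RE = re.compile(r'^close "?(?P<path>.+?)"? bytes read (?P<read>\d+) written (?P<written>\d+)$')


@dataclass
class SftpSession:
    pid: str
    user: str = "?"
    source: str = "?"
    opens: list = field(default_factory=list)    # (path, flags) from open lines
    closes: list = field(default_factory=list)   # (path, bytes_read, bytes_written)
    closed: bool = False

    def downloads(self):
        """Files the client read, with byte counts (from close lines)."""
        return [(p, r) for p, r, _ in self.closes if r]

    def uploads(self):
        """Files the client wrote, with byte counts (from close lines)."""
        return [(p, w) for p, _, w in self.closes if w]

    def unclosed_writes(self):
        """Paths opened for writing with no close line yet: incomplete uploads."""
        done = {p for p, _, _ in self.closes}
        return [p for p, flags in self.opens if "WRITE" in flags and p not in done]


def parse_sftp_log(text):
    """Group internal-sftp log lines into sessions, keyed by pid while active."""
    sessions, active = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # lines from other programs are ignored
        pid, msg = m.group("pid"), m.group("msg")
        sm = SESSION_RE.match(msg)
        if sm and sm.group("state") == "opened":
            s = SftpSession(pid, sm.group("user"), sm.group("src"))
            sessions.append(s)
            active[pid] = s                # a reused pid starts a fresh session
            continue
        s = active.get(pid)
        if s is None:                      # start line lost (rotation): keep what we can
            s = SftpSession(pid)
            sessions.append(s)
            active[pid] = s
        if sm:                             # "session closed"
            s.closed = True
            active.pop(pid, None)
            continue
        om = OPEN_RE.match(msg)
        if om:
            s.opens.append((om.group("path"), om.group("flags")))
            continue
        cm = CLOSE_RE.match(msg)
        if cm:
            s.closes.append((cm.group("path"), int(cm.group("read")), int(cm.group("written"))))
    return sessions


def transfer_report(sessions):
    """One human-readable line per session for an audit log or a daily mail."""
    lines = []
    for s in sessions:
        down = sum(n for _, n in s.downloads())
        up = sum(n for _, n in s.uploads())
        state = "closed" if s.closed else "still open"
        lines.append(f"{s.user}@{s.source} pid={s.pid} {state}: {down} B down, "
                     f"{up} B up, unclosed writes: {s.unclosed_writes()}")
    return lines


if __name__ == "__main__":
    for line in transfer_report(parse_sftp_log(SAMPLE_LOG)):
        print(line)
```

Feeding it the syslog file that LOCAL0 is routed to gives the upload/download overview the original question asked for; pid reuse is handled by closing a session on its "session closed" line rather than merging everything with the same pid.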



Re: pf rdr-to outgoing to local port issues

2011-03-21 Thread jirib
On Sat, 19 Mar 2011 21:28:09 +0100
Henning Brauer lists-open...@bsws.de wrote:

  it was working for me - rdr-to outbound to a daemon on the firewall
  itself, but I deleted that virtual machine...
  
 rdr-to is usually applied inbound.  If applied
  outbound, rdr-to to a local IP address is not supported.
  
  I would put my hand in fire -- it was working :) I read the manpage
  but I don't get it, how could it work then?
 
 pretty certain it could not have worked. the rdr-to in this case is
 too late and the local/remote decision already taken.


Hi,

I understand I'm becoming annoying, but it worked; maybe I was on
drugs... Unfortunately no evidence in hand now :) I tested like this:

* ssh -D remotehost
* redsocks listening on 127.0.0.1:12345 and redirecting to
  127.0.0.1:
* pf redirecting www to 127.0.0.1:12345
* lynx ipid.shat.net

Finally I saw in lynx IP of remote ssh socks5 tunnel.

Any idea how to redirect outgoing traffic to a local port?

Would it be hard to add such functionality into PF? (I don't like
such comparisons, but it can be done on other OSes.)

This feature would be handy to people doing system-wide socksifying (I
already saw apps which spawned other apps which thus were not
socksified), or people who want to run almost everything via Tor or
similar anonymizing networks -- I think it's better to socksify Tor
traffic at the OS level because one can misconfigure one's application.

Thank you for help!

jirib



Re: full disk encryption google chrome on OpenBSD!

2011-03-18 Thread jirib
On Fri, 18 Mar 2011 09:11:26 -0500
Marco Peereboom sl...@peereboom.us wrote:

 On Fri, Mar 18, 2011 at 07:02:58AM -0700, johhny_at_poland77 wrote:
  So our point is, if there is a good method to encrypt the full disk
  [like with dm-crypt/AES/under Linux], and we could have an
  up-to-date google chrome browser on OpenBSD, then it could be a
  very very good operating system for daily use! Dear community! Can
  someone please post small and compact [pointed] howtos, how to
  install an OpenBSD with full disk encryption, and how can we
  install google chrome on it? It's very important! Thank you in
  anticipation!
 
 It isn't important at all for me so I have no idea what you are
 talking about.
 
 And if you use chrome why would you bother encrypting your disk
 anyway?

Nobody has mentioned that it is impossible to have full disk encryption
right now -- one has to have root fs - / - unencrypted.

But let's see... there was a commit to add detection of softraid into
boot loader.

jirib



Re: pf rdr-to outgoing to local port issues

2011-03-18 Thread jirib
On Fri, 25 Feb 2011 10:21:20 +0100
Henning Brauer lists-open...@bsws.de wrote:

 * william dunand william.dun...@gmail.com [2011-02-25 05:26]:
   pass out log(matches) quick inet proto tcp from any to
   89.176.141.250 port = www rdr-to 127.0.0.1 port 8080
  I think rdr-to is meant to be use on inbound rules.
 
 we allow rdr-to outbound too now. it has caveats, and - surprise! -
 they are described in the manpage.
 this example hits a caveat.
 

Hi,

it was working for me - rdr-to outbound to a daemon on the firewall
itself, but I deleted that virtual machine...

   rdr-to is usually applied inbound.  If applied outbound,
   rdr-to to a local IP address is not supported.

I would put my hand in fire -- it was working :) I read the manpage
but I don't get it, how could it work then?

Thanks for help.

jirib



Re: syslog - log program output to its own file

2011-03-13 Thread jirib
On Mon, 14 Mar 2011 13:07:02 +1300
Paul M l...@no-tek.com wrote:

 I have a program whose output I want to log exclusively to its own
 file.
 Which is to say I don't want any of its output appearing in the
 system logs.
 
 Reading the syslog man pages this doesn't seem possible:
 If I put
 !!myprog
 *.*   /path/to/logfile
 


localX, check the manpage.

I would go with rsyslog, it seems better.

jirib



Re: Chrooting users the right way

2007-05-14 Thread jirib

[EMAIL PROTECTED] wrote:

Hi

I am setting up a new OpenBSD machine in which I want to chroot users. I don't
want to use any of the patching solutions to OpenSSH but want to implement a
real system chroot solution so any user, who is chrooted, is jailed even if he
logs in manually.

I have tried to find articles on this, but haven't been successful.


Does anyone know of a good tutorial on how to do this on OpenBSD?

Best and kind regards.

Rico Secada.




Hi,
just try to use a combination of sshd_config directives (Match and
ForceCommand) and your own script wrapper for systrace...


Something like this:
sshd_config
ForceCommand /path/to/systrace-wrapper

systrace-wrapper:
/bin/systrace -a /usr/libexec/sftp-server
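The reply above and the sftp-server logging post earlier in this archive both rely on sshd_config Match blocks to confine users. As an added example, not part of either thread and not OpenSSH code, here is a Python check that parses an sshd_config, finds every Match block with a ChrootDirectory, and reports the settings the earlier sftp blocks get right when a block misses them: ForceCommand internal-sftp (so nothing else has to live inside the chroot), the -l logging flag, and X11Forwarding/AllowTcpForwarding turned off. The config excerpt is constructed; the fallback values for X11Forwarding (no) and AllowTcpForwarding (yes) are the sshd_config(5) defaults; and it assumes a sshd new enough to have ChrootDirectory, which the 2007 post predates (hence its systrace wrapper).

```python
import re

# Constructed sshd_config excerpt modelled on the Match blocks in the sftp
# logging post: "alice" is configured the way that post shows, "bob" forgets
# the logging flags and leaves TCP forwarding at its default.
SAMPLE_SSHD_CONFIG = """\
Subsystem sftp internal-sftp
PasswordAuthentication no

Match User alice
    ChrootDirectory /data/share
    PasswordAuthentication yes
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp -R -l INFO -f LOCAL0

Match User bob
    ChrootDirectory /data/share
    ForceCommand internal-sftp
"""

# sshd_config(5) defaults for the options the check cares about
DEFAULTS = {"x11forwarding": "no", "allowtcpforwarding": "yes"}


def parse_sshd_config(text):
    """Split sshd_config text into global options and Match blocks.

    Returns (global_opts, [(criteria, opts), ...]) with keywords lower-cased.
    As in sshd, the first occurrence of a keyword within a scope wins."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            blocks.append((value, current))
            continue
        scope = global_opts if current is None else current
        scope.setdefault(key, value)
    return global_opts, blocks


def lint_chroot_blocks(text):
    """Return (criteria, finding) pairs for Match blocks that chroot users."""
    findings = []
    global_opts, blocks = parse_sshd_config(text)
    for criteria, opts in blocks:
        if "chrootdirectory" not in opts:
            continue
        # a Match block inherits every option it does not override
        effective = {**DEFAULTS, **global_opts, **opts}
        force = effective.get("forcecommand", "")
        if not force.startswith("internal-sftp"):
            findings.append((criteria, "ForceCommand is not internal-sftp: the chroot "
                                       "would need a shell, libraries and devices"))
        elif "-l" not in force.split():
            findings.append((criteria, "internal-sftp runs without -l, so transfers "
                                       "are not logged"))
        for opt in ("x11forwarding", "allowtcpforwarding"):
            if effective[opt].lower() != "no":
                findings.append((criteria, f"{opt} is not set to no"))
    return findings


if __name__ == "__main__":
    for criteria, finding in lint_chroot_blocks(SAMPLE_SSHD_CONFIG):
        print(f"Match {criteria}: {finding}")
```

Run it against /etc/ssh/sshd_config after editing; a clean run prints nothing, and each finding names the Match criteria so the offending block is easy to locate.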