Installing apsfilter package fails
I have an OpenBSD 4.2 box without X installed, and I'm trying to install apsfilter to set up printing. Apsfilter fails with the following message:

# pkg_add apsfilter-7.2.8p0.tgz
Can't install gettext-0.14.6p0: lib not found expat.8.0
Dependencies for gettext-0.14.6p0 resolve to: libiconv-1.9.2p3
Full dependency tree is libiconv-1.9.2p3
Can't install a2ps-4.13bp4-letter: can't resolve gettext-0.14.6p0
Can't install apsfilter-7.2.8p0: can't resolve a2ps-4.13bp4-letter

What am I doing wrong???

Thanks,
Ed
Re: Installing apsfilter package fails
Thank you Preston. You said, "If I remember correctly, you need to have the x-base package installed for the libiconv / gettext dependencies to be met. It's an issue with 4.2." How did you know that? Is there a source that I should reference that I'm not aware of to keep up on the latest idiosyncrasies, bugs, etc.???

Thanks,
Ed
Setting up an HP laserjet with apsfilter unknown printer error
Hi folks,
I'm using apsfilter on OBSD 4.2, and trying to set up an HP LaserJet printer. I have an HP P2015DN and a 4240n, so printing to either one would be fine with me. After running apsfilter SETUP, here's my /etc/printcap file:

lp|PSgs;r=300x300;q=medium;c=mono;p=letter;m=auto:\
        :lp=:\
        :rm=192.168.1.15:\
        :rp=raw:\
        :if=/etc/apsfilter/basedir/bin/apsfilter:\
        :sd=/var/spool/lpd/lp:\
        :lf=/var/spool/lpd/lp/log:\
        :af=/var/spool/lpd/lp/acct:\
        :mx#0:\
        :sh:

When I try and print a testpage, this is what I get:

Printing test page...
-rw-r--r--  1 root  wheel  924020 Mar 20 08:46 /tmp/apsfilter20397/test_page.aps
lpr: [EMAIL PROTECTED]: unknown printer
    0m0.00s real     0m0.00s user     0m0.00s system
[ press RETURN to continue ]

Can someone give me some tips on setting up a network printer? I thought setting up a network printer would be a snap with apsfilter, but it's not as easy as I thought. :-)

Thanks,
Ed
Would OpenBSD and Squid be considered a Proxy Firewall?
Hi folks,
I'm reading a book on network security and it mentions proxy firewalls, so I'm wondering if an OpenBSD box with Squid installed would fit this description? Or, are there other proxy firewalls the author is referring to? The book mentions that although proxy firewalls tend to slow traffic down, they are much more secure than a typical, stateful packet filtering firewall. He says they will ignore the typical network discovery methods, i.e. nmap, etc., etc. As a matter of curiosity, has anyone run an nmap scan against an OpenBSD box with Squid? What did the scan results indicate?

Thank you,
Ed
Re: Would OpenBSD and Squid be considered a Proxy Firewall?
I have not yet fully researched the PF functionality of OpenBSD, so I'm therefore guessing that the PF feature adds stateful packet inspection to an OpenBSD box. With that assumption, I guess I'm thinking PF and Squid (which works at the application layer of the OSI stack) would make a pretty formidable firewall. I wonder if PF would analyze the incoming data stream first and then Squid, or would that be Squid first and then PF?

Ed

On Sat, Mar 22, 2008 at 6:05 AM, Denise H. G. [EMAIL PROTECTED] wrote:
> Ed Flecko [EMAIL PROTECTED] writes:
>
> > Hi folks,
> > I'm reading a book on network security and it mentions proxy firewalls, so I'm wondering if an OpenBSD box with Squid installed would fit this description? Or, are there other proxy firewalls the author is referring to? The book mentions that although proxy firewalls tend to slow traffic down, they are much more secure than a typical, stateful packet filtering firewall. He says they will ignore the typical network discovery methods, i.e. nmap, etc., etc. As a matter of curiosity, has anyone run an nmap scan against an OpenBSD box with Squid? What did the scan results indicate?
>
> I have an ancient box, which is an AMD K6 266MHz with 64M RAM, running OBSD 4.2 + pf + squid. I use it as a home router + firewall + WWW cache. Since it is running smooth, quiet and well, it just sits in one corner without my further investigations. But I don't know how `proxy' plus `firewall' would enhance security issues. Would you elaborate on it?
>
> > Thank you,
> > Ed
>
> --
> Denise H. G.
> darcsis AT gmail DOT com
Re: Would OpenBSD and Squid be considered a Proxy Firewall?
The book is called Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses (2nd Edition) - http://www.amazon.com/Counter-Hack-Reloaded-Step-Step/dp/0131481045/ref=pd_bbs_1?ie=UTF8&s=books&qid=1206284032&sr=8-1

The author makes several references to proxy firewalls and implies they are more secure than traditional firewalls because they ignore typical reconnaissance, probing attempts like nmap, etc. because they function at the application layer.

Ed

On Sat, Mar 22, 2008 at 7:38 AM, Lars Noodin [EMAIL PROTECTED] wrote:
> Ed Flecko wrote:
> > I'm reading a book on network security and it mentions proxy firewalls ... are there other proxy firewalls the author is referring to?
>
> Which book? Title, author, ISBN would help. Or send a link to a review.
>
> > As a matter of curiosity, has anyone run an nmap scan against an OpenBSD box with Squid? What did the scan results indicate?
>
> The results depend entirely on how you have Squid set up and how PF is configured.
>
> Regards,
> -Lars
Re: Would OpenBSD and Squid be considered a Proxy Firewall?
In one section of the book (Page 301) the author contrasts nmap to Firewalk. He says, "nmap cannot differentiate between what is open on an end machine and what is being firewalled. Firewalk, on the other hand, can determine if a given port is allowed through a packet-filtering device. With this information, Firewalk allows an attacker to determine your firewall rule set." I get the impression he thinks Firewalk is superior to nmap (although he doesn't come right out and SAY that). He then shortly thereafter says, "Firewalk even works against traditional and stateful packet filters, which both just decrement the TTL by one. However, Firewalk does not work against proxy based firewalls, because proxies do not forward packets. Instead, a proxy application absorbs packets on one side of the gateway and creates a new connection on the other side, destroying all TTL information in the process. Packet filters actually forward the same packets, after applying filtering rules, keeping the TTL relatively intact (albeit decremented by one). So, although Firewalk is a highly effective technique against packet filter firewalls, it does not work at all against proxy firewalls. For services that the firewall is proxying, Firewalk reports that the associated ports are closed."

Statements like this are what started me thinking I'd ask some of you (who probably know a whole lot more about this than I do :-)) your opinion about an OpenBSD with Squid. It sounds like a powerful combination to me! :-)

Ed

On Sun, Mar 23, 2008 at 1:42 PM, System Administrator [EMAIL PROTECTED] wrote:
> On 23 Mar 2008 at 7:58, Ed Flecko wrote:
> > The book is called Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses (2nd Edition) - http://www.amazon.com/Counter-Hack-Reloaded-Step-Step/dp/0131481045/ref=pd_bbs_1?ie=UTF8&s=books&qid=1206284032&sr=8-1
> >
> > The author makes several references to proxy firewalls and implies they are more secure than traditional firewalls because they ignore typical reconnaissance, probing attempts like nmap, etc. because they function at the application layer.
>
> Assuming you have correctly understood the author's intent, then he is completely wrong. There is no difference in the abilities of either proxy or packet-filtering firewalls to block probing (reconnaissance) attempts. In fact, it is much much easier to configure a stealthy (or invisible) firewall with a powerful packet filtering engine like OpenBSD's pf.
>
> The main argument about proxy firewalls being more secure focuses on the ease of configuration, or more specifically on the fact that it is fairly easy for a novice to mis-configure a packet-filter wide open, whereas a well designed application gateway will preclude such a faux-pas.
>
> The second half of the same argument has to do with content analysis -- application gateways (proxies) by definition operate at the application layer and have an inherent ability to analyze the application specific data content and react accordingly, including extensive data re-writing and manipulation. A properly designed packet filter operates only on TCP/IP headers and is oblivious of the payload (data content). This is the reason OpenBSD's pf(4) requires the support of ftp-proxy(8) to allow FTP data transfers across the firewall. For a thorough discussion of this issue (payload manipulation on the firewall) please check the list archives -- there have been a number of excellent threads recently.
>
> If you've come from the Linux world or have looked at some Linux-based commercial firewalls, you have probably seen the term "deep packet inspection". That is an ugly hack whereby the packet filter uses various special cases to examine the payload of the packets passing the firewall. While at first glance this approach seems to provide more control than generic packet header filtering, it still falls way short of the capabilities and reliability of a true proxy -- after all, it still operates on individual packets and will miss many things due to normal or malicious fragmentation.
>
> So, to bring it back to your original question, a typical SOHO OpenBSD firewall is a packet filtering firewall even with a Squid Cache running. After all, which part of the firewall actually implements the security policy and handles the traffic control?
>
> BTW, even if you were to add some application gateways to your OpenBSD firewall, you would only have a hybrid firewall, i.e. one that combines the features and functionality of both packet filtering and proxying. The classic, or true proxy firewall turns IP forwarding off and requires that any traffic crossing the firewall use a dedicated proxy. Such firewalls are never transparent -- the client computers always make their connections to the firewall itself regardless of what the ultimate destination may be. Moreover, because they require a specialized application
Simple OBSD/Samba sharing/restart question
Hi folks,
I'm running OpenBSD 4.2, and I've installed and configured Samba. I have a shared directory on the OBSD box that I store some backup log files in. I want to be able to read the log files (or any other files as well) from the shared directory, but I'm not able to do so. Here's my smb.conf file:

[global]
        workgroup = PROXYBOX
        server string = Samba Server
        security = share

[homes]
        comment = Home Directories
        browseable = no
        writable = yes

[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        guest ok = no
        writable = no
        printable = yes

[shared]
        comment = Shared directory on the proxy server
        path = /var/squid/logs/squid_logs
        read only = no
        browseable = yes
        guest ok = yes
        public = yes

For testing purposes, I've set the permissions on the squid_logs directory to: 777

I can map the drive from a Windows box and even create files/folders...but I can copy files from it to the Windows box or read files.

O.K., I'm stumped; what am I overlooking???

Also, once you've made changes to your smb.conf file, how do you stop/restart Samba???

Thank you,
Ed
Correctly uninstall default Apache and install Apache 2.2.4?
Hi folks,
For a variety of reasons and features, I'd like to install the apache-httpd-2.2.4.tgz package. As a side note, I tried to install it on OpenBSD 4.2, and there are a few package dependencies it apparently is missing (at least on my box, which runs 4.2 without X) because the install fails. Anyway,

1.) Is there a correct way to uninstall the default Apache 1.3 that ships with OpenBSD? I can't use a pkg_delete... can I?
2.) Maybe I don't need to? If I don't uninstall the original Apache, will the new version overwrite the 1.3 version?
3.) Do I need to chroot the Apache 2.2.4 or will the default install set it up that way?

Thank you,
Ed
My ntpd isn't starting on OBSD 4.3?
Hi folks,
O.K., I'm stumped. I've just installed 4.3, and I have the typical:

ntpd_flags=-s

entry in /etc/rc.conf.local and

# sync to a single server
128.9.176.30

# use a random selection of 8 public stratum 2 servers
# see http://support.ntp.org/bin/view/Servers/NTPPoolServers
# servers pool.ntp.org

in /etc/ntpd.conf, and ntpd isn't starting on boot. Am I missing something unique to 4.3?

Thank you.
Re: My ntpd isn't starting on OBSD 4.3?
Yep, that was it. Thanks guys. :-)

On Thu, May 1, 2008 at 1:21 PM, Martin Toft [EMAIL PROTECTED] wrote:
> On Thu, May 01, 2008 at 01:06:41PM -0700, Ed Flecko wrote:
> > Hi folks,
> > O.K., I'm stumped. I've just installed 4.3, and I have the typical:
> >
> > ntpd_flags=-s
> >
> > entry in /etc/rc.conf.local and
> >
> > # sync to a single server
> > 128.9.176.30
>
> AFAIK, you need "server" before the address, i.e.:
>
> server 128.9.176.30
>
> > # use a random selection of 8 public stratum 2 servers
> > # see http://support.ntp.org/bin/view/Servers/NTPPoolServers
> > # servers pool.ntp.org
> >
> > in /etc/ntpd.conf, and ntpd isn't starting on boot. Am I missing something unique to 4.3?
> >
> > Thank you.
How do I set up personal web sites for users?
Hi folks,
I have a few questions about how to set up users on my OBSD 4.3 box. I've created a user (Stephanie) on the box, and I've added her to the /etc/ftpchroot file so she can upload stuff to her directory; now I just want her to be able to reach whatever she uploads (which probably will be just a bunch of files) via Apache and that's where I'm stumped. I was expecting to be able to reach her stuff via the typical *nix http://server/~stephanie, but that didn't work.

1.) Can someone tell me what I'm doing wrong?
2.) Inside the /var/www directory, there's a user directory. What's that for?
3.) Do I need to, or would it be advantageous to, modify the httpd.conf file? What sort of entries might be helpful?

Thank you,
Ed
How do I use digest authentication to allow/deny directory access
Hi folks,
I'm trying to use digest authentication and require a visitor to supply a password in order to be able to access a certain subdirectory. Here's my scenario:

I have a directory called download which is located at: /var/www/htdocs/stephanie/download. I've created a file called digest which is located at: /var/www/conf/digest using the following command:

# htdigest -c /var/www/conf/digest Private guest

Then, I've created an entry in my httpd.conf file that looks like this:

<Directory /stephanie/download>
        AuthType Digest
        AuthName "Pssst...what's the password?"
        AuthUserFile /var/www/conf/digest
        Require user guest
</Directory>

I've then stopped and restarted Apache. I'm apparently missing something because I can get to the home page fine, but I get an "Internet Explorer cannot display the webpage" if I even try and get to http://servername/stephanie

Suggestions?

Thank you, as always.
Ed
Re: How do I use digest authentication to allow/deny directory access
Thanks, Adam

Yeah, I'm still chrooted. Also, I forgot to mention before that I've tried both modules:

LoadModule digest_auth_module /usr/lib/apache/modules/mod_auth_digest.so
LoadModule digest_module /usr/lib/apache/modules/mod_digest.so

and neither seems to work. In fact, if I enable either module, I can't even access the stephanie directory with the referenced entries to my httpd.conf file. That really puzzles me.

Suggestions?

Ed

On Tue, May 6, 2008 at 2:31 PM, Adam Patterson [EMAIL PROTECTED] wrote:
> Ed Flecko wrote:
> ...snip...
> > <Directory /stephanie/download>
> >         AuthType Digest
> >         AuthName "Pssst...what's the password?"
> >         AuthUserFile /var/www/conf/digest
> >         Require user guest
> > </Directory>
> >
> > Ed
>
> If you are still chrooted you need to make sure that's the right directory. If you disabled the chroot then it's obviously another issue.
Re: How do I use digest authentication to allow/deny directory access
It seems like, from what I see on the web, that I should be using:

AuthDigestFile

instead of AuthUserFile; however, when I do that, save the httpd.conf and restart Apache, I get the following error message:

Syntax error on line 61 of /var/www/conf/httpd.conf:
Invalid command 'AuthDigestFile', perhaps mis-spelled or defined by a module not included in the server configuration
/usr/sbin/apachectl start: httpd could not be started

Suggestions???

Ed
Re: How do I use digest authentication to allow/deny directory access
Thanks, Adam.

To test even Basic authentication, I created a file named passwords in the htdocs directory to confirm that Apache could reach it. :-) Then I made this entry in the httpd.conf file:

<Directory /download>
        AuthType Basic
        AuthName Private
        AuthUserFile /var/www/htdocs/passwords
        Require user stephanie
</Directory>

Unfortunately, all I get is an "Internet Explorer cannot display the webpage" error message. I don't get any dialog box to sign in.

I'm stumped. Suggestions?

Ed
How to use fdisk and manually create partitions at 4K increments?
I'd like to install OBSD, and I'd like to manually create my partition structure.

1.) Can someone tell me how to use fdisk to create my partitions at 4K increments?
2.) How do I confirm that the partitions are, in fact, aligned at 4K intervals after I've created them?
3.) Can you recommend a method of testing the performance of one disk that IS aligned at 4K and another disk that is NOT? I'd be very curious to see the performance difference.

Thank you,
Ed
Auto partition starting at Sector 32 and not Sector 64? That's not right, is it?
I started installing 5.1, and selected the auto partition. I saw the first partition starting at Sector 64, which was what I expected. I had to restart my install (through no fault of OBSD), only this time I noticed that the auto install's first partition started at Sector 32. That's odd, isn't it? Shouldn't my install start at Sector 64, or is Sector 32 O.K.?

Thanks!
Ed
Applying 001_libcrypto.patch prompts for File to Patch:
I've created a /usr/src/patches directory which I've downloaded and untarred the 5.1.tar.gz into. Per the patch instructions, I cd to /usr/src and then:

# patch -p0 < /usr/src/patches/5.1/common/001_libcrypto.patch

this is what I get:

# patch -p0 < /usr/src/patches/5.1/common/001_libcrypto.patch
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--
|Apply by doing:
|       cd /usr/src
|       patch -p0 < 001_libcrypto.patch
|
|And then rebuild and install libcrypto:
|       cd lib/libssl/crypto
|       make obj
|       make depend
|       make
|       make install
|
|Index: lib/libssl/src/crypto/mem.c
|===
|RCS file: /cvs/src/lib/libssl/src/crypto/mem.c,v
|retrieving revision 1.13
|retrieving revision 1.13.8.1
|diff -u -p -r1.13 -r1.13.8.1
|--- lib/libssl/src/crypto/mem.c 1 Oct 2010 22:58:53 - 1.13
|+++ lib/libssl/src/crypto/mem.c 22 Apr 2012 01:39:22 - 1.13.8.1
--
Patching file lib/libssl/src/crypto/mem.c using Plan A...
Hunk #1 succeeded at 362.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--
|Index: lib/libssl/src/crypto/asn1/a_d2i_fp.c
|===
|RCS file: /cvs/src/lib/libssl/src/crypto/asn1/a_d2i_fp.c,v
|retrieving revision 1.5
|retrieving revision 1.5.16.1
|diff -u -p -r1.5 -r1.5.16.1
|--- lib/libssl/src/crypto/asn1/a_d2i_fp.c 6 Sep 2008 12:17:48 - 1.5
|+++ lib/libssl/src/crypto/asn1/a_d2i_fp.c 22 Apr 2012 01:39:22 - 1.5.16.1
--
Patching file lib/libssl/src/crypto/asn1/a_d2i_fp.c using Plan A...
Hunk #1 succeeded at 57.
Hunk #2 succeeded at 144.
Hunk #3 succeeded at 164.
Hunk #4 succeeded at 176.
Hunk #5 succeeded at 208.
Hunk #6 succeeded at 227.
Hunk #7 succeeded at 251.
Hunk #8 succeeded at 272.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--
|Index: lib/libssl/src/crypto/buffer/buffer.c
|===
|RCS file: /cvs/src/lib/libssl/src/crypto/buffer/buffer.c,v
|retrieving revision 1.8
|retrieving revision 1.8.8.1
|diff -u -p -r1.8 -r1.8.8.1
|--- lib/libssl/src/crypto/buffer/buffer.c 1 Oct 2010 22:58:54 - 1.8
|+++ lib/libssl/src/crypto/buffer/buffer.c 22 Apr 2012 01:39:22 - 1.8.8.1
--
File to patch:

I've read some prior posts, and I THOUGHT the patch is wanting me to tell it the path to the buffer.c file, but I don't have a /usr/src/lib/libssl/src/crypto/buffer/ directory with the buffer.c file (I only have a /usr/src/lib/libssl/src/crypto directory).

Can someone tell me what I'm doing wrong?

Thank you,
Ed
Re: Applying 001_libcrypto.patch prompts for File to Patch:
Thanks Ted.

After I installed 5.1, I downloaded the src.tar.gz and untarred it into /usr/src

If that's not the correct way (and I guess it's not), can you tell me what IS the correct way to check out the src tree?

Ed

On Thu, Sep 13, 2012 at 10:42 AM, Ted Unangst t...@tedunangst.com wrote:
> On Thu, Sep 13, 2012 at 10:15, Ed Flecko wrote:
> > I've read some prior posts, and I THOUGHT the patch is wanting me to tell it the path to the buffer.c file, but I don't have a /usr/src/lib/libssl/src/crypto/buffer/ directory with the buffer.c file (I only have a /usr/src/lib/libssl/src/crypto directory).
> >
> > Can someone tell me what I'm doing wrong?
>
> Checking out the src tree the wrong way. There has been a buffer/buffer.c file since OpenBSD 2.5. And still is.
Re: Applying 001_libcrypto.patch prompts for File to Patch:
Thank you Ted...I appreciate the advice and tips! Ed
How to PROVE your system is up to date?
I have State and Federal regulators that want me to PROVE (since they're only used to looking at Micro$oft servers) my OBSD 5.1 server is up to date, and there are no outstanding patches that need to be applied. *I* know that's the case, because I follow the patch branch, but how do I show them (i.e., something I could print for them would be best) that my system is up to date and that all patches have been applied???

Thank you,
Ed
Re: How to PROVE your system is up to date?
Thanks Michael! I guess what I'm really asking is... if and when there ARE patches that you've applied, either manually or via following the patch branch, how do you know (i.e., prove to someone like my pesky regulators) that the patches have been applied? For example, I'm sure there's a log file, etc. somewhere that would indicate the changes, isn't there? Ed
Re: How to PROVE your system is up to date?
Thanks Ted!

You lost me - could you explain what you mean by "Make a list of files affected, and then demonstrate that their timestamps occur after the patch publication."?

Ed
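The advice Ed quotes can be turned into something printable. The script below is an added example, not from this thread or from OpenBSD: it reads the affected paths from the errata patch's "Index:" lines (the format visible in the 001_libcrypto.patch output earlier on this page) and reports, for each file under the source tree, whether its modification time is later than the patch's publication date. The patch text and timestamps in the demo are constructed; the source-tree location is an assumption taken from the patch's own "cd /usr/src" instructions.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenBSD): evidence that an errata
# patch was applied, following the "list the affected files, then show their
# timestamps are later than the patch publication" approach.
# Assumes the patch follows the format seen above: one "Index: <path>" line per
# affected file, with paths relative to the source tree (/usr/src on a real box).

# Print the paths named on "Index:" lines of a patch file, one per line.
patch_files() {
    sed -n 's/^Index: //p' "$1"
}

# check_patch_applied PATCH SRCDIR PUBLISHED
#   PUBLISHED is in touch(1) -t form, e.g. 201204220139 for 22 Apr 2012 01:39.
#   Prints one OK / STALE / MISSING line per affected file (the printable
#   evidence) and returns 0 only if every file is present and newer than
#   PUBLISHED. Uses find -newer against a reference file, which works the same
#   on OpenBSD and GNU userlands (stat(1) flags differ between them).
check_patch_applied() {
    patch=$1 srcdir=$2 published=$3
    ref=$(mktemp) || return 2
    touch -t "$published" "$ref" || { rm -f "$ref"; return 2; }
    status=0
    for rel in $(patch_files "$patch"); do
        f="$srcdir/$rel"
        if [ ! -f "$f" ]; then
            echo "MISSING $rel"
            status=1
        elif [ -n "$(find "$f" -prune -newer "$ref")" ]; then
            echo "OK      $rel  (modified after $published)"
        else
            echo "STALE   $rel  (not modified since $published)"
            status=1
        fi
    done
    rm -f "$ref"
    return $status
}

# Demo on constructed data: a fake source tree where mem.c was rebuilt after
# the patch date but buffer/buffer.c was not (the rest of the tree is omitted).
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/src/lib/libssl/src/crypto/buffer"
    cat > "$tmp/001_libcrypto.patch" <<'EOF'
Index: lib/libssl/src/crypto/mem.c
(constructed stand-in for the hunks)
Index: lib/libssl/src/crypto/buffer/buffer.c
(constructed stand-in for the hunks)
EOF
    touch -t 201205010900 "$tmp/src/lib/libssl/src/crypto/mem.c"
    touch -t 201201010900 "$tmp/src/lib/libssl/src/crypto/buffer/buffer.c"
    check_patch_applied "$tmp/001_libcrypto.patch" "$tmp/src" 201204220139
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Expected: OK for mem.c, STALE for buffer/buffer.c, non-zero return.
demo || echo "(at least one affected file is not proven patched)"
```

On a real box, point SRCDIR at /usr/src (or at the installed library paths the patch tells you to rebuild) and use the date from the errata page as PUBLISHED; the OK/STALE/MISSING listing is the part worth printing.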
Re: How to PROVE your system is up to date?
Excellent!...thanks Steve. :-) Ed
How to stress (performance?) test my PF rules?
Does anyone have any suggestions on how to best test the performance of my PF ruleset? Maybe iperf? I'm just diving into learning PF and as I make changes to my ruleset, it would be great if there's a good way of testing the traffic flow through my OBSD box. Suggestions? Thank you, Ed