multi-package ports make

2024-04-18 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
Can somebody tell me what I'm doing wrong here? When I run 'make' against this makefile it blows up with: Fatal: WRKDIR ends with a slash: /usr/ports/pobj/ (in hush/hush-proxyctl) Fatal: WRKDIST ends with a slash: /usr/ports/pobj/ (in hush/hush-proxyctl) Fatal: WRKSRC ends with a slash:

Re: securelevel=2 and mount hardening

2024-03-26 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
Stuart Henderson writes: > I think you'd need to disable mount completely, otherwise you can mount > a new writable filesystem (e.g. MFS) that doesn't have noexec. Yeah, I completely missed that vector. And really, that makes more sense. How often do you live mount filesystems on a firewall?

Re: securelevel=2 and mount hardening

2024-03-25 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
Omar Polo writes: > or they can just upload to /usr/local or /home, or mess with /etc, or... > I don't see how this would help. It's another layer to make things more difficult. If the writable filesystems are noexec and they can't take that away, uploads become less valuable. /etc is always

securelevel=2 and mount hardening

2024-03-24 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
I am curious to hear people's thoughts on adding some mount(2) hardening when the system is running at securelevel 2. Specifically: * do not allow removing MT_NODEV, MT_NOEXEC, MT_NOSUID, or MT_RDONLY in conjunction with MNT_UPDATE * do not allow MNT_WXALLOWED in

Re: pf nat64 rule not matching

2024-03-15 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
Try changing ($wan:0) to $(wan) and see what happens.

Re: Automatic OS updates

2024-02-16 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
Kevin Williams writes: > The main use case I see for this is to manage a fleet of more than 10 or > so machines/VMs/instances. rdist or a package such as Ansible could > manage the crontab and possibly search announce@ on marc.info for > keywords to hold off on the upgrade. Blind updating out

Re: unbound resolving 10.in-addr.arpa

2023-12-14 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
Todd C. Miller writes: > local-zone: "1.1.10.in-addr.arpa." transparent That (well, a variant) was the answer. I was having a real problem wrapping my head around what 'transparent' did, so I was applying it incorrectly. Thanks for prodding me to revisit it! --lyndon

unbound resolving 10.in-addr.arpa

2023-12-14 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
I am at Wit's End. I am trying to get unbound to serve up reverse DNS for our internal 1918 address space. I have been going hammer and tongs at unbound.conf to try to make it forward requests for '*.10.in-addr.arpa.' to our two internal nameservers that are authoritative for the

Re: squid replacement

2023-10-23 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
Sean Kamath writes: > Just which hosts and ports? No caching? Sorry, I should have given a better description ... We proxy http, https, and rsync. squid functions as a simple L7 relay for those protocols. The purpose of the proxy is to restrict 1) which internal hosts can establish outbound

squid replacement

2023-10-20 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
We've been running squid on OpenBSD for years, but it seems these days that any time it tries to proxy a file > 1MB, it just dies. This makes it impossible to do things like mirror the OpenBSD distributions. Does anyone know of another HTTP proxy that supports squid-style ACLs? That's a big part

Re: No /etc/rpki/arin.tal?

2023-09-13 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
Peter Hessler writes: > On 2023 Sep 13 (Wed) at 14:45:37 -0700 (-0700), Lyndon Nerenberg (VE7TFX/VE6BBM) wrote: > :This might be worth a note in the rpki-client manpage > > Please re-read my entire email. > Doh! Sorry, I didn't look at that part of the page as I already knew where the files

Re: No /etc/rpki/arin.tal?

2023-09-13 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
Peter Hessler writes: > Because ARIN insists on a completely ridiculous agreement for a public > key to verify their data. That's odd. I didn't have to agree to anything to download the file. This might be worth a note in the rpki-client manpage, as it certainly violates POLA. --lyndon

No /etc/rpki/arin.tal?

2023-09-13 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
After some head bashing wondering why rpki-client wasn't finding our ROAs I discovered the system doesn't ship with ARIN's tal file. So great swaths of RPKI data aren't getting downloaded. Why are those things? --lyndon

Re: Stacked MTUs

2023-09-07 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
> dmesg | grep em em0 at pci8 dev 0 function 0 "Intel I210" rev 0x03: msi, address 00:25:90:b8:82:b8 em1 at pci9 dev 0 function 0 "Intel I210" rev 0x03: msi, address 00:25:90:b8:82:b9 em2 at pci12 dev 0 function 0 "Intel I350" rev 0x01: msi, address 00:25:90:b8:82:ba em3 at pci12 dev 0

Stacked MTUs

2023-09-07 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
I'm setting up jumbograms on a couple of vlans stacked on an aggr and I need a sanity check that I'm doing this right. The switches use a hardware MTU of 9192. We want an IP MTU of 9000 for the vlans. I'm assuming this will work? ifconfig em1 mtu 9192 ifconfig em5 mtu 9192 ifconfig

Re: pf state-table-induced instability

2023-08-24 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
Gabor LENCSE writes: > If you are interested, you can find the results in Tables 18 - 20 of > this (open access) paper: https://doi.org/10.1016/j.comcom.2023.08.009 Thanks for the pointer -- that's a very interesting paper. After giving it a quick read through, one thing immediately jumps out.

pf state-table-induced instability

2023-08-24 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
For over a year now we have been seeing instability on our firewalls that seems to kick in when our state tables approach 200K entries. The number varies, but it's a safe bet that once we cross the 180K threshold, the machines start getting cranky. At 200K+ performance visibly degrades, often

ip6-only ipsec tunnel over ip4

2023-07-25 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
I need to set up an ipsec tunnel between a couple of ip6 networks, but I only have an ip4 path between the two gateways. I don't want any ip4 traffic inside the ipsec tunnel, so I'm a bit puzzled about how to set this up. Once I have the end-points up, can I just point the ip6 traffic and routes

BGP Router Hardware Suggestions

2023-06-29 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
We are about to discover the joys of upstream BGP routing :-P The current plan is to use a pair of OpenBSD+bgpd hosts as the routers. Each host will require 4x10gig ports (SFP+). One of those links (to AWS) will be close to saturated, along with the downlink to our switches. The other two will

Re: carp flapping

2023-05-15 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
Nick, spare yourself the pain and just designate one machine as the master. This is how we run all our proxy server pairs (nginx, squid, other stuff). For a pair fooa/foob, 'a' is the master, and gets advskew 100. The 'b' host gets 150. Make sure preemption is enabled. When it's upgrade time,

Re: OpenBSD support for xattr on file systems other than UFS ?

2023-05-15 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
Marcus MERIGHI writes: > > vfs = catia fruit streams_xattr > > I run a Samba server that does not have these options set - but > successfully serves iOS/macOS clients. You need those extra attributes if you want to use your Samba share for TimeMachine backups. --lyndon

Logitech C922 Video Issues

2022-12-20 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
I have a C922 wired up to a mid-2014 Mac Mini. The system sees the camera, /dev/video responds as expected, but when I run video(1) I just get a window with a solid green background. The camera works with MacOS, so I know the hardware is good, and when I run the command the white "on the air"

Re: spurious synproxy warning from pfctl

2022-10-27 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
Stuart Henderson writes: > "synproxy state" cannot work on outbound (for more details see > https://marc.info/?l=openbsd-tech=160686649524095=2). > > Because pfctl is doing something other than what you asked it to do, > IMO the warning makes sense. > > Alternatively it could be classed as an

spurious synproxy warning from pfctl

2022-10-24 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
Given the rule pass proto tcp from any to mail.example.com \ port { 25 80 110 143 443 587 993 } synproxy state pfctl barks /etc/pf.conf:586: warning: synproxy used for inbound rules only, ignored for outbound It's pretty obvious from reading pf.conf(5) that the above is the

Re: smtpd.conf: '... reject "message"' fails

2022-10-21 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
Florian Obser writes: > > You need this one: > > filter filter-name phase phase-name match conditions decision > Register a filter filter-name. A decision about what to do with > the mail is taken at phase phase-name when matching conditions. > Phases,

smtpd.conf: '... reject "message"' fails

2022-10-20 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
My reading of smtpd.conf says that any reject action should be able to take a message parameter. Yet the following line is rejected with a syntax error message: match mail-from rdns regex "\.t-online\.de$" reject "550 5.7.1 you don't accept our mail, so we don't accept yours." Yet the same

Re: A minimal browser in base

2022-09-12 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
Chris Bennett writes: > I would instead recommend a new package with the critical newbie > information included in text form. > FAQ, anoncvs and ftp addresses, etc. Long ago and far away, the Berkeley distributions used to ship an assortment of system documentation in /usr/share/doc, including a

Supermicro SYS-510T-MR PXE issues

2022-09-12 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
We have one of the above (X12STH-SYS motherboard) that's refusing to PXE boot. It's connecting to DHCP and downloading the pxeboot file (according to tftpd), and the bios appears to be printing a message saying the boot image was successfully loaded, but it only stays on the screen for about 200ms

whither struct __kvm?

2022-09-09 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
The first declaration in is: typedef struct __kvm kvm_t; and yet 'grep -r __kvm /usr/include /sys' returns only the above line. What am I missing? --lyndon

Re: port builds with inline source

2022-07-05 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
Marc Espie writes: > have DISTFILES be empty, put your sources under FILESDIR > and a bit of glue to ln/mv them into WRKDIR since you got to have a WRKDIR > for ports. That was hinted at by a few people, and it's working like a champ! --lyndon

port builds with inline source

2022-06-29 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
We have a number of in-house utilities that we push out as packages. Right now these are built using the standard make framework, with a bunch of hand-crafted glue to build and sign the packages before pushing them to our internal distribution server. I would really like to take advantage of to

Re: calling all PFsync users for experience, gotchas, feedback, tips and tricks

2022-05-12 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
Nick Holland writes: > Wrote a little script which, when run: Good grief, man! Just put the pf.conf in CVS and push it with rdist. We do that for all our carped firewall pairs and it works a treat. The following 'special' command in the Distfile will give you a failsafe reload of the pf rules:

Re: rc.daily missing diff markers

2022-04-22 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
Ingo Schwarze writes: > That's not new, it has been like that for at least 14 years and likely > much longer: Heh :-) Filing a bug report about my horrible memory seems wrong. > I don't think adding the more characters to each line would be a good idea. > It would cause line wrapping in mail

Re: 7.1 & nsd - failed writing to tcp: Permission denied

2022-04-22 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
Laura, for a first step I would look at pflog(4). As Peter hinted, if you have an obscure pf rule blocking things after the connection sets up, this will point it out. (Make sure you have all the appropriate pflog bits enabled, of course.) If that doesn't work your next step is to fire up

rc.daily missing diff markers

2022-04-22 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
In the output from the daily insecurity report run, the sections on setuid and block device changes are missing any diff markup. The remaining sections are fine. From this morning's post-7.1-upgrade run: Setuid changes: -r-sr-xr-x 2 root bin 355952 Sep 30 13:01:03 2021 /sbin/ping

Spurious errors from syspatch -c

2022-04-22 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
After the 7.1 update syspatch -c started throwing errors due to a missing signatures file: Patch check: syspatch: Error retrieving http://ftp.openbsd.org/pub/OpenBSD/syspatch/7.1/amd64/SHA256.sig: 404 Not Found The error is valid. To suppress this message it would make sense to drop an

pf synproxy

2021-11-10 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
I'm trying to get synproxy working on a firewall, using the following rule: pass quick proto tcp from any to $front_smtp4 port 25 synproxy state The firewall accepts the connection on the outside interface, but I don't see (tcpdump) any attempt to complete the connection on the inside