ftp-proxy binat design -- Was: Re: binat questions
On 03/22/2007 03:17:00 PM, Stuart Henderson wrote:

    One thing to watch out for with binat: you can't use it with ftp-proxy(8), since binat is of higher priority than the rdr or nat rules which are added to the anchor. The workaround there is to list nat and rdr separately.

I just figured this out myself. binat + ftp-proxy = passive ftp broken.

It seems a bit clunky to work around this in pf.conf by doing both an rdr and a nat, and having double the states in consequence. Instead, how does the design below sound?

The basic idea is to modify ftp-proxy so it adds binat rules to its anchors. ftp-proxy adds a binat rule for every nat rule added to its anchors. Like so (based on the man page):

snip---
In case of passive mode (PASV or EPSV):

    binat from $client to $server port $port -> $proxy
    nat from $client to $server port $port -> $proxy
    pass in quick inet proto tcp \
        from $client to $server port $port
    pass out quick inet proto tcp \
        from $proxy to $server port $port
snip---

The ftp-proxy(8) man page could then have something like this starting the CONFIGURATION section:

snip---
To make use of the proxy, pf.conf(5) needs the following rules. The binat-anchor is optional, all other anchors are mandatory. The binat-anchor should be filtered so that it applies to connections initiated by those hosts, and only those hosts, which are translated with binat rules further down in the pf rule set. Applying the binat-anchor to hosts not translated with binat rules, especially to connections initiated from the Internet, may be a security risk. Adjust the rules as needed.

In the TABLE section:

    table <binatted_hosts> { 192.168.1.10, 192.168.1.11 }

At the top of the NAT section:

    binat-anchor ftp-proxy/* from <binatted_hosts> to any
    nat-anchor ftp-proxy/*
    rdr-anchor ftp-proxy/*
    rdr pass on $int_if proto tcp from $lan to any port 21 -> \
        127.0.0.1 port 8021
snip---

Note that in theory ftp-proxy could use binat all the time instead of nat. Not only would this horribly break backwards compatibility with existing pf configs, it would require much care when writing pf configs to ensure that the binat was filtered so that it is used only when the ftp client initiates a passive ftp data connection. I can't think of a way to write the binat rule so that it will only ever apply when the ftp client initiates a passive data connection. But then, it's late. If somebody else can, then the binat-anchor config line in pf.conf becomes simpler, and nat _could_ be entirely replaced by binat.

Yes Virginia, FTP is ugly.

Regards,

Karl [EMAIL PROTECTED]
Free Software: You don't pay back, you pay forward. -- Robert A. Heinlein
Re: Relaying denied. Trying to do TLS+SMTP AUTH. Do I really need SASL?
Lyndon Nerenberg [EMAIL PROTECTED] writes:

        Well, that is exactly what I want to do. I use the system passwords for imap anyway, so why not? Of course, the channel must be protected by SSL/TLS when you do that.

    Because there are a large number of IMAP clients that are not aware of LOGINDISABLED, and which will blindly attempt LOGIN or AUTH PLAIN in the absence of TLS (which they are not aware of, either). Many IMAP clients predate RFC3501. So those passwords (with the matching authentication ids) are going to be flying around the Internet in the clear no matter what you do. Using the UNIX account password for IMAP (or POP) in this manner makes your system effectively password free.

You have a way with words, but I think you are exaggerating slightly. I have never allowed plaintext IMAP/POP. Wouldn't dream of it. The client is Thunderbird. The default IMAP configuration will use plaintext passwords, but only if it talks to an IMAP server that does not support TLS, but see above. Also, I always use imaps/993, and not TLS on 143. I don't feel comfortable using a password over a connection that is encrypted, if possible. But I must thank you for reminding me to disable port 143.

-- 
Fredrik Stax\ang | rot13: [EMAIL PROTECTED]
This is all you need to know about vi: ESC : q ! RET
Re: following stable, extra file sets?
On Saturday, June 30, 2007 at 21:54:00 -0500, Aaron wrote:

    That sounds good, and i read http://www.openbsd.org/faq/upgrade41.html about upgrading, and http://www.openbsd.org/faq/faq5.html#Release

    When following stable with the method described in the faq, i didn't notice anything about final steps as outlined in the upgrade faq. Can i safely assume since i'm not in fact upgrading, only updating, that I wouldn't have to worry about upgrading /etc, new users and groups, operational changes, /etc file changes and checking the kernel as described in the final steps of the upgrade faq? Would this leave all of my /etc files intact with any changes I have made?

Yes, you can safely assume that changes in the tree that require steps as described in the upgrade-faq, like adding new users and groups, won't go into -stable. So when updating to a new -stable snapshot, it's OK to install the new kernel, reboot and untar the file sets you need (except etcXX.tgz and xetcXX.tgz). I don't think it's required to untar the file sets in single user mode, but it won't hurt.

best regards,
Maurice
Re: Setting up a virtual hosting machine w. SSH/SFTP accounts - pitfalls/experiences?
On 2007/06/30 20:23, Chris Cappuccio wrote:

    For the rest, just give each domain name/user their own httpd instance running with its own config, its own unix user, and its own IP address.

Or use different ports and proxy them based on host headers rather than burning IP addresses (for some RIR you are expected not to use IP addresses for non-SSL virtual web hosting). I haven't checked, but hoststated should be able to do this.
Re: ssh and sudo, password not hidden
OK, problem solved. But why doesn't this flag get set implicitly when using a command with ssh?

Chris Cohen wrote:

    On Saturday 30 June 2007 19:31, Tom Van Looy wrote:

        Hi

        Today I used sudo as command to ssh and it echoed my sudo password.

        [EMAIL PROTECTED] ~] $ ssh soekris sudo pfctl -s state
        [EMAIL PROTECTED]'s password:
        Password:secret_in_echo
        output of pfctl /
        [EMAIL PROTECTED] ~] $

        I don't see anything about this in the manpage so I think this is not expected behaviour. Normally I ssh from an Ubuntu box to the firewall, but to be sure, I ssh-ed to localhost on the openbsd box and I got the same result. What's wrong?

    Add -t to your ssh command:

        -t      Force pseudo-tty allocation. This can be used to execute arbitrary screen-based programs on a remote machine, which can be very useful, e.g. when implementing menu services. Multiple -t options force tty allocation, even if ssh has no local tty.
no partition number, how to mount a msdos partition
hello,

my OpenBSD hard disk has a msdos partition, but it has no partition number like sd0x (my system's partitions were from sd0a to sd0g). How can I mount it or put it into fstab?

thanks!
Re: path traversal exploits
On 6/29/07, J.C. Roberts [EMAIL PROTECTED] wrote:

    The unarj v2.43 archiver we have for use with clamav virus scanning does not really work. The same is true for the newer 2.65 version released by the author. The problem is unarj is unable to extract with paths, hence it will overwrite files and stuff won't actually be scanned.

    At the moment, I've got a working port of 2.65 patched to extract with full paths. The last problem to solve is preventing path traversal exploits. I suspect that just searching for double dot .. in the to be created path string is not enough but since I've never done this sort of thing, I'm not sure where/what to ask.

    I would like to find a standardized, well tested way to test strings for potential path traversal sequences. Searching with google has been fruitless. If you'd be so kind as to drop kick me in the right direction, possibly example code, it would be much appreciated.

Well, the only way I know of to go up a directory level is .. or softlinks that point up. So that should be all you have to check for.

(and even if I'm wrong, hopefully now more people will notice your question)

-Nick
books.html out of date?
Is books.html falling behind? FYI, from looking at a few books i suspect the following:

- Building Linux and OpenBSD Firewalls describes OpenBSD 2.5 and IPFilter...
- Computer Networks does not refer to the latest edition (ISBN 0130661023 is edition 4)

Of course there could be other useful fundamental stuff in old books as well (IPFilter NOT included), but I thought I'd just mention it.

... or is the OpenBSD/amazon association for specific ISBN's?

/Alexander
Re: path traversal exploits
Nick Guenther wrote:

    On 6/29/07, J.C. Roberts [EMAIL PROTECTED] wrote:

        The unarj v2.43 archiver we have for use with clamav virus scanning does not really work. The same is true for the newer 2.65 version released by the author. The problem is unarj is unable to extract with paths, hence it will overwrite files and stuff won't actually be scanned.

        At the moment, I've got a working port of 2.65 patched to extract with full paths. The last problem to solve is preventing path traversal exploits. I suspect that just searching for double dot .. in the to be created path string is not enough but since I've never done this sort of thing, I'm not sure where/what to ask.

        I would like to find a standardized, well tested way to test strings for potential path traversal sequences. Searching with google has been fruitless. If you'd be so kind as to drop kick me in the right direction, possibly example code, it would be much appreciated.

    Well, the only way I know of to go up a directory level is .. or softlinks that point up. So that should be all you have to check for.

    (and even if I'm wrong, hopefully now more people will notice your question)

Well, a slash in the beginning of path names made me overwrite my entire /etc dir with another machine's configuration... However, that was with tar and not unarj...

/Alexander
Re: no partition number, how to mount a msdos partition
Alex Kwan wrote:

    my OpenBSD hard disk have a msdos partition, but it has no partition number like sd0x, (my system's partition no. was from Sd0a to Sd0g) how can I mount it or put it into fstab? thanks!

First, do `fdisk sd0` and locate the boundaries of the msdos file system.

Then `disklabel -E sd0x` and add a partition of type MSDOS with the specified boundaries.

NOTE! You must allow disklabel to point outside of the OBSD part of the disk, using the b command. Usually ``b<enter>0<enter>*<enter>'' is your friend.

/Alexander
Re: path traversal exploits
Alexander Hall wrote:

    Well, a slash in the beginning of path names made me overwrite my entire /etc dir with another machines configuration... However, that was with tar and not unarj...

Correcting myself after some testing. It was using pax. :-)

/Alexander
Re: path traversal exploits
J.C. Roberts wrote on Fri, Jun 29, 2007 at 12:46:02PM -0700:

    The unarj v2.43 archiver we have for use with clamav virus scanning does not really work. The same is true for the newer 2.65 version released by the author. The problem is unarj is unable to extract with paths, hence it will overwrite files and stuff won't actually be scanned.

    At the moment, I've got a working port of 2.65 patched to extract with full paths. The last problem to solve is preventing path traversal exploits. I suspect that just searching for double dot .. in the to be created path string is not enough but since I've never done this sort of thing, I'm not sure where/what to ask.

I just checked what Mark Dowd/John McDonald/Justin Schuh tell on path traversal vulnerabilities in The Art of Software Security Assessment. They treat this topic at several points, but don't give any reference implementation saying "do it like this".

If you want to keep unarj portable, keep in mind that different platforms use different path syntax: just to give two non-exhaustive examples, / vs. \ for separators and ^/ vs. ^[A-Z]:\\ for file system roots come to mind. In the following, i shall restrict myself to Unix all the same, as i did too little programming on other platforms.

On Unix, as far as i know, the only ways to achieve path traversal are

- either starting the path with /
- or including .. in the path.

When checking the path, make sure to first fully concatenate it before checking it. Otherwise, dir=. + file=./myfile might get you.

Check for just .., not ../ or /.. or even /../. Keep in mind that // is equivalent to /.

Keep in mind that handling paths may expose other vulnerabilities besides path traversal, in particular buffer overflows or path truncation triggered by paths containing long strings like .././//.

Depending on how you are using the path in the end of the day, also give thought to shell globbing (which is a much more difficult problem than just path traversal). Note shell globbing is shell dependent: Try `ls -d .*.` on ksh and bash.

Finally, consider whether you only need path checking or whether you also need path normalisation. Path normalisation is considerably more difficult than just checking for path traversal. On the other hand, depending on the particular context, using realpath(3) and checking the result may or may not be a nice way to guard against path traversal.

You might also consider looking at the tar(1) sources in /usr/src/bin/pax to understand how initial slashes can be handled. On the other hand, even venerable tar(1) does not bother preventing path traversal. Why? You can regard having .. in file names in the archive as a feature rather than a bug. Unless running privileged, you cannot clobber /root/.profile anyway. In case you have installed tar SUID, you get what you deserve. When running anything as root, you should only be using trusted input files anyway. Look here:

    [EMAIL PROTECTED] $ mkdir -p oldroot/olddir newroot/newdir
    [EMAIL PROTECTED] $ touch oldroot/olddir/myfile
    [EMAIL PROTECTED] $ cd oldroot/olddir/
    [EMAIL PROTECTED] $ tar -cvf /tmp/my.tar ..
    ..
    ../olddir
    ../olddir/myfile
    [EMAIL PROTECTED] $ cd ../../newroot/newdir/
    [EMAIL PROTECTED] $ tar -xvf /tmp/my.tar
    ..
    ../olddir
    ../olddir/myfile
    [EMAIL PROTECTED] $ ls
    [EMAIL PROTECTED] $ cd ..
    [EMAIL PROTECTED] $ find .
    .
    ./newdir
    ./olddir
    ./olddir/myfile

    I would like to find a standardized, well tested way to test strings for potential path traversal sequences. Searching with google has been fruitless. If you'd be so kind as to drop kick me in the right direction, possibly example code, it would be much appreciated.

Perhaps someone more experienced can comment on this one. I'm not exactly sure, but i suspect you found nothing for the following simple reason: if all you want to do is checking for simple path traversal under Unix, m/^\// and m/\.\./ are all you need.
Re: no partition number, how to mount a msdos partition
On 7/1/07, Alexander Hall [EMAIL PROTECTED] wrote:

    Alex Kwan wrote:

        my OpenBSD hard disk have a msdos partition, but it has no partition number like sd0x, (my system's partition no. was from Sd0a to Sd0g) how can I mount it or put it into fstab? thanks!

    First, do `fdisk sd0` and locate the boundaries of the msdos file system.

    Then `disklabel -E sd0x` and add a partition of type MSDOS with the specified boundaries.

    NOTE! You must allow disklabel to point outside of the OBSD part of the disk, using the b command. Usually ``b<enter>0<enter>*<enter>'' is your friend.

Additionally: OpenBSD usually automatically detects FAT partitions and puts them into the disklabel (read up on this in the FAQ and in man 8 disklabel) as partition i, even if it's not within the supposed OpenBSD boundaries of the disk. I don't know what's up with your system. If you still can't figure it out, provide fdisk and disklabel output for us and we'll try to figure it out.

-Nick
Re: no partition number, how to mount a msdos partition
Alexander Hall wrote:

    Then `disklabel -E sd0x` and add a partition of type MSDOS with the

For the record: should be `disklabel -E sd0`

/Alexander
Re: path traversal exploits
    Perhaps someone more experienced can comment on this one. I'm not exactly sure, but i suspect you found nothing for the following simple reason: if all you want to do is checking for simple path traversal under Unix, m/^\// and m/\.\./ are all you need.

Except that it would make valid names like path/foo...bar/baz fail. I'd rather test for

    m#(?:^|/)\.\.(?:/|$)#    (perl regexp)

or

    m#^\.\.$#
    m#^\.\./#
    m#/\.\./#
    m#/\.\.$#

Untested though. Expect it to fail or don't blame me.

/Alexander
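The two points made above, checking the fully concatenated path with "//" treated as "/" (Ingo's reply) and matching ".." only as a whole path component so that names like path/foo...bar/baz still pass (Alexander's correction), written out as an added C example; this is not code from unarj or from either poster, and the function names, the 1024-byte scratch buffer and the sample member names are assumptions:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Reject extraction paths that could escape the target directory on Unix:
 * an absolute path (leading '/') or any component that is exactly "..".
 * Components are found by splitting on '/', with runs of slashes treated
 * as a single separator, so "a//../b" and "a/../b" are handled alike,
 * while "foo...bar" or "..foo" are accepted as ordinary names. This is
 * the component-wise equivalent of the (?:^|/)\.\.(?:/|$) regexp. */
bool path_is_safe(const char *path)
{
    if (path == NULL || path[0] == '\0')
        return false;                       /* nothing sensible to create */
    if (path[0] == '/')
        return false;                       /* absolute: escapes the dir */

    const char *p = path;
    while (*p != '\0') {
        while (*p == '/')                   /* "//" is equivalent to "/" */
            p++;
        if (*p == '\0')
            break;                          /* trailing slash, no component */
        const char *start = p;
        while (*p != '\0' && *p != '/')
            p++;
        if (p - start == 2 && start[0] == '.' && start[1] == '.')
            return false;                   /* a ".." component */
    }
    return true;
}

/* Check the fully built target, not its parts. The join here is plain
 * concatenation, the pitfall the thread describes: dir "." and file
 * "./myfile" become "../myfile". Each part passes path_is_safe() on its
 * own; only the joined result reveals the traversal. Truncation of the
 * scratch buffer is treated as unsafe rather than silently accepted. */
bool joined_is_safe(const char *dir, const char *file)
{
    char target[1024];                      /* assumed PATH_MAX-sized buffer */
    int n = snprintf(target, sizeof target, "%s%s", dir, file);
    if (n < 0 || (size_t)n >= sizeof target)
        return false;
    return path_is_safe(target);
}

int main(void)
{
    /* constructed sample archive member names, not taken from any archive */
    const char *members[] = {
        "docs/readme.txt", "path/foo...bar/baz", "..foo",
        "/etc/passwd", "../etc/passwd", "a/../../b", "a//..//b", "..",
    };
    for (size_t i = 0; i < sizeof members / sizeof members[0]; i++)
        printf("%-20s %s\n", members[i],
               path_is_safe(members[i]) ? "ok" : "REJECT");

    printf("dir \".\" + file \"./myfile\": parts %s/%s, joined %s\n",
           path_is_safe(".") ? "ok" : "REJECT",
           path_is_safe("./myfile") ? "ok" : "REJECT",
           joined_is_safe(".", "./myfile") ? "ok" : "REJECT");
    return 0;
}
```

An extractor that inserts the separator itself when joining avoids the "../myfile" case, but the check still belongs on the joined string, after any platform-specific normalisation.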
question for install bash-3.2
Hello,

thanks to everyone, the mount problem was solved, the msdos partition was sd0i.

I installed bash with pkg_add bash-3.2.tgz, but it failed with the following error message:

    Not an ustar archive header at /usr/libdata/perl5/OpenBSD/ustar.pm line 114.

What is my problem? many thanks!
ftp-proxy fxp transfers
Hi,

according to http://www.openbsd.org/faq/pf/ftp.html i've set up ftp-proxy and changed my pf.conf. A client on the external interface of the firewall can upload files, using passive and active mode. But fxp transfers (server to server) don't work. My ftpserver (vsftpd) on the host behind the firewall doesn't tell me anything but:

    Sun Jul 1 18:11:27 2007 [pid 3929] [chris] FAIL UPLOAD: Client 10.1.3.1, /home/chris/README.MIRRORING-US, 0.00Kbyte/sec

Doesn't ftp-proxy support fxp transfers in reverse mode? Or do I need to not keep state/set flags in pf.conf?

-- 
Greetings
Chris
can not install binaries with pkg_add
Hello All,

I'm having a hard time trying to install packages on my machine.

1. PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.1/packages/i386/

2. pkg_add -i screen gives me the following:

    sh: cannot create /var/tmp/pkgout.V6ybCkITOgB: File exists
    No packages available in the PKG_PATH
    Can't resolve screen

3. here's my dmesg (OpenBSD 4.1 (GENERIC) #1435, i386, Pentium III 1 GHz; full dmesg omitted)
Re: ftp-proxy binat design -- Was: Re: binat questions
On Sun, 1 Jul 2007, Karl O. Pinc wrote:

    On 03/22/2007 03:17:00 PM, Stuart Henderson wrote:

        One thing to watch out for with binat: you can't use it with ftp-proxy(8), since binat is of higher priority than the rdr or nat rules which are added to the anchor. The workaround there is to list nat and rdr separately.

    I just figured this out myself. binat + ftp-proxy = passive ftp broken

    It seems a bit clunky to work around this in pf.conf by doing both an rdr and a nat, and having double the states in consequence. Instead, how does the design below sound?

    The basic idea is to modify ftp-proxy so it adds binat rules to its anchors. ftp-proxy adds a binat rule for every nat rule added to its anchors. Like so (based on the man page):

    snip---
    In case of passive mode (PASV or EPSV):

        binat from $client to $server port $port -> $proxy

You cannot use port in binat rules, so that would not work.

An alternative would be to use a "no binat from $client to $server" so the nat rule in the ftp-proxy can take effect. But that would disable binat completely from $client to $server, which is unacceptable, even for a short while.

I think this problem can only be fixed in pf itself, by not prioritizing binat and just using the order in which all NAT rules are configured. That could subtly break some rulesets though, and it might be quite a lot of work.

So rewriting binat to nat+rdr for hosts that need proxied FTP remains the only solution.

-- 
Cam
Re: ftp-proxy fxp transfers
On 2007/07/01 18:14, Chris Cohen wrote:

    Doesn't ftp-proxy support fxp transvers in reverse mode?

    The negotiated IP address for active modes is ignored for security reasons. This makes third party file transfers impossible.
Re: ftp-proxy fxp transfers
On Sun, 1 Jul 2007, Chris Cohen wrote:

    according to http://www.openbsd.org/faq/pf/ftp.html i've setup ftp-proxy and changed my pf.conf. A client on the extern interface of the firewall can upload files, use passive and active mode. But fxp transfers (server to server) doesn't work. My ftpserver (vsftpd) on the host behind the firewall doesn't tell me anything but:

        Sun Jul 1 18:11:27 2007 [pid 3929] [chris] FAIL UPLOAD: Client 10.1.3.1, /home/chris/README.MIRRORING-US, 0.00Kbyte/sec

    Doesn't ftp-proxy support fxp transvers in reverse mode?

No, this entry in the manpage CAVEAT section applies:

    The negotiated IP address for active modes is ignored for security reasons. This makes third party file transfers impossible.

I do have plans to make ftp-proxy optionally allow negotiated IP addresses, but I'm a bit busy at the moment, so don't hold your breath.

-- 
Cam
Re: ftp-proxy fxp transfers
On Sunday 01 July 2007 18:14, Chris Cohen wrote:

    Hi,

    according to http://www.openbsd.org/faq/pf/ftp.html i've setup ftp-proxy and changed my pf.conf. A client on the extern interface of the firewall can upload files, use passive and active mode. But fxp transfers (server to server) doesn't work. My ftpserver (vsftpd) on the host behind the firewall doesn't tell me anything but:

        Sun Jul 1 18:11:27 2007 [pid 3929] [chris] FAIL UPLOAD: Client 10.1.3.1, /home/chris/README.MIRRORING-US, 0.00Kbyte/sec

    Doesn't ftp-proxy support fxp transvers in reverse mode? Or do I need to not keep state/set flags in pf.conf?

One thing I should add: the file is created but with zero size. The only note the client gets is:

    425 Failed to establish connection.
    Transfer Failed!

-- 
Greetings
Chris
Re: can not install binaries with pkg_add
On 7/1/07, Alden Pierre [EMAIL PROTECTED] wrote:

    Hello All,

    I'm having a hard time trying to install packages on my machine.

    1. PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.1/packages/i386/

    2. pkg_add -i screen gives me the following:

        sh: cannot create /var/tmp/pkgout.V6ybCkITOgB: File exists
        No packages available in the PKG_PATH
        Can't resolve screen

You probably didn't export PKG_PATH into your environment:

    $ env - ksh
    $ env
    _=/usr/bin/env
    PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin:/usr/local/bin
    $ PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.1/packages/i386/
    $ env
    _=/usr/bin/env
    PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin:/usr/local/bin
    $ sudo pkg_add -i screen
    Password:
    No packages available in the PKG_PATH
    Can't resolve screen
    $ export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.1/packages/i386/
    $ sudo pkg_add -i screen
    Ambiguous: choose package for screen
        0: <None>
        1: screen-4.0.3p0
        2: screen-4.0.3p0-shm
        3: screen-4.0.3p0-static
    Your choice:

DS
Formatting MS-DOS drive
I have a usb flash drive that I wish to reformat as an MS-DOS (FAT) file system. How do I do that on OpenBSD?

I want the drive to be formatted in the same manner that a Windows machine or Macintosh might format an MS-DOS file system. So clearly, I don't want to use disklabel, since OpenBSD disklabels are only intended to be read by OpenBSD.

I know that fsck_msdos can repair MS-DOS file systems, but I want to create an MS-DOS file system (or possibly overwrite an existing MS-DOS file system), rather than repair one.

What about fdisk? The default MBR template for fdisk is again doing something very OpenBSD-specific, but maybe I could use some other template instead?
Soekris net5501 IPsec performance?
So... Has anybody checked how much traffic you can push through a net5501 serving as an IPsec gateway? Has anybody tried a vpn1411 in a net5501 yet? -- Christian naddy Weisgerber [EMAIL PROTECTED]
Re: Formatting MS-DOS drive
Matthew Szudzik [EMAIL PROTECTED] writes:

    I have a usb flash drive that I wish to reformat as an MS-DOS (FAT) file system. How do I do that on OpenBSD?

You probably want to look into newfs_msdos.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: ftp-proxy fxp transfers
On Sunday 01 July 2007 19:58, Camiel Dobbelaar wrote:

    On Sun, 1 Jul 2007, Chris Cohen wrote:

        according to http://www.openbsd.org/faq/pf/ftp.html i've setup ftp-proxy and changed my pf.conf. A client on the extern interface of the firewall can upload files, use passive and active mode. But fxp transfers (server to server) doesn't work. My ftpserver (vsftpd) on the host behind the firewall doesn't tell me anything but:

            Sun Jul 1 18:11:27 2007 [pid 3929] [chris] FAIL UPLOAD: Client 10.1.3.1, /home/chris/README.MIRRORING-US, 0.00Kbyte/sec

        Doesn't ftp-proxy support fxp transvers in reverse mode?

    No, this entry in the manpage CAVEAT section applies:

        The negotiated IP address for active modes is ignored for security reasons. This makes third party file transfers impossible.

    I do have plans to make ftp-proxy optionally allow negotiated IP addresses, but I'm a bit busy at the moment, so don't hold your breath.

I read the manpage, but as it seems a bit too fast... Is there a workaround (without ftp-proxy)? If I just rdr the ports I will run into trouble with passive mode, I think, as I'm doing nat.

-- 
Greetings
Chris
Re: ssh and sudo, password not hidden
Because it is not necessarily needed: tty allocation may require other tasks like logging the user to wtmp* or creating job control, and you may only need to run the command and get the result as if it were a file to read from.

Btw, you can use ssh's -T to log into a server and not be noticed. :-D

On 7/1/07, Tom Van Looy [EMAIL PROTECTED] wrote:

    OK, problem solved. But why doesn't this flag get set implicitly when using a command with ssh?

    Chris Cohen wrote:

        On Saturday 30 June 2007 19:31, Tom Van Looy wrote:

            Hi

            Today I used sudo as command to ssh and it echoed my sudo password.

            [EMAIL PROTECTED] ~] $ ssh soekris sudo pfctl -s state
            [EMAIL PROTECTED]'s password:
            Password:secret_in_echo
            output of pfctl /
            [EMAIL PROTECTED] ~] $

            I don't see anything about this in the manpage so I think this is not expected behaviour. Normally I ssh from an Ubuntu box to the firewall, but to be sure, I ssh-ed to localhost on the openbsd box and I got the same result. What's wrong?

        Add -t to your ssh command:

            -t      Force pseudo-tty allocation. This can be used to execute arbitrary screen-based programs on a remote machine, which can be very useful, e.g. when implementing menu services. Multiple -t options force tty allocation, even if ssh has no local tty.

-- 
You should be the change that you want to see in the world. - Gandhi
Re: Formatting MS-DOS drive
On 7/1/07, Matthew Szudzik [EMAIL PROTECTED] wrote:

    I have a usb flash drive that I wish to reformat as an MS-DOS (FAT) file system. How do I do that on OpenBSD?

    I want the drive to be formatted in the same manner that a Windows machine or Macintosh might format an MS-DOS file system. So clearly, I don't want to use disklabel, since OpenBSD disklabels are only intended to be read by OpenBSD.

    I know that fsck_msdos can repair MS-DOS file systems, but I want to create an MS-DOS file system (or possibly overwrite an existing MS-DOS file system), rather than repair one.

    What about fdisk? The default MBR template for fdisk is again doing something very OpenBSD-specific, but maybe I could use some other template instead?

For interactive MBR edits you can use

    fdisk -e sd0

You probably want to use 0C for FAT32 with long file name support.

    fdisk sd0
    fdisk: sysctl(machdep.bios.diskinfo): Device not configured
    Disk: sd0       geometry: 38154/64/32 [78140160 Sectors]
    Offset: 0       Signature: 0xAA55
             Starting       Ending       LBA Info:
     #: id    C   H   S -    C   H   S [       start:      size   ]
    ------------------------------------------------------------------------
    *0: 0C    0   1  32 - 38154  23  32 [          63:    78140097 ] Win95 FAT32L
     1: 00    0   0   0 -    0   0   0 [           0:           0 ] unused
     2: 00    0   0   0 -    0   0   0 [           0:           0 ] unused
     3: 00    0   0   0 -    0   0   0 [           0:           0 ] unused

Then use disklabel sd0 to check whether OpenBSD has automagically created a virtual disklabel i. Then use /dev/rsd0i as device name for the newfs.

=Adriaan=
Re: ssh and sudo, password not hidden
Tom Van Looy wrote:

    Oke, problem solved. But, why doesn't this flag get set implicitly when using a command with ssh?

Because it's not 8bit-clean, the tty layer can change the data. It's usually ok for text, but it messes up binary data, so having it on all the time would make ssh pipelines a lot less useful.

    $ dd if=/dev/arandom of=/tmp/tmp1 bs=1k count=1k 2>/dev/null
    $ ssh -t localhost cat /tmp/tmp1 > /tmp/tmp2
    Connection to localhost closed.
    $ ls -l /tmp/tmp*
    -rw-r--r--  1 dtucker  staff  1048576 Jul  2 07:49 /tmp/tmp1
    -rw-r--r--  1 dtucker  staff  1067393 Jul  2 07:50 /tmp/tmp2

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: OBSD 4.1 drops to ddb with cdd0: error 22 on component 0 (and 1 (mirror))
On Sat, 2007-06-16 at 15:00 +0200, Marius Hooge wrote:

    Of course I did.. I just replaced the PSU with a spare one i got lying around. - It didn't work out. (Can a PSU even cause such errors?)

A failing PSU is perhaps the least obvious hardware failure of all, because it looks like some combination of everything else. Been there, done that.

-- 
Shawn K. Quinn [EMAIL PROTECTED]