Re: passive mode ftp pf.conf OpenBSD 5.6 i386
On 23-10-2015 12:58, Motty wrote:
> ### RULES FOR FTP
> anchor "ftp-proxy/*"
> pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
> pass in quick on $ext proto tcp from any to 10.1.10.8 port ftp rdr-to
> $web_server port ftp

I believe you need a nat instead of rdr. From ftp-proxy(8) man page:

In case of passive mode (PASV or EPSV):

    pass in from $client to $orig_server port $proxy_port \
        rdr-to $server port $port
    pass out from $client to $server port $port nat-to $proxy

p.s.: Please let FTP run its course and die! I beg you. Every time an
admin starts a ftp server, a puppy dies. Consider using SSH. Or, if
you must, DAV.

Cheers,
Giancarlo Razzolini
Re: correct way to clear sensitive data from env?
On 23-10-2015 12:14, Tamas TEVESZ wrote:
> case in point: openvpn passing username/password in the environment to
> openvpn_bsdauth.
>
> so there's actually a bit of a sensitive data in env that current
> wisdom rightly tends to want to junk as soon as possible.

I wrote many years ago an openvpn plugin that would use getpwnam instead
of that PAM crap. I believe it's still around on sourceforge.
openvpn-auth-passwd if I recall correctly. I developed it specifically
because it would work on OpenBSD and also on any platform that works
with getpwnam. I can look it up if you want, but I don't even know if it
compiles with recent OpenVPN code.

Cheers,
Giancarlo Razzolini
[mot] serious about clang/llvm?
i have been reading up online news about the core team considering a move from 'gcc' to "clang/llvm". is it really true? wouldn't that add a whole lot of complexity to the base system? isn't clang/llvm written in c++11? wouldn't 'pcc' be a better alternative? especially because (i think) openbsd is striving to deliver a compact base install with as small a disk footprint as possible! i had heard rumours about the openbsd core team having a part of openbsd built using 'pcc', is it true? if yes, did that effort not produce desirable results? -mayuresh
correct way to clear sensitive data from env?
hi,

case in point: openvpn passing username/password in the environment to
openvpn_bsdauth.

so there's actually a bit of a sensitive data in env that current
wisdom rightly tends to want to junk as soon as possible.

getenv(3) states, "If getenv() is successful, the string returned
should be considered read-only.", operative word being "should".

what's the correct way to deal with this (specifically on openbsd if
there are any facilities that help here, as well as on other
systems perhaps)?

thanks,

--
[-] mkdir /nonexistent
Re: [mot] serious about clang/llvm?
> > Subject: Re: [mot] serious about clang/llvm?
> >
> > > On Fri, Oct 23, 2015 at 7:58 AM, Daniel Bolgheroni wrote:
> > > > On Fri, Oct 23, 2015 at 04:43:50AM -0400, Mayuresh Kathe wrote:
> > > >> i had heard rumours about the openbsd core team having a part of openbsd
> > > >> built using 'pcc', is it true? if yes, did that effort not produce desirable
> > > >> results?
> > > >
> > > > There are more things to LLVM/clang than its complexity and the fact
> > > > that it's written in C++. GCC is also pretty complex. For a better
> > > > clarification, check this:
> > > >
> > > > http://marc.info/?l=openbsd-misc&m=137530560232232&w=2
> > >
> > > That doesn't really answer any questions about pcc though...
> >
> > those were hopes and dreams. not everything pans out.
> >
>
> hmnn, is it because the openbsd team doesn't have someone to work on bringing
> 'pcc' up to openbsd's expectations?
> if someone came along to work exclusively on 'pcc' for openbsd, would the team
> reconsider using 'pcc' as the default compiler suite?

yes you better hire a group of people to work on it...

Don't we already do enough?? Good grief.
Re: correct way to clear sensitive data from env?
> case in point: openvpn passing username/password in the environment to
> openvpn_bsdauth.
>
> so there's actually a bit of a sensitive data in env that current
> wisdom rightly tends to want to junk as soon as possible.
>
> getenv(3) states, "If getenv() is successful, the string returned
> should be considered read-only.", operative word being "should".
>
> what's the correct way to deal with this (specifically on openbsd if
> there are any facilities that help here, as well as on other
> systems perhaps)?

Clearing the string is pointless, it is a race that it can still be
observed!

You should restructure it to move data over a socket/pipe.
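The restructuring suggested in the reply above, as an added example that is not code from the thread or from OpenVPN: a parent hands a credential to a forked helper over a pipe(2) instead of the environment, and each side wipes its copy after use. The names `auth_via_pipe`, `read_secret` and `wipe`, and the `password` variable the child checks for, are assumptions of this example; the child stands in for a helper that would normally be exec'd.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Portable stand-in for explicit_bzero(3), which is what OpenBSD code would
 * call: the volatile pointer stops the compiler from eliding the wipe. */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Helper side (hypothetical): read one credential from fd until EOF. */
static ssize_t read_secret(int fd, char *buf, size_t len)
{
    size_t off = 0;
    ssize_t n = 0;
    while (off < len - 1 && (n = read(fd, buf + off, len - 1 - off)) > 0)
        off += (size_t)n;
    buf[off] = '\0';
    return n < 0 ? -1 : (ssize_t)off;
}

/* Hand `secret` to a forked child over a pipe; nothing is put in environ.
 * The child exits 0 only if it received `expect` and its environment has no
 * "password" variable. Returns the child's exit status, or -1 on error. */
int auth_via_pipe(const char *secret, const char *expect)
{
    int fds[2], status;
    pid_t pid;
    if (pipe(fds) == -1)
        return -1;
    if ((pid = fork()) == 0) {  /* child; a real helper would be exec'd here */
        char buf[128];
        close(fds[1]);
        int ok = read_secret(fds[0], buf, sizeof buf) >= 0 &&
            strcmp(buf, expect) == 0 && getenv("password") == NULL;
        wipe(buf, sizeof buf);
        _exit(ok ? 0 : 1);
    }
    close(fds[0]);
    size_t len = strlen(secret);
    ssize_t w = pid == -1 ? -1 : write(fds[1], secret, len);
    close(fds[1]);              /* closing the write end is the child's EOF */
    if (pid == -1 || waitpid(pid, &status, 0) == -1 || w != (ssize_t)len)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample credential, not a real one. */
    return auth_via_pipe("constructed-secret", "constructed-secret");
}
```

Only processes holding the pipe's file descriptors can read the credential, and it is gone from the pipe once the child has consumed it.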
Re: [mot] serious about clang/llvm?
On Fri, Oct 23, 2015 at 1:58 PM, Daniel Bolgheroni wrote:
> There are more things to LLVM/clang than its complexity and the fact
> that it's written in C++. GCC is also pretty complex. For a better
> clarification, check this:
>
> http://marc.info/?l=openbsd-misc&m=137530560232232&w=2

This thread is from summer 2013. Has anything changed since this w.r.t.
LLVM/clang quality or platform support? I'm asking since IIRC LLVM
supports sparc64 and FreeBSD even uses that. Don't remember the
reference for this though. So I'm curious if there is any progress which
pushed LLVM/clang more near to the OpenBSD goal of LTS compiler...

Thanks,
Karel
Re: [mot] serious about clang/llvm?
Raul Miller wrote:
> On Fri, Oct 23, 2015 at 7:58 AM, Daniel Bolgheroni wrote:
> > On Fri, Oct 23, 2015 at 04:43:50AM -0400, Mayuresh Kathe wrote:
> >> i had heard rumours about the openbsd core team having a part of openbsd
> >> built using 'pcc', is it true? if yes, did that effort not produce desirable
> >> results?
> >
> > There are more things to LLVM/clang than its complexity and the fact
> > that it's written in C++. GCC is also pretty complex. For a better
> > clarification, check this:
> >
> > http://marc.info/?l=openbsd-misc&m=137530560232232&w=2
>
> That doesn't really answer any questions about pcc though...

> pcc
ksh: pcc: not found

does that help?
Re: passive mode ftp pf.conf OpenBSD 5.6 i386
On 22-10-2015 19:49, Motty wrote:
> I am trying to configure pf.conf (OpenBSD 5.6)

I know it is a beaten and old argument, but please upgrade your OpenBSD.
5.6 isn't supported anymore. That being said, I don't think your problem
has anything to do with your OpenBSD version.

> when I use passive command FTP server does not
> respond. I enabled ftp-proxy (please see relevant information below)

You need to configure your ftp-proxy server as a reverse proxy. I
believe you attached the information, but this list uses demime, so
you'll need to paste the information as text here. Without it, it's
difficult to help you.

Cheers,
Giancarlo Razzolini
Re: [mot] serious about clang/llvm?
On Fri, Oct 23, 2015 at 7:58 AM, Daniel Bolgheroni wrote:
> On Fri, Oct 23, 2015 at 04:43:50AM -0400, Mayuresh Kathe wrote:
>> i had heard rumours about the openbsd core team having a part of openbsd
>> built using 'pcc', is it true? if yes, did that effort not produce desirable
>> results?
>
> There are more things to LLVM/clang than its complexity and the fact
> that it's written in C++. GCC is also pretty complex. For a better
> clarification, check this:
>
> http://marc.info/?l=openbsd-misc&m=137530560232232&w=2

That doesn't really answer any questions about pcc though...

Thanks,

--
Raul
Re: [mot] serious about clang/llvm?
> On Fri, Oct 23, 2015 at 7:58 AM, Daniel Bolgheroni wrote:
> > On Fri, Oct 23, 2015 at 04:43:50AM -0400, Mayuresh Kathe wrote:
> >> i had heard rumours about the openbsd core team having a part of openbsd
> >> built using 'pcc', is it true? if yes, did that effort not produce desirable
> >> results?
> >
> > There are more things to LLVM/clang than its complexity and the fact
> > that it's written in C++. GCC is also pretty complex. For a better
> > clarification, check this:
> >
> > http://marc.info/?l=openbsd-misc&m=137530560232232&w=2
>
> That doesn't really answer any questions about pcc though...

those were hopes and dreams. not everything pans out.
Re: [mot] serious about clang/llvm?
On Fri, Oct 23, 2015 at 04:43:50AM -0400, Mayuresh Kathe wrote:
> i have been reading up online news about the core team considering a move
> from 'gcc' to "clang/llvm".
> is it really true? wouldn't that add a whole lot of complexity to the base
> system? isn't clang/llvm written in c++11? wouldn't 'pcc' be a better
> alternative? especially because (i think) openbsd is striving to deliver a
> compact base install with as small a disk footprint as possible!
> i had heard rumours about the openbsd core team having a part of openbsd
> built using 'pcc', is it true? if yes, did that effort not produce desirable
> results?

There are more things to LLVM/clang than its complexity and the fact
that it's written in C++. GCC is also pretty complex. For a better
clarification, check this:

http://marc.info/?l=openbsd-misc&m=137530560232232&w=2

Cheers,

--
db
Re: pledge(2) problems on 18/x/ octeon snapshot
Miod Vallat wrote:
> > > Might be a stupid question, but I haven't found an answer to it yet
> > > - how does one update to a new snapshot/kernel on an octeon system?
> >
> > boot bsd.rd and select upgrade in the installer. (i hope.)
>
> I'm afraid this is not as simple as this, yet. You will also need to
> copy your kernel to the fat16 partition created during the install,
> since this is the only filesystem #$%^@# u-boot can read.

the md_installboot part of install.sh does that on octeon, no? it looks
like we run installboot after an upgrade, too.
does src include sys ?
today i first time follow current .

# cd /usr
# export CVSROOT=anon...@anoncvs.jp.openbsd.org:/cvs
# cvs -d$CVSROOT checkout -P src
cvs -d$CVSROOT checkout -P sys<---
1)question
is [cvs -d$CVSROOT checkout -P sys] needless ?

and
Faq write about only src not touch sys .
# cd /usr/src
# export CVSROOT=anon...@anoncvs.jp.openbsd.org:/cvs
# cvs -d$CVSROOT up -Pd
2)question
does src include sys ?
-
regards
Re: does src include sys ?
Tuyosi Takesima wrote:
> today i first time follow current .
>
> # cd /usr
> # export CVSROOT=anon...@anoncvs.jp.openbsd.org:/cvs
> # cvs -d$CVSROOT checkout -P src
> cvs -d$CVSROOT checkout -P sys<---
> 1)question
> is [cvs -d$CVSROOT checkout -P sys] needless ?
>
>
> and
> Faq write about only src not touch sys .
> # cd /usr/src
> # export CVSROOT=anon...@anoncvs.jp.openbsd.org:/cvs
> # cvs -d$CVSROOT up -Pd
> 2)question
> does src include sys ?

Yes, you only need to check out src. (And xenocara, if you want to build
X.)
Re: passive mode ftp pf.conf OpenBSD 5.6 i386
Thank you very much!

### RULES FOR FTP
anchor "ftp-proxy/*"
pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
pass out inet proto tcp from $ext to any port ftp

worked for me!

On 10/23/2015 11:09 AM, Giancarlo Razzolini wrote:
> On 23-10-2015 12:58, Motty wrote:
>> ### RULES FOR FTP
>> anchor "ftp-proxy/*"
>> pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
>> pass in quick on $ext proto tcp from any to 10.1.10.8 port ftp rdr-to
>> $web_server port ftp
> I believe you need a nat instead of rdr. From ftp-proxy(8) man page:
>
> In case of passive mode (PASV or EPSV):
>
>    pass in from $client to $orig_server port $proxy_port \
>        rdr-to $server port $port
>    pass out from $client to $server port $port nat-to $proxy
>
> p.s.: Please let FTP run its course and die! I beg you. Every time an
> admin starts a ftp server, a puppy dies. Consider using SSH. Or, if
> you must, DAV.
>
> Cheers,
> Giancarlo Razzolini
Re: CD's arrived
I got my 5.8 pre-order today.
Compared to 5.7, which I waited 1/2 a year for, this was "fast" :-/.
Hey, I just wanted to support the good cause, anyway ...
Thanks for all the good work and the release for download!

Cheers
Eike

--
Eike Lantzsch ZP6CGE
Agencia Shopping del Sol
Casilla de Correo 13005
1749 Asuncion / Paraguay

It's is not, it isn't ain't, and it's it's, not its, if you mean it is.
If you don't, it's its. Then too, it's hers. It isn't her's. It isn't
our's either. It's ours, and likewise yours and theirs.
-- Oxford University Press, Edpress New
Re: [mot] serious about clang/llvm?
> From dera...@openbsd.org Fri Oct 23 09:23:36 2015
> From: Theo de Raadt
> To: Raul Miller
> cc: Mayuresh Kathe,
>     OpenBSD general usage list
> Subject: Re: [mot] serious about clang/llvm?
>
> > On Fri, Oct 23, 2015 at 7:58 AM, Daniel Bolgheroni wrote:
> > > On Fri, Oct 23, 2015 at 04:43:50AM -0400, Mayuresh Kathe wrote:
> > >> i had heard rumours about the openbsd core team having a part of openbsd
> > >> built using 'pcc', is it true? if yes, did that effort not produce desirable
> > >> results?
> > >
> > > There are more things to LLVM/clang than its complexity and the fact
> > > that it's written in C++. GCC is also pretty complex. For a better
> > > clarification, check this:
> > >
> > > http://marc.info/?l=openbsd-misc&m=137530560232232&w=2
> >
> > That doesn't really answer any questions about pcc though...
>
> those were hopes and dreams. not everything pans out.
>

hmnn, is it because the openbsd team doesn't have someone to work on
bringing 'pcc' up to openbsd's expectations?
if someone came along to work exclusively on 'pcc' for openbsd, would
the team reconsider using 'pcc' as the default compiler suite?
Re: passive mode ftp pf.conf OpenBSD 5.6 i386
Thank you very much for your reply!

I did configure ftp proxy as reverse:

/usr/sbin/ftp-proxy -p 8021 -R 192.168.8.17 -P 21 -D7 -v

Pf.conf

ext="bnx0"
int="bnx1"
ext_net="10.1.10.0/24"
web_server="192.168.8.17"
sap_server="192.168.8.10"
mail_server="192.168.8.22"

# Default block all
block in all

# loop interface
**# set skip on lo

#ENABLE NAT
*# match out on $ext from 192.168.8.0/24 to any nat-to 10.1.10.8

### RULES FOR FTP
anchor "ftp-proxy/*"
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick on $ext proto tcp from any to 10.1.10.8 port ftp rdr-to $web_server port ftp

### ICMP RULES
pass in on $ext inet proto icmp all keep state
pass out on $ext inet proto icmp all keep state

## PASS OUT ALL
pass in on $int
pass out on $int
pass out on $ext
pass out keep state
pass out all

The error I get:

Response:200 Type set to I.
Command:PASV
Response:227 Entering Passive Mode (1,2,3,4,228,236)
Command:LIST
Error:Connection timed out
Error:Failed to retrieve directory listing

please advise!

Thanks,
_Motty

On 10/23/2015 06:44 AM, Giancarlo Razzolini wrote:
> On 22-10-2015 19:49, Motty wrote:
>> I am trying to configure pf.conf (OpenBSD 5.6)
> I know it is a beaten and old argument, but please upgrade your OpenBSD.
> 5.6 isn't supported anymore. That being said, I don't think your problem
> has anything to do with your OpenBSD version.
>
>> when I use passive command FTP server does not
>> respond. I enabled ftp-proxy (please see relevant information below)
> You need to configure your ftp-proxy server as a reverse proxy. I
> believe you attached the information, but this list uses demime, so
> you'll need to paste the information as text here. Without it, it's
> difficult to help you.
>
> Cheers,
> Giancarlo Razzolini
apu1d as an NTP server
Howdy,

Has anyone here used the PC Engines apu1d system board as an NTP server?

I'm looking at setting up some in house stratum-2 servers so I can be a
better neighbor. Wondering what kind of performance/capacity others have
seen with this board.

Thanks for your time.

-Gene
Re: apu1d as an NTP server
How large is your network?

Brian Conway

On Oct 23, 2015 5:42 PM, "Gene" wrote:
> Howdy,
>
> Has anyone here used the PC Engines apu1d system board as an NTP server?
>
> I'm looking at setting up some in house stratum-2 servers so I can be a
> better neighbor. Wondering what kind of performance/capacity others have
> seen with this board.
>
> Thanks for your time.
>
> -Gene
Re: apache 2.4 - Missing mod_cgid.so?
On Fri, Oct 23, 2015 at 07:20:43PM +0200, Alessandro DE LAURENZIS wrote: > Dear misc@ reader, > > I've just upgraded my home server to 5.8, so I switched to apache 2.4 > (from 2.2); the problem is that my git server no longer works and the > root cause seems to be that httpd2 with my current configuration (see [0]) > isn't able to run any cgi scripts. > > I noticed that the module mod_cgid.so (which, in my very limited > understanding, should supersede the old mod_cgi.so when threaded MPM is > used) is missing in /usr/local/lib/apache2 - Could it be the culprit? > > Any hints? Am I doing something very stupid? > > I would be glad to give further details, but please point me in the > right direction, because I'm a bit lost. > You may try to build your own version with adding --enable-cgi in the Makefile configure flags. It seems that even configure tells that --enable-cgi is the default it seems it is not. Go figure... Also mod_cgid.so should be built but seems to be missing. mod_cgid.so is the module that should be used with the worker or event MPM. So maybe try something like this diff. -- :wq Claudio Index: Makefile === RCS file: /cvs/ports/www/apache-httpd/Makefile,v retrieving revision 1.67 diff -u -p -r1.67 Makefile --- Makefile13 Sep 2015 12:37:49 - 1.67 +++ Makefile23 Oct 2015 20:15:37 - @@ -65,6 +65,7 @@ CONFIGURE_ARGS= --enable-layout=OpenBSD --enable-disk-cache \ --enable-proxy=shared \ --enable-mods-shared=all \ + --enable-cgi \ --enable-suexec \ --with-suexec-caller=www \ --with-suexec-bin=${TRUEPREFIX}/sbin/suexec2 \ Index: pkg/PLIST-main === RCS file: /cvs/ports/www/apache-httpd/pkg/PLIST-main,v retrieving revision 1.6 diff -u -p -r1.6 PLIST-main --- pkg/PLIST-main 13 Sep 2015 12:37:49 - 1.6 +++ pkg/PLIST-main 23 Oct 2015 20:33:37 - 
@@ -98,7 +98,8 @@ lib/apache2/mod_buffer.so lib/apache2/mod_cache.so lib/apache2/mod_cache_disk.so lib/apache2/mod_cache_socache.so -@comment lib/apache2/mod_cgid.so +lib/apache2/mod_cgi.so +lib/apache2/mod_cgid.so lib/apache2/mod_charset_lite.so lib/apache2/mod_data.so lib/apache2/mod_dav.so
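Review bot: In the Makefile hunk, CONFIGURE_ARGS gains only `--enable-cgi`, while the PLIST-main change in the same patch also starts shipping `lib/apache2/mod_cgid.so`. The message above already notes that configure's stated default for `--enable-cgi` did not hold, so relying on `--enable-mods-shared=all` to produce mod_cgid.so looks fragile; consider adding `--enable-cgid` explicitly next to `--enable-cgi`, with a short comment saying why both are spelled out, so the build matches what the packing list expects.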
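Review bot: In the PLIST-main hunk, dropping `@comment` from `lib/apache2/mod_cgid.so` makes the module a required file, yet the accompanying message says it "seems to be missing" from the build, so packaging will fail unless the configure change really produces it; please confirm both `mod_cgi.so` and `mod_cgid.so` exist in the fake install before committing. The package contents change here, and the Makefile diff shows a single hunk with no REVISION bump, so one is needed. Since these modules ship alongside `--enable-suexec`, it would also help to state whether they are only installed or also loaded by the default configuration.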