Re: passive mode ftp pf.conf OpenBSD 5.6 i386

2015-10-23 Thread Giancarlo Razzolini
On 23-10-2015 12:58, Motty wrote:
> ### RULES FOR FTP
> anchor "ftp-proxy/*"
> pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
> pass in quick on $ext proto tcp from any to 10.1.10.8 port ftp rdr-to $web_server port ftp
I believe you need a nat instead of rdr. From ftp-proxy(8) man page:

 In case of passive mode (PASV or EPSV):

   pass in from $client to $orig_server port $proxy_port \
   rdr-to $server port $port
   pass out from $client to $server port $port nat-to $proxy

p.s.: Please let FTP run its course and die! I beg you. Every time an
admin starts a ftp server, a puppy dies. Consider using SSH. Or, if you
must, DAV.

Cheers,
Giancarlo Razzolini



Re: correct way to clear sensitive data from env?

2015-10-23 Thread Giancarlo Razzolini
On 23-10-2015 12:14, Tamas TEVESZ wrote:
> case in point: openvpn passing username/password in the environment to 
> openvpn_bsdauth.
>
> so there's actually a bit of a sensitive data in env that current 
> wisdom rightly tends to want to junk as soon as possible.
I wrote many years ago an openvpn plugin that would use getpwnam instead
of that PAM crap. I believe it's still around on sourceforge.
openvpn-auth-passwd if I recall correctly. I developed it specifically
because it would work on OpenBSD and also on any platform that works
with getpwnam. I can look it up if you want, but I don't even know if it
compiles with recent OpenVPN code.

Cheers,
Giancarlo Razzolini



[mot] serious about clang/llvm?

2015-10-23 Thread Mayuresh Kathe
i have been reading up online news about the core team considering a move
from 'gcc' to "clang/llvm".
is it really true? wouldn't that add a whole lot of complexity to the base
system? isn't clang/llvm written in c++11? wouldn't 'pcc' be a better
alternative? especially because (i think) openbsd is striving to deliver a
compact base install with as small a disk footprint as possible!
i had heard rumours about the openbsd core team having a part of openbsd
built using 'pcc', is it true? if yes, did that effort not produce desirable
results?
-mayuresh



correct way to clear sensitive data from env?

2015-10-23 Thread Tamas TEVESZ
hi,

case in point: openvpn passing username/password in the environment to 
openvpn_bsdauth.

so there's actually a bit of a sensitive data in env that current 
wisdom rightly tends to want to junk as soon as possible.

getenv(3) states, "If getenv() is successful, the string returned 
should be considered read-only.", operative word being "should".

what's the correct way to deal with this (specifically on openbsd if 
there are any facilities that help here, as well as on other 
systems perhaps)?

thanks,

-- 
[-]

mkdir /nonexistent



Re: [mot] serious about clang/llvm?

2015-10-23 Thread Theo de Raadt
> > Subject: Re: [mot] serious about clang/llvm?
> >
> > > On Fri, Oct 23, 2015 at 7:58 AM, Daniel Bolgheroni
> > >  wrote:
> > > > On Fri, Oct 23, 2015 at 04:43:50AM -0400, Mayuresh Kathe wrote:
> > > >> i had heard rumours about the openbsd core team having a part of 
> > > >> openbsd
> > > >> built using 'pcc', is it true? if yes, did that effort not produce 
> > > >> desirable
> > > >> results?
> > > >
> > > > There are more things to LLVM/clang than its complexity and the fact
> > > > that it's written in C++. GCC is also pretty complex. For a better
> > > > clarification, check this:
> > > >
> > > > http://marc.info/?l=openbsd-misc=137530560232232=2
> > > 
> > > That doesn't really answer any questions about pcc though...
> >
> > those were hopes and dreams.  not everything pans out.
> >
> >
> >
> 
> hmnn, is it because the openbsd team doesn't have someone to work on bringing
> 'pcc' up to openbsd's expectations?
> if someone came along to work exclusively on 'pcc' for openbsd, would the team
> reconsider using 'pcc' as the default compiler suite?

yes you better hire a group of people to work on it...

Don't we already do enough??

Good grief.



Re: correct way to clear sensitive data from env?

2015-10-23 Thread Theo de Raadt
> case in point: openvpn passing username/password in the environment to 
> openvpn_bsdauth.
> 
> so there's actually a bit of a sensitive data in env that current 
> wisdom rightly tends to want to junk as soon as possible.
> 
> getenv(3) states, "If getenv() is successful, the string returned 
> should be considered read-only.", operative word being "should".
> 
> what's the correct way to deal with this (specifically on openbsd if 
> there are any facilities that help here, as well as on other 
> systems perhaps)?

Clearing the string is pointless, it is a race that it can still be
observed!

You should restructure it to move data over a socket/pipe.
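
The restructuring suggested above, with the credentials moved over a pipe instead of the environment, shown in C as an added example that is not part of the original thread and is not OpenVPN or openvpn_bsdauth code. The names authenticate, helper and DEMO_PASSWORD, and the account alice / s3cret-example, are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Volatile stores survive optimisation; OpenBSD has explicit_bzero(3). */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Helper side (hypothetical; constructed account): read "user\npassword\n"
 * until EOF. Returns 0 accepted, 1 rejected, 2 password also in the env. */
static int helper(int fd) {
    char buf[256], *pw, *end;
    size_t len = 0;
    ssize_t n;
    int rc = 1;
    while (len < sizeof(buf) - 1 &&
        (n = read(fd, buf + len, sizeof(buf) - 1 - len)) > 0)
        len += (size_t)n;
    buf[len] = '\0';
    if ((pw = strchr(buf, '\n')) && (end = strchr(pw + 1, '\n'))) {
        *pw++ = *end = '\0';
        rc = strcmp(buf, "alice") || strcmp(pw, "s3cret-example");
        if (getenv("DEMO_PASSWORD") != NULL) rc = 2;  /* inherited copy */
    }
    wipe(buf, sizeof(buf));
    return rc;
}

/* Parent side: fork the helper and write the credentials to a pipe.
 * leak_env=1 additionally exports the password (the design to avoid). */
int authenticate(const char *user, const char *pass, int leak_env) {
    char msg[256];
    int fds[2], status, len = snprintf(msg, sizeof(msg), "%s\n%s\n", user, pass);
    if (len < 0 || (size_t)len >= sizeof(msg) || pipe(fds) == -1) return -1;
    if (leak_env) setenv("DEMO_PASSWORD", pass, 1);
    pid_t pid = fork();
    if (pid == 0) { close(fds[1]); _exit(helper(fds[0])); }
    if (leak_env) unsetenv("DEMO_PASSWORD");
    close(fds[0]);
    ssize_t w = pid > 0 ? write(fds[1], msg, (size_t)len) : -1;
    close(fds[1]);              /* EOF tells the helper the message is done */
    wipe(msg, sizeof(msg));
    if (pid < 0 || waitpid(pid, &status, 0) == -1 || w != len) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    printf("pipe only: %d\n", authenticate("alice", "s3cret-example", 0));
    printf("exported too: %d\n", authenticate("alice", "s3cret-example", 1));
}
```

In the pipe-only case the password exists only in the two processes' own buffers, which each side wipes; in the exported case the helper inherits a copy that the parent's later unsetenv cannot take back.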



Re: [mot] serious about clang/llvm?

2015-10-23 Thread Karel Gardas
On Fri, Oct 23, 2015 at 1:58 PM, Daniel Bolgheroni
 wrote:

> There are more things to LLVM/clang than its complexity and the fact
> that it's written in C++. GCC is also pretty complex. For a better
> clarification, check this:
>
> http://marc.info/?l=openbsd-misc=137530560232232=2

This thread is from summer 2013. Has anything changed since this
w.r.t. LLVM/clang quality or platform support? I'm asking since IIRC
LLVM supports sparc64 and FreeBSD even uses that. Don't remember the
reference for this though. So I'm curious if there is any progress
which pushed LLVM/clang more near to the OpenBSD goal of LTS
compiler...

Thanks,
Karel



Re: [mot] serious about clang/llvm?

2015-10-23 Thread Ted Unangst
Raul Miller wrote:
> On Fri, Oct 23, 2015 at 7:58 AM, Daniel Bolgheroni
>  wrote:
> > On Fri, Oct 23, 2015 at 04:43:50AM -0400, Mayuresh Kathe wrote:
> >> i had heard rumours about the openbsd core team having a part of openbsd
> >> built using 'pcc', is it true? if yes, did that effort not produce 
> >> desirable
> >> results?
> >
> > There are more things to LLVM/clang than its complexity and the fact
> > that it's written in C++. GCC is also pretty complex. For a better
> > clarification, check this:
> >
> > http://marc.info/?l=openbsd-misc=137530560232232=2
> 
> That doesn't really answer any questions about pcc though...

> pcc
ksh: pcc: not found

does that help?



Re: passive mode ftp pf.conf OpenBSD 5.6 i386

2015-10-23 Thread Giancarlo Razzolini
On 22-10-2015 19:49, Motty wrote:
> I am trying to configure pf.conf (OpenBSD 5.6)

I know it is a beaten and old argument, but please upgrade your OpenBSD.
5.6 isn't supported anymore. That being said, I don't think your problem
has anything to do with your OpenBSD version.

> when I use passive command FTP server does not
> respond. I enabled ftp-proxy (please see relevant information below)

You need to configure your ftp-proxy server as a reverse proxy. I
believe you attached the information, but this list uses demime, so
you'll need to paste the information as text here. Without it, it's
difficult to help you.

Cheers,
Giancarlo Razzolini



Re: [mot] serious about clang/llvm?

2015-10-23 Thread Raul Miller
On Fri, Oct 23, 2015 at 7:58 AM, Daniel Bolgheroni
 wrote:
> On Fri, Oct 23, 2015 at 04:43:50AM -0400, Mayuresh Kathe wrote:
>> i had heard rumours about the openbsd core team having a part of openbsd
>> built using 'pcc', is it true? if yes, did that effort not produce desirable
>> results?
>
> There are more things to LLVM/clang than its complexity and the fact
> that it's written in C++. GCC is also pretty complex. For a better
> clarification, check this:
>
> http://marc.info/?l=openbsd-misc=137530560232232=2

That doesn't really answer any questions about pcc though...

Thanks,

-- 
Raul



Re: [mot] serious about clang/llvm?

2015-10-23 Thread Theo de Raadt
> On Fri, Oct 23, 2015 at 7:58 AM, Daniel Bolgheroni
>  wrote:
> > On Fri, Oct 23, 2015 at 04:43:50AM -0400, Mayuresh Kathe wrote:
> >> i had heard rumours about the openbsd core team having a part of openbsd
> >> built using 'pcc', is it true? if yes, did that effort not produce 
> >> desirable
> >> results?
> >
> > There are more things to LLVM/clang than its complexity and the fact
> > that it's written in C++. GCC is also pretty complex. For a better
> > clarification, check this:
> >
> > http://marc.info/?l=openbsd-misc=137530560232232=2
> 
> That doesn't really answer any questions about pcc though...

those were hopes and dreams.  not everything pans out.



Re: [mot] serious about clang/llvm?

2015-10-23 Thread Daniel Bolgheroni
On Fri, Oct 23, 2015 at 04:43:50AM -0400, Mayuresh Kathe wrote:
> i have been reading up online news about the core team considering a move
> from 'gcc' to "clang/llvm".
> is it really true? wouldn't that add a whole lot of complexity to the base
> system? isn't clang/llvm written in c++11? wouldn't 'pcc' be a better
> alternative? especially because (i think) openbsd is striving to deliver a
> compact base install with as small a disk footprint as possible!
> i had heard rumours about the openbsd core team having a part of openbsd
> built using 'pcc', is it true? if yes, did that effort not produce desirable
> results?

There are more things to LLVM/clang than its complexity and the fact
that it's written in C++. GCC is also pretty complex. For a better
clarification, check this:

http://marc.info/?l=openbsd-misc=137530560232232=2

Cheers,

-- 
db



Re: pledge(2) problems on 18/x/ octeon snapshot

2015-10-23 Thread Ted Unangst
Miod Vallat wrote:
> > > Might be a stupid question, but I haven't found an answer to it yet
> > > - how does one update to a new snapshot/kernel on an octeon system?
> > 
> > boot bsd.rd and select upgrade in the installer. (i hope.)
> > 
> I'm afraid this is not as simple as this, yet. You will also need to
> copy your kernel to the fat16 partition created during the install,
> since this is the only filesystem #$%^@# u-boot can read.

the md_installboot part of install.sh does that on octeon, no? it looks
like we run installboot after an upgrade, too.



does src include sys ?

2015-10-23 Thread Tuyosi Takesima
today i first time follow current .

# cd /usr
# export CVSROOT=anon...@anoncvs.jp.openbsd.org:/cvs
# cvs -d$CVSROOT checkout -P src
  cvs -d$CVSROOT checkout -P sys<---
1) question
is [cvs -d$CVSROOT checkout -P sys] needless ?


and
Faq write about only src not touch sys .
# cd /usr/src
# export CVSROOT=anon...@anoncvs.jp.openbsd.org:/cvs
# cvs -d$CVSROOT up -Pd
2) question
does src include sys ?

-
regards



Re: does src include sys ?

2015-10-23 Thread Michael McConville
Tuyosi Takesima wrote:
> today i first time follow current .
> 
> # cd /usr
> # export CVSROOT=anon...@anoncvs.jp.openbsd.org:/cvs
> # cvs -d$CVSROOT checkout -P src
>   cvs -d$CVSROOT checkout -P sys<---
> 1) question
> is [cvs -d$CVSROOT checkout -P sys] needless ?
> 
> 
> and
> Faq write about only src not touch sys .
> # cd /usr/src
> # export CVSROOT=anon...@anoncvs.jp.openbsd.org:/cvs
> # cvs -d$CVSROOT up -Pd
> 2) question
> does src include sys ?

Yes, you only need to check out src. (And xenocara, if you want to build
X.)



Re: passive mode ftp pf.conf OpenBSD 5.6 i386

2015-10-23 Thread Motty
Thank you very much!

### RULES FOR FTP

anchor "ftp-proxy/*"

pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

pass out inet proto tcp from $ext to any port ftp

worked for me!

On 10/23/2015 11:09 AM, Giancarlo Razzolini wrote:
> On 23-10-2015 12:58, Motty wrote:
>> ### RULES FOR FTP
>> anchor "ftp-proxy/*"
>> pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
>> pass in quick on $ext proto tcp from any to 10.1.10.8 port ftp rdr-to $web_server port ftp
> I believe you need a nat instead of rdr. From ftp-proxy(8) man page:
>
>  In case of passive mode (PASV or EPSV):
>
>    pass in from $client to $orig_server port $proxy_port \
>    rdr-to $server port $port
>    pass out from $client to $server port $port nat-to $proxy
>
> p.s.: Please let FTP run its course and die! I beg you. Every time an 
> admin starts a ftp server, a puppy dies. Consider using SSH. Or, if 
> you must, DAV.
>
> Cheers,
> Giancarlo Razzolini



Re: CD's arrived

2015-10-23 Thread Eike Lantzsch
I got my 5.8 pre-order today. Compared to 5.7, which I waited 1/2 a year for, 
this was "fast" :-/. Hey, I just wanted to support the good cause, anyway ...
Thanks for all the good work and the release for download!
Cheers
Eike

-- 
Eike Lantzsch ZP6CGE
Agencia Shopping del Sol
Casilla de Correo 13005
1749 Asuncion / Paraguay

It's is not, it isn't ain't, and it's it's, not its, if you mean it
is. If you don't, it's its. Then too, it's hers. It isn't her's. It
isn't our's either. It's ours, and likewise yours and theirs.
 -- Oxford University Press, Edpress New



Re: [mot] serious about clang/llvm?

2015-10-23 Thread Mayuresh Kathe
> From dera...@openbsd.org  Fri Oct 23 09:23:36 2015
> From: Theo de Raadt 
> To: Raul Miller 
> cc: Mayuresh Kathe ,
> OpenBSD general usage list 
> Subject: Re: [mot] serious about clang/llvm?
>
> > On Fri, Oct 23, 2015 at 7:58 AM, Daniel Bolgheroni
> >  wrote:
> > > On Fri, Oct 23, 2015 at 04:43:50AM -0400, Mayuresh Kathe wrote:
> > >> i had heard rumours about the openbsd core team having a part of openbsd
> > >> built using 'pcc', is it true? if yes, did that effort not produce 
> > >> desirable
> > >> results?
> > >
> > > There are more things to LLVM/clang than its complexity and the fact
> > > that it's written in C++. GCC is also pretty complex. For a better
> > > clarification, check this:
> > >
> > > http://marc.info/?l=openbsd-misc=137530560232232=2
> > 
> > That doesn't really answer any questions about pcc though...
>
> those were hopes and dreams.  not everything pans out.
>
>
>

hmnn, is it because the openbsd team doesn't have someone to work on bringing
'pcc' up to openbsd's expectations?
if someone came along to work exclusively on 'pcc' for openbsd, would the team
reconsider using 'pcc' as the default compiler suite?



Re: passive mode ftp pf.conf OpenBSD 5.6 i386

2015-10-23 Thread Motty
Thank you very much for your reply! I did configure ftp proxy as reverse:

/usr/sbin/ftp-proxy -p 8021 -R 192.168.8.17 -P 21 -D7 -v


Pf.conf
ext="bnx0"
int="bnx1"
ext_net="10.1.10.0/24"
web_server="192.168.8.17"
sap_server="192.168.8.10"
mail_server="192.168.8.22"

# Default block all
block in all

# loop interface **#
set skip on lo

#ENABLE NAT *#
match out on $ext from 192.168.8.0/24 to any nat-to 10.1.10.8

### RULES FOR FTP
anchor "ftp-proxy/*"
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick on $ext proto tcp from any to 10.1.10.8 port ftp rdr-to $web_server port ftp

### ICMP RULES
pass in on $ext inet proto icmp all keep state
pass out on $ext inet proto icmp all keep state

## PASS OUT ALL
pass in on $int
pass out on $int
pass out on $ext
pass out keep state
pass out all

The error I get:
Response:200 Type set to I.
Command:PASV
Response:227 Entering Passive Mode (1,2,3,4,228,236)
Command:LIST
Error:Connection timed out
Error:Failed to retrieve directory listing

please advise!

Thanks,
_Motty
On 10/23/2015 06:44 AM, Giancarlo Razzolini wrote:
> On 22-10-2015 19:49, Motty wrote:
>> I am trying to configure pf.conf (OpenBSD 5.6)
> I know it is a beaten and old argument, but please upgrade your OpenBSD.
> 5.6 isn't supported anymore. That being said, I don't think your problem
> has anything to do with your OpenBSD version.
>
>> when I use passive command FTP server does not
>> respond. I enabled ftp-proxy (please see relevant information below)
> You need to configure your ftp-proxy server as a reverse proxy. I
> believe you attached the information, but this list uses demime, so
> you'll need to paste the information as text here. Without it, it's
> difficult to help you.
>
> Cheers,
> Giancarlo Razzolini



apu1d as an NTP server

2015-10-23 Thread Gene
Howdy,

Has anyone here used the PC Engines apu1d system board as an NTP server?

I'm looking at setting up some in house stratum-2 servers so I can be a
better neighbor.  Wondering what kind of performance/capacity others have
seen with this board.

Thanks for your time.

-Gene



Re: apu1d as an NTP server

2015-10-23 Thread Brian Conway
How large is your network?

Brian Conway


On Oct 23, 2015 5:42 PM, "Gene"  wrote:

> Howdy,
>
> Has anyone here used the PC Engines apu1d system board as an NTP server?
>
> I'm looking at setting up some in house stratum-2 servers so I can be a
> better neighbor.  Wondering what kind of performance/capacity others have
> seen with this board.
>
> Thanks for your time.
>
> -Gene



Re: apache 2.4 - Missing mod_cgid.so?

2015-10-23 Thread Claudio Jeker
On Fri, Oct 23, 2015 at 07:20:43PM +0200, Alessandro DE LAURENZIS wrote:
> Dear misc@ reader,
> 
> I've just upgraded my home server to 5.8, so I switched to apache 2.4
> (from 2.2); the problem is that my git server no longer works and the
> root cause seems to be that httpd2 with my current configuration (see [0])
> isn't able to run any cgi scripts.
> 
> I noticed that the module mod_cgid.so (which, in my very limited
> understanding, should supersede the old mod_cgi.so when threaded MPM is
> used) is missing in /usr/local/lib/apache2 - Could it be the culprit?
> 
> Any hints? Am I doing something very stupid?
> 
> I would be glad to give further details, but please point me in the
> right direction, because I'm a bit lost.
> 

You may try to build your own version by adding --enable-cgi to the
Makefile configure flags. It seems that even though configure says that
--enable-cgi is the default, it is not. Go figure...

Also mod_cgid.so should be built but seems to be missing. mod_cgid.so is
the module that should be used with the worker or event MPM.

So maybe try something like this diff.
-- 
:wq Claudio

Index: Makefile
===
RCS file: /cvs/ports/www/apache-httpd/Makefile,v
retrieving revision 1.67
diff -u -p -r1.67 Makefile
--- Makefile13 Sep 2015 12:37:49 -  1.67
+++ Makefile23 Oct 2015 20:15:37 -
@@ -65,6 +65,7 @@ CONFIGURE_ARGS=   --enable-layout=OpenBSD
--enable-disk-cache \
--enable-proxy=shared \
--enable-mods-shared=all \
+   --enable-cgi \
--enable-suexec \
--with-suexec-caller=www \
--with-suexec-bin=${TRUEPREFIX}/sbin/suexec2 \
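Review bot: The Makefile diff consists of this single added `--enable-cgi` line and carries no REVISION bump, although the PLIST-main hunk in the same patch changes the packaged file list; bump the port's REVISION so existing installs receive the rebuilt package. A one-line comment above the flag saying that configure reports cgi as the default but the module was not built would keep a later cleanup from dropping it as redundant.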
Index: pkg/PLIST-main
===
RCS file: /cvs/ports/www/apache-httpd/pkg/PLIST-main,v
retrieving revision 1.6
diff -u -p -r1.6 PLIST-main
--- pkg/PLIST-main  13 Sep 2015 12:37:49 -  1.6
+++ pkg/PLIST-main  23 Oct 2015 20:33:37 -
@@ -98,7 +98,8 @@ lib/apache2/mod_buffer.so
 lib/apache2/mod_cache.so
 lib/apache2/mod_cache_disk.so
 lib/apache2/mod_cache_socache.so
-@comment lib/apache2/mod_cgid.so
+lib/apache2/mod_cgi.so
+lib/apache2/mod_cgid.so
 lib/apache2/mod_charset_lite.so
 lib/apache2/mod_data.so
 lib/apache2/mod_dav.so
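Review bot: Replacing `@comment lib/apache2/mod_cgid.so` with live entries for both mod_cgi.so and mod_cgid.so assumes the build now produces both modules, yet the Makefile hunk only adds `--enable-cgi` and no cgid flag. Confirm both files are present in the fake install, for example by regenerating the list with make update-plist, before committing; a listed file that was not built makes packaging fail.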