Re: Swift?

2016-05-12 Thread Shady

On 2016-05-12 08:37, nacredata wrote:

I was thinking of the Apple sponsored projects which is now supposedly open
source & usable server side. I've done Objective-C in the past but have not
played with Swift yet myself; if it were available I might play with that
amongst all the other languages and frameworks that I am using on projects. No
big deal, I'm not sure if it's a particularly good fit or not, just like to
play with things.


devin
--
contact info: http://nacredata.com/devin




On May 11, 2016, at 23:53, Einfach Jemand  wrote:


On Wed, May 11, 2016 at 07:30:42PM -0400, Devin Ceartas wrote:
Can you run Swift on OpenBSD?


devin

Which one?
This:https://swift.org
Or that: http://swift-lang.org/main/

rru
No.  There's no package for it.  You can install the pre-requisites and
attempt to build from source but their build tool does not recognize OpenBSD.



Re: TLS now supported on openbsd.org?

2016-05-12 Thread arrowscript
>So
>is there an agenda or just many idiots who see TLS=security and don't
>see lack of secure cookie usage and XSS vulnerabilities (now protected
>by SSL everywhere) meaning a site is likely exploitable in other ways!!

You guys should seriously check "Nirvana fallacy".



Re: light browsers

2016-05-12 Thread Theo de Raadt
> On Thu, May 12, 2016 at 6:12 PM, Dmitrij D. Czarkoff  
> wrote:
> > You must face the reality:  all web browsers are broken.  Modern web
> > rendering engines are too complex and too fast-moving to be securable at
> > all.  Mozilla and Google made every effort to ensure that nobody can
> > ever be safe.
> 
> A related issue is that different people have conflicting ideas about
> what "security" means.

A related issue is lots of people don't know anything about anything.



Re: light browsers

2016-05-12 Thread Raul Miller
On Thu, May 12, 2016 at 6:12 PM, Dmitrij D. Czarkoff  wrote:
> You must face the reality:  all web browsers are broken.  Modern web
> rendering engines are too complex and too fast-moving to be securable at
> all.  Mozilla and Google made every effort to ensure that nobody can
> ever be safe.

A related issue is that different people have conflicting ideas about
what "security" means.

That said, if you want to minimize leakage of information, you can
stand up fresh system images for every site you browse to (and
regularly reset them). This can get a little frustrating when you want
information from one site to be used at another, but  that's also the
sort of issue which leads to people using different concepts of
"security".

-- 
Raul



pf queue bandwidth estimation

2016-05-12 Thread niya levi
using broadbandspeedchecker.co.uk i measured the bandwidth on my virgin
media line,
the download speed varied from as low as 20Mb/sec up to 50Mb/sec
depending on the time of day the test was run,
what will be the result if i put a value for the queue bandwidth which
is greater or less than the maximum download speed ?
shadrock



Re: light browsers

2016-05-12 Thread Dmitrij D. Czarkoff
sogal said:
>> Basically anything that is using webkit is going to have issues:
>> https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/
>> 
>> This means, xombrero, luakit, probably all the others that aren't
>> firefox and chromium.
> 
> Thanks for the interesting link.
> The xombrero "security" features lie in the default settings and the
> possibility to harden them regarding to privacy issues.
> 
> But indeed, it seems that every single Webkit(Gtk) web browser is broken
> which leaves us with very few choice.

You must face the reality:  all web browsers are broken.  Modern web
rendering engines are too complex and too fast-moving to be securable at
all.  Mozilla and Google made every effort to ensure that nobody can
ever be safe.

Webkit1-based browsers (Luakit, Midori, surf, Vimb and Xombrero) use an
unmaintained engine, so nobody fixes even known issues.  People who care
about security should probably avoid these.

AFAIK the situation is similar for QTWebKit (Otter).

Situation with Webkit2 (Epiphany and surf2) is a bit better.  It is
actively developed, and some issues get fixed.  But GTK+ port - the one
we can use - is undermanned and Linux-centric.  It has issues.

XUL (Firefox and SeaMonkey) and Blink (Chromium and Iridium) are in
better shape, so the issues there are probably fewer.  But there still
are issues.  And we are not a top priority platform for either, so
upstream does not care much whether things work for us or not.  And
these are primary targets for bad guys, so those fewer issues have
higher chances of being exploited.


Thuban said:
> w3m already has been mentioned on the list. With some time, it becomes
> very handy.
> 
> But what about netsurf?

FWIW there is no reason to believe that the situation with w3m, netsurf,
dillo, lynx and numerous links forks is better.  These browsers support
a smaller subset of the HTML/CSS/JS specs than major browsers do, but their
developer teams are yet smaller, and their security was never studied
in detail.  They may be just as broken as major browsers.  Who knows?


There is no safe bet here.  Pick whatever you want, and you'll lose
eventually.  Or maybe you won't, but only if you are lucky enough.
Parsing HTML manually is probably the safest option, albeit ugly.  You
will still suffer from bugs in your HTTP(S) tool though.

-- 
Dmitrij D. Czarkoff



Re: httpd - Multiple index files?

2016-05-12 Thread Romain
Thank you very much! I will look into that.




On Thu, 12 May 2016 12:54:02 +0200
Erling Westenvik  wrote:

On Thu, May 12, 2016 at 10:18:09AM +, Romain wrote:
> Alright.
> Thanks for your answer. 

Have a look at this thread: https://github.com/reyk/httpd/issues/27

And my example would probably be better this way:



> On Thu, 12 May 2016 11:40:10 +0200
> Erling Westenvik  wrote:
> 
> On Thu, May 12, 2016 at 12:04:50AM +, Romain wrote:
> > Is it possible to supply multiple index files to the directory index
> > directive?  I mean, I would like to write something like that in
> > httpd.conf: 
> >  
> >directory index "index.html" "index.php" 
> >  
> > which would mean that, if the directory contains "index.html", then
> > the server should serve it first, if not, then try "index.php",
> > otherwise the standard error. 
> 
> Not that I'm aware of. Anyway: Such logic should be part of your
> application, not the web server since it would just add unnecessary and
> ambiguous complexity to the latter.
> 
> > Or should I do it in another way? 
> 
> You could try something like this:
> 
> <?php
> if (basename($_SERVER["PHP_SELF"]) == "index.php") {
>     header("Location: ".$_SERVER["REQUEST_URI"]."index.html");
> }
> ?>
> 
> > Thanks. 
> > Best, 
> > Romain 
> 
> Regards.
> 
> Erling



Re: light browsers

2016-05-12 Thread Thuban
> Firefox used to be nice, but I don't like the way it goes with
> embedded crap such as Hello or even worse, the Pocket thing.
>
Indeed, but it's maybe the last web browser caring about its users,
without selling them or asking them to pay.

w3m already has been mentioned on the list. With some time, it becomes
very handy.

But what about netsurf?

http://www.netsurf-browser.org/

Regards,
--
/Thuban/




Re: TLS now supported on openbsd.org?

2016-05-12 Thread Kevin Chadwick
> > Its main unrealised potential benefit is; add *some* security by
> > default to all those insecure wordpress logins.  
> 
> That's a terrible reason. And actually it's "make those insecure
> CMS sites look more like they might be secure" when they're no
> such thing. Because people have been trained into equating https
> with security. Which is just plain wrong.

Also whilst ordering 100 units could happen when you only want one,
often the security such as for payment is a third party server which is
*usually* more secure or at least PCI compliant, haha. Strangely,
payment systems (paypal started requiring it last year) often require
javascript which I guess is ironically the most likely vector for ID
theft in this scenario.

So... why is there so much hoo har about SSL everywhere and no
attention given to javascript from third party domains doing all sorts
of potential things (potentially exploitation) and encouraging
payment systems to be javascript free. Both SSL everywhere and
javascript nowhere require encouragement and time to accomplish. So
is there an agenda or just many idiots who see TLS=security and don't
see lack of secure cookie usage and XSS vulnerabilities (now protected
by SSL everywhere) meaning a site is likely exploitable in other ways!!

Which brings us nicely back to your original point, haha ;)

-- 

KISSIS - Keep It Simple So It's Securable



Re: TLS now supported on openbsd.org?

2016-05-12 Thread Kevin Chadwick
> On 2016-05-10, Kevin Chadwick  wrote:
> >> > Also, after you generate and sign the certificate, you don't have
> >> > to keep the script.
> >> 
> >> Validity on the letsencrypt CA is 90 days max. (Partly to restrict
> >> usefulness of a bad cert because they don't do CRLs, which are pretty
> >> much useless anyway, and partly to encourage users to automate).  
> >
> > Ugghhh, I was fearing that their automate and security mantra might
> > clash, but they don't seem to mention it up front. 365 days already
> > annoys me especially as I intend to use OpenSSH for anything
> > particularly important and cryptanalysis is not a problem for years on
> > a low traffic site.  
> 
> It's not about cryptanalysis, it's about reducing impact from
> compromised hosts and from the weak authentication systems that are done
> on all the "low value" DV CAs. (specifically this one is "requester had
> access to cause files to be served at an http server running at the
> address pointed to by DNS at the time it was requested" so a security
> failure at any of a number of points would allow access).
> 

Yeah but all I give them is a CSR. I haven't had an issue like that
before with STARTSSL. I agree the CA system is ridiculous though and
was disappointed when I found letsencrypt's policy document showed it
to largely be a copy of all that has gone before rather than something
revolutionary. I guess without DNSSEC being fixed and widely used or
DNSCURVE being widely used or major browsers getting directly involved
in domain validation (really the only important thing) then that can't
happen.

> > You enforce SSL for data submissions, a user checking keys has to check
> > the domain in any case and hope the browser domain matching code is
> > secure too (yes there has been at least one firefox bug there) even
> > before considering the DNS system.  
> 
> Still, browsers are a higher bar than the control panels and front line
> support staff at a typical cheap domain host.
> 

Agreed, and non gpg'd emails especially.

> > Its main unrealised potential benefit is; add *some* security by
> > default to all those insecure wordpress logins.  
> 
> That's a terrible reason. And actually it's "make those insecure
> CMS sites look more like they might be secure" when they're no
> such thing. Because people have been trained into equating https
> with security. Which is just plain wrong.
> 

Well yes but more pop up everyday. I have a friend who paid good money
for a site and because I didn't want to send passwords by text message
or email and enabled SSL on the wordpress login (for free simply
because I couldn't allow it!!!) I was asked by the web developer
company if I worked for the CIA or something!! Later they changed the
password on me to something quite simple!!

Interestingly, a few months later the wordpress admin login went down
at heart internet and login attempt restrictions put on them all because
wordpress sites were being widely brute forced apparently in order to
add them as attractive (high upload bandwidth) clients in botnets.


-- 

KISSIS - Keep It Simple So It's Securable



Re: PF and interface changing IP

2016-05-12 Thread Philipp Buehler

On 12.05.2016 11:52 Gabriele Tozzi wrote:

I did not know about the "new" parentheses feature.


It was brand-new with the 3.2 release :-)

--
pb



Balanced and failover IPSEC

2016-05-12 Thread Info
Hello, this is my first post on OpenBSD, so do not riddle me, please...

I have one infrastructure with one IPSEC tunnel. This works ok, but I think I
can duplicate the transfers. My topology is like this:

  * One ADSL 20Mb on Site A
  * Two ADSL 10Mb on Site B
  * One OpenBSD box per site, attached directly to the router

I need to share Network A with Network B over ipsec like now, but
balanced/failovered. I searched for solutions and found 3 methods, but I'm not sure
which to use and this seems a little complicated:

  * CARP (I don't have two servers per site)
  * PF (with ipsec i'm lost)
  * ifstated (I don't know anything about this)

I will send my topology graphically as an attachment (it should be read with a
system or fixed-width font).

Thanks very much and regards.
 #20.0.0.0  
 #--- ##
 #####  10Mb |DSL|\   ##   ##
 #--- |   ##
 #####/   |   ##   ##
 ####   20Mb##   /|.2 ##
--- .2  ---  .1 ##--/---
   |BSD|---|DSL|#  INET  #  |BSD|---
--- --- ##--\--- \
 |  ##   \|.2|
 | 10.0.0.0  #\   | ---
---  #--- | NET
NET  #  10Mb |DSL|/ ---
---  #---101.0.0.0
 100.0.0.0   #21.0.0.0



Re: light browsers

2016-05-12 Thread sogal
On Thursday 12 May 2016 at 09:52:56AM, Aaron Bieber wrote:
> 
> sogal writes:
> 
> > On Wednesday 11 May 2016 at 10:26:03PM,
> > 3sad68+aivzh013i5...@guerrillamail.com wrote:
> >> Hi,
> >> 
> >> did anyone try Midori or other light browsers with good results ?
> >
> > You might want to give xombrero a try.
> > It's webkit based and was "Built with security in mind" [0]
> 
> Basically anything that is using webkit is going to have issues:
> https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/
> 
> This means, xombrero, luakit, probably all the others that aren't
> firefox and chromium.

Thanks for the interesting link.
The xombrero "security" features lie in the default settings and the
possibility to harden them regarding to privacy issues.

But indeed, it seems that every single Webkit(Gtk) web browser is broken
which leaves us with very few choices.

Firefox used to be nice, but I don't like the way it goes with embedded
crap such as Hello or even worse, the Pocket thing.

Chromium is Google related, not always for the best. [0]

IMO both of them are heavy and need a lot of add-ons to be usable.

[0] 
http://arstechnica.com/security/2015/06/not-ok-google-chromium-voice-extension-pulled-after-spying-concerns/



Re: httpd - Multiple index files?

2016-05-12 Thread Stuart Henderson
On 2016-05-12, Erling Westenvik  wrote:
> Not that I'm aware of. Anyway: Such logic should be part of your
> application, not the web server since it would just add unnecessary and
> ambiguous complexity to the latter.
>
>> Or should I do it in another way? 
>
> You could try something like this:
>
> <?php
> if (basename($_SERVER["PHP_SELF"]) == "index.php") {
>     header("Location: ".$_SERVER["REQUEST_URI"]."index.html");
> }
> ?>

This is quite a common requirement, using PHP for this seems quite overkill...
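A way to get the same fallback without the quoted snippet's path problem, as an added example that is not Erling's code nor anything from the thread: index.php serves a static index.html from its own directory when one exists and otherwise renders the dynamic page. It assumes httpd is already dispatching index.php to PHP, as in Romain's setup.

```php
<?php
// Added example, not from the thread. Drop-in index.php that prefers a static
// index.html in the same directory, which is what the original question asked
// httpd's "directory index" to do.
//
// Differences from the quoted snippet: no Location header is built from
// REQUEST_URI (for "/blog/index.php?x=1" that would have produced the target
// "/blog/index.php?x=1index.html"), and no redirect is issued at all. The file
// is served in-process from a path with no request-controlled component, so a
// client cannot steer the lookup anywhere else.
$static = __DIR__ . DIRECTORY_SEPARATOR . 'index.html';

if (is_file($static) && is_readable($static)) {
    header('Content-Type: text/html; charset=utf-8');
    header('Content-Length: ' . (string) filesize($static));
    readfile($static);
    exit;
}

// No index.html beside us: fall through to the dynamic page.
header('Content-Type: text/html; charset=utf-8');
echo "<!doctype html><title>Dynamic index</title>\n";
echo "<p>No static index.html found; rendering the PHP page instead.</p>\n";
```

If the static copy should be served at its own URL instead, redirect to dirname($_SERVER['SCRIPT_NAME']) . '/index.html' rather than to anything derived from REQUEST_URI.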



Re: light browsers

2016-05-12 Thread Aaron Bieber
sogal writes:

> On Wednesday 11 May 2016 at 10:26:03PM, 3sad68+aivzh013i5...@guerrillamail.com
> wrote:
>> Hi,
>> 
>> did anyone try Midori or other light browsers with good results ?
>
> You might want to give xombrero a try.
> It's webkit based and was "Built with security in mind" [0]

Basically anything that is using webkit is going to have issues:
https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/

This means, xombrero, luakit, probably all the others that aren't
firefox and chromium.

>
> When in "whitelist" mode, it provides a fine grained, per-domain control
> over cookies and JS activation and is highly configurable through a
> well documented conf file (sane vim-like keybindings and mouse control
> if needed).
>
> I use it everyday, it's ok for general purpose even though some fancy
> website design may appear broken from time to time.
>
> [0] https://opensource.conformal.com/wiki/xombrero



Re: light browsers

2016-05-12 Thread sogal
On Wednesday 11 May 2016 at 10:26:03PM, 3sad68+aivzh013i5...@guerrillamail.com
wrote:
> Hi,
> 
> did anyone try Midori or other light browsers with good results ?

You might want to give xombrero a try.
It's webkit based and was "Built with security in mind" [0]

When in "whitelist" mode, it provides a fine grained, per-domain control
over cookies and JS activation and is highly configurable through a
well documented conf file (sane vim-like keybindings and mouse control
if needed).

I use it everyday, it's ok for general purpose even though some fancy
website design may appear broken from time to time.

[0] https://opensource.conformal.com/wiki/xombrero



Re: Swift?

2016-05-12 Thread nacredata
I was thinking of the Apple sponsored projects which is now supposedly open
source & usable server side. I've done Objective-C in the past but have not
played with Swift yet myself; if it were available I might play with that
amongst all the other languages and frameworks that I am using on projects. No
big deal, I'm not sure if it's a particularly good fit or not, just like to
play with things.


devin
--
contact info: http://nacredata.com/devin



> On May 11, 2016, at 23:53, Einfach Jemand  wrote:
>
>> On Wed, May 11, 2016 at 07:30:42PM -0400, Devin Ceartas wrote:
>> Can you run Swift on OpenBSD?
>>
>>
>> devin
>
> Which one?
> This:https://swift.org
> Or that: http://swift-lang.org/main/
>
> rru



Re: light browsers

2016-05-12 Thread Gleydson Soares
Hi,

On Wed, May 11, 2016 at 7:26 PM,
<3sad68+aivzh013i5...@guerrillamail.com> wrote:
> Hi,
>
> did anyone try Midori or other light browsers with good results ?

I've been using www/luakit for a long time on a thinkpad x40/i386. It
is running fast and works just fine.

html5 support was fixed in -current [1] a few days ago by me and
abieber@ and it works like a charm, so you may watch videos on
youtube without effort...

If you are looking for that suckless and functional browser, luakit
is over there.

[1] - http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/www/luakit/Makefile

// gsoares



Re: light browsers

2016-05-12 Thread lists
> dillo

is in ports www/dillo - a fast and light graphical web browser (no JS)

[http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/ports/www/dillo/pkg/DESCR]

"Dillo is a multi-platform graphical web browser known for its speed
and small size.  It is written in C and C++ and based on FLTK."

[http://www.dillo.org/]

Very useful, replaces heavy Mozilla and all other huge monstrosities.



Re: Swift?

2016-05-12 Thread Einfach Jemand
On Wed, May 11, 2016 at 07:30:42PM -0400, Devin Ceartas wrote:
> Can you run Swift on OpenBSD?
> 
> 
> devin

Which one?
This:https://swift.org
Or that: http://swift-lang.org/main/

rru



Re: light browsers

2016-05-12 Thread Bruno Flueckiger

On 12.05.2016 00:26, 3sad68+aivzh013i5...@guerrillamail.com wrote:

Hi,

did anyone try Midori or other light browsers with good results ?



Midori works fine. But if your definition of "light" is "consumes little 
resources" then I would recommend to use one of the browsers with a text 
interface:


- w3m
- lynx
- links

Cheers,
Bruno



Re: httpd - Multiple index files?

2016-05-12 Thread Erling Westenvik
On Thu, May 12, 2016 at 10:18:09AM +, Romain wrote:
> Alright.
> Thanks for your answer. 

Have a look at this thread: https://github.com/reyk/httpd/issues/27

And my example would probably be better this way:



> On Thu, 12 May 2016 11:40:10 +0200
> Erling Westenvik  wrote:
> 
> On Thu, May 12, 2016 at 12:04:50AM +, Romain wrote:
> > Is it possible to supply multiple index files to the directory index
> > directive?  I mean, I would like to write something like that in
> > httpd.conf: 
> >  
> >directory index "index.html" "index.php" 
> >  
> > which would mean that, if the directory contains "index.html", then
> > the server should serve it first, if not, then try "index.php",
> > otherwise the standard error. 
> 
> Not that I'm aware of. Anyway: Such logic should be part of your
> application, not the web server since it would just add unnecessary and
> ambiguous complexity to the latter.
> 
> > Or should I do it in another way? 
> 
> You could try something like this:
> 
> <?php
> if (basename($_SERVER["PHP_SELF"]) == "index.php") {
>     header("Location: ".$_SERVER["REQUEST_URI"]."index.html");
> }
> ?>
> 
> > Thanks. 
> > Best, 
> > Romain 
> 
> Regards.
> 
> Erling



Re: httpd - Multiple index files?

2016-05-12 Thread Romain
Alright.

Thanks for your answer.



On Thu, 12 May 2016 11:40:10 +0200
Erling Westenvik  wrote:

On Thu, May 12, 2016 at 12:04:50AM +, Romain wrote:
> Is it possible to supply multiple index files to the directory index
> directive?  I mean, I would like to write something like that in
> httpd.conf: 
>  
>directory index "index.html" "index.php" 
>  
> which would mean that, if the directory contains "index.html", then
> the server should serve it first, if not, then try "index.php",
> otherwise the standard error. 

Not that I'm aware of. Anyway: Such logic should be part of your
application, not the web server since it would just add unnecessary and
ambiguous complexity to the latter.

> Or should I do it in another way? 

You could try something like this:

<?php
if (basename($_SERVER["PHP_SELF"]) == "index.php") {
    header("Location: ".$_SERVER["REQUEST_URI"]."index.html");
}
?>

> Thanks. 
> Best, 
> Romain 

Regards.

Erling



Re: PF and interface changing IP

2016-05-12 Thread Gabriele Tozzi

Thank you for all your answers.

I did not know about the "new" parentheses feature.
Solved :)

Gabriele Tozzi

--
GPG Key Fingerprint:
DAD1 E3E3 C3E9 36FB C570 F405 9B5F 7108 A1D0 2FFF



Re: httpd - Multiple index files?

2016-05-12 Thread Erling Westenvik
On Thu, May 12, 2016 at 12:04:50AM +, Romain wrote:
> Is it possible to supply multiple index files to the directory index
> directive?  I mean, I would like to write something like that in
> httpd.conf: 
>  
>directory index "index.html" "index.php" 
>  
> which would mean that, if the directory contains "index.html", then
> the server should serve it first, if not, then try "index.php",
> otherwise the standard error. 

Not that I'm aware of. Anyway: Such logic should be part of your
application, not the web server since it would just add unnecessary and
ambiguous complexity to the latter.

> Or should I do it in another way? 

You could try something like this:
<?php
if (basename($_SERVER["PHP_SELF"]) == "index.php") {
    header("Location: ".$_SERVER["REQUEST_URI"]."index.html");
}
?>


> Thanks. 
> Best, 
> Romain 

Regards.

Erling



Re: light browsers

2016-05-12 Thread Craig Skinner
dillo



Re: malloc.conf on BeagleBone Black

2016-05-12 Thread hans
On May 10 18:45:49, h...@stare.cz wrote:
> > > > >   malloc() warning: unknown char in MALLOC_OPTIONS
> > 
> > if it's only some programs, then it's because those are older programs.
> 
> Yes they are. I will get back after they recompile. Thanks.

Indeed, after recompiling the ports (it was only port binaries
that complained), the warning disappeared.

Thank you

Jan



Re: PF and interface changing IP

2016-05-12 Thread Mark Carroll
On 12 May 2016, Gabriele Tozzi wrote:
(snip)
> Then I have setup PF to allow incoming ssh traffic. Here is my rule:
>
> pass in on pppoe0 inet proto tcp to pppoe0 port ssh keep state
>
>
> The interface has a dynamic IP. I was relying on the "!/sbin/pfctl -f
> /etc/pf.conf" rule to reload my PF when the IP changes but, apparently,
> it is not working as expected: it looks like the interface can change
> its IP without being restarted, so PF never gets reloaded and keeps
> using the old IP.
(snip)

Does it start to work okay if you put the pppoe0 in parentheses?
http://www.openbsd.org/faq/pf/filter.html has,

] The name of a network interface or group in parentheses ( ). This
] tells PF to update the rule if the IP address(es) on the named
] interface change. 

-- Mark



Re: PF and interface changing IP

2016-05-12 Thread Uwe Werler
pass in on pppoe0 inet proto tcp to (pppoe0) port ssh keep state

Sent from my Samsung device.

 Original message 
From: Gabriele Tozzi  
Date: 12.05.2016  09:45  (GMT+01:00) 
To: misc@openbsd.org 
Subject: PF and interface changing IP 



Re: PF and interface changing IP

2016-05-12 Thread Mihai Popescu
From the pf.conf man page:

"Surrounding the interface name (and optional modifiers) in
parentheses changes this behaviour. When the interface name is
surrounded by parentheses, the rule is automatically updated whenever
the interface changes its address. The ruleset does not need to be
reloaded. This is especially useful with NAT."

Read it all, a few times and whenever is necessary.
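The two rule forms side by side as a pf.conf fragment, an added example that is not from the thread. It assumes Gabriele's pppoe0 interface from hostname.pppoe0 and, for the last variant, that pppoe0 is the only interface carrying the default route (and so the only member of the egress group).

```pf
# /etc/pf.conf fragment, added example (not from the thread). Assumes the
# pppoe0 interface configured in Gabriele's hostname.pppoe0.

# Original rule: a bare interface name is expanded to the address(es) pppoe0
# had at the moment "pfctl -f /etc/pf.conf" ran. When PPPoE renegotiates and
# a new address is assigned, this rule keeps matching the stale address until
# the ruleset is reloaded, which is exactly the symptom described above.
#pass in on pppoe0 inet proto tcp to pppoe0 port ssh keep state

# Fixed rule: the parentheses tell PF to track the interface's address itself,
# so the rule follows every address change without a reload. The
# "!/sbin/pfctl -f /etc/pf.conf" hook in hostname.pppoe0 is no longer needed
# for this rule to stay correct (the named and aiccu restarts still are).
pass in on pppoe0 inet proto tcp to (pppoe0) port ssh keep state

# Same rule written against the "egress" interface group, Jiri B's suggestion:
# the interface holding the default route is placed in "egress" automatically,
# so the rule also survives the WAN interface being renamed or replaced.
# Assumes pppoe0 is the only egress interface.
#pass in on egress inet proto tcp to (egress) port ssh keep state
```

After loading, "pfctl -sr" still shows the rule with "(pppoe0)" rather than an address, which is the quick check that the dynamic form was picked up.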



Re: PF and interface changing IP

2016-05-12 Thread Jiri B
On Thu, May 12, 2016 at 09:36:35AM +0200, Gabriele Tozzi wrote:
> Hi there,
> 
> I have a pppoe0 interface setup like this (hostname.pppoe0):
> 
> inet 0.0.0.0 255.255.255.255 NONE \
> pppoedev re0 \
> authproto pap \
> authname 'myuser' \
> authkey 'mypass' up
> dest 0.0.0.1
> !/sbin/route add default 0.0.0.1
> !/sbin/pfctl -f /etc/pf.conf
> !/etc/rc.d/isc_named restart
> !/etc/rc.d/aiccu restart
> 
> 
> Then I have setup PF to allow incoming ssh traffic. Here is my rule:
> 
> pass in on pppoe0 inet proto tcp to pppoe0 port ssh keep state
> 
> 
> The interface has a dynamic IP. I was relying on the "!/sbin/pfctl -f
> /etc/pf.conf" rule to reload my PF when the IP changes but, apparently,
> it is not working as expected: it looks like the interface can change
> its IP without being restarted, so PF never gets reloaded and keeps
> using the old IP.
> 
> I am now thinking of placing a cron job that just reloads PF once in a
> while. Is there a cleaner way to reload PF when the IP changes? Or maybe
> even a better way to write the rule so that it auto-updates without the
> need to reload PF at all?

You can use interface groups, 'egress' or 'ppp' ? You can also hack
your setup to label a router and use 'route '.

j.



PF and interface changing IP

2016-05-12 Thread Gabriele Tozzi
Hi there,

I have a pppoe0 interface setup like this (hostname.pppoe0):

inet 0.0.0.0 255.255.255.255 NONE \
pppoedev re0 \
authproto pap \
authname 'myuser' \
authkey 'mypass' up
dest 0.0.0.1
!/sbin/route add default 0.0.0.1
!/sbin/pfctl -f /etc/pf.conf
!/etc/rc.d/isc_named restart
!/etc/rc.d/aiccu restart


Then I have setup PF to allow incoming ssh traffic. Here is my rule:

pass in on pppoe0 inet proto tcp to pppoe0 port ssh keep state


The interface has a dynamic IP. I was relying on the "!/sbin/pfctl -f
/etc/pf.conf" rule to reload my PF when the IP changes but, apparently,
it is not working as expected: it looks like the interface can change
its IP without being restarted, so PF never gets reloaded and keeps
using the old IP.

I am now thinking of placing a cron job that just reloads PF once in a
while. Is there a cleaner way to reload PF when the IP changes? Or maybe
even a better way to write the rule so that it auto-updates without the
need to reload PF at all?

Thank you

Gabriele Tozzi

-- 
GPG Key Fingerprint:
DAD1 E3E3 C3E9 36FB C570 F405 9B5F 7108 A1D0 2FFF



Re: Interface between block/char device and driver handler functions

2016-05-12 Thread Ian Sutton
> So my question is, how do I get a block device in /dev to connect to
> my driver open/close/ioctl/etc functions? And secondly, if I want this
> to happen automatically a la MAKEDEV, am I supposed to edit the m4 macro
> in etc/etc.armv7/MAKEDEV.md or is there a more proper way?

I figured out the issue:

Every block device in arm's conf.c has a corresponding character device, so
I added a cdev_decl(), entry in cdevsw[], and entry in chrtoblktbl[]. I believe
this was the crux of the issue. From there, I followed the instructions in
etc/MAKEDEV.common and my device was properly created with the resultant
MAKEDEV script.


Ian