Re: Programming for OpenBSD

2018-06-13 Thread Ve Telko
Hello, Kevin.

Please join us on Telegram, in the openbsdjumpstart channel. There
are people there who can help you get started.

http://openbsdjumpstart.org/#/47

Ve.



Re: stuck on spamd

2018-06-13 Thread Tony Boston
On Wednesday, 13.06.2018, 22:05 +0200, Hasse Hansson wrote:
> Hello and thank you for your answer.
> I've adjusted my settings according to your advice, but now it looks like
> it just directly whitelists every connection without greylisting.
> 
> smtp$ sudo spamdb | sort
> WHITE|104.47.1.210|||1528919648|1528919648|1532030048|1|0
> WHITE|104.47.6.201|||1528919611|1528919611|1532030011|1|0
> WHITE|185.234.216.189|||1528917936|1528917936|1532029991|1|3
> WHITE|185.234.216.204|||1528919598|1528919598|1532029998|1|0
> WHITE|209.85.213.46|||1528918933|1528918933|1532029333|1|0
> WHITE|209.85.213.53|||1528918873|1528918873|1532029273|1|0
> WHITE|40.92.67.106|||1528918696|1528918696|1532029096|1|0
> WHITE|40.92.68.98|||1528918725|1528918725|1532029125|1|0
> WHITE|59.70.207.21|||1528918455|1528918455|1532028855|1|0
> WHITE|91.121.119.198|||1528919326|1528919326|1532029726|1|0
> WHITE|91.136.10.81|||1528919583|1528919583|1532029983|1|0
> 
> This is how my files look like now. spamd.conf is the original one.
>  
> smtp$ sudo cat /etc/rc.conf.local
> httpd_flags=
> pkg_scripts=postfix dovecot saslauthd dbus_daemon avahi_daemon
> messagebus mysqld php70_fpm
> smtpd_flags=NO
> unbound_flags=
> spamd_flags="-v -G 2:4:864"
> spamd_grey=YES
> spamlogd_flags="-I"
> -
> smtp$ sudo cat /etc/pf.conf
> ext_if = "em0"
> int_if = "fxp0"
> localnet = $int_if:network
> tcp_services = "{ domain, ntp, imap, imaps, pop3, pop3s }"
> mail_services = "{ smtp, smtps, submission }"
> udp_services = "{ domain, ntp }"
> icmp_types = "echoreq"
> 
> table  { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
>    172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
>    192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
>    203.0.113.0/24 }
> 
> table  persist
> table  persist file "/etc/abusers"
> table  persist
> table  persist file "/etc/mail/nospamd"
> 
> set block-policy drop
> set loginterface egress
> set skip on lo0
> 
> match in all scrub (no-df random-id max-mss 1440)
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
> 
> antispoof quick for { egress $ext_if int_if }
> 
> block in quick on egress from  to any
> block return out quick on egress from any to 
> 
> block in quick log on egress from  to any label "abusers"
> 
> block all
> pass out quick inet
> 
> pass in on egress inet proto tcp from any to any port smtp \
> divert-to 127.0.0.1 port spamd
> pass in on egress proto tcp from  to any port smtp
> pass in log on egress proto tcp from  to any port smtp
> pass out log on egress proto tcp to any port smtp
> 
> pass in on { $ext_if } inet
> 
> pass log quick proto tcp from any to (egress) port ssh flags S/SA keep state \
> (max-src-conn 15, max-src-conn-rate 5/3, overload  flush global)
> 
> pass log quick proto tcp from any to (egress) port $tcp_services flags S/SA keep state \
> (max-src-conn 50, max-src-conn-rate 15/5, overload  flush global)
> 
> pass log quick proto tcp from any to (egress) port $mail_services flags S/SA keep state \
> (max-src-conn 50, max-src-conn-rate 25/5, overload  flush global)
> 
> pass in on egress inet proto tcp from any to (egress) port { 80 443 }
> 
> pass inet proto tcp from { self, $localnet }
> 
> pass quick inet proto tcp to port $tcp_services keep state
> pass quick inet proto tcp to port $mail_services keep state
> 
> pass quick inet proto udp to port $udp_services keep state
> pass out on $ext_if inet proto udp to port 33433 >< 33626
> pass inet proto icmp all icmp-type $icmp_types
> 
As far as my knowledge goes, since you say 'pass out quick inet' early
on in the ruleset, the other 'pass out' rules never get a chance to
match. Also, quick only makes sense if you put such rules first, not
somewhere at the end of your ruleset.

--
Tony
 
GPG-FP: 913BBD25 8DA503C7 BAE0C0B6 8995E906 4FBAD580
Threema: DN8PJX4Z
XMPP: tb@bsd.services
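The ordering point above can be checked mechanically. pf evaluates a ruleset top to bottom, the last matching rule wins, and a matching rule carrying `quick` ends evaluation on the spot. Applied to the posted pf.conf that has two consequences: `pass out quick inet` near the top shadows the later `pass out log on egress proto tcp to any port smtp` rule, and the final `pass log quick proto tcp from any to (egress) port $mail_services` rule (no direction, so it matches inbound too) wins for every inbound port 25 connection, so the `divert-to 127.0.0.1 port spamd` rule never takes effect. Because that winning rule also logs, spamlogd -I sees every inbound SMTP connection and whitelists its source address, which is consistent with the spamdb output showing only WHITE entries. The following toy evaluator is an added example written for this page, not pf's code and not anything from the thread: it models only direction, protocol, destination port, a source table, `quick`, `log` and `divert-to`, and the table names (`<nospamd>`, `<spamd-white>`) and addresses are assumptions for the sake of the demonstration.

```python
# Toy model of pf(4) rule evaluation (added example, not pf code):
# last matching rule wins, a matching rule with 'quick' stops evaluation.
# State, interfaces, address families and most options are deliberately ignored.
from dataclasses import dataclass
from typing import FrozenSet, Optional

SMTP, SMTPS, SUBMISSION = 25, 465, 587
# Constructed table contents; sample addresses, not from the thread.
NOSPAMD = frozenset({"203.0.113.10"})       # assumed <nospamd> table
SPAMD_WHITE = frozenset({"198.51.100.20"})  # assumed <spamd-white> table


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    proto: str       # "tcp" or "udp"
    src: str
    dport: int


@dataclass(frozen=True)
class Rule:
    text: str                                   # the pf.conf line being modelled
    action: str                                 # "pass" or "block"
    direction: Optional[str] = None             # None: no in/out, matches both
    proto: Optional[str] = None                 # None: any protocol
    dports: FrozenSet[int] = frozenset()        # empty: any port
    src_table: Optional[FrozenSet[str]] = None  # None: "from any"
    quick: bool = False
    log: bool = False
    divert: bool = False                        # rule carries divert-to

    def matches(self, p: Packet) -> bool:
        if self.direction and self.direction != p.direction:
            return False
        if self.proto and self.proto != p.proto:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        if self.src_table is not None and p.src not in self.src_table:
            return False
        return True


def evaluate(rules, pkt):
    """Walk every rule, remember the last match, stop early on 'quick'."""
    winner = None
    for r in rules:
        if r.matches(pkt):
            winner = r
            if r.quick:
                break
    return winner


def posted_ruleset():
    """Relevant rules in the order they appear in the posted pf.conf."""
    return [
        Rule("block all", "block"),
        Rule("pass out quick inet", "pass", "out", quick=True),
        Rule("pass in on egress ... port smtp divert-to 127.0.0.1 port spamd",
             "pass", "in", "tcp", frozenset({SMTP}), divert=True),
        Rule("pass in on egress ... from <nospamd> to any port smtp",
             "pass", "in", "tcp", frozenset({SMTP}), NOSPAMD),
        Rule("pass in log on egress ... from <spamd-white> to any port smtp",
             "pass", "in", "tcp", frozenset({SMTP}), SPAMD_WHITE, log=True),
        Rule("pass out log on egress ... to any port smtp",
             "pass", "out", "tcp", frozenset({SMTP}), log=True),
        Rule("pass log quick proto tcp ... port $mail_services ...",
             "pass", None, "tcp", frozenset({SMTP, SMTPS, SUBMISSION}),
             quick=True, log=True),
    ]


def fixed_ruleset():
    """Same rules with two changes: no 'quick' on the blanket pass out rule,
    and port 25 removed from the quick rate-limit rule so the spamd rules win."""
    rules = posted_ruleset()
    rules[1] = Rule("pass out inet", "pass", "out")
    rules[-1] = Rule("pass log quick proto tcp ... port { smtps submission } ...",
                     "pass", None, "tcp", frozenset({SMTPS, SUBMISSION}),
                     quick=True, log=True)
    return rules


def inbound_smtp_winner(rules, src):
    """Text of the rule that decides an inbound port 25 SYN from src."""
    r = evaluate(rules, Packet("in", "tcp", src, SMTP))
    return r.text if r else None


def outbound_smtp_logged(rules):
    """Does the deciding rule for an outbound port 25 connection log it?"""
    r = evaluate(rules, Packet("out", "tcp", "192.0.2.1", SMTP))
    return bool(r and r.log)


if __name__ == "__main__":
    for name, rs in (("posted", posted_ruleset()), ("fixed", fixed_ruleset())):
        print(name, "unknown sender ->", inbound_smtp_winner(rs, "192.0.2.50"))
        print(name, "nospamd sender ->", inbound_smtp_winner(rs, "203.0.113.10"))
        print(name, "outbound smtp logged ->", outbound_smtp_logged(rs))
```

Run as a script to see which rule decides each case; `pfctl -vvsr` on the real box prints the loaded rules with their evaluation counters, which is the quickest way to confirm which rule is actually winning for inbound port 25.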



Different sound sources interfere with each other

2018-06-13 Thread Максим
Hello,
I use USB headphones on OpenBSD amd64 6.3.
They are detected on the system as:
uaudio0 at uhub3 port 2 configuration 1 interface 0 "Sennheiser Communications 
Sennheiser USB headset" rev 1.10/1.00 addr 3
uaudio0: audio rev 1.00, 8 mixer controls
audio1 at uaudio0

I've set up this audio device in accordance with the official FAQ
(https://www.openbsd.org/faq/faq13.html#confaudio):
cat /etc/rc.conf.local
"sndiod_flags=-f rsnd/1"

The first problem is: when I listen to music (cmus) and browse the internet
(Firefox), cmus sometimes stops playing for a second.
This happens when I click a link on a page or receive some notification from
the web page (which may play a short sound).

The second problem is: when some audio source is playing (online video or a
music file), the sound is sometimes distorted or it bursts.
To fix this I have to pause and unpause the sound source several times.

What could the problem be? Do I need any additional setup for my audio device?

-- 
Best regards
Maksim Rodin



Re: SSH segfault when SendEnv is used in .ssh/config

2018-06-13 Thread Darren Tucker
On 10 June 2018 at 17:43, Tom Murphy  wrote:
>   I upgraded to the June 9th snapshot and noticed ssh segfaults
> when I make connections. After a bit of checking in my .ssh/config,
> I discovered the SendEnv directive is making it segfault. Not sure
> if it has to do with the changes made 2 days ago?

This may have been fixed:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/readconf.c?rev=1.291&content-type=text/x-cvsweb-markup

If not, could you please share the fragment of your config that triggers it?

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



ldapd sync with outside data

2018-06-13 Thread Allan Streib
Has anyone tried LSC on OpenBSD to synchronize between ldapd and a SQL
database such as MariaDB? How well did it [not] work, or do you use
something else?

https://lsc-project.org/

Thanks,

Allan



Re: stuck on spamd

2018-06-13 Thread Hasse Hansson
Hello and thank you for your answer.
I've adjusted my settings according to your advice, but now it looks like
it just directly whitelists every connection without greylisting.

smtp$ sudo spamdb | sort
WHITE|104.47.1.210|||1528919648|1528919648|1532030048|1|0
WHITE|104.47.6.201|||1528919611|1528919611|1532030011|1|0
WHITE|185.234.216.189|||1528917936|1528917936|1532029991|1|3
WHITE|185.234.216.204|||1528919598|1528919598|1532029998|1|0
WHITE|209.85.213.46|||1528918933|1528918933|1532029333|1|0
WHITE|209.85.213.53|||1528918873|1528918873|1532029273|1|0
WHITE|40.92.67.106|||1528918696|1528918696|1532029096|1|0
WHITE|40.92.68.98|||1528918725|1528918725|1532029125|1|0
WHITE|59.70.207.21|||1528918455|1528918455|1532028855|1|0
WHITE|91.121.119.198|||1528919326|1528919326|1532029726|1|0
WHITE|91.136.10.81|||1528919583|1528919583|1532029983|1|0

This is what my files look like now. spamd.conf is the original one.
 
smtp$ sudo cat /etc/rc.conf.local
httpd_flags=
pkg_scripts=postfix dovecot saslauthd dbus_daemon avahi_daemon messagebus 
mysqld php70_fpm
smtpd_flags=NO
unbound_flags=
spamd_flags="-v -G 2:4:864"
spamd_grey=YES
spamlogd_flags="-I"
-
smtp$ sudo cat /etc/pf.conf
ext_if = "em0"
int_if = "fxp0"
localnet = $int_if:network
tcp_services = "{ domain, ntp, imap, imaps, pop3, pop3s }"
mail_services = "{ smtp, smtps, submission }"
udp_services = "{ domain, ntp }"
icmp_types = "echoreq"

table  { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24\
   203.0.113.0/24 }

table  persist
table  persist file "/etc/abusers"
table  persist
table  persist file "/etc/mail/nospamd"

set block-policy drop
set loginterface egress
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)

antispoof quick for { egress $ext_if int_if }

block in quick on egress from  to any
block return out quick on egress from any to 

block in quick log on egress from  to any label "abusers"

block all
pass out quick inet

pass in on egress inet proto tcp from any to any port smtp \
divert-to 127.0.0.1 port spamd
pass in on egress proto tcp from  to any port smtp
pass in log on egress proto tcp from  to any port smtp
pass out log on egress proto tcp to any port smtp

pass in on { $ext_if } inet

pass log quick proto tcp from any to (egress) port ssh flags S/SA keep state \
(max-src-conn 15, max-src-conn-rate 5/3, overload  flush 
global)

pass log quick proto tcp from any to (egress) port $tcp_services flags S/SA 
keep state \
(max-src-conn 50, max-src-conn-rate 15/5, overload  flush 
global)

pass log quick proto tcp from any to (egress) port $mail_services flags S/SA 
keep state \
(max-src-conn 50, max-src-conn-rate 25/5, overload  flush 
global)

pass in on egress inet proto tcp from any to (egress) port { 80 443 }

pass inet proto tcp from { self, $localnet }

pass quick inet proto tcp to port $tcp_services keep state
pass quick inet proto tcp to port $mail_services keep state

pass quick inet proto udp to port $udp_services keep state
pass out on $ext_if inet proto udp to port 33433 >< 33626
pass inet proto icmp all icmp-type $icmp_types



Re: stuck on spamd

2018-06-13 Thread Craig Skinner
Hi Hasse,

I see a few problems:

On Mon, 11 Jun 2018 20:36:12 +0200 Hasse Hansson wrote:
> smtp# cat /etc/rc.conf.local
> ...
> spamlogd_flags="-I -i lo0"

I'd remove the localhost interface then restart spamlogd.


> smtp# cat /etc/pf.conf
> ext_if = "em0"
> ...
> 
> 
> pass in log on egress proto tcp from  to any port smtp

This line follows spamd's man page, i.e. you log incoming traffic on
the egress interface (em0) for spamlogd - correct. But you have
configured spamlogd to listen on lo0 in /etc/rc.conf.local - no match.


> 
> ...
> block all


The block rules need to be above the pass rules, otherwise their
matched traffic is blocked. Move all the block rules up above the pass
rules and reload.


> smtp# cat /etc/mail/spamd.conf
> 
> ...
> :msg="SPAM.  All spmmers get reported !


This line is not closed. It needs ":\

Then restart spamd to invoke spamd-setup.

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: chromium and firefox - myths and facts?

2018-06-13 Thread Kevin Chadwick
On Mon, 11 Jun 2018 07:56:50 -0600


> In a browser, there are 2 main security components you want: The main
> security advantage is privsep.  The other is W^X jit.  Other security
> effects will follow from those design choices, especially if you have
> privsep.  For instance, the chrome privsep is nicely refined and
> pledge enforcements could be added.

This is surely of far less interest than the ability to pledge, but
perhaps still of some interest.

These are the Windows 10 1803 exploit protection settings that I have
found can be enabled without crashing Chrome, then Firefox. There seem
to be a few targeted at ROP that Firefox runs with but that break Chrome.