Re: Programming for OpenBSD
Hello, Kevin. Please join us on Telegram, in the openbsdjumpstart channel. There are people there who can help you get started. http://openbsdjumpstart.org/#/47 Ve.
Re: stuck on spamd
On Wednesday, 13.06.2018, 22:05 +0200, Hasse Hansson wrote:
> Hello and thank you for your answer.
> I've adjusted my settings according to your advice, but now it looks
> like it just directly whitelists every connection without greylisting.
>
> smtp$ sudo spamdb | sort
> WHITE|104.47.1.210|||1528919648|1528919648|1532030048|1|0
> WHITE|104.47.6.201|||1528919611|1528919611|1532030011|1|0
> WHITE|185.234.216.189|||1528917936|1528917936|1532029991|1|3
> WHITE|185.234.216.204|||1528919598|1528919598|1532029998|1|0
> WHITE|209.85.213.46|||1528918933|1528918933|1532029333|1|0
> WHITE|209.85.213.53|||1528918873|1528918873|1532029273|1|0
> WHITE|40.92.67.106|||1528918696|1528918696|1532029096|1|0
> WHITE|40.92.68.98|||1528918725|1528918725|1532029125|1|0
> WHITE|59.70.207.21|||1528918455|1528918455|1532028855|1|0
> WHITE|91.121.119.198|||1528919326|1528919326|1532029726|1|0
> WHITE|91.136.10.81|||1528919583|1528919583|1532029983|1|0
>
> This is how my files look now. spamd.conf is the original one.
>
> smtp$ sudo cat /etc/rc.conf.local
> httpd_flags=
> pkg_scripts=postfix dovecot saslauthd dbus_daemon avahi_daemon messagebus mysqld php70_fpm
> smtpd_flags=NO
> unbound_flags=
> spamd_flags="-v -G 2:4:864"
> spamd_grey=YES
> spamlogd_flags="-I"
> -
> smtp$ sudo cat /etc/pf.conf
> ext_if = "em0"
> int_if = "fxp0"
> localnet = $int_if:network
> tcp_services = "{ domain, ntp, imap, imaps, pop3, pop3s }"
> mail_services = "{ smtp, smtps, submission }"
> udp_services = "{ domain, ntp }"
> icmp_types = "echoreq"
>
> table { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
>         172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
>         192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
>         203.0.113.0/24 }
>
> table persist
> table persist file "/etc/abusers"
> table persist
> table persist file "/etc/mail/nospamd"
>
> set block-policy drop
> set loginterface egress
> set skip on lo0
>
> match in all scrub (no-df random-id max-mss 1440)
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
>
> antispoof quick for { egress $ext_if int_if }
>
> block in quick on egress from to any
> block return out quick on egress from any to
>
> block in quick log on egress from to any label "abusers"
>
> block all
> pass out quick inet
>
> pass in on egress inet proto tcp from any to any port smtp \
>         divert-to 127.0.0.1 port spamd
> pass in on egress proto tcp from to any port smtp
> pass in log on egress proto tcp from to any port smtp
> pass out log on egress proto tcp to any port smtp
>
> pass in on { $ext_if } inet
>
> pass log quick proto tcp from any to (egress) port ssh flags S/SA keep state \
>         (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>
> pass log quick proto tcp from any to (egress) port $tcp_services flags S/SA keep state \
>         (max-src-conn 50, max-src-conn-rate 15/5, overload flush global)
>
> pass log quick proto tcp from any to (egress) port $mail_services flags S/SA keep state \
>         (max-src-conn 50, max-src-conn-rate 25/5, overload flush global)
>
> pass in on egress inet proto tcp from any to (egress) port { 80 443 }
>
> pass inet proto tcp from { self, $localnet }
>
> pass quick inet proto tcp to port $tcp_services keep state
> pass quick inet proto tcp to port $mail_services keep state
>
> pass quick inet proto udp to port $udp_services keep state
> pass out on $ext_if inet proto udp to port 33433 >< 33626
> pass inet proto icmp all icmp-type $icmp_types

As far as my knowledge goes, since you say 'pass out quick inet' early on in the ruleset, the other 'pass out' rules don't get a chance to be triggered. Also, quick only makes sense if you put those rules first, not somewhere at the end of your ruleset.

--
Tony
GPG-FP: 913BBD25 8DA503C7 BAE0C0B6 8995E906 4FBAD580
Threema: DN8PJX4Z
XMPP: tb@bsd.services
Different sound sources interfere with each other
Hello,

I use USB headphones on OpenBSD amd64 6.3. They are detected on the system:

uaudio0 at uhub3 port 2 configuration 1 interface 0 "Sennheiser Communications Sennheiser USB headset" rev 1.10/1.00 addr 3
uaudio0: audio rev 1.00, 8 mixer controls
audio1 at uaudio0

I've set up this audio device in accordance with the official FAQ (https://www.openbsd.org/faq/faq13.html#confaudio):

cat /etc/rc.conf.local
"sndiod_flags=-f rsnd/1"

The first problem is: when I listen to music (cmus) and browse the internet (Firefox), cmus sometimes stops playing for a second. This happens when I click a link on a page or receive some notification from the web page (which may play some short sound).

The second problem is: when some audio source is played (online video or some music file), the sound is sometimes distorted or it bursts. To fix this I have to pause and unpause the sound source several times.

What can the problem be? Do I need any additional setup for my audio device?

--
Best regards
Maksim Rodin
Re: SSH segfault when SendEnv is used in .ssh/config
On 10 June 2018 at 17:43, Tom Murphy wrote:
> I upgraded to the June 9th snapshot and noticed ssh segfaults
> when I make connections. After a bit of checking in my .ssh/config,
> I discovered the SendEnv directive is making it segfault. Not sure
> if it has to do with the changes made 2 days ago?

This may have been fixed:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/readconf.c?rev=1.291&content-type=text/x-cvsweb-markup

If not, could you please share the fragment of your config that triggers it?

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
ldapd sync with outside data
Has anyone tried LSC on OpenBSD to synchronize between ldapd and a SQL database such as MariaDB? How well did it [not] work, or do you use something else? https://lsc-project.org/ Thanks, Allan
Re: stuck on spamd
Hello and thank you for your answer.
I've adjusted my settings according to your advice, but now it looks like it just directly whitelists every connection without greylisting.

smtp$ sudo spamdb | sort
WHITE|104.47.1.210|||1528919648|1528919648|1532030048|1|0
WHITE|104.47.6.201|||1528919611|1528919611|1532030011|1|0
WHITE|185.234.216.189|||1528917936|1528917936|1532029991|1|3
WHITE|185.234.216.204|||1528919598|1528919598|1532029998|1|0
WHITE|209.85.213.46|||1528918933|1528918933|1532029333|1|0
WHITE|209.85.213.53|||1528918873|1528918873|1532029273|1|0
WHITE|40.92.67.106|||1528918696|1528918696|1532029096|1|0
WHITE|40.92.68.98|||1528918725|1528918725|1532029125|1|0
WHITE|59.70.207.21|||1528918455|1528918455|1532028855|1|0
WHITE|91.121.119.198|||1528919326|1528919326|1532029726|1|0
WHITE|91.136.10.81|||1528919583|1528919583|1532029983|1|0

This is how my files look now. spamd.conf is the original one.

smtp$ sudo cat /etc/rc.conf.local
httpd_flags=
pkg_scripts=postfix dovecot saslauthd dbus_daemon avahi_daemon messagebus mysqld php70_fpm
smtpd_flags=NO
unbound_flags=
spamd_flags="-v -G 2:4:864"
spamd_grey=YES
spamlogd_flags="-I"
-
smtp$ sudo cat /etc/pf.conf
ext_if = "em0"
int_if = "fxp0"
localnet = $int_if:network
tcp_services = "{ domain, ntp, imap, imaps, pop3, pop3s }"
mail_services = "{ smtp, smtps, submission }"
udp_services = "{ domain, ntp }"
icmp_types = "echoreq"

table { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
        172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
        192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
        203.0.113.0/24 }

table persist
table persist file "/etc/abusers"
table persist
table persist file "/etc/mail/nospamd"

set block-policy drop
set loginterface egress
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)

antispoof quick for { egress $ext_if int_if }

block in quick on egress from to any
block return out quick on egress from any to

block in quick log on egress from to any label "abusers"

block all
pass out quick inet

pass in on egress inet proto tcp from any to any port smtp \
        divert-to 127.0.0.1 port spamd
pass in on egress proto tcp from to any port smtp
pass in log on egress proto tcp from to any port smtp
pass out log on egress proto tcp to any port smtp

pass in on { $ext_if } inet

pass log quick proto tcp from any to (egress) port ssh flags S/SA keep state \
        (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)

pass log quick proto tcp from any to (egress) port $tcp_services flags S/SA keep state \
        (max-src-conn 50, max-src-conn-rate 15/5, overload flush global)

pass log quick proto tcp from any to (egress) port $mail_services flags S/SA keep state \
        (max-src-conn 50, max-src-conn-rate 25/5, overload flush global)

pass in on egress inet proto tcp from any to (egress) port { 80 443 }

pass inet proto tcp from { self, $localnet }

pass quick inet proto tcp to port $tcp_services keep state
pass quick inet proto tcp to port $mail_services keep state

pass quick inet proto udp to port $udp_services keep state
pass out on $ext_if inet proto udp to port 33433 >< 33626
pass inet proto icmp all icmp-type $icmp_types
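The spamdb rows in the post can be checked mechanically against the greylist parameters in spamd_flags="-G 2:4:864". This added Python example (not from the thread) parses spamdb(8)'s type|source-ip|from|to|first|pass|expire|block|pass rows and flags WHITE entries whose pass time is less than passtime after first (no greylist delay was recorded at all, which is how an entry looks when it was inserted straight into the whitelist, for example by spamlogd seeing a logged SMTP connection reach the MTA) or whose expiry does not sit whiteexp after the pass time; the last two sample rows are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

# From spamd_flags="-G 2:4:864": passtime in minutes, greyexp/whiteexp in hours.
PASSTIME_SEC = 2 * 60
WHITEEXP_SEC = 864 * 3600

# First two rows are copied from the spamdb output in the post. The last two
# are constructed: a WHITE entry that really spent 300 s in GREY, and a GREY
# entry that is still waiting for its retry.
SAMPLE = """\
WHITE|104.47.1.210|||1528919648|1528919648|1532030048|1|0
WHITE|185.234.216.189|||1528917936|1528917936|1532029991|1|3
WHITE|198.51.100.7|||1528918000|1528918300|1532028700|1|1
GREY|203.0.113.9|<a@example.org>|<b@example.net>|1528919000|1528919120|1528933400|1|0
"""

@dataclass
class Entry:
    kind: str      # WHITE, GREY, TRAPPED, SPAMTRAP, ...
    ip: str
    first: int     # time the source was first seen
    passed: int    # time the entry passed (or may pass) from GREY to WHITE
    expire: int    # time the entry expires
    bcount: int    # times spamd answered with a temporary failure
    pcount: int    # times a connection was seen passing to the real MTA

def parse_spamdb(text: str) -> list[Entry]:
    """Parse spamdb(8) rows: type|source-ip|from|to|first|pass|expire|block|pass."""
    entries = []
    for line in text.splitlines():
        f = line.strip().split("|")
        if len(f) != 9:
            continue  # skip anything that is not a database row
        entries.append(Entry(f[0], f[1], *map(int, f[4:])))
    return entries

def audit(entries: list[Entry]) -> dict[str, str]:
    """Map each suspicious WHITE ip to a finding; an empty dict means all rows fit -G."""
    findings = {}
    for e in entries:
        if e.kind != "WHITE":
            continue
        delay = e.passed - e.first
        if delay < PASSTIME_SEC:
            findings[e.ip] = f"whitelisted {delay}s after first contact, below passtime {PASSTIME_SEC}s"
        elif e.expire - e.passed != WHITEEXP_SEC:
            findings[e.ip] = f"whiteexp {(e.expire - e.passed) // 3600}h, configured 864h"
    return findings
```

Run `audit(parse_spamdb(open_output))` on a real `spamdb` dump: every host that was greylisted properly shows a delay of at least passtime, so a list where every WHITE row has pass equal to first confirms that connections are reaching the whitelist without ever being greylisted.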
Re: stuck on spamd
Hi Hasse,

I see a few problems:

On Mon, 11 Jun 2018 20:36:12 +0200 Hasse Hansson wrote:
> smtp# cat /etc/rc.conf.local
> ...
> spamlogd_flags="-I -i lo0"

I'd remove the localhost interface then restart spamlogd.

> smtp# cat /etc/pf.conf
> ext_if = "em0"
> ...
>
> pass in log on egress proto tcp from to any port smtp

This line follows spamd's man page, i.e. you log incoming traffic on the egress interface (em0) for spamlogd - correct. But you have configured spamlogd to listen on lo0 in /etc/rc.conf.local - no match.

> ...
> block all

The block rules need to be above the pass rules, otherwise their matched traffic is blocked. Move all the block rules up above the pass rules and reload.

> smtp# cat /etc/mail/spamd.conf
> ...
> :msg="SPAM. All spmmers get reported !

This line is not closed. It needs ":\

Then restart spamd to invoke spamd-setup.

Cheers,
--
Craig Skinner | http://linkd.in/yGqkv7
Re: chromium and firefox - myths and facts?
On Mon, 11 Jun 2018 07:56:50 -0600
> In a browser, there are 2 main security components you want: The main
> security advantage is privsep. The other is W^X jit. Other security
> effects will follow from those design choices, especially if you have
> privsep. For instance, the chrome privsep is nicely refined and
> pledge enforcements could be added.

This is surely of far less interest than the ability to pledge, but perhaps of interest. These are the Windows 10 1803 exploit protection settings that I have found can be enabled without crashing Chrome, then Firefox. There seem to be a few targeted at ROP that Firefox runs with but which break Chrome.