Re: Best pf practices to limit ddos attacks

2018-07-16 Thread Walt
On July 16, 2018 8:14 PM, Ax0n a...@h-i-r.net wrote:
 
> On Mon, Jul 16, 2018, 19:39 Walt neurobot...@protonmail.ch wrote:
> 
> > I'm not sure what would be useful for when we are the target of an attack.  
> > It seems to me that when the attack is going on, our bandwidth is so 
> > saturated that I'm not sure what we can do except to wait it out or to pay 
> > our provider to help mitigate the attack.

> This is pretty much the gist of it. One cannot stop this class of DDoS from 
> the customer's end. There are a variety of solutions involving reverse 
> proxies and big, scalable clusters, but the fact is if the attacker knows 
> your real IP address, they can flood your residential or small business
> connection easily.
 
> > On the other hand, there are steps that we can take to limit any unwitting 
> > participation in an attack from our side.  For example, I have already been 
> > blocking all incoming UDP, TCP, and ICMP packets from the internet that 
> > claim to originate from our IP addresses and all outgoing UDP, TCP, and 
> > ICMP packets to the internet that are not from our IP addresses.

> This is a great start. Most recent attacks rely on either a fleet of many 
> hacked IoT/"Smart" devices to generate a bill of coordinated traffic from 
> thousands or even millions of networks, or they rely on UDP amplification 
> attacks.

I just wish everyone could do this.

> It sounds like you are taking adequate precautions against publicly 
> accessible assets that might get hijacked, so I'll focus on amplification 
> attacks.

> UDP amplification is where an unwitting third party (such as yourself) is 
> hosting a UDP service that is capable of responding back with a much larger 
> payload than that which is sent to it. The simplest and most obvious example 
> is hosting an open, recursive DNS resolver. The attacker spoofs a request for 
> a large record (often a TXT entry) using the IP address of the real victim. 
> Your resolver, in return, recursively fetches and caches the answer, then 
> forwards the rather large response to the victim, which, of course, didn't 
> actually make the request and is not expecting this data. The attacker does 
> this repeatedly, and in tandem with a large corpus of similarly misconfigured 
> services hosted by other unwitting third parties. Now tens of thousands of 
> unsolicited DNS responses per second are exhausting the bandwidth of the 
> victim, and the attackers' real address isn't even involved. Similar attacks 
> have used misconfigured NTP servers.

> Make sure your public, likely-authoritative DNS servers are not publicly 
> recursive for domains you don't control. 
> https://en.m.wikipedia.org/wiki/Split-horizon_DNS

We did this some years ago when it began to be a problem.  It's surprising how 
many probes we get every day by people looking for openly recursive servers.

I am getting older (nearly retirement age but with no intention of retiring) 
and am trying to reduce my workload somewhat.  This includes moving our web 
pages, e-mail, and DNS to outside providers. 

I'm trying to get rid of our e-mail and DNS servers first.  I've already moved 
the DNS for our own domains to a third party provider. All that is left is the 
DNS we host for a customer's domain and I've been trying to get them to move it 
elsewhere, but they are really dragging it out.  I've even offered to move it 
to where I moved our DNS and all they have to do is change the DNS records with 
the registrar, but the customer doesn't seem to be in any big hurry to move it 
elsewhere.

One thing that I'm very curious about is how those behind ddos attacks decide 
which networks to attack.  I know they attack some people for money but most 
seem to be just to cause problems.  Do they just randomly pick a block of 
addresses and attack it or is there some criteria that make them more likely to 
attack?

Walt




Re: Best pf practices to limit ddos attacks

2018-07-16 Thread Ax0n
On Mon, Jul 16, 2018, 19:39 Walt  wrote:

>
> I'm not sure what would be useful for when we are the target of an
> attack.  It seems to me that when the attack is going on, our bandwidth is
> so saturated that I'm not sure what we can do except to wait it out or to
> pay our provider to help mitigate the attack.
>

This is pretty much the gist of it. One cannot stop this class of DDoS from
the customer's end. There are a variety of solutions involving reverse
proxies and big, scalable clusters, but the fact is if the attacker knows
your real IP address, they can flood your residential or small business
connection easily.

> On the other hand, there are steps that we can take to limit any unwitting
> participation in an attack from our side.  For example, I have already been
> blocking all incoming UDP, TCP, and ICMP packets from the internet that
> claim to originate from our IP addresses and all outgoing UDP, TCP, and
> ICMP packets to the internet that are not from our IP addresses.
>

This is a great start. Most recent attacks rely on either a fleet of many
hacked IoT/"Smart" devices to generate a bill of coordinated traffic from
thousands or even millions of networks, or they rely on UDP amplification
attacks.

It sounds like you are taking adequate precautions against publicly
accessible assets that might get hijacked, so I'll focus on amplification
attacks.

UDP amplification is where an unwitting third party (such as yourself) is
hosting a UDP service that is capable of responding back with a much larger
payload than that which is sent to it. The simplest and most obvious
example is hosting an open, recursive DNS resolver. The attacker spoofs a
request for a large record (often a TXT entry) using the IP address of the
real victim. Your resolver, in return, recursively fetches and caches the
answer, then forwards the rather large response to the victim, which, of
course, didn't actually make the request and is not expecting this data.
The attacker does this repeatedly, and in tandem with a large corpus of
similarly misconfigured services hosted by other unwitting third parties.
Now tens of thousands of unsolicited DNS responses per second are
exhausting the bandwidth of the victim, and the attackers' real address
isn't even involved. Similar attacks have used misconfigured NTP servers.

Make sure your public, likely-authoritative DNS servers are not publicly
recursive for domains you don't control.
https://en.m.wikipedia.org/wiki/Split-horizon_DNS

> With the ever increasing sophistication of ddos attacks, is there anything
> else we can do in order to keep anything on our network from being used as
> part of a botnet or in order to reduce the severity of an incoming ddos attack?
>
> Walt
>
>
> Sent with ProtonMail Secure Email.
>
>
>


Best pf practices to limit ddos attacks

2018-07-16 Thread Walt
With the prevalence of ddos attacks today, are there any steps we can take to
limit them?  We've been the subject of a few ddos attacks over the last 15
years lasting anywhere between a couple of hours and several days.  One lasted 
a week or two but was largely broken into two parts -- the first lasting a 
couple of days before disappearing and then showing up again a week later for a 
couple of hours.  The last one lasted about three days nonstop.

I'm not sure what would be useful for when we are the target of an attack.  It 
seems to me that when the attack is going on, our bandwidth is so saturated 
that I'm not sure what we can do except to wait it out or to pay our provider 
to help mitigate the attack.

On the other hand, there are steps that we can take to limit any unwitting 
participation in an attack from our side.  For example, I have already been 
blocking all incoming UDP, TCP, and ICMP packets from the internet that claim 
to originate from our IP addresses and all outgoing UDP, TCP, and ICMP packets 
to the internet that are not from our IP addresses.

With the ever increasing sophistication of ddos attacks, is there anything else
we can do in order to keep anything on our network from being used as part of a
botnet or in order to reduce the severity of an incoming ddos attack?

Walt


Sent with ProtonMail Secure Email.
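As an added illustration (not part of the thread, and not Walt's actual ruleset), here is the anti-spoofing filtering Walt describes, together with a bounded inbound rule for an authoritative name server of the kind Ax0n warns about, written as pf.conf rules. The interface name, the prefixes in the <ours> table and the name-server address are placeholders. Note that pf cannot stop a resolver from recursing; that is a setting of the name server itself (an authoritative-only daemon such as nsd(8) never recurses).

```pf
# Added example: ingress/egress anti-spoofing (BCP 38 style) plus a
# state-bounded rule for a hosted authoritative DNS server.
# Interface, prefixes and the DNS address below are placeholders.

ext_if = "em0"

# Our own public prefixes (placeholder values, RFC 5737 / RFC 3849)
table <ours> const { 192.0.2.0/24, 2001:db8::/48 }

# Authoritative name server we host for a customer's zone (placeholder)
auth_dns = "192.0.2.53"

set skip on lo

# Inbound: a packet arriving from the internet can never legitimately
# carry one of our own source addresses; drop it for every protocol.
block in quick on $ext_if from <ours> to any

# Outbound: nothing may leave with a source address that is not ours,
# so a compromised internal host cannot spoof a third party (e.g. as the
# "victim" address in a reflection attack). Applies to UDP, TCP and ICMP.
block out quick on $ext_if from ! <ours> to any

# Drop packets whose source belongs to the outside interface's own network
# but arrive on the wrong interface.
antispoof quick for $ext_if

# DNS: allow queries to the authoritative server only, and cap the number
# of states a single source may hold so one spoofed-source flood cannot
# exhaust the state table. (UDP has no handshake, so max-src-states is
# the applicable limit here.)
pass in on $ext_if proto { tcp, udp } from any to $auth_dns port 53 \
    keep state (max-src-states 50)
```

Two caveats for anyone adapting this: the `quick` block rules must precede any catch-all `pass`, and if the firewall performs NAT the translated external address has to be covered by <ours>, since outbound filtering in OpenBSD pf sees the post-translation source. Check a draft with `pfctl -nf /etc/pf.conf` before loading it.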




Re: Can I ask a question about PF Here?

2018-07-16 Thread Jordan Geoghegan

On 07/16/18 15:57, Antonino Sidoti wrote:

Hi,

Before I go into too much detail, where is the appropriate place to get help for
PF related problems? I am really stuck and need some assistance in
understanding PF. I can provide diagrams and configuration files too to make it
clearer.

Thanks in advance

Nino


misc is the place for all general OpenBSD enquiries.



Re: Installed current on top of FAT32 flash, Recover old filesystem??

2018-07-16 Thread Nick Holland
On 07/14/18 15:16, Chris Bennett wrote:
> I very carefully and surely tested which flash drive to use and then
> pulled out the wrong one.
> I stopped the install with halt and done nothing else.
> Should I have yanked it, halted it or just said goodbye?
> 
> ddrescue or something else or nothing else?

It depends on when you stopped the install.

If you had just done the disk layout, you could probably create (using
OpenBSD) a FAT32 partition that covered the entire disk (where did your
original start?  you might have to recreate some history on an identical
device here to find out) and see if your data is intact.  It very well
could be.

If you completed the install...uh...you have got a problem.  Still,
there are tools around now that will find, with amazing success,
particular types of files on "overwritten" media, though of course
anything that was actually overwritten is not going to be recovered.

Nick.



Can I ask a question about PF Here?

2018-07-16 Thread Antonino Sidoti
Hi,

Before I go into too much detail, where is the appropriate place to get help for
PF related problems? I am really stuck and need some assistance in
understanding PF. I can provide diagrams and configuration files too to make it
clearer.

Thanks in advance

Nino



Re: Employers, Jobs and OpenBSD

2018-07-16 Thread Diana Eichert

I've been on more than one interview committee, if you put OpenBSD
experience on your resume you would stand out in my eyes.  However
most of my co-workers know very little about anything beside MAC,
Winders or Linux, therefore it wouldn't help with them.

Use OpenBSD because you want to.

diana



Re: Trying to get meta-data configured for cloud-image VMM instances

2018-07-16 Thread Reyk Floeter
https://www.openbsd.org/faq/current.html#r20180613b

I can respond in more details when I’m back online later this week.

Reyk

> Am 16.07.2018 um 20:29 schrieb Ax0n :
> 
> On Mon, Jul 16, 2018 at 4:56 AM, Rickard von Essen <
> rickard.von.es...@gmail.com> wrote:
> 
>> It looks like cloud-init in the VM can't even reach 169.254.169.254. Does
>> it have routing to get there? Is there a fw blocking the calls from the VM
>> to 169.254.169.254?
>> 
> 
> I don't think so. This is my pf.conf (n.b. it's mostly just additional
> stuff so that I can access the permanently-configured VMs through the NAT)
> 
> #   $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
> #
> # See pf.conf(5) and /etc/examples/pf.conf
> ext_if="athn0"
> #ext_if="bge0"
> vmd_if="vether0"
> 
> set skip on lo
> 
> block return		# block stateless traffic
> pass			# establish keep-state
> 
> # By default, do not permit remote connections to X11
> block return in on ! lo0 proto tcp to port 6000:6010
> 
> # vmm setup: outbound nat, inbound port mapping
> match out on $ext_if inet from $vmd_if:network to any nat-to ($ext_if)
> pass in on $ext_if proto tcp from any to any port 2200 rdr-to 10.13.37.200 port 22
> pass in on $ext_if proto tcp from any to any port 2201 rdr-to 10.13.37.201 port 22
> pass in on $ext_if proto tcp from any to any port 2202 rdr-to 10.13.37.202 port 22
> pass in on $ext_if proto tcp from any to any port 2203 rdr-to 10.13.37.203 port 22
> pass in on $ext_if proto tcp from any to any port 2204 rdr-to 10.13.37.204 port 22
> pass in on $ext_if proto tcp from any to any port 8000 rdr-to 10.13.37.200 port 80
> pass in on $ext_if proto tcp from any to any port 8001 rdr-to 10.13.37.201 port 80
> pass in on $ext_if proto tcp from any to any port 8002 rdr-to 10.13.37.202 port 80
> pass in on $ext_if proto tcp from any to any port 8003 rdr-to 10.13.37.203 port 80
> 
> So that you can get a feel for my setup:
> vether0 is static-configured 10.13.37.1 255.255.255.0. dhcpd is bound only
> to vether0 (to assign a mix of reserved and pool IPs to VMM guests) and
> vether0 is added to bridge0 at boot via hostname.bridge0.
> 
> bridge0 is tied to the "local" switch in vm.conf, and that's what all of my
> VMs connect to.
> 
> 
>> On Mon, Jul 16, 2018 at 12:20 PM,  wrote:
>> 
>> 
>> I thought it was:
>> 
>> root "/" strip 1
>> 
>> No curlies and no comma, but I haven't tried it.
>> 
>> 
> httpd doesn't like that syntax, either:
> 
> [axon@transient ~]$ doas httpd -d
> startup
> /etc/httpd.conf:16: syntax error
> logger exiting, pid 63722
> server exiting, pid 24069
> server exiting, pid 34562
> server exiting, pid 69335
> [axon@transient ~]$ cat -n /etc/httpd.conf
> 1  ext_addr="*"
> 2  server "default" {
> 3  root "/htdocs/"
> 4  directory auto index
> 5  listen on $ext_addr port 80
> 6  }
> 7
> 8  # Include MIME types instead of the built-in ones
> 9  types {
>10  include "/usr/share/misc/mime.types"
>11  }
>12
>13  server "meta-data" {
>14  listen on 169.254.169.254 port 80
>15  fastcgi socket "/run/httpd.sock"
>16  root  "/" strip 1
>17  }
>18


Re: Stockholm anoncvs rsync mirror not updating

2018-07-16 Thread Andreas Kusalananda Kähäri
On Mon, Jul 16, 2018 at 12:38:24PM -0700, Bryan Vyhmeister wrote:
> This is probably due to the Hackathon from July 8-13 and that at least
> some developers are probably still traveling. Snapshots are often not
> built for public use during that time from my observation but it is
> unusual for cvs changes to not be fanning out to the mirrors. Perhaps
> some maintenance issue or something else is going on. It is not
> specific to one mirror as far as I can tell from two other Canadian and
> US mirrors using cvsync or rsync for cvs.
>
> Bryan

There was an edit to a rather long and erroneous commit message on
Thursday last week that may have confused something.

Testing again now, it works (it didn't earlier in the afternoon).

Regards,

--
Andreas Kusalananda Kähäri,
National Bioinformatics Infrastructure Sweden (NBIS),
Uppsala University, Sweden.

E-mailing Uppsala University means that we will process your personal data. For
more information on how this is performed, please read here:
http://www.uu.se/om-uu/dataskydd-personuppgifter/



Re: Stockholm anoncvs rsync mirror not updating

2018-07-16 Thread Bryan Vyhmeister
This is probably due to the Hackathon from July 8-13 and that at least
some developers are probably still traveling. Snapshots are often not
built for public use during that time from my observation but it is
unusual for cvs changes to not be fanning out to the mirrors. Perhaps
some maintenance issue or something else is going on. It is not
specific to one mirror as far as I can tell from two other Canadian and
US mirrors using cvsync or rsync for cvs.

Bryan



Re: Trying to get meta-data configured for cloud-image VMM instances

2018-07-16 Thread Ax0n
On Mon, Jul 16, 2018 at 4:56 AM, Rickard von Essen <
rickard.von.es...@gmail.com> wrote:

> It looks like cloud-init in the VM can't even reach 169.254.169.254. Does
> it have routing to get there? Is there a fw blocking the calls from the VM
> to 169.254.169.254?
>

I don't think so. This is my pf.conf (n.b. it's mostly just additional
stuff so that I can access the permanently-configured VMs through the NAT)

#   $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
ext_if="athn0"
#ext_if="bge0"
vmd_if="vether0"

set skip on lo

block return		# block stateless traffic
pass			# establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# vmm setup: outbound nat, inbound port mapping
match out on $ext_if inet from $vmd_if:network to any nat-to ($ext_if)
pass in on $ext_if proto tcp from any to any port 2200 rdr-to 10.13.37.200 port 22
pass in on $ext_if proto tcp from any to any port 2201 rdr-to 10.13.37.201 port 22
pass in on $ext_if proto tcp from any to any port 2202 rdr-to 10.13.37.202 port 22
pass in on $ext_if proto tcp from any to any port 2203 rdr-to 10.13.37.203 port 22
pass in on $ext_if proto tcp from any to any port 2204 rdr-to 10.13.37.204 port 22
pass in on $ext_if proto tcp from any to any port 8000 rdr-to 10.13.37.200 port 80
pass in on $ext_if proto tcp from any to any port 8001 rdr-to 10.13.37.201 port 80
pass in on $ext_if proto tcp from any to any port 8002 rdr-to 10.13.37.202 port 80
pass in on $ext_if proto tcp from any to any port 8003 rdr-to 10.13.37.203 port 80

So that you can get a feel for my setup:
vether0 is static-configured 10.13.37.1 255.255.255.0. dhcpd is bound only
to vether0 (to assign a mix of reserved and pool IPs to VMM guests) and
vether0 is added to bridge0 at boot via hostname.bridge0.

bridge0 is tied to the "local" switch in vm.conf, and that's what all of my
VMs connect to.


On Mon, Jul 16, 2018 at 12:20 PM,  wrote:

>
> I thought it was:
>
> root "/" strip 1
>
> No curlies and no comma, but I haven't tried it.
>
>
httpd doesn't like that syntax, either:

[axon@transient ~]$ doas httpd -d
startup
/etc/httpd.conf:16: syntax error
logger exiting, pid 63722
server exiting, pid 24069
server exiting, pid 34562
server exiting, pid 69335
[axon@transient ~]$ cat -n /etc/httpd.conf
 1  ext_addr="*"
 2  server "default" {
 3  root "/htdocs/"
 4  directory auto index
 5  listen on $ext_addr port 80
 6  }
 7
 8  # Include MIME types instead of the built-in ones
 9  types {
10  include "/usr/share/misc/mime.types"
11  }
12
13  server "meta-data" {
14  listen on 169.254.169.254 port 80
15  fastcgi socket "/run/httpd.sock"
16  root  "/" strip 1
17  }
18


Re: Trying to get meta-data configured for cloud-image VMM instances

2018-07-16 Thread edgar


On Jul 15, 2018 4:52 PM, Ax0n  wrote:
>
> I'm hoping someone on-list has actually gotten this to work and can point
> out where I'm going wrong.
>
> I've been trying for months off and on to get this to work. I have a
> feeling I just don't understand the documentation for meta-data (
> https://github.com/reyk/meta-data ) though I see at least one httpd.conf
> anachronism in the documentation. "Strip" isn't allowed in the "root"
> definition of httpd.conf, so httpd won't even start with this chunk of
> config:
>
> server "meta-data" {
> listen on 169.254.169.254 port 80
> fastcgi socket "/run/httpd.sock"
> root { "/", strip 1 }
> }
>
> I've removed ", strip 1 " from the httpd.conf, so my whole config looks
> like this. N.B. This may be my actual problem, but I don't know how to
> solve it.

I thought it was:

root "/" strip 1

No curlies and no comma, but I haven't tried it.

>
> ext_addr="*"
> server "default" {
>     root "/htdocs/"
>     directory auto index
>     listen on $ext_addr port 80
> }
>
> # Include MIME types instead of the built-in ones
> types {
>     include "/usr/share/misc/mime.types"
> }
>
> server "meta-data" {
>     listen on 169.254.169.254 port 80
>     fastcgi socket "/run/httpd.sock"
>     root { "/" }
> }
>
> I've otherwise installed meta-data as the instructions say, and started it
> with this command-line:
>
> doas kfcgi -r -n 2 -u www -p / -- /usr/local/libexec/meta-data
>
> The meta-data directory structure is as follows:
> [axon@transient ~]$ find /home/vm/meta-data/ -type f
> /home/vm/meta-data/vmmbuntu/instance-id
> /home/vm/meta-data/vmmbuntu/username
> /home/vm/meta-data/vmmbuntu/public-keys/0/openssh-key
>
> Where instance-id contains "vm1", username contains "puffy" and the
> openssh-key is the public key for this laptop I'm running on.
>
> I downloaded xenial-server-cloudimg-amd64-disk1.img and converted it to raw
> with the qemu-img utility. I also made a 10GB image that I intended to
> install some stuff permanently to (ubuntu.img)
>
> I then started the vm like this:
>
> doas vmctl start vmmubuntu -d xenial-server-cloudimg-amd64-disk1.raw -d
> ubuntu.img -n local -m 2G -c
> Connected to /dev/ttyp2 (speed 115200)
> SeaBIOS (version 1.11.0p0-OpenBSD-vmm)
>
>
>    [    0.00] Initializing
> cgroup subsys cpuset
> [    0.00] Initializing cgroup subsys cpu
> [    0.00] Initializing cgroup subsys cpuacct
> [    0.00] Linux version 4.4.0-130-generic (buildd@lgw01-amd64-039)
> (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) ) #156-Ubuntu
> SMP Thu Jun 14 08:53:28 UTC 2018 (Ubuntu 4.4.0-130.156-generic 4.4.134)
> [    0.00] Command line: BOOT_IMAGE=/boot/vmlinuz-4.4.0-130-generic
> root=LABEL=cloudimg-rootfs ro console=tty1 console=ttyS0
> [    0.00] KERNEL supported cpus:
> [    0.00]   Intel GenuineIntel
> [    0.00]   AMD AuthenticAMD
> [    0.00]   Centaur CentaurHauls
> [    0.00] Disabled fast string operations
> [    0.00] x86/fpu: Legacy x87 FPU detected.
> [    0.00] x86/fpu: Using 'eager' FPU context switches.
> [    0.00] e820: BIOS-provided physical RAM map:
> [    0.00] BIOS-e820: [mem 0x-0x0009f7ff] usable
> [    0.00] BIOS-e820: [mem 0x0009f800-0x0009]
> reserved
> [    0.00] BIOS-e820: [mem 0x000f-0x000f]
> reserved
> [    0.00] BIOS-e820: [mem 0x0010-0x7fffbfff] usable
> [    0.00] BIOS-e820: [mem 0x7fffc000-0x7fff]
> reserved
> [    0.00] BIOS-e820: [mem 0xfffc-0x]
> reserved
> [    0.00] NX (Execute Disable) protection: active
> [    0.00] SMBIOS 2.4 present.
> [    0.00] e820: last_pfn = 0x7fffc max_arch_pfn = 0x4
> [    0.00] MTRR: Disabled
> [    0.00] x86/PAT: MTRRs disabled, skipping PAT initialization too.
> [    0.00] x86/PAT: Configuration [0-7]: WB  WT  UC- UC  WB  WT  UC-
> UC
> [    0.00] Scanning 1 areas for low memory corruption
> [    0.00] RAMDISK: [mem 0x36aa4000-0x37549fff]
> [    0.00] ACPI: Early table checksum verification disabled
> [    0.00] ACPI BIOS Error (bug): A valid RSDP was not found
> (20150930/tbxfroot-243)
> [    0.00] No NUMA configuration found
> [    0.00] Faking a node at [mem 0x-0x7fffbfff]
> [    0.00] NODE_DATA(0) allocated [mem 0x7fff7000-0x7fffbfff]
> [    0.00] Zone ranges:
> [    0.00]   DMA  [mem 0x1000-0x00ff]
> [    0.00]   DMA32    [mem 0x0100-0x7fffbfff]
> [    0.00]   Normal   empty
> [    0.00]   Device   empty
> [    0.00] Movable zone start for each node
> [    0.00] Early memory node ranges
> [    0.00]   node   0: [mem 0x1000-0x0009efff]
> [    0.00]   node   0: [mem 0x0010-0x7fffbfff]
> [    0.00] 

Re: newaliases vs makemap

2018-07-16 Thread Scott Vanderbilt

On 7/16/2018 9:15 AM, Todd C. Miller wrote:


On Mon, 16 Jul 2018 09:11:50 -0700, Scott Vanderbilt wrote:


BTW, newaliases seg faults for me with latest couple of snapshots
(amd64). No message other than "segmentation fault". Just submitted a PR
with sendbug.


Already fixed in -current by:

CVSROOT:	/cvs
Module name:	src
Changes by:	morti...@cvs.openbsd.org	2018/07/02 19:34:43

Modified files:
 usr.sbin/smtpd : config.c makemap.c
 usr.sbin/smtpd/smtpctl: Makefile

Log message:
unbreak newaliases.
ok millert@


Ach! I thought I was running a more recent snapshot on my mail server. 
It was in fact:


OpenBSD 6.3-current (GENERIC.MP) #80: Sun Jul  1 12:22:16 MDT 2018

Thank you.




Re: newaliases vs makemap

2018-07-16 Thread Todd C. Miller
On Mon, 16 Jul 2018 09:11:50 -0700, Scott Vanderbilt wrote:

> BTW, newaliases seg faults for me with latest couple of snapshots 
> (amd64). No message other than "segmentation fault". Just submitted a PR 
> with sendbug.

Already fixed in -current by:

CVSROOT:	/cvs
Module name:	src
Changes by:	morti...@cvs.openbsd.org	2018/07/02 19:34:43

Modified files:
usr.sbin/smtpd : config.c makemap.c
usr.sbin/smtpd/smtpctl: Makefile

Log message:
unbreak newaliases.
ok millert@



Re: newaliases vs makemap

2018-07-16 Thread Scott Vanderbilt

On 7/16/2018 8:32 AM, Todd C. Miller wrote:


On Sun, 15 Jul 2018 17:59:58 -0700, Scott Vanderbilt wrote:


In /etc/mail/aliases, there is the following note:

#   >>The program "newaliases" must be run after
#   >> NOTE >>  this file is updated for any changes to
#   >>show through to smtpd.


That is correct.


Yet the man page for newaliases(8) says:

Note: this utility is provided for sendmail compatibility. The
preferred way of rebuilding the database is with makemap(8).


This is bad advice that should be removed.  It is only true if
using db files for aliases.  When using a flat file for aliases,
you should use newaliases, which will notify smtpd that the file
has changed.


Taking the note in the man page at face value, I would expect that the
note in /etc/mail/aliases is now out-of-date, is it not? Or am I
overlooking something?


It is the other way around.


Thanks for your explanation, Todd.

BTW, newaliases seg faults for me with latest couple of snapshots 
(amd64). No message other than "segmentation fault". Just submitted a PR 
with sendbug.





Re: newaliases vs makemap

2018-07-16 Thread Todd C. Miller
On Sun, 15 Jul 2018 17:59:58 -0700, Scott Vanderbilt wrote:

> In /etc/mail/aliases, there is the following note:
>
> # >>  The program "newaliases" must be run after
> # >> NOTE >>  this file is updated for any changes to
> # >>  show through to smtpd.

That is correct.

> Yet the man page for newaliases(8) says:
>
> Note: this utility is provided for sendmail compatibility. The
> preferred way of rebuilding the database is with makemap(8).

This is bad advice that should be removed.  It is only true if
using db files for aliases.  When using a flat file for aliases,
you should use newaliases, which will notify smtpd that the file
has changed.

> Taking the note in the man page at face value, I would expect that the 
> note in /etc/mail/aliases is now out-of-date, is it not? Or am I 
> overlooking something?

It is the other way around.

 - todd



Re: Employers, Jobs and OpenBSD

2018-07-16 Thread Marko Cupać
On Fri, 13 Jul 2018 23:05:09 -0300
Man Hobby  wrote:

> What is the opinion of employers about OpenBSD?
> There is reason for to learn use OpenBSD to find job?
> If not, why?
> If there is not reason for to learn use OpenBSD to find job, why use
> OpenBSD?

There are employers and employers, as for mine I think their opinion
goes somewhere along the lines of "This is great, both technically and
financially wise, but I'd like to have more than one local guy who knows
how to run this stuff".

Hack with OpenBSD if you like it, and hopefully one day you will be
able to get some money from it.

Regards,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: newaliases vs makemap

2018-07-16 Thread Scott Vanderbilt

On 7/16/2018 3:01 AM, Benjamin Baier wrote:

On Sun, 15 Jul 2018 19:54:12 -0700
Joshua Taylor Eppinette  wrote:


On Sun, Jul 15, 2018 at 05:59:58PM -0700, Scott Vanderbilt wrote:

In /etc/mail/aliases, there is the following note:

#   >>The program "newaliases" must be run after
#   >> NOTE >>  this file is updated for any changes to
#   >>show through to smtpd.


I found this note confusing, because I was able to make changes and see them
reflected without running newaliases(8). However, I believe this is because
you only need to run newaliases(8)/makemap(8) if you are using a db table.


True. 2 years ago smtpd defaults switched from db to file based tables.

Because of backwards compatibility: newaliases(8), makemap(8), sendmail(8)
and mailq(8) are all symlinks to mailwrapper(8), which then runs smtpctl(8).



That all makes sense, but my original point was that the note in 
aliases(5) is incorrect/misleading. It should be struck or modified. I 
would submit a diff myself if I were more confident about what it should 
say. Barring that, who should be notified/asked? The OpenSMTPD devs? 
Someone else?





Re: Trying to get meta-data configured for cloud-image VMM instances

2018-07-16 Thread Rickard von Essen
It looks like cloud-init in the VM can't even reach 169.254.169.254. Does
it have routing to get there? Is there a fw blocking the calls from the VM
to 169.254.169.254?

On Mon, 16 Jul 2018 at 03:11, Ax0n  wrote:

> I'm hoping someone on-list has actually gotten this to work and can point
> out where I'm going wrong.
>
> I've been trying for months off and on to get this to work. I have a
> feeling I just don't understand the documentation for meta-data (
> https://github.com/reyk/meta-data ) though I see at least one httpd.conf
> anachronism in the documentation. "Strip" isn't allowed in the "root"
> definition of httpd.conf, so httpd won't even start with this chunk of
> config:
>
> server "meta-data" {
> listen on 169.254.169.254 port 80
> fastcgi socket "/run/httpd.sock"
> root { "/", strip 1 }
> }
>
> I've removed ", strip 1 " from the httpd.conf, so my whole config looks
> like this. N.B. This may be my actual problem, but I don't know how to
> solve it.
>
> ext_addr="*"
> server "default" {
> root "/htdocs/"
> directory auto index
> listen on $ext_addr port 80
> }
>
> # Include MIME types instead of the built-in ones
> types {
> include "/usr/share/misc/mime.types"
> }
>
> server "meta-data" {
> listen on 169.254.169.254 port 80
> fastcgi socket "/run/httpd.sock"
> root { "/" }
> }
>
> I've otherwise installed meta-data as the instructions say, and started it
> with this command-line:
>
> doas kfcgi -r -n 2 -u www -p / -- /usr/local/libexec/meta-data
>
> The meta-data directory structure is as follows:
> [axon@transient ~]$ find /home/vm/meta-data/ -type f
> /home/vm/meta-data/vmmbuntu/instance-id
> /home/vm/meta-data/vmmbuntu/username
> /home/vm/meta-data/vmmbuntu/public-keys/0/openssh-key
>
> Where instance-id contains "vm1", username contains "puffy" and the
> openssh-key is the public key for this laptop I'm running on.
>
> I downloaded xenial-server-cloudimg-amd64-disk1.img and converted it to raw
> with the qemu-img utility. I also made a 10GB image that I intended to
> install some stuff permanently to (ubuntu.img)
>
> I then started the vm like this:
>
> doas vmctl start vmmubuntu -d xenial-server-cloudimg-amd64-disk1.raw -d
> ubuntu.img -n local -m 2G -c
> Connected to /dev/ttyp2 (speed 115200)
> SeaBIOS (version 1.11.0p0-OpenBSD-vmm)
>
>
>[0.00] Initializing
> cgroup subsys cpuset
> [0.00] Initializing cgroup subsys cpu
> [0.00] Initializing cgroup subsys cpuacct
> [0.00] Linux version 4.4.0-130-generic (buildd@lgw01-amd64-039)
> (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) ) #156-Ubuntu
> SMP Thu Jun 14 08:53:28 UTC 2018 (Ubuntu 4.4.0-130.156-generic 4.4.134)
> [0.00] Command line: BOOT_IMAGE=/boot/vmlinuz-4.4.0-130-generic
> root=LABEL=cloudimg-rootfs ro console=tty1 console=ttyS0
> [0.00] KERNEL supported cpus:
> [0.00]   Intel GenuineIntel
> [0.00]   AMD AuthenticAMD
> [0.00]   Centaur CentaurHauls
> [0.00] Disabled fast string operations
> [0.00] x86/fpu: Legacy x87 FPU detected.
> [0.00] x86/fpu: Using 'eager' FPU context switches.
> [0.00] e820: BIOS-provided physical RAM map:
> [0.00] BIOS-e820: [mem 0x-0x0009f7ff]
> usable
> [0.00] BIOS-e820: [mem 0x0009f800-0x0009]
> reserved
> [0.00] BIOS-e820: [mem 0x000f-0x000f]
> reserved
> [0.00] BIOS-e820: [mem 0x0010-0x7fffbfff]
> usable
> [0.00] BIOS-e820: [mem 0x7fffc000-0x7fff]
> reserved
> [0.00] BIOS-e820: [mem 0xfffc-0x]
> reserved
> [0.00] NX (Execute Disable) protection: active
> [0.00] SMBIOS 2.4 present.
> [0.00] e820: last_pfn = 0x7fffc max_arch_pfn = 0x4
> [0.00] MTRR: Disabled
> [0.00] x86/PAT: MTRRs disabled, skipping PAT initialization too.
> [0.00] x86/PAT: Configuration [0-7]: WB  WT  UC- UC  WB  WT  UC-
> UC
> [0.00] Scanning 1 areas for low memory corruption
> [0.00] RAMDISK: [mem 0x36aa4000-0x37549fff]
> [0.00] ACPI: Early table checksum verification disabled
> [0.00] ACPI BIOS Error (bug): A valid RSDP was not found
> (20150930/tbxfroot-243)
> [0.00] No NUMA configuration found
> [0.00] Faking a node at [mem 0x-0x7fffbfff]
> [0.00] NODE_DATA(0) allocated [mem 0x7fff7000-0x7fffbfff]
> [0.00] Zone ranges:
> [0.00]   DMA  [mem 0x1000-0x00ff]
> [0.00]   DMA32[mem 0x0100-0x7fffbfff]
> [0.00]   Normal   empty
> [0.00]   Device   empty
> [0.00] Movable zone start for each node
> [0.00] Early memory node ranges
> [0.00]   node   0: [mem 0x1000-0x0009efff]
> [  

Re: linux under vm on openbsd tutorial

2018-07-16 Thread Rudolf Sykora
On 16 July 2018 at 14:01, Oliver Marugg  wrote:
> Did you enable VT/Extended Mem64 Technology and Execute Disable Bit support
> in BIOS?

This helped.
I found some items in BIOS pertaining to virtualization, enabled them,
and vmd now runs.

Thanks
Ruda



Re: linux under vm on openbsd tutorial

2018-07-16 Thread Oliver Marugg

Hi

Did you enable VT/Extended Mem64 Technology and Execute Disable Bit 
support in BIOS?


-oliver



Re: linux under vm on openbsd tutorial

2018-07-16 Thread Rudolf Sykora
OpenBSD 6.3 (GENERIC.MP) #4: Sun Jun 17 11:22:20 CEST 2018
r...@syspatch-63-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 17044406272 (16254MB)
avail mem = 16520765440 (15755MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xeceb0 (84 entries)
bios0: vendor Dell Inc. version "A21" date 09/21/2015
bios0: Dell Inc. OptiPlex 9010
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT TCPA MCFG HPET SSDT SSDT SSDT ASF! SSDT SLIC
acpi0: wakeup devices UAR1(S3) P0P1(S4) USB1(S3) USB2(S3) USB3(S3)
USB4(S3) USB5(S3) USB6(S3) USB7(S3) PXSX(S4) RP01(S4) PXSX(S4)
RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz, 3392.91 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,IBRS,IBPB,STIBP,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
acpitimer0: recalibrated TSC frequency 3392316555 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz, 3392.30 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,IBRS,IBPB,STIBP,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz, 3392.30 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,IBRS,IBPB,STIBP,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz, 3392.30 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,IBRS,IBPB,STIBP,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 0, core 3, package 0
cpu4 at mainbus0: apid 1 (application processor)
cpu4: Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz, 3392.30 MHz
cpu4: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,IBRS,IBPB,STIBP,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu4: 256KB 64b/line 8-way L2 cache
cpu4: smt 1, core 0, package 0
cpu5 at mainbus0: apid 3 (application processor)
cpu5: Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz, 3392.30 MHz
cpu5: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,IBRS,IBPB,STIBP,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu5: 256KB 64b/line 8-way L2 cache
cpu5: smt 1, core 1, package 0
cpu6 at mainbus0: apid 5 (application processor)
cpu6: Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz, 3392.30 MHz
cpu6: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,IBRS,IBPB,STIBP,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu6: 256KB 64b/line 8-way L2 cache
cpu6: smt 1, core 2, package 0
cpu7 at mainbus0: apid 7 (application processor)
cpu7: Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz, 3392.30 MHz
cpu7: 

Re: linux under vm on openbsd tutorial

2018-07-16 Thread Ax0n
On Mon, Jul 16, 2018 at 6:24 AM, Ax0n  wrote:

> I created that article. My guess is your hardware doesn't support VMX/EPT.
>
> Please post the full output of dmesg.
>

Also, try, as root, running vmd in verbose debug mode, e.g.

doas vmd -dvvv

And then post the output of that as well.
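A small triage helper for the dmesg Ax0n asks for, added here as an example and not code from the thread or from vmd(8): it reports whether the CPU flags advertise VMX (Intel) or SVM (AMD) and whether vmm(4) attached as "vmm0 at mainbus0". The dmesg samples it runs on are constructed and abridged; the regexes and exit codes are the example's own convention.

```shell
#!/bin/sh
# Added example (not from the thread): read dmesg text on stdin and report the two
# things vmd(8) depends on: a VMX/SVM flag in the cpu0 flag list and a line for the
# vmm(4) driver attaching. Exit status: 0 = vmm0 attached; 1 = no VMX/SVM flag at
# all; 2 = flag present but no vmm0 line (BIOS virtualization setting off, no
# EPT/RVI, or the pasted dmesg was cut off before the line).
vmm_check() {
    text=$(cat)
    flag=none
    # The flag list is comma separated; mail clients may wrap it onto its own line,
    # so match the token by its separators rather than by the "cpu0:" prefix.
    if printf '%s\n' "$text" | grep -Eq '(^|,)VMX(,|$)'; then
        flag=VMX
    elif printf '%s\n' "$text" | grep -Eq '(^|,)SVM(,|$)'; then
        flag=SVM
    fi
    if printf '%s\n' "$text" | grep -q '^vmm0 at mainbus0'; then
        echo "ok: $flag advertised and vmm0 attached"
        return 0
    fi
    if [ "$flag" = none ]; then
        echo "fail: no VMX/SVM in cpu flags; this CPU does not advertise virtualization"
        return 1
    fi
    echo "warn: $flag advertised but no vmm0 line; check the BIOS VT setting, EPT/RVI support, or post the full dmesg"
    return 2
}

# Constructed, abridged samples for running the check offline (not real hosts).
SAMPLE_OK='cpu0 at mainbus0: apid 0 (boot processor)
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,VMX,SMX,EST,SSSE3,NXE,LONG
vmm0 at mainbus0: VMX/EPT'
SAMPLE_NOVT='cpu0 at mainbus0: apid 0 (boot processor)
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SMX,EST,SSSE3,NXE,LONG'
SAMPLE_TRUNC='cpu0 at mainbus0: apid 0 (boot processor)
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,VMX,SMX,EST,SSSE3,NXE,LONG'

# Demo runs; on a real box use: dmesg | vmm_check
printf '%s\n' "$SAMPLE_OK" | vmm_check
printf '%s\n' "$SAMPLE_NOVT" | vmm_check
printf '%s\n' "$SAMPLE_TRUNC" | vmm_check
```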


Re: linux under vm on openbsd tutorial

2018-07-16 Thread Ax0n
I created that article. My guess is your hardware doesn't support VMX/EPT.

Please post the full output of dmesg.

On Jul 16, 2018 05:26, "Rudolf Sykora"  wrote:

Hello,

please, is there some good (easy to follow, up to date)
tutorial about how to set up a linux distribution
under virtual machine on OpenBSD?

[
I found eg

http://www.h-i-r.net/2017/04/openbsd-vmm-hypervisor-part-2.html

but as soon as I issue
rcctl start vmd
I get 'failed'
]

Thanks
Ruda


linux under vm on openbsd tutorial

2018-07-16 Thread Rudolf Sykora
Hello,

please, is there some good (easy to follow, up to date)
tutorial about how to set up a linux distribution
under virtual machine on OpenBSD?

[
I found eg

http://www.h-i-r.net/2017/04/openbsd-vmm-hypervisor-part-2.html

but as soon as I issue
rcctl start vmd
I get 'failed'
]

Thanks
Ruda



Re: newaliases vs makemap

2018-07-16 Thread Benjamin Baier
On Sun, 15 Jul 2018 19:54:12 -0700
Joshua Taylor Eppinette  wrote:

> On Sun, Jul 15, 2018 at 05:59:58PM -0700, Scott Vanderbilt wrote:
> >In /etc/mail/aliases, there is the following note:
> >
> >#>>  The program "newaliases" must be run after
> >#>> NOTE >>  this file is updated for any changes to
> >#>>  show through to smtpd.  
> 
> I found this note confusing, because I was able to make changes and see them 
> reflected without running newaliases(8). However, I believe this is because 
> you only need to run newaliases(8)/makemap(8) if you are using a db table.

True. Two years ago smtpd's defaults switched from db- to file-based tables.

For backwards compatibility, newaliases(8), makemap(8), sendmail(8)
and mailq(8) are all symlinks to mailwrapper(8), which then runs smtpctl(8).
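A way to check which case applies on a given host, added as an example rather than code from the thread: it parses smtpd.conf(5) text and, for every table referenced by an "alias <name>" clause, says whether it is file-backed (smtpd reads the file directly, so edits show through without newaliases) or db-backed (newaliases/makemap must rebuild the .db). The configs it runs on are constructed; treating a table with no "type:" prefix as a file table is the example's assumption.

```shell
#!/bin/sh
# Added example (not from the thread): report the backend of each aliases table in
# smtpd.conf(5) text read from stdin. Assumes the "table <name> [type:]<path>" syntax;
# a missing type is treated as "file" (assumption), a "{ ... }" body as "static".
aliases_backend() {
    awk '
        /^[ \t]*#/ { next }                            # skip comment lines
        $1 == "table" && NF >= 3 {
            if ($3 ~ /^\{/) backend[$2] = "static"
            else { n = split($3, p, ":"); backend[$2] = (n >= 2) ? p[1] : "file" }
        }
        {
            # "action ... alias <name>" names the table smtpd expands aliases from
            for (i = 1; i < NF; i++)
                if ($i == "alias") { t = $(i + 1); gsub(/[<>]/, "", t); used[t] = 1 }
        }
        END {
            for (t in used) {
                b = (t in backend) ? backend[t] : "unknown"
                if (b == "db")        v = "run newaliases/makemap after editing"
                else if (b == "file") v = "edits take effect without newaliases"
                else                  v = "not a file or db table"
                print t, b, v
            }
        }'
}

# Constructed configs, not from any real host.
CONF_FILE='table aliases file:/etc/mail/aliases
listen on lo0
action "local_mail" mbox alias <aliases>
match for local action "local_mail"'
CONF_DB='table aliases db:/etc/mail/aliases.db
action "local_mail" mbox alias <aliases>'

# Demo runs; on a real box use: aliases_backend < /etc/mail/smtpd.conf
printf '%s\n' "$CONF_FILE" | aliases_backend
printf '%s\n' "$CONF_DB" | aliases_backend
```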



Re: Kaby Lake software rendering on Intel NUC

2018-07-16 Thread Frank Groeneveld
On Fri, Jul 13, 2018, at 16:51, Frank Groeneveld wrote:
> After sending the email I noticed the first line in the Xorg log 
> (machdep.aperture=1) and that also doesn't seem to fix the software 
> rendering.

Anybody have an idea?

Thanks in advance.

Frank



Re: Julia on OpenBSD?

2018-07-16 Thread Rudolf Sykora
Dear Ze,

On 13 July 2018 at 11:24, Zé Loff  wrote:
> If absolute top-notch performance isn't a concern I'd say it's much, much
> quicker and easier to set up a VM with some barebones linux

ok, thanks for the recommendation. I will probably try it (also for
other software: TeXmacs, J, pressure sensitivity of Wacom Intuos3)

> 
> As a side note, I (a statistician) was once contracted to aid a research
> project that needed to use some Julia code created by a third party.
> Julia was (still is?) very much a moving target back then, the code
> wasn't maintained and didn't work anymore.  I tried to make it work
> again and ended up rewriting the whole thing in C++.  At least C++ is
> stable (code-wise), is fast, runs everywhere and there are bindings to
> interface it with other langs.
> 

Well, this should become better when Julia is >1.0, no?

Thanks
Ruda



Re: Employers, Jobs and OpenBSD

2018-07-16 Thread Siju George
On Mon, Jul 16, 2018 at 12:58 PM Steve Litt 
wrote:

> On Fri, 13 Jul 2018 23:05:09 -0300
> >
> > If there is no reason to learn to use OpenBSD to find a job, why use
> > OpenBSD?
>

I did not learn it to get a job. I used it in my job instead to get a
better network firewall than the M S Windows/Linux/FreeBSD variants. The
reasons for using OpenBSD can be gleaned from the OS website.

--Siju


Re: Employers, Jobs and OpenBSD

2018-07-16 Thread Steve Litt
On Fri, 13 Jul 2018 23:05:09 -0300
Man Hobby  wrote:

> Hi,
> 
> What is the opinion of employers about OpenBSD?
> 
> Is there a reason to learn to use OpenBSD to find a job?
> 
> If not, why?
> 
> If there is no reason to learn to use OpenBSD to find a job, why use
> OpenBSD?

One reason is so that if the corporate powers succeed in making
GNU/Linux into systemd/linux, I have a place to go for a simple, DIY OS
I can bend to my workflow instead of bending my workflow to
Poettering's vision.

SteveT

Steve Litt
Author: The Key to Everyday Excellence
http://www.troubleshooters.com/key
Twitter: http://www.twitter.com/stevelitt