Re: TCP wrapper alternative?

2019-07-09 Thread Peter N. M. Hansteen
On Tue, Jul 09, 2019 at 01:18:36PM -0700, Thomas Smith wrote:
> 
> >> I'm considering an option to evaluate connecting IPs before they're 
> >> evaluated by `pf` in order to make some decisions about the "reputation" 
> >> of a connecting IP. Then if that reputation is low enough, some action 
> >> could either be taken: in `pf` to protect the associated application (say 
> >> by blocking the connection); or in the app responsible for the listening 
> >> port.
> > 
> > How about having your IP reputation system dump its data (which comes down 
> > to IP addresses and ranges plus associated rating) to something parseable 
> > that could then be loaded into whatever number of tables you need, to be 
> > used in your PF rules?
> > 
> > I imagine it wouldn’t be all that hard, depending on the degree of 
> > clunkiness of the reputation data export mainly, have the data refresh 
> > (data export, table reload) run from a cron job however often it seems 
> > useful.
> 
> I'm actually already doing something similar to this--loading tables 
> periodically. And this works reasonably well. 
> 
> The problem is that this isn't real time--there's always a delay between 
> updates, leaving an opportunity for 'bad' traffic to traverse the firewall. 
> 
> I'm trying to work out a solution that's more real time than this--it actually 
> does make a difference.
> 
> There are times when a new IP is added or removed from the reputation 
> system but those changes aren't updated locally for a period of time, so 
> traffic flow within that window may not be correct (blocking good traffic or 
> not blocking bad traffic). 

There will always be a strictly nonzero lag and a strictly nonzero error rate. 

You know your particular application and data sources better than I do of 
course, but I have anecdotal evidence that I might come around to writing up 
that changes in IP reputation in some systems at least could take about a week 
to actually propagate.

It really comes down to how completely you can trust your data sources on data 
quality and update rate.

It is possible to write OpenBSD applications that manipulate the contents of 
tables (dhcpd and bgpd come to mind). A daemon that monitors changes in your IP 
reputation data could conceivably add or remove table entries based on those 
changes immediately after receiving the changes. It would take a bit of coding, 
but grabbing the relevant bits from existing daemons should get you at least 
part of the way there.

Failing that, the dump-to-file, update table contents could easily be done by a 
tiny shell script run from a frequently run cron job.

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
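The "dump to file, reload the table from cron" approach Peter sketches, written out as an added example (not code from Peter, Thomas or any project named in the thread). The export format (one `address,score` row per line, lower score meaning worse reputation), the table name `badrep`, the threshold and the file paths are assumptions; the only real tool invoked is `pfctl -t <table> -T replace -f <file>`, which swaps the table contents in one call so there is no window with an empty table.

```python
"""Reputation export -> pf table file -> one pfctl reload (cron job body).

Added example; the export format, table name, threshold and paths are
assumptions. Expected pf.conf counterpart (assumed):
    table <badrep> persist file "/etc/pf.badrep.txt"
"""
import ipaddress
import os
import subprocess

THRESHOLD = 20                     # entries rated at or below this get blocked
TABLE = "badrep"                   # assumed pf table name
TABLE_FILE = "/etc/pf.badrep.txt"  # assumed table file referenced from pf.conf


def select_bad_hosts(export_text, threshold=THRESHOLD):
    """Return sorted, de-duplicated addresses/networks rated <= threshold.

    Malformed rows (bad address, non-integer score) are skipped instead of
    being passed to pfctl, where one bad line would abort the whole reload.
    """
    selected = set()
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) < 2:
            continue
        try:
            net = ipaddress.ip_network(parts[0].strip(), strict=False)
            score = int(parts[1].strip())
        except ValueError:
            continue
        if score <= threshold:
            selected.add(net)
    ordered = sorted(selected, key=lambda n: (n.version, n))
    # single hosts are written bare (no /32 or /128), the way pf shows them
    return [str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
            for n in ordered]


def write_atomically(path, lines):
    """Write via rename so pf never reads a half-written table file."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write("\n".join(lines) + ("\n" if lines else ""))
    os.replace(tmp, path)


def reload_table(export_path, table_file=TABLE_FILE, table=TABLE):
    """Cron entry point: read the export, rewrite the file, replace the table."""
    with open(export_path) as f:
        hosts = select_bad_hosts(f.read())
    write_atomically(table_file, hosts)
    # -T replace swaps the kernel table contents in a single step
    subprocess.run(["pfctl", "-t", table, "-T", "replace", "-f", table_file],
                   check=True)
    return len(hosts)


# Constructed sample export, not real reputation data.
SAMPLE_EXPORT = """\
# address,score
192.0.2.10,5
192.0.2.0/24,35
198.51.100.7,20
203.0.113.0/25,-3
2001:db8::1,10
not-an-address,1
"""

if __name__ == "__main__":
    print("\n".join(select_bad_hosts(SAMPLE_EXPORT)))
```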



Re: 4GB RAM too little for Firefox?

2019-07-09 Thread Marc Espie
On Tue, Jul 09, 2019 at 11:16:24PM +0200, ropers wrote:
> On 09/07/2019, Stuart Henderson  wrote:
> > The lsof port didn't display filenames. That information is not
> > available on OpenBSD (and is not trustworthy on other OS either;
> > files could have been moved/replaced since opening).
> 
> Interesting. Thanks.
> Is the (un)availability of filename info a feature of the filesystem
> (ext2/3/etc vs FFS) or of the OS?
> Are there security implications to this info being available/unavailable?

This information is actually meaningless, on *any* Unix-like OS.

You've got data on the disk. That data is accessible through a file
descriptor. That file descriptor may or may not correspond to a file name.

The following is perfectly okay in unix:

fd = open("/tmp/myfile", O_RDWR|O_CREAT|O_TRUNC, 0666);
unlink("/tmp/myfile");

there. You've got a fd with no name attached to it.

similarly:
fd = open("/tmp/myfile", O_RDWR|O_CREAT|O_TRUNC, 0666);
rename("/tmp/myfile", "/tmp/myfile2");

there.  What's the fd name ?

or
fd = open("/tmp/myfile", O_RDWR|O_CREAT|O_TRUNC, 0666);
link("/tmp/myfile", "/tmp/myfile2");

do you return myfile or myfile2 ?

you could keep some correspondence between fds and file names, but it
might get out of date, or be meaningless.

You've got this one feature: fstat(2) will give you
 dev_t  st_dev;    /* inode's device */
 ino_t  st_ino;    /* inode's number */
from which you could walk the device and retrieve things
(and actually it's very useful to uniquely identify files on a system)

And also, there's no guarantee that what information you determine will
be valid for any amount of time, as files may be renamed.

Guess what ? This is exactly the info fstat(1) displays. And not more,
with the exact same caveats in its manpage, though in terser fashion.
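The three sequences Marc walks through (open then unlink, open then rename, open then link), run as an added Python example that is not code from the post, with fstat(2) used afterwards to see what the descriptor actually refers to. The file names under a temporary directory are constructed; os.open takes the same flags as the open(2) calls above.

```python
"""A descriptor refers to an inode, not to a name. Added example."""
import os
import tempfile

FLAGS = os.O_RDWR | os.O_CREAT | os.O_TRUNC   # same flags as the post's open(2)


def nlink_after_unlink(dirpath):
    """open then unlink: the fd keeps working, fstat reports zero names."""
    path = os.path.join(dirpath, "myfile")       # constructed path
    fd = os.open(path, FLAGS, 0o666)
    try:
        os.unlink(path)
        os.write(fd, b"still reachable through the fd")   # data still flows
        os.lseek(fd, 0, os.SEEK_SET)
        data = os.read(fd, 64)
        return os.fstat(fd).st_nlink, data
    finally:
        os.close(fd)


def identity_after_rename(dirpath):
    """open then rename: the fd follows the inode, the old name is gone."""
    old = os.path.join(dirpath, "myfile")
    new = os.path.join(dirpath, "myfile2")
    fd = os.open(old, FLAGS, 0o666)
    try:
        os.rename(old, new)
        by_fd = os.fstat(fd)
        by_name = os.stat(new)
        # (st_dev, st_ino) is the only stable identity the kernel offers
        same = (by_fd.st_dev, by_fd.st_ino) == (by_name.st_dev, by_name.st_ino)
        return same, os.path.exists(old)
    finally:
        os.close(fd)
        os.unlink(new)


def names_after_link(dirpath):
    """open then link: two names, one inode; neither is 'the' name."""
    a = os.path.join(dirpath, "myfile")
    b = os.path.join(dirpath, "myfile2")
    fd = os.open(a, FLAGS, 0o666)
    try:
        os.link(a, b)
        st = os.fstat(fd)
        ident = (st.st_dev, st.st_ino)
        matching = [p for p in (a, b)
                    if (os.stat(p).st_dev, os.stat(p).st_ino) == ident]
        return st.st_nlink, len(matching)
    finally:
        os.close(fd)
        os.unlink(a)
        os.unlink(b)


def demo():
    """Run all three in a scratch directory; returns the observed results."""
    with tempfile.TemporaryDirectory() as d:
        return {
            "unlink": nlink_after_unlink(d),      # (0, data)
            "rename": identity_after_rename(d),   # (True, False)
            "link": names_after_link(d),          # (2, 2)
        }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```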



Re: When will OpenBSD become a friendly place for bug reporters?

2019-07-09 Thread Consus
On 18:56 Tue 09 Jul, Roderick wrote:
> 
> On Tue, 9 Jul 2019, cho...@jtan.com wrote:
> 
> > Perhaps rather than whining that OpenBSD lacks some specific feature,
> > those who want it could write it?
> 
> Or perhaps better not. All depends on what is a feature and for whom.
> 
> I, as normal user, am glad that packages are not inflated with debugging
> symbols.

That's why Red Hat and others offer *-debuginfo packages with DWARF
symbols. It's really helpful. It would be nice to have such in OpenBSD,
especially for base, because rebuilding something on my router is not
something I would like to do.



Re: When will OpenBSD become a friendly place for bug reporters?

2019-07-09 Thread ropers
On 09/07/2019, cho...@jtan.com  wrote:
> Perhaps rather than whining that OpenBSD lacks some specific feature, those
> who want it could write it? A novel idea, I know, but it IS specifically a
> development platform and there are precisely zero restrictions.
>
> Or if you don't wish to start with code, at least try a tack such as "I
> intend to write feature $foo and would like advice for how to go about it".

I intend to write feature "altnumd" and would like advice for how to
go about it.

To elaborate:
  Many older DOS/Windows users still have an old special character
input method in muscle memory that goes back all the way to the IBM
5150[0]: Alt+Numpad[1].
Meaning, hold Alt, and then on the number pad, type a decimal code for
a character in order to insert that character into the (originally
BIOS-)keyboard buffer, from which it is off to the races, to be picked
up by whoever is grabbing characters off the keyboard buffer.
I'm explaining this, because AFAIK that feature has never existed on
Unix-like OSes, and I think--corrections welcome--the BIOS isn't even
involved when OpenBSD talks to the keyboard or vice versa.
I am very aware of the Compose key support in X11, and this isn't
about that. This isn't about inputting characters in a good or better
way. This is about inputting characters in exactly THAT way
(Alt+Numpad), "just like mammy used to".
  Alt+Numpad was originally a BIOS feature for the Single-Byte
Character Set[2] DOS code pages[3] where--unlike in UTF-8 today--there
was no difference between code units and code points[4]. Every one of
the then at most 256 characters on the currently configured code page
was at users' fingertips with Alt+0 thru Alt+255.[5]
  At least part of reimplementing Alt+Numpad support on OpenBSD (as
3rd-party software; I don't expect this to become an OS feature)
should be possible in that these hotkey programs seem able to perform
fairly arbitrary actions in response to configurable key sequences:
, . I have
not yet explored this enough and not yet gotten them to respond to
Alt+Numpad, but I suspect that may be possible.
  However, I don't have a sufficient understanding of the basics of
OpenBSD/console/X11 keyboard support yet. I would like "altnumd" to
work the same or as similar as possible on both console and X11. My
very deficient understanding of OpenBSD non-BIOS keyboard support is
this: I. keypresses on the physical (USB/PS2) keyboard. I think the
actual keyboard has an internal microcontroller and small buffer, but
I don't think that's accessible to write back to. --> II. Low-level OS
keyboard device support. Presumably there's some sort of buffer there
that could be written to, given permission? --> III. At some point
things connect to console and/or X11, and then programs themselves
have their buffers too. Is wscons always involved? Is that the lowest
one can go and can that be written back to? I'm unsure. Essentially,
after registering the keypress sequence, which existing hotkey
programs seem up to, I would need to write something similar to a
software keyboard emulator. Apparently there used to be this TIOCSTI
thing that maybe could help, but this was removed for security
reasons?[6] Is there an alternative?
  Also, it's not even quite clear to me where along the line from
keyboard to program, the scan codes turn into code units/code points
and characters. I.e., assuming the use of UTF-8 at the end of the day,
once I've registered the right code for, say, the NOT character
(Alt+170 on DOS CP437 or Alt+172 on Win/CP1252 and OpenBSD's old
ISO-8859-1), once I've registered that, what goes into the buffer?
0xAA (170) or 0xAC (172), or UTF-8's ready-made 0xC2 0xAC (=U+00AC)?
(Speaking of multiple bytes, a "stretch goal" might be the option to
insert an entire string in response to an Alt code, but that's gravy
and not the old muscle memory.)

Yes, I seriously would like to do this if I can get good enough, from
zero to not-quite-hero. Yes, I would very much appreciate help and any
useful pointers. On-list, off-list, elsewhere, anything, from anyone.

Ian

PS: That said, nobody bet on me succeeding, unless you like losing money.

[0] 
[1] 
[2] 
[3] 
[4] :
"The compromise solution that was eventually found and developed into
Unicode was to break the assumption (dating back to telegraph codes)
that each character should always directly correspond to a particular
sequence of bits. Instead, characters would first be mapped to a
universal intermediate representation in the form of abstract numbers
called __code points__. Code points would then be represented in a
variety of ways and with various default numbers of bits per character
(__code units__) depending o

Re: Did I install correctly the openbsd?

2019-07-09 Thread Rudy Baker
Aren't you that guy "Ywë Carlen" or something like that?

On Tue, Jul 9, 2019, 7:30 PM SOUL_OF_ROOT 55, 
wrote:

> I installed openbsd 6.5 in Virtualbox for Windows 7, the following
> screenshots show it:
>
> [image: openbsd installation.png]
>
> [image: openbsd virtualbox2.png]
>
> [image: congratulations.png]
>
> [image: ls -l in openbsd6.5.png]
>
> I tried to install openbsd according to the following video:
>
> https://youtu.be/8lqISJFB3ak
>
> Did I install correctly the openbsd?
>


Re: shell_exec() exec() and system() not working in php 5.6 openbsd 6.4

2019-07-09 Thread Tom Smyth
Roman has a nice mail setup on his blog that
describes sending mails without exec IIRC
https://www.romanzolotarev.com/

another alternative is to use postfix and maildrop folders or postdrop
folder ...  I hope this helps

Tom Smyth

On Wed, 10 Jul 2019 at 00:31, Kevin Chadwick  wrote:

>
> >Agree this is likely the problem, unfortunately in PHP-land sometimes
> >you can't avoid it. For platforms such as Drupal (just to pick an
> >example I am familiar with) some of the modules will run shell commands
> >to do things such as send email.
> >
> >Allan
>
> The php mail() function runs /bin/sh sendmail. I used to replace /bin/sh
> in the chroot but I've moved to golang now :)
>
>
>

-- 
Kindest regards,
Tom Smyth.


Re: shell_exec() exec() and system() not working in php 5.6 openbsd 6.4

2019-07-09 Thread Kevin Chadwick


>Agree this is likely the problem, unfortunately in PHP-land sometimes
>you can't avoid it. For platforms such as Drupal (just to pick an
>example I am familiar with) some of the modules will run shell commands
>to do things such as send email.
>
>Allan

The php mail() function runs /bin/sh sendmail. I used to replace /bin/sh in the 
chroot but I've moved to golang now :)




Re: shell_exec() exec() and system() not working in php 5.6 openbsd 6.4

2019-07-09 Thread Allan Streib
Martijn van Duren  writes:

> You haven't given enough information for a definitive answer, but my
> guess is that you run php through php-fpm, which is by default chrooted
> to /var/www. Since shell_exec and system first call /bin/sh and you
> most likely didn't copy it to /var/www/bin/sh it can't find your shell.
> After that you'd also need to copy the binaries (in this case ls) to
> your chroot and possible library dependencies (not needed for files
> under /bin).
>
> Hope this helps for illustrative purposes, but please don't use it in
> production.

Agree this is likely the problem, unfortunately in PHP-land sometimes
you can't avoid it. For platforms such as Drupal (just to pick an
example I am familiar with) some of the modules will run shell commands
to do things such as send email.

Allan



Re: 4GB RAM too little for Firefox?

2019-07-09 Thread ropers
> On 2019-07-09, ropers  wrote:
>> Just for the record, I think *my* (not the OP's) problem when trying
>> to grep fstat results was that unlike lsof, fstat didn't show the
>> former file names (hence unlinked); it only showed inodes, so I never
>> got the "find this former file" part to work on OpenBSD.
>> I have since found this blog post, where your man seems to have had
>> the same problem, and where he had written a script with ncheck_ffs(8)
>> to hack his way around that. That's a 13 year-old post though, and I
>> haven't tried it:
>> http://geek00l.blogspot.com/2006/03/openbsd-fstat-vs-lsof.html
>> There used to be an OpenBSD lsof port, as per what's listed on
>> ports.su, but there's no amd64 package now, and I never got that port
>> to work either.

On 09/07/2019, Stuart Henderson  wrote:
> The lsof port didn't display filenames. That information is not
> available on OpenBSD (and is not trustworthy on other OS either;
> files could have been moved/replaced since opening).

Interesting. Thanks.
Is the (un)availability of filename info a feature of the filesystem
(ext2/3/etc vs FFS) or of the OS?
Are there security implications to this info being available/unavailable?

regards,
Ian



Re: When will OpenBSD become a friendly place for bug reporters?

2019-07-09 Thread Chris Humphries
Marc and Stuart (and whoever else was involved), thanks for the work
done on this stuff. It is simple and clean for me as a user and I have
trust in the integrity of what I'm receiving. I don't take it for
granted.

And there's probably a ton more involved that I'm not aware of yet,
but I trust in you guys to do the right thing (tm) all the time for
users. Trust is a big deal. 


Sadly, the OP could have saved a lot of effort for everyone if they
just would have remembered there's other humans on the other side of
the email. And the fundamentals of communication include if you want
to have a real conversation with someone where they listen to you,
don't come at them guns blazing and emotional.

Thanks for explaining things (for the rest of us that are curious).

Hope you didn't let the emotional outrage of a random person on the
Internet infect you. 




On Tue, Jul 09, 2019 at 08:40:29PM +0200, Marc Espie wrote:
> On Tue, Jul 09, 2019 at 08:04:23PM +0300, Leonid Bobrov wrote:
> > > An all-arches package snapshot currently runs at 200GB and adding
> > > symbols across the board would add a lot to this.
> > 
> > Stuart and Espie, have you ever heard of compression?
> 
> WTF is wrong with you ?
> 
> I haven't participated to that thread yet, but I wager I know more about
> compression than you do.
> 
> Just have a fucking look at the code in signify, the pkg tools, and more
> generally, EVERYWHERE I have touched in BSD before spouting insults like
> this.
> 
> Most specifically:
> - we do use gzip because other compression systems won't work with little
> memory/don't have the right licence.
> - gzip allows you to stick COMMENTS in the header, which is where the
> signature lives. I DID A WHOLE FUCKING PRESENTATION ABOUT THAT DESIGN
> CHOICE.
> - pkg_create uses an LRU cache to make updates faster.  And we use some
> specificities of gzip  to make packages amenable to using rsync actually.
> - Stuart has wasted hours getting mirrors to work as good as they can.
> - *we* have spent hours trying to share stuff while keeping things secure.
> 
> It *still* doesn't change the fact that a full snapshot takes up a lot of
> space.  And it's an important factor in having enough sites provide mirrors.
> 
> It's also an important factor in making sure snapshots are distributed 
> quickly.
> 
> Heck, there are design choices in package snapshots to avoid shearing.
> 
> So, to summarize. Get the hell away from this mailing-list.
> 
> I don't want to have anything to do with a condescending idiot who sends
> disparaging comments my way 100% out of the blue.
> 
> Fuck you very much,
> 
> -- 
>   Marc
> 

-- 
Chris Humphries 
5223 9548 E1DE DE87 F509  1888 8141 8451 6338 DD29



Re: TCP wrapper alternative?

2019-07-09 Thread Torsten
Hi
A much simpler option is D.J. Bernstein's tcpserver in combination with 
daemontools.

I use it for all sorts of things including IP blacklisting into pf's tables.
The packages are in the ports system.

T

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of 
Thomas Smith
Sent: 09 July 2019 19:04
To: misc@openbsd.org
Subject: TCP wrapper alternative?

Hi,

I'm considering an option to evaluate connecting IPs before they're evaluated 
by `pf` in order to make some decisions about the "reputation" of a connecting 
IP. Then if that reputation is low enough, some action could either be taken: 
in `pf` to protect the associated application (say by blocking the connection); 
or in the app responsible for the listening port. 

`pf`, unfortunately, isn't able to make routing decisions based on external 
factors (insofar as I understand)--I'm hoping to add some additional (very 
simple) intelligence to that. Just another metric or two for determining if a 
connection is legitimate.

I've been looking into TCP wrappers for OpenBSD but it seems that this 
functionality was removed in version 5. Is my understanding of that correct?

If so, is there an alternate way to achieve what I mentioned?

I know I can use something like sshguard or fail2ban, but I'm looking for a 
much simpler option and one that preferably doesn't rely on tailing log files 
(if there aren't viable alternatives, I may consider these, however). 

~ Tom




possible athn(4) bug in 6.5-current involving AR5418 chipset on used ThinkPad T60

2019-07-09 Thread Matthew Graybosch
Hello. I'm having a bit of trouble getting wifi to work on a used
ThinkPad T60 with an AR5418 chipset, and gathered as much info as
possible by running sendbug as root. I can post the following to bugs@
if anybody thinks that would be more appropriate, but I had read
 and thought it best to post here
first since I'm having trouble with -current.

I'm currently managing without wifi on this machine, so I'll understand
if my particular setup is too old and busted to be worth much effort,
but in the meantime I'll be watching misc@ in case it's my fault for
not understanding the man pages.

>Synopsis:  constant athn0 "device timeout" errors on 6.5-current
>Category:  amd64 kernel system
>Environment:
System  : OpenBSD 6.5
Details : OpenBSD 6.5-current (GENERIC.MP) #101: Fri Jul 5 08:19:55 
MDT 2019 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
Architecture: OpenBSD.amd64
Machine : amd64
>Description:
After buying a refurbished Lenovo ThinkPad T60 and installing
OpenBSD 6.5 I attempted to set up wifi using the athn(4) driver
using the instructions in the man page and the OpenBSD FAQ at
.I tried
switching to -current in case the issue had already been fixed,
but no dice.

I've reproduced the contents of my hostname.athn0 file below,
with the SSIDs and passwords changed.

#BEGIN /etc/hostname.athn0
join "FBI Surveillance Van" wpakey 
join "I have loud neighbors" wpakey 
join "Smartphone Hotspot" wpakey 
dhcp
inet6 autoconf
up powersave
#END /etc/hostname.athn0
>How-To-Repeat:
This issue happens automatically when I reboot, unless I
disable wifi using the hardware switch. This issue also occurs
if I attempt to manually connect using ifconfig and dhclient.
>Fix:
Wired ethernet works, as does Android phone tethering using
urndis(4).

dmesg:

Re: Sysmerge

2019-07-09 Thread Sebastian Benoit
Jay Hart(jh...@kevla.org) on 2019.07.06 08:57:49 -0400:
> > On Sat, Jul 06, 2019 at 11:56:32AM BST, Jay Hart wrote:
> >> Good Morning,
> >>
> >> What is the simple way to have sysmerge "keep" all custom changes to the 
> >> config files, during a
> >> system update from one stable release to the next? I seem to struggle with 
> >> this every release...
> >>
> >> Thanks for your time.
> >>
> >> Jay
> >>
> >
> > Hi Jay,
> >
> > $ man 8 sysmerge
> > [...]
> > FILES
> >  /etc/sysmerge.ignore    Files and directories to ignore from 
> > comparison.
> > [...]
> >
> > Is this what you have in mind?
> >
> > Regards,
> >
> > Raf
> >
> >
> 
> I think it's more like when diff asks to keep current config vs new config. I 
> want to keep my current config files (or at least those custom portions).

But your current config may be incompatible with the new code.

However, sysmerge offers you an option that gets you there halfway: the
sdiff(1) merge feature.

It is a bit awkward to use if you have the original and your own changes
mixed, so here is a trick to help you with the merge:

Put as many of your local changes at the bottom of the file, or at least in
one large chunk, and leave as much of the original file untouched.

For example with sshd_config, all options are commented out.
So put your local changes at the bottom of the file.
The next time sshd_config changes, your merge will be a lot easier.

/B



Re: TCP wrapper alternative?

2019-07-09 Thread Marc Espie
On Tue, Jul 09, 2019 at 11:03:36AM -0700, Thomas Smith wrote:
> Hi,
> 
> I'm considering an option to evaluate connecting IPs before they're evaluated 
> by `pf` in order to make some decisions about the "reputation" of a 
> connecting IP. Then if that reputation is low enough, some action could 
> either be taken: in `pf` to protect the associated application (say by 
> blocking the connection); or in the app responsible for the listening port. 

That's what tables are for, usually, but you don't have a hook to decide
beforehand... afaik



Re: TCP wrapper alternative?

2019-07-09 Thread Peter Nicolai Mathias Hansteen


> On 9 Jul 2019 at 20:03, Thomas Smith wrote:
> 
> Hi,
> 
> I'm considering an option to evaluate connecting IPs before they're evaluated 
> by `pf` in order to make some decisions about the "reputation" of a 
> connecting IP. Then if that reputation is low enough, some action could 
> either be taken: in `pf` to protect the associated application (say by 
> blocking the connection); or in the app responsible for the listening port.

How about having your IP reputation system dump its data (which comes down to 
IP addresses and ranges plus associated rating) to something parseable that 
could then be loaded into whatever number of tables you need, to be used in 
your PF rules?

I imagine it wouldn’t be all that hard, depending on the degree of clunkiness 
of the reputation data export mainly, have the data refresh (data export, table 
reload) run from a cron job however often it seems useful.

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.








TCP wrapper alternative?

2019-07-09 Thread Thomas Smith
Hi,

I'm considering an option to evaluate connecting IPs before they're evaluated 
by `pf` in order to make some decisions about the "reputation" of a connecting 
IP. Then if that reputation is low enough, some action could either be taken: 
in `pf` to protect the associated application (say by blocking the connection); 
or in the app responsible for the listening port. 

`pf`, unfortunately, isn't able to make routing decisions based on external 
factors (insofar as I understand)--I'm hoping to add some additional (very 
simple) intelligence to that. Just another metric or two for determining if a 
connection is legitimate.

I've been looking into TCP wrappers for OpenBSD but it seems that this 
functionality was removed in version 5. Is my understanding of that correct?

If so, is there an alternate way to achieve what I mentioned?

I know I can use something like sshguard or fail2ban, but I'm looking for a 
much simpler option and one that preferably doesn't rely on tailing log files 
(if there aren't viable alternatives, I may consider these, however). 

~ Tom



Re: When will OpenBSD become a friendly place for bug reporters?

2019-07-09 Thread Nathan Hartman
On Tue, Jul 9, 2019 at 2:43 PM Marc Espie  wrote:

> - we do use gzip because other compression systems won't work with little
> memory/don't have the right licence.


You might find this interesting:

https://github.com/silentbicycle/heatshrink


Re: When will OpenBSD become a friendly place for bug reporters?

2019-07-09 Thread Roderick



On Tue, 9 Jul 2019, cho...@jtan.com wrote:

> Perhaps rather than whining that OpenBSD lacks some specific feature,
> those who want it could write it?

Or perhaps better not. All depends on what is a feature and for whom.

I, as normal user, am glad that packages are not inflated with debugging
symbols.

Rod.



Re: sysupgrade: exclude sets

2019-07-09 Thread Leo Unglaub



On 09.07.19 15:13, Theo de Raadt wrote:
> > i am a huge fan of sysupgrade. It works perfectly on my laptop where i
> > use all sets that OpenBSD provides. But now i want to start to use
> > sysupgrade on a router where i don't need the "x*" sets.
> >
> > I looked at the manual here (https://man.openbsd.org/sysupgrade) but
> > did not find a way to exclude them (-x*) from the selection.
> >
> > In this case i also cannot use an answer file from a DHCP server
> > because i don't control the DHCP environment in that network. So that
> > option falls flat for me. Is there a way to remove sets from the
> > installation that i am missing?
>
> No there isn't.



thank you very much for your answer.

I looked into the source again and found a way that works for me. I use 
sysupgrade -n to download everything and then i remove the files 
manually from /home/_sysupgrade and then reboot. The installer reads the 
directory and only offers the sets stored in there.



#!/bin/sh
sysupgrade -n
rm /home/_sysupgrade/x*
rm /home/_sysupgrade/game*
reboot

I am sorry i did not think about this before asking on the mailing list.
Thanks and greetings
Leo :)



Re: When will OpenBSD become a friendly place for bug reporters?

2019-07-09 Thread Marc Espie
On Tue, Jul 09, 2019 at 08:04:23PM +0300, Leonid Bobrov wrote:
> > An all-arches package snapshot currently runs at 200GB and adding
> > symbols across the board would add a lot to this.
> 
> Stuart and Espie, have you ever heard of compression?

WTF is wrong with you ?

I haven't participated to that thread yet, but I wager I know more about
compression than you do.

Just have a fucking look at the code in signify, the pkg tools, and more
generally, EVERYWHERE I have touched in BSD before spouting insults like
this.

Most specifically:
- we do use gzip because other compression systems won't work with little
memory/don't have the right licence.
- gzip allows you to stick COMMENTS in the header, which is where the
signature lives. I DID A WHOLE FUCKING PRESENTATION ABOUT THAT DESIGN
CHOICE.
- pkg_create uses an LRU cache to make updates faster.  And we use some
specificities of gzip  to make packages amenable to using rsync actually.
- Stuart has wasted hours getting mirrors to work as good as they can.
- *we* have spent hours trying to share stuff while keeping things secure.

It *still* doesn't change the fact that a full snapshot takes up a lot of
space.  And it's an important factor in having enough sites provide mirrors.

It's also an important factor in making sure snapshots are distributed 
quickly.

Heck, there are design choices in package snapshots to avoid shearing.

So, to summarize. Get the hell away from this mailing-list.

I don't want to have anything to do with a condescending idiot who sends
disparaging comments my way 100% out of the blue.

Fuck you very much,

-- 
Marc



Re: When will OpenBSD become a friendly place for bug reporters?

2019-07-09 Thread chohag
Perhaps rather than whining that OpenBSD lacks some specific feature, those who 
want it could write it? A novel idea, I know, but it IS specifically a 
development platform and there are precisely zero restrictions.

Or if you don't wish to start with code, at least try a tack such as "I intend 
to write feature $foo and would like advice for how to go about it". Notice 
that the act of _writing actual code_ is still implied.

I imagine that if a patch came through which adapted the build/release process 
such that symbols weren't removed but extracted into their own set for post-hoc 
installation by interested individuals, for example, that it would at least 
receive discussion if not eventual inclusion.

The bitching and public masturbation in this and the recent X thread, among 
many other examples, helps no-one.

Matthew



Re: How to debug hanging machines / proc: table is full

2019-07-09 Thread Raimo Niskanen
On Tue, Jul 09, 2019 at 10:33:46AM -0400, Kenneth Gober wrote:
> On Tue, Jul 2, 2019 at 10:06 AM Raimo Niskanen <
> raimo+open...@erix.ericsson.se> wrote:
> 
> > In /var/log/messages I find suspicious entries "/bsd: proc: table is full"
> > possibly before the machines become unresponsive, but these entries appear
> > many more times before that point.  And after this "table is full" message
> > there are many syslog entries; on one machine smartd constantly complains
> > about an unreadable (pending) sector and atascsi_passthru_done timeout, and
> > on the other the kernel complains about a probed monitor but no|invalid EDID.
> >
> 
> In addition to Stuart's suggestion to leave top(1) running, and
> periodically save "ps ax" output, it might also be a good idea to start
> up a bunch of nested shells and just leave them running.  This will
> reserve a bunch of process table slots, which you will be able to use
> via "exec", the idea being that if you can't fork new processes, you can
> at least use exec to replace an existing ksh process with something
> else.  This will hopefully give you some limited ability to run a few
> post-mortem diagnostic commands before you run out of reserved process
> table slots.
> 
> -ken

That's a nice one.  Thank you!

-- 

/ Raimo Niskanen, Erlang/OTP, Ericsson AB



Re: When will OpenBSD become a friendly place for bug reporters?

2019-07-09 Thread Theo de Raadt
Please leave the list.



Leonid Bobrov  wrote:

> > It is definitely not a friendly place for people with a tone like yours.
> 
> Theo, your excuse that OpenBSD is not more popular than Linux because AT&T
> sued BSD in the 90's is ridiculous; that's your own fault for being so
> terrible in the technical field. Also, you are a terrible person; just like
> me you can't communicate, so why do you think you can teach me
> communication? If my tone is that important that you prefer ignoring an
> important topic, then you are even more terrible in terms of both
> personality and the technical field.
> 
> > An all-arches package snapshot currently runs at 200GB and adding
> > symbols across the board would add a lot to this.
> 
> Stuart and Espie, have you ever heard of compression?
> 
> Again, what's wrong with my tone? I can't elaborate my thoughts in
> different ways; also, my tone only bothers people in this community,
> most other communities don't see anything wrong with my way of speaking.
> 
> Anyway, Stuart suggests a really good solution: detaching symbols into
> subpackages; this practice is already used in Void Linux. I downloaded
> 1 GB of compressed archives and they expanded to 27 GB, so maybe you
> can learn how to use compression or at least switch packages to a proper
> compression method.



Re: When will OpenBSD become a friendly place for bug reporters?

2019-07-09 Thread Christopher Turkel
Stop it now. You are being a troll.

On Tue, Jul 9, 2019 at 1:09 PM Leonid Bobrov  wrote:

> > It is definitely not a friendly place for people with a tone like yours.
>
> Theo, your excuse that OpenBSD is not more popular than Linux because AT&T
> sued BSD in the 90's is ridiculous; that's your own fault for being so
> terrible in the technical field. Also, you are a terrible person; just like
> me you can't communicate, so why do you think you can teach me
> communication? If my tone is that important that you prefer ignoring an
> important topic, then you are even more terrible in terms of both
> personality and the technical field.
>
> > An all-arches package snapshot currently runs at 200GB and adding
> > symbols across the board would add a lot to this.
>
> Stuart and Espie, have you ever heard of compression?
>
> Again, what's wrong with my tone? I can't elaborate my thoughts in
> different ways; also, my tone only bothers people in this community,
> most other communities don't see anything wrong with my way of speaking.
>
> Anyway, Stuart suggests a really good solution: detaching symbols into
> subpackages; this practice is already used in Void Linux. I downloaded
> 1 GB of compressed archives and they expanded to 27 GB, so maybe you
> can learn how to use compression or at least switch packages to a proper
> compression method.
>
>


Re: When will OpenBSD become a friendly place for bug reporters?

2019-07-09 Thread Raul Miller
On Tue, Jul 9, 2019 at 1:13 PM Leonid Bobrov  wrote:
> Theo, your excuse that OpenBSD is not more popular than Linux because AT&T
> sued BSD in 90's is ridiculous,

Nah, it's a relevant issue.

That said, it's not the only issue, which I imagine was the point you
were trying to get across.

-- 
Raul



Re: When will OpenBSD become a friendly place for bug reporters?

2019-07-09 Thread Leonid Bobrov
> It is definitely not a friendly place for people with a tone like yours.

Theo, your excuse that OpenBSD is not more popular than Linux because AT&T
sued BSD in the 90's is ridiculous; that's your own fault for being so
terrible in the technical field. Also, you are a terrible person; just like
me you can't communicate, so why do you think you can teach me
communication? If my tone is that important that you prefer ignoring an
important topic, then you are even more terrible in terms of both
personality and the technical field.

> An all-arches package snapshot currently runs at 200GB and adding
> symbols across the board would add a lot to this.

Stuart and Espie, have you ever heard of compression?

Again, what's wrong with my tone? I can't elaborate my thoughts in
different ways; also, my tone only bothers people in this community,
most other communities don't see anything wrong with my way of speaking.

Anyway, Stuart suggests a really good solution: detaching symbols into
subpackages; this practice is already used in Void Linux. I downloaded
1 GB of compressed archives and they expanded to 27 GB, so maybe you
can learn how to use compression or at least switch packages to a proper
compression method.



Re: shell_exec() exec() and system() not working in php 5.6 openbsd 6.4

2019-07-09 Thread Martijn van Duren
On 7/9/19 11:40 AM, mansoor wrote:
> Hi,
> I am using OpenBSD 6.4 and php version 5.6, I am trying to execute shell
> commands through php file using exec, shell_exec or system (tried all of
> them) but none is working.
> 
> Here is a sample code in my index.php file.
> 
> <?php
> $output = shell_exec('ls -l');
> echo "$output";
> ?>

It's almost never a good idea to use shell_exec or system.
In this case I'd advise to use opendir+readdir and stat if you need the
file metadata.
> 
> Here is a link to my stackoverflow question.
> 
> I have been stuck on this problem for about a week now.
> Please help me if anyone knows about this.
> Thanks

You haven't given enough information for a definitive answer, but my
guess is that you run php through php-fpm, which is by default chrooted
to /var/www. Since shell_exec and system first call /bin/sh and you
most likely didn't copy it to /var/www/bin/sh it can't find your shell.
After that you'd also need to copy the binaries (in this case ls) to
your chroot and possible library dependencies (not needed for files
under /bin).

Hope this helps for illustrative purposes, but please don't use it in
production.

martijn@
> 
> 
> 
> --
> Sent from: http://openbsd-archive.7691.n7.nabble.com/openbsd-user-misc-f3.html
> 
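To confirm the chroot explanation before copying anything into /var/www, here is an added shell example (not Martijn's code and not part of OpenBSD or php-fpm): it pulls the `chroot =` setting out of a php-fpm pool config and checks whether `/bin/sh` and the command's binary exist under that directory, resolving a bare command through `/bin:/usr/bin:/usr/local/bin` relative to the chroot. The pool config embedded in it is constructed; `/var/www` is the default the reply mentions, and the PATH assumption is mine.

```shell
#!/bin/sh
# Added example (not from the thread): check what shell_exec() would need
# inside a php-fpm chroot. Reads "chroot = DIR" from a pool config, then
# looks for /bin/sh and the command's binary below DIR. POSIX sh.

# Constructed pool config standing in for the [www] section of php-fpm.conf.
# "/var/www" is the OpenBSD default named in the thread (assumption here).
SAMPLE_POOL_CONF='[www]
user = www
group = www
listen = /var/www/run/php-fpm.sock
;chroot = /some/commented/out/value
chroot = /var/www
pm = dynamic'

# First active "chroot = DIR" line of a pool config; ';' starts a comment.
pool_chroot() {
    printf '%s\n' "$1" | awk -F'=' '
        $1 ~ /^[ \t]*chroot[ \t]*$/ {
            sub(/^[ \t]+/, "", $2); sub(/[ \t;].*$/, "", $2); print $2; exit
        }'
}

# Given the chroot root and a shell_exec() command line, print the paths the
# call would need but cannot find inside the chroot (empty = all present).
# A bare command is probed with PATH=/bin:/usr/bin:/usr/local/bin, assumed
# to be what /bin/sh inside the jail would use.
missing_in_chroot() {
    root=$1
    cmd=${2%% *}                      # first word of "ls -l" is "ls"
    missing=""
    [ -x "$root/bin/sh" ] || missing="$missing /bin/sh"
    case $cmd in
    /*)
        [ -x "$root$cmd" ] || missing="$missing $cmd" ;;
    *)
        found=0
        for d in /bin /usr/bin /usr/local/bin; do
            if [ -x "$root$d/$cmd" ]; then found=1; break; fi
        done
        [ "$found" -eq 1 ] || missing="$missing $cmd" ;;
    esac
    printf '%s\n' "${missing# }"
}

# One-line verdict for a pool config and a command line.
diagnose_shell_exec() {
    root=$(pool_chroot "$1")
    m=$(missing_in_chroot "$root" "$2")
    if [ -z "$m" ]; then
        echo "ok: everything '$2' needs exists under $root"
    else
        echo "missing under $root: $m"
    fi
}

# Stand-alone run: check the directory the sample config names.
diagnose_shell_exec "$SAMPLE_POOL_CONF" "ls -l"
```

An empty result means the call can at least find its pieces; a non-empty one is the usual reason `shell_exec` silently returns NULL under a chrooted php-fpm. Either way, the fix Martijn recommends (reading the directory with `opendir`/`readdir`/`stat` instead of spawning a shell) removes the dependency entirely, which is also the safer design for a web-facing script.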



Re: How to debug hanging machines / proc: table is full

2019-07-09 Thread Kenneth Gober
On Tue, Jul 2, 2019 at 10:06 AM Raimo Niskanen <
raimo+open...@erix.ericsson.se> wrote:

> In /var/log/messages I find suspicious entries "/bsd: proc: table is full"
> possibly before the machines become unresponsive, but these entries appear
> many more times before that point.  And after this "table is full" message
> there are many syslog entries; on one machine smartd constantly complains
> about an unreadable (pending) sector and atascsi_passthru_done timeout, and
> on the other the kernel complains about a probed monitor but no|invalid EDID.
>

In addition to Stuart's suggestion to leave top(1) running, and
periodically save "ps ax" output, it might also be a good idea to start
up a bunch of nested shells and just leave them running.  This will
reserve a bunch of process table slots, which you will be able to use
via "exec", the idea being that if you can't fork new processes, you can
at least use exec to replace an existing ksh process with something
else.  This will hopefully give you some limited ability to run a few
post-mortem diagnostic commands before you run out of reserved process
table slots.

-ken
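The snapshot advice above is easy to operationalize. The script below is an added example (not Kenneth's or Stuart's code, and nothing from OpenBSD itself): it periodically samples `ps ax`, compares the count against `kern.maxproc` (the OpenBSD sysctl for the process-table limit), keeps the full listing once usage crosses a threshold, and logs which command name holds the most slots. The `ps ax` listing embedded in it is constructed for the stand-alone run; the directory, threshold and interval arguments are this script's own conventions.

```shell
#!/bin/sh
# Added example (not from the thread): keep `ps ax` history and summarize
# which commands hold the most process-table slots, so that a later
# "proc: table is full" has something to read. POSIX sh; runs under ksh.
# kern.maxproc is the OpenBSD sysctl for the process-table limit.

# Constructed sample of `ps ax` output, used for the stand-alone demo.
SAMPLE_PS='  PID TT  STAT       TIME COMMAND
    1 ??  I        0:01.23 /sbin/init
 4711 ??  Ip       0:00.05 /usr/sbin/smartd
 5120 ??  S        0:00.10 sshd: pi@ttyp0 (sshd)
 5121 p0  Ss       0:00.02 -ksh (ksh)
 5200 ??  S        0:00.00 /usr/local/bin/leaky-daemon
 5201 ??  S        0:00.00 /usr/local/bin/leaky-daemon
 5202 ??  S        0:00.00 /usr/local/bin/leaky-daemon
 5203 ??  S        0:00.00 /usr/local/bin/leaky-daemon
 5300 p0  S        0:00.01 -ksh (ksh)
 5301 p0  S        0:00.01 -ksh (ksh)'

# Number of processes in a `ps ax` listing (header line excluded).
count_procs() {
    printf '%s\n' "$1" | awk 'END { print NR - 1 }'
}

# "count command" lines, most frequent first. The command is the basename
# of the fifth column (PID TT STAT TIME COMMAND), so argv[0] paths collapse.
count_by_command() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        n = split($5, parts, "/"); seen[parts[n]]++
    } END { for (c in seen) print seen[c], c }' | sort -rn
}

# Command name holding the most slots right now.
top_offender() {
    count_by_command "$1" | head -n 1 | awk '{ print $2 }'
}

# Integer percentage of the process table in use.
usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Sample every INTERVAL seconds; once usage reaches THRESHOLD percent, keep
# the full listing under DIR and log a one-line summary via syslog. The
# retained listings are what you read after the machine stops forking.
watch_proc_table() {
    dir=$1; threshold=$2; interval=${3:-60}
    maxproc=$(sysctl -n kern.maxproc)
    while :; do
        snap=$(ps ax)
        n=$(count_procs "$snap")
        pct=$(usage_pct "$n" "$maxproc")
        if [ "$pct" -ge "$threshold" ]; then
            f="$dir/ps.$(date +%Y%m%dT%H%M%S)"
            printf '%s\n' "$snap" > "$f"
            logger -t proctable "$n/$maxproc procs (${pct}%), top: $(top_offender "$snap"), saved $f"
        fi
        sleep "$interval"
    done
}

# Usage: ./proctable.sh watch /var/log/proctable 80 30
# Without arguments, summarize the constructed sample instead of the live box.
case "${1:-}" in
watch) watch_proc_table "$2" "$3" "${4:-60}" ;;
*)     echo "sample: $(count_procs "$SAMPLE_PS") procs, top offender: $(top_offender "$SAMPLE_PS")"
       count_by_command "$SAMPLE_PS" ;;
esac
```

Start it from cron or from one of the reserved shells Ken describes; once the table is actually full, `exec` from a pre-started ksh is the only thing left to you, and the saved listings are what tell you which process kept forking.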


shell_exec() exec() and system() not working in php 5.6 openbsd 6.4

2019-07-09 Thread mansoor
Hi,
I am using OpenBSD 6.4 and php version 5.6, I am trying to execute shell
commands through php file using exec, shell_exec or system (tried all of
them) but none is working.

Here is a sample code in my index.php file.

<?php
$output = shell_exec('ls -l');
echo "$output";
?>

Here is a link to my stackoverflow question.

I have been stuck on this problem for about a week now.
Please help me if anyone knows about this.
Thanks



--
Sent from: http://openbsd-archive.7691.n7.nabble.com/openbsd-user-misc-f3.html



Re: sysupgrade: exclude sets

2019-07-09 Thread Theo de Raadt
Leo Unglaub  wrote:

> Hi,
> I am a huge fan of sysupgrade. It works perfectly on my laptop where I
> use all sets that OpenBSD provides. But now I want to start to use
> sysupgrade on a router where I don't need the "x*" sets.
> 
> I looked at the manual here (https://man.openbsd.org/sysupgrade) but
> did not find a way to exclude them (-x*) from the selection.
> 
> In this case I also cannot use an answer file from a DHCP server
> because I don't control the DHCP environment in that network. So that
> option falls flat for me. Is there a way to remove sets from the
> installation that I am missing?

No there isn't.



sysupgrade: exclude sets

2019-07-09 Thread Leo Unglaub
Hi,
I am a huge fan of sysupgrade. It works perfectly on my laptop where I
use all sets that OpenBSD provides. But now I want to start to use
sysupgrade on a router where I don't need the "x*" sets.

I looked at the manual here (https://man.openbsd.org/sysupgrade) but did
not find a way to exclude them (-x*) from the selection.

In this case I also cannot use an answer file from a DHCP server because
I don't control the DHCP environment in that network. So that option
falls flat for me. Is there a way to remove sets from the installation
that I am missing?

Thanks so much!
Leo



Re: 4GB RAM too little for Firefox?

2019-07-09 Thread Stuart Henderson
On 2019-07-09, ropers  wrote:
> Just for the record, I think *my* (not the OP's) problem when trying
> to grep fstat results was that unlike lsof, fstat didn't show the
> former file names (hence unlinked); it only showed inodes, so I never
> got the "find this former file" part to work on OpenBSD.
> I have since found this blog post, where your man seems to have had
> the same problem, and where he had written a script with ncheck_ffs(8)
> to hack his way around that. That's a 13-year-old post though, and I
> haven't tried it:
> http://geek00l.blogspot.com/2006/03/openbsd-fstat-vs-lsof.html
> There used to be an OpenBSD lsof port, as per what's listed on
> ports.su, but there's no amd64 package now, and I never got that port
> to work either.

The lsof port didn't display filenames. That information is not
available on OpenBSD (and is not trustworthy on other OSes either;
files could have been moved/replaced since opening).




adding ipv6 and pppoe to my firewall

2019-07-09 Thread shadrock uhuru
hi everyone,
I have a dual redundant firewall setup the same as the example given at
https://www.openbsd.org/faq/pf/carp.html
I was originally with virgin media but have moved to a provider
offering ipv4, ipv6 and fixed ip addresses,
I am now trying to add ipv6 and pppoe to the firewall.
I haven't found an example on the web of a carp, pppoe and ipv6 firewall,
so I've had to piece together bits of info from different places.
Using the following hypothetical addresses, this is my planned
configuration;
please feel free to correct where there are mistakes.

IPv6 Address:
ND Prefix: :::::/64
PD Prefix: ::::/48
IPv4 Address:     12.34.56.78 (Subnet mask 255.255.255.255)

    fw1 em0: 192.168.2.2 (lan)
    fw1 em1: 192.168.3.2 (wan)
    fw1 em2: 192.168.4.1 (pfsync)
    fw2 em0: 192.168.2.3 (lan)
    fw2 em1: 192.168.3.3 (wan)
    fw2 em2: 192.168.4.2 (pfsync)
    LAN shared IP: 192.168.2.1 (carp_lan)
    WAN/internet shared IP: 12.34.56.78 (carp_wan)

fw1
/etc/hostname.em0
inet 192.168.2.2 255.255.255.0 NONE
inet6 autoconf -autoconfprivacy -soii
inet6 alias :::::100 64

/etc/hostname.em1
inet 192.168.3.2 255.255.255.0 NONE
inet6 autoconf -autoconfprivacy -soii
inet6 alias :::::200 64

/etc/hostname.em2
inet 192.168.4.1 255.255.255.0 NONE

/etc/hostname.carp_lan.nic
inet 192.168.2.1 255.255.255.0 192.168.2.255 vhid 1 carpdev em0 advskew 5 pass $PASSWORDIN
inet6 autoconf -autoconfprivacy -soii
inet6 alias :::::300 prefixlen 64 vhid 1 carpdev em0 advskew 5 pass $PASSWORDIN

/etc/hostname.carp_wan.nic
inet 12.34.56.78 255.255.255.255 'broadcast_addr' vhid 2 carpdev em1 advskew 100 pass $PASSWORDOUT
inet6 autoconf -autoconfprivacy -soii
inet6 alias :::::400 prefixlen 64 vhid 2 carpdev $em1 advskew 100 pass $PASSWORDOUT


fw2
/etc/hostname.em0
inet 192.168.2.3 255.255.255.0 NONE
inet6 autoconf -autoconfprivacy -soii
inet6 alias :::::150 64

/etc/hostname.em1
inet 192.168.3.3 255.255.255.0 NONE
inet6 autoconf -autoconfprivacy -soii
inet6 alias :::::250 64

/etc/hostname.em2
inet 192.168.4.2 255.255.255.0 NONE

/etc/hostname.carp_lan.nic
inet 192.168.2.1 255.255.255.0 192.168.2.255 vhid 1 carpdev em0 advskew 5 pass $PASSWORDIN
inet6 autoconf -autoconfprivacy -soii
inet6 alias :::::350 prefixlen 64 vhid 1 carpdev em0 advskew 5 pass $PASSWORDIN

/etc/hostname.carp_wan.nic
inet 12.34.56.78 255.255.255.255 'broadcast_addr' vhid 2 carpdev em1 advskew 100 pass $PASSWORDOUT
inet6 autoconf -autoconfprivacy -soii
inet6 alias :::::450 prefixlen 64 vhid 2 carpdev $em1 advskew 100 pass $PASSWORDOUT

/etc/hostname.pppoe
mtu 1500
inet 0.0.0.0 255.255.255.255 0.0.0.1 pppoedev em1/carp2 authproto chap authname "XXX@isp" authkey "XXX" up
dest 0.0.0.1
inet6 -autoconfprivacy
inet6 autoconf
!/sbin/route add default -ifp pppoe0 0.0.0.1
!/sbin/route add -inet6 default -ifp pppoe0 fe80::%pppoe0 -priority 8

% cat /etc/rc.d/dhcp6c
#!/bin/sh

daemon="/usr/local/sbin/dhcp6c"

. /etc/rc.d/rc.subr

rc_reload=NO

rc_cmd $1

% cat /etc/dhcp6c.conf
interface pppoe0 {
    send ia-pd 0;
    send domain-name-servers;
    send rapid-commit;
};

id-assoc pd {
    prefix-interface em1 {
        sla-id 0;
        sla-len 8;
    };
};

% echo 'dhcp6c_flags=pppoe0' | tee -a /etc/rc.conf.local
dhcp6c_flags=pppoe0

% echo '!/etc/rc.d/dhcp6c restart' | tee -a /etc/hostname.pppoe0
!/etc/rc.d/dhcp6c restart

% /etc/rc.d/dhcp6c restart
dhcp6c(ok)

question 1
in hostname.pppoe do I set pppoedev to the wan facing nic or the wan
carp interface on each firewall?
question 2
in dhcpv6.conf do I set the interface and prefix_interface to the wan
and lan facing nic or the wan and lan carp interface on each firewall?
question 3
what broadcast address do I use in the carp_wan configuration if the
mask is 255.255.255.255?
question 4
do I just add interface em0 to rad.conf
or do I use the complex case to set the prefix and basic DNS options?
interface em1 {
    prefix ::::/48
    dns {
        nameserver ::::53
        search example.org
    }
}
question 5
do I need to put -autoconfprivacy -soii in the nics or should I remove it?

shadrock



relayd: forward to same host multiple ports

2019-07-09 Thread Gino Pilotino
Hi,
for weird reasons I need to implement RELAYD (OpenBSD 6.5) to balance a
service running on the same host but on multiple ports.

something like:
---
protocol "proto_MyHttpProxyWithSSL" {
 tcp { nodelay, sack, socket buffer 65536, backlog 100 }
 match header append "X-Forwarded-For" value "$REMOTE_ADDR" servers
 match header append "X-Forwarded-By"  value
"$SERVER_ADDR:$SERVER_PORT"
 match header set "Connection" value "close"
 match header set "Keep-Alive" value "$TIMEOUT"
 tls { no tlsv1.0, ciphers "HIGH" }
}

relay   "relay_MyHttpProxyWithSSL" {
  listen on $ext_ip port 20101 tls
  protocol proto_MyHttpProxyWithSSL
  forward to 1.1.1.1 port { 20101 20102 20103 }
 }
---

obviously this doesn't work.
so I found that it is possible to specify "forward to" multiple times

forward to 1.1.1.1 port 20101
forward to 1.1.1.1 port 20102
forward to 1.1.1.1 port 20103

but the manpage says "subsequent entries will be used as the backup table if
all hosts in the previous table are down".
and anyway even this solution doesn't work:

relayd[65845]: /etc/relayd.conf:197: relay relay_MyHttpProxyWithSSL target
or redirection already specified


is there a way to implement this without using PF?


Re: Future of X.org?

2019-07-09 Thread Roderick
On Mon, 8 Jul 2019, Steve Litt wrote:

> It's one thing to support an alternative: Quite another to call
> for the death of the original.

Unfortunately it is not an alternative as I wrote before.

X11 is among other things a standard. If wayland imposes itself,
we will soon have programs for X and programs for wayland. A chaos.

For many advanced purposes other than desktop, wayland is not enough:
X11 will not die, just as RS-232 is not dead. Also because it will be
difficult to port every X11 program.

A linux distribution may have wayland as default, perhaps soon
all linux distributions. Should all operating systems follow
as zealous wayland propagandists want?

Well, today we want to see any open source and not only open source
program in any free, general purpose Operating System. This is the
reason why we can move from one *BSD to another or to a linux
distribution or to Solaris. Obviously no such OS wants to be fully
autonomous; the exception is for example Plan9, and you see the price.

Rodrigo