Re: Bridging OpenVPN and LAN

2021-09-08 Thread Stuart Longland
On Sun, 5 Sep 2021 16:52:58 +0300
kasak  wrote:

> You should add ip pool for bridge in server config.
> 
> like this:
> 
> server-bridge 10.70.0.1 255.225.255.0 10.70.0.100 10.70.0.110

You should *only* do this if you have configured your DHCP server to
_not_ hand out IP addresses in that range.

The DHCP server can't actually tell what a "VPN client" is and what a
local Ethernet client is, so it should work.  Likely, it's a lack of a
`server-bridge` statement (*without* IP address ranges given) that is
likely confusing matters.
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.



Re: PC Engines apu4 network performance

2021-09-08 Thread Stuart Henderson
On 2021-09-08, Paulo Manoel Mafra  wrote:
> Hello guys,
> I've configured a pc engines apu4 with openbsd 6.9 and I verified the
> network performance is around 550 mbit/s with pf and 700 mbit/s without.
>
> Is there any known issue for that poor performance?
> Running another OS on the same hardware I can reach something like 920 mbit/s.
>
> I've googled for this problem and it appears some messages from 2018.

Sounds about right for OpenBSD on that hardware.


-- 
Please keep replies on the mailing list.



Re: Recover partition table/FFS2 after overwrite?

2021-09-08 Thread Stuart Henderson
On 2021-09-08, Thomas Windisch  wrote:
> I managed to restore my drive using
>
> #fdisk -iy
> #disklabel -R
> #fsck
>
> Thanks Geoff and David.
>
> After reinstalling OpenBSD everything seems to be running fine.
> Almost.
>
> When I now run grep I get this:
>
> $ grep
> warning: libc.so.96.0: minor version >= 1 expected, using it anyway
> ld.so: grep: can't load library 'libz.so.6.0'
> Killed
>
> I was previously running -current and I reinstalled -release 6.9.
> It seems that grep is a remnant of the old install? How come?

If you "downgrade" you will need to clean up newer libraries,
things from packages, sometimes perl modules, etc. It is for this reason
that this is really not a supported thing to do.

-- 
Please keep replies on the mailing list.



Re: Are there any protection against heisting the "shell builtin"s?

2021-09-08 Thread Sean Kamath



> On Sep 8, 2021, at 02:24, jim hook  wrote:
> ...
> ex.: "unset cd" would help, but any solution in general?

I alias ‘ls’ to my preferred args.  Sometimes I don’t want those.  In ksh, I 
just use \ls to not use the alias.

I confirmed \cd will use the builtin (at least on ksh) with:

$cd() {
> echo hello
> }
$ cd /tmp
hello
$ \cd /tmp
$ pwd
/tmp




PC Engines apu4 network performance

2021-09-08 Thread Paulo Manoel Mafra
Hello guys,
I've configured a pc engines apu4 with openbsd 6.9 and I verified the
network performance is around 550 mbit/s with pf and 700 mbit/s without.

Is there any known issue for that poor performance?
Running another OS on the same hardware I can reach something like 920 mbit/s.

I've googled for this problem and it appears some messages from 2018.

Kind Regards,
Paulo.



Re: Are there any protection against heisting the "shell builtin"s?

2021-09-08 Thread Reuben ua Bríġ
> Date: Wed,  8 Sep 2021 11:24:18 +0200
> From: jim hook 

> Thinking of that home dirs could be on a shared storage, that can be
> accessed by others and maliciously modify the ".profile", etc. files
> of the targeted user.
> 
> ex.: "unset cd" would help, but any solution in general?

directory permissions.  in code:

for u in /home/*
do chown "$u" "/home/$u"
chmod go-w "/home/$u"

which you should find is already the default.




Re: Are there any protection against heisting the "shell builtin"s?

2021-09-08 Thread Reuben ua Bríġ
> Date: Wed,  8 Sep 2021 11:24:18 +0200
> From: jim hook   

> Thinking of that home dirs could be on a shared storage, that can be
> accessed by others and maliciously modify the ".profile", etc. files
> of the targeted user.
> 
> ex.: "unset cd" would help, but any solution in general?  


> Date: Wed,  8 Sep 2021 19:41:46 +0959
> From: Reuben ua Bríġ 

> directory permissions.  in code:
> 
>   for u in /home/*
>   do chown "$u" "/home/$u"
>   chmod go-w "/home/$u"
> 
> which you should find is already the default.


oops, wrong code.  i meant

cd /home
for u in *
do set -- "$u" "$u/.profile"
chown "$u" "$@"
chmod go-w "$@"
done

assuming you have the usual directory set-up.
a more general solution would involve parsing /etc/passwd



Re: Are there any protection against heisting the "shell builtin"s?

2021-09-08 Thread Reuben ua Bríġ
> Date: Wed,  8 Sep 2021 11:24:18 +0200
> From: jim hook 

> Thinking of that home dirs could be on a shared storage, that can be
> accessed by others and maliciously modify the ".profile", etc. files
> of the targeted user.
> 
> ex.: "unset cd" would help, but any solution in general?


> Date: Wed,  8 Sep 2021 19:41:46 +0959
> From: Reuben ua Bríġ   

> directory permissions.  in code:
> 
>   for u in /home/*
>   do chown "$u" "/home/$u"
>   chmod go-w "/home/$u"
> 
> which you should find is already the default.  


> Date: Wed,  8 Sep 2021 19:50:26 +1000
> From: Reuben ua Bríġ 

> oops, wrong code.  i meant
> 
>   cd /home
>   for u in *
>   do set -- "$u" "$u/.profile"
>   chown "$u" "$@"
>   chmod go-w "$@"
>   done
> 
> assuming you have the usual directory set-up.
> a more general solution would involve parsing /etc/passwd


except that in general you should never do anything as root to files
under a directory owned by a user other than root, as that user could
replace the file with a symbolic link to some other file, and trick you
into modifying some important system file.

secure ways of doing basic stuff in obsd are... convoluted.
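
A read-only version of the check discussed in the messages above (parse a passwd-format file, then inspect each home directory and .profile without following symbolic links), as an added example that is not part of any post in this thread. The names check_path, audit_homes and demo, the MIN_UID default of 1000 and the sample accounts are assumptions made for illustration.

```shell
#!/bin/sh
# Read-only audit: it reports problems and changes nothing, so it can be
# run as root over directories that users control.

# check_path USER UID PATH: print one line per problem found with PATH.
# Neither test -L nor find(1) without -L/-H follows a symbolic link, so a
# link planted by the user is reported rather than dereferenced.
check_path() {
    if [ -L "$3" ]; then
        echo "$1: $3: is a symbolic link"
    elif [ -e "$3" ]; then
        [ -z "$(find "$3" -prune ! -user "$2")" ] ||
            echo "$1: $3: not owned by uid $2"
        [ -z "$(find "$3" -prune \( -perm -020 -o -perm -002 \))" ] ||
            echo "$1: $3: group- or world-writable"
    fi
}

# audit_homes PASSWD_FILE [MIN_UID]: check each account's home directory
# and .profile. MIN_UID (assumed default 1000) skips system accounts.
audit_homes() {
    while IFS=: read -r user x uid x x home x; do
        case $uid in ''|*[!0-9]*) continue ;; esac
        [ "$uid" -ge "${2:-1000}" ] || continue
        case $home in ''|/) continue ;; esac
        check_path "$user" "$uid" "$home"
        check_path "$user" "$uid" "$home/.profile"
    done < "$1"
}

# demo: build constructed home directories and a passwd file in a temp
# directory, audit them, and clean up.
demo() {
    t=$(mktemp -d) || return 1
    me=$(id -u)
    for u in alice bob carol dave; do
        mkdir -m 755 "$t/$u" && : > "$t/$u/.profile" && chmod 644 "$t/$u/.profile"
    done
    chmod g+w "$t/bob"                          # group-writable home
    ln -sf /etc/passwd "$t/carol/.profile"      # .profile replaced by a link
    {
        echo "alice:*:$me:$me::$t/alice:/bin/ksh"
        echo "bob:*:$me:$me::$t/bob:/bin/ksh"
        echo "carol:*:$me:$me::$t/carol:/bin/ksh"
        echo "dave:*:$((me + 1)):$me::$t/dave:/bin/ksh"   # uid does not match owner
    } > "$t/passwd"
    audit_homes "$t/passwd" 0
    rm -rf "$t"
}

if [ "$#" -gt 0 ]; then audit_homes "$@"; fi
```

Run as `sh audit.sh /etc/passwd` to check real accounts; findings still have to be fixed by the owning user or with tools that refuse to follow links.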



Re: PC Engines apu4 network performance

2021-09-08 Thread Elias Carter
Paulo,

Your results match mine. I was never able to get my apu4 past about 600
Mb/s. I installed pfsense on my apu4 and was able to get speeds closer to 1
Gb/s so there does appear to be some bottleneck in openbsd which holds the
hardware back.

If I recall correctly the i210at hardware checksum offloading was not
enabled in openbsd due to a hardware quirk/bug. It looks like the i210at
still doesn’t do hardware checksums:
https://github.com/openbsd/src/blob/2207c4325726fdc5c4bcd0011af0fdf7d3dab137/sys/dev/pci/if_em.c#L1209

I didn’t profile the system so the lack of hardware checksums may not be
the bottleneck.

Elias

On Wed, Sep 8, 2021 at 9:52 AM Paulo Manoel Mafra 
wrote:

> Hello guys,
> I've configured a pc engines apu4 with openbsd 6.9 and I verified the
> network performance is around 550 mbit/s with pf and 700 mbit/s without.
>
> Is there any known issue for that poor performance?
> Running another OS on the same hardware I can reach something like 920 mbit/s.
>
> I've googled for this problem and it appears some messages from 2018.
>
> Kind Regards,
> Paulo.
>
>


Re: Recover partition table/FFS2 after overwrite?

2021-09-08 Thread Thomas Windisch
I managed to restore my drive using

#fdisk -iy
#disklabel -R
#fsck

Thanks Geoff and David.

After reinstalling OpenBSD everything seems to be running fine.
Almost.

When I now run grep I get this:

$ grep
warning: libc.so.96.0: minor version >= 1 expected, using it anyway
ld.so: grep: can't load library 'libz.so.6.0'
Killed

I was previously running -current and I reinstalled -release 6.9.
It seems that grep is a remnant of the old install? How come?



Re: Are there any protection against heisting the "shell builtin"s?

2021-09-08 Thread Ian Darwin
On Wed, Sep 08, 2021 at 11:24:18AM +0200, jim hook wrote:
> test$ cd
> rmplayer
> test$
> test$ type cd
> cd is a function
> test$
> test$ tail -4 .profile
> cd()
> {
> echo rmplayer
> }
> test$
> test$ uname -mrs
> OpenBSD 6.9 amd64
> test$
> 
> Thinking of that home dirs could be on a shared storage, that can be accessed 
> by others and maliciously modify the ".profile", etc. files of the targeted 
> user.
> 
> ex.: "unset cd" would help, but any solution in general?

If your $HOME is on a shared drive that can be written by others, then
blocking people from redefining shell builtins would be like throwing
deck chairs off the Titanic, i.e., you have no security whatsoever.

The only general solution is to have your home directory under better control.



Re: Are there any protection against heisting the "shell builtin"s?

2021-09-08 Thread Ingo Schwarze
Hi Jim,

jim hook wrote on Wed, Sep 08, 2021 at 11:24:18AM +0200:

> test$ cd
> rmplayer
> test$
> test$ type cd
> cd is a function
> test$
> test$ tail -4 .profile
> cd()
> {
> echo rmplayer
> }
> test$
> test$ uname -mrs
> OpenBSD 6.9 amd64
> test$

Those are useful features.  I doubt you will find any Unix user who
never used aliases or shell functions to modify the behaviour of
system commands to better suit their personal taste.  Even myself,
though i dislike changing default configuration in general,
currently have an alias in place that modifies the default behaviour
of rm(1).  From what i have heard, most OpenBSD developers use
aliases or shell functions for several commands, not just for one.

> Thinking of that home dirs could be on a shared storage, that can
> be accessed by others and maliciously modify the ".profile",
> etc. files of the targeted user.

That is not an issue by any stretch of the imagination.  If anyone
else has write access to your home directory, you have already lost
the game, and the number of ways how they own you is next to
unlimited.

Yours,
  Ingo



Are there any protection against heisting the "shell builtin"s?

2021-09-08 Thread jim hook
test$ cd
rmplayer
test$
test$ type cd
cd is a function
test$
test$ tail -4 .profile
cd()
{
echo rmplayer
}
test$
test$ uname -mrs
OpenBSD 6.9 amd64
test$

Thinking of that home dirs could be on a shared storage, that can be accessed 
by others and maliciously modify the ".profile", etc. files of the targeted 
user.

ex.: "unset cd" would help, but any solution in general?

Thanks.