Re: Install latest package without prompts on OpenBSD 7.0

2022-01-11 Thread Alexis



Jeffrey Walton  writes:

> How do I tell pkg_add to install the latest version without
> prompting me?


Proof-of-concept wrapper script, written in Perl:

  https://gist.github.com/flexibeast/816610233ebbb3745ec43852a96b9248


Alexis.



Re: Limit dir write by its storage size

2022-01-11 Thread Zé Loff
On Wed, Jan 12, 2022 at 02:06:39AM +0800, Yamadaえりな wrote:
> For a BSD based system, how can I setup that, if a dir has total storage
> size reached to the max, it won’t be writable anymore?
> 
> Thank you very much!
> Yamada

Create a separate partition for it.




Re: OpenSMTPd: Unable to use TLS/SSL over IPv6

2022-01-11 Thread Stuart Henderson
On 2022-01-11, Leo Unglaub  wrote:
> i am running OpenBSD 7.0 with all patches applied. Some weeks ago i 
> noticed a very strange issue with my OpenSMTPd instance. People are 
> unable to use TLS when connecting via IPv6. This is not just my 
> observation, some people on misc@ told me so as well.

Works for me.

I bet it is MTU related. Try lowering MTU on that interface (you
cannot do it separately for IPv4 and IPv6 so it will change both,
but that's not likely to be a problem) and get someone who has
seen the problems to re-test.




Re: Nagios check_by_ssh

2022-01-11 Thread Stuart Henderson
On 2022-01-11, Nick Holland  wrote:
> On 1/10/22 6:33 PM, F Bax wrote:
>> nagios install creates user _nagios with login = /sbin/nologin
>> I have some OpenBSD systems not configured to send email to external
>> addresses; there is one system (host0) that is configured to send email
>> outside. I wish to use nagios on host0 to monitor the other systems and
>> send notifications to an offsite email address. I was thinking that some
>> sort of restricted shell (only access to /usr/local/libexec/nagios/) would
>> be appropriate. Anyone able to provide a clue how this can be accomplished?
>> Is there a best practices document for using check_by_ssh in OpenBSD?
>> Frank
>
> ok, I'm totally lost as to what e-mail has to do with your question.
>
> Been a while since I managed setting up new services on Nagios, but if you
> are having your nagios server monitor other systems by SSH, you probably
> want to have passwords disabled on the monitored node accounts, use keys
> and IP address restrictions.  Setting up a restricted shell or a chroot is
> probably going to be very frustrating and in the end, not very productive.
>
> What you ask for is basically what the nagios nrpe modules are about --
> avoiding full logins.  NRPE runs various tests and answers queries about
> the results.

Strongly recommend not using NRPE.

If it's something that can be monitored via SNMP (e.g. cpu, memory,
process counts, disk space, network interfaces) then that's often not a
bad way to do it, there are scripts that work with nagios/icinga that
will do this nicely in the "manubulon-snmp" package. Then you can just
run snmpd(8) on the monitored node.

Icinga has quite nice distributed monitoring where it has its own methods
to distribute check jobs to agents, which might be appropriate for setups
that aren't wedded to nagios.

For check_by_ssh probably the best way to go is to generate separate
keys for different checks and use ForceCommand so each key can only run
the relevant check.
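The per-key restriction Stuart describes, as an added example that is not code from the thread: each Nagios key gets an authorized_keys entry whose command= option (the per-key counterpart of sshd_config ForceCommand) pins it to one plugin invocation. PLUGIN_DIR is the path from the thread; the monitoring-host address, key material, plugin names and arguments are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: build the authorized_keys entry that
# pins one SSH key to one Nagios plugin invocation, the per-key counterpart of
# the sshd_config ForceCommand Stuart mentions. PLUGIN_DIR is the path from the
# thread; the monitoring-host address, key material, plugin names and arguments
# below are constructed for illustration. The account on the monitored node
# needs a real shell (not /sbin/nologin): sshd runs the forced command via it.

PLUGIN_DIR=/usr/local/libexec/nagios

# authorized_keys_line NAME PUBKEY MONITOR_IP PLUGIN [ARG...]
# Prints:  restrict,from="MONITOR_IP",command="PLUGIN ARG..." PUBKEY nagios-NAME
# "restrict" disables pty, agent, port and X11 forwarding; "command=" replaces
# whatever the client asks to run, so the key is useless for anything else.
authorized_keys_line() {
    [ $# -ge 4 ] || { echo "usage: authorized_keys_line NAME PUBKEY IP PLUGIN [ARG...]" >&2; return 1; }
    name=$1; pubkey=$2; src=$3; plugin=$4
    shift 4
    case $plugin in
        "$PLUGIN_DIR"/*) ;;
        *) echo "refusing command outside $PLUGIN_DIR: $plugin" >&2; return 1 ;;
    esac
    case $plugin in
        */../*|*/..) echo "refusing path traversal: $plugin" >&2; return 1 ;;
    esac
    args=
    for a in "$@"; do
        # a double quote would terminate the command= option early
        case $a in *\"*) echo "refusing quote in argument: $a" >&2; return 1 ;; esac
        args="$args $a"
    done
    printf 'restrict,from="%s",command="%s%s" %s nagios-%s\n' \
        "$src" "$plugin" "$args" "$pubkey" "$name"
}

# new_check_key NAME MONITOR_IP PLUGIN [ARG...]
# On the Nagios server: create a dedicated ed25519 key for one check and print
# the line to append to ~/.ssh/authorized_keys of the monitoring account on the
# monitored node. Key path is assumed; not called below so the demo stays offline.
new_check_key() {
    name=$1; src=$2; shift 2
    keyfile=/var/nagios/.ssh/id_nagios_$name
    ssh-keygen -q -t ed25519 -N '' -C "nagios-$name" -f "$keyfile" || return 1
    authorized_keys_line "$name" "$(cut -d' ' -f1-2 "$keyfile.pub")" "$src" "$@"
}

# Demo with a constructed (not real) public key: one key per check.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyDataNotReal'
authorized_keys_line disk "$SAMPLE_KEY" 192.0.2.10 "$PLUGIN_DIR/check_disk" -w 20% -c 10% -p /
authorized_keys_line load "$SAMPLE_KEY" 192.0.2.10 "$PLUGIN_DIR/check_load" -w 5,4,3 -c 10,8,6
# Rejected: not a plugin, so the key would have become a general-purpose login.
authorized_keys_line shell "$SAMPLE_KEY" 192.0.2.10 /bin/sh || echo "rejected as intended"
```

On host0 the matching service definition then calls check_by_ssh -i with that key; sshd ignores whatever -C passes and runs the forced command instead.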
 



Re: Limit dir write by its storage size

2022-01-11 Thread Mike Coddington
On Wed, Jan 12, 2022 at 02:06:39AM +0800, Yamadaえりな wrote:
> For a BSD based system, how can I setup that, if a dir has total storage
> size reached to the max, it won’t be writable anymore?
> 

I know you can restrict storage usage at a filesystem level using quota(1),
but I'm not aware of a way to restrict it by directory. I use this for
the /home partition so that each user can only use up a certain chunk of
space for their own home directory and not hog the shared space for the
other users. You might be able to get by with doing something similar,
but I suppose it would depend on your use case.

-- 
Put your Nose to the Grindstone!
-- Amalgamated Plastic Surgeons and Toolmakers, Ltd.



Re: OpenSMTPd: Unable to use TLS/SSL over IPv6

2022-01-11 Thread Mike Fischer
Hi Leo,

> Am 11.01.2022 um 19:10 schrieb Leo Unglaub :
> 
> Hey friends,
> i am running OpenBSD 7.0 with all patches applied. Some weeks ago i noticed a 
> very strange issue with my OpenSMTPd instance. People are unable to use TLS 
> when connecting via IPv6. This is not just my observation, some people on 
> misc@ told me so as well.
> 
> I talked to gilles@ in private and he could confirm the issue, but he thinks 
> it's not related to OpenSMTPd itself and might be even an OpenBSD (LibreSSL) 
> issue itself. gilles@ told me to post this to the ML because it might be a 
> little bit more complicated.
> 
> Here are some basics from the System. I am using the real hostname and IP 
> addresses so everyone can look at the problem directly.
> 
> The Server is configured to use both IPv4 and IPv6:
> 
>> $ cat /etc/hostname.vio0
>> inet 116.202.103.165 255.255.255.255
>> inet6 2a01:4f8:c010:3301::dead:beef 64 -soii
>> !route add -inet 172.31.1.1 -llinfo -link -static -iface vio0
>> !route add -inet default 172.31.1.1
> 
> I confirmed it via ifconfig:
> 
>> $ ifconfig vio0
>> vio0: flags=408843 mtu 1500
>>         lladdr 96:00:00:31:1f:b5
>>         index 1 priority 0 llprio 3
>>         groups: egress
>>         media: Ethernet autoselect
>>         status: active
>>         inet 116.202.103.165 netmask 0x
>>         inet6 fe80::9400:ff:fe31:1fb5%vio0 prefixlen 64 scopeid 0x1
>>         inet6 2a01:4f8:c010:3301::dead:beef prefixlen 64
> 
> I also can use ping and ping6 to reach other servers and the server can be 
> reached over IPv4 and IPv6. So this seems to work.


You can test the SSL connection (from a host that supports OpenSSL and IPv6) as 
follows:
$ openssl s_client -connect [2a01:4f8:c010:3301::dead:beef]:25 -starttls smtp 
https://www.hardenize.com/report/storm-peaks.northrend.azeroth.wow-data.net/1641931125


HTH
Mike



Re: Nagios check_by_ssh

2022-01-11 Thread Nick Holland

On 1/10/22 6:33 PM, F Bax wrote:

> nagios install creates user _nagios with login = /sbin/nologin
> I have some OpenBSD systems not configured to send email to external
> addresses; there is one system (host0) that is configured to send email
> outside. I wish to use nagios on host0 to monitor the other systems and
> send notifications to an offsite email address. I was thinking that some
> sort of restricted shell (only access to /usr/local/libexec/nagios/) would
> be appropriate. Anyone able to provide a clue how this can be accomplished?
> Is there a best practices document for using check_by_ssh in OpenBSD?
> Frank


ok, I'm totally lost as to what e-mail has to do with your question.

Been a while since I managed setting up new services on Nagios, but if you
are having your nagios server monitor other systems by SSH, you probably
want to have passwords disabled on the monitored node accounts, use keys
and IP address restrictions.  Setting up a restricted shell or a chroot is
probably going to be very frustrating and in the end, not very productive.

What you ask for is basically what the nagios nrpe modules are about --
avoiding full logins.  NRPE runs various tests and answers queries about
the results.

The monitoring service account on the monitored nodes should be unpriv'd, no
doas access.  If you need to monitor something only root can tell you, have
a process run periodically as root on the monitored machine and drop a
status report in some place the monitor service account can read it, then
digest it on the nagios server.

I look at monitoring systems as "read only" apps.  Some people disagree
with me...but I consider those people wrong. :)

Nick.



OpenSMTPd: Unable to use TLS/SSL over IPv6

2022-01-11 Thread Leo Unglaub

Hey friends,
i am running OpenBSD 7.0 with all patches applied. Some weeks ago i 
noticed a very strange issue with my OpenSMTPd instance. People are 
unable to use TLS when connecting via IPv6. This is not just my 
observation, some people on misc@ told me so as well.


I talked to gilles@ in private and he could confirm the issue, but he 
thinks it's not related to OpenSMTPd itself and might be even an OpenBSD 
(LibreSSL) issue itself. gilles@ told me to post this to the ML because 
it might be a little bit more complicated.


Here are some basics from the System. I am using the real hostname and 
IP addresses so everyone can look at the problem directly.


The Server is configured to use both IPv4 and IPv6:

$ cat /etc/hostname.vio0
inet 116.202.103.165 255.255.255.255

inet6 2a01:4f8:c010:3301::dead:beef 64 -soii
!route add -inet 172.31.1.1 -llinfo -link -static -iface vio0
!route add -inet default 172.31.1.1


I confirmed it via ifconfig:

$ ifconfig vio0  
vio0: flags=408843 mtu 1500

lladdr 96:00:00:31:1f:b5
index 1 priority 0 llprio 3
groups: egress
media: Ethernet autoselect
status: active
inet 116.202.103.165 netmask 0x
inet6 fe80::9400:ff:fe31:1fb5%vio0 prefixlen 64 scopeid 0x1
inet6 2a01:4f8:c010:3301::dead:beef prefixlen 64


I also can use ping and ping6 to reach other servers and the server can 
be reached over IPv4 and IPv6. So this seems to work.


Here is my OpenSMTPd config. The only thing i replaced is the 
encryption key:



##
## Queue
##
queue compression
queue encryption x



##
## SMTP
##
smtp max-message-size 80M
smtp sub-addr-delim "+"



##
## Tables
##
table aliases file:/etc/mail/aliases
table vdomains file:/etc/mail/table-vdomains
table vaddr file:/etc/mail/table-vaddr
table credentials file:/etc/mail/table-credentials
table filter-dyndns file:/etc/mail/table-filter-dyndns
table vmailstub file:/etc/mail/table-vmailstub



##
## PKI
##
pki "*" cert "/etc/ssl/storm-peaks.northrend.azeroth.wow-data.net.fullchain.pem"
pki "*" key "/etc/ssl/private/storm-peaks.northrend.azeroth.wow-data.net.key"


##
## Filter
##
filter "check-dyndns" phase connect match rdns regex  disconnect "550 no residential/dyndns connections"
filter "check-rdns" phase connect match !rdns disconnect "550 rDNS missmatch"
filter "check-fcrdns" phase connect match !fcrdns disconnect "550 FCrDNS missmatch"
filter "dnsbl" proc-exec "filter-dnsbl -v ix.dnsbl.manitu.net dnsbl.dronebl.org all.spamrats.com dnsbl.sorbs.net bl.spamcop.net"



##
## Listen
##
listen on lo0
listen on egress tls pki "*" filter { "check-dyndns" "check-rdns" "check-fcrdns" "dnsbl" }
listen on egress port submission tls-require pki "*" auth 
listen on egress port 25255 tls-require pki "*" auth 



##
## Actions
##
action "outbound" relay
action "local-lmtp" lmtp "/var/dovecot/lmtp" rcpt-to virtual 


##
## Matches
##
match from any for domain  rcpt-to  action "local-lmtp"
match auth from any for any action "outbound"


To me it looks like i am not doing anything different for IPv4 or IPv6. 
I am just listening on egress and according to ifconfig is assigned to 
vio0. But people cannot use SSL/TLS on IPv6, but it works fine when 
using IPv4. This results in some emails getting delayed from IPv6 
senders, until they downgrade or switch to IPv4.


Does someone of you have an idea why this might happen? To me the config 
seems clean. Do you have this issue on other instances as well?


Thank you so much and greetings
Leo


OpenBSD 7.0 (GENERIC.MP) #3: Wed Dec 15 13:14:26 MST 2021

r...@syspatch-70-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4177379328 (3983MB)
avail mem = 4034760704 (3847MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xf5ad0 (10 entries)
bios0: vendor Hetzner version "2017" date 11/11/2017
bios0: Hetzner vServer
acpi0 at bios0: ACPI 1.0
acpi0: sleep states S5
acpi0: tables DSDT FACP APIC HPET
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel Xeon Processor (Skylake, IBRS), 2100.37 MHz, 06-55-04
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,AVX512F,AVX512DQ,RDSEED,ADX,SMAP,CLWB,AVX512CD,AVX512BW,AVX512VL,PKU,MD_CLEAR,IBRS,IBPB,SSBD,ARAT,XSAVEOPT,XSAVEC,XGETBV1,MELTDOWN
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 
16-way L2 cache
cpu0: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: DTLB 255 4KB entries 

Limit dir write by its storage size

2022-01-11 Thread Yamadaえりな
For a BSD based system, how can I setup that, if a dir has total storage
size reached to the max, it won’t be writable anymore?

Thank you very much!
Yamada


Re: SIP ALG and VoIP

2022-01-11 Thread Cand Tec
Guys,
Thanks for the quick response and advice...always helpful as usual

On Tue, Jan 11, 2022 at 8:07 AM Stuart Henderson 
wrote:

> On 2022-01-11, Chris Cappuccio  wrote:
> > Atticus [grobe...@gmail.com] wrote:
> >> It isn't just SIP. You will need to set up NAT traversal and make sure RTP
> >> traffic can pass as well. Setting up a STUN server and configuring the
> >> clients to use it should aid in the NAT portion. The RTP traffic should be
>
> Sometimes STUN can be used to optimise things (getting call media direct
> between endpoints rather than going via a PBX) but it adds complication
> and is hardly ever _needed_.
>
> >> fine as long as pf is being stateful. If the phones register over SIP fine,
> >> but have no audio, then the RTP traffic isn't getting where it should. IMO,
> >> it makes more sense to use an on-site PBX so you only have to deal with
> >> traffic to/from the one host, but that doesn't sound like an option for you.
> >>
> >
> > Using Asterisk as a SIP server and media gateway, on a public IP with phones
> > behind NAT, you can get NAT traversal via RFC 3581+symmetric RTP (sip.conf
> > nat=yes) without STUN and without a firewall SIP ALG.
> >
> > Freeswitch and also Kamailio + rtpproxy can do similar. These gateways are
> > all capable of symmetric RTP, and have been since forever.
> >
> > If you are connecting phones inside of your NAT to an outside SIP provider,
> > or PBX device, make sure the PBX has a public IP (not behind another NAT
> > itself) and has symmetric RTP enabled.
>
> Most end-user-facing SIP providers (rather than wholesale providers)
> seem pretty capable of handling client devices or PBXs behind NAT.
>
> Generally getting this to work natively requires that whoever is configuring
> it understands how the protocols work, and software that allows things like
> sending RTP back to the IP that a SIP message was received from, and
> sending SIP keepalives back to the source port that it received requests
> from (frequent enough to avoid them timing out). It's not hard, but
> is often not something that techs from a telco will do.
>
> Another way to do things is to use VPNs and bypass firewalls/NAT that
> way.


Re: SIP ALG and VoIP

2022-01-11 Thread Stuart Henderson
On 2022-01-11, Chris Cappuccio  wrote:
> Atticus [grobe...@gmail.com] wrote:
>> It isn't just SIP. You will need to set up NAT traversal and make sure RTP
>> traffic can pass as well. Setting up a STUN server and configuring the
>> clients to use it should aid in the NAT portion. The RTP traffic should be

Sometimes STUN can be used to optimise things (getting call media direct
between endpoints rather than going via a PBX) but it adds complication
and is hardly ever _needed_.

>> fine as long as pf is being stateful. If the phones register over SIP fine,
>> but have no audio, then the RTP traffic isn't getting where it should. IMO,
>> it makes more sense to use an on-site PBX so you only have to deal with
>> traffic to/from the one host, but that doesn't sound like an option for you.
>> 
>
> Using Asterisk as a SIP server and media gateway, on a public IP with phones
> behind NAT, you can get NAT traversal via RFC 3581+symmetric RTP (sip.conf
> nat=yes) without STUN and without a firewall SIP ALG.
>
> Freeswitch and also Kamailio + rtpproxy can do similar. These gateways are
> all capable of symmetric RTP, and have been since forever.
>
> If you are connecting phones inside of your NAT to an outside SIP provider,
> or PBX device, make sure the PBX has a public IP (not behind another NAT
> itself) and has symmetric RTP enabled. 

Most end-user-facing SIP providers (rather than wholesale providers)
seem pretty capable of handling client devices or PBXs behind NAT.

Generally getting this to work natively requires that whoever is configuring
it understands how the protocols work, and software that allows things like
sending RTP back to the IP that a SIP message was received from, and
sending SIP keepalives back to the source port that it received requests
from (frequent enough to avoid them timing out). It's not hard, but
is often not something that techs from a telco will do.

Another way to do things is to use VPNs and bypass firewalls/NAT that
way.




Re: How to install yfklog

2022-01-11 Thread Stuart Henderson
On 2022-01-11, Pascal  wrote:
>
> I want to install yfklog software
> ( https://fkurz.net/ham/yfklog.html ) on OpenBSD. I have no experience. The 
> author, Fabian Kurz, says in the installation manual:
>
> "Install the required packages:
>
> Perl
>
> DBI
>
> SQLite
>
> Curses
>
> Make
>
> libwww-perl
>
> On Ubuntu or Debian Linux, you can satisfy all requirements simply by running:
> sudo apt-get install perl libdbd-sqlite3-perl libclass-dbi-sqlite-perl make 
> libsqlite3-0 libcurses-perl libwww-perl libnet-telnet-perl "
>
>
>
> Do these packets have equivalents on OpenBSD? How do I install them?

That part is easy enough:

pkg_add p5-DBD-SQLite p5-Class-DBI-SQLite p5-libwww p5-Curses p5-Net-Telnet

The problem is that yfklog requires Perl to be built differently than
how it is done in OpenBSD base (with threads), and that isn't something
that can be changed easily. AFAIK compiled modules from packages will
not be compatible with a version of Perl built that way, so you would
need to compile a second copy of Perl separately, install it to a different
location, and fetch the various modules separately (packages will mostly
not work); also some of them may need patching to work on OpenBSD.
This is possible if you are stubborn and have time to spend on it,
but likely to be a real pain, and will need to be re-done after many
OS updates.

Honestly for this software I would recommend running it on a Linux box
(either a VM or on a small machine, any old raspberry pi is likely to
be fast enough...)




Re: SIP ALG and VoIP

2022-01-11 Thread Cand Tec
Thanks to both of you for the valued information. Much appreciated.
@Atticus
This was rather short notice. I wasn't aware that they had gone ahead with
the service installation. Unfortunately in this case there's no on-site
PBX. Understandable given the current work-from-home situation. The
provider (Bell) is installing a dry-loop that should fix the issue in this
case.
@Chris
Thanks for identifying some additional solutions. I'll have to find a
suitable solution for a separate client installation in the next 2 weeks.
They will also use softphones and will not have any on-site PBX.
On a separate note, I looked at all the logs but couldn't see any
attempted/dropped SIP traffic from the softphones from any of the internal
users or Bell techs during the morning testing. Shouldn't there be some
traffic?

On Tue, Jan 11, 2022 at 1:18 AM Chris Cappuccio  wrote:

> Atticus [grobe...@gmail.com] wrote:
> > It isn't just SIP. You will need to set up NAT traversal and make sure RTP
> > traffic can pass as well. Setting up a STUN server and configuring the
> > clients to use it should aid in the NAT portion. The RTP traffic should be
> > fine as long as pf is being stateful. If the phones register over SIP fine,
> > but have no audio, then the RTP traffic isn't getting where it should. IMO,
> > it makes more sense to use an on-site PBX so you only have to deal with
> > traffic to/from the one host, but that doesn't sound like an option for you.
> >
>
> Using Asterisk as a SIP server and media gateway, on a public IP with phones
> behind NAT, you can get NAT traversal via RFC 3581+symmetric RTP (sip.conf
> nat=yes) without STUN and without a firewall SIP ALG.
>
> Freeswitch and also Kamailio + rtpproxy can do similar. These gateways are
> all capable of symmetric RTP, and have been since forever.
>
> If you are connecting phones inside of your NAT to an outside SIP provider,
> or PBX device, make sure the PBX has a public IP (not behind another NAT
> itself) and has symmetric RTP enabled.


Re: How to install yfklog

2022-01-11 Thread Greg Thomas
I'd read through this:

https://www.openbsd.org/faq/faq15.html

After you read that you should be able to verify if the required packages
are available on OpenBSD or not.

And then go through what you think are the correct steps.  And then ask
questions after you've written exactly what you've done if things don't
work.

On Tue, Jan 11, 2022 at 12:06 AM Pascal  wrote:

>
> I want to install yfklog software
> ( https://fkurz.net/ham/yfklog.html ) on OpenBSD. I have no experience.
> The author, Fabian Kurz, says in the installation manual:
>
> "Install the required packages:
>
> Perl
>
> DBI
>
> SQLite
>
> Curses
>
> Make
>
> libwww-perl
>
> On Ubuntu or Debian Linux, you can satisfy all requirements simply by
> running:
> sudo apt-get install perl libdbd-sqlite3-perl libclass-dbi-sqlite-perl
> make libsqlite3-0 libcurses-perl libwww-perl libnet-telnet-perl "
>
>
>
> Do these packets have equivalents on OpenBSD? How do I install them?
>
> Thank you for your help.
>
> Pascal
>
>