httpd(8): Case For Reverting The "location [not] found" Feature

2021-02-14 Thread Aham Brahmasmi
Namaste misc, Overview: With the caveat that my abilities are limited to reading code and basic admin, I think that the "location [not] found" feature in httpd(8) might possibly be "featuritis" - incorrectly using a term borrowed from reyk@. If I may go further, I think we might want to revert

Re: pf.conf parser/lint

2020-12-21 Thread Aham Brahmasmi
Namaste Peter, Tusen takk for your reply. > Sent: Saturday, December 19, 2020 at 3:32 PM > From: "Peter Nicolai Mathias Hansteen" > To: "misc" > Subject: Re: pf.conf parser/lint > > > > > 19. des. 2020 kl. 14:50 skrev Aham Brahmasmi : > >

Re: pf.conf parser/lint

2020-12-19 Thread Aham Brahmasmi
Namaste Theo, I apologize for reincarnating this thread. > Sent: Friday, September 04, 2020 at 5:33 PM > From: "Theo de Raadt" > To: "Tommy Nevtelen" > Cc: misc@openbsd.org > Subject: Re: pf.conf parser/lint > > Tommy Nevtelen wrote: > > > On 04/09/2020 18.07, Brian Brombacher wrote: > > >

Re: UNIX crash course

2020-05-10 Thread Aham Brahmasmi
Namaste Pekka, > Sent: Tuesday, April 21, 2020 at 9:11 PM > From: "Edgar Pettijohn" > To: "Pekka Niiranen" > Cc: misc@openbsd.org > Subject: Re: UNIX crash course > > On Tue, Apr 21, 2020 at 09:17:50PM +0300, Pekka Niiranen wrote: > > Hello Sirs, > > > > That is a very comprehensive list of

Re: Regarding randomized times in crontab

2020-04-18 Thread Aham Brahmasmi
Namaste Andreas, > Sent: Friday, April 17, 2020 at 8:53 AM > From: "Andreas Kusalananda Kähäri" > To: "Janne Johansson" > Cc: "openbsd-misc" > Subject: Re: Regarding randomized times in crontab > > On Fri, Apr 17, 2020 at 09:06:10AM +0200, Janne Johansson wrote: > > Den tors 16 apr. 2020 kl

Re: openbsd.org - certain https URLs downgraded to http in redirection

2020-03-31 Thread Aham Brahmasmi
Namaste misc, Apologies for the reincarnation of this mail trail. > Sent: Tuesday, February 25, 2020 at 10:40 PM > From: "Constantine A. Murenin" > To: "Vincenzo Nicosia" > Cc: "Stuart Henderson" , "misc@openbsd.org" > > Subject: Re: openbsd.org - certain https URLs downgraded to http in >

openbsd.org - certain https URLs downgraded to http in redirection

2020-02-12 Thread Aham Brahmasmi
Namaste misc, Overview: Certain https URLs on openbsd.org get downgraded to http in redirection. Steps: When navigating to https://www.openbsd.org/cgi-bin/man.cgi [1] from a browser, one ends up on http://man.openbsd.org/cgi-bin/man.cgi. Same with https://www.openbsd.org/cgi-bin/cvsweb [1],

Re: ssh: probable bug in ssh -current

2020-02-11 Thread Aham Brahmasmi
> Sent: Monday, February 03, 2020 at 2:28 AM > From: "Damien Miller" > To: "Aham Brahmasmi" > Cc: Misc > Subject: Re: ssh: probable bug in ssh -current > > On Fri, 31 Jan 2020, Aham Brahmasmi wrote: > > > Bug: > > When the

ssh: switch UpdateHostKeys default back to "no" in ssh -current

2020-01-31 Thread Aham Brahmasmi
Namaste misc, Could I request the ssh volks to please switch the default for UpdateHostKeys back to "no"? The default for UpdateHostKeys has been very recently switched to "ask" from the earlier default of "no" in rev 1.323 of the file src/usr.bin/ssh/readconf.c [1]. This default has been

ssh: probable minor bug in ssh -current

2020-01-31 Thread Aham Brahmasmi
Namaste misc, Overview: In update_known_hosts function in file src/usr.bin/ssh/clientloop.c [1], the message strings used in debug and error functions may need to be changed. Bug: In src/usr.bin/ssh/clientloop.c, ... static void update_known_hosts(struct hostkeys_update_ctx *ctx) { ... if (errno

ssh: probable bug in ssh -current

2020-01-31 Thread Aham Brahmasmi
Namaste misc, Overview: In -current (#625), the ssh client is asking the user to accept updated server host keys after every successful connection. No host keys have actually been updated at the server side. Setup: Consider a server (-current #625) which uses host certificates. The server's

Re: Assigning multiple IPv6 addresses to loopback

2020-01-24 Thread Aham Brahmasmi
> addresses > 127.0.0.1) > > eg > echo inet a.b.c.d/32 >/etc/hostname.lo2 > echo inet alias w.x.y.z/32 >>/etc/hostname.lo2 > > and just keep adding additional addresses using "inet alias" > > Hope this helps > > > > > > > > On Thu,

Assigning multiple IPv6 addresses to loopback

2020-01-23 Thread Aham Brahmasmi
Namaste misc, In IPv6, what address prefix/range is recommended for use when assigning multiple addresses to the loopback interface? The use case is running multiple servers (nsd and unbound) on the same port but different loopback addresses. It is similar to what popped up on the other thread

Re: Request for recommendation - encryption and signature for file backup

2020-01-04 Thread Aham Brahmasmi
Namaste Philippe, Merci beaucoup for your reply. > Sent: Saturday, January 04, 2020 at 3:54 PM > From: "Philippe Meunier" > To: "Aham Brahmasmi" > Cc: misc@openbsd.org, Roderick > Subject: Re: Request for recommendation - encryption and signature for file

Re: Request for recommendation - encryption and signature for file backup

2020-01-03 Thread Aham Brahmasmi
Namaste Rodrigo, Thank you for your reply. > Sent: Friday, January 03, 2020 at 5:43 PM > From: "Roderick" > To: "Aham Brahmasmi" > Cc: misc@openbsd.org > Subject: Re: Request for recommendation - encryption and signature for file > backup > >

Re: Request for recommendation - encryption and signature for file backup

2020-01-03 Thread Aham Brahmasmi
Hallo Claus, Danke for your reply. > Sent: Thursday, January 02, 2020 at 6:38 PM > From: "Claus Assmann" > To: misc@openbsd.org > Subject: Re: Request for recommendation - encryption and signature for file > backup > > Maybe duplicity? It's available as package (not sure > whether it does

Re: Probable off by one in src/usr.bin/rdist/docmd.c

2020-01-03 Thread Aham Brahmasmi
> Sent: Thursday, January 02, 2020 at 8:21 PM > From: "Otto Moerbeek" > To: "Aham Brahmasmi" > Cc: misc@openbsd.org > Subject: Re: Probable off by one in src/usr.bin/rdist/docmd.c > > On Thu, Jan 02, 2020 at 07:45:25PM +0100, Aham Brahmasmi wrote: > >

Re: Probable off by one in src/usr.bin/rdist/docmd.c

2020-01-02 Thread Aham Brahmasmi
> Sent: Thursday, January 02, 2020 at 4:26 PM > From: "Otto Moerbeek" > To: "Aham Brahmasmi" > Cc: misc@openbsd.org > Subject: Re: Probable off by one in src/usr.bin/rdist/docmd.c > > On Thu, Jan 02, 2020 at 03:39:53PM +0100, Aham Brahmasmi wrote: > >

Re: Probable off by one in src/usr.bin/rdist/docmd.c

2020-01-02 Thread Aham Brahmasmi
Hallo Otto, Dank je Otto for your helpful reply. > Sent: Wednesday, January 01, 2020 at 3:36 PM > From: "Otto Moerbeek" > To: "Aham Brahmasmi" > Cc: misc@openbsd.org > Subject: Re: Probable off by one in src/usr.bin/rdist/docmd.c > > On Wed, Jan 01,

Request for recommendation - encryption and signature for file backup

2020-01-02 Thread Aham Brahmasmi
Namaste misc, What tool(s) would you recommend to encrypt and sign a file - correctly - for backup? I possess a limited ability to read code, and I am certainly not a cryptographer. In my limited understanding, to securely backup and restore a file, the steps are: To backup: Step 1 - encrypt

Probable off by one in src/usr.bin/rdist/docmd.c

2020-01-01 Thread Aham Brahmasmi
Namaste misc, Question: In the makeconn function in src/usr.bin/rdist/docmd.c, should the 5 in the following line be replaced by 4? ... static int makeconn(char *rhost) { ... (void) snprintf(buf, sizeof(buf), "%.*s -S", (int)(sizeof(buf)-5), path_rdistd); ... Explanation:

Re: Openrsync manpage - EXAMPLES and SEE ALSO

2020-01-01 Thread Aham Brahmasmi
Namaste Ingo, Danke for your reply. I am sorry for the delay in my response. > Sent: Monday, December 09, 2019 at 4:44 PM > From: "Ingo Schwarze" > To: "Aham Brahmasmi" , be...@openbsd.org > Cc: misc@openbsd.org > Subject: Re: Openrsync manpage - EXAMPLES and

Openrsync manpage - EXAMPLES and SEE ALSO

2019-12-09 Thread Aham Brahmasmi
Namaste misc, On the openrsync manpage [1], 1) In the EXAMPLES section, the examples use "rsync". ... % rsync -t ../src/bar ../src/baz host:dest ... The SYNOPSIS section has the invocation as "openrsync". Should we use "openrsync" in the EXAMPLES section? 2) In the SEE ALSO section, clicking

login.conf(5) - Do vmemoryuse and memoryuse limit a process' virtual and physical memory?

2019-04-26 Thread Aham Brahmasmi
Namaste misc, As a good practice, I tried to limit the virtual and physical memory available to the svn daemon [1]. To achieve that, I read about login classes and login.conf(5) [2]: ... memoryuse size Maximum in core memoryuse size limit. ... vmemoryuse size

Re: Are there open source firewall distributions which are built on top of OpenBSD?

2019-03-14 Thread Aham Brahmasmi
Hi Stuart, > Sent: Wednesday, March 13, 2019 at 11:05 AM > From: "Stuart Henderson" > To: misc@openbsd.org > Subject: Re: Are there open source firewall distributions which are built on > top of OpenBSD? > > On 2019-03-13, Mehma Sarja wrote: > > My current setup is basic firewall with DHCP,

Re: Relayd with multiple lets encrypt cert's

2019-02-07 Thread Aham Brahmasmi
Hi Stuart, > Sent: Monday, December 24, 2018 at 1:13 AM > From: "Stuart Henderson" > To: misc@openbsd.org > Subject: Re: Relayd with multiple lets encrypt cert's > > On 2018-12-22, Aham Brahmasmi wrote: > >> On Sat, Dec 22, 2018 at 12:28:46PM +

Re: Relayd with multiple lets encrypt cert's

2018-12-22 Thread Aham Brahmasmi
> On Sat, Dec 22, 2018 at 12:28:46PM +0100, Aham Brahmasmi wrote: > > Hi, > > > > > On Sat, Dec 22, 2018 at 07:07:58AM +0100, Flipchan wrote: > > > > Hello, > > > > Does anyone know how to get this working with multiple letsencrypt > > > >

Re: Relayd with multiple lets encrypt cert's

2018-12-22 Thread Aham Brahmasmi
Hi, > On Sat, Dec 22, 2018 at 07:07:58AM +0100, Flipchan wrote: > > Hello, > > Does anyone know how to get this working with multiple letsencrypt certs? > > > > You need individual IP:port settings for each of the certs. Also don't > forward to different hosts based on match rules unless you

man switchd.conf - Port 6633 or 6653

2018-12-19 Thread Aham Brahmasmi
Hello misc, From the man page of switchd.conf [1]: ... By default, switchd(8) uses port 6653 and listen address 0.0.0.0. ... The following example is a typical one. listen on 0.0.0.0 port 6633 ... Would the example benefit from 6653 as the port number, instead of 6633? Dhanyavaad. Regards,

sshd_config: PubkeyAcceptedKeyTypes does not seem to have any effect

2018-12-19 Thread Aham Brahmasmi
Hello misc, Setting PubkeyAcceptedKeyTypes in the sshd_config does not seem to have any effect on the selection of server signature algorithms (server-sig-algs). Further, the certificate variants of the algorithms are not selected at all. Steps: ON SERVER $ cat /etc/ssh/sshd_config ...

Re: File sets on internet exposed server

2018-11-17 Thread Aham Brahmasmi
Thank you Robert and Stuart for your helpful responses. > Skipping X and games is usually safe. The compilers might be a bad > idea unless you're only installing software from ports. Yes, current plan is to install only from ports as of now. > If you aren't using those packages which use

File sets on internet exposed server

2018-11-14 Thread Aham Brahmasmi
Hello misc, 1) For an internet exposed server, would it be ok to not install any i) compiler collection ii) games iii) X related file sets? Set name(s) = -comp* -game* -x* 2) Would ssh login be affected by lack of X related file sets on the server? In other words, is ssh one of the "programs

ssh-keygen(1) manpage

2018-11-14 Thread Aham Brahmasmi
Hello misc, For the ssh-keygen manpage, https://man.openbsd.org/ssh-keygen.1: 1) We may possibly be missing "-a rounds" for the first incantation ssh-keygen [-q ] [-b bits ] [-t dsa | ecdsa | ed25519 | rsa ] [-N new_passphrase ] [-C comment ] [-f output_keyfile ] I may be wrong here, but I

Re: IPv6 Multicast Listener Discovery - Listing and Disabling Group Membership

2018-10-03 Thread Aham Brahmasmi
Stuart, > Yes the original code was in the original import from KAME. The code > that actually *processed* these queries was removed in the commit I > mentioned (so it seems your main concern is already dealt with), but > I think the interfaces are still joined to the group so will receive >

Re: IPv6 Multicast Listener Discovery - Listing and Disabling Group Membership

2018-10-03 Thread Aham Brahmasmi
Hi Stuart, Thank you for your response. > > 2) How to disable an interface from joining IPv6 Node Information > > multicast group (RFC 4620)? > > In sys/netinet6/in6.c, the function in6_update_ifa contains the > > following lines: > > > > /* > > * join node information group address > > */ > >

Re: network architecture question

2018-10-03 Thread Aham Brahmasmi
Hi Ingo, Thank you for your response. > i mostly learn by reading reference manuals, standard documents, > and source code. I try to too, but with limited successes. So topology and other higher order concepts are out of my competency area, and hence my question. > I mentioned it to show that

Re: network architecture question

2018-10-03 Thread Aham Brahmasmi
Hi Tom, > The book of PF by Peter M Hansteen is very good, and openBSD Specific > Building Internet firewalls is good also ... Building internet > firewalls book can > be a bit verbose at times... but it does go through things in detail... Thank you for your recommendation. I apologize for my

IPv6 Multicast Listener Discovery - Listing and Disabling Group Membership

2018-10-01 Thread Aham Brahmasmi
Hello misc, Running 6.4-beta from approximately a week ago. 1) How to determine the IPv6 multicast groups which have been joined by a particular interface? I have tried netstat but have been unsuccessful. # ifconfig em0 em0: flags=648843 mtu 1500 ... status: active ...

Re: network architecture question

2018-10-01 Thread Aham Brahmasmi
Hi Ingo, Thank you for sharing your experience and insight. > This is discussed in very great detail, covering several chapters, > in the fundamental book by Elizabeth D. Zwicky, "Building Internet > Firewalls" (O'Reilly 2000). While in that book, lots of information > about specific services

Re: Running your own mail server

2018-09-28 Thread Aham Brahmasmi
Craig, Thank you for your exhaustive reply - the list of checks along with current workarounds to achieve them are very helpful. I now know that I need to learn even more. > OpenSMTPd's filter interface is not yet usable (last update 12/2014): >

Re: Running your own mail server

2018-09-26 Thread Aham Brahmasmi
Hi Craig, Thank you for sharing your valuable experience. I apologize for bumping up this slightly old thread. > After that, the MTA needs to be able to check the DNS validity of the > sender's SMTP HELO hostname, and check their DNS PTR record is valid, > and both the mail's envelope and

IPv6 Static Configuration Gateway Address - Link Local or Global Unicast?

2018-07-18 Thread Aham Brahmasmi
Hello misc, I am wondering whether the good volks here would be able to share their insight on configuring the IPv6 gateway address for a machine which has been assigned a static IPv6 address. Based on my layman research, there are two options: 1) Link local gateway address - fe80::1%em0

Re: Cannot access internet with virtual switch

2018-05-15 Thread Aham Brahmasmi
Thank you Koshibe-san for your reply. Here is the output of ping, after the steps: $ ping 8.8.8.8 PING 8.8.8.8 (8.8.8.8): 56 data bytes ping: sendmsg: Network is down ping: wrote 8.8.8.8 64 chars, ret=-1 ... So, it seems the ping fails, except, this time there is some output. > >

Re: Cannot access internet with virtual switch

2018-05-14 Thread Aham Brahmasmi
Thank you Koshibe-san for your reply. > I've actually held back on that diff since it's a bit insufficient by itself. Ok. > Actually, you said that you had just em0 on that switch. Can you try > adding a local port (addlocal instead of add) alongside em0? It will > be a vether(4) interface

Re: Cannot access internet with virtual switch

2018-05-03 Thread Aham Brahmasmi
> > $ cat /etc/hostname.switch0 > > add em0 > > up > > > > Here, em0 is the egress interface connected to the dedicated/bare-metal > > machine provider's network. This provider's network is beyond my > > control. As such, there might be a loop in the provider's network. > > (Sorry, was meaning to

Re: Cannot access internet with virtual switch

2018-04-12 Thread Aham Brahmasmi
> Sent: Thursday, April 12, 2018 at 11:24 AM > From: "Ayaka Koshibe" <akosh...@gmail.com> > To: misc@openbsd.org > Subject: Re: Cannot access internet with virtual switch > > On Wed, Apr 11, 2018 at 6:25 AM, Aham Brahmasmi <aham.brahma...@gmx.com> >

Re: pf: certain recursive macros causing syntax error

2018-04-12 Thread Aham Brahmasmi
> Sent: Thursday, April 12, 2018 at 5:57 AM > From: "Theo de Raadt" <dera...@openbsd.org> > To: "Aham Brahmasmi" <aham.brahma...@gmx.com> > Cc: misc@openbsd.org > Subject: Re: pf: certain recursive macros causing syntax error > > Aham Brahma

pf: certain recursive macros causing syntax error

2018-04-11 Thread Aham Brahmasmi
Hello misc, Recursive macros which include macros containing certain specific characters cause syntax errors. Steps $ cat pftemp.conf forwardslash = "100/10" #forwardslashrecursive = $forwardslash number = "100" numberrecursive = $number string = "keep" #stringrecursive = $string ip = "0.0.0.0"

Re: Cannot access internet with virtual switch

2018-04-11 Thread Aham Brahmasmi
> Sent: Wednesday, April 11, 2018 at 10:18 AM > From: "Ayaka Koshibe" > To: misc@openbsd.org > Subject: Re: Cannot access internet with virtual switch > > > This informs us that for a PACKET_OUT with action OUTPUT, it cannot > > have its port as ANY. Now, I do not know why for

Re: Cannot access internet with virtual switch

2018-04-10 Thread Aham Brahmasmi
> Sent: Monday, April 09, 2018 at 6:50 PM > From: "Aham Brahmasmi" <aham.brahma...@gmx.com> > To: misc@openbsd.org > Subject: Re: Cannot access internet with virtual switch > > > Sent: Saturday, April 07, 2018 at 5:02 AM > > From: "Ayaka Koshi

Re: Cannot access internet with virtual switch

2018-04-09 Thread Aham Brahmasmi
> Sent: Saturday, April 07, 2018 at 5:02 AM > From: "Ayaka Koshibe" <akosh...@gmail.com> > To: "Aham Brahmasmi" <aham.brahma...@gmx.com> > Cc: misc@openbsd.org > Subject: Re: Cannot access internet with virtual switch > > On Fri, Apr 6, 20

Cannot access internet with virtual switch

2018-04-06 Thread Aham Brahmasmi
Hello misc, Problem A physical server with a switch (add em0 up) cannot access the internet. However, the same host with a bridge (add em0 up) can access the internet. Steps $ ifconfig em0: flags=8843 mtu 1500 lladdr 22:22:22:22:22:22 index

Intel Microcode Guidance: Abandoned Processor Families and Spectre

2018-04-05 Thread Aham Brahmasmi
Hello Misc, Will OpenBSD's patches for Spectre help mitigate the risk for the processor families which are not receiving Intel's mitigation microcode for Spectre/Spectre variant 2? Backdrop Intel has issued a Microcode Revision Guidance on April 3, 2018 [1]. As per this guidance, some processor

Re: vmd - Unable to reboot Alpine guest

2018-02-19 Thread Aham Brahmasmi
> Sent: Monday, February 19, 2018 at 1:41 PM > From: "Stuart Henderson" <s...@spacehopper.org> > To: misc@openbsd.org > Subject: Re: vmd - Unable to reboot Alpine guest > > On 2018-02-19, Martijn van Duren <openbsd+m...@list.imperialat.at> wrote: > >

Re: vmd - Unable to reboot Alpine guest

2018-02-18 Thread Aham Brahmasmi
> Sent: Sunday, February 18, 2018 at 9:19 PM > From: "Carlos Cardenas" <cardena...@gmail.com> > To: "Aham Brahmasmi" <aham.brahma...@gmx.com> > Cc: misc@openbsd.org > Subject: Re: vmd - Unable to reboot Alpine guest > > On Sun, Feb 18, 2

vmd - Unable to reboot Alpine guest

2018-02-18 Thread Aham Brahmasmi
Hi, I have a simple installation of OpenBSD 6.2 with latest patches installed on an amd64 machine. I am unable to reboot an Alpine Linux 3.7.0 guest. 1) I have installed an Alpine Linux guest and it works fine on vmd. The entry in "vmctl status" properly lists the guest after host boot. $

Re: spamd and IPv6

2018-02-18 Thread Aham Brahmasmi
> Sent: Wednesday, February 14, 2018 at 11:30 AM > From: "Denis Fondras" > To: misc@openbsd.org > Subject: Re: spamd and IPv6 > > > does anyone can tell me what the state of spamd and IPv6 is? I would > > have expected it to work but I can't set for example ::1 or [::1] as a > >

Re: Bitmask for 224.0.0.0 in Martians PF table entry

2018-01-11 Thread Aham Brahmasmi
Thank you Kapetanakis Giannis and Mike Coddington for your helpful replies. I will now use /3, since I do not think that I will use multicast. Regards, ab

Re: Probable mistake in PF tagging example ruleset order

2018-01-11 Thread Aham Brahmasmi
(Resending, I fessed up the inline reply) Arigato gojaimas Trondd san for your very helpful reply. I had understood from the documentation that tags were sticky. I also understood that a packet can only have zero or one tag at any time. Also, that a tag cannot be removed, but only replaced.

Re: Probable mistake in PF tagging example ruleset order

2018-01-11 Thread Aham Brahmasmi
Arigato gojaimas Trondd san for your very helpful reply.    Sent: Thursday, January 11, 2018 at 3:17 AM From: trondd <tro...@kagu-tsuchi.com> To: "Aham Brahmasmi" <aham.brahma...@gmx.com> Cc: misc@openbsd.org Subject: Re: Probable mistake in PF tagging example ruleset or

Probable mistake in PF tagging example ruleset order

2018-01-10 Thread Aham Brahmasmi
Hi, I am trying to learn and understand the pf tagging mechanism. I was wondering whether my understanding of the order in the example at https://www.openbsd.org/faq/pf/tagging.html is correct. If it is, then there might be a mistake in the order. The relevant lines are ... pass out on egress

Bitmask for 224.0.0.0 in Martians PF table entry

2018-01-10 Thread Aham Brahmasmi
Hi, What is the correct bitmask for the 224.0.0.0 Martian table entry in pf.conf? There are two bitmasks in two links on this page - http://www.team-cymru.org/bogon-reference-http.html. /3 in the The Text Bogon List, Aggregated and /4 in IPv4 Fullbogons. /3 is also present in