Re: Secure PKG_PATH for doas

2016-05-20 Thread Igor Mironov
Thank you Mart, Ted and Stuart--I understood that installpath in pkg.conf
provides a secure default, and PKG_PATH should probably be used for overrides
only (if at all).



On Friday, 20 May 2016, 3:41, Mart Tõnso <xti...@gmail.com> wrote:



There is an alternative to PKG_PATH env var:

http://man.openbsd.org/OpenBSD-current/man5/pkg.conf.5

echo "installpath = http://your.favorite.mirror/" > /etc/pkg.conf

.. and enjoy!

Mart



On Thu, May 19, 2016 at 4:32 AM, Ted Unangst <t...@tedunangst.com> wrote:
> Igor Mironov wrote:
>> The packages and ports' FAQ mentions that those using doas need to pass
>> keepenv { PKG_PATH } in the config file. Is there a way to instruct doas to
>> take PKG_PATH (or another variable) from the target account's environment
>> (~/.profile)?
>
> No, but you can easily write a shell wrapper that sets things up and calls
> pkg_add.
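
Ted's shell-wrapper suggestion, as an added example that is not code from the thread. The script below is what doas would be told to run instead of pkg_add (assumed doas.conf rule: `permit :wheel cmd /usr/local/sbin/pkg_add_wrapper`, with no keepenv needed). It discards the caller's environment with env -i, pins PKG_PATH to a mirror chosen by the administrator (the URL is an assumption; substitute your own), and accepts only plain package names, so the caller cannot hand pkg_add an option, a local .tgz or a URL. The point is that `keepenv { PKG_PATH }` lets the unprivileged caller decide where root fetches packages from; the wrapper takes that choice away.

```sh
#!/bin/sh
# pkg_add_wrapper: hypothetical wrapper invoked via doas (added example, not
# from the thread). Assumed doas.conf rule, with no keepenv needed:
#   permit :wheel cmd /usr/local/sbin/pkg_add_wrapper
#
# Assumed mirror; replace with your own. %c and %a are expanded by pkg_add.
TRUSTED_PKG_PATH="https://cdn.openbsd.org/pub/OpenBSD/%c/packages/%a/"
SAFE_PATH="/usr/bin:/bin:/usr/sbin:/sbin"

# Accept only plain package names (stem, optional flavor, optional %branch).
# Reject options (-D, -l, ...), paths and URLs so the caller cannot point
# pkg_add at a local .tgz or at a mirror of their choosing. The character set
# is an assumption; widen it if your package names need other characters.
valid_pkg_args() {
    [ "$#" -gt 0 ] || return 1
    for arg in "$@"; do
        case "$arg" in
            ''|-*|*/*) return 1 ;;
        esac
        case "$arg" in
            *[!A-Za-z0-9._+%-]*) return 1 ;;
        esac
    done
    return 0
}

# Print the exact command line that main() would exec, for logging or dry runs.
pkg_add_cmd() {
    printf '%s' "env -i PATH=$SAFE_PATH PKG_PATH=$TRUSTED_PKG_PATH pkg_add"
    for arg in "$@"; do
        printf ' %s' "$arg"
    done
    printf '\n'
}

main() {
    if ! valid_pkg_args "$@"; then
        echo "usage: ${0##*/} pkgname ..." >&2
        exit 2
    fi
    # env -i drops everything the caller's environment contained, including
    # any PKG_PATH doas might have been told to keep; only our values remain.
    exec env -i PATH="$SAFE_PATH" PKG_PATH="$TRUSTED_PKG_PATH" pkg_add "$@"
}

# Only act as the wrapper when installed under that name; otherwise the file
# can be sourced to reuse valid_pkg_args and pkg_add_cmd.
[ "${0##*/}" = "pkg_add_wrapper" ] && main "$@"
```

Because doas runs the wrapper rather than pkg_add, the caller's environment never reaches pkg_add at all, and the mirror is fixed in a root-owned file instead of in whatever ~/.profile the caller controls. If a package really does need a different source, add a second, separately audited wrapper rather than reopening PKG_PATH.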



Secure PKG_PATH for doas

2016-05-18 Thread Igor Mironov
The packages and ports' FAQ mentions that those using doas need to pass keepenv 
{ PKG_PATH } in the config file. Is there a way to instruct doas to take 
PKG_PATH (or another variable) from the target account's environment 
(~/.profile)?



One span port for two interfaces

2016-05-11 Thread Igor Mironov
Hi,

I have set up an OpenBSD 5.9 machine to act as a router/firewall to selectively 
forward traffic between two subnets of its interfaces vic0 and vic1:

        ,-----------,
vic0 ---+ forwarder +--- vic1
        `-----------'

I would like to create a read-only monitoring span port vic2 that would receive 
all traffic that appears on either interface:

          ,-----------,
vic0 -+---+ forwarder +---+- vic1
      |   `-----------'   |
      |                   |
      `--->|----+----|<---'
                |
               vic2

(In the diagram above, the ->|- elements allow traffic in one direction only, 
as in "block out" pf rules.)

I have attempted to implement this using a bridge with vic0 and vic1 as members 
and vic2 as the span port; however the span interface only receives a subset of 
traffic because of pf filtering applied by the firewall (the bridge is 
filtered). I have also tried more complex designs with per-interface bridges.


The only way I could get this to work is by creating a separate pair of 
interfaces (one for each subnet) and using them in the bridge:

        ,-----------,
vic0 ---+ forwarder +--- vic1
        `-----------'

vic3 ->|----+----|<- vic4
            |
           vic2

Even though this method works (but causes further problems with loops), I would 
like to use a simpler/idiomatic approach, which almost certainly exists.


Apart from bridge(4) I also experimented with trunk(4) using broadcast 
protocol, but the trunk device did not receive all packets either (it was 
mostly silent).

I am aware that I could run two instances of the monitoring application (one 
for each interface), but would like to avoid that if possible.

I have researched the internet and man pages and at the moment do not have any 
further ideas.

Please let me know what you think.

Thanks,
Igor