Re: relayd forward with tls

2024-01-08 Thread Uwe Werler
Take a look at the example in man relayd.conf. You have to set the X-header 
like:

match header set "X-Forwarded-For" value "$REMOTE_ADDR"
match header set "X-Forwarded-By" \
    value "$SERVER_ADDR:$SERVER_PORT"

I could post an example when I'm back at my machine.

On 8 January 2024 at 23:51:33 CET, Adriano Barbosa wrote:
>On Mon, Jan 08, 2024 at 07:01:04AM -0800, Paul Pace wrote:
>> On 1/7/24 1:31 PM, Adriano Barbosa wrote:
>> > On Sun, Jan 07, 2024 at 05:21:04AM -0800, Paul Pace wrote:
>> > > On 1/6/24 7:35 PM, Adriano Barbosa wrote:
>> > > > On Thu, Jan 04, 2024 at 06:57:10PM -0800, Paul Pace wrote:
>> > > > > On 1/4/24 10:22 AM, Adriano Barbosa wrote:
>> > > > > > Hi!
>> > > > > > I'm trying to use relayd with multiple FQDNs mixing remote servers
>> > > > > > with and without tls:
>> > > > > > 
>> > > > > > relayd -- fqdn1 --> 127.0.0.1 (no tls)
>> > > > > >   -- fqdn2 --> x.x.x.x (with tls)
>> > > > > > 
>> > > > > > I wrote my relayd.conf like this:
>> > > > > > 
>> > > > > > table  { 127.0.0.1 }
>> > > > > > table  { x.x.x.x }
>> > > > > > 
>> > > > > > http protocol https {
>> > > > > >tls keypair fqdn1
>> > > > > >tls keypair fqdn2
>> > > > > > 
>> > > > > >match request header "Host" value "fqdn1" tag "fqdn1"
>> > > > > >pass request tagged "fqdn1" forward to 
>> > > > > > 
>> > > > > >match request header "Host" value "fqdn2" tag "fqdn2"
>> > > > > >pass request tagged "fqdn2" forward to 
>> > > > > > }
>> > > > > > 
>> > > > > > relay wwwtls {
>> > > > > >listen on egress port 443 tls
>> > > > > >protocol https
>> > > > > >forward to  port 80
>> > > > > >forward with tls to  port 443
>> > > > > > }
>> > > > > 
>> > > > > With one forward requiring TLS in a relay block, relayd will require
>> > > > > TLS for all forward statements in the relay block.
>> > > > > 
>> > > > > > 
>> > > > > > I have fqdn2 working and fqdn1 giving a "curl: (52) Empty reply
>> > > > > > from server".
>> > > > > > Removing "with tls" on the second forward, fqdn1 works and fqdn2
>> > > > > > gives a "Client sent an HTTP request to an HTTPS server."
>> > > > > > 
>> > > > > > Is it possible to have relayd working on this scenario? What am I
>> > > > > > missing here?
>> > > > > > 
>> > > > > > Obrigado!
>> > > > > > --
>> > > > > > Adriano
>> > > > > 
>> > > > 
>> > > > Thank you for the response.
>> > > > 
>> > > > Digging a little more, I found that if I change the listen port from
>> > > > 443 to values other than 443 and 80, the "match request host" filter
>> > > > stops working. The behaviour is the same with or without "with tls" on
>> > > > the relay.
>> > > > 
>> > > > With port 443:
>> > > > stable# curl --insecure https://fqdn1
>> > > > Server 1
>> > > > stable# curl --insecure https://fqdn2
>> > > > Server 2
>> > > > 
>> > > > With port 4430 and allegedly any port other than 80 and 443:
>> > > > stable# curl --insecure https://fqdn1:4430
>> > > > Server 1
>> > > > stable# curl --insecure https://fqdn2:4430
>> > > > Server 1
>> > > > 
>> > > What does curl -vk show?
>> > > 
>> > 
>> > Unfortunately, no difference. Follows:
>> > 
>> > $ curl --insecure -vk https://fqdn2
>> > * Host fqdn2:443 was resolved.
>> > * IPv6: (none)
>> > * IPv4: 127.0.0.1
>> > *   Trying 127.0.0.1:443...
>> > * Connected to fqdn2 (127.0.0.1) port 443
>> > * ALPN: curl offers h2,http/1.1
>> > * TLSv1.3 (OUT), TLS handshake, Client hello (1):
>> > * TLSv1.3 (IN), TLS handshake, Server hello (2):
>> > * TLSv1.3 (IN), TLS handshake, Unknown (8):
>> > * TLSv1.3 (IN), TLS handshake, Certificate (11):
>> > * TLSv1.3 (IN), TLS handshake, CERT verify (15):
>> > * TLSv1.3 (IN), TLS handshake, Finished (20):
>> > * TLSv1.3 (OUT), TLS handshake, Finished (20):
>> > * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / [blank] / UNDEF
>> > * ALPN: server did not agree on a protocol. Uses default.
>> > * Server certificate:
>> > *  subject: C=BR; ST=MS; L=DOU
>> > *  start date: Jan  6 20:12:43 2024 GMT
>> > *  expire date: Jan  5 20:12:43 2025 GMT
>> > *  issuer: C=BR; ST=MS; L=DOU
>> > *  SSL certificate verify result: self signed certificate (18), continuing anyway.
>> > *   Certificate level 0: Public key type ? (4096/128 Bits/secBits), signed using sha256WithRSAEncryption
>> > * using HTTP/1.x
>> > > GET / HTTP/1.1
>> > > Host: fqdn2
>> > > User-Agent: curl/8.5.0
>> > > Accept: */*
>> > > 
>> > < HTTP/1.1 200 OK
>> > < Connection: keep-alive
>> > < Content-Length: 18
>> > < Content-Type: text/html
>> > < Date: Sun, 07 Jan 2024 21:23:24 GMT
>> > < Last-Modified: Sun, 07 Jan 2024 21:19:24 GMT
>> > < Server: OpenBSD httpd
>> > <
>> > Server 2
>> > * Connection #0 to host fqdn2 left intact
>> > 
>> > and
>> > 
>> > $ curl --insecure -vk https://fqdn2:4430
>> > * Host fqdn2:4430 was resolved.
>> > * IPv6: (none)
>> > * IPv4: 127.0.0.1
>> > *   Trying 127.0.0.1:4430...
>> > * 

Re: cwm on wayland

2023-12-15 Thread Uwe Werler
Please keep woke bs out of technical development.

On 16 December 2023 at 00:22:51 CET, Anders Andersson wrote:
>On Fri, Dec 15, 2023 at 7:01 PM David Coppa  wrote:
>>
>> On Fri, Dec 15, 2023 at 6:29 PM  wrote:
>> >
>> > So they're putting a Wayland in our BSD.
>> >
>> > I've never used that before.
>> >
>> > Is a port of cwm planned?
>>
>> I really don't think so.
>>
>> But there's hikari, a stacking Wayland compositor heavily inspired by
>> cwm: https://hikari.acmelabs.space/
>>
>> We might probably have a port of it in our ports tree in the future.
>>
>> Ciao,
>> David
>>
>
>I'm not sure their "Geekfeminism Code of Conduct"
>(https://hikari.acmelabs.space/coc.html) works well with OpenBSD.
>

-- 
This message was sent from my Android device with K-9 Mail.


Re: 2FA VPNs

2022-11-02 Thread Uwe Werler
On 02 Nov 02:05, Stuart Henderson wrote:
> If anyone's got any good suggestions on how to do VPNs with 2FA
> on an OpenBSD gateway for non-technical users to access (iOS, Android,
> Windows clients) I'd love to hear them.
> 
> I could bodge something together with openvpn and TOTP but it doesn't
> exactly spark joy.
> 
> 

Two possible solutions come to my mind. Use OpenVPN with bsd-auth and
configure login_totp from the package login_oath. So one has the client
certificate plus TOTP. Or configure L2TP/IPsec with certificates and configure
npppd to use radius. Then either use radiusd with bsdauth or use freeradius
for MFA.

-- 
wq: ~uw



Re: Sharing desktop with Jitsi and pledge

2021-06-29 Thread Uwe Werler
Not with jitsi but with Nextcloud Talk I got it working in Chrome.

On 29 June 2021 at 19:30:57 GMT+00:00, Jonathan Drews wrote:
>Hi Folks:
>
>I am running OpenBSD 6.9 GENERIC.MP#4 amd64 and have Jitsi working
>well here on OpenBSD. The audio and video work fine. So do the typing
>of comments in Jitsi
>
>However when I attempt to share my desktop, through Jitsi, then
>Firefox crashes. I get this message in my dmesg output:
>
>firefox[17370]: pledge "", syscall 289
>
>It looks like pledge is stopping Jitsi, as it should. Any suggestions
>at to how I could share a presentation through OpenBSD? I've tried
>Zoom but it doesn't work as well as Jitsi.
>
>Kind regards,
>Jonathan

-- 
This message was sent from my Android device with K-9 Mail.


Re: ssl/libssl certificate validation broken?

2020-10-25 Thread Uwe Werler
On 22 Oct 22:59, Daniel Jakots wrote:
> On Thu, 22 Oct 2020 21:49:20 -0500, "Rafael Possamai"
>  wrote:
> 
> > >Hi Bob, it was in the middle of the night and I got quite kinda
> > >stressed because all services depending on our ldap proxy stopped
> > >working after the upgrade and it took me a while to figure the
> > >problem out.  
> > 
> > Perhaps this is unsolicited advice, but maybe you can setup a test
> > system first, perform major upgrade on it to make sure everything
> > works. If so, then do it in production. 
> > 
> 
> Even better, try -current a few weeks before release (a possible hint
> is -beta). This way you can get any encountered bug fixed in time for
> -release. Your prod but also every one else will benefit from it.
> 
> Cheers,
> Daniel
> 

That's very good advice.

For most services I have a very similar setup at home (even with ldap). I
always run -current on my workstations - one workstation is updated more or less
daily and if that works I upgrade the 2nd one (important for ports too).

At home I regularly install snapshots (~ every 2nd week) - because before I
implement something at work I usually try and test that also at home - often
with "cutting edge" features.

When upgrading at work I always upgrade dev first. And all infrastructure
critical services are "carped" so even when upgrading prod then node by
node***.  But exactly in this ssl case this failed for me with this bug. At
home I use letsencrypt certs so that means ssl used /etc/ssl/cert.pem. The
same for my dev landscape where I stored the L2 ca also in /etc/ssl/cert.pem
(without remembering that I did that once). So unfortunately dev and prod were
not 100% identical :(

But lesson learned. I have already done tons of automation (salt/git) so I will
focus more on that again (when I have the time ...).

***Also the latest bug in carp load balancing couldn't be properly detected in
this way because in a mixed setup 6.7/6.8 it worked :/

-- 
wq: ~uw



Re: ssl/libssl certificate validation broken?

2020-10-25 Thread Uwe Werler
On 22 Oct 21:49, Rafael Possamai wrote:
> >Hi Bob, it was in the middle of the night and I got quite kinda stressed
> >because all services depending on our ldap proxy stopped working after the
> >upgrade and it took me a while to figure the problem out.
> 
> Perhaps this is unsolicited advice, but maybe you can setup a test system 
> first, perform major upgrade on it to make sure everything works. If so, then 
> do it in production. 
> 

That's very good advice and I have such a setup. But unfortunately exactly
in this case this didn't work because in my dev/test landscape I have other
ssl certs (different domain name) which were stored in /etc/ssl/cert.pem :/

-- 
wq: ~uw



Re: ssl/libssl certificate validation broken?

2020-10-21 Thread Uwe Werler
On 20 Oct 20:21, Bob Beck wrote:
> On 20 Oct 21:01, Uwe Werler wrote:
> > Hi folks,
> > 
> > before opening a bug report I'll ask here because I want to make sure that I
> > have not missed something.
> 
> You should probably submit a real bug report instead of jumping to 
> conclusions on misc@

Hi Bob, it was in the middle of the night and I got quite kinda stressed
because all services depending on our ldap proxy stopped working after the
upgrade and it took me a while to figure the problem out. But as in 99.9% of
the cases I wanted to be sure that the problem sits not between screen and
keyboard because I missed or misconfigured something.

Will open a proper bug report now.

> 
> > 
> > With the upgrade to 6.8 my cert validation seems to be broken because the
> > hashed certs in /etc/ssl/certs are not honored anymore. I usually stored our
> > L1 and L2 ca certs in /etc/ssl/certs and hashed them with "openssl 
> > certhash".
> > That worked for all my machines until 6.7 but broke with 6.8. Adding the ca
> > certs to /etc/ssl/cert.pem works.
> > 
> > Did I miss something? I guess something changed during k2k20 in "certificate
> > chain validation in libcrypto"?
> > 
> > Thanks and with kind regards.
> > 
> > Uwe
> > 
> ...
> >Mmh, it seems to me that libssl is broken. After the upgrade to 6.8 my
> >openldap proxies were screwed too. I configured explicitly
> >
> >olcTLSCACertificatePath: /etc/ssl/certs
> >
> >But that broke so I had to change to:
> 
> "Broke".. how?

The certificate chain can't be verified anymore so ldap connections (server -
server and client - server) can't be established anymore.

> 
> 
> >olcTLSCACertificateFile: /etc/ssl/cert.pem
> >
> >... and I had to change also /etc/openldap/ldap.conf from:
> >
> >TLS_CACERTDIR /etc/ssl/certs
> >
> >to
> >
> >TLS_CACERT /etc/ssl/cert.pem
> >
> >to keep syncrepl running.
> 
> You are a little bit thin on details here. The changes in the validator
> should not affect the loading of your certificates. 

slapd acts as an ldap client for syncrepl to work and is therefore
configured via /etc/openldap/ldap.conf. But because the validation stopped
working, syncrepl also stopped working.

> 
> Are you using openldap from packages or something else?

Yes, always from ports.

> 
> So please pass on some details and perhaps a succinct way to reproduce
> and include the error messages you see. Probably as a real bug report
> instead of misc discussions.
> 

Yes, I'm opening a bug report now.

mbk Uwe



Re: CARP load balancing problems under KVM

2020-10-21 Thread Uwe Werler
On 21 Oct 07:12, Carlos Lopez wrote:
> Hi all,
> 
> Before upgrading from OpenBSD 6.7 to OpenBSD 6.8, my pair of firewalls was
> using carp in IP balance mode without problems for several months. These
> firewalls are installed on a RHEL 8.2 (fully patched) KVM host.
> 
> After upgrading to OpenBSD 6.8, carp ip balance mode doesn't work. I have
> tested reconfiguring balance mode for ip-stealth and ip-unicast also and the
> result is always the same: network packets are not processed by the firewalls.
> But if I configure CARP using "the simple configuration" and one node is
> master and the other is backup, everything works without problems.
> 
> Since the configuration is exactly the same for version 6.8 as it was for
> version 6.7, could there be some kind of problem with the virtio driver on
> the network interfaces in version 6.8?
> 
> Regards,
> C. L. Martinez

Hi folks,

I ran into exactly the same issue with my ldap proxy. When one node is master
for both carp nodes it responds to packets addressed to the carp ip. In load
balancing mode it sometimes responds depending on the source ip.

Please open a bug report.

-- 
wq: ~uw



Re: ssl/libssl certificate validation broken?

2020-10-20 Thread Uwe Werler
On 20 Oct 21:01, Uwe Werler wrote:
> Hi folks,
> 
> before opening a bug report I'll ask here because I want to make sure that I
> have not missed something.
> 
> With the upgrade to 6.8 my cert validation seems to be broken because the
> hashed certs in /etc/ssl/certs are not honored anymore. I usually stored our
> L1 and L2 ca certs in /etc/ssl/certs and hashed them with "openssl certhash".
> That worked for all my machines until 6.7 but broke with 6.8. Adding the ca
> certs to /etc/ssl/cert.pem works.
> 
> Did I miss something? I guess something changed during k2k20 in "certificate
> chain validation in libcrypto"?
> 
> Thanks and with kind regards.
> 
> Uwe
> 

Mmh, it seems to me that libssl is broken. After the upgrade to 6.8 my
openldap proxies were screwed too. I configured explicitly

olcTLSCACertificatePath: /etc/ssl/certs

But that broke so I had to change to:

olcTLSCACertificateFile: /etc/ssl/cert.pem

... and I had to change also /etc/openldap/ldap.conf from:

TLS_CACERTDIR /etc/ssl/certs

to

TLS_CACERT /etc/ssl/cert.pem

to keep syncrepl running.

-- wq: ~uw



ssl/libssl certificate validation broken?

2020-10-20 Thread Uwe Werler
Hi folks,

before opening a bug report I'll ask here because I want to make sure that I
have not missed something.

With the upgrade to 6.8 my cert validation seems to be broken because the
hashed certs in /etc/ssl/certs are not honored anymore. I usually stored our
L1 and L2 ca certs in /etc/ssl/certs and hashed them with "openssl certhash".
That worked for all my machines until 6.7 but broke with 6.8. Adding the ca
certs to /etc/ssl/cert.pem works.

Did I miss something? I guess something changed during k2k20 in "certificate
chain validation in libcrypto"?

Thanks and with kind regards.

Uwe



Re: iwm0: fatal firmware error on Dell Latitude E5570

2020-09-24 Thread Uwe Werler
On 24 Sep 12:24, Jan Stary wrote:
> On Sep 24 11:36:24, h...@stare.cz wrote:
> > This is 6.8-beta/amd64 on a Dell Latitude E5570 (dmesg below).
> > iwm stopped working, saying
> > 
> > iwm0: hw rev 0x200, fw ver 34.0.1, address e4:a4:71:40:21:08
> > iwm0: fatal firmware error
> > iwm0: could not remove MAC context (error 35)
> > iwm0: fatal firmware error
> > iwm0: could not remove MAC context (error 35)
> > iwm0: fatal firmware error
> > iwm0: could not remove MAC context (error 35)
> > [etc]
> > 
> > This is after sysupgrade and a fw_update.
> > Is anyone seeing the same?
> > 
> > Last changes to sys/dev/pci/*iwm* are months ago,
> > and I have seen it work this week ...
> 
> After recompiling current, everything works again. Note that
> it's GENERIC.MP now, as opposed to GENERIC installed by the sysupgrade.
> (Can that be related to a iwm error?)
> 
>   Jan
> 

Hi Jan,

I have a similar problem when using sysupgrade on a Dell 7400 and on one Dell
7280 - the installer switches to bsd.sp. I tried to debug that but when I boot
into the ramdisk it properly detects an MP cpu. Checked that several times. I have
another 7280 with exactly the same config (dd'ed the hd) where it doesn't
happen. That's strange.

-- 
wq: ~uw



Re: ideas needed for password management

2020-09-24 Thread Uwe Werler
On 24 Sep 10:55, Uwe Werler wrote:
> On 23 Sep 20:52, Hakan E. Duran wrote:
> > Dear all,
> > 
> > I set up a simple mail server on OpenBSD on a VPS, based on OpenSMTP and 
> > Dovecot. The users will be the Unix users on the VPS for simplicity. 
> > However, I now have the problem of allowing users setting and modifying 
> > their own passwords (perhaps even their usernames) without giving them ssh 
> > access to the host. I don't have technical background and training for this 
> > type of work; however, I love doing this, please be gentle with me. The 
> > mail server is a hobby that is intended for family and a few friends, and 
> > is not mission critical.
> > 
> > I thought something like Webmin could work for this purpose, but without 
> > root access of course. However, I am not sure if such a tool exists. Any 
> > other ideas are welcome.
> > 
> > Thank you so much in advance for your suggestions.
> > 
> > Hakan
> > 
> 
> Hi Hakan,
> 
> I had a similar problem which I solved with Rainloop (as an app in Nextcloud)
> with the POPPASSD plugin and the local poppassd daemon (pkg_add openpoppassd).
> 
> -- 
> wq: ~uw
> 

But as Stuart suggested - I would rather use a db backend for that. I plan
myself to finally use ldapd for that. Most applications allow e.g. password
changes against ldap. In my setup I complicated things more than making it
easier. For example I separated my system user from my "virtual" user for mail
etc. That could have been done in the end simpler with ldap.

-- 
wq: ~uw



Re: ideas needed for password management

2020-09-24 Thread Uwe Werler
On 23 Sep 20:52, Hakan E. Duran wrote:
> Dear all,
> 
> I set up a simple mail server on OpenBSD on a VPS, based on OpenSMTP and 
> Dovecot. The users will be the Unix users on the VPS for simplicity. However, 
> I now have the problem of allowing users setting and modifying their own 
> passwords (perhaps even their usernames) without giving them ssh access to 
> the host. I don't have technical background and training for this type of 
> work; however, I love doing this, please be gentle with me. The mail server 
> is a hobby that is intended for family and a few friends, and is not mission 
> critical.
> 
> I thought something like Webmin could work for this purpose, but without root 
> access of course. However, I am not sure if such a tool exists. Any other 
> ideas are welcome.
> 
> Thank you so much in advance for your suggestions.
> 
> Hakan
> 

Hi Hakan,

I had a similar problem which I solved with Rainloop (as an app in Nextcloud)
with the POPPASSD plugin and the local poppassd daemon (pkg_add openpoppassd).

-- 
wq: ~uw



Re: Web based document / spreadsheet editor

2020-09-22 Thread Uwe Werler
On 22 Sep 15:37, Martin Sukany wrote:
> Hi colleagues,
> 
> I need to set up some kind of collaborative environment (rich text
> documents, basic tables) — the request is "something like google docs".
> 
> As I'm almost always working in the shell, I have to say that I'm a little
> bit lost in this area.
> 
> Could you recommend me some web-based application (ideally something which is
> "easily" deployed on OpenBSD)? If it didn't have one of the 'big
> frameworks' behind it, it would be great.
> 
> Any hints welcomed …
> 
> Thanks
> M>
> 
> 
> Kind regards
> 
> Martin Sukaný
> UNIX Engineer, Developer, DevOps specialist
> xmpp: mar...@sukany.cz
> phone: +420 776 275 713
> email: mar...@sukany.cz
> l: https://www.linkedin.com/in/martins6
> 
> 
> 

Hi Martin,

at work we have Nextcloud plus Collabora Online Development Edition. Works so
far. For the latter I used their container - it's Debian based - and run it on
KVM.

-- 
wq: ~uw



Re: Troubleshooting pf congestion

2020-09-14 Thread Uwe Werler
Without seeing a rule set what should one say? 

On 14 September 2020 at 15:19:46 GMT+00:00, Scott Reese wrote:
>Greetings:
>
>I am troubleshooting an issue: users complaining about network
>performance. The firewall is an OpenBSD 6.7 system with patches applied.
>I've traced the issue and I'm seeing the congestion counter incrementing
>on the system. The problems that we're seeing fit with what I have been
>able to find about congestion - when the firewall is congested it
>continues passing packets that match existing state entries but it will
>not create any new state entries until the congestion clears.
>
>I'm having trouble troubleshooting it beyond that point because I have
>not been able to find any additional information about what the
>congestion counter is counting. There is the information in the pfctl
>man page: "congestion: network interface queue congested", but beyond
>that I can't really find any information about exactly what network
>interface queue is congested.
>
>I'm not seeing packets being dropped, either on the switch side or the
>firewall side, that correspond with the congestion counter going up. The
>average on the congestion counter stays around 10/s, but what it's really
>doing is going up by 100-300/s for short periods and then not moving for
>longer periods.
>
>If anyone could spare a couple of sentences or share a link to a page
>detailing what state causes the system to consider itself congested, I
>would appreciate it.
>
>Thanks for your time.
>
>-Scott
>
>
>System dmesg:
>
>OpenBSD 6.7 (GENERIC.MP) #6: Thu Sep  3 14:08:18 MDT 2020
>r...@syspatch-67-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>real mem = 8386699264 (7998MB)
>avail mem = 8119902208 (7743MB)
>mpath0 at root
>scsibus0 at mpath0: 256 targets
>mainbus0 at root
>bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x7fb76000 (62 entries)
>bios0: vendor American Megatrends Inc. version "2.2" date 05/23/2018
>bios0: Supermicro X11SSL-F
>acpi0 at bios0: ACPI 5.0
>acpi0: sleep states S0 S4 S5
>acpi0: tables DSDT FACP APIC FPDT FIDT SPMI MCFG HPET LPIT SSDT SSDT
>SSDT DBGP DBG2 SSDT SSDT UEFI SSDT DMAR EINJ ERST BERT HEST
>acpi0: wakeup devices PEG0(S4) PEGP(S4) PEG1(S4) PEGP(S4) PEG2(S4)
>PEGP(S4) RP09(S4) PXSX(S4) RP10(S4) PXSX(S4) RP11(S4) PXSX(S4) RP12(S4)
>PXSX(S4) RP13(S4) PXSX(S4) [...]
>acpitimer0 at acpi0: 3579545 Hz, 24 bits
>acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
>cpu0 at mainbus0: apid 0 (boot processor)
>cpu0: Intel(R) Xeon(R) CPU E3-1280 v6 @ 3.90GHz, 3901.62 MHz, 06-9e-09
>cpu0:
>FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
>cpu0: 256KB 64b/line 8-way L2 cache
>cpu0: smt 0, core 0, package 0
>mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
>cpu0: apic clock running at 24MHz
>cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1, IBE
>cpu1 at mainbus0: apid 2 (application processor)
>cpu1: Intel(R) Xeon(R) CPU E3-1280 v6 @ 3.90GHz, 3900.01 MHz, 06-9e-09
>cpu1:
>FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
>cpu1: 256KB 64b/line 8-way L2 cache
>cpu1: smt 0, core 1, package 0
>cpu2 at mainbus0: apid 4 (application processor)
>cpu2: Intel(R) Xeon(R) CPU E3-1280 v6 @ 3.90GHz, 3900.01 MHz, 06-9e-09
>cpu2:
>FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
>cpu2: 256KB 64b/line 8-way L2 cache
>cpu2: smt 0, core 2, package 0
>cpu3 at mainbus0: apid 6 (application processor)
>cpu3: Intel(R) Xeon(R) CPU E3-1280 v6 @ 3.90GHz, 3900.01 MHz, 06-9e-09
>cpu3:

Re: Cleaning system's old libraries/files after update to next -release or -current

2020-07-15 Thread Uwe Werler
On 14 Jul 15:44, Stuart Henderson wrote:
> On 2020-07-14, Christian Weisgerber  wrote:
> > Old versions of libraries are innocuous.  They will simply be
> > ignored.
> 
> Until you run out of disk space, which is fairly easy in /usr if you
> installed a couple of releases ago and took the auto disklabel defaults.

If that happens during upgrade I usually ^C; umount /mnt/usr/local; umount
/mnt/usr/X11R6; umount /mnt/usr; newfs what-dev-usr-is; mount what-dev-usr-is
/mnt/usr; mkdir /mnt/usr/{local,X11R6} and restart upgrade.

That happens more or less regularly on my APU but I never had any problems with
that.

-- 

Uwe



Re: How did it happen?

2020-02-01 Thread Uwe Werler



On 31 January 2020 at 18:48:51 GMT+00:00, gil...@poolp.org wrote:
>January 30, 2020 4:44 PM, gil...@poolp.org wrote:
>
>> It depends on your configuration, not all setups are vulnerable.
>> 
>> I think I recall your name from the comments on my tutorial and this
>> is a setup that would not be vulnerable for example. The bug still
>> exists, but it can't be used to exploit the same code path.
>> 
>> You should update, this is not something you want to rely on.
>> 
>> I'm writing a _very_ detailed post-mortem which will go into the
>> details, I just want to give it a few days to make sure it is as
>> informative as it should.
>> 
>
>
>As promised, I have written a (too much ?) detailed write-up about the
>recent event:
>
>https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/
>
>Hope it clarifies what happened and plans for the future.
>
>Gilles

Thank you very much Gilles for the insights.

It's not really your fault because it's how our brain works. If we want to get
things working we concentrate on getting them working - not on how to break
them. It's amazing that the code worked as "intended" - that means you are a
very good dev. Logical fallacies hit us every day - we are human.

I would give +1 to not to deliver mails directly to root.


Re: ksh complete_command for commands with "-" in name

2020-01-17 Thread Uwe Werler
On 18 Jan 00:27, Andreas Kusalananda Kähäri wrote:
> On Fri, Jan 17, 2020 at 10:41:30PM +0000, Uwe Werler wrote:
> > On 17 Jan 22:32, Ottavio Caruso wrote:
> > > On Fri, 17 Jan 2020 at 22:03, Uwe Werler  wrote:
> > > >
> > > > Hi misc,
> > > >
> > > > I use heavily the feature to set command completion in ksh. Unfortunately
> > > > this doesn't work for commands with "-" (like ssh-add, salt-call etc.) in
> > > > command name because the parameter name for the array is invalid.
> > > 
> > > I'm not sure if I'm getting what you're saying. I have a barebone
> > > plain-vanilla OpenBSD 6.6 installation and I have ksh as my login
> > > shell. I can do command and file completion with [TAB] on any commands
> > > with a hyphen (pkg-config, ssh-add, ssh-agent, ssh-keygen, ssh-keyscan
> > > and so on).
> > 
> > From man 1 ksh:
> > 
> >  Custom completions may be configured by creating an array named
> >  ‘complete_command’, optionally suffixed with an argument number
> >  to complete only for a single argument.  So defining an array
> >  named ‘complete_kill’ provides possible completions for any
> >  argument to the kill(1) command, but ‘complete_kill_1’ only
> >  completes the first argument.  For example, the following command
> >  makes ksh offer a selection of signal names for the first
> >  makes ksh offer a selection of signal names for the first
> >  argument to kill(1):
> > 
> >set -A complete_kill_1 -- -9 -HUP -INFO -KILL -TERM
> > 
> > This of course can't work for commands with a hyphen because the parameter name
> > of the array is then invalid.
> > 
> > Uwe
> 
> A somewhat ugly workaround would be to define aliases for the commands
> that you want to install these completions for.  The aliases would have
> no dashes in their names.
> 
>   alias ssh_add=ssh-add
>   set -A complete_ssh_add_1 -- -D -l -L -v

Yeah, that's what I came up with too.



Re: ksh complete_command for commands with "-" in name

2020-01-17 Thread Uwe Werler
On 17 Jan 22:32, Ottavio Caruso wrote:
> On Fri, 17 Jan 2020 at 22:03, Uwe Werler  wrote:
> >
> > Hi misc,
> >
> > I use heavily the feature to set command completion in ksh. Unfortunately
> > this doesn't work for commands with "-" (like ssh-add, salt-call etc.) in
> > command name because the parameter name for the array is invalid.
> 
> I'm not sure if I'm getting what you're saying. I have a barebone
> plain-vanilla OpenBSD 6.6 installation and I have ksh as my login
> shell. I can do command and file completion with [TAB] on any commands
> with a hyphen (pkg-config, ssh-add, ssh-agent, ssh-keygen, ssh-keyscan
> and so on).

From man 1 ksh:

 Custom completions may be configured by creating an array named
 ‘complete_command’, optionally suffixed with an argument number
 to complete only for a single argument.  So defining an array
 named ‘complete_kill’ provides possible completions for any
 argument to the kill(1) command, but ‘complete_kill_1’ only
 completes the first argument.  For example, the following command
 makes ksh offer a selection of signal names for the first
 argument to kill(1):

   set -A complete_kill_1 -- -9 -HUP -INFO -KILL -TERM

This of course can't work for commands with a hyphen because the parameter name
of the array is then invalid.

Uwe



ksh complete_command for commands with "-" in name

2020-01-17 Thread Uwe Werler
Hi misc,

I use heavily the feature to set command completion in ksh. Unfortunately this 
doesn't work for commands with "-" (like ssh-add, salt-call etc.) in command 
name because the parameter name for the array is invalid. Any idea to work 
around that or plans to allow at least "-" when parameter name starts with 
"complete_"? I'm not a developer and don't really understand the code for ksh :/

Thanks in advance.

Uwe



Re: tinc on openBSD?

2017-04-27 Thread Uwe Werler
On 27. Apr  7:51:18, Harald Dunkel wrote:
> Hi folks,
> 
> AFAICS tinc is included in the packages for 6.1, but surely
> that doesn't mean its safe to use without looking.
> 
> Are there security concerns against running tinc on an OpenBSD
> gateway as an alternative to IPsec and openvpn in a +50 road
> warriors setup? What is your impression of this tool in daily
> usage? Which VPN solution would you prefer?
> 
> 
> Every helpful comment is highly appreciated
> Harri
> 

Hi Harri,

I've been running tinc for ~2 years now as my private VPN solution, especially via
proxy out of my company from my OpenBSD VM to my OpenBSD router. It runs like a
charm. It's much easier to configure than e.g. OpenVPN. There are already
some networks running with tinc, e.g. https://dn42.net/Home.

Regards Uwe

-- 



Re: tmux, option allow-rename off allows renaming

2017-03-17 Thread Uwe Werler
That's exactly the reason why I wrote this little wrapper script:

https://github.com/uwerler/tmux_ssh


On 17 March 2017 12:12:52 CET, "Andreas Kusalananda Kähäri"
wrote:
>Hi,
>
>I'm doing some development on a Linux machine over SSH from a tmux
>shell
>session.
>
>Whenever I log into the Linux host, it renames the current tmux window
>(what's displayed to the right at the bottom) to "user@host /path"
>(with
>those words replaced by the actual user etc.).
>
>This window name stays around even after I log out of the Linux host,
>which is annoying.
>
>This happens even though I have the following in my .tmux.conf file:
>
>set-window-option -g allow-rename off
>set-window-option -g automatic-rename off
>
>I'm running OpenBSD-current (updated weekly) on amd64.
>
>How may I disallow the renaming of the tmux window?
>
>
>Regards,
>Kusalananda
>



Re: APCu/Memcached/Redis - OwnCloud/Nextcloud memory caching - which OpenBSD package?

2017-02-27 Thread Uwe Werler
On 27 February 2017 17:09, "Florian Viehweger" wrote:
> Hey,
> 
>> I use php56 and nginx from ports. Any other idea?
> 
> try to upgrade to PHP 7. I've experienced a significant performance
> improvement, albeit on Arch Linux.
> 
> --
> greetings,
> 
> Florian Viehweger

Mmh, but there's no redis package for php7 yet.



Re: APCu/Memcached/Redis - OwnCloud/Nextcloud memory caching - which OpenBSD package?

2017-02-27 Thread Uwe Werler
> make sure your SQL encoding is set to unicode/UTF8, I recently did a fresh
> install and the encoding ended up as SQL_ASCII and performance was abysmal.
> Switching to UTF-8 and performance was as expected. (this was with postgresql)

Mmh, I checked my mysql settings and they are still utf8 - and I have really
poor performance anyway. On the same machine tine20 is also running much
faster. For caching I use redis (also for tine20) and tried all the
performance tips from owncloud/nextcloud. I use php56 and nginx from ports.
Any other idea?



httpd rewrite

2017-02-02 Thread Uwe Werler
Hello guys,

I'm trying to move from nginx to httpd, but I have a problem with a rewrite. I'm
trying to translate this nginx rule:

rewrite ^/Microsoft-Server-ActiveSync?(.*)$ /tine20/index.php?frontend=activesync$1;

to httpd:

location "/Microsoft-Server-ActiveSync" {
block return 302 "/tine20/index.php?frontend=activesync$QUERY_STRING"
}

The redirect seems to work - but no auth takes place.

Is what I'm trying to do generally possible? And if yes - what am I missing?

The output doesn't look bad at first glance:

webtest.local 192.168.176.12 - - [03/Feb/2017:01:01:01 +0100] "POST /Microsoft-Server-ActiveSync?Cmd=Sync%26User=USER%26DeviceId=DEVICEID%26DeviceType=SAMSUNGSMG930F HTTP/1.1" 302 0
server webtest.local, client 64 (3 active), 192.168.176.12:60819 -> 192.168.177.100:443, /tine20/index.php?frontend=activesyncCmd=Sync%26User=USER%26DeviceId=DEVICEID%26DeviceType=SAMSUNGSMG930F (302 Found)
webtest.local 192.168.176.12 - - [03/Feb/2017:01:01:02 +0100] "GET /tine20/index.php?frontend=activesyncCmd=Sync%2526User=USER%2526DeviceId=DEVICEID%2526DeviceType=SAMSUNGSMG930F HTTP/1.1" 200 0

Thanks in advance.

Uwe



Re: spreed server

2017-01-18 Thread Uwe Werler
Hi Stephen, did You get the spreed server built?






Re: rdomain incompatible with NSD ? (OpenBSD 6)

2016-09-03 Thread Uwe Werler
You have to start nsd in rdomain 1.



 Original message 
From: Bob Jones
Date: 03.09.16 20:13 (GMT+01:00)
To: misc@openbsd.org
Subject: rdomain incompatible with NSD ? (OpenBSD 6)




Re: DigitalOcean and OpenBSD

2016-08-25 Thread Uwe Werler
On 25. Aug 12:02:37, Daniel Winters wrote:
> Hi,
> 
> > Hetzner customer here. Hetzner doesn't support OpenBSD natively. The
> > only instructions I could find are kind of dated, in German, seem to
> > apply only to dedicated servers (as opposed to VMs), and overall look
> > like a giant hack. Anyone had luck getting things running recently?
> 
> I have a VM at Hetzner running amd64 current flawlessly as my mail/web
> server since 2013 on what Hetzner calls a VQ7 vServer. I dd'ed a basic
> OpenBSD file system image on the disc via the Debian rescue system,
> worked like a charm.
> 
> I recently got a new CX10 VM as well, but current will hang after a few
> minutes, this seems to be related to virtio disc(?) drivers that are
> used in the newer VMs. FreeBSD runs flawlessly on this and I did not
> have time to investigate this yet.
> 
> So long story cut short, Hetzner is a good choice for hosting, but their
> current VM offerings seem to be incompatible with OpenBSD amd64 current
> + 5.9, this can probably be fixed though.

I also have several VMs running at Hetzner. Now they offer a rescue boot with
OpenBSD 5.9 too. It's quite easy to install a new machine now. And a big plus
is their support.



ksh, PS1 and PWD

2016-08-03 Thread Uwe Werler
Hello list,

maybe this can be done better (~/.kshrc):

_pwd(){

  local _len="25"

  local _sym="/<.."

  [[ ${PWD} == ${HOME}* ]] && { PWD="~${PWD#${HOME}}"; _sym="~${_sym#/}"; }

  # keep only the right-most $_len characters and cut at the first slash
  [[ ${#PWD} -gt $_len ]] && { typeset -R"$_len" _pwd=$PWD; PWD="${_sym}/${_pwd#*/}"; }

  print $PWD
}

PS1='\h:$(_pwd)\\$ '

Any hints?

Thanks in advance.

-- 



Re: PF and interface changing IP

2016-05-12 Thread Uwe Werler
pass in on pppoe0 inet proto tcp to (pppoe0) port ssh keep state


 Original message 
From: Gabriele Tozzi
Date: 12.05.2016 09:45 (GMT+01:00)
To: misc@openbsd.org
Subject: PF and interface changing IP



Re: openbsd vs freebsd NAT performance

2016-04-19 Thread Uwe Werler
On 16. Apr  5:10:56, bluesun08 wrote:
> Hi,
> 
> Besides OpenBSD 5.8, I installed FreeBSD 10.3 on my router PC. For routing I
> use pf.
> I noticed that the routing/NAT performance is noticeably higher in FreeBSD
> than in OpenBSD. I think that is due to the SMP support of pf in FreeBSD.
> 
> Is there also a SMP support (intended) in OpenBSD?
> 
> Regards
> 
> Alex
> 
> 
> 
> 

https://calomel.org/network_performance.html

-- 



Re: LibreNMS chroot issues

2015-12-27 Thread Uwe Werler
Why not point the socket into the chroot?




 Original message 
From: Ax0n
Date: 27.12.2015 18:58 (GMT+01:00)
To: cou...@gmail.com, punoseva...@gmail.com
Cc: misc@openbsd.org
Subject: Re: LibreNMS chroot issues



Re: Highest Speed Network Packet Generator?

2015-12-26 Thread Uwe Werler
tcpbench in base or iperf from ports.


 Original message 
From: Mohammad BadieZadegan
Date: 26.12.2015 09:15 (GMT+01:00)
To: misc@openbsd.org
Cc:
Subject: Highest Speed Network Packet Generator?



resize crypto raid

2015-12-21 Thread Uwe Werler
Hello list,

is it currently possible to resize/increase a crypto raid somehow? I tested it
with a virtual disk image via vnconfig - created an image file, attached it
via vnconfig, created a raid partition and configured a raid with crypto
discipline. Later I increased the image and adapted the partition size at the
vnd image. Softraid starts properly but still with the old size - disk
boundaries didn't change either.

Background: I'm thinking about full disk encryption for my virtual machine.
Later on I might have the disk size increased by my cloud provider.

Any hints? Any ideas?

Thanks in advance!

Regards Uwe



Re: resize crypto raid

2015-12-21 Thread Uwe Werler
Hello Karel,

that's exactly what I guessed :(

Mmh, any idea how this could be dealt with using crypto raid and something like ccd?

Regards Uwe

On 21. Dec 22:58:27, Karel Gardas wrote:
> Hello Uwe,
> 
> IIRC softraid0 also saves disk size as a part of its metadata. I'm not
> sure if metadata gets updated when you change just partition/disklabel
> size, but I would not expect it.
> 
> On Mon, Dec 21, 2015 at 10:49 PM, Uwe Werler <uwe.wer...@retiolum.eu> wrote:
> > Hello Ted,
> >
> > this is exactly my problem - I can't change the disk boundaries at the
> > softraid disk. I tried it with saving the disklabel of softraid0/sd0 and
> > editing it manually - with no success. Any ideas?
> >
> > Regards Uwe
> >
> > On 21. Dec 16:05:28, Ted Unangst wrote:
> >> Uwe Werler wrote:
> >> > Hello list,
> >> >
> >> > is it currently possible to resize/increase a crypto raid somehow? I tested it
> >> > with a virtual disk image via vnconfig - created an image file, attached it
> >> > via vnconfig, created a raid partition and configured a raid with crypto
> >> > discipline. Later I increased the image and adapted the partition size at the
> >> > vnd image. Softraid starts properly but still with the old size - disk
> >> > boundaries didn't change either.
> >>
> >> run disklabel on the softraid disk, use 'b' to change the area.
> >
> > --
> 

-- 



Re: resize crypto raid

2015-12-21 Thread Uwe Werler
Hello Ted,

this is exactly my problem - I can't change the disk boundaries at the
softraid disk. I tried it with saving the disklabel of softraid0/sd0 and
editing it manually - with no success. Any ideas?

Regards Uwe

On 21. Dec 16:05:28, Ted Unangst wrote:
> Uwe Werler wrote:
> > Hello list,
> > 
> > is it currently possible to resize/increase a crypto raid somehow? I tested it
> > with a virtual disk image via vnconfig - created an image file, attached it
> > via vnconfig, created a raid partition and configured a raid with crypto
> > discipline. Later I increased the image and adapted the partition size at the
> > vnd image. Softraid starts properly but still with the old size - disk
> > boundaries didn't change either.
> 
> run disklabel on the softraid disk, use 'b' to change the area.

-- 



Re: Playing with rdomains and bridge on 5.8 and current

2015-12-17 Thread Uwe Werler
Take a look at pair(4).

On 17. Dec 12:19:42, Claer wrote:
> Hello,
> 
> I'm trying a "strange" setup with rdomains, bridge and vether.  As there is
> something I don't understand, I'd like to know if the behavior is normal or if
> it is an issue. This is not a production system, just experimentations.
> 
> Here is what I'm trying to do. With 1 NIC connected to a "physical" network, I
> wish to have several rdomains connected to the same uplink VLAN.
> As this uplink VLAN provides DHCP, it facilitates the configuration.
> 
> When everything is up, I can ping the default router from either rdomain but I
> can't ping rdomain 1 from rdomain 2 or vice versa. Arp is failing to resolve
> the IP addresses even though the arp packet is received on the vether interface.
> With 2 NICs, the communication succeeds.
> 
> The results are the same with 5.8 and current (snapshot downloaded yesterday)
> 
> Here is the setup :
> 
> 1/ configure the interfaces
> testhost:~ # cat /etc/hostname.em0
> dhcp
> 
> testhost:~ # cat /etc/hostname.em1
> rdomain 1
> !route -T 1 exec dhclient em1
> testhost:~ #
> 
> testhost:~ # cat /etc/hostname.vether2
> rdomain 2
> !route -T 2 exec dhclient vether2
> up
> testhost:~ #
> 
> 2/ Build the bridge :
> testhost:~ # cat /etc/hostname.bridge0
> add em1
> add vether2
> up
> testhost:~ #
> 
> 3/ Verify configuration :
> testhost:~ # ifconfig bridge0
> bridge0: flags=41
> groups: bridge
> priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
> designated: id 00:00:00:00:00:00 priority 0
> em1 flags=3
> port 2 ifpriority 0 ifcost 0
> vether2 flags=3
> port 5 ifpriority 0 ifcost 0
> Addresses (max cache: 100, timeout: 240):
> 08:00:27:2c:87:f2 em1 1 flags=0<>
> 00:50:b6:67:9c:82 em1 1 flags=0<>
>   [...]
> testhost:~ # ifconfig em0
> em0: flags=8843 mtu 1500
> lladdr 08:00:27:2c:87:f2
> priority: 0
> groups: egress
> media: Ethernet autoselect (1000baseT full-duplex)
> status: active
> inet 192.168.79.39 netmask 0xff00 broadcast 192.168.79.255
> testhost:~ # ifconfig em1
> em1: flags=8b43 
> rdomain 1 mtu 1500
> lladdr 08:00:27:36:20:e8
> priority: 0
> media: Ethernet autoselect (1000baseT full-duplex)
> status: active
> inet 192.168.79.159 netmask 0xff00 broadcast 192.168.79.255
> testhost:~ # ifconfig vether2
> vether2: flags=8943 rdomain 2 
> mtu 1500
> lladdr fe:e1:ba:d0:45:3b
> priority: 0
> groups: vether
> media: Ethernet autoselect
> status: active
> inet 192.168.79.193 netmask 0xff00 broadcast 192.168.79.255
> testhost:~ # route -n show -inet
> Routing tables
> 
> Internet:
> DestinationGatewayFlags   Refs  Use   Mtu  Prio Iface
> default192.168.79.254 UGS0  788 - 8 em0
> 127/8  127.0.0.1  UGRS   00 32768 8 lo0
> 127.0.0.1  127.0.0.1  UHl00 32768 1 lo0
> 192.168.79/24  192.168.79.39  UC 412990 - 4 em0
> 192.168.79.39  08:00:27:2c:87:f2  UHLl   0   22 - 1 em0
> 192.168.79.123 70:5a:b6:af:a0:42  UHLc   1 6503 - 4 em0
> 192.168.79.159 08:00:27:36:20:e8  UHLc   011027 - 4 em0
> 192.168.79.193 fe:e1:ba:d0:45:3b  UHLc   011795 - 4 em0
> 192.168.79.254 2c:76:8a:30:2b:00  UHLc   1 1192 - 4 em0
> 192.168.79.255 192.168.79.39  UHb0 5764 - 1 em0
> 224/4  127.0.0.1  URS0  195 32768 8 lo0
> 
> testhost:~ # route -nT1 show
> Routing tables
> 
> Internet:
> DestinationGatewayFlags   Refs  Use   Mtu  Prio Iface
> default192.168.79.254 UGS0 1752 - 8 em1
> 192.168.79/24  192.168.79.159 UC 115026 - 4 em1
> 192.168.79.159 08:00:27:36:20:e8  UHLl   00 - 1 em1
> 192.168.79.254 2c:76:8a:30:2b:00  UHLc   1 1167 - 4 em1
> 192.168.79.255 192.168.79.159 UHb0  734 - 1 em1
> 
> testhost:~ # route -nT2 show
> Routing tables
> 
> Internet:
> DestinationGatewayFlags   Refs  Use   Mtu  Prio Iface
> default192.168.79.254 UGS0 2215 - 8 
> vether2
> 192.168.79/24  192.168.79.193 UC 1 5334 - 4 
> vether2
> 192.168.79.193 fe:e1:ba:d0:45:3b  UHLl   00 - 1 
> vether2
> 192.168.79.254 2c:76:8a:30:2b:00  UHLc   1  399 - 4 
> vether2
> 192.168.79.255 

Re: authentication infra structure

2015-12-10 Thread Uwe Werler
On 09. Dec 17:25:14, Friedrich Locke wrote:
> If you had about 10k users and 5k machine how would you manage
> authenticating issues? Keep in mind that this is a very heterogenous
> environment with ldap, ftp, smtp, pop3, traditional unix boxes etc 
> 

LDAP is Your friend. You can even combine OpenLDAP with saslauthd for
pass-through authentication to various other backends.

-- 



Re: Empty MFS on root

2015-12-08 Thread Uwe Werler
On 08.12.2015 16:03:14, Tati Chevron wrote:
> Currently, it's possible, (as root), to do something like:
> 
> # mount_mfs -s 1g swap /
> 
> which succeeds, and mounts the empty filesystem as the root filesystem.
> 
> This makes the machine inoperable and requires a physical reset, without a clean
> shutdown, as no system binaries are available.
> 
> Shouldn't we make mount_mfs error out in this case?
> 
> -- 
> Tati Chevron
> Perl and FORTRAN specialist.
> SWABSIT development and migration department.
> http://www.swabsit.com
> 


Hehe, You can even shut down the machine as root.
Should there be a warning too? Windoof-like? Or a bunch of questions if You're
really really sure?



Re: relayd ssl interception and certificate subject

2015-12-02 Thread Uwe Werler
On 25. Nov  8:02:17, Stuart Henderson wrote:
> On 2015-11-24, Uwe Werler <uwe.wer...@retiolum.eu> wrote:
> > Hello,
> >
> > I'm just testing ssl interception and noticed the following problem. 
> > Sometimes the Subject/Subject Alternative Name of the cert is altered with 
> > a different name than the one the original cert has:
> 
> When relayd connects to the server to find out what names to use in
> the subject/SAN, it doesn't send the requested hostname (SNI) in
> the ClientHello, so it only has the information from the server's
> "default" certificate to include in the new generated certificate.
> 
> You can see this for yourself with openssl s_client -connect hostname:443
> compared with openssl s_client -connect hostname:443 -servername hostname.
> 

Hello Stuart,

thanks! Ok, got it.

Only for my understanding: is there a reason (probably security related?) for
not using the host name from ClientHello in relayd for fetching the target
cert?

And if not - is it planned to implement it in relayd?

Thanks in advance!

Regards Uwe
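
As an added example (not code from the thread or from relayd), a small Python check that makes the difference Stuart describes visible: it fetches a server's certificate once without SNI, as relayd does when it looks up the upstream certificate, and once with SNI, and reports which names the SNI-less fetch loses. The host names and certificate dictionaries embedded in the block are constructed from the names in this thread, so the offline run needs no network.

```python
"""Compare the names a TLS server presents with and without SNI.

Added example for the thread above (not relayd code): a relayd that fetches
the upstream certificate without SNI copies the names of the server's
default certificate, so names that only appear in the SNI-selected
certificate are missing from the generated one.
"""
import socket
import ssl


def san_dns_names(cert):
    """DNS names from the subjectAltName of a getpeercert() dictionary."""
    return sorted({v for k, v in cert.get("subjectAltName", ()) if k == "DNS"})


def name_matches(pattern, host):
    """Match host against a certificate name. Only a leading '*.' wildcard
    is honoured and it covers exactly one label, as browsers do."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def covered(host, cert):
    """True if some SAN DNS name of cert matches host."""
    return any(name_matches(n, host) for n in san_dns_names(cert))


def names_lost_without_sni(host, default_cert, sni_cert):
    """Return (names present only in the SNI certificate, whether the
    requested host is still covered by the default certificate)."""
    lost = sorted(set(san_dns_names(sni_cert)) - set(san_dns_names(default_cert)))
    return lost, covered(host, default_cert)


def fetch_cert(host, port=443, sni=None, timeout=5.0):
    """Fetch the certificate the server presents (needs network access).

    sni=None sends a ClientHello without SNI, the relayd behaviour described
    above; sni=host is what a browser does. Chain verification stays on so
    that getpeercert() is populated; only the hostname check is disabled,
    because a name mismatch is exactly what we want to observe.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()


# Constructed sample data modelled on the thread: the default certificate
# carries blog.b1-systems.de, the SNI certificate carries www.b1-systems.de.
DEFAULT_CERT = {
    "subject": ((("commonName", "blog.b1-systems.de"),),),
    "subjectAltName": (("DNS", "blog.b1-systems.de"), ("DNS", "b1-systems.de")),
}
SNI_CERT = {
    "subject": ((("commonName", "www.b1-systems.de"),),),
    "subjectAltName": (("DNS", "www.b1-systems.de"), ("DNS", "b1-systems.de")),
}

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # live check: python3 script.py www.example.org
        host = sys.argv[1]
        default_cert, sni_cert = fetch_cert(host), fetch_cert(host, sni=host)
    else:
        host = "www.b1-systems.de"
        default_cert, sni_cert = DEFAULT_CERT, SNI_CERT
    lost, ok = names_lost_without_sni(host, default_cert, sni_cert)
    print("names only present with SNI:", lost)
    print("requested host covered without SNI:", ok)
```

Run without arguments it replays the constructed case from this thread; with a host name it performs the two live fetches, the same comparison as openssl s_client with and without -servername.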



Re: relayd ssl interception and certificate subject

2015-11-26 Thread Uwe Werler
Thank You very much for the explanation Stuart!

I'll check this.

On 25. Nov  8:02:17, Stuart Henderson wrote:
> On 2015-11-24, Uwe Werler <uwe.wer...@retiolum.eu> wrote:
> > Hello,
> >
> > I'm just testing ssl interception and noticed the following problem. 
> > Sometimes the Subject/Subject Alternative Name of the cert is altered with 
> > a different name than the one the original cert has:
> 
> When relayd connects to the server to find out what names to use in
> the subject/SAN, it doesn't send the requested hostname (SNI) in
> the ClientHello, so it only has the information from the server's
> "default" certificate to include in the new generated certificate.
> 
> You can see this for yourself with openssl s_client -connect hostname:443
> compared with openssl s_client -connect hostname:443 -servername hostname.
> 

-- 



Re: TLS intercepting proxy [MitM]

2015-11-24 Thread Uwe Werler
On 24.11.2015 14:52:58, Jiri B wrote:
> > With a little bit of pf magic this works like this:
> > pass out log on $ext_if proto tcp to any port 443 route-to lo0
> > pass out log on $ext_if proto tcp to any port 443 user _relayd
> > pass in log on lo0 proto tcp to any port 443 divert-to 127.0.0.1 port 8443
> 
> Have you actually tested this? The traffic source is the
> box itself, don't forget, thus not forwarding between two
> ifaces.
> 

Yep, 'cause I tested relayd from within my box itself.



relayd ssl interception and certificate subject

2015-11-24 Thread Uwe Werler
Hello,

I'm just testing ssl interception and noticed the following problem. Sometimes 
the Subject/Subject Alternative Name of the cert is altered with a different 
name than the one the original cert has:

The faked cert:

#

X.509 Certificate Information:
Version: 3
Serial Number (hex): 051f332aed0c96
Issuer: 
C=DE,ST=Saxony,L=Dresden,O=Retiolum,OU=WEB,CN=SUB_CA,EMAIL=uwe.wer...@retiolum.eu
Validity:
Not Before: Wed Jan 28 03:58:40 UTC 2015
Not After: Fri Jan 29 14:31:49 UTC 2016
Subject: C=DE,CN=blog.b1-systems.de,EMAIL=postmas...@b1-systems.de
Subject Public Key Algorithm: RSA
Algorithm Security Level: High (4096 bits)

...

Extensions:
Basic Constraints (not critical):
Certificate Authority (CA): FALSE
Key Usage (not critical):
Digital signature.
Key encipherment.
Key agreement.
Key Purpose (not critical):
TLS WWW Server.
Subject Key Identifier (not critical):
47c3adafb6c9b8d26507975d444b07c30a85f020
Authority Key Identifier (not critical):
eb4234d098b0ab9ff41b6b08f7cc642eef0e2c45
Subject Alternative Name (not critical):
--> DNSname: blog.b1-systems.de
--> DNSname: b1-systems.de
Certificate Policies (not critical):
2.23.140.1.2.1
1.3.6.1.4.1.23223.1.2.3
URI: http://www.startssl.com/policy.pdf
Note: This certificate was issued according to the Class 1 
Validation requirements of the StartCom CA policy, reliance only for the 
intended purpose in compliance of the relying party obligations.
CRL Distribution points (not critical):
URI: http://crl.startssl.com/crt1-crl.crl
Authority Information Access (not critical):
Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
Access Location URI: http://ocsp.startssl.com/sub/class1/server/ca
Access Method: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
Access Location URI: 
http://aia.startssl.com/certs/sub.class1.server.ca.crt
Issuer Alternative Name (not critical):
URI: http://www.startssl.com/
Signature Algorithm: RSA-SHA1
#

The original cert:

X.509 Certificate Information:
Version: 3
Serial Number (hex): 0813002129d4f6
Issuer: C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate 
Signing,CN=StartCom Class 2 Primary Intermediate Server CA
Validity:
Not Before: Thu Sep 24 15:20:33 UTC 2015
Not After: Sun Sep 24 23:00:39 UTC 2017
Subject: C=DE,ST=Bayern,L=Vohburg,O=B1 Systems 
GmbH,CN=www.b1-systems.de,EMAIL=postmas...@b1-systems.de
Subject Public Key Algorithm: RSA
Algorithm Security Level: High (4096 bits)
Modulus (bits 4096):

...

Extensions:
Basic Constraints (not critical):
Certificate Authority (CA): FALSE
Key Usage (not critical):
Digital signature.
Key encipherment.
Key agreement.
Key Purpose (not critical):
TLS WWW Client.
TLS WWW Server.
Subject Key Identifier (not critical):
2c6fafda29839f35c51c0ccde681e036168b10a9
Authority Key Identifier (not critical):
11db2345fd54cc6a716f848a03d7bef7012f2686
Subject Alternative Name (not critical):
--> DNSname: www.b1-systems.de
--> DNSname: b1-systems.de
Certificate Policies (not critical):
2.23.140.1.2.2
1.3.6.1.4.1.23223.1.2.3
URI: http://www.startssl.com/policy.pdf
Note: This certificate was issued according to the Class 2 
Validation requirements of the StartCom CA policy, reliance only for the 
intended purpose in compliance of the relying party obligations.
CRL Distribution points (not critical):
URI: http://crl.startssl.com/crt2-crl.crl
Authority Information Access (not critical):
Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
Access Location URI: http://ocsp.startssl.com/sub/class2/server/ca
Access Method: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
Access Location URI: 
http://aia.startssl.com/certs/sub.class2.server.ca.crt
Issuer Alternative Name (not critical):
URI: http://www.startssl.com/
Signature Algorithm: RSA-SHA256
#

In this case the DNS name www.b1-systems.de is removed from the cert, which leads
to an error message in the web browser.

apu01$ dig @8.8.8.8 +short www.b1-systems.de
b1-systems.de.
84.200.69.202
apu01$ dig @8.8.8.8 +short blog.b1-systems.de
spacelords.systems.b1-systems.de.
84.200.69.202
apu01$ dig 

Re: TLS intercepting proxy [MitM]

2015-11-24 Thread Uwe Werler
On 24.11.2015 14:17:41, Lampshade wrote:
> Ok, I know that relayd can decrypt traffic, then log, then encrypt. The thing is that I want to
> send decrypted traffic to another process (privoxy), and then re-encrypt it.
> I have also problem with Reyk's config because I can not divert outgoing
> traffic using pf.
> I have tried with rdr-to and nat-to, but it removes destination IP address in packets.
> I want to intercept and alter traffic on the same box that I run Firefox.
> Is this possible using pf and relayd or I must use something else?
> 


With a little bit of pf magic this works like this:

pass out log on $ext_if proto tcp to any port 443 route-to lo0
pass out log on $ext_if proto tcp to any port 443 user _relayd
pass in log on lo0 proto tcp to any port 443 divert-to 127.0.0.1 port 8443



Kerberos disabled in SSH now?

2013-07-29 Thread Uwe Werler
Kerberos is disabled per default in SSH now?

Revision 1.60: download - view: text, markup, annotated - select for diffs
Wed Jun 19 05:27:06 2013 UTC (5 weeks, 5 days ago) by deraadt
Branches: MAIN
Diff to: previous 1.59: preferred, coloured
Changes since revision 1.59: +2 -1 lines

stop doing kerberos in ssh and sshd
the code bloat makes that no longer trustworthy functionality
ok guenther

Any plans to enable it again?



Re: Internet Connection - Load Balancing and Failover

2012-11-13 Thread Uwe Werler
-Original Message-
To: OpenBSD-misc list misc@openbsd.org;
From: Imre Oolberg i...@auul.pri.ee
Sent: Tue 13.11.2012 09:05
Subject: Re: Internet Connection - Load Balancing and Failover
 On 11/13/12 08:57, Tomas Bodzar wrote:
  On Mon, Nov 12, 2012 at 11:09 PM, Walter Netowsouz...@gmail.com  wrote:
  Hello guys,
 
  I have two internet connections, and I want to make load balancing and
  failover service, I had read about pf load balancing and multi-path route,
  what is the difference between them.
 
  Which is the better to use in my scenario?
 
  And for failover, the best solution is ifstated(8)?
 
  One of the possible approaches, but maybe easier for you will be
  
  http://www.openbsd.org/cgi-bin/man.cgi?query=trunk&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html
 
 I have been under impression that man trunk is for L2 redundancy. Could 
 you elaborate how it would help to load balance and fail over between 
 two different ISPs uplinks (one link per isp, i assume they have 
 different ip configurations)?
 
 
 Imre
 
 
 
 
  thanks in advance.
 
  Walter Neto
 
 

Hi Imre,

take a look at the router section of relayd.conf: 
http://www.openbsd.org/cgi-bin/man.cgi?query=relayd.conf&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

Regards Uwe



Re: Ipsec tunnel between 2 sites with same network addressing

2010-02-15 Thread Uwe Werler
-Original Message-
From: open...@e-solutions.re
Sent: Mon 15.02.2010 09:15
To: misc@openbsd.org;
Subject: Ipsec tunnel between 2 sites with same network addressing

 Hi,

 It is very simple to do a tunnel ipsec with 2 sites when they have
 different network addressing.
 But if site A use this : 192.168.0.0/24 and Site B use the same address,
 how can we do ipsec tunnel ?
 I suppose, we need to use binat rules in pf.conf... I don't understand how
 to build that. If someone can explain me ...
 Thank's



http://undeadly.org/cgi?action=article&sid=20090127205841



Re: Maximizing File/Network I/O

2010-01-08 Thread Uwe Werler
 * Iñigo Ortiz de Urbina tarom...@gmail.com [2010-01-05 11:24]:
 On Tue, Jan 5, 2010 at 9:13 AM, Tomas Bodzar tomas.bod...@gmail.com
 wrote:

  There is much more to do. You can find some ideas eg. here
  http://www.openbsd.org/papers/tuning-openbsd.ps . It's good idea to
  follow outputs of systat, vmstat and top for some time to find
  bottlenecks.
 
 
 I recall a message in misc (which I am not able to find on the archives)
 about someone posting here the results of his research on optimizing and
 improving OpenBSD overall performance (fs, network, etc).

 Among the links he posted on his comprehensive compilation, he sent
 tuning-openbsd.ps.

 I'm one of the two authors of this paper.
 ignore it. it is obsolete.

 I remember one reply of a developer stating that some of those tuning
 measures are not needed anymore as OpenBSD has grown quite a bit since
that
 time. Which are the recommended -always working- directions, then, to
tune
 a
 system for its particular needs?

 there isn't really all that much needed these days, defaults are good.
 some very specific situations benefit from some specific things, but
 usually, you are wasting time trying to tune.

 My point is we all have to be careful and not follow guides or try values
on
 sysctls blindly (although experimenting is welcome and healthy) as we can
 harm more than benefit we can get. Still, some enviroments will need
 adjustment to push much more traffic than GENERIC can, and this is a
really
 hard task to accomplish unless you are a @henning or @claudio :)

 heh :)

 I really like the 275 - 420MBit/s change for 4.6 - current with pf.

Oh cool! Is this explained somewhere in a bit more depth? Sounds VERY
interesting.



Re: What does your environment look like?

2010-01-05 Thread Uwe Werler
On Sun, 3 Jan 2010 10:34:07 -0500
Anders Langworthy lagrang...@gmail.com wrote:

 On Sat, Jan 2, 2010 at 9:08 PM, Brynet bry...@gmail.com wrote:
  * Do you use one of the bundled window managers like
  cwm(1)/twm(1)/fvwm(1) or something else?
 
 I wasn't going to reply, but I couldn't believe that cwm hasn't
 received any love yet.   It's glorious.  Powerful keyboard control,
 neat features, and faster than you need it to be.  Its minimalism is
 elegant (and absolute) with no window decoration crud to distract or
 waste valuable pixels.  And it's in base.
 
  * Do you try to keep things uniform across other desktops?
 
 No, but net/rsync is excellent for that purpose.
 

always -current + cwm + mrxvt + tmux = all what i need. at my netbook
xfce or cwm.



rtable and pf

2009-05-07 Thread Uwe Werler
Hello list,

I have an OpenBSD 4.5 box connected to two carriers, one configured per dhcp and
the other statically.
Now I tried to change my rule set from route-to/reply-to syntax to rtable usage.

Up to now I added my statically configured gateway with route add default $GW
-mpath so the dhclient-script only adds an additional default route.

The following rule worked:

$ext1 = static configured as for $ext1_gw

pass in on $ext1 reply-to ($ext1 $ext1_gw) inet proto tcp to ($ext1) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global, pflow)

Now I moved the static gateway to routing table 1 with route -T 1 add default 
$GW and changed my
rule to:

pass in on $ext1 inet proto tcp to ($ext1) port ssh flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global, pflow) \
    rtable 1

But as soon as I make a dhclient $ext2 I can't logon via SSH to the static 
configured address so I
guess the reply packets are not routed via rtable 1.

What am I missing, or what have I misunderstood?

Thanks for Your clarification.

Regards Uwe



Re: automaticaly mount/umount encrypted $HOME or ...

2009-05-02 Thread Uwe Werler
Hi Maxim,
 
 Choosing bash was a quick solution for executing the job after I've
 logged out, e.g. how else do you umount and vnconfig -u?
 I'd like to use default ksh, but quick google-search gave me an
 answer  
 - ksh can not exec after logout.
 Here I hope someone can point me to the right direction. Using bash  
 and shells at all isn't a clean solution, but the only I have found
 at the time.

You can use something like this with ksh (.profile):

if [[ -r ~/.ksh_logout ]]; then
trap '. ~/.ksh_logout' EXIT TERM KILL
fi

Regards Uwe



Re: F5 FirePass SSL VPN on OpenBSD

2009-04-03 Thread Uwe Werler
Hi Mikolaj,

You can connect to F5 with a little bit of perl and ppp. I know a perl script
which does the magic with pppd and openssl s_client:
http://devcentral.f5.com/SDK/sslvpn.public.pl.txt
But in OpenBSD there is no pty option in pppd - that's why it would have to be
converted to use ppp.

Regards Uwe

Mikolaj Kucharski(mikolaj) wrote:
 On Fri, Apr 03, 2009 at 11:37:47AM +0100, Mikolaj Kucharski wrote:
  Hi,
  
  Anyone knows any open-source client so OpenBSD could connect to it?
 
 I'm looking for ppl who actually know how to do that, not ppl who are
 capable to read SERP without understanding the subject.
 
 I'm okay with zero replies for my question if no one has a clue. TIA.
 
 -- 
 best regards
 q#



Re: PF and CLamAV Integration - how to do it?

2009-03-19 Thread Uwe Werler
Hi Sarah,

try searching the ports tree for the different kinds of proxies:

Port:   havp-0.89
Path:   www/havp
Info:   web proxy with antivirus filter
Maint:  Giovanni Bechis g.bec...@snb.it
Index:  www
L-deps: clamav.=1::security/clamav
B-deps: :devel/gmake
R-deps:
Archs:  any

For scanning mails there are a lot of tutorials right now...

Regards Uwe

Protocol Six Consulting(contact.us) wrote:
 Hi,

 I was wondering if anyone here knows how to integrate the PF firewall  
 with ClamAV.

 I am planning on putting into production an OpenBSD firewall and would  
 like to do virus scanning at the network perimeter.
 I am definitely interested in scanning email traffic, but also possibly  
 Web and IRC (and any other traffic types that makes sense) for a group  
 of 25 people.

 Unfortunately I've not seen any real discussion or howtos for this type  
 of integration.
 I've also looked in the PF FAQ pages and in the archives of Openbsd-misc  
 or Openbsd-PF.
 Finally, the BookOfPF (which I like a lot!!) doesn't seem to touch on  
 this topic either.

 I suspect my mental picture of how PF and ClamAV work together may be  
 flawed or incomplete.
 I guess I'm assuming there is a way to have PF pass information directly  
 to ClamAV, but perhaps some middle-ware glue is necessary.

 Any pointers and/or info would be greatly appreciated by this newbie.

 Thanks and best regards,

 :-)

 Sarah
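
As an added example (not from Uwe's reply and not the havp project's own configuration), this is the glue a practitioner would set up: PF never talks to ClamAV itself; it redirects the LAN's web traffic into a transparent antivirus proxy such as www/havp, which scans each reply with ClamAV and fetches the page on the client's behalf. The interface names, the LAN prefix and the proxy port are assumptions, and havp is assumed to be configured for transparent mode on that port (its own havp.config keys are not shown). The syntax is pf.conf of the OpenBSD 4.x releases current in this thread; mail is scanned at the MTA, not at the packet filter.

```conf
# /etc/pf.conf excerpt - assumed names: em1 is the LAN side, em0 the uplink,
# 192.168.1.0/24 the LAN, havp listening transparently on 127.0.0.1:8080
int_if    = "em1"
ext_if    = "em0"
lan       = "192.168.1.0/24"
havp_port = "8080"

# hand every outbound HTTP connection from the LAN to the proxy on the
# firewall itself; "rdr pass" admits the translated packets without further
# filter evaluation, and havp scans the reply with ClamAV before the client
# sees it
rdr pass on $int_if inet proto tcp from $lan to any port www \
    -> 127.0.0.1 port $havp_port

# the proxy's own outbound fetches leave through the uplink
pass out on $ext_if inet proto tcp from ($ext_if) to any port www
```

Check with `pfctl -s nat` that the rdr rule loaded and with `pfctl -ss | grep :8080` that client connections actually land on the proxy; a client that can still fetch port 80 directly is bypassing the scanner.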



Re: Can't get relayd to work for DNS + problem with relayctl reload

2009-01-15 Thread Uwe Werler
Hello Pierre,

I noticed the same behavior on my box with current before I read this
thread. That's why I sent a bug report: 6046/system
(http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=6046).

Regards Uwe


On Wed, 14 Jan 2009 15:53:50 +0100, BARDOU Pierre bardo...@mipih.fr wrote:

 Hi,



 I tried to send a bug report with sendbug(1), but I am not very
 familiar with it.

 I hope someone will notice...



 --

 Regards,

 Pierre BARDOU



 From: uday [mailto:umoorjani@gmail.com]
 Sent: Wednesday, 14 January 2009 15:52
 To: BARDOU Pierre
 Cc: misc@openbsd.org; Nigel J. Taylor
 Subject: Re: Can't get relayd to work for DNS + problem with relayctl
 reload



 pierre,

 i'm seeing the same result with relayctl i don't know where it's
 coming from.

 um

 On Wed, Jan 14, 2009 at 8:16 AM, BARDOU Pierre bardo...@mipih.fr
 wrote:

 Shame on me, it didn't work because I allowed connections to the real
 IP (10.60.0.10x) and not to the relayd IP (10.31.33.254).

 Now it works, thanks for the help :)

 But I still have the issue I reported a few months ago: when I use
 a relay, relayctl reload fails saying "command failed".
 The relayd logs say nothing. Will I be forced to pkill relayd and
 restart it each time?

 --
 Regards,
 Pierre BARDOU

 -----Original message-----
 From: Nigel J. Taylor [mailto:njtay...@asterisk.demon.co.uk]
 Sent: Wednesday, 14 January 2009 02:22
 To: BARDOU Pierre
 Subject: Re: Can't get relayd to work for DNS

 I have this in my relayd.conf; it's just an extract, with only a pass
 rule in pf.conf. You use either relay or redirect, not both at once:
 redirect requires an anchor in pf.conf, relay doesn't.

 dns protocol dnsudp

 tcp protocol dnstcp

 relay relaydnsudp {
   protocol dnsudp
   listen on $dns_int port domain
   forward to DNSSERVERS \
   check script /usr/local/bin/dnscheck
 }

 relay relaydnstcp {
   protocol dnstcp
   listen on $dns_int port domain
   forward to DNSSERVERS \
   check script /usr/local/bin/dnscheck
 }


 dnscheck script does a dig to check dns is up

 #!/bin/ksh
 # relayd calls this with the host address as $1 and reads the exit code:
 # non-zero means the host is up, zero means it is down (relayd.conf(5)).
 dnsserver=$1
 if ping -n -c1 -w 1 "$dnsserver" >/dev/null 2>&1 && \
    dig -x "$dnsserver" @"$dnsserver" >/dev/null 2>&1
 then
   exit 1
 fi
 exit 0


 Regards

 Nigel Taylor

 BARDOU Pierre wrote:
  Hello,
 
  I am trying to setup relayd for loadbalancing on my DNS servers.
  The problem is that relayd seems to handle only TCP connections, UDP
  isn't taken into account.
  I found a known bug on openBSD 4.2, but I am using openBSD 4.4.
 
  I've tried the same setup with a relay, and still have the same
  problem.
 
  Where am I going wrong?
 
  # pfctl -a relayd/DNS -s nat
  rdr inet proto tcp from any to 10.31.33.254 port = domain
  (tcp.established 600) -> DNS port 53 round-robin
 
  # cat /etc/relayd.conf
  node1=10.60.0.101
  node2=10.60.0.102
  node3=10.60.0.103
 
  squid_int=10.31.33.254
  dns_int=10.31.33.254
 
  # Global Options
  interval 5
  log updates
  prefork 10
  timeout 1500
 
  table squid { $node1 , $node3 }
  table DNS { $node1 , $node3 }
 
  redirect squid {
  listen on $squid_int port 3128
  forward to squid mode roundrobin check tcp
  }
 
  redirect DNS {
  listen on $dns_int port 53
  forward to DNS mode roundrobin check tcp
  }
 
  Relay config :
  dns protocol dnsfilter {
 ### TCP performance options
  tcp { nodelay, sack, socket buffer 1024, backlog 1000 }
  }
 
  relay dns {
 ### listen and accept redirected connections from pf
  listen on $dns_int port 53
 
 ### apply web filters
  protocol dnsfilter
 
 ### forward to web server(s)
  forward to DNS mode roundrobin check tcp
  }
  --
  Regards,
 
  Pierre BARDOU
  CSIM - Bureau 012
 
  Midi Picardie Informatique Hospitalière
  12 rue Michel Labrousse
  BP93668
  F-31036 Toulouse CEDEX 1
 
  Tél : 05 67 31 90 84
  Fax : 05 34 61 51 00
  Mail : bardo...@mipih.fr



--


Kind regards

Uwe Werler

OB3SI
Open Source Software Solution Integration

Hosterwitzer Str. 15
D-01259 Dresden
Phone +49 351 41722902

http://www.o3si.de
mailto:i...@o3si.de

Registered office: 01259 Dresden


Re: LDAP and OpenBSD

2008-10-23 Thread Uwe Werler
On Thu, 23 Oct 2008 01:02:18 +1100, Gavin Norman [EMAIL PROTECTED] wrote:

 I attempted the steps based on your experience with ypldap.
 
 I downloaded a snapshot 2 days ago and setup a fresh install on a 
 virtual machine.
 
 However I get the following after running ypldap:
 
 # ypldap -dv
 startup [debug mode]
 configuration starting
 applying configuration
 connecting to directories
 starting directory update
 starting directory update
 updates are over, cleaning up trees now
 flattening trees
 
 I never receive the pushing lines: ... output.
 
 Here is my ypldap.conf:
 interval 60  # how many seconds between retries
 domain domain.net.au  # only one domain for now
 
 provide map passwd.byname
 provide map passwd.byuid
 provide map group.byname
 provide map group.bygid
 
 directory ldap server {
 binddn cn=Manager,dc=domain,dc=net,dc=au
 bindcred 
 basedn ou=Users,dc=domain,dc=net,dc=au
 
 passwd filter (objectClass=posixAccount)
 attribute name maps to uid
 fixed attribute passwd *
 fixed attribute class ldap
 attribute uid maps to uidNumber
 attribute gid maps to gidNumber
 attribute gecos maps to cn
 attribute home maps to homeDirectory
 attribute shell maps to loginShell
 attribute change maps to shadowLastChange
 fixed attribute expire 0
 
 group filter (objectClass=posixGroup)
 attribute groupname maps to cn
 fixed attribute grouppasswd *
 attribute groupgid maps to gidNumber
 list groupmembers maps to memberUid
 }
 
 Thanks.
 

Hi Gavin,

What does

ldapsearch -x -h <ldap server> -D "cn=Manager,dc=domain,dc=net,dc=au" -W \
    -b "ou=Users,dc=domain,dc=net,dc=au" "(objectClass=posixAccount)"

say?

Regards Uwe



Re: perl and openbsd

2008-10-15 Thread Uwe Werler
On Wed, 15 Oct 2008 09:28:06 +0200 (CEST), Holger Glaess [EMAIL PROTECTED] wrote:

 hi
 
 which option do I have to change so that perl is able to get more memory
 resources?
 
 I have a script that works completely well on linux, but under openbsd
 it starts and then perl stops working and leaves the memory.
 
 if i disable some internal modules then it works.
 
 if i look at the working script in top it allocates 4092k resident
 memory and 6216k size memory, but if i enable one more internal
 module it stops working.
 
 i don't have this problem under linux, but there the limitation is not
 so strict.
 any clue for it?
 
 holger
 

Hello Holger,

I think You have to increase stacksize-cur in /etc/login.conf for
login class default.

Regards Uwe
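
As an added example (not from Uwe's reply), a login.conf fragment that raises the limits in a dedicated class instead of editing "default" in place. stacksize-cur is the one Uwe names; perl's heap lives under datasize-cur (RLIMIT_DATA), which is usually the limit a memory-hungry script hits first, so both are raised. The class name and the sizes are assumptions:

```conf
# /etc/login.conf - a class for users that run large perl jobs; everything
# not set here is inherited from "default" via tc=.  Assign it with
# "usermod -L perlbig holger" (user name assumed); a fresh login shows the
# effect in "ulimit -d" (data) and "ulimit -s" (stack), both in kilobytes.
# Run "cap_mkdb /etc/login.conf" afterwards if /etc/login.conf.db exists.
perlbig:\
        :datasize-max=1024M:\
        :datasize-cur=1024M:\
        :stacksize-cur=32M:\
        :tc=default:
```

Keeping the raised limits in their own class means every other account still gets the tighter defaults, so a runaway process under an ordinary login cannot take the whole box with it.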



Fw: LDAP and OpenBSD

2008-10-13 Thread Uwe Werler
 On Sat, 11 Oct 2008, Uwe Werler wrote:
 
 SNIP
  2. Add a line to /etc/rc.conf
 
  ypldap_flags=
 
  3. Add lines to /etc/rc.local:
 
 or more appropriately /etc/rc.conf.local
 
 otherwise your local changes could get overwritten on a future
 upgrade.
 

Hello Diana,

You are right - it was a typo by me.

It's necessary to comment out the following lines in /etc/rc too:

snip
#if [ -d /var/yp/binding ]; then
#   # YP client capabilities needed...
#   echo -n ' ypbind';  ypbind
#fi
snip

...and add these instead to /etc/rc.local so ypbind starts AFTER ypldap
is started. If You don't ypbind hangs at system start and times out.

Regards Uwe



Re: CARP multicast and ADSL bridge

2008-10-10 Thread Uwe Werler
On Thu, 09 Oct 2008 19:45:01 -0700, Brian [EMAIL PROTECTED] wrote:

 Hello,

 After much reading of man pages, FAQs and googling, I have come up
 against a dead end. I have a dual redundant CARP setup on 2 sparc64
 boxes running 4.3, with an Ovislink OV303 ADSL bridge for internet
 connectivity. All ports are connected to the bridge with a procurve
 1800-24g semi-intelligent switch.
 The problems are that the multicast CARP packets are getting
 forwarded over the bridge and running up my very limited bandwidth
 cap (which, of course, is no one's problem but my own) and more
 importantly is causing my ADSL connection to be dropped every 10-15
 minutes. The tech at the ISP diagnosed the problem, and I wouldn't
 have believed it if I hadn't verified the behaviour myself. As soon
 as I disable CARP on the external interface and the CARP announce
 packets stop, the connection stays up for days. With CARP running, I
 would sometimes be down for hours, with the ADSL connection going up
 for a second, and dropping right away. I tried to do multicast
 filtering on the ADSL port, but my switch isn't intelligent enough,
 and the ADSL device won't filter in bridge mode. The only thing I
 could think to do is to put the 2 CARP ports on a separate VLAN and
 route the CARP multicast packets through that, but my attempts to use
 pf to rdr the multicast packets to a separate vlan0 interface have
 not been successful. Is there a magical way to resolve my situation
 without buying a more expensive switch? I thought it would be worth
 asking before shutting up and hacking together a possibly stupid VLAN
 tagging solution in ip_carp. Thanks for your patience.

 -Brian Marshall


Hi Brian,

did You try to avoid multicast by setting up the carppeers directly?

See man ifconfig:

     carppeer peer_address
             If the driver is a carp(4) pseudo-device, send the carp
             advertisements to a specified point-to-point peer or multicast
             group instead of sending the messages to the default carp
             multicast group.  The peer_address is the IP address of the
             other host taking part in the carp cluster.  With this option,
             carp(4) traffic can be protected using ipsec(4) and it may be
             desired in networks that do not allow or have problems with
             IPv4 multicast traffic.

Regards Uwe

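
As an added example, not configuration from the thread, this is what carppeer looks like in practice on two 4.x hosts: each node sends its advertisements unicast to the other node's real address, so the switch delivers them only to that port and never floods them towards the ADSL bridge, and pf admits CARP (IP protocol 112) only between those two addresses. Addresses, interface names, the vhid and the password are assumed placeholders; the first part is hostname.if(5) syntax, the second pf.conf.

```conf
# /etc/hostname.carp0 on node A (real address 192.0.2.2, peer 192.0.2.3,
# shared address 192.0.2.1); node B mirrors it with "carppeer 192.0.2.2"
# and a higher advskew.  "pass" is the shared key that authenticates the
# advertisements, so pick a real secret.
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 carppeer 192.0.2.3 pass ExamplePass advskew 0

# /etc/pf.conf excerpt, both nodes (swap self/peer on node B)
ext_if = "em0"
self   = "192.0.2.2"
peer   = "192.0.2.3"

# with carppeer the advertisements are plain unicast between the two real
# addresses, so they can be pinned down; anything else claiming to be CARP
# on the external side is dropped
pass in  quick on $ext_if proto carp from $peer to $self
pass out quick on $ext_if proto carp from $self to $peer
block in quick on $ext_if proto carp
```

After `sh /etc/netstart carp0` on both nodes, `tcpdump -ni em0 proto carp` should show the advertisements with the two real addresses as source and destination and no 224.0.0.18 traffic at all; if the ADSL drops still happen after that, multicast was not the cause.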



Re: LDAP and OpenBSD

2008-10-10 Thread Uwe Werler
On Fri, 10 Oct 2008 19:52:10 +0200, raven [EMAIL PROTECTED] wrote:

 Hi misc :)

 I'm thinking how my users into an ldap db can login into my openbsd
 machine as users. I try to use google but no clue at all.
 Thanks guys :)

 Francesco


Hello Francesco,

there's a solution ;-).

I've gotten my -current running to authenticate against my openldap
server.

As stated by the others there is usr.sbin/ypldap. It's not linked to
the builds yet - but it works - together with the port
sysutils/login_ldap.

You can grab the users/groups* from ypldap and then authenticate them
against an ldap server - no matter if this is openldap or AD.

I'll send a howto within the next days (hopefully during this weekend).

Please be patient.

Regards Uwe

* Not fully working yet - ypldap only lists the first group for the
user. But ypldap is still under development.



Re: LDAP and OpenBSD

2008-10-10 Thread Uwe Werler
Ok guys...

because I have had a beer already, I decided to write my experience down now:

1. Use -current. Grab the sources and go to /usr/src/usr.sbin/ypldap
   and make a cvs update; make depend; make; make install

2. Install the port sysutils/login_ldap

3. Configure /etc/ypldap.conf:

domain $OPENBSD
interval 60

provide map passwd.byname
provide map passwd.byuid
provide map group.byname
provide map group.bygid

directory $USE_IP_HERE {                          # A

        attribute name maps to uid
        fixed attribute passwd *                  # B
        attribute uid maps to uidNumber
        attribute gid maps to gidNumber
        fixed attribute class ldap                # Login class!
        fixed attribute expire 0                  # C
        attribute change maps to shadowLastChange # D
        attribute gecos maps to gecos
        attribute home maps to homeDirectory
        fixed attribute shell /bin/ksh            # E
        attribute groupname maps to cn
        fixed attribute grouppasswd *
        attribute groupgid maps to gidNumber
        attribute groupmembers maps to memberUid

        binddn cn=$ldapuser,dc=example,dc=com     # F
        bindcred YourSecret
        basedn dc=example,dc=com

        group filter (objectclass=posixGroup)
        passwd filter (objectclass=posixAccount)

}

A Name resolution not working yet - use the IP instead
B Passwords in NIS not needed - we use login_ldap # XXX
C Problems with the time format - account expire unused
E For Linux users - but there's no bash ;-)
F Not needed if anonymous searches are allowed - not yet in man

XXX You could use other auth too - like krb5 against AD - should be tested!

4. Configure login_ldap in /etc/login.conf (the shell= entry is not mandatory):

ldap:\
        :auth=-ldap:\
        :x-ldap-server=$USE_IP_HERE:\
        :shell=/bin/ksh:\
        :x-ldap-basedn=dc=example,dc=com:\
        :x-ldap-filter=(&(objectclass=posixAccount)(uid=%u)):\
        :x-ldap-groupdn=cn=group_users_should_reside_to,dc=example,dc=com:\
        :x-ldap-groupfilter=(&(objectClass=posixGroup)(memberUid=%u)):\
        :tc=default:

5. Test ypldap

~ # ypldap -dv
startup [debug mode]
configuration starting
applying configuration
connecting to directories
trying directory: $IP
starting directory update
starting directory update
updates are over, cleaning up trees now
flattening trees
pushing line: anonymous:*:4:3:ldap:0:/home/anonymous:/bin/ksh
pushing line: uwerler:*:1000:1000:ldap:12011:0:Uwe Werler:/home/uwerler:/bin/ksh
pushing line: user001:*:1001:1001:ldap:12011:0:Who' this?:/home/user001:/bin/ksh
pushing line: admins:*:1000:uwerler
pushing line: users01:*:1001:user001

That means You should see something like this ;-)

6. Start ypbind

ypbind

7. Test the user

~ # id uwerler
uid=1000(uwerler) gid=1000(admins) groups=1000(admins)*

* as I already wrote - only the first group from ldap is used now

OK, this is working so far. Now try to login.

The problem is if You want to auth with passwords You should type Your password 
twice.

Why - I've to ask the list myself. I've seen such messages in my authlog:

Oct  7 16:07:50 openbsd02 sshd[11261]: Failed password for uwerler from 
10.0.0.127 port 36885 ssh2
Oct  7 16:07:52 openbsd02 sshd[11261]: Accepted password for uwerler from 
10.0.0.127 port 36885 ssh2

!!! You're done !!!

Regards Uwe



To make Your changes permanent:

1. Find the lines and comment out in /etc/rc to avoid ypserv's startup

snip
if [ X`domainname` != X ]; then
#if [ -d /var/yp/`domainname` ]; then
#   # YP server capabilities needed...
#   echo -n ' ypserv';  ypserv ${ypserv_flags}
#   #echo -n ' ypxfrd'; ypxfrd
#fi
snip

2. Add a line to /etc/rc.conf

ypldap_flags=

3. Add lines to /etc/rc.local:

if [ X"${ypldap_flags}" != X"NO" ]; then
        echo -n ' ypldap'
        /usr/sbin/ypldap ${ypldap_flags} >/dev/null 2>&1
fi

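As an added example (not part of the howto above), a small sanity check for the passwd lines ypldap pushes into the NIS map, as seen after "pushing line:" in the ypldap -dv output or from ypcat on a client. It encodes what the setup relies on: ten master.passwd fields, numeric uid and gid, a "*" in the password field (login_ldap does the authentication, so NIS must never carry real hashes), login class "ldap" so that the ldap class from login.conf is used, and absolute home and shell. The sample lines are constructed from the output shown in the howto plus one deliberately leaky entry.

```shell
#!/bin/sh
# Added example, not code from the original post.  Reads one passwd-map line
# per stdin line, prints OK/BAD per entry and exits non-zero if any is bad.

check_passwd_lines() {
    awk -F: '
    BEGIN { nbad = 0 }
    {
        bad = ""
        if (NF != 10) {
            # master.passwd has exactly ten fields; anything else is a
            # broken or truncated entry (such as the "anonymous" line below)
            bad = bad " fields=" NF
        } else {
            if ($2 != "*")          bad = bad " passwd-field-not-star"
            if ($3 !~ /^[0-9]+$/)   bad = bad " uid=" $3
            if ($4 !~ /^[0-9]+$/)   bad = bad " gid=" $4
            if ($5 != "ldap")       bad = bad " class=" $5
            if ($9 !~ /^\//)        bad = bad " home=" $9
            if ($10 !~ /^\//)       bad = bad " shell=" $10
        }
        if (bad != "") { print "BAD " $1 ":" bad; nbad++ }
        else           { print "OK  " $1 }
    }
    END { exit (nbad > 0) }'
}

# Constructed sample: the three entries from the howto output plus one
# carrying a password hash that must never reach the NIS map.
sample_lines() {
    cat <<'EOF'
anonymous:*:4:3:ldap:0:/home/anonymous:/bin/ksh
uwerler:*:1000:1000:ldap:12011:0:Uwe Werler:/home/uwerler:/bin/ksh
user001:*:1001:1001:ldap:12011:0:Who' this?:/home/user001:/bin/ksh
leaky:$2b$08$abcdefghijklmnopqrstuu:1002:1002:ldap:0:0:Leaky:/home/leaky:/bin/ksh
EOF
}

sample_lines | check_passwd_lines || echo "some map entries need attention"
```

On a live system feed it with `ypcat passwd | check_passwd_lines` from a client that binds to the domain; a BAD line with passwd-field-not-star means a hash is being served to every host that can talk NIS.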


Re: LDAP and OpenBSD

2008-10-10 Thread Uwe Werler
Ok, it's quite late tonight - after some beer:
#
vipw
^G
i
+:*
:wq
#
vi /etc/group
^G
i
+:*::
:wq
#
You're done.



Re: pf - queue filter directive sticky?

2008-09-30 Thread Uwe Werler
On Tue, 30 Sep 2008 10:53:05 +0200, [EMAIL PROTECTED] wrote:

 On Mon, 29 Sep 2008 15:29:08 -0400, (private) HKS [EMAIL PROTECTED] wrote:
 
  If the following two rules apply to a given packet in the order
  shown, will the packet be queued?
 
  pass in on $int_if from 10.0.0.1 queue tens
  pass in on $int_if
 
  I've not been able to find a clear answer in pf.conf(5) or the
  online PF documentation. If I overlooked it, please let me know.
  Thanks in advance for the help.
 
  -HKS
 
 imho normally this packet wouldn't be queued because the last count
 matches the packet so the last rule applies:
 
 from man pf.conf:
 
 For each packet processed by the packet filter, the filter rules
 are evaluated in sequential order, from first to last.  The last
 matching rule decides what action is taken.  If no rule matches the
 packet, the default action is to pass the packet.
 
 uw
 
 

on the other hand: 

During the filtering component of pf.conf, the last referenced
queue name is where any packets from pass rules will be queued...

that means because of the sequential order that the packet should be
queued imho.
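
As an added example, not part of the thread, the rule order that makes the outcome independent of the answer: with quick on the queue rule, evaluation stops there for 10.0.0.1, so the catch-all can neither take over the packet nor lose its queue assignment. The interface name and bandwidths are assumptions; ALTQ syntax of OpenBSD 4.x, and the queue must exist on the interface the packets eventually leave through.

```conf
# /etc/pf.conf excerpt - assumed: em1 is the interface, 10Mb the link
int_if = "em1"

altq on $int_if cbq bandwidth 10Mb queue { std, tens }
queue std  bandwidth 90% cbq(default)
queue tens bandwidth 10%

# the quick rule is final for 10.0.0.1; the generic pass below only sees
# everybody else, so it cannot override the queue assignment
pass in quick on $int_if from 10.0.0.1 queue tens
pass in on $int_if
```

Verify with `pfctl -vsq` (per-queue packet and byte counters should rise for tens while 10.0.0.1 sends) and `pfctl -vsr` (the Evaluations/Packets counters show which rule actually matched).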



howto determine boot device?

2005-07-04 Thread Uwe Werler
hi, is it possible to determine, after the kernel has loaded, from which
device it has booted? regards uwe




determine boot device after boot

2005-07-01 Thread Uwe Werler
hello,

is it possible to determine the boot device after the kernel has
loaded? i didn't find any variable (with sysctl or an entry in logs)
which contains this information. i want to boot from any device like
floppy, cd etc. and the root will be a ramdisk. after boot i want to
read some additional files from the boot device. is there a way to get
this working?

thanks in advance!




Re: read-only storage media

2005-07-01 Thread Uwe Werler
hi matt,

what about a USB stick? that's my approach.

regards uwe

 
 Is there any kind of storage media that can be set as read-only, and
 only reset to read and write by physical access?
 
 I'm thinking about something like the (seemingly ancient) 3.5
 floppy disks that had that little switch you could use to set the
 disk to read only.
 
 Are there any hard drives that have a similar kind of feature?
 
 I'm thinking that this would be nice for a firewall machine: if the
 machine was compromised, it still couldn't be modified (i.e.,
 volumes mounted read only can always be remounted read-write if the
 machine is root compromised).
 
 I'm thinking that I could burn a CD-R (and re-burn it whenever
 there's a configuration change), but it seems like the system might
 have a lot of latency and the CD-ROM drive might prematurely fail.
 
 Any thoughts?
 
 Thanks,
 Matt
 
 -- 
 Matt Garman
 email at: http://raw-sewage.net/index.php?file=email
 
