torrent downloads
Hello,

I was wondering if there is any particular reason explaining why there is no torrent file to retrieve OpenBSD *.fs and *.iso. I've been looking on the list and only found this site that doesn't seem up to date [1]. If the reason is a lack of human resources, I think I can handle it.

Regards.

[1] : http://openbsd.somedomain.net/
Re: torrent downloads
> yes, but unlike those distros the openbsd installers aren't measured in
> gigabytes.
>

Of course, the point doesn't apply to miniroot* but to installxx.xx. It doesn't remove the problem of long download for some and servers bandwidth possible issue. Using miniroot* still requires to download file from a mirror then, and using its bandwidth.

The torrent "idea" here is only relevant for big files, and doesn't remove the need to check SHA256 as usual.

> The site mentioned by OP (http://openbsd.somedomain.net) is up to date,
> and has the torrents mentioned.
>

Indeed it is. I've been fooled as the first entry is for OpenBSD **6.0 alpha**... Moreover, as it's not listed in official mirrors, it's harder to trust.
Mail server with many users
Hello, according to recent discussion on the list, I was wondering how you set up a mail server with smtpd with a lot of users. Regards. --
spamassassin filtering problem
Hello,

I was using spamassassin+smtpd for a while and everything worked as expected. Now I added support for more than one domain and incoming mails are locked into a loop, I can't figure out why.

Here is my /etc/mail/smtpd.conf

    table aliases file:/etc/mail/aliases
    table virtuals file:/etc/mail/virtuals
    table domains file:/etc/mail/domains
    pki certsssl key "/etc/ssl/acme/private/mydomain.net-privkey.pem"
    pki certsssl certificate "/etc/ssl/acme/mydomain.net-fullchain.pem"
    ca certsssl certificate "/etc/ssl/acme/mydomain.net-fullchain.pem"
    listen on lo0 port 10028 tag DKIM
    listen on lo0 port 10026 tag NOSPAM
    listen on lo0
    listen on re0 port smtp tls pki certsssl
    listen on re0 port submission tls-require pki certsssl auth
    accept from local for local alias deliver to maildir "~/Maildir"
    accept tagged NOSPAM for domain virtual deliver to maildir "/mnt/bigstorage/vmail/%{dest.domain}/%{dest.user}/Maildir"
    accept from any for domain relay via smtp://127.0.0.1:10025
    accept tagged DKIM for any relay
    accept from local for any relay via smtp://127.0.0.1:10027

table virtuals contains :

    us...@mydomain.net user1
    us...@otherdomain.net user2

and table domains contains :

    mydomain.net
    otherdomain.net

In logs, I can see such messages

    May 13 08:10:39 master smtpd[22622]: 9d2709d2fddd9a03 smtp event=message address=127.0.0.1 host=localhost msgid=f23a6ab6 from= to= size=4665 ndest=1 proto=ESMTP
    May 13 08:10:39 master smtpd[22622]: 9d2709d115477347 mta event=delivery evpid=2fc2606678f20fd0 from= to= rcpt=<-> source="127.0.0.1" relay="127.0.0.1 (localhost)" delay=1s result="Ok" stat="250 2.0.0: f23a6ab6 Message accepted for delivery"
    May 13 08:10:39 master spampd[11644]: processing message <20170513054818.gg33...@openbsd.my.domain> for ORCPT=rfc822;t...@yeuxdelibad.net
    May 13 08:10:40 master spampd[11644]: clean message <20170513054818.gg33...@openbsd.my.domain> (1.19/5.00) from for ORCPT=rfc822;t...@yeuxdelibad.net in 0.68s, 4764 bytes.
    May 13 08:10:40 master smtpd[22622]: 9d2709d2fddd9a03 smtp event=message address=127.0.0.1 host=localhost msgid=cb35fe0a from= to= size=4828 ndest=1 proto=ESMTP
    May 13 08:10:40 master smtpd[22622]: 9d2709d115477347 mta event=delivery evpid=f23a6ab6dbaeb160 from= to= rcpt=<-> source="127.0.0.1" relay="127.0.0.1 (localhost)" delay=1s result="Ok" stat="250 2.0.0: cb35fe0a Message accepted for delivery"
    May 13 08:10:40 master spampd[11644]: processing message <20170513054818.gg33...@openbsd.my.domain> for ORCPT=rfc822;t...@yeuxdelibad.net
    May 13 08:10:41 master spampd[11644]: clean message <20170513054818.gg33...@openbsd.my.domain> (1.19/5.00) from for ORCPT=rfc822;t...@yeuxdelibad.net in 0.67s, 4931 bytes.
    May 13 08:10:41 master smtpd[22622]: 9d2709d2fddd9a03 smtp event=message address=127.0.0.1 host=localhost msgid=994ab936 from= to= size=4991 ndest=1 proto=ESMTP

Please, any advice is welcome.

Regards.
Re: Can I use OpenBSD in a virtual machine, for example, VirtualBox?
* SOUL_OF_ROOT 55 on [26-06-2017 18:18:41 -0300]:
> Can I use OpenBSD in a virtual machine, for example, VirtualBox?

yes
Libreoffice calc crash
--
thuban
Re: Libreoffice calc crash
> I'm running -current snapshot dated Thu Aug 3 12:12:07 MDT 2017 with
> libreoffice-5.2.7.2p5v0 and have been doing some heavy work in Calc for the
> last hour without any issues.
>

Good to know it seems ok on next snapshot. (I'm on -stable on this machine).

> What exactly you mean by "write changes" and "validate"; just typing values
> in a cell and pressing Enter to finish your entry? Does it happen on a
> blank spreadsheet?

Just typing values in a cell and finish entry, yes. It doesn't happen in blank spreadsheet, only when I modify a cell.

> Do you have the user account set to the "staff" class, or somehow assigning
> it a high datasize limit in login.conf?

Yes, I run libreoffice with this user.

--
thuban
DNSSEC solution
Hi,

since we have nsd and unbound included in base, I was wondering what tool you use to deal with DNSSEC and sign your zone ? I use zkt, but your advice would be nice.

Regards

--
thuban
httpd and gzip
Hi,

since this thread [1] is older than two years, is there any plan to have gzip compression in httpd ?

[1] https://marc.info/?l=openbsd-misc&m=142402749002617&w=2

regards.

--
thuban
relayd transparent don't work
Hi,

I'm using relayd to check headers before serving my website with httpd. I need to keep in httpd's logs the client IP address. So I try to use the "transparent" keyword in relayd.conf, but in this case, relayd doesn't work and I can't reach httpd.

Here is the **not working** relayd relevant configuration :

    relay "tlsforward" {
        listen on $ext_ip port 443 tls
        protocol "https"
        transparent forward to port 8443 check tcp
    }

here is the **working without transparent** relayd.conf :

    table { 127.0.0.1 }
    ext_ip = 192.168.1.66

    http protocol "http" {
        tcp { nodelay, sack, socket buffer 65536, backlog 100 }
        match response header set "Cache-Control" value "max-age=1814400"
        match request header remove "Proxy"
        match response header set "X-Xss-Protection" value "1; mode=block"
        match response header set "Frame-Options" value "SAMEORIGIN"
        match response header set "X-Frame-Options" value "SAMEORIGIN"
        return error
    }

    relay "www" {
        listen on $ext_ip port 80
        protocol "http"
        forward to 127.0.0.1 port 8080
    }

    http protocol "https" {
        tcp { nodelay, sack, socket buffer 65536, backlog 100 }
        match response header set "Cache-Control" value "max-age=1814400"
        match request header remove "Proxy"
        match response header set "X-Xss-Protection" value "1; mode=block"
        match header append "X-Forwarded-For" \
            value "$REMOTE_ADDR"
        match header append "X-Forwarded-By" \
            value "$SERVER_ADDR:$SERVER_PORT"
        return error
        pass
        tls { no client-renegotiation, cipher-server-preference }
    }

    relay "tlsforward" {
        listen on $ext_ip port 443 tls
        protocol "https"
        forward to port 8443 check tcp
    }

Any advice?

Regards
[rspamd and smtpd] (was: the whole greylisting, spam filtering thing)
By the way, does anyone have some instructions to use rspamd with the default smtpd ?

Regards.

--
thuban
httpd match pattern issue
Hello,

I need to redirect some URLs with httpd. As an example :

    /test/?d=2018/05/02/13/14/50-some-title

Must be redirected to

    /2018/05/02/some-title

My problem is that "?" is never matched. Here is the pattern I use :

    location match "^/test/%?d=(%d%d%d%d/%d%d/%d%d)/%d%d/%d%d/%d%d%-(%g+)$" {
        block return 301 "/%1/$2"
    }

Any advice? After many tests, it seems that the only problem is the "?"

thanks.

--
thuban
dovecot confusing default ssl configuration
I think this is since 6.3. When installing the dovecot package, a few files are created. The problem is that /etc/dovecot/conf.d/10-ssl.conf contains :

    ssl_cert =
USB power management
Hi,

this might look like a stupid question, but I'm stuck and don't know where to look at this point. How would you disable a USB port? I would like to power off a USB drive (flashing blue LED at night) but keep it plugged, and power on when I need it.

Any advice?

Regards.

--
thuban
nvi and unicode
Default vi (nvi) in OpenBSD doesn't handle correctly most of UTF-8 signs such as "é", "à" or so. One needs to install nvi package to do so.

Is it planned to replace the vi binary in the future?
Is there any reason I can't think to keep this vi version?

Regards.

--
thuban
Re: nvi and unicode
Thanks for enlightenment.

* Predrag Punosevac on [13-07-2018 10:06:19 -0400]:
> On July 13 2018 Thuban wrote:
> >
> > Default vi (nvi) in OpenBSD doesn't handle correctly most of UTF-8
> > signs such as "é", "à" or so. One need to install
> > nvi package to do so.
> > Is it planned to replace the vi binary in the future?
> > Is there any reason I can't think to keep this vi version?
> >
> > Regards.
> > --
> > thuban
>
> If you read
>
> https://en.wikipedia.org/wiki/Nvi
>
> you should have noticed the following paragraph
>
> "BSD projects continue to use nvi version 1.79 due to licensing
> differences between Berkeley Database 1.85 and the later versions by
> Sleepycat Software."
>
> So the answer is no. nvi in the base of OpenBSD is further cleaned from
> bugs beyond once upon a time common code. bcallah@ could shed more light
> on the work on nvi from the base. Obviously if you need UTF-8 support
> you have a choice of using package or two switching to DragonFly BSD
> which has nvi2 in its base.
>
> Cheers,
> Predrag
>

--
thuban
Re: Cloud-Storage & OpenBSD
* Predrag Punosevac on [02-09-2018 15:38:40 -0400]:
> > On Sep 2, 2018, at 10:43 AM, Kurtis wrote:
> >
> > Hey all,
> >
> > I'm just wondering if anyone has any suggestions with any Online File
> > Backup Synchronization services?
> >
> > I used Dropbox for a long time but decided to drop it in favor of
> > pCloud. It's about time to do another annual subscription so I'm
> > looking at options.
> >
> > I use the same service for backing up photos from my phone, backing up
> > documents from computers, and syncing files between multiple machines
> > (Mac, Windows, and Linux, Android).
> >
> > Specifically, I'm looking for a service that is compatible with the
> > major operating systems but also has a good client for OpenBSD.
> >
> > Bonus feature would be the ability to share the service with my family
> > using different accounts.
> >
> > The ability to generate credentials that can only access certain folders
> > would be _really_ cool. For example, my machines could generate
> > reports and store them in my sync'd service so I could simplify
> > viewing them from any machine.
> >
> > Thanks!

net/syncthing

--
thuban
relayd as transparent proxy
Hi,

I'm struggling to configure relayd as a transparent proxy. I can't figure how to do so, the manpage only relates of a MITM configuration for TLS acceleration.

I thought this tutorial [1] would help, but even following it step by step, I can't do this.

Does anyone have a working example please ?

Thanks.

[1] http://nohair.net/transparent_reverse_proxy.html

--
thuban
Re: relayd as transparent proxy
I think I found something working, I leave it here for others. Any advice is still welcome.

By the way, I'm confused about the "transparent forward" directive in relayd.conf. It doesn't seem to work at all and setting a transparent proxy is not using this keyword.

/etc/relayd.conf :

    http protocol "http" {
        tcp { nodelay, sack, socket buffer 65536, backlog 100 }
        include "/etc/relayd.proxy.conf"
        pass
    }

    http protocol "https" {
        tcp { nodelay, sack, socket buffer 65536, backlog 100 }
        include "/etc/relayd.proxy.conf"
        tls { \
            cipher-server-preference,\
            no tlsv1.0\
        }
        pass
    }

    relay "www" {
        listen on 127.0.0.1 port 8080
        protocol "http"
        forward to destination
    }

    relay "wwwtls" {
        listen on 127.0.0.1 port 8443 tls
        protocol "https"

For tls, you need /etc/ssl/127.0.0.1.crt and /etc/ssl/private/127.0.0.1.key files. Use ln -s to link with your certificate if necessary.

In /etc/httpd.conf, leave this :

    listen on * port 80
    listen on * tls port 443
    hsts preload
    tls {
        certificate ...
        key ...
    }

And finally, in /etc/pf.conf :

    pass in on egress proto tcp to port www divert-to 127.0.0.1 port 8080 \
        flags S/SA modulate state
    pass in on egress proto tcp to port https divert-to 127.0.0.1 port 8443 \
        flags S/SA modulate state
    pass out on egress proto tcp all modulate state divert-reply

This way, relayd is a transparent proxy, you can change headers and keep the original source IP (useful for logs).

regards.
Re: relayd as transparent proxy
my bad, I still don't have the real source IP in my logs (just the local ip address of my server). Any advice for a **real** transparent proxy ?
Re: relayd as transparent proxy
* Stuart Henderson on [21-09-2018 10:10:03 +]:
> On 2018-09-20, Thuban wrote:
> > By the way, I'm confused about the "transparent forward" directive in
> > relayd.conf. It doesn't seems to work at all and setting a transparent
> > proxy is
> > not using this keyword.
>
> "transparent proxy" used to be common for web proxies meaning "you
> don't need to tell the client to use a proxy" but this is a confusing
> term. squid has got rid of this in favour of the more descriptive
> "interception proxy" now.
>
> if you want to originate packets using the client's original source
> address you will need to figure out what's wrong with your setup using
> "transparent forward" as that is exactly what you need to use. I've had
> it working before but it *is* awkward.

That's exactly where I'm confused with the man page of relayd. It is mentioned :

    forward to destination options ...
        When redirecting connections with a divert-to rule in pf.conf(5)
        to a relay listening on localhost, this directive will look up
        the real destination address of the intended target host,
        allowing the relay to be run as a **transparent proxy.**

That's what I did, but the original source address isn't kept.

The "transparent" directive just doesn't work :

    [transparent] forward [with tls] to address [port port] options ...

I tried relayd listening on port 80 and set up httpd to listen on port 8080. In relayd.conf :

    transparent forward to 127.0.0.1 port 8080

No success.

Either I misunderstand the manpage, or it misses some precisions.

Regards.

thuban
[relayd] transparent don't work
I found a partial solution to my problem. With the following configuration, the source client IP is correctly printed by a php script (getip.php), but not in httpd logs.

Does anyone have an example with "transparent forward" please ?

relayd.conf :

    http protocol "http" {
        tcp { nodelay, sack, socket buffer 65536, backlog 100 }
        include "/etc/relayd.proxy.conf"
        pass
    }

    http protocol "https" {
        tcp { nodelay, sack, socket buffer 65536, backlog 100 }
        include "/etc/relayd.proxy.conf"
        tls { \
            cipher-server-preference,\
            no tlsv1.0\
        }
        pass
    }

    relay "www" {
        listen on 127.0.0.1 port 8080
        protocol "http"
        forward to destination
    }

    relay "wwwtls" {
        listen on 127.0.0.1 port 8443 tls
        protocol "https"
        forward with tls to destination
    }

/etc/relayd.proxy.conf:

    return error
    match header set "X-Forwarded-For" value "$REMOTE_ADDR"
    match header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
    match header set "Keep-Alive" value "$TIMEOUT"
    match query hash "sessid"
    match request header remove "Proxy"
    match response header set "Cache-Control" value "max-age=1814400"
    match response header set "X-Xss-Protection" value "1; mode=block"
    match response header set "Frame-Options" value "SAMEORIGIN"
    match response header set "X-Frame-Options" value "SAMEORIGIN"
    match response header set "X-Robots-Tag" value "index,nofollow"
    match response header set "X-Powered-By" value "Powered with electricity on OpenBSD"
    match response header set "X-Permitted-Cross-Domain-Policies" value "none"
    match response header set "X-Download-Options" value "noopen"
    match response header set "X-Content-Type-Options" value "nosniff"

/etc/pf.conf:

    ...
    pass in quick on $ext_if proto tcp to port www divert-to 127.0.0.1 port 8080 flags S/SA modulate state
    pass in quick on $ext_if proto tcp to port https divert-to 127.0.0.1 port 8443 flags S/SA modulate state
    # everything open outbound
    pass out on $ext_if proto { tcp udp icmp ipv6-icmp } all modulate state

/etc/httpd.conf:

    listen on * port 80
    listen on * tls port 443
    hsts preload
    tls {
        certificate "/etc/ssl/acme/yeuxdelibad.net-fullchain.pem"
        key "/etc/ssl/acme/private/yeuxdelibad.net-privkey.pem"
        ticket lifetime default
    }
    ...

getip.php:
[relayd] set response header for tagged connexion
Hi,

I want to set a header according to the requested path. The goal is to increase the cache-control according to file extension.

For now, I have in relayd.conf something like :

    match request path "/*.css" tag "CSS"
    match tagged "CSS" response header set "Cache-Control" value "max-age=1814400"

Of course, there is a syntax error.

Any advice ?

--
thuban
Re: [relayd] set response header for tagged connexion
* tomr on [17-10-2018 15:37:42 +1100]:
>
>
> On 10/17/18 4:14 AM, Thuban wrote:
> > Hi,
> > I want to set a header according to the requested path. The goal is to
> > increase
> > the cache-control according to file extension.
> >
> > For now, I have in relayd.conf something like :
> >
> > match request path "/*.css" tag "CSS"
> > match tagged "CSS" response header set "Cache-Control" value
> > "max-age=1814400"
>
> I think you might want to try moving 'response' left, so the line begins
> 'match response tagged '
>
> t
>

That's it, thanks.

Now I have this configuration, if anyone is interested to increase cache on his website :

    match request path "/*.html" tag "HTML"
    match request path "/*.css" tag "CACHE"
    match request path "/*.js" tag "CACHE"
    match request path "/*.atom" tag "CACHE"
    match request path "/*.rss" tag "CACHE"
    match request path "/*.jpg" tag "CACHE"
    match request path "/*.png" tag "CACHE"
    match request path "/*.svg" tag "CACHE"
    match request path "/*.gif" tag "CACHE"
    match request path "/*.ico" tag "CACHE"
    match response tagged "CACHE" header set "Cache-Control" value "max-age=1814400"
    match response tagged "HTML" header set "Content-Type" value "text/html; charset=UTF-8"

--
thuban
Re: spamd and google smtp ips
* Stuart Henderson on [30-10-2018 23:39:23 +]:
> On 2018-10-30, Chris Narkiewicz wrote:
> > Hi,
> >
> > I'm configuring spamd and I noticed that when I send an e-mail from
> > GMail, each time the e-mail is submitted by a different IP address.
> >
> > Here is spamdb output after sending a test email to myself:
> >
> > GREY|209.85.219.182|mail-yb1-f182.google.com|...
> > GREY|209.85.219.177|mail-yb1-f177.google.com|...
> > GREY|209.85.219.176|mail-yb1-f176.google.com|...
> > GREY|209.85.219.172|mail-yb1-f172.google.com|...
> > GREY|209.85.219.180|mail-yb1-f180.google.com|...
> > GREY|209.85.219.175|mail-yb1-f175.google.com|...
> > GREY|209.85.219.173|mail-yb1-f173.google.com|...
> > GREY|209.85.219.179|mail-yb1-f179.google.com|...
> > GREY|209.85.208.46|mail-ed1-f46.google.com|...
> > GREY|209.85.161.52|mail-yw1-f52.google.com|...
> > ... snip ...
> >
> > Of course they are not whitelisted, as each submission
> > attempt is done by a different node and I guess google has A LOT of
> > them. I see 2 issues with that:
> >
> > 1) e-mail delivery takes a lot of time (as google uses exponential
> > backoff and stops frequent retries after few failures)
> >
> > 2) whitelisted IPs are more likely being expired, as my server is
> > not getting a lot of gmail traffic
> >
> > I suppose different big e-mail providers will
> > have similar issues.
> >
> > I'm also running BGP server to download a whitelist,
> > but it does not contain google servers.
> >
> > Are there any solutions get around this problem? Ideally I'd like
> > to just whitelist reputable mail providers as I see little chance
> > that any spammer will outsmart Google/Yahoo/Microsoft/etc.
To solve this problem, I use two methods :

## whitelist from bsdly.net (thanks again peter :)

In /etc/pf.conf

    table persist file "/etc/mail/nospamd"
    pass in on egress proto tcp from to any port smtp

In /etc/weekly.local :

    echo "update nospamd file"
    ftp -o /etc/mail/nospamd http://www.bsdly.net/~peter/nospamd

## whitelist from spf walk :

In /etc/mail/spamd.conf :

    all:\
        :nixspam:bgp-spamd:bsdlyblack:whitelist:
    ...
    whitelist:\
        :white:\
        :method=file:\
        :file=/etc/mail/whitelist.txt

In /etc/weekly.local :

    /usr/local/bin/domain-white-spamd

In /usr/local/bin/domain-white-spamd, adjust with domains you need :

    #!/bin/sh
    # Build the spamd whitelist from the SPF records of trusted domains.
    TMP=$(mktemp)
    WHITELIST=/etc/mail/whitelist.txt
    DOMAINS='outlook.com
    gmail.com
    google.com
    hotmail.com
    yahoo.com
    yahoo.fr
    live.fr
    mail-out.ovh.net
    mxb.ovh.net
    gandi.net
    laposte.net
    github.com
    protonmail.com
    '
    # Collect the addresses published by each domain into the temporary file.
    for d in $DOMAINS; do
        echo "$d" | smtpctl spf walk >> "$TMP"
    done
    # Replace the whitelist only once every domain has been walked.
    mv "$TMP" "$WHITELIST"
    exit 0

--
thuban
Permission on virtual user password file [dovecot+smtpd]
Hi,

I use dovecot and smtpd on my personal mail server. They both share the same password file. It works very well, but I'm concerned about permissions on this file :

    -rw-r--r-- 1 root wheel passwd

It's world readable. I would like to let dovecot and smtpd to read only this file, and no one else could.

I tried to set a _maildaemons group and put _smtpd and _dovecot users in it, then :

    -rw-r----- 1 root _maildaemons passwd

Sadly, dovecot can't read the passwd file with this configuration, and I can't figure out why.

Any advice ?

    # part of dovecot config
    passdb {
        args = scheme=blf-crypt /etc/mail/passwd
        driver = passwd-file
    }

--
thuban
Re: Permission on virtual user password file [dovecot+smtpd]
self-answer after some digging [1]. Not sure why I have to specify this. I mean, what is the group used by dovecot by default ?

To make /etc/mail/passwd unreadable by regular users, I did this :

    groupadd _maildaemons
    usermod -G _maildaemons _smtpd
    usermod -G _maildaemons _dovecot
    chown root:_maildaemons /etc/mail/passwd
    chmod 640 /etc/mail/passwd

In /etc/dovecot/local.conf :

    service auth {
        user = $default_internal_user
        group = _maildaemons
    }

Comments ?

[1] : https://wiki.dovecot.org/UserIds
smtpd.conf and junk
Hi,

I can't figure how to make this "junk" argument to work as mentioned in The smtpd.conf manpages :

    If the junk argument is provided, the message will be
    moved to the Junk folder if it contains a positive X-Spam
    header.

spams detected by spamassassin have multiple X-Spam-* headers, but aren't placed into Junk folder.

Any advice ?

--
thuban
Re: smtpd.conf and junk
* Gilles Chehade on [21-11-2018 16:31:31 +0100]:
> On Wed, Nov 21, 2018 at 03:22:45PM +0100, Thuban wrote:
> > Hi,
> > I can't figure how to make this "junk" argument to work as
> > mentioned in The smtpd.conf manpages :
> >
> > If the junk argument is provided, the message will be
> > moved to the Junk folder if it contains a positive X-Spam
> > header.
> >
> >
> > spams detected by spamassassin have multiple X-Spam-* headers, but aren't
> > placed
> > into Junk folder.
> >
> > Any advice ?
> >
>
> without seeing examples of these headers and your config, it's hard to
> understand what's incorrect ;-)
>

Sorry, I thought this was quite common. A spam has these headers when detected by spamassassin :

    X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on ledzep.yeuxdelibad.net
    X-Spam-Flag: YES
    X-Spam-Level: ***
    X-Spam-Status: Yes, score=19.0 required=5.0 tests=BAYES_99,BAYES_999,

Here is my smtpd.conf, incoming mails are analysed by spamassassin (default configuration).

    table aliases file:/etc/mail/aliases
    table domains file:/etc/mail/domains
    table passwd passwd:/etc/mail/passwd
    table virtuals file:/etc/mail/virtuals

    pki acmecert key "/etc/ssl/acme/private/yeuxdelibad.net.key"
    pki acmecert cert "/etc/ssl/acme/yeuxdelibad.net-fullchain.pem"

    ## LISTEN ##
    # envelopes signed by dkimproxy
    listen on lo0 port 10028 tag DKIM
    # envelopes checked by spamassassin
    listen on lo0 port 10026 tag NOSPAM
    # local
    listen on lo0
    # incoming
    listen on egress tls pki acmecert tag INCOMING
    # sending
    listen on egress port submission tls-require pki acmecert auth tag OUTGOING

    ## ACTIONS ##
    action "relay" relay
    action dkimproxy relay host smtp://127.0.0.1:10027
    action spamassassin relay host smtp://127.0.0.1:10025
    action "local_mbox" mbox alias
    action virtual_maildir maildir "/var/_vmail/%{dest.domain}/%{dest.user}/Maildir" junk virtual

    ## MATCH ##
    match for local action local_mbox
    match tag NOSPAM from any for domain action virtual_maildir
    match from any for domain action spamassassin
    match tag DKIM for any action "relay"
    match auth tag DKIM from any for any action "relay"
    match auth from any for any action dkimproxy
    match for any action dkimproxy
Re: smtpd.conf and junk
* Edgar Pettijohn on [21-11-2018 11:32:43 -0600]:
>
> On Nov 21, 2018 8:22 AM, Thuban wrote:
> >
> > Hi,
> > I can't figure how to make this "junk" argument to work as
> > mentioned in The smtpd.conf manpages :
> >
> > If the junk argument is provided, the message will be
> > moved to the Junk folder if it contains a positive X-Spam
> > header.
> >
> >
> > spams detected by spamassassin have multiple X-Spam-* headers, but aren't
> > placed
> > into Junk folder.
> >
> > Any advice ?
> >
> >
> >
> > --
> > thuban
> >
> It looks for a header matching:
>
> X-Spam: Yes
>
> You may need to configure spamassassin to write it that way. I believe that
> the default is different, but I can't check right now.
>

I tried to add this in spamassassin.conf [0] :

    add_header spam X-Spam

But if you read the link [0] closely, it can't work because spamassassin adds headers "X-Spam-something", never "X-Spam" :

    All headers begin with X-Spam- (so a header_name Foo will generate a
    header called X-Spam-Foo)

I guess the "junk" keyword in smtpd.conf was written to be handy, so I miss something. Where ?

Regards.

[0] https://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html#basic_message_tagging_options
Re: smtpd.conf and junk
* Gilles Chehade on [21-11-2018 21:06:39 +0100]:
> On Wed, Nov 21, 2018 at 06:38:43PM +0100, Thuban wrote:
> > * Edgar Pettijohn le [21-11-2018 11:32:43 -0600]:
> > >
> > > On Nov 21, 2018 8:22 AM, Thuban wrote:
> > > >
> > > > Hi,
> > > > I can't figure how to make this "junk" argument to work as
> > > > mentioned in The smtpd.conf manpages :
> > > >
> > > > If the junk argument is provided, the message will be
> > > > moved to the Junk folder if it contains a positive X-Spam
> > > > header.
> > > >
> > > >
> > > > spams detected by spamassassin have multiple X-Spam-* headers, but
> > > > aren't placed
> > > > into Junk folder.
> > > >
> > > > Any advice ?
> > > >
> > > >
> > > >
> > > > --
> > > > thuban
> > > >
> > > It looks for a header matching:
> > >
> > > X-Spam: Yes
> > >
> > > You may need to configure spamassassin to write it that way. I believe
> > > that the default is different, but I can't check right now.
> > >
> >
> > I tried to add this in spamassassin.conf [0] :
> >
> > add_header spam X-Spam
> >
> > But if you read the link [0] closely, it can't work because spamassassin add
> > headers "X-Spam-something", never "X-Spam" :
> >
> > All headers begin with X-Spam- (so a header_name Foo will generate a
> > header called X-Spam-Foo)
> >
> > I guess the "junk" keyword in smtpd.conf was written to be handy, so I miss
> > something. Where ?
> >
>
> You didn't miss anything, the maildir agent only supports X-Spam headers
> as of today so this will need a diff to support SpamAssassin if it can't
> generate a X-Spam header.
>

Okay, thanks, I doubt since English is not my main language.

> SpamAssassin wasn't a target when I wrote that feature but it's just one
> diff away ;-)
>

Just need to check "X-Spam-Flag: YES" or "X-Spam-Status: Yes,.*" then.

Just curious, what was the target of that 'junk' feature ? rspamd ? Another ?

Regards.

--
thuban
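The header check discussed in this thread (a positive X-Spam, X-Spam-Flag or X-Spam-Status header), as an added example that is not code from the thread or from smtpd's mail.maildir. The function names and the list of accepted header names are assumptions and the sample messages are constructed; it goes a little beyond the thread by matching names case-insensitively, skipping folded continuation lines, and stopping at the end of the header section so that body text can never trigger the Junk move.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Header names treated as spam verdicts (assumption drawn from the thread). */
static const char *verdict_headers[] = {
	"X-Spam", "X-Spam-Flag", "X-Spam-Status", NULL
};

/*
 * Return 1 if one header line (no line ending, length len) is a positive
 * verdict: a known name, ':', optional blanks, then "yes" as a whole word.
 */
static int
line_is_positive(const char *line, size_t len)
{
	const char *colon = memchr(line, ':', len);
	const char *end = line + len;
	const char *val;
	size_t namelen, i;

	if (colon == NULL)
		return 0;
	namelen = (size_t)(colon - line);
	for (i = 0; verdict_headers[i] != NULL; i++)
		if (strlen(verdict_headers[i]) == namelen &&
		    strncasecmp(line, verdict_headers[i], namelen) == 0)
			break;
	if (verdict_headers[i] == NULL)
		return 0;		/* e.g. X-Spam-Level, Subject */
	val = colon + 1;
	while (val < end && (*val == ' ' || *val == '\t'))
		val++;
	if ((size_t)(end - val) < 3 || strncasecmp(val, "yes", 3) != 0)
		return 0;
	/* "Yes, score=..." and "YES" match; "YESTERDAY" does not. */
	return (val + 3 == end || !isalnum((unsigned char)val[3]));
}

/*
 * Scan the header section of a message held in memory.
 * The first empty line ends the headers, so a body that quotes a spam
 * header is ignored. Lines starting with a blank continue the previous
 * header and are skipped.
 */
int
message_is_junk(const char *msg)
{
	const char *p = msg;

	while (*p != '\0') {
		size_t len = strcspn(p, "\n");
		size_t linelen = len;

		if (linelen > 0 && p[linelen - 1] == '\r')
			linelen--;		/* tolerate CRLF */
		if (linelen == 0)
			return 0;		/* end of headers */
		if (p[0] != ' ' && p[0] != '\t' &&
		    line_is_positive(p, linelen))
			return 1;
		p += len;
		if (*p == '\n')
			p++;
	}
	return 0;
}

/* Constructed sample shaped like the SpamAssassin headers quoted above. */
static const char sample_spam[] =
    "Received: from mx.example.org\n"
    "X-Spam-Flag: YES\n"
    "X-Spam-Level: ***\n"
    "X-Spam-Status: Yes, score=19.0 required=5.0\n"
    "\tautolearn=no\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n";

/* Constructed sample: clean verdict, but the body quotes a spam header. */
static const char sample_body_only[] =
    "X-Spam-Status: No, score=1.2 required=5.0\n"
    "Subject: fwd\n"
    "\n"
    "X-Spam-Flag: YES\n";

int
main(void)
{
	printf("spam sample: %d\n", message_is_junk(sample_spam));
	printf("body-only sample: %d\n", message_is_junk(sample_body_only));
	return 0;
}
```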
Re: mail.maildir junk patches
Nice to see such feature (no need dovecot). For now, It's still possible with dovecot, lmtp delivery and sieve filter [1]. [1] https://wiki.dovecot.org/Pigeonhole/Sieve/Extensions/SpamtestVirustest 24 novembre 2018 18:02 "Edgar Pettijohn III" a écrit: > make the junk header customizable like so: > > action "local" maildir junk "X-Spam-Flag: YES" > > Index: mail.maildir.8 > === > RCS file: /cvs/src/usr.sbin/smtpd/mail.maildir.8,v > retrieving revision 1.5 > diff -u -p -u -r1.5 mail.maildir.8 > --- mail.maildir.830 May 2018 12:37:57 -1.5 > +++ mail.maildir.824 Nov 2018 16:58:03 - > @@ -22,7 +22,7 @@ > .Nd store mail in a maildir > .Sh SYNOPSIS > .Nm mail.maildir > -.Op Fl j > +.Op Fl j header > .Op Ar pathname > .Sh DESCRIPTION > .Nm > @@ -36,7 +36,9 @@ located in the user's home directory. > The options are as follows: > .Bl -tag -width Ds > .It Fl j > -Scan message for X-Spam and move to Junk folder if result is positive. > +Scan message for > +.Ar header > +and move to Junk folder if result is positive. > .El > .Sh EXIT STATUS > .Ex -std mail.maildir > Index: mail.maildir.c > === > RCS file: /cvs/src/usr.sbin/smtpd/mail.maildir.c,v > retrieving revision 1.7 > diff -u -p -u -r1.7 mail.maildir.c > --- mail.maildir.c24 Oct 2018 19:26:23 -1.7 > +++ mail.maildir.c24 Nov 2018 16:58:03 - 
> @@ -37,23 +37,25 @@ > > static intmaildir_subdir(const char *, char *, size_t); > static voidmaildir_mkdirs(const char *); > -static voidmaildir_engine(const char *, int); > +static voidmaildir_engine(const char *, int, const char *); > static intmkdirs_component(const char *, mode_t); > static intmkdirs(const char *, mode_t); > > int > main(int argc, char *argv[]) > { > -intch; > -intjunk = 0; > +int ch; > +int junk = 0; > +char*header = NULL; > > if (! geteuid()) > errx(1, "mail.maildir: may not be executed as root"); > > -while ((ch = getopt(argc, argv, "j")) != -1) { > +while ((ch = getopt(argc, argv, "j:")) != -1) { > switch (ch) { > case 'j': > junk = 1; > +header = optarg; > break; > default: > break; > @@ -65,7 +67,7 @@ main(int argc, char *argv[]) > if (argc > 1) > errx(1, "mail.maildir: only one maildir is allowed"); > > -maildir_engine(argv[0], junk); > +maildir_engine(argv[0], junk, header); > > return (0); > } > @@ -107,7 +109,7 @@ maildir_mkdirs(const char *dirname) > } > > static void > -maildir_engine(const char *dirname, int junk) > +maildir_engine(const char *dirname, int junk, const char *header) > { > charrootpath[PATH_MAX]; > charjunkpath[PATH_MAX]; > @@ -182,7 +184,7 @@ maildir_engine(const char *dirname, int > line[strcspn(line, "\n")] = '\0'; > if (line[0] == '\0') > in_hdr = 0; > -if (junk && in_hdr && strcmp(line, "X-Spam: yes") == 0) > +if (junk && in_hdr && strcmp(line, header) == 0) > is_junk = 1; > fprintf(fp, "%s\n", line); > } > Index: smtpd.conf.5 > === > RCS file: /cvs/src/usr.sbin/smtpd/smtpd.conf.5,v > retrieving revision 1.206 > diff -u -p -u -r1.206 smtpd.conf.5 > --- smtpd.conf.58 Oct 2018 06:10:17 -1.206 > +++ smtpd.conf.524 Nov 2018 16:58:03 - 
> @@ -128,7 +128,7 @@ Optionally, > might be specified to use the > recipient email address (after expansion) instead of the > local user in the LMTP session as RCPT TO. > -.It Cm maildir Op Ar pathname Op Cm junk > +.It Cm maildir Op Ar pathname Op Cm junk header > Deliver the message to the maildir in > .Ar pathname > if specified, or by default to > @@ -142,7 +142,8 @@ may contain format specifiers that are e > If the > .Cm junk > argument is provided, the message will be moved to the Junk > -folder if it contains a positive X-Spam header. > +folder if it contains a positive match for the provided > +.Ar header . > .It Cm mbox > Deliver the message to the user's mbox with > .Xr mail.local 8 . > Index: parse.y > === > RCS file: /cvs/src/usr.sbin/smtpd/parse.y,v > retrieving revision 1.230 > diff -u -p -u -r1.230 parse.y > --- parse.y8 Nov 2018 13:24:22 -1.230 > +++ parse.y24 Nov 2018 16:58:04 - > @@ -662,8 +662,8 @@ MBOX { > | MAILDIR { > asprintf(&dispatcher->u.local.command, "/usr/libexec/mail.maildir"); > } dispatcher_local_options > -| MAILDIR JUNK { > -asprintf(&dispatcher->u.local.command, "/usr/libexec/mail.maildir -j"); > +| MAILDIR JUNK STRING { > +asprintf(&dispatcher->u.local.command, "/usr/libexec/mail.maildir -j > \"%s\"", $3); > } dispatcher_local_options > | MAILDIR STRING { > if (strncmp($2, "~/", 2) == 0) > @@ -673,13 +673,13 @@ MBOX { > asprintf(&dispatcher->u.local.command, > "/usr/libexec/mail.maildir \"%s\"", $2); > } dispatcher_local_options > -| MAILDIR STRI
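Review bot: in main() of mail.maildir.c, changing the getopt string from "j" to "j:" makes the argument mandatory, so an existing invocation of the form `mail.maildir -j pathname` now has its pathname consumed as the header string. Keep a bare -j working with the old "X-Spam: yes" default (a separate option letter for a custom header would do), or fail with a clear usage error when the old form is detected. The SYNOPSIS change in mail.maildir.8 should also mark the argument, as in `.Op Fl j Ar header`.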
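Review bot: in the maildir_engine() hunk at line 182, `strcmp(line, header) == 0` requires the whole header line to equal the configured string byte for byte, so a different case or extra whitespace (`X-Spam-Flag: yes`, `x-spam-flag: YES`) is missed, and the `X-Spam-Status: Yes, score=...` form raised earlier in the thread can never match because the text after the verdict varies per message. Compare the field name case-insensitively and decide whether the value is an exact or a prefix match, and document which one it is in mail.maildir.8.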
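Review bot: in the parse.y rule `MAILDIR JUNK STRING`, `$3` is pasted between `\"` and `\"` into the command string without escaping, so a configured header that contains a double quote, `$` or a backquote changes how the command line is split or expanded if that string is later handed to a shell, instead of arriving as one argument. Reject those characters in the grammar action or escape them before formatting. The rule also replaces the bare `MAILDIR JUNK` form, so existing `maildir junk` configurations stop parsing; keeping the old rule with the previous default avoids that. The new asprintf() call, like the ones around it, does not check its return value.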
Touchpad generate random input
-- /Thuban/
Re: Touchpad generate random input
Thomas Bohl gave me a solution : during boot, use the touchpad AND the keyboard. Then, everything works as expected. Here is the new dmesg :

Regards
Re: PATCH: cwm move window to {top,bottom}{left,right} corners
*/ > + xine = screen_area(sc, > + cc->geom.x + cc->geom.w / 2, > + cc->geom.y + cc->geom.h / 2, CWM_GAP); > + > + flags = cargs->flag; > + > + switch (flags) { > + case CWM_TOP_LEFT: > + cc->geom.x = xine.x; > + cc->geom.y = xine.y; > + client_move(cc); > + break; > + case CWM_BOTTOM_LEFT: > + cc->geom.x = xine.x; > + cc->geom.y = xine.y + xine.h - cc->geom.h - cc->bwidth * 2; > + client_move(cc); > + break; > + case CWM_TOP_RIGHT: > + cc->geom.x = xine.x + xine.w - cc->geom.w - cc->bwidth * 2; > + cc->geom.y = xine.y; > + client_move(cc); > + break; > + case CWM_BOTTOM_RIGHT: > + cc->geom.x = xine.x + xine.w - cc->geom.w - cc->bwidth * 2; > + cc->geom.y = xine.y + xine.h - cc->geom.h - cc->bwidth * 2; > + client_move(cc); > + break; > + default: > + warnx("invalid flags passed to kbfunc_client_move_edge"); > } > } > -- thuban signature.asc Description: PGP signature
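Review bot: in the CWM_TOP_RIGHT, CWM_BOTTOM_LEFT and CWM_BOTTOM_RIGHT cases, `xine.x + xine.w - cc->geom.w - cc->bwidth * 2` (and the matching y expression) drops below `xine.x` / `xine.y` when the client is larger than the screen area, which puts the window's top-left corner off-screen. Clamp the result to `xine.x` and `xine.y`. The four identical `client_move(cc)` calls can also be reduced to one call after the switch, with the default case returning after the warnx().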
Re: Community-driven OpenBSD tutorials wiki?
> Before I go and create anything - are there already a place similar to what
> I'm describing, where I could get myself involved? (I'm too junior to start
> suggesting changes and updates to the docs on OpenBSD.org, and I'm not sure
> they should be used for what I want to achieve.)

yes, see here : https://wiki.obsd4a.net/doku.php

It's mainly in french, but I don't know what is your favourite language.

regards

--
thuban
Re-compute bsd checksum
I disabled `ulpt` in the kernel using `config` to use a USB printer.

Now, at reboot, I see a "kernel relinking failed" message.
How to recreate the new checksum? I can't figure out where to find this information.

Any advice?

Regards.

--
thuban
Re: Re-compute bsd checksum
* Sterling Archer on [16-01-2018 21:35:56 +0100]:
> On Tue, Jan 16, 2018 at 9:08 PM, Thuban wrote:
> > I disabled `ulpt` in the kernel using `config` to use an USB-printer.
> >
> > Now, at reboot, I see "kernel relinking failed" message.
> > How to recreate the new checksum? I can't figure out where to find this
> > information.
> >
> > Any advice?
> >
> > Regards.
> >
> > --
> > thuban
>
> sha256 /bsd > /var/db/kernel.SHA256
>

thanks!
gzip compression and httpd/relayd
I'm very happy with relayd + httpd. Relayd deals with headers and httpd serves files.

I know httpd doesn't have gzip compression.

1. Do you know if it's planned in the future?
2. Does anyone have a workaround to advise?

regards

--
thuban
Re: gzip compression and httpd/relayd
Thank you for all answers, very interesting. I'll try to compress some files on my own, we'll see.

Regards

--
thuban
Re: gzip compression and httpd/relayd
> Yes it's possible. Make sure to set the appropriate HTTP headers as well
> with relayd: read "Accept-Encoding" and if it's acceptable set
> "Content-Encoding".

Indeed, it works.

relayd.conf :

    match response header "Accept-Encoding" value "gzip"
    match response header set "Content-Encoding" value "gzip"

Then :

    cd /var/www/htdocs/site
    gzip style.css && mv style.css.gz style.css

Now, open URL pointing to style.css, and here you go.

However, all your files must be gzipped, or the browser is unhappy.

Thanks a lot.
Re: gzip compression and httpd/relayd
* Stuart Henderson on [29-01-2018 08:14:03 +]:
> On 2018-01-28, Thuban wrote:
> >
> >> Yes it's possible. Make sure to set the appropriate HTTP headers as well
> >> with relayd: read "Accept-Encoding" and if it's acceptable set
> >> "Content-Encoding".
> >
> > Indeed, it works.
> >
> > relayd.conf :
> >
> > match response header "Accept-Encoding" value "gzip"
> > match response header set "Content-Encoding" value "gzip"
> >
> > Then :
> >
> > cd /var/www/htdocs/site
> > gzip style.css && mv style.css.gz style.css
> >
> > Now, open URL pointing to style.css, and here you go.
> >
> > However, all your files must be gzipped, or the browser is unhappy.
> >
> > Thanks a lot.
>
> Fun hack, but it's going to break for a browser that doesn't support gzip.
> Also it's a nice trap for the next admin that comes along (which may be your
> future self :)

The fun part comes when you trap script kiddies with gzip bomb:

- Create a bomb :
  `dd if=/dev/zero bs=1M count=10240 | gzip > surprise.html`
  (yeah, this is not html, but bots don't care)
- In html code, put something like

      Do NOT follow this link or you will have problems!

- In relayd.conf :

      match request header "Accept-Encoding" value "gzip"
      match request path "/surprise.html"
      match response header set "Content-Encoding" value "gzip"

A bot fetching "surprise.html" will see CPU usage increasing, too bad...

Regards.
roundcube and enigma [PGP]
Hi, Did anyone use enigma plugin with roundcube hosted on OpenBSD to deal with GPG? I can't figure exactly how to configure it with httpd chroot, even after copying gpg binaries in chroot. Regards -- thuban
Re: roundcube and enigma [PGP]
* jul on [03-02-2018 12:47:19 +0100]:
> Thuban wrote:
>
> > I can't figure exactly how to configure it with httpd chroot, even after
> > copying gpg binaries in chroot.
>
> Hello Thuban
>
> To know what to copy in the chroot, ldd(1) is your friend.

thanks, it works as expected now.

For the record :

    cd /var/www
    mkdir -p usr/local/lib
    mkdir -p usr/local/bin
    mkdir -p usr/lib
    mkdir -p usr/libexec
    mkdir dev

    # create /dev/null
    mknod dev/null c 1 3
    chmod 666 dev/null
    chown -R www:daemon dev/

    # copy files: each path listed by ldd goes to the same path below the chroot
    for i in $(ldd /usr/local/bin/gpg2 | awk '{if(NR>2)print $7}'); do
        cp "$i" "${i#/}"
    done
    for i in $(ldd /usr/local/bin/gpg-agent | awk '{if(NR>2)print $7}'); do
        cp "$i" "${i#/}"
    done
    # pinentry if required
    cp /usr/local/bin/pinentry usr/local/bin/

    cd plugins/enigma
    cp config.inc.php.dist config.inc.php
    #comment location of gpg binary
Re: roundcube and enigma [PGP]
* Thuban le [03-02-2018 18:38:27 +0100]: > * jul le [03-02-2018 12:47:19 +0100]: > > Thuban wrote: > > > > > I can't figure exactly how to configure it with httpd chroot, even after > > > copying gpg binaries in chroot. > > > > Hello Thuban > > > > To know what to copy in the chroot, ldd(1) is your friend. > > thanks, it works as expected now. > > For the record : > > cd /var/www > mkdir -p usr/local/lib > mkdir -p usr/local/bin > mkdir -p usr/lib > mkdir -p usr/libexec > mkdir dev > > # create /dev/null > mknod dev/null c 1 3 > chmod 666 dev/null > chown -R www:daemon dev/ > > # copy files > for i in $(ldd /usr/local/bin/gpg2 | awk '{if(NR>2)print $7}'); do cp > $i $(echo $i | cut -d'/' -f2); done > for i in $(ldd /usr/local/bin/gpg-agent | awk '{if(NR>2)print $7}'); do > cp $i $(echo $i | cut -d'/' -f2); done > # pinentry if required > cp /usr/local/bin/pinentry usr/local/bin/ > > cd plugins/enigma > cp config.inc.php.dist config.inc.php > #comment location of gpg binary well, almost work. GPG complains that he can't access to any entropy : GPG: ERROR: gpg: Fatal: no entropy gathering module detected Any idea ? Creating dev/urandom doesn't help -- thuban signature.asc Description: PGP signature
Flask app with chrooted httpd
Hi,

Did anyone use httpd to serve a flask app (python)?

I found this [1], but it's a little outdated (python < 3) and makes me wonder about safety, because of all those dependencies copied in chroot.

Any advice ?

Regards

--
thuban
Re: Flask app with chrooted httpd
I forgot the link, my bad:

[1] : http://www.hydrus.org.uk/journal/openbsd-httpd.html
Custom bsd.rd to include auto_install.conf
As mentioned in autoinstall(8),

"""
If either /auto_install.conf or /auto_upgrade.conf is found on bsd.rd's
built-in RAM disk, autoinstall behaves as if the machine is netbooted,
but uses the local response file.
"""

I would like to build a custom bsd.rd to include auto_install.conf file.

Do you have any advice for this ?
I found some tutorials for 5.7 [1], so quite outdated, and can't go through the entire process.

Regards.

[1] : http://mouedine.net/reinstall57/

--
thuban
Re: Custom bsd.rd to include auto_install.conf
Great, everything is in.
Thank you.

For the record, the relevant function is :

    uo_addfile() {
        local dest=${1}
        local src=${2}
        local vnd_n=0

        [ -r "${WRKDIR}/bsd.rd" ] || uo_err 2 "uo_addfile: no bsd.rd in WRKDIR"
        [ -r "${src}" ] || uo_err 1 "file not found: ${src}"

        uo_verbose "adding response file: ${dest}: ${src}"

        # extract ramdisk from bsd.rd
        elfrdsetroot -x "${WRKDIR}/bsd.rd" "${WRKDIR}/ramdisk"

        # create mountpoint
        mkdir "${WRKDIR}/ramdisk.d"

        # prepare ramdisk for mounting
        while ! uo_priv vnconfig "vnd${vnd_n}" "${WRKDIR}/ramdisk"; do
            vnd_n=$(( vnd_n + 1 ))
            [[ ${vnd_n} > 4 ]] && \
                uo_err 1 "no more vnd device available"
        done

        # mount ramdisk
        if ! uo_priv mount -o noperm "/dev/vnd${vnd_n}a" "${WRKDIR}/ramdisk.d"; then
            uo_priv vnconfig -u "vnd${vnd_n}" || true
            uo_err 1 "unable to mount: /dev/vnd${vnd_n}a"
        fi

        # copy the file
        if ! uo_priv install -m 644 -o root -g wheel -- \
            "${src}" "${WRKDIR}/ramdisk.d/${dest}"; then
            uo_priv umount "/dev/vnd${vnd_n}a" || true
            uo_priv vnconfig -u "vnd${vnd_n}" || true
            uo_err 1 "unable to copy: ${src}: ramdisk.d/${dest}"
        fi

        # umount vndX
        if ! uo_priv umount "/dev/vnd${vnd_n}a" ; then
            uo_priv vnconfig -u "vnd${vnd_n}" || true
            uo_err 1 "unable to umount: /dev/vnd${vnd_n}a"
        fi

        # unconfigure vndX
        if ! uo_priv vnconfig -u "vnd${vnd_n}" ; then
            uo_err 1 "unable to unconfigure: vnd${vnd_n}"
        fi

        # mountpoint cleanup (ensure it is empty)
        rmdir "${WRKDIR}/ramdisk.d"

        # put ramdisk back in bsd.rd
        elfrdsetroot "${WRKDIR}/bsd.rd" "${WRKDIR}/ramdisk"
    }

* Wesley MOUEDINE ASSABY on [23-02-2018 17:05:11 +0400]:
> Try 'upobsd' tool
> (http://ports.su/sysutils/upobsd)
> (https://maly.io/@semarie)
>
> /Wesley
>
>
> On 2018-02-23 17:01, Thuban wrote:
> > As mentioned in autoinstall(8),
> > """
> > If either /auto_install.conf or /auto_upgrade.conf is found on bsd.rd's
> > built-in RAM disk, autoinstall behaves as if the machine is netbooted,
> > but uses the local response file.
> > """
> >
> > I would like to build a custom bsd.rd to include auto_install.conf file.
> >
> > Do you have any advice for this ?
> > I found some tutorials for 5.7 [1], so quite outdated, and can't go
> > through
> > the entire process.
> >
> > Regards.
> >
> > [1] : http://mouedine.net/reinstall57/

--
thuban
Re: smtpd.conf and junk
* Gilles Chehade le [25-11-2018 15:30:20 +0100]: > On Wed, Nov 21, 2018 at 09:21:46PM +0100, Thuban wrote: > > * Gilles Chehade le [21-11-2018 21:06:39 +0100]: > > > On Wed, Nov 21, 2018 at 06:38:43PM +0100, Thuban wrote: > > > > * Edgar Pettijohn le [21-11-2018 11:32:43 > > > > -0600]: > > > > > > > > > > On Nov 21, 2018 8:22 AM, Thuban wrote: > > > > > > > > > > > > Hi, > > > > > > I can't figure how to make this "junk" argument to work as > > > > > > mentioned in The smtpd.conf manpages : > > > > > > > > > > > > If the junk argument is provided, the message will be > > > > > > moved to the Junk folder if it contains a positive X-Spam > > > > > > header. > > > > > > > > > > > > > > > > > > spams detected by spamassassin have multiple X-Spam-* headers, but > > > > > > aren't placed > > > > > > into Junk folder. > > > > > > > > > > > > Any advice ? > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > ?? thuban > > > > > > > > > > > It looks for a header matching: > > > > > > > > > > X-Spam: Yes > > > > > > > > > > You may need to configure spamassassin to write it that way. I > > > > > believe that the default is different, but I can't check right now. > > > > > > > > > > > > > I tried to add this in spamassassin.conf [0] : > > > > > > > > add_header spam X-Spam > > > > > > > > But if you read the link [0] closely, it can't work because > > > > spamassassin add > > > > headers "X-Spam-someting", never "X-Spam" : > > > > > > > > All headers begin with X-Spam- (so a header_name Foo will > > > > generate a header called X-Spam-Foo) > > > > > > > > I guess the "junk" keyword in smtpd.conf was written to be handy, so I > > > > miss > > > > something. Where ? > > > > > > > > > > You didn't miss anything, the maildir agent only supports X-Spam headers > > > as of today so this will need a diff to support SpamAssassin if it can't > > > generate a X-Spam header. > > > > > > > Okay, thanks, I doubt since english is not my main language. 
> > > > > SpamAssassin wasn't a target when I wrote that feature but it's just one > > > diff away ;-) > > > > > > > Just need to check "X-Spam-Flag: YES" or "X-Spam-Status: Yes,.*" then. > > > > Just curious, what was the target of that 'junk' feature ? rspamd ? Another > > ? > > > > Regards. > > > > in -current, maildir junk now recognizes X-Spam-Flag: YES Thank you, I'll give it a try. For now, I use dovecot + lmtp and sieve for this (a bit too much...)
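The header check discussed in this thread and in the "mail.maildir junk patches" thread, written out as an added example (it is not code from mail.maildir.c): it accepts the three spellings mentioned above, and only inside the header section, so a body line cannot trigger it. The rule table, the function names and the case-insensitive comparison are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

struct junk_rule {
	const char *name;	/* header field name, without the colon */
	const char *value;	/* verdict that marks the message as junk */
	int	    prefix;	/* 1: the value only has to start with it */
};

/* Spellings named in the thread; comparing them case-insensitively
 * is an assumption of this example. */
static const struct junk_rule junk_rules[] = {
	{ "X-Spam",        "yes",  0 },
	{ "X-Spam-Flag",   "YES",  0 },
	{ "X-Spam-Status", "Yes,", 1 },	/* "Yes, score=... required=..." */
};

/* Check one header line of length len (no trailing '\n'). */
static int
header_is_junk(const char *line, size_t len)
{
	const char *colon = memchr(line, ':', len);
	const char *val;
	size_t i, namelen, vallen, want;

	if (colon == NULL)
		return 0;
	namelen = (size_t)(colon - line);
	val = colon + 1;
	vallen = len - namelen - 1;

	/* strip blanks around the value, and the '\r' of a CRLF line */
	while (vallen > 0 && (*val == ' ' || *val == '\t')) {
		val++;
		vallen--;
	}
	while (vallen > 0 && (val[vallen - 1] == ' ' ||
	    val[vallen - 1] == '\t' || val[vallen - 1] == '\r'))
		vallen--;

	for (i = 0; i < sizeof(junk_rules) / sizeof(junk_rules[0]); i++) {
		const struct junk_rule *r = &junk_rules[i];

		if (strlen(r->name) != namelen ||
		    strncasecmp(line, r->name, namelen) != 0)
			continue;
		want = strlen(r->value);
		if (r->prefix ? vallen < want : vallen != want)
			continue;
		if (strncasecmp(val, r->value, want) == 0)
			return 1;
	}
	return 0;
}

/* Scan the header section of a message held in memory. */
int
message_is_junk(const char *msg)
{
	const char *p = msg, *eol;
	size_t len;

	while (*p != '\0') {
		eol = strchr(p, '\n');
		len = eol ? (size_t)(eol - p) : strlen(p);

		/* an empty line (LF or CRLF) ends the headers */
		if (len == 0 || (len == 1 && p[0] == '\r'))
			return 0;
		/* folded continuation lines belong to the previous header */
		if (p[0] != ' ' && p[0] != '\t' && header_is_junk(p, len))
			return 1;
		if (eol == NULL)
			break;
		p = eol + 1;
	}
	return 0;
}

int
main(void)
{
	/* Constructed sample messages, not taken from the thread. */
	const char *spam =
	    "Received: from mx.example\n"
	    "X-Spam-Flag: YES\n"
	    "X-Spam-Status: Yes, score=7.1 required=5.0\n"
	    "Subject: sample\n\nbody\n";
	const char *ham =
	    "X-Spam-Status: No, score=1.19 required=5.0\n"
	    "Subject: sample\n\n"
	    "X-Spam-Flag: YES\n";	/* body text, must be ignored */

	printf("spam sample -> %d\n", message_is_junk(spam));
	printf("ham sample  -> %d\n", message_is_junk(ham));
	return 0;
}
```
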
iked for travelling clients
ed 0 length 8 type INTEGR id HMAC_SHA2_512_256 ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96 ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 64 ikev2_pld_ts: count 2 length 56 ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535 ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255 ikev2_pld_ts: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 65535 ikev2_pld_ts: start :: end ::::::: ikev2_pld_payloads: decrypted payload TSr nextpayload NOTIFY critical 0x00 length 64 ikev2_pld_ts: count 2 length 56 ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535 ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255 ikev2_pld_ts: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 65535 ikev2_pld_ts: start :: end ::::::: ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 8 ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 8 ikev2_pld_notify: protoid NONE spisize 0 type NO_ADDITIONAL_ADDRESSES ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 8 ikev2_pld_notify: protoid NONE spisize 0 type EAP_ONLY_AUTHENTICATION ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00 length 8 ikev2_pld_notify: protoid NONE spisize 0 type IKEV2_MESSAGE_ID_SYNC_SUPPORTED sa_stateok: SA_INIT flags 0x, require 0x policy_lookup: peerid 'test' ikev2_msg_auth: responder auth data length 515 ca_setauth: auth length 515 ikev2_sa_negotiate: score 0 ikev2_sa_negotiate: score 4 sa_stateflags: 0x0024 -> 0x0024 certreq,sa (required 0x ) config_free_proposals: free 0x1709115c1a00 config_free_proposals: free 0x17094e007000 ca_getreq: no valid local certificate found ca_setauth: auth length 256 ikev2_getimsgdata: imsg 20 rspi 0x72e7d26735a1b6e8 
ispi 0x515201836a3a178d initiator 0 sa valid type 0 data length 0 ikev2_dispatch_cert: cert type NONE length 0, ignored ikev2_getimsgdata: imsg 25 rspi 0x72e7d26735a1b6e8 ispi 0x515201836a3a178d initiator 0 sa valid type 1 data length 256 ikev2_dispatch_cert: AUTH type 1 len 256 sa_stateflags: 0x0024 -> 0x002c certreq,auth,sa (required 0x ) ikev2_recv: IKE_AUTH request from initiator 176.180.81.105:19761 to 46.23.92.147:4500 policy 'warrior' id 1, 3536 bytes ikev2_recv: ispi 0x515201836a3a178d rspi 0x72e7d26735a1b6e8 Any advice please ? -- thuban
iked : pf.conf rule for outgoing traffic
Hi,
I need help to write a correct rule in pf.conf.

I want :

    A -> B --> web

The appearing IP of A is the B's one on the web.

I managed to configure iked on A and B using default pubkeys according
to Stuart Henderson advices.

iked.conf on A :

    ikev2 active ipcomp esp \
        from 192.168.100.0/16 to 0.0.0.0/0 \
        peer "xx.xx.xx.xx" \
        srcid "m...@moria.lan" \
        dstid "B-hostname.tld" \
        tag IKED

iked.conf on B :

    ikev2 "warrior" passive esp \
        from 0.0.0.0/0 to 0.0.0.0/0 \
        local xx.xx.xx.xx peer any \
        srcid "B-hostname.tld" \
        tag IKED

Auth works as expected :

    # iked -vvd
    ...
    sa_state: VALID -> ESTABLISHED from xx.xx.xx.xx:4500 to 192.168.100.122:4500 policy 'policy1'
    ...

But I can't reach internet from A through B.

Here is the pf.conf on B (at least a small part of it)

    pass out on egress \
        from any to any tagged IKED \
        nat-to (egress)

I guess the issue is in my pf.conf. What do you think ?

Any advice?

Regards.

--
thuban
Re: iked : pf.conf rule for outgoing traffic
* Thuban le [02-12-2018 19:16:09 +0100]: > Hi, > I need help to write a correct rule in pf.conf. > > I want : > > A -> B --> web > > The appearing IP of A is the B's one on the web. > > I managed to configure iked on A and B using default pubkeys according > to Stuart Henderson advices. > > iked.conf on A : > > ikev2 active ipcomp esp \ > from 192.168.100.0/16 to 0.0.0.0/0 \ > peer "xx.xx.xx.xx" \ > srcid "m...@moria.lan" \ > dstid "B-hostname.tld" \ > tag IKED > > iked.conf on B : > > ikev2 "warrior" passive esp \ > from 0.0.0.0/0 to 0.0.0.0/0 \ > local xx.xx.xx.xx peer any \ > srcid "B-hostname.tld" \ > tag IKED > > Auth works as expected : > > # iked -vvd > .. > sa_state: VALID -> ESTABLISHED from xx.xx.xx.xx:4500 to 192.168.100.122:4500 > policy 'policy1' > .. > > > But I can't reach internet from A through B. > > Here is the pf.conf on B (at least a small part of it) > > pass out on egress \ > from any to any tagged IKED \ > nat-to (egress) > > I'm still stuck at the same point. Can someone give me an example of a working configuration natting ot Internet? Regards.
Re: iked : pf.conf rule for outgoing traffic
* Stuart Henderson on [06-12-2018 13:44:50 +]:
> On 2018-12-06, Thuban wrote:
> > * Thuban on [02-12-2018 19:16:09 +0100]:
> >> Hi,
> >> I need help to write a correct rule in pf.conf.
> >>
> >> I want :
> >>
> >>     A -> B --> web
> >>
> >> The appearing IP of A is the B's one on the web.
> >>
> >> I managed to configure iked on A and B using default pubkeys according
> >> to Stuart Henderson advices.
> >>
> >> iked.conf on A :
> >>
> >>     ikev2 active ipcomp esp \
> >>         from 192.168.100.0/16 to 0.0.0.0/0 \
> >>         peer "xx.xx.xx.xx" \
> >>         srcid "m...@moria.lan" \
> >>         dstid "B-hostname.tld" \
> >>         tag IKED
> >>
> >> iked.conf on B :
> >>
> >>     ikev2 "warrior" passive esp \
> >>         from 0.0.0.0/0 to 0.0.0.0/0 \
> >>         local xx.xx.xx.xx peer any \
> >>         srcid "B-hostname.tld" \
> >>         tag IKED
> >>
> >> Auth works as expected :
> >>
> >>     # iked -vvd
> >>     ..
> >>     sa_state: VALID -> ESTABLISHED from xx.xx.xx.xx:4500 to
> >>     192.168.100.122:4500 policy 'policy1'
> >>     ..
> >>
> >>
> >> But I can't reach internet from A through B.
> >>
> >> Here is the pf.conf on B (at least a small part of it)
> >>
> >>     pass out on egress \
> >>         from any to any tagged IKED \
> >>         nat-to (egress)
> >>
> >>
> >
> > I'm still stuck at the same point.
> > Can someone give me an example of a working configuration natting to
> > Internet?
>
> I used this,
>
> pass in on enc0 inet from $some_net
> pass out quick on egress inet received-on enc0 nat-to $some_address
>
> Also I don't remember what you've already said you checked, but
> make sure you have sysctl net.inet.ip.forwarding=1.
>

Thank you.
Yes, I do have ip.forwarding=1.

I'm confused how to replace "$some_address". Isn't it "(egress)" ?

Regards.
Re: iked : pf.conf rule for outgoing traffic
* Stuart Henderson le [10-12-2018 18:19:41 +]: > On 2018-12-07, Thuban wrote: > > * Stuart Henderson le [06-12-2018 13:44:50 +]: > >> On 2018-12-06, Thuban wrote: > >> > * Thuban le [02-12-2018 19:16:09 +0100]: > >> >> Hi, > >> >> I need help to write a correct rule in pf.conf. > >> >> > >> >> I want : > >> >> > >> >> A -> B --> web > >> >> > >> >> The appearing IP of A is the B's one on the web. > >> >> > >> >> I managed to configure iked on A and B using default pubkeys according > >> >> to Stuart Henderson advices. > >> >> > >> >> iked.conf on A : > >> >> > >> >> ikev2 active ipcomp esp \ > >> >> from 192.168.100.0/16 to 0.0.0.0/0 \ > >> >> peer "xx.xx.xx.xx" \ > >> >> srcid "m...@moria.lan" \ > >> >> dstid "B-hostname.tld" \ > >> >> tag IKED > >> >> > >> >> iked.conf on B : > >> >> > >> >> ikev2 "warrior" passive esp \ > >> >> from 0.0.0.0/0 to 0.0.0.0/0 \ > >> >> local xx.xx.xx.xx peer any \ > >> >> srcid "B-hostname.tld" \ > >> >> tag IKED > >> >> > >> >> Auth works as expected : > >> >> > >> >> # iked -vvd > >> >> .. > >> >> sa_state: VALID -> ESTABLISHED from xx.xx.xx.xx:4500 to > >> >> 192.168.100.122:4500 policy 'policy1' > >> >> .. > >> >> > >> >> > >> >> But I can't reach internet from A through B. > >> >> > >> >> Here is the pf.conf on B (at least a small part of it) > >> >> > >> >> pass out on egress \ > >> >> from any to any tagged IKED \ > >> >> nat-to (egress) > >> >> > >> >> > >> > > >> > I'm still stuck at the same point. > >> > Can someone give me an example of a working configuration natting ot > >> > Internet? > >> > >> I used this, > >> > >> pass in on enc0 inet from $some_net > >> pass out quick on egress inet received-on enc0 nat-to $some_address > >> > >> Also I don't remember what you've already said you checked, but > >> make sure you have sysctl net.inet.ip.forwarding=1. > >> > > > > Thank you. > > Yes, I do have ip.forwarding=1. > > > > I'm confused how to replace "$some_address". Isn't it "(egress)" ? > > > > Regards. 
> > > > > > It depends on what you want - I was just giving you the working example > you asked for :-) > > in my case I want to nat to a specific address, and not track the > address/es on any egress interfaces. > > Okay, got it, it works as expected. Thank you :)
re0 issue : system freeze
Hi, I have an issue on my server : after a while, it seems down and freeze. I have no SSH access because it's offline, I only can reboot it. Looking in /var/log/messages, I see "/bsd: re0: watchdog timeout". Instead of replacing the network card, what can I do to solve this issue? Below more information : * OpenBSD 6.4 -stable amd64 * Last lines of /var/log/daemon before crash : Dec 13 23:44:46 ledzep spamd[40106]: 198.71.246.20: disconnected after 433 seconds. lists: spamd-greytrap Dec 13 23:45:47 ledzep spamd[40106]: 64.90.177.115: connected (1/0) Dec 13 23:46:00 ledzep spamd[40106]: (GREY) 64.90.177.115: -> Dec 13 23:46:00 ledzep spamd[40106]: 64.90.177.115: disconnected after 13 seconds. Dec 13 23:47:30 ledzep spamd[40106]: 198.71.246.20: connected (1/1), lists: spamd-greytrap Dec 13 23:47:38 ledzep spamd[40106]: 37.252.72.189: connected (2/2), lists: nixspam Dec 13 23:47:41 ledzep spamd[40106]: 86.125.112.183: connected (3/3), lists: nixspam Dec 13 23:47:42 ledzep spamd[40106]: 37.252.72.189: disconnected after 4 seconds. lists: nixspam Dec 13 23:47:45 ledzep spamd[40106]: 86.125.112.183: disconnected after 4 seconds. lists: nixspam Dec 13 23:51:41 ledzep spamd[40106]: (BLACK) 198.71.246.20: -> Dec 13 23:53:36 ledzep spamd[40106]: 198.71.246.20: From: Matomo Analytics Dec 13 23:53:36 ledzep spamd[40106]: 198.71.246.20: To: maxime...@3hg.fr Dec 13 23:53:36 ledzep spamd[40106]: 198.71.246.20: Subject: Matomo Tag Manager now available on Matomo 3.7.0 for free Dec 13 23:54:48 ledzep spamd[40106]: 198.71.246.20: disconnected after 438 seconds. 
lists: spamd-greytrap * Part of /var/log/message around crash time : Dec 11 23:22:30 ledzep /bsd: re0: watchdog timeout Dec 11 23:22:31 ledzep bgpd[70451]: neighbor 217.31.80.170: sending notification: HoldTimer expired Dec 11 23:22:31 ledzep bgpd[70451]: neighbor 64.142.121.62: sending notification: HoldTimer expired Dec 11 23:30:34 ledzep /bsd: re0: watchdog timeout Dec 11 23:31:44 ledzep /bsd: re0: watchdog timeout Dec 11 23:31:44 ledzep bgpd[70451]: neighbor 217.31.80.170: sending notification: HoldTimer expired Dec 11 23:31:44 ledzep bgpd[70451]: neighbor 64.142.121.62: sending notification: HoldTimer expired Dec 11 23:36:49 ledzep bgpd[70451]: neighbor 2a00:15a8:0:100:0:d91f:50aa:1: session_connect socket: No buffer space available Dec 11 23:38:53 ledzep bgpd[70451]: neighbor 2a00:15a8:0:100:0:d91f:50aa:1: session_connect socket: No buffer space available Dec 11 23:40:57 ledzep bgpd[70451]: neighbor 2a00:15a8:0:100:0:d91f:50aa:1: session_connect socket: No buffer space available Dec 11 23:45:00 ledzep last message repeated 2 times Dec 11 23:50:26 ledzep /bsd: re0: watchdog timeout Dec 11 23:51:03 ledzep bgpd[70451]: neighbor 217.31.80.170: sending notification: HoldTimer expired Dec 11 23:51:04 ledzep bgpd[70451]: neighbor 64.142.121.62: sending notification: HoldTimer expired Dec 11 23:51:41 ledzep /bsd: re0: watchdog timeout Dec 11 23:53:48 ledzep /bsd: re0: watchdog timeout Dec 11 23:55:05 ledzep bgpd[70451]: neighbor 217.31.80.170: connect: No route to host Dec 11 23:55:05 ledzep bgpd[70451]: neighbor 64.142.121.62: connect: No route to host Dec 11 23:57:37 ledzep /bsd: re0: watchdog timeout Dec 11 23:59:13 ledzep /bsd: re0: watchdog timeout Dec 12 00:00:38 ledzep last message repeated 2 times Dec 12 00:01:13 ledzep nsd[87909]: sendto 80.67.169.40 failed: No route to host Dec 12 00:01:14 ledzep last message repeated 5 times Dec 12 00:01:35 ledzep bgpd[70451]: neighbor 217.31.80.170: received notification: HoldTimer expired Dec 12 00:01:36 ledzep 
bgpd[70451]: neighbor 64.142.121.62: received notification: HoldTimer expired Dec 12 00:03:16 ledzep /bsd: re0: watchdog timeout Dec 12 00:05:12 ledzep /bsd: re0: watchdog timeout Dec 12 00:06:19 ledzep /bsd: re0: watchdog timeout Dec 12 00:17:32 ledzep last message repeated 7 times Dec 12 00:21:59 ledzep last message repeated 4 times * dmesg : OpenBSD 6.4 (GENERIC.MP) #1: Mon Nov 26 10:18:14 CET 2018 r...@syspatch-64-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP real mem = 2019500032 (1925MB) avail mem = 1949073408 (1858MB) mpath0 at root scsibus0 at mpath0: 256 targets mainbus0 at root bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xebf00 (51 entries) bios0: vendor American Megatrends Inc. version "F4" date 07/15/2014 bios0: GIGABYTE GB-BXBT-2807 acpi0 at bios0: rev 2 acpi0: sleep states S0 S3 S4 S5 acpi0: tables DSDT FACP APIC FPDT MCFG LPIT HPET SSDT SSDT SSDT UEFI acpi0: wakeup devices XHC1(S4) PXSX(S4) PXSX(S4) PXSX(S4) PXSX(S4) PWRB(S0) BRCM(S0) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: Intel(R) Celeron(R) CPU N2807 @ 1.58GHz, 1583.70 MHz, 06-37-08 cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,D
spamd and low priority MX
Hello,

I ran into the spamd "-M" flag in the manpage, and I'm not sure I understand it correctly.

On the server with the highest priority (lower MX), I must set "-M nn.nn.nn.nn" where nn.nn.nn.nn is the IP of a lower priority MX?

If there is more than one backup MX (lower priority), can the -M flag be called more than once?

Am I wrong?

Regards.

thuban
[bug?] cwm mouse can't leave dialog window
Hi, I'm not sure where to post this as I'm not sure it's a bug related to cwm. The mouse pointer can't leave some windows. How to reproduce : 1. Open libreoffice 2. Try to open a new document 3. The mouse pointer can't move out of the dialog window. Attached is a screencast of what's happening to me. Am I the only one ? Any suggestion to solve this ? -- thuban
Re: How to synchronise 2 spamd instances
* Otto Moerbeek le [21-04-2019 12:49:07 +0200]: > On Sun, Apr 21, 2019 at 09:53:52AM +, Mik J wrote: > > > Hello, > > I read the man but it's not so clear to me > > https://man.openbsd.org/spamd#SYNCHRONISATION > > a) I chose unicast synchronisation but I don't know which port should I > > open on the firewall ? > > Is it going to use the spamd-cfg service ? > > It will use spamd-sync (udp port 8025) Good to know, I was blocking this traffic. It might be interesting to add a word about this in the manpage, what do you think?
ulpt vs kernel relinking
Hi,

I have a printer that requires ulpt to be disabled, as mentioned in /usr/local/share/doc/pkg-readmes/cups. And it works.

    # config -fe /bsd
    disable ulpt
    quit

After a reboot, I can notice:

    reorder_kernel: kernel relinking failed; see /usr/share/relink/kernel/GENERIC.MP/relink.log

Ok, so I run, as mentioned in the above file:

    sha256 -h /var/db/kernel.SHA256 /bsd

However, at next reboot, ulpt is reenabled.

How can I still have KARL and use my printer?

--
thuban
Re: ulpt vs kernel relinking
* Antoine Jacoutot le [10-05-2019 14:41:08 +0200]: > On Thu, May 09, 2019 at 11:41:17PM -0600, Theo de Raadt wrote: > > config -e is incompatible with the KARL relinking sequence. > > > > For now, we consider KARL more valuable than config -e usage > > patterns. > > > > We've thought about this but for now we don't have a clever > > solution to solve this. > Thanks for enlightenment. > Usual disclaimer, you're on your own etc... > You can probably do something like this in /etc/rc.shutdown: > > printf 'disable ulpt\nq\n' | config -ef /bsd > sha256 /bsd >/var/db/kernel.SHA256 Indeed, this removes warnings. Thank you.
pf rule for openvpn
Hi,

I have an openvpn server running and working, but can't go "outside" the server to access the web.

To configure the server, I followed this: http://2f30.org/guides/openvpn.html

So ip forwarding is active, vpn port is open, clients can connect to the vpn. But they can't access wwweb.

I guess the problem comes from this pf rule:

    pass out on $ext_if from 10.8.0.0/24 to any nat-to ($ext_if)

I've been on this issue for too many hours to have a clear mind on this. Any advice to find why I'm stuck on the server?

Regards.
Re: pf rule for openvpn
* obsd le [23-10-2016 21:13:19 +0200]:
> On 23-10-2016 at 17:01, Thuban wrote:
> > Hi,
> > I have an openvpn server running and working, but can't
> > go "outside" the server to access the web.
> >
> > To configure the server, I followed this :
> > http://2f30.org/guides/openvpn.html
> >
> > So ip forwarding is active, vpn port is open, clients can connect to the
> > vpn. But they can't access wwweb.
> >
> > I guess the problem comes from this pf rule :
> >
> > pass out on $ext_if from 10.8.0.0/24 to any nat-to ($ext_if)
> >
> > I've been on this issue for too many hours to have a clear mind on this.
> > Any advice to find why I'm stuck on the server?
> >
> > Regards.
> >
> How about a rule that permits tunnel traffic to go out? How about a rule
> that permits the traffic to come in on the tunnel?
>

Here are the relevant parts of my pf.conf:

    ext_if = "re0"
    tcp_pass = "{ gopher ipp 8000 }"
    udp_pass = "{ 1194 }"
    pass in quick on $ext_if proto tcp to any port $tcp_pass keep state
    pass in quick on $ext_if proto udp to any port $udp_pass keep state
    pass out on $ext_if from 10.8.0.0/24 to any nat-to $ext_if
    pass out on $ext_if proto { tcp udp icmp } all modulate state

Traffic comes in $ext_if on port 1194. There, it goes in the tunnel. The nat-to directive forwards the traffic to $ext_if, which is supposed to go out.

I feel I miss something here... :/

--
/Thuban/
Re: pf rule for openvpn
* Predrag Punosevac le [23-10-2016 20:18:27 -0400]:
> On 23-10-2016 at 17:01, Thuban wrote:
> > Hi,
> > I have an openvpn server running and working, but can't
> > go "outside" the server to access the web.
> >
> > To configure the server, I followed this :
> > http://2f30.org/guides/openvpn.html
> >
> > So ip forwarding is active, vpn port is open, clients can connect to the
> > vpn. But they can't access wwweb.
> >
> > I guess the problem comes from this pf rule :
> >
> > pass out on $ext_if from 10.8.0.0/24 to any nat-to ($ext_if)
> >
> > I've been on this issue for too many hours to have a clear mind on this.
> > Any advice to find why I'm stuck on the server?
> >
> > Regards.
> >
>
> Hi,
>
> I saw your e-mail this morning but I had no idea what to make out of it
> as I am confused about your network topology. I was also not impressed
> that you were following some howto from the internet. Both PF and
> OpenVPN are well documented. Grab the books and read it.
>

The link to the howto was to avoid long explanations. Anyway, here is some more information. I'm pretty sure I'm wrong to redirect packets.

What I want is this: VPN Clients -> Server -> Web, simply.

openvpn configuration:

    dev tun0
    server 10.8.0.0 255.255.255.0
    push "dhcp-option DNS 80.67.169.12"
    push "redirect-gateway def1"
    ca /etc/openvpn/certs/ca.crt
    cert /etc/openvpn/certs/server.crt
    key /etc/openvpn/private/server.key
    dh /etc/openvpn/dh.pem
    crl-verify /etc/openvpn/crl.pem
    daemon openvpn
    group _openvpn
    user _openvpn
    keepalive 10 120
    management 127.0.0.1 1195 /etc/openvpn/private/mgmt.pwd
    max-clients 100
    persist-key
    persist-tun
    port 1194
    proto udp
    comp-lzo
    client-cert-not-required
    username-as-common-name
    script-security 3 system
    auth-user-pass-verify /usr/local/libexec/openvpn_bsdauth via-env
    auth-nocache
    log-append /var/log/openvpn/openvpn.log
    status /var/log/openvpn/openvpn-status.log
    verb 3

/etc/pf.conf:

    ext_if = "re0"                          # interface
    ssh_port = ""                           # ssh port
    http_ports = "{ www https }"            # http(s) ports
    mail_ports = "{ submission imaps }"     # mail ports
    tcp_pass = "{ gopher ipp 8000 }"        # open tcp ports
    udp_pass = "{ 1194 }"                   # open udp ports

    set block-policy drop                   # drop silently
    set skip on lo                          # no filtering on loopback
    set limit table-entries 40

    ## tables for the nasty bruteforcers
    table persist
    table persist
    table persist

    # antispam with greylisting
    table persist
    table persist file "/etc/mail/nospamd"
    table persist

    ## Packet processing ##
    match in all scrub (no-df)              # partial packets
    block in quick from urpf-failed

    ## Firewall rules ##
    # block everything by default
    block log all

    # block blacklisted IPs
    block in log quick proto tcp from to any port $http_ports
    block in log quick proto tcp from to any port $ssh_port

    # antispam
    pass in on $ext_if proto tcp from any to any port smtp \
        divert-to 127.0.0.1 port spamd
    pass in on $ext_if proto tcp from to any port smtp
    pass in on $ext_if proto tcp from to any port smtp
    pass in quick on $ext_if proto tcp from to any port smtp

    # If more than 3 connections every 60 seconds on the ssh port,
    # add the IP to block it.
    pass in on $ext_if proto tcp to any port $ssh_port flags S/SA keep state \
        (max-src-conn-rate 5/60, overload flush global)

    # If more than 50 connections every 5 seconds on the http(s) ports,
    # or if it tries to connect more than 100 times,
    # add the IP to block it.
    pass in on $ext_if proto tcp to any port $http_ports flags S/SA keep state \
        (max-src-conn-rate 50/5, overload flush)

    # Bruteforce protection for mail
    pass in on $ext_if proto tcp to any port $mail_ports flags S/SA keep state \
        (max-src-conn-rate 10/60, overload flush global)

    # allow ping
    pass quick inet6 proto ipv6-icmp all icmp6-type { echoreq, unreach }
    pass quick inet proto icmp all icmp-type { echoreq, unreach }

    # open the other ports
    pass in quick on $ext_if proto tcp to any port $tcp_pass keep state
    pass in quick on $ext_if proto udp to any
Re: pf rule for openvpn
> # tcpdump -e -ttt -ni pflog0 action block
>
> You will be able to see what exactly is being blocked :)
>

That's my problem, nothing seems blocked, tcpdump returns nothing about my requests to reach the outside web. I'm stuck.

Please find below my full pf.conf in case I missed something:

    ext_if = "re0"                          # interface
    tun_if = "tun0"                         # vpn
    ssh_port = ""                           # ssh port
    http_ports = "{ www https }"            # http(s) ports
    mail_ports = "{ submission imaps }"     # mail ports
    tcp_pass = "{ gopher ipp 8000 }"        # open tcp ports
    udp_pass = "{ 1194 }"                   # open udp ports

    set block-policy drop                   # drop silently
    set skip on lo                          # no filtering on loopback
    set limit table-entries 40

    ## tables for the nasty bruteforcers
    table persist
    table persist
    table persist

    # antispam with greylisting
    table persist
    table persist file "/etc/mail/nospamd"
    table persist

    ## Packet processing ##
    match in all scrub (no-df)              # partial packets
    block in quick from urpf-failed

    ## Firewall rules ##
    # block everything by default
    block log all

    # block blacklisted IPs
    block in log quick proto tcp from to any port $http_ports
    block in log quick proto tcp from to any port $ssh_port

    # antispam
    pass in on $ext_if proto tcp from any to any port smtp \
        divert-to 127.0.0.1 port spamd
    pass in on $ext_if proto tcp from to any port smtp
    pass in on $ext_if proto tcp from to any port smtp
    pass in quick on $ext_if proto tcp from to any port smtp

    # If more than 3 connections every 60 seconds on the ssh port,
    # add the IP to block it.
    pass in on $ext_if proto tcp to any port $ssh_port flags S/SA keep state \
        (max-src-conn-rate 5/60, overload flush global)

    # If more than 50 connections every 5 seconds on the http(s) ports,
    # or if it tries to connect more than 100 times,
    # add the IP to block it.
    pass in on $ext_if proto tcp to any port $http_ports flags S/SA keep state \
        (max-src-conn-rate 50/5, overload flush)

    # Bruteforce protection for mail
    pass in on $ext_if proto tcp to any port $mail_ports flags S/SA keep state \
        (max-src-conn-rate 10/60, overload flush global)

    # allow ping
    pass quick inet6 proto ipv6-icmp all icmp6-type { echoreq, unreach }
    pass quick inet proto icmp all icmp-type { echoreq, unreach }

    # open the other ports
    pass in quick on $ext_if proto tcp to any port $tcp_pass keep state
    pass in quick on $ext_if proto udp to any port $udp_pass keep state

    # vpn
    pass in quick on $tun_if keep state
    pass out on $ext_if from 10.8.0.0/24 to any nat-to ($ext_if)

    # everything allowed outbound
    pass out on $ext_if proto { tcp udp icmp } all modulate state

Regards

--
/Thuban/
Re: pf rule for openvpn
* Thuban le [25-10-2016 10:41:27 +0200]:
> > # tcpdump -e -ttt -ni pflog0 action block
> >
> > You will be able to see what exactly is being blocked :)
> >

Okay, I'm just too stupid. I can access the wwweb through my VPN. I just can't ping, which is not a problem and seems logical according to my pf.conf.

Sorry for the noise.

Regards.

--
/Thuban/
Re: Slow wifi
* George Pediaditis le [10-11-2016 23:43:20 +0200]:
> thanks for the reply. I will try it next week when I have more time.
> If that doesn't work I'm thinking if it's possible to go from current
> back to stable. If I try current and I have problems. It looks
> possible but it isn't in FAQ
> https://www.openbsd.org/faq/faq5.html#Flavors
> I'm wondering if I'm missing something.

No, I don't think that's possible. It's safer to do a clean install of -release.

--
/Thuban/
Custom installation iso
Hello,

I currently use customized install60.iso images with a site60.tgz set. It works quite well, but I need to include some packages in the site60.tgz set.

For now, I used pkg_add in a rc.firsttime script, but it requires internet access at first boot, and it's not handy.

Do you have any advice to include packages with dependencies in an install cd?

Regards.

thuban
Re: Custom installation iso
* Stuart Henderson le [31-12-2016 21:08:13 +]:
> On 2016-12-31, Thuban wrote:
> > Hello,
> > I currently use customized install60.iso images with site60.tgz set. It
> > works quite well, but I need to include in site60.tgz set some packages.
> >
> > For now, I used pkg_add in a rc.firsttime script, but it requires an
> > internet access at first boot, and it's not handy.
> >
> > Do you have any advice to include packages with dependencies in an
> > install cd ?
>
> You can use siteXX.tgz to create a directory containing the tgz files
> for the packages you need (include the "quirks" package too). You probably
> still want to do the installation from rc.firsttime, you can do something
> like "PKG_PATH=/path/to/pkgs/ pkg_add [...]".
>

This last solution is great. I just had to write a script to find every dependency of each package, but once it's done, everything works as expected.

Thanks.

Regards

--
/Thuban/
installXX.fs build
Hi,

Just out of curiosity, I was wondering how the installXX.fs file is built?

Regards.

--
/Thuban/
Re: installXX.fs build
* Jiri B le [27-01-2017 17:01:17 -0500]:
> On Fri, Jan 27, 2017 at 08:29:08PM +0100, Thuban wrote:
> > Hi,
> >
> > Just out of curiosity, I was wondering how the installXX.fs file is built?
>
> https://github.com/openbsd/src/blob/master/distrib/amd64/iso/Makefile#L9
>
> j.

Thanks.
relayd and letsencrypt certificates
Hello,

I can't figure how to use letsencrypt certificates with relayd. I keep getting this error:

    # relayd -vvv -n
    /etc/relayd.conf:33: cannot load certificates for relay tlsforward

My relayd.conf:

    # cat /etc/relayd.conf
    table { 127.0.0.1 }
    ext_ip = 192.168.1.66

    http protocol "https" {
        tcp { nodelay, sack, socket buffer 65536, backlog 100 }
        match response header set "Cache-Control" value "max-age=1814400"
        return error
        pass
        tls { no client-renegotiation, cipher-server-preference }
        tls ca key "/etc/letsencrypt/certificates/privkey.pem" password ""
        tls ca cert "/etc/letsencrypt/certificates/cert.pem"
    }

    relay "tlsforward" {
        listen on $ext_ip port 443 tls
        protocol "https"
        forward to port 8443 mode loadbalance check tcp
    }

Do you see any error or have any advice?

Regards.

thuban
Re: relayd and letsencrypt certificates
* trondd le [10-02-2017 12:32:36 -0500]:
> On Fri, February 10, 2017 11:48 am, Thuban wrote:
> > Hello,
> > I can't figure how to use letsencrypt certificates with relayd. I keep
> > getting this error :
> >
> > # relayd -vvv -n
> > /etc/relayd.conf:33: cannot load certificates for relay tlsforward
> >
> > My relayd.conf :
> >
> > # cat /etc/relayd.conf
> > table { 127.0.0.1 }
> > ext_ip = 192.168.1.66
> >
> > http protocol "https" {
> > tcp { nodelay, sack, socket buffer 65536, backlog 100 }
> > match response header set "Cache-Control" value "max-age=1814400"
> > return error
> > pass
> > tls { no client-renegotiation, cipher-server-preference }
> > tls ca key "/etc/letsencrypt/certificates/privkey.pem" password ""
> > tls ca cert "/etc/letsencrypt/certificates/cert.pem"
> > }
> >
> > relay "tlsforward" {
> > listen on $ext_ip port 443 tls
> > protocol "https"
> > forward to port 8443 mode loadbalance check tcp
> > }
> >
> > Do you see any error or have any advice?
> >
> > Regards.
> >
> > thuban
> >
>
> 'ca key' and 'ca cert' is for MITM roll your own certs on the fly.
>
> For server certs, like a web server would have, you don't specify them.
> relayd looks for address:port.key and address:port.crt as per the 'listen
> on' description in relayd.conf(5)

Ok, it works as expected now. I created symlinks to /etc/ssl/private/address.key and for address.crt.

Thank you.
build libtorrent fail
Hello,

I try again to build libtorrent [1]. I can't get ./configure to find the boost-python library.

The .configure file has been modified like this:

    - CXXFLAGS="$CXXFLAGS -ftemplate-depth=120"
    + CXXFLAGS="$CXXFLAGS"

Then, I try to build like this:

    export LDFLAGS="-L /usr/lib -L/usr/local/lib"
    export CXXFLAGS="-I /usr/include -I/usr/local/include"
    ./configure \
        --with-boost=/usr/local/ \
        --with-boost-system=boost_system-mt \
        --enable-python-binding \
        --with-boost-python=boost_python-mt \
        --disable-static \
        --enable-dht \
        --enable-pool-allocators \
        --with-libiconv \
        --disable-debug

Here is the error message:

    checking for Python include path... -I/usr/local/include/python3.6m
    checking for Python library path... -L/usr/local/lib -lpython3.6m
    checking for Python site-packages path... /usr/local/lib/python3.6/site-packages
    checking python extra libraries... -lintl -lpthread -lutil -lm
    checking python extra linking flags... -Wl,--export-dynamic
    checking consistency of all components of python development environment... yes
    checking whether the Boost::Python library is available... no
    configure: error: Boost.Python library not found. Try using --with-boost-python=lib.

You may find the full ./configure log here: http://pastebin.com/Ac4SkrEG

Any advice?

Regards.

[1] : http://libtorrent.org/

--
/Thuban/
Install fail on Latitude E64460 : disk not recognised
Hello,

I try to help a friend installing OpenBSD on a Dell Latitude E6440. It seems the disk (SSD) isn't recognised, only the USB stick is found by the installer, even with the last snapshot.

You can see the dmesg and installer output as screenshots below (yes, it's not ideal but that is the best I could ask via mail).

https://clbin.com/lRWaSs.jpeg
https://clbin.com/bsJGm7.jpeg
https://clbin.com/ddgY4d.jpeg
https://clbin.com/BkaCiG.jpeg
https://clbin.com/ji8jtn.jpeg
https://clbin.com/DGBVtl.jpeg
https://clbin.com/OR6ZBu.jpeg

Do you have any advice?

Regards.

--
:thuban:
Re: Install fail on Latitude E64460 : disk not recognised
* lawgi...@nym.hush.com le [03-04-2017 13:52:20 -0700]: > On 4/3/2017 at 1:31 PM, "Thuban" wrote: > >I try to help a friend installing OpenBSD on a Dell Latitude E6440. > >It seems the disk (SSD) isn't recognised, only the USB stick is > >found by > >the installer, even with the last snapshot. > > Is your situation perhaps similar to the one here? > > https://marc.info/?l=openbsd-misc&m=149083706402019&w=2 > That was exactly such issue. compatibility/AHCI/RAID is disabled and everything works as expected. Thank you very much. -- :thuban:
[relayd] keep origin IP in logs
Hello,

I use relayd to deal with HTTP headers as suggested here [1]. My problem is that in httpd logs, the origin IP is 127.0.0.1 and that's not very handy to track bruteforce attacks (for example).

Do you have any advice to keep the visitor IP in logs?

[1] : https://github.com/reyk/httpd/wiki/Using-relayd-to-add-Cache-Control-headers-to-httpd-traffic

--
:thuban:
Re: [relayd] keep origin IP in logs
* Hiltjo Posthuma le [09-04-2017 11:42:23 +0200]:
> On Sat, Apr 08, 2017 at 08:48:43PM +0200, Thuban wrote:
> > Hello,
> > I use relayd to deal with HTTP headers as suggested here [1].
> > My problem is that in httpd logs, the origin IP is 127.0.0.1 and that's
> > not very handy to track bruteforce attacks (for example).
> >
> > Do you have any advice to keep the visitor IP in logs ?
> >
> > [1] :
> > https://github.com/reyk/httpd/wiki/Using-relayd-to-add-Cache-Control-headers-to-httpd-traffic
> > --
> > :thuban:
> >
>
> Hey,
>
> It's commonly done by adding a X-Forwarded-For header with the origin IP.
>
> From the relayd.conf(5) man page:
>
>    http protocol "https" {
>        match header append "X-Forwarded-For" \
>            value "$REMOTE_ADDR"
>        match header append "X-Forwarded-By" \
>            value "$SERVER_ADDR:$SERVER_PORT"
>
>        ... snip snip ...
>    }
>

That's exactly what I use, but it doesn't seem to work:

    # snip from httpd logs
    test.yeuxdelibad.net 127.0.0.1 - - [09/Apr/2017:11:47:54 +0200] "GET / HTTP/1.0" 200 0

Here is my full relayd.conf. I tried to use the "transparent" keyword but the relay fails in this case.

    # cat /etc/relayd.conf
    table { 127.0.0.1 }
    ext_ip = 192.168.1.2

    http protocol "http" {
        tcp { nodelay, sack, socket buffer 65536, backlog 100 }
        match response header set "Cache-Control" value "max-age=1814400"
        match request header remove "Proxy"
        match response header set "X-Xss-Protection" value "1; mode=block"
        match response header set "Frame-Options" value "SAMEORIGIN"
        match response header set "X-Frame-Options" value "SAMEORIGIN"
        match header append "X-Forwarded-For" \
            value "$REMOTE_ADDR"
        match header append "X-Forwarded-By" \
            value "$SERVER_ADDR:$SERVER_PORT"
        return error
    }

    relay "www" {
        listen on $ext_ip port 80
        protocol "http"
        forward to port 8080 check tcp
    }

Regards.

--
:thuban:
Re: [relayd] keep origin IP in logs
* Hiltjo Posthuma le [09-04-2017 14:06:48 +0200]:
> On Sun, Apr 09, 2017 at 11:30:37AM +, Stuart Henderson wrote:
> > On 2017-04-09, Thuban wrote:
> > > * Hiltjo Posthuma le [09-04-2017 11:42:23 +0200]:
> > >> On Sat, Apr 08, 2017 at 08:48:43PM +0200, Thuban wrote:
> > >> > Hello,
> > >> > I use relayd to deal with HTTP headers as suggested here [1].
> > >> > My problem is that in httpd logs, the origin IP is 127.0.0.1 and that's
> > >> > not very handy to track bruteforce attacks (for example).
> > >> >
> > >> > Do you have any advice to keep the visitor IP in logs ?
> > >> >
> > >> > [1] :
> > >> > https://github.com/reyk/httpd/wiki/Using-relayd-to-add-Cache-Control-headers-to-httpd-traffic
> > >> > --
> > >> > :thuban:
> > >> >
> > >>
> > >> It's commonly done by adding a X-Forwarded-For header with the origin IP.
> > >>
> > >> From the relayd.conf(5) man page:
> > >>
> > >>    http protocol "https" {
> > >>        match header append "X-Forwarded-For" \
> > >>            value "$REMOTE_ADDR"
> > >>        match header append "X-Forwarded-By" \
> > >>            value "$SERVER_ADDR:$SERVER_PORT"
> >
> > "append" isn't good here, you don't want to trust whatever the client
> > sends in headers.
> >
>
> Good point! I've sent a relayd.conf(5) patch for this to tech@.

That's right indeed. The man page may have an alert on this.

So, transparent relay is what I need. Does anyone have a working example? Just adding the "transparent" keyword doesn't work for me, the client never accesses httpd.

Regards

--
:thuban:
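The "append" versus client-supplied header point raised in this thread, as an added example that is not part of the original messages and is not relayd code: it models a relay that either appends to or replaces X-Forwarded-For, then compares a log reader that takes the leftmost entry with one that walks back from the TCP peer through known proxies. The function names, the comma-joined form of "append", and all addresses except 127.0.0.1 are assumptions constructed for the illustration.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not from the thread.
RELAY_ADDR = "127.0.0.1"      # the relay as the backend sees it, as in the httpd log above
CLIENT_ADDR = "203.0.113.7"   # real TCP peer seen by the relay
FORGED_XFF = "198.51.100.99"  # value the client put in its own request


def relay_forward(headers, remote_addr, action):
    """Model a relay rewriting X-Forwarded-For before passing the request on.

    'append' keeps whatever the client sent and adds remote_addr after it
    (assumed comma-joined, the usual X-Forwarded-For convention).
    'set' discards the client-supplied value and writes only remote_addr.
    """
    if action not in ("append", "set"):
        raise ValueError("action must be 'append' or 'set'")
    out = dict(headers)
    existing = out.get("X-Forwarded-For")
    if action == "append" and existing:
        out["X-Forwarded-For"] = f"{existing}, {remote_addr}"
    else:
        out["X-Forwarded-For"] = remote_addr
    return out


def leftmost_hop(headers):
    """What a naive log reader does: trust the first entry in the header."""
    return headers["X-Forwarded-For"].split(",")[0].strip()


def client_behind_proxies(headers, peer_addr, trusted_proxies):
    """Return the first address, walking back from the TCP peer, that is not
    one of our own proxies. Entries to the left of that point were written
    by someone we do not control and are never consulted.
    Returns None if a trusted proxy handed us a malformed entry.
    """
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")
            if h.strip()]
    candidate = peer_addr
    while True:
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            return None
        if addr not in trusted or not hops:
            return str(addr)
        candidate = hops.pop()  # next entry to the left


def demo():
    """Run the same forged request through both relay behaviours."""
    request = {"Host": "www.example.org", "X-Forwarded-For": FORGED_XFF}
    results = {}
    for action in ("append", "set"):
        fwd = relay_forward(request, CLIENT_ADDR, action)
        results[action] = {
            "header": fwd["X-Forwarded-For"],
            "leftmost": leftmost_hop(fwd),
            "peer_walk": client_behind_proxies(fwd, RELAY_ADDR, [RELAY_ADDR]),
        }
    return results


if __name__ == "__main__":
    for action, row in demo().items():
        print(action, row)
```

With "append", the leftmost entry is whatever the client chose to send, so any brute-force blocking keyed on it can be steered at an arbitrary address; with "set", or with the right-to-left walk, the logged address is the peer the relay actually saw.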
ugen0 instead of urtwn0
Hi,

I have a usb wifi dongle supposed to work with urtwn firmware. usbdevs returns WNA 1000Mv2 Netgear listed here [0]

But the device is detected as ugen.

How can I fix this?

Regards.

[0] : http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/urtwn.4?query=urtwn&sec=4

--
Thuban
PubKey : http://yeuxdelibad.net/Divers/thuban.pub
Re: ugen0 instead of urtwn0
* Thuban le [21-09-2015 11:14:22 +0200]:
> usbdevs returns WNA 1000Mv2 Netgear listed here [0]
>
> But the device is detected as ugen.

My bad, it seemed to be fixed in 5.8 [0].

Except waiting for 5.8 or using -current, I guess there is no other solution to use this usb stick?

[0] : http://www.openbsd.org/plus.html
Re: ugen0 instead of urtwn0
* Fred le [21-09-2015 11:50:27 +0100]:
> On 09/21/15 11:01, Thuban wrote:
> >* Thuban le [21-09-2015 11:14:22 +0200]:
> >>usbdevs returns WNA 1000Mv2 Netgear listed here [0]
> >>
> >>But the device is detected as ugen.
> >
> >My bad, it seemed to be fixed in 5.8 [0].
> >
> >Except waiting for 5.8 or using -current, I guess there is no other
> >solution to use this usb stick?
> >
> >[0] : http://www.openbsd.org/plus.html
>
> You could back port the relevant changes to 5.7 and build a new kernel
> following the information in http://www.openbsd.org/faq/faq5.html
>
> -current is currently ahead of 5.8 which will be released on the 18 October.

Thanks for the answer. I never back ported on openbsd before. Where can I find any relevant documentation to do this before building the kernel?

Regards

--
Thuban
PubKey : http://yeuxdelibad.net/Divers/thuban.pub
Re: ugen0 instead of urtwn0
> Grab relevant
>
> src/sys/dev/usb/if_urtwn.c
> sys/dev/usb/usbdevs
>
> from CVS, then cd sys/dev/usb && make, then rebuild/install kernel
> as described in FAQ.
>

I rebuilt and installed the kernel without any error, but still, the usb stick isn't detected as urtwn.

What did I do wrong:

    # cd /usr
    # export CVSROOT=anon...@anoncvs.fr.openbsd.org:/cvs
    # cvs -d$CVSROOT checkout -rOPENBSD_5_7 -P src
    # cd //usr/src/sys/dev
    # cvs -d$CVSROOT -bOPENBSD_5_8 get src/sys/dev/usbdevs
    # cvs -d$CVSROOT -bOPENBSD_5_8 get src/sys/dev/if_urtwn.c
    # # rebuild/install kernel

--
Thuban
PubKey : http://yeuxdelibad.net/Divers/thuban.pub
Re: ugen0 instead of urtwn0
> > I rebuilt and installed the kernel without any error, but still, the usb
> > stick isn't detected as urtwn.
> >
> > What did I do wrong :
> >
> > # cd /usr
> > # export CVSROOT=anon...@anoncvs.fr.openbsd.org:/cvs
> > # cvs -d$CVSROOT checkout -rOPENBSD_5_7 -P src
> >
> You don't want to do this if you're going to checkout src/sys/*, the
> two cvs(1) commands below will
> create /usr/src/sys/dev/src/sys/dev/* instead of updating
> /usr/src/sys/dev/* as intended.
> > # cd //usr/src/sys/dev
> >
> > # cvs -d$CVSROOT -bOPENBSD_5_8 get src/sys/dev/usbdevs
> > # cvs -d$CVSROOT -bOPENBSD_5_8 get src/sys/dev/if_urtwn.c

Right, files were in the wrong place. Thanks.

I tried to rebuild the kernel with usbdevs and if_urtwn.c at the correct emplacement, but now the build fails. In if_urtwn.c, there are undeclared variables:

    if_urtwn.c:3556: error: 'R88E_HIMRE_TXERR' undeclared (first usr un this function)
    ... #you know the song

I guess some file is missing, of course, because mixing 5.7 and 5.8 couldn't work like that.

Here are dmesg and usbdevs -v as requested:

dmesg :
OpenBSD 5.7-stable (GENERIC.MP) #1: Tue Sep 22 07:41:56 CEST 2015 r...@openbsd.my.domain:/usr/src/sys/arch/amd64/compile/GENERIC.MP real mem = 2128605184 (2029MB) avail mem = 2068082688 (1972MB) mpath0 at root scsibus0 at mpath0: 256 targets mainbus0 at root bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xf0450 (76 entries) bios0: vendor Dell Inc. version "2.2.0" date 03/29/2007 bios0: Dell Inc. OptiPlex 745 acpi0 at bios0: rev 2 acpi0: TCPA checksum error acpi0: sleep states S0 S3 S4 S5 acpi0: tables DSDT FACP SSDT APIC BOOT ASF!
Re: ugen0 instead of urtwn0
* Stefan Sperling le [22-09-2015 11:33:28 +0200]: > On Mon, Sep 21, 2015 at 11:14:22AM +0200, Thuban wrote: > > Hi, > > I have a usb wifi dongle supposed to work with urtwn firmware. > > usbdevs returns WNA 1000Mv2 Netgear listed here [0] > > > > But the device is detected as ugen. > > > > How can I fix this? > > This device was added to -current after 5.8. > It will work out of the box in OpenBSD 5.9. > > The easiest way to get support for it is to use snapshots (i.e. -current). > See the "Snapshots" section in http://www.openbsd.org/faq/faq5.html#Flavors > > You can try to get it to work with 5.7 but this might not work. > Getting this device to work on 5.8 (to be released on Oct 18) should be > possible using the steps below. > > Starting with pristine OpenBSD 5.8 kernel source (or 5.7, if you want to > try your luck), add the line > > product NETGEAR WNA1000Mv2 0x9043 WNA1000Mv2 > > somewhere in the file /usr/src/sys/dev/usb/usbdevs > > as shown here: > > === > RCS file: /cvs/src/sys/dev/usb/usbdevs,v > retrieving revision 1.654 > retrieving revision 1.655 > diff -u -r1.654 -r1.655 > --- src/sys/dev/usb/usbdevs 2015/07/15 13:25:49 1.654 > +++ src/sys/dev/usb/usbdevs 2015/08/22 15:10:19 1.655 
> @@ -3135,6 +3135,7 @@ > product NETGEAR WNA1100 0x9030 WNA1100 > product NETGEAR WNA1000 0x9040 WNA1000 > product NETGEAR WNA1000M 0x9041 WNA1000M > +product NETGEAR WNA1000Mv2 0x9043 WNA1000Mv2 > > /* Netgear(2) products */ > product NETGEAR2 MA101 0x4100 MA101 > > > Now run > > $ cd /usr/src/sys/dev/usb/ > $ make > > to re-create the USB device list header files usbdevs.h and usbdevs_data.h. > > Next, add the line > > { USB_VENDOR_NETGEAR, USB_PRODUCT_NETGEAR_WNA1000Mv2 }, > > to /usr/src/sys/dev/usb/if_urtwn.c somewhere in the driver's ID table, > as shown here: > > === > RCS file: /cvs/src/sys/dev/usb/if_urtwn.c,v > retrieving revision 1.48 > retrieving revision 1.49 > diff -u -r1.48 -r1.49 > --- src/sys/dev/usb/if_urtwn.c2015/06/12 15:47:31 1.48 > +++ src/sys/dev/usb/if_urtwn.c2015/08/22 15:19:33 1.49 > @@ -110,6 +110,7 @@ > { USB_VENDOR_IODATA,USB_PRODUCT_IODATA_WNG150UM }, > { USB_VENDOR_IODATA,USB_PRODUCT_IODATA_RTL8192CU }, > { USB_VENDOR_NETGEAR, USB_PRODUCT_NETGEAR_WNA1000M }, > + { USB_VENDOR_NETGEAR, USB_PRODUCT_NETGEAR_WNA1000Mv2 }, > { USB_VENDOR_NETGEAR, USB_PRODUCT_NETGEAR_RTL8192CU }, > { USB_VENDOR_NETGEAR4, USB_PRODUCT_NETGEAR4_RTL8188CU }, > { USB_VENDOR_NETWEEN, USB_PRODUCT_NETWEEN_RTL8192CU }, > > Now compile a new kernel and install it. > > For more information on the steps involved in compiling the kernel, > see http://www.openbsd.org/faq/faq5.html#Bld and in particular this > section: http://www.openbsd.org/faq/faq5.html#BldKernel

Thank you for this very complete explanation. Currently, I can't build the kernel without any error with the last snapshot, even without modifying anything. Same with current. I'll wait some time and see.

Regards

--
Thuban
PubKey : http://yeuxdelibad.net/Divers/thuban.pub
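Review bot: the 0x9043 product ID on the added line of the usbdevs hunk is the only thing that ties this entry to the physical dongle, so it should be checked against the ID that usbdevs -v reports for the device before rebuilding; a wrong value produces no build error and simply leaves the device attaching as ugen. The placement after 0x9041 keeps the NETGEAR entries in ascending ID order, which matches the surrounding lines.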
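Review bot: the entry added in the if_urtwn.c hunk uses USB_PRODUCT_NETGEAR_WNA1000Mv2, which only exists once usbdevs.h has been regenerated from the usbdevs change, so the two changes have to be applied and built in that order or the kernel compile stops on an undeclared identifier. The hunk adds a match entry next to WNA1000M and nothing else, so it relies on the v2 dongle behaving like the devices already in this table; that assumption is worth stating in the commit message.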
Re: ugen0 instead of urtwn0
> Those instructions are for 5.8 or possibly 5.7, they aren't needed for
> -current snapshots which already include this change.
>

Of course, I read the files.

--
Thuban
PubKey : http://yeuxdelibad.net/Divers/thuban.pub
rookie questions about flavors
Hello,

I'm not sure I correctly understand some points :

1. A snapshot is a build made at one time of the development, more recent than *-stable* flavor. It is not *-current*. Can we consider a snapshot as an unreleased *5.8* at this time? Or is it above *5.8*?

2. In order to build the system, one can choose :
- to follow *-current* with `cvs -d$CVSROOT checkout -P src`
- to follow *-stable* with `cvs -d$CVSROOT checkout -rOPENBSD_5_7 -P src`

Is it possible to upgrade from 5.7 to 5.8 using this flag :

    cvs -d$CVSROOT checkout -rOPENBSD_5_8 -P src

3. If one uses a 5.8 snapshot (i.e [1] ), is it possible to apply updates for 5.8 *-stable* later? And if so, what PKG_PATH should be used to stay on 5.8?

    PKG_PATH=http://ftp.eu.openbsd.org/pub/OpenBSD/snapshots/packages/`uname -m`/

then switch to

    PKG_PATH=http://ftp.eu.openbsd.org/pub/OpenBSD/5.8/packages/`uname -m`/

when 5.8 is released? The missing packages must be replaced with ports build until the 19 Oct?

Sorry for the long message. I know the best is to use *-current* or a *-stable* flavor, but I wish to understand these points in order to keep things clean.

Regards

[1] : http://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/install58.iso

--
Thuban
Re: rookie questions about flavors
Thanks a lot for this answer.

> > 3. If one uses a 5.8 snapshot (i.e [1] ), is it possible to apply updates
> > for 5.8 *-stable* later?
>
> No. As I said earlier (and would be clear from a careful reading of the FAQ),
> snapshots track -current, not -stable.

Finding an install58.iso in a snapshot directory gave me some doubts about what I understood in the FAQ (as English is not my first language).

--
Thuban
PubKey : http://yeuxdelibad.net/Divers/thuban.pub
Can't use sshfs as user
Hi,

I try to mount a directory with sshfs as non-root, but I get the following error :

    fuse_mount: Permission denied

I don't get it. I have "kern.usermount=1" in /etc/sysctl.conf, but according to [1] I need to use some option about uid. But which ones?

Regards.

[1] : http://openbsd-archive.7691.n7.nabble.com/sshfs-as-non-root-fuse-mount-Permission-denied-td253224.html

--
/Thuban/
Re: Can't use sshfs as user
* Thuban le [22-04-2016 16:51:39 +0200]:
> Hi,
> I try to mount a directory with sshfs as non-root, but I get the
> following error :
>
> fuse_mount: Permission denied
>
> I don't get it. I have "kern.usermount=1" in /etc/sysctl.conf, but
> according to [1] I need to use some option about uid. But which ones?
>
> Regards.
>
> [1] :
> http://openbsd-archive.7691.n7.nabble.com/sshfs-as-non-root-fuse-mount-Permis
> sion-denied-td253224.html

I tried to add

    -o uid=1000 -o gid=1000

to sshfs, but it doesn't seem to understand these options despite what the man page says. Where am I wrong?
Re: Can't use sshfs as user
* Sebastien Marie le [24-04-2016 10:17:58 +0200]:
> On Fri, Apr 22, 2016 at 04:51:39PM +0200, Thuban wrote:
> > Hi,
> > I try to mount a directory with sshfs as non-root, but I get the
> > following error :
> >
> > fuse_mount: Permission denied
> >
> > I don't get it. I have "kern.usermount=1" in /etc/sysctl.conf, but
> > according to [1] I need to use some option about uid. But which ones?
> >
>
> - read/write permissions on /dev/fuse0
> - mount point owned by the user
>

Oh, that was it. It works after a

    # chmod 666 /dev/fuse0

Not sure it's really secure though.

Thanks.

--
/Thuban/
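Added example, not part of the original thread: a shell check of the two conditions listed in the reply (read/write access to the device, mount point owned by the user) that also flags a device node left world-writable, which is what `chmod 666` does. The function name `audit_fuse` and the temporary files standing in for `/dev/fuse0` and the mount point are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. audit_fuse and the temp files that stand
# in for /dev/fuse0 and the mount point are constructed for illustration.

# audit_fuse DEVICE MOUNTPOINT
# Checks the two conditions listed in the reply and flags a world-writable
# device. Returns 0 = ok, 1 = works but device is world-writable, 2 = a
# required condition is not met.
audit_fuse() {
    dev=$1; mnt=$2; status=0

    # Condition 1: the calling user can read and write the device.
    if [ ! -r "$dev" ] || [ ! -w "$dev" ]; then
        echo "FAIL: no read/write access to $dev"
        status=2
    fi

    # Condition 2: the mount point is a directory owned by the calling user.
    if [ -z "$(find "$mnt" -prune -type d -user "$(id -u)" 2>/dev/null)" ]; then
        echo "FAIL: $mnt is not a directory owned by uid $(id -u)"
        status=2
    fi

    # Mode 666 meets condition 1 for every local account, not just this user.
    if [ -n "$(find "$dev" -prune -perm -002 2>/dev/null)" ]; then
        echo "WARN: $dev is world-writable; group access (chgrp + chmod 660) is narrower"
        if [ "$status" -eq 0 ]; then status=1; fi
    fi
    return "$status"
}

# Constructed demo: a regular file stands in for the device node.
demo=$(mktemp -d)
: > "$demo/fuse0"
mkdir "$demo/mnt"
chmod 666 "$demo/fuse0"
audit_fuse "$demo/fuse0" "$demo/mnt" || echo "status $?"
chmod 660 "$demo/fuse0"
audit_fuse "$demo/fuse0" "$demo/mnt" && echo "status 0"
rm -rf "$demo"
```

On a real system the arguments would be the device node and the intended mount directory, run as the user who will call sshfs.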
Re: Fwd: Creating a blog using OpenBSD: technology choices and security considerations
The thing you should ask yourself is "what do I really need?" before installing a huge and useless CMS.

+1 for a static site generator. I use swx [1] on my own, it's just a markdown converter with some script to add rss feed, sitemap and so on. But there are so many.

There are also many small blog utilities, like Kriss blog [2].

Anyway, if you want to add comments to a static site, you can host it yourself instead of using Disqus. See hashover : [3]

regards,

[1] : http://yeuxdelibad.net/Programmation/swx_en.html fork of https://github.com/jroimartin/sw
[2] : https://github.com/tontof/kriss_blog
[3] : http://tildehash.com/?page=hashover

--
/Thuban/
Installing py3-libtorrent
Hello,

I need to install the python3 bindings for libtorrent. It doesn't seem to be packaged, nor present in ports.

Because I need to install it on several machines, I wanted to ask if I didn't miss it somewhere, before compiling it by hand again and again.

Thanks.

--
/Thuban/
Re: light browsers
> Firefox used to be nice, but I don't like the way it goes with
> embedded crap such as Hello or even worse, the Pocket thing.
>

Indeed, but it's maybe the last web browser caring about its users, without selling them or asking them to pay.

w3m has already been mentioned on the list. With some time, it becomes very handy.

But what about netsurf? http://www.netsurf-browser.org/

Regards,

--
/Thuban/
libtorrent build fail
Hi,

I'm trying to build libtorrent [1], but can't figure out how to have ./configure detect boost library. So, I always have such output :

configure: We could not detect the boost libraries (version 1.47 or higher). If you have a staged boost library (still not installed) please specify $BOOST_ROOT in your environment and do not give a PATH to --with-boost option. If you are sure you have boost installed, then check your version number looking in . See http://randspringer.de/boost for more documentation.
checking whether the Boost::System library is available... no

(yes, boost is installed)

I have these environment variables :

    export LDFLAGS="-L /usr/lib -L/usr/local/lib"
    export CXXFLAGS="-I /usr/include -I/usr/local/include"

I even tried to find any clue in FreeBSD without luck. Do you have any advice?

Regards

[1] : http://libtorrent.org/building.html
[2] : https://svnweb.freebsd.org/ports/head/net-p2p/libtorrent-rasterbar/Makefile?view=markup

--
/Thuban/
Re: libtorrent build fail
* Josh Grosse le [26-05-2016 12:30:40 -0400]:
> On 2016-05-26 11:50, Thuban wrote:
> >Hi,
> >I'm trying to build libtorrent [1], but can't figure out how to have
> >./configure detect boost library.
>
> Have you tried installing the libtorrent package? :)
>

Yes, of course. This is not the same libtorrent. The package in OpenBSD is the old one. One is "rasterbar", the other is still maintained and has various bindings.

--
/Thuban/
Re: libtorrent build fail
That was too beautiful, now it's ``make`` that gives me errors I can't understand :

In file included from ../include/libtorrent/parse_url.hpp:40,
from web_connection_base.cpp:53:
../include/libtorrent/aux_/disable_warnings_pop.hpp:42: warning: expected [error|warning|ignored] after '#pragma GCC diagnostic'
*** Error 1 in src (Makefile:972 'web_connection_base.lo': @echo " CXX " web_connection_base.lo;depbase=`echo web_connection_base.lo | ...)
*** Error 1 in /home/xavier/geek/libtorrent/libtorrent-rasterbar-1.1.0 (Makefile:645 'all-recursive')

See full warnings here : https://clbin.com/uPgvb

Do you have any advice on this?

Thanks.
Re: libtorrent build fail
* David Coppa le [27-05-2016 15:39:00 +0200]:
> On Fri, May 27, 2016 at 3:02 PM, Thuban wrote:
> > That was too beautiful, now it's ``make`` that gives me errors I can't
> > understand :
> >
> >
> > In file included from ../include/libtorrent/parse_url.hpp:40,
> > from web_connection_base.cpp:53:
> > ../include/libtorrent/aux_/disable_warnings_pop.hpp:42: warning: expected
> > [error|warning|ignored] after '#pragma GCC diagnostic'
> > *** Error 1 in src (Makefile:972 'web_connection_base.lo': @echo " CXX
> > " web_connection_base.lo;depbase=`echo web_connection_base.lo | ...)
> > *** Error 1 in /home/xavier/geek/libtorrent/libtorrent-rasterbar-1.1.0
> > (Makefile:645 'all-recursive')
> >
> > See full warnings here : https://clbin.com/uPgvb
> >
> > Do you have any advice on this?
>
> Please give me some time...
> I'm trying to cook a proper port, but there's a lot of stuff that
> needs to be fixed.

Woah, thank you very much! I'll stop filling the list with my useless messages then.

Good luck.

Regards,

--
/Thuban/
Re: Clean OpenBSD's httpd logs
* C. L. Martinez le [30-06-2016 12:50:36 +]:
> Hi all,
>
> Sorry if this question sounds stupid, but how can I avoid this type of entry in OpenBSD's httpd access.log:
>
> 172.22.55.1:44710 -> 172.22.55.10, /favicon.ico (404 Not Found), [/] [/favicon.ico]
>

Hi,

in httpd.conf :

    server "yourdomain.com" {
        ...
        no log
    }

You might want to keep access log. Separate errors in another file :

    server "yourdomain.com" {
        ...
        log access "yourdomain.access.log"
        log error "yourdomain.errors.log"
    }

see man httpd.conf for more :)

--
/Thuban/
bluetooth audio device
Hello,

I'm trying to connect an audio device via bluetooth, but can't find any instructions to do so on OpenBSD.

Do you have any advice/links?

Regards,

--
/Thuban/