Re: Etnernal & infernal browser woes

2017-04-28 Thread trondd
On Fri, April 28, 2017 10:17 am, Fred wrote:
> I have to agree with David - here I used chrome on a daily basis with a
> minimum of two chrome windows with at least 4 tabs in each

I don't want to get into the conversation, but I thought this was funny.

I am a heavy tabs user.  I currently have firefox running with 134 tabs
open.  It's been running since I last updated -current last weekend.  That
number is actually small because I just went through my tabs and closed a
bunch of older or redundant ones.



Re: Etnernal & infernal browser woes

2017-04-29 Thread trondd
On Sat, April 29, 2017 6:07 pm, Mihai Popescu wrote:
> Do not forget to use (activate) uBlock Origin too, there is in Add-Ons
> for Firefox.
>
> The guy with 134 opened tabs at once in firefox was funny. How many
> monitors is firefox windows spreading across?
>
> Thanks.
>

It's tabs.  You only need one window.

http://imgur.com/a/Cm4eO

uBlock and NoScript are a given.  I also use Tab Groups (pictured). 
Apparently I was the only one with this need, as tab groups were removed
from core firefox and even the plugin is being abandoned.  It's going to
be a rough transition when that stops working...



Re: DHCP in vmm guest

2017-05-04 Thread trondd
On Thu, May 4, 2017 8:51 am, Francois Stephany wrote:
> Hi,
>
> I'm new to OpenBSD and I'm trying a simple setup where a VMM guest has
> access to the network via tap and bridge. The host uses a wired connection
> and gets its network address with DHCP.
>
> Here's my /etc/vm.conf:
>
> switch "vms_switch" {
>     interface bridge0
>     add bge0
> }
>
> vm "vm.test" {
>     memory 1G
>     boot /home/fstephany/bsd.rd
>     disk /var/vms/fstephany/vmtest-disk.img
>     owner fstephany
>     interface tap {
>         switch "vms_switch"
>     }
>     disable
> }
>
>
> I've stopped vmd with #rcctl stop vmd
> and started it manually:
>
> # vmd -dvv
> startup
> /etc/vm.conf:4: switch "vms_switch" registered
> /etc/vm.conf:15: vm "vm.test" registered (disabled)
> vm_priv_brconfig: interface bridge0 description switch1-vms_switch
> vm_priv_brconfig: interface bridge0 add bge0
> vmd_configure: not creating vm vm.test (disabled)
> vm_opentty: vm vm.test tty /dev/ttyp1 uid 0 gid 4 mode 620
> vm_priv_ifconfig: interface tap0 description vm1-if0-vm.test
> vm_priv_ifconfig: interface bridge0 add tap0
> vm.test: started vm 1 successfully, tty /dev/ttyp1
> loadfile_elf: loaded ELF kernel
> run_vm: initializing hardware for vm vm.test
> virtio_init: vm "vm.test" vio0 lladdr fe:e1:bb:d1:6d:23
> run_vm: starting vcpu threads for vm vm.test
> vcpu_reset: resetting vcpu 0 for vm 5
> run_vm: waiting on events for VM vm.test
> i8259_write_datareg: master pic, reset IRQ vector to 0x20
> i8259_write_datareg: slave pic, reset IRQ vector to 0x28
> vcpu_exit_i8253: channel 0 reset, mode=7, start=11932
> virtio_blk_io: device reset
> virtio_net_io: device reset
> vionet queue notify - no space, dropping packet
> vionet queue notify - no space, dropping packet
> vionet queue notify - no space, dropping packet
> vionet queue notify - no space, dropping packet
> vionet queue notify - no space, dropping packet
> virtio_net_io: device reset
>
>
> Here's what happens when the installer tries to get a network address:
>
> # vmctl status
>    ID   PID VCPUS  MAXMEM  CURMEM     TTY     OWNER NAME
>     1     -     1    1.0G       -       - fstephany vm.test
> # vmctl start vm.test -c
> Connected to /dev/ttyp1 (speed 9600)
>
> Copyright (c) 1982, 1986, 1989, 1991, 1993
> The Regents of the University of California.  All rights reserved.
> Copyright (c) 1995-2017 OpenBSD. All rights reserved.
> https://www.OpenBSD.org
>
> OpenBSD 6.1-current (RAMDISK_CD) #41: Tue May  2 21:13:30 MDT 2017
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
> real mem = 1056964608 (1008MB)
> avail mem = 1021235200 (973MB)
> mainbus0 at root
> bios0 at mainbus0
> acpi at bios0 not configured
> cpu0 at mainbus0: (uniprocessor)
> cpu0: Intel(R) Celeron(R) CPU G1610T @ 2.30GHz, 2295.33 MHz
> cpu0:
> FPU,VME,DE,PSE,MSR,PAE,MCE,CX8,SEP,PGE,MCA,CMOV,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,XSAVE,HV,NXE,LONG,LAHF,FSGSBASE,SMEP,ERMS
> cpu0: 256KB 64b/line 8-way L2 cache
> pvbus0 at mainbus0: OpenBSD
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "OpenBSD VMM Host" rev 0x00
> virtio0 at pci0 dev 1 function 0 "Qumranet Virtio RNG" rev 0x00
> viornd0 at virtio0
> virtio0: irq 3
> virtio1 at pci0 dev 2 function 0 "Qumranet Virtio Storage" rev 0x00
> vioblk0 at virtio1
> scsibus0 at vioblk0: 2 targets
> sd0 at scsibus0 targ 0 lun 0:  SCSI3 0/direct
> fixed
> sd0: 4096MB, 512 bytes/sector, 8388608 sectors
> virtio1: irq 5
> virtio2 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
> vio0 at virtio2: address fe:e1:bb:d1:6d:23
> virtio2: irq 7
> virtio3 at pci0 dev 4 function 0 "OpenBSD VMM Control" rev 0x00
> virtio3: no matching child driver; not configured
> isa0 at mainbus0
> com0 at isa0 port 0x3f8/8 irq 4: ns8250, no fifo
> com0: console
> softraid0 at root
> scsibus1 at softraid0: 256 targets
> root on rd0a swap on rd0b dump on rd0b
>
> erase ^?, werase ^W, kill ^U, intr ^C, status ^T
>
> Welcome to the OpenBSD/amd64 6.1 installation program.
> (I)nstall, (U)pgrade, (A)utoinstall or (S)hell? I
> At any prompt except password prompts you can escape to a shell by
> typing '!'. Default answers are shown in []'s and are selected by
> pressing RETURN.  You can exit this program at any time by pressing
> Control-C, but this can leave your system in an inconsistent state.
>
> Terminal type? [vt220]
> System hostname? (short form, e.g. 'foo') vmtest
>
> Available network interfaces are: vio0 vlan0.
> Which network interface do you wish to configure? (or 'done') [vio0]
> IPv4 address for vio0? (or 'dhcp' or 'none') [dhcp]
> DHCPDISCOVER on vio0 - interval 1
> DHCPDISCOVER on vio0 - interval 2
> DHCPDISCOVER on vio0 - interval 2
> DHCPDISCOVER on vio0 - interval 2
> DHCPDISCOVER on vio0 - interval 2
> DHCPDISCOVER on vio0 - interval 2
> No acceptable DHCPOFFERS received.
> No working leases in persistent database - sleeping.
> IPv6 address for vio0? (or 

Re: /usr/sbin/httpd and chunked transfer encoding

2017-05-08 Thread trondd
On Mon, May 8, 2017 5:22 pm, r...@tamos.net wrote:
> On Mon, 08 May 2017 18:45 +0800, johnw wrote:
>> Both tried and not work.
>
> Yeah, you might be waiting for a while.  According to the following,
> both projects have this as an open issue but haven't been able to commit
> resources to it.  In the former case, the issue has been deferred from
> one release to another for over a year and a half.
>
> https://github.com/owncloud/android/issues/1128
> https://github.com/nextcloud/android/issues/113
>

For an alternative mobile client, I was using Folder Sync (Lite) with
httpd and OwnCloud.

https://play.google.com/store/apps/details?id=dk.tacit.android.foldersync.full&hl=en

https://play.google.com/store/apps/details?id=dk.tacit.android.foldersync.lite&hl=en



Re: siteXX.tgz with /home/user/.ssh/authorized_keys results in empty file

2017-05-29 Thread trondd
On Mon, May 29, 2017 5:47 pm, Erling Westenvik wrote:
> everything is okay.
>
> What is going on? Why is the process extracting siteXX.tgz
> treating /mnt/home/user/.ssh different than /mnt/root/.ssh?
>
> *continues scratching head*
>
> Cheers.
> Erling.
>


You didn't really explain the failure case.  Is this a new install or an
upgrade?  Does your site file simply have the file
/home/user/.ssh/authorized_keys in it or are you doing the cat command as
you illustrated?

My guess is this is an install.  The installer seems to unpack the sets
first.  Including the site tarball.  Then, if you created a new user,
copies the /etc/skel/ files over, overwriting your authorized_keys file.
You'll need to use install.site or /etc/rc.firsttime.

Root is different because root's files are part of the distribution sets.



Re: siteXX.tgz with /home/user/.ssh/authorized_keys results in empty file

2017-05-29 Thread trondd
Site is installed last *of the sets*, not the last thing that happens. 
And the user is created after the sets are extracted, also.

The *.site scripts are run nearly last (close enough, that it doesn't
matter).



Re: Openbsd 6.1 and Current Console Freezes and lockup Proxmox PVE5.0

2017-07-18 Thread trondd
On Tue, July 18, 2017 8:14 pm, Tom Smyth wrote:
> Apologies...
> Incomplete Mail ... was feeling Trigger happy and now I'm certainly
> feeling uncomfortably dumb :)
>
> proper bug report to come tomorrow,
> Its a long story... :/
> Thanks
>

When you do come back, mention if this is new with Proxmox 5.0 and if
you've used previous versions successfully.

I have been running OpenBSD on Proxmox for 2 or 3 years with no problems. 
I think I am still on 4.x, though.  I'll check tomorrow.

Tim.




Re: Best way to monitor battery status on laptop

2017-07-26 Thread trondd
On Wed, July 26, 2017 8:11 pm, Carlos Cardenas wrote:
> Howdy.
>
> Been using my toughbook with OpenBSD more and more and one of the things
> that I seem to be missing is simple battery status (percent remaining,
> if it's being charged, etc...) in my tmux(1) or wmii(1) session.
>
> Using sysctl(1) on hw.sensors.acpiac* and hw.sensors.acpibat* gets me
> the info I need.
>
> Is there a utility in base that does this already?
>
> Not seeing anything in the base or ports, I wrote a simple c program to
> get me the info (https://github.com/cobracmder/battery).
>
> Would a utility of this nature be useful to other folks?
>
> +--+
> Carlos
>

I just did it with a script since wmii has its own unique status bar
stuff.  C is more efficient for sure, I might grab that. :)

Looks like x11/i3status would work.

Tim (I thought I was the last wmii user).



Re: vio(4) tap(4) question

2017-08-28 Thread trondd
On Mon, August 28, 2017 6:03 pm, Bryan Harris wrote:
>
> pass on { vether0 tap0 tap1 tap2 tap3 tap4 tap5 tap6 tap7 tap8 tap9 }
>
> Thanks all.
>
> V/r,
> Bryan
>

Can't you just use the interface group 'tap'?

pass on { vether0 tap }



Re: Open /dev/mem file failed when running as a root priviledge

2017-09-11 Thread trondd
On Mon, September 11, 2017 8:58 pm, Nan Xiao wrote:
> Hi all,
>
> Greetings from me!
>
> I want to run dmidecode (https://github.com/mirror/dmidecode) on OpenBSD
> 6.1, but executing it will report following errors:
>
> # ./dmidecode
> # dmidecode 3.1
> Scanning /dev/mem for entry point.
> /dev/mem: Operation not permitted
>
> After single-step debugging, I find the error is from open /dev/mem:
>
> if ((fd = open(filename, O_RDONLY)) == -1)
> {
>     if (errno != ENOENT)
>         perror(filename);
>     return NULL;
> }
>
> I execute program as a root, and the attributes of `/dev/mem`:
>
> # ls -lt /dev/mem
> crw-r-  1 root  kmem2,   0 Aug 25 18:38 /dev/mem
>
> So it should open successfully. Could anyone give some clues of this
> issue?
>
> Thanks very much in advance!
>
> Best Regards
> Nan Xiao
>

/dev/mem and /dev/kmem were locked down.

https://marc.info/?l=openbsd-cvs&m=147481705211536&w=2

I can't recall if it's been further closed since last year.



Re: relayd https relay

2017-09-20 Thread trondd
On Wed, September 20, 2017 8:10 am, Bryan Harris wrote:
> I don't think you can know the host header unless you decrypt the https
> using a certificate.  It seems that idea would require SNI but I don't
> know
> if they have SNI in relayd/httpd.  (I could be wrong about that.)
>

httpd has SNI, relayd does not.

https://marc.info/?l=openbsd-cvs&m=147187817314952&w=2

For these scenarios, I have to turn to www/pound which I like for its
small size, and chroot support.



Re: OpenBSD router / firewall / gateway device

2017-09-20 Thread trondd
On Tue, September 19, 2017 10:25 pm, Usexy Nerd wrote:
> https://beagleboard.org/x15
>
> 
> What is BeagleBoard-X15?
>
> BeagleBoard-X15 is the top performing, mainline Linux enabled,
> power-users'
> dream board with a core tailored for every computing task and a highspeed
> interface for every connectivity need. Give your algorithms room to
> stretch!
> Processor: TI AM5728 2×1.5-GHz ARM® Cortex-A15
> 
>
>- 2GB DDR3 RAM
>- 4GB 8-bit eMMC on-board flash storage
>- 2D/3D graphics and video accelerators (GPUs)
>- 2×700-MHz C66 digital signal processors (DSPs)
>- 2×ARM Cortex-M4 microcontrollers (MCUs)
>- 4×32-bit programmable real-time units (PRUs)
>
> Connectivity
>
>- 2×Gigabit Ethernet
>- 3×SuperSpeed USB 3.0 host
>- HighSpeed USB 2.0 client
>- eSATA (500mA)
>- full-size HDMI video output
>- microSD card slot
>- Stereo audio in and out
>- 4×60-pin headers with PCIe, LCD, mSATA
>- and much more... 
>
> See quick start guide 
>
>
>
>
> On Tue, Sep 19, 2017 at 10:14 PM, Greg Garrison  wrote:
>
>> Hello,
>>
>>
>> I am interested how well the ARM platform is supported. Does anyone know
>> of a low cost dual ethernet arm board that I could use to build an
>> OpenBSD
>> based router / gateway device? I'd be interested in hearing experiences
>> from the community. I don't care so much about wifi capability I just
>> want
>> a very cheap board with two lan ports.  Wifi would be an added bonus but
>> not necessary for what I have in mind.
>>
>>
>> Thanks,
>>
>> Greg
>>
>>
>

Why does everyone think they have to have ARM?  For the price of that X15,
I'd rather have an APU2.

(Sorry Usexy Nerd ;) for the direct reply, meant for this to go to the list)



Re: relayd https relay

2017-09-21 Thread trondd
On Thu, September 21, 2017 3:49 am, rosjat wrote:
> Hi,
>
> so I added the with tls keywords to the relay and my webserver gets
> request now but from my relayhost and this is making the way back quite
> hard :(
>
> so I added the X Headers for Forwarded-For and Forwarded-By but it still
> leaves the question how to tell the relayhost to just let it all out
> like in a normal rdr-to rule in pf? Like I said pf rule just works fine
> so the traffic can go through all the interfaces just fine.
>
> regards
>
> MArkus
>

You can't do what you want with a layer 7 relay in relayd.  Redirect rules
in pf work because pf doesn't know or care about DNS host names.

Because you are using SSL, once you need to make decisions based on the
host, you have two options:

A relay server that supports SNI so it can see the Host and forward to the
right server.  Or terminating the SSL encryption at the relay server so
you can read the unencrypted host value.

Option 2 is required for relayd as it does not support SNI.  But that
means the relay server holds the SSL certificate.  You can only have 1
certificate per IP and port.  If you want to use individual certs for each
web site, you're stuck.  You either need to use different ports, which is
typically a non-starter for web sites, or put multiple IPs on the relay
box.

If security between the relay server and web servers is necessary (don't
trust someone else's network, and if possible, don't trust your own) you
can re-encrypt the communication from relayd and the web server but it'll
be relayd using the web server certificate, not the user.
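The difference between the two options above is what the relay can see before any decryption. The following is an added example of my own, not code from this thread or from relayd: it constructs a TLS ClientHello and pulls the server_name out of the SNI extension. An SNI-capable relay can choose a backend (and the certificate for it) from this cleartext field without holding any private key; the HTTP Host header only becomes visible once the relay terminates TLS, which is the situation relayd is in. The ClientHello bytes and the backend table are constructed here, not captured from a real client.

```python
"""Extract the SNI host_name from a TLS ClientHello (added example, not relayd code)."""
import struct

HANDSHAKE_RECORD = 0x16
CLIENT_HELLO = 0x01
SNI_EXTENSION = 0x0000


def build_client_hello(hostname=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input,
    not a capture); hostname=None produces a hello without an SNI extension."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry              # ServerNameList
        exts = struct.pack("!HH", SNI_EXTENSION, len(sni)) + sni
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + b"\x11" * 32                                # random (fixed, constructed)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"          # one cipher suite
        + b"\x01\x00"                                 # compression: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([HANDSHAKE_RECORD]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def extract_sni(record):
    """Return the host_name carried in the SNI extension, or None when the
    record is not a ClientHello, carries no SNI, or is truncated."""
    try:
        if record[0] != HANDSHAKE_RECORD:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        end = 4 + int.from_bytes(hs[1:4], "big")
        p = 4 + 2 + 32                                       # skip version + random
        p += 1 + hs[p]                                       # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]         # cipher_suites
        p += 1 + hs[p]                                       # compression_methods
        if p >= end:
            return None                                      # no extensions block
        ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            data = hs[p:p + elen]
            p += elen
            if etype != SNI_EXTENSION:
                continue
            list_len = struct.unpack("!H", data[0:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                ntype = data[q]
                nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:
                    return data[q:q + nlen].decode("ascii")
                q += nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def route_by_sni(record, backends):
    """Pick a backend from a {hostname: address} table using only the SNI.
    None means the relay cannot decide without terminating TLS, which is
    the relayd case described in the thread."""
    return backends.get(extract_sni(record))


if __name__ == "__main__":
    table = {"www.example.com": "10.0.0.11", "git.example.com": "10.0.0.12"}  # constructed
    print(extract_sni(build_client_hello("git.example.com")))
    print(route_by_sni(build_client_hello("git.example.com"), table))
    print(route_by_sni(build_client_hello(), table))
```

Note that a client which omits SNI (old clients, or raw IP connections) leaves even an SNI-aware relay without a routing key, so a default backend or certificate is still needed.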



Re: relayd https relay

2017-09-21 Thread trondd
On Thu, September 21, 2017 8:25 am, rosjat wrote:
> I try to figure out the ca file option mentioned by ronan maybe this is
> some kind of option here.
>

Using 'ca file' means you have to decrypt the SSL connection from the
clients with relayd then re-encrypt from relayd to the web servers. 
Clients will only see relayd's SSL certificate.  Originally you said you
want to use a different cert for each web site.

What CA signs the web server certificates?  There was a bug, I don't know
if it got fixed, in relayd that you can't use a big file of CAs for the
'ca file', the imsg was not chunked and if the file is too big, relayd
will fail to start the relay.  Take the CA cert that signed the web server
certificates and put that into a file and reference that file like 'ca
file "/etc/ssl/webca.pem"'.

> Am 21.09.2017 um 14:11 schrieb trondd:
>> On Thu, September 21, 2017 3:49 am, rosjat wrote:
>>> Hi,
>>>
>>> so I added the with tls keywords to the relay and my webserver gets
>>> request now but from my relayhost and this is making the way back quite
>>> hard :(
>>>
>>> so I added the X Headers for Forwarded-For and Forwarded-By but it
>>> still
>>> leaves the question how to tell the relayhost to just let it all out
>>> like in a normal rdr-to rule in pf? Like I said pf rule just works fine
>>> so the traffic can go through all the interfaces just fine.
>>>
>>> regards
>>>
>>> MArkus
>>>
>>
>> You can't do what you want with a layer 7 relay in relayd.  Redirect
>> rules
>> in pf work because pf doesn't know or care about DNS host names.
>>
>> Because you are using SSL, once you need to make decisions based on the
>> host, you have two options:
>>
>> A relay server that supports SNI so it can see the Host and forward to
>> the
>> right server.  Or terminating the SSL encryption at the relay server so
>> you can read the unencrypted host value.
>>
>> Option 2 is required for relayd as it does not support SNI.  But that
>> means the relay server holds the SSL certificate.  You can only have 1
>> certificate per IP and port.  If you want to use individual certs for
>> each
>> web site, you're stuck.  You either need to use different ports, which
>> is
>> typically a non-starter for web sites, or put multiple IPs on the relay
>> box.
>>
>> If security between the relay server and web servers is necessary (don't
>> trust someone else's network, and if possible, don't trust your own) you
>> can re-encrypt the communication from relayd and the web server but
>> it'll
>> be relayd using the web server certificate, not the user.
>>





Re: log up or down interface end change physical address

2017-09-21 Thread trondd
On Thu, September 21, 2017 9:29 am, Krzysztof Strzeszewski wrote:
> Hi,
>
> How to log up or down (connect or not connect cable) interface end
> change physical address on OpenBSD?
>
>
> --
> Regards,
> Krzysztof Strzeszewski
>

ifstated(8) and some scripts?



Re: Install process: couple of comments

2017-10-18 Thread trondd
On Wed, October 18, 2017 6:15 pm, Limaunion wrote:
> On 10/17/2017 05:44 PM, Stuart Henderson wrote:
>> On 2017-10-16, Limaunion  wrote:
>>> Hi! Last friday I upgraded my ALIX system from 6.0 to 6.2 using the PXE
>>> boot method. In previous years I used an internal FTP server to perform
>>> the upgrade, but for some reason this is not supported any more since a
>>> couple of releases.
>>
>> ftp support was removed from the installer, but you can place the same
>> files on an http/https server instead.
>>
>>> I mounted and published the ISO image using a
>>> raspberrypi and NGINX (HTTP method). During the install process I hit
>>> the following error 'unable to get a verified list of distribution
>>> sets'(*). I couldn't find much help from google but after some time I
>>> figured out that the install was looking for a file named index.txt,
>>> that is not included in the ISO.
>>
>> you want nearly all of the files from the release directory on a mirror,
>> you can skip install*.fs / install*.iso.
>>
>>> Maybe some of this information can be included to the install guide for
>>> those of us doing a local HTTP upgrade, and also it would be great to
>>> have the index.txt file included in the ISO.
>>
>> you won't have the SHA256.sig to verify the files against the signify
>> signature in the iso either.
>>
>>> For the record, the kernel relinking (Relinking to create unique
>>> kernel...) took about 14 minutes in my ALIX board and it takes about
>>> 2.5
>>> minutes the library reordering during the boot process.
>>
>> yes, it's terribly slow on machines with slow storage devices.
>> I tend to disable it on those (until I can justify replacing the
>> machine with something newer, which has other advantages too).
>>
>>
>>
>
> Hi! you mean that the library reordering can be disabled? care to share
> how to do that? google didn't help...
> Thanks for your comments.
>

Why does everyone always go straight to google? (Yeah, I know, silly
question.)  And then give up?

Looking at the code might be a better start.  Line 163 is particularly
interesting...

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc/rc?annotate=1.519



Re: attach chroot-jail to switchd(8) ?

2018-05-24 Thread trondd
On Wed, May 23, 2018 4:35 am, Thomas Huber wrote:
> Hi all,
>
> I´m just tinkering a little bit and try to mimic some "containerization"
> on
> OpenBSD with chroot. Is it somehow possible to attach a chrooted
> environment to switchd(8) ?
>
> Thanks
> Thomas
>

OpenBSD's chroot is not like a Linux container or FreeBSD jail.  There is
no network isolation.  Inside the chroot, you get all the same interfaces,
IP's, routes, ports as on the "host" or in another chroot.  So doing
anything with the network in the chroot is exactly the same as doing it
normally.

If you want to isolate, you probably need vether or tap or the like to
make virtual interfaces and manually tie them to whatever you have running
in the chroots and manually set up proxies or whatever you need to make
services accessible.



Re: attach chroot-jail to switchd(8) ?

2018-05-24 Thread trondd
On Thu, May 24, 2018 1:28 pm, Claudio Jeker wrote:
> On Thu, May 24, 2018 at 09:22:32AM -0400, trondd wrote:
>> On Wed, May 23, 2018 4:35 am, Thomas Huber wrote:
>> > Hi all,
>> >
>> > I´m just tinkering a little bit and try to mimic some
>> "containerization"
>> > on
>> > OpenBSD with chroot. Is it somehow possible to attach a chrooted
>> > environment to switchd(8) ?
>> >
>> > Thanks
>> > Thomas
>> >
>>
>> OpenBSD's chroot is not like a Linux container or FreeBSD jail.  There
>> is
>> no network isolation.  Inside the chroot, you get all the same
>> interfaces,
>> IP's, routes, ports as on the "host" or in another chroot.  So doing
>> anything with the network in the chroot is exactly the same as doing it
>> normally.
>>
>> If you want to isolate, you probably need vether or tap or the like to
>> make virtual interfaces and manually tie them to whatever you have
>> running
>> in the chroots and manually set up proxies or whatever you need to make
>> services accessible.
>>
>
> This is only partially true. If you use alternate routing tables or
> rdomain, route -T  exec will get you network isolation. Processes can
> not change the rtable unless they run as superuser. It is not perfect but
> neither is the linux or freebsd solution when it comes to networking.
>
> --
> :wq Claudio
>

Sorry, yes.  I meant to mention rdomains, which I think is a pretty cool
option worth tinkering with.



Re: dump/restore and crontab(5)

2018-07-02 Thread trondd
On Mon, July 2, 2018 8:14 am, Ed Ahlsen-Girard wrote:
> Having clobbered my crontab (5) file in error (-r and -e are close) I
> merrily went to my level 0 dump to restore it. It's present on the dump
> (which is to file) but the restored file is zero bytes.
>
> Should I have run those dumps manually instead of as cron jobs?
>
> --
>
> Edward Ahlsen-Girard
> Ft Walton Beach, FL
>

I'd have to look later to see if my dumps are correctly grabbing the
crontabs.  But first, try looking in /var/backups either on disk, or in
your dump.

Tim.



Re: dump/restore and crontab(5)

2018-07-02 Thread trondd
On Mon, July 2, 2018 10:26 am, Ed Ahlsen-Girard wrote:
> On Mon, 2 Jul 2018 09:25:37 -0400
> "trondd"  wrote:
>
>> On Mon, July 2, 2018 8:14 am, Ed Ahlsen-Girard wrote:
>>  [...]
>>
>> I'd have to look later to see if my dumps are correctly grabbing the
>> crontabs.  But first, try looking in /var/backups either on disk, or
>> in your dump.
>>
>> Tim.
>>
>
> In the backups. Thanks.
>
> --
>
> Edward Ahlsen-Girard
> Ft Walton Beach, FL
>

FYI.  dump/restore is correctly saving and restoring my /var/cron/tabs/*
so double check your dump and restore scripts, parameters, whatever.

Tim.



Re: Let's Encrypt Error with cgit, httpd, acme-client

2018-08-22 Thread trondd
On Wed, August 22, 2018 1:23 pm, Parikh, Samir wrote:
> flipchan wrote on 22/08/18 01:19:
>> Try removing all keys in the ssl directory aswell as
>> /etc/acme/letsencrypt-privkey.pem
>
> Thank you for your suggestion! I tried that and still received a similar
> error:
>
> # acme-client -vAD git.example.com
> acme-client: /etc/ssl/private/git.example.com.key: domain key exists
> (not creating)
> acme-client: /etc/acme/letsencrypt-privkey.pem: generated RSA account key
> acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
> acme-client: acme-v01.api.letsencrypt.org: DNS: 23.203.86.101
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-reg: new-reg
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz:
> req-auth: git.example.com
> acme-client: /var/www/acme/tkQw_0qDhDjEgxvy5WNZKuyhjPQwRHvIgT3nbGrCAI0:
> created
> acme-client:
> https://acme-v01.api.letsencrypt.org/acme/challenge/qG_m-oh4J3c4mTSsdOoVZmOg3EpLwXQn1zRHgDTtwgM/6689241118:
> challenge
> acme-client:
> https://acme-v01.api.letsencrypt.org/acme/challenge/qG_m-oh4J3c4mTSsdOoVZmOg3EpLwXQn1zRHgDTtwgM/6689241118:
> status
> acme-client:
> https://acme-v01.api.letsencrypt.org/acme/challenge/qG_m-oh4J3c4mTSsdOoVZmOg3EpLwXQn1zRHgDTtwgM/6689241118:
> bad response
> acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid",
> "error": { "type": "urn:acme:error:unauthorized", "detail": "Invalid
> response from
> http://git.example.com/.well-known/acme-challenge/tkQw_0qDhDjEgxvy5WNZKuyhjPQwRHvIgT3nbGrCAI0:
> \"\u003c!DOCTYPE
> html\u003e\n\u003chtml\u003e\n\u003chead\u003e\n\u003cmeta
> http-equiv=\"Content-Type\" content=\"text/html;
> charset=utf-8\"/\u003e\n\u003ctitle\u003e500 Internal Server Er\"",
> "status": 403 }, "uri":

Clearly, Let's Encrypt can't access the file on your server.  The easiest
way to debug is to drop an html file into /acme and go to your server
/.well-known/acme-challenge/file.html in a browser and see what happens.

I could reproduce the 500 error in a browser with your config.  I had to
do 2 things to fix it (which may or may not break cgit).

Wrap your general root "/cgi-bin/cgit.cgi" and fastcgi socket in a
location "*" {} block and then move that block to the bottom of the server
block under location ".well-known..."

This works for me (you might need to fix the "request strip" line as I am
on some version of -current).  The cgit location might need to move as
well, I didn't test further.

server "localhost" {
    listen on 127.0.0.1 port 80
    # serve the cgit static files directly
    location "/cgit.*" {
        root "/cgit"
        no fastcgi
    }
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
    # cgit CGI
    location "*" {
        root "/cgi-bin/cgit.cgi"
        fastcgi socket "/run/slowcgi.sock"
    }
}





Re: Let's Encrypt Error with cgit, httpd, acme-client

2018-08-27 Thread trondd
On Sun, August 26, 2018 4:40 pm, Parikh, Samir wrote:
>
> I guess my only remaining question is how did you know I needed to make
> this change?  I know the OpenBSD documentation is really good but I'm
> still fascinated how people manage to sort things like this out.  Maybe
> it's just pure experience?
>
> Either way, thanks again!
>
> Samir
>

It's part experience, part reading the output and logs, and part just
trying things.  I didn't know what the solution was.  I looked at
/etc/examples/httpd.conf, looked at the errors and made changes.

Be explicit in the configuration.  The 'root' without a 'location' wasn't
explicit so I didn't know how it got interpreted.  Put it in a 'location'.
And most configurations on OpenBSD have an order to their evaluation. 
Some are first match wins, some are last match wins, so move things
around.

Tim.



Re: httpd and cgi

2018-10-04 Thread trondd
On Thu, October 4, 2018 12:54 pm, Kihaguru Gathura wrote:
> Hi,
>
> For the following httpd setup, cgi scripts give a 403 Page not found
> on browser. However after removing the line:
>
> location "/*" {
> authenticate "Staff Only" with "/htpasswds"
> }
>
> cgi scripts run fine but no authentication for document root of course.
>
> Please explain the situation.
>
>
>
> ...
> # $OpenBSD: httpd.conf,v 1.18 2018/03/23 11:36:41 florian Exp $
>
> server "xyz.co.ke" {
>     listen on * port 80
>     listen on :: port 80
>     location "/.well-known/acme-challenge/*" {
>         root "/acme"
>         root strip 2
>     }
>     location * {
>         block return 302 "https://$HTTP_HOST$REQUEST_URI"
>     }
> }
>
> server "xyz.co.ke" {
>     listen on * tls port 443
>     listen on :: tls port 443
>     hsts
>     tls {
>         certificate "/etc/ssl/xyz.co.ke.fullchain.pem"
>         key "/etc/ssl/private/xyz.co.ke.key"
>     }
>     location "/.well-known/acme-challenge/*" {
>         root "/acme"
>         root strip 2
>     }
>     root "/xyz.co.ke"
>     location "/*" {
>         authenticate "Staff Only" with "/htpasswds"
>     }
>
>     location "/public/*" {
>         directory auto index
>     }
>     location "/xyz/*" {
>         root "/"
>         fastcgi
>         authenticate "Staff Only" with "/htpasswds"
>     }
> }
> ..
>
> Thank you,
>
> Regards
>
> Kihaguru.
>

Move the location "/*" block to the bottom of the server block after the
specific paths.


location path {...}
Specify server configuration rules for a specific location. The path
argument will be matched against the request path with shell globbing
rules. In case of multiple location statements in the same context,
the first matching location statement will be put into effect, while
all later ones will be ignored. Therefore it is advisable to match for
more specific paths first and for generic ones later on.
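To make the first-match rule above concrete, here is an added example of my own (not httpd's code) that models httpd's location selection. It assumes Python's fnmatch is a fair stand-in for the shell-glob matching httpd.conf(5) describes, at least for the patterns in these two threads: '*' matches any run of characters, '/' included. It reproduces both situations, the "/*" block placed before "/xyz/*" in this thread, and the bare "*" catch-all placed before the ACME challenge path in the cgit thread, and includes a small lint that reports locations which can never be reached. The location lists are constructed from the two configurations discussed.

```python
"""Model of httpd's first-matching-location rule (added example, not httpd code)."""
import fnmatch


def select_location(locations, path):
    """Return the label of the first (pattern, label) pair whose glob matches
    path, or None.  Later matches are ignored, as httpd.conf(5) says."""
    for pattern, label in locations:
        if fnmatch.fnmatchcase(path, pattern):
            return label
    return None


def shadowed_locations(locations):
    """Heuristic lint: a location is reported as shadowed when a representative
    path built from its own pattern ('*' replaced by 'probe') is already
    claimed by an earlier location.  Returns (shadowed_label, winner_label)."""
    shadowed = []
    for i, (pattern, label) in enumerate(locations):
        probe = pattern.replace("*", "probe")
        winner = select_location(locations[:i], probe)
        if winner is not None:
            shadowed.append((label, winner))
    return shadowed


# Constructed from the 'httpd and cgi' config: "/*" sits before the specific
# paths, so a request for /xyz/... stops at the authenticate-only block and
# never reaches the fastcgi block.
MISORDERED = [
    ("/.well-known/acme-challenge/*", "acme"),
    ("/*", "staff-auth"),
    ("/public/*", "public"),
    ("/xyz/*", "cgi"),
]

# The same locations with the catch-all moved to the bottom.
REORDERED = [
    ("/.well-known/acme-challenge/*", "acme"),
    ("/public/*", "public"),
    ("/xyz/*", "cgi"),
    ("/*", "staff-auth"),
]

# Constructed from the cgit thread: a bare "*" ahead of the ACME challenge
# path hands the challenge request to cgit instead of the /acme root.
CGIT_FIRST = [
    ("*", "cgit"),
    ("/.well-known/acme-challenge/*", "acme"),
]


if __name__ == "__main__":
    for name, locs in (("misordered", MISORDERED), ("reordered", REORDERED),
                       ("cgit-first", CGIT_FIRST)):
        print(name,
              select_location(locs, "/xyz/report.cgi"),
              select_location(locs, "/.well-known/acme-challenge/token"),
              shadowed_locations(locs))
```

Running the lint over a config before reloading httpd catches this class of mistake without having to wait for a 403 in the browser or a failed ACME challenge.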



Re: acme-client memory setup failure

2018-10-27 Thread trondd
On Sat, October 27, 2018 6:19 am, 연락 연락 wrote:
> Dear misc,
>
> I am getting an error saying "ssl verify memory setup failure" whenever
> I try to renew existing certificates on a host -- Openbsd 6.3, httpd,
> acme-client.
> Recently there were changes in a few configurations, including network,
> name servers, etc.
>
> The below is all I get when I try command acme-client -vv example.com:
>
> ..domain key
> ..account key
> ..cert ...days left
> ..directory
> ..DNS: (some ip)
> (some ip):tls_connect_socket: acme-v01.api.letsencrypt.org, ssl verify
> memory setup failure
> ..bad comm
> bad exit...
>
> Could someone let me know what could cause the ssl verify memory setup
> failure, or if the memory setup failure could be some kind of common
> error, such as something occurred by memory configuration, such as in
> login.conf?
>
> For your information, those worked before. Recently thinking about
> hardware issues, especially for RAM.
> Because I can't share detailed configurations, names, etc., I am
> wondering if someone could kindly give some advice on the above
> information.
>
> Any help and your time would be greatly appreciated indeed.
>

Did you modify certs.pem?  I've run into this when accidentally adding
certs multiple times growing the file too big or writing a DOS formatted
cert to it.
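Both of the failure modes mentioned here, and the oversized 'ca file' from the relayd thread above, come down to the contents of a PEM bundle. The following is an added example of my own, not code from either thread or from OpenBSD: it walks a bundle such as /etc/ssl/cert.pem, counts the CERTIFICATE blocks, flags blocks that do not decode as base64, reports certificates that appear more than once (compared by the SHA-256 of their DER bytes) and counts CRLF line endings, then produces a cleaned copy. The sample bundle is constructed from placeholder payloads and contains no real certificate.

```python
"""Lint a PEM certificate bundle (added example, not OpenBSD or relayd code)."""
import base64
import binascii
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
BLOCK_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----", re.S)


def make_block(payload, crlf=False):
    """Wrap arbitrary bytes in a PEM CERTIFICATE block.  Constructed test input
    only: the payload is not DER and this is not a real certificate."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [BEGIN] + [b64[i:i + 64] for i in range(0, len(b64), 64)] + [END]
    nl = "\r\n" if crlf else "\n"
    return nl.join(lines) + nl


def parse_pem_blocks(text):
    """Yield (der_bytes_or_None, block_text) for each CERTIFICATE block;
    comment lines between blocks (as in cert.pem) are ignored."""
    for m in BLOCK_RE.finditer(text):
        b64 = "".join(m.group(1).split())        # drop LF, CR and stray spaces
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error:
            der = None
        yield der, m.group(0)


def lint_pem_bundle(text):
    """Return a report dict: block count, undecodable blocks, duplicate pairs
    (first_index, later_index) and the number of CRLF line endings."""
    report = {"blocks": 0, "bad_base64": 0, "duplicates": [],
              "crlf_lines": text.count("\r\n")}
    seen = {}
    for i, (der, _) in enumerate(parse_pem_blocks(text)):
        report["blocks"] += 1
        if der is None:
            report["bad_base64"] += 1
            continue
        digest = hashlib.sha256(der).hexdigest()
        if digest in seen:
            report["duplicates"].append((seen[digest], i))
        else:
            seen[digest] = i
    return report


def normalise_bundle(text):
    """Return a copy with CRLF converted to LF, undecodable blocks dropped and
    only the first occurrence of each certificate kept."""
    out, seen = [], set()
    for der, block in parse_pem_blocks(text):
        if der is None:
            continue
        digest = hashlib.sha256(der).hexdigest()
        if digest in seen:
            continue
        seen.add(digest)
        out.append(block.replace("\r\n", "\n"))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed bundle: cert A, cert B, then A again pasted with DOS line endings.
    bundle = (make_block(b"certificate-A" * 8) + make_block(b"certificate-B" * 8)
              + make_block(b"certificate-A" * 8, crlf=True))
    print(lint_pem_bundle(bundle))
    print(lint_pem_bundle(normalise_bundle(bundle)))
```

The same check is worth running on the file handed to relayd's 'ca file': if it reports dozens of blocks where one issuing CA was intended, that is the oversized bundle case from the relayd thread.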



Re: acme-client memory setup failure

2018-10-28 Thread TronDD



On October 28, 2018 12:09:02 AM EDT, "연락 연락"  wrote:
>Thank you indeed for your reply, trondd.
>Yes, I added certificate(s) to cert.pem, probably more than one time so
>far.
>But the size looks not much bigger than normal one that I see from 
>another host.
>size of the cert.pem modified(?): 357***
>size of cert.pem I see from another host where I didn't add anything to
>
>the cert.pem: 349***
>
>Do you think 357*** is too big?
>How did you solve the issue?
>What can I do if something went wrong when I added certificates or when
>
>upgrading openbsd and adding the certificates again?
>

Put the original cert.pem back and see if it solves the issue first.


>If the router/gateway before the host has been changed so the cert.pem 
>of the gateway is not the same of the previous one, can it be also a 
>matter?
>
>

The cert.pem only matters on the machine making the SSL connection.


>On 28/10/2018 04:54, trondd wrote:
>> On Sat, October 27, 2018 6:19 am, 연락 연락 wrote:
>>> Dear misc,
>>>
>>> I am getting an error saying "ssl verify memory setup failure"
>whenever
>>> I try to renew existing certificates on a host -- Openbsd 6.3,
>httpd,
>>> acme-client.
>>> Recently there were changes in a few configurations, including
>network,
>>> name servers, etc.
>>>
>>> The below is all I get when I try command acme-client -vv
>example.com:
>>>
>>> ..domain key
>>> ..account key
>>> ..cert ...days left
>>> ..directory
>>> ..DNS: (some ip)
>>> (some ip):tls_connect_socket: acme-v01.api.letsencrypt.org, ssl
>verify
>>> memory setup failure
>>> ..bad comm
>>> bad exit...
>>>
>>> Could someone let me know what could cause the ssl verify memory
>setup
>>> failure, or if the memory setup failure could be some kind of common
>>> error, such as something occurred by memory configuration, such as
>in
>>> login.conf?
>>>
>>> For your information, those worked before. Recently thinking about
>>> hardware issues, especially for RAM.
>>> Because I can't share detailed configurations, names, etc., I am
>>> wondering if someone could kindly give some advice on the above
>>> information.
>>>
>>> Any help and your time would be greatly appreciated indeed.
>>>
>> 
>> Did you modify certs.pem?  I've run into this when accidentally
>adding
>> certs multiple times growing the file too big or writing a DOS
>formatted
>> cert to it.
>> 
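The two replies in this thread point at the same diagnosis: a hand-edited cert.pem bundle in which a certificate was pasted more than once, or pasted with DOS line endings. As an added example (not code from the thread or from acme-client), the script below scans a PEM bundle for exactly those two problems and for a BEGIN marker with no matching END. The sample bundle is constructed inline and its certificate bodies are placeholder base64, not real certificates.

```python
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def check_pem_bundle(data: bytes) -> dict:
    """Report on a cert.pem-style bundle.

    Returns a dict with:
      count        number of certificate blocks found
      duplicates   list of (first_index, duplicate_index) pairs
      crlf_lines   number of lines terminated by CRLF (DOS line endings)
      unterminated number of BEGIN markers with no matching END
    Certificates are compared by the SHA-256 of their whitespace-stripped
    base64 body, so the same certificate re-pasted with different wrapping
    or line endings still counts as a duplicate.
    """
    text = data.decode("ascii", errors="replace")
    crlf_lines = text.count("\r\n")
    seen = {}
    duplicates = []
    count = 0
    unterminated = 0
    pos = 0
    while True:
        start = text.find(BEGIN, pos)
        if start == -1:
            break
        end = text.find(END, start)
        if end == -1:
            unterminated += 1
            break
        body = text[start + len(BEGIN):end]
        normalized = re.sub(r"\s+", "", body)  # drop newlines, CRs, indentation
        digest = hashlib.sha256(normalized.encode("ascii")).hexdigest()
        if digest in seen:
            duplicates.append((seen[digest], count))
        else:
            seen[digest] = count
        count += 1
        pos = end + len(END)
    return {"count": count, "duplicates": duplicates,
            "crlf_lines": crlf_lines, "unterminated": unterminated}


# Constructed sample: two distinct placeholder "certificates", then the first
# one pasted a second time with DOS (CRLF) line endings.
CERT_A = (BEGIN + "\n"
          "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB\n"
          "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=\n" + END + "\n")
CERT_B = (BEGIN + "\n"
          "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC\n"
          "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkI=\n" + END + "\n")
SAMPLE_BUNDLE = (CERT_A + CERT_B + CERT_A.replace("\n", "\r\n")).encode("ascii")


if __name__ == "__main__":
    import sys
    # Pass a path (e.g. /etc/ssl/cert.pem) to check a real bundle; with no
    # argument the constructed sample above is checked instead.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    print(check_pem_bundle(data))
```

Run it against the suspect bundle and against the pristine cert.pem from a second host; a non-zero `crlf_lines` or a non-empty `duplicates` list explains the size difference far better than the raw byte counts compared in the thread.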



Re: smtpd new "relay as" syntax?

2018-10-31 Thread TronDD



On October 31, 2018 5:31:44 PM EDT, "Paul B. Henson"  wrote:
>I just upgraded to OpenBSD 6.4, and I'm trying to figure out how to do
>this with the new syntax:
>
>accept from local for any relay via smtp://smtp.domain.com as
>"@domain.com"
>
>This would rewrite the outbound message to masquerade as being from the
>TLD rather than a specific machine. Right now I've got:
>
>action local_relay relay host smtp.domain.com
>match from local for any action local_relay
>
>But this doesn't do the rewriting. The only thing I see in the man page
>talks about 'senders  [masquerade]' which seems to be for
>authenticated users.
>
>Am I missing something obvious?
>
>Thanks...

Mail-from in the action options, I believe.



Re: Severe clock problems with OpenBSD VM on OpenBSD Host

2018-11-04 Thread trondd
On Sat, November 3, 2018 7:10 pm, Stefan Arentz wrote:
> Hi everyone,
>
> I am having an issue where an OpenBSD VM running on vmd is having
> serious clock skew issues.
>
> I am relatively new to OpenBSD, so I am not sure how to properly debug
> this. What I hope is that I can provide a good amount of data and folks
> here can give me some hints and ask me for additional information to
> get to the root cause of this.
>
> So first some facts and symptoms:
>
> - Both Host and Guest are running OpenBSD 6.4. The host runs GENERIC.MP
>   and the guest GENERIC.
> - The host runs 50 guests, all OpenBSD (openbsd.amsterdam)
> - Only this VM is having this clock issue (is this correct, or were
>   there others?)
>
> - The guest has kern.timecounter.hardware=tsc
> - The time on the VM was set with rdate a couple of days ago, and as of
>   now the VM is running about 4 hours behind.
> - ntpd is running (main process, dns engine, ntp engine)
> - when started or restarted, ntpd complains about "pipe write error
>   (from main): No such file or directory" but does seem to start
>
> - I just ran rdate nl.pool.ntp.org and the date was properly updated
> - One minute after running rdate, the clock is already 7 seconds slow
>
> - The guest also has some severe networking issues. often I cannot type
>   more than a few characters before a ~15 second delays happens.
>   Interactive typing is difficult.
> - I can SSH into the Host and have none of these issues, ruling out
>   connectivity issues between me (Toronto) and the Host (Amsterdam)
>
> It would be easy to blame this on NTPd, which does have an unexplained
> error message. However, I think even without running NTPd, the clock
> skew should not be this extreme.
>
> Somehow I have a gut feeling that the clock issues and the networking
> issues are related.
>
> I am root on the VM but I am not on the host. I do have vmctl access.
> However, the host admin is friendly (Hi Mischa) and is happy to help to
> debug this issue.
>
> I tried to ktrace ntpd to get more insight in the "pipe write error
> (from main): No such file or directory" error but I did not get useful
> info out of it. This may be because of my unfamiliarity with those
> tools.
>
> Help appreciated :-)
>
>  S.
>

VMM VMs do have clock issues.  tsc and ntpd should be enough, though (at
least with only a couple VMs it is).  Is ntpd doing anything?  What does
'ntpctl -sa' say?

I think that error is causing ntpd to exit (one of the child procs, if not
the whole thing).



Re: mail doesn't read mail from /var/mail/root

2018-11-08 Thread TronDD



On November 8, 2018 1:39:13 AM CST, ivp...@eml.cc wrote:
>Hello,
>
>I must be missing something obvious, but since installing 6.4-current
>(on a few versions in a row), I can't get mail to read /var/mail/root.
>
>After logging in, I see:
>
>>---<
>OpenBSD 6.4-current (GENERIC.MP) #425: Sun Nov 4
>
>[... skipped ...]
>
>You have mail.
>thor# mail
>No mail for root
>thor# mail -f /var/mail/root
>Mail version 8.1.2 01/15/2001.  Type ? for help.
>"/var/mail/root": 0 messages
>thor# ls -l /var/mail/root
>-rw---  1 root  wheel   3.9K Oct 20 00:37 /var/mail/root
>thor# head /var/mail/root
>From dera...@do-not-reply.openbsd.org Sun Nov 1 06:30:00 MDT 2018
>Return-Path: root
>Date: Nov 1 06:30:00 MDT 2018
>From: dera...@do-not-reply.openbsd.org (Theo de Raadt)
>To: root
>Subject: Welcome to OpenBSD 6.4!
>
>This message attempts to describe the most basic initial questions that
>a
>system administrator of an OpenBSD box might have.  You are urged to
>save
>this message for later reference.
>>--<
>
>I also remember that I had this problem since the first time I
>installed 6.4-current on my new laptop.
>
>I do receive local mail (e.g., from crontab) for a non-privileged user
>created during setup.
>
>Any ideas of what might be going on?
>
>Best,
>ivpgbe

It's because the Welcome email that gets sent to root and the user created 
during install is dated in the future.  It has the initial planned release date 
of Nov. 1st.  Mail(1) can't seem to see into the future.



Re: Cannot mount install.fs disk image to create custom auto_install.conf based USB flash drive

2018-11-11 Thread trondd
On Sun, November 11, 2018 4:28 pm, Andrew Lemin wrote:
>
> 4b) Mount new vnd1c device (this is where I'm stuck)
>
> ** Here is where I get lost. All the guides refer only to using
> install.iso (whose 'a:' and 'c:' partitions are ISO9660 filetypes - for CD
> based installs), but I need to use the install.fs (for USB based installs)
> **
>
> fw1# mount /dev/vnd1c /mnt
> mount_ffs: /dev/vnd1c on /mnt: Invalid argument
> fw1# mount -t cd9660 /dev/vnd1c /mnt
> mount_cd9660: /dev/vnd1c on /mnt: Invalid argument
> fw1# mount -t msdos /dev/vnd1c /mnt
> mount_msdos: /dev/vnd1c on /mnt: not an MSDOS filesystem
> fw1# mount -t ext2fs /dev/vnd1c /mnt
> mount_ext2fs: /dev/vnd1c on /mnt: Input/output error
>
> As you can see, none of the types I know about are working?
>

Perhaps the filesystem type isn't the problem.


> bsd1# disklabel vnd1
> # /dev/rvnd1c:
> type: vnd
> disk: vnd device
> label: fictitious
> duid: e5445c1e269855f0
> flags:
> bytes/sector: 512
> sectors/track: 100
> tracks/cylinder: 1
> sectors/cylinder: 100
> cylinders: 7382
> total sectors: 738240
> boundstart: 1024
> boundend: 737280
> drivedata: 0
> 16 partitions:
> #size   offset  fstype [fsize bsize   cpg]
>   a:   736256 1024  4.2BSD   2048 16384 16142
>   c:   7382400  unused
>   i:  960   64   MSDOS
>
> I cannot work out what the filesystem should be? It shows as 'unused'
> here.
>

c isn't a real partition.  It represents the whole disk.  Read the
disklabel output again.




Re: httpd - bypass tls misconfig different ciphers, ecdhe

2020-08-15 Thread trondd
On Sat, August 15, 2020 7:13 pm, hisacro wrote:
> I'm on -current, httpd throws tls misconfig error when different
> cipher or ecdhe used but it's bypassed by listen statement.
>
> server "domain.tld" {
> listen on * tls port 443
> log style combined
> hsts
> {
> subdomains
> }
> root "/htdocs/domain.tld/"
> tls {
> certificate "/etc/ssl/domain.tld.fullchain.pem"
> key "/etc/ssl/private/domain.tld.key"
> ciphers "HIGH:!AES128:!kRSA:!aNULL"
> ecdhe "P-384,P-256,X25519"
> }
>
>
> server "sub.domain.tld" {
> # listen on  port 
> # note: adding before tls
> # listen on 0.0.0.0 port 8080
> listen on * tls port 443
> root "/htdocs/sub.domain.tld"
> tls {
> certificate "/etc/ssl/domain.tld.fullchain.pem"
> key "/etc/ssl/private/domain.tld.key"
> }
>
> $ doas httpd -nv
> server "sub.domain.tld": tls configuration mismatch on same address/port
>
> instead of defining same cipher and ecdhe, uncommenting
> "listen on 0.0.0.0 port 8080"
> bypasses this error
>
> I'm unsure what causes this, can someone shed some light?
>

It's what the error says.  You're listening twice on the same ip and port
but with different tls blocks.



Re: httpd - bypass tls misconfig different ciphers, ecdhe

2020-08-15 Thread trondd
On Sun, August 16, 2020 1:49 am, hisacro wrote:
> Aug 16, 2020, 7:50 AM by tro...@kagu-tsuchi.com:
>
>>>On Sat, Aug 15, 2020 at 04:13:51PM -0700, hisacro wrote:
>>
>>> $ doas httpd -nv
>>> server "sub.domain.tld": tls configuration mismatch on same
>>> address/port
>>>
>>> instead of defining same cipher and ecdhe, uncommenting
>>> "listen on 0.0.0.0 port 8080"
>>> bypasses this error
>>>
>>> I'm unsure what causes this, can someone shed some light?
>>
>>It's what the error says. You're listening twice on the same ip and port
>>but with different tls blocks.
>
> Though I have emphasized enough (even on title), re-stating
>
> Why does having a listen statement on  port 
> bypass tls misconfiguration.
>

Because it's not the same IP and port anymore.  You can only have one
thing listening on an ip+port.  Httpd allows you to configure multiple
"servers" for subdomains but in reality there is one actual server
listening and it has to know what parameters to use.



Re: httpd - bypass tls misconfig different ciphers, ecdhe

2020-08-16 Thread trondd
On Sun, August 16, 2020 1:23 pm, hisacro wrote:
> Aug 16, 2020, 11:44 AM by tro...@kagu-tsuchi.com:
>
>> Because it's not the same IP and port anymore. You can only have one
>> thing listening on an ip+port
>
> I got a working httpd config with same IP and same Port
>
> server "domain.tld" {
>   listen on $ext_ip tls port 443
> tls {
> certificate "/etc/ssl/domain.tld.fullchain.pem"
> key "/etc/ssl/private/domain.tld.key"
> ciphers "HIGH:!AES128:!kRSA:!aNULL"
> ecdhe "P-384,P-256,X25519"
> }
> }
> server "sub.domain.tld" {
>   listen on 0.0.0.0 port 8000 # confusion?
>   listen on $ext_ip tls port 443
> tls {
>   certificate "/etc/ssl/domain.tld.fullchain.pem"
> key "/etc/ssl/private/domain.tld.key
>  }
> }
>
> This indeed listen on same address ($ext_ip) and same port (443)
> and works as intended with different cipher and ecdhe.
> Note: only when I add listen on 0.0.0.0 port 8000
>
>>Httpd allows you to configure multiple
>>"servers" for subdomains but in reality there is one actual server
>>listening and it has to know what parameters to use
>
> Sorry, I don't understand your reasoning because
> shouldn't httpd work the same way with or without extra listen on 0.0.0.0
>

Oh, I see what you're doing.  BOTH listen lines are active in the second
server block.  When you connect to port 443 with that config, which TLS
settings does it use?  I want to guess that because you're listening on
port 8000 without tls first, the listen with tls is skipped along with the
tls block below it.



Re: httpd - bypass tls misconfig different ciphers, ecdhe

2020-08-18 Thread trondd
On Sun, August 16, 2020 3:20 pm, hisacro wrote:
> On Sun, Aug 16, 2020 at 02:34:27PM -0400, trondd wrote:
>
>> Oh, I see what you're doing.  BOTH listen lines are active in the second
>> server block.  When you connect to port 443 with that config, which TLS
>> settings does it use?  I want to guess that because you're listening on
>> port 8000 without tls first, the listen with tls is skipped along with
>> the
>> tls block below it.
>
> No, listen TLS isn't skipped for sub.domain.tld
>

That's not what I see.  With the additional listen line, allowing httpd to
start, my sub domain server is using the tls setup from the main server
tls block except for the cert and key to support SNI.  Change the
additional listen line to tls and you'll see that one will pick up the tls
block as it's on a different port.

I think my initial assessment stands.  You can't have different tls blocks
on the same ip/port except certificates and keys for SNI.  It explicitly
does a check to make sure that the other parameters match.

The bug here is in how additional listen lines interact with the remaining
configuration.  The first listen line in a server block gets the tls block
and it doesn't get applied to the second listen line.  Except for certs
and keys which are handled differently for SNI.



Re: httpd - bypass tls misconfig different ciphers, ecdhe

2020-08-19 Thread trondd
On Wed, August 19, 2020 3:33 am, Hisacro Root wrote:
> On Tue, Aug 18, 2020 at 09:28:18PM -0400, trondd wrote:
>> The bug here is in how additional listen lines interact with the
>> remaining
>> configuration.  The first listen line in a server block gets the tls
>> block
>> and it doesn't get applied to the second listen line.  Except for certs
>> and keys which are handled differently for SNI.
>
> I rechecked, you're right. In TLS block except for key & certificate,
> sub domain server (or the server defined at last) inherits config from
> previously defined one (in example config, main server).
>
> Is it worthy of a bug or could be confusion on configs?
>

Yeah.  I would.  It's confusing.  Clearly there is an inconsistency in tls
parameter handling when there is both a new ip/port and an SNI host
defined in the same server block.

I'm not a C programmer so deciphering what's going on would take me a while.
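To make the rule this thread converged on concrete, here is an added Python example (not httpd's code, and not something posted on the list) that parses a simplified httpd.conf and applies the check trondd describes: every server block that listens with tls on the same address and port must agree on the tls parameters other than certificate and key, which are the only ones allowed to vary per SNI name. It also flags a server block with more than one listen line, the configuration in which the inherited-parameters surprise showed up. The parser is a minimal, constructed one that understands only the directive forms used in this thread; the sample configuration is constructed from the second config hisacro posted.

```python
import shlex

TLS_SNI_KEYS = {"certificate", "key"}  # may differ per SNI name; everything else must match


def parse_httpd_conf(text):
    """Return a list of {'name', 'listens': [(addr, port, tls)], 'tls': {k: v}}.

    Handles 'server "name" {', 'listen on ADDR [tls] port N', a nested
    'tls { key value ... }' block and any other nested block (e.g. hsts),
    which is skipped. Quoted values are unquoted by shlex; a '#' starts a
    comment, so a literal '#' inside a quoted value is not supported here.
    """
    servers = []
    cur = None
    stack = []  # names of currently open blocks
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        toks = shlex.split(line)
        if toks[0] == "server" and toks[-1] == "{":
            cur = {"name": toks[1], "listens": [], "tls": {}}
            servers.append(cur)
            stack.append("server")
        elif toks[-1] == "{":
            stack.append(toks[0])        # e.g. tls {, hsts {
        elif toks == ["{"]:
            stack.append("?")            # brace on its own line
        elif toks[0] == "}":
            if stack:
                stack.pop()
            if not stack:
                cur = None
        elif cur is None:
            continue                     # global macros such as ext_ip="..."
        elif stack[-1] == "server" and toks[0] == "listen":
            addr = toks[2]
            tls = "tls" in toks[3:]
            port = toks[toks.index("port") + 1]
            cur["listens"].append((addr, port, tls))
        elif stack[-1] == "tls" and len(toks) == 2:
            cur["tls"][toks[0]] = toks[1]
    return servers


def find_tls_mismatches(servers):
    """Group tls listeners by (addr, port) and report differing parameters."""
    by_endpoint = {}
    findings = []
    for s in servers:
        if len(s["listens"]) > 1:
            findings.append(f'server "{s["name"]}": {len(s["listens"])} listen lines; '
                            "only the first listen line picks up the tls block")
        for addr, port, tls in s["listens"]:
            if not tls:
                continue
            params = {k: v for k, v in s["tls"].items() if k not in TLS_SNI_KEYS}
            first = by_endpoint.setdefault((addr, port), (s["name"], params))
            if first[1] != params:
                findings.append(f'server "{s["name"]}": tls configuration mismatch on '
                                f'{addr}:{port} with server "{first[0]}"')
    return findings


# Constructed sample after the thread's second configuration.
SAMPLE_CONF = '''
ext_ip="192.0.2.10"
server "domain.tld" {
    listen on $ext_ip tls port 443
    tls {
        certificate "/etc/ssl/domain.tld.fullchain.pem"
        key "/etc/ssl/private/domain.tld.key"
        ciphers "HIGH:!AES128:!kRSA:!aNULL"
        ecdhe "P-384,P-256,X25519"
    }
}
server "sub.domain.tld" {
    listen on 0.0.0.0 port 8000   # the extra line that made httpd -n pass
    listen on $ext_ip tls port 443
    tls {
        certificate "/etc/ssl/domain.tld.fullchain.pem"
        key "/etc/ssl/private/domain.tld.key"
    }
}
'''

if __name__ == "__main__":
    for finding in find_tls_mismatches(parse_httpd_conf(SAMPLE_CONF)):
        print(finding)
```

Both findings matter from a defender's point of view: the first is the error httpd itself prints, the second is the silent case where a configuration loads but the sub-domain server serves port 443 with whatever the first server block negotiated rather than with the ciphers and curves its own tls block names.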



Re: email attachments in firefox

2020-08-24 Thread trondd
On Fri, August 21, 2020 5:24 pm, Jan Stary wrote:
> On Aug 21 18:06:59, falsif...@falsifian.org wrote:
>> On 2020-08-21 16:51, Raymond, David wrote:
>> > I noticed that trying to load an attachment to Gmail in Firefox leads
>> > to a basically empty menu for selecting the file to be loaded?  What
>> > gives?  Is this something to do with pledge/unveil?  Is there a way to
>> > do this?
>> >
>> > Dave Raymond
>>
>> In practice, if I want to give Firefox access to a file, I move it to
>> ~/Downloads and then it will appear in that chooser.
>
> But sometimes, the file selection will offer the content of /tmp
> and you have no way of making it something else.
>

Type in the path to your Downloads folder?




Re: Can I boot without GPU ("headless")?

2020-08-30 Thread trondd
On Sun, August 30, 2020 7:12 am, Henry W. Peterson wrote:
> If I write at the boot prompt "set timeout 5" and then "set tty pc0" it
> waits indefinitely for new commands (as expected).
>
> I was asking if there is a way to start a new timeout or instantly boot
> the kernel after the console switching without typing anything else (to
> switch to com0, without actually connecting a serial console, let it boot
> and then control the computer by ssh).
>

Once you hit a key on the keyboard, you've stopped the timeout.  If you're
typing on the keyboard, you can just type "boot" (or just "b") to boot it.
You don't need a timeout.

If you put your com0 settings (or whatever else) into boot.conf, then you
don't need to type anything and the timeout applies and it'll boot on its
own.





Re: Having trouble enabling TLSv1.3 on httpd(8)

2020-09-03 Thread trondd
On Thu, September 3, 2020 2:18 pm, Parker Ellertson wrote:
> According to my understanding of the manpages (specifically
> httpd.conf(5) and tls_config_set_protocols(3)), setting up TLSv1.3
> should be just as easy as adding:
>
> tls {
> protocols "TLS_PROTOCOL_TLSv1_3"
> }
>
> to the appropriate server in /etc/httpd.conf .  But when I do this,
> httpd(8) doesn't come up.  Clearly I'm not setting the right variable,
> but what is that variable to set?
>
> - Parker
>

You've used an ENUM for tls_config_set_protocols(), the httpd.conf(5)
manpage said to look at tls_config_parse_protocols(), that section of the
manpage says:

The protocol string is a comma or colon separated list of keywords.
Valid keywords are tlsv1.0, tlsv1.1, tlsv1.2, tlsv1.3, all (all supported
protocols), default (an alias for secure), legacy (an alias for all) and
secure (currently TLSv1.2 and TLSv1.3).


Takes a little bit of careful reading, but that's what's documented.
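Since the mix-up here is between the C enum name and the keyword string, the following added Python model (not libtls code) shows how the string quoted above is interpreted. It covers the keywords listed in the quoted man page text and, going beyond the quote, the "!" prefix that tls_config_parse_protocols(3) also documents for removing a protocol from the set; the bit values are the ones libtls uses, and the rule that a leading "!" starts from the full set is my reading of the library, not something the thread states.

```python
import re

# Bit values as defined by libtls (tls.h); the enum the poster tried to use
# as a string is one of these C constants.
TLS_PROTOCOL_TLSv1_0 = 1 << 1
TLS_PROTOCOL_TLSv1_1 = 1 << 2
TLS_PROTOCOL_TLSv1_2 = 1 << 3
TLS_PROTOCOL_TLSv1_3 = 1 << 4

TLS_PROTOCOLS_ALL = (TLS_PROTOCOL_TLSv1_0 | TLS_PROTOCOL_TLSv1_1 |
                     TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3)
# "secure" / "default": currently TLSv1.2 and TLSv1.3, as the quoted text says.
TLS_PROTOCOLS_DEFAULT = TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3

KEYWORDS = {
    "tlsv1.0": TLS_PROTOCOL_TLSv1_0,
    "tlsv1.1": TLS_PROTOCOL_TLSv1_1,
    "tlsv1.2": TLS_PROTOCOL_TLSv1_2,
    "tlsv1.3": TLS_PROTOCOL_TLSv1_3,
    "all": TLS_PROTOCOLS_ALL,
    "legacy": TLS_PROTOCOLS_ALL,          # alias for all
    "default": TLS_PROTOCOLS_DEFAULT,     # alias for secure
    "secure": TLS_PROTOCOLS_DEFAULT,
}

NAMES = {v: k for k, v in KEYWORDS.items() if k.startswith("tlsv")}


def parse_protocols(spec):
    """Return the protocol bitmask for a comma/colon separated keyword list.

    Returns None when a keyword is not recognised, which is what happens to
    the string "TLS_PROTOCOL_TLSv1_3" from the original post. A keyword
    prefixed with "!" is removed from the set; if the set is still empty at
    that point, it is first initialised to all protocols (assumption about
    libtls behaviour, see lead-in).
    """
    protocols = 0
    for token in re.split(r"[,:]", spec):
        token = token.strip().lower()
        negate = token.startswith("!")
        if negate:
            token = token[1:]
            if protocols == 0:
                protocols = TLS_PROTOCOLS_ALL
        bits = KEYWORDS.get(token)
        if bits is None:
            return None
        protocols = protocols & ~bits if negate else protocols | bits
    return protocols


def describe(mask):
    """Human-readable list of the protocol versions enabled in a mask."""
    return [name for bits, name in sorted(NAMES.items()) if mask & bits]


if __name__ == "__main__":
    for spec in ("TLS_PROTOCOL_TLSv1_3", "tlsv1.3", "secure", "all:!tlsv1.0:!tlsv1.1"):
        mask = parse_protocols(spec)
        print(f"{spec!r:30} -> {'invalid' if mask is None else describe(mask)}")
```

For the poster's goal the working line is `protocols "tlsv1.3"` (or `"secure"`, which keeps TLSv1.2 as well); `parse_protocols` returns None for the enum spelling, which matches httpd refusing to start.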



Re: Can't cron sct.

2020-10-27 Thread trondd
On Tue, October 27, 2020 11:10 am, avv. Nicola Dell'Uomo wrote:
> Hi,
>
> maybe I'm missing something trivial, but I can't figure out how to cron
> sct(1)
>
> My user cron config works and cron log reports sct was executed, but
> screen temp doesn't change ...
>
> Here's my user crontab:
>
> #       $OpenBSD: crontab,v 1.28 2020/04/18 17:22:43 jmc Exp $
> #
> # SHELL=/bin/sh
> PATH=/bin:/sbin:/usr/bin:/usr/sbin
> HOME=/var/log
> #
> #minute hour    mday    month   wday    [flags] command
> #
> # rotate log files every hour, if necessary
> # 35    19      *       *       *       touch /home/nicola/sct
>
> 35    19      *       *       *       /usr/local/bin/sct 5000
>
> # touch /home/nicola/sct was a test in order to verify I had not
> misconfigured crontab.
> # cron was tested with SHELL variable defined and then commented out and
> the result was the same.
>

It needs access to X.  I'm guessing you need to pass the DISPLAY variable?

I'm using sctd in .xinitrc (or .xsession) to slowly adjust the temp.

Tim.




Re: relayd: "listen on egress" only listens to IPv4 and not IPv6

2019-08-29 Thread trondd
On Thu, August 29, 2019 8:55 am, Muhammad Kaisar Arkhan wrote:
> Hi Tom,
>
>> listen  on 2a03:6000:9106::50f7:f07a:d1cc port 443 tls
>
> I've tried this before, it just results in this:
>
> /etc/relayd.conf:33: cannot load certificates for relay https2:443
>
> I'm not sure why it does this despite the fact I have clearly
> indicated which TLS certificates to use in relayd.conf with the
> new "tls keypair" feature.
>
> % cat /etc/relayd.conf
>
> log connection
>
> table  { 127.0.0.1 }
> table  { 127.0.0.1 }
> table  { 127.0.0.1 }
>
> http protocol "reverse_proxy" {
> return error
>
> match header set "X-Forwarded-For" value "$REMOTE_ADDR"
> match header set "X-Forwarded-By" value
> "$SERVER_ADDR:$SERVER_PORT"
>
> match request header "Host" value "znc.yukiisbo.red" \
> forward to 
>
> tls keypair "yukiisbo.red"
> tls keypair "arkhan.io"
> tls keypair "znc.yukiisbo.red"
> }
>

Are the certificate and key files named correctly and placed in the
appropriate locations as specified in the manpage?




Re: vpn.rebehn.net upgrade log

2019-10-28 Thread trondd
On Mon, October 28, 2019 6:37 pm, Heinrich Rebehn wrote:
> Hello list,
>
> After upgrading a OpenBSD host running 6.5 to 6.6 using sysupgrade(8), I
> received the email below.
> It suggests that the upgrade has been aborted upon failure to upgrade
> comp66.tgz. This set was not part of the initial installation.
> Does this mean that the system is “half upgraded”? What steps are
> missing because of the abort?
>
> Cheers,
>
>   Heinrich
>

I had something similar happen to me with the games set as I had stopped
installing games on my router some years ago.

Besides the unextracted sets, you've missed out on a bunch of other
upgrade steps such as MAKEDEV, installboot, and everything that runs from
rc.firsttime.

Since you got a kernel and base.tgz I would just manually extract the
other sets (follow the upgrade guide for how to do that correctly) and
clean up anything that generates an error until they extract cleanly. 
Then upgrade properly so you know it will work next time.

Tim.

>
>> On 28. Oct 2019, at 16:31, Charlie Root  wrote:
>>
>> Choose your keyboard layout ('?' or 'L' for list) [default] default
>> Available disks are: sd0.
>> Which disk is the root disk? ('?' for details) [sd0] sd0
>> Checking root filesystem (fsck -fp /dev/sd0a)... OK.
>> Mounting root filesystem (mount -o ro /dev/sd0a /mnt)... OK.
>> Force checking of clean non-root filesystems? [no] no
>> /dev/sd0a (331a03408374f07d.a) on /mnt type ffs (rw, local, wxallowed)
>>
>> Let's upgrade the sets!
>> Location of sets? (cd0 disk http nfs or 'done') [http] disk
>> Is the disk partition already mounted? [yes] yes
>> Pathname to the sets? (or 'done') [6.6/amd64] /home/_sysupgrade/
>>
>> Select sets by entering a set name, a file name pattern or 'all'.
>> De-select
>> sets by prepending a '-', e.g.: '-game*'. Selected sets are labelled
>> '[X]'.
>>   [X] bsd   [X] comp66.tgz[X] xbase66.tgz   [X] xserv66.tgz
>>   [X] bsd.rd[X] man66.tgz [X] xshare66.tgz
>>   [X] base66.tgz[X] game66.tgz[X] xfont66.tgz
>> Set name(s)? (or 'abort' or 'done') [done] done
>> Directory does not contain SHA256.sig. Continue without verification?
>> [no] yes
>> Installing bsd  100% |**| 18250 KB
>> 00:00
>> Installing bsd.rd   100% |**| 10058 KB
>> 00:00
>> Installing base66.tgz   100% |**|   236 MB
>> 00:12
>> Installing comp66.tgz78% |  | 56832 KB
>> 00:01 ETAtar: Unable to remove directory ./usr/include/machine:
>> Directory not empty
>> Installing comp66.tgz   100% |**| 72109 KB
>> 00:06
>> Installation of comp66.tgz failed. Continue anyway? [no] no
>




Re: checksums after reboot

2020-02-07 Thread TronDD
On Fri Feb 7, 2020 at 2:40 PM, Justin Muir wrote:
> Hello all,
>
> 
> Posting here for the first time! Using OBSD as daily laptop OS. Trying
> to
> be a little more security conscious these days by keeping checksums on
> system files with mtree. Did a reboot and several files were changed
> including libcrypto.so, ld.so and several other system-level files. Is
> this
> normal??
>

Yes.  At boot, rc(8) relinks some of the system libraries in order to
randomize the layout of the code.

Your kernel is also reordered for the next reboot.

Tim.



Re: Private cloud hosting recommendations

2015-10-09 Thread trondd
On Fri, October 9, 2015 1:57 pm, Martín Ferco wrote:
> Thanks for all your input!
>
> I'm not particularly concerned about price -- if they are as expensive as
> AWS (paying around $150/mo per instance there), I'd be OK as well. If they
> are cheaper, the better, but I want quality and service as a priority.
>

$150 per instance?  For that money, why not go with dedicated hardware.

Tim.



Re: Private cloud hosting recommendations

2015-10-09 Thread trondd
On Fri, October 9, 2015 4:34 pm, Martín Ferco wrote:
> I can consider that as well, but I'd like to not depend on someone
> inserting CDs or something like that for installing the OS for example
> and,
> also, I'd like to have the possibility of having our private network
> connected via VPN to our other sites.
>

For a measly $30 a month I have my own system and can get a network KVM
attached for console access through which you can also provide an ISO for
it to boot from / read.  And no reason you can't VPN to the box.  I have
that set up for myself.  For $150 you've gotta be able to do even better
than that.

I was looking for cheap, so I don't have easy access to that KVM, it's by
request, and support is through their ticketing system only.  No phone or
the like.  This isn't a recommendation for a business (but for personal
use, I recommend them) but for a comparison:
https://www.wholesaleinternet.net/dedicated

For $85 you could have a 12 core 72G system, install ESX and then whatever
VMs you want. :)

Tim.



Re: Question about core dumps and swap space.

2015-10-19 Thread trondd
On Mon, October 19, 2015 8:01 pm, Joel Rees wrote:
>
> I have lots of core dumps sitting around. I have not seen any the size
> of physical memory. Nothing close. Even firefox doesn't leave that
> much of a dump when it bombs.
>
> Hmm. Xombrero, from when I was playing with that, left a coredump of
> 512M. Firefox left one at 197M. Time to rm those.
>
> Why do you have 32G of RAM? What kind of working sets do you expect
> the applications you'll be running to have?
>

He's referring to savecore(8) dumps when the kernel crashes, not
application crashes.

Tim.



Re: make release error on 5.8

2015-10-20 Thread trondd
On Tue, October 20, 2015 11:02 am, Joe S wrote:
>
> since the FAQ didn't mention the need to do this separately.
>


Sure it does.  5.3.5 describes building userland and 5.4, about building
the release, references it several times.

"the above build process"
"build...then make a release"
"The release process uses the binaries created...in the building process
above, so you must successfully complete the build first"

Tim.



Re: ipsec via iked

2015-11-04 Thread trondd
> I do have read the puffysecurity website

Did you?  I struggled with this for a while, too, and found the
puffysecurity example, when followed, works.

>
> For example, the laptop is connected to internet through a network
> 192.168.100.0/24 (ip 192.168.100.37)
>
> The working configuration is (using now ca, no more psk) :
>
> On the gateway :
> distantnet="192.168.100.0/24"
> ikev2 "qcvpn" passive ipcomp esp \
> from 192.168.0.0/24 to $distantnet \
> peer any \
> srcid ets.qualitycenter.fr
>

> I've tried other configurations like this :
>
> On the gateway :
> distantnet="192.168.33.0/24"
> ikev2 "qcvpn" passive ipcomp esp \
> from 192.168.0.0/24 to $distantnet \
> peer any \
> srcid ets.qualitycenter.fr \
> config address 192.168.33.2 \
> config name-server 192.168.0.190
>

Why do you keep configuring a specific network if that is not what you
want to do?  Did you try 0.0.0.0/0?

> I got the flows from peer 196.207.241.154 to 192.168.33.0 in both sens and
> SAD ok (same as in the working configuration but 192.168.100 is replaced
> by
> 192.168.33 which looks like fine to me), but I'm not able to get access to
> any distant computer. The laptop pf is as simple as possible :
> pass in
> match out on enc0 nat-to 192.168.33.2
>

I don't think you're supposed to NAT on the enc0 interface.  That's a
special internal interface.  If you're going out to the internet you have
to NAT on the egress interface.  Why are you doing NAT on the laptop at
all, actually?  If you're trying to get the laptop to talk over the VPN
tunnel, that's what iked does, you only need to allow VPN ports and
protocols through the laptop firewall.

I can't get to my working config from where I am now, if I remember, I'll
send it along this evening.

Tim.



Re: OBSD 5.8 and console

2015-11-22 Thread trondd
On Sun, November 22, 2015 11:13 am, Alessandro Baggi wrote:
> Hi list,
> I've an APU1D where I want install OpenBSD 5.8 amd64. The only option
> that I have is install from console.
>
> I've downloaded install58.fs and modified /etc/boot.conf adding:
> set tty com0
> (saved)
>
> During boot it recognizes obsd install media then print this message:
> switching to com0
>
> after this I can't receive any output from terminal console (in my case
> screen from linux) and don't know what happen.
>

You set com0, but not the speed.  If I recall, the APU defaults to 115200
while it boots, then OBSD defaults to 9600 on com0 if you don't tell it
otherwise.  Disconnect and reconnect at 9600, or add the speed to
boot.conf.

Tim.



[PATCH] pledge x11/wmii (and other ports?)

2015-11-22 Thread trondd
I haven't seen much discussion about applying pledge to ports, so I thought I'd
find out how people feel about it.

I chose to start with x11/wmii because
a) It's no longer officially developed so (other than updating the port to the
last release) it's not going to change.
b) I might be the only one left who uses it.

I've been running it pledged since it was tame.

I can see downsides to this such as, ports maintainers not necessarily being
involved in the development of the port and having a lower understanding of the
code as compared to OBSD developers with base code, or not having the ability
to reorganize or change the code in a way that improves it for pledge.

Tim.


Index: Makefile
===
RCS file: /cvs/ports/x11/wmii/Makefile,v
retrieving revision 1.21
diff -u -p -r1.21 Makefile
--- Makefile12 Nov 2015 09:59:41 -  1.21
+++ Makefile20 Nov 2015 22:33:36 -
@@ -3,7 +3,7 @@
 COMMENT=   dynamic window manager
 DISTNAME=  wmii-3.6
-REVISION=  6
+REVISION=  7
 CATEGORIES=x11
 HOMEPAGE=  http://wmii.suckless.org/
cvs server: Diffing patches
Index: patches/patch-cmd_wmii_main_c
===
RCS file: patches/patch-cmd_wmii_main_c
diff -N patches/patch-cmd_wmii_main_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-cmd_wmii_main_c   20 Nov 2015 22:33:36 - @@ -0,0 
+1,13 @@
+$OpenBSD$
+--- cmd/wmii/main.c.orig   Sun Oct 18 15:10:20 2015
 cmd/wmii/main.cSun Oct 18 15:10:33 2015
+@@ -408,6 +408,9 @@ main(int argc, char *argv[]) {
+   WinAttr wa;
+   int i;
+ 
++  if (pledge("stdio rpath cpath fattr unix proc exec prot_exec", NULL) == 
-1)
++  err(1, "pledge");
++
+   fmtinstall('r', errfmt);
+   fmtinstall('C', Cfmt);
+ 
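Review bot: the pledge(2) call is placed at the very top of main(), ahead of `fmtinstall` and everything the window manager sets up afterwards, so the `unix` promise in `"stdio rpath cpath fattr unix proc exec prot_exec"` is what any later X display connection depends on; if the display is opened after this point and DISPLAY names a TCP display rather than a local socket, the process is killed by the kernel instead of failing with a readable error. Record that assumption in the patch, and add the one-line description OpenBSD port patches carry under the `$OpenBSD$` marker, e.g. `Restrict wmii with pledge(2); only local unix-socket X displays are supported.` so the next porter knows why each promise is there.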
Index: patches/patch-cmd_wmiir_c
===
RCS file: patches/patch-cmd_wmiir_c
diff -N patches/patch-cmd_wmiir_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-cmd_wmiir_c   20 Nov 2015 22:33:36 -
@@ -0,0 +1,13 @@
+$OpenBSD$
+--- cmd/wmiir.c.orig   Sun Oct 18 15:09:57 2015
 cmd/wmiir.cSun Oct 18 15:10:44 2015
+@@ -312,6 +312,9 @@ main(int argc, char *argv[]) {
+   exectab *tab;
+   int ret;
+ 
++  if (pledge("stdio unix", NULL) == -1)
++  err(1, "pledge");
++
+   fmtinstall('r', errfmt);
+ 
+   address = getenv("WMII_ADDRESS");
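Review bot: `pledge("stdio unix", NULL)` is made immediately before `address = getenv("WMII_ADDRESS");`, so the transport named by that variable is never checked against the promises: an address that is not a unix socket would be killed at connect time rather than rejected. Either move the pledge to after the address has been parsed so a non-unix address can be refused with `err(1, ...)`, or state in the patch that only unix-socket addresses are supported under this pledge. As with the main.c patch, add the descriptive comment line under `$OpenBSD$`.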



Re: release and patch/errata info in (easily) machine readable format?

2015-12-05 Thread trondd
On Sat, December 5, 2015 2:20 pm, openbsd-m...@clark-communications.com
wrote:
> I mostly follow -stable, and have scripts/tools that enable me to
> (re)build
> stable from source with minimal human intervention.
>
> To further automate this process, it would be helpful to have the current
> release number and (at least) the most current patch number.

What is your build process?  The machine doing the build is running the
same version it's building, right?  Does 'uname -r' not work for you?

As for the patch number, someone can correct me if I am wrong, but I don't
believe it is recorded anywhere else.  I used to parse the errata page but
to be kinder to the server, I started parsing my local mirror which I
actually found to be easier to get the info from.

I maintain a "patchlevel" file on each system to keep track of what patch
I have applied and I check it against the patches on my mirror in
daily.local so I keep getting notified of out of date systems.  I also add
it to the motd so I see it when I log in, as well.

I prefer this slightly manual intervention because I like to know what is
changing on my systems.  I'm already patching manually, so also
maintaining the patchlevel file is minor.

Tim.



Re: release and patch/errata info in (easily) machine readable format?

2015-12-05 Thread trondd
On Sat, December 5, 2015 4:08 pm, openbsd-m...@clark-communications.com
wrote:
> Yes, if I end up writing a scraper, I will very likely obtain the html
> pages
> from the www directory of my local CVS mirror, rather than making http
> requests
> of the OpenBSD website.
>
> Another nice piece of data to have about a patch level would be the
> revision
> number in CVS for that patch.
> At present, the only place I see that information is inside the patch.sig
> file, e.g.
>
>   
> http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/common/004_smtpd.patch.sig
>

I meant, I parse the files in patches/*/common, not the html in cvs.  I
found it easier.  I get a nice little report of the errata number, name
and synopsis.  It's mostly wasted as I see the cvs checkin first and am
already rebuilding. :)

> My approach is to build an entire new release for the current patch level.
> I understand this is way overkill, but given that is is a (mostly)
> automated
> process, I prefer this
> approach to manually applying and rebuilding….

This is also what I do.  I rebuild the whole release and then apply the
kernel or base tarball to update the systems.  This way I have an
up-to-date release available for new system deployments as well.  I don't
have the luxury of redundancy or down time to fully redeploy a system to
update it.

I do maintain configuration changes in siteXX.tgz files in case I do have
to redeploy.  Unfortunately, they are mostly untested which is bad, but it
should get me 95% of the way.  A dev/staging environment is in the works.

> I can imagine that at some point I can have my build system send me a
> notification that a new patch is available, and a bit later,
> that a new release has been built and is available for installation,
> if/when I
> so choose.
>

My build machine monitors cvs for -stable updates in the code, as well as
changes to the patches/$version/ folder.  I see the cvs changes, and if
errata newer than the build machine's patchlevel have been created.  I
mirror the patches directory so all the systems compare their patchlevel
to my internal mirror.  Currently, I manually kick off a new release build
and then initiate an update from each system.

The patchlevel handles errata, but I can't yet be sure a system has the
latest stable changes.  The theory is that it's the errata that's
important, so I haven't solved that problem yet.

As it stands I have way better insight into the changes going onto my OBSD
machines as compared to the linux ones with rolling updates of hundreds of
packages of who-knows-what.
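Both of the posts above describe the same check: a per-host "patchlevel" file compared, from daily.local, against the errata files in a local mirror of the patches directory. The script below is an added example written for this page, not trondd's own daily.local script. It assumes (the thread does not confirm these details) that patch files are named NNN_name.patch.sig, that the patchlevel file holds a single integer, and that each patch opens, after the signify lines, with an "OpenBSD X.Y errata NNN, <date>:" line followed by a blank line and a one-line synopsis; the sample mirror it builds is constructed data.

```shell
#!/bin/sh
# Added example, not trondd's script: report errata present in a local mirror
# of pub/OpenBSD/patches/<version>/common that are newer than the errata
# number recorded in a per-host "patchlevel" file.
# Assumptions (not confirmed by the thread): patch files are named
# NNN_name.patch.sig, the patchlevel file holds a single integer, and each
# patch starts, after the signify lines, with "OpenBSD X.Y errata NNN, <date>:"
# followed by a blank line and a one-line synopsis.

# Strip leading zeros so "003" compares as the integer 3 (a leading zero
# would make $((...)) read the number as octal).
errata_int() {
    n=$1; n=${n#0}; n=${n#0}
    [ -z "$n" ] && n=0
    echo "$n"
}

# Print "NNN name: synopsis" for every errata newer than the recorded level.
# Returns 1 when the host is behind the mirror, 0 when it is current.
outdated_errata() {
    dir=$1 levelfile=$2
    have=0
    [ -r "$levelfile" ] && read -r have < "$levelfile"
    behind=0
    for f in "$dir"/[0-9][0-9][0-9]_*.patch.sig; do
        [ -e "$f" ] || continue          # pattern matched nothing
        base=${f##*/}
        num=${base%%_*}
        name=${base#*_}; name=${name%.patch.sig}
        if [ "$(errata_int "$num")" -gt "$(errata_int "$have")" ]; then
            # synopsis: first non-empty line after the "OpenBSD ... errata" header
            syn=$(awk '/^OpenBSD [0-9.]+ errata/ { hdr = 1; next }
                       hdr && NF { print; exit }' "$f")
            printf '%s %s: %s\n' "$num" "$name" "$syn"
            behind=1
        fi
    done
    return $behind
}

# Build a constructed mirror directory with three fake patch files (sample
# data for the demo; the signature lines are placeholders, not real signify
# output).
make_sample_mirror() {
    dir=$1
    mkdir -p "$dir"
    for spec in "001 alpha" "002 beta" "003 gamma"; do
        set -- $spec
        cat > "$dir/${1}_${2}.patch.sig" <<EOF
untrusted comment: constructed sample, not a real signify signature
RWQplaceholderSIGNATUREplaceholder
OpenBSD 6.2 errata $1, Jan 1, 2018:

Constructed synopsis for errata $1 ($2).

Apply by doing:
    (constructed sample; no apply instructions)
EOF
    done
}

# Demo: the host records patchlevel 2, the mirror carries errata 003.
demo_dir=$(mktemp -d)
make_sample_mirror "$demo_dir"
echo 2 > "$demo_dir/patchlevel"
outdated_errata "$demo_dir" "$demo_dir/patchlevel" || echo "host is behind the mirror"
rm -rf "$demo_dir"
```

In daily.local the call would be something like `outdated_errata /path/to/mirror/patches/$(uname -r)/common /etc/patchlevel`, with the mirror path and the patchlevel location being whatever your own setup uses; the non-zero return is what makes the daily mail show up only for hosts that are behind.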



Re: NOT POSSIBLE: Fully encrypted system with keydisk

2015-12-10 Thread trondd
On Thu, December 10, 2015 6:35 pm, Stefan Wollny wrote:
> YES: I did 'disklabel -E sd0' and 'disklabel -E sd1' accordingly,
> setting every partition to type RAID

How many partitions are you making on sd0?  For FDE, typically you make
one partition of type RAID filling the disk (or your desired OpenBSD area)
and all the other partitions are created inside of it.  How are you
partitioning the drives?

> YES: I did 'bioctl -C force -c C -l /dev/sd0d -k /dev/sd1d softraid0'

Why force?  Why partition d?  Again, how are you partitioning your drives?



Re: security(8) mailbox check question

2016-01-23 Thread trondd
On Sat, January 23, 2016 1:29 pm, Adam Wolk wrote:
> Hi misc@
>
> I'm using OpenSMTPD setup according to [1]. OpenBSD's security(8) keeps
> complaining on the way I setup my maildir on the host.
>
> TL;DR: why u+x on users maildir is considered a bad practice?
>
> Running security(8):
>
> Checking mailbox ownership.
> user mulander mailbox is drwx--, group mulander
> user nemessica mailbox is drwx--, group nemessica
>

My guess is that since the system uses mbox format mail storage, it's
expecting /var/mail/* to be *files* not folders in which case you wouldn't
want them to be executable.  If you want to put dovecot mail in var, use a
directory other than the system location.

Tim.



Re: Making and using a release

2016-01-31 Thread trondd
On Sun, January 31, 2016 7:04 am, Mark Carroll wrote:
> http://www.openbsd.org/faq/faq5.html#Release tells me at the end that,
>
>> ... if updating a machine to a new -stable, simply unpack the tar
>> files in the root directory of the target machine.
>
> Am I right to worry that this approach wouldn't include all the patches
> because it won't actually update the kernel itself?
>
> -- Mark
>

Yeah, you should follow the entire update process (unless you know exactly
what changed).  Replace your kernel, reboot, unpack the tarballs, run
sysmerge, etc.

Looks like someone already tweaked the FAQ.

Tim.



Re: Sorry for the n00b question but I could use some education on relayd

2017-11-02 Thread trondd
On Thu, November 2, 2017 2:17 pm, Bryan C. Everly wrote:
> Hi misc@,
>
> I have a use case where I'm using OpenBSD 6.2 as my router/firewall
> and there are several websites that sit behind it on separate servers
> (let's call them http://one.com, http://two.com and http://three.com
>
> I'd like to be able to have just a single IP address exposed through
> DNS for all three of them (it's a home cablemodem and I only have one
> public IP address) and then use something on OpenBSD (pf?  relayd?) to
> route the traffic to the appropriate private IP address on the LAN
> side of the network.
>
> In looking at the manpage for relayd and relayd.conf, I'm wondering if
> I could set up a relay using something like this:
>
> table   { 192.168.1.2 }
> table  { 192.168.1.3 }
> table  { 192.168.1.4 }
>
> redirect "one" {
> listen on one.com port 80
> forward to 
> }
>
> redirect "two" {
> listen on two.com port 80
> forward to 
> }
>
> redirect "three" {
> listen on three.com port 80
> forward to 
> }
>
> I've tried this and even after re-reading the manpage and seeing that
> I needed to add the "anchor" bit to my pf.conf I'm still not getting
> what I'm looking for.  Perhaps I'm using the wrong tool for the job?
>
> Thanks in advance for any suggestions or knocks on the head!
>
> Thanks,
> Bryan
>

You can't have multiple redirects on the same IP and port.  DNS isn't
known at that layer.

If you have only one external IP, you have to use a relay and
pass...forward to the host based on HOST header value.

Something like this:

ext_addr="xxx.xxx.xxx.xxx"

#
# Global Options
#
interval 20
timeout 2000
prefork 5

#
# Each table will be mapped to a pf table.
#
table  { 192.168.1.10 }
table  { 192.168.1.11 }
table  { 192.168.1.12 }
table  { 127.0.0.1 }

#
# Relay and protocol for HTTP layer 7 loadbalancing and SSL/TLS acceleration
#
http protocol http {
match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
match request header append "X-Forwarded-By" \
value "$SERVER_ADDR:$SERVER_PORT"
match request header set "Connection" value "close"

match request header log "Host"

pass request quick header "Host" value "web1.com" forward to 
pass request quick header "Host" value "web2.com" forward to 
pass request quick header "Host" value "web3.com" forward to 

pass quick forward to 
return error style "body {background: white; color: black; }"

# Various TCP performance options
tcp { nodelay, sack, splice, socket buffer 65536, backlog 128 }

}

relay www {
listen on $ext_addr port 80
protocol http

forward to  port http check http "/index.html" code 200
forward to  port http check http "/index.html" code 200
forward to  port http check http "/index.html" code 200
forward to  port 8080 check http "/index.html" code 200
}



Re: Streamlining disklabel...

2017-11-04 Thread trondd
On Sat, November 4, 2017 5:09 pm, Implausibility wrote:
> Again, the interactive editor is way too many steps, too many
> opportunities for screw-ups, and does nothing to streamline the process of
> adding a new disk for me.
>
> So this is what I've come up with...
>
> fdisk -i sd1
> echo "/disk21M-* 100%" >/tmp/disktab.new
> disklabel -w -dv  -A -T /tmp/disktab.new sd1 && rm /tmp/disktab.new
> newfs /dev/rsd1a
> mkdir /disk2
> mount /dev/sd1a /disk2
>
> This seems kludgy, but it is more automated / flexible, and best of all,
> it works.
>
> I'm still curious to know if this is really the most efficient way of
> doing this.
>
> Thanks.
>

That's the way I do it.  That's the way the automated installer does it...




Re: pf not redirecting DNS queries

2017-11-06 Thread trondd
On Mon, November 6, 2017 8:50 pm, Scott Bennett wrote:
> I have an APU2 running 6.2, acting as pf NAT gateway, DHCP server, and
> DNS cache (unbound) for my internal LAN.
>
> I've attempted to make all DNS queries redirect to the APU2, as many
> examples have illustrated, so that they can be forwarded to OpenDNS (to
> take advantage of domain filtering). But it seems that it is still
> possible for queries to evade the redirection.
>
> Using dig as a concrete example, if I do the following simple
> query from a client, I get an answer from unbound as expected:
>
> However, if I specify an alternate DNS server, I get a response from
> that server:
>
> $ doas cat /etc/pf.conf
> wired = "{ vether0 em1 em2 }"
> wifi = "athn0"
> wired_ip = "192.168.0.1"
> wifi_ip = "192.168.2.1"
> icmp_types = "{ echoreq, unreach }"
> udp_ports = "{ domain, ntp }"
> tcp_ports = "{ ssh, smtp, domain, www, pop3, auth, http, https, pop3s }"
>
> table  { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
>172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, \
>192.168.0.0/16, 198.18.0.0/15, 198.51.100.0/24, \
>203.0.113.0/24, 224.0.0.0/3 }
> set block-policy drop
> set loginterface egress
> set skip on lo
> match in all scrub (no-df random-id)
> match out on egress set prio (5, 6)
> match in on $wifi set prio (5, 6)
> match proto tcp to port ssh set prio 7
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
> antispoof quick for { egress, $wifi }
> block in quick log on egress from  to any
> block return out quick log on egress from any to 
> block in quick on egress from no-route to any
> block in quick on egress inet proto icmp all label "icmp-in"
> block all
> pass quick proto { tcp, udp } to port $udp_ports

Because you're telling pf to pass all traffic on port domain to anywhere.
Quick rules stop evaluation and you never hit the rdr-to rules below.


> pass inet proto icmp icmp-type $icmp_types
> pass out on egress inet proto udp to port 33433:33626
> pass inet proto tcp from $wifi:network to port $tcp_ports modulate state
> pass from { self, $wifi:network } modulate state
> pass in on $wired inet
> # Redirect DNS Queries
> pass in on $wifi  proto { udp, tcp } from any to any port domain \
>  rdr-to $wifi_ip  port domain label "dns-redirect"
> pass in on $wired proto { udp, tcp } from any to any port domain \
>  rdr-to $wired_ip port domain label "dns-redirect"
>

What is on your LAN that isn't using your DHCP settings for DNS?  Why
redirect instead of just blocking DNS from the LAN to all but unbound?



Re: Keeping up to date with ports and putting ports/pobj on wxallowed filesystem

2017-11-09 Thread trondd
On Thu, November 9, 2017 4:54 pm, Jeff wrote:
> On Thu, 9 Nov 2017 22:06:43 +0100
> "Christoph R. Murauer"  wrote:
>
>> If I understood your question correct ...
>>
>> > Running: OpenBSD6.2-release
>> >
>> > Goal: To run a secure and functional web server.
>> > (the server is currently up and running and used by
>> > the public at large)
>>
>> If there are security related patches or things needed to be fixed,
>> that the package works as it should, you can simple run pkg_add -iu
>
> Thanks for your replay Christoph.
>
> Please correct me if I'm wrong, but as I understand things, this only
> works if one is following OpenBSD-current.  I am running -release.
> This is an in-use production server; I don't feel wise running -current.
>
>> You can add wxallowed to a already mounted filesystem using mount(8).
>
> In theory, I don't like this;  I would rather keep preventing everything
> not mapped from /usr/local from being able to have both writable and
> executable pages, even if it's only temporary.
>
>> > Is it not worth it to update ports in this way; meaning, is it better
>> > to simply wait for OpenBSD6.3 and stick with binary packages only
>> > (as recommended on the openbsd.org site)?
>>
>> That depends on your requirements. See above.
>
> My answer also depends.  Ideally, I'd want to jump on any update for
> any software for which a security advisory has been issued.  Also,
> I do wish to track other non-critical updates to keep the server's
> software relatively up-to-date as not to fall behind; picking up
> performance and related enhancements in a bonus.  In practice,
> at least for myself and my available time, this isn't always feasible
> (e.g. the ports tree doesn't have the latest software available as a port
> and it would also be a significant time commitment to build and install
> the software from the original source and successfully integrate it into
> OpenBSD.)
>
> For example, moving to php v7.1.11 or 7.2 fall into this category
> (see: http://www.securityfocus.com/bid/101745)
> .
> Looking at what the ports system has to do to make the php 7.0.23
> package, I'd be spending my life getting 7.2 to build and work properly
> and I feel this is better left to those with more OpenBSD porting
> experience.
>
> Some software builds and integrates from original sources more easily,
> that is, the usual:
> ./configure {reasonable options} -> make -> make install
> procedure goes off without a hitch, or at least without too many edits.
>
>> > Also, is there an easy/sane way to remove packages that were only
>> > required for building once the ports have been updated?
>>
>> A port is a package. See make clean and so on for builded ports and
>> pkg_delete -a for packages. IMHO Who say, that something unneeded is
>> installed ? It also has no effect to the system if build deps. are
>> kept in the ports tree.
>
> I understand that the ports system first builds and packages a port,
> and then installs it.
>
> I could be doing something wrong, but it seems that some ports install
> dependencies to the system (pkg_add-style) that are required to *build*
> the package from source, but that aren't required to *run* the package
> (e.g. cmake).
>
> So, I definitely don't mind leaving the built packages in the ports
> tree, but I *do* mind leaving them installed on the system.
>

Use proot(1).  It's amazing.  You need space, though.  I am using 2.5G to
build my personal use ports.  So, nothing huge.

With dpb(1) it's a pretty automatic process to rebuild stuff.

Tim.




Re: trouble while building a release

2018-01-03 Thread trondd
On Wed, January 3, 2018 1:07 pm, Etienne wrote:
> Hello list,
>
> I'm a bit confused. I believe I have correctly applied the instructions
> in release(8), but I hit this error when running "make release" in
> paragraph 4, on unmodified sources:
>
> # cd /usr/src/etc && make release
> […]
> sh /usr/src/sys/conf/newvers.sh
> touch: version: Permission denied
> /usr/src/sys/conf/newvers.sh[84]: cannot create version: Permission denied
> *** Error 1 in /usr/src/sys/arch/amd64/compile/GENERIC (Makefile:970
> 'vers.o')
> *** Error 2 in . (Makefile:20 'bsd')
> *** Error 2 in . (Makefile:274 'release-sets')
> *** Error 2 in . (Makefile:267 'do-release')
> *** Error 2 in /usr/src/etc (Makefile:251 'release')
>
> However, I have set the directories and permissions as requested:
>
> # ls -ld $RELEASEDIR
> drwxr-xr-x  2 build  daemon  512 Dec 31 06:51
> /var/www/htdocs/pub/OpenBSD/6.2/amd64/
> # ls -ld $DESTDIR
> drwx--  13 build  wheel  512 Dec 31 06:58 /var/destdir/
> #  mount | grep vnd1
> /dev/vnd1a on /var/destdir type ffs (local, nodev, noexec, noperm)
>
> Any idea on what I need to check?
>
> Cheers,
>
> --
> Étienne
>

What are the perms on /usr/obj?  Should be build:wsrc 770 per step 3.

Tim.



Re: Probable mistake in PF tagging example ruleset order

2018-01-10 Thread trondd
On Wed, January 10, 2018 2:44 pm, Aham Brahmasmi wrote:
> Hi,
>
> I am trying to learn and understand the pf tagging mechanism. I was
> wondering whether my understanding of the order in the example at
> https://www.openbsd.org/faq/pf/tagging.html is correct. If it is, then
> there might be a mistake in the order. The relevant lines are
>

Read the rules tagging follows again.  Tags are sticky.  Also a packet
passing through the firewall, say from a LAN machine to the internet, will
be evaluated twice.  If it gets tagged the first time, it'll have that tag
already when evaluated the second time.  If it matches a rule which tags
it, then matches another rule later, it still has the tag from the first
match.

> ...
> pass out on egress inet tag LAN_INET_NAT tagged LAN_INET nat-to (egress)
> pass in on $int_if from $int_net tag LAN_INET
> ...
> pass out quick on egress tagged LAN_INET_NAT
> ...
>
> My understanding:
> For the first line, an IPv4 packet that is already tagged with LAN_INET
> will now have the tag LAN_INET_NAT, and will be passed out on the
> egress interface after Network Address Translation.
>
> For the second line, a packet that is coming from the internal network
> on the internal interface will be passed and tagged with LAN_INET.
>
> For the third line, a packet that is tagged with LAN_INET_NAT will be
> passed out on the egress interface, and the rule evaluation will stop.
>
> Now, if my understanding is correct, then a packet will never match the
> first line, since the LAN_INET tagging happens only in the second line.
> And if that is the case, the third line will also not match, since the
> LAN_INET_NAT tagging happens in the first line.
>

Don't just read the rules from top to bottom.  Follow the packet.  Where
is the packet coming from?  Where is it going?  If there is a packet
coming from the LAN through this firewall to the internet what rules
match?  Does that rule tag the packet?  Does evaluation continue?

That's pass 1.  Since this packet is not destined for this machine, but
for something on the internet, it has to leave this machine.  So now it's
evaluated as an outgoing packet.  Did it get tagged before?  What rules
match based on direction and tag?  Does it get a new tag?  Does evaluation
continue?  Does it match anything else?


> If my understanding is correct, then we may need to switch the order of
> the first and second lines.
>
> The complete ruleset is
>
> int_if  = "dc0"
> dmz_if  = "dc1"
> int_net = "10.0.0.0/24"
> dmz_net = "192.168.0.0/24"
> www_server  = "192.168.0.5"
> mail_server = "192.168.0.10"
>
> table  persist file "/etc/spammers"
> # classification -- classify packets based on the defined firewall
> # policy.
> block all
> pass out on egress inet tag LAN_INET_NAT tagged LAN_INET nat-to (egress)
> pass in on $int_if from $int_net tag LAN_INET
> pass in on $int_if from $int_net to $dmz_net tag LAN_DMZ
> pass in on egress proto tcp to $www_server port 80 tag INET_DMZ
> pass in on egress proto tcp from  to port smtp tag SPAMD rdr-to \
> 127.0.0.1 port 8025
>
> # policy enforcement -- pass/block based on the defined firewall policy.
> pass in  quick on egress tagged SPAMD
> pass out quick on egress tagged LAN_INET_NAT
> pass out quick on $dmz_if tagged LAN_DMZ
> pass out quick on $dmz_if tagged INET_DMZ
>
> Thanks.
>
> Regards,
> ab
> -|-|-|-|-|-|-|--
>




Re: Writing "ones" instead of "zeroes" when wiping disk

2018-01-11 Thread trondd
On Thu, January 11, 2018 5:12 pm, worik wrote:
> On 12/01/18 11:09, Jan Stary wrote:
>> On Jan 11 14:45:21, andreasthu...@gmail.com wrote:
>>> in order to achieve paranoid disk-wiping?
>> Ones are not nearly as secure as zeros.
>>
> Why not? Is it not arbitrary?
>

A 1 is too narrow to fully cover the original data.




Re: http_proxy for rc.firsttime after Upgrade

2018-01-19 Thread trondd
On Fri, January 19, 2018 4:29 am, Raimo Niskanen wrote:
> Hello list!
>
> I have some machines behind a squid proxy and have set the http_proxy and
> ftp_proxy environment variables both in /etc/profile and in
> /etc/login.conf
> for the default login class.  This works well.
>
> But after an upgrade when rc.firsttime calls fw_update and checks for
> binary patches the proxy is not used, so I have to wait for that to time
> out or break it with Ctrl-C and call fw_update manually.
>
> So I just wonder if anybody have an idea of how to set the http_proxy and
> ftp_proxy environment variables so they are picked up by rc.firsttime?
>
> Best regards
> --
>
> / Raimo Niskanen, Erlang/OTP, Ericsson AB
>

I submitted a patch for this:
https://marc.info/?l=openbsd-tech&m=151260860105270&w=2

In the meantime, before reboot, you can edit the rc.firsttime script after
installation.

Tim.



Re: http_proxy for rc.firsttime after Upgrade

2018-01-22 Thread trondd
On Mon, January 22, 2018 2:36 am, Raimo Niskanen wrote:
> On Fri, Jan 19, 2018 at 10:47:15AM -0500, trondd wrote:
>> On Fri, January 19, 2018 4:29 am, Raimo Niskanen wrote:
>> > Hello list!
>> >
>> > I have some machines behind a squid proxy and have set the http_proxy
>> and
>> > ftp_proxy environment variables both in /etc/profile and in
>> > /etc/login.conf
>> > for the default login class.  This works well.
>> >
>> > But after an upgrade when rc.firsttime calls fw_update and checks for
>> > binary patches the proxy is not used, so I have to wait for that to
>> time
>> > out or break it with Ctrl-C and call fw_update manually.
>> >
>> > So I just wonder if anybody have an idea of how to set the http_proxy
>> and
>> > ftp_proxy environment variables so they are picked up by rc.firsttime?
>> >
>> > Best regards
>> > --
>> >
>> > / Raimo Niskanen, Erlang/OTP, Ericsson AB
>> >
>>
>> I submitted a patch for this:
>> https://marc.info/?l=openbsd-tech&m=151260860105270&w=2
>
> That sure looks like an improvement!  But should maybe $http_proxy be
> placed between single quotes?
>
> Unfortunately I fetch the sets into /var/OpenBSD/`machine` and verify them
> before rebooting into /bsd62.rd, so it would not work for me...
>
>>
>> In the meantime, before reboot, you can edit the rc.firsttime script
>> after
>> installation.
>
> I'll try that trick next time.  Thank you!
>
>>
>> Tim.
>
> --
>
> / Raimo Niskanen, Erlang/OTP, Ericsson AB
>

Ah, I see.  Yeah, I only accounted for the obvious case when a net install
was done.

Having thought about it again, an easier solution will be to write your
http_proxy export to /etc/rc.firsttime before rebooting into bsd.rd.  If
you have your update process scripted already, it's an easy additional
line.  The installer only appends commands so anything you have in
rc.firsttime will be preserved.

Tim.




Re: iwm errors with new snapshot

2018-01-23 Thread trondd
On Tue, January 23, 2018 2:09 pm, Stefan Sperling wrote:
> On Tue, Jan 23, 2018 at 11:50:28AM -0600, Vijay Sankar wrote:
>> Over the weekend, I was trying to do some tests requested in tech@
>> (inteldrm). I downloaded the latest snapshot but had problems with iwm
>> firmware on my laptops (X1 Carbon 5th gen)
>>
>> I did not have these errors with the previous snapshot (from January 8,
>> 2018). DHCP etc all worked properly the past couple of weeks, I was able
>> to
>> copy large file sets through wifi etc.
>>
>> So I tried a new build myself in case there was a mismatch between the
>> packages on firmware.openbsd.org and the latest snapshot but that did
>> not
>> work.
>>
>> Waited couple of days for a newer snapshot, installed it and still get
>> the
>> following errors
>
> Can you please try a kernel compiled from -current CVS source?
>
> Such kernels work for me.
>

Had the same problem with a snapshot installed yesterday.  Building from
-current seems to be fine.

Tim.



Re: Kernel panic with openbsd 6.2

2018-01-24 Thread trondd
On Mon, January 22, 2018 10:47 am, Mik J wrote:
> Hello Stuart,
> For me it takes just a few days...
> I have a crash every 3/4 days maybe (2 crashes so far) and my server does
> not handle load.
> Yes I read your reports this morning, although you wrote that there was a
> combination with snmpd, I have it with nginx on my side.
>
>  Regards
>
> On Monday, January 22, 2018 at 10:35:47 UTC+1, Stuart Henderson
>  wrote:
>
>  On 2018/01/22 00:22, Mik J wrote:
>> On Sunday, January 21, 2018 at 11:48:00 UTC+1, Stuart Henderson
>>  wrote:
>> On 2018-01-19, Mik J  wrote:
>> > I had many kernel panics these past days. This is a 6.2 openbsd VM
>> > running on esxi 5.5
>> >
>> > # grep "" /tmp/if_vmx.dis
>>
>> I've reported a lot of vmxnet3_getbuf panics, nobody seems interested.
>> I suggest switching to e1000 in the vmx file, this works with the em(4)
>> driver and has been stable so far.
>>
>>
>> Hello Stuart,
>> Thank you for your answer.
>> I had my VM running for months in version 6.1 and had not problem but I
>> reinstalled it in
>> version 6.2 and the problem is happening.
>> It seems to me that something in version 6.2 is producing the error.
>> One crash today again
>
> I hit this in last April, which was either 6.1 or -current from soon
> after.
> It can take weeks to run into it though so bisecting to find a working
> kernel
> is futile.
>
>

I am running about a dozen 6.2 -stable VMs on ESXi 6.5.  I have exactly
one VM that panics with vmxnet3_getbuf but only when it's being
snapshotted.  And not every time, but usually.

I think once it panicked when I was snapshotting a lot of other VMs in the
cluster but I don't trust that memory now.  I've not seen that again.

Tim.



Re: Kernel panic with openbsd 6.2

2018-01-25 Thread trondd
On Thu, January 25, 2018 4:29 am, Maxim Bourmistrov wrote:
> As Stuart mentioned, em(4) on top of e1000 proven to be more stable.
> Even under higher load.
> Vmx starting to misbehave under high load, resulting for ex. with unstable
> CARP setup.
>
> //mxb
>
>> 25 jan. 2018 kl. 02:40 skrev trondd :
>>
>> I am running about a dozen 6.2 -stable VMs on ESXi 6.5.  I have exactly
>> one VM that panics with vmxnet3_getbuf but only when it's being
>> snapshotted.  And not every time, but usually.
>>
>> I think once it panicked when I was snapshotting a lot of other VMs in
>> the
>> cluster but I don't trust that memory now.  I've not seen that again.
>>
>> Tim.
>>
>

I should have also said that these VMs all run postgreSQL servers.  The
busiest nears 200 simultaneous connections, which may be well below the
load others are handling on their affected systems.

Tim.





Re: SWAP should always be inside crypto softRAID, right? (For OS crash dump data to be encrypted.)

2018-02-08 Thread trondd
On Thu, February 8, 2018 1:49 pm, Tinker wrote:
> Hi misc@,
>
> I looked through previous discussions on whether a SWAP partition
> should be inside or outside the RAID partition when making a crypto
> softraid.
>
> The only argument I stumbled into was that it should be outside because
> swap is encrypted anyhow and it would be unnecessary to double-encrypt
> the swap.
>
>
> That seems like a weak argument to me, because swap is generally used
> rarely and so speed does not really matter anyhow, and, the swap
> partition is always used also as dump partition, and dumps are *not*
> encrypted.
>
> For the case that a dump would happen, you want the OS to encrypt it
> and the way to do that is to put the SWAP *inside* the RAID.
>
>
> Maybe a crash-dump can be induced somehow. Maybe someone would get hold
> of the HDD while the dump data is still on the swap partition because
> the OS has not booted again, which would otherwise normally migrate
> that dump data over to the filesystem.
>
> This is an extreme consideration though as a comprehensive motivation
> for a choice it appears to me to make all sense.
>
>
> Thoughts, comments?
>
> I would probably interpret no comments as that the SWAP should indeed
> be located inside the RAID for this said reason.
>
> Thanks,
> Tinker
>

Assuming you are doing full disk encryption otherwise, put swap inside the
softraid disk.  The kernel is hardcoded to look on the boot disk to save
dumps.  If swap is on sd0 but you decrypt a partition as sd1 and boot
from that, swap is no longer on the same disk.

Unless you override with config(8)

Tim.



Re: Upgrade 6.1->6.2 fails with "id 0 on/: file system full"

2018-02-20 Thread trondd
On Tue, February 20, 2018 8:34 am, Nicolas Schmidt wrote:
> Hey,
>
> it's me again, still trying to upgrade to 6.2.
>
> After choosing to skip verification and continue the upgrade process, I
> now immediately get the following error:
>
> Installing bsd0% |
> id 0 on /: file system full
>
> /: write failed, file system full
> ftp: Writing -: No space left on device
>
> Going to a shell, "df" reveals
>
> Filesystem  512-blocks     Used    Avail Capacity  Mounted on
> /dev/rd0a         6143     6116       27     100%  /
> /dev/sd2a      2057756   179068  1775804       9%  /mnt
> .
> .
> .
>
> To me it seems, the install script is trying to install the kernel on the
> ram disk mounted on / instead of the actual root partition mounted on /mnt
> (sd2 is the volume I chose for installation; it's a RAID 1). Since the ram
> disk is full, this of course has to fail.
>
> Any suggestions?
>
> Best regards and thanks for your help,
> Nicolas
>

This just came up on Daemonforums.  The user had a symlink pointing to an
absolute path starting with /.  The installer follows that symlink to the
ramdisk / instead of /mnt.

http://daemonforums.org/showthread.php?p=63885

Tim.
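A pre-upgrade check for the situation described in that reply, added here as an example that is not part of the thread or of the installer: it lists every symlink on the root to be upgraded whose target is an absolute path, since such a link resolves against the ramdisk's / once the installer has the real root mounted on /mnt. It assumes the filesystem to inspect is mounted at the directory passed in (/ on a running system); the tree it builds for the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: before rebooting into bsd.rd, list the
# symlinks on the root to be upgraded whose target is an absolute path. Once
# that root is mounted on /mnt by the installer, such a link resolves against
# the ramdisk's / rather than /mnt, which is the failure described above.
# Assumption: the filesystem to check is mounted at the directory passed in
# (for a live system that is /, for the installer's view it is /mnt).

# Print "link -> target" for each symlink under $1 whose target starts with /.
absolute_symlinks() {
    find "$1" -type l | while IFS= read -r link; do
        target=$(readlink "$link") || continue
        case $target in
            /*) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# Returns 1 (after printing the offenders) when any absolute symlink exists
# under $1, 0 when the tree is clean; usable as a gate in an upgrade script.
check_absolute_symlinks() {
    out=$(absolute_symlinks "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Demo on a constructed tree: one relative link (fine) and one absolute link.
demo=$(mktemp -d)
mkdir -p "$demo/usr/home" "$demo/var/tmp"
ln -s usr/home "$demo/home"     # relative: resolves inside the mounted root
ln -s /var/tmp "$demo/tmp"      # absolute: resolves on the ramdisk's / instead
check_absolute_symlinks "$demo" || echo "fix these links before upgrading"
rm -rf "$demo"
```

Relative links are reported as clean because they resolve inside whatever directory the root is mounted on, which is exactly what the installer needs; a link that must stay absolute on the running system can be rewritten as a relative one before the upgrade and changed back afterwards.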



Re: Loop problem in sending mail to root

2018-03-05 Thread trondd
On Mon, March 5, 2018 1:05 pm, Chris Bennett wrote:
> I cannot get mail to reach root from /etc/daily for example.
> Not sure what I have setup wrong.
> also both femail-chroot and sendmail-mini-chroot fail
> femail: socket: Connection refused
> /var/www/bin/sendmail_mini: connect: Connection refused
> Any help appreciated.
> I also get the from as  instead of <> too.
> Same problem trying to send mail from a local user to another.
>
> bennettconstruction.us is /etc/myname
>
> running 6.2 -stable using openup on i386
> was trying to set up with vmail earlier, still using mbox and mutt.
> Let me know what else is needed for help.
> Also, I would like a clear explanation of what is happening.
> Could only find info about looping between different machines, not on
> same machine. I'd like to understand this problem.
>
> Thanks,
> Chris Bennett
>
>
> maillog:
>
>
> Feb 25 11:17:20 bennettconstruction smtpd[87019]: d6185c5660de72c5 smtp
> event=message address=104.217.196.250 host=bennettconstruction.us
> msgid=b0728562 from=<> to= size=54221 ndest=1
> proto=ESMTP
> Feb 25 11:17:20 bennettconstruction smtpd[87019]: d6185c55538136f0 mta
> event=delivery evpid=561745fbfe51ba45 from=<>
> to= rcpt=<-> source="104.217.196.250"
> relay="104.217.196.250 (bennettconstruction.us)" delay=1s result="Ok"
> stat="250 2.0.0: b0728562 Message accepted for delivery"
> Feb 25 11:17:21 bennettconstruction smtpd[87019]: warn: loop detected
> Feb 25 11:17:21 bennettconstruction smtpd[87019]: d6185c5660de72c5 smtp
> event=failed-command address=104.217.196.250 host=bennettconstruction.us
> command="DATA" result="500 5.4.6 Routing loop detected: Loop detected"
> Feb 25 11:17:21 bennettconstruction smtpd[87019]: d6185c55538136f0 mta
> event=delivery evpid=b07285629425f9ef from=<>
> to= rcpt=<-> source="104.217.196.250"
> relay="104.217.196.250 (bennettconstruction.us)" delay=1s
> result="PermFail" stat="500 5.4.6 Routing loop detected: Loop detected"
> Feb 25 11:17:21 bennettconstruction smtpd[19843]: warn: queue: no return
> path!
> Feb 25 11:17:31 bennettconstruction smtpd[87019]: d6185c5660de72c5 smtp
> event=closed address=104.217.196.250 host=bennettconstruction.us
> reason=quit
> Feb 25 11:17:31 bennettconstruction smtpd[87019]: d6185c55538136f0 mta
> event=closed reason=quit messages=96
>
> smtpd.conf:
>
>
> # $OpenBSD: smtpd.conf,v 1.9 2016/05/03 18:43:45 jung Exp $
>
> # This is the smtpd server system-wide configuration file.
> # See smtpd.conf(5) for more information.
>
> # tables section
> table aliases file:/etc/mail/aliases
> table domains file:/etc/mail/domains
> table passwd file:/etc/mail/passwd
> table virtuals file:/etc/mail/virtuals
>
> # To accept external mail, replace with: listen on all
> #
> #listen on all
>
> #
> mx1 = "104.217.196.250"
> mx2 = "104.217.196.251"
> mx3 = "104.217.196.252"
> mx4 = "104.217.196.253"
> mx5 = "104.217.196.254"
> #all_mx = "{" $mx1 $mx2 "}"
> # $mx3 $mx4 $mx5 "}"
>
> pki mail.capuchado.com certificate "/etc/ssl/mail.capuchado.com.crt"
> pki mail.capuchado.com key "/etc/ssl/private/mail.capuchado.com.key"
> pki mail.bennettconstruction.us certificate
> "/etc/ssl/mail.bennettconstruction.us.crt"
> pki mail.bennettconstruction.us key
> "/etc/ssl/private/mail.bennettconstruction.us.key"
>
> listen on $mx2 port 25 tls pki mail.capuchado.com
> listen on $mx1 port 25 tls pki mail.bennettconstruction.us
>
> # special case for gmail to avoid ipv6 here
> limit mta for domain gmail.com inet4
>
> # allow local messages
> ##accept from local for local alias  deliver to lmtp
> "/var/dovecot/lmtp" rcpt-to
> # allow virtual domains
> ##accept from any for domain  virtual  deliver to lmtp
> "/var/dovecot/lmtp" rcpt-to
>
> #pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"
> #pki mail.example.com key "/etc/ssl/private/mail.example.com.key"
> # $OpenBSD: smtpd.conf,v 1.8 2015/12/21 16:25:44 sunil Exp $
>
> # Uncomment the following to accept external mail for domain "example.org"
> #
> # accept from any for domain "example.org" alias  deliver to mbox
> ##accept for local alias  deliver to mbox
> accept from local for any relay
> accept from any for domain "bennettconstruction.us" alias 
> deliver to mbox
> accept from any for domain "ed-bennett.com" alias  deliver to
> mbox
> accept from any for domain "capuchado.com" alias  deliver to mbox
>

First matching rule wins, are you relaying to yourself?  Try moving that
to the bottom.



Re: Loop problem in sending mail to root

2018-03-05 Thread trondd
On Mon, March 5, 2018 2:45 pm, Chris Bennett wrote:
> That did the trick.
>

For the future, page 2 'Trace subsystem':

https://www.bsdcan.org/2016/schedule/attachments/378_smtpd_cheatsheet.pdf

You can see which rule gets matched.



Re: Opensmtpd authentication error

2018-03-06 Thread trondd
On Tue, March 6, 2018 1:48 pm, flipchan wrote:
> Hello,
> im trying to create a mail server and i keep getting opensmtpd
> authentication fail
>
>
> i tried using neomutt and regular mutt, but no success
>
>
> tail -f /var/log/maillog
> Mar  6 18:15:37 mail dovecot: imap-login: Login: user=,
> method=PLAIN, rip=homeip, lip=server, mpid=54071, TLS,
> session=
> Mar  6 18:15:48 mail dovecot: imap-login: Login: user=,
> method=PLAIN, rip=homeip, lip=server, mpid=11081, TLS,
> session=
> Mar  6 18:15:55 mail smtpd[77144]: 7b289a2a8f3efe40 smtp event=connected
> address=homeip host=homeip
> Mar  6 18:15:55 mail smtpd[77144]: 7b289a2a8f3efe40 smtp event=starttls
> address=homeip host=homeip ciphers="version=TLSv1.2,
> cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256"
> Mar  6 18:15:55 mail smtpd[77144]: 7b289a2a8f3efe40 smtp
> event=authentication user=user address=homeip host=homeip result=permfail
> Mar  6 18:15:56 mail smtpd[77144]: 7b289a2a8f3efe40 smtp
> event=failed-command address=homeip host=homeip command="AUTH PLAIN (...)"
> result="535 Authentication failed"
> Mar  6 18:15:57 mail smtpd[77144]: 7b289a2a8f3efe40 smtp event=closed
> address=homeip host=homeip reason=disconnect
>
>
>
>
>
> dovecot works so i can get imap but opensmtpd does work
>
> im using openbsd6.2
>
>
> # cat /etc/mail/smtpd.conf
> pki mail.mysite.com certificate "/etc/ssl/mail.mysite.com.crt"
> pki mail.mysite.com key "/etc/ssl/private/mail.mysite.com.key"
>
> # tables setup
> table aliases file:/etc/mail/aliases
> table domains file:/etc/mail/domains
> table passwd file:/etc/mail/passwd
> table virtuals file:/etc/mail/virtuals
>
> # listen ports setup
> #listen on lo0
> listen on vio0 port 25 tls-require pki mail.mysite.com
> #listen on vio0 port 587 tls-require pki mail.mysite.com auth 
> listen on vio0 port 587 smtps pki mail.mysite.com auth 
> # special case for gmail to avoid ipv6 here
> #limit mta for domain gmail.com inet4
>
> # allow local messages
> accept from local for local alias  deliver to lmtp
> "/var/dovecot/lmtp" rcpt-to
> # allow virtual domains
> accept from any for domain  virtual  deliver to lmtp
> "/var/dovecot/lmtp" rcpt-to
> # allow outgoing mails
> accept from local for any relay
> #reject from ! source  sender "@mysite.com" for any
>
>
>
> both dovecot and smtpd reads passwd's from /etc/mail/passwd and only
> dovecot works, think its some kind of smtpd config that is wrong...
>

Is the password encrypted properly?

 In a listener context, the credentials are a mapping of username and
 encrypted passwords:

   user1  $2b$10$hIJ4QfMcp.90nJwKqGbKM.MybArjHOTpEtoTV.DgLYAiThuoYmTSe
   user2  $2b$10$bwSmUOBGcZGamIfRuXGTvuTo3VLbPG9k5yeKNMBtULBhksV5KdGsK

 The passwords are to be encrypted using the smtpctl(8) encrypt
 subcommand.



Re: Opensmtpd authentication error

2018-03-07 Thread trondd
On Wed, March 7, 2018 10:06 am, flipchan wrote:
> smtpctl encrypt mypassword
>
> Then syntax
> user:password ?
>
> On March 6, 2018 9:46:26 PM UTC, trondd  wrote:
>>On Tue, March 6, 2018 1:48 pm, flipchan wrote:
>>> Hello,
>>> im trying to create a mail server and i keep getting opensmtpd
>>> authentication fail
>>>
>>>
>>> i tried using neomutt and regular mutt, but no success
>>>
>>>
>>> tail -f /var/log/maillog
>>> Mar  6 18:15:37 mail dovecot: imap-login: Login:
>>user=,
>>> method=PLAIN, rip=homeip, lip=server, mpid=54071, TLS,
>>> session=
>>> Mar  6 18:15:48 mail dovecot: imap-login: Login:
>>user=,
>>> method=PLAIN, rip=homeip, lip=server, mpid=11081, TLS,
>>> session=
>>> Mar  6 18:15:55 mail smtpd[77144]: 7b289a2a8f3efe40 smtp
>>event=connected
>>> address=homeip host=homeip
>>> Mar  6 18:15:55 mail smtpd[77144]: 7b289a2a8f3efe40 smtp
>>event=starttls
>>> address=homeip host=homeip ciphers="version=TLSv1.2,
>>> cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256"
>>> Mar  6 18:15:55 mail smtpd[77144]: 7b289a2a8f3efe40 smtp
>>> event=authentication user=user address=homeip host=homeip
>>result=permfail
>>> Mar  6 18:15:56 mail smtpd[77144]: 7b289a2a8f3efe40 smtp
>>> event=failed-command address=homeip host=homeip command="AUTH PLAIN
>>(...)"
>>> result="535 Authentication failed"
>>> Mar  6 18:15:57 mail smtpd[77144]: 7b289a2a8f3efe40 smtp event=closed
>>> address=homeip host=homeip reason=disconnect
>>>
>>>
>>>
>>>
>>>
>>> dovecot works so i can get imap but opensmtpd does work
>>>
>>> im using openbsd6.2
>>>
>>>
>>> # cat /etc/mail/smtpd.conf
>>> pki mail.mysite.com certificate "/etc/ssl/mail.mysite.com.crt"
>>> pki mail.mysite.com key "/etc/ssl/private/mail.mysite.com.key"
>>>
>>> # tables setup
>>> table aliases file:/etc/mail/aliases
>>> table domains file:/etc/mail/domains
>>> table passwd file:/etc/mail/passwd
>>> table virtuals file:/etc/mail/virtuals
>>>
>>> # listen ports setup
>>> #listen on lo0
>>> listen on vio0 port 25 tls-require pki mail.mysite.com
>>> #listen on vio0 port 587 tls-require pki mail.mysite.com auth
>>
>>> listen on vio0 port 587 smtps pki mail.mysite.com auth 
>>> # special case for gmail to avoid ipv6 here
>>> #limit mta for domain gmail.com inet4
>>>
>>> # allow local messages
>>> accept from local for local alias  deliver to lmtp
>>> "/var/dovecot/lmtp" rcpt-to
>>> # allow virtual domains
>>> accept from any for domain  virtual  deliver to
>>lmtp
>>> "/var/dovecot/lmtp" rcpt-to
>>> # allow outgoing mails
>>> accept from local for any relay
>>> #reject from ! source  sender "@mysite.com" for any
>>>
>>>
>>>
>>> both dovecot and smtpd reads passwd's from /etc/mail/passwd and only
>>> dovecot works, think its some kind of smtpd config that is wrong...
>>>
>>
>>Is the password encrypted properly?
>>
>>   In a listener context, the credentials are a mapping of username and
>> encrypted passwords:
>>
>>   user1  $2b$10$hIJ4QfMcp.90nJwKqGbKM.MybArjHOTpEtoTV.DgLYAiThuoYmTSe
>>   user2  $2b$10$bwSmUOBGcZGamIfRuXGTvuTo3VLbPG9k5yeKNMBtULBhksV5KdGsK
>>
>> The passwords are to be encrypted using the smtpctl(8) encrypt
>> subcommand.
>
> --
> Take Care Sincerely flipchan layerprox dev
>

This comes from the table(5) man page.

The file will be:
username encryptedpassword



Re: stop syslogd from opening port 514 UDP

2018-03-16 Thread trondd
On Fri, March 16, 2018 6:42 am, Torsten wrote:
> I know I could use PF as a workaround

Really?  I wouldn't consider blocking incoming connections to unused
ports by default to be a workaround, but a necessity.



Re: pflogd write /var/run/mypflogdinstance.pid?

2020-12-07 Thread trondd
Stuart Henderson  wrote:

> On 2020-12-07, Harald Dunkel  wrote:
> > About the PIDs: Maybe a systctl like
> >
> > kernel.pid_max = 4194303
> >
> > known from other OSes could help to reduce the risk for PID conflicts.
> 
> This doesn't help if you actually want reliability, rather than just
> "reliable most of the time".
> 
> There were also some concerns about what software would do with long
> PIDs - even on a very basic level that adds another couple of columns
> to top(1) output.
> 
> > If you store the PID files on a volatile file system, so you can be sure
> > they are gone on the next reboot, anyway.
> 
> /var/run is cleared at boot anyway - the problem is pid reuse during
> uptime of the system.
> 
> One can check that the new pid is owned by a process of the correct name
> - but then the problem returns, the process name doesn't have enough
> information to uniquely identify it. And if that is fixed there's no
> need to save the pid.
> 
> So if there's a problem to be fixed, it is to get the information into
> the other process string..

I think the user is looking for something like this.  Putting the interface
name in the process title.

Maybe this doesn't work for this use case or there is some other fallout.
And there may be other tweaks needed to support it, I don't have a dog in the
fight to go find them, though.

Tim.


Index: etc/rc.d/pflogd
===
RCS file: /cvs/src/etc/rc.d/pflogd,v
retrieving revision 1.3
diff -u -p -r1.3 pflogd
--- etc/rc.d/pflogd 11 Jan 2018 19:52:12 -  1.3
+++ etc/rc.d/pflogd 7 Dec 2020 18:08:23 -
@@ -6,7 +6,7 @@ daemon="/sbin/pflogd"
 
 . /etc/rc.d/rc.subr
 
-pexp="pflogd: \[priv\]"
+pexp="pflogd: \[priv\].*"
 
 rc_pre() {
if pfctl -si | grep -q Enabled; then
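Review bot: the widened pattern `pexp="pflogd: \[priv\].*"` is what keeps rc.subr's pgrep match working once the title carries the interface name, but it matches every pflogd instance alike, so an rc.d script for one of several instances would still find (and stop) all of them; if per-instance control is the goal, derive the pattern from the flags passed to the daemon (the `-i` value) rather than matching anything after `[priv]`.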
Index: sbin/pflogd/privsep.c
===
RCS file: /cvs/src/sbin/pflogd/privsep.c,v
retrieving revision 1.34
diff -u -p -r1.34 privsep.c
--- sbin/pflogd/privsep.c   27 Nov 2019 17:49:09 -  1.34
+++ sbin/pflogd/privsep.c   7 Dec 2020 18:08:45 -
@@ -131,7 +131,7 @@ priv_init(int Pflag, int argc, char *arg
signal(SIGINT,  sig_pass_to_chld);
signal(SIGQUIT, sig_pass_to_chld);
 
-   setproctitle("[priv]");
+   setproctitle("[priv] %s", interface);
 
if (unveil(_PATH_RESCONF, "r") == -1)
err(1, "unveil");
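Review bot: the hunk does not show where `interface` is declared or whether it is guaranteed non-NULL by the time priv_init() runs; if it can be NULL, the `%s` in `setproctitle("[priv] %s", interface);` renders as "(null)" in the process title and the rc.d pattern would still match it, hiding the problem. Confirm it is always set before priv_init() (or substitute the default interface name there), and note in the commit message that this change and the rc.d/pflogd pexp change must ship together.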



Re: pflogd write /var/run/mypflogdinstance.pid?

2020-12-13 Thread trondd
>> On 2020-12-13, Harald Dunkel  wrote:
> On 12/13/20 7:10 PM, Theo de Raadt wrote:
>>
>> And I'm suggesting the arguments should look like this:
>>
>>  pflogd: [priv] -s 160 -i pflog0 -f /var/log/pflog (pflogd)
>>  pflogd: [running] -s 160 -i pflog0 -f /var/log/pflog (pflogd)
>>
>> That might allow more accurate pkill targetting.
>>
>
> Wouldn't you admit that this appears to be very fragile? If I add
> some flags to the pflogd command line then I have to verify the
> pkill commands in newsyslog.conf again.

You can search the whole argument list, but you only have to match a
subset.  For log rotation that might be the logfile name.  But I would
think the interface name would generally be the most likely to be a unique
parameter.



Re: tc= in remote(5) example

2021-02-18 Thread trondd
On Thu, February 18, 2021 11:38 am, Jan Stary wrote:
> /etc/examples/remote contains the following stanzas:
>
>   unixhost:\
>   :br#9600:
>
>   cua00|For i386,macppc:\
>   :dv=/dev/cua00:tc=unixhost:
>
>   cuaa|For sparc:\
>   :dv=/dev/cuaa:tc=unixhost:
>
>
> The remote(5) manpage describes br, dc, dv
> but not tc, which seems to be used here as an include.
> Is it described elsewhere or is that an omission?
>
>   Jan
>

References are at the top of the example file.  The most complete
description of tc is probably in cgetcap(3).



Re: Not possible to sysupgrade via snapshots right now?

2021-05-08 Thread trondd
On Sat, May 8, 2021 7:58 pm, Scott Vanderbilt wrote:
> Apologies if this is a question to which there is an obvious answer, but
> I could not find one in the sysupgrade man page,

What is sysupgrade trying to do?  What do you want it to do?

No?  Read it again.  It's not that long.



Re: Not possible to sysupgrade via snapshots right now?

2021-05-08 Thread trondd
On Sat, May 8, 2021 9:04 pm, trondd wrote:
> On Sat, May 8, 2021 7:58 pm, Scott Vanderbilt wrote:
>> Apologies if this is a question to which there is an obvious answer, but
>> I could not find one in the sysupgrade man page,
>
> What is sysupgrade trying to do?  What do you want it to do?
>
> No?  Read it again.  It's not that long.
>

That got sent before I was ready. :(

Reread the man page, is what I was referring to.



Re: Not possible to sysupgrade via snapshots right now?

2021-05-08 Thread trondd
On Sat, May 8, 2021 9:19 pm, Scott Vanderbilt wrote:
> On 5/8/2021 6:04 PM, trondd wrote:
>> On Sat, May 8, 2021 7:58 pm, Scott Vanderbilt wrote:
>>> Apologies if this is a question to which there is an obvious answer,
>>> but
>>> I could not find one in the sysupgrade man page,
>>
>> What is sysupgrade trying to do?  What do you want it to do?
>>
>> No?  Read it again.  It's not that long.
>>
>
> Another responder politely pointed out I needed to add the -s switch,
> which in fact eliminated the error.
>
> But your reply seems to imply I'm doing something unreasonable.
> I looked at the -s switch in the man page, where it says:
>
> -s      Upgrade to a snapshot. This is the default if the system
>         is currently running a snapshot.
>
> I thus disregarded this switch for two reasons:
>
> (1) As I am already running a snapshot (6.9-current as stated in my
> original post), I concluded that the switch would effectively be a NOOP
> since it specifically says it's the _default behavior_ under these
> circumstances.
>
> (2) I've used sysupgrade without the -s switch for years and it's always
> worked fine.
>
> What is not clear or explained anywhere that I can find is why it
> behaves differently right now. Notwithstanding your suggestion, reading
> the man page more than once does not make the answer magically appear.
>

Probably too late now, but what did `sysctl kern.version` actually show?

If you were still in the period after -beta and before switching back to
-current, the system will be detected as a release version.



Re: How to set a HTTP proxy for sysupgrade

2021-06-30 Thread trondd
On Wed, June 30, 2021 5:28 am, Raimo Niskanen wrote:
> Hello list!
>
> I just upgraded one of our lab machines from 6.8 to 6.9
> (amd64), and our lab environment is closed to the Internet,
> so using an HTTP proxy is required to reach out.
>
> I have set http_proxy, ftp_proxy and https_proxy in
> /etc/login.conf, the default class, but it is apparently
> not used by rc.firstboot after sysupgrade.
>
> With the new installer in 6.9 rc.firstboot seems to be
> a background process that hangs because of this, so when I
> logged in as root after remote upgrade I resolved the stalemate
> by first killing an ftp job serving fw_update, then a similar
> download job serving syspatch, and waited until the not updated
> kernel was relinked.
> Then I could run fw_update and syspatch manually.
>
> Is there a better / proper way to set a HTTP/HTTPS proxy
> for sysupgrade?
>
> Cheers
> --
>
> / Raimo Niskanen, Erlang/OTP, Ericsson AB
>

I simply echo the export statements of the proxy environment variables to
/etc/rc.firsttime before reboot. The installer will always append to the
file so fw_update will be added after the variables are exported.

The ftp process will timeout in, I think, 5 minutes.  That is a long time,
but you're not going to be hung there forever.

Tim.



Re: How to set a HTTP proxy for sysupgrade

2021-07-01 Thread trondd
On Thu, July 1, 2021 4:25 am, Raimo Niskanen wrote:
> On Wed, Jun 30, 2021 at 09:23:15PM -0400, trondd wrote:
>>
>> I simply echo the export statements of the proxy environment variables
>> to
>> /etc/rc.firsttime before reboot. The installer will always append to the
>> file so fw_update will be added after the variables are exported.
>
> I will try to remember to do that the next time.
> Thanks for the hint!
>
> Would that be a welcome addition to the installer to do this
> automatically?
>
>

The installer can't do it.  Sysupgrade pulls the sets down and so the
automated installation does not use the network.  It won't know if there
is a proxy configuration to pass to rc.firsttime.

I suppose sysupgrade can check the environment for the variables and write
them out to rc.firsttime if they are set.

I just have a wrapper script because I also have internally hosted site
tarballs that need the proxy disabled to access so it was just easier to
have my own script to enable and disable the proxy as needed for the steps
I need to take.  I suppose that's why I never thought to try modifying
sysupgrade.  In my environment, I would still need the script regardless.

Tim.
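The rc.firsttime trick from the two replies above, scripted as an added example (not code from the original posts): it appends an export line for each proxy variable that is actually set, before the installer appends its own fw_update and syspatch lines. The file path is a parameter so it can be tried on a scratch file; on a real system it would be /etc/rc.firsttime.

```shell
#!/bin/sh
# Added example, not part of the original reply. Assumes the stock
# /etc/rc.firsttime mechanism described in the thread: the installer appends
# its commands to the file, so exports written earlier precede them.

write_proxy_exports() {
    # $1 = path of the rc.firsttime file to append to
    target=$1
    for name in http_proxy https_proxy ftp_proxy; do
        eval "value=\${$name:-}"        # read the variable whose name is in $name
        [ -n "$value" ] || continue     # only variables that are set get written
        # escape single quotes, then quote the value: the file is run as root at
        # boot, so nothing from the environment may be re-interpreted by the shell
        value=$(printf '%s' "$value" | sed "s/'/'\\\\''/g")
        printf "export %s='%s'\n" "$name" "$value" >> "$target"
    done
}

proxy_export_count() {
    # $1 = rc.firsttime path; prints how many proxy export lines it holds
    grep -c "^export [a-z]*_proxy='" "$1"
}

# usage before running sysupgrade (real path, needs root):
#   write_proxy_exports /etc/rc.firsttime
```

Run it from a root shell right before sysupgrade; it adds nothing when no proxy variable is set, so it is harmless in a wrapper script that is also used on directly connected hosts.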



Re: Core Dev?

2018-12-04 Thread trondd
On Tue, December 4, 2018 6:50 am, Ahmad Bilal wrote:
>
> @Marc: Thanks for the information, but based on what you said, what would
> you consider as 'official' then? Just curious.
>

Let go of this concept.  These are your systems.  You're the only
official.  If you want to build an AMI for AWS, you have to understand how
that process works then looking at Antoine's scripts to see if that is
what they do is trivial.  If you want security, you have to know what that
means.  "Official" or not is irrelevant.  You can't avoid your own due
diligence by passing that responsibility onto some imagined authority.

> And no, I'm not on OpenBSD at all 'yet'. I was basically on CentOS for a
> long time. Then recently shifted to FreeBSD, and I'm considering to use
> OpenBSD now (and for foreseeable future)
>

If you're new to OpenBSD, that's great.  But that means you shouldn't be
running anything mission critical on OpenBSD if you don't know much about
it yet.  In which case, experiment.  Run whatever looks reasonably like it
might be good and see what it does.  If it makes a mess, blow it away and
start over.  Read the man pages for the commands a script runs.  Ask
specific questions if it gets down in the weeds and you can't figure out
what something is doing.  There is absolutely no difference in what's
"official" or not.  Stuff works, and is good, or it isn't.  You have to
learn the difference.



Re: procmail and new grammar in smtpd.conf

2018-12-05 Thread trondd
On Wed, December 5, 2018 6:22 am, Eda Sky wrote:
>
> the original rule is
>
> accept from any for domain "example.com" alias  deliver to mda
> "/usr/local/bin/procmail -f -"
>
> I do not know how to write new rules.
> Everything I'm trying to do ends with syntax error.
>

What have you tried?



Re: relayd: Layer 7 proxy: forward failed

2018-12-07 Thread trondd
On Thu, December 6, 2018 12:04 pm, Leo Unglaub wrote:
> Hi,
> i am trying to use relayd as an outbound proxy. I am following the
> manual page and also the book "Httpd and Relayd Mastery". I did this on
> the latest release 6.4 and also on the latest snapshot to make sure this
> was not already fixed somewhere. I am on amd64.
>
> My relayd config looks like this:
>
>> # cat /etc/relayd.conf
>> relay "proxy" {
>> listen on 127.0.0.1 port 8080
>> forward to destination
>> }
>>
>> relay "proxy2" {
>> listen on 192.168.0.19 port 9090
>> forward to destination
>> }
>
>
> I use this command to open up a connection from a different host in the
> network:
>
>> $ curl -i -x 192.168.0.19:9090 openbsd.org
>
> I used the following command when i am on the same host:
>
>> $ curl -i -x 127.0.0.1:8080 openbsd.org
>

I don't have the time to set this up to test, so just throwing ideas out.

Doesn't this set up a transparent relay?  Should you be configuring a
proxy with curl in this case?  Did you try it without?

>
> I get the same error every time:
>> # relayd -df /etc/relayd.conf
>> startup
>> pfe: filter init done
>> socket_rlimit: max open files 1024
>> socket_rlimit: max open files 1024
>> socket_rlimit: max open files 1024
>> socket_rlimit: max open files 1024
>> parent_tls_ticket_rekey: rekeying tickets
>> relay_privinit: adding relay proxy
>> protocol -1: name default
>> flags: used, relay flags: divert
>> tls session tickets: disabled
>> type: tcp
>> relay_privinit: adding relay proxy2
>> protocol -1: name default
>> flags: used, relay flags: divert
>> tls session tickets: disabled
>> type: tcp
>> init_tables: created 0 tables
>> relay_launch: running relay proxy
>> relay_launch: running relay proxy
>> relay_launch: running relay proxy2
>> relay_launch: running relay proxy
>> relay_launch: running relay proxy2
>> relay_launch: running relay proxy2
>> relay_connect: session 1: forward failed: Operation not permitted
>> relay_close: sessions inflight decremented, now 0
>
>
> I used the following addition to the default pf.conf.
>> pass in on egress inet proto tcp to port 80 divert-to 127.0.0.1 port
>> 8080
>

If you're connecting from inside the network, is 'in on egress' the
correct interface here?


>
>
> Is this a bug in my setup or a problem with relayd?
>
> I also tried the entire config from the book "Httpd and Relayd Mastery"
> and even when i type it down 1 by 1 i get the same error.
>
> Thanks and greetings
> Leo
>



Re: apu2 em0/dhclient problems

2019-01-27 Thread trondd
On Sun, January 27, 2019 12:44 pm, Edgar Pettijohn wrote:
> I'm trying to replace my dying soekris box with an apu2 dmesg below.
> However, I can't seem to get em0 to connect to my isp. It will work
> when connecting to the soekris box though. So I don't think it's the
> interface that is the problem. But everything I try seems to rule out
> each other as the problem, leaving me in a vicious cycle.
>
> I'm going to try disabling pf and after that current. If you have
> any other suggestions please send them.
>
> Thanks,
>
> edgar

Does your ISP whitelist by MAC address?



Re: Use xenodm like startx?

2019-01-30 Thread trondd
On Wed, January 30, 2019 8:02 pm, John Ankarström wrote:
> Hi,
>
> I just got OpenBSD installed on my new laptop, and so far, it works great.
> But since I applied the latest X11 patch, I can no longer use startx to
> launch X11, unless I do it as root, which probably isn't a good idea.
> Seems like I have to use xenodm.
>
> The thing is, xenodm is so complicated in comparison to a simple .xinitrc
> + startx. There are so many files I need to set up that I hardly know
> where to begin.
>
> I don't want a login screen, I don't want X11 to launch at startup. I
> just want to start X manually from a simple .xinitrc. Surely I can't be
> alone.
>
> Any ideas or tips?
>
> Best regards
> John
>

It's not really that complicated.  The bare minimum is to copy your
.xinitrc to .xsession and then just run xenodm on demand with doas.  All
the configs already exist in /etc/X11/xenodm.  Nothing requires you to run
it at startup.

Here's what I've done:
Copy your .xinitrc to .xsession

Copy (or modify in place) /etc/X11/xenodm/xenodm-config to $HOME

Edit xenodm-config and add
DisplayManager*autoLogin:  yourusername

Comment out the call to Xsetup so you don't get the xconsole window
!DisplayManager._0.setup: /etc/X11/xenodm/Xsetup_0

Then you can alias it to run it on demand.  Alias to startx if you want.
alias xenodm='doas xenodm -config /home/myusername/xenodm-config'


Only thing I never figured out is how to make X and xenodm shutdown when I
exit my window manager.
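The file edits listed in the reply above, scripted as an added example (not code from the original post). It assumes the stock /etc/X11/xenodm/xenodm-config resource layout; sample_config is a constructed, trimmed stand-in for that file, and all paths are parameters so the functions can be exercised on scratch files.

```shell
#!/bin/sh
# Added example, not part of the original reply.

make_user_xenodm_config() {
    # $1 = system xenodm-config, $2 = per-user copy to write, $3 = user name
    src=$1 dst=$2 user=$3
    # X resource comments start with '!': prefix the Xsetup_0 hook with it
    # (that hook is what opens the xconsole window), then add the autoLogin
    # resource so xenodm logs $user in without a greeter
    sed -e 's|^\(DisplayManager\._0\.setup:\)|!\1|' "$src" > "$dst" || return 1
    printf 'DisplayManager*autoLogin:   %s\n' "$user" >> "$dst" || return 1
    # doas runs xenodm as root with this file, so keep it writable only by its owner
    chmod 0644 "$dst"
}

install_xsession() {
    # $1 = existing .xinitrc, $2 = .xsession to create (xenodm runs .xsession)
    [ -e "$2" ] || cp "$1" "$2"
}

sample_config() {
    # constructed, trimmed stand-in for /etc/X11/xenodm/xenodm-config
    cat <<'EOF'
DisplayManager.errorLogFile:    /var/log/xenodm.log
DisplayManager._0.setup:        /etc/X11/xenodm/Xsetup_0
DisplayManager._0.startup:      /etc/X11/xenodm/GiveConsole
EOF
}

# usage on a real system, matching the reply's alias:
#   install_xsession "$HOME/.xinitrc" "$HOME/.xsession"
#   make_user_xenodm_config /etc/X11/xenodm/xenodm-config "$HOME/xenodm-config" "$USER"
#   doas xenodm -config "$HOME/xenodm-config"
```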



Re: Use xenodm like startx?

2019-01-31 Thread trondd
On Thu, January 31, 2019 7:35 am, Bruno Flueckiger wrote:
>
> Add the following line to /etc/X11/xenodm/xenodm-config:
>
> DisplayManager.*.terminateServer: true
>
> Cheers,
> Bruno
>

That doesn't work how you think it does.  It does shut down the X server
after quitting a window manager but then xenodm will restart X and log you
right back in.  That option is there to prevent resource leaks between X
sessions.

Tim.



Re: Use xenodm like startx?

2019-01-31 Thread trondd
On Thu, January 31, 2019 5:57 am, John Ankarström wrote:
>
>> Only thing I never figured out is how to make X and xenodm shutdown when
>> I
>> exit my window manager.
>
> This too makes me feel like xenodm is far too complex for what I want.
>

It's not an issue of complexity.  It's a different tool that does a
different thing.  Bending it to work like something it's not will
inherently have caveats.

The thing is, what we had before was a trivial privilege escalation. 
Sometimes you just have to adapt a little and you can benefit greatly from
improvements.

Tim.



Re: Activating second crypted (or other raid) device

2019-05-05 Thread trondd
On Sun, May 5, 2019 3:57 pm, cho...@jtan.com wrote:
> Thomas Frohwein writes:
>> On Sun, May 05, 2019 at 08:57:55PM +0300, cho...@jtan.com wrote:
>> [...]
>> > Currently after every upgrade I patch /etc/rc to run /etc/rc.blockdev
>> > (containing bioctl -cC -p /etc/sd0.key -l sd0a softraid0) before the
>> > additional filesystems are checked or mounted.
>>
>>
> The problem with rc.local is that it's not executed until after fsck and
> mount have parsed /etc/fstab (or /etc/fstab has been parsed for them;
> whatever). If they do this before sd3 exists they at worst abort and at
> best don't perform their desired function on the previously-encrypted
> block device (ie. the plaintext block device is not scanned and mounted
> automagically and my computer boots without a /srv).
>

>
> My goals are:
>
>   * /etc/rc already handles fsck of plaintext devices mentioned in
> /etc/fstab.
>   * /etc/rc already handles mount of plaintext devices mentioned in
> /etc/fstab.
>   * I would like to activate an encrypted/RAIDed device before /etc/rc
> performs
> either of those (so that code somebody else has written can do them
> for me).
>   * /etc/rc.local is called too late.
>

It's really not that big of a deal to call 'fsck' and 'mount' yourself in
rc.local.

Unless you have system data on /srv (which would be its own inconsistency
with a standard system) needed during rc.

In fstab, I set the RAID partition to noauto and disable automatic fsck. 
Then in rc.local call 'bioctl blah && fsck UUID.partition && mount /srv'

I use a password so it's interactive for me and I see if anything goes
wrong.  Log a message with 'logger' or send an email or whatever if
something fails for your situation.  Then you're done dealing with this.
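A concrete rc.local version of the sequence described in this reply, added here as an example and not the poster's own script. It assumes the crypto volume is built from sd0a, that the decrypted partition is identified by a placeholder DUID, and that the mount point is /srv; the command paths are variables only so the failure path can be exercised with stubs.

```shell
#!/bin/sh
# Added example for /etc/rc.local (not the poster's script). Assumed setup:
# the CRYPTO volume is built from sd0a and its "a" partition holds /srv.
# The matching /etc/fstab line (DUID is a placeholder, see disklabel(8)):
#   0123456789abcdef.a /srv ffs rw,nodev,nosuid,noauto 1 0
# "noauto" keeps rc(8) from mounting it and pass number 0 skips the
# automatic fsck, so both happen here once the volume is attached.

CRYPTO_CHUNK="sd0a"                 # partition that holds the crypto volume
SRV_DEV="0123456789abcdef.a"        # DUID.partition of the decrypted volume (placeholder)
SRV_MNT="/srv"

# Command paths are variables so the failure paths can be tested with stubs.
BIOCTL="${BIOCTL:-/sbin/bioctl}"
FSCK="${FSCK:-/sbin/fsck}"
MOUNT="${MOUNT:-/sbin/mount}"
LOGGER="${LOGGER:-/usr/bin/logger}"

# activate_srv: attach the volume (bioctl prompts for the passphrase on the
# console), check the filesystem, then mount it. Each step runs only if the
# previous one succeeded; the first failure is logged and a distinct
# non-zero status returned, so a bad volume is never mounted and the rest
# of rc.local still runs.
activate_srv() {
    if ! "$BIOCTL" -c C -l "$CRYPTO_CHUNK" softraid0; then
        "$LOGGER" -t rc.local "bioctl failed for $CRYPTO_CHUNK, $SRV_MNT not mounted"
        return 1
    fi
    if ! "$FSCK" -p "$SRV_DEV"; then
        "$LOGGER" -t rc.local "fsck failed for $SRV_DEV, $SRV_MNT not mounted"
        return 2
    fi
    if ! "$MOUNT" "$SRV_MNT"; then
        "$LOGGER" -t rc.local "mount of $SRV_MNT failed"
        return 3
    fi
    "$LOGGER" -t rc.local "$SRV_MNT mounted"
    return 0
}

# In rc.local the call is simply:
#   activate_srv
```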



Re: Duplicity & /etc/daily.local

2019-05-20 Thread trondd
On Mon, May 20, 2019 5:50 pm, Noth wrote:
> Hi misc@,
>
>
>  I'm trying to run daily backups to an sftp server for various VMs and
> devices on my network, and want to use /etc/daily.local for this. I'm
> calling this script from the daily.local file:
>
> env 'GNUPG="/usr/local/bin/gpg" PASSPHRASE="mypassword"'
> /root/duplicity-hostname.sh
>
> but unfortunately duplicity can't find gnupg
>

I don't use duplicity anymore but is the GNUPG environment variable even a
thing?  Their manpage doesn't mention it but does specify a --gpg-binary
commandline argument.

http://duplicity.nongnu.org/duplicity.1.html

You'll also need to be sure gpg is looking in the right place for the
keyrings.



Re: xenocara build on fresh install

2016-09-10 Thread trondd
On Sat, September 10, 2016 4:14 pm, Stephen Trotter wrote:
> hi, I am just curious if the defaults (namely the disk sizes) are supposed
> to be sufficient for building xenocara after a fresh install.
>
> i attempted to do so following release(8) and it ended unsuccessfully due
> to the drive/filesystem being full.
>
> (it does seem to have almost finished, by the way)
>
> All I have done else in the system is pulling source and making according
> to the faq5 page.  This is after skipping the "release" part and moving on
> to building xenocara.
>
> Let me know what else i need to include for assist.
>

No.  Generally users are encouraged to use snapshots and packages and not
build things themselves so the auto-partitioning mostly assumes that.  The
problem is that since the auto-partitioning layout doesn't include
separate /usr/xenocara or /usr/xobj partitions, it all goes into /usr
which is allocated a max of 2G and probably not enough inodes.

See disklabel(8).

If you have a giant /home left over, carve out a /usr/xenocara and a
/usr/xobj for yourself.  I gave each 5G and am using ~15% of each.  To
give you an idea.

Tim.



Re: Looking for a way to deal with unwanted HTTP requests using mod_perl

2016-09-28 Thread trondd
On Wed, September 28, 2016 1:20 pm, Chris Bennett wrote:
>
> Right now I am using a simple script from the error log to block
> permanently any requests from that IP using OpenBSD pf.
>
> That simply doesn't work well enough anymore due to the time lag between
> 20+ requests at once getting to the log file.

I use a combination of overload in pf with a bruteforce table and log
parsing.  I don't currently do the log parsing in real time.  You could
use your own script or something like fail2ban for that.  The combination
will quickly lock out rapid connection attempts, while eventually also
getting the slow pokes.

> Plus, I
> occasionally screw up and block my own IP address so I keep an SSH
> session open before experimenting.
>

Create a "safe" table in pf and put your often used IPs in it (assuming
they are static enough for this) and match that before you check the
bruteforce table.  Also, your rules and tables for ssh can be different
than that of the web server.  No reason for accidentally going to a bad
URL to lock you out of ssh.

Tim.
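The log-parsing half of the approach in this reply, added here as an example that is not from the thread: it counts 404s per client IP, skips a "safe" list of your own addresses, and adds the rest to the pf table the overload rule also feeds. The table names, the safe addresses, the threshold and the combined-format sample log are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the log-parsing half of the approach
# above, run from cron against the web log. It counts 404s per client IP,
# skips addresses in a "safe" list, and adds the rest to the pf table that
# the overload rule also feeds. Assumed pf.conf side (the tables must exist):
#   table <safe> persist
#   table <bruteforce> persist
#   block in quick from <bruteforce>
# with the <safe> table matched (pass ... quick) before that block rule.
# Log format is assumed to be combined format with the client IP first.

SAFE_IPS="203.0.113.10 198.51.100.5"   # your own static addresses (example values)
THRESHOLD=20                           # 404s from one IP before it is blocked
PF_TABLE="bruteforce"

# offenders: read log lines on stdin, print one IP per line that produced
# at least THRESHOLD 404 responses and is not listed in SAFE_IPS.
offenders() {
    awk -v thr="$THRESHOLD" -v safe="$SAFE_IPS" '
        BEGIN { n = split(safe, s, " "); for (i = 1; i <= n; i++) keep[s[i]] = 1 }
        $9 == 404 { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= thr && !(ip in keep)) print ip }
    ' | sort
}

# block_offenders: feed the log on stdin through offenders and add the
# result to PF_TABLE. With DRY_RUN set, print the pfctl command instead.
block_offenders() {
    ips=$(offenders | tr '\n' ' ')
    ips=${ips% }                       # drop the trailing space
    [ -n "$ips" ] || return 0          # nothing to block this run
    if [ -n "${DRY_RUN:-}" ]; then
        echo "pfctl -t $PF_TABLE -T add $ips"
    else
        pfctl -t "$PF_TABLE" -T add $ips   # unquoted: one argument per IP
    fi
}

# sample_log: constructed log lines for a demo run. 192.0.2.7 and the safe
# address 203.0.113.10 each produce 25 404s; 198.51.100.200 gets a 200.
sample_log() {
    i=0
    while [ "$i" -lt 25 ]; do
        echo '192.0.2.7 - - [28/Sep/2016:13:20:01 +0000] "GET /missing-1 HTTP/1.1" 404 0 "-" "-"'
        echo '203.0.113.10 - - [28/Sep/2016:13:20:02 +0000] "GET /missing-2 HTTP/1.1" 404 0 "-" "-"'
        i=$((i + 1))
    done
    echo '198.51.100.200 - - [28/Sep/2016:13:21:00 +0000] "GET / HTTP/1.1" 200 512 "-" "-"'
}

# Typical cron use: block_offenders < /var/www/logs/access.log
```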



Re: Is using relayd to block unwanted HTTP requests, with only having one server a good idea?

2016-10-01 Thread trondd
On Sat, October 1, 2016 12:00 pm, Chris Bennett wrote:
> I like what I see in the FILTER RULES of relayd.
> I just want to be able to add new filters as needed when seen in http
> error_log.
> But I only have one server. And I use SSL for two sites. And multiple
> virtual hosts on each IP.
> Would I then forward to a new local port such as 127.0.0.1:34567 for the
> good requests, just block bad requests and do nothing at all for good
> requests?
>
> Or is this not a good solution?
> I'm not in a rush, but getting some experience and knowledge in tools
> I'm not using is a plus.
> I very much like the idea of removal before reaching the webserver.
>
> Thanks,
> Chris Bennett
>

I haven't used relayd to block, but experimented with a fairly complicated
setup just as a proxy using the match rules.

One shortcoming you might run into in your usecase is that relayd only
supports one cert/key per listening port.  So if you have relayd on 443
and multiple domains behind it, all of those domains have to be in that
one cert.

I don't know that you can dynamically update the match rules, either.  Not
without modifying the conf file and reloading.  Be careful with this
anyway.  You don't want to start blocking because someone's iOS device
gets a 404 on an apple-touch-icon not present on a site.

Tim.



Re: Multiple web servers behind NAT

2016-10-05 Thread trondd
On Wed, October 5, 2016 8:43 am, Radek wrote:
> Yes, my servers share the same ext IP.
> It is 5.9. I am trying to configure relayd. I commented out previous
> "rdr-to" rules from /etc/pf.conf and added as below.
> 10.0.30.101, 10.0.30.201 - it is not a mistake - ( 10.0.8.11, 10.0.8.22
> was just an exemplary IP)
> All websites are unreachable now.
>
> #grep relayd /etc/pf.conf
> anchor "relayd/*"
>
> #relayd -n
> configuration OK
>
> #cat /etc/relayd.conf
> ext_addr="msk0"
> host1="10.0.30.101"
> host2="10.0.30.201"
>
> table  { $host1 }
> table  { $host2 }
>
> http protocol "web_one" {
>return error
>pass
>match request header "Host" value "1.domain.com" forward to 

I think you need "pass request header..."

> }
>
> http protocol "web_two" {
>return error
>pass
>match request header "Host" value "4.domain.com" forward to 
> }

You should combine the two protocols into one.  You can have multiple pass
lines.  Last match wins, unless you use "quick".  You can define a default
that way.

>
> relay relay_one {
>listen on $ext_addr port 80
>protocol "web_one"
>forward to  check tcp port 80
> }
>
> relay relay_two {
>listen on $ext_addr port 80
>protocol "web_two"
>forward to  check tcp port 80
> }

You should have only one relay defined, you can't have two things
listening on the same port.  Just put the two "forward to" lines in the
same relay block.


>
> #/etc/rc.d/relayd -df restart
> doing _rc_parse_conf
> doing _rc_quirks
> relayd_flags empty, using default ><
> doing _rc_read_runfile
> doing _rc_parse_conf
> doing _rc_quirks
> relayd_flags empty, using default ><
> doing _rc_read_runfile
> doing rc_check
> relayd
> doing rc_stop
> doing _rc_wait stop
> doing rc_check
> doing rc_check
> doing _rc_rm_runfile
> (ok)
> doing _rc_parse_conf
> doing _rc_quirks
> relayd_flags empty, using default ><
> doing _rc_read_runfile
> doing rc_check
> relayd
> doing rc_pre
> configuration OK
> doing rc_start
> doing _rc_wait start
> doing rc_check
> doing _rc_write_runfile
> (ok)
>

relayctl is your friend here.  See if the relays are actually up:
'relayctl show relays' and 'relayctl show summary'



Re: Multiple web servers behind NAT

2016-10-10 Thread trondd
On Mon, October 10, 2016 6:01 am, Radek wrote:
>
> The second thing to do is enabling wesites' SSL/TLS certs.
> Each website has its own certificate on its server. I suppose that I have
> to configure man-in-the-middle "TLS inspecion" mode to enable TLS
> connection using these certs again.
> Am I right?
>

No.  TLS inspection doesn't work that way.  It's for LAN systems
connecting out through the relayd server to sites on the internet.  It
doesn't work in the other direction.  You would have needed to use
'forward to destination' in place of 'forward to ' but that
original destination will be the relayd machine again as it's IP based,
not domain name based.

You need one certificate that matches all of your web site hostnames and
configure relayd as a TLS server as you had it.

Tim.

> I did the following conf:
>
> #grep divert /etc/pf.conf
> pass in on $ext_if inet proto tcp to port 443 divert-to localhost port
> 8443
>
> #openssl req -x509 -days 365 -newkey rsa:2048 -keyout
> /etc/ssl/private/ca.key -out /etc/ssl/ca.crt
> #openssl req -nodes -x509 -days 365 -newkey rsa:2048 -keyout
> /etc/ssl/private/127.0.0.1.key -out /etc/ssl/127.0.0.1.crt
>
> #ls -la /etc/ssl/*.crt
> -rwxr-x---  1 root  _relayd  1298 Oct 10 09:29 /etc/ssl/127.0.0.1.crt
> -rwxr-x---  1 root  _relayd  1371 Oct  6 13:11 /etc/ssl/ca.crt
>
> #ls -la /etc/ssl/private/*.key
> -rwxr-x---  1 root  _relayd  1704 Oct 10 09:29
> /etc/ssl/private/127.0.0.1.key
> -rwxr-x---  1 root  _relayd  1858 Oct  6 13:11 /etc/ssl/private/ca.key
>
> #cat /etc/relayd.conf
> ext_addr="msk0"
> host1="10.0.30.101"
> host2="10.0.30.201"
>
> table  { $host1 }
> table  { $host2 }
>
> http protocol "web_one" {
>return error
>pass request header "Host" value "1.domain.com" forward to 
>pass request header "Host" value "2.domain.com" forward to 
>pass request header "Host" value "3.domain.com" forward to 
>
>pass request header "Host" value "4.domain.com" forward to 
>pass request header "Host" value "5.domain.com" forward to 
>pass request header "Host" value "6.domain.com" forward to 
> }
>
> http protocol "web_tls" {
>return error
>pass request header "Host" value "1.domain.com" forward to 
>pass request header "Host" value "2.domain.com" forward to 
>pass request header "Host" value "3.domain.com" forward to 
>
>pass request header "Host" value "4.domain.com" forward to 
>pass request header "Host" value "5.domain.com" forward to 
>pass request header "Host" value "6.domain.com" forward to 
>tls tlsv1
>tls ca key "/etc/ssl/private/ca.key" password "somepasshere"
>tls ca cert "/etc/ssl/ca.crt"
> }
>
> relay relay_one {
>listen on $ext_addr port 80
>protocol "web_one"
>forward to  check tcp port 80
>forward to  check tcp port 80
> }
>
> relay relay_tls {
>listen on 127.0.0.1 port 8443 tls
>protocol "web_tls"
>forward with tls to  check tcp port 443
>forward with tls to  check tcp port 443
> }
>
>
> #relayctl show relays
> Id  Type    Name         Avlblty  Status
> 1   relay   relay_one             active
> 2   relay   relay_tls             active
>
> #relayctl show summary
> Id  Type    Name         Avlblty  Status
> 1   relay   relay_one             active
> 1   table   www_101:80            active (1 hosts)
> 1   host    10.0.30.101  100.00%  up
> 2   table   www_201:80            active (1 hosts)
> 2   host    10.0.30.201  100.00%  up
> 2   relay   relay_tls             active
> 3   table   www_101:443           active (1 hosts)
> 3   host    10.0.30.101  100.00%  up
> 4   table   www_201:443           active (1 hosts)
> 4   host    10.0.30.201  100.00%  up
>
> Websites (https://4.domain, https://5.domain, https://6.domain) started to
> show the content of 1.domain.com
>
> If I changed the order of "forward" websites (https://1.domain,
> https://2.domain, https://3.domain) started to show content of
> 4.domain.com
>
> relay relay_tls {
>listen on 127.0.0.1 port 8443 tls
>protocol "web_tls"
>forward with tls to  check tcp port 443
>forward with tls to  check tcp port 443
> }
>
> All domains use relay_machine's certificate instead of the specific
> domain's cert.
>
> What am I doing wrong?



Re: Multiple web servers behind NAT

2016-10-12 Thread trondd
On Wed, October 12, 2016 1:38 am, Florian Ermisch wrote:
>
> So relayd doesn't support SNI yet?
> Not that SNI and having a cert for each
> site on the relay covers the usecase but
> httpd does support SNI, right?
>
> Regards, Florian
>

I think you are correct.  I think SNI was added to libtls and httpd around
mid August.  No one implemented it in relayd.  Though it's possible that I
just missed it.

Tim.



Re: An AR9280 as an Access Point

2016-10-12 Thread trondd
On Tue, October 11, 2016 12:04 pm, physkets wrote:
> Hello!
>
> I'd asked a related question on the OpenBSD subreddit, and someone
> pointed me here. Hope this is appropriate.
> https://www.reddit.com/r/openbsd/comments/56lzhu/which_wifi_card_to_make_an_access_point
>
> Does anyone know how good a WiFi Access Point I could make of the
> Atheros AR9280 card (Compex-wle200nx) offered by the guys at PC Engines:
> http://www.pcengines.ch/wle200nx.htm
>
> Thanks a lot!
>

I have an AR9285 I've had as an AP for 2 years.  Bought off Amazon.  Has
worked fine for my usage.  I have a max of 3 wireless devices in use at a
time and it's fast enough.

Tim.



Re: relayd.conf error

2016-10-15 Thread trondd
On Sat, October 15, 2016 10:47 am, Ali H. Fardan wrote:
> Hey misc@, I'm having issues with relayd.conf. this is the error I get
> when I try to run relayd:
>
>
> # rcctl -df start relayd
> doing _rc_parse_conf
> doing _rc_quirks
> relayd_flags empty, using default ><
> doing _rc_parse_conf /var/run/rc.d/relayd
> doing _rc_quirks
> doing rc_check
> relayd
> doing rc_pre
> host_dns: chat.freenode.net resolves to more than 1 hosts
> host_dns: irc.oftc.net resolves to more than 1 hosts
> /etc/relayd.conf:11: syntax error
> /etc/relayd.conf:12: protocol irctls defined twice
> /etc/relayd.conf:17: syntax error
> /etc/relayd.conf:18: protocol irctls defined twice
> /etc/relayd.conf:23: syntax error
> /etc/relayd.conf:24: protocol irctls defined twice
> /etc/relayd.conf:31: syntax error
> no actions, nothing to do
> doing _rc_rm_runfile
> (failed)
> #
>
>
> using this config:
>
>
> # cat /etc/relayd.conf
> protocol "irctls" {
>  tcp { nodelay, sack }
> }
>
> table { chat.freenode.net }
> table { irc.oftc.net }
> table{ irc.swepipe.se }
> table { irc.krustykrab.restaurant }
>
> relay "freenode" {
>  listen 127.0.0.1 port 7000
>  protocol "irctls"
>  forward with tls to  port 6697
> }
>
> relay "oftc" {
>  listen 127.0.0.1 port 7001
>  protocol "irctls"
>  forward with tls to  port 6697
> }
>
> relay "efnet" {
>  listen 127.0.0.1 port 7002
>  protocol "irctls"
>  forward with tls to  port 6697
> }
>
> relay "volatile" {
>  listen on 127.0.0.1 port 7003
>  protocol "irctls"
>  forward with tls to  6697
> }
> #
>
>
> by the way, this config used to work the last time I tried it on my
> last server, not this though, have relayd.conf syntax change in last
> update?
>

Re-check your config like the errors say.  You're not consistently using
the correct syntax.

This has an error:
listen 127.0.0.1 port 7000
This does not:
listen on 127.0.0.1 port 7003

This has an error:
forward with tls to  6697
The rest of your forward to lines do not.


Tim.



Re: vmm: panic: root filesystem has size 0

2016-11-03 Thread trondd
On Thu, November 3, 2016 3:45 pm, Patrik Lundin wrote:
> Hello,
>
> I am trying to start a VMM guest based on the example commands in vmctl(8)
> without luck. The guest is panicking like so:
> ===
> panic: root filesystem has size 0
> ===
>
> Here are the commands I use:
> ===
> # vmctl create disk.img -s 4.5G
> vmctl: imagefile created
>
> # ls -lh disk.img
> -rw---  1 root  wheel   4.5G Nov  3 20:24 disk.img
>
> # vmctl start "myvm" -m 512M -i 1 -d disk.img -k /bsd -c
> Connected to /dev/ttyp4 (speed 9600)


You actually have to install OpenBSD into that image.  Try -k /bsd.rd first.


>
> [ using 1220352 bytes of bsd ELF symbol table ]
> Copyright (c) 1982, 1986, 1989, 1991, 1993
> The Regents of the University of California.  All rights reserved.
> Copyright (c) 1995-2016 OpenBSD. All rights reserved.
> https://www.OpenBSD.org
>
> OpenBSD 6.0-current (GENERIC.MP) #0: Wed Nov  2 18:41:56 MDT 2016
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 520093696 (496MB)
> avail mem = 499834880 (476MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0
> acpi at bios0 not configured
> cpu0 at mainbus0: (uniprocessor)
> cpu0: Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz, 2493.68 MHz
> cpu0:
> FPU,VME,DE,PSE,MSR,PAE,MCE,CX8,SEP,PGE,MCA,CMOV,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AES,XSAVE,AVX,HV
> cpu0: smt 0, core 0, package 0
> pvbus0 at mainbus0: OpenBSD
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "OpenBSD VMM PCI Host Bridge" rev 0x00
> virtio0 at pci0 dev 1 function 0 "Qumranet Virtio RNG" rev 0x00
> viornd0 at virtio0
> virtio0: irq 3
> virtio1 at pci0 dev 2 function 0 "Qumranet Virtio Storage" rev 0x00
> vioblk0 at virtio1
> scsibus1 at vioblk0: 2 targets
> sd0 at scsibus1 targ 0 lun 0:  SCSI3 0/direct
> fixed
> sd0: 4608MB, 512 bytes/sector, 9437184 sectors
> virtio1: irq 5
> virtio2 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
> vio0 at virtio2: address fe:e1:bb:d1:84:90
> virtio2: irq 7
> isa0 at mainbus0
> isadma0 at isa0
> com0 at isa0 port 0x3f8/8 irq 4: ns8250, no fifo
> com0: console
> vmm disabled by firmware
> vmm at mainbus0 not configured
> vscsi0 at root
> scsibus2 at vscsi0: 256 targets
> softraid0 at root
> scsibus3 at softraid0: 256 targets
> root on sd0a swap on sd0b dump on sd0b
> panic: root filesystem has size 0
> Stopped at  Debugger+0x9:   leave
>TIDPIDUID PRFLAGS PFLAGS  CPU  COMMAND
> *0  0  0 0x1  0x2000  swapper
> Debugger() at Debugger+0x9
> panic() at panic+0xfe
> dk_mountroot() at dk_mountroot+0xf6
> main() at main+0x56e
> end trace frame: 0x0, count: 11
> https://www.openbsd.org/ddb.html describes the minimum info required in
> bug
> reports.  Insufficient info makes it difficult to find and fix bugs.
> ddb{0}>
> ===
>
> Output of vmd -dvvv when this happens:
> ===
> # vmd -dvvv
> startup
> failed to open /etc/vm.conf: No such file or directory
> vm_priv_ifconfig: interface tap0 description vm1-if0-myvm
> myvm: started vm 14 successfully, tty /dev/ttyp4
> run_vm: initializing hardware for vm myvm
> run_vm: starting vcpu threads for vm myvm
> vcpu_reset: resetting vcpu 0 for vm 14
> run_vm: waiting on events for VM myvm
> i8253_reset: unsupported counter mode 0xe
> vmd: unknown exit reason 48
> ===
>
> I notice the man-page runs "vmctl create" as an unspecified unprivileged
> user so I have tried doing "chown _vmd:_vmd disk.img", placing disk.img
> in "/home/vm" also owned by _vmd. I still get the same panic however.
>
> Complete dmesg of the host system in case it is interesting:
> ===
> OpenBSD 6.0-current (GENERIC.MP) #0: Wed Nov  2 18:41:56 MDT 2016
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> RTC BIOS diagnostic error 80
> real mem = 4156157952 (3963MB)
> avail mem = 4025647104 (3839MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xdae9c000 (67 entries)
> bios0: vendor LENOVO version "8DET63WW (1.33 )" date 07/19/2012
> bios0: LENOVO 429137G
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S3 S4 S5
> acpi0: tables DSDT FACP SLIC SSDT SSDT SSDT HPET APIC MCFG ECDT ASF! TCPA
> SSDT SSDT UEFI UEFI UEFI
> acpi0: wakeup devices LID_(S3) SLPB(S3) IGBE(S4) EXP4(S4) EXP7(S4)
> EHC1(S3) EHC2(S3) HDEF(S4)
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpihpet0 at acpi0: 14318179 Hz
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz, 2492.32 MHz
> cpu0:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
> cpu0: 256KB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0

Re: Oddness with pkg_add

2016-11-03 Thread trondd
On Thu, November 3, 2016 9:07 pm, Chris Huxtable wrote:
> Same as before unfortunately.
>
> # pkg_add -v nano
> Error from http://ftp.openbsd.org/pub/OpenBSD/6.0/packages/amd64/
> ftp: ftp.openbsd.org: no address associated with name
> http://ftp.openbsd.org/pub/OpenBSD/6.0/packages/amd64/ is empty
> Error from http://openbsd.cs.toronto.edu/pub/OpenBSD/6.0/packages/amd64/
> ftp: openbsd.cs.toronto.edu: no address associated with name
> http://openbsd.cs.toronto.edu/pub/OpenBSD/6.0/packages/amd64/ is empty
> Error from http://athena.caslab.queensu.ca/pub/OpenBSD/6.0/packages/amd64/
> ftp: athena.caslab.queensu.ca: no address associated with name
> http://athena.caslab.queensu.ca/pub/OpenBSD/6.0/packages/amd64/ is empty
> Can't find nano
>
> Could this be a pledge issue?
>

Check dmesg, but on a clean install, probably not.

Are you doing something funky with pf, like only allowing certain users
internet access?  pkg_add downloads as the _pfetch user.  Try doas -u
_pfetch host ftp.openbsd.org


