Namaste misc,
Overview:
With the caveat that my abilities are limited to reading code and basic
admin, I think that the "location [not] found" feature in httpd(8)
might possibly be "featuritis" - incorrectly using a term borrowed from
reyk@.
If I may go further, I think we might want to revert th
Namaste Peter,
Tusen takk for your reply.
> Sent: Saturday, December 19, 2020 at 3:32 PM
> From: "Peter Nicolai Mathias Hansteen"
> To: "misc"
> Subject: Re: pf.conf parser/lint
>
>
>
> > On 19 Dec 2020 at 14:50, Aham Brahmasmi wrote:
> >
Namaste Theo,
I apologize for reincarnating this thread.
> Sent: Friday, September 04, 2020 at 5:33 PM
> From: "Theo de Raadt"
> To: "Tommy Nevtelen"
> Cc: misc@openbsd.org
> Subject: Re: pf.conf parser/lint
>
> Tommy Nevtelen wrote:
>
> > On 04/09/2020 18.07, Brian Brombacher wrote:
> > > We
Namaste Pekka,
> Sent: Tuesday, April 21, 2020 at 9:11 PM
> From: "Edgar Pettijohn"
> To: "Pekka Niiranen"
> Cc: misc@openbsd.org
> Subject: Re: UNIX crash course
>
> On Tue, Apr 21, 2020 at 09:17:50PM +0300, Pekka Niiranen wrote:
> > Hello Sirs,
> >
> > That is a very comprehensive list of books,
Namaste Andreas,
> Sent: Friday, April 17, 2020 at 8:53 AM
> From: "Andreas Kusalananda Kähäri"
> To: "Janne Johansson"
> Cc: "openbsd-misc"
> Subject: Re: Regarding randomized times in crontab
>
> On Fri, Apr 17, 2020 at 09:06:10AM +0200, Janne Johansson wrote:
> > Den tors 16 apr. 2020 kl 20:
Namaste misc,
Apologies for the reincarnation of this mail trail.
> Sent: Tuesday, February 25, 2020 at 10:40 PM
> From: "Constantine A. Murenin"
> To: "Vincenzo Nicosia"
> Cc: "Stuart Henderson" , "misc@openbsd.org"
>
> Subject: Re: openbsd.org - certain https URLs downgraded to http in
> r
Namaste misc,
Overview:
Certain https URLs on openbsd.org get downgraded to http in redirection.
Steps:
When navigating to https://www.openbsd.org/cgi-bin/man.cgi [1] from a
browser, one ends up on http://man.openbsd.org/cgi-bin/man.cgi.
Same with https://www.openbsd.org/cgi-bin/cvsweb [1], whic
> Sent: Monday, February 03, 2020 at 2:28 AM
> From: "Damien Miller"
> To: "Aham Brahmasmi"
> Cc: Misc
> Subject: Re: ssh: probable bug in ssh -current
>
> On Fri, 31 Jan 2020, Aham Brahmasmi wrote:
>
> > Bug:
> > When the cli
Namaste misc,
Could I request the ssh volks to please switch the default for
UpdateHostKeys back to "no"?
The default for UpdateHostKeys has been very recently switched to "ask"
from the earlier default of "no" in rev 1.323 of the file
src/usr.bin/ssh/readconf.c [1]. This default has been further
Namaste misc,
Overview:
In update_known_hosts function in file src/usr.bin/ssh/clientloop.c [1],
the message strings used in debug and error functions may need to be
changed.
Bug:
In src/usr.bin/ssh/clientloop.c,
...
static void
update_known_hosts(struct hostkeys_update_ctx *ctx)
{
...
if (errno
Namaste misc,
Overview:
In -current (#625), the ssh client is asking the user to accept updated
server host keys after every successful connection. No host keys have
actually been updated at the server side.
Setup:
Consider a server (-current #625) which uses host certificates. The
server's ed255
ck
> addresses
> 127.0.0.1)
>
> eg
> echo inet a.b.c.d/32 >/etc/hostname.lo2
> echo inet alias w.x.y.z/32 >>/etc/hostname.lo2
>
> and just keep adding additional addresses using "inet alias"
>
> Hope this helps
>
>
>
>
>
>
>
> On
Namaste misc,
In IPv6, what address prefix/range is recommended for use when
assigning multiple addresses to the loopback interface?
The use case is running multiple servers (nsd and unbound) on the same
port but different loopback addresses. It is similar to what popped up
on the other thread ab
Namaste Philippe,
Merci beaucoup for your reply.
> Sent: Saturday, January 04, 2020 at 3:54 PM
> From: "Philippe Meunier"
> To: "Aham Brahmasmi"
> Cc: misc@openbsd.org, Roderick
> Subject: Re: Request for recommendation - encryption and signature for file
Namaste Rodrigo,
Thank you for your reply.
> Sent: Friday, January 03, 2020 at 5:43 PM
> From: "Roderick"
> To: "Aham Brahmasmi"
> Cc: misc@openbsd.org
> Subject: Re: Request for recommendation - encryption and signature for file
> backup
>
>
Hallo Claus,
Danke for your reply.
> Sent: Thursday, January 02, 2020 at 6:38 PM
> From: "Claus Assmann"
> To: misc@openbsd.org
> Subject: Re: Request for recommendation - encryption and signature for file
> backup
>
> Maybe duplicity? It's available as package (not sure
> whether it does signi
> Sent: Thursday, January 02, 2020 at 8:21 PM
> From: "Otto Moerbeek"
> To: "Aham Brahmasmi"
> Cc: misc@openbsd.org
> Subject: Re: Probable off by one in src/usr.bin/rdist/docmd.c
>
> On Thu, Jan 02, 2020 at 07:45:25PM +0100, Aham Brahmasmi wrote:
>
> Sent: Thursday, January 02, 2020 at 4:26 PM
> From: "Otto Moerbeek"
> To: "Aham Brahmasmi"
> Cc: misc@openbsd.org
> Subject: Re: Probable off by one in src/usr.bin/rdist/docmd.c
>
> On Thu, Jan 02, 2020 at 03:39:53PM +0100, Aham Brahmasmi wrote:
>
Hallo Otto,
Dank je Otto for your helpful reply.
> Sent: Wednesday, January 01, 2020 at 3:36 PM
> From: "Otto Moerbeek"
> To: "Aham Brahmasmi"
> Cc: misc@openbsd.org
> Subject: Re: Probable off by one in src/usr.bin/rdist/docmd.c
>
> On Wed, Jan 01,
Namaste misc,
What tool(s) would you recommend to encrypt and sign a file - correctly
- for backup?
I possess a limited ability to read code, and I am certainly not a
cryptographer.
In my limited understanding, to securely backup and restore a file, the
steps are:
To backup:
Step 1 - encrypt th
Namaste misc,
Question:
In the makeconn function in src/usr.bin/rdist/docmd.c, should the 5 in
the following line be replaced by 4?
...
static int
makeconn(char *rhost)
{
...
(void) snprintf(buf, sizeof(buf), "%.*s -S",
(int)(sizeof(buf)-5), path_rdistd);
...
Explanation:
Namaste Ingo,
Danke for your reply. I am sorry for the delay in my response.
> Sent: Monday, December 09, 2019 at 4:44 PM
> From: "Ingo Schwarze"
> To: "Aham Brahmasmi" , be...@openbsd.org
> Cc: misc@openbsd.org
> Subject: Re: Openrsync manpage - EXAMPLES and
Namaste misc,
On the openrsync manpage [1],
1) In the EXAMPLES section, the examples use "rsync".
...
% rsync -t ../src/bar ../src/baz host:dest
...
The SYNOPSIS section has the invocation as "openrsync".
Should we use "openrsync" in the EXAMPLES section?
2) In the SEE ALSO section, clicking on
Namaste misc,
As a good practice, I tried to limit the virtual and physical memory
available to the svn daemon [1]. To achieve that, I read about login
classes and login.conf(5) [2]:
...
memoryuse size Maximum in core memoryuse size limit.
...
vmemoryuse size Maxim
Hi Stuart,
> Sent: Wednesday, March 13, 2019 at 11:05 AM
> From: "Stuart Henderson"
> To: misc@openbsd.org
> Subject: Re: Are there open source firewall distributions which are built on
> top of OpenBSD?
>
> On 2019-03-13, Mehma Sarja wrote:
> > My current setup is basic firewall with DHCP, NAT
Hi Stuart,
> Sent: Monday, December 24, 2018 at 1:13 AM
> From: "Stuart Henderson"
> To: misc@openbsd.org
> Subject: Re: Relayd with multiple lets encrypt cert's
>
> On 2018-12-22, Aham Brahmasmi wrote:
> >> On Sat, Dec 22, 2018 at 12:28:4
> On Sat, Dec 22, 2018 at 12:28:46PM +0100, Aham Brahmasmi wrote:
> > Hi,
> >
> > > On Sat, Dec 22, 2018 at 07:07:58AM +0100, Flipchan wrote:
> > > > Hello,
> > > > Does anyone know how to get this working with multiple letsencrypt
> > > &
Hi,
> On Sat, Dec 22, 2018 at 07:07:58AM +0100, Flipchan wrote:
> > Hello,
> > Does anyone know how to get this working with multiple letsencrypt certs?
> >
>
> You need individual IP:port settings for each of the certs. Also don't
> forward to different hosts based on match rules unless you rea
Hello misc,
From the man page of switchd.conf [1]:
...
By default, switchd(8) uses port 6653 and listen address 0.0.0.0.
...
The following example is a typical one.
listen on 0.0.0.0 port 6633
...
Would the example benefit from 6653 as the port number, instead of 6633?
Dhanyavaad.
Regards,
ab
Hello misc,
Setting PubkeyAcceptedKeyTypes in the sshd_config does not seem to have
any effect on the selection of server signature algorithms
(server-sig-algs). Further, the certificate variants of the algorithms
are not selected at all.
Steps:
ON SERVER
$ cat /etc/ssh/sshd_config
...
PubkeyAcce
Thank you Robert and Stuart for your helpful responses.
> Skipping X and games is usually safe. The compilers might be a bad
> idea unless you're only installing software from ports.
Yes, current plan is to install only from ports as of now.
> If you aren't using those packages which use librar
Hello misc,
1) For an internet exposed server, would it be ok to not install any
i) compiler collection
ii) games
iii) X related
file sets?
Set name(s) = -comp* -game* -x*
2) Would ssh login be affected by lack of X related file sets on the
server? In other words, is ssh one of the "programs that
Hello misc,
For the ssh-keygen manpage, https://man.openbsd.org/ssh-keygen.1:
1) We may possibly be missing "-a rounds" for the first incantation
ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa] [-N new_passphrase] [-C comment] [-f output_keyfile]
I may be wrong here, but I t
Stuart,
> Yes the original code was in the original import from KAME. The code
> that actually *processed* these queries was removed in the commit I
> mentioned (so it seems your main concern is already dealt with), but
> I think the interfaces are still joined to the group so will receive
> those
Hi Stuart,
Thank you for your response.
> > 2) How to disable an interface from joining IPv6 Node Information
> > multicast group (RFC 4620)?
> > In sys/netinet6/in6.c, the function in6_update_ifa contains the
> > following lines:
> >
> > /*
> > * join node information group address
> > */
> >
Hi Ingo,
Thank you for your response.
> i mostly learn by reading reference manuals, standard documents,
> and source code.
I try to too, but with limited successes. So topology and other higher
order concepts are out of my competency area, and hence my question.
> I mentioned it to show that t
Hi Tom,
> The book of PF by Peter M Hansteen is very good, and openBSD Specific
> Building Internet firewalls is good also ... Building internet
> firewalls book can
> be a bit verbose at times... but it does go through things in detail...
Thank you for your recommendation. I apologize for my inco
Hello misc,
Running 6.4-beta from approximately a week ago.
1) How to determine the IPv6 multicast groups which have been joined by
a particular interface?
I have tried netstat but have been unsuccessful.
# ifconfig em0
em0: flags=648843 mtu 1500
...
status: active
...
Hi Ingo,
Thank you for sharing your experience and insight.
> This is discussed in very great detail, covering several chapters,
> in the fundamental book by Elizabeth D. Zwicky, "Building Internet
> Firewalls" (O'Reilly 2000). While in that book, lots of information
> about specific services is
Craig,
Thank you for your exhaustive reply - the list of checks along with
current workarounds to achieve them are very helpful. I now know that
I need to learn even more.
> OpenSMTPd's filter interface is not yet usable (last update 12/2014):
> http://www.poolp.org/posts/2014-12-12/the-state-of-
Hi Craig,
Thank you for sharing your valuable experience. I apologize for bumping
up this slightly old thread.
> After that, the MTA needs to be able to check the DNS validity of the
> sender's SMTP HELO hostname, and check their DNS PTR record is valid,
> and both the mail's envelope and address
Hello misc,
I am wondering whether the good volks here would be able to share
their insight on configuring the IPv6 gateway address for a machine
which has been assigned a static IPv6 address.
Based on my layman research, there are two options:
1) Link local gateway address - fe80::1%em0 (Prefera
Thank you Koshibe-san for your reply.
Here is the output of ping, after the steps:
$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendmsg: Network is down
ping: wrote 8.8.8.8 64 chars, ret=-1
...
So, it seems the ping fails, except, this time there is some output.
> > Interestingly,
Thank you Koshibe-san for your reply.
> I've actually held back on that diff since it's a bit insufficient by itself.
Ok.
> Actually, you said that you had just em0 on that switch. Can you try
> adding a local port (addlocal instead of add) alongside em0? It will
> be a vether(4) interface that
> > $ cat /etc/hostname.switch0
> > add em0
> > up
> >
> > Here, em0 is the egress interface connected to the dedicated/bare-metal
> > machine provider's network. This provider's network is beyond my
> > control. As such, there might be a loop in the provider's network.
>
> (Sorry, was meaning to
> Sent: Thursday, April 12, 2018 at 11:24 AM
> From: "Ayaka Koshibe"
> To: misc@openbsd.org
> Subject: Re: Cannot access internet with virtual switch
>
> On Wed, Apr 11, 2018 at 6:25 AM, Aham Brahmasmi
> wrote:
> >> Sent: Wednesday, April 11, 2018 at 10:1
> Sent: Thursday, April 12, 2018 at 5:57 AM
> From: "Theo de Raadt"
> To: "Aham Brahmasmi"
> Cc: misc@openbsd.org
> Subject: Re: pf: certain recursive macros causing syntax error
>
> Aham Brahmasmi wrote:
>
> > Hello misc,
> >
>
Hello misc,
Recursive macros which include macros containing certain specific
characters cause syntax errors.
Steps
$ cat pftemp.conf
forwardslash = "100/10"
#forwardslashrecursive = $forwardslash
number = "100"
numberrecursive = $number
string = "keep"
#stringrecursive = $string
ip = "0.0.0.0"
i
> Sent: Wednesday, April 11, 2018 at 10:18 AM
> From: "Ayaka Koshibe"
> To: misc@openbsd.org
> Subject: Re: Cannot access internet with virtual switch
>
> > This informs us that for a PACKET_OUT with action OUTPUT, it cannot
> > have its port as ANY. Now, I do not know why for a PACKET_OUT message
> Sent: Monday, April 09, 2018 at 6:50 PM
> From: "Aham Brahmasmi"
> To: misc@openbsd.org
> Subject: Re: Cannot access internet with virtual switch
>
> > Sent: Saturday, April 07, 2018 at 5:02 AM
> > From: "Ayaka Koshibe"
> > To: "Aham Br
> Sent: Saturday, April 07, 2018 at 5:02 AM
> From: "Ayaka Koshibe"
> To: "Aham Brahmasmi"
> Cc: misc@openbsd.org
> Subject: Re: Cannot access internet with virtual switch
>
> On Fri, Apr 6, 2018 at 4:40 PM, Aham Brahmasmi wrote:
> > Hello mis
Hello misc,
Problem
A physical server with a switch (add em0 up) cannot access the internet.
However, the same host with a bridge (add em0 up) can access the
internet.
Steps
$ ifconfig
em0: flags=8843 mtu 1500
lladdr 22:22:22:22:22:22
index 1 priority 0 llprio 3
groups: eg
Hello Misc,
Will OpenBSD's patches for Spectre help mitigate the risk for the
processor families which are not receiving Intel's mitigation microcode
for Spectre/Spectre variant 2?
Backdrop
Intel has issued a Microcode Revision Guidance on April 3, 2018 [1].
As per this guidance, some processor f
> Sent: Monday, February 19, 2018 at 1:41 PM
> From: "Stuart Henderson"
> To: misc@openbsd.org
> Subject: Re: vmd - Unable to reboot Alpine guest
>
> On 2018-02-19, Martijn van Duren wrote:
> > Hello Aham,
> >
> > On 02/18/18 21:09, Aham Brahmasmi w
> Sent: Sunday, February 18, 2018 at 9:19 PM
> From: "Carlos Cardenas"
> To: "Aham Brahmasmi"
> Cc: misc@openbsd.org
> Subject: Re: vmd - Unable to reboot Alpine guest
>
> On Sun, Feb 18, 2018 at 04:23:39PM +0100, Aham Brahmasmi wrote:
> > Hi,
>
Hi,
I have a simple installation of OpenBSD 6.2 with latest patches
installed on an amd64 machine.
I am unable to reboot an Alpine Linux 3.7.0 guest.
1) I have installed an Alpine Linux guest and it works fine on vmd. The
entry in "vmctl status" properly lists the guest after host boot.
$ vmctl
> Sent: Wednesday, February 14, 2018 at 11:30 AM
> From: "Denis Fondras"
> To: misc@openbsd.org
> Subject: Re: spamd and IPv6
>
> > can anyone tell me what the state of spamd and IPv6 is? I would
> > have expected it to work but I can't set for example ::1 or [::1] as a
> > listening address (
Thank you Kapetanakis Giannis and Mike Coddington for your helpful
replies. I will now use /3, since I do not think that I will use
multicast.
Regards,
ab
(Resending, I fessed up the inline reply)
Arigato gojaimas Trondd san for your very helpful reply.
I had understood from the documentation that tags were sticky. I also
understood that a packet can only have zero or one tag at any time.
Also, that a tag cannot be removed, but only replaced.
Howe
Arigato gojaimas Trondd san for your very helpful reply.
Sent: Thursday, January 11, 2018 at 3:17 AM
From: trondd
To: "Aham Brahmasmi"
Cc: misc@openbsd.org
Subject: Re: Probable mistake in PF tagging example ruleset order
On Wed, January 10, 2018 2:44 pm, Aham Brahmasmi wrote:
>
Hi,
I am trying to learn and understand the pf tagging mechanism. I was
wondering whether my understanding of the order in the example at
https://www.openbsd.org/faq/pf/tagging.html is correct. If it is, then
there might be a mistake in the order. The relevant lines are
...
pass out on egress inet
Hi,
What is the correct bitmask for the 224.0.0.0 Martian table entry in
pf.conf?
There are two bitmasks in two links on this page -
http://www.team-cymru.org/bogon-reference-http.html. /3 in the The Text
Bogon List, Aggregated and /4 in IPv4 Fullbogons. /3 is also present in
https://www.openbsd.
62 matches