Re: pf.conf: identifying a specific user from dhcpd-table
Edgar,

Sounds like you need to build an adaptive firewall. I would suggest starting with The Book of PF by Peter Hansteen. An excellent resource. That might be a good starting point for you as well. It has a good portion of the information on adaptive firewalls.

P.S. Thank you, Peter, for such a great book.

-bogdan

> On Oct 10, 2018, at 8:17 AM, Edgar Pettijohn wrote:
>
> On Oct 10, 2018 7:58 AM, "Peter N. M. Hansteen" wrote:
>>
>> On Wed, Oct 10, 2018 at 02:48:24PM +0200, Stefan Wollny wrote:
>>>
>>> I'd like to set up PF to forward this port (25565) without a pre-defined
>>> IP as macro as the dhcpd.conf has a line defining tables for abandoned
>>> ("-A"), changed ("-C") and present leases ("-L"). According to man
>>> dhcpd(8) those tables may be used with PF. But how??? I couldn't find
>>> examples.
>>>
>>> Do I have to tell PF about these tables in pf.conf? Or don't I need
>>> these tables at all?
>>
>> You do need to include the tables in your pf.conf. I'm a bit surprised
>> the example at https://home.nuug.no/~peter/pftutorial/#33 did not show up in
>> your search.
>>
>> - P
>>
>> --
>> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
>> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
>> "Remember to set the evil bit on all malicious network traffic"
>> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>>
>
> When looking for pf info I generally just Google Peter Hansteen.
>
> Edgar
>
syslogd restarts randomly
Hi Everyone,

I'm having a hard time understanding what is going on with the syslogd on some of my servers. It restarts on a regular basis and that just looks suspicious to me. I'm using OpenBSD 6.3 (GENERIC.MP).

Here is an output of the syslogd:

Sep 26 07:00:01 syslogd: restart
Sep 26 10:00:07 syslogd: dropped 9 messages during initialization
Sep 26 10:00:07 syslogd: restart
Sep 26 16:38:44 syslogd: dropped 5 messages during initialization
Sep 26 16:38:44 syslogd: restart
Sep 27 14:00:01 syslogd: dropped 9 messages during initialization
Sep 27 14:00:01 syslogd: restart
Sep 27 16:31:34 syslogd: dropped 5 messages during initialization
Sep 27 16:31:34 syslogd: restart
Sep 28 04:00:01 syslogd: dropped 9 messages during initialization
Sep 28 04:00:01 syslogd: restart
Sep 28 10:01:47 syslogd: dropped 9 messages during initialization
Sep 28 10:01:47 syslogd: start
Sep 28 11:25:54 syslogd: dropped 5 messages during initialization
Sep 28 11:25:54 syslogd: restart
Sep 28 16:24:24 syslogd: dropped 5 messages during initialization
Sep 28 16:24:24 syslogd: restart
Sep 28 17:00:02 syslogd: dropped 9 messages during initialization
Sep 28 17:00:02 syslogd: restart
Sep 28 19:00:01 syslogd: dropped 9 messages during initialization
Sep 28 19:00:01 syslogd: restart
Sep 28 23:22:18 syslogd: dropped 5 messages during initialization
Sep 28 23:22:18 syslogd: restart
Sep 29 10:00:01 syslogd: dropped 9 messages during initialization
Sep 29 10:00:01 syslogd: restart
Sep 29 16:17:14 syslogd: dropped 5 messages during initialization
Sep 29 16:17:14 syslogd: restart
Sep 29 19:00:01 syslogd: dropped 9 messages during initialization
Sep 29 19:00:01 syslogd: restart
Sep 30 10:11:52 syslogd: dropped 5 messages during initialization
Sep 30 10:11:52 syslogd: restart
Sep 30 16:10:05 syslogd: dropped 5 messages during initialization
Sep 30 16:10:05 syslogd: restart
Sep 30 17:00:02 syslogd: dropped 9 messages during initialization
Sep 30 17:00:02 syslogd: restart

Any ideas on how I can start investigating this issue? Also what would be your thinking on what is going on?

Thank you a lot

-- 
---
Best regards,
Bogdan
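One way to start the investigation asked for above, as an added example that is not from the thread: fold each "dropped N messages" line into the start/restart event sharing its timestamp, then separate the events that land on the hour (cron's hourly newsyslog(8) run sends syslogd a SIGHUP after rotating a log, which syslogd logs as "restart") from a "start" (a freshly launched daemon) and from restarts at odd times, which are the ones to cross-check against cron, authentication and shell-history records. The sample is a subset of the lines quoted in the post, in the format shown there (no hostname column).

```python
import re
from collections import Counter

# A subset of the lines quoted in the post above (syslogd does not log the year;
# the hostname column is absent in the post's paste, so it is not expected here).
SAMPLE = """\
Sep 26 07:00:01 syslogd: restart
Sep 26 10:00:07 syslogd: dropped 9 messages during initialization
Sep 26 10:00:07 syslogd: restart
Sep 26 16:38:44 syslogd: dropped 5 messages during initialization
Sep 26 16:38:44 syslogd: restart
Sep 27 14:00:01 syslogd: dropped 9 messages during initialization
Sep 27 14:00:01 syslogd: restart
Sep 28 10:01:47 syslogd: dropped 9 messages during initialization
Sep 28 10:01:47 syslogd: start
Sep 28 11:25:54 syslogd: dropped 5 messages during initialization
Sep 28 11:25:54 syslogd: restart
Sep 30 17:00:02 syslogd: dropped 9 messages during initialization
Sep 30 17:00:02 syslogd: restart
"""

LINE_RE = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}) '
    r'syslogd: (?P<msg>restart|start|dropped (?P<n>\d+) messages during initialization)$')


def parse(text):
    """Return (stamp, kind, minute, second, dropped) per start/restart event.

    A 'dropped N messages' line shares its timestamp with the start/restart
    line that follows it, so it is folded into that event.
    """
    events, pending = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not one of syslogd's own messages
        if m['n'] is not None:
            pending = int(m['n'])
            continue
        stamp = f"{m['mon']} {m['day']} {m['hh']}:{m['mm']}:{m['ss']}"
        events.append((stamp, m['msg'], int(m['mm']), int(m['ss']), pending))
        pending = 0
    return events


def classify(event):
    """Separate the explainable events from the ones worth chasing."""
    _stamp, kind, minute, second, _dropped = event
    if kind == 'start':
        return 'daemon-start'   # a freshly launched syslogd, not a SIGHUP
    if minute == 0 and second <= 10:
        return 'on-the-hour'    # matches cron's hourly newsyslog(8) run, which
                                # sends SIGHUP after rotating a log
    return 'off-schedule'       # nothing periodic explains it: correlate with
                                # cron, auth and shell-history records


def triage(text):
    return [(e[0], e[1], e[4], classify(e)) for e in parse(text)]


def summary(text):
    return dict(Counter(c for _, _, _, c in triage(text)))


if __name__ == "__main__":
    for stamp, kind, dropped, verdict in triage(SAMPLE):
        print(f"{stamp}  {kind:8} dropped={dropped}  {verdict}")
    print(summary(SAMPLE))
```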
Re: USB Ethernet adapter
This is a great suggestion. Thanks Stuart. Much appreciated

-b.

On Thu, Sep 27, 2018 at 14:57 Stuart Longland wrote:

> On 25/09/18 10:00, Bogdan Kulbida wrote:
> > Please don’t judge that hard, but I’m trying to see if I can set-up a
> > network gateway with one of the old’ish servers I have here. It was running
> > OBSD just fine for a looong time but has only one network interface.
> >
> > It does have few extra USB ports, ta-da...
> > Anyway, what USB network interface would you recommend that would run
> > smoothly with the OBSD 6.3?
>
> Another possibility is if you don't need the full link speed, you can
> use a managed switch and set up 802.1Q.
>
> Make the ports at both ends trunk ports and multiplex as many Ethernet
> segments as you like.
>
> I use this approach with a TS-7670 industrial PC which has only one
> 100Mbps Ethernet interface to have it route between a DMZ and a
> management network, and of course, indirectly two of my OpenBSD-based
> virtual machines do this (with the Linux host doing the 802.1Q stuff).
> --
> Stuart Longland (aka Redhatter, VK4MSL)
>
> I haven't lost my mind...
> ...it's backed up on a tape somewhere.
>
-- 
---
Best regards,
Bogdan Kulbida
Founder and CEO, Konstankino LLC <http://konstankino.com>
+1.802.793.8295
Re: USB Ethernet adapter
Thank you for your help. Much appreciated.

On Tue, Sep 25, 2018 at 03:35 Stephane HUC "PengouinBSD" <b...@stephane-huc.net> wrote:

> Hi, Bogdan
>
> I'm using the Wii USB LAN Ethernet Adapter RVL-015 every day; it's
> managed by the axe driver:
>
> $ dmesg | grep axe
>
> axe0 at uhub0 port 1 configuration 1 interface 0 "ASIX Electronics
> AX88772" rev 2.00/0.01 addr 2
> axe0: AX88772, address 00:**:**:**:**:**
> ukphy0 at axe0 phy 16: Generic IEEE 802.3u media interface, rev. 1: OUI
> 0x000ec6, model 0x0001
>
> see https://man.openbsd.org/OpenBSD-current/man4/axe.4
>
> I maintain a web page with information about USB-Ethernet adapters (in French),
> here: https://wiki.obsd4a.net/hardware:network:usb_eth ;)
>
> On 09/25/18 at 02:00, Bogdan Kulbida wrote:
> (...)
> > Anyway, what USB network interface would you recommend that would run
> > smoothly with the OBSD 6.3?
> (...)
> --
> ~ " Fully Basic System Distinguish Life! " ~ " Libre as a BSD " +=<<<
>
> Stephane HUC as PengouinBSD or CIOTBSD
> b...@stephane-huc.net
>
USB Ethernet adapter
Dear Community,

Please don’t judge that hard, but I’m trying to see if I can set-up a network gateway with one of the old’ish servers I have here. It was running OBSD just fine for a looong time but has only one network interface.

It does have a few extra USB ports, ta-da...

Anyway, what USB network interface would you recommend that would run smoothly with the OBSD 6.3?

Much appreciated all your efforts. Thank you.
Re: Deploy Django app - strategy?
Hi Ken,

Can you please be more specific on Nginx talking via sockets? Any URLs on that topic will be appreciated.

Thank you.

On Sun, Sep 16, 2018 at 09:46 Ken M wrote:

> On Sun, Sep 16, 2018 at 09:05:33AM +0300, ?? wrote:
> > I deploy my django app using uwsgi and venv in my home dir
> > uWSGi starts on its default port and httpd server uses this port
> > to handle my app requests. Everything just like in the official manual of
> > uwsgi.
> >
>
> Don't know if this is helpful for Django apps, or if httpd in openbsd can use
> unix sockets. Anyway with a couple of falcon api's I setup with Gunicorn I
> actually used unix sockets instead of creating ports. If my proxy is on the same
> server as the api's I found that a little easier to manage. Granted in this case
> it was on centos and I was using nginx. Also in the process of figuring out how
> to do that I found a lot of the documentation on nginx syntax talking to a unix
> socket was wrong. But that is another story.
>
> Ken
>
Re: NodeJS apps on Httpd?
That is correct. I wanted to say relayd.

-Bogdan

On Thu, Sep 6, 2018 at 01:55 Solene Rapenne wrote:

> Bogdan Kulbida wrote:
> > Hi Mike,
> >
> > Why don’t you run a “usual” nodejs server (probably multiple processes) and
> > proxy requests into it via httpd?
> >
> > Question: Any objections or security concerns?
>
> httpd doesn't have proxy feature, only fastcgi
>
Re: NodeJS apps on Httpd?
Hi Mike,

Why don’t you run a “usual” nodejs server (probably multiple processes) and proxy requests into it via httpd?

Question: Any objections or security concerns?

-Bogdan

On Wed, Sep 5, 2018 at 13:01 Chris Cappuccio wrote:

> Michael Joy [mich...@michaeljoy.eu] wrote:
> > Does anyone have any experience of getting node apps running through httpd?
> > Any opinions, instructions or warnings are welcome.
>
> I think generally node apps will be run behind relayd, not httpd.
>
Re: Equipment for OBSD based firewall
Ingo,

I so much enjoyed reading your answer. Thanks a lot for sharing.

-Bogdan

On Mon, Sep 3, 2018 at 20:04 Ingo Schwarze wrote:

> Hi Bogdan,
>
> Bogdan Kulbida wrote on Mon, Sep 03, 2018 at 04:17:51PM -0700:
>
> > I need to build a pf OBSD firewall for a small office. What minimally
> > feasible equipment would you recommend in order to achieve this goal?
>
> I seriously doubt that you can find anything in the trash that isn't
> seriously oversized.
>
> In 2001, i ran an OpenBSD 2.7 firewall with ipf(4) on an
> Intel 486-SX25 (25 MHz) with 24 MB (not GB!) RAM, a system
> disk of 100 MB (not GB!) and a /var/ disk of another 100 MB.
> The about ten concurrent users were happy with it for years.
>
> OK, that would no longer work because the SX25 had no numerical
> coprocessor which is now required to run OpenBSD, and it required
> some fiddling to fit the system installation into 100 MB. But it
> always routed the traffic fast enough.
>
> Currently, one of my office firewalls runs on:
>
> - CPU: AMD-K6 234 MHz (yes, a quarter of a GHz)
> - RAM: 128 MB (yes, an eighth of a GB)
> - HD: ATA (not SATA!) UDMA-2, 3 GB (not 300 GB!)
>
> The only reason the machine is *THAT* large is that at the time it
> was selected, we no longer had any smaller dismantled desktop
> machines in the trash. I don't have the slightest doubt that a
> much smaller machine would also be fine - certainly with half of
> everything, like 100 MHz, 64 MB RAM, 1 GB disk.
>
> And since then, i'm too lazy to pull something newer from the trash
> to replace it - because it just works.
>
> As a matter of fact, i'm sending this email over it...
>
> Yours,
>   Ingo
>
Re: Equipment for OBSD based firewall
Thank you. Much appreciated.

On Mon, Sep 3, 2018 at 17:03 Tracey Emery wrote:

> https://pcengines.ch
>
> On September 3, 2018 5:17:51 PM MDT, Bogdan Kulbida wrote:
>>
>> Ladies and gentlemen,
>>
>> I need to build a pf OBSD firewall for a small office. What minimally
>> feasible equipment would you recommend in order to achieve this goal?
>>
>> Thank you!
>>
> --
> Tracey
>
Equipment for OBSD based firewall
Ladies and gentlemen,

I need to build a pf OBSD firewall for a small office. What minimally feasible equipment would you recommend in order to achieve this goal?

Thank you!
Re: Selling things through the mailing list allowed? I have compatible THIN CLIENTS for Firewall / Router appliance use Available
I would like to apologize for the previous email. The joke was unprofessional and very rude. I’m sorry if it was offensive to someone in this list.

-Bogdan

On Wed, Aug 29, 2018 at 22:40 Bogdan Kulbida wrote:

> I love it! Damn f.. asshole! Get him out of here!
>
> On Wed, Aug 29, 2018 at 21:09 Theo de Raadt wrote:
>
>> Jacqueline Jolicoeur wrote:
>>
>> > > Finally, whether intended or not, your intention to try to SELL
>> > > something on this list is extraordinarily rude. Move on and go learn
>> > > about this on your own. The Internet is filled with useful
>> > > information. The mailing list archives also have a tremendous amount
>> > > of useful info.
>> >
>> > Asking permission, while at the same time, performing the act.
>> >
>> > "Wrote a song about it. Like to hear it? Here it goes." - Calhoun Tubbs
>>
>> May I call people trying to sell things on misc assholes? The guy
>> trying to sell stuff on misc is an asshole. Oh sorry, I'm sorry I called
>> an asshole an asshole.
>>
>> Right?
>>
>> --
> --
>
Re: Selling things through the mailing list allowed? I have compatible THIN CLIENTS for Firewall / Router appliance use Available
I love it! Damn f.. asshole! Get him out of here!

On Wed, Aug 29, 2018 at 21:09 Theo de Raadt wrote:

> Jacqueline Jolicoeur wrote:
>
> > > Finally, whether intended or not, your intention to try to SELL
> > > something on this list is extraordinarily rude. Move on and go learn
> > > about this on your own. The Internet is filled with useful information.
> > > The mailing list archives also have a tremendous amount of useful info.
> >
> > Asking permission, while at the same time, performing the act.
> >
> > "Wrote a song about it. Like to hear it? Here it goes." - Calhoun Tubbs
>
> May I call people trying to sell things on misc assholes? The guy
> trying to sell stuff on misc is an asshole. Oh sorry, I'm sorry I called
> an asshole an asshole.
>
> Right?
>
Re: CVE-2018-8897
I guess this is the main reason why we all love OpenBSD and the idea and philosophy (and people) behind this great OS!

- Bogdan

> On May 11, 2018, at 6:49 AM, andrew fabbro wrote:
>
> "A statement...was mishandled in the development of some or all
> operating-system kernels..."
>
> I think it's really "some" and the reason it's "some" and not "all" is
> OpenBSD.
>
> On Thu, May 10, 2018 at 9:51 PM, John Long wrote:
>
>> On Thu, 2018-05-10 at 18:54 -0600, Theo de Raadt wrote:
>>>> Dare I ask what led to OpenBSD not being affected. Sorry if it is a
>>>> dumb question but since this hit FreeBSD as well I am wondering what
>>>> OpenBSD did differently. Was this caught in an audit? I am just curious
>>>> about causality that kept OpenBSD in the clear of this one that made
>>>> such headlines yesterday.
>>>
>>> We didn't chase the fad of using every Intel cpu feature.
>>
>> This goes into the archive! Thank you for the slice of sanity in an
>> insane world.
>>
>> /jl
>>
>
> --
> andrew fabbro
> and...@fabbro.org
Re: Unprivileged wkhtmltopdf binary invocation fails with core dump
Andrew,

The ‘-n’ flag did help and resolved an issue. You have no idea how much I appreciate your help!

I’m interested to know why it failed w/ js enabled. Would you mind sharing that, or pointing me in the direction where to find the answer?

Best,
Bogdan

On Mon, Apr 23, 2018 at 14:53 Andrew <and...@quickstick.net> wrote:

> On 04/23/18 15:50, Bogdan Kulbida wrote:
> >Hi Everyone,
> >
> >I'm trying to use wkhtmltopdf to generate PDF from my HTML files. I
> >was googling like crazy but did not find any valuable information so
> >far.
> >When I run (as root)
> >
> ># /usr/local/bin/wkhtmltopdf http://google.com /tmp/out.pdf
> >
> >It does generate pdf just fine. But when I run the same command as
> >unprivileged user I got
> >Trace/BPT trap (core dumped) ] 10%
>
> Bogdan,
>
> See if this helps. As an unprivileged user, try the -n switch to disable
> javascript -- e.g. wkhtmltopdf -n [args].
>
> -A
>
> PS: A related package is htmldoc -- but I haven't tried it out yet.
>
Unprivileged wkhtmltopdf binary invocation fails with core dump
Hi Everyone,

I'm trying to use wkhtmltopdf to generate PDF from my HTML files. I was googling like crazy but did not find any valuable information so far.

When I run (as root)

# /usr/local/bin/wkhtmltopdf http://google.com /tmp/out.pdf

It does generate pdf just fine. But when I run the same command as unprivileged user I got

Trace/BPT trap (core dumped) ] 10%

This is how the `ldd` output looks:

web$ ldd /usr/local/bin/wkhtmltopdf
/usr/local/bin/wkhtmltopdf:
Start End Type Open Ref GrpRef Name
0ab734d0 0ab737ef7000 exe 20 0 /usr/local/bin/wkhtmltopdf
0ab99bee9000 0ab99c15e000 rlib 01 0 /usr/local/lib/libjpeg.so.68.1
0ab97f467000 0ab97f6a1000 rlib 01 0 /usr/local/lib/libpng.so.17.5
0ab966451000 0ab96665b000 rlib 01 0 /usr/X11R6/lib/libXrender.so.6.0
0ab9c1255000 0ab9c149d000 rlib 01 0 /usr/X11R6/lib/libfontconfig.so.11.0
0ab9db822000 0ab9dbae5000 rlib 02 0 /usr/X11R6/lib/libfreetype.so.28.2
0ab9db221000 0ab9db433000 rlib 01 0 /usr/X11R6/lib/libXext.so.13.0
0ab99d159000 0ab99d49c000 rlib 03 0 /usr/X11R6/lib/libX11.so.16.1
0aba030a5000 0aba032bc000 rlib 03 0 /usr/lib/libz.so.5.0
0aba0643c000 0aba06664000 rlib 02 0 /usr/lib/libm.so.10.1
0ab9b1757000 0ab9b1a54000 rlib 01 0 /usr/local/lib/libiconv.so.6.0
0ab9a240e000 0ab9a26ce000 rlib 01 0 /usr/lib/libc++.so.1.0
0ab94b1bb000 0ab94b41b000 rlib 01 0 /usr/lib/libc++abi.so.0.0
0aba1dffc000 0aba1e205000 rlib 01 0 /usr/lib/libpthread.so.25.1
0ab9bf67a000 0ab9bf95a000 rlib 01 0 /usr/lib/libc.so.92.3
0ab9a2bce000 0ab9a2df9000 rlib 03 0 /usr/X11R6/lib/libxcb.so.4.0
0ab9af568000 0ab9af793000 rlib 01 0 /usr/lib/libexpat.so.12.0
0ab9b26d 0ab9b28d4000 rlib 01 0 /usr/X11R6/lib/libXau.so.10.0
0ab9d8f45000 0ab9d914b000 rlib 01 0 /usr/X11R6/lib/libXdmcp.so.11.0
0ab997e0 0ab997e0 ld.so 01 0 /usr/libexec/ld.so

The file dump is ~10Mb; I did not want to include it unless you ask for it...

Please help. Thank you.

---
Best,
Bogdan
Re: thank you for 6.3
I use a block storage device with encryption just to keep my /home encrypted and mount it manually every time I boot...

On Thu, Apr 19, 2018 at 04:50 flipchan <flipc...@riseup.net> wrote:

> Running 6.3 on x200 here as well but with libreboot, except for libreboot
> not allowing me to have full disk encryption it works like a charm
>
> On April 18, 2018 5:10:26 PM UTC, Scott Bonds <sc...@ggr.com> wrote:
> >Under 6.2 my laptop would hang a few hours after waking from sleep, and
> >it was my own damn fault for running an unsupported config (Lenovo x200
> >+ coreboot + SeaBIOS). But after upgrading to 6.3 I haven't been able
> >to get it to hang and I find myself back in 'it just works' land which is
> >so, so nice. So nice.
> >
> >I don't know who to thank, and maybe the dev that fixed my issue
> >wouldn't know *they* fixed it, but...thank you.
>
> --
> Take Care Sincerely flipchan layerprox dev
>
Block device encryption
Dear OpenBSD awesome community,

I tried to find some information on the block device encryption topic, specifically about best practices in using it, and did find some. But there is not much I could find about what happens when my actual device contents start to consume more space than initially allocated. I know you can resize a volume, but what if for some reason that was not done? What are the ramifications of continuing to use the block device and adding even more data onto it?

Thank you for all the hard work all and each of you have done to make it such a great world class operating system.

Regards,
Bogdan
Re: Migrating nginx config to OpenBSD's httpd
Hi Carlos,

The HAProxy project exists and serves much better as a load balancer and reverse proxy server. It is more efficient than engine X. Any concerns using it?

- Bogdan

On Fri, Apr 13, 2018 at 04:47 Pavel Korovin <p...@tristero.se> wrote:

> Hi Carlos,
>
> There's no analog of proxy_pass in httpd(8). relayd(8) is your friend.
>
> On 04/13, C. L. Martinez wrote:
> > I am trying to migrate nginx configuration to OpenBSD's httpd. All it is
> > working ok, except for some proxy reverse config that I use with nginx's
> > config, like for example:
> >
> > server {
> >     listen 80;
> >     server_name internal.w01.domain.org;
> >
> >     location / {
> >         proxy_pass http://192.168.30.4;
> >     }
> > }
> >
> > I don't see what is the option to use with httpd.conf or is it best
> > option to use relayd.conf for this type of configs?
>
> --
> With best regards,
> Pavel Korovin
>