Re: redirect nor vpn (as I know it) solves this problem

2015-08-14 Thread David Dahlberg
On Thursday, 13.08.2015, at 22:10 -0400, Sonic wrote:
 Problem is a device that, due to its limitations, must have a default
 gateway that is not the default gateway of the OpenBSD router (unlike
 the rest of the network) so I'm having difficulty connecting to it
 from the outside world.

Have you thought about placing a router at that hard configured 
default gateway address, which forwards the packets to your BSD 
router (or sends ICMP redirects)? Alternatively, just configure 
that address on the internal interface of the router as an -alias.

 What I need to have happen is for the incoming packets to the
 problematic device to have a source address in that private subnet
 (the internal address of the router) so that the device sends return
 packets to the right place instead of its configured default gateway
 (which is not the router).

Sounds like a typical use case for NAT to me (inbound nat-to).

Alternatively, beam yourself into that network using some kind 
of L2 VPN. Possibilities would be EtherIP (gif(4)) or vxlan(4) 
over IPsec(4) or OpenVPN respectively.


-- 
David Dahlberg 

Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845
Fraunhoferstr. 20, 53343 Wachtberg, Germany| Fax: +49-228-856277



Re: redirect nor vpn (as I know it) solves this problem

2015-08-14 Thread Stuart Henderson
On 2015-08-14, David Dahlberg david.dahlb...@fkie.fraunhofer.de wrote:
 Sounds like a typical use case for NAT to me (inbound nat-to).

Config for this would be fairly similar to this example:
http://www.openbsd.org/faq/pf/rdr.html#rdrnat



Re: securing web browser

2015-08-14 Thread dan mclaughlin
On Fri, 14 Aug 2015 16:45:52 + Frank White mediome...@gmail.com wrote:
 Hi, does anyone have any advice on making a browser like firefox more secure?
 chroot + systrace ?
 
 
 
 Thank you.
 

apparently it's been done. David Coppa reported that he succeeded chrooting
firefox here: https://marc.info/?l=openbsd-tech&m=143645383725835&w=2.

i think he was following this ('isolating untrusted programs in ssh chroot
jails'): https://marc.info/?l=openbsd-misc&m=142676615612510&w=2 which
details chrooting. that post also links to J. Thornburg's earlier work
securing firefox.



Re: Various ACPI problems on various IBM hardware

2015-08-14 Thread Mike Larkin
On Fri, Aug 14, 2015 at 03:13:17PM +0200, Frederic URBAN wrote:
 Hello,
 
 We have some ACPI problems with various IBM server X. Since it's a very 
 early panic when the kernel boots there is no access to ddb to print the 
 trace. You are prompted to press any key to reboot :) It has been 
 verified on IBM Server x3650 M1, M2 and M3. We are using OpenBSD 5.7, 
 this panic happens with bsd.rd and bsd.mp
 
 The system is usable when I disable acpi when booting on RAMDISK_CD and 
 after the installation on GENERIC.MP
 
 I can provide a screenshot of the KVM over LAN if you guys want. Like 
 we did in the past (Adding support of Intel 82576 on em(4)), I also can 
 provide you a remote access to both oldest machines (a Server x3650 M1 
 and a Server x3650 M2) with serial cable to help you to fix this. We are 
 big users of OpenBSD on various systems (Dell, HP) for the first time I 
 need to install a firewall on IBM hardware so if we can help, I'm ready 
 to setup a lab for you.
 

I'll volunteer to help here. Please send a dmesg and screen capture of
the panic, and acpidump if available.

We can then decide if remote access is needed.

-ml

 Frédéric.
 -- 
 Frédéric URBAN
 Network Engineer
 
 frederic.ur...@ircad.fr
 Tel.: +33 (0)3 88 119 038
 IRCAD France
 http://www.ircad.fr/
 
 Follow IRCAD on Facebook 
 http://www.facebook.com/pages/IRCAD/193785273990141
 
 *IRCAD France*
 Hôpitaux Universitaires - 1, place de l'Hôpital - 67091 Strasbourg Cedex - FRANCE



Re: lxde

2015-08-14 Thread ludovic coues
2015-08-14 18:03 GMT+02:00 Joseph Oficre seran...@gmail.com:
 Hello, friends.
 Can someone tell me why there is no lxde (lxqt) or some of the lxde stuff
 like lxappearance and lxpanel in OpenBSD?
 Is the shitty code the only reason?


lxde is the kind of package you would find in ports. I haven't found
it so I'll assume nobody showed enough interest to create a package
for it.

If you want to help, you can have a look at the FAQ [1]

[1] http://www.openbsd.org/faq/faq15.html#NoPort

-- 

Regards, Coues Ludovic
+336 148 743 42



Re: securing web browser

2015-08-14 Thread Andrew
On 8/14/15, Frank White mediome...@gmail.com wrote:
 Hi, does anyone have any advice on making a browser like firefox more secure?
 chroot + systrace ?

This previous thread is one solution. Plus read a subsequent thread
on pdf viewers.

http://marc.info/?l=openbsd-misc&m=142676615612510&w=2



securing web browser

2015-08-14 Thread Frank White
Hi, does anyone have any advice on making a browser like firefox more secure?
chroot + systrace ?



Thank you.



Re: Various ACPI problems on various IBM hardware

2015-08-14 Thread Alexey Suslikov
Frederic URBAN frederic.urban at ircad.fr writes:

 We have some ACPI problems with various IBM server X. Since it's a very 
 early panic when the kernel boots there is no access to ddb to print the 
 trace. You are prompted to press any key to reboot :) It has been 
 verified on IBM Server x3650 M1, M2 and M3. We are using OpenBSD 5.7, 
 this panic happens with bsd.rd and bsd.mp

You really need to try more -current OpenBSD version. Use a
snapshot for that.

If you still can't boot OpenBSD, please find a way to get
acpidump (from other OS for instance), get screen capture
of OpenBSD kernel stopped booting then submit these to bugs@.



Re: lxde

2015-08-14 Thread Richard Thornton
In the spirit of George Box, all code is shitty, but some is ok.

Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.
  Original Message  
From: Joseph Oficre
Sent: Friday, August 14, 2015 12:05 PM
To: OpenBSD misc
Subject: lxde

Hello, friends.
Can someone tell me why there is no lxde (lxqt) or some of the lxde stuff
like lxappearance and lxpanel in OpenBSD?
Is the shitty code the only reason?



Re: Setting a git http server with httpd(8): directions needed

2015-08-14 Thread Alessandro DE LAURENZIS
Hello again,

On Fri 14/08/2015 11:51, Alessandro DE LAURENZIS wrote:
 Dear misc@ readers,
 
 I'm trying to set up a git server with HTTP as transfer protocol, using
 httpd(8) in base; considering that info on the net is very sparse
 when apache isn't the subject and that I'm completely a newbie of this
 matter, it isn't difficult to understand that I'm a bit lost...
[...]
 The first thing that comes to my mind is: I know that I should set the
 two environmental variables GIT_PROJECT_ROOT (to /git I suppose) and
 GIT_HTTP_EXPORT_ALL, but I don't know how to export them to the CGI
 script...

So, if I understand correctly, I need something equivalent to the
fastcgi_param setting in nginx:

location ~ /git(/.*) {
    fastcgi_pass  localhost:9001;
    include       fastcgi_params;
    fastcgi_param SCRIPT_FILENAME     /usr/lib/git-core/git-http-backend;
    fastcgi_param GIT_HTTP_EXPORT_ALL "";
    fastcgi_param GIT_PROJECT_ROOT    /srv/git;
    fastcgi_param PATH_INFO           $1;
}

but I'm afraid that httpd(8) doesn't support that... Could anybody
confirm and/or suggest a possible workaround?

I tried to make a sh wrapper around git-http-backend:

location /git/* {
    authenticate with /git/.htaccess
    fastcgi socket /run/slowcgi.sock
    root /git/git-http-backend-wrapper
}

# cat /var/www/git/git-http-backend-wrapper
#!/bin/sh

GIT_PROJECT_ROOT=/git GIT_HTTP_EXPORT_ALL= /cgi-bin/git-http-backend


(of course I copied /bin/sh in /var/www/bin), but it doesn't seem to work...

Thanks in advance for any hints

-- 
Alessandro DE LAURENZIS
[mailto:just22@gmail.com]
LinkedIn: http://it.linkedin.com/in/delaurenzis



lxde

2015-08-14 Thread Joseph Oficre
Hello, friends.
Can someone tell me why there is no lxde (lxqt) or some of the lxde stuff
like lxappearance and lxpanel in OpenBSD?
Is the shitty code the only reason?



Re: Setting a git http server with httpd(8): directions needed

2015-08-14 Thread Alessandro DE LAURENZIS
Hello Stefan,

On Fri 14/08/2015 12:19, Stefan Sperling wrote:
 This is not a static binary. So to use it in chroot you have to copy
 shared libraries it needs into chroot as well. Did you already do that?
 
 $ ldd /usr/local/libexec/git/git-http-backend
 /usr/local/libexec/git/git-http-backend:
   Start        End          Type Open Ref GrpRef Name
   0c677840     0c67788e9000 exe  1    0   0      /usr/local/libexec/git/git-http-backend
   0c6a29525000 0c6a2993a000 rlib 0    1   0      /usr/lib/libz.so.5.0
   0c6a59762000 0c6a59c6     rlib 0    2   0      /usr/local/lib/libiconv.so.6.0
   0c69cd452000 0c69cd85c000 rlib 0    1   0      /usr/local/lib/libintl.so.6.0
   0c69aeac4000 0c69af095000 rlib 0    1   0      /usr/lib/libcrypto.so.34.0
   0c6a60818000 0c6a60c2a000 rlib 0    2   0      /usr/lib/libpthread.so.19.0
   0c69c28b9000 0c69c2d93000 rlib 0    1   0      /usr/lib/libc.so.80.1
   0c6a1ad0     0c6a1ad0     rtld 0    1   0      /usr/libexec/ld.so

Now they are copied; I think it should be ok:

- before:
# chroot -g daemon -u www /var/www /git/git-http-backend
Abort trap 

- now:
# chroot -g daemon -u www /var/www /git/git-http-backend
Status: 500 Internal Server Error
Expires: Fri, 01 Jan 1980 00:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, max-age=0, must-revalidate

fatal: No REQUEST_METHOD from server


But still unable to clone the repo:

┌──[just22@poseidon]-[0]-[✓]-[tmp]
└─› git clone https://atlantide.t28.net/git/dotfiles.git
Cloning into 'dotfiles'...
fatal: repository 'https://atlantide.t28.net/git/dotfiles.git/' not found

My point related to the env vars to be passed to the CGI script is still
valid, I guess...

Many thanks for your help

-- 
Alessandro DE LAURENZIS
[mailto:just22@gmail.com]
LinkedIn: http://it.linkedin.com/in/delaurenzis



Re: Setting a git http server with httpd(8): directions needed

2015-08-14 Thread Stefan Sperling
On Fri, Aug 14, 2015 at 11:51:46AM +0200, Alessandro DE LAURENZIS wrote:
 This is the content of the /var/www/git directory:

 -r-xr-xr-x   1 root  daemon  884442 Aug 14 10:23 git-http-backend

This is not a static binary. So to use it in chroot you have to copy
shared libraries it needs into chroot as well. Did you already do that?

$ ldd /usr/local/libexec/git/git-http-backend
/usr/local/libexec/git/git-http-backend:
  Start        End          Type Open Ref GrpRef Name
  0c677840     0c67788e9000 exe  1    0   0      /usr/local/libexec/git/git-http-backend
  0c6a29525000 0c6a2993a000 rlib 0    1   0      /usr/lib/libz.so.5.0
  0c6a59762000 0c6a59c6     rlib 0    2   0      /usr/local/lib/libiconv.so.6.0
  0c69cd452000 0c69cd85c000 rlib 0    1   0      /usr/local/lib/libintl.so.6.0
  0c69aeac4000 0c69af095000 rlib 0    1   0      /usr/lib/libcrypto.so.34.0
  0c6a60818000 0c6a60c2a000 rlib 0    2   0      /usr/lib/libpthread.so.19.0
  0c69c28b9000 0c69c2d93000 rlib 0    1   0      /usr/lib/libc.so.80.1
  0c6a1ad0     0c6a1ad0     rtld 0    1   0      /usr/libexec/ld.so
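
Staging the libraries that ldd lists into the chroot, and checking that none is still missing, can be scripted. The following is an added example, not part of the original message or of OpenBSD; the function names, the constructed sample ldd output and the optional source-prefix argument are assumptions made for illustration:

```shell
#!/bin/sh
# Constructed sample in the column layout of OpenBSD ldd(1): addresses are
# made up, library names are ones listed in the thread.
sample_ldd() {
cat <<'EOF'
/usr/local/libexec/git/git-http-backend:
    Start            End              Type Open Ref GrpRef Name
    00000c6778400000 00000c67788e9000 exe  1    0   0      /usr/local/libexec/git/git-http-backend
    00000c6a29525000 00000c6a2993a000 rlib 0    1   0      /usr/lib/libz.so.5.0
    00000c6a59762000 00000c6a59c60000 rlib 0    2   0      /usr/local/lib/libiconv.so.6.0
    00000c69c28b9000 00000c69c2d93000 rlib 0    1   0      /usr/lib/libc.so.80.1
    00000c6a1ad00000 00000c6a1ad00000 rtld 0    1   0      /usr/libexec/ld.so
EOF
}

# Read ldd output on stdin; print every file the dynamic linker must find at
# run time: shared libraries (rlib) and the run-time linker itself (rtld).
needed_files() {
    awk '$3 == "rlib" || $3 == "rtld" { print $NF }'
}

# Read ldd output on stdin; print needed files that are absent under the
# chroot directory $1. Empty output means nothing is missing.
missing_in_chroot() {
    needed_files | while read -r f; do
        [ -e "$1$f" ] || printf '%s\n' "$f"
    done
}

# Read ldd output on stdin; copy each needed file to the same path under the
# chroot $1. $2 is a hypothetical source prefix (empty on a live system) so
# the copy can be rehearsed against a staging tree.
stage_into_chroot() {
    needed_files | while read -r f; do
        mkdir -p "$1$(dirname "$f")" || exit 1
        cp -p "${2:-}$f" "$1$f" || exit 1
    done
}

# On the server from the thread (run as root):
#   ldd /usr/local/libexec/git/git-http-backend | stage_into_chroot /var/www
#   ldd /usr/local/libexec/git/git-http-backend | missing_in_chroot /var/www
```

Libraries copied into the chroot are not replaced when the base system or packages are upgraded, so the staging step has to be repeated after each upgrade.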



Setting a git http server with httpd(8): directions needed

2015-08-14 Thread Alessandro DE LAURENZIS
Dear misc@ readers,

I'm trying to set up a git server with HTTP as transfer protocol, using
httpd(8) in base; considering that info on the net is very sparse
when apache isn't the subject and that I'm completely a newbie of this
matter, it isn't difficult to understand that I'm a bit lost...

First things first, this is what I would like to achieve:

- the bare repositories should be located at /var/www/git, so they
  should be accessible in the chroot-ed environment;

- the access to the repos for cloning and pushing should be protected by
  a userID/passwd mechanism.

I ended up with the following httpd config:

# cat /etc/httpd.conf
# $OpenBSD: httpd.conf,v 1.14 2015/02/04 08:39:35 florian Exp $

#
# Macros
#
ext_addr="*"

#
# Global Options
#
prefork 3

#
# Servers
#

# A minimal (secure) server
server atlantide.t28.net {
    listen on $ext_addr tls port 443
    tls {
        certificate /etc/ssl/https.crt
        key /etc/ssl/private/https.key
    }
    root /htdocs/atlantide.t28.net

    location /restricted/* {
        directory auto index
        authenticate with /htdocs/atlantide.t28.net/restricted/.htaccess
    }
    location /git {
        authenticate with /git/.htaccess
        fastcgi socket /run/slowcgi.sock
        root /git/git-http-backend
    }
}


This is the content of the /var/www/git directory:

# ls -la /var/www/git
total 1776
drwxr-xr-x   3 www   daemon 512 Aug 14 11:34 .
drwxr-xr-x  10 root  daemon 512 Aug 14 10:14 ..
-rw---   1 www   daemon  68 Aug 14 10:21 .htaccess
drwxr-xr-x   7 www   daemon 512 Aug 14 10:17 dotfiles.git
-r-xr-xr-x   1 root  daemon  884442 Aug 14 10:23 git-http-backend

(where .htaccess contains the users' credentials and git-http-backend is
a copy of /usr/local/libexec/git/git-http-backend).

slowcgi is running, too:

# ls -la /var/www/run/slowcgi.sock
srw-rw  1 www  www  0 Aug 14 10:12 /var/www/run/slowcgi.sock

If I point my browser to https://atlantide.t28.net/git, I'm asked for my
credentials, so the authentication method is working properly.

But if I try to access the dotfiles.git repository from a remote git
client, I obtain:

┌──[just22@poseidon]-[0]-[✓]-[tmp]
└─› git clone https://atlantide.t28.net/git/dotfiles.git
Cloning into 'dotfiles'...
fatal: repository 'https://atlantide.t28.net/git/dotfiles.git/' not found

Now, for sure a lot of things are still missing in this configuration,
but again: I definitely need some help here.

The first thing that comes to my mind is: I know that I should set the
two environmental variables GIT_PROJECT_ROOT (to /git I suppose) and
GIT_HTTP_EXPORT_ALL, but I don't know how to export them to the CGI
script...

Any additional hints (and of course, any corrections) are welcome, of
course.

Thanks in advance

--
Alessandro DE LAURENZIS
[mailto:just22@gmail.com]
LinkedIn: http://it.linkedin.com/in/delaurenzis



Various ACPI problems on various IBM hardware

2015-08-14 Thread Frederic URBAN
Hello,

We have some ACPI problems with various IBM server X. Since it's a very 
early panic when the kernel boots there is no access to ddb to print the 
trace. You are prompted to press any key to reboot :) It has been 
verified on IBM Server x3650 M1, M2 and M3. We are using OpenBSD 5.7, 
this panic happens with bsd.rd and bsd.mp

The system is usable when I disable acpi when booting on RAMDISK_CD and 
after the installation on GENERIC.MP

I can provide a screenshot of the KVM over LAN if you guys want. Like 
we did in the past (Adding support of Intel 82576 on em(4)), I also can 
provide you a remote access to both oldest machines (a Server x3650 M1 
and a Server x3650 M2) with serial cable to help you to fix this. We are 
big users of OpenBSD on various systems (Dell, HP) for the first time I 
need to install a firewall on IBM hardware so if we can help, I'm ready 
to setup a lab for you.

Frédéric.
-- 
Frédéric URBAN
Network Engineer

frederic.ur...@ircad.fr
Tel.: +33 (0)3 88 119 038
IRCAD France
http://www.ircad.fr/

Follow IRCAD on Facebook 
http://www.facebook.com/pages/IRCAD/193785273990141

*IRCAD France*
Hôpitaux Universitaires - 1, place de l'Hôpital - 67091 Strasbourg Cedex - FRANCE