Re: Printing problem

2019-01-25 Thread Radek
Thank you Stuart.
If I use /usr/local/bin/lpr printing works as expected.

$ grep Kyocera /etc/xpdfrc 
psFile  "|/usr/local/bin/lpr -P Kyocera_Mita_FS-6020"



On Wed, 23 Jan 2019 14:33:15 - (UTC)
Stuart Henderson  wrote:

> On 2019-01-23, Radek  wrote:
> > Hello, 
> >
> > I can print from LibreOffice without any problems, but I canNOT print from 
> > textproc/xpdf 
> >
> > If I print from textproc/xpdf (command: /usr/bin/lpr -P 
> > Kyocera_Mita_FS-6020) I get error:
> > lpr: connect: No such file or directory
> > jobs queued, but cannot start daemon.
> 
> /usr/bin/lpr is lpr from the base OS. Since you are using CUPS you need
> to use /usr/local/bin/lpr instead, you can either set this in xpdf (e.g.
> /etc/xpdfrc), or you could adjust your PATH so that /usr/local/bin comes
> before /usr/bin.
> >
> 


-- 
radek



Re: OpenSMTPD… how do I do these things, or do I just use postfix?

2019-01-25 Thread Gilles Chehade
On Fri, Jan 25, 2019 at 11:15:47PM +1000, Stuart Longland wrote:
> Hi all,
> 
> I've got a few silly questions regarding OpenSMTPD… I'd ask on the
> opensmtpd misc mailing list, but my subscribe requests keep bouncing
> after a few days.  Since I'm running OpenSMTPD on OpenBSD, I figure
> they're on-topic here too.
> 

I can probably help with this ;-)


> [...]
>
> First and foremost is the issue of backscatter-prevention.  I would like
> OpenSMTPD to validate the addresses passed to it before accepting them
> for relay to my primary MX.  In Postfix I can put
> 
>   relay_recipient_maps = hash:/etc/postfix/valid_recipients
> 
> into /etc/postfix/main.cf and fill that valid_recipients file with
> 
>   f...@example.com x
>   b...@example.comx
> 
> I can come up with a full list -- no problem, but the question is how do
> I encode this list into the configuration of OpenSMTPD so that if the
> list contained f...@example.com and b...@example.com, but someone tries
> sending to foo...@example.com, that RCPT TO request is rejected before
> the email delivery begins.
> 

How you do it depends on which version you are running.

before 6.4:

  accept [...] recipient <table> [...]


after 6.4:

  match [..] rcpt-to <table> [...]


where table is a table containing a list of recipient addresses for that
rule to match.


> Second is about how to define custom mail transports.  Rather than using
> SMTP/SSL like I am now, I'd like the emails destined for relay to my
> server, to be encrypted using a RSA key, (well, AES, then RSA encrypt
> the AES key) then either:
> - scp'd to a special spool directory on my Linux server… OR if it
> happens to be down,
> - placed in a special directory on the VPS for my server to later siphon
> down using `rsync --remove-source-files` over SSH.  (Basically, a bit
> like UUCP.)
>

no custom mail transports in smtpd.

a way to achieve what you want is to write a custom mda, and this is
actually how i did it to achieve a use-case similar to yours in the
past.


-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg
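A worked configuration for the recipient-table check Gilles describes, written as an added example for this thread rather than anything posted in it. The `table`, `action`, and `match ... rcpt-to <table>` grammar is the OpenBSD 6.4 smtpd.conf(5) grammar; the hostnames, certificate paths, table file and action names are assumptions. Because smtpd evaluates the ruleset at RCPT TO, an address that is not in the table is refused with a 550 before any DATA is accepted, which is exactly the backscatter prevention the question asks for.

```conf
# /etc/mail/smtpd.conf on the backup MX (OpenBSD 6.4 syntax)
# Added example; mx1/mx2 hostnames, paths and action names are assumptions.

# One bare address per line, e.g. foo@example.com (the list Stuart already has)
table valid_recipients file:/etc/mail/valid_recipients

pki mx2.example.com cert "/etc/ssl/mx2.example.com.crt"
pki mx2.example.com key  "/etc/ssl/private/mx2.example.com.key"
listen on egress tls pki mx2.example.com

# Hand accepted mail to the primary MX over TLS
action "to_primary" relay host smtp+tls://mx1.example.com

# Only recipients listed in the table are accepted for the domain.
match from any for domain "example.com" rcpt-to <valid_recipients> action "to_primary"

# Everything else for the domain is refused at RCPT TO. smtpd already does this
# implicitly when no rule matches; spelling it out keeps the intent visible.
match from any for domain "example.com" reject
```

Reload with `smtpd -n` to syntax-check and `rcctl restart smtpd`; a quick `echo 'rcpt to:<nosuchuser@example.com>'`-style session over `nc` against port 25 should show the 550 before any DATA is accepted. The pre-6.4 equivalent uses the same table with `accept ... recipient <valid_recipients>` in place of the `match` rule, as Gilles notes above.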



Re: Is a commercial wireless router a security risk if it is behind an OpenBSD router with pf?

2019-01-25 Thread Stefan Sperling
On Fri, Jan 25, 2019 at 08:14:43AM +0100, Florian Weber wrote:
> Good morning 
> 
> Why don’t you add https://www.pcengines.ch/wle200nx.htm

Our athn(4) driver is incomplete and only provides basic performance.
This driver still needs a lot of work to get it operating at full
capacity offered by ath9k devices. However, it runs without firmware and
support is expected to slowly improve over time. My own AP uses this device.

For now, a device supported by bwfm(4) is an option where 11ac performance
is required, such as https://wikidevi.com/wiki/Broadcom_BCM94350ZAE
These devices run closed-source firmware which contains an entire 802.11ac
stack. The OpenBSD driver can drive them in hostap mode so they will appear
as a regular wifi interface. All 802.11ac capabilities are enabled but
OpenBSD's ifconfig is not yet able to display or configure such capabilities. 
This is being worked on.

This isn't a perfect solution either, but at least avoids much of the easy
attack surface of a standard wifi AP plastic box. E.g. there's no Web UI
that could be targeted. Firmware-level exploits are still a concern, but
that is true for any 802.11ac device. At least I am not aware of any
802.11ac devices which do not require closed-source firmware.

You will need an M.2-to-miniPCIe adapter board to fit a bwfm(4) card into
an APU, and you will need very very tiny pigtails to plug the antennas,
which are a pain to get plugged (took me an hour). But then it should work.



Re: Is a commercial wireless router a security risk if it is behind an OpenBSD router with pf?

2019-01-25 Thread David Higgs
On Fri, Jan 25, 2019 at 7:59 AM Peter N. M. Hansteen 
wrote:

> On 1/24/19 11:55 PM, John Page wrote:
>

> > I decided on installing OpenBSD 6.4 on a PC Engines apu4. I
> > had previously been using an Asus RT-86U as both my router and wireless
> > access point.
>
> OpenBSD's newer-wifi protocol support unfortunately lags what is
> available in various commercial products.
>
> For that reason, in similar environments to what you describe I've tried
> to get hold of APs with good radios and support for all the protocol
> variants, then disabled all functionality on the access points
> themselves other than the access point functionality, in some cases down
> to even letting the things get the IP address for their Ethernet
> interface from the OpenBSD dhcpd.
>
> With 'dumb' access points little more than Ethernet interfaces
> themselves, you get to control how things work from the sane OpenBSD
> environment.
>

I second this approach as working quite well, and is almost as easy to
manage as HostAP from within OpenBSD.  I have my commercial AP configured
to bridge each SSID/network onto a different VLAN.  My OpenBSD router can
then process each VLAN in a way appropriate to their purpose (family,
guests, streaming appliances, etc).

--david
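The "dumb AP bridges each SSID to its own VLAN, the OpenBSD router decides policy" setup described above, as an added example that is not from this thread or from either poster. Interface names, VLAN IDs, address ranges and which SSID maps to which VLAN are assumptions; the pf(4) and hostname.if(5) syntax is standard OpenBSD.

```conf
# /etc/hostname.em1  : tagged trunk to the AP; the parent carries no address
up

# /etc/hostname.vlan10 (family SSID), vlan20 (guest), vlan30 (streaming/IoT)
# 6.4 syntax; newer releases also accept "vnetid 10 parent em1"
inet 192.168.10.1 255.255.255.0 NONE vlan 10 vlandev em1 description family
inet 192.168.20.1 255.255.255.0 NONE vlan 20 vlandev em1 description guest
inet 192.168.30.1 255.255.255.0 NONE vlan 30 vlandev em1 description iot

# /etc/pf.conf (fragment) -- remember that the last matching rule wins
family = "vlan10"
guest  = "vlan20"
iot    = "vlan30"
table <private> const { 10/8, 172.16/12, 192.168/16 }

set skip on lo
block log all
pass out                      # policy is enforced on the inbound side

# Family may go anywhere, including into the IoT VLAN to manage devices.
pass in on $family inet from $family:network

# Guest and IoT may only reach the internet: no lateral movement to family,
# to each other, or to the router beyond the services allowed below.
pass in on $guest inet from $guest:network to ! <private>
pass in on $iot   inet from $iot:network   to ! <private>

# Every VLAN gets DHCP and DNS from this box (later rule, so it wins).
pass in on { $family $guest $iot } inet proto udp to any port { 67 53 }
pass in on { $family $guest $iot } inet proto tcp to any port 53

# NAT the RFC 1918 VLANs out the egress interface
match out on egress inet from <private> nat-to (egress)
```

Check the policy before trusting it: `pfctl -nf /etc/pf.conf` for syntax, then from a guest-SSID client try `ping 192.168.10.1` (should fail) and a lookup against 192.168.20.1 (should succeed), and watch `tcpdump -n -e -ttt -i pflog0` on the router for the `block log` hits.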


OpenSMTPD… how do I do these things, or do I just use postfix?

2019-01-25 Thread Stuart Longland
Hi all,

I've got a few silly questions regarding OpenSMTPD… I'd ask on the
opensmtpd misc mailing list, but my subscribe requests keep bouncing
after a few days.  Since I'm running OpenSMTPD on OpenBSD, I figure
they're on-topic here too.

I have two servers (actually more than that, but two that are relevant
to this discussion).  One is a Gentoo Linux machine with Postfix, which
acts as my primary MX.  I keep it up to date, it's been a good
workhorse, and provided many years of service.  No reason to change it
at this stage.

I have a VPS with a hosting provider (BinaryLane in Brisbane; they're
OpenStack/Xen-based), which runs OpenBSD 6.4.  I primarily use this
machine as a slave DNS server (with nsd).  I figure it'd be a nice idea
to use this machine as a backup MX.

Right now, OpenSMTPD is running there, and whilst it is not publicly
listening for SMTP traffic, it is configured to forward all *local* mail
to my primary MX (where it has a virtual domain configured) so I can
receive messages from `cron`, etc.

Aside from some hiccups with TLS verification which I worked around by
adding my custom CA to /etc/ssl/cert.pem, it all went smoothly.  (I'd
prefer to have OpenSMTPD verify my home server's certificate against a
*specific* CA key, but at least it's working.)

First and foremost is the issue of backscatter-prevention.  I would like
OpenSMTPD to validate the addresses passed to it before accepting them
for relay to my primary MX.  In Postfix I can put

  relay_recipient_maps = hash:/etc/postfix/valid_recipients

into /etc/postfix/main.cf and fill that valid_recipients file with

f...@example.com x
b...@example.com x

I can come up with a full list -- no problem, but the question is how do
I encode this list into the configuration of OpenSMTPD so that if the
list contained f...@example.com and b...@example.com, but someone tries
sending to foo...@example.com, that RCPT TO request is rejected before
the email delivery begins.

Second is about how to define custom mail transports.  Rather than using
SMTP/SSL like I am now, I'd like the emails destined for relay to my
server, to be encrypted using a RSA key, (well, AES, then RSA encrypt
the AES key) then either:
- scp'd to a special spool directory on my Linux server… OR if it
happens to be down,
- placed in a special directory on the VPS for my server to later siphon
down using `rsync --remove-source-files` over SSH.  (Basically, a bit
like UUCP.)

The idea here is two-fold:
1. if someone gets even `root` access to the VPS (or mirrors the disk,
etc)… there's no copy of the private key needed to decrypt the files --
that is safely stored on my home server.
2. if say the NBN roll-out in my patch of Brisbane gets royally screwed
and I lose my static IPv4 address, I can make this server my primary MX
and have the old server just "poll" for new messages. (Outbound delivery
of mail will be a separate issue.)

Again, in Postfix I'd define a script to do the encryption/scp/etc in
/etc/postfix/master.cf, then set up transport_maps to direct the mail
there.  Would the equivalent in OpenSMTPD be `mda` or is there some
other method?
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.
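A sketch of the custom MDA route Gilles points to, as an added example rather than code from this thread or from OpenSMTPD. It implements the hybrid scheme Stuart describes (fresh AES data key per message, that key wrapped with the home server's RSA public key) and adds what a practitioner would want on top of it: an HMAC over the ciphertext, because `openssl enc` offers no authenticated mode, and an atomic rename into the spool so a concurrent `rsync --remove-source-files` never pulls a half-written message. The script name, the `_encspool` user, the key and spool paths, and the smtpd.conf action shown in the header are assumptions; only the RSA public key needs to exist on the VPS.

```sh
#!/bin/sh
# encrypt-spool: hypothetical custom MDA for OpenSMTPD (added example, not
# from this thread). Wire it in with an action along the lines of
#   action "encrypt_spool" mda "/usr/local/libexec/encrypt-spool encrypt" user _encspool
# smtpd hands the message on stdin. Only the RSA *public* key lives on the
# VPS, so root on the VPS or a disk image yields ciphertext only.
set -eu

PUBKEY=${ENCRYPT_SPOOL_PUBKEY:-/etc/mail/home-mx.pub.pem}   # assumed path
SPOOL=${ENCRYPT_SPOOL_DIR:-/var/spool/encrypted-mail}        # assumed path

# encrypt_message PUBKEY SPOOLDIR   (message on stdin; prints the message dir name)
# AES-256-CBC for the body, HMAC-SHA256 over the ciphertext (encrypt-then-MAC),
# and "key:iv:mackey" wrapped with RSA-OAEP.
encrypt_message() {
    pub=$1
    spool=$2
    umask 077
    tmp=$(mktemp -d "$spool/.tmp.XXXXXX")
    trap 'rm -rf "$tmp"' EXIT
    key=$(openssl rand -hex 32)      # AES-256 data key
    iv=$(openssl rand -hex 16)       # CBC IV
    mac=$(openssl rand -hex 32)      # HMAC key, independent of the data key
    openssl enc -aes-256-cbc -K "$key" -iv "$iv" -out "$tmp/body.enc"
    openssl dgst -sha256 -mac HMAC -macopt "hexkey:$mac" "$tmp/body.enc" \
        | awk '{print $NF}' > "$tmp/body.mac"
    printf '%s:%s:%s' "$key" "$iv" "$mac" \
        | openssl pkeyutl -encrypt -pubin -inkey "$pub" \
            -pkeyopt rsa_padding_mode:oaep -out "$tmp/key.enc"
    # Rename into place only once all three files exist: a directory rename on
    # the same filesystem is atomic, so an rsync pull never sees a partial message.
    name=$(date +%Y%m%d%H%M%S).$$.$(openssl rand -hex 4)
    mv "$tmp" "$spool/$name"
    trap - EXIT
    echo "$name"
}

# decrypt_message PRIVKEY MSGDIR   (home-server side; plaintext on stdout)
# Refuses to decrypt if the ciphertext does not match its MAC.
decrypt_message() {
    priv=$1
    dir=$2
    secrets=$(openssl pkeyutl -decrypt -inkey "$priv" \
        -pkeyopt rsa_padding_mode:oaep -in "$dir/key.enc")
    key=${secrets%%:*}
    rest=${secrets#*:}
    iv=${rest%%:*}
    mac=${rest#*:}
    expect=$(openssl dgst -sha256 -mac HMAC -macopt "hexkey:$mac" "$dir/body.enc" \
        | awk '{print $NF}')
    if [ "$expect" != "$(cat "$dir/body.mac")" ]; then
        echo "encrypt-spool: MAC mismatch in $dir, refusing to decrypt" >&2
        return 1
    fi
    openssl enc -d -aes-256-cbc -K "$key" -iv "$iv" -in "$dir/body.enc"
}

case ${1:-} in
    encrypt) encrypt_message "$PUBKEY" "$SPOOL" ;;
    decrypt) decrypt_message "$2" "$3" ;;
    *) ;;
esac
```

On the home server, `rsync --remove-source-files` (or the scp push) delivers whole message directories, and `encrypt-spool decrypt /path/to/home-mx.key /spool/NAME | sendmail -t` or a local injection into Postfix finishes delivery. Generate the pair with `openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048` and `openssl pkey -pubout`, and copy only the public half to the VPS.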



Re: Is a commercial wireless router a security risk if it is behind an OpenBSD router with pf?

2019-01-25 Thread Peter N. M. Hansteen
On 1/24/19 11:55 PM, John Page wrote:

> This is my first attempt at a router. Liberally borrowing from tutorials
> and reading Absolute OpenBSD, 2nd Edition and Building Linux and OpenBSD
> Firewalls, 

The last title there predates PF, but if I remember correctly the
general discussion of firewalls and related network trickery is quite
good. Only do not copy the examples and expect to have them work without
extensive modification on any modern operating system.

> I decided on installing OpenBSD 6.4 on a PC Engines apu4. I
> had previously been using an Asus RT-86U as both my router and wireless
> access point. 

OpenBSD's newer-wifi protocol support unfortunately lags what is
available in various commercial products.

For that reason, in similar environments to what you describe I've tried
to get hold of APs with good radios and support for all the protocol
variants, then disabled all functionality on the access points
themselves other than the access point functionality, in some cases down
to even letting the things get the IP address for their Ethernet
interface from the OpenBSD dhcpd.

With 'dumb' access points little more than Ethernet interfaces
themselves, you get to control how things work from the sane OpenBSD
environment.

Examples closely matching this are in the tutorials and the book they
reference :)

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.




Re: i386 release build machines

2019-01-25 Thread Stuart Henderson
On 2019-01-24, Luis Coronado  wrote:
> What machines (brand/model/specs) do you guys
> use to create the releases/snapshots for i386? I am curious to find out if
> possible as I would think that the bigger boxes out there even though could
> have more than 4G of RAM the extra would go unused.
>
> I recently got a few old 32 bit servers and thought about building my own
> snapshots just because is cool to do that. Not that matters exactly what
> the project uses but I am sure you guys expect to have a build ready in a
> reasonable time.
>
> Thanks
>
> -luis
>

Brand/model/etc is not really relevant (not super new but not dinosaurs) -
but they are real machines not VMs and yes the extra RAM does go unused.

FWIW when I do a cvs up, full base build and 'make release' on i386 it
takes a bit over 3h, and a package bulk build (which uses 3 machines) it
takes a little under 40h.




Setting custom fib-priority on certain bgpd received routes

2019-01-25 Thread openbsd
Hello,

I am running bgpd and ospfd which redistribute routes between them.
Bgpd labels routes with rtlabels which ospfd picks up (redistribute
rtlabel). Bgpd announces the ospfd generated routes via fixed
"network " statements.

Now to my problem. As my sites are multiaccess and ospf is full mesh
of all routers in the site I get multiple routes to the same external
destination from all the BGP border routers. All fine and well except
for the default priority of 48 (in bgpd) and 32 (in ospfd). So,
traffic originating on a bgp border router is not sent externally at
once but forwarded to the best ospf router before being sent
externally.

I tried setting the fib-priority in bgpd to <32 and that solves this
problem but introduces another. The traffic that has an internal
destination (i.e. anycast resolvers) is punted externally if generated
on the border routers.

Suggestions on how to solve this with ospfd and bgpd?
Setting a custom fib priority on certain bgp learned routes? (possible?)
Ditching one of the protocols entirely?