Re: Reboot and re-link
> > Hit me with straight answers and no "bs wrap-around". > > Upgrade to a snapshot using bsd.rd, and use sysupgrade from now on. -- chs
Re: Transparent 301-to-https redirection with relayd
open...@phbits.com writes:
> Try this for relayd.conf
>
> table { 127.0.0.1 }
>
> http protocol httpfilter {
>     return error
>     match request header "Host" value "www.openbsd.org" tag "HOST_OK"
>     block request
>     pass tagged "HOST_OK"
> }

That blocks every host not in the list, whereas I want to pass every unlisted host through unmolested.

-- 
Anthony J. Bentley
Fwd: howto verify keydisk backup
Forwarded Message
Subject: Re: howto verify keydisk backup
Date: Wed, 19 Jun 2019 09:23:53 +0100
From: shadrock uhuru
To: noah pugsley

On 6/19/19 5:25 AM, noah pugsley wrote:
> On Tue, Jun 18, 2019 at 5:37 PM shadrock uhuru wrote:
>> hi everyone
>> my keydisk is on a compactflash sandisk ultra 2 card,
>> which was created during disk encryption
>>
>> doas disklabel sd1
>> # /dev/rsd1c:
>> type: SCSI
>> disk: SCSI disk
>> label: USB CARD READER
>> duid: ea53e532b5ae2a0f
>> flags:
>> bytes/sector: 512
>> sectors/track: 63
>> tracks/cylinder: 255
>> sectors/cylinder: 16065
>> cylinders: 31
>> total sectors: 501760
>> boundstart: 64
>> boundend: 498015
>> drivedata: 0
>>
>> 16 partitions:
>> #                size           offset  fstype [fsize bsize   cpg]
>>   a:            16001               64    RAID
>>   c:           501760                0  unused
>>
>>
>> i boot my laptop (samsung np300e5A) with this connected to a card
>> reader connected to a usb port and i'm able to boot without a problem
>>
>> I HAVE A cruzer memory stick to use as a BACKUP keydisk
>>
>> doas disklabel sd3
>> # /dev/rsd3c:
>> type: SCSI
>> disk: SCSI disk
>> label: Cruzer Fit
>> duid: 7fe58412fc668f9e
>> flags:
>> bytes/sector: 512
>> sectors/track: 63
>> tracks/cylinder: 255
>> sectors/cylinder: 16065
>> cylinders: 972
>> total sectors: 15630336
>> boundstart: 64
>> boundend: 15615180
>> drivedata: 0
>>
>> 16 partitions:
>> #                size           offset  fstype [fsize bsize   cpg]
>>   a:            16001               64    RAID
>>   c:         15630336                0  unused
>>
>> using the backup instruction on the openbsd faq i create an image of the
>> keydisk
>>
>> dd bs=8192 skip=1 if=/dev/rsd1a of=backup-keydisk.img
>>
>> 999+1 records in
>> 999+1 records out
>> 8184320 bytes transferred in 2.251 secs (3634754 bytes/sec)
>>
>> i restore the image to the backup usb memory stick using
>>
>> dd bs=8192 seek=1 if=backup-keydisk.img of=/dev/rsd3a
>>
>> 999+1 records in
>> 999+1 records out
>> 8184320 bytes transferred in 1.744 secs (4690370 bytes/sec)
>>
> I might be speaking out of turn here, but I'm pretty sure you want to
> dd rsdXc, that images the entire disk, not just the a partition.

i don't think that would work, the two memory sticks are different sizes
with the compactflash being 256mb and the cruzer being 8gb, if i am wrong
let me know, this is why i dd the partition with the keydisk data on.

shadrock

>> when i try to boot off the backup usb memory stick i get
>> using drive 0 partition 3
>> no os
>>
>> i tried to verify the keydisk image with diff using
>>
>> doas diff /dev/rsd1a backup-keydisk.img
>> Binary files /dev/rsd1a and backup-keydisk.img differ
>> ---
>>
>> is there a problem with the hardware combination of usb sticks i use for
>> keydisk backup
>> or the commands i use especially the diff command to try and verify the
>> image file ?
>>
>> shadrock
>>
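An added example, not part of the thread and not the FAQ's own procedure: a small sh script that checks a keydisk image, and a restored copy, made the way the commands above make them. Note first that the sizes in the message are consistent: partition a is 16001 sectors of 512 bytes, 8192512 bytes, and the image is 8184320 bytes, exactly 8192 bytes less, which is the one block that skip=1 leaves out. A diff of the whole of /dev/rsd1a against that image therefore always reports a difference, good copy or not, because the image starts 8192 bytes into the partition; the functions below skip the same 8192 bytes on the device side before comparing. Device and file names are the ones from the thread and stand in for whatever disklabel(8) shows.

```sh
#!/bin/sh
# Added example, not from the thread. Checks a softraid keydisk backup made
# the way the thread does it: "dd bs=8192 skip=1" when imaging the key
# partition and "dd bs=8192 seek=1" when restoring it. Device names such as
# /dev/rsd1a are placeholders for whatever disklabel(8) shows on your box.

# partition_tail DEV
# Writes DEV from byte 8192 onwards to stdout: exactly the bytes that
# "dd bs=8192 skip=1 if=DEV" put into the image.
partition_tail() {
    dd if="$1" bs=8192 skip=1 2>/dev/null
}

# verify_image DEV IMG
# Returns 0 if IMG equals DEV from byte 8192 onwards, 1 otherwise. Comparing
# the whole device against IMG (diff /dev/rsd1a backup-keydisk.img) always
# reports a difference, because IMG starts 8192 bytes into the partition.
verify_image() {
    partition_tail "$1" | cmp -s - "$2"
}

# verify_restore SRC DST
# Returns 0 if DST holds the same bytes as SRC from byte 8192 onwards, 1
# otherwise. Only as many bytes as SRC's tail has are read from DST, so a
# backup partition that is larger than the original still verifies.
verify_restore() {
    tmp=$(mktemp) || return 2
    partition_tail "$1" > "$tmp"
    size=$(wc -c < "$tmp" | tr -d ' ')
    partition_tail "$2" | dd bs=1 count="$size" 2>/dev/null | cmp -s - "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage from the command line (as root; raw devices are not world-readable):
#   sh verify-keydisk.sh /dev/rsd1a backup-keydisk.img   # image vs. source
#   sh verify-keydisk.sh /dev/rsd1a /dev/rsd3a           # source vs. restored copy
if [ $# -eq 2 ]; then
    case $2 in
        /dev/*) verify_restore "$1" "$2" ;;
        *)      verify_image "$1" "$2" ;;
    esac && echo "$2 matches $1 from byte 8192 onwards"
fi
```

Both checks read the raw device with the same bs and skip as the backup command, so a mismatch means the bytes really differ rather than that the comparison started at the wrong offset. The restore check reads DST only up to the length of the source's tail, which is what makes a larger backup partition comparable at all.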
Re: NFS exports everything
On Wed, 19 Jun 2019, Brian Brombacher wrote:

> I am guessing /home and / are the same filesystem? See exports(5):

Yes. This must be the explanation. With -alldirs the first field must be the root of a file system and not some directory as I put there.

Thanks.

Rodrigo
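An added example, not part of the thread: a sh check that reads an exports(5) file and reports every -alldirs entry whose directory is not itself a mount point, naming the file system that actually ends up exported (here, all of /). The mount-point list is read from a file so the script runs offline; on the server itself `mount | awk '{ print $3 }'` produces it. The file names and the output format are the example's own.

```sh
#!/bin/sh
# Added example, not from the thread. Flags entries in an exports(5) file
# that use -alldirs on a directory which is not the root of a file system,
# and names the file system that gets exported instead. On the thread's
# machine /home lives on the root file system, so
# "/home/exp/nfs -alldirs ..." exports all of /.

# fs_root_of DIR MOUNTS
# Prints the mount point that contains DIR: the longest entry in MOUNTS
# (one mount point per line) that is a path prefix of DIR.
fs_root_of() {
    dir=$1
    best=
    while IFS= read -r mp; do
        [ -n "$mp" ] || continue
        case $mp in
            /) prefix=/ ;;
            *) prefix=$mp/ ;;
        esac
        case $dir/ in
            "$prefix"*) if [ ${#mp} -gt ${#best} ]; then best=$mp; fi ;;
        esac
    done < "$2"
    printf '%s\n' "$best"
}

# check_exports EXPORTS MOUNTS
# Reads an exports(5) file and, for every -alldirs line, reports each
# exported directory that is not itself a mount point. Returns 0 if nothing
# was reported, 1 otherwise.
check_exports() {
    bad=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        case " $line " in *' -alldirs '*) ;; *) continue ;; esac
        # Directories come first; the first host or -option ends the list.
        for field in $line; do
            case $field in
                /*) root=$(fs_root_of "$field" "$2")
                    if [ "$root" != "$field" ]; then
                        printf '%s: -alldirs on a non-root directory, exports all of %s\n' "$field" "$root"
                        bad=1
                    fi ;;
                *)  break ;;
            esac
        done
    done < "$1"
    return "$bad"
}

# Usage on the server (mount(8) output gives the mount point list):
#   mount | awk '{ print $3 }' > /tmp/mounts
#   sh check-exports.sh /etc/exports /tmp/mounts
if [ $# -eq 2 ]; then
    check_exports "$1" "$2"
fi
```

After editing /etc/exports, send mountd(8) a SIGHUP (or `rcctl restart mountd`) so it re-reads the file, and use `showmount -e localhost` to confirm which paths are actually being exported; that is the check that would have shown /etc being mountable here.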
NFS exports everything
I am quite sleepy, perhaps a stupid error, but annoying.

I have in /etc/exports only the following line:

/home/exp/nfs -alldirs -ro -network=10.0.0.0 -mask=255.255.255.0

I start the nfs service either with "rcctl -f start portmap mountd nfsd" or with "portmap; mountd; nfsd -u -t -n 4".

Then I can mount *any* directory in the client, for example:

mount -t nfs 10.0.0.14:/etc /mnt

I do not remember that this is normal. Is it??

Rodrigo
Reboot and re-link
Hey, long story short: reboot and re-link is not practical.

Long story:
Time to upgrade 6.4 to 6.5. If re-link been active in 6.4 (don't remember) - I never noticed it.
Installing via NOT RECOMMENDED WAY (following upgrade65.html) - scripting on steroids (ansible).
All down. Reboot. and now I get a SLOW sys - why ?! - compiling new kernel:

load averages:  3.25,  1.45,  0.60                                     up 0:04
53 processes: 1 running, 49 idle, 3 on processor
CPU0 states:  0.0% user,  0.0% nice, 21.0% sys, 63.7% spin,  0.6% intr, 14.7% idle
CPU1 states:  0.5% user,  0.0% nice, 22.3% sys, 56.2% spin,  0.0% intr, 20.9% idle
CPU2 states:  0.7% user,  0.0% nice, 71.5% sys, 19.6% spin,  0.0% intr,  8.3% idle
CPU3 states:  0.5% user,  0.0% nice,  6.3% sys, 63.3% spin,  0.0% intr, 29.9% idle
Memory: Real: 382M/792M act/tot Free: 1177M Cache: 310M Swap: 0K/1279M

  PID USERNAME PRI NICE  SIZE   RES STATE     WAIT      TIME    CPU COMMAND
51958 _snmpd    64    0  956K 3148K run/0     -         3:25 119.87% snmpd
17683 root      64    0  166M  174M onproc/2  -         3:10  99.41% ld
59133 root       2    0 1404K 4248K sleep/0   select    0:08  16.70% sshd
39714 root      18    0  908K  988K sleep/1   pause     0:05  12.55% ksh
69806 _tor       2    0   29M   41M sleep/3   kqread    0:28   8.15% tor
56629 _pflogd    4    0  744K  576K sleep/3   bpf       0:19   7.57% pflogd
92193 _iscsid    2    0  732K 1256K sleep/3   kqread    0:15   4.64% iscsid
  288 _squid     2    0   17M   14M sleep/0   kqread    0:11   4.00% squid
53448 _lldpd     2    0 2656K 3848K sleep/3   kqread    0:07   3.32% lldpd
42939 _syslogd   2    0 1108K 1692K sleep/3   kqread    0:03   1.66% syslogd
 2842 _bgpd     10    0 1172K 1896K onproc/1  -         0:03   1.46% bgpd

I don't think THIS IS OK. I'm lucky - secondary (but, if ONLY primary??)
For whatever reason, after rebooting, I got back 6.4 kernel.
(I'd like to hear some great explanation here and MORE around the )

P.S. I remember old times when you could fork and forget. OS positions itself as "an ASCII, no sh around and simple". Then why did the process to upgrade become a nightmare?! Was not like this BEFORE.
Hit me with straight answers and no "bs wrap-around".
Ye, btw, the "ansible way" been working before.

//mxb
mandoc for report writing?
Hello, Has anyone had any experience with using mandoc for report writing? I realise it may be a silly / naive question. But in recent times I've started using groff (with grefer) to write academic papers, because it's relatively easy to use for my purposes. As such, it got me wondering if mandoc is suitable for such a purpose. Regards, Paul Swanson
Re: Transparent 301-to-https redirection with relayd
Try this for relayd.conf

table { 127.0.0.1 }

http protocol httpfilter {
    return error
    match request header "Host" value "www.openbsd.org" tag "HOST_OK"
    block request
    pass tagged "HOST_OK"
}

relay "proxy" {
    listen on 127.0.0.1 port 8080
    protocol httpfilter
    forward to port 8081
}

From: owner-m...@openbsd.org on behalf of Anthony J. Bentley
Sent: Wednesday, June 19, 2019 4:19 AM
To: misc@openbsd.org
Subject: Transparent 301-to-https redirection with relayd

Hi,

I have relayd configured as a basic HTTP pass-through:

http protocol httpfilter {
    return error
}

relay "proxy" {
    listen on 127.0.0.1 port 8080
    protocol httpfilter
    forward to destination
}

I'd like to prevent certain domains from ever being accessed over
unencrypted http. So I set up httpd:

server "httpfilter" {
    listen on localhost port 8081
    block return 301 "https://$HTTP_HOST$REQUEST_URI"
}

The idea is to check the host header and if it matches my whitelist,
send it to httpd which will force a redirect to https before ever
leaving the LAN.

I don't understand relayd configuration too well. I tried this:

table { 127.0.0.1 }

http protocol httpfilter {
    return error
    match request header "Host" value "www.openbsd.org" forward to
}

relay "proxy" {
    listen on 127.0.0.1 port 8080
    protocol httpfilter
    forward to destination
    forward to port 8081
}

It seems to do what I want:

$ ftp -o - http://www.openbsd.org/ >/dev/null
Trying 129.128.5.194...
Requesting http://www.openbsd.org/
Redirected to https://www.openbsd.org/
Trying 129.128.5.194...
Requesting https://www.openbsd.org/
4033 bytes received in 0.07 seconds (57.97 KB/s)

Except that it sends every host to httpd:

$ ftp -o - http://neverssl.com/ >/dev/null
Trying 13.33.67.177...
Requesting http://neverssl.com/
Redirected to https://neverssl.com/
Trying 13.33.67.177...
Requesting https://neverssl.com/
ftp: SSL write error: name `neverssl.com' not present in server certificate

Fiddling with the config further doesn't seem to get me anywhere closer
to redirecting only whitelisted domains. I must be missing something,
but what?

-- 
Anthony J. Bentley
Re: After upgrade to 6.5: Weird Apache2 perl_module behavior
Hi Sam,

> Bug report here: https://bz.apache.org/bugzilla/show_bug.cgi?id=63516

Great! Thanks a lot for tracking this down and the suggested patch in that ticket. I'll give that a try.

Best,
Harald
Re: After upgrade to 6.5: Weird Apache2 perl_module behavior
I hit this recently too. I finally had some time to track it down and it's a use-after-free bug in Apache that looks like it's been there since at least 2016. It's only triggered if you load a non-standard module like mod_perl that inserts its own config defines into the server's global ap_server_config_defines array:

void modperl_register_hooks(apr_pool_t *p)
{
    /* for and Apache2->define("MODPERL2") */
    *(char **)apr_array_push(ap_server_config_defines) =
        apr_pstrdup(p, "MODPERL2");

Apache later clears out and frees that particular memory pool, and after that it walks the ap_server_config_defines and segfaults.

Bug report here: https://bz.apache.org/bugzilla/show_bug.cgi?id=63516

--
Sent from: http://openbsd-archive.7691.n7.nabble.com/openbsd-user-misc-f3.html
Re: IPsec bandwidth perf on APU4C4
‐‐‐ Original Message ‐‐‐
On Thursday, June 13, 2019 10:46 PM, Stuart Henderson wrote:

> 4.9.0.6 does have it enabled by default. I'm not sure about the 4.0.x releases
> and don't want to reboot mine to check now either :)

Finally managed to reboot my firewall box and so I can confirm that on my previous firmware (v4.0.24) the boost option was already enabled by default. I now upgraded to v4.9.0.6 but unfortunately as that boost option was already enabled I do not see any further improvements.

For reference here is the output of a "md5 -tt":

MD5 time trial. Processing 10 1-byte blocks...
Digest = 766a2bb5d24bddae466c572bcabca3ee
Time = 9.69 seconds
Speed = 103199174.406605 bytes/second
Transparent 301-to-https redirection with relayd
Hi,

I have relayd configured as a basic HTTP pass-through:

http protocol httpfilter {
    return error
}

relay "proxy" {
    listen on 127.0.0.1 port 8080
    protocol httpfilter
    forward to destination
}

I'd like to prevent certain domains from ever being accessed over
unencrypted http. So I set up httpd:

server "httpfilter" {
    listen on localhost port 8081
    block return 301 "https://$HTTP_HOST$REQUEST_URI"
}

The idea is to check the host header and if it matches my whitelist,
send it to httpd which will force a redirect to https before ever
leaving the LAN.

I don't understand relayd configuration too well. I tried this:

table { 127.0.0.1 }

http protocol httpfilter {
    return error
    match request header "Host" value "www.openbsd.org" forward to
}

relay "proxy" {
    listen on 127.0.0.1 port 8080
    protocol httpfilter
    forward to destination
    forward to port 8081
}

It seems to do what I want:

$ ftp -o - http://www.openbsd.org/ >/dev/null
Trying 129.128.5.194...
Requesting http://www.openbsd.org/
Redirected to https://www.openbsd.org/
Trying 129.128.5.194...
Requesting https://www.openbsd.org/
4033 bytes received in 0.07 seconds (57.97 KB/s)

Except that it sends every host to httpd:

$ ftp -o - http://neverssl.com/ >/dev/null
Trying 13.33.67.177...
Requesting http://neverssl.com/
Redirected to https://neverssl.com/
Trying 13.33.67.177...
Requesting https://neverssl.com/
ftp: SSL write error: name `neverssl.com' not present in server certificate

Fiddling with the config further doesn't seem to get me anywhere closer
to redirecting only whitelisted domains. I must be missing something,
but what?

-- 
Anthony J. Bentley
Fujitsu Xeon box running 6.4 + all syspatches doesn't power off for halt -p
I am not sure when this changed since I don't reboot the box often but halt -p no longer powers off this box. It used to work, now it doesn't. Any idea what the problem could be? Thanks, /jl
Re: Mount SMB share with usmb on startup
Most probably PATH. Dirty solution may be appending the full path to the binary.

Logged as root:

# which usmb

should get you the full path name for your command. Something like '/usr/local/bin/usmb'.

Use this full path instead of 'usmb', i.e.

/usr/local/bin/usmb -c /root/.usmb.conf boxx >/dev/null 2>&1

Regards!

On Wed, 19 Jun 2019 at 9:53, slackwaree () wrote:
> Hello guys,
>
> I know everyone hates windoz :( but here is something I would like to
> solve:
>
> I have a working share with usmb. I have written an rc script to mount
> this at boot:
>
> #!/bin/sh
> sleep 60
>
> # sh has no "&>"; send both stdout and stderr to /dev/null
> usmb -c /root/.usmb.conf boxx >/dev/null 2>&1
>
> Adding sleep didn't help.
> I have put this script into /etc/rc.local but unfortunately it does not
> mount anything. Maybe some environmental variable is not loaded in correctly?
>
> As root manually this works and mounts the share.
>
Re: Newer snapshots on ALIX
Hi Paul,

could you try manually set tty and console in the bootloader and then verify you have /etc/boot.conf with same values?

stty com0 115200
set tty com0

JV

On Wed, Jun 19, 2019 at 08:37:28AM +0200, Paul de Weerd wrote:
> Morning folks,
>
> I ran into a problem after upgrading my ALIX to a more recent snapshot
> in that it won't boot anymore. It gets to "entry point 0x2d0" and
> then stops. I tried using the PXE bootloader to load the local kernel
> from disk (both bsd and bsd.rd) and to load kernels from tftp, but all
> fails in similar ways with the entry point being the last output.
>
> I grabbed another ALIX to test, but I'm afraid I screwed that one up
> and now that one doesn't boot either anymore. This is probably user
> error, but now I'd like to confirm: has anyone successfully upgraded
> their ALIX to a recent snapshot?
>
> It could be that my hardware is dying on me (I should find my piggy
> bank for some nickels), so confirmation that this still works for
> others is appreciated.
>
> Paul
>
> --
> >[<++>-]<+++.>+++[<-->-]<.>+++[<+
> +++>-]<.>++[<>-]<+.--.[-]
> http://www.weirdnet.nl/
>
Mount SMB share with usmb on startup
Hello guys,

I know everyone hates windoz :( but here is something I would like to solve:

I have a working share with usmb. I have written an rc script to mount this at boot:

#!/bin/sh
sleep 60

# sh has no "&>"; send both stdout and stderr to /dev/null
usmb -c /root/.usmb.conf boxx >/dev/null 2>&1

Adding sleep didn't help.
I have put this script into /etc/rc.local but unfortunately it does not mount anything. Maybe some environmental variable is not loaded in correctly?

As root manually this works and mounts the share.
Re: Newer snapshots on ALIX
On Wed, Jun 19, 2019 at 08:37:28AM +0200, Paul de Weerd wrote:
> Morning folks,
>
> I ran into a problem after upgrading my ALIX to a more recent snapshot
> in that it won't boot anymore. It gets to "entry point 0x2d0" and
> then stops. I tried using the PXE bootloader to load the local kernel
> from disk (both bsd and bsd.rd) and to load kernels from tftp, but all
> fails in similar ways with the entry point being the last output.
>
> I grabbed another ALIX to test, but I'm afraid I screwed that one up
> and now that one doesn't boot either anymore. This is probably user
> error, but now I'd like to confirm: has anyone successfully upgraded
> their ALIX to a recent snapshot?
>
> It could be that my hardware is dying on me (I should find my piggy
> bank for some nickels), so confirmation that this still works for
> others is appreciated.
>

There were some boot(8) changes so try some older pxeboot from 6.4, 6.5 or the snapshot archive to see when the breakage was introduced.

--
:wq Claudio
Newer snapshots on ALIX
Morning folks,

I ran into a problem after upgrading my ALIX to a more recent snapshot in that it won't boot anymore. It gets to "entry point 0x2d0" and then stops. I tried using the PXE bootloader to load the local kernel from disk (both bsd and bsd.rd) and to load kernels from tftp, but all fails in similar ways with the entry point being the last output.

I grabbed another ALIX to test, but I'm afraid I screwed that one up and now that one doesn't boot either anymore. This is probably user error, but now I'd like to confirm: has anyone successfully upgraded their ALIX to a recent snapshot?

It could be that my hardware is dying on me (I should find my piggy bank for some nickels), so confirmation that this still works for others is appreciated.

Paul

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/