Re: Reboot and re-link

2019-06-19 Thread Christer Solskogen
>
> Hit me with straight answers and no "bs wrap-around".
>
>
Upgrade to a snapshot using bsd.rd, and use sysupgrade from now on.

-- 
chs


Re: Transparent 301-to-https redirection with relayd

2019-06-19 Thread Anthony J. Bentley
open...@phbits.com writes:
> Try this for relayd.conf
>
> table  { 127.0.0.1 }
>
> http protocol httpfilter {
> return error
> match request header "Host" value "www.openbsd.org" tag "HOST_OK"
> block request
> pass tagged "HOST_OK"
> }

That blocks every host not in the list, whereas I want to pass every
unlisted host through unmolested.

-- 
Anthony J. Bentley



Fwd: howto verify keydisk backup

2019-06-19 Thread shadrock uhuru




-------- Forwarded Message --------
Subject: Re: howto verify keydisk backup
Date:    Wed, 19 Jun 2019 09:23:53 +0100
From:    shadrock uhuru
To:      noah pugsley

On 6/19/19 5:25 AM, noah pugsley wrote:
> On Tue, Jun 18, 2019 at 5:37 PM shadrock uhuru  wrote:
>> Hi everyone,
>> my keydisk is on a CompactFlash SanDisk Ultra 2 card,
>> which was created during disk encryption.
>>
>> doas disklabel sd1
>> # /dev/rsd1c:
>> type: SCSI
>> disk: SCSI disk
>> label: USB CARD READER
>> duid: ea53e532b5ae2a0f
>> flags:
>> bytes/sector: 512
>> sectors/track: 63
>> tracks/cylinder: 255
>> sectors/cylinder: 16065
>> cylinders: 31
>> total sectors: 501760
>> boundstart: 64
>> boundend: 498015
>> drivedata: 0
>>
>> 16 partitions:
>> #                size           offset  fstype [fsize bsize   cpg]
>>   a:            16001               64    RAID
>>   c:           501760                0  unused
>>
>>
>> I boot my laptop (Samsung NP300E5A) with this connected to a card
>> reader connected to a USB port and I'm able to boot without a problem.
>>
>> I HAVE A Cruzer memory stick to use as a BACKUP keydisk.
>>
>> doas disklabel sd3
>> # /dev/rsd3c:
>> type: SCSI
>> disk: SCSI disk
>> label: Cruzer Fit
>> duid: 7fe58412fc668f9e
>> flags:
>> bytes/sector: 512
>> sectors/track: 63
>> tracks/cylinder: 255
>> sectors/cylinder: 16065
>> cylinders: 972
>> total sectors: 15630336
>> boundstart: 64
>> boundend: 15615180
>> drivedata: 0
>>
>> 16 partitions:
>> #                size           offset  fstype [fsize bsize   cpg]
>>   a:            16001               64    RAID
>>   c:         15630336                0  unused
>>
>> Using the backup instructions in the OpenBSD FAQ I create an image of the
>> keydisk:
>>
>> dd bs=8192 skip=1 if=/dev/rsd1a of=backup-keydisk.img
>>
>> 999+1 records in
>> 999+1 records out
>> 8184320 bytes transferred in 2.251 secs (3634754 bytes/sec)
>>
>> I restore the image to the backup USB memory stick using
>>
>> dd bs=8192 seek=1 if=backup-keydisk.img of=/dev/rsd3a
>>
>> 999+1 records in
>> 999+1 records out
>> 8184320 bytes transferred in 1.744 secs (4690370 bytes/sec)
>>
> I might be speaking out of turn here, but I'm pretty sure you want to
> dd rsdXc, that images the entire disk, not just the a partition.
I don't think that would work;
the two memory sticks are different sizes, with the CompactFlash being
256 MB and the Cruzer being 8 GB.
If I am wrong let me know;
this is why I dd the partition with the keydisk data on it.

shadrock
>> When I try to boot off the backup USB memory stick I get
>> using drive 0 partition 3
>> no os
>>
>> I tried to verify the keydisk image with diff using
>>
>> doas diff /dev/rsd1a backup-keydisk.img
>> Binary files /dev/rsd1a and backup-keydisk.img differ
>> ---
>>
>> Is there a problem with the hardware combination of USB sticks I use for
>> keydisk backup,
>> or with the commands I use, especially the diff command I use to try and
>> verify the image file?
>>
>> shadrock
>>
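
An added example, not part of the thread, showing a verification that
compares like with like. The FAQ's dd line copies the partition starting
8192 bytes in (skip=1): 16001 sectors of 512 bytes is 8192512 bytes, and
minus the skipped block that is the 8184320 bytes (999+1 records) seen
above. So "diff /dev/rsd1a backup-keydisk.img" compares the whole partition
against a file that starts one block later and is bound to report a
difference. Hashing the same byte range on the keydisk, on the image and on
the backup stick is the check that is wanted. Device and file names are the
thread's; conv=notrunc on the restore is an addition that stops dd
truncating a regular file used as the target and is harmless on a raw
device. The script is POSIX sh and uses sha256(1) on OpenBSD, or sha256sum
where that is what is installed.

```shell
#!/bin/sh
# Added example (not from the thread): image a softraid keydisk the way the
# OpenBSD FAQ does (skip the first 8192-byte block), restore it to a second
# device, and verify all three copies by hashing the same byte range.
# Device names are the thread's (/dev/rsd1a keydisk, /dev/rsd3a backup);
# anything else here is an assumption made for the example.
set -eu

BS=8192

# SHA-256 of stdin: sha256(1) on OpenBSD, sha256sum on Linux/coreutils.
sha256_stdin() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q
    else
        sha256sum | cut -d' ' -f1
    fi
}

# Hash everything after the first block of a device or file: exactly the
# byte range the FAQ's "dd bs=8192 skip=1" copies into the image.
hash_keydisk() {
    dd bs="$BS" skip=1 if="$1" 2>/dev/null | sha256_stdin
}

# Hash an image file from offset 0; it has no leading block to skip.
hash_image() {
    sha256_stdin < "$1"
}

# backup_keydisk /dev/rsd1a backup-keydisk.img
backup_keydisk() {
    dd bs="$BS" skip=1 if="$1" of="$2"
}

# restore_keydisk backup-keydisk.img /dev/rsd3a
# conv=notrunc keeps block 0 of the target as it is (a raw device cannot be
# truncated anyway, but a test file or image can).
restore_keydisk() {
    dd bs="$BS" seek=1 if="$1" of="$2" conv=notrunc
}

# verify_keydisk /dev/rsd1a backup-keydisk.img /dev/rsd3a
# Returns 0 only when keydisk, image and backup carry identical key data.
verify_keydisk() {
    orig=$(hash_keydisk "$1")
    img=$(hash_image "$2")
    bak=$(hash_keydisk "$3")
    [ "$orig" = "$img" ] && [ "$orig" = "$bak" ]
}
```

Run "verify_keydisk /dev/rsd1a backup-keydisk.img /dev/rsd3a" as root after
the restore; a non-zero exit means one of the three differs in the key
range, which a raw diff of the partition against the image cannot tell you.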



Re: NFS exports everything

2019-06-19 Thread Roderick



On Wed, 19 Jun 2019, Brian Brombacher wrote:

> I am guessing /home and / are the same filesystem?
>
> See exports(5):

Yes. This must be the explanation. With -alldirs the first field
must be the root of a file system and not some directory as I put
there. Thanks.

Rodrigo
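
An added example, not from the thread: a small sh check for the
misconfiguration found above. mountd exports per file system, so with
-alldirs the line exposes everything on the file system that contains the
listed path; when /home is not its own mount, that is all of /, which is
why the client could mount /etc. The script reads exports(5) lines on
stdin and flags any -alldirs entry whose first field is not itself a mount
point. The fix is either to drop -alldirs, after which only the listed
directory can be mounted, or to make the exported directory its own file
system. The df/awk mount-point test and the sample lines are this
example's own.

```shell
#!/bin/sh
# Added example, not from the thread: flag -alldirs exports whose path is
# not the root of a mounted file system. mountd exports per file system,
# so such a line exposes everything on that file system (the whole of /
# when /home is not its own mount). Paths in the usage line are assumptions.

# Device backing a path, from POSIX df -P (second line, first column).
fs_device() {
    df -P "$1" | awk 'NR == 2 { print $1 }'
}

# 0 when DIR is a mount point: / always is; otherwise its backing device
# must differ from that of its parent directory.
is_mount_point() {
    dir=$1
    [ -d "$dir" ] || return 1
    [ "$dir" = / ] && return 0
    [ "$(fs_device "$dir")" != "$(fs_device "$dir/..")" ]
}

# Read exports(5) lines from stdin. For every -alldirs line whose first
# field is not a mount point, print the path. Blank lines and comments
# are skipped. Returns the number of offending lines, so 0 means clean.
lint_exports() {
    bad=0
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac
        case " $line " in *[[:space:]]-alldirs[[:space:]]*) ;; *) continue ;; esac
        path=${line%%[[:space:]]*}
        if ! is_mount_point "$path"; then
            printf 'not a mount point, -alldirs exports its whole file system: %s\n' "$path"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Usage: lint_exports < /etc/exports
```

Run it before restarting mountd; on the configuration in this thread it
prints /home/exp/nfs and exits 1 unless /home/exp/nfs is a mount point.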



NFS exports everything

2019-06-19 Thread Roderick



I am quite sleepy, perhaps a stupid error, but annoying.

I have in /etc/exports only the following line:

/home/exp/nfs  -alldirs  -ro  -network=10.0.0.0  -mask=255.255.255.0

I start the nfs service either with "rcctl -f start portmap mountd nfsd" 
or with "portmap; mountd; nfsd -u -t -n 4".


Then I can mount *any* directory in the client, for example:

mount -t nfs 10.0.0.14:/etc /mnt

I do not remember that this is normal. Is it??

Rodrigo



Reboot and re-link

2019-06-19 Thread Maxim Bourmistrov
Hey,

long story short: reboot and re-link is not practical.

Long story:
Time to upgrade 6.4 to 6.5.
If re-link was active in 6.4 (I don't remember), I never noticed it.
Installing via the NOT RECOMMENDED WAY (following upgrade65.html): scripting on
steroids (ansible).
All down. Reboot.
And now I get a SLOW system. Why?! Compiling a new kernel:

load averages:  3.25,  1.45,  0.60                                  up  0:04
53 processes: 1 running, 49 idle, 3 on processor
CPU0 states:  0.0% user,  0.0% nice, 21.0% sys, 63.7% spin,  0.6% intr, 14.7% idle
CPU1 states:  0.5% user,  0.0% nice, 22.3% sys, 56.2% spin,  0.0% intr, 20.9% idle
CPU2 states:  0.7% user,  0.0% nice, 71.5% sys, 19.6% spin,  0.0% intr,  8.3% idle
CPU3 states:  0.5% user,  0.0% nice,  6.3% sys, 63.3% spin,  0.0% intr, 29.9% idle
Memory: Real: 382M/792M act/tot Free: 1177M Cache: 310M Swap: 0K/1279M

  PID USERNAME PRI NICE  SIZE   RES STATE     WAIT      TIME    CPU COMMAND
51958 _snmpd    64    0  956K 3148K run/0     -         3:25 119.87% snmpd
17683 root      64    0  166M  174M onproc/2  -         3:10  99.41% ld
59133 root       2    0 1404K 4248K sleep/0   select    0:08  16.70% sshd
39714 root      18    0  908K  988K sleep/1   pause     0:05  12.55% ksh
69806 _tor       2    0   29M   41M sleep/3   kqread    0:28   8.15% tor
56629 _pflogd    4    0  744K  576K sleep/3   bpf       0:19   7.57% pflogd
92193 _iscsid    2    0  732K 1256K sleep/3   kqread    0:15   4.64% iscsid
  288 _squid     2    0   17M   14M sleep/0   kqread    0:11   4.00% squid
53448 _lldpd     2    0 2656K 3848K sleep/3   kqread    0:07   3.32% lldpd
42939 _syslogd   2    0 1108K 1692K sleep/3   kqread    0:03   1.66% syslogd
 2842 _bgpd     10    0 1172K 1896K onproc/1  -         0:03   1.46% bgpd


I don't think THIS IS OK.
I'm lucky: this is a secondary (but what if it were ONLY a primary??)


For whatever reason, after rebooting, I got back the 6.4 kernel.
(I'd like to hear some great explanation here and MORE around the )

P.S.
I remember old times when you could fork and forget.
The OS positions itself as "an ASCII, no sh around and simple". Then why has the
process to upgrade become a nightmare?! It was not like this BEFORE.

Hit me with straight answers and no "bs wrap-around".

Yeah, btw, the "ansible way" has been working before.

//mxb


mandoc for report writing?

2019-06-19 Thread Paul Swanson
Hello,

Has anyone had any experience with using mandoc for report writing?

I realise it may be a silly / naive question.

But in recent times I've started using groff (with grefer) to write academic 
papers, because it's relatively easy to use for my purposes.

As such, it got me wondering if mandoc is suitable for such a purpose.

Regards,

Paul Swanson


Re: Transparent 301-to-https redirection with relayd

2019-06-19 Thread open...@phbits.com
Try this for relayd.conf

table  { 127.0.0.1 }

http protocol httpfilter {
return error
match request header "Host" value "www.openbsd.org" tag "HOST_OK"
block request
pass tagged "HOST_OK"
}

relay "proxy" {
listen on 127.0.0.1 port 8080
protocol httpfilter
forward to  port 8081
}



From: owner-m...@openbsd.org  on behalf of Anthony J. 
Bentley 
Sent: Wednesday, June 19, 2019 4:19 AM
To: misc@openbsd.org
Subject: Transparent 301-to-https redirection with relayd

Hi,

I have relayd configured as a basic HTTP pass-through:

http protocol httpfilter {
return error
}

relay "proxy" {
listen on 127.0.0.1 port 8080
protocol httpfilter
forward to destination
}

I'd like to prevent certain domains from ever being accessed over
unencrypted http. So I set up httpd:

server "httpfilter" {
listen on localhost port 8081
block return 301 "https://$HTTP_HOST$REQUEST_URI"
}

The idea is to check the host header and if it matches my whitelist,
send it to httpd which will force a redirect to https before ever
leaving the LAN.

I don't understand relayd configuration too well. I tried this:

table  { 127.0.0.1 }

http protocol httpfilter {
return error
match request header "Host" value "www.openbsd.org" forward to 
}

relay "proxy" {
listen on 127.0.0.1 port 8080
protocol httpfilter
forward to destination
forward to  port 8081
}

It seems to do what I want:

$ ftp -o - http://www.openbsd.org/ >/dev/null
Trying 129.128.5.194...
Requesting http://www.openbsd.org/
Redirected to https://www.openbsd.org/
Trying 129.128.5.194...
Requesting https://www.openbsd.org/
4033 bytes received in 0.07 seconds (57.97 KB/s)

Except that it sends every host to httpd:

$ ftp -o - http://neverssl.com/ >/dev/null
Trying 13.33.67.177...
Requesting http://neverssl.com/
Redirected to https://neverssl.com/
Trying 13.33.67.177...
Requesting https://neverssl.com/
ftp: SSL write error: name `neverssl.com' not present in server certificate

Fiddling with the config further doesn't seem to get me anywhere
closer to redirecting only whitelisted domains. I must be missing
something, but what?

--
Anthony J. Bentley



Re: After upgrade to 6.5: Weird Apache2 perl_module behavior

2019-06-19 Thread Harald Klimach
Hi Sam,

> Bug report here: https://bz.apache.org/bugzilla/show_bug.cgi?id=63516
Great! Thanks a lot for tracking this down and the suggested patch in that 
ticket.
I’ll give that a try.

Best,
Harald



Re: After upgrade to 6.5: Weird Apache2 perl_module behavior

2019-06-19 Thread Sam Vaughan
I hit this recently too.  I finally had some time to track it down and it's a
use-after-free bug in Apache that looks like it's been there since at least
2016.

It's only triggered if you load a non-standard module like mod_perl that
inserts its own config defines into the server's global
ap_server_config_defines array:

void modperl_register_hooks(apr_pool_t *p)
{
/* for  and Apache2->define("MODPERL2") */
*(char **)apr_array_push(ap_server_config_defines) =
apr_pstrdup(p, "MODPERL2");

Apache later clears out and frees that particular memory pool, and after
that it walks the ap_server_config_defines and segfaults.

Bug report here: https://bz.apache.org/bugzilla/show_bug.cgi?id=63516







Re: IPsec bandwidth perf on APU4C4

2019-06-19 Thread mabi
‐‐‐ Original Message ‐‐‐
On Thursday, June 13, 2019 10:46 PM, Stuart Henderson  
wrote:

> 4.9.0.6 does have it enabled by default. I'm not sure about the 4.0.x releases
> and don't want to reboot mine to check now either :)

Finally managed to reboot my firewall box and so I can confirm that on my 
previous firmware (v4.0.24) the boost option was already enabled by default. I 
now upgraded to v4.9.0.6 but unfortunately as that boost option was already 
enabled I do not see any further improvements.

For reference here is the output of a "md5 -tt":

MD5 time trial.  Processing 100000 10000-byte blocks...
Digest = 766a2bb5d24bddae466c572bcabca3ee
Time   = 9.69 seconds
Speed  = 103199174.406605 bytes/second




Transparent 301-to-https redirection with relayd

2019-06-19 Thread Anthony J. Bentley
Hi,

I have relayd configured as a basic HTTP pass-through:

http protocol httpfilter {
return error
}

relay "proxy" {
listen on 127.0.0.1 port 8080
protocol httpfilter
forward to destination
}

I'd like to prevent certain domains from ever being accessed over
unencrypted http. So I set up httpd:

server "httpfilter" {
listen on localhost port 8081
block return 301 "https://$HTTP_HOST$REQUEST_URI"
}

The idea is to check the host header and if it matches my whitelist,
send it to httpd which will force a redirect to https before ever
leaving the LAN.

I don't understand relayd configuration too well. I tried this:

table  { 127.0.0.1 }

http protocol httpfilter {
return error
match request header "Host" value "www.openbsd.org" forward to 
}

relay "proxy" {
listen on 127.0.0.1 port 8080
protocol httpfilter
forward to destination
forward to  port 8081
}

It seems to do what I want:

$ ftp -o - http://www.openbsd.org/ >/dev/null
Trying 129.128.5.194...
Requesting http://www.openbsd.org/
Redirected to https://www.openbsd.org/
Trying 129.128.5.194...
Requesting https://www.openbsd.org/
4033 bytes received in 0.07 seconds (57.97 KB/s)

Except that it sends every host to httpd:

$ ftp -o - http://neverssl.com/ >/dev/null   
Trying 13.33.67.177...
Requesting http://neverssl.com/
Redirected to https://neverssl.com/
Trying 13.33.67.177...
Requesting https://neverssl.com/
ftp: SSL write error: name `neverssl.com' not present in server certificate

Fiddling with the config further doesn't seem to get me anywhere
closer to redirecting only whitelisted domains. I must be missing
something, but what?

-- 
Anthony J. Bentley



Fujitsu Xeon box running 6.4 + all syspatches doesn't power off for halt -p

2019-06-19 Thread John Long
I am not sure when this changed since I don't reboot the box often but
halt -p no longer powers off this box. It used to work, now it doesn't.

Any idea what the problem could be?

Thanks,

/jl



Re: Mount SMB share with usmb on startup

2019-06-19 Thread Daniel Gracia
Most probably PATH. A dirty solution may be appending the full path to the
binary.

Logged in as root:

# which usmb

should get you the full path name for your command. Something like
'/usr/local/bin/usmb'. Use this full path instead of 'usmb', i.e.

/usr/local/bin/usmb -c /root/.usmb.conf boxx > /dev/null 2>&1

Regards!


On Wed, 19 Jun 2019 at 9:53, slackwaree ()
wrote:

> Hello guys,
>
> I know everyone hates windoz :( but here is something I would like to
> solve:
>
> I have a working share with usmb. I have written an rc script to mount
> this at boot:
>
> #!/bin/sh
> sleep 60
>
> # '&>' is a bash redirection, not sh syntax; redirect both streams explicitly.
> usmb -c /root/.usmb.conf boxx > /dev/null 2>&1
>
> Adding sleep didn't help.
> I have put this script into /etc/rc.local but unfortunately it does not
> mount anything. Maybe some environmental variable is not loaded in correctly?
>
> As root manually this works and mounts the share.
>


Re: Newer snapshots on ALIX

2019-06-19 Thread Jan Vlach
Hi Paul,

could you try manually setting tty and console in the bootloader and then
verify you have /etc/boot.conf with the same values?

stty com0 115200
set tty com0

JV

On Wed, Jun 19, 2019 at 08:37:28AM +0200, Paul de Weerd wrote:
> Morning folks,
> 
> I ran into a problem after upgrading my ALIX to a more recent snapshot
> in that it won't boot anymore.  It gets to "entry point 0x2d0" and
> then stops.  I tried using the PXE bootloader to load the local kernel
> from disk (both bsd and bsd.rd) and to load kernels from tftp, but all
> fails in similar ways with the entry point being the last output.
> 
> I grabbed another ALIX to test, but I'm afraid I screwed that one up
> and now that one doesn't boot either anymore.  This is probably user
> error, but now I'd like to confirm: has anyone successfully upgraded
> their ALIX to a recent snapshot?
> 
> It could be that my hardware is dying on me (I should find my piggy
> bank for some nickels), so confirmation that this still works for
> others is appreciated.
> 
> Paul
> 
> -- 
> >[<++>-]<+++.>+++[<-->-]<.>+++[<+
> +++>-]<.>++[<>-]<+.--.[-]
>  http://www.weirdnet.nl/ 
> 



Mount SMB share with usmb on startup

2019-06-19 Thread slackwaree
Hello guys,

I know everyone hates windoz :( but here is something I would like to solve:

I have a working share with usmb. I have written an rc script to mount this at
boot:

#!/bin/sh
sleep 60

# '&>' is a bash redirection, not sh syntax; redirect both streams explicitly.
usmb -c /root/.usmb.conf boxx > /dev/null 2>&1

Adding sleep didn't help.
I have put this script into /etc/rc.local but unfortunately it does not mount
anything. Maybe some environmental variable is not loaded in correctly?

As root manually this works and mounts the share.
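
An added example, not from either message in this thread, of how an
rc.local fragment for this mount can look once Daniel's PATH point is taken
into account. It sets PATH explicitly, calls usmb by absolute path, waits
for the server to answer on TCP 445 instead of sleeping a fixed 60 seconds,
retries the mount a few times, and reports through logger(1) so a failure
at boot shows up in syslog rather than vanishing into /dev/null. Note also
that '&>' is a bash redirection; in /bin/sh (ksh on OpenBSD) "cmd &> f"
backgrounds cmd and then opens f, so stdout and stderr are redirected the
POSIX way here. /usr/local/bin/usmb, the server name "fileserver" and TCP
445 as the readiness probe are assumptions; "boxx" and /root/.usmb.conf
are the poster's.

```shell
#!/bin/sh
# Added example (not from the thread): rc.local fragment that mounts a usmb
# share once the server is reachable, with an explicit PATH, an absolute
# path to usmb, retries, and syslog reporting. /usr/local/bin/usmb, the
# host name "fileserver" and TCP 445 as readiness probe are assumptions.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
export PATH

USMB=/usr/local/bin/usmb
USMB_CONF=/root/.usmb.conf
SHARE=boxx
SERVER=fileserver

# retry N DELAY CMD...: run CMD up to N times, sleeping DELAY seconds
# between attempts. Returns 0 on the first success, 1 if all attempts fail.
retry() {
    n=$1; delay=$2; shift 2
    i=0
    while :; do
        "$@" && return 0
        i=$((i + 1))
        [ "$i" -ge "$n" ] && return 1
        sleep "$delay"
    done
}

# smb_up HOST: 0 once HOST accepts a TCP connection on 445 (nc(1) is in base).
smb_up() {
    nc -z -w 2 "$1" 445 >/dev/null 2>&1
}

# sh has no '&>': in ksh "cmd &> f" backgrounds cmd and then creates f.
# Redirect stdout and stderr the POSIX way instead.
mount_share() {
    "$USMB" -c "$USMB_CONF" "$SHARE" >/dev/null 2>&1
}

main() {
    if ! retry 30 10 smb_up "$SERVER"; then
        logger -t rc.local "usmb: $SERVER not reachable on 445, giving up"
        return 1
    fi
    if retry 3 5 mount_share; then
        logger -t rc.local "usmb: mounted $SHARE from $SERVER"
    else
        logger -t rc.local "usmb: mounting $SHARE from $SERVER failed"
        return 1
    fi
}

# Only run the mount when this file is executed as /etc/rc.local, so the
# helpers above can also be sourced and tested on their own.
case $0 in */rc.local|rc.local) main ;; esac
```

When something still goes wrong, "grep usmb /var/log/messages" after the
boot says whether the server never answered or the mount itself failed,
which the original script with output sent to /dev/null could not tell you.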


Re: Newer snapshots on ALIX

2019-06-19 Thread Claudio Jeker
On Wed, Jun 19, 2019 at 08:37:28AM +0200, Paul de Weerd wrote:
> Morning folks,
> 
> I ran into a problem after upgrading my ALIX to a more recent snapshot
> in that it won't boot anymore.  It gets to "entry point 0x2d0" and
> then stops.  I tried using the PXE bootloader to load the local kernel
> from disk (both bsd and bsd.rd) and to load kernels from tftp, but all
> fails in similar ways with the entry point being the last output.
> 
> I grabbed another ALIX to test, but I'm afraid I screwed that one up
> and now that one doesn't boot either anymore.  This is probably user
> error, but now I'd like to confirm: has anyone successfully upgraded
> their ALIX to a recent snapshot?
> 
> It could be that my hardware is dying on me (I should find my piggy
> bank for some nickels), so confirmation that this still works for
> others is appreciated.
> 

There were some boot(8) changes so try some older pxeboot from 6.4, 6.5 or
the snapshot archive to see when the breakage was introduced.

-- 
:wq Claudio



Newer snapshots on ALIX

2019-06-19 Thread Paul de Weerd
Morning folks,

I ran into a problem after upgrading my ALIX to a more recent snapshot
in that it won't boot anymore.  It gets to "entry point 0x2d0" and
then stops.  I tried using the PXE bootloader to load the local kernel
from disk (both bsd and bsd.rd) and to load kernels from tftp, but all
fails in similar ways with the entry point being the last output.

I grabbed another ALIX to test, but I'm afraid I screwed that one up
and now that one doesn't boot either anymore.  This is probably user
error, but now I'd like to confirm: has anyone successfully upgraded
their ALIX to a recent snapshot?

It could be that my hardware is dying on me (I should find my piggy
bank for some nickels), so confirmation that this still works for
others is appreciated.

Paul

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
 http://www.weirdnet.nl/