Re: Questions on pf limit table-entries PFR_KENTRY_HIWAT_SMALL

2022-01-01 Thread trondd
On Sat, January 1, 2022 8:02 pm, Paul Pace wrote:
> Hello!
>
> I'm trying to understand the limits in PF, and I can't seem to figure
> this out:
>
> In pf.conf(5) I see two limits called table-entries, and one of them is
>
> table-entries PFR_KENTRY_HIWAT_SMALL  10
>
> Some searching and I found:
>
> grep PFR_KENTRY_HIWAT_SMALL /usr/include/net/pfvar.h
> #define PFR_KENTRY_HIWAT_SMALL10  /* Number of entries for tiny
> hosts */
>
> What is a tiny host?
>
> With the limit-item (table-entries) being used twice, does this somehow
> only apply to some system configuration I'm not using since pfctl -sm
> reports table-entries 20?
>
> Thank you,
>
> Paul
>
>

Answers are in the source.  In sys/net/pf_ioctl.c:

    if (physmem <= atop(100*1024*1024))
            pf_pool_limits[PF_LIMIT_TABLE_ENTRIES].limit =
                PFR_KENTRY_HIWAT_SMALL;




Re: How to set a HTTP proxy for sysupgrade

2021-07-01 Thread trondd
On Thu, July 1, 2021 4:25 am, Raimo Niskanen wrote:
> On Wed, Jun 30, 2021 at 09:23:15PM -0400, trondd wrote:
>>
>> I simply echo the export statements of the proxy environment variables
>> to
>> /etc/rc.firsttime before reboot. The installer will always append to the
>> file so fw_update will be added after the variables are exported.
>
> I will try to remember to do that the next time.
> Thanks for the hint!
>
> Would that be a welcome addition to the installer to do this
> automatically?
>
>

The installer can't do it.  Sysupgrade pulls the sets down and so the
automated installation does not use the network.  It won't know if there
is a proxy configuration to pass to rc.firsttime.

I suppose sysupgrade can check the environment for the variables and write
them out to rc.firsttime if they are set.

I just have a wrapper script because I also have internally hosted site
tarballs that need the proxy disabled to access so it was just easier to
have my own script to enable and disable the proxy as needed for the steps
I need to take.  I suppose that's why I never thought to try modifying
sysupgrade.  In my environment, I would still need the script regardless.

Tim.



Re: How to set a HTTP proxy for sysupgrade

2021-06-30 Thread trondd
On Wed, June 30, 2021 5:28 am, Raimo Niskanen wrote:
> Hello list!
>
> I just upgraded one of our lab machines from 6.8 to 6.9
> (amd64), and our lab environment is closed to the Internet,
> so using an HTTP proxy is required to reach out.
>
> I have set http_proxy, ftp_proxy and https_proxy in
> /etc/login.conf, the default class, but it is apparently
> not used by rc.firstboot after sysupgrade.
>
> With the new installer in 6.9 rc.firstboot seems to be
> a background process that hangs because of this, so when I
> logged in as root after remote upgrade I resolved the stalemate
> by first killing an ftp job serving fw_update, then a similar
> download job serving syspatch, and waited until the not updated
> kernel was relinked.
> Then I could run fw_update and syspatch manually.
>
> Is there a better / proper way to set a HTTP/HTTPS proxy
> for sysupgrade?
>
> Cheers
> --
>
> / Raimo Niskanen, Erlang/OTP, Ericsson AB
>

I simply echo the export statements of the proxy environment variables to
/etc/rc.firsttime before reboot. The installer will always append to the
file so fw_update will be added after the variables are exported.

The ftp process will timeout in, I think, 5 minutes.  That is a long time,
but you're not going to be hung there forever.

Tim.
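The practice described in the two messages above (exporting the proxy variables in /etc/rc.firsttime before the reboot, and the idea that a script could do it only when the variables are actually set) as an added example; it is not trondd's wrapper script and not part of sysupgrade(8). The target file is a parameter so the functions can be tried on a scratch file; on a real host it is /etc/rc.firsttime.

```shell
#!/bin/sh
# Added example, not trondd's wrapper and not code from sysupgrade(8): turn the
# proxy variables set in the current environment into "export" lines and
# append them to an rc.firsttime-style file before the reboot, so that the
# fw_update/syspatch lines the installer appends afterwards see the proxy.

# Wrap a value in single quotes, escaping embedded quotes, so that a password
# or other shell metacharacters in a proxy URL survive being sourced by rc.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Print one "export NAME='value'" line per proxy variable that is set and
# non-empty in the current shell; unset or empty ones produce nothing.
proxy_exports() {
    for var in http_proxy https_proxy ftp_proxy; do
        eval "val=\${$var:-}"
        [ -n "$val" ] || continue
        printf 'export %s=%s\n' "$var" "$(shell_quote "$val")"
    done
    return 0
}

# Append the export lines to the file named in $1 (created if missing).
# Appending keeps anything written later by the installer after them.
# Returns 1 without touching the file when no proxy variable is set.
write_proxy_exports() {
    lines=$(proxy_exports)
    [ -n "$lines" ] || return 1
    printf '%s\n' "$lines" >> "$1"
}

# Typical use right before running sysupgrade:
#     write_proxy_exports /etc/rc.firsttime
# When invoked with a file name, do exactly that; otherwise only define
# the functions so the file can be sourced.
if [ $# -eq 1 ]; then
    write_proxy_exports "$1"
fi
```

Quoting the values matters: a proxy URL of the form http://user:password@host:port is common in closed lab networks, and an unquoted password containing shell metacharacters would break rc.firsttime, which rc(8) runs as a shell script.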



Re: Not possible to sysupgrade via snapshots right now?

2021-05-08 Thread trondd
On Sat, May 8, 2021 9:19 pm, Scott Vanderbilt wrote:
> On 5/8/2021 6:04 PM, trondd wrote:
>> On Sat, May 8, 2021 7:58 pm, Scott Vanderbilt wrote:
>>> Apologies if this is a question to which there is an obvious answer,
>>> but
>>> I could not find one in the sysupgrade man page,
>>
>> What is sysupgrade trying to do?  What do you want it to do?
>>
>> No?  Read it again.  It's not that long.
>>
>
> Another responder politely pointed out I needed to add the -s switch,
> which in fact eliminated the error.
>
> But your reply seems to imply I'm doing something unreasonable.
> I looked at the -s switch in the man page, where it says:
>
>   -s      Upgrade to a snapshot. This is the default if the system
>           is currently running a snapshot.
>
> I thus disregarded this switch for two reasons:
>
> (1) As I am already running a snapshot (6.9-current as stated in my
> original post), I concluded that the switch would effectively be a NOOP
> since it specifically says it's the _default behavior_ under these
> circumstances.
>
> (2) I've used sysupgrade without the -s switch for years and it's always
> worked fine.
>
> What is not clear or explained anywhere that I can find is why it
> behaves differently right now. Notwithstanding your suggestion, reading
> the man page more than once does not make the answer magically appear.
>

Probably too late now, but what did `sysctl kern.version` actually show?

If you were still in the period after -beta and before switching back to
-current, the system will be detected as a release version.



Re: Not possible to sysupgrade via snapshots right now?

2021-05-08 Thread trondd
On Sat, May 8, 2021 9:04 pm, trondd wrote:
> On Sat, May 8, 2021 7:58 pm, Scott Vanderbilt wrote:
>> Apologies if this is a question to which there is an obvious answer, but
>> I could not find one in the sysupgrade man page,
>
> What is sysupgrade trying to do?  What do you want it to do?
>
> No?  Read it again.  It's not that long.
>

That got sent before I was ready. :(

Reread the man page, is what I was referring to.



Re: Not possible to sysupgrade via snapshots right now?

2021-05-08 Thread trondd
On Sat, May 8, 2021 7:58 pm, Scott Vanderbilt wrote:
> Apologies if this is a question to which there is an obvious answer, but
> I could not find one in the sysupgrade man page,

What is sysupgrade trying to do?  What do you want it to do?

No?  Read it again.  It's not that long.



Re: tc= in remote(5) example

2021-02-18 Thread trondd
On Thu, February 18, 2021 11:38 am, Jan Stary wrote:
> /etc/examples/remote contains the following stanzas:
>
>   unixhost:\
>   :br#9600:
>
>   cua00|For i386,macppc:\
>   :dv=/dev/cua00:tc=unixhost:
>
>   cuaa|For sparc:\
>   :dv=/dev/cuaa:tc=unixhost:
>
>
> The remote(5) manpage describes br, dc, dv
> but not tc, which seems to be used here as an include.
> Is it described elsewhere or is that an omission?
>
>   Jan
>

References are at the top of the example file.  The most complete
description of tc is probably in cgetcap(3).



Re: pflogd write /var/run/mypflogdinstance.pid?

2020-12-13 Thread trondd
>> On 2020-12-13, Harald Dunkel  wrote:
> On 12/13/20 7:10 PM, Theo de Raadt wrote:
>>
>> And I'm suggesting the arguments should look like this:
>>
>>  pflogd: [priv] -s 160 -i pflog0 -f /var/log/pflog (pflogd)
>>  pflogd: [running] -s 160 -i pflog0 -f /var/log/pflog (pflogd)
>>
>> That might allow more accurate pkill targetting.
>>
>
> Wouldn't you admit that this appears to be very fragile? If I add
> some flags to the pflogd command line then I have to verify the
> pkill commands in newsyslog.conf again.

You can search the whole argument list, but you only have to match a
subset.  For log rotation that might be the logfile name.  But I would
think the interface name would generally be the most likely to be a unique
parameter.
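The matching trondd describes (search the whole argument list, match only the unique part, most usefully the interface name) as an added example; it is not from the thread, from newsyslog.conf or from the pflogd source. It reads "pid command" lines on stdin so it can be exercised against a constructed process listing, and follows the title layout Theo suggested earlier in the thread ("pflogd: [priv] -s 160 -i pflog0 -f /var/log/pflog (pflogd)").

```shell
#!/bin/sh
# Added example (not from the thread or the pflogd source): pick pflogd
# processes by the interface name carried in their process title. Input is
# "pid command" lines as "ps -axo pid,command" would print them.

# Print the PIDs of pflogd processes in state $1 ("priv" or "running") that
# log interface $2. The blank after the interface name is deliberate: without
# it "pflog1" would also match "pflog10".
pflogd_pids() {
    state=$1
    iface=$2
    grep -E "^ *[0-9]+ +pflogd: \\[$state\\] .* -i $iface " |
        awk '{ print $1 }'
}

# Constructed process listing (not real output) with three instances, one of
# them on pflog10 to show why the trailing blank in the pattern is needed.
SAMPLE_PS='12345 pflogd: [priv] -s 160 -i pflog0 -f /var/log/pflog (pflogd)
12346 pflogd: [running] -s 160 -i pflog0 -f /var/log/pflog (pflogd)
12400 pflogd: [priv] -s 160 -i pflog10 -f /var/log/pflog10 (pflogd)
12401 pflogd: [running] -s 160 -i pflog10 -f /var/log/pflog10 (pflogd)
12500 pflogd: [priv] -s 160 -i pflog1 -f /var/log/pflog1 (pflogd)
12501 pflogd: [running] -s 160 -i pflog1 -f /var/log/pflog1 (pflogd)'

# Run against the sample when executed directly; on a live system the same
# function takes "ps -axo pid,command" on stdin instead.
printf '%s\n' "$SAMPLE_PS" | pflogd_pids running pflog1
```

The same regular expression, minus the leading PID field, is what a `pkill -f` or a newsyslog.conf signal command would use; the point of the trailing blank is the same there, since pkill -f also matches anywhere in the full argument string.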



Re: pflogd write /var/run/mypflogdinstance.pid?

2020-12-07 Thread trondd
Stuart Henderson  wrote:

> On 2020-12-07, Harald Dunkel  wrote:
> > About the PIDs: Maybe a systctl like
> >
> > kernel.pid_max = 4194303
> >
> > known from other OSes could help to reduce the risk for PID conflicts.
> 
> This doesn't help if you actually want reliability, rather than just
> "reliable most of the time".
> 
> There were also some concerns about what software would do with long
> PIDs - even on a very basic level that adds another couple of columns
> to top(1) output.
> 
> > If you store the PID files on a volatile file system, so you can be sure
> > they are gone on the next reboot, anyway.
> 
> /var/run is cleared at boot anyway - the problem is pid reuse during
> uptime of the system.
> 
> One can check that the new pid is owned by a process of the correct name
> - but then the problem returns, the process name doesn't have enough
> information to uniquely identify it. And if that is fixed there's no
> need to save the pid.
> 
> So if there's a problem to be fixed, it is to get the information into
> the other process string..

I think the user is looking for something like this.  Putting the interface
name in the process title.

Maybe this doesn't work for this use case or there is some other fallout.
And there may be other tweaks needed to support it, I don't have a dog in the
fight to go find them, though.

Tim.


Index: etc/rc.d/pflogd
===
RCS file: /cvs/src/etc/rc.d/pflogd,v
retrieving revision 1.3
diff -u -p -r1.3 pflogd
--- etc/rc.d/pflogd 11 Jan 2018 19:52:12 -  1.3
+++ etc/rc.d/pflogd 7 Dec 2020 18:08:23 -
@@ -6,7 +6,7 @@ daemon="/sbin/pflogd"
 
 . /etc/rc.d/rc.subr
 
-pexp="pflogd: \[priv\]"
+pexp="pflogd: \[priv\].*"
 
 rc_pre() {
if pfctl -si | grep -q Enabled; then
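Review bot: `pexp="pflogd: \[priv\].*"` still matches every pflogd instance on the host, so once the title carries the interface name (the privsep.c hunk below appends it) an rc.d stop or restart of one per-interface instance would still act on all of them; if the point of the change is running several instances, the interface should go into the pattern as well, for example derived from the `-i` value in `daemon_flags` or taken from a variable, so the script can target one daemon. The trailing `.*` itself is needed because rc.subr matches pexp against the whole process string, which no longer ends after `[priv]`.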
Index: sbin/pflogd/privsep.c
===
RCS file: /cvs/src/sbin/pflogd/privsep.c,v
retrieving revision 1.34
diff -u -p -r1.34 privsep.c
--- sbin/pflogd/privsep.c   27 Nov 2019 17:49:09 -  1.34
+++ sbin/pflogd/privsep.c   7 Dec 2020 18:08:45 -
@@ -131,7 +131,7 @@ priv_init(int Pflag, int argc, char *arg
signal(SIGINT,  sig_pass_to_chld);
signal(SIGQUIT, sig_pass_to_chld);
 
-   setproctitle("[priv]");
+   setproctitle("[priv] %s", interface);
 
if (unveil(_PATH_RESCONF, "r") == -1)
err(1, "unveil");
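Review bot: `setproctitle("[priv] %s", interface)` uses `interface` inside priv_init(), but nothing in the hunk declares it; the variable is defined in pflogd.c, so this only compiles if privsep.c already has an `extern char *interface;` declaration, otherwise one needs to be added near the top of the file. Two smaller points: the title should match the form Theo suggested earlier in the thread, where the `[running]` child also shows its arguments, which means the child's setproctitle() in pflogd.c wants the same treatment; and `interface` must already hold its final value (option parsing done) by the time priv_init() runs, otherwise the title shows the compiled-in default rather than the interface actually in use.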



Re: Can't cron sct.

2020-10-27 Thread trondd
On Tue, October 27, 2020 11:10 am, avv. Nicola Dell'Uomo wrote:
> Hi,
>
> maybe I'm missing something trivial, but I can't figure out how to cron
> sct(1)
>
> My user cron config works and cron log reports sct was executed, but
> screen temp doesn't change ...
>
> Here's my user crontab:
>
> #       $OpenBSD: crontab,v 1.28 2020/04/18 17:22:43 jmc Exp $
> #
> # SHELL=/bin/sh
> PATH=/bin:/sbin:/usr/bin:/usr/sbin
> HOME=/var/log
> #
> #minute hour    mday    month   wday    [flags] command
> #
> # rotate log files every hour, if necessary
> # 35    19      *       *       *       touch /home/nicola/sct
>
> 35    19      *       *       *       /usr/local/bin/sct 5000
>
> # touch /home/nicola/sct was a test in order to verify I had not
> misconfigured crontab.
> # cron was tested with SHELL variable defined and then commented out and
> the result was the same.
>

It needs access to X.  I'm guessing you need to pass the DISPLAY variable?

I'm using sctd in .xinitrc (or .xsession) to slowly adjust the temp.

Tim.




Re: Having trouble enabling TLSv1.3 on httpd(8)

2020-09-03 Thread trondd
On Thu, September 3, 2020 2:18 pm, Parker Ellertson wrote:
> According to my understanding of the manpages (specifically
> httpd.conf(5) and tls_config_set_protocols(3)), setting up TLSv1.3
> should be just as easy as adding:
>
> tls {
> protocols "TLS_PROTOCOL_TLSv1_3"
> }
>
> to the appropriate server in /etc/httpd.conf .  But when I do this,
> httpd(8) doesn't come up.  Clearly I'm not setting the right variable,
> but what is that variable to set?
>
> - Parker
>

You've used an ENUM for tls_config_set_protocols(), the httpd.conf(5)
manpage said to look at tls_config_parse_protocols(), that section of the
manpage says:

The protocol string is a comma or colon separated list of keywords.
Valid keywords are tlsv1.0, tlsv1.1, tlsv1.2, tlsv1.3, all (all supported
protocols), default (an alias for secure), legacy (an alias for all) and
secure (currently TLSv1.2 and TLSv1.3).


Takes a little bit of careful reading, but that's what's documented.



Re: Can I boot without GPU ("headless")?

2020-08-30 Thread trondd
On Sun, August 30, 2020 7:12 am, Henry W. Peterson wrote:
> If I write at the boot prompt "set timeout 5" and then "set tty pc0" it
> waits indefinitely for new commands (as expected).
>
> I was asking if there is a way to start a new timeout or instantly boot
> the kernel after the console switching without typing anything else (to
> switch to com0, without actually connecting a serial console, let it boot
> and then control the computer by ssh).
>

Once you hit a key on the keyboard, you've stopped the timeout.  If you're
typing on the keyboard, you can just type "boot" (or just "b") to boot it.
You don't need a timeout.

If you put your com0 settings (or whatever else) into boot.conf, then you
don't need to type anything and the timeout applies and it'll boot on its
own.





Re: email attachments in firefox

2020-08-24 Thread trondd
On Fri, August 21, 2020 5:24 pm, Jan Stary wrote:
> On Aug 21 18:06:59, falsif...@falsifian.org wrote:
>> On 2020-08-21 16:51, Raymond, David wrote:
>> > I noticed that trying to load an attachment to Gmail in Firefox leads
>> > to a basically empty menu for selecting the file to be loaded?  What
>> > gives?  Is this something to do with pledge/unveil?  Is there a way to
>> > do this?
>> >
>> > Dave Raymond
>>
>> In practice, if I want to give Firefox access to a file, I move it to
>> ~/Downloads and then it will appear in that chooser.
>
> But sometimes, the file selection will offer the content of /tmp
> and you have no way of making it something else.
>

Type in the path to your Downloads folder?




Re: httpd - bypass tls misconfig different ciphers, ecdhe

2020-08-19 Thread trondd
On Wed, August 19, 2020 3:33 am, Hisacro Root wrote:
> On Tue, Aug 18, 2020 at 09:28:18PM -0400, trondd wrote:
>> The bug here is in how additional listen lines interact with the
>> remaining
>> configuration.  The first listen line in a server block gets the tls
>> block
>> and it doesn't get applied to the second listen line.  Except for certs
>> and keys which are handled differently for SNI.
>
> I rechecked, you're right. In TLS block except for key & certificate,
> sub domain server (or the server defined at last) inherits config from
> previously defined one (in example config, main server).
>
> Is it worthy of a bug or could be confusion on configs?
>

Yeah.  I would.  It's confusing.  Clearly there is an inconsistency in tls
parameter handling when there is both a new ip/port and an SNI host
defined in the same server block.

I'm not a C programmer so deciphering what's going on would take me a while.



Re: httpd - bypass tls misconfig different ciphers, ecdhe

2020-08-18 Thread trondd
On Sun, August 16, 2020 3:20 pm, hisacro wrote:
> On Sun, Aug 16, 2020 at 02:34:27PM -0400, trondd wrote:
>
>> Oh, I see what you're doing.  BOTH listen lines are active in the second
>> server block.  When you connect to port 443 with that config, which TLS
>> settings does it use?  I want to guess that because you're listening on
>> port 8000 without tls first, the listen with tls is skipped along with
>> the
>> tls block below it.
>
> No, listen TLS isn't skipped for sub.domain.tld
>

That's not what I see.  With the additional listen line, allowing httpd to
start, my sub domain server is using the tls setup from the main server
tls block except for the cert and key to support SNI.  Change the
additional listen line to tls and you'll see that one will pick up the tls
block as it's on a different port.

I think my initial assessment stands.  You can't have different tls blocks
on the same ip/port except certificates and keys for SNI.  It explicitly
does a check to make sure that the other parameters match.

The bug here is in how additional listen lines interact with the remaining
configuration.  The first listen line in a server block gets the tls block
and it doesn't get applied to the second listen line.  Except for certs
and keys which are handled differently for SNI.



Re: httpd - bypass tls misconfig different ciphers, ecdhe

2020-08-16 Thread trondd
On Sun, August 16, 2020 1:23 pm, hisacro wrote:
> Aug 16, 2020, 11:44 AM by tro...@kagu-tsuchi.com:
>
>> Because it's not the same IP and port anymore. You can only have one
>> thing listening on an ip+port
>
> I got a working httpd config with same IP and same Port
>
> server "domain.tld" {
>         listen on $ext_ip tls port 443
>         tls {
>                 certificate "/etc/ssl/domain.tld.fullchain.pem"
>                 key "/etc/ssl/private/domain.tld.key"
>                 ciphers "HIGH:!AES128:!kRSA:!aNULL"
>                 ecdhe "P-384,P-256,X25519"
>         }
> }
> server "sub.domain.tld" {
>         listen on 0.0.0.0 port 8000 # confusion?
>         listen on $ext_ip tls port 443
>         tls {
>                 certificate "/etc/ssl/domain.tld.fullchain.pem"
>                 key "/etc/ssl/private/domain.tld.key"
>         }
> }
>
> This indeed listen on same address ($ext_ip) and same port (443)
> and works as intended with different cipher and ecdhe.
> Note: only when I add listen on 0.0.0.0 port 8000
>
>>Httpd allows you to configure multiple
>>"servers" for subdomains but in reality there is one actual server
>>listening and it has to know what parameters to use
>
> Sorry, I don't understand your reasoning because
> shouldn't httpd work the same way with or without extra listen on 0.0.0.0
>

Oh, I see what you're doing.  BOTH listen lines are active in the second
server block.  When you connect to port 443 with that config, which TLS
settings does it use?  I want to guess that because you're listening on
port 8000 without tls first, the listen with tls is skipped along with the
tls block below it.



Re: httpd - bypass tls misconfig different ciphers, ecdhe

2020-08-16 Thread trondd
On Sun, August 16, 2020 1:49 am, hisacro wrote:
> Aug 16, 2020, 7:50 AM by tro...@kagu-tsuchi.com:
>
>>>On Sat, Aug 15, 2020 at 04:13:51PM -0700, hisacro wrote:
>>
>>> $ doas httpd -nv
>>> server "sub.domain.tld": tls configuration mismatch on same
>>> address/port
>>>
>>> instead of defining same cipher and ecdhe, uncommenting
>>> "listen on 0.0.0.0 port 8080"
>>> bypasses this error
>>>
>>> I'm unsure what causes this, can someone shed some light?
>>
>>It's what the error says. You're listening twice on the same ip and port
>>but with different tls blocks.
>
> Though I have emphasized enough (even on title), re-stating
>
> Why does having a listen statement on  port 
> bypasses tls misconfiguration.
>

Because it's not the same IP and port anymore.  You can only have one
thing listening on an ip+port.  Httpd allows you to configure multiple
"servers" for subdomains but in reality there is one actual server
listening and it has to know what parameters to use.



Re: httpd - bypass tls misconfig different ciphers, ecdhe

2020-08-15 Thread trondd
On Sat, August 15, 2020 7:13 pm, hisacro wrote:
> I'm on -current, httpd throws tls misconfig error when different
> cipher or ecdhe used but it's bypassed by listen statment.
>
> server "domain.tld" {
>         listen on * tls port 443
>         log style combined
>         hsts {
>                 subdomains
>         }
>         root "/htdocs/domain.tld/"
>         tls {
>                 certificate "/etc/ssl/domain.tld.fullchain.pem"
>                 key "/etc/ssl/private/domain.tld.key"
>                 ciphers "HIGH:!AES128:!kRSA:!aNULL"
>                 ecdhe "P-384,P-256,X25519"
>         }
> }
>
> server "sub.domain.tld" {
>         # listen on  port 
>         # note: adding before tls
>         # listen on 0.0.0.0 port 8080
>         listen on * tls port 443
>         root "/htdocs/sub.domain.tld"
>         tls {
>                 certificate "/etc/ssl/domain.tld.fullchain.pem"
>                 key "/etc/ssl/private/domain.tld.key"
>         }
> }
>
> $ doas httpd -nv
> server "sub.domain.tld": tls configuration mismatch on same address/port
>
> instead of defining same cipher and ecdhe, uncommenting
> "listen on 0.0.0.0 port 8080"
> bypasses this error
>
> I'm unsure what causes this, can someone shed some light?
>

It's what the error says.  You're listening twice on the same ip and port
but with different tls blocks.



Re: checksums after reboot

2020-02-07 Thread TronDD
On Fri Feb 7, 2020 at 2:40 PM, Justin Muir wrote:
> Hello all,
>
> 
> Posting here for the first time! Using OBSD as daily laptop OS. Trying
> to
> be a little more security conscious these days by keeping checksums on
> system files with mtree. Did a reboot and several files were changed
> including libcrypto.so, ld.so and several other system-level files. Is
> this
> normal??
>

Yes.  At boot, rc(8) relinks some of the system libraries in order to
randomize the layout of the code.

Your kernel is also reordered for the next reboot.

Tim.



Re: vpn.rebehn.net upgrade log

2019-10-28 Thread trondd
On Mon, October 28, 2019 6:37 pm, Heinrich Rebehn wrote:
> Hello list,
>
> After upgrading a OpenBSD host running 6.5 to 6.6 using sysupgrade(8), I
> received the email below.
> It suggests that the upgrade has been aborted upon failure to upgrade
> comp66.tgz. This set was not part of the initial installation.
> Does this mean that the system is "half upgraded"? What steps are
> missing because of the abort?
>
> Cheers,
>
>   Heinrich
>

I had something similar happen to me with the games set as I had stopped
installing games on my router some years ago.

Besides the unextracted sets, you've missed out on a bunch of other
upgrade steps such as MAKEDEV, installboot, and everything that runs from
rc.firsttime.

Since you got a kernel and base.tgz I would just manually extract the
other sets (follow the upgrade guide for how to do that correctly) and
clean up anything that generates an error until they extract cleanly. 
Then upgrade properly so you know it will work next time.

Tim.

>
>> On 28. Oct 2019, at 16:31, Charlie Root  wrote:
>>
>> Choose your keyboard layout ('?' or 'L' for list) [default] default
>> Available disks are: sd0.
>> Which disk is the root disk? ('?' for details) [sd0] sd0
>> Checking root filesystem (fsck -fp /dev/sd0a)... OK.
>> Mounting root filesystem (mount -o ro /dev/sd0a /mnt)... OK.
>> Force checking of clean non-root filesystems? [no] no
>> /dev/sd0a (331a03408374f07d.a) on /mnt type ffs (rw, local, wxallowed)
>>
>> Let's upgrade the sets!
>> Location of sets? (cd0 disk http nfs or 'done') [http] disk
>> Is the disk partition already mounted? [yes] yes
>> Pathname to the sets? (or 'done') [6.6/amd64] /home/_sysupgrade/
>>
>> Select sets by entering a set name, a file name pattern or 'all'.
>> De-select
>> sets by prepending a '-', e.g.: '-game*'. Selected sets are labelled
>> '[X]'.
>>   [X] bsd   [X] comp66.tgz[X] xbase66.tgz   [X] xserv66.tgz
>>   [X] bsd.rd[X] man66.tgz [X] xshare66.tgz
>>   [X] base66.tgz[X] game66.tgz[X] xfont66.tgz
>> Set name(s)? (or 'abort' or 'done') [done] done
>> Directory does not contain SHA256.sig. Continue without verification?
>> [no] yes
>> Installing bsd  100% |**| 18250 KB
>> 00:00
>> Installing bsd.rd   100% |**| 10058 KB
>> 00:00
>> Installing base66.tgz   100% |**|   236 MB
>> 00:12
>> Installing comp66.tgz78% |  | 56832 KB
>> 00:01 ETAtar: Unable to remove directory ./usr/include/machine:
>> Directory not empty
>> Installing comp66.tgz   100% |**| 72109 KB
>> 00:06
>> Installation of comp66.tgz failed. Continue anyway? [no] no
>




Re: relayd: "listen on egress" only listens to IPv4 and not IPv6

2019-08-29 Thread trondd
On Thu, August 29, 2019 8:55 am, Muhammad Kaisar Arkhan wrote:
> Hi Tom,
>
>> listen  on 2a03:6000:9106::50f7:f07a:d1cc port 443 tls
>
> I've tried this before, it just results in this:
>
> /etc/relayd.conf:33: cannot load certificates for relay https2:443
>
> I'm not sure why it does this despite the fact I have clearly
> indicated which TLS certificates to use in relayd.conf with the
> new "tls keypair" feature.
>
> % cat /etc/relayd.conf
>
> log connection
>
> table  { 127.0.0.1 }
> table  { 127.0.0.1 }
> table  { 127.0.0.1 }
>
> http protocol "reverse_proxy" {
> return error
>
> match header set "X-Forwarded-For" value "$REMOTE_ADDR"
> match header set "X-Forwarded-By" value
> "$SERVER_ADDR:$SERVER_PORT"
>
> match request header "Host" value "znc.yukiisbo.red" \
> forward to 
>
> tls keypair "yukiisbo.red"
> tls keypair "arkhan.io"
> tls keypair "znc.yukiisbo.red"
> }
>

Are the certificate and key files named correctly and placed in the
appropriate locations as specified in the manpage?




Re: Duplicity & /etc/daily.local

2019-05-20 Thread trondd
On Mon, May 20, 2019 5:50 pm, Noth wrote:
> Hi misc@,
>
>
>  I'm trying to run daily backups to a sftp server for various VMs and
> devices on my network, and want to use /etc/daily.local for this. I'm
> calling this script from the daily.local file:
>
> env 'GNUPG="/usr/local/bin/gpg" PASSPHRASE="mypassword"'
> /root/duplicity-hostname.sh
>
> but unfortunately duplicity can't find gnupg
>

I don't use duplicity anymore but is the GNUPG environment variable even a
thing?  Their manpage doesn't mention it but does specify a --gpg-binary
commandline argument.

http://duplicity.nongnu.org/duplicity.1.html

You'll also need to be sure gpg is looking in the right place for the
keyrings.



Re: Activating second crypted (or other raid) device

2019-05-05 Thread trondd
On Sun, May 5, 2019 3:57 pm, cho...@jtan.com wrote:
> Thomas Frohwein writes:
>> On Sun, May 05, 2019 at 08:57:55PM +0300, cho...@jtan.com wrote:
>> [...]
>> > Currently after every upgrade I patch /etc/rc to run /etc/rc.blockdev
>> > (containing bioctl -cC -p /etc/sd0.key -l sd0a softraid0) before the
>> > additional filesystems are checked or mounted.
>>
>>
> The problem with rc.local is that it's not executed until after fsck and
> mount have parsed /etc/fstab (or /etc/fstab has been parsed for them;
> whatever). If they do this before sd3 exists they at worst abort and at
> best don't perform their desired function on the previously-encrypted
> block device (ie. the plaintext block device is not scanned and mounted
> automagically and my computer boots without a /srv).
>

>
> My goals are:
>
>   * /etc/rc already handles fsck of plaintext devices mentioned in
> /etc/fstab.
>   * /etc/rc already handles mount of plaintext devices mentioned in
> /etc/fstab.
>   * I would like to activate an encrypted/RAIDed device before /etc/rc
> performs
> either of those (so that code somebody else has written can do them
> for me).
>   * /etc/rc.local is called too late.
>

It's really not that big of a deal to call 'fsck' and 'mount' yourself in
rc.local.

Unless you have system data on /srv (which would be its own inconsistency
with a standard system) needed during rc.

In fstab, I set the RAID partition to noauto and disable automatic fsck. 
Then in rc.local call 'bioctl blah && fsck UUID.partition && mount /srv'

I use a password so it's interactive for me and I see if anything goes
wrong.  Log a message with 'logger' or send an email or whatever if
something fails for your situation.  Then you're done dealing with this.
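The rc.local sequence described above (attach the crypto volume with bioctl, fsck it, mount it, and report with logger if a step fails) as an added example; it is neither the poster's /etc/rc.blockdev nor trondd's literal one-liner. CRYPTO_CHUNK, CRYPTO_KEYFILE, SRV_DUID_PART and SRV_MOUNTPOINT are placeholders to replace with the real values, and the BIOCTL, FSCK, MOUNT and LOGGER variables exist only so the sequence can be dry-run without touching devices.

```shell
#!/bin/sh
# Added example for /etc/rc.local; not the poster's rc.blockdev and not
# trondd's exact line. Attach a softraid crypto volume, fsck it and mount it,
# and log any failing step through logger(1) so a boot that leaves /srv
# unmounted is visible in the logs. The /srv entry in /etc/fstab is expected
# to carry "noauto" and fsck pass 0, so rc itself leaves it alone.
CRYPTO_CHUNK=${CRYPTO_CHUNK:-sd0a}                  # placeholder: chunk partition of the crypto volume
CRYPTO_KEYFILE=${CRYPTO_KEYFILE:-/etc/sd0.key}      # placeholder: key file; drop -p below to be prompted instead
SRV_DUID_PART=${SRV_DUID_PART:-XXXXXXXXXXXXXXXX.d}  # placeholder: DUID.partition of the decrypted volume
SRV_MOUNTPOINT=${SRV_MOUNTPOINT:-/srv}

# The tools are taken from variables so the sequence can be exercised without
# real devices; the defaults are the real commands.
BIOCTL=${BIOCTL:-bioctl}
FSCK=${FSCK:-fsck}
MOUNT=${MOUNT:-mount}
LOGGER=${LOGGER:-logger}

# Run one step; on failure log which step failed and its exit status, then
# return non-zero so the caller stops right there instead of mounting an
# unchecked or non-existent device.
step() {
    desc=$1
    shift
    "$@" && return 0
    rc=$?
    $LOGGER -t rc.local "activate_srv: $desc failed (exit $rc)"
    return 1
}

# Attach, check and mount, stopping at the first failure.
activate_srv() {
    step "bioctl attach of $CRYPTO_CHUNK" \
        $BIOCTL -c C -l "$CRYPTO_CHUNK" -p "$CRYPTO_KEYFILE" softraid0 || return 1
    step "fsck of $SRV_DUID_PART" $FSCK -p "$SRV_DUID_PART" || return 1
    step "mount of $SRV_MOUNTPOINT" $MOUNT "$SRV_MOUNTPOINT" || return 1
    return 0
}

# In rc.local itself the call is simply:  activate_srv
# Here it only runs when asked, so the file can be sourced side-effect free.
if [ "${1:-}" = "--run" ]; then
    activate_srv
fi
```

The matching /etc/fstab line would name the volume by DUID with the noauto option and pass number 0, which is what keeps rc from trying to fsck or mount it before bioctl has run.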



Re: Use xenodm like startx?

2019-01-31 Thread trondd
On Thu, January 31, 2019 5:57 am, John Ankarström wrote:
>
>> Only thing I never figured out is how to make X and xenodm shutdown when
>> I
>> exit my window manager.
>
> This too makes me feel like xenodm is far too complex for what I want.
>

It's not an issue of complexity.  It's a different tool that does a
different thing.  Bending it to work like something it's not will
inherently have caveats.

The thing is, what we had before was a trivial privilege escalation. 
Sometimes you just have to adapt a little and you can benefit greatly from
improvements.

Tim.



Re: Use xenodm like startx?

2019-01-31 Thread trondd
On Thu, January 31, 2019 7:35 am, Bruno Flueckiger wrote:
>
> Add the following line to /etc/X11/xenodm/xenodm-config:
>
> DisplayManager.*.terminateServer: true
>
> Cheers,
> Bruno
>

That doesn't work how you think it does.  It does shut down the X server
after quitting a window manager but then xenodm will restart X and log you
right back in.  That option is there to prevent resource leaks between X
sessions.

Tim.



Re: Use xenodm like startx?

2019-01-30 Thread trondd
On Wed, January 30, 2019 8:02 pm, John Ankarström wrote:
> Hi,
>
> I just got OpenBSD installed on my new laptop, and so far, it works great.
> But since I applied the latest X11 patch, I can no longer use startx to
> launch X11, unless I do it as root, which probably isn't a good idea.
> Seems like I have to use xenodm.
>
> The thing is, xenodm is so complicated in comparison to a simple .xinitrc
> + startx. There are so many files I need to set up that I hardly know
> where to begin.
>
> I don't want a login screen, I don't want X11 to launch at startup. I
> just want to start X manually from a simple .xinitrc. Surely I can't be
> alone.
>
> Any ideas or tips?
>
> Best regards
> John
>

It's not really that complicated.  The bare minimum is to copy your
.xinitrc to .xsession and then just run xenodm on demand with doas.  All
the configs already exist in /etc/X11/xenodm.  Nothing requires you to run
it at startup.

Here's what I've done:
Copy your .xinitrc to .xsession

Copy (or modify in place) /etc/X11/xenodm/xenodm-config to $HOME

Edit xenodm-config and add
DisplayManager*autoLogin:  yourusername

Comment out the call to Xsetup so you don't get the xconsole window
!DisplayManager._0.setup: /etc/X11/xenodm/Xsetup_0

Then you can alias it to run it on demand.  Alias to startx if you want.
alias xenodm='doas xenodm -config /home/myusername/xenodm-config'


Only thing I never figured out is how to make X and xenodm shutdown when I
exit my window manager.



Re: apu2 em0/dhclient problems

2019-01-27 Thread trondd
On Sun, January 27, 2019 12:44 pm, Edgar Pettijohn wrote:
> I'm trying to replace my dying soekris box with an apu2 dmesg below.
> However, I can't seem to get em0 to connect to my isp. It will work
> when connecting to the soekris box though. So I don't think it's the
> interface that is the problem. But everything I try seems to rule out
> each other as the problem, leaving me in a vicious cycle.
>
> I'm going to try disabling pf and after that current. If you have
> any other suggestions please send them.
>
> Thanks,
>
> edgar

Does your ISP whitelist by MAC address?


>
> OpenBSD 6.4 (GENERIC.MP) #364: Thu Oct 11 13:30:23 MDT 2018
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 1996152832 (1903MB)
> avail mem = 1926434816 (1837MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.7 @ 0x77fb7020 (7 entries)
> bios0: vendor coreboot version "4.0.7" date 02/28/2017
> bios0: PC Engines APU2
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S1 S2 S3 S4 S5
> acpi0: tables DSDT FACP SSDT APIC HEST SSDT SSDT HPET
> acpi0: wakeup devices PWRB(S4) PBR4(S4) PBR5(S4) PBR6(S4) PBR7(S4)
> PBR8(S4) UOH1(S3) UOH3(S3) UOH5(S3) XHC0(S4)
> acpitimer0 at acpi0: 3579545 Hz, 32 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: AMD GX-412TC SOC, 998.27 MHz, 16-30-01
> cpu0:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,DBKP,PERFTSC,PCTRL3,ITSC,BMI1,XSAVEOPT
> cpu0: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 2MB
> 64b/line 16-way L2 cache
> cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully
> associative
> cpu0: DTLB 40 4KB entries fully associative, 8 4MB entries fully
> associative
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> cpu0: apic clock running at 99MHz
> cpu0: mwait min=64, max=64, IBE
> cpu1 at mainbus0: apid 1 (application processor)
> cpu1: AMD GX-412TC SOC, 998.13 MHz, 16-30-01
> cpu1:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,DBKP,PERFTSC,PCTRL3,ITSC,BMI1,XSAVEOPT
> cpu1: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 2MB
> 64b/line 16-way L2 cache
> cpu1: ITLB 32 4KB entries fully associative, 8 4MB entries fully
> associative
> cpu1: DTLB 40 4KB entries fully associative, 8 4MB entries fully
> associative
> cpu1: smt 0, core 1, package 0
> cpu2 at mainbus0: apid 2 (application processor)
> cpu2: AMD GX-412TC SOC, 998.13 MHz, 16-30-01
> cpu2:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,DBKP,PERFTSC,PCTRL3,ITSC,BMI1,XSAVEOPT
> cpu2: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 2MB
> 64b/line 16-way L2 cache
> cpu2: ITLB 32 4KB entries fully associative, 8 4MB entries fully
> associative
> cpu2: DTLB 40 4KB entries fully associative, 8 4MB entries fully
> associative
> cpu2: smt 0, core 2, package 0
> cpu3 at mainbus0: apid 3 (application processor)
> cpu3: AMD GX-412TC SOC, 998.13 MHz, 16-30-01
> cpu3:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,DBKP,PERFTSC,PCTRL3,ITSC,BMI1,XSAVEOPT
> cpu3: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 2MB
> 64b/line 16-way L2 cache
> cpu3: ITLB 32 4KB entries fully associative, 8 4MB entries fully
> associative
> cpu3: DTLB 40 4KB entries fully associative, 8 4MB entries fully
> associative
> cpu3: smt 0, core 3, package 0
> ioapic0 at mainbus0: apid 4 pa 0xfec0, version 21, 24 pins
> ioapic1 at mainbus0: apid 5 pa 0xfec2, version 21, 32 pins, remapped
> acpihpet0 at acpi0: 14318180 Hz
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus -1 (PBR4)
> acpiprt2 at acpi0: bus 1 (PBR5)
> acpiprt3 at acpi0: bus 2 (PBR6)
> acpiprt4 at acpi0: bus 3 (PBR7)
> acpiprt5 at acpi0: bus 4 (PBR8)
> acpicpu0 at acpi0: C2(0@400 io@0x1771), C1(@1 halt!), PSS
> acpicpu1 at acpi0: C2(0@400 io@0x1771), C1(@1 halt!), PSS
> acpicpu2 at acpi0: C2(0@400 io@0x1771), C1(@1 halt!), PSS
> acpicpu3 at acpi0: C2(0@400 io@0x1771), C1(@1 halt!), PSS
> acpibtn0 at 

Re: relayd: Layer 7 proxy: forward failed

2018-12-07 Thread trondd
On Thu, December 6, 2018 12:04 pm, Leo Unglaub wrote:
> Hi,
> i am trying to use relayd as an outbound proxy. I am following the
> manual page and also the book "Httpd and Relayd Mastery". I did this on
> the latest release 6.4 and also on the latest snapshot to make sure this
> was not already fixed somewhere. I am on amd64.
>
> My relayd config looks like this:
>
>> # cat /etc/relayd.conf
>> relay "proxy" {
>> listen on 127.0.0.1 port 8080
>> forward to destination
>> }
>>
>> relay "proxy2" {
>> listen on 192.168.0.19 port 9090
>> forward to destination
>> }
>
>
> I use this command to open up a connection from a different host in the
> network:
>
>> $ curl -i -x 192.168.0.19:9090 openbsd.org
>
> I used the following command when i am on the same host:
>
>> $ curl -i -x 127.0.0.1:8080 openbsd.org
>

I don't have the time to set this up to test, so just throwing ideas out.

Doesn't this set up a transparent relay?  Should you be configuring a
proxy with curl in this case?  Did you try it without?

>
> I get the same error every time:
>> # relayd -df /etc/relayd.conf
>> startup
>> pfe: filter init done
>> socket_rlimit: max open files 1024
>> socket_rlimit: max open files 1024
>> socket_rlimit: max open files 1024
>> socket_rlimit: max open files 1024
>> parent_tls_ticket_rekey: rekeying tickets
>> relay_privinit: adding relay proxy
>> protocol -1: name default
>> flags: used, relay flags: divert
>> tls session tickets: disabled
>> type: tcp
>> relay_privinit: adding relay proxy2
>> protocol -1: name default
>> flags: used, relay flags: divert
>> tls session tickets: disabled
>> type: tcp
>> init_tables: created 0 tables
>> relay_launch: running relay proxy
>> relay_launch: running relay proxy
>> relay_launch: running relay proxy2
>> relay_launch: running relay proxy
>> relay_launch: running relay proxy2
>> relay_launch: running relay proxy2
>> relay_connect: session 1: forward failed: Operation not permitted
>> relay_close: sessions inflight decremented, now 0
>
>
> I used the following addition to the default pf.conf.
>> pass in on egress inet proto tcp to port 80 divert-to 127.0.0.1 port
>> 8080
>

If you're connecting from inside the network, is 'in on egress' the
correct interface here?


>
>
> Is this a bug in my setup or a problem with relayd?
>
> I also tried the entire config from the book "Httpd and Relayd Mastery"
> and even when i type it down 1 by 1 i get the same error.
>
> Thanks and greetings
> Leo
>



Re: procmail and new grammar in smtpd.conf

2018-12-05 Thread trondd
On Wed, December 5, 2018 6:22 am, Eda Sky wrote:
>
> the original rule is
>
> accept from any for domain "example.com" alias  deliver to mda
> "/usr/local/bin/procmail -f -"
>
> I do not know how to write new rules.
> Everything I'm trying to do ends with syntax error.
>

What have you tried?



Re: Core Dev?

2018-12-04 Thread trondd
On Tue, December 4, 2018 6:50 am, Ahmad Bilal wrote:
>
> @Marc: Thanks for the information, but based on what you said, what would
> you consider as 'official' then? Just curious.
>

Let go of this concept.  These are your systems.  You're the only
official.  If you want to build an AMI for AWS, you have to understand how
that process works then looking at Antoine's scripts to see if that is
what they do is trivial.  If you want security, you have to know what that
means.  "Official" or not is irrelevant.  You can't avoid your own due
diligence by passing that responsibility onto some imagined authority.

> And no, I'm not on OpenBSD at all 'yet'. I was basically on CentOS for a
> long time. Then recently shifted to FreeBSD, and I'm considering to use
> OpenBSD now (and for foreseeable future)
>

If you're new to OpenBSD, that's great.  But that means you shouldn't be
running anything mission critical on OpenBSD if you don't know much about
it yet.  In which case, experiment.  Run whatever looks reasonably like it
might be good and see what it does.  If it makes a mess, blow it away and
start over.  Read the man pages for the commands a script runs.  Ask
specific questions if it gets down in the weeds and you can't figure out
what something is doing.  There is absolutely no difference in what's
"official" or not.  Stuff works, and is good, or it isn't.  You have to
learn the difference.



Re: Cannot mount install.fs disk image to create custom auto_install.conf based USB flash drive

2018-11-11 Thread trondd
On Sun, November 11, 2018 4:28 pm, Andrew Lemin wrote:
>
> 4b) Mount new vnd1c device (this is where I'm stuck)
>
> ** Here is where I get lost. All the guides refer only to using
> install.iso (whos 'a:' and 'c:' partitions are ISO9660 filetypes - for CD
> based installs), but I need to use the install.fs (for USB based installs)
> **
>
> fw1# mount /dev/vnd1c /mnt
> mount_ffs: /dev/vnd1c on /mnt: Invalid argument
> fw1# mount -t cd9660 /dev/vnd1c /mnt
> mount_cd9660: /dev/vnd1c on /mnt: Invalid argument
> fw1# mount -t msdos /dev/vnd1c /mnt
> mount_msdos: /dev/vnd1c on /mnt: not an MSDOS filesystem
> fw1# mount -t ext2fs /dev/vnd1c /mnt
> mount_ext2fs: /dev/vnd1c on /mnt: Input/output error
>
> As you can see, none of the the types I know about are working?
>

Perhaps the filesystem type isn't the problem.


> bsd1# disklabel vnd1
> # /dev/rvnd1c:
> type: vnd
> disk: vnd device
> label: fictitious
> duid: e5445c1e269855f0
> flags:
> bytes/sector: 512
> sectors/track: 100
> tracks/cylinder: 1
> sectors/cylinder: 100
> cylinders: 7382
> total sectors: 738240
> boundstart: 1024
> boundend: 737280
> drivedata: 0
> 16 partitions:
> #size   offset  fstype [fsize bsize   cpg]
>   a:   736256 1024  4.2BSD   2048 16384 16142
>   c:   7382400  unused
>   i:  960   64   MSDOS
>
> I cannot work out what the filesystem should be? It shows as 'unused'
> here.
>

c isn't a real partition.  It represents the whole disk.  Read the
disklabel output again.




Re: mail doesn't read mail from /var/mail/root

2018-11-08 Thread TronDD



On November 8, 2018 1:39:13 AM CST, ivp...@eml.cc wrote:
>Hello,
>
>I must be missing something obvious, but since installing 6.4-current
>(on a few versions in a row), I can't get mail to read /var/mail/root.
>
>After logging in, I see:
>
>>---<
>OpenBSD 6.4-current (GENERIC.MP) #425: Sun Nov 4
>
>[... skipped ...]
>
>You have mail.
>thor# mail
>No mail for root
>thor# mail -f /var/mail/root
>Mail version 8.1.2 01/15/2001.  Type ? for help.
>"/var/mail/root": 0 messages
>thor# ls -l /var/mail/root
>-rw---  1 root  wheel   3.9K Oct 20 00:37 /var/mail/root
>thor# head /var/mail/root
>From dera...@do-not-reply.openbsd.org Sun Nov 1 06:30:00 MDT 2018
>Return-Path: root
>Date: Nov 1 06:30:00 MDT 2018
>From: dera...@do-not-reply.openbsd.org (Theo de Raadt)
>To: root
>Subject: Welcome to OpenBSD 6.4!
>
>This message attempts to describe the most basic initial questions that
>a
>system administrator of an OpenBSD box might have.  You are urged to
>save
>this message for later reference.
>>--<
>
>I also remember that I had this problem since the first time I
>installed 6.4-current on my new laptop.
>
>I do receive local mail (e.g., from crontab) for a non-privileged user
>created during setup.
>
>Any ideas of what might be going on?
>
>Best,
>ivpgbe

It's because the Welcome email that gets sent to root and the user created 
during install is dated in the future.  It has the initial planned release date 
of Nov. 1st.  Mail(1) can't seem to see into the future.



Re: Severe clock problems with OpenBSD VM on OpenBSD Host

2018-11-04 Thread trondd
On Sat, November 3, 2018 7:10 pm, Stefan Arentz wrote:
> Hi everyone,
>
> I am having an issue where an OpenBSD VM running on vmd is having
> serious clock skew issues.
>
> I am relatively new to OpenBSD, so I am not sure how to properly debug
> this. What I hope is that I can provide a good amount of data and folks
> here can give me some hints and ask me for additional information to
> get to the root cause of this.
>
> So first some facts and symptoms:
>
> - Both Host and Guest are running OpenBSD 6.4. The host runs GENERIC.MP
>   and the guest GENERIC.
> - The host runs 50 guests, all OpenBSD (openbsd.amsterdam)
> - Only this VM is having this clock issue (is this correct, or were
>   there others?)
>
> - The guest has kern.timecounter.hardware=tsc
> - The time on the VM was set with rdate a couple of days ago, and as of
>   now the VM is running about 4 hours behind.
> - ntpd is running (main process, dns engine, ntp engine)
> - when started or restarted, ntpd complains about "pipe write error
>   (from main): No such file or directory" but does seem to start
>
> - I just ran rdate nl.pool.ntp.org and the date was properly updated
> - One minute after running rdate, the clock is already 7 seconds slow
>
> - The guest also has some severe networking issues. often I cannot type
>   more than a few characters before a ~15 second delays happens.
>   Interactive typing is difficult.
> - I can SSH into the Host and have none of these issues, ruling out
>   connectivity issues between me (Toronto) and the Host (Amsterdam)
>
> It would be easy to blame this on NTPd, which does have an unexplained
> error message. However, I think even without running NTPd, the clock
> skew should not be this extreme.
>
> Somehow I have a gut feeling that the clock issues and the networking
> issues are related.
>
> I am root on the VM but I am not on the host. I do have vmctl access.
> However, the host admin is friendly (Hi Mischa) and is happy to help to
> debug this issue.
>
> I tried to ktrace ntpd to get more insight in the "pipe write error
> (from main): No such file or directory" error but I did not get useful
> info out of it. This may be because of my unfamiliarity with those
> tools.
>
> Help appreciated :-)
>
>  S.
>

VMM VMs do have clock issues.  tsc and ntpd should be enough, though (at
least with only a couple VMs it is).  Is ntpd doing anything?  What does
'ntpctl -sa' say?

I think that error is causing ntpd to exit (one of the child procs, if not
the whole thing).



Re: smtpd new "relay as" syntax?

2018-10-31 Thread TronDD



On October 31, 2018 5:31:44 PM EDT, "Paul B. Henson"  wrote:
>I just upgraded to OpenBSD 6.4, and I'm trying to figure out how to do
>this with the new syntax:
>
>accept from local for any relay via smtp://smtp.domain.com as
>"@domain.com"
>
>This would rewrite the outbound message to masquerade as being from the
>TLD rather than a specific machine. Right now I've got:
>
>action local_relay relay host smtp.domain.com
>match from local for any action local_relay
>
>But this doesn't do the rewriting. The only thing I see in the man page
>talks about 'senders  [masquerade]' which seems to be for
>authenticated users.
>
>Am I missing something obvious?
>
>Thanks...

Mail-from in the action options, I believe.



Re: acme-client memory setup failure

2018-10-28 Thread TronDD



On October 28, 2018 12:09:02 AM EDT, "연락 연락"  wrote:
>Thank you indeed for your reply, trondd.
>Yes, I added certificate(s) to cert.pem, probably more than one time so
>far.
>But the size looks not much bigger than normal one that I see from 
>another host.
>size of the cert.pem modified(?): 357***
>size of cert.pem I see from another host where I didn't add anything to
>
>the cert.pem: 349***
>
>Do you think 357*** is too big?
>How did you solve the issue?
>What can I do if something went wrong when I added certificates or when
>
>upgrading openbsd and adding the certificates again?
>

Put the original cert.pem back and see if it solves the issue first.


>If the router/gateway before the host has been changed so the cert.pem 
>of the gateway is not the same of the previous one, can it be also a 
>matter?
>
>

The cert.pem only matters on the machine making the SSL connection.


>On 28/10/2018 04:54, trondd wrote:
>> On Sat, October 27, 2018 6:19 am, 연락 연락 wrote:
>>> Dear misc,
>>>
>>> I am getting an error saying "ssl verify memory setup failure"
>whenever
>>> I try to renew existing certificates on a host -- Openbsd 6.3,
>httpd,
>>> acme-client.
>>> Recently there were changes in a few configurations, including
>network,
>>> name servers, etc.
>>>
>>> The below is all I get when I try command acme-client -vv
>example.com:
>>>
>>> ..domain key
>>> ..account key
>>> ..cert ...days left
>>> ..directory
>>> ..DNS: (some ip)
>>> (some ip):tls_connect_socket: acme-v01.api.letsencrypt.org, ssl
>verify
>>> memory setup failure
>>> ..bad comm
>>> bad exit...
>>>
>>> Could someone let me know what could cause the ssl verify memory
>setup
>>> failure, or if the memory setup failure could be some kind of common
>>> error, such as something occurred by memory configuration, such as
>in
>>> login.conf?
>>>
>>> For your information, those worked before. Recently thinking about
>>> hardware issues, especially for RAM.
>>> Because I can't share detailed configurations, names, etc., I am
>>> wondering if someone could kindly give some advice on the above
>>> information.
>>>
>>> Any help and your time would be greatly appreciated indeed.
>>>
>> 
>> Did you modify certs.pem?  I've run into this when accidentally
>adding
>> certs multiple times growing the file too big or writing a DOS
>formatted
>> cert to it.
>> 



Re: acme-client memory setup failure

2018-10-27 Thread trondd
On Sat, October 27, 2018 6:19 am, 연락 연락 wrote:
> Dear misc,
>
> I am getting an error saying "ssl verify memory setup failure" whenever
> I try to renew existing certificates on a host -- Openbsd 6.3, httpd,
> acme-client.
> Recently there were changes in a few configurations, including network,
> name servers, etc.
>
> The below is all I get when I try command acme-client -vv example.com:
>
> ..domain key
> ..account key
> ..cert ...days left
> ..directory
> ..DNS: (some ip)
> (some ip):tls_connect_socket: acme-v01.api.letsencrypt.org, ssl verify
> memory setup failure
> ..bad comm
> bad exit...
>
> Could someone let me know what could cause the ssl verify memory setup
> failure, or if the memory setup failure could be some kind of common
> error, such as something occurred by memory configuration, such as in
> login.conf?
>
> For your information, those worked before. Recently thinking about
> hardware issues, especially for RAM.
> Because I can't share detailed configurations, names, etc., I am
> wondering if someone could kindly give some advice on the above
> information.
>
> Any help and your time would be greatly appreciated indeed.
>

Did you modify certs.pem?  I've run into this when accidentally adding
certs multiple times growing the file too big or writing a DOS formatted
cert to it.
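An added check (not from any post in this thread) for the two cert.pem mistakes described above: the same certificate appended more than once, and a DOS-formatted (CRLF) certificate written into the bundle. It is stdlib Python; the bundle it runs on is constructed inline and its bodies are not real DER.

```python
import base64
import hashlib
import re

# One PEM block: label, base64 body, matching END line. CRLF is tolerated so
# DOS-formatted blocks are found and counted rather than silently skipped.
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)


def audit_cert_bundle(data: bytes) -> dict:
    """Audit a PEM bundle such as /etc/ssl/cert.pem.

    Reports the number of CERTIFICATE blocks, which blocks repeat an earlier
    one (same DER bytes), how many blocks use CRLF line endings, and how many
    have a body that is not valid base64. Block numbers are 1-based and count
    CERTIFICATE blocks only; other labels (keys, CRLs) are ignored.
    """
    text = data.decode("ascii", errors="replace")
    first_seen = {}
    report = {"certificates": 0, "duplicates": [], "crlf_blocks": 0,
              "undecodable": 0}
    for m in PEM_BLOCK_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        if label != "CERTIFICATE":
            continue
        report["certificates"] += 1
        n = report["certificates"]
        if "\r" in m.group(0):
            report["crlf_blocks"] += 1
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            report["undecodable"] += 1
            continue
        digest = hashlib.sha256(der).hexdigest()
        if digest in first_seen:
            report["duplicates"].append((n, first_seen[digest]))
        else:
            first_seen[digest] = n
    return report


def pem_block(payload: bytes, crlf: bool = False) -> str:
    """Wrap payload as a CERTIFICATE block (constructed test data, not DER)."""
    nl = "\r\n" if crlf else "\n"
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return nl.join(["-----BEGIN CERTIFICATE-----", *lines,
                    "-----END CERTIFICATE-----"]) + nl


# Constructed bundle: A, B, A again (the double-append mistake), a
# DOS-formatted C, and a block whose body is not base64 at all.
SAMPLE_BUNDLE = (
    pem_block(b"constructed payload A, not a real certificate")
    + pem_block(b"constructed payload B, not a real certificate")
    + pem_block(b"constructed payload A, not a real certificate")
    + pem_block(b"constructed payload C, not a real certificate", crlf=True)
    + "-----BEGIN CERTIFICATE-----\nthis is not base64 !!\n"
      "-----END CERTIFICATE-----\n"
).encode("ascii")


if __name__ == "__main__":
    # On a real system: audit_cert_bundle(open("/etc/ssl/cert.pem", "rb").read())
    print(audit_cert_bundle(SAMPLE_BUNDLE))
```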



Re: httpd and cgi

2018-10-04 Thread trondd
On Thu, October 4, 2018 12:54 pm, Kihaguru Gathura wrote:
> Hi,
>
> For the following httpd setup, cgi scripts give a 403 Page not found
> on browser. However after removing the line:
>
> location "/*" {
> authenticate "Staff Only" with "/htpasswds"
> }
>
> cgi scripts run fine but no authentication for document root of course.
>
> Please explain the situation.
>
>
>
> ...
># $OpenBSD: httpd.conf,v 1.18 2018/03/23 11:36:41 florian Exp $
>
> server "xyz.co.ke" {
> listen on * port 80
> listen on :: port 80
> location "/.well-known/acme-challenge/*" {
> root "/acme"
> root strip 2
> }
> location * {
> block return 302 "https://$HTTP_HOST$REQUEST_URI"
> }
> }
>
> server "xyz.co.ke" {
> listen on * tls port 443
> listen on :: tls port 443
> hsts
> tls {
> certificate "/etc/ssl/xyz.co.ke.fullchain.pem"
> key "/etc/ssl/private/xyz.co.ke.key"
> }
> location "/.well-known/acme-challenge/*" {
> root "/acme"
> root strip 2
> }
> root "/xyz.co.ke"
> location "/*" {
> authenticate "Staff Only" with "/htpasswds"
> }
>
> location "/public/*" {
> directory auto index
> }
> location "/xyz/*" {
> root "/"
> fastcgi
> authenticate "Staff Only" with "/htpasswds"
> }
> }
> ..
>
> Thank you,
>
> Regards
>
> Kihaguru.
>

Move the location "/*" block to the bottom of the server block after the
specific paths.


location path {...}
Specify server configuration rules for a specific location. The path
argument will be matched against the request path with shell globbing
rules. In case of multiple location statements in the same context,
the first matching location statement will be put into effect, while
all later ones will be ignored. Therefore it is advisable to match for
more specific paths first and for generic ones later on.



Re: Let's Encrypt Error with cgit, httpd, acme-client

2018-08-27 Thread trondd
On Sun, August 26, 2018 4:40 pm, Parikh, Samir wrote:
>
> I guess my only remaining question is how did you know I needed to make
> this change?  I know the OpenBSD documentation is really good but I'm
> still fascinated how people manage to sort things like this out.  Maybe
> it's just pure experience?
>
> Either way, thanks again!
>
> Samir
>

It's part experience, part reading the output and logs, and part just
trying things.  I didn't know what the solution was.  I looked at
/etc/examples/httpd.conf, looked at the errors and made changes.

Be explicit in the configuration.  The 'root' without a 'location' wasn't
explicit so I didn't know how it got interpreted.  Put it in a 'location'.
And most configurations on OpenBSD have an order to their evaluation. 
Some are first match wins, some are last match wins, so move things
around.

Tim.



Re: Let's Encrypt Error with cgit, httpd, acme-client

2018-08-22 Thread trondd
On Wed, August 22, 2018 1:23 pm, Parikh, Samir wrote:
> flipchan wrote on 22/08/18 01:19:
>> Try removing all keys in the ssl directory aswell as
>> /etc/acme/letsencrypt-privkey.pem
>
> Thank you for your suggestion! I tried that and still received a similar
> error:
>
> # acme-client -vAD git.example.com
> acme-client: /etc/ssl/private/git.example.com.key: domain key exists
> (not creating)
> acme-client: /etc/acme/letsencrypt-privkey.pem: generated RSA account key
> acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
> acme-client: acme-v01.api.letsencrypt.org: DNS: 23.203.86.101
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-reg: new-reg
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz:
> req-auth: git.example.com
> acme-client: /var/www/acme/tkQw_0qDhDjEgxvy5WNZKuyhjPQwRHvIgT3nbGrCAI0:
> created
> acme-client:
> https://acme-v01.api.letsencrypt.org/acme/challenge/qG_m-oh4J3c4mTSsdOoVZmOg3EpLwXQn1zRHgDTtwgM/6689241118:
> challenge
> acme-client:
> https://acme-v01.api.letsencrypt.org/acme/challenge/qG_m-oh4J3c4mTSsdOoVZmOg3EpLwXQn1zRHgDTtwgM/6689241118:
> status
> acme-client:
> https://acme-v01.api.letsencrypt.org/acme/challenge/qG_m-oh4J3c4mTSsdOoVZmOg3EpLwXQn1zRHgDTtwgM/6689241118:
> bad response
> acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid",
> "error": { "type": "urn:acme:error:unauthorized", "detail": "Invalid
> response from
> http://git.example.com/.well-known/acme-challenge/tkQw_0qDhDjEgxvy5WNZKuyhjPQwRHvIgT3nbGrCAI0:
> \"\u003c!DOCTYPE
> html\u003e\n\u003chtml\u003e\n\u003chead\u003e\n\u003cmeta
> http-equiv=\"Content-Type\" content=\"text/html;
> charset=utf-8\"/\u003e\n\u003ctitle\u003e500 Internal Server Er\"",
> "status": 403 }, "uri":

Clearly, Let's Encrypt can't access the file on your server.  The easiest
way to debug is to drop an html file into /acme and go to your server
/.well-known/acme-challenge/file.html in a browser and see what happens.

I could reproduce the 500 error in a browser with your config.  I had to
do 2 things to fix it (which may or may not break cgit).

Wrap your general root "/cgi-bin/cgit.cgi" and fastcgi socket in a
location "*" {} block and then move that block to the bottom of the server
block under location ".well-known..."

This works for me (you might need to fix the "request strip" line as I am
on some version of -current).  The cgit location might need to move as
well, I didn't test further.

server "localhost" {
listen on 127.0.0.1 port 80
#serve the cgit static files directly
location "/cgit.*" {
root "/cgit"
no fastcgi
}
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
# cgit CGI
location "*" {
root "/cgi-bin/cgit.cgi"
fastcgi socket "/run/slowcgi.sock"
}
}
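An added illustration (not from any post in these threads) of the first-match rule quoted from httpd.conf(5) in the "httpd and cgi" thread and of the reordering done here for cgit: a small Python model of location matching. It assumes httpd's globbing lets '*' span '/' (fnmatch(3) without FNM_PATHNAME), which is also how Python's fnmatch.fnmatchcase behaves, so "/*" matches "/xyz/a.cgi".

```python
import fnmatch

# Location globs in the order they appear in the server block, constructed
# from the two httpd.conf snippets quoted in these threads.
KIHAGURU_ORDER = [
    "/.well-known/acme-challenge/*",
    "/*",            # catch-all placed before the specific paths
    "/public/*",
    "/xyz/*",
]

KIHAGURU_FIXED = [
    "/.well-known/acme-challenge/*",
    "/public/*",
    "/xyz/*",
    "/*",            # catch-all moved to the bottom, as suggested
]

CGIT_ORDER = [
    "/cgit.*",
    "/.well-known/acme-challenge/*",
    "*",             # cgit CGI catch-all, last
]


def match_location(locations, request_path):
    """Return the first location glob that matches request_path, or None.

    Models the httpd.conf(5) rule: the request path is matched with shell
    globbing and the first matching location statement wins; later ones
    are ignored. Assumed: '*' may span '/', as fnmatchcase does.
    """
    for pattern in locations:
        if fnmatch.fnmatchcase(request_path, pattern):
            return pattern
    return None


def shadowed_locations(locations):
    """Heuristically list location blocks that can never be reached.

    For each glob a representative path is built by replacing '*' with
    'x'; if an earlier glob claims that path first, the later block is
    dead configuration. This catches the ordering mistake in the thread,
    though a glob can still be partly shadowed in ways one probe misses.
    """
    dead = []
    for pattern in locations:
        probe = pattern.replace("*", "x")
        if match_location(locations, probe) != pattern:
            dead.append(pattern)
    return dead


if __name__ == "__main__":
    for name, order in (("original", KIHAGURU_ORDER),
                        ("fixed", KIHAGURU_FIXED),
                        ("cgit", CGIT_ORDER)):
        print(name, "/xyz/index.cgi ->", match_location(order, "/xyz/index.cgi"),
              "shadowed:", shadowed_locations(order))
```

With the original order every request, including /xyz/..., lands in the "/*" block, so the fastcgi block for "/xyz/*" is never consulted.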





Re: dump/restore and crontab(5)

2018-07-02 Thread trondd
On Mon, July 2, 2018 10:26 am, Ed Ahlsen-Girard wrote:
> On Mon, 2 Jul 2018 09:25:37 -0400
> "trondd"  wrote:
>
>> On Mon, July 2, 2018 8:14 am, Ed Ahlsen-Girard wrote:
>>  [...]
>>
>> I'd have to look later to see if my dumps are correctly grabbing the
>> crontabs.  But first, try looking in /var/backups either on disk, or
>> in your dump.
>>
>> Tim.
>>
>
> In the backups. Thanks.
>
> --
>
> Edward Ahlsen-Girard
> Ft Walton Beach, FL
>

FYI.  dump/restore is correctly saving and restoring my /var/cron/tabs/*
so double check your dump and restore scripts, parameters, whatever.

Tim.



Re: dump/restore and crontab(5)

2018-07-02 Thread trondd
On Mon, July 2, 2018 8:14 am, Ed Ahlsen-Girard wrote:
> Having clobbered my crontab (5) file in error (-r and -e are close) I
> merrily went to my level 0 dump to restore it. It's present on the dump
> (which is to file) but the restored file is zero bytes.
>
> Should I have run those dumps manually instead of as cron jobs?
>
> --
>
> Edward Ahlsen-Girard
> Ft Walton Beach, FL
>

I'd have to look later to see if my dumps are correctly grabbing the
crontabs.  But first, try looking in /var/backups either on disk, or in
your dump.

Tim.



Re: attach chroot-jail to switchd(8) ?

2018-05-24 Thread trondd
On Thu, May 24, 2018 1:28 pm, Claudio Jeker wrote:
> On Thu, May 24, 2018 at 09:22:32AM -0400, trondd wrote:
>> On Wed, May 23, 2018 4:35 am, Thomas Huber wrote:
>> > Hi all,
>> >
>> > I'm just tinkering a little bit and try to mimic some
>> "containerization"
>> > on
>> > OpenBSD with chroot. Is it somehow possible to attach a chrooted
>> > environment to switchd(8) ?
>> >
>> > Thanks
>> > Thomas
>> >
>>
>> OpenBSD's chroot is not like a Linux container or FreeBSD jail.  There
>> is
>> no network isolation.  Inside the chroot, you get all the same
>> interfaces,
>> IP's, routes, ports as on the "host" or in another chroot.  So doing
>> anything with the network in the chroot is exactly as same as doing it
>> normally.
>>
>> If you want to isolate, you probably need vether or tap or the like to
>> make virtual interfaces and manually tie them to whatever you have
>> running
>> in the chroots and manually set up proxies or whatever you need to make
>> services accessible.
>>
>
> This is only partially true. If you use alternate routing tables or
> rdomain, route -T  exec will get you network isolation. Processes can
> not change the rtable unless they run as superuser. It is not perfect but
> neither is the linux or freebsd solution when it comes to networking.
>
> --
> :wq Claudio
>

Sorry, yes.  I meant to mention rdomains, which I think is a pretty cool
option worth tinkering with.



Re: attach chroot-jail to switchd(8) ?

2018-05-24 Thread trondd
On Wed, May 23, 2018 4:35 am, Thomas Huber wrote:
> Hi all,
>
> I'm just tinkering a little bit and try to mimic some "containerization"
> on
> OpenBSD with chroot. Is it somehow possible to attach a chrooted
> environment to switchd(8) ?
>
> Thanks
> Thomas
>

OpenBSD's chroot is not like a Linux container or FreeBSD jail.  There is
no network isolation.  Inside the chroot, you get all the same interfaces,
IP's, routes, ports as on the "host" or in another chroot.  So doing
anything with the network in the chroot is exactly as same as doing it
normally.

If you want to isolate, you probably need vether or tap or the like to
make virtual interfaces and manually tie them to whatever you have running
in the chroots and manually set up proxies or whatever you need to make
services accessible.



Re: stop syslogd from opening port 514 UDP

2018-03-16 Thread trondd
On Fri, March 16, 2018 6:42 am, Torsten wrote:
> I know I could use PF as a workaround

Really?  I wouldn't consider blocking incoming connections to unused
ports by default to be a workaround, but a necessity.



Re: Opensmtpd authentication error

2018-03-07 Thread trondd
On Wed, March 7, 2018 10:06 am, flipchan wrote:
> smtpctl encrypt mypassword
>
> Then syntax
> user:password ?
>
> On March 6, 2018 9:46:26 PM UTC, trondd <tro...@kagu-tsuchi.com> wrote:
>>On Tue, March 6, 2018 1:48 pm, flipchan wrote:
>>> Hello,
>>> im trying to create a mail server and i keep getting opensmtpd
>>> authentication fail
>>>
>>>
>>> i tried using neomutt and regular mutt, but no success
>>>
>>>
>>> tail -f /var/log/maillog
>>> Mar  6 18:15:37 mail dovecot: imap-login: Login:
>>user=<u...@mysite.com>,
>>> method=PLAIN, rip=homeip, lip=server, mpid=54071, TLS,
>>> session=
>>> Mar  6 18:15:48 mail dovecot: imap-login: Login:
>>user=<u...@mysite.com>,
>>> method=PLAIN, rip=homeip, lip=server, mpid=11081, TLS,
>>> session=
>>> Mar  6 18:15:55 mail smtpd[77144]: 7b289a2a8f3efe40 smtp
>>event=connected
>>> address=homeip host=homeip
>>> Mar  6 18:15:55 mail smtpd[77144]: 7b289a2a8f3efe40 smtp
>>event=starttls
>>> address=homeip host=homeip ciphers="version=TLSv1.2,
>>> cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256"
>>> Mar  6 18:15:55 mail smtpd[77144]: 7b289a2a8f3efe40 smtp
>>> event=authentication user=user address=homeip host=homeip
>>result=permfail
>>> Mar  6 18:15:56 mail smtpd[77144]: 7b289a2a8f3efe40 smtp
>>> event=failed-command address=homeip host=homeip command="AUTH PLAIN
>>(...)"
>>> result="535 Authentication failed"
>>> Mar  6 18:15:57 mail smtpd[77144]: 7b289a2a8f3efe40 smtp event=closed
>>> address=homeip host=homeip reason=disconnect
>>>
>>>
>>>
>>>
>>>
>>> dovecot works so i can get imap but opensmtpd does work
>>>
>>> im using openbsd6.2
>>>
>>>
>>> # cat /etc/mail/smtpd.conf
>>> pki mail.mysite.com certificate "/etc/ssl/mail.mysite.com.crt"
>>> pki mail.mysite.com key "/etc/ssl/private/mail.mysite.com.key"
>>>
>>> # tables setup
>>> table aliases file:/etc/mail/aliases
>>> table domains file:/etc/mail/domains
>>> table passwd file:/etc/mail/passwd
>>> table virtuals file:/etc/mail/virtuals
>>>
>>> # listen ports setup
>>> #listen on lo0
>>> listen on vio0 port 25 tls-require pki mail.mysite.com
>>> #listen on vio0 port 587 tls-require pki mail.mysite.com auth
>>
>>> listen on vio0 port 587 smtps pki mail.mysite.com auth 
>>> # special case for gmail to avoid ipv6 here
>>> #limit mta for domain gmail.com inet4
>>>
>>> # allow local messages
>>> accept from local for local alias  deliver to lmtp
>>> "/var/dovecot/lmtp" rcpt-to
>>> # allow virtual domains
>>> accept from any for domain  virtual  deliver to
>>lmtp
>>> "/var/dovecot/lmtp" rcpt-to
>>> # allow outgoing mails
>>> accept from local for any relay
>>> #reject from ! source  sender "@mysite.com" for any
>>>
>>>
>>>
>>> both dovecot and smtpd reads passwd's from /etc/mail/passwd and only
>>> dovecot works, think its some kind of smtpd config that is wrong...
>>>
>>
>>Is the password encrypted properly?
>>
>>   In a listener context, the credentials are a mapping of username and
>> encrypted passwords:
>>
>>   user1
>>$2b$10$hIJ4QfMcp.90nJwKqGbKM.MybArjHOTpEtoTV.DgLYAiThuoYmTSe
>>   user2
>>$2b$10$bwSmUOBGcZGamIfRuXGTvuTo3VLbPG9k5yeKNMBtULBhksV5KdGsK
>>
>> The passwords are to be encrypted using the smtpctl(8) encrypt
>> subcommand.
>
> --
> Take Care Sincerely flipchan layerprox dev
>

This comes from the table(5) man page.

The file will be:
username encryptedpassword



Re: Opensmtpd authentication error

2018-03-06 Thread trondd
On Tue, March 6, 2018 1:48 pm, flipchan wrote:
> Hello,
> im trying to create a mail server and i keep getting opensmtpd
> authentication fail
>
>
> i tried using neomutt and regular mutt, but no success
>
>
> tail -f /var/log/maillog
> Mar  6 18:15:37 mail dovecot: imap-login: Login: user=,
> method=PLAIN, rip=homeip, lip=server, mpid=54071, TLS,
> session=
> Mar  6 18:15:48 mail dovecot: imap-login: Login: user=,
> method=PLAIN, rip=homeip, lip=server, mpid=11081, TLS,
> session=
> Mar  6 18:15:55 mail smtpd[77144]: 7b289a2a8f3efe40 smtp event=connected
> address=homeip host=homeip
> Mar  6 18:15:55 mail smtpd[77144]: 7b289a2a8f3efe40 smtp event=starttls
> address=homeip host=homeip ciphers="version=TLSv1.2,
> cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256"
> Mar  6 18:15:55 mail smtpd[77144]: 7b289a2a8f3efe40 smtp
> event=authentication user=user address=homeip host=homeip result=permfail
> Mar  6 18:15:56 mail smtpd[77144]: 7b289a2a8f3efe40 smtp
> event=failed-command address=homeip host=homeip command="AUTH PLAIN (...)"
> result="535 Authentication failed"
> Mar  6 18:15:57 mail smtpd[77144]: 7b289a2a8f3efe40 smtp event=closed
> address=homeip host=homeip reason=disconnect
>
>
>
>
>
> dovecot works so i can get imap but opensmtpd does work
>
> im using openbsd6.2
>
>
> # cat /etc/mail/smtpd.conf
> pki mail.mysite.com certificate "/etc/ssl/mail.mysite.com.crt"
> pki mail.mysite.com key "/etc/ssl/private/mail.mysite.com.key"
>
> # tables setup
> table aliases file:/etc/mail/aliases
> table domains file:/etc/mail/domains
> table passwd file:/etc/mail/passwd
> table virtuals file:/etc/mail/virtuals
>
> # listen ports setup
> #listen on lo0
> listen on vio0 port 25 tls-require pki mail.mysite.com
> #listen on vio0 port 587 tls-require pki mail.mysite.com auth <passwd>
> listen on vio0 port 587 smtps pki mail.mysite.com auth <passwd>
> # special case for gmail to avoid ipv6 here
> #limit mta for domain gmail.com inet4
>
> # allow local messages
> accept from local for local alias <aliases> deliver to lmtp "/var/dovecot/lmtp" rcpt-to
> # allow virtual domains
> accept from any for domain <domains> virtual <virtuals> deliver to lmtp "/var/dovecot/lmtp" rcpt-to
> # allow outgoing mails
> accept from local for any relay
> #reject from ! source  sender "@mysite.com" for any
>
>
>
> both dovecot and smtpd reads passwd's from /etc/mail/passwd and only
> dovecot works, think its some kind of smtpd config that is wrong...
>

Is the password encrypted properly?

 In a listener context, the credentials are a mapping of username and
 encrypted passwords:

   user1 $2b$10$hIJ4QfMcp.90nJwKqGbKM.MybArjHOTpEtoTV.DgLYAiThuoYmTSe
   user2 $2b$10$bwSmUOBGcZGamIfRuXGTvuTo3VLbPG9k5yeKNMBtULBhksV5KdGsK

 The passwords are to be encrypted using the smtpctl(8) encrypt
 subcommand.
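An added check, not part of the thread and not OpenSMTPD code: a lint for the listener credentials table in the shape smtpd.conf(5) describes above (one `user<whitespace>hash` per line, hash produced by smtpctl encrypt, which emits bcrypt). A plaintext or non-bcrypt entry is the kind of mistake that shows up only as result=permfail / "535 Authentication failed" in maillog. The table contents are constructed for the demo; the two bcrypt strings are the ones quoted from the man page.

```python
"""Lint an OpenSMTPD listener credentials table (the file behind
"table passwd file:/etc/mail/passwd").  Added example, not OpenSMTPD code.
Sample table below is constructed; the two $2b$ hashes are the smtpd.conf(5)
examples."""
import re

# bcrypt as written by smtpctl encrypt: $2b$<cost>$<22-char salt + 31-char hash>
BCRYPT_RE = re.compile(r"^\$2[ab]\$\d{2}\$[./A-Za-z0-9]{53}$")

SAMPLE_TABLE = """\
# user <whitespace> encrypted password   (constructed sample)
user1  $2b$10$hIJ4QfMcp.90nJwKqGbKM.MybArjHOTpEtoTV.DgLYAiThuoYmTSe
user2  $2b$10$bwSmUOBGcZGamIfRuXGTvuTo3VLbPG9k5yeKNMBtULBhksV5KdGsK
user3  hunter2
user4  $1$saltsalt$4bd3edd2a4fe6b4c7aef48f0e2f31f6c
user5
"""


def lint_credentials(text):
    """Return (ok_users, problems); problems is a list of (line_no, message).

    Only the shape is checked: two whitespace-separated fields and a bcrypt
    string in the second.  Anything else will make smtpd reject the AUTH."""
    ok, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # table(5) files skip blanks/comments
            continue
        fields = line.split()
        if len(fields) != 2:
            problems.append((n, "expected 'user hash', got %d field(s)" % len(fields)))
            continue
        user, secret = fields
        if BCRYPT_RE.match(secret):
            ok.append(user)
        elif secret.startswith("$"):
            # some other crypt(3) format; smtpctl encrypt would have given bcrypt
            problems.append((n, "%s: crypt format %s is not bcrypt; re-run smtpctl encrypt"
                             % (user, secret[:3])))
        else:
            problems.append((n, "%s: password is not encrypted; use smtpctl encrypt" % user))
    return ok, problems


if __name__ == "__main__":
    good, bad = lint_credentials(SAMPLE_TABLE)
    print("usable entries:", good)
    for line_no, msg in bad:
        print("line %d: %s" % (line_no, msg))
```

Run it against the real file with `lint_credentials(open("/etc/mail/passwd").read())`; the line numbers in the output are the ones to fix before reloading smtpd.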



Re: Loop problem in sending mail to root

2018-03-05 Thread trondd
On Mon, March 5, 2018 2:45 pm, Chris Bennett wrote:
> That did the trick.
>

For the future, page 2 'Trace subsystem':

https://www.bsdcan.org/2016/schedule/attachments/378_smtpd_cheatsheet.pdf

You can see which rule gets matched.



Re: Loop problem in sending mail to root

2018-03-05 Thread trondd
On Mon, March 5, 2018 1:05 pm, Chris Bennett wrote:
> I cannot get mail to reach root from /etc/daily for example.
> Not sure what I have setup wrong.
> also both femail-chroot and sendmail-mini-chroot fail
> femail: socket: Connection refused
> /var/www/bin/sendmail_mini: connect: Connection refused
> Any help appreciated.
> I also get the from as  instead of <> too.
> Same problem trying to send mail from a local user to another.
>
> bennettconstruction.us is /etc/myname
>
> running 6.2 -stable using openup on i386
> was trying to set up with vmail earlier, still using mbox and mutt.
> Let me know what else is needed for help.
> Also, I would like a clear explanation of what is happening.
> Could only find info about looping between different machines, not on
> same machine. I'd like to understand this problem.
>
> Thanks,
> Chris Bennett
>
>
> maillog:
>
>
> Feb 25 11:17:20 bennettconstruction smtpd[87019]: d6185c5660de72c5 smtp
> event=message address=104.217.196.250 host=bennettconstruction.us
> msgid=b0728562 from=<> to= size=54221 ndest=1
> proto=ESMTP
> Feb 25 11:17:20 bennettconstruction smtpd[87019]: d6185c55538136f0 mta
> event=delivery evpid=561745fbfe51ba45 from=<>
> to= rcpt=<-> source="104.217.196.250"
> relay="104.217.196.250 (bennettconstruction.us)" delay=1s result="Ok"
> stat="250 2.0.0: b0728562 Message accepted for delivery"
> Feb 25 11:17:21 bennettconstruction smtpd[87019]: warn: loop detected
> Feb 25 11:17:21 bennettconstruction smtpd[87019]: d6185c5660de72c5 smtp
> event=failed-command address=104.217.196.250 host=bennettconstruction.us
> command="DATA" result="500 5.4.6 Routing loop detected: Loop detected"
> Feb 25 11:17:21 bennettconstruction smtpd[87019]: d6185c55538136f0 mta
> event=delivery evpid=b07285629425f9ef from=<>
> to= rcpt=<-> source="104.217.196.250"
> relay="104.217.196.250 (bennettconstruction.us)" delay=1s
> result="PermFail" stat="500 5.4.6 Routing loop detected: Loop detected"
> Feb 25 11:17:21 bennettconstruction smtpd[19843]: warn: queue: no return
> path!
> Feb 25 11:17:31 bennettconstruction smtpd[87019]: d6185c5660de72c5 smtp
> event=closed address=104.217.196.250 host=bennettconstruction.us
> reason=quit
> Feb 25 11:17:31 bennettconstruction smtpd[87019]: d6185c55538136f0 mta
> event=closed reason=quit messages=96
>
> smtpd.conf:
>
>
> # $OpenBSD: smtpd.conf,v 1.9 2016/05/03 18:43:45 jung Exp $
>
> # This is the smtpd server system-wide configuration file.
> # See smtpd.conf(5) for more information.
>
> # tables section
> table aliases file:/etc/mail/aliases
> table domains file:/etc/mail/domains
> table passwd file:/etc/mail/passwd
> table virtuals file:/etc/mail/virtuals
>
> # To accept external mail, replace with: listen on all
> #
> #listen on all
>
> #
> mx1 = "104.217.196.250"
> mx2 = "104.217.196.251"
> mx3 = "104.217.196.252"
> mx4 = "104.217.196.253"
> mx5 = "104.217.196.254"
> #all_mx = "{" $mx1 $mx2 "}"
> # $mx3 $mx4 $mx5 "}"
>
> pki mail.capuchado.com certificate "/etc/ssl/mail.capuchado.com.crt"
> pki mail.capuchado.com key "/etc/ssl/private/mail.capuchado.com.key"
> pki mail.bennettconstruction.us certificate
> "/etc/ssl/mail.bennettconstruction.us.crt"
> pki mail.bennettconstruction.us key
> "/etc/ssl/private/mail.bennettconstruction.us.key"
>
> listen on $mx2 port 25 tls pki mail.capuchado.com
> listen on $mx1 port 25 tls pki mail.bennettconstruction.us
>
> # special case for gmail to avoid ipv6 here
> limit mta for domain gmail.com inet4
>
> # allow local messages
> ##accept from local for local alias <aliases> deliver to lmtp "/var/dovecot/lmtp" rcpt-to
> # allow virtual domains
> ##accept from any for domain <domains> virtual <virtuals> deliver to lmtp "/var/dovecot/lmtp" rcpt-to
>
> #pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"
> #pki mail.example.com key "/etc/ssl/private/mail.example.com.key"
> # $OpenBSD: smtpd.conf,v 1.8 2015/12/21 16:25:44 sunil Exp $
>
> # Uncomment the following to accept external mail for domain "example.org"
> #
> # accept from any for domain "example.org" alias <aliases> deliver to mbox
> ##accept for local alias <aliases> deliver to mbox
> accept from local for any relay
> accept from any for domain "bennettconstruction.us" alias <aliases> deliver to mbox
> accept from any for domain "ed-bennett.com" alias <aliases> deliver to mbox
> accept from any for domain "capuchado.com" alias <aliases> deliver to mbox
>

First matching rule wins.  Are you relaying to yourself?  Try moving that
to the bottom.



Re: Upgrade 6.1->6.2 fails with "id 0 on/: file system full"

2018-02-20 Thread trondd
On Tue, February 20, 2018 8:34 am, Nicolas Schmidt wrote:
> Hey,
>
> it's me again, still trying to upgrade to 6.2.
>
> After choosing to skip verification and continue the upgrade process, I
> now immediately get the following error:
>
> Installing bsd0% |
> id 0 on /: file system full
>
> /: write failed, file system full
> ftp: Writing -: No space left on device
>
> Going to a shell, "df" reveals
>
> Filesystem   512-blocks    Used    Avail  Capacity  Mounted on
> /dev/rd0a          6143    6116       27      100%  /
> /dev/sd2a       2057756  179068  1775804        9%  /mnt
> .
> .
> .
>
> To me it seems, the install script is trying to install the kernel on the
> ram disk mounted on / instead of the actual root partition mounted on /mnt
> (sd2 is the volume I chose for installation; it's a RAID 1). Since the ram
> disk is full, this of course has to fail.
>
> Any suggestions?
>
> Best regards and thanks for your help,
> Nicolas
>

This just came up on Daemonforums.  The user had a symlink pointing to an
absolute path starting with /.  The installer follows that symlink to the
ramdisk / instead of /mnt.

http://daemonforums.org/showthread.php?p=63885

Tim.



Re: SWAP should always be inside crypto softRAID, right? (For OS crash dump data to be encrypted.)

2018-02-08 Thread trondd
On Thu, February 8, 2018 1:49 pm, Tinker wrote:
> Hi misc@,
>
> I looked through previous discussions on whether a SWAP partition
> should be inside or outside the RAID partition when making a crypto
> softraid.
>
> The only argument I stumbled into was that it should be outside because
> swap is encrypted anyhow and it would be unnecessary to double-encrypt
> the swap.
>
>
> That seems like a weak argument to me, because swap is generally used
> rarely and so speed does not really matter anyhow, and, the swap
> partition is always used also as dump partition, and dumps are *not*
> encrypted.
>
> For the case that a dump would happen, you want the OS to encrypt it
> and the way to do that is to put the SWAP *inside* the RAID.
>
>
> Maybe a crash-dump can be induced somehow. Maybe someone would get hold
> of the HDD while the dump data is still on the swap partition because
> the OS has not booted again, which would otherwise normally migrate
> that dump data over to the filesystem.
>
> This is an extreme consideration though as a comprehensive motivation
> for a choice it appears to me to make all sense.
>
>
> Thoughts, comments?
>
> I would probably interpret no comments as that the SWAP should indeed
> be located inside the RAID for this said reason.
>
> Thanks,
> Tinker
>

Assuming you are doing full disk encryption otherwise, put swap inside the
softraid disk.  The kernel is hardcoded to look on the boot disk to save
dumps.  If swap is on sd0 but you decrypt a partition as sd1 and boot
from that, swap is no longer on the same disk.

Unless you override with config(8)

Tim.



Re: Kernel panic with openbsd 6.2

2018-01-25 Thread trondd
On Thu, January 25, 2018 4:29 am, Maxim Bourmistrov wrote:
> As Stuart mentioned, em(4) on top of e1000 proven to be more stable.
> Even under higher load.
> Vmx starting to misbehave under high load, resulting for ex. with unstable
> CARP setup.
>
> //mxb
>
>> 25 jan. 2018 kl. 02:40 skrev trondd <tro...@kagu-tsuchi.com>:
>>
>> I am running about a dozen 6.2 -stable VMs on ESXi 6.5.  I have exactly
>> one VM that panics with vmxnet3_getbuf but only when it's being
>> snapshotted.  And not every time, but usually.
>>
>> I think once it panicked when I was snapshotting a lot of other VMs in
>> the
>> cluster but I don't trust that memory now.  I've not seen that again.
>>
>> Tim.
>>
>

I should have also said that these VMs all run postgreSQL servers.  The
busiest nears 200 simultaneous connections which may be well below the
load others are handling on their affected systems.

Tim.





Re: Kernel panic with openbsd 6.2

2018-01-24 Thread trondd
On Mon, January 22, 2018 10:47 am, Mik J wrote:
> Hello Stuart,
> For me it takes just a few days...
> I have a crash every 3/4 days maybe (2 crashes so far) and my server does
> not handle load.
> Yes I read your reports this morning, although you wrote that there was a
> combination with snmpd, I have it with nginx on my side.
>
>  Regards
>
> On Monday, 22 January 2018 at 10:35:47 UTC+1, Stuart Henderson wrote:
>
>  On 2018/01/22 00:22, Mik J wrote:
>> On Sunday, 21 January 2018 at 11:48:00 UTC+1, Stuart Henderson wrote:
>> On 2018-01-19, Mik J  wrote:
>> > I had many kernel panic these past days. This is a 6.2 openbsd VM
>> > running on esxi 5.5
>> >
>> > # grep "" /tmp/if_vmx.dis
>>
>> I've reported a lot of vmxnet3_getbuf panics, nobody seems interested.
>> I suggest switching to e1000 in the vmx file, this works with the em(4)
>> driver and has been stable so far.
>>
>>
>> Hello Stuart,
>> Thank you for your answer.
>> I had my VM running for months in version 6.1 and had not problem but I
>> reinstalled it in
>> version 6.2 and the problem is happening.
>> It seems to me that something in version 6.2 is producing the error.
>> One crash today again
>
> I hit this in last April, which was either 6.1 or -current from soon
> after.
> It can take weeks to run into it though so bisecting to find a working
> kernel
> is futile.
>
>

I am running about a dozen 6.2 -stable VMs on ESXi 6.5.  I have exactly
one VM that panics with vmxnet3_getbuf but only when it's being
snapshotted.  And not every time, but usually.

I think once it panicked when I was snapshotting a lot of other VMs in the
cluster but I don't trust that memory now.  I've not seen that again.

Tim.



Re: iwm errors with new snapshot

2018-01-23 Thread trondd
On Tue, January 23, 2018 2:09 pm, Stefan Sperling wrote:
> On Tue, Jan 23, 2018 at 11:50:28AM -0600, Vijay Sankar wrote:
>> Over the weekend, I was trying to do some tests requested in tech@
>> (inteldrm). I downloaded the latest snapshot but had problems with iwm
>> firmware on my laptops (X1 Carbon 5th gen)
>>
>> I did not have these errors with the previous snapshot (from January 8,
>> 2018). DHCP etc all worked properly the past couple of weeks, I was able
>> to
>> copy large file sets through wifi etc.
>>
>> So I tried a new build myself in case there was a mismatch between the
>> packages on firmware.openbsd.org and the latest snapshot but that did
>> not
>> work.
>>
>> Waited couple of days for a newer snapshot, installed it and still get
>> the
>> following errors
>
> Can you please try a kernel compiled from -current CVS source?
>
> Such kernels work for me.
>

Had the same problem with a snapshot installed yesterday.  Building from
-current seems to be fine.

Tim.



Re: http_proxy for rc.firsttime after Upgrade

2018-01-22 Thread trondd
On Mon, January 22, 2018 2:36 am, Raimo Niskanen wrote:
> On Fri, Jan 19, 2018 at 10:47:15AM -0500, trondd wrote:
>> On Fri, January 19, 2018 4:29 am, Raimo Niskanen wrote:
>> > Hello list!
>> >
>> > I have some machines behind a squid proxy and have set the http_proxy
>> and
>> > ftp_proxy environment variables both in /etc/profile and in
>> > /etc/login.conf
>> > for the default login class.  This works well.
>> >
>> > But after an upgrade when rc.firsttime calls fw_update and checks for
>> > binary patches the proxy is not used, so I have to wait for that to
>> time
>> > out or break it with Ctrl-C and call fw_update manually.
>> >
>> > So I just wonder if anybody have an idea of how to set the http_proxy
>> and
>> > ftp_proxy environment variables so they are picked up by rc.firsttime?
>> >
>> > Best regards
>> > --
>> >
>> > / Raimo Niskanen, Erlang/OTP, Ericsson AB
>> >
>>
>> I submitted a patch for this:
>> https://marc.info/?l=openbsd-tech&m=151260860105270&w=2
>
> That sure looks like an improvement!  But should maybe $http_proxy be
> placed between single quotes?
>
> Unfortunately I fetch the sets into /var/OpenBSD/`machine` and verify them
> before rebooting into /bsd62.rd, so it would not work for me...
>
>>
>> In the meantime, before reboot, you can edit the rc.firsttime script
>> after
>> installation.
>
> I'll try that trick next time.  Thank you!
>
>>
>> Tim.
>
> --
>
> / Raimo Niskanen, Erlang/OTP, Ericsson AB
>

Ah, I see.  Yeah, I only accounted for the obvious case when a net install
was done.

Having thought about it again, an easier solution will be to write your
http_proxy export to /etc/rc.firsttime before rebooting into bsd.rd.  If
you have your update process scripted already, it's an easy additional
line.  The installer only appends commands so anything you have in
rc.firsttime will be preserved.

Tim.




Re: http_proxy for rc.firsttime after Upgrade

2018-01-19 Thread trondd
On Fri, January 19, 2018 4:29 am, Raimo Niskanen wrote:
> Hello list!
>
> I have some machines behind a squid proxy and have set the http_proxy and
> ftp_proxy environment variables both in /etc/profile and in
> /etc/login.conf
> for the default login class.  This works well.
>
> But after an upgrade when rc.firsttime calls fw_update and checks for
> binary patches the proxy is not used, so I have to wait for that to time
> out or break it with Ctrl-C and call fw_update manually.
>
> So I just wonder if anybody have an idea of how to set the http_proxy and
> ftp_proxy environment variables so they are picked up by rc.firsttime?
>
> Best regards
> --
>
> / Raimo Niskanen, Erlang/OTP, Ericsson AB
>

I submitted a patch for this:
https://marc.info/?l=openbsd-tech&m=151260860105270&w=2

In the meantime, before reboot, you can edit the rc.firsttime script after
installation.

Tim.



Re: Writing "ones" instead of "zeroes" when wiping disk

2018-01-11 Thread trondd
On Thu, January 11, 2018 5:12 pm, worik wrote:
> On 12/01/18 11:09, Jan Stary wrote:
>> On Jan 11 14:45:21, andreasthu...@gmail.com wrote:
>>> in order to achieve paranoid disk-wiping?
>> Ones are not nearly as secure as zeros.
>>
> Why not? Is it not arbitrary?
>

A 1 is too narrow to fully cover the original data.




Re: Probable mistake in PF tagging example ruleset order

2018-01-10 Thread trondd
On Wed, January 10, 2018 2:44 pm, Aham Brahmasmi wrote:
> Hi,
>
> I am trying to learn and understand the pf tagging mechanism. I was
> wondering whether my understanding of the order in the example at
> https://www.openbsd.org/faq/pf/tagging.html is correct. If it is, then
> there might be a mistake in the order. The relevant lines are
>

Read the rules tagging follows again.  Tags are sticky.  Also a packet
passing through the firewall, say from a LAN machine to the internet, will
be evaluated twice.  If it gets tagged the first time, it'll have that tag
already when evaluated the second time.  If it matches a rule which tags
it, then matches another rule later, it still has the tag from the first
match.

> ...
> pass out on egress inet tag LAN_INET_NAT tagged LAN_INET nat-to (egress)
> pass in on $int_if from $int_net tag LAN_INET
> ...
> pass out quick on egress tagged LAN_INET_NAT
> ...
>
> My understanding:
> For the first line, an IPv4 packet that is already tagged with LAN_INET
> will now have the tag LAN_INET_NAT, and will be passed out on the
> egress interface after Network Address Translation.
>
> For the second line, a packet that is coming from the internal network
> on the internal interface will be passed and tagged with LAN_INET.
>
> For the third line, a packet that is tagged with LAN_INET_NAT will be
> passed out on the egress interface, and the rule evaluation will stop.
>
> Now, if my understanding is correct, then a packet will never match the
> first line, since the LAN_INET tagging happens only in the second line.
> And if that is the case, the third line will also not match, since the
> LAN_INET_NAT tagging happens in the first line.
>

Don't just read the rules from top to bottom.  Follow the packet.  Where
is the packet coming from?  Where is it going?  If there is a packet
coming from the LAN through this firewall to the internet what rules
match?  Does that rule tag the packet?  Does evaluation continue?

That's pass 1.  Since this packet is not destined for this machine, but
for something on the internet, it has to leave this machine.  So now it's
evaluated as an outgoing packet.  Did it get tagged before?  What rules
match based on direction and tag?  Does it get a new tag?  Does evaluation
continue?  Does it match anything else?


> If my understanding is correct, then we may need to switch the order of
> the first and second lines.
>
> The complete ruleset is
>
> int_if  = "dc0"
> dmz_if  = "dc1"
> int_net = "10.0.0.0/24"
> dmz_net = "192.168.0.0/24"
> www_server  = "192.168.0.5"
> mail_server = "192.168.0.10"
>
> table <spammers> persist file "/etc/spammers"
> # classification -- classify packets based on the defined firewall
> # policy.
> block all
> pass out on egress inet tag LAN_INET_NAT tagged LAN_INET nat-to (egress)
> pass in on $int_if from $int_net tag LAN_INET
> pass in on $int_if from $int_net to $dmz_net tag LAN_DMZ
> pass in on egress proto tcp to $www_server port 80 tag INET_DMZ
> pass in on egress proto tcp from <spammers> to port smtp tag SPAMD rdr-to \
> 127.0.0.1 port 8025
>
> # policy enforcement -- pass/block based on the defined firewall policy.
> pass in  quick on egress tagged SPAMD
> pass out quick on egress tagged LAN_INET_NAT
> pass out quick on $dmz_if tagged LAN_DMZ
> pass out quick on $dmz_if tagged INET_DMZ
>
> Thanks.
>
> Regards,
> ab
> -|-|-|-|-|-|-|--
>




Re: trouble while building a release

2018-01-03 Thread trondd
On Wed, January 3, 2018 1:07 pm, Etienne wrote:
> Hello list,
>
> I'm a bit confused. I believe I have correctly applied the instructions
> in release(8), but I hit this error when running "make release" in
> paragraph 4, on unmodified sources:
>
> # cd /usr/src/etc && make release
> [...]
> sh /usr/src/sys/conf/newvers.sh
> touch: version: Permission denied
> /usr/src/sys/conf/newvers.sh[84]: cannot create version: Permission denied
> *** Error 1 in /usr/src/sys/arch/amd64/compile/GENERIC (Makefile:970
> 'vers.o')
> *** Error 2 in . (Makefile:20 'bsd')
> *** Error 2 in . (Makefile:274 'release-sets')
> *** Error 2 in . (Makefile:267 'do-release')
> *** Error 2 in /usr/src/etc (Makefile:251 'release')
>
> However, I have set the directories and permissions as requested:
>
> # ls -ld $RELEASEDIR
> drwxr-xr-x  2 build  daemon  512 Dec 31 06:51
> /var/www/htdocs/pub/OpenBSD/6.2/amd64/
> # ls -ld $DESTDIR
> drwx--  13 build  wheel  512 Dec 31 06:58 /var/destdir/
> #  mount | grep vnd1
> /dev/vnd1a on /var/destdir type ffs (local, nodev, noexec, noperm)
>
> Any idea on what I need to check?
>
> Cheers,
>
> --
> Étienne
>

What are the perms on /usr/obj?  Should be build:wsrc 770 per step 3.

Tim.



Re: Keeping up to date with ports and putting ports/pobj on wxallowed filesystem

2017-11-09 Thread trondd
On Thu, November 9, 2017 4:54 pm, Jeff wrote:
> On Thu, 9 Nov 2017 22:06:43 +0100
> "Christoph R. Murauer"  wrote:
>
>> If I understood your question correct ...
>>
>> > Running: OpenBSD6.2-release
>> >
>> > Goal: To run a secure and functional web server.
>> > (the server is currently up and running and used by
>> > the public at large)
>>
>> If there are security related patches or things needed to be fixed,
>> that the package works as it should, you can simple run pkg_add -iu
>
> Thanks for your replay Christoph.
>
> Please correct me if I'm wrong, but as I understand things, this only
> works if one is following OpenBSD-current.  I am running -release.
> This is an in-use production server; I don't feel wise running -current.
>
>> You can add wxallowed to a already mounted filesystem using mount(8).
>
> In theory, I don't like this;  I would rather keep preventing everything
> not mapped from /use/local from being able to have both writable and
> executeable pages, even if it's only temporary.
>
>> > Is it not worth it to update ports in this way; meaning, is it better
>> > to simply wait for OpenBSD6.3 and stick with binary packages only
>> > (as recommended on the openbsd.org site)?
>>
>> That depends on your requirements. See above.
>
> My answer also depends.  Ideally, I'd want to jump on any update for
> any software for which a security advisory has been issued.  Also,
> I do wish to track other non-critical updates to keep the server's
> software relatively up-to-date as not to fall behind; picking up
> performance and related enhancements in a bonus.  In practice,
> at least for myself and my available time, this isn't always feasible
> (e.g. the ports tree doesn't have the latest software available as a port
> and it would also be a significant time commitment to build and install
> the software from the original source and successfully integrate it into
> OpenBSD.)
>
> For example, moving to php v7.1.11 or 7.2 fall into this category
> (see: http://www.securityfocus.com/bid/101745)
> .
> Looking at what the ports system has to do to make the php 7.0.23
> package, I'd be spending my life getting 7.2 to build and work properly
> and I feel this is better left to those with more OpenBSD porting
> experience.
>
> Some software builds and integrates from original sources more easily,
> that is, the usual:
> ./configure {reasonable options} -> make -> make install
> procedure goes off without a hitch, or at least without too many edits.
>
>> > Also, is there an easy/sane way to remove packages that were only
>> > required for building once the ports have been updated?
>>
>> A port is a package. See make clean and so on for builded ports and
>> pkg_delete -a for packages. IMHO Who say, that something unneeded is
>> installed ? It also has no effect to the system if build deps. are
>> kept in the ports tree.
>
> I understand that the ports system first builds and packages a port,
> and then installs it.
>
> I could be doing something wrong, but it seems that some ports install
> dependencies to the system (pkg_add-style) that are required to *build*
> the package from source, but that aren't required to *run* the package
> (e.g. cmake).
>
> So, I definitely don't mind leaving the built packages in the ports
> tree, but I *do* mind leaving them installed on the system.
>

Use proot(1).  It's amazing.  You need space, though.  I am using 2.5G to
build my personal use ports.  So, nothing huge.

With dpb(1) it's a pretty automatic process to rebuild stuff.

Tim.




Re: pf not redirecting DNS queries

2017-11-06 Thread trondd
On Mon, November 6, 2017 8:50 pm, Scott Bennett wrote:
> I have an APU2 running 6.2, acting as pf NAT gateway, DHCP server, and
> DNS cache (unbound) for my internal LAN.
>
> I've attempted to make all DNS queries redirect to the APU2, as many
> examples have illustrated, so that they can be forwarded to OpenDNS (to
> take advantage of domain filtering). But it seems that it is still
> possible for queries to evade the redirection.
>
> Using dig as a concrete example, if I do the following simple
> query from a client, I get an answer from unbound as expected:
>
> However, if I specify an alternate DNS server, I get a response from
> that server:
>
> $ doas cat /etc/pf.conf
> wired = "{ vether0 em1 em2 }"
> wifi = "athn0"
> wired_ip = "192.168.0.1"
> wifi_ip = "192.168.2.1"
> icmp_types = "{ echoreq, unreach }"
> udp_ports = "{ domain, ntp }"
> tcp_ports = "{ ssh, smtp, domain, www, pop3, auth, http, https, pop3s }"
>
> table  { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
>172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, \
>192.168.0.0/16, 198.18.0.0/15, 198.51.100.0/24, \
>203.0.113.0/24, 224.0.0.0/3 }
> set block-policy drop
> set loginterface egress
> set skip on lo
> match in all scrub (no-df random-id)
> match out on egress set prio (5, 6)
> match in on $wifi set prio (5, 6)
> match proto tcp to port ssh set prio 7
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
> antispoof quick for { egress, $wifi }
> block in quick log on egress from  to any
> block return out quick log on egress from any to 
> block in quick on egress from no-route to any
> block in quick on egress inet proto icmp all label "icmp-in"
> block all
> pass quick proto { tcp, udp } to port $udp_ports

Because you're telling pf to pass all traffic on port domain to anywhere.
Quick rules stop evaluation and you never hit the rdr-to rules below.


> pass inet proto icmp icmp-type $icmp_types
> pass out on egress inet proto udp to port 33433:33626
> pass inet proto tcp from $wifi:network to port $tcp_ports modulate state
> pass from { self, $wifi:network } modulate state
> pass in on $wired inet
> # Redirect DNS Queries
> pass in on $wifi  proto { udp, tcp } from any to any port domain \
>  rdr-to $wifi_ip  port domain label "dns-redirect"
> pass in on $wired proto { udp, tcp } from any to any port domain \
>  rdr-to $wired_ip port domain label "dns-redirect"
>

What is on your LAN that isn't using your DHCP settings for DNS?  Why
redirect instead of just blocking DNS from the LAN to all but unbound?
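Two threads above come down to how pf walks a ruleset: the tagging question (a forwarded packet is evaluated once inbound and once outbound, and tags are sticky) and the DNS redirect that never fires because a quick rule above it ends evaluation. Below is an added toy model of that evaluation, written for this page; it is not pf source and not from either thread. Interfaces, addresses and the trimmed rulesets are constructed, and the "fix" for the DNS case (moving the rdr-to rule ahead of the generic pass and making it quick) is this example's suggestion, not something proposed in the thread.

```python
"""Toy model of pf rule evaluation: last matching rule wins unless it is
"quick"; "tag" is sticky (applied on every match, even when a later rule
wins); a forwarded packet is evaluated twice, in on the LAN interface and
out on egress, carrying its tag between the two passes.  Added illustration,
not pf code.  Interfaces, addresses and rulesets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Pkt:
    iface: str
    direction: str              # "in" or "out"
    src: str
    dst: str
    proto: str = "udp"
    dport: Optional[int] = None
    tag: Optional[str] = None   # pf keeps one tag per packet; a later tag replaces it


@dataclass
class Rule:
    action: str                         # "pass" or "block"
    direction: Optional[str] = None     # None matches both directions
    iface: Optional[str] = None
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    quick: bool = False
    tag: Optional[str] = None           # tag applied whenever this rule matches
    tagged: Optional[str] = None        # match only if the packet carries this tag
    rdr_to: Optional[str] = None        # destination rewrite, applied if the rule wins
    label: str = ""


def in_net(addr: str, net: Optional[str]) -> bool:
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def matches(r: Rule, p: Pkt) -> bool:
    return (r.direction in (None, p.direction) and r.iface in (None, p.iface)
            and in_net(p.src, r.src_net) and in_net(p.dst, r.dst_net)
            and r.proto in (None, p.proto) and r.dport in (None, p.dport)
            and (r.tagged is None or r.tagged == p.tag))


def evaluate(rules: List[Rule], p: Pkt) -> Rule:
    """One pass over the ruleset; mutates p.tag and, for rdr-to, p.dst."""
    winner = None
    for r in rules:
        if not matches(r, p):
            continue
        if r.tag:                 # sticky: set even if this rule does not win
            p.tag = r.tag
        winner = r
        if r.quick:               # quick ends evaluation right here
            break
    if winner is None:
        raise ValueError("no rule matched")
    if winner.action == "pass" and winner.rdr_to:
        p.dst = winner.rdr_to
    return winner


# Trimmed FAQ tagging ruleset ($int_if = dc0, $int_net = 10.0.0.0/24, nat-to omitted).
TAGGING = [
    Rule("block", label="block all"),
    Rule("pass", "out", "egress", tagged="LAN_INET", tag="LAN_INET_NAT", label="nat-to"),
    Rule("pass", "in", "dc0", src_net="10.0.0.0/24", tag="LAN_INET"),
    Rule("pass", "in", "dc0", src_net="10.0.0.0/24", dst_net="192.168.0.0/24", tag="LAN_DMZ"),
    Rule("pass", "out", "egress", tagged="LAN_INET_NAT", quick=True, label="policy"),
]


def forward_lan_to_internet(src="10.0.0.5", dst="203.0.113.10") -> Tuple[str, str, str, str]:
    """Follow one LAN->internet packet through both passes."""
    p = Pkt("dc0", "in", src, dst, "tcp", 80)
    first = evaluate(TAGGING, p)              # pass 1: in on $int_if, tagged LAN_INET
    tag_after_in = p.tag
    p.iface, p.direction = "egress", "out"    # same packet, now leaving the box
    second = evaluate(TAGGING, p)             # pass 2: tag rewritten, then quick rule wins
    return tag_after_in, p.tag, first.action, second.label


def dns_rules(redirect_first: bool) -> List[Rule]:
    """As posted (False) versus this example's fix (True): rdr-to rule first and quick."""
    generic = Rule("pass", proto="udp", dport=53, quick=True, label="pass quick to port domain")
    redirect = Rule("pass", "in", "em1", proto="udp", dport=53, quick=redirect_first,
                    rdr_to="192.168.0.1", label="dns-redirect")
    a, b = (redirect, generic) if redirect_first else (generic, redirect)
    return [Rule("block", label="block all"), a, b]


def dns_destination(redirect_first: bool, client="192.168.0.50",
                    resolver="208.67.222.222") -> Tuple[str, str]:
    """Which rule wins for a LAN client querying an outside resolver, and where it goes."""
    p = Pkt("em1", "in", client, resolver, "udp", 53)
    return evaluate(dns_rules(redirect_first), p).label, p.dst
```

`forward_lan_to_internet()` shows the tag after the inbound pass (LAN_INET), the tag after the outbound pass (LAN_INET_NAT) and that the quick policy rule is what finally passes the packet; `dns_destination(False)` shows the query leaving for the outside resolver untouched because the generic quick rule wins, and `dns_destination(True)` shows it landing on the local unbound once the rdr-to rule is evaluated first.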



Re: Streamlining disklabel...

2017-11-04 Thread trondd
On Sat, November 4, 2017 5:09 pm, Implausibility wrote:
> Again, the interactive editor is way too many steps, too many
> opportunities for screw-ups, and does nothing to streamline the process of
> adding a new disk for me.
>
> So this is what I've come up with...
>
> fdisk -i sd1
> echo "/disk2 1M-* 100%" >/tmp/disktab.new
> disklabel -w -dv -A -T /tmp/disktab.new sd1 && rm /tmp/disktab.new
> newfs /dev/rsd1a
> mkdir /disk2
> mount /dev/sd1a /disk2
>
> This seems kludgy, but it is more automated / flexible, and best of all,
> it works.
>
> I'm still curious to know if this is really the most efficient way of
> doing this.
>
> Thanks.
>

That's the way I do it.  That's the way the automated installer does it...




Re: Sorry for the n00b question but I could use some education on relayd

2017-11-02 Thread trondd
On Thu, November 2, 2017 2:17 pm, Bryan C. Everly wrote:
> Hi misc@,
>
> I have a use case where I'm using OpenBSD 6.2 as my router/firewall
> and there are several websites that sit behind it on separate servers
> (let's call them http://one.com, http://two.com and http://three.com
>
> I'd like to be able to have just a single IP address exposed through
> DNS for all three of them (it's a home cablemodem and I only have one
> public IP address) and then use something on OpenBSD (pf?  relayd?) to
> route the traffic to the appropriate private IP address on the LAN
> side of the network.
>
> In looking at the manpage for relayd and relayd.conf, I'm wondering if
> I could set up a relay using something like this:
>
> table   { 192.168.1.2 }
> table  { 192.168.1.3 }
> table  { 192.168.1.4 }
>
> redirect "one" {
> listen on one.com port 80
> forward to 
> }
>
> redirect "two" {
> listen on two.com port 80
> forward to 
> }
>
> redirect "three" {
> listen on three.com port 80
> forward to 
> }
>
> I've tried this and even after re-reading the manpage and seeing that
> I needed to add the "anchor" bit to my pf.conf I'm still not getting
> what I'm looking for.  Perhaps I'm using the wrong tool for the job?
>
> Thanks in advance for any suggestions or knocks on the head!
>
> Thanks,
> Bryan
>

You can't have multiple redirects on the same IP and port.  DNS isn't
known at that layer.

If you have only one external IP, you have to use a relay and
pass...forward to the host based on the Host header value.

Something like this:

ext_addr="xxx.xxx.xxx.xxx"

#
# Global Options
#
interval 20
timeout 2000
prefork 5

#
# Each table will be mapped to a pf table.
#
table  { 192.168.1.10 }
table  { 192.168.1.11 }
table  { 192.168.1.12 }
table  { 127.0.0.1 }

#
# Relay and protocol for HTTP layer 7 loadbalancing and SSL/TLS acceleration
#
http protocol http {
	match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header append "X-Forwarded-By" \
	    value "$SERVER_ADDR:$SERVER_PORT"
	match request header set "Connection" value "close"

	match request header log "Host"

	pass request quick header "Host" value "web1.com" forward to 
	pass request quick header "Host" value "web2.com" forward to 
	pass request quick header "Host" value "web3.com" forward to 

	pass quick forward to 
	return error style "body { background: white; color: black; }"

	# Various TCP performance options
	tcp { nodelay, sack, splice, socket buffer 65536, backlog 128 }
}

relay www {
	listen on $ext_addr port 80
	protocol http

	forward to  port http check http "/index.html" code 200
	forward to  port http check http "/index.html" code 200
	forward to  port http check http "/index.html" code 200
	forward to  port 8080 check http "/index.html" code 200
}



Re: Install process: couple of comments

2017-10-18 Thread trondd
On Wed, October 18, 2017 6:15 pm, Limaunion wrote:
> On 10/17/2017 05:44 PM, Stuart Henderson wrote:
>> On 2017-10-16, Limaunion  wrote:
>>> Hi! Last friday I upgraded my ALIX system from 6.0 to 6.2 using the PXE
>>> boot method. In previous years I used an internal FTP server to perform
>>> the upgrade, but for some reason this is not supported any more since a
>>> couple of releases.
>>
>> ftp support was removed from the installer, but you can place the same
>> files on an http/https server instead.
>>
>>> I mounted and published the ISO image using a
>>> raspberrypi and NGINX (HTTP method). During the install process I hit
>>> the following error 'unable to get a verified list of distribution
>>> sets'(*). I couldn't find much help from google but after some time I
>>> figured out that the install was looking for a file named index.txt,
>>> that is not included in the ISO.
>>
>> you want nearly all of the files from the release directory on a mirror,
>> you can skip install*.fs / install*.iso.
>>
>>> Maybe some of this information can be included to the install guide for
>>> those of us doing a local HTTP upgrade, and also it would be great to
>>> have the index.txt file included in the ISO.
>>
>> you won't have the SHA256.sig to verify the files against the signify
>> signature in the iso either.
>>
>>> For the record, the kernel relinking (Relinking to create unique
>>> kernel...) took about 14 minutes in my ALIX board and it takes about
>>> 2.5
>>> minutes the library reordering during the boot process.
>>
>> yes, it's terribly slow on machines with slow storage devices.
>> I tend to disable it on those (until I can justify replacing the
>> machine with something newer, which has other advantages too).
>>
>>
>>
>
> Hi! you mean that the library reordering can be disabled? care to share
> how to do that? google didn't help...
> Thanks for your comments.
>

Why does everyone always go straight to google? (Yeah, I know, silly
question.)  And then give up?

Looking at the code might be a better start.  Line 163 is particularly
interesting...

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc/rc?annotate=1.519



Re: log up or down interface end change physical address

2017-09-21 Thread trondd
On Thu, September 21, 2017 9:29 am, Krzysztof Strzeszewski wrote:
> Hi,
>
> How to log up or down (connect or not connect cable) interface end
> change physical address on OpenBSD?
>
>
> --
> Regards,
> Krzysztof Strzeszewski
>

ifstated(8) and some scripts?



Re: relayd https relay

2017-09-21 Thread trondd
On Thu, September 21, 2017 8:25 am, rosjat wrote:
> I try to figure out the ca file option mentioned by ronan maybe this is
> some kind of option here.
>

Using 'ca file' means you have to decrypt the SSL connection from the
clients with relayd then re-encrypt from relayd to the web servers. 
Clients will only see relayd's SSL certificate.  Originally you said you
want to use a different cert for each web site.

What CA signs the web server certificates?  There was a bug, I don't know
if it got fixed, in relayd that you can't use a big file of CAs for the
'ca file', the imsg was not chunked and if the file is too big, relayd
will fail to start the relay.  Take the CA cert that signed the web server
certificates and put that into a file and reference that file like 'ca
file "/etc/ssl/webca.pem"'

> Am 21.09.2017 um 14:11 schrieb trondd:
>> On Thu, September 21, 2017 3:49 am, rosjat wrote:
>>> Hi,
>>>
>>> so I added the with tls keywords to the relay and my webserver gets
> >> request now but from my relayhost and this is making the way back quite
>>> hard :(
>>>
>>> so I added the X Headers for Forwarded-For and Forwarded-By but it
>>> still
>>> leaves the question how to tell the relayhost to just let it all out
>>> like in a normal rdr-to rule in pf? Like I said pf rule just works fine
> >> so the traffic can go through all the interfaces just fine.
>>>
>>> regards
>>>
> >> Markus
>>>
>>
>> You can't do what you want with a layer 7 relay in relayd.  Redirect
>> rules
>> in pf work because pf doesn't know or care about DNS host names.
>>
>> Because you are using SSL, once you need to make decisions based on the
>> host, you have two options:
>>
>> A relay server that supports SNI so it can see the Host and forward to
>> the
>> right server.  Or terminating the SSL encryption at the relay server so
>> you can read the unencrypted host value.
>>
>> Option 2 is required for relayd as it does not support SNI.  But that
>> means the relay server holds the SSL certificate.  You can only have 1
>> certificate per IP and port.  If you want to use individual certs for
>> each
>> web site, you're stuck.  You either need to use different ports, which
>> is
>> typically a non-starter for web sites, or put multiple IPs on the relay
>> box.
>>
>> If security between the relay server and web servers is necessary (don't
>> trust someone else's network, and if possible, don't trust your own) you
>> can re-encrypt the communication from relayd and the web server but
>> it'll
>> be relayd using the web server certificate, not the user.
>>





Re: relayd https relay

2017-09-21 Thread trondd
On Thu, September 21, 2017 3:49 am, rosjat wrote:
> Hi,
>
> so I added the with tls keywords to the relay and my webserver gets
> request now but from my relayhost and this is making the way back quite
> hard :(
>
> so I added the X Headers for Forwarded-For and Forwarded-By but it still
> leaves the question how to tell the relayhost to just let it all out
> like in a normal rdr-to rule in pf? Like I said pf rule just works fine
> so the traffic can go through all the interfaces just fine.
>
> regards
>
> Markus
>

You can't do what you want with a layer 7 relay in relayd.  Redirect rules
in pf work because pf doesn't know or care about DNS host names.

Because you are using SSL, once you need to make decisions based on the
host, you have two options:

A relay server that supports SNI so it can see the Host and forward to the
right server.  Or terminating the SSL encryption at the relay server so
you can read the unencrypted host value.

Option 2 is required for relayd as it does not support SNI.  But that
means the relay server holds the SSL certificate.  You can only have 1
certificate per IP and port.  If you want to use individual certs for each
web site, you're stuck.  You either need to use different ports, which is
typically a non-starter for web sites, or put multiple IPs on the relay
box.

If security between the relay server and web servers is necessary (don't
trust someone else's network, and if possible, don't trust your own) you
can re-encrypt the communication from relayd and the web server but it'll
be relayd using the web server certificate, not the user.



Re: OpenBSD router / firewall / gateway device

2017-09-20 Thread trondd
On Tue, September 19, 2017 10:25 pm, Usexy Nerd wrote:
> https://beagleboard.org/x15
>
> 
> What is BeagleBoard-X15?
>
> BeagleBoard-X15 is the top performing, mainline Linux enabled,
> power-users' dream board with a core tailored for every computing task
> and a highspeed interface for every connectivity need. Give your
> algorithms room to stretch!
> Processor: TI AM5728 2×1.5-GHz ARM® Cortex-A15
>
>
>- 2GB DDR3 RAM
>- 4GB 8-bit eMMC on-board flash storage
>- 2D/3D graphics and video accelerators (GPUs)
>- 2×700-MHz C66 digital signal processors (DSPs)
>- 2×ARM Cortex-M4 microcontrollers (MCUs)
>- 4×32-bit programmable real-time units (PRUs)
>
> Connectivity
>
>- 2×Gigabit Ethernet
>- 3×SuperSpeed USB 3.0 host
>- HighSpeed USB 2.0 client
>- eSATA (500mA)
>- full-size HDMI video output
>- microSD card slot
>- Stereo audio in and out
>- 4×60-pin headers with PCIe, LCD, mSATA
>- and much more... 
>
> See quick start guide 
>
>
>
>
> On Tue, Sep 19, 2017 at 10:14 PM, Greg Garrison  wrote:
>
>> Hello,
>>
>>
>> I am interested how well the ARM platform is supported. Does anyone know
>> of a low cost dual ethernet arm board that I could use to build an
>> OpenBSD
>> based router / gateway device? I'd be interested in hearing experiences
>> from the community. I don't care so much about wifi capability I just
>> want
>> a very cheap board with two lan ports.  Wifi would be an added bonus but
>> not necessary for what I have in mind.
>>
>>
>> Thanks,
>>
>> Greg
>>
>>
>

Why does everyone think they have to have ARM?  For the price of that X15,
I'd rather have an APU2.

(Sorry Usexy Nerd ;) for the direct reply, meant for this to go to the list)



Re: relayd https relay

2017-09-20 Thread trondd
On Wed, September 20, 2017 8:10 am, Bryan Harris wrote:
> I don't think you can know the host header unless you decrypt the https
> using a certificate.  It seems that idea would require SNI but I don't
> know
> if they have SNI in relayd/httpd.  (I could be wrong about that.)
>

httpd has SNI, relayd does not.

https://marc.info/?l=openbsd-cvs&m=147187817314952&w=2

For these scenarios, I have to turn to www/pound which I like for its
small size and chroot support.



Re: Open /dev/mem file failed when running as a root priviledge

2017-09-11 Thread trondd
On Mon, September 11, 2017 8:58 pm, Nan Xiao wrote:
> Hi all,
>
> Greetings from me!
>
> I want to run dmidecode (https://github.com/mirror/dmidecode) on OpenBSD
> 6.1, but executing it will report following errors:
>
> # ./dmidecode
> # dmidecode 3.1
> Scanning /dev/mem for entry point.
> /dev/mem: Operation not permitted
>
> After single-step debugging, I find the error is from open /dev/mem:
>
> if ((fd = open(filename, O_RDONLY)) == -1)
> {
>  if (errno != ENOENT)
>  perror(filename);
>  return NULL;
> }
>
> I execute program as a root, and the attributes of `/dev/mem`:
>
> # ls -lt /dev/mem
> crw-r-----  1 root  kmem    2,   0 Aug 25 18:38 /dev/mem
>
> So it should open successfully. Could anyone give some clues of this
> issue?
>
> Thanks very much in advance!
>
> Best Regards
> Nan Xiao
>

/dev/mem and /dev/kmem were locked down.

https://marc.info/?l=openbsd-cvs&m=147481705211536&w=2

I can't recall if it's been further closed since last year.



Re: vio(4) tap(4) question

2017-08-28 Thread trondd
On Mon, August 28, 2017 6:03 pm, Bryan Harris wrote:
>
> pass on { vether0 tap0 tap1 tap2 tap3 tap4 tap5 tap6 tap7 tap8 tap9 }
>
> Thanks all.
>
> V/r,
> Bryan
>

Can't you just use the interface group 'tap'?

pass on { vether0 tap }



Re: Openbsd 6.1 and Current Console Freezes and lockup Proxmox PVE5.0

2017-07-18 Thread trondd
On Tue, July 18, 2017 8:14 pm, Tom Smyth wrote:
> Apologies...
> Incomplete Mail ... was feeling Trigger happy and now im certainly
> feeling uncomfortably dumb :)
>
> proper bug report to come tomorrow,
> Its a long story... :/
> Thanks
>

When you do come back, mention if this is new with Proxmox 5.0 and if
you've used previous versions successfully.

I have been running OpenBSD on Proxmox for 2 or 3 years with no problems. 
I think I am still on 4.x, though.  I'll check tomorrow.

Tim.




Re: siteXX.tgz with /home/user/.ssh/authorized_keys results in empty file

2017-05-29 Thread trondd
Site is installed last *of the sets*, not the last thing that happens. 
And the user is created after the sets are extracted, also.

The *.site scripts are run nearly last (close enough, that it doesn't
matter).



Re: siteXX.tgz with /home/user/.ssh/authorized_keys results in empty file

2017-05-29 Thread trondd
On Mon, May 29, 2017 5:47 pm, Erling Westenvik wrote:
> everything is okay.
>
> What is going on? Why is the process extracting siteXX.tgz
> treating /mnt/home/user/.ssh different than /mnt/root/.ssh?
>
> *continues scratching head*
>
> Cheers.
> Erling.
>


You didn't really explain the failure case.  Is this a new install or an
upgrade?  Does your site file simply have the file
/home/user/.ssh/authorized_keys in it or are you doing the cat command as
you illustrated?

My guess is this is an install.  The installer seems to unpack the sets
first, including the site tarball.  Then, if you created a new user, it
copies the /etc/skel/ files over, overwriting your authorized_keys file.
You'll need to use install.site or /etc/rc.firsttime

Root is different because root's files are part of the distribution sets.



Re: /usr/sbin/httpd and chunked transfer encoding

2017-05-08 Thread trondd
On Mon, May 8, 2017 5:22 pm, r...@tamos.net wrote:
> On Mon, 08 May 2017 18:45 +0800, johnw wrote:
>> Both tried and not work.
>
> Yeah, you might be waiting for a while.  According to the following,
> both projects have this as an open issue but haven't been able to commit
> resources to it.  In the former case, the issue has been deferred from
> one release to another for over a year and a half.
>
> https://github.com/owncloud/android/issues/1128
> https://github.com/nextcloud/android/issues/113
>

For an alternative mobile client, I was using Folder Sync (Lite) with
httpd and OwnCloud.

https://play.google.com/store/apps/details?id=dk.tacit.android.foldersync.full&hl=en

https://play.google.com/store/apps/details?id=dk.tacit.android.foldersync.lite&hl=en



Re: DHCP in vmm guest

2017-05-04 Thread trondd
On Thu, May 4, 2017 8:51 am, Francois Stephany wrote:
> Hi,
>
> I'm new to OpenBSD and I'm trying a simple setup where a VMM guest has
> access to the network via tap and bridge. The host uses a wired connection
> and gets its network address with DHCP.
>
> Here's my /etc/vm.conf:
>
> switch "vms_switch" {
> interface bridge0
> add bge0
> }
>
> vm "vm.test" {
> memory 1G
> boot /home/fstephany/bsd.rd
> disk /var/vms/fstephany/vmtest-disk.img
> owner fstephany
> interface tap {
> switch "vms_switch"
> }
> disable
> }
>
>
> I've stopped vmd with #rcctl stop vmd
> and started it manually:
>
> # vmd -dvv
> startup
> /etc/vm.conf:4: switch "vms_switch" registered
> /etc/vm.conf:15: vm "vm.test" registered (disabled)
> vm_priv_brconfig: interface bridge0 description switch1-vms_switch
> vm_priv_brconfig: interface bridge0 add bge0
> vmd_configure: not creating vm vm.test (disabled)
> vm_opentty: vm vm.test tty /dev/ttyp1 uid 0 gid 4 mode 620
> vm_priv_ifconfig: interface tap0 description vm1-if0-vm.test
> vm_priv_ifconfig: interface bridge0 add tap0
> vm.test: started vm 1 successfully, tty /dev/ttyp1
> loadfile_elf: loaded ELF kernel
> run_vm: initializing hardware for vm vm.test
> virtio_init: vm "vm.test" vio0 lladdr fe:e1:bb:d1:6d:23
> run_vm: starting vcpu threads for vm vm.test
> vcpu_reset: resetting vcpu 0 for vm 5
> run_vm: waiting on events for VM vm.test
> i8259_write_datareg: master pic, reset IRQ vector to 0x20
> i8259_write_datareg: slave pic, reset IRQ vector to 0x28
> vcpu_exit_i8253: channel 0 reset, mode=7, start=11932
> virtio_blk_io: device reset
> virtio_net_io: device reset
> vionet queue notify - no space, dropping packet
> vionet queue notify - no space, dropping packet
> vionet queue notify - no space, dropping packet
> vionet queue notify - no space, dropping packet
> vionet queue notify - no space, dropping packet
> virtio_net_io: device reset
>
>
> Here's what happens when the installer tries to get a network address:
>
> # vmctl status
>    ID   PID VCPUS  MAXMEM  CURMEM     TTY        OWNER NAME
>     1     -     1    1.0G       -       -    fstephany vm.test
> # vmctl start vm.test -c
> Connected to /dev/ttyp1 (speed 9600)
>
> Copyright (c) 1982, 1986, 1989, 1991, 1993
> The Regents of the University of California.  All rights reserved.
> Copyright (c) 1995-2017 OpenBSD. All rights reserved.
> https://www.OpenBSD.org
>
> OpenBSD 6.1-current (RAMDISK_CD) #41: Tue May  2 21:13:30 MDT 2017
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
> real mem = 1056964608 (1008MB)
> avail mem = 1021235200 (973MB)
> mainbus0 at root
> bios0 at mainbus0
> acpi at bios0 not configured
> cpu0 at mainbus0: (uniprocessor)
> cpu0: Intel(R) Celeron(R) CPU G1610T @ 2.30GHz, 2295.33 MHz
> cpu0:
> FPU,VME,DE,PSE,MSR,PAE,MCE,CX8,SEP,PGE,MCA,CMOV,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,XSAVE,HV,NXE,LONG,LAHF,FSGSBASE,SMEP,ERMS
> cpu0: 256KB 64b/line 8-way L2 cache
> pvbus0 at mainbus0: OpenBSD
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "OpenBSD VMM Host" rev 0x00
> virtio0 at pci0 dev 1 function 0 "Qumranet Virtio RNG" rev 0x00
> viornd0 at virtio0
> virtio0: irq 3
> virtio1 at pci0 dev 2 function 0 "Qumranet Virtio Storage" rev 0x00
> vioblk0 at virtio1
> scsibus0 at vioblk0: 2 targets
> sd0 at scsibus0 targ 0 lun 0:  SCSI3 0/direct
> fixed
> sd0: 4096MB, 512 bytes/sector, 8388608 sectors
> virtio1: irq 5
> virtio2 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
> vio0 at virtio2: address fe:e1:bb:d1:6d:23
> virtio2: irq 7
> virtio3 at pci0 dev 4 function 0 "OpenBSD VMM Control" rev 0x00
> virtio3: no matching child driver; not configured
> isa0 at mainbus0
> com0 at isa0 port 0x3f8/8 irq 4: ns8250, no fifo
> com0: console
> softraid0 at root
> scsibus1 at softraid0: 256 targets
> root on rd0a swap on rd0b dump on rd0b
>
> erase ^?, werase ^W, kill ^U, intr ^C, status ^T
>
> Welcome to the OpenBSD/amd64 6.1 installation program.
> (I)nstall, (U)pgrade, (A)utoinstall or (S)hell? I
> At any prompt except password prompts you can escape to a shell by
> typing '!'. Default answers are shown in []'s and are selected by
> pressing RETURN.  You can exit this program at any time by pressing
> Control-C, but this can leave your system in an inconsistent state.
>
> Terminal type? [vt220]
> System hostname? (short form, e.g. 'foo') vmtest
>
> Available network interfaces are: vio0 vlan0.
> Which network interface do you wish to configure? (or 'done') [vio0]
> IPv4 address for vio0? (or 'dhcp' or 'none') [dhcp]
> DHCPDISCOVER on vio0 - interval 1
> DHCPDISCOVER on vio0 - interval 2
> DHCPDISCOVER on vio0 - interval 2
> DHCPDISCOVER on vio0 - interval 2
> DHCPDISCOVER on vio0 - interval 2
> DHCPDISCOVER on vio0 - interval 2
> No acceptable DHCPOFFERS received.
> No working leases in persistent database - sleeping.
> 

Re: Etnernal & infernal browser woes

2017-04-29 Thread trondd
On Sat, April 29, 2017 6:07 pm, Mihai Popescu wrote:
> Do not forget to use (activate) uBlock Origin too, there is in Add-Ons
> for Firefox.
>
> The guy with 134 opened tabs at once in firefox was funny. How many
> monitors is firefox windows spreading across?
>
> Thanks.
>

It's tabs.  You only need one window.

http://imgur.com/a/Cm4eO

uBlock and NoScript are a given.  I also use Tab Groups (pictured). 
Apparently I was the only one with this need, as tab groups were removed
from core firefox and even the plugin is being abandoned.  It's going to
be a rough transition when that stops working...



Re: Etnernal & infernal browser woes

2017-04-28 Thread trondd
On Fri, April 28, 2017 10:17 am, Fred wrote:
> I have to agree with David - here I used chrome on a daily basis with a
> minimum of two chrome windows with at least 4 tabs in each

I don't want to get into the conversation, but I thought this was funny.

I am a heavy tabs user.  I currently have firefox running with 134 tabs
open.  It's been running since I last updated -current last weekend.  That
number is actually small because I just went through my tabs and closed a
bunch of older or redundant ones.



Re: softraid mirror & large drives (3T)

2017-04-18 Thread trondd
On Tue, April 18, 2017 8:48 am, Kamil Cholewiński wrote:
> On Tue, 18 Apr 2017, Jiri B  wrote:
>> On Tue, Apr 18, 2017 at 08:23:56AM -0400, Allan Streib wrote:
>>> Buy a hardware RAID controller.
>>
>> I suppose you wanted to write - 'buy two equal hardware RAID
>> controllers',
>> or how would you be solving problem in broken hw raid controller in
>> cca 10 yrs from now? :-)
>>
>> j.
>
> Redundant machines in isolated failure zones.
>
> <3,K.
>

Woah.  Hold on.  There is a difference between backup and availability.

Copying your data to remote locations is part of backup.  RAID is for
availability (with integrity possibly included) but is not backup.

I initially read the original post as availability but maybe I am wrong. 
What is the desired goal?  What is the usage?  Personal or business?



Re: DHCP over bridge(4) was: OpenBSD as a non-routing access point

2017-04-13 Thread trondd
On Thu, April 13, 2017 9:00 am, Stuart Henderson wrote:
> On 2017-04-12, trondd <tro...@kagu-tsuchi.com> wrote:
>>
>> I have this problem as well.  DHCP requests go out over the bridge to
>> the
>> main interface.  The response comes back to the main interface but never
>> goes to the bridge.
>>
>> I'm trying to use vmm VMs on a bridge.  I've tried set skip on {bridge
>> tap}, and pass quick on {egress bridge tap} proto {tcp udp} from any to
>> any port {67 68}
>> Also disabling pf altogether.
>
> Bridging vmm to wired or wifi?
>
> Bridging to wifi requires hostap (or WDS, or L2 NAT, neither of which we
> support).
>

Wired.  An em NIC and tap and bridge set up by vmm.



Re: OpenBSD as a non-routing access point

2017-04-12 Thread trondd
On Wed, April 12, 2017 4:27 am, Stuart Henderson wrote:
> On 2017-04-12, Jordon  wrote:
>>> rcctl enable dhcrelay
>>> rcctl set dhcrelay flags -i athn0 192.168.1.1 "assuming that is your
>>> routers
>> address"
>>> rcctl start dhcrelay
>>>
>>> and possibly add -d (log to stderr) to see what its doing.
>>>
>>
>> Thank you!  That got it working!  So why is that necessary?  Doesnt the
>> bridge
>> just forward everything?  Or are DHCP requests broadcasts that dont get
>> forwarded?
>
> It shouldn't be necessary, dhcrelay is normally used when you have a
> subnet behind a router, and the DHCP server is a separate machine on a
> different subnet.
>
> Could it be a PF rule problem?
>
> Normally you would only have an IP address on one member of the bridge,
> just "up" on the others..
>

I have this problem as well.  DHCP requests go out over the bridge to the
main interface.  The response comes back to the main interface but never
goes to the bridge.

I'm trying to use vmm VMs on a bridge.  I've tried set skip on {bridge
tap}, and pass quick on {egress bridge tap} proto {tcp udp} from any to
any port {67 68}
Also disabling pf altogether.



Little bump in the upgrade path

2017-04-11 Thread trondd
Just FYI:

I upgraded 6.0 to 6.1 and /etc/installurl was populated with:
https://ftp4.usa.openbsd.org/pub/OpenBSD/6.1

(as is my mirror)

But when running pkg_add -u to upgrade, it searched
http://ftp4.usa.openbsd.org/pub/OpenBSD/6.1/6.1 for packages.

Chopped the 6.1 out of installurl to fix.

Tim.



Re: Is there something to replace zaurus?

2017-03-30 Thread trondd
On Wed, March 29, 2017 6:49 pm, Ryan Freeman wrote:
> On Wed, Mar 29, 2017 at 05:00:44PM -0500, Jordon wrote:
>> > On Mar 29, 2017, at 4:51 AM, Luke Small  wrote:
>> >
>> > I thought I read that there is an arm7 based mobile device, but I
>> can't
>> > find anything about it.
>> >
>>
> >> I'm really hoping the Dragonbox Pyra could become a mobile OpenBSD
>> device
>> like the zaurus was.  It is almost ready for manufacturing.
>>
>> Jordon
>>
>
> Wow that is a really neat looking little unit, thanks for mentioning
> this!
>
> I only did a quick search, but it seems at least the cpuid for the
> Cortex A15 cpu at least exists in cvs:
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/arch/arm/arm/cpu.c?rev=1.36&content-type=text/x-cvsweb-markup
>
> I only hope the rest of the hardware in that little box is friendly :-)
>
> -ryan
>

I've never seen these before:

http://www.geekbuying.com/item/GPD-Win-5-5-inch-Game-Console-Intel-Atom-X5-Z8500-Windows-10-OS-4GB-64GB-Gamepad-Quad-Core-2-24GHz-Gorilla-Glass-Screen-1280-720-Type-C---Black-367872.html

Anyone familiar with one?



Re: relayd(8) relay: redirect based on URL paths

2017-02-22 Thread trondd
On Wed, February 22, 2017 9:02 pm, Lyndon Nerenberg wrote:
> My relayd.conf fu is lame and needs help.  Given the following config:
>
>
> ---8<---8<---
>
> interval 60
> timeout 2000
>
> table  { w1.example.com w2.example.com w3.example.com }
>
> http protocol https {
>
> tcp { nodelay, sack }
> match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
> match request header append "X-Forwarded-By" \
> value "$SERVER_ADDR:$SERVER_PORT"
> match request header set "Connection" value "close"
>
> }
>
> relay web {
>
> listen on 203.0.113.5 port 443 tls
> protocol https
>
> forward with tls to  port https mode loadbalance \
> check https "/" code 200
>
> }
>
> ---8<---8<---
>
> I am trying to figure out how to intercept request paths beginning with
> "/xy/"
> so that I can forward them to a different port in the same server pool.
> I.e.:
>
>   https://host.example.com/xy/mumblebarge ->
> https://:/xy/mumblebarge
>
>   https://host.example.com/anything_else  ->
> https:///anything_else
>
> It seems this should be possible, but I just can't get my head around
> relayd.conf(5) :-(
>
> --lyndon
>

I have an example at work I can dig up tomorrow, but look at the Filter
Rules.  You need bits like: 'pass request path "/xy" forward to
 '
and probably a catch all 'pass forward to ' for the rest of the
traffic.

You need to specify the two forwards to the two tables in your relay
section.  You need two tables since each will go to a different port and
the forward to filter only knows about the table name.
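A complete relayd.conf for the split described above, as an added example that is not part of the original post: the hosts, address and protocol block come from the quoted config; the table names `web` and `xy`, the backend port 8443 for the /xy/ application and the health-check paths are assumptions.

```conf
# Added example (not from the original thread). Assumed: the /xy/
# application listens on port 8443 on the same pool members; the table
# names "web" and "xy" are arbitrary.
interval 60
timeout 2000

# Same hosts in two tables: a "forward to" filter rule can only name a
# table, and the port lives on the table in the relay section.
table <web> { w1.example.com w2.example.com w3.example.com }
table <xy>  { w1.example.com w2.example.com w3.example.com }

http protocol https {
	tcp { nodelay, sack }
	match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header append "X-Forwarded-By" \
	    value "$SERVER_ADDR:$SERVER_PORT"
	match request header set "Connection" value "close"

	# Filter rules are evaluated in order and the last match decides,
	# unless "quick" ends evaluation. Path values use shell-style
	# globbing, so "/xy/*" covers /xy/mumblebarge and everything below it.
	pass request quick path "/xy/*" forward to <xy>
	# Catch-all for every other request.
	pass forward to <web>
}

relay web {
	listen on 203.0.113.5 port 443 tls
	protocol https

	# Every table a filter rule forwards to must be declared here,
	# each with its own port and health check.
	forward with tls to <web> port https mode loadbalance \
	    check https "/" code 200
	forward with tls to <xy> port 8443 mode loadbalance \
	    check https "/xy/" code 200
}
```

Validate with `relayd -n -f /etc/relayd.conf` before reloading; a mismatch between the tables named in the filter rules and those in the relay section is reported at parse time.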



Re: http 408 messages in httpd logs

2017-02-14 Thread trondd
On Tue, February 14, 2017 2:27 pm, trondd wrote:
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/httpd/server.c.diff?r1=1.106&r2=1.107&f=h
>
> Unfortunately the commit message is not helpful here.
>

Ah hah.  I knew it'd be somewhere:
http://marc.info/?l=openbsd-cvs&m=148647072802851&w=2

I'd guess that the web browser was previously closing these connection
long before the server was timing out.



Re: http 408 messages in httpd logs

2017-02-14 Thread trondd
On Tue, February 14, 2017 1:48 pm, Walter Alejandro Iglesias wrote:
> Starting from Feb 11 my httpd logs are filled with 408 messages:
>
> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET /
> HTTP/1.1" 200 2535
> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET
> /en/styles.css HTTP/1.1" 200 282
> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET
> /en/img/home-novelas.png HTTP/1.1" 200 1812
> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET
> /en/img/home-comic.png HTTP/1.1" 200 2779
> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET
> /en/img/at.png HTTP/1.1" 200 324
> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET
> /en/img/home-devel.png HTTP/1.1" 200 4111
> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET
> /en/img/home-articles.png HTTP/1.1" 200 5835
> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET
> /en/img/home-about.jpg HTTP/1.1" 200 22211
> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET
> /en/img/home-social.png HTTP/1.1" 200 2782
> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:49:32 +0100] " "
> 408 0
> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:49:32 +0100] " "
> 408 0
> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:49:32 +0100] " "
> 408 0
> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:49:32 +0100] " "
> 408 0
> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:49:32 +0100] " "
> 408 0
> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:49:32 +0100] " "
> 408 0
>
> This affects my main site only (I have other several virtual sites
> hosted in that machine), the only one using ssl on 443 port.  As the
> example shows, some of them come right before a same source IP
> successful connection.  In fact, the hidden ip above is me browsing my
> web site from another location.  Besides, I didn't notice any delay, the
> pages are loaded as fast as before the messages started to appear.
>
> Increasing the request time out (in /etc/httpd.conf):
>
>   connection request timeout 120
>
> seems (not sure) to reduce a bit the number of messages.
>
> What intrigues me (and the reason I'm mentioning this here) is before
> Feb 11th, the date the first appeared, there is none, passed that date
> *all* requests generate that message.  I follow -current and upgrade
> snapshots regularly.  Could be some change in the system the cause?
>

Yes:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/httpd/server.c.diff?r1=1.106&r2=1.107&f=h

I am assuming these are client pre-negotiated connections to speed up the
user experience.  I guess they were not properly being closed before. 
Unfortunately the commit message is not helpful here.



Re: relayd and letsencrypt certificates

2017-02-10 Thread trondd
On Fri, February 10, 2017 11:48 am, Thuban wrote:
> Hello,
> I can't figure how to use letsencrypt certificates with relayd. I keep
> getting this error :
>
> # relayd -vvv -n
> /etc/relayd.conf:33: cannot load certificates for relay tlsforward
>
>
> My relayd.conf :
>
> # cat /etc/relayd.conf
> table  { 127.0.0.1 }
> ext_ip = 192.168.1.66
>
> http protocol "https" {
> tcp { nodelay, sack, socket buffer 65536, backlog 100 }
> match response header set "Cache-Control" value "max-age=1814400"
> return error
> pass
> tls { no client-renegotiation, cipher-server-preference }
> tls ca key "/etc/letsencrypt/certificates/privkey.pem" password ""
> tls ca cert "/etc/letsencrypt/certificates/cert.pem"
> }
>
>
> relay "tlsforward" {
> listen on $ext_ip port 443 tls
> protocol "https"
> forward to  port 8443 mode loadbalance check tcp
> }
>
>
>
> Do you see any error or have any advice?
>
> Regards.
>
> thuban
>

'ca key' and 'ca cert' is for MITM roll your own certs on the fly.

For server certs, like a web server would have, you don't specify them. 
relayd looks for address:port.key and address:port.crt as per the 'listen
on' description in relayd.conf(5)
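The quoted configuration with the inspection key pair removed and the server certificate placed where `listen on ... tls` looks for it, as an added example that is not from the original thread; the letsencrypt file names and paths are the ones in the quoted config, and the copy commands are shown as comments because relayd finds the certificate by file name rather than by a keyword.

```conf
# Added example (not from the original thread). Before starting relayd,
# install the server certificate and key under the names derived from
# the listening address and port:
#
#   cp /etc/letsencrypt/certificates/cert.pem    /etc/ssl/192.168.1.66:443.crt
#   cp /etc/letsencrypt/certificates/privkey.pem /etc/ssl/private/192.168.1.66:443.key
#   chmod 600 /etc/ssl/private/192.168.1.66:443.key
#
# If cert.pem holds only the leaf certificate, append the issuer's
# intermediate to the .crt file (letsencrypt clients usually provide a
# fullchain.pem), otherwise clients cannot build the chain.

table <web> { 127.0.0.1 }
ext_ip = 192.168.1.66

http protocol "https" {
	tcp { nodelay, sack, socket buffer 65536, backlog 100 }
	match response header set "Cache-Control" value "max-age=1814400"
	return error
	pass
	# No "tls ca key" / "tls ca cert" here: that pair is the CA relayd
	# uses to sign certificates on the fly for TLS inspection, not the
	# certificate presented to clients.
	tls { no client-renegotiation, cipher-server-preference }
}

relay "tlsforward" {
	listen on $ext_ip port 443 tls
	protocol "https"
	forward to <web> port 8443 mode loadbalance check tcp
}
```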



Re: edge router lite with double NAT

2017-01-24 Thread trondd
On Tue, January 24, 2017 3:19 am, jungle boogie wrote:
> On 01/23/2017 05:43 PM, trondd wrote:
>>>
>>
>>
>> Maybe make rules that are very specific to the BBB and ERL IPs in
> >> question.  And/or make sure 'egress' is the interface you think it is.
>>
>
> Okay, at this point I'm blaming the ISP issued router. I can't add a
> static route and therefore, I think it's to blame for nothing in
> 172.16.13.0/24 to get out to the internet.
> Well the ERL may still collect dust, but it will give me more of a
> reason to replace the ISP router for something decent.
>
> Thanks for all the help!
>

Yeah, it's a problem if we have no idea what the ISP's router is doing,
but in theory, the ISP router should never see another IP besides the
ERL's.



Re: edge router lite with double NAT

2017-01-23 Thread trondd
On Mon, January 23, 2017 5:26 pm, jungle Boogie wrote:
> On 23 January 2017 at 08:29, trondd <tro...@kagu-tsuchi.com> wrote:
>>
>> Can the BBB ping the ISP router internal interface IP?
>>
>
> Yes, it can ping 192.168.0.1 and anything else connected to the ISP
> router.
>
>> Double check your default gateway settings on the BBB and ERL.
>
> BBB:
>
> Internet:
> Destination        Gateway            Flags     Netif Expire
> default            172.16.13.1        UGS       cpsw0
> 127.0.0.1          link#2             UH        lo0
> 172.16.13.0/24     link#1             U         cpsw0
> 172.16.13.4        link#1             UHS       lo0
>
>
> from ERL here's 172.16.13:
> 172.16.13/24       172.16.13.1        UCn        0       10     -     4 cnmac1
> 172.16.13.1        00:be:ef:10:00:01  UHLl       0      695     -     1 cnmac1
> 172.16.13.255      172.16.13.1        UHb        0        0     -     1 cnmac1
>
>
>>
>> Fire up tcpdump on each interface along the way and see how far the
>> packets get.
>>
>
> I've done this from the BBB and see the requests but not any replies
> for pings. I'll run it on ERL while doing pings on BBB.
>

Check the external interface and make sure the source IP has been translated.

>
> Do you have a double-NAT pf example you can share?
>

Not easily.  I've done it to run VMM vm's through wifi (which requires a
NAT setup) and then through my main router which also does NAT.  I 'block
all' and tend to be specific about what can go where so it's a large
configuration.

For ping:

On my router, I use:
match out on $wan_if inet from $lan_net to any nat-to ($wan_if)

pass in log on $lan_if inet proto icmp all icmp-type echoreq
pass out log inet proto icmp all icmp-type echoreq

On my laptap:
match out on egress inet from $vm_net to any nat-to (egress:0)

pass out quick proto icmp all


Maybe make rules that are very specific to the BBB and ERL IPs in
question.  And/or make sure 'egress' is the interface you think it is.



Re: httpd weirdness ("connection max request body")

2017-01-23 Thread trondd
On Mon, January 23, 2017 7:47 am, Farid Joubbi wrote:
> Does anyone know if I should report this as a bug (or is it me being
> incompetent)?
>
> On Fri, Dec 16, 2016 at 3:17 PM, Farid Joubbi  wrote:
>
>> Hello,
>>
>> I noticed a weird thing which I can not explain.
>> To me it feels like a bug with httpd, or some feature that I have
>> misunderstood.
>>
>> I have a server running 6.0 -stable.
>> It runs httpd with both the roundcube and owncloud ports.
>> The server has only one NIC with only one public IP address.
>>

>> Now my questions.
>> Why did owncloud sync some files to mail.example.se instead of
>> cloud.example.se?
>> Why does it work as supposed to after me raising the file upload limit
>> for
>> mail.example.se?
>> Is it possible to have different "connection max request body" for the
>> different servers?
>> Am I doing something wrong in httpd.conf?
>>

You should try it with -current.  I know at some point, some server
configurations in one server section would be applied to all servers.  I
can't recall if/when that has been fixed.  But there have been a number of
changes to httpd since 6.0

If it's still a bug in -current, you can report it.



Re: edge router lite with double NAT

2017-01-23 Thread trondd
On Mon, January 23, 2017 12:09 am, jungle boogie wrote:
> On 01/22/2017 04:44 PM, trondd wrote:
>> On Sun, January 22, 2017 7:19 pm, jungle boogie wrote:
>>> On 01/22/2017 04:13 PM, trondd wrote:
>>>> On Sun, January 22, 2017 5:38 pm, jungle boogie wrote:
>>>>> Hi All,
>>>>>
>>>>> So I want to actually use my edge router lite instead of it
>>>>> collecting
>>>>> dust. At the moment I don't have a way to put my ISP provided
>>>>> router/modem into bridge mode. It acts as a DHCP server for my
>>>>> devices
>>>>> and does all gateway stuff. This means it's double NATTed. Not ideal,
>>>>> but I don't have a choice right now.
>>>>>
>>>>
>>>>>
>>>>> Problem is the BBB cannot do anything outside either 192.168.0.0/24
>>>>> or
>>>>> 172.16.13.0/24, like curl websites, ping websites, etc.
>>>>>
>>>>> pfctl is completely disabled on the ERL. What should I look at next
>>>>> to
>>>>> see how I can get internet to the BBB?
>>>>>
>>>>
>>>> First thought, if you have pf disabled on the ERL, then it's not doing
>>>> NAT.
>>>>
>>>> Can the ERL get to the internet?
>>
>> Ok, and did you enable and configure pf on the ERL so it does NAT for
>> BBB?
>>
>
> Shamefully copying the pf example from the FAQ:
> int_if="{ cnmac0 cnmac1 }"
> set block-policy drop
> set loginterface egress
> set skip on lo0
> match in all scrub (no-df random-id max-mss 1440)
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
> #block all
> pass out quick inet
> pass in on $int_if inet
>
>
> I removed the martians bit because I'm expecting traffic from 192.168.0.0
> from cnmac0.
>
> I can connect to the BBB but still cannot ping.
>
> Is this not actually establishing NAT?
>
> Thanks!
>

Can the BBB ping the ISP router internal interface IP?

Double check your default gateway settings on the BBB and ERL.

Fire up tcpdump on each interface along the way and see how far the
packets get.



Re: edge router lite with double NAT

2017-01-22 Thread trondd
On Sun, January 22, 2017 7:19 pm, jungle boogie wrote:
> On 01/22/2017 04:13 PM, trondd wrote:
>> On Sun, January 22, 2017 5:38 pm, jungle boogie wrote:
>>> Hi All,
>>>
>>> So I want to actually use my edge router lite instead of it collecting
>>> dust. At the moment I don't have a way to put my ISP provided
>>> router/modem into bridge mode. It acts as a DHCP server for my devices
>>> and does all gateway stuff. This means it's double NATTed. Not ideal,
>>> but I don't have a choice right now.
>>>
>>
>>>
>>> Problem is the BBB cannot do anything outside either 192.168.0.0/24 or
>>> 172.16.13.0/24, like curl websites, ping websites, etc.
>>>
>>> pfctl is completely disabled on the ERL. What should I look at next to
>>> see how I can get internet to the BBB?
>>>
>>
>> First thought, if you have pf disabled on the ERL, then it's not doing
>> NAT.
>>
>> Can the ERL get to the internet?

Ok, and did you enable and configure pf on the ERL so it does NAT for BBB?



Re: edge router lite with double NAT

2017-01-22 Thread trondd
On Sun, January 22, 2017 5:38 pm, jungle boogie wrote:
> Hi All,
>
> So I want to actually use my edge router lite instead of it collecting
> dust. At the moment I don't have a way to put my ISP provided
> router/modem into bridge mode. It acts as a DHCP server for my devices
> and does all gateway stuff. This means it's double NATTed. Not ideal,
> but I don't have a choice right now.
>

>
> Problem is the BBB cannot do anything outside either 192.168.0.0/24 or
> 172.16.13.0/24, like curl websites, ping websites, etc.
>
> pfctl is completely disabled on the ERL. What should I look at next to
> see how I can get internet to the BBB?
>

First thought, if you have pf disabled on the ERL, then it's not doing NAT.

Can the ERL get to the internet?



Re: OpenBSD Stable

2017-01-18 Thread trondd
On Wed, January 18, 2017 12:51 pm, George wrote:
>

> # /usr/ports/infrastructure/bin/dpb -f 20 -R pkglist
>
> dpb fetches the packages and i get the following result
> Elapsed time=00:28:34
> I=0 B=0 Q=0 T=547 F=0 !=9
> L=devel/quirks libglade-2.6.4.tar.bz2.dist
> ...

Everything is locked now because of the previous failures.  Blow away
everything under /usr/ports/logs/ to start clean.  Build one
package.

>
> I didn't change any paths on dpb since I followed the PDF Josh Grosse
> sent me. I run dpb as root so I guess permissions don't matter.
>

The permissions absolutely matter.  Read the Security Model of the dpb man
page.  Even the slides told you this. ;)  Dpb drops privileges.



Re: OpenBSD Stable

2017-01-18 Thread trondd
On Tue, January 17, 2017 8:46 pm, George wrote:
> Hello.
> I'm new here.
> I installed OpenBSD on my laptop. I used anoncvs to download the stable
> sources for kernel, xenocara and ports. I rebuilt my kernel, system and
> xenocara and I tried to update various packages to stable.
> I used
> /usr/ports/infrastructure/bin/out-of-date
> to get a list of out of date packages. I added that list to dpb with the
> following command
> /usr/ports/infrastructure/bin/dpb -f 20 -U -P PackageList2.txt
> dpb fetches the source code and chooses the packages that can be
> installed or built and then stops. It doesn't build anything or install
> anything.
>
> I'm sure it's something stupid that I can't understand.
> What am I missing?

Need more information than this.  What's dpb doing?  Logs are in
/usr/ports/logs.  Are the permissions set correctly for the /usr/ports/*
directories per the dpb man page?  Are you sure you have -stable source?

>
> Thanks!
>
> PS. I also changed /etc/mk.conf by adding
>
> FETCH_PACKAGES=Yes
>
> it doesn't seem to work. It still downloads source code and then builds
> it.
>

FETCH_PACKAGES, I believe, only works with the PKG_PATH variable, not with
/etc/pkg.conf.  Maybe that's the problem?



Re: doas prompting for password in script

2016-12-15 Thread trondd
On Thu, December 15, 2016 12:28 pm, Ax0n wrote:
> I don't know how doas is keeping track of a session. If it's by
> interactive
> tty session only, that could cause problems with non-interactive scripts.
> I'll let someone closer to the code answer that question.
>

It's tied to the shell.

http://www.tedunangst.com/flak/post/doas-mastery

"If you have multiple shell logins to a machine, each login will require
authentication. Additionally, the authentication information includes the
parent shell process ID. This means that executing doas again in a shell
script will require authentication."

> On Thu, Dec 15, 2016 at 11:25 AM, jungle Boogie 
> wrote:
>
>> On 15 December 2016 at 09:21, Ax0n  wrote:
>> > In -CURRENT, doas.conf has a "persist" keyword that will only prompt
>> once
>> > per session. This isn't available in OpenBSD 6.0, but should work when
>> 6.1
>> > is released. Here's a fairly minimal rule that would allow wheel group
>> users
>> > to do whatever they want with doas after authenticating once:
>>
>> DOH! I forgot to mention that I'm running a snapshot from this morning.
>>
>> OpenBSD 6.0-current (GENERIC.MP) #38: Thu Dec 15 08:24:17 MST 2016
>> bu...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>>
>> by doas.conf:
>> permit persist :wheel
>> permit persist keepenv jungle as root
>>
>> With this, should I be re-prompted for the password?
>>
>>
>> --
>> ---
>> inum: 883510009027723
>> sip: jungleboo...@sip2sip.info



Re: IP Forwarding is not working?

2016-12-10 Thread trondd
On Fri, December 9, 2016 2:24 pm, é*·è*´å¼º wrote:
> Hi, I don't really think ip forwarding is broken either as I can still
> access the Internet.
>
> # ifconfig
> lo0: flags=8049 mtu 32768
>index 6 priority 0 llprio 3
>groups: lo
>inet6 ::1 prefixlen 128
>inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
>inet 127.0.0.1 netmask 0xff00
> em0: flags=8843 mtu 1500
>lladdr 1a:cc:00:12:b1:9c
>index 1 priority 0 llprio 3
>media: Ethernet autoselect (100baseTX full-duplex)
>status: active
>inet 192.168.244.1 netmask 0xff00 broadcast 192.168.244.255
> em1: flags=8843 mtu 1500
>lladdr 1a:cc:00:12:b1:9d
>index 2 priority 0 llprio 3
>media: Ethernet autoselect (100baseTX full-duplex)
>status: active
>inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
> em2: flags=8843 mtu 1500
>lladdr 1a:cc:00:12:b1:9e
>index 3 priority 0 llprio 3
>media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
>status: active
>inet 192.168.2.1 netmask 0xff00 broadcast 192.168.2.255
> em3: flags=8843 mtu 1500
>lladdr 1a:cc:00:12:b1:9f
>index 4 priority 0 llprio 3
>media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
>status: active
>inet 192.168.3.1 netmask 0xff00 broadcast 192.168.3.255
> enc0: flags=0<>
>index 5 priority 0 llprio 3
>groups: enc
>status: active
> pppoe0: flags=8851 mtu 1492
>index 7 priority 0 llprio 3
>dev: em0 state: session
>sid: 0x69cc PADI retries: 15 PADR retries: 0 time: 4d 13:55:21
>sppp: phase network authproto pap authname "lan1201210025"
>groups: pppoe egress
>status: active
>inet 27.9.22.243 --> 27.9.20.1 netmask 0x
> pflog0: flags=141 mtu 33144
>index 8 priority 0 llprio 3
>groups: pflog
>
> # cat /etc/pf.conf
> #   $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
> #
> # See pf.conf(5) and /etc/examples/pf.conf
>
> set skip on lo
>
> block return# block stateless traffic
> pass# establish keep-state
>
> # By default, do not permit remote connections to X11
> block return in on ! lo0 proto tcp to port 6000:6010
>
> pass out on egress from !(egress:network) to any nat-to (egress)
>

You're probably matching on the nat-to rule even when going from LAN to
LAN.  It reads like this:  Pass out on your internet interface from not
the internet to anywhere (the internet or even the LAN) and NAT it out the
internet interface.

You can't get to your LAN from the internet interface.  You need to
exclude the LAN networks from 'any' or add additional rules to match when
going LAN to LAN.



Re: trouble adding user to a chroot sandbox

2016-11-25 Thread trondd
On Fri, November 25, 2016 4:24 pm, trondd wrote:
> On Fri, November 25, 2016 2:01 pm, Dave Cohen wrote:
>> I'm new to `chroot`.  Trying to make sandbox where I can build and run
>> untrusted code without affecting the base system.
>>
>> Following instructions from
>> https://www.ibm.com/developerworks/community/blogs/karsten/entry/openbsd_chroot?lang=en,
>> I am at the point where I can `doas chroot /jails/untrusted/` and I have
>> root access to my chroot environment.  So far, so good.
>>
>> Next I try to make a non-root user in the chroot environment, but run
>> into
>> trouble doing so.  For example, this complaint that /etc/shells is
>> missing:
>>
>> # adduser
>> Couldn't find /etc/adduser.conf: creating a new adduser configuration
>> file
>> Reading /etc/shells
>> /etc/shells: No such file or directory
>>
>>
>> This is solved easily enough, copying /etc/shells from my base install
>> to
>> /jails/untrusted/etc/shells.  But I quickly run into a similar problem
>> because /etc/master.passwd is missing.
>>
>> I'm not sure I want to use the /etc/master.passwd from the base install
>> in
>> the chroot.  Also, I suspect that I'll run into more problems like this.
>> Have I missed a step in initializing my chroot directory?  Is there a
>> recommended way to create files like /etc/master.passwd the same as
>> created by the openbsd installer?
>>
>> Thanks for any help!
>>
>
> It's an old how-to.  There are no etc sets anymore.  Did you run sysmerge
> in the chroot or otherwise extract the etc tarball out of the base
> tarball?
>
> Also, depending on what you're trying to do in the chroot, maybe look into
> leveraging proot from ports.
>

And by "proot from ports" I mean ports/infrastructure/bin/proot.  It's not
a 3rd party package.



Re: trouble adding user to a chroot sandbox

2016-11-25 Thread trondd
On Fri, November 25, 2016 2:01 pm, Dave Cohen wrote:
> I'm new to `chroot`.  Trying to make sandbox where I can build and run
> untrusted code without affecting the base system.
>
> Following instructions from
> https://www.ibm.com/developerworks/community/blogs/karsten/entry/openbsd_chroot?lang=en,
> I am at the point where I can `doas chroot /jails/untrusted/` and I have
> root access to my chroot environment.  So far, so good.
>
> Next I try to make a non-root user in the chroot environment, but run into
> trouble doing so.  For example, this complaint that /etc/shells is
> missing:
>
> # adduser
> Couldn't find /etc/adduser.conf: creating a new adduser configuration file
> Reading /etc/shells
> /etc/shells: No such file or directory
>
>
> This is solved easily enough, copying /etc/shells from my base install to
> /jails/untrusted/etc/shells.  But I quickly run into a similar problem
> because /etc/master.passwd is missing.
>
> I'm not sure I want to use the /etc/master.passwd from the base install in
> the chroot.  Also, I suspect that I'll run into more problems like this.
> Have I missed a step in initializing my chroot directory?  Is there a
> recommended way to create files like /etc/master.passwd the same as
> created by the openbsd installer?
>
> Thanks for any help!
>

It's an old how-to.  There are no etc sets anymore.  Did you run sysmerge
in the chroot or otherwise extract the etc tarball out of the base
tarball?

Also, depending on what you're trying to do in the chroot, maybe look into
leveraging proot from ports.



Re: mailx as root ignores set keep

2016-11-25 Thread trondd
On Fri, November 25, 2016 12:36 pm, Walter Alejandro Iglesias wrote:
> Hello trondd,
>
> On Fri, Nov 25, 2016 at 11:03:49AM -0500, trondd wrote:
>> On Fri, November 25, 2016 4:17 am, Walter Alejandro Iglesias wrote:
>> > Is this on purpose?
>> >
>> > I've tried adding 'set keep' to /etc/mail.rc and /root/.mailrc
>> > but mail(1) still removes empty mailbox files before quitting.
>> >
>>
>> Worked here.  How exactly are you reading mail?
>>
>
> Have you tried running mail as root as I said in the subject?
>
> For example, copy some mbox file to /tmp, then su to root and open the
> file:
>
> # mail -f /tmp/mbox
>

This makes a difference.  That's not a system mailbox.  'Keep' seems to
only apply to a system mailbox and not to a "file".  Though, it seems like
it should.



Re: mailx as root ignores set keep

2016-11-25 Thread trondd
On Fri, November 25, 2016 4:17 am, Walter Alejandro Iglesias wrote:
> Is this on purpose?
>
> I've tried adding 'set keep' to /etc/mail.rc and /root/.mailrc
> but mail(1) still removes empty mailbox files before quitting.
>

Worked here.  How exactly are you reading mail?


