protected domain for tap for vmm vms

2018-08-17 Thread jirib
Hello,

I was checking bridge's protected domains and I'm curious
how to add VMM VM's tap into a VMM switch/bridge protected domain.

It seems it's not implemented yet.

I wanted to achieve this:

- multiple VMM VMs in same switch/bridge
- VMs cannot talk to each other inside the bridge
  hence protected domain
- VMs can access uplink via bridge's vether

Jiri



Re: asm avr

2011-09-22 Thread jirib
On Thu, 22 Sep 2011 23:20:19 +0800
igor denisov  wrote:

> Hello there,
> 
> I installed avr-binutils  and tried to use it on some code and
> something strange happened. When I tried to compile code it appeared
> that the m16def.inc had a bad syntacs the file is from ATMEL site.
> 
> What I did wrong?

You posted to the wrong list. OMG, we will be spammed again with your silly
mails :(

jirib



Re: BSD Day 2011

2011-09-09 Thread jirib
On Fri, 9 Sep 2011 11:13:43 +0200
Henning Brauer  wrote:

> * Tomas Bodzar  [2011-09-08 18:33]:
> > Are some of the devs attending or no one invited?
> > http://www.bsdday.eu/2011
> 
> first time I personally hear about this at all.

Lua and FreeBSD and neologism, lol.

jirib



Re: essential reading for beginning OpenBSD users

2011-09-06 Thread jirib
On Tue, 6 Sep 2011 10:27:22 -0400
Daniel Villarreal  wrote:

> I consider the following to be essential reading for beginning OpenBSD
> users...
> 
> "Absolute FreeBSD, 2nd Edition information" by Michael W. Lucas...
> http://www.nostarch.com/abs_bsd2.htm
> 
> Don't forget the "Book of PF, 2nd Edition" by Peter N.M. Hansteen ...
> http://nostarch.com/pf2.htm
> 
> Over the years I've spent a lot of money on O'Reilly GNU/Linux books,
> but the 1st ed. versions of the above books astound me with their
> clarity in explaining very technical concepts in an
> easy-to-understand manner. I never before considered technical
> computer writing to be elegantly handled, but combined with the man
> pages, the documentation is simply superb. Usually I wouldn't even
> consider buying a newer version of a computer book I already have,
> but I will be buying the second editions of said books when I can.
> 
> Thanks for your efforts!
> Daniel Villarreal
> 
> On Tue, Sep 6, 2011 at 7:12 AM, Amit Kulkarni 
> wrote:
> 
> > Lucas is bringing out a 2nd edition of absolute openbsd, which i am
> > gonna buy

I consider the best:

man afterboot
man hier

:DD

jirib



Re: Most secure Operating-System?

2011-09-05 Thread jirib
On Mon, 5 Sep 2011 23:55:52 +1000
Alec Taylor  wrote:

> Good evening,
>
> What's the most secure operating system?
>
> /me is thinking OpenBSD
>
> Features required:
>  TCP/IP Suite with IPv4 and IPv6 (yeah, I know, big security loss by
> incorporating Internet access!)
>  GUI
>  Web-server (with HTTPS capabilities)
>  LDAP+-Kerberos server for User auth
>  CAS or similar for SSO
>  Radius or (preferably) Diameter support
>  Java support
>  WINE compatible
>  Multithreaded
>  Multi-processor capable
>  Wide architecture support (x86, x64, mainframes)
>
> If my project proposal is successful, I will be implementing this
> system to replace a Windows environment at one of the largest banks in
> the country.
>

Do NOT smoke that sh1t too much, or if you wanted to be funny you are
not.

jirib



Re: dump/restore - individual file

2011-08-24 Thread jirib
On Sun, 21 Aug 2011 18:22:15 -0500
Stefan Johnson  wrote:

> > # restore -xf root.dump './etc/pf.conf'
> > restore: ./etc: File exists
> > You have not read any tapes yet.
> > Unless you know which volume your file(s) are on you should start
> > with the last volume and work towards the first.
> > Specify next volume #:
> >
> > And here I'm failing, why volume?
> >
> > Thank you for tips.
> >
> > jirib
> >
> >
> I believe restore with -x flag always asks for which volume, even if
> it is just a dump to a file.  Just tell it to use volume 1 (type 1
> then hit enter.)
> 
> Also, I notice in your dump example, you dumped the raw device.
> You can just tell it to use "/" instead, and it will dump just fine
> as well.

Hi,

It would be nice if `restore' knew whether it is restoring from a file
or from a tape. Even `-s 1' doesn't suppress prompting for the volume number.

This is from the AIX man page:

-s SeekBackup   Specifies the backup to seek and restore on a
multiple-backup tape archive. The -s flag is only applicable when the
archive is written to a tape device. To use the -s flag properly, a
no-rewind-on-close and no-retension-on-open tape device, such
as /dev/rmt0.1 or /dev/rmt0.5, must be specified. If the -s flag is
specified with a rewind tape device, the restore command displays an
error message and exits with a nonzero return code. If a no-rewind tape
device is used and the -s flag is not specified, a default value of -s
1 is used. The value of the SeekBackup parameter must be in the range
of 1 to 100 inclusive. It is necessary to use a no-rewind-on-close,
no-retension-on-open tape device because of the behavior of the -s
flag. The value specified with -s is relative to the position of the
tapes read/write head and not to an archives position on the tape. For
example, to restore the first, second, and fourth backups from a
multiple-backup tape archive, the respective values for the -s flag
would be -s 1, -s 1, and -s 2.

I cannot do C so I cannot send a diff :(

jirib



dump/restore - individual file

2011-08-21 Thread jirib
Hello,

I use the `restore' command quite often to restore individual
files, but on AIX, not on OpenBSD.

I'm trying to do the same on OpenBSD but I'm failing; how do I
do that on OpenBSD?

Imagine you `dump' a FS and then you need to recover some files.

# df -h /
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a     96.4M   69.9M   21.7M    76%    /
# dump -0af /tmp/root.dump /dev/rsd0a 
  DUMP: Date of this level 0 dump: Sun Aug 21 22:13:45 2011
  DUMP: Date of last level 0 dump: the epoch
  DUMP: Dumping /dev/rsd0a to /tmp/root.dump
  DUMP: mapping (Pass I) [regular files]
  DUMP: mapping (Pass II) [directories]
  DUMP: estimated 72646 tape blocks.
  DUMP: Volume 1 started at: Sun Aug 21 22:13:45 2011
  DUMP: dumping (Pass III) [directories]
  DUMP: dumping (Pass IV) [regular files]
  DUMP: 73963 tape blocks on 1 volume
  DUMP: Date of this level 0 dump: Sun Aug 21 22:13:45 2011
  DUMP: Volume 1 completed at: Sun Aug 21 22:13:59 2011
  DUMP: Volume 1 took 0:00:14
  DUMP: Volume 1 transfer rate: 5283 KB/s
  DUMP: Date this dump completed:  Sun Aug 21 22:13:59 2011
  DUMP: Average transfer rate: 5283 KB/s
  DUMP: Closing /tmp/root.dump
  DUMP: DUMP IS DONE
# restore -tf root.dump | egrep "\./etc/pf\.conf$"
Level 0 dump of an unlisted file system on t400.example.com:/dev/rsd0a
Label: none
  3789  ./etc/pf.conf
# restore -xf root.dump './etc/pf.conf'
restore: ./etc: File exists
You have not read any tapes yet.
Unless you know which volume your file(s) are on you should start
with the last volume and work towards the first.
Specify next volume #:

And here I'm failing, why volume?

Thank you for tips.

jirib



eSATA, SATA port multiplier, storage chassis and OpenBSD

2011-08-13 Thread jirib
Hello all,

I was googling for an external storage chassis as a cheap alternative to
expensive SANs -
http://www.addonics.com/products/raid_system/rack_overview.asp

What is the support status of eSATA/SATA port multipliers? I have never
used this technology, but as I understand it, it means that with one
cable you can see multiple disks...

Addonics even offer RAID, but it looks like fake/soft RAID.

Do you use any external storage chassis which are dumb - meaning no SAN
software and none of this fancy expensive stuff?

jirib



Re: Debugging an app running in compat_linux

2011-07-26 Thread jirib
On Tue, 26 Jul 2011 19:41:24 -0400
Ted Unangst  wrote:

> On Tue, Jul 26, 2011, jirib wrote:
> > I'm trying to make running ATTclient (basically it is some programs
> > for authentication, the network [vpn] setup is similar to vpnc).
> > 
> > After I start one of its daemon the system is completelly blocked -
> > stucked. No error, no kernel panic, nothing happens after pressing
> > any key.
> > 
> > Any tips how could I do some debugging?
> 
> The first thing to try would be another version.  You don't mention
> which version you're running now, so all I can suggest is not that
> one.

Hello,

using latest -current snapshot of course ;)

And the ugly app is
ftp://ftp.attglobal.net/pub/custom/ibm_linux/agnclient-1.0-2.0.1.3003.i386.rpm

I will try some ooold version then.

jirib



Debugging an app running in compat_linux

2011-07-26 Thread jirib
Hello,

I'm trying to get ATTclient running (basically it is some programs for
authentication; the network [vpn] setup is similar to vpnc).

After I start one of its daemons the system is completely blocked -
stuck. No error, no kernel panic, nothing happens after pressing any
key.

Any tips on how I could do some debugging?

Thank you.

jirib



Re: openbsd 4.9 based UTM

2011-07-19 Thread jirib
On Tue, 19 Jul 2011 12:41:40 +0200
Otto Moerbeek  wrote:

> On Tue, Jul 19, 2011 at 11:34:48AM +0100, citoyen citoyen wrote:
> 
> > Hi,
> > I'm about starting a project of building my own High secure UTM
> > based on the last openbsd flower 4.9,
> > i can do all system and network configs  needed by myself  but I'm
> > wondering what language to use in order to get
> > my UTM configurable from a web browser.
> > any pointers or help are welcome.
> > 
> > Thanks in advance.
> 
> What IS an UTM?

Marketing :) First start with good design, see for example series about
tunneling from corporate network on undeadly.org

jirib



Re: Anyone know of an smtp-proxy (or other mechanism) for routing mail to different IMAP servers depending recipient address?

2011-07-07 Thread jirib
On Thu, 7 Jul 2011 13:42:00 -0400
IT Guy  wrote:

> Hi all,
> 
> I'm in the process of migrating our company from a certain
> proprietary mail system to a new OpenBSD mailserver (IMAP + Postfix).
> 
> I'd like to be able to migrate our users one at a time rather than do
> the whole company in one fell swoop.
> 
> Does anyone know of a good/easy way to conditionally route incoming
> mail based on the envelope recipient address? (Basically I want
> migrated users to start getting their mail from the new box, while
> the other users continue to connect to the old server)
> 
> I looked in the ports tree and didn't see an smtp proxy per se. Also
> the relayd manpage seemed relevant but I've never used that daemon
> before and thus am not sure.
> 
> I'm a newbie in this area, so any suggestions/guidance would be
> greatly appreciated.
> 
> Thanks in advance.
> 
> :-)
> 
> Dre

Never tried myself but...

http://anfi.homeunix.org/sendmail/smarttab.html

jirib



Re: How does OpenBSD compare to Ubuntu Server?

2011-07-07 Thread jirib
On Thu, 7 Jul 2011 09:02:08 -0400
Juan Miscaro  wrote:

> Was wondering what advantages OpenBSD has over a progressive Linux
> distribution such as Ubuntu (Server edition).

Are you kidding? Ubuntu? Where installed daemons are running by default,
where there is no command to disable shitty upstart daemons?

I once installed mysql on Ubuntu, just to check something; I disabled
those ugly symlinks in rcX.d via update-rc.d and after reboot it was
running -- well bloody hell, it also has an upstart script, OMFG!

jirib



Re: Citrix ICAclient hangs whole PC with latest i386 PC

2011-04-12 Thread jirib
On Tue, 12 Apr 2011 05:36:50 +0200
Tomas Bodzar  wrote:

> Hi,
> 
> will try ktrace and log output of Citrix too. Yesterday when I saw
> that crash word in output of last I thought that maybe I can enter
> ddb. Will test that today and you can expect outputs. Anyway no need
> to worry about it right now, you have holidays and I have "workaround"

- use java version, it works quite OK, example:

java -cp ./JICAEngN.jar com.citrix.JICA -httpbrowseraddress:x.x.250.111
-initialprogram:#WIN2KAPPS -username:x -address:WIN2KAPPS
-launcher:Custom -desiredvres:768 -desiredhres:1024 -password:x
-end:terminate

jirib



Re: DUID's and fstab

2011-04-12 Thread jirib
On Tue, 12 Apr 2011 02:06:51 +0400
Alexander Polakov  wrote:

> I am probably misunderstanding something, but are DUID's supposed to
> be used in place of device filenames in fstab? I suppose they are,
> so this looks strange to me:
> 
> % sudo mount f777cc5bbeded528.a
> mount: can't find fstab entry for f777cc5bbeded528.a.

I always believed that one has to specify the mountpoint for `mount'
without specifying the device, like `mount /foo'.

Eh?

jirib



Re: place xenocara compile output into /scratch

2011-04-09 Thread jirib
On Sat, 09 Apr 2011 02:58:47 -0400
"STeve Andre'"  wrote:

> On 04/08/11 23:57, Amit Kulkarni wrote:
> > hi,
> >
> > how do i redirect a compile of xenocara to say /scratch? i can do
> > that easily for userland using
> >
> > cd /usr/src/etc&&  env DESTDIR=/scratch make distrib-dirs
> >
> > i don't want to fiddle too much like changing X11BASE X11ETC just a
> > simple way to do it.
> >
> > thanks
> Why don't you use script(1) to capture things?  That way you never
> have to tweak anything.
> 
> --STeve Andre'

Or tmux and pipe-pane ;) very nice.

jirib



Re: mysql problem

2011-04-08 Thread jirib
On Fri, 8 Apr 2011 09:52:15 +0200
"Gianluca D'Auri Muscelli"  wrote:

> Hi,
> i'v installed postfix-mysql + mysql-server + courier-imap and
> imap-ssl + courier-pop and pop-ssl on OpenBSD 4.8-Stable
> 
> But now i have a problem with vmail and mysql, i'v created the
> database for postfix users
> Pastebin link of database:   http://pastebin.com/70qd43AZ
> 
> And i insert my account into database mail with:
> 
> mysql>  INSERT INTO users (login, name, password, maildir)
> -> VALUES ('gdrm@my_domain.org', 'Gianluca', ENCRYPT('my_password'),
> -> '/my_site.org/gdrm/');
> 
> 
> When i connect with mutt:   mutt -f
> imaps://my_u...@example.com@localhost the password does not match!
> Or when i try:  sudo -u vmail mutt
> -f /var/vmail/mydomain.org/user_name
> 
> I don't know where is the problem, can u help me??
> Tks vvm

This is postfix related, not OpenBSD. You are on the wrong list.

jirib



Re: sftp-server logging with chroot in OpenBSD?

2011-03-27 Thread jirib
On Sun, 27 Mar 2011 21:38:58 +0800
Marcus  wrote:

> sftp-server logging with chroot in OpenBSD?
> 
> I want to log upload/download information in sftp server

I don't know where your problem is, but this is how it works for me ;)

jirib

Match User 
ChrootDirectory /data/share
PasswordAuthentication yes
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp -R -l INFO -f LOCAL0

Match User 
ChrootDirectory /data/share
PasswordAuthentication yes
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp -l INFO -f LOCAL


$ ls -l /data/share/dev/log
srw-rw-rw-  1 root  wheel  0 Mar 26 09:21 /data/share/dev/log=

$ sftp @localhost
Connected to localhost.
sftp> ls
drupal   ebooks   movies   musicopenbsd  upload   video
sftp> quit



$ tail /var/log/
Dec 22 02:30:39 t400 internal-sftp[24742]: closedir "/disk/0/openbsd"
Dec 22 02:30:41 t400 internal-sftp[24742]: opendir "/disk/1/openbsd/cvs"
Dec 22 02:30:41 t400 internal-sftp[24742]: closedir "/disk/1/openbsd/cvs"
Dec 22 02:30:45 t400 internal-sftp[24742]: opendir "/disk/1/openbsd/cvs/ports"
Dec 22 02:30:45 t400 internal-sftp[24742]: closedir "/disk/1/openbsd/cvs/ports"
Dec 22 02:30:50 t400 internal-sftp[24742]: session closed for local user  from [127.0.0.1]
Mar 27 18:52:09 t400 internal-sftp[892]: session opened for local user  from [127.0.0.1]
Mar 27 18:52:10 t400 internal-sftp[892]: opendir "/pub"
Mar 27 18:52:10 t400 internal-sftp[892]: closedir "/pub"
Mar 27 18:52:12 t400 internal-sftp[892]: session closed for local user  from [127.0.0.1]
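As an added example (not from the original post or from OpenSSH itself), here is a small audit helper for the internal-sftp lines that the `-l INFO -f LOCAL0` setup above produces: it folds the per-operation log lines into one line per session (pid, user, source host, file opens, directory listings, whether the session closed cleanly). The sample log lines are constructed and the user names and the 10.0.0.5 address in them are made up; the message formats follow the ones shown in the post.

```shell
#!/bin/sh
# Constructed sample input modelled on the internal-sftp output above
# (user names and the 10.0.0.5 host are invented for the example).
SAMPLE_LOG='Mar 27 18:52:09 t400 internal-sftp[892]: session opened for local user alice from [127.0.0.1]
Mar 27 18:52:10 t400 internal-sftp[892]: opendir "/pub"
Mar 27 18:52:10 t400 internal-sftp[892]: closedir "/pub"
Mar 27 18:52:11 t400 internal-sftp[892]: open "/upload/notes.txt" flags WRITE,CREATE,TRUNCATE mode 0644
Mar 27 18:52:12 t400 internal-sftp[892]: session closed for local user alice from [127.0.0.1]
Mar 27 18:53:00 t400 internal-sftp[910]: session opened for local user bob from [10.0.0.5]
Mar 27 18:53:03 t400 internal-sftp[910]: opendir "/ebooks"'

# sftp_sessions: read internal-sftp syslog lines on stdin and print
#   <pid> <user> <host> opens=<n> dirs=<n> <open|closed>
# one line per session, in the order the sessions were opened.
# A session still marked "open" at the end of the log never logged
# "session closed", which is worth a second look in an audit.
sftp_sessions() {
    awk '
    match($0, /internal-sftp\[[0-9]+\]:/) {
        # "internal-sftp[" is 14 characters, "]:" is 2: cut out the pid
        pid = substr($0, RSTART + 14, RLENGTH - 16)
        msg = substr($0, RSTART + RLENGTH + 1)   # text after "]: "
        if (msg ~ /^session opened for local user /) {
            split(msg, f, " ")
            user[pid] = f[6]; host[pid] = f[8]
            order[++n] = pid; state[pid] = "open"
        } else if (msg ~ /^session closed/) {
            state[pid] = "closed"
        } else if (msg ~ /^opendir /) {
            dirs[pid]++
        } else if (msg ~ /^open /) {           # file open, not opendir
            opens[pid]++
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            p = order[i]
            printf "%s %s %s opens=%d dirs=%d %s\n",
                p, user[p], host[p], opens[p] + 0, dirs[p] + 0, state[p]
        }
    }'
}

# Usage: printf '%s\n' "$SAMPLE_LOG" | sftp_sessions
# or, on the real host: grep internal-sftp /var/log/<file> | sftp_sessions
```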



Re: pf rdr-to outgoing to local port issues

2011-03-21 Thread jirib
On Sat, 19 Mar 2011 21:28:09 +0100
Henning Brauer  wrote:

> > it was working for me - rdr-to outbound to a daemon on the firewall
> > itself, but I deleted that virtual machine...
> > 
> >rdr-to is usually applied inbound.  If applied
> > outbound, rdr-to to a local IP address is not supported.
> > 
> > I would put my hand in fire -- it was working :) I read the manpage
> > but I don't get it, how could it work then?
> 
> pretty certain it could not have worked. the rdr-to in this case is
> too late and the local/remote decision already taken.


Hi,

I understand I'm becoming annoying, but it worked, though maybe I was on
drugs... Unfortunately I have no evidence in hand now :) I tested like this:

* ssh -D remotehost
* redsocks listening on 127.0.0.1:12345 and redirecting to
  127.0.0.1:
* pf redirecting www to 127.0.0.1:12345
* lynx ipid.shat.net

Finally I saw in lynx IP of remote ssh socks5 tunnel.

Any idea how to redirect outgoing traffic to local port?

Would it be hard to add such functionality to PF? (I don't like
such comparisons, but it can be done on other OSes.)

This feature would be handy for people doing system-wide socksifying (I
have already seen apps which spawned other apps and thus were not
socksified), or for people who want to run almost everything via Tor or
similar anonymizing networks -- I think it's better to socksify Tor
traffic at the OS level because one can misconfigure one's application.

Thank you for help!

jirib



Re: pf rdr-to outgoing to local port issues

2011-03-18 Thread jirib
On Fri, 25 Feb 2011 10:21:20 +0100
Henning Brauer  wrote:

> * william dunand  [2011-02-25 05:26]:
> > > pass out log(matches) quick inet proto tcp from any to
> > > 89.176.141.250 port = www rdr-to 127.0.0.1 port 8080
> > I think rdr-to is meant to be use on inbound rules.
> 
> we allow rdr-to outbound too now. it has caveats, and - surprise! -
> they are described in the manpage.
> this example hits a caveat.
> 

Hi,

it was working for me - rdr-to outbound to a daemon on the firewall
itself, but I deleted that virtual machine...

   rdr-to is usually applied inbound.  If applied outbound,
   rdr-to to a local IP address is not supported.

I would put my hand in fire -- it was working :) I read the manpage
but I don't get it, how could it work then?

Thanks for help.

jirib



Re: full disk encryption & google chrome on OpenBSD!

2011-03-18 Thread jirib
On Fri, 18 Mar 2011 09:11:26 -0500
Marco Peereboom  wrote:

> On Fri, Mar 18, 2011 at 07:02:58AM -0700, johhny_at_poland77 wrote:
> > So our point is, if there is a good method to encrypt the full disk
> > [like with dm-crypt/AES/under Linux], and we could have an
> > up-to-date google chrome browser on OpenBSD, then it could be a
> > very very good operating system for daily use! Dear community! Can
> > someone please post small and compact [pointed] howtos, how to
> > install an OpenBSD with full disk encryption, and how can we
> > install google chrome on it? It's very important! Thank you in
> > anticipation!
> 
> It isn't important at all for me so I have no idea what you are
> talking about.
> 
> And if you use chrome why would you bother encrypting your disk
> anyway?

Nobody has mentioned that it is impossible to have full disk encryption
right now -- one has to have root fs - / - unencrypted.

But let's see... there was a commit to add detection of softraid into
boot loader.

jirib



Re: syslog - log program output to its own file

2011-03-13 Thread jirib
On Mon, 14 Mar 2011 13:07:02 +1300
Paul M  wrote:

> I have a program who's output I want to log exclusively to it's own 
> file.
> Which is to say I dont want any of it's output appearing in the
> system logs.
> 
> Reading the syslog man pages this doesn't seem possible:
> If I put
> !!myprog
> *.*   /path/to/logfile
> 


localX, check the manpage.

I would go with rsyslog, it seems better.

jirib



Re: Chrooting users the right way

2007-05-14 Thread jirib

[EMAIL PROTECTED] wrote:

Hi

I am setting up a new OpenBSD machine in which I want to chroot users. I don't
want to use any of the patching solutions to OpenSSH but want to implement a
real system chroot solution so any user, who is chrooted, is jailed even if he
logs in manually.

I have tried to find articles on this, but haven't been successful.


Does anyone know of a good tutorial on how to do this on OpenBSD?

Best and kind regards.

Rico Secada.




Hi,
just try using a combination of sshd_config directives (Match &
ForceCommand) and your own wrapper script for systrace...


Something like this:
sshd_config
ForceCommand /path/to/systrace-wrapper

systrace-wrapper:
/bin/systrace -a /usr/libexec/sftp-server