30 July 2015


Undeadly :: c2k15: sashan@ on SMP pf progress


One of our new developers, Alexandr Nedvedicky (sashan@), writes in to tell us about his trip to the lovely locale of Calgary for c2k15.

It's been an honor for me to spend a week with OpenBSD developers. I'd like to thank mikeb@, who somehow made it happen. I've tried not to slack too much, committing all the small bugfixes to PF we've found in the past while porting PF to Solaris. There is still one more patch to come; I'm basically waiting for an O.K. from bluhm@.

28 July 2015


Undeadly :: c2k15: jsg@ on graphics work: Mesa, xenocara, drm, libGL


The next c2k15 hackathon report comes from Jonathan Gray (jsg@), who got a lot done this time:

During c2k15 I mostly focussed on some of the userland parts of graphics support, Mesa which implements the OpenGL library and libdrm the library which abstracts/wraps drm ioctls sent to the kernel.


25 July 2015


Undeadly :: c2k15: rzalamena@ on mpw(4), network MP safety


For our next c2k15 installment, we welcome new developer Rafael Zalamena (rzalamena@), who just submitted his first-ever hackathon report:

My name is Rafael Zalamena (rzalamena@) and this was my first OpenBSD hackathon.

I was invited to the hackathon early this year to help renato@ and mpi@ to deal with the commit of mpw(4) device to finish the VPLS implementation for OpenBSD, but after the first days in Calgary I was offered an account to do my first commits.


Undeadly :: c2k15: jeremy@ on ruby work, kernel and libc bugs, ports progress


Our series of c2k15 hackathon reports continues with this entry from Jeremy Evans (jeremy@):

I had a great time at c2k15 and got a lot of work done.

The first major project I worked on was switching the default version of ruby in the ports tree from 2.1 to 2.2. That's a fairly simple change, but it requires testing a bulk build of the ruby ports, which brought up some issues that had to be fixed in a handful of ports.


24 July 2015


Undeadly :: c2k15: mpi@ on trunk(4), pf(4), wifi, routing, bridge(4) and more


Our next c2k15 report comes from Martin Pieuchot (mpi@), who appears to have had a quite productive hackathon:

As expected, I spent most of my time during this hackathon working on the network stack. But apart from a crazy trunk(4) bug fix I did not write much code during the week and this was completely new to me!

I always thought that hackathons were the best place to write code, but what's even more important is that they are the best (well, actually the only) moment where one can discuss and coordinate projects with other developers IRL. And that's what I did.


23 July 2015


Undeadly :: c2k15: jasper@ on puppet progress, sed(1) enhancements and more


This just in - a fresh hackathon report, this time from Jasper Lievisse Adriaanse (jasper@). Jasper writes,

It seems to have become a standard part of my hackathons these days: Puppet. While I didn't work that much on Puppet itself this hackathon, I did spend a great deal of time before and at the hackathon on Facter. Facter is a tool used by Puppet to gather various bits of system information (facts). These can be trivial facts such as hostname and architecture, but also more complex and structured facts such as mountpoints and network interface information.


22 July 2015


Undeadly :: c2k15: ajacoutot@ on rc.d refinements, ports churn and sysmerge's future


Next up in our series of c2k15 hackathon reports is from Antoine Jacoutot (ajacoutot@), who writes:

A few days before the hackathon, I worked on a few rc.d(8) related things that I wanted to (and did) commit at the start of the week to give me a chance to fix any fallout.


Undeadly :: c2k15: stsp@ on wifi and usb matters, and a peek to the UTF-8 future


Stefan Sperling (stsp@) may not have landed just yet, but he did file this report from the newly concluded hackathon:

The net80211 wireless code has plenty of comments referring to sections of an old version of the 802.11 standard. I started updating such references in the ieee80211.h header to the 802.11-2012 ("11n") version of the standard, and also added new macros for meta data added in this newer version.


Undeadly :: c2k15: krw@ on softraid on 4k disks, cardbus on Dell vs Synaptics and Thinkpads


Kenneth Westerback (krw@) just came back from c2k15 and filed his report:

I arrived with two goals: offload a problematic Dell L400 I had had donated to me, and get 4K softraid working. deraadt@ and beck@ immediately pointed out that I was banging my head on the wrong brick wall for the L400 problems.

21 July 2015


Undeadly :: c2k15: Internal jump targets to help navigating big manual pages


One of our favorite developers Ingo Schwarze (schwarze@) writes in about a new feature that he just added to mandoc(1).

Did you ever look at a huge page in man(1), wanted to jump to the definition of a specific term - say, in ksh(1), to the definition of the "command" built-in command - and had to step through dozens of false positives with the less '/' and 'n' search keys before you finally found the actual definition?

08 July 2015


Undeadly :: EuroBSDCon 2015 Registration Is Open

Registration for this year's European BSD conference is now open at registration.eurobsdcon.org. Registration stays open until right before the conference starts, but early bird discounts end on August 31st (midnight CEST).

To help you plan your conference, you can look up the talks and tutorials (with a useful portion of OpenBSD content in all tracks) by following the links.

See you in Stockholm October 1st through 4th, 2015!

07 July 2015


Undeadly :: EuroBSDCon 2015 Preliminary Program Published

The EuroBSDCon 2015 organizers have published the initial list of accepted talks and tutorials, with a useful portion of OpenBSD stuff in all tracks.

It is worth noting that this is a preliminary version (the schedule is not yet finalized), but barring the usual human and practical factors, this is likely close to the conference's final program.

Undeadly :: Microsoft Now OpenBSD Foundation Gold Contributor


On the heels of announcing support for SSH, and specifically OpenSSH, Microsoft has become the OpenBSD Foundation's first-ever Gold contributor:

The OpenBSD Foundation is happy to announce that Microsoft has made a significant financial donation to the Foundation. This donation is in recognition of the role of the Foundation in supporting the OpenSSH project. This donation makes Microsoft the first Gold level contributor in the OpenBSD Foundation's 2015 fundraising campaign.

Donations to the Foundation can be made on our Donations Page.

We can be contacted regarding corporate sponsorship at fundraising@openbsdfoundation.org.

It's encouraging to see words followed by action, especially for such a critical piece of software.

01 July 2015


Undeadly :: Out With the Old, in With the New

Ted Unangst (tedu@) has published a blog post detailing some of the recent work going into OpenBSD:

Notes and thoughts on various OpenBSD replacements and reductions. Existing functionality and programs are frequently rewritten and replaced for the sake of simplicity or security or whatever it is that OpenBSD is all about. This process has been going on for some time, of course, but some recent activity is worth highlighting.


28 June 2015


Undeadly :: Handling Leap Seconds the OpenBSD Way


Christian Weisberger (naddy@) let us all know what we need to do to prepare for the impending leap second:

As you may have heard, a leap second will be upon us at 23:59:60
UTC on June 30.

The sky will fall, civilization will end, and dinosaurs will roam
the earth again.  Well, maybe not.

Neither the OpenBSD kernel nor OpenNTPD handle leap seconds in any
way.  So what will happen?

19 June 2015


Undeadly :: BSDCan 2015 Videos Online

The videos of the recently-concluded BSDCan are coming online at record speed. The OpenBSD videos online are:

  • Ted Unangst, "signify: Securing OpenBSD From Us To You" (video)
  • Ray Percival, "Networking with OpenBSD in a virtualized environment" (video)
  • Reyk Flöter, "Introducing OpenBSD’s new httpd" (video, part1, part2)
  • Peter Hessler, "Using routing domains / routing tables in a production network" (video)

Undeadly :: BSDNow Episode 094: Builder's Insurance

On this week's episode of BSDNow, Marc Espie (espie@) talks about dpb, OpenBSD's distributed package builder, which runs the binary package builds in Theo's basement. He talks about why it came about, the security measures built in, and the minimalistic and works-out-of-the-box configuration, among other things.

The hosts also talk about their experiences at the recent BSDCan, and, as usual, they have the roundup of the news, big and small, in the world of all things BSD.

[ Video | HD Video | MP3 Audio | OGG Audio | Torrent ]

12 June 2015


Undeadly :: Call for Testing: audio(4)


Alexandre Ratchov (ratchov@) posted a call for testing of a new audio(4) driver:

This is a replacement for the audio(4) driver. It implements a
minimal and complete subset of the audio abi. The main goal is to
simplify the semantics and the code itself. Less code, less bugs,
hopefully easier development.

To test this diff, simply run your regular audio stuff and let us
know if you notice any difference. I'd suggest to keep a copy of
the old kernel in order to be able to compare easily.

In case you notice a regression, you could build the kernel with
the AUDIO_DEBUG option, reboot, trigger the bug and send the
resulting dmesg and any related information.

thanks!

-- Alexandre

As always, testing is essential to maintaining the quality of OpenBSD!

11 June 2015


Undeadly :: LibreSSL 2.1.7 and 2.2.0 Released


Brent Cook (bcook@) has announced the latest LibreSSL releases, which contain fixes for several CVEs:

We have released LibreSSL 2.2.0, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.

This release is the first from the OpenBSD 5.8 development tree and
focuses mainly on build system improvements and new OS support.

We have also released LibreSSL 2.1.7, which contains additional security
fixes.

Of special note is the upcoming removal of SSLv3:

Note: This will likely be the last 2.2.x release with support for SSLv3,
as it will be removed entirely from the main LibreSSL tree.

03 June 2015


Undeadly :: Microsoft Announces Support for SSH


Windows admins rejoice! Microsoft's PowerShell Team announced future support for SSH, specifically OpenSSH:

[T]he PowerShell team realized the best option will be for our team to adopt an industry proven solution while providing tight integration with Windows; a solution that Microsoft will deliver in Windows while working closely with subject matter experts across the planet to build it. Based on these goals, I’m pleased to announce that the PowerShell team will support and contribute to the OpenSSH community - Very excited to work with the OpenSSH community to deliver the PowerShell and Windows SSH solution!

A follow up question the reader might have is: when and how will the SSH support be available? The team is in the early planning phase, and there are no exact dates yet. However the PowerShell team will provide details in the near future on availability dates.

Emphasis in the original. Wider adoption of secure technologies can only benefit the community. Hopefully that future is actually near, both for deployment and 'support and contribution'.

31 May 2015


Maxime DERCHE :: "The Book of PF", French edition


There it is: my translation of Peter N.M. Hansteen's excellent The Book of PF (blog) has just been published by Eyrolles under the title Le Livre de Packet Filter (in the Cahiers de l'Admin series)!

This book, based on the famous tutorial the author originally wrote as conference material, is one of the very few works (and the only one in French) covering this packet filter, developed by Daniel Hartmeier for OpenBSD and later adopted and integrated by FreeBSD and NetBSD. It will interest professionals (system and/or network administrators, etc.) who want to learn to use the little gem that is PF, or to sharpen their mastery of it, as well as network tinkerers, who will find plenty to keep them busy for a while.

As its title suggests, the book aims to serve as a guide to learning and mastering every aspect of Packet Filter.

Once the introductions are done (what is PF, why isn't it available in the GNU/Linux world, etc.), the first chapter serves as an introduction, outlining the history of PF's development and explaining the basic terminology (NAT, IPv4/IPv6, the difference between a packet filter and a firewall, etc.).

The second chapter then covers basic PF configuration, from enabling it to writing a very first ruleset for a single standalone machine; everything is detailed for OpenBSD, FreeBSD and NetBSD. The author also says a few words about the statistics pfctl(8) will give you if you ask it nicely.

The serious business starts in chapter three: it begins with NAT handling, with special attention to handling the FTP protocol on a NATed network (ftp-sesame, pftpx and of course ftp-proxy), continues with network debugging (the ICMP protocol for ping, traceroute and path MTU discovery), and ends with an explanation of why tables are a good thing. Note that in each case the details are given for the OpenBSD, FreeBSD and NetBSD implementations of PF.

Chapter 4 is devoted entirely to wireless networks (Wi-Fi): general usage, configuring a Wi-Fi interface on the client side and on the router side (with the matching /etc/pf.conf snippet), and of course it ends with the local speciality: building an authenticating gateway with authpf.

In the fifth chapter, the author completes his tour of the basic PF features that every administrator or enthusiast must master to use PF in a real configuration: setting up a DMZ (with or without NAT), filtering services (reachability from the outside and/or from the LAN), load balancing with hoststated, and using tags to clarify the filtering ruleset. To this the author adds setting up a bridging firewall (described for OpenBSD, FreeBSD and NetBSD), and a little trick to handle the fact that non-routable IPv4 addresses should never send or receive traffic over the Internet.

In chapter 6 (my favourite), the author covers what is perhaps THE topic par excellence when it comes to OpenBSD: proactive defence. This is where he (re)presents the trick that made his online tutorial famous: handling brute-force attacks with a blacklist and a few options (max-src-conn, max-src-conn-rate, overload, and flush global). Next, the author explains in detail how to set up an anti-spam strategy with spamd; on the menu: blacklisting, greylisting, greytrapping, and the associated tools spamdb and spamlogd. Let me insist: this chapter is currently the only real documentation on spamd that exists in French, so let's not deny ourselves the pleasure...

As for the seventh chapter, it will suit the greybeards: ALTQ is detailed over some twenty pages, and the CARP/pfsync pair over about ten. Given how little French documentation exists on these subjects, those in the know will appreciate it...

Finally, chapter 8 is devoted to logging and statistics (pflog, syslog, rule labels, pftop, pfstat, pfflowd), and the ninth and last chapter gives a reference to useful options not covered elsewhere in the book, notably traffic normalization (scrub).

You will also find two appendices, giving documentary references and the author's remarks on hardware support, respectively.

Note that the whole book has been updated to match the latest changes in PF between the most recent release (OpenBSD 4.5) and the one due out next November 1st (OpenBSD 4.6); I am thinking of scrub in particular. You know whom to blame if there is a problem. ;-)

As you will have gathered, this book is a gold mine for anyone looking to learn how to use Packet Filter, whether professionally or as a hobby.

And if you want to see what that looks like in practice, know that, following my translation work, I decided to completely rewrite the pf configuration (/etc/pf.conf) I use for my home network, and I included a large number of the tricks found in the book.

I would like to end by thanking Eyrolles for trusting me with this project, which took me more than a year to complete, Rodrigo Osorio for kindly agreeing to translate Greg Lehey's Explaining BSD so that I would not have to point my readers to an English text :), and the #OpenBSD.fr IRC channel for helping me when I needed it.

And finally, just to whet your appetite, here is the translation of the famous PF haiku that Jason Dixon posted to the PF mailing list on 20 May 2004, which closes the book's Foreword (English original first, French rendering below it):

Compared to iptables, PF is like this haiku:

A breath of fresh air,
floating on white rose petals,
eating strawberries.

Un souffle d'air frais,
Flottant sur de blancs pétales,
En mangeant des fraises.

And there I go getting carried away:

Hartmeier codes now,
Henning knows not why it fails,
fails only for n00b.

Hartmeier développe,
Henning ne comprend pas
Pourquoi les nuls n'y arrivent pas.

Tables load my lists,
tarpit for the asshole spammer,
death to his mail store.

Des tables chargent mes listes,
Punition pour les spammers.
Mort à leur commerce !

CARP due to Cisco,
redundant blessed packets,
licensed free for me.

CARP vient de Cisco,
Paquets redondants bénis,
Sous licence libre.

By Maxime DERCHE

19 May 2015


Undeadly :: Heads Up: spamd(8) PF Rule Change


With a recent commit, Reyk Flöter (reyk@) flipped the switch on spamd(8)'s pf interface:

Change spamd to use divert-to instead of rdr-to.

divert-to has many advantages over rdr-to for proxies.  For example,
it is much easier to use, requires less code, does not depend on
/dev/pf, works in-band without the asynchronous lookup (DIOCNATLOOK
ioctl), saves us from additional port allocations by the rdr/NAT code,
and even avoids potential collisions and race conditions that could
theoretically happen with the lookup.

Heads up: users will have to update their spamd PF rules from rdr-to
to divert-to.  spamd now also listens to 127.0.0.1 instead of "any"
(0.0.0.0) by default which should be fine with most setups but has to
be considered for some special configurations.

Those of you running spamd setups looking to upgrade need to double-check your pf configurations to make sure they still work the way you expect.

15 May 2015


Undeadly :: OpenBSD 5.7 CD 2 Incorrectly Pressed


OpenBSD project leader Theo de Raadt (deraadt@) outlined some issues with the CD plant, which led to an incorrectly-finished CD 2, some of which were, unfortunately, shipped prior to the issue being found.

Sadly, CD2 of OpenBSD 5.7 shipped in a broken fashion due to errors at the manufacturing plant. Two mistakes were made.

In the rush after the first error, this error was not caught in time. Many people have received (or will soon receive) their package with this broken disc. Orders which have not yet shipped are being held back... because...

A repaired disc is on the way from the plant.

This will be shipped out to everyone, and will be inserted into the orders not yet shipped.

Undeadly :: BSDNow Episode 089: Exclusive Disjunction

On this week's episode of BSDNow, the hosts interview Mike Larkin (mlarkin@) about how he got started in OpenBSD, his recent and upcoming work on W^X, and how that fits into the OpenBSD exploit mitigation ecosystem.

As always, they also have all the news and reviews in the world of all things BSD.

[ Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube ]

08 May 2015


Undeadly :: OpenBSD 5.7 Shipping, First Pre-orders Arriving

After a delay due to unfortunate production problems (the first such delay in 20 years), the OpenBSD Store announced that all pre-orders had been shipped.

And it seemed like only moments later that Raf Czlonka was the first to report on the misc@ mailing list that his pre-ordered OpenBSD 5.7 CD set had arrived.

Even if you hadn't preordered, you still have a chance to order your CD set and other swag by visiting the OpenBSD Store. If you want to support the project financially in other ways, the Donations page is, as always, a good place to start.

05 May 2015


Undeadly :: New disklabel(8) templates make for a more flexible autoinstall

In this commit, the first in a series, Henning Brauer (henning@) made disk allocation during automatic installs much more flexible by introducing disklabel templates. The matching installer bits came along via this commit by Robert Peichaer (rpe@).

Quoting the updated disklabel(8) man page,

A template for the automatic allocation can be passed to disklabel using -T option.

But the more exciting news is the template format:


30 April 2015


Undeadly :: OpenBSD 5.7 Released

May 1st, 2015, Calgary, AB, CA and elsewhere:

OpenBSD 5.7 has been released. The brand new 5.7 subdirectory should now be available and filled up on all relevant mirrors for those of you who have yet to receive your CD orders.

The release announcement, posted on project mailing lists earlier today, and the release home page both mention some highlights of the new release, while the complete changelog for the release is available on the OpenBSD website.

While you are too late to be the first to preorder a shiny OpenBSD release CD set, you can order one of your own, as well as a very cool 5.7-release poster.

29 April 2015


Undeadly :: OpenBSD has accepted projects from Google Summer of Code 2015

The OpenBSD page for Google Summer of Code 2015 has been updated with the list of accepted projects for this year:

Asynchronous USB Transfers From Userland
ARM SD/MMC Driver & Controller Driver In libsa For OpenBSD
Port HAMMER2 to OpenBSD
Implement KMS Driver For Cirrus Cards
Improving USB Userland Tools And ioctl(2)
Automating Module Porting

Many thanks to those that responded, and we wish the best of luck on all projects!

27 April 2015


Undeadly :: EU study recommends OpenBSD

In the European Parliament study “EU should finance key open source tools”, pointed out to us by Paul Irofti (pirofti@), and especially in study 2, they come to the conclusion that:
"[...] the use of open source computer operating systems and applications reduces the risk of privacy intrusion by mass surveillance. Open source software is not error free, or less prone to errors than proprietary software, the experts write. But proprietary software does not allow constant inspection and scrutiny by a large community of experts."

22 April 2015


Undeadly :: CfP extended for EuroBSDCon 2015


Due to overwhelming response, the deadline for submitting talks to EuroBSDCon has been extended:

Since there was a huge rush of submissions just on the very last day, we have decided to give a second chance for all of you that didn’t quite finish your talk or tutorial proposal in time for the deadline.

The new date is set to May 22nd, but you don’t have to wait until the very last moment. Send in your suggestions right away. We think there still is room for some more topics related to *BSD left to present.

For those of you who already have sent in yours, we are very happy to see so many good submissions. Don’t hesitate to add another topic to your submissions if you haven’t run out of good ideas yet.

If you've been sitting on that paper, now's the time to ship it!

20 April 2015


Undeadly :: p2k15 Hackathon Report: schwarze@ on USE_GROFF

Ingo Schwarze (schwarze@) writes in with our fourth report from the p2k15 ports hackathon:

When groff was removed from the OpenBSD base system in October 2010, Marc Espie@ marked more than 3000 ports with the USE_GROFF bsd.port.mk(5) variable, meaning that their manuals were formatted with groff at port build time and the preformatted versions included in the package. Over time, as mandoc(1) matured and learnt to handle more and more syntax, the number of ports having USE_GROFF gradually decreased.

15 April 2015


Undeadly :: Solaris Admins: For A Glimpse Of Your Networking Future, Install OpenBSD


Undeadly's very own Peter Hansteen has written up some PF-on-Solaris-related email chatter:

Roughly a week ago, on April 5th, 2015, parts of Oracle's roadmap for upcoming releases of their Solaris operating system were leaked in a message to the public OpenBSD tech developer mailing list. This is notable for several reasons, one is that Solaris, then owned and developed by (the now defunct) Sun Microsystems, was the original development platform for Darren Reed's IP Filter, more commonly known as IPF, which in turn was the software PF was designed to replace.

As they say, read the whole thing!

13 April 2015


Undeadly :: p2k15 Hackathon Report: stsp@ on wifi and games

Stefan Sperling (stsp@) writes in with our third report from the p2k15 ports hackathon:

I spent the week before hackathon reviving a lingering work-in-progress implementation of a wireless driver for RTL8188CE devices. These are essentially urtwn(4) devices on the PCI bus instead of USB. The driver started out as a copy of urtwn(4) which I'm gradually moving over to PCI. With help from uwe@ I could clear some roadblocks that had prevented progress and got the driver up to the point where the firmware loading process completed successfully.

Undeadly :: p2k15 Hackathon Report: krw@ on GPT support

Ken Westerback (krw@) writes in with our second report from the p2k15 ports hackathon:

Never has a hackathon accomplished so much in the presence of so many fire doors. It appears that the University of Exeter is fire door mad, with every door labelled a fire door that must always be closed or locked.

12 April 2015


Undeadly :: softraid(4) - RAID 5 Call for Testing


Joel Sing (jsing@) has put out a call for testing for RAID 5 on softraid(4):

For those not following source-changes@, I have just re-enabled the RAID 5 discipline for softraid(4).

During the last two hackathons in Dunedin, the RAID 5 implementation was largely rewritten. As far as I am aware, the last missing part was the lack of ability to resume a partial rebuild, which has been fixed - it now needs further testing and usage so that any remaining issues can be found.


10 April 2015


Undeadly :: p2k15 Hackathon Report: landry@ on mozilla and more

Landry Breuil (landry@) writes in with our first report from the p2k15 ports hackathon:

This was a short hackathon for once, so I took the opportunity to visit London on the way, couchsurfing for two days, then enjoyed a quiet train trip to Exeter through the nice countryside of Devon...

Had quite a bit of fun being the first one on-site at the university building, since the people at the desk weren't aware at all that an event was organized in their place - didn't know hackathons were such secret things :)
