LinuxQuestions.org
Blogs > Musings on technology, philosophy, and life in the corporate world

Hi. I'm a Unix Administrator, mathematics enthusiast, and amateur philosopher. This is where I rant about that which upsets me, laugh about that which amuses me, and jabber about that which holds my interest most: Unix.
  1. Old Comment

    u-boot is infuriating

    Ok, a bit of fudging stuff around and I think I have this figured out. The Raspberry Pi 3 B+ has the magic boot bits set to boot from usb0, however, I haven't been able to get the OpenBSD bootloader to load a kernel from an FFS filesystem at the boot> prompt if I boot from usb0 (mmc0 loads just fine, however).

    So I dd'd the latest miniroot63.fs to an sd card, then disklabel'd the sd card and deleted the 'a' partition. I edited the sd card with fdisk and grew out the OpenBSD partition to the full remainder of the sd card after the msdos partition. Once that was done, I disklabel -dE'd the sd card and created an 'a' partition that took up the entire OpenBSD area. Once that was done, I dd'd the first 4 MB of the miniroot back to the sd card, ftp'd the bsd* files for arm64 to the sd0a partition, and booted the pi up with my franken-sd.

    Now at the boot> prompt I can select any of the bsd* files I copied to the sd0a partition, so I obviously select the bsd.rd file, install to my external SATA drive. I reboot, catch the ddb error about the duid it can't find (and copy that to a safe location), then boot back up to bsd.rd, disklabel -E sd0 and update the duid ('i'), edit /etc/fstab to use the new duid, and...

    Then I cross my fingers and reboot!

    Success!

    NOTE: this approach basically disables any advantage you would get from kernel re-linking! And updating this franken-sd isn't going to be fun =\
    Posted 08-09-2018 at 12:47 PM by rocket357
  2. Old Comment

    The little outlet that couldn't

    Yeah, once I figured that part out it was pretty clear why certain outlets failed when what seemed like an unrelated room had a power issue.
    Posted 08-09-2018 at 12:11 AM by rocket357
  3. Old Comment

    u-boot is infuriating

    Bit the bullet and picked up one of these:

    https://www.amazon.com/AmazonBasics-...70_&dpSrc=srch

    Shows up as:

    axen0 at uhub1 port 2 configuration 1 interface 0 "ASIX Elec. Corp. AX88179" rev 2.10/1.00 addr 4
    axen0: AX88179, address xx:xx:xx:xx:xx:xx
    rgephy0 at axen0 phy 3: RTL8169S/8110S/8211 PHY, rev. 5
    Posted 08-08-2018 at 11:52 PM by rocket357
  4. Old Comment

    The little outlet that couldn't

    My house is wired that way. The circuit breakers follow the construction of the house and not the rooms.
    Posted 08-08-2018 at 05:05 PM by vmccord
  5. Old Comment

    This...this should *never* happen

    As it's systemd, I would take a wild guess that you're not supposed to use sudo/su/root login to reboot...

    As I recall, systemctl handles all that... and the reboot/shutdown/poweroff/halt/init/runlevel, etc are all replacements for the sysvinit originals which essentially call systemctl and are only there for compatibility.

    (I'm not a fan of systemd either, not for philosophical reasons, but because it's an ill conceived and poorly designed mess)
    Posted 07-05-2018 at 07:10 AM by cynwulf
    Updated 07-05-2018 at 07:11 AM by cynwulf
  6. Old Comment

    This...this should *never* happen

    I don't know *precisely* what happened, but there are a few changes on that machine that might account for it. This machine was installed via pxe/preseed initially to be an Openstack compute node. At some point down the road, I'd dropped it out of the Openstack cluster and installed Minecraft on it. It served as a Minecraft server for some time, and it always bugged me that it had an Openstack name instead of a minecraft-related hostname. So I switched the hostname on it.

    This is speculation, unfortunately, as the machine has been repurposed again (it's way too powerful to run Minecraft and the 2-3 other services I have on it, so it is now an infra node in the Openstack cluster and one of the other infra nodes was repurposed for Minecraft (fully re-installed with appropriate hostname/disk layout/services this time haha)), but I think the hostname change and systemd didn't agree, or perhaps an Openstack service I *thought* was disabled was causing issues? IIRC I rebooted a few times prior to the above error messages after those changes, though, so I can't say for certain what caused the issue.
    Posted 07-02-2018 at 10:46 AM by rocket357
    Updated 07-02-2018 at 10:53 AM by rocket357
  7. Old Comment

    This...this should *never* happen

    I am not a fan of SystemD, primarily for philosophical reasons, but I have used a number of distros with SystemD and must say I've found it reliable. I've used Mageia since v. 4 and found the presence of SystemD completely transparent to the user.

    Have you checked journalctl or the logs to see if they cast any light on what broke?
    Posted 07-01-2018 at 09:36 PM by frankbell
    Updated 07-01-2018 at 09:39 PM by frankbell
  8. Old Comment

    This...this should *never* happen

    Wouldn't happen on Slackware either. If the insanity ever spreads to Slackware I'll likely be joining you in BSD world. I'd have already moved if OpenBSD base was utf8 clean (or still supported iso8859-1) but it looks like they still have work to do in that regard.
    Posted 07-01-2018 at 04:37 AM by GazL
  9. Old Comment

    This...this should *never* happen

    Yeah systemd was jacked. Not sure what caused it. Hard reboot "fixed" it.
    Posted 07-01-2018 at 01:18 AM by rocket357
  10. Old Comment

    This...this should *never* happen

    I was going to ask the same question Frank...
    Posted 06-30-2018 at 10:10 PM by rkelsen
  11. Old Comment
    Posted 06-30-2018 at 04:16 PM by frankbell
  12. Old Comment

    The little outlet that couldn't

    GFCI beat me up a time or two.
    I forget they're "there".
    Posted 06-19-2018 at 12:08 PM by Habitual
  13. Old Comment

    Challenge Accepted - Part 1

    I could, yes, but my current focus is getting up and running with veggies to go along with the herbs. It's not a matter of it being impossible, but rather the non-edibles being quite low on the priorities list.
    Posted 08-04-2016 at 10:33 AM by rocket357
  14. Old Comment

    Challenge Accepted - Part 1

    But wouldn't you grow flowers or a pretty set of houseplants?
    Posted 08-04-2016 at 09:56 AM by vmccord
  15. Old Comment

    Challenge Accepted - Part 1

    It would appear that, while completely feasible, this idea is not very safe. Plant roots (at least some) take up Salmonella readily, so the turtle tank would have to be non-edibles only.

    Bummer. Maybe I'll build it on top of the African Cichlid tank instead (though the Fluval 406 on that tank needs no help whatsoever).
    Posted 07-29-2016 at 11:42 PM by rocket357
  16. Old Comment

    Layer 7 filtering with relayd

    Quote (originally posted by rocket357):

        Here's my network layout:

        Internet <- Cable Modem <- OpenBSD Firewall <- Cisco 3560 <- Daughter's Machine

        Each of the windows machines on my network is split (via vlans on the 3560 and firewall) into its own /29 (i.e. each one only has access to the IP space of the firewall (which has several IPs across several vlans) and the IP space of my Cisco 2801 (used just for IPSec and BGP)). In short, internet access is via the OpenBSD firewall, and the vlans are denied access to each other, and then the 2801 allows access to private VPCs at Amazon. The Windows machines are not allowed to access anything else on the network (oh, we do have a network attached printer...that traffic is allowed).

        Ok, the relayd instance runs on the OpenBSD firewall, so each Windows vlan has port 80 and port 443 traffic re-routed to relayd, which checks URLs against a whitelist and sends back an http 403 (access denied) for anything not on the whitelist. It goes without saying that my daughter does not have access to the firewall configuration =)

    Ahhh, ok, gotcha! Thank you for explaining that. If you would, please report back later and let us know how it goes.

    Regards...
    Posted 04-01-2016 at 09:33 PM by ardvark71
    Updated 04-01-2016 at 09:34 PM by ardvark71 (Added wordage.)
  17. Old Comment

    Layer 7 filtering with relayd

    Here's my network layout:

    Internet <- Cable Modem <- OpenBSD Firewall <- Cisco 3560 <- Daughter's Machine

    Each of the windows machines on my network is split (via vlans on the 3560 and firewall) into its own /29 (i.e. each one only has access to the IP space of the firewall (which has several IPs across several vlans) and the IP space of my Cisco 2801 (used just for IPSec and BGP)). In short, internet access is via the OpenBSD firewall, and the vlans are denied access to each other, and then the 2801 allows access to private VPCs at Amazon. The Windows machines are not allowed to access anything else on the network (oh, we do have a network attached printer...that traffic is allowed).

    Ok, the relayd instance runs on the OpenBSD firewall, so each Windows vlan has port 80 and port 443 traffic re-routed to relayd, which checks URLs against a whitelist and sends back an http 403 (access denied) for anything not on the whitelist. It goes without saying that my daughter does not have access to the firewall configuration =)

    I originally had each Windows machine on its own /30 (i.e. 4 addresses: network, gateway, host, and broadcast), but then I wanted to add the 2801 without tons of traffic logic on the firewall, so I remapped that portion of the network to be /29's (8 addresses: network, gateway, 2801, host, 3x unused, and broadcast), which gives me room for expansion later, should I choose to do so.

    Really, all relayd does here is TLS validation and checking URLs against a whitelist, which is something I've been meaning to add for a while now.
    Posted 04-01-2016 at 05:36 PM by rocket357
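    A relayd.conf fragment of the kind that layout implies, written here as an added example and not rocket357's actual configuration: the VLAN interface, the /29 address block, the divert port and the whitelisted hostnames are all assumptions, and only the port 80 side is shown (filtering port 443 by hostname needs relayd's tls options and a certificate, which are left out). With "return error" set, a request that falls through to the final "block request" is answered by relayd's own error page, which is the 403 the comment describes.

```conf
# Added example, not rocket357's relayd.conf. The interface, addresses,
# port and hostnames below are assumptions for illustration only.

# /etc/pf.conf (fragment): divert the daughter's VLAN web traffic to relayd
#   pass in quick on vlan10 proto tcp from 10.10.10.0/29 to port 80 \
#       divert-to 127.0.0.1 port 8080

# /etc/relayd.conf
http protocol kidfilter {
	# answer blocked requests with relayd's own HTML error page (HTTP 403)
	return error

	# whitelist: Host headers the client may reach. "quick" stops
	# rule evaluation on the first match, so these are allowed outright.
	pass request quick header "Host" value "www.example-school.edu"
	pass request quick header "Host" value "*.example-school.edu"
	pass request quick header "Host" value "docs.example.org"

	# everything else is denied; the label text appears on the error page
	label "Site not on the whitelist"
	block request
}

relay kidfilter {
	# only reachable through the pf divert-to rule above
	listen on 127.0.0.1 port 8080
	protocol kidfilter

	# relay allowed requests to the original destination recorded by pf
	forward to destination
}
```

    Adding a site means adding a "pass request quick header" line and reloading relayd; a typo in a hostname simply leaves that site blocked, which matches the operator error rocket357 mentions below.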
  18. Old Comment

    Layer 7 filtering with relayd

    Quote (originally posted by rocket357):

        One of my goals was to have the filtering take place upstream of the client machine. Obviously that wouldn't work in your case, as the machine itself served as the shared point, but in my case I have a bit of flexibility to provide services (and deny services) on my network.

    Hi...

    Out of curiosity, what is that upstream point? A particular server? I'm guessing a part of your goal is to keep any kind ability to make settings adjustments (or file changes) away from your daughter's system. But if the file (or code) you mentioned (in your first post) is on her system, how do you keep her from making changes to it? Please bear with me, my understanding of networking is very poor. I'm mostly a hardware guy.

    I have very little understanding of what's being said but I found some sites that deal with the relayd and layer 7, although they're not directly related to what you're doing...

    http://bsd.plumbing/

    http://www.slideshare.net/GiovanniBe...er-for-openbsd

    https://calomel.org/relayd.html

    http://www.mouedine.net/relayd/

    Regards...
    Posted 04-01-2016 at 05:09 PM by ardvark71
    Updated 04-01-2016 at 05:10 PM by ardvark71 (Correction.)
  19. Old Comment

    Layer 7 filtering with relayd

    Hiya ardvark!

    One of my goals was to have the filtering take place upstream of the client machine. Obviously that wouldn't work in your case, as the machine itself served as the shared point, but in my case I have a bit of flexibility to provide services (and deny services) on my network. I attempted to go with a blacklist config at first, putting around 14k known malware-distributing urls in the blacklist file, but my hardware just wasn't fast enough for that amount of scanning. The whitelist group is currently ~100 entries, so that is considerably faster =)

    I had a few hiccups with getting blackboard's collaborate suite working with the whitelist, but that ended up being operator error (typo in the whitelist, doh!). Now that all of the school stuff is perfectly operational, I'll be adding in time-slots for games/social stuff.

    One thing I've been pondering is how to solve the issue of a problem on a whitelisted site, such as when yahoo ads was distributing malware some years back. I haven't decided on an approach for that yet.
    Posted 04-01-2016 at 01:32 PM by rocket357
  20. Old Comment

    Layer 7 filtering with relayd

    Hey, my man!

    Even though what you're describing is a bit "out of my league," it reminds me of the system I use as a public access station (running Windows XP) for the residents where I live.

    I use K9 Web Protection and a Firefox add-on that I can't remember the name of to handle the content filtering on the PC, to keep out pornography and other undesirable content. I also use a utility to keep the desktop locked down pretty tight, plus I've disabled CMD, safe mode and the ability to "restore" the OS. All residents use the limited users account that has no administrative privileges.

    Unfortunately, last summer, I had someone who wanted to access this kind of content so badly that he/she:

    1. Tried to access/change my password for K9. I've since removed access to K9's administrative settings (which can only be accessed by using my password) in the residents account. I got a notice in my email that an attempt had been made to change the password, which was blocked.

    2. Reinstalled Firefox by accessing Firefox's safe mode. However, this ultimately failed since it didn't affect K9 or the restrictions I set. But I still had to spend some time getting all the individual settings back that I had in place.

    3. Spent some time trying to find the loopholes around K9's restrictions, and they were able to find one that took me a little bit to figure out how they were doing it. There's a setting in K9 that deals with blocking sites or sections of sites that exclusively contain only images (I forgot what the technical term is.) Once I checked the block to block those sites, problem solved.

    By that time, the problem was resolved because I had a little talk with the person who was a suspect and all attempts to access the content ceased after that day.

    For a while, though, it really felt like a "cat and mouse" game but one thing I gained from the experience was how to more effectively use content filters and what to look out for.

    Regards...
    Posted 03-31-2016 at 10:05 PM by ardvark71