Recently in OpenBSD Category

OpenBSD (4.4) and an Apple PowerBook G4 (DVI) - a short story


I've been trying to get OpenBSD 4.4 up and running on an oldish PowerBook I had to rebuild recently. This is one of the last 15" G4 series PowerBooks Apple made. The basic specs are the 1.0 GHz G4 PowerPC processor, 1GB of RAM, DVI, 1 Gbps Ethernet, 80GB drive, etc. (If you wish, you can stop reading the story part of this post here. Go to the last paragraph if you are simply checking how I got OpenBSD to work as a second OS on the PowerBook.) Running Leopard (OS X 10.5) was frustrating, as it was slow (especially compared to my newer Intel based MacBook Pro) and I really don't have a use for OS X unless it runs fast on a portable machine. At the end of the day, I am using this machine to check email, surf the net and muck around with OpenBSD related issues I have with a small server farm I'm responsible for managing. Considering the machine is in fantastic condition, it would be sad to let it sit on a desk somewhere and collect dust. The problem was that I had spent the last two days trying to get OpenBSD 4.4 running and while the installation went as smoothly as would be expected (I rarely have problems with OpenBSD's install process), regardless of whether or not I left the drive formatted MBR or HFS style (i.e. using a boot map that is typical for Intel/AMD machines vs. using Apple's Open Firmware style boot sector), I just could not get OpenBSD to boot. That was, until I read the directions more closely...

I'm finally back to using the ThinkPad x40 for general use and testing purposes. This is a machine I bought some years back because it was the one most of the OpenBSD developers had been providing a great deal of support for. It has been a fantastic little machine in a number of respects. It has a great keyboard for long work hours (although, if left plugged in and compiling software through the ports, it sometimes gets a bit warm) and the battery lasts forever. I use the extended battery (which I have been chastised for, as it somewhat defeats the light weight and small size of the machine without the extended battery) and have been able to go more than six hours without plugging in.

There are plenty of issues I have running OpenBSD in comparison with OS X on my MacBook Pro. I won't be leaving the MacBook any time soon, as I depend heavily upon programs like Photoshop, iTunes, iMovie, iDVD, .Mac, integration with my iPhone and Blackberry, Aperture, Final Cut, etc. I just can't see how to make some of the relatively easy multimedia stuff work the way I want on OpenBSD. It just isn't worth the time for me. Yet. I imagine there will come a day when the locked-in-I-got-you-by-the-nads nature of software licensing will irk me enough to work to make other applications work. It is frustrating, however, because what are seemingly simple issues - like connectivity to PDAs - aren't. That is, the developers of hardware such as PDAs do not necessarily follow any type of standards and when you want to connect for syncing data, a lot of hacking has to happen to make it work. I don't even want to get into the multimedia - like HD video and RAW photos - side of things. So, on one hand, you sell your soul to the guy who requires you to sign an EULA that is ridiculous and completely incomprehensible or, you get what you can be assured is *free* to use as you please, but is limited in areas where you want to manipulate data. A prime example, besides the multimedia content, remains business and Microsoft Word or Excel. There are so many documents we receive from customers that have some type of proprietary (proprietary to Microsoft, that is) formatting that it makes using OpenOffice (which isn't all that open) or some type of BSD style licensed replacement not all that viable. This is simply a reality of doing business and it is not realistic for me to refuse documents that don't follow a certain format when the end user sending them to me has no clue what they are doing.

Right now, the only problem I'm running into is that the package snapshots have not caught up yet to the system snapshot I'm using and I'm stuck building a lot of applications from the ports. I am going to take the dive and experiment a bit with gimp and see how it fares with some of my photo stuff. As far as music goes, I'm less attached to iTunes than I was before. I stopped buying DRMed songs and rely more on our Sonos system at home than carrying around a lot of you-are-locked-into-iTunes music. (It turns out that purchasing used CDs through djangos.com is actually cheaper than buying an inferiorly encoded mp3 or aac track from a CD. In other words, I rip the way I please and depending upon the music itself, sometimes a higher bitrate doesn't make sense.)

If curious or interested, I've updated the dmesg output and my xorg.conf file here (dmesg) and here (xorg.conf). I haven't been able to get flash on YouTube or other sites that require it to work properly, but until I get gaim and Konqueror installed, I won't put much time into that.

One note for the archives: if you want Opera to work properly, you must set 'sysctl kern.emul.linux=1', otherwise, Opera will give out an obscure 'cannot run' error. I know I had this problem last time I ran Opera on the x40, but I never made any note of it, so I couldn't remember what the solution is.

ksh Prompt Customization


I continually forget how to do this (because I usually set it up once and never again), so I'm making a quick note of how to show the shortened hostname, username and current directory at the prompt under ksh (the default shell for OpenBSD). In the standard .profile file, enter:

# ksh re-expands PS1 every time the prompt is printed, so the single quotes
# defer ${HOST%%.*} (hostname up to the first dot) and ${PWD##*/} (last
# component of the current directory) until then
HOST=`hostname`
export PS1='${USER}@${HOST%%.*} ${PWD##*/} $ '

There are ways to add color, etc. to this, but I like the plain, vanilla look it produces. This way, I'm less likely to run commands on a machine where I shouldn't be.
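The same two expansions as small shell functions, as an added example that is not part of the original post. It also covers the one case the bare prompt above gets wrong: in the root directory, ${PWD##*/} expands to an empty string and the directory part of the prompt disappears. The function names (short_host, short_dir, build_prompt) are my own and not from the post.

```sh
#!/bin/sh
# Added example, not from the original post: the PS1 expansions above as
# functions, plus handling for PWD="/" where ${PWD##*/} is empty.

# hostname up to the first dot: "mx1.example.org" -> "mx1"
short_host() {
    printf '%s\n' "${1%%.*}"
}

# last path component of a directory: "/usr/ports" -> "ports", "/" -> "/"
short_dir() {
    case "$1" in
        /) printf '/\n' ;;
        *) printf '%s\n' "${1##*/}" ;;
    esac
}

# assemble the prompt text from explicit inputs: user, full hostname, cwd
build_prompt() {
    printf '%s@%s %s $ ' "$1" "$(short_host "$2")" "$(short_dir "$3")"
}

# In .profile the equivalent would be the line below; ksh re-evaluates the
# command substitution at every prompt, just like the parameter expansions:
#   PS1='$(build_prompt "$USER" "$(hostname)" "$PWD")'
build_prompt "$USER" "$(hostname)" "$PWD"
echo
```

The case statement is the only real difference from the one-liner in .profile; everything else is the same `%%` and `##` parameter stripping, just in a form you can check from a script.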

OpenBSD and pf to the rescue again: pf and spamd on a bridge


Today, yet another kudos needs to be given to the team of people that help develop and refine OpenBSD. For years, I've been running a qmail server that handles mail for various domains associated with our hosting arm and last week we hit a major snag. The server was running out of inodes available to the /var directory where email is temporarily spooled (either awaiting delivery or being bounced). As every experienced admin out there knows, the overwhelming majority of resource usage these days has to do with processing spam. In our specific case, messages were being bounced from non-users in the domains we handle mail for and would sit awaiting "rejection delivery" for x number of hours. The specific problem we had was that we were being inundated with mail originating from a number of IP addresses that are assigned to Russian and Brazilian web/internet operators. Because I don't like the slash-and-burn approach of simply blocking access to our sites from swaths of IP addresses, I used a tool I've been using for years on my personal domains: pf and spamd (specifically, OpenBSD's pf and spamd). Because the email server is running an older (patched) version of FreeBSD, I didn't want to spend the time that would have been necessary to move the installation to OpenBSD so that I could run pf and spamd natively (yes, I realize there are ports of pf for FreeBSD, but I'm not going to recompile, nor do all the bs required to get that up and running - for more pragmatic reasons, anyway). We have an OpenBSD based bridge set up between our internal network (of machines with public IPs) and our internet provider to cut down on private network traffic going out to the provider. (Even though they should be tossing the traffic, I've found more than one ISP whose routers happily pass private network traffic beyond your router.) I've never implemented spamd pf rules on a bridge and I was concerned as to how it was going to work. (I often get confused as to traffic flow direction and generic firewalling concepts.) With a little work and some queries on the openbsd-misc list, I found the solution and wanted to make note of it:

The rules that finally worked for pf.conf are:

# macros
filter_if="sis0"
pass_if="xl0"

# mailip1..3 and relayip1..3 are placeholders for the real addresses
mail_servers = "{ mailip1, mailip2, mailip3 }"
spamd_no_block = "{ relayip1, relayip2, relayip3 }"

# <spamd> is filled by spamd-setup(8) from the configured blacklists,
# <spamd-white> by spamd(8) as greylisted senders retry and pass, and
# <spamd-pass> from a hand-maintained whitelist file
table <spamd> persist
table <spamd-white> persist
table <spamd-pass> persist file "/var/db/spamd_whitelist"

priv_nets="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# options
set loginterface $filter_if
set skip on { lo }

# translation rules: first match wins, so the "no rdr" exceptions must come
# before the redirects. They are written on $filter_if while the redirects
# below are on egress; they only exempt traffic if egress resolves to $filter_if.
no rdr on $filter_if proto tcp from <spamd-pass> to $mail_servers port smtp
no rdr on $filter_if proto tcp from $spamd_no_block to 66.208.74.153 port smtp
# blacklisted sources, and anything not yet whitelisted, go to spamd on localhost
rdr pass on egress inet proto tcp from <spamd> to 66.208.74.153 port smtp \
    -> 127.0.0.1 port spamd
rdr pass on egress inet proto tcp from !<spamd-white> to 66.208.74.153 port smtp \
    -> 127.0.0.1 port spamd
# on a bridge the redirected connection must be steered onto lo0 explicitly so
# it reaches the local spamd instead of being forwarded out the other member
pass out quick route-to lo0 proto tcp from any to 127.0.0.1 port spamd

# block private traffic from going across the filter_if
block log on $filter_if from any to $priv_nets
block log on $filter_if from $priv_nets to any

The specific issues that I dealt with (and that solved my dilemma of it not working) were: a) the bridge needed a real-world IP address assigned to one of the interfaces (up until today, it had only been assigned a private IP so that I could access it from a workstation within the network), b) the egress rdr rules and the route-to rule (shown in red in the original formatting) needed to be added to the ruleset, and c) I added a rule to allow certain IP addresses and ranges to have immediate access to the smtp daemon because they use the server to relay email.

I realize that c opens up a hole for abuse if a machine from one of those addresses becomes infected, but between smtp-auth being required for relay and the fact that the networks with that type of access are quite limited, it is a risk I am willing to take. I will admit, the items in red are those whose syntax I don't understand. I don't understand egress or why the route-to rule works like it does. I was pulling out my hair at the point when I finally happened across an entry in the OpenBSD archives that showed these rules and when they worked, I simply sighed a sigh of relief. Since activating the above rules, we have gone from 100+ bogus simultaneous smtp inbound connections to 2-3 at any given point in time. The whitelist is obviously working well because when I started this morning it had two entries in about 10 minutes and now it has a hundred or so. I randomly checked the IPs and they appear legitimate enough. The list of greylisted IPs is over 12000 - that is in under 3 hours for a server that handles mail for only 15 domains.
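A way to check the whitelist and greylist numbers mentioned above from the bridge itself, as an added example that is not part of the original post. It summarizes spamdb(8) output. The sample lines are constructed in the pipe-delimited layout spamdb prints (GREY|ip|helo|from|to|first|pass|expire|bcount|pcount and WHITE|ip|||first|pass|expire|bcount|pcount); the function names and the report layout are my own.

```sh
#!/bin/sh
# Added example, not from the original post: summarize spamd's greylist
# database so you can see whether greylisting and whitelisting are working.
# On the bridge, feed the real data with:  spamdb | spamdb_report

# Constructed sample in spamdb(8) output format (not real data):
# TYPE|ip|helo|from|to|first|pass|expire|bcount|pcount
SAMPLE_SPAMDB='GREY|192.0.2.10|mx.example.net|<a@example.net>|<me@example.org>|1229000000|1229014400|1229086400|1|0
GREY|198.51.100.7|pc7|<spam@example.com>|<nobody@example.org>|1229000100|1229014500|1229086500|3|0
WHITE|203.0.113.5|||1229000000|1229014400|1232112000|2|5
GREY|198.51.100.7|pc7|<spam@example.com>|<sales@example.org>|1229000200|1229014600|1229086600|1|0
WHITE|192.0.2.44|||1229000500|1229014900|1232112500|1|9'

# number of entries of one type (GREY, WHITE or TRAPPED) read from stdin
count_type() {
    awk -F'|' -v t="$1" '$1 == t { n++ } END { print n + 0 }'
}

# greylisted source addresses, most tuples first; one address with many
# GREY tuples is what a spam run against many recipients looks like
grey_sources() {
    awk -F'|' '$1 == "GREY" { print $2 }' | sort | uniq -c | sort -rn
}

# one-screen report from spamdb output on stdin
spamdb_report() {
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    printf 'greylisted tuples: %s\n' "$(count_type GREY < "$tmp")"
    printf 'whitelisted hosts: %s\n' "$(count_type WHITE < "$tmp")"
    printf 'trapped hosts:     %s\n' "$(count_type TRAPPED < "$tmp")"
    printf 'top greylisted sources:\n'
    grey_sources < "$tmp" | head -n 5
    rm -f "$tmp"
}

# the same picture from pf's side: the tables the ruleset above references
# (needs root on the bridge; defined here but not run against the sample)
show_spamd_tables() {
    for t in spamd spamd-white spamd-pass; do
        printf '== %s ==\n' "$t"
        pfctl -t "$t" -T show
    done
}

printf '%s\n' "$SAMPLE_SPAMDB" | spamdb_report
```

Greylist entries are per (source, helo, from, to) tuple, so the greylist count is higher than the number of distinct sources; grey_sources collapses it to addresses, which is the number that matters when you are deciding whether a sender is a mail server retrying or a spam run.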

As far as setup of spamd is concerned, I didn't do any more than add the following to rc.conf.local:

spamd_flags=""   # start spamd at boot with default options
spamd_grey=YES   # run in greylisting mode

I love it when stuff just works and when the community behind that stuff likes things to remain simple. I will be making an [albeit small] donation to the team today because this saved me days worth of work. I can continue to run a system which, aside from the spam issue, works just fine and doesn't deserve being tossed in the garbage heap. Not only did I save time, but I also avoided the waste of another perfectly useful machine being sent to a landfill.

Three (tech) things I'd like today:


This is a random, random post. I'm working on a customer's warranty claims and am finding two things missing on my Mac that I would find quite useful.
1) Somehow link my del.icio.us bookmarks tagged "weblogs" to my NetNewsWire account. All of the items tagged weblogs should automatically show up on my list of accounts under NetNewsWire. I'm not surprised no one has done this, but I am surprised that no one else has mentioned how useful something like this would be. The problem I have with using disparate programs that keep track of the same data (in this case a web "application" and a real desktop application) is that there are seldom good ways to link the two.
2) I want more hosting providers to offer receiving email via ssl. Even if email in and of itself is not secure (and it *isn't*), I'd like to see more of them show explicit support for at least encrypting email passwords. I travel a lot and am becoming more and more wary of snooping on wifi hotspots.
3) The wonderful and invaluable OpenBSD pf ported to OS X. Yes, a ridiculous request because of a) the difficulty I imagine something like this would entail and b) I haven't seen anyone else make the request through the right channels. I still prefer pf over ipfw for so many reasons, not the least of which that the designers/hackers of pf really do *understand* how a normal person uses a firewall.

About this Archive

This page is an archive of recent entries in the OpenBSD category.


Contact

Steven N. Fettig
Delavan, WI - somewhere between Delavan & Darien
Phone: +1 262 432 1704
Email: snfettig AT gmail.com
AIM/Yahoo/MSN/GoogleTalk/Skype/Twitter: snfettig


Powered by Movable Type 4.21-en