OpenBSD

OpenBSD Bridge

Bridge Interfaces on APU

Let’s assume you have an APU2/3/4 and you want to bridge some of its interfaces, em0/em1/em2.

Create Bridge, add Interfaces

cat << 'EOF' > /etc/hostname.bridge0
add vether0
add em0
add em1
add em2
up
EOF

Create Interfaces

echo "up" >> /etc/hostname.em0
echo "up" >> /etc/hostname.em1
echo "up" >> /etc/hostname.em2

Create L3 Interface

cat << 'EOF' > /etc/hostname.vether0
inet  autoconf
inet6 autoconf -temporary -soii
up
EOF

Bring Up all together

sh /etc/netstart

or do a simple reload

OpenBSD 7.5

OpenBSD 7.5 finally released

The 56th Release of OpenBSD was announced. My Upgrade Script is available here.

Highlights

  • added support for various new hardware, numerous performance improvements and of course security enhancements.
  • IPv6 support in ppp(4)

see the Post on Undeadly for more Details, or the OpenBSD Page

Script

doas su -
cd /root
ftp https://blog.stoege.net/scripts/{.helpers,upgrade_to_75.sh}
chmod u+x upgrade_to_75.sh

Execute

do the Upgrade

./upgrade_to_75.sh

after the reboot

Upgrade Packages

just run the Script again

PF Basics

Basic Ruleset

  • Full Connectivity v4/v6
  • allow SSH in from RFC1918
  • allow all outgoing

# Backup
cp /etc/pf.conf /etc/pf.conf.bak-$(date "+%s")

# Paste new Ruleset
cat << 'EOF' > /etc/pf.conf

#######################################################################################################################
#
# OpenBSD PF Template
#
#######################################################################################################################

########################
### DEFAULT SETTINGS ###
########################

set block-policy drop
set limit states 100000
set limit table-entries 1000000
set optimization normal
set ruleset-optimization none
set skip on { lo0 enc0  }
set syncookies adaptive (start 25%, end 12%)


########################
### MACROS           ###
########################

# log block
lb  = "log"

# log pass
lp  = "log"


########################
### NORMALIZATION    ###
########################

match inet  scrub (no-df max-mss 1380)
match inet6 scrub (max-mss 1360)


########################
### Block all / uRPF ###
########################

block     log
block in  log quick from urpf-failed label uRPF


############################
### DHCP & IPv6 Stuff    ###
############################

# Allow DHCP
pass      $lp quick inet  proto udp       from  any     port 68   to 255.255.255.255  port 67
pass      $lp quick inet  proto udp       from  any     port 68   to (self)           port 67
pass      $lp quick inet  proto udp       from  (self)  port 67   to any              port 68

# In
pass in   $lp quick inet6 proto ipv6-icmp all                           icmp6-type { unreach toobig neighbrsol neighbradv } keep state

# Out
pass out  $lp quick inet6 proto ipv6-icmp from (self)     to fe80::/10  icmp6-type { echoreq echorep neighbradv neighbrsol routeradv routersol } keep state
pass out  $lp quick inet6 proto ipv6-icmp from (self)     to ff02::/16  icmp6-type { echoreq echorep neighbradv neighbrsol routeradv routersol } keep state

# In
pass in   $lp quick inet6 proto ipv6-icmp from fe80::/10  to fe80::/10  icmp6-type { echoreq neighbradv neighbrsol routeradv routersol } keep state
pass in   $lp quick inet6 proto ipv6-icmp from fe80::/10  to ff02::/16  icmp6-type { echoreq neighbradv neighbrsol routeradv routersol } keep state
pass in   $lp quick inet6 proto ipv6-icmp from ff02::/16  to fe80::/10  icmp6-type { echoreq neighbradv neighbrsol routeradv routersol } keep state
pass in   $lp quick inet6 proto ipv6-icmp from ::         to ff02::/16  icmp6-type { echoreq neighbradv neighbrsol routeradv routersol } keep state


############################
### MyTrust for Hosts    ###
############################

# Allow RFC1918
pass in   $lp quick inet  proto tcp   from { 10/8 172.16/12 192.168/16 }             to (self) port 22

# Allow all Out
pass out  $lp quick


#######################################################################################################################
# End
#######################################################################################################################
EOF

# check & reload
pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf


OpenBSD RDomains

Intro

Let’s assume you have a Mikrotik router with a management interface at IP 192.168.88.1/24 and a DHCP server enabled. You want to access the router via HTTP/HTTPS while also offering Internet services to the Mikrotik router. You have an APU running OpenBSD. What do you do?

Setup

  • 2 NICs
  • em0: dhcp client, default route, rdomain 0
  • em3: dhcp client, rdomain 3

Interfaces

Interface em0

cat << 'EOF' > /etc/hostname.em0
# Public Internet
inet 	autoconf
inet6	autoconf
EOF

Interface em3

RSA - Weak Keys

Intro

Did you ever try to generate a small RSA key? Today, you should go with 3072 or 4096 bits, or use ECC.

With current versions of OpenSSL, you can’t generate keys smaller than 512 bits.

128 Bit Key

import rsa

pubkey,privkey = rsa.newkeys(128)
print(pubkey.save_pkcs1('PEM').decode('UTF-8'))
print(privkey.save_pkcs1('PEM').decode('UTF-8'))

32 Bit Key

import rsa

pubkey,privkey = rsa.newkeys(32)
print(pubkey.save_pkcs1('PEM').decode('UTF-8'))
print(privkey.save_pkcs1('PEM').decode('UTF-8'))

16 Bit Key

import rsa

pubkey,privkey = rsa.newkeys(16)
print(pubkey.save_pkcs1('PEM').decode('UTF-8'))
print(privkey.save_pkcs1('PEM').decode('UTF-8'))
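To make concrete why 16- or 32-bit RSA keys are worthless, here is an added example that is not part of the original post and does not use the `rsa` package: it generates a toy RSA key pair of the requested size with the standard library only, then recovers the private exponent from nothing but the public key by factoring the modulus with plain trial division. The key generator, the seed and the plaintext 42 are constructed for the demonstration; the factoring cost of roughly 2^(bits/2) divisions is the reason minimum key sizes exist.

```python
"""Toy RSA at 16/32 bits: the modulus factors instantly.

Added example, not from the original post. Standard library only; the key
generator is deliberately naive and exists only to produce tiny moduli.
"""
import math
import random


def is_prime(n: int) -> bool:
    """Deterministic trial-division primality test (fine for tiny numbers)."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for d in range(3, math.isqrt(n) + 1, 2):
        if n % d == 0:
            return False
    return True


def random_prime(bits: int, rng: random.Random) -> int:
    """Random prime with exactly `bits` bits (top bit and low bit forced to 1)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(cand):
            return cand


def toy_keygen(bits: int, rng: random.Random, e: int = 65537):
    """Return ((n, e), d) for a modulus of about `bits` bits.

    Toy only: two random primes of half the size each, public exponent 65537
    as python-rsa and OpenSSL use by default, private exponent via modular
    inverse of e modulo phi(n)."""
    half = bits // 2
    while True:
        p = random_prime(half, rng)
        q = random_prime(bits - half, rng)
        phi = (p - 1) * (q - 1)
        if p == q or math.gcd(e, phi) != 1:
            continue
        return (p * q, e), pow(e, -1, phi)


def factor_by_trial_division(n: int):
    """Smallest factor first; cost is O(sqrt(n)), i.e. about 2^(bits/2) steps."""
    for p in range(2, math.isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("n has no non-trivial factor")


def recover_private_exponent(n: int, e: int) -> int:
    """Once n is factored, the public key alone determines d."""
    p, q = factor_by_trial_division(n)
    return pow(e, -1, (p - 1) * (q - 1))


def demo(bits: int, seed: int = 7) -> dict:
    """Generate a key, recover d from (n, e) only, and decrypt with it."""
    (n, e), d = toy_keygen(bits, random.Random(seed))  # constructed seed
    d_recovered = recover_private_exponent(n, e)
    m = 42  # constructed plaintext, must be smaller than n
    c = pow(m, e, n)
    return {
        "bits": n.bit_length(),
        "n": n,
        "private_exponent_matches": d == d_recovered,
        "decrypted_with_recovered_key": pow(c, d_recovered, n),
    }


if __name__ == "__main__":
    for bits in (16, 32):
        print(demo(bits))
```

The 32-bit case still needs at most 65536 trial divisions, so it finishes in milliseconds; every 2 bits added to the modulus only doubles that work, which is why the curve from "toy" to "secure" is measured in thousands of bits rather than dozens.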

sample with 16Bit RSA Key

OpenBSD - USB

dmesg

show disks

dmesg |grep ^sd. 
sd0 at scsibus1 targ 0 lun 0: <ATA, KingFast, T031> t10.ATA_KingFast_04xxxxxxxxxxxx
sd0: 114473MB, 512 bytes/sector, 234441648 sectors, thin
sd1 at scsibus4 targ 1 lun 0: <JetFlash, Transcend 8GB, 1100> removable serial.85xxxxxxxxxxxxxxxxxx
sd1: 7450MB, 512 bytes/sector, 15257600 sectors

Show DiskLabel

sysctl hw.disknames
hw.disknames=sd0:9axxxxxxxxxxxxxx,sd1:60xxxxxxxxxxxxxx

Show Disklabel sd1

disklabel sd1 
# /dev/rsd1c:
type: SCSI
disk: SCSI disk
label: Transcend 8GB
duid: 60xxxxxxxxxxxxxx
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 949
total sectors: 15257600
boundstart: 64
boundend: 15257600

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  c:         15257600                0  unused

Fdisk

kill everything

Hetzner - Arm64 OpenBSD

OpenBSD on ARM64 at Hetzner DC

Price/Performance is unbeatable at Hetzner for arm64 virtual machines. A Server (CAX21) with 4 CPU, 8 GB RAM, 80 GB Disk, 20 TB Traffic/month cost around 7 Euros/Month.

Let’s build a template for OpenBSD. Here is how to do it:

  • Get Server with CAX21 (4 CPU, 8 GB RAM, 80 GB Disk), with Debian or Ubuntu
  • Menu “ISO-Images”, mount Image “OpenBSD 7.4-current 2023-11-03 (arm64)”
  • Reboot the VM
  • Install OpenBSD as usual
  • Disk: sd0
  • Use (W)hole disk
  • (E)dit auto layout
  • Delete all Partitions except Partition “i” (MSDOS)
  • Build Disk Layout as you like. My Layout for 80GB at Hetzner
  • Location of sets? http
  • HTTP Server: cdn.openbsd.org
  • Server directory? pub/OpenBSD/7.4/arm64
  • finish setup
  • halt vm, remove iso images
  • boot vm and login through console or ssh


APU - Firmware Upgrade

intro

as we all know, the apu’s from pcengines are eol, but it’s worth bringing the existing ones to the latest firmware. if you have openbsd running on your boxes, you can upgrade it like this:

add packages

doas pkg_add -i flashrom pciutils

set hostname

based on apu version and mac of em0

type=$(dmesg |grep ^bios0: |tail -1 |sed 's/.*gines //')
mac=$(ifconfig em0 |awk '/lladdr/ {print $2}' |awk -F':' '{printf "%s-%s-%s\n",$4, $5, $6}')
echo "${type}-${mac}" |tee /etc/myname; hostname $(cat /etc/myname)

sample

Nginx - IP

sometimes, you wanna restrict access to a webserver based on ip addresses. here a little howto.

Update nginx Config for your vhost

and redirect (temporarily or permanently) to a sorry host.

--->8- snip -8<---

    location / {
      allow 192.0.2.0/24;
      allow 2001:db8::/32;
      deny all;
      error_page 403 =301 https://sorry.your.domain;
    }

or move the ip’s to a dedicated file and include it here …

--->8- snip -8<---

    location / {
      include incl/admin_ip.txt;
      deny all;
      error_page 403 =301 https://sorry.your.domain;
    }

Admin IP’s

cat ../incl/admin_ip.txt
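To check an allow-list like the one above before rolling it out, here is an added example that is not part of the original post and not nginx code: a small Python model of the `allow`/`deny`/`include` directives as ngx_http_access_module evaluates them (rules checked in order, first match decides), run over constructed client addresses. The contents of `incl/admin_ip.txt` and the client IPs are constructed; the 403-to-301 mapping mirrors the `error_page 403 =301` line in the location block.

```python
"""Model nginx allow/deny evaluation for an IP-restricted location.

Added example, not from the original post or from nginx. Mimics the
documented first-match semantics of ngx_http_access_module.
"""
import ipaddress
from typing import List, Tuple, Union

Rule = Tuple[str, Union[str, ipaddress.IPv4Network, ipaddress.IPv6Network]]

# Constructed contents of incl/admin_ip.txt (the include file from the post)
ADMIN_IP_TXT = """\
# admin networks, one directive per line
allow 192.0.2.0/24;
allow 2001:db8::/32;
"""

# Constructed location body: the include is resolved, then deny all
LOCATION_RULES = ["include incl/admin_ip.txt;", "deny all;"]

INCLUDES = {"incl/admin_ip.txt": ADMIN_IP_TXT}


def parse_access_rules(lines, includes) -> List[Rule]:
    """Return an ordered list of (action, network|'all') from allow/deny/include lines."""
    rules: List[Rule] = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        keyword, _, arg = line.partition(" ")
        arg = arg.strip()
        if keyword == "include":
            # resolve the include inline, keeping its rule order
            rules.extend(parse_access_rules(includes[arg].splitlines(), includes))
        elif keyword in ("allow", "deny"):
            net = "all" if arg == "all" else ipaddress.ip_network(arg, strict=False)
            rules.append((keyword, net))
        else:
            raise ValueError(f"unsupported directive: {line}")
    return rules


def is_allowed(client_ip: str, rules: List[Rule]) -> bool:
    """First matching rule wins; a v4 client never matches a v6 network and vice versa."""
    addr = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net == "all" or (addr.version == net.version and addr in net):
            return action == "allow"
    return True  # nginx allows when no rule matches; `deny all` prevents that here


def decide(client_ip: str, rules: List[Rule]) -> int:
    """Status the post's location produces: 200, or 403 rewritten to 301."""
    return 200 if is_allowed(client_ip, rules) else 301


if __name__ == "__main__":
    parsed = parse_access_rules(LOCATION_RULES, INCLUDES)
    for ip in ("192.0.2.10", "2001:db8:1::5", "198.51.100.7", "2001:db9::1"):
        print(ip, decide(ip, parsed))
```

One caveat worth checking with this model in hand: if nginx sits behind a proxy or load balancer, the access module sees the proxy's address, not the client's, so the allow-list only does what you expect once the real client address is restored (ngx_http_realip_module with a trusted proxy list).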

Python Versions

History

A long time ago, there were huge discussions about Python 2.7 versus Python 3.x. Fortunately, those times are gone and we’ve all gotten over the hurdle to Python 3. But are you on 3.6, 3.7, 3.8, or even 3.11 or 3.12? Which version should you use for your daily projects?

Status of Python versions

A good indicator is this Website: https://devguide.python.org/versions/

OpenBSD

It’s also recommended to check what your operating system installs by default, or what you can get from its package repository.