Blog

sha256: 2b87a252a3d912530dd8c20df6bee7f6cbc4ede0074fdf217e318aab39d9736c

OpenBSD 7.x Diskusage

OpenBSD

Background

It seems as OpenBSD (and the installed Software) is useing more and more Space in the /usr Partition. For Upgrading to 7.1, at least 1.1 GB Free Space is needed. So, i’m gooing to update my Default Partitioning Proposal like this:

Example with 25 GB

root@puffy# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a      3.9G    766M    2.9G    20%    /
/dev/sd0d      1.9G   20.0K    1.8G     0%    /tmp
/dev/sd0e      5.8G   36.1M    7.3G     0%    /var
/dev/sd0f      7.8G    3.6G    3.8G    49%    /usr
/dev/sd0g      2.xG    150M    7.2G     2%    /home

which results in this:

a 4G  /
a 2G  swap
a 2G  /tmp
a 6G  /var
a 8G  /usr
a *   /home

Example with 32 GB

root@puffy# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a      3.9G    766M    2.9G    20%    /
/dev/sd0d      1.9G   20.0K    1.8G     0%    /tmp
/dev/sd0e      7.8G   36.1M    7.3G     0%    /var
/dev/sd0f      7.8G    3.6G    3.8G    49%    /usr
/dev/sd0g      7.7G    150M    7.2G     2%    /home

which results in this:

a 4G  /
a 2G  swap
a 2G  /tmp
a 8G  /var
a 8G  /usr
a *   /home
Any Comments ?

sha256: 2f78497b58d2704bc07a1d2404cefe74432d634a4d816bb58f11b5c0a359627f

Python PIP3

OpenBSD

Python PIP

OpenBSD 7.1

# python3 --version
Python 3.9.12

# python3 -m pip --version
pip 22.0.4 from /usr/local/lib/python3.9/site-packages/pip (python 3.9)

List installed Packages

python3 -m pip list

List outdated Packages

python3 -m pip list --outdated --format columns
Any Comments ?

sha256: 6ada0942bc4d02ee477ab233571e893547049a379479b61910541e561d2f053a

VSCode

Code

Let’s tweak a bit the settings …

settings.json

Useful Settings for VSCode … settings.json

test -d .vscode || mkdir .vscode
test -f .vscode/settings.json && mv .vscode/settings.json .vscode/settings.json-$(date +%s)
cat << 'EOF' > .vscode/settings.json
{
    "[python]": {
        "editor.defaultFormatter": "charliermarsh.ruff",
        "editor.formatOnSave": true,
        "editor.codeActionsOnSave": {
            "source.organizeImports": "explicit",
            "source.fixAll": true
        },
    },
}
EOF

pyproject.toml

[tool.ruff]
# Disable rule F401 for unused imports
ignore = ["F401"]

launch.json

test -d .vscode || mkdir .vscode
test -f .vscode/launch.json && mv .vscode/launch.json .vscode/launch.json-$(date +%s)
cat << 'EOF' > .vscode/launch.json
{
    // Use IntelliSense to learn about possible attributes.
    // Hover to view descriptions of existing attributes.
    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
    "version": "0.2.0",
    "configurations": [
        // default config to debug your current active file with python
        {
            "name": "Python: Current File",
            "type": "python",
            "request": "launch",
            "program": "${file}",
            "console": "integratedTerminal",
            "justMyCode": true
        },
        {
            "name": "Python: Test001",
            "type": "python",
            "request": "launch",
            "program": "${workspaceFolder}/project/code.py",
            "args": [
                "arg1",
                "arg2",
                "arg3"
            ],
            "console": "integratedTerminal"
        },
        {
            "name": "Python: FastAPI",
            "type": "python",
            "request": "launch",
            "module": "uvicorn",
            "args": [
                "app.main:app",
                "--reload"
            ]
        },
        {
            "name": "Python: Flask",
            "type": "python",
            "request": "launch",
            "module": "flask",
            "args": [
                "run",
                "--reload"
            ]
        }
    ]
}
EOF

.gitignore

test -f .gitignore && mv .gitignore .gitignore-$(date +%s)
cat << EOF > .gitignore
# added $(date), https://blog.stoege.net/posts/vscode/

# Files
.DS_Store
backup.*
secret
secrets

# Folders
**/.DS_Store/*
**/.history/*
**/.terraform/*
**/.venv/*
**/__pycache__/*
**/cache/*
EOF

Add Basic Packages

poetry add --group dev black pylint py-pytest

keyboards shortcuts macOS

Comment block

command + k, command + u

Uncomment block

command + k, command + u

Collapse All

command + k, command + 0

Expand All

command + k, command + j

Export Extensions

code --list-extensions |xargs -L 1 echo code --install-extension |sed "s/$/ --force/"

import Extensions on another Machine

IPv6 Reverse DNS

OpenBSD

IPv6 is fun, if you know how to handle it ! As a “sponsor LIR”, i got my own AS and a small /44 IP Space. So, as we all do “forward” DNS with our Domains, i’d like to have Reverse DNS as well. And as i don’t have a legacy IP Range, i like todo it with my v6 Space. Special thanks to Christian for his remote Hands/Tips. Appreciate it!

Little Mail Validator in Python

OpenBSD

wrote a little Mail Adresse Validator in Python. use it, modify it, like it … best practice for python is to use a virtual env like Poetry (or virtualenv) and add the “email-validator” module like this:

poetry add email-validator

Code

few lines of code …

#!/usr/bin/env python3

from email_validator import validate_email, EmailNotValidError

ok=[]
nok=[]

emails = [
        "[email protected]", "[email protected]", "[email protected]",
        "[email protected]", "asf.asdf", "[email protected]", "[email protected]"
        ]

print ("\nMy Little Mail Validator\n")

for email in emails:

    try:
        # Validate.
        valid = validate_email(email)

        # Update with the n
        email = valid.email

        # Append to List
        ok.append(email)

    except EmailNotValidError as e:

        # email is not valid, exception message is human-readable
        nok.append(str(e))


print ("*** Mail ok ***")
for item in ok:
    print("ok: ", item)

print ("\n*** Mail NOT ok ***")
for item in nok:
    print("NOK:", item,"!")

print()

Run

just run and enjoy …

Nginx - Log Headers

OpenBSD

How to enable Logging with Headers for Nginx

Assuming you have a running setup and you want to enable logging with headers for debug and learning purposes ?

Add Lua

doas pkg_add nginx-lua--

and you get …

doas pkg_info -L nginx-lua--
Information for inst:nginx-lua-1.20.1p0

Files:
/var/www/modules/ndk_http_module.so
/var/www/modules/ngx_http_lua_module.so

Enable Modules in /etc/nginx/nginx.conf

add two lines on Top

load_module "modules/ndk_http_module.so";
load_module "modules/ngx_http_lua_module.so";

Enhance Logging

add the following to the “http” Section

log_format log_req_resp   '$remote_addr - $remote_user [$time_local] '
                          '"$request" $status $body_bytes_sent '
                          '"$http_referer" "$http_user_agent" '
                          '$request_time req_header:"$req_header" '
                          'resp_header:"$resp_header"';

Enable Logging

add the following lines to your virtual Host Section

IPSEC OpenBSD <-> Linux

OpenBSD

Environment

  • OpenBSD 7.0
  • Debian 11.2 with Strongswan
  • IPv4 only
  • IKE v1

ToDo

  • IPv6 and Dualstack
  • IKE v2

Debian

ipsec.conf

conn puffy
   authby      = secret
   ike         = aes256-sha256-modp2048
   keyexchange = ikev1
   ikelifetime = 1h
   keyingtries = 0
   left        = %defaultroute
   right       = 193.xx.xx.xx
   leftid      = 212.xx.xx.xx
   rightid     = 193.xx.xx.xx
   lifetime    = 1200s
   leftsubnet  = 10.11.1.8/30
   rightsubnet = 10.1.6.0/24
   esp         = aes256-sha256-modp2048
   dpddelay    = 30
   dpdtimeout  = 120
   dpdaction   = restart
   auto        = start

OpenBSD

/etc/sysctl.conf

net.inet.ip.forwarding=1
net.inet.gre.allow=1

Apply all Settings

for i in $(cat /etc/sysctl.conf); do sysctl $i;done

/etc/ipsec.conf

# Tunnel to Debian

local_gw    = "193.xx.xx.xx"
local_net   = "10.1.6.0/24"
remote_gw   = "212.xx.xx.xx"
remote_net  = "10.11.1.8/30"
key         = "DAS-SAG-ICH-DIR-NICHT-:)"

ike dynamic esp tunnel from $local_net to $remote_net peer $remote_gw \
main    auth $auth1   enc $enc1   group $group1   lifetime $time1 \
quick   auth $auth2   enc $enc2   group $group2   lifetime $time2 \
srcid $local_gw \
psk $key

ike dynamic esp tunnel from $remote_net to $local_net peer $local_gw \
main    auth $auth1   enc $enc1   group $group1   lifetime $time1 \
quick   auth $auth2   enc $enc2   group $group2   lifetime $time2 \
srcid $remote_gw \
psk $key

start/restart services

rcctl enable ipsec isakmpd
rcctl set isakmpd flags -K
rcctl restart ipsec isakmpd

Enc Interfaces

cat /etc/hostname.enc0
up

FW Rules

# Allow UDP Port 500 and 4500
pass in  on (egress) proto udp from 193.xx.xx.xx to 212.xx.xx.xx port {isakmp, ipsec-nat-t}
pass out on (egress) proto udp from 212.xx.xx.xx to 193.xx.xx.xx {isakmp, ipsec-nat-t}

# Allow ESP encapsulated IPsec traffic on the external interface
pass in  on (egress) proto esp from 193.xx.xx.xx to 212.xx.xx.xx
pass out on (egress) proto esp from 212.xx.xx.xx to 139.xx.xx.xx

# Allow IP in IP Traffic
pass in  on enc0 proto ipencap from 193.xx.xx.xx to 212.xx.xx.xx keep state (if-bound)
pass out on enc0 proto ipencap from 212.xx.xx.xx to 193.xx.xx.xx keep state (if-bound)

Start Services & Apply Setting

… or reboot the Box so all Settings gets applied

Regex IPv4 & IPv6

Network

Regex is cool. But have you ever tried to grep IPv4 / IPv6 Adresses from a File or extract from a bunch of data ? Did you use Google Search and found lot of Links, Tip’s and Examples ? And non of them worked well ?

I can highly recommend CyberChef for stuff like that … https://gchq.github.io/CyberChef/

Regex from CyberChef

If you wanna use Regex in your own Scripts, here is a little Extract from Cyberchef.

AGE - Encrypt Files with SSH Keys

OpenBSD, Security

Stumbled upon something that I’ve missed for a long time: encrypting files with the ssh public key :)

Source

Install Package

OpenBSD (and most others *nix systems) got a package for age. Just install it.

doas pkg_add age

Asymmetric Encryption

Asymmetric Encryption encrypts and decrypts the data using two separate yet mathematically connected cryptographic keys. These keys are known as a ‘Public Key’ and a ‘Private Key’. Together, they’re called a ‘Public and Private Key Pair’

MAC Converter

OpenBSD, Network

MAC Address Converter

We’re all dealing with MAC Addresses, some times … there are different formats on different systems. this little script convert it to all formats and you can choise the appropriate ones.

Example

$ maconvert aa:bb:cc:dd:ee:ff

aabbccddeeff
aa:bb:cc:dd:ee:ff
aa-bb-cc-dd-ee-ff
aabb.ccdd.eeff

Script

Copy/Paste will work on OpenBSD, Linux needs some small Modifications (as there is no doas for example …)

doas su -

cat << 'EOFSCRIPT' > /usr/local/bin/maconvert
#!/usr/bin/env bash

# v0.1, 2021, by Christian Henschel
# v0.2, 2021-12-29, Stöge -> add OpenBSD Support & install gawk if needed

if [ OpenBSD == $(uname -s) ]; then
  which gawk &>/dev/null || doas pkg_add gawk
  _awk=$(which gawk)
else
  _awk=$(which awk)
fi

if [ -z "$1" ]; then
  cat <<'EOF'

  no mac address entered, valid format are:

  cafedeadbeef
  cafe.dead.beef
  ca:fe:de:ad:be:ef
  ca-fe-de-ad-be-ef

EOF
  exit 1
else
  mac=$(echo $1 | sed -e 's/[.:-]//g')
  maccolon=$(echo $mac  | $_awk '{gsub(/..\B/,"&:")}1')
  macdash=$(echo $mac  | $_awk '{gsub(/..\B/,"&-")}1')
  macpoint=$(echo $mac | $_awk '{gsub(/....\B/,"&.")}1')
fi

cat <<EOF

  $mac
  $maccolon
  $macdash
  $macpoint

EOF
exit 0
EOFSCRIPT

doas chmod 755 /usr/local/bin/maconvert
maconvert

NJoy!