OpenBSD
OpenBSD on the Lenovo ThinkPad X1 Carbon (7th Gen).

https://jcs.org/2019/08/14/x1c7

#desktop
sxxu - a tool to help build OpenBSD siteXX files.

The goals of sxxu are to help you:

- Keep configuration for your systems in source control
- Recover from a disaster more quickly
- Do a matching install on a secondary system so you can:
  - Upgrade between versions of OpenBSD with the ability to revert
  - Replace aging hardware
  - Build a test environment before pushing changes to a production system

https://github.com/afresh1/sxxu

#github
Edge OpenBSD PF Firewall. Securing the first gate of your network.

OpenBSD comes with a built-in firewall called PF, short for Packet Filter. PF is ideal for firewalling in your DMZ zone. This blog post will show you how to create a robust edge firewall setup with OpenBSD 6.5...

https://cryptsus.com/blog/edge-openbsd-pf-firewall-securing-the-first-gate-of-your-network.html

#pf #firewall #security
fnaify 2.0-beta

FNA is a reimplementation of the Microsoft XNA Game Studio 4.0 Refresh libraries. Thanks to the great work by Ethan Lee (flibitijibibo) games using FNA are highly portable and can even run on OpenBSD: https://github.com/rfht/fnaify

* Refer to https://fna-xna.github.io/ for more information about FNA.

#games #fun
Portable OpenSSH.

This is a port of OpenBSD's OpenSSH to most Unix-like operating systems, including Linux, OS X and Cygwin. Portable OpenSSH polyfills OpenBSD APIs that are not available elsewhere, adds sshd sandboxing for more operating systems and includes support for OS-native authentication and auditing (e.g. using PAM).

https://github.com/openssh/openssh-portable

#ssh
UTMFW.

UTMFW is a UTM firewall running on OpenBSD. UTMFW is expected to be used on production systems. The UTMFW project provides a Web User Interface (WUI) for monitoring and configuration.

https://github.com/sonertari/UTMFW

#firewall #security #network
Upgrading OpenBSD with Ansible.

This article is best enjoyed with basic knowledge of OpenBSD autoinstall and Ansible...

https://chown.me/blog/upgrading-openbsd-with-ansible.html

#ansible #system
CVE-2019-8460.

Reuven Plevinsky and Tal Vainshtein of Check Point Software Technologies Ltd. discovered that the OpenBSD kernel (all versions, including 6.5) can be forced to create long chains of TCP SACK holes that cause very expensive calls to tcp_sack_option() for every incoming SACK packet, which can lead to a denial of service.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8460

#security #cve
Configuring mail server on OpenBSD 6.5.

This guide is mostly notes for myself rather than something readable, but it may be useful anyway. It contains an example of a working configuration for OpenSMTPD, SpamPD, SpamAssassin, DKIM Proxy and Dovecot with Sieve support on OpenBSD...

https://ch1p.io/blog/11/

#mail #opensmtpd
The simple web-stack.

The OpenBSD httpd(8) is my obvious choice. It's small, easy to configure and designed from the ground up to use privilege separation. It does however lack a way to add custom HTTP headers. To solve this problem, I run relayd(8) in front of httpd(8) and let it handle TLS acceleration and adding proper caching headers...

https://ifconfig.se/simple-web-stack.html

#httpd #relayd
And another one... OpenBSD webserver with httpd, relayd and TLS

https://www.alexander-pluhar.de/openbsd-webserver.html

#httpd #relayd
Care and Feeding of OpenBSD Porters. Kurt Mosiejczuk vBSDcon 2019.

#ports
OpenBSD Is Now My Workstation.

Disclaimer: in this post, I’m speaking about what is my opinion, and I’m not trying to convince you to use OpenBSD or anything else. I don’t truly care, but wanted to share in case it could be useful to you. I do hope you give OpenBSD a shot as your workstation, especially if it has been a while...

https://sogubsys.com/openbsd-is-now-my-workstation-operating-system/

#desktop
Why (and how) we use OpenBSD at VidiGuard.

At VidiGuard, we care a lot about physical security. In fact, it’s our job. But equally important to physical security is the security of our customers’ data. We also need a robust, reliable platform that can run with minimal interaction. To make both of those happen, we employ OpenBSD in our on-premise equipment and our data infrastructure. Why OpenBSD?

https://austinstartups.com/why-and-how-we-use-openbsd-at-vidiguard-b23353d959bb

#story
DoH disabled by default in Firefox.

While encrypting DNS might be a good thing, sending all DNS traffic to Cloudflare by default is not a good idea. Applications should respect OS-configured settings. https://undeadly.org/cgi?action=article;sid=20190911113856

DoH, disabled by default, is...

🐡 ... a good idea.
🦐 ... a bad idea.

#desktop #firefox