Puffy Spezial

Page content

Tips, Trick, Notes and Snippets around OpenBSD

Get Interfaces

ifconfig | awk '/^[^\t]/{iface=$1} /inet6? / {print iface, $2}' 
lo0: ::1
lo0: fe80::1%lo0
vio0: fe80::9400:2ff:fe16:5a70%vio0
vio0: 2a01:4f8:c0c:fff7::2

Adding Static Default GW

man route

route add -inet  default
route add -inet6 default 2001:db8:efef::1

Use Puffy as Jumphost

Redirect incomming Traffic from a certain Source and also NAT the Outgoing Traffic so we remain in the “Line” ;)

# Apply SNAT for outgoing Traffic
match out log       on em0    inet            from !(egress)        to IP_OF_TARGET_HOST  nat-to (egress)

# Forward Port 22 to another (hidden) Host via DNAT
pass  in  log quick on egress inet  proto tcp from SRC_IP_OF_HOST   to egress port 22    rdr-to IP_OF_TARGET_HOST   port 22
pass  in  log quick on egress inet  proto tcp from SRC_NET/MASK     to egress port 22    rdr-to IP_OF_TARGET_HOST   port 22

Debug OpenSMTPD

doas rcctl stop smtpd
doas smtpd -dv -Tall

tty0 to fb0 on ARM

you may need to redirect tty0 on arm64 boxes

cat << EOF > /etc/boot.conf
set tty fb0

Switch Keyboard Language

-> to Swiss German

wsconsctl keyboard.encoding=sg

Disable Root Password Login

usermod -p'*' root

find Package for a certain Binary

# pkg_info -E /usr/local/bin/gwc
/usr/local/bin/gwc: coreutils-9.0
coreutils-9.0       file, shell and text manipulation utilities

Show Content of a Package

# pkg_info -L coreutils
Information for inst:coreutils-9.0


Show Package Dependency

neofetch requires bash

# pkg_info -R bash
Information for inst:bash-5.1.16

Required by:

xz is required by multiple Packages

# pkg_info -R xz
Information for inst:xz-5.2.5p1

Required by:

Supported Hardware (Wlan)

wlan and openbsd is a somewhat tiresome topic … neverless, lot of chipset are supported. you just have to buy the right hardware

AR9280+AR7010 2GHz/5GHz 2x2:2 USB 2.0
AR9271        2GHz      1x1:1 USB 2.0
AR9287+AR7010 2GHz      2x2:2 USB 2.0

PF Rule Expander

# ipv4
echo "pass log inet proto tcp from any to self port 22" |pfctl -nvf - |sort

# ipv6
echo "pass log inet proto tcp from any to self port 22" |pfctl -nvf - |sort

# dualstack
echo "pass log proto tcp from any to self port 22" |pfctl -nvf - |sort

PF Show all Tables

pfctl -sT

PFCTL Show Table Content

root@yourbox # pfctl -t pfbadhost -T show |head

Dump all Tables and it’s Hosts/Networks to a File

for item in $(pfctl -sT); do echo "*** TABLE $item ***" >> $f; pfctl -t $item -T show >> $f; echo -e "\n--------\n" >> $f; done
echo $f

remove File based on Inode

you have files with strange name which you can’t delete. try this.

ls -il -> grab nr
find . -inum $mynr -exec ls -i {} \;
find . -inum $mynr -exec rm -i {} \;

Read Env from File

env $( </some/file ) [command]

boot from usb stick

if you attach your usb stick, you will get an additional drive, here hd1+. you can boot from this stick and do a fresh install, upgrade, autoinstall as you want :)

Using drive 0, partition 3.
probing: pc0 com0 com1 mem[638K 1918M a20=on]
disk: hd0+ hd1+
>> OpenBSD/amd64 BOOT 3.33
boot> boot hd1d:/bsd.rd

Backup File

simple backup a file with shell expanding

doas cp /etc/hosts{,.bak}

Test SSH Config and Failback

need to test a config and failback if you locked out yourself ? -> you’ve got two minutes to reattach tmux and stop the command or your sshd_config will fail back :)

cd /etc/ssh
cp sshd_config{,.bak}
update your sshd_config with your dirty hack
rcctl restart sshd && sleep 120 && mv sshd_config{.bak,} && rcctl restart sshd

Count Open File Descriptors for Process ID

fstat -np 43704 |echo $(($(wc -l)-1))
# fstat -np 43704 |echo $(($(wc -l)-1))

8 Port USB/Serial Box, how to activate Port 5-8

cd /dev; ./MAKEDEV ttyU4 ttyU5 ttyU6 ttyU7

OpenBSD Crontab

Run once, at startup
@yearly   Every January 1 (0 0 1 1 *)
@monthly  Run the first day of every month (0 0 1 * *)
@weekly   Run every Sunday (0 0 * * 0)
@daily    Run every (0 0 * * *)
@hourly   Every hour (0 * * * *)

ASCII to binary

$ echo ASCII to binary | xxd -b -c1 | cut -d\  -f2

OpenBSD hier — layout of filesystems

hier manpage

Default Mail Forwarder

echo gott@world.net > $HOME/.forward

is your host ready for virtualization ?

dmesg |egrep '(VMX/EPT|SVM/RVI)' || echo "NOT READY for virtualization"

README from the OpenBSD packages


combine cat & echo

$ echo "hallo hosts" | { cat; head -1 /etc/hosts; echo "bye hosts"; }
hallo hosts	localhost
bye hosts

Multiline Regex

find # MyStuff

$ pcregrep -M '#\n# My.*\n#' /etc/acme-client.conf
# My Stuff

Multiline Regex2



# bla bla bla
in /etc/*
pcregrep -M '^$\n#.*\n#.*\n#.*\n^$\n' /etc/*

Sort File

hint: “cat somefile |sort > somefile” will not work as the file “somefile” will be erased before sending it’s content to the sort programm

sort -o file file

or (shorter)

sort -o file{,}

Fix /dev/null

if you ever broke your /dev/null, fix it like:

mknod -m 666 /dev/null c 2 2

$ ls -la /dev/null
crw-rw-rw-  1 root  wheel    2,   2 Sep 20 01:30 /dev/null

Firmware for APU


or local mirror (v4.13.0.6)

Firmware for APU2, APU3, APU4

Rate Limiting

You may wanna ratelimiting some script, BorgBackup for Example …

doas pkg_add pv

cat << 'EOF' > /usr/local/bin/pv-wrapper

    ## -q, --quiet              do not output any transfer information at all
    ## -L, --rate-limit RATE    limit transfer to RATE bytes per second

# 10 MBit/s -> 1'250'000 Byte/s
pv -q -L $RATE  | "$@"

chmod 755 /usr/local/bin/pv-wrapper

Modify Backup Script

export BORG_RSH='/usr/local/bin/pv-wrapper ssh'

and you can tune the Backup Process while running:

pv -R $(pgrep pv) -L 1250000
pv -R $(pgrep pv) -L 2500000
pv -R $(pgrep pv) -L 5000000

Boot Stuff

let’s reboot bsd.rd next time (-> be sure you have a console to this server!)

echo "bsd.rd" > /etc/boot.conf"

boot from disk

boot> boot hd0a:/bsd


if you have ‘stucked’ mails … you can remove them all or push them again

mailq -> ?
smtpctl flush all -> kill all
smtpctl schedule all -> try again

non-breaking space


vim -b file
set encoding=latin1
set isprint=
set display+=uhex

Updatedb and Move *~to archiv

updatedb && locate *~ |xargs -I '{}' mv '{}' /etc/zzz_archiv/

Run Bulk Commands on remote Hosts

./scripts/getversions.sh |awk '/CHANGED/{ print $1 }' |xargs -I '{}' ssh -A root@'{}' "cd bin; git pull;"

VIM File on Remote host

edit /etc/hosts on remote

vim scp://user@remotehost//etc/hosts

SSH without Pubkey

if you wanna explicitly disable public key authentication for a certain connection. (Remote Host does not support and block you because auf failed Pubkey Auth try …)

ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no -l root remote-host


tcpdump -nettt vio0
tcpdump -netolv vio0
-n    disable name resolution
-e    print link layer
-t    no timestamp
-tt   print timestamp as unix time
-ttt  print time delta with microseconds
-o    unknown
-l    Make stdout line buffered
-v    slightly more verbose output

Install Kernel Sources (45 MB)

ftp -o /tmp/sys.tar.gz https://cdn.openbsd.org/pub/OpenBSD/$(uname -r)/sys.tar.gz
cd /usr/src
tar xfz /tmp/sys.tar.gz

Install Userland Soures (190 MB)

ftp -o /tmp/src.tar.gz https://cdn.openbsd.org/pub/OpenBSD/$(uname -r)/src.tar.gz
cd /usr/src
tar xfz /tmp/src.tar.gz

Install Ports

ftp -o /tmp/ports.tar.gz https://cdn.openbsd.org/pub/OpenBSD/$(uname -f)/ports.tar.gz
cd /usr
tar xfz /tmp/ports.tar.gz

Install Xenocara

ftp -o /tmp/xenocara.tar.gz https://cdn.openbsd.org/pub/OpenBSD/$(uname -f)/xenocara.tar.gz
cd /usr/xenocara
tar xfz /tmp/xenocara.tar.gz

Compile Kernel with Multiple CPU

if you have multiple (virtual) CPU’s installed (sysctl kern.version -> MP), you wanna use all of them for Compiling a Kernel …

time make -j $(sysctl hw.ncpufound |cut -d= -f 2)

-> 8m05.66s real 24m31.08s user 5m17.71s system

vs single Core …

time make

-> 36m06.84s real 29m06.81s user 5m48.20s system


IFS - Internal Field Separator

backupIFS    () { ${IFS+'false'} && oldIFS=$IFS || unset oldIFS; }
restoreIFS () { ${oldIFS+'false'} && IFS=$oldIFS || unset IFS; }

IFS='a new value'
... do the stuff you need todo ...

Add IP’s for Domain to Table

host spammers.com |awk '$0 ~ "has" {print $NF}' |pfctl -t spammers -T add -

Check Counters with kstat

kstat -w 3 em1:0:rxq:0
         packets: 576674223 packets
           bytes: 653922652863 bytes
          fdrops: 67 packets
          qdrops: 0 packets
          errors: 0 packets
            qlen: 0 packets
        enqueues: 202543474
        dequeues: 185383891

Any Comments ?

sha256: 5b9ba4f787f82b36a62f4605171c91978ae2c1d6b3e740355dc0e3e94d417ba9