pages and that seems to be the way to
> go, but I thought I'd check the wisdom here to see if there is a better
> approach.
As said, just pay attention that nsd is a resolver only.
> Thanks,
> Steve Williams
Nowadays, I try to avoid using the same domain for internal and
external. From my ops point of view, having a domain.local and a
domain.ext is easier to maintain.
Regards,
Claer
fic
> with transport mode ipsec.
>
> If someone has experience with similar setup please chime in.
I built this kind of setup in the past, still running after all those
years. So the configuration you want to build is robust.
If you plan to have multiple R3 routers and don't interact with other
ospf routers outside your responsibilities, I advise you to move to bgp.
It's not way harder to learn and it is more powerful regarding route
filtering.
Claer
On Fri, Jun 02 2017 at 42:07, cdix wrote:
> I have the same problem.
> Did you ever found a resolution for your problem?
> If so what was it?
>
Hi,
FTP has one command tcp connection and one dynamic data connection that makes
an entire applicative session. In order for FTP to work, it needs both
; against Cisco. What I don't know is whether it harms interop with
> anything else.
>
> http://marc.info/?l=openbsd-tech=131244805816474
I ran with this patch on production for nearly 2 years. It didn't cause any
issue interoperating with a few kinds of devices. I successfully configured VPN
with ASA, Juniper, Fortinet, StormShield and Windows on the other side.
If there were some side effects, they were not visible.
Claer
for
common web browsing (usually smaller packets).
Best regards,
Claer
ks for your answer
>
> Kim
Best regards,
Claer
--- | NET
> NET # 10Mb |DSL|/ ---
> --- #--- 101.0.0.0
> 100.0.0.0 #21.0.0.0
Best regards,
Claer
ed by LOCAL to tun1
l2tp58:/etc # cat sysctl.conf
net.inet.ip.forwarding=1
net.inet.ipcomp.enable=1
net.inet.gre.allow=1
# isakmpd -4K
# ipsecctl -f /etc/ipsec.conf
# npppd -f /etc/npppd/npppd.conf
#
Claer
Hello,
Thanks guys for the pointer on pair. My mail was intended to show (what IMO is)
an issue in the bridge code. With the recent post on n2k15 by Reyk[0], I'll keep
an eye on the following developments :)
Claer
[0] http://undeadly.org/cgi?action=article=20151217134417
On Thu, Dec 17 2015
ff:ff:ff:ff 0806 42: arp who-has
192.168.79.193 tell 192.168.79.159
Thanks for reading that far :)
Claer
s wrong.
With ScreenOS software (not JunOS like you, but they should be similar)
the "encryption domain" is usually set to 0/0 and the OS manages routes
to determine what to send to the tunnel. This will not work with your
configuration and the network/sys admin on the other side needs to do
some adjustments. Do you have the configuration of the other side?
Good luck with troubleshooting.
Claer
message from Stuart Henderson s...@spacehopper.org -
From: Stuart Henderson s...@spacehopper.org
To: Claer cl...@claer.hammock.fr
Subject: Re: Isakmpd NAT-T interoperability
Date: Mon, 9 Feb 2015 09:42:51 +
User-Agent: Mutt/1.5.23 (2014-03-12)
Thanks - would you mind posting results
On Sat, Aug 02 2014 at 09:01, Nick Holland wrote:
On 08/01/14 08:12, Claer wrote:
On Mon, Jul 28 2014 at 07:23, Nick Holland wrote:
...
I'll leave you to develop the script.
My design philosophy:
1) No additional hw, other than the two firewalls.
2) EITHER machine should be able
up each node
as a master, and sync the data through scripts like this.
Nick.
Claer
are blocked on this list ;-)
You can read the PF book http://home.nuug.no/~peter/pf/ to find good
information on PF.
Regards,
Claer
On Sun, Jan 13 2013 at 04:11, Maximo Pech wrote:
At work, we have an information security area for IT.
They mandate that on all shell scripts we have to use absolute paths for
every single command.
I feel that this does not provide real security and only makes scripts
somewhat more
it on one of my resolvers).
NSD is just an authoritative name server that doesn't cache and does not
answer recursive queries.
nsd and unbound are complementary.
Claer
On Tue, Oct 04 2011 at 42:21, Stuart Henderson wrote:
On 2011-10-03, Claer cl...@claer.hammock.fr wrote:
On Sat, Oct 01 2011 at 18:08, Joe S wrote:
On Tue, Aug 30, 2011 at 12:00 AM, Joakim Aronius joa...@aronius.se wrote:
I have used Soekris for a few years and am very happy with them. They have
a new board that will start shipping soon: http://soekris.com/net6501.htm
Curious if anyone
site and not 4.
Claer
, but it works and seems to be reliable for
the moment and it does not require to kill and restart the daemon :)
Claer
to investigate (and bug report)
yet. It's on my todo list :)
Regards,
Claer
to devs,
and now it's fixed in current. Try current and report the bug if it's still
present.
As I didn't try more than 200 rdomains in a test machine, I could not tell
if 512/1024/2048 is a silly idea or not.
Claer
in different rdomains to manage overlapping easily?
(Thanks to Reyk to clarify the usage of ipsec+rdomain)
Claer
in a routing domain? (virtual firewall setup)
maybe i should try GRE with IPSEC on top of
that...(?)
Setting up gif on rdomain on top of ipsec works.
Hope this helps :)
Claer
forget to define gif tunnels in
both directions!
Ex: gif1 in rdomain 1, lo1 - lo2
gif2 in rdomain 2, lo2 - lo1
..
Claer
be scripted easily enough I was hoping to automate this as much as
possible.
Any suggestions ?
You setup permanently tunnels A and B,
you add gif over both tunnels,
then you run ospf on top of gif on both end points, assigning different weights
for the links.
Claer
=129534605406967w=2
Claer
Dear list,
Recently I built a new VPN hub and it seems I reached a limit in ospfd.
The configuration is the following:
2 central OpenBSD (4.7 on production, 4.8 and latest snapshot in our
lab). They both run ospfd on LAN side.
49 OpenBSD clients, running IPSEC + gif encapsulation over to each
, layer 2 hashing doesn't help me very much since the
source MAC is always the same.
I took a peek at the source, but I'm definitely not a C hacker, so nothing
jumped out at me for computing the hash...
Thanks,
Jason
Claer
?
Proxification will mostly require modifications on the client's side but
it could be simplified with proxy.pac distribution. If you go the socks
way, you won't have any choice but to install a proxy client on each
computer.
Claer
of starting several
mongrel instances. It is much simpler to manage.
Claer
--
Joe McDonagh
Operations Engineer
AIM: YoosingYoonickz
IRC: joe-mac on freenode
When the going gets weird, the weird turn pro.
On Thu, Sep 30 2010 at 45:10, Tilo Stritzky wrote:
On 30/09/10 00:40 Claer wrote:
Hello list,
I have a minipci umts modem that is recognized fine by OpenBSD (4.7-stable)
but I'm unable to find the good pppd configuration to establish the
configuration to my ISP
On Fri, Oct 01 2010 at 00:11, Denis Doroshenko wrote:
On Fri, Oct 1, 2010 at 10:31 AM, Claer cl...@claer.hammock.fr wrote:
...
it's usual for today's modems not to negotiate their IP address (in
older days handsets would send some dummy value), but you can add a
predefined address
fw pppd[14700]: pppd 2.3.5 started by root, uid 0
Aug 24 02:52:00 fw pppd[14700]: Connect script failed
Any help appreciated :)
Thanks,
Claer
On Thu, Aug 05 2010 at 50:12, Z Wing wrote:
[...]
The question I have is how do I get dhclient working with the cable modem,
given that the IP address is dynamic? dhclient doesn't work when the carp
interface is in INIT mode and I'm not sure how to get carp to share the IP
address between the
On Tue, Jul 27 2010 at 04:10, Maikel Verheijen wrote:
Hello fellow openbsd fans,
Hello,
While preparing a test environment for my upgrade to openbsd 4.7 I ran into a
slight problem. My current setup uses route-to rules to send out traffic back
out on the interface it received it on like this:
is the configuration I used between 2 peers :
ike esp tunnel \
from 10.10.10.6 to 10.10.10.5 \
main auth hmac-sha1 enc aes group grp5 \
quick auth hmac-sha1 enc aes group grp5 \
psk OpenBSD
As stated, just adding the local keyword should suffice.
Claer
claer $
[General]
DPD-check-interval= 30
Default-phase-1-lifetime= 86400,60:86400
Default-phase-2-lifetime= 28800,60:86400
Listen-on= IP.IP.IP.IP
Claer
obtain a kerberos ticket on the system :
# kinit claer
cl...@claer.hammock.fr's Password:
# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: cl...@claer.hammock.fr
Issued Expires Principal
May 19 10:06:28 May 19 20:05:51 krbtgt/claer.hammock...@claer.hammock.fr
On Wed, May 19 2010 at 17:11, Antoine Jacoutot wrote:
On Wed, 19 May 2010, Claer wrote:
It seems that the client is trying to get a ticket for the afs client.
AFS is not enabled on my BSD box and I don't need it. The only reference
I found on UALBERTA.CA is /etc/afs/ThisCell. Is there a way
On Wed, May 19 2010 at 01:18, Antoine Jacoutot wrote:
On Wed, 19 May 2010, Claer wrote:
_claer:$2a$06$SgI[...]:1000:1000:Claer:/home/claer:/bin/ksh
claer:*:1000:1000:Claer:/home/claer:/bin/ksh
Now the next step is to try an authentication with ssh. That's why
/etc/login.conf has
On Wed, May 19 2010 at 14:21, Enrico Scichilone wrote:
Am 19.05.2010 20:52, schrieb Claer:
However, on the kerberos server side, no request has been made to the
claer account:
May 19 20:44:56 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5
23 3 2 1}) 172.16.1.1: CLIENT_NOT_FOUND
On Wed, Nov 12 2008 at 18:13, Joe Warren-Meeks wrote:
Hey guys,
Hi,
I'm struggling to get isakmpd to talk to a checkpoint firewall
I need the following parameters
General IKE Properties = AES-256 with SHA1
IKE Phase 1 SA = Group2 (1024 bit)
IKE Phase 1 SA renegotiation = 1440
IKE Phase
at proxying the
trap with net-snmp ?
Direct the original trap to your firewall (carped ?) and then when the
trap arrives on it, ask net-snmp to send several traps to the
supervision servers.
Claer
The main objective though, is to preserve the source address, while
replacing the destination
but worked fine during tests.
Claer
On Mon, Oct 13 2008 at 48:08, Freddy DISSAUX wrote:
Thanks to all the developers for a job well done.
Hehehe Where in Poissy? I'm in beauregard ;-)
cya
Claer
negotiations after a short internet failure.
Claer
In our environment (we manage openbsd tunnels to cisco 3030
which is out of our scope) we debugged a strange problem when
the connection goes down. The tunnels won't come back after a
small link shutdown.
The problem was Cisco 3030
On Fri, Sep 26 2008 at 45:07, Mariusz Makowski wrote:
I finally was able to setup vpn connection.
The other side was configured in the wrong way and the sum of all my ipsec.conf looks like
this:
-- ipsec.conf --
other_peer = c.c.c.c_public_ip
ike esp tunnel from a.a.a.a_net to d.d.d.d_net peer
cards.
Does someone here already play with such devices ?
Regards,
Claer
performance. These Dell protect small Internet link
so we didn't bother check performance for links below 10Mb.
Claer
Torsten Frost wrote:
On Fri, Jul 11, 2008 at 11:47 PM, Martín Coco
[EMAIL PROTECTED] wrote:
Hi misc,
I'm currently looking for hardware alternatives for firewalls
but not write it. Write support was committed
last month (http://marc.info/?l=openbsd-cvsm=121014159632272w=2)
so you can certainly test this functionality with a snapshot.
Claer
/Maximum_transmission_unit
Claer
ifstated(8) and ifstated.conf(5)
Sorry for the long email and thanks in advance.
Sorry I shortened it :)
Claer
else run into this?
I've seen this, too. But a package made out of the port will work.
Repeatable also here. We built net-snmp package from ports.
Claer
be implemented following the ftp-proxy anchor. These
rules can use special pf(4) features like route-to, reply-to, label,
rtable, overload, etc. that ftp-proxy does not implement itself.
Claer
bigger than the MTU.
# tcpdump -ns 1550
Claer
for mismatched types, however i think it
just looks up the name anyone doesnt it?
Do you have a rule to allow esp traffic ? If you don't have one, here is
what you should add in your pf ruleset :
pass in on $ext_if inet proto 50 from any to $ext_if
Claer
On Wed, May 14 2008 at 24:09, David Gwynne wrote:
i believe this has been fixed with revision 1.80 of src/sys/dev/ic/mfi.c.
could you please try -current (or at least 4.3) and see if the problem
persists?
OK. I'll try to upgrade these servers asap. (It has to be done anyway =))
Claer
for tests it did not impact any users
(except myself ;)) but permits to run debug commands if suggested.
I'll update the perc firmware as mentioned on the thread posted above.
The server will be upgraded soon to 4.3 too.
Any help on how to avoid this problem is welcome.
Claer
dmesg:
OpenBSD 4.1
:
include /etc/macros.conf
Claer
.
But my question is: will it be supported by the 4.3 release? We're not used
to running -current on our firewalls, and we'd prefer to continue with -release
and -stable.
We tested r200 servers this week with a 4.3 stable release. It seems to work
fine for the moment.
Claer
On Wed, Apr 23 2008 at 40:17, Monah Baki wrote:
Hi all,
Hi,
I implemented the following rule and so far I can see that all users are
accessing my proxy server
Tried the following in /etc/inetd.conf
127.0.0.1:5000 stream tcp nowait nobody /usr/bin/nc nc -w \
20 192.168.3.106
On Tue, Apr 22 2008 at 43:22, Arun G Nair wrote:
On Mon, Apr 21, 2008 at 11:44 PM, Claer [EMAIL PROTECTED] wrote:
I personally use unicode rxvt. It's a clone of rxvt that comes with
unicode (oh surprising) and with client/server mode to reduce memory
usage when you have several terms
On Wed, Apr 23 2008 at 01:00, Jon Radel wrote:
Sam Fourman Jr. wrote:
Is there a way to login the passwords that were used in the bruteforce
attack?
I am sitting trying to come up with a good reason why you would give a
damn what passwords they tried?
I mean for the most part
rxvt. It's a clone of rxvt that comes with
unicode (oh surprising) and with client/server mode to reduce memory
usage when you have several terms like I used to have.
urxvt is also one of the rare terms out there with transparency and
whitening the background and not darkening it.
Claer
the carp address from
the nat table
Claer
for crypto cards for IPSEC Encryption, the best answer I
found was : not use one ;-)
It mentions AES but not blowfish.
As said by other people, you should go for AES encryption.
Claer
.
that is ONE use of them, but certainly not the only one.
Please enlighten us then, Henning. What do you use tags for, routing?
Why don't you update the doco with some examples?
For example, I use tags for QoS inside IPSEC. It's documented in
ipsec.conf(5)
Claer
that emphasize the important
alerts and not summarise in a beautiful graph all the connections.
Claer
easy, just do s/GRE/gif/ in my
previous sentence ;-)
Claer
Claer wrote:
On Sat, Feb 09 2008 at 00:10, Chris Jones wrote:
Hi all,
Hi,
A while back I attempted to setup a route-based VPN tunnel between a
Fortigate firewall and an OpenBSD firewall with no success. I now have
the need to get
a GRE tunnel (numbered) between peers and then
create a host to host vpn with GRE tunnel on top of it.
Both OpenBSD and Netscreen support GRE, I hope Fortinet does.
Claer
My setup is quite simple.
network
---
internal external external internal
have any issues on the primary :)
Claer
. It's not too
hard to make up a shellscript (or use another scripting language) which
automates a daily report and the complaint.
I always hesitate to use this trick. Could you please develop more the
implications of this method? Is it still effective?
Thanks!
Claer
On Fri, Jan 11 2008 at 47:11, Peter N. M. Hansteen wrote:
Claer [EMAIL PROTECTED] writes:
I always hesitate to use this trick. Could you please develop more the
implications of this method? Is it still effective?
Yes, it's still effective. You need to put in whatever values you
feel
near december for the PE 1950.
Claer
On Wed, Nov 21, 2007 at 09:55:54AM -0800, Stanislav Ovcharenko wrote:
Hello,
I'm planning on running OpenBSD 4.2 on Dell Power Edge 1950.
Question 1: How stable is it on x64 platform? I mean native 64 bit code. I
assume that x86 code
.
Claer
demonstrated once again why regex
is a bad idea.
Just a few thoughts. I do not like the | (or) operator. This can be
written with two rules without any issues. I guess we will support +, ., -
, ^ and $.
About OpenBGPd todo list, is there any plan to implement bgp
confederations?
Thanks
Claer
On Tue, Sep 11 2007 at 41:12, Bryan Irvine wrote:
I've found a couple of threads in the archive about the possibility of
adding this feature, but can't seem to find out whether or not this is
possible.
I think this is the patch you are looking for :
for phase 2. That means you don't use PFS. But in
this email you fixed sysctl's pfs option to 1. There is a contradiction.
Regards,
Claer
0 [quick mode only]
Regards,
Claer
IPs to the
interfaces if you are using carp + pfsync + sasyncd. You should have
only the carp IP set up.
Is your config working ? Did you test failover ?
Thanks,
Claer
to try
it, sorry.
Claer
On Fri, Apr 20 2007 at 34:05, Lars D. Noodén wrote:
On Fri, 20 Apr 2007, Claer wrote:
On Thu, Apr 19 2007 at 53:12, carlopmart wrote:
Somebody have tried to use cisco vpn client to connect to openbsd ipsec
gateway using user and pass or x509 certificates? Can somebody sends me
some
didn't try road warriors yet. What client software do you use?
Claer
a lifetime
problem.
The configuration should work, at least it works here between Checkpoint
R61 and OpenBSD 4.0.
Could you provide us some error messages please? Messages from the Checkpoint
side
would help too :)
Claer
the encryption to 3des resolved the issue.
There is certainly an error in the ipsecctl generated output for
isakmpd.
regards,
Claer
I started isakmpd -K and then did an ipsecctl -vv -c /etc/ipsec.conf, and
then I
immediately
get a Bad file descriptor, see below:
122049.815507 UI 30 ui_config
include a line like this one :
flow esp from 192.168.1.0/24 to 10.10.0.0/16 peer peer 2.2.2.2
Good luck!
Claer
cisco
IKE proposal
authentication mode - presharedkeys
authentication algorithm - sha/hmac-160
encryption - 3DES-168
DH Group - 1 768-bits
Lifetime - 3600seconds
Lan-to-Lan
routing it creates. It can be another source
of problems later. Please, try to check with a temp server (with one of
your free IP) before putting this configuration in production
environement.
Claer
:-)
A happy user,
Claer
to current
in order to see a resolution of this problem with no luck.
I didn't see the invalid Cookie message in log files.
Claer