Re: Topics for revised PF and networking tutorial

2017-04-07 Thread bytevolcano
On Fri, 7 Apr 2017 17:39:16 + (UTC)
Stuart Henderson  wrote:

> On 2017-04-06, 
>  wrote:
> > On Wed, 5 Apr 2017 22:44:54 + (UTC)
> > Stuart Henderson  wrote:
> >  
> >> On 2017-04-05, 
> >>  wrote:  
> >> > I've been using a trick to emulate scheduled rules using IP
> >> > tables.
> >> 
> >> Nice trick. Anchors are also good for this.
> >> 
> >> But don't forget that active connections won't be dropped unless
> >> you also flush the relevant states.
> >>   
> >
> > Anchors do not work with securelevel=2. This trick works in
> > securelevel=2.  
> 
> Oh, people actually use that? :)

Oh, I reckon someone out there runs tetris(6) on their firewall.
I use it when I am confident the ruleset is stable. Of course, I have
to restart the gateway every time I change the rules.

> 
> > As for active connections, the goal here is to prevent new
> > connections being made after closing time. I don't want my
> > connection to close just because it is a few seconds after closing
> > time, especially when I already got in before the ports were
> > closed. It may be worth closing long-standing connections
> > eventually though.
> >
> > Maybe something like this:
> >
> > 0 18 * * *  root    /sbin/pfctl -F states
> >
> >  
> 
> If it's given as an example for something, it's definitely important
> to point out about active connections. -F states will kill the
> "wanted" states too, I use pfctl -k to knock out just the relevant
> hosts.
> 

I was wondering about that. I missed -k while scrolling through the man
page. Labeling the rules may also be helpful:


# Schedule Table (the table name was stripped by the archive; <sched_ip> is assumed here)
table <sched_ip> persist

# Scheduled access to HTTP
pass in on egress proto tcp from <sched_ip> to any port http rdr-to $web_server keep state label sched_ip

# Scheduled access to SSH
pass in on egress proto tcp from <sched_ip> to any port ssh keep state label sched_ip


System crontab (kills only the states carrying the sched_ip label):

0 18 * * *  root    /sbin/pfctl -k label -k sched_ip



OpenBSD as a non-routing access point

2017-04-07 Thread Jordon
My new wifi adapter finally arrived today (AR9271) so I want to give hostap a
try with its new 802.11n support.  Unfortunately, all the examples I’ve
found center around creating a router/AP when all I want to make is an AP - as
in, no DHCP or routing.  I just want to bridge my wired network to the
wireless one.  I want all DHCP requests from wireless devices to get passed to
my router so it assigns the address (192.168.77.x).

My interfaces are configured like this:

/etc/hostname.re0
dhcp

/etc/hostname.athn0
media autoselect mode 11n mediaopt hostap chan 1
nwid testytesterson
wpakey testingx
inet 192.168.77.253 255.255.255.0

/etc/hostname.bridge0
add athn0
add re0
up

A client laptop (running Linux Mint) sees the access point but will not
connect to it.

Am I on the right track?  Should a bridge be adequate or do I need to
configure pf to route between the interfaces?
Perhaps the configs for a simple AP-only setup would be a good example for the
faq.

Thanks
Jordon



Re: Topics for revised PF and networking tutorial

2017-04-07 Thread Mihai Popescu
I don't want to offend you folks, but I'm curious and I will ask: is
this BSDCon so useful? Does it repay the effort?

If someone has time and knowledge to do a PF tutorial he/she can do it
and post. Do you need the Con?

I'm asking this having in my mind the Google Summer of (no)Code thread from misc@.
Again, I'm asking, I've never been to a Con to sense the feeling.

Thanks.



Re: Topics for revised PF and networking tutorial

2017-04-07 Thread mabi
Dear Peter,

May I suggest the following topic of interest:

PF with VLAN interfaces (with LACP trunk interface behind) and CARP of course.

Regards,
M.

 Original Message 
Subject: Topics for revised PF and networking tutorial
Local Time: April 1, 2017 10:52 AM
UTC Time: April 1, 2017 8:52 AM
From: pe...@bsdly.net
To: misc@openbsd.org

Hi,

I thought I'd like to give you a heads up that there will be a "PF and
networking" tutorial at BSDCan 2017 in Ottawa this June.

The session will however not be the Nth rerun of the old one, we're
starting from scratch this time, and we're looking for input on what to
include.

Do you have questions on PF and related matters, or are there specific
topics you would like to see covered?

We want to hear from you, either contact us directly at the reply-to
address or use the list.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Substitute for other variables in pkg.conf(5)

2017-04-07 Thread Stuart Henderson
On 2017-04-06,   wrote:
> Since pkg.conf(5) is no longer used, how would you set fullwidth,
> loglevel, nochecksum, ntogo?
>
> In particular, I am interested in fullwidth, loglevel, and ntogo.
>
>

ntogo is now on "pkg_add -V".

nochecksum (to stop verifying checksums during pkg_delete) is on by
default, use "pkg_add -D checksum" to enable verifying these again.

I think the others have gone.



Re: Topics for revised PF and networking tutorial

2017-04-07 Thread Stuart Henderson
On 2017-04-06,   wrote:
> On Wed, 5 Apr 2017 22:44:54 + (UTC)
> Stuart Henderson  wrote:
>
>> On 2017-04-05, 
>>  wrote:
>> > I've been using a trick to emulate scheduled rules using IP
>> > tables.  
>> 
>> Nice trick. Anchors are also good for this.
>> 
>> But don't forget that active connections won't be dropped unless you
>> also flush the relevant states.
>> 
>
> Anchors do not work with securelevel=2. This trick works in
> securelevel=2.

Oh, people actually use that? :)

> As for active connections, the goal here is to prevent new connections
> being made after closing time. I don't want my connection to close just
> because it is a few seconds after closing time, especially when I
> already got in before the ports were closed. It may be worth closing
> long-standing connections eventually though.
>
> Maybe something like this:
>
>   0 18 * * *  root    /sbin/pfctl -F states
>
>

If it's given as an example for something, it's definitely important to
point out about active connections. -F states will kill the "wanted" states
too, I use pfctl -k to knock out just the relevant hosts.



Re: Topics for revised PF and networking tutorial

2017-04-07 Thread Stuart Henderson
On 2017-04-07, I love OpenBSD  wrote:
> I second the request for more IPv6-related information.
> I am curious about blocking port scanning in IPv6 Web. Does pf let me put a
> CIDR into the named table based on offending IPv6 address and 64-bit mask? I
> mean something similar to 'overload ' option.

"overload" only adds the actual address, it doesn't have a way to mask on /64.



Re: Topics for revised PF and networking tutorial

2017-04-07 Thread Peter N. M. Hansteen
On 04/07/17 18:00, I love OpenBSD wrote:
> I second the request for more IPv6-related information.
> I am curious about blocking port scanning in IPv6 Web. Does pf let me put a
> CIDR into the named table based on offending IPv6 address and 64-bit mask? I
> mean something similar to 'overload ' option.

Tables can hold both inet and inet6 items, and you can add them as
single addresses or with masks:

[Fri Apr 07 18:31:40] peter@skapet:~$ doas pfctl -t myself -T show
   127.0.0.1
   192.168.103.1
   213.187.179.198
   ::1
   2001:470:27:658::2
   2001:470:28:658::1
   2001:470:df85:dead:beef::1
   fe80::1
   fe80::7210:6fff:fe3e:dfd4
   fe80::7210:6fff:fe3e:dfd5
[Fri Apr 07 18:31:59] peter@skapet:~$ doas pfctl -t myself -T add 2001:470:df85:dead:beef::1/64
1/1 addresses added.
[Fri Apr 07 18:32:08] peter@skapet:~$ doas pfctl -t myself -T show
   127.0.0.1
   192.168.103.1
   213.187.179.198
   ::1
   2001:470:27:658::2
   2001:470:28:658::1
   2001:470:df85:dead::/64
   2001:470:df85:dead:beef::1
   fe80::1
   fe80::7210:6fff:fe3e:dfd4
   fe80::7210:6fff:fe3e:dfd5
[Fri Apr 07 18:32:13] peter@skapet:~$

overload rules would work similarly.

If you need to differentiate between address families, you use inet and
inet6 respectively in the criteria.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
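Since overload inserts only the exact address (Stuart's point above), the /64 has to be computed before the pfctl call; the session above shows that pfctl -T add with a /64 suffix stores the network, not the host. The following is an added example, not code from this thread or from pf; it generalises to IPv4 (/32), skips unparsable input and avoids re-adding addresses already covered by a table entry. The table name badhosts, the offending addresses and the existing entries are constructed.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed sample of offending addresses, as a log post-processing
# step might collect them (not taken from the thread).
OFFENDERS = [
    "2001:470:df85:dead:beef::1",
    "2001:470:df85:dead:cafe::7",   # same /64 as the entry above
    "213.187.179.198",
    "not-an-address",               # junk that must be skipped, not crash
]

def block_prefix(addr: str, v6_len: int = 64, v4_len: int = 32) -> Optional[str]:
    """Return the table entry to add for one offending address.

    Mirrors what pfctl -T add stores when given a /64 suffix:
    2001:470:df85:dead:beef::1/64 becomes 2001:470:df85:dead::/64.
    Returns None for input that is not an IP address.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    plen = v6_len if ip.version == 6 else v4_len
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))

def covered(addr: str, table: Iterable[str]) -> bool:
    """True if addr already falls inside one of the table's entries
    (entries may be single addresses or networks, inet or inet6)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in table)

def pfctl_add_commands(table_name: str, addrs: Iterable[str],
                       existing: Iterable[str] = ()) -> List[str]:
    """One 'pfctl -t <table> -T add <prefix>' per new, distinct prefix."""
    existing = list(existing)
    seen = set()
    cmds = []
    for a in addrs:
        p = block_prefix(a)
        if p is None or p in seen or covered(a, existing):
            continue
        seen.add(p)
        cmds.append(f"pfctl -t {table_name} -T add {p}")
    return cmds

if __name__ == "__main__":
    for cmd in pfctl_add_commands("badhosts", OFFENDERS, existing=["fe80::/64"]):
        print(cmd)
```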



Re: Topics for revised PF and networking tutorial

2017-04-07 Thread R0me0 ***
+1 Queue prioritization and ToS (set prio / set tos combinations) by
examples will be great

2017-04-07 13:00 GMT-03:00 I love OpenBSD :

> I second the request for more IPv6-related information.
> I am curious about blocking port scanning in IPv6 Web. Does pf let me put
> a CIDR into the named table based on offending IPv6 address and 64-bit
> mask? I mean something similar to 'overload ' option.



Re: Topics for revised PF and networking tutorial

2017-04-07 Thread I love OpenBSD
I second the request for more IPv6-related information.
I am curious about blocking port scanning in IPv6 Web. Does pf let me put a
CIDR into the named table based on offending IPv6 address and 64-bit mask? I
mean something similar to 'overload ' option.



Re: Topics for revised PF and networking tutorial

2017-04-07 Thread Peter N. M. Hansteen
On 04/07/17 13:36, Markus Rosjat wrote:
> Since not everyone can attend to this Conference will there be a
> recording of this session? 

At previous BSDCans, talks have generally been recorded but not
tutorials. So probably not. Slides likely will be available after the
session has concluded.

On the other hand there is a chance we will be able to offer a similar
session at EuroBSDCon too, but no decisions have been made yet.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



No message-id header on port 587 - OpenSMTPD

2017-04-07 Thread LD
I have configured an OpenSMTPD server to use port 587 upon which to receive
inbound mail. When the email is delivered I do not see a message-id from
this originating SMTP server, instead I see a message-id header inserted by
the last server in the line, i.e. in this case my office's Exchange server.
Even Gmail inserts the missing header. I have tried telnet and OpenSSL from
the local server and others in the LAN to port 587 using but never seem to
get a message-id generated by this server. I have DKIM installed (and
working). Can anyone point me in the right direction please?

Have I misconfigured something? Below is the beginning of the smtpd.conf
file...

# pki set up
pki server1.example.com certificate "/home/ssl/cert/server1.crt"
pki server1.example.com key "/home/ssl/private/server1.key"

# Listen ports
listen on lo0
listen on lo0 port 10028 tag DKIM
listen on vmx1 port 25 tls pki server1.example.com
listen on 172.16.x.x port 587 tls pki server1.example.com






Re: Topics for revised PF and networking tutorial

2017-04-07 Thread Markus Rosjat
Since not everyone can attend this conference, will there be a
recording of this session? I use pf not so much on a daily basis but I
would like to get more insight too ;)


And I admit I'm more the visual guy

regards

Markus

On 07.04.2017 at 06:25, li...@wrant.com wrote:

> Wed, 5 Apr 2017 17:46:18 +0200 Marko Cupać
>
>> On Sat, 1 Apr 2017 10:52:20 +0200
>> "Peter N. M. Hansteen"  wrote:
>>
>>> Hi,
>>>
>>> I thought I'd like to give you a heads up that there will be a "PF and
>>> networking" tutorial at BSDCan 2017 in Ottawa this June.
>>>
>>> The session will however not be the Nth rerun of the old one, we're
>>> starting from scratch this time, and we're looking for input on what to
>>> include.
>>>
>>> Do you have questions on PF and related matters, or are there specific
>>> topics you would like to see covered?
>>>
>>> We want to hear from you, either contact us directly at the reply-to
>>> address or use the list.
>>
>> Queueing. Prioritization. Throttling.
>
> Hi Peter, misc@,
>
> I would second the coherent practical examples in: queues, priorities,
> bandwidth caps, normalisation & reordering to have quality of service.
>
> And all required steps to achieve an advanced fully functional feature
> full typical home, office, lab, ISP, enterprise, etc setups iterative,
> each time incrementally enhancing the previous set of tricks and skill
> one game at a time, much more a practical hands on approach to the PF.
>
> Including performing common tasks of monitoring, maintenance, upgrade,
> conflict resolve, capturing, post processing, sanitation, enhancement.
> My personal interests have always been practical application examples,
> especially these extending the previous ones in a connected structure.
>
> From the default rule set after installation, through getting Internet
> working, and then fixing most common pitfalls of poor packet scheduler
> practices (or lack of) in (dumb) broadband equipment.. through solving
> all aspects to realisation of complete deployments, as YOU learned it.
>
> The PF features got implemented over time, to solve real actual needs.
> The typical new user begins with small common tasks up to their needs.
> The full example shows a complete configuration addressing most needs.
> The best tutorials give a practical approach to fulfil the real needs.
>
> I dream of a revised PF and networking tutorial from sketch to artist.
> Thank you ALL for the hard work over the years to complement OpenBSD..
>
> Kind regards,
> Anton Lazarov
>
>> I have had a hard time configuring these for years now. The fact (or is
>> it rumour?) that prio works only when physical interface bandwidth is
>> saturated couldn't be read in manpages, pf faq, or other 'official'
>> docs, I heard about it by chance:
>> [https://marc.info/?l=openbsd-misc&m=145261341431381&w=2]
>>
>> I still haven't found a way to throttle down queues to desired values
>> without using fixed min and max values. Adding NAT to the mix
>> complicates things further. What about queueing of traffic inside GRE
>> tunnels in transport mode protected with IPSEC? Where to read about it?
>>
>> Optimistic me believes that devs are too busy making stuff work and
>> have no time to explain it to us poor admins (by means of manpages,
>> faqs or howtos). But how can I know how to use it if I can't read about
>> it anywhere?
>>
>> Pessimistic me starts to notice that less and less free knowledge can be
>> found around the 'net. If I want answers to my questions, is the
>> best way to start saving money for paying OpenBSD consultants hourly
>> rates for tuition?
>>
>> If there's any way I could help, don't hesitate to contact me.
>> --
>> Before enlightenment - chop wood, draw water.
>> After  enlightenment - chop wood, draw water.
>>
>> Marko Cupać
>> https://www.mimar.rs/




--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before
you print it, think about your responsibility and commitment to the
ENVIRONMENT




Re: Topics for revised PF and networking tutorial

2017-04-07 Thread Craig Skinner
On Fri, 7 Apr 2017 07:25:58 +0300 li...@wrant.com wrote:
> Thank you ALL for the hard work over the years to complement OpenBSD.

Yes.