Re: Selling things through the mailing list allowed? I have compatible THIN CLIENTS for Firewall / Router appliance use Available

2018-08-30 Thread Alexis



Jon Tabor  writes:

> Yep, right there with ya.  So, ah...what's everyone using for mail
> filtering these days?  Spamassassin? ClamAV?  Something else entirely?


i use maildrop:

   http://www.courier-mta.org/maildrop/


Alexis.



Re: Selling things through the mailing list allowed? I have compatible THIN CLIENTS for Firewall / Router appliance use Available

2018-08-30 Thread Z Ero
Seems like a rational response to the issue.

On 8/30/18, Allan Streib  wrote:
> I quote from the FAQ:
>
> Complaining about and commenting upon spam on the list proper is
> counter-productive, as it generates more traffic than the spam
> itself.
>
> I am cognizant that I am violating this rule right now, but maybe helps
> reduce pointless traffic in the future...
>
> Allan
>
>



Block TLD senders with opensmtpd

2018-08-30 Thread Scott Seekamp
Hi all,

Looking at the manpage for smtpd.conf it’s possible to block a domain with:

reject sender 

and put:

@domain.tld

Is it possible to block entire TLDs and if so what would the syntax be?

I’d like to filter out high spam content senders “.bid, .date, .us” that I’m 
seeing and avoid spam processing altogether.

Thanks
Scott



Re: isakmpd and iked on the same box

2018-08-30 Thread Tommy Nevtelen
On 2018-08-30 22:06, Daniel Polak wrote:
> On 30/08/2018 17:39, Philipp Buehler wrote:
>> I was not following development too closely, but I think that on the
>> kernel side
>> things have not changed. Which means iked and isakmpd will happily
>> "toe tap"
>> on each others SADB in the kernel (even if there is *some* PID
>> handling).
>>
>> Would like to hear if kernel side has "improved" lately, but the
>> overall standpoint
>> looks like: IKEv1 is dead (e.g. see the removal of IKEv1 stubs in
>> iked some "months ago").
> Why would IKEv1 be dead if the stubs were removed from iked? There is
> still isakmpd and that works pretty well.
>
> Also I see many companies that still use IKEv1 and it would be
> unpleasant if there was no way to connect to them with OpenBSD.

We use isakmpd to interconnect 30ish routers and I would like to switch
to iked, but since there is no support to run both at the same time it
makes it quite hard to migrate slowly. Will basically need to do it all
at the same time and that is not very good for SLAs which complicates
things. Or am I missing something?

-- 
Tommy



Re: Selling things through the mailing list allowed? I have compatible THIN CLIENTS for Firewall / Router appliance use Available

2018-08-30 Thread Allan Streib
I quote from the FAQ:

Complaining about and commenting upon spam on the list proper is
counter-productive, as it generates more traffic than the spam
itself.

I am cognizant that I am violating this rule right now, but maybe helps
reduce pointless traffic in the future...

Allan



Re: Selling things through the mailing list allowed? I have compatible THIN CLIENTS for Firewall / Router appliance use Available

2018-08-30 Thread Jon Tabor
On Thu, Aug 30, 2018 at 07:40:55PM +, Daniel Corbe wrote:
> 
> 
> On 8/30/2018 15:27:23, ed...@pettijohn-web.com wrote:
> 
> > 
> > https://marc.info/?l=openbsd-ports=141634350915839=2
> 
> 
> Hmm..
> 
> $ procmail -v
> procmail v3.22 2001/09/10
> Copyright (c) 1990-2001, Stephen R. van den Berg 
> Copyright (c) 1997-2001, Philip A. Guenther 
> 
> 
> Okay.
> 
> Well, thanks.   I'm now in the midst of an existential crisis for not
> knowing a critical piece of my mailer chain was last updated in 2001.  I no
> longer believe I'm qualified to speak on topics of technology.   I might try
> driving trucks for a living.   At least then I don't have to think.
> 
> 



Yep, right there with ya.  So, ah...what's everyone using for mail
filtering these days?  Spamassassin? ClamAV?  Something else entirely?


-- 
Jon Tabor
tab...@obsolete.site
http://obsolete.site

'There is a saying: There is no such thing as overkill. 
 There is only “Open fire!” and “Reloading!”' 
― John Ringo, The Hot Gate



Re: isakmpd and iked on the same box

2018-08-30 Thread Daniel Polak

On 30/08/2018 17:39, Philipp Buehler wrote:
> I was not following development too closely, but I think that on the
> kernel side things have not changed. Which means iked and isakmpd will
> happily "toe tap" on each others SADB in the kernel (even if there is
> *some* PID handling).
>
> Would like to hear if kernel side has "improved" lately, but the
> overall standpoint looks like: IKEv1 is dead (e.g. see the removal of
> IKEv1 stubs in iked some "months ago").

Why would IKEv1 be dead if the stubs were removed from iked? There is
still isakmpd and that works pretty well.

Also I see many companies that still use IKEv1 and it would be
unpleasant if there was no way to connect to them with OpenBSD.



Daniel


Re: Selling things through the mailing list allowed? I have compatible THIN CLIENTS for Firewall / Router appliance use Available

2018-08-30 Thread Daniel Corbe




On 8/30/2018 15:27:23, ed...@pettijohn-web.com wrote:
> On Aug 30, 2018 1:48 PM, Daniel Corbe  wrote:
>> at 1:35 PM, flauenroth  wrote:
>>
>>> This mail keeps crawling out the dumpster again and again. Are we done
>>> with this topic here? Correct me when I am wrong but afaik there are
>>> pretty simple rules about the mailing list(s) so asking about selling
>>> stuff in the first place proofed lack of reading and or comprehending
>>> simple rules or maybe call them guidelines.
>>> Have something useful to donate to the project or something that might be
>>> useful, ask here if someone has use for it. Have something to sell? Sell
>>> it on some auction side or wherever you feel like but not here.
>>
>> You do know that procmail is capable of filtering by Subject, right?
>
> https://marc.info/?l=openbsd-ports=141634350915839=2

Hmm..

$ procmail -v
procmail v3.22 2001/09/10
Copyright (c) 1990-2001, Stephen R. van den Berg 
Copyright (c) 1997-2001, Philip A. Guenther 

Okay.

Well, thanks.   I'm now in the midst of an existential crisis for not
knowing a critical piece of my mailer chain was last updated in 2001.  I
no longer believe I'm qualified to speak on topics of technology.   I
might try driving trucks for a living.   At least then I don't have to
think.









Re: Selling things through the mailing list allowed? I have compatible THIN CLIENTS for Firewall / Router appliance use Available

2018-08-30 Thread edgar


On Aug 30, 2018 1:48 PM, Daniel Corbe  wrote:
>
>
> at 1:35 PM, flauenroth  wrote:
>
> > This mail keeps crawling out the dumpster again and again. Are we done  
> > with this topic here? Correct me when I am wrong but afaik there are  
> > pretty simple rules about the mailing list(s) so asking about selling  
> > stuff in the first place proofed lack of reading and or comprehending  
> > simple rules or maybe call them guidelines.
> > Have something useful to donate to the project or something that might be  
> > useful, ask here if someone has use for it. Have something to sell? Sell  
> > it on some auction side or wherever you feel like but not here.
>
> You do know that procmail is capable of filtering by Subject, right?
>

https://marc.info/?l=openbsd-ports=141634350915839=2



Re: alpine linux under vm? freezes

2018-08-30 Thread Rudolf Sykora
On Thu, 30 Aug 2018 at 20:43, Rudolf Sykora  wrote:
> I connect to the console with the 'vmctl console' command.
> At various moments I am no longer able to write anything,
> the alpine system as if freezes.

It seems to be a problem with the console.
I still can ssh to the system, and it is
working.

Thanks
Ruda



Re: Selling things through the mailing list allowed? I have compatible THIN CLIENTS for Firewall / Router appliance use Available

2018-08-30 Thread Daniel Corbe



at 1:35 PM, flauenroth  wrote:

> This mail keeps crawling out the dumpster again and again. Are we done
> with this topic here? Correct me when I am wrong but afaik there are
> pretty simple rules about the mailing list(s) so asking about selling
> stuff in the first place proofed lack of reading and or comprehending
> simple rules or maybe call them guidelines.
> Have something useful to donate to the project or something that might be
> useful, ask here if someone has use for it. Have something to sell? Sell
> it on some auction side or wherever you feel like but not here.


You do know that procmail is capable of filtering by Subject, right?



alpine linux under vm? freezes

2018-08-30 Thread Rudolf Sykora
Hello,

I tried to run alpine linux (alpine-virt-3.8.0-x86_64.iso)
under the OpenBSD (latest snapshot) virtual machine.

I was able to boot it, even to install it to an image.

I connect to the console with the 'vmctl console' command.
At various moments I am no longer able to write anything,
the alpine system as if freezes.

Has anybody encountered something similar?

Thanks for any comments.

Thanks
Ruda



PS.: I like OpenBSD but I seem to need some linux, too,
for various programs (Julia, J, Texmacs, reduce,
pressure sensitivity for a Wacom Intuos 3 tablet, ...)



Re: Selling things through the mailing list allowed? I have compatible THIN CLIENTS for Firewall / Router appliance use Available

2018-08-30 Thread flauenroth
This mail keeps crawling out the dumpster again and again. Are we done with 
this topic here? Correct me when I am wrong but afaik there are pretty simple 
rules about the mailing list(s) so asking about selling stuff in the first 
place proofed lack of reading and or comprehending simple rules or maybe call 
them guidelines.
Have something useful to donate to the project or something that might be 
useful, ask here if someone has use for it. Have something to sell? Sell it on 
some auction side or wherever you feel like but not here.



___
Always exit with 42 to return the answer.

‐‐‐ Original Message ‐‐‐
On 30 August 2018 5:45 PM, Bogdan Kulbida  wrote:

> I would like to apologize for the previous email. The joke was
> unprofessional and very rude.
> I’m sorry if it was offensive to someone in this list.
>
> -Bogdan
>
> On Wed, Aug 29, 2018 at 22:40 Bogdan Kulbida i...@konstankino.com wrote:
>
> > I love it! Damn f.. asshole! Get him out of here!
> > On Wed, Aug 29, 2018 at 21:09 Theo de Raadt dera...@openbsd.org wrote:
> >
> > > Jacqueline Jolicoeur fen...@airmail.cc wrote:
> > >
> > > > > Finally, whether intended or not, your intention to try to SELL
> > > > > something on this list is extraordinarily rude. Move on and go learn
> > > > > about this on your own. The Internet is filled with useful
> > > > > information.
> > > >
> > > > > The mailing list archives also have a tremendous amount of useful
> > > > > info.
> > > >
> > > > Asking permission, while at the same time, performing the act.
> > > > "Wrote a song about it. Like to hear it? Here it goes." - Calhoun Tubbs
> > >
> > > May I call people trying to sell things on misc assholes? The guy
> > > trying to sell stuff on misc is an asshole. Oh sorry, I'm sorry I called
> > > an asshole an asshole.
> > > Right?
> > > --
> > > --
> >
> > --
>
> Best regards,
> Bogdan Kulbida
> Founder and CEO, Konstankino LLC http://konstankino.com
> +1.802.793.8295




Re: OpenBGPD as route server - correct filter syntax ?

2018-08-30 Thread Bob Smith


Thanks for your reply.

>
> If you are configuring a route server, you don't want "route-collector yes".
> Or if you want a route collector, it won't advertise any route so your concerns
> are null.


Interesting point. My understanding was that a route server did not make any 
best-path decisions and merely relayed what it was told ? That was my thinking 
behind "route-collector yes".

> This is not needed. Code says (rde_update.c L292) :
>
> 	if (peer == prefp)
> 		/* Do not send routes back to sender */
> 		return (0);
>

That's good news !




Re: OpenBGPD as route server - correct filter syntax ?

2018-08-30 Thread Denis Fondras
On Thu, Aug 30, 2018 at 03:29:50PM +, Bob Smith wrote:
> Hi,
> 
> I'm trying to figure out the most suitable config params to transform OpenBGPD 
> into a route server.
> 
> So far I have :
> route-collector yes

If you are configuring a route server, you don't want "route-collector yes".
Or if you want a route collector, it won't advertise any route so your concerns
are null.

> transparent-as yes
> 
> But my concern is more in the area of suitable filters to prevent loops.
> 
> I'm thinking I need something along the lines of :
> 
> allow to any peer-as != neighbor-as
> 
> But any variation of the above that I try always ends up with a "bgpd -n -f" 
> throwing a syntax error.
> 
> Ideas most welcome !
> 

This is not needed. Code says (rde_update.c L292) :

	if (peer == prefp)
		/* Do not send routes back to sender */
		return (0);

> Thanks
> 
> Bob
> 



Re: Selling things through the mailing list allowed? I have compatible THIN CLIENTS for Firewall / Router appliance use Available

2018-08-30 Thread Bogdan Kulbida
I would like to apologize for the previous email. The joke was
unprofessional and very rude.
I’m sorry if it was offensive to someone in this list.

-Bogdan

On Wed, Aug 29, 2018 at 22:40 Bogdan Kulbida  wrote:

> I love it! Damn f.. asshole! Get him out of here!
>
> On Wed, Aug 29, 2018 at 21:09 Theo de Raadt  wrote:
>
>> Jacqueline Jolicoeur  wrote:
>>
>> > > Finally, whether intended or not, your intention to try to SELL
>> > > something on this list is extraordinarily rude. Move on and go learn
>> > > about this on your own. The Internet is filled with useful
>> information.
>> > > The mailing list archives also have a tremendous amount of useful
>> info.
>> >
>> > Asking permission, while at the same time, performing the act.
>> >
>> > "Wrote a song about it. Like to hear it? Here it goes." - Calhoun Tubbs
>>
>> May I call people trying to sell things on misc assholes?  The guy
>> trying to sell stuff on misc is an asshole. Oh sorry, I'm sorry I called
>> an asshole an asshole.
>>
>> Right?
>>
>> --
> --
>
> --
---
Best regards,
Bogdan Kulbida
Founder and CEO, Konstankino LLC 
+1.802.793.8295


Re: isakmpd and iked on the same box

2018-08-30 Thread Philipp Buehler

Hi,

On 30.08.2018 10:27, Sebastian Reitenbach wrote:

> Hi,
>
> I'm wondering if it would be possible to add iked to my box already
> running isakmpd.
> I found this quite old thread:
> http://openbsd-archive.7691.n7.nabble.com/iked-isakmpd-on-the-same-machine-td246610.html

Why is it "always" my old threads in this area? :-)

I was not following development too closely, but I think that on the
kernel side things have not changed. Which means iked and isakmpd will
happily "toe tap" on each others SADB in the kernel (even if there is
*some* PID handling).

Would like to hear if kernel side has "improved" lately, but the overall
standpoint looks like: IKEv1 is dead (e.g. see the removal of IKEv1 stubs
in iked some "months ago").


[Still stuck with my ikev2 with strongswan on a different box solution]

HTH... wait, no:
ciao
--
pb



OpenBGPD as route server - correct filter syntax ?

2018-08-30 Thread Bob Smith
Hi,

I'm trying to figure out the most suitable config params to transform OpenBGPD 
into a route server.

So far I have :
route-collector yes
transparent-as yes

But my concern is more in the area of suitable filters to prevent loops.

I'm thinking I need something along the lines of :

allow to any peer-as != neighbor-as

But any variation of the above that I try always ends up with a "bgpd -n -f" 
throwing a syntax error.

Ideas most welcome !

Thanks

Bob



Re: DNS (UNBOUND) + PF ISSUE

2018-08-30 Thread Craig Skinner
Hi NN,

On Wed, 29 Aug 2018 11:57:15 +0200 NN wrote:
> 
> here is my pf.conf on VM#1:
> 
>      int_if="{ vether0 re0 }"
>      set block-policy drop
>      set log interface egress
>      set skip on lo0
>      match in all scrub (no-df random-id max-mss 1440)
>      match out on egress inet from !(egress:network) to any nat-to (egress:0)
>      pass out quick inet
>      pass in on $int_if inet
>      pass in on egress inet proto { tcp, udp } from any to (egress) port 53 rdr-to 192.168.50.2


Yuck.

Block everything:-


block in all
block in log on $ext_if
block return in on $int_if
block return out


Then only open up what is needed, e.g:


pass out on $ext_if inet proto {udp, tcp} \
from $ext_if port > 1023 \
to any port domain \
user {_nsd, _unbound}


pass in on $int_if inet proto {udp, tcp} \
from $int_if:network port > 1023 \
to $int_if port domain \
user root \
modulate state


Define your Unbound server in your DHCP daemon configuration.

> 
> *P.S: unbound.conf is here ...*
> 
> server:
>      # interface: 188.192.103.156

No no no no No No NO NO NO *NO* *NO* _NO_

NEVER run a recursive resolver on the Internet!!!



"Overview

A Domain Name Server (DNS) amplification attack is a popular form of
distributed denial of service (DDoS) that relies on the use of
publically accessible open DNS servers to overwhelm a victim system
with DNS response traffic.

"

https://www.us-cert.gov/ncas/alerts/TA13-088A






Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7
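
The open-resolver warning above comes down to two unbound.conf settings taken together: an `interface:` line on a publicly reachable address and an `access-control:` line that allows outside netblocks (Unbound's defaults are to listen on localhost only and refuse everyone else). A small auditor for that combination, as an added example that is not part of the original message; the `audit` and `external` names, both sample configs and the 203.0.113.10 documentation address are constructed for illustration.

```python
import ipaddress

# Netblocks treated as internal (loopback, RFC 1918, link-local, IPv6 ULA).
INTERNAL = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample configs, not the poster's real file.
EXPOSED = """\
server:
    interface: 203.0.113.10        # public address (documentation range)
    access-control: 0.0.0.0/0 allow
"""
HARDENED = """\
server:
    interface: 192.168.50.2
    access-control: 192.168.50.0/24 allow
"""

def external(value):
    """True unless value is an address or netblock wholly inside INTERNAL."""
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        # e.g. an interface name: cannot prove it is internal, so flag it
        return True
    return not any(net.version == i.version and net.subnet_of(i)
                   for i in INTERNAL)

def audit(conf):
    """Report externally reachable listeners and externally wide allow rules."""
    listen, allowed = [], []
    for raw in conf.splitlines():
        # drop comments, then split "key: value" on the first colon only
        key, _, value = raw.split("#", 1)[0].partition(":")
        key, fields = key.strip(), value.split()
        if key == "interface" and fields:
            listen.append(fields[0].split("@")[0])   # strip optional @port
        elif (key == "access-control" and len(fields) == 2
              and fields[1].startswith("allow")):
            allowed.append(fields[0])
    ext_listen = [a for a in listen if external(a)]
    ext_allow = [n for n in allowed if external(n)]
    # Recursion is offered to the Internet only when both conditions hold.
    return {"listen": ext_listen, "allow": ext_allow,
            "open_resolver": bool(ext_listen and ext_allow)}

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit(conf))
```
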



isakmpd and iked on the same box

2018-08-30 Thread Sebastian Reitenbach
Hi,

I'm wondering if it would be possible to add iked to my box already running 
isakmpd.
I found this quite old thread: 
http://openbsd-archive.7691.n7.nabble.com/iked-isakmpd-on-the-same-machine-td246610.html

just checking to see if things might have changed since then.

I've a vio0 interface with two IPs: 10.0.0.52 and 192.168.0.4:

so I've isakmpd running, binding it to a specific IP like this:
[General]
Listen-on=  10.0.0.52
Default-phase-1-lifetime=   28800,60:86400
Default-phase-2-lifetime=   1200,60:86400
DPD-check-interval= 10
Policy-File=/etc/isakmpd/isakmpd.policy

so with isakmpd, I'm used to using ipsecctl and have multiple 
/etc/ipsec.conf.tunnelXYZ files around, so that I can up/down etc. single 
tunnels without affecting the others.

now adding iked with following config:
ikev2 "just a test" \
esp proto tcp \
from 192.168.66.0/24 to 192.168.77.0/24 \
peer 172.16.0.3 local 192.166.0.4

starting up iked works. However, it binds to *:500 and *:4500 so care has to be 
taken to start it after isakmpd, otherwise isakmpd would refuse to start. I 
used the "local" keyword to see if iked would only bind to that specific 
address, but
it doesn't.
Looking at ikectl manpage, I only see the "load ". So I could specify 
alternate configuration files, but that would affect the overall iked 
configuration, I cannot add/remove single tunnel instances to iked?
I've seen that in iked.conf, I can specify names for the flows, but I guess 
that's only for easier identification, I cannot use
these names to trigger a start/stop/restart of a given flow?
I haven't used iked before, so far, isakmpd was sufficient, so I'm a bit 
curious, and might miss something about iked in general.

Also isakmpd/iked, and ipsecctl/ikectl work on the same kernel resources, do 
they step onto each other's toes?

Also, if not possible to run iked and isakmpd together on the same node, no big 
deal, can easily run on separate nodes, just
wanted to ensure I don't miss anything.

thanks,
Sebastian