Re: no flows with my iked vpn

2020-02-12 Thread Robert Paschedag




On 12 February 2020 15:07:46 Shadrock Uhuru wrote:

> hi everyone
> i have setup iked on my firewall and laptop as a roadwarrior setup
> following https://www.openbsd.org/faq/faq17.html
> i've tested from within the local network
> but no flows are started.
> could someone have a look at the following files to see where i have
> erred.

Looks like your client cert (pegasus) is missing a subjectAltName.

Robert

> # my iked config method
> http://paste.openstack.org/show/789464/
>
> imhoptep iked logs (responder)
> http://paste.openstack.org/show/789465/
>
> pegasus iked logs (initiator)
> http://paste.openstack.org/show/789466/
>
> thanks shadrock







Re: Awaiting a diff [was: Re: File systems...] Probably not gonna happen anyway

2020-02-12 Thread Stuart Longland
On 13/2/20 5:17 am, jeanfrancois wrote:
> Good evening,
> 
> Very good videos are available from one of the developers of EXT2/3/4,
> recommended to see.
> 
> https://www.youtube.com/watch?v=2mYDFr5T4tY
> 
> OpenBSD's FFS code looks awesome.

It's mature, and not worth chucking out anytime soon as it'll be much
more stable than any effort to port ${FANCYFS} will be.

About the only big complaint I've heard about it is that there's no
journaling which slows down boot times after an unclean shut-down
(particularly for larger volumes).  This does concern me, but not
greatly at this point.

It's on my rather large back-log to look at, some time in the future
unless someone beats me to it.  (Contrary to others' research, pet
Python projects is not my sole software development experience.)

As it happens there are two ways I can scratch my itch (management of
OpenBSD disk partitions):

1. get OpenBSD to run on a FS that the tools I have¹ understand
   (side-benefit: OpenBSD gains support for a journalled FS)
2. get the tools I have to understand OpenBSD disklabels + ffs
   (side-benefit: people would be able to re-arrange² partitions)

As this thread already struck a few raw nerves last time, I would
suggest if there's any interest, we can collectively discuss it off-list.
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.

¹. Mainly what I miss is a tool for re-arranging partitions.  gparted
has served me well for this purpose.
². Primarily the goal here being that a user can "move" partitions
around to re-organise free space.  Right now one can "grow" a partition,
but shuffling the partitions around is not easily possible without
daring unsupported and dangerous acts using `dd`, `disklabel` and `growfs`.



Re: Packages for 6.6 mips64el missing from cdn.openbsd.org

2020-02-12 Thread Xiyue Deng
Xiyue Deng  writes:

> Hi,
>
> It looks like cdn.openbsd.org[1] doesn't sync the 6.6 packages for mips64el
> from ftp.openbsd.org[2].
>
> [1] http://cdn.openbsd.org/pub/OpenBSD/6.6/packages/
> [2] http://ftp.openbsd.org/pub/OpenBSD/6.6/packages/

Ping.




Re: Kibana/Elasticsearch fail

2020-02-12 Thread David Higgs
On Mon, Feb 10, 2020 at 11:20 PM Aaron Bieber  wrote:

> On Thu, 06 Feb 2020 at 23:31:01 -0600, Eric Zylstra wrote:
> > I’ve installed the ELK packages (Elasticsearch, Logstash, Kibana) using
> pkg_add.  Installs went fine.  I checked out the pkg documentation
> (pkg_readmes) and followed the steps for those that had documentation to
> follow.
> >
> > When I boot, Logstash and Kibana fail.  I can use rcctl to start
> Logstash with no problem.  When I try to start Kibana, the following is
> what I see:
> >
> > # rcctl -d start kibana
> > doing _rc_parse_conf
> > doing _rc_quirks
> > kibana_flags empty, using default ><
> > doing _rc_parse_conf /var/run/rc.d/kibana
> > doing _rc_quirks
> > doing rc_check
> > kibana
> > doing rc_start
> > doing _rc_wait start
> > doing rc_check
> > No home directory /nonexistent!
> > Logging in with home = "/".
> > Kibana does not support the current Node.js version v10.16.3. Please use
> Node.js v>=10.15.0 <10.16.
> > doing _rc_rm_runfile
> > (failed)
> >
> >
> > I’m not sure what to do with this.  Why is Logstash not starting on
> reboot?  Why does Kibana fail?  I assume there is some config that needs to be
> done, because that Node.js error wouldn’t have made it to distribution,
> right?
>
> > that Node.js error wouldn’t have made it to distribution
>
> It did, and it's entirely my fault.
>
> Kibana is failing because it is very strict about the version of node it
> wants
> to use (hence the "Kibana does not support.." message).
>
> Apparently the tests I had run to verify this update worked failed:
>
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/www/kibana/patches/patch-package_json?rev=1.4=text/x-cvsweb-markup
>
> Here is a diff that fixes it for 6.6 (you will have to build it from ports
> until (if?) a proper fix is in place).
>
> https://deftly.net/patches/kibana-6.6.1.diff
>
> Index: Makefile
> ===
> RCS file: /cvs/ports/www/kibana/Makefile,v
> retrieving revision 1.32
> diff -u -p -r1.32 Makefile
> --- Makefile28 Sep 2019 09:37:54 -  1.32
> +++ Makefile11 Feb 2020 04:13:52 -
> @@ -3,7 +3,7 @@
>  COMMENT=   browser based analytics/search interface to ElasticSearch
>
>  V =6.6.1
> -REVISION = 1
> +REVISION = 2
>  PKGNAME =  kibana-${V}
>  DISTNAME = kibana-oss-${V}-darwin-x86_64
>
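Review bot: the REVISION bump from 1 to 2 is the right companion to the change in patches/patch-package_json, since the package contents change while V stays at 6.6.1, and the bump is what gives the rebuilt package a new name (the pN suffix) so that updaters notice it. Nothing else to raise in this hunk; as the surrounding text says, 6.6 users still have to build from ports until the fix lands in the tree.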
> Index: patches/patch-package_json
> ===
> RCS file: /cvs/ports/www/kibana/patches/patch-package_json,v
> retrieving revision 1.4
> diff -u -p -r1.4 patch-package_json
> --- patches/patch-package_json  13 May 2019 22:08:11 -  1.4
> +++ patches/patch-package_json  11 Feb 2020 04:13:52 -
> @@ -8,7 +8,7 @@ Index: package.json
> },
> "engines": {
>  -"node": "10.15.1"
> -+"node": ">=10.15.0 <10.16"
> ++"node": "10.16.3"
> }
>  -}
>  \ No newline at end of file
>
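Review bot: the hunk replaces the version range with the exact pin "10.16.3", so the next node update in ports will reproduce the very "Kibana does not support the current Node.js version" failure that started this thread and this patch will need touching again. Kibana evidently accepts range syntax here (the previous patch used ">=10.15.0 <10.16" and the error message echoes it back), so a range covering the current node series, for example ">=10.16.0 <10.17", would survive minor node bumps. Leaving the trailing "\ No newline at end of file" marker untouched is fine.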
> >
> > Thanks,
> >
> > EZ
>
> --
> PGP: 0x1F81112D62A9ADCE / 3586 3350 BFEA C101 DB1A  4AF0 1F81 112D 62A9
> ADCE
>
>
Works great for me, thanks for the belated update.

--david


Re: Awaiting a diff [was: Re: File systems...] Probably not gonna happen anyway

2020-02-12 Thread jeanfrancois

Good evening,

Very good videos are available from one of the developers of EXT2/3/4,
recommended to see.

https://www.youtube.com/watch?v=2mYDFr5T4tY

OpenBSD's FFS code looks awesome.


Jean-François


On 09/01/2020 at 03:25, Theo de Raadt wrote:

> Xiyue Deng  wrote:
>
> > It would be better to point out where to start, what
> > hard problems to solve, what work has been done in this area that people
> > can continue to work on.
>
> Looking at that list, no one here owes you any of those.
>
> Do your own homework.
>
> Re-reading the thread is remarkable.  It's a bunch of people who
> won't do the work telling us that we need to tell them what work
> to do.  A bunch of garbage is coming out of your mouths.





Re: using first alias as masquerading ip on pf.conf

2020-02-12 Thread Stuart Henderson
On 2020-02-12, Sebastian Benoit  wrote:
> Paul de Weerd(we...@weirdnet.nl) on 2020.02.12 12:46:02 +0100:
>> On Wed, Feb 12, 2020 at 12:09:12PM +0100, Federico Donati wrote:
>> | Hi all,
>> | 
>> | I have a couple of firewalls with carp configured and I need them to
>> | reach the Internet even when they are in BACKUP state.
>> | I'm managing pf via Ansible/GIT, so I'd like to keep the
>> | configuration of pf.conf standard and simple as much as possible.
>> | 
>> | Usually, I use the notation "nat-to ($interface)" to let pf use the
>> | correct ip, but in this case I've BGP configured and the provider
>> | forces me to use a complex configuration with an alias on the
>> | external interface, like this:
>> | 
>> | # ifconfig vlan835
>> | vlan835: flags=8943 mtu 1500
>> |lladdr b0:26:28:1e:e6:6e
>> |index 13 priority 0 llprio 3
>> |encap: vnetid 835 parent trunk0 txprio packet rxprio outer
>> |groups: vlan egress
>> |media: Ethernet autoselect
>> |status: active
>> |inet 1.1.1.1 netmask 0xfff0 broadcast 1.1.1.255
>> |inet 2.2.2.2 netmask 0xfff0 broadcast 2.2.2.255

Does the 2.2.2.2 address specifically need to be on this interface (i.e.
do you need to answer ARP for it)? If not then maybe you could just put
it on a loopback instead (e.g. lo1) then things are simple.

>> Alternatively, you could refer to a hostname that you then specify in
>> /etc/hosts (with a different address on each host).
>
> If you don't want to go that route, you could have a file with a local
> definition:
>
> $ cat /etc/pf/local
> natip="2.2.2.2"
>
> $ cat /etc/pf.conf
> include "/etc/pf/local"
> [...]
> pass in on em0 to any nat-to $natip
>
> Then you have pf.conf identical on both machines and /etc/pf/local per
> machine (and possibly generated by ansible differently on each box).

Or just use a j2 template rather than a plain copied file and set it
per-host from a variable in ansible. Lots of alternatives..




no flows with my iked vpn

2020-02-12 Thread Shadrock Uhuru

hi everyone
i have setup iked on my firewall and laptop as a roadwarrior setup
following https://www.openbsd.org/faq/faq17.html
i've tested from within the local network
but no flows are started.

could someone have a look at the following files to see where i have
erred.


# my iked config method
http://paste.openstack.org/show/789464/

imhoptep iked logs (responder)
http://paste.openstack.org/show/789465/

pegasus iked logs (initiator)
http://paste.openstack.org/show/789466/

thanks shadrock




Re: using first alias as masquerading ip on pf.conf

2020-02-12 Thread Sebastian Benoit
Paul de Weerd(we...@weirdnet.nl) on 2020.02.12 12:46:02 +0100:
> On Wed, Feb 12, 2020 at 12:09:12PM +0100, Federico Donati wrote:
> | Hi all,
> | 
> | I have a couple of firewalls with carp configured and I need them to
> | reach the Internet even when they are in BACKUP state.
> | I'm managing pf via Ansible/GIT, so I'd like to keep the
> | configuration of pf.conf standard and simple as much as possible.
> | 
> | Usually, I use the notation "nat-to ($interface)" to let pf use the
> | correct ip, but in this case I've BGP configured and the provider
> | forces me to use a complex configuration with an alias on the
> | external interface, like this:
> | 
> | # ifconfig vlan835
> | vlan835: flags=8943 mtu 1500
> | lladdr b0:26:28:1e:e6:6e
> | index 13 priority 0 llprio 3
> | encap: vnetid 835 parent trunk0 txprio packet rxprio outer
> | groups: vlan egress
> | media: Ethernet autoselect
> | status: active
> | inet 1.1.1.1 netmask 0xfff0 broadcast 1.1.1.255
> | inet 2.2.2.2 netmask 0xfff0 broadcast 2.2.2.255
> 
> Surely the provider doesn't force 1.1.1.1 to be the "primary" and
> 2.2.2.2 to the be alias?  How could they tell the difference?
> 
> | So, 1.1.1.1 is the "transit ip" for the BGP, the one we must use to
> | talk with the provider's router and that I can't use as masquerading
> | ip.
> | 
> | The ip 2.2.2.2 is the one that I should use to mask my traffic to
> | the Internet, and is different on each firewall.
> | 
> | Is there a way to tell pf to use the first alias of interface to
> | mask the traffic? Something like "nat-to (vlan835:1)"...
> 
> Could you make 1.1.1.1 the alias and 2.2.2.2 the primary address?
> Then your NAT rule could simply use (vlan835:0).
> 
> Alternatively, you could refer to a hostname that you then specify in
> /etc/hosts (with a different address on each host).

If you don't want to go that route, you could have a file with a local
definition:

$ cat /etc/pf/local
natip="2.2.2.2"

$ cat /etc/pf.conf
include "/etc/pf/local"
[...]
pass in on em0 to any nat-to $natip

Then you have pf.conf identical on both machines and /etc/pf/local per
machine (and possibly generated by ansible differently on each box).

> As far as I know, there's no way to refer to the 'first alias'.  What
> is the 'first alias' anyway?  The first one you configured?  Or the
> last one?  Since you're using the '(interface)' specification (with
> the parentheses), you're using dynamically changing addresses .. what
> does that mean in the context of 'first alias'?

I would stay away from the :0 syntax as much as possible. It does not do
what you think it does in IPv6, and in fact there were discussions lately to
remove it completely. Even though the ifconfig manpage and command line syntax
suggest otherwise, there is no difference between the primary address and
aliases on an interface; it's all the same to the kernel.

/Benno

> | I would like to keep things simple and avoid to use the include
> | directive, if possible.

I think it's simpler than fiddling with /etc/hosts ;)
 
> I tend to dislike the whole IP address "aliases" thing more and more
> recently... :)
> 
> Cheers,
> 
> Paul 'WEiRD' de Weerd
> 
> -- 
> >[<++>-]<+++.>+++[<-->-]<.>+++[<+
> +++>-]<.>++[<>-]<+.--.[-]
>  http://www.weirdnet.nl/ 
> 

-- 
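Benno's per-host macro file and the per-host Ansible variable Stuart Henderson mentions, combined into an added example that is not from the thread: the play renders only /etc/pf/local from a host variable, keeps pf.conf identical everywhere, and has pfctl parse both files before they replace the live copies. The group name "firewalls", the variable pf_nat_ip, the template name and the second address are assumptions.

```yaml
# Added example (not from the thread). Hypothetical names: inventory group
# "firewalls", host variable pf_nat_ip, template pf_local.j2.
#
# host_vars/fw1.yml contains:  pf_nat_ip: 2.2.2.2   (address from the thread)
# host_vars/fw2.yml contains:  pf_nat_ip: 2.2.2.3   (constructed sample value)
#
# templates/pf_local.j2 is the single line:
#   natip="{{ pf_nat_ip }}"
#
# files/pf.conf is the shared ruleset: it starts with
#   include "/etc/pf/local"
# and uses $natip in its nat-to rule, exactly as in Benno's reply.
- hosts: firewalls
  become: true

  pre_tasks:
    - name: Refuse to run on a firewall that has no NAT address of its own
      assert:
        that:
          - pf_nat_ip is defined
          - pf_nat_ip | length > 0
        fail_msg: "set pf_nat_ip in host_vars/{{ inventory_hostname }}.yml"

  tasks:
    - name: Render the per-host macro file
      template:
        src: pf_local.j2
        dest: /etc/pf/local
        owner: root
        group: wheel
        mode: "0600"
        # pfctl checks the syntax of the rendered file before Ansible
        # moves it into place.
        validate: pfctl -nf %s
      notify: reload pf

    - name: Install the shared pf.conf (identical on every host)
      copy:
        src: pf.conf
        dest: /etc/pf.conf
        owner: root
        group: wheel
        mode: "0600"
        validate: pfctl -nf %s
      notify: reload pf

    - name: Parse the complete ruleset with the freshly rendered macro file
      # Runs every time, so a bad address in /etc/pf/local is caught even
      # when pf.conf itself did not change and its validate step was skipped.
      command: pfctl -nf /etc/pf.conf
      changed_when: false

  handlers:
    - name: reload pf
      command: pfctl -f /etc/pf.conf
```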



NAT on enc0 unexpected behavior. Bug? or misconfiguration

2020-02-12 Thread Denis
I have a working IKEv2 VPN between an OpenBSD 6.6 server and a 6.6 client
which connects to the server from behind ISP NAT. My configuration is very
close to the FAQ's OpenBSD client connection from behind ISP NAT to a server:
https://www.openbsd.org/faq/faq17.html#clientikev2

When the VPN is disconnected, NAT on egress works as it should for the client
itself and for LAN hosts connected to the client, using the second NAT rule in pf.conf:

...
match out log on enc0 inet all nat-to 10.0.5.2 tagged WEB
match out log on egress from 192.168.2.0/24 to any nat-to (egress) tagged WEB
...

Once the VPN is connected, NAT works for the client itself only, and there is
no NAT on enc0 for hosts on the client's LAN using the first rule above.
For instance, there is no NAT on enc0 from VMM host 192.168.2.4 on the
virtual LAN 192.168.2.0/24. The same goes for physical LAN hosts connected
to the client machine.

$ telnet 172.217.21.142 80 (from LAN VMM host 192.168.2.4)

tcpdump -en -i pflog0
13.29.33.694116 rule 4/(match) match out on enc0: 10.0.5.2.64401 >
172.217.21.142.80 S 3601041753:3601041753(0) win 64240  [tos 0x10]
13.29.33.694116 rule 135/(match) match out on enc0: 10.0.5.2.64401 >
172.217.21.142.80 S 3601041753:3601041753(0) win 64240  [tos 0x10]
13.29.34.316393 rule 4/(match) match out on enc0: 10.0.5.2.50426 >
192.168.2.4.59062 S 880722202:880722202(0) ack 3601041754 win 60192 
13.29.34.625518 rule 4/(match) match out on enc0: 10.0.5.2.54501 >
192.168.2.4.59062 S 880722202:880722202(0) ack 3601041754 win 60192 


Initiator's VMM LAN SA bypassed in /etc/ipsec.conf in all directions
flow from 192.168.2.0/24 to 192.168.2.0/24 type bypass
flow from 127.0.0.1/32 to 192.168.2.0/24 type bypass
flow from 192.168.2.0/24 to 127.0.0.1/32 type bypass

responder /etc/iked.conf
ikev2 'responder' passive esp \
from 0.0.0.0/0 to 10.0.5.0/24 \
local 9.8.7.6 peer any \
srcid srv.vpn \
tag "ROADW"

initiator /etc/iked.conf
ikev2 'initiator' active esp \
from 10.0.5.2 (0.0.0.0/0) to 0.0.0.0/0 \   => so that traffic from LAN hosts
appears as coming from 10.0.5.2, as in IPSEC.CONF(5) for NAT configurations
peer 9.8.7.6 \
srcid clnt.vpn \
dstid srv.vpn

/etc/pf.conf (client)
...
match out log on enc0 inet all nat-to 10.0.5.2 tagged WEB
...

pass in log on enc0 inet from 0.0.0.0/0 to 0.0.0.0/0 keep state (if-bound)
pass out log on enc0 inet from 0.0.0.0/0 to 0.0.0.0/0 keep state (if-bound) tagged WEB

...
pass in on 192.168.2.1 inet proto tcp from 192.168.2.0/24 to any port {www, https} flags S/SA modulate state tag WEB





Re: openbsd.org - certain https URLs downgraded to http in redirection

2020-02-12 Thread Sebastian Benoit
Aham Brahmasmi(aham.brahma...@gmx.com) on 2020.02.12 10:34:55 +0100:
> Namaste misc,
> 
> Overview:
> Certain https URLs on openbsd.org get downgraded to http in redirection.
> 
> Steps:
> When navigating to https://www.openbsd.org/cgi-bin/man.cgi [1] from a
> browser, one ends up on http://man.openbsd.org/cgi-bin/man.cgi.
> 
> Same with https://www.openbsd.org/cgi-bin/cvsweb [1], which ends up on
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/.
> 
> Probable Solution:
> Would we benefit from changing our httpd.conf to
> ...
> listen on * port https
> ...
> location "/cgi-bin/man.cgi*" {
> block return 301 "https://man...
> ...
> 
> ...
> 
> This is similar to the recommended httpd.conf for OpenBSD mirrors [2].
> 
> Dhanyavaad,
> ab
> [1] - These URLs are among the top search results for the search terms
> "openbsd man", "openbsd cvsweb" et al, as returned by a privacy-friendly
> non-evil web search engine.
> [2] - 
> https://cvsweb.openbsd.org/cgi-bin/cvsweb/www/httpd.conf?rev=1.5=text/x-cvsweb-markup

Thanks for noticing this.

These two services are run by volunteers, and it's up to them how to provide
the service.

If you want to keep it secret what manpage you are looking at or what src
file you are reading, OpenBSD comes with fine command line tools that don't
need network access after initial installation.

Best regards,
B.



Re: using first alias as masquerading ip on pf.conf

2020-02-12 Thread Paul de Weerd
On Wed, Feb 12, 2020 at 12:09:12PM +0100, Federico Donati wrote:
| Hi all,
| 
| I have a couple of firewalls with carp configured and I need them to
| reach the Internet even when they are in BACKUP state.
| I'm managing pf via Ansible/GIT, so I'd like to keep the
| configuration of pf.conf standard and simple as much as possible.
| 
| Usually, I use the notation "nat-to ($interface)" to let pf use the
| correct ip, but in this case I've BGP configured and the provider
| forces me to use a complex configuration with an alias on the
| external interface, like this:
| 
| # ifconfig vlan835
| vlan835: flags=8943 mtu 1500
|   lladdr b0:26:28:1e:e6:6e
|   index 13 priority 0 llprio 3
|   encap: vnetid 835 parent trunk0 txprio packet rxprio outer
|   groups: vlan egress
|   media: Ethernet autoselect
|   status: active
|   inet 1.1.1.1 netmask 0xfff0 broadcast 1.1.1.255
|   inet 2.2.2.2 netmask 0xfff0 broadcast 2.2.2.255

Surely the provider doesn't force 1.1.1.1 to be the "primary" and
2.2.2.2 to the be alias?  How could they tell the difference?

| So, 1.1.1.1 is the "transit ip" for the BGP, the one we must use to
| talk with the provider's router and that I can't use as masquerading
| ip.
| 
| The ip 2.2.2.2 is the one that I should use to mask my traffic to
| the Internet, and is different on each firewall.
| 
| Is there a way to tell pf to use the first alias of interface to
| mask the traffic? Something like "nat-to (vlan835:1)"...

Could you make 1.1.1.1 the alias and 2.2.2.2 the primary address?
Then your NAT rule could simply use (vlan835:0).

Alternatively, you could refer to a hostname that you then specify in
/etc/hosts (with a different address on each host).

As far as I know, there's no way to refer to the 'first alias'.  What
is the 'first alias' anyway?  The first one you configured?  Or the
last one?  Since you're using the '(interface)' specification (with
the parentheses), you're using dynamically changing addresses .. what
does that mean in the context of 'first alias'?

| I would like to keep things simple and avoid to use the include
| directive, if possible.

I tend to dislike the whole IP address "aliases" thing more and more
recently... :)

Cheers,

Paul 'WEiRD' de Weerd

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
 http://www.weirdnet.nl/ 



Use encrypted partition from other OS via FUSE, e.g. EXT2 in dm-crypt or Veracrypt?

2020-02-12 Thread Joseph Mayer
Hi misc@,

Just curious if there is any way to use an encrypted partition in
OpenBSD, that can be used from Linux/Mac OS/Windows also.

OpenBSD's cryptoraid does not have any Linux/Mac OS/Windows drivers,
right?

OpenBSD does have built-in EXT2 support, which Linux then supports
natively and Mac OS and Windows support via third-party drivers;
however, this is unencrypted.

OpenBSD's filesystem support can be dynamically extended using FUSE,
right?

Via FUSE or any other route, can OpenBSD be made to support say EXT2 on
dm-crypt or Veracrypt partitions?

Thanks!
Joseph



using first alias as masquerading ip on pf.conf

2020-02-12 Thread Federico Donati

Hi all,

I have a couple of firewalls with carp configured and I need them to
reach the Internet even when they are in BACKUP state.
I'm managing pf via Ansible/GIT, so I'd like to keep the configuration
of pf.conf as standard and simple as possible.


Usually, I use the notation "nat-to ($interface)" to let pf use the 
correct ip, but in this case I've BGP configured and the provider forces 
me to use a complex configuration with an alias on the external 
interface, like this:


# ifconfig vlan835
vlan835: flags=8943 mtu 1500
lladdr b0:26:28:1e:e6:6e
index 13 priority 0 llprio 3
encap: vnetid 835 parent trunk0 txprio packet rxprio outer
groups: vlan egress
media: Ethernet autoselect
status: active
inet 1.1.1.1 netmask 0xfff0 broadcast 1.1.1.255
inet 2.2.2.2 netmask 0xfff0 broadcast 2.2.2.255

So, 1.1.1.1 is the "transit ip" for the BGP, the one we must use to talk 
with the provider's router and that I can't use as masquerading ip.


The ip 2.2.2.2 is the one that I should use to mask my traffic to the 
Internet, and is different on each firewall.


Is there a way to tell pf to use the first alias of the interface to mask
the traffic? Something like "nat-to (vlan835:1)"...


I would like to keep things simple and avoid using the include
directive, if possible.


Thank you for your suggestions.

Bye



openbsd.org - certain https URLs downgraded to http in redirection

2020-02-12 Thread Aham Brahmasmi
Namaste misc,

Overview:
Certain https URLs on openbsd.org get downgraded to http in redirection.

Steps:
When navigating to https://www.openbsd.org/cgi-bin/man.cgi [1] from a
browser, one ends up on http://man.openbsd.org/cgi-bin/man.cgi.

Same with https://www.openbsd.org/cgi-bin/cvsweb [1], which ends up on
http://cvsweb.openbsd.org/cgi-bin/cvsweb/.

Probable Solution:
Would we benefit from changing our httpd.conf to
...
listen on * port https
...
location "/cgi-bin/man.cgi*" {
block return 301 "https://man...
...

...

This is similar to the recommended httpd.conf for OpenBSD mirrors [2].

Dhanyavaad,
ab
[1] - These URLs are among the top search results for the search terms
"openbsd man", "openbsd cvsweb" et al, as returned by a privacy-friendly
non-evil web search engine.
[2] - 
https://cvsweb.openbsd.org/cgi-bin/cvsweb/www/httpd.conf?rev=1.5=text/x-cvsweb-markup