Re: OpenBSD + Firebird Server
On Tue, Nov 24, 2020 at 9:27 PM Radek wrote: > Hi, > is it possible to install Firebird Server in OpenBSD? I can't find any > info about that anywhere. > Thanks! Assuming you mean the SQL database, when last I looked into this years ago, Firebird required pthread_condattr_setpshared and pthread_mutexattr_setpshared, which OpenBSD doesn't implement. Thanks, Jeremy
OpenBSD + Firebird Server
Hi, is it possible to install Firebird Server in OpenBSD? I can't find any info about that anywhere. Thanks! -- Radek
Re: Advice on using intrusion detection
On Sun, Nov 22, 2020 at 1:14 AM Nick Holland wrote: > > On 2020-11-20 17:15, Erik Lauritsen wrote: > > Is it recommended to run some kind of intrusion detection on an > > OpenBSD router/firewall? > > > > I suspect that any kind of system like Snort or Suricata will give a > > lot of false positives? > > [SNIP] > > One thing I have been doing for a while is rsync --link-dest backups of > systems, both in-house and at various workplaces. FANTASTIC tool, > giving incredibly "useful" backups, with relatively low impact and > resource requirements. My I use a -v on rsync to get verbose backups, > and log it to a file. > > Just recently, I realized these logs are basically a "changed file" > report, which is a starting point for a file alteration reporting > tool. Combine that with a carefully crafted "ignore" file (you > can do that with a grep -vf ignorefile logfile), and you have an > interesting file monitoring system. > This sounds similar to what I do with logs - something Marcus Ranum called "artificial ignorance". Using grep, you fill a file with patterns to remove things you know aren't interesting, and once you apply it to your logs what remains will absolutely be interesting. If anything else uninteresting shows up, update the pattern file to filter those entries out. I used this method on the logs of my OpenBSD-based Request Tracker server and found that the reason a commercial piece of software running on a Hyper-V virtual machine kept needing to be reactivated was because the server's MAC address would regularly change if you left it set to Dynamic. Really, Microsoft? > The painful part with any such system is crafting the list of what > to ignore vs. what to panic over. Everyone wants to tick the > checkbox that says "We have an intrusion detection system", and > everyone wants one of two results: "No problem" and "intruder > detected". So far, I don't think any tool does that. An IDS > without careful human monitoring is just for show (and it's a > potential security risk of its own), and more likely to be the > cause of a problem than a solution. Careful monitoring takes > time and resources. > Problems like "we're only getting 56Mbps from our 1000mbit fibre connection". Yes, really. Bypassing the IDS/IPS actually led to better performance - or at least better numbers on the speed test. You got some 'splaining to do, Sophos. > One nifty thing I have found in "rolling my own" is that I found > a lot of little oddities, no security problems, but things that > needed fixing. I'd call that a win. > Exactly, it just takes effort. Something that is in short supply whether by overwork or laziness. > Nick. > -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Redistribution between ospfd and ripd
Hi, We are planning for migration from ripd to ospf, however both protocols will need to work together as the migration rolls through. I was looking at the 'redistribute rtlabel' option, even after digging into the code, it is unclear how this would work to bring other dynamic routes on the same host to be redistributed by a different routing protocol. A valid, but not very clean solution would be to add: redistribute 10.0.0/8 redistribute 172.16.0/12 redistribute 192.168.0/16 To both ospfd.conf and ripd.conf What am I missing here or is there a far more elegant way to achieve this? Thanks, Jason.
Re: PF divert-packet reinjection
On 2020-11-23, Szél Gábor wrote: > Dear @misc > > We test OpenBSD with Suricata in IPS mode. > IPS mode requires PF divert-packet. > > simple rule to divert: > pass in log quick on $_if proto tcp from ! to any > divert-packet port 700 > > At first look everything is good! > The packet goes to suricata, suricata check packet, if packet is "bad", > throw away. > But, not working good! > > if suricata does not drop packet, packet does not reinjected to PF! > After divert-packet rule, any rule nothing works. > > a simple example: > pass in log quick on $_if proto tcp from ! to any > divert-packet port 700 > block log all > > I'm trying to connect to host with SSH, divert to suricata is okay, and > SSH connect is successful. > Why? Next rule is block all! > > i thought apples wouldn't reinject packets, so i made a simple test: > https://man.openbsd.org/divert.4 - example C code > > If i replaced suricate with example C code, the situation is the same! > I see the packet in example log, and SSH connection is successfully. > I think PF divert-packet does not reinject packets to PF. This is all exactly as described in the divert(4) manual; Writing to a divert socket can be achieved using sendto(2) and it will skip pf(4) filters to avoid loops. Note that this means that a reinjected inbound packet will also not run through the pf out rules after being forwarded. A diverted packet that is not reinjected into the kernel stack is lost. > Is there a solution for this? Block packets first, then pass any remaining packets with divert-to?
PF divert-packet reinjection
Dear @misc We test OpenBSD with Suricata in IPS mode. IPS mode requires PF divert-packet. simple rule to divert: pass in log quick on $_if proto tcp from ! to any divert-packet port 700 At first look everything is good! The packet goes to suricata, suricata check packet, if packet is "bad", throw away. But, not working good! if suricata does not drop packet, packet does not reinjected to PF! After divert-packet rule, any rule nothing works. a simple example: pass in log quick on $_if proto tcp from ! to any divert-packet port 700 block log all I'm trying to connect to host with SSH, divert to suricata is okay, and SSH connect is successful. Why? Next rule is block all! i thought apples wouldn't reinject packets, so i made a simple test: https://man.openbsd.org/divert.4 - example C code If i replaced suricate with example C code, the situation is the same! I see the packet in example log, and SSH connection is successfully. I think PF divert-packet does not reinject packets to PF. Is there a solution for this? -- Üdvözlettel, Szél Gábor WanTax Kft. tel.: +36 20 3838 171 fax: +36 82 357 585 email: gabor.s...@wantax.hu web: http://wantax.hu web: http://halozatom.hu